Re: postfix cleanup process dropping messages
On 07/12/2018 07:36 PM, Viktor Dukhovni wrote:
> On Thu, Jul 12, 2018 at 07:20:26PM +0530, Ram wrote:
>> My postfix servers remain pretty busy throughout the day getting around 100 - 200 mails / second. I have seen that for every 100 k mails around 20 mails disappear from the queue. From maillogs, I can see smtpd accepting the connection, creating a queue-id and then cleanup picking it up.
>
> If you look closely, you'll see smtpd reporting early connection termination after the queue file was created, and message-id written but before the message is fully received (".").
>
>> Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: open incoming/6262B115F
>> Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: 6262B115F: message-id=
>
> What is the corresponding logging on the smtpd(8) side?

I will look at the smtp logs too. The logs are a bit verbose for me to make sense of, but that should be done. But the smtp-client closing the connection before "." is unlikely, because the sender got a full DSN with an OK queued as ...
postfix cleanup process dropping messages
My postfix servers remain pretty busy throughout the day getting around 100 - 200 mails / second. I have seen that for every 100 k mails around 20 mails disappear from the queue. From maillogs, I can see smtpd accepting the connection, creating a queue-id and then cleanup picking it up. But nothing after that, no qmgr lines, no discard etc. If I enable cleanup in debug mode I can see errors like this (esp. cleanup_flush: status 1). How do I debug this further?

Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: open incoming/6262B115F
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: cleanup_open: open incoming/6262B115F
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: send attr queue_id = 6262B115F
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: cleanup socket: wanted attribute: flags
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute name: flags
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute value: 178
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: cleanup socket: wanted attribute: (list terminator)
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute name: (end)
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: cleanup flags = enable_header_body_filter enable_automatic_bcc enable_address_mapping enable_smtp_reply
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope T 1531399835 381154
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A log_ident=6262B115F
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A rewrite_context=remote
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A sasl_method=PLAIN
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A sasl_username=justdialf
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope S XXX
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: send attr request = rewrite
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: send attr rule = local
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: send attr address = jdale...@justdial.com
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: private/rewrite socket: wanted attribute: flags
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute name: flags
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute value: 0
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: private/rewrite socket: wanted attribute: address
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute name: address
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute value: jdale...@justdial.com
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: private/rewrite socket: wanted attribute: (list terminator)
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute name: (end)
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: rewrite_clnt: local: Xx
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A log_client_name=unknown
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A log_client_address=10.139.64.141
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A log_client_port=10802
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A log_message_origin=unknown[10.139.64.141]
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A log_helo_name=localhost.localdomain
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A log_protocol_name=ESMTP
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A client_name=unknown
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A reverse_client_name=unknown
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A client_address=10.139.64.141
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A client_port=10802
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A server_address=10.139.64.82
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A server_port=25
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A helo_name=localhost.localdomain
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A protocol_name=ESMTP
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A client_address_type=2
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope A dsn_orig_rcpt=XX
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: initial envelope R XXXxx
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: send attr request = rewrite
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: send attr rule = local
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: send attr address = Xx
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: private/rewrite socket: wanted attribute: flags
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute name: flags
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: input attribute value: 0
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: private/rewrite socket: wanted attribute: address
Jul 12 18:20:35
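An added example (my own script, not something posted in this thread) that does at scale the check Viktor's reply asks for: it pairs every queue id with the smtpd process that announced it, so that a later "lost connection after DATA" or "timeout after DATA" line from the same process (those lines carry no queue id) can be attributed to that queue file, and then lists the queue ids cleanup opened that never got a qmgr "(queue active)" record. The log excerpt is constructed for the example (host, pids, queue ids, addresses and message-ids are made up); the syslog tag is matched loosely so a custom syslog_name such as smtpbp1/cleanup is handled like postfix/cleanup.

```python
import re

# Constructed sample maillog excerpt (host, pids, queue ids, addresses and message-ids are
# made up for this example, not taken from the post).
SAMPLE_LOG = """\
Jul 12 18:20:35 mx1 postfix/smtpd[4101]: connect from unknown[10.0.0.5]
Jul 12 18:20:35 mx1 postfix/smtpd[4101]: 6262B115F: client=unknown[10.0.0.5], sasl_method=PLAIN, sasl_username=app1
Jul 12 18:20:35 mx1 postfix/cleanup[9121]: 6262B115F: message-id=<a1@app.example>
Jul 12 18:20:36 mx1 postfix/smtpd[4101]: lost connection after DATA (8192 bytes) from unknown[10.0.0.5]
Jul 12 18:20:36 mx1 postfix/smtpd[4101]: disconnect from unknown[10.0.0.5]
Jul 12 18:20:37 mx1 postfix/smtpd[4102]: connect from unknown[10.0.0.6]
Jul 12 18:20:37 mx1 postfix/smtpd[4102]: 7373C2260: client=unknown[10.0.0.6], sasl_method=PLAIN, sasl_username=app1
Jul 12 18:20:37 mx1 postfix/cleanup[9121]: 7373C2260: message-id=<a2@app.example>
Jul 12 18:20:37 mx1 postfix/qmgr[1200]: 7373C2260: from=<app@example.com>, size=2048, nrcpt=1 (queue active)
Jul 12 18:20:37 mx1 postfix/smtpd[4102]: disconnect from unknown[10.0.0.6]
Jul 12 18:20:40 mx1 postfix/smtpd[4103]: connect from unknown[10.0.0.7]
Jul 12 18:20:40 mx1 postfix/smtpd[4103]: 8484D3371: client=unknown[10.0.0.7]
Jul 12 18:20:40 mx1 postfix/cleanup[9121]: 8484D3371: message-id=<a3@app.example>
Jul 12 18:20:50 mx1 postfix/smtpd[4103]: timeout after DATA (1024 bytes) from unknown[10.0.0.7]
Jul 12 18:20:50 mx1 postfix/smtpd[4103]: disconnect from unknown[10.0.0.7]
"""

# syslog prefix "Mon DD HH:MM:SS host tag/<program>[<pid>]: <message>"; the tag is matched
# loosely so a custom syslog_name such as smtpbp1/cleanup works as well as postfix/cleanup.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ \S+/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]+): (?P<rest>.*)$")   # default hex ids; long queue ids are base62
ABORT_RE = re.compile(r"^(?:lost connection|timeout) after (?P<stage>\S+)")


def audit(lines):
    """{queue id: reason} for queue files that cleanup opened but qmgr never reported active.

    smtpd's "lost connection"/"timeout after <stage>" lines carry no queue id, so they are
    attributed through the smtpd pid that last announced a queue id.  Anything else missing
    its qmgr record is reported as "no qmgr record"; at the tail of a live log that may just
    mean the record has not been written yet.
    """
    created = {}        # queue id -> smtpd pid that announced it (None if only cleanup saw it)
    in_progress = {}    # smtpd pid -> queue id of its current transaction
    activated = set()   # queue ids qmgr moved into the active queue
    aborted = {}        # queue id -> SMTP stage at which the client session died
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        q = QID_RE.match(msg)
        if prog == "smtpd":
            if q:
                created[q["qid"]] = pid
                in_progress[pid] = q["qid"]
            elif (a := ABORT_RE.match(msg)) and pid in in_progress:
                aborted[in_progress.pop(pid)] = a["stage"]
            elif msg.startswith("disconnect from"):
                in_progress.pop(pid, None)   # session over; the next one gets a new queue id
        elif prog == "cleanup" and q and q["rest"].startswith("message-id="):
            created.setdefault(q["qid"], None)
        elif prog == "qmgr" and q and q["rest"].endswith("(queue active)"):
            activated.add(q["qid"])
    lost = {}
    for qid in created:
        if qid not in activated:
            lost[qid] = "smtpd aborted after " + aborted[qid] if qid in aborted else "no qmgr record"
    return lost


def summarize(lines):
    """Count of lost queue files per reason: the number to compare with '20 per 100k'."""
    counts = {}
    for reason in audit(lines).values():
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for qid, reason in audit(SAMPLE_LOG.splitlines()).items():
        print(qid, reason)
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it over a day's maillog (grep for the three programs first on a busy host). A queue id that shows up as "smtpd aborted after DATA" was never acknowledged with 250 to the client, so the sending application should have retried it; if the client really did receive "250 OK queued as", the qmgr record must exist and the search moves to the delivery side.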
Re: Mails stuck in queue until inflow stops
On 04/20/2018 07:39 PM, Wietse Venema wrote:
> Ram:
>> On 04/20/2018 07:14 PM, Wietse Venema wrote:
>>> Ram:
>>>> I have a very busy postfix server that acts as a relay. It gets mails from an application and then forwards the mails to the delivery servers on local LAN. The application can send mails at a rate of up to 600 mails per second. Postfix has been configured to accept mails all that quickly, but the delivery is very poor until inflow stops. Only around 20-50 mails per s. Once the app completes the inflow, then the mails are cleared at a rate of 1000 mails per second. Why? Is there a contention on the queue manager when the inflow is too quick?
>>>
>>> No, there is contention for the file system. If you disabled in_flow_delay, turn it back on, please. This allows the queue manager to push back, though it works only for clients that make few parallel connections. Otherwise, you need a faster disk. SSDs have become quite affordable, even the 'enterprise' ones that have some extra capacitors to prevent data corruption after power failure.
>>
>> I am using spool dir on /dev/shm. in_flow_delay .. slows down smtp connections which the application can not handle. That is why I have disabled it.
>
> If you can't use the Postfix safety mechanism, then I can't help you.

I know, and in_flow_delay works for almost all cases where I use postfix, excepting when 1 sec delay per process becomes too much. If I have a high end machine, will running multiple postfix instances on the same machine help? That way I change the app to deliver to multiple instances simultaneously. There is no IO load running everything in /dev/shm.
Re: Mails stuck in queue until inflow stops
On 04/20/2018 07:14 PM, Wietse Venema wrote:
> Ram:
>> I have a very busy postfix server that acts as a relay. It gets mails from an application and then forwards the mails to the delivery servers on local LAN. The application can send mails at a rate of up to 600 mails per second. Postfix has been configured to accept mails all that quickly, but the delivery is very poor until inflow stops. Only around 20-50 mails per s. Once the app completes the inflow, then the mails are cleared at a rate of 1000 mails per second. Why? Is there a contention on the queue manager when the inflow is too quick?
>
> No, there is contention for the file system. If you disabled in_flow_delay, turn it back on, please. This allows the queue manager to push back, though it works only for clients that make few parallel connections. Otherwise, you need a faster disk. SSDs have become quite affordable, even the 'enterprise' ones that have some extra capacitors to prevent data corruption after power failure.
>
> 	Wietse

I am using spool dir on /dev/shm. in_flow_delay .. slows down smtp connections which the application can not handle. That is why I have disabled it.
Mails stuck in queue until inflow stops
I have a very busy postfix server that acts as a relay. It gets mails from an application and then forwards the mails to the delivery servers on local LAN. The application can send mails at a rate of up to 600 mails per second. Postfix has been configured to accept mails all that quickly, but the delivery is very poor until inflow stops. Only around 20-50 mails per s. Once the app completes the inflow, then the mails are cleared at a rate of 1000 mails per second. Why? Is there a contention on the queue manager when the inflow is too quick?

Postfix version 3.0.1 on Centos 7.2

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_add_missing_headers = yes
bounce_queue_lifetime = 5d
bounce_template_file = /etc/postfix/bounce.cf.default
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 500
default_process_limit = 500
disable_mime_input_processing = yes
disable_vrfy_command = yes
hash_queue_depth = 1
hash_queue_names = deferred, defer, hold
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
in_flow_delay = 0s
inet_interfaces = 127.0.0.1
inet_protocols = all
lmtp_destination_concurrency_limit = 30
lmtp_line_length_limit = 990
mail_owner = postfix
mailbox_size_limit = 52783082
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 5d
message_size_limit = 52783082
meta_directory = /etc/postfix
minimal_backoff_time = 30s
mydestination = XXX
myhostname = XXX
mynetworks = /etc/postfix/mynetworks
newaliases_path = /usr/bin/newaliases.postfix
qmgr_message_active_limit = 20
qmgr_message_recipient_limit = 20
queue_directory = /dev/shm/postfix
readme_directory = /usr/share/doc/postfix-3.0.1/README_FILES
relayhost = [X]
sample_directory = /usr/share/doc/postfix-3.0.1/samples
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 300s
smtp_line_length_limit = 990
smtpd_client_connection_count_limit = 0
smtpd_client_connection_rate_limit = 0
smtpd_recipient_limit = 3000
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access cidr:/etc/postfix/relay_allowedips, reject
smtpd_restriction_classes = check_env_from
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps
smtpd_sender_restrictions = permit_mynetworks, check_client_access cidr:/etc/postfix/permit_sender_ip, reject_sender_login_mismatch, permit
transport_maps = cdb:/etc/postfix/bounce_transport,cdb:/etc/postfix/suppresslist,hash:/etc/postfix/transport,regexp:/etc/postfix/transport_regex,hash:/etc/postfix/emm_transport
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/vmap
virtual_mailbox_base = /var/spool/mail
Email client ignores end-of-data REJECT
I am using a custom policy daemon to reject some messages which do not match the policies of the company. This is usually to do with some content checks in subject or body. The problem is even if the message is given a REJECT, the email client (Thunderbird) does not throw up any error.

For testing I put in main.cf:

    smtpd_end_of_data_restrictions = reject

Now *all* mails are rejected. But Thunderbird thinks the mail is sent. Is there a workaround to get an error message on the email client?
Bounce message with original subject
I have a postfix gateway that relays mails for various senders and for some mails it generates NDRs when the mail is not deliverable. Can I configure postfix to bounce the message and retain the original subject with the current message? Something like Undelivered Mail:
Re: Use relayhost and also DNS based routing
On Wednesday 04 May 2016 12:43 PM, Viktor Dukhovni wrote:
> On Wed, May 04, 2016 at 11:39:48AM +0530, Ram wrote:
>> I have a postfix relay server that sends all mails to a relayhost. Problem is that some domains, whose MX is all the same, are not accepting mails from that relayhost for now. Until that issue is resolved I want to route all such domains' mails (where MX is pointing to a particular host) via a different network. I don't have a list of all such domains, only the MX host is known. Can there be any such configuration in postfix?
>
> You'd need a socketmap-based transport(5) table, with the daemon

I have been trying to get an example of a socketmap daemon which postfix can talk to for a transport. The man page of socketmap describes the usage but I couldn't find where we get the socketmap code. Can you please give me pointers on how this is implemented?

> serving the socket doing the MX lookups and deciding what to do. If the MX lookup temp-fails, you'd need to return "retry:4.1.2 MX resolution failed" as the transport. (You could also use "tcp" tables, but the "socketmap" protocol is somewhat better). Transport lookup needs to be low-latency, so the daemon needs to be capable of processing many requests in parallel, and needs to consolidate multiple requests for the same domain while the answer is still pending.
>
> Unfortunately, transport(5) lookups in qmgr(8) are single-threaded, so you're going to see a significant throughput penalty for doing this. Your queue manager may stall for multiple seconds delivering no mail. This is only suitable for low-volume senders.
>
> To support this properly the Postfix queue manager would need to be redesigned to load messages into the active queue in parallel, with multiple front-end servers reading queue files and doing transport queries, and only delegating work to "the one" qmgr that only does scheduling and does not block doing file I/O or transport lookups. Such a re-design would be a major undertaking.
>
> Another approach would be a content filter or pre-queue proxy filter that rewrites addresses whose domains have the special MX hosts. Because there can be many parallel proxy or content filters, the latency cost of lookups for slow domains will be amortized across a wide pool of concurrent processes. The rewritten addresses would then be forwarded to a second Postfix instance and returned to their original form in the process. The second instance would do MX-based routing and bypass the relayhost.
Use relayhost and also DNS based routing
I have a postfix relay server that sends all mails to a relayhost. Problem is that some domains, whose MX is all the same, are not accepting mails from that relayhost for now. Until that issue is resolved I want to route all such domains' mails (where MX is pointing to a particular host) via a different network. I don't have a list of all such domains, only the MX host is known. Can there be any such configuration in postfix?

Thanks
Ram
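For the socketmap-based transport(5) daemon that Viktor's reply in this thread describes, here is an added example in Python; it is my illustration, not Postfix code and not something posted on the list. It speaks the socketmap netstring protocol (request "<map> <key>", replies "OK <transport>", "NOTFOUND ", "TEMP"/"PERM" with a reason), answers "transport" queries with a transport that bypasses the relayhost when the domain's MX is the problem host, NOTFOUND otherwise (so the lookup falls through to the remaining transport_maps and the relayhost), and returns the retry: transport the reply recommends on a DNS temp-fail. The MX host name, the "smtp-alt" master.cf transport (assumed to exist with its own smtp_bind_address), port 2525 and the canned DNS data are all assumptions for the example; a real daemon would replace fake_mx_lookup with a resolver call.

```python
import socketserver

# Assumptions for this example (not from the thread): the MX host whose domains must bypass
# the relayhost, and a master.cf transport "smtp-alt" with its own smtp_bind_address.
PROBLEM_MX_HOSTS = {"mx.blocking.example"}
ALT_TRANSPORT = "smtp-alt:"                            # empty nexthop: Postfix resolves the MX itself
RETRY_TRANSPORT = "retry:4.1.2 MX resolution failed"   # transport to return on a DNS temp-fail


class TempFail(Exception):
    """Raised by the MX lookup on SERVFAIL or timeout."""


# Constructed stand-in for DNS; a real daemon would query a resolver (e.g. dnspython)
# and raise TempFail on a temporary error.
FAKE_MX = {
    "blocked.example": ["MX.Blocking.example."],
    "fine.example": ["mx1.fine.example.", "mx2.fine.example."],
}


def fake_mx_lookup(domain):
    if domain == "flaky.example":
        raise TempFail("SERVFAIL")
    return FAKE_MX.get(domain, [])


_cache = {}   # domain -> reply; qmgr's transport lookups are serialized, so hits are cheap


def lookup(mapname, key, mx_lookup=fake_mx_lookup):
    """Reply text (without netstring framing) for one socketmap query."""
    if mapname != "transport":
        return "PERM unknown map " + mapname
    if key.startswith("."):                  # parent-domain probe: MX is per domain, say nothing
        return "NOTFOUND "
    domain = key.rpartition("@")[2].lower()  # keys arrive as user@domain or domain
    if domain in _cache:
        return _cache[domain]
    try:
        hosts = {h.lower().rstrip(".") for h in mx_lookup(domain)}
    except TempFail:
        return "OK " + RETRY_TRANSPORT       # deliberately not cached
    reply = ("OK " + ALT_TRANSPORT) if hosts & PROBLEM_MX_HOSTS else "NOTFOUND "
    _cache[domain] = reply
    return reply


def encode_netstring(payload):
    return b"%d:%s," % (len(payload), payload)


def decode_netstring(buf):
    """(payload, remainder) for the first complete netstring in buf, or None if more bytes are needed."""
    length, sep, rest = buf.partition(b":")
    if not sep:
        if len(length) > 9:
            raise ValueError("netstring length field too long")
        return None
    n = int(length)
    if len(rest) < n + 1:
        return None
    if rest[n:n + 1] != b",":
        raise ValueError("netstring missing terminator")
    return rest[:n], rest[n + 1:]


def reply_for(payload):
    """One full exchange: request payload b'<map> <key>' -> framed reply."""
    mapname, _, key = payload.decode("utf-8", "replace").partition(" ")
    return encode_netstring(lookup(mapname, key).encode())


def handle_request(raw):
    payload, _ = decode_netstring(raw)
    return reply_for(payload)


class SocketmapHandler(socketserver.StreamRequestHandler):
    """Postfix keeps one connection open and sends requests back to back on it."""

    def handle(self):
        buf = b""
        while chunk := self.request.recv(4096):
            buf += chunk
            while (parsed := decode_netstring(buf)) is not None:
                payload, buf = parsed
                self.wfile.write(reply_for(payload))
                self.wfile.flush()


if __name__ == "__main__":
    # main.cf: transport_maps = socketmap:inet:127.0.0.1:2525:transport
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), SocketmapHandler) as server:
        server.serve_forever()
```

Postfix is pointed at it with transport_maps = socketmap:inet:127.0.0.1:2525:transport, listed ahead of any existing tables. The per-domain cache is there because, as the reply warns, qmgr blocks on every lookup; the consolidation of concurrent requests for the same pending domain that the reply also calls for is left out of this example.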
keeping off brute force password attempts
I am seeing a surge in the number of password attempts both at my postfix smtp servers as well as imap servers. These attacks seem to be targeted since the attempts are made at correct userids. At one instance I have seen mails being sent impersonating a valid sender asking for money to be transferred for some service. This makes it very risky. I tried implementing banip and blocked a few ips but that did not work for long. Many customers are behind a single gateway and when someone has an old account configured on some device the number of failed attempts crosses the threshold easily. So I end up blocking a good ip address. I guess this must be a common problem. Is there a standard "good practices" list to keep these scammers/spammers off?
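An added example, not from the thread, of the triage this post is asking for: count SASL authentication failures per client IP from smtpd's warning lines, but separate an IP that fails against several different (correct) usernames from an IP that fails repeatedly against a single username. The second pattern is the forgotten device behind a shared customer gateway, where blocking the IP hurts every good user behind it; the better response there is to lock or notify the one account. The sample lines are constructed; the trailing sasl_username= field on the failure line is assumed present (newer Postfix releases log it; without it only the per-IP counts are available), and the year is supplied because syslog timestamps lack one.

```python
import re
from collections import defaultdict
from datetime import datetime

# smtpd's SASL failure warning; the ", sasl_username=..." tail is assumed (optional in the regex).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+/smtpd\[\d+\]: warning: "
    r"(?P<host>\S+)\[(?P<ip>[\d.:a-fA-F]+)\]: SASL (?P<mech>\w+) authentication failed"
    r"(?:.*?, sasl_username=(?P<user>\S+))?")


def parse_ts(ts, year=2018):
    # syslog timestamps carry no year; the constructed sample is dated 2018
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()


def max_in_window(times, window):
    """Largest number of events inside any window of `window` seconds (two-pointer sweep)."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify(lines, window=600, burst=10, spray_users=3):
    """Per source IP: failure count, peak failures per window, distinct usernames, verdict.

    spray         burst against several usernames -> block the IP
    stale-client  burst against one username -> lock/notify that account, leave the IP alone
    ok            below the burst threshold
    """
    per_ip = defaultdict(lambda: {"times": [], "users": set()})
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        rec["times"].append(parse_ts(m["ts"]))
        if m["user"]:
            rec["users"].add(m["user"])
    report = {}
    for ip, rec in per_ip.items():
        peak = max_in_window(rec["times"], window)
        if peak >= burst and len(rec["users"]) >= spray_users:
            verdict = "spray"
        elif peak >= burst:
            verdict = "stale-client"
        else:
            verdict = "ok"
        report[ip] = {"failures": len(rec["times"]), "peak": peak,
                      "users": len(rec["users"]), "verdict": verdict}
    return report


def make_sample():
    """Constructed maillog lines: one spraying IP, one stale client behind a NAT gateway, one typo."""
    tmpl = ("Jul 12 18:{m:02d}:{s:02d} mx1 postfix/smtpd[4{n:03d}]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure, sasl_username={u}")
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    lines = []
    for i in range(12):   # 203.0.113.7 walks six real accounts inside two minutes
        lines.append(tmpl.format(m=20 + i // 6, s=(i % 6) * 10, n=i, ip="203.0.113.7", u=users[i % 6]))
    for i in range(15):   # 198.51.100.4 fails for the same account every 40 s for ten minutes
        lines.append(tmpl.format(m=20 + (i * 40) // 60, s=(i * 40) % 60, n=100 + i,
                                 ip="198.51.100.4", u="alice"))
    lines.append(tmpl.format(m=25, s=1, n=200, ip="192.0.2.9", u="bob"))   # two mistypes
    lines.append(tmpl.format(m=25, s=9, n=201, ip="192.0.2.9", u="bob"))
    return lines


if __name__ == "__main__":
    for ip, info in classify(make_sample()).items():
        print(ip, info)
```

The same split applies to the IMAP side: a fail2ban-style rule that only counts failures per IP cannot tell these two cases apart, which is exactly why it kept blocking good gateways here.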
add a recipient in a policy daemon
How can I add a bcc recipient using a policy daemon? I have written a custom policy daemon, and the logic requires that for some conditions the mail needs to be bcc'ed to a program. Can this be done?

Thanks
Ram
Re: add a recipient in a policy daemon
On 09/11/2015 08:01 PM, Wietse Venema wrote:
> Ram:
>> How can I add a bcc recipient using a policy daemon? I have written a custom policy daemon, and the logic requires that for some conditions the mail needs to be bcc'ed to a program. Can this be done?
>
> Postfix 3.0 and later:
>
>     BCC user@domain
>         Send one copy of the message to the specified recipient.

So can I write in my perl policy filter something like

    if($condition) { print STDOUT "bcc scr...@domain.com"; }
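An added example of the policy delegation protocol with the BCC action Wietse quotes (Postfix 3.0 and later); it is my illustration in Python, not code from the thread, and the Perl fragment above stays the author's. The daemon reads the name=value attribute block Postfix sends, decides, and answers with an action= line followed by an empty line, which is the shape the reply must take. The condition (envelope sender domain in an archive list) and the archive recipient are placeholders chosen for the example.

```python
import sys

# Hypothetical rule for this example: mail whose envelope sender is in one of these domains
# gets an extra copy delivered to an archiving address (both values are placeholders).
ARCHIVE_SENDER_DOMAINS = {"corp.example"}
ARCHIVE_RCPT = "archive@compliance.example"


def parse_request(lines):
    """Collect the 'name=value' lines of one policy request (up to the empty line) into a dict."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Action string for one request, in access(5) syntax."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    if domain in ARCHIVE_SENDER_DOMAINS:
        return "BCC " + ARCHIVE_RCPT   # Postfix 3.0+: one extra copy to this recipient
    return "DUNNO"


def format_response(action):
    # The reply is 'action=<action>' followed by an empty line.
    return "action=" + action + "\n\n"


def serve(inp, out):
    """Handle back-to-back requests on one connection (spawn(8) hands us stdin/stdout)."""
    it = iter(inp)
    while True:
        attrs = parse_request(it)
        if not attrs:          # EOF: Postfix closed the connection
            return
        out.write(format_response(decide(attrs)))
        out.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

It runs under spawn(8) like any other policy daemon, e.g. in master.cf "policy unix - n n - 0 spawn user=nobody argv=/usr/local/bin/bcc_policy.py" (the path is a placeholder) and check_policy_service unix:private/policy in smtpd_recipient_restrictions.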
Re: Is the development of Milters still encouraged
On 06/25/2015 06:31 PM, Viktor Dukhovni wrote:
> On Thu, Jun 25, 2015 at 02:07:37PM +0530, Ram wrote:
>> I see that milter.org has been shut down.
>
> A commercial decision by the new owners of Sendmail. This does not remove support for the milter API from Postfix.
>
>> Now I am wondering if milters are the recommended way for extracting data, or perform some changes to mail in transit.
>
> They are a way to do so.

Ok, that sounds fine. I am not sure where milter specific questions now go? If I were to use a multithreaded C milter, and I need to use a redis handle (not thread safe), how do I maintain a persistent redis handle so that I don't have to connect to redis for every mail?
Is the development of Milters still encouraged
I am currently using a custom milter to copy the mail for our archiving software, with original envelope information. I see that milter.org has been shut down. Now I am wondering if milters are the recommended way for extracting data, or perform some changes to mail in transit. What are the other options in postfix?

Thanks
Ram
Re: Issues using Postfix behind a load balancer
On 01/07/2015 10:40 PM, Brad Riemann wrote:
> Hello! First time caller, long time listener. I've been working on a new mail filtering solution for our company that revolves around the solution receiving inbound mail through a load balancer. We have come upon an issue that I am not finding any sort of documentation or notes that others have experienced.
>
> We are using a load balancer behind a NAT, that distributes the inbound emails to a clustered mail scanning solution (we have been having issues with our current solution where the existing servers are overloaded, and this gives us the ability to plug and play new servers with zero DNS adjustments). Now, our load balancer hands off the message to the first available postfix server, and we get headers that look like the following (after postfix picks it up).
>
> --
> Received: from batch.email.flyfrontier.com (edge1.dc1.domain.com [172.16.4.#])
>     by mta02.dc1.domain.com (Postfix) with ESMTP id ###
>     for u...@domain.com; Wed, 7 Jan 2015 10:48:52 -0600 (CST)
> --
>
> The issue, if you don't see it, is that postfix seems to be using the load balancer IP as the last hop, and because the load balancer is just pushing content through it is not recording the previous hop to the headers, which is causing some issues.

This seems to be a firewall NAT issue. The load balancer would add a hop if it is on the application layer. What is the load balancer you are using? We use LVS and we always get the IP of the smtp client machine on postfix, not the load balancer IP.

Thanks
Ram
Re: Smtp auth from a hash or cdb file
On 12/19/2014 03:16 PM, li...@rhsoft.net wrote:
> On 19.12.2014 at 08:53, Ram wrote:
>> Can I use postfix smtpauth with a hash or cdb file? sasldb2 file is unfriendly, because that requires command line to add / modify. I want to have this fully automated using a UI.
>
> no - cyrus SASL is just a provider for postfix and postfix as consumer doesn't even have access to the passwords at all - so cyrus doesn't know anything about postfix table types

Ok fine. Is there any other file based approach that does not use a provider?

>> Currently the users are authenticating against a remote mysql table, but I want to remove the DB dependency in realtime
>
> why?

Because the DB is a remote machine with a not so good line. I could probably create a table replication for authentication but I was hoping for something simpler.

> if it ain't broken don't fix it
Smtp auth from a hash or cdb file
Can I use postfix smtpauth with a hash or cdb file? sasldb2 file is unfriendly, because that requires command line to add / modify. I want to have this fully automated using a UI. Currently the users are authenticating against a remote mysql table, but I want to remove the DB dependency in realtime.

Thanks
Ram
Convert all envelope ids to lowercase
Is there a simple way I can configure postfix to convert all Envelope From and To addresses to lowercase before delivery? I believe postfix internally converts all ids to lowercase while doing hash map lookups. I need this because that will save all unnecessary tolower() function calls in all reporting modules.
Use a different smtp_bind_address for fallback
Today I use in master.cf:

    smtp      unix  -       -       n       -       -       smtp -o smtp_bind_address=X.X.X.X -o fallback_relay=newhost

But I have a requirement that the fallback mails should be sent via a different smtp_bind_address. How can I specify this in smtp fallback?

Thanks
Ram
Re: Use a different smtp_bind_address for fallback
On 07/09/2013 04:24 PM, Wietse Venema wrote:
> Ram:
>> Today I use in master.cf
>>     smtp unix - - n - - smtp -o smtp_bind_address=X.X.X.X -o fallback_relay=newhost
>> But I have a requirement that the fallback mails should be sent via a different smtp_bind_address. How can I specify this in smtp fallback?
>
> You configure this in the newhost MTA.

I want the fallback mail to go via a new bind address. I can not specify -o fallback_relay=smtpnew:[newhost]

> 	Wietse
Re: Use a different smtp_bind_address for fallback
On 07/09/2013 05:33 PM, Wietse Venema wrote:
> Ram:
>> On 07/09/2013 04:24 PM, Wietse Venema wrote:
>>> Ram:
>>>> Today I use in master.cf
>>>>     smtp unix - - n - - smtp -o smtp_bind_address=X.X.X.X -o fallback_relay=newhost
>>>> But I have a requirement that the fallback mails should be sent via a different smtp_bind_address. How can I specify this in smtp fallback?
>>>
>>> You configure this in the newhost MTA.
>>
>> I want the fallback mail to go via a new bind address. I can not specify -o fallback_relay=smtpnew:[newhost]
>
> There are a bazillion things that you can't specify with fallback_relay or other Postfix parameters. I document only the things that are promised to work.

I guess I understand that. But I think the requirement would be reasonable. If I have 2 networks I may need to have different bind addresses. On the fallback_relay, can I specify any command line parameter?

> Postfix does not support multiple smtp_bind_address settings. If you really need that then you can use some network address/port translation rule in the IP stack.
>
> 	Wietse
multiple auth methods for smtpd
Is it possible to use 2 different methods of authentication on smtpd based on userids? Some users authenticate against ldap, some authenticate against, say, a database.
How to quarantine a mail at milter
I am using a custom milter in my postfix to implement policy restrictions. If I want to quarantine a mail, what should I return? The milter site explains a function called quarantine: https://www.milter.org/developers/api/smfi_quarantine Do I just make a call to this function in the eom() and the mail will get quarantined? I am not getting any samples of this.

Thanks
Ram
Multiple owners in smtpd_sender_login_maps
I have a requirement of 2 different users using the same sender email address. I found a very old patch for doing this in postfix: http://permalink.gmane.org/gmane.mail.postfix.devel/4 Is this patch still the only way of doing multiple owners?

Thanks
Ram
Realtime log reporting when postfix delivers mails
I have a postfix server sending out mails and we are creating reports by parsing the maillogs using a couple of perl cron scripts (linux machine with mysql). Now the requirement is of realtime reporting. I tried using rsyslog with a mysql table. But the performance is far too bad. Rsyslog seems to have some memory leak and it brings down the machine. I guess realtime logging should be a very common requirement. What is the best way for this?

Thanks
Ram
250 Data Dropped
Hi

Am facing this issue for certain time. The logs:

Feb 28 15:54:32 mail postfix/smtp[529]: EF95621C0FA1: to=x...@gmail.com, relay=gmail-smtp-in.l.google.com[173.194.79.26]:25, delay=2.2, delays=0.15/0/0.96/1.1, dsn=2.0.0, status=sent (250 Data Dropped)

This does not happen to all mails. Neither does the sender receive a bounce, nor does the sender get the message!!! Can someone please assist me on how to go about and resolve this issue?

Thanks
Regards
Ram
Re: Send mails use the same source IP across multiple servers
On 12/15/2012 08:48 PM, Wietse Venema wrote:
> Ram:
>> Hi, I have a slightly OT question. If I have to use a single IP for a sender domain to the internet, but yet the mails may get sent from different servers, what is the best way for doing it? The requirement is because the volumes are too large for a single machine to handle but the client still wants to send the mails using a dedicated IP.
>
> You want to share one dedicated external source IP address among multiple Postfix SMTP clients.
>
> If there were only one dedicated external source IP address, then a NAT router would suffice. Otherwise, multiple Postfix SMTP clients have to send their mail through an intermediate server that owns the dedicated external source IP address.
>
> 1) Use one proxy server or SMTP server per dedicated external source IP address (multiple servers may run on the same OS instance), and configure your Postfix SMTP clients with sender_dependent_relayhost_maps.
>
> 2) Use a SOCKS server for one or more dedicated external source IP addresses. This would require an extension of the SOCKS protocol such that the Postfix SMTP client can specify both the local and the remote IP address for a connection.

Option 2 seems perfect. Please, is there an SMTP over SOCKS example somewhere I can use? I am not able to find any.
Send mails use the same source IP across multiple servers
Hi

I have a slightly OT question. If I have to use a single IP for a sender domain to the internet, but yet the mails may get sent from different servers, what is the best way for doing it? The requirement is because the volumes are too large for a single machine to handle but the client still wants to send the mails using a dedicated IP.

Thanks
Ram
Block ip address on ratelimit
Our client's postfix servers are frequently getting attacks using compromised accounts. In most cases it seems the spammer simply uses a phished username/password, sends a whole lot of 419ers until we manually change the password, but the damage is already done. Implementing ratelimits is not really helping because ultimately the mail will go through after the anvil time. Since the legitimate users are extremely low email users, I can safely block anyone permanently who sends more than 1 mail in 10s with zero FPs. How can I do this?

Thanks
Ram
Re: postfix dimensioning
On 11/01/2012 11:49 AM, mancyb...@gmail.com wrote:
> Hi All, first post here, nice to meet you :)
> I've been using postfix and dovecot for years but always with few users. Now I must build a server for 1500 users; they will use various email software (thunderbird, outlook, ..), the webmail (I'm not sure if squirrelmail or roundcube) and blackberry devices (with the BIS service). There will be around 1000 domains (virtual_domains) and postfix will read its users and domains from mysql. I already have the hardware, it is a server with 4 physical cpu (Intel Xeon E5504 @ 2.00GHz) and 24 GB of RAM, do you think it is enough?

Usually postfix would not be the bottleneck for any mail server. You need to size for dovecot in your case. And sizing would be impossible unless you know how many mails / hr or concurrent imap / pop connections you are going to get. Please size your dovecot server accordingly. The disk I/O will also be very important when you size dovecot.

Thanks
Ram

PS: 1500 users with 1000 domains means hardly 2 users per domain. Are these right numbers?
Specify alternate delivery for expired mails
I want to redirect all mails that expire after maximal_queue_lifetime to a program that will parse these mails and then send an appropriate error. Can I do this with postfix?

Thanks
Ram
Re: Specify alternate delivery for expired mails
On 10/29/2012 05:28 PM, Wietse Venema wrote:
> Ram:
>> I want to redirect all mails that expire after maximal_queue_lifetime to a program that will parse these mails and then send an appropriate error. Can I do this with postfix?
>
> That is not documented, therefore that is not implemented.
>
> Postfix uses the same text for bounced mail as too old mail. See: http://www.postfix.org/bounce.5.html

The problem is when the mail has been on my postfix relay server for 5 days and then the mail bounces back, postfix does not log for which recipient the mail failed. To trace the qid through five days of maillogs on a busy server to get all the recipients for whom the mail expired is not possible. Is there a better way out to simply log all failed recipients?

Thanks
Ram
Re: Specify alternate delivery for expired mails
On 10/29/2012 06:54 PM, Wietse Venema wrote:
> Ram:
>> On 10/29/2012 05:28 PM, Wietse Venema wrote:
>>> Ram:
>>>> I want to redirect all mails that expire after maximal_queue_lifetime to a program that will parse these mails and then send an appropriate error. Can I do this with postfix?
>>>
>>> That is not documented, therefore that is not implemented.
>>>
>>> Postfix uses the same text for bounced mail as too old mail. See: http://www.postfix.org/bounce.5.html
>>
>> The problem is when the mail has been on my postfix relay server for 5 days and then the mail bounces back, postfix does not log for which recipient the mail failed.
>
> Postfix logs the recipients when the last delivery attempt fails. Shortly after the failure, Postfix returns the failed recipients in the body of the returned message. If you are the sender, then Postfix will return that message to you.

The problem is this is just a relay server. I just need to show a report of every mail that entered the system. If it were possible, please consider if we can have an alternate delivery mechanism for expired messages.

Thanks
Ram

> 	Wietse
Re: Catch-all problem
On 10/04/2012 04:30 PM, DN Singh wrote:
> Hello group,
> I want to implement a catch-all address on my system. This is a very simple setup where the users are system users. Hence, the unrouted mail should go to user bounce. After searching documentation I implemented virtual_alias_maps. But, all mails are going to the address rather than unrouted ones. Please let me know what is wrong. The virtual file is as below:
>
>     @sub.domain.tld    bounce

You will have to put all your users in the virtual_alias_maps, not just the catchall entry, so it will be like:

    us...@sub.domain.tld    DUNNO
    us...@sub.domain.tld    DUNNO
    ..
    @sub.domain.tld         bounce
Envelope headers in always_bcc
Can I get information on envelope recipients when I do an always_bcc? This is required if I use always_bcc to send to an archiving program. Unless I get envelope recipients I will never get the original recipients of the mail, which is required for compliance purposes. The recipients mentioned in the header need not be the recipients of the mail.

Currently I have written a milter to manually insert the envelope recipients and then create a separate copy of the mail to send to archive. This seems an unnecessary exercise if postfix had the feature in itself. This is similar to envelope journaling offered by exchange.

This was probably discussed here long back .. http://tech.groups.yahoo.com/group/postfix-users/message/286167
Is there any workaround available now?

Thanks
Ram
Re: Non-Postfix mailbox store: separate domains, non-UNIX accounts
On Monday 25 June 2012 07:40 PM, Feel Zhou wrote:

Hello My friend
I read the documentation of virtual domain hosting, http://www.postfix.org/VIRTUAL_README.html, and use the next setting:
virtual_mailbox_domains = example.com ...more domains...
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual
My mail server is the first mx record of example.com in the DNS system. So I set the virtual domain of example.com with "Non-Postfix mailbox store: separate domains, non-UNIX accounts". Actually, my server got all the mail sent to example.com, but I don't know how to give these mails to the second mx record mail server of example.com. The documentation told me to use virtual_transport, and I have no idea how to use this setting. Who can do me a favor, my friend. Thanks for your time.

I assume your mail storage is on the second mx server. So the first MX server is just a gateway? In that case you don't require a virtual_transport. You just require a simple transport_maps entry. On the first server put in /etc/postfix/transport
example.com smtp:[secondmx.example.com]
That should help

Thanks
Ram

PS: If I got your problem wrong, I am sorry. Perhaps you should try explaining your problem better .. :-)
Gmail servers not accepting mails
I was wondering if others on this list are also facing this, gmail breaking off some connections. All my postfix mailq is increasing because gmail, sporadically, times out some connections.

Jun 1 07:40:37 mmail14 postfix/smtp[17190]: 8D3CD5E6D00: conversation with gmail-smtp-in.l.google.com[173.194.79.27] timed out while sending RCPT TO
Jun 1 07:40:38 mmail14 postfix/smtp[17097]: 289895E6D0B: conversation with gmail-smtp-in.l.google.com[173.194.79.27] timed out while sending RCPT TO
Jun 1 07:43:24 mmail14 postfix/smtp[17196]: 682755E6AB4: conversation with gmail-smtp-in.l.google.com[173.194.79.27] timed out while sending RCPT TO

I think I will have to reduce the backoff time in postfix, so that postfix does not learn that gmail is not accepting mails.

Thanks
Ram
Re: turn off mailer daemon returns
You can enable soft bounce. So NDR mails will be pending in the queue. But I am not sure you really want to do this. Why should you not notify senders of delivery failures? What is the real problem you want to solve?

On 06/01/2012 12:36 PM, Wael MANAI wrote:
Any idea?
On Thursday 31 May 2012 at 17:49 +0200, Wael MANAI wrote:
Hi everybody,
I would like to know if it's possible to prevent postfix from sending a MAILER DAEMON email back to the sender if something is wrong?
thanks in advance,
postfix9.2 patch for changing the dot response
Hi
I had been using a patch to postfix to change the postfix response to the smtp client after end of data: http://archives.neohapsis.com/archives/postfix/2008-04/1032.html
This patch had been working until postfix 2.8.x ... unfortunately now it does not seem to work. It would be very helpful if someone got it working on postfix 2.9.

Thanks
Ram
Re: I want to route all email to a second server.
On Fri, 2012-02-17 at 15:43 -0500, Rich wrote:
I have a postfix with lotus notes setup. That piece is working fine. I use a transport map entry to send the email to the Domino server. What I want to do is send all incoming and outgoing mail to a second server that will be for historical purposes. I will be using cyrus as the mailstore. My challenge is to set up the postfix mail-relay I have in place to send all the email to both the main domino server and the historical cyrus box. How can I do this?

Do you have all the users created on the cyrus box too? In that case
1) create a recipient_bcc_maps regexp file. For eg
/^(.*)@example.com$/ {$1}@cyrus.example.com
2) Define in the transport hash file to send to cyrus directly via lmtp on tcp, or send to another smtp server on the cyrus box. For eg.
cyrus.example.com lmtp:[cyrus.example.com]:24
3) Rewrite the recipient address before sending using lmtp_generic_maps. For eg
@cyrus.example.com @example.com

That should work AFAIK, please test it before you implement though :-)

Thanks
Ram

PS: You seem to have historic reasons for sending to cyrus; in fact it should be the other way around. Get rid of the domino and make the cyrus server the primary server. Domino breaks a lot of standards and there is hardly any reason why you should prefer it over cyrus.
Re: spam to postmaster
On Fri, 2012-02-17 at 15:49 -0600, /dev/rob0 wrote:
On Fri, Feb 17, 2012 at 03:59:22PM -0500, Peter Blair wrote:
On Fri, Feb 17, 2012 at 3:54 PM, Reindl Harald h.rei...@thelounge.net wrote:
how do other people act with such braindead sh**t?
Look into greylisting it. You'll find that greylisting could very well deal with most of the bots that things like zen.spamhaus.org would normally deal with. And strictly speaking, you're not filtering it -- just making a policy decision to not accept the transaction before the DATA section ;)
Personally I do not consider strict RFC interpretation to be worth more than the time it takes to sort through the garbage. All my mail is subjected to Zen and BRBL blockage (with DNSWL and SWL exceptions allowed.) Very little spam here since I decided to do that. (Most of what does get through is to the postmaster addresses, however.) postscreen/smtpd_reject_footer is a safety net. A real sender can view that and figure out alternate means of contact. That has not happened in the time since smtpd_reject_footer was implemented here. I'd much rather give someone a rejection, than accept their mail and miss it in a flood of spam.

I agree. When really flooded with spam, you would probably miss a real abuse complaint. But there are cons of scanning the postmaster messages too. Most complaints too will get hit as spam.

I manually delete the spam messages that come to my abuse@ id, but not before feeding it to a program that automatically creates URI and domain blacklists. These spammers are then blocked from sending to abuse@ addresses.
rfc822 regex
I am trying to validate email ids of subscribers coming to my site. Is there a standard regular expression for email id syntax that conforms to rfc822? I want to avoid junk entries from entering my database. Postfix already checks this syntax in RCPT-TO, but is this regex available already?

Thanks
Ram
Redirect all bounces to a particular id
Can I configure my postfix server to send all bounces to a single mailbox, instead of the sender of the mail?
Re: Is there a RHSBL for parked domains?
On 10/13/2011 02:37 AM, Ralf Hildebrandt wrote:
* Noel Jones njo...@megan.vbhcs.org:
You might be able to do something with check_recipient_mx_access.
Mostly, these domains have no MX, but only an A record. But yes, I haven't yet checked if they all resolve to but a few IPs.

Since all the non existing domains are now being typo-squatted with A records and MX records too. What I saw is that most of these domains use common MX or NS records. I use check_recipient_mx_access and reject these mails at SMTPD. I typically reject all mails where MX points to mx.fakemx.net, or mxs1.tradenames.com .. among others.

Of course getting users to use the addressbook is the correct thing, but when you have far too many users from different cities this may not be easy.
NDR should show orig-to
I have a cluster of mailservers, so when a mail arrives it is sent to the actual recipient by using virtual alias maps. How can I configure postfix to send NDR's like quota bounces with the original recipient address and not the expanded alias?

Thanks
Ram
Re: BCC in access type
On 10/01/2011 06:43 PM, Wietse Venema wrote:
Ram:
According to the access Manpage http://www.postfix.org/access.5.html the BCC option for an access lookup is not supported. When will support for BCC be added?

According to the HISTORY file:

20070405
Feature: BCC access/policy action, to demonstrate that this is not a good feature. The action's behavior is non-intuitive and requires too much documentation to explain. It's therefore snapshot only. File: smtpd/smtpd_check.c.

Among the limitations are: the BCC access/policy action can't be used in the before-smtpd_proxy_filter smtpd process, and it can't be used with smtpd_delay_reject=no before the MAIL FROM command (these limitations also apply to FILTER, HOLD, DISCARD, REDIRECT). These limitations don't exist with recipient/sender_bcc_maps; every match will add a BCC recipient. The differences between _bcc_maps and BCC in access maps make the feature non-intuitive. And intuitive it has to be, because many people assume that Postfix documentation is as useless as other documentation.

Is there a patch file available for 2.8.2 :-)
BCC in access type
According to the access Manpage http://www.postfix.org/access.5.html the BCC option for an access lookup is not supported. When will support for BCC be added?

Thanks
Ram
Re: Write a mail directly to postfix queue
On 08/20/2011 12:27 AM, Stan Hoeppner wrote:
On 8/19/2011 10:50 AM, Noel Jones wrote:
But from the volume you've described, you'll have trouble without using specialized hardware.
Or a small outbound relay farm comprised of, say, 4 relatively low end boxen, each with a low power dual core CPU, 8GB RAM, and a ~100GB SSD. Rewrite the app to submit via SMTP.

The actual outbound is indeed a relay farm of outgoing mail servers behind LVS. The application server is just a generation box. And that is where the bottleneck is. An application change is anyway required, but what I would probably have to do is make parallel smtp connections (which will be much more complex to write :-) )
Write a mail directly to postfix queue
One customer of ours wants to send research reports to all his partners instantly after the data is available. Our custom application generates the mail files with the attachments (personalized per recipient). These files are then read by an independent daemon and sent to postfix smtpd with multiple connections. The biggest bottleneck to this system is the disk I/O (15k rpm SAS drives).

To avoid the double write to disk, can I write to the postfix queue directly using some postfix library? I don't want to make smtpd connections in the app because that slows down the app significantly, and also this is a serialized process. So sending mails serially slows down the general delivery.

Thanks
Ram
Re: Write a mail directly to postfix queue
On 08/19/2011 07:59 PM, Wietse Venema wrote:
Ram:
One customer of ours wants to send research reports to all his partners instantly after the data is available.
Why not put the report on a website and send the partners email with a hyperlink?

The partners want them mailed .. just a (stupid ?) business requirement.

The biggest bottleneck to this system is the disk I/O. ( 15k rpm SAS drives )
Why not send ONE COPY of the report with multiple recipients?

These are personalized. Every partner gets his own data.

To avoid the double write to disk can I write to postfix queue directly using some postfix library
Direct Postfix queue access is not and will never be supported.

I think I will have to make my app parallel processing. But is there a reason why you should not make a postfix-devel package :-) Postfix has an impressive set of features; this could be one of them too.
Re: Write a mail directly to postfix queue
On 08/19/2011 07:50 PM, Reindl Harald wrote:
On 19.08.2011 16:05, Ram wrote:
I don't want to make smtpd connections in the app because that slows down the app significantly and also this is a serialized process. So sending mails serially slows down the general delivery
it is a bad design to send huge bulk and normal mail-traffic with the same server/ip: a) your slowing down problem, b) the reputation of this machine will be degraded sooner or later

Why reputation? These are mails which partners pay to receive, not spam. Also the numbers are not too huge. It could be 50k-100k mails .. only that they have to get sent ideally within 10 minutes.
Immediately bounce mails stuck to typosquatted domains
I have had many instances of people typoing their recipients' email domains, and the typo domain does not accept mails. Like for instance mail for u...@yahoo.com is sent to u...@tahoo.com. Mail to these domains (typosquatted?) gets stuck in my queue until 4 days, when the mail is actually bounced after expiry. And I cannot decrease my expiry time. The original sender receives the NDR log very late and is not very happy that he wasn't informed of the typo earlier. (The queue delay warning .. satisfies some of the requirement though.)

I have seen that usually a large number of the typosquatted (tahoo.com etc) all go to the same ip addresses, usually to some park server, which does not accept mails at all. Can I configure postfix in such a way that if mail is sent to these ip addresses, then bounce immediately? Or if the DNS is ns1.sedoparking.com etc.

Thanks
Ram
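The check_recipient_mx_access approach from the RHSBL thread above (rejecting at RCPT TO when a recipient domain's MX points at a known parking host) can be modelled to see which access-table keys will match before the table goes live. This is an added example, not Postfix source or anything posted in the thread: the DNS answers and the access table are constructed, and the lookup order (host name, then its parent domains, then the MX address and its prefixes, with DUNNO ending a chain) follows access(5) as I read it.

```python
"""Model of check_recipient_mx_access: match an access(5) table against the MX
hosts of a recipient domain.  Added example, not Postfix code.  The DNS data
and the access table are constructed so the script runs offline."""

# Constructed DNS: recipient domain -> [(MX host name, [its IPv4 addresses])].
# A domain with no MX record gets its own A record as the implicit MX.
FAKE_DNS = {
    'example.com':   [('mx.example.com', ['198.51.100.5'])],
    'tahoo.example': [('mxs1.parking.example', ['203.0.113.9'])],   # typo-squatted, parked
    'typo.example':  [('typo.example', ['203.0.113.77'])],          # no MX, implicit MX via A
}

# Constructed access table (lookup key -> action), as postmap would build it.
MX_ACCESS = {
    'parking.example': 'REJECT Recipient domain is parked, please check the address',
    '203.0.113':       'REJECT MX is hosted on a known parking network',
    'mx.example.com':  'DUNNO',
}


def hostname_keys(hostname, parent_matches=True):
    """Keys Postfix tries for a host name: the name itself, then each parent domain.
    With parent_domain_matches_subdomains (default for smtpd access maps) the parent
    is looked up bare; otherwise it must be written as '.parent' in the table."""
    name = hostname.lower().rstrip('.')
    labels = name.split('.')
    keys = [name]
    for i in range(1, len(labels)):
        parent = '.'.join(labels[i:])
        keys.append(parent if parent_matches else '.' + parent)
    return keys


def address_keys(ipv4):
    """Keys for an IPv4 address: the full address, then shorter dotted prefixes."""
    octets = ipv4.split('.')
    return ['.'.join(octets[:n]) for n in range(len(octets), 0, -1)]


def lookup_chain(table, keys):
    """Walk one key chain.  DUNNO (and OK, which this restriction does not allow)
    ends the chain without a result, so a broader parent pattern cannot override it."""
    for key in keys:
        action = table.get(key)
        if action is None:
            continue
        if action == 'DUNNO' or action.split()[0] == 'OK':
            return None
        return action, key
    return None


def check_recipient_mx_access(recipient, dns, table, parent_matches=True):
    """Return (action, matched_key) for the first MX host name or address that
    matches, or ('DUNNO', None) when nothing in the table applies.  Domains the
    constructed DNS cannot resolve are left to other restrictions here."""
    domain = recipient.rsplit('@', 1)[-1].lower()
    for host, addrs in dns.get(domain, []):
        chains = [hostname_keys(host, parent_matches)] + [address_keys(a) for a in addrs]
        for keys in chains:
            hit = lookup_chain(table, keys)
            if hit:
                return hit
    return 'DUNNO', None
```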
default_rbl_reply to silently discard mails
Hi,
How can I configure postfix to silently discard mails from ips listed in a DNS blacklist? default_rbl_reply=DISCARD does not work (obviously I made this up .. that was not documented anywhere :-) )

Thanks
Ram
Sample milter with gmime
Sorry for being OT here ;-)
I am writing a milter that will insert custom attachments into mails sent, depending on the recipient, and insert some text too. Is there a sample milter that I can build upon?

Thanks
Ram
Delivery rate drops soon after restart
I have a postfix (2.7) server where, as soon as I restart, the mails are moved rapidly from the incoming queue to active. But soon (after 5 minutes) the queue manager is left behind .. the incoming queue keeps increasing 10k+ but the active queue has hardly 10-15 mails. After checking http://www.postfix.org/QSHAPE_README.html#incoming_queue .. I have increased in_flow_delay to 10s, but that does not help. I wonder what happens when I restart postfix that the queue clearing is so fast for the first 5 minutes or so.

Thanks
Ram
Re: Delivery rate drops soon after restart
On 03/17/2011 10:11 PM, Victor Duchovni wrote:
On Thu, Mar 17, 2011 at 11:04:31AM -0400, Wietse Venema wrote:
Ram:
I have a postfix (2.7) server where as soon as I restart the mails are moved rapidly from incoming queue to active But soon ( after 5 minutes ) the queue manager is left behind .. the incoming queue keeps increasing 10k+ but active queue has hardly 10-15 mails
How many recipients in those 10-15 messages? What is the queue manager doing (strace, truss, ktrace, ...)?
I've seen cases (potential C-library or kernel issue) in which trivial-rewrite does not see a new request from the queue-manager until the queue-manager exits and only then does trivial-rewrite notice the queue-manager's lookup request. Report any warnings, or fatal messages logged by trivial-rewrite or qmgr.

Is there a known kernel issue? I am using a centos.plus kernel on 64 bit (rpm kernel-2.6.18-194.32.1.el5.centos.plus).

This performance is not consistent. Today the mail server is working just fine. The number of mails transacted is almost the same but there seems to be no issue now. Initially I had a similar issue but that was due to syslog (I had dabbled with syslog-ng .. then reverted to syslog and all was fine). But I would love to find the root cause why the queue manager is left behind at times.

Thanks
Ram
smtp_header_checks WARN chops long subjects while logging
I am using postfix smtp_header_checks to log subjects of mails. I have enabled WARN inside smtp_header_checks. But if I send a mail with a long subject then the subject gets chopped at some length (approx 50 chars). Is this documented somewhere (max length of WARN)? header_checks via cleanup don't seem to have any limit.

For eg.
MAIL FROM:r...@netcore.co.in
250 2.1.0 Ok
RCPT TO:r...@netcore.co.in
250 2.1.5 Ok
DATA
354 End data with CRLF.CRLF
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Mailer: MIME::Lite 3.027 (F2.77; T1.28; A2.04; B3.07_01; Q3.07)
Subject: This is a long subject of mail from ram to test if smtp_header_checks is working fine for 1
Message-Id: t4hc4wc1s2v8.1294402...@netcore.co.in
To: r...@netcore.co.in
Date: Fri, 07 Jan 2011 17:40:01 +0530
From: r...@netcore.co.in

This is a Test Mail Please Ignore
.
250 2.0.0 Ok: queued as DE2CC49A3E
QUIT
221 2.0.0 Bye

But the logs don't have the complete subject:

[...@darkstar ~]$ grep DE2CC49A3E /var/log/maillog
Jan 7 17:40:01 darkstar postfix/smtpd[5934]: DE2CC49A3E: client=darkstar.netcore.co.in[127.0.0.1]
Jan 7 17:40:01 darkstar postfix/cleanup[5943]: DE2CC49A3E: message-id=t4hc4wc1s2v8.1294402...@netcore.co.in
Jan 7 17:40:01 darkstar postfix/qmgr[5930]: DE2CC49A3E: from=r...@netcore.co.in, size=649, nrcpt=1 (queue active)
Jan 7 17:40:02 darkstar postfix/smtp[5946]: DE2CC49A3E: warning: header Subject: This is a long subject of mail from ram to test if
Jan 7 17:40:03 darkstar postfix/smtp[5946]: DE2CC49A3E: to=r...@netcore.co.in, relay=192.168.2.1[192.168.2.1]:25, delay=1.6, delays=0.08/0/0.01/1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F46C6CE0261)
Jan 7 17:40:03 darkstar postfix/qmgr[5930]: DE2CC49A3E: removed
[...@darkstar ~]$
Re: smtp_header_checks WARN chops long subjects while logging
On 01/07/2011 06:25 PM, Wietse Venema wrote:
Ram:
I am using postfix smtp_header_checks to log subjects of mails I have enabled WARN inside smtp_header_checks But If I send a mail with a long subject then the subject gets chopped at some length (approx 50 chars )
Postfix truncates EVERYTHING, especially when it is logged. The intention is to protect your file system against logfile flooding attack.
Wietse

That seems absolutely reasonable from a tech point of view. Unfortunately people have designed business processes based on reports of mails from applications that send mails. If this max_size_limit can be set to 100 chars then that should be enough. Anyway these are app generated mails sending transaction receipt info inside the Subject, so there is no security issue of log flooding in this controlled environment. I won't mind a recompile of postfix.

I was also wondering ... if there is a truncation of subject logging via smtpd/cleanup too. Apparently there seems to be none.

Thanks
Ram
Re: mailq command
On 11/11/2010 11:42 AM, Kaushal Shriyan wrote:
On Thu, Nov 11, 2010 at 11:38 AM, Sahil Tandon sa...@freebsd.org wrote:
On Thu, 2010-11-11 at 11:29:58 +0530, Kaushal Shriyan wrote:
is there a way to grep for sender email address using mailq command ?
Yes, if you mean the *envelope* sender address.
i did sudo mailq | grep senderemailaddress did not work
This is an insufficient problem description.
--
Sahil Tandon sa...@freebsd.org
Hi Sahil, so is there a way to find a particular emailid in mail.log or mailq for any sort of issues ?

Kaushal, what are you trying to do? If you are trying to trace a lost mail, look in your maillog (grep for sender or recipient if you like). If the mail was received, the mail may be sent, bounced, discarded or may be still in the queue. Anyway the entry will give you a clue.

Thanks
Ram
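Tracing a queue ID through the maillog, as the reply above suggests and as the smtp_header_checks thread does by hand with grep, is more reliable with a small script that groups every line by queue ID and reads off the final disposition (sent, bounced, expired, still queued, or never handed to qmgr). This is an added example, not code from the thread or from Postfix; the log lines are constructed in the default Postfix format with placeholder hosts and addresses (the Jan 12 lines stand in for a later day's log), and the parser assumes the standard "daemon[pid]: QUEUEID:" prefix.

```python
"""Trace queue IDs through a Postfix mail log.  Added example, not code from the
thread or from Postfix.  Assumes the default log line format; the sample below is
constructed with placeholder hosts and addresses."""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Jan  7 17:40:01 mx1 postfix/smtpd[5934]: DE2CC49A3E: client=app1.example.org[192.0.2.10]
Jan  7 17:40:01 mx1 postfix/cleanup[5943]: DE2CC49A3E: message-id=<report-1@app1.example.org>
Jan  7 17:40:01 mx1 postfix/qmgr[5930]: DE2CC49A3E: from=<reports@example.org>, size=649, nrcpt=1 (queue active)
Jan  7 17:40:02 mx1 postfix/smtp[5946]: DE2CC49A3E: warning: header Subject: This is a long subject of mail from
Jan  7 17:40:03 mx1 postfix/smtp[5946]: DE2CC49A3E: to=<alice@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=1.6, delays=0.08/0/0.01/1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F46C6CE0261)
Jan  7 17:40:03 mx1 postfix/qmgr[5930]: DE2CC49A3E: removed
Jan  7 17:41:10 mx1 postfix/smtpd[5934]: 1B2C3D4E5F: client=app1.example.org[192.0.2.10]
Jan  7 17:41:10 mx1 postfix/cleanup[5943]: 1B2C3D4E5F: message-id=<report-2@app1.example.org>
Jan  7 17:41:10 mx1 postfix/qmgr[5930]: 1B2C3D4E5F: from=<reports@example.org>, size=702, nrcpt=2 (queue active)
Jan  7 17:41:12 mx1 postfix/smtp[5947]: 1B2C3D4E5F: to=<bob@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=2.1, delays=0.1/0/0.5/1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0A1B2C3D4E)
Jan  7 17:41:12 mx1 postfix/smtp[5947]: 1B2C3D4E5F: to=<carol@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=2.1, delays=0.1/0/0.5/1.5, dsn=5.1.1, status=bounced (host mx.example.com[198.51.100.5] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jan  7 17:41:12 mx1 postfix/qmgr[5930]: 1B2C3D4E5F: removed
Jan  7 17:42:00 mx1 postfix/smtpd[5934]: 6A7B8C9D0E: client=app1.example.org[192.0.2.10]
Jan  7 17:42:00 mx1 postfix/cleanup[5943]: 6A7B8C9D0E: message-id=<report-3@app1.example.org>
Jan  7 17:42:00 mx1 postfix/qmgr[5930]: 6A7B8C9D0E: from=<reports@example.org>, size=655, nrcpt=1 (queue active)
Jan  7 17:42:31 mx1 postfix/smtp[5948]: 6A7B8C9D0E: to=<dave@tahoo.example>, relay=none, delay=31, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mxs1.parking.example[203.0.113.9]:25: Connection timed out)
Jan  7 17:43:00 mx1 postfix/smtpd[5934]: F0E1D2C3B4: client=app1.example.org[192.0.2.10]
Jan  7 17:43:00 mx1 postfix/cleanup[5943]: F0E1D2C3B4: message-id=<report-4@app1.example.org>
Jan 12 17:42:31 mx1 postfix/qmgr[5930]: 6A7B8C9D0E: from=<reports@example.org>, status=expired, returned to sender
Jan 12 17:42:31 mx1 postfix/qmgr[5930]: 6A7B8C9D0E: removed
"""

# Every per-message line: timestamp, host, syslog_name/daemon[pid]: QUEUEID: text
LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ [\w.-]+/(?P<daemon>[\w-]+)'
                     r'\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<msg>.*)$')
FROM_RE = re.compile(r'\bfrom=<([^>]*)>')
TO_RE = re.compile(r'\bto=<([^>]*)>')        # \b keeps this from matching orig_to=
ORIG_TO_RE = re.compile(r'\borig_to=<([^>]*)>')
STATUS_RE = re.compile(r'\bstatus=(\w+)(?: \((.*)\))?')
NRCPT_RE = re.compile(r'\bnrcpt=(\d+)')


def trace(log_text):
    """Group per-message log lines by queue ID and record what happened to each."""
    msgs = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not a per-message line
        ts, daemon, qid, msg = m.group('ts', 'daemon', 'qid', 'msg')
        rec = msgs.setdefault(qid, {
            'last_seen': ts, 'client': None, 'message_id': None, 'sender': None,
            'nrcpt': None, 'recipients': OrderedDict(), 'warnings': [],
            'in_qmgr': False, 'expired': False, 'removed': False})
        rec['last_seen'] = ts
        if msg.startswith('client='):                  # smtpd accepted the connection
            rec['client'] = msg[len('client='):]
        elif msg.startswith('message-id='):            # cleanup wrote the queue file
            rec['message_id'] = msg[len('message-id='):].strip('<>')
        elif msg.startswith('warning:'):               # e.g. a header_checks WARN line
            rec['warnings'].append(msg[len('warning:'):].strip())
        elif msg == 'removed':                         # qmgr deleted the queue file
            rec['removed'] = True
        elif daemon == 'qmgr' and (f := FROM_RE.search(msg)):
            rec['in_qmgr'] = True                      # queue manager picked it up
            rec['sender'] = f.group(1)
            if (n := NRCPT_RE.search(msg)):
                rec['nrcpt'] = int(n.group(1))
            s = STATUS_RE.search(msg)
            if s and s.group(1) == 'expired':          # exceeded maximal_queue_lifetime
                rec['expired'] = True
        elif (t := TO_RE.search(msg)):                 # a delivery attempt; the last one wins
            s = STATUS_RE.search(msg)
            o = ORIG_TO_RE.search(msg)
            rec['recipients'][t.group(1)] = {
                'status': s.group(1) if s else 'unknown',
                'detail': (s.group(2) or '') if s else '',
                'orig_to': o.group(1) if o else None}
    return msgs


def outcome(rec):
    """The dispositions the reply above lists, read off the collected lines."""
    if not rec['in_qmgr']:
        return 'never reached qmgr'
    if rec['expired']:
        return 'expired'
    if not rec['removed']:
        return 'queued'
    statuses = {r['status'] for r in rec['recipients'].values()}
    if 'bounced' in statuses:
        return 'partly bounced' if 'sent' in statuses else 'bounced'
    return 'sent' if statuses == {'sent'} else 'removed without delivery'


def failed_recipients(msgs):
    """(queue_id, recipient, reason) for every recipient the mail never reached,
    including those still deferred when the message expired."""
    out = []
    for qid, rec in msgs.items():
        for addr, r in rec['recipients'].items():
            if r['status'] == 'bounced':
                out.append((qid, addr, r['detail']))
            elif rec['expired'] and r['status'] == 'deferred':
                out.append((qid, addr, 'expired after: ' + r['detail']))
    return out
```

Run `trace()` over the real /var/log/maillog (or over a queue ID's grep output) and `failed_recipients()` gives the per-recipient failure list the expired-mail thread asks for without reading five days of logs by hand.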
Re: Postfix with AD and Exchange
On Sat, 2010-09-04 at 14:28 +0530, Ashwin Muni wrote:
Thanks Ram
But all my 1000 users are in AD and only few of them need to have mailboxes on exchange, how shall I bifurcate 250 users in exchange and rest 750 users in postfix. Again the idea of fetching valid users from AD is great, will script it.

Add users in the AD with some column to identify postfix users. For eg put pager=POSTFIX.
Re: client dependant relay
On Mon, 2010-09-06 at 14:22 +0300, Mihamina Rakotomandimby wrote:
Manao ahoana, Hello, Bonjour,
I would like to setup a specific relay host to some client IP address. How to? I already saw sender_dependent_relayhost_maps but it's per sender, not per client IP.

I think you can use this
smtpd_client_restrictions = check_client_access hash:/etc/postfix/ipfilter ... ..
--/etc/postfix/ipfilter
1.1.1.1 FILTER smtp1:
And in master.cf make sure smtp1 uses a different bind address
Re: Postfix with AD and Exchange
On Sat, 2010-09-04 at 12:11 +0530, Ashwin Muni wrote:
I am using exchange and want to migrate to postfix. The issue is users should be authenticated from Active Directory, and the other thing is I have got 1000 users from which 150 users will remain on exchange and the rest of the mailboxes will be created on postfix (Linux Box). The 750 users are actually not very important.
[ASCII diagram, garbled in extraction: Postfix on the Linux box, the Active Directory box, the Exchange server and local storage on the Linux box; the numbered steps below describe the flow]
1. Mail entering Postfix machine using Port 25
2. Authentication from AD if user exists and mailbox location
3. Results from AD
4. If user's mailbox is on exchange then deliver to exchange
5. Else deliver to postfix

Why do you want to query AD in real-time? Micro$$oft AD implements ldap very poorly and you will waste time on your postfix server waiting for AD replies. Instead do this
* Ldap query the AD server in the cron and get a list of all valid users with mailboxes.
* Create a transport file to deliver only these users to the Exchange; rest to your local delivery .. I assume you use lmtp
---/etc/postfix/transport
exch_us...@domain.tld smtp:[exchange.server.ip]
exch_us...@domain.tld smtp:[exchange.server.ip]
exch_us...@domain.tld smtp:[exchange.server.ip]
... ..
domain.tld lmtp:/path
* Just make sure the unknown users are rejected at the smtpd level before the mail enters inside.

Thanks
Ram

Any help appreciated.
--
Ashwin Muni
http://www.linuxmaza.com
Linux Tutorials and Howtos
transport_maps overrides sender_dependent_default_transport_maps
I have set up sender dependent transport maps for different clients to use different outgoing ips. From the document at http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps, transport_maps overrides sender_dependent_default_transport_maps. What I need to do is the reverse. For some senders, I always want to use a different transport regardless of what is there in the transport maps. What is the best way of doing this? If I use a FILTER rule, is FILTER more expensive than sender based maps?
smtp defer messages on smtp-auth error
One of our postfix servers relays outbound mails to a relay provider using smtpauth. There have been some issues that sporadically the relay provider's database returns auth-failure for valid accounts and the mail bounces. I know they have to fix the issue at their database end, but can I configure my postfix to defer mails if authentication fails, rather than bouncing them? For any other rejection, obviously, the mail has to be bounced back.

Thanks
Ram
build custom milter with milter_protocol=6
I have a custom milter for userwise blacklists/whitelists. I have been running with postfix 2.3.4. Now when I upgraded to postfix 2.7 I get this error:
can't read SMFIC_DATA reply packet header: Success
This works if I use milter_protocol=2. But how do I build my milter again with protocol=6? Is there any benefit to using protocol=6, and how can I measure the impact of using a lower protocol?

Thanks
Ram
Re: Speed up queue injection
On Sun, 2010-08-15 at 17:35 +0200, J. Roeleveld wrote:
On Friday 13 August 2010 19:58:38 Noel Jones wrote:
On 8/13/2010 8:22 AM, J. Roeleveld wrote:
On Friday 13 August 2010 14:23:51 Wietse Venema wrote:
Ralf Hildebrandt:
* Ram r...@netcore.co.in:
Mail in plain text format , mime encoded message
OK!
Currently I get 40/s - 45/s
That sounds normal. Any filtering (in these cases you should inject in a way that bypasses and filters)
But I want it to be at least 100/s
Two machines? relay boxes
Delivery is not at all an issue , because postfix gives it to further relay boxes which are under our control again.
Why not inject to the further relay boxes?
Do I need to increase the hardware
It could be :)
Other options: increase input concurrency, or play with in_flow_delay. Note that increasing your input rates will cause output rates to drop. It's all about competing for disk access.
Wietse
Further options, I think:
- Disable filtering (provided the only possible connections are related to these emails
Presumably the client would be in mynetworks, which should bypass most or all restrictions, so this is unlikely to make much difference. Unless you're doing something silly like 1000 body_check rules or using a content_filter or milter.
- put the queue on a ram-disk (8GB Ram, might leave 6GB for the queue, would this be sufficient?)
Putting the queue on ramdisk is only for spammers who don't particularly care if their mail is lost. But putting the queue on an enterprise-quality SSD would almost certainly help.

But Enterprise quality SSDs are so expensive. I can get an additional server and still save money. It seems I will have to break my app and scatter the mail creation across multiple servers to achieve higher injection.

Thanks
Ram
Re: Speed up queue injection
Hi,
On Fri, 2010-08-13 at 09:39 +0200, Ralf Hildebrandt wrote:
* Ram r...@netcore.co.in:
We have a requirement to send some research analysis mails as quickly as possible. Everyday after the data is available my app generates the mails in eml format in a directory.
What is eml format?

Mail in plain text format, mime encoded message.

Currently I have a perl script that makes parallel smtp connections on localhost and sends the mails.
This sounds good!
Should I send the mails on command line.
No, using the postfix sendmail binary is actually slower.
There are currently around 50k mails to be delivered ideally within 5-10 mins.
How fast are you now?
50.000/10min = 5.000/min = 83/s = that's a lot
50.000/50min = 10.000/min = 186/s = that's even more

Currently I get 40/s - 45/s. But I want it to be at least 100/s. Delivery is not at all an issue, because postfix gives it to further relay boxes which are under our control again. This is an 8GB RAM Centos 5.4 server with SAS discs. Do I need to increase the hardware?

Thanks
Ram
Speed up queue injection
We have a requirement to send some research analysis mails as quickly as possible. Everyday after the data is available my app generates the mails in eml format in a directory. These are personalized mails with attachments and have to reach the recipients instantly (in my customer's lingo ... research reports are useless after the market opens).

What is the quickest way of pushing EML files to postfix for delivery? Currently I have a perl script that makes parallel smtp connections on localhost and sends the mails. Should I send the mails on the command line? There are currently around 50k mails to be delivered ideally within 5-10 mins. I am only bothered about sending to postfix because delivery from there is already taken care of. Is there a better way, other than sending mails on the command line or SMTP? Something like an API to inject into the postfix maildrop.

Thanks
Ram
Re: Postfix queue on ramdisk: Insufficient system storage
On Thu, 2010-07-22 at 04:50 -0500, Stan Hoeppner wrote:
Patrick Ben Koetter put forth on 7/22/2010 2:11 AM:
* Stan Hoeppner s...@hardwarefreak.com:
Wietse Venema put forth on 7/21/2010 2:22 PM:
Ram:
One server of ours just accepts the mails from clients and then relays the mails to other servers. Since there is almost no mail queued on the server , I think it is will be good to mount /var/spool/postfix on a tmpfs partition.
You will lose all mail in the queue when the system crashes.
I agree with Victor that this is a really bad idea.
+3
If you truly have a _need_ for a super fast Postfix queue, I suggest using a good quality wear leveling SSD. You'll get random I/O performance many times greater than a 15k rpm disk, but with data persistence, unlike when using a ramdisk queue. There are many fast good quality SSDs available in various capacities for between $100-200 USD, in standard 2.5 and 3.5 hard disk mounting form factors.
You can get about 150 msg/sec at 100k on a single Postfix instance if you use a set of 10k rpm discs in a RAID 0 and server hardware.
If my math is correct, I believe Ram's relay server has a queue load of less than 15 msg/sec on average, which is easily handled by a single SATA disk. 50,000/hr = 50,000/3600 = 13.88 msg/sec
Ram, why are you considering ramdisk or SSD for your Postfix queues given that a regular disk would seem to handle your load rather easily? Or, is this more of a philosophical issue of not wanting to write anything to disk that isn't permanent?

You are right. If Postfix alone was running on this server it would be able to handle (50k-70k msgs/hr) with the given I/O. But there are other custom functions running on this machine. I was just considering ramdisk because that was the laziest way I could get rid of unnecessary IOPS to disk. Anyway I think I will go by what all you folk say. No ramdisk for postfix.

Thanks for the inputs.
Ram
Postfix queue on ramdisk: Insufficient system storage
One server of ours just accepts the mails from clients and then relays the mails to other servers. Since there is almost no mail queued on the server, I think it will be good to mount /var/spool/postfix on a tmpfs partition. The machine (linux Centos 5.4 + postfix 2.7) has enough memory free all the time. The ramdisk seems to work great. But sporadically some smtp clients are getting an error "Insufficient system storage". When will this happen? Does postfix find not enough space on the ramdisk? How can I find when this occurs?

Thanks
Ram
Re: What is the proper way to deal with non-existing e-mail addresses?
On Wed, 2010-07-21 at 08:47 +0200, Aniruddha wrote:
When somebody emails to a non-existing e-mail address postfix bounces these by default with a "Recipient address rejected: User unknown in local recipient" error. I wonder what the appropriate behavior is. To discard emails for unknown users, forward them to another address or bounce them? What about backscatter? Doesn't bouncing generate a lot of backscatter? Thanks in advance!

Do not accept the mails that are not deliverable. That is the best way, because in that case you do not generate any NDR's. Postfix has various methods by which you can achieve that. You may start with these
http://www.postfix.org/LOCAL_RECIPIENT_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Thanks
Ram
OT: Check out my photos on Facebook
Now this is the problem of all invites, especially those invites that scrape my addressbook and invite everyone. Should not all invites carry some header or other identification that list management software can automatically detect and /dev/null the mails?

Thanks
Ram
RHSBL bcc_maps on rcpt-to for outbound spam checks
We provide smtp relay services for a lot of remote mailservers. There are still some inadvertent spam outbreaks, either because the remote mail server has some weak username/password account, or because there is some Micro$$oft windows desktop with a virus spewing spam. We do partial outbound spam scan + ratelimits, which somehow seems to mitigate the issue. But outbound spam scanning is not perfect and is very heavy (and without tangible benefits to explain extra h/w to the management :-) )

I feel there is a better way of dealing with this issue. I have a huge list of parked domains (1M entries), or domains that never receive any mails. This list can be fed to my rbldnsd server. If any client sends a mail to these parked domains, I should be able to bcc the mails to a central program for analysis. I don't want to reject the mails using reject_rhsbl_recipient (my list may not be that perfect :-) ). I thought of using recipient_bcc_maps but having huge recipient_bcc_maps files on all my servers does not seem a good idea. Anyway most of these map entries will *never* get used in normal times.

Thanks
Ram
Re: email account bombarded with SPAM error bounces - what to do?
On Sat, 2010-07-10 at 14:15 +0200, Administrator Beckspaced.com wrote:
> On 7/9/2010 16:13, Administrator Beckspaced.com wrote:
>> On 7/9/2010 14:40, Ram wrote:
>>> On Fri, 2010-07-09 at 13:35 +0200, Administrator Beckspaced.com wrote:
>>>> On 7/9/2010 13:27, Robert Schetterer wrote:
>>>>> Am 09.07.2010 12:51, schrieb Administrator Beckspaced.com:
>>>> hello robert, thanks a lot for your quick reply ... actually it is not always the same IP or host sending the error bounces ... the bounces are sent from hundreds of different IP addresses ... any more idea?
>>>
>>> Usually you can do very little to prevent forging of your domain and sending spam. Some months ago one client of ours too had the same issue, but the issue is very temporary.
>>> The short term solution, as someone suggested, will be to temporarily defer all NDRs with a sender check regex file like
>>> //450 Try Later
>>> (The RFCs say you can't do this .. but sometimes you must be practical :-) )
>>> From my personal experience I found that if, for your regular mailing, you use some sender authentication mechanism like SPF then these NDRs significantly reduce. For eg many servers reject forged messages based on SPF checks so you don't get NDRs from them at least. I guess spammers (the more intelligent ones ... I mean) too would be less inclined to forge a domain that uses sender authentication, because that will reduce the deliverability of their spams.
>>> Thanks
>>> Ram
>>
>> hello again robert ram
>> thanks again for your ideas ... so i had another search in google about that backscatter topic and sort of found a nice, simple also quick solution?
>> SAFE MODE with Postfix:
>> Edit /etc/postfix/main.cf:
>> smtpd_recipient_restrictions = ... check_sender_access dbm:/etc/postfix/check_backscatterer ...
>> Create new file /etc/postfix/check_backscatterer:
>> reject_rbl_client ips.backscatterer.org
>> postmaster reject_rbl_client ips.backscatterer.org
>> well ... had to change the postfix dbm lookup to hash and do a postmap on the file ... but now this seems to work as it already rejected a few emails according to the mail log ... more info can be found here - http://www.backscatterer.org
>> does anyone have any experience with that list? is this a good longterm solution?
>> best regards
>> becki
>
> hello again ram, robert postfix users ;-)
> already posted yesterday about the backscatterer.org ... but was a bit too skeptical to do the check on ALL NDRs for ALL email accounts on my mail server ... so i had a look around to do the check ONLY for that specific email account. it's actually quite easy with smtpd_restriction_classes
> i thought i will write a short 'todo' as it might help some other mail server administrators out there ... who knows?
> so first thing is to setup a restriction class in main.cf -
> smtpd_restriction_classes = reject_ndr_class
> reject_ndr_class = check_sender_access hash:/etc/postfix/backscatter_check
> now create the backscatter_check file in /etc/postfix/
> touch /etc/postfix/backscatter_check
> and fill in this data
> reject_rbl_client ips.backscatterer.org
> postmaster reject_rbl_client ips.backscatterer.org
> MAILER-DAEMON reject_rbl_client ips.backscatterer.org

Use a regexp: file. I don't think this is supported in a hash: file:

//reject_rbl_client ips.backscatterer.org
/^postmaster/ reject_rbl_client ips.backscatterer.org
Re: email account bombarded with SPAM error bounces - what to do?
On Fri, 2010-07-09 at 13:35 +0200, Administrator Beckspaced.com wrote:
> On 7/9/2010 13:27, Robert Schetterer wrote:
>> Am 09.07.2010 12:51, schrieb Administrator Beckspaced.com:
> hello robert, thanks a lot for your quick reply ... actually it is not always the same IP or host sending the error bounces ... the bounces are sent from hundreds of different IP addresses ... any more idea?

Usually you can do very little to prevent forging of your domain and sending spam. Some months ago one client of ours too had the same issue, but the issue is very temporary.

The short term solution, as someone suggested, will be to temporarily defer all NDRs with a sender check regex file like

//450 Try Later

(The RFCs say you can't do this .. but sometimes you must be practical :-) )

From my personal experience I found that if, for your regular mailing, you use some sender authentication mechanism like SPF then these NDRs significantly reduce. For eg many servers reject forged messages based on SPF checks so you don't get NDRs from them at least. I guess spammers (the more intelligent ones ... I mean) too would be less inclined to forge a domain that uses sender authentication, because that will reduce the deliverability of their spams.

Thanks
Ram
Re: Postfix.org SPF
On Sun, 2010-07-04 at 23:39 -0700, junkyardma...@verizon.net wrote:
> Very aware spammers can create their own domains and SPF records. They can do essentially the same thing with any anti spam measures. And I have seen a number of them do just that, an SPF record of the entire IPv4 address space (0.0.0.0/0). But guess what, every one of them has been in an RHSBL. The fact it prevents them from using just any ol' domain instead of their own makes it extremely quick and easy for them to get detected and added into the RHSBLs. Requiring an SPF record to publish a domain's authorized MTAs is very effective.

Having a cover-all SPF record does not mean the domain is spamming. Even a top email-standards-aware company like messagelabs has a stupid SPF record:

dig messagelabs.com TXT +short
v=spf1 +all

Nevertheless SPF is an excellent tool for whitelisting with the SA whitelist_auth feature. If postfix.org also uses SPF I could use it for all my servers here.
Large incoming queues
On my central postfix server I do typically 100k mail transactions per hour. Postfix 2.7 on a Dual Quadcore Xeon 4 GB RAM RHEL5 box.

Sometimes it happens that mails move very slowly from the incoming queue to the active queue. I think I got the basic hygiene right: this server has absolutely no header checks, no content checks, the transport file (hash) has less than 2k lines, and syslog is not an issue either (I dev-nulled the mail and tested that).

I suspect that the machine is starving on I/O, but iostat shows an iowait of only 10%.

From the qshape readme http://www.postfix.com/QSHAPE_README.html

> If the problem is I/O starvation, consider striping the queue over more disks

Does that mean I can have them over different partitions on different disks? I had initially assumed all the postfix spool must be on the same partition.

Thanks
Ram
Ratelimit on sender id
Is there a way I can ratelimit messages on sender id?

Of late I have seen that my spamtraps are being thrashed by random yahoo or hotmail sender (forged) mails .. all identical fake pharmacy spams. In fact I get up to 300 connections a minute for a single mailbox and that takes up all the smtpd processes on the machine. I tried blocking the from id and the spam-bot changes the id in the very next hour.

Is there a way I can auto ratelimit mails on from-id?

Thanks
Ram
Disable connects to ldap
On our postfix servers, we use a remote ldapserver for system-auth for some FM users. System users login via /etc/shadow .. FM users login via ldap. The MTA is not configured to use any ldap connection. Yet whenever postfix is being restarted, if the remote ldapserver is not available postfix refuses to start. I get errors like this:

Jun 4 14:53:00 mmail postfix/smtpd[23565]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Jun 4 14:53:04 mmail postfix/smtpd[23565]: nss_ldap: failed to bind to LDAP server ldap://: Can't contact LDAP server
Jun 4 14:53:04 mmail postfix/smtpd[23565]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Jun 4 14:53:12 mmail postfix/smtpd[23565]: nss_ldap: reconnected to LDAP server ldap://XX after 3 attempts

How do I configure postfix not to connect to ldap at all?

Thanks
Ram
Re: lmtp_generic_maps for delivery to dovecot
> Postfix doesn't have a pipe_generic_maps feature, so the only way you can fix this in postfix is by delivering to another postfix instance, and let that instance deliver to dovecot. But dovecot is pretty flexible; maybe there's some way to change the delivery destination on that end.
> -- Noel Jones

That's exactly what I looked for in the first place ... I was hoping for a dovecot feature, but there doesn't seem to be one. A pipe_generic_maps would be a really welcome feature; considering that postfix does far more complex things, this should be pretty simple.

Thanks
Ram
Re: DKIM checking but not signing with Postfix?
On Sun, 2010-05-09 at 21:57 -0400, VR wrote:
> My Debian(Lenny)/Postfix environment is inbound only (except bounces/rejects of course) that uses transports to hand messages off to Exchange servers for multiple domains. I've been reading about DKIM in the Postfix archives most of tonight and have seen both praise and pause going back to about 2007 regarding implementing DKIM in general. I realize neither DKIM nor Postfix are spam solutions but I would like to know if DKIM might reduce the number of forgeries passed through my Postfix gateway? More specifically, from hosts claiming to be larger organizations that do use DKIM signing for their outbound traffic? Ideally I would not like to do content inspection (at this time) nor would I like to implement outbound signing. I have seen some write ups on DKIM but all discuss signing outbound. Can DKIM be done just for inbound? And which DKIM implementation works smoothly or is recommended with Postfix?

DKIM checking for inbound mails has almost nothing to do with postfix. The best way will be to use spamassassin and use the DKIM_* rules. Default SA has them configured. If you use some other antispam, see how it supports DKIM checks.

Thanks
Ram
Re: lmtp_generic_maps for delivery to dovecot
On Mon, 2010-05-10 at 10:15 -0500, Noel Jones wrote:
> On 5/10/2010 8:33 AM, ram wrote:
>> Can I use something like lmtp_generic_maps for delivery to dovecot?
>
> Your question is incomplete. What are you trying to accomplish? How does postfix deliver to dovecot?

I have a master.cf entry for delivery to dovecot.

dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

The rules are very simple:

mails to *...@local.example.com send to dovecot:[127.0.0.1]
mails to *...@otherlocation.example.com send to smtp:[otherlocation]

But the users are created on dovecot as u...@example.com. How can I configure postfix to send mails for *...@local.example.com to dovecot and strip off the local? I use lmtp_generic_maps for a similar thing in postfix+cyrus.

Thanks
Derwyn.
Re: Stopping spammers extreme
On Tue, 2010-05-04 at 12:29 +0300, Appliantologist wrote:
> Hi guys, I still need to accept mail for the email addresses we host on our machine from the net, so blocking port 25 or mynetworks as local host would seem to prevent that. we still have users on the domain that get mail to the address, except now we forward that mail to gmail using the virtual table. here is the result of postconf -n
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_privs = apache
> disable_vrfy_command = yes
> html_directory = no
> in_flow_delay = 1s
> inet_interfaces = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = wans-eu.com
> myhostname = wans-eu.com
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_helo_restrictions = reject_invalid_hostname
> strict_rfc821_envelopes = yes
> unknown_local_recipient_reject_code = 550
> virtual_alias_domains = multiterminal.ua
> virtual_alias_maps = hash:/etc/postfix/virtual

1) Add

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit

2) Create a relaydomains file
http://www.postfix.org/postconf.5.html#relay_domains

3) And ask the legitimate senders to use SASL auth
Re: same mailboxname in both virtual alias maps virtual mailbox maps to create a forward ?
On Mon, 2010-05-03 at 09:13 +0200, Gerrit wrote:
> Hi All, I have searched many hours on google trying to find if a virtual alias is possible in combination with a virtual mailbox with the same name. The setup we have is a complete virtual based one with mailboxes stored in mysql
>
> virtual_alias_domains = $virtual_alias_maps
> virtual_alias_expansion_limit = 1000
> virtual_alias_maps = mysql:/etc/postfix/mysql-autoreply.cf mysql:/etc/postfix/mysql-virtual.cf hash:/etc/postfix/virtual-special regexp:/etc/postfix/reserved-addresses
> virtual_alias_recursion_limit = 1000
> virtual_destination_concurrency_limit = $default_destination_concurrency_limit
> virtual_destination_recipient_limit = $default_destination_recipient_limit
> virtual_gid_maps = static:1002
> virtual_mailbox_base = /
> virtual_mailbox_domains = hash:/etc/postfix/mailbox-domains mysql:/etc/postfix/mysql-transport.cf
> virtual_mailbox_limit = 5120
> virtual_mailbox_lock = fcntl
> virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf
> virtual_minimum_uid = 1000
> virtual_transport = virtual
> virtual_uid_maps = static:1002
>
> Now i have already this working situation: When an email comes in for a certain mailbox, lets say destinat...@myexample.com, it is aliased to seconddestinat...@myexample.com and some...@yahoomail. In my mysql table i then have two entries destinat...@myexample.com - seconddestinat...@myexample.com and destinat...@myexample.com - some...@yahoomail. This would make destinat...@myexample.com a pure virtual alias and seconddestinat...@myexample.com a pure virtual mailbox.
> My wish is this: When an email comes in for a certain mailbox, lets say w...@myexample.com, i also want a copy to some...@googlemail.com. How do i have to set this up? At first i would think of this: In my virtual mailbox maps i put w...@myexample.com and in my virtual alias maps i put 2 entries: w...@myexample.com - w...@myexample.com and w...@myexample.com - some...@googlemail.com.

I guess you need recipient_bcc_maps
http://www.postfix.org/postconf.5.html#recipient_bcc_maps

Thanks
Ram
Re: DKIM-milter only for outgoing
On Fri, 2010-04-16 at 16:22 +0300, Birta Levente wrote:
> On 15/04/2010 18:26, Tomoyuki Murakami wrote:
>> From: Birta Levente blevi.li...@gmail.com
>> Subject: DKIM-milter only for outgoing
>> Date: Thu, 15 Apr 2010 17:23:12 +0300
>>
>>> My postfix server is set up with amavisd-new and dkim-milter. In the main.cf:
>>> content_filter = smtp-amavis:[127.0.0.1]:10024
>>> smtpd_milters = inet:localhost:20209
>>> non_smtpd_milters = inet:localhost:20209
>>> milter_protocol = 2
>>> milter_default_action = accept
>>> With this configuration the DKIM signature is added even to the incoming mails and I don't see any reason to do that.
>>
>> For dkim-filter, you can limit the signing domain by the -d option. In Postfix, you should separate the services for incoming and outgoing (submission). If you do so, you can move the milter setting from main.cf to master.cf and set it like
>> smtp inet n - n - - smtpd -o . -o ..
>> submission inet n - n - - smtpd -o smtpd_etrn_restrictions=reject -o smtpd_sasl_auth_enable=yes -o ... -o smtpd_milters=inet:127.0.0.1:20209 ...
>> I'm not sure how appropriate these are, but this sets smtpd_milters only for submission and works fine for me in normal operation.
>> -- Tomo.
>
> Thanks Tomo. With submission I need to use port 587 (no?), but I want to use port 25, can I?

AFAIK in dkim-milter you can specify domains for which you don't want to sign. Put your domains in there.

Thanks
Ram
Re: Protection against stolen credentials?
On Wed, 2010-04-14 at 21:15 +0200, Ignacio García wrote:
> Hi there. Some days ago 1 of our postfix servers was abused by bot networks using one of our customer's stolen credentials, inadvertently done by a virus/keylogger probably. In a few hours more than 2 spam messages were in our queue. Looking at the logs I realized all those outgoing messages came authenticated with the same stolen user credentials and from many different geolocations. Just changing the password solved the problem. This is a very disturbing issue for us, since it is hard to notice there's something going on until the server is already puking spam all over. Does anybody know of an automatic way of preventing this (or at least an automatic way of blocking it in early stages)? We were thinking of something like a script monitoring the logs for same-user authenticated connections from different IPs to create a blacklist of some sort... Thanks in advance. Ignacio

This is a very common problem. Search the archives for older conversations. One of them is here:
http://groups.google.com/group/mailing.postfix.users/browse_thread/thread/596a160388faba35/862d6abf348b8962
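The log-monitoring script Ignacio describes, written out as an added example (this is not code from the thread, from any poster or from Postfix). It reads the line smtpd(8) logs on a successful AUTH, `client=NAME[IP], sasl_method=..., sasl_username=USER`, and reports every SASL login seen from a handful or more of distinct client addresses within a short window, which is what a stolen password in the hands of a botnet looks like. The thresholds (5 addresses in 10 minutes), the sample log and the year used to complete the syslog timestamps (syslog writes none) are constructed assumptions. The output is a list of logins to lock rather than addresses to firewall, because blocking individual bot IPs does little against a botnet.

```python
"""Flag SASL logins that authenticate from many different client IPs.

Added example for the thread above, not code from Postfix or from any poster.
It scans the lines smtpd(8) logs on a successful AUTH, e.g.

  Jul 12 18:20:35 mx1 postfix/smtpd[9121]: 6262B115F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice

and reports every login used from MAX_IPS or more distinct addresses inside
WINDOW.  The thresholds, the sample log and the year (syslog timestamps carry
none) are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window per login (assumed)
MAX_IPS = 5                      # distinct client IPs that trigger a report (assumed)

# syslog timestamp, host, "<syslog_name>/smtpd[pid]: QUEUEID: client=name[ip], ... sasl_username=user"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=[^\[]+\[(?P<ip>[^\]]+)\].*?"
    r"sasl_username=(?P<user>\S+)"
)


def parse_auth_line(line, year):
    """Return (timestamp, login, client_ip) for an AUTH log line, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def suspicious_logins(lines, year=2010, window=WINDOW, max_ips=MAX_IPS):
    """Map login -> sorted client IPs, for logins that exceeded the threshold.

    For each login the events are sorted by time and, at every event, the
    distinct IPs seen in the preceding `window` are counted; reaching
    `max_ips` flags the login.  A roaming user rarely shows more than two
    or three addresses in ten minutes; a botnet shows dozens.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_auth_line(line, year)
        if parsed:
            ts, user, ip = parsed
            events[user].append((ts, ip))

    flagged = defaultdict(set)
    for user, evs in events.items():
        evs.sort()
        for i, (ts, _) in enumerate(evs):
            recent = {ip for t, ip in evs[: i + 1] if ts - t <= window}
            if len(recent) >= max_ips:
                flagged[user].update(recent)
    return {user: sorted(ips) for user, ips in flagged.items()}


# Constructed sample: "alice" from six addresses in five minutes (stolen
# password), "bob" from two addresses fifteen minutes apart (normal roaming).
SAMPLE_LOG = """\
Jul 12 18:20:35 mx1 postfix/smtpd[9121]: 6262B115F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Jul 12 18:21:02 mx1 postfix/smtpd[9122]: 7A1C2115F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Jul 12 18:21:40 mx1 postfix/smtpd[9123]: 8B2D3115F: client=unknown[192.0.2.9], sasl_method=LOGIN, sasl_username=alice
Jul 12 18:22:11 mx1 postfix/smtpd[9124]: 9C3E4115F: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice
Jul 12 18:23:05 mx1 postfix/smtpd[9125]: A4F5A115F: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=alice
Jul 12 18:24:50 mx1 postfix/smtpd[9126]: B5A6B115F: client=unknown[192.0.2.150], sasl_method=PLAIN, sasl_username=alice
Jul 12 18:25:00 mx1 postfix/smtpd[9127]: C6B7C115F: client=office.example.net[203.0.113.10], sasl_method=PLAIN, sasl_username=bob
Jul 12 18:40:00 mx1 postfix/smtpd[9128]: D7C8D115F: client=home.example.net[198.51.100.11], sasl_method=PLAIN, sasl_username=bob
Jul 12 18:41:00 mx1 postfix/smtpd[9129]: disconnect from unknown[203.0.113.5]
"""

if __name__ == "__main__":
    for login, ips in suspicious_logins(SAMPLE_LOG.splitlines()).items():
        print(f"lock login {login}: {len(ips)} client IPs in {WINDOW}: {', '.join(ips)}")
```

Run it against `/var/log/maillog` with `suspicious_logins(open(path), year=...)` from cron and act on the returned logins (lock the account, then rotate the password); the distinct-IP count is a better signal than raw message volume because a compromised login is usually spread across many bots at a modest rate each.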
RE: Avoiding User unknown in recipient table during reload
On Tue, 2010-04-13 at 17:45 -0700, Gary Smith wrote:
>> The script just does:
>> * Copy in new relay_recipients file
>> * postmap relay_recipients
>> * postfix reload
>> Is there a better way to do this? Should I stop postfix completely during this time? Will putting the queue on hold avoid this problem, or do I need to stop Postfix completely from responding?
>
> Brian, I know this is a late follow up, but I am doing the same thing, or getting ready to. Here is my general plan, with some questions.

As suggested in the postfix FAQ, using the cdb format for the file avoids this problem. Of course your postfix must be compiled with cdb support. On my servers I recompiled postfix for this precise reason. Works perfectly fine.
Re: building Postfix 2.7 from source Help!
On Sun, 2010-04-11 at 19:51 -0400, john wrote:
> i am attempting to build Postfix from the source rpms, I think I have worked out how to set the various parameters to get the options I want. except I don't see how to make this a x86_64 install. What am i missing? JLA

On a redhat-like box this should work:

rpmbuild --rebuild /path/postfix.xxx.src.rpm
Re: email to yahoo stuck in queue
On Thu, 2010-04-08 at 23:32 +0800, jan gestre wrote:
> Hi, I've noticed lately that I have a lot of mail stuck in the queue, most are intended for yahoo users where most of the emails being sent to yahoo contain attachments, mostly image files. flushing the queue doesn't do anything, and most of all yahoo doesn't do anything about my complaints. Any idea how to go about this?

If you see deferrals even for your normal mailing, telling yahoo might help
http://help.yahoo.com/l/us/yahoo//mail/postmaster/defer.html
Your problems may not go away totally but you will see fewer mails getting deferred.

I reduce the minimal_backoff_time for yahoo alone to around 1 minute so that there are more retries. But, as usual, YMMV.

If you are doing bulk mailing yahoo does not accept mails at the rate you would like it to, even if they are all legitimate. Tell your clients not to use a yahoo id.

Thanks
Ram
Re: ratelimiting locally originating messages
On Fri, 2010-04-09 at 15:03 +0400, Vladimir Vassiliev wrote:
> Hi postfixers, thanks to http://www.postfix.org/QSHAPE_README.html I learned how to limit the rate of sending messages which arrive via smtpd. Now I'm trying to do the same with locally originating (via sendmail) messages. It seems the usual recipes don't work. What are the best practices to do this? Several postfix instances or something else?

Usually applications that submit mail on the command line are not designed to handle ratelimits and queue messages for throttled delivery. In fact IMHO you should *not* try to build the intelligence of queueing and trying later when postfix already does that so elegantly.

It will be best to run two instances of postfix: the first instance picks up all the messages from the apps and sends them, at whatever rates you find reasonable, to the second (delivery) instance of postfix. You could use different rates for different senders too, based on the envelope-from address.

Thanks
Ram
Re: Bounces resulting from forwarded Mails
On Wed, 2010-04-07 at 11:59 +0200, lst_ho...@kwsoft.de wrote:
> Zitat von Michael Weissenbacher m...@dermichi.com:
>> Hi List! I am having the problem that our Postfix Mail Server generates too many bounces which unfortunately results in getting listed (at least at backscatterer.org). Having dug deeper into the problem i already read and followed [1] as well as the obvious stuff like correct local_recipient_maps. The problem i now have is like the following:
>> - our server accepts mail for localu...@localdomain.com
>> - there is an entry in /etc/postfix/virtual that forwards this mail to foreignu...@foreigndomain.com (which is a legitimate destination and usually accepts mails without a problem)
>> - the foreign server detects spam or a virus and rejects the delivery, i get an entry in mail.log like:
>> status=bounced (host email.foreigndomain.com[1.2.3.4] said: 554 mail server rejected message: spam or virus detected (#5.3.0) (in reply to end of DATA command)
>
> Find out why the host rejected the mail.

I assume your mails are not spam and they don't have a virus (email virus is almost a non-issue nowadays). Are all the forwarded mails getting rejected, or only a few?

I suspect the recipient server is doing an SPF check. So you won't be able to forward unless you change the envelope.

Thanks
Ram
Re: Selective alias depending on FROM?
On Wed, 2010-04-07 at 09:47 +0200, Jordi Espasa Clofent wrote:
> Hi all, I've a PHP script which is executed by the 'www-data' (the httpd user) local user in a Debian GNU/Linux box. I use this smtpd box as a massive mailing reminder to all of our customers. Because of that I need to know which customers couldn't be contacted, so I want to redirect these bounces to a dedicated mailbox. That's easy: www: failed_deliv...@domain.com in aliases and rebuild the aliases. But the problem is local user 'www-data' executes a lot of scripts using smtpd and I don't want to redirect all the bounces to mailbox failed_deliv...@domain.com. Is there any way to establish some pattern distinction? For example, let's suppose that my massive mails are always generated with FROM: warni...@domain.com: Can I set up www: failed_deliv...@domain.com in alias when _ONLY_ the FROM is warni...@domain.com? Thanks in advance.

Do not try to modify any setting in postfix. Set your mass ("massive"??) mail application's envelope sender-id to a different sender-id. All mail servers would send the bounce messages to the envelope sender id.

Thanks
Ram
Re: Relaying to SPF protected server
On Thu, 2010-04-01 at 12:14 +, Simon Waters wrote:
> On Thursday 01 April 2010 12:38:29 J.R.Ewing wrote:
>> Is there any solution? I have an idea to move the sender's address to the reply-to field and write a new sender. Is it possible with postfix?
>
> As Ralph says SRS will do this. However I looked at this recently for a project, where I thought I'd need SRS, and after reviewing the various issues and SPF adoption figures, concluded I'd ignore SPF. In particular very few people reject outright on SPF failure (not least this isn't a good strategy compared to other filtering methods if all you want to do is reduce spam). Various systems handle SPF failed email in a more suspicious manner, but that isn't a practical problem in my experience. SRS might work better for your purpose, but SPF is broken by design and you should flag that to the people using it. We forward a lot of email, we don't do envelope rewriting, and have had a handful of complaints over the years, most from the same person who didn't seem to understand we have no plans to change at this time.

SPF is not the only reason why you would need SRS. We provide SMTP relay for various mail servers. I want to make sure that every customer uses only his domain(s) and sends the mail. Important to implement proper usage reporting as well as stop abuse of the network.

Thanks
Ram

PS: SPF is used by gmail, hotmail, aol and 40% of the Fortune 500 companies in the world, among a huge lot of others. I don't think it makes any sense to flag anything like "SPF is broken" to so many people. Anyway discussing rising SPF adoption and the unreasonable arguments against SPF is OT on the postfix mailing list.
Re: smtpd-policyd feature.
On Wed, 2010-03-31 at 09:03 +0530, an...@isac.gov.in wrote:
> Dear List, We have been using the smtpd-policyd feature for a long time to allow some specific users to receive higher size mails. It is working fine. But, it does not work when the recipient_count is more than one as we are comparing the value with recipient. There has been a lot of development in Postfix by now; is there now a better way of allowing some specific users to receive higher size mails? -ANANT.

Where are the mails sent, to an MDA or to another relay server?
Best way to implement SRS
I know postfix has no native support for Sender Rewriting Scheme (IMHO it should ..). We implement forwarding using virtual_alias_maps or using cyrus+sieve. So what is the recommended way to implement SRS? I think since a milter can now do sender rewrite that will be the easiest way to do it.

Thanks
Ram
reject_authenticated_sender_login_mismatch only for some logins
I need to implement smtpd login maps on our postfix servers so as to minimize the chances of a compromised client machine screwing our smtp relay. But this cannot be done overnight. There are various clients who use different envelope sender domains (for perfectly legitimate reasons) and I cannot get a mapping for all such entries.

How can I use reject_authenticated_sender_login_mismatch only for some auth logins? Especially those who insist on using some junk mailserver in their offices and cannot sufficiently secure their network. So I want to say

if (sasl authenticated) {
    if (suspect client login) {
        reject_authenticated_sender_login_mismatch
    } else {
        allow sender_login_mismatch
    }
}

Thanks
Ram
Re: change hostname based on relay
On Mon, 2010-03-15 at 10:10 -0400, Manuel Mely wrote:
> Hi, Is there a way to change my hostname based on the relay i'm using? For example, i have postfix servers in an ha config that relays to three different mail service providers, these providers restrict me in what helo i have to use;

How do you rotate your relay servers .. DNS round robin?

> so if i'm using ISP1 as relay, i must identify as helo1.mydomain, if i'm using ISP2 then helo2.mydomain... this is really annoying but rules are rules. Then, i need a way to change the helo based on the sender_dependent_relayhost

Sender dependent? If I understand correctly all you need is to distribute between three servers. This seems difficult with a single postfix instance. Probably running a second instance will help.

* Run another instance with 3 different smtpd processes on 3 new IPs
* The first instance sends the mail to all these 3 IPs in round robin
* On the second instance, depending on the entry IP, write a FILTER rule to send using a different smtp process
* Control the helo in the smtp process you use

That seems pretty complicated :-) And you will also add an unnecessary hop for every mail. If you get a better solution let me know too.

Thanks
Ram
Re: Best practice: Spam-filtering outgoing e-mail
On Tue, 2010-03-16 at 15:40 +0100, Vegard Svanberg wrote:
> Hi, we are trying to mitigate the impact of having infected users, brute force hacked webmail accounts etc. sending (large amounts of) outbound spam. The best idea we've come up with so far is to perform outbound spam filtering following these rules (it's a bit more complicated than this, but this is the big picture):
> - Spam scoring (Spamassassin). If spam:
> - Put the mail on hold
> - Add an iptables rule rejecting the IP
> - Notify postmaster/abuse

Also,
* Implement ratelimits both inside postfix and in webmail
* Have strong password policies
* Sign up for feedback loops and monitor the feedback address closely
* In webmail write scripts to alert you if someone adds a large multiline signature

We tried blocking outbound spam using a commercial scanner but the FPs are far too many to be used in production. So we just alert a human on these spams and manually intervene if the account needs to be blocked. Of course some spams do get through in the meantime :-(
Can I configure 5xx error for smtpd_recipient_limit
I need to reject messages above n recipients with a permanent failure. If I configure smtpd_recipient_limit=50 I can't outright reject the messages unless I set smtpd_hard_error_limit=1.

Thanks
Ram
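Both this question and the earlier one about applying reject_authenticated_sender_login_mismatch to only some SASL logins can be handled by one small SMTPD access-policy service, shown here as an added example (not from the thread, not part of Postfix). At the RCPT stage it enforces the sender-domain check only for a list of suspect logins and leaves every other login alone; at end of data it refuses a message whose accepted recipient_count exceeds the limit with a 5xx for the whole message, instead of the 452 that smtpd_recipient_limit returns for each extra recipient. The wire format is the one in SMTPD_POLICY_README (name=value lines, a blank line, an `action=` reply); the login list, the domain table, the limit and the main.cf/master.cf hook-up in the docstring are assumptions made for the example. Postfix 2.11 and later also offer check_sasl_access, which can select a restriction class per login without a policy daemon.

```python
"""SMTPD access-policy service: strict sender-login checks for a few logins,
plus a hard 5xx for messages with too many recipients.

Added example for this thread, not from Postfix or from any poster.  Wire
format is the one in SMTPD_POLICY_README: Postfix writes "name=value" lines
ended by an empty line; we answer "action=<action>" plus an empty line.

Assumed hook-up (not from the thread):
  master.cf:  policy unix - n n - 0 spawn user=nobody argv=/usr/bin/python3 /etc/postfix/policy.py
  main.cf:    smtpd_recipient_restrictions = permit_mynetworks,
                  check_policy_service unix:private/policy,
                  permit_sasl_authenticated, reject_unauth_destination
              smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
The login list, the domain table and the limit below are made-up data.
"""
import sys

STRICT_LOGINS = {"sloppyoffice", "branch42"}           # assumed: logins to police
LOGIN_SENDER_DOMAINS = {                                # assumed: login -> sender domains
    "sloppyoffice": {"sloppy.example.com"},
    "branch42": {"branch42.example.com", "example.com"},
}
MAX_RECIPIENTS = 50                                     # assumed limit


def parse_request(text):
    """Turn the name=value block Postfix sends into a dict (stops at the empty line)."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def sender_domain(address):
    """Domain part of an envelope address, lower-cased; '' for the null sender."""
    return address.rpartition("@")[2].lower()


def decide(attrs):
    """Return the policy action for one request.

    RCPT stage: a login in STRICT_LOGINS may only use its registered sender
    domains (the per-login equivalent of reject_authenticated_sender_login_mismatch);
    every other login is left alone.  The check runs before
    permit_sasl_authenticated in the assumed main.cf, so the REJECT wins.
    END-OF-MESSAGE stage: recipient_count is the number of accepted recipients,
    so rejecting here refuses the whole message with a permanent error rather
    than the 452 per extra recipient that smtpd_recipient_limit gives.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    state = attrs.get("protocol_state", "")
    login = attrs.get("sasl_username", "")

    if state == "RCPT" and login in STRICT_LOGINS:
        allowed = LOGIN_SENDER_DOMAINS.get(login, set())
        # The null sender is rejected too: a policed MUA/relay never submits one.
        if sender_domain(attrs.get("sender", "")) not in allowed:
            return f"REJECT Sender address not permitted for login {login}"

    if state == "END-OF-MESSAGE":
        try:
            count = int(attrs.get("recipient_count", "0"))
        except ValueError:
            count = 0
        if count > MAX_RECIPIENTS:
            return f"554 5.5.3 Too many recipients ({count}, limit {MAX_RECIPIENTS})"

    return "DUNNO"


def serve(inp=sys.stdin, out=sys.stdout):
    """Loop: read one request block, write one action, until EOF."""
    block = []
    for line in inp:
        line = line.rstrip("\n")
        if line:
            block.append(line)
            continue
        attrs = parse_request("\n".join(block))
        block = []
        out.write(f"action={decide(attrs)}\n\n")
        out.flush()


if __name__ == "__main__":
    serve()
```

A plain `REJECT` reply is turned into a 554 by Postfix (access_map_reject_code), and a reply that starts with a numeric code is passed through as given, so both branches produce the permanent failure the posts ask for. Logins that are not in STRICT_LOGINS never see a REJECT from this service, which is the "allow sender_login_mismatch for everyone else" half of the pseudo-code in the earlier post.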
Re: postfix explicit logging all failures in maillog
On Sat, 2010-02-20 at 14:30 -0500, Victor Duchovni wrote:
> On Sat, Feb 20, 2010 at 03:43:25PM +0530, ram wrote:
>> One of our clients sends contract notes to their customers and they are required to store all logs of deliveries/bounces by some law. They have requirements like
>> * The log should contain the full date including year
>> * The log line should indicate full info -- sender, rcpt, datetime, size, status
>> I have managed to add custom logs in the postfix source in bounce.c and sent.c. (Thanks to the neatly structured code it wasn't much of an effort.) Only problem is when a message expires there is no log line that says
>> $queue-id: $sender to $rcpt status=expired
>> How can I log this?
>
> Collate the logs by message-id. What expired is the message, therefore, all recipients not yet delivered are expired.

But when a message expires, the recipient not delivered is not logged at all (except in status=deferred lines much, much before the expiry). Collating lines from different places in the logfile calls for some parsing. The parser may in itself be very trivial but I have to educate the client to read collated :-(

> If the client uses a decently written bounce-bot, they can parse any bounces and extract the undelivered recipients.

Perfect. We are already doing bounce handling at the bounce box. The real requirement here is just cosmetic: we need logs of every single mail with *exact* status for 7 years.
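Victor's "collate by queue id" suggestion, carried out as an added example (not from the thread and not Postfix code). It walks qmgr/smtp log lines, remembers the sender and size from the `from=<...>, size=...` line and the last status of every `to=<...>` line for that queue id, and when the `status=expired, returned to sender` line arrives it emits the missing per-recipient record, with the full year (passed in, because syslog does not log one) for every recipient whose last status was not `sent`. The sample log lines are constructed; the patterns key on the `from=`, `to=` and `status=` tokens rather than on whole lines, since the surrounding fields vary between Postfix versions.

```python
"""Collate Postfix logs per queue ID and synthesise per-recipient 'expired' lines.

Added example; not from the thread or from Postfix.  Postfix logs the sender
once (qmgr 'from=<...>, size=...'), each delivery attempt per recipient
(smtp 'to=<...>, status=sent|deferred|bounced'), and on expiry a single qmgr
line 'from=<...>, status=expired, returned to sender' that names no
recipient.  The recipients still owed a final status are those whose last
per-recipient status was not 'sent' when the expiry line appears.
"""
import re
from collections import defaultdict
from datetime import datetime

# syslog timestamp, host, "<syslog_name>/<daemon>[pid]: QUEUEID: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>.*?\bstatus=(?P<status>\w+)")
EXPIRED_RE = re.compile(r"from=<(?P<sender>[^>]*)>, status=expired")


def collate_expired(lines, year):
    """Return one dict per (queue id, undelivered recipient) at message expiry."""
    msgs = defaultdict(lambda: {"sender": "", "size": 0, "rcpts": {}})
    expired = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if rest == "removed":            # queue file gone; forget the state
            msgs.pop(qid, None)
            continue
        rec = msgs[qid]
        em = EXPIRED_RE.search(rest)
        if em:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            for rcpt, status in rec["rcpts"].items():
                if status != "sent":
                    expired.append({
                        "time": when.strftime("%Y-%m-%d %H:%M:%S"),
                        "queue_id": qid,
                        "sender": rec["sender"] or em["sender"],
                        "rcpt": rcpt,
                        "size": rec["size"],
                        "status": "expired",
                    })
            continue
        fm = FROM_RE.search(rest)
        if fm:
            rec["sender"], rec["size"] = fm["sender"], int(fm["size"])
            continue
        tm = TO_RE.search(rest)
        if tm:
            rec["rcpts"][tm["rcpt"]] = tm["status"]   # last status wins
    return expired


def format_record(r):
    """Render a record in the 'full info' shape the client asked for."""
    return (f"{r['time']} {r['queue_id']}: from=<{r['sender']}> to=<{r['rcpt']}> "
            f"size={r['size']} status={r['status']}")


# Constructed sample: two recipients, one delivered, one deferred until expiry.
SAMPLE_LOG = """\
Feb 18 09:00:01 mx1 postfix/qmgr[2001]: 3F2A1B2C3D: from=<notes@broker.example.com>, size=15230, nrcpt=2 (queue active)
Feb 18 09:00:02 mx1 postfix/smtp[2010]: 3F2A1B2C3D: to=<alice@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 18 09:00:02 mx1 postfix/smtp[2011]: 3F2A1B2C3D: to=<bob@slow.example.org>, relay=none, delay=1.3, delays=0.1/0/1.2/0, dsn=4.4.1, status=deferred (connect to mx.slow.example.org[198.51.100.9]:25: Connection timed out)
Feb 18 21:30:10 mx1 postfix/smtp[2050]: 3F2A1B2C3D: to=<bob@slow.example.org>, relay=none, delay=45009, delays=45008/0/1.2/0, dsn=4.4.1, status=deferred (connect to mx.slow.example.org[198.51.100.9]:25: Connection timed out)
Feb 23 09:05:00 mx1 postfix/qmgr[2001]: 3F2A1B2C3D: from=<notes@broker.example.com>, status=expired, returned to sender
Feb 23 09:05:00 mx1 postfix/qmgr[2001]: 3F2A1B2C3D: removed
Feb 23 09:05:00 mx1 postfix/bounce[2100]: 3F2A1B2C3D: sender non-delivery notification: 4A5B6C7D8E
"""

if __name__ == "__main__":
    for record in collate_expired(SAMPLE_LOG.splitlines(), year=2010):
        print(format_record(record))
```

The collator has to see the whole life of a message, so feed it the log files in order (a message can be queued in one month's file and expire in the next); the `removed` line is the point after which a queue id may be reused, which is why the state is dropped there.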