[pfx] Re: sendmail bounce messages

2023-06-08 Thread Víctor Rubiella Monfort via Postfix-users

As always, very grateful for your clarifications.

On 8/6/23 at 18:12, Wietse Venema via Postfix-users wrote:

Wietse Venema via Postfix-users:

Victor Rubiella Monfort via Postfix-users:

Hi,

I want to prevent sendmail milter rejections from generating bounce
messages. Reading the sendmail documentation I see the "-N" option:

echo "HELLO" | sendmail -N 'never' t...@test.es; echo $?

0

Jun  8 13:51:30 server.test postfix/cleanup[597560]: 077616620F:
milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Rejected
for policy reason; from= to=
Jun  8 13:51:30 server.test postfix/cleanup[597560]: 077616620F:
to=, relay=none, delay=0.1, delays=0.1/0/0/0, dsn=5.7.1,
status=bounced (Rejected for policy reason)

The non-delivery notification seems not to be executed (no related logs). But the logs
show "status=bounced". This generates confusion in post-log analysis.
Can I prevent this "status=bounced" in the logs (status=rejected)?

This is not configurable. Perhaps your log analyzer could look for
messages that do not have an

 : sender non-delivery notification: 

record. Those messages were not returned to the sender.

Note that "sendmail -N" (and NOTIFY=NONE in RCPT TO commands) disable
sender notifications only, not postmaster notifications. Those are
configured with main.cf:notify_classes, and produce similar logging:

 : postmaster non-delivery notification: 

When Postfix logs the status= value, it logs 'bounced' for compatibility
with logfile analyzers that were written when Postfix had no support
to disable sender non-delivery notifications.

Postfix 'status=' logging was inspired by RFC 3461, which uses
'failed' in non-delivery status notifications. I suppose that here
there could be a parameter setting to log 'failed' instead of
'bounced'. I would not log the REASON in the status= field; the
reason is logged in the text portion in the logfile record.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


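To put Wietse's suggestion into practice (treat a status=bounced record as a real bounce only when a "sender non-delivery notification" record exists for the same queue ID), here is an added Python example. It is not code from the thread or from Postfix; the four log lines are constructed in the shape of the records shown above, with queue IDs and addresses made up, and the 'rejected' label is a local naming choice of this script, not a Postfix status value.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post), modelled on the
# records Postfix writes for a milter reject without a sender notification
# and for a remote 5xx bounce that did produce one.
SAMPLE_LOG = """\
Jun  8 13:51:30 server.test postfix/cleanup[597560]: 077616620F: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Rejected for policy reason; from=<user@example.test> to=<rcpt@example.test>
Jun  8 13:51:30 server.test postfix/cleanup[597560]: 077616620F: to=<rcpt@example.test>, relay=none, delay=0.1, delays=0.1/0/0/0, dsn=5.7.1, status=bounced (Rejected for policy reason)
Jun  8 13:52:01 server.test postfix/smtp[597570]: 1A2B3C4D5E: to=<nobody@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=5.1.1, status=bounced (host mx.example.net said: 550 5.1.1 User unknown)
Jun  8 13:52:01 server.test postfix/bounce[597580]: 1A2B3C4D5E: sender non-delivery notification: 6F7E8D9C0B
"""

# Per-recipient delivery status record: "<queue id>: to=<rcpt>, ... status=<word>".
# Queue IDs are hex here; long queue IDs (enable_long_queue_ids) are also alphanumeric.
STATUS_RE = re.compile(
    r' (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>.* status=(?P<status>\w+)')
# Record written by the bounce daemon when a notification was actually created.
NDN_RE = re.compile(
    r' (?P<qid>[0-9A-Za-z]+): (?P<who>sender|postmaster) non-delivery notification: '
    r'(?P<ndn>[0-9A-Za-z]+)')


def classify_bounces(log_text):
    """Collect every status=bounced record and mark, per queue ID, whether a
    sender and/or postmaster non-delivery notification was logged for it.
    Both record types are gathered first, so their relative order does not matter."""
    bounced = {}
    notified = defaultdict(set)
    for line in log_text.splitlines():
        m = NDN_RE.search(line)
        if m:
            notified[m.group('qid')].add(m.group('who'))
            continue
        m = STATUS_RE.search(line)
        if m and m.group('status') == 'bounced':
            entry = bounced.setdefault(m.group('qid'), {'recipients': []})
            entry['recipients'].append(m.group('rcpt'))
    for qid, entry in bounced.items():
        entry['sender_ndn'] = 'sender' in notified[qid]
        entry['postmaster_ndn'] = 'postmaster' in notified[qid]
    return bounced


def effective_status(entry):
    """Local label for reporting: 'bounced' only when the sender was actually
    notified, otherwise 'rejected' (the message was dropped without a bounce)."""
    return 'bounced' if entry['sender_ndn'] else 'rejected'


if __name__ == '__main__':
    for qid, entry in classify_bounces(SAMPLE_LOG).items():
        print(qid, effective_status(entry), entry)
```

The check keys on the queue ID of the original message, which is what both the status= record and the non-delivery notification record carry; the notification's own queue ID (the last field) is only kept so a report can follow the bounce message itself.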

[pfx] sendmail bounce messages

2023-06-08 Thread Víctor Rubiella Monfort via Postfix-users

Hi,

I want to prevent sendmail milter rejections from generating bounce
messages. Reading the sendmail documentation I see the "-N" option:



echo "HELLO" | sendmail -N 'never' t...@test.es; echo $?

0

Jun  8 13:51:30 server.test postfix/cleanup[597560]: 077616620F: 
milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Rejected 
for policy reason; from= to=
Jun  8 13:51:30 server.test postfix/cleanup[597560]: 077616620F: 
to=, relay=none, delay=0.1, delays=0.1/0/0/0, dsn=5.7.1, 
status=bounced (Rejected for policy reason)



The non-delivery notification seems not to be executed (no related logs). But the logs
show "status=bounced". This generates confusion in post-log analysis.

Can I prevent this "status=bounced" in the logs (status=rejected)?

Thanks!



[pfx] Re: logging strangeness

2023-05-16 Thread Víctor Rubiella Monfort via Postfix-users

Hi,

But what about showing the user login? Currently we have issues when fail2ban
blocks IPs for a high number of failed logins, but it is a customer with
several mail accounts and he doesn't know which badly configured account is
causing the ban.


It would be so helpful to show the sasl_username that produces the failure.

For example, for imap/pop login failures dovecot logs the email account that
produces the failure.



On 16/5/23 at 16:06, Wietse Venema via Postfix-users wrote:

mailmary--- via Postfix-users:

In all honesty, the current situation of logging the base64 string 
"UGFzc3dvcmQ6" does not help us.

Maybe we could reconsider, and actually log the data (raw or base64-decoded)?

Absolutely not. As a matter of security principle, one does not
log the content of login failures unless absolutely necessary.

Wietse


[pfx] temporary lookup error with utf8mb4 characters

2023-04-16 Thread Víctor Rubiella Monfort via Postfix-users

Hi, I have more info and I'll try to explain it better:

First of all I have smtputf8_enable = no (disabled).

I have several databases related to several mysql_virtual maps:

- Some with utf8 + utf8_general_ci collation

- Others with latin1 + latin1_spanish_ci.

I'm using mysql-postfix (mysql_table) lookups, not postgres:
"proxy:mysql:/XXX.cf".


I can reproduce the same issue with both cf files (tables with utf8 and
tables with latin1).


As I said before, the worst part is that when the error is raised, for about 1
minute all lookups raise failures.


The error is easy to reproduce manually by calling postmap -q
"emailWithspecialchar" "proxy:mysql:/XXX.cf"


Debugging, I observe 2 things.

- adding CONVERT('%s' using ascii) fixes the issue, but I don't want/like to
add converts to all my sql queries...


- adding COLLATE utf8_general_ci raises the error "this collate is not valid
for utf8mb4". This error shows me that mysql_table lookup connections
are using the "utf8mb4" charset by default.


My conclusion for a hard fix of this issue on my system is to transform all
tables to utf8mb4.


But:

- I don't see any option to change the default charset on the mysql_table
connector; maybe it would be interesting to add this option to the configuration
file.


- a mixed collation error should raise 1 error, but the next queries should
work ok; this could be considered an issue, right?


- with "smtputf8_enable = no" I should be able to work without this kind
of issues, right?


For modern protocols I can understand changing to utf8, but utf8mb4? This
is much more expensive for the database; is it really necessary?



On 14/4/23 at 20:46, Viktor Dukhovni via Postfix-users wrote:

On Fri, Apr 14, 2023 at 01:06:16PM -0400, Wietse Venema via Postfix-users wrote:


Wietse Venema via Postfix-users:

As for the temp error becoming persistent, the Postfix pgsql: client
code returns an error when it gets an error from all of the hosts
configured in the Postfix pgsql: client configuration file, or when
all hosts have been flagged as 'down'. If a host returns an error
then the Postfix pgsql: client code flags that host as 'down', and
resets that 'down' state after about 60 seconds.

As implemented, the Postfix pgsql: client code treats all errors as
a connection failure, and skips the connection for 60 seconds. That
may not be optimal when an error is data dependent.

FWIW, the OP's issue was with MySQL, not Postgres...  The database
should be configured for client and server encoding of UTF8.


[pfx] Re: temporary lookup error with utf8mb4 characters

2023-04-14 Thread Víctor Rubiella Monfort via Postfix-users

Hi, I have more info and I'll try to explain it better:

First of all I have smtp_utf8 = no (disabled).

I have several databases related to several mysql_virtual maps:

- Some with utf8 + utf8_general_ci collation

- Others with latin1 + latin1_spanish_ci.

I'm using mysql-postfix (mysql_table) lookups, not postgres:
"proxy:mysql:/XXX.cf".


I can reproduce the same issue with both cf files (tables with utf8 and
tables with latin1).


As I said before, the worst part is that when the error is raised, for about 1
minute all lookups raise failures.


The error is easy to reproduce manually by calling postmap -q
"emailWithspecialchar" "proxy:mysql:/XXX.cf"


Debugging, I observe 2 things.

- adding CONVERT('%s' using ascii) fixes the issue, but I don't want/like to
add converts to all my sql queries...


- adding COLLATE utf8_general_ci raises the error "this collate is not valid
for utf8mb4". This error shows me that mysql_table lookup connections
are using the "utf8mb4" charset by default.


My conclusion for a hard fix of this issue on my system is to transform all
tables to utf8mb4.


But:

- I don't see any option to change the default charset on the mysql_table
connector; maybe it would be interesting to add this option to the configuration
file.


- a mixed collation error should raise 1 error, but the next queries should
work ok; this could be considered an issue, right?


- with "smtputf8_enable = no" I should be able to work without this kind
of issues, right?


For modern protocols I can understand changing to utf8, but utf8mb4? This
is much more expensive for the database; is it really necessary?


On 14/4/23 at 20:46, Viktor Dukhovni via Postfix-users wrote:

On Fri, Apr 14, 2023 at 01:06:16PM -0400, Wietse Venema via Postfix-users wrote:


Wietse Venema via Postfix-users:

As for the temp error becoming persistent, the Postfix pgsql: client
code returns an error when it gets an error from all of the hosts
configured in the Postfix pgsql: client configuration file, or when
all hosts have been flagged as 'down'. If a host returns an error
then the Postfix pgsql: client code flags that host as 'down', and
resets that 'down' state after about 60 seconds.

As implemented, the Postfix pgsql: client code treats all errors as
a connection failure, and skips the connection for 60 seconds. That
may not be optimal when an error is data dependent.

FWIW, the OP's issue was with MySQL, not Postgres...  The database
should be configured for client and server encoding of UTF8.


[pfx] Re: temporary lookup error with utf8mb4 characters

2023-04-14 Thread Víctor Rubiella Monfort via Postfix-users

Hi again,

I realized that the same error is raised when the database is in utf8 if the email
contains utf8mb4 characters.


Which is the appropriate database collation for postfix? Can we force
postfix to accept only utf8 characters?




On 13/4/23 at 18:36, Víctor Rubiella Monfort via Postfix-users wrote:
When a mysql_table lookup is executed with non-ascii characters and the database
is in latin1, not only does the query fail, the whole session/connection is corrupted
and produces a lot of "temporary lookup table" errors until the session is
recreated (about 1 minute later).


Today some external IP was trying to deliver an email with a special
character to one of my legacy servers (with latin1) and produced these
errors.


I can understand that the lookup fails for a query with special characters,
but the main issue was all the failures raised for other accounts and
lookups during 1-2 minutes. Is this a known issue?



I deployed a workaround using "CONVERT('%s' using ascii)" until I
pass all database tables to utf8.


The main problem debugging this issue was "proxy:mysql": "proxy" was
hiding the original collation error and only showed regular lookup errors
in the postfix log; when using "postmap" to debug, I only saw the root cause
when executing without "proxy".


postfix versions tested:

postfix 3.5.17-0+deb11u1
postfix-mysql    3.5.17-0+deb11u1

postfix 3.5.15-0+deb11u1
postfix-mysql    3.5.15-0+deb11u1






[pfx] temporary lookup persistent after query collate error corrupt connection.

2023-04-13 Thread Víctor Rubiella Monfort via Postfix-users
When a mysql_table lookup is executed with non-ascii characters and the database is
in latin1, not only does the query fail, the whole session/connection is corrupted and
produces a lot of "temporary lookup table" errors until the session is
recreated (about 1 minute later).


Today some external IP was trying to deliver an email with a special
character to one of my legacy servers (with latin1) and produced these
errors.


I can understand that the lookup fails for a query with special characters,
but the main issue was all the failures raised for other accounts and
lookups during 1-2 minutes. Is this a known issue?



I deployed a workaround using "CONVERT('%s' using ascii)" until I pass
all database tables to utf8.


The main problem debugging this issue was "proxy:mysql": "proxy" was
hiding the original collation error and only showed regular lookup errors in
the postfix log; when using "postmap" to debug, I only saw the root cause when
executing without "proxy".


postfix versions tested:

postfix 3.5.17-0+deb11u1
postfix-mysql    3.5.17-0+deb11u1

postfix 3.5.15-0+deb11u1
postfix-mysql    3.5.15-0+deb11u1






[pfx] warn_if_reject for milters equivalent?

2023-03-23 Thread Víctor Rubiella Monfort via Postfix-users

Hi!

Is there any way to implement the equivalent of "warn_if_reject" for milters?
I'm deploying a centralized spam milter on inet:X: and I would
like to deploy it as a "dry run" to evaluate rejections before fully enabling it,
and activate it gradually on different servers.


Thanks!



Blocking phishing MAIL FROM sender name

2022-11-07 Thread Víctor Rubiella Monfort

Hi!

I'm having problems blocking phishing email with this kind of header:

From: "h...@mydomain.com ".

I want to configure postfix to allow "mydomain.com" email only from
certain IPs.


I added these IPs to the smtpd_client_restrictions whitelist and added
mydomain.com REJECT in smtpd_sender_restrictions.


This works when the sender name and sender address are the same in the From
header, but not with the previous example.


I tried to fix this by adding restrictions with "header_checks", but
header_checks is applied after the whitelist and always applies. I have no
way (or I don't know one) to "whitelist an IP" over header_checks.



Is there any mistake in my configuration? Is the only way to build a
custom filter to check domain and IP to reject it?



Thank you!.





Re: smtpd_sender_login_maps with variable SASL names

2022-07-05 Thread Víctor Rubiella Monfort

Hi,

If it helps, and your problem is that the alias can be completely different from the
sasl name, I'm implementing a similar approach, and I configure 2 different
maps:


hash:aliases.map

em...@domain.tld alias,em...@domain.tld


Another one with authorized domains:

regexp:authdomains.map

/.*@authorixed\.tld/  alias,em...@domain.tld


smtpd_sender_login_maps = regexp:authdomains.map, hash:aliases.map

Best,



On 5/7/22 at 16:02, Viktor Dukhovni wrote:



On 5 Jul 2022, at 7:31 am, Wietse Venema  wrote:


This lookup table looks for the sender address and returns the SASL
username that is allowed to send mail with that address. I could (with
much additional complexity) generate all the app-specific uids and
return these, but I prefer keeping it simple.

Could you use a regexp: or pcre: table?
https://www.postfix.org/pcre_table.5.html
https://pcre.org/current/doc/html/pcre2syntax.html

I don't think this can work, because the request is not to match
variable senders in the lookup key, but rather for a single key
to return an RHS value that is itself a SASL login *pattern*.

That said, if the application sending email could be convinced to
explicitly specify envelope sender address extensions, so that each
SASL login has its own dedicated sender address, compatible with a
table of the form:

  # Sender address   login (same as sender)
  magicuser+e...@example.com  magicuser+e...@example.com
  magicuser+e...@example.com  magicuser+e...@example.com
  magicuser+e...@example.com  magicuser+e...@example.com
  ...

then the whole thing could be (carefully) simulated with an RE table:

# PCRE only
/^(magicuser[+][^,\s@]+@example\.com)$/ $1

where "carefully" means not allowing at least ",", whitespace and
perhaps other characters in the extension.  Or just specify a set
of allowed characters:

# PCRE only
/^(magicuser[+][-\w]+@example\.com)$/   $1


Re: Separate domain sender reject for inbound and outbound

2022-06-22 Thread Víctor Rubiella Monfort

Totally true. Sorry and thanks!

On 21/6/22 at 19:20, Viktor Dukhovni wrote:

smtpd_sender_restrictions =


Separate domain sender reject for inbound and outbound

2022-06-21 Thread Víctor Rubiella Monfort

Hi,

I'm trying to define an independent domain reject list for inbound and
outbound:


This works fine configuring:

smtpd_sender_restrictions =
permit_mynetworks,
check_sender_access hash:/etc/postfix/domainslist_in

It works ok, but for in and out with the same file. I have not found a way
to distinguish between in/out in the main.cf options, so I'm trying to use
"-o" overrides in the master.cf service configuration:


smtp  inet  n   -   y   -   150  smtpd
 -o syslog_name=smtpd-25
 -o smtpd_sender_restrictions=permit_mynetworks,{check_sender_access 
hash:/etc/postfix/domainslist_out}

But this is not working as expected. These warnings appear in the log:

smtpd-25/smtpd[15203]: warning: {check_sender_access 
hash:/etc/postfix/domainslist_out} is unavailable. unsupported dictionary type: 
{check_sender_access hash
smtpd-25/smtpd[15203]: warning: {check_sender_access hash:/etc/postfix/domainslist_out} 
lookup error for"du...@testing.com"


Of course, hash is supported and works fine in the "regular" configuration. The file
exists, and if I run manually:
postmap -q du...@testing.com hash:/etc/postfix/domainslist_out
it works fine.

What's wrong? Is this not the correct way to do this?


Thanks a lot !!



Re: Restricting MAIL_FROM based on SASL login

2022-05-06 Thread Víctor Rubiella Monfort
Thanks for the proposals; the main problem is that account names and domains
could be totally different. I'm reconsidering this approach to add only
selected accounts able to cross domains, simplifying automation and
increasing security, although it requires more config for the client.


Thanks a lot.

On 5/5/22 at 15:23, Wietse Venema wrote:

Víctor Rubiella Monfort:

Hello,

I'm working on a map for restrict MAIL_FROM declared on mail based on
sasl user authenticated.

For example if we want that all accounts for domain @domain1.com can
define MAIL_FROM @domain1.com and @domain2.com accounts:

@domain1.comaccou...@domain1.com  accou...@domain2.com  
accou...@domain2.com  accou...@domain2.com
@domain2.comaccou...@domain1.com  accou...@domain2.com  
accou...@domain2.com  accou...@domain2.com

Perhaps you can use reject_sender_login_mismatch with

main.cf:
 smtpd_sender_login_maps = pcre:$config_directory/sender-login.pcre

sender-login.pcre
 /^(.+)@domain1\.example$/  $1@domain1.example $1@domain2.example
 /^(.+)@domain2\.example$/  $1@domain1.example $1@domain2.example

Assuming that the usernames are the same in different domains.

Wietse

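Both regexp-table answers in this archive (Viktor's "$1" pattern for sender-address extensions and Wietse's "$1@domain1.example $1@domain2.example" cross-domain pattern) rely on the same mechanism: a pcre:/regexp: table whose right-hand side is expanded from the capture groups and then read as a list of owner logins, which reject_sender_login_mismatch compares with the SASL login. The following Python model, added here and not code from the thread or from Postfix, implements that expansion and check so the two tables can be tried against concrete addresses. The table text is constructed from the patterns quoted above; case-folding of the compared logins and the first-match-wins rule are assumptions of this simulation, and "if"/"endif" and "!" negation from regexp_table(5) are not modelled.

```python
import re

# Constructed PCRE-style sender-login table (not the thread's own file).
# Line 1 follows Viktor's "allowed characters" pattern for address extensions;
# lines 2-3 follow Wietse's cross-domain pattern.
SENDER_LOGIN_TABLE = r"""
# PCRE only
/^(magicuser[+][-\w]+@example\.com)$/   $1
/^(.+)@domain1\.example$/  $1@domain1.example $1@domain2.example
/^(.+)@domain2\.example$/  $1@domain1.example $1@domain2.example
"""

# One table line: /pattern/flags  result  (escaped slashes allowed in the pattern).
TABLE_LINE_RE = re.compile(r'^/((?:\\.|[^/])*)/([A-Za-z]*)\s+(\S.*)$')


def parse_table(text):
    """Parse a minimal regexp/pcre table. Comments and blank lines are skipped;
    matching is case-insensitive unless the 'i' flag toggles it, as in
    regexp_table(5)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = TABLE_LINE_RE.match(line)
        if not m:
            raise ValueError(f'unsupported table line: {raw!r}')
        pattern, flags, rhs = m.groups()
        rules.append((re.compile(pattern, 0 if 'i' in flags else re.IGNORECASE), rhs))
    return rules


def lookup_owners(rules, sender):
    """First matching rule wins. $N in the result is replaced by capture N and
    the expanded result is split on commas/whitespace into owner logins."""
    for regex, rhs in rules:
        m = regex.search(sender)
        if m:
            # Turn Postfix-style $1 into Python's \1 so Match.expand() substitutes it.
            expanded = m.expand(re.sub(r'\$(\d+)', r'\\\1', rhs))
            return [o.lower() for o in re.split(r'[,\s]+', expanded) if o]
    return []


def sender_login_mismatch(rules, sender, sasl_username):
    """Model of reject_sender_login_mismatch: reject when an authenticated client
    is not an owner of the MAIL FROM address, or when the address has owners
    but the client did not authenticate (sasl_username is None)."""
    owners = lookup_owners(rules, sender)
    if sasl_username is None:
        return bool(owners)
    return sasl_username.lower() not in owners


if __name__ == '__main__':
    rules = parse_table(SENDER_LOGIN_TABLE)
    for sender, login in [('magicuser+app1@example.com', 'magicuser+app1@example.com'),
                          ('magicuser+a,b@example.com', 'magicuser+a,b@example.com'),
                          ('alice@domain2.example', 'alice@domain1.example'),
                          ('alice@domain1.example', None)]:
        verdict = 'REJECT' if sender_login_mismatch(rules, sender, login) else 'OK'
        print(f'{sender!r} login={login!r}: {verdict}')
```

The second sample address shows why Viktor's "carefully" matters: an extension containing a comma matches no rule, so the lookup returns no owners and the login is refused rather than silently accepted.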

Re: Restricting MAIL_FROM based on SASL login

2022-05-04 Thread Víctor Rubiella Monfort



On 4/5/22 at 12:27, Matus UHLAR - fantomas wrote:

On 04.05.22 10:50, Víctor Rubiella Monfort wrote:
I'm working on a map to restrict the MAIL_FROM declared on mail based on
the authenticated sasl user.


For example, if we want all accounts for domain @domain1.com to be able to
define MAIL_FROM @domain1.com and @domain2.com accounts:


@domain1.com accou...@domain1.com accou...@domain2.com 
accou...@domain2.com accou...@domain2.com
@domain2.com accou...@domain1.com accou...@domain2.com 
accou...@domain2.com accou...@domain2.com




I store this in a map file and add this configuration to postfix:

smtpd_sender_login_maps: hash:/etc/postfix/sender_restrictions_map


smtpd_sender_restrictions
    ...
    reject_sender_login_mismatch


This seems to work fine, but the complexity of this map grows when
we add several domains and each domain has several accounts, for
example if we add 4 domains with 20, 30 or 50 accounts each.


Is there any way to do something like this:

@domain1.com @domain1.com,@domain2.com,@domain3.com

@domain2.com @domain1.com,@domain2.com,@domain3.com

@domain3.com @domain1.com,@domain2.com,@domain3.com


The final purpose is to restrict the domains that can be used in MAIL_FROM, based
on the domain used in the SASL account, without considering each account.


If you want to allow all accounts to specify all addresses in
@domain1.com and @domain2.com, why specify them at all?


Not specifying @domain1.com and @domain2.com should not restrict 
sending mail from those domains at all.


for unauthenticated clients, you can deny mail from: using 
check_sender_access.



So, because not all domains can use all domains :D, this should be a
clearer sample:


@domain1.com @domain1.com,@domain2.com,@domain3.com

@domain2.com @domain1.com,@domain2.com,@domain3.com

@domain3.com @domain1.com,@domain2.com,@domain3.com

@domain4.com @domain4.com,@domain5.com

@domain5.com @domain4.com,@domain5.com




Restricting MAIL_FROM based on SASL login

2022-05-04 Thread Víctor Rubiella Monfort

Hello,

I'm working on a map to restrict the MAIL_FROM declared on mail based on
the authenticated sasl user.


For example, if we want all accounts for domain @domain1.com to be able to
define MAIL_FROM @domain1.com and @domain2.com accounts:


@domain1.com accou...@domain1.com accou...@domain2.com 
accou...@domain2.com accou...@domain2.com
@domain2.com accou...@domain1.com accou...@domain2.com 
accou...@domain2.com accou...@domain2.com


I store this in a map file and add this configuration to postfix:

smtpd_sender_login_maps: hash:/etc/postfix/sender_restrictions_map


smtpd_sender_restrictions
    ...
    reject_sender_login_mismatch


This seems to work fine, but the complexity of this map grows when we
add several domains and each domain has several accounts, for example if
we add 4 domains with 20, 30 or 50 accounts each.


Is there any way to do something like this:

@domain1.com @domain1.com,@domain2.com,@domain3.com

@domain2.com @domain1.com,@domain2.com,@domain3.com

@domain3.com @domain1.com,@domain2.com,@domain3.com


The final purpose is to restrict the domains that can be used in MAIL_FROM, based on
the domain used in the SASL account, without considering each account.


Thanks!



Catch all deliveries

2022-02-22 Thread Víctor Rubiella Monfort

Hi,

I'm changing postfix local delivery to LMTP dovecot delivery and I
have some doubts:


Before moving to LMTP I had something like this:

virtual_mailbox_maps:

h...@example.com maildir1/

ad...@example.com maildir2/

 @example.com   maildir1/


This works ok with "@example.com" as the catch-all entry. But when moving to
LMTP, non-existent accounts start to produce errors on dovecot, so I added
catch-all accounts in aliases:


virtual_mailbox_maps:

h...@example.com maildir1/

ad...@example.com maildir2/


virtual_alias_maps:

 @example.com h...@example.com


But with this configuration, the catch-all is working for ALL mail accounts,
not only for non-existent accounts. The next test would be to add
all accounts to the alias maps:


virtual_mailbox_maps:

h...@example.com maildir1/

ad...@example.com maildir2/


virtual_alias_maps

 @example.com h...@example.com

h...@example.com h...@example.com

ad...@example.com ad...@example.com

..

Is this the correct way? Is it really necessary to duplicate all existing
accounts in aliases with A A key-values? Isn't there a cleaner way to only
match the non-existent ones?




Re: filter not being applied

2022-02-10 Thread Víctor Rubiella Monfort

When you send via localhost sendmail, the filter layers are not raised.

You need to send mail via regular SMTP on port 25.

On 10/2/22 at 20:50, Edward Sandberg wrote:

I am attempting to configure content filtering by following this guide:

http://www.postfix.org/FILTER_README.html

I have added the filter service and modified the smtp service in 
master.cf:


filter    unix  -   n   n   -   10  pipe
flags=Rq user=filter null_sender=
argv=/home/filter/filter.sh -f ${sender} -- ${recipient}
smtp  inet  n   -   y   -   -   smtpd
-o content_filter=filter:dummy

and reloaded postfix. When that didn't work I tried editing 
master.cf.proto instead but still no change in behavior. I also tried 
adding the filter option to these services:


smtp  unix  -   -   y   -   -   smtp
-o content_filter=filter:dummy
relay unix  -   -   y   -   -   smtp
    -o syslog_name=postfix/$service_name
-o content_filter=filter:dummy

but no joy.

The mail is being sent but the filter is not being used. I can delete 
the filter script, mail still gets sent and no difference in behavior 
occurs. I would expect some kind of error if the filter script can't 
be found so I think its not even trying to use the filter.


When I run the following command:

echo  "body of your email" | mail -s "This is a subject too" -a 
"From:redac...@redacted.com" redac...@redacted.com


This is the syslog output I see:

Feb 10 19:39:03 postfix postfix/pickup[13850]: 7D1D0E0E6F: uid=0 
from=
Feb 10 19:39:03 postfix postfix/cleanup[13903]: 7D1D0E0E6F: 
message-id=<20220210193903.7d1d0e0...@postfix.redacted.net>
Feb 10 19:39:03 postfix postfix/qmgr[13849]: 7D1D0E0E6F: 
from=, size=393, nrcpt=1 (queue active)
Feb 10 19:39:04 postfix postfix/smtp[13905]: 7D1D0E0E6F: 
to=, 
relay=ASPMX.L.GOOGLE.com[173.194.219.26]:25, delay=0.61, 
delays=0.03/0.03/0.24/0.31, dsn=2.0.0, status=sent (250 2.0.0 OK 
1644521944 i1si9676536ybt.537 - gsmtp)

Feb 10 19:39:04 postfix postfix/qmgr[13849]: 7D1D0E0E6F: removed

What am I missing?


High availability thoughts

2022-02-08 Thread Víctor Rubiella Monfort

Hello,

I continue working on redesigning separate isolated postfix instances into a new
highly available architecture for inbound mail.


At the moment I have a functional PoC (proof of concept) with these components:
haproxy => postfix gateway => (SMTP/Relay) postfix (filtering) => (LMTP)
dovecot


The configurations were based on samples in the books (The Book of Postfix and
Postfix: The Definitive Guide) and knowledge from this list :D.


But what about deploying new filters, or managing a lot of
accounts/domains?


When deploying a new filter for example, I want to deploy it only for
several domains or final dovecot instances and increase the deployment step
by step to the whole platform in a controlled way.


In this kind of proposal, the whole postfix filtering layer can send to all
dovecot/domain instances. If I isolate or deploy one postfix instance
for this purpose, it requires reconfiguring relays on the gateway and losing all
the redundancy during the process. Another approach would be a rolling
update of postfix instances, adding/removing them from the gateway relays, but
when this configuration manages a lot of domains and needs to regenerate
relay maps with thousands of lines... I don't know if it's the best idea or
not... and this brings me to the next topic.



Does it make sense to try to implement a single high-available entry point? (clustered
or not). In terms of configuration, for example, this implies creating
large map files for "relay_domains" and "relay_recipients_map" on the gateways.


Maybe it makes sense to split into several high-available clusters? Furthermore,
if I generate several clusters I need to add additional logic related
to the domain-cluster mapping, increasing management complexity, and it requires
generating several sets of MX records, because HAProxy can't balance based on
recipient concepts.


Thinking of other large providers for example, they offer only a
reduced set of MX records for all domains (gmail for example).


Maybe I need to think about implementing multiple gateway levels?

Is there a piece that I am missing, or am I not planning/thinking correctly?

Thanks!


Postfix high traffic (max proc) considerations

2022-02-07 Thread Víctor Rubiella Monfort

Hello,

I was reading http://www.postfix.org/TUNING_README.html about increasing the
number of processes in the configuration.


We can increase smtp easily to 1000 connections for example to allow
multiple incoming connections. But what about the pickup and qmgr processes?
By default they are configured to 1 process.


I suppose the best approach depends on a lot of different inputs, but
in general are there some tips to consider when increasing these values? For
example maintain the ratios 1/10 etc.? Preventing bottlenecks, excessive
cpu/memory consumption when increasing one of these procs, etc...



Thanks!



Re: Inbound Mail Gateway Doubts

2022-01-27 Thread Víctor Rubiella Monfort

Thanks a lot Wietse and Viktor for the quick and useful responses!

The bent smtpprox samples are so useful; it's just what I was looking for.
Consider rechecking the doc link on this page
http://www.postfix.org/FILTER_README.html because it is not updated (it's
ok on http://www.postfix.org/SMTPD_PROXY_README.html).


Considering your recommendation to use milters instead of after-queue
filters, I was reading several documents about pros/cons, and I'm
especially worried about the delay our antispam and antivirus scanner
introduces in the process. In fact I want to move to before-queue the
lighter functionalities of the current filter. In any case I will test both
approaches in a stress test.



Best.


On 27/1/22 at 19:34, Wietse Venema wrote:

Víctor Rubiella Monfort:

Hi!,

I'm working on redefining inbound mail delivery but I have some basic
"misconceptions".
Now I have several separate inbound servers. I want to improve by deploying
MX postfix gateways, improving content filtering, etc.

First of all, if someone can provide some links with more info about
configuration and architecture for this kind of layered approach
(GW->postfix->dovecot) I will be very grateful :D. (something more than the
official doc and the "postfix the definitive guide" book :D)

Now I have an old perl script doing a lot of tasks in one filter script;
I want to refactor and optimize it.

See my suggestions below. They are likely more secure and more
performant. It's hard to give recommendations for writing custom
code like you do.


I need help with concepts for "advanced content filter". First of all, the
documentation refers to a Perl sample with a broken link
(http://bent.latency.net/smtpprox/. )

You're looking at old documentation. The on-line doc has a link to
https://web.archive.org/web/20151022025756/http://bent.latency.net/smtpprox/


I have found quite a few samples for before-queue filters (Milters), but
no advanced samples with after-queue filtering.

I'd suggest using Milters (i.e. before-queue) where possible, many
SPAM filters have a Milter integration (examples: mimedefang,
amavis, spamass-milter).

Wietse



Inbound Mail Gateway Doubts

2022-01-27 Thread Víctor Rubiella Monfort

Hi!,

I'm working on redefining inbound mail delivery but I have some basic
"misconceptions".
Now I have several separate inbound servers. I want to improve by deploying
MX postfix gateways, improving content filtering, etc.



First of all, if someone can provide some links with more info about
configuration and architecture for this kind of layered approach
(GW->postfix->dovecot) I will be very grateful :D. (something more than the
official doc and the "postfix the definitive guide" book :D)


Now I have an old perl script doing a lot of tasks in one filter script;
I want to refactor and optimize it.


I need help with concepts for "advanced content filter". First of all, the
documentation refers to a Perl sample with a broken link
(http://bent.latency.net/smtpprox/. )
I see this related link
https://stackoverflow.com/questions/40267168/advanced-content-filter-for-postfix-using-spawn-service


That links to http://www.postfix.org/spawn.8.html and
http://www.postfix.org/SMTPD_POLICY_README.html, but these examples
confuse me because they seem related to policy filters, not content_filter.


I have found quite a few samples for before-queue filters (Milters), but
no advanced samples with after-queue filtering.


I'm looking for some code examples and best practices for advanced
filters and how to concatenate several advanced content filters:
reinjecting from one to another, etc.



Thanks a lot!