Problem of mail suffix replacement
Hi all,

I have a problem with a system based on Postfix+LDAP with virtual domains. I'm using LDAP to store domains and users. The LDAP tree is like this:

ou=hosting
+virtualdomain=company1.common.com
++ou=mail
+++uid=user1 (with attribute mail, which is its mail address)
+virtualdomain=company2.common.com
++ou=mail
+++uid=user1
+++uid=user2

All is (almost) working, except that for some domains we send mail to, there is a replacement of the suffix. For example, when us...@company1.common.com sends a mail to some mail addresses, when these people receive the mail, instead of having the mail From filled with us...@company1.common.com, they have us...@www.common.com (this is the same server hosting mail and the website www.common.com).

I don't know exactly what could be the cause of this problem. Is it due to Postfix, to my DNS config, or to the mail server for these domains, which does not understand my mail server? Which config files should I provide in order to give more details?

Thank you very much for your help.

Gauthier
--
Gauthier DOUCHET
Re: Problem with alias Lists
Helmut Weigel wrote:

Hi all, I have a weird problem with alias lists in Postfix. We use aliases for our internal mailing lists (departments for instance). We use OpenLDAP for the user base. Normally everything is OK. But if one recipient of this list is over quota, Postfix keeps the message in the mailq not only for the one recipient but for the originally used alias. So the mail gets delivered twice or more times to all other recipients until the one box over quota is emptied or the mail is deleted from the mailq. Do you have any ideas? Where should I have a closer look?

how do you deliver mail? unless you use lmtp, you should deliver one recipient at a time. if you use lmtp, your lmtp delivery agent should handle the situation correctly.
Re: Send all outbound mail to one address
Russell Horn wrote:

For our dev server we'd like to direct any outbound messages to a single address on an external postfix server. Can anyone suggest the best way to configure this? i.e. mail to anyu...@anydomain all goes to receiving.acco...@example.com

I have a suspicion that generic_maps might do the job, but I've not used them myself.

http://www.postfix.org/ADDRESS_REWRITING_README.html#generic

The docs don't say whether it rewrites both sender and recipient addresses; someone can probably clarify that.
AW: Problem with alias Lists
we use lmtp with cyrus imapd

Kind regards
Helmut Weigel
DFB-Medien GmbH Co. KG
Otto-Fleck-Schneise 6
60528 Frankfurt

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of mouss
Sent: Wednesday, 17 December 2008 09:59
To: postfix-users@postfix.org
Subject: Re: Problem with alias Lists

Helmut Weigel wrote:

Hi all, I have a weird problem with alias lists in Postfix. We use aliases for our internal mailing lists (departments for instance). We use OpenLDAP for the user base. Normally everything is OK. But if one recipient of this list is over quota, Postfix keeps the message in the mailq not only for the one recipient but for the originally used alias. So the mail gets delivered twice or more times to all other recipients until the one box over quota is emptied or the mail is deleted from the mailq. Do you have any ideas? Where should I have a closer look?

how do you deliver mail? unless you use lmtp, you should deliver one recipient at a time. if you use lmtp, your lmtp delivery agent should handle the situation correctly.
Re: smtp hangs on 4xx code response - active queue is stuck
#1 0x0806d01f in read_wait (fd=-4, timeout=3600) at read_wait.c:120
#2 0x08072241 in timed_read (fd=13, buf=0x8092d60, len=4096, timeout=3600, unused_context=0x0) at timed_read.c:73

That makes no sense. timed_read() does not change its argument as shown below. But it does not matter. The poll() is waiting for your defer(8) daemon to respond.

#3 0x0806f20f in vstream_buf_get_ready (bp=0x80918f0) at vstream.c:731
#4 0x0806eaf7 in vbuf_get (bp=0x80918f0) at vbuf.c:157
#5 0x08063bcb in attr_vscan0 (fp=0x80918f0, flags=3, ap=0xafb16988 \001) at attr_scan0.c:272
#6 0x08063f9b in attr_scan0 (fp=0x80918f0, flags=3) at attr_scan0.c:427
#7 0x08056e67 in mail_command_client (class=0x807462e private, name=0x8085810 defer) at mail_command_client.c:76

Your defer daemons aren't working.

Wietse

    /* timed_read - read with deadline */

    ssize_t timed_read(int fd, void *buf, size_t len,
                       int timeout, void *unused_context)
    {
        ssize_t ret;

        /*
         * Wait for a limited amount of time for something to happen. If nothing
         * happens, report an ETIMEDOUT error.
         *
         * XXX Solaris 8 read() fails with EAGAIN after read-select() returns
         * success.
         */
        for (;;) {
            if (timeout > 0 && read_wait(fd, timeout) < 0)
                return (-1);
            if ((ret = read(fd, buf, len)) < 0 && timeout > 0 && errno == EAGAIN) {
                /* ..warn then sleep... */
                continue;
            } else if (ret < 0 && errno == EINTR) {
                continue;
            } else {
                return (ret);
            }
        }
    }
Selective relaying to internal office server
Hi,

I've got two Postfix hosts, mail.example.com and office.example.com. mail.example.com is MX for several domains which are set up as virtual alias domains.

Now I would like to forward certain mails, dependent on the recipient, to an internal office server, so

us...@foo.org should be delivered locally on mail.example.com,
us...@foo.org should be forwarded to us...@office.example.com,
us...@bar.org should be forwarded to us...@office.example.com,
us...@bar.org should be delivered locally on mail.example.com
etc.

I've played around with the virtual_alias_domain settings on office.example.com a little, but I think I'm completely wrong there since Postfix keeps complaining about unknown local users.

What would be the correct way to set up such a relaying?

--
Thomas
smtp hangs on 4xx code response - active queue is stuck
Hi, I have a big problem with soft bounces. Take a look at the following transaction log (I have changed the dest mail to a fake one):

Dec 17 12:03:39 www postfix/smtp[17276]: vstream_buf_get_ready: fd 12 got 87
12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 220 mx.poczta.onet.pl ESMTP (8) our local time is now Wed, 17 Dec 2008 12:03:39
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.86]:25:www.dentonline.pl
Dec 17 12:03:39 www postfix/smtp[17276]: vstream_fflush_some: fd 12 flush 24
12:03:39 www postfix/smtp[17276]: vstream_buf_get_ready: fd 12 got
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 250-mx.poczta.onet.pl Hello www.dentonline.pl
12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.86]:25SIZE 52428800
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.86]:258BITMIME
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.86]:25PIPELINING
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.86]:25CHUNKING
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.86]:25ENHANCEDSTATUSCODES
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 250-AUTH=LOGIN
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 250-AUTH LOGIN
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 250-STARTTLS
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 250 HELP
Dec 17 12:03:39 www postfix/smtp[17276]: server features: 0x100f size 5242
Dec 17 12:03:39 www postfix/smtp[17276]: Using ESMTP PIPELINING, TCP send size is 4096
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 MAIL FROM:nob...@dentonet.pl SIZE=3449
12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 RCPT TO:brzoz...@op.pl
12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 DATA
Dec 17 12:03:39 www postfix/smtp[17276]: vstream_fflush_some: fd 12 flush
Dec 17 12:03:39 www postfix/smtp[17276]: vstream_buf_get_ready: fd 12 got
Dec 17 12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 250 2.1.0 Sender syntax Ok;
12:03:39 www postfix/smtp[17276]: mx.poczta.onet.pl[213.180.130.8 450 4.7.1 W chwili obecnej nie mozesz wyslac listu do: x...@op.pl, j za chwile [0400.-1]
Dec 17 12:03:39 www postfix/smtp[17276]: connect to subsystem private/defe
Dec 17 12:03:39 www postfix/smtp[17276]: send attr nrequest = 0
Dec 17 12:03:39 www postfix/smtp[17276]: send attr flags = 0
Dec 17 12:03:39 www postfix/smtp[17276]: send attr queue_id = AC7D8637C3
Dec 17 12:03:39 www postfix/smtp[17276]: send attr original_recipient = x...@op.pl
Dec 17 12:03:39 www postfix/smtp[17276]: send attr recipient = x...@op
dec 17 12:03:39 www postfix/smtp[17276]: send attr offset = 3644
Dec 17 12:03:39 www postfix/smtp[17276]: send attr dsn_orig_rcpt =
Dec 17 12:03:39 www postfix/smtp[17276]: send attr notify_flags = 0
Dec 17 12:03:39 www postfix/smtp[17276]: send attr status = 4.7.1
Dec 17 12:03:39 www postfix/smtp[17276]: send attr diag_type = smtp
Dec 17 12:03:39 www postfix/smtp[17276]: send attr diag_text = 450 4.7.1 Wi obecnej nie mozesz wyslac listu do: x...@op.pl, sprobuj za chwile -1] / At the moment you cannot sen a message to x...@op.pl, try agair [0400.-1]
Dec 17 12:03:39 www postfix/smtp[17276]: send attr mta_type = dns
Dec 17 12:03:39 www postfix/smtp[17276]: send attr mta_mname = mx.poczta.o
Dec 17 12:03:39 www postfix/smtp[17276]: send attr action = delayed
Dec 17 12:03:39 www postfix/smtp[17276]: send attr reason = host mx.pocztapl[213.180.130.86] said: 450 4.7.1 W chwili obecnej nie mozesz wyslac listx...@op.pl, sprobuj za chwile [0400.-1] / At the moment you cannot sessage to x...@op.pl, try again later [0400.-1] (in reply to RCPT Tand)
Re: Problem with alias Lists
On Wed, Dec 17, 2008 at 07:41:41AM +0100, Helmut Weigel wrote:

Hi all, I have a weird problem with alias lists in Postfix. We use aliases for our internal mailing lists (departments for instance). We use OpenLDAP for the user base. Normally everything is OK. But if one recipient of this list is over quota, Postfix keeps the message in the mailq not only for the one recipient but for the originally used alias. So the mail gets delivered twice or more times to all other recipients until the one box over quota is emptied or the mail is deleted from the mailq. Do you have any ideas? Where should I have a closer look?

Local aliases(5) that expand to multiple local recipients should have owner-list aliases to handle delivery issues, or should list non-local addresses on the right-hand-side, that may ultimately expand via virtual(5) to local mailboxes, but are not immediately local.

One way of doing this, is to make sure that $mydestination is not listed in $myorigin, but localp...@$myorigin rewrites via virtual(5) to suitable domains in $mydestination for appropriate users.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.
Re: smtp hangs on 4xx code response - active queue is stuck
Konrad Rzepecki:

On Wednesday, 17 December 2008, Wietse Venema wrote:

Your defer daemons aren't working.

If you mean this one:

postfix 29426 0.0 0.1 6472 1740 ?S14:24 0:00 bounce -z -n defer -t unix -u

it seems running...

And what is it doing?

You are right - this was a problem with defer. I have investigated it. The bounce process hangs in flock() on the unix.defer file. It was permanently locked or something like that.

The purpose of /var/spool/postfix/pid/unix.defer is to block all idle defer service processes except one. If this 10-year old synchronization mechanism messes up on your system, then you may want to consider a kernel update.

Wietse

After deleting and recreating it, everything seems to run OK. Thanks for the hint.

--
Konrad Rzepecki - Wydawnictwo Bestom DENTOnet.pl Sp.z o.o.
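A diagnostic for the situation described in this message, added here as an example and not part of the original thread or of Postfix: it probes an flock()-style lock file without blocking, and reads Linux /proc/locks text to list which PIDs hold the lock and which are blocked on it. The function names and the sample /proc/locks text are constructed for illustration; the probe assumes the file is locked with flock(), as the message reports.

```python
import errno
import fcntl
import os
import re


def lock_state(path):
    """Probe an flock()-style lock file without blocking.

    Returns 'missing', 'held' (another open file holds the lock) or 'free'.
    The probe takes the lock for an instant and releases it again.
    """
    try:
        fd = os.open(path, os.O_RDONLY)
    except FileNotFoundError:
        return "missing"
    try:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError as exc:
            if exc.errno in (errno.EWOULDBLOCK, errno.EAGAIN):
                return "held"
            raise
        fcntl.flock(fd, fcntl.LOCK_UN)
        return "free"
    finally:
        os.close(fd)


def file_key(path):
    """Return (major, minor, inode), the identity /proc/locks uses for a file."""
    st = os.stat(path)
    return os.major(st.st_dev), os.minor(st.st_dev), st.st_ino


# One /proc/locks record looks like
#   "2: FLOCK  ADVISORY  WRITE 4101 08:01:131234 0 EOF"
# and a blocked request for the same lock carries "->" after the index.
# Device major and minor are printed in hex, the inode in decimal.
_LOCK_LINE = re.compile(
    r"^\d+:\s+(?P<blocked>->\s+)?(?P<kind>\S+)\s+\S+\s+\S+\s+"
    r"(?P<pid>-?\d+)\s+"
    r"(?P<major>[0-9a-f]+):(?P<minor>[0-9a-f]+):(?P<inode>\d+)\s"
)


def flock_users(proc_locks_text, major, minor, inode):
    """Return (holders, waiters) as PID lists for FLOCK locks on one file."""
    holders, waiters = [], []
    for line in proc_locks_text.splitlines():
        m = _LOCK_LINE.match(line)
        if not m or m["kind"] != "FLOCK":
            continue
        key = (int(m["major"], 16), int(m["minor"], 16), int(m["inode"]))
        if key != (major, minor, inode):
            continue
        (waiters if m["blocked"] else holders).append(int(m["pid"]))
    return holders, waiters


# Constructed sample: PID 4101 holds the flock on inode 131234 and two
# other processes are blocked waiting for it.
SAMPLE_PROC_LOCKS = """\
1: POSIX  ADVISORY  WRITE 1201 08:01:131072 0 EOF
2: FLOCK  ADVISORY  WRITE 4101 08:01:131234 0 EOF
2: -> FLOCK  ADVISORY  WRITE 4102 08:01:131234 0 EOF
2: -> FLOCK  ADVISORY  WRITE 4103 08:01:131234 0 EOF
3: FLOCK  ADVISORY  WRITE 1350 08:01:140000 0 EOF
"""

if __name__ == "__main__":
    print(flock_users(SAMPLE_PROC_LOCKS, 8, 1, 131234))
```

On a live system the text would come from reading /proc/locks and the key from `file_key()` on the lock file; a held lock is expected there, so the holder PID is the thing to inspect when requests stop being served.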
Re: smtp hangs on 4xx code response - active queue is stuck
Konrad Rzepecki:

#3 0x0806f20f in vstream_buf_get_ready (bp=0x80918f0) at vstream.c:731
#4 0x0806eaf7 in vbuf_get (bp=0x80918f0) at vbuf.c:157
#5 0x08063bcb in attr_vscan0 (fp=0x80918f0, flags=3, ap=0xafb16988 \001) at attr_scan0.c:272
#6 0x08063f9b in attr_scan0 (fp=0x80918f0, flags=3) at attr_scan0.c:427
#7 0x08056e67 in mail_command_client (class=0x807462e private, name=0x8085810 defer) at mail_command_client.c:76

Your defer daemons aren't working.

If you mean this one:

postfix 29426 0.0 0.1 6472 1740 ?S14:24 0:00 bounce -z -n defer -t unix -u

it seems running...

And what is it doing?

Wietse
Re: masses of mailer-daemon mails to postmaster
On Saturday 06 December 2008 19:16:41 mouss wrote:

In: MAIL FROM:mustar...@crstudio.it
Out: 250 Ok
In: RCPT TO: guforme...@rfi.net
Out: 451 Server configuration error

you have an error in your config. postfix logs will tell you more about this error.

Yep, there it is:

warning: unknown smtpd restriction: reject_unknown_client_hostname

and:

warning: unknown smtpd restriction: reject_unknown_reverse_client_hostname

I had these under smtpd_recipient_restrictions and postfix was understandably complaining on a regular basis :-} However, even when I placed them under smtpd_client_restrictions, as per the docs, I still had complaints, so I'll admit to being a little confused here...

--
Richard Foley
Ciao - shorter than aufwiedersehen
http://www.rfi.net/
Postfix and DNSSEC
I'd like to use DNSSEC with Postfix. I did some research on the web but although DNSSEC is there nobody really cares about it. The most recent patch for Postfix is for release 2.3 and is based on libs (libval, libsres) I didn't find any download page for. Is there any recent development going on?

Thanks,
Bernhard
Re: sender_bcc_maps only domain
Márcio Luciano Donada wrote:

Sahil Tandon wrote:

Márcio Luciano Donada wrote:

I am using the sender_bcc_maps, but would like to know if there is the possibility of doing the audit in e-mail sent from the field for only domain xyz

Can you re-state your question more clearly? Perhaps use an example. Also read:

http://www.postfix.org/postconf.5.html#sender_bcc_maps
http://www.postfix.org/DEBUG_README.html

Sorry Sahil, You really understand my question? Today I already use the sender_bcc_maps but the usual way, ful...@domain.com backup @ domain and is functional, but here I want to make a copy of the e-mail that come out only to the domain xyz.com

If you want to back up all emails addressed to xyz.com then use recipient_bcc_maps.

--
Sahil Tandon sa...@tandon.net
Re: masses of mailer-daemon mails to postmaster
Richard Foley wrote:

On Saturday 06 December 2008 19:16:41 mouss wrote:

In: MAIL FROM:mustar...@crstudio.it
Out: 250 Ok
In: RCPT TO: guforme...@rfi.net
Out: 451 Server configuration error

you have an error in your config. postfix logs will tell you more about this error.

Yep, there it is:

warning: unknown smtpd restriction: reject_unknown_client_hostname

and:

warning: unknown smtpd restriction: reject_unknown_reverse_client_hostname

I had these under smtpd_recipient_restrictions and postfix was understandably complaining on a regular basis :-} However, even when I placed them under smtpd_client_restrictions, as per the docs, I still had complaints, so I'll admit to being a little confused here...

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname requires postfix 2.3 or newer. Older postfix use the name reject_unknown_client. Note either of these are likely to reject legitimate mail.

http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname requires postfix 2.3 or newer. There is no equivalent for older postfix.

These restrictions work fine under smtpd_recipient_restrictions, but you need to upgrade your postfix.

--
Noel Jones
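A check for the mismatch explained in this reply, added here as an example and not part of the original thread or of Postfix: it parses main.cf-style text, including continuation lines, and reports restriction names that the given Postfix version does not understand. The lookup table holds only the two names and the older equivalent stated in the reply; the function names, the sample configuration and the version tuples are constructed.

```python
import re

# From the reply above: restriction name -> (first version that knows it,
# older equivalent name or None when the reply says there is none).
NEEDS_VERSION = {
    "reject_unknown_client_hostname": ((2, 3), "reject_unknown_client"),
    "reject_unknown_reverse_client_hostname": ((2, 3), None),
}

RESTRICTION_PARAM = re.compile(r"^smtpd_\w+_restrictions$")


def parse_main_cf(text):
    """Return {parameter: value} from main.cf-style text.

    A line that starts with whitespace continues the previous logical line;
    empty lines and lines whose first non-blank character is '#' are skipped,
    also in the middle of a continued value.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def unsupported_restrictions(main_cf_text, version):
    """List (parameter, restriction, older_name) not known to `version`.

    `version` is a (major, minor) tuple for the running Postfix.
    """
    findings = []
    for param, value in parse_main_cf(main_cf_text).items():
        if not RESTRICTION_PARAM.match(param):
            continue
        for token in re.split(r"[,\s]+", value):
            rule = NEEDS_VERSION.get(token)
            if rule and version < rule[0]:
                findings.append((param, token, rule[1]))
    return findings


# Constructed sample configuration.
SAMPLE_MAIN_CF = """\
# constructed sample
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_client_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    # comment inside a continued value
    reject_unknown_reverse_client_hostname
"""

if __name__ == "__main__":
    for param, name, older in unsupported_restrictions(SAMPLE_MAIN_CF, (2, 2)):
        hint = "older name: " + older if older else "no older equivalent"
        print(f"{param}: {name} needs Postfix 2.3 or newer ({hint})")
```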
Re: Postfix and DNSSEC
Bernhard Fischer wrote:

I'd like to use DNSSEC with Postfix. I did some research on the web but although DNSSEC is there nobody really cares about it. The most recent patch for Postfix is for release 2.3 and is based on libs (libval, libsres) I didn't find any download page for. Is there any recent development going on?

Although I don't know whether there is actual development or not in DNSSEC, you should bear in mind that there are still a lot of servers which don't support DNSSEC, either because it is disabled, due to problems with the proved denial of existence system used originally, or because the admins haven't updated the machine as DNS is a fairly sensitive service.

That said, if postfix developers want to add DNSSEC support, although that should be implemented on the name resolving libraries, I wouldn't mind sharing my, scarce, knowledge on it.

klondike
Developer of Kontinuidad Jabata
Re: Postfix and DNSSEC
On Wed, Dec 17, 2008 at 08:55:04PM +0100, klondike wrote:

Bernhard Fischer wrote:

I'd like to use DNSSEC with Postfix. I did some research on the web but although DNSSEC is there nobody really cares about it. The most recent patch for Postfix is for release 2.3 and is based on libs (libval, libsres) I didn't find any download page for. Is there any recent development going on?

Although I don't know whether there is actual development or not in DNSSEC, you should bear in mind that there are still a lot of servers which don't support DNSSEC, either because it is disabled, due to problems with the proved denial of existence system used originally, or because the admins haven't updated the machine as DNS is a fairly sensitive service.

That said, if postfix developers want to add DNSSEC support, although that should be implemented on the name resolving libraries, I wouldn't mind sharing my, scarce, knowledge on it.

Postfix uses res_search(3). DNSSEC would have to be supported by the C-library stub resolver code, not Postfix. DNSSEC is very complex. I rather like DJB's DNSCurve, but it seems the political climate may be against this IMHO very sound proposal.

--
Viktor.
Re: Postfix and DNSSEC
Bernhard Fischer wrote:

I'd like to use DNSSEC with Postfix. I did some research on the web but although DNSSEC is there nobody really cares about it. The most recent patch for Postfix is for release 2.3 and is based on libs (libval, libsres) I didn't find any download page for. Is there any recent development going on?

given that DNSSEC was proposed a long time ago, but has not been adopted, I don't see any reason why this would change. My opinion is that dnssec was proposed at that time means that it is obsolete (at that time, most people wanted pki, spoke perimeter security, ...).

and anyway, dnssec is about dns. the place to implement it is in dns servers and resolvers. not in MTAs or web servers...
Re: AW: Problem with alias Lists
Helmut Weigel wrote:

we use lmtp with cyrus imapd

- how are the aliases implemented? are they implemented in postfix or in another program?
- how are quota checks implemented?
- show some logs?
- ...
Re: Selective relaying to internal office server
Thomas Broda wrote:

Hi, I've got two Postfix hosts, mail.example.com and office.example.com. mail.example.com is MX for several domains which are set up as virtual alias domains. Now I would like to forward certain mails, dependent on the recipient, to an internal office server, so

us...@foo.org should be delivered locally on mail.example.com,

foo.org is a local domain listed in mydestination only.

us...@foo.org should be forwarded to us...@office.example.com,

use a virtual_alias_maps entry (not virtual_alias_domains) to rewrite us...@foo.org to the correct domain.

us...@bar.org should be forwarded to us...@office.example.com,

use a virtual_alias_maps entry (not virtual_alias_domains) to rewrite us...@bar.org to the correct domain.

us...@bar.org should be delivered locally on mail.example.com etc.

bar.org is a local domain listed in mydestination only.

--
Noel Jones
Re: Postfix and DNSSEC
klondike:

Bernhard Fischer wrote:

I'd like to use DNSSEC with Postfix. I did some research on the web but although DNSSEC is there nobody really cares about it. The most recent patch for Postfix is for release 2.3 and is based on libs (libval, libsres) I didn't find any download page for. Is there any recent development going on?

Although I don't know whether there is actual development or not in DNSSEC, you should bear in mind that there are still a lot of servers which don't support DNSSEC, either because it is disabled, due to problems with the proved denial of existence system used originally, or because the admins haven't updated the machine as DNS is a fairly sensitive service.

That said, if postfix developers want to add DNSSEC support, although that should be implemented on the name resolving libraries, I wouldn't mind sharing my, scarce, knowledge on it.

What are the application-visible changes? If one relies on BIND etc. for validation, where does DNSSEC affect the application?

Postfix uses the standard resolver library but these calls are entirely encapsulated in a single module.

Wietse
Re: Can content_filter take a map as an argument?
--- In postfix-us...@yahoogroups.com, Sahil Tandon sa...@... wrote:

jweinbergerhj wrote:

I know it's a simple question...but does anyone know if this:

content_filter=hash:/path/to/table (or mysql:/path/to/filters.cf)

will work?

No. From postconf(5):

content_filter (default: empty)
The name of a mail delivery transport that filters mail after it is queued. This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table. This setting has a lower precedence than a content filter that is specified with an access(5) table or in a header_checks(5) or body_checks(5) table.

I'm trying to test some new content filters and want to be able to apply them per domain or per address (recipient) for my test and personal domains before I make them standard.

You could use check_recipient_access; example:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions = .. check_recipient_access hash:/etc/postfix/filters ..

/etc/postfix/filters
    recipi...@... FILTER foo:bar

There are some caveats and limitations; for more information see:

http://www.postfix.org/access.5.html
http://www.postfix.org/FILTER_README.html

--
Sahil Tandon sa...@...

Sahil

Thanks!!

I read "This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table" as meaning it can take the same syntax as transport_maps, i.e. a table. Maybe not.

check_recipient_access works fine, but it is problematic for me, as the messages get passed to the content filter before alias translation, which causes problems with aliases that map to virtual mailboxes.

Also I would need check_recipient_access to be a mysql: table (which it can be), but I don't know how to control the matching order in a mysql table lookup - any ideas?

Do you (or anyone) have any ideas on how to overcome this?

I also came up with another way to do this...does anyone have any thoughts on how this will work?

Make the content filter into the transport using transport_maps. Then when the content filter injects the messages back into postfix, use master.cf -o transport_maps to override and make the actual transport maps effective.

Will that work?

Thanks for your help!

--Jeff
Re: Can content_filter take a map as an argument?
jeff_homeip wrote:

--- In postfix-us...@yahoogroups.com, Sahil Tandon sa...@... wrote:

jweinbergerhj wrote:

I know it's a simple question...but does anyone know if this:

content_filter=hash:/path/to/table (or mysql:/path/to/filters.cf)

will work?

No. From postconf(5):

content_filter (default: empty)
The name of a mail delivery transport that filters mail after it is queued. This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table. This setting has a lower precedence than a content filter that is specified with an access(5) table or in a header_checks(5) or body_checks(5) table.

I'm trying to test some new content filters and want to be able to apply them per domain or per address (recipient) for my test and personal domains before I make them standard.

You could use check_recipient_access; example:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions = .. check_recipient_access hash:/etc/postfix/filters ..

/etc/postfix/filters
    recipi...@... FILTER foo:bar

There are some caveats and limitations; for more information see:

http://www.postfix.org/access.5.html
http://www.postfix.org/FILTER_README.html

--
Sahil Tandon sa...@...

Sahil

Thanks!!

I read "This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table" as meaning it can take the same syntax as transport_maps, i.e. a table. Maybe not.

no. the syntax is that of the RIGHT-HAND SIDE of transport_maps. content_filter isn't a map.

check_recipient_access works fine,

I hope you are aware that per-recipient FILTER is fragile: if the message is sent to multiple recipients, the last FILTER is used (a message is passed to a single filter. it is not split).

but it is problematic for me, as the messages get passed to the content filter before alias translation, which causes problems with aliases that map to virtual mailboxes.

you can expand aliases before or after the filter. it's your choice. but make sure to only enable rewrite once in a mail path (otherwise, you may get duplicates if a virtual alias is expanded twice)

Also I would need check_recipient_access to be a mysql: table (which it can be), but I don't know how to control the matching order in a mysql table lookup - any ideas?

postfix lookup order is independent of the map type.

Do you (or anyone) have any ideas on how to overcome this?

I also came up with another way to do this...does anyone have any thoughts on how this will work?

Make the content filter into the transport using transport_maps. Then when the content filter injects the messages back into postfix, use master.cf -o transport_maps to override and make the actual transport maps effective.

Will that work?

not with a single instance. transport_maps are global in an instance. so you would create a loop.

but if you want per recipient filtering, then your best choice is to use different postfix instances (run postfix twice. not add smtpd listeners to a single master.cf). then you don't need content_filter at all. you can use transport_maps instead. the advantage is that this works as intended in the case of multiple recipients.

Thanks for your help!

--Jeff
postfix configuration advice/info
First of all let me apologize if you have seen this request/query before. I originally posted this to Google Groups mailing.postfix.users, but felt that it was probably the wrong place to ask for advice. I then tried the Postfix oriented groups on my news service, only to realize that the latest post other than mine was 3 weeks ago (time to get a new news service or am I seeing the end of NNTP).

I am very new to postfix and am looking for advice on my postfix configuration (see below). The configuration is aimed at a small group of people (less than 25 users) who are all volunteers at a local not for profit organization. The server is set up with no local users, and all mail is delivered to virtual mailboxes.

1) I am using RBL + RBHL + amavis-new + spamassassin + clamv + greylisting as anti-spam defenses. Question: are the header and body checks still worthwhile as anti-spam defenses? I can see the use of header checks for removing unwanted stuff, like the various headers that get inserted during spam processing. Are there any other worthwhile uses, and if so what, and where can I find more information? On the subject of RBL servers, does anybody have any suggestions as to the RBL lists to use or avoid? I am currently using bl.spamcop.net, zen.spamhaus.org, list.dsbl.org, all of which seem to work well.

2) A lot of the configuration advice/tutorials/how-to's that I have looked at put all the checks into the smtpd_recipient_restrictions. Why defer killing spam, why not kill it ASAP and save spending any more resources processing it? I know that the smtpd_delay_reject parameter defaults to yes, therefore all checks are deferred until recipient. But that just leads me to the same question.

2a) I have set smtp_delay_reject = no. Should I? Am I giving myself a problem by doing this?

2b) Based on some things I read here, it would seem that I should add permit_sasl_authenticated to each of the smtp_*_restriction sections. Is this correct?

2c) I was originally advised to have unknown_local_recipient_reject_code = 554, but in a couple of places I have seen it set to 550. Which is better? Supplementary: is there a list of codes, and if so where?

3) Is it possible to replace virtual_mailbox_maps = hash:/etc/postfix/vmailbox with something like proxy maps, such as virtual_mailbox_maps = proxy:unix:passwd.byname, and if so how would I implement this using Dovecot as the LDA/MDA?

4) Are there any gotchas in the config below?

Thank you for your patience

John Allen

Main.cf
=======

# DDOS stuff
default_process_limit=20
smtpd_recipient_limit = 128
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_error_sleep_time = 5s

# Virtual
virtual_mailbox_domains = /etc/postfix/maps/vdomains
virtual_mailbox_base = /var/mail/vhosts
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_maps = hash:/etc/postfix/maps/vmailbox
virtual_alias_maps = hash:/etc/postfix/maps/valiases
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# SASL support
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtp_sasl_auth_enable = no

# tls
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/pki/tls/private/invalid.key
smtpd_tls_cert_file = /etc/pki/tls/certs/invalid.crt
smtpd_tls_CAfile = /etc/pki/CA/sub.class2.server.ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# PARAMETERS THAT DON'T SEEM TO FIT ELSEWHERE
biff=no
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unverified_sender_reject_code = 550

# JUNK MAIL CONTROLS
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
allow_untrusted_routing = no
smtpd_etrn_restriction = reject
message_size_limit = 32768000
bounce_size_limit = 65536
header_size_limit = 32768
delay_warning_time = 12
smtpd_delay_reject = no
header_checks = regexp:/etc/postfix/maps/header_checks
body_checks = regexp:/etc/postfix/maps/body_checks
content_filter = amavisfeed:[127.0.0.1]:10024

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/maps/client_access,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_unknown_client_hostname,
    reject_invalid_hostname,
    permit

smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/maps/helo_checks,
    check_helo_access pcre:/etc/postfix/maps/helo_access,
    reject_unauth_pipelining,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_invalid_helo_hostname,
    permit
Re: postfix configuration advice/info
KLaM Postmaster wrote:

First of all let me apologize if you have seen this request/query before. I originally posted this to Google Groups mailing.postfix.users, but felt that it was probably the wrong place to ask for advice. I then tried the Postfix oriented groups on my news service, only to realize that the latest post other than mine was 3 weeks ago (time to get a new news service or am I seeing the end of NNTP).

I am very new to postfix and am looking for advice on my postfix configuration (see below), the configuration is aimed at a small group of people (less than 25 users) who are all volunteers at a local not for profit organization. The server is setup with no local users, and all mail is delivered to virtual mailboxes.

1) I am using RBL + RBHL + amavis-new + spamassassin + clamv + greylisting as anti-spam defenses. Question: are the header and body checks still worthwhile as anti-spam defenses? I can see the use of header checks for removing unwanted stuff, like the various headers that get inserted during spam processing are there any other worth while uses, if so what and where can I find more information.

some uses of header and body checks:
- reject banned attachments
- detect forged Received headers
- detect some backscatter (see the BACKSCATTER README)

but they are not a general content filter. see the limitations in the docs.

On the subject of RBL servers does anybody have any suggestions as the RBL lists to use or avoid. I am currently using bl.spamcop.net, zen.spamhaus.org, list.dsbl.org all of which seem to work well.

remove list.dsbl.org. it's no more active. use zen before spamcop. you will then probably realize that spamcop doesn't catch enough spam that is not caught by zen.

2) a lot of the configuration advice/tutorials/how-to's that I have looked at put all the checks into the smtpd_recipient_restrictions. Why defer killing spam, why not kill it ASAP and save spending anymore resources processing it?
I know that smtpd_delay_reject parameter defaults to yes, therefore all checks are deferred until recipient. But that just leads me to the same question.

2a) have set the smtp_delay_reject = no, should I, am I giving myself a problem by doing this?

yes.
- some smtp implementations are too strict about error codes. they will generally retry if you reject them before RCPT stage.
- when rejecting at RCPT stage, you have more infos. so you can assess your FPs...
- how much do you gain in rejecting at connection time instead of RCPT time. exceptionally if the client retries.
- most people use the default setup. so this is the setup that has been widely tested and validated. if you use a less common setup, you run the risks to find problems that were undetected. for example, there is a known problem with sender check in smtpd_recipient_restrictions if you set smtpd_delay_reject to no. (search the archives if interested).

2b) based on some things I read here, it would seem that I should add permit_sasl_authenticated to each of the smtp_*_restriction sections is this correct?

if you want to whitelist (be that sasl authenticated users or mynetworks or other), you need to do that before any reject in any restriction. This is why putting your checks under smtpd_recipient_restrictions is good (you don't need to repeat the permit_*).

2c) I was originally advised to have unknown_local_recipient_reject_code = 554 but in a couple of places I have seen it set to 550, which is better?

550 means: Requested action not taken: mailbox unavailable. so is better.

Supplementary, is there a list of codes, if so where?

the codes are defined in the RFCs ;-p

#postconf -d | grep unknown_
...
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
...
3) Is it possible to replace the virtual_mailbox_maps = hash:/etc/postfix/vmailbox with something like proxy maps such as virtual_mailbox_maps = proxy:unix:passwd.byname and if so how would implement this using Dovecot as the LDA/ MDA?

virtual_mailbox_maps is for addresses in virtual_mailbox_domains. passwd.byname is for unix users. do not mix these.

4) Are there any gotcha's in the config below.

The tradition here is to show output of 'postconf -n' instead of main.cf. but I'm skipping it anyway...
Re: postfix configuration advice/info
mouss wrote:

some uses of header and body checks:
- reject "banned attachments"
- detect forged Received headers
- detect some backscatter (see the BACKSCATTER README)

I gather that all of these are well described in the BACKSCATTER README, are there any other sources that might be worth a look?

your FPs...

Sorry for being dumb, but what are FPs?

- most people use the default setup. so this is the setup that has been widely tested and validated.

My trouble here was that I haven't found a consistent default setup. The setup that came with my Linux distribution was designed for the local desktop machine and did not seem to be suitable for a server.

the codes are defined in the RFCs ;-p

OK, I should have known that. :-!

3) Is it possible to replace the virtual_mailbox_maps = hash:/etc/postfix/vmailbox with something like proxy maps such as virtual_mailbox_maps = proxy:unix:passwd.byname and if so how would implement this using Dovecot as the LDA/ MDA

virtual_mailbox_maps is for addresses in virtual_mailbox_domains. passwd.byname is for unix users. do not mix these.

Sorry, I asked my question poorly and provided an even poorer exemplar. My objective here was to see if there was some way of avoiding having two lists of addresses/mail boxes, the vmailbox table and the Dovecot user_db file. What I was trying to get at is that Dovecot has a look up function for addresses using its auth_master function. Is that accessible from Postfix, and if so how? I am trying to make this easy to administer for a total non-techie, as I may not be around.

The "tradition" here is to show output of 'postconf -n' instead of main.cf. but I'm skipping it anyway...

I did that, but the output seemed bigger than the stuff I appended, but if the convention is "postconf -n" then I will do that in future, thanks for the heads up.

Etiquette question, should I post to the mailing list alone or to both the list and the respondent (in this case mouss).

Once again TIA
JLA
Re: postfix configuration advice/info
On Thu, 18 Dec 2008, mouss wrote:

use zen before spamcop. you will then probably realize that spamcop doesn't catch enough spam that is not caught by zen.

Very true. We have a datafeed from Spamhaus and out of roughly five million connections every 24 hours, bl.spamcop.net rejects about 6,000. I am actually considering the removal of the spamcop list entirely which would bring the number of blacklists used at SMTP time down to one.
DNSWL
Does anyone here make use of the DNS Whitelist? If so, what's your experience with it? Do you find it helpful in speeding up the delivery of legitimate mail, or does it just increase the amount of spam you receive? Also, do you find it more useful to use it as part of a spamassassin check, or as part of the SMTP transaction? I'm interested in any info you can provide. Adrian
Re: Can content_filter take a map as an argument?
--- In post...@yahoogroups.com, mouss mo...@... wrote:
jeff_homeip wrote:
--- In postfix-us...@yahoogroups.com, Sahil Tandon sahil@ wrote:
jweinbergerhj wrote:

I know it's a simple question...but does anyone know if this: content_filter=hash:/path/to/table (or mysql:/path/to/filters.cf) will work?

No. From postconf(5):

content_filter (default: empty)
The name of a mail delivery transport that filters mail after it is queued. This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table. This setting has a lower precedence than a content filter that is specified with an access(5) table or in a header_checks(5) or body_checks(5) table.

I'm trying to test some new content filters and want to be able to apply them per domain or per address (recipient) for my test and personal domains before I make them standard.

You could use check_recipient_access; example:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions = .. check_recipient_access hash:/etc/postfix/filters ..

/etc/postfix/filters
    recipient@ FILTER foo:bar

There are some caveats and limitations; for more information see:
http://www.postfix.org/access.5.html
http://www.postfix.org/FILTER_README.html

-- Sahil Tandon sahil@

Sahil Thanks!! I read This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table as meaning it can take the same syntax as transport_maps, i.e. a table. Maybe not.

no. the syntax is that of the RIGHT-HAND SIDE of transport_maps. content_filter isn't a map.

thank you!

check_recipient_access works fine,

I hope you are aware that per-recipient FILTER is fragile: if the message is sent to multiple recipients, the last FILTER is used (a message is passed to a single filter. it is not split).

but it is problematic for me, as the messages get passed to the content filter before alias translation, which causes problems with aliases that map to virtual mailboxes.

you can expand aliases before or after the filter. it's your choice. but make sure to only enable rewrite once in a mail path (otherwise, you may get duplicates if a virtual alias is expanded twice)

When I used the check_recipient_access it passed the message to the content filter before alias expansion, and when I used the content_filter it passed it after. Can you tell me (or point me to resources) that show me how to control this? it might help me achieve my goal...thanks.

Also I would need check_recipient_access to be a mysql: table (which it can be), but I don't know how to control the matching order in a mysql table lookup - any ideas?

postfix lookup order is independent of the map type.

OK, got that. But the question isn't whether it's different for mysql maps, but how I can make sure that when addr...@domain.tld is matched it matches addr...@domain.tld before it matches domain.tld and that before it matches /./ (all). This way I can specify per user, per domain and have a catch-all (default). It did not work this way with transport_maps, but that might be because I specified two different maps (transport_maps=mysql:/path/to/one.cf, mysql:/path/to/two.cf). In that case if something matched in one.cf, then it never checked two.cf. Do you (or anyone) have any ideas on how to overcome this?

I also came up with another way to do this...does anyone have any thoughts on how this will work? Make the content filter into the transport using transport_maps. Then when the content filter injects the messages back into postfix, use master.cf -o transport_maps to override and make the actual transport maps effective. Will that work?

not with a single instance. transport_maps are global in an instance. so you would create a loop. but if you want per recipient filtering, then your best choice is to use different postfix instances (run postfix twice. not add smtpd listeners to a single master.cf). then you don't need content_filter at all. you can use transport_maps instead. the advantage is that this works as intended in the case of multiple recipients.

Multiple postfix instances on one machine might be the best answer to this. Can you point me to something on how to do this? I'm not at all familiar with how this might work and be sure they don't interfere with one another. Thank you so much for your help!

Thanks for your help!
--Jeff
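Added example (not part of any message in this thread): a small Python model of the two behaviours discussed above, the order in which an access(5) table is searched for a recipient address and the "last FILTER wins" rule for a message with several recipients. The addresses, the FILTERS table and the transport names "test" and "stable" are constructed; the model assumes no address extension and the default parent_domain_matches_subdomains behaviour for smtpd access maps.

```python
def lookup_keys(address):
    """Keys tried, in order, when an access table is searched for an address.

    The order is the same whatever the map type (hash:, mysql:, ...).
    """
    local, domain = address.rsplit("@", 1)
    keys = [f"{local}@{domain}"]                 # 1. the full address
    labels = domain.split(".")
    # 2. the domain, then each parent domain, most specific first
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{local}@")                     # 3. the bare local part
    return keys


def access_lookup(table, address):
    """Return (matching key, action) for the first key present in the table."""
    for key in lookup_keys(address):
        if key in table:
            return key, table[key]
    return None, None


def filter_for_message(table, recipients):
    """One queued message goes to one filter: the last FILTER that fired."""
    chosen = None
    for rcpt in recipients:
        _, action = access_lookup(table, rcpt)
        if action and action.startswith("FILTER "):
            chosen = action.split(None, 1)[1]
    return chosen


# Constructed table: one user routed to a filter under test, the rest of
# the domain to the established one.
FILTERS = {
    "alice@example.com": "FILTER test:[127.0.0.1]:10030",
    "example.com": "FILTER stable:[127.0.0.1]:10024",
}

if __name__ == "__main__":
    print(lookup_keys("alice@mail.example.com"))
    print(access_lookup(FILTERS, "bob@example.com"))
    # Same two recipients, different order, different filter for everyone.
    print(filter_for_message(FILTERS, ["alice@example.com", "bob@example.com"]))
    print(filter_for_message(FILTERS, ["bob@example.com", "alice@example.com"]))
```

The per-user entry beats the per-domain entry inside a single table, but a message addressed to both users is filtered as a whole, which is the fragility mouss describes.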
Re: Problems running multiple instances of postfix on same host
Rob Tanner wrote:

Hi, I need to run a separate instance of postfix in order to accommodate a FAX server. I created the directory /etc/postfix/fax and copied and customized the main.cf and master.cf files from the default directory to this new directory. I also copied post-install, postfix-files and postfix-script. I also created the directory /var/spool/postfix/pid/fax for the pid files and explicitly declared it in main.cf (process_id_directory = /var/spool/postfix/pid/fax).

When I do an initial attempt to start the postfix instance, I get a message that postfix is already running. Note, also, that the message says postfix/postfix-script rather than postfix/fax/postfix-script.

[r...@neskowin ~]# postfix -c /etc/postfix/fax start
postfix/postfix-script: fatal: the Postfix mail system is already running
[r...@neskowin ~]#

I'm running Postfix 2.2.10. Is there something more I need to do in the setup to get this second instance running?

You need separate queue_directory and data_directory locations for each instance. process_id_directory is defined relative to queue_directory.

On a side note, are you sure you really need a second instance? Extra services can be enabled in master.cf and you can override with the -o flag pretty much anything you can specify in main.cf.
SMTP Relay question.
Hi,

I have configured a postfix mail server with mysql virtual domains/users. I had a (test) domain say foo.test.com and a user for that domain ( no...@foo.test.com ). The mail server is having IP address 222.333.444.55

Following are some important parameter values in my main.cf

broken_sasl_auth_clients = yes
command_directory = /usr/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
ddd $daemon_directory/$process_name $process_id sleep 5
debugger_command =
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
maildrop_destination_recipient_limit = 1
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
newaliases_path = /usr/bin/newaliases
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_pw_server_security_options = plain,login,cram-md5
*smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination*
smtpd_sasl2_auth_enable = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.cert
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_pw_server = yes
smtpd_use_tls = yes
smtp_helo_required = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/mysql_valias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql/mysql_vdomain_maps.cf
virtual_mailbox_limit = 5120
virtual_mailbox_maps = mysql:/etc/postfix/mysql/mysql_vmailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = maildrop
virtual_uid_maps = static:5000

Now I am telnetting to this mail server from a different network ( 111.222.333.44)

When I send
mail from: no...@foo.test.com
to rcpt to: some...@gmail.com
it gives me
554 5.7.1 some...@gmail.com: Relay access denied
which is fine due to smtp_recipent_restrictions.

But now if I send
mail from: no...@foo.test.com
to rcpt to: no...@foo.test.com
Mail gets delivered .. how can I restrict this since anybody can send such mails by telnetting to this server.

Same thing, I am having another domain on the same server say 'boo.test.com' having user nob...@boo.test.com, still
mail from: no...@foo.test.com
to rcpt to: nob...@boo.test.com
delivers mails. How can I restrict such cases.

Thanks
Regards
Swati Meghanand.
Re: SMTP Relay question.
2008/12/18 Swati Meghanand swati.meghan...@gmail.com
2008/12/18 Darren Pilgrim post...@bitfreak.org

The two examples above are expected behavior--postfix accepted for delivery an email address to a valid address within its domain.

How can I restrict such cases.

Restrict such cases how? Prohibit unauthorized senders from using addresses in your domain?

OK, agreed but it means, if someone using any IP out of 'mynetworks' can send mails to my domains by just telnetting 25 to mailserver even by mail from: nob...@gmail.com rcpt to: no...@foo.test.com Sorry for this silly statement... I just forgot about SMTP's nature :-( delivers mail, can I put some sender restrictions using smtpd_sender_restrictions parameter ?

@Darren Thnx for ur help.

Regards,
Swati Meghanand
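Added example (not part of any message on this page): a toy Python model of how smtpd walks its restriction lists, covering both the relay question above and the earlier advice that a whitelist entry must come before any reject in every list. It is a simplification, not Postfix code; the session flags, the user@foo.test.com and someone@example.org addresses and the rule sets RELAY_ONLY, SPLIT and SPLIT_FIXED are constructed for illustration.

```python
# Toy model of how smtpd evaluates its restriction lists (added example).
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed sample data: the two hosted domains named in the thread.
LOCAL_DOMAINS = {"foo.test.com", "boo.test.com"}


def permit_mynetworks(s):
    return PERMIT if s["in_mynetworks"] else DUNNO


def permit_sasl_authenticated(s):
    return PERMIT if s["sasl_authenticated"] else DUNNO


def reject_unauth_destination(s):
    # Simplified: refuses only recipients in domains this server does not host.
    return DUNNO if s["rcpt"].rsplit("@", 1)[1] in LOCAL_DOMAINS else REJECT


def reject_rbl_client(s):
    # Stand-in for a DNSBL lookup; "client_listed" is a constructed flag.
    return REJECT if s["client_listed"] else DUNNO


def evaluate(lists, session):
    """Return (verdict, deciding rule) for one RCPT TO."""
    for list_name, rules in lists:
        for rule in rules:
            result = rule(session)
            if result == REJECT:
                return REJECT, f"{list_name}:{rule.__name__}"
            if result == PERMIT:
                break  # ends this list only; the next list still runs
    return PERMIT, "end of lists"


def session(**facts):
    base = {"in_mynetworks": False, "sasl_authenticated": False,
            "client_listed": False, "rcpt": "user@foo.test.com"}
    return {**base, **facts}


RCPT_RULES = [permit_mynetworks, permit_sasl_authenticated,
              reject_unauth_destination]
# The recipient list from the thread, on its own.
RELAY_ONLY = [("recipient", RCPT_RULES)]
# A DNSBL check in the client list with no SASL whitelist ahead of it.
SPLIT = [("client", [permit_mynetworks, reject_rbl_client]),
         ("recipient", RCPT_RULES)]
# Same, with the whitelist repeated before the reject.
SPLIT_FIXED = [("client", [permit_mynetworks, permit_sasl_authenticated,
                           reject_rbl_client]),
               ("recipient", RCPT_RULES)]

if __name__ == "__main__":
    auth = session(sasl_authenticated=True, client_listed=True)
    print(evaluate(RELAY_ONLY, session(rcpt="someone@example.org")))
    print(evaluate(RELAY_ONLY, session()))  # stranger to a hosted address
    print(evaluate(SPLIT, auth))
    print(evaluate(SPLIT_FIXED, auth))
```

In the model, reject_unauth_destination only stops relaying, so an unauthenticated client writing to a hosted address falls through to the final permit, which is ordinary inbound mail.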