Re: Postscreen: bad command startup -- throttling issues
Am 13.02.2013 22:14, schrieb LDB:
> Syslog is seemingly configured properly, as well:
>
> server:/var/log # grep mail /etc/rsyslog.conf
> # email-messages
> mail.*                     -/var/log/mail
> mail.info                  -/var/log/mail.info
> mail.warning               -/var/log/mail.warn
> mail.err                   /var/log/mail.err
> *.*;mail.none;news.none    -/var/log/messages
>
> But yet, /var/log/mail.err remains empty.

and what is in the others?

cat /var/log/mail* would have been the minimum I expected as a reply,
and a look in /var/log/messages is also not wrong
Re: HOLDing certain recipients during migration
On Thu, Feb 14, 2013 at 4:34 AM, Sahil Tandon sahil+post...@tandon.net wrote:
> The HOLD action affects all recipients; you can be more specific by
> using the retry service. See the following thread:
>
> http://article.gmane.org/gmane.mail.postfix.user/197989

Thanks Sahil! I'll consider it. It also makes sense, though delivery of
rejected emails is somewhat delayed (due to the unknown retry interval).

What do you mean by 'HOLD action affects all recipients'? HOLD action
affects only recipients listed in the hold file - at least that's how I
understand it.

Miha
Re: HOLDing certain recipients during migration
On 2/14/2013 3:43 AM, Miha Valencic wrote:
> On Thu, Feb 14, 2013 at 4:34 AM, Sahil Tandon sahil+post...@tandon.net wrote:
>> The HOLD action affects all recipients; you can be more specific by
>> using the retry service. See the following thread:
>>
>> http://article.gmane.org/gmane.mail.postfix.user/197989
>
> Thanks Sahil! I'll consider it. It also makes sense, though delivery of
> rejected emails is somewhat delayed (due to the unknown retry interval).
>
> What do you mean by 'HOLD action affects all recipients'? HOLD action
> affects only recipients listed in the hold file - at least that's how I
> understand it.
>
> Miha

HOLD acts at the message level, not the recipient level. If one
recipient of a multi-recipient message is put on HOLD, all recipients
of that message will be affected.

-- Noel Jones
Re: Gmail as Relayhost
On 02/13/2013 03:24 PM, Noel Jones wrote:
> [snip]
> A few choices...
>
> - Don't use a relayhost, deliver mail directly. This requires you have a
>   static IP address with proper FCrDNS entries, which will require
>   cooperation from your ISP and may cost some extra, depending on your
>   current service agreement.
>
> - If you only have a handful of addresses, you can sign up for a free
>   google apps account with your own domain name. That will allow you to
>   relay through google. You are not required to use google as your MX;
>   you can continue to use your own server. If you have too many for the
>   free service, you might consider paying.
>
> - Use some third-party relayhost service, such as dyndns. This will not
>   be free, but shouldn't cost very much. If you have more than a couple
>   dozen email addresses, this will be cheaper than a google apps account.
>
> -- Noel Jones
> [snip]

I finally went with dyndns. Low cost for the volume we have and easy to
set up. But since the price is volume based I was thinking of splitting
the outgoing traffic between my ISP and dyn.com.

I thought of using relayhost to my ISP by default and use fallback_relay
when the ISP failed. However the documentation of fallback_relay mentions
only that it kicks in when the main relay fails. In my case I want to use
it when it bounces the mail for the wrong reason (the reason why I went
with dyn.com in the first place):

Feb 4 14:20:57 www postfix/smtp[6592]: 6CF7EA41F89: to=servic...@dominio.com, relay=smtp.movistar.es[213.4.149.228]:25, delay=3.4, delays=0.15/0.01/0.26/3, dsn=5.2.0, status=bounced (host smtp.movistar.es[213.4.149.228] said: 552 5.2.0 wDHP1k00B3cN3cx1hDHPt5 internal error ??. 6007 (in reply to end of DATA command))

Would it work?

Dominique
Unable to set postfix as smarthost with plain authentication on port 25 (no tls/ssl): error 550 5.1.0 xxxxx authentication failed
Hi,

I'm using Debian GNU Linux 6.0 squeeze, postfix 2.7.1-1+squeeze1.

I'm in need of using a smarthost to relay all of my mail. I'm unable to
use an Italian provider (aruba) as smarthost for my server. I obtain the
(in)famous "550 5.1.0 X authentication failed".

Relevant part of logs:

Feb 6 13:42:42 myserver postfix/smtp[12173]: smtp.provider.com[ smtp.provider.com]:25: MAIL FROM:r...@myserver.com
Feb 6 13:42:42 myserver postfix/smtp[12173]: smtp.provider.com[ smtp.provider.com]:25: 550 5.1.0 x0ih1k00U1GKSXt010ihSY authentication failed

Relevant part of configuration:

relayhost = smtp.provider.com
smtp_cname_overrides_servername=no
smtp_sasl_auth_enable = yes
#smtp_sasl_security_options = noanonymous
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl/saslpasswd
smtp_always_send_ehlo = yes

I've tested username/password using thunderbird as client, it works.
I've tested the same configuration with another provider: it works.

My guess is that the provider uses a different server to answer my
request, and so postfix is unable to find a matching password in the file
/etc/postfix/sasl/saslpasswd. But I've tried by using
smtp_cname_overrides_servername=yes or smtp_cname_overrides_servername=no
and it failed in the same way.

I've also tried to declare all hostnames that I can see in the logs,
placing all of them in /etc/postfix/sasl/saslpasswd, but even this way I
cannot send my mail.

Is there anyone that can help me?

Thanks,
larzeni
Re: Unable to set postfix as smarthost with plain authentication on port 25 (no tls/ssl): error 550 5.1.0 xxxxx authentication failed
Am 14.02.2013 14:48, schrieb Luca Arzeni:
> I'm in need of using a smarthost to relay all of my mail. I'm unable to
> use an Italian provider (aruba) as smarthost for my server. I obtain the
> (in)famous 550 5.1.0 X authentication failed

maybe he does not like PLAIN without encryption
why in the world would anybody do this?

install cyrus-sasl-md5 or however the package is called in your
distribution and postfix will automatically use the best available method

> I've tested username/password using thunderbird as client, it works.

with unencrypted plain auth?

> I've tested the same configuration with another provider: it works.

does not matter

> My guess is that the provider uses a different server to answer my request

how should it do this?

> and so postfix is unable to find a matching password in file
> /etc/postfix/sasl/saslpasswd.

YOU control the match, not the target server

YOU control that host/port of the relayhost matches EXACTLY how it is
defined in saslpasswd, and my guess is that you forgot to put the
hostname inside [] to disable MX lookups

cat /etc/postfix/saslpasswd
# CHANGES: postmap /etc/postfix/saslpasswd
[mail.thelounge.net]:587 user:pwd

> But I've tried by using smtp_cname_overrides_servername=yes or
> smtp_cname_overrides_servername=no and it failed in the same way.

don't do mangling around everywhere

> I've also tried to declare all hostnames that I can see in the logs
> placing all of them in the /etc/postfix/sasl/saslpasswd but even this
> way I cannot send my mail

why are you doing this?
Re: Gmail as Relayhost
On 2/14/2013 6:23 AM, Dominique wrote:
> On 02/13/2013 03:24 PM, Noel Jones wrote:
>> [snip]
>> - Use some third-party relayhost service, such as dyndns. This will not
>>   be free, but shouldn't cost very much. If you have more than a couple
>>   dozen email addresses, this will be cheaper than a google apps account.
>>
>> -- Noel Jones
>> [snip]
>
> I finally went with dyndns. Low cost for the volume we have and easy to
> set up. But since the price is volume based I was thinking of splitting
> the outgoing traffic between my ISP and dyn.com.
>
> I thought of using relayhost to my ISP by default and use fallback_relay
> when the ISP failed. However the documentation of fallback_relay mentions
> only that it kicks in when the main relay fails. In my case I want to use
> it when it bounces the mail for the wrong reason (the reason why I went
> with dyn.com in the first place):
>
> Feb 4 14:20:57 www postfix/smtp[6592]: 6CF7EA41F89: to=servic...@dominio.com, relay=smtp.movistar.es[213.4.149.228]:25, delay=3.4, delays=0.15/0.01/0.26/3, dsn=5.2.0, status=bounced (host smtp.movistar.es[213.4.149.228] said: 552 5.2.0 wDHP1k00B3cN3cx1hDHPt5 internal error ??. 6007 (in reply to end of DATA command))
>
> Would it work?

No, fallback_relay is for when the preferred destination is unreachable.

When the primary (incorrectly) rejects your mail, your options are
somewhat limited. One ugly-hack workaround is to add soft_bounce=yes to
the master.cf smtp transport entry, which will transform the 5xx reject
into a 4xx retry, and hope the relay will accept the message on the next
try. This can cause the unwanted side effect that if a message is
persistently undeliverable it will hang around in your queue for
$maximal_queue_lifetime (default 5 days).

#master.cf existing smtp transport entry
smtp      unix  -       -       n       -       -       smtp
  -o soft_bounce=yes

Hmmm... Now that I think about it, the soft_bounce setting should trigger
a fallback_relay delivery attempt. Give it a whirl.

And complain loudly to the ISP when the service you're paying for isn't
working.
-- Noel Jones
Null sender address in NDR's
Hello List,

I'll have to start by breaking the golden rule of this list and not
posting postconf -n output, as my question relates to a server over which
I have no control.

A customer of mine is using a smart host provided by their ISP through
which all outbound mail is delivered, smtp.enta.net (which is running
postfix). This server holds a list of valid domains from which this
customer is allowed to send. A sensible precaution to prevent a
compromised machine from sending spam using spoofed sender addresses on
other domains.

The problem is that when the client's mail server sends an NDR the sender
address is <> (i.e. NULL). The null sender address causes the message to
be rejected with:

554+5.7.1+:+Sender+address+rejected:+Access+denied

Is there a sensible way to configure postfix to allow these messages with
null sender addresses to be relayed without opening the smart host up to
exploitation?

Or alternatively - and this is off topic for this list - is there a way to
configure Microsoft Exchange 2003 to send NDRs with a different sender
address. And before anyone comments, yes I know this isn't best practice
as NDRs should have null sender addresses to stop loops (bouncing
bounce-backs!).

Kind regards,

James Day (IT Engineer)
Re: Null sender address in NDR's
On Thu, Feb 14, 2013 at 03:03:23PM +, James Day wrote:
> A customer of mine is using a smart host provided by their ISP through
> which all outbound mail is delivered, smtp.enta.net (which is running
> postfix).

This ISP's outbound relay is a submission service that is *only*
suitable for relaying email from MUAs.

> The problem is that when the client's mail server sends an NDR the sender
> address is <> (i.e. NULL). The null sender address causes the message to
> be rejected with:

The relay does not support MTAs.

> Is there a sensible way to configure postfix to allow these messages with
> null sender addresses to be relayed without opening the smart host up to
> exploitation?

Sending bounces is not exploitation, but the smart host (really
submission service) policy is up to the ISP. Ask them.

> Or alternatively - and this is off topic for this list - is there a way to
> configure Microsoft Exchange 2003 to send NDRs with a different sender
> address.

NO. Bounces MUST be sent with a null sender address. Otherwise, bounces
would elicit bounces in return creating mail loops, sometimes
exponentially growing, if a message elicits multiple non-delivery
reports.

The solution is to use a relay that permits bounces. Either the ISP
relaxes their policies, or a different relay must be found.

> And before anyone comments, yes I know this isn't best practice as NDRs
> should have null sender addresses to stop loops (bouncing bounce-backs!).

Not should, MUST. Not isn't best practice, rather prohibited.

-- 
	Viktor.
Re: Null sender address in NDR's
Am 14.02.2013 16:03, schrieb James Day:
> Hello List,
>
> I'll have to start by breaking the golden rule of this list and not
> posting postconf -n output, as my question relates to a server over which
> I have no control.
>
> A customer of mine is using a smart host provided by their ISP through
> which all outbound mail is delivered, smtp.enta.net (which is running
> postfix). This server holds a list of valid domains from which this
> customer is allowed to send. A sensible precaution to prevent a
> compromised machine from sending spam using spoofed sender addresses on
> other domains.
>
> The problem is that when the client's mail server sends an NDR the sender
> address is <> (i.e. NULL). The null sender address causes the message to
> be rejected with:
>
> 554+5.7.1+:+Sender+address+rejected:+Access+denied
>
> Is there a sensible way to configure postfix to allow these messages with
> null sender addresses to be relayed without opening the smart host up to
> exploitation?
>
> Or alternatively - and this is off topic for this list - is there a way to
> configure Microsoft Exchange 2003 to send NDRs with a different sender
> address. And before anyone comments, yes I know this isn't best practice
> as NDRs should have null sender addresses to stop loops (bouncing
> bounce-backs!).
>
> Kind regards,
>
> James Day (IT Engineer)

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: Munich, Munich District Court: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
RE: Null sender address in NDR's
>> Is there a sensible way to configure postfix to allow these messages with
>> null sender addresses to be relayed without opening the smart host up to
>> exploitation?
>
> Sending bounces is not exploitation, but the smart host (really
> submission service) policy is up to the ISP. Ask them.

I wasn't trying to suggest that sending bounces would be exploitation,
rather that allowing *all* messages with a NULL sender to be relayed
through could potentially be exploited to send spam as <>.

> NO. Bounces MUST be sent with a null sender address. Otherwise, bounces
> would elicit bounces in return creating mail loops, sometimes
> exponentially growing, if a message elicits multiple non-delivery
> reports.

Yes I know that and have referred to that point below.

> The solution is to use a relay that permits bounces. Either the ISP
> relaxes their policies, or a different relay must be found.

As I feared, thank you for confirming.

>> And before anyone comments, yes I know this isn't best practice as NDRs
>> should have null sender addresses to stop loops (bouncing bounce-backs!).
>
> Not should, MUST. Not isn't best practice, rather prohibited.
>
> -- 
> 	Viktor.

I understand and agree, however in my experience you sometimes have to
fudge things so they operate with incorrectly configured systems
(against my own wishes!)

James
Re: Null sender address in NDR's
Am 14.02.2013 16:36, schrieb James Day:
>> Not should, MUST. Not isn't best practice, rather prohibited.
>
> I understand and agree, however in my experience you sometimes have to
> fudge things so they operate with incorrectly configured systems
> (against my own wishes!)

no you have not

if you can clearly show that your setup goes with all relevant RFCs and
is configured by best common practice you NEVER need to do anything to
support incorrectly configured systems

the one with the incorrectly configured system has to fix it

if I know what I am doing and can verify that my setup is correct and
some boss is forcing me to violate RFCs this would be my last day
working for whatever company
Re: Null sender address in NDR's
Am 14.02.2013 16:36, schrieb James Day:
>>> Is there a sensible way to configure postfix to allow these messages
>>> with null sender addresses to be relayed without opening the smart host
>>> up to exploitation?
>>
>> Sending bounces is not exploitation, but the smart host (really
>> submission service) policy is up to the ISP. Ask them.
>
> I wasn't trying to suggest that sending bounces would be exploitation,
> rather that allowing *all* messages with a NULL sender to be relayed
> through could potentially be exploited to send spam as <>.
>
>> NO. Bounces MUST be sent with a null sender address. Otherwise, bounces
>> would elicit bounces in return creating mail loops, sometimes
>> exponentially growing, if a message elicits multiple non-delivery
>> reports.
>
> Yes I know that and have referred to that point below.
>
>> The solution is to use a relay that permits bounces. Either the ISP
>> relaxes their policies, or a different relay must be found.
>
> As I feared, thank you for confirming.
>
>>> And before anyone comments, yes I know this isn't best practice as NDRs
>>> should have null sender addresses to stop loops (bouncing bounce-backs!).
>>
>> Not should, MUST. Not isn't best practice, rather prohibited.
>>
>> -- 
>> 	Viktor.
>
> I understand and agree, however in my experience you sometimes have to
> fudge things so they operate with incorrectly configured systems
> (against my own wishes!)
>
> James

looking in my relayhosts for exchange, I see <> is accepted via
submission tls if sasl auth is done before from exchange with
reject_sender_login_mismatch, smtpd_sender_login_maps exists; this
should be enough for the smarthost isp. I only know the problem
appearing with i.e. static restrict tables solution

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Re: Null sender address in NDR's
On Thu, Feb 14, 2013 at 03:36:11PM +, James Day wrote:
>>> Is there a sensible way to configure postfix to allow these messages
>>> with null sender addresses to be relayed without opening the smart host
>>> up to exploitation?
>>
>> Sending bounces is not exploitation, but the smart host (really
>> submission service) policy is up to the ISP. Ask them.
>
> I wasn't trying to suggest that sending bounces would be exploitation,
> rather that allowing *all* messages with a NULL sender to be relayed
> through could potentially be exploited to send spam as <>.

This has nothing to do with spam. One can just as easily send spam as
mal...@example.com as one can as <>. The ISP can equally easily track it
down, since the Received: headers will contain the offending IP address.

The real issue is that the ISP is offering a consumer-grade submission
service for MUAs, not a relay service for MTAs. Their rate limit
policies may be based on sender domains, rather than client IP addresses
(ideally they should really use the SASL login name).

Perhaps a business-grade service offering from the same ISP (typically
at a higher price-point) offers ISP support, or a static sending IP not
listed in the PBL (in which case simply send direct and don't use the
ISP relay).

>>> And before anyone comments, yes I know this isn't best practice as NDRs
>>> should have null sender addresses to stop loops (bouncing bounce-backs!).
>>
>> Not should, MUST. Not isn't best practice, rather prohibited.
>
> I understand and agree, however in my experience you sometimes have to
> fudge things so they operate with incorrectly configured systems
> (against my own wishes!)

Not in this case, sending NDRs with a non-null envelope sender address
is a fundamental violation of the robustness requirements of SMTP. This
goes beyond working-around misconfiguration to flagrant violation of a
basic design requirement that prevents congestive collapse of the mail
system.

-- 
	Viktor.
RE: Null sender address in NDR's
> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
> Sent: 14 February 2013 15:43
> To: postfix-users@postfix.org
> Subject: Re: Null sender address in NDR's
>
> Am 14.02.2013 16:36, schrieb James Day:
>>> Not should, MUST. Not isn't best practice, rather prohibited.
>>
>> I understand and agree, however in my experience you sometimes have to
>> fudge things so they operate with incorrectly configured systems
>> (against my own wishes!)
>
> no you have not
>
> if you can clearly show that your setup goes with all relevant RFCs and
> is configured by best common practice you NEVER need to do anything to
> support incorrectly configured systems
>
> the one with the incorrectly configured system has to fix it
>
> if I know what I am doing and can verify that my setup is correct and
> some boss is forcing me to violate RFCs this would be my last day
> working for whatever company

I hope you don't take offence when I say that your messages come across
as rather hostile. Unfortunately when dealing with a 3rd party it's not
always possible to ensure RFC compliance, so on some occasions exceptions
have to be made for the sake of getting things working.

Perhaps "incorrectly configured" was the wrong phrase to use. It's not
that there is anything inherently wrong with the smtp.enta.net server,
rather it wasn't designed to do what I'm asking of it.

I'm going to set up reverse DNS for the IP of this connection and send
out directly from the client's Exchange server.

Thanks for your input.

James
RE: Null sender address in NDR's
--snip--

> Not in this case, sending NDRs with a non-null envelope sender address
> is a fundamental violation of the robustness requirements of SMTP. This
> goes beyond working-around misconfiguration to flagrant violation of a
> basic design requirement that prevents congestive collapse of the mail
> system.
>
> -- 
> 	Viktor.

I understand the potential consequences (bouncing bounce-backs!). I was
hoping someone had a clever fix to work around the issue I was having,
but it appears my initial thought was correct and I'll need to find an
alternative method to send mail.

I didn't mean to start an argument about breaking RFCs.

Again, thanks for your input, it is greatly appreciated.

James
Re: Null sender address in NDR's
On Thu, Feb 14, 2013 at 04:14:06PM +, James Day wrote:
>> Not in this case, sending NDRs with a non-null envelope sender address
>> is a fundamental violation of the robustness requirements of SMTP. This
>> goes beyond working-around misconfiguration to flagrant violation of a
>> basic design requirement that prevents congestive collapse of the mail
>> system.
>
> I didn't mean to start an argument about breaking RFCs.

I don't think you did. I'm not an RFC maximalist, and don't care a
great deal whether a particular setting does or does not violate some
RFC. The RFCs provide a guide to determine what is sound and robust
behaviour, and what is fragile or dangerously misguided.

One should generally strive to be RFC compliant, but, more importantly,
one must apply logic and avoid misguided configurations or policy that
put the network at risk, or carry a high risk of interoperability
failure. This is a combination of RFC compliance, common sense, and
best-practice experience.

There was only one knee-jerk RFC maximalist post in this thread, it
can be safely ignored.

-- 
	Viktor.
Re: Gmail as Relayhost
On Thu, Feb 14, 2013 at 08:29:06AM -0600, Noel Jones wrote:
> On 2/14/2013 6:23 AM, Dominique wrote:
>> Feb 4 14:20:57 www postfix/smtp[6592]: 6CF7EA41F89: to=servic...@dominio.com, relay=smtp.movistar.es[213.4.149.228]:25, delay=3.4, delays=0.15/0.01/0.26/3, dsn=5.2.0, status=bounced (host smtp.movistar.es[213.4.149.228] said: 552 5.2.0 wDHP1k00B3cN3cx1hDHPt5 internal error ??. 6007 (in reply to end of DATA command))

<snip>

> And complain loudly to the ISP when the service you're paying for isn't
> working.

It's seriously broken if it is giving 5xx rejections for its own
internal errors! Granted, that might not be the actual reason for
rejection -- it could be that the internal error was encountered while
retrieving rejection messages from a database. Still: don't pay good
money for bad service.

-- 
    http://rob0.nodns4.us/ -- system administration and consulting
    Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: virtual-regex problem
On 2/14/2013 11:16 AM, Alex wrote:
> Hello,
>
> I am having an issue with setting up virtual-regex email redirection.
> It appears that my wild card redirection is overriding an entry with
> less specific criteria. Here is what I have in my
> /etc/postfix/virtual-regex
>
> /somename+.*@somedomain.com/   some...@gmail.com
> /.*@.*/                        somelocaluser
>
> Line one is being ignored

Line 1 is not ignored, the problem is that wildcards are evil and
should be avoided.

Virtual alias lookups are recursive, so you'll need a 1-1 mapping to
stop the recursion. Also be careful with your expressions so you don't
get unintended matches.

Something like:

/somename+.*@example\.com$/   some...@gmail.com
/^some...@gmail\.com$/        some...@gmail.com
IF /@example\.com$/
/./   somelocaluser@localhost.localdomain
ENDIF

If you really intend your wildcard to capture the whole internet
address space and redirect it to somelocaluser, you can remove the IF
and ENDIF statements. Such a setup is common in a testing lab, but
never in the real world.

-- Noel Jones
Re: virtual-regex problem
Thank you for your help. This setup is for lab/qa indeed. What I intend
to do is have only certain email from a test account forward to outside
and everything else to a single local user. Am I correct to assume that
there is no way to accomplish this with regex?

On Thu, Feb 14, 2013 at 10:26 AM, Noel Jones njo...@megan.vbhcs.org wrote:
> On 2/14/2013 11:16 AM, Alex wrote:
>> Hello,
>>
>> I am having an issue with setting up virtual-regex email redirection.
>> It appears that my wild card redirection is overriding an entry with
>> less specific criteria. Here is what I have in my
>> /etc/postfix/virtual-regex
>>
>> /somename+.*@somedomain.com/   some...@gmail.com
>> /.*@.*/                        somelocaluser
>>
>> Line one is being ignored
>
> Line 1 is not ignored, the problem is that wildcards are evil and
> should be avoided.
>
> Virtual alias lookups are recursive, so you'll need a 1-1 mapping to
> stop the recursion. Also be careful with your expressions so you don't
> get unintended matches.
>
> Something like:
>
> /somename+.*@example\.com$/   some...@gmail.com
> /^some...@gmail\.com$/        some...@gmail.com
> IF /@example\.com$/
> /./   somelocaluser@localhost.localdomain
> ENDIF
>
> If you really intend your wildcard to capture the whole internet
> address space and redirect it to somelocaluser, you can remove the IF
> and ENDIF statements. Such a setup is common in a testing lab, but
> never in the real world.
>
> -- Noel Jones
Re: virtual-regex problem
> On Thu, Feb 14, 2013 at 10:26 AM, Noel Jones njo...@megan.vbhcs.org wrote:
>> Virtual alias lookups are recursive, so you'll need a 1-1 mapping to
>> stop the recursion. Also be careful with your expressions so you don't
>> get unintended matches.
>>
>> Something like:
>>
>> /somename+.*@example\.com$/   some...@gmail.com
>> /^some...@gmail\.com$/        some...@gmail.com
>> IF /@example\.com$/
>> /./   somelocaluser@localhost.localdomain
>> ENDIF
>>
>> If you really intend your wildcard to capture the whole internet
>> address space and redirect it to somelocaluser, you can remove the IF
>> and ENDIF statements. Such a setup is common in a testing lab, but
>> never in the real world.
>>
>> -- Noel Jones

On 2/14/2013 1:01 PM, Alex wrote:
> Thank you for your help. This setup is for lab/qa indeed. What I intend
> to do is have only certain email from a test account forward to outside
> and everything else to a single local user.

OK.

> Am I correct to assume that there is no way to accomplish this with
> regex?

As I said above, remove the IF and ENDIF statements from the example I
supplied to capture all addresses.

-- Noel Jones
Relaying email to exchange
I'm using postfix to relay email to our exchange server. The problem I'm
running into is the spam filtering on the exchange filter is being
bypassed because the relayed email shows a from address of the email
relay server and not the originating ip address.

Is there a way to configure postfix to relay mail but retain the
received-from IP address when it was received by postfix?

-- 
Kevin Blackwell
Re: Relaying email to exchange
Am 14.02.2013 20:31, schrieb Kevin Blackwell:
> I'm using postfix to relay email to our exchange server. The problem I'm
> running into is the spam filtering on the exchange filter is being
> bypassed because the relayed email shows a from address of the email
> relay server and not the originating ip address.
>
> Is there a way to configure postfix to relay mail but retain the
> received-from IP address when it was received by postfix?

wrong setup

the spamfilter has to be on the MX directly in front of both machines
and especially in front of exchange

what do you imagine happens if spam would be caught on the exchange?
well, it rejects while postfix in front of it has received it

now you have two choices and both are completely wrong:

* get a backscatter
* drop messages which you accepted with 250 silently which is not
  permitted per law
Re: virtual-regex problem
I apologize, as I am being confused.

Contents of my virtual-regex now are:

/somename+.*@mydomain\.com$/     somen...@yahoo.com
/^somename...@mydomain\.com$/    somen...@yahoo.com
/@mydomain\.com$/                somen...@gmail.com
/./                              localuser

When I ran postmap -q somen...@somedomain.com regexp:virtual.regex I
actually get correct results.

When I ran mailx somen...@somedoman.com and vary name and domain, all
mails go to localuser. Nothing is being forwarded out to
somename@yahoo.com even though the regex pattern should match.

What do I need to change?

Thank you for your help.

On Thu, Feb 14, 2013 at 10:26 AM, Noel Jones njo...@megan.vbhcs.org wrote:
> On 2/14/2013 11:16 AM, Alex wrote:
>> Hello,
>>
>> I am having an issue with setting up virtual-regex email redirection.
>> It appears that my wild card redirection is overriding an entry with
>> less specific criteria. Here is what I have in my
>> /etc/postfix/virtual-regex
>>
>> /somename+.*@somedomain.com/   some...@gmail.com
>> /.*@.*/                        somelocaluser
>>
>> Line one is being ignored
>
> Line 1 is not ignored, the problem is that wildcards are evil and
> should be avoided.
>
> Virtual alias lookups are recursive, so you'll need a 1-1 mapping to
> stop the recursion. Also be careful with your expressions so you don't
> get unintended matches.
>
> Something like:
>
> /somename+.*@example\.com$/   some...@gmail.com
> /^some...@gmail\.com$/        some...@gmail.com
> IF /@example\.com$/
> /./   somelocaluser@localhost.localdomain
> ENDIF
>
> If you really intend your wildcard to capture the whole internet
> address space and redirect it to somelocaluser, you can remove the IF
> and ENDIF statements. Such a setup is common in a testing lab, but
> never in the real world.
>
> -- Noel Jones
Re: virtual-regex problem
Alex:
> When I ran postmap -q somen...@somedomain.com regexp:virtual.regex I
> actually get correct results.

That's not what you should query. What virtual alias expansion does is
equivalent to this:

postmap -q somen...@somedomain.com regexp:virtual.regex
postmap -q RESULT-FROM-PREVIOUS-QUESTION regexp:virtual.regex
postmap -q RESULT-FROM-PREVIOUS-QUESTION regexp:virtual.regex

until there is no result, or until the question appears in the result.

	Wietse
Re: virtual-regex problem
On 2/14/2013 1:40 PM, Alex wrote:
> I apologize, as I am being confused.

Don't use HTML; use the gmail plain text button.
Don't top-post. Put responses at the bottom or in-line.

> Contents of my virtual-regex now are:
>
> /somename+.*@mydomain\.com$/     somen...@yahoo.com

Bad expression. "username containing somenam followed by a series of e
followed by anything" is probably not what you intend.

better:
/^somename\+.*@example\.com$/   somen...@yahoo.com

> /^somename...@mydomain\.com$/    somen...@yahoo.com

Where's the 1-1 mapping to stop recursion? That's why it still doesn't
work for you.

/^somename@yahoo\.com$/   somen...@yahoo.com

> /@mydomain\.com$/                somen...@gmail.com

Don't know where you came up with that. Remove it.

> /./                              localuser
>
> When I ran postmap -q somen...@somedomain.com regexp:virtual.regex I
> actually get correct results.

because postmap doesn't do recursion.

-- Noel Jones
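Wietse's description of recursive virtual alias expansion and Noel's 1-1 mapping fix, as an added Python simulation that is not part of the thread and not Postfix code: it parses a small regexp: table (IF/ENDIF included), answers one query the way postmap -q does, then re-queries with each result until there is no result or the result equals the question. The two tables and every address in them are constructed placeholders, not the poster's; max_hops stands in for Postfix's virtual_alias_recursion_limit.

```python
import re

# Constructed tables for this demo; the addresses are placeholders, not
# the ones from the thread. BROKEN_TABLE has the catch-all without a
# 1-1 mapping; FIXED_TABLE adds the 1-1 entry and the IF/ENDIF guard.
BROKEN_TABLE = r"""
/^tester\+.*@example\.com$/   tester@example.net
/@example\.com$/              other@example.org
/./                           localuser
"""

FIXED_TABLE = r"""
/^tester\+.*@example\.com$/   tester@example.net
/^tester@example\.net$/       tester@example.net
IF /@example\.com$/
/./                           localuser
ENDIF
"""

# '/pattern/flags result' -- the pattern may contain escaped slashes.
_LINE = re.compile(r"^/((?:\\.|[^/])*)/([imx]*)\s*(.*)$")


def parse_regexp_table(text):
    """Parse a regexp: table into (kind, compiled_regex, result) entries.

    Supports '/pattern/flags result', 'IF /pattern/' and 'ENDIF'. Matching
    is case-insensitive by default; the 'i' flag toggles that, as in
    regexp_table(5). Other flags are accepted and ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "ENDIF":
            rules.append(("endif", None, None))
            continue
        kind = "rule"
        if line.startswith("IF "):
            kind, line = "if", line[3:].strip()
        m = _LINE.match(line)
        if not m or (kind == "rule" and not m.group(3)):
            raise ValueError("bad table line: %r" % raw)
        pattern, flags, result = m.groups()
        reflags = 0 if "i" in flags else re.IGNORECASE
        rules.append((kind, re.compile(pattern, reflags), result or None))
    return rules


def lookup(rules, key):
    """One table query, like 'postmap -q key regexp:table' (no recursion).

    First matching rule wins. Rules inside an IF block whose condition did
    not match are skipped up to the matching ENDIF.
    """
    skip = 0  # nesting depth of IF blocks currently being skipped
    for kind, rx, result in rules:
        if kind == "endif":
            if skip:
                skip -= 1
            continue
        if skip:
            if kind == "if":
                skip += 1
            continue
        matched = rx.search(key) is not None
        if kind == "if":
            if not matched:
                skip = 1
            continue
        if matched:
            return result
    return None


def expand(rules, address, max_hops=1000):
    """Follow virtual alias expansion as Wietse describes it: re-query with
    each result until there is no result or the result equals the query.
    Returns the list of hops, starting with the original address.
    """
    trail = [address]
    for _ in range(max_hops):
        result = lookup(rules, trail[-1])
        if result is None or result == trail[-1]:
            return trail
        trail.append(result)
    raise RuntimeError("recursion limit reached: %s" % " -> ".join(trail))


def final_destination(table_text, address):
    """Where a recipient ends up after full expansion against table_text."""
    return expand(parse_regexp_table(table_text), address)[-1]


if __name__ == "__main__":
    for table, label in ((BROKEN_TABLE, "broken"), (FIXED_TABLE, "fixed")):
        rules = parse_regexp_table(table)
        for addr in ("tester+qa@example.com", "anyone@example.com"):
            print(label, " -> ".join(expand(rules, addr)))
```

With the broken table the forwarded address itself matches the catch-all on the second pass and the mail ends at localuser, which is exactly the behaviour Alex reported; the 1-1 entry makes the second query return its own question, so expansion stops there.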
Re: virtual-regex problem
Apparently I do not understand what you mean by 1-1 mapping.

My intention is to have any email going to:

somename(any character)@somedomain.com

to be forwarded to somen...@yahoo.com, and all other email to be sent to
a local user.

Again thank you for your help.
Re: Relaying email to exchange
I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary is a postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should be behind the Exchange edge server?

Kevin

On Thu, Feb 14, 2013 at 1:36 PM, Reindl Harald h.rei...@thelounge.net wrote:
> On 14.02.2013 20:31, Kevin Blackwell wrote:
>> I'm using postfix to relay email to our exchange server. The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed email shows a from address of the email relay server and not the originating ip address. Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by postfix?
>
> wrong setup
>
> the spamfilter has to be on the MX directly in front of both machines and especially in front of exchange
>
> what do you imagine happens if spam would be caught on the exchange? well, it rejects while postfix in front of it has received it
>
> now you have two choices and both are completely wrong:
> * get a backscatter
> * drop messages which you accepted with 250 silently which is not permitted per law

-- Kevin Blackwell
Re: Relaying email to exchange
DO NOT TOP POST IF YOU GOT A REPLY BELOW YOUR MESSAGE ON MAILING-LISTS, SEE MY REPLY AT BOTTOM WHILE I REFUSE TO REPAIR THE THREAD BECAUSE NOBODY WOULD PAY THE WORK

On 14.02.2013 21:41, Kevin Blackwell wrote:
> I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary is a postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should be behind the Exchange edge server?
>
> On Thu, Feb 14, 2013 at 1:36 PM, Reindl Harald h.rei...@thelounge.net wrote:
>> On 14.02.2013 20:31, Kevin Blackwell wrote:
>>> I'm using postfix to relay email to our exchange server. The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed email shows a from address of the email relay server and not the originating ip address. Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by postfix?
>>
>> wrong setup
>>
>> the spamfilter has to be on the MX directly in front of both machines and especially in front of exchange
>>
>> what do you imagine happens if spam would be caught on the exchange? well, it rejects while postfix in front of it has received it
>>
>> now you have two choices and both are completely wrong:
>> * get a backscatter
>> * drop messages which you accepted with 250 silently which is not permitted per law

i say simply the spam-filter has to be on the MX and not on a relay server after, how you design your infrastructure is yours

> Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by postfix?

is simply impossible

your postfix connects to the exchange, the connection happens per TCP/IP, how do you imagine that postfix retains anything in this case? postfix is the client, the client is not in the position to decide what IP the server sees for a connection, otherwise any netfilter would be impossible, and no, throw away the idea to rely on whatever headers for such decisions

i would never setup a mail system at all where the final destination does spam-filtering, there are solutions dedicated for spam-filtering and the already filtered mails are delivered to the final destination

no need for two MX records at all, one is enough - if it is down, well that is the reason why mail queues were invented, if the MX is down for maintenance - so what, try later again to deliver the message, that is how SMTP was designed to work
Re: virtual-regex problem
On Thu, Feb 14, 2013 at 12:26:34PM -0600, Noel Jones wrote:
> On 2/14/2013 11:16 AM, Alex wrote:
>> I am having an issue with setting up virtual-regex email redirection. It appears that my wild card redirection is overriding an entry with less specific criteria. Here is what I have in my /etc/postfix/virtual-regex
>>
>> /somename+.*@somedomain.com/ some...@gmail.com
>> /.*@.*/ somelocaluser
>>
>> Line one is being ignored
>
> Line 1 is not ignored, the problem is that wildcards are evil and should be avoided. Virtual alias lookups are recursive, so you'll need a 1-1 mapping to stop the recursion. Also be careful with your expressions so you don't get unintended matches. Something like:
>
> /somename+.*@example\.com$/ some...@gmail.com

All hail JWZ! [1]

I'd anchor this expression on the beginning, and escape the +:

/^somename\+.*@example\.com$/ some...@gmail.com

> /^some...@gmail\.com$/ some...@gmail.com
> IF /@example\.com$/
> /./ somelocaluser@localhost.localdomain
> ENDIF

I'll toss out another idea, of which JWZ would approve: a hash: map followed by a static: map:

main.cf:
mydestination = localhost.localdomain[, ...]
# unset virtual_alias_domains to avoid all domains being included
# therein by the default setting $virtual_alias_maps
virtual_alias_domains =
virtual_alias_maps = hash:/path/to/virtual_alias_maps,
    static:somelocaluser@localhost.localdomain

/path/to/virtual_alias_maps:
somelocaluser@localhost.localdomain somelocaluser@localhost.localdomain
some...@gmail.com some...@gmail.com

[1] http://en.wikiquote.org/wiki/Jamie_Zawinski#Attributed

-- http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: virtual-regex problem
On 2/14/2013 2:23 PM, Alex wrote:
> Apparently I do not understand what you mean by 1-1 mapping. My intention is to have any email going to:
>
> somename(any character)@somedomain.com
>
> to be forwarded to somen...@yahoo.com, and all other email to be sent to a local user.
>
> Again thank you for your help.

1 /^somename.*@example\.com$/ somen...@yahoo.com
2 /^somename@yahoo\.com$/ somen...@yahoo.com
3 /./ somelocaluser@localhost.localdomain

Line 1 - redirect secret name to yahoo account
Line 2 - 1-1 mapping to stop recursion, input equals output
Line 3 - wildcard catchall

Good luck.

-- Noel Jones
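To make the recursion Wietse describes concrete, here is an added example (not Postfix code and not from anyone in this thread) that models a regexp: virtual alias table in Python and runs three tables through it: a catchall-only table like Alex's, Noel's three-line table above, and the IF/ENDIF variant from Noel's first reply. The tables, domains and target address are constructed stand-ins; only the features those tables use (/pattern/ result lines, IF/ENDIF, comments, case-insensitive matching) are modelled, not $N substitution or pattern flags.

```python
"""Model of Postfix regexp: virtual alias lookup and recursive expansion (added
example, not Postfix code). Tables below are constructed; example domains only."""
import re

BROKEN_TABLE = r"""
/^somename.*@example\.com$/   somename@example.net
/./                           localuser@localhost.localdomain
"""
FIXED_TABLE = r"""
/^somename.*@example\.com$/   somename@example.net
/^somename@example\.net$/     somename@example.net
/./                           localuser@localhost.localdomain
"""
IF_TABLE = r"""
/^somename\+.*@example\.com$/ somename@example.net
/^somename@example\.net$/     somename@example.net
IF /@example\.com$/
/./                           localuser@localhost.localdomain
ENDIF
"""
LINE = re.compile(r'/((?:\\.|[^/])*)/\s*(.*)$')   # /pattern/ [result]

def parse_regexp_table(text):
    """Return (kind, regex, result) tuples; kind is 'match', 'if' or 'endif'."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        if line == 'ENDIF':
            entries.append(('endif', None, None))
            continue
        kind, body = ('if', line[3:]) if line.startswith('IF ') else ('match', line)
        m = LINE.match(body.strip())
        if not m:
            raise ValueError('bad regexp table line: %r' % line)
        entries.append((kind, re.compile(m.group(1), re.I), m.group(2).strip()))
    return entries

def lookup(entries, query):
    """One lookup, like 'postmap -q query regexp:table': first matching line wins."""
    skipping = 0  # nesting depth inside IF blocks whose pattern did not match
    for kind, rx, result in entries:
        if skipping:
            skipping += (kind == 'if') - (kind == 'endif')
        elif kind == 'if':
            skipping = 0 if rx.search(query) else 1
        elif kind == 'match' and rx.search(query):
            return result

def expand(entries, address, limit=1000):
    """Re-query each result until there is none or it contains the query itself."""
    final, todo = set(), [(address, 0)]
    while todo:
        query, depth = todo.pop()
        if depth > limit:   # Postfix defers the mail at virtual_alias_recursion_limit
            raise RuntimeError('recursion limit hit at ' + query)
        result = lookup(entries, query)
        for addr in (a.strip() for a in (result or query).split(',')):
            if addr.lower() == query.lower():   # no result, or 1-1 mapping: stop
                final.add(addr)
            else:
                todo.append((addr, depth + 1))
    return sorted(final)
```

With BROKEN_TABLE a single lookup returns the forward target (what postmap -q shows), but expand() re-queries that target, the catchall matches it, and everything lands at localuser; FIXED_TABLE stops at the 1-1 line, and IF_TABLE leaves addresses outside example.com untouched.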
Re: Unable to set postfix as smarthost with plain authentication on port 25 (no tls/ssl): error 550 5.1.0 xxxxx authentication failed
On 14 Feb 2013, at 8:48, Luca Arzeni wrote:
> Is there anyone that can help me?

Maybe, maybe not. It is made less likely that anyone will be able to help by the fact that you ignored the advice sent to all subscribers to this list about how best to ask for help and get it. That advice is here:

http://www.postfix.com/DEBUG_README.html#mail

Specific to your request:

1. You should be expansive rather than selective when posting logs. In this case you seem to have logged the whole SMTP chat, yet you only posted 2 lines. Earlier lines in this case would be critical to any analysis.

2. Do not make any changes to log lines except to obscure truly security-sensitive information like authentication tokens or private email addresses. Hostnames and IP addresses are almost never worth obscuring and can be critical to figuring out a problem. In this case, you even asked about host identity and naming issues that we could help you with if you had not falsified what little evidence you provided.

3. Including 'postconf -n' output is important because it shows all of the non-default configuration that Postfix actually uses. Citing a few settings without stating whether they came from main.cf or postconf output leaves open a broad range for conjecture, and if you don't know how to correct your config, then your determination of what configuration is relevant is likely to be wrong.

Some wild guesses on your difficulty:

A. Your provider isn't offering an AUTH mechanism that your SASL config will use, so there was no AUTH attempted, yet your provider requires it.

B. Some idiot between your server and your provider has put a Cisco PIX or ASA in your path and turned on its 'smtp fixup' misfeature.

C. There are errant/mismatched quotes and/or whitespace in your main.cf that results in a formally valid format that is not being parsed as you intend it to be.

D. The main.cf file that you *think* Postfix is using is not the one it *is* using, due to a misconfigured chroot.

My hunch is that there is about a 90% chance that your problem is caused by something else, but all of those unlikely possibilities could be eliminated (or confirmed) if you were to simply follow the instructions for seeking help here.
Re: virtual-regex problem
On 2/14/2013 4:15 PM, Alex wrote:
> Hi Noel,
>
> After implementing changes below:
>
> 1 /^somename.*@example\.com$/ somen...@yahoo.com
> 2 /^somename@yahoo\.com$/ somen...@yahoo.com
> 3 /./ somelocaluser@localhost.localdomain
>
> Wildcard line still catching all emails. Any other information I can provide?
>
> Thanks

The above example works for me. Did you issue postfix reload after editing the regexp file?

-- Noel Jones
Re: virtual-regex problem
> The above example works for me. Did you issue postfix reload after editing the regexp file?

Yes, I am doing postfix reload. I have verified that adding and removing the wildcard has an effect. Could the aliases file have an adverse effect?
Re: Null sender address in NDR's
On 14/02/2013 16:03, James Day wrote:
> Hello List,
>
> I'll have to start by breaking the golden rule of this list and not posting postconf -n output as my question relates to a server over which I have no control.
>
> A customer of mine is using a smart host provided by their ISP through which all outbound mail is delivered, smtp.enta.net (which is running postfix). This server holds a list of valid domains from which this customer is allowed to send. A sensible precaution to prevent a compromised machine from sending spam using spoofed sender addresses on other domains.
>
> The problem is that when the client's mail server sends a NDR the sender address is <> (i.e. NULL). The null sender address causes the message to be rejected with:
>
> 554 5.7.1 <>: Sender address rejected: Access denied
>
> Is there a sensible way to configure postfix to allow these messages with null sender addresses to be relayed without opening the smart host up to exploitation?

null sender should be accepted. as of today, null sender is not (yet?) abused by spammers. and even if someday spammers decide to abuse it, we will setup simple content filtering rules (NDR is not supposed to use a normal From: address, etc etc). so I'd say: just allow the null sender for now.

> Or alternatively - and this is off topic for this list - is there a way to configure Microsoft exchange 2003 to send NDR's with a different sender address.

dunno. but if you can put a postfix in front of exchange, you could replace the null sender with a specific address (of course, if you do so, make sure to discard mail to this address to avoid loops). of course, you should try to only do that for that specific ISP.

> And before anyone comments, yes I know this isn't best practice as NDR's should have null sender addresses to stop loops (bouncing bounce-backs!).

yeah. but as long as you take care of auto-replies, you can replace the null sender with any specific address of yours (such as n...@example.com) for which you never send bounces.

not trivial, but you can do that.
Re: virtual-regex problem
On 2/14/2013 5:11 PM, Alex wrote:
>> The above example works for me. Did you issue postfix reload after editing the regexp file?
>
> Yes, I am doing postfix reload. I have verified that adding and removing the wildcard has an effect. Could the aliases file have an adverse effect?

Lots of things could have an adverse effect, but no one knows what you've done. The sample regexp file provided works for me.

-- Noel Jones
Re: Null sender address in NDR's
On Thu, 14 Feb 2013 15:58:34 +, Viktor Dukhovni wrote:
> This has nothing to do with spam. One can just as easily send spam as mal...@example.com as one can as <>. The ISP can equally easily track it down, since the Received: headers will contain the offending IP address.

I don't know if you are seeing the storm I'm seeing that works like this:

Spammer sends mail to my domain using a target like jixnzq...@witworx.com and of course that is not accepted at entry. However there are masses of idiots who accept and bounce and so I see:

uhpuagek...@witworx.com proto=ESMTP helo=mail-pa0-f68.google.com

in bounce messages that did not originate in my domain.

The spammer is hoping for his message to be bounced so that it looks like the spam came from an innocent domain. I assume that the content is spam. I don't have time to probe messages that may even have malware involved.

I wonder how many bounced messages are read at the falsely accused domain.

R/

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: Relaying email to exchange
On 02/15/2013 06:10 AM, Reindl Harald wrote:
> no need for two MX records at all

I think perhaps that is a bit of hasty advice. I'm quite sure given a large enough infrastructure and traffic load that you'd want two or more MX records with a different SMTP server sitting behind each IP address. I could be (and have been) wrong though.

-- htholidays.com
Re: Relaying email to exchange
Kevin Blackwell said the following on 14/02/2013 20:31:
> I'm using postfix to relay email to our exchange server. The problem I'm running into is the spam filtering on the exchange filter is being bypassed because the relayed email shows a from address of the email relay server and not the originating ip address. Is there a way to configure postfix to relay mail but retain the received from IP address when it was received by postfix?

As Reindl Harald pointed out, the spam filter should be in only one place: the border server.

If you add something like (check the documentation before adding these parameters)

reject_invalid_hostname
reject_non_fqdn_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_rbl_client cbl.abuseat.org
reject_rbl_client sbl.spamhaus.org
reject_rbl_client pbl.spamhaus.org

to smtpd_recipient_restrictions you block nearly 90% of spam.

My advice is to disable antispam on Exchange _and_ Outlook (if you have any) and filter in just one point. This is useful also if you want to debug the filter, i.e. if a user asks why a mail has been rejected.

Of course smtpd_recipient_restrictions alone is not an antispam filter, you should also add at least an antivirus scanner.

Ciao,
luigi

--
/ +--[Luigi Rosa]--
\ Talk is cheap because supply exceeds demand.
Re: Relaying email to exchange
* Kevin Blackwell akblack...@gmail.com:
> I have 2 mx records. The primary is Exchange's edge server that has its own internal spam filtering. The secondary is a postfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should be behind the Exchange edge server?

Wrong setup. If you have more than one MX, each of them should apply the exact same content filter policies. Either buy a second Exchange edge server or get rid of Exchange and buy a second MX running Postfix.

Stefan
Re: Null sender address in NDR's
On 15.02.2013 00:29, Rod Whitworth wrote:
> On Thu, 14 Feb 2013 15:58:34 +, Viktor Dukhovni wrote:
>> This has nothing to do with spam. One can just as easily send spam as mal...@example.com as one can as <>. The ISP can equally easily track it down, since the Received: headers will contain the offending IP address.
>
> I don't know if you are seeing the storm I'm seeing that works like this:
>
> Spammer sends mail to my domain using a target like jixnzq...@witworx.com and of course that is not accepted at entry. However there are masses of idiots who accept and bounce and so I see:
>
> uhpuagek...@witworx.com proto=ESMTP helo=mail-pa0-f68.google.com
>
> in bounce messages that did not originate in my domain.

as in real world, there is less you can do against idiots

> The spammer is hoping for his message to be bounced so that it looks like the spam came from an innocent domain. I assume that the content is spam. I don't have time to probe messages that may even have malware involved.
>
> I wonder how many bounced messages are read at the falsely accused domain.

you may use dmarc, helps a little bit

however in my most spammed domain, i use an adaptive firewall for blocking servers/bot ips ( beyond postscreen etc ), this keeps the log clean, and frees up cpu power for legal mail, but that isn't a concept for everywhere, it's more like last defense

> R/
>
> *** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.
>
> Rod/
> ---
> This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.

Best Regards
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich