Re: Upgraded to 3.4 today. All logging has Stopped?
On 11 Jan 2019, at 4:08 am, Wietse Venema wrote: > > Larry Stone: >>> # Log file to use for error messages. "syslog" logs to syslog, >>> # /dev/stderr logs to stderr. >>> #log_path = syslog >>> log_path = /var/log/mail.log >>> >>> So I?ve had to change this so that it writes directly to the file, and not >>> to syslog. >> >> Ah. So Dovecot has the ability to write logs directly. I believe >> Wietse has stated in the past that no such capability exists in >> Postfix and it only logs to the syslog daemon. And it?s the changes >> Apple has made to syslog that are the issue. > > Is that better than Bill Cole's solution to run a log exporter at > system startup? > > If both Dovecot and Postfix write to the same logfile, that would > be a disaster. > > - The only way to make multiple logfile writers safe is that each > logfile writer flushes its own buffers after every log call, and > that would be disastrous for performance. See the Postfix > LINUX_README for a discussion. It may be OK for MacOS but it is > not good for real servers. > > - If individual programs write directly to the logfile, flushing > after every log call is also required to avoid losing logs when > a program crashes, and that is when logs are needed most. > > - The only way to make logging performant is to have a single writer > that has a limited-size write buffer (like syslogd and rsyslogd). > > Therefore, > > - Postfix and Dovecot cannot share logfiles. But there is nothing > to enforce that, because there are no mandatory locks. > > - Postfix needs its own logger daemon, which brings major challenges > when Postfix is not (yet) running. > > - What happens with logging during Postfix startup? >Hack the log client code to directly write to the logfile? Will >it even be allowed to write outside the Postfix queue? If every >program opens the logfile as root, it has to make sure that the >file is not a symlink, has no multiple hard links, etc. > > - What happens with logging from non-daemon programs when Postix >is down? Unless the logfile is world-writable, those prograns >will have nowhere to log. This affects programs that invoke >/bin/mail before Postfix is up; we should not assume that such >programs will always run as root. > > - Log rotation support. Postfix cannot keep appending to the >same file forever. It may be OK for MacOS but it is not good >for real servers. Basically re-invent the log rotation wheel. > > Wietse Thanks Wietse, Larry, Robert and Bill. I really appreciate your help. Wietse, thanks for pointing out all the problems of Postfix logging without syslog. I have created a script that runs Bill’s log command to send it to a file. Not the same log file that Dovecot is using. Created a LaunchDaemon to open the script at startup. Seems to work perfectly, so thanks again everyone. James.
Re: concurrency rate limit
li...@lazygranch.com: > I'm wondering if I have my rate limiting set up correctly. Note I have > that perl script that sniffs out dynamic IP addresses, so I am not sure > how this user is even getting concurrent connections. Postfix receives more than 4 concurrent connections at a rate of more than 10 connections over some time interval, and closes excess connections. If you want to prevent that such connections reach Postfix, then you need to do that *outside* Postfix, during the TCP handshake. Postfix does not implement TCP. That happens in the kernel. Wietse
Re: The AUTH parameter on MAIL commands
Jacky: > Hi Wietse, > > Thank you for the information. > > Just wonder that will Postfix support the Message Submission BURL Extension? Possibly. See my other post on that subject. BURL does not require changes to Postfix's AUTH= support. Wietse
pflogsumm milter patch
Hello, I have made a small patch for counting milter rejections in pflogsumm. I put it on http://test.fantomas.sk/pflogsumm-milter-test.patch pflogsumm now displays erors below when using amavisd-milter refusals. I would strip the "from ", but first I would like to ask people who use header and body checks to reject messages, and use pflogsumm, to confirm whether they need the "from ", and possibly send me (personally, please) the part output where "cleanup" rejections are shown. without --verbose-msg-detail cleanup END-OF-MESSAGE (top 10) (total: 485) 17 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=11636... 16 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=11643... 15 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=11307... 15 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=11746... 15 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=12094... 14 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=11610... 13 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=12057... 13 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=10533... 13 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=11005... 12 from mail.simenge.art[213.202.252.21]: 5.7.0 Reject, id=11070... with --verbose-msg-detail END-OF-MESSAGE (top 10) (total: 485) 1 prose.cdeloitte.com[212.162.150.104]: 5.7.0 Reject, id=21479-06 - spam; from= to= proto=ESMTP helo= 1 prose.cdeloitte.com[212.162.150.104]: 5.7.0 Reject, id=21212-12 - spam; from= to= proto=ESMTP helo= 1 prose.cdeloitte.com[212.162.150.104]: 5.7.0 Reject, id=21620-04 - spam; from= to= proto=ESMTP helo= 1 prose.cdeloitte.com[212.162.150.104]: 5.7.0 Reject, id=21512-05 - spam; from= to= proto=ESMTP helo= 1 daily.makemoneyglobal.com[212.162.151.104]: 5.7.0 Reject, id=21479-16 - spam; from= to= proto=ESMTP helo= 1 daily.makemoneyglobal.com[212.162.151.104]: 5.7.0 Reject, id=22326-03 - spam; from= to= proto=ESMTP helo= 1 sedge.myabtb.com[185.234.183.110]: 5.7.0 Reject, id=12801-02 - spam; from= to= proto=ESMTP helo= 1 sedge.myabtb.com[185.234.183.110]: 5.7.0 Reject, id=12425-14 - spam; from= to= proto=ESMTP helo= 1 terrible.cdeloitte.com[212.162.150.117]: 5.7.0 Reject, id=25380-08 - spam; from= to= proto=ESMTP helo= 1 terrible.cdeloitte.com[212.162.150.117]: 5.7.0 Reject, id=24561-19 - spam; from= to= proto=ESMTP helo= Just FYI, I have already made patch for postscreen rejections, that made it into debian package, available here: http://test.fantomas.sk/pflogsumm-postscreen.patch seems that original author doesn't care (have tried to contact him at least 3 times). I will try with people having repositories on github (where the original author doesn't maintain it anymore). -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux IS user friendly, it's just selective who its friends are...
Re: concurrency rate limit
> On Jan 11, 2019, at 9:02 AM, Gary wrote: > > Now with that interpretation of the log, this makes sense. I was thinking > rate and concurrency were different things. They are different things. Both the rate and the concurrency were exceeded in the logs you posted. * Concurrency = Number of simultaneous connections. (With slight "fuzz" as a result of message latency between smtpd(8) and anvil(8) if connections are sufficiently short-lived, lasting not much longer than the time it takes smtpd(8) to deliver a connection status update to anvil(8). Not a problem in practice.) * Rate = connections per time quantum (still subject to message latency, but much less important over the longer time scale). -- Viktor.
Re: concurrency rate limit
Now with that interpretation of the log, this makes sense. I was thinking rate and concurrency were different things. Original Message From: wie...@porcupine.org Sent: January 11, 2019 4:21 AM To: postfix-users@postfix.org Reply-to: postfix-users@postfix.org Subject: Re: concurrency rate limit li...@lazygranch.com: > I'm wondering if I have my rate limiting set up correctly. Note I have > that perl script that sniffs out dynamic IP addresses, so I am not sure > how this user is even getting concurrent connections. Postfix receives more than 4 concurrent connections at a rate of more than 10 connections over some time interval, and closes excess connections. If you want to prevent that such connections reach Postfix, then you need to do that *outside* Postfix, during the TCP handshake. Postfix does not implement TCP. That happens in the kernel. Wietse