Reject/Discard mails to a Recipient
Hello, I have clients sending mails to a non-existent email address/domain, emailerm...@exchange.example.net. I want to discard any mail sent to this address. I looked at smtpd_recipient_restrictions, but can't figure out how to get this done. Please help me!! ~LA
Re: Reject/Discard mails to a Recipient
Sahil Tandon wrote:
> Linux Addict wrote:
> > Hello, I have clients sending mails to a non-existent email address/domain, emailerm...@exchange.example.net. I want to discard any mail sent to this address. I looked at smtpd_recipient_restrictions, but can't figure out how to get this done. Please help me!!
>
> Why not simply reject such messages? What is the reason you want to accept but silently discard messages to that non-existent user? It is your choice to do so, but please offer some rationale for the archives.

Sorry.. I wasn't checking my mails for some time. I am open to rejecting those mails as well.. Well. The mails are sent by one of the legacy apps which has hard coded the email address. The email domain has been decommed recently. The engineering will update this email address in their next release. But till that time, I don't want postfix to spend energy on these mails. So how will I reject mails to the email in question? Transport will do?

Cheers
LA
Re: Reject/Discard mails to a Recipient
Wietse Venema wrote:
> Linux Addict:
> > Sahil Tandon wrote:
> > > Linux Addict wrote:
> > > > Hello, I have clients sending mails to a non-existent email address/domain, emailerm...@exchange.example.net. I want to discard any mail sent to this address. I looked at smtpd_recipient_restrictions, but can't figure out how to get this done. Please help me!!
> > >
> > > Why not simply reject such messages? What is the reason you want to accept but silently discard messages to that non-existent user? It is your choice to do so, but please offer some rationale for the archives.
> >
> > Sorry.. I wasn't checking my mails for some time. I am open to rejecting those mails as well.. Well. The mails are sent by one of the legacy apps which has hard coded the email address. The email domain has been decommed recently. The engineering will update this email address in their next release. But till that time, I don't want postfix to spend energy on these mails. So how will I reject mails to the email in question? Transport will do?
>
> Transport rules such as:
>
>     u...@example.com    error:5.1.1 user unknown
>     example.com         error:5.1.2 domain unknown
>
> will do the job.
>
> Wietse

thank you!
Zenoss Monitoring.
Apologies if it's offlist. If anyone is using zenoss to monitor postfix, please reply only to me with whatever details you may have. Thank you very much in advance. ~LA
Bounces.
I am seeing multiple messages on Postfix Maillog. The mx server can't reach the host in question and it's timing out. We monitor the mailq size and because of 100 of messages like this, we are bombarded with pages. What is the best practice to handle these messages? Any help or link to documentation is greatly appreciated.

    A414CD52788     3706 Fri Jan 23 02:36:41  bounce.7d54cafd@example.net
    (connect to a34-mta03.direcpc.com[66.82.4.104]:25: Connection timed out)
                                              movieaho...@direcway.com

~LA
Re: Bounces.
Magnus Bäck wrote:
> On Monday, January 26, 2009 at 23:39 CET, Linux Addict wrote:
> > I am seeing multiple messages on Postfix Maillog. The mx server can't reach the host in question and it's timing out. We monitor the mailq size and because of 100 of messages like this, we are bombarded with pages. What is the best practice to handle these messages? Any help or link to documentation is greatly appreciated.
> >
> >     A414CD52788     3706 Fri Jan 23 02:36:41  bounce.7d54cafd@example.net
> >     (connect to a34-mta03.direcpc.com[66.82.4.104]:25: Connection timed out)
> >                                               movieaho...@direcway.com
>
> Where do these messages come from? Check the logs and inspect the messages with postcat(1). Are any of these domains hosted by you? If not, why are they being relayed in the first place?
>
> 100 deferred messages in the queue is nothing.

Typo. It's 100s of messages, currently it's more than 1600. We are sending this from one of our internal applications. What I would like to do is, if a destination host does not have an MX record, then I would like to drop the message, don't want to bounce it.
Re: Bounces.
Wietse Venema wrote:
> Linux Addict:
> > What I would like to do is, if a destination host does not have an MX record, then I would like to drop the message, don't want to bounce it.
>
> The Internet email RFCs do not require MX records. They specify that the MTA must deliver by A records when MX records don't exist.
>
> Wietse

I don't know if it's convincing to send mails to a host where no smtp is running (hence no MX record), but is there any way at all in Postfix to check for an MX record before the qmgr accepts the mail? I know Postfix is compliant to all RFCs, but just wondering if anything customizable exists.

~LA
rbl clients.
Please see below my smtpd_recipient_restrictions. On my rbl client list I have multiple entries, but not sure how many of them are actually maintained. Is there one single place where I can find such a list? Any help is greatly appreciated.

    smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
    smtpd_recipient_limit = 300
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client proxies.blackholes.wirehub.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,
        permit

~LA
Re: rbl clients.
Thank you everyone!! Lot of information.

On Fri, Feb 13, 2009 at 4:44 PM, Res wrote:
> On Thu, 12 Feb 2009, Linux Addict wrote:
> > reject_rbl_client blackholes.easynet.nl,reject_rbl_client cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
> > reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
> > reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
> > reject_rbl_client multihop.dsbl.org,permit
>
> As others have mentioned, some of these have been dead for a long time, and with others, you are doing twice the work, since some RBL's interact with each other.
>
> We find the following work great, some recommend using spamhaus first, on my private mail server I use it last, to keep under their 'hits per day', I don't use spamhaus on employers because of the 'hits per day', and I can't justify the rates they want, I find even at home I only get one or two hits in a blue moon from spamhaus because SORBS and spamcop end up stopping pretty much all of it.
>
> Privately I use:
>     reject_rbl_client dnsbl.njabl.org
>     reject_rbl_client dnsbl.sorbs.net
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client b.barracudacentral.org (you need to register, but it's free)
>     reject_rbl_client zen.spamhaus.org
>
> commercially we use:
>     reject_rbl_client dnsbl.sorbs.net
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client b.barracudacentral.org
>
> and along with things like
>
>     reject_unknown_client_hostname
>     reject_unknown_helo_hostname
>     reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>
> we also use sendmail's milter-regex with all these combined, it's rare spam gets through to MailScanner to deal with.
>
> (milter regex rules used: http://kb.ausics.net/sendmail/milter-regex.conf)
>
> --
> Res
>
> "All we need, is just a little patience" -- William Bruce (Axl) Rose
smtpd_recipient_restrictions Check
Dear Group, I am modifying my recipient restrictions as displayed below. I referred to many documents to compile the options. I want you experts to verify it once for me.

    smtpd_recipient_restrictions =
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient,
        reject_invalid_hostname,
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        reject_unauth_pipelining,
        reject_unknown_reverse_client_hostname
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        permit

Thank you
~LA
Re: smtpd_recipient_restrictions Check
On Tue, Mar 10, 2009 at 12:24 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Tue, Mar 10, 2009 at 12:17:29PM -0400, Matt Hayes wrote:
> > Linux Addict wrote:
> > > Dear Group, I am modifying my recipient restrictions as displayed below. I referred to many documents to compile the options. I want you experts to verify it once for me.
> > >
> > > smtpd_recipient_restrictions =
> > >     reject_non_fqdn_sender,
> > >     reject_non_fqdn_recipient,
> > >     reject_unknown_sender_domain,
> > >     reject_unknown_recipient_domain,
> > >     permit_mynetworks,
> > >     permit_sasl_authenticated,
> > >     reject_unauth_destination,
> > >     reject_unlisted_recipient,
> > >     reject_invalid_hostname,
> > >     reject_invalid_helo_hostname
> > >     reject_non_fqdn_helo_hostname
> > >     reject_unauth_pipelining,
> > >     reject_unknown_reverse_client_hostname
> > >     reject_rbl_client zen.spamhaus.org,
> > >     reject_rbl_client bl.spamcop.net,
> > >     permit
> > >
> > > Thank you
> > > ~LA
> >
> > I would suggest moving permit_sasl_authenticated to the top of that list. Either that or using the submission service for SASL authenticated users
>
> There is not much point in accepting invalid sender and recipient addresses from MUAs. The restriction is fine where it is.
>
> --
>     Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below:
> <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.

The reason I moved it below is there seem to be some rogue hosts/users (mostly things like "Refer a Link") misusing the priority and injecting spam.
Re: smtpd_recipient_restrictions Check
On Tue, Mar 10, 2009 at 12:22 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Tue, Mar 10, 2009 at 11:59:22AM -0400, Linux Addict wrote:
> > Dear Group, I am modifying my recipient restrictions as displayed below. I referred to many documents to compile the options. I want you experts to verify it once for me.
> >
> > smtpd_recipient_restrictions =
> >     reject_non_fqdn_sender,
> >     reject_non_fqdn_recipient,
> >     reject_unknown_sender_domain,
> >     reject_unknown_recipient_domain,
>
> This is mostly for hosts that handle "submission" from MUAs. Often best to move submission to port 587 and apply only there. You'll reject bogus domains from untrusted senders anyway.
>
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >     reject_unauth_destination,
> >     reject_unlisted_recipient,
> >     reject_invalid_hostname,
> >     reject_invalid_helo_hostname
>
> The two above are the same.
>
> >     reject_non_fqdn_helo_hostname
>
> Why so much emphasis on HELO names, they are not a very effective spam sign.
>
> >     reject_unauth_pipelining,
>
> Currently best in smtpd_data_restrictions, where it is effective after EHLO, as during RCPT TO, additional RCPT TO commands or the "DATA" command can be legitimately "PIPELINED" in the same packet.
>
> >     reject_unknown_reverse_client_hostname
> >     reject_rbl_client zen.spamhaus.org,
> >     reject_rbl_client bl.spamcop.net,
> >     permit
>
> Fairly sensible overall.

Is it better to place rbl rejections under smtpd_client_restrictions?

> --
>     Viktor.
Re: NMAP information about postfix
On Mon, Apr 19, 2010 at 11:37 AM, Wietse Venema wrote:
> Gaby L:
> > Hi
> > I scan with my postfix server with NMap from other location.
> > The NMAP creates report smtp port open (It is OK) but appear Postfix smtpd and other information about MTA program.
> > I don't want to appear any information about my MTA server.
>
> To disclose no information, close the SMTP port.
>
> Seriously.
>
> Even when you change the smtpd_banner value to say "$myhostname ESMTP Sendmail" (this text MUST start with the hostname), the server's replies (especially error messages) still reveal that it's really Postfix.
>
>     Wietse

Disclaimer :- It may violate some RFCs and possibly break the smtp system itself.

    [r...@stick ~]# grep ^smtpd_banner /etc/postfix/main.cf
    smtpd_banner = "unknown"

    [r...@stick ~]# telnet 0 25
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    220 "unknown"
Re: NMAP information about postfix
On Tue, Apr 20, 2010 at 1:33 PM, Brian Evans - Postfix List <grkni...@scent-team.com> wrote:
> On 4/20/2010 1:23 PM, Linux Addict wrote:
> > On Mon, Apr 19, 2010 at 11:37 AM, Wietse Venema <wie...@porcupine.org> wrote:
> > > Gaby L:
> > > > Hi
> > > > I scan with my postfix server with NMap from other location.
> > > > The NMAP creates report smtp port open (It is OK) but appear Postfix smtpd and other information about MTA program.
> > > > I don't want to appear any information about my MTA server.
> > >
> > > To disclose no information, close the SMTP port.
> > >
> > > Seriously.
> > >
> > > Even when you change the smtpd_banner value to say "$myhostname ESMTP Sendmail" (this text MUST start with the hostname), the server's replies (especially error messages) still reveal that it's really Postfix.
> > >
> > >     Wietse
> >
> > Disclaimer :- It may violate some RFCs and possibly break the smtp system itself.
> >
> >     [r...@stick ~]# grep ^smtpd_banner /etc/postfix/main.cf
> >     smtpd_banner = "unknown"
> >
> >     [r...@stick ~]# telnet 0 25
> >     Trying 0.0.0.0...
> >     Connected to 0.
> >     Escape character is '^]'.
> >     220 "unknown"
>
> As Wietse mentioned, the above has no effect on determining the server type.
>
> Just because the banner doesn't say Postfix, doesn't mean a script/person couldn't figure it out from the response/error messages.

True. Seems nmap doesn't even check the banner, it does an EHLO and picks the mta from response code.

    25/tcp open  smtp    Postfix smtpd

    postfix/smtpd[21190]: lost connection after EHLO from stick[127.0.0.1]
Disable NDR
Hello, One of my postfix servers is sending thousands of messages to a non-existent mailbox in another internal server. The internal application sends mail as mailb...@domain.net thru postfix. The TO addresses are invalid. I need to reject messages from those domains not resolved.

    to=, relay=none, delay=0.05, delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=dsaperftest.edu type=A: Host not found)

thank you
LA
Re: Disable NDR
On Mon, May 24, 2010 at 2:05 PM, Linux Addict wrote:
> Hello, One of my postfix servers is sending thousands of messages to a non-existent mailbox in another internal server. The internal application sends mail as mailb...@domain.net thru postfix. The TO addresses are invalid. I need to reject messages from those domains not resolved.
>
>     to=, relay=none, delay=0.05, delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=dsaperftest.edu type=A: Host not found)
>
> thank you
> LA

These are the restrictions. Surely the host which is sending spam is part of mynetworks.

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client proxies.blackholes.wirehub.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,
        permit
    disable_vrfy_command = yes
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
    transport_maps = hash:/etc/postfix/transport
    smtpd_recipient_limit = 300
    data_directory = /var/lib/postfix
    smtpd_tls_wrappermode = no
Re: Disable NDR
On Mon, May 24, 2010 at 2:25 PM, John Adams wrote:
> On 24.05.2010 20:05, Linux Addict wrote:
> > Hello, One of my postfix servers is sending thousands of messages to a non-existent mailbox in another internal server. The internal application sends mail as mailb...@domain.net thru postfix. The TO addresses are invalid.
> >
> > I need to reject messages from those domains not resolved.
> >
> >     to=<dmr0613420524125827...@dsaperftest.edu>, relay=none, delay=0.05, delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=dsaperftest.edu type=A: Host not found)
> >
> > thank you
> > LA
>
> Well, if it's one of your hosts doing the spamming turn off the application that is causing it. Or blacklist the sender host's IP address on the first receiving smtp server. Or do some sender address verification on your mail gateway (or however your email architecture looks like - I have no idea).

The postfix MXs are behind a load balancer so they don't show the actual IP. I stopped the postfix, then did postcat on one of the queued messages and found the spam host. Thanks for your help.
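The restriction list posted in this thread starts with permit_mynetworks, so a client inside mynetworks is accepted before reject_unknown_recipient_domain is consulted, and the unresolvable recipient only fails later as a bounce. The sketch below is an added example (not part of any post and not Postfix code) that models first-match evaluation for four restrictions; the client addresses, the mynetworks value, the recipient local parts and the set of resolvable domains are constructed, and the other restrictions in the posted list are left out.

```python
"""Toy model of first-match evaluation of smtpd_recipient_restrictions.

Added illustration, not Postfix code. DNS is replaced by a constructed set of
resolvable domains; only the restrictions named in CHECKS are modelled.
"""
import ipaddress

# Constructed environment (assumptions, not values from the thread).
MYNETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
RESOLVABLE_DOMAINS = {"domain.net", "gmail.com"}   # have MX or A records
RELAY_DOMAINS = {"domain.net"}                     # destinations we relay for

DUNNO, PERMIT, REJECT = "DUNNO", "PERMIT", "REJECT"


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def permit_mynetworks(client_ip, rcpt):
    ip = ipaddress.ip_address(client_ip)
    return PERMIT if any(ip in net for net in MYNETWORKS) else DUNNO


def reject_unauth_destination(client_ip, rcpt):
    return DUNNO if _domain(rcpt) in RELAY_DOMAINS else REJECT


def reject_unknown_recipient_domain(client_ip, rcpt):
    return DUNNO if _domain(rcpt) in RESOLVABLE_DOMAINS else REJECT


def permit(client_ip, rcpt):
    return PERMIT


CHECKS = {check.__name__: check for check in (
    permit_mynetworks, reject_unauth_destination,
    reject_unknown_recipient_domain, permit)}

# Order as posted in this thread (unmodelled restrictions left out).
AS_POSTED = ["permit_mynetworks", "reject_unauth_destination",
             "reject_unknown_recipient_domain", "permit"]

# Same checks with the recipient-domain test ahead of permit_mynetworks, the
# order used in the "smtpd_recipient_restrictions Check" thread.
DOMAIN_CHECK_FIRST = ["reject_unknown_recipient_domain", "permit_mynetworks",
                      "reject_unauth_destination", "permit"]


def evaluate(restrictions, client_ip, rcpt):
    """Return (verdict, deciding restriction); the first non-DUNNO result wins."""
    for name in restrictions:
        verdict = CHECKS[name](client_ip, rcpt)
        if verdict != DUNNO:
            return verdict, name
    return PERMIT, "end of list"


if __name__ == "__main__":
    internal_app = "10.1.2.3"                 # constructed client inside mynetworks
    bad_rcpt = "someone@dsaperftest.edu"      # domain from the log line, local part constructed
    for label, order in (("as posted", AS_POSTED),
                         ("domain check first", DOMAIN_CHECK_FIRST)):
        print(label, evaluate(order, internal_app, bad_rcpt))
```

With the posted order the internal application's mail to the unresolvable domain is queued and bounced; with the domain check first it is refused at RCPT TO, before it reaches the queue.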
Upgrade 2.5.4
Hello, I am running postfix 2.5.4 and would like to upgrade it to the latest stable 2.7.0. What is the best way to upgrade? Do a clean install and port the settings to the newer version? Any help is appreciated. ~LA
Re: Upgrade 2.5.4
On Tue, Oct 19, 2010 at 3:37 PM, fake...@fakessh.eu wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Le 19.10.2010 19:42, Victor Duchovni a écrit :
> > On Tue, Oct 19, 2010 at 12:17:23PM -0400, Linux Addict wrote:
> > > Hello, I am running postfix 2.5.4 and would like to upgrade it to the latest stable 2.7.0. What is the best way to upgrade? Do a clean install and port the settings to the newer version? Any help is appreciated.
> >
> > No. Do an upgrade. If installing from source:
> >
> > Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> >
> >     % make
> >     % su root
> >     # postfix stop
> >     # make upgrade
> >     # postfix start
> >
> > If installing from a well constructed package:
> >
> > Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> >
> >     # postfix stop
> >     # some-command-to-install-updated-package
> >     # postfix start
> >
> > In either case, save the updated main.cf and master.cf files that are automatically upgraded as part of the install process.
> >
> > If the package is not well constructed:
> >
> > Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> >
> >     # postfix stop
> >
> >     # mkdir -p /etc/postfix/cfsavedir
> >     # cp /etc/postfix/main.cf /etc/postfix/master.cf \
> >         /etc/postfix/cfsavedir/
> >
> >     # some-command-to-install-updated-poorly-constructed-package
> >
> >     # cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/master.cf \
> >         /etc/postfix/
> >     # postfix set-permissions upgrade-configuration
> >
> >     # postfix start
> >
> > A package is not well constructed if it fails to preserve and upgrade your existing main.cf and master.cf files.

Thanks Victor. Reading from the 2.6 release notes, it looks like postfix changed how multiple instances are handled. I am going to test on sandbox.
Re: Upgrade 2.5.4
On Wed, Oct 20, 2010 at 3:21 PM, Linux Addict wrote:
> On Tue, Oct 19, 2010 at 3:37 PM, fake...@fakessh.eu wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Le 19.10.2010 19:42, Victor Duchovni a écrit :
> > > On Tue, Oct 19, 2010 at 12:17:23PM -0400, Linux Addict wrote:
> > > > Hello, I am running postfix 2.5.4 and would like to upgrade it to the latest stable 2.7.0. What is the best way to upgrade? Do a clean install and port the settings to the newer version? Any help is appreciated.
> > >
> > > No. Do an upgrade. If installing from source:
> > >
> > > Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> > >
> > >     % make
> > >     % su root
> > >     # postfix stop
> > >     # make upgrade
> > >     # postfix start
> > >
> > > If installing from a well constructed package:
> > >
> > > Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> > >
> > >     # postfix stop
> > >     # some-command-to-install-updated-package
> > >     # postfix start
> > >
> > > In either case, save the updated main.cf and master.cf files that are automatically upgraded as part of the install process.
> > >
> > > If the package is not well constructed:
> > >
> > > Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> > >
> > >     # postfix stop
> > >
> > >     # mkdir -p /etc/postfix/cfsavedir
> > >     # cp /etc/postfix/main.cf /etc/postfix/master.cf \
> > >         /etc/postfix/cfsavedir/
> > >
> > >     # some-command-to-install-updated-poorly-constructed-package
> > >
> > >     # cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/master.cf \
> > >         /etc/postfix/
> > >     # postfix set-permissions upgrade-configuration
> > >
> > >     # postfix start
> > >
> > > A package is not well constructed if it fails to preserve and upgrade your existing main.cf and master.cf files.
>
> Thanks Victor. Reading from the 2.6 release notes, it looks like postfix changed how multiple instances are handled. I am going to test on sandbox.

Sorry about beating the dead horse, but just came to know that there are a few 2.2 postfix instances which need to be upgraded to 2.7 as well. Does upgrade stand true for 2.2 to 2.7 or install a clean 2.7 and just port the postconf -n will suffice? Thanks again.
Re: Upgrade 2.5.4
On Tue, Nov 2, 2010 at 1:31 PM, Wietse Venema wrote:
> Linux Addict:
> > > > > If the package is not well constructed:
> > > > >
> > > > > Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> > > > >
> > > > >     # postfix stop
> > > > >
> > > > >     # mkdir -p /etc/postfix/cfsavedir
> > > > >     # cp /etc/postfix/main.cf /etc/postfix/master.cf \
> > > > >         /etc/postfix/cfsavedir/
> > > > >
> > > > >     # some-command-to-install-updated-poorly-constructed-package
> > > > >
> > > > >     # cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/master.cf \
> > > > >         /etc/postfix/
> > > > >     # postfix set-permissions upgrade-configuration
> > > > >
> > > > >     # postfix start
> > > > >
> > > > > A package is not well constructed if it fails to preserve and upgrade your existing main.cf and master.cf files.
> > >
> > > Thanks Victor. Reading from the 2.6 release notes, it looks like postfix changed how multiple instances are handled. I am going to test on sandbox.
> >
> > Sorry about beating the dead horse, but just came to know that there are a few 2.2 postfix instances which need to be upgraded to 2.7 as well. Does upgrade stand true for 2.2 to 2.7 or install a clean 2.7 and just port the postconf -n will suffice?
>
> No. The config files need to be upgraded, not overwritten.
>
> If you install clean 2.7, then follow instructions above as with "not well constructed package", i.e. save the config files, install Postfix, restore the config files and do "postfix set-permissions upgrade-configuration".
>
>     Wietse

Awesome, thank you. Testing the upgrade from 2.2 to 2.7.
Re: Upgrade 2.5.4
On Wed, Nov 3, 2010 at 4:48 AM, Terry Kemp wrote:
> On 11/3/10, Linux Addict wrote:
> > On Tue, Nov 2, 2010 at 1:31 PM, Wietse Venema wrote:
> > > Linux Addict:
> > > > > > > If the package is not well constructed:
> > > > > > >
> > > > > > > Read the RELEASE_NOTES file for 2.6 and 2.7, then:
> > > > > > >
> > > > > > >     # postfix stop
> > > > > > >
> > > > > > >     # mkdir -p /etc/postfix/cfsavedir
> > > > > > >     # cp /etc/postfix/main.cf /etc/postfix/master.cf \
> > > > > > >         /etc/postfix/cfsavedir/
> > > > > > >
> > > > > > >     # some-command-to-install-updated-poorly-constructed-package
> > > > > > >
> > > > > > >     # cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/master.cf \
> > > > > > >         /etc/postfix/
> > > > > > >     # postfix set-permissions upgrade-configuration
> > > > > > >
> > > > > > >     # postfix start
> > > > > > >
> > > > > > > A package is not well constructed if it fails to preserve and upgrade your existing main.cf and master.cf files.
> > > > >
> > > > > Thanks Victor. Reading from the 2.6 release notes, it looks like postfix changed how multiple instances are handled. I am going to test on sandbox.
> > > >
> > > > Sorry about beating the dead horse, but just came to know that there are a few 2.2 postfix instances which need to be upgraded to 2.7 as well. Does upgrade stand true for 2.2 to 2.7 or install a clean 2.7 and just port the postconf -n will suffice?
> > >
> > > No. The config files need to be upgraded, not overwritten.
> > >
> > > If you install clean 2.7, then follow instructions above as with "not well constructed package", i.e. save the config files, install Postfix, restore the config files and do "postfix set-permissions upgrade-configuration".
> > >
> > >     Wietse
> >
> > Awesome, thank you. Testing the upgrade from 2.2 to 2.7.
>
> --
> Sent from my mobile device

Victor, I see these messages after the upgrade and in fact it's RHEL4 w/ openssl-0.9.7a-43.17.el4_6.1

    Nov 3 12:02:11 MXHOST postfix/smtp[6209]: certificate verification failed for MXHOST-1[10.46.200.23]:25: untrusted issuer /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    Nov 3 12:02:11 MXHOST postfix/smtp[6209]: warning: tls_text_name: MXHOST-1[10.46.200.23]:25: error decoding peer subject CN of ASN.1 type=12
    Nov 3 12:02:11 MXHOST postfix/smtp[6209]: warning: TLS library problem: 6209:error:0D07A0A0:asn1 encoding routines:ASN1_mbstring_copy:unknown format:a_mbstr.c:142:

I see your patch "coded_CN_buf = vstring_alloc(strlen(CN) + 1); \" on http://www.mailinglistarchive.com/postfix-users@postfix.org/msg35241.html which is already in place for 2.7.1.

I know it's not a postfix issue, cause I was getting the cert error even before the upgrade, but "TLS Library Problem" is an additional error after the upgrade.

Cheers.
Header Time
Hi, I am sure someone can clarify it for me. A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to be doing -400 (EDT).

    by postfixmta.domain.net (Postfix) with SMTP id 62B1257AB5
    for ; Thu, 25 Jun 2009 12:16:12 -0400 (EDT)

But I looked at var log messages, it shows the right time there. Did I configure anything wrong or how to fix this? Thank you very much!! ~LA
Re: Header Time
On Thu, Jun 25, 2009 at 1:41 PM, ghe wrote:
> On 6/25/09 9:50 AM, Linux Addict wrote:
> > A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to be doing -400 (EDT).
>
> Hmmm. 4 hours. Are you using greylisting?
>
> --
> Glenn English
> g...@slsware.com

We are, but these aren't even going out. There is a transport map which directs it to internal exchange servers.

I am curious where it's getting the -400 (EDT) from.
Re: Header Time
On Thu, Jun 25, 2009 at 2:22 PM, Sahil Tandon wrote:
> On Jun 25, 2009, at 2:06 PM, Linux Addict wrote:
> > On Thu, Jun 25, 2009 at 1:41 PM, ghe <g...@slsware.com> wrote:
> > > On 6/25/09 9:50 AM, Linux Addict wrote:
> > > > A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to be doing -400 (EDT).
> > >
> > > Hmmm. 4 hours. Are you using greylisting?
> > >
> > > --
> > > Glenn English
> > > g...@slsware.com
> >
> > We are, but these aren't even going out. There is a transport map which directs it to internal exchange servers.
> >
> > I am curious where it's getting the -400 (EDT) from.
>
> No Outlook help here but what exactly is the Postfix problem? Or is the GMT -> EDT terminology confusing you? EDT = Eastern Daylight Time = GMT - 4:00.

Not looking for any outlook. See below the complete header. The BOLD text is where the message enters the postfix and the time seems adjusted.

On my Mail Client, the sent time is showing as Wed 6/24/2009 *1:12 PM* instead of *5:12PM* i.e. -4 hours. I believe that was caused by -0400 (EDT) modified by postfix.

    Microsoft Mail Internet Headers Version 2.0
    Received: from NYCEX20.MYDOMAIN.NET ([XX.XX.XX.XX]) by NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959);
        Wed, 24 Jun 2009 17:13:42 -0400
    Received: from POSTFIXMTA.MYDOMAIN.NET ([XX.XX.XX.XX]) by NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959);
        Wed, 24 Jun 2009 17:13:42 -0400
    Received: from LCM (unknown [XX.XX.XX.XX])
        by POSTFIXMTA.MYDOMAIN.NET (Postfix) with SMTP id A21103A006F
        for ; *Wed, 24 Jun 2009 17:13:39 -0400 (EDT)*
    From: bac...@mydomain.net
    To: backups-al...@mydomain.net
    Subject: T120 Test Mail
    Date: *Wed, 24 Jun 2009 17:11:41*
    Message-Id: <20090624211340.a21103a0...@postfix.mydomain.net>
    Return-Path: bac...@mydomain.net
    X-OriginalArrivalTime: 24 Jun 2009 21:13:42.0727 (UTC) FILETIME=[A7067570:01C9F510]
Re: Header Time
On Thu, Jun 25, 2009 at 4:17 PM, ghe wrote:
> I can't say much because I know next to nothing about Outlook and friends, but MS keeps time in local time (I hear), and *nix goes on GMT, and there's a 4 hour time correction for your local time, and you're seeing a 4 hour time change in your headers in mail being passed between *nix and MS. Betcha it's in there somewhere...
>
> --
> Glenn English
> g...@slsware.com

I don't think this is something to do with outlook as I tested with yahoo and gmail as well. I see the same pattern.

Looks to me the message leaves postfix with an updated time stamp. Is there any verbose mode that can be enabled in postfix to see what it's doing to check the time change process?
Re: Header Time
On Thu, Jun 25, 2009 at 5:11 PM, Blake Hudson wrote:
> Original Message
> Subject: Re: Header Time
> From: Linux Addict
>
> > I don't think this is something to do with outlook as I tested with yahoo and gmail as well. I see the same pattern.
> > Looks to me the message leaves postfix with an updated time stamp. Is there any verbose mode that can be enabled in postfix to see what it's doing to check the time change process?
>
> The only problem I see is that your appliance sends the date as "Date: Wed, 24 Jun 2009 17:11:41" when it should send as "Date: Wed, 24 Jun 2009 17:11:41 -0400". Since no time zone is provided, most mail clients likely interpret this as UTC time and display accordingly. If your device send email for the correct time zone, set the clock as UTC on the device.
>
> -Blake

A RHEL host (mailx) was able to send correctly, but I didn't compare the headers of both. I will do it next morning and will confirm.
Re: Header Time
On Thu, Jun 25, 2009 at 10:18 PM, Linux Addict wrote:
> On Thu, Jun 25, 2009 at 5:11 PM, Blake Hudson wrote:
> > Original Message
> > Subject: Re: Header Time
> > From: Linux Addict
> >
> > > I don't think this is something to do with outlook as I tested with yahoo and gmail as well. I see the same pattern.
> > > Looks to me the message leaves postfix with an updated time stamp. Is there any verbose mode that can be enabled in postfix to see what it's doing to check the time change process?
> >
> > The only problem I see is that your appliance sends the date as "Date: Wed, 24 Jun 2009 17:11:41" when it should send as "Date: Wed, 24 Jun 2009 17:11:41 -0400". Since no time zone is provided, most mail clients likely interpret this as UTC time and display accordingly. If your device send email for the correct time zone, set the clock as UTC on the device.
> >
> > -Blake
>
> A RHEL host (mailx) was able to send correctly, but I didn't compare the headers of both. I will do it next morning and will confirm.

Thank you everyone, I am all set. The appliance can set time, but has no option to set up the timezone.
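The diagnosis in this thread is that the appliance's Date: header carries no zone, so a client that reads it as UTC shows it four hours early to a reader in EDT. The script below is an added example (not from any post in the thread) that reproduces this with the two header values posted above; the function names are hypothetical, and the "zone-less means UTC" rule is the client behaviour described in the reply, taken here as an assumption.

```python
"""Why a Date: header without a zone shows up four hours early for an EDT reader."""
from datetime import timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Header values copied from the message posted in this thread.
DEVICE_DATE = "Wed, 24 Jun 2009 17:11:41"                    # appliance, no zone
POSTFIX_RECEIVED = "Wed, 24 Jun 2009 17:13:39 -0400 (EDT)"   # Postfix Received: stamp

EDT = timezone(timedelta(hours=-4), "EDT")


def has_zone(value):
    """True when the RFC 5322 date carries a usable zone."""
    return parsedate_to_datetime(value).tzinfo is not None


def as_seen_by(value, viewer_tz, assumed_tz=timezone.utc):
    """Time a reader in viewer_tz sees; zone-less dates are read as assumed_tz."""
    moment = parsedate_to_datetime(value)
    if moment.tzinfo is None:
        moment = moment.replace(tzinfo=assumed_tz)
    return moment.astimezone(viewer_tz)


def gap_to_received(date_value, received_value, assumed_tz=timezone.utc):
    """Received stamp minus Date stamp; a gap of whole hours hints at a missing zone."""
    received = as_seen_by(received_value, timezone.utc)
    sent = as_seen_by(date_value, timezone.utc, assumed_tz)
    return received - sent


def with_zone(value, local_tz):
    """Re-emit a zone-less date with the zone the device's clock is really in."""
    moment = parsedate_to_datetime(value)
    if moment.tzinfo is None:
        moment = moment.replace(tzinfo=local_tz)
    return format_datetime(moment)


if __name__ == "__main__":
    print("Date has zone:      ", has_zone(DEVICE_DATE))
    print("Received has zone:  ", has_zone(POSTFIX_RECEIVED))
    print("Shown to EDT reader:", as_seen_by(DEVICE_DATE, EDT).strftime("%H:%M:%S"))
    print("Gap if read as UTC: ", gap_to_received(DEVICE_DATE, POSTFIX_RECEIVED))
    print("Gap if read as EDT: ", gap_to_received(DEVICE_DATE, POSTFIX_RECEIVED, EDT))
    print("Corrected header:   ", with_zone(DEVICE_DATE, EDT))
```

A gap of about four hours against the relay's own Received: stamp, shrinking to about two minutes once the local zone is assumed, points at the sending device rather than at Postfix.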
Verisign Cert
Hello Gurus, Currently my postfix server runs with a self-signed cert, but now I was asked to implement a Verisign cert for some of the outgoing mails. My question is: when the Verisign cert is installed, will all the outgoing mails, such as to yahoo.com and gmail.com, be encrypted? Do the clients need any certificate information? I am not very clear. Please throw some light..

~LA
Re: Verisign Cert
On Wed, Jul 15, 2009 at 12:52 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:
>
> > Hello Gurus, Currently my postfix server runs with self-signed cert, but now
> > I was asked to implement verisign cert for some of the outgoing mails.
>
> You are mightily confused. X.509 certificates with SMTP STARTTLS are for
> *incoming* mail, so that *senders* can authenticate your server:
>
>     http://www.postfix.org/TLS_README.html#client_tls_secure
>
> The *server installs* a certificate signed by a trusted CA, and the
> *client verifies* it.
>
> > My question is when the verisign cert is installed, will all the outgoing mails
> > such as to yahoo.com, gmail.com be encrypted? Do the clients need any
> > certificate information? I am not very clear. Please throw some light..
>
> Your client certificate plays no role in the delivery of email to other
> domains, and will almost never be used, because the vast majority of
> MX hosts that support STARTTLS do not request client certificates.
>
> The recommended configuration for TLS enabled Postfix servers is:
>
>     # SMTP Server TLS (cert + key):
>     smtpd_tls_cert_file = /etc/postfix/your-cert.pem
>     smtpd_tls_key_file = /etc/postfix/your-key.pem
>
>     # SMTP Client TLS (no cert or key):
>     smtp_tls_cert_file =
>     smtp_tls_key_file =
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.

> On Wed, Jul 15, 2009 at 10:46 AM, Thomas Gelf wrote:
>
> I assume you're using this certificate for TLS, so the answer is NO, no
> single mails will be encrypted - TLS is "only" there to allow MTA's to
> encrypt their transport layer. If no restrictions are configured this
> happens automagically if both endpoints support TLS.
>
> Best regards,
> Thomas Gelf
>
> Linux Addict wrote:
> > Hello Gurus, Currently my postfix server runs with self-signed cert, but
> > now I was asked to implement verisign cert for some of the outgoing
> > mails. My question is when the verisign cert is installed, will all the
> > outgoing mails such as to yahoo.com, gmail.com be encrypted? Do the
> > clients need any certificate information? I am not very clear. Please
> > throw some light..
> >
> > ~LA

Thank you. Looks like I need to stand up another postfix instance since the outgoing mails domain will be different from the one on $mydomain.

On the current instance (self-signed), when I do telnet to port 25, I get the below.

250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-AUTH=PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The postconf output is below

smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom

I read in one of the docs, http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1, that for a successful TLS setup, the last line should be "220 Ready to start TLS". I don't see any error in the logs; does my current setup really have TLS enabled?

thanks
LA
Re: Verisign Cert
On Wed, Jul 15, 2009 at 1:58 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Wed, Jul 15, 2009 at 01:49:24PM -0400, Linux Addict wrote:
>
> > smtp_tls_note_starttls_offer = yes
> > smtp_use_tls = yes
> > smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
>
> Make that:
>
>     smtp_tls_CAfile = ...
>
> you don't need an smtpd_tls_CAfile, unless your cert file is missing
> the intermediate CA issuing certificates that are found in this file.
> The right solution is to include your trust chain in the cert.pem file
> (in the right order, subject cert before issuer cert, leaf to root).
>
> > smtpd_tls_session_cache_timeout = 3600s
>
> No need if you don't also specify a "btree" cache database.
>
> > smtpd_use_tls = yes
>
> Make that:
>
>     smtpd_tls_security_level = may
>
> > I read on one of the doc,
> > http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1,
> > for a successfull TLS setup, the last line should be
> > "220 Ready to start TLS".
>
> No, this is not the case. To test:
>
>     openssl s_client -starttls smtp -connect 192.0.2.1:25
>
> where 192.0.2.1 is replaced by the IP address of your SMTP server.
>
> --
> Viktor.

I think I lack knowledge on this.. I gotta do some reading.

I ran the openssl test command that you provided and it doesn't look like my cert config is good.
[r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
CONNECTED(0003)
depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
   i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
issuer=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
No client certificate CA names sent
---
SSL handshake has read 1595 bytes and written 350 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E73EFFA5B6E8331A2571E2B15E43189D1F585D4B9D64128E6C09CE67190E2B64
    Session-ID-ctx:
    Master-Key: BD77CCB997AFCD42BDFDC750763FD56FD82237E09686F6E596A9E885AD5B46C5FD99E9C5B45A7BBDE25A183F8BAA05D5
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1247682108
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 XXX ESMTP
Re: Verisign Cert
On Wed, Jul 15, 2009 at 3:07 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Wed, Jul 15, 2009 at 02:33:46PM -0400, Linux Addict wrote:
>
> > I ran openssl test command that you provided and doesn't look like my cert
> > config is good.
> >
> > [r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
> > CONNECTED(0003)
> > ---
> > Certificate chain
> >  0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
> >    i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1595 bytes and written 350 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 1024 bit
> > ---
> > 220 XXX ESMTP
>
> This is exactly what you would expect. Everything is working fine.
>
> --
> Viktor.

I am reading the TLS page on postfix and here: http://www.state-of-mind.de/assets/postfix_tls.pdf.

I have one last question. What I am trying to set up is: I have a set of hosts in the LAN which use postfix relay servers in the DMZ to send (secure) mails to one of our external clients. The external client insists on using a verisign cert. In this scenario my postfix server will send mails to the external client's server, so should I configure the Client Certificate on my postfix?

Thank you,
Re: Verisign Cert
On Thu, Jul 16, 2009 at 12:03 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> On Thu, Jul 16, 2009 at 09:33:24AM -0400, Linux Addict wrote:
>
> > I am reading TLS page on postfix and here
> > http://www.state-of-mind.de/assets/postfix_tls.pdf.
> >
> > I have one last question. What I am trying to setup is, I have set of hosts
> > in LAN which use postfix relay servers in DMZ to send (secure) mails to one
> > of our external client. The external client insists on using verisign cert.
>
> This is not sufficiently precise, what does "using" mean? Printing it
> on a piece of paper and using it as bathroom wallpaper? :-)

:-) Honestly I haven't spoken to them directly, just working based on a piece of mail I got.

> You need to understand what role the private key and associated (Verisign or
> other CA) certificate is to play in your communications with this party.
>
> > On this scenario my postfix server will send mails to the external client's
> > server, so should I configure the Client Certificate on my postfix.
>
> If they restrict access to their server, and allow only (certain) TLS
> authenticated clients to connect, then indeed you may need to configure
> a client certificate. This is never true for MX hosts, but if this is
> a dedicated gateway used only by specially configured clients, it may
> be one of the exceptions where SMTP client certs are useful.

Being secure, I think they allow only specific clients to connect.

The postfix TLS doc says the key should be in .pem format, but I see many howtos using .key or .crt as well. I used the openssl command to generate keys, and both .pem and .key seem to be just rsa encryption with BEGIN and END. I assume the extension can be .pem or .crt or can be anything. Is that right?
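The two checks Viktor describes in this thread, reading the `openssl s_client` result and keeping the chain "subject cert before issuer cert, leaf to root", can be scripted. This is an added example, not code from the thread, Postfix or OpenSSL; the function names and the three constructed sample outputs (modelled on the redacted output posted above) are assumptions.

```python
import re

# Constructed s_client excerpts (all names made up), modelled on the output in this thread.
SELF_SIGNED = """\
Certificate chain
 0 s:/C=US/ST=NY/O=XXX/CN=mx.example.net
   i:/C=US/ST=NY/O=XXX/CN=mx.example.net
---
    Verify return code: 21 (unable to verify the first certificate)
---
220 mx.example.net ESMTP
"""

CA_SIGNED = """\
Certificate chain
 0 s:/C=US/O=Example Corp/CN=mx.example.net
   i:/C=US/O=Example CA/CN=Example Issuing CA
 1 s:/C=US/O=Example CA/CN=Example Issuing CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
    Verify return code: 0 (ok)
"""

# Leaf followed by the root: the issuing (intermediate) CA is missing or misplaced.
BROKEN_ORDER = """\
Certificate chain
 0 s:/C=US/O=Example Corp/CN=mx.example.net
   i:/C=US/O=Example CA/CN=Example Issuing CA
 1 s:/C=US/O=Example CA/CN=Example Root CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:\s*(.+?)\s*$")
ISSUER_RE = re.compile(r"^\s+i:\s*(.+?)\s*$")
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)")


def parse_chain(output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, in_block, pending = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if line.strip() == "---":      # end of the chain block
            break
        m = SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = ISSUER_RE.match(line)
        if m and pending:
            chain.append((pending[0], pending[1], m.group(1)))
            pending = None
    return chain


def assess(output):
    """Summarise what the server presented. Compares DNs only, not signatures."""
    chain = parse_chain(output)
    m = VERIFY_RE.search(output)
    code = int(m.group(1)) if m else None
    result = {"depth": len(chain), "self_signed_leaf": False, "ordered": True,
              "verify_code": code, "findings": []}
    if not chain:
        result["findings"].append("no 'Certificate chain' block found")
        return result
    _, subject, issuer = chain[0]
    result["self_signed_leaf"] = subject == issuer
    # Leaf to root: each certificate's issuer must be the next certificate's subject.
    result["ordered"] = all(chain[i][2] == chain[i + 1][1] for i in range(len(chain) - 1))
    if result["self_signed_leaf"]:
        result["findings"].append("leaf is self-signed; clients cannot validate it against a CA")
    elif len(chain) == 1:
        result["findings"].append("only the leaf was sent; append the issuing CA certs to the cert file")
    if not result["ordered"]:
        result["findings"].append("chain is not leaf-to-root; fix the order in the cert file")
    if code:
        # s_client carries on after a verify failure, so this reports trust,
        # not whether STARTTLS itself works.
        result["findings"].append("verify return code %d (%s)" % (code, m.group(2)))
    return result


if __name__ == "__main__":
    for name, text in (("self-signed", SELF_SIGNED), ("ca-signed", CA_SIGNED), ("broken", BROKEN_ORDER)):
        print(name, assess(text))
```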
Log file for Second Instance.
Greetings, I have two instances of postfix running, but all the logs are going to /var/log/maillog. Could someone please point me to how to create a separate log file for the 2nd instance?
Transport Maps
I have a postfix MTA server running. I was asked to set up relay mail to a specific domain through MX records.

Domain - Example.com
An A record smtp.example.com
MX Records smtp.example.com - smtp1.example.com and smtp2.example.com.

In simple terms, when I send a mail to @example.com, postfix must send the mail to the MX records of smtp.example.com.

I tried using transport maps, "example.com :[smtp1.example.com]" and "example.com smtp:[smtp1.example.com]", but neither of them used smtp.example.com.

Please help me set this one up.

~LA
Re: Transport Maps
On Tue, Jul 21, 2009 at 12:00 PM, Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:

> * Ralf Hildebrandt :
>
> > > In simple, When I send a mail to @example.com, postfix must send the mail
> > > to the MX records of smtp.example.com.
> >
> > example.com smtp.example.com
>
> OK, not too sure if Postfix will perform an MX lookup for the RHS
> (smtp.example.com in this example). Please try
>
> --
> Ralf Hildebrandt
> Geschäftsbereich IT | Abteilung Netzwerk
> Charité - Universitätsmedizin Berlin
> Campus Benjamin Franklin
> Hindenburgdamm 30 | D-12203 Berlin
> Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
> ralf.hildebra...@charite.de | http://www.charite.de

I just tried, it's NOT using the MX records of smtp.example.com. I can manipulate it through DNS, but will be more comfortable if we can do it through Postfix.
Re: Transport Maps
On Tue, Jul 21, 2009 at 12:03 PM, Simon Waters wrote:

> On Tuesday 21 July 2009 16:53:52 Linux Addict wrote:
> >
> > I tried using transport maps, "example.com :[smtp1.example.com]"
> > and "example.com smtp:[smtp1.example.com]", but neither of them used
> > smtp.example.com.
>
> Not clear what you mean here.
>
> Documentation of "transport" (man transport) suggests you don't want the "[]"
> if you want MX lookup.
>
> So I think you want:
>
> example.com smtp:smtp.example.com

Simon, I already tried that. It's not doing MX lookup I guess.
Re: Transport Maps
I tried digging, I get the MX servers in the ANSWER section. I manage DNS as well, so I know it's resolving correctly.

On Tue, Jul 21, 2009 at 12:20 PM, Jaroslaw Grzabel wrote:

> Linux Addict wrote:
>
>> Simon, I already tried that. It's not doing MX lookup I guess.
>
> Maybe it works but you're using your local DNS which doesn't know MX
> record for that remote domain you want to relay your messages through. Try
> locally run dig domainname.com MX and see the result. If it's empty it
> means that it's something wrong with that domain name and there is nothing
> to do with postfix in this case because postfix will not cast a spell for
> you and charm MX record.
>
> syntax as:
> domainname.com smtp:server.domain.com
> should work for you
>
> Regards,
> Jarek
>
> P.S. Sorry I posted that to your priv as well... reply to the list please.
Re: Transport Maps
On Tue, Jul 21, 2009 at 12:24 PM, Jaroslaw Grzabel wrote:

> Linux Addict wrote:
>
>> I tried digging, I get the MX servers on the ANSWER section. I manage DNS
>> as well, so I know its resolving correctly.
>
> What is in the log files then when you're trying to relay your messages ?
>
> Regards,
> Jarek

Good Question. It is using the MX records of example.com, but we need postfix to use the MX records of smtp.example.com
Re: Transport Maps
On Tue, Jul 21, 2009 at 12:37 PM, Linux Addict wrote:

> On Tue, Jul 21, 2009 at 12:24 PM, Jaroslaw Grzabel wrote:
>
>> Linux Addict wrote:
>>
>>> I tried digging, I get the MX servers on the ANSWER section. I manage DNS
>>> as well, so I know its resolving correctly.
>>
>> What is in the log files then when you're trying to relay your messages ?
>>
>> Regards,
>> Jarek
>
> Good Question. It is using the MX records of example.com, but we need
> postfix to use the MX records of smtp.example.com

Thanks all. I just worked around by adding internal CNAME pointing to 2 MX servers. I will come back later and check
Re: tls_random_source and OSX
On Tue, Jul 21, 2009 at 5:13 PM, Quanah Gibson-Mount wrote:

> I noticed that on my OSX builds, there is no default tls_random_source
> defined, yet /dev/urandom exists on those systems:
>
> OSX 10.4:
>
> build24:~ build$ ls -l /dev/urandom
> crw-rw-rw-  1 root  wheel  8, 1 Jun 18 13:38 /dev/urandom
> build24:~ build$ uname -a
> Darwin build24.lab.zimbra.com 8.11.1 Darwin Kernel Version 8.11.1: Wed Oct 10 18:23:28 PDT 2007; root:xnu-792.25.20~1/RELEASE_I386 i386 i386
>
> OSX 10.5:
>
> build09:~ build$ ls -l /dev/urandom
> crw-rw-rw-  1 root  wheel  8, 1 Jun 23 12:42 /dev/urandom
> build09:~ build$ uname -a
> Darwin build09.lab.zimbra.com 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
>
> Is there a particular reason for this?
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
>
> Zimbra :: the leader in open source messaging and collaboration

Was postfix compiled with TLS enabled? If yes, what does postconf -d|grep tls_random_source show?
Re: [Postfix] Wrong Time
On Tue, Oct 27, 2009 at 10:51 AM, Dan Schaefer wrote:

> Wietse Venema wrote:
>
>> Try without SeLinux, AppArmor, and other "security" add-ons.
>> They are not covered by the Postfix warranty.
>>
>>     Wietse
>
> Postfix has a warranty? :) It's a free product...
>
> --
> Dan Schaefer
> Web Developer/Systems Analyst
> Performance Administration Corp.

This issue (-0600) is usually caused by an application/script that sends mail without setting the time offset.
Re: Is it time for 2.x.y -> x.y?
After 2.9, it should have been 3, not 2.10 ;)

Sent from my iPhone

On Jun 1, 2013, at 8:33 AM, Len Conrad wrote:

> At 07:18 AM 6/1/2013, you wrote:
>> On 31.05.2013 22:56, Wietse Venema wrote:
>>> After the confusion that Postfix 2.10 is not Postfix 2.1, maybe it
>>> is time to change the release numbering scheme.
>
> don't dumb postfix down. keep the current numbering style.
>
> Len
Redirect Mail for specific Domain.
Hi, I have virtual zone on a postfix mail relay.

Virtual Zone          Virtual Alias
zone1.example.com     [EMAIL PROTECTED] goes to [EMAIL PROTECTED]

zone1.example.com is managed by us which is postfix
example.net is Exchange server managed by another Team.

The problem I am facing is, the postfix server is resolving example.net to external address, but I really want to send those mails to internal SMTP address of example.net (Exchange Server).

Is there a tweak in postfix to do this?

Cheers,
LA
Re: Redirect Mail for specific Domain.
On Fri, Aug 8, 2008 at 9:45 PM, Sahil Tandon <[EMAIL PROTECTED]> wrote:

> Linux Addict <[EMAIL PROTECTED]> wrote:
>
> > Hi, I have virtual zone on a postfix mail relay.
> >
> > Virtual Zone          Virtual Alias
> > zone1.example.com     [EMAIL PROTECTED] goes to [EMAIL PROTECTED]
> >
> > zone1.example.com is managed by us which is postfix
> > example.net is Exchange server managed by another Team.
> >
> > The problem I am facing is, the postfix server is resolving example.net to
> > external address, but I really want to send those mails to internal SMTP
> > address of example.net(Exchange Server).
> >
> > Is there a tweak in postfix to do this.?
>
> If you want to direct all mail destined for zone1.example.com to
> example.net, then instead of virtual aliases, you might consider
> transport maps:
>
> http://www.postfix.org/transport.5.html
>
> --
> Sahil Tandon <[EMAIL PROTECTED]>

I can fix DNS, but it may break other prod. services. I will give it a shot with Transport Maps.

Cheers.. Grt Weekend!!
Re: Redirect Mail for specific Domain.
Linux Addict wrote:

> On Fri, Aug 8, 2008 at 9:45 PM, Sahil Tandon <[EMAIL PROTECTED]> wrote:
>
>> Linux Addict <[EMAIL PROTECTED]> wrote:
>>
>>> Hi, I have virtual zone on a postfix mail relay.
>>>
>>> Virtual Zone          Virtual Alias
>>> zone1.example.com     [EMAIL PROTECTED] goes to [EMAIL PROTECTED]
>>>
>>> zone1.example.com is managed by us which is postfix
>>> example.net is Exchange server managed by another Team.
>>>
>>> The problem I am facing is, the postfix server is resolving example.net to
>>> external address, but I really want to send those mails to internal SMTP
>>> address of example.net(Exchange Server).
>>>
>>> Is there a tweak in postfix to do this.?
>>
>> If you want to direct all mail destined for zone1.example.com to
>> example.net, then instead of virtual aliases, you might consider
>> transport maps:
>>
>> http://www.postfix.org/transport.5.html
>>
>> --
>> Sahil Tandon <[EMAIL PROTECTED]>
>
> I can fix DNS, but it may break other prod. services. I will give it a shot
> with Transport Maps. Cheers.. Grt Weekend!!

Hit a bump.. In the transport file, I can't seem to enter multiple MX servers for the same domain.

example.net smtp:[mx01]

Works great, but how do I configure the MX02 for the same example.net? When I add a new line it complains about a duplicate.

~LA
Re: HOTMAIL rejections ?
Frank Bonnet wrote:

> hello
>
> Our site is regulary rejected by HOTMAIL/LIVE during several days
> then it stop to be rejected then rejected again and so on ...
>
> This happens ONLY with HOTMAIL
>
> Anyone has the same trouble ?
>
> the rejection message is like the following
>
> host mx1.hotmail.com[65.54.244.8] said: 550 OU-002 Mail rejected by Windows
> Live Hotmail for policy reasons. Reasons for rejection may be related to
> content with spam-like characteristics or IP/domain reputation problems. If
> you are not an email/network admin please contact your E-mail/Internet
> Service Provider for help. Email/network admins, please visit
> http://postmaster.live.com for email delivery information and support (in
> reply to MAIL FROM command)
>
> Thanks for any infos.

Did you publish your spf and sender id records? I had the same issues and worked with the MS guys. Hotmail uses sender id, very similar to spf. You can generate sender id records on the MS site. Hit this link, you should have all you need.

http://www.clickz.com/showPage.html?page=3627253

~LA
Likely Spam.
Hi, Looks like our MX servers are hit hard by a specific email address which is sending frequent mails trying to use our relay; effectively, many mail servers seem to be blacklisting.

Oct 20 18:20:05 mx01 postfix/qmgr[6512]: DBB784BE68E: from=<[EMAIL PROTECTED]>, size=3309, nrcpt=1 (queue active)
Oct 20 18:20:05 mx0 postfix/error[9345]: DA960E73E11: to=<[EMAIL PROTECTED]>, relay=none, delay=77080, delays=76950/130/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to exchange.net Connection timed out)

Please help me stop this. Thank you!

~LA
Re: Likely Spam.
On Mon, Oct 20, 2008 at 6:33 PM, Neil <[EMAIL PROTECTED]> wrote:

> On 20 Oct 2008, at 18:24, Linux Addict wrote:
>
> Hi, Looks like our MX servers are hit hard by a specific email address
> which is sending frequent mails trying to use our relay effectively many
> mail servers seems to be blacklisting.
>
> Oct 20 18:20:05 mx01 postfix/qmgr[6512]: DBB784BE68E: from=<[EMAIL PROTECTED]>, size=3309, nrcpt=1 (queue active)
> Oct 20 18:20:05 mx0 postfix/error[9345]: DA960E73E11: to=<[EMAIL PROTECTED]>, relay=none, delay=77080, delays=76950/130/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to exchange.net Connection timed out)
>
> Please help me stop this. Thank you!
>
> ~LA
>
> Unless I'm mistaken (and I'm not the most knowledgeable person on this
> list), I think your server thinks it's okay to accept mail for the domain
> "exchange.net" (and I'm assuming "exchange.net" isn't yours). So to fix
> this, you need to tell postfix only to accept mail for your domains. I
> think you should check my_destination, relay_domains, etc.
>
> Post the output of "postconf -n".
>
> -N.

Thanks for your reply.

mydestination = $myhostname
relay_domains = $mydestination

Actually it's not just exchange.net, most of the mails are being sent to bellsouth.net

Oct 20 18:37:27 mx01 postfix/qmgr[6597]: 5CE74D08FE1: from=<[EMAIL PROTECTED]>, size=3237, nrcpt=1 (queue active)
Oct 20 18:37:27 mx01 postfix/error[6838]: 57AD01031088: to=<[EMAIL PROTECTED]>, relay=none, delay=14928, delays=14928/0.05/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 450 too frequent connects from 63.240.86.13, please try again later.)

Thanks
LA
Re: Likely Spam.
On Mon, Oct 20, 2008 at 6:41 PM, Neil <[EMAIL PROTECTED]> wrote:

> On 20 Oct 2008, at 18:39, Linux Addict wrote:
>
> On Mon, Oct 20, 2008 at 6:33 PM, Neil <[EMAIL PROTECTED]> wrote:
>
>> On 20 Oct 2008, at 18:24, Linux Addict wrote:
>>
>> Hi, Looks like our MX servers are hit hard by a specific email address
>> which is sending frequent mails trying to use our relay effectively many
>> mail servers seems to be blacklisting.
>>
>> Oct 20 18:20:05 mx01 postfix/qmgr[6512]: DBB784BE68E: from=<[EMAIL PROTECTED]>, size=3309, nrcpt=1 (queue active)
>> Oct 20 18:20:05 mx0 postfix/error[9345]: DA960E73E11: to=<[EMAIL PROTECTED]>, relay=none, delay=77080, delays=76950/130/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to exchange.net Connection timed out)
>>
>> Please help me stop this. Thank you!
>>
>> ~LA
>>
>> Unless I'm mistaken (and I'm not the most knowledgeable person on this
>> list), I think your server thinks it's okay to accept mail for the domain
>> "exchange.net" (and I'm assuming "exchange.net" isn't yours). So to fix
>> this, you need to tell postfix only to accept mail for your domains. I
>> think you should check my_destination, relay_domains, etc.
>>
>> Post the output of "postconf -n".
>>
>> -N.
>
> Thanks for your reply.
>
> mydestination = $myhostname
> relay_domains = $mydestination
>
> Actually its not just exchange.net, most of the mails are being sent to
> bellsouth.net
>
> Oct 20 18:37:27 mx01 postfix/qmgr[6597]: 5CE74D08FE1: from=<[EMAIL PROTECTED]>, size=3237, nrcpt=1 (queue active)
> Oct 20 18:37:27 mx01 postfix/error[6838]: 57AD01031088: to=<[EMAIL PROTECTED]>, relay=none, delay=14928, delays=14928/0.05/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 450 too frequent connects from 63.240.86.13, please try again later.)
>
> Thanks
> LA
>
> I don't think you need $mydestination in relay_domains. And the rest of
> postconf -n would still be useful.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 50
disable_vrfy_command = yes
fallback_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname
mydomain = example.net
myhostname = mx02.example.net
mynetworks = /etc/postfix/network_table
mynetworks_style = class
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = $mydestination
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 300
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,reject_unauth_destination,
    reject_invalid_hostname,reject_unauth_pipelining,
    reject_non_fqdn_sender,reject_unknown_sender_domain,
    reject_non_fqdn_recipient,reject_unknown_recipient_domain,
    reject_rbl_client blackholes.easynet.nl,reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org,permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/maps/pf_aliases
virtual_gid_maps = static:102
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = hash:/etc/postfix/maps/pf_domain
virtual_mailbox_limit = 5120
virtual_mailbox_maps = hash:/etc/postfix/maps/pf_domain_mailboxes
virtual_minimum_uid = 102
virtual_transport = maildrop
virtual_uid_maps = static:102
Re: Likely Spam.
On Mon, Oct 20, 2008 at 9:53 PM, Charles Marcus <[EMAIL PROTECTED]> wrote:

> On 10/20/2008 Linux Addict wrote:
>
>> mynetworks = /etc/postfix/network_table
>
> Contents of this file could be instructive...

All I have in the file is RFC 1918 Address Space.
Re: Likely Spam.
On Tue, Oct 21, 2008 at 3:29 AM, mouss <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
> > [snip]
> > local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps
> > $alias_maps
>
> remove $virtual_alias_maps from local_recipient_maps.
>
> > [snip]
> > mynetworks_style = class
>
> remove mynetworks_style (mynetworks is enough).
>
> > [snip] relay_domains = $mydestination
>
> set
> relay_domains =
>
> The $mydestination setting is for compatibility reasons, and given your
> mydestination setting, you don't need it (you don't want mail to
> [EMAIL PROTECTED]).
>
> > [snip]
> > smtpd_recipient_restrictions = permit_mynetworks,
> > permit_sasl_authenticated,reject_unauth_destination,
> > reject_invalid_hostname,reject_unauth_pipelining,
>
> reject_unauth_pipelining is useless here.
>
> > reject_non_fqdn_sender,reject_unknown_sender_domain,
> > reject_non_fqdn_recipient,reject_unknown_recipient_domain,
>
> reject_unknown_recipient_domain is useless here. it only checks your own
> domains.
>
> > reject_rbl_client blackholes.easynet.nl,
> > reject_rbl_client cbl.abuseat.org,
> > reject_rbl_client proxies.blackholes.wirehub.net,
> > reject_rbl_client bl.spamcop.net,
> > reject_rbl_client sbl.spamhaus.org,
> > reject_rbl_client dnsbl.njabl.org,
> > reject_rbl_client list.dsbl.org,
> > reject_rbl_client multihop.dsbl.org,
> > permit
>
> you should check that the DNSBLs you use are active. You can start with
>     http://spamlinks.net/filter-dnsbl-dead.htm
> In particular, blackholes.easynet.nl and *.dsbl.org are gone.
>
> and I don't think blackholes.wirehub.net does anything (it once (2003)
> became blackholes.easynet.nl, which is dead now).
>
> and instead of using cbl and sbl, use xbl-sbl.spamhaus.org. Or better
> yet, use zen.spamhaus.org.
>
> > [snip]
>
> Regarding your problem, do what Noel said. check how the message entered
> your system by finding all message

Could someone please point me in the direction of documents for tracking Queue ID?
Re: Likely Spam.
On Tue, Oct 21, 2008 at 7:19 AM, Linux Addict <[EMAIL PROTECTED]> wrote:

> On Tue, Oct 21, 2008 at 3:29 AM, mouss <[EMAIL PROTECTED]> wrote:
>
>> Linux Addict wrote:
>>
>> > [snip]
>> > local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps
>> > $alias_maps
>>
>> remove $virtual_alias_maps from local_recipient_maps.
>>
>> > [snip]
>> > mynetworks_style = class
>>
>> remove mynetworks_style (mynetworks is enough).
>>
>> > [snip] relay_domains = $mydestination
>>
>> set
>> relay_domains =
>>
>> The $mydestination setting is for compatibility reasons, and given your
>> mydestination setting, you don't need it (you don't want mail to
>> [EMAIL PROTECTED]).
>>
>> > [snip]
>> > smtpd_recipient_restrictions = permit_mynetworks,
>> > permit_sasl_authenticated,reject_unauth_destination,
>> > reject_invalid_hostname,reject_unauth_pipelining,
>>
>> reject_unauth_pipelining is useless here.
>>
>> > reject_non_fqdn_sender,reject_unknown_sender_domain,
>> > reject_non_fqdn_recipient,reject_unknown_recipient_domain,
>>
>> reject_unknown_recipient_domain is useless here. it only checks your own
>> domains.
>>
>> > reject_rbl_client blackholes.easynet.nl,
>> > reject_rbl_client cbl.abuseat.org,
>> > reject_rbl_client proxies.blackholes.wirehub.net,
>> > reject_rbl_client bl.spamcop.net,
>> > reject_rbl_client sbl.spamhaus.org,
>> > reject_rbl_client dnsbl.njabl.org,
>> > reject_rbl_client list.dsbl.org,
>> > reject_rbl_client multihop.dsbl.org,
>> > permit
>>
>> you should check that the DNSBLs you use are active. You can start with
>>    http://spamlinks.net/filter-dnsbl-dead.htm
>> In particular, blackholes.easynet.nl and *.dsbl.org are gone.
>>
>> and I don't think blackholes.wirehub.net does anything (it once (2003)
>> became blackholes.easynet.nl, which is dead now).
>>
>> and instead of using cbl and sbl, use xbl-sbl.spamhaus.org. Or better
>> yet, use zen.spamhaus.org.
>>
>> > [snip]
>>
>> Regarding your problem, do what Noel said. check how the message entered
>> your system by finding all message
>
> Could someone please point to the direction of documents for tracking Queue
> ID.?

Nevermind.. I did strings on one of the messages on "deferred" and got the information.
Re: Likely Spam.
On Tue, Oct 21, 2008 at 7:33 AM, Noel Jones <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>> Nevermind.. I did strings on one of the messages on "deferred" and got the
>> information.
>
> use
> postcat -q QUEUEID | more
> to view the contents of a queued message.
>
> --
> Noel Jones

I got the culprit. It was one of the internal hosts. Now how do I reject any mail from that particular email address? I tried with sender_access, but it is not working. Any ideas?

Thanks, LA
Re: Likely Spam.
On Thu, Oct 23, 2008 at 5:15 PM, Noel Jones <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>> On Tue, Oct 21, 2008 at 7:33 AM, Noel Jones <[EMAIL PROTECTED]> wrote:
>>
>>    Linux Addict wrote:
>>
>>        Nevermind.. I did strings on one of the messages on "deferred"
>>        and got the information.
>>
>>    use
>>    postcat -q QUEUEID | more
>>    to view the contents of a queued message.
>>
>>    --Noel Jones
>>
>> I got the culprit. It was one of the internal hosts. Now how do I reject
>> any mail from that particular email address? I tried with sender_access, but
>> it is not working. Any ideas?
>>
>> Thanks, LA
>
> Use a check_client_access table to reject that host's IP.
>
> sample config:
>
> #main.cf
> smtpd_client_restrictions =
>     check_client_access hash:/etc/postfix/client_blacklist
>
> # /etc/postfix/client_blacklist
> 192.168.1.33 REJECT your computer has a virus.
>
> then run:
> # postmap client_blacklist
> # postfix reload
>
> If you don't have a smtpd_client_restrictions section in your main.cf yet,
> the above example should work fine as is.
>
> --
> Noel Jones

Unfortunately that host also sends some legitimate mails. I just want to block those two mail ids for now.

smtpd_sender_restrictions = hash:/etc/postfix/sender_access

sender_access has following entries, but not working.

[EMAIL PROTECTED] REJECT
[EMAIL PROTECTED] REJECT

Anything wrong here?
Re: Likely Spam.
On Thu, Oct 23, 2008 at 5:49 PM, mouss <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
> > Unfortunately that host also sends some legitimate mails. I just want to
> > block those two mail ids for now.
>
> unfortunately for you, if the host is owned, it will find other sender
> addresses...
>
> > smtpd_sender_restrictions = hash:/etc/postfix/sender_access
>
> put the name of the check explicitly:
>
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/sender_access
>
> don't forget to postmap the hash map.
>
> > sender_access has following entries, but not working.
> >
> > [EMAIL PROTECTED] REJECT
> > [EMAIL PROTECTED] REJECT
> >
> > Anything wrong here?
>
> it's ok, but see note above (a sender address is easily forged unless
> you use reject_sender_login_mismatch).

Thank you guys!! It worked. We have escalated to the DEV to fix the problem. Actually spammers are exploiting "Email a Friend" option on our webpage inserting spam note, but there are also legitimate referrals. It's a bit of politics as well as DEV is downplaying the issue. Thank you again.
Spam on deck!!
We have a java mailer application which was hung and queued more than 100k mails. People are working to fix it. I am worried that all 100k mails may hit postfix server and cause some damage. Anyway I can prepare for it? ~LA
Re: Spam on deck!!
Steven King wrote:

Postfix is very cautious about system resource usage. It keeps an eye on RAM usage, disk space, and CPU usage. I battered my postfix server with 200K mails once. Just for a stress test. The load on the server went up sharply and was a bit sluggish but postfix chugged along through it with very little impact to other services running on the system.

Linux Addict wrote:

We have a java mailer application which was hung and queued more than 100k mails. People are working to fix it. I am worried that all 100k mails may hit postfix server and cause some damage. Anyway I can prepare for it? ~LA

Thanks! I am not just worried about the system performance, but possible blacklisting as it may send flurry of mails to external domains. ~LA
Re: Spam on deck!!
Linux Addict wrote:

Steven King wrote:

Postfix is very cautious about system resource usage. It keeps an eye on RAM usage, disk space, and CPU usage. I battered my postfix server with 200K mails once. Just for a stress test. The load on the server went up sharply and was a bit sluggish but postfix chugged along through it with very little impact to other services running on the system.

Linux Addict wrote:

We have a java mailer application which was hung and queued more than 100k mails. People are working to fix it. I am worried that all 100k mails may hit postfix server and cause some damage. Anyway I can prepare for it? ~LA

Thanks! I am not just worried about the system performance, but possible blacklisting as it may send flurry of mails to external domains. ~LA

I am reading the TUNING_README and it looks like anvil seems to be taking care of most things.
DKIMproxy Information.
Hi, Please excuse me if it is not relevant on this forum. I am planning to use domain keys and dkim for our domain just to send mails outside. Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new DKIM? thank you. ~LA
Re: Spam on deck!!
On Sat, Nov 8, 2008 at 12:06 AM, Sahil Tandon <[EMAIL PROTECTED]> wrote:

> Terry Carmen <[EMAIL PROTECTED]> wrote:
>
> > Sahil Tandon wrote:
> >> Linux Addict <[EMAIL PROTECTED]> wrote:
> >>
> >>> Steven King wrote:
> >>>
> >>>> Postfix is very cautious about system resource usage. It keeps an eye on
> >>>> RAM usage, disk space, and CPU usage.
> >>>>
> >>>> I battered my postfix server with 200K mails once. Just for a stress
> >>>> test. The load on the server went up sharply and was a bit sluggish but
> >>>> postfix chugged along through it with very little impact to other
> >>>> services running on the system.
> >>>>
> >>>> Linux Addict wrote:
> >>>>
> >>>>> We have a java mailer application which was hung and queued more than
> >>>>> 100k mails. People are working to fix it. I am worried that all 100k
> >>>>> mails may hit postfix server and cause some damage.
> >>>>>
> >>>>> Anyway I can prepare for it?
> >>>>>
> >>>>> ~LA
> >>>
> >>> Thanks! I am not just worried about the system performance, but possible
> >>> blacklisting as it may send flurry of mails to external domains.
> >>
> >> If you're really worried, you can parse the queue for large amounts of
> >> messages heading to the same external domain and release the associated
> >> QUEUE IDs slowly. Bit of a crude option, but one you might consider.
> >
> > I'm not sure that would be helpful. One of my IPs got throttled at Yahoo
> > for sending exactly two messages that looked spammy (but actually weren't).
> >
> > The OP will probably have to take his lumps and fix it later.
>
> Yahoo! is especially atrocious in this regard and considers almost any
> frequent sender as spammer unless the server is whitelisted. I only
> have anecdotal evidence to back that up, so I am sure some will
> disagree.
>
> The advice was disclaimed as "crude" for a reason. :-) It's no panacea,
> but it should help on the margin.
>
> --
> Sahil Tandon <[EMAIL PROTECTED]>

Well... I worked with yahoo in the past to whitelist an IP and they ask tons of information but literally they think were always right in blacklisting. I am planning to sign domain keys and dkim. I hope yahoo doesn't block me. thank you. ~LA
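Sahil Tandon's suggestion quoted above, parsing the queue for many messages heading to the same external domain and releasing the queue IDs slowly, could be implemented along these lines. This is an added example, not code from the thread: the queue listing is constructed, the function names are hypothetical, and it only computes the batches rather than running any Postfix command.

```python
import re
from collections import defaultdict

# Constructed sample of `postqueue -p` output (not data from the thread).
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0A1B2C3D4E     1820 Fri Nov  7 22:10:01  mailer@app.example.com
                                         alice@bigmail.example
                                         bob@other.example

1B2C3D4E5F*    1795 Fri Nov  7 22:10:02  mailer@app.example.com
                                         carol@bigmail.example

2C3D4E5F60     1803 Fri Nov  7 22:10:02  mailer@app.example.com
(connect to mx.bigmail.example[192.0.2.25]:25: Connection timed out)
                                         dave@bigmail.example

3D4E5F6071!    1777 Fri Nov  7 22:10:03  mailer@app.example.com
                                         erin@bigmail.example

-- 7 Kbytes in 4 Requests.
"""

# Queue ID, optional state flag (* active, ! on hold), size, arrival time, sender.
HEAD = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+\d+\s+\w{3} \w{3}\s+\d+ [\d:]+\s+(\S+)$")

def parse_mailq(text):
    """Return one dict per queued message: id, state, sender, recipients."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            state = {"*": "active", "!": "hold"}.get(m.group(2), "waiting")
            current = {"id": m.group(1), "state": state,
                       "sender": m.group(3), "recipients": []}
            entries.append(current)
        elif not line.strip():
            current = None                        # blank line ends a queue entry
        elif current and line[0].isspace() and "@" in line:
            if not line.strip().startswith("("):  # skip indented delay reasons
                current["recipients"].append(line.strip().lower())
    return entries

def ids_by_domain(entries):
    """Map recipient domain -> queue IDs of messages neither active nor on hold."""
    groups = defaultdict(list)
    for e in entries:
        if e["state"] == "waiting":
            for domain in sorted({r.rsplit("@", 1)[1] for r in e["recipients"]}):
                groups[domain].append(e["id"])
    return dict(groups)

def release_batches(groups, threshold, batch_size):
    """Batch the queue IDs of every domain with >= threshold waiting messages.
    Assumed workflow: `postsuper -h ID` holds them, `postsuper -H ID` releases
    one batch at a time; a held ID is held for all of its recipients."""
    return {d: [ids[i:i + batch_size] for i in range(0, len(ids), batch_size)]
            for d, ids in groups.items() if len(ids) >= threshold}
```

In practice the input would come from `postqueue -p`, and the pause between batches is a judgement call that depends on how the receiving domain throttles.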
Re: DKIMproxy Information.
On Mon, Nov 10, 2008 at 5:19 PM, Noel Jones <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>> Hi, Please excuse me if it is not relevant on this forum.
>>
>> I am planning to use domain keys and dkim for our domain just to send
>> mails outside.
>>
>> Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new
>> DKIM?
>>
>> thank you.
>>
>> ~LA
>
> dkimproxy supports both DKIM and DomainKeys.
> http://dkimproxy.sourceforge.net/
>
> --
> Noel Jones

While I read through this, I understand that to use domain keys, the client has to send mails through submission port 587. Does that sound right? Just to use domainkeys, all clients have to send mails to port 587 instead of port 25? Please clarify. Thank you ~LA
Re: DKIMproxy Information.
On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus <[EMAIL PROTECTED]> wrote:

> On 11/11/2008 4:49 PM, Charles Marcus wrote:
> >> Common administrative practices include submission on 587 for
> >> trusted clients only and should not be permitted on the internet.
> >> This port should be firewalled outside of your network.
>
> > Excuse me?!?!? That's ridiculous... in fact, just the OPPOSITE is
> > true.
>
> Well... correction...
>
> Port 587 is designed to provide smtp_auth services to trusted clients
> VIA an UNtrusted network (like the internet)...
>
> So, no WAY should it be firewalled - just limit it to sasl_auth based
> sessions - and hopefully you enforce strong password policies too...
>
> --
>
> Best regards,
>
> Charles

My reason for configuring domain keys is yahoo not filtering my mails as spam. I don't want to go back and change more than 1000 clients port from 25 to 587. So is there any way we can achieve domainkeys authentication on port 25?

Thanks, LA
Re: DKIMproxy Information.
On Wed, Nov 12, 2008 at 12:44 PM, mouss <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>> On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus <[EMAIL PROTECTED]> wrote:
>>
>>> On 11/11/2008 4:49 PM, Charles Marcus wrote:
>>>
>>>>> Common administrative practices include submission on 587 for
>>>>> trusted clients only and should not be permitted on the internet.
>>>>> This port should be firewalled outside of your network.
>>>>
>>>> Excuse me?!?!? That's ridiculous... in fact, just the OPPOSITE is
>>>> true.
>>>
>>> Well... correction...
>>>
>>> Port 587 is designed to provide smtp_auth services to trusted clients
>>> VIA an UNtrusted network (like the internet)...
>>>
>>> So, no WAY should it be firewalled - just limit it to sasl_auth based
>>> sessions - and hopefully you enforce strong password policies too...
>>>
>>> --
>>>
>>> Best regards,
>>>
>>> Charles
>>
>> My reason for configuring domain keys is yahoo not filtering my mails as
>> spam.
>
> because you think once you sign your mail they will deliver it to Inbox? :-)

I know they may or may not. As an admin, we are trying our best.

>> I don't want to go back and change more than 1000 clients port from 25
>> to 587.
>
> if they come from specific networks, you can use a NAT implementation to
> redirect them to port 587. otherwise, see below.
>
>> So is there any way we can achieve domainkeys authentication on port 25?
>
> smtpd_client_restrictions =
>     check_client_access pcre:/etc/postfix/filter_outbound
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access pcre:/etc/postfix/filter_inbound
>
> == filter_outbound
> # pass to "outbound" filter
> /./ FILTER scan:[127.0.0.1]:10586
>
> == filter_inbound
> # pass to "inbound" filter
> /./ FILTER scan:[127.0.0.1]:10024
>
> if you wonder what that does:
> - if mail comes from mynetworks or is sasl authenticated, then it is passed
>   to port 10586
> - otherwise, it is passed to port 10024
DISCORD from a user to noreply
Folks, I am trying to configure discord when supp...@company.com sends to noreply@ / no-reply@. The smtp recipient/header checks seems to parse line by line so I can discord to noreply, but how do add a condition. I looked if.. endif, but I am unsure how to get this done with from and to lines in one regex. any help would be appreciated.
Re: DISCORD from a user to noreply
Sorry.. yeah discard. though there are headers checks already on this system, I can do recipient check for this one. But is it possible to discard noreply email for just only one sender? I am clear on how to discard when everything sent to noreply@.*.

check_recipient_access inline:{{nore...@example.com = discard}}

On Thu, Feb 13, 2020 at 2:57 PM Wietse Venema wrote:

> Linux Addict:
> > Folks, I am trying to configure discord when supp...@company.com sends to
> > noreply@ / no-reply@.
>
> Did you mean "discard"?
>
> > The smtp recipient/header checks seems to parse line by line so I can
> > discord to noreply, but how do add a condition. I looked if.. endif, but I
> > am unsure how to get this done with from and to lines in one regex.
>
> Headers are not a good way to determine where email is being sent
> to. The recipient is part of the envelope. It is sent with the RCPT
> TO command.
>
> /etc/postfix/main.cf:
>     smtpd_recipient_restrictions =
>         ...
>         reject_unauth_destination
>         check_recipient_access inline:{{nore...@example.com = discard}}
>         ...
>
> Wietse
Re: DISCORD from a user to noreply
I have no reason to use DISCARD. I also don't want sender to receive anything back. Is reject silently an option?

/^From:.?(no|No)(reply|-reply)@.*/ REJECT:silently

On Thu, Feb 13, 2020 at 3:12 PM Viktor Dukhovni wrote:

> On Thu, Feb 13, 2020 at 03:06:37PM -0500, Linux Addict wrote:
>
> > Sorry.. yeah discard.
> >
> > But is it possible to discard noreply email for just
> > only one sender? I am clear on how to discard when everything sent to
> > noreply@.*.
>
> Nothing built into Postfix will discard just the one recipient
> in a multi-recipient mail based on the sender.
>
> In a single-recipient message (unsafe assumption), discarding
> the whole message is possible via restriction classes.
>
> Now it turns out that "recipient_restrictions" configured via:
>
>     smtpd_data_restrictions = ...
>
> only run on single-recipient messages, if the message had two or more
> recipients, the restriction is skipped. Thus it would be safe to
> use a sender-based rule that resolves to a restriction class that
> processes the recipient, and run that sender rule in the data
> restrictions, and be sure to discard just single-recipient mail.
>
> --
> Viktor.
Re: DISCORD from a user to noreply
Well.. I should have checked but assumed the action statements are similar whether it's transport or access.. obviously that does not seem to be the case.

"Mail is either accepted or rejected (the sender is told which)" - this is why I wished or made up silent with reject. I don't want sender to know about the rejects. I guess I am going to go with below which will silently drop the email and won't notify the sender.

check_recipient_access inline:{{nore...@example.com = discard}}

On Thu, Feb 13, 2020 at 3:43 PM Viktor Dukhovni wrote:

> On Thu, Feb 13, 2020 at 03:33:42PM -0500, Linux Addict wrote:
>
> > I have no reason to use DISCARD. I also dont want sender to receive
> > anything back. Is reject silently is an option?
> >
> > /^From:.?(no|No)(reply|-reply)@.*/ REJECT:silently
>
> First of all, as you've already been told, header checks are entirely
> the wrong tool for this. You need to use either access(5) restrictions
> or else rewriting to an address which is dropped on delivery.
>
> You're also randomly making up syntax. The "discard:silently" example
> was transport table example and only makes sense in that context.
>
> Lastly, and sadly, you may need better command of English to get help on
> this list. There's no such thing as a silent "REJECT", that's a
> contradiction. Mail is either accepted or rejected (the sender is
> told which), delivered or discarded (after the message is accepted).
>
> --
> Viktor.