CISCO breaks DKIM on their ASA/PIX (again)

2011-12-08 Thread Ralf Hildebrandt
Over the last few days I discussed SMTP delivery problems with a Czech site which was using Postfix and a CISCO ASA with smtp protocol fixup enabled. I was able to work around the delivery problems by stripping the DKIM headers on outgoing mails (as so often). Some interesting info got out:

Re: CISCO breaks DKIM on their ASA/PIX (again)

2011-12-08 Thread Rolf E. Sonneveld
Hi, Ralf, On 12/8/11 9:53 AM, Ralf Hildebrandt wrote: Over the last few days I discussed SMTP delivery problems with a Czech site which was using Postfix and a CISCO ASA with smtp protocol fixup enabled. I was able to work around the delivery problems by stripping the DKIM headers on outgoing

Re: CISCO breaks DKIM on their ASA/PIX (again)

2011-12-08 Thread Ralf Hildebrandt
* Rolf E. Sonneveld r.e.sonnev...@sonnection.nl: I was able to work around the delivery problems by stripping the DKIM headers on outgoing mails (as so often). Do you mean a Cisco ASA/PIX firewall with 'smtp protocol fixup' effectively blocks _any_ message carrying a DKIM-signature header?

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2011-12-07 17:20]: Yes it was. I point the attention to the RIGHT problem, which is fixing the suboptimal configuration that does domain queries from SQL. Hi, with all due respect, for me the important thing at the moment would be to understand why it

Re: CISCO breaks DKIM on their ASA/PIX (again)

2011-12-08 Thread Robert Schetterer
On 08.12.2011 09:53, Ralf Hildebrandt wrote: Over the last few days I discussed SMTP delivery problems with a Czech site which was using Postfix and a CISCO ASA with smtp protocol fixup enabled. I was able to work around the delivery problems by stripping the DKIM headers on outgoing

Stress Test Postfix

2011-12-08 Thread Peter Tselios
Hello, I have 2 postfix setups with openLDAP as back ends. I need to stress test my configuration. I tried with the smtp-source but I don't know if it is OK to test with 1 connection or more. How does postfix handle the connections with the smtp-source? Is it reliable? I mean, if I use 200

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Wietse Venema
Sebastian Wiesinger: I really would like to know if it is not possible to have a temporary error when trivial-rewrite fails to access the MySQL database. I don't see any apparent reason for it. If there is one I would like to know. You have the right to ask these questions. I recommend that

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Wietse Venema
Wietse Venema: Sebastian Wiesinger: I really would like to know if it is not possible to have a temporary error when trivial-rewrite fails to access the MySQL database. I don't see any apparent reason for it. If there is one I would like to know. You have the right to ask these

Virtual Aliasing for any user

2011-12-08 Thread James Day
Hello, First post to the list, I would really appreciate any help/advice. In my current setup I act as a Spam and Virus filter for several domains. Mail is then relayed to their local Exchange servers once it has been scanned. In the event that their Exchange server is down and they require

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2011-12-08 13:09]: Sebastian Wiesinger: I really would like to know if it is not possible to have a temporary error when trivial-rewrite fails to access the MySQL database. I don't see any apparent reason for it. If there is one I would like to know.

Re: postfix-pgsql on centos6

2011-12-08 Thread ml
On Thursday 08 December 2011 at 15:33 +1300, Peter wrote: On 08/12/11 15:28, Kwasi Gyasi - Agyei wrote: Thanks, where can I get src.rpm for v2.6.6, the highest version from here http://postfix.wl0.org/en/available-packages/ is 2.5. ...picking a CentOS mirror at random:

Re: SMTP hangs when MySQL is down

2011-12-08 Thread lst_hoe02
Quoting Sebastian Wiesinger postfix-us...@ml.karotte.org: * Wietse Venema wie...@porcupine.org [2011-12-08 13:09]: Sebastian Wiesinger: I really would like to know if it is not possible to have a temporary error when trivial-rewrite fails to access the MySQL database. I don't see any

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Reindl Harald
On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote: Help is always welcome, simply demanding how things could be better is useless. You have a bad attitude! Demanding how things could be better is useful everywhere, because it is a hint what can be improved; you need not always to be able making

Re: SMTP hangs when MySQL is down

2011-12-08 Thread lst_hoe02
Quoting Reindl Harald h.rei...@thelounge.net: On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote: Help is always welcome, simply demanding how things could be better is useless. You have a bad attitude! Demanding how things could be better is useful everywhere, because it is a hint what can be

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Reindl Harald
On 08.12.2011 15:15, lst_ho...@kwsoft.de wrote: Quoting Reindl Harald h.rei...@thelounge.net: On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote: Help is always welcome, simply demanding how things could be better is useless. You have a bad attitude! Demanding how things could be better is

Re: Switching to 587 submission

2011-12-08 Thread Grant
I don't see why local Squirrelmail won't send mail over 587, but remote Thunderbird will. Squirrelmail also won't send mail over port 25, but it will send mail over 465. Do you have a new-enough SquirrelMail? From the looks of it, the only version = 1.5.1 is the development snapshot. (Do

Re: Switching to 587 submission

2011-12-08 Thread Grant
You've probably got permit_mynetworks near the top of your smtpd_foo_restrictions, which are inherited by default. The -o The only smtpd_foo_restrictions I have in main.cf are: smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,

Re: postfix-pgsql on centos6

2011-12-08 Thread ml
On 08.12.2011 16:50, Kwasi Gyasi - Agyei wrote: The building of postfix with pgsql is proving to be rather complicated, I think it doesn't like my Kernel (echo # Do not edit -- this file documents how Postfix was built for your machine.; /bin/sh makedefs) makedefs.tmp ATTENTION: ATTENTION:

smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Peter L. Berghold
Hi folks, Hope this isn't too dumb a question, but here goes: Is there a best practice concerning the ordering of the directives to the right hand side of the = for smtpd_recipient_restrictions? The reason I'm asking is I added a set of lines for RBL reverse DNS and they don't seem to be

Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Matt Hayes
On 12/8/2011 2:04 PM, Peter L. Berghold wrote: Hi folks, Hope this isn't too dumb a question, but here goes: Is there a best practice concerning the ordering of the directives to the right hand side of the = for smtpd_recipient_restrictions? The reason I'm asking is I added a set of lines

Re: Switching to 587 submission

2011-12-08 Thread Michael Orlitzky
On 12/08/2011 11:24 AM, Grant wrote: You don't really need the permit_sasl_authenticated, since you shouldn't be trying to auth on port 25. It doesn't hurt, though. I just noticed that I can't send mail from Thunderbird unless I include permit_sasl_authenticated in the above

Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread /dev/rob0
On Thursday 08 December 2011 13:04:13 Peter L. Berghold wrote: Is there a best practice concerning the ordering of the directives to the right hand side of the = for smtpd_recipient_restrictions? Consider the relative costs of the restrictions. For example, a hash: table access(5) lookup

Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Peter L. Berghold
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, reject_unauth_destination, check_sender_access hash:/etc/postfix/access, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient,

RE: Switching to 587 submission

2011-12-08 Thread Gary Smith
So you should change 'client' to 'recipient' in master.cf before you remove the 'permit_sasl_authenticated' in main.cf. At that point, SquirrelMail (or anything else) won't be able to send mail unless it authenticates on port 587, sends to one of your domains on port 25, or is in

Re: Switching to 587 submission

2011-12-08 Thread Michael Orlitzky
On 12/08/2011 02:21 PM, Gary Smith wrote: Wouldn't it be smarter to just tell SquirrelMail to use port 587 and pass through authentication? This way if the server is compromised or has another exploit there isn't a simple internal email server to send all that spam from. This is exactly what

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 8:46 AM, Grant wrote: I don't see why local Squirrelmail won't send mail over 587, but remote Thunderbird will. Squirrelmail also won't send mail over port 25, but it will send mail over 465. Do you have a new-enough SquirrelMail? From the looks of it, the only version = 1.5.1

Re: Virtual Aliasing for any user

2011-12-08 Thread Noel Jones
On 12/8/2011 6:45 AM, James Day wrote: Hello, First post to the list, I would really appreciate any help/advice. In my current setup I act as a Spam and Virus filter for several domains. Mail is then relayed to their local Exchange servers once it has been scanned. In the event that

Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Duane Hill
On Thursday, December 08, 2011 at 19:17:44 UTC, pe...@berghold.net confabulated: smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, reject_unauth_destination, check_sender_access hash:/etc/postfix/access, permit_sasl_authenticated,

Re: Switching to 587 submission

2011-12-08 Thread Noel Jones
On 12/8/2011 1:28 PM, Michael Orlitzky wrote: On 12/08/2011 02:21 PM, Gary Smith wrote: Wouldn't it be smarter to just tell SquirrelMail to use port 587 and pass through authentication? This way if the server is compromised or has another exploit there isn't a simple internal email server to

Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Brian Evans - Postfix List
On 12/8/2011 2:17 PM, Peter L. Berghold wrote: smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, This restriction at this location will IGNORE all RBL lookups when mail is destined for your system. I suggest removing it as it is implied if

Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread /dev/rob0
Where did you find this list? There are major issues here. On Thursday 08 December 2011 13:17:44 Peter L. Berghold wrote: smtpd_recipient_restrictions = permit_mynetworks, fine ... permit_auth_destination, If the destination is served by this host, accept the mail.

Re: smtpd_recipient_restrictions -- Best Practices

2011-12-08 Thread Noel Jones
On 12/8/2011 1:17 PM, Peter L. Berghold wrote: smtpd_recipient_restrictions = permit_mynetworks, OK. permit_auth_destination, Permits all mail handled by your server. reject_unauth_destination, Rejects all mail not handled by your server. Nothing left after that... None

Re: Virtual Aliasing for any user

2011-12-08 Thread James Day
Thanks Noel. I'm forwarding the aliased mail to catch-all POP3 boxes to prevent backscatter. I don't have a valid recipient list for all these domains, hence the request for a wildcard type solution. I gather this function isn't built in so maybe, as you suggest, a script is the way to go.

Re: Virtual Aliasing for any user

2011-12-08 Thread Noel Jones
On 12/8/2011 2:13 PM, James Day wrote: Thanks Noel. I'm forwarding the aliased mail to catch-all POP3 boxes to prevent backscatter. I don't have a valid recipient list for all these domains, hence the request for a wildcard type solution. I gather this function isn't built in so maybe,

Re: Switching to 587 submission

2011-12-08 Thread /dev/rob0
On Thursday 08 December 2011 14:06:15 Grant wrote: Philip: 587 can be used encrypted or unencrypted, authenticated (preferably) or not... you could for instance just limit 587 connections from a particular subnet, etc. Why then won't Squirrelmail send mail on port 587 unencrypted with

Re: Switching to 587 submission

2011-12-08 Thread Grant
You don't really need the permit_sasl_authenticated, since you shouldn't be trying to auth on port 25. It doesn't hurt, though. I just noticed that I can't send mail from Thunderbird unless I include permit_sasl_authenticated in the above smtpd_recipient_restrictions block. I get relay

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 1:06 PM, Grant wrote: I don't think you're really getting the significance of port 587 vs. port 25. I think you're right. 587 can be used encrypted or unencrypted, authenticated (preferably) or not... you could for instance just limit 587 connections from a particular subnet,

Re: Switching to 587 submission

2011-12-08 Thread Michael Orlitzky
On 12/08/2011 03:24 PM, Grant wrote: So I should specify smtpd_client_restrictions or smtpd_recipient_restrictions, but not both? I think most people find it easier to put all of the restrictions under smtpd_recipient_restrictions, since you can just read them top-to-bottom with

Re: Switching to 587 submission

2011-12-08 Thread Grant
25 is used by your MTA to receive *incoming* messages from other administrative domains (organizations). Port 25 is never used to submit outbound messages? If not, I'm confused as to why Squirrelmail describes its SMTP Port setting this way: This is the port to connect to for SMTP.

Re: Stress Test Postfix

2011-12-08 Thread lst_hoe02
Quoting Peter Tselios s91...@yahoo.gr: Hello, I have 2 postfix setups with openLDAP as back ends. I need to stress test my configuration. I tried with the smtp-source but I don't know if it is OK to test with 1 connection or more. How does postfix handle the connections with the

Re: Switching to 587 submission

2011-12-08 Thread Reindl Harald
On 08.12.2011 21:49, Grant wrote: 25 is used by your MTA to receive *incoming* messages from other administrative domains (organizations). Port 25 is never used to submit outbound messages? If not, I'm confused as to why Squirrelmail describes its SMTP Port setting this way: This is

Re: Switching to 587 submission

2011-12-08 Thread Noel Jones
On 12/8/2011 2:49 PM, Grant wrote: Is it alright to send on port 25 from Squirrelmail when it's on the same machine as postfix? OK, but not optimal. Better to leave on 465 to separate the traffic. That way I can make 587 require TLS and authentication but not require that local

Re: Switching to 587 submission

2011-12-08 Thread Grant
So I should specify smtpd_client_restrictions or smtpd_recipient_restrictions, but not both? I think most people find it easier to put all of the restrictions under smtpd_recipient_restrictions, since you can just read them top-to-bottom with smtpd_delay_reject = yes (the default). But

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 1:49 PM, Grant wrote: 25 is used by your MTA to receive *incoming* messages from other administrative domains (organizations). Port 25 is never used to submit outbound messages? If not, I'm confused as to why Squirrelmail describes its SMTP Port setting this way: This is the

Re: Switching to 587 submission

2011-12-08 Thread Noel Jones
On 12/8/2011 5:29 PM, Grant wrote: I think I can't do that because I also need to connect to 587 from Thunderbird in remote locations. You're making this way too complicated. Either continue to happily use 465 as you always have, or make the changes to submission I suggested a few minutes ago.

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* lst_ho...@kwsoft.de lst_ho...@kwsoft.de [2011-12-08 14:46]: And I had hoped that perhaps this would be an improvement to postfix. Sadly it seems it was some kind of blasphemy to question the way postfix does handle this stuff. No, it means until now no one needs this so important to step

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Wietse Venema
Sebastian Wiesinger: * lst_ho...@kwsoft.de lst_ho...@kwsoft.de [2011-12-08 14:46]: And I had hoped that perhaps this would be an improvement to postfix. Sadly it seems it was some kind of blasphemy to question the way postfix does handle this stuff. No, it means until now no one needs

Re: SMTP hangs when MySQL is down

2011-12-08 Thread Sebastian Wiesinger
* Wietse Venema wie...@porcupine.org [2011-12-09 01:01]: And that is where I disagree. IMHO a mail system should respond with a temporary error if it is experiencing a temporary error (like a lookup table not being available), not simply hang there and do... nothing. We know that. What are

Re: Switching to 587 submission

2011-12-08 Thread Grant
I think I can't do that because I also need to connect to 587 from Thunderbird in remote locations. You're making this way too complicated. Either continue to happily use 465 as you always have, or make the changes to submission I suggested a few minutes ago. These changes still allow

Re: Switching to 587 submission

2011-12-08 Thread Reindl Harald
On 09.12.2011 01:11, Grant wrote: I think I can't do that because I also need to connect to 587 from Thunderbird in remote locations. You're making this way too complicated. Either continue to happily use 465 as you always have, or make the changes to submission I suggested a few

Re: Switching to 587 submission

2011-12-08 Thread Peter
On 09/12/11 13:11, Grant wrote: Got it. I misunderstood you before. May I ask why using 465 for Thunderbird and Squirrelmail would be better than 587 for Thunderbird and 25 for Squirrelmail talking to localhost? I'm quite sure that he never said to use 465 for Thunderbird. The reason you

Re: Switching to 587 submission

2011-12-08 Thread Noel Jones
On 12/8/2011 6:11 PM, Grant wrote: Got it. I misunderstood you before. May I ask why using 465 for Thunderbird and Squirrelmail would be better than 587 for Thunderbird and 25 for Squirrelmail talking to localhost? The good reason to not use port 25 for local user submissions is that it

memcache client for Postfix

2011-12-08 Thread Wietse Venema
This week I implemented a memcache client for Postfix in the hope that it would be useful to share postscreen(8) or verify(8) caches among multiple MTAs. The implementation is based on libmemcache. This was not too much work, given a few examples (libmemcache is under-documented). However,

Re: Switching to 587 submission

2011-12-08 Thread Grant
Got it. I misunderstood you before. May I ask why using 465 for Thunderbird and Squirrelmail would be better than 587 for Thunderbird and 25 for Squirrelmail talking to localhost? I'm quite sure that he never said to use 465 for Thunderbird. The reason you don't want to use port 25 for

Re: Switching to 587 submission

2011-12-08 Thread Michael Orlitzky
On 12/08/2011 05:18 PM, Grant wrote: I've boiled my config down to this. It is functional and I think it is secure and that it rejects any attempt to send messages from outside mynetworks unless authenticated. Am I correct? Please consider all other directives to be default. You're fine.

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 4:29 PM, Grant wrote: Is it alright to send on port 25 from Squirrelmail when it's on the same machine as postfix? That way I can make 587 require TLS and authentication but not require that local Squirrelmail encrypt or authenticate. No, I'd do exactly what I said we do here:

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 5:33 PM, Reindl Harald wrote: Got it. I misunderstood you before. May I ask why using 465 for Thunderbird and Squirrelmail would be better than 587 for Thunderbird and 25 for Squirrelmail talking to localhost? There is no "better"; configure a server as YOU need. Well, there

Re: Switching to 587 submission

2011-12-08 Thread Grant
Is it alright to send on port 25 from Squirrelmail when it's on the same machine as postfix? OK, but not optimal. Better to leave on 465 to separate the traffic. That way I can make 587 require TLS and authentication but not require that local Squirrelmail encrypt or authenticate. You