> CAUTION: EXTERNAL SENDER. Please use caution when opening links,
> attachments, or sending information. This email did not originate from
> internal staff. - IT Support
>
> On 24.06.22 22:50, Gary Smith wrote:
> > I have an smtpd process configured with this below. It works great
Looking for advice.
I have an smtpd process configured with this below. It works great when
injecting the messages from localhost but fails with '5.7.1 :
Recipient address rejected: Access denied' when I try it from a remote node
(this port is firewalled and only allowed for specific
-Original Message-
From: owner-postfix-us...@postfix.org On
Behalf Of Viktor Dukhovni
Sent: Wednesday, April 21, 2021 3:02 PM
To: Postfix users
Subject: Re: Certificate Postfix.org missing?
> On Apr 21, 2021, at 4:34 PM, Gary Smith wrote:
>
> Chrome shows it as "Not se
On Wed, Apr 21, 2021 at 10:08:37PM +0200, Jos Chrispijn wrote:
> > There is neither a service at port 443, nor a postfix.org website.
>
> You mean you don't authorize this site to use the Postfix name?
> Don't understand, too cryptic.
As stated there is no postfix.org website:
$ curl
> -Original Message-
> From: owner-postfix-us...@postfix.org
> On Behalf Of Wietse Venema
> Sent: Monday, April 8, 2019 1:18 PM
> To: Postfix users
> Subject: Re: How to retrieve queue_id after submission
>
> Gary Smith:
> > > Gary Smith:
> >
> Gary Smith:
> > Hi team,
> >
> > I may have asked this years ago, but I can't find it in my email.
> > I have a need to retrieve the queue_id of emails submitted at time of
> > submission when issuing submissions with the -G option. I can see
> > that t
com> 2>&1 | grep "send
attr queue_id"
postdrop: send attr queue_id = 874DA54C89
Gary Smith
Hi Everyone,
It's been a long time since something in postfix has stumped me. I am using
virtual alias rewrites to handle 50k incoming email addresses that expand to
1+n recipients. The recipients are the line managers and lower level people
that handle those accounts. The virtual alias
Restarting postfix, saslauthd and authdaemon seems to get it working again,
at least for a while.
Are you using pam_mysql by chance?
Am 03.01.2012 18:30, schrieb Stan Hoeppner:
To add to this sentiment, haven't most/all the viri/malware pushers
switched from an email delivery vector to drive-by downloads? I can't
recall the last time I saw a viral email attachment.
our barracuda saw 2929 in the last year
So you should change 'client' to 'recipient' in master.cf before you
remove the 'permit_sasl_authenticated' in main.cf.
At that point, SquirrelMail (or anything else) won't be able to send
mail unless it authenticates on port 587, sends to one of your domains
on port 25, or is in
To summarize, we think SMTP Auth is the simplest and most useful way to
allow people to send mail through our outbound mail system, and we are
hoping to get some feedback from the community regarding this
perspective.
Yes and No. for 99% of our client base, we use SMTP auth. We have a couple
Does anyone have a simple policy daemon written in Python they would be willing
to share? I was looking at policy but that's overkill and it might require some
tweaking just to support my tiny requirements.
Gary Smith
Sure.
https://launchpad.net/pypolicyd-spf
Scott K
Scott,
Thanks. Looks much simpler than the other ones that I have looked at. I really
need to have a single check for sasl_username and compare it against a set of
canned rules from stats in a memcached server, and either return DUNNO or
cool - this means i do not need any like in any postfix-mysql-config what is
faster because keys are used, nice to know, i wanted to get sure that there
nothing fails while making this setup a year ago
Depending on what character set you are using, it could be a problem but the
fix is simple,
Depending on what character set you are using, it could be a problem
but the fix is simple, UPPER(%s) or LOWER(%s) (based on how your data is
stored).
I agree to dumping LIKE for performance reasons
the tables are all UTF8, but there is no relevant non-ascii data i choosed
like
only
HOLD always take place last, and only accepted mail is put on
HOLD. Since this server is for user submission and all mail
is either authenticated or rejected, it doesn't matter too
much where you put the hold.
Good to know. I probably asked the same question years ago, but this helps.
Anyway, the question is, how does the community as a whole deal with
big ISP's losing email? It seems that some companies (like ATT) seem
to have less and less access to tools necessary for communicating with
them on things like this. Is there any known lists of contact/support
You must have permit_sasl_authenticated in
smtpd_recipient_restrictions to allow users to relay.
Typically on the outgoing only server, only
smtpd_recipient_restrictions is used and the other
smtpd_*_restrictions sections are empty.
Gotcha
The one that's repeated ;)
I have clients relaying email through a set of servers but I wanted to put a
hold in there based on specific circumstances (such as they are sending too
much data, so lets hold and inspect). I have a hash file
(/etc/postfix/maps/hold) that is dynamically updated from a central server. So
when
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Gary Smith
Sent: Thursday, February 10, 2011 8:34 PM
To: 'postfix-users@postfix.org'
Subject: hold after permit question
I have clients relaying email through a set
openssl can convert between various formats.
http://www.sslshopper.com/article-most-common-openssl-commands.html
http://security.ncsa.illinois.edu/research/grid-
howtos/usefulopenssl.html
http://shib.kuleuven.be/docs/ssl_commands.shtml
...
Mouss,
Thanks for the follow up. I know that
Oops, while the umask 077 is indeed required, this does produce a PEM
file with a usable key and certificate, provided the OpenSSL library
behind the pkcs12 command is not substantially newer than the one
Postfix
is linked with. If the command is from OpenSSL 1.0.0, it will generate
a
openssl s_client -showcerts -state -quiet -status -connect localhost:465
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
3075593864:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
It appears mycingular ( iphone ) ips are listed on spamhaus (
XBL and PBL ) for 8 days.
Yes, they should be listed.
Why should they? They have mail servers too. I just don't get this.
Randy,
Right now may be the time to rethink your question, as you stated your
customers, their
for them as well. I just want to make sure that there's little, if any,
problems for myself and my customers that use my services.
Any advice would be greatly appreciated.
Gary Smith
,
-will
Makes sense. I will keep a set of MX servers at the original COLO setup to
accept emails from my new range and forward outgoing email through them until
we verify the new one.
Gary Smith
you can try a lookup of these IPs in multiple RBLs, and lookup the
surrounding subnet (/24 for example) on:
http://www.senderbase.org/
you may want to keep the old servers for some time.
(from experience, I've found MS to cache reputation for a long long
time. That once forced me to
as the primary, so
it should be transparent. In fact for some of them they wont even notice the
outage. I'm just more worried about sites that I'll have to register the IP's
at. I guess I'll start doing that as soon as I get the IP's.
Gary Smith
My general advice WRT to VPS/colo/hosting outfits such as Softlayer,
Limestone, Sharktech, Hostnoc, Colocation America, Colo4, SingleHop,
Liquid Web, ServePath, GigeNet, WholeSale Internet, FDCservers,
CarolinaNet, Hurricane Electric, et al is to SMTP block their entire IP
space and then
The spam-assassin filter is still on testing period so some messages are
marked as SPAM only but are not blocked. Could that be the reason of
duplicated emails?
Possibly a problem with SA. If you remove it does the problem go away?
Also think about how spam assassin is configured. If you
Here are parts from my main.cf
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 10.78.0.0/16, 10.82.0.0/19, 127.0.0.0/32
relay_domains = $mydestination, $mydomain
relayhost = [192.168.10.2]
smtpd_sender_restrictions =
permit_sasl_authenticated
What about avoid the NOQUEUE error on the smtp server when policy
service is down? I mean, queue all mail until the policy server is UP
again. Is it possible?
That defeats the use of the policy server. The purpose of the policy server is
to help determine if it should be queued or rejected.
I've seen everything set up per the documents and all the online tests
showing that i'm not an open relay. I have no need for external
sendmail and I've used all the proper configs and all the suggestions
on the list, and I still get some guy with watches for sale who can
send mail anyway.
hello postfix network
are you there a official version of centos postfix most days can be
redhat
this actual version is
[r...@r13151 ~]# rpm -qa | grep postfix
postfix-pflogsumm-2.3.3-2.1.el5_2
postfix-2.3.3-2.1.el5_2
This version is outdated and is no longer supported
how to keep the
do you have any information on a future release redhat postfix
I'm going to compile my rpm
I have no more information than you. I just manage my own base packages and
update them when a new postfix release comes out.
I came across Policyd. It seems to follow similar Perl script for rate
limiting. Does that sound like a solution ?
If it fits your needs, then yes.
I am using Postfix as an MTA but I see nowadays lot of spam going out of my
system. I have used transport based throttling for a domain but I am looking
for options for per sender based rate limiting. Can I achieve per user based
throttling using postfix or I have to use some 3rd party
A while back I changed my aliases to use the mysql database. Well I
thought everything was fine until I had a change and realized the
postmaster address was not working. Okay no problem I'll just link a
postmaster address to the support account of my system. Well that is
great if I send a
Per the welcome message you received when you joined the list:
That would be like 5+ years ago. I've slept since then.
TO REPORT A PROBLEM see:
http://www.postfix.org/DEBUG_README.html#mail
At a minimum, postfix version, output of postconf -n and unedited
NON-verbose logs exhibiting
Wietse,
For some reason, random mails from you pop up in my inbox, instead of my
postfix list instead delivery on behalf of postfix-users@postfix.org like most
others. Just an FYI
If the NAT assumes that everything is a web client and drops
connections after a few seconds, then Postfix
Have you disabled window scaling on your Postfix server. Lost connections
are often the result of firewalls mangling advanced TCP features.
- Disable window scaling
- Disable ECN
I don't believe we have disabled any of the advanced features. That will give
me something to do
This strongly suggests that you have is a 10 second time limit
on the life time of NAT/VPS/whatever state.
Wietse
Makes complete sense. I will bounce it off the ipvsadm list. They don't tend
to respond much as of recent.
BTW, I did notice, while analyzing some of the logs, that a
May 13 04:09:23 host01 postfix/smtpd[10301]: lost connection after RCPT from
unknown[190.107.112.194]
Listed on SpamHaus XBL
Unless these listings postdate your log entries, you should probably
not allow these clients to get as far as DATA.
reject_rbl_client zen.spamhaus.org
Just make sure to close stdout and stderr, to avoid writing garbage
into the pipe between Postfix and the filter, used to collect filter
error messages.
With this level of complexity, you really should use the advanced (SMTP)
filter approach not pipe(8) based filters.
Viktor/Wietse,
I've been getting a lot of lost connection after DATA this last week. On
our low volume servers (that houses some minor clients) we are receiving
800/day. We switched over to ipvsadm about 3 weeks ago and I thought maybe it's
because of non-persistent connections. So I reset ipvsadm to be
That depends on how Postfix is configured.
Remember, Postfix passes the RCPT TO and MAIL FROM commands to the
filter as received. By default, Postfix allows non-standard forms
(such as your examples). If this is a problem then you will need
to configure strict_rfc821_envelopes =
The SMTP protocol is not a trade secret. The definition is publicly
available from the IETF website.
You make it hard to try to be lazy ;). I'll look into the RFC. In the
background I will probably just enforce the strict_rfc821_envelopes policy.
As covered, the pipe probably isn't what I want to do. Looking into the
advanced content filter, there seem to be two paths; execute a script as a process
from postfix (spawn) or setup a simple proxy independent of postfix. Either
one would probably work.
In either case, spawn or proxy, is it
Given the message below, if I fork a process inside a content filter (say in
python or perl), so I can return the message back to postfix faster (and end
the content pipe fast with a success exit code), will this have any impact on
postfix?
We have a custom content filter in place. During
If the filter reports success to Postfix before giving the FILTERED
message to the Postfix queue, then Postfix will remove the UNFILTERED
message from the queue too early, and you will lose mail when (not
if) the filter has a problem.
The filter re-injects the message back into the queue
Just make sure to close stdout and stderr, to avoid writing garbage
into the pipe between Postfix and the filter, used to collect filter
error messages.
With this level of complexity, you really should use the advanced (SMTP)
filter approach not pipe(8) based filters.
Victor,
To be
Also, if the process does not close/redirect stdout and stderr,
Postfix will still wait for program output, and you won't gain any
speedup from forking off into the background.
With this level of complexity, you really should use the advanced (SMTP)
filter approach not pipe(8) based
Just make sure to close stdout and stderr, to avoid writing garbage
into the pipe between Postfix and the filter, used to collect filter
error messages.
With this level of complexity, you really should use the advanced (SMTP)
filter approach not pipe(8) based filters.
Looking around
When it comes to envelope, specifically mail from: and rcpt
to:, my understanding is that these will never have comments in
them and be just plain email addresses j...@example.com,
bou...@jack@bou...@example.com, etc, but never jack j...@example.com
(or j...@example.com (i.e. the ).
I use a unique email address (alias) for every web(service)
registration. I would like to limit or even block spam sent to these
unique addresses. I glanced through the Postfix book but couldn't find
an answer.
I've done that as well. Sometimes I love it when I get emails from
I have a content filter in which I need the sasl_username. This works for most
of our outgoing email. The problem is sometimes locally generated email is
submitted without SASL (as they are in the mynetworks table). This leaves
sasl_username blank. So to get around this I have wrapped
... ${sasl_username:unknown} ${recipient}
ie. if $sasl_username is empty, substitute unknown
But nothing particularly wrong with what you're doing already.
That will work better for me since I won't have to parse out the sasl_username
from the [] if it's empty. I can just check for
Hi guys,
I still need to accept mail for the email addresses we host on our
machine from the net, so blocking port 25 or mynetworks as local host
would seem to prevent that. we still have users on the domain that
get mail to the address, except now we forward that mail to gmail
using the
I have a need to migrate some IP's from a static file to a hash file. These
are singleton IP's (hash CIDR's). My understanding is this is just a
verification table, so a long as it exists (i.e. returns any value) it's
considered allows if there is a match. Is this correct?
i.e. would this
I have a need to migrate some IP's from a static file to a hash file. These
are singleton IP's (hash CIDR's).
hash != cidr
It was meant to read singleton IP's (not CIDR's). I need to do a little more
proof reading before sending out these things.
i.e. would this be acceptable for this
I tried to make a CIDR file with most of the 3rd world in it, some
30,000 ips but for some reason it doesn't seem to have the effect I
was hoping for.
Any ideas would be helpful, thanks. David
Add amavisd to your postfix.
If they are relaying messages through their server, how is
We don't have any legitimate users sending mail aside from scripts on
the server (linux), only mail from localhost, anyone with an email
address is listed in the virtual file and has their email forwarded to
a gmail and uses gmail's MTA to send mail.
Since we have all the email addresses
Lately I have found that my outgoing queues are getting a little clogged for
yahoo and sbcglobal.net. This usually coincides with a bulk set of news
letters sent out from a couple clients. Typically we are seeing that they
dump about 2000msg/per batch, with no more than one batch per week
rate_limit_transport:
aol.com ratelimit:
yahoo.com ratelimit:
sbcglobal.net ratelimit:
gmail.com ratelimit:
This looks reasonable to me; no more than 3 connections should
be made at a time to any
Do you realize the entries you just posted are misspelled domains? They
are not sbcglobal.net, comcast.net, or earthlink.net.
-Mike
Mike, um, belay my last... My eyes are tired from clearing out queue's.
Yes, those are wrong, looks like they have some typos, but they queues that
were
This DOES NOT limit your delivery RATE!!
This limits only the delivery CONCURRENCY.
To limit the delivery RATE, see
http://www.postfix.org/postconf.5.html#transport_destination_rate_delay.
Looking into it now. Thanks for the pointer Wietse. If I'm running multiple
outgoing relays,
This DOES NOT limit your delivery RATE!!
This limits only the delivery CONCURRENCY.
To limit the delivery RATE, see
http://www.postfix.org/postconf.5.html#transport_destination_rate_delay.
...
If that still doesn't help, then implement the rate delay as
explained in the link Wietse
We have a custom content filter in place. During the execution of this filter
we create a set of files, per message, for the purpose of being processed
after the filter is finished. The goal in that was to get the mail back into
postfix ASAP.
In the background we have a cronjob that goes
I'm working on load balancing some sqlgrey servers using ipvsadm (none of the
other bells and whistles, just the director itself). Anyway, at first glimpse
things look like they are running well until I find that I have a lot of
connections in ESTABLISHED mode running on the sqlgrey real
I'm working on load balancing some sqlgrey servers using ipvsadm (none of the
other bells and whistles, just the director itself). Anyway, at first glimpse
things look like they are running well until I find that I have a lot of
connections in ESTABLISHED mode running on the sqlgrey real
Is there some reason the Message-ID won't work as a unique
identifier?
It's about compliance tracking and tagging for specific things.
You can use a policy server to insert a header based on
envelope information.
http://www.postfix.org/SMTPD_POLICY_README.html
If your header must be
No, there must be a result with the address, but postfix
doesn't use that result. The file will look like:
u...@example.com anything
us...@example.com anything
us...@example.com anything
anything can be any text, such as an administrative comment.
That's what I thought. I've
We use a filter to break out and run our spamassassin and other checks. In bash
shell that process, we have a need to insert a custom unique header per email
for compliance. Is there a simple way of doing this without having to go into
any special mime processing of the message?
Gary Smith
Currently we are using mysql plugin for this and are switching over to static
files (or files generated on a schedule from the database). Anyway, looking at
the docs, it says that the entry need only be found in the file to be
accepted, otherwise it will be rejected.
Postfix needs to know
The script just does:
* Copy in new relay_recipients file
* postmap relay_recipients
* postfix reload
Is there a better way to do this? Should I stop postfix completely during
this time? Will putting the queue on hold avoid this problem, or do I need
to stop Postfix completely from
Our Q2 patch cycle is coming up and I was going to upgrade 2.6.5 - 2.6.6 on
the servers but then thought maybe 2.6.5 - 2.7.0 might be in order. I have
everything ready to go either way (download and created RPM's for both 2.6.6
and 2.7.0).
Is there any consideration that needs to be made in
Everything you need to know is the RELEASE_NOTES.
Read them already... I just wanted to do a double check first.
Thanks,
Gary-
There may be several legitimate reasons to stick with an older version
for some time, but if it's all the same to you, then using the latest
stable release is always the best default choice.
For products like postfix (in terms of how they manage their product), I have
high confidence when
I am running CentOS 5.4 and the latest version of Postfix it has on the
repository is version 2.3.3. After looking at the Postfix site I found out
that that version is no longer updated.
Kaleb,
RedHat tends to backport security patches even for older products, when they
can. I personally
http://roundcube.net/
+1
If you're going to offer webmail, you may as well offer IMAP folders instead
of
POP. JMHO.
I think it depends upon the requirements. For very simple mail and setup, +1
roundcube. I have been using horde for some time for my clients (as they use
more of
Dhiraj,
First off, if Wietse said how to do it then it’s the right way. The question I
have is how many emails are you sending to these two organizations? Can you
quantify “a good number”?
Gary Smith
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf
OK, now more. Apparently there is a problem with one of my users who
is constantly being spammed by a specific remote sender. The remote
senders email is always the same and somehow gets bounced for days in
between my postfix server and my exchange bridgehead. What can I do to
just
what I was smoking when I used a common file for that.
Gary Smith
this for postmaster/abuse on all hosted domains. Is there a
simple way to do this using an access policy or something? i.e. accept all
email for ab...@* and postmas...@* (and whatever other accounts we do want to
bypass as well)?
Gary Smith
/etc/postfix/main.cf
smtpd_recipient_restrictions =
...
reject_unauth_destination
check_recipient_access hash:/etc/postfix/recipient_whitelist
...greylisting here...
And put address OK in the whitelist.
I'll give that a try. I think the problem that I
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
us...@postfix.org] On Behalf Of Bob Cohen
Sent: Wednesday, October 14, 2009 1:26 PM
To: users Postfix
Subject: Emptying SPAM account
I have set up SpamAssassin with an account to collect rejected
I recall some months ago seeing a large discussion on someone taking
their time and dedication on creating a pre-packaged RPM of 2.6.X. I
was wondering if anyone has the latest RPM that I can download for my
new RHEL 5 server. I am looking to use 2.6.5 from a packaged RPM
however Redhat /
I have a list of IP/domain combinations that I want to reject. This list is
built from spamassassin AWL. I don't necessarily want to block the entire
domain if I don't have to, just domain IP combinations. So, running creative
queries against AWL, I get a list of domain/IP's.
Is there a way
I have a list of IP/domain combinations that I want to reject. This
list is built from spamassassin AWL. I don't necessarily want to block
the entire domain if I don't have to, just domain IP combinations. So,
running creative queries against AWL, I get a list of domain/IP's.
Is there a
A client uses hash files for transport and access on a couple relays. When I
need to make a change to one of these files I typically just edit it and then
do a postmap whatever. On one of the machines it doesn't seem to pickup the
change until I restart postfix (it's an older machine with an
posting. OWA doesn't have a good way to do it.
From: Noel Jones [njo...@megan.vbhcs.org]
Sent: Friday, July 31, 2009 10:46 AM
To: Gary Smith; postfix-users@postfix.org
Subject: Re: Hash file oddity
Gary Smith wrote:
A client uses hash files for transport
From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On
Behalf Of Evan Platt [e...@espphotography.com]
Sent: Friday, July 31, 2009 11:55 AM
To: postfix-users@postfix.org
Subject: RE: Hash file oddity
At 11:50 AM 7/31/2009, you wrote:
Stuff is AFU after server migration. Email can be delivered to accounts that
existing on domain1.com prior to the migration. I created a new domain,
domain2, and issued the standard cm user/g...@domain2.com.
I verified that the domain exist in both the mydestinations and virtual_users
sql
...@postfix.org [mailto:owner-postfix-
us...@postfix.org] On Behalf Of Gary Smith
Sent: Thursday, July 30, 2009 6:14 PM
To: postfix-users@postfix.org
Subject: lmtp delivery rewriting issue.
Stuff is AFU after server migration. Email can be delivered to
accounts that existing on domain1.com prior
Steve,
I know it's already been mentioned, but greylist. That has cut down our spam
90%+. Restricting your email to hours when your office is open means that legit
email gets backed on the senders servers queues. If you really don't think
you need the email during that period of time, do
Steve,
That's not what the users will receive though. They will, probably after 4
hours receive a nicely formatted message from their local MTA that says
something like
Message to j...@domain.tld has been delayed. We will retry this message
again in X hours...
And remember, anything
:52 PM
To: postfix users list
Subject: Re: Catchall not working
Gary Smith wrote:
Noel,
I created a file /etc/postfix/custom/mydestination and put my entry in there
(hash) and added the following lines to /etc/postfix/main.cf
(only changes made to a stock 2.5.5 config)
mydestination
] On
Behalf Of Noel Jones [njo...@megan.vbhcs.org]
Sent: Thursday, June 11, 2009 12:52 PM
To: postfix users list
Subject: Re: Catchall not working
Gary Smith wrote:
Noel,
I created a file /etc/postfix/custom/mydestination and put my entry in there
(hash) and added the following lines to /etc/postfix
shooting from the hip I would say stop listening on the network connection and
only listen to localhost
In the /etc/postfix/master.cf file change the line smtp... to 127.0.0.1:smtp
... thus forcing it to listen to localhost only.
From: