Re: Problem with sending email to multiple recipients

2009-02-15 Thread sim085



mouss-4 wrote:
 
 sim085 wrote:
 hi mouss,
 
 
 Please don't top post. put your replies after the text you reply to.
 
 Thank you very much for your answer. I did have a feeling the problem was
 with the catch-all-email setting and was wondering if anyone uses this
 setting with mail servers!
 
 
 times ago, people used this setup to pay less. but the prices have
 dropped since then, at least in countries I know of.
 
 The problem is that I can not understand how to configure fetchmail
 without
 having this setting on (I can turn it off if I want). Without this
 setting I
 would have to edit fetchmail config files each time I add a new user
 since I
 would have to tell fetchmail from where to retrieve the mail of that
 user,
 even though their mailbox would be with the same ISP. 
 
 
 you do create users on your postfix, right? simply write a script to do
 this and update fetchmail config file at the same time.
 
 Should my ISP allow me other options? 
 
 if your ISP is offering you multiple mailboxes, do not use a catch-all.
 if they are only offering you one mailbox, then that's a problem.
 
 What is the best way to get emails on
 my mail server when not using catch-all-emails setting?
 
 
 according to
   http://catb.org/~esr/fetchmail/fetchmail-FAQ.html#M8
 there doesn't seem to be a solution to this in fetchmail itself.
 
 you can use maildrop to eliminate duplicates.  read
   http://www.courier-mta.org/maildrop/maildropex.html
 (look for Check if the Message-ID: ...)
 
 if your ISP stores the envelope recipient in a header (Delivered-To or
 other), it may be possible to write a script to get this. but care is
 needed.
 
 

Sorry, yesterday I hadn't seen the last part of your message where you
suggested me to look into mail drop. I will definitely do that immediately
and see if it can solve the problem I am having.

Also thank you very much for your help. It is really appreciated.

Regards,
Sim085



Re: Question about smptd_sender_logins_map and allow to use

2009-02-15 Thread Ali Nebi
Hi, thanks for the reply.

Sorry i didn't understand what you meant here:

  restrictions:
  
  smtpd_sender_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access hash:/etc/postfix/access,
 
 if this map contains an OK, then you are an open relay.
 
 better move these checks to smtpd_sender_restrictions.
 
 

in /etc/postfix/access_client we have few ips that we permit with OK.
Yes, probably restriction classes will do the job that i want.
smtp_sender_logins_map is set to ldap-query file. So it contains all our
users. This is why i...@domain2.com is in the list. I'm reading now
about the classes.


 if an IP can send spam, why whitelist it? if you need to (customers,
 ...), use a dedicated port (or IP) and have a specific configuration.
 otherwise, your config would quickly become too complicated. with a
 dedicated (ip, port), you can use a specific content filter, you can
 rate limit, ... etc.

Who knows what users are behind this server. If they have an infected PC
then, it is possible to send spam to me :)

On Sat, 2009-02-14 at 07:05 -0500, Digest of postfix-users list wrote:
 Date: Fri, 13 Feb 2009 21:32:00 +0100
 From: mouss mo...@ml.netoyen.net
 Subject: Re: Question about smptd_sender_logins_map and allow to use
 only for   several domains?
 
 an...@iguanait.com wrote:
  Hi,
  
  i have a question about using smtpd_sender_logins_map,
  reject_sender_login_mismatch and check_client_access.
  
  I set smtpd_sender_logins_map and set these rules in sender
  restrictions:
  
  smtpd_sender_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access hash:/etc/postfix/access,
 
 if this map contains an OK, then you are an open relay.
 
 better move these checks to smtpd_sender_restrictions.
 
  check_client_access cidr:/etc/postfix/access_client,
  reject_sender_login_mismatch,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  permit
  
  
  The file /etc/postfix/access_client contains the ip addresses that i
  permit to pass reject_sender_login_mismatch rule.
  
  But i have a question about this.
  
  In this case these ips can use my email address to send messages to
 me.
  I don't want this to be possible. I want to permit the ips, but also
 I
  want them to be allowed to send mail only if they do so from a
 specific
  domain, for example @igdomain.com. So, I need to filter mail sending
 not
  only by IPs, but by domain name at the same time - even if an IP is
  permitted in /etc/postfix/access_client, it still should not be able
 to
  send mail if the sender domain is different from @igdomain.com.
  
 
 
 if the domain depends on the IP, you need a policy server. if not, use
 restriction classes as Noel suggested.
 
  This is an example:
  
  Lets say that we have permitted this IP in access_client
 198.236.125.7
  and i have 2 domains that i manage emails for:
  domain1.com
  domain2.com
  
  Lets say that we have 2 email addresses, one per domain.
  an...@domain1.com
  i...@domain2.com
  
  The current situation with only permitted ip address is this:
  
  This ip connects to my mail server and send to an...@domain1.com or
  i...@domain2.com, message from i...@domain2.com and/or
 an...@domain1.com
  without requiring authentication.
  
  It can use both e-mail addresses in MAIL FROM  and it can send spam.
  
 
 if an IP can send spam, why whitelist it? if you need to (customers,
 ...), use a dedicated port (or IP) and have a specific configuration.
 otherwise, your config would quickly become too complicated. with a
 dedicated (ip, port), you can use a specific content filter, you can
 rate limit, ... etc.
 
  I want to achieve the following:
  
  I permit this ip in access_client file and it connects.
  And we have 2 conditions:
  
  1. If it try to send email to an...@domain1.com or i...@domain2.com
  using an...@domain1.com in MAIL FROM field, than it must be
 rejected,
  because it is not authenticated and i don't want this ip to use my
 email
  address to send message to me or someone else in my system.
  
  2. If it try to send email to an...@domain1.com, or i...@domain2.com
  using i...@domain2.com in MAIL FROM field, then this should be
 allowed
  (permitted) and in this situation it should pass
  reject_sender_login_mismatch rule and send message successfully.
  
 
 what is the purpose of putting i...@domain2.com in
 smtpd_sender_logins_map?
 
  
  I suppose it is almost clear :)
  
  Is it possible this to be realize and how?
  
  
  Thanks in advance!
  
  
 



Re: Question about smptd_sender_logins_map and allow to use

2009-02-15 Thread mouss
Ali Nebi wrote:
 Hi, thanks for the reply.
 
 Sorry i didn't understand what you meant here:
 
 restrictions:

 smtpd_sender_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 check_sender_access hash:/etc/postfix/access,
 if this map contains an OK, then you are an open relay.


I meant that if you have a line like

mydomain.example    OK

in /etc/postfix/access, then anyone gets free relay by forging an
address in this domain.

In short, avoid putting check_sender_access in
smtpd_recipient_restrictions before reject_unauth_destination.

 better move these checks to smtpd_sender_restrictions.


 
 in /etc/postfix/access_client we have few ips that we permit with OK.

my remark applies to maps used in check_sender_access, because a sender
address is easily forged.

 Yes, probably restriction classes will do the job that i want.
 smtp_sender_logins_map is set to ldap-query file. So it contains all our
 users. This is why i...@domain2.com is in the list. I'm reading now
 about the classes.
 
 
 if an IP can send spam, why whitelist it? if you need to (customers,
 ...), use a dedicated port (or IP) and have a specific configuration.
 otherwise, your config would quickly become too complicated. with a
 dedicated (ip, port), you can use a specific content filter, you can
 rate limit, ... etc.
 
 Who knows what users are behind this server. If they have an infected PC
 then, it is possible to send spam to me :)
 




Re: Question about smptd_sender_logins_map and allow to use

2009-02-15 Thread Ali Nebi
I think i got it.

On Sun, 2009-02-15 at 07:28 -0500, Digest of postfix-users list wrote:
 I meant that if you have a line like
 
 mydomain.example    OK
 
 in /etc/postfix/access, then anyone gets free relay by forging an
 address in this domain.
 
 In short, avoid putting check_sender_access in
 smtpd_recipient_restrictions before reject_unauth_destination.
 
  better move these checks to smtpd_sender_restrictions.
 
 
  
  in /etc/postfix/access_client we have few ips that we permit with
 OK.
 
 my remark applies to maps used in check_sender_access, because a
 sender
 address is easily forged.

I have these rules for now:

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
#   reject_unknown_client,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client cbl.abuseat.org,
#   reject_rbl_client list.dsbl.org,
#   reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/access_helo,
    reject_invalid_hostname,
#   reject_unknown_hostname,
#   reject_non_fqdn_hostname,
    reject_unauth_pipelining,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    check_client_access cidr:/etc/postfix/access_client,
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/access,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    permit

/etc/postfix/access is empty. I have not set there any ips/domains to
OK.

i have set these ips only to /etc/postfix/access_client.

so, you suggest to change it this way:

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
#   reject_unknown_client,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client cbl.abuseat.org,
#   reject_rbl_client list.dsbl.org,
#   reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/access_helo,
    reject_invalid_hostname,
#   reject_unknown_hostname,
#   reject_non_fqdn_hostname,
    reject_unauth_pipelining,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    check_client_access cidr:/etc/postfix/access_client,
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/access,
    check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    permit

?



Re: Question about smptd_sender_logins_map and allow to use

2009-02-15 Thread mouss
Ali Nebi wrote:
 [snip]
 
 smtpd_client_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 check_client_access hash:/etc/postfix/access,

you are sharing this map (for client, sender, and recipient). better
use dedicated maps (access_client, access_sender, access_recipient).

 reject_unauth_pipelining,
 #   reject_unknown_client,
 reject_rbl_client sbl-xbl.spamhaus.org,

consider using zen.spamhaus.org instead (this

 reject_rbl_client rbl-plus.mail-abuse.org,

I wouldn't use this one. not only because it's commercial...

 reject_rbl_client cbl.abuseat.org,

cbl prefer that you query spamhaus instead.

 [snip]
 
 smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 check_recipient_access hash:/etc/postfix/access,
   check_sender_access hash:/etc/postfix/access,

it is still here (up). and this is before reject_unauth_destination.

 reject_unauth_destination,
 reject_unknown_recipient_domain,
 reject_non_fqdn_recipient,

at this point, the recipient is in _your_ domain (because
reject_unauth_destination has already rejected all other domains). so
this check is useless.

 reject_unauth_pipelining,

this too is useless here. put it under smtpd_data_restrictions.

 permit
 
 ?
 

consider starting from the version below and

smtpd_helo_required = yes
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =


smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_sender_login_mismatch
    reject_invalid_hostname
    reject_non_fqdn_hostname
    check_recipient_access hash:/etc/postfix/access_recipient
    check_client_access cidr:/etc/postfix/access_client
    check_helo_access hash:/etc/postfix/access_helo
    check_sender_access hash:/etc/postfix/access_sender
    reject_unknown_sender_domain
    reject_rbl_client zen.spamhaus.org,


smtpd_data_restrictions =
    reject_unauth_pipelining

PS. note the access_sender and access_recipient maps.

(I wonder why your Evolution posts to my From: address instead of the
Reply-To: address. did you do anything special or is this the default
behaviour of Evolution, in which case, it would be a bug).


Re: SMTP relay only

2009-02-15 Thread mouss
Rocco Scappatura wrote:
 Hello,
 
 I need to setup a mail server for outgoing email only. I clearly would
 like to restrict access to my networks only.
 
 Moreover, I would like to permit only to some envelope senders to relay
 email through a such MTA. And no other envelope sender should be able to
 relay through this MTA.
 
 So the restriction classes are made so:
 
 smtpd_client_restrictions =
 check_client_access
 proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf -- this
 let me disable some content checking through filter (Amavisd-new). No
 matter.
 
 
 smtpd_helo_restrictions =
 smtpd_sender_restrictions =
 
 smtpd_recipient_restrictions =
 check_client_access
 proxy:mysql:/etc/postfix/mysql-check-client-access.cf 
 check_sender_access
 proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
 reject
 

If I understand you, you want something like:

- if IP is in a list of allowed IPs, _and_ if sender is in a list of
allowed sender, permit
- anything else is rejected

right?

what you did above is
- if IP  _OR_ ...

which is not the same thing. (I am assuming your maps return OK).

you want

smtpd_sender_restrictions =
 check_sender_access
   proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
 reject

smtpd_recipient_restrictions =
 check_client_access
   proxy:mysql:/etc/postfix/mysql-check-client-access.cf
 reject

This is also safer (if check_sender_access accidentally returns an OK,
you don't become an open relay).


 Please note that I use check_client_access restriction together with:
 
 mynetworks = /etc/postfix/relay
 
 to limit access to SMTP relay server per IP.
 

I don't understand this part. I see no permit_mynetworks in the snippet
you posted.


 [snip]
 This configuration doesn't work. What is conceptually wrong in my
 config?
 
 Finally I would like to deny message delivery to my mail server.. It
 should suffice to unset relay_domains or it is too restrictive doing
 so?
 

to disable local delivery, check the FIREWALL README.

In addition, if you don't have relay domains, then set
relay_domains =
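
Added example (not part of the original thread, and not Postfix code): a small Python model of how smtpd restriction lists are evaluated. It covers both the earlier reply about check_sender_access placed before reject_unauth_destination and the OR-versus-AND point in the reply above. Map names, addresses and IPs are constructed, and sender lookups are simplified to full address, then domain.

```python
# Added example: toy model of Postfix smtpd restriction-list evaluation.
# Not Postfix code; map names, addresses and IPs below are constructed.
LOCAL_DOMAINS = {"mydomain.example"}   # domains this server is the destination for
STAGES = ("client", "helo", "sender", "recipient")

def run_list(restrictions, msg, maps):
    """Evaluate one smtpd_*_restrictions list; the first OK or REJECT decides it."""
    for item in restrictions:
        name, _, table = item.partition(" ")
        if name == "permit":
            return "OK"
        if name == "reject":
            return "REJECT"
        if name == "reject_unauth_destination":
            if msg["rcpt"].split("@")[1] not in LOCAL_DOMAINS:
                return "REJECT"
            continue
        if name == "check_client_access":
            keys = [msg["client"]]
        elif name == "check_sender_access":
            # simplified lookup order: full address, then domain
            keys = [msg["sender"], msg["sender"].split("@")[1]]
        else:
            raise ValueError("restriction not modelled: " + name)
        for key in keys:
            action = maps[table].get(key)
            if action in ("OK", "REJECT"):
                return action
    return "OK"  # end of list without a decision means permit

def accepted(config, msg, maps):
    """A recipient is accepted only if no list rejects (AND across lists)."""
    return all(run_list(config.get(s, []), msg, maps) == "OK" for s in STAGES)

MAPS = {
    "access": {"mydomain.example": "OK"},        # the risky sender map entry
    "clients": {"192.0.2.10": "OK"},             # allowed relay client
    "senders": {"app@mydomain.example": "OK"},   # allowed envelope sender
}

# 1. check_sender_access before reject_unauth_destination, and after it
SENDER_CHECK_FIRST = {"recipient": ["check_sender_access access",
                                    "reject_unauth_destination"]}
DESTINATION_CHECK_FIRST = {"recipient": ["reject_unauth_destination",
                                         "check_sender_access access"]}
FORGED = {"client": "203.0.113.9", "sender": "boss@mydomain.example",
          "rcpt": "user@elsewhere.example"}

# 2. both checks in one list (OR) versus one check per list (AND)
ONE_LIST = {"recipient": ["check_client_access clients",
                          "check_sender_access senders", "reject"]}
SPLIT_LISTS = {"sender": ["check_sender_access senders", "reject"],
               "recipient": ["check_client_access clients", "reject"]}

def relay_matrix(config):
    """Outcome for each (allowed client?, allowed sender?) combination."""
    out = {}
    for client_ok, ip in ((True, "192.0.2.10"), (False, "203.0.113.9")):
        for sender_ok, addr in ((True, "app@mydomain.example"),
                                (False, "other@mydomain.example")):
            msg = {"client": ip, "sender": addr, "rcpt": "user@elsewhere.example"}
            out[(client_ok, sender_ok)] = accepted(config, msg, MAPS)
    return out

if __name__ == "__main__":
    print("sender check first:", accepted(SENDER_CHECK_FIRST, FORGED, MAPS))
    print("destination first :", accepted(DESTINATION_CHECK_FIRST, FORGED, MAPS))
    print("one list   :", relay_matrix(ONE_LIST))
    print("split lists:", relay_matrix(SPLIT_LISTS))
```

With the sender map consulted first, the forged sender is relayed to an outside recipient; with the lists split, only the combination of allowed client and allowed sender is accepted.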





Re: SMTP relay only

2009-02-15 Thread Victor Duchovni
On Sun, Feb 15, 2009 at 03:20:55PM +0100, mouss wrote:

  Finally I would like to deny message delivery to my mail server.. It
  should suffice to unset relay_domains or it is too restrictive doing
  so?
  
 
 to disable local delivery, check the FIREWALL README.

I think this means:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.


If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: SMTP relay only

2009-02-15 Thread Rocco Scappatura



 Rocco Scappatura wrote:
 Hello,

 I need to setup a mail server for outgoing email only. I clearly would
 like to restrict access to my networks only.

 Moreover, I would like to permit only to some envelope senders to relay
 email through a such MTA. And no other envelope sender should be able to
 relay through this MTA.

 So the restriction classes are made so:

 smtpd_client_restrictions =
 check_client_access
 proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf -- this
 let me disable some content checking through filter (Amavisd-new). No
 matter.


 smtpd_helo_restrictions =
 smtpd_sender_restrictions =

 smtpd_recipient_restrictions =
 check_client_access
 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
 check_sender_access
 proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
 reject


 If I understand you, you want something like:

 - if IP is in a list of allowed IPs, _and_ if sender is in a list of
 allowed sender, permit
 - anything else is rejected

 right?

yes, exactly.

 what you did above is
 - if IP  _OR_ ...

 which is not the same thing. (I am assuming your maps return OK).

 you want

 smtpd_sender_restrictions =
  check_sender_access
   proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
  reject

 smtpd_recipient_restrictions =
  check_client_access
   proxy:mysql:/etc/postfix/mysql-check-client-access.cf
  reject

 This is also safer (if check_sender_access accidentally returns an OK,
 you don't become an open relay).

Now I have understood quite all. I've tried new config and works pretty well!

 Please note that I use check_client_access restriction together with:

 mynetworks = /etc/postfix/relay

 to limit access to SMTP relay server per IP.


 I don't understand this part. I see no permit_mynetworks in the snippet
 you posted.


In fact, I haven't reported it.. I just forgot! :-(

smtpd_recipient_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    reject

This should be ok!


 [snip]
 This configuration doesn't work. What is conceptually wrong in my
 config?

 Finally I would like to deny message delivery to my mail server.. It
 should suffice to unset relay_domains or it is too restrictive doing
 so?


 to disable local delivery, check the FIREWALL README.

:-)

 In addition, if you don't have relay domains, then set
 relay_domains =

Indeed, I don't want to do so for delivery efficiency rights! In fact if I
set:

relay_domains =

every message destined to my domain goes on another my mail server  that
accept email for that domain, and the is delivered to the post office.
While, actually now the email for one of my domain is delivered quickly to
the postoffice specified as transport for that domain.

Maybe the best solution is to deny incoming (from outside of my network)
connection on  port 25..

thanks,

rocsca




Re: SMTP relay only

2009-02-15 Thread Rocco Scappatura
Victor,

  Finally I would like to deny message delivery to my mail server.. It
  should suffice to unset relay_domains or it is too restrictive doing
  so?
 

 to disable local delivery, check the FIREWALL README.

 I think this means:

 http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

I have just finished  to explain better what I would like to implement in
another post.. The link above doesn't seems that is worth for my
purpose..

Thanks as well,

rocsca




Re: Reverse DNS not working - yet SPF works, its just RDNS.

2009-02-15 Thread Sahil Tandon
On Mon, 16 Feb 2009, David Cottle wrote:

 I see a lot of unknown on RDNS lookups, yet SPF works, so DNS is
 looking up, its just RDNS comes up unknown

Not a Postfix issue.

-- 
Sahil Tandon sa...@tandon.net