Re: .forward files
On 2011-08-23 07:53, Selcuk Yazar wrote:

> Hi
>
> We have installed and run Postfix+OpenLDAP+SASL cyrus + DoveCot + SquirrelMail + Jamm applications in our mail server. Everything is going fine. In this system can we enable .forward files?

As documented here: http://www.postfix.org/local.8.html under EXTERNAL COMMAND DELIVERY, forward files can be used for all mail that is delivered to a local mailbox.

This specifically excludes virtual(8) delivery.

> thanks in advance.
>
> --
> Selçuk YAZAR
> http://www.selcukyazar.blogspot.com

--
J.
Re: .forward files
you can do this with a sieve script in dovecot

http://www.dovecot.org/list/dovecot/2010-June/049557.html

thx
Mario

2011/8/23 Jeroen Geilman jer...@adaptr.nl:

> On 2011-08-23 07:53, Selcuk Yazar wrote:
>
> > Hi
> >
> > We have installed and run Postfix+OpenLDAP+SASL cyrus + DoveCot + SquirrelMail + Jamm applications in our mail server. Everything is going fine. In this system can we enable .forward files?
>
> As documented here: http://www.postfix.org/local.8.html under EXTERNAL COMMAND DELIVERY, forward files can be used for all mail that is delivered to a local mailbox.
>
> This specifically excludes virtual(8) delivery.
>
> > thanks in advance.
> >
> > --
> > Selçuk YAZAR
> > http://www.selcukyazar.blogspot.com
>
> --
> J.
Re: Problem with postfix and amavis
On 22/08/11 22:51, Fernando Maior wrote:

> Andrea,
>
> How did you look at the final delivered mail? Did you use cat or vi or another text editor? Cause if you just try using a webmail or mail client you may not be able to see those headers...

Hi,

I saw the headers by opening the delivered file with vim.

The problem was the amavis configuration, in particular how $sql_select_policy was defined to match the ISPConfig configuration.

I adjusted @local_domains_maps to contain all domains managed by my system, reading from a hash (@local_domains_maps = read_hash("/etc/amavis/local_domains");), otherwise amavis will consider those domains not local and strip the headers before sending. Headers are maintained only for local domains.

Hope this helps someone.

Best regards

--
Ing. Andrea Cappelli
Asidev s.r.l.
Via Osteria Bianca, 108/6A
50053 Empoli (Firenze)
Tel. (+39) 333 60 18 258
Fax. (+39) 0571 1 979 978
E-mail: a.cappe...@asidev.com
Web: www.asidev.com
Skype: a.cappelli
Re: IPv6, backup MX and 4XX deferrals
Pim Zandbergen: Wietse Venema wrote: I know of no RFC that says only whitelisted clients can send email over IPv6. Well, it's their policy. I can respect that, if their assumption that senders should fall back to IPv4 is valid. 2 - Increase smtp_mx_session_limit (default: 2) so that Postfix will knock more doors. I guess that is what made their assumption fail. I've upped this limit to 5, and now my messages are waiting to be unlisted at their greylist on their backup IPv4-only MX. Looks promising. After having reported to the ISP to have already fixed the issue in Postfix, I got a message stating that they have decided to stop rejecting non-whitelisted IPv6 addresses. Thanks, Pim
Rewrite the From field
Hello guys,

I am using postfix for one domain, let's call it domain1. In my postfix configuration I do have some aliases defined on my LDAP with virtual_alias_maps.

I used to send my mail to one alias from another domain (domain2) not managed by myself. The alias is basically sending mail to different mailboxes in domain2: user1@domain2, user2@domain2

To be clear, this is what happens:

From: me@domain2
To: alias@domain1

alias@domain1 = user1@domain2, user2@domain2

so postfix is sending, for each mail address in the alias, a mail like:

from: me@domain2
to: user1@domain2

But as my postfix is outside domain2 I get a: Domain2 rejects the mail because it says that @domain2 is not allowed from the internet.

To avoid this issue, I would like to specify another From field for my aliases. Is that possible?

Regards,
Anthony BRODARD
Is there something like check_recipient_access for postscreen?
Hello List

For a few weeks now I have been using postscreen on our mailservers. I really like the postscreen_dnsbl_* settings, as in July they blocked 75% of spammers.

But now I have a user who fears that the blacklists could also block legitimate clients because of false positives. So he wants us to let through all mails with a RCPT TO: set to his address. He is aware that he will then get a lot of spam. But he does not care about that.

In the former setup, without postscreen, I would just have added a check_recipient_access before the reject_rbl_client which says something like

    user@domain OK

As far as I have seen this is not possible when using postscreen. The only solution I could think of is setting

    postscreen_dnsbl_sites =
    postscreen_dnsbl_action = ignore

and then using reject_rbl_client. But then I would lose the ability of having one process blocking the big masses instead of using a lot of smtpd processes.

So my question is: Am I right or am I making some reasoning error?

And a little question to Wietse: Would it make sense to also have settings like the check_recipient_* and check_sender_* for postscreen?

Thank you for your time and best regards
Matthew

--
Matthias Egger                                  ETH Zurich
Department of Information Technology            maeg...@ee.ethz.ch
and Electrical Engineering
IT Support Group (ISG.EE), ETL/F/24.1           Phone +41 (0)44 632 03 90
Physikstrasse 3, CH-8092 Zurich                 Fax   +41 (0)44 632 11 95
Re: Is there something like check_recipient_access for postscreen?
On Tue, Aug 23, 2011 at 12:25:29PM +0200, Matthias Egger wrote:

> But now I have a user who fears that the blacklists could also block legitimate clients because of false positives. So he wants us to let through all mails with a RCPT TO: set to his address. He is aware that he will then get a lot of spam. But he does not care about that.

Sorry, postscreen is for keeping away zombies, and has no per-user policy. Apply only conservative tests and convince your user or his management that this is safe enough.

--
Viktor.
post-install, IPv6-only: could not find any active network interfaces
Trying to install postfix on an IPv6-only host
  FreeBSD 9.0B1, http://wiki.freebsd.org/IPv6Only
  ports: mail/postfix-current,
but the installation chokes in the post-install phase.

Running that failing command manually (in the ports work directory) gives:

# bin/postfix -v post-install
postfix: name_mask: ipv4
postfix: name_mask: host
postfix: inet_addr_local: configured 0 IPv4 addresses
postfix: fatal: could not find any active network interfaces

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:99:9a:19
        inet6 fe80::a00:27ff:fe99:9a19%em0 prefixlen 64 scopeid 0x1
        inet6 2001:1470:ff80:88:a00:27ff:fe99:9a19 prefixlen 64 autoconf
        inet6 2001:1470:ff80:0:a00:27ff:fe99:9a19 prefixlen 64 autoconf
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

While it may not currently be of much use to have a MX without an IPv4 address, it still does make sense to have such mailer on the intranet.

Suggestions for a solution?

  Mark
Re: allow mutual authentication with ssl certificate
> Create the .db file with postmap.
> postmap hash:relay_clientcerts

thanks for the hint!

I did it and it almost worked. Almost, because the smtp server asked me for a certificate, but I can still send messages with my MUA with no certificate (or with a non-registered certificate).

Which option should I change? I thought it was relay_clientcerts, I tried smtpd_client_restrictions too (I don't want to remove the option permit_sasl_authentication, I just add check_ccert_access hash:/etc/postfix/relay_clientcerts).

Thanks.
Re: allow mutual authentication with ssl certificate
On 8/23/2011 6:42 AM, Alano Conraz wrote:

> > Create the .db file with postmap.
> > postmap hash:relay_clientcerts
>
> thanks for the hint!
>
> I did it and it almost worked. Almost, because the smtp server asked me for a certificate, but I can still send messages with my MUA with no certificate (or with a non-registered certificate).
>
> Which option should I change? I thought it was relay_clientcerts, I tried smtpd_client_restrictions too (I don't want to remove the option permit_sasl_authentication, I just add check_ccert_access hash:/etc/postfix/relay_clientcerts).
>
> Thanks.

List the authorized certificate fingerprints in relay_clientcerts, and everywhere you have permit_mynetworks ADD permit_tls_clientcerts.

If that's not working as expected, you'll need to show your config and what is happening. Please see
http://www.postfix.org/DEBUG_README.html#mail

--
Noel Jones
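Noel's advice above, turned into a small main.cf lint as an added example (not code from the thread or from Postfix). The sample main.cf is constructed; the check for `smtpd_tls_ask_ccert` is an assumption added here, since the server has to request a certificate before `permit_tls_clientcerts` can match anything.

```python
"""Lint a Postfix main.cf for the client-certificate relay advice in this thread."""
import re

# Constructed main.cf excerpt modelled on the setup described in the thread.
SAMPLE_MAIN_CF = """\
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
# certificate lookup added here, but permit_tls_clientcerts is missing
smtpd_client_restrictions =
    permit_mynetworks,
    check_ccert_access hash:/etc/postfix/relay_clientcerts
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination
"""


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is not None:
                params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def audit_clientcert_relay(params):
    """Return findings where the configuration departs from the advice in the thread."""
    findings = []
    asks = "yes" in (params.get("smtpd_tls_ask_ccert"), params.get("smtpd_tls_req_ccert"))
    if not asks:
        findings.append("no smtpd_tls_ask_ccert/smtpd_tls_req_ccert: "
                        "clients are never asked for a certificate")
    if not params.get("relay_clientcerts"):
        findings.append("relay_clientcerts is empty: "
                        "permit_tls_clientcerts has no fingerprints to match")
    for name in sorted(params):
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        tokens = re.split(r"[,\s]+", params[name])
        # "everywhere you have permit_mynetworks ADD permit_tls_clientcerts"
        if "permit_mynetworks" in tokens and "permit_tls_clientcerts" not in tokens:
            findings.append(f"{name}: permit_mynetworks without permit_tls_clientcerts")
    return findings


if __name__ == "__main__":
    for finding in audit_clientcert_relay(parse_main_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```

On a live system the input would be the contents of main.cf rather than the constructed sample.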
Bind Postfix to outgoing IP address
How can I bind Postfix to only send outgoing mail via one IP address (ie, always use the same ethernet interface)?

I have a server which has two IP addresses, one on eth0 and one on eth0.1. I have discovered that some of my outgoing mail is being rejected by over-zealous spam filters because it comes from the second, which doesn't have reverse DNS configured (which is OK; I don't use it for anything which needs it). However, Postfix seems to pick the wrong interface for sending outgoing mail, hence the problems above. How can I force it to always use the one I want it to use?

Adding reverse DNS to the second IP is not the solution; I don't have control over this and, in any case, all my existing mail DNS is set to use the primary IP.

I've looked at the documentation, and can't see anything obvious. inet_interfaces seems only to apply to inbound mail - that is, interfaces from which Postfix will accept mail, not those which it uses to send it.

Any clues, anyone?

Mark

--
Sent from my Babbage Difference Engine
http://mark.goodge.co.uk
http://www.ratemysupermarket.com
Re: Bind Postfix to outgoing IP address
* Mark Goodge m...@good-stuff.co.uk:

> How can I bind Postfix to only send outgoing mail via one IP address (ie, always use the same ethernet interface)?

postconf |grep bind

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Bind Postfix to outgoing IP address
* Mark Goodge postfix-users@postfix.org:

> How can I bind Postfix to only send outgoing mail via one IP address (ie, always use the same ethernet interface)?

smtp_bind_address

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: Bind Postfix to outgoing IP address
On 23/08/2011 14:29, Patrick Ben Koetter wrote:

> * Mark Goodge postfix-users@postfix.org:
>
> > How can I bind Postfix to only send outgoing mail via one IP address (ie, always use the same ethernet interface)?
>
> smtp_bind_address

Yes, I discovered that about 5 seconds after I hit send on the previous email. Oh well, and thanks anyway :-)

Mark

--
Sent from my Babbage Difference Engine
http://mark.goodge.co.uk
http://www.ratemysupermarket.com
postscreen stats
Dear postfix-users, I'm preparing for a presentation, and I'd like to include some statistics about postscreen. If you use this feature, could you please share it with me? Eg. it would be nice to include the blocked / total inbound emails % ratio, or any other data you think that can be relevant. Thanks in advance, Kovacs Janos
Re: postscreen stats
* Kovács János albiba...@yahoo.com:

> Dear postfix-users,
>
> I'm preparing for a presentation, and I'd like to include some statistics about postscreen. If you use this feature, could you please share it with me? Eg. it would be nice to include the blocked / total inbound emails % ratio, or any other data you think that can be relevant.

http://www.arschkrebs.de/slides/2.8-slides.pdf slide 66ff

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Bind Postfix to outgoing IP address
Mark Goodge:

> On 23/08/2011 14:29, Patrick Ben Koetter wrote:
>
> > * Mark Goodge postfix-users@postfix.org:
> >
> > > How can I bind Postfix to only send outgoing mail via one IP address (ie, always use the same ethernet interface)?
> >
> > smtp_bind_address
>
> Yes, I discovered that about 5 seconds after I hit send on the previous email. Oh well, and thanks anyway :-)

Beware, this does not specify the INTERFACE. It only specifies the source IP ADDRESS. That's not the same thing.

If the source IP address is not reachable via other network interfaces, then connection attempts will fail.

	Wietse
Re: postscreen stats
Thanks Ralf! It's amazing how much spam the pregreet test and a good RBL can catch. Do you have any data on how many spam emails survived postscreen? Kovacs Janos
Group-readable email and overriden ACL's
Dear list members,

In our setup we have various mailboxes that have to be read (and edited) by groups of people. All these groups are defined in LDAP, as are the members (everything uses PAM, so all these accounts are on the system as well). The email is accessed by Dovecot, binding with the LDAP server as the user owning the mail. This means that all the mail for a certain user has to be accessible to that user on the system, otherwise Dovecot cannot read it. We use public namespaces in Dovecot to achieve this.

Our problem is that postfix gives permissions 700 to all messages (overriding default ACL's). The messages may be owned by the correct group for a user, and be in the right folder, but still cannot be read by Dovecot (and our users).

Hopefully, there is a more elegant solution than monitoring the filesystem for edits and changing the permissions when a mail folder is edited.

Kind regards,
Kasper Loopstra.

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Mail/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = chemische-binding.nl, chloroform.chemische-binding.nl, localhost.chemische-binding.nl, localhost
myhostname = chloroform.chemische-binding.nl
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
Re: Group-readable email and overriden ACL's
Kasper Loopstra:

> Dear list members,
>
> In our setup we have various mailboxes that have to be read (and edited) by groups of people. All these groups are defined in LDAP, as are the members (everything uses PAM, so all these accounts are on the system as well). The email is accessed by Dovecot, binding with the LDAP server as the user owning the mail. This means that all the mail for a certain user has to be accessible to that user on the system, otherwise Dovecot cannot read it. We use public namespaces in Dovecot to achieve this.
>
> Our problem is that postfix gives permissions 700 to all messages (overriding default ACL's). The messages may be owned by the correct group for a user, and be in the right folder, but still cannot be read by Dovecot (and our users).
>
> Hopefully, there is a more elegant solution than monitoring the filesystem for edits and changing the permissions when a mail folder is edited.

In this case, the solution would be to deliver and read the mail with dovecot, and to configure the permissions with Dovecot if possible.

Postfix implements only bare-bones email delivery and does not support access by multiple UIDs other than the owner and root.

	Wietse
Re: Automating regular checks that incoming outgoing mails are still working
On 8/21/2011 10:03 AM, Roger Goh wrote:

> There's often a problem with our postfix mail server (that runs Cyrus / Cyrus-imapd):
>
> I have scripts (using mutt) to send hourly mails out (from another postfix server, I can send mails to it).
>
> I need a way / method such that if those hourly test mails were never sent out or received, I'll need to be alerted.
>
> Let me know the freeware tools method to go about doing this?

Look into a monitoring solution like Nagios, Cacti, etc.

You'll want to communicate failure of the email system over some non-mail communication channel (such as Jabber/XMPP alerts).
Re: postscreen stats
On 8/23/2011 9:10 AM, Kovács János wrote:

> Thanks Ralf! It's amazing how much spam the pregreet test and a good RBL can catch. Do you have any data on how many spam emails survived postscreen?

Overall, Postscreen is no better nor worse at stopping spam than what we've all been doing via SMTPD for many years. It simply decreases the number of SMTPD processes required to do so, hence decreasing server load and allowing more processing of legitimate mail.

Postscreen is no magic bullet, its overall catch rate being little different than setups without Postscreen.

--
Stan
Re: postscreen stats
Stan Hoeppner:

> On 8/23/2011 9:10 AM, Kovács János wrote:
>
> > Thanks Ralf! It's amazing how much spam the pregreet test and a good RBL can catch. Do you have any data on how many spam emails survived postscreen?
>
> Overall, Postscreen is no better nor worse at stopping spam than what we've all been doing via SMTPD for many years. It simply decreases the number of SMTPD processes required to do so, hence decreasing server load and allowing more processing of legitimate mail.
>
> Postscreen is no magic bullet, its overall catch rate being little different than setups without Postscreen.

Agreed. Postscreen's main goal is to reduce mail server load, so that you can postpone that forklift upgrade.

Postscreen also stops a few percent of spambots that popular DNSBLs miss, but at this time, that is only a minor benefit.

	Wietse
Re: postscreen stats
* Wietse Venema postfix-users@postfix.org:

> Stan Hoeppner:
>
> > On 8/23/2011 9:10 AM, Kovács János wrote:
> >
> > > Thanks Ralf! It's amazing how much spam the pregreet test and a good RBL can catch. Do you have any data on how many spam emails survived postscreen?
> >
> > Overall, Postscreen is no better nor worse at stopping spam than what we've all been doing via SMTPD for many years. It simply decreases the number of SMTPD processes required to do so, hence decreasing server load and allowing more processing of legitimate mail.
> >
> > Postscreen is no magic bullet, its overall catch rate being little different than setups without Postscreen.
>
> Agreed. Postscreen's main goal is to reduce mail server load, so that you can postpone that forklift upgrade.
>
> Postscreen also stops a few percent of spambots that popular DNSBLs miss, but at this time, that is only a minor benefit.

I tend to believe (speculation, not measurement) I can get rid of greylisting, which I dislike because it slows down first mail contact, if I use postscreen. Not because postscreen does the same job, but because it seems to keep the same miscreants away.

IIRC I've seen a few discussions on this list that seemed to discuss the topic greylisting vs. postscreen, but I didn't have the time to read and follow them.

I disabled greylisting since I started using postscreen and the spam ratio did not increase, but the immediacy at which mails from new senders arrive did.

Anyone with similar observations?

p@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: postscreen stats
Stan Hoeppner:

> > Agreed. Postscreen's main goal is to reduce mail server load, so that you can postpone that forklift upgrade.
> >
> > Postscreen also stops a few percent of spambots that popular DNSBLs miss, but at this time, that is only a minor benefit.
>
> I would think the proper metric for evaluating the success of Postscreen deployment should be something like mx_#smtpds_per_connect_per_day_week_month vs the period before deploying Postscreen; load average before and after Postscreen, Postfix memory consumption, etc. It would include no spam catch/miss/false positive/negative data as the difference between before/after would likely be within statistical margin of error.
>
> Has anyone compiled such data? If so and I missed it, apologies for having my head in the sand.

On my tiny site, spam volume turns out to be more variable than I expected, so comparing before/after differences is not so simple.

One way to cancel the variability is to run equal-preference MXes with different configurations. Another way is to randomly switch configurations several times a day.

I expect, though, that the exact numbers would be site-specific.

	Wietse
Re: postscreen stats
On Tue, 2011-08-23 at 21:33 +0200, Patrick Ben Koetter wrote:

> I disabled greylisting since I started using postscreen and the spam ratio did not increase, but the immediacy at which mails from new senders arrive did.
>
> Anyone with similar observations?

That's what I've seen. I've only been using postscreen for a few weeks now, but started with no greylisting and saw no change from before (other than no delays as you've pointed out).

--
Homer Parker hpar...@homershut.net
Re: postscreen stats
On Tue, Aug 23, 2011 at 8:04 PM, Homer Parker hpar...@homershut.net wrote:

> On Tue, 2011-08-23 at 21:33 +0200, Patrick Ben Koetter wrote:
>
> > I disabled greylisting since I started using postscreen and the spam ratio did not increase, but the immediacy at which mails from new senders arrive did.
> >
> > Anyone with similar observations?
>
> That's what I've seen. I've only been using postscreen for a few weeks now, but started with no greylisting and saw no change from before (other than no delays as you've pointed out).

You may have read in the news that spam is under control, etc etc. Which is a misnomer. It should read: Botnet spam is on the decline, but snowshoe spam and spear phishing is on the rise!

The botnet spam that greylisting was originally intended to deal with is becoming a lesser used vector, but you're probably seeing plenty of mail coming from places like Romanian VIP hosting facilities that are plenty happy to rent out a /24 to a single machine for SMTP proxying.
Re: postscreen stats
- Original Message -
From: Patrick Ben Koetter p...@state-of-mind.de
To: postfix-users@postfix.org
Cc:
Sent: Tuesday, August 23, 2011 9:33 AM
Subject: Re: postscreen stats

> I disabled greylisting since I started using postscreen and the spam ratio did not increase, but the immediacy at which mails from new senders arrive did.
>
> Anyone with similar observations?

I would agree with that in the couple weeks we started using postscreen on some larger domains.

However, we do still greylist, but only for certain cases. Mailfromd provides the logic to allow us to very selectively greylist. So, maybe 2% of real mail ever gets greylisted. So, 98% of it is fast. The 2% is usually strange cases, mis-configured, etc.
Re: Group-readable email and overriden ACL's
On Tue, Aug 23, 2011 at 11:11:31AM -0400, Wietse Venema wrote:

> Kasper Loopstra:
>
> > Dear list members,
> >
> > In our setup we have various mailboxes that have to be read (and edited) by groups of people. All these groups are defined in LDAP, as are the members (everything uses PAM, so all these accounts are on the system as well). The email is accessed by Dovecot, binding with the LDAP server as the user owning the mail. This means that all the mail for a certain user has to be accessible to that user on the system, otherwise Dovecot cannot read it. We use public namespaces in Dovecot to achieve this.
> >
> > Our problem is that postfix gives permissions 700 to all messages (overriding default ACL's). The messages may be owned by the correct group for a user, and be in the right folder, but still cannot be read by Dovecot (and our users).
> >
> > Hopefully, there is a more elegant solution than monitoring the filesystem for edits and changing the permissions when a mail folder is edited.
>
> In this case, the solution would be to deliver and read the mail with dovecot, and to configure the permissions with Dovecot if possible.
>
> Postfix implements only bare-bones email delivery and does not support access by multiple UIDs other than the owner and root.

Support for multi-user access is the job of the mail-store, not the MTA. IMAP servers like Cyrus, Dovecot, ... have appropriate mailbox access-control mechanisms that allow access by multiple (typically IMAP) users, and in some cases access to the underlying files via local clients running as the user.

Work with the mail-store. Direct access to the underlying files is probably not a good idea.

--
Viktor.
Re: Automating regular checks that incoming outgoing mails are still working
On Tue, Aug 23, 2011 at 11:59 AM, Thomas Harold thomas-li...@nybeta.com wrote:

> On 8/21/2011 10:03 AM, Roger Goh wrote:
>
> > There's often a problem with our postfix mail server (that runs Cyrus / Cyrus-imapd):
> >
> > I have scripts (using mutt) to send hourly mails out (from another postfix server, I can send mails to it).
> >
> > I need a way / method such that if those hourly test mails were never sent out or received, I'll need to be alerted.
> >
> > Let me know the freeware tools method to go about doing this?
>
> Look into a monitoring solution like Nagios, Cacti, etc.
>
> You'll want to communicate failure of the email system over some non-mail communication channel (such as Jabber/XMPP alerts).

Ok, now completely OT, but we're looking at replacing our Nagios solution with Zabbix.

If you want to call your system production, then it needs to be monitored.
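The freshness check this thread asks for, sketched as a Nagios-style plugin; this is an added example, not code from any poster. The `mailflow-probe` Subject marker, the 75/135 minute thresholds and the sample messages are assumptions constructed for the demo.

```python
"""Nagios-style freshness check for hourly probe mails (added example)."""
import email
import email.utils
import mailbox
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes
PROBE_MARKER = "mailflow-probe"                # assumed Subject tag set by the sender script


def newest_probe_time(raw_messages, marker=PROBE_MARKER):
    """Return the Date of the most recent probe message, or None if there is none."""
    newest = None
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if marker not in (msg.get("Subject") or ""):
            continue                            # ordinary mail, not a probe
        try:
            sent = email.utils.parsedate_to_datetime(msg.get("Date") or "")
        except (TypeError, ValueError):
            continue                            # unparseable Date proves nothing
        if sent.tzinfo is None:                 # "-0000" yields a naive datetime
            sent = sent.replace(tzinfo=timezone.utc)
        if newest is None or sent > newest:
            newest = sent
    return newest


def check_mail_flow(raw_messages, now, warn=timedelta(minutes=75),
                    crit=timedelta(minutes=135)):
    """Map the age of the newest probe to a (Nagios status, message) pair."""
    newest = newest_probe_time(raw_messages)
    if newest is None:
        return CRITICAL, "CRITICAL: no probe mail in mailbox"
    age = now - newest
    if age < timedelta(0):
        return UNKNOWN, "UNKNOWN: newest probe is dated in the future (clock skew?)"
    minutes = int(age.total_seconds() // 60)
    if age >= crit:
        return CRITICAL, f"CRITICAL: newest probe is {minutes} min old"
    if age >= warn:
        return WARNING, f"WARNING: newest probe is {minutes} min old"
    return OK, f"OK: newest probe is {minutes} min old"


def make_probe(date_header):
    """Build a constructed probe message for the demo below."""
    return ("From: probe@sender.example\nTo: probe@mx.example\n"
            f"Subject: {PROBE_MARKER}\nDate: {date_header}\n\nping\n")


# Constructed sample mailbox: two probes, one probe with a broken Date, one normal mail.
SAMPLE_MAILBOX = [
    make_probe("Tue, 23 Aug 2011 11:00:02 +0000"),
    make_probe("Tue, 23 Aug 2011 12:00:03 +0000"),
    make_probe("not a date"),
    "From: user@example.org\nSubject: lunch?\nDate: Tue, 23 Aug 2011 13:10:00 +0000\n\nhi\n",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real use: path to the probe account's Maildir
        msgs = [m.as_string() for m in mailbox.Maildir(sys.argv[1], create=False)]
        now = datetime.now(timezone.utc)
    else:                                       # demo on the constructed sample
        msgs = SAMPLE_MAILBOX
        now = datetime(2011, 8, 23, 13, 30, tzinfo=timezone.utc)
    status, text = check_mail_flow(msgs, now)
    print(text)                                 # status line for the monitoring system
    sys.exit(status)
```

The check relies on the sender-supplied Date header, so the clocks of the sending and monitoring hosts need to agree; the monitoring system that runs it delivers the alert over its own non-mail channel.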