Header Filter Time Range
Probably a stupid question, but in practical terms is it possible to set a header filter that will reject (or ideally defer) mail on time range? For example during the hours of 00:00 - 07:00. I appreciate that the action will probably have to be 'reject' if it is possible at all. Has anyone tried/implemented this and what are the thoughts/comments on it. TIA.
Re: Header Filter Time Range
On Mon, June 15, 2009 9:09 am, EASY steve.h...@digitalcertainty.co.uk said:

> Probably a stupid question, but in practical terms is it possible to set a header filter that will reject (or ideally defer) mail on time range? For example during the hours of 00:00 - 07:00.

*Header* filter? Do you simply mean that all messages, regardless of contents, should be rejected between 00:00 and 07:00?

Either use two main.cf configurations that you switch between at 00:00 and 07:00, or use a lookup table that you change the contents of at that time. The latter approach avoids a Postfix reload, which is good (but if the timing is critical you do need to reload Postfix to make it pick up the new configuration immediately).

--
Magnus Bäck
mag...@dsek.lth.se
Re: Header Filter Time Range
On Mon, 2009-06-15 at 09:26 +0200, Magnus Bäck wrote:

> On Mon, June 15, 2009 9:09 am, EASY steve.h...@digitalcertainty.co.uk said:
>
>> Probably a stupid question, but in practical terms is it possible to set a header filter that will reject (or ideally defer) mail on time range? For example during the hours of 00:00 - 07:00.
>
> *Header* filter? Do you simply mean that all messages, regardless of contents, should be rejected between 00:00 and 07:00?
>
> Either use two main.cf configurations that you switch between at 00:00 and 07:00, or use a lookup table that you change the contents of at that time. The latter approach avoids a Postfix reload, which is good (but if the timing is critical you do need to reload Postfix to make it pick up the new configuration immediately).

Thanks Magnus. What I like about asking stupid questions is that someone always has a better way to do things than my retarded brain can think of!

I want to defer/reject all mail between those hours. The timing does not have to be totally accurate - a few minutes either way is no big issue. I am noticing that all connections overnight are UCE attempts. There has not been a legitimate one ever in my logs. I appreciate that this is not going to be true for many, but for us it looks like a plausible approach.

It seems a bit convoluted but my guess would be to set up two main.cf files, the second (short) version denying everything and then get cron to swap these in and out at the required times. I guess, doing it this way, I can set some exemptions and white listing in the second conf. Mmmm. The possibilities :-)
Re: Header Filter Time Range
On 15-Jun-2009, at 01:09, EASY steve.h...@digitalcertainty.co.uk wrote:

> Probably a stupid question, but in practical terms is it possible to set a header filter that will reject (or ideally defer) mail on time range? For example during the hours of 00:00 - 07:00.

Erm.. well, yes, you COULD do that, but why?

    $ cat header_checks.pcre
    # Emails with erroneous dates (or dates far in the past) will appear at the top or bottom of your mail client.
    /^Date:.* 19[0-9][0-9]/ REJECT Your email has a date from the past. Fix your system clock and try again.
    /^Date:.* 200[0-8]/ REJECT Your email has a date from the past. Fix your system clock and try again.
    /^Date:.* 20[1-9][0-9]/ REJECT Your email has a date from the future. Fix your system clock and try again.

That should give you the idea...

> I appreciate that the action will probably have to be 'reject' if it is possible at all. Has anyone tried/implemented this and what are the thoughts/comments on it.

Well, it seems like a spectacularly bad idea to me...

--
Over 3,500 gay marriages and, what, no hellfire? I was promised hellfire. And riots. What gives? -- Mark Morford
Re: trivial-rewrite warning although mydestination is empty
Hello Noel Jones,

thank you very much for your answer.

> Guess #1: You didn't run postfix reload after changing the configuration.

First I had the same idea. But I restarted Postfix via '/etc/init.d/postfix restart' and trivial-rewrite is still raising these warnings.

> Guess #2: The configuration you report is not the actual configuration.
>
> Guess #3: Not enough information for us to do more than guess. To get a better answer, please provide full unaltered postconf -n and unaltered logging demonstrating the problem.

Sorry, here is my full 'postconf -n' output:

    alias_database =
    alias_maps =
    config_directory = /etc/postfix
    disable_vrfy_command = yes
    message_size_limit = 25165824
    mydestination =
    mydomain = lunox.net
    myhostname = lunox.net
    mynetworks = 127.0.0.0/8 78.46.95.147
    smtp_tls_security_level = may
    smtpd_helo_required = yes
    smtpd_milters = unix:/var/lib/amavis/amavisd-milter.sock
    smtpd_recipient_restrictions = reject_unknown_sender_domain reject_unknown_recipient_domain permit_sasl_authenticated permit_mynetworks reject_invalid_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_invalid_helo_hostname check_policy_service inet:127.0.0.1:8765 check_policy_service inet:127.0.0.1:8766 reject_unknown_client reject_unknown_hostname permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_tls_cert_file = /etc/ssl/x.crt
    smtpd_tls_key_file = /etc/ssl/x.key
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    strict_rfc821_envelopes = yes
    transport_maps = cdb:/etc/postfix/transport-maps
    virtual_alias_domains = mysql:/etc/postfix/virtual-alias-domains.cf
    virtual_alias_maps = mysql:/etc/postfix/virtual-alias-maps.cf
    virtual_mailbox_domains = mailbox.lunox.net lists.lunox.net
    virtual_transport = dovecot

Here is a part of my mail logs where I found this warning (I had to replace two domains of my customers; cdomain1.com and cdomain2.com but they are not the same and not subdomains of mydomain = lunox.net and trivial-rewrite is always warning about the domain lunox.net):

    Jun 14 14:25:40 [postfix/smtpd] connect from wall.zjnb.cnuninet.net[211.90.248.97]
    Jun 14 14:25:42 [policyd-weight] decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; client=211.90.248.97 helo=gmail.com from=andeeefrietschte...@gmail.com to=i...@cdomain1.com; delay: 0s_
    Jun 14 14:25:42 [postfix/smtpd] NOQUEUE: reject: RCPT from wall.zjnb.cnuninet.net[211.90.248.97]: 550 5.7.1 i...@cdomain1.com: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=andeeefrietschte...@gmail.com to=i...@cdomain1.com proto=SMTP helo=gmail.com
    Jun 14 14:25:43 [postfix/smtpd] lost connection after RCPT from wall.zjnb.cnuninet.net[211.90.248.97]
    Jun 14 14:25:43 [postfix/smtpd] disconnect from wall.zjnb.cnuninet.net[211.90.248.97]
    Jun 14 14:26:38 [postfix/smtpd] connect from unknown[190.68.101.10]
    Jun 14 14:26:53 [postfix/smtpd] connect from unknown[88.234.131.122]
    Jun 14 14:26:54 [postfix/trivial-rewrite] warning: do not list domain lunox.net in BOTH mydestination and virtual_alias_domains
    Jun 14 14:26:54 [policyd-weight] decided action=DUNNO NULL () Sender; client=88.234.131.122 helo=wergvan from= to...@lommerzheim.net; delay: 0s_
    Jun 14 14:26:54 [sqlgrey] grey: new: 88.234.131.122(88.234.131.122), -und...@-undef- - f...@lommerzheim.net_
    Jun 14 14:26:54 [postfix/smtpd] NOQUEUE: reject: RCPT from unknown[88.234.131.122]: 450 4.7.1 Client host rejected: cannot find your hostname, [88.234.131.122]; from= to=f...@lommerzheim.net proto=SMTP helo=wergvan
    Jun 14 14:26:55 [postfix/smtpd] disconnect from unknown[88.234.131.122]
    Jun 14 14:27:01 [postfix/anvil] statistics: max connection rate 2/60s for (smtp:77.123.96.16) at Jun 14 14:18:44
    Jun 14 14:27:01 [postfix/anvil] statistics: max connection count 2 for (smtp:77.123.96.16) at Jun 14 14:18:44
    Jun 14 14:27:01 [postfix/anvil] statistics: max cache size 6 at Jun 14 14:17:11
    Jun 14 14:27:22 [policyd-weight] decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; client=190.68.101.10 helo=hrbufqfeet from=cave...@oceanmortgage.net to=fwg...@lommerzheim.com; delay: 0s_
    Jun 14 14:27:22 [postfix/smtpd] NOQUEUE: reject: RCPT from unknown[190.68.101.10]: 550 5.7.1 fwg...@lommerzheim.com: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=cave...@oceanmortgage.net to=fwg...@lommerzheim.com proto=ESMTP helo=HRBUFQFEET
    Jun 14 14:27:37 [postfix/smtpd] warning: 89.47.97.96: hostname TIMnet-97-96.tim.ro verification failed: Name or service not known
    Jun 14 14:27:37 [postfix/smtpd] connect from unknown[89.47.97.96]
    Jun 14 14:27:38 [policyd-weight] weighted check: IN_DYN_PBL_SPAMHAUS=3.25 IN_SBL_XBL_SPAMHAUS=4.35 IN_SPAMCOP=3.75;
Re: customizing postfix logs with a mailing id
On Mon, June 15, 2009 10:35 am, Stéphane MERLE said: I would love to customize a little the logs of postfix. We are using postfix for massmailing and I'd like to be able to get statistic on mailing, so I would like to tag each mail with the mailing number so I can split the log files by mailing and then get the bounced/sent/spam detection for each mailing and get back to our users with specific data for there mailings. Use the queue id to correlate log entries for a single message. That'll let you obtain statistics for delivered and rejected messages. Bounces are another thing -- there is no way for Postfix to know that a particular bounce message is for a specific message that Postfix has sent. What you can do is use VERP to at least identify which recipient addresses lead to bounces. -- Magnus Bäck mag...@dsek.lth.se
Re: customizing postfix logs with a mailing id
Can I, at least, add the from in the logs ? Jun 15 11:59:01 smtp postfix/smtp[3061]: 683EB37AECA3: to=kdkdlem...@live.fr, relay=mx1.hotmail.com[65.55.92.136]:25, conn_use=91, delay=401662, delays=401197/464/0.13/0.32, dsn=2.0.0, status=sent (250 20090610182440.0a14a3776...@smtp.domaineamoi.com Queued mail for delivery) would be : Jun 15 11:59:01 smtp postfix/smtp[3061]: 683EB37AECA3: from=sen...@domaineamoi.com, to=kdkdlem...@live.fr, relay=mx1.hotmail.com[65.55.92.136]:25, conn_use=91, delay=401662, delays=401197/464/0.13/0.32, dsn=2.0.0, status=sent (250 20090610182440.0a14a3776...@smtp.domaineamoi.com Queued mail for delivery) Stéphane. Magnus Bäck a écrit : On Mon, June 15, 2009 10:35 am, Stéphane MERLE said: I would love to customize a little the logs of postfix. We are using postfix for massmailing and I'd like to be able to get statistic on mailing, so I would like to tag each mail with the mailing number so I can split the log files by mailing and then get the bounced/sent/spam detection for each mailing and get back to our users with specific data for there mailings. Use the queue id to correlate log entries for a single message. That'll let you obtain statistics for delivered and rejected messages. Bounces are another thing -- there is no way for Postfix to know that a particular bounce message is for a specific message that Postfix has sent. What you can do is use VERP to at least identify which recipient addresses lead to bounces.
Re: delay between delivery for a specific transport.
Hi,

I did update to the last 2.6-20081205 looks perfect :o)

can I specify a rate_delay of less than 1s ?

The aim of all these is to deal with "The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed." messages in logs. Even by dropping the concurrency limit, I still get those messages, so the waiting time between 2 sent should solve the problem but 1 per second is way too low ...

Stéphane

Victor Duchovni wrote:

> On Fri, Jun 12, 2009 at 11:34:42PM +0200, Stéphane MERLE wrote:
>
>> hi, thanks for your help, is there any tutorial or help page to upgrade my 2.5.1 to 2.6.2 ? I am on ubuntu 2.6.28.1--std-ipv4-32 ? do I have to recompile it from the source code ?
>
> If you are using 2.5.1, you could try to find an updated package that takes you to 2.5.7. The rate_delay issue was IIRC fixed in 2.5.6, but I am not sure, so 2.5.7 is best if you can find that, else try 2.5.6. Of course 2.6 is not substantially different from 2.5. If you are using a packaged build, I'd try to find a similar package of the newer version.
>
> --
Re: customizing postfix logs with a mailing id
On Mon, June 15, 2009 12:01 pm, Stéphane MERLE said: Can I, at least, add the from in the logs ? Jun 15 11:59:01 smtp postfix/smtp[3061]: 683EB37AECA3: to=kdkdlem...@live.fr, relay=mx1.hotmail.com[65.55.92.136]:25, conn_use=91, delay=401662, delays=401197/464/0.13/0.32, dsn=2.0.0, status=sent (250 20090610182440.0a14a3776...@smtp.domaineamoi.com Queued mail for delivery) would be : Jun 15 11:59:01 smtp postfix/smtp[3061]: 683EB37AECA3: from=sen...@domaineamoi.com, to=kdkdlem...@live.fr, relay=mx1.hotmail.com[65.55.92.136]:25, conn_use=91, delay=401662, delays=401197/464/0.13/0.32, dsn=2.0.0, status=sent (250 20090610182440.0a14a3776...@smtp.domaineamoi.com Queued mail for delivery) The envelope sender is logged by qmgr(8). Grep your log for 683EB37AECA3 and see for yourself. Please do not top-post. -- Magnus Bäck mag...@dsek.lth.se
Re: Header Filter Time Range
Here is another possibility with Postfix version 2.6 and later.

Cron job at midnight:

    postconf -e master_service_disable=inet (or: smtp.inet)
    postfix reload

Cron job at 07:00:

    postconf -e master_service_disable=
    postfix reload

There are many other uses of cron that would also achieve the desired effect.

Wietse
Re: Header Filter Time Range
Steve schrieb: I have to be honest, I looked at Postfwd a couple of weeks back and it left me with a bad feeling. It was utter dependency hell to install - It's your decision, but the only dependencies are Net::DNS and Net::Server perl modules and perl itself, of course. like Russian Dolls for one thing - and to see your logs littered with Perl errors like; postfwd: warning - Use of uninitialized value $_ in scalar chop at /usr/sbin/postfwd line 1958. I use postfwd on different solaris, linux and freebsd systems (volume ~100 - 1000k mails/day) and don't see these. Maybe an outdated version or a bogus ruleset?
Re: customizing postfix logs with a mailing id
On Mon, June 15, 2009 12:47 pm, Wietse Venema said: Magnus Bäck: Use the queue id to correlate log entries for a single message. That'll let you obtain statistics for delivered and rejected messages. Bounces are another thing -- there is no way for Postfix to know that a particular bounce message is for a specific message that Postfix has sent. What you can do is use VERP to at least identify which recipient addresses lead to bounces. As of a few releases, Postfix will log the original queue ID when sending a bounce. True, but what I think the OP is after is correlating bounce messages sent from *remote* sites with the original messages sent by them. -- Magnus Bäck mag...@dsek.lth.se
Re: customizing postfix logs with a mailing id
Hi,

First, I would like to apologize if I don't do thing correctly, but english is not my mother language and I'm not always sure of what I understand ... (I think of "Please do not top-post.", which I thought I wasn't doing, as I stay in the same thread ...).

My aim, is to be able to separate bounced/sent statistics from the log file. Lets say we have 30 SMTP POSTFIX Servers, we sent 10 different mailing for 3 or 4 different customers. For now, I can't tell to my 1st client, your mailing number #4012 had 30% of bounces, 50% of sent and 20% of deferred that are still pending.

The only way to do that is to use one IP by mailing which is not really easy.

For that, I would like to have an ID (my mailing id) added to the logs [I do understood that postfix may not know exactly which mail is what when it bounced]. I would find a way out with the Return-Path if I could get it in the logs (not in a new line but within the sent or bounced lines, this way, I could parse it with grep).

Thanks for your patience.

Stéphane

Stéphane MERLE wrote:

> Hi,
>
> I would love to customize a little the logs of postfix. We are using postfix for massmailing and I'd like to be able to get statistic on mailing, so I would like to tag each mail with the mailing number so I can split the log files by mailing and then get the bounced/sent/spam detection for each mailing and get back to our users with specific data for their mailings.
>
> Is that possible ?
>
> Thanks.
> Stéphan
Re: customizing postfix logs with a mailing id
Stéphane MERLE:

> Hi,
>
> First, I would like to apologize if I don't do thing correctly, but english is not my mother language and I'm not always sure of what I understand ... (I think of "Please do not top-post.", which I thought I wasn't doing, as I stay in the same thread ...).
>
> My aim, is to be able to separate bounced/sent statistics from the log file. Lets say we have 30 SMTP POSTFIX Servers, we sent 10 different mailing for 3 or 4 different customers. For now, I can't tell to my 1st client, your mailing number #4012 had 30% of bounces, 50% of sent and 20% of deferred that are still pending.

The envelope sender address can give you the ID. Just embed it as an address extension.

/etc/postfix/main.cf:
    recipient_delimiter = -

Send mail as foo-4...@example.com, and use routine logfile analysis to match the delivery records and the bounces. The envelope sender is logged in the Postfix logs.

Wietse

> The only way to do that is to use one IP by mailing which is not really easy.
>
> For that, I would like to have an ID (my mailing id) added to the logs [I do understood that postfix may not know exactly which mail is what when it bounced]. I would find a way out with the Return-Path if I could get it in the logs (not in a new line but within the sent or bounced lines, this way, I could parse it with grep).
>
> Thanks for your patience.
>
> Stéphane
>
> Stéphane MERLE wrote:
>
>> Hi,
>>
>> I would love to customize a little the logs of postfix. We are using postfix for massmailing and I'd like to be able to get statistic on mailing, so I would like to tag each mail with the mailing number so I can split the log files by mailing and then get the bounced/sent/spam detection for each mailing and get back to our users with specific data for their mailings.
>>
>> Is that possible ?
>>
>> Thanks.
>> Stéphan
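The logfile analysis suggested in the message above, as an added example (not code from the thread or from Postfix): it joins the qmgr `from=` record to the delivery records by queue ID and counts the final status of each recipient per mailing ID, taken from the sender's address extension. The sample log, the addresses and the names `tally` and `mailing_id` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log; queue IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
Jun 15 11:58:01 smtp postfix/qmgr[2001]: 683EB37AECA3: from=<news-4012@example.com>, size=5120, nrcpt=3 (queue active)
Jun 15 11:58:02 smtp postfix/smtp[3061]: 683EB37AECA3: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun 15 11:58:03 smtp postfix/smtp[3061]: 683EB37AECA3: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=2.0, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)
Jun 15 11:58:04 smtp postfix/smtp[3062]: 683EB37AECA3: to=<carol@example.org>, relay=none, delay=3.1, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.20]:25: Connection timed out)
Jun 15 11:58:04 smtp postfix/bounce[3070]: 683EB37AECA3: sender non-delivery notification: 9F00AA11BB22
Jun 15 11:58:04 smtp postfix/qmgr[2001]: 9F00AA11BB22: from=<>, size=2890, nrcpt=1 (queue active)
Jun 15 11:58:05 smtp postfix/local[3071]: 9F00AA11BB22: to=<news-4012@example.com>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to mailbox)
Jun 15 11:59:10 smtp postfix/qmgr[2001]: 7A1C0D22F001: from=<news-4013@example.com>, size=4800, nrcpt=1 (queue active)
Jun 15 11:59:12 smtp postfix/smtp[3063]: 7A1C0D22F001: to=<dave@example.org>, relay=none, delay=2.2, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.20]:25: Connection timed out)
Jun 15 12:30:09 smtp postfix/qmgr[2001]: 683EB37AECA3: from=<news-4012@example.com>, size=5120, nrcpt=3 (queue active)
Jun 15 12:30:10 smtp postfix/smtp[3090]: 683EB37AECA3: to=<carol@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=1930, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# Short (hexadecimal) queue IDs are assumed; "NOQUEUE" lines do not match.
LINE_RE = re.compile(r"postfix/[\w-]+\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
# Angle brackets are optional so that archive-style lines without them also parse.
FROM_RE = re.compile(r"^from=<?(?P<sender>[^>,]*)>?,")
RCPT_RE = re.compile(r"^to=<?(?P<rcpt>[^>,]*)>?,.*?\bstatus=(?P<status>\w+)")


def mailing_id(sender, delimiter="-"):
    """Return the address extension (text after the first delimiter in the
    local part), or None for the null sender or an address without one."""
    local = sender.rpartition("@")[0]
    _, sep, ext = local.partition(delimiter)
    return ext if sep and ext else None


def tally(log_text, delimiter="-"):
    """Map mailing ID -> {status: recipient count}.

    A recipient that is deferred and later sent or bounced is counted once,
    under its last logged status. Queue entries with the null sender (bounce
    notifications) or with no from= record in the log are skipped.
    """
    sender_of = {}      # queue ID -> envelope sender
    final_status = {}   # (queue ID, recipient) -> last status seen
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        f = FROM_RE.match(rest)
        if f:
            sender_of[qid] = f["sender"]
            continue
        r = RCPT_RE.match(rest)
        if r:
            final_status[(qid, r["rcpt"])] = r["status"]

    stats = defaultdict(Counter)
    for (qid, _rcpt), status in final_status.items():
        mid = mailing_id(sender_of.get(qid, ""), delimiter)
        if mid is not None:
            stats[mid][status] += 1
    return {mid: dict(counts) for mid, counts in stats.items()}


if __name__ == "__main__":
    for mid, counts in sorted(tally(SAMPLE_LOG).items()):
        print(mid, counts)
```

Bounces reported later by remote sites do not appear in these delivery records; they arrive as new messages addressed to the extended sender address.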
SSL_accept error from - somebody that could tell me what goes on
Hello everybody, I am getting the following error on a fully updated Debian stable production server. The connection is closed by a SSL_accept error and I have no idea what goes on. It seems smtpd is getting values that it is not expecting, but who is responsible and what to do about it? I attached the smtpd -v log in the mail. Could somebody help me fix the issue. Where does the issue lies? Best regards, Jelle de Jong
Re: SSL_accept error from - somebody that could tell me what to do
Jelle de Jong:

> Jun 15 13:57:46 emily postfix/smtpd[23401]: input attribute name: seed
> Jun 15 13:57:46 emily postfix/smtpd[23401]: input attribute value: YuvlIV0a1sMFU6JK6BcvsKr6WJm8YP7zsFNJz/XEv+w=
> Jun 15 13:57:46 emily postfix/smtpd[23401]: private/tlsmgr: wanted attribute: (list terminator)
> Jun 15 13:57:46 emily postfix/smtpd[23401]: input attribute name: (end)
> Jun 15 13:57:46 emily postfix/smtpd[23401]: SSL_accept error from sepaip2.webish.nl[77.243.228.161]: -1
> Jun 15 13:57:46 emily postfix/smtpd[23401]: match_hostname: sepaip2.webish.nl ~? 127.0.0.0/8

Code fragment:

    sts = tls_bio_accept(vstream_fileno(props->stream), props->timeout, TLScontext);
    if (sts <= 0) {
        msg_info("SSL_accept error from %s: %d", props->namaddr, sts);
        tls_print_errors();
        tls_free_context(TLScontext);
        return (0);
    }

This means that the OpenSSL library error stack did not contain any additional information about the problem. Maybe the client-side logging is more informative.

Wietse
Doubt about smtpd_delay_reject
Hi,

when I set smtpd_delay_reject = yes, all restrictions (helo, sender, client and recipients) will be applied just in the RCPT TO stage.

So, In my main.cf, I can put all restrictions in the smtpd_recipient_restrictions?

Or I must put each restrictions in each stage?

[]'s

--
Eduardo Júnior
GNU/Linux user #423272
:wq
backup mx and with header checks
List,

I operate a backup mx for one of my customers. In doing so, I have run into an issue where I must accept all email regardless of whether or not the message is destined for a valid email account in my customer's email system (which is MS Exchange 2003).

I thought about asking my customer if they would export a list of email addresses for which they want backup MX service so I can place that in a relay_recipient_map, but that process requires ongoing admin time and might not appeal to them.

The majority of the junk mail I am seeing is in the form of From: u...@domain and RCPT: u...@domain which is obviously forged.

Would a header_check be the way to go here in order to match and discard the junk mail in this case? If so, what would the pcre check look like?

I understand that legitimate users wouldn't be able to send themselves email, but that's fine with me.

best regards,
_Terry
Re: Doubt about smtpd_delay_reject
* Eduardo Júnior ihtrau...@gmail.com:

> Hi, when I set smtpd_delay_reject = yes, all restrictions (helo, sender, client and recipients) will be applied just in the RCPT TO stage.

Yes. It's the default.

> So, In my main.cf, I can put all restrictions in the smtpd_recipient_restrictions?

Yes.

> Or I must put each restrictions in each stage?

No.

--
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung
Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
You know the world is going crazy when the best rapper is a white guy, the best golfer is a black guy, France is accusing the US of arrogance, and Germany doesn't want to go to war.
Re: SSL_accept error from - somebody that could tell me what to do
Wietse Venema wrote:

> Jelle de Jong:
>
>> Jun 15 13:57:46 emily postfix/smtpd[23401]: input attribute name: seed
>> Jun 15 13:57:46 emily postfix/smtpd[23401]: input attribute value: YuvlIV0a1sMFU6JK6BcvsKr6WJm8YP7zsFNJz/XEv+w=
>> Jun 15 13:57:46 emily postfix/smtpd[23401]: private/tlsmgr: wanted attribute: (list terminator)
>> Jun 15 13:57:46 emily postfix/smtpd[23401]: input attribute name: (end)
>> Jun 15 13:57:46 emily postfix/smtpd[23401]: SSL_accept error from sepaip2.webish.nl[77.243.228.161]: -1
>> Jun 15 13:57:46 emily postfix/smtpd[23401]: match_hostname: sepaip2.webish.nl ~? 127.0.0.0/8
>
> Code fragment:
>
>     sts = tls_bio_accept(vstream_fileno(props->stream), props->timeout, TLScontext);
>     if (sts <= 0) {
>         msg_info("SSL_accept error from %s: %d", props->namaddr, sts);
>         tls_print_errors();
>         tls_free_context(TLScontext);
>         return (0);
>     }
>
> This means that the OpenSSL library error stack did not contain any additional information about the problem. Maybe the client-side logging is more informative.
>
> Wietse

Thank you Wietse, I have asked the other server party to see if they can send me the logs, I hope they will send them, they say the problem is on my end, but I have no diffidence for that so far. I will also send the debug info to the openssl mailinglist and see if they know what to do. If somebody has any more ideas please share them.

Best regards,
Jelle de Jong
Re: delay between delivery for a specific transport.
Stéphane MERLE:

> Hi,
>
> Can I set the parameter : transport_destination_rate_delay to less than a second ?

Can you read the documentation?

> if not, where is that sleep() in the code ?

There is no sleep in the code. The delay is enforced by the scheduler, and the scheduler cannot use sleep() as that would also cause delays for all other deliveries.

Wietse

> Thanks,
> Stéphane
>
> Stéphane MERLE wrote:
>
>> Hi,
>>
>> I try to add a 1 second delay between each smtp sent to a specific transport. I followed this help file (in french as I feel more comfortable in this language) : http://postfix.traduc.org/index.php/QSHAPE_README.html#deferred_queue
>>
>> so I did :
>>
>> /etc/postfix/transport:
>>     problem.exemple.com slow:[dead.host]
>>
>> /etc/postfix/master.cf:
>>     # service type private unpriv chroot wakeup maxproc command
>>     slow unix - - n - 1 smtp
>>         -o fallback_relay=problem.exemple.com
>>         -o smtp_connect_timeout=1
>>
>> the domain are : hotmail.fr and hotmail.com
>>
>> I also add this in the master.cf :
>>
>>     hotmail_tr unix - - n - 1 smtp
>>
>> and this to main.cf
>>
>>     hotmail_tr_destination_concurrency = 1
>>     hotmail_tr_destination_concurrency_limit = 2
>>     hotmail_tr_destination_rate_delay=10
>>     transport_maps = hash:/etc/postfix/transport
>>
>> but still no delay between each try or retry ...
>>
>> any help would be appreciated ...
>>
>> Stéphane
Re: delay between delivery for a specific transport.
Wietse Venema wrote:

> Stéphane MERLE:
>
>> Hi,
>>
>> Can I set the parameter : transport_destination_rate_delay to less than a second ?
>
> Can you read the documentation?

I am sorry, again, I apologize, I do not want to waste your time or the one anybody would spend to help me out ... but this is my major problem, it's not easy to find information on that parameter : destination_rate_delay

The only page showing up with the search box in the postfix.org page is : http://www.postfix.org/announcements/postfix-2.5.7.html

I am scanning the source code and I think that I am going the wrong way..., either I set even if the 1s pause looks like pleasing hotmail, this will not be usable for the amount of email we send (multi million a day).

Is there other ways to drop the rate delivery for a specific transport ? I tried hotmail_tr_destination_concurrency_limit to 1 but it was not enough low ...

Again, if you feel that this question shouldn't be asked here, please tell me where to go and ask, I understand that you must have other more interesting/important things to do :o)

Stéphane

>> if not, where is that sleep() in the code ?
>
> There is no sleep in the code. The delay is enforced by the scheduler, and the scheduler cannot use sleep() as that would also cause delays for all other deliveries.
>
> Wietse
>
>> Thanks,
>> Stéphane
>>
>> Stéphane MERLE wrote:
>>
>>> Hi,
>>>
>>> I try to add a 1 second delay between each smtp sent to a specific transport. I followed this help file (in french as I feel more comfortable in this language) : http://postfix.traduc.org/index.php/QSHAPE_README.html#deferred_queue
>>>
>>> so I did :
>>>
>>> /etc/postfix/transport:
>>>     problem.exemple.com slow:[dead.host]
>>>
>>> /etc/postfix/master.cf:
>>>     # service type private unpriv chroot wakeup maxproc command
>>>     slow unix - - n - 1 smtp
>>>         -o fallback_relay=problem.exemple.com
>>>         -o smtp_connect_timeout=1
>>>
>>> the domain are : hotmail.fr and hotmail.com
>>>
>>> I also add this in the master.cf :
>>>
>>>     hotmail_tr unix - - n - 1 smtp
>>>
>>> and this to main.cf
>>>
>>>     hotmail_tr_destination_concurrency = 1
>>>     hotmail_tr_destination_concurrency_limit = 2
>>>     hotmail_tr_destination_rate_delay=10
>>>     transport_maps = hash:/etc/postfix/transport
>>>
>>> but still no delay between each try or retry ...
>>>
>>> any help would be appreciated ...
>>>
>>> Stéphane
Re: tcp policy service and spawn
Michael Moritz: Hi, my apologies if this has been answered before. I was just reading through the smtpd_policy_readme and documentation on spawn but I'm looking for clarification of this. Let's say I have this in main.cf smtpd_recipient_restrictions = reject_unauth_destination check_policy_service inet:127.0.0.1: The readme says also to put a corresponding spawn entry into master.cf. Now I just tried with a tcp server on port that always replies dunno but *without* the spawn entry in master.cf and it works. At least with one manually produced smtp session. You don't HAVE to run the policy daemon from master.cf. It's just a convenience for getting the thing started on demand. Wietse Is there a reason why I should use spawn? Something like parallelism that I don't understand? spawn seems resource intensive and a tcp server would listen, start a new thread on connect and close the connection after action=... (or probably wait for the socket being closed) Thanks for any help Michael
Re: backup mx and with header checks
On Monday, June 15, 2009 at 16:49 CEST, Terry L. Inzauro tinza...@ha-solutions.net wrote: I operate a backup mx for one of my customers. In doing so, I have run into an issue where I must accept all email regardless of weather or not the messages is destined for a valid email account in my customers email system (which is MS Exchange 2003). I thought about asking my customer is they would export a list of email addresses for which they want backup MX service for so I can place that in a relay_recipient_map, but that process requires ongoing admin time and might not appeal to them. The majority of the junk mail I am seeing is in the form of From: u...@domain and RCPT: u...@domain which is obviously forged. Would a header_check be the way to go here in order to match and discard the junk mail in this case? If so, what would the pcre check look like? header_checks cannot be used like that. Besides, it wouldn't solve the backscatter problem. Either obtain a full recipient list for use with relay_recipient_maps, use recipient address verification, or don't be a backup MX. -- Magnus Bäck mag...@dsek.lth.se
Re: backup mx and with header checks
Terry L. Inzauro wrote: List, I operate a backup mx for one of my customers. In doing so, I have run into an issue where I must accept all email regardless of weather or not the messages is destined for a valid email account in my customers email system (which is MS Exchange 2003). I thought about asking my customer is they would export a list of email addresses for which they want backup MX service for so I can place that in a relay_recipient_map, but that process requires ongoing admin time and might not appeal to them. If their system rejects unknown recipients during SMTP, you can use the reject_unverified_recipient feature to let postfix manage the valid recipient list for you. Do this inside a check_recipient_access map to limit the address probes to only this domain. http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient The majority of the junk mail I am seeing is in the form of From: u...@domain and RCPT: u...@domain which is obviously forged. Would a header_check be the way to go here in order to match and discard the junk mail in this case? If so, what would the pcre check look like? header_checks examines one header at a time, so you can't compare From: To:. You can use a policy server such as postfwd to compare envelope sender vs. recipient, or a content_filter such as spamassassin to compare the headers. I understand that legitimate users wouldn't be able to send themselves email, but that fine with me. -- Noel Jones
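Two suggestions from these threads fit together: a policy service reached over TCP with no spawn entry in master.cf, and a policy server that compares envelope sender with envelope recipient. The following is an added example, not code from the posts or from postfwd; the port 10040 and the domain example.com are assumptions, and the sample requests are constructed.

```python
"""Added example: stand-alone Postfix policy service (no spawn entry).

Assumed main.cf hook (the port is an assumption, not from the thread):
    check_policy_service inet:127.0.0.1:10040
"""
import socketserver

LISTEN = ("127.0.0.1", 10040)        # assumed port
PROTECTED_DOMAINS = {"example.com"}  # assumed backup-MX domain

# Constructed sample requests in the policy delegation wire format:
# one name=value attribute per line, terminated by an empty line.
SAMPLE_FORGED = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.7\n"
    "sender=User@Example.com\n"
    "recipient=user@example.com\n"
    "\n"
)
SAMPLE_NORMAL = SAMPLE_FORGED.replace(
    "sender=User@Example.com", "sender=alice@other.test")


def parse_request(text):
    """Turn name=value lines into a dict; stop at the empty terminator."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, protected=PROTECTED_DOMAINS):
    """Return an access(5) action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("sasl_username"):
        return "DUNNO"  # authenticated submissions are left alone
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    domain = recipient.rpartition("@")[2]
    # Envelope sender identical to envelope recipient, for a domain we
    # relay for: the forgery pattern described in the thread.
    if sender and sender == recipient and domain in protected:
        return "REJECT envelope sender equals recipient"
    return "DUNNO"


def format_reply(action):
    """Replies are a single action= line followed by an empty line."""
    return "action=%s\n\n" % action


class PolicyHandler(socketserver.StreamRequestHandler):
    """Answers every request on a connection until the peer closes it."""

    def handle(self):
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(format_reply(action).encode("ascii"))
            lines = []


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    with PolicyServer(LISTEN, PolicyHandler) as server:
        server.serve_forever()
```

Because the check runs at RCPT time, a match is refused during the SMTP dialogue, so the backup MX never queues the message and never has to bounce it.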
Re: backup mx and with header checks
Terry L. Inzauro wrote: List, I operate a backup mx for one of my customers. In doing so, I have run into an issue where I must accept all email regardless of whether or not the message is destined for a valid email account in my customer's email system (which is MS Exchange 2003). I thought about asking my customer if they would export a list of email addresses for which they want backup MX service for so I can place that in a relay_recipient_map, but that process requires ongoing admin time and might not appeal to them. so they have accepted to get forged mail The majority of the junk mail I am seeing is in the form of From: u...@domain and RCPT: u...@domain which is obviously forged. Would a header_check be the way to go here in order to match and discard the junk mail in this case? If so, what would the pcre check look like? i wouldn't start solving this with header checks, you might use clamav-milter with sanesecurity antispam, antiphish signatures, if you really have to accept all mails, set it up to quarantine in hold the spam found mails, let the customer pay your manual inspection of the held mail, (alternative let it reject on income smtp level which normally is fine with any law problems, consider to use rbls if possible) after all, change the customer *g I understand that legitimate users wouldn't be able to send themselves email, but that fine with me. best regards, _Terry -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Accepting A Specific Network
I am having a problem with a network that does not have reverse DNS at this time. I am trying to configure postfix (v2.1.5) so that it will accept hosts from that network. I thought the order of the commands in 'smtpd_client_restrictions' section was significant but it does not seem to work. I put my 'smtpdreject' hash first: smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/smtpdreject reject_non_fqdn_sender reject_unknown_sender_domain permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_sender_access hash:/etc/postfix/sender_whitelist reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net reject_rbl_client cbl.abuseat.org reject_rbl_client dnsbl.njabl.org The 'smtpdreject' contains, as the first entry: nnn.nnn.nnn.0 OK However, hosts from that network still are being rejected because there is no reverse DNS. What am I doing wrong? Thanks. Dennis Putnam Sr. IT Systems Administrator AIM Systems, Inc. 11675 Rainwater Dr., Suite 200 Alpharetta, GA 30009 Phone: 678-240-4112 Main Phone: 678-297-0700 FAX: 678-297-2666 or 770-576-1000
Re: Accepting A Specific Network
On Monday, June 15, 2009 at 18:51 CEST, Dennis Putnam dennis.put...@aimaudit.com wrote: I am having a problem with a network that does not have reverse DNS at this time. I am trying to configure postfix (v2.1.5) so that it will accept hosts from that network. I thought the order of the commands in 'smtpd_client_restrictions' section was significant but it does not seem to work. I put my 'smtpdreject' hash first: smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/smtpdreject reject_non_fqdn_sender reject_unknown_sender_domain permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_sender_access hash:/etc/postfix/sender_whitelist reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net reject_rbl_client cbl.abuseat.org reject_rbl_client dnsbl.njabl.org The 'smtpdreject' contains, as the first entry: nnn.nnn.nnn.0 OK However, hosts from that network still are being rejected because there is no reverse DNS. What am I doing wrong? Thanks. None of the restrictions above reject clients without a working reverse lookup. You probably have a reject_unknown_client elsewhere. As always, show logs and postconf -n output. -- Magnus Bäck mag...@dsek.lth.se
Re: Accepting A Specific Network
Dennis Putnam wrote: The 'smtpdreject' contains, as the first entry: nnn.nnn.nnn.0 OK As Magnus points out, this is too little information. Also, this will never match anything. access(5) says that: net.work.addr.ess net.work.addr net.work net Matches the specified IPv4 host address or subnetwork. An IPv4 host address is a sequence of four decimal octets separated by ".". Subnetworks are matched by repeatedly truncating the last ".octet" from the remote IPv4 host address string until a match is found in the access table, or until further truncation is not possible. If your Postfix supports cidr tables (check with postconf -m), it may be simpler to use those for the familiar netmask syntax. In addition, it is unwise to blanket OK untrusted networks before reject_unauth_destination.
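The truncation rule quoted from access(5) above can be traced in a few lines. This is an added example, not Postfix code: it models only the IPv4 address keys of an indexed (hash) table next to a cidr table, and the 192.0.2.x addresses and table contents are constructed stand-ins for the elided nnn.nnn.nnn network.

```python
"""Added example: IPv4 key lookup for an indexed access(5) table
compared with a cidr table. Models the address keys only."""
import ipaddress

# Constructed tables; 192.0.2.0/24 stands in for the elided network.
ENTRY_WITH_ZERO = "192.0.2.0   OK\n"     # the style used in the question
ENTRY_TRUNCATED = "192.0.2     OK\n"     # subnetwork form from access(5)
ENTRY_CIDR = "192.0.2.0/24 OK\n"         # cidr table form


def lookup_keys(client_ip):
    """Keys tried in order: the full address, then the address with the
    last ".octet" removed, repeated until one octet is left."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def parse_table(text):
    """Read 'pattern action' lines, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        table[fields[0]] = fields[1].strip()
    return table


def check_indexed(table, client_ip):
    """Return (matched key, action), or (None, None) when nothing matches."""
    for key in lookup_keys(client_ip):
        if key in table:
            return key, table[key]
    return None, None


def parse_cidr(text):
    """Read 'network/prefix action' lines in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        rules.append((ipaddress.ip_network(fields[0]), fields[1].strip()))
    return rules


def check_cidr(rules, client_ip):
    """cidr tables are searched in order; the first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr in net:
            return str(net), action
    return None, None


if __name__ == "__main__":
    client = "192.0.2.55"
    print("keys tried:", lookup_keys(client))
    print("entry ending in .0:", check_indexed(parse_table(ENTRY_WITH_ZERO), client))
    print("truncated entry:  ", check_indexed(parse_table(ENTRY_TRUNCATED), client))
    print("cidr entry:       ", check_cidr(parse_cidr(ENTRY_CIDR), client))
```

For client 192.0.2.55 the keys tried are 192.0.2.55, 192.0.2, 192.0 and 192, so an entry written with a trailing .0 is never among them.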
Problem with 450 bounce notices
I'm hoping someone knows the key to this. I use a backup MX service to accompany my Postfix mail server. Right now the Backup MX service has more than 1,200 messages waiting to be delivered. As near as I can tell (from the Postfix logs) all of them are addressed to addresses that either never existed or no longer exist. The Postfix log indicates it is bouncing them with a 450 (temporary bounce) instead of a 550. So the Backup MX service is keeping them and continually trying to re-send. I've checked the main.cf. The following two lines are as listed in the file: unknown_local_recipient_reject_code = 550 soft_bounce = no To complicate things further, when I sent a test message to an invalid address, I quickly get a 550 response. It appears it's giving 450 responses to some senders and 550 responses to others, even when the same invalid address is used. Thanks for any assistance.
Re: Problem with 450 bounce notices
I use a backup MX service to accompany my Postfix mail server. Right now the Backup MX service has more than 1,200 messages waiting to be delivered. As near as I can tell (from the Postfix logs) all of them are addressed to addresses that either never existed or no longer exist. The Postfix log indicates it is bouncing them with a 450 (temporary bounce) instead of a 550. So the Backup MX service is keeping them and continually trying to re-send. I've checked the main.cf. The following two lines are as listed in the file: unknown_local_recipient_reject_code = 550 soft_bounce = no Please post the unedited output (except for passwords/private data) from postconf -n, as well as log entries showing unknown recipients being bounced with 450 and 550. Terry
Re: backup mx and with header checks
Terry L. Inzauro wrote: Noel Jones wrote: Terry L. Inzauro wrote: List, I operate a backup mx for one of my customers. In doing so, I have run into an issue where I must accept all email regardless of weather or not the messages is destined for a valid email account in my customers email system (which is MS Exchange 2003). I thought about asking my customer is they would export a list of email addresses for which they want backup MX service for so I can place that in a relay_recipient_map, but that process requires ongoing admin time and might not appeal to them. If their system rejects unknown recipients during SMTP, you can use the reject_unverified_recipient feature to let postfix manage the valid recipient list for you. Do this inside a check_recipient_access map to limit the address probes to only this domain. http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient The majority of the junk mail I am seeing is in the form of From: u...@domain and RCPT: u...@domain which is obviously forged. Would a header_check be the way to go here in order to match and discard the junk mail in this case? If so, what would the pcre check look like? header_checks examines one header at a time, so you can't compare From: To:. You can use a policy server such as postfwd to compare envelope sender vs. recipient, or a content_filter such as spamassassin to compare the headers. I understand that legitimate users wouldn't be able to send themselves email, but that fine with me. -- Noel Jones I like the idea of verifying addresses, but this stuck out. snip from the Postfix Address Verification Howto WARNING The sender/recipient address verification feature described in this document is suitable only for low-traffic sites. It performs poorly under high load; excessive sender address verification activity may even cause your site to be blacklisted by some providers. See the Limitations section below for details. /snip -- what does the author consider as being low traffic? 
Whatever the performance of address verification, it will beat the dickens out of accepting and bouncing undeliverable mail. -- Noel Jones
Re: Signing outgoing mailman mail with DKIM
Zbigniew Szalbot wrote: Hello, I used to have a working setup where all outgoing mail, including mailman, was being signed. However, I decided to stop using maia for content scanning (most of my mail is variuos subscriptions sent to outside users) and just sign the outgoing mail with DKIM. So I changed the entry in main.cf to say this: smtpd_milters = inet:127.0.0.1:4445 non_smtpd_milters = inet:127.0.0.1:4445 This does what I want as DKIM-filter is listening on port 4445 and is indeed singing outgoing mail. However, I am not sure why, mailman lists emails are no longer being signed. Here is the entry in mailman that I have been using all the time. mailman unix - n n - - pipe flags=FR user=mailman:mailman argv=/usr/local/mailman/postfix-to-mailman.py ${nexthop} ${user} -o milter_macro_daemon_name=ORIGINATING -o smtpd_milters=inet:127.0.0.1:4445 And it has always worked well but not anymore. I mean the outgoing mail is not being signed. Is there any apparent flaw in my setup? I guess there is but I would appreciate if you could give me some pointers. I am using postfix-2.5.6,1 on a FreeBSD 7.2 system. Thank you very much in advance! Zbigniew Szalbot The -o smtpd_milters... and -o milter... in your entry above is not used; those options are a property of smtpd, not pipe. As a consequence, dkim-milter never processes your mailman mail, so they aren't signed. To fix this, you can run an smtpd listener on another port including the milter options, and configure your mailman to submit to that port. -- Noel Jones
Re: backup mx and with header checks
Terry L. Inzauro wrote, at 06/15/2009 01:52 PM: I like the idea of verifying addresses, but this stuck out. snip from the Postfix Address Verification Howto WARNING The sender/recipient address verification feature described in this document is suitable only for low-traffic sites. It performs poorly under high load; excessive sender address verification activity may even cause your site to be blacklisted by some providers. See the Limitations section below for details. /snip what does the author consider as being low traffic? As long as you follow Noel's advice and don't accidentally the whole Internet, you'll be fine. :) Furthermore, you may want to configure the optional persistent verification database and tweak the settings as needed to reduce excessive probes to the domain: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#caching http://www.postfix.org/verify.8.html Keep in mind that this approach (recipient address verification) is better suited for gateways and is a somewhat imperfect match for a backup MX. If the primary goes offline, there is still a risk that your backup server will reject legitimate addresses that are not present in the cache. Nonetheless, it is better than becoming a backscatter source (though a real dump of valid recipients is far preferable).
Re: Postfix-2.6.0 RPM
On Sun, May 24, 2009 at 9:07 AM, Simon J Muddsjm...@pobox.com wrote: sjm...@pobox.com (Simon J Mudd) writes: For those interested I've updated the packages and you should be able to find: postfix-2.6.0-1.src.rpm and postfix-2.6.0-1.rhel5.x86_64.rpm Updated to 2.6.1 as I hadn't seen Wietse's 2.6.1 update. Simon Simon, Thanks for your efforts and hard work. Is the 2.6.1 RPM download still available? I can't seem to find it unless I am looking under the wrong spot. - Carlos
Re: delay between delivery for a specific transport.
Wietse Venema: Stéphane MERLE: even if the 1s pause looks like pleasing hotmail, this will not be usable for the amount of email we send (multi million a day). Is there other ways to drop the rate delivery for a specific transport ? I suppose you overlooked this text in the documentation: To enable the delay, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds). This answers your question about less-than-one second delays. Currently, the only way to have sub-second delays in Postfix is to sleep in the SMTP client. For example, a crude solution would look like this: if (strcasecmp(request->nexthop, "hotmail.com") == 0) usleep(1); Wietse
SASL authentication failure
This is just probably a harmless warning; however, I was wondering how to make it go away if possible. I am using 'clamsmtpd' with postfix. I have SASL enabled as well. When I connect from my MUA, an error message regarding SALA authentication failure is placed in the maillog. The message is sent never-the-less. This is a copy of the maillog: Jun 15 09:53:15 scorpio postfix/smtpd[32177]: connect from localhost[127.0.0.1] Jun 15 09:53:15 scorpio postfix/smtpd[32177]: warning: SASL authentication failure: no user in db Jun 15 09:53:15 scorpio postfix/smtpd[32177]: 163F1229B9: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=XX Jun 15 09:53:15 scorpio postfix/cleanup[32180]: 163F1229B9: message-id=20090615095314.2dc16...@scorpio.seibercom.net Jun 15 09:53:15 scorpio postfix/qmgr[32134]: 163F1229B9: from=xxx...@x.xxx, size=615, nrcpt=1 (queue active) Jun 15 09:53:15 scorpio postfix/smtpd[32177]: disconnect from localhost[127.0.0.1] Jun 15 09:53:15 scorpio clamsmtpd: 100045: accepted connection from: 127.0.0.1 Jun 15 09:53:15 scorpio postfix/smtpd[32182]: connect from localhost[127.0.0.1] Jun 15 09:53:15 scorpio postfix/smtpd[32182]: warning: SASL authentication failure: no user in db This is the postconf -n: alias_database = hash:/usr/local/etc/postfix/aliases alias_maps = hash:/usr/local/etc/postfix/aliases broken_sasl_auth_clients = yes command_directory = /usr/local/sbin config_directory = /usr/local/etc/postfix content_filter = scan:[127.0.0.1]:10025 daemon_directory = /usr/local/libexec/postfix data_directory = /var/db/postfix debug_peer_level = 2 html_directory = no inet_interfaces = all mail_owner = postfix mail_spool_directory = /var/mail mailq_path = /usr/local/bin/mailq manpage_directory = /usr/local/man mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mydomain = seibercom.net mynetworks_style = class myorigin = $mydomain newaliases_path = /usr/local/bin/newaliases queue_directory = /var/spool/postfix readme_directory = no 
sample_directory = /usr/local/etc/postfix sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay sendmail_path = /usr/local/sbin/sendmail setgid_group = maildrop smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_sasl_type = cyrus smtp_sender_dependent_authentication = yes smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem smtp_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem smtp_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem smtp_tls_loglevel = 0 smtp_tls_security_level = may smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = smtpd_sasl_path = smtpd smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = moanonymous smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem smtpd_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem smtpd_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_tls_session_cache tls_random_source = dev:/dev/urandom unknown_local_recipient_reject_code = 550 -- Jerry -- Gerard postfix.u...@yahoo.com TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html Have at you!
Re: backup mx and with header checks
2009/6/16 Terry L. Inzauro tinza...@ha-solutions.net: I like the idea of verifying addresses, but this stuck out. snip from the Postfix Address Verification Howto WARNING The sender/recipient address verification feature described in this document is suitable only for low-traffic sites. It performs poorly under high load; excessive sender address verification activity may even cause your site to be blacklisted by some providers. See the Limitations section below for details. I think this warning really applies more to the wider internet, as opposed to infrastructure that you maintain/own/control yourself. In short, people don't like extra traffic. Sender/recipient verification is extra traffic. Recipient verification is usually discussed for exactly the situation you're in; you only perform recipient verification for domains that you accept inbound mail for, and only because you can't get an address list ahead of time. Obviously it's silly to be blacklisted by your own downstream MTA, it's assumed you're whitelisted because you're a backup MX.
Re: Problem with 450 bounce notices
I'm hoping someone knows the key to this. I use a backup MX service to accompany my Postfix mail server. Right now the Backup MX service has more than 1,200 messages waiting to be delivered. As near as I can tell (from the Postfix logs) all of them are addressed to addresses that either never existed or no longer exist. The Postfix log indicates it is bouncing them with a 450 (temporary bounce) instead of a 550. So the Backup MX service is keeping them and continually trying to re-send. I've checked the main.cf. The following two lines are as listed in the file: unknown_local_recipient_reject_code = 550 soft_bounce = no To complicate things further, when I sent a test message to an invalid address, I quickly get a 550 response. It appears it's giving 450 responses to some senders and 550 responses to others, even when the same invalid address is used. You have reject_unverified_recipient enabled and the verification is failing. Terry smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access hash:/etc/postfix/access, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, *reject_unverified_recipient* http://www.postfix.org/postconf.5.html#reject_unverified_recipient
Re: SASL authentication failure
* Gerard postfix.u...@yahoo.com: This is just probably a harmless warning; however, I was wondering how to make it go away if possible. I am using 'clamsmtpd' with postfix. I have SASL enabled as well. When I connect from my MUA, an error message regarding SALA authentication failure is placed in the maillog. The message is sent never-the-less. This is a copy of the maillog: Jun 15 09:53:15 scorpio postfix/smtpd[32177]: connect from localhost[127.0.0.1] Jun 15 09:53:15 scorpio postfix/smtpd[32177]: warning: SASL authentication failure: no user in db Jun 15 09:53:15 scorpio postfix/smtpd[32177]: 163F1229B9: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=XX Jun 15 09:53:15 scorpio postfix/cleanup[32180]: 163F1229B9: message-id=20090615095314.2dc16...@scorpio.seibercom.net Jun 15 09:53:15 scorpio postfix/qmgr[32134]: 163F1229B9: from=xxx...@x.xxx, size=615, nrcpt=1 (queue active) Jun 15 09:53:15 scorpio postfix/smtpd[32177]: disconnect from localhost[127.0.0.1] Jun 15 09:53:15 scorpio clamsmtpd: 100045: accepted connection from: 127.0.0.1 Jun 15 09:53:15 scorpio postfix/smtpd[32182]: connect from localhost[127.0.0.1] Jun 15 09:53:15 scorpio postfix/smtpd[32182]: warning: SASL authentication failure: no user in db This is the postconf -n: alias_database = hash:/usr/local/etc/postfix/aliases alias_maps = hash:/usr/local/etc/postfix/aliases broken_sasl_auth_clients = yes command_directory = /usr/local/sbin config_directory = /usr/local/etc/postfix content_filter = scan:[127.0.0.1]:10025 daemon_directory = /usr/local/libexec/postfix data_directory = /var/db/postfix debug_peer_level = 2 html_directory = no inet_interfaces = all mail_owner = postfix mail_spool_directory = /var/mail mailq_path = /usr/local/bin/mailq manpage_directory = /usr/local/man mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mydomain = seibercom.net mynetworks_style = class myorigin = $mydomain newaliases_path = /usr/local/bin/newaliases queue_directory = 
/var/spool/postfix readme_directory = no sample_directory = /usr/local/etc/postfix sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay sendmail_path = /usr/local/sbin/sendmail setgid_group = maildrop smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_sasl_type = cyrus smtp_sender_dependent_authentication = yes smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem smtp_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem smtp_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem smtp_tls_loglevel = 0 smtp_tls_security_level = may smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = smtpd_sasl_path = smtpd
Is the concatenation of smtpd_sasl_local_domain and smtpd_sasl_path on purpose? It usually should be:
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
As for your problem: If no application is required to authenticate when it connects on localhost set this and AUTH will not be offered on localhost:
smtpd_sasl_exception_networks = 127.0.0.0/8
The other, right way [tm] to solve your problem would be to tell the app that connects on localhost to stop trying to authenticate if it hasn't been configured to do so.
p...@rick -- All technical answers asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified. saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: SSL_accept error from - somebody that could tell me what to do
On Mon, Jun 15, 2009 at 04:48:26PM +0200, Jelle de Jong wrote: Thank you Wietse, I have asked the other server party to see if they can send me the logs, I hope they will send them, they say the problem is on my end, but I have no diffidence for that so far. I will also send the debug info to the openssl mailing list and see if they know what to do. Obtain ssldump (has not been updated for a while, but is still quite usable). Apply ssldump (or wireshark) to a full (no truncation of packets) packet capture of the session. Then post the ssldump output. The OpenSSL-users list is only appropriate once you have reasons to suspect that you actually have an OpenSSL related issue and not a network issue, ... -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: Header Filter Time Range
On 15-Jun-2009, at 02:52, EASY steve.h...@digitalcertainty.co.uk wrote: Look at it like this, if you go to the supermarket when it is closed for business you don't expect to be able to get in :-) Supermarkets close? But what about mailing lists? I sent my message at 0200 or so this morning, easily in your reject/defer time range. -- Adolescence is the period between childhood and adultery
Multiple groups for user in pipe entry master.cf
Hi, running Postfix 2.4.5 According to http://www.postfix.org/pipe.8.html it is possible to define a 'user:group' in a pipe entry in master.cf: user=username:groupname Execute the external command with the rights of the specified username. The software refuses to execute commands with root privileges, or with the privileges of the mail system owner. If groupname is specified, the corresponding group ID is used instead of the group ID of username. Let's assume we have: user: appuser primary group: appgroup1 other groups where appuser is listed in /etc/group: appgroup7 and appgroup8 It seems that if we use appuser as username in the pipe entry in master.cf, without defining a group, the script is executed as appuser with the primary group: appgroup1. As expected, if we define for example appuser:appgroup8, the script is executed as user appuser with group appgroup8. My question: is it possible to have the script executed by the user, where the user has all groups 'active' (appgroup1, appgroup7 and appgroup8). It seems the 'groupname' in the pipe entry in master.cf does not allow for a list of groups? Or is it intentional that only one group can be selected (maybe for security reasons)? /rolf
Re: Illegal mix of collations error
On Mon, Jun 8, 2009 at 10:09 AM, Darren Pilgrim post...@bitfreak.org wrote: Simon wrote: Jun 8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: warning: mysql query failed: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '=' Jun 8 07:15:19 mail-in1 postfix/trivial-rewrite[23183]: fatal: mysql:/etc/postfix/mysql-transport.cf(0,lock|fold_fix): table lookup problem I have googled and have not really found a solution to this issue... can anyone assist please? This is usually due to comparing a string literal to a function return or a table with collation set to something other than latin1_swedish_ci (what it should be for email addresses). Email addresses are always latin1 case-insensitive. This URL will give you some useful hints: http://www.google.com/search?q=Illegal+mix+of+collations+site%3Amysql.com Short answer: change the collation on your table or force collation on your string literal(s). Thanks for the reply on this. I have now changed the collation of the tables to latin1_swedish_ci, but am still getting these errors. Don't quite understand what to do from here? Can anyone assist further please? Thanks!! Simon
Re: Multiple groups for user in pipe entry master.cf
Wietse Venema wrote: Rolf E. Sonneveld: [ Charset ISO-8859-1 unsupported, converting... ] Hi, running Postfix 2.4.5 According to http://www.postfix.org/pipe.8.html it is possible to define a 'user:group' in a pipe entry in master.cf: *user*=/username/:/groupname/ Execute the external command with the rights of the specified /username/. The software refuses to exe- This text could be more precise: Postfix executes the external command with the user ID and group ID of /username/. cute commands with root privileges, or with the privileges of the mail system owner. If /groupname/ is specified, the corresponding group ID is used instead of the group ID of /username/. Note, it says the group ID of username meaning it uses only one. thanks for your answer. Is there a way to file a 'request for enhancement' to ask for support of multiple groups in a future version of Postfix? /rolf
running a delivery agent as a daemon?
I'm running into some performance issues with the sheer volume of email I'm dealing with that is destined to a perl script for final email delivery. The start up cost of this particular perl script is not insubstantial, and is slowly bringing this poor box to its knees. I've done as much optimization as I can, and the only logical next step is to turn it into a daemon, so I no longer have to worry about the initial start up cost of this script. I've played around with creating a new service, when defined as a pipe, which works, but it still forks off a single process per mail that is to be delivered. I've tried to redo it by using spawn, but that's actually not working, and I don't think it will as I believe it will only hand over the headers as it would for my SPF+greylisting script, not the full body which I need. I fully expect to have to implement that can actually speak LMTP or something else postfix speaks, so I have no illusions that this is going to be super easy. Does anyone know of anything/anyone that currently does this? Any suggestions on how to configure postfix to talk to something else for delivery (preferably spawned off by postfix itself, but not a necessity)? I wasn't expect to be unable to find anything, as I would have guessed that this is probably #1 on the high performance list when doing something fancy, such as delivering to dovecot/cyrus/etc as I imagine those aren't overly cheap either. Unfortunately, my search has turned up not much, just the same old stuff on how to use a milter and the SPF/greylisting how-to's. 
If worse comes to worse, I can run this script as a daemon that accepts unix socket connections, then have the local delivery agent replacement just make a connection, spew the email over the connection and exit, but I was hoping to do something a bit more robust, as that solution means I'm bound to only one CPU at that point (part of the start up cost is DB connections and stuff, which can't be safely shared by perl processes that get forked off.)
Re: Disabling a domain
Eduardo Júnior wrote: Hi, On Fri, May 29, 2009 at 11:25 PM, Barney Desmond barneydesm...@gmail.com wrote: 2009/5/30 Eduardo Júnior ihtrau...@gmail.com: On Thu, May 28, 2009 at 11:15 PM, Sahil Tandon sa...@tandon.net wrote: What is your definition of 'disable' in this context?
In my context, disabling a domain would mean leaving it suspended, making it inactive. I didn't find more information about this field in the domain table of postfix to complete my understanding, so I'm a little confused. But for me, making a domain inactive means that it will not receive mail after I unset active. Or am I wrong?
This is really a feature of postfixadmin. Postfix just does what it's told, it's up to the map files used by postfixadmin that determine how it works. You can figure out what you need to change by inspecting the map files (usually /etc/postfix/mysql_something.cf), but it will take some work. It's been a while since I've touched postfix admin, but the edit-domain.php script seems to make the change you're referring to. You probably want the `domain` table (the name may be different), you can set the `active` field to False.
I read about mysql maps and now I understand how it works. My problem was that my /etc/postfix/mysql_something.cf didn't have an additional conditional in the postfix query. To enable what I want, I needed to add the directive additional_conditional = and active = '1' to my map and update this map.
you really should read postfix docs, on www.postfix.org. the new syntax is ... query = select oh and don't tell me where you got that active= thing. I don't understand why people add a column for this...
Re: running a delivery agent as a daemon?
Matt Burgoon wrote: I'm running into some performance issues with the sheer volume of email I'm dealing with that is destined to a perl script for final email delivery. The start up cost of this particular perl script is not insubstantial, and is slowly bringing this poor box to its knees. I've done as much optimization as I can, and the only logical next step is to turn it into a daemon, so I no longer have to worry about the initial start up cost of this script. I've played around with creating a new service, when defined as a pipe, which works, but it still forks off a single process per mail that is to be delivered. I've tried to redo it by using spawn, but that's actually not working, and I don't think it will as I believe it will only hand over the headers as it would for my SPF+greylisting script, not the full body which I need. I fully expect to have to implement something that can actually speak LMTP or something else postfix speaks, so I have no illusions that this is going to be super easy. Does anyone know of anything/anyone that currently does this? Any suggestions on how to configure postfix to talk to something else for delivery (preferably spawned off by postfix itself, but not a necessity)? I wasn't expecting to be unable to find anything, as I would have guessed that this is probably #1 on the high performance list when doing something fancy, such as delivering to dovecot/cyrus/etc as I imagine those aren't overly cheap either. Unfortunately, my search has turned up not much, just the same old stuff on how to use a milter and the SPF/greylisting how-to's.
If worse comes to worse, I can run this script as a daemon that accepts unix socket connections, then have the local delivery agent replacement just make a connection, spew the email over the connection and exit, but I was hoping to do something a bit more robust, as that solution means I'm bound to only one CPU at that point (part of the start up cost is DB connections and stuff, which can't be safely shared by perl processes that get forked off.)
start by telling us why you can't use maildrop.
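One shape the long-running delivery daemon discussed in this thread could take, as an added example that is not code from any poster: a small LMTP (RFC 2033) listener on a UNIX-domain socket. The function names and the `deliver` callback are hypothetical; the callback stands in for the poster's delivery logic and returns True on success.

```python
import socketserver
from itertools import takewhile

def _addr(arg):  # '<u@example.com> SIZE=1' -> 'u@example.com'; '<>' -> ''
    return (arg.split() or ["<>"])[0].strip("<>")

def lmtp_session(rfile, wfile, deliver):
    """Speak LMTP (RFC 2033) on one connection; deliver(sender, rcpt, msg) -> bool."""
    def reply(text):
        wfile.write(text.encode() + b"\r\n")
        wfile.flush()
    sender, rcpts = None, []
    reply("220 localhost LMTP ready")
    for raw in iter(rfile.readline, b""):
        line = raw.decode("ascii", "replace").strip()
        verb = line.upper()
        if verb.startswith("LHLO"):
            reply("250 localhost")
        elif verb.startswith("MAIL FROM:"):
            sender, rcpts = _addr(line[10:]), []
            reply("250 2.1.0 Ok")
        elif verb.startswith("RCPT TO:") and sender is not None:
            rcpts.append(_addr(line[8:]))
            reply("250 2.1.5 Ok")
        elif verb == "DATA" and rcpts:
            reply("354 End data with <CR><LF>.<CR><LF>")
            lines = takewhile(lambda d: d.rstrip(b"\r\n") != b".", iter(rfile.readline, b""))
            msg = b"".join(d[1:] if d.startswith(b".") else d for d in lines)  # undo dot-stuffing
            for rcpt in rcpts:  # LMTP: one status line per recipient after DATA
                ok = deliver(sender, rcpt, msg)
                reply(f"250 2.0.0 <{rcpt}> delivered" if ok else f"451 4.3.0 <{rcpt}> try later")
            sender, rcpts = None, []
        elif verb == "RSET":
            sender, rcpts = None, []
            reply("250 2.0.0 Ok")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        else:
            reply("503 5.5.1 Bad sequence of commands")

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        lmtp_session(self.rfile, self.wfile, self.server.deliver)

def serve(socket_path, deliver):  # long-lived: start-up cost is paid once, not per mail
    with socketserver.ThreadingUnixStreamServer(socket_path, Handler) as server:
        server.deliver = deliver
        server.serve_forever()
```

Threads keep the example short; running several such processes, each with its own database handles, would address the one-CPU concern raised in the post.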
Re: Multiple groups for user in pipe entry master.cf
Rolf E. Sonneveld: Wietse Venema wrote: Rolf E. Sonneveld: Hi, running Postfix 2.4.5 According to http://www.postfix.org/pipe.8.html it is possible to define a 'user:group' in a pipe entry in master.cf: *user*=/username/:/groupname/ Execute the external command with the rights of the specified /username/. The software refuses to exe- This text could be more precise: Postfix executes the external command with the user ID and group ID of /username/. cute commands with root privileges, or with the privileges of the mail system owner. If /groupname/ is specified, the corresponding group ID is used instead of the group ID of /username/. Note, it says the group ID of username meaning it uses only one. thanks for your answer. Is there a way to file a 'request for enhancement' to ask for support of multiple groups in a future version of Postfix? You can ask but I don't promise it will be implemented. System V.2 mail relied on group write permissions. It was utterly easy for users to screw up file permissions and break mail. It also is no good within Postfix because Postfix runs with an umask of 077. Wietse
Re: Signing outgoing mailman mail with DKIM
Zbigniew Szalbot wrote: Hello, I used to have a working setup where all outgoing mail, including mailman, was being signed. However, I decided to stop using maia for content scanning (most of my mail is various subscriptions sent to outside users) and just sign the outgoing mail with DKIM. So I changed the entry in main.cf to say this:
smtpd_milters = inet:127.0.0.1:4445
non_smtpd_milters = inet:127.0.0.1:4445
This does what I want as DKIM-filter is listening on port 4445 and is indeed signing outgoing mail. However, I am not sure why, mailman lists emails are no longer being signed. Here is the entry in mailman that I have been using all the time.
mailman unix - n n - - pipe flags=FR user=mailman:mailman argv=/usr/local/mailman/postfix-to-mailman.py ${nexthop} ${user} -o milter_macro_daemon_name=ORIGINATING -o smtpd_milters=inet:127.0.0.1:4445
you can repeat -o milter_macro_daemon_name=ORIGINATING 666 times, there is no chance that this will add dkim signing code in pipe or /.../...mailman.py. if you want your mail to be signed, get it go via something that signs mail. but why do you want to sign mailman (resent) mail? do you really think it will help you?
And it has always worked well but not anymore. I mean the outgoing mail is not being signed.
most of that outgoing mail has been generated by remote systems. the best you can do is preserve their signature (by not adding footer not munging reply-to headers). but given the amount of invalid yahoo mail I see, I lost hope in trying to preserve such sigs.
Is there any apparent flaw in my setup? I guess there is but I would appreciate if you could give me some pointers. I am using postfix-2.5.6,1 on a FreeBSD 7.2 system.
Re: customizing postfix logs with a mailing id
Stéphane MERLE wrote: Hi, First, I would like to apologize if I don't do things correctly, but English is not my mother language and I'm not always sure of what I understand ... (I think of Please do not top-post., which I thought I wasn't doing, as I stay in the same thread ...).
so I'll say it in french: Put your reply after the text you are replying to, as I am doing here.
My aim is to be able to separate bounced/sent statistics from the log file. Let's say we have 30 SMTP POSTFIX servers, and we send 10 different mailings for 3 or 4 different customers. For now, I can't tell my 1st client: your mailing number #4012 had 30% of bounces, 50% of sent and 20% of deferred that are still pending.
use VERP (embed the recipient and the mailing-id in the envelope sender). this means that you send one message per recipient, which may not be good for performance (although many list managers do it happily). if this is a problem, embed the mailing id but not the recipient. but whatever you do, please make sure to follow good practices for mass mailing. feel free to ask if you have any doubt (if you prefer french, you can contact me offlist, but I only look at my mail when I have time).
The only way to do that is to use one IP per mailing, which is not really easy. For that, I would like to have an ID (my mailing id) added to the logs [I do understand that postfix may not know exactly which mail is what when it bounced]. I would find a way out with the Return-Path if I could get it in the logs (not in a new line but within the sent or bounced lines, this way, I could parse it with grep).
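The VERP suggestion in this message, carried through to per-mailing statistics, as an added example that is not part of the original thread. The `bounce-<mailing id>-<user>=<domain>` address layout, the `lists.example.org` domain, the function names and the log lines are assumptions constructed for illustration. Postfix logs the envelope sender on the qmgr line and the status on the delivery line, so the two are joined on the queue ID.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines. Assumed VERP layout: bounce-<mailing id>-<user>=<domain>@lists.example.org
SAMPLE_LOG = """\
Jun 15 09:00:01 mx1 postfix/qmgr[811]: 3F2A1C0D5E: from=<bounce-4012-alice=example.com@lists.example.org>, size=2048, nrcpt=1 (queue active)
Jun 15 09:00:02 mx1 postfix/smtp[902]: 3F2A1C0D5E: to=<alice@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun 15 09:00:03 mx1 postfix/qmgr[811]: 4B7C9D1E2F: from=<bounce-4012-bob=example.net@lists.example.org>, size=2048, nrcpt=1 (queue active)
Jun 15 09:00:04 mx1 postfix/smtp[903]: 4B7C9D1E2F: to=<bob@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.20] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun 15 09:00:05 mx1 postfix/qmgr[811]: 5A6B7C8D9E: from=<bounce-4012-carol=example.org@lists.example.org>, size=2048, nrcpt=1 (queue active)
Jun 15 09:00:35 mx1 postfix/smtp[904]: 5A6B7C8D9E: to=<carol@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.30]:25: Connection timed out)
Jun 15 09:20:07 mx1 postfix/smtp[911]: 5A6B7C8D9E: to=<carol@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=1202, delays=1200/0/1/1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun 15 09:00:06 mx1 postfix/qmgr[811]: 6C1D2E3F4A: from=<bounce-4013-dave=example.com@lists.example.org>, size=4096, nrcpt=1 (queue active)
Jun 15 09:00:36 mx1 postfix/smtp[905]: 6C1D2E3F4A: to=<dave@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[192.0.2.10]:25: Connection timed out)
"""

LINE_RE = re.compile(r"postfix/[\w-]+\[\d+\]: ([0-9A-F]+): (.*)")
VERP_RE = re.compile(r"bounce-(\d+)-(.+)=([^=@]+)@")

def verp_sender(mailing_id, rcpt, list_domain="lists.example.org"):
    """Envelope sender that carries the mailing id and the recipient (VERP)."""
    local, _, domain = rcpt.rpartition("@")
    return f"bounce-{mailing_id}-{local}={domain}@{list_domain}"

def mailing_stats(log_text):
    """Tally the final delivery status of each recipient, grouped by mailing id."""
    mailing_of, last_status = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        sender = re.match(r"from=<([^>]*)>", rest)
        delivery = re.match(r"to=<([^>]*)>.*?\bstatus=(\w+)", rest)
        if sender and VERP_RE.match(sender.group(1)):
            mailing_of[qid] = VERP_RE.match(sender.group(1)).group(1)
        elif delivery:  # a later line (deferred, then sent) overrides the earlier one
            last_status[(qid, delivery.group(1))] = delivery.group(2)
    stats = defaultdict(Counter)
    for (qid, _rcpt), status in last_status.items():
        if qid in mailing_of:
            stats[mailing_of[qid]][status] += 1
    return {mailing: dict(counts) for mailing, counts in stats.items()}
```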