Re: [Fwd: Re: Fwd: Re: postfix, dovecot auth and rip/lip]

2009-02-10 Thread Nate

At 06:45 PM 2/10/2009, post...@corwyn.net wrote:

At 07:22 PM 2/10/2009, Nate wrote:

At 03:53 PM 3/18/2008, you wrote:

Wietse Venema wrote:
We're using SMTP AUTH in postfix, querying the dovecot auth socket 
which works well; however, in our virtual hosted environment it 
requires that customers login with their full email 
address.  Great in practice, but impractical when a hosting 
account moves over and has 300, or 3000 subscribers all using 
username only authentication.  In that case, with dovecot 
currently the query is written to compare full email


Couldn't you just change the sql query to compare the login passed 
in to the left side of the User ID/email address?


Rick



Unfortunately not, because the server runs multiple domains, so if it 
compared r...@% for instance in the query it would likely return 
multiple results, and dovecot will reject on multiple results, as it should.


- Nate 



Re: Create additional sub-folders postfix/courier

2009-02-10 Thread postfix

At 05:24 PM 2/10/2009, mouss wrote:

You can create dummy mailboxes that use the folders as their maildir.
for example:
joe+s...@example.com    /some/path/example.com/joe/Maildir/.Spam/
then tell amavisd-new to add the +spam extension to mail tagged as spam.

This may or may not be easy depending on your setup.

This approach can work for any folder as follows. you populate
virtual_mailbox_maps with things like:

joe+fol...@example.com  /some/path/example.com/joe/Maildir/.folder



Man this is clever. Clever enough I'm having a hard time wrapping my 
head around it.


My sql for determining the mail folder for virtual_mailbox_maps is:
query= SELECT CONCAT(maildir,'Maildir/') FROM mailbox WHERE 
username='%s' AND active = '1'


While I can readily create a user  b...@example.com, who has a default 
maildir location for that sql of 'example.com/bob/'  I can't quite 
figure out how to change the SQL to get the folder for 
bob+t...@example.com to return:


'example.com/bob/Maildir/.test' without breaking everything else?

Rick







Re: Redirect all mail from one domain to the same u...@otherdomain?

2009-02-10 Thread Jeff Weinberger

jeff_homeip wrote:

[snip]
 that creates some complications...and might be too difficult



a script and a Makefile... or sql as below:

 but why not use wildcard virtual aliases? You noted below that they break
 recipient validations. Do you mean that smtp_recipient_restrictions won't
 work? at all or parts?



no, it's not about smtpd restrictions. it's about rejecting mail to
invalid recipients.

 Wildcard virtual aliases seems like the best way but I want to understand
 the implications on everything else before I proceed.

 Thanks!


 The reason is that if you use
 @example.com @example.org
 then this breaks recipient validation: smtpd will accept
 anything^example.com, then at delivery time, the user won't be found and
 a bounce will be generated. in short, you become a source of backscatter
 (you send bounces to innocents whose addresses were forged by spammers)


 Unless I don't bounce unknown addresses




and you'd do what with these? if you have a catchall, it's ok. but you
should not discard mail (people do mistype addresses some time, so it's
not just spammers trying invalid addresses).


I use a catchall for some domains instead of rejecting unknown
recipients, for exactly that reason. I find about 2-3% of catchall mail
is user errors (like mis-spellings) rather than spam.

So in this case, I can use a wildcard catchall.

So an alias map of:

@domain1.tld   @domain2.tld

will produce the expected result of anyuser @ domain1.tld being
redirected to the same user (anyuser) @ domain2.tld?

That would be by far the easiest to do in my setup.




you can generate the individual mappings with a script.

alternatively, if you store users in sql, you can use sql statements to
generate these on the fly. examples have been posted multiple times to the
list (a long time ago, that said, but you may be lucky...).




it would be something like:

if (%d='domain1.com') then select %...@domain2..com from
virtual_alias else select alias
from virtual_alias where address=%s

(that's not quite right in the syntax, but you get the idea). This
won't work, as I'd have to write a special select clause for each domain
I want to work this way.





assuming you have a User table containing valid email addresses and a
AliasDomain table containing (alias, destination) domains:

select User.user from AliasDomain, User where
AliasDomain.alias = '%d'
AND
User.user = CONCAT('%u', '@', AliasDomain.destination)

you can avoid the CONCAT inside the search if you split your emails in
(user, domain) columns like I do. in which case, the query becomes

select CONCAT(User.user, '@', User.domain) from AliasDomain, User where
AliasDomain.alias = '%d'
AND
AliasDomain.destination = User.domain
AND
User.user = '%u'


of course, this works for 1 depth alias domains (it doesn't work if
example.net is an alias for example.org which is in turn an alias of
example.com). but this should be enough in most cases.


This is helpful, but I still need the query to take all the other
alias domains into account. So, I need the IF condition, or a second map.


Thank you for your help...it's informative as always!

if the wildcard alias will produce the result I need then this is
resolved.





--

Jeff Weinberger
http://disruptivemarketing.jeffweinberger.com






Re: Create additional sub-folders postfix/courier

2009-02-10 Thread postfix

At 11:04 PM 2/10/2009, post...@corwyn.net wrote:

At 05:24 PM 2/10/2009, mouss wrote:
While I can readily create a user  b...@example.com, who has a 
default maildir location for that sql of 'example.com/bob/'  I can't 
quite figure out how to change the SQL to get the folder for 
bob+t...@example.com to return:


'example.com/bob/Maildir/.test' without breaking everything else?


To answer my own question (more correctly)
SELECT 
CONCAT(maildir,'Maildir/',if(INSTR(username,'+'),'.',''),if(INSTR(username,'+'),MID(username,INSTR(username,'+')+1,INSTR(username,'@')-INSTR(username,'+')-1),'')) 
FROM mailbox



Rick




Re: Create additional sub-folders postfix/courier

2009-02-10 Thread Victor Duchovni
On Wed, Feb 11, 2009 at 12:55:31AM -0500, post...@corwyn.net wrote:

 At 11:04 PM 2/10/2009, post...@corwyn.net wrote:
 At 05:24 PM 2/10/2009, mouss wrote:
 While I can readily create a user  b...@example.com, who has a default 
 maildir location for that sql of 'example.com/bob/'  I can't quite figure 
 out how to change the SQL to get the folder for bob+t...@example.com to 
 return:

 'example.com/bob/Maildir/.test' without breaking everything else?

 To answer my own question (more correctly)
 SELECT 
 CONCAT(maildir,'Maildir/',if(INSTR(username,'+'),'.',''),if(INSTR(username,'+'),MID(username,INSTR(username,'+')+1,INSTR(username,'@')-INSTR(username,'+')-1),''))
  
 FROM mailbox

This is a bad idea. You are allowing external parties to construct
mailbox filenames on your system. Potential for various directory pathname
injection attacks:

user+./../../not/where/you/exp...@example.com

You must specifically designate which folders are addressable in this way,
or at least limit the character-set of acceptable extensions.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.
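
Added example, not part of the original thread and not Postfix code: one way to act on the advice above is to build explicit virtual_mailbox_maps entries (the approach mouss described) only for designated folders, with a restricted extension character set. The sample table contents, the FOLDERS set, the function names and the 32-character limit are assumptions.

```python
import re

# Assumption: extensions are limited to this character set and length. With no
# '/', no '.' and no NUL allowed, an extension cannot name another directory.
SAFE_EXTENSION = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample data standing in for the mailbox table.
MAILBOXES = {"bob@example.com": "example.com/bob/"}   # username -> maildir column
FOLDERS = {"bob@example.com": {"test", "Spam"}}       # designated folders per user


def split_address(address):
    """Split 'user+ext@domain' into (user, ext, domain); ext is None if absent."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an address: %r" % (address,))
    user, plus, ext = local.partition("+")
    return user, (ext if plus else None), domain


def maildir_for(address, mailboxes=MAILBOXES, folders=FOLDERS):
    """Return the maildir path for a recipient, or None for 'no such mailbox'."""
    try:
        user, ext, domain = split_address(address)
    except ValueError:
        return None
    owner = "%s@%s" % (user, domain)
    base = mailboxes.get(owner)
    if base is None:
        return None                      # unknown user: reject, do not guess
    if ext is None:
        return base + "Maildir/"         # plain address, same as the original query
    if not SAFE_EXTENSION.fullmatch(ext):
        return None                      # character-set limit (blocks '../' shapes)
    if ext not in folders.get(owner, set()):
        return None                      # folder was never designated
    # Trailing '/' keeps maildir-style delivery in Postfix virtual(8).
    return "%sMaildir/.%s/" % (base, ext)


def map_lines(mailboxes=MAILBOXES, folders=FOLDERS):
    """Generate explicit map entries, one per mailbox and designated folder."""
    lines = []
    for owner in sorted(mailboxes):
        user, _, domain = owner.partition("@")
        lines.append("%s %s" % (owner, maildir_for(owner, mailboxes, folders)))
        for ext in sorted(folders.get(owner, ())):
            address = "%s+%s@%s" % (user, ext, domain)
            path = maildir_for(address, mailboxes, folders)
            if path is None:
                # A bad folder name in the database fails map generation loudly.
                raise ValueError("folder name not allowed: %r" % (ext,))
            lines.append("%s %s" % (address, path))
    return lines


if __name__ == "__main__":
    for line in map_lines():
        print(line)
    # Constructed probes: designated folder, traversal shape, undesignated folder.
    for probe in ("bob+test@example.com",
                  "bob+./../../etc@example.com",
                  "bob+inbox@example.com"):
        print(probe, "->", maildir_for(probe))
```

Because the recipient's extension is only ever compared against stored names and never concatenated into the path unchecked, an address with an unknown or malformed extension is simply an unknown recipient.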


Re: Create additional sub-folders postfix/courier

2009-02-10 Thread postfix

At 01:05 AM 2/11/2009, Victor Duchovni wrote:

On Wed, Feb 11, 2009 at 12:55:31AM -0500, post...@corwyn.net wrote:
This is a bad idea. You are allowing external parties to construct
mailbox filenames on your system. Potential for various directory pathname
injection attacks:

user+./../../not/where/you/exp...@example.com

You must specifically designate which folders are addressable in this way,
or at least limit the character-set of acceptable extensions.



Grr, a very valid point. I'll try to put something together that only 
uses the maildir that's in the database. Better anyway because then 
it will work from when the account is created instead of having to 
manually tweak the maildir (which is what I did this time).  More to come ...


Rick



Re: Create additional sub-folders postfix/courier

2009-02-10 Thread postfix

At 01:31 AM 2/11/2009, post...@corwyn.net wrote:

At 01:05 AM 2/11/2009, Victor Duchovni wrote:

On Wed, Feb 11, 2009 at 12:55:31AM -0500, post...@corwyn.net wrote:
This is a bad idea. You are allowing external parties to construct
mailbox filenames on your system. Potential for various directory pathname
injection attacks:

user+./../../not/where/you/exp...@example.com

You must specifically designate which folders are addressable in this way,
or at least limit the character-set of acceptable extensions.


Now it uses the data already in the table. Better?

select 
if(INSTR(maildir,'+'),concat(left(maildir,instr(maildir,'+')-1),'/Maildir/.',right(substring_index(maildir,'/',2),length(substring_index(maildir,'/',2))-instr(substring_index(maildir,'/',2),'+' 
)),'/'),CONCAT(maildir,'Maildir/')) from mailbox where username='%s' 
and active='1'


Rick




Re: Create additional sub-folders postfix/courier

2009-02-10 Thread postfix

And a last betterer/simpler way to do it.

 SELECT 
if(INSTR(maildir,'+'),concat(left(maildir,instr(maildir,'+')-1),'/Maildir/.',right(maildir,length(maildir)-instr(maildir,'+'))),CONCAT(maildir,'Maildir/')) 
from mailbox where username ='%s' and active='1'






Strange problem with pickup process (maybe just a coincidence)

2009-02-11 Thread Santiago Romero


Hi.

I have a strange problem monitoring the pickup process: we have a 
monitoring system that, sometimes, warns us with pickup process not in 
memory (master and qmgr seems to continue running). When we enter the 
machine, we notice that pickup is really in memory, but after that 
alarm, every monitoring cycle (every 180 seconds) tells us that pickup 
is not present in memory as a process.


Starting with the first alarm reported by the monitoring tool, pickup 
process is reported as not in memory in each monitoring cycle, until 
we do a postfix restart. Then it works perfectly again for an 
undetermined amount of time (days, weeks, months).


I can't find any error in the logs... and my master.cf shows:

# grep pickup /etc/postfix/master.cf
pickup    fifo  n       -       n       60      1       pickup

I noticed that pickup wakes up every 60 seconds, and my monitoring 
system checks processes every 180 seconds. Maybe it's just 
synchronization and my monitoring system performs the checking just 
when postfix is restarting pickup?


Does the wake up restart the process itself?

The docs just say:


Wake up time (default: 0)
 Automatically wake up the named service after the
 specified number of seconds. The wake up is implemented
 by connecting to the service and sending a wake up
 request. A ? at the end of the wake-up time field
 requests that no wake up events be sent before the
 first time a service is used. Specify 0 for no
 automatic wake up.


But I don't know if wake up means a signal or an o.s. kill + new 
process (which could explain my monitoring incidence).


(if it's that, I can just change 60 to 70 seconds, and that way the ps 
auxwww | grep pickup won't synchronize with pickup restart).


Is it safe to raise those 60 seconds to a more higher value, such as 
600 or so?


Am I right with the synchronization hypothesis or could it be something 
different?


Thanks a lot.

--
Santiago Romero




Problem with postfix and amavisd-new

2009-02-11 Thread Vittorio Manfredini

I have some problem with postfix and amavisd-new.
Postfix is configured as a mx backup and use amavisd-new to check about spam.

I set up amavisd-new to reject messages that are discovered as SPAM, but it
seems that postfix bounces these messages and sends a sender non-delivery
notification.


Why does this happen, and is it possible to disable the sender non-delivery notification?

This is the log that I found :

Feb 11 05:43:40 relay2-new2 postfix/smtp[5003]: F1DA1F9054:  
to=u...@example.com, relay=127.0.0.1[127.0.0.1]:10024, conn_use=6,  
delay=84, delays=1.3/69/0/14, dsn=5.7.0, status=bounced (host  
127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, id=01422-15-6 - SPAM (in  
reply to end of DATA command))
Feb 11 05:43:40 relay2-new2 postfix/cleanup[4994]: CE905F8FE6:  
message-id=20090211044340.ce905f8...@relay2-new.n.nnn
Feb 11 05:43:40 relay2-new2 postfix/bounce[5012]: F1DA1F9054: sender  
non-delivery notification: CE905F8FE6


Thanks in advance





Re: Strange problem with pickup process (maybe just a coincidence)

2009-02-11 Thread Bastian Blank
On Wed, Feb 11, 2009 at 09:00:14AM +0100, Santiago Romero wrote:
 I have a strange problem monitoring the pickup process: we have a  
 monitoring system that, sometimes, warns us with pickup process not in  
 memory

What is the meaning of this message?

 Does the wake up restart the process itself?

No, why should it? All the postfix processes are reused for a long time.

 Is it safe to raise those 60 seconds to a more higher value, such as 600 
 or so?

No, at least not if you use the sendmail command.

 Am I right with the synchronization hypothesis or could it be something  
 different?

Find out what the message means.

What I would suspect: the check wants to warn if the memory of a process
gets swapped out. On a modern operating system such a metric is
unusable.

Bastian

-- 
Conquest is easy. Control is not.
-- Kirk, Mirror, Mirror, stardate unknown


Re: Strange problem with pickup process (maybe just a coincidence)

2009-02-11 Thread Santiago Romero

Bastian Blank wrote:

On Wed, Feb 11, 2009 at 09:00:14AM +0100, Santiago Romero wrote:
  
I have a strange problem monitoring the pickup process: we have a  
monitoring system that, sometimes, warns us with pickup process not in  
memory



What is the meaning of this message?

  



This one (this morning!):


truth:~# date
mie feb 11 09:52:04 CET 2009

b...@truth:/usr/local/bb/ext$ ps auxwww | grep pickup
bb       12674  0.0  0.0  1332  432 pts/0    S    09:50   0:00 grep pickup

b...@truth:/usr/local/bb/ext$ ps auxwww | grep pickup
bb       12692  0.0  0.0  1332  432 pts/0    S    09:50   0:00 grep pickup

b...@truth:/usr/local/bb/ext$ ps auxwww | grep pickup
bb       12705  0.0  0.0  1332  432 pts/0    S    09:50   0:00 grep pickup

b...@truth:/usr/local/bb/ext$ ps auxwww | grep pickup
bb       12712  0.0  0.0  1332  432 pts/0    S    09:50   0:00 grep pickup

truth:~# /etc/init.d/postfix restart
Shutting down postfix:
postfix/postfix-script: stopping the Postfix mail system

Starting postfix:
postfix/postfix-script: starting the Postfix mail system

truth:~# ps auxwww | grep pickup
postfix  13427  0.1  0.0  2864  976 ?        S    09:51   0:00 pickup -l -t fifo -u
root     13560  0.0  0.0  1752  732 pts/0    S    09:51   0:00 grep pickup


Pickup process just disappears from memory, and no info about that is 
shown in log files :-?


--
Santiago Romero




Re: How to allow mails from some other servers to pass: reject_sender_login_mismatch

2009-02-11 Thread an...@iguanait.com
Hi,

yes, you are right, using mynetworks is ok. I also thought of this way. I
just didn't understand from the beginning why it didn't work with the access
file, but now it is clear.

Thanks!

On Wed, 2009-02-11 at 04:35 -0500, Digest of postfix-users list wrote:
 your access file is used for check_SENDER_access, not for
 check_client_access.
 
 the easy way is to add the IP to mynetworks. otherwise add
 check_client_access cidr:/etc/postfix/access_client
 before reject_sender_login_mismatch and put the IP in access_client:
 
 10.1.2.3/32 OK
 
 do not postmap this, since it is a cidr map.



Whitelist final draft

2009-02-11 Thread David Cottle

Hi All,

I now have added dnswl to my config to whitelist.

Can I get some comments it looks okay please?

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, check_client_access
cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
b.barracudacentral.org

I want my whitelist run first and anyone on it gets to the end
I then want to remove those pesky backscatters to , postmaster and
MAILER_DAEMON
I then want to run my postfix-dnswl-permit
And then onto the RBLs

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost, localhost.localdomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, check_client_access
cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
b.barracudacentral.org
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps,
hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110



Re: Problem with postfix and amavisd-new

2009-02-11 Thread Charles Marcus
On 2/11/2009, Vittorio Manfredini (vitto...@vitsoft.bz) wrote:
 I set up amavisd-new to reject messages that are discovered as SPAM, but it
 seems that postfix bounces these messages and sends a sender non-delivery
 notification.

Never bounce a message once it's been accepted.

Either set up amavisd-new as a pre-queue content filter, or simply
tag+deliver.

-- 

Best regards,

Charles


Re: Connection Refused

2009-02-11 Thread Jason Wohlford


On Feb 10, 2009, at 9:05 PM, Sahil Tandon wrote:


On Tue, 10 Feb 2009, Jason Wohlford wrote:

Is there a way to notify me (i.e. postmaster) when my smtpd_proxy_filter
fails? I see in the logs where a warning: connect to proxy service
127.0.0.1:10024: Connection refused occurs. How do I get a message sent
to me when this happens?


Try monit, or some log monitoring service that notifies you when service X
fails.  But if service X is required for root to send you email, you'll have
to figure out a way around that.



I thought  
'notify_classes=bounce,delay,policy,protocol,resource,software' would  
do the trick, but no luck.


--
Jason Wohlford
ja...@wohlford.org
http://wohlford.org



Assistance with email error

2009-02-11 Thread Joey
Hello All,

 

I have researched this without a 100% clear reason that an exchange server
would return this error:

 

The error that the other server returned was: 550 550 #5.1.0 Address
rejected

 

My guess is it's an invalid email address that we attempted to be delivered
to, but I want to be positive.

 

Thanks!

 

Joey

 



Re: Connection Refused

2009-02-11 Thread Martin Schmitt
Jason Wohlford wrote:

 I thought
 'notify_classes=bounce,delay,policy,protocol,resource,software' would do
 the trick, but no luck.

I have the default setting notify_classes = resource, software active
and receive those notifications all the time.

Check the value of error_notice_recipient and check your
postmas...@myorigin alias.

-martin


-- 
Martin Schmitt / Schmitt Systemberatung / www.scsy.de
-- http://www.pug.org/index.php/Benutzer:Martin --





Re: filtering mail

2009-02-11 Thread Michael Katz
Ilo Lorusso wrote:
 Hi
 
 
 is there a way I can reject messages when its from address does not
 match the envelope from address?

Doing that will drop tons of legit email.

Mike Katz
http://messagepartners.com

 
 using postfix of course
 
 
 Thanks
 
 Regards
 
 
 Ilo
 
 
 



Re: 451 Remote TLS ERROR - Connection closed by peer

2009-02-11 Thread Victor Duchovni
On Wed, Feb 11, 2009 at 04:27:07PM +0100, Ralf Hildebrandt wrote:

 When sending to nashfinch.com I get:
 
 Feb 11 16:23:36 mail postfix/smtp[22382]: setting up TLS connection to
 nashfinch.com.s5a1.psmtp.com[64.18.4.10]:25
 
 Feb 11 16:23:37 mail postfix/smtp[22382]: Trusted TLS connection
 established to nashfinch.com.s5a1.psmtp.com[64.18.4.10]:25: TLSv1 with
 cipher AES256-SHA (256/256 bits)

The nashfinch.com email service is proxied by Postini.

 Feb 11 16:23:42 mail postfix/smtp[22382]: BDCC11C35E9: host
 nashfinch.com.s5a1.psmtp.com[64.18.4.10] said: 451 Remote TLS ERROR -
 Connection closed by peer (state:SSLv2/v3 read server hello A)
 (host:[63.85.29.124]) - psmtp (in reply to RCPT TO command)
 on all of their 4 Postini MX hosts.

Postini connects to the remote system at RCPT TO and tries to maintain
the same security level by using STARTTLS with the next-hop server. This
fails, and Postini gives you the bad news.

 This started shortly after midnight (local time), thus no changes to
 the system.

The real nashfinch.com server is not feeling well.

-- 
Viktor.



Re: how to accept some addresses but relay the rest?

2009-02-11 Thread Noel Jones

Andy Spiegl wrote:

On 2009-02-10, 12:00, Noel Jones wrote:


This should get you started:

Thanks!


# relay_recipients
... list of valid recipients at example.com ...
us...@example.com  OK
us...@example.com  OK
...

Hm, but I don't have the list of valid recipients. :-(

All I have is the list of valid LOCAL recipients.  Everything else I
have to relay to the MX of example.com...


If the receiving server rejects unknown recipients during SMTP 
(it should), you can use reject_unverified_recipient and let 
postfix maintain the list of valid users for you.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

  -- Noel Jones


PATCH: postfix, dovecot auth and rip/lip

2009-02-11 Thread Wietse Venema
Can someone have a look at this patch for Postfix = 2.5? The patch
for Postfix 2.3 does not work because I had to add a SASL mechanism
filter feature.

Wietse

*** xsasl_dovecot_server.c.orig Sun Mar 16 19:09:04 2008
--- xsasl_dovecot_server.c  Wed Feb 11 10:26:37 2009
***
*** 65,70 
--- 65,71 
  #include vstring_vstream.h
  #include name_mask.h
  #include argv.h
+ #include myaddrinfo.h
  
  /* Global library. */
  
***
*** 162,167 
--- 163,170 
  unsigned int sec_props;   /* Postfix mechanism filter */
  char   *mechanism_list;   /* filtered mechanism list */
  ARGV   *mechanism_argv;   /* ditto */
+ MAI_HOSTADDR_STR server_addr; /* local IP address */
+ MAI_HOSTADDR_STR client_addr; /* remote IP address */
  } XSASL_DOVECOT_SERVER;
  
   /*
***
*** 379,391 
  /* xsasl_dovecot_server_create - create server instance */
  
  static XSASL_SERVER *xsasl_dovecot_server_create(XSASL_SERVER_IMPL *impl,
!VSTREAM *unused_stream,
 const char *service,
 const char *realm,
  const char *sec_props)
  {
  const char *myname = xsasl_dovecot_server_create;
  XSASL_DOVECOT_SERVER *server;
  
  if (msg_verbose)
msg_info(%s: SASL service=%s, realm=%s,
--- 382,397 
  /* xsasl_dovecot_server_create - create server instance */
  
  static XSASL_SERVER *xsasl_dovecot_server_create(XSASL_SERVER_IMPL *impl,
!VSTREAM *stream,
 const char *service,
 const char *realm,
  const char *sec_props)
  {
  const char *myname = xsasl_dovecot_server_create;
  XSASL_DOVECOT_SERVER *server;
+ struct sockaddr_storage ss;
+ struct sockaddr *sa = (struct sockaddr *)  ss;
+ SOCKADDR_SIZE salen = sizeof(ss);
  
  if (msg_verbose)
msg_info(%s: SASL service=%s, realm=%s,
***
*** 413,418 
--- 419,435 
name_mask_opt(myname, xsasl_dovecot_conf_sec_props,
  sec_props, NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
  
+ /*
+  * XXX This is not the right place: it ignores client overrides with the
+  * XCLIENT command.
+  */
+ if (getpeername(vstream_fileno(stream), sa, salen)  0
+   || sockaddr_to_hostaddr(sa, salen, server-client_addr, 0, 0) != 0)
+   server-client_addr.buf[0] = 0;
+ if (getsockname(vstream_fileno(stream), sa, salen)  0
+   || sockaddr_to_hostaddr(sa, salen, server-server_addr, 0, 0) != 0)
+   server-server_addr.buf[0] = 0;
+ 
  return (server-xsasl);
  }
  
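Review bot: In the added getpeername()/getsockname() block, salen is a value-result argument and is reused for the second call without being reset to sizeof(ss), so getsockname() runs with whatever length getpeername() left behind; reassign it before the second call. Both failure branches also blank the address buffer silently, so a failed lookup cannot be told apart from a missing address later on; a msg_warn() with the error would make that diagnosable. The XXX comment already concedes that XCLIENT overrides are ignored at this point, so behind a trusted front end the address recorded here would be the front end's rather than the real client's, which matters if the auth backend makes decisions on it.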
***
*** 605,613 
/* send the request */
server-last_request_id = ++server-impl-request_id_counter;
vstream_fprintf(server-impl-sasl_stream,
!   AUTH\t%u\t%s\tservice=%s\tnologin,
server-last_request_id, sasl_method,
!   server-service);
if (init_response) {
  
/*
--- 622,631 
/* send the request */
server-last_request_id = ++server-impl-request_id_counter;
vstream_fprintf(server-impl-sasl_stream,
!   AUTH\t%u\t%s\tservice=%s\tlip=%s\trip=%s,
server-last_request_id, sasl_method,
!   server-service, server-client_addr.buf,
!   server-server_addr.buf);
if (init_response) {
  
/*
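Review bot: In the replacement vstream_fprintf() call the arguments do not line up with the format string: lip= is filled from client_addr.buf and rip= from server_addr.buf, while the struct comments in the earlier hunk mark server_addr as the local address and client_addr as the remote one, so the two values reach the auth server swapped; pass server_addr.buf first. The new format string also drops the nologin field that the old request sent, a behaviour change the posting does not mention. Finally, lip= and rip= are emitted even when the lookup failed and the buffer is empty; consider omitting the field in that case instead of sending an empty value.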



Re: Whitelist final draft

2009-02-11 Thread Noel Jones

David Cottle wrote:


Hi All,

I now have added dnswl to my config to whitelist.

Can I get some comments it looks okay please?

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, check_client_access
cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
b.barracudacentral.org

I want my whitelist run first and anyone on it gets to the end
I then want to remove those pesky backscatters to , postmaster and
MAILER_DAEMON
I then want to run my postfix-dnswl-permit
And then onto the RBLs


Looks OK from here.  As I said before, I would be surprised if 
postmaster or MAILER_DAEMON ever match anything, but 
leaving them does no harm.




postconf -n

smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender


What's in this blacklist?  You may want to list your client 
whitelist before the blacklist.
It's also common (but not required) to list permit_mynetworks 
before these checks to exempt local mail.



  -- Noel Jones


Re: problem with virtual domains and mailman

2009-02-11 Thread Wietse Venema
Göran Höglund:
 virtual_alias_maps = 
 proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf, 
 proxy:mysql:/etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf 
 hash:/usr/local/mailman/data/aliases

As I suspected, you are mixing local alias syntax with virtual
alias syntax.

The two have different syntax.  In particular, virtual aliases do
not support |command syntax, and local aliases never have a
@domain part.

Remove the domain from virtual_alias_domains, and remove
mailman/data/aliases from virtual_alias_maps.

Add the domain to mydestination, and add mailman/data/aliases to
the alias_maps and alias_database parameters.

Wietse


best book to learn on?

2009-02-11 Thread Charlie
Hi,

Looking to get educated on postfix, and I started browsing through
Amazon's reviews. I've found the book 'The book of postfix' and that
everyone seemed quite happy with it. But the problem is the book is from
2005 / 2006.

Is this book still current? Or has there been enough revisions that I
would be better off with a more current book?

Thanks,

Charlie


postfix logs, spams and bounce messages

2009-02-11 Thread ddaas




Hi there,

Yahoo starts blocking e-mails from our server.

It is possible that someone/somehow is sending spams.

Please help me find what is sending spam from our server.


First please explain to me the following logs (ourdomain is hosted on
our server):


Feb 3 14:45:57 softexp postfix/smtpd[23394]: NOQUEUE: reject:
RCPT
from unknown[117.87.x.x]: 554 5.7.1 Service unavailable; Client host
[117.87.x.x] blocked using sbl-xbl.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=117.87.x.x;
from=x...@yahoo.com.au to=experienceoff...@ourdomain.ro
proto=ESMTP helo=PC-20090752


Feb 3 14:45:58 softexp postfix/smtp[23424]: 56966AC86D:
to=x...@yahoo.com.au, relay=d.mx.mail.yahoo.com[66.196.82.7]:25,
delay=7.6, delays=0/0.01/7.6/0, dsn=4.7.0, status=undeliverable (host
d.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0
[TS02] Messages from 80.96.148.194 temporarily deferred due to user
complaints - 4.16.56.1; see http://postmaster.yahoo.com/421-ts02.html)

What I understand:

1. the client 117.87.x.x tries to connect to our server but is blocked.
(it is at Spamhaus). It tries to send from x...@yahoo.com to experienceof...@ourdomain.com.

Everything ok till now.

2. what does the second line mean? Our server is trying to send to x...@yahoo.com. Why? It is for sure
related with the first log line...

It is because of some bounce message or what?


It looks like Postfix is accepting messages even
though the RBL check happened after RCPT. That means even though the
message is rejected, Postfix has accepted it, then sent a bounce later.
Is this correct? How can I solve it?



The output of postconf -n:

postconf -n

command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = dom1.com
html_directory = no
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
myhostname = mail.dom1.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated reject_unauth_destination
check_sender_access hash:/usr/local/etc/postfix/access_sender
check_helo_access pcre:/usr/local/etc/postfix/helo_checks
reject_non_fqdn_recipient reject_unknown_recipient_domain
reject_unverified_recipient reject_rbl_client list.dsbl.org,
reject_rbl_client sbl-xbl.spamhaus.org, reject_rhsbl_sender
dsn.rfc-ignorant.org permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_non_fqdn_sender, reject_unverified_sender, permit
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/valias.txt
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/vhost.txt
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps.txt
virtual_uid_maps = static:1000




Re: best book to learn on?

2009-02-11 Thread Noel Jones

Charlie wrote:

Hi,

Looking to get educated on postfix, and I started browsing through
amazons reviews. I've found the book 'The book of postfix' and that
everyone seemed quite happy with it. But the problem is the book is from
2005 / 2006.

Is this book still current? Or has there been enough revisions that I
would be better off with a more current book?



Welcome to postfix.

That's an excellent book, and I'm not aware of any more 
current.  (It's impossible for treeware to keep up with active 
software projects.)


Since postfix tries hard to be backwards-compatible, 
everything described in that book should still work.


Postfix has added several new features since that book was 
published.  Once you grasp the musty old basics, the new 
features will likely make sense to you, should you need them.


Current documentation is always on the postfix web site.
http://www.postfix.org/documentation.html

  -- Noel Jones


Re: postfix logs, spams and bounce messages

2009-02-11 Thread Victor Duchovni
On Wed, Feb 11, 2009 at 08:05:56PM +0200, ddaas wrote:

Feb  3 14:45:57 softexp postfix/smtpd[23394]: NOQUEUE: reject: RCPT from
unknown[117.87.x.x]: 554 5.7.1 Service unavailable; Client host
[117.87.x.x] blocked using sbl-xbl.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=117.87.x.x;
from=x...@yahoo.com.au to=experienceoff...@ourdomain.ro
proto=ESMTP helo=PC-20090752

Feb  3 14:45:58 softexp postfix/smtp[23424]: 56966AC86D:
to=x...@yahoo.com.au, relay=d.mx.mail.yahoo.com[66.196.82.7]:25,
delay=7.6, delays=0/0.01/7.6/0, dsn=4.7.0, status=undeliverable (host
d.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0 [TS02]
Messages from 80.96.148.194 temporarily deferred due to user complaints -
4.16.56.1; see http://postmaster.yahoo.com/421-ts02.html)

You are doing Sender Address Verification (reject_unverified_sender)
before doing RBL checks. Fix this. Do the RBL checks first, and consider
not doing SAV at all, but if you do use it, do SAV *last*.

smtpd_client_restrictions =
    ... no reject_unverified_sender ...

smtpd_helo_restrictions =
    ... no reject_unverified_sender ...

smtpd_sender_restrictions =
    ... no reject_unverified_sender ...

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
    ... no reject_unverified_sender ...

smtpd_data_restrictions =
    reject_unverified_sender

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: postfix logs, spams and bounce messages

2009-02-11 Thread Noel Jones

ddaas wrote:

Hi there,
Yahoo starts blocking e-mails from our server.
It is possible that someone/somehow is sending spams.
Please help me find what is sending spam from our server.

First please explain to me the following logs (ourdomain is hosted on 
our server):



Feb  3 14:45:57 softexp postfix/smtpd[23394]: NOQUEUE: reject: RCPT from 
unknown[117.87.x.x]: 554 5.7.1 Service unavailable; Client host 
[117.87.x.x] blocked using sbl-xbl.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=117.87.x.x; from=x...@yahoo.com.au 
to=experienceoff...@ourdomain.ro proto=ESMTP helo=PC-20090752


Your system rejects a message because the client is listed at 
spamhaus.  Good.


Feb  3 14:45:58 softexp postfix/smtp[23424]: 56966AC86D: 
to=x...@yahoo.com.au, relay=d.mx.mail.yahoo.com[66.196.82.7]:25, 
delay=7.6, delays=0/0.01/7.6/0, dsn=4.7.0, status=undeliverable (host 
d.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0 [TS02] 
Messages from 80.96.148.194 temporarily deferred due to user complaints 
- 4.16.56.1; see http://postmaster.yahoo.com/421-ts02.html)


You've configured your server to verify sender addresses.
Apparently Yahoo doesn't like it, and refuses to answer.


The output of postconf -n:
smtpd_recipient_restrictions = permit_mynetworks  
permit_sasl_authenticated  reject_unauth_destination check_sender_access 
hash:/usr/local/etc/postfix/access_sender check_helo_access 
pcre:/usr/local/etc/postfix/helo_checks reject_non_fqdn_recipient 
reject_unknown_recipient_domain reject_unverified_recipient 
reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, 
reject_rhsbl_sender dsn.rfc-ignorant.org permit


Note that list.dsbl.org is no longer active.  Remove it.
Rather than sbl-xbl.spamhaus.org, you might want to use 
zen.spamhaus.org as it's more effective.


smtpd_sender_restrictions = reject_unknown_sender_domain, 
reject_non_fqdn_sender, reject_unverified_sender, permit


Remove reject_unverified_sender or move it to 
smtpd_data_restrictions.  Probably better to remove it.



  -- Noel Jones
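The ordering problem both replies point at can be checked mechanically. The sketch below is an added example, not code from the thread or from Postfix: it flattens the restriction lists in the order smtpd evaluates them and reports any reject_rbl_client that only runs after reject_unverified_sender. The function names and the two sample configurations are constructed from the values quoted above, and permit short-circuits are not modelled.

```python
import re

# Order in which smtpd walks the restriction lists for one recipient. With the
# default smtpd_delay_reject = yes the first three are deferred until RCPT TO;
# smtpd_data_restrictions runs later, at the DATA command.
STAGES = [
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_data_restrictions",
]

# Restrictions whose next token is an argument (a list name or a lookup table).
TAKES_ARG = {
    "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender",
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service",
}

# Lists the thread says are no longer active.
DEAD_RBLS = {"list.dsbl.org"}


def parse_postconf(text):
    """Parse main.cf / postconf -n text; indented lines continue a value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params


def evaluation_order(params):
    """Return [(stage, restriction, argument_or_None)] in evaluation order."""
    order = []
    for stage in STAGES:
        tokens = [t for t in re.split(r"[,\s]+", params.get(stage, "")) if t]
        i = 0
        while i < len(tokens):
            name, arg = tokens[i], None
            if name in TAKES_ARG and i + 1 < len(tokens):
                arg = tokens[i + 1]
                i += 1
            order.append((stage, name, arg))
            i += 1
    return order


def audit(text):
    """Flag DNSBL checks that run after sender verification, and dead lists."""
    order = evaluation_order(parse_postconf(text))
    first_sav = next((i for i, (_, name, _) in enumerate(order)
                      if name == "reject_unverified_sender"), None)
    findings = []
    for i, (_stage, name, arg) in enumerate(order):
        if name != "reject_rbl_client":
            continue
        if arg in DEAD_RBLS:
            findings.append(("dead-rbl", arg))
        if first_sav is not None and first_sav < i:
            findings.append(("sav-before-rbl", arg))
    return findings


# Constructed from the original poster's postconf -n (access maps omitted).
BEFORE = """\
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated reject_unauth_destination
    reject_unverified_recipient reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org, reject_rhsbl_sender
    dsn.rfc-ignorant.org permit
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_non_fqdn_sender, reject_unverified_sender, permit
"""

# Constructed from the layout suggested in the reply above.
AFTER = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
smtpd_data_restrictions =
    reject_unverified_sender
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf) or "no findings")
```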


postfix benchmark performance

2009-02-11 Thread Silas Boyd-Wickizer
Hello, I'm doing some experiments with a synthetic benchmark and 
postfix.  My current postfix configuration can deliver ~3000 
msg/sec to 1000 virtual mailboxes; however, the system (16 
core/4x4 AMD opteron) is ~90% idle.  All logs and queues reside 
in a RAM filesystem, so disk IO is not a bottleneck.  I am 
generating the incoming load locally using (a slightly modified) 
smtp-source, so the network is not a bottleneck.  smtp-source is 
generating 10k emails and smtpd/cleanup can put the incoming 
emails on the incoming queue much faster than the qmgr can pull 
them off.  Besides the incoming and active queues, all queues are 
empty during the benchmark.  Ideally I want the system to be 0% 
idle.  Any suggestions on how to achieve this?

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
alternate_config_directories = /etc/postfix1, /etc/postfix2
append_dot_mydomain = no
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /tmp/mail/0/lib/postfix
default_destination_concurrency_limit = 1
default_destination_recipient_limit = 1000
default_process_limit = 200
default_recipient_refill_limit = 10
disable_dns_lookups = yes
html_directory = no
in_flow_delay = 0
inet_interfaces = all
initial_destination_concurrency = 500
mail_owner = postfix
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination = localhost.csail.mit.edu, , localhost
myhostname = localhost.csail.mit.edu
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
newaliases_path = /usr/bin/newaliases
qmgr_message_active_limit = 8
qmgr_message_recipient_limit = 8
queue_directory = /tmp/mail/0/postfix
readme_directory = no
recipient_delimiter = +
relayhost = 
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 0
smtpd_peername_lookup = no
syslog_facility = local0
virtual_gid_maps = static:1000
virtual_mailbox_base = /tmp/mail/vhosts
virtual_mailbox_domains = goo.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1000

Here is sequence from strace -p qmgr -T -tt:

12:34:33.138590 lstat(incoming/2303823913A8, {st_mode=S_IFREG|0700, 
st_size=10797, ...}) = 0 0.09
12:34:33.138648 rename(incoming/2303823913A8, active/2303823913A8) = 0 
0.12
12:34:33.138697 open(active/2303823913A8, O_RDWR) = 10 0.08
12:34:33.138738 flock(10, LOCK_EX|LOCK_NB) = 0 0.06
12:34:33.138773 lseek(10, 0, SEEK_CUR)  = 0 0.06
12:34:33.138808 read(10, CO  10291 50..., 4096) = 4096 
0.09
12:34:33.138863 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.07
12:34:33.138925 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.07
12:34:33.138981 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.07
12:34:33.139044 sendto(7, 134Feb 11 12:34:33 postfix/qmg..., 108, 
MSG_NOSIGNAL, NULL, 0) = 108 0.13
12:34:33.139114 lseek(10, 6697, SEEK_CUR) = 10793 0.06
12:34:33.139149 read(10, X\0E\0, 4096) = 4 0.06
12:34:33.139187 lseek(10, 0, SEEK_END)  = 10797 0.06
12:34:33.139221 unlink(defer/2/2303823913A8) = -1 ENOENT (No such file or 
directory) 0.08
12:34:33.139266 poll([{fd=11, events=POLLIN}], 1, 0) = 0 0.06
12:34:33.139305 poll([{fd=11, events=POLLOUT, revents=POLLOUT}], 1, 360) = 
1 0.06
12:34:33.139345 write(11, request\0resolve\0sender\0...@josmp..., 57) = 57 
0.68
12:34:33.139478 poll([{fd=11, events=POLLIN, revents=POLLIN}], 1, 360) = 1 
0.07
12:34:33.139524 read(11, flags\\0transport\0virtual\0nextho..., 4096) = 
79 0.09
12:34:33.139579 close(10)   = 0 0.07
12:34:33.139617 epoll_wait(8, {}, 100, 0) = 0 0.06
12:34:33.139651 alarm(333)  = 333 0.06
12:34:33.139699 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.08
12:34:33.139763 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.08
12:34:33.139824 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.07
12:34:33.139888 sendto(7, 134Feb 11 12:34:33 postfix/qmg..., 82, 
MSG_NOSIGNAL, NULL, 0) = 82 0.11
12:34:33.139947 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.07
12:34:33.140012 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.08
12:34:33.140070 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.08
12:34:33.140134 sendto(7, 134Feb 11 12:34:33 postfix/qmg..., 131, 
MSG_NOSIGNAL, NULL, 0) = 131 0.11
12:34:33.140190 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.08
12:34:33.140260 stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=1267, 
...}) = 0 0.07
12:34:33.140319 

Re: best book to learn on?

2009-02-11 Thread Charlie
Noel Jones wrote:
 Charlie wrote:
 Hi,

 Looking to get educated on postfix, and I started browsing through
 amazons reviews. I've found the book 'The book of postfix' and that
 everyone seemed quite happy with it. But the problem is the book is from
 2005 / 2006.

 Is this book still current? Or has there been enough revisions that I
 would be better off with a more current book?


 Welcome to postfix.

 That's an excellent book, and I'm not aware of any more current. 
 (It's impossible for treeware to keep up with active software projects.)

 Since postfix tries hard to be backwards-compatible, everything
 described in that book should still work.

 Postfix has added several new features since that book was published. 
 Once you grasp the musty old basics, the new features will likely make
 sense to you, should you need them.

 Current documentation is always on the postfix web site.
 http://www.postfix.org/documentation.html

   -- Noel Jones

Thanks everyone!


Re: postfix benchmark performance

2009-02-11 Thread Victor Duchovni
On Wed, Feb 11, 2009 at 01:41:19PM -0500, Silas Boyd-Wickizer wrote:

 Hello, I'm doing some experiments with a synthetic benchmark and 
 postfix.  My current postfix configuration can deliver ~3000 
 msg/sec to 1000 virtual mailboxes; however, the system (16 
 core/4x4 AMD opteron) is ~90% idle.  All logs and queues reside 
 in a RAM filesystem, so disk IO is not a bottleneck.  I am 
 generating the incoming load locally using (a slightly modified) 
 smtp-source, so the network is not a bottleneck.  smtp-source is 
 generating 10k emails and smtpd/cleanup can put the incoming 
 emails on the incoming queue much faster than the qmgr can pull 
 them off.  Besides the incoming and active queues, all queues are 
 empty during the benchmark.  Ideally I want the system to be 0% 
 idle.  Any suggestions on how to achieve this?

With 16 logical CPUs, in this configuration you'll find your CPU load
to be 1/16th of the theoretical maximum + overhead. Your report of 10%
is about right.

What exactly are you trying to measure with this benchmark?

No realistic configuration has the same critical resource, and you'll
run out of disk I/O throughput or CPU first depending on how CPU hungry
your content-filters are.

If you really are planning to host all spools in RAM disk, and need more
than 3000 msgs/sec, I am most curious what use-case motivates this design
and performance requirement.

-- 
Viktor.



Re: problem with virtual domains and mailman

2009-02-11 Thread Göran Höglund

Hi
Thanks that helped!

Now I just have to get the listmanager to deliver the mails ... But that is 
another list I assume.


/GH

Wietse Venema wrote:

Göran Höglund:
  
virtual_alias_maps = 
proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf, 
proxy:mysql:/etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf 
hash:/usr/local/mailman/data/aliases



As I suspected, you are mixing local alias syntax with virtual
alias syntax.

The two have different syntax.  In particular, virtual aliases do
not support |command syntax, and local aliases never have a
@domain part.

Remove the domain from virtual_alias_domains, and remove
mailman/data/aliases from virtual_alias_maps.

Add the domain to mydestination, and add mailman/data/aliases to
the alias_maps and alias_database parameters.

Wietse
  




Re: postfix benchmark performance

2009-02-11 Thread Silas Boyd-Wickizer
 With 16 logical CPUs, in this configuration you'll find your CPU load
 to be 1/16th of the theoretical maximum + overhead. Your report of 10%
 is about right.

The system has 16 physical execution units: four quad core AMD 
Opterons.  In the configuration I described, 90% of total cycles 
are unused.

 What exactly are you trying to measure with this benchmark?

I'm measuring how many emails Postfix can deliver per-sec to some 
number of virtual aliases.  I'm not interested so much in the 
absolute throughput performance, but in the reasons for the 
performance.

 No realistic configuration has the same critical resource, and you'll
 run out of disk I/O throughput or CPU first depending on how CPU hungry
 your content-filters are.

I understand this.

 If you really are planning to host all spools in RAM disk, and need more
 than 3000 msgs/sec, I am most curious what use-case motivates this design
 and performance requirement.

I don't have a real use-case in mind.  For curiosity's sake I 
would like to know what the second-order bottlenecks are after 
the disk and network.  I suspect that I mis-configured because 
postfix only utilizes 10% of available cycles.  I realize this is 
a synthetic/contrived/silly benchmark and a little outside the 
scope of what is normally discussed on this list... but I would 
still like to know why postfix uses 10% of available cycles.

Silas


Mail Received But Not Delivered

2009-02-11 Thread Rich Shepard

  This has not happened before: two messages sent to me, and received, but
not delivered to my mailbox. Here's what the maillog shows:

Feb  9 11:43:59 salmo postfix/qmgr[32715]: E4041AAE:
from=usern...@gte.net, size=4572, nrcpt=1 (queue active)
Feb 11 11:33:33 salmo postfix/qmgr[21684]: 8BA1AF50:
from=usern...@gte.net, size=4839, nrcpt=1 (queue active)

  I've replaced the actual username.

  There should be nothing in procmail that prevents delivery so I'm really
puzzled where these went.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
http://www.appl-ecosys.com Voice: 503-667-4517  Fax: 503-667-8863


Re: Mail Received But Not Delivered

2009-02-11 Thread Terry Carmen

Rich Shepard wrote:
  This has not happened before: two messages sent to me, and received, but
not delivered to my mailbox. Here's what the maillog shows:

Feb  9 11:43:59 salmo postfix/qmgr[32715]: E4041AAE:
from=usern...@gte.net, size=4572, nrcpt=1 (queue active)
Feb 11 11:33:33 salmo postfix/qmgr[21684]: 8BA1AF50:
from=usern...@gte.net, size=4839, nrcpt=1 (queue active)

  I've replaced the actual username.

  There should be nothing in procmail that prevents delivery so I'm really
puzzled where these went.

Thanks,

Rich




What do you get with:

grep E4041AAE /var/log/maillog
and
postqueue -p

?
Terry


--
Terry Carmen
CNY Support, LLC
http://cnysupport.com





Re: No reason not to use reject_unverified sender (was Re: reject_unverified_sender vs greylisting)

2009-02-11 Thread mouss
Paweł Leśniak wrote:
 mouss wrote:
 João Miguel Neves wrote:
  
 OK, I'll take that into consideration if I re-enable SAV.

 


 if you re-enable SAV, do as many checks as you can. the minimum is
 zen.spamhaus.org. but you can also use spamcop.

 it would also be good to do it after greylisting, but this means your GL
 server needs to return a defer instead of defer_if_permit.

 what you can also do is run a log parser that counts the SAV probes you
 send, and disable the feature if some threshold is reached (rate limit
 per client network, per sender domain, and global).  (an alternative is
 a policy server that implements this, but a log parser is enough).

 I was under the impression that you did it before zen check because the
 log you posted has a client listed in zen. but I now realize it may have
 been listed later.
   
 And again my 5 cents. I think that people should take advantage of SPF
 and/or DKIM records. If you'll check DKIM/SPF then you could for example
 do SAV for clients/senders who are not allowed via SPF/DKIM or do not
 provide those records. I believe this change is no cost for you, and is
 saving some resources on both sides. Anyways whether you'll do SAV for
 bad hosts or just reject emails from them is your choice. But no one
 will blame you if you reject those emails, as you should be informed by
 administrator (in terms of SPF/DKIM records) which hosts are permitted
 to send (relay) - if you're given SPF record it should be correct, right?
 


first, let's rule DKIM out of this. DKIM doesn't tell you which hosts
are permitted. And DKIM verification requires getting the message DATA.
people want to reject a transaction before getting this data. In
addition, doing verification based on data requires a milter or a proxy
filter.

second, many of us ignore SPF at once. if you think it is good, go on.
but there will be no discussion on this list (it is taboo here. search
the archives).
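The log parser suggested in the quoted text above, as an added example that is not part of the thread: it counts outgoing sender-verification probes per hour, using the fact that Postfix logs probe deliveries with status=deliverable or status=undeliverable (as in the Yahoo log line earlier on this page). It covers the per-sender-domain and global limits only, because the probe's delivery line carries no client address; the thresholds, function name and sample log are constructed.

```python
import re
from collections import Counter

# A probe delivery logged by the Postfix smtp client. Ordinary deliveries log
# status=sent/deferred/bounced and are ignored. Angle brackets around the
# address are optional because some archives strip them.
PROBE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}):\d{2}:\d{2} \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<?(?P<rcpt>[^>,\s]+)>?, .*?"
    r"status=(?P<status>deliverable|undeliverable)\b"
    r"(?: \((?P<reason>.*)\))?"
)


def probe_report(lines, domain_limit, global_limit):
    """Count SAV probes per (hour, probed domain) and per hour.

    Returns the buckets that exceed the given limits, plus the domains whose
    servers refused the probe connection outright (the "refused to talk to me"
    case from the thread), which is the signal to stop probing them.
    """
    per_domain, per_hour, pushback = Counter(), Counter(), Counter()
    for line in lines:
        m = PROBE_RE.match(line)
        if m is None:
            continue
        domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        hour = " ".join(m["ts"].split())      # "Feb  3 14" -> "Feb 3 14"
        per_domain[(hour, domain)] += 1
        per_hour[hour] += 1
        if "refused to talk to me" in (m["reason"] or ""):
            pushback[domain] += 1
    return {
        "domains_over": sorted((h, d, n) for (h, d), n in per_domain.items()
                               if n > domain_limit),
        "hours_over": sorted((h, n) for h, n in per_hour.items()
                             if n > global_limit),
        "pushback": dict(pushback),
    }


# Constructed sample log (hosts, addresses and queue IDs are made up).
SAMPLE_LOG = """\
Feb  3 14:45:57 mx1 postfix/smtpd[23394]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.com> to=<u@example.org> proto=ESMTP helo=<pc>
Feb  3 14:45:58 mx1 postfix/smtp[23424]: 56966AC86D: to=<a@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=7.6, delays=0/0.01/7.6/0, dsn=4.7.0, status=undeliverable (host mx.example.com[198.51.100.7] refused to talk to me: 421 4.7.0 temporarily deferred)
Feb  3 14:46:10 mx1 postfix/smtp[23425]: 6A1B2C3D4E: to=<b@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.9, delays=0/0/0.5/0.4, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
Feb  3 14:50:02 mx1 postfix/smtp[23426]: 7B2C3D4E5F: to=<c@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=6.1, delays=0/0/6.1/0, dsn=4.7.0, status=undeliverable (host mx.example.com[198.51.100.7] refused to talk to me: 421 4.7.0 temporarily deferred)
Feb  3 14:52:40 mx1 postfix/smtp[23427]: 8C3D4E5F60: to=<d@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, delays=0/0/0.6/0.6, dsn=5.1.1, status=undeliverable (host mx.example.net[203.0.113.5] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Feb  3 15:01:11 mx1 postfix/smtp[23428]: 9D4E5F6071: to=<e@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.8, delays=0/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb  3 15:03:00 mx1 postfix/smtp[23429]: AE5F607182: to=<f@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.7, delays=0/0/0.4/0.3, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
"""

if __name__ == "__main__":
    report = probe_report(SAMPLE_LOG.splitlines(), domain_limit=2, global_limit=3)
    for key, value in report.items():
        print(key, value)
```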



Re: Mail Received But Not Delivered

2009-02-11 Thread Rich Shepard

On Wed, 11 Feb 2009, Terry Carmen wrote:


What do you get with:
grep E4041AAE /var/log/maillog


Terry,

Feb  9 11:43:58 salmo postfix/smtpd[17963]: E4041AAE:
client=vms173007pub.verizon.net[206.46.173.7]
Feb  9 11:43:59 salmo postfix/cleanup[17966]: E4041AAE:
message-id=88ba18204f8d4137a8f4a4b0601d2...@mrdsoffice
Feb  9 11:43:59 salmo postfix/qmgr[32715]: E4041AAE:
from=usern...@gte.net, size=4572, nrcpt=1 (queue active)
Feb  9 11:44:01 salmo postfix/local[17967]: E4041AAE:
to=rshep...@appl-ecosys.com, relay=local, delay=4, delays=1.4/0/0/2.6,
dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Feb  9 11:44:01 salmo postfix/qmgr[32715]: E4041AAE: removed


and
postqueue -p


-Queue ID- --Size-- Arrival Time -Sender/Recipient---
B1FF5F50*  3326 Wed Feb 11 11:59:54
pgsql-general-owner+m143814=rshepard=appl-ecosys@postgresql.org
 rshep...@appl-ecosys.com

-- 3 Kbytes in 1 Request.

  Procmail's not held out on me before, and I've been using it for more than
a decade. I'm puzzled.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
http://www.appl-ecosys.com Voice: 503-667-4517  Fax: 503-667-8863


Re: Redirect all mail from one domain to the same u...@otherdomain?

2009-02-11 Thread mouss
Jeff Weinberger wrote:
 [snip]
 
 This is helpful, but I still need the query to take all the other
 alias domains into account. So, I need the IF condition, or a second map.
 

I don't think so. I used this. I don't remember the details, but the
idea is that you can often get rid of flow control (if, ...) using
additional tables.

 Thank you for your help...it's informative as always!
 
 if the wildcard alias will produce the result I need then this is
 resolved.
 

@example.org    @example.com

works, but smtpd will accept mail to anyth...@example.org
(virtual_alias_maps are used for recipient validation during the smtp
transaction). if all addresses are valid (catchall or whatever), this is
ok. otherwise, it's bad. in any case, you must make sure that mail isn't
bounced after it is accepted (queued). This is what happens by default
(after virtual alias expansion, a delivery error occurs, and an NDR is
generated).


Re: Mail Received But Not Delivered

2009-02-11 Thread Terry Carmen

Rich Shepard wrote:

On Wed, 11 Feb 2009, Terry Carmen wrote:


What do you get with:
grep E4041AAE /var/log/maillog


Terry,

Feb  9 11:43:58 salmo postfix/smtpd[17963]: E4041AAE:
client=vms173007pub.verizon.net[206.46.173.7]
Feb  9 11:43:59 salmo postfix/cleanup[17966]: E4041AAE:
message-id=88ba18204f8d4137a8f4a4b0601d2...@mrdsoffice
Feb  9 11:43:59 salmo postfix/qmgr[32715]: E4041AAE:
from=usern...@gte.net, size=4572, nrcpt=1 (queue active)
Feb  9 11:44:01 salmo postfix/local[17967]: E4041AAE:
to=rshep...@appl-ecosys.com, relay=local, delay=4, delays=1.4/0/0/2.6,
dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Feb  9 11:44:01 salmo postfix/qmgr[32715]: E4041AAE: removed



Feb  9 11:44:01 salmo postfix/local[17967]: E4041AAE:
to=rshep...@appl-ecosys.com,
relay=local,
delay=4,
delays=1.4/0/0/2.6,
dsn=2.0.0,
-- status=sent (delivered to command: /usr/bin/procmail)

Postfix delivered it to procmail, so postfix is done with it.

I don't use procmail so I can't help you there, but I would assume it 
has some sort of log you could check to follow the message.


Terry







Re: Mail Received But Not Delivered

2009-02-11 Thread J.P. Trosclair

Rich Shepard wrote:

On Wed, 11 Feb 2009, Terry Carmen wrote:


What do you get with:
grep E4041AAE /var/log/maillog


Terry,

Feb  9 11:43:58 salmo postfix/smtpd[17963]: E4041AAE:
client=vms173007pub.verizon.net[206.46.173.7]
Feb  9 11:43:59 salmo postfix/cleanup[17966]: E4041AAE:
message-id=88ba18204f8d4137a8f4a4b0601d2...@mrdsoffice
Feb  9 11:43:59 salmo postfix/qmgr[32715]: E4041AAE:
from=usern...@gte.net, size=4572, nrcpt=1 (queue active)
Feb  9 11:44:01 salmo postfix/local[17967]: E4041AAE:
to=rshep...@appl-ecosys.com, relay=local, delay=4, delays=1.4/0/0/2.6,
dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Feb  9 11:44:01 salmo postfix/qmgr[32715]: E4041AAE: removed



Might be worth turning on logging in procmail. I don't see any problem from 
postfix, looks like the mail was delivered and whatever procmail did 
with it will probably be revealed via procmail's log for future messages.


In procmailrc:
LOGFILE=/path/to/procmail.log


J.P.


Re: postfix benchmark performance

2009-02-11 Thread Wietse Venema
Silas Boyd-Wickizer:
 Hello, I'm doing some experiments with a synthetic benchmark and 
 postfix.  My current postfix configuration can deliver ~3000 
 msg/sec to 1000 virtual mailboxes; however, the system (16 
 core/4x4 AMD opteron) is ~90% idle.  All logs and queues reside 

Why do you believe that this should use 100% of ALL Cpus?

If you look at your synthetic test then you will likely find that
there are at any point in time only a few mail receiving processes
and mail delivering processes, and that these processes will all
be waiting for kernel system calls to complete.

With this synthetic test you really have only a low-concurrency load.
 
Wietse


Re: Create additional sub-folders postfix/courier

2009-02-11 Thread mouss
post...@corwyn.net wrote:
 And a last betterer/simpler way to do it.
 
  SELECT
 if(INSTR(maildir,'+'),concat(left(maildir,instr(maildir,'+')-1),'/Maildir/.',right(maildir,length(maildir)-instr(maildir,'+'))),CONCAT(maildir,'Maildir/'))
 from mailbox where username ='%s' and active='1'
 
 
 


you are still allowing random folder names. create a table, say Folder,
where you put the folders you want to support (spam, ). That
should also make your query a little simpler (unfortunately,
postfixadmin table structure makes this and other things harder...).



Re: postfix benchmark performance

2009-02-11 Thread Victor Duchovni
On Wed, Feb 11, 2009 at 02:28:40PM -0500, Silas Boyd-Wickizer wrote:

  With 16 logical CPUs, in this configuration you'll find your CPU load
  to be 1/16th of the theoretical maximum + overhead. Your report of 10%
  is about right.
 
 The system has 16 physical execution units: four quad core AMD 
 Opterons.  In the configuration I described, 90% of total cycles 
 are unused.

Yes, but in this configuration, 1 CPU is pegged, and the others are idle,
actually the others are working about as hard combined, so that's where
you get the ~10%.

  What exactly are you trying to measure with this benchmark?
 
 I'm measuring how many emails Postfix can deliver per-sec to some 
 number of virtual aliases.  I'm not interested so much in the 
 absolute throughput performance, but in the reasons for the 
 performance.

Why is this an interesting measurement? In practice, your performance will
be at least a factor of 10 (more likely 30-100) lower, once you add
real disk latency, and other real loads.

  No realistic configuration has the same critical resource, and you'll
  run out of disk I/O throughput or CPU first depending on how CPU hungry
  your content-filters are.
 
 I understand this.
 
  If you really are planning to host all spools in RAM disk, and need more
  than 3000 msgs/sec, I am most curious what use-case motivates this design
  and performance requirement.
 
 I don't have a real use-case in mind.

This benchmark is essentially meaningless, it proves that Postfix
switching won't be a problem until you reach 3000 msgs/sec. Since
your real loads will be much lower, you don't have to worry about it.

-- 
Viktor.



Re: Create additional sub-folders postfix/courier

2009-02-11 Thread Victor Duchovni
On Wed, Feb 11, 2009 at 09:24:25PM +0100, mouss wrote:

 post...@corwyn.net wrote:
  And a last betterer/simpler way to do it.
  
   SELECT
  if(INSTR(maildir,'+'),concat(left(maildir,instr(maildir,'+')-1),'/Maildir/.',right(maildir,length(maildir)-instr(maildir,'+'))),CONCAT(maildir,'Maildir/'))
  from mailbox where username ='%s' and active='1'
 
 you are still allowing random folder names.

That's what I thought at first, but now I am not so sure. Perhaps all
this string munging is based on an attribute from the table, not the
input address. It seems that the database does not hold mailbox paths,
and they are always constructed from the user name, with special logic
for user+spam user names. That's OK, provided the OP controls user
names.

-- 
Viktor.



Re: Create additional sub-folders postfix/courier

2009-02-11 Thread mouss
Victor Duchovni wrote:
 On Wed, Feb 11, 2009 at 09:24:25PM +0100, mouss wrote:
 
 post...@corwyn.net wrote:
 And a last betterer/simpler way to do it.

  SELECT
 if(INSTR(maildir,'+'),concat(left(maildir,instr(maildir,'+')-1),'/Maildir/.',right(maildir,length(maildir)-instr(maildir,'+'))),CONCAT(maildir,'Maildir/'))
 from mailbox where username ='%s' and active='1'
 you are still allowing random folder names.
 
 That's what I thought at first, but now I am not so sure. Perhaps all
 this string munging is based on an attribute from the table, not the
 input address. It seems that the database does not hold mailbox paths,
 and they are always constructed from the user name, with special logic
 for user+spam user names. That's OK, provided the OP controls user
 names.
 

ah! indeed, he puts complete addresses in the mailbox table.

This is too much work however, IMHO. using a Folder table would be
better.


Re: Mail Received But Not Delivered

2009-02-11 Thread Rich Shepard

On Wed, 11 Feb 2009, Terry Carmen wrote:


Postfix delivered it to procmail, so postfix is done with it.


  I saw that, but there's nothing in ~/procmail/log since 2007.

  Time to look further.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
http://www.appl-ecosys.com Voice: 503-667-4517  Fax: 503-667-8863


Re: Mail Received But Not Delivered

2009-02-11 Thread Terry Carmen

Rich Shepard wrote:

On Wed, 11 Feb 2009, Terry Carmen wrote:


Postfix delivered it to procmail, so postfix is done with it.


  I saw that, but there's nothing in ~/procmail/log since 2007.

  Time to look further.


Yep.

That's definitely a good place to start. At a minimum the procmail log 
should show the messages it's processing.


Terry



Mail looping with transport maps and virtual alias maps

2009-02-11 Thread Brian Mathis
I have a few requirements which seem to be opposed to each other, as
what I'm currently doing is causing a mail loop and bounce.  Here's
what I'm trying to accomplish:
1) This server is a standalone server sending outgoing mail, it is not
receiving anything other than locally posted messages
2) Messages need to come from mydomain.com (myorigin = $mydomain)
3) Messages sent to local 'root' account must be forwarded to a
different account @mydomain.com
4) Delivery to all but a few domains is not allowed, and must be discarded

For #2 I'm using the already mentioned myorigin = $mydomain.  This
works as expected, but $mydomain is not listed in mydestination, so
for #3 I am using the method mentioned here:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local
(virtual_alias_maps) to deliver the root mail locally, and allowing
the rest to go off to our main mail server.

For #4, I am using transport_maps (which was suggested in this thread
http://archives.neohapsis.com/archives/postfix/2008-07/0875.html), and
my transport file contains the following:
mydomain.com      smtp
*.mydomain.com    smtp
*                 discard

The problem I am seeing is that when I send a message to root using
the local command mail root, the domain gets added (as expected),
then the virtual alias changes the to address to
r...@localhost.mydomain.com, but then it is bounced because of
looping.

I've reached the edge of my current postfix knowledge, and would
appreciate any input or suggestions.


Relevant information:
Server is running CentOS 5.2 Linux

 rpm -q postfix:
postfix-2.3.3-2.1.el5_2

- postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

 /etc/aliases
root:ad...@mydomain.com

 /etc/postfix/transport:
mydomain.com      smtp
*.mydomain.com    smtp
*                 discard

 /etc/postfix/virtual:
root    r...@localhost

 maillog:
postfix/pickup[5241]: AAB102019B: uid=0 from=root
postfix/pickup[5241]: AAB102019B: uid=0 from=root
postfix/cleanup[5248]: AAB102019B:
message-id=20090211213405.aab1020...@server.mydomain.com
postfix/cleanup[5248]: AAB102019B:
message-id=20090211213405.aab1020...@server.mydomain.com
postfix/qmgr[5242]: AAB102019B: from=r...@mydomain.com, size=307,
nrcpt=1 (queue active)
postfix/qmgr[5242]: AAB102019B: from=r...@mydomain.com, size=307,
nrcpt=1 (queue active)
postfix/smtp[5250]: AAB102019B: to=r...@localhost.mydomain.com,
orig_to=root, relay=none, delay=0.09, delays=0.01/0/0.07/0,
dsn=5.4.6, status=bounced (mail for localhost.mydomain.com loops back
to myself)
postfix/cleanup[5248]: BF9BF2019C:
message-id=20090211213405.bf9bf20...@server.mydomain.com
postfix/bounce[5251]: AAB102019B: sender non-delivery notification: BF9BF2019C
postfix/qmgr[5242]: BF9BF2019C: from=, size=2174, nrcpt=1 (queue active)
postfix/qmgr[5242]: AAB102019B: removed
postfix/smtp[5250]: AAB102019B: to=r...@localhost.mydomain.com,
orig_to=root, relay=none, delay=0.09, delays=0.01/0/0.07/0,
dsn=5.4.6, status=bounced (mail for localhost.mydomain.com loops back
to myself)
postfix/cleanup[5248]: BF9BF2019C:
message-id=20090211213405.bf9bf20...@server.mydomain.com
postfix/bounce[5251]: AAB102019B: sender non-delivery notification: BF9BF2019C
postfix/qmgr[5242]: BF9BF2019C: from=, size=2174, nrcpt=1 (queue active)
postfix/qmgr[5242]: AAB102019B: removed
postfix/smtp[5250]: BF9BF2019C: to=r...@localhost.mydomain.com,
orig_to=r...@mydomain.com, relay=none, delay=0, delays=0/0/0/0,
dsn=5.4.6, status=bounced (mail for localhost.mydomain.com loops back
to myself)
postfix/qmgr[5242]: BF9BF2019C: removed
postfix/smtp[5250]: BF9BF2019C: to=r...@localhost.mydomain.com,
orig_to=r...@mydomain.com, relay=none, delay=0, delays=0/0/0/0,
dsn=5.4.6, status=bounced (mail for localhost.mydomain.com loops back
to myself)
postfix/qmgr[5242]: BF9BF2019C: removed


PS. Please forgive that I have changed the server name and domain.


Re: Create additional sub-folders postfix/courier

2009-02-11 Thread postfix

At 03:46 PM 2/11/2009, mouss wrote:

Victor Duchovni a écrit :
  SELECT
 
if(INSTR(maildir,'+'),concat(left(maildir,instr(maildir,'+')-1),'/Maildir/.',right(maildir,length(maildir)-instr(maildir,'+'))),CONCAT(maildir,'Maildir/'))

 from mailbox where username ='%s' and active='1'
 you are still allowing random folder names.

 That's what I thought at first, but now I am not so sure. Perhaps all
 this string munging is based on an attribute from the table, not the
 input address. It seems that the database does not hold mailbox paths,
 and they are always constructed from the user name, with special logic
 for user+spam user names. That's OK, provided the OP controls user
 names.


ah! indeed, he puts complete addresses in the mailbox table.


In the table, as defined by postfixadmin, is 
username (which is the email address) and maildir 
(the location of the users Maildir folder). I 
initially was using the username for the SQL, but 
changed it to the maildir value, which is defined 
at the point of user creation, and thus only 
tweakable by someone who can make changes to the postfix mysql database.


the folder would be domain/username/ normally, 
so all the SQL is doing is checking to see if 
there's a + in it (ex: 
example.com/user+foo/)  and breaking it apart 
so that it's correctly formatted:

example.com/user/Maildir/.foo/


This is too much work however, IMHO. using a Folder table would be
better.


Since I've already figured out how the SQL works,
I'm not sure how this is too much work.


Can you expound on a folder table as I don't 
understand how that's better.  (Keep in mind I 
don't know what you mean by a folder table 
except that obviously it's a table in the same 
mysql database). Since this way (above) looks 
like it works, isn't anything else more work? :-)


I thought I'd made it work the way the initial
suggestion ... suggested. More than happy to learn what's better.


Rick






Re: Virtual domains, aliases and deliver (Dovecot)

2009-02-11 Thread Sahil Tandon
On Wed, 11 Feb 2009, Roderick A. Anderson wrote:

 I'm still trying to get my head wrapped around all the options and how
 they interact with each other and non-Postfix stuff.

 I have questions in regards to a mail server that will be a virtual
 mailbox server.

 I have set virtual_mailbox_domains and virtual_mailbox_maps (I think I
 got this one right and most mail is delivered) but I'm now trying to set  
 up, for each virtual domain those required and helpful aliases typically  
 found in the single domain aliases file.

 The documentation indicates a virtual_alias_maps with a line like:

 ab...@mydomain.tld    ab...@anotherdomain.tld

 should work.  But I'm getting this in /var/log/maillog:

 Feb 11 13:57:59 mx0 postfix/smtpd[2487]: NOQUEUE: reject: RCPT from  
 mx100.thesenderdomain.tld[10.10.3.21]: 550 5.1.1 ab...@mydomain.tld:  
 Recipient address rejected : User unknown in virtual mailbox table;  
 from=m...@senderdomain.tld to=ab...@mydomain.tld proto=ESMTP  
 helo=mx100.thesenderdomain.com

 This should be only an alias not a real account and I _do not_ have an  
 entry in virtual_mailbox_maps for ab...@mydomain.tld but do for  
 ab...@anotherdomain.tld.

Can you show 'postconf -n' and confirm that you postmap'd (if necessary,
depending on your map type) the virtual_alias_maps file after adding the
above alias to it?

-- 
Sahil Tandon sa...@tandon.net


Re: postfix logs, spams and bounce messages

2009-02-12 Thread ddaas








I did the modification and it seems it works better. Since that
modification I got no message rejected from yahoo.

1. Could you please explain to me why the RBL checks should be done
before Sender Address Verification? And why is it not advisable to do
SAV at all?

2. Is it correct that my server received spams with forged yahoo addresses
and for every spam it responded to yahoo and yahoo got upset?




Thanks everybody.



Victor Duchovni wrote:

  
You are doing Sender Address Verification (reject_unverified_sender)
before doing RBL checks. Fix this. Do the RBL checks first, and consider
not doing SAV at all, but if you do use it, do SAV *last*.

	smtpd_client_restrictions =
	... no reject_unverified_sender ...

	smtpd_helo_restrictions =
	... no reject_unverified_sender ...

	smtpd_sender_restrictions =
	... no reject_unverified_sender ...

	smtpd_recipient_restrictions =
		permit_mynetworks,
		reject_unauth_destination,
		reject_rbl_client zen.spamhaus.org
		... no reject_unverified_sender ...

	smtpd_data_restrictions =
	reject_unverified_sender

  





Re: postfix logs, spams and bounce messages

2009-02-12 Thread mouss
ddaas a écrit :
 I did the modification and it seems it works better. Since that
 modification I got no message rejected from yahoo.
 
 1. Could you please explain to me why the RBL checks should be done
 before Sender Address Verification? And why is it not advisable to do
 SAV at all?
 
 2. Is it correct that my server received spams with forged yahoo addresses
 and for every spam it responded to yahoo and yahoo got upset?
 

There was a recent thread about this. look for
Subject: reject_unverified_sender vs greylisting
(initial post: 9 Feb 2009).

postfix docs already say a little about this:
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#limitations

if you like reading, take a look at:

http://www.circleid.com/posts/sender_address_verification/
http://en.wikipedia.org/wiki/Callback_verification#Drawbacks
http://taint.org/2007/03/16/134743a.html
http://www.spamresource.com/2007/01/whatever-happened-to-vrfy.html





Re: postfix benchmark performance

2009-02-12 Thread lst_hoe02

Zitat von Silas Boyd-Wickizer s...@mit.edu:


Why do you believe that this should use 100% of ALL Cpus?

If you look at your synthetic test then you will likely find that
there are at any point in time only a few mail receiving processes
and mail delivering processes, and that these processes will all
be waiting for kernel system calls to complete.

With this synthetic test you really have only a low-concurrency load.


Yes, there are only a few mail delivering processes (virtual).
Why is this a function of my load?  There are many messages
waiting for delivery, so why doesn't postfix run more virtuals
to increase concurrency?

I'm not sure what you mean by waiting for kernel system calls to
complete.  Do you mean executing kernel system calls (reading
from a pipe), or blocked on kernel system calls (i.e. waiting
on a pipe)?


As far as I understand, all mail must pass (in the sense of deciding what
to do with it) through the qmgr, which is a single process and therefore
limited to one CPU. As you have shown, it is able to manage around 3000
mail/sec (which means around 10 mio. an hour, btw) on a low-cost CPU core.
In practice you will never be able to push mail that fast to any
permanent storage available today...
If you are able to do so in the far future, one CPU core will be
even faster, and therefore qmgr will still not be the bottleneck in any
real mail system.
This is why your benchmark is only useful to see qmgr working hard,
because in any real-world scenario it is nearly idle, waiting for the
disk I/O.
Be aware that this is a naive explanation and the internal details
are more complex than this.


Regards

Andreas




Re: postfix logs, spams and bounce messages

2009-02-12 Thread mouss
Justin Piszcz a écrit :
 
 
 On Wed, 11 Feb 2009, Victor Duchovni wrote:
 
 You are doing Sender Address Verification (reject_unverified_sender)
 before doing RBL checks. Fix this. Do the RBL checks first, and consider
 not doing SAV at all, but if you do use it, do SAV *last*.

 
 smtpd_data_restrictions =
 reject_unverified_sender

 -- 
 Viktor.

 
 Hi,
 
 Quick question, if one has all of his restrictions in
 smtpd_recipient_restrictions, why is it(?) better to put the
 reject_unverified_sender within the smtpd_data_restrictions?
 

it helps making sure that SAV will only be done for mail that is not
otherwise rejected or greylisted. it also helps avoiding sorcerer
apprentice SAV on SAV issues.

if you don't use greylisting, you can put the check at the end of
smtpd_recipient_restrictions. but if you use greylisting and your GL
returns defer_if_permit, then SAV will be performed when you prefer to
wait until the client retries.


Re: recipient_delimiter and virtual users

2009-02-12 Thread mouss
post...@corwyn.net a écrit :
 
 
 OK, so I've become intrigued with recipient delimiters.
 
 My users are currently stored in a mysql database, 'postfix'.  The table
 format is as postfixadmin sets it up, so in the  username is the user
 email address u...@example.com
 
 Before I started tinkering, email to u...@example.com worked. Email to
 user+...@example.com failed with unknown recipient, all well and good.
 
 It looks like even with recipient_delimiter = + set, mail is still
 bounced for the same reason. I theorize that recipient_delimiter is
 actually checked at the end of the address such that with it enabled
 what I really have is u...@example.com+foo working (which, of course,
 won't work).
 
 Does this mean that I can't really use recipient_delimiter with my users
 defined as u...@example.com? If so, I presume I need to munge up (even
 more) my SQL statement so that instead of checking for username='%s' 
 I'm going to need to strip %s apart into its constituent components and
 then reassemble it, so that user+...@example.com, user+...@example.com
 works?  Or would I just use '%d', which looks like it might be the left
 side of the email address (tho I'd still have to make the SQL match that).
 
 The end result that would be cool would be that if foo was defined as a
 folder, mail would get delivered there, and if not mail would be
 delivered to the default inbox.
 
 I can currently (with my existing sql) create a second user
 user+...@example.com and get mail to deliver to inbox/foo , but that
 means that a) I have to maintain a u...@example.com AND a
 user+...@example.com, and additionally if I want to add additional
 extensions I have to create additional accounts, which seems tiresome.
 
 Thanks for any guidance!
 

recipient_delimiter works out of the box. there is no need to change
your tables, your sql statements nor add users.

if it doesn't work for you, then you have something misconfigured. to
get help, follow the directions in
http://www.postfix.org/DEBUG_README.html#mail

In particular:
- logs
- postconf -n




holding mail for recipient

2009-02-12 Thread Christoph Erdle

Hi list,

after having implemented dynamic aliases using ldap I have the  
following problem:


I want to hold mails for a specific recipient which is an alias to  
multiple addresses so admin interaction is required to send to this  
alias. Problem is that the mail is now held twice (following is the  
output of mailq and releasing the message):


srvopt postfix # mailq
- -Queue ID- --Size-- Arrival Time -Sender/Recipient---
594C5E083A8! 751 Thu Feb 12 11:49:10  i...@team-erdle.de
 t...@team-erdle.de

- -- 1 Kbytes in 1 Request.
srvopt postfix # postsuper -H 594C5E083A8
postsuper: 594C5E083A8: released from hold
postsuper: Released from hold: 1 message
srvopt postfix # mailq
- -Queue ID- --Size-- Arrival Time -Sender/Recipient---
594C5E083A8  751 Thu Feb 12 11:49:10  i...@team-erdle.de
 t...@team-erdle.de

- -- 1 Kbytes in 1 Request.
srvopt postfix # postqueue -f
srvopt postfix # mailq
- -Queue ID- --Size-- Arrival Time -Sender/Recipient---
DD553E08409!1193 Thu Feb 12 11:50:13  i...@team-erdle.de
 i...@team-erdle.de
 y...@team-erdle.de

- -- 1 Kbytes in 1 Request.

How can I prevent this so that the message is only held once from  
delivery?


Thanks in advance,
Christoph Erdle

the file hold-distributions to hold the delivery:

t...@team-erdle.de HOLD testing hold with alias

postconf -n:

2bounce_notice_recipient = sys...@partofus.org
address_verify_sender = sendverf...@partofus.org
alias_maps = hash:/usr/local/mailman/data/virtual-mailman, hash:/etc/mail/aliases

body_checks_size_limit = 512000
bounce_notice_recipient = sys...@partofus.org
bounce_size_limit = 5
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_notice_recipient = sys...@partofus.org
delay_warning_time = 1h
deliver_lock_delay = 10s
double_bounce_sender = double-bou...@partofus.org
error_notice_recipient = sys...@partofus.org
fast_flush_domains = $relay_domains
header_checks = regexp:/etc/postfix/rcvd_check
header_size_limit = 102400
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.2.10/html
in_flow_delay = 1s
inet_interfaces = all
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname

local_transport = local
mail_name = Postfix
mail_owner = postfix
mail_release_date = 19071224
mail_version = 2010
mailbox_command = /usr/bin/procmail -a $EXTENSION
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_backoff_time = 2500s
message_size_limit = 8192
minimal_backoff_time = 170s
mydestination =
mydomain = partofus.org
myhostname = srvopt.partofus.org
mynetworks = 127.0.0.0/8
myorigin = partofus.org
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
queue_run_delay = 180s
readme_directory = /usr/share/doc/postfix-2.2.10/readme
recipient_delimiter = +
relay_domains = $mydestination, localhost
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, hash:/etc/postfix/client_restrictions

smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/hold-recipients, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access ldap:/etc/postfix/ldap-block.cf, check_recipient_access hash:/etc/postfix/blocked-teamerdle, check_policy_service inet:127.0.0.1:10030

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_sender_domain, permit_mynetworks

smtpd_tls_CAfile = /etc/ssl/PartOfUs.CA/ca.partofus.org_cert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/PartOfUs.CA/mail.partofus.org_cert.pem
smtpd_tls_key_file = /etc/ssl/PartOfUs.CA/mail.partofus.org_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport, ldap:/etc/postfix/ldap-otherTransport.cf, ldap:/etc/postfix/ldap-transport.cf

unknown_local_recipient_reject_code = 450
unverified_recipient_reject_code = 450
virtual_alias_maps = hash:/usr/local/mailman/data/virtual-mailman, ldap:/etc/postfix/ldap-accountsmap.cf, ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-distributionlists.cf

virtual_gid_maps = static:800

Add X-Envelope From/To into incoming mail

2009-02-12 Thread Petr Hudeček
Hi everybody!
I need add X-Envelope From: and X-Envelope To: into incoming mail from envelope 
mail, no from head mail! I use Postfix and procmail. Can you help me, please?


Re: Enforcing TLS by recipient and sender domain

2009-02-12 Thread Wietse Venema
Urban Hillebrand:
 Hello list,
 
 is there a way to enforce TLS dependent on the sender domain?

Yes. Use check_sender_access and reject_plaintext_session.

Wietse

 Background:
 Many customers are using our SMTP infrastructure (opportunistic TLS is
 active). Now one customer wants to enforce TLS to a certain destination;
 can I do this without affecting all other customers (who might as well
 send mails to this destination, but did not ask for enforced TLS)?
 
 The only ways I can think of involve more SMTP servers (or at least
 instances). Is there an easy solution to this?
 
 Thanks in advance!
 
 



Re: Add X-Envelope From/To into incoming mail

2009-02-12 Thread Wietse Venema
Petr Hudeček:
 Hi everybody!
 I need add X-Envelope From: and X-Envelope To: into incoming mail from 
 envelope mail, no from head mail! I use Postfix and procmail. Can you help 
 me, please?

Use PREPEND actions in access maps.

http://www.postfix.org/SMTPD_ACCESS_README.5.html
http://www.postfix.org/access.5.html
http://www.postfix.org/postconf.5.html#check_sender_access
http://www.postfix.org/postconf.5.html#check_recipient_access

/etc/postfix/main.cf:
    # continuation lines in main.cf must start with whitespace
    smtpd_recipient_restrictions =
        check_recipient_access pcre:/etc/postfix/recipient_access
    smtpd_data_restrictions =
        check_sender_access pcre:/etc/postfix/sender_access

/etc/postfix/sender_access:
    /(.*)/  prepend X-Envelope-From: $1

/etc/postfix/recipient_access:
    /(.*)/  prepend X-Envelope-To: $1

Beware, this breaks the privacy of BCC recipients.

Wietse


Mail Annotation in Postfix

2009-02-12 Thread Zoltan Balogh
Hello All,

I work on a project where we annotate emails coming through a mail server.
By annotation I mean attaching additional possibly useful information to
email body based on the email content. Annotation is enacted selectively
based on users preferences.

What is your opinion, what is the best mechanism to integrate such
annotation particularly for Postfix? Recently we have implemented the
annotator as a pre-queue mail filter and through maildrop MDA. Do you see
any other (possibly better) mechanism to integrate such solution?

Thanks for your opinion.

Regards,
Zoltan


Re: Enforcing TLS by recipient and sender domain

2009-02-12 Thread Urban Hillebrand
On Thu, Feb 12, 2009 at 07:13:19AM -0500, Wietse Venema wrote:
 Urban Hillebrand:
  Hello list,
  
  is there a way to enforce TLS dependent on the sender domain?
 
 Yes. Use check_sender_access and reject_plaintext_session.

Thank you Wietse, but isn't this a smtpD setting? My problem is about
outgoing mails. We act as SMTP relay for our customers, who want to send
TLS encrypted SMTP to destinations in the internet. Sorry if I wasn't
clear.

[...]
  Background:
  Many customers are using our SMTP infrastructure (opportunistic TLS is
  active). Now one customer wants to enforce TLS to a certain destination;
  can I do this without affecting all other customers (who might as well
  send mails to this destination, but did not ask for enforced TLS)?
  
  The only ways I can think of involve more SMTP servers (or at least
  instances). Is there an easy solution to this?


Re: Mail Annotation in Postfix

2009-02-12 Thread Patrick Ben Koetter
* Zoltan Balogh zee.bal...@gmail.com:
 Hello All,
 
 I work on a project where we annotate emails coming through a mail server.
 By annotation I mean attaching additional possibly useful information to
 email body based on the email content. Annotation is enacted selectively
 based on users preferences.
 
 What is your opinion, what is the best mechanism to integrate such
 annotation particularly for Postfix? Recently we have implemented the
 annotator as a pre-queue mail filter and through maildrop MDA. Do you see
 any other (possibly better) mechanism to integrate such solution?

Have you had a look at Postfix milter interface? Your milter might work for
Sendmail too.

p...@rick



 
 Thanks for your opinion.
 
 Regards,
 Zoltan

-- 
The Book of Postfix
http://www.postfix-book.com
saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/


Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Curtis
On Wed, Feb 11, 2009 at 6:51 PM, Wietse Venema wie...@porcupine.org wrote:
 Curtis:
 Hi,

 I'm looking for a safe way to re-inject an archived queue file that
 was backed up and removed (via postsuper) from the hold queue.  (Not
 just this once, but on a regular basis.)  I realize that it would be
 possible to use postcat to grab the raw contents of the archived
 message and feed it back through sendmail (after first parsing and
 then removing the envelope information), but before I went through
 that much trouble, I wanted to see if there was an easier way.

 On a test machine, I threw it into the incoming queue and ran
 postkick public qmgr I and it seemed to deliver to all original
 recipients of the message.  But, I have a feeling that direct
 insertion into the incoming directory is not the right way to do this.

 If the above method is unsafe, is there a postfix command that I can
 pipe an archived queue file to that would safely re-inject the
 message?  Or, am I stuck with the sendmail method?

 Thanks for any advice anyone has on this...

 On a quiet system, put it into the maildrop directory, as a file
 that is owned by the postfix user.

 If you manually insert files into the incoming/active/deferred
 queues then you may lose mail. Postfix ensures that queue files
 have unique names, but that guarantee fails when you insert queue
 files in by hand.

Wietse


So, on a box that I know has nothing else feeding into the maildrop
queue, it would be safe to skip the step of dropping it in the idle
queue of a second instance (on the same filesystem) and running
postsuper -s to get a properly named queue file?  I would, of
course, use a queue file name that would never be used by postfix.

Curtis


Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 06:51:20AM -0700, Curtis wrote:

 So, on a box that I know has nothing else feeding into the maildrop
 queue, it would be safe to skip the step of dropping it in the idle
 queue of a second instance (on the same filesystem) and running
 postsuper -s to get a properly named queue file?  I would, of
 course, use a queue file name that would never be used by postfix.

The queue file should be created mode 0600, owner $mail_owner, and
changed to 0700 once the contents are fully copied into the file.
The file-name must be alphanumeric. Postfix queue-ids only use [0-9A-F],
so in the maildrop directory you can avoid collisions by prefixing the
original filename with X.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.
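
The staging steps from the post above (create mode 0600, set the owner, copy, switch to 0700, prefix the name with X), as an added shell example that is not from the thread or from Postfix itself. The function name stage_queue_file is hypothetical, and the maildrop directory and owner are passed in by the caller.

```shell
#!/bin/sh
# Added example: stage an archived Postfix queue file into the maildrop
# directory following the steps in the post above. stage_queue_file is a
# hypothetical helper name; all paths and the owner come from the caller.

# usage: stage_queue_file ARCHIVED_FILE MAILDROP_DIR [OWNER]
# Prints the path of the staged file on success, returns non-zero on error.
stage_queue_file() {
    src=$1
    maildrop=$2
    owner=${3:-}        # e.g. the output of: postconf -h mail_owner

    id=${src##*/}       # file name without its directory part

    # Accept only names made of [0-9A-F], the alphabet the post gives for
    # Postfix queue IDs. The explicit list avoids locale-dependent ranges.
    case $id in
        ''|*[!0123456789ABCDEF]*)
            echo "stage_queue_file: '$id' is not a queue ID" >&2
            return 1 ;;
    esac

    if [ ! -f "$src" ] || [ ! -d "$maildrop" ]; then
        echo "stage_queue_file: missing source file or maildrop dir" >&2
        return 1
    fi

    # The X prefix cannot occur in a real queue ID, so the new name
    # cannot collide with a file Postfix created itself.
    dst=$maildrop/X$id

    # Create the file empty with mode 0600. noclobber (set -C) makes the
    # creation fail instead of truncating a file that is already there.
    if ! ( umask 077; set -C; : > "$dst" ) 2>/dev/null; then
        echo "stage_queue_file: $dst already exists" >&2
        return 1
    fi

    # Hand the still-empty file to the mail owner (needs root).
    if [ -n "$owner" ] && ! chown "$owner" "$dst"; then
        rm -f "$dst"
        return 1
    fi

    # Copy the contents while the file is still 0600, i.e. not yet
    # marked as complete.
    if ! cat < "$src" >> "$dst"; then
        rm -f "$dst"
        return 1
    fi

    # Only after the copy has finished switch the mode to 0700.
    if ! chmod 0700 "$dst"; then
        rm -f "$dst"
        return 1
    fi

    printf '%s\n' "$dst"
}

# Stand-alone use: sh stage.sh ARCHIVED_FILE MAILDROP_DIR [OWNER]
if [ "$#" -ge 2 ]; then
    stage_queue_file "$@"
fi
```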


Re: Sending hangs for no apparent reason..

2009-02-12 Thread Gaute Amundsen
It happened again :(
Not in connection with backup, but in another situation with high load.

Output of ps
http://div.org/postfix_debug/postfix.processes.txt  

http://div.org/postfix_debug/stack_trace.28848  - qmgr
http://div.org/postfix_debug/stack_trace.7175 - smtp

http://div.org/postfix_debug/core.28848  
http://div.org/postfix_debug/core.7175   

the bit of log with the last qmgr and smtp lines before hang.
no hits for grep -i watchdog
http://div.org/postfix_debug/maillog.12.02.09

 I am guessing a ready indication arrived for the private/smtp socket,
 but accept() blocked indefinitely. This would then be a kernel issue.

Does this look like that?

Thanks
Gaute


 On Mon, Feb 02, 2009 at 05:26:10PM +0100, Gaute Amundsen wrote:
  On Monday 02 February 2009 15:43:19 Victor Duchovni wrote:
   On Mon, Feb 02, 2009 at 01:50:30PM +0100, Gaute Amundsen wrote:
Jan 25 05:59:19 hotell01 postfix/smtp[595]: fatal: watchdog timeout
Jan 25 05:59:20 hotell01 postfix/master[734]: warning: process
/usr/libexec/postfix/smtp pid 595 exit status 1
Jan 25 05:59:20 hotell01 postfix/master[734]: warning:
/usr/libexec/postfix/smtp: bad command startup -- throttling
  
   This happens when the smtp(8) process has been stuck waiting for
   something to happen for 5 hours. What was happening around 00:59:xx on
   the same day?
 
  Apparently nothing in particular:
 
  http://pastebin.ca/1325397

 Jan 25 00:56:53 hotell01 postfix/qmgr[738]: B75CA147967:
 from=...@..., size=29074, nrcpt=1 (queue active)

 The delivery agent scheduled to handle this message locked up for 5
 hours and gave up. It got stuck before reporting busy to the master
 daemon, so no other smtp(8) processes were allocated.

  our Munin http://munin.projects.linpro.no/
  has lost the fine details that far back but there is a regular high peak
  on IOstsat just before 01:00 every night. Backup related I guess.
 
  both today and Jan 25 was a monday, so I had a look at cron.weekly which
  runs

 Perhaps your system runs out of resources during backup, and perhaps when
 this happens the system behaves in ways it should not.

 I am guessing a ready indication arrived for the private/smtp socket,
 but accept() blocked indefinitely. This would then be a kernel issue.

 If this happens again, you need to catch the stuck smtp(8) *before* the
 watchdog timer expires, and get a core file via gcore. Then report a
 stack trace of the process.




Re: Enforcing TLS by recipient and sender domain

2009-02-12 Thread Wietse Venema
Victor Duchovni:
 On Thu, Feb 12, 2009 at 08:33:35AM -0500, Wietse Venema wrote:
 
 is there a way to enforce TLS dependent on the sender domain?
 
  This would have to be simulated with sender_dependent_relayhost_maps.
  Specify a Postfix instance that encrypts all outbound mail. Postfix
  multi-instance support will go alpha in a few days.
 
 To expand this a bit, you deploy (at least) two Postfix instances on
 your system.
 
 The input instance accepts mail from senders and normally delivers it
 directly to the nexthop gateway for the destination. You already have
 this.
 
 The (TLS) output instance has a separate config_directory, queue_directory
 and data_directory, but shares the Postfix executables and docs. In the
 output instance, TLS is enforced for certain destinations.
 
 The input instance uses sender_dependent_relayhost_maps to route some
 mail to the (TLS) output instance.
 
 This scales poorly if different customers want to enforce TLS for
 different sets of destinations at different security levels. If that
 happens, it is much better to just field a separate input MTA for
 special-needs customers, and have the input instances do all the work.
 
 The main difficulty with multiple input instances is that it is difficult
 to get the process limits right. If loads on all the input instances
 spike at the same time, your system may not have enough disk I/O or CPU
 to handle the load.
 
 There is no sender_dependent_tls_policy_maps, nor any lookup key syntax
 for TLS policy by sender *and* recipient domain combined.

In addition, when people say sender they sometimes mean the client
IP address, instead of the envelope sender domain or address.

If the poster wants encryption depending on client IP address, then
they will have to direct those clients directly to an MTA instance
that encrypts all outbound mail. That also gives more assurance that
bounces will be encrypted.

Wietse


Re: Add X-Envelope From/To into incoming mail

2009-02-12 Thread John Villalovos
On Thu, Feb 12, 2009 at 7:10 AM, Petr Hudeček ph...@seznam.cz wrote:
 Hi everybody!
 I need add X-Envelope From: and X-Envelope To: into incoming mail from 
 envelope mail, no from head mail! I use Postfix and procmail. Can you help 
 me, please?

I believe by default there is an: X-Original-To  header which does the
same as X-Envelope-To.  At least my postfix does it and I didn't do
anything to get that behaviour


Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 08:46:51AM -0700, Curtis wrote:

 Perfect.  Does the pickup command have a trigger like qmgr that I can
 use with postkick to get the queue file picked up from the maildrop
 queue immediately?  I'm guessing not since there's no mention of it in
 the man page, but I thought I'd check anyway.  Or is there another way
 to make this happen?

Yes, it does:

# postkick public pickup W

all public services with a wakeup timer in master.cf support the
W trigger, that's how master(8) wakes them up.

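$ perl -lane '
$F[0] =~ /^[^#\s]/ or next;   # skip comments and continuation lines
$F[2] eq "n" or next;         # private column is "n": a public service
$F[5] ne "-" or next;         # wakeup column is set
print;' \
/etc/postfix/master.cf
pickup    fifo  n   -   n   60  1   pickup
qmgr  fifo  n   -   n   300 1   qmgr
flush unix  n   -   n   1000?   0   flush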

You don't really want to wake the flush service manually, that's
just internal house-keeping, but waking pickup(8) or qmgr(8) is fine.

I am not sure whether not documenting the pickup(8) trigger is deliberate
or an oversight.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: holding mail for recipient

2009-02-12 Thread Noel Jones

Christoph Erdle wrote:
I want to hold mails for a specific recipient which is an alias to 
multiple addresses so admin interaction is required to send to this 
alias. Problem is that the mail is now held twice (following is the 
output of mailq and releasing the message):


Feb 12 12:40:08 [postfix/smtpd] NOQUEUE: hold: RCPT from localhost[127.0.0.1]: t...@team-erdle.de: Recipient address testing hold with alias; from=i...@team-erdle.de to=t...@team-erdle.de proto=ESMTP helo=localhost 


Your reinjection postfix listener (defined in master.cf) is 
using the same access map.  See the README.postfix included 
with amavisd-new for suggested master.cf entries, or at a 
minimum add the following to your master.cf listener entry.


# master.cf
...
127.0.0.1:10025 inet  n  -   n  -   -  smtpd
(you should already have something similar to the above)
(add these entries just underneath)
   -o mynetworks=127.0.0.0/8
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject

note there is no space in permit_mynetworks,reject.
You will probably want to add -o receive_override_options=... 
if you haven't already, and there are some other parameters 
that may be useful to you.  See the README.postfix included 
with amavisd-new for details.

http://www.ijs.si/software/amavisd/README.postfix.html

  -- Noel Jones


Re: recipient_delimiter and virtual users

2009-02-12 Thread postfix

At 04:28 AM 2/12/2009, mouss wrote:

recipient_delimiter works out of the box. there is no need to change
your tables, your sql statements nor add users.


The problem is I don't know what the out of the box behavior should be.

If I set recipient_delimiter = + then mail to u...@example.com, 
user+...@example.com, and user+spam all deliver to INBOX, regardless 
of whether there is a spam or foo folder created.


What I want is, without having to set filters in the client, for mail 
to deliver to the appropriate folder.


What is the default behavior I should expect from recipient_delimiter 
with user+...@example.com? Should mail:

go to the default inbox always, or
go to a folder foo if it's been created and inbox otherwise
go to a folder foo if it's been created, or if the folder isn't there 
create foo and place the mail in that folder?


Once I know what it should do, it's a lot easier for me to figure out 
what's broken/misconfigured :-) and ask for help appropriately.


Thanks!

Rick





Re: recipient_delimiter and virtual users

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 12:33:57PM -0500, post...@corwyn.net wrote:

 At 04:28 AM 2/12/2009, mouss wrote:
 recipient_delimiter works out of the box. there is no need to change
 your tables, your sql statements nor add users.

 The problem is I don't know what the out of the box behavior should be.

 If I set recipient_delimiter = + then mail to u...@example.com, 
 user+...@example.com, and user+spam all deliver to INBOX, regardless of 
 whether there is a spam or foo folder created.

 What I want is, without having to set filters in the client, for mail to 
 deliver to the appropriate folder.

This is up to your LDA. No LDA bundled with Postfix understands folders.
Cyrus IMAP understands folders, and even knows that user+foo only
goes to folder foo when the folder's ACL allows anonymous POST,
otherwise mail goes to the Inbox.

These issues are dealt with by Mailstore aware delivery agents, not
the MTA. Deploy a delivery agent that co-operates with your mailstore
(Cyrus, Dovecot, ...). Postfix will pass the address and extension to
the delivery agent.

-- 
Viktor.



virtual_alias_maps against local_recipient_maps

2009-02-12 Thread jakjr
Hello,

Is there a way to check the result of a iteration(email address) on
virtual_alias_maps(cleanup) against the local_recipient_maps (smtp) ?

Best Regards

Jakjr


Re: virtual_alias_maps against local_recipient_maps

2009-02-12 Thread Noel Jones

jakjr wrote:

Hello,

Is there a way to check the result of a iteration(email address) on
virtual_alias_maps(cleanup) against the local_recipient_maps (smtp) ?

Best Regards

Jakjr



No.  If you describe your problem maybe someone can give some 
helpful suggestions.


 -- Noel Jones


Re: rbl clients.

2009-02-12 Thread Peter Blair
http://stats.dnsbl.com/

As Victor said, ZEN is usually enough for most people, but it's always
good to know why you're not using the rest.

On Thu, Feb 12, 2009 at 2:02 PM, Linux Addict linuxaddi...@gmail.com wrote:
 Please see below my smtpd_recipient_restrictions. On my rbl client list I
 have multiple entries, but not sure how many of them actually maintained. Is
 there one single place where I can find such a list. Any help is greatly
 appreciated.

 smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
   reject_invalid_hostname, permit
 smtpd_recipient_limit = 300
 smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated,reject_unauth_destination,
  reject_invalid_hostname,reject_unauth_pipelining,
  reject_non_fqdn_sender,reject_unknown_sender_domain,
  reject_non_fqdn_recipient,reject_unknown_recipient_domain,
  reject_rbl_client blackholes.easynet.nl,reject_rbl_client
 cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
  reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
  reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
  reject_rbl_client multihop.dsbl.org,permit

 ~LA


Re: filtering mail

2009-02-12 Thread Peter Blair
Including every solicited bulk email.  They usually create unique
bounce addresses to track dead target mailboxes etc.

On Wed, Feb 11, 2009 at 9:30 AM, Michael Katz
mkn...@messagepartners.com wrote:
 Ilo Lorusso wrote:
 Hi


 is there a way I can reject messages when its from address does not
 match the envelope from address?

 Doing that will drop tons of legit email.

 Mike Katz
 http://messagepartners.com


 using postfix of course


 Thanks

 Regards


 Ilo







Re: Redirect all mail from one domain to the same u...@otherdomain?

2009-02-12 Thread Jeff Weinberger

Mouss wrote:

Jeff Weinberger wrote:
 [snip]

 This is helpful, but I still need the query to take all the other
 alias domains into account. So, I need the IF condition, or a second map.



I don't think so. I used this. I don't remember the details, but the
idea is that you can often get rid of flow control (if, ...) using
additional tables.


Thanks - yes, additional tables, maps, etc. would make the sql coding  
far simpler.




 Thank you for your help...it's informative as always!

 if the wildcard alias will produce the result I need then this is
 resolved.


@example.org @example.com

works, but smtpd will accept mail to anyth...@...
(virtual_alias_maps are used for recipient validation during the smtp
transaction). if all addresses are valid (catchall or whatever), this is
ok. otherwise, it's bad. in any case, you must make sure that mail isn't
bounced after it is accepted (queued). This is what happens by default
(after virtual alias expansion, a delivery error occurs, and an NDR is
generated).


Thank you - this will work well. I'll use a catchall mailbox to make  
sure that I don't generate an NDR.


thanks for your help!





How disk I/O affect postfix performance ?

2009-02-12 Thread Yu (Irvin) Fan
Hi,

We're building a box to run two postfix instances to receive and send high
volume of emails. According to the documentation it's better to run the two
instances on separate disks for performance reason. I'm trying to understand
how exactly does the disk I/O affect the postfix performance? By speed
(bytes per second) or activities (# of read/write per second)?

Let's say I have two hard disks. If I make a RAID0 array out of the two
disks the overall speed is twice as the speed of a single drive (I know it's
not exact twice the speed. just simplify it for discussion). If the postfix
performance depends on the disk speed then running two instances on two
separate disks or running two instances on one RAID0 array should not make
big difference, right? But if it depends on disk activities then running on
two separate disks is definitely better. I know no matter which case using
two disks is the choice. But if I have other reason to use RAID0 I just want
to know how much performance I lost in postfix?

Thanks

-Irvin


Re: Add X-Envelope From/To into incoming mail

2009-02-12 Thread Sahil Tandon
On Thu, 12 Feb 2009, Petr Hudeček wrote:

 I need add X-Envelope From: and X-Envelope To: into incoming mail from
 envelope mail, no from head mail! I use Postfix and procmail. Can you help
 me, please?

Would Return-Path: and X-Original-To: suffice?  Postfix adds these headers by
default.

-- 
Sahil Tandon sa...@tandon.net


Re: holding mail for recipient

2009-02-12 Thread Christoph Erdle


On 12.02.2009 at 18:02, Noel Jones wrote:


Christoph Erdle wrote:
I want to hold mails for a specific recipient which is an alias to  
multiple addresses so admin interaction is required to send to this  
alias. Problem is that the mail is now held twice (following is the  
output of mailq and releasing the message):


Feb 12 12:40:08 [postfix/smtpd] NOQUEUE: hold: RCPT from  
localhost[127.0.0.1]: t...@team-erdle.de: Recipient address  
testing hold with alias; from=i...@team-erdle.de to=t...@team-erdle.de 
 proto=ESMTP helo=localhost


Your reinjection postfix listener (defined in master.cf) is using
the same access map.  See the README.postfix included with amavisd-new
for suggested master.cf entries, or at a minimum add the
following to your master.cf listener entry.


Thanks for your hint, I adapted master.cf to have the reinjection  
smtpd meet my needs, working like a charm.


Chris




RE: Timing question

2009-02-13 Thread Rocco Scappatura
Sorry for the delay..

Could you explain - in the same terms - how is quantified the time before
a message is passed to the queue manager, after it is processed by the
content filter?

The time to deliver is measured as the time between MAIL FROM and
end-of-data.

   Sorry for my bad english.. To be clearer, given delays=a/b/c/d I asked
   for the meaning of a delay. I need this definition to understand better
   the difference of time between d in 1) and d in 2) in the example above.

   Citing from the HISTORY file:

 The information is now logged as delays=a/b/c/d where
 a=time before queue manager, including message transmission;

   a=time from MAIL FROM until queue manager.

  Ok, Wietse so considering my example:

  1) Jan 30 10:02:17 av5 postfix/smtp[10603]: C0AFB226F23: to=recei...@domain.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=8.9, delays=1.3/0/0/7.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95CEE226F30)
  2) Jan 30 10:02:17 av5 postfix/smtp[5441]: 95CEE226F30: to=recei...@domain.tld, relay=server[xxx.yyy.zzz.uuu]:25, delay=0.11, delays=0.03/0.04/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C7951098002)

  and that:

  i) There are 7.7 seconds between the time that the Postfix SMTP client
  sends the MAIL FROM command to the filter, and the time that the
  filter sends the end-of-data reply to the Postfix SMTP client.

  ii) a=time from MAIL FROM until queue manager = 0.3 in 2)

 No, 0.03 not 0.3.

  Indeed, I thought (wrong) that they was the same transmission (and I
  cannot justify it because there was an evident timing difference -
  7.7 and 0.3).

 The filter is likely buffering the SMTP dialogue, and not initiating
 the downstream connection until it has processed the data.

  Instead, i) is the transmission from Postfix to the content filter,
  while ii) should be the reinjection of the message back to the normal
  MTA flow.

 This happens when filters buffer the envelope, not just the payload.

A last trivial question on this argument.. In a such configuration
(Postfix+Amavisd-new), is the total latency of a message from the time
it is transmitted from the client SMTP to the time the receiving MTA
sends end-of-data, given by summing the delay 1) and 2) reported
above?

Thanks,

rocsca


Holiday/out of office message

2009-02-13 Thread Schwalbe, Oliver
Hello Newsgroup,
 
i will implement a holiday/out of office message in my postfix.
the user should sent a message to holiday@domain.de and the 
holiday/out of office notification for the mailsender are active.
with a 2. mail to holiday@domain.de the notification will be inactive.
 
Can anybody help how to implement this?
Any other possibilities?
 
Kind regards
 
Oliver Schwalbe


throtling / queue management system

2009-02-13 Thread Gerardo Herzig
Hi all. I want something for throttling msgs, say if user X sends more
than 10 emails/minute, then requeue next msgs from user X with some
lower priority. Policyd is not bad, but it rejects emails when the limit
is reached.

Anyone knows an application like this? Will involve hacking/patching
postfix code?

Thanks!
Gerardo


About filtering mail with mailq

2009-02-13 Thread deconya
Hi

I'm new postfix and I'm learning how to use. My first problem is about the
spam because in my server are incoming mails with my domain but using bad
addresses and making copy to the aol.com domain. I'm making:

#postqueue -p | grep ' Feb @aol.com' | sed 's/*//' | awk '{print $1}' > spam.txt

but not appears the ID. I need to filter to domains in different lines, for
example:

ID -m...@mydomina.com
-m...@aol.com

How I can make this?

Thanks  Best Regards


Re: Problem with sending email to multiple recipients

2009-02-13 Thread Charles Marcus
On 2/13/2009, sim085 (sim...@hotmail.com) wrote:
 Any suggestions?

You'll get a lot more help if you follow the instructions that were in
the welcome message you got when you signed up to the list...

Specifically and for starters, output of postconf -n and logs exhibiting
the problem?

-- 

Best regards,

Charles


header_checks check_sender_access don't work

2009-02-13 Thread ddaas

Hi there,
I have 2 problems I want to discuss with you guys.

1. I want to block e-mails from some specific address. So I used 
header_checks = regexp:/usr/local/etc/postfix/header_checks and in 
header_checks I have:


/^From: badaddr...@domain.com/  REJECT message

But nothing happens.


2. I am getting spams from remote smtp servers with forged sender 
address (it is my address). The e-mail comes from myaddr...@mydomain.com 
to myaddr...@mydomain.com
So, I decided to block all e-mails that come to my servers to my domains 
(virtual) from remote smtp servers.
For that I added check_sender_access 
hash:/usr/local/etc/postfix/access_sender in 
smtpd_recipient_restrictions. But surprise, today I got such an e-mail.

In access_sender I have: mydomain    REJECT  message1

I also ran postmap access_sender.


Why is that possible? What should I do?



Here is the output of postconf -n

command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = domain.com
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = no
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
myhostname = mail.domain.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_helo_restrictions = reject_invalid_hostname permit
smtpd_recipient_restrictions = permit_mynetworks  
permit_sasl_authenticated  reject_unauth_destination check_sender_access 
hash:/usr/local/etc/postfix/access_sender check_helo_access 
pcre:/usr/local/etc/postfix/helo_checks reject_non_fqdn_recipient 
reject_unknown_recipient_domain reject_unverified_recipient 
reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender
dsn.rfc-ignorant.org permit

smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_unknown_sender_domain, 
reject_non_fqdn_sender, permit

soft_bounce = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/valias.txt
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/vhost.txt
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps.txt

Thank you.




Re: About filtering mail with mailq

2009-02-13 Thread Charles Marcus
On 2/13/2009 6:36 AM, deconya wrote:
 I'm new postfix and I'm learning how to use. My first problem is about the
 spam because in my server are incoming mails with my domain but using
 bad addresses and making copy to the aol.com domain. I'm
 making:

Don't accept messages for invalid recipients.

I'm confused about the second part of your complaint... are you sure you
are not an open relay?

 #postqueue -p | grep ' Feb @aol.com' | sed 's/*//' |
 awk '{print $1}' > spam.txt
 
 but not appears the ID. I need to filter to domains in different lines,
 for example:
 
 ID -m...@mydomina.com
 -m...@aol.com
 
 How I can make this?

You'll get a lot more help if you follow the instructions that were in
the welcome message you got when you signed up to the list...

Specifically and for starters, output of postconf -n and logs exhibiting
the problem?

-- 

Best regards,

Charles


Re: How disk I/O affect postfix performance ?

2009-02-13 Thread Wietse Venema
Wietse Venema:
 Yu (Irvin) Fan:
  Hi,
  
  We're building a box to run two postfix instances to receive and send high
  volume of emails. According to the documentation it's better to run the two
  instances on separate disks for performance reason. I'm trying to understand
  how exactly does the disk I/O affect the postfix performance? By speed
  (bytes per second) or activities (# of read/write per second)?
 
 I have shocking information for you: it is none of the above.
 
 Postfix must write the message to stable storage, so that it
 will not be lost after a system crash.
 
 For example, writing mail to a queue file requires multiple file
 system updates:
 
 - allocate queue file inode (in inode bitmap etc.)
 - allocate queue file blocks (in block bitmap etc.)
 - update queue file blocks
 - update queue file inode
 - update directory file (for queue file name etc.)
 - update directory file inode
 
 Each of these are in a different place in the file system.  Only
 once all this information is updated, can Postfix claim that mail
 is in stable storage.
 
 Thus the read/write speed is largely irrelevant for small email
 messages. Performance is dominated by seek latency and rotational
 latency.

You can reduce the latencies by using a large non-volatile buffer
(as is common with RAID systems). With the large non-volatile
buffer, writes complete quickly. The hardware can sort the update
order to minimize head movements.

Wietse


More main.cf cleanup

2009-02-13 Thread Charles Marcus
Hello again,

I just want to confirm before I change this that I'm not missing
something that will cause me some pain...

Currently I have all of my restrictions under
smtpd_recipient_restrictions, but after seeing some questions about
these on the list, I'm thinking that there are two that should be moved.

My current restrictions are:

smtpd_recipient_restrictions =
 check_recipient_access hash:/etc/postfix/moved-employees,
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
## only allow outsourced anti-spam service to send us email
 check_client_access cidr:/etc/postfix/allowed_clients.cidr,
## custom rejects for x-employees
 check_recipient_access hash:/etc/postfix/x-employees,
## block certain senders from sending us mail
 check_sender_access hash:/etc/postfix/blocked_senders

I'm thinking it would be better to move the check_client_access check to
smtpd_client_restrictions, and the check_sender_access check to
smtpd_sender_restrictions, so I'd then have:

smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_client_access cidr:/etc/postfix/allowed_clients.cidr,
smtpd_sender_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access hash:/etc/postfix/blocked_senders
smtpd_recipient_restrictions =
 check_recipient_access hash:/etc/postfix/moved-employees,
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/x-employees,

I'm unsure if the permit_mynetworks and permit_sasl_authenticated checks
are necessary under all three - is it sufficient to just have these
under recipient_restrictions, or do you need to add them to each when
breaking things up like this?

Or does this make sense to change this? Would it be better/ok to just
leave them all under recipient_restrictions?

Tia for any comments/help,

-- 

Best regards,

Charles


Re: throtling / queue management system

2009-02-13 Thread Wietse Venema
Gerardo Herzig:
 Wietse Venema wrote:
  Gerardo Herzig:
  Hi all. I want something for throttling msgs, say if user X sends more
  than 10 emails/minute, then requeue next msgs from user X with some
  lower priority.
  
  Postfix has no queue priority. When the street to the airport is
  congested, first-class passengers have to wait just as long as
  coach-class passengers.
  
 Ok. Thanks. So what would be wise to put those mails (the ones who
 exceed the quota) in defer queue? Can policyd do that? Or any other?

Why do you believe that it is a good idea to accept over-quota
email? By doing this you are lying to the customer. You accept
their mail but you don't deliver it and you don't give them a chance
to find out that they are over quota.

Wietse


Re: No virtual alias with diferent cleanup for submission service

2009-02-13 Thread Noel Jones

rafa wrote:

Hello everyone,

I created a second cleanup for the submission service to have separate
header checks from incoming emails.

cleanup-out   unix  n   -   -   -   0   cleanup
  -o header_checks=pcre:/etc/postfix/header_checks-out
  -o body_checks=pcre:/etc/postfix/body_checks-out
  -o mime_checks=pcre:/etc/postfix/mime_checks-out

After this change the recipients that have a virtual alias to an
external host or other virtual domain, in the example gmail.com, stop 
working for the mail submitted via the submission service ,mail received 
via port 25 flows as before.

The only change was in the submission service


It doesn't work as expected because your main.cf contains
receive_override_options = no_address_mappings 


To fix this, just add
  -o receive_override_options=
(ie. an empty value)
to your submission service.



Modified submission service:
---

submission inet n  -   -   -   -   smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o content_filter=
#-o receive_override_options=no_header_body_checks


add here:
  -o receive_override_options=


  -o smtpd_milters=unix:/clamav/clamav-milter.ctl,inet:localhost:10040
  -o milter_default_action=accept
  -o smtpd_discard_ehlo_keywords=silent-discard,8bitmime,etrn,dsn
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o cleanup_service_name=cleanup-out





  -- Noel Jones


unknown mail transport error

2009-02-13 Thread Henri Chevreton

Hi,

I have a simple postfix server that was working fine for
more than one year. I have now many  mail transport error
that seems to begin after an update, and I do need some
help !

Thanks in advance

This server is a debian etch and postfix is 2.3.8-2+etch1


A strange thing : I've send e-mail to a list of users and
for some users, mail was delivered ...



Here is a portion of the log that concern one mail delivery
to the user doli (send locally with the mail command, but the
problem is the same if the mail comes from another server):

Feb 13 14:25:37 alty postfix/local[19045]: been_here: mailbox doli: 0
Feb 13 14:25:37 alty postfix/qmgr[18753]: private/local socket: wanted 
attribute: status
Feb 13 14:25:37 alty postfix/qmgr[18753]: warning: premature 
end-of-input on private/local socket while reading input attribute name
Feb 13 14:25:37 alty postfix/qmgr[18753]: warning: private/local socket: 
malformed response
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_transport_throttle: 
transport local: status: 4.3.0 reason: unknown mail transport error
Feb 13 14:25:37 alty postfix/qmgr[18753]: warning: transport local 
failure -- see a previous warning/fatal/panic logfile record for the 
problem description



and the entire log
(I've put -v in master.cf for smtp qmgr local)

r...@alty:/var/log# cat mail.log.tmp
Feb 13 14:25:37 alty postfix/pickup[18754]: A86D52A41C4: uid=0 from=root
Feb 13 14:25:37 alty postfix/cleanup[19043]: A86D52A41C4: 
message-id=20090213132537.a86d52a4...@alty.enib.fr
Feb 13 14:25:37 alty postfix/qmgr[18753]: trigger_server_accept_fifo: 
trigger arrived

Feb 13 14:25:37 alty postfix/qmgr[18753]: master_notify: status 0
Feb 13 14:25:37 alty postfix/qmgr[18753]: request: 87 (W)
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_scan_start: start 
incoming queue scan

Feb 13 14:25:37 alty postfix/qmgr[18753]: master_notify: status 1
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_active_feed: queue incoming
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_active_feed: 
incoming/A86D52A41C4
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_message_alloc: active 
A86D52A41C4
Feb 13 14:25:37 alty postfix/qmgr[18753]: A86D52A41C4: 
from=r...@alty.enib.fr, size=298, nrcpt=1 (queue active)

Feb 13 14:25:37 alty postfix/qmgr[18753]: start sorted recipient list
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_message_sort: 
d...@alty.enib.fr

Feb 13 14:25:37 alty postfix/qmgr[18753]: end sorted recipient list
Feb 13 14:25:37 alty postfix/qmgr[18753]: resolve_clnt: cached: 
`r...@alty.enib.fr' - `d...@alty.enib.fr' - transp=`local' 
host=`alty.enib.fr' rcpt=`d...@alty.enib.fr' flags= class=local

Feb 13 14:25:37 alty postfix/qmgr[18753]: start sorted recipient list
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_message_sort: 
d...@alty.enib.fr

Feb 13 14:25:37 alty postfix/qmgr[18753]: end sorted recipient list
Feb 13 14:25:37 alty postfix/qmgr[18753]: mail_flow_put: 1 1
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_transport_select: local
Feb 13 14:25:37 alty postfix/qmgr[18753]: qmgr_active_drain: allocate local
Feb 13 14:25:37 alty postfix/qmgr[18753]: connect to subsystem private/local
Feb 13 14:25:37 alty postfix/qmgr[18753]: done incoming queue scan
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  mail
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  ipv4
Feb 13 14:25:37 alty postfix/local[19045]: name_mask: ipv4
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  alty.enib.fr
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  enib.fr
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  Postfix
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  postfix
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  postfix
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  postdrop
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: expand 
$myhostname, localhost.$mydomain, localhost, atlantic, atlantic.enib.fr 
- alty.enib.fr, localhost.enib.fr, localhost, atlantic, atlantic.enib.fr
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: expand $myhostname 
- alty.enib.fr

Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  smtp.enib.fr
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const 
/usr/lib/postfix

Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  /usr/sbin
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const 
/var/spool/postfix

Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  pid
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  all
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  double-bounce
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  nobody
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const 
hash:/etc/aliases

Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  20070301
Feb 13 14:25:37 alty postfix/local[19045]: dict_eval: const  2.3.8
Feb 13 14:25:37 

Re: More main.cf cleanup

2009-02-13 Thread Justin Piszcz



On Fri, 13 Feb 2009, Charles Marcus wrote:


On 2/13/2009, Ralf Hildebrandt (ralf.hildebra...@charite.de) wrote:

I'm thinking it would be better to move the check_client_access check to
smtpd_client_restrictions, and the check_sender_access check to
smtpd_sender_restrictions, so I'd then have:



No, don't do it.


Ok... I do appreciate the response, but I'd be more comfortable with a
bit more of an explanation as to why...

--

Best regards,

Charles



I have one question to add to this thread, in the past it has always been 
up to the admin whether to put all beneath recipient restrictions (with 
the exception of SAV), is this still considered best-practice?  Or should 
one follow Charles' method and put each set of checks under the 
appropriate restriction class?


Justin.


Re: header_checks check_sender_access don't work

2009-02-13 Thread Noel Jones

ddaas wrote:

Hi there,
I have 2 problems I want to discuss with you guys.

1. I want to block e-mails from some specific address. So I used 
header_checks = regexp:/usr/local/etc/postfix/header_checks and in 
header_checks I have:


/^From: badaddr...@domain.com/  REJECT message

But nothing happens.


2. I am getting spams from remote smtp servers with forged sender 
address (it is my address). The e-mail comes from myaddr...@mydomain.com 
to myaddr...@mydomain.com
So, I decided to block all e-mails that come to my servers to my domains 
(virtual) from remote smtp servers.
For that I added check_sender_access 
hash:/usr/local/etc/postfix/access_sender in 
smtpd_recipient_restrictions. But surprise, today I got such an e-mail.

In access_sender I have: mydomain    REJECT  message1

I also ran postmap access_sender.


Your description and your postconf output seem reasonable. 
The only explanation for it not working as expected is that 
the input doesn't match your access map or header check.



/^From: badaddr...@domain.com/  REJECT message


instead:
/^From:.*(| )badaddr...@domain\.com/  REJECT message
note matching addresses in headers is tricky (impossible with 
a simple regexp).  This is close, but will mis-fire on odd 
address constructions.



In access_sender I have: mydomain    REJECT  message1


My assumption here is that although the From: header is your 
domain, the envelope sender isn't.  Examining the logs will 
show the envelope sender.


  -- Noel Jones
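
An added example, not part of Noel's reply or of Postfix itself, that runs both points of the reply against constructed data: the two pattern shapes from the thread applied to sample From: headers, and an access-map lookup on the envelope sender compared with the same lookup on the From: header. The addresses, the qmgr log line, the use of Python's `re` in place of a Postfix regexp: table, and the simplified access(5) lookup order are all assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample data: addresses, queue ID and log line are placeholders.
ANCHORED = r"^From: bad@example.com"        # shape of the pattern that never fired
LOOSER = r"^From:.*(| )bad@example\.com"    # shape of the suggested replacement
HEADERS = [
    "From: bad@example.com",
    'From: "Bad Sender" <bad@example.com>',
    "From: <bad@example.com>",
    "From: notbad@example.com",             # different mailbox, same suffix
]
LOG_LINE = ("Feb 13 10:00:00 mx postfix/qmgr[1234]: 3F2A1B4C: "
            "from=<bounce-77@spam.example.net>, size=2048, nrcpt=1 (queue active)")
FORGED_HEADER = "From: me@mydomain.example"
ACCESS_SENDER = {"mydomain.example": "REJECT message1"}


def header_check_hits(pattern, headers):
    """Header lines a regexp: table entry would match (case-insensitive by default)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in headers if rx.search(h)]


def envelope_sender(log_line):
    """Envelope sender (MAIL FROM) as Postfix logs it in from=<...>."""
    m = re.search(r"\bfrom=<([^>]*)>", log_line)
    return m.group(1).lower() if m else None


def sender_access_lookup(table, address):
    """Simplified access(5) lookup order: user@domain, then domain, then user@."""
    if not address:
        return None
    local, _, domain = address.rpartition("@")
    return next((table[k] for k in (address, domain, local + "@") if k in table), None)


def compare(log_line, header_line, table):
    """Action for the envelope sender vs. what the From: header would have hit."""
    env = envelope_sender(log_line)
    hdr = parseaddr(header_line.split(":", 1)[1])[1].lower()
    return sender_access_lookup(table, env), sender_access_lookup(table, hdr)


if __name__ == "__main__":
    print(header_check_hits(ANCHORED, HEADERS))
    print(header_check_hits(LOOSER, HEADERS))
    print(envelope_sender(LOG_LINE), compare(LOG_LINE, FORGED_HEADER, ACCESS_SENDER))
```

The anchored shape matches only the bare-address header, while the looser shape also matches `notbad@example.com`, which is the kind of mis-fire the reply warns about.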


Re: No virtual alias with diferent cleanup for submission service

2009-02-13 Thread rafa

Noel Jones wrote:


To fix this, just add
  -o receive_override_options=
(ie. an empty value)
to your submission service.


Now it's working.

Thanks.


rafael.


DSN: Improper sequence of commands in postfix 2.5.4

2009-02-13 Thread Eddy Beliveau

Hi!

I'm using Postfix 2.5.4 and it worked well.  Thanks  ;-)

One of my academic users received this error message

Google didn't help me much

Do you know what can cause this failure?

Is it caused by my server?

Thanks,
Eddy

Sujet : Delivery Status Notification (Failure)
Date :  Thu, 12 Feb 2009 11:55:31 -0800
De :    postmas...@hotmail.com
Pour :  remov...@hec.ca



This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

  remov...@hotmail.com

Reporting-MTA: dns;bay0-imc3-s4.bay0.hotmail.com
Received-From-MTA: dns;COl0-MC4-F43.Col0.hotmail.com
Arrival-Date: Thu, 12 Feb 2009 11:37:57 -0800

Final-Recipient: rfc822;u...@hotmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;503 Improper sequence of commands




SMTP relay only

2009-02-13 Thread Rocco Scappatura
Hello,

I need to setup a mail server for outgoing email only. I clearly would
like to restrict access to my networks only.

Moreover, I would like to permit only some envelope senders to relay
email through such an MTA. And no other envelope sender should be able to
relay through this MTA.

So the restriction classes are made so:

smtpd_client_restrictions =
    check_client_access
    proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

-- this lets me disable some content checking through the filter
(Amavisd-new). No matter.

smtpd_helo_restrictions =
smtpd_sender_restrictions =

smtpd_recipient_restrictions =
    check_client_access
    proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    check_sender_access
    proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    reject

Please note that I use check_client_access restriction together with:

mynetworks = /etc/postfix/relay

to limit access to SMTP relay server per IP.

The /etc/postfix/mysql-check-sender-access.cf verifies if the envelope
sender is enabled for relay (I'm assuming that on my networks no one
forges the email sender).

The lookup returns OK if the sender is enabled. Nothing otherwise (the
sender should be rejected at the next restriction..).

This configuration doesn't work. What is conceptually wrong in my
config?

Finally, I would like to deny message delivery to my mail server. Should
it suffice to unset relay_domains, or is doing so too restrictive?

Thanks,

rocsca


Re: unknown mail transport error

2009-02-13 Thread Wietse Venema
Henri Chevreton:
 Feb 13 14:25:37 alty postfix/master[3972]: warning: process 
 /usr/lib/postfix/local pid 19045 killed by signal 6

That is your problem.

Wietse


Re: header_checks check_sender_access don't work

2009-02-13 Thread ddaas




Thank you Noel !
Your regex worked.

But regarding the second problem, how can I block this kind of spam?
Spam from remote servers From: myaddr...@myvirtualdomain.com To:
myaddr...@myvirtualdomain.com?
It is ok for me to block all e-mails that are coming from remote smtp
servers From addres...@myvirtualdomains.
I don't have tele-workers, people that are using other servers to relay
their e-mails.

Thank you one more time.

Dan

Noel Jones wrote:
ddaas wrote:
  
  Hi there,

I have 2 problems I want to discuss with you guys.


1. I want to block e-mails from some specific address. So I used
header_checks = regexp:/usr/local/etc/postfix/header_checks and in
header_checks I have:


/^From: badaddr...@domain.com/ REJECT message


But nothing happens.



2. I am getting spams from remote smtp servers with forged sender
address (it is my address). The e-mail comes from
myaddr...@mydomain.com to myaddr...@mydomain.com

So, I decided to block all e-mails that come to my servers to my
domains (virtual) from remote smtp servers.

For that I added check_sender_access
hash:/usr/local/etc/postfix/access_sender in
smtpd_recipient_restrictions. But surprise, today I got such an e-mail.

In access_sender I have: mydomain REJECT message1


I also ran postmap access_sender.

  
  
Your description and your postconf output seem reasonable. The only
explanation for it not working as expected is that the input doesn't
match your access map or header check.
  
  
  /^From: badaddr...@domain.com/ REJECT message

  
  
instead:
  
/^From:.*(| )badaddr...@domain\.com/ REJECT message
  
note matching addresses in headers is tricky (impossible with a simple
regexp). This is "close", but will mis-fire on odd address
constructions.
  
  
  In access_sender I have: mydomain REJECT message1

  
  
My assumption here is that although the From: header is your domain,
the envelope sender isn't. Examining the logs will show the envelope
sender.
  
  
 -- Noel Jones
  
  





Re: More main.cf cleanup

2009-02-13 Thread Charles Marcus
On 2/13/2009, Justin Piszcz (jpis...@lucidpixels.com) wrote:
 I have one question to add to this thread, in the past it has always
 been up to the admin whether to put all beneath recipient
 restrictions (with the exception of SAV), is this still considered
 best-practice?  Or should one follow Charles' method and put each set
 of checks under the appropriate restriction class?

Actually after an email exchange with Ralf off list, I decided against
doing this, because in my case - that these checks come after
reject_unauth_destination - it would be of no benefit, and only
complicate things.

-- 

Best regards,

Charles

