Re: restrict or alter to address based on from address
Hi, On 11/19/2014 03:27 AM, Joe Acquisto-j4 wrote: [snip] I was daydreaming about ways to get messages from the old system to the new one, as might be required. For a bit it seemed feasible to cobble up something to allow messages to be sent via SMTP from the old system to the new, in a controlled and highly restricted manner. [snip] Perhaps a tool like imapsync is what you are looking for. It is available in most Linux distributions and available in the FreeBSD ports tree. HTH, Mikael
Re: mynetworks in mysql database
Hi, On 10/25/2013 09:48 AM, Rune Elvemo wrote: Does anyone know how to use a mysql database for mynetworks? We did manage to use it to match a single ip address, but is there a way to match entire networks? That can be done at the sql level. See mysql functions INET_ATON and INET_NTOA for more info. HTH, Mikael
Re: Block certain remote hosts on submission port
On 08/22/2013 01:51 PM, Charles Marcus wrote: [snip] The simple fact is, we do not have any users based *anywhere* but the US, so, is what is the simplest way to block any/all non-US based client connections on my submission port? [snip] Hi, Sometimes it seems like a good solution to filter out all countries but your own. In fact it's not a good idea at all IMO. People do travel and they need to read and write email while they are abroad. Laptop and/or smartphone users will not like your new restriction policy when they try to get some work done while visiting a partner company in Germany. Use fail2ban as suggested by others. Mikael
Re: Would somebody let me know what I need to do to improve this setup.
On 08/07/2013 12:03 PM, John Allen wrote: Is there any particular reason you need to accept messages 32 GB in size? Yes. We support a business that designs and manufactures packaging and displays. The sort of thing you might see in the aisle of a supermarket or store selling gum, personal care products. The graphics, art work and design of these need to be sent to the people involved. We have looked into using services like Dropbox but the problem with all of these is copyright. Our customers legal eagles have advise against such services as they may compromise their copyright on anything stored on such services. OT: It is the same advice and reasoning they gave against using public cloud services, some of whose terms of service essentially strip the user of all copyright ownership. I don't recall email being the only alternative to public cloud file storage solutions. Set up a file server of you own and keep copyrights in house. 32GB sized email messages is a mistake IMO. Mikael
Re: Outsourced anti-spam and Issues with VRFY
On 08/05/2013 02:15 PM, Charles Marcus wrote: Also - I hate to ask (it isn't your job to do their job), but could you suggest off the top of your head what they *should* be doing? Would properly closing all VRFY probe connections really impact performance on their side that much - especially if they are caching these responses (so those wouldn't even need to be sent downstream to my server)? I really hope I don't find out they aren't caching them for at least a few hours to a day or so. I could be wrong. I have the impression that they should use something similar to postfix' reject_unverified_recipient. That's what our anti spam solution does. HTH, Mikael
Re: smtp restrictions
Stan, On 05/31/2013 08:49 AM, Stan Hoeppner wrote: On 5/30/2013 11:43 PM, James Zee wrote: I was hoping someone could take a quick glance at my smtpd_*_restrictions configurations. While I've read and (re-)read the SMTPD_ACCESS_README file a few times over I would be greatly appreciative if someone could sanity check my work. Reviewing people's main.cf files is not a function of the mailing list. Answering specific questions or solving problems related to main.cf is. If we did the former the list would be clogged with such requests and responses. Thus I'll reply off list. It'll arrive shortly. I disagree. It could be VERY helpful to others to have a discussion about different configurations. It is a way to learn. I fail to see why you have the authority to decide what is and is not the purpose of this mailing list. Cheers, Mikael
Re: Postfix 2.8.x anti anti backscattering settings
Hi Josef, On 04/18/2013 11:06 AM, Josef Karliak wrote: Good morning, our outgoing smtp server gets into a backscatter blacklist. When I checked my logs, there were only one mailer daemon email to some server in the time that is mentioned on the backscatter web. In all servers in the way of the email (incoming MX-antispam server- our imap server) has unknown_local_recipient_reject_code = 550. What else could I do ? There could be one thing - incoming MX accept all emails for our domain, he doesn't know our aliases. The mail is send to antispam and when antispam wanna sent the email to imap server and the target email address doesn't exists, it has 550 error and it is send away by our antispam server (it is our outgoing server). So, is this all wrong ? We decided to have more servers because of loading reasons (we've daily up to 15 000 emails, but there were a 60 000 peak) You can have reject_unverified_recipient on the MX to check the IMAP server if the email address exists before accepting it. HTH, Mikael
Re: Postfix 2.8.x anti anti backscattering settings
On 04/18/2013 12:20 PM, Josef Karliak wrote: Hi, thanks for reply. We thought that we have to copy existing aliases file from imap server to incoming MX. If we reject an emailduring smtp communication, we won't relay spam to victim. Am I right ? Best regards J.K. Hi, Please do not top-post. Fscks up formating. I don not understand your question. If you use reject_unverified_recipient on the MX then you should not need to copy any alias files. But I am speculating. I don't know how your system works. HTH, Mikael
Re: block ip-range for 1 domain
Richard, On 02/19/2013 12:34 PM, richard lucassen wrote: I have transport front-end servers for domains: domain1.tld domain2.tld domain3.tld domain4.tld [..] domainX.tld I want to blacklist 1.2.3.4/24 only for destination domain3.tld (and reply with a 5xx if possible). What's the best way to handle this? On the backend server somewhere? But the backend server receives the mail from the frontend server, so simple blacklisting will not work. Any hint? I think you are looking for this: http://www.postfix.org/RESTRICTION_CLASS_README.html HTH, Mikael
Re: block ip-range for 1 domain
On 02/19/2013 01:58 PM, richard lucassen wrote: On Tue, 19 Feb 2013 13:49:54 +0100 Benny Pedersen m...@junc.eu wrote: Any hint? google postfwd postfix can do it with classes, but its more complicated then with postfwd Ok, that seems to be very nice. AFAIUI it can be implemented on the backend server. I'd prefer not to touch the front-end servers. That does NOT sound like a good idea. If you accept the message on the fronend and then reject is on the backend, then you will generate a bounce message back to the sender. If the sender's address is forged, then you will generate backscatter, and could end up on black lists. Reject on the frontend servers to avoid this. HTH, Mikael
Re: Relaying email to exchange
Kevin, On 02/14/2013 09:41 PM, Kevin Blackwell wrote: I have 2 mx records. The primary is Exchanges edge server that has it's own internal spam filtering. The secondary is poxtfix server relaying mail to the edge server as a backup mx record. Are you saying the postfix server should be behind the Exchange edge server? A rule of thumb is that if you must have a backup MX you should have the same spam defence as on the primary one. If you can't do that, I suggest you drop the backup MX. Alternatively you can hide the exchange behind a postfix, but the you should let postfix do the spam filtering and disable spam filter on the exchange. You must now ask you the question why you need a backup MX. HTH, Mikael
Re: Gmail as Relayhost
On 02/13/2013 01:14 PM, Dominique wrote: Hi, I am looking at using gmail as a relayhost in our current server setup ubuntu12.04/postfix/cyrus instead of using the ISP relayhost. Is you ISP relayhost service bad? I have it working, but the outgoing email address is replaced by the gmail address (from the authentication info) - things that did not happen when using the ISP. How can I fix that ? I'm not sure it's possible. I think you need to use gmail.com as from email addresses in order to use their SMTP. Solution: use your ISP relayhost or buy the service from someone else. Thanks, Dominique Mikael
Re: Gmail as Relayhost
On 02/13/2013 03:24 PM, Noel Jones wrote: [snip] - If you only have a handful of addresses, you can sign up for a free google apps account with your own domain name. That will allow you to relay through google. You are not required to use google as your MX; you can continue to use your own server. If you have too many for the free service, you might consider paying. [snip] Too late for that! Starting on December 6, 2012, Google will no longer offer new accounts for the free edition of Google Apps. http://support.google.com/a/bin/answer.py?hl=enanswer=2855120
Re: pop client for postfix.
On 11/12/2012 05:55 PM, John Hinton wrote: A really good use for POP is for more sensitive email situations, such as legal, medical or financial. Some of our users want it 'off' the server soonest. But yes, IMAP is more the standard these days. We allow either using Dovecot. POP is faster, after a mailbox gets large. POP reduces online storage use and is easier to back up. There are advantages for some users and all administrators. So, to me, long live POP but we do encourage our users to set up their accounts using IMAP. If the information in an email is sensible, then it should be encrypted. If sensible information is transfered unencrypted then stored for a while unencrypted on a server storage, then you can't really know who has had access to it, can you? Cheers, Mikael
Re: sporadic bouts of lost connections to exchange 2010 hub transport
Hi Stan, On 09/25/2012 08:22 AM, Stan Hoeppner wrote: Apparently Linux and Windows TCP window scaling doesn't always work reliably together. Try disabling TCP window scaling on the Linux box(en): [snip] Perhaps off topic, but do you have any links to documents or similar that proves that there is a problem between the two operationg systems with regard to TCP window scaling. This is the first time I hear about this to be honest. TIA, Mikael
Re: Outgoing mail problem from phone
Hi Dominique, On 07/27/2012 11:37 AM, Dominique wrote: However when trying to connect through a phone app (Android/email app), there is no way to send a mail. It gets rejected all the time. Jul 27 10:25:03 www postfix/smtpd[10868]: connect from 230.Red-176-83- 90.dynamicIP.rima-tde.net[176.83.90.230] Jul 27 10:25:04 www postfix/smtpd[10868]: NOQUEUE: reject: RCPT from 230.Red-176-83-90.dynamicIP.rima-tde.net[176.83.90.230]: 554 5.7.1 230.Red-176-83-90.dynamicIP.rima-tde.net[176.83.90.230]: Client host rejected: Access denied; from=hraboga...@hrabogados.com to=dco...@gmail.com proto=ESMTP helo=[10.27.232.189] Jul 27 10:25:05 www postfix/smtpd[10868]: lost connection after RCPT from 230.Red-176-83-90.dynamicIP.rima-tde.net[176.83.90.230] Jul 27 10:25:05 www postfix/smtpd[10868]: disconnect from 230.Red-176-83- 90.dynamicIP.rima-tde.net[176.83.90.230] Here is the output of postconf -n. [snip] mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128, 192.168.1.0/24 [snip] smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access [snip] smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination, reject_invalid_hostname,reject_non_fqdn_hostname, reject_non_fqdn_sender,reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain,reject_unauth_pipelining reject_rbl_client bl.spamcop.net,reject_rbl_client zen.spamhaus.org, reject_rbl_client blackholes.easynet.nl,reject_rbl_client dnsbl.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net, check_policy_service [snip] The phone is connecting from outside mynetworks. It threrefore gets rejected. You should probably add permit_sasl_authenticated to smtpd_client_restrictions to fix this. HTH, Mikael
Re: Q: Postfix MTA as a router - callback verification
On 06/15/2012 06:03 AM, Adam Bradley wrote: Sorry, but this sounds to me like an accident waiting to happen. I would /strongly/ recommend getting a proper recipient list and populating transport_maps with a user-host mapping. My only concern is scalability, is there anything you can point me to regarding transport_maps and sizing/scalability? LDAP is pretty scalable. Postfix has support for LDAP lookup maps. If you don't like LDAP, you can do the same thing with MySQL. HTH, Mikael
Re: Multiple IP
On 05/03/2012 07:45 AM, Kirill Bychkov wrote: Hi all, I need create server with 5 IP addresses (interfaces) and postfix(es). The role of this server is relay. If message delivered into my mail server on one ip address, for example, 172.16.35.35, so this message should be sent from same ip: 172.16.35.35. In other words, on which interface the message came, with this should be sent. What method should I do? 1. Postfix multi instace (postmulti) 2. Postfix manual multi instance (http://advosys.ca/papers/email/58-postfix-instance.html) 3. Configure master.cf http://master.cf and main.cf http://main.cf of one postfix instance. Thank you. Hi, This may or may not be what you are looking for. If you have a dedicated machine with lots of IP addresses then I would do LXC[1] (Linux Containers) on it. This way you can have completely different rules on each postfix. Your containers will act as if they were different physical machines. HTH, Mikael [1] http://lxc.sourceforge.net/
logging transport route
Hi list, I have configured an alternate transport route for mail going to specific destination domains. I call this transport slowsmtp. My problem is that I see no evidence in my logs that email sent to the specific domains uses slowsmtp route for delivery. I have defined slowsmtp in /etc/postfix/master.cf like this: [snip] smtp unix - - - - - smtp slowsmtp unix - - - - - smtp [snip] My /etc/postfix/transport looks like this: example1.com slowsmtp: example2.com slowsmtp: My postconf -n like this: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no config_directory = /etc/postfix default_destination_rate_delay = 3s header_checks = regexp:/etc/postfix/header_checks inet_interfaces = all mailbox_size_limit = 0 mydestination = myhost.mydomain.com, localhost.mydomain.com, localhost myhostname = myhost.mydomain.com mynetworks = 127.0.0.0/8, cidr:/etc/postfix/network_table.cidr myorigin = /etc/mailname readme_directory = no recipient_delimiter = + smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP smtpd_recipient_restrictions = reject_unknown_recipient_domain, permit_mynetworks,reject_unauth_destination,reject smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes transport_maps = hash:/etc/postfix/transport An extract from my logs showing that smtp is used instead of slowsmtp. The line with postfix/smtp[7913] in it: Mar 31 06:16:57 myhost postfix/smtpd[7934]: 1F6E8200F99: client=smtphost1.foreigndomain.com.hu[DD.DD.DDD.DD] Mar 31 06:16:57 myhost postfix/cleanup[7902]: 1F6E8200F99: message-id= Mar 31 06:16:57 myhost postfix/qmgr[5517]: 1F6E8200F99: from=u...@foreigndomain.com, size=220513, nrcpt=1 (queue active) Mar 31 06:16:58 myhost postfix/smtp[7913]: 1F6E8200F99: to=u...@example1.com, relay=mx.example1.com[DDD.DDD.DD.DD]:25, delay=1.8, delays=0.07/0/0.08/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK) Mar 31 06:16:58 myhost postfix/qmgr[5517]: 1F6E8200F99: removed Is this normal that I in this log can't see that the email took slowsmtp route instead of normal smtp? TIA, Mikael
Re: logging transport route
Szia Levente! On 04/02/2012 02:26 PM, Birta Levente wrote: On 02/04/2012 14:31, Mikael Bak wrote: Hi list, I have configured an alternate transport route for mail going to specific destination domains. I call this transport slowsmtp. My problem is that I see no evidence in my logs that email sent to the specific domains uses slowsmtp route for delivery. You specified the service name slowsmtp, but it's use smtp client and thats what generate the log entry. I have defined slowsmtp in /etc/postfix/master.cf like this: [snip] smtp unix - - - - - smtp slowsmtp unix - - - - - smtp -o syslog_name=whatever [snip] That was exactly what I was looking for! Thank you very much! Regards, Mikael
Re: Filtering spam received from multiple users
Stan Hoeppner wrote: Mikael Bak put forth on 4/12/2011 7:31 AM: Stan Hoeppner wrote: [snip] Received: from [190.221.28.39] (unknown [190.221.28.39]) In this example, reject_unknown_reverse_client_hostname would have generated a 450 rejection. You should always use reject_unknown_reverse_client_hostname at minimum, or the more restrictive reject_unknown_client_hostname, though this one can cause problems with FPs on occasion. Best to use it with warn_if_reject for a while and monitor what it would have rejected. http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname However, it appears that 190.221.28.39 has rDNS of Name: host39.190-221-28.telmex.net.ar Address: 190.221.28.39 No. The reject_unknown_reverse_client_hostname in the above example would not have generated a 450 rejection, since the IP address HAS a reverse dns hostname. Yes, it would have. Note the unknown in the Received line. The rDNS lookup failed during the transaction in question, thus this restriction would have generated a 450 for this transaction. Note the following that I wrote, due to the fact the host does have rDNS: so reject_unknown_reverse_client_hostname isn't a permanent solution here. I think you were a bit hasty in your reply, not carefully reading the information I provided. I think not. As others already have proven, you made a hasty judgement upon faulty information. My only motivation getting into this discussion was to prevent faulty information to make it to the list archives without correction. Mikael
Re: Filtering spam received from multiple users
Stan Hoeppner wrote: [snip] Received: from [190.221.28.39] (unknown [190.221.28.39]) In this example, reject_unknown_reverse_client_hostname would have generated a 450 rejection. You should always use reject_unknown_reverse_client_hostname at minimum, or the more restrictive reject_unknown_client_hostname, though this one can cause problems with FPs on occasion. Best to use it with warn_if_reject for a while and monitor what it would have rejected. http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname However, it appears that 190.221.28.39 has rDNS of Name: host39.190-221-28.telmex.net.ar Address: 190.221.28.39 No. The reject_unknown_reverse_client_hostname in the above example would not have generated a 450 rejection, since the IP address HAS a reverse dns hostname. http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname The reject_unknown_client_hostname generates lots of FP. I would not recommend using it. so reject_unknown_reverse_client_hostname isn't a permanent solution here. The host is HELO'ing with an IP address, something legitimate hosts don't normally do. A check_helo_access pcre table with an expression that rejects dotted quads (and other undesirable HELO strings) would work well here. Rejecting hosts with generic rDNS, or scoring generic rDNS aggressively in SA, is also a good way to stop spam from such hosts. fqrdns.pcre would have rejected this mail outright: $ postmap -q host39.190-221-28.telmex.net.ar pcre:fqrdns.pcre REJECT Generic - Please relay via ISP (telmex.net.ar) See: http://www.hardwarefreak.com/fqrdns.pcre This pcre table stops a lot of spam. Many OPs here use it with good success. Instructions are comments at the top of the file. Very low FP rate. If most of the spam that's causing you a problem is from sources similar to this host, you'll be pleasantly surprised how much of it fqrdns.pcre rejects. May I suggest that we don't reuse well defined abbrevations. OP is original poster, nothing else. To use it for sysop or mailadmin in a mailing list is confusing. Cheers, Mikael
Re: Success story: smtpd_reject_footer
Reindl Harald wrote: Am 20.01.2011 12:29, schrieb Christian Roessner: Why adding a contact form? If a postmaster really does his/her job and scans the logs, finds your assistance info and enters the website, don't you think the same admin is also able to write a mail to you (postmaster@...)? Because if his server is rejected you will also not receive this mail You can have rules on your mx letting in email for postmaster and abuse addresses. I think that's quite common. We do that. Mikael
Re: Success story: smtpd_reject_footer
/dev/rob0 wrote: On Fri, Jan 21, 2011 at 09:12:32AM +0100, Mikael Bak wrote: Reindl Harald wrote: Am 20.01.2011 12:29, schrieb Christian Roessner: Why adding a contact form? If a postmaster really does his/her job and scans the logs, finds your assistance info and enters the website, don't you think the same admin is also able to write a mail to you (postmaster@...)? Because if his server is rejected you will also not receive this mail You can have rules on your mx letting in email for postmaster and abuse addresses. I think that's quite common. We do that. When I did that, I found that the postmaster address was receiving bucketloads of spam every day, and maybe 2-3 legitimate mails per YEAR. Now my postmaster address is protected by Zen and basic HELO checks. Yeah, I know. It's a real pain. And the suckers are spamming those addresses on purpose! It's plain sabotage. But still, you need to have them up and running. The abuse address is even more sensitive because abuse reports often comes with spam email source in the message body. We can't have content filter delete those, can we? :-) But indeed, this gives me an idea: rather than a contact form, I might try a form which generates a limited-use non-blocked address. The next hurdle: how to present it in a way such that the end user can see/use it, and yet protect it from harvesting bots? Perhaps make them add a ticket number in the subject line, and reject if it's absent? HTH, Mikael
Re: Success story: smtpd_reject_footer
/dev/rob0 wrote: http://nospam4.nodns4.us/ The Alternate media stuff is like accepting that spam has made email impossible to rely on for communication. Antispam made right can actually make email work again as it once did. Mikael
Re: Reject unencrypted messages
IT geek 31 wrote: Outlook is all-or-nothing - it can force encryption for all recipients, regardless if they have a certificate or not, or none at all. Thunderbird and Enigmail can encrypt by default if a valid key is avalable. HTH, Mikael
Re: Problem with relaying denied error
Stan Hoeppner wrote: [snip] Yes. I would suggest configuring a new smtpd listener for this. Most people use the master.cf default TCP 587 listener daemon to accept submitted mail. MUA clients will need to be configured accordingly. Apparently your current configuration relays all mail to the Domino server after it is piped through various anti spam processes, which I believe is why you're getting the error. I believe what you need is to enable 587 in master.cf, and eliminate all of the A/S junk for submitted mail, something like: 587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o content_filter= -o header_checks= -o smtpd_recipient_restrictions=permit_mynetworks,reject [snip] Hi, Instead of permit_mynetworks I'd suggest permit_sasl_authenticated on the above line. The submission service is not very often used without authentication. Mikael
Re: Fwd: Problem with relaying denied error
Rich wrote: Hi, Instead of permit_mynetworks I'd suggest permit_sasl_authenticated on the above line. The submission service is not very often used without authentication. Mike are you saying remove permit_mynetworks? Yes, I do not see any reason to have it on the submission service. Local services on localhost (and mynetworks) can still use 25/tcp. Submission is best used dedicated for authenticated users. HTH, Mikael
Re: SPF and greylisting conditioning
Stan Hoeppner wrote: Mikael Bak put forth on 9/27/2010 6:18 AM: Stan Hoeppner wrote: Michal Bruncko put forth on 9/26/2010 4:24 AM: It is possible in some way to configure postfix, that SPF Passed mails will be automatically accepted with postfix without greylisting? If I may be blunt: this is a really dumb idea. Many, maybe all, snowshoe spammers have valid SPF records. Thus, accepting mail simply because the connecting IP passes SPF muster isn't a bright idea. Snowshoe spam will most probably pass greylisting too. Better not clutter greylisting database with useless things. Have the blacklists block'em instead. I don't follow your logic here. Yes, most snowshoe is sent from real MTAs, not bots, so greylisting won't stop it. However, dnsbls and local block lists aren't very effective against snowshoe either, although Spamhaus DBL is getting much better WRT snowshoe. I have a local snowshoe cidr table I've been building for 2 years and it works rather well as I see maybe 1 snowshoe in the inbox every two weeks or so. However, most people probably don't have such a local snowshoe blocking list. My logic is crystal clear. Your post is full of contradictions. Your snowshoe cidr is a blacklist, isn't it? I did not specify what blacklist to use. I did just say that graylisting is an expensive task to do if you know that it's almost worthless for those emails. But I guess for your one-person mail server at home, that does not count. So OP's request is valid IMO. Shooting mail straight into the inbox based on an SPF pass is not a valid strategy, but a recipe for more spam in the inbox. SPF is properly used in a scoring system within a policy daemon or external content filter such as SA, same as DKIM etc are. I did not say that! I said OP's request to bypass greylisting for SPF Passed email is valid. I did not say it should bypass anything else! You had a problem reading my not-so-native English? And please, Stan. Please understand that some of us here have large email infrastructure to administer. It's completely different from a hobby mail server at home. Kind regards, Mikael
Re: SPF and greylisting conditioning
Stan Hoeppner wrote: Michal Bruncko put forth on 9/26/2010 4:24 AM: It is possible in some way to configure postfix, that SPF Passed mails will be automatically accepted with postfix without greylisting? If I may be blunt: this is a really dumb idea. Many, maybe all, snowshoe spammers have valid SPF records. Thus, accepting mail simply because the connecting IP passes SPF muster isn't a bright idea. Snowshoe spam will most probably pass greylisting too. Better not clutter greylisting database with useless things. Have the blacklists block'em instead. So OP's request is valid IMO. Mikael
Re: Virtual users pop3d suggestions
Nick Edwards wrote: So basically, using postifx's virtual, excluding Dovecot, what POP3 servers are people using? Hi Nick, We have been happy with Courier for POP and IMAP for years. Not a single problem. We are using it with Postfix's virtual. http://www.courier-mta.org/imap/ Most Linux distributions seem to have pre compiled packages, and FreeBSD users should be able to install it from ports. It has to be added though that we will replace Courier for Dovecot in the near future. HTH, Mikael
Re: Can postfix work with a TLS, authenticated smtp relay server?
Richard Chapman wrote: Perhaps you are describing an alternative method for google apps smtp which I am unaware of. If so - can you point me to a description of this alternative option? I fail to see why you need postfix if your domain is hosted on Google Apps. Google Apps provide you with Webmail, IMAP4, and SMTP (submission). https://www.google.com/a/ http://mail.google.com/support/a/google.com/bin/answer.py?answer=33384 HTH, Mikael
Re: set envelope sender = sasl authenticated user ?
Jan-Frode Myklebust wrote: and I still fail to understand how controlling your customers envelope sender will help with backscatterer.org. It will make sure that when viruses/malware on the customers computer is sending out spam from fake addresses, the bounces goes back to the customer with the infected computer -- instead of to whomever the malware was pretending to send from. I have never seen malware use SMTP AUTH via the smarthost SMTP. Most malware shoot directly on 25/tcp. Maybe you'll be better off blocking 25/tcp and force users to use the submission port (587/tcp) with SMTP AUTH and possibly STARTTLS. I think your spam problems will go away if you do that. HTH, Mikael
Re: postfix as forwarder and backscatterer problem
Vasya Pupkin wrote: Hello. First, I have spent two days reading articles and searching web for solution but failed there. I am using postfix as an mx for my domains, it accpets mail for different addresses withing my domains which is then forwarded to other external domains, i.e. google.com and other mail services. Mail for unknown users is rejected, many other check are performed, but still sometimes my system acts as a backscatterer when something like this happens: 1. Incoming mail passes all tests, it's coming to one of the addresses within my domain, i.e. existing-u...@mydomain.tld 2. Postfix then forwards mail to external domain, i.e. myem...@mailservice.tld 3. For some reason mailservice.tld rejects this mail, i.e. it doesn't like it's content or size. 4. Postfix then bounces mail to sender, which can be forged, and thus, becoming a backscatterer. Is there any way to prevent postfix from sending bounces anywhere? Hi Vasya, To be sure to not acting as a backscatter you will have to configure the front mx to be as restrictive regarding content and mail sizes as the final destination is. Otherwise you will see problems like the theese. HTH, Mikael
Re: Better spam filter for postfix
Steve wrote: [big snip] So you have made your point. You prefer (or are required) to have user in control. Yes. The big problem is that no solution out there is 100% accurate for all users. So the only way to make the user happy is to delegate the control to him. Can't speek for all users. But I have the impression that users don't want to go through piles of spam and take action. They just expect the damn spam filter to work by itself. At least our users expect this :-) Mikael
Re: SOLVED: rbl check being skipped - Postfix logs no error on NXDOMAIN, does on SERVFAIL
Stan Hoeppner wrote: 1. Spamhaus has banned Google Public DNS resolver queries. Stan, Do you have a good enough reason to not run your own name resolver on your front MX machine? IMO relying on third parties for DNS on an MX is bad design. Mikael
Re: [OT?] blocking replies (WAS: whitelisting problem)
Hi Stan, On Wed, 09 Dec 2009 21:24:53 -0600 Stan Hoeppner s...@hardwarefreak.com wrote: Mikael Bak put forth on 12/9/2009 4:18 AM: I understand why you avoid the real question. But hey - it's your server :-) Do you? I have avoided it because these threads can quickly delve into childish mud slinging if the participants aren't civil thoughtful adults. I'm assuming we are all civil adults, and can have a valid thoughtful discussion. So, I will explain my configuration and the reasons for it. [snipped technical details] Thanks for the technical details and the explanation. I have no intension starting holy wars on the list. I'm too old for that. This setup works for you, and you are happy with it. May I suggest that you add a postmaster address to the 550 rejection message that one can contact even from a blacklisted country. This way one could apply to be added on a white list. I don't use SA or any other content filtering. IMHO content filtering is a dead end. As only solution yes. Together with DNSBL, it could be quite effective. This works well for my site. YMMV. I'm glad to hear that. Have a nice day. Mikael
Re: [OT?] blocking replies (WAS: whitelisting problem)
Stan Hoeppner wrote: Mikael Bak put forth on 12/8/2009 3:31 AM: mouss wrote: I'm looking through you, where did you go: s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221] said: 554 5.7.1 imlil.netoyen.net[91.121.103.130]: Client host rejected: Access denied (in reply to RCPT TO command) It is nice to not reject mail from people who help you... I could not agree more. I got this from him: s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221] said: 554 5.7.1 thor.iszerviz.hu[62.77.131.9]: Client host rejected: Mail not accepted from Hungary (in reply to RCPT TO command) Maybe he thinks nobody in Hungary can help him ;-) Mikael Two words: LIST MAIL. When you reply directly to senders, all kinds of unpleasant things can happen. Keep replies on list only and you can avoid seeing some of the draconian things folks do. If you want to bitch about such draconian things folks do, this isn't the appropriate forum. I agree. Answers should go to the list. I discovered your unpleasant setup by mistake when I send reply to you directly AND cc to the list. I understand why you avoid the real question. But hey - it's your server :-) Mikael
Re: [OT?] blocking replies (WAS: whitelisting problem)
mouss wrote: I'm looking through you, where did you go: s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221] said: 554 5.7.1 imlil.netoyen.net[91.121.103.130]: Client host rejected: Access denied (in reply to RCPT TO command) It is nice to not reject mail from people who help you... I could not agree more. I got this from him: s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221] said: 554 5.7.1 thor.iszerviz.hu[62.77.131.9]: Client host rejected: Mail not accepted from Hungary (in reply to RCPT TO command) Maybe he thinks nobody in Hungary can help him ;-) Mikael
Re: [OT?] blocking replies (WAS: whitelisting problem)
lst_ho...@kwsoft.de wrote: Zitat von Mikael Bak mik...@t-online.hu: I could not agree more. I got this from him: s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221] said: 554 5.7.1 thor.iszerviz.hu[62.77.131.9]: Client host rejected: Mail not accepted from Hungary (in reply to RCPT TO command) Maybe he thinks nobody in Hungary can help him ;-) Mikael Funny that the attitude to block other countries because of spam is mostly present in the USA where most of the spam orginates... Andreas Yes. If I was to block one single country based on how much spam I block from it, that could only be the USA. Mikael
Re: whitelisting problem
On Sat, 05 Dec 2009 21:32:02 -0600 Stan Hoeppner s...@hardwarefreak.com wrote: It's looking like I was having transient issues with my resolvers. I did some more log digging and found more dns related temp fails than I should be having given my mail volume. I've since switched from the old resolvers to the new free Google resolvers. So far so good. If I run into problems there, I'll switch again or setup my own caching resolver. Stan, I don't know anything about Google's resolvers. I only know you'd be better off with reliable resolvers you can control when running an MX and rely on reverse DNS to be OK and use DNS blocklists. We use only local DNS resolvers, and do not have problems many others have. It's not difficult to set up, so there's no point rely on a third party for such basic and important service. Mikael
Re: Don't filter the users\
Stan Hoeppner wrote: Why bother? This is an ISP scenario, correct? The 587 command set is standard SMTP right? Just iptables (verb) TCP 25 to TCP 587 for any IP ranges within the ISP's MUA customer range. This is assuming said customers already have to submit auth over TCP 25 to relay mail. Simple solution. Done. Or, have I missed something? Submission on port 587 implies STARTTLS (I think). In that case perhaps stunnel magic is needed too. Mikael
Re: smtpd_recipient_restrictions evaluation question
Simon Morvan wrote: Consider Zen here. It also incorporates the (not-quite-so) new PBL, which has been very effective here. The last time I tried it, Zen included too many legitimate users behind ADSL lines. The Policy behind PBL is a bit too restrictive. Maybe it changed, I'll give it another try. Can you please tell me why an ADSL user would send legitimate email without using the ISP's SMTP server? More and more ISP even blocks outbound access to port 25, which may not be popular, but it's very effective in stoping spam at its source. Mikael
Re: smtpd_recipient_restrictions evaluation question
Larry Stone wrote: On Fri, 30 Oct 2009, Mikael Bak wrote: Simon Morvan wrote: The last time I tried it, Zen included too many legitimate users behind ADSL lines. The Policy behind PBL is a bit too restrictive. Maybe it changed, I'll give it another try. Can you please tell me why an ADSL user would send legitimate email without using the ISP's SMTP server? At ths risk of this moving too far away from Postfix, let me just ask if you're thinking ADSL means dynamic IP address? There are many legitimate mail servers on static IP ADSL lines (including mine) provided by ISPs with servers permitted policies. Typically these are business-class services but not always (my ISP does not distinguish between residential and business but their services are not priced for the mass-market residential user). Why handle the outgoing mail myself? Better control. If there's a problem, it sits on my system where I can see it and deal with it, not on my ISP's server where it's invisible to me. You are of course right. I ment home ADSL, not static IP business ADSL. And yes. We're moving away from postfix :-) Mikael
Re: Reverse DNS Rejection Problem
Dennis Putnam wrote: Thanks for the reply. It appears this is not supported with my version of Postfix (2.1.5). When I try this syntax: smtpd_helo_restrictions = check_client_access pcre:/etc/postfix/heloaccept.pcre I get this error: fatal: unsupported dictionary type: pcre On a Debian type system this is packaged separately: # apt-cache search postfix [snip] postfix - High-performance mail transport agent postfix-cdb - CDB map support for Postfix postfix-dev - Loadable modules development environment for Postfix postfix-doc - Documentation for Postfix postfix-gld - greylisting daemon for postfix, written in C, uses MySQL postfix-ldap - LDAP map support for Postfix postfix-mysql - MySQL map support for Postfix postfix-pcre - PCRE map support for Postfix postfix-pgsql - PostgreSQL map support for Postfix [snip] I guess you should install the missing package on your system. HTH, Mikael
Re: Postfix Hangs if relaying this virus
Jacqui Caren-home wrote: Same here - stock RH (actually CentOS) install. [r...@gate ~]# postconf -d | grep xfer_timeout lmtp_data_xfer_timeout = 180s smtp_data_xfer_timeout = 180s [r...@gate ~]# Could this be a redhat thing? Nope - emerged mail-mta/postfix-2.5.5 on gentoo gives emailhealth ~ # postconf -d | grep xfer_timeout lmtp_data_xfer_timeout = 180s smtp_data_xfer_timeout = 180s Not specific to RH. Postfix v2.6.5 installed from ports on FreeBSD. # uname -r 7.2-RELEASE-p4 # postconf -d | grep xfer_timeout lmtp_data_xfer_timeout = 180s smtp_data_xfer_timeout = 180s It seems these defaults are quite universal. It must be another config parameter Wietse was refering to. Mikael
Re: question about fiters
Cottalorda Sébastien wrote: Sorry, I've courier-imap, and I use roundcubemail as webmail. I also add to roundcube the vacation plugin that allow my users to program themselves theirs vacations. Everything is good, the link between the mysql database and the plugin, but now I want to connect the vacation program to my existing antivirus/antispam postfix server explained above. If I'm wrong doing what I want, please tell me. If your mailbox server != antivirus/antispam server, then I think it's a wrong approach. A vacation script should be implemented after any filtering is done IMO, as close to the mailboxes as possible. HTH, Mikael
Re: postfix 2.3.x vs postfix 2.6 stable
Zhang Huangbin wrote: On Oct 10, 2009, at 2:55 AM, Eero Volotinen wrote: I am currently using postfix 2.3.x on RHEL for mail proxy and mailserver. Is there any good reason to update to 2.6 ? and if is, is there any good and stable rpm repositories for RHEL 5 on web ? As i know, postfix-2.3.x which shipped in RHEL/CentOS doesn't support 'receive_override_options=no_address_mappings'. You have to update to 2.3.14 or newer version. Perhaps you can try these: ftp://mirror.newnanutilities.org/pub/postfix-rpm/official/2.6/ HTH, Mikael
Re: Writing an after-queue content filter in php
Mathias Tausig wrote: I just tried to replace the \n with \r\l, but to no avail. The same problem remains. I can be wrong here, but shouldn't that be \r\n ? HTH, Mikael
Re: relay_domains vs virtual_mailbox_domains
Steve Heaven wrote: On Wed, 2009-09-09 at 08:11 +0100, Clunk Werclick wrote: Are you saying that it is not possible to configure it to reject users that don't exist at the SMTP level? Are you *sure*? So if you telnet in to it and send mail for anyoldrubb...@domain.co.uk it accepts it? I would be gobsmacked. Surely this is a simple configuration issue ? It may well be possible, but the default seems to be to accept any user. Almost all our client's SBS servers (there are about 50 of them) are managed by non-IT staff, usually just someone in the office who knows add users, change passwords etc, but little else. So asking them to make detailed configuration changes is out of the question. Read Step 2: Configure recipient filtering in Exchange Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;886208 If I were you I'd write up a nice howto for my clients describing the problem and asking them to do these easy configuration steps. And then both you and your clients will be good internet citizens. Just my 2 cents. Have a nice day, Mikael
Re: Force smtpauth for all mails including myhostname bound mails
ram wrote: I have a very basic ( and old) postfix installation and I want to accept mails only after smtpauth The rule works fine except when the recipient belongs to $myhostname [snip] mydestination = mumbai.nstest.com [snip] Hi Ram, $mydestination is probably why the email gets accepted even without SMTP AUTH. http://www.postfix.org/postconf.5.html#mydestination HTH, Mikael
Re: relay_domains vs virtual_mailbox_domains
Steve Heaven wrote: On Mon, 2009-09-07 at 11:50 -0400, Sahil Tandon wrote: You should not accept mail for invalid recipients. Use existing functionality to build a cache/database of valid recipients on the fly. See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient We have no way of knowing if the recipient address is valid or not as we are only acting as a relay for the final destination. We cannot build a database of recipients on the fly as that information is held on the various servers of our clients, to which we do not have access. Sahil Tandon gave you a link containing the solution to you problem. I suggest you read it before you say it can't be done. Tip: scoll up to How address verification works. Mikael
Re: Simple filter via pipe
rank1see...@gmail.com wrote: Thanks. On FreeBSD that is section 2 http://www.freebsd.org/cgi/man.cgi?query=pipesektion=2apropos=0manpath=FreeBSD+7.2-RELEASE I've read it and still have no logical clue. # uname -r 7.2-RELEASE-p2 # man 8 pipe Formatting page, please wait...Done. PIPE(8) NAME pipe - Postfix delivery to external command SYNOPSIS [snip] HTH, Mikael
Re: Mail Box
Hi, Roman Gelfand wrote: Can somebody recommend a mail box server software that would be worthy of postfix? dovecot Also, if anyone knows of a cool web client. roundcube
Re: Country IP block list
Daniel L'Hommedieu wrote: The spam I see pretty much all originates in China Brazil, with some originating in Korea US. It also pretty much all originates on dynamic IP addresses, so if there's a way to block email from dynamic address ranges, I would very much be interested in that. Not exactly what you ask for, but it'll stop most of them: http://www.spamhaus.org/zen/ HTH, Mikael
Re: Building milter in PHP
rank1see...@gmail.com wrote: It did, but not anymore. It is now depreciated.(php-milter) I use PHP 5.3 and already have working filter. To finalise it, I just need a list and description of milter commands. Those milter commands works for any type of coding language Up to now I've found out these but without explanation or examples connect helo envfrom envrcpt header eoh body eom abort close Perhaps you should have a look here: https://www.milter.org/developers I'm sure you can find example code there. HTH, Mikael
Re: Country IP block list
Security Admin (NetSec) wrote: Could someone provide links to sites where IP addresses are grouped by country? ASNs would work too but would prefer IP lists that I could put in a file that my postfix mail gateway could read. Obvious countries like China and Brazil I would like to block wholesale. Thanks in advance! I know it's OT, becase it doesn't involve postfix, but I use RelayCountry plugin in SA to score some countries higher. I find this a safer solution than cut off some countries entirely. Mikael
Re: Looking for opinions on FreeBSD OS for Postfix
Stefan Förster wrote: The documentation at http://www.postfix.org/INSTALL.html#4 mentions that earlier versions of Postfix were supported on FreeBSD 2.x to 5.x. I think it's very likely that you can run recent Postfix versions on newer FreeBSD releases, too. Ack, I have FreeBSD 7.1 (amd64) with postfix 2.6.3 running here. No problems at all. Mikael
Re: filtering mail from outside with dynamic address
Hi, Florin Andrei wrote: Running Postfix 2.5.5 on Linux. The system is multihomed, connected to several private networks, and to the Internet with a dynamic DNS hostname. Is it really recommended to run a mail server that accepts email from outside with non static IP address? I would not do it. Mikael
Re: confused about authentication/SASL
Jay G. Scott wrote: [snip] mynetworks_style = host [snip] smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination [snip] Hi, Are you running mutt on the postfix host? In that case perhaps that is why you can send email without AUTH. HTH, Mikael
Re: Question about address verification in MX2 when primary MX is down...
Santiago Romero wrote: Hi, Quoting the documentation[1]: The unverified_recipient_defer_code parameter (default 450) specifies the numerical Postfix SMTP server reply code when a recipient address probe fails with some temporary error. Some sites insist on changing this into 250. NOTE: This change turns MX servers into backscatter sources when the load is high. So, do you mean that changing this parameter to 250 would make postfix to accept the email? Hi, No. You should leave this parameter in its default value. I realize now that I shouldn't have quoted the entire piece from the documentation, only the relevant part. You're not the only one who misinterpreted my post. Sorry for that. I only wanted to quote this: The unverified_recipient_defer_code parameter (default 450) specifies the numerical Postfix SMTP server reply code when a recipient address probe fails with some temporary error. This is the relevant part, and answers the question you had. Everything else is irrelevant - and as Brian Evans ponted out earlier (and the documentation too), setting this parameter to 250 will generate bounces and backscatter. And that is very bad! Using reject_unverified_recipient should produce the behaviour you are asking for. I also set unverified_recipient_reject_code = 550. This makes postfix permanently reject when the recipient address is confirmed not existing. When postfix does not know it'll reject the connection with a 450 (or whatever unverified_recipient_defer_code is set to), which should be fine for most cases. When the address is confirmed to exist, everything is cool and mail is accepted. Maybe I should add that I use Postfix v2.6.2 just in case there are differences in default values between versions. HTH, Mikael
Re: Question about address verification in MX2 when primary MX is down...
Charles Marcus wrote: On 8/5/2009, Mikael Bak (mik...@t-online.hu) wrote: So, do you mean that changing this parameter to 250 would make postfix to accept the email? No. Actually, the answer to his question is yes. You should leave this parameter in its default value. Correct - but he specifically asked if he CHANGED this to 250 - which means it accepted the mail... Charles, You are right. I was too much into his original question about how he could get the functionality he originally asked for. Mikael
Re: smtpd -o stress
Robert Lopez wrote: On one mail gateway running postfix I see about 24 lines that look like this: postfix 7579 32735 0 10:00 ?00:00:00 smtpd -n smtp -t inet -u -c -o stress On all the other gateways I normally see lines that look like this: postfix 9243 3682 0 08:52 ?00:00:00 smtpd -n smtp -t inet -u Are there configuration parameters that cause the addition of the -c -o stress? Hi Robert, http://www.postfix.org/STRESS_README.html HTH, Mikael
Re: Postfix HELO FQDN requirement
Robin Smidsrød wrote: I've had at least one client leave because he absolutely needs to have every email, because every single email he receives could be really important. So dealing with spam is something he just has to do. On the other hand I have users that don't really care one way or the other. I just want to be able to let the user make that choice. And rejecting email based on (possibly forged) helo is a system-wide policy, not a user-specific policy. Is it possible to make this a user-policy? Hi Robin, It is possible to make rules user and/or domain dependant with carefully built restriction classes. If you haven't read this already, please do: http://www.postfix.org/RESTRICTION_CLASS_README.html The examples here are not exactly what you want, but you will get an idea of how you can build user / domain specific rules. HTH, Mikael
Re: Question about address verification in MX2 when primary MX is down...
Santiago Romero wrote: Really, reject_unverified_recipient feature is very nice, but rejecting all mail when primary MX doesn't answers breaks it for us :( Any idea? :? Hi, Quoting the documentation[1]: The unverified_recipient_defer_code parameter (default 450) specifies the numerical Postfix SMTP server reply code when a recipient address probe fails with some temporary error. Some sites insist on changing this into 250. NOTE: This change turns MX servers into backscatter sources when the load is high. So you are not rejecting any email if the MX is down. You are just delaying reject or accept until the MX is asked if there is such user or not. We're very happy with this over here. HTH, Mikael [1] http://www.postfix.org/ADDRESS_VERIFICATION_README.html
Re: Question about address verification in MX2 when primary MX is down...
Brian Evans - Postfix List wrote: Mikael Bak wrote: Santiago Romero wrote: Really, reject_unverified_recipient feature is very nice, but rejecting all mail when primary MX doesn't answers breaks it for us :( Any idea? :? Hi, Quoting the documentation[1]: The unverified_recipient_defer_code parameter (default 450) specifies the numerical Postfix SMTP server reply code when a recipient address probe fails with some temporary error. Some sites insist on changing this into 250. NOTE: This change turns MX servers into backscatter sources when the load is high. So you are not rejecting any email if the MX is down. You are just delaying reject or accept until the MX is asked if there is such user or not. We're very happy with this over here. No, you are not delaying reject. You are bouncing and possibly BackSattering because you really don't know if the recipient is valid. Many, many envelope recipients are forged these days. So you end up bouncing to the wrong place and sending spam to a 3rd party. A good MTA in the world will hold a 450 for 3 to 5 days and keep retrying. If it doesn't retry, it's usually a bot and bad for your health. Hi Brian, Well, thank you for sharing this with me. IMO this setup does not bounce as you say, it sends a 450 Address verification in progress. Try later.. When the client tries next time there is either an OK the address exists, or a 550 User does not exist. Maybe I don't understand what you try to say. I just don't see why this would generate bounces or backscatter. Mikael
Re: Question about address verification in MX2 when primary MX is down...
Brian Evans - Postfix List wrote: Mikael Bak wrote: Brian Evans - Postfix List wrote: Mikael Bak wrote: Santiago Romero wrote: Really, reject_unverified_recipient feature is very nice, but rejecting all mail when primary MX doesn't answers breaks it for us :( Any idea? :? Hi, Quoting the documentation[1]: The unverified_recipient_defer_code parameter (default 450) specifies the numerical Postfix SMTP server reply code when a recipient address probe fails with some temporary error. Some sites insist on changing this into 250. NOTE: This change turns MX servers into backscatter sources when the load is high. So you are not rejecting any email if the MX is down. You are just delaying reject or accept until the MX is asked if there is such user or not. We're very happy with this over here. No, you are not delaying reject. You are bouncing and possibly BackSattering because you really don't know if the recipient is valid. Many, many envelope recipients are forged these days. So you end up bouncing to the wrong place and sending spam to a 3rd party. A good MTA in the world will hold a 450 for 3 to 5 days and keep retrying. If it doesn't retry, it's usually a bot and bad for your health. Hi Brian, Well, thank you for sharing this with me. IMO this setup does not bounce as you say, it sends a 450 Address verification in progress. Try later.. When the client tries next time there is either an OK the address exists, or a 550 User does not exist. Maybe I don't understand what you try to say. I just don't see why this would generate bounces or backscatter. Mikael I was referring to the change to 250 that was quoted. I inferred that was the advice being given. If this was incorrect, then, yes, it is just fine to use. Hi Brian, I knew that we were misunderstanding eachother. :-) So to clarify. We have the unverified_recipient_defer_code parameter set to its default (450). Mikael
Re: sieve instead procmail?
Michael Monnerie wrote: Now if you can tell me the way to get the e-mail out of that deliver program again into postfix, with the recipient rewritten to user+mail...@x.y, then you made my day. I can be terribly wrong here, but isn't this what amavisd-new does when working together with postfix? Postfix sends the email to amavisd-new for processing, and after that the email are pushed back to postfix for delivery. Your deliver program will have to be able to push back the email into postfix exactly as amavisd-new does. I think you have to fiddle with master.cf for this to work. As I said. I may have misunderstood your purpose completely :-) HTH, Mikael Bak