Re: restrict or alter to address based on from address

2014-11-19 Thread Mikael Bak

Hi,

On 11/19/2014 03:27 AM, Joe Acquisto-j4 wrote:
[snip]

I was daydreaming about ways to get messages from the old system to the
new one, as might be required.  For a bit it seemed feasible to cobble up
something to allow messages to be sent via SMTP from the old system
to the new, in a controlled and highly restricted manner.


[snip]

Perhaps a tool like imapsync is what you are looking for. It is 
available in most Linux distributions and available in the FreeBSD ports 
tree.


HTH,
Mikael


Re: mynetworks in mysql database

2013-10-25 Thread Mikael Bak
Hi,

On 10/25/2013 09:48 AM, Rune Elvemo wrote:
 Does anyone know how to use a mysql database for mynetworks?
 We did manage to use it to match a single ip address, but is there a way to
 match entire networks?
 

That can be done at the sql level.
See mysql functions INET_ATON and INET_NTOA for more info.

HTH,
Mikael
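
Added example (mine, not code from the thread or from Postfix): the arithmetic behind the INET_ATON/INET_NTOA approach. MySQL stores each network as two unsigned integers (first and last address) and the lookup asks whether INET_ATON(client) lies between them. The table file layout in the comment is a hypothetical mysql_table(5) file, and the table name and column names are assumptions.

```python
import ipaddress

# Added example, not part of the thread: the arithmetic behind using MySQL's
# INET_ATON()/INET_NTOA() to match a client IP against whole networks, as a
# Postfix mynetworks lookup would. The Postfix table file is assumed to look
# roughly like this (hypothetical file; parameter names per mysql_table(5)):
#
#   hosts    = localhost
#   user     = postfix
#   password = <placeholder>
#   dbname   = postfix
#   query    = SELECT 'OK' FROM mynetworks
#              WHERE INET_ATON('%s') BETWEEN net_start AND net_end
#
# with main.cf pointing at it: mynetworks = mysql:/etc/postfix/mynetworks.cf
# Any row returned makes the client count as "mine"; the value is irrelevant.


def inet_aton(ip):
    """Same result as MySQL INET_ATON(): dotted quad -> unsigned 32-bit int.
    Returns None for anything that is not an IPv4 address, mirroring the
    NULL that MySQL returns (so IPv6 clients never match these rows)."""
    try:
        return int(ipaddress.IPv4Address(ip))
    except ipaddress.AddressValueError:
        return None


def inet_ntoa(n):
    """Inverse of inet_aton(), like MySQL INET_NTOA()."""
    return str(ipaddress.IPv4Address(n))


def cidr_bounds(cidr):
    """First and last address of a CIDR block as the two integers you store
    in the net_start / net_end columns (INT UNSIGNED)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


# Constructed sample rows, as you would INSERT them after computing the bounds.
NETWORKS = ["127.0.0.0/8", "192.168.1.0/24", "10.20.0.0/16"]
ROWS = [cidr_bounds(c) for c in NETWORKS]


def lookup(ip, rows=ROWS):
    """The predicate the query above evaluates for one client address:
    INET_ATON(ip) BETWEEN net_start AND net_end, for any row."""
    n = inet_aton(ip)
    if n is None:
        return False
    return any(lo <= n <= hi for lo, hi in rows)


if __name__ == "__main__":
    for cidr, (lo, hi) in zip(NETWORKS, ROWS):
        print(f"{cidr:16} net_start={lo:<10} net_end={hi:<10} "
              f"({inet_ntoa(lo)} .. {inet_ntoa(hi)})")
    for client in ["192.168.1.10", "192.168.2.1", "10.20.200.3", "::1"]:
        print(f"{client:14} -> {'OK' if lookup(client) else 'no match'}")
```

The one caveat worth knowing: INET_ATON() yields NULL for an IPv6 client, so a BETWEEN on it silently never matches; IPv6 networks need separate rows keyed with INET6_ATON() (available since MySQL 5.6) or a different column type.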



Re: Block certain remote hosts on submission port

2013-08-23 Thread Mikael Bak
On 08/22/2013 01:51 PM, Charles Marcus wrote:
[snip]
 
 The simple fact is, we do not have any users based *anywhere* but the
 US, so, what is the simplest way to block any/all non-US based client
 connections on my submission port?
 
[snip]

Hi,
Sometimes it seems like a good solution to filter out all countries but
your own.

In fact it's not a good idea at all IMO.

People do travel and they need to read and write email while they are
abroad.
Laptop and/or smartphone users will not like your new restriction policy
when they try to get some work done while visiting a partner company in
Germany.

Use fail2ban as suggested by others.

Mikael



Re: Would somebody let me know what I need to do to improve this setup.

2013-08-07 Thread Mikael Bak
On 08/07/2013 12:03 PM, John Allen wrote:
 Is there any particular reason you need to accept messages 32 GB in size?


 Yes. We support a business that designs and manufactures packaging and
 displays. The sort of thing you might see in the aisle of a supermarket
 or store selling gum, personal care products.  The graphics, art work
 and design of these need to be sent to the people involved. We have
 looked into using services like Dropbox but the problem with all of
 these is copyright. Our customers legal eagles have advise against such
 services as they may compromise their copyright on anything stored on
 such services.
 
 OT: It is the same advice and reasoning they gave against using public
 cloud services, some of whose terms of service essentially strip the
 user of all copyright ownership.
 
 

I don't recall email being the only alternative to public cloud file
storage solutions.

Set up a file server of your own and keep copyrights in house.
32GB sized email messages are a mistake IMO.

Mikael



Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Mikael Bak
On 08/05/2013 02:15 PM, Charles Marcus wrote:
 Also - I hate to ask (it isn't your job to do their job), but could you
 suggest off the top of your head what they *should* be doing? Would
 properly closing all VRFY probe connections really impact performance on
 their side that much - especially if they are caching these responses
 (so those wouldn't even need to be sent downstream to my server)? I
 really hope I don't find out they aren't caching them for at least a few
 hours to a day or so.
 

I could be wrong.
I have the impression that they should use something similar to postfix'
reject_unverified_recipient. That's what our anti spam solution does.

HTH,
Mikael



Re: smtp restrictions

2013-05-31 Thread Mikael Bak
Stan,

On 05/31/2013 08:49 AM, Stan Hoeppner wrote:
 On 5/30/2013 11:43 PM, James Zee wrote:
 I was hoping someone could take a quick glance at my
 smtpd_*_restrictions configurations. While I've read and (re-)read the
 SMTPD_ACCESS_README file a few times over I would be greatly
 appreciative if someone could sanity check my work.
 
 Reviewing people's main.cf files is not a function of the mailing list.
  Answering specific questions or solving problems related to main.cf is.
  If we did the former the list would be clogged with such requests and
 responses.
 
 Thus I'll reply off list.  It'll arrive shortly.
 

I disagree.
It could be VERY helpful to others to have a discussion about different
configurations. It is a way to learn.

I fail to see why you have the authority to decide what is and is not
the purpose of this mailing list.

Cheers,
Mikael



Re: Postfix 2.8.x anti anti backscattering settings

2013-04-18 Thread Mikael Bak
Hi Josef,

On 04/18/2013 11:06 AM, Josef Karliak wrote:
   Good morning,
   our outgoing smtp server gets into a backscatter blacklist. When I
 checked my logs, there was only one mailer daemon email to some server
 at the time that is mentioned on the backscatter web.
   All servers in the path of the email (incoming MX - antispam server -
 our imap server) have unknown_local_recipient_reject_code = 550.
   What else could I do? There could be one thing - the incoming MX accepts
 all emails for our domain; it doesn't know our aliases. The mail is sent
 to antispam and when antispam wants to send the email to the imap server and
 the target email address doesn't exist, it gets a 550 error and it is sent
 away by our antispam server (it is our outgoing server).
   So, is this all wrong ? We decided to have more servers because of
 loading reasons (we've daily up to 15 000 emails, but there were a 60
 000 peak)

You can have reject_unverified_recipient on the MX to check the IMAP
server if the email address exists before accepting it.

HTH,
Mikael



Re: Postfix 2.8.x anti anti backscattering settings

2013-04-18 Thread Mikael Bak
On 04/18/2013 12:20 PM, Josef Karliak wrote:
   Hi,
   thanks for reply. We thought that we have to copy existing aliases
 file from imap server to incoming MX. If we reject an email during smtp
 communication, we won't relay spam to victim. Am I right?
   Best regards
   J.K.
 

Hi,
Please do not top-post. Fscks up formatting.

I do not understand your question.
If you use reject_unverified_recipient on the MX then you should not
need to copy any alias files.
But I am speculating. I don't know how your system works.

HTH,
Mikael




Re: block ip-range for 1 domain

2013-02-19 Thread Mikael Bak
Richard,

On 02/19/2013 12:34 PM, richard lucassen wrote:
 I have transport front-end servers for domains:
 
 domain1.tld
 domain2.tld
 domain3.tld
 domain4.tld
 [..]
 domainX.tld
 
 I want to blacklist 1.2.3.4/24 only for destination domain3.tld (and
 reply with a 5xx if possible).
 
 What's the best way to handle this? On the backend server somewhere?
 But the backend server receives the mail from the frontend server, so
 simple blacklisting will not work.
 
 Any hint?
 

I think you are looking for this:
http://www.postfix.org/RESTRICTION_CLASS_README.html

HTH,
Mikael




Re: block ip-range for 1 domain

2013-02-19 Thread Mikael Bak
On 02/19/2013 01:58 PM, richard lucassen wrote:
 On Tue, 19 Feb 2013 13:49:54 +0100
 Benny Pedersen m...@junc.eu wrote:
 
 Any hint?

 google postfwd

 postfix can do it with classes, but it's more complicated than with 
 postfwd
 
 Ok, that seems to be very nice. AFAIUI it can be implemented on the
 backend server. I'd prefer not to touch the front-end servers.
 

That does NOT sound like a good idea.
If you accept the message on the frontend and then reject it on the
backend, then you will generate a bounce message back to the sender. If
the sender's address is forged, then you will generate backscatter, and
could end up on black lists.

Reject on the frontend servers to avoid this.

HTH,
Mikael




Re: Relaying email to exchange

2013-02-15 Thread Mikael Bak
Kevin,

On 02/14/2013 09:41 PM, Kevin Blackwell wrote:
 I have 2 mx records. The primary is Exchange's edge server that has its
 own internal spam filtering. The secondary is a postfix server relaying
 mail to the edge server as a backup mx record. Are you saying the
 postfix server should be behind the Exchange edge server? 
 

A rule of thumb is that if you must have a backup MX you should have the
same spam defence as on the primary one.
If you can't do that, I suggest you drop the backup MX.

Alternatively you can hide the exchange behind a postfix, but then you
should let postfix do the spam filtering and disable the spam filter on the
exchange.

You must now ask yourself the question why you need a backup MX.

HTH,
Mikael



Re: Gmail as Relayhost

2013-02-13 Thread Mikael Bak
On 02/13/2013 01:14 PM, Dominique wrote:
 Hi,
 
 I am looking at using gmail as a relayhost in our current server setup
 ubuntu12.04/postfix/cyrus instead of using the ISP relayhost.
 

Is your ISP relayhost service bad?


 I have it working, but the outgoing email address is replaced by the
 gmail address (from the authentication info) - things that did not
 happen when using the ISP.
 
 How can I fix that ?
 

I'm not sure it's possible. I think you need to use gmail.com as from
email addresses in order to use their SMTP.

Solution: use your ISP relayhost or buy the service from someone else.


 Thanks,
 
 Dominique
 
 

Mikael



Re: Gmail as Relayhost

2013-02-13 Thread Mikael Bak
On 02/13/2013 03:24 PM, Noel Jones wrote:
[snip]
 
 - If you only have a handful of addresses, you can sign up for a
 free google apps account with your own domain name.  That will allow
 you to relay through google.  You are not required to use google as
 your MX; you can continue to use your own server.  If you have too
 many for the free service, you might consider paying.
 
[snip]

Too late for that!

Starting on December 6, 2012, Google will no longer offer new accounts
for the free edition of Google Apps.

http://support.google.com/a/bin/answer.py?hl=en&answer=2855120




Re: pop client for postfix.

2012-11-13 Thread Mikael Bak
On 11/12/2012 05:55 PM, John Hinton wrote:
 A really good use for POP is for more sensitive email situations, such
 as legal, medical or financial. Some of our users want it 'off' the
 server soonest. But yes, IMAP is more the standard these days. We allow
 either using Dovecot. POP is faster, after a mailbox gets large. POP
 reduces online storage use and is easier to back up. There are
 advantages for some users and all administrators. So, to me, long live
 POP but we do encourage our users to set up their accounts using IMAP.
 

If the information in an email is sensible, then it should be encrypted.
If sensible information is transferred unencrypted then stored for a
while unencrypted on server storage, then you can't really know who
has had access to it, can you?

Cheers,
Mikael



Re: sporadic bouts of lost connections to exchange 2010 hub transport

2012-09-25 Thread Mikael Bak
Hi Stan,

On 09/25/2012 08:22 AM, Stan Hoeppner wrote:
 
 Apparently Linux and Windows TCP window scaling doesn't always work
 reliably together.  Try disabling TCP window scaling on the Linux box(en):
 
[snip]

Perhaps off topic, but do you have any links to documents or similar
that prove that there is a problem between the two operating systems
with regard to TCP window scaling? This is the first time I hear about
this, to be honest.

TIA,
Mikael



Re: Outgoing mail problem from phone

2012-07-27 Thread Mikael Bak
Hi Dominique,


On 07/27/2012 11:37 AM, Dominique wrote:

 However when trying to connect through a phone app (Android/email app),
 there is no way to send a mail. It gets rejected all the time.

 Jul 27 10:25:03 www postfix/smtpd[10868]: connect from 230.Red-176-83-
 90.dynamicIP.rima-tde.net[176.83.90.230]
 Jul 27 10:25:04 www postfix/smtpd[10868]: NOQUEUE: reject: RCPT from
 230.Red-176-83-90.dynamicIP.rima-tde.net[176.83.90.230]: 554 5.7.1
 230.Red-176-83-90.dynamicIP.rima-tde.net[176.83.90.230]: Client host
 rejected: Access denied; from=hraboga...@hrabogados.com
 to=dco...@gmail.com  proto=ESMTP helo=[10.27.232.189]  Jul 27
 10:25:05 www postfix/smtpd[10868]: lost connection after RCPT from
 230.Red-176-83-90.dynamicIP.rima-tde.net[176.83.90.230]
 Jul 27 10:25:05 www postfix/smtpd[10868]: disconnect from
 230.Red-176-83-
 90.dynamicIP.rima-tde.net[176.83.90.230]

 
 Here is the output of postconf -n.
[snip]
 mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128, 192.168.1.0/24
[snip]
 smtpd_client_restrictions = permit_mynetworks,   
 check_client_access hash:/etc/postfix/access
[snip]
 smtpd_recipient_restrictions = permit_sasl_authenticated,   
 permit_mynetworks,reject_unauth_destination,   
 reject_invalid_hostname,reject_non_fqdn_hostname,   
 reject_non_fqdn_sender,reject_non_fqdn_recipient,   
 reject_unknown_sender_domain,   
 reject_unknown_recipient_domain,reject_unauth_pipelining   
 reject_rbl_client bl.spamcop.net,reject_rbl_client
 zen.spamhaus.org, reject_rbl_client
 blackholes.easynet.nl,reject_rbl_client dnsbl.njabl.org, 
 reject_rbl_client dul.dnsbl.sorbs.net,  check_policy_service
[snip]

The phone is connecting from outside mynetworks. It therefore gets
rejected. You should probably add permit_sasl_authenticated to
smtpd_client_restrictions to fix this.

HTH,
Mikael
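
Added example (mine, not from the thread): a small checker that parses NOQUEUE reject lines of the kind quoted above and tests the client address against the mynetworks value from postconf -n, so you can see at a glance whether a rejected client was inside or outside mynetworks. The log lines and the mynetworks string are constructed, modelled on the ones in the thread but using documentation addresses; the hint texts are my reading of the restriction lists quoted above.

```python
import ipaddress
import re

# Constructed log lines modelled on the rejection quoted in the thread. Host
# names and addresses are documentation values (203.0.113.0/24, example.*),
# not the poster's real ones.
SAMPLE_LOG = [
    "Jul 27 10:25:04 www postfix/smtpd[10868]: NOQUEUE: reject: RCPT from "
    "host45.dynamic.example.net[203.0.113.45]: 554 5.7.1 "
    "host45.dynamic.example.net[203.0.113.45]: Client host rejected: Access "
    "denied; from=<sender@example.com> to=<rcpt@example.org> proto=ESMTP "
    "helo=<[10.27.232.189]>",
    "Jul 27 10:31:12 www postfix/smtpd[10870]: NOQUEUE: reject: RCPT from "
    "pc20.lan.example.com[192.168.1.20]: 554 5.7.1 <rcpt@example.org>: "
    "Recipient address rejected: Access denied; from=<sender@example.com> "
    "to=<rcpt@example.org> proto=ESMTP helo=<pc20>",
]

# mynetworks in the form postconf -n prints it (simplified from the thread;
# bracketed entries are IPv6).
MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, 192.168.1.0/24"

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) "
    r".*?helo=<(?P<helo>[^>]*)>"
)


def parse_mynetworks(value):
    """Turn the comma/space separated mynetworks string into ip_network objects."""
    nets = []
    for token in re.split(r"[,\s]+", value.strip()):
        if token:
            # "[::1]/128" -> "::1/128"; strip() would miss the inner bracket
            nets.append(ipaddress.ip_network(
                token.replace("[", "").replace("]", ""), strict=False))
    return nets


def parse_reject(line):
    """Extract client host, IP, reply code, DSN and HELO from a reject line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["ip"] = str(ipaddress.ip_address(d["ip"]))  # normalises and validates
    return d


def in_mynetworks(ip, nets):
    """True when ip falls inside any mynetworks entry (v4 vs v6 never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def diagnose(lines, mynetworks_value=MYNETWORKS):
    """For each rejection, record whether the client was inside mynetworks
    and what that implies for the restriction lists quoted in the thread."""
    nets = parse_mynetworks(mynetworks_value)
    results = []
    for line in lines:
        r = parse_reject(line)
        if r is None:
            continue
        r["in_mynetworks"] = in_mynetworks(r["ip"], nets)
        if r["in_mynetworks"]:
            r["hint"] = ("client inside mynetworks: permit_mynetworks already "
                         "applies, so the cause is a later restriction")
        else:
            r["hint"] = ("client outside mynetworks: smtpd_client_restrictions "
                         "lacks permit_sasl_authenticated, so an authenticated "
                         "roaming client is still rejected")
        results.append(r)
    return results


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print(f"{r['ip']:15} code={r['code']} helo={r['helo']!r} "
              f"in_mynetworks={r['in_mynetworks']}\n  -> {r['hint']}")
```

The HELO field is kept on purpose: a bracketed address literal such as [10.27.232.189] is what a phone on a private network announces, which is another quick tell that the client is a roaming MUA rather than an MTA.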



Re: Q: Postfix MTA as a router - callback verification

2012-06-15 Thread Mikael Bak
On 06/15/2012 06:03 AM, Adam Bradley wrote:
 
 Sorry, but this sounds to me like an accident waiting to happen.  I
 would /strongly/ recommend getting a proper recipient list and
 populating transport_maps with a user-host mapping.
 
 
 
 My only concern is scalability, is there anything you can point me to
 regarding transport_maps and sizing/scalability?
  

LDAP is pretty scalable. Postfix has support for LDAP lookup maps. If
you don't like LDAP, you can do the same thing with MySQL.

HTH,
Mikael


Re: Multiple IP

2012-05-04 Thread Mikael Bak
On 05/03/2012 07:45 AM, Kirill Bychkov wrote:
 Hi all,
 
 I need to create a server with 5 IP addresses (interfaces) and postfix(es).
 The role of this server is relay.
 If a message is delivered into my mail server on one ip address, for example,
 172.16.35.35, then this message should be sent from the same ip: 172.16.35.35.
 In other words, on whichever interface the message came in, it should be
 sent out on that one.
 What method should I use?
 1. Postfix multi instance (postmulti)
 2. Postfix manual multi instance
 (http://advosys.ca/papers/email/58-postfix-instance.html)
 3. Configure master.cf and main.cf
 of one postfix instance.
 
 Thank you.

Hi,
This may or may not be what you are looking for.

If you have a dedicated machine with lots of IP addresses then I would
do LXC[1] (Linux Containers) on it.
This way you can have completely different rules on each postfix. Your
containers will act as if they were different physical machines.

HTH,
Mikael

[1] http://lxc.sourceforge.net/


logging transport route

2012-04-02 Thread Mikael Bak
Hi list,

I have configured an alternate transport route for mail going to
specific destination domains. I call this transport slowsmtp.

My problem is that I see no evidence in my logs that email sent to the
specific domains uses slowsmtp route for delivery.

I have defined slowsmtp in /etc/postfix/master.cf like this:

[snip]
smtp  unix  -   -   -   -   -   smtp
slowsmtp  unix  -   -   -   -   -   smtp
[snip]

My /etc/postfix/transport looks like this:

example1.com   slowsmtp:
example2.com   slowsmtp:

My postconf -n like this:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_destination_rate_delay = 3s
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
mydestination = myhost.mydomain.com, localhost.mydomain.com, localhost
myhostname = myhost.mydomain.com
mynetworks = 127.0.0.0/8, cidr:/etc/postfix/network_table.cidr
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
permit_mynetworks,reject_unauth_destination,reject
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport

An extract from my logs showing that smtp is used instead of
slowsmtp. The line with postfix/smtp[7913] in it:

Mar 31 06:16:57 myhost postfix/smtpd[7934]: 1F6E8200F99:
client=smtphost1.foreigndomain.com.hu[DD.DD.DDD.DD]
Mar 31 06:16:57 myhost postfix/cleanup[7902]: 1F6E8200F99: message-id=
Mar 31 06:16:57 myhost postfix/qmgr[5517]: 1F6E8200F99:
from=u...@foreigndomain.com, size=220513, nrcpt=1 (queue active)
Mar 31 06:16:58 myhost postfix/smtp[7913]: 1F6E8200F99:
to=u...@example1.com, relay=mx.example1.com[DDD.DDD.DD.DD]:25,
delay=1.8, delays=0.07/0/0.08/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 31 06:16:58 myhost postfix/qmgr[5517]: 1F6E8200F99: removed

Is it normal that I can't see in this log that the email took the
slowsmtp route instead of normal smtp?

TIA,
Mikael


Re: logging transport route

2012-04-02 Thread Mikael Bak
Hi Levente!

On 04/02/2012 02:26 PM, Birta Levente wrote:
 On 02/04/2012 14:31, Mikael Bak wrote:
 Hi list,

 I have configured an alternate transport route for mail going to
 specific destination domains. I call this transport slowsmtp.

 My problem is that I see no evidence in my logs that email sent to the
 specific domains uses slowsmtp route for delivery.
 
 You specified the service name slowsmtp, but it uses the smtp client and
 that's what generates the log entry.
 

 I have defined slowsmtp in /etc/postfix/master.cf like this:

 [snip]
 smtp  unix  -   -   -   -   -   smtp
 
 
 slowsmtp  unix  -   -   -   -   -   smtp
  -o syslog_name=whatever
 
 
 [snip]


That was exactly what I was looking for! Thank you very much!

Regards,
Mikael
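
Added example (mine, not code from the thread or from Postfix) showing what the syslog_name override buys you once it is in place: the label before the slash in each log line becomes the transport's name, so a small parser can count deliveries per transport and flag recipients whose domain was routed through the wrong one. The log lines are constructed in the shape of the extract above, with invented queue IDs and documentation addresses; the expected-routing map is an assumption matching the transport file quoted earlier.

```python
import re
from collections import Counter

# Constructed log lines modelled on the thread's extract. The first is from
# the default transport (syslog_name=postfix), the next two from a slowsmtp
# service defined with "-o syslog_name=slowsmtp". Queue IDs and relays are
# invented; addresses use documentation ranges.
SAMPLE_LOG = """\
Mar 31 06:16:58 myhost postfix/smtp[7913]: 1F6E8200F99: to=<user@example3.com>, relay=mx.example3.com[198.51.100.7]:25, delay=1.8, delays=0.07/0/0.08/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 31 06:17:02 myhost slowsmtp/smtp[7950]: 2A7B3200FA1: to=<user@example1.com>, relay=mx.example1.com[198.51.100.9]:25, delay=4.1, delays=0.05/3.0/0.1/1.0, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 31 06:17:09 myhost slowsmtp/smtp[7950]: 3C8D4200FB2: to=<other@example2.com>, relay=mx.example2.com[198.51.100.11]:25, delay=3.9, delays=0.04/3.0/0.1/0.8, dsn=4.4.1, status=deferred (connect to mx.example2.com[198.51.100.11]:25: Connection timed out)
"""

# syslog_name is whatever precedes "/smtp[" in the line; "postfix" unless
# overridden per service in master.cf.
DELIVERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
    r"(?P<syslog_name>[^/\s]+)/(?P<daemon>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+), "
    r".*?status=(?P<status>\w+)"
)


def parse_deliveries(text):
    """Return one dict per smtp client delivery attempt found in the log text."""
    out = []
    for line in text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def deliveries_by_transport(text):
    """Count (syslog_name, status) pairs, e.g. ('slowsmtp', 'sent')."""
    return Counter((d["syslog_name"], d["status"])
                   for d in parse_deliveries(text))


def check_routing(text, expected):
    """expected maps recipient domain -> syslog_name the transport logs under
    (domains not listed are expected on the default 'postfix' label).
    Returns (queue id, recipient, logged label, expected label) for every
    delivery whose label disagrees with the transport table."""
    mismatches = []
    for d in parse_deliveries(text):
        domain = d["rcpt"].rsplit("@", 1)[1].lower()
        want = expected.get(domain, "postfix")
        if d["syslog_name"] != want:
            mismatches.append((d["qid"], d["rcpt"], d["syslog_name"], want))
    return mismatches


if __name__ == "__main__":
    # Assumed to mirror the /etc/postfix/transport file quoted in the thread.
    EXPECTED = {"example1.com": "slowsmtp", "example2.com": "slowsmtp"}
    for key, n in sorted(deliveries_by_transport(SAMPLE_LOG).items()):
        print(f"{key[0]:10} {key[1]:9} {n}")
    for mm in check_routing(SAMPLE_LOG, EXPECTED):
        print("routing mismatch:", mm)
```

Without the override every service logs as postfix/smtp and the lines are indistinguishable, which is exactly the symptom in the original question.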


Re: Filtering spam received from multiple users

2011-04-13 Thread Mikael Bak
Stan Hoeppner wrote:
 Mikael Bak put forth on 4/12/2011 7:31 AM:
 Stan Hoeppner wrote:
 [snip]
 Received: from [190.221.28.39] (unknown [190.221.28.39])
 In this example, reject_unknown_reverse_client_hostname would have
 generated a 450 rejection.  You should always use
 reject_unknown_reverse_client_hostname at minimum, or the more
 restrictive reject_unknown_client_hostname, though this one can cause
 problems with FPs on occasion.  Best to use it with warn_if_reject for a
 while and monitor what it would have rejected.

 http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

 However, it appears that 190.221.28.39 has rDNS of

 Name: host39.190-221-28.telmex.net.ar
 Address: 190.221.28.39
 
 No. The reject_unknown_reverse_client_hostname in the above example
 would not have generated a 450 rejection, since the IP address HAS a
 reverse dns hostname.
 
 Yes, it would have.  Note the unknown in the Received line.  The rDNS
 lookup failed during the transaction in question, thus this restriction
 would have generated a 450 for this transaction.  Note the following
 that I wrote, due to the fact the host does have rDNS:
 
 so reject_unknown_reverse_client_hostname isn't a permanent solution
 here.  
 
 I think you were a bit hasty in your reply, not carefully reading the
 information I provided.
 

I think not.
As others already have proven, you made a hasty judgement upon faulty
information.

My only motivation getting into this discussion was to prevent faulty
information to make it to the list archives without correction.

Mikael


Re: Filtering spam received from multiple users

2011-04-12 Thread Mikael Bak
Stan Hoeppner wrote:
[snip]
 
 Received: from [190.221.28.39] (unknown [190.221.28.39])
 
 In this example, reject_unknown_reverse_client_hostname would have
 generated a 450 rejection.  You should always use
 reject_unknown_reverse_client_hostname at minimum, or the more
 restrictive reject_unknown_client_hostname, though this one can cause
 problems with FPs on occasion.  Best to use it with warn_if_reject for a
 while and monitor what it would have rejected.
 
 http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
 
 However, it appears that 190.221.28.39 has rDNS of
 
 Name: host39.190-221-28.telmex.net.ar
 Address: 190.221.28.39
 

No. The reject_unknown_reverse_client_hostname in the above example
would not have generated a 450 rejection, since the IP address HAS a
reverse dns hostname.

http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

The reject_unknown_client_hostname generates lots of FP. I would not
recommend using it.

 so reject_unknown_reverse_client_hostname isn't a permanent solution
 here.  The host is HELO'ing with an IP address, something legitimate
 hosts don't normally do.  A check_helo_access pcre table with an
 expression that rejects dotted quads (and other undesirable HELO
 strings) would work well here.
 
 Rejecting hosts with generic rDNS, or scoring generic rDNS aggressively
 in SA, is also a good way to stop spam from such hosts.  fqrdns.pcre
 would have rejected this mail outright:
 
 $ postmap -q host39.190-221-28.telmex.net.ar pcre:fqrdns.pcre
 REJECT  Generic - Please relay via ISP (telmex.net.ar)
 
 See:  http://www.hardwarefreak.com/fqrdns.pcre
 
 This pcre table stops a lot of spam.  Many OPs here use it with good
 success.  Instructions are comments at the top of the file.  Very low FP
 rate.  If most of the spam that's causing you a problem is from sources
 similar to this host, you'll be pleasantly surprised how much of it
 fqrdns.pcre rejects.
 

May I suggest that we don't reuse well defined abbreviations. OP is
original poster, nothing else. To use it for sysop or mailadmin in a
mailing list is confusing.

Cheers,
Mikael


Re: Success story: smtpd_reject_footer

2011-01-21 Thread Mikael Bak
Reindl Harald wrote:
 Am 20.01.2011 12:29, schrieb Christian Roessner:
 
 Why adding a contact form? If a postmaster really does his/her job and scans 
 the logs, finds your assistance info and enters the website, don't you think 
 the same admin is also able to write a mail to you (postmaster@...)?
 
 Because if his server is rejected you will also not receive this mail
 

You can have rules on your mx letting in email for postmaster and abuse
addresses. I think that's quite common. We do that.

Mikael


Re: Success story: smtpd_reject_footer

2011-01-21 Thread Mikael Bak
/dev/rob0 wrote:
 On Fri, Jan 21, 2011 at 09:12:32AM +0100, Mikael Bak wrote:
 Reindl Harald wrote:
 Am 20.01.2011 12:29, schrieb Christian Roessner:

 Why adding a contact form? If a postmaster really does
 his/her job and scans the logs, finds your assistance info
 and enters the website, don't you think the same admin is
 also able to write a mail to you (postmaster@...)?
 Because if his server is rejected you will also not receive
 this mail
 You can have rules on your mx letting in email for postmaster
 and abuse addresses. I think that's quite common. We do that.
 
 When I did that, I found that the postmaster address was receiving 
 bucketloads of spam every day, and maybe 2-3 legitimate mails per 
 YEAR. Now my postmaster address is protected by Zen and basic HELO 
 checks.
 

Yeah, I know. It's a real pain. And the suckers are spamming those
addresses on purpose! It's plain sabotage. But still, you need to have
them up and running. The abuse address is even more sensitive because
abuse reports often come with spam email source in the message body. We
can't have content filter delete those, can we? :-)

 But indeed, this gives me an idea: rather than a contact form, I 
 might try a form which generates a limited-use non-blocked address. 
 The next hurdle: how to present it in a way such that the end user 
 can see/use it, and yet protect it from harvesting bots?

Perhaps make them add a ticket number in the subject line, and reject if
it's absent?

HTH,
Mikael


Re: Success story: smtpd_reject_footer

2011-01-20 Thread Mikael Bak
/dev/rob0 wrote:
 http://nospam4.nodns4.us/
 

The Alternate media stuff is like accepting that spam has made email
impossible to rely on for communication. Antispam made right can
actually make email work again as it once did.

Mikael



Re: Reject unencrypted messages

2011-01-07 Thread Mikael Bak
IT geek 31 wrote:
 
 Outlook is all-or-nothing - it can force encryption for all
 recipients, regardless if they have a certificate or not, or none at
 all.
 

Thunderbird and Enigmail can encrypt by default if a valid key is available.

HTH,
Mikael


Re: Problem with relaying denied error

2010-10-25 Thread Mikael Bak
Stan Hoeppner wrote:
[snip]
 Yes.  I would suggest configuring a new smtpd listener for this.  Most
 people use the master.cf default TCP 587 listener daemon to accept
 submitted mail.  MUA clients will need to be configured accordingly.
 Apparently your current configuration relays all mail to the Domino
 server after it is piped through various anti spam processes, which I
 believe is why you're getting the error.
 
 I believe what you need is to enable 587 in master.cf, and eliminate all
 of the A/S junk for submitted mail, something like:
 
 587  inet  n   -   n   -   -   smtpd
   -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
   -o content_filter=
   -o header_checks=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
 
[snip]

Hi,

Instead of permit_mynetworks I'd suggest permit_sasl_authenticated
on the above line. The submission service is not very often used without
authentication.

Mikael



Re: Fwd: Problem with relaying denied error

2010-10-25 Thread Mikael Bak
Rich wrote:
 
 Hi,
 
 Instead of permit_mynetworks I'd suggest permit_sasl_authenticated
 on the above line. The submission service is not very often used without
 authentication.
 
 Mike are you saying remove permit_mynetworks? 
 

Yes, I do not see any reason to have it on the submission service. Local
services on localhost (and mynetworks) can still use 25/tcp. Submission
is best used dedicated for authenticated users.

HTH,
Mikael


Re: SPF and greylisting conditioning

2010-09-28 Thread Mikael Bak
Stan Hoeppner wrote:
 Mikael Bak put forth on 9/27/2010 6:18 AM:
 Stan Hoeppner wrote:
 Michal Bruncko put forth on 9/26/2010 4:24 AM:

 It is possible in some way to configure postfix, that SPF Passed mails
 will be automatically accepted with postfix without greylisting?
 If I may be blunt:  this is a really dumb idea.  Many, maybe all,
 snowshoe spammers have valid SPF records.  Thus, accepting mail simply
 because the connecting IP passes SPF muster isn't a bright idea.

 Snowshoe spam will most probably pass greylisting too. Better not
 clutter greylisting database with useless things. Have the blacklists
 block'em instead.
 
 I don't follow your logic here.  Yes, most snowshoe is sent from real
 MTAs, not bots, so greylisting won't stop it.  However, dnsbls and local
 block lists aren't very effective against snowshoe either, although
 Spamhaus DBL is getting much better WRT snowshoe.  I have a local
 snowshoe cidr table I've been building for 2 years and it works rather
 well as I see maybe 1 snowshoe in the inbox every two weeks or so.
 However, most people probably don't have such a local snowshoe blocking
 list.
 

My logic is crystal clear. Your post is full of contradictions.

Your snowshoe cidr is a blacklist, isn't it?
I did not specify what blacklist to use.
I did just say that greylisting is an expensive task to do if you know
that it's almost worthless for those emails.

But I guess for your one-person mail server at home, that does not count.


 So OP's request is valid IMO.
 
 Shooting mail straight into the inbox based on an SPF pass is not a
 valid strategy, but a recipe for more spam in the inbox.  SPF is
 properly used in a scoring system within a policy daemon or external
 content filter such as SA, same as DKIM etc are.
 

I did not say that!
I said OP's request to bypass greylisting for SPF Passed email is valid.
I did not say it should bypass anything else!

You had a problem reading my not-so-native English?

And please, Stan. Please understand that some of us here have large
email infrastructure to administer. It's completely different from a
hobby mail server at home.

Kind regards,
Mikael


Re: SPF and greylisting conditioning

2010-09-27 Thread Mikael Bak
Stan Hoeppner wrote:
 Michal Bruncko put forth on 9/26/2010 4:24 AM:
 
 It is possible in some way to configure postfix, that SPF Passed mails
 will be automatically accepted with postfix without greylisting?
 
 If I may be blunt:  this is a really dumb idea.  Many, maybe all,
 snowshoe spammers have valid SPF records.  Thus, accepting mail simply
 because the connecting IP passes SPF muster isn't a bright idea.
 

Snowshoe spam will most probably pass greylisting too. Better not
clutter greylisting database with useless things. Have the blacklists
block'em instead.

So OP's request is valid IMO.

Mikael



Re: Virtual users pop3d suggestions

2010-09-13 Thread Mikael Bak
Nick Edwards wrote:
 
 So basically, using postifx's virtual, excluding Dovecot, what POP3
 servers are people using?

Hi Nick,

We have been happy with Courier for POP and IMAP for years. Not a single
problem. We are using it with Postfix's virtual.

http://www.courier-mta.org/imap/

Most Linux distributions seem to have pre compiled packages, and FreeBSD
users should be able to install it from ports.

It has to be added though that we will replace Courier with Dovecot in
the near future.

HTH,
Mikael


Re: Can postfix work with a TLS, authenticated smtp relay server?

2010-09-08 Thread Mikael Bak
Richard Chapman wrote:
 Perhaps you are describing an alternative method for google apps smtp
 which I am unaware of. If so - can you point me to a description of this
 alternative option?
 

I fail to see why you need postfix if your domain is hosted on Google
Apps. Google Apps provide you with Webmail, IMAP4, and SMTP (submission).

https://www.google.com/a/

http://mail.google.com/support/a/google.com/bin/answer.py?answer=33384

HTH,
Mikael


Re: set envelope sender = sasl authenticated user ?

2010-09-08 Thread Mikael Bak
Jan-Frode Myklebust wrote:
 
 and I still fail to understand how controlling your customers
 envelope sender will help with backscatterer.org.
 
 It will make sure that when viruses/malware on the customers computer is
 sending out spam from fake addresses, the bounces goes back to the
 customer with the infected computer -- instead of to whomever the
 malware was pretending to send from.
 

I have never seen malware use SMTP AUTH via the smarthost SMTP. Most
malware shoots directly at 25/tcp.

Maybe you'll be better off blocking 25/tcp and forcing users to use the
submission port (587/tcp) with SMTP AUTH and possibly STARTTLS. I think
your spam problems will go away if you do that.

HTH,
Mikael


Re: postfix as forwarder and backscatterer problem

2010-07-22 Thread Mikael Bak
Vasya Pupkin wrote:
 Hello.
 
 First, I have spent two days reading articles and searching the web for a
 solution but failed there. I am using postfix as an mx for my domains,
 it accepts mail for different addresses within my domains which is
 then forwarded to other external domains, i.e. google.com and other
 mail services. Mail for unknown users is rejected, many other check
 are performed, but still sometimes my system acts as a backscatterer
 when something like this happens:
 
 1. Incoming mail passes all tests, it's coming to one of the addresses
 within my domain, i.e. existing-u...@mydomain.tld
 2. Postfix then forwards mail to external domain, i.e. myem...@mailservice.tld
 3. For some reason mailservice.tld rejects this mail, i.e. it doesn't
 like its content or size.
 4. Postfix then bounces mail to sender, which can be forged, and thus,
 becoming a backscatterer.
 
 Is there any way to prevent postfix from sending bounces anywhere?

Hi Vasya,

To be sure not to act as a backscatterer you will have to configure the
front mx to be as restrictive regarding content and mail sizes as the
final destination is. Otherwise you will see problems like these.

HTH,
Mikael



Re: Better spam filter for postfix

2010-07-16 Thread Mikael Bak
Steve wrote:
[big snip]
 So you have made your point. You prefer (or are required) to have user in
 control.

 Yes. The big problem is that no solution out there is 100% accurate for all 
 users. So the only way to make the user happy is to delegate the control to 
 him.
 

Can't speak for all users. But I have the impression that users don't
want to go through piles of spam and take action. They just expect the
damn spam filter to work by itself.

At least our users expect this :-)

Mikael




Re: SOLVED: rbl check being skipped - Postfix logs no error on NXDOMAIN, does on SERVFAIL

2010-01-22 Thread Mikael Bak
Stan Hoeppner wrote:
 
 1.  Spamhaus has banned Google Public DNS resolver queries.

Stan,
Do you have a good enough reason to not run your own name resolver on
your front MX machine?

IMO relying on third parties for DNS on an MX is bad design.

Mikael


Re: [OT?] blocking replies (WAS: whitelisting problem)

2009-12-10 Thread Mikael Bak
Hi Stan,

On Wed, 09 Dec 2009 21:24:53 -0600
Stan Hoeppner s...@hardwarefreak.com wrote:

 Mikael Bak put forth on 12/9/2009 4:18 AM:
 
  I understand why you avoid the real question. But hey - it's your server :-)
 
 Do you?  I have avoided it because these threads can quickly delve into
 childish mud slinging if the participants aren't civil thoughtful
 adults.  I'm assuming we are all civil adults, and can have a valid
 thoughtful discussion.  So, I will explain my configuration and the
 reasons for it.

[snipped technical details]

Thanks for the technical details and the explanation. I have no intention
of starting holy wars on the list. I'm too old for that.

This setup works for you, and you are happy with it.

May I suggest that you add a postmaster address to the 550 rejection message
that one can contact even from a blacklisted country. This way one could apply
to be added to a whitelist.
 
 
 I don't use SA or any other content filtering.  IMHO content filtering
 is a dead end.
 

As the only solution, yes. Together with DNSBL, it could be quite effective.

 This works well for my site.  YMMV.
 

I'm glad to hear that.
Have a nice day.

Mikael


Re: [OT?] blocking replies (WAS: whitelisting problem)

2009-12-09 Thread Mikael Bak
Stan Hoeppner wrote:
 Mikael Bak put forth on 12/8/2009 3:31 AM:
 mouss wrote:
 I'm looking through you, where did you go:

 s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221]
 said: 554 5.7.1 imlil.netoyen.net[91.121.103.130]: Client host
 rejected: Access denied (in reply to RCPT TO command)

 It is nice to not reject mail from people who help you...
 I could not agree more. I got this from him:

 s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221]
 said: 554 5.7.1 thor.iszerviz.hu[62.77.131.9]: Client host rejected:
 Mail not accepted from Hungary (in reply to RCPT TO command)

 Maybe he thinks nobody in Hungary can help him ;-)

 Mikael
 
 Two words:  LIST MAIL.  When you reply directly to senders, all kinds of
 unpleasant things can happen.  Keep replies on list only and you can
 avoid seeing some of the draconian things folks do.
 
 If you want to bitch about such draconian things folks do, this isn't
 the appropriate forum.
 

I agree. Answers should go to the list. I discovered your unpleasant
setup by mistake when I sent a reply to you directly AND cc to the list.

I understand why you avoid the real question. But hey - it's your server :-)

Mikael


Re: [OT?] blocking replies (WAS: whitelisting problem)

2009-12-08 Thread Mikael Bak
mouss wrote:
 
 I'm looking through you, where did you go:
 
 s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221]
 said: 554 5.7.1 imlil.netoyen.net[91.121.103.130]: Client host
 rejected: Access denied (in reply to RCPT TO command)
 
 It is nice to not reject mail from people who help you...

I could not agree more. I got this from him:

s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221]
said: 554 5.7.1 thor.iszerviz.hu[62.77.131.9]: Client host rejected:
Mail not accepted from Hungary (in reply to RCPT TO command)

Maybe he thinks nobody in Hungary can help him ;-)

Mikael



Re: [OT?] blocking replies (WAS: whitelisting problem)

2009-12-08 Thread Mikael Bak
lst_ho...@kwsoft.de wrote:
 Quoting Mikael Bak mik...@t-online.hu:

 I could not agree more. I got this from him:

 s...@hardwarefreak.com: host greer.hardwarefreak.com[65.41.216.221]
 said: 554 5.7.1 thor.iszerviz.hu[62.77.131.9]: Client host rejected:
 Mail not accepted from Hungary (in reply to RCPT TO command)

 Maybe he thinks nobody in Hungary can help him ;-)

 Mikael

 
 Funny that the attitude to block other countries because of spam is
 mostly present in the USA where most of the spam originates...
 
 Andreas
 
 

Yes. If I was to block one single country based on how much spam I block
from it, that could only be the USA.

Mikael


Re: whitelisting problem

2009-12-06 Thread Mikael Bak
On Sat, 05 Dec 2009 21:32:02 -0600
Stan Hoeppner s...@hardwarefreak.com wrote:

 It's looking like I was having transient issues with my resolvers.  I
 did some more log digging and found more dns related temp fails than I
 should be having given my mail volume.  I've since switched from the old
 resolvers to the new free Google resolvers.  So far so good.  If I run
 into problems there, I'll switch again or setup my own caching resolver.
 

Stan,
I don't know anything about Google's resolvers. I only know you'd be better off 
with reliable resolvers you can control when running an MX, relying on reverse 
DNS to be OK and using DNS blocklists.

We use only local DNS resolvers, and do not have the problems many others have. 
It's not difficult to set up, so there's no point relying on a third party for 
such a basic and important service.

Mikael
 


Re: Don't filter the users\

2009-11-25 Thread Mikael Bak
Stan Hoeppner wrote:
 Why bother?  This is an ISP scenario, correct?  The 587 command set is
 standard SMTP right?  Just iptables (verb) TCP 25 to TCP 587 for any IP
 ranges within the ISP's MUA customer range.  This is assuming said
 customers already have to submit auth over TCP 25 to relay mail.  Simple
 solution.  Done.
 
 Or, have I missed something?
 

Submission on port 587 implies STARTTLS (I think). In that case perhaps
stunnel magic is needed too.

Mikael


Re: smtpd_recipient_restrictions evaluation question

2009-10-30 Thread Mikael Bak
Simon Morvan wrote:
 Consider Zen here. It also incorporates the (not-quite-so) new PBL,
 which has been very effective here.

 The last time I tried it, Zen included too many legitimate users behind
 ADSL lines. The Policy behind PBL is a bit too restrictive. Maybe it
 changed, I'll give it another try.

Can you please tell me why an ADSL user would send legitimate email
without using the ISP's SMTP server?

More and more ISPs even block outbound access to port 25, which may not
be popular, but it's very effective in stopping spam at its source.

Mikael



Re: smtpd_recipient_restrictions evaluation question

2009-10-30 Thread Mikael Bak
Larry Stone wrote:
 On Fri, 30 Oct 2009, Mikael Bak wrote:
 
 Simon Morvan wrote:
 The last time I tried it, Zen included too many legitimate users behind
 ADSL lines. The Policy behind PBL is a bit too restrictive. Maybe it
 changed, I'll give it another try.

 Can you please tell me why an ADSL user would send legitimate email
 without using the ISP's SMTP server?
 
 At the risk of this moving too far away from Postfix, let me just ask if
 you're thinking ADSL means dynamic IP address? There are many legitimate
 mail servers on static IP ADSL lines (including mine) provided by ISPs
 with servers permitted policies. Typically these are business-class
 services but not always (my ISP does not distinguish between residential
 and business but their services are not priced for the mass-market
 residential user). Why handle the outgoing mail myself? Better control.
 If there's a problem, it sits on my system where I can see it and deal
 with it, not on my ISP's server where it's invisible to me.
 

You are of course right. I meant home ADSL, not static IP business ADSL.
And yes. We're moving away from postfix :-)

Mikael


Re: Reverse DNS Rejection Problem

2009-10-28 Thread Mikael Bak
Dennis Putnam wrote:
 Thanks for the reply. It appears this is not supported with my version
 of Postfix (2.1.5). When I try this syntax:
 
 smtpd_helo_restrictions =
 check_client_access pcre:/etc/postfix/heloaccept.pcre
 
 I get this error:
 
 fatal: unsupported dictionary type: pcre
 

On a Debian type system this is packaged separately:

# apt-cache search postfix
[snip]
postfix - High-performance mail transport agent
postfix-cdb - CDB map support for Postfix
postfix-dev - Loadable modules development environment for Postfix
postfix-doc - Documentation for Postfix
postfix-gld - greylisting daemon for postfix, written in C, uses MySQL
postfix-ldap - LDAP map support for Postfix
postfix-mysql - MySQL map support for Postfix
postfix-pcre - PCRE map support for Postfix
postfix-pgsql - PostgreSQL map support for Postfix
[snip]

I guess you should install the missing package on your system.

HTH,
Mikael


Re: Postfix Hangs if relaying this virus

2009-10-25 Thread Mikael Bak
Jacqui Caren-home wrote:
 
 Same here - stock RH (actually CentOS) install.
 
 [r...@gate ~]# postconf -d | grep xfer_timeout
 lmtp_data_xfer_timeout = 180s
 smtp_data_xfer_timeout = 180s
 [r...@gate ~]#
 
 Could this be a redhat thing?
 
 Nope - emerged mail-mta/postfix-2.5.5 on gentoo gives
 
 emailhealth ~ # postconf -d | grep xfer_timeout
 lmtp_data_xfer_timeout = 180s
 smtp_data_xfer_timeout = 180s
 
 

Not specific to RH.

Postfix v2.6.5 installed from ports on FreeBSD.

# uname -r
7.2-RELEASE-p4

# postconf -d | grep xfer_timeout
lmtp_data_xfer_timeout = 180s
smtp_data_xfer_timeout = 180s

It seems these defaults are quite universal.

It must be another config parameter Wietse was referring to.

Mikael


Re: question about fiters

2009-10-16 Thread Mikael Bak
Cottalorda Sébastien wrote:
 Sorry, I've courier-imap, and I use roundcubemail as webmail.
 I also added to roundcube the vacation plugin that allows my users to program
 their vacations themselves.
 Everything is good, the link between the mysql database and the plugin, but
 now I want to connect the vacation program to my existing
 antivirus/antispam postfix server explained above.
 
 If I'm wrong doing what I want, please tell me.
 

If your mailbox server != antivirus/antispam server, then I think it's a
wrong approach.

A vacation script should be implemented after any filtering is done IMO,
as close to the mailboxes as possible.

HTH,
Mikael


Re: postfix 2.3.x vs postfix 2.6 stable

2009-10-13 Thread Mikael Bak
Zhang Huangbin wrote:
 
 On Oct 10, 2009, at 2:55 AM, Eero Volotinen wrote:
 
 I am currently using postfix 2.3.x on RHEL for mail proxy and mailserver.

 Is there any good reason to update to 2.6 ? and if is, is there any
 good and stable rpm repositories for RHEL 5 on web ?
 
 As far as I know, postfix-2.3.x which shipped in RHEL/CentOS doesn't support
 'receive_override_options=no_address_mappings'. You have to update to
 2.3.14 or newer version.
 

Perhaps you can try these:
ftp://mirror.newnanutilities.org/pub/postfix-rpm/official/2.6/

HTH,
Mikael


Re: Writing an after-queue content filter in php

2009-09-11 Thread Mikael Bak
Mathias Tausig wrote:
 I just tried to replace the \n with \r\l, but to no avail. The same
 problem remains.

I can be wrong here, but shouldn't that be \r\n ?

HTH,
Mikael



Re: relay_domains vs virtual_mailbox_domains

2009-09-09 Thread Mikael Bak
Steve Heaven wrote:
 On Wed, 2009-09-09 at 08:11 +0100, Clunk Werclick wrote:
 
 Are you saying that it is not possible to configure it to reject users
 that don't exist at the SMTP level? Are you *sure*? So if you telnet in
 to it and send mail for anyoldrubb...@domain.co.uk it accepts it?

 I would be gobsmacked. Surely this is a simple configuration issue ?
 
 It may well be possible, but the default seems to be to accept any user.
 
 Almost all our clients' SBS servers (there are about 50 of them) are
 managed by non-IT staff, usually just someone in the office who knows how to
 add users, change passwords etc, but little else. So asking them to make
 detailed configuration changes is out of the question.
 

Read Step 2: Configure recipient filtering in Exchange Server 2003:

http://support.microsoft.com/default.aspx?scid=kb;en-us;886208

If I were you I'd write up a nice howto for my clients describing the
problem and asking them to do these easy configuration steps. And then
both you and your clients will be good internet citizens.

Just my 2 cents.

Have a nice day,
Mikael


Re: Force smtpauth for all mails including myhostname bound mails

2009-09-09 Thread Mikael Bak
ram wrote:
 
 I have a very basic ( and old) postfix installation and I want to accept
 mails only after smtpauth 
 
 The rule works fine except when the recipient belongs to $myhostname 
 
[snip]
 mydestination = mumbai.nstest.com
[snip]

Hi Ram,
$mydestination is probably why the email gets accepted even without SMTP
AUTH.

http://www.postfix.org/postconf.5.html#mydestination

HTH,
Mikael



Re: relay_domains vs virtual_mailbox_domains

2009-09-08 Thread Mikael Bak
Steve Heaven wrote:
 On Mon, 2009-09-07 at 11:50 -0400, Sahil Tandon wrote:
 

 You should not accept mail for invalid recipients.  Use existing
 functionality to build a cache/database of valid recipients on the fly.
 See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
 
 We have no way of knowing if the recipient address is valid or not as we
 are only acting as a relay for the final destination.
 We cannot build a database of recipients on the fly as that information
 is held on the various servers of our clients, to which we do not have
 access.
 

Sahil Tandon gave you a link containing the solution to your problem. I
suggest you read it before you say it can't be done.

Tip: scroll up to "How address verification works".

Mikael


Re: Simple filter via pipe

2009-09-01 Thread Mikael Bak
rank1see...@gmail.com wrote:
 
 Thanks. On FreeBSD that is section 2
 http://www.freebsd.org/cgi/man.cgi?query=pipe&sektion=2&apropos=0&manpath=FreeBSD+7.2-RELEASE
 
 I've read it and still have no logical clue.

# uname -r
7.2-RELEASE-p2

# man 8 pipe

Formatting page, please wait...Done.
PIPE(8)

NAME
   pipe - Postfix delivery to external command

SYNOPSIS
[snip]

HTH,
Mikael


Re: Mail Box

2009-08-24 Thread Mikael Bak
Hi,

Roman Gelfand wrote:
 Can somebody recommend a mail box server software that would be worthy
 of postfix?
 

dovecot

 Also, if anyone knows of a cool web client.
 

roundcube



Re: Country IP block list

2009-08-24 Thread Mikael Bak
Daniel L'Hommedieu wrote:
 
 The spam I see pretty much all originates in China & Brazil, with some
 originating in Korea & US.  It also pretty much all originates on
 dynamic IP addresses, so if there's a way to block email from dynamic
 address ranges, I would very much be interested in that.
 

Not exactly what you ask for, but it'll stop most of them:

http://www.spamhaus.org/zen/

HTH,
Mikael


Re: Building milter in PHP

2009-08-23 Thread Mikael Bak
rank1see...@gmail.com wrote:
 It did, but not anymore.
 It is now deprecated (php-milter).
 
 I use PHP 5.3 and already have working filter.
 
 To finalise it, I just need a list and description of milter commands.
 Those milter commands work for any type of coding language
 
 Up to now I've found out these but without explanation or examples
   connect
   helo
   envfrom
   envrcpt
   header
   eoh
   body
   eom
   abort
   close

Perhaps you should have a look here:
https://www.milter.org/developers

I'm sure you can find example code there.

HTH,
Mikael


Re: Country IP block list

2009-08-22 Thread Mikael Bak
Security Admin (NetSec) wrote:
 Could someone provide links to sites where IP addresses are grouped by
 country?  ASNs would work too but would prefer IP lists that I could put
 in a file that my postfix mail gateway could read.  Obvious countries
 like China and Brazil I would like to block wholesale.  Thanks in advance!
 

I know it's OT, because it doesn't involve postfix, but I use the
RelayCountry plugin in SA to score some countries higher.

I find this a safer solution than cutting off some countries entirely.

Mikael



Re: Looking for opinions on FreeBSD OS for Postfix

2009-08-18 Thread Mikael Bak
Stefan Förster wrote:
 
 The documentation at http://www.postfix.org/INSTALL.html#4 mentions
 that earlier versions of Postfix were supported on FreeBSD 2.x to 5.x.
 
 I think it's very likely that you can run recent Postfix versions on
 newer FreeBSD releases, too.
 
 

Ack,
I have FreeBSD 7.1 (amd64) with postfix 2.6.3 running here. No problems
at all.

Mikael


Re: filtering mail from outside with dynamic address

2009-08-12 Thread Mikael Bak
Hi,

Florin Andrei wrote:
 Running Postfix 2.5.5 on Linux. The system is multihomed, connected to
 several private networks, and to the Internet with a dynamic DNS hostname.
 

Is it really recommended to run a mail server that accepts email from
outside with non static IP address?

I would not do it.

Mikael


Re: confused about authentication/SASL

2009-08-06 Thread Mikael Bak
Jay G. Scott wrote:
[snip]
 mynetworks_style = host
[snip]
 smtpd_recipient_restrictions = permit_mynetworks, 
 permit_sasl_authenticated,  reject_unauth_destination
[snip]

Hi,
Are you running mutt on the postfix host? In that case perhaps that is
why you can send email without AUTH.

HTH,
Mikael


Re: Question about address verification in MX2 when primary MX is down...

2009-08-05 Thread Mikael Bak
Santiago Romero wrote:
 
 Hi,

 Quoting the documentation[1]:

 The unverified_recipient_defer_code parameter (default 450) specifies
 the numerical Postfix SMTP server reply code when a recipient address
 probe fails with some temporary error. Some sites insist on changing
 this into 250. NOTE: This change turns MX servers into backscatter
 sources when the load is high.

   
 
 So, do you mean that changing this parameter to 250 would make postfix
 to accept the email?
 

Hi,

No. You should leave this parameter in its default value.

I realize now that I shouldn't have quoted the entire piece from the
documentation, only the relevant part. You're not the only one who
misinterpreted my post. Sorry for that.

I only wanted to quote this:

The unverified_recipient_defer_code parameter (default 450) specifies
the numerical Postfix SMTP server reply code when a recipient address
probe fails with some temporary error.

This is the relevant part, and answers the question you had. Everything
else is irrelevant - and as Brian Evans pointed out earlier (and the
documentation too), setting this parameter to 250 will generate bounces
and backscatter. And that is very bad!

Using reject_unverified_recipient should produce the behaviour you are
asking for. I also set unverified_recipient_reject_code = 550. This
makes postfix permanently reject when the recipient address is confirmed
not to exist.

When postfix does not know, it'll reject the connection with a 450 (or
whatever unverified_recipient_defer_code is set to), which should be
fine for most cases.

When the address is confirmed to exist, everything is cool and mail is
accepted.

Maybe I should add that I use Postfix v2.6.2 just in case there are
differences in default values between versions.

HTH,
Mikael
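A main.cf fragment for the backup-MX setup described in this and the 2009-08-04 messages, added here as an example and not taken from the thread or from Mikael's own configuration; the domain name and the primary MX hostname are placeholders.

```ini
# Added example, not from the thread: a backup MX that probes the primary
# MX for each recipient before accepting mail. example.org and
# primary-mx.example.org are placeholders.
relay_domains   = example.org
relay_transport = smtp:[primary-mx.example.org]

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_unverified_recipient

# Probe outcome            -> reply sent to the SMTP client
#   address exists         -> mail accepted
#   address does not exist -> 550, permanent reject
#   primary MX unreachable -> 450, client retries later
unverified_recipient_reject_code = 550
unverified_recipient_defer_code  = 450

# Weak setting, shown for contrast and deliberately NOT applied:
#   unverified_recipient_defer_code = 250
# With 250 the backup MX accepts mail it cannot verify while the primary
# is down, then bounces it to the (often forged) envelope sender, which is
# the backscatter source the ADDRESS_VERIFICATION_README warns about.

# Keep probe results across restarts so a short primary-MX outage does not
# throw away the cache of known-good and known-bad addresses.
address_verify_map = btree:$data_directory/verify_cache
```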



Re: Question about address verification in MX2 when primary MX is down...

2009-08-05 Thread Mikael Bak
Charles Marcus wrote:
 On 8/5/2009, Mikael Bak (mik...@t-online.hu) wrote:
 So, do you mean that changing this parameter to 250 would make postfix
 to accept the email?
 
 No.
 
 Actually, the answer to his question is yes.
 
 You should leave this parameter in its default value.
 
 Correct - but he specifically asked if he CHANGED this to 250 - which
 means it accepted the mail...
 

Charles,

You are right. I was too much into his original question about how he
could get the functionality he originally asked for.

Mikael



Re: smtpd -o stress

2009-08-05 Thread Mikael Bak
Robert Lopez wrote:
 On one mail gateway running postfix I see about 24 lines that look like this:
 
 postfix   7579 32735  0 10:00 ?00:00:00 smtpd -n smtp -t inet
 -u -c -o stress
 
 On all the other gateways I normally see lines that look like this:
 
 postfix   9243  3682  0 08:52 ?00:00:00 smtpd -n smtp -t inet -u
 
 Are there configuration parameters that cause the addition of the -c
 -o stress?
 

Hi Robert,

http://www.postfix.org/STRESS_README.html

HTH,
Mikael


Re: Postfix HELO FQDN requirement

2009-08-04 Thread Mikael Bak
Robin Smidsrød wrote:
 
 I've had at least one client leave because he absolutely needs to have
 every email, because every single email he receives could be really
 important. So dealing with spam is something he just has to do. On the
 other hand I have users that don't really care one way or the other. I
 just want to be able to let the user make that choice. And rejecting
 email based on (possibly forged) helo is a system-wide policy, not a
 user-specific policy. Is it possible to make this a user-policy?
 

Hi Robin,

It is possible to make rules user and/or domain dependent with carefully
built restriction classes. If you haven't read this already, please do:

http://www.postfix.org/RESTRICTION_CLASS_README.html

The examples here are not exactly what you want, but you will get an
idea of how you can build user / domain specific rules.

HTH,
Mikael


Re: Question about address verification in MX2 when primary MX is down...

2009-08-04 Thread Mikael Bak
Santiago Romero wrote:
 
 Really, the reject_unverified_recipient feature is very nice, but rejecting
 all mail when the primary MX doesn't answer breaks it for us :(
 
 Any idea? :?
 

Hi,

Quoting the documentation[1]:

The unverified_recipient_defer_code parameter (default 450) specifies
the numerical Postfix SMTP server reply code when a recipient address
probe fails with some temporary error. Some sites insist on changing
this into 250. NOTE: This change turns MX servers into backscatter
sources when the load is high.

So you are not rejecting any email if the MX is down. You are just
delaying the reject or accept until the MX is asked whether there is such a
user or not. We're very happy with this over here.

HTH,
Mikael

[1] http://www.postfix.org/ADDRESS_VERIFICATION_README.html


Re: Question about address verification in MX2 when primary MX is down...

2009-08-04 Thread Mikael Bak
Brian Evans - Postfix List wrote:
 Mikael Bak wrote:
 Santiago Romero wrote:
   
 Really, the reject_unverified_recipient feature is very nice, but rejecting
 all mail when the primary MX doesn't answer breaks it for us :(

 Any idea? :?
 
 Hi,

 Quoting the documentation[1]:

 The unverified_recipient_defer_code parameter (default 450) specifies
 the numerical Postfix SMTP server reply code when a recipient address
 probe fails with some temporary error. Some sites insist on changing
 this into 250. NOTE: This change turns MX servers into backscatter
 sources when the load is high.

 So you are not rejecting any email if the MX is down. You are just
 delaying the reject or accept until the MX is asked whether there is such a
 user or not. We're very happy with this over here.
   
 
 No, you are not delaying reject.
 You are bouncing and possibly backscattering because you really don't
 know if the recipient is valid.
 
 Many, many envelope recipients are forged these days.
 So you end up bouncing to the wrong place and sending spam to a 3rd party.
 
 A good MTA in the world will hold a 450 for 3 to 5 days and keep retrying.
 If it doesn't retry, it's usually a bot and bad for your health.
 

Hi Brian,
Well, thank you for sharing this with me.

IMO this setup does not bounce as you say, it sends a 450 "Address
verification in progress. Try later." When the client tries next time
there is either an OK (the address exists), or a 550 "User does not exist".

Maybe I don't understand what you try to say. I just don't see why this
would generate bounces or backscatter.

Mikael



Re: Question about address verification in MX2 when primary MX is down...

2009-08-04 Thread Mikael Bak
Brian Evans - Postfix List wrote:
 Mikael Bak wrote:
 Brian Evans - Postfix List wrote:
   
 Mikael Bak wrote:
 
 Santiago Romero wrote:
   
   
 Really, the reject_unverified_recipient feature is very nice, but rejecting
 all mail when the primary MX doesn't answer breaks it for us :(

 Any idea? :?
 
 
 Hi,

 Quoting the documentation[1]:

 The unverified_recipient_defer_code parameter (default 450) specifies
 the numerical Postfix SMTP server reply code when a recipient address
 probe fails with some temporary error. Some sites insist on changing
 this into 250. NOTE: This change turns MX servers into backscatter
 sources when the load is high.

 So you are not rejecting any email if the MX is down. You are just
 delaying the reject or accept until the MX is asked whether there is such a
 user or not. We're very happy with this over here.
   
   
 No, you are not delaying reject.
 You are bouncing and possibly backscattering because you really don't
 know if the recipient is valid.

 Many, many envelope recipients are forged these days.
 So you end up bouncing to the wrong place and sending spam to a 3rd party.

 A good MTA in the world will hold a 450 for 3 to 5 days and keep retrying.
 If it doesn't retry, it's usually a bot and bad for your health.

 
 Hi Brian,
 Well, thank you for sharing this with me.

 IMO this setup does not bounce as you say, it sends a 450 "Address
 verification in progress. Try later." When the client tries next time
 there is either an OK (the address exists), or a 550 "User does not exist".

 Maybe I don't understand what you try to say. I just don't see why this
 would generate bounces or backscatter.

 Mikael

   
 I was referring to the change to 250 that was quoted.
 I inferred that was the advice being given.
 
 If this was incorrect, then, yes, it is just fine to use.

Hi Brian,
I knew that we were misunderstanding each other. :-)

So to clarify. We have the unverified_recipient_defer_code parameter set
to its default (450).

Mikael


Re: sieve instead procmail?

2009-07-23 Thread Mikael Bak
Michael Monnerie wrote:
 
 Now if you can tell me the way to get the e-mail out of that deliver 
 program again into postfix, with the recipient rewritten to 
 user+mail...@x.y, then you made my day.
 

I can be terribly wrong here, but isn't this what amavisd-new does when
working together with postfix? Postfix sends the email to amavisd-new
for processing, and after that the email is pushed back to postfix for
delivery.

Your deliver program will have to be able to push back the email into
postfix exactly as amavisd-new does. I think you have to fiddle with
master.cf for this to work.

As I said. I may have misunderstood your purpose completely :-)

HTH,
Mikael Bak