arty how-to's on the internet; try to
ignore them.
You may find particularly helpful:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client
-- Noel Jones
On 1/24/2019 3:12 PM, Matt Wong wrote:
> Hi Noel Jones,
>
> sadly, this didn't do the trick. I can change /etc/postfix/master.cf
> and call postfix reload - then smtpd shuts down and james is able to
> start its smtp server. Strangely, when using systemctl restart
> postfix master.
f you're just looking for a replacement for the sendmail command
that can forward to a local SMTP server, the mini_sendmail program
is probably just what you need.
https://acme.com/software/mini_sendmail/
Packages are available for most systems.
-- Noel Jones
our mail display name. Mail arriving labeled from "Me" when
it obviously isn't might be considered abusive or a spoofing attempt.
-- Noel Jones
; on a public server.
Postfix can't tell why the MX is dead, so the behavior is correct.
If you want to handle it differently, you'll need to add rules for
each site, such as a transport map entry that points only to the
main MX, or an error: transport entry.
-- Noel Jones
On 12/6/2018 10:46 AM, Rich Shepard wrote:
> On Thu, 6 Dec 2018, Noel Jones wrote:
>
>> Wild guess: some spammer used your own address as sender, and the
>> connection was rejected by some of your spam controls, probably an
>> rbl.
>
> Noel,
>
> There are
ected by some of your spam controls, probably an rbl.
-- Noel Jones
lated information.
Postfix is used in a wide variety of situations, with a wide variety
of valid setups. To help you, we need to know what happens and how
that differs from what you expect. We also need to see supporting
documentation, including "postconf -n" output and normal non-d
th_destination
>
> [root@mta5 files]# more sender_relay_domains
> ## -ALF This should allow Listerv addresses even though they are not in
> PerName DB
> listserv.uconn.edu DUNNO
# sender_relay_domains
listserv.uconn.edu DUNNO
uconn.edu reject_unverified_recipient
-- Noel Jones
sign deals only with IP addresses. This is
because of the intended use as a lightweight and high speed
front-end for postfix.
You didn't mention why this client changes IP frequently, or what
problem you're trying to solve. You might get better suggestions if
you explain the problem you're having in detail.
-- Noel Jones
bye !!!
Yes, you can find examples on google. SPF is the accepted way to
deal with it.
-- Noel Jones
ing mail from
> local address just from an internal IP...not from external.
>
> Thanks a lot, regards!!!
That's perfectly normal. Anyone on the internet can send mail to
your company's public mailserver, and the mail from address is not
checked with default setup.
If you don't like people spoofing the mail from: address, use SPF.
-- Noel Jones
[most of] the headers of a real email that gets delivered to my
> first.l...@uconn.edu address even though it does not appear anywhere in the
> headers :
Headers are irrelevant for this discussion. Postfix logs will show
what is happening.
-- Noel Jones
The combination
of "postconf -n" plus any overrides you've added in master.cf, and
normal logging almost certainly provides all the information you
need. Debug logging will likely bury the real problem in a flood of
unrelated information.
-- Noel Jones
recipient
>
>
>
Two things that come to mind...
you must have smtpd_delay_reject=yes
and parent_domain_matches_subdomains must contain smtpd_access_maps
check your "postconf -n" output to make sure it shows what you expect.
If you have more trouble, please see
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
der the list you have specified.
>
> Shouldn't the client restriction have kicked in here instead of sender?
No, they are executed in the order you specify.
>
> Thanks,
>
> Kai
>
>
-- Noel Jones
gers FILTER
> amavis:[127.0.0.1]:10026; from=
> to=mailto:i...@skpkrakow.pl>> proto=ESMTP
> helo= <http://dedicated-aip61.rev.nazwa.pl>>
Another check_sender_access table with a FILTER result.
If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail
>
> What do they mean?
>
>
>
> --
> /Pozdrawiam / Best Regards
> /
> /Piotr Bracha/
-- Noel Jones
it
>
> and should just keep it off ?
Postscreen is intended for internet traffic on an internet-facing
mail gateway.
Does this server also accept incoming unauthenticated mail from the
general internet? If no, then postscreen is not for you.
-- Noel Jones
> If somebody could point me in the right direction? Am I missing
> something?
>
> Thank you
> philipp
>
This is a very odd problem. I'm guessing either a corrupted
filesystem or some security software interfering with file access.
I think it's unlikely this is a problem with postfix itself.
-- Noel Jones
her than to sendmail.
- use a check_recipient_access map that looks for the specific OOO
recipient and calls the filter for them. Something like
recipi...@example.com FILTER autoreply:dummy
-- Noel Jones
On 10/15/2018 3:13 PM, Mike Schleif wrote:
> No parallel content_filte
ike
# main.cf
authorized_submit_users = root, cron
(add any other service owners that need to send mail)
and also remove "permit_mynetworks" from
smtpd_recipient_restrictions and from smtpd_relay_restrictions.
-- Noel Jones
such as this. MIMEDefang is a more complex milter that can alter
subjects, plus many more features.
-- Noel Jones
rk. Here's an example using the inline: map type.
# main.cf
recipient_bcc_maps =
    inline:{mrct...@llereta.com=mr...@mx02.lereta.com}
-- Noel Jones
T,
a better recipe for MTA4 would be:
smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/maps/block_to
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
The idea is smtpd_recipient_restrictions is general anti-UCE and
other loca
On 9/19/2018 4:25 PM, Diego Vadell wrote:
> Hello everyone,
>
> In order to avoid sending backscattering I'm going to implement
> Address Verification (reject_unverified_recipient). Can I skip it for
> one domain? If I configure postfix like this:
>
> smtpd_recipient_restrictions =
>
It appears postfix is operating properly; this is either an amavis
problem or a dovecot/sieve problem. Those products have their own
support lists.
-- Noel Jones
On 9/17/2018 10:33 AM, Miguel Almeida wrote:
> Thanks for the reply.
>
> It seems that I might have something wr
EBUG_README.html
For further help from the list, please see:
http://www.postfix.org/DEBUG_README.html#mail
In your description of the problem, please be sure to include
"postconf -n" output. It would also be helpful to include log
entries showing the problem (NOT debug logs).
-- Noel Jones
eed to do anything other than run newaliases.
Postfix will automatically use the changed aliases map, so
reload is unnecessary.
The error on closing the database (caused by postfix reload) is an
artifact of Berkeley DB and can be ignored; it does no harm. With
your environment, you'll likely see that message every time postfix
stops or reloads.
-- Noel Jones
.5.html#allow_min_user
You can change your setting to yes if you're confident that you
don't have any software in your email setup (delivery agents, spam
filters, etc.) that might be affected by this hack.
-- Noel Jones
On 9/4/2018 2:23 PM, Viktor Dukhovni wrote:
>
>
>> On Sep 4, 2018, at 2:47 PM, Noel Jones wrote:
>>
>> postconf: warning: /etc/postfix/main.cf: undefined parameter: localtime
>> postconf: warning: /etc/postfix/main.cf: undefined parameter:
>> client_addres
On 9/4/2018 2:01 PM, Noel Jones wrote:
> On 9/4/2018 1:57 PM, Wietse Venema wrote:
>> Noel Jones:
>>> Using the new 3.4-20180903 snapshot.
>>>
>>>
>>> # main.cf
>>> postscreen_reject_footer = \c; Contact postmas...@example.com for
>
On 9/4/2018 1:57 PM, Wietse Venema wrote:
> Noel Jones:
>> Using the new 3.4-20180903 snapshot.
>>
>>
>> # main.cf
>> postscreen_reject_footer = \c; Contact postmas...@example.com for
>> assistance. Include this data: servertime=($localtime)
>> c
erver_name)
(postscreen)
Sep 4 13:46:46 mgate3 postfix/postscreen[8656]: fatal: open
dictionary: expecting "type:name" form instead of "\c;"
-- Noel Jones
ning: /etc/postfix/main.cf: undefined parameter: localtime
postconf: warning: /etc/postfix/main.cf: undefined parameter:
client_address
postconf: warning: /etc/postfix/main.cf: undefined parameter:
client_port
postconf: warning: /etc/postfix/main.cf: undefined parameter:
server_name
-- Noel Jones
ck to the original name during delivery.
# virtual_alias
u...@example.com u...@example.com u...@other.example.com
# transport
u...@other.example.com lmtp:[other.example.com]:port
# lmtp_generic
other.example.com example.com
# main.cf
virtual_alias_maps = hash:/path/to/virtual_alias
transport_maps = hash:/path/to/transport
lmtp_generic_maps = hash:/path/to/lmtp_generic
-- Noel Jones
wever, that does not appear to be a valid postfix option.
>
>
As documented in:
http://www.postfix.org/postconf.5.html#smtp_tls_connection_reuse
"This feature is available in Postfix 3.4 and later."
-- Noel Jones
SS_README.html#external
You'll need to adjust it for your needs, but it can do that.
-- Noel Jones
ntly less than 100.
>
> Thanks in advance for any guides that you can reference!
Are you using the proxymap service with your table lookups? That
can greatly reduce the load on the MySQL server and improve
performance, sometimes dramatically.
http://www.postfix.org/postconf.5.html#proxy_read_maps
http://www.postfix.org/proxymap.8.html
-- Noel Jones
message headers, so it is
not possible to determine if a particular recipient is in the to:
cc: or not listed (bcc). A content filter such as spamassassin may
be able to help.
> Any Ideas and suggestions / links to similar software doing this
> please contribute.
>
> Thanks/DP
>
-- Noel Jones
generate emails will have header From: correctly rewritten,
> while email coming from outside will not have header From: rewritten..
>
> Correct?
Setting "local_header_rewrite_clients=permit_mynetworks" is the
default.
Note that if mail enters postfix multiple times, such as after a
content_filter or some other external process such as a spam filter,
the second trip through postfix will be from $mynetworks, causing
empty domains to be rewritten to the local domain. That's another
good reason to use "remote_header_rewrite_domain = domain.invalid".
-- Noel Jones
m
attractors, and spammers will eventually clog your queue with
thousands/millions of undeliverable bounces, affecting incoming mail
delivery. If that's not bad enough, some sites blacklist
backscatter sources, affecting your ability to send mail.
-- Noel Jones
On 7/13/2018 4:07 PM, jor.goncal...@free.fr wrote:
> Hi folks, excuse me for my noob question
>
> I have installed a system with recent postfix and courier-imap(maildrop).
>
> I found how to use transport_maps for routing message with a request over
> ldap to obtain a mailhost to route some
an easy grep target.
(Single-recipient mail only. Multi-recipient mail will log the
sender and the last recipient.)
http://www.postfix.org/header_checks.5.html
It should be pretty easy to convince the postfwd policy service to
log a line for each sender/recipient/QUEUEID.
http://www.postfix.org/SMTPD_
mit or reject) for local email
> addresses which are not listed in this file? I assume, permit. Is
> this correct?
>
> Ingo
Yes, local recipients are by default accepted.
http://www.postfix.org/ADDRESS_CLASS_README.html
-- Noel Jones
inadvertently
creating open relays, so the developers added
smtpd_relay_restrictions as a place dedicated to *only* relay
checks, with a safe default.
http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
-- Noel Jones
links:
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
http://www.postfix.org/documentation.html
-- Noel Jones
.postfix.org/documentation.html
-- Noel Jones
Sorry, I don't debian.
IIRC, the Debian postfix package supplies a script that is supposed
to populate the chroot on bootup. Track down the script and run it,
or ask on a debian-specific forum.
-- Noel Jones
On 6/27/2018 2:57 PM, Sophie Loewenthal wrote:
> Thanks Noel.
>
> I
ther pertinent pages:
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html
-- Noel Jones
art postfix.
If that fixes the problem, then you're missing some files in your
chroot.
http://www.postfix.org/DEBUG_README.html#no_chroot
-- Noel Jones
On 6/13/2018 11:19 AM, Viktor Dukhovni wrote:
>
>
>> On Jun 13, 2018, at 12:09 PM, Noel Jones wrote:
>>
>> Maybe tlsproxy is dropping permissions too soon?
>
> Because it serves multiple SMTP delivery agents, with
> potentially different client certs, it ca
em lib:ssl_rsa.c:722:
Jun 13 10:53:29 mgate3 postfix/smtp[93494]: warning:
private/tlsproxy service role "client" is not available
Temporarily making the cert world-readable clears the error and
allows connection reuse.
Maybe tlsproxy is dropping permissions too soon?
-- Noel Jones
re is no
>
> What's the best solution to achieve this ?
> Content filter ?
Use a milter or content_filter.
-- Noel Jones
not
recommended. Some map types support wildcards.
http://www.postfix.org/postconf.5.html#mynetworks
http://www.postfix.org/DATABASE_README.html
-- Noel Jones
r html-ized messages harder for everyone else
to read.
-- Noel Jones
O FAZZINA
>
The ability to hover on a link and see something depends on html
code in the message, so this feature isn't possible in a plain text
mail.
It seems counterproductive to rewrite a plain-text link... I don't
know if there's a setting in the O365 controls to avoid mangling
plain text, so you may have to live with it.
-- Noel Jones
ternal domain, AND you use SPF/DKIM/DMARC to prevent
spoofing, then you'll need to exempt the service provider from those
tests.
-- Noel Jones
support for this OS-specific issue
on a forum dedicated to your OS.
Consider (temporarily) turning chroot off to verify this is the problem.
-- Noel Jones
On 5/14/2018 4:07 PM, Vivaldi Vivaldi wrote:
> I've already
> found http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot
ww.postfix.org/DEBUG_README.html#no_chroot
If you need more help, see:
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
ote: This performs a single search of the key as supplied.
Iterative search of sub-keys is not supported.
-- Noel Jones
hose ports to
have overrides in master.cf to permit only sasl authenticated clients.
If you need more help, see
http://www.postfix.org/DEBUG_README.html
and especially
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
>
> May 7 14:47:19 fender postfix/submission/sm
is mutt and not postfix?
>
Mutt (or whatever tool sends the mail) is responsible for saving the
"sent" copy.
See the mutt docs for how to save sent mail in a maildir folder, or
if you don't need copies of sent mail you can turn that feature off.
-- Noel Jones
e option in braces.
-o { smtpd_reject_footer = ... }
or for any postfix version, you can reference a macro in main.cf
# main.cf
submit_reject_footer = ...
# master.cf
-o smtpd_reject_footer=$submit_reject_footer
http://www.postfix.org/master.5.html
http://www.postfix.org/postconf.5.html
-- Noel Jones
m people hitting reply-all
and then replying to the reply -- does the hotel have a pool, how's
your mother doing after her surgery, etc. ad nauseam.
>
> If I wanted to block emails without any recipient, what would be the
> best way to do it ?
Use header_checks. But I don't recommend it.
>
> thanks,
> Karel
>
-- Noel Jones
il has
SPF or DKIM a whitelist_auth entry.
For further help with amavis or spamassassin, refer to the
documentation and user lists for those programs.
-- Noel Jones
wing your own
posts to mailing lists. Gmail and others do this as part of their
duplicate suppression.
-- Noel Jones
This is intentional to keep performance
high and latency low.
The fqrdns.pcre operates on the rDNS hostname of the connecting
client, which isn't available in postscreen.
Consequently, by design the fqrdns.pcre cannot work in postscreen,
and should not be used there.
-- Noel Jones
s EHLO, and before the client sends any other commands.
Now that you know it's working, you can use the silent_discard
keyword to clean up the logs.
-- Noel Jones
servers. If you have
hundreds of servers, the postfix config will become unmanageable and
require a different solution.
Reference:
http://www.postfix.org/RESTRICTION_CLASS_README.html
http://www.postfix.org/SMTPD_POLICY_README.html
http://www.postfix.org/DATABASE_README.html
http://www.postfix.org/documentation.html
-- Noel Jones
On 1/26/2018 11:47 PM, Voytek wrote:
> On Wed, January 24, 2018 3:55 am, Noel Jones wrote:
>
>> There is no simple regexp, but there is the fqrdns.pcre project. The
>> project is a large hand-maintained list of dynamic hostnames with a goal of
>> zero false positives. It
If this table has IPs in it, then the table isn't doing anything.
check_sender_access operates on the sender email address, not the IP.
grep -il suhaskumar *
grep -l 'Domain is spam' *
-- Noel Jones
On 1/24/2018 5:50 AM, Voytek wrote:
> On Wed, January 24, 2018 9:34 am, Noel Jones wrote:
>
>> and a few seconds later STARTTLS succeeds, and that IP successfully sends
>> mail from user hr@ to 10 recipients.
>>
>> Are there many users on that same IP via a NAT?
>
On 1/23/2018 4:20 PM, Voytek wrote:
> On Wed, January 24, 2018 8:47 am, Noel Jones wrote:
>
>> Find the error in the postfix log for the user's IP address. The
>> postfix error may not be the same as what the user is presented with.
>
>
> Noel,
>
> thanks
>
fix log for the user's IP address. The
postfix error may not be the same as what the user is presented with.
-- Noel Jones
“ORIGINATING” instead of the default
> value in main.cf.
>
> Why is this done ?
>
> Thanks,
>
> - J
>
Some milters use that to change their behavior, such as dkim to sign
instead of verify.
-- Noel Jones
On 1/23/2018 1:06 AM, Dominic Raferd wrote:
> On 23 January 2018 at 04:20, Noel Jones <njo...@megan.vbhcs.org> wrote:
>
> Strong spam indicators for the HELO are
> (note: this is for mail coming from the internet. Authenti
k might
break any of these)
- a dynamic hostname (eg. 89-73-46-234.dynamic.chello.pl, which
resolves just fine)
- my own hostname or localhost (old spammer trick still in use)
- a bare IP address nn.nn.nn.nn (disallowed by RFC)
- an ip literal eg. [nn.nn.nn.nn] (allowed by RFC; but IME always spam)
-- Noel Jones
enewing
them. If you want to move away from self-signed certs and have
limited funds, these are worth looking into.
-- Noel Jones
ject_unknown_helo_hostname,
> permit
reject_unknown_helo_hostname is likely to reject legit mail. Use
with caution.
-- Noel Jones
>
> smtpd_sender_restrictions = permit_mynetworks,
> reject_unauth_pipelining,
> reject_non_fqdn_sender,
>
n.cf.
Although the non-tls smtpd_sasl_security_options won't really be
used as long as smtpd_tls_auth_only=yes, it's not unreasonable to
include it as a safety.
-- Noel Jones
Sorry, I've never used procmail, so can't really help with
that. Does procmail provide logging?
If you post your procmail recipe here, someone else may be able to help.
-- Noel Jones
identify the source of the issue. Please advise me on
> how I can
> find the problem.
>
> TIA,
>
> Rich
>
Pick one message and follow it through the logs. If postfix fails
or misdirects the message, postfix will log what happened. If the
message makes it through postfix and is handed off to procmail, then
that's where the problem is.
-- Noel Jones
don't have such service...
>
> so, I now have a bunch of emails failing with Temporary MTA failure
>
> how can I get these 'stuck' emails to 'skip' the non existent 10027 service ?
>
First, correct your settings if you haven't done so already.
Then, run "postsuper -r ALL"
-- Noel Jones
hoo transport (in master.cf). Specifically, the
yahoo_destination_rate_delay limits the delivery to one mail per
second and automatically limits to one connection at a time.
Further documentation is found here:
http://www.postfix.org/documentation.html
http://www.postfix.org/postconf.5.html
-- Noel Jones
rebuild
some hash table to reload all the changes.
-- Noel Jones
and sample config.
>
> Can you help me develop a rule that will just log all requests for the
> submission service that includes the IP, time/date and sasl username?
>
> I don't understand which of the ITEMs to pick, and I'm assuming action
> would just be DUNNO?
>
Sorry, I don't know the recipe for that off the top of my head.
Maybe someone else can jump in here.
There is a postfwd-user list that can probably help.
-- Noel Jones
re a more convenient way to represent this information, or is it
> necessary to build something that parses multiple lines and somehow
> associates the IP with data from other lines?
A policy service can log the requested information.
-- Noel Jones
course we'd also like any of the anti-spam abuse
> protections from this as well.
If your intention is to reject mail with excess recipients, use a
policy service in smtpd_data_restrictions. The policy service has a
recipient_count attribute.
http://www.postfix.org/SMTPD_POLICY_README.html
http://postfwd.org/
-- Noel Jones
I
believe it's still widely used. It hasn't been updated lately
because it hasn't needed anything.
Some people recommend using the milter interface with amavisd-new
rather than smtp, pick whichever you like. Performance will be similar.
-- Noel Jones
ommands instead.
>
> Wietse
>
I was thinking "make install" rather than "make upgrade" is a good
enough indicator of first time install. Deciding if TLS is available
might be trickier.
Leaving it up to the vendors is fine.
-- Noel Jones
sual users
and probably won't trip up more experienced users.
-- Noel Jones
Kinda like me using polar
bear bait in Tennessee.
-- Noel Jones
this normally enabled ?
>
> Thanks,
>
> - J
>
> Sources
> [1] www.postfix.org/VIRTUAL_README.html
>
This messes with timeouts in a non-obvious manner, and can cause
legit slow-but-working connections to fail, especially if they use TLS.
Don't enable this unless you are actively experiencing a
slow-connection denial of service, which are pretty rare.
-- Noel Jones
from a specific provider, feel
free to block other countries at your firewall to cut down on the noise.
-- Noel Jones
rg/SASL_README.html
Note that if you've enabled smtpd_tls_auth_only=yes postfix won't
offer nor accept the AUTH command unless you connect with tls.
If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
he policy had whitelist support, that's
not the right place to whitelist a backup mx.
-- Noel Jones
ll
No, the sender could be any domain on the internet. The solution is
to whitelist the backup MX in postfix.
-- Noel Jones
service ... spf check
If you need more detailed help, please show your "postconf -n" output.
-- Noel Jones
I really
> should remove "reject_unknown_helo_hostname".
It is not required. I used this for a while here with
warn_if_reject and it appeared to catch more legit mail than spam.
-- Noel Jones
of their mistake.
-- Noel Jones
On 11/14/2017 12:11 PM, flowhosts wrote:
> Yes this is such a decent feature!
> I use it with the hold action now as this doesn't break things.
> So bad domains (in my case) which would never accept mails are now
> kept in place, i call it the bad dest