Re: header re-write not working - message-id

2016-04-11 Thread Noel Jones
UG_README.html#mail -- Noel Jones

Re: False positives from header_checks

2016-04-09 Thread Noel Jones
On 4/9/2016 8:00 AM, Wietse Venema wrote: > Unfortunately, I don't have time to decode this discussion. Can > someone post a tested diff, someone maybe post a revised version, > and when there is agreement, then I can adopt it. > > Wietse > Does someone have a full, unmodified offending he

Re: gmail servers requiring postscreen_access whitelisting

2016-04-09 Thread Noel Jones
it > [... other google server blocks ...] > > This is a workaround that shouldn't be needed. > > Any idea what the cause of this is? So far no legit mail except gmail > gets caught here. > > Curtis > Look for other warnings and errors in your logs, maybe just before the reject, maybe earlier. -- Noel Jones

Re: postscreen CIDR access blocks compared to in-firewall?

2016-04-08 Thread Noel Jones
pick up changes to those tables without a restart. Later, those blocks can be promoted to a firewall or postscreen block. -- Noel Jones

Re: smtp_relay_restrictions

2016-04-07 Thread Noel Jones
sing relay protection. Adding a ,reject to the end of your smtpd_recipient_restrictions should allow you to use an empty smtpd_relay_restrictions. This will also insure that clients not using your domain as sender will be rejected. -o {smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/maps/submission_access, reject} -o smtpd_relay_restrictions= -- Noel Jones

Re: Need help with relay setup

2016-04-06 Thread Noel Jones
On 4/6/2016 3:34 PM, John Stoffel wrote: >>>>>> "Noel" == Noel Jones writes: > masquerading. I've setup my /etc/postfix transport_maps like this: > > # > # Added to make lotus notes and exchange happy > # > hdqmta.fo

Re: bad.psky.me RBL?

2016-04-06 Thread Noel Jones
general recommendation about it. > > --Quanah > You can test this RBL in smtpd_*_restrictions by using warn_if_reject. You can test this RBL in postscreen by using a weight of *0. Test rejections will be logged, but will not reject mail. -- Noel Jones

Re: postfix docs re "SPF Support"?

2016-04-06 Thread Noel Jones
? > > Or is it something else? A third-party policy daemon or milter is required for SPF. Postfix ships with support for these external third-party programs. Postfix does not include nor officially recommend any particular add-on SPF policy or milter. -- Noel Jones

Re: postscreen cache size & db type?

2016-04-06 Thread Noel Jones
will limit the number of connections postfix can service. btree is suggested because it's fast and supports the features needed. I don't use lmdb, so I can't really answer if it's suitable for the postscreen cache. -- Noel Jones

Re: Need help with relay setup

2016-04-06 Thread Noel Jones
On 4/6/2016 10:11 AM, John Stoffel wrote: >>>>>> "Noel" == Noel Jones writes: > > Noel> On 4/6/2016 8:06 AM, John Stoffel wrote: >>> Can I force the fallback_transport to re-write, before using the >>> fallback, john.t...@foo.bar.com into

Re: Need help with relay setup

2016-04-06 Thread Noel Jones
le.com # master.cf # copy of standard smtp transport hdqmta unix - - n - - smtp -o smtp_generic_maps=hash:/etc/postfix/generic_htqmta -- Noel Jones

Re: pypolicyd-spf checks work if Header_Type=SPF. If =AR, postfix warning "premature end-of-input" and can't receive mail

2016-04-05 Thread Noel Jones
e by hand (feed it input with telnet or nc or similar, rather than postfix) and/or enable any debug logging in the policy service. But that's about all the help we can offer here. -- Noel Jones

Re: postscreen behavior - one CONNECT, 2 REJECTs?

2016-04-05 Thread Noel Jones
command rejected: TLD; proto=SMTP > helo= First the client's EHLO is rejected, then the client retries with HELO. You may notice other oddities when you use "smtpd_delay_reject = no", including clients that treat an early reject as temporary failures and keep retrying. -- Noel Jones

Re: syntax for checking multiple tables in a single mumble restriction type?

2016-04-02 Thread Noel Jones
> > or in one line > > check_helo_access lmdb:/path/table1,pcre:/path/table2.pcre No. -- Noel Jones

Re: whitelist scoring in postscreen_dnsbl_sites=?

2016-04-01 Thread Noel Jones
hitelist.com It's my understanding that the Spamhaus whitelists are essentially empty, and have been for quite a while, so they aren't particularly useful at this time. -- Noel Jones

Re: understanding postscreen cache?

2016-03-31 Thread Noel Jones
n the postscreen_access_list. Postfix 3.1 introduced postscreen_dnsbl_min_ttl (and postscreen_dnsbl_max_ttl) to reduce repeated DNS lookups in a short period of time for DNSBL sites that use a very short timeout. -- Noel Jones

Re: Fwd: question re. discarding messages that are rejected during smtp negotiation

2016-03-30 Thread Noel Jones
On 3/30/2016 9:42 AM, Miles Fidelman wrote: > > > On 3/30/16 10:11 AM, Noel Jones wrote: >> On 3/30/2016 6:24 AM, Miles Fidelman wrote: >>> Hi Folks, >>> >>> I'm busily trying to tune our system to reduce the amount of >>> bounceb

Re: Fwd: question re. discarding messages that are rejected during smtp negotiation

2016-03-30 Thread Noel Jones
g system stopped responding. Probably the spammer's system is overloaded with others trying to return undeliverable mail. Don't accept mail you can't deliver. -- Noel Jones

Re: Cascade smtp delivery failure when one smtp fails

2016-03-28 Thread Noel Jones
and logs demonstrating the problem, maybe someone can help you find a suitable solution. Please see: http://www.postfix.org/DEBUG_README.html#mail -- Noel Jones

Re: Hardware with non-FQDN EHLO

2016-03-26 Thread Noel Jones
other workarounds. smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_helo_hostname ... any other stuff... -- Noel Jones > > Mensaje original > De: wie...@porcupine.org > Fecha:25/03/2016 17:56 (GMT+00:00) > Para: Postfix users >

Re: correct rejection/error response when using remote address verification?

2016-03-23 Thread Noel Jones
tion; instead it's just failing. Failing how? Show config and logs. -- Noel Jones

Re: correct rejection/error response when using remote address verification?

2016-03-23 Thread Noel Jones
' > message/status? Or should I? > > Thanks for helping clear this up. > The response echoes what postfix receives from the downstream server. You can include some custom text, but you can't change the status code. http://www.postfix.org/postconf.5.html#unverified_recipient_reject_reason unverified_recipient_reject_reason = Recipient address unknown -- Noel Jones

Re: One more post-rebuild weirdness

2016-03-22 Thread Noel Jones
ps = should take care of this. -- Noel Jones > > $ telnet 192.168.1.5 587 > Trying 192.168.1.5... > Connected to 192.168.1.5. > Escape character is '^]'. > > 220 nw6.pointyears.net > ehlo gmail.com > 250-nw6.pointyears.net > 250-AUTH LOGIN > 250-8BI

Re: One more post-rebuild weirdness

2016-03-22 Thread Noel Jones
probe, unless from mynetworks or SASL AUTH. You testing from inside your network? > soft_bounce = yes And any reject will be turned into a 4xx defer. > > transport: > pointyears.net smtp:[192.168.1.5]:587 > pointyears.org smtp:[192.168.1.5]:587 > So what problem are you having? -- Noel Jones

Re: rewrite domain

2016-03-22 Thread Noel Jones
ntion to what they are doing. If you still want to take a stab at this, please provide your "postconf -n" and the actual error message from the postfix log. -- Noel Jones

Re: relay_recipient_maps ./. smtp callout

2016-03-22 Thread Noel Jones
smtpd_sender_restrictions = check_recipient_access inline:{example.com=reject_unverified_recipient} where example.com is the domain hosted on your linux box. The inline: map type requires postfix 3.0 or newer. Older postfix versions can use an external hash: table with the same values. -- Noel Jones

Re: virtual_alias_maps accounts are bypassing smtpd_recipient_restrictions

2016-03-19 Thread Noel Jones
postfix logging showing the unexpected behavior. Include your 'postconf -n' output. -- Noel Jones

Re: Inserting a unique ID into the email header with Postfix alone

2016-03-19 Thread Noel Jones
a policy service or a tcp table, either of which are fairly simple and lightweight. Or you could just use the Message-ID as your mostly-unique identifier. -- Noel Jones

Re: OT yahoo

2016-03-11 Thread Noel Jones
mail server) is nicely solved by using a dns whitelist such as dnswl.org to bypass postscreen tests for known mail servers... not necessarily "known good" servers, just known to not be a bot. Then your smtpd and content filtering can decide if you want the mail. -- Noel Jones

Re: sender IP dependent outgoing IP address after content_filter

2016-03-11 Thread Noel Jones
On 3/11/2016 9:22 AM, gsotsas wrote: > Thanks once again! > > Do you see any possibility to use the client IP from the XFORWARD > header? And to pass it to an external policy daemon? > > Amda No. > > On 09.03.2016 22:41, Wietse Venema wrote: >> gsotsas: >>> Dear postfix users, >>> I have th

Re: main.cf and postfix reload

2016-03-03 Thread Noel Jones
ld processes with new processes during normal operation is rarely of concern and not explicitly logged. You can identify a new process by a change in the process ID recorded in the log. -- Noel Jones

Re: main.cf and postfix reload

2016-03-03 Thread Noel Jones
ostfix.org/OVERVIEW.html http://www.postfix.org/postconf.5.html#max_use http://www.postfix.org/postconf.5.html#max_idle So yes, this is normal. -- Noel Jones

Re: sent all mailer-daemon to a other server ?

2016-02-27 Thread Noel Jones
Please explain in more detail the problem you're trying to solve. -- Noel Jones On 2/27/2016 9:38 AM, Olivier CALVANO wrote: > Hi > > i's possible to configure Postfix for all mailer-daemon mail are > sent to a other server ? (not directly) > > regards > olivier >

Re: Postfix & check_policyd_service no concurrent connections?

2016-02-26 Thread Noel Jones
e. I suggest you experiment with the simple greylist.pl policy service included with postfix and see how it performs. You can find the code included in the postfix source under ./examples/smtpd-policy/greylist.pl Good luck and best wishes. Over and out. -- Noel Jones

Re: Postfix & check_policyd_service no concurrent connections?

2016-02-26 Thread Noel Jones
is exactly what postfix does. -- Noel Jones

Re: Postfix & check_policyd_service no concurrent connections?

2016-02-26 Thread Noel Jones
request the answer belongs to, cause we're > talking over 1 pipeline / socket. So with this design, it's not strange that > Postfix wants an answer before sending the next request. One socket with thousands of long-running connections to it. This is a common high performance design. -- Noel Jones

Re: Postfix & check_policyd_service no concurrent connections?

2016-02-26 Thread Noel Jones
You should end up with about the same number of connections as there are active smtpd processes, with new connections happening only when expired smtpd processes are replaced. -- Noel Jones

Re: Turf all email for domains not listed in transport file

2016-02-23 Thread Noel Jones
nd for any domains other than those, to go either > /dev/null or to a local postmaster or such. > > Any thoughts? > > > Thanks > Rich > There are several ways... Here's one: # main.cf default_transport = error:invalid destination domain http://www.postfix.org/

Re: Feature request - blacklist check for NS

2016-02-23 Thread Noel Jones
he tcp_table, > and your TCP server could do the DNSBL query. > > man 5 tcp_table > > Wietse > A good example for a tcp_table is the checkdbl.pl script found here: https://people.freebsd.org/~sahil/scripts/checkdbl.pl.txt That script would only need trivial changes to work as a check_*_ns_access table. -- Noel Jones

Re: RBL look up errors

2016-02-19 Thread Noel Jones
error for name=70.14.214.162.list.dsbl.org type=A: Host not > found, try again > > > dsbl.org has been closed for 5+ years. Remove it from your config. -- Noel Jones

Re: Interpreting unauthorised relaying

2016-02-18 Thread Noel Jones
nected from IP 171.96.116.78 using a HELO hostname of [127.0.0.1]. As for how the attacker got the user's credentials, likely either they were phished or they reused a password from some other site that was hacked. The user should consider that password compromised and never use it again for anything. -- Noel Jones

Re: How to relay specific domain over TLS and rest all other without TLS ?

2016-02-18 Thread Noel Jones
ix/CA_Bundle.pem This should do what you ask when you use the right option names. -o smtp_tls_security_level=encrypt -o smtp_tls_CAfile=/etc/postfix/CA_Bundle.pem The smtp_use_tls keyword is deprecated by smtp_tls_security_level. Note there must be no spaces around the "=" in mas

Re: DKIM setup

2016-02-17 Thread Noel Jones
used by DKIM. That's what DMARC is for. And DKIM keys have v=DKIM1 or such. Looks like they're asking for Domainkeys records, not DKIM. It probably won't hurt anything to add Domainkeys records, but nobody uses those anymore. -- Noel Jones

Re: DKIM setup

2016-02-17 Thread Noel Jones
tor (or DNS record) to be used for verifying, and a domain can have multiple selectors. -- Noel Jones

Re: Can't get mynetworks to match a specific host

2016-02-17 Thread Noel Jones
use AUTH. If you have some that can't/don't AUTH, you'll need to add permit_mynetworks here. -- Noel Jones

Re: Increasing Active Queue Requeue Rates

2016-02-16 Thread Noel Jones
www.postfix.org/TUNING_README.html http://www.postfix.org/QSHAPE_README.html and seems particularly relevant: http://www.postfix.org/QSHAPE_README.html#backlog -- Noel Jones

Re: internal mail relay

2016-02-11 Thread Noel Jones
nd - - - - - - - - - - - - - - - - - - - > - - > > > Can somebody drive me toward a solution? > > > > --- > Michel Donais This sounds like what you're missing: http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from -- Noel Jones

Re: Can this sort of spam be easily and safely blocked in postfix

2016-02-11 Thread Noel Jones
org/postconf.5.html#warn_if_reject -- Noel Jones

Re: Any way to edit postscreen_cache.db?

2016-02-10 Thread Noel Jones
ute the overall performance difference is negligible. In the case of a flood of connections, a firewall block is probably a better solution anyway. So the bottom line is that although it is possible to remove a client from the postscreen automatic whitelist cache, it's not worth the trouble. -- Noel Jones

Re: Can this sort of spam be easily and safely blocked in postfix

2016-02-10 Thread Noel Jones
n_reverse_client_hostname somewhere in your config. It's quite rare for a legit mail server to fail this check. The few failures I see are typically when someone moved to a new IP and forgot to set up the rDNS. > > Presumably if I want more I need to change the verbosity. Everything you need is in the normal logs. -- Noel Jones

Re: Can this sort of spam be easily and safely blocked in postfix

2016-02-10 Thread Noel Jones
been much more interesting to see the original connection from the outside client. I didn't really look at your postconf output, other than noticing that you use some good RBLs already, and have some questionable settings for alias_maps, local_recipient_maps, and virtual_alias_maps.

Re: Deliver all mail from one domain to two servers

2016-02-08 Thread Noel Jones
eneric # smtp_generic -- wildcards OK here @new.example.com @example.com References: http://www.postfix.org/ADDRESS_REWRITING_README.html http://www.postfix.org/postconf.5.html#transport_maps http://www.postfix.org/postconf.5.html#smtp_generic_maps http://www.postfix.org/postconf.5.html#virtual_alias_maps -- Noel Jones

Re: transport lookup behavior when tcp table is configured, but not available

2016-02-08 Thread Noel Jones
se the default transport, or will postfix always log an error and > defer the emails? Postfix will always defer mail when any map or lookup table is unavailable. This is not configurable. -- Noel Jones

Re: SPF

2016-02-04 Thread Noel Jones
ss technical details of SPF within postfix. For SPF questions or discussion not related to postfix, please see http://www.openspf.org/Forums -- Noel Jones

Re: DKIM Signing (postfix + amavis-new)

2016-02-02 Thread Noel Jones
_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject ... other stuff you like ... -- Noel Jones

Re: Client Certificate Authentication for Auth Only

2016-02-01 Thread Noel Jones
recommended to enable AUTH only on port 587 submission, and not on the general-use port 25 smtpd. If you restrict AUTH to only port 587, it's easy to add "-o smtpd_tls_req_ccert=yes" to the master.cf submission entry. -- Noel Jones

Re: DKIM Signing (postfix + amavis-new)

2016-02-01 Thread Noel Jones
On 2/1/2016 12:30 AM, John A @ KLaM wrote: > > My question is what is the /best/ way of getting postfix to forward > mail to the signing policy bank. > In one example the submission section of master.cf had the following > lines added > smtpd_proxy_filter=[127.0.0.1]:10026 > milter_macro_deamon_na

Re: Dumb Amavis/postfix question

2016-01-30 Thread Noel Jones
appear in maillog or am I running amavis AND spamd? amavisd does not use spamd, it calls the perl modules directly. It is not necessary to run spamd on the server. See the amavisd-new docs for details. -- Noel Jones > > So, two stupid questions then. >

Re: How to block sending outgoing mail from other domains in from field

2016-01-27 Thread Noel Jones
x version is > 2.11.3-1 on debian Jessie. My setup have just postfix with sasl > authentication, authentication is working fine. > > > -- > Thanks > > Amit Bondwal > > > > You can map sasl login names to allowed MAIL FROM names using reject_sender_login_mismatch (or the reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch variants). http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch -- Noel Jones

Re: Returning from custom restriction class and proceed with the remaning checks

2016-01-27 Thread Noel Jones
an I get postfix's dnswl_client check to return with DUNNO when I > want this check to decide if I want to end (skip) a custom restriction > class? > > Thanks! > > No. Put the continued restrictions in smtpd_helo_restrictions. -- Noel Jones

Re: Returning from custom restriction class and proceed with the remaning checks

2016-01-25 Thread Noel Jones
On 1/25/2016 11:25 AM, Igor Sverkos wrote: > My problem is that any PERMIT/OK in my custom restriction classes would > also immediately end smtpd_client_restrictions causing quota check for > example to be skipped. Use DUNNO rather than OK to skip to the next restriction. -- Noel Jones

Re: Change or suppress technical errors

2016-01-20 Thread Noel Jones
ing? > > Thanks, > Steve http://www.postfix.org/postconf.5.html#show_user_unknown_table_name -- Noel Jones

Re: Cannot get destination_concurrency_limit working properly

2016-01-20 Thread Noel Jones
've made to master.cf, and logs demonstrating the problem. http://www.postfix.org/DEBUG_README.html#mail -- Noel Jones

Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?

2016-01-18 Thread Noel Jones
ng base64 or quoted-printable encoded. You'll need to examine the raw mail message with vi on your imap server store to see what's really in there. -- Noel Jones

Re: How to configure the mail receiving time from the server

2016-01-15 Thread Noel Jones
ime in the Received: header and does not alter the Date: header. The correct solution is to fix the time on the sending machine. -- Noel Jones

Re: smtpd sender restrictions

2016-01-12 Thread Noel Jones
n send mail to every domain > > t...@example.com can send mail only to example.com domain and > relative users > > How i can do this please. > Thanks a lot. > Please see http://www.postfix.org/RESTRICTION_CLASS_README.html#external -- Noel Jones

Re: reject_rbl_client leaky?

2016-01-07 Thread Noel Jones
get tagged by SA. However, > the /next/ set of emails should be blocked by postfix. If that > isn't happening, then I'd be concerned. > > --Quanah > In addition to "0-moment" timing issues SA may, depending on configuration, look at URLs inside the message, or at other Received: headers. Postfix only considers the connecting client, which is appropriate for a first-line defense. It's not clear from the post if SA was complaining about the connecting client, or some other IP. -- Noel Jones

Re: ldap validate

2016-01-05 Thread Noel Jones
al logging you need on a regular basis? -- Noel Jones

Re: ldap validate

2016-01-05 Thread Noel Jones
y_domains. > Is it picking this from mydomain setting in main.cf perhaps? > Or somewhere else? This is in your lookup map definition. -- Noel Jones

Re: ldap validate

2016-01-05 Thread Noel Jones
recipient_maps. Don't use any of the virtual_mailbox_* parameters. -- Noel Jones

Re: Virtual_Users for single domain

2016-01-05 Thread Noel Jones
s, it is correct to use mydestination = localhost.example.com virtual_mailbox_domains = example.com -- Noel Jones > The readme clearly says that you can`t list mydomain.xy in > mydestination and virtual_mailbox_domains at the same time. > My bad, i was talking about virtual_alias_domains inste

Re: Virtual_Users for single domain

2016-01-05 Thread Noel Jones
out. :) > > Dennis Sounds as if you want a virtual MAILBOX domain, not a virtual ALIAS domain http://www.postfix.org/ADDRESS_CLASS_README.html#virtual_mailbox_class You can find an example setup in http://www.postfix.org/VIRTUAL_README.html -- Noel Jones

Re: ldap validate

2016-01-04 Thread Noel Jones
g reports to people who haven't worked here in > years. > Better to drop in those cases You can assign specific bad users to the discard: transport. # transport table previousresid...@example.com discard: Or maybe better, use virtual_alias_maps to redirect the mail to the appropri

Re: ldap validate

2016-01-04 Thread Noel Jones
if you're using virtual_mailbox_domains, but not for relay_domains. > Is there a way to have Postfix DROP the message if the recipient is invalid? > As opposed to sending an NDR? Postfix will reject invalid recipients. Discarding invalid recipients is a terrible idea. -- Noel Jones

Re: ldap validate

2016-01-04 Thread Noel Jones
alid users for relay_domains are listed in relay_recipient_maps. That's where your ldap: map goes. http://www.postfix.org/ADDRESS_CLASS_README.html#relay_domain_class You're not using virtual_mailbox_domains, so it would not be appropriate to add your ldap: lookup there. -- Noel Jones

Re: check_sender_access and pattern matching

2015-12-30 Thread Noel Jones
or client IP. When you specify reject_unlisted_recipient, postfix checks to see if postfix controls that domain, and if it does, if the recipient address exists. Nonexistent recipients are rejected. More details in http://www.postfix.org/ADDRESS_CLASS_README.html Other restrictions control what senders or client IPs are acceptable. -- Noel Jones

Re: ldap validate

2015-12-30 Thread Noel Jones
"valid addresses." http://www.postfix.org/ADDRESS_CLASS_README.html If you need more help, please see: http://www.postfix.org/DEBUG_README.html#mail -- Noel Jones

Re: ldap validate

2015-12-30 Thread Noel Jones
the domain you're trying to validate users? Where is the domain defined in postfix? -- Noel Jones

Re: ldap validate

2015-12-30 Thread Noel Jones
ains defined in $virtual_mailbox_domains are listed in $virtual_mailbox_maps Additionally, wildcard rewrites in virtual_alias_maps or *canonical_maps will disable address validation. Don't use wildcard rewrites. -- Noel Jones

Re: large mynetwork file

2015-12-29 Thread Noel Jones
hese table types will support (at least) hundreds of thousands of entries. See the docs for details http://www.postfix.org/postconf.5.html#mynetworks Please note that indexed mynetworks tables such as hash:, cdb: *sql support single IP lookup only, not network lookup. -- N

Re: allow by IP?

2015-12-28 Thread Noel Jones
need to run "postfix reload" after editing the file. # main.cf mynetworks = /path/to/mynetworks # mynetwork 192.168.1.101 10.10.1.100 ... Other supported formats are listed in the docs. Note that when you specify mynetworks by hand, the mynetworks_style parameter is ignored. -- Noel Jones

Re: Deny attachement extension directly in postfix ?

2015-12-23 Thread Noel Jones
database : > > domaine1.com <http://domaine1.com> .exe;.bat;.cab > domaine2.com <http://domaine2.com> .exe To perform blocking with exceptions, you'll need a milter, smtpd_proxy_filter, or content_filter outside of postfix, such as mimedefang or amavisd-new. -- Noel Jones

Re: Blank EHLO/HELO commands

2015-12-21 Thread Noel Jones
On 12/21/2015 6:44 PM, Jeffrey 'jf' Lim wrote: > On Tue, Dec 22, 2015 at 7:26 AM, Noel Jones > I quit using reject_unknown_helo_hostname a couple years ago when it > quickly became clear that a significant percentage of the clients > rejected were le

Re: Blank EHLO/HELO commands

2015-12-21 Thread Noel Jones
"localhost", and variants of my own domain, and I use "smtpd_helo_required = yes". They don't catch a lot of spam, but they rarely hit legit mail either, which is why I leave them in. -- Noel Jones

Re: check_sender_access and pattern matching

2015-12-21 Thread Noel Jones
les in one place. http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions see the part near the bottom about "other restrictions valid in this context". Is this client listed in $mynetworks? If so, that's why it didn't work before, and works now. -- Noel Jones

Re: cleanup service and removing headers

2015-12-21 Thread Noel Jones
ext header. So each header that matches will be replaced, and each header will only match one pattern. -- Noel Jones

Re: check_sender_access and pattern matching

2015-12-21 Thread Noel Jones
he access table documentation, pattern search order section for details. http://www.postfix.org/access.5.html -- Noel Jones

Re: cleanup service and removing headers

2015-12-21 Thread Noel Jones
se let me know if there's other information I can provide to help. >>>> >>>> Thanks, >>>> Alex >> >> perhaps more what you want >> >> https://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/ > > That's pretty much exactly the steps I followed, and I believe I even > used that page as a reference. > > I was hoping someone could spot my errors. > > Thanks, > Alex > Your expression looks OK. You can test it with postmap -hq - pcre:auth_header_checks.pcre < testfile where testfile is a saved message including the headers you want to replace. Are you seeing log entries with "auth-cleanup" to verify your cleanup_service_name override is working as expected? Any warnings in the log? -- Noel Jones

Re: non-existent users submitting email qmgr as localhost

2015-12-18 Thread Noel Jones
On 12/18/2015 12:18 PM, Ben Greenfield wrote: > >> On Dec 18, 2015, at 12:35 PM, Noel Jones wrote: >> - consider using >> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch >> to reject messages where the MAIL FROM address doesn't match the >&

Re: non-existent users submitting email qmgr as localhost

2015-12-18 Thread Noel Jones
o you. In particular, do not use a dnsbl that lists all home/dynamic/dialup IP addresses. The IP you reported is listed in both cbl and sbl and would be rejected (listed now, maybe it wasn't then). -- Noel Jones

Re: non-existent users submitting email qmgr as localhost

2015-12-17 Thread Noel Jones
> 12/17/15 4:02:38 PMpostfix/qmgr[12965]433039B83D9A: removed > User rgarrity is spamming. Most likely the password got phished/compromised. Disable that account or manually change the password. The messages from 127.0.0.1 are the output of your content_filter, and normal. As you correctly d

Re: [Postfix] Deferred queue ...

2015-12-16 Thread Noel Jones
w retries at $maximal_backoff_time (default 4000s) to see if the destination will accept mail. > > Second question, the domain.aaa and domain.bbb returned by the > command on the deferred queue correspond to the sender domain or the > recipient domain ? recipient. -- Noel Jones

Re: check_sender_access and spoofing

2015-12-10 Thread Noel Jones
automated without too much trouble. There's sample perl code lying around to parse SPF records. > > Would I then not be able to use the check_sender_access to reject mail > coming as my domain from unauthorized servers? Pick one way to deal with forged mail. Either reject in postfix or tag in SpamAssassin. You can't do both; neither is inherently better. Use what suits your needs and expectations. -- Noel Jones

Re: check_sender_access and spoofing

2015-12-10 Thread Noel Jones
for routing, but don't add $transport_maps to relay_domains. If it's necessary to share a map -- maybe for large number of domains -- it's better to use a dedicated map with an obvious name, like "relay_domains_transport" or whatever makes sense to you, and just share that one map rather than the whole $transport_maps setting. And in your particular case, you probably don't need any extra relay_domains entries because of parent_domain_matches_subdomains -- Noel Jones

Re: check_sender_access and spoofing

2015-12-09 Thread Noel Jones
. Anyway, the default value of parent_domain_matches_subdomains includes relay_domains, so "X.example.com" is already included by way of "example.com". If they aren't really related subdomains, just include them in relay_domains explicitly. -- Noel Jones

Re: check_sender_access and spoofing

2015-12-09 Thread Noel Jones
net:127.0.0.1:2501, > check_recipient_access pcre:/etc/postfix/relay_recips_access, > permit > smtpd_sender_restrictions = check_sender_ns_access > hash:/etc/postfix/blacklist_ns.cf > check_sender_access hash:/etc/postfix/sender_checks, > reject_unknown_sender_domain Missing permit_mynetworks. > transport_maps = hash:/etc/postfix/transport > virtual_alias_maps = hash:/etc/postfix/virtual > -- Noel Jones

Re: reject connections from hosts without mx record

2015-12-05 Thread Noel Jones
On 12/5/2015 1:36 PM, sb wrote: > On 12/4/15 9:39 PM, Noel Jones wrote: > >> Is this even the IP the sender domain pointed to? >> That isn't clear in your posting. > > Answered 4h earlier, although the particular case of > 78-134-2-123.v4.ngi.it was just a convers

Re: reject connections from hosts without mx record

2015-12-04 Thread Noel Jones
On 12/4/2015 12:57 PM, sb wrote: > On 12/4/15 7:08 PM, Noel Jones wrote: > >> The sender domain must have either an MX or an A record. >> You can reply to a domain with only an A record. > > If I send mail to the above address, there is no server that can > receive it

Re: reject connections from hosts without mx record

2015-12-04 Thread Noel Jones
>-o smtpd_milters=${spf_milter},${dkim_milter},${dmarc_milter} >-o cleanup_service_name=pre-cleanup > > Postscreen is currently disabled. Probably worth investigating using postscreen with a few dnsbls. -- Noel Jones

Re: smtpd_helo restrictions no permanent error? Can we change it?

2015-12-03 Thread Noel Jones
"reject_unlisted_recipient" rule somewhere above the reject_unknown_helo_hostname to reject non-existent recipients earlier. http://www.postfix.org/postconf.5.html#reject_unlisted_recipient -- Noel Jones
