Re: postfix, use a custom mysql user table to reject messages

2014-04-17 Thread Rob Tanner
Andy,

Should work just fine.  Google "postfix relay_recipient_maps mysql".  I have a 
similar issue in that my two edge servers deliver email to an Exchange server 
which is where user accounts live.  The only difference is that I’ve been using 
LDAP rather than mysql.  I also depend heavily on LDAP for aliases and 
group distribution lists.  If Postfix couldn’t do that kind of stuff I don’t 
know what I would do.  And so I’d bet that with a little googling around you 
would discover how to do aliases out of mysql as well.

Good luck.

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!

On Apr 16, 2014, at 3:00 PM, Andy Yen andy...@hep.caltech.edu wrote:

Hi postfixers,
   To send fewer email bounce messages, I would like to reject messages at 
the SMTP session if either the user doesn't exist, or the user has exceeded 
their quota. My mail setup is a bit different in that I only use postfix for 
receiving messages; user accounts and local storage are handled completely 
outside of postfix. What I do have is a custom mysql table that lists usernames 
in my mail system, and whether they have exceeded quota or not. I can of course 
reformat this table or duplicate it.

Is there a way to have postfix look in this mysql table, verify the user exists 
and is not over quota, and then reject or accept the message within the SMTP 
session?

Looking through the docs, there doesn't appear to be an out of the box way to 
do this, but perhaps there is a way to take advantage of how postfix currently 
does its user lookup at this stage of message processing to achieve this 
functionality? Or is my only option to go in and modify the source code?

Cheers,
Andy
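The approach Rob points at, written out as an added example (this is not configuration from either message): Postfix's own relay_recipient_maps backed by a MySQL table rejects unknown users at RCPT TO, and a check_recipient_access lookup against the same table turns the over-quota flag into a reject in the same SMTP session. The relay domain, the table name mailusers, its columns and the database credentials are assumptions.

```ini
# main.cf (added example; relay domain, table and column names are assumptions)
relay_domains = example.edu
# Any non-empty lookup result means "this recipient exists"; recipients in
# example.edu that are not listed are rejected at RCPT TO instead of bouncing.
relay_recipient_maps = mysql:/etc/postfix/mysql-recipients.cf

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    # Only recipients that passed the relay check reach the database lookup.
    check_recipient_access mysql:/etc/postfix/mysql-quota.cf

# /etc/postfix/mysql-recipients.cf  (mysql_table(5) format)
user = postfix_ro
password = CHANGE-ME
hosts = 127.0.0.1
dbname = mail
query = SELECT email FROM mailusers WHERE email = '%s'

# /etc/postfix/mysql-quota.cf
user = postfix_ro
password = CHANGE-ME
hosts = 127.0.0.1
dbname = mail
# check_recipient_access treats the result as an access(5) action, so a row
# flagged over quota yields a permanent reject with a mailbox-full status code;
# rows that are not over quota return nothing and evaluation continues.
query = SELECT '552 5.2.2 Mailbox over quota' FROM mailusers WHERE email = '%s' AND over_quota = 1
```

`postmap -q user@example.edu mysql:/etc/postfix/mysql-quota.cf` exercises a lookup without sending mail. check_recipient_access also tries the bare domain and the local part as keys, which the equality on the full address simply does not match. The two files carry the database password, so they should be root-owned, group postfix, mode 0640, and the database account should only have SELECT on that table; prefixing the maps with proxy: (and listing them in proxy_read_maps) keeps one database connection per proxymap process instead of one per smtpd.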



Sender based relaying

2014-04-15 Thread Rob Tanner
Because of compromised passwords that spammers are using to send high volumes 
of SPAM through our servers, I am using policyd to limit the number of emails a 
user can send in a given timeframe.  The problem is that our marketing division 
(aka the Admissions Office) normally sends out high volumes of email to 
potential new students.  We do have a specific server with Postfix configured 
to use a mailing service (Mandrill from MailChimp) and the largest numbers of 
emails, upwards of 10 to 15 thousand at a time, are routed through that server.  
But we also have individual Admission Counselors who send out mail-merged messages 
under their own name.

Is there any way that I can configure postfix on our default server to relay 
messages from specific senders’ outgoing email through the server that’s 
configured to use Mandrill before the policy daemon sees them?  Below is the 
configuration that implements the check_policy_service:

smtpd_helo_restrictions =
smtpd_client_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
check_client_access hash:/etc/postfix/client_checks
check_policy_service inet:127.0.0.1:10031
permit_mynetworks
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain

smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:10031

Barring the ability to do this in Postfix directly, is there any reliable 
front-end package that can examine the messages first and then decide whether 
to pass the message to the local copy of Postfix or relay the message to the 
Mandrill-configured server?  I would need someday for this front-end to make its 
determination based on some sort of dynamic list (preferably LDAP based).

Thanks,

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!
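Postfix can do both halves of this itself, shown here as an added example rather than Rob's configuration: sender_dependent_relayhost_maps routes mail from the listed senders to the Mandrill-configured server, and a restriction class lets those senders skip check_policy_service, but only when the client is in mynetworks, so a forged sender address from outside gains nothing. The relay host name, the two map files and the class name bulk_sender_ok are assumptions; the other restrictions are the ones from the configuration above.

```ini
# main.cf (added example)

# 1. Route mail from the listed bulk senders through the Mandrill-configured
#    server; everything else keeps the default transport.
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

# 2. A restriction class that yields PERMIT only for campus clients; for any
#    other client it yields DUNNO and evaluation continues down the list, so
#    the policy daemon and reject_unauth_destination still apply.
smtpd_restriction_classes = bulk_sender_ok
bulk_sender_ok = permit_mynetworks

smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/bulk_senders
    check_client_access hash:/etc/postfix/client_checks
    check_policy_service inet:127.0.0.1:10031
    permit_mynetworks
    reject_unauth_destination

# The end-of-data policy call must be bypassed the same way, or the daemon
# still sees (and counts) the message at that stage.
smtpd_end_of_data_restrictions =
    check_sender_access hash:/etc/postfix/bulk_senders
    check_policy_service inet:127.0.0.1:10031

# /etc/postfix/bulk_senders  (run postmap after editing)
counselor1@example.edu    bulk_sender_ok
counselor2@example.edu    bulk_sender_ok

# /etc/postfix/sender_relay  (run postmap after editing)
counselor1@example.edu    [mandrill-relay.example]
counselor2@example.edu    [mandrill-relay.example]
```

For the LDAP-based dynamic list, both hash: tables can be replaced by ldap: tables in the style of the existing proxy:ldap:limittag lookup, with result_format returning the fixed string bulk_sender_ok or the relay host. The exemption is only as strong as the sender address, which any campus client can forge, so the list should stay short and those senders' volume should be watched separately, for instance with the syslog_name trick used elsewhere on this page to tag their deliveries.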



How do I get Postfix to tell me when a message bounces and who sent it

2014-04-13 Thread Rob Tanner
When a user sends too many messages to bad addresses, it’s probably a spammer 
using a compromised account.  Other than a very messy reading and parsing of 
the log files, is there a way to get postfix to tell me when a message has 
bounced and who the sender was (perhaps a hook in the main.cf or something??).  
When the number of such messages from a specific user reaches a certain 
threshold, I want to be able to block that user from sending outgoing messages. 
This latter part is simple enough but getting the bounce information in a way 
I can read it programmatically has got me baffled.

Is that even possible?

Thanks,


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!



Re: Aliases cause policyd to miscount the number of message a user@domain sends

2014-04-10 Thread Rob Tanner

On Apr 9, 2014, at 9:17 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

 On Thu, Apr 10, 2014 at 02:38:32AM +, Rob Tanner wrote:
 
 The policyd daemon is a perfect tool for setting quotas (i.e., number
 of messages per hour, day, etc).  The problem is that we depend
 heavily on Postfix's extraordinary ability to do LDAP based aliasing
 of groups, and then each resulting message gets counted against
 the sender.  Is there some nice trick I can do so that the
 check_policy_service runs only once, before the lists are exploded?
 
 You can run the relevant policy check from smtpd_data_restrictions
 instead of smtpd_recipient_restrictions.  The alias expansion clearly
 takes place upstream since policyd processing in smtpd(8) precedes
 virtual alias expansion in cleanup(8).
 

Changed the main.cf, removing the check_policy_service parameter from 
smtpd_recipient_restrictions and moving it to smtpd_data_restrictions as 
follows:

smtpd_data_restrictions =
check_policy_service inet:127.0.0.1:10031

smtpd_end_of_data_restrictions = 
check_policy_service inet:127.0.0.1:10031

The result was that policyd never saw any messages. There were no cbpolicyd log 
entries in the maillog.  I put the check_policy_service parameter back under 
smtpd_recipient_restrictions and policyd immediately began tracking the quotas 
again.  Something else must be required.  

I’m open to any and all suggestions.

~ Rob



 smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
check_client_access hash:/etc/postfix/client_checks
check_policy_service inet:127.0.0.1:10031
permit_mynetworks
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
reject
 
 smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:10031
 
 This is both too early and too late.  Apply the relevant check in
 smtpd_data_restrictions, however you won't see each recipient in
 turn.  It may also be possible to detect multiple recipients for
 the same envelope in a policy request and consolidate the counts.
 
 -- 
   Viktor.



Aliases cause policyd to miscount the number of message a user@domain sends

2014-04-09 Thread Rob Tanner
Hi,

Since, try as we might, folks still respond to phishing attacks with their 
email name and password, at least I can mitigate the damage to our network 
reputation when the bad boys use what they’ve caught as a vehicle for sending 
out 1000’s of SPAM messages.  The policyd daemon is a perfect tool for setting 
quotas (i.e., number of messages per hour, day, etc).  The problem is that we 
depend heavily on Postfix’s extraordinary ability to do LDAP based aliasing of 
groups, and then each resulting message gets counted against the sender.  Is 
there some nice trick I can do so that the check_policy_service runs only once, 
before the lists are exploded?

Immediately below is the configuration that invokes policyd, below that is 
the configuration for a one-to-one alias (i.e., the uid returns a single address), 
and below that is a configuration that reads an LDAP group record with multiple 
DNs as a uniquemember (a multiply occurring attribute) and each DN results in a 
single mail address (i.e., a one-to-many alias).

smtpd_helo_restrictions =
smtpd_client_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
check_client_access hash:/etc/postfix/client_checks
check_policy_service inet:127.0.0.1:10031
permit_mynetworks
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
reject

smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:10031


ldaptag_server_host = $default_ldap_host
ldaptag_bind_dn = the DN
ldaptag_bind_pw = the password
ldaptag_search_base = o=linfield.edu
ldaptag_query_filter = (uid=%s)
ldaptag_result_attribute = mailRoutingAddress

grouptag_server_host = $default_ldap_host
grouptag_bind_dn = the DN
grouptag_bind_pw = the password
grouptag_search_base = ou=groups,o=linfield.edu
grouptag_query_filter = (&(|(mailLocalAddress=%s)(uid=%s)))
grouptag_special_result_attribute = uniquemember
grouptag_result_attribute = mailRoutingAddress

Any help would be greatly appreciated.

Thanks.



Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!



Re: Compromised Passwords

2014-04-04 Thread Rob Tanner
On Mar 4, 2014, at 7:25 PM, Venkat mvenkat...@gmail.com wrote:



   When a password gets compromised, spam starts to pour out of the
server from endless numbers of IP's, to endless numbers of addresses.

   Rate limiting is interesting but doesn't really stop the spam.

   Counting client=[IP] addresses until a threshold is reached
is highly effective, but then what?  Change their password?


We are using policyd to manage quotas on e-mail send outs. You can also
use a log monitor like swatch to alert you if an account exceeds quota. At this
point the account can be disabled till the user changes their password. Also,
policyd supports things like rejecting or holding e-mails if the quota is
exceeded so spam does not go out anymore. You can also script automatic
disabling of accounts based on quota violations. We find that blacklisting
usually only happens when a very large number of spam escapes, so rate limiting
per account (e-mail address) is quite effective.

I’ve got the same problem and I’ve installed policyd on a test server.  Using 
the GUI the setup is simple enough, but I’ve yet to get it to work.  Not being 
sure whether I need to set up restrictions under Quotas or Accounting, I’ve tried 
both, and after I’ve sent a bunch of test messages, the one thing I notice is 
that nothing is being written to either the accounting_tracking or the 
quotas_tracking tables.  The policyd log file shows that every message 
(including those beyond the 5 limit I set up for testing) was processed and the 
modules both returned a CBP_SKIP which I gather means nothing to do.  Did you 
have that same problem and if so, how did you get around it?

~ Rob




Using master.cf to modify main.cf options

2014-03-24 Thread Rob Tanner
We use Mandrill (a MailChimp offering) for the Admissions Office bulk emailing 
to prospective students.  We have now set up a second Mandrill account that has 
to authenticate with a different username/password (or key as Mandrill calls 
it).  The key is mapped to this hash below.

smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd

For the second account, I have created a second password file, 
sasl_passwd_campus and I’ve configured master.cf as follows:

smtp  inet  n   -   n   -   -   smtpd
2025  inet  n   -   n   -   -   smtpd
  -o smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd_campus

My expectation is that when I connect to Postfix on port 2025, the one map will 
override the other, but it doesn’t appear to be doing so.  All the messages 
being delivered to Mandrill are coming in on the Admissions account and not the 
new second account.

What am I doing wrong here?

Thanks,


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!
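The piece that is missing is that smtp_sasl_password_maps is read by the Postfix SMTP client, smtp(8), not by the smtpd listener the -o override sits on, so the port-2025 setting never reaches the process that logs in to Mandrill. The following added example (not Rob's configuration; the Mandrill host name and the account are placeholders) gives the second listener its own smtp transport through content_filter and puts the password-map override on that transport, where it takes effect:

```ini
# master.cf (added example; the relay host and account name are placeholders)
# Port 2025 listener: everything it accepts is handed to the "campus" transport.
2025      inet  n       -       n       -       -       smtpd
    -o content_filter=campus:[mandrill-relay.example]:587
    -o syslog_name=postfix-campus
# Dedicated SMTP client for the second account.  Only this transport reads the
# second password file; the default smtp transport keeps using sasl_passwd.
campus    unix  -       -       n       -       -       smtp
    -o smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd_campus
    -o syslog_name=postfix-campus

# /etc/postfix/sasl_passwd_campus  (run postmap after editing; mode 0600, root-owned)
[mandrill-relay.example]:587    campus-account:SECOND-API-KEY
```

The campus transport inherits every other smtp_* setting from main.cf (SASL enable flag, TLS level, CA file), so only the map differs. Tagging both services with their own syslog_name makes it possible to see in the log which account a delivery used, which is the quickest way to confirm the override is doing what was expected.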





How do i get Postfix to act like a mail client using TLS to talk to an upstream server

2013-08-28 Thread Rob Tanner
Hi,

Our Admissions department is looking to use Mandrill to get a better handle on 
emails they send out to prospective students.  With Mandrill, we relay all the 
mail we generate to one of their servers using SMTP, but they want the 
connection encrypted.  I already have one server set up that allows encrypted 
connections to be made to it (has a real cert and everything) but my problem 
now is the other way around: I need one of my postfix servers to initiate an 
encrypted connection to Mandrill.  

Can anybody point me to some documentation? Perhaps a howto?

Thanks.

Rob Tanner
rtan...@linfield.edu





What are the LDAP config diffs between 2.2.10 and 2.10.1

2013-08-22 Thread Rob Tanner
I am upgrading from 2.2.10 to the current 2.10.1 primarily because the former 
does not understand milters and we are trying to implement DKIM.  The problem 
is that LDAP appears to be broken and we make extensive use of LDAP. When I 
first copied the production main.cf over to my development box and tried to 
start Postfix, I got 100's of warnings about unused parameters, and always, they 
were LDAP configurations that were used and worked on 2.2.10.

From a quick look at the Postfix HowTo at Postfix.org, I see I 
need to create an ldap-aliases.cf file and add it to the alias_maps parameter.  
But I also do virtual aliases which I specify using a virtual_alias_maps 
parameter.  So, to get me off to a good start, could someone please translate 
the virtual configuration below into something that will work in 2.10.1:

virtual_alias_maps = 
ldap:ldaptag,ldap:grouptag,ldap:dormtag,ldap:deptag,ldap:divtag

ldaptag_server_host = $default_ldap_host
ldaptag_bind_dn = cn=Postfix,ou=Special Users,o=linfield.edu
ldaptag_bind_pw = pwd
ldaptag_search_base = o=linfield.edu
ldaptag_query_filter = (&(|(mailLocalAddress=%s)(uid=%s))(!(ou=Alumni Email Users)))
ldaptag_result_attribute = mailRoutingAddress

grouptag_server_host = $default_ldap_host
grouptag_bind_dn = cn=Postfix,ou=Special Users,o=linfield.edu
grouptag_bind_pw = pwd
grouptag_search_base = ou=groups,o=linfield.edu
grouptag_query_filter = (&(|(mailLocalAddress=%s)(uid=%s)))
grouptag_special_result_attribute = uniquemember
grouptag_result_attribute = mailRoutingAddress

dormtag_server_host = $default_ldap_host
dormtag_bind_dn = cn=Postfix,ou=Special Users,o=linfield.edu
dormtag_bind_pw = pwd
dormtag_search_base = ou=DormLists,o=linfield.edu
dormtag_query_filter = (uid=%s)
dormtag_special_result_attribute = uniquemember
dormtag_result_attribute = mailRoutingAddress

deptag_server_host = $default_ldap_host
deptag_bind_dn = cn=Postfix,ou=Special Users,o=linfield.edu
deptag_bind_pw = pwd
deptag_search_base = ou=departments,o=linfield.edu
deptag_query_filter = (|(mailLocalAddress=%s)(uid=%s))
deptag_special_result_attribute = uniquemember
deptag_result_attribute = mailRoutingAddress

divtag_server_host = $default_ldap_host
divtag_bind_dn = cn=Postfix,ou=Special Users,o=linfield.edu
divtag_bind_pw = pwd
divtag_search_base = ou=divisions,o=linfield.edu
divtag_query_filter = (uid=%s)
divtag_special_result_attribute = uniquemember
divtag_result_attribute = mailRoutingAddress

In all but the ldaptag above, the query filter will return a single entry which 
has a number of uniqueMember attributes, each of which contains the DN of an 
entry that has a mailRoutingAddress attribute that contains the actual email 
address.  The divtag uniqueMember attribute actually returns the DNs for 
departments in the division which, in turn, have uniqueMember attributes, each 
of which contains the DN of an actual person with a mailRoutingAddress 
attribute.

A translation of the above should give me what I need to translate the rest of 
my LDAP configuration.

Thanks.


Rob Tanner
rtan...@linfield.edu
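The first two tables above, translated into the per-table file form that Postfix 2.10 expects (an added example, not from the thread): every former ldaptag_* or grouptag_* parameter becomes the same key without the prefix, in its own file, and main.cf references the file. The LDAP host is written literally (a placeholder here), the bind password is a placeholder, and the users filter is assumed to AND its two sub-filters, since as posted it has two sub-filters with no combining operator. The dorm, department and division tables follow the same pattern with their own search_base and query_filter.

```ini
# main.cf
virtual_alias_maps =
    ldap:/etc/postfix/ldap-users.cf,
    ldap:/etc/postfix/ldap-groups.cf,
    ldap:/etc/postfix/ldap-dorms.cf,
    ldap:/etc/postfix/ldap-depts.cf,
    ldap:/etc/postfix/ldap-divs.cf

# /etc/postfix/ldap-users.cf   (formerly the ldaptag_* parameters)
server_host = ldap.example.edu
version = 3
bind = yes
bind_dn = cn=Postfix,ou=Special Users,o=linfield.edu
bind_pw = CHANGE-ME
search_base = o=linfield.edu
scope = sub
query_filter = (&(|(mailLocalAddress=%s)(uid=%s))(!(ou=Alumni Email Users)))
result_attribute = mailRoutingAddress

# /etc/postfix/ldap-groups.cf   (formerly the grouptag_* parameters)
server_host = ldap.example.edu
version = 3
bind = yes
bind_dn = cn=Postfix,ou=Special Users,o=linfield.edu
bind_pw = CHANGE-ME
search_base = ou=groups,o=linfield.edu
scope = sub
query_filter = (|(mailLocalAddress=%s)(uid=%s))
# Each uniquemember value is a DN; Postfix looks that entry up in turn and
# collects its mailRoutingAddress, which is how one group fans out to many
# addresses and how a division resolves through its departments to people.
special_result_attribute = uniquemember
result_attribute = mailRoutingAddress
```

`postmap -q someuser ldap:/etc/postfix/ldap-users.cf` exercises one table without restarting Postfix. Since bind_pw now lives in these files rather than in main.cf, they can be owned by root, group postfix, mode 0640, so the directory credential is no longer in a world-readable file.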





Trying to build Postfix 2.10.1 with LDAP support

2013-08-21 Thread Rob Tanner
I'm trying to build Postfix with LDAP support on Red Hat ES 5.  As per the 
LDAP_README, I added:

make tidy
make makefiles CCARGS="-I/usr/include -DHAS_LDAP -I/usr/include/sasl -DUSE_LDAP_SASL" \
AUXLIBS="-L/usr/lib -lldap -L/usr/lib -llber"

to the build process and then make and make install.  No errors.  But when I 
bring over the configuration from my current production server, I get warnings 
on postfix start.  Since I use LDAP extensively, it's a long list so I've just 
included this little bit:

/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
content_filter_search_base=o=linfield.edu
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
rsrctag_result_attribute=mailRoutingAddress
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
buildtag_query_filter=(uid=%s)
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
rsrctag_bind_dn=cn=Postfix,ou=Special Users,o=linfield.edu
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
buildtag_result_attribute=transport
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
rsrctag_query_filter=(|(uniqueIdentifier=%d)(uid=%u))
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
rsrctag_search_base=ou=Resources,o=linfield.edu
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
buildtag_search_base=ou=buildings,o=linfield.edu
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
rsrctag_server_host=$default_ldap_host
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
content_filter_result_attribute=spamfiltertransport
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
content_filter_query_filter=(mail=%s)
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
buildtag_server_host=$default_ldap_host

Any idea what's going on here?

Using Postfix as a client to an upstream server

2013-08-20 Thread Rob Tanner
Is it possible to use Postfix as a client to an upstream server?  And by a 
client I mean, can Postfix use auth SMTP to authenticate to that upstream 
server and can it use STARTTLS while acting like a client to the upstream 
server?

If any of the above questions are yes, is there specific documentation or a how-to 
available anywhere on the net?

Thanks,

Rob Tanner
rtan...@linfield.edu
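This post and the 2013-08-28 one above ask the same thing, and the answer is yes on both counts: the Postfix SMTP client does SASL authentication and STARTTLS (Postfix 2.3 or later for the smtp_tls_security_level form). The following is an added example of a main.cf that relays everything to an upstream server over a verified TLS connection with SASL login; it is not configuration from the thread, and the host name, account, key and CA bundle path are placeholders.

```ini
# main.cf (added example; host, account and paths are placeholders)
relayhost = [mandrill-relay.example]:587

# SASL client side: log in to the relay with the credentials in the map.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Never send the credential anonymously or in the clear; PLAIN is acceptable
# once the session is inside TLS.
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

# TLS client side: require STARTTLS and verify that the relay's certificate is
# trusted and matches the relayhost name, so a hijacked connection cannot
# harvest the login.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1

# /etc/postfix/sasl_passwd  (run postmap after editing; mode 0600, root-owned)
[mandrill-relay.example]:587    account-name:API-KEY
```

The Cyrus SASL client plugins have to be installed for the mechanism the relay offers (on Red Hat systems the PLAIN/LOGIN plugin is the cyrus-sasl-plain package). With smtp_tls_loglevel = 1 each delivery logs the TLS version, cipher and whether the certificate was verified, which is what to check first if the relay starts rejecting the login.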





Setting up SPF in Postfix for sending

2013-08-15 Thread Rob Tanner
I've googled around quite a bit and while I can find lots of instruction on 
what I need in order for Postfix to validate incoming mail, I find nothing 
about what I need to do to make sure Postfix does whatever it needs to do to 
make sure the MTA receiving the mail validates it.  And the dearth of 
information in that category also begs the question, is there a special header 
that Postfix needs to include in the message (as in DKIM) or do the receiving 
MTAs, if they're set up to use SPF, just automatically do the DNS lookups?  What 
is it, besides adding the correct DNS TXT records, that I need to do on my 
end?

Thanks,
Rob

how can I tweak the logging?

2013-06-13 Thread Rob Tanner
Hi,

I'm trying to come up with mechanisms to catch compromised accounts sending 
SPAM.  Since spammers don't necessarily have all good addresses, a large number 
of their SPAM messages bounce with 550 errors (mailbox unavailable or doesn't 
even exist).  I would like to monitor my logs and catch that pattern.  The 
problem is that the log entry that includes the 550 error only shows where the 
message was intended to go and not where it came from.  That's found on another 
log entry line.  Is there any way to tweak the logging mechanism so both bits of 
data appear on the same log line?

Thanks.


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!



Re: how can I tweak the logging?

2013-06-13 Thread Rob Tanner
As requested.  I suppose I could grab the queue ID and back track to the sender 
but when the logs get long (which they do, half a million or more lines) these 
scans can take a while and I'm trying to capture this info in real time (more 
or less):

Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: from=rtan...@linfield.edu, size=3993, nrcpt=1 (queue active)
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 767641453B: skipped, still being delivered
Jun 13 15:10:47 neskowin postfix/smtpd[23646]: disconnect from mail.wfo.linfield.edu[10.170.131.75]
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: connect from localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: 7F7AF77C96: client=localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/cleanup[23328]: 7F7AF77C96: message-id=71da23e7-a7fb-4409-962a-a4b31dbbc...@linfield.edu
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 7F7AF77C96: from=rtan...@linfield.edu, size=4190, nrcpt=1 (queue active)
Jun 13 15:10:47 neskowin postfix/smtp[23326]: 6D97E7778E: to=sillyputty...@gmail.com, relay=localhost.linfield.edu[127.0.0.1], delay=0, status=sent (250 OK, sent 51BA4367_13111_1998_1 250 Ok: queued as 7F7AF77C96)
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: disconnect from localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: removed
Jun 13 15:10:47 neskowin postfix/smtp[23198]: 7F7AF77C96: to=sillyputty...@gmail.com, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=0, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 ol10si12569562pbb.214 - gsmtp (in reply to RCPT TO command))

Thanks,
Rob


On Jun 13, 2013, at 2:44 PM, Newton Pasqualini Filho newtonpasqual...@gmail.com wrote:

Can you cut part of your log file and send it to the list?

I am able to detect in a single line when I find NOQUEUE in log.

Regards,
Newton Pasqualini Filho
newtonpasqual...@gmail.com



On 13/06/2013, at 18:34, Rob Tanner rtan...@linfield.edu wrote:

Hi,

I'm trying to come up with mechanisms to catch compromised accounts sending 
SPAM.  Since spammers don't necessarily have all good addresses, a large number 
of their SPAM messages bounce with 550 errors (mailbox unavailable or doesn't 
even exist).  I would like to monitor my logs and catch that pattern.  The 
problem is that the log entry that includes the 550 error only shows where the 
message was intended to go and not where it came from.  That's found on another 
log entry line.  Is there any way to tweak the logging mechanism so both bits of 
data appear on the same log line?

Thanks.


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!
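This thread and the 2014-04-13 question above ("tell me when a message bounces and who sent it") both come down to the same join: Postfix logs the envelope sender on the qmgr `from=` line and the failure on the delivery agent's `status=bounced` line, and the queue ID that Rob mentions is the key both lines share. The following is an added example, not code from the thread, that performs that join on a stream of log lines so it can sit on `tail -F` output instead of re-scanning a half-million-line file. The sample lines are constructed in the shape of the excerpt above; the queue IDs, hosts and addresses in them are placeholders.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample in the shape of the lines quoted above; hosts and addresses
# are placeholders.  The last two lines are deliberately out of order.
SAMPLE_LOG = """\
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: from=<alice@example.edu>, size=3993, nrcpt=1 (queue active)
Jun 13 15:10:47 neskowin postfix/smtp[23326]: 6D97E7778E: to=<ghost1@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to RCPT TO command))
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: removed
Jun 13 15:10:48 neskowin postfix/qmgr[13765]: 7F7AF77C96: from=<bob@example.edu>, size=4190, nrcpt=1 (queue active)
Jun 13 15:10:48 neskowin postfix/smtp[23198]: 7F7AF77C96: to=<carol@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK queued as 1A2B3C)
Jun 13 15:10:49 neskowin postfix/qmgr[13765]: 8A1C2D3E4F: from=<alice@example.edu>, size=3991, nrcpt=2 (queue active)
Jun 13 15:10:49 neskowin postfix/smtp[23326]: 8A1C2D3E4F: to=<ghost2@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun 13 15:10:49 neskowin postfix/smtp[23326]: 8A1C2D3E4F: to=<ghost3@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun 13 15:10:50 neskowin postfix/qmgr[13765]: 9B2D3E4F5A: from=<>, size=6120, nrcpt=1 (queue active)
Jun 13 15:10:50 neskowin postfix/smtp[23198]: 9B2D3E4F5A: to=<alice@example.edu>, relay=mail.example.edu[192.0.2.20]:25, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5F6E7D)
Jun 13 15:10:51 neskowin postfix/smtp[23198]: AB12CD34EF: to=<ghost4@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun 13 15:10:51 neskowin postfix/qmgr[13765]: AB12CD34EF: from=<bob@example.edu>, size=3900, nrcpt=1 (queue active)
"""

# qmgr line carrying the envelope sender; tolerates the <> that real logs put
# around addresses as well as the stripped form in the quoted excerpt.
QMGR_FROM = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<?(?P<sender>[^>,\s]*)>?, size="
)
# Delivery-agent line reporting a permanent failure for one recipient.
BOUNCE = re.compile(
    r"postfix/(?:smtp|lmtp|local|virtual|pipe)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<?(?P<rcpt>[^>,\s]*)>?, .*status=bounced \((?P<reason>.*)\)$"
)
# qmgr line that retires a queue file; its state can be dropped at that point.
REMOVED = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): removed$")
REPLY_CODE = re.compile(r"\b([45]\d\d)\b")


@dataclass
class BounceEvent:
    sender: str
    recipient: str
    queue_id: str
    code: Optional[str]  # remote reply code such as "550", when one was logged
    reason: str


def _code(reason: str) -> Optional[str]:
    m = REPLY_CODE.search(reason)
    return m.group(1) if m else None


def correlate(lines: Iterable[str]) -> Iterator[BounceEvent]:
    """Yield one BounceEvent per bounced recipient with the sender joined in."""
    senders: Dict[str, str] = {}                     # queue ID -> envelope sender
    pending: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for raw in lines:
        line = raw.rstrip("\n")
        m = QMGR_FROM.search(line)
        if m:
            qid, sender = m.group("qid"), m.group("sender")
            senders[qid] = sender
            # syslog may interleave daemons, so a bounce can precede its from= line
            for rcpt, reason in pending.pop(qid, []):
                yield BounceEvent(sender, rcpt, qid, _code(reason), reason)
            continue
        m = BOUNCE.search(line)
        if m:
            qid, rcpt, reason = m.group("qid"), m.group("rcpt"), m.group("reason")
            if qid in senders:
                yield BounceEvent(senders[qid], rcpt, qid, _code(reason), reason)
            else:
                pending[qid].append((rcpt, reason))
            continue
        m = REMOVED.search(line)
        if m:                                        # keep both maps bounded
            senders.pop(m.group("qid"), None)
            pending.pop(m.group("qid"), None)


def senders_over_threshold(lines: Iterable[str], threshold: int) -> Dict[str, int]:
    """Permanent bounces per envelope sender, keeping those at or over threshold.

    An empty sender (from=<>) is one of Postfix's own notifications, never a
    user's outgoing mail, so it is not counted.
    """
    counts: Counter = Counter()
    for ev in correlate(lines):
        if ev.sender:
            counts[ev.sender] += 1
    return {s: n for s, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    import sys
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    for sender, n in sorted(senders_over_threshold(source, 2).items()):
        print(f"{sender}: {n} permanent bounces")
```

Pipe `tail -F /var/log/maillog` into it, or run it directly to see it work on the sample. `senders_over_threshold` is the hook for the blocking step Rob says he already has: its result is the set of accounts to rate-limit or disable. State stays bounded because both maps are dropped on the qmgr `removed` line; if the script starts part-way through a message's life, the `from=` line has already scrolled past and that one bounce is held in `pending` and never attributed, which is the price of not re-reading the file. Bounces of Postfix's own notifications (`from=<>`) are left out of the count so that an inbound spam run against non-existent local users does not show up as an outbound problem.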





Is there a limit on incoming messages on a single connection?

2010-11-12 Thread Rob Tanner
Hi,

Our admissions office sends out mass mailings to prospective students,
anywhere from 5,000 to 25,000 at a time.  They are mail-merged and sent via
outlook to the postfix server, one recipient per message.  The user reports
that outlook sends out 500 messages and then stops.  If he restarts outlook,
it will send out another 500 and then stop again.  If he leaves it
overnight, it might send several more thousand by morning.  When I look in
the mail logs, somewhere around 500 messages, followed by a disconnect.
What I don’t know is whether outlook is disconnecting or whether postfix is
closing the connection.  Is there a limit, configurable or otherwise, to the
number of messages postfix can receive on a single connection?  And at that
point, does postfix close the connection to the client?

Thanks,


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon




Re: Is there a limit on incoming messages on a single connection?

2010-11-12 Thread Rob Tanner
On 11/12/10 10:27 AM, Jeroen Geilman jer...@adaptr.nl wrote:

 On 11/12/2010 07:06 PM, Rob Tanner wrote:
  Is there a limit on incoming messages on a single connection? Hi,
  
 Our admissions office sends out mass mailings to prospective students,
 anywhere from 5,000 to 25,000 at a time.  They are mail-merged and sent via
 outlook to the postfix server, one recipient per message.  The user reports
 that outlook sends out 500 messages and then stops.  If he restarts outlook,
 it will send out another 500 and then stop again.  If he leaves it overnight,
 it might send several more thousand by morning.  When I look in the mail
 logs, somewhere around 500 messages, followed by a disconnect.  What I don’t
 know is whether outlook is disconnecting or whether postfix is closing the
 connection.
 
 Examine the log more carefully.
 If the client disconnects, this is logged as postfix/smtpd[PID]: disconnect
 from hostname[IP].
 
 Unless the client exceeded a configured error limit, postfix will not
 disconnect the client.
 
   Is there a limit, configurable or otherwise, to the number of messages
 postfix can receive on a single connection?  And at that point, does postfix
 close the connection to the client?
  
 
 How do you know it is a single connection ?
 
The connects and disconnects are logged and I don’t see multiple connects
from the client (i.e., I don’t see a connect followed by another connect
without a disconnect in between).  And from your comments above, it’s clear
that the client disconnected from the server and not the other way around
which strongly suggests that this is an outlook/user issue and not at all
related to the server.
 
 If this known-to-be-fairly-braindead MUA sends each message on a new SMTP
 connection, postfix may well exceed the configured error limit and start
 throttling the client.
 
 You need to figure out what is really happening :)
 
 
 Thanks,
  
  
  Rob Tanner
  UNIX Services Manager
 Linfield College, McMinnville Oregon
  
  
 



Problems using STARTTLS off campus

2010-03-16 Thread Rob Tanner
Hi,

This is a weird one.  From on campus (from any 10.0.0.0/8 address), when I
telnet to port 25 of the Postfix server and type in the ehlo start of the
handshake, I expect and get the following response:

ehlo beowulf
250-neskowin.linfield.edu
250-PIPELINING
250-SIZE 1500
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME

But from off-campus, I get this response:

ehlo cheshire
250-neskowin.linfield.edu
250-PIPELINING
250-SIZE 1500
250-VRFY
250-ETRN
250-XXXA
250 8BITMIME

Since I’m doing smtpd_tls_auth_only specifically for off-campus access, this
is rather problematic.  Any idea what’s going on and how I may have
inadvertently configured it that way?

Thanks,
Rob



--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558



Re: Problems using STARTTLS off campus

2010-03-16 Thread Rob Tanner
Yep.  That fixed it.  Thanks.


On 3/16/10 1:00 PM, Brian Evans - Postfix List grkni...@scent-team.com
wrote:

 On 3/16/2010 3:55 PM, Rob Tanner wrote:
 Hi,
 ehlo cheshire
 250-neskowin.linfield.edu
 250-PIPELINING
 250-SIZE 1500
 250-VRFY
 250-ETRN
 250-XXXA
 
 Firewall SMTP fixup that breaks everything.
 Commonly seen in Cisco PIX routers/firewalls.
 Best option is to disable fixup.
 
 250 8BITMIME
 
 Since I’m doing smtpd_tls_auth_only specifically for off-campus
 access, this is rather problematic. Any idea what’s going on and how I
 may have inad
vertently configured it that way?
 



Using DIGEST MD5 SMTP-AUTH on RedHat

2010-02-15 Thread Rob Tanner
Hi,

I have TLS turned on on my server but since that server also accepts
incoming mail from the internet, I can’t require its use and so it is
certainly possible that some of our users using AUTH-SMTP are still
connecting unencrypted.  Currently the only authentication mechanism we are
using is PLAIN and so I want to use CRAM or DIGEST MD5.  All the helps I can
find on the web give instructions on building from source but I’m running a
RedHat Enterprise server and all the libraries are already installed.  The
problem is that I can’t find any instructions on how to configure to use
mechanisms beyond PLAIN and if I specify noplaintext in main.cf, Postfix
just hangs.

Is anybody using any of the secure authentication mechanisms and would you
be willing to share your configuration with me?

Thanks,
Rob



Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon




Re: Problems getting Gmail to use my SMTP server rather than theirs

2010-02-12 Thread Rob Tanner
Found a far superior solution. The problem that the powers that be thought
it would fix, it wouldn't fix anyway.  I finally convinced them of that and
so that's the end of that.

Nevertheless, thanks to all who replied.

-- Rob




On 2/12/10 9:30 AM, Noel Jones njo...@megan.vbhcs.org wrote:

 On 2/12/2010 11:21 AM, Michael Saldivar wrote:
 On Wed, Feb 10, 2010 at 5:54 PM, Rob Tanner rtan...@linfield.edu
 mailto:rtan...@linfield.edu wrote:
 
 TLS is enabled on port 25 of our server and it has a regular Thawte
 certificate behind it.  Tests with Thunderbird using PLAIN
 authentication (SASL method) work perfectly.  From our point of
 view,
 all we really want to protect in any SMTP transaction are the user
 credentials (uid/passwd) and what we are doing is currently
 sufficient.  Google, on the other hand is doing something
 different or
 expecting something different and I have no idea what.  If you are
 successfully using a similar setup with Gmail, could you please pass
 on your wisdom.
 Watch your postfix logs and start debugging when gmail tries to
 authenticate against your server
 
 The problem is the log files are rather large (a quarter million
 lines since the 4 am roll this morning, and there are lots of google
 entries.  In other words I've already spent time just trying to find
 the entries.  Any idea about particular keywords that I might look for?
 
 Thanks,
 Rob
 
 
 
 An easy way to watch is to tail -f the logfile, tell Gmail to send a
 message, and then watch the log scroll past.  You will see the
 authorization attempt and your server's response.
 
 Also, in your Gmail account, check the submission port.  There's a drop
 down list from which you can choose 25, 465, and 587; it defaults to 587.
 
 And another great trick for finding stuff in your logs is to
 tag submission entries with a different syslog_name.
 
 # master.cf
 submission ... smtpd
-o syslog_name=postfix-submission
...
 
 http://www.postfix.org/postconf.5.html#syslog_name
 
 
-- Noel Jones



Problems getting Gmail to use my SMTP server rather than theirs

2010-02-10 Thread Rob Tanner
If you’re familiar with email, you know you can add "Send mail as"
identities and when you setup a second identity, you have the option of
using Gmail’s SMTP server or the SMTP server for the domain to which the
"send as" identity belongs. My problem is I can’t get it to work.  The error
I get is: 

  Authentication failed. Please check your username/password.
 [Server response: Remote server does not support TLS code(500) ]

TLS is enabled on port 25 of our server and it has a regular Thawte
certificate behind it.  Tests with Thunderbird using PLAIN authentication
(SASL method) work perfectly.  From our point of view, all we really want to
protect in any SMTP transaction are the user credentials (uid/passwd) and
what we are doing is currently sufficient.  Google, on the other hand is
doing something different or expecting something different and I have no
idea what.  If you are successfully using a similar setup with Gmail, could
you please pass on your wisdom.

Thanks,
Rob



Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon






Re: Problems getting Gmail to use my SMTP server rather than theirs

2010-02-10 Thread Rob Tanner

On 2/10/10 4:40 PM, Jorge Armando Medina jmed...@e-compugraf.com wrote:

 Rob Tanner wrote:
 If you're familiar with email, you know you can add "Send mail as"
 identities and when you set up a second identity, you have the option
 of using Gmail's SMTP server or the SMTP server for the domain to
 which the "send as" identity belongs. My problem is I can't get it to
 work.  The error I get is:
 
   Authentication failed. Please check your username/password.
  [Server response: Remote server does not support TLS code(500) ]
 TLS is enabled on port 25 of our server and it has a regular Thawte
 certificate behind it.  Tests with Thunderbird using PLAIN
 authentication (SASL method) work perfectly.  From our point of view,
 all we really want to protect in any SMTP transaction are the user
 credentials (uid/passwd) and what we are doing is currently
 sufficient.  Google, on the other hand is doing something different or
 expecting something different and I have no idea what.  If you are
 successfully using a similar setup with Gmail, could you please pass
 on your wisdom.
 Watch your postfix logs and start debugging when gmail tries to
 authenticate against your server

The problem is the log files are rather large (a quarter million lines since
the 4 am roll this morning, and there are lots of google entries.  In other
words I've already spent time just trying to find the entries.  Any idea
about particular keywords that I might look for?
.
 
 Thanks,
 Rob
 
 
 
 Rob Tanner
 UNIX Services Manager
 Linfield College, McMinnville Oregon
 
 
 
 



How do I deliver to a program using a wild card

2009-07-16 Thread Rob Tanner
Hi,

I get email forwarded to me from a FAX server that I need to process and
then forward to a different server.  The "to" email address is always in the
form of FAXnumber@send.fax.  The FAX number could be the phone number for
any FAX machine in the country and only the "@send.fax" is a constant.
Right now, I've set up an alias that looks like "*.send.fax
"/opt/local/adm/aliasFilters/FAX.filter faxfilter" which seems like it
should work.   When I point alias_maps to that file, and include the
send.fax domain in mydestination, the message bounces because it doesn't
recognize the user (which is simply one of infinitely many possible phone
numbers).  When I move the send.fax domain to relay_domains and point
virtual_alias_maps to the alias file, Postfix happily forwards the message on
to the regular mail server, substituting the file path for the "to" address.
In no case does the message ever get delivered to the program.

Can someone please tell me what I need to do to get this to work right?  I'm
running this in a separate instance of Postfix, so no matter what I do, I
won't screw up the main mail system.

Thanks.



Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558





Re: A question about the instance attribute in policy delegation

2009-06-26 Thread Rob Tanner
On 6/25/09 10:16 PM, Victor Duchovni victor.ducho...@morganstanley.com
wrote:

 On Thu, Jun 25, 2009 at 10:36:09PM -0400, Sahil Tandon wrote:
 
 IIRC, the instance attribute identifies a mail transaction and is assigned
 before the queue-id.
 
 My bad reading of src/smtpd/smtpd_check.c, then.  But does that mean an
 instance can exist *before* the first recipient is accepted?  For context:
 http://www.irbs.net/internet/postfix/0412/0896.html
 
 Yes. An instance (transaction) id is assigned at MAIL FROM: time,
 provided the MAIL command is not rejected.

Problem is that none of that actually answers my original question about why
I'm receiving some requests with no instance attribute.  Here's the
pertinent bit from main.cf:

smtpd_helo_restrictions =
smtpd_client_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:9250
hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
check_client_access hash:/etc/postfix/client_checks

I never found it useful to separate smtpd restrictions (which may be wrong).
Since I am just listening and not yet actually implementing policies, I had
the check service first so that every message generates a request.  In
actual production, the policy checks will follow after the rejects.  So the
question remains, how do I interpret those requests that lack the instance
attribute?

Thanks.

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558






Policy delegation client request question

2009-06-04 Thread Rob Tanner
Hi,

I've got the front-end of a policy engine in place and connected to postfix
on a test server.  All it's really doing is logging what postfix sends and
returning an "OK".  What I notice is that when I've sent emails through that
server with multiple recipients, rather than getting multiple recipient
attributes, I get multiple delegation requests.  Is that always the case and
therefore no delegation request has multiple instances of the same
attribute, or is it that I haven't sent the right test message to see the
multiples in a single request?

Thanks,
Rob



--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558



What happens when the policy server crashes

2009-06-03 Thread Rob Tanner
Hi,

We have some email policies that we want to implement and it looks like a
policy server is the perfect tool.  We have two edge servers on which we
want to implement the policies.  My thought is to build a threaded server in
Java and run it actually on the machine that the databases it will consult
are already running.  My question is what happens if for any reason the
policy server hangs, crashes, etc, and stops accepting connections.  Does
Postfix also hang and stop processing mail or does Postfix simply timeout
and is the timeout length a settable parameter in main.cf?

Thanks,
Rob



--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558



Need to make sure content filter sees messages before aliases are evaluated

2009-05-26 Thread Rob Tanner
HI,

I use Sophos PureMessage for anti-SPAM/anti-Virus and I'm having an issue
that I think may be related to when an alias with multiple addresses gets
exploded (i.e., before or after the message is run through the content
filter).  PureMessage marks all SPAM but it does not quarantine messages
coming from inside our address space, in this case 10.0/8.  In some cases,
aliases are actually feeds to a program that calculates the recipient list
and then feeds it back into the server and in other cases they are simply
LDAP based exploders.  My concern is to make sure that when a message first
hits the server it's piped directly to the content filter and only after the
filter feeds it back into the server are aliases evaluated.  Is that always
the default case or do I need to do something, possibly in master.cf, to ensure
it?

Thanks,
Rob


--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558



Question about how Postfix sends the EHLO/HELO

2009-03-04 Thread Rob Tanner
Hi,

We are having problems sending email to a particular site on the internet
that uses SpamAssassin to filter for spam.  They send me back the headers on
a particular message and here is the spam portion:


 X-Spam-Flag:  YES 
 X-Spam-Checker-Version:  SpamAssassin 3.2.0 (2007-05-01) on
microthunder.com  
 X-Spam-Level:  
 X-Spam-Status:  Yes, score=4.4 required=4.0 tests=HTML_MESSAGE,
MIME_QP_LONG_LINE,RCVD_NUMERIC_HELO autolearn=no version=3.2.0
 X-Spam-Report:  * 2.6 RCVD_NUMERIC_HELO Received: contains an IP address
used for HELO * 0.0 HTML_MESSAGE BODY: HTML included in message * 1.8
MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars


What I don't get is the first test in the X-Spam-Report header which
received a 2.6.  Does postfix strictly send the IP address on the HELO/EHLO?
If so, what parameter do I need to set to $myhostname?  Or, am I entirely
misunderstanding what that test tests for?

Thanks.

--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558




Re: Question about how Postfix sends the EHLO/HELO

2009-03-04 Thread Rob Tanner
Thanks for your feedback.  I do have $myhostname defined and you've
confirmed what I thought.  It's their issue and they need to fix it.

Again, thanks.

-- Rob


On 3/4/09 12:19 PM, LuKreme krem...@kreme.com wrote:

 On 4-Mar-2009, at 12:33, Rob Tanner wrote:
 X-Spam-Flag:  YES
 X-Spam-Checker-Version:  SpamAssassin 3.2.0 (2007-05-01) on
 microthunder.com
 
 They really *really* need to update their two-year old SA install.
 
 X-Spam-Level:  
 X-Spam-Status:  Yes, score=4.4 required=4.0
 
 They really *REALLY* need to understand the consequences of lowering
 the threshold, as this is nearly always a very very bad idea.  SA does
 not think your message is spamish, their mailadmin does.
 
 RCVD_NUMERIC_HELO
 
 Well, that one is possibly your fault, and you should certainly fix it
 if it is.
 
 What I don't get is the first test in the X-Spam-Report header which
 received a 2.6.  Does postfix strictly send the IP address on the
 HELO/EHLO?
 
 Only if it has no choice.
 
 If so, what parameter to I need to set to $myhostname?  Or, am I
 entirely
 misunderstanding what that test tests for?
 
 # INTERNET HOST AND DOMAIN NAMES
 #
 # The myhostname parameter specifies the internet hostname of this
 # mail system. The default is to use the fully-qualified domain name
 # from gethostname(). $myhostname is used as a default value for many
 # other configuration parameters.
 #
 #myhostname = host.domain.tld
 #myhostname = virtual.domain.tld
 
 However, your headers to the list look perfectly fine.  My suspicion,
 irrational without the full headers you sent them and the full message
 they sent back, is that they screwed something up on their end with
 the RCVD_NUMERIC_HELO test and that some eager-beaver sysadmin
 changed something they didn't understand to get better results. I
 base this on the evidence that some eager-beaver sysadmin lowered
 the threshold to 4.0 without understanding the consequences to get
 better results.
 
 Feel free to forward my comments along to David Sosnowski @
 microthunder@gmail.com
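As a check on LuKreme's point, here is an added example (not code from the thread, from Postfix or from SpamAssassin) that pulls the HELO name out of Postfix-style Received: headers and reports which hops used a bare IP address, which is the condition RCVD_NUMERIC_HELO scores. Postfix itself announces $smtp_helo_name on outbound connections, and that parameter defaults to $myhostname, so an unchanged Postfix does not send a numeric HELO; the message, hostnames and addresses below are constructed, and treating an RFC 5321 address literal such as [10.1.2.3] as numeric is an assumption.

```python
"""Find Received: hops whose HELO name is an IP address, the condition behind
SpamAssassin's RCVD_NUMERIC_HELO.  Added example, not code from the thread or
from SpamAssassin.  Postfix writes "from <helo> (<client-name> [<client-ip>])",
so the token after "from" is what the connecting host said in HELO/EHLO; Postfix
itself sends $smtp_helo_name, which defaults to $myhostname.
"""
import ipaddress
import re
from email import message_from_string

# Postfix-style trace clause: from HELO (reverse-name [address])
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\((?P<name>[^\s\[\]()]+)\s+\[(?P<addr>[^\]]+)\]\)", re.I)


def helo_from_received(header_value):
    """Return the HELO name recorded in one Received: value, or None if it has no
    Postfix-style trace clause (for example a local submission)."""
    unfolded = " ".join(header_value.split())      # join folded continuation lines
    match = RECEIVED_RE.search(unfolded)
    return match.group("helo") if match else None


def is_numeric_helo(helo):
    """True for a bare IP address or an address literal such as [10.1.2.3] or
    [IPv6:2001:db8::1].  Address literals are legal in SMTP; counting them is an
    assumption (many filters still score them)."""
    candidate = helo.strip("[]")
    if candidate.lower().startswith("ipv6:"):
        candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return True


def numeric_helo_hops(raw_message):
    """Return the HELO names of every Received: hop that would trip
    RCVD_NUMERIC_HELO, most recent hop first."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Received", []):
        helo = helo_from_received(value)
        if helo is not None and is_numeric_helo(helo):
            hits.append(helo)
    return hits


# Constructed message: the outer hop used a numeric HELO, the inner hop (the
# linfield.edu relay) used its hostname, as Postfix does by default.
SAMPLE_MESSAGE = """\
Received: from 10.200.3.7 (unknown [203.0.113.45])
\tby microthunder.example (Postfix) with ESMTP id 1A2B3C
\tfor <user@microthunder.example>; Wed,  4 Mar 2009 12:33:00 -0800
Received: from neskowin.linfield.edu (neskowin.linfield.edu [198.51.100.5])
\tby relay.example (Postfix) with ESMTP id 9F8E7D
\tfor <user@microthunder.example>; Wed,  4 Mar 2009 12:32:40 -0800
From: someone@linfield.edu
Subject: test

body
"""

if __name__ == "__main__":
    print(numeric_helo_hops(SAMPLE_MESSAGE))
```

Run it over the full headers the remote site returned: if the only numeric HELO is on a hop that is not yours, the score is their problem, as the thread concludes; if it is on your hop, `postconf smtp_helo_name myhostname` on the sending server shows what Postfix is announcing.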
 
 



Problem forwarding to a program

2008-12-18 Thread Rob Tanner
I set up a separate instance of Postfix  on one of my mail servers so 
that I can deal with a special instance of a FAX server without messing 
up production mail.  The email messages it handles are always addressed 
to FAX number@send.fax and the messages are to be delivered to a 
program that swaps from and reply-to headers and then directly forwards 
the mail to the FAX server which, in turn, sends it to the FAX machine 
identified in the local part of the email address.  The problem is that 
Postfix is trying to send the message directly instead of delivering it 
to a program.  This is what is contained in the aliases file:


@send.fax   |/opt/local/adm/aliasfilters/FAX.filter faxfilter

The alias is domain only because there are millions of possible FAX 
machines in the world.  Postfix recognizes the @send.fax pattern at 
least for accepting the message in the first place (no error about 
unknown local recipient), but I'm wondering if the way the alias is 
declared is the reason the message is not being delivered to the program.


Thanks,

Rob Tanner
Linfield College
McMinnville, Oregon



Re: Problem forwarding to a program

2008-12-18 Thread Rob Tanner

On 12/18/08 5:34 PM, Wietse Venema wrote:

Rob Tanner:
  
I set up a separate instance of Postfix  on one of my mail servers so 
that I can deal with a special instance of a FAX server without messing 
up production mail.  The email messages it handles are always addressed 
to FAX number@send.fax and the messages are to be delivered to a 
program that swaps from and reply-to headers and then directly forwards 
the mail to the FAX server which, in turn, sends it to the FAX machine 
identified in the local part of the email address.  The problem is that 
Postfix is trying to send the message directly instead of delivering it 
to a program.  This is what is contained in the aliases file:


@send.fax   |/opt/local/adm/aliasfilters/FAX.filter faxfilter



Which aliases file?

The local aliases(5) file is not indexed by domain.

The virtual alias maps does not execute commands.

Wietse

  
The alias is domain only because there are millions of possible FAX 
machines in the world.  Postfix recognizes the @send.fax pattern at 
least for accepting the message in the first place (no error about 
unknown local recipient), but I'm wondering if the way the alias is 
declared is the reason the message is not being delivered to the program.


Thanks,

Rob Tanner
Linfield College
McMinnville, Oregon




  
The local aliases file and I was afraid of that.  Since the only thing 
going through this Postfix instance is the FAX stuff which needs to be 
delivered to the program, is there some way to force all delivery to the 
program unconditionally?


-- Rob
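Wietse's two answers (the local aliases(5) table is not indexed by domain, and virtual_alias_maps never runs commands) leave the standard route for "deliver everything in this domain to a program": a dedicated pipe(8) transport in master.cf, selected through transport_maps. The configuration below is an added example, not the configuration from this thread or from the FAX server vendor; the "faxuser" account, the table paths and the 7 to 15 digit range are assumptions. Because the local part arrives from whoever connects, it is also validated at RCPT time so the filter and the FAX server never see an attacker-chosen string.

```text
# master.cf: a pipe(8) delivery agent that runs the filter for every recipient
# in send.fax.  "faxuser" is an assumed unprivileged account; pipe(8) will not
# run commands as root.  Add ${recipient} to argv if the filter needs the FAX
# number on its command line; flags=q quotes whitespace in that expansion and
# flags=R prepends a Return-Path: header.
fax       unix  -       n       n       -       -       pipe
  flags=Rq user=faxuser argv=/opt/local/adm/aliasfilters/FAX.filter faxfilter

# main.cf for the dedicated instance: accept send.fax as a relay domain (it must
# NOT be in mydestination, or local(8) and its aliases take over), route it to
# the transport above, and reject non-numeric FAX addresses at RCPT time.
relay_domains  = send.fax
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions =
    check_recipient_access regexp:/etc/postfix/fax_recipients,
    reject_unauth_destination

# /etc/postfix/transport   (then run: postmap /etc/postfix/transport)
send.fax        fax:

# /etc/postfix/fax_recipients (regexp table, no postmap needed).  DUNNO stops
# further lookups and lets reject_unauth_destination accept the relay domain.
/^[0-9]{7,15}@send\.fax$/   DUNNO
/@send\.fax$/               REJECT FAX address must be a phone number
```

Since this instance carries nothing but FAX traffic, `default_transport = fax:` would do the same job as the transport table; the table form is shown because it keeps working if a second domain is ever added to the instance.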




Denying specific senders from sending to self

2008-11-10 Thread Rob Tanner

Hi,

Most of our group mailing lists (which are defined via an LDAP entry 
directly accessed by Postfix) are restricted so that you must have or be 
spoofing a local email address -- checked via check_sender_access and 
rejecting anything not from our own domain.  Each list entry in LDAP for 
which this restriction applies contains an attribute that defines the 
restriction class which contains a check_sender_access parameter that 
points to a hash that has just one item, our domain name.  And it works 
well and cuts down on SPAM and UCE, rejecting the email before it ever 
hits the content filter.


Now we are having a problem with SPAM being sent to the lists and 
claiming it comes from the list (the From address is the list address).  
People get offended and they get angry and they reply to the email which 
means it goes to the list and you can see what the intention is.  I 
would like to be able to use the same mechanism of an attribute in the 
LDAP entry for each group email list that we want to restrict from 
mailing to itself.  Basically, I want to create a restriction class that
only rejects the email when the to and from addresses are the same.
I've gotten nowhere so far.  Can anyone offer me a few pointers.


Thanks,

Rob Tanner
Linfield College



Re: Denying specific senders from sending to self

2008-11-10 Thread Rob Tanner

On 11/10/08 12:32 PM, Noel Jones wrote:

Rob Tanner wrote:

Hi,

Most of our group mailing lists (which are defined via an LDAP entry 
directly accessed by Postfix) are restricted so that you must have or 
be spoofing a local email address -- checked via check_sender_access 
and rejecting anything not from our own domain.  Each list entry in 
LDAP for which this restriction applies contains an attribute that 
defines the restriction class which contains a check_sender_access 
parameter that points to a hash that has just one item, our domain 
name.  And it works well and cuts down on SPAM and UCE, rejecting the 
email before it ever hits the content filter.


Now we are having a problem with SPAM being sent to the lists and 
claiming it comes from the list (the From address is the list 
address).  People get offended and they get angry and they reply to 
the email which means it goes to the list and you can see what the 
intention is.  I would like to be able to use the same mechanism of 
an attribute in the LDAP entry for each group email list that we want 
to restrict from mailing to itself.  Basically, I want to create a 
restriction class that only rejects the email when the to and from 
addresses are the same.  I've gotten nowhere so far.  Can anyone 
offer me a few pointers.


Thanks,

Rob Tanner
Linfield College



To do this with postfix restriction classes you would need a separate 
restriction class for each list.  This will quickly get cumbersome if 
you have more than a couple lists.


For a more scalable solution, you need an external policy server.  
Looks as if postfwd should be able to do this if you tell it the lists 
you want to protect.

http://www.postfix.org/addon.html#policy



Noel,

I haven't played with policy servers yet and it looks very interesting.  
I also went to the Postfix README on access policy delegation and it 
looks very easy to roll your own.  I would rather keep the information 
on which lists to protect in the LDAP entry for that list rather than 
writing numerous rules and making sure they are consistent across both 
edge servers, I'm very tempted to roll my own.  Is it possible to use 
check_policy_service command inside a restriction class rather than 
check_sender_access.  That way Postfix would only access the policy 
server when the destination is one of the lists I wish to protect.


Thanks,
Rob
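Putting together the protocol questions from the three policy-delegation threads above (the missing instance attribute, one request per recipient, what happens when the server dies) and Noel's pointer in this thread, here is a minimal policy server in Python. It is an added example, not code from the thread, from Postfix or from postfwd: the list addresses, the port and the main.cf parameter names are assumptions, and the sample request is constructed. It shows the protocol as Postfix speaks it: one request per RCPT TO, so `recipient` always carries exactly one address and a multi-recipient message produces several requests; a request without an `instance` attribute is not attached to an accepted mail transaction and simply gets DUNNO; and `check_policy_service` may appear anywhere a restriction may, including inside a restriction class, so the server is only consulted for recipients that are protected lists.

```python
"""Minimal Postfix SMTPD access-policy server, as an added example (not code from
this thread or from Postfix).  Postfix sends one request per RCPT TO command as
"name=value" lines terminated by an empty line, and expects "action=<restriction>"
followed by an empty line.  Several requests may arrive on one connection.

Assumed main.cf wiring (hypothetical names), so that the policy service is asked
only for recipients that are protected lists:

    smtpd_restriction_classes = no_self_post
    no_self_post = check_policy_service inet:127.0.0.1:9250
    smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/protected_lists,
        ...

    # /etc/postfix/protected_lists (then: postmap /etc/postfix/protected_lists)
    staff@linfield.edu      no_self_post
"""
import socketserver

# Constructed sample of protected list addresses; the real set would come from LDAP.
PROTECTED_LISTS = {"staff@linfield.edu", "faculty@linfield.edu"}


def parse_request(raw):
    """Turn one request ("name=value" lines up to the first empty line) into a dict."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")   # values may themselves contain "="
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the Postfix action for one parsed request."""
    # A request without "instance" is not tied to an accepted mail transaction
    # (the id is assigned at MAIL FROM), so there is nothing to decide here:
    # DUNNO lets the remaining restrictions run.
    if "instance" not in attrs or attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()   # exactly one address per request
    if recipient in PROTECTED_LISTS and sender == recipient:
        return "REJECT Lists may not post to themselves"
    return "DUNNO"


def handle_request(raw):
    """Full round trip for one request: returns the reply exactly as sent to Postfix."""
    return "action=%s\n\n" % decide(parse_request(raw))


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        buf = ""
        while True:
            line = self.rfile.readline().decode("utf-8", "replace")
            if not line:                 # Postfix closed the connection
                return
            buf += line
            if line == "\n":             # end of one request
                self.wfile.write(handle_request(buf).encode("utf-8"))
                self.wfile.flush()
                buf = ""


# Constructed request, shaped like the ones Postfix sends (all values made up).
SAMPLE_SELF_POST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "helo_name=mail.example.net\nqueue_id=\ninstance=4c1a.4b2f3d1e.e8a0c\n"
    "sender=staff@linfield.edu\nrecipient=staff@linfield.edu\nrecipient_count=0\n"
    "client_address=192.0.2.10\nclient_name=unknown\n\n"
)

if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 9250), PolicyHandler) as srv:
        srv.serve_forever()
```

Two caveats a practitioner would want. First, on the crash question: Postfix does not hang when the policy server is gone; smtpd(8) gives up after `smtpd_policy_service_timeout` (100s by default), logs a warning and answers that RCPT TO with a temporary 4xx error, so the sending side retries later rather than losing mail. Second, the `sender` attribute is the envelope sender, not the `From:` header; spam whose `From:` names the list but whose envelope sender is elsewhere will not be caught by this check, and the header is the domain of header_checks or the content filter, not of a policy server.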





Re: Getting error: queue file size limit exceeded

2008-08-28 Thread Rob Tanner



On 8/28/08 11:25 AM, Wietse Venema wrote:

Rob Tanner:
  

Hi,

We have a printer IP segment/VLAN which is only printers and these 
printers are also scanners, and they email the scan back to the user.  
Since the scan outputs frequently exceed the configured 
message_size_limit of 7.5MB, in master.cf I configured a non-standard 
port (2526) that is restricted to the printer segment and sets the 
message_size_limit back to the default of 1024. 



So, this changes the size limit as reported by the Postfix SMTP
server. As of a few releases ago, the SMTP server will also enforce
the size limit, to avoid wasting resources sending too large mail
to a before-queue content filter.

  
Now, when I send an oversize message (6.2MB, not even that large), I no 
longer get the message telling me that I have exceeded the 7.5MB message 
size limit (6.2MB, when BASE64 encoded will more than exceed the 
message_size_limit being bypassed), but instead, I am getting the 
message from cleanup: queue file size limit exceeded. 



Indeed. The cleanup server implements the message size limit.  In
early Postfix days, this was the only place where the message size
limit was enforced.

  

Aug 28 08:45:04 neskowin postfix/cleanup[14971]: warning: E6F3B580F3: queue 
file size limit exceeded

I did a bit of googling, and all I found was to check the amount of free 
space left in the queue and whether the message size exceeds 
queue_minfree.



The message says that the queue file exceeds the size limit.

The message has nothing to do with free disk space.

Wietse
  


Thanks.  I defined an alternate cleanup_service_name and set the larger 
message_size_limit and by golly gosh, it all works now.


-- Rob
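Rob's closing line names the fix without showing it. The master.cf pair below is an added example of what "an alternate cleanup_service_name with a larger message_size_limit" looks like; it is not the configuration from this thread, and the 50 MB figure and the printer_client_restrictions parameter name are assumptions. Note that message_size_limit is in bytes, so a literal "1024" is one kilobyte, not the Postfix default.

```text
# master.cf (added example, not the thread's configuration).  The 2526 listener
# names its own cleanup(8) service so the larger limit is applied where
# "queue file size limit exceeded" is raised; port 25 keeps using the default
# cleanup service and the site-wide limit from main.cf.  Values are in bytes:
# 52428800 is 50 MB (an assumed figure).
2526        inet  n       -       n       -       -       smtpd
  -o cleanup_service_name=pre-cleanup
  -o message_size_limit=52428800
  -o smtpd_client_restrictions=$printer_client_restrictions
pre-cleanup unix  n       -       n       -       0       cleanup
  -o message_size_limit=52428800

# main.cf: the restriction list lives here because a master.cf "-o" value may not
# contain whitespace before Postfix 3.0 (hypothetical parameter name).  The
# trailing "reject" keeps clients outside the OK networks from falling through.
printer_client_restrictions =
    check_client_access hash:/etc/postfix/printer_access,
    reject
```

After editing, `postfix reload` and then `postconf -M 2526/inet` (Postfix 2.9 and later) or a look at `postconf -n` will confirm that the overrides were parsed as intended.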


Having problems with smtpd_client_restrictions=check_client_access

2008-08-27 Thread Rob Tanner

Hi,

I have set up a second port for postfix to listen on specifically to 
bypass the message_size_limit parameter.  Basically, we have a couple of 
IP segments that have printer scanners and the scanners email the scan 
to the user and so I also want to restrict access to the port so that 
only devices in the specific IP segments can use it.


This is the configuration for the additional port in the master.cf file:

2526  inet  n   -   n   -   - smtpd
   -o cleanup_service_name=pre-cleanup
   -o message_size_limit=1024
   -o smtpd_client_restrictions=check_client_access 
hash:/etc/postfix/printer_access



The contents of printer_access is:

10.169    OK
10.219    OK
10        REJECT

I don't think it should matter where the REJECT line is, but I have 
tried both in the first and the last position.  When I try to telnet to 
port 2526 from a machine with a 10.219/16 address, the connection comes 
up momentarily (i.e., I get the telnet connected response) and that's 
followed immediately by Connection closed by foreign host.  In the 
maillog, I see the connect and disconnect log entries and nothing else.  
If I comment out the smtpd_client_restrictions line in master.cf, it 
connects just fine.


Any ideas about what I'm doing wrong?

Thanks,

Rob Tanner
Linfield College
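Two things are worth checking here. The `-o smtpd_client_restrictions=check_client_access hash:/etc/postfix/printer_access` line contains whitespace, and in the Postfix 2.x versions of this thread a master.cf `-o` value may not; the documented workaround is to define the list as a parameter in main.cf and write `-o smtpd_client_restrictions=$that_parameter` (Postfix 3.0 and later also accept the `-o { name = value }` form). Given an immediate disconnect with nothing logged beyond connect/disconnect, that is the first thing to look at. The second is the table itself: the lookup order is fixed by Postfix, not by line order. The Python below is an added example (not code from the thread or from Postfix) that models the access(5) lookup order for check_client_access, with a constructed copy of the printer_access table; it models IPv4 prefixes only, and skipping hostname lookups for unresolved ("unknown") clients is an assumption.

```python
"""How check_client_access searches an access(5) table, as an added example
(not code from the thread).  Postfix looks the client up under its hostname and
parent domains, then under its IP address and progressively shorter prefixes
(10.219.4.7, 10.219.4, 10.219, 10); the first key present wins, so the order
of lines in the file does not matter.  Only IPv4 prefixes are modelled here.
"""
import ipaddress

# Constructed copy of the printer_access table from the thread, with the
# whitespace between key and action that the archive swallowed.
PRINTER_ACCESS_TEXT = """\
10.169    OK
10.219    OK
10        REJECT
"""


def parse_access_table(text):
    """Read an access(5) source file into {key: action}; keys are case-insensitive."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table


def client_address_keys(addr):
    """Keys tried for an IPv4 client address, most specific first."""
    if ipaddress.ip_address(addr).version != 4:
        raise ValueError("IPv4 only in this example: %s" % addr)
    octets = addr.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def client_hostname_keys(name):
    """Keys tried for a client hostname: the name itself, then each parent domain
    (the default parent_domain_matches_subdomains behaviour for smtpd access maps)."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def check_client_access(table, client_address, client_name="unknown"):
    """Emulate check_client_access.  Returns the action of the first matching key,
    or None when nothing matches; in Postfix "no match" is no decision, and the
    next restriction in the list is evaluated (a permit, if the list ends there)."""
    keys = []
    if client_name != "unknown":      # assumption: no hostname lookups for unresolved clients
        keys += client_hostname_keys(client_name)
    keys += client_address_keys(client_address)
    for key in keys:
        if key in table:
            return table[key]
    return None


def port_2526_decision(client_address, client_name="unknown"):
    """The printer port with the thread's table followed by a trailing "reject",
    so that clients outside the OK networks are refused instead of falling through."""
    action = check_client_access(parse_access_table(PRINTER_ACCESS_TEXT),
                                 client_address, client_name)
    return action if action is not None else "REJECT"


if __name__ == "__main__":
    for addr in ("10.219.4.7", "10.5.5.5", "192.0.2.9"):
        print(addr, client_address_keys(addr), port_2526_decision(addr))
```

The security point the model makes visible: `10 REJECT` only refuses other 10/8 addresses. A client at 192.0.2.9 matches nothing, so check_client_access returns no decision and the restriction list ends in a permit; the table therefore needs a trailing `reject` (or `permit_mynetworks` plus `reject`) after the check_client_access entry if the port is really meant to be printer-only. Remember to run `postmap /etc/postfix/printer_access` after editing the source file, since hash: tables are read from the .db file.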



Re: Getting a mailing loop on mailman delivery host

2008-08-12 Thread Rob Tanner
Problem partially solved.  The transport map was * 
smtp:smtp.linfield.edu and so everything was immediately relayed to 
that server and it, in turn,sent it right back.  If I remove the 
transport entry in main.cf, the mail gets delivered to mailman but when 
mailman responds, postfix doesn't seem to know where to send it (the 
next hop has to be smtp.linfield.edu).


What does the transport table need to look like to make this all happen 
as it should?


Thanks,
Rob


On 8/12/08 10:10 AM, Rob Tanner wrote:

Hi,

I am hosting the mailman mailing list manager on a machine named 
socrates.linfield.edu.  Any mail addressed to any 
name@mailman.linfield.edu is forwarded to this box by the two edge 
servers.  But, instead of accepting the mail, postfix is forwarding it 
off to my primary internal smtp server which, in turn, sends it right 
back.

Here are what I think are the pertinent parameters:

myhostname = socrates.linfield.edu
mydomain = linfield.edu
mydestination = $myhostname, localhost.$mydomain, mailman.$mydomain
alias_maps = hash:/etc/postfix/aliases,hash:/etc/mailman/aliases

Is there some other parameter or parameters that I need to set?

Thanks,

Rob Tanner
Linfield College


Re: Getting a mailing loop on mailman delivery host

2008-08-12 Thread Rob Tanner



On 8/12/08 2:50 PM, Noel Jones wrote:

Rob Tanner wrote:
Problem partially solved.  The transport map was * 
smtp:smtp.linfield.edu and so everything was immediately relayed to 
that server and it, in turn, sent it right back.  If I remove the 
transport entry in main.cf, the mail gets delivered to mailman but 
when mailman responds, postfix doesn't seem to know where to send it 
(the next hop has to be smtp.linfield.edu).


What does the transport table need to look like to make this all 
happen as it should?


Thanks,
Rob


On 8/12/08 10:10 AM, Rob Tanner wrote:

Hi,

I am hosting the mailman mailing list manager on a machine named 
socrates.linfield.edu.  Any mail addressed to any 
name@mailman.linfield.edu is forwarded to this box by the two edge 
servers.  But, instead of accepting the mail, postfix is forwarding 
it off to my primary internal smtp server which, in turn, sends it 
right back.

Here are what I think are the pertinent parameters:

myhostname = socrates.linfield.edu
mydomain = linfield.edu
mydestination = $myhostname, localhost.$mydomain, mailman.$mydomain
alias_maps = hash:/etc/postfix/aliases,hash:/etc/mailman/aliases

Is there some other parameter or parameters that I need to set?

Thanks,

Rob Tanner
Linfield College



Please don't top post.

I don't feel as if I fully understand your problem, but maybe a 
transport_maps like this will help:

mailman.linfield.edu    :
*                       smtp:smtp.linfield.edu

If that doesn't help, please see:
http://www.postfix.org/documentation.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/transport.5.html

and particularly:
http://www.postfix.org/DEBUG_README.html#mail




Noel,

Thanks.  That fixed the transport.  Messages now get delivered to 
mailman and mailman messages get properly forwarded on to the next hop.


-- Rob


What does auxpropfunc error no mechanism available mean

2008-08-07 Thread Rob Tanner

Hi,

I have 2 edge servers in my mail setup.  Both are running Postfix 2.2.  
Both are configured to use a content filter that feeds back into Postfix 
which then forwards the mail to the delivery host (Exchange -- yuck).  
Both servers also make heavy use of LDAP and SASLAUTHD (LDAP again) for 
authentication.   One of the two servers is repeatedly logging the 
following every couple of minutes:


Aug  7 08:40:35 neskowin postfix/smtpd[29650]: auxpropfunc error no 
mechanism available

Aug  7 08:40:47 neskowin postfix/smtpd[29660]: sql_select option missing


What is this and is it something that I need to worry about?

Thanks,

Rob Tanner
Linfield College