Re: Postfix install error
On Tue, Feb 03, 2009 at 11:27:44AM -0800, Nandini Mocherla wrote:

> Hi I was installing Postfix postfix-2.5.5 on Solaris. At the time of compiling the Source with make I have defined the parameters (for changing the default values of the following from /etc/ to /opt etc.)
>
> -DDEF_COMMAND_DIR= -DDEF_SAMPLE_DIR= -DDEF_SENDMAIL_PATH= -DDEF_CONFIG_DIR= -DDEF_DAEMON_DIR= -DDEF_DATA_DIR= -DDEF_QUEUE_DIR -DDEF_MAILQ_PATH= -DDEF_MANPAGE_DIR= -DDEF_NEWALIAS_PATH=
>
> When I run make install, it asked a load of questions again about where I want the stuff located. One of the things it asks about is config files, which defaults to /etc/postfix and I change it to /opt/postfix/etc

Sorry, you must compile-in the desired location of the default configuration directory. This cannot be set via main.cf, catch-22.

-- Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below:

mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: Postfix install error
On Tue, Feb 03, 2009 at 12:23:48PM -0800, Nandini Mocherla wrote:

> I have compiled it with the desired locations for all the parameters mentioned in my email. Then with make install it prompted me for the locations again and I have answered them changing the default ones. Then it copied/updated all the required files to the specified locations, but later it is still looking for /etc/postfix.

Yes, of course, because your overrides are stored in main.cf, and main.cf is in the compiled-in location. The correct main.cf location MUST be compiled-in. DO NOT override it when installing the primary Postfix instance on a system.

-- Viktor.
Re: SMTP sessions
On Tue, Feb 03, 2009 at 09:10:50PM +0100, Rocco Scappatura wrote:

> I fear that the problem is that for each session I can have an unsettled number of messages sent over that session (It could be happen? If yes, It could be depend on MTA settings?) other than an unsettled size of SMTP traffic (which it determines the latency of messages and it could make congestion of postfix active queue more or less heavy). Could someone give me some hint about this issue?

I have no idea what this issue is, and I doubt anyone else does either. Unless you can present concrete information, rather than vague guesses, it is unlikely that you will get much help.

Postfix is an I/O bandwidth limited MTA, running within fixed concurrency limits. When you add content filters, the filters may become CPU-limited.

    Throughput = Concurrency / Latency.

If you are seeing low throughput, but the system has enough resources to provide more throughput, your concurrency may be too low, or your delivery agents are all tied up timing out deliveries to dead destinations (abnormally high latency).

If you have run out of CPU, I/O or network bandwidth, add more hardware, or reduce demand for that resource.

Sadly, you have to find the reason you are experiencing congestion, and quantify this with relevant measurements.

-- Viktor.
Re: Postfix install error
On Tue, Feb 03, 2009 at 01:49:40PM -0800, Nandini Mocherla wrote:

> > Yes, of course, because your overrides are stored in main.cf, and main.cf is in the compiled-in location. The correct main.cf location MUST be compiled-in. DO NOT override it when installing the primary Postfix instance on a system.
>
> How can I specify that. Is it with -DDEF_CONFIG_DIR=\/opt/oso/postfix/etc

Yes.

-- Viktor.
Re: SMTP sessions
On Tue, Feb 03, 2009 at 11:59:37PM +0100, Rocco Scappatura wrote:

> Returning to my question, I'm trying to understand:
>
> 1) Once a client (or another MTA) establish a TCP connection with listening port bounded by the SMTP daemon of Postfix, could happen that more than one email messages are sent over that TCP connection, before it is closed?

Sure this is possible, but it is unlikely to significantly impact your queues.

> 2) If 1), is there any limit on the number of messages that could be sent over that TCP connection?

No.

> 3) Could the receiving MTA (i.e.: Postfix) decide how much times a TCP connection could used to transmit a messages by a client?

Enforcing such limits is unwise. The solution causes more harm than the perceived problem. There is no evidence that sender-side connection re-use has any material impact on your queues. If you do want to enforce such limits, they should be applied selectively to just IP sources with poor reputations.

-- Viktor.
Re: Postfix install error
On Tue, Feb 03, 2009 at 01:52:45PM -0800, Nandini Mocherla wrote:

> My makedefs.out does not say any thing about configurations I specified with make files other than PCRE and here is the output
>
> EXPORT = AUXLIBS=' -L/usr/lib -R/usr/lib -lpcre' CCARGS=' -Dstrcasecmp=fix_strcasecmp -Dstrncasecmp=fix_strncasecmp -DHAS_PCRE -I/usr/include/pcre' OPT='-O' DEBUG='-g'

You built Postfix with default values for all the installation parameters. It is generally unnecessary to specify -L/usr/lib -R/usr/lib, but this may be a side-effect of running pcre-config, rather than active action on your part.

-- Viktor.
Re: Mail sits in queue
On Tue, Feb 03, 2009 at 01:34:10PM -0500, Brian Evans - Postfix List wrote:

> The php mail() command (on *nix) defaults to come in through the pickup daemon (using the sendmail(1) command). It can also be sent in via the smtpd daemon.
>
> Intentionally send a message through your app and immediately check your log. Read and understand entry to delivery (or relay). If you need assistance with the logs, please post a transaction here.

No log messages are generated when mail is deposited in the maildrop queue. If pickup is not finding the mail in a timely fashion it is because:

- The pickup master.cf entry is busted (no wakeup timer)

    pickup    fifo  n       -       n       60      1       pickup

- The pickup fifo has been deleted from /var/spool/postfix/public

    Make sure $queue_directory contains a private/pickup fifo.

- File permissions are wrong

    postfix set-permissions

- The O/S is buggy

    Disable SELinux, App-armor, ...

or http://tomayko.com/writings/that-dilbert-cartoon

-- Viktor.
Re: SMTP sessions
On Wed, Feb 04, 2009 at 02:21:31AM +0100, Rocco Scappatura wrote:

> > There is no evidence that sender-side connection re-use has any material impact on your queues. If you do want to enforce such limits, they should be applied selectively to just IP sources with poor reputations.
>
> Indeed, it would be nice to have a tool that assigns a poor reputation to an IP source that impact on the queues.. Maybe one of these tool could be a Policyd server? Simply imposing a quota on the number of messages that could be sent in a unit of time? Or there exists some of more refined, for what you know?

No, it would be nice to have tools that assign fewer resources to senders with poor reputations, but just sending you a lot of legitimate mail is not sufficient cause. I still don't see why you believe that connection re-use by high-volume senders is the cause of the imbalance you observe.

-- Viktor.
Re: Postfix install error
On Tue, Feb 03, 2009 at 04:58:42PM -0800, Nandini Mocherla wrote:

> Thank You! I changed the way, I was using quotes and it did compile and install successfully. But I saw these errors in my error file. Is it ok to ignore them.

To reduce spurious noise: try gcc, or figure out which compiler options to use to turn off these warnings. We could use:

    #define __MAXINT__(T) ((T) ((((((T) 1) << ((sizeof(T) * CHAR_BIT) - 2)) - 1) << 1) + 1))

which, for example, with 64 bit off_t will be: 2 * (2^62 - 1) + 1 == 2^61 - 1, which is what we want without ever using negative values, but I doubt it is worth the trouble.

> file_limit.c, line 74: warning: integer overflow detected: op
> vstream.c, line 853: warning: integer overflow detected: op
> is_header.c, line 91: warning: statement not reached
> master.c, line 388: warning: integer overflow detected: op
> smtpd_check.c, line 971: warning: statement not reached

This still leaves you with the statement not reached errors.

-- Viktor.
Re: Mail sits in queue
On Wed, Feb 04, 2009 at 08:58:17AM -0500, Doug Jaquays wrote:

> > - The pickup fifo has been deleted from /var/spool/postfix/public
> >
> >     Make sure $queue_directory contains a private/pickup fifo.
>
> This is a /var/spool/postfix/public/pickup fifo, there is not a /var/spool/postfix/private/pickup fifo

As you can tell from the first of the two lines, it is indeed public not private.

> > - The O/S is buggy
> >
> >     Disable SELinux, App-armor, ...
>
> This is entirely possible, though we have other SLES servers running the same environment without issue. I did just turn off AppArmor on the server with this problem, so we'll see what happens.

Is the Postfix queue stored on an NFS server? Is the system clock correct? Otherwise, report your findings post AppArmor, ...

Does:

    # postkick public pickup W

move mail out of the queue in a more timely fashion?

-- Viktor.
Re: TimeOut issues
On Wed, Feb 04, 2009 at 08:52:45AM -0600, Matthew Hebert wrote:

> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
>     reject_unverified_recipient
>     permit_mynetworks
>     check_sender_access hash:/etc/postfix/sender_access
>     check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions

Open relay!

>     reject_unverified_recipient
>     reject_unauth_destination

Move the sender checks below reject_unauth_destination or into smtpd_sender_restrictions.

>     reject_unauth_pipelining
>     reject_invalid_hostname
>     reject_non_fqdn_hostname
>     reject_rbl_client sbl-xbl.spamhaus.org

Use zen.spamhaus.org instead, it is far more effective, with negligible FPs.

>     reject_rbl_client list.dsbl.org

This RBL is long dead. Remove it from your configuration.

>     reject_rbl_client bl.spamcop.net
>     reject_rhsbl_sender dsn.rfc-ignorant.org

Not wise for outright SMTP rejects, too many FPs, and does not directly address spam. Remove this RBL.

>     permit

Make sure you have a correctly configured local DNS cache. Report your findings after fixing the above.

-- Viktor.
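An added example, not part of the original message and not Postfix code: a small Python check for the ordering problem flagged in the reply above, where an access-table lookup that can return OK sits ahead of reject_unauth_destination. The function names are hypothetical, POSTED is the list as quoted in the message, and REORDERED is constructed by moving the two sender checks below the relay guard.

```python
"""Order check for a Postfix smtpd_recipient_restrictions list (added example)."""

RELAY_GUARD = "reject_unauth_destination"

# Lookups whose table can answer OK, which permits the recipient on the spot.
ACCESS_CHECKS = {
    "check_client_access",
    "check_helo_access",
    "check_sender_access",
    "check_recipient_access",
}
# Restrictions that consume the following token as their argument.
TAKES_ARGUMENT = ACCESS_CHECKS | {"reject_rbl_client", "reject_rhsbl_sender"}


def parse_restrictions(value):
    """Split a comma/whitespace separated restriction list into (name, arg) pairs."""
    tokens = value.replace(",", " ").split()
    items = []
    i = 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in TAKES_ARGUMENT and i + 1 < len(tokens):
            i += 1
            arg = tokens[i]
        items.append((name, arg))
        i += 1
    return items


def relay_findings(value):
    """Return (position, restriction, detail) for every entry that can permit
    mail before reject_unauth_destination has been evaluated."""
    items = parse_restrictions(value)
    names = [name for name, _ in items]
    if RELAY_GUARD not in names:
        return [(-1, RELAY_GUARD, "not present in this list")]
    guard = names.index(RELAY_GUARD)
    findings = []
    for pos, (name, arg) in enumerate(items[:guard]):
        if name in ACCESS_CHECKS:
            findings.append((pos, name, arg))
        elif name == "permit":
            findings.append((pos, name, "unconditional permit"))
    return findings


# The restriction list as quoted in the message above.
POSTED = """
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unverified_recipient
    permit_mynetworks
    check_sender_access hash:/etc/postfix/sender_access
    check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
    reject_unverified_recipient
    reject_unauth_destination
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client list.dsbl.org
    reject_rbl_client bl.spamcop.net
    reject_rhsbl_sender dsn.rfc-ignorant.org
    permit
"""

# Constructed for this example: same entries, sender checks moved below the guard.
REORDERED = """
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unverified_recipient
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/sender_access
    check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client list.dsbl.org
    reject_rbl_client bl.spamcop.net
    reject_rhsbl_sender dsn.rfc-ignorant.org
    permit
"""

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("reordered", REORDERED)):
        print(label, relay_findings(value) or "ok")
```

Postfix 2.10 and later can keep relay control in a separate smtpd_relay_restrictions list; this check looks only at the one list it is given.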
Re: postfix queue grep
On Wed, Feb 04, 2009 at 10:25:21AM +0200, Marc Silver wrote:

> The tool is available at http://draenor.org/public/python/pqgrep.py
>
> Should you find any bugs/problems, please mail me.

The regexp parser is IMHO too fuzzy for production use outside your own environment. It will generate false positives with sufficiently interesting remote error messages, sender or recipient addresses in the postqueue -p output. You need a more context aware parser.

> Some examples:
>
> o List the message ID's for messages with a sender of x...@moo.com:
>
>     pqgrep.py -s x...@moo.com -i

Note, it is best to not call a queue-id a message ID.

> o Show messages with a recipient of a...@b.c and provide log messages:
>
>     pqgrep.py -r a...@b.c -l
>
> o Delete all messages from MAILER-DAEMON:
>
>     for i in `pqgrep.py -s MAILER-DAEMON` ; do postsuper -d $i ; done

This is subject to race conditions. To safely delete messages, they have to be moved (postsuper -h) out of the active queue, re-scanned to ensure they still meet the original criteria, selectively deleted, and the FPs moved back into the deferred queue (via postsuper -H), you can then flush FPs back into the incoming queue via postqueue -i.

[ Wietse is it safe to move queue files active - hold - incoming in a short time? Could some recipients be delivered twice by two delivery agents in parallel (both deliveries starting after the second incoming to active transition)? ]

-- Viktor.
active - incoming migration (was: Re: postfix queue grep)
On Wed, Feb 04, 2009 at 12:24:23PM -0500, Wietse Venema wrote:

> Victor Duchovni:
> > [ Wietse is it safe to move queue files active - hold - incoming in a short time? Could some recipients be delivered twice by two delivery agents in parallel (both deliveries starting after the second incoming to active transition)? ]
>
> Each delivery agent holds a read lock on the file that it delivers mail from. This will keep the queue manager from scheduling new deliveries. The mechanism prevents duplicate deliveries after postfix reload + postfix flush.

Yes, this solves the queue-manager reload problem, because the active queue is empty when the queue-manager reloads. In the new scenario, the active queue is not empty, and an active file is surreptitiously moved (multiple quick steps) to incoming. If all the recipients are at busy destinations, there may not (yet) be any delivery agent locks, and the file could enter the queue a second time. Is this possible?

-- Viktor.
Re: TimeOut issues
On Wed, Feb 04, 2009 at 03:05:41PM -0600, Matthew Hebert wrote:

> Thanks for your assistance. We have implemented the changes you requested. We still have time out issues. We try the following:
>
> When I try to telnet server 25
>
>     Trying XXX.XXX.XXX...
>     telnet: Unable to connect to remote host: Connection timed out
>
> or getting connected and very slow response time from the smtpd

Now see STRESS_README.html. Find out why all your smtpd(8) servers are busy and allocate more if necessary.

-- Viktor.
Re: gmail relay and certificates on Fedora 10
On Wed, Feb 04, 2009 at 06:58:52PM -0500, sean darcy wrote:

> I followed the instructions on http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/ to create your own certificate to use with google.

You DO NOT need your own TLS-client certificate to submit mail to Google, and even if you have one, Google's SMTP server won't ask for it and you won't send it. Either you misunderstood the guide above, or the guide is wrong.

You do however need to have a suitable set of trusted root CA certificates, if you want to verify *Google's* certificate, to make sure you are reaching the right service.

> smtp_use_tls = yes
> smtp_tls_enforce_peername = no

These are parameters for Postfix 2.2 and earlier, with 2.3, you should be using smtp_tls_security_level.

> I get this error:
>
> Feb 4 17:01:52 asterisk postfix/smtp[17447]: certificate verification failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com

This is not an error message, just informational chatter... What is your real problem, as this does not appear to be it.

-- Viktor.
Re: Guidance on owner- prefix added to From and Return-Path
On Thu, Feb 05, 2009 at 06:42:33AM -0800, Damon Miller wrote:

> In case anyone else hits this problem, my issue was as follows:
>
> 1. 'owner_request_special' was enabled (by default)
>
> 2. My MySQL-based 'alias_maps' succeeded for all addresses, including those with an 'owner-' prefix. This was by design, as the query is dynamic--intended to parse addresses and convert them into a command used by our trouble ticketing system, Request Tracker.
>
> I was using 'local_recipient_maps' to control the addresses accepted by Postfix but I was not aware of the check done for 'owner-' addresses even though they aren't explicitly in the local_recipient_maps table. After setting 'owner_request_special' to 'no', everything the 'owner-' prefixes are gone.

It is better to leave owner_request_special enabled, and fix the SQL query to not synthesize unintended implicit owners. Your RT integration may also need to be re-examined to see if it can be done more cleanly. [Perhaps an RT owned aliases file, ...].

Someday you'll have an alias list that desperately needs owner-list support, but the feature will be turned off and your successor won't notice or won't know why...

-- Viktor.
Re: Mail sits in queue
On Thu, Feb 05, 2009 at 10:02:47AM -0500, Doug Jaquays wrote:

> > Does:
> >
> >     # postkick public pickup W
> >
> > move mail out of the queue in a more timely fashion?
>
> It does not seem to be anymore effective than mailq -q. Is there any more verbose logging that I can enable for this situation? PHP just cares that the message gets dumped into the queue and only returns yes it worked or no it didn't, which of course it works. It really seems like the timer to wakeup pickup isn't working properly, though I can't find any reason why it wouldn't be and nothing solid to say it isn't.

Search your logs for error/warning/panic/fatal messages from pickup. Add (temporarily) a -v flag to the pickup service in master.cf. Read your logs carefully.

> It's frustrating to see that other systems set up exactly

Well, not *exactly* the same, but you have not yet found out how this one is different. The pickup daemon needs to be able to read and write the maildrop queue, and the permissions of the public/pickup socket need to be correct. The maildrop queue should not contain any files that cause pickup severe indigestion (fatal error on processing the queue file in question).

-- Viktor.
Re: Corrupted To: header
On Thu, Feb 05, 2009 at 07:54:39PM -0200, Clodoaldo Pinto Neto wrote:

> The To: header I'm sending appears like this in the log:
>
> Feb 5 21:27:03 centos5151155 postfix/cleanup[4595]: B1AD3FF9A7: warning: header To: =?utf-8?q?D=C3=A9ste_Sobrenome_Grande_P=C3=B4cas_da_Silva_=3Cclodoaldo=5F?=? =?utf-8?q?pinto=40yahoo=2Ecom=2Ebr=3E?= from localhost.localdomain[127.0.0.1]; from=ad...@carroarodo.com to=clodoaldo_pi...@yahoo.com.br proto=ESMTP helo=centos5151155.aspadmin.net
>
> But it arrives like this in both Yahoo and Gmail:
>
> To: =?utf-8?q?d=c3=a9ste_sobrenome_grande_p=c3=b4cas_da_silva_=3cclodoaldo=5...@centos5151155.aspadmin.net, =?utf-8?q?pinto=40yahoo=2ecom=2ebr=3...@centos5151155.aspadmin.net

What broken piece of garbage is abusing RFC 2047 to encode recipient addresses rather than display names? In what form does this message enter your system? (capture full packets with tcpdump and decode the SMTP payload for both the original message coming in and the resulting message going out).

-- Viktor.
Re: TLS certificate
On Fri, Feb 06, 2009 at 11:28:17AM +0100, Patrick Ben Koetter wrote:

> Here's your error: unable to verify the first certificate. Did you add your CA certificate to your CA certificate store ca-bundles.crt (in your case)?

In what sense is that an error? He's got a private-label CA cert, why would one expect this to be verified and by whom? Most SMTP STARTTLS servers have similarly unverifiable certs, and yet SMTP deliveries continue to be made...

-- Viktor.
Re: Mail sits in queue
On Fri, Feb 06, 2009 at 11:00:31AM -0500, Doug Jaquays wrote:

> Just to not leave this open-ended. I decided to just switch to Pear::Mail and use that to send directly to our production mail server. I appreciate all of the help provided, but for the small scope of what Postfix was doing and the number of unknown possible issues, it was easier to port my current mail script over to using Pear than to spend who knows how much longer troubleshooting this issue.

Good luck. You still have broken local submission on the system, so mail from cron or other system components that send mail will not be delivered in a timely fashion.

Naturally, the problem is now less urgent, but you should probably pursue it at a lower priority. If your file-system is corrupted, or Postfix software damaged after installation, ... this should be fixed when you get a chance.

-- Viktor.
Re: How to set client_encoding in Postfix - PostgreSQL lookups
On Fri, Feb 06, 2009 at 11:49:07AM +0100, Michael Monnerie wrote:

> On Thursday 05 February 2009 Victor Duchovni wrote:
> > Configure your Postgres database to use a LATIN-1 encoding. With this you get a single-byte per character encoding and all byte patterns are valid strings.
>
> The problem is IMAP and POP couldn't convert entries to the client's charset of course. That's what we have UTF-8 for.

If the Postfix client declares its encoding to be LATIN-1 and the database is UTF-8, what problem are you seeing? All LATIN-1 input is representable in UTF-8, so the database should be able to process all Postfix queries, and return ASCII answers without any issues. If not, complain to the Postgres developers...

-- Viktor.
Re: Problems with Postfix / Round-Robin
On Fri, Feb 06, 2009 at 02:49:42PM -0200, Pablo Scheri wrote:

> mx.trendargentina.com.ar. 0 IN A 10.0.0.207
> mx.trendargentina.com.ar. 0 IN A 10.0.0.208
>
> postconf | grep dns
> disable_dns_lookups = no
> lmtp_host_lookup = dns
> smtp_host_lookup = dns
>
> ---
>
> grep '10\.0\.0\.20..:25' /var/log/maillog | grep -v status=

That's one . too many

-- Viktor.
Re: Fwd: Re: TLS certificate
On Fri, Feb 06, 2009 at 07:13:17PM +0200, Tolga wrote:

> > Who can't use the certificate?
>
> I, when I try with Thunderbird from another location.

Well, it is Thunderbird that needs to extend its list of trusted CAs not Postfix. No amount of tweaking the Postfix server will make Thunderbird trust your locally-minted CA.

-- Viktor.
Re: Problems with Postfix / Round-Robin
On Fri, Feb 06, 2009 at 09:11:43AM -0800, Roderick A. Anderson wrote:

> mx.trendargentina.com.ar. 0 IN A 10.0.0.208
> mx.trendargentina.com.ar. 0 IN A 10.0.0.207
>
> What this says to me is every time Postfix requests the MX for trendargentina.com.ar the name server software will look it up and come back with _either_ 10.0.0.208 or 10.0.0.207 and depending on how many other DNS requests are made it might be the same over and over.

No, this is wrong. Postfix shuffles MX host A records of equal priority.

> If your zone file had
>
> trendargentina.com.ar. 0 IN MX 10 mx1.trendargentina.com.ar.
> trendargentina.com.ar. 0 IN MX 10 mx2.trendargentina.com.ar.
> ...
> mx1.trendargentina.com.ar. 0 IN A 10.0.0.208
> mx2.trendargentina.com.ar. 0 IN A 10.0.0.207
>
> Then when Postfix asked for the MX record for trendargentina.com.ar the DNS server would send back the two IP addresses and Postfix would round-robin/randomize them.

This is wrong, see above.

> I got the DNS info from readings in Pro DNS and bind and the Postfix from this list and the online documentation. Your implementation has DNS doing the round-robin with the results depending on how busy the name server is. Mine lets Postfix do it with a single query to the name server.

Postfix does not rely on DNS servers shuffling the MX or A RRsets.

-- Viktor.
Re: Enabling stress detection by default
On Fri, Feb 06, 2009 at 01:37:41PM -0500, Wietse Venema wrote:

>     smtpd_timeout = ${stress?10s}${stress:300s}
>     smtpd_hard_error_limit = ${stress?2}${stress:20}
>
> I guess disabling reverse DNS lookups under stress is too drastic.

It would certainly not help folks with reject_unknown_client, even if implemented correctly as a transient (due to stress) lookup failure.

> Another issue is smtpd_timeout granularity. Currently it is the same for all SMTP commands, but some suggested it makes sense to distinguish between some of the SMTP stages.

I think I once suggested shorter timeouts outside the mail transaction (before MAIL FROM or after .). This would prevent abuse of the MTA by software with poor connection caching strategies. If we limit it to just after ., the shorter timeout could be on by default, even with no stress.

Did not envision short timeouts between MAIL and DATA, but that was long before -o stress.

-- Viktor.
Re: Trying to write a log parser, need some clarifications about log enteries.
On Fri, Feb 06, 2009 at 01:30:01PM -0800, Chris St Denis wrote:

> Anyway, on to the problems. How do I deal with log entries like this. A queue ID is created, but nothing ever happens to it. There is no reject

> There was one valid recipient, but the mail transaction was not completed. This could be a header_checks rule, or a network failure or the client crashing. Any logfile processor will have to deal with sessions that do not go from start to end.
>
> Wietse

> Thanks, but those particular causes don't seem to explain it. This system does not have any header checks (the server it's receiving the mail from does all the spam/etc. filtering) and if it was a network failure or client crashing there should be an additional error message like /^timeout after ([A-Z-]+) (.*)$/ or /^lost connection after ([A-Z-]+).*from (.*)$/

Only if the connection was lost. The client may have been doing address validation or a dictionary attack, ... and so can just QUIT after RCPT TO. Presto-magic, no errors. No message implies connection loss only after DATA, not after RCPT TO.

-- Viktor.
Re: mailbox integration questions
On Fri, Feb 06, 2009 at 10:44:12PM -0500, Glen B wrote:

> I'm not asking for an LDA to deploy. Are you suggesting that I review Dovecot's LDA as an example of how to use a pipe transport? I'm writing a LDA which will be DB native and want some experience based input on which method of delivery is best for my situation. In this case can I implement something that isn't exit code oriented?

Yes, implement an LMTP server, and respond with 2XX/4XX/5XX response codes. You can make your LMTP servers handle multiple transactions per process lifetime.

-- Viktor.
Re: Trying to write a log parser, need some clarifications about log enteries.
On Fri, Feb 06, 2009 at 05:41:33PM -0800, Chris St Denis wrote:

> Noel Jones wrote:
> Victor Duchovni wrote:
> On Fri, Feb 06, 2009 at 01:30:01PM -0800, Chris St Denis wrote:

> Anyway, on to the problems. How do I deal with log entries like this. A queue ID is created, but nothing ever happens to it. There is no reject

> There was one valid recipient, but the mail transaction was not completed. This could be a header_checks rule, or a network failure or the client crashing. Any logfile processor will have to deal with sessions that do not go from start to end.
>
> Wietse

> Thanks, but those particular causes don't seem to explain it. This system does not have any header checks (the server it's receiving the mail from does all the spam/etc. filtering) and if it was a network failure or client crashing there should be an additional error message like /^timeout after ([A-Z-]+) (.*)$/ or /^lost connection after ([A-Z-]+).*from (.*)$/

> Only if the connection was lost. The client may have been doing address validation or a dictionary attack, ... and so can just QUIT after RCPT TO. Presto-magic, no errors. No message implies connection loss only after DATA, not after RCPT TO.

> also you grepped for only smtpd processes. There is likely further information about this transaction logged by cleanup and qmgr, all with the same QUEUEID.

> No, I did a second grep for the queue ID (it's in the original post). That was the only process with it. There is a policy server however. Could a reject from a policy server cause this or would it generate a reject: line?

Policy service lookups are just fancy access tables, they behave in much the same way as check_mumble_access...

Queue-ids logged with

    smtpd[pid]: queue-id: client=...

can and will simply disappear with no further logging from cleanup, qmgr, ... This happens when the remote client aborts the transaction after RCPT TO and before DATA.

-- Viktor.
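The case described in the two log-parser replies above (a queue ID that smtpd logs with client= and that never appears in cleanup or qmgr output), as an added example that is not part of the thread or of Postfix: a POSIX shell and awk script that classifies every smtpd queue ID and counts abandoned transactions per client, which is how repeated address probing shows up in the logs. The log lines, host names and queue IDs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Every log line below is constructed sample input.

sample_log() {
cat <<'EOF'
Feb  6 13:01:02 mx postfix/smtpd[4101]: connect from mail.example.net[192.0.2.10]
Feb  6 13:01:02 mx postfix/smtpd[4101]: 3A1B2C4D5E: client=mail.example.net[192.0.2.10]
Feb  6 13:01:03 mx postfix/cleanup[4105]: 3A1B2C4D5E: message-id=<20090206.1@example.net>
Feb  6 13:01:03 mx postfix/qmgr[2201]: 3A1B2C4D5E: from=<a@example.net>, size=1234, nrcpt=1 (queue active)
Feb  6 13:01:03 mx postfix/smtpd[4101]: disconnect from mail.example.net[192.0.2.10]
Feb  6 13:02:10 mx postfix/smtpd[4102]: connect from probe.example.com[198.51.100.7]
Feb  6 13:02:10 mx postfix/smtpd[4102]: 7F00AA11BB: client=probe.example.com[198.51.100.7]
Feb  6 13:02:11 mx postfix/smtpd[4102]: disconnect from probe.example.com[198.51.100.7]
Feb  6 13:02:15 mx postfix/smtpd[4102]: connect from probe.example.com[198.51.100.7]
Feb  6 13:02:15 mx postfix/smtpd[4102]: 8E11BB22CC: client=probe.example.com[198.51.100.7]
Feb  6 13:02:16 mx postfix/smtpd[4102]: disconnect from probe.example.com[198.51.100.7]
Feb  6 13:03:20 mx postfix/smtpd[4103]: connect from slow.example.org[203.0.113.5]
Feb  6 13:03:20 mx postfix/smtpd[4103]: 9C33DD44EE: client=slow.example.org[203.0.113.5]
Feb  6 13:03:50 mx postfix/smtpd[4103]: lost connection after DATA from slow.example.org[203.0.113.5]
Feb  6 13:03:50 mx postfix/smtpd[4103]: disconnect from slow.example.org[203.0.113.5]
EOF
}

# Read syslog lines on stdin and print "queue-id state client" for every
# queue ID that smtpd opened. States:
#   queued     cleanup or qmgr logged the same queue ID
#   lost       the owning smtpd logged "lost connection" or "timeout after"
#   abandoned  neither happened: the client ended the transaction cleanly
#              after RCPT TO and before DATA
classify_queue_ids() {
awk '
function qid_of(field) { sub(/:$/, "", field); return field }

# smtpd[pid]: QUEUEID: client=host[addr] opens a transaction.
$5 ~ /^postfix\/smtpd\[/ && $7 ~ /^client=/ {
    q = qid_of($6)
    c = substr($7, 8); sub(/,$/, "", c)
    owner[$5] = q; client[q] = c; state[q] = "abandoned"; order[++n] = q
    next
}
# Any cleanup or qmgr line with the same queue ID means DATA was reached.
$5 ~ /^postfix\/(cleanup|qmgr)\[/ {
    q = qid_of($6)
    if (q in state) state[q] = "queued"
    next
}
# Connection errors are logged without a queue ID, so match on the smtpd pid.
$5 ~ /^postfix\/smtpd\[/ && (($6 " " $7) ~ /^(lost connection|timeout after)$/) {
    if (($5 in owner) && state[owner[$5]] == "abandoned") state[owner[$5]] = "lost"
    next
}
# The session is over; the next client= line from this pid starts fresh.
$5 ~ /^postfix\/smtpd\[/ && $6 == "disconnect" { delete owner[$5] }

END { for (i = 1; i <= n; i++) print order[i], state[order[i]], client[order[i]] }
'
}

# Print "count client" for clients with at least $1 abandoned transactions.
abandoned_by_client() {
    classify_queue_ids | awk -v min="$1" '
        $2 == "abandoned" { seen[$3]++ }
        END { for (k in seen) if (seen[k] >= min) print seen[k], k }' | sort -rn
}

sample_log | classify_queue_ids
```
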
Re: postfix blocking yahoo and gmail
On Sun, Feb 08, 2009 at 01:01:49PM +0800, jan gestre wrote:

> New logs with reject_rbl_client sbl-xbl.spamhaus.org added to main.cf
>
>     eb 8 12:49:52 kartero postfix/smtpd[6465]: NOQUEUE: reject: RCPT from web57902.mail.re3.yahoo.com[68.142.236.95]: 554 5.7.1 Service unavailable; Client host [68.142.236.95] blocked using sbl-xbl.spamhaus.org; from=jan.ges...@yahoo.com to=jan.ges...@ddbphil.com proto=SMTP helo=web57902.mail.re3.yahoo.com

Your DNS server is fabricating A records for non-existent hosts. The real spamhaus would have also returned a TXT record with a URL for looking up the reason for the block.

Don't use ISP DNS servers that fabricate A records.

-- Viktor.
Re: postfix blocking yahoo and gmail
On Sun, Feb 08, 2009 at 01:23:43PM +0800, jan gestre wrote:

> Don't use ISP DNS servers that fabricate A records.

> I'm not using our ISP's DNS, I'm using OpenDNS, I'm using OpenDNS since way back it's only now that I'm getting this strange behavior in my SMTP server.

You should not use OpenDNS or any similar external DNS forwarder with Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS cache on your system (127.0.0.1).

If you are behind a NAT device that de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky attack... Running a SOHO incoming mail server is getting increasingly difficult, you may need a real SMTP server at a hosting facility.

-- Viktor.
Re: postfix blocking yahoo and gmail
On Sun, Feb 08, 2009 at 02:55:28PM +0800, jan gestre wrote:

> Where is the best place to put the DNS caching resolver? in the NAT device? or in the Mail Server itself?

What kind of NAT device is this? Is it capable of running a non-forwarding DNS cache? If the cache in question has sufficiently good port randomization, by all means run on the NAT device, otherwise run it on the Postfix server, and hope the NAT device port selection is not too predictable.

-- Viktor.
Re: Replacing Message-Id for SASL authenticated senders
On Sun, Feb 08, 2009 at 06:22:17PM +0100, mouss wrote: I mean replacing or deleting already set Message-Id headers. And it will break MUA driven thread handling - very few people put their Sent mail in the same folders as received mail - even then, MUAs have heuristics to cope with such situations. Why break message-id threading for those (few) people? -- Viktor.
Re: postfix blocking yahoo and gmail
On Sun, Feb 08, 2009 at 03:37:20PM +0800, jan gestre wrote:

> On Sun, Feb 8, 2009 at 3:05 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:
> On Sun, Feb 08, 2009 at 02:55:28PM +0800, jan gestre wrote:

> Where is the best place to put the DNS caching resolver? in the NAT device? or in the Mail Server itself?

> What kind of NAT device is this? Is it capable of running a non-forwarding DNS cache? If the cache in question has sufficiently good port randomization, by all means run on the NAT device, otherwise run it on the Postfix server, and hope the NAT device port selection is not too predictable.

> It's a lightweight FreeBSD based firewall called pfSense, it also has an installable TinyDNS package.

TinyDNS is an authoritative DNS server, you need a cache, is Dnscache also available? If so, that would be perfect, otherwise, you just install a DNS cache on your Postfix server. See:

http://forum.pfsense.org/index.php?topic=10431.0

Anyway, this question is best asked on the pfSense lists, I know nothing more about this than what Google turns up...

http://www.google.com/search?q=pfSense+Kaminsky+DNS

-- Viktor.
Re: Replacing Message-Id for SASL authenticated senders
On Sun, Feb 08, 2009 at 09:08:32PM +0100, mouss wrote: No, I was referring to the Sent folder, populated by the MUA, either in a local disk or using IMAP. I know some people clever-enough to set Sent == Inbox, yes this is not very common. I personally have rules that tag outgoing mail into non-default Fcc folders, replies are moved there too, and correct threading is expected. Still, clearly this will do only modest harm if any for some sets of users. -- Viktor.
Re: result_attribute on ldap query
On Sun, Feb 08, 2009 at 06:38:31PM -0500, Manuel Mely wrote:

> Hi, I'm configuring postfix to use LDAP as backend db. I have to deal with something that i don't know how to do. For example, i have this conf file:
>
>     server_host = localhost
>     server_port = 389
>     bind = yes
>     bind_dn = cn=admin,dc=foobar,dc=com
>     bind_pw = aaa
>     cache = no
>     search_base = o=hosting,dc=foobar,dc=com
>     query_filter = (((objectClass=VirtualMailAccount)(mail=%s))(permitFrom=inet)(accountActive=TRUE)(delete=FALSE))
>     result_attribute = final
>     version = 3
>
> final is the name of a postfix class, and i have the same attribute for all my users, as i want to simplify this (i mean delete this attr for all my users) i was thinking in create something like dc=postfix,o=hosting,dc=foobar,dc=cu and there i will put this attribute (i have many attributes that are classes in postfix), but i don't know if i can tell my conf file that result_attribute is in other part of the DIT... something like result_attribute= cn=final,dc=postfix ... i think i can't; this is an ldap stuff. Any idea?

Postfix LDAP table support is described in detail in:

http://www.postfix.org/ldap_table.5.html

if a feature is not described there, it does not exist.

-- Viktor.
Re: Redirect all mail from one domain to the same u...@otherdomain?
On Sun, Feb 08, 2009 at 09:50:16PM -0800, Jeff Weinberger wrote:

> I am trying to figure out the best way to map one domain to another with the same users...precisely the behavior I am trying to achieve is: when mail is sent (from outside, or from another user within my postfix installation) to u...@domain1.tld I want it redirected to u...@domain2.tld - in otherwords, the user is preserved, but the domain is translated/rewritten.
>
> To be more specific:
>
> us...@domain1.tld gets re-routed to us...@domain2.tld
> us...@domain1.tld gets re-routed to us...@domain2.tld

- Are you looking to rewrite just the envelope recipient, or also message From/To/Cc headers?
- Is all mail first passed through an SMTP content_filter?
- Are all the original and rewritten recipients delivered to another host via SMTP, or is some of the mail delivered locally (local, virtual, ...)?

> My initial guess is to use recipient_canonical_maps and use a pcre map:
>
>     /^(.*)@domain1.tld/ {$1)@domain2.tld

This guess is wrong for many reasons, but I think it best to first understand what problem you are really trying to solve, before we tear apart the wrong answer to potentially the wrong question.

> I don't see a way to achieve this with alias_maps and header_checks (with action REDIRECT) would miss messages sent to u...@domain1.tld where that is not the To: or Cc: address (such as list mail).

This is worse.

> Really, I am just checking with experts more knowledgeable than I whether I have chosen a good (or the best) way to achieve this, or if there is a better way.

Yes, there is a correct way of solving your problem, but first describe your problem in more detail.

-- Viktor.
Re: Delaying some email addresses
On Mon, Feb 09, 2009 at 02:44:09PM +, João Miguel Neves wrote:

> Good morning, I'm using spamassassin thru amavisd. I also have a bunch of spamtraps (addresses that were never used by persons, but that receive spam regularly) feeding automatically its bayes filter. Sometimes I get some spam that goes to regular addresses and to the spamtraps around the same time. Is there a way or, what is the correct way of delaying some addresses?

Don't delay, if your spamtrap addresses are well chosen, have never existed as valid email addresses, and are unlikely to be mistyped accidentally by a human sender, you can just REDIRECT all mail for a spamtrap address to that same spamtrap address, this drops all the other recipients.

-- Viktor.
Re: Delaying some email addresses
On Mon, Feb 09, 2009 at 12:00:12PM -0500, Terry Carmen wrote:

> Don't delay, if your spamtrap addresses are well chosen, have never existed as valid email addresses, and are unlikely to be mistyped accidentally by a human sender, you can just REDIRECT all mail for a spamtrap address to that same spamtrap address, this drops all the other recipients.

> Does this mean that if a single message has multiple recipients, and one of the recipients is spamt...@mydomain, that the message will only be delivered to spamt...@mydomain?

Yes. A lot of spam is sent to one recipient at a time, so this won't solve your spam problem, but there is no point in delivering spam trap messages to additional users when that does happen.

-- Viktor.
Re: Building postfix for packaging
On Mon, Feb 09, 2009 at 09:41:49AM -0800, Quanah Gibson-Mount wrote:

> We currently use postfix as a part of our overall product, which means that it ends up being packaged inside our own RPM (or deb, etc) packages, and then redeployed when our product is installed. One thing I've noticed about the postfix build system in this is that it assumes you are building postfix specifically to be run on the box you're building it on, which in what we are doing is not really the case.

Please explain what you mean by this.

> As a part of all this, we also allow people to check out and build the FOSS edition of our product. To make it easier on those who want to do this, I'm trying to make it so they can build postfix as whatever user they want, since our own install process takes care of setting up permission, etc, for postfix.

I build and install (for deployment to other systems) Postfix as viktor all the time.

http://www.postfix.org/PACKAGE_README.html

The only thing that requires root is actually making postdrop and postqueue setgid as $setgid_group, this is a post-install step.

> However, the postfix-install script doesn't seem to have a concept of this, which makes it somewhat annoying to use, as I have to essentially patch around it.

You have not read PACKAGE_README.

> Of the numerous software applications we build as the underlying components to our product, Postfix is the only one that goes to such pains. Is there a way that I'm missing to turn off this behavior in postfix-install besides patching it to turn off its checks?

What checks are you objecting to? When I install for packaging, I run:

    sh ./postfix-install -non-interactive install_root=$iroot \
        config_directory=${INSTALL_EXEC_PREFIX}/etc \
        command_directory=${INSTALL_EXEC_PREFIX}/sbin \
        data_directory=${BUILD}/data \
        daemon_directory=${INSTALL_EXEC_PREFIX}/libexec \
        manpage_directory=${INSTALL_PREFIX}/man \
        queue_directory=${BUILD}/spool \
        readme_directory=${INSTALL_PREFIX}/readme \
        sample_directory=${INSTALL_PREFIX}/sample \
        html_directory=${INSTALL_PREFIX}/html \
        mailq_path=${INSTALL_EXEC_PREFIX}/sbin/mailq \
        newaliases_path=${INSTALL_EXEC_PREFIX}/sbin/newaliases \
        sendmail_path=${INSTALL_EXEC_PREFIX}/sbin/sendmail

This delivers all the files to the (desired by me) locations with no fuss.

-- Viktor.
Re: Building postfix for packaging
On Mon, Feb 09, 2009 at 10:02:33AM -0800, Quanah Gibson-Mount wrote:

> You have not read PACKAGE_README.

> This is really the answer. I missed this document, things should work fine with it.

One minor nit in the document, it uses xargs to collect a file list for tar, but the file list may be too long for one command invocation:

    % cd INSTALL_ROOT
    % rm -f SOMEWHERE/outputfile
    % find . \! -type d -print | xargs tar cf SOMEWHERE/outputfile
    % gzip SOMEWHERE/outputfile

With tar c, only the last batch of files are in the tar archive. The command should be tar rf not tar cf.

-- Viktor.
Re: Building postfix for packaging
On Mon, Feb 09, 2009 at 01:17:08PM -0500, Victor Duchovni wrote:

> On Mon, Feb 09, 2009 at 10:02:33AM -0800, Quanah Gibson-Mount wrote:

> You have not read PACKAGE_README.

> This is really the answer. I missed this document, things should work fine with it.

> One minor nit in the document, it uses xargs to collect a file list for tar, but the file list may be too long for one command invocation:
>
>     % cd INSTALL_ROOT
>     % rm -f SOMEWHERE/outputfile
>     % find . \! -type d -print | xargs tar cf SOMEWHERE/outputfile
>     % gzip SOMEWHERE/outputfile
>
> With tar c, only the last batch of files are in the tar archive. The command should be tar rf not tar cf.

Of course you can build packages more sophisticated than tar, and in that case you can use the postfix-files file to determine which files in the install_root to include in the package, and what metadata to assign to those files (including which files need to preserve user-modified copies, ...).

The tar variant is just an example, in practice, on most platforms, you do something more sophisticated.

-- Viktor.
Re: Building postfix for packaging
On Mon, Feb 09, 2009 at 02:13:55PM -0500, Wietse Venema wrote:

> One minor nit in the document, it uses xargs to collect a file list for tar, but the file list may be too long for one command invocation:
>
>     % cd INSTALL_ROOT
>     % rm -f SOMEWHERE/outputfile
>     % find . \! -type d -print | xargs tar cf SOMEWHERE/outputfile
>     % gzip SOMEWHERE/outputfile
>
> With tar c, only the last batch of files are in the tar archive. The command should be tar rf not tar cf.

> On what systems does the list exceed the NCARGS command length limit?

xargs(1) does not use NCARGS, rather it uses various smaller limits:

    ( exec 2>/dev/null
      for i in 1 10 100 1000
      do
          printf -- "--- %d ---\n" $i
          yes $(printf %0${i}d 0) | head -n1 | wc
          yes $(printf %0${i}d 0) | head -n1 | xargs echo 2>/dev/null | head -1 | wc
      done )

RHEL 3.0: ~24k input buffer:

    --- 1 ---
          1       1       2
          1    1024    2048
    --- 10 ---
          1       1      11
          1    1024   11264
    --- 100 ---
          1       1     101
          1     238   24038
    --- 1000 ---
          1       1    1001
          1      24   24024

RHEL 4.0: ~24k input buffer

    --- 1 ---
          1       1       2
          1    1024    2048
    --- 10 ---
          1       1      11
          1    1024   11264
    --- 100 ---
          1       1     101
          1     252   25452
    --- 1000 ---
          1       1    1001
          1      25   25025

SunOS 5.8: ~2k input buffer

    --- 1 ---
          1       1       2
          1     254     508
    --- 10 ---
          1       1      11
          1     185    2035
    --- 100 ---
          1       1     101
          1      20    2020
    --- 1000 ---
          1       1    1001
          1       2    2002

-- Viktor.
Re: Building postfix for packaging
On Mon, Feb 09, 2009 at 02:59:02PM -0500, Victor Duchovni wrote:

> On Mon, Feb 09, 2009 at 02:13:55PM -0500, Wietse Venema wrote:

> One minor nit in the document, it uses xargs to collect a file list for tar, but the file list may be too long for one command invocation:
>
>     % cd INSTALL_ROOT
>     % rm -f SOMEWHERE/outputfile
>     % find . \! -type d -print | xargs tar cf SOMEWHERE/outputfile
>     % gzip SOMEWHERE/outputfile
>
> With tar c, only the last batch of files are in the tar archive. The command should be tar rf not tar cf.

> On what systems does the list exceed the NCARGS command length limit?

> xargs(1) does not use NCARGS, rather it uses various smaller limits:

More specifically, on SunOS 5.8 and 5.10, the standard /usr/bin/xargs uses 6 invocations to process all the installed Postfix files in a tree of the form:

    $ find .exec common -type d -print
    .exec/
    .exec/x86_64.sunos64.5.10/
    .exec/x86_64.sunos64.5.10/etc/
    .exec/x86_64.sunos64.5.10/libexec/
    .exec/x86_64.sunos64.5.10/sbin/
    common/
    common/html/
    common/man/
    common/man/man1/
    common/man/man5/
    common/man/man8/
    common/readme/

With files in the various directories above.

-- Viktor.
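The packaging failure discussed in this thread, as an added example that is not taken from PACKAGE_README or from the posters: when xargs splits the file list across several tar invocations, tar cf recreates the archive each time and ships an incomplete package, while tar rf appends. The file tree is constructed, the function names are hypothetical, and xargs -n 3 is an assumption used to force the batching on a small tree in place of the input-buffer limits measured above.

```shell
#!/bin/sh
# Added example. The file tree below is constructed sample data.

# Populate directory $1 with seven small files.
make_tree() {
    mkdir -p "$1/etc" "$1/sbin" "$1/man"
    for f in etc/main.cf etc/master.cf sbin/postfix sbin/postconf \
             sbin/sendmail man/postfix.1 man/postconf.5
    do
        echo "sample $f" > "$1/$f"
    done
}

# Build archive $3 (absolute path) from tree $2 with "tar $1", where $1 is
# cf or rf. Assumption: -n 3 limits every tar invocation to three names, so
# seven files take three invocations.
build_archive() {
    rm -f "$3"
    ( cd "$2" && find . \! -type d -print | xargs -n 3 tar "$1" "$3" )
}

# Print the number of members stored in archive $1.
member_count() {
    tar tf "$1" | wc -l | tr -d ' '
}

# Print how many files of tree $1 are absent from archive $2. This is the
# check a packaging job can run before it publishes the archive.
missing_count() {
    ( cd "$1" && find . \! -type d -print ) | sort > "$2.want"
    tar tf "$2" | sort > "$2.have"
    comm -23 "$2.want" "$2.have" | wc -l | tr -d ' '
    rm -f "$2.want" "$2.have"
}

tree=$(mktemp -d)
out=$(mktemp -d)
make_tree "$tree"
build_archive cf "$tree" "$out/cf.tar"
build_archive rf "$tree" "$out/rf.tar"
echo "tar cf: $(member_count "$out/cf.tar") members, $(missing_count "$tree" "$out/cf.tar") missing"
echo "tar rf: $(member_count "$out/rf.tar") members, $(missing_count "$tree" "$out/rf.tar") missing"
rm -rf "$tree" "$out"
```
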
Re: Building postfix for packaging
On Mon, Feb 09, 2009 at 12:19:26PM -0800, Quanah Gibson-Mount wrote:

> --On Monday, February 09, 2009 12:57 PM -0500 Victor Duchovni victor.ducho...@morganstanley.com wrote:

> http://www.postfix.org/PACKAGE_README.html

> And just to confirm, the steps here worked beautifully, thank you. :) I did have to use an install root of /../ since it won't take /. I build with a prefix of /opt/zimbra/postfix-version already, so it kept installing into /opt/zimbra/postfix-version/opt/zimbra/postfix-version and /opt/zimbra/postfix-version/opt/zimbra/data/spool/postfix. It would be nice if there was some way for it to recognize it was already built with a prefix, so no need to go down multiple layers. But I have an easily working solution to it. :)

This is easily solved with symbolic links:

    $ ln -s / /some/where/.root
    postfix-install install_root=/some/where/.root ...

Also, you can use custom installation parameters when installing, and then postconf -e to update them back to the correct paths.

    postfix-install ... \
        config_directory=/etc \
        command_directory=/sbin \
        html_directory=/html \
        ...

This will put everything directly under the install-root. The resulting main.cf will record these installation parameters, so you update them with postconf -c /some/where/ -e after the install. Update both the config_directory and daemon_directory copies to put back the compile-time defaults for all the parameters.

In any case, main.cf installation is a tricky business, since you MUST not clobber existing main.cf files from users, and potentially need to support installation into user-selected $command_directory, ... taking all the locations from the existing main.cf. The only thing the user can't move is the default config_directory (/etc/postfix in many cases).

-- Viktor.
Re: Building postfix for packaging
On Mon, Feb 09, 2009 at 03:41:34PM -0500, Wietse Venema wrote:

> It would be nice if there was some way for it to recognize it was already built with a prefix, so no need to go down multiple layers. But I have an easily working solution to it. :)

> It's good to hear that the instructions are still (mostly) correct. This was released in 2002 and there have been plenty of opportunities for bit-rot to creep in.

I do nearly 100 package builds a year (various snapshot releases and occasional official patches) on multiple variants of SunOS and Linux. The build process has not changed dramatically since ~2.0. The core install_root + config parameters interface is still the same. If the old package interface broke, I would have noticed.

Even with multi-instance support coming in 2.6, the basics won't change. Just don't forget to run:

    # postfix set-permissions upgrade-configuration

when upgrading a system with an existing configuration.

-- Viktor.
Re: Getting localhost put in my From field
On Mon, Feb 09, 2009 at 09:43:49PM -0500, Xn Nooby wrote:

> I have been trying to figure out how to get Postfix to not append localhost in to the From: field. I am sending email mostly between two local users, using RHEL5/Squirrelmail/Postfix/Dovecot. When I send an email from user_...@schoolretail.local to user_...@schoolretail.local it arrives from user_...@localhost.schoolretail.local

What version of Postfix is this? Does the mail ever leave the Postfix system, or is it just delivered to a local mailbox? Where are the logs for the delivery and the Received headers?

> mydestination = $mydomain, $myhostname, localhost.$mydomain
> mydomain = schoolretail.local
> myhostname = schoolmail.schoolretail.local
> mynetworks = 127.0.0.0/8
> myorigin = schoolretail.local
> relayhost = 192.168.1.16

This should result in a local delivery with no rewriting.

-- Viktor.
Re: reject_unverified_sender vs greylisting
On Tue, Feb 10, 2009 at 07:15:06AM +0100, Juergen P. Meier wrote:

> If everyone would use SAV, the amount of SMTP traffic in the Internet would *double*. I bet most heavy duty mail systems don't scale double.

An address probe is MUCH cheaper to process than a message. Address probe results are cached. This estimate is likely substantially in error.

The main issue with SAV is that it can be abused to launch indirect dictionary attacks, the target system sees connections from legitimate MTAs doing SAV that are in turn address harvesting oracles for botnet nodes forging sender addresses.

Another issue is that small domains that are victims of joe-job attacks can temporarily see very high traffic loads if SAV is used by a high volume provider (e.g. Verizon in the past).

Finally, some legitimate mail will be lost, as many developers tasked with automating business-to-consumer email communications don't really understand email, and just think of it as a "which API do I call to send" problem. Questions of valid sender addresses, bounce processing, ... are foreign to them, and they are often tasked with sending messages that could be important or time-sensitive for the recipients. SAV raises the bar on poorly conceived/executed non-spam to a level where not all important non-spam will continue to arrive.

These are good reasons to not use SAV or use it with caution:

- Your site should be small to very small, so that the probe volume you emit is negligible.
- You should carefully choose which domains to SAV or exclude from SAV.

-- Viktor.
Re: Delaying some email addresses
On Tue, Feb 10, 2009 at 10:29:28AM +, João Miguel Neves wrote:

> > Don't delay, if your spamtrap addresses are well chosen, have never existed as valid email addresses, and are unlikely to be mistyped accidentally by a human sender, you can just REDIRECT all mail for a spamtrap address to that same spamtrap address, this drops all the other recipients.
>
> That's a good addition, but I already have that working. What I'm trying is dealing with the spam sent for a single address. My idea is the following:
>
> 1) Spammer sends emails to existing users and spamtraps;
> 2) Normal users email is frozen for 2 to 5 minutes;
> 3) Spamtraps are queued and teach spamassassin bayes filter;
> 4) Normal users email is unfrozen, spamassassin catches the spam, and it doesn't reach the user mailbox.

Why bother delivering the normal users if you are definitely going to catch the junk. This is needlessly complex and pointless.

-- Viktor.
Re: Delaying some email addresses
On Tue, Feb 10, 2009 at 04:43:15PM +, João Miguel Neves wrote:

> > > What I'm trying is dealing with the spam sent for a single address. My idea is the following:
> > >
> > > 1) Spammer sends emails to existing users and spamtraps;
> > > 2) Normal users email is frozen for 2 to 5 minutes;
> > > 3) Spamtraps are queued and teach spamassassin bayes filter;
> > > 4) Normal users email is unfrozen, spamassassin catches the spam, and it doesn't reach the user mailbox
> >
> > Why bother delivering the normal users if you are definitely going to catch the junk. This is needlessly complex and pointless.
>
> If I don't do the delay, what happens is that the junk goes thru because, in a lot of cases, spamassassin doesn't know it's junk yet.

You still have not understood what REDIRECT does. Please see the access(5) documentation.

http://www.postfix.org/access.5.html

-- Viktor.
Re: Delaying some email addresses
On Tue, Feb 10, 2009 at 06:55:11PM +, João Miguel Neves wrote:

> Victor Duchovni wrote:
> > On Tue, Feb 10, 2009 at 04:43:15PM +, João Miguel Neves wrote:
> > > What I'm trying is dealing with the spam sent for a single address. My
> >
> > You still have not understood what REDIRECT does. Please see the access(5) documentation.
> >
> > http://www.postfix.org/access.5.html
>
> Unless you're claiming that REDIRECT will redirect different messages that look like the redirected one, you're the one that didn't understand when I said that I'm trying to deal with different spam messages sent to a single email address.

When a single message with multiple recipients hits a spam-trap, REDIRECT it to just the spam-trap.

When multiple messages are sent by a single IP address, and one of them hits a spam-trap, you can consult a policy service that adds a header that tags the mail as coming from a suspect source. Such mail can be quarantined and released after a time delay, with potentially more up-to-date rules able to filter the mail at that point.

Implementation of a quarantine is outside the scope of the Postfix system, you can put mail in the hold queue, or build an LMTP server that feeds the quarantine, and use FILTER to route mail to the quarantine. The quarantine server can feed Bayesian filters when mail comes in, and hope that the filters are well trained when the mail is finally released to the recipients.

-- Viktor.
Re: best way to serve as specific system relay
On Tue, Feb 10, 2009 at 02:23:45PM -0500, post...@corwyn.net wrote:

> machines that send FROM: the local address but TO: somewhere else I think I need postfix to serve as a relay for those machines. I think I can fix it by setting check_client_access hash:/etc/postfix/remotebranches BEFORE reject_unauth_destination with the IP addresses of each of the branches listed as OK.

Just add the machines to mynetworks. You can use a cidr: table if that's helpful.

-- Viktor.
Re: Create additional sub-folders postfix/courier
On Wed, Feb 11, 2009 at 12:55:31AM -0500, post...@corwyn.net wrote:

> At 11:04 PM 2/10/2009, post...@corwyn.net wrote:
> > At 05:24 PM 2/10/2009, mouss wrote:
> > While I can readily create a user b...@example.com, who has a default maildir location for that sql of 'example.com/bob/' I can't quite figure out how to change the SQL to get the folder for bob+t...@example.com to return: 'example.com/bob/Maildir/.test' without breaking everything else?
>
> To answer my own question (more correctly)
>
>     SELECT CONCAT(maildir,'Maildir/',if(INSTR(username,'+'),'.',''),if(INSTR(username,'+'),MID(username,INSTR(username,'+')+1,INSTR(username,'@')-INSTR(username,'+')-1),'')) FROM mailbox

This is a bad idea. You are allowing external parties to construct mailbox filenames on your system. Potential for various directory pathname injection attacks:

    user+./../../not/where/you/exp...@example.com

You must specifically designate which folders are addressable in this way, or at least limit the character-set of acceptable extensions.

-- Viktor.
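The two mitigations named in the reply above (a designated folder list, or a restricted character set for extensions), shown next to the verbatim string-pasting the quoted query performs. This is an added example, not code from the thread or from Postfix; the function names, the folder list, the 32-character limit, the fall-back-to-INBOX policy and the sample addresses are all assumptions made for illustration.

```python
import posixpath
import re

# Hypothetical site policy: the only folders reachable as user+folder@domain.
ADDRESSABLE_FOLDERS = frozenset({"spam", "lists", "test"})

# Fallback when no folder list is kept: a restricted character set. "/" is
# excluded (path separator) and so is "." (Maildir++ uses it for nesting).
SAFE_EXTENSION = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")


def split_address(address):
    """Return (user, extension); extension is None when there is no '+'."""
    local, at, _domain = address.rpartition("@")
    if not at or not local:
        raise ValueError("not a full address: %r" % (address,))
    user, plus, ext = local.partition("+")
    return user, (ext if plus else None)


def naive_folder_path(maildir, address):
    """String logic of the quoted query: the extension is pasted in verbatim."""
    _user, ext = split_address(address)
    return maildir + "Maildir/" + ("" if ext is None else "." + ext)


def is_contained(root, path):
    """True if path still lies under root after '.' and '..' are resolved."""
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(path)
    return resolved == root or resolved.startswith(root + "/")


def safe_folder_path(maildir, address, allowed=ADDRESSABLE_FOLDERS):
    """Return the folder for user+ext only if ext is acceptable, else INBOX.

    allowed: set of designated folder names, or None to fall back to the
    SAFE_EXTENSION character-set check. Falling back to INBOX instead of
    rejecting the mail is an assumption of this example.
    """
    _user, ext = split_address(address)
    inbox = maildir + "Maildir/"
    if ext is None:
        return inbox
    if allowed is not None:
        acceptable = ext in allowed
    else:
        acceptable = SAFE_EXTENSION.fullmatch(ext) is not None
    if not acceptable:
        return inbox
    path = inbox + "." + ext
    # Defence in depth: never hand back a path that resolves outside Maildir/.
    return path if is_contained(inbox, path) else inbox


# Constructed sample inputs (not taken from the thread).
ORDINARY = "bob+test@example.com"
HOSTILE = "bob+./../../elsewhere@example.com"

if __name__ == "__main__":
    base = "example.com/bob/"
    for addr in (ORDINARY, HOSTILE, "bob+unknown@example.com"):
        naive = naive_folder_path(base, addr)
        print("%-36s naive=%s (contained=%s) safe=%s" % (
            addr, naive, is_contained(base + "Maildir/", naive),
            safe_folder_path(base, addr)))
```

The containment check alone is not a substitute for the allowlist: an extension can stay inside Maildir/ and still name a folder the site never meant to expose.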
Re: 451 Remote TLS ERROR - Connection closed by peer
On Wed, Feb 11, 2009 at 04:27:07PM +0100, Ralf Hildebrandt wrote:

> When sending to nashfinch.com I get:
>
> Feb 11 16:23:36 mail postfix/smtp[22382]: setting up TLS connection to nashfinch.com.s5a1.psmtp.com[64.18.4.10]:25
> Feb 11 16:23:37 mail postfix/smtp[22382]: Trusted TLS connection established to nashfinch.com.s5a1.psmtp.com[64.18.4.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)

The nashfinch.com email service is proxied by Postini.

> Feb 11 16:23:42 mail postfix/smtp[22382]: BDCC11C35E9: host nashfinch.com.s5a1.psmtp.com[64.18.4.10] said: 451 Remote TLS ERROR - Connection closed by peer (state:SSLv2/v3 read server hello A) (host:[63.85.29.124]) - psmtp (in reply to RCPT TO command)
>
> on all of their 4 Postini MX hosts.

Postini connects to the remote system at RCPT TO and tries to maintain the same security level by using STARTTLS with the next-hop server. This fails, and Postini gives you the bad news.

> This started shortly after midnight (local time), thus no changes to the system.

The real nashfinch.com server is not feeling well.

-- Viktor.
Re: postfix logs, spams and bounce messages
On Wed, Feb 11, 2009 at 08:05:56PM +0200, ddaas wrote:

> Feb 3 14:45:57 softexp postfix/smtpd[23394]: NOQUEUE: reject: RCPT from unknown[117.87.x.x]: 554 5.7.1 Service unavailable; Client host [117.87.x.x] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=117.87.x.x; from=x...@yahoo.com.au to=experienceoff...@ourdomain.ro proto=ESMTP helo=PC-20090752
> Feb 3 14:45:58 softexp postfix/smtp[23424]: 56966AC86D: to=x...@yahoo.com.au, relay=d.mx.mail.yahoo.com[66.196.82.7]:25, delay=7.6, delays=0/0.01/7.6/0, dsn=4.7.0, status=undeliverable (host d.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0 [TS02] Messages from 80.96.148.194 temporarily deferred due to user complaints - 4.16.56.1; see http://postmaster.yahoo.com/421-ts02.html)

You are doing Sender Address Verification (reject_unverified_sender) before doing RBL checks. Fix this. Do the RBL checks first, and consider not doing SAV at all, but if you do use it, do SAV *last*.

    smtpd_client_restrictions = ... no reject_unverified_sender ...
    smtpd_helo_restrictions = ... no reject_unverified_sender ...
    smtpd_sender_restrictions = ... no reject_unverified_sender ...
    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org
        ... no reject_unverified_sender ...
    smtpd_data_restrictions = reject_unverified_sender

-- Viktor.
Re: postfix benchmark performance
On Wed, Feb 11, 2009 at 01:41:19PM -0500, Silas Boyd-Wickizer wrote:

> Hello,
>
> I'm doing some experiments with a synthetic benchmark and postfix. My current postfix configuration can deliver ~3000 msg/sec to 1000 virtual mailboxes; however, the system (16 core/4x4 AMD opteron) is ~90% idle. All logs and queues reside in a RAM filesystem, so disk IO is not a bottleneck. I am generating the incoming load locally using (a slightly modified) smtp-source, so the network is not a bottleneck. smtp-source is generating 10k emails and smtpd/cleanup can put the incoming emails on the incoming queue much faster than the qmgr can pull them off. Besides the incoming and active queues, all queues are empty during the benchmark.
>
> Ideally I want the system to be 0% idle. Any suggestions on how to achieve this?

With 16 logical CPUs, in this configuration you'll find your CPU load to be 1/16th of the theoretical maximum + overhead. Your report of 10% is about right.

What exactly are you trying to measure with this benchmark? No realistic configuration has the same critical resource, and you'll run out of disk I/O throughput or CPU first depending on how CPU hungry your content-filters are.

If you really are planning to host all spools in RAM disk, and need more than 3000 msgs/sec, I am most curious what use-case motivates this design and performance requirement.

-- Viktor.
Re: postfix benchmark performance
On Wed, Feb 11, 2009 at 02:28:40PM -0500, Silas Boyd-Wickizer wrote:

> > With 16 logical CPUs, in this configuration you'll find your CPU load to be 1/16th of the theoretical maximum + overhead. Your report of 10% is about right.
>
> The system has 16 physical execution units: four quad core AMD Opterons. In the configuration I described, 90% of total cycles are unused.

Yes, but in this configuration, 1 CPU is pegged, and the others are idle, actually the others are working about as hard combined, so that's where you get the ~10%.

> > What exactly are you trying to measure with this benchmark?
>
> I'm measuring how many emails Postfix can deliver per-sec to some number of virtual aliases. I'm not interested so much in the absolute throughput performance, but in the reasons for the performance.

Why is this an interesting measurement? In practice, your performance will be at least a factor of 10 (more likely 30-100) lower, once you add real disk latency, and other real loads.

> > No realistic configuration has the same critical resource, and you'll run out of disk I/O throughput or CPU first depending on how CPU hungry your content-filters are.
>
> I understand this.
>
> > If you really are planning to host all spools in RAM disk, and need more than 3000 msgs/sec, I am most curious what use-case motivates this design and performance requirement.
>
> I don't have a real use-case in mind.

This benchmark is essentially meaningless, it proves that Postfix switching won't be a problem until you reach 3000 msgs/sec. Since your real loads will be much lower, you don't have to worry about it.

-- Viktor.
Re: Create additional sub-folders postfix/courier
On Wed, Feb 11, 2009 at 09:24:25PM +0100, mouss wrote:

> post...@corwyn.net wrote:
> > And a last betterer/simpler way to do it.
> >
> >     SELECT if(INSTR(maildir,'+'),concat(left(maildir,instr(maildir,'+')-1),'/Maildir/.',right(maildir,length(maildir)-instr(maildir,'+'))),CONCAT(maildir,'Maildir/')) from mailbox where username ='%s' and active='1'
>
> you are still allowing random folder names.

That's what I thought at first, but now I am not so sure. Perhaps all this string munging is based on an attribute from the table, not the input address. It seems that the database does not hold mailbox paths, and they are always constructed from the user name, with special logic for user+spam user names. That's OK, provided the OP controls user names.

-- Viktor.
Re: How to safely re-inject an archived queue file?
On Thu, Feb 12, 2009 at 06:51:20AM -0700, Curtis wrote:

> So, on a box that I know has nothing else feeding into the maildrop queue, it would be safe to skip the step of dropping it in the idle queue of a second instance (on the same filesystem) and running postsuper -s to get a properly named queue file? I would, of course, use a queue file name that would never be used by postfix.

The queue file should be created mode 0600, owner $mail_owner, and changed to 0700 once the contents are fully copied into the file. The file-name must be alphanumeric. Postfix queue-ids only use [0-9A-F], so in the maildrop directory you can avoid collisions by prefixing the original filename with X.

-- Viktor.
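The file-handling rules from the reply above (create mode 0600, copy the whole file, then switch to 0700; alphanumeric name made by prefixing the queue ID with X), as an added example that is not part of the thread or of Postfix. The function names are hypothetical, the caller is assumed to run as $mail_owner so that the new file gets the right owner, and the directories are whatever the caller passes in.

```python
import os
import re
import shutil

# Postfix queue IDs use only [0-9A-F], as stated in the reply above.
QUEUE_ID = re.compile(r"[0-9A-F]+")


def maildrop_name(original_name):
    """Prefix a queue ID with X so it cannot collide with a Postfix-made name.

    Anything that is not a plain queue ID (path separators, dots, lower
    case, empty string) is refused, so the result is always alphanumeric.
    """
    if not QUEUE_ID.fullmatch(original_name):
        raise ValueError("not a queue ID: %r" % (original_name,))
    return "X" + original_name


def reinject(archived_path, maildrop_dir):
    """Copy an archived queue file into maildrop_dir and return the new path.

    Assumption: the process runs as $mail_owner, so no chown is needed.
    """
    name = maildrop_name(os.path.basename(archived_path))
    target = os.path.join(maildrop_dir, name)

    # O_EXCL: refuse to overwrite an existing file or follow a planted
    # symlink. Mode 0600 marks the file as still being written.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as out, open(archived_path, "rb") as src:
            shutil.copyfileobj(src, out)
            out.flush()
            os.fsync(out.fileno())
            # Only after every byte is on disk: 0700 marks the file complete.
            os.fchmod(out.fileno(), 0o700)
    except BaseException:
        # Never leave a partial file behind for the queue to trip over.
        os.unlink(target)
        raise
    return target
```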
Re: How to safely re-inject an archived queue file?
On Thu, Feb 12, 2009 at 08:46:51AM -0700, Curtis wrote:

> Perfect. Does the pickup command have a trigger like qmgr that I can use with postkick to get the queue file picked up from the maildrop queue immediately? I'm guessing not since there's no mention of it in the man page, but I thought I'd check anyway. Or is there another way to make this happen?

Yes, it does:

    # postkick public pickup W

All public services with a wakeup timer in master.cf support the W trigger, that's how master(8) wakes them up.

    $ perl -lane '
        $F[0] =~ /^[^#\s]/ or next;   # skip comments and continuation lines
        $F[2] eq "n" or next;         # private = n, i.e. a public service
        $F[5] ne "-" or next;         # a wakeup timer is set
        print;' \
        /etc/postfix/master.cf
    pickup    fifo  n       -       n       60      1       pickup
    qmgr      fifo  n       -       n       300     1       qmgr
    flush     unix  n       -       n       1000?   0       flush

You don't really want to wake the flush service manually, that's just internal house-keeping, but waking pickup(8) or qmgr(8) is fine. I am not sure whether not documenting the pickup(8) trigger is deliberate or an oversight.

-- Viktor.
Re: recipient_delimiter and virtual users
On Thu, Feb 12, 2009 at 12:33:57PM -0500, post...@corwyn.net wrote:

> At 04:28 AM 2/12/2009, mouss wrote:
> > recipient_delimiter works out of the box. there is no need to change your tables, your sql statements nor add users.
>
> The problem is I don't know what the out of the box behavior should be. If I set recipient_delimiter = + then mail to u...@example.com, user+...@example.com, and user+spam all deliver to INBOX, regardless of whether there is a spam or foo folder created. What I want is, without having to set filters in the client, for mail to deliver to the appropriate folder.

This is up to your LDA. No LDA bundled with Postfix understands folders. Cyrus IMAP understands folders, and even knows that user+foo only goes to folder foo when the folder's ACL allows anonymous POST, otherwise mail goes to the Inbox.

These issues are dealt with by Mailstore aware delivery agents, not the MTA. Deploy a delivery agent that co-operates with your mailstore (Cyrus, Dovecot, ...). Postfix will pass the address and extension to the delivery agent.

-- Viktor.
Re: relay through smtps
On Fri, Feb 13, 2009 at 11:03:31AM -0500, Charles Marcus wrote:

> On 2/13/2009, gianluca...@interfree.it (gianluca...@interfree.it) wrote:
> > Is it possible relay mail through smstps under postfix?
>
> Assuming you meant smtps, you can enable this in master.cf, by uncommenting these lines (I'm unsure what the last line does though):
>
> #smtps     inet  n       -       n       -       -       smtpd
> #  -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

That's accepting mail not relaying it through a remote smtps server. The OP needs to ask the question more clearly.

-- Viktor.
Re: Protocol error: host said: 250 2.0.0 Ok (in reply to DATA command)
On Fri, Feb 13, 2009 at 12:53:23PM -0500, Brian Evans - Postfix List wrote:

> Carver Banks wrote:
> > Hello Everyone,
> >
> > I am seeing weird bounces on my postfix server and can't quite figure out why... It looks like it is failing while passing the mail off to a spam appliance, but from the spam appliance side I see no record of the message. Also Any ideas, I have a couple examples below?
> >
> > Example Mail.log entry:
> >
> > Feb 12 06:17:53 mail01 postfix/smtp[24220]: C06165CE92: to=user.n...@domain.com, relay=175.21.0.67[175.21.0.67]:2525, conn_use=18, delay=16, delays=1.4/13/0/1.7, dsn=5.5.0, status=bounced (Protocol error: host 175.21.0.67[175.21.0.67] said: 250 2.0.0 Ok (in reply to DATA command))
>
> The 175.0.0.0/8 block is IANA reserved space. It should not be in use on private or public networks.

I think someone confused 172.16.0.0/12 with 175.16.0.0/12. If the OP is using 175.16 instead of RFC 1918 private networks, he has some renumbering to do...

-- Viktor.
Re: SMTP relay only
On Sun, Feb 15, 2009 at 03:20:55PM +0100, mouss wrote:

> > Finally I would like to deny message delivery to my mail server.. It should suffice to unset relay_domains or it is too restrictive doing so?
>
> to disable local delivery, check the FIREWALL README.

I think this means:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

-- Viktor.
Re: postmap changed between 2.3.8 and 2.5.5
On Mon, Feb 16, 2009 at 10:14:21AM -0500, Wietse Venema wrote:

> > hash == berkly db? that would mean its a poor choice by postfix itself
>
> There are plenty platforms where the on-disk format of Berkeley DB database files is stable across many operating system releases.

And the only sensible default database type is one for which the libraries are included with the base platform. CDB is not nearly as ubiquitous as Berkeley DB. The choice of Berkeley DB is not poor, even if the file format changes periodically. When you upgrade your O/S, be prepared to rebuild indexed tables.

-- Viktor.
Re: bounced msg
On Tue, Feb 17, 2009 at 02:19:19PM -0600, Noel Jones wrote:

> bharathan kailath wrote:
> > i understood but why two folders 'defer' and 'deferred'! using OpenSuse 10.3 thanks
>
> deferred stores the reason why the message is in defer.

The other way around, but the idea is right. The defer queue stores bounce logs, while the deferred queue stores messages.

-- Viktor.
Re: choosing random ip address for outgoing smtp connection
On Thu, Feb 19, 2009 at 02:20:39PM -0500, Wietse Venema wrote:

> /etc/postfix/main.cf
>     check_recipient_access pcre:/etc/postfix/random.pcre
>
> /etc/postfix/random.pcre
>     /^(.)(.*)/ FILTER smtp$1:$1$2

Regexp recipient lookups are keyed by the full user address, and the character-set of localparts is less predictable than with domains, so I would suggest a refinement:

    /^(.*)@([a-z0-9])(.*)/ FILTER smtp$2:$2$3

-- Viktor.
Re: postfix - amavisd - SMTP or LMTP (was: TLS)
On Thu, Feb 19, 2009 at 07:17:14PM +0100, Mark Martinec wrote:

> So in summary: either will do, I currently don't have strong arguments to prefer one over the other. Perhaps somebody from the Postfix side can show a preference.

If the proxy is not configured to do content-dependent selective accept/reject/defer after ".", stick with SMTP, otherwise this can only be done with LMTP. For messages queued atomically, LMTP is just overhead.

-- Viktor.
Re: Your Email
On Sat, Feb 21, 2009 at 07:02:41PM +, Daniel C wrote:

> Message #1
> ---
> Received: from localhost (homer.mydomain.com [10.0.32.13]) by mail.mydomain.com (Postfix) with ESMTP id 561804498EF for ; Sat, 21 Feb 2009 13:37:41 -0500 (EST)
> Received: from mail.mydomain.com ([10.0.32.13]) by localhost (homer.mydomain.com [10.0.32.13]) (amavisd-new, port 10024) with LMTP id NHSD4caH1jdE for ; Sat, 21 Feb 2009 13:37:38 -0500 (EST)
> Received: from [10.0.0.120] (ip-xxx.xxx.xxx.xxx.dsl-xxx.xxx [xxx.xxx.xxx.xxx]) by mail.mydomain.com (Postfix) with ESMTP id 0421137074D for ; Sat, 21 Feb 2009 13:37:37 -0500 (EST)

This is an incomplete set of message headers.

> Message #2
> ---
> Received: from localhost (homer.mydomain.com [10.0.32.13]) by mail.mydomain.com (Postfix) with ESMTP id 79CF64498EC for ; Sat, 21 Feb 2009 13:37:41 -0500 (EST)
> Received: from mail.mydomain.com ([10.0.32.13]) by localhost (homer.mydomain.com [10.0.32.13]) (amavisd-new, port 10024) with LMTP id QgPsqaEw4tIc for ; Sat, 21 Feb 2009 13:37:38 -0500 (EST)
> [... something missing here ...] by mail.mydomain.com (Postfix, from userid 207) id 314664498FC; Sat, 21 Feb 2009 13:37:38 -0500 (EST)

This is a corrupted and incomplete set of message headers. And yet, it is fairly clear that the two messages are unrelated and not the same, since one arrives via SMTP and the other is submitted locally by user 207.

Showing the headers separately from the related mail logs is not terribly useful. Read the headers and related logs carefully. Make sure they are not broken and match up. Then if you still believe Postfix is duplicating your message, post the associated headers and logs.

-- Viktor.
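One way to do the header-to-log matching asked for above, as an added example that is not part of the original thread: it extracts the Postfix queue IDs from a message's Received headers and checks each one against the mail log. The headers, log lines, hostnames and queue IDs are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# A Postfix hop names its queue ID and how the message entered the queue:
# "(Postfix) with ESMTP id X" = network, "(Postfix, from userid N) id X" = local.
RECEIVED_RE = re.compile(
    r"\(Postfix(?:, from userid (?P<uid>\d+))?\)"
    r"(?: with (?P<proto>[A-Z]+))?\s+id (?P<qid>[0-9A-F]+)"
)
# Log lines tied to a queued message: "postfix/<daemon>[pid]: <qid>: <detail>"
LOG_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<detail>.*)"
)

def postfix_hops(raw_headers):
    """Return the Postfix hops oldest-first as (queue_id, origin) tuples."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue  # hop stamped by another program, e.g. a content filter
        origin = f"local uid {m['uid']}" if m["uid"] else f"network {m['proto']}"
        hops.append((m["qid"], origin))
    return list(reversed(hops))  # headers are newest-first

def correlate(raw_headers, log_text):
    """For each Postfix hop, report whether the log agrees with the header."""
    by_qid = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            by_qid.setdefault(m["qid"], []).append((m["daemon"], m["detail"]))
    report = []
    for qid, origin in postfix_hops(raw_headers):
        entries = by_qid.get(qid, [])
        # smtpd logs "client=..." for network arrivals, pickup logs "uid=..."
        logged = next((d for d, _ in entries if d in ("smtpd", "pickup")), None)
        expected = "pickup" if origin.startswith("local") else "smtpd"
        msgid = next((det.split("=", 1)[1] for d, det in entries
                      if d == "cleanup" and det.startswith("message-id=")), None)
        report.append({"qid": qid, "origin": origin, "logged_by": logged,
                       "message_id": msgid, "consistent": logged == expected})
    return report

# Constructed sample: one message that arrived over SMTP, one submitted locally.
MSG_SMTP = """\
Received: from localhost (mail.example.com [127.0.0.1])
    by mail.example.com (Postfix) with ESMTP id 6F7A8B9C0D
    for <user@example.com>; Sat, 21 Feb 2009 13:37:41 -0500 (EST)
Received: from mail.example.com ([127.0.0.1])
    by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id NHSD4caH1jdE for <user@example.com>;
    Sat, 21 Feb 2009 13:37:38 -0500 (EST)
Received: from [10.0.0.120] (unknown [10.0.0.120])
    by mail.example.com (Postfix) with ESMTP id 1A2B3C4D5E
    for <user@example.com>; Sat, 21 Feb 2009 13:37:37 -0500 (EST)
Subject: constructed sample 1
"""
MSG_LOCAL = """\
Received: from localhost (mail.example.com [127.0.0.1])
    by mail.example.com (Postfix) with ESMTP id 7A8B9C0D1E
    for <user@example.com>; Sat, 21 Feb 2009 13:37:41 -0500 (EST)
Received: by mail.example.com (Postfix, from userid 207)
    id 2B3C4D5E6F; Sat, 21 Feb 2009 13:37:38 -0500 (EST)
Subject: constructed sample 2
"""
LOG = """\
Feb 21 13:37:37 mail postfix/smtpd[4101]: 1A2B3C4D5E: client=unknown[10.0.0.120]
Feb 21 13:37:37 mail postfix/cleanup[4105]: 1A2B3C4D5E: message-id=<one@example.com>
Feb 21 13:37:38 mail postfix/pickup[4090]: 2B3C4D5E6F: uid=207 from=<www@example.com>
Feb 21 13:37:38 mail postfix/cleanup[4105]: 2B3C4D5E6F: message-id=<two@example.com>
Feb 21 13:37:41 mail postfix/smtpd[4110]: 6F7A8B9C0D: client=localhost[127.0.0.1]
Feb 21 13:37:41 mail postfix/smtpd[4111]: 7A8B9C0D1E: client=localhost[127.0.0.1]
"""

if __name__ == "__main__":
    for name, raw in (("smtp", MSG_SMTP), ("local", MSG_LOCAL)):
        for row in correlate(raw, LOG):
            print(name, row)
```

A hop whose queue ID has no matching smtpd or pickup line comes back with `consistent` set to False, which is the signal that the headers and logs being compared do not belong together.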
Re: Your Email
On Sun, Feb 22, 2009 at 03:35:34AM +, Daniel C wrote:

> As for Postfix, it has to be used

No, this is wrong, the postfix user must not be the owner of the virtual mailboxes, and should not be used by the IMAP server to access them. Fix your configuration to avoid this problem.

> by courier-imap in order to access the virtual maildir correctly, without having to change the ownership of the directories to allow group or other. I hope I'm using a right strategy. ;)

Use a suitable imap user, not postfix.

-- Viktor.
Re: Sending SSL/TLS state to Dovecot auth
On Mon, Feb 23, 2009 at 02:18:01PM -0500, Timo Sirainen wrote:

> In some setups it's useful for authentication handling to know if the connection is SSL/TLS secured. The patch below should tell this to Dovecot. It compiles, but other than that I haven't yet tested it.

How is this useful? It seems to me that a SASL implementation should validate the credentials and leave policy questions to the MTA. The MTA can decide whether SASL without TLS is sufficient or not.

Also mere use of TLS says nothing about the security of the channel in the absence of client certification verification, the server cannot exclude MITM attackers even when a TLS session is used. I don't think that the TLS on/off bit you propose is semantically sound.

-- Viktor.
Re: Sending SSL/TLS state to Dovecot auth
On Mon, Feb 23, 2009 at 05:40:05PM -0500, Timo Sirainen wrote:

> It's too late for a few times (until user fixes the client configuration), but not forever (because it won't work until the configuration is fixed). Also with a laptop the initial setup is often done in a relatively safe location such as home or office, while the connections afterwards could be done in all kinds of insecure places.

Perhaps, but often the setting is "TLS when available", so you only get illusory protection. With Postfix, the right place to enforce this is in the MTA. If some users need non-TLS MTAs, point them at an alternative submission server. Which mainstream MUAs can't do TLS submission at this point in time?

-- Viktor.
Re: mailbox_size_limit , quota + some other questions
On Mon, Feb 23, 2009 at 09:13:11PM -0800, Linux Advocate wrote:

> > 2. For a setup of about 1500 virtual users on a centos 5.2 machine with a raid10 array and with 8gb of ram, what settings do i need to change in postfix for better performance with regards to main.cf /master.cf. Dovecot provides POP/IMAP services.
>
> Sorry. Allow me to rephrase, is there any setting in postfix (main.cf, master.cf) whereby we can increase the number of threads, memory usage, etc to allow for higher concurrency?

1500 users is not very many. You probably don't need higher than default concurrency.

http://www.postfix.org/TUNING_README.html

-- Viktor.
Re: mailbox_size_limit , quota + some other questions
On Mon, Feb 23, 2009 at 09:28:18PM -0800, Linux Advocate wrote:

> > > Sorry. Allow me to rephrase, is there any setting in postfix (main.cf, master.cf) whereby we can increase the number of threads, memory usage, etc to allow for higher concurrency?
> >
> > 1500 users is not very many. You probably don't need higher than default concurrency. http://www.postfix.org/TUNING_README.html
>
> 1500 users is not much? wow, how many users can a xeon dual processor box with a RAID10 array, 8 gigs of ram handle. i would appreciate a rough estimate?

Depends on how much content processing you force on the CPU. If it is a webmail server, IMAP server, virus scanner, anti-spam filter, ... your constraint will be CPU, and there won't be any idle cycles to use by increasing concurrency.

If you don't design-in a lot of CPU demand, the MTA alone will easily forward traffic for 10,000+ users with near default settings, provided one has working recipient validation, and subscribes to a SpamHaus data-feed for local zen.spamhaus.org lookups. With just 1500 users, the public RBL mirrors may be sufficient.

I am guessing you are CPU constrained, and that tuning Postfix for higher concurrency is not likely a good idea in that case.

-- Viktor.
Re: mailbox_size_limit , quota + some other questions
On Mon, Feb 23, 2009 at 10:41:07PM -0800, Linux Advocate wrote:

> i have been thinking of using sorbs instead of spamhaus because sorbs allows sites with up to 100k user to connect to them but with spamhaus u are limited to 100 users max. Sorbs has a detection rate of about 68% and i was thinking of beefing our spam wall with grey listing.

I can't speak about RBLs I don't use. The main strength of SpamHaus is:

- PBL lists ~500 million dynamic IPs with a remarkably low FP rate.
- XBL lists additional botnet nodes with a remarkably low FP rate.
- SBL lists spammer networks with a very low FP rate.

I've not heard of any RBLs that are as effective as Zen. Yes, Zen is only free for small (personal use) sites and charges a fee to keep the infrastructure running for larger sites. The data-feed costs were not unreasonable last time I looked.

-- Viktor.
Re: Deferr mail for only certain users
On Tue, Feb 24, 2009 at 11:35:07AM -0500, Sahil Tandon wrote:

> On Feb 24, 2009, at 11:31 AM, Joseph L. Casale jcas...@activenetwerx.com wrote:
>
> > Is it possible to hold mail destined to only certain users in a queue until I then release it manually?
>
> Direct mail for those users to the retry transport via transport maps.

This is not very efficient, because the mail moves between the deferred and active queues until the user's transport setting is updated, and then all mail for the user (old and new) is released.

The OP probably wants a quarantine system. Postfix does not come with a built-in quarantine system. The easiest is to deliver the mail into suitable maildirs for review, and then use an IMAP client to forward appropriate mail to the real destination or discard it instead. More complex solutions require custom code.

-- Viktor.
Re: Problem with ldap table lookups and TLS
On Tue, Feb 24, 2009 at 06:48:12PM -0600, Nick Geron wrote:

> So as root or my limited rights postfix user this works:
> #postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
> j...@example.com

You only show a test running as root, not postfix. What versions of Postfix and OpenLDAP are these? There was TLS API creep in OpenLDAP between 2.0 and 2.1, and the Postfix LDAP driver was originally based on OpenLDAP 2.0, this was resolved in Postfix 2.5 as described in ldap_table(5) under tls_require_cert.

Please show complete output from postmap -q running as the $mail_owner user, just hide the bind password.

> Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: In

Is trivial-rewrite in a chroot jail? Please show equivalent dict_ldap logging (to that from postmap -q) from trivial-rewrite -v on an idle Postfix system asked to deliver one message to one recipient.

> Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt

What's in this file? Is it a PEM file? Does your LDAP server expect client certificates?

> I've been around and around with this all day and keep coming back to the same conclusion - proxymap and/or trivial-rewrite (or whatever is responsible for establishing the connection) is not loading my CA file, though it's explicitly set in my ldap table conf file:
>
> (/etc/postfix/ldap/aliases.cf)
> start_tls = yes
> tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
> tls_random_file = /dev/urandom

Shouldn't this be dev:/dev/urandom (better yet, leave this out, it should default sensibly in OpenSSL). Are you using OpenSSL or GnuTLS to add TLS support in OpenLDAP?

> Again, if I tell postmap to use the proxymap daemon with 'postmap -q j...@example.com proxy:ldap:/etc/postfix/ldap/aliases.cf', the same failure to load the cert and an error -11 as in the above syslog output.

Is proxymap chrooted?

-- Viktor.
Re: Problem with ldap table lookups and TLS
On Wed, Feb 25, 2009 at 03:30:51PM -0600, Nick Geron wrote:

> Well, I have found my problem. I probably should have mentioned earlier (how many times has that appeared on this list?) that ldap is used on this system for local user authentication, meaning pam/nss are tied into ldap. I noticed in traces that the system configs and certificates were being loaded/read by proxymap and wondered if proxymap was not resetting the value of the ca cert or ca dir as one would expect after it reads in the alias map config.

This is an OpenLDAP API design issue. The OpenLDAP library (at least up to version 2.3) has a single global SSL_CTX object, that is initialized just once by the first call that creates an SSL-protected LDAP connection. All requests to set the global SSL context properties are ignored silently after that point.

To solve your problem you must make sure that your nsswitch CAfile and CAfile include all the certificates needed by Postfix.

-- Viktor.
Re: Problem with ldap table lookups and TLS
On Wed, Feb 25, 2009 at 05:34:26PM -0600, Nick Geron wrote: This is an OpenLDAP API design issue. The OpenLDAP library (at least up to version 2.3) has a single global SSL_CTX object, that is initialized just once by the first call that creates an SSL-protected LDAP connection. All requests to set the global SSL context properties are ignored silently after that point. To solve your problem you must make sure that your nsswitch CAfile and CAfile include all the certificates needed by Postfix. Understood. Thanks again to Victor and Quanah. Note, the OpenLDAP API design issue is resolved with OpenLDAP 2.4. With OpenLDAP 2.4 it is possible to set the TLS properties for a particular LDAP connection (not just global properties), and to associate a new OpenLDAP managed TLS context for the connection via the new LDAP_OPT_X_TLS_NEWCTX option. Try this completely untested patch (it may not even compile, but it looks promising): Index: src/global/dict_ldap.c --- src/global/dict_ldap.c 28 Jan 2008 04:29:48 - 1.1.1.2 +++ src/global/dict_ldap.c 26 Feb 2009 00:04:18 - @@ -484,10 +484,16 @@ { const char *myname = dict_ldap_set_tls_options; int rc; +#ifdef LDAP_OPT_X_TLS_NEWCTX +int am_server = 0; +LDAP *ld = dict_ldap-ld; +#else +LDAP *ld = 0; +#endif if (dict_ldap-start_tls || dict_ldap-ldap_ssl) { if (*dict_ldap-tls_random_file) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE, dict_ldap-tls_random_file)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_random_file to %s: %d: %s, myname, dict_ldap-tls_random_file, @@ -496,7 +502,7 @@ } } if (*dict_ldap-tls_ca_cert_file) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, dict_ldap-tls_ca_cert_file)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_ca_cert_file to %s: %d: %s, myname, dict_ldap-tls_ca_cert_file, 
@@ -505,7 +511,7 @@ } } if (*dict_ldap-tls_ca_cert_dir) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, dict_ldap-tls_ca_cert_dir)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_ca_cert_dir to %s: %d: %s, myname, dict_ldap-tls_ca_cert_dir, @@ -514,7 +520,7 @@ } } if (*dict_ldap-tls_cert) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, dict_ldap-tls_cert)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_cert to %s: %d: %s, myname, dict_ldap-tls_cert, @@ -523,7 +529,7 @@ } } if (*dict_ldap-tls_key) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, dict_ldap-tls_key)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_key to %s: %d: %s, myname, dict_ldap-tls_key, @@ -532,7 +538,7 @@ } } if (*dict_ldap-tls_cipher_suite) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, dict_ldap-tls_cipher_suite)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_cipher_suite to %s: %d: %s, myname, dict_ldap-tls_cipher_suite, @@ -540,13 +546,21 @@ return (-1); } } - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, (dict_ldap-tls_require_cert))) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_require_cert to %d: %d: %s, myname, dict_ldap-tls_require_cert, rc, ldap_err2string(rc)); return (-1); } +#ifdef LDAP_OPT_X_TLS_NEWCTX + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, am_server)) + != LDAP_SUCCESS) { + msg_warn(%s: Unable to allocate new TLS context %d: %s, +myname, rc, ldap_err2string(rc)); + return (-1); + } +#endif } return (0); } 
@@ -592,10 +606,6 @@ #ifdef LDAP_OPT_NETWORK_TIMEOUT #ifdef LDAP_API_FEATURE_X_OPENLDAP -if (dict_ldap_set_tls_options(dict_ldap) != 0) { - dict_errno = DICT_ERR_RETRY; - return (-1); -} ldap_initialize((dict_ldap-ld),
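Review bot: In the @@ -484,10 +484,16 @@ hunk the #else branch sets ld = 0, so a build against a library without LDAP_OPT_X_TLS_NEWCTX still writes every option in this function to the process-wide defaults, and a table's tls_ca_cert_file or tls_require_cert can still be silently ignored once another caller has initialised TLS first, as described earlier in this thread. Suggest a comment on the #else line saying so, and a sentence in ldap_table(5) that per-table TLS settings only take effect when the library provides LDAP_OPT_X_TLS_NEWCTX.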
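Review bot: In the @@ -540,13 +546,21 @@ hunk, as the line appears here, LDAP_OPT_X_TLS_NEWCTX is passed am_server itself; ldap_set_option() takes a pointer to the value, so please confirm this reads &am_server in the applied patch (and likewise that the tls_require_cert argument just above is passed by address). Placing the NEWCTX call after all the other options is the right order, since the new context is built from the settings made before it.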
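Review bot: The @@ -592,10 +606,6 @@ hunk removes the dict_ldap_set_tls_options() call that ran before ldap_initialize(), and the hunk is cut off here, so the replacement call is not visible. Because the first hunk now reads dict_ldap->ld at function entry, the call has to be re-added only after ldap_initialize() has succeeded, and it should keep the removed failure path (dict_errno = DICT_ERR_RETRY; return (-1);). Please also confirm that in the #else build, where ld is 0, setting the global options after ldap_initialize() still affects the handle that was just created.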
Re: weird postfix TLS behaviour
On Wed, Feb 25, 2009 at 04:50:49PM -0800, J Sloan wrote:

> We have just started doing business with a firm that uses an ironport device, and discovered that postfix will not issue a STARTTLS to that host, whether it's listed in tls_policy_maps with may or encrypt protocols=TLSv1

The policy table lookup key does not match the destination nexthop, or your indexed table does not contain what you believe it does.

-- Viktor.
Re: weird postfix TLS behaviour
On Wed, Feb 25, 2009 at 05:50:07PM -0800, J Sloan wrote: Victor Duchovni wrote: On Wed, Feb 25, 2009 at 04:50:49PM -0800, J Sloan wrote: We have just started doing business with a firm that uses an ironport device, and discovered that postfix will not issue a STARTTLS to that host, whether it's listed in tls_policy_maps with may or encrypt protocols=TLSv1 The policy table lookup key does not match the destination nexthop, or ---=== your indexed table does not contain what you believe it does. That's probably what I would have said to someone with the same symptoms. Dunno. In any case, I can always benefit from a fresh perspective. That's exactly the problem. Here is the relevant entry from tls_policy_maps: kenion.com encrypt protocols=TLSv1 Feb 25 17:43:17 freeside postfix/smtp[16139]: ADA1130FED: to=u...@kenion.com, relay=65.246.216.42[65.246.216.42]:25, delay=0.68, delays=0.1/0/0.5/0.08, dsn=5.0.0, status=bounced (host 65.246.216.42[65.246.216.42] said: 530 #5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command)) The one thing different about this domain is that we have a transport entry for them which specifies the IP of their ironport device. (long story) It's not clear to me how that would affect the TLS settings, but I'll entertain any ideas at this point. I think you should be able to figure this out, even without reading the below, but if you are in a hurry try the documentation: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps http://www.postfix.org/TLS_README.html#client_tls_policy -- Viktor.
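The lookup-key mismatch discussed in this exchange, modelled as an added example (not code from Postfix or from the posters): the TLS policy table is consulted with the next-hop, and a transport(5) override replaces the next-hop verbatim, brackets included. The transport entry form, `partner.example` and `192.0.2.25` are assumed stand-ins for the thread's domain and relay IP, the function names are hypothetical, and only exact-match keys are modelled.

```python
def parse_table(text):
    """Parse 'key  value' lines of a Postfix lookup table source file."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table

def nexthop_for(rcpt_domain, transport):
    """Next-hop handed to the SMTP client: the transport override verbatim
    (brackets and port included), otherwise the recipient domain itself."""
    entry = transport.get(rcpt_domain.lower(), "")
    _, _, nexthop = entry.partition(":")   # "smtp:[192.0.2.25]" -> "[192.0.2.25]"
    return (nexthop or rcpt_domain).lower()

def tls_policy_for(rcpt_domain, transport, policy, default="none"):
    """Return (lookup_key, policy). `default` stands for the global
    smtp_tls_security_level that applies when the table has no match."""
    key = nexthop_for(rcpt_domain, transport)
    return key, policy.get(key, default)

def unreachable_policy_keys(rcpt_domains, transport, policy):
    """Policy keys that none of the given recipient domains ever looks up.
    Keys with a leading dot (parent-domain entries) are not modelled here."""
    used = {nexthop_for(d, transport) for d in rcpt_domains}
    return sorted(k for k in policy if not k.startswith(".") and k not in used)

# Constructed tables (assumed form of the configuration described in the thread).
TRANSPORT = parse_table("""
# domain           transport:nexthop
partner.example    smtp:[192.0.2.25]
""")
POLICY_BY_DOMAIN = parse_table("""
partner.example    encrypt protocols=TLSv1
""")
POLICY_BY_NEXTHOP = parse_table("""
[192.0.2.25]       encrypt protocols=TLSv1
""")

if __name__ == "__main__":
    for name, policy in (("keyed by domain", POLICY_BY_DOMAIN),
                         ("keyed by nexthop", POLICY_BY_NEXTHOP)):
        key, level = tls_policy_for("partner.example", TRANSPORT, policy)
        dead = unreachable_policy_keys(["partner.example"], TRANSPORT, policy)
        print(f"{name}: lookup key {key!r} -> {level!r}; never matched: {dead}")
```

With the domain-keyed table the lookup falls through to the default level and the `partner.example` entry is reported as never matched, which is the condition to look for when a policy entry appears to be ignored.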
Second candidate documentation update: smtp_tls_CAfile
On Wed, Feb 25, 2009 at 08:03:24PM +0100, Manuel Pégourié-Gonnard wrote:

> Hmm, isn't it twice the same paragraph (or two versions of it)? May I suggest to update the description of smtpd_tls_CA_file
>
> By the way, I'm not sure still whether I understand correctly smptd_CA_path. Would the following description be adequate?

How about this version?

Index: proto/TLS_README.html *** proto/TLS_README.html 25 Feb 2009 04:38:56 - 1.1.1.4.42.1 --- proto/TLS_README.html 25 Feb 2009 17:33:17 - *** *** 266,276 clients without special cipher choices, the RSA certificate is preferred. /p ! p In order for remote SMTP clients to check the Postfix SMTP ! server certificates, the CA certificate (in case of a certificate ! chain, all CA certificates) must be available. You should add any ! intermediate CA certificates to the server certificate: the server ! certificate first, then the intermediate CA(s). /p p Example: the certificate for server.example.com was issued by intermediate CA which itself has a certificate issued by root --- 266,276 clients without special cipher choices, the RSA certificate is preferred. /p ! p To enable a remote SMTP client to verify the Postfix SMTP server ! certificate, the issuing CA certificates must be made available to the ! client. You should include the required certificates in the server ! certificate file, the server certificate first, then the issuing ! CA(s) (bottom-up order). /p p Example: the certificate for server.example.com was issued by intermediate CA which itself has a certificate issued by root *** *** 1001,1014 password. Both parts (certificate and private key) may be in the same file. /p ! p In order for remote SMTP servers to verify the Postfix SMTP ! client certificates, the CA certificate (in case of a certificate ! chain, all CA certificates) must be available. You should add ! these certificates to the client certificate, the client certificate ! first, then the issuing CA(s). 
/p p Example: the certificate for client.example.com was issued by ! intermediate CA which itself has a certificate of root CA. Create the client.pem file with: /p blockquote --- 1001,1014 password. Both parts (certificate and private key) may be in the same file. /p ! p To enable remote SMTP servers to verify the Postfix SMTP client ! certificate, the issuing CA certificates must be made available to the ! server. You should include the required certificates in the client ! certificate file, the client certificate first, then the issuing ! CA(s) (bottom-up order). /p p Example: the certificate for client.example.com was issued by ! intermediate CA which itself has a certificate issued by root CA. Create the client.pem file with: /p blockquote Index: proto/postconf.proto *** proto/postconf.proto25 Feb 2009 04:38:56 - 1.1.1.22.16.1 --- proto/postconf.proto26 Feb 2009 14:42:42 - *** *** 890,896 pre debug_peer_list = 127.0.0.1 ! debug_peer_list = some.domain /pre %PARAM default_database_type see postconf -d output --- 890,896 pre debug_peer_list = 127.0.0.1 ! debug_peer_list = example.com /pre %PARAM default_database_type see postconf -d output *** *** 2876,2882 /p pre ! myhostname = host.domain.tld /pre %PARAM mynetworks see postconf -d output --- 2876,2882 /p pre ! myhostname = host.example.com /pre %PARAM mynetworks see postconf -d output *** *** 3508,3514 pre relayhost = $mydomain ! relayhost = [gateway.my.domain] relayhost = uucphost relayhost = [an.ip.add.ress] /pre --- 3508,3514 pre relayhost = $mydomain ! relayhost = [gateway.example.com] relayhost = uucphost relayhost = [an.ip.add.ress] /pre *** *** 8430,8441 presented to the client. For Netscape and OpenSSL clients without special cipher choices the RSA certificate is preferred. /p ! p In order to verify a certificate, the CA certificate (in case ! of a certificate chain, all CA certificates) must be available. ! You should add these certificates to the server certificate, the ! 
server certificate first, then the issuing CA(s). /p ! p Example: the certificate for server.dom.ain was issued by intermediate CA which itself has a certificate of root CA. Create the server.pem file with cat server_cert.pem intermediate_CA.pem root_CA.pem gt; server.pem. /p --- 8430,8442 presented to the client. For Netscape and OpenSSL clients without special cipher choices the RSA certificate is preferred. /p ! p To enable a remote SMTP client to verify the Postfix SMTP server ! certificate, the issuing CA certificates must be made available to the ! client. You should include the required certificates in the server ! certificate file, the server certificate first, then the issuing ! CA(s)
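Review bot: In the TLS_README.html hunk at 266, "(bottom-up order)" is introduced without being defined, and "must be made available to the client" can be read as saying that shipping the root CA in the certificate file makes it trusted. Suggest spelling the order out as server certificate, then intermediate CA(s), then root, and stating that the verifying peer must already hold the root CA as its own trust anchor; the same wording recurs in the hunk at 1001 and in the postconf.proto hunk at 8430.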
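Review bot: In the postconf.proto hunk at 3508 the relayhost examples move to example.com, but the context line relayhost = [an.ip.add.ress] keeps an ad-hoc placeholder. For consistency with the other clean-ups in this patch, use a documentation-range address such as [192.0.2.1] there as well.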
Re: using postfix with exchange 2003
On Thu, Feb 26, 2009 at 10:33:42AM -0500, Nick Smith wrote:

> Please excuse me if this has been discussed before, i tried searching the archives and the documentation and google and the info seems a bit dated and incomplete and for exchange 5.5. We have an exchange server 2003 (not sbs) at our office and several pop accounts which we pop for email to be delivered to accounts in AD.

Exchange is just an SMTP server, in this context the version is irrelevant.

> these machine are both on the local network, is it possible to have postfix hand the mail off to be delivered to exchange?

Certainly, just route it there.

> is it possible to do this in the transport mappings?

Yes.

http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/transport.5.html

> how would exchange know to accept mail from this internal mail server?

If Exchange is not connected to the Internet, configure it to accept all mail, otherwise allow the Postfix server. This is not a Postfix question.

> how do i tell postfix to hand off the mail to the exchange server either by local ip address or other?

Add transport entries as necessary.

-- Viktor.
Re: Multiple Bcc: recipients and delivery after fetchmail
On Thu, Feb 26, 2009 at 05:05:26PM +0100, Magnus Bäck wrote:

> > Is there a way to solve this on server1? I mean adding recipients somewhere to the mail header so server2 knows where to deliver? I already tried to set enable_original_recipient to yes - in that case a X-Original-To: is added but one copy of the mail is delivered for each recipient on server1. Or would adding other header information solve this (e.g. X-Envelope-To)?
>
> Is it a problem that you get one message per recipient? More data, yes, but on the other hand you get correct deliveries.

Note, this notion of correctness is not one of those pedantic types of correctness that is optional. Systems that forward mail to all header recipients are severely broken, and will cause mail loops, blacklisting by annoyed incorrect recipients, abuse by spammers, ...

So in short, forwarding systems must PRESERVE the original message envelope and must not re-create fresh envelopes from message To/Cc headers.

-- Viktor.
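The difference between preserving the envelope and rebuilding it from To/Cc, as an added example that is not part of the original thread: each fetched copy is re-delivered to the single recipient recorded in its X-Original-To header, and the result is compared with what header-based forwarding would have done. The message, addresses and function names are constructed, and `example.com` is assumed to be the domain served by server2.

```python
from email import message_from_string
from email.utils import getaddresses

def header_recipients(msg):
    """Addresses named in To/Cc: what a header-based forwarder would mail."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def plan_redelivery(fetched_copies, local_domain):
    """Deliver each fetched copy to the one recipient recorded in its envelope
    trace (X-Original-To), and only if that recipient is in the local domain."""
    suffix = "@" + local_domain.lower()
    envelope, skipped, from_headers = [], [], set()
    for raw in fetched_copies:
        msg = message_from_string(raw)
        from_headers |= header_recipients(msg)
        rcpt = (msg.get("X-Original-To") or "").strip().lower()
        if rcpt.endswith(suffix):
            envelope.append(rcpt)
        else:
            # No usable envelope record: hold for review, never guess from To/Cc.
            skipped.append(rcpt or "<no envelope recorded>")
    delivered = set(envelope)
    return {
        "envelope": sorted(delivered),
        "skipped": skipped,
        # Recipients a header-based forwarder would mail although the envelope
        # never named them: the source of loops and misdirected copies.
        "headers_would_add": sorted(from_headers - delivered),
        # Envelope recipients the headers do not show (Bcc, list expansion).
        "headers_would_drop": sorted(delivered - from_headers),
    }

# Constructed message: sent to alice (To) and bob (Bcc) at example.com, with an
# outside party in To and a mailing list in Cc. server1 stored one copy per
# local envelope recipient and stamped X-Original-To on each.
BODY = """\
From: sender@example.net
To: Alice <alice@example.com>, partner@example.net
Cc: list@example.org
Subject: quarterly numbers

(constructed sample)
"""
COPIES = [f"X-Original-To: {rcpt}\n" + BODY
          for rcpt in ("alice@example.com", "bob@example.com")]

if __name__ == "__main__":
    for key, value in plan_redelivery(COPIES, "example.com").items():
        print(f"{key}: {value}")
```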
Re: Postfix + Remote Ldap Server problem
On Fri, Feb 27, 2009 at 01:04:37PM +0200, vtzan wrote:

> I have setup Postfix LDAP (postfix-2.5.4-2.sasl2.vda.rhel5) on Centos 5.2 x64 and all features that i have configured are working great EXCEPT from REMOTE LDAP SERVER. I have configured OpenLDAP Server to some other ip on the network(its a different server) but Postfix still looks for LOCAL LDAP DATABASE all the time. When i move password database from remote Ldap server to localhost and start ldap service on localhost everything works OK. The thing is that i want LDAP Server to be another machine on the network.
>
> message:
> ---
> postfix/trivial-rewrite[18638]: warning:dict_ldap_connect: Unable to bind to server ldap://localhost:389 as : -1(Can't contact LDAP server)
> postfix/trivial-rewrite[18638]: fatal:ldap:ldaplists(0,lock|fold_fix): table lookup problem
>
> In my config i have set:
>
> From main.cf
> ## LDAP SERVER ##
> ldap_server_host = remoteipaddress
> ldap_server_port = 389
> ldap_bind = no
> ldap_search_base = ou=accounts,dc=***,dc=**
> ldap_scope = sub
> ldap_cache = no

These settings are for a table called ldap, but your table is called ldaplists. These days it is advised to use the /some/file.cf way of defining LDAP tables.

> virtual_alias_maps = hash:/etc/postfix/virtual ldap:ldapmailfwonly ldap:ldaplists ldap:ldapalias

You really should define virtual_alias_domains explicitly (perhaps empty), otherwise it defaults to the above, and you are doing transport lookups via LDAP.

Switch to:

    proxy:ldap:/etc/postfix/ldaplists.cf

and in the file set:

    server_host = ...
    server_port = ...
    search_base = ...
    query_filter = ...
    result_attribute = ...
    ...

-- Viktor.
Re: Problem with ldap table lookups and TLS
On Fri, Feb 27, 2009 at 09:35:39AM -0800, Quanah Gibson-Mount wrote:

> --On Wednesday, February 25, 2009 7:12 PM -0500 Victor Duchovni victor.ducho...@morganstanley.com wrote:
>
> > Note, the OpenLDAP API design issue is resolved with OpenLDAP 2.4. With OpenLDAP 2.4 it is possible to set the TLS properties for a particular LDAP connection (not just global properties), and to associate a new OpenLDAP managed TLS context for the connection via the new LDAP_OPT_X_TLS_NEWCTX option.
> >
> > Try this completely untested patch (it may not even compile, but it looks promising):
>
> Victor, If you are unable to test this patch at this time, I can do some testing on my systems using OpenLDAP 2.4.15 Postfix 2.5.6.

That would be great. My ability to test LDAP with TLS is very limited. I have (only since this morning) access to one LDAP + TLS server. The patch should support the ability to establish separate SSL verification, CA list, cipher, ... requirements for different LDAP tables.

-- Viktor.
Re: Can't fix Untrusted TLS connection established
On Fri, Feb 27, 2009 at 12:56:34PM -0500, Adam Rosi-Kessel wrote:

> Victor Duchovni wrote, on 2/27/2009 12:50 PM:
>
>>> I'm running postfix on server and client, forcing TLS on both. No matter what I do, I can't seem to solve Untrusted TLS connection established to [...]:587: TLSv1 with cipher ADH-AES256-SHA (256/256 bits) warning messages in the client log file. Aside from those warnings, mail delivery actually works fine.
>>
>> This is not a warning. It is an informational message. Postfix 2.6 will use Anonymous instead of Untrusted, which may be less confusing.
>
> Thanks -- that explains a lot. So it just means there is no client-certificate, right? Is this to be expected, even if I do have a unique cert/key installed on the client?

It means that the client negotiated an anonymous cipher with the server, and there were no certificates on either side. When Postfix is not doing certificate checks (opportunistic TLS: may), no certificates are required.

> But I'm not sure it's actually checking the server certificate at all,

Clearly it is not, because you did not ask the client to check the server certificate, so why waste time doing that.

> which may just be a separate issue. If I take out any mention of cacert in main.cf, I don't see any warning or error in the log file. Shouldn't the postfix client be checking the server certificate against the local trusted CA?

Only if you ask it to, generally unwise as the vast majority of SMTP STARTTLS servers are self-signed. You can use secure-channel configurations to selected destinations via the policy table.

-- Viktor.
Re: Problem with ldap table lookups and TLS
On Fri, Feb 27, 2009 at 09:35:39AM -0800, Quanah Gibson-Mount wrote:

> If you are unable to test this patch at this time, I can do some testing on my systems using OpenLDAP 2.4.15 Postfix 2.5.6.

The patch is working for me, please confirm that it is working for you also. It is simple enough that the only possible issue is a misreading of the new OpenLDAP 2.4 API or implementation bugs in OpenLDAP. The new Postfix code itself is obviously correctly trying to set up connection specific SSL parameters, so the question is only whether there are some additional subtle steps needed to make this happen.

So far it looks like the changes in the patch are a correct interpretation of the LDAP API:

- Set TLS parameters for the current LDAP handle, not the NULL (global) handle.
- After all the parameters are in place, request a dedicated SSL context for the current LDAP handle.

Provided this is the right approach, we are good to go.

-- Viktor.
Re: Integrating Lotus Domino Ldap
On Fri, Feb 27, 2009 at 08:24:32AM -0500, Rich wrote:

> Has anyone ever integrated Lotus Domino Ldap with postfix and used it for authentication?

If LDAP is providing user login via PAM/nss, you can just use saslauthd -a pam; if you want to verify password hashes of non system users, you will need custom glue, although pam is not necessarily excluded if you prepare the right PAM module for smtp that pulls user account data from somewhere other than /etc/passwd.

-- Viktor.
Re: postsuper -r not re-resolving aliases
On Fri, Feb 27, 2009 at 02:34:23PM -0800, Harold Paulson wrote:

> Hello, I have a number of messages in my deferred queue that are destined for an offsite alias, which is currently unreachable. I have changed the alias to point to a local mailbox so the mail can be retrieved by the owner. New messages sent to this alias are delivered as expected to this new mailbox. However, if I 'postsuper -r queueid' one of the deferred messages, it is re-queued to go to the old offsite destination. I was expecting it to re-resolve the alias, and send the message to the new mailbox.
>
> postsuper(1) says that when I re-queue a message with the -r option: The message is subjected again to mail address rewriting and substitution. This is useful when rewriting rules or virtual mappings have changed.
>
> Obviously I am doing something wrong here. How can I re-queue these deferred messages so they are sent to the new destination instead of the old one?

It is again subjected to rewriting, but the input to the rewrite is the output of the previous rewrites.

-- Viktor.
Re: Plus addressing not delivering to folder
On Fri, Feb 27, 2009 at 05:48:35PM -0500, Charles Marcus wrote:

> I'm sure this is something I'm totally missing but I have a system I'm trying to get plus addressing working, and not having any luck. The email is delivered, but just to the Inbox, not to the folder...

Plus addressing is working, mail for user+test is delivered to the mailbox of user.

> Feb 27 17:26:07 myhost postfix/virtual[14449]: 87CA049C274: to=user+t...@example.com, relay=virtual, delay=0.47, delays=0.47/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
> Feb 27 17:26:07 myhost postfix/qmgr[1524]: 87CA049C274: removed

-- Viktor.
Re: Your Email
On Sun, Mar 01, 2009 at 03:49:18AM +, Daniel C wrote:

> I just changed the owner of the IMAP folder and assigned Postfix and courier-authlib to use this new user. It has a UID and GID of 1000.

What user does amavis run as? When you say that Postfix uses this new user, what do you mean by that?

> Here a new set of headers (from both duplicated mails), and a copy of my log from this. Sorry if I put a link in my message, it's because I can't include all the header's data from Hotmail... http://www.myrandor.com/postfix2.txt From what I can see in there, the email is picked up only once from my mail client. So I suspect something's wrong in Postfix...

Come on, there is no basis for this conclusion, indeed the opposite seems likely, the extra copy has:

    Received: by mail.mydomain.com (Postfix, from userid 1000) id 1E671420CF8; Sat, 28 Feb 2009 22:17:41 -0500 (EST)
    X-IMAP-Sender: jac...@mydomain.com

Are you saying that Postfix adds the X-IMAP-Sender header that is not in the original SMTP message? The second copy is injected by user 1000, what is running as that user now?

> Seems like it delivered the mail to Amavis, but doing a copy to itself at the same time...?

Don't waste your time looking for Postfix bugs. The unwanted duplication will be found in non-Postfix code, unless you find it, you will make no progress. Pursue this on the amavis list.

From your logs, below are shown the ONLY deliveries performed by Postfix. No Postfix delivery is via a delivery agent that is capable of calling sendmail(1) to fork the message, because lmtp(8) and virtual(8) simply don't have code to do this. All deliveries before virtual(8) delivery are to amavis, which is presumably still running as the wrong user (1000 just like virtual(8) and the IMAP server, instead of a dedicated user). Your amavis config forks the message. Don't do that.

In via smtpd(8) out via lmtp(8) to amavis:

    Feb 28 22:17:40 homer postfix/smtpd[23674]: B82157EDC6: client=ip-xxx.xxx.xxx.xxx.dsl-xxx.net[xxx.xxx.xxx.xxx], sasl_method=PLAIN,sasl_username=jac...@mydomain.com
    Feb 28 22:17:40 homer postfix/cleanup[23681]: B82157EDC6: message-id=49a9fe50.1090...@mydomain.com
    Feb 28 22:17:44 homer postfix/lmtp[23682]: B82157EDC6: to=jac...@mydomain.com, relay=10.0.32.13[10.0.32.13]:10024, delay=3.4, delays=0.08/0.01/0/3.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=15794-04, from MTA([10.0.32.13]:10025): 250 2.0.0 Ok: queued as 0FF3437098E)

In via sendmail(1) out via lmtp(8) to amavis:

    Feb 28 22:17:41 homer postfix/pickup[23038]: 1E671420CF8: uid=1000 from=jac...@mydomain.com
    Feb 28 22:17:41 homer postfix/cleanup[23681]: 1E671420CF8: message-id=49a9fe50.1090...@mydomain.com
    Feb 28 22:17:44 homer postfix/lmtp[23697]: 1E671420CF8: to=jac...@mydomain.com, relay=10.0.32.13[10.0.32.13]:10024, delay=3.5, delays=0.05/0.01/0.01/3.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=23199-01, from MTA([10.0.32.13]:10025): 250 2.0.0 Ok: queued as 887707EDC6)

In via smtpd(8) from amavis out via virtual(8) to maildir:

    Feb 28 22:17:44 homer postfix/smtpd[23706]: 0FF3437098E: client=homer.mydomain.com[10.0.32.13]
    Feb 28 22:17:44 homer postfix/cleanup[23681]: 0FF3437098E: message-id=49a9fe50.1090...@mydomain.com
    Feb 28 22:17:44 homer postfix/virtual[23709]: 0FF3437098E: to=jac...@mydomain.com, relay=virtual, delay=0.08, delays=0.06/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)

In via smtpd(8) from amavis out via virtual(8) to maildir:

    Feb 28 22:17:44 homer postfix/smtpd[23706]: 887707EDC6: client=homer.mydomain.com[10.0.32.13]
    Feb 28 22:17:44 homer postfix/cleanup[23681]: 887707EDC6: message-id=49a9fe50.1090...@mydomain.com
    Feb 28 22:17:44 homer postfix/virtual[23709]: 887707EDC6: to=jac...@mydomain.com, relay=virtual, delay=0.02, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)

-- Viktor.
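The tracing done by hand in the reply above (group log lines by queue ID, see how each copy entered Postfix, follow "queued as" through the filter to final delivery) can be scripted. This is an added example, not part of the original post: the log lines are constructed, modelled on the excerpt, with made-up host names, queue IDs and addresses, and they use the usual <...> brackets around addresses.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on the excerpt above (host names, queue IDs
# and addresses are made up). One message enters twice: by SMTP and via pickup.
SAMPLE_LOG = """\
Feb 28 22:17:40 mx postfix/smtpd[2301]: B8215AAAA1: client=dsl.example.net[192.0.2.7], sasl_method=PLAIN, sasl_username=user@example.com
Feb 28 22:17:40 mx postfix/cleanup[2302]: B8215AAAA1: message-id=<49a9fe50@example.com>
Feb 28 22:17:41 mx postfix/pickup[2303]: 1E671BBBB2: uid=1000 from=<user@example.com>
Feb 28 22:17:41 mx postfix/cleanup[2302]: 1E671BBBB2: message-id=<49a9fe50@example.com>
Feb 28 22:17:44 mx postfix/lmtp[2304]: B8215AAAA1: to=<user@example.com>, relay=10.0.32.13[10.0.32.13]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0FF34CCCC3)
Feb 28 22:17:44 mx postfix/lmtp[2305]: 1E671BBBB2: to=<user@example.com>, relay=10.0.32.13[10.0.32.13]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 88770DDDD4)
Feb 28 22:17:44 mx postfix/smtpd[2306]: 0FF34CCCC3: client=mx.example.com[10.0.32.13]
Feb 28 22:17:44 mx postfix/cleanup[2302]: 0FF34CCCC3: message-id=<49a9fe50@example.com>
Feb 28 22:17:44 mx postfix/virtual[2307]: 0FF34CCCC3: to=<user@example.com>, relay=virtual, dsn=2.0.0, status=sent (delivered to maildir)
Feb 28 22:17:44 mx postfix/smtpd[2306]: 88770DDDD4: client=mx.example.com[10.0.32.13]
Feb 28 22:17:44 mx postfix/cleanup[2302]: 88770DDDD4: message-id=<49a9fe50@example.com>
Feb 28 22:17:44 mx postfix/virtual[2307]: 88770DDDD4: to=<user@example.com>, relay=virtual, dsn=2.0.0, status=sent (delivered to maildir)
"""

LINE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
QUEUED_AS = re.compile(r"queued as ([0-9A-F]{6,})")


def parse(log_text):
    """Collect, per queue ID: how it entered, its Message-ID, its deliveries."""
    msgs = defaultdict(lambda: {"origin": None, "message_id": None,
                                "deliveries": [], "children": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:                      # NOQUEUE rejects, non-Postfix lines
            continue
        daemon, qid, rest = m.group("daemon", "qid", "rest")
        rec = msgs[qid]
        if daemon == "smtpd" and rest.startswith("client="):
            rec["origin"] = "smtpd " + rest.split(",")[0]
        elif daemon == "pickup" and rest.startswith("uid="):
            rec["origin"] = "pickup " + rest.split()[0]  # sendmail(1) run by this uid
        elif daemon == "cleanup" and rest.startswith("message-id="):
            rec["message_id"] = rest[len("message-id="):]
        elif "status=" in rest:
            relay = re.search(r"relay=([^,]+)", rest)
            status = re.search(r"status=(\w+)", rest).group(1)
            rec["deliveries"].append((daemon, relay.group(1) if relay else "?", status))
            rec["children"] += QUEUED_AS.findall(rest)   # re-injected by the filter
    return dict(msgs)


def duplicate_entries(msgs):
    """Message-IDs that entered the queue more than once from outside,
    ignoring copies that are only the filter's re-injection ('queued as')."""
    reinjected = {c for rec in msgs.values() for c in rec["children"]}
    by_mid = defaultdict(list)
    for qid, rec in msgs.items():
        if qid not in reinjected and rec["message_id"]:
            by_mid[rec["message_id"]].append((qid, rec["origin"]))
    return {mid: e for mid, e in by_mid.items() if len(e) > 1}


def follow(msgs, qid):
    """Follow one copy hop by hop (first re-injection only) to final delivery."""
    hops, seen = [], set()
    while qid in msgs and qid not in seen:
        seen.add(qid)
        rec = msgs[qid]
        hops += [f"{qid} {d} relay={r} status={s}" for d, r, s in rec["deliveries"]]
        qid = rec["children"][0] if rec["children"] else None
    return hops


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for mid, entries in duplicate_entries(parsed).items():
        print(f"{mid} entered the queue {len(entries)} times")
        for qid, origin in entries:
            print(f"  via {origin}: " + " -> ".join(follow(parsed, qid)))
```

An entry whose origin is "pickup uid=N" was submitted locally through sendmail(1) by a process running as that uid, which is where to look for the software that forked the message.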
Re: Prioritising outgoing mail
On Mon, Mar 02, 2009 at 10:44:21PM +0800, Wouter van Marle wrote:

> Hi list, From me a question that seems to be asked now and then here, but I could not find any answers even on whether this is possible in the first place. I would like to be able to prioritise outgoing e-mail so they do not get stuck in the queue. This as I now and then send out a large number of e-mails with attachments, and that saturates my connection for a prolonged time. It doesn't matter that those mails get out slower, as long as they get out eventually I'm happy.

Use a custom transport for these messages with a low concurrency limit, or use traffic shaping in the TCP stack to limit the bandwidth per SMTP connection.

-- Viktor.
Re: Prioritising outgoing mail
On Tue, Mar 03, 2009 at 11:25:55AM +0800, Wouter van Marle wrote:

> On Mon, 2009-03-02 at 11:18 -0500, Victor Duchovni wrote:
>
>> On Mon, Mar 02, 2009 at 11:59:31PM +0800, Wouter van Marle wrote:
>>
>>>> Use a custom transport for these messages with a low concurrency limit,
>>>
>>> You mean like installing sendmail or so in parallel to postfix and then have sendmail send out the lower-priority mails?
>>
>> No I mean a Postfix transport, as in transport(5) and master(5).
>
> The problem of a transport map (I have just read the man page, which as usual is highly technical so I am not sure whether I fully understand the purpose and working of transport maps) is that there is a huge overlap between receivers of the low-priority mail list and regular e-mail receivers. Most of the regular e-mail receivers also receive this mail list.

You may need to do sender-dependent routing for this sender, and inject the mail into a different queue, or get the originating system to do this directly.

>> It would not, but you won't saturate the entire link with any given email, leaving enough room for other traffic. If you can limit the concurrency of this particular message, then you'll have some bandwidth left over for other messages.
>
> I don't like that idea very much: when I have only a few mails to send out, I want them to go with the maximum speed possible. I have 2 Mbit available, so with 100 smtp connections could limit it to say 20 kbit per smtp process. But that would leave the rest of my bandwidth idle when there are less than 100 active smtp connections, which is the case like 90% of the time.

Does limiting bandwidth for small messages significantly impact delivery latency? Also who said you should divide the bandwidth 100-fold? You give the slow transport 5 parallel threads, and up to half the bandwidth, so each channel gets 10% of the bandwidth.

-- Viktor.
Re: there is no pipe process running
On Tue, Mar 03, 2009 at 09:17:55AM -0500, Erik Morton wrote:

> I am assuming that I should have a pipe process running. Is that not the case?

Only during a delivery and shortly thereafter, unless pipe(8) exits with a fatal error. On a low-volume server pipe(8) may not be running at any given moment, and this is fine.

-- Viktor.
Re: there is no pipe process running
On Tue, Mar 03, 2009 at 10:19:50AM -0500, Erik Morton wrote:

> Thanks. I am running with -D (strace) and -v enabled and I'm not seeing anything fatal or related to a pipe process. I've defined my filter in master.cf like so:
>
> filter unix - n n - 10 pipe -v
>   flags=Rq user=my_user argv=/usr/bin/receiver -f ${sender} -- ${recipient}
>
> The receiver script is based on the example from the content filter readme. It basically just curls the email to a web service. Is it strange that I'm not seeing any debugging information for the pipe process?

No, there's no -D in this master.cf entry, and you have not shown the debugger_command setting from main.cf.

-- Viktor.
Re: there is no pipe process running
On Tue, Mar 03, 2009 at 11:07:50AM -0500, Erik Morton wrote:

> I guess I only expected logging output because I can't seem to figure out why the following:
>
> filter unix - n n - 10 pipe -v
>   flags=Rq user=my_user argv=/usr/bin/receiver -f ${sender} -- ${recipient}
>
> Doesn't seem to work.

It works exactly as configured. You've configured a new transport ready and willing to process mail, but not configured Postfix to *use* that transport to deliver any mail. You are probably not using the discard transport either, and yet it is defined correctly in master.cf.

-- Viktor.
Re: Problem with ldap table lookups and TLS
On Tue, Mar 03, 2009 at 07:30:39PM -0500, Wietse Venema wrote:

> Victor Duchovni:
>
>> With OpenLDAP 2.4 it is possible to set the TLS properties for a particular LDAP connection (not just global properties), and to associate a new OpenLDAP managed TLS context for the connection via the new LDAP_OPT_X_TLS_NEWCTX option. Try this completely untested patch (it may not even compile, but it looks promising):
>
> Is this the version that is ready, or have there been further changes?

No changes. It worked as originally posted.

Index: src/global/dict_ldap.c --- src/global/dict_ldap.c 28 Jan 2008 04:29:48 - 1.1.1.2 +++ src/global/dict_ldap.c 26 Feb 2009 00:04:18 - @@ -484,10 +484,16 @@ { const char *myname = dict_ldap_set_tls_options; int rc; +#ifdef LDAP_OPT_X_TLS_NEWCTX +int am_server = 0; +LDAP *ld = dict_ldap-ld; +#else +LDAP *ld = 0; +#endif if (dict_ldap-start_tls || dict_ldap-ldap_ssl) { if (*dict_ldap-tls_random_file) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE, dict_ldap-tls_random_file)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_random_file to %s: %d: %s, myname, dict_ldap-tls_random_file, @@ -496,7 +502,7 @@ } } if (*dict_ldap-tls_ca_cert_file) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, dict_ldap-tls_ca_cert_file)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_ca_cert_file to %s: %d: %s, myname, dict_ldap-tls_ca_cert_file, @@ -505,7 +511,7 @@ } } if (*dict_ldap-tls_ca_cert_dir) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, dict_ldap-tls_ca_cert_dir)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_ca_cert_dir to %s: %d: %s, myname, dict_ldap-tls_ca_cert_dir, 
@@ -514,7 +520,7 @@ } } if (*dict_ldap-tls_cert) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, dict_ldap-tls_cert)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_cert to %s: %d: %s, myname, dict_ldap-tls_cert, @@ -523,7 +529,7 @@ } } if (*dict_ldap-tls_key) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, dict_ldap-tls_key)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_key to %s: %d: %s, myname, dict_ldap-tls_key, @@ -532,7 +538,7 @@ } } if (*dict_ldap-tls_cipher_suite) { - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, dict_ldap-tls_cipher_suite)) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_cipher_suite to %s: %d: %s, myname, dict_ldap-tls_cipher_suite, @@ -540,13 +546,21 @@ return (-1); } } - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, (dict_ldap-tls_require_cert))) != LDAP_SUCCESS) { msg_warn(%s: Unable to set tls_require_cert to %d: %d: %s, myname, dict_ldap-tls_require_cert, rc, ldap_err2string(rc)); return (-1); } +#ifdef LDAP_OPT_X_TLS_NEWCTX + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, am_server)) + != LDAP_SUCCESS) { + msg_warn(%s: Unable to allocate new TLS context %d: %s, +myname, rc, ldap_err2string(rc)); + return (-1); + } +#endif } return (0); } @@ -592,10 +606,6 @@ #ifdef LDAP_OPT_NETWORK_TIMEOUT #ifdef LDAP_API_FEATURE_X_OPENLDAP -if (dict_ldap_set_tls_options(dict_ldap) != 0) { - dict_errno = DICT_ERR_RETRY; - return (-1); -} ldap_initialize((dict_ldap-ld), dict_ldap-server_host); #else dict_ldap-ld = ldap_init(dict_ldap-server_host, 
@@ -700,6 +710,8 @@ #endif #ifdef LDAP_API_FEATURE_X_OPENLDAP +if (dict_ldap_set_tls_options(dict_ldap) != 0) + DICT_LDAP_UNBIND_RETURN(dict_ldap-ld, DICT_ERR_RETRY, -1); if (dict_ldap-start_tls) { if ((saved_alarm = signal(SIGALRM, dict_ldap_timeout)) == SIG_ERR) { msg_warn(%s: Error setting signal handler for STARTTLS timeout: %m
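Review bot: The #else branch in the first hunk (@@ -484,10 +484,16 @@), LDAP *ld = 0;, keeps the old behaviour of writing every TLS option to the global handle, and nothing in the code or the logs says so. A build against a library without LDAP_OPT_X_TLS_NEWCTX will therefore still share one set of CA, cipher and tls_require_cert settings across all LDAP tables in the process. A comment on that branch, or a note in the table documentation that per-table TLS settings need the newer API, would keep operators from assuming isolation they do not have.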
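Review bot: The LDAP_OPT_X_TLS_NEWCTX call added in the hunk at @@ -540,13 +546,21 @@ depends on being the last ldap_set_option() in the function, since the dedicated context is requested only after all the parameters are in place, but no comment states that ordering requirement. Add one above the #ifdef so that a TLS option added later is not placed after the context has been created. The new warning text, Unable to allocate new TLS context %d: %s, also drops the colon before the numeric code that the other warnings in this function use; matching them keeps log parsing uniform.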
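Review bot: For ldap_ssl (ldaps://) tables the relocated dict_ldap_set_tls_options() call in the last hunk (@@ -700,6 +710,8 @@) has to run before anything opens the connection, and the visible context only shows it placed just ahead of the start_tls branch. Please confirm that nothing between ldap_initialize() (hunk @@ -592,10 +606,6 @@) and this point triggers a connect, and add a comment explaining that the call moved because the options are now set on the handle, which must exist first. Using DICT_LDAP_UNBIND_RETURN on failure is the right change here, since the handle has already been allocated at this point.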
Re: Postfix + Dovecot SASL authentication.
On Wed, Mar 04, 2009 at 12:29:29AM -0200, Miguel Da Silva - Centro de Matemática wrote:

> Mar 2 18:42:02 smtp postfix/smtpd[15652]: NOQUEUE: reject: RCPT from r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz. xx]: 450 4.7.1 dest...@cmat.edu.uy: Recipient address rejected: Greylisting in action, please come back later.; from=usuar...@c mat.edu.uy to=dest...@cmat.edu.uy proto=ESMTP helo=UserPC
>
> smtpd_recipient_restrictions =
>     reject_rbl_client sbl.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     check_recipient_access hash:/etc/postfix/bloqueados
>     permit_sasl_authenticated
>     permit_mynetworks
>     reject_unauth_destination
>     reject_unknown_recipient_domain
>     reject_unverified_recipient
>     check_policy_service inet:127.0.0.1:10026
>
> Suggestions?! My idea is, if you are not part of $mynetworks, then authenticating is the only way to get mail relayed through this server.

The user was not relaying: mail was sent to a domain you are responsible for, so this was not blocked by reject_unauth_destination. Nor should it have been. On a port 25 MX host you can't distinguish roaming users submitting mail to your domains from outside MTAs delivering mail to your domains.

-- Viktor.
Re: That Relay Access Denied Thing
On Wed, Mar 04, 2009 at 09:31:21AM -0500, Charles Marcus wrote:

> On 3/4/2009, Robert A. Ober (ro...@robob.com) wrote:
>
>> # dovecot -n command gives a clean output of the changed settings. Use it
>> # instead of copypasting this file when posting to the Dovecot mailing list.
>> # --with-ssldir=/etc/ssl
>
> You need to read the welcome message you got... ONLY provide postfix -n output, and if needed, dovecot -n output. Also description of what you are trying to do and logs of the error...

If I recall correctly the OP reported using Postfix 2.2 and should see:

    http://www.postfix.org/postconf.5.html#smtpd_sasl_type

attempts to use Dovecot SASL auth with Postfix 2.2 are unlikely to get very far.

-- Viktor.
Re: Postfix + Dovecot SASL authentication.
On Wed, Mar 04, 2009 at 09:35:38AM -0200, Miguel Da Silva - Centro de Matemática wrote:

>> The user was not relaying: mail was sent to a domain you are responsible for, so this was not blocked by reject_unauth_destination.
>
> Well... I don't think so, maybe I am not understanding reject_unauth_destinations correctly.

You are the one asking the question, so it would be wise to take time to research and test the (correct) answer you were given.

> * Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (u...@elsewhere@domain).
>
> But, reading the second one I would say every local user sending mail to another local user will get it done through the server.

Any client (regardless of envelope sender address) passes this restriction when sending to a local destination address.

-- Viktor.