Re: virus scanning
Hi,

There is no dovecot. This is a relay server and there are security constraints that must be followed.

Zs.

On 2022-03-08 16:07, Jeroen Geilman wrote:

This is a very bad idea; google "mailscanner postfix" for why. Instead, scan your mailboxes after delivery, dovecot has hooks for this. If the smackafee product doesn't offer a service for this instead of messing with another process' files, it is not worth whatever it costs.

On 8 Mar 2022 15:57, Zsombor B wrote:

Hi, Can you please confirm that postfix creates a file from each and every email at least once? I'm asking this because we have to switch to McAfee AV and my plan is to use its on-access-scan feature to scan the emails. If postfix really creates a file at least once of each email then this can be a solution. (The performance penalty will be different topic of course.) Thanks, Zs.
virus scanning
Hi, Can you please confirm that postfix creates a file from each and every email at least once? I'm asking this because we have to switch to McAfee AV and my plan is to use its on-access-scan feature to scan the emails. If postfix really creates a file at least once of each email then this can be a solution. (The performance penalty will be different topic of course.) Thanks, Zs.
multi instance and always_bcc
Hi, We'd like to debug some emails sent through a multi instance without having any impact on the mail flow so I have added always_bcc=de...@whatever.com to the main.cf of that instance and reloaded it. But instead of sending copies of the emails to the debug address, postfix relays both the original and the bcc emails to the relayhost of the multi instance as well. This is postfix v3.2.10 on a SLES 12 SP5 server. Is this the expected behaviour? Thanks, Zsombor
Re: automatic config reload
Hi Wietse,

Thanks for the explanation, now it's clear.

Zsombor

On 2021.08.25 03:54, Wietse Venema wrote:
> Zsombor B:
> > Hi All,
> >
> >
> > We had a mail service outage caused by a storage issue (the volume
> > with the custom config files went down) and postfix kept looking
> > for config files which were unavailable. We also see in the logs
> > that postfix keeps checking for modified config files and if it
> > finds an updated config then automatically reloads itself.
> >
> > Is it possible to disable this automatic config file check and the
> > automatic reload?
>
> You ask the wrong question.
>
> Postfix does not keep checking the file system for modified files
> to reload. If you see "reload" logging from the master daemon, then
> perhaps you are running some tool to do that for you.
>
> Most Postfix daemons will terminate after 100 connections or 100
> seconds of inactivity.
>
> When a new process is started, that process reads Postfix config
> files as it starts up.
>
> You can't tell a Postfix process to read configuration files as it
> starts up. You can configure Postfix to run its daemons forever,
> but that is not recommended.
>
> Wietse
automatic config reload
Hi All, We had a mail service outage caused by a storage issue (the volume with the custom config files went down) and postfix kept looking for config files which were unavailable. We also see in the logs that postfix keeps checking for modified config files and if it finds an updated config then automatically reloads itself. Is it possible to disable this automatic config file check and the automatic reload? Thanks, Zsombor
time spent in queue
Hi,

An email has spent ~6 hours in the queue:

2021-06-09T12:15:46+00:00 from=, size=1761, nrcpt=1 (queue active)
2021-06-09T18:25:43+00:00 postfix/smtp[26900]: 4G0R023WFLzNnVL: to=, relay=[]:587, delay=22197, delays=0/22197/0.07/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4G0bBv3dFHzyQk)

There is nothing between the two events. Is there a way to find out why the mail spent so much time in the queue?

Thank you,
Zsombor
empty sender in bounce message
Hi,

I'm sending an email with a valid address to an invalid one (i.e. the destination domain doesn't exist). The bounce message is rejected by the valid sender's mail server because the sender address is empty. The question is why the sender is empty and how can this be solved?

Example:
Sender: address@valid.domain
Recipient: address@invalid.domain

Log:
postfix/bounce[18367]: 4FvShX4dlszNkGd: sender non-delivery notification: 4FvShn5kHhzNkbj

Log for 4FvShn5kHhzNkbj:
[...] 4FvShn5kHhzNkbj: to=, relay=VALID.DEOMAIN, delay=88, delays=0/88/0.08/0.01, dsn=4.7.1, status=deferred (host VALID.DEOMAIN said: 453 4.7.1 <>: Sender address rejected: You are not authorized to send as <> (in reply to RCPT TO command))

Top rows of the queue file:
*** ENVELOPE RECORDS /var/spool/postfix/deferred/C/4FvShn5kHhzNkbj ***
message_size:2450 287 1 02450 0
message_arrival_time: Tue Jun 1 10:15:21 2021
create_time: Tue Jun 1 10:15:21 2021
named_attribute: log_message_origin=local
named_attribute: trace_flags=0
sender:
named_attribute: dsn_orig_rcpt=rfc822;address@valid.domain
original_recipient: address@valid.domain
recipient: address@valid.domain
*** MESSAGE CONTENTS /var/spool/postfix/deferred/C/4FvShn5kHhzNkbj ***
Received: by mymailserver (Postfix) id 4FvShn5kHhzNkbj; Tue, 1 Jun 2021 10:15:21 + (UTC)
Date: Tue, 1 Jun 2021 10:15:21 + (UTC)
From: MAILER-DAEMON@mymailserver (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: address@valid.domain
Auto-Submitted: auto-replied

Thank you in advance,
Zsombor
replying with OK
Hi, Is there a way to reply with 'OK' to the sender instead of 'relay access denied'? Reason: thousands of junk emails per day are sent from DEV environment to forged recipients but only a couple of recipient domains are allowed. The others get 'relay access denied' but the developers are complaining that their automated tests are falsely failing because of the relay access denied response. (I got a promise that the tests will be fixed but that will take months and automated test reports will be red until then.) Thank you, Zsombor
email loops back from localhost
Hi,

Can you help me please why does this fall into a loop?

postfix > localhost:1 > localhost:1 > localhost:1 > etc. until too many hops.

--- main.cf:
transport_maps = hash:/etc/postfix/transport

--- /etc/postfix/transport:
recipi...@domain.com smtp:[127.0.0.1]:1

--- master.cf
127.0.0.1:1 inet n - y - - smtpd
  -o transport_maps=hash:/etc/postfix/custom_transport
  -o smtp_sasl_password_maps=hash:/etc/postfix/custom_auth

--- /etc/postfix/custom_transport
recipi...@domain.com smtp:[some.external.server]:25

Thank you
Zsombor
Re: providing queue id for the clients
Hi,

Please provide evidence.

This is the point. :) External client sent us a mail we accepted with queue id "A". I have asked them to look for this "A" in their logs. I was told they can't find it in their logs.

Zsombor

Quoting (Wietse Venema ):

Zsombor B:
It turned out during an investigation that our postfix servers don't provide a queue id for the external clients when accepting a new email.

Please provide evidence.

Postfix SMTP client logging:

... status=sent (250 2.0.0 Ok: queued as AA92365E6F)

Wietse
providing queue id for the clients
Hi, It turned out during an investigation that our postfix servers don't provide a queue id for the external clients when accepting a new email. However the very same servers do provide queue id for internal mail servers. Is there a specific configuration option to provide the queue id under any circumstances? Thank you, Zsombor
stop retransmitting failed delivery
Hi, Microsoft has this policy at https://postmaster.live.com/pm/policies.aspx "After given a numeric SMTP error response code between 500 and 599 (also known as a permanent non-delivery response), the sender must not attempt to retransmit that message to that recipient." How can this be done with postfix? Thank you, Zsombor
Re: limiting connections to a single host
Thanks All, I'll take a look.

Zsombor

Quoting ("Fazzina, Angelo" ):

Maybe this section of the docs is what you are trying to accomplish ?
http://www.postfix.org/TUNING_README.html#rope

-ANGELO FAZZINA
ang...@uconn.edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org On Behalf Of Zsombor B
Sent: Thursday, November 5, 2020 8:12 AM
To: postfix-users@postfix.org
Subject: limiting connections to a single host

*Message sent from a system outside of UConn.*

Hi, I have to relay mails to a mail gateway that often rejects connections because we are too pushy. The admin of that service suggested us to open X connections and send Y messages per connection. How can I set this up either for one specific destination or to all? Thanks in advance, Zsombor
limiting connections to a single host
Hi, I have to relay mails to a mail gateway that often rejects connections because we are too pushy. The admin of that service suggested us to open X connections and send Y messages per connection. How can I set this up either for one specific destination or to all? Thanks in advance, Zsombor
Re: multiple relay servers
Hi Wietse,

Postfix 3.5 supports multiple relayhosts:

Currently we are on 3.2

If these folks want to receive mail in six places, why can't they set up DNS records like everyone else does?

I'm already over this discussion, that's why I have asked the question. :( Big company, rigid people, dumb rules.

Thanks,
Zsombor

Quoting (Wietse Venema ):

Zsombor B:
Hi All, Customer asked us to relay their mails to a specific smtp server. Actually they provided 6 possible destination servers. When add them to sender_dependent_relayhost_maps postmap complains that there are duplicate entries:

@foo.bar [mail1.whatever]:123
@foo.bar [mail2.whatever]:123
@foo.bar [mail3.whatever]:123

There can be only one table entry with the name @foo.bar. The postmap command ignores the rest with a warning.

How can I solve this?

Postfix 3.5 supports multiple relayhosts:

transport_maps example:
example.com relay:[mail1.example]:123, [mail2.example]:123, ...

sender_dependent_relayhost_maps example:
@foo.bar [mail1.example]:123, [mail2.example]:123, ..

This is a fixed order (as if you had multiple records in /etc/hosts).

If these folks want to receive mail in six places, why can't they set up DNS records like everyone else does?

Wietse
Re: multiple relay servers
I can't force the customer changing their DNS. Any postfix solution?

BTW it looks like postfix delivers mails to all the relay servers so the postmap warning is a bit misleading as if it won't work. But this brings up another question: if any of the relay servers can't accept mail will postfix try any other relay server in the list at the next attempt?

Zsombor

How can I solve this?

Create mail.whatever with A or CNAME records that point to each server. Then you use:

@foo.bar [mail.whatever]:123
multiple relay servers
Hi All,

Customer asked us to relay their mails to a specific smtp server. Actually they provided 6 possible destination servers. When I add them to sender_dependent_relayhost_maps postmap complains that there are duplicate entries:

@foo.bar [mail1.whatever]:123
@foo.bar [mail2.whatever]:123
@foo.bar [mail3.whatever]:123
etc.

How can I solve this?

Thanks,
Zsombor
possible bottlenecks
Hi, I know this is a complicated question but what/where do you see possible bottlenecks in postfix? Is it CPU? RAM? Disk IO? I'm building an infra to send out ~3-5 million emails a day. There are no known peak periods of the day but that's also sure that the load will be uneven (no emails for a while then suddenly 10-100K mails in a very short period of time). The plan is to start with 4 VMs and about ~10% of the planned daily mail amount but it will reach the planned maximum very soon. Do you have any experience based recommendations on CPU, RAM or other tuning parameters? Thanks, Zsombor
Re: repeated connect and disconnect
Just set up fail2ban, it will take care of this.

Quoting (li...@lazygranch.com):

Is there something I should be doing to mitigate this problem?

Oct 8 02:11:42 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct 8 02:11:43 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct 8 02:11:43 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:43 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:44 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct 8 02:11:45 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:45 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:45 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct 8 02:11:46 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:46 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:46 myserver postfix/smtpd[11630]: lost connection after CONNECT from unknown[180.123.163.212]
Oct 8 02:11:46 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] commands=0/0
Oct 8 02:11:46 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct 8 02:11:47 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:47 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:47 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct 8 02:11:48 myserver postfix/smtpd[11630]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:48 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:48 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct 8 02:11:48 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:48 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:50 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct 8 02:11:53 myserver postfix/smtpd[11630]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:53 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:54 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct 8 02:11:54 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:54 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:54 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct 8 02:11:55 myserver postfix/smtpd[11630]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:55 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:55 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct 8 02:11:55 myserver postfix/smtpd[11632]: warning: Connection rate limit exceeded: 11 from unknown[180.123.163.212] for service smtp
Oct 8 02:11:55 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] commands=0/0
Oct 8 02:11:55 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct 8 02:11:55 myserver postfix/smtpd[11630]: warning: Connection rate limit exceeded: 12 from unknown[180.123.163.212] for service smtp
Oct 8 02:11:55 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] commands=0/0
Oct 8 02:15:15 myserver postfix/anvil[11633]: statistics: max connection rate 12/60s for (smtp:180.123.163.212) at Oct 8 02:11:55
Oct 8 02:15:15 myserver postfix/anvil[11633]: statistics: max connection count 2 for (smtp:180.123.163.212) at Oct 8 02:11:43
Oct 8 02:15:15 myserver postfix/anvil[11633]: statistics: max cache size 1 at Oct 8 02:11:42
-
postconf mail_version
mail_version = 3.5.7
smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 3
smtpd_client_recipient_rate_limit = 40
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre, reject_unknown_reverse_client_hostname, check_client_access hash:/etc/postfix/spamsources
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_limit = 20
smtpd_recipient_restrictions = permit_sasl_authenticated,
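
The detection a fail2ban-style filter performs on the smtpd log in this thread, as an added example that is not part of the original posts: it counts sessions dropped before any mail transaction, per client address, in a sliding window. The function names, the threshold of 5 drops in 60 seconds and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lines copied from the log quoted above, followed by two constructed lines
# (192.0.2.x documentation addresses) that must not be flagged.
SAMPLE_LOG = """\
Oct 8 02:11:43 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct 8 02:11:43 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:43 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct 8 02:11:45 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:46 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:46 myserver postfix/smtpd[11630]: lost connection after CONNECT from unknown[180.123.163.212]
Oct 8 02:11:47 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:48 myserver postfix/smtpd[11630]: lost connection after EHLO from unknown[180.123.163.212]
Oct 8 02:11:55 myserver postfix/smtpd[11632]: warning: Connection rate limit exceeded: 11 from unknown[180.123.163.212] for service smtp
Oct 8 02:12:00 myserver postfix/smtpd[11640]: lost connection after EHLO from unknown[192.0.2.20]
Oct 8 02:12:01 myserver postfix/smtpd[11641]: disconnect from mail.example.org[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# A session that ends at CONNECT/HELO/EHLO never reached MAIL FROM.
LOST = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\s"
    r"lost connection after (?P<stage>CONNECT|EHLO|HELO) from "
    r"\S*\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def parse_lost(line, year=2020):
    """Return (timestamp, client_ip, stage) for an early drop, else None."""
    m = LOST.match(line)
    if m is None:
        return None
    # The year is an assumption: classic syslog timestamps omit it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["stage"]


def find_abusers(lines, max_drops=5, window=timedelta(seconds=60), year=2020):
    """Map each client IP to the time it first reached max_drops in window."""
    recent = defaultdict(deque)   # ip -> timestamps of drops inside the window
    flagged = {}
    for line in lines:
        parsed = parse_lost(line, year)
        if parsed is None:
            continue
        ts, ip, _stage = parsed
        drops = recent[ip]
        drops.append(ts)
        while ts - drops[0] > window:   # expire drops older than the window
            drops.popleft()
        if len(drops) >= max_drops and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_abusers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the drop threshold at {when:%b %d %H:%M:%S}")
```

fail2ban would pass each flagged address to a firewall action, whereas the anvil limits visible in the quoted log only refuse the connection once smtpd has already accepted it.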
Re: strangely incoming mails
Hi,

Thanks everyone for the replies. Sorry I can only answer this way now.

This is postconf -n: https://pastebin.com/SmZG9SxG
This is master.cf: https://pastebin.com/S6h83rxi

1) Bastian Blank:

I started to check the steps on http://www.postfix.org/DEBUG_README.html but it will take some time.

2) Fred Morris:

Is the address in the Received: header your address or the spammer's or someone else's?

This is an actual "Received" header of such a spam mail:

Received: from SOME.EXTERNAL.DOMAIN (SOME.EXTERNAL.DOMAIN [A.B.C.D]) by MY.MAIL.SERVER (Postfix) with ESMTP id 4AC1F8DF7D for ; Mon, 14 Sep 2020 16:16:01 +0200 (CEST)

* Someone sends mail (using smtp auth) which is from their local account and delivered locally?

I have sent a mail from my local account to myself with thunderbird: https://pastebin.com/ZCfX5GXg
Also these are the headers of a "good" incoming mail (with lots of headers added by rspamd): https://pastebin.com/qQvmKp1K

* Someone relays mail (using smtp auth) which is delivered locally?

I don't get this, sorry.

3) Viktor Dukhovni:

But it was not at the top of the message headers! Unless the message headers got reordered along the way, this header was NOT prepended by Postfix.

Hmm... I'm sure I didn't reorder the headers. Are you saying that someone has caught the content of this extra header in an outbound mail and put it back when they send emails to me mimicking that it was sent from my server? BTW I don't use the content of this header anymore, it's just kind of a legacy stuff so it will be removed.

Thanks again,
Zsombor
strangely incoming mails
Hello,

I'm confused and need your help. I run a small server with rspamd as spam filter (smtpd_milters = inet:localhost:11332). There are only a limited number of users, they only can send emails with smtp auth. Until recently everything was fine but in the last couple of days huge amount of undetected spam arrived to all mailboxes. The thing is that all these emails are avoiding rspamd completely (but other incoming mails are filtered as it is supposed to happen).

I started some investigation and found this:

- for years now, because of reasons I put an extra header to all outgoing emails (with header_checks and PREPEND)
- I have tested again and "normal" incoming emails (spam & ham) don't contain this extra header just outgoing mails so this works fine
- however the mentioned spam seemingly comes from the internet (there is an "external" IP and hostname in the "Received: from" header) this extra outgoing header ("X-Original-Outgoing-Mail") can be seen in the mail headers as it was sent out from my server

The whole mail header can be found here: https://pastebin.com/UVK3d2V8 (there's nothing special in it, except there is no rspamd invoked).

My first thought was that some of the "internal" senders (family & friends) got infected and they are sending these mails somehow (but I also have rspamd in "non_smtpd_milters" and it's also not triggered) and there is an "external" IP and hostname in the incoming mails.

Any idea what's going on (especially for the extra outgoing header that appears in the incoming spam)?

Any advice is appreciated,
Zsombor
Re: more recipients on the same relay server with smtp auth
Wietse, Viktor,

Thanks for your kind answer. It seems a bit difficult but I'll try to understand and apply it.

This request (redirect emails of certain domains to 3rd party mail providers with auth) can't be denied because we are moving from commercial mail security appliance to postfix and this feature is already provided to customers. (TBH I don't know how the current appliance is processing such things under the hood.)

Thanks again,
Zsombor

Quoting (Viktor Dukhovni ):

On Mon, Aug 24, 2020 at 09:35:51AM -0400, Wietse Venema wrote:

> Some of our customers wanted us to forward all emails sent to some
> recipient domains to 3rd party relay servers instead of the mail
> server defined in the recipient domain's MX records.
>
> Also they provided smtp username and password for these relay servers.
>
> I.e.
> - *@foo1.bar is sent to mailprovider-X.com with foo1user + foo1pass
> - *@foo2.bar is sent to mailprovider-Y.com with foo2user + foo2pass
> - etc.

If these email messages are sent by your customers, you need:

- In master.cf, one dedicated Postfix SMTP client per customer, with its own "-o smtp_sasl_password_maps=maptype:mapname" setting with that customer's login information for the remote servers.

    smtp-custxxx unix - - - - - smtp
        -o smtp_sasl_password_maps=hash:/etc/postfix/sasl-custxxx

- In main.cf, "sender_dependent_default_transport_maps = maptype:mapname", and use that table to select the dedicated Postfix SMTP client for each customer.

And also SASL auth, with reject_known_sender_login_mismatch or similar, so that nobody else can impersonate these customers.

This ensures that the right customer's login is used with the right remote SMTP server, and only for email sent by that customer.

Given authentication of the customer's credentials *and* envelope sender address. This can be a difficult combination of things to get right. Caution is highly recommended, and perhaps best to not offer the feature at all. The risk/reward ratio may not be high enough.

--
Viktor.
more recipients on the same relay server with smtp auth
Hi All,

I need your thoughts. Some of our customers wanted us to forward all emails sent to some recipient domains to 3rd party relay servers instead of the mail server defined in the recipient domain's MX records. Also they provided smtp username and password for these relay servers.

I.e.
- *@foo1.bar is sent to mailprovider-X.com with foo1user + foo1pass
- *@foo2.bar is sent to mailprovider-Y.com with foo2user + foo2pass
- etc.

All is fine but I'm wondering what will happen if two or more customers will provide the same 3rd party relay server (i.e. outlook, gmail, etc.).

I.e.
- *@foo3.bar has to be sent to bigrelay.com with foo3user + foo3pass
- *@foo4.bar has to be sent to bigrelay.com with foo4user + foo4pass

How will postfix know which user/pass belongs to which recipient domain because the relay server will be the same. Currently we are using "transport_maps" and "smtp_sasl_password_maps" parameters.

All advice is welcome,
Zsombor