Re: LDAP schema for Postfix ?

2012-03-02 Thread Christian Roessner
Hi,

> Does a Postfix specific (Open)LDAP schema exists ?
> or a "mail server specific" ?


I have a custom LDAP schema for my whole mail system, including Postfix, 
Dovecot and OpenDKIM. It is not perfect, but I can give it to you, if you want 
it.

Best wishes
Christian
---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com





Re: Intermittent User unknown

2011-08-19 Thread Christian Roessner
> Yes, OpenDirectory.  I don't know if it has any problems - was hoping someone 
> here would know.  But it's a hint to search in that direction.

I know from a colleague that he sometimes does have problems with
OpenDirectory. His solution is to dump the database with the server
tools (don't know exactly, what it is called) and then he restores it
again. If you look inside a user account object, you may see some
RSA-keys in attributes (maybe something with Kerberos) and at his system
this sometimes gets out of sync for some reason.

But as Wiets already said, could be thousand different things as well.

I personally also think about the filesystem HFS+. Did your server have
a crash or something similar in the past? I know from my Mac that this
always makes trouble with the filesystem. Maybe a test with the disk
utility might be helpful as well (just because mapfile, mapfile.db mtime
stuff).

Sorry, no more ideas out of the box :-)

Christian


Re: Intermittent User unknown

2011-08-19 Thread Christian Roessner
On 19.08.2011 14:56, Ray Davis wrote:
> What would cause valid email addresses to be unknown periodically?  They are 
> valid before and after the following log entries and nothing on the server 
> was changed.
> 
> This happens to something like 1-4 emails per day (sometimes 0).  When it 
> happens, all the recipient addresses in the mail are rejected.
> 
> Aug 16 09:44:29 mxs01 postfix/smtpd[15032]: NOQUEUE: reject: RCPT from 
> mf0.ffm0.de.carpe.net[212.96.133.20]: 550 5.1.1 : Recipient 
> address rejected: User unknown in virtual alias table; from= 
> to= proto=ESMTP helo=
> Aug 16 09:44:29 mxs01 postfix/smtpd[15029]: NOQUEUE: reject: RCPT from 
> mf0.ffm0.de.carpe.net[212.96.133.20]: 550 5.1.1 : Recipient 
> address rejected: User unknown in virtual alias table; from= 
> to= proto=ESMTP helo=
> 
> This is a Mac OS X Snow Leopard Server with no postfix config modifications.

So you are using OpenDirectory for your user accounts? Maybe this
service does have some problems?

Christian


OT: vim syntax files for main.cf _and_ master.cf

2011-08-13 Thread Christian Roessner
Hi,

I had a nice phone call with Uwe and Patrick last night and while
talking, I created a pfmaster.vim file, because I always missed it. It
might not be perfect, but it looks nice :-)

It was derived from the existing pfmain.cf. I updated it and changed
some colors. If you have any suggestions, feel free to contact me. If I
get some positive feedback, I try contacting the vim team and ask them,
if they want to update their existing files with this version.

http://www.roessner-network-solutions.com/vim/syntax/

Thanks
Christian


[SOLVED] Re: Milter macros

2011-08-10 Thread Christian Roessner
Hi,

> postconf -d milter_connect_macros
> milter_connect_macros = j {daemon_name} v

okay, got it:

milter_connect_macros = j {daemon_name} {client_ptr} {client_connections} v

Not sure about the "v" at the _end_ of the line. But it works.

Thanks
Christian


Milter macros

2011-08-10 Thread Christian Roessner
Hi,

I try to understand the documentation, but I fail :-)

I have looked for some values:

postconf -d milter_connect_macros
milter_connect_macros = j {daemon_name} v

I need {client_ptr} and {client_connections}, but do not know, how to
add them. What is the syntax? Is it:

milter_connect_macros = j {daemon_name} v i {client_ptr}
{client_connections}

Not sure about the "i" as I still do not understand the letters "j", "v"
and "i".

Thanks in advance
Christian


Re: smtpd_proxy_options=speed_adjust

2011-07-21 Thread Christian Roessner
On 21.07.2011 17:43, Robert Schetterer wrote:
> Hi,
> is smtpd_proxy_options=speed_adjust
> known for any problems ?

Do you have any problems? What is the reason for your question?

Best wishes

Regards
Christian


Re: Virtual domain aliases

2011-07-20 Thread Christian Roessner
> I have a Postfix/MailScanner front-end set up which works well, however
> I'm not sure I've configured it correctly (or in the best way)...
> 
> The box uses header_checks to place all incoming messages in the hold
> queue (standard stuff) and transport_maps define which mail server the
> mail gets forwarded onto after scanning, per domain.

So you are relaying to other MTAs.

> The difficulty I'm finding is maintaining a list of 'valid users' per
> domain, so I can reject invalid recipients at SMTP level rather than
> accepting all into the queue and being a potential source of backscatter.
> The solution I've come up with is using "virtual_alias_maps".
> The problem I'm finding is that I can not get it to work without having
> the remote domain in $mydestination too. I understand the docs suggest
> that you shouldn't have the remote domain in both $mydestination and
> $virtual_alias_domains?

What about using relay_domains and relay_recipient_maps? I am using this
to forward mail to an IMAP server, but this doesn't matter.

Example modified from my config:

relay_domains =
${ldap}/relay_domains.cf

relay_recipient_maps =
pcre:${map}/roleaccount.pcre,
${ldap}/relay_recipient_maps.cf

virtual_alias_maps =
${ldap}/relay_recipient_maps.cf

And do not add "it" to mydestination please.

Best wishes
Christian


Re: Multiple Instances Question

2011-06-27 Thread Christian Roessner
> I have multiple domains and need to set up each domain with its own TLS
> certificate.

Can you explain this a little bit more? You could add several

w1.x1.y1.z1:smtp ... smtpd
w1.x1.y1.z1:submission ... smtpd

w2.x2.y2.z2:smtp ... smtpd
w2.x2.y2.z2:submission ... smtpd

Example from my server:
88.198.xx.yy:smtp inet n - - - - smtpd
[...]
-o myhostname=mail.
[...]
-o smtpd_tls_cert_file=/ca/mail./newcert.pem
-o smtpd_tls_key_file=/ca/mail./newkey.pem
[...]

88.198.xx.yy:submission inet n - - - - smtpd
[...]
-o myhostname=mail.
[...]
-o smtpd_tls_cert_file=/ca/mail./newcert.pem
-o smtpd_tls_key_file=/ca/mail./newkey.pem
-o smtpd_tls_security_level=encrypt
[...]


with each having its own certificates in master.cf. Maybe I did not get
the point yet :-)

Christian


Re: postscreen pregreeter DNS trick

2011-03-09 Thread Christian Roessner
> > Has the second-MX solution any advantages? Should I stay on the current
> > setup?
> 
> Your current setup looks fine.

thanks for explaining the different aspects :)

Christian



postscreen pregreeter DNS trick

2011-03-09 Thread Christian Roessner
Hi,

I recently read about the trick by Wietse, defining a second DNS record
to skip the 450 delay that follows some postscreen tests. I modified my
DNS and it looks like this now:

host -t mx roessner-network-solutions.com
roessner-network-solutions.com mail is handled by 10
mx0.roessner-net.de.
roessner-network-solutions.com mail is handled by 20
mx0-1.roessner-net.de.

and that works.

Could I also simply set a second A-RR for mx0.roessner-net.de. ? Do MTA
implementations always use any A record, if one throws a 450? I looked
inside smtp_addr.c to find answers (how Postfix might handle this) and
saw the usage of getaddrinfo() and pointered lists and stuff; not sure
if I really understood, but would Postfix use a next client IP, if one
temp fails?

Does the second-MX solution have any advantages? Should I stay on the current
setup?

Thanks for bringing light :)

Christian



Re: Starting postfix

2011-02-26 Thread Christian Roessner
On Saturday, 26.02.2011, 08:51 +0100, Christian Roessner wrote:
> Hi,
> 
> > This got my attention because I run the Apple provided Postfix (2.5.5) on
> > Mac OS X client (10.6.6 specifically). What do you know - when I look at the
> > launchctl plist Apple provides to start Postfix, it does so by running
> > master directly. Thanks Apple!
> 
> Calling /usr/libexec/postfix/master in the plist. That should not be
> criticism. My friend Lars runs three X-Serve servers. One Tiger, Leopard
> and before posting here, I asked him to please just look into the plist
> and tell me, what is called.

cat /System/Library/LaunchDaemons/org.postfix.master.plist 

http://www.apple.com/DTDs/PropertyList-1.0.dtd";>


Label
org.postfix.master
Program
/usr/libexec/postfix/master
ProgramArguments

master
-e
60

QueueDirectories

/var/spool/postfix/maildrop

AbandonProcessGroup




Here you see the plist. It must not start postfix by calling master
directly.

Christian



Re: Starting postfix

2011-02-25 Thread Christian Roessner
Hi,

> This got my attention because I run the Apple provided Postfix (2.5.5) on
> Mac OS X client (10.6.6 specifically). What do you know - when I look at the
> launchctl plist Apple provides to start Postfix, it does so by running
> master directly. Thanks Apple!

Calling /usr/libexec/postfix/master in the plist. That should not be
criticism. My friend Lars runs three X-Serve servers. One Tiger, Leopard
and before posting here, I asked him to please just look into the plist
and tell me, what is called.

I do not know for Snow Leopard I must admit.

Was that said wrong?

Christian




Re: Starting postfix

2011-02-25 Thread Christian Roessner
Hi, 

> That was the construct i tried to explain. A wrapper/pacifier whatever  
> is needed which does not terminate but does nothing until a "stop" or  
> some other event arrives.
> 
> > They should not start and stop the master directly.  Among other
> > things, that does not work with multi-instance support.
> 
> Agreed and understood.

may I ask, why postfix should find a solution? I explain my question:
before I came here and started that thread, I took many hours of reading
about upstart and doing many local tests here to figure out how I could
get the job done. I also called strace start postfix and could see that
there is some kind of message communication. Yet I did not find out,
which destination receives upstart information. But at least I think,
there could be more applications out there that have issues like this
here. So wouldn't it make sense to ask upstart developers, if they can
extend their upstart interfaces?

Or if we really can find out, where upstart is communicating to, maybe
extend postfix' capabilities to send information to this place.

Just thoughts and I only try to sort some ideas. If I am allowed to
summarize, from what I learned here these days:

Postfix does:
- have a really stable master process that did not die in more than 10
years (Victor)
- does not need a respawn feature

upstart does:
- start
- stop
- status
- restart
- what else?

start, stop and status use the pid that a process had after starting it.
So now I try to combine this:

Some piece of software, call it dispatcher, call it wrapper, whatever,
needs to call postfix start to not break any interfaces or anything else
postfix related. Right?

The wrapper that I showed here does this job. You can start and stop
postfix cleanly. If I understood right, simply testing a status of
postfix is not so easy, so Victor does the monitoring differently. So we
can not simply check the status and the result may be a bogus result.

This is, what I learned. So now my question: what do you have in mind
Wietse, if you say, you may provide something? Do not get me wrong
please. I really like to learn and even when you got me totally wrong at
the beginning of this thread, I never had something bad in mind. Just
coming here and trying to find a solution. Is that ok so far?

Is there anything that I can do to help?

Best wishes
Christian



Re: Starting postfix

2011-02-25 Thread Christian Roessner
Hi,

> > > Postfix "job" script:
> > >
> > >   pre-start exec postfix start
> > >   post-stop exec postfix stop
> > >
> > > With this, the system will do the work for them, and everything
> > > uses stable documented interfaces.

sorry Wietse, if it really would have been so easy, I never had contacted
the list for such trivial solutions ;-)

In fact your code snippet would start, that is true, but upstart would
catch a wrong pid and you could never stop postfix with upstart again.

But we really can close this thread, as I already have shown a script
that does the job.

Thanks
Christian



Re: Starting postfix

2011-02-25 Thread Christian Roessner
Hi,

> That's why i said it may be useful to have a simple  
> "dispatcher/wrapper" which only is started to call "postfix start" and  
> keeps running to keep upstart happy and calls "postfix stop/restart"  
> when advised to do so by upstart. With this the supported way of  
> starting/stopping is possible *and* upstart could be used without  
> problems. The only problem to solve is the non-terminating behaviour  
> required by upstart, all other startup work can be done as usual  
> behind the scene.

my upstart-postfix python script works. It does call "/usr/sbin/postfix
start" and loops. So this is a very simple form of making upstart happy
and also starting/stopping postfix as expected.

That postfix must not be started directly by calling master should also
be documented in the master man page, as people like me (and my idea was
based on Apple's practice, like they DO START postfix with launchctl on
Mac OS X Server edition).

Anyways. If someone likes to help me doing further coding on the python
code, he/she is welcome.

@Andreas: You are from Germany, aren't you? Feel free to write to me;
maybe the two of us can find a good solution. Thanks

Best wishes
Christian




Re: Starting postfix

2011-02-25 Thread Christian Roessner
Hi, 

> The "problem" is more of that distribution like Ubuntu and Redhat are  
> moving to "upstart" for boot and starting services/daemons. The main  
> difference for the started services is that upstart need the program  
> to *not* daemonize or terminate itself because status is checked  
> directly to do respawn and other things if necessary and not by  
> monitoring a PID like it was with sys-v. So basically to get Postfix  
> upstart compatible a "postfix-start-stop" helper would be needed which  
> is always running and only does dispatching of start/stop requests to  
> the master(s) according to Postfix needs.

I was thinking the whole night how to solve it for upstart. I wrote a
python wrapper:

#
import os
import sys
import time

program = "/usr/sbin/postfix"

# First start postfix and wait for the return code
try:
    pid = os.fork()
except OSError as e:
    print("Fork failed: (%d) %s" % (e.errno, e.strerror), file=sys.stderr)
    sys.exit(1)

if not pid:
    # Child: replace ourselves with the supported "postfix start" command
    try:
        os.execvp(program, (program, "start"))
    except OSError as e:
        print("Exec failed: (%d) %s" % (e.errno, e.strerror), file=sys.stderr)
        os._exit(1)

# Parent: a non-zero wait status means "postfix start" failed or was killed
if os.wait()[1] != 0:
    sys.exit(1)

# wait until we get killed
while True:
    time.sleep(10)
#

This can be called with exec in upstart and doing a stop is easy, too,
because I simply call /usr/sbin/postfix stop in a post-stop script
block.

So if this is okay, I would use it. It is some kind of silly, but I
tested it here on my workstation and it does the job. But I also want to
ask the Ubuntu guys, if that is a working mechanism.

Thanks
Christian

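As an added example (not the script from this post), here is a signal-aware version of the same idea in Python 3: it starts Postfix only through the supported `postfix start` command, stays resident so the init system has a PID to track, and on SIGTERM/SIGINT runs `postfix stop` instead of ever signalling master(8) itself. The `/usr/sbin/postfix` path is taken from the post; `run_control`, `PostfixWrapper` and `schedule_self_sigterm` are names assumed here.

```python
import os
import signal
import subprocess
import sys
import threading
import time

# Path used in the post; pass PostfixWrapper(program=...) to override it.
POSTFIX = "/usr/sbin/postfix"


def run_control(program, action):
    """Run '<program> <action>' (e.g. 'postfix start') and return its exit code.

    Only the documented control command is used: the wrapper never sends
    signals to master(8), so postfix-script keeps doing its own checks and
    multi-instance setups are not broken.
    """
    try:
        return subprocess.run([program, action], check=False).returncode
    except OSError as e:
        # Binary missing or not executable: report it like a failed start.
        print("cannot run %s %s: %s" % (program, action, e), file=sys.stderr)
        return 1


class PostfixWrapper:
    """Resident process mapping init-system start/stop to postfix start/stop."""

    def __init__(self, program=POSTFIX, poll_seconds=10):
        self.program = program
        self.poll_seconds = poll_seconds
        self.stopping = False

    def _on_signal(self, signum, frame):
        # Only set a flag here; the real work happens in run(), not in the handler.
        self.stopping = True

    def run(self):
        """Start Postfix, wait for a stop signal, then stop Postfix; return exit code."""
        rc = run_control(self.program, "start")
        if rc != 0:
            return rc
        signal.signal(signal.SIGTERM, self._on_signal)
        signal.signal(signal.SIGINT, self._on_signal)
        while not self.stopping:
            time.sleep(self.poll_seconds)
        return run_control(self.program, "stop")


def schedule_self_sigterm(delay):
    """Deliver SIGTERM to this process after `delay` seconds (for a self-test)."""
    timer = threading.Timer(delay, os.kill, args=(os.getpid(), signal.SIGTERM))
    timer.daemon = True
    timer.start()
    return timer


if __name__ == "__main__":
    sys.exit(PostfixWrapper().run())
```

In an upstart job this would be started with `exec`, and no `post-stop` block is needed because the wrapper itself runs `postfix stop` when it receives SIGTERM.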


Re: Starting postfix

2011-02-24 Thread Christian Roessner
> If you must persist along this path then I request that you stop
> distributing Postfix. I will get all the complaints about the things
> that you break, and I will have to deal with the consequences for
> Postfix's reputation.

Don't fear it. I am not going to do something that breaks postfix. That is the 
reason why I ask here/you to learn and to understand and in this case: to find 
another solution.

Thanks
Christian




Re: Starting postfix

2011-02-24 Thread Christian Roessner
Hi,

> The only supported way to start Postfix is "postfix start", using
> the commands provided with /etc/postfix/postfix-script. 
> 
> DO NOT TINKER WITH THIS. 
> 
> SUSE people discovered years ago that their home-grown approach to
> stop Postfix would terminate a lot more processes than just Postfix.

I take your warning really seriously. That is the reason I wrote here to the 
list. But it brings me to a conflict that I do not know how else to solve.

The problem with using /usr/sbin/postfix is that it starts master and upstart 
never will have control over that process, which in my opinion it must have.

Can you tell me what postfix does differently while starting master, than an 
exec call from upstart would do? Maybe if I understand more from the "behind 
the scenes" I can find a solution.

Maybe at the end I will accept that it might be impossible to use upstart and 
that a classical sysvinit might be the only way. But I do not want to give up 
so early ;-)

Regards
Christian



Starting postfix

2011-02-24 Thread Christian Roessner
Hi,

I am currently preparing an upstart script for Ubuntu. I tried several ways to 
use /usr/sbin/postfix, but I never would get the master PID. So I looked at the 
postfix.c code.

Is it a problem to start /usr/lib/postfix/master -c /etc/postfix from the init 
system? I believe I have seen in upstarts man page that they close stdin, 
stdout and stderr before starting a job.

Would the upstart script lack of some functionality or do have other problems?

My systems currently run with this upstart script and yet I don't see any 
differences.

Thanks
Christian




automatically rewrite sender address depending on RCPT TO

2011-02-24 Thread Christian Roessner
Hi,

since I started using mail addresses with an extension, it lately
happened that I forgot to choose the "right" address for sending out
mail.

In detail I have a couple of defined addresses that I all use for
mailing lists.

c+some_extens...@roessner-network-solutions.com

There are two problems with it:
1. I must choose the correct address that belongs to the mailing list
2. I have several computers, where I would have to setup all the
addresses.

So in my case, it really would be nice to always send with i.e.

c...@roessner-network-solutions.com

and Postfix would do:

RCPT TO == postfix-users@postfix.org
-> Sender domain is (.*)@roessner-network-solutions.com
-> Do some canonical tricks, make local part c+postfix_org_en

Same for several other destinations, too.

Can I do this with some restriction_classes and how can I define
canonical_maps that are recipient dependent? Maybe I think too
complicated.

I would use this only on the submission port, which is defined in
master.cf.

Thanks in advance
Christian



Re: Postfix stable release 2.8.1 available

2011-02-23 Thread Christian Roessner
Hi,

> > I have not modified the init script, so people still can do chrooting
> > and the init script will work as always.
> 
> I didn't take anything.  The primary maintainer of the package uploaded 2.8.0 
> much as he always does.  As I said before, this isn't the place to discuss 
> it.  
> This is my last comment on this thread.

your answer overlapped my last personal answer to you. Never mind

Christian




Re: Postfix stable release 2.8.1 available

2011-02-23 Thread Christian Roessner
Hi,
 
> > - I dropped HP-UX patches from Debian, as they are useless in Ubuntu
> > - I dropped chroot environment, as discussed lately on this list
> 
> What to do about chrooting by default is a conversation we should have at the 
> distro level.  I know it's a long standing disagreement between upstream and 
> the Debian/Ubuntu maintainer, but this isn't the place to resolve it.

Excuse me, but you took different packages for Ubuntu and my PPA is a
backport or even does not exist in current Ubuntu releases.

Removing chroot does not even hurt anybody, because existing
configurations won't be touched by the distro and newly installed
instances do not have disadvantages.

I have not modified the init script, so people still can do chrooting
and the init script will work as always.

Regards
Christian



Re: Postfix stable release 2.8.1 available

2011-02-23 Thread Christian Roessner
Hi,

> Postfix stable release 2.8.1 is available. This release fixes one
> "signal 11" bug with SMTP server debug logging, and cleans up some
> code and documentation.

Ubuntu packages done.

https://launchpad.net/~christian-roessner-net/+archive/ppa

- I dropped HP-UX patches from Debian, as they are useless in Ubuntu
- I dropped chroot environment, as discussed lately on this list

Christian




Re: question about single user

2011-02-22 Thread Christian Roessner
On Tuesday, 22.02.2011, 12:47 +0100, Matteo Cazzador wrote:
> hello i've a strange question about a request,  is it possible to create 
> an account (not alias) that can only receive mail and not send?
> I've a virtual server with mysql backend  and saslauth that uses imap login.
> Thank's
> 

I guess it depends on your MySQL tables. What you could do is to add
extra fields (boolean) for sending and receiving directions. Then you
could combine the regular MySQL queries with the boolean values. So if
one account has the sending field set to false, the SQL query should not
give a result for that user. I am not a SQL expert, but I do the same
with LDAP. And if that works with saslauthd, no idea, too, because I use
sasl-auxprop (ldapdb).

Regards
Christian



Re: greylisting with postscreen?

2011-02-10 Thread Christian Roessner
Hi,

> I am trying out the postscreen server - and am very impressed so far. My 
> original interest was in greylisting - so I have the deep protocol tests 
> turned on so that the temporary failure code 45x is returned for 
> non-whitelisted clients.
> 
> During my testing - I noticed that the small trickle of spam that still makes 
> it past postscreen reattempts immediately after a 45x with no delay, whereas 
> genuine mail will wait at least a few minutes before reattempting after a 45x.

I hope, I may ask, but if a client is able to queue mail after a 45x, wouldn't 
this same client come back after 300 seconds, too? And so skipping the 
greylisting barrier? Or are there some bots outside that can do that? But even 
then, they might be lucky at a later time, when the host, where they live on, 
returns (even with dynamic IP; just a question of patience).

Christian


Re: Ubuntu/Debian Postfix 2.8.x repository -- general chroot question

2011-02-07 Thread Christian Roessner
>> For the sake of curiosity and education, why is running chroot'd Postfix 
>> complicated?
> 
> Late binding. Cyrus SASL may dynamically load plugins. Table drivers may
> dynamically do hostname lookups, CA certificates may need to retrieved, ...
> 
> The more features you enable that use external libraries, or resources or
> talk to external services, the more supporting files are needed in the
> chroot jail...

But I also could say: The more features you enable, the more experienced you 
probably are.

Christian




Re: PATCH: smtpd/tls segfault with smtpd_tls_loglevel >= 3

2011-02-07 Thread Christian Roessner
Hi,

>> It works around an undocumented OpenSSL mis-feature, by moving the
>> SSL_set_fd() call from tlsproxy(8) into the Postfix TLS library.
>> Apparently, SSL_set_fd() destroys call-back information that is
>> already set up on an SSL handle. That was causing tlsproxy(8)'s
>> verbose logging to go nowhere.
> 
> This behavior is actually documented (SSL_set_fd() destroys
> a BIO already on the SSL handle, and creates a new BIO).

thanks a lot.

Feb  7 19:17:43 mx postfix/smtpd[1092]: connect from mx0.roessner-net.de[78.46.253.227]
Feb  7 19:17:43 mx postfix/smtpd[1092]: setting up TLS connection from mx0.roessner-net.de[78.46.253.227]
Feb  7 19:17:43 mx postfix/smtpd[1092]: mx0.roessner-net.de[78.46.253.227]: TLS cipher list "ALL:+RC4:@STRENGTH"
Feb  7 19:17:43 mx postfix/smtpd[1092]: SSL_accept:before/accept initialization
Feb  7 19:17:43 mx postfix/smtpd[1092]: SSL_accept:SSLv3 read client hello A
Feb  7 19:17:43 mx postfix/smtpd[1092]: SSL_accept:SSLv3 write server hello A
Feb  7 19:17:43 mx postfix/smtpd[1092]: SSL_accept:SSLv3 write key exchange A
Feb  7 19:17:43 mx postfix/smtpd[1092]: SSL_accept:SSLv3 write server done A
Feb  7 19:17:43 mx postfix/smtpd[1092]: SSL_accept:SSLv3 flush data
Feb  7 19:17:44 mx postfix/smtpd[1092]: SSL_accept:SSLv3 read client key exchange A
Feb  7 19:17:44 mx postfix/smtpd[1092]: SSL_accept:SSLv3 read finished A
Feb  7 19:17:44 mx postfix/smtpd[1092]: SSL_accept:SSLv3 write session ticket A
Feb  7 19:17:44 mx postfix/smtpd[1092]: SSL_accept:SSLv3 write change cipher spec A
Feb  7 19:17:44 mx postfix/smtpd[1092]: SSL_accept:SSLv3 write finished A
Feb  7 19:17:44 mx postfix/smtpd[1092]: SSL_accept:SSLv3 flush data
Feb  7 19:17:44 mx postfix/smtpd[1092]: Anonymous TLS connection established from mx0.roessner-net.de[78.46.253.227]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

It is working now.

@Mark: New packages are available, including this fix.

Christian




Re: PATCH: smtpd/tls segfault with smtpd_tls_loglevel >= 3

2011-02-07 Thread Christian Roessner
Hi,

On 07.02.2011 at 15:39, Wietse Venema wrote:

> Wietse Venema:
>> Christian Roessner:
>>> I double checked that cacert.org's cert is in that path as well
>>> and that the c_hash exists, too. I did not find an answer and so
>>> I only changed the log level of smtpd_tls_loglevel = 1 to 3. This
>>> brought the segfault and this in the logs:
>>> 
>>> Feb  6 19:11:54 mx postfix/master[14500]: warning: process 
>>> /usr/lib/postfix/smtpd pid 14526 killed by signal 11
>>> Feb  6 19:13:15 mx postfix/master[14736]: warning: process 
>>> /usr/lib/postfix/smtpd pid 14784 killed by signal 11
>>> 
>> 
>> That's easy enough to verify with default configuration and
>> 
>>openssl s_client -starttls smtp -connect 127.0.0.1:25
>> 
>> For now, just don't set smtpd_tls_loglevel >= 3.
> 
> Or apply the patch below (Postfix 2.8 and later).
> 
Patch applied:

Feb  7 16:25:55 mx postfix/tlsproxy[10233]: initializing the server-side TLS engine
Feb  7 16:25:55 mx postfix/tlsproxy[10233]: CONNECT from [127.0.0.1]:41711
Feb  7 16:25:55 mx postfix/tlsproxy[10233]: setting up TLS connection from [127.0.0.1]:41711
Feb  7 16:25:55 mx postfix/tlsproxy[10233]: [127.0.0.1]:41711: TLS cipher list "ALL:+RC4:@STRENGTH"
Feb  7 16:25:55 mx postfix/master[9964]: warning: process /usr/lib/postfix/tlsproxy pid 10233 killed by signal 11
Feb  7 16:26:18 mx postfix/smtpd[10367]: initializing the server-side TLS engine
Feb  7 16:26:18 mx postfix/smtpd[10367]: connect from dslb-088-068-165-221.pools.arcor-ip.net[88.68.165.221]
Feb  7 16:26:18 mx postfix/smtpd[10368]: initializing the server-side TLS engine
Feb  7 16:26:18 mx postfix/smtpd[10368]: connect from unknown[193.239.104.18]
Feb  7 16:26:18 mx postfix/smtpd[10368]: setting up TLS connection from unknown[193.239.104.18]
Feb  7 16:26:18 mx postfix/smtpd[10368]: unknown[193.239.104.18]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Feb  7 16:26:18 mx postfix/master[9964]: warning: process /usr/lib/postfix/smtpd pid 10368 killed by signal 11
Feb  7 16:26:18 mx postfix/master[9964]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
Feb  7 16:26:18 mx postfix/smtpd[10367]: setting up TLS connection from dslb-088-068-165-221.pools.arcor-ip.net[88.68.165.221]
Feb  7 16:26:18 mx postfix/smtpd[10367]: dslb-088-068-165-221.pools.arcor-ip.net[88.68.165.221]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Feb  7 16:26:18 mx postfix/master[9964]: warning: process /usr/lib/postfix/smtpd pid 10367 killed by signal 11
Feb  7 16:26:18 mx postfix/smtpd[10193]: connect from dslb-088-068-165-221.pools.arcor-ip.net[88.68.165.221]
Feb  7 16:26:18 mx postfix/smtpd[10193]: setting up TLS connection from dslb-088-068-165-221.pools.arcor-ip.net[88.68.165.221]
Feb  7 16:26:18 mx postfix/smtpd[10193]: dslb-088-068-165-221.pools.arcor-ip.net[88.68.165.221]: TLS cipher list "ALL:+RC4:@STRENGTH"
Feb  7 16:26:18 mx postfix/master[9964]: warning: process /usr/lib/postfix/smtpd pid 10193 killed by signal 11
Feb  7 16:26:41 mx postfix/tlsproxy[10435]: initializing the server-side TLS engine
Feb  7 16:26:41 mx postfix/tlsproxy[10435]: CONNECT from [127.0.0.1]:41778
Feb  7 16:26:41 mx postfix/tlsproxy[10435]: setting up TLS connection from [127.0.0.1]:41778
Feb  7 16:26:41 mx postfix/tlsproxy[10435]: [127.0.0.1]:41778: TLS cipher list "ALL:+RC4:@STRENGTH"
Feb  7 16:26:41 mx postfix/master[9964]: warning: process /usr/lib/postfix/tlsproxy pid 10435 killed by signal 11



And:
[1660694.703414] tlsproxy[10435]: segfault at 8 ip 7f3ab6f92620 sp 7fff5f99de08 error 6 in libcrypto.so.0.9.8[7f3ab6ed2000+168000]
[1660730.381308] smtpd[10545]: segfault at 8 ip 7fac70890620 sp 7fffccd97ce8 error 6 in libcrypto.so.0.9.8[7fac707d+168000]
[1660743.542428] smtpd[10556]: segfault at 8 ip 7fb04c381620 sp 7fffd2b07198 error 6 in libcrypto.so.0.9.8[7fb04c2c1000+168000]
[1660743.742590] smtpd[10557]: segfault at 8 ip 7f9752c12620 sp 7fff297ac138 error 6 in libcrypto.so.0.9.8[7f9752b52000+168000]


Now tlsproxy segfaults, too.

I do debugging tonight...

Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



PGP.sig
Description: Signed part of the message


Postfix smtpd/tls segfault problem

2011-02-07 Thread Christian Roessner
Hi,

yesterday I encountered a problem. I already sent it to Wietse and he in turn 
suggested contacting this list to ask whether somebody else out there can reproduce 
this bug.

Here is the mail I sent to him:


Hi,

for some reason I encountered a segfault in smtpd - Postfix 2.8.0.

[1584207.718333] smtpd[14526]: segfault at 8 ip 7fe896496620 sp 7fff8baaff88 error 6 in libcrypto.so.0.9.8[7fe8963d6000+168000]
[1584287.876688] smtpd[14784]: segfault at 8 ip 7fc43532b620 sp 7fffaef24198 error 6 in libcrypto.so.0.9.8[7fc43526b000+168000]

Before I start enabling gdb in debugging_command, can you tell me, if this is 
libcrypto-related or postfix? Or, if this is impossible to say so, what 
information could help you?

What happened:

smtpd_use_tls                     = yes
smtpd_tls_auth_only               = no
smtpd_tls_loglevel                = 1
tls_append_default_CA             = no
smtpd_tls_CApath                  = /etc/ssl/certs
smtpd_tls_cert_file               = ${config_directory}/ssl/mx_deltaweb_de.crt
smtpd_tls_key_file                = ${config_directory}/ssl/mx_deltaweb_de.key
smtpd_tls_session_cache_database  = sdbm:${data_directory}/smtpd_session_cache
smtpd_sasl_tls_security_options   = noanonymous

smtpd is running chroot. I copied /etc/ssl/certs/* to the chroot environment. 
Because under Debian/Ubuntu, these files are just symlinks, I also copied the 
corresponding folder /usr/share/ca-certificates into the jail.

I saw in postconf(5) that it is required to concatenate the client cert with 
the CA file, if a remote MTA shall be able to verify the cert. So I did that on my 
server, which is another machine. From that I sent a test mail to the MTA I 
just described above. In the logs, it always told me "Untrusted":

Feb  6 19:10:44 mx postfix/smtpd[14222]: mx0.roessner-net.de[78.46.253.227]: Untrusted: subject_CN=mx0.roessner-net.de, issuer=CA Cert Signing Authority, fingerprint=F3:2D:15:E3:08:93:53:12:A2:93:3D:CC:AA:B8:AF:26
Feb  6 19:10:44 mx postfix/smtpd[14222]: Untrusted TLS connection established from mx0.roessner-net.de[78.46.253.227]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

I double checked that cacert.org's cert is in that path as well and that the 
c_hash exists, too. I did not find an answer and so I only changed the log 
level of smtpd_tls_loglevel = 1 to 3. This brought the segfault and this in the 
logs:

Feb  6 19:11:54 mx postfix/master[14500]: warning: process /usr/lib/postfix/smtpd pid 14526 killed by signal 11
Feb  6 19:13:15 mx postfix/master[14736]: warning: process /usr/lib/postfix/smtpd pid 14784 killed by signal 11

Turning the loglevel back, everything works as before.

So I thought, you might be interested in that report.


Tonight I am going to turn on GDB and try to get a backtrace. But maybe someone 
else might confirm this in the meantime.

Best wishes
Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



PGP.sig
Description: Signed part of the message


Re: Ubuntu/Debian Postfix 2.8.x repository

2011-02-07 Thread Christian Roessner
Hi,

> Do you know any reliable Debian/Ubuntu repositories for the
> newest Postfix 2.8?

http://mysourceco.de

This is my repo. Clean patches to Postfix. It is in fact cloned from the Debian 
2.7.0 package, but with review!

It also has Dovecot 2.09+Pigeonhole in it.

Regards
Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



Re: smtpd running chrooted

2011-02-04 Thread Christian Roessner
> > I have no idea, what libs, etc. are also required to be copied to
> > chroot.
> 
> To find out what files are missing, use strace, as described in
> the DEBUG_README file. This will show the explicit names of files
> and directories in open(), stat() etc. calls.
> 
> It won't show you the implicit names that a program is looking for
> when it uses opendir/readdir to discover what names exist.

Thanks a lot. Fixed it. Just for people looking in mail archive:

Under Ubuntu you do not need to copy /usr/lib/sasl2. List of files
(some):

/etc/postfix/sasl/smtpd.conf
--> Inside, point ldapdb_rc to e.g. /etc/ldap.conf, which is here:
/var/spool/postfix/etc/ldap.conf
--> Inside, point cert, key and ca to e.g. /etc/ssl/certs, here:
/var/spool/postfix/etc/ssl/certs/{newcert.pem,newkey.pem,cacert_org.crt}
/var/spool/postfix/etc/ldap/ldap.conf
--> which needs to be copied from /etc/ldap/ldap.conf

Create random and urandom devices in /var/spool/postfix/dev

After that postfix/smtpd will run fine with sasl/external/ldapdb in a
chroot environment.

Christian
-- 
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com


signature.asc
Description: This is a digitally signed message part
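The two chroot-related posts in this thread (the file list above, and the note in the segfault report above that the entries of /etc/ssl/certs are symlinks into /usr/share/ca-certificates on Debian/Ubuntu) both come down to the same task: put a self-contained copy of what smtpd opens at run time under /var/spool/postfix. The script below is an added example, not code from the posts or from Postfix. It stages a path into the jail, dereferencing symlinks so that the jail does not depend on /usr/share/ca-certificates, creates the random devices, and reports what is still missing. CHROOT and /etc/ldap/ldap.conf come from the thread; /etc/ssl/certs as a whole directory and the throwaway tree built by demo() are assumptions.

```python
"""Stage files smtpd needs into the Postfix chroot and check for gaps.

Added example, not code from the posts.  A symlink copied as a symlink
into the jail points outside the jail and is dangling once smtpd has
chrooted; copying the link target instead avoids mirroring the whole
/usr/share/ca-certificates tree."""

import os
import shutil
import stat
import tempfile

CHROOT = "/var/spool/postfix"

DEFAULT_FILES = [
    "/etc/ldap/ldap.conf",   # becomes CHROOT/etc/ldap/ldap.conf
    "/etc/ssl/certs",        # CA directory; symlinks on Debian/Ubuntu (assumed)
]


def stage(src, chroot, follow_symlinks=True):
    """Copy src to chroot + src, creating parent directories.

    With follow_symlinks=True every symlink (files and directory entries)
    is replaced by a copy of its target.  Returns the destination path."""
    dst = os.path.join(chroot, src.lstrip("/"))
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    if os.path.isdir(src):
        shutil.copytree(src, dst, symlinks=not follow_symlinks,
                        dirs_exist_ok=True)
    else:
        shutil.copy2(src, dst, follow_symlinks=follow_symlinks)
    return dst


def make_random_devices(chroot):
    """Create /dev/random and /dev/urandom inside the jail with the host's
    device numbers (requires root).  Returns the nodes created."""
    devdir = os.path.join(chroot, "dev")
    os.makedirs(devdir, exist_ok=True)
    created = []
    for name in ("random", "urandom"):
        node = os.path.join(devdir, name)
        if os.path.exists(node):
            continue
        rdev = os.stat("/dev/" + name).st_rdev
        os.mknod(node, stat.S_IFCHR | 0o666, rdev)
        created.append(node)
    return created


def missing_in_chroot(chroot, files):
    """Entries of files that are absent inside chroot.  A dangling symlink
    counts as absent because os.path.exists() follows links."""
    return [f for f in files
            if not os.path.exists(os.path.join(chroot, f.lstrip("/")))]


def demo():
    """Offline self-check in a temporary tree: a certs directory whose only
    entry is a symlink into usr/share, staged once with links kept and once
    dereferenced.  Returns (missing with links kept, missing dereferenced)."""
    with tempfile.TemporaryDirectory() as root:
        target_dir = os.path.join(root, "usr/share/ca-certificates/mozilla")
        certs = os.path.join(root, "etc/ssl/certs")
        os.makedirs(target_dir)
        os.makedirs(certs)
        target = os.path.join(target_dir, "Example_Root.crt")
        with open(target, "w") as fh:   # constructed placeholder, not a real cert
            fh.write("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
        link = os.path.join(certs, "Example_Root.pem")
        # Relative link so the temp tree is self-contained; an absolute link
        # would be just as dangling inside a jail without usr/share.
        os.symlink(os.path.relpath(target, certs), link)
        jail_links = os.path.join(root, "jail-links")
        jail_deref = os.path.join(root, "jail-deref")
        stage(certs, jail_links, follow_symlinks=False)
        stage(certs, jail_deref, follow_symlinks=True)
        return (len(missing_in_chroot(jail_links, [link])),
                len(missing_in_chroot(jail_deref, [link])))


if __name__ == "__main__":
    print("missing in", CHROOT, ":", missing_in_chroot(CHROOT, DEFAULT_FILES))
    print("demo (links kept, dereferenced):", demo())
```

Run it as root on the mail host after staging: `missing_in_chroot(CHROOT, DEFAULT_FILES)` should come back empty, and strace, as Wietse suggests above, remains the way to find paths this list does not know about.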


smtpd running chrooted

2011-02-04 Thread Christian Roessner
Hi,

I just finished setting up Postfix to use sasl/external with auxprop
plugin ldapdb. So far, everything works like a charm. But I had to disable
chroot.

Currently with not chrooting, I have:

/etc/postfix/sasl/smtpd.conf (yes, it is Ubuntu):
/etc/postfix/.ldaprc
/ca/cacert_org.crt
/ca/mx0.roessner-net.de/new(cert|key).pem

smtpd.conf looks like this:

pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
ldapdb_uri: ldap://db.roessner-net.de
ldapdb_mech: EXTERNAL
ldapdb_starttls: demand
ldapdb_rc: /etc/postfix/.ldaprc
#log_level: 7

And the .ldaprc like this:

TLS_CERT /ca/mx0.roessner-net.de/newcert.pem
TLS_KEY /ca/mx0.roessner-net.de/newkey.pem
TLS_CACERT /ca/cacert_org.crt
TLS_REQCERT demand

Could someone tell me, which files and folders now need to be put into
the chroot environment?

CHROOT := /var/spool/postfix

I already copied /usr/lib/sasl2 to CHROOT/usr/lib/sasl2
And I tried to put the certs under CHROOT/etc/ssl/certs and modifying
the paths in the ldap.conf file. I also copied the latter one to
CHROOT/etc/ldap.conf and modified the ldapdb_rc to point
to /etc/ldap.conf (instead of /etc/postfix/.ldaprc)

But this seems not to be enough.

I have no idea, what libs, etc. are also required to be copied to
chroot.

Thanks for helping me in advance
Christian
-- 
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com


signature.asc
Description: This is a digitally signed message part


Re: SASL auxprop ldapdb result attribute

2011-01-27 Thread Christian Roessner
> Now how can I tell auxprop ldapdb to ask for this attribute and not
> userPassword?
> 
> I know this question is somewhat off topic. But which is the right
> place? Guess post_masters_ for sure can help me :-)

Sometimes you just write to a mailing list because you did not find a
solution. And before you have finished pressing the "send" button, you
find answers elsewhere.

ldapdb only supports userPassword. Hard coded. So either I would find an
LDAP overlay that can modify a query for a special user and return, for
a requested attribute, A->B, or it is impossible (short of modifying the
ldapdb code, which I am not going to do).

So dovecot seems to be really a great solution for authentication ;-)

Never mind
Christian

-- 
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com


signature.asc
Description: This is a digitally signed message part


SASL auxprop ldapdb result attribute

2011-01-27 Thread Christian Roessner
Hi,

I want to have postfix do sasl with auxprop ldapdb and not with dovecot
anymore.

Reason: I have a rnsMSDovecotEnable flag in ldap to disable imap/pop3
accounts. But this also would disable postfix as well, which I do not
want for accounts that just relay mail over postfix. I need to have this
"disable" flag, because iterate_query in dovecot shall not list accounts
that do not have an existing mailbox on the filesystem.

So:

saslauthd->PAM->LDAP
saslauthd->LDAP

If I read correctly, these solutions are simple but only provide PLAIN
and LOGIN mechs. All users here use CRAM-MD5.

auxprop ldapdb
I would like this one, because I already use sasl/external and have all
necessary authz-regexp, authzTo and ACL stuff done so far. But! :-) I
use the attribute userPassword for Apache/FTP and therefore have another
attribute rnsMSCleartextPassword for mail.

Now how can I tell auxprop ldapdb to ask for this attribute and not
userPassword?

I know this question is somewhat off topic. But which is the right
place? Guess postmasters for sure can help me :-)

Thanks
Christian
-- 
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com


signature.asc
Description: This is a digitally signed message part


Re: delay some particular addresses ?

2011-01-21 Thread Christian Roessner
Hi,

>>> Would it be possible to delay the arrival of some particular addresses ?
>>> ( ala greylisting but only for a list of addresses )
>> This requires a Milter or policy plugin.

you can use postgrey and a (pcre-) map, which triggers a restriction_class

Not sure, if you want it for sender or recipients.

main.cf:
smtpd_recipient_restrictions = ..., check_sender_access pcre:/path/to/map/greylist.pcre, ...

smtpd_restriction_classes = greylist
greylist = check_policy_service inet:localhost:10023


/path/to/map/greylist.pcre:
/^sender1@example\.org$/    greylist

Not sure, if that's what you were looking for.

Christian
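
The restriction class above hands the matched senders to whatever listens on inet:localhost:10023, which is postgrey's usual port. What that listener has to speak is the Postfix access policy protocol (SMTPD_POLICY_README): "name=value" lines, a blank line ending the request, and an "action=..." reply followed by a blank line. The following is an added example, not postgrey and not code from the posts: a minimal policy server that defers the first contact of a (client address, sender, recipient) triple. The sample request is constructed; GREYLIST_DELAY and the listening address are assumptions, and the in-memory table is lost on restart.

```python
"""Minimal Postfix access policy server implementing greylisting.

Added example, not postgrey and not code from the posts.  Only senders
routed here through the greylist restriction class are affected."""

import socketserver
import time

GREYLIST_DELAY = 300            # seconds before a new triple passes (assumption)
LISTEN = ("127.0.0.1", 10023)   # matches inet:localhost:10023 in main.cf above

# Constructed request, in the form Postfix sends for one RCPT TO.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=mail.example.net\n"
    "helo_name=mail.example.net\n"
    "sender=sender1@example.org\n"
    "recipient=user@example.com\n"
    "\n"
)


def parse_request(text):
    """Turn 'name=value' lines into a dict; the first empty line ends it."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class Greylist:
    """Greylisting state keyed on (client address, sender, recipient)."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}

    def decide(self, attrs, now=None):
        """Return the Postfix action for one request.  'defer_if_permit'
        turns into a 450 only if no later restriction rejects outright, so
        a client that would be rejected anyway still gets its 5xx."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "dunno"
        key = (attrs.get("client_address", ""),
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return "defer_if_permit Greylisted, please try again later"
        return "dunno"


class PolicyHandler(socketserver.StreamRequestHandler):
    greylist = Greylist()   # one table shared by all connections

    def handle(self):
        # Postfix keeps the connection open and sends many requests on it.
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_request("\n".join(lines) + "\n")
            action = self.greylist.decide(attrs)
            self.wfile.write(f"action={action}\n\n".encode("utf-8"))
            self.wfile.flush()


def serve(address=LISTEN):
    """Run the policy server in the foreground."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(address, PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Because the server never sees requests for senders that do not match greylist.pcre, the delay applies exactly to the listed addresses and to nobody else; smtpd_policy_service_timeout in main.cf bounds how long smtpd waits for the reply.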

Re: Success story: smtpd_reject_footer

2011-01-20 Thread Christian Roessner
Hi,

>> Off topic, but on this subject, I am planning to implement this with
>> a web page, and maybe a contact form. Does anyone have a preferred
>> simple and yet spam-resistant means of doing this? Ideally I'd like
>> something that's more blind-friendly than Captcha.
> 
> I dislike graphic captchas. If they're good enough to defeat bots then 
> they're awkward for humans. I have normal eyesight, and I find that I often 
> have to refresh a captcha image before I can answer it. It must be 
> considerably harder for anyone with any level of visual impairment.
> 
> My preferred option is the question and answer system, otherwise known as a 
> Q&A captcha or gatekeeper, whereby a simple and easily answered random 
> question is posed to the visitor and they have to answer it correctly in 
> order to proceed. In my experience, this has a 100% success rate in defeating 
> spambots.
> 
> The only downside of the Q&A system is that it requires the user to be 
> reasonably fluent in the language in which the questions are posed. For that 
> reason, it may not be appropriate if you expect to get contact form 
> submissions from people whose first language is different to that in which 
> your website is written.

Why add a contact form? If a postmaster really does his/her job and scans 
the logs, finds your assistance info and enters the website, don't you think 
the same admin is also able to write a mail to you (postmaster@...)?

OT: Concerning captchas: Yes, I hate them a lot. I have many problems with my 
eyes. And sites working with captchas are often a stopper for me. Left eye 
nearly blind, right eye with 60-70% and yes, color blind, too. So captchas are 
really a cool idea *ironic*

IMO: Adding the page is really nice and should give a remote postmaster enough 
information to either fix his/her setup or contact you (postmaster@).

Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



PGP.sig
Description: Signed part of the message


vim syntax for 2.8.0

2011-01-19 Thread Christian Roessner
Hi,

I have added all dnsblog*, tlsproxy*, postscreen* and main keywords to 
pfmain.vim (this file is taken from Ubuntu Lucid). If you would like syntax 
highlighting for vim, put it under .vim/syntax/

Regards
Christian


pfmain.vim.gz
Description: GNU Zip compressed data


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



relay question

2011-01-13 Thread Christian Roessner
Hi,

sorry, if this question might sound a bit stupid, but if I specify 
relay_recipient_maps with all valid recipients that postfix should relay for, 
why does it need relay_domains set? As an example:

I have connected relay_domains to LDAP and have an object that returns all 
domains. I also have all users defined in LDAP (the mail addresses).

dn: ou=virtualDomains,ou=mail,ou=it,dc=roessner-net,dc=de
objectClass: rnsMSPostfixGroup
objectClass: organizationalUnit
objectClass: top
ou: virtualDomains
rnsMSVirtDomain: service.intern
rnsMSVirtDomain: roessner-net.com
rnsMSVirtDomain: testsetup.de
rnsMSVirtDomain: roessner-network-solutions.com
...

dn: uid=de1,ou=users,ou=people,dc=roessner-net,dc=de
objectClass: amavisAccount
objectClass: top
objectClass: rnsMSDovecotAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: rnsMSPostfixAccount
...
rnsMSDeliverToAddress: de1@service.intern
rnsMSEnableDovecot: TRUE
rnsMSEnablePostfix: TRUE
rnsMSMailboxHome: /var/mail/virtual/de1
rnsMSQuota: 5242880
rnsMSRecipientAddress: christ...@roessner-net.com
rnsMSRecipientAddress: i...@roessner-net.com
...

You see, the recipient address already specifies the domain (implicit). So why 
is relay_domains required, or isn't it and I just don't know how to unset it :)

Thanks
Christian

Re: postqueue command error???

2011-01-01 Thread Christian Roessner
Hi,


> 
> What's wrong with postqueue -f?
> 
> 
> config_directory = /usr/local/etc/postfix
> 
What if you specify 

postqueue -c /usr/local/etc/postfix -f

Christian


postscreen question

2011-01-01 Thread Christian Roessner
Hi,

do you have more information on this:

Jan  1 06:35:00 mx postfix/postscreen[5599]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 07:16:56 mx postfix/postscreen[6289]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 07:19:59 mx postfix/postscreen[7574]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 07:38:25 mx postfix/postscreen[7806]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 07:54:07 mx postfix/postscreen[8171]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 08:23:38 mx postfix/postscreen[8635]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 08:57:49 mx postfix/postscreen[9640]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 09:01:10 mx postfix/postscreen[10697]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 09:16:45 mx postfix/postscreen[10828]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 10:02:22 mx postfix/postscreen[11685]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan  1 15:17:14 mx postfix/postscreen[13261]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)

Happy new year

Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



PGP.sig
Description: Signed part of the message


Re: Available: preliminary postscreen STARTTLS support

2010-12-31 Thread Christian Roessner
Hi,

> This is uploaded as postfix-2.8-20101230-nonprod. The code has had
> limited testing, so keep an eye on things if you intend to expose
> it to the network.

Minor questions:

postfix/tlsproxy[30864]: CONNECT [2a01:4f8:120:31e2::165]51824

It is just because I saw it: missing ":" between address and port. And by the 
way: for postscreen and dnsblog and ... are you planning on making these 
modules behave like $smtpd_client_port_logging (default: no)?

And one minor thing. When rebuilding Ubuntu packages for the 20101230-nonprod, 
I reviewed master.cf for the tlsproxy line. I added it with a comment sign, 
read from the POSTSCREEN_README. The current master.cf is missing it.

So far, hope you don't mind my little comments :-)

I wish you all a good change from old->new year.

Christian

---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



Re: How not to reject invalid recipient domains (here: aol.com)

2010-12-21 Thread Christian Roessner
>> How can I have postfix queue mails to AOL and retry delivery in that case 
>> instead of bouncing the mails?
> 
> Did you play with this parameter?
> 
> maximal_queue_lifetime (default: 5d)
>   The maximal time a message is queued before it is sent back as 
> undeliverable.

Sorry, my fault. Same problem here.

Christian



PGP.sig
Description: Signed part of the message


Re: How not to reject invalid recipient domains (here: aol.com)

2010-12-21 Thread Christian Roessner
> apparently, aol.com is currently not resolved via DNS (at least in Germany).
> 
> How can I have postfix queue mails to AOL and retry delivery in that case 
> instead of bouncing the mails?

Did you play with this parameter?

maximal_queue_lifetime (default: 5d)
   The maximal time a message is queued before it is sent back as 
undeliverable.

Christian



PGP.sig
Description: Signed part of the message


Re: PREPEND problems

2010-12-20 Thread Christian Roessner
Hi all,

really thanks for all the info, but the problem is already fixed. It needed help 
here with adding check_sender_access to smtpd_data_restrictions, and the help 
of Mark Martinec for amavisd-new, to get header_checks working in a dual setup 
MSA/MTA.

Many thanks for all your help.

It works pretty fine now.

Christian



PGP.sig
Description: Signed part of the message


Re: PREPEND problems

2010-12-20 Thread Christian Roessner
>> With the default smtpd_delay_reject=yes,  smtpd_{client, helo, sender, 
>> recipient}_restrictions are repeated for each recipient, but 
>> smtpd_data_restrictions are run only once.
>> 
> That is really good to know and makes things much easier now. I give it a try.

Thanks :-) Works. It is frustrating, how complicated I sometimes think and how 
easy solutions can be.

Christian

Re: PREPEND problems

2010-12-20 Thread Christian Roessner
>> DATA
>> .  <-- Testing after this point, if in smtpd_data_restrictions. But 
>> does this behave differently than the above?
> 
> 
> Of course it works.  And BTW, smtpd_data_restrictions are run after the DATA 
> command, not after the dot -- that's smtpd_end_of_data_restrictions.
> 
:-)

> With the default smtpd_delay_reject=yes,  smtpd_{client, helo, sender, 
> recipient}_restrictions are repeated for each recipient, but 
> smtpd_data_restrictions are run only once.
> 
That is really good to know and makes things much easier now. I give it a try.

> You could also fix this particular problem by setting smtpd_delay_reject=no 
> and putting your check in smtpd_sender_restrictions, but that causes other 
> problems best avoided.

Yes, I try to put everything under smtpd_recipient_restrictions.

Thanks for your help
Christian



Re: PREPEND problems

2010-12-20 Thread Christian Roessner
> 
> Yes, that will work fine if you put your check_sender_access rule under 
> smtpd_data_restrictions.
> 

I am unsure if that works. I thought that check_sender_access only uses the 
envelope-from tag. So where is the difference between putting it in 
smtpd_recipient_restrictions or waiting for the end of the DATA phase? Think, I 
don't understand :-)

MAIL FROM:
220 OK
RCPT TO:<>   <-- Testing here, if in smtpd_recipient_restrictions
220 OK
RCPT TO:<>   <-- and again, producing the duplicate??
220 OK
DATA
. <-- Testing after this point, if in smtpd_data_restrictions. But does 
this behave differently than the above?

>> So I thought I need a different method and configured header_checks:
>> 
>> # header_checks
>> 
>> if !/^VBR-Info:.*roessner-net(work-solutions)?/
>> /^From:@roessner-net\.com/ PREPEND VBR-Info: 
>> md=roessner-net.com; mv=dwl.spamhaus.org; mc=all
>> /^From:@roessner-network-solutions\.com/   PREPEND VBR-Info: 
>> md=roessner-network-solutions.com; mv=dwl.spamhaus.org; mc=all
>> endif
> 
> Headers are checked one at a time with no state kept, so the above will never 
> work.  Put your check_sender_access rule in smtpd_data_restrictions.
> 
The rules shown above are for header_checks. That seems to do the trick, but I 
have to add no_header_body_checks to the receive_override_options in the return 
socket. Unfortunately this also disables header checking for incoming MTA 
connections. I would need a different return socket for amavis, but I do not 
know how to tell amavis in its policy_banks to use a different 
forward-/notify-method :-( So this is something I asked on the amavis-users 
list right now.

Christian

Re: PREPEND problems

2010-12-20 Thread Christian Roessner
Hi again,

> # header_checks
> 
> if !/^VBR-Info:.*roessner-net(work-solutions)?/
> /^From:@roessner-net\.com/ PREPEND VBR-Info: 
> md=roessner-net.com; mv=dwl.spamhaus.org; mc=all
> /^From:@roessner-network-solutions\.com/   PREPEND VBR-Info: 
> md=roessner-network-solutions.com; mv=dwl.spamhaus.org; mc=all
> endif
> 
> # Any other checks for incoming and outgoing mail goes here
> 
First I tried -o header_checks= in master.cf, but I need to add 
no_header_body_checks to the smtpd which receives from amavis.

Christian



PREPEND problems

2010-12-20 Thread Christian Roessner
Hi,

I am a little bit stuck with prepending one and exactly one additional header 
to outgoing mails that are sent from local users. In fact I want to add a 
VBR-Info:- header for outgoing mails.

Local users use a separate MSA port (own IP-socket in master.cf). The socket is 
configured with smtpd_proxy_filter off and using content_filter. So the whole 
mails gets queued before giving it to amavis (in my setup).

Inside the MSA part, I first defined a check_sender_access rule and thought 
that would do the job. But today I saw that for _each_ To: address a header is 
prepended. So if I write a mail with eight recipients, I see eight 
VBR-Info:-header lines in the result.

So I thought I need a different method and configured header_checks:

# header_checks

if !/^VBR-Info:.*roessner-net(work-solutions)?/
/^From:@roessner-net\.com/ PREPEND VBR-Info: 
md=roessner-net.com; mv=dwl.spamhaus.org; mc=all
/^From:@roessner-network-solutions\.com/   PREPEND VBR-Info: 
md=roessner-network-solutions.com; mv=dwl.spamhaus.org; mc=all
endif

# Any other checks for incoming and outgoing mail goes here

But this does not change anything. Same result. And I fear I understand why. It 
is the cleanup that does the checks for each outgoing mail. Is that right?

Do you have any idea, how I could solve this?

Thanks in advance
Christian

Re: Understanding TLS

2010-12-05 Thread Christian Roessner
> Take a look at postscreen(8):
> | BUGS
> |  The postscreen(8) built-in SMTP protocol engine does not announce
> |  support for STARTTLS, AUTH, XCLIENT or XFORWARD

Thanks. That helps ;-)

Christian



PGP.sig
Description: Signed part of the message


Re: Understanding TLS

2010-12-05 Thread Christian Roessner
>> When I use telnet to connect to mx0.roessner-net.de 25, waiting for 
>> postscreen to allow me sending EHLO, I only get the following list of 
>> commands:
>> 
>> Trying 78.46.253.227...
>> Connected to mx0.roessner-net.de.
>> Escape character is '^]'.
>> 220-mx0.roessner-net.de ESMTP
>> 220 mx0.roessner-net.de ESMTP
>> EHLO client.unitymedia.org
>> 250-mx0.roessner-net.de
>> 250-SIZE 31457280
>> 250-ETRN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> 
>> Where is the STARTTLS? When I look at the logs, I see that servers use TLS 
>> to communicate with my server. So could someone tell me, how the trick 
>> works? To do TLS without seeing the STARTTLS command? And I do not have 465 
>> open. Only 25.
>> 
>> Thanks to anybody who might like to bring light into dark for me :-)
> 
> telnet is the wrong tool.
> openssl s_client -connect mx0.roessner-net.de:25 -starttls smtp \
>-CAfile /path/to/ca

But how does a client know that the server _offers_ starttls, if not connecting 
plain and looking for the STARTTLS keyword?

Christian

PGP.sig
Description: Signed part of the message

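The question in the reply above, how a client knows that STARTTLS is on offer, is answered by the protocol itself: the client connects in the clear, reads the greeting, sends EHLO and looks for the STARTTLS keyword in the multi-line 250 reply (RFC 3207); only then does it send STARTTLS and start the handshake. The code below is an added example, not code from the posts or from Postfix, that does exactly that and also shows why telnet by hand misleads under postscreen: the greeting comes as two lines ("220-..." then "220 ..."), and a client that stops reading after the first one sends EHLO too early. The EHLO transcripts are constructed: the first is the one quoted in the thread, the second adds the STARTTLS line a TLS-enabled smtpd announces. Hostnames and the HELO name used by the probe are assumptions.

```python
"""Learn whether an SMTP server offers STARTTLS the way a client does.

Added example, not code from the posts.  Parses multi-line SMTP replies,
extracts EHLO keywords, and optionally performs the STARTTLS upgrade."""

import io
import socket
import ssl

# Constructed sample replies (lines without CRLF).
EHLO_NO_TLS = [
    "250-mx0.roessner-net.de",
    "250-SIZE 31457280",
    "250-ETRN",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]
EHLO_WITH_TLS = EHLO_NO_TLS[:1] + ["250-STARTTLS"] + EHLO_NO_TLS[1:]


def read_reply(rfile):
    """Read one SMTP reply.  Continuation lines carry '-' in column 4
    ('220-', '250-'); the last line carries a space there.  postscreen's
    greeting is two such lines, so stopping after the first is wrong."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed by peer")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def reply_from_bytes(data):
    """Parse a captured reply from a byte string (offline use)."""
    return read_reply(io.BytesIO(data))


def parse_ehlo_reply(lines):
    """Return (code, server name, {KEYWORD: parameters}) for an EHLO reply.
    The first line names the server; each further line is one EHLO keyword
    with optional parameters (RFC 5321, section 4.1.1.1)."""
    code = int(lines[0][:3])
    extensions = {}
    for line in lines[1:]:
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params
    return code, lines[0][4:], extensions


def starttls_offered(lines):
    """True if the EHLO reply succeeded and announced STARTTLS."""
    code, _, extensions = parse_ehlo_reply(lines)
    return code == 250 and "STARTTLS" in extensions


def probe_starttls(host, port=25, helo="probe.example.invalid", timeout=60):
    """Connect, EHLO, and attempt STARTTLS.  Returns (tls_started, ehlo).
    Certificate verification is deliberately off: this only checks that
    the server offers and completes STARTTLS, not that its cert is valid.
    Behind postscreen a first contact may get '450 ...' instead of the
    EHLO keywords; that yields (False, ['450 ...']), so retry later."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        read_reply(rfile)                       # greeting, possibly multi-line
        sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        ehlo = read_reply(rfile)
        if not starttls_offered(ehlo):
            sock.sendall(b"QUIT\r\n")
            return False, ehlo
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(rfile)[-1].startswith("220"):
            return False, ehlo
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # RFC 3207: the client must EHLO again on the encrypted channel.
            tls.sendall(f"EHLO {helo}\r\n".encode("ascii"))
            ehlo_tls = read_reply(tls.makefile("rb"))
            tls.sendall(b"QUIT\r\n")
        return True, ehlo_tls
```

Note that the capability list seen in the clear is exactly what an active attacker can strip; that is why smtp_tls_security_level=encrypt (or dane/secure) exists on the sending side, and why a missing STARTTLS keyword should be treated as a finding, not just as "no TLS here".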

Understanding TLS

2010-12-05 Thread Christian Roessner
Hi,

first of all, I am not an SSL expert, so I hope you could help me understanding 
something. I have Postfix configured as MSA/MTA with latest postfix 
experimental. On port 25 of the mx0.roessner-net, which is the main mail 
exchanger for other MTAs, I do not offer AUTH, but want to offer STARTTLS.

On the MSA side, the side to my clients, I wish to offer STARTTLS and AUTH. So 
I put the smtpd_sasl_auth_enable=yes option into master.cf.

So far so good.

When I use telnet to connect to mx0.roessner-net.de 25, waiting for postscreen 
to allow me sending EHLO, I only get the following list of commands:

Trying 78.46.253.227...
Connected to mx0.roessner-net.de.
Escape character is '^]'.
220-mx0.roessner-net.de ESMTP
220 mx0.roessner-net.de ESMTP
EHLO client.unitymedia.org
250-mx0.roessner-net.de
250-SIZE 31457280
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Where is the STARTTLS? When I look at the logs, I see that servers use TLS to 
communicate with my server. So could someone tell me, how the trick works? To 
do TLS without seeing the STARTTLS command? And I do not have 465 open. Only 25.

Thanks to anybody who might like to bring light into dark for me :-)

Christian

postconf -n:
alias_database = ${default_database_type}:/etc/aliases
alias_maps = ${default_database_type}:/etc/aliases
anvil_rate_time_unit = 60s
anvil_status_update_time = 1h
biff = no
bounce_queue_lifetime = 1d
bounce_template_file = ${config_directory}/bounce.de-DE.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
default_database_type = btree
delay_warning_time = 2h
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_interfaces = 78.46.253.227, 2A01:4F8:61:8222:0:0:0:50
inet_protocols = ipv4, ipv6
lmtp_bind_address = 127.0.0.1
lmtp_bind_address6 = ::1
mailbox_size_limit = 0
maximal_queue_lifetime = 1d
message_size_limit = 31457280
minimal_backoff_time = 5m
mydomain = roessner-net.de
myhostname = mx0.roessner-net.de
mynetworks = 127.0.0.0/8, 10.1.0.0/16, [::1]/128, [2A01:4F8:61:8222::]/64
owner_request_special = no
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = enforce
postscreen_blacklist_networks = cidr:${map}/postscreen_blacklist.cidr
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org, spam.ipv6.kutukupret.com,
    bl.spamcop.net, dnsbl.njabl.org, ix.dnsbl.manitu.net, dsn.rfc-ignorant.org
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
proxy_read_maps = ${local_recipient_maps}, ${virtual_mailbox_maps},
    ${virtual_mailbox_domains}, ${virtual_alias_maps},
    ${ldap}/helo_access.cf, ${ldap}/relay_domains.cf,
    ${ldap}/relay_recipient_maps.cf
queue_minfree = 47185920
readme_directory = /usr/share/doc/postfix
recipient_bcc_maps = pcre:${map}/backup_bcc.pcre
recipient_delimiter = +
relay_domains = ${mydestination}, lists.roessner-net.de, ${ldap}/relay_domains.cf
relay_recipient_maps = ${ldap}/relay_recipient_maps.cf,
    ${default_database_type}:/var/lib/mailman/data/virtual-mailman
relay_transport = lmtp:[::1]:24
smtp_bind_address = 78.46.253.227
smtp_bind_address6 = 2A01:4F8:61:8222:0:0:0:50
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /ca/mx0.roessner-net.de/newcert.pem
smtp_tls_key_file = /ca/mx0.roessner-net.de/newkey.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = sdbm:${data_directory}/smtp_session_cache
smtp_use_tls = yes
smtpd_banner = ${myhostname} ESMTP
smtpd_client_event_limit_exceptions = ${mynetworks}, 208.31.42.77
smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining
smtpd_etrn_restrictions = reject
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_policy_service_timeout = 5m
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_non_fqdn_sender,reject_unknown_recipient_domain,
reject_unknown_sender_domain,reject_unlisted_recipient,
reject_unauth_destination,reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,check_sender_access ${mapidx}/sender_access,
check_client_access pcre:${map}/client_access.pcre,check_client_access
cidr:${map}/client_access.cidr,check_policy_service inet:[::1]:12527,
check_sender_access ${mapidx}/backscatter,check_helo_access
pcre:${map}/helo_access.pcre,check_policy_service inet:[::1]:12526,
check_client_access pcre:${map}/dynamic_ip.pcre,
reject_unknown_reverse_client_hostname,reject_unknown_helo_hostname,
check_sender_ns_access ${mapidx}/bogus_dns,check_recipient_access
pcre:${map}/roleaccount_exceptions.pcre,check_helo_access
${ldap}/helo_access.cf,check_sender_access pcre:${map}/greylist.pcre
smtpd_restriction_classes = greylist
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = n

Re: Spamhaus DWL in postfix

2010-11-15 Thread Christian Roessner
>> I am interested in including the DWL feature from SpamHaus into
>> postfix.
> Wietse:
>> DWL requires content external content inspection.  For example, a
>> Milter, or a before-or-after-queue SMTP-based filter. Either approach
>> can be used to verify the DKIM signature and the VBR header.
> 
> I'm working on a SpamAssassin plugin to implement Spamhaus DWL
> (and other 'SA tag'- based DNS lookups). It is a bit more tricky
> than it seems at first glance. Coupled with amavisd-new 2.7.0
> in a pre-queue proxy mode this could accomplish the job (i.e.
> meeting Spamhaus DWL requirements, not a general VBR implementation).

That's great to hear :) My only problem is that I think there needs to be 
"something" inside postfix that prevents postfix from rejecting a mail before 
it was checked against DWL/DKIM.

So this is where I think the milter comes in, and where the smtpd_restrictions 
need to be shifted to smtpd_data_restrictions. Could it mean that it might be 
enough to run amavis not as smtpd_proxy_filter, but as a milter, maybe? Could 
this be a solution?

Thanks
Christian






Re: Spamhaus DWL in postfix

2010-11-15 Thread Christian Roessner
>> Because my guess is that I have to use some kind of a pre-queue-milter
>> to check for the VBR-Header and if it exists doing some DWL-DNS
>> lookup.
> 
> Please be careful. The mere existence of a VBR-Info header is
> insufficient; before performing any DWL lookups, be sure to use a
> suitable validation mechanism as described in RFC 5518.
> 
I think implementing this is not as easy as I hoped in the beginning. Are 
there people here who would like to start a project together with me?

Just a couple of thoughts:
- Language: Python or C (because I can't do Perl)
- Good design; trying good OOP
- Doing theory and implementing all protocols necessary (VBR, ...)
- Using GIT
- ...

I think that I alone cannot do this. But I have seen there are several other 
websites using VBR, so this really could be interesting. Yet I do not know how 
to deal with the DKIM verification; as of writing this, I use amavis for 
signing/verifying. So one question is whether DKIM verification for VBR must be 
done in the milter too, or if we can find another mechanism.

If people are interested in such a project, I would open extra mailing lists.

Feedback is welcome
Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com





Spamhaus DWL in postfix

2010-11-14 Thread Christian Roessner
Hi,

I am interested in including the DWL feature from SpamHaus into postfix. First 
question:

Is there already a working mechanism to include this service and if not, how 
could this be done?

As far as I understood, DWL works in the way that a sender includes a 
VBR-Info:-Header. That can simply be done with client_sender_access and 
PREPEND, ok. But on the receiving side, it becomes a bit more complicated:

I use smtpd_recipient_restrictions for all of my tests. With DWL, this could 
become a problem, because the VBR header is sent in the DATA phase. So, first 
question: do I have to shift all my rules from smtpd_recipient_restrictions to 
smtpd_data_restrictions? Because my guess is that I have to use some kind of 
pre-queue milter to check for the VBR header and, if it exists, do some 
DWL DNS lookup. Finally an OK or DUNNO or whatever. If I leave the tests under 
smtpd_recipient_restrictions, an earlier rule could reject a client even if it 
was in the DWL list.

I am trying to do my homework, so I first ask here whether I really understood 
the way DWL should be used and how it could be done.

I am also interested in implementing the milter, if one doesn't exist 
already.

Many thanks in advance

Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



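The validation step that the replies above insist on (the header alone proves nothing; only a domain that DKIM or SPF already verified may be looked up), as an added example that is not code from the thread, from Postfix or from Spamhaus. It parses a VBR-Info header as RFC 5518 defines it (md=, mc=, mv=), checks md against the set of domains a verifier such as amavis has already authenticated, and only then queries `<md>._vouch.<voucher>` for a TXT record. The resolver is injected so the module runs offline; `CONSTRUCTED_TXT`, `vouch.example.net` and `constructed_resolver` are constructed stand-ins, not real zone data.

```python
"""
Added example, not code from the thread: validating a VBR-Info header the
RFC 5518 way before trusting a DWL answer.  The resolver is injected so the
module runs offline; CONSTRUCTED_TXT stands in for real DNS answers.
"""
from typing import Callable, Dict, Iterable, List, Set, Tuple

MAIL_TYPES = {"transaction", "list", "all"}  # the mc= values RFC 5518 defines


def parse_vbr_info(value: str) -> Dict[str, str]:
    """Parse 'md=example.com; mc=list; mv=vouch.example.net' into a dict.

    md = domain claiming the vouch, mc = mail type, mv = colon-separated
    list of vouching services.  A header missing any of them is unusable.
    """
    fields: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed tag %r" % part)
        fields[tag.strip().lower()] = val.strip()
    missing = [t for t in ("md", "mc", "mv") if t not in fields]
    if missing:
        raise ValueError("VBR-Info lacks %s" % ", ".join(missing))
    return fields


def _norm(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def check_vbr(header_value: str,
              authenticated_domains: Iterable[str],
              trusted_vouchers: Iterable[str],
              resolve_txt: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Return (vouched, reason).

    authenticated_domains: domains a DKIM (or SPF) verifier has already
    confirmed for this message, e.g. the d= of a valid DKIM signature.
    trusted_vouchers: vouching services the operator chose to honour.
    resolve_txt: returns the TXT strings for a name, raises LookupError
    when there is no record.
    """
    try:
        fields = parse_vbr_info(header_value)
    except ValueError as exc:
        return False, "unusable VBR-Info: %s" % exc
    md, mc = _norm(fields["md"]), fields["mc"].lower()
    if mc not in MAIL_TYPES:
        return False, "unknown mail type mc=%s" % mc
    # The step the thread insists on: the header alone proves nothing.  Only a
    # domain that passed DKIM/SPF verification may be looked up.
    if md not in {_norm(d) for d in authenticated_domains}:
        return False, "md=%s was not authenticated, header ignored" % md
    trusted = {_norm(v) for v in trusted_vouchers}
    for voucher in fields["mv"].split(":"):
        voucher = _norm(voucher)
        if voucher not in trusted:
            continue  # a sender may name vouchers we do not use; skip them
        # RFC 5518: query <md>._vouch.<voucher> for a TXT record holding a
        # space-separated list of the mail types the voucher stands for.
        qname = "%s._vouch.%s" % (md, voucher)
        try:
            answers = resolve_txt(qname)
        except LookupError:
            continue
        vouched_types: Set[str] = set()
        for txt in answers:
            vouched_types.update(txt.lower().split())
        if mc in vouched_types or "all" in vouched_types:
            return True, "%s vouches for %s mail from %s" % (voucher, mc, md)
    return False, "no trusted voucher confirmed %s" % md


# Constructed DNS answers for offline use; no real zone is consulted.
CONSTRUCTED_TXT = {
    "example.com._vouch.vouch.example.net": ["transaction list"],
}


def constructed_resolver(qname: str) -> List[str]:
    if qname in CONSTRUCTED_TXT:
        return CONSTRUCTED_TXT[qname]
    raise LookupError(qname)
```

Because the check needs the message headers and a DKIM verdict, it can only run where the body is available, i.e. from a milter or a before/after-queue content filter, which is the thread's reason for not leaving this decision to smtpd_recipient_restrictions. For the real service the thread names, the voucher would be `dwl.spamhaus.org` and `resolve_txt` a DNS TXT lookup.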


Re: DNS Whitelisting

2010-11-08 Thread Christian Roessner
> 
> I'm working on Spamhaus' new whitelist where our goal is to list only
> mail sources clean enough that you can skip the rest of the filtering.
> (So far so good, but it's still pretty small.)
> 
> You're welcome to use it.  The IP address version is at swl.spamhaus.org.
> 
> For people who like DKIM, there's also domain version at
> dwl.spamhaus.org.  It lists domains, with the ONLY use that we support
> being DKIM d= signing domains on mail with valid signatures.  See RFC
> 5518.
> 
> The terms of use are the same as the rest of the Spamhaus lists, moderate
> number of queries are fine, larger than that and you have to buy a feed.
> If you already have a Spamhaus feed, the SWL and DWL should now be
> included in it.
> 
> The plan for the SWL and DWL is that we will eventually charge for
> listings, but for now it's free, in limited beta.  See
> http://www.spamhauswhitelist.com/en/, and drop me a line if you'd like
> an invitation.

Because I like Spamhaus and dnswl.org, I wrote a policy service for 
postfix several weeks ago. It is stable, as far as I could test it. Maybe you 
would also like to have a look at this project. I won't talk about it here anymore 
if somebody feels bothered. Promised!

http://www.roessner-network-solutions.com/?page_id=639

I really, really would appreciate feedback. ;-)

Thx

Christian



Re: postfix in an IPv6 network

2010-10-25 Thread Christian Roessner
>>> 1. Problem: format of IPv6 address in mynetworks
>>> 
>>> After many trials, I have found out that the ipv6 Address in the
>>> mynetworks attribute must have a double semicolon at the end,
>>> otherwise the smtpd server throttles:
>>> 
>>> Oct 25 12:40:10 mailhost postfix/smtpd[5019]: connect from
>>> myclient.mydomain.com[2002:::1::21]
>>> Oct 25 12:40:10 mailhost postfix/smtpd[5019]: fatal: bad net/mask
>>> pattern: "2002:::/64"
>> 

I cannot say much about it, but maybe you want to look at my settings and 
compare them:

inet_protocols  = ipv4, ipv6
inet_interfaces = 78.46.253.227, 2A01:4F8:61:8222:0:0:0:50
smtp_bind_address6  = 2A01:4F8:61:8222:0:0:0:50
mynetworks  = 127.0.0.0/8, 10.1.0.0/16, [::1]/128, 
[2a01:4f8:61:8222::]/64

These settings work for me. So maybe it gives you an idea.

Regards
Christian

---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



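A pre-flight check for the bracket rule the settings above rely on, added here as an example; it is not code from the thread or from Postfix. Postfix documents that IPv6 address information in mynetworks must be written inside `[]`, which is what the quoted "bad net/mask pattern" error for a bare `2002:...::/64` runs into. The checker approximates that documented syntax with the standard library (it is not Postfix's own parser) and also rejects net/mask pairs with host bits set below the mask.

```python
"""
Added example, not code from the thread or from Postfix: a pre-flight
check for mynetworks entries that applies the syntax rule the settings
above rely on, IPv6 networks written as [address]/prefix, plus the
usual net/mask sanity checks.  It approximates Postfix's documented
syntax with the standard library and is not Postfix's own parser.
"""
import ipaddress
import re
from typing import List, Tuple


def check_mynetworks_entry(entry: str) -> Tuple[bool, str]:
    """Return (ok, message) for a single mynetworks item."""
    entry = entry.strip()
    if not entry:
        return False, "empty entry"
    if entry.startswith("["):
        # Postfix syntax: IPv6 address information goes inside [] brackets.
        close = entry.find("]")
        if close < 0:
            return False, "unterminated '[' in %r" % entry
        addr, tail = entry[1:close], entry[close + 1:]
        want_version = 6
    else:
        addr, sep, tail = entry.partition("/")
        tail = sep + tail
        want_version = 4
        if ":" in addr:
            # The case from the question: a bare IPv6 net/mask is not read as
            # IPv6 at all, hence Postfix's "bad net/mask pattern".
            return False, "IPv6 must be bracketed: write [%s]%s instead of %r" % (
                addr, tail, entry)
    if tail == "":
        prefix = None
    elif tail.startswith("/") and tail[1:].isdigit():
        prefix = int(tail[1:])
    else:
        return False, "bad net/mask pattern %r" % entry
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False, "not an IP address: %r" % addr
    if ip.version != want_version:
        return False, "brackets are for IPv6 only: %r" % entry
    if prefix is None:
        return True, "host %s" % ip.compressed
    try:
        # strict=True rejects host bits set below the mask, e.g. 10.1.0.5/16,
        # which Postfix also complains about.
        net = ipaddress.ip_network("%s/%d" % (ip.compressed, prefix), strict=True)
    except ValueError:
        return False, "bad prefix or non-null host bits in %r" % entry
    return True, "network %s" % net.compressed


def check_mynetworks(value: str) -> List[Tuple[str, bool, str]]:
    """Check every item of a mynetworks value (comma and/or space separated)."""
    return [(item, *check_mynetworks_entry(item))
            for item in re.split(r"[,\s]+", value.strip()) if item]
```

Run it over the value you intend to put into main.cf before restarting; an entry that fails here would make smtpd exit with the fatal error quoted above.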


recipient limit in policy service

2010-10-21 Thread Christian Roessner
Hi,

sorry to ask that, but I am trying to understand a problem that I found while writing a 
policy server. If I put it into smtpd_recipient_restrictions and a remote MTA 
connects, sends its EHLO, MAIL FROM and then a list of RCPT TOs, postfix 
switches right after the first user to the policy server and waits for the 
reply, then comes back and maybe does 250 Ok, and after all further RCPT TOs 
the policy server is not queried again.

I expected that Postfix uses recipient as a multi-value in the delegation 
protocol.

I know that it might be a problem if 20 RCPT TOs are generated, 19 say DUNNO 
and one says REJECT, but this is a problem of the policy server, in my opinion 
:-)

Please keep in mind that English is a foreign language for me. It might sound 
like an attack, but it's because of missing words :-)

Is it possible to make Postfix wait until DATA and then give the full list of 
all RCPT TOs to the policy server? Maybe in the smtpd_data_restrictions? I 
tried it, but I only receive an empty list and the recipient counter. But that 
does not help me.

I really need all recipients in the policy server. Maybe the policy server 
needs to be queried after _each_ given RCPT TO. Maybe it would be possible to make 
that configurable?

I think, if the problem (20 users, one reject) happens, a policy server would 
have to decide DUNNO in such a situation.

Or is that something that needs to be implemented in a pre-queue milter?

Any help is welcome

And many thanks in advance

Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com





Re: OT: dns whitelisting with a postfix policy service

2010-10-15 Thread Christian Roessner
Hi,

today I added full IPv6 support and the amavisd-new bindings. Now it's possible 
to use dnswl.py as a policy service in postfix, and if it finds an MTA on a 
whitelist, it automatically gets soft-whitelisted in amavis (using SQL).

I will put the new version on my site later on.

Have fun
Christian

On 14.10.2010 at 15:49, Christian Roessner wrote:

> Hi,
> 
>> Actually using a WL to let email through does not appear to have any 
>> advantage except for the WL vendor.
>> 
>>> Ah and yes, of course that is open source.
>> 
>> Thanks for providing this!
> 
> well, on the one side you are right that currently the WL vendor may earn 
> money. But I fear the moment where IPv6 is used in wide areas. Then there 
> need to be new strategies, because blacklists will become less useful. But 
> whitelists would gain importance.
> 
> I think that in several years, an MTA could handle incoming mail from unknown 
> MTAs very strictly and only users who have proven good reputation will have a 
> chance of easygoing mail traffic.
> 
> That is the idea behind it. Maybe I am wrong.
> 
> Christian
> 
> 
> ---
> Roessner-Network-Solutions
> Bachelor of Science Informatik
> Nahrungsberg 81, 35390 Gießen
> F: +49 641 5879091, M: +49 176 93118939
> USt-IdNr.: DE225643613
> http://www.roessner-network-solutions.com
> 





Re: OT: dns whitelisting with a postfix policy service

2010-10-14 Thread Christian Roessner
Hi,

> Actually using a WL to let email through does not appear to have any 
> advantage except for the WL vendor.
> 
>> Ah and yes, of course that is open source.
> 
> Thanks for providing this!

well, on the one side you are right that currently the WL vendor may earn money. 
But I fear the moment where IPv6 is used in wide areas. Then there need to be 
new strategies, because blacklists will become less useful. But whitelists 
would gain importance.

I think that in several years, an MTA could handle incoming mail from unknown 
MTAs very strictly and only users who have proven good reputation will have a 
chance of easygoing mail traffic.

That is the idea behind it. Maybe I am wrong.

Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com





OT: dns whitelisting with a postfix policy service

2010-10-14 Thread Christian Roessner
Hi,

I have seen that several services on the internet started with DNS whitelists. 
So I was looking for a way to integrate it into Postfix. Blacklisting 
seems to be easy, but whitelisting not. So I was looking at how to write a policy 
service. I have coded a python daemon called dnswl.py that currently can deal 
with spamhaus whitelists and dnswl.org lists as well. It is in an early stage, but 
seems to work here. My MTA is not under heavy stress, so I do not have really 
good results yet.

I want to add a SQL interface that can fill amavisd-new (soft whitelisting).

Maybe you like to visit the project page here:

http://www.roessner-network-solutions.com/?p=626

One feature is the debug mode that shows very nicely, what is coming from 
postfix ;-)

Any feedback is welcome. And please do not cut my head off if you follow a 
completely different philosophy in handling mail :-)

Ah and yes, of course that is open source.

Thanks for feedback and maybe helping hands??

Best wishes
Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



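The policy delegation exchange that this post and the earlier "recipient limit in policy service" post are about, as an added example that is not the thread's dnswl.py and not Postfix code. It shows what the protocol actually delivers: in smtpd_recipient_restrictions Postfix sends one request per RCPT TO with `recipient=` filled in, and in smtpd_data_restrictions a single request with `recipient=` empty and only `recipient_count=` set. The `instance` attribute is the same for every request of one message, which is how a policy server can assemble the full recipient list itself and cache its whitelist lookup per message rather than per recipient. The whitelist lookup is injected; `CONSTRUCTED_WHITELIST` (RFC 5737/3849 documentation addresses) and port 12525 are constructed values, not anything from the thread.

```python
"""
Added example, not the thread's dnswl.py: a small Postfix policy
delegation server that correlates the per-RCPT queries of one message
via the 'instance' attribute and sees the full recipient list at DATA.
The whitelist lookup is injected; CONSTRUCTED_WHITELIST stands in for a
DNS whitelist answer.
"""
import socketserver
from typing import Callable, Dict, List, Tuple


def parse_request(raw: str) -> Dict[str, str]:
    """Parse the name=value lines of one policy request (ends at a blank line)."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def format_response(action: str) -> str:
    """Policy replies are 'action=<verdict>' followed by an empty line."""
    return "action=%s\n\n" % action


class PolicyEngine:
    """Decision logic, kept apart from the socket code so it can be tested."""

    def __init__(self, is_whitelisted: Callable[[str], bool]) -> None:
        self.is_whitelisted = is_whitelisted
        self._rcpts: Dict[str, List[str]] = {}   # instance -> recipients seen
        self._verdict: Dict[str, bool] = {}      # instance -> cached lookup
        self.completed: List[Tuple[str, List[str], int]] = []  # for inspection

    def decide(self, attrs: Dict[str, str]) -> str:
        inst = attrs.get("instance", "")
        state = attrs.get("protocol_state", "")
        if state == "RCPT":
            # One lookup per message, not per recipient: cache it on the instance.
            if inst not in self._verdict:
                self._verdict[inst] = self.is_whitelisted(attrs.get("client_address", ""))
            self._rcpts.setdefault(inst, []).append(attrs.get("recipient", ""))
            # OK ends restriction evaluation for this recipient; DUNNO lets the
            # restrictions after check_policy_service run as usual.
            return "OK" if self._verdict[inst] else "DUNNO"
        if state in ("DATA", "END-OF-MESSAGE"):
            # No recipient= here, only recipient_count=, the number Postfix
            # accepted.  Our list may be longer if a restriction that runs
            # after us rejected a recipient we had already been asked about.
            seen = self._rcpts.pop(inst, [])
            self._verdict.pop(inst, None)
            count = int(attrs.get("recipient_count", "0") or 0)
            self.completed.append((inst, seen, count))
            return "DUNNO"
        return "DUNNO"  # CONNECT, EHLO, MAIL, ...: nothing to add here


class PolicyHandler(socketserver.StreamRequestHandler):
    engine: PolicyEngine  # assigned by serve()

    def handle(self) -> None:
        # Postfix keeps the connection open and sends requests back to back.
        while True:
            lines: List[str] = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return  # Postfix closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = self.engine.decide(parse_request("\n".join(lines)))
            self.wfile.write(format_response(action).encode("utf-8"))
            self.wfile.flush()


class _Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True


def serve(host: str, port: int, engine: PolicyEngine) -> None:
    PolicyHandler.engine = engine
    with _Server((host, port), PolicyHandler) as server:
        server.serve_forever()


# Constructed stand-in for a DNS whitelist answer (documentation addresses).
CONSTRUCTED_WHITELIST = {"192.0.2.10", "2001:db8::10"}

if __name__ == "__main__":
    # main.cf: check_policy_service inet:127.0.0.1:12525 listed in
    # smtpd_recipient_restrictions and, for the DATA query, smtpd_data_restrictions
    serve("127.0.0.1", 12525, PolicyEngine(lambda ip: ip in CONSTRUCTED_WHITELIST))
```

Listing the service in both restriction lists gives the server the per-recipient view and the end-of-envelope view of the same message; the `completed` list records, per instance, the recipients it was asked about next to the count Postfix reports, which is the comparison the earlier post was missing.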


Question to Wietse

2010-10-09 Thread Christian Roessner
Hi,

sorry to use the list to contact you, but I tried to send you a mail off-list 
and it is not deliverable (yet):

mailq
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
5191D520B4 6013 Sat Oct  9 09:54:10  c...@roessner-network-solutions.com
(host spike.porcupine.org[168.100.189.2] said: 450 4.1.7 
: Sender address rejected: unverified 
address: host mx0.roessner-net.de[78.46.253.227] said: 450 4.3.2 Service 
currently unavailable (in reply to RCPT TO command) (in reply to RCPT TO 
command))
 wie...@porcupine.org

I had spoken with Patrick and it would be nice, if I could write you directly.

By the way: my server also sometimes produces these: 450 4.3.2 Service currently 
unavailable

What causes postscreen to raise such temp failures?

Best wishes
Christian


N.B.: Your IPv6 is refusing the connection as well ;-)

---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com