Re: Spoofing on a test system

2015-06-16 Thread Jose Ildefonso Camargo Tolosa
On Tue, Jun 16, 2015 at 8:59 AM, Steve Matzura numb...@noisynotes.com
wrote:

 I have finished setting everything up on a test system using a
 different flavor of Linux and a more current version of everything
 than my production system. Let's call them prod.example.com and
 test.example.com. Without interrupting mail service on prod, which is
 half of what that system does so I really can't take it down and wait
 for DNS changeovers back and forth, what can be done on test to make
 it look like and work like prod? For instance, when I start Postfix on
 test, it's trying to deliver messages to prod and is unable to. I
 could extract stuff from maillog which might be of some help to figure
 out what's going on, but before I do that, is it even possible to do
 what I'm wanting to do--spoof my current Dovecot+Postfix setup to
 think it's on prod when it really isn't? By the way, it's OK for
 messages from test to get into prod, people on the mailing lists on
 prod know this could and probably will happen.



So... I guess prod has the mailboxes, and you want to test
test.example.com as a prospective replacement for prod.  If that's the case,
you will want to enable all the corresponding local delivery on test, and
it could even start thinking it is prod (even though it will still only
respond to its own address for test).  After doing this, you can configure
an account on your mail client to connect to test, and do most of the tests
there.

This scenario is pretty common when you are configuring a new system, so
it is indeed possible, and there are several ways of doing it, depending on
the details of what you want to do.  You could even set up a test subdomain
in order to do a complete test, including external mail sending, before
promoting to production.

Now, the switchover planning (or promoting test to prod) is another
story, and can be done by several different means, one of those being
using (or creating and then using) a private network and redirecting
traffic on prod to the test system, and then doing the DNS change, effectively
making all traffic that would originally go to prod go to test (which would
now be called prod, but I need a way to distinguish them)... Doing this
would either expose you to some spam going through or require some heavy
use of advanced routing, so, before doing this it is recommended to have the
DNS TTL set to something like 60 seconds or so.  After 2 minutes have
passed, all new connections should be going to your new prod, and you
should be able to stop prod.

Oh, but there is more: what about mailboxes (likely maildirs)? That's yet
another point that requires planning, and will depend on your mailbox
format, so I won't start on that right now.

Well, I hope this is useful, and if you want more help, please elaborate a
bit more on what you want to do.

Sincerely,

-- 
Ildefonso Camargo
Command Prompt, Inc. - http://www.commandprompt.com/
PostgreSQL Support, Training, Professional Services and Development
High Availability, Oracle Conversion, Postgres-XC
@cmdpromptinc - 509-416-6579


Re: High Availability

2014-04-08 Thread Jose Ildefonso Camargo Tolosa
On Sun, Apr 6, 2014 at 2:05 PM, Ramesh itsrames...@yahoo.co.in wrote:


 Hi All,


Hi!


 Presently we have primary MX and backup MX servers, when primary goes down
 mails will be queued in secondary MX, once primary restored all messages
 pushed from backup MX to primary MX, messages are not lost. I would like to
 know any solution sending and receiving messages from backup MX when
 primary MX is down?

 Appreciate suggestion, recently due to major internet service down, we are
 not able to check mails or send mails.


As Wietse already said, you can just have a replicated message store, as
long as you accept that the outgoing mail queue (most sites have some messages
lying there, waiting to retry) and *maybe* one or two messages in the
intermediate queues (highly unlikely) will be unavailable until you
restore the primary, and could potentially be lost if the primary dies.

Otherwise you would need to replicate the queue directories, likely using DRBD.
 Yes, you can use DRBD over long-distance links, but you will have
increased latency and reduced write performance (search for DRBD Proxy for
an explanation).  I have implemented DRBD using softlayer's private
network, but only for systems where the read/write ratio is high.

Ildefonso.


Re: Puzzled with smtp_bind_address

2014-01-20 Thread Jose Ildefonso Camargo Tolosa
On Mon, Jan 20, 2014 at 7:25 AM, fr...@3dn.nl wrote:

 On 20.01.2014 12:42, li...@rhsoft.net wrote:

 On 20.01.2014 12:25, fr...@3dn.nl wrote:

 I'm trying to have postfix use smtp_bind_address with the address set to
 multiple IP-aliasses (eg. eth1:0, eth1:1
 etc.). As the default gateway is on eth0 and IP packets get routed based
 on their destination, it still seems that
 despite the smtp_bind_address setting, packets get directed out of eth0.

 What's the proper solution to this?


 please *always* post your configuration and logfiles to
 show your problem instead of an abstract description

 did you read http://www.postfix.org/postconf.5.html#smtp_bind_address?

 - you define *one* IP address there
 - you define an IP address there and *not* an interface name
 - eth1:0 is *not* an interface, the interface is eth1

 the intention of smtp_bind_address is, on machines with more than one
 IP address, to define the one used for outgoing connections to match
 hostname/PTR/SPF


 Yes I read that page and understand it. Sorry I wasn't more clear, I
 should have said 'e.g. the IP addresses configured on eth1:0, eth1:1'. I know
 an IP address is not an interface.

 I can't simply attach the literal config file, my employer might not
 appreciate me disclosing such information, but let me show you what I've
 done.

 - First: in main.cf I added 'sender_dependent_default_transport_maps =
 hash:/etc/postfix/sender_transport'
 - Second: I create /etc/postfix/sender_transport with lines looking like:
 '@3dn.nl smtp3dn:'
 - Third: I ran postmap on the sender_transport file
 - Fourth: I added a line 'smtp3dn   unix  n   -   n   -  -
   smtpd -v -o smtp_bind_address=172.24.25.19' to master.cf

 172.24.25.19 is configured to be on eth1:0.

 The default gateway goes out over eth0. Based on the destination
 IP-address of the remote MTA, the kernel decides that it's not in a local
 network so it sends it out over eth0 as that's where the default gateway is.

 eth0 and eth1 are in different VLAN's, I must send SMTP out over eth1[:*]
 as the source addresses are NAT'ed on their way out and the NAT device is
 in eth1's VLAN but not eth0's.


Ok, so, I assume you have only one default gateway, through eth0.  In that
case, of course the kernel will use that interface.  I also assume you are
working on a relatively new Linux system.

In order to use more than one default gateway, you have to add rules to
help the kernel decide when to use each of them.

The idea is to add something like this (this is an excerpt from a test
Debian system, /etc/network/interfaces):

up ip route add 10.2.20.0/24 dev wlan0 table 200
up ip route add 10.27.27.0/24 dev eth0 table 200
up ip route add 10.27.20.0/24 dev eth2 table 200
up ip route add 10.20.20.0/24 via 10.17.10.15 dev eth2 table 200
up ip route add 10.27.21.0/24 via 10.17.10.15 dev eth2 table 200
up ip route add 10.20.27.0/24 via 10.17.7.128 dev eth0 table 200
up ip route add default via 10.27.28.7 dev tap0 table 200

These commands (remove the up if you need to run them directly in a terminal
session) will create a new routing table, with number 200, like this one
(obtained by running

default via 10.27.28.7 dev tap0
10.21.20.0/24 dev wlan0  scope link
10.20.20.0/24 via 10.17.10.15 dev eth2
10.27.27.0/24 dev eth0  scope link
10.27.20.0/24 dev eth2  scope link
10.27.21.0/24 via 10.17.10.15 dev eth2
10.20.27.0/24 via 10.17.7.128 dev eth0

Then you need to tell the kernel which packets to route through that
routing table; you just add a rule:

up ip rule add from 10.20.27.51/32 table 200

Still in the same configuration file.  This tells the kernel that if
a packet is coming from IP 10.20.27.51, use table 200 (instead of the default
one) to find out where to send it.

Please, feel free to ask if you have any doubts.

Ildefonso.
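The same policy-routing idea applied to the original poster's case (Postfix binding to 172.24.25.19 on eth1), as an added example script; it is my code, not from the thread or from Postfix. The eth1 subnet 172.24.25.0/24 and its gateway 172.24.25.1 are placeholders I assumed, not values from the thread. The real commands need root, so DRY_RUN=1 prints them instead. One thing to check in the poster's master.cf entry: smtp_bind_address is a parameter of the Postfix SMTP client, so the transport must run the smtp program (as in the stock master.cf), not smtpd.

```shell
#!/bin/sh
# Added example (not from the thread): make packets sourced from the address
# Postfix binds to (smtp_bind_address) leave through eth1 instead of the
# default gateway on eth0, using a second routing table plus an "ip rule".
# Assumed placeholders: eth1 is on 172.24.25.0/24 with gateway 172.24.25.1.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_source_routing SRC TABLE IFACE SUBNET GATEWAY
# Creates routing table TABLE with the interface's own subnet and a default
# route via GATEWAY, then tells the kernel to consult that table for any
# packet whose source address is SRC. Replies to inbound connections on SRC
# take the same path, which avoids asymmetric routing around the NAT device
# that sits in eth1's VLAN.
setup_source_routing() {
    src=$1 table=$2 iface=$3 subnet=$4 gw=$5
    run ip route add "$subnet" dev "$iface" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$src/32" table "$table"
}

# teardown_source_routing SRC TABLE: undo the above. Rules and extra tables
# are not persistent; to survive a reboot put them in "up" lines of
# /etc/network/interfaces as in the reply above.
teardown_source_routing() {
    src=$1 table=$2
    run ip rule del from "$src/32" table "$table"
    run ip route flush table "$table"
}

# check_route SRC DST IFACE: ask the kernel which device it would use for a
# packet from SRC to DST and succeed only if it is IFACE. "ip route get"
# does not need root, so this is a safe verification step after setup.
check_route() {
    src=$1 dst=$2 want=$3
    ip route get "$dst" from "$src" 2>/dev/null | grep -q " dev $want "
}

case "${1:-}" in
    setup)    setup_source_routing 172.24.25.19 200 eth1 172.24.25.0/24 172.24.25.1 ;;
    teardown) teardown_source_routing 172.24.25.19 200 ;;
    check)    if check_route 172.24.25.19 "${2:-192.0.2.1}" eth1; then
                  echo "ok: traffic from 172.24.25.19 leaves via eth1"
              else
                  echo "NOT via eth1: check table 200 and the ip rule"
              fi ;;
    *)        echo "usage: $0 setup|teardown|check [dst]   (DRY_RUN=1 prints commands)" ;;
esac
```

Run "DRY_RUN=1 sh script.sh setup" first to review the three commands, then as root without DRY_RUN, and finally "sh script.sh check" with a remote MTA's address to confirm the kernel now picks eth1 for traffic sourced from the bound address.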


Re: high-availability configurations?

2012-03-14 Thread Jose Ildefonso Camargo Tolosa
On Wed, Mar 14, 2012 at 10:49 AM, Miles Fidelman
mfidel...@meetinghouse.net wrote:
 Hi Folks,

Hi.


 I'm currently running a pretty basic high-availability configuration for our
 mail server (postfix) - it simply runs in a Xen virtual machine, with
 mirrored disks across two machines (DRBD), and failover of the VM if
 something goes wrong (pacemaker).

 I'm thinking about migrating the failover host to a 2nd datacenter - which
 makes disk mirroring and VM migration a bit trickier, and I really don't
 like how brittle all that infrastructure is, so I'm starting to think about
 application layer redundancy - two mailservers, at remote locations,
 multiple DNS records, and doing something to replicate ques, configurations,
 and local delivery.  The goal is the same:  keep processing mail if a
 machine goes down, and don't lose any data to machine or disk crashes.

 Which leads to a question:  Are any of you running such a configuration?  If
 so, can you describe what you're doing?  And.. are there any good

Well, first question here: how much traffic are you going to handle?

And now, my experience (please, postfix-list purists, stop reading
now; this is more related to DRBD than to postfix):

I have an HA cluster with two nodes in two locations, on softlayer, because
softlayer provides unlimited inter-server connectivity (please,
if someone knows another hosting company that does this -unlimited
communication between servers in different DCs-, let me know:
softlayer is quite expensive); I'm just using the private network
(which usually runs at 200~500Mbps) to replicate the DRBD volume.  I had
several issues, but I suggest you try, and then post on the
corresponding lists (DRBD, pacemaker, corosync, heartbeat, ...).  I
have VM-level failover here, but it is pretty much the same to set up
service-level failover.

About multiple DNS records, etc... I just used low TTL DNS, and a
dynamic DNS setup, so that the VM updates the DNS record on failover.

On a side note: I personally believe that service-level HA
configuration is better than VM-level.

 references, presentations, etc. that anybody knows about re. building
 high-availability, scalable, distributed mail processing infrastructure?

You can use postfix's mail routing capabilities to have distributed
mail processing, i.e. have some users on one server, and others on the
other server... it is neat.

Sincerely,

Ildefonso Camargo


Re: Unexpected Mail (Spam) Delivery

2012-03-02 Thread Jose Ildefonso Camargo Tolosa
Hi!

Just for your information: not all hosts have correctly set rDNS.

I suggest you try setting up an actual spam filter (like ASSP,
SpamAssassin or another); spam gets harder to fight every day.

Ildefonso.

On Fri, Mar 2, 2012 at 3:16 PM, Gary Chambers gwch...@gwcmail.com wrote:
 All,

 I had a piece of spam slip through this morning and I'm hoping it's
 beneficial
 that I post this information.  Specifically, I'm wondering why the mail was
 delivered from a host without rDNS.  The relevant portion of the log is as
 follows:

 Mar  2 10:28:52 lollipop postfix/smtpd[3621]: warning: 88.151.91.185:
 hostname ab88-151-91-185.mxc.ru verification failed: Name or service not
 known
 Mar  2 10:28:52 lollipop postfix/smtpd[3621]: connect from
 unknown[88.151.91.185]
 Mar  2 10:28:53 lollipop postfix/smtpd[3621]: 1D6ED24B7:
 client=unknown[88.151.91.185]
 Mar  2 10:28:53 lollipop postfix/cleanup[3632]: 1D6ED24B7:
 message-id=96-4023-MN1.NQAg18AW362W+9895+69N73B7/0...@ab88-151-91-185.mxc.ru
 Mar  2 10:28:53 lollipop postfix/qmgr[5554]: 1D6ED24B7:
 from=d...@ahme.net, size=940, nrcpt=1 (queue active)
 Mar  2 10:28:53 lollipop dovecot: deliver(m...@example.com): sieve:
 msgid=96-4023-MN1.NQAg18AW362W+9895+69N73B7/0...@ab88-151-91-185.mxc.ru:
 stored mail into mailbox 'INBOX'
 Mar  2 10:28:53 lollipop postfix/pipe[3635]: 1D6ED24B7: to=m...@example.com,
 relay=dovecot, delay=1.3, delays=1.2/0.01/0/0.08, dsn=2.0.0, status=sent
 (delivered via dovecot service)
 Mar  2 10:28:53 lollipop postfix/qmgr[5554]: 1D6ED24B7: removed
 Mar  2 10:28:53 lollipop postfix/smtpd[3621]: lost connection after RSET
 from unknown[88.151.91.185]
 Mar  2 10:28:53 lollipop postfix/smtpd[3621]: disconnect from
 unknown[88.151.91.185]

 postconf -n output is as follows:

 alias_database = hash:/etc/postfix/aliases
 alias_maps = hash:/etc/postfix/aliases
 append_dot_mydomain = no
 biff = no
 broken_sasl_auth_clients = yes
 config_directory = /etc/postfix
 disable_vrfy_command = yes
 home_mailbox = Maildir/
 inet_interfaces = $myhostname, localhost
 mailbox_command = /usr/lib/dovecot/deliver
 mailbox_size_limit = 0
 message_size_limit = 33554432
 mydestination = $myhostname,    $mydomain,    lollipop.$mydomain,
  localhost.$mydomain,    localhost,    mail.$mydomain,    smtp.$mydomain
 myhostname = mx1.example.com
 mynetworks = 127.0.0.0/8 192.168.1.0/24
 myorigin = /etc/mailname
 readme_directory = no
 recipient_bcc_maps = hash:/etc/postfix/recipient-bccs
 relay_domains = lists.example.com
 relay_recipient_maps = hash:/etc/postfix/mailman_listnames
 relayhost =
 smtp_bind_address = 192.168.1.7
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_banner = $myhostname ESMTP $mail_name
 smtpd_client_restrictions = permit_mynetworks,    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/client-access,
  reject_unknown_reverse_client_hostname,    reject_rbl_client
 zen.spamhaus.org,    reject_rhsbl_client dbl.spamhaus.org
 smtpd_data_restrictions = reject_unauth_pipelining
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks,    permit_sasl_authenticated,
  reject_non_fqdn_helo_hostname,    reject_invalid_helo_hostname,
  reject_rhsbl_helo dbl.spamhaus.org
 smtpd_recipient_restrictions = reject_unknown_recipient_domain,
  permit_mynetworks,    permit_sasl_authenticated,
  reject_unauth_destination
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = $myhostname
 smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot
 smtpd_sender_restrictions = permit_mynetworks,
  reject_unknown_sender_domain,    permit_sasl_authenticated,
  reject_rhsbl_sender dbl.spamhaus.org
 smtpd_timeout = 30s
 smtpd_tls_CAfile = /etc/ssl/certs/Example_Root_CA.pem
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/ssl/certs/postfix-server-wildcarded.crt
 smtpd_tls_key_file = /etc/ssl/private/postfix-server-wildcarded.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_use_tls = yes
 tls_random_source = dev:/dev/urandom
 transport_maps = hash:/etc/postfix/transport
 unknown_local_recipient_reject_code = 550
 virtual_alias_maps = pgsql:/etc/postfix/virtual-aliases-pg.cf
 virtual_gid_maps = static:60008
 virtual_mailbox_base = /vhome
 virtual_mailbox_domains = pgsql:/etc/postfix/virtual-mailbox-domains-pg.cf
 virtual_mailbox_maps = pgsql:/etc/postfix/virtual-mailboxes-pg.cf
 virtual_transport = dovecot
 virtual_uid_maps = static:60008

 Thank you for your time.

 --
 Gary Chambers
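The reply above points at the cause without naming it, so here is an added shell example (my code, not from the thread or from Postfix) that reads smtpd log lines like the ones in the post and tells the two rDNS failure modes apart. Postfix logs "hostname X verification failed" when the client IP does have a PTR record but the name does not resolve back to the IP; reject_unknown_reverse_client_hostname does not cover that case, because it only rejects clients with no PTR at all, while reject_unknown_client_hostname rejects both. The 88.151.91.185 lines are taken from the post; the two 192.0.2.x clients in the sample log are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): classify the SMTP
# clients seen in a Postfix log by what smtpd could learn about their
# reverse DNS, and name the smtpd restriction that would have acted on
# each class. reject_unknown_reverse_client_hostname fires only when the
# IP has no PTR at all; reject_unknown_client_hostname also fires when the
# PTR exists but does not forward-confirm (the case in the post above).

# Constructed sample log. The 88.151.91.185 lines are from the post;
# 192.0.2.10 is a constructed client with no PTR and 192.0.2.20 a
# constructed forward-confirmed client (192.0.2.0/24 is a documentation
# range). Written to a temp file so grep can scan it like a real maillog.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Mar  2 10:28:52 lollipop postfix/smtpd[3621]: warning: 88.151.91.185: hostname ab88-151-91-185.mxc.ru verification failed: Name or service not known
Mar  2 10:28:52 lollipop postfix/smtpd[3621]: connect from unknown[88.151.91.185]
Mar  2 10:28:53 lollipop postfix/smtpd[3621]: disconnect from unknown[88.151.91.185]
Mar  2 11:02:10 lollipop postfix/smtpd[3700]: connect from unknown[192.0.2.10]
Mar  2 11:02:11 lollipop postfix/smtpd[3700]: disconnect from unknown[192.0.2.10]
Mar  2 11:05:00 lollipop postfix/smtpd[3701]: connect from mail.example.net[192.0.2.20]
Mar  2 11:05:01 lollipop postfix/smtpd[3701]: disconnect from mail.example.net[192.0.2.20]
EOF

# rdns_class LOGFILE IP -> ptr-unconfirmed | no-ptr | confirmed | not-seen
rdns_class() {
    log=$1
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots for grep
    # Two Postfix warnings mean "PTR exists but does not point back":
    # "IP: hostname X verification failed" and "hostname X does not resolve
    # to address IP".
    if grep -q "warning: $ip_re: hostname .* verification failed" "$log" \
       || grep -q "warning: hostname .* does not resolve to address $ip_re$" "$log"; then
        echo ptr-unconfirmed
    elif grep -q "connect from unknown\[$ip_re]" "$log"; then
        echo no-ptr            # smtpd shows "unknown" and logged no warning
    elif grep -q "connect from [^ ]*\[$ip_re]" "$log"; then
        echo confirmed         # smtpd logged a real hostname for the IP
    else
        echo not-seen
    fi
}

# restriction_for CLASS -> the smtpd_client_restrictions entry that catches it
restriction_for() {
    case $1 in
        no-ptr)          echo "reject_unknown_reverse_client_hostname (and reject_unknown_client_hostname)" ;;
        ptr-unconfirmed) echo "reject_unknown_client_hostname only" ;;
        confirmed)       echo "neither (forward-confirmed rDNS)" ;;
        *)               echo "n/a" ;;
    esac
}

# report LOGFILE: one line per distinct client IP seen in "connect from".
report() {
    log=$1
    sed -n 's/.*postfix\/smtpd\[[0-9]*\]: connect from [^[]*\[\([^]]*\)\].*/\1/p' "$log" | sort -u |
    while read -r ip; do
        c=$(rdns_class "$log" "$ip")
        printf '%-15s %-16s %s\n' "$ip" "$c" "$(restriction_for "$c")"
    done
}

report "$LOG"
```

Pointing LOG at a real maillog (or feeding "connect from" lines from several days) gives a quick count of how much of the "unknown" client traffic the current reject_unknown_reverse_client_hostname setting can never see, which is the number to look at before deciding whether the stricter reject_unknown_client_hostname is acceptable for a given site.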


Re: Implement SMTP Auth in a non-disruptive way?

2012-02-08 Thread Jose Ildefonso Camargo Tolosa
Greetings,

Reindl, search through the Postfix docs for these:

+ permit_sasl_authenticated
+ permit_mynetworks  (play with the mynetworks definition so that
initially you allow all mail from your local network, and when *all*
of your users have moved to the new authenticated scheme, you just remove
the local network from there)

This one is not so important, but I have found it really useful in my
environment:

+ reject_authenticated_sender_login_mismatch  (this is an interesting
one, which you can later replace with reject_sender_login_mismatch ...
now I use LDAP with all of this).

I am a little in a hurry now, but if you read the docs you may get the idea.

I hope this helps,

Ildefonso Camargo.


Re: Transport: Multiple routes to internal domain

2012-02-07 Thread Jose Ildefonso Camargo Tolosa
On Tue, Feb 7, 2012 at 9:03 AM, Wietse Venema wie...@porcupine.org wrote:
 Greg Wilson:
 One attempt
 was to make 2 entries with the same host name in /etc/hosts

 e.g
 10.222.100.1 exchange.mydomain.local exchange
 10.333.200.2
 exchange.mydomain.local exchange

 Then changed the transport map
 to

 mydomain.local smtp:[exchange.mydomain.local]

 My
 info is that the square brackets stop Postifix doing mx record lookups.


 This didn't work and I don't know why. It works fine with an

 That's because LINUX does not support multiple /etc/hosts records
 per name.

 Use a better OS, use DNS, or use my smtp_fallback_relay solution.

        Wietse

Eh, Linux *does* support that, from man host.conf  (/etc/host.conf):

   multi  Valid values are on and off.  If set to on, the resolv+
library will return all valid addresses for a host that  appears  in
the  /etc/hosts  file, instead of only the first.  This is off by
default, as it may cause a substantial performance loss at sites with
large hosts files.


Re: Transport: Multiple routes to internal domain

2012-02-06 Thread Jose Ildefonso Camargo Tolosa
Hi!

I would answer you with another question:

In the event of a server failure, how are users directed to the other server?

I mean, there are several ways of doing that, and knowing your current
one would be helpful.

Sincerely,

Ildefonso Camargo.

On Mon, Feb 6, 2012 at 6:57 PM, Greg Wilson gr...@actionforms.com.au wrote:
 I'm using Postfix\Amavis\Spamassassin\Clamav to scan incoming emails for
 virus and spam and forward to our internal MS Exchange email system.
 Postfix shares the Internet domain with MS Exchange,  each
 forwarding messages to unknown  accounts to the other system.

 MS Exchange uses clustering to duplicate its mailbox databases to
 2 different servers. How do I setup Postfix to automatically forward
 messages to one of the MS Exchange servers if the other one  goes
 offline?

 I currently use an IP number in square brackets in
 Postfix's transport map to route to one of the MS exchange servers.

 Thanks,

 Greg.


Re: Disable sending mails via telnet

2012-01-10 Thread Jose Ildefonso Camargo Tolosa
2012/1/10 Leslie León Sinclair les...@electrica.cujae.edu.cu:
 Can anyone point me in the right direction, I'm stuck here and Google
 is not helping...

Define telnet here: do you mean a direct connection to port 25, or an
*actual* telnet session (port 23)?

Ildefonso.



 Best regards.


 Take part in Universidad 2012, February 13 to 17, 2012.
 Havana, Cuba: http://www.congresouniversidad.cu
 Consult the Cuban collaborative encyclopedia. http://www.ecured.cu


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Jose Ildefonso Camargo Tolosa
Greetings,

On Thu, Nov 17, 2011 at 10:30 AM, Mark Goodge m...@good-stuff.co.uk wrote:
 On 17/11/2011 14:39, Dennis Clarke wrote:



 Today I had an unhappy unix student try to submit an assignment ..

 tell your students to use the email address provided by the school on the
 school domain. Also, as a policy, I blacklist all yahoo, gmail, hotmail
 junk and life is much better at the office.

Not all schools provide email addresses to their students, and some
students will just decide not to use them... why? Well, because,
after all, these are temporary addresses, for as long as you are at the
school; you can't keep them for the rest of your life, and thus some
students decide not to use them.


 If someone does not have a valid email address at a reasonable domain then
 we don't want to hear from them anyways.

 Yes, but you're not selling anything or providing any kind of public
 service. So it doesn't matter if people can't email you. Those of us who
 work for commercial organisations or government bodies don't have that
 choice.

Same here; that's exactly why I don't use a hard block policy. I use
scoring (with ASSP) and even use Bayes filters (yeah, those that
require training and stuff); thanks to this combination I get rid
of ~95% of the spam, while keeping over 99% of good mail (I almost
never lose a legit mail because of the mail filter).

yahoo, hotmail, gmail are domains used by all kinds of people (I have
even seen customers that just use companyn...@gmail.com as their
corporate mail!!), so just blocking them because a few send spam is
nonsense; you need to check message content, and that's why I use
Bayes as part of the scoring.

Now, the spam fight gets harder every day, because spammers look
more and more like legitimate senders... as a matter of fact,
sometimes what I consider spam is not considered spam by another person,
so... this is actually a complex topic.

Ildefonso.


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Jose Ildefonso Camargo Tolosa
Posting to list, sorry!

On Thu, Nov 17, 2011 at 11:00 AM, Reindl Harald h.rei...@thelounge.net wrote:


 On 17.11.2011 16:20, Tõnu Samuel wrote:
 On Thu, 2011-11-17 at 15:39 +0100, Reindl Harald wrote:
 Spammers ARE blacklisted, even they are called yahoo. Just have good
 ISP with good reputation. My servers have never been blacklisted because
 I just keep spammers away from them in early stage.

 this is a lets say polite: not real smart argumentation

 if you are blocking major-providers like yahoo, google you can go ahead
 and turn your mailserver off and close your company because NO CLIENT will
 accept this with no argument and to say it clear: if someone thinks it is
 cool to block major-isp's for whatever reason maybe he is doing the wrong 
 job

 I report about 500 mails daily to spamcop and this takes important part
 of my time. Sorry for being unpolite towards spammers but I believe that
 noone should be whitelisted because they are big and fat. They consume
 resources of ours. They are parasites.

 if you really report 500 mails each day you should give over your
 job to someone with more qualifications because we are hosting some
 thousand mail-addresses and i could never report 500 spam-mails per
 day because they are not received without blocking major providers

 http://www.barracudanetworks.com/

 a) intention-filtering, hourly updated rules
 b) blacklist
 c) block by PTR to get rid of 99% of all spambots

Neat, but expensive, and in my experience with Barracuda it has a high
false-positive rate (i.e., it tends to block legit mail); that's one of
the reasons I tolerate ASSP (it has some quirks, but it rocks as a
spam filter).


Re: spamcop abusing mail systems worldwide

2011-11-17 Thread Jose Ildefonso Camargo Tolosa
Ok, I agree with /dev/rob0 , this has gone way off topic for this list.

All of us are free to handle spam as we decide to; if Dennis
wants to block @yahoo.* @gmail.com @hotmail.com, that's his decision.
In my case, the amount of spam I receive from these domains is
minimal (and is caught by Bayesian and/or IPBL and/or HELO filtering),
and thus I have never considered blocking them; also, I have
customers whose addresses are on these domains, but that's me; his
history can be very different from mine, maybe he gets hundreds or
thousands of spams from these domains a day!

Dennis, yes, *some* schools provide internal emails, others don't...
sometimes because they can't afford to give the service, or because
they just don't want to! Either way, the reality is that you can't
force the world into doing what you want.  The university where I
studied decided to move their mail from an internal server to
gmail!!! I, of course, let them know that I considered it a bad idea,
but they still decided to do it.

I have seen sites blocking whole countries, because they don't care
about receiving mail from those countries (and they started to get
spam from there)... I'm open to the global market, and blocking mail from
any country would not make sense for me, but for other people it is a
part of their spam solution.

Other people want to spend a lot of money on commercial spam
solutions: they are free to do it! I mean, it is not my money they
are spending, it is theirs! As long as it works, good for them! (There
are also people paying others to maintain their open source-based
anti-spam system, and that's also good.)

So, people, let's just agree on something: let's respect what everyone
does, and let's not label anyone for what they decide to do; we can
give our opinion in a respectful way, and let the other person think
about it; then he/she can decide to keep doing what he/she does, or
maybe change the way of doing things, but let's respect each other.
I think that's important.

Sincerely,

Ildefonso Camargo



On Thu, Nov 17, 2011 at 4:18 PM, Dennis Clarke dcla...@blastwave.org wrote:

 On 17/11/2011 14:39, Dennis Clarke wrote:



 Today I had an unhappy unix student try to submit an assignment ..

 tell your students to use the email address provided by the school on
 the
 school domain. Also, as a policy, I blacklist all yahoo, gmail, hotmail
 junk and life is much better at the office.

 If someone does not have a valid email address at a reasonable domain
 then
 we don't want to hear from them anyways.

 Yes, but you're not selling anything or providing any kind of public
 service.

 Doing both, quite well and quite a while now. Regardless, I would think
 that the school would provide email service, web based interface of some
 sort or similar, which would any issues of the delivery of a paper.

 As for yahoo, hotmail and other cesspools, I block them, and life and
 revenue goes on just fine.

 dc



 --
 --
 http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x1D936C72FA35B44B
 +-+---+
 | Dennis Clarke           | Solaris and Linux and Open Source |
 | dcla...@blastwave.org   | Respect for open standards.       |
 +-+---+




Re: reverse the polarity of the neutron flow

2010-10-12 Thread Jose Ildefonso Camargo Tolosa
Hi!

People, I just don't get it, what is the point of comments such as:

  What did I forget?

 In my opinion ? A brain.

and

  What did I forget?

 * rm -rf / (Read mail, really fast)
 * A name
 * http://www.postfix.org/DEBUG_README.html#mail


Jeroen and Bastian, I think that was too rude; even if the way of
asking a question is not correct, we are here to help.  At least
Bastian gave one URL that he can read (after giving one of many ways
of rendering your *NIX system useless), but, come on! Don't make fun
of people who still lack knowledge; we all had to learn at some
point.

Sincerely,

Ildefonso Camargo


Re: Rewriting Date header for local senders, or something like that.

2010-08-24 Thread Jose Ildefonso Camargo Tolosa
Hi!

Thanks for your answer!

On Tue, Aug 24, 2010 at 7:31 PM, mouss mo...@ml.netoyen.net wrote:
  On 23/08/2010 04:47, Jose Ildefonso Camargo Tolosa wrote:

 Hi!

 I have a curiosity: I have noted that the Date header the mail takes
 comes from the client computer, so, if my computer has a wrong date,
 my mail will go out with a wrong date too.

 there is nothing curious about that. the Date header is specified by
 whomever writes the message. If I compose a message on 1st August and send
 it on 12 September, the date is 1st Aug.

 let me restate it: many headers, including the Date, Subject, From, ... are
 written by the message author. the mailman has no business opening the
 envelope and changing whatever lines there are in. the fact that many people
 take headers for what they are is a problem, but the solution is not: let's
 rewrite the message...

The curiosity is whether it is possible to selectively rewrite the header,
not the fact that the header is written by the client; I already knew that.
The issue came up when discussing with a Windows administrator (who loves
Exchange), and she told me that in Exchange you were able to make the
system put the Date header on mail coming from local clients (Outlook
clients), using the server's time instead of the client's time, and
thus I started to investigate how to do it with Postfix, but failed,
and thus came here to ask!


 I know the server will put its own timestamp when it processes the
 message, but the destination mail client will use the Date header to
 order messages, and thus, if someone's computer has a date of now-3
 days, there is a risk that the mail he/she sends is overlooked by the
 receiver.

 these people must learn to move their incoming mail to folders, or they need
 to reparse their whole inbox.
 that said, I classify my (incoming) mail by order of reception, not by
 date...

Yeah, but most people just click the date column header in the mail
client, and believe that they will have the most recent mails first (and
try explaining to a secretary that she has to classify her email).


 I also know that there should be a policy to keep all of the company's
 PCs clock synchronized to a central server: but that's not the case,
 and there are a few PCs with failing BIOS batteries (which shouldn't
 happen).

 and there's also this thing: I can compose a message and send it later. I
 want to specify the date. I don't want the receiving system change it.

Nope, not the receiving system, the sending system (ie, your company's
mail server).


 I have to ask: is there a way of making Postfix rewrite the Date header to
 the server's time for authenticated mail (or at least for a range of IPs)?
 Of course, a general header rewrite would not be good, because that
 would overwrite the header for mail coming from the Internet (that would
 be really bad).

 the first recommendation is: forget about that. if you really insist, then

I won't do it; I just wanted to know if that was possible, in order to
tell my coworker: yes, I could do that with Postfix too, it's just that I
don't think it is such a good idea.

 you can use header_checks
 /^Date:(.*)/    Replace X-Date $1
 Use this for a cleanup service that is dedicated to outbound mail (this means
 you need to separate inbound and outbound mail).

Yeah, it would be a really bad idea to put this on the inbound mail
(like I said to my coworker who insisted on doing this).


  I took a quick look at the docs, and found nothing on
 this matter, nevertheless, if someone can point me to a doc where this
 is explained, that will be enough for me.

 What do you think on this?


 It's a bad idea. but postfix is flexible enough...

Just what I thought, Postfix is *really* flexible, you can do almost
anything with it.

Thanks!

Ildefonso.


Re: Rewriting Date header for local senders, or something like that.

2010-08-23 Thread Jose Ildefonso Camargo Tolosa
Hi!

Thanks for your answer!

On Mon, Aug 23, 2010 at 3:34 AM, Ansgar Wiechers li...@planetcobalt.net wrote:
 On 2010-08-22 Jose Ildefonso Camargo Tolosa wrote:
 I have a curiosity: I have noted that the Date header the mail takes
 comes from the client computer, so, if my computer has a wrong date,
 my mail will go out with a wrong date too.

 I know the server will put its own timestamp when it processes the
 message, but the destination mail client will use the Date header to
 order messages, and thus, if someone's computer has a date of now-3
 days, there is a risk that the mail he/she sends is overlooked by the
 receiver.

 I also know that there should be a policy to keep all of the company's
 PCs clock synchronized to a central server: but that's not the case,
 and there are a few PCs with failing BIOS batteries (which shouldn't
 happen).

 NTP should take care of both issues.

Yes, but this is not an option when you don't have control over all
the PCs.  I know it is the correct thing to do: just have all the
computers synchronize their clocks (I already said so, I just omitted
the technology; as a matter of fact, there is an NTP server, and I use
it for all the servers).


 I have to ask: is there a way of making Postfix rewrite the Date header to
 the server's time for authenticated mail (or at least for a range of IPs)?
 Of course, a general header rewrite would not be good, because that
 would overwrite the header for mail coming from the Internet (that would
 be really bad).  I took a quick look at the docs, and found nothing on
 this matter; nevertheless, if someone can point me to a doc where this
 is explained, that will be enough for me.

 What do you think on this?

 Fix the problem rather than the symptom.

Yes, I know, but it is not always an option.  As I said: you don't
always have control over people's computers (say, the case of an
ISP, where you have lots of clients, but you don't touch a client's
computer; it is not my case, but I can think of that as an example).

Still, I want to know if there is a way of selectively rewriting
headers; actually, MS Exchange does this: it has an option to use the
server's time for outgoing mail from local users (no: I will not use
Exchange).

Once again, thanks for taking the time to answer me!

Sincerely,

Ildefonso.


Re: Speed up queue injection

2010-08-23 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Mon, Aug 16, 2010 at 9:02 PM, Stan Hoeppner s...@hardwarefreak.com wrote:
 Stan Hoeppner put forth on 8/16/2010 6:56 PM:
 Wietse Venema put forth on 8/16/2010 2:36 PM:
 Stan Hoeppner:
 Google uses less than 1/10th of 1% Enterprise grade hardware, using the
 typical definition of Enterprise grade, in their operations.  And Google is
 the undisputed single largest operator of servers on the planet.  I think that
 qualifies them as an Enterprise. ;)

 Indeed, but then Google's scale of operations is not representative
 of most enterprises.  Large companies (I work for one) can self-insure
 for small accidents, small companies can't.

 Wietse, have you done any testing with SSDs?  If not, would you like to?  I'm
 sure various vendors would be glad to loan you some.  Get a mix of consumer
 and enterprise SSDs.  And make sure you get one of the Intel X25-E 80GB
 units. :)

 I should have made clear that they will do this for you, because you are,
 well, you.  ;)  I'm a nobody, so they won't loan me the hardware. :(  I need
 to see if I can get a gig doing reviews for hardware sites.  I kinda grew out
 of being a hardwarefreak a while back or I'd probably be doing reviews now. :(


Ok, just do it! Start your own technical blog, and do hardware
reviews! Then let us know, so we can go there and put nice comments!

You can start with whatever hardware you have, then show your blog to
your friends, and ask to review their hardware too; maybe at the college
where you study or studied you could have some contact with the
technical staff, and maybe you can get access to more hardware (after
showing your site, and explaining politely).  Also, don't you have a
friend with a computer store? There you may get access to hardware
for free (as long as you don't break it), and... more reviews!

The more difficult part is coming up with a nice domain name for the
techblog :( .

Ildefonso.


Re: Speed up queue injection

2010-08-23 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Mon, Aug 23, 2010 at 12:30 PM, Wietse Venema wie...@porcupine.org wrote:
 On Tue, Aug 17, 2010 at 01:41:20PM -0500, Stan Hoeppner wrote:
 Anyway, if you had the time and inclination and were able to get
 your hands on a few units, it would be great to see some basic
 queue performance data from you on SSD vs a disk based test rig
 you use.

 Victor Duchovni:
 All benchmarks are artificial, some are more artificial than others.
 It is rare on enterprise-grade kit to find MTAs that are disk I/O
 constrained. More typically, the CPU cost of filtering or downstream
 throughput are the limiting factors.

 I already mentioned off-list that I work for a company (IBM) which
 sells hardware, and that it would not be appropriate for me to post
 performance measurements.

As a matter of fact, I don't think you can even publish any review
without permission from your employer (even for IBM hardware).  Last
time I saw an IBM contract (around 5 years ago) it was basically a "We
own you!" kind of contract (they had ownership of anything one does, even
on one's own free time).

Now, on a side note: this thread is very interesting.  I have always
liked high-performance systems discussions.

Ildefonso.


Rewriting Date header for local senders, or something like that.

2010-08-22 Thread Jose Ildefonso Camargo Tolosa
Hi!

I got curious: I have noted that the Date header the mail takes
comes from the client computer, so, if my computer has a wrong date,
my mail will go out with a wrong date too.

I know the server will put its own timestamp when it processes the
message, but the destination mail client will use the Date header to
order messages, and thus, if someone's computer has a date of now-3
days, there is a risk that the mail he/she sends is overlooked by the
receiver.

I also know that there should be a policy to keep all of the company's
PCs clock synchronized to a central server: but that's not the case,
and there are a few PCs with failing BIOS batteries (which shouldn't
happen).

I have to ask: is there a way to make postfix rewrite the Date header to
the server's time for authenticated mail (or at least for a range of IPs)?
Of course, a general header rewrite would not be good, because that
would overwrite the header for mail coming from the Internet (that would
be really bad).  I took a quick look at the docs and found nothing on
this matter; nevertheless, if someone can point me to a doc where this
is explained, that will be enough for me.

What do you think about this?

Thanks in advance, sincerely,

Ildefonso.


Re: question about Postfix and DNS (maybe not for this list)

2010-08-11 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Wed, Aug 11, 2010 at 7:50 PM, Christopher Adams adam...@gmail.com wrote:
 Hello all,

 I am having a bit of a problem and I am not sure that it is specifically
 Postfix-related, but I'll give it a shot. Feel free to flog me or tell me to
 go away.

Ok: go away!

No, just kidding, read on.


 I am running Postfix 2.3 on a CentOS Linux server.

 I noticed on our firewall that there were constant connections from the
 machine running Postfix to addresses all over the world. The interesting
 thing is that the connection is using OpenDNS [208.67.216.132], a public DNS
 server. I do not use OpenDNS in my /etc/resolv.conf file (I have 2 other
 nameservers listed) and I don't know where it is coming from. Here is an
 example:

 Aug 11 16:01:25 swiki postfix/smtp[7832]: E38F8DB4CCB: to=ysamo9...@sx.cn,
 relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect
 to sx.cn[208.67.216.132]: Connection timed out)

Can you post the other lines of this log (same ID: E38F8DB4CCB), where
the *from* is, and see if the *from* is from your domain? If not,
maybe you are an open relay.

Also, take a look at your mail queue; run: mailq


 If this is the appropriate place to post this question, can someone who
 knows more than me analyze this and come up with a theory as to what is
 going on?

Yes, it is, at least judging by the log entry you sent; that's a postfix log.


 Thanks for any help you might want to provide.


No problem.

Ildefonso.


Re: restrict relay server to the Internet

2010-08-02 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Mon, Aug 2, 2010 at 10:57 AM, Jorge Andrea G Carminati
jcarmin...@pluspetrol.net wrote:
 Hi all! I've a postfix server with a network table of around 100 IP
 addresses (net/host); is there a way to explicitly permit relaying to
 the Internet from some of these IPs and not from others?
 Thanks in advance.

Yes, there is, but I would suggest that you use user authentication,
as it would be more secure.

As for exactly how to do it, take a good read of the docs (no time for
a complete answer right now).  Maybe someone else will give it, maybe
myself when I get a little more free time.

Ildefonso.




Re: [SP] Re: [SP] Re: How to force SMTP AUTH to restrict Sender Addresses?

2010-06-18 Thread Jose Ildefonso Camargo Tolosa
I *never* said it was easy. I only said it should be possible on most
platforms. Also, I never said it was even necessary.

Thanks for the tech discussion, I even feel my neurons getting out of
lethargy!  :)

On Jun 18, 2010 9:47 AM, Victor Duchovni 
victor.ducho...@morganstanley.com wrote:

On Fri, Jun 18, 2010 at 12:17:40AM -0430, Jose Ildefonso Camargo Tolosa
wrote:

  The plug-ins you...
Most platforms optionally compile-in LDAP support, and link against LDAP
libraries (static or dynamic). Don't confuse run-time dynamic linking
with dynamic loading of new modules.


 I mean, most platform actually support dynamic linking, so, just like it
 is done in Debian (and...
   - libtool is an abomination, I expect and very much hope that Postfix
 will not, any time soon, resort to using libtool.

   - The mechanisms for dynamic loading of modules are not standardized
 across various Unix-like systems. This feature requires a lot of
 abstraction code to implement portably across AIX, MacOSX,
 Linux, HP-UX, ...


 I have seen similar things on Solaris too (.sl, if memory
 serves me).
Don't confuse HP-UX with Solaris, Solaris has .so files, and a sensibly
clean dynamic loading API (emulated by Linux).


 So, I would say that: most platforms support this.
Please donate libtool-free code that works on most platforms supported
by Postfix and:

   - Loads a shared object, with minimal pollution of the global
 symbol table (i.e. symbols of loaded object and dependencies
 are not visible outside the object and its dependency tree).

   - Finds a specific small set of symbols within the loaded object
 and returns a table of pointers to these.

   - Builds shared relocatable objects and constructs shared libraries
 on the various platforms in question.

It is a good idea not to claim that something is easy until you've
done it yourself. The difference between a novice and an expert is
that experts know which problems are not as easy as they may seem.

 Off course,

http://safarisbackpack.spaces.live.com/blog/cns!36664C9801636C53!216.entry

--
   Viktor.


Re: [SP] Re: [SP] Re: How to force SMTP AUTH to restrict Sender Addresses…

2010-06-17 Thread Jose Ildefonso Camargo Tolosa
Greetings,

On Thu, Jun 17, 2010 at 10:00 AM, Andrew G. Grant
andrew.gr...@caddock.com wrote:
 Jose,

 Unfortunately, looking at another server OS doesn't help me to find the
 answer to this question. But thank you for the suggestion.

I know, but it would simplify your life.


 I am still trying to find out how Apple OS X Server 10.6.3
 (Darwin Kernel Version 10.3.0), running Postfix 2.5.5, Amavisd,
 ClamAV, SpamAssassin, Dovecot, and Squirrel Mail can have
 SASL access Open Directory's LDAP when Postfix isn't compiled
 on my system to use LDAP library types?

Postfix doesn't do SASL on its own; it depends on Dovecot or Cyrus.
Just read here:

http://www.postfix.org/SASL_README.html


 This all revolves around finding a way to use:
 reject_sender_login_mismatch on smtpd_sender_restrictions
 without having to keep a separate smtpd_sender_login_maps
 hash file updated.

If you want to be able to use postfix with ldap tables, you *must*
have the ldap support.  Of course, postfix supports a plug-in
architecture, so it is likely that you just need to add the ldap
part.  As for Mac: I don't know exactly how to do it, but in the worst
of cases it would involve recompiling postfix (or, maybe,
compiling the plug-in).  I don't know how to do it, because I use
Debian, and I just had to install the package postfix-ldap, and
everything was just fine after that.


 Currently, I believe SASL is using Open Directory to reference
 User Name and Password information for SASL to work, as I haven't
 duplicated this information anywhere.

 Since my Postfix is not compiled to use LDAP, how is SASL accessing
 Open Directory information?

By default this uses cyrus sasl, so you should check for it on your system.


 If SASL can access Open Directory, why can't Postfix access Open Directory
 to lookup smtpd_sender_login_maps?


I hope this helps,

Ildefonso Camargo


Re: [SP] Re: [SP] Re: How to force SMTP AUTH to restrict Sender Addresses?

2010-06-17 Thread Jose Ildefonso Camargo Tolosa
Greetings,

On Thu, Jun 17, 2010 at 11:15 PM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
 On Thu, Jun 17, 2010 at 11:01:16PM -0430, Jose Ildefonso Camargo Tolosa wrote:

 Of course, postfix supports a plug-in
 architecture, so it is likely that you just need to add the ldap
 part.  As for Mac: I don't know exactly how to do it, but in the worst
 of cases it would involve recompiling postfix (or, maybe,
 compiling the plug-in).  I don't know how to do it, because I use
 Debian, and I just had to install the package postfix-ldap, and
 everything was just fine after that.

 The plug-ins you speak of are a Debian-specific feature, they are not
 part of the official Postfix release and not available on most platforms.

So most platforms statically link ldap support with postfix?  I
mean, most platforms actually support dynamic linking, so, just like it
is done in Debian (and Ubuntu, and likely on other distros), where it
just adds the file dict_ldap.so, it should be possible to do
something similar on most architectures (DLLs on Windows, for
example).  I have seen similar things on Solaris too (.sl, if memory
serves me).  So, I would say that most platforms support this.  Of
course, there could be a problem if you don't have *the same* compiler
used to build the already installed version; it may be just easier to
recompile postfix (or find a package for your platform that includes
ldap support).

I have not needed to compile postfix myself (but that would not be a
problem anyway, I have been around unix systems for over 14 years
now), but to tell the truth: I'm thankful to have a distro that just
works; it saves me time when it comes to basic config, and leaves me
plenty of extra time to work on things that are more important.  I
mean, why build the wheel if it is already done, unless, of
course, I believe I can do it better, or I need a better wheel (but
that's not the case most of the time).

And I really believe that people should read the docs; he didn't even
know who provided SASL (cyrus by default, and I actually use
dovecot), which means that he didn't read the SASL readme on
postfix's site!  I mean, postfix has one of the best documentation
sets of any software I have ever used (I could only compare it to
PostgreSQL's), and people just don't use it!  Come on! I just can't understand.

Sincerely,

Ildefonso Camargo


Re: [SP] Re: [SP] Re: How to force SMTP AUTH to restrict Sender Addresses…

2010-06-16 Thread Jose Ildefonso Camargo Tolosa
Greetings,

What are you using for SASL authentication? In my case, I'm using
dovecot, which in turn uses pam, which in turn uses LDAP.  And then I
use:

smtpd_sender_login_maps = ldap:/etc/postfix/sender_login.cf

and

permit_sasl_authenticated on smtpd_recipient_restrictions

and

reject_sender_login_mismatch on smtpd_sender_restrictions.

For SASL:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth


Of course, my postfix *does* support ldap.  I'm using Debian Lenny.
If you are configuring a server, you should really try Debian or
Ubuntu Server; your life will be really simpler.

I hope this helps,

Ildefonso Camargo

On Wed, Jun 16, 2010 at 10:26 AM, Andrew G. Grant
andrew.gr...@caddock.com wrote:
 Charles,

 Just for clarification, and remember, I am very new at all of this.

 Postfix is requiring SASL Authentication.  I have not listed any user names
 or passwords anywhere except in Apple Open Directory as User Short Names
 for use with login to network resources.

 Postfix seems to reference these user Short Names in OD and the user's
 password, also from within OD, when performing SASL Authentication.

 These same user Short Names are also seen as valid Email addresses
 at my domain when receiving email.

 This information is not listed anywhere else in my configuration. For that
 reason, I am asking if Postfix can't also see the User Short Names as
 Email addresses when performing reject_sender_login_mismatch under
 smtpd_sender_restrictions.

 My whole goal is to avoid creating and updating another separate list of
 Email Addresses and User Names for smtpd_sender_login_maps.


 On Jun 16, 2010, at 3:49 AM, Charles Marcus wrote:

 On 2010-06-15 6:29 PM, Andrew G. Grant wrote:
 Can anyone answer the question about how SASL is able to
 authenticate Users with their Passwords stored in Open Directory, but
 not pull their Email addresses?

 What do you mean by 'pull their email addresses'?

 If you mean that you have assigned multiple email addresses for each
 user in some attribute in OD, and you want 'sender_login_mismatch' to
 only allow the user to send if they are sending from one of these
 multiple email addresses, I'm not sure how you would do that, but I'm
 trying to more precisely define what it is you are trying to do...

 --

 Best regards,

 Charles


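The configuration above (smtpd_sender_login_maps plus reject_sender_login_mismatch) decides, for each MAIL FROM, whether the SASL login owns that address. The following is an added example, not Postfix code and not from any message in this thread: a small Python model of that decision, using a constructed stand-in for the ldap:/etc/postfix/sender_login.cf table. It is simplified to exact-address lookups (Postfix also tries user@ and domain keys), and it shows the case Charles asks about, one login owning several addresses, as well as the unauthenticated-client case that the combined restriction also covers.

```python
# Added example: model of Postfix's reject_sender_login_mismatch decision.
# Not Postfix source; the map below is a constructed stand-in for the
# ldap:/etc/postfix/sender_login.cf table named in the thread.
from dataclasses import dataclass
from typing import Dict, List, Optional

# MAIL FROM address -> SASL login names that own it.  A sender_login_maps
# lookup may return several owners (here "sales@" is shared by two logins).
SENDER_LOGIN_MAP: Dict[str, List[str]] = {
    "alice@example.com": ["alice"],
    "bob@example.com": ["bob"],
    "sales@example.com": ["alice", "bob"],
}


@dataclass
class Verdict:
    action: str   # "DUNNO" (this restriction does not fire) or "REJECT"
    reason: str


def sender_login_mismatch(sender: str, sasl_username: Optional[str],
                          sender_login_map: Dict[str, List[str]] = SENDER_LOGIN_MAP,
                          check_authenticated: bool = True,
                          check_unauthenticated: bool = True) -> Verdict:
    """Model of reject_sender_login_mismatch.

    check_authenticated   ~ reject_authenticated_sender_login_mismatch
    check_unauthenticated ~ reject_unauthenticated_sender_login_mismatch
    reject_sender_login_mismatch is both flags at once.
    Simplification: the map is keyed by exact address only.
    """
    # The empty (null) sender used by bounces is not checked.
    if sender == "":
        return Verdict("DUNNO", "null sender, not checked")

    owners = sender_login_map.get(sender.lower())

    if sasl_username is not None:
        # Logged-in client: its login must be one of the owners of the
        # sender.  An address absent from the map has no owner at all, so
        # an authenticated client may not use it either.
        owned = owners is not None and any(
            o.lower() == sasl_username.lower() for o in owners)
        if not owned and check_authenticated:
            return Verdict("REJECT",
                           f"Sender address rejected: not owned by user {sasl_username}")
        return Verdict("DUNNO", "sender owned by login")

    # Client not logged in: it may not claim an address that some login
    # owns (this is what stops unauthenticated spoofing of local users).
    if owners is not None and check_unauthenticated:
        return Verdict("REJECT", "Sender address rejected: not logged in")
    return Verdict("DUNNO", "sender not claimed by any login")


def evaluate_sessions(sessions: List[tuple]) -> List[str]:
    """Apply the model to (sender, login) pairs; returns one action per pair."""
    return [sender_login_mismatch(sender, login).action for sender, login in sessions]


if __name__ == "__main__":
    # Constructed sessions: (MAIL FROM, SASL login or None when unauthenticated)
    demo = [
        ("alice@example.com", "alice"),    # own address          -> DUNNO
        ("sales@example.com", "bob"),      # shared address       -> DUNNO
        ("alice@example.com", "bob"),      # someone else's       -> REJECT
        ("nobody@example.com", "bob"),     # unmapped address     -> REJECT
        ("alice@example.com", None),       # spoof, not logged in -> REJECT
        ("stranger@example.org", None),    # ordinary inbound     -> DUNNO
    ]
    for (sender, login), action in zip(demo, evaluate_sessions(demo)):
        print(f"{sender:24} login={login!s:8} -> {action}")
```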


Re: Postfix architecture + Ldap + Courier IMAP

2010-05-10 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Mon, May 10, 2010 at 6:47 AM, spambox spam...@fastwebnet.it wrote:


 On Mon, 10 May 2010 01:00:29 -0430
 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com wrote:

 Hi!

 Yes, I know, this is kinda off-topic, but looks interesting.

 Thank you for your interest!

  |-|
  |   postfix1  |               very big storage
  |   LDAP1     |-|
  |   server1   |             |                   *
  |-|             |   /home1          *
        |                     |                   *
        |                     |---*
  |-|             |                   *
  |   postfix2  |             |                   *
  |   LDAP2     |-|   /home2          *
  |   server2   |             |                   *
  |-|             |                   *
        |                     |---*
        |                     |                   *
  |-|             |   /home3          *
  |   postfix3  |             |                   *
  |   LDAP3     |-|
  |   server3   |
  |-|
 
 
 
 

 Ok, so, load balancing here, with different homes for each server, so,
 each server has its own set of users, right?

 Yes, each LDAP has a list of its users. For each LDAP entry we have a record
 telling us who the Mail server for that user is. So if the balancer sends
 user test to mail server1 and from the LDAP we see that user test belongs
 to server1, then test's request is served, ELSE if user test has its mail server
 set to mailserver3, for example, the request is redirected to mailserver3, which
 will handle the request.

Cool, I have implemented a similar approach, but at the postfix level, i.e.,
each smtp server can receive mail for any user, and then looks for the
smtp server in an ldap attribute (I use the maildrop attr for that).  I use
this to have a distributed email system, so that each user has his/her
mail locally at the locality where he/she works.  If one server is
unavailable, the system will keep the mail queued until the
corresponding server is back, so: no HA here.



 
  if one server goes down, the one next to it will bring up its ip address and
  mount its partition on the storage until the server restarts correctly.

 Now, this is more typical of HA clusters; what gets me confused is
 what I asked in the last question, so, when say, server 1 goes down,
 server 2 mounts server1's home partition and starts getting mails (and
 serving IMAP requests) as if it were server1, right? I'll reserve my
 other comments until I get more information on this.

 Yes, if server1 goes down the cluster will bring up server1's interface and
 home partition on server2. Server2 will temporarily act as server1 and
 server2 until server1 is back on line.

Ok.





  1) I've never used Courier IMAP, but reading on the internet I've found
  that it uses gethostbyname() to resolve, and this may cause an infinite loop
  for a host with 2 interfaces but one hostname if one server goes down.
  So, I'm afraid that I will be able to install courier-imap on each server
  and this will cause a big problem for the scalability of the system.
 
  2) Has anyone ever tried something like this and is able to redirect me
  to some good documentation?

 I don't use Courier (several reasons, off-topic here), I use Dovecot
 (I can even use SASL from Dovecot to authenticate Postfix's smtp,
 really handy along with reject_authenticated_sender_login_mismatch and
 smtpd_sender_login_maps on ldap).

 Nice, I gave a look at this Dovecot and it looks pretty nice! I haven't tested
 it yet but it seems it can be a valid alternative. I'm trying to move from
 Qmail to postfix because Qmail is a patch-project (dead), while I think Postfix
 is a valid alternative that will make life a lot easier.

postfix is extremely flexible.  Believe me: you can replace qmail with
*no* changes to your ldap entries.

Your project looks interesting,

Ildefonso Camargo


Re: Relaying to SPF protected server

2010-04-03 Thread Jose Ildefonso Camargo Tolosa
Hi!

This is getting interesting. How, exactly, does mailman (or another
mailing list manager) handle this? I mean, I have seen several
SPF-enabled domains, and these domains have subscriptions to one or
more lists... now, reading the headers for one of the messages of these
lists, I got this:

Sender: owner-postfix-us...@postfix.org

So... my guess is that the SPF check will go against this mail
address, not the one in the From field. Am I right?

What do you think?

Ildefonso Camargo


Re: Unknown Users

2010-02-11 Thread Jose Ildefonso Camargo Tolosa
Greetings,

On Thu, Feb 11, 2010 at 10:11 AM,  te...@cnysupport.com wrote:
 Quoting Jonathan Tripathy jon...@abpni.co.uk:

 Hi Folks,

 Does anyone know how to make a backup MX server query the primary MX
 server to check if a mailbox exists, before accepting the contents of the mail?

 I have a problem with MAILER-DAEMON messages...

 Thanks

 That might not be the right problem to fix. If the primary mx is down, the
 backup mx might not have anything to query.

 You might want to have the primary mx export a list of valid users
 periodically as a text file, then have the backup server pick it up with
 rsync, then postfix can use it to validate recipients.

Or, maybe: integrate both MXs into *one* user database, like LDAP or
*SQL, and have replication; then make the destination verification use
that database.  If the primary MX is dead, the secondary will still
have a valid, up-to-date DB to verify its destinations.

I hope this helps,

Ildefonso Camargo


Re: suitable webmail

2010-02-09 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Tue, Feb 9, 2010 at 11:44 AM, Mark Goodge m...@good-stuff.co.uk wrote:
 On 09/02/2010 16:00, Jose Ildefonso Camargo Tolosa wrote:

 Possibly, although there are different reasons for detesting OE and
 Outlook.  OE and Outlook are crap desktop clients; most experienced
 high-volume mail users prefer better clients such as Thunderbird. If
 your users also detest Thunderbird, then yes, Squirrelmail is probably
 right up their street.  But if they like Thunderbird, then they'll
 probably find Squirrelmail rather limited by comparison.

 ... it depends; if you use squirrelmail, you will be able to read
 your mail using any phone using operamini, that's a neat feature.

 Yes, and that's an important consideration when choosing a webmail client.
 It's very difficult to make a webmail cient work equally well as a mobile
 client and as a replacement for a desktop client.

 80 would be a very low figure for the type of use I'm thinking of. The
 people I know who complain about Squirrelmail's limitations generally get
 several hundred emails a day.

 Please, just tell me: what does the volume of mail have to do with the
 webmail client? I mean, I could get 1000 mails at once, and squirrel
 would just show me the latest when I refresh the page: no delays, no
 problems, also felamimail (egroupware), and IMP (horde)... so, what
 do you want a mail client to do with your 1000s of mails? Read them for
 you and parse them, so that you get the most important first? I
 mean, there is no web client that does that, and if you really need to
 do something like that, use dovecot and sieve!  Any client-side
 filtering for 1000s of mails a day could be slow, unless it is a
 desktop client.

 The main issues with large volumes of mail are being able to visually scan
 through it using a preview pane instead of having to step through each
 message in turn, and being able to mass-move multiple emails by click-select
 and drag-and-drop. These are things that are easy to implement on a desktop
 client, but hard to do on a webmail client. Also, for list mail, threading
 is an essential feature for many people (including myself), and a client
 (either desktop or web) that doesn't support it is simply too non-functional
 to be used except as a backup.

As for threading: it depends on the imap server:

http://squirrelmail.org/wiki/SquirrelMailFeatures   ---  look at the
question: Can I view my mail list in threaded view?

Ildefonso


Re: suitable webmail

2010-02-09 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Tue, Feb 9, 2010 at 1:47 PM, LuKreme krem...@kreme.com wrote:
 On 8-Feb-2010, at 17:34, Jose Ildefonso Camargo Tolosa wrote:

 100% of the servers I have access to have,
 at least once in the last year, been scanned by a bot (or person, who
 knows) for /roundcoube or similar

 And? I have thousands of servers trying to access my machines via sshd every 
 single day. This does not mean sshd is insecure.

SSH bots are brute force attempts.  It means nothing about the
security of ssh itself.


 How many servers have you had be compromised by roundcube installs?

I don't use roundcube. So: No.


 (I have had a server get compromised from Squirrelmail, awstats, and phpbb in 
 the past, but none from Roundcube and all were exploited because I did not 
 update software quickly enough.

Usual cause: lack of updates; the question is, sometimes, the response
time to get the issues solved.  The thing is: I'm currently avoiding
roundcube for the same reason why I used to avoid bind: bad security
history.  It looks like a really promising project, and if they keep
up the good work, they will become a really, really good webmail
system, and not just nice, but also secure.


Re: [OT] suitable webmail

2010-02-08 Thread Jose Ildefonso Camargo Tolosa
Hi!

Sorry for keeping the off-topic... but I had to answer

On Mon, Feb 1, 2010 at 4:35 PM, Stan Hoeppner s...@hardwarefreak.com wrote:
 Kay put forth on 2/1/2010 11:49 AM:

 In my job (hosting company) I see boxes exploited via roundcube all the
 time.  Squirrelmail? Not one so far.  Part of the reason is that
 squirrelmail comes with RHEL, so it's kept up to date automatically,
 while customers install their own roundcube and then don't maintain it.


Me too, not just in DCs, even on home (DSL dynamic) IPs; these are bots
scanning, and I have found A LOT of roundcube-targeted scans. I have
found lots of access attempts on *all* of the servers I have access
to: more than 10 of them, in different geographical locations.

 I think you're making some incorrect assumptions.  Squirrelmail has had a pretty
 abysmal security track record of its own over the years.  One reason for that is

True: really old ones.

 probably exactly what you're calling out Roundcube for here, which has nothing
 to do with the software, but the administration of the system.  That said, you
 appear to think the world runs on Red Hat, and if Red Hat doesn't have a
 Roundcube package, admins will install from source or an external RPM that
 doesn't get updated by Red Hat's uptodate or whatever it's called.  The world
 doesn't run on Red Hat, and many admins _do_ keep their Roundcube (and other)
 packages up to date.  For instance, I do security updates on my Debian servers
 once a week.  My Roundcube package is currently up to date, and it is a standard
 Debian package:

I use Debian too.

  That said, it's not the only webmail client (or any other web app) that
 gets the installneglect treatment, it's just the one most frequently
 exploited.

 Do you have any empirical data showing that Roundcube is exploited more often
 today than Squirrelmail?  Claims like this really need to be backed up.  Data
 for only your data center doesn't count, the sample size is way too small.  This
 is called anecdotal evidence, not empirical evidence.

Ok, you want a sample: 100% of the servers I have access to have,
at least once in the last year, been scanned by a bot (or person, who
knows) for /roundcoube or similar, and none of them included scans
for squirrelmail-related files.  My sample size: around 20 servers in
~4 different geographical locations.  One of the servers gets hit
constantly by scans looking for files like roundcube/something and
roundcube3/something (yes, 3, I don't know why, it should be 0.3), and
roundcoube0.2/something and so on. I have never ever used
roundcube, because I studied a little about it and found that it was
still too young; I mean: it needs to grow as a project to get to a
point where major security issues get uncommon.

The other case: my own PC.  I have a test web server there, and it
has been hit by these *scans* a lot, and it has a dynamic IP... I
recently decided to block port 80 from outside, and only open it
when I need it to be accessed from outside (it just gets annoying).

Once again, sorry about the off-topic, but this is an interesting discussion,

Sincerely,

Ildefonso Camargo
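The scans described in this thread (one client walking through roundcube/, roundcube3/, roundcoube0.2/ and so on, all returning 404) are easy to pick out of a web server access log. The following is an added example, not from the thread: a Python detector that parses combined-format access log lines (the lines, IPs and paths are constructed, not real logs) and reports clients that probed several distinct, non-existent webmail paths, so the output can feed a block list or an alert rather than being eyeballed.

```python
# Added example: spot webmail-install scanners in a web server access log.
# The log lines below are constructed for this example; the path list is
# an assumption (names scanners commonly try), extend it for your site.
import re
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2010:10:01:02 +0000] "GET /roundcube/ HTTP/1.1" 404 169 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Feb/2010:10:01:02 +0000] "GET /roundcube3/ HTTP/1.1" 404 169 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Feb/2010:10:01:03 +0000] "GET /roundcoube0.2/ HTTP/1.1" 404 169 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Feb/2010:10:01:03 +0000] "GET /webmail/ HTTP/1.1" 404 169 "-" "Mozilla/4.0"
198.51.100.4 - - [08/Feb/2010:10:05:00 +0000] "GET /squirrelmail/src/login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Feb/2010:10:05:09 +0000] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Feb/2010:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.19"
192.0.2.9 - - [08/Feb/2010:10:07:01 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "curl/7.19"
"""

# Apache/nginx "combined" format: client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# First path component of the webmail installs scanners look for.  A real
# user hits the one directory that exists; a scanner walks through many
# names that do not (the thread mentions roundcube, roundcube3, roundcoube0.2).
WEBMAIL_DIR_RE = re.compile(
    r'^(roundcube[\w.-]*|roundcoube[\w.-]*|rc|webmail|mail|squirrelmail|sm|horde)$',
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def first_dir(path: str) -> str:
    """'/roundcube3/index.php' -> 'roundcube3'; '/' -> ''."""
    parts = path.split("?", 1)[0].split("/")
    return parts[1].lower() if len(parts) > 1 else ""


def webmail_probers(log_text: str, min_distinct_misses: int = 3) -> Dict[str, List[str]]:
    """Return {client_ip: sorted probed dirs} for clients that requested at
    least min_distinct_misses different webmail directories that answered 404.
    Only misses count, so a legitimate user of an existing install is not flagged."""
    misses: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        top = first_dir(rec["path"])
        if WEBMAIL_DIR_RE.match(top):
            misses[rec["ip"]].add(top)
    return {ip: sorted(dirs) for ip, dirs in misses.items()
            if len(dirs) >= min_distinct_misses}


if __name__ == "__main__":
    for ip, dirs in webmail_probers(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(dirs)} missing webmail paths: {', '.join(dirs)}")
```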


Re: LDAP user lookup

2009-09-06 Thread Jose Ildefonso Camargo Tolosa
Hi!

IMHO, you have two choices:

1. Integrate your OS with LDAP, thus making LDAP users also OS (local)
users; in this case, you should set the shell for every mail-only
user to /bin/false, or maybe a menu-like shell that only lets them
run a mail client or something like that (really old-school, the
menu thing).
2. Run virtual-only users, so mail users don't exist for the OS.

Each of them has its own advantages and disadvantages.  I selected
the first one, because I was too lazy to implement the 2nd, and this
far I'm able to:

1. Use dovecot as pop3/imap/sasl provider.
2. Use fs quotas; this has a nice side-effect: if I implement a file
server on the same machine and filesystem, I get a *shared* storage
size for mail/files.
3. Group-based quotas; well, I actually made a script that reads quota
configuration from a file and applies quotas to the members of groups
according to that configuration; this allows me to manage users' quota
size just by changing users from one group to another.

This thread brings me a question: can all of these things be achieved
in a virtual-only environment? (I know, the info should be in the
docs, but I already stated I was a little lazy.)  I ask this because
I'm thinking of moving to a virtual environment, in order to take
advantage of dovecot's proxy features (I think I could do this by
modifying only dovecot's configs, but now that I'm working on it, I
believe it could be a good time/excuse to modify postfix's ones).

I hope this helps, and thanks in advance,

Ildefonso Camargo

On Sat, Sep 5, 2009 at 2:28 PM, Raimund Eimannraim...@busy-byte.de wrote:
 Hi,

 maybe it's me having completely weird ideas, but the existing Google
 results for postfix ldap howto are not very satisfactory for me:

 All I would like to do is to have a separate user base (stored in LDAP)
 from /etc/{passwd,shadow} on my Linux box for all email-related issues. So
 far I was always annoyed that the default setup of Postfix (openSuSE,
 dunno about other distros) uses /etc/passwd to look up users, because that
 means every added mail user automatically also becomes an SSH user (for
 instance) without me intending this. This becomes particularly tricky if
 such a user picks "secret" as his/her password.

 What I find in the howto(s) are discussions about alias mapping via LDAP
 or setting up some catchall user or setting up mail distribution groups.
 Far too advanced for me. All I want is LDAP user lookup for incoming mail
 and user authentication for outgoing mail. Ideally, I would like to use
 two different branches of the LDAP tree for OS logins and mail logins.

 Either the info on how to do this is very well hidden, or I'm looking for the
 wrong keywords, or my idea is so strange that no one's ever done such
 nonsense before (hence the apparent lack of documentation), or I simply
 missed the right spots in the howto(s).

 I turn to this group with some questions:

  a) is my idea completely crazy so that I should not do this at all?
  b) hoping for a no in a):
     can someone here point me into the right direction/docs?
  c) if someone did this before, can I snaffle some config snippets?

 Cheers,
 Raimund
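
The group-based quota script described in the reply above (a config file mapping groups to quota sizes, applied to each group's members so that moving a user between groups changes their quota) is not on the page; the following is an added example of that idea, not the poster's script. It assumes the config format `group soft_kib hard_kib`, uses a constructed in-memory group table in place of `grp.getgrnam(...).gr_mem` so it runs offline, and emits `setquota` commands in dry-run mode instead of executing them; `/var/mail` as the dedicated mail filesystem is also an assumption.

```python
"""Apply per-group filesystem quotas to mail users.

Added example (not the script from the original message). It reads a
small group->quota table, resolves each group's members and builds one
`setquota` command per user, so a user's quota follows the group they
belong to. Group membership and the config are constructed inline so
the example runs offline; in production the members would come from
the `grp` module (OS/LDAP users via NSS) and the commands would run.
"""
import shlex
import subprocess

# Constructed config: group name -> soft/hard limits in KiB (assumed format).
QUOTA_CONFIG = """
# group      soft_kib   hard_kib
mail-basic    512000     614400
mail-power   2048000    2457600
"""

# Constructed stand-in for grp.getgrnam(name).gr_mem
GROUP_MEMBERS = {
    "mail-basic": ["alice", "bob"],
    "mail-power": ["carol"],
}

FILESYSTEM = "/var/mail"  # assumed dedicated mail filesystem


def parse_quota_config(text):
    """Parse 'group soft hard' lines; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"bad quota line: {raw!r}")
        group, soft, hard = parts[0], int(parts[1]), int(parts[2])
        if soft > hard:
            raise ValueError(f"soft quota exceeds hard quota for {group}")
        table[group] = (soft, hard)
    return table


def build_setquota_commands(config, members, filesystem=FILESYSTEM):
    """Return {user: argv} for every member of a configured group.

    A user in two configured groups gets the larger limits, so moving a
    user into a bigger group never shrinks their quota by accident.
    """
    commands = {}
    for group, (soft, hard) in config.items():
        for user in members.get(group, []):
            s, h = soft, hard
            prev = commands.get(user)
            if prev is not None:
                s = max(s, int(prev[3]))
                h = max(h, int(prev[4]))
            # setquota -u USER BLOCK_SOFT BLOCK_HARD INODE_SOFT INODE_HARD FS
            # (block limits are in 1 KiB units; 0 = no inode limit)
            commands[user] = ["setquota", "-u", user, str(s), str(h),
                              "0", "0", filesystem]
    return commands


def apply(commands, dry_run=True):
    """Print (dry run) or execute the generated setquota commands."""
    for _user, argv in sorted(commands.items()):
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    cfg = parse_quota_config(QUOTA_CONFIG)
    apply(build_setquota_commands(cfg, GROUP_MEMBERS), dry_run=True)
```

Run it from cron after any group change; keep `dry_run=True` until the printed commands look right, since `setquota` with a too-small hard limit locks the mailbox immediately.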



Re: Postfix SMTP Auth and OpenLDAP

2009-07-07 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Tue, Jul 7, 2009 at 3:16 PM, Victor Duchovni 
victor.ducho...@morganstanley.com wrote:

 On Mon, Jul 06, 2009 at 09:36:17PM +0200, Patrick Ben Koetter wrote:

  * Terry L. Inzauro tinza...@ha-solutions.net:
   What is the recommended and most scalable method for implementing SMTP
 Auth
   against OpenLDAP that currently manages all IMAP accounts?
 
  Cyrus SASL ldapdb plugin:
 
 The ldapdb auxprop plugin provides access to credentials stored in an
 OpenLDAP LDAP server. It is the only plugin that implements proxy
 authorization.
 
  Proxy authorization in this context means: The ldapdb plugin must SASL
  authenticate with the OpenLDAP server. The server then decides if the
  ldapdb plugin should be authorized to read the authenticating user's
  password.
  
  Once the ldapdb plugin has gone through proxy authorization it may
  proceed and authenticate the submitted credentials.

 Is there another plugin which authenticates users by binding to LDAP
 *as the user*, and using the success/failure of that to decide whether
 a user's password is valid?

 This could perhaps also be accomplished via a suitable PAM stack or via
 indirect mechanisms such as rimap or dovecot auth.


I actually use: postfix -- SASL -- dovecot -- PAM -- LDAP

There is no particular reason why you can't do:

postfix -- dovecot -- LDAP

You just need to check dovecot's documentation; I used PAM because I was
already using it.

Ildefonso Camargo







Re: bcc for email archiving

2009-03-07 Thread Jose Ildefonso Camargo Tolosa
Hi!

I used to use assp along with postfix, and I do the archiving
configuration in ASSP, so that I can have separate SPAM and NOTSPAM
archives.

Anyway, I use Maildir format, and run a script that deletes messages
older than 15 days, but I believe that a similar script can be used
for moving/compressing old messages.  I just use the find command to
do the searching; I use -atime, because messages that are
read in the archive are given a longer lifetime, but if you just
care about when the file was modified, you could use -mtime.

I hope this helps,

Ildefonso Camargo

On Sun, Mar 8, 2009 at 10:09 AM, KLaM Postmaster postmas...@klam.ca wrote:
 I am currently using always_bcc to archive email for the group I work
 with. I am not sure that we need an archive, but that's not my call.
 The bcc option is attached to the cleanup service in master.cf

 cleanup unix    n    -    n    -    0    cleanup
 ..
  -o always_bcc=archi...@example.com


 Two questions:
 Is there a better way of creating an archive?
 Is there a way of using plus addressing in order to break the archive
 into manageable chunks, something like archives+...@example.com?

 TIA
 JLA
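
The pruning script in the reply above (delete archived Maildir messages older than 15 days, selecting by -atime so recently read messages survive, or by -mtime if only the write time matters) is described but not shown. Here is an added example of that logic, not the poster's own script: it walks a Maildir's cur/ and new/ folders, picks files older than N days by either timestamp, and only deletes when asked. The sample Maildir and its backdated timestamps are constructed in a temporary directory with os.utime so the block runs offline.

```python
"""Prune an archive Maildir by age, like `find ... -atime +15 -delete`.

Added example, not the script from the original message. It selects
message files whose last access (atime) or last modification (mtime)
is older than N days. Deletion is opt-in, so the default run is a dry
run. The sample Maildir is constructed with backdated timestamps.
"""
import os
import tempfile
import time

DAY = 86400


def old_messages(maildir, days, key="atime", now=None):
    """Return paths under cur/ and new/ older than `days` by `key`.

    key="atime" spares archived messages somebody read recently (a read
    refreshes atime unless the filesystem is mounted noatime);
    key="mtime" looks only at when the file was last written.
    """
    if key not in ("atime", "mtime"):
        raise ValueError("key must be 'atime' or 'mtime'")
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    hits = []
    for sub in ("cur", "new"):  # tmp/ holds in-flight deliveries; skip it
        folder = os.path.join(maildir, sub)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            st = os.stat(path)
            stamp = st.st_atime if key == "atime" else st.st_mtime
            if stamp < cutoff:
                hits.append(path)
    return sorted(hits)


def prune(maildir, days, key="atime", delete=False):
    """Dry-run by default; returns the list of selected paths."""
    victims = old_messages(maildir, days, key)
    for path in victims:
        if delete:
            os.unlink(path)
        else:
            print("would delete", path)
    return victims


def make_sample_maildir(root, now):
    """Constructed archive: three messages with different ages."""
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    samples = {
        # relative name: (atime age in days, mtime age in days)
        "cur/1.old_unread:2,S": (30, 30),
        "cur/2.old_but_read_yesterday:2,S": (1, 30),
        "new/3.fresh": (2, 2),
    }
    for rel, (a_days, m_days) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("Subject: sample\n\nbody\n")
        os.utime(path, (now - a_days * DAY, now - m_days * DAY))
    return root


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_maildir(tmp, now)
        for key in ("atime", "mtime"):
            names = [os.path.basename(p) for p in old_messages(tmp, 15, key, now)]
            print(f"older than 15 days by {key}: {names}")
```

Note the difference the two keys make on the same mailbox: the message read yesterday is kept under atime and removed under mtime, which is exactly why the reply above chose -atime for a searchable archive.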





Re: OT: Diagnose blocked mail

2009-03-04 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Thu, Mar 5, 2009 at 7:11 PM, Ray r...@stilltech.net wrote:
 On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote:
 On Thursday, March 05, 2009 at 00:26 CET,

      Ray r...@stilltech.net wrote:
  On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
   Ray wrote:
Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC
(b...@3rdserver.com) I run myserver.com. message goes through to
b...@3rdserver.com, but not b...@myserver.com.
there is absolutely no trace of alice's domain in the mail logs.
   
am I being blocked up stream, is my server discarding the mail
somewhere or ...?
   
any suggestions including alternate mail lists or google search
terms very much appreciated.
  
   Post the appropriate section of /var/log/maillog showing the
   misbehaving transfer.
 
  That's the problem, there's nothing in the logs.

 Is Postfix running?
 Is it accepting port 25 connections on the Internet-facing network
 interface? Is there any firewall in the way?
 Are the MX records pointing towards your server?
 Does your ISP block inbound port 25?
 Can you connect to port 25 from an outside network?
 ...
 Sorry, I should have filled in all this information beforehand :(
 Server is live and fully functional. It deals with thousands of messages per
 day and has for over a year. One user can't receive messages from one contact.
 That contact doesn't even show up in the logs as spam or lost connection or
 anything.

So, let me see: one user can't receive mail from one specific mail
address, but can other users receive mail from that address? I.e., if
al...@example.com sends a mail to us...@myserver.com, is the mail
delivered?

Do you have some kind of spam filter in front of your actual mail server?
If yes: which one, and can you temporarily disable/remove it and
test?

I hope this helps,

Ildefonso Camargo


Re: whitelisting trusted addresses

2009-02-28 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Sun, Mar 1, 2009 at 8:11 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:
 I appreciate that it's hard to make up for the failings of other peoples
 email/internet infrastructure, but I'm looking for options/suggestions
 on how to deal with that old problem of Blocking unwanted mail when the
 occasional wanted mail has all the characteristics of unwanted mail.

duh... that's a problem.  There should be a pattern in spam and a
pattern in wanted mail, because that's not common mail where you get
an offer for a cheap rolex or anything like that.


 We use RBL's and basic checks such as rejecting mail with no rdns at
 all, and it stops thousands of spam, but of course as a business, in an
 ideal world I want to accept all legitimate mail regardless of
 characteristics.

 Sure I can manually create whitelists but that requires me to know there
 was a problem with a certain domain/host/address.

 I think I'm asking the impossible, but I'm curious how other people go
 about handling this problem both technically and politically?

I use assp http://assp.sourceforge.net/ .  It includes some
ways of automagically managing whitelists, and other stuff which makes
it a very interesting project.  Politically, no idea; that's the
difficult part, because users don't want to understand that spam is an
always-evolving problem, and that adapting usually requires time.

I hope this helps,

Ildefonso Camargo


 Cheers,
 Paul





Re: whitelisting trusted addresses

2009-02-28 Thread Jose Ildefonso Camargo Tolosa
On Sun, Mar 1, 2009 at 8:37 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:
 When I say stop spam we use Cloudmark on what gets to Exchange and it's 
 deathly accurate - really I'm only talking about the perimeter and what gets 
 through postfix restrictions so not really message content, just the envelope 
 stuff that the restrictions will look at.


I told you: I use assp, and it works really well; as a matter of fact, it
learns from your usual mail flow, so you have to retrain its
system from a couple of directories: spam and notspam, and it also
has automatic whitelisting.  Believe me: it's worth taking a look at
it.

On the other hand: I have no experience with Cloudmark, but I have
seen many commercial spam filters which overreact, and thus get you
so much mail (authentic mail) blocked, that you start to seriously
think about just letting the spam in.  Assp has proved to be very
good, and it's free.

If you need any further assistance (maybe help replacing your Exchange
with something just as good, and a lot cheaper), don't hesitate to
contact me :) .

Once again, I hope this helps,

Ildefonso Camargo






Re: how to send mail to gmail account

2008-12-19 Thread Jose Ildefonso Camargo Tolosa
On Fri, Dec 19, 2008 at 7:19 AM, Jorey Bump l...@joreybump.com wrote:
 Jose Ildefonso Camargo Tolosa wrote, at 12/18/2008 06:28 AM:

 I think you should send more info on your config, for example:

 MX record for your domain.
 myhostname entry from main.cf

 these two should match.

 There is no requirement that these match. They are completely unrelated.

I said: should.  There are some spam filters which use the hostname
provided by the server and make several verifications like:

+ Is the hostname listed as a MX for the domain?
+ Does the hostname *forward* resolve to the IP I'm being contacted from?
+ Does the IP *reverse* resolve to the hostname?


 The OP needs to describe the problem more accurately. In general, no
 special configuration is required to send mail to any domain.

Correct, as long as there are no spam filters around.

c-ya!

Ildefonso.
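
The three checks listed in the reply above (HELO hostname listed as an MX for the domain, hostname forward-resolving to the connecting IP, IP reverse-resolving to the hostname) are what a receiving filter does before trusting a sender. The following is an added example of those checks, not code from the message or from any filter it mentions. DNS answers come from a constructed in-memory zone (example.com and the "dyndns.example" home server are made up) so the block runs offline; for a real lookup swap `fake_lookup` for dnspython or `socket.gethostbyname`/`socket.gethostbyaddr`.

```python
"""Check what a picky receiver verifies about a sending host.

Added example, not code from the original message. Given the name a
server announces (Postfix `myhostname`, sent in HELO/EHLO), the IP it
connects from and the domain it sends for, it checks:
  1. is the hostname one of the domain's MX targets,
  2. does the hostname resolve forward to the connecting IP,
  3. does the IP reverse-resolve to the hostname.
DNS comes from a constructed in-memory zone so the example runs offline.
"""

# Constructed zone data: (name, rrtype) -> list of answers
FAKE_DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],
    # a home DSL box with a dyndns name: forward works, PTR is the ISP's
    ("home.dyndns.example", "A"): ["198.51.100.7"],
    ("7.100.51.198.in-addr.arpa", "PTR"): ["cust-7.isp.example"],
}


def fake_lookup(name, rrtype):
    """Stand-in resolver; returns [] for NXDOMAIN like a real one would."""
    return FAKE_DNS.get((name.lower().rstrip("."), rrtype), [])


def reverse_name(ipv4):
    """192.0.2.25 -> 25.2.0.192.in-addr.arpa (IPv4 only in this example)."""
    octets = ipv4.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def check_sender_identity(helo_host, client_ip, mail_domain, lookup=fake_lookup):
    """Return a dict of the three checks; all True means a consistent identity."""
    host = helo_host.lower().rstrip(".")
    mx_targets = [m.lower().rstrip(".") for m in lookup(mail_domain, "MX")]
    forward = lookup(host, "A")
    ptr = [p.lower().rstrip(".") for p in lookup(reverse_name(client_ip), "PTR")]
    return {
        "hostname_is_mx": host in mx_targets,
        "forward_matches_ip": client_ip in forward,
        "reverse_matches_hostname": host in ptr,
    }


def summarize(results):
    """One-line verdict naming the failed checks."""
    failed = [name for name, ok in results.items() if not ok]
    return "ok" if not failed else "suspicious: " + ", ".join(failed)


if __name__ == "__main__":
    good = check_sender_identity("mail.example.com", "192.0.2.25", "example.com")
    print("well-configured server:", summarize(good))
    dsl = check_sender_identity("home.dyndns.example", "198.51.100.7", "example.com")
    print("home DSL server:", summarize(dsl))
```

Of the three, the reverse lookup is the one a dynamic-IP sender cannot fix alone, since the PTR record belongs to the ISP; that is the usual reason such a server is still filtered even with a matching MX and forward record.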


Re: how to send mail to gmail account

2008-12-18 Thread Jose Ildefonso Camargo Tolosa
Hi!

Well, I don't know what you are doing, but I'm able to send mail to
gmail accounts with no problem at all (from my house's test server,
which is on a DSL line (dynamic IP), by the way, and has a dyndns
domain).

I think you should send more info on your config, for example:

MX record for your domain.
myhostname entry from main.cf

these two should match.

c-ya!

Ildefonso Camargo


On Fri, Dec 19, 2008 at 4:06 AM, vivek.agrawal
vivek.agra...@radicalsystems.co.in wrote:

 hello everyone,
 I want to use postfix to send email to gmail accounts. Currently I am able
 to send and receive mail in my local network. Can you please describe what
 the next step will be if I want to send mail to a gmail account.

 On some sites I have read that to use a gmail account we need SASL certificates. I
 have tried creating SASL certificates 4-5 times, and I am getting the error
 "peer name verification failed, common name mismatched: smtp.gmail.com".

 Do we really require this gmail account SASL for sending new mails from the
 local network to a gmail account.

 thanks in advance




Re: Postfix and quota clarification

2008-11-25 Thread Jose Ildefonso Camargo Tolosa
hi!

On Tue, Nov 25, 2008 at 4:18 AM, Rocco Scappatura
[EMAIL PROTECTED] wrote:
 On Mon, Nov 24, 2008 at 4:49 AM, mouss [EMAIL PROTECTED] wrote:
  Jose Ildefonso Camargo Tolosa wrote:
 
  However, Postfix supports access maps that can reject mail for
  over-quota users, if you are willing to periodically add up all
  the mail each user has.
 
  I have been using filesystem quotas for this purpose, and it works
  just fine.  Of course, I have a dedicated filesystem for mail
  storage.
 
 
  The problem is that this is detected at delivery time, which will
 cause
  backscatter if it happens too often and your filter misses a lot of
  spam. if this doesn't happen often, then yes, it's the easy way.
  otherwise, an access check as suggested by Wietse may be necessary.

 True, that's why I try to implement many quota warning systems, so
 the user knows that he/she has to clean their mailbox; also, there is
 a side-effect to the fs quota: it is pretty likely that the imap
 server (dovecot) fails to access the user mailbox once the hard limit
 is exceeded (unless you fix it, but I didn't), and they just call support,
 and then one tells them to clean up the mailbox asap, and just
 re-enables the access (by deleting a couple of dovecot's files, and
 extending their quota for a while).

 Well, I also try to have a good spam filter (ASSP).

 
  2- there is no safe quota support in any MTA. most quota
 implementations
  will send a bounce, which may resultin backscatter
 
  true.  but quotas are necessary: the more disk space the users have,
  the more garbage they store.
 
 
  but this doesn't require checking quota in real time or at delivery
  time. populating an access list (periodically or opportunistically)
  should be enough.

 maybe, but it can also prove to be slow, and even more so when you have
 thousands of users.  I think that... maybe... using soft quotas (as a
 counter) and having unlimited hard quota and grace periods could have
 a similar effect, and could be faster (I don't know if this actually
 works, I haven't tried)


 In fact, this is exactly the problem that I have. I'm using Postfix as a
 post-office platform too. And I need to check disk usage. The first time I
 patched with the VDA patch. Then I upgraded postfix and I have no longer
 applied the relative patch. Indeed I read that it is not good to use the VDA
 patch, so I believed that there was native support for quota in Postfix.
 Anyway I share the view that the MTA does not have to face quota issues, as mouss
 pointed out in a previous email. But I have to check quota for exactly the
 same needs that you have exposed. Have you a practical alternative to the VDA
 patch to suggest to me?

Well, I don't know; I just installed Postfix, and configured fs
quota (Debian GNU/Linux), and it just worked.  I also use Dovecot, and
configured the quota plug-in and used the fs backend, just to let the
webmail app get quota info and show a nice quota bar.  I also run
warnquota from a cron job every day at 08:00, to send a warning mail
to over-quota users (over soft quota, of course).


Re: Postfix and quota clarification

2008-11-23 Thread Jose Ildefonso Camargo Tolosa
On Mon, Nov 24, 2008 at 4:49 AM, mouss [EMAIL PROTECTED] wrote:
 Jose Ildefonso Camargo Tolosa wrote:

 However, Postfix supports access maps that can reject mail for
 over-quota users, if you are willing to periodically add up all
 the mail each user has.

 I have been using filesystem quotas for this purpose, and it works
 just fine.  Of course, I have a dedicated filesystem for mail
 storage.


 The problem is that this is detected at delivery time, which will cause
 backscatter if it happens too often and your filter misses a lot of
 spam. if this doesn't happen often, then yes, it's the easy way.
 otherwise, an access check as suggested by Wietse may be necessary.

True, that's why I try to implement many quota warning systems, so
the user knows that he/she has to clean their mailbox; also, there is
a side-effect to the fs quota: it is pretty likely that the imap
server (dovecot) fails to access the user mailbox once the hard limit
is exceeded (unless you fix it, but I didn't), and they just call support,
and then one tells them to clean up the mailbox asap, and just
re-enables the access (by deleting a couple of dovecot's files, and
extending their quota for a while).

Well, I also try to have a good spam filter (ASSP).


 2- there is no safe quota support in any MTA. most quota implementations
 will send a bounce, which may resultin backscatter

 true.  but quotas are necessary: the more disk space the users have,
 the more garbage they store.


 but this doesn't require checking quota in real time or at delivery
 time. populating an access list (periodically or opportunistically)
 should be enough.

maybe, but it can also prove to be slow, and even more so when you have
thousands of users.  I think that... maybe... using soft quotas (as a
counter) and having unlimited hard quota and grace periods could have
a similar effect, and could be faster (I don't know if this actually
works, I haven't tried)


 3- if you can queue mail, you can deliver it ;-p
 4- disks don't cost too much now.

 true, but when you have 10k users, the cost of each not-so-expensive
 hard drive starts to add up, and not only that: in a public
 organization you can have wait times of around 6 months just to get a
 hard drive.  Oh, and don't forget: you have to plug these hard drives
 in somewhere: every server has its hard drive limit, and you could
 take a PC and lots of SATA controllers, and build a nice low-cost
 NAS-like thing, but a few people qualify this as unreliable; they
 need to spend lots of money on IBM or HP storage systems, and because
 of the cost, they just don't buy them, and thus: we have a limited
 amount of disk space :( .


 Agreed.

 5- if your users abuse mail, destroy their heads, not ours.

  I don't think my boss would let me do that, jejejeje :D


 you must make it look like an accident :)

... jejejejeje :D


 c-ya!

 Ildefonso.




Re: Postfix and quota clarification

2008-11-22 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Sat, Nov 22, 2008 at 9:53 PM, Wietse Venema [EMAIL PROTECTED] wrote:
 mouss:
 Rocco Scappatura wrote:
  Hello,
 
  I have a post-office platform based on
  Postfix-2.5.2+Courier-IMAP-4.0.1-Courier-authlib-0.53+MySQL-5.0.33.
 
  Can someone give some hint on how enable (and verify that works) quota
  on mailboxes?
 

 1- there is no quota support in postfix.

 However, Postfix supports access maps that can reject mail for
 over-quota users, if you are willing to periodically add up all
 the mail each user has.

I have been using filesystem quotas for this purpose, and it works
just fine.  Of course, I have a dedicated filesystem for mail
storage.


Wietse

 2- there is no safe quota support in any MTA. most quota implementations
 will send a bounce, which may resultin backscatter

true.  but quotas are necessary: the more disk space the users have,
the more garbage they store.

 3- if you can queue mail, you can deliver it ;-p
 4- disks don't cost too much now.

true, but when you have 10k users, the cost of each not-so-expensive
hard drive starts to add up, and not only that: in a public
organization you can have wait times of around 6 months just to get a
hard drive.  Oh, and don't forget: you have to plug these hard drives
in somewhere: every server has its hard drive limit, and you could
take a PC and lots of SATA controllers, and build a nice low-cost
NAS-like thing, but a few people qualify this as unreliable; they
need to spend lots of money on IBM or HP storage systems, and because
of the cost, they just don't buy them, and thus: we have a limited
amount of disk space :( .

 5- if your users abuse mail, destroy their heads, not ours.

I don't think my boss would let me do that, jejejeje :D

c-ya!

Ildefonso.
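
The approach Wietse describes in the thread above (Postfix has no quota of its own, but an access map can reject mail for over-quota users if you periodically add up each user's mail) avoids the backscatter problem the thread worries about, because the rejection happens at SMTP time instead of after the message was accepted. What follows is an added example of that periodic job, not Postfix's own code and not the setup of anyone in the thread. The per-user limits, the mail root layout (`<root>/<localpart>/Maildir`) and the sample mailboxes are constructed in a temporary directory; in production the output would go to a file such as /etc/postfix/overquota, followed by `postmap` on it, and that table would be referenced from `smtpd_recipient_restrictions` via `check_recipient_access`.

```python
"""Build a Postfix access map for over-quota mailboxes.

Added example; not Postfix's own code and not the posters' setup. It
implements the periodic approach from the thread: add up each user's
Maildir and write a recipient access table that rejects mail at SMTP
time (no backscatter) for users over their limit. Paths, quotas and the
sample mailboxes are constructed so the example runs offline.
"""
import os
import tempfile

# Constructed per-user hard limits in bytes (would come from quota config or LDAP)
QUOTAS = {
    "alice@example.com": 1024,
    "bob@example.com": 1024,
}
# A temporary (4xx) rejection makes the sending MTA retry for a few days,
# giving the user time to clean up before the sender gets a bounce.
REJECT_TEXT = "452 4.2.2 Mailbox full, try again later"


def maildir_usage(maildir):
    """Sum sizes of all files under a Maildir (cur/new/tmp and subfolders)."""
    total = 0
    for dirpath, _dirs, files in os.walk(maildir):
        for name in files:
            try:
                total += os.lstat(os.path.join(dirpath, name)).st_size
            except FileNotFoundError:
                pass  # message delivered/deleted while we were counting
    return total


def overquota_users(mail_root, quotas, usage=maildir_usage):
    """Return {address: bytes_used} for users at or above their quota."""
    result = {}
    for address, limit in quotas.items():
        localpart = address.split("@", 1)[0]
        used = usage(os.path.join(mail_root, localpart, "Maildir"))
        if used >= limit:
            result[address] = used
    return result


def render_access_map(over):
    """access(5) lines, 'key<TAB>action', one per over-quota address."""
    return "".join(f"{addr}\t{REJECT_TEXT}\n" for addr in sorted(over))


def write_access_map(path, text):
    """Write atomically so smtpd never reads a half-written table."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)  # then run: postmap <path>


def make_sample_mailboxes(root):
    """Constructed: alice over quota (2048 B), bob well under (100 B)."""
    for user, size in (("alice", 2048), ("bob", 100)):
        d = os.path.join(root, user, "Maildir", "cur")
        os.makedirs(d)
        with open(os.path.join(d, "1.msg:2,S"), "wb") as fh:
            fh.write(b"x" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_sample_mailboxes(root)
        over = overquota_users(root, QUOTAS)
        print(render_access_map(over), end="")
```

Because the table is rebuilt on a schedule, a user who just crossed the limit is still accepted until the next run; that window is the trade-off against the filesystem-quota approach in the thread, which is exact but fails at delivery time and can generate bounces.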


Re: restricted aliases

2008-09-22 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Tue, Sep 23, 2008 at 3:43 PM, Chris St Denis [EMAIL PROTECTED] wrote:
 I need to add support for (multi-recipient) aliases that are only able to
 receive messages from selected users.

 I was initially looking at mailman or majordomo, however from what I
 understand of them, they authenticate only on the from address so it looks
 like it would be easy to forge. (Correct me if this is wrong).

 I also thought of smtpd_restriction_classes however that is also subject to
 easy spoofing and the documentation even says Postfix restriction classes
 aren't really the right solution


 So I am wondering. What IS a good way to do this. Optimally, I would like to
 restrict based on the SASL username.

As far as I know, you can actually restrict the from address that
each username can use; I have no time to get the info right now, but
it *is* in postfix's documentation.  Another solution would be to use
mailman with a PGP patch added, and it will validate the PGP
signature.

I hope this helps,

Ildefonso Camargo.


Re: Proposing postfix to mgmt as an Exchange replacement

2008-09-10 Thread Jose Ildefonso Camargo Tolosa
Hi!

I just couldn't avoid reading this post.

I actually make a living out of replacing MS solutions with Open
Source-based solutions.  I know it is not perfect, and there are some
features that you will not get, but in my experience these features
are not used very often.

Anyway, I would give a try to egroupware:

Postfix + Dovecot + eGroupWare + LDAP

That combination has worked very well for me.

Of course, you could, in theory, use Active Directory for the LDAP
(after all, one of AD's pieces is an LDAP server), but I haven't done that
myself yet.

I hope this helps,

Ildefonso Camargo


On Thu, Sep 11, 2008 at 11:57 AM, dnk [EMAIL PROTECTED] wrote:

 As per the subject, I am about to pitch the idea of dumping
 Exchange
 and moving to Postfix.  From what I can observe, the Calendar and
 Meeting functions are used very little if at all.

 If you want a true drop-in replacement, and so on (i.e. still use Active
 Directory, etc), you can check out postpath ( http://www.postpath.com/). It
 was just recently purchased by Cisco. It is apparently designed to be
 dropped into an MS environment without the MS environment even knowing it is
 a Linux box.

 I myself have not used it... Just been reading a lot of it lately.

 d