RE: BackScatter Problem

2009-05-27 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of jan gestre
 Sent: Wednesday, 27 May 2009 5:00 PM
 To: postfix-users@postfix.org
 Subject: Re: BackScatter Problem
 
  If it's backscatter, it should be coming from , not a 
 valid company 
  address.  Please show your logs during delivery of the 
 alleged backscatter.
 
 
 I no longer have the logs from Postfix, and I'm not sure 
 if it really is a backscatter problem; all I have right now is the
 following:
 
 --
 -Original Message-
 From: Judy Aguilar [mailto:judyagui...@example.com]
 Sent: Tuesday, May 26, 2009 4:41 PM
 To: Sheila Villanueva
 Subject: Fw: No branding needed!
 
 Pls see VIAGRA.Official Site's email address -- creati...@example.com
 
 Fyi.
 
 - Original Message - From: Biba Cabuquit 
 bibacabuq...@example.com
 To: VIAGRA . Official Site creati...@example.com
 Sent: Tuesday, May 26, 2009 3:16 PM
 Subject: No branding needed!
 
 --- end-
 
 The creati...@example.com is a valid email address and yet it 
 has the name VIAGRA Official site. Is the mail server 
 causing the issue, or is there a worm on the user's PC that's 
 causing this?
 
 
  My /etc/postfix/header_checks contain only the following:
 
  /^Received:/ HOLD
 
  Very odd that you want to hold ALL email with this check.  Does 
  MailScanner examine messages in the hold queue and then 
 release them?
 
 
 MailScanner really examines messages in the HOLD queue 
 because all emails incoming/outgoing are tagged by 
 MailScanner as having been scanned, or am I totally wrong?
 


While others might have better luck trying to divine why you're getting the 
spam, it's very difficult to do so with a couple of message snips (you haven't 
even included the full headers). However, as a guess, someone is spoofing the 
creati...@example.com to send spam, and now you're getting the backscatter. 
It could be any machine on the internet spoofing that address.

As for Mailscanner, perhaps it's better to ask over on their support site. If 
you look at the Addons page on the postfix.org site, it says * mailscanner 
system, works with Postfix and other MTAs. WARNING: This software uses 
unsupported methods to manipulate Postfix queue files directly. This will 
result in corruption or loss of mail. The mailscanner authors have sofar 
refused to discuss a proper access API or protocol.



RE: Postfix with PostgreSQL

2009-05-19 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Just E. Mail
 Sent: Wednesday, 20 May 2009 10:10 AM
 To: postfix-users@postfix.org
 Subject: Re: Postfix with PostgreSQL
 
 In my first post, I mentioned that I plan to use a PostgreSQL 
 server at the backend to store emails.
 
 Now my question: How to  build  Postfix  with   PostgreSQL support?
 
 I noticed that http://www.postfix.org has example of  
 Postfix PostgreSQL Howto but it is for Postfix installed 
 source (tar.gz?). Is there a similar procedure when Postfix 
 is installed from RPMs.
 
 PS: English is my 2nd language!
 

Straight from The Book of Postfix:

Execute:

$ ldd `/usr/sbin/postconf -h daemon_directory`/smtpd

On my RHEL system, I get the following, which is perfect since I didn't
add any PostgreSQL support to my build.

libldap-2.2.so.7 => /usr/lib64/libldap-2.2.so.7 (0x0035f9c0)
liblber-2.2.so.7 => /usr/lib64/liblber-2.2.so.7 (0x0035f9e0)
libpcre.so.0 => /lib64/libpcre.so.0 (0x0035f9a0)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0035f7f0)
libssl.so.4 => /lib64/libssl.so.4 (0x0035f910)
libcrypto.so.4 => /lib64/libcrypto.so.4 (0x0035f930)
libz.so.1 => /usr/lib64/libz.so.1 (0x0035f830)
libdb-4.2.so => /lib64/tls/libdb-4.2.so (0x0035f8d0)
libnsl.so.1 => /lib64/libnsl.so.1 (0x0035f890)
libresolv.so.2 => /lib64/libresolv.so.2 (0x0035f8b0)
libc.so.6 => /lib64/tls/libc.so.6 (0x0035f7a0)
libdl.so.2 => /lib64/libdl.so.2 (0x0035f7d0)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0035f850)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x0035f8f0)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x0035f960)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0035f870)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x0035f980)
libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x0035f810)
/lib64/ld-linux-x86-64.so.2 (0x0035f780)


RE: Postfix-2.6.0 RPM

2009-05-13 Thread MacShane, Tracy
 
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
 Sent: Thursday, 14 May 2009 9:04 AM
 To: postfix-users@postfix.org
 Subject: Re: Postfix-2.6.0 RPM
 
 On Wed, May 13, 2009 at 04:07:39PM -0600, Just E. Mail wrote:
 
  I noticed that Postfix V#2.6.0 is now out. Does anybody 
 know where to 
  get RPM files? GOOGLE did not help.
 
 If the purpose of using RPM files is to facilitate binary 
 updates from distribution servers, wait until *your 
 distribution* upgrades to a newer supported version of Postfix.
 
 If you incorporate your own Postfix into your O/S, why 
 download some random stranger's binary RPM?
 
 Is there a real use case for binary RPMs not maintained by 
 the distribution release engineering teams? What's wrong with 
 the Postfix source, which is typically less likely to have 
 ill-advised patches dropped into it?
 

Yes, there is unfortunately such a need, because RHEL5 is only up to
Postfix 2.3, and we require functionality from Postfix 2.5 and up
(destination_rate_delay). The OS administrators do not permit GCC and
devel libraries on the SMTP servers I maintain (and fair enough). Also,
installing non-RPM packages can obviously cause clashes when installing
other RH updates (at least RPM is clever enough not to try installing
Postfix 2.3 patches when it finds 2.5 already installed).

It would certainly be useful if an approved distributor provided
reliable and up-to-date RPM and DEB packages with a sensible set of
options compiled in.


RE: How to change the log location

2009-04-23 Thread MacShane, Tracy
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Scott Haneda
 Sent: Friday, 24 April 2009 11:54 AM
 To: postfix-users@postfix.org
 Subject: How to change the log location
 
 I think I have traveled from one end of the internet to the 
 other on this one :)  How do you change the log location for postfix?
 
 Currently, the log is sent to /var/log/mail.log on Mac OS X.  
 I would like to move it to 
 /opt/local/var/log/postfix/mail.log since that is where postfix is.
 
 OS X has a log roller built in, that rolls things out, I need 
 to keep my logs longer.  If I edit the OS X log roller to 
 exclude the mail.log, every system update seems to put it back.
 
 I did not see any log path in the configure options for 
 building it out, or in any of the cf files.
 
 Thanks
 --
 Scott * If you contact me off list replace talklists@ with scott@ *
 


http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/syslog.conf.5.html#//apple_ref/doc/man/5/syslog.conf

http://developer.apple.com/documentation/Darwin/Reference/Manpages/man5/newsyslog.conf.5.html#//apple_ref/doc/man/5/newsyslog.conf


RE: Strange Bounce

2009-04-23 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Vince Sabio
 Sent: Friday, 24 April 2009 1:06 PM
 To: postfix-users@postfix.org
 Subject: Strange Bounce
 
 One of my users sent me the attached bounce (note: I've made 
 some purely cosmetic changes to the bounce message, to remove 
 the user's e-mail address and change FQDNs so that the server 
 doesn't start getting spammed as a result of this posting -- 
 but the content of the bounce has not been materially 
 changed). It does not make sense to me ... the spool file no 
 longer exists, but I cannot conceive of a reason why it would 
 have two hard links (per the bounce message). 
 None of the other spool files have multiple hard links. Is 
 this a Postfix error? A known bug? An unknown bug?
 
 I am running Postfix v2.0.18 on FreeBSD v7.0. Any 
 help/pointers greatly appreciated.
 
 Thanks,
 Vince
 

While someone might have some immediate ideas, it'd be more helpful to
post the relevant entries from the Postfix log, and the output of your
postfix -n, as specified in the list welcome message.

I'd also grep the postfix log for warning messages that might be related
to the spool file. This all assumes you manage the
hermes.mailbounce.net server.


RE: A better backscatter killer?

2009-04-14 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of mouss
 Sent: Wednesday, 15 April 2009 7:11 AM
 To: postfix-users@postfix.org
 Subject: Re: A better backscatter killer?
 
 Ralf Hildebrandt wrote:
  * MacShane, Tracy tracy.macsh...@airservicesaustralia.com:
  
  Then you won't receive some genuine messages, both bounce and 
  non-bounce.
 
  Try the ips.backscatterer.org RBL; it works well for us.
 
  
  http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57402.html
  
  They are retarded. mail.charite.de is listed in it.
  
 
 and I guess postfix members would be bothered to block:
   camomile.cloud9.net[168.100.1.3]
   english-breakfast.cloud9.net[168.100.1.7]
 
 $ host 3.1.100.168.ips.backscatterer.org
 3.1.100.168.ips.backscatterer.org has address 127.0.0.2
 $ host 7.1.100.168.ips.backscatterer.org
 7.1.100.168.ips.backscatterer.org has address 127.0.0.2
 
 so if one uses this list, then
 - use a whitelist (dnswl and possibly local WL)
 - use it in smtpd_data_restrictions to avoid blocking SAV 
 sources. while you may hate SAV, it's different than backscatter.
 
 

I do whitelist one of our backscatterers, since it's our Defence department. As 
it happens, it seems all of the backscatter I've trapped from them *is* 
backscatter, because they're bounces to non-existent addresses or evident spam 
messages. But I accept it all from them just in case. And yes, my restriction 
is in smtpd_data_restrictions, as shown in the original message I linked to.

Frankly, I'm not that fussed about blocking potential bounces from list mail. 
Also, if I were running an ISP rather than a corporate email system, I probably 
wouldn't use this RBL. I do wish there were a slightly less problematic one - 
ie. one that would respond promptly to requests for removal without gouging 50 
euro, and which didn't care so much about SAV - but I don't think it's *that* 
problematic. 

Our main source of spam that was getting through our header checks was from 
backscatter, and since I've instituted the RBL, it has entirely gone. Only a 
couple of hundred or so messages a day currently, but it makes a difference to 
our end-users, some of whom were disproportionally affected by the problem (we 
have a tag-and-forward content scanner, and some of these individuals were 
having to review and discard hundreds of messages a week).


RE: How to set catchall mailbox to /dev/null or remove at once?

2009-04-07 Thread MacShane, Tracy

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of wen.yongzheng
 Sent: Wednesday, 8 April 2009 1:04 PM
 To: postfix-users@postfix.org
 Subject: How to set catchall mailbox to /dev/null or remove at once?
 
 Hello everybody:
 
 I can set catchall mailbox in virtual_mailbox_map like this:
 @domain.name domain.name/catchall/
 
 But I really do not want to check or read the catchall mails, 
 The only thing I want to do is to remove all mails in 
 catchall maildir. I wonder if I can set my catchall mailbox 
 directly to /dev/null or remove at once.
 
 Can anybody help me ? Thanks.
 

The usual requirement for a catch-all address is to train an antispam
engine, or similar tasks. If you don't require a catch-all, then remove
it. It also means you're not accepting mail for invalid addresses, which
means that you should be able to employ some useful
smtpd_recipient_restrictions and reduce your spam burden in general.


RE: Logging Postfix Activity

2009-03-30 Thread MacShane, Tracy
 

From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Marky Yehezkiel
(SNC)
Sent: Tuesday, 31 March 2009 12:53 PM
To: postfix-users@postfix.org
Subject: Logging Postfix Activity



Dear All,

Is there any way to log/record POP3 and IMAP activity when users
delete email via IMAP and POP3 (Outlook deletes email when it
downloads it from the server)?

I have a problem: my customer lost his email on my server.
He said he didn't delete his email; he set his Outlook to 'leave copy on
server' without setting when it will be removed from the server, but his old
email is gone.

 

Anyone can help? Thank you 


-

Postfix does not do POP or IMAP. You need to look at the configuration
and logs for whatever is running those services, eg.
Dovecot/Cyrus/Courier/whatever you're using.

 

 



RE: Postfix - Yahoo parameters settings

2009-03-29 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Andrew Long
 Sent: Monday, 30 March 2009 9:58 AM
 To: Jacky Chan
 Cc: postfix-users@postfix.org
 Subject: Re: Postfix - Yahoo parameters settings
 
  In short, the principle of the setting is to delay the 
 delivery from 
  your Postfix to yahoo.
  In which rate yahoo can accept.
 
  Basically, you may take the following steps as reference, 
 1. Create a 
  separate mail for the destination is yahoo, let's name it 'slow'
  queue
  (You may search in this mailing list too, someone has asked before)
 
 Jumping in here because I am interested in the same solution 
 but not quite clear how to bind the new transport to the 
 destination (yahoo.com). I did the googling and afraid I'm no closer.
 
 - Andrew
 

(my slow transport is VERY slow, due to one domain we send to that only
accepts one message every 30 seconds)

master.cf
---------

# transport for delicate domains
slow      unix  -       -       n       -       1       smtp
    -o syslog_name=postfix-slow


transport
---------

yahoo.com   slow:



RE: [maybe OT] postfix HA

2009-03-25 Thread MacShane, Tracy
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of J.P. Trosclair
 Sent: Thursday, 26 March 2009 11:05 AM
 To: mouss+nob...@netoyen.net
 Cc: postfix-users@postfix.org
 Subject: Re: [maybe OT] postfix HA
 
 mouss wrote:
  I am trying to collect methods to setup postfix in an HA 
  configuration, for outbound relay (no MUA involved). a use case is

  using multiple postfix boxes to relay mail out for one or more 
  exchange servers. there are many possibilities. which one is 
  good/recommended/easy/blahblah? This is somewhat off topic since
the 
  problem is mostly on the client (exchange or other) side rather than

  postfix. but I think this is a real need. and if I get enough infos,
I 
  can aggregate them and submit that as a howto/readme.


We have an Exchange infrastructure (9 servers) with two Postfix servers
as the sole outbound MUAs in geographically-diverse sites. All we use is
simply a DNS round-robin alias that points to both Postfix servers,
which the external SMTP connector for the Exchange org (and all the
servers inside it) is configured to use. Fairly standard setup - some
round-robin implementations can also do some smarts to determine which
hosts are actually up before returning the IP to the enquirer.

Since these are real SMTP connections, if the first host that is
resolved via the round-robin is unavailable, the Exchange server will
simply retry until it gets a host that replies.

If you want to direct outbound traffic via a specific Postfix
server/round robin alias for specific Exchange servers, and perhaps
another group of Exchange servers via a different outbound route, there
is no problem with setting up more than one SMTP connector in the
Exchange org, and adding the appropriate servers/round-robin alias  to
that specific SMTP connector.


RE: Too strict?

2009-03-16 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Alberto Lepe
 Sent: Monday, 16 March 2009 4:18 PM
 To: postfix-users@postfix.org
 Subject: Too strict?
 
 Hello, and thank you in advance for your time!
 
 I have been setting up a mail server since more than a week 
 and after reading several posts/articles and some pages of 
 the Postfix manual, I'm a little confused about how to setup 
 the security.
 The mail server is outside my LAN and it will be used to 
 serve some domains, with maybe 10 users per domain.
 
 This is my main.cf (restrictions):
 
 smtpd_data_restrictions = reject_unauth_pipelining 
 smtpd_recipient_restrictions =
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  permit_mynetworks,
  permit_sasl_authenticated,
 # reject_unknown_sender_domain,
 # reject_unknown_recipient_domain,
  reject_unauth_destination,
  reject_invalid_helo_hostname,
  reject_unlisted_recipient,
  reject_unlisted_sender,
  reject_invalid_hostname,
 #   reject_non_fqdn_hostname,
 #   reject_unknown_client_hostname,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
 permit
 

Leaving aside the other comments people have made, I have
reject_unknown_sender_domain (AFTER reject_unauth_destination) and
reject_non_fqdn_hostname configured. The latter check in particular
rejects thousands of connections a day so I don't have to keep hitting
the Zen lookups. No FPs that I've ever been made aware of.
reject_unlisted_recipient is redundant, since it's yes by default (but
no harm leaving it in).


RE: Spam attacks

2009-03-04 Thread MacShane, Tracy

From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Pawel Lesniak
Sent: Wednesday, 4 March 2009 7:32 PM
To: postfix users list
Subject: Re: Spam attacks


On 2009-03-03 23:34, MacShane, Tracy wrote:


   We have a very clear policy that users are only
permitted to relay mail
from our networks.

So you too advocate (if I clearly understand you) my point of
view, where those legit mails, which Noel was talking about, are just
misconfigurations of others' servers.  
I believe that we share opinion that restricting own users to
sending from my_networks and/or authenticated clients works perfectly to
stop getting spam from u...@example.com to u...@example.com.

Pawel Lesniak

=

Actually, no, I wouldn't go that far. I'm fortunate in that I can
dictate such a policy, because it's existed since we've had email in
this organisation (well before my time), and we don't generally have
users subscribing to mailers that use this technique to get the mail
through. I do think it's a silly practice, but it's not technically a
misconfiguration, nor is it necessarily spam, if a user signed up to
such a service.

For my organisation, it works perfectly as far as it goes, but that's
because of the established history and _clear policy_. We may one day
encounter a situation where we need to create an exemption for a
specific purpose. We only catch a couple of hundred or so messages a day
using this measure at present (it was higher when the botnets were more
active, and before we implemented Fail2ban), but that's a couple of
hundred lookups to Zen we don't have to do each day (not even 0.5% of
the total, though).





RE: Spam attacks

2009-03-03 Thread MacShane, Tracy
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Pawel Lesniak
 Sent: Wednesday, 4 March 2009 4:19 AM
 To: postfix users list
 Subject: Re: Spam attacks
 
 On 2009-03-03 17:46, Noel Jones wrote:
  Some people reject their own domain from outside, unauthenticated 
  clients, but this will certainly reject some amount of legit mail.
 
 Could you write a little bit how is it possible to reject 
 legit mail by rejecting unauthenticated clients when all 
 users do use SASL authentication or are in my_networks?
 
 
 Pawel Lesniak
 
 

We have a very clear policy that users are only permitted to relay mail
from our networks. If they are sending from home, they use webmail.
We've had one or two instances where external organisations have used
some kind of auto-reply mechanism which purports to send from our users,
but we simply tell them to fix the sender address. We use a sender
access map to reject the spurious senders that aren't coming from
my_networks. You can use warn_if_reject to test the impact of this
measure for a few days or weeks.

main.cf
==
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_non_fqdn_sender,
  check_sender_access hash:/etc/postfix/sender_access


# cat /etc/postfix/sender_access
ourdomain.com   REJECT
ourdomain.gov.au  REJECT


RE: mysql lookup errors

2009-03-02 Thread MacShane, Tracy
 
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of /dev/rob0
 Sent: Tuesday, 3 March 2009 7:31 AM
 To: postfix-users@postfix.org
 Subject: Re: mysql lookup errors
 
 On Mon March 2 2009 12:51:23 kj wrote:
  I'm seeing this in the logs:
 
  Mar  2 18:18:05 web postfix/cleanup[27207]: warning: mysql query
  failed: MySQL server has gone away
 snip
  Mar  2 18:18:30 web postfix/pickup[26468]: E381E7102B3: uid=48 
  from=apache
 snip
  RHEL5, with the stock Red Hat rpm recompiled with mysql support.
 
 That RPM is probably chroot'ed by the distributor. My first 
 guess is that you're seeing a chroot problem. My second 
 guess, SELinux. In either case, seek support from your vendor 
 for these problems.
 

RedHat does not have Postfix chrooting enabled in the distro by default
- it seems to be more the Debian-based distros that have that problem.
Also, I've never had any problems with SELinux and Postfix in stock RH
installs (although I haven't used it with MySql)


RE: reject_unverified_sender vs greylisting

2009-02-09 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of mouss
 Sent: Tuesday, 10 February 2009 8:39 AM
 To: postfix-users@postfix.org
 Subject: Re: reject_unverified_sender vs greylisting
 
 João Miguel Neves wrote:

  Yes, I was. Thanks for the heads up. I don't have high traffic, but 
  I'm limiting the effect of SAV.
 
 and how do you limit it? 71.66.121.221 is listed on 
 zen.spamhaus.org (via cbl) and spamcop (as well as Barracuda 
 BRBL, SORBS, ... etc). it is also a residential IP as can be 
 seen from the rDNS (.res.rr.com).
 

My simple solution to this is have a line in a client_access map of res.rr.com 
REJECT Please relay mail via your ISP. I've more recently added biz.rr.com as 
well (and plenty of others). There is just a set of (mainly consumer) domains 
I'm not going to accept mail from. Also, Spamhaus Zen catches these.


RE: whitelisting not working

2009-02-08 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of 
 webmas...@aus-city.com
 Sent: Monday, 9 February 2009 3:21 PM
 To: postfix-users@postfix.org; Sahil Tandon
 Cc: postfix-users@postfix.org
 Subject: Re: whitelisting not working
 
 
 Sorry I forgot to ask another question...
 
 The whitelist (assuming its the silly timestamp mismatch 
 causing the issue), can you whitelist actual email addresses 
 as well as the SMTP servers?
 
 For instance if I have a friend like myfri...@hisdomain.com  
 can you put target email addresses in the whitelist and they pass?
 

http://www.postfix.org/postconf.5.html#check_sender_access - check the
examples at the end of this section


It is not recommended that you do that globally, since everyone can
forge an envelope sender address. You're better off OKing a specific
client.



RE: postfix blocking yahoo and gmail

2009-02-05 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of jan gestre
 Sent: Friday, 6 February 2009 12:16 PM
 To: postfix users list
 Subject: postfix blocking yahoo and gmail
 
 Hi Guys,
 
 Why is it that whenever I send emails using yahoo/gmail from a
 connection that uses dynamic ip address to the company's smtp server,
 postfix blocks them and say it comes from a dynamic ip address using
 sbl-xbl, and whenever I send emails using the same yahoo/gmail account
 in the office that has a public static ip address, the mail is
 received.
 
 TIA
 
 Jan
 
 Here's my postconf -n:
 
 reject_rbl_client sbl-xbl.spamhaus.org
 reject_rbl_client zen.spamhaus.org 
 reject_rhsbl_sender dsn.rfc-ignorant.org
 reject_rbl_client bl.spamcop.net 

Because the dynamic address you're relaying from is on the Spamhaus
list, and the static address is not?

You should also not have *both* zen.spamhaus.org AND
sbl-xbl.spamhaus.org - the Zen list includes sbl-xbl.

You can query the zen list for your dynamic host by running dig
rev.erse.IP.addr.zen.spamhaus.org and seeing if there are any entries. 

Show some logs for your rejected emails, if that doesn't seem to be the
problem.
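
The dig query described above, as an added example that is not part of the original post: it builds the reversed-octet lookup name for any DNSBL zone (extended here to IPv6 nibble format) and interprets the answer. The return-code tables are assumptions taken from Spamhaus's published codes, the function names are hypothetical, and the `lookup` helper needs network access, so it is not called by default.

```python
import ipaddress
import socket

# Assumption: listing codes as published by Spamhaus for zen.spamhaus.org.
# Check the current Spamhaus documentation before relying on this table.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Assumption: 127.255.255.x answers are error signals, not listings.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
# From the reply above: the Zen list includes sbl-xbl.
SUPERSEDED_BY = {"sbl-xbl.spamhaus.org": "zen.spamhaus.org"}


def dnsbl_query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6), append zone."""
    pointer = ipaddress.ip_address(ip).reverse_pointer
    # Drop the trailing "in-addr.arpa" or "ip6.arpa" labels.
    reversed_part = pointer.rsplit(".", 2)[0]
    return f"{reversed_part}.{zone}"


def interpret(answers):
    """Split A-record answers into (sub-lists hit, problems).

    An empty answer list (NXDOMAIN) means the address is not listed.
    Error codes must never be treated as a listing: doing so would
    reject every client while the resolver problem lasts.
    """
    listed, problems = set(), []
    for answer in answers:
        if answer in ZEN_ERRORS:
            problems.append(ZEN_ERRORS[answer])
        elif answer in ZEN_CODES:
            listed.add(ZEN_CODES[answer])
        else:
            problems.append(f"unexpected answer {answer}")
    return sorted(listed), problems


def redundant_zones(zones):
    """Return zones that are already covered by another configured zone."""
    configured = set(zones)
    return [z for z in zones if SUPERSEDED_BY.get(z) in configured]


def lookup(ip, zone):
    """Live query (needs DNS). Any resolver failure is reported as no answer."""
    try:
        return socket.gethostbyname_ex(dnsbl_query_name(ip, zone))[2]
    except OSError:
        return []


if __name__ == "__main__":
    # Address quoted earlier on this page, checked against the same zone.
    print(dnsbl_query_name("168.100.1.3", "ips.backscatterer.org"))
    # Constructed answers, as a resolver might return them.
    print(interpret(["127.0.0.11"]))
    print(interpret(["127.255.255.254"]))
    # The four lists from the postconf output quoted above.
    print(redundant_zones(["sbl-xbl.spamhaus.org", "zen.spamhaus.org",
                           "dsn.rfc-ignorant.org", "bl.spamcop.net"]))
```
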



RE: Sender-Recipient forged mail

2009-02-05 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of itsramesh_s
 Sent: Friday, 6 February 2009 4:25 PM
 To: postfix-users@postfix.org
 Subject: Sender-Recipient forged mail
 
 
 Hi,
 
 I have configured postfix postfix-2.4.5-2.fc8. all mail user are
 getting forged mails as sender and recipient are same. we have
 secondary mx i am sending both postconf output,
 
 Please help me to stop forged mail.
 
 Postconf -n of primary MTA   
 
 smtpd_recipient_restrictions = permit_sasl_authenticated,
 permit_mynetworks, reject_unauth_pipelining,
 reject_unknown_recipient_domain, reject_non_fqdn_sender,
 reject_unauth_destination

You could do with a whole lot more smtpd restrictions, such as
reject_non_fqdn_recipient, reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,  reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname (or
reject_unknown_client_hostname, but this tends to give a lot of false
positives due to admins who can't configure DNS properly,
unfortunately).

If all your senders are sending from hosts in mynetworks, then the
easiest method is to do  check_sender_access
hash:/etc/postfix/sender_access after reject_unauth_destination (and
permit_mynetworks, of course), where /etc/postfix/sender_access is as
follows:

mydomain.com    REJECT Mail from our senders must come from our hosts
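
Why the position of check_sender_access matters, here and in the 2009-03-03 "Spam attacks" reply, as an added example that is not part of the original posts and not Postfix code: a simplified Python model of first-match evaluation of smtpd_recipient_restrictions. The mynetworks range and client addresses are constructed; the restriction order and map keys are the ones from the 2009-03-03 reply.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"ourdomain.com", "ourdomain.gov.au"}
SENDER_ACCESS = {"ourdomain.com": "REJECT", "ourdomain.gov.au": "REJECT"}

ORDER_FROM_PAGE = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
    "reject_non_fqdn_sender",
    "check_sender_access",
]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def lookup_sender(address):
    """Simplified map lookup: full address, then the domain and its parents."""
    action = SENDER_ACCESS.get(address.lower())
    labels = domain_of(address).split(".")
    for i in range(len(labels) - 1):
        action = action or SENDER_ACCESS.get(".".join(labels[i:]))
    return {"OK": "PERMIT", "REJECT": "REJECT"}.get(action, "DUNNO")


def check(name, s):
    """Evaluate one restriction: PERMIT, REJECT, or DUNNO (keep going)."""
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(s["client_ip"])
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if s.get("sasl_user") else "DUNNO"
    if name == "reject_unauth_destination":
        local = domain_of(s["recipient"]) in LOCAL_DOMAINS
        return "DUNNO" if local else "REJECT"
    if name == "reject_non_fqdn_sender":
        sender = s["sender"]
        return "REJECT" if sender and "." not in domain_of(sender) else "DUNNO"
    if name == "check_sender_access":
        return lookup_sender(s["sender"])
    raise ValueError(f"restriction not modelled: {name}")


def evaluate(restrictions, s):
    """First PERMIT or REJECT wins; warn_if_reject downgrades the next REJECT."""
    warnings, warn_next = [], False
    for name in restrictions:
        if name == "warn_if_reject":
            warn_next = True
            continue
        result = check(name, s)
        if result == "REJECT" and warn_next:
            warnings.append(f"{name} would reject {s['sender']}")
            result = "DUNNO"
        warn_next = False
        if result != "DUNNO":
            return result, name, warnings
    return "PERMIT", "end of list", warnings


# Constructed sessions: forged own-domain sender from outside, the same
# sender from inside mynetworks, and an ordinary external sender.
SPOOFED = {"client_ip": "203.0.113.9", "sasl_user": None,
           "sender": "user@ourdomain.com", "recipient": "user@ourdomain.com"}
INTERNAL = dict(SPOOFED, client_ip="192.0.2.25")
EXTERNAL = dict(SPOOFED, sender="someone@example.net")

# Trial run: warn_if_reject in front of the map check logs instead of rejecting.
TRIAL = ORDER_FROM_PAGE[:-1] + ["warn_if_reject", "check_sender_access"]
# Misordered: the map check ahead of permit_mynetworks rejects internal hosts.
MISORDERED = ["check_sender_access"] + ORDER_FROM_PAGE[:-1]

if __name__ == "__main__":
    for label, order, session in [
        ("spoofed, order from page", ORDER_FROM_PAGE, SPOOFED),
        ("internal, order from page", ORDER_FROM_PAGE, INTERNAL),
        ("external, order from page", ORDER_FROM_PAGE, EXTERNAL),
        ("spoofed, trial with warn_if_reject", TRIAL, SPOOFED),
        ("internal, misordered", MISORDERED, INTERNAL),
    ]:
        print(label, "->", evaluate(order, session))
```
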


OT: iPhone replies

2009-01-11 Thread MacShane, Tracy
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of MacShane, Tracy
 Sent: Monday, 12 January 2009 3:34 PM
 To: postfix-users@postfix.org
 Subject: RE: Re: smtp_helo_name ignored
 
 Unfortunately, in a similar way to Blackberries, iPhones do 
 not permit bottom posting or in-line comments in reply to a 
 message. I for one wish they would fix it on a Blackberry, 
 which is supposed to be a *business* tool.
 

Well, it turns out I'm talking through a hole in my head with regard to
iPhones. Apologies for the confusion!


RE: Using Postfix for business continuity

2009-01-06 Thread MacShane, Tracy


From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Kenneth Kalmer
Sent: Tuesday, 6 January 2009 11:49 PM
To: Postfix users
Subject: Re: Using Postfix for business continuity


On Mon, Jan 5, 2009 at 3:25 PM, Wietse Venema
wie...@porcupine.org wrote:


Kenneth Kalmer:

 Hi all

 Just got asked by one our sales guys if we could
implement a Postfix
 business continuity service, by his definition it
means that Postfix acts as
 a normal backup MX but gives the users access to their
email via webmail of
 sorts.

 I understand the issues of user authentication,
validating users, etc.

 I'd just like to find out if anyone has implemented
something similar, or
 have any pointers for implementing something like
this.




The way we envisioned it it would be an offsite server acting as
a normal backup MX, giving the users access to their email through a web
interface. This would involve reading through the spool files, which for
high volumes would be horribly slow.

Most of our potential clients would be running MS Exchange (I
see this as the continuity issue) and we'll be far removed from them.
 



Exchange 2007 has pretty good clustering and cross-site replication
(using log-shipping) these days. Of course, any replication partner
would need to be in the same domain, but it might be possible to host
several instances on one box using a virtual server solution. Naturally,
if a business has multiple sites, they'd be much better off doing any
replication internally anyway.

Otherwise, Victor's suggestion about BCCing everything and hosting an
IMAP server is the best other option (given all the account
co-ordination hassles).


RE: helo being rejected

2008-12-16 Thread MacShane, Tracy
 

 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Joey
 Sent: Wednesday, 17 December 2008 12:06 AM
 To: postfix-users@postfix.org
 Subject: RE: helo being rejected
 
  -Original Message-
  From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org]
  On Behalf Of MacShane, Tracy
  Sent: Monday, December 15, 2008 9:18 PM
  To: postfix-users@postfix.org
  Subject: RE: helo being rejected
  
  From: owner-postfix-us...@postfix.org
  [mailto:owner-postfix-us...@postfix.org] On Behalf Of Joey
  Sent: Tuesday, 16 December 2008 1:05 PM
  To: postfix-users@postfix.org
  Subject: helo being rejected
  
  
  
  Hello All,
  
  I have a client whose email server is getting a lot of helo
rejects 
  from it (windows box).  The client has a .NET domain for their
servers 
  ( hardware ) and a .COM for their email address.
  
  I manually had a conversation with my postfix server that has
these 
  settings:
  
  reject_invalid_helo_hostname,
  check_helo_access hash:/etc/postfix/helo_access,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  
  [...]
  =
  
  
  That error message is not coming from the *_helo_hostname checks, it

  must be coming from your helo_access map. Show the transaction
logging 
  from the maillog and the contents of your helo_access.
 
 I see what you are saying... I have this in helo_access ...
 
 sendingserver.net REJECT Helo Check
 sendingserver.com REJECT Helo Check
 
 Whoever set this up was trying from what I can tell to reject 
 spoofers from those domains... and had a rule to bypass their 
 own servers in mynetworks.
 This basically brute force stopped it right?
 
 Thanks!
 
 

Yep, it's common (and often explicitly recommended) to have a helo check
that rejects external hosts that announce themselves with your own
domain. 

I would suggest putting a more meaningful reject message - REJECT
External host spoofing internal HELO or whatever, while ensuring that
all the appropriate servers are in mynetworks, and that you have
permit_mynetworks occurring before the helo check.


RE: helo being rejected

2008-12-15 Thread MacShane, Tracy
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Joey
Sent: Tuesday, 16 December 2008 1:05 PM
To: postfix-users@postfix.org
Subject: helo being rejected



Hello All,

I have a client whose email server is getting a lot of helo
rejects from it (windows box).  The client has a .NET domain for their
servers ( hardware ) and a .COM for their email address.

I manually had a conversation with my postfix server that has
these settings:

reject_invalid_helo_hostname,
check_helo_access hash:/etc/postfix/helo_access,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,

 
I verified reverse DNS, all domains exist etc.

Here are my results:

220 receivingserver.net ESMTP Postfix

EHLO sendingserver.net
250-receivingserver.net
250-PIPELINING
250-SIZE 2400
250-ETRN
250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5
250-AUTH=DIGEST-MD5 PLAIN LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

MAIL From: m...@sendingserver.com
250 2.1.0 O

RCPT To: b...@localemailaddress.net
554 5.7.1 sendingserver.net: Helo command rejected: Helo Chec

 
Any ideas appreciated!

 

Thanks!

=
 

That error message is not coming from the *_helo_hostname checks, it
must be coming from your helo_access map. Show the transaction logging
from the maillog and the contents of your helo_access.


OT: RE: Postfix does not dot the i's when client sends gibberish

2008-12-11 Thread MacShane, Tracy
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Larry Stone
 Sent: Friday, 12 December 2008 3:53 PM
 To: postfix-users@postfix.org
 Subject: Re: Postfix does not dot the i's when client sends gibberish
 
 On 12/11/08 9:41 PM, Victor Duchovni at 
 victor.ducho...@morganstanley.com
 wrote:
 
  On Fri, Dec 12, 2008 at 12:59:41AM +0100, klondike wrote:
  
  According to section 4.2.4 on the RFC 282, the SMTP server should 
  return
  502 only when a command is recognised but not implemented, 
 and 500 if 
  it isn't recognised.
  
  This is not a bug, but it is admittedly an unnecessary deviation from
  SHOULD normative language in the RFC when the client is in flagrant 
  violation by sending garbage.
 
 At the risk of moving away from Postfix technical issues, RFC 
 2821 is poorly written. SHOULD, despite much misuse in 
 commonly used English, is the past tense of SHALL. Something 
 that SHALL be done is mandatory yet in common but incorrect 
 use, SHOULD is often used to mean present tense MAY (as in 
 you can do so but it is not mandatory). As a formal document, 
 the RFC ought to say either SHALL (mandatory) or MAY 
 (optional) with SHOULD, being in the past tense, completely 
 incorrect in the context of that paragraph. Unfortunately, 
 given the incorrect use of SHOULD, it is unclear to me what 
 the RFC really means.
 
 --
 Larry Stone
 lston...@stonejongleux.com
 http://www.stonejongleux.com/
 

I don't know when it happened (I don't have the OED to hand), but for
quite some time (at least decades), should has not *solely* been the
past tense of shall. As an _auxiliary_ verb, it has the following
accepted senses:

1. ought (to be or do something); Indicates that the subject of the
sentence has some obligation to execute the sentence predicate. 
You should go to the doctor if you have a severe fever. 
2. will likely (become or do something) Indicates that the subject of
the sentence is likely to execute the sentence predicate. 
You should be fine soon if he treats you with an anti-pyretic. 
3. If; in case of; Indicates that its subordinate clause refers to a
hypothetical condition for the event expressed by main clause. 
Should you need to contact the doctor right away, you will need to use
the after-hours number.

To insist you don't understand a common and accepted modern usage of
should is disingenuous in the extreme. I do think ought is often
better in formal documentation, though. But as long as the use of a term
is clearly defined in a document - as it is in the RFCs - it actually
doesn't matter what might be correct. Technical, scientific and
academic English can be quite different to Standard English.


RE: mail forward based on user to specific filter then to another address

2008-12-10 Thread MacShane, Tracy
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of J.P. Trosclair
 Sent: Thursday, 11 December 2008 10:32 AM
 To: postfix-users@postfix.org
 Subject: mail forward based on user to specific filter then 
 to another address
 
 Hi,
 
 I've got a user that wants their mail forwarded to their 
 blackberry account. No big deal. The catch is they want 
 attachments stripped first. 
 I've found this tool called renattach that does just that. I 
 set this up in main.cf:
 

This is not solving the question you asked, but what is wrong with the
user not selecting the option on his/her Blackberry to download the
attachments? Attachments are not delivered to the device until such time
as you specifically prompt to download them. The attachment pointer is
just that, a *pointer*.  


RE: SuSE repository - old postfix ?

2008-12-08 Thread MacShane, Tracy
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Grüner
 Sent: Monday, 8 December 2008 7:16 PM
 To: postfix-users@postfix.org
 Subject: SuSE repository - old postfix ?
 
 Hello,
 
 I am installing a new server with SuSE Linux Enterprise SP2 
 and want to use the SuSE mail repository.
 
 http://download.opensuse.org/repositories/server:/mail/SLE_10/
 x86_64/?C=M;O=D
 
 They offer a postfix24-2.4.5-1.1.x86_64.rpm which seems to be 
 quite old from August 2007 and even unsecure (?).
 
 http://download.opensuse.org/repositories/server:/mail/SLE_10/
 repodata/repoview/postfix24-0-2.4.5-1.1.html
 
 Is there a better rpm source available ? (Yes, I might compile it by
 myself...) Or is this the right release for a productive environment ?
 
 Sorry if this is slightly OT, but I have not found an answer, yet.
 
 Regards,
 Alexander
 
 
 

Open SUSE includes more recent postfix rpms (but in the factory not the 
repos): 
http://download.opensuse.org/factory/repo/oss/suse/x86_64/postfix-2.5.5-6.6.x86_64.rpm
http://download.opensuse.org/factory/repo/oss/suse/i586/postfix-2.5.5-6.5.i586.rpm

Obviously, there may be dependencies you need to meet. There are also SRC rpms 
available.


RE: Stopping backscatter with before-queue

2008-12-08 Thread MacShane, Tracy
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Chris Turan
 Sent: Tuesday, 9 December 2008 7:39 AM
 To: Terry Carmen
 Cc: postfix-users@postfix.org
 Subject: Re: Stopping backscatter with before-queue
 
 Terry Carmen wrote:
  To eliminate *sending* backscatter, all you need to do is not accept
  mail you won't be able to deliver:
 
 I am rejecting unknown recipients but the bounces are coming from 
 messages with a spamassassin score above 12.
 
 
 Hmmm.  I did get a suggestion about checking the headers against RBL's
 using builtin postfix content filters.  After that, it can be passed 
 onto the real scanners.
 
 I get 10K emails per day, so it's still fairly small.  Do you have a 
 before-queue scanner installed?  There are warnings all over 
 amavisd-new's documentation saying not to use it as a before queue 
 scanner and rightly so.
 
  Back to your actual problem, if you can post the output 
 from postconf 
  -n, someone can probably tell you what's wrong.
 
 [EMAIL PROTECTED] /]# postconf -n
 alias_maps = hash:/etc/aliases
 bounce_queue_lifetime = 4h
 command_directory = /usr/sbin
 config_directory = /etc/postfix
 content_filter = amavis:[127.0.0.1]:10024
 daemon_directory = /usr/libexec/postfix
 debug_peer_level = 2
 home_mailbox = Maildir/
 html_directory = no
 inet_interfaces = all
 local_recipient_maps =
 mail_owner = postfix
 mailq_path = /usr/bin/mailq.postfix
 manpage_directory = /usr/share/man
 maximal_queue_lifetime = 1d
 message_size_limit = 20971520
 mynetworks = a.a.a.a/32, b.b.b.b/32, c.c.c.c/32, d.d.d.d/32, 
 e.e.e.e/32
 newaliases_path = /usr/bin/newaliases.postfix
 queue_directory = /var/spool/postfix
 readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
 receive_override_options = no_address_mappings
 relay_domains = hash:/etc/postfix/relay_domains
 relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps
 sample_directory = /usr/share/doc/postfix-2.4.5/samples
 sendmail_path = /usr/sbin/sendmail.postfix
 setgid_group = postdrop
 smtpd_tls_CAfile = /etc/postfix/certs/gd_intermediate_bundle.crt
 smtpd_tls_CApath = /etc/postfix/certs
 smtpd_tls_cert_file = /etc/postfix/certs/.crt
 smtpd_tls_key_file = /etc/postfix/certs/.key
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
 smtpd_tls_security_level = may
 smtpd_use_tls = yes
 transport_maps = hash:/etc/postfix/transport_maps
 unknown_local_recipient_reject_code = 550

I don't see the smtpd_*_restrictions. Sensible ones there cut down on
acres of spam and take load off the content scanner, without much in the
way of false positives (in fact, I have none). I suggest (after
permit_mynetworks, for each set):

smtpd_helo_restrictions =
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname, (this one traps the most from bots)
smtpd_client_restrictions =
  reject_non_fqdn_hostname,
  reject_unknown_reverse_client_hostname OR
  reject_unknown_client_hostname (this one tends to cause more false positives, due to idiots configuring their DNS)
smtpd_sender_restrictions = 
  reject_non_fqdn_sender,
  reject_unknown_sender_domain 
smtpd_recipient_restrictions =
  reject_unauth_destination
  reject_non_fqdn_recipient,
  reject_rbl_client zen.spamhaus.org,
smtpd_data_restrictions =
  reject_unauth_pipelining

Also set strict_rfc821_envelopes = yes (unless you have ancient mail
clients you need to support)

All my senders are in mynetworks (or I'd be using auth, in any case), so
I can have a sender access map (after permit_mynetworks) that basically
consists of @mydomain.com  REJECT. You can have helo access maps
that reject servers purporting to be your own.


RE: Body checks and warning log

2008-11-16 Thread MacShane, Tracy
 
 - Original Message 
  From: mouss [EMAIL PROTECTED]
  To: Postfix users postfix-users@postfix.org
  Sent: Friday, November 14, 2008 7:58:45 AM
  Subject: Re: Body checks and warning log
  
  MacShane, Tracy wrote:
   I'm trying to create a very simple body check for a limited time to
   get an indicative idea of how many users may be sending credit card
   numbers via email. ...
   Our security people are having wibbles about this logging regime, so
   I was wondering if there was some way to ensure the WARN action
   doesn't log the matched line (I can obviously append a truncated
   version of the apparent number with the optional text), or if there
   might be a better way to do this auditing task.
   
  
  
  you can use HOLD, then have a cron job to check the message and release it.
  
  Alternatively, you can use FILTER to pass the message to another smtpd. example:
  
  
  == body_checks:
  //FILTER filter:[127.0.0.1]:25666
  
  == master.cf
  127.0.0.1:25666.smtpd
-o syslog_name=postwatch
-o receive_override_options=no_address_mappings
-o mynetworks=127.0.0.1
-o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
...
  
  == main.cf
  smtpd666_recipient_restrictions=
check_client_access pcre:/etc/postfix/logcard
permit_mynetworks
reject
  
  == logcard
  /./WARN credit card blah blah
  
  
  note that this will override your content filter setting. if you had

  one, then make sure it is used in the :25666 smtpd (either explicit
-o content_filter=...
  in master.cf, or a content_filter=... in main.cf will do).
  
  PS. if you use clamav, check its Data Loss Protection feature.
 
 Do you have American Express cards covered and other store 
 based credit cards?  Also do you account for the expiration 
 date and 3 digit security code?
 
 
 

Thanks for the great suggestions, mouss. We use Trend Micro IMSS, which
is very similar to amavisd. I'm sure we can work around it.

Daniel, I'm not too concerned about absolute accuracy at this stage,
since I just want to assess whether we need to take firmer measures. The
regexp I have should trap Amex numbers, although there may be a number
of false positives. I'll be reviewing them manually in any case. I'm not
worried about the expiration date or security code (with the latter, I
know of at least one example of a pay-by-email form that didn't
require that number at all) - I'm not planning to *use* the cards, heh.
Also, I believe crooks can use a credit card number to generate both an
expiry date and security code using some algorithm.


RE: Authenticating aginst ActiveDirectory?

2008-11-13 Thread MacShane, Tracy
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ville Walveranta
 Sent: Friday, 14 November 2008 3:27 PM
 To: Postfix users
 Subject: Authenticating aginst ActiveDirectory?
 
 There is very little on the topic on the web and on the 
 Postfix Users archives. The little I find seems to imply it's 
 very difficult to extract password information from AD (say, 
 to sync to OpenLDAP).
 
 Since the last thread about this topic in this group is from 
 last year, I'm asking whether a solution exists at this 
 point. There is a product called PowerADvantage that would 
 seem to do the job, but the fact that they don't post their 
 prices on their website probably suggests that the cost is 
 likely in four figures which exceeds the available budget 
 (I'm checking with them anyway). The environment where I'd 
 need this solution is small, with a dozen or so AD logins, 
 and so I may just have to maintain the domain passwords 
 separately from the mail passwords. AD will be kept around to 
 facilitate resource sharing on the Windows LAN but the mail 
 is moving from Exchange 2003 to Postfix as soon as possible.
 
 An OpenSource solution would be preferable, though on 
 Windows/AD side a utility worth few hundred dollars might 
 skirt the budget.
 
 Many thanks again for any advice!
 

I'm sorry, why do you need to sync passwords to relay mail to your
Exchange servers? To do relay recipient validation, you just need to do
a simple LDAP lookup to the AD to verify valid email addresses. Since
you only have a single Exchange server, you don't even need to do
anything out of the ordinary with LDAP queries to specify the
destination relay server for your recipients.

If you want AD users to logon to *nix boxes (which is nothing to do with
mail services), enable Services for Unix on the AD, and setup LDAP
authentication for the specified users in PAM.


RE: Authenticating aginst ActiveDirectory?

2008-11-13 Thread MacShane, Tracy
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ville Walveranta
 Sent: Friday, 14 November 2008 4:29 PM
 To: Postfix users
 Subject: Re: Authenticating aginst ActiveDirectory?
 
 On Thu, Nov 13, 2008 at 10:32 PM, MacShane, Tracy 
 [EMAIL PROTECTED] wrote:
  I'm sorry, why do you need to sync passwords to relay mail to your 
  Exchange servers? 
 
 Actually there won't be an Exchange server any more; I'm 
 replacing it with Postfix. It's a small environment and there 
 isn't a dedicated server for Exchange available; it's been 
 sharing a server with AD which is a bad idea in the first 
 place. ...

Ahah, light dawns. 

 
  If you want AD users to logon to *nix boxes (which is nothing to do 
  with mail services), enable Services for Unix on the AD, and setup 
  LDAP authentication for the specified users in PAM.
 
 Perhaps this mechanism could be used for the mail 
 authentication as well in the above scenario. Postfix/Dovecot 
 should be able to do LDAP authentication via PAM 
 (http://www.dovecot.org/list/dovecot/2006-April/012454.html,
 http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam).
 
 Ville
 

Yes, I certainly haven't had any problem with Unix services when
enabling regular logons to a *nix server via AD authentication (I
haven't tried Postfix/Dovecot authentication myself, but there's plenty
of info for that, as you have found). It should certainly make your
solution a lot simpler to implement.


Body checks and warning log

2008-11-13 Thread MacShane, Tracy
I'm trying to create a very simple body check for a limited time to get
an indicative idea of how many users may be sending credit card numbers
via email. I have a simple pcre body_check map that is logging a warning
when it encounters a match. Unfortunately, the entire message line that
triggers the warning is added to the mail log, naturally with the
potential credit card number in plain text.
 
cat /etc/postfix/body_checks.pcre
/\b(?:\d[ -]*){13,16}\b/ WARN Credit card number

Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning:
body text 1243 1211 1232 1232 blah blah from
localhost.localdomain[127.0.0.1]; from=[EMAIL PROTECTED]
to=test.user@domain.example.com proto=SMTP
helo=server.example.com: Credit card number

Our security people are having wibbles about this logging regime, so I
was wondering if there was some way to ensure the WARN action doesn't
log the matched line (I can obviously append a truncated version of the
apparent number with the optional text), or if there might be a better
way to do this auditing task.
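
An added example, not part of the original post: one way to run this audit without writing card numbers to a log is to have a separate checker (for instance the cron job over held mail suggested in the replies) apply the same pattern, mask each hit to its last four digits, and use the Luhn checksum to separate likely card numbers from other digit runs. The function names and sample body lines are constructed for illustration; the two valid numbers are the publicly documented Visa and Amex test numbers.

```python
import re

# Same pattern as the body_checks.pcre entry quoted in the post.
CANDIDATE = re.compile(r"\b(?:\d[ -]*){13,16}\b")


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            # Double every second digit from the right, folding 10..18 to 1..9.
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits for the audit record."""
    return "*" * (len(digits) - 4) + digits[-4:]


def audit_lines(lines):
    """Scan body lines and return log-safe findings (never the raw number)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            findings.append({
                "line": lineno,
                "masked": mask(digits),
                "digits": len(digits),
                "luhn": luhn_ok(digits),
            })
    return findings


def summarize(findings):
    """Count all pattern hits and the subset that passes Luhn."""
    likely = sum(1 for f in findings if f["luhn"])
    return {"matches": len(findings), "likely_cards": likely}


# Constructed sample message body.
SAMPLE_BODY = [
    "body text 1243 1211 1232 1232 blah blah",          # test string from the logged line above
    "Please charge 4111 1111 1111 1111 for the order",  # public Visa test number
    "Amex on file: 3782-822463-10005",                  # public Amex test number
    "Order ref 2008-1114-1154-28 shipped",              # digit run that is not a card
    "Call me on 555 0100",                              # too short to match
]

if __name__ == "__main__":
    results = audit_lines(SAMPLE_BODY)
    for finding in results:
        print(finding)
    print(summarize(results))
```

The Luhn result only ranks hits for manual review; a digit run that fails it is still reported, masked, so the raw count stays comparable with what the WARN rule would have matched.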


OT: Email courtesy

2008-10-29 Thread MacShane, Tracy
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Vince LaMonica
 Sent: Tuesday, 28 October 2008 4:11 AM
 To: Patrick Ben Koetter
 Cc: postfix-users@postfix.org
 Subject: Re: problems authenticating
 
 [snip]
 
 TIA once again,
 
 /vjl/
 

Could you please remove the annoying header that tells me I should use
Pine instead of Outlook if I'm worried about Outlook viruses? I have
the courtesy not to tell you that Pine doesn't have the functionality I
(and my corporate environment) require in each and every one of my
emails, so please have the courtesy not to give unsolicited opinions by
default. Especially when they're based on misleading information (what
Outlook viruses? Also, many of the vulnerabilities in older versions
of Outlook have been fixed).


RE: Postfix listening on 25, unable to telnet to 25 - my first config

2008-10-13 Thread MacShane, Tracy
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
 Sent: Monday, 13 October 2008 8:58 PM
 To: postfix-users@postfix.org
 Subject: Postfix listening on 25, unable to telnet to 25 - my 
 first config
 
 Okay, so last week I posted an issue about the above with 
 lots of errors
 and it turns out I hadn't generated the relevant .db files, 
 along with a
 couple of other problems. So, I sorted all that out and fired up
 postfix, checked that the server was listening on port 25 and 
 then tried
 to telnet:
 
 Connecting To 10.100.1.1...Could not open connection to the host, on
 port 25: Connect failed
 
 
 Then tried to send a test message using blat from another machine:
 
 Blat v2.6.2 w/GSS encryption (build : Feb 25 2007 12:06:19)
 
 unexpected error 10065 from winsock
 Error: Can't connect to server (timed out if winsock.dll error 10060)
 
 
 I checked /var/log/secure and found no record of the connection being
 dumped; messages contained nothing, nor did maillog tell me anything
 useful.
 
 Oct 13 09:56:17 server postfix/postfix-script: starting the 
 Postfix mail
 system
 Oct 13 09:56:17 server postfix/master[30342]: daemon started 
 -- version
 2.3.3, configuration /etc/postfix
 

As well as telnetting to localhost/25, can you telnet to the FQDN
hostname from the host itself? If you're on the server mail, what
happens if you telnet mail.example.com 25?


RE: cannot find reverse hostname for ip with enormous result

2008-10-12 Thread MacShane, Tracy
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Wolfe
 Sent: Saturday, 11 October 2008 5:58 AM
 To: postfix-users@postfix.org
 Subject: cannot find reverse hostname for ip with enormous result
 
 Hello,
 
 We use reject_unknown_client to fail messages from hosts with no rDNS.
  We have a situation with the host 216.163.249.229, which 
 give the following results:
 
 
 NOQUEUE: reject: RCPT from unknown[216.163.249.229]: 450 
 4.7.1 Client host rejected: cannot find your reverse 
 hostname, [216.163.249.229];
 
 There actually is reverse DNS for this address... 239 PTR records!
 using 'host' returns them all, with a warning:
 
 ;; Truncated, retrying in TCP mode.
  .. and then all the results
 
 So I guess the result is so large that UDP cannot contain it, 
 and within postfix the TCP method either isn't being tried or 
 isn't working.  Is this a problem with my resolver or 
 something I can fix in postfix?  The lookup does work on this 
 machine using 'host' with the above error.
 
 -Aaron
 

While there may be problems with the fact that some of the PTRs are
unresolvable, I also suggest checking what might be thought of as the
obvious, namely, that your firewall is not blocking *UDP* DNS lookup. 

I had this same problem a few months back, and didn't initially think to
ask the question. It turned out that our external firewall (maintained
by a separate group) was only permitting TCP queries. The problem didn't
emerge until we tried resolving hosts with many multiple PTRs (36 for
one particular host); the 10s of thousands of other DNS queries were
working perfectly. Enabling UDP over port 53 fixed things for that one
host as if by magic.


FW: how to specify any/catch_all domain/email in HASH access map?

2008-10-07 Thread MacShane, Tracy
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, 8 October 2008 2:12 PM
  To: postfix-users@postfix.org
  Subject: how to specify any/catch_all domain/email in HASH 
 access map?
  
  For example in this hash I wanna OK for all domains except 
 mail.ru and 
  yandex.ru:
  hash:/etc/postfix/maps/check_sender:
mail.ru  REJECT
yandex.ru  REJECT
all other OK
  
  So what I must write instead of all other? Maybe . (single point)?
  Thanks.
  
  
 
 Are you *sure* you want to explicitly pass all mail from every 
 other domain in the Internet other than those two - that 
 means all mail originating from other domains will skip the 
 rest of any checks you may have. 
 
 You don't need to specify anything for all other domains if 
 you are just intending to block the two domains you list - 
 the default action for any message that's traversing the 
 header checks is DUNNO (which will then pass the message onto 
 the next header check, if you have one, or the message is 
 accepted for delivery).
 
 


FW: Proposing postfix to mgmt as an Exchange replacement

2008-09-09 Thread MacShane, Tracy
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Adam Tauno 
  Williams
  Sent: Wednesday, 10 September 2008 12:13 PM
  To: postfix-users@postfix.org
  Subject: Re: Proposing postfix to mgmt as an Exchange replacement
  
  The below isn't meant to shoot down your idea, but I'm an 
 Open Source 
  groupware developer and am very familiar with the Exchange-vs-XYZ 
  equation.
  
   As per the subject, I am about to pitch the idea of 
 dumping Exchange 
   and moving to Postfix.
  ...
  
  Is that true? Everything we use exchange for needs to be
  *very* carefully researched.  
   
   I hate trying to sell this kind of thing when my impulse 
 is to wave 
   my arms around yelling IT'S OBVIOUS! :)
  
  But it isn't.
 
 I totally agree with these remarks, not least the confusion 
 between the roles that Postfix and Exchange carry out. I'd be 
 extremely surprised to find any organisation that has more 
 than 6 users on Exchange that doesn't use 
 calendaring/scheduling, just as one example. How are you 
 judging the use of that functionality organisation-wide?
 
 Really, if you hate Exchange that much - and I actually think 
 it's fairly robust (these days) and good at doing what it 
 does (if we don't talk too much about TLS) - you need to 
 research something like Zimbra, which uses Postfix as the 
 MTA, but incorporates IMAP mailboxes and calendaring via 
 Webdav (I think).
 
 Of course, my primary role is that of an Exchange admin, so 
 you can take my opinion FWIW.


RE: my networks exclusions not working?

2008-09-08 Thread MacShane, Tracy
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Chris St Denis
 Sent: Tuesday, 9 September 2008 10:41 AM
 To: postfix-users@postfix.org
 Subject: my networks exclusions not working?
 
 I have the following mynetworks defined
 
 Despite having 69.31.160.0/20 defined and !69.31.174.220 
 defined, I can still relay mail from 69.31.174.220 without 
 smtp authentication. Why is this?
 
 Does order matter or is there another problem with my syntax?
 
 mynetworks = 69.31.160.0/20,
  [...]
  !69.31.174.220,

Table lookups generally return the first match encountered, and since
it's a trivial change, try putting the exclusion before the broader
inclusion to see if that makes the difference.

But I'm sure someone can give us the official word if that's not quite
right.
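
An added example, not part of the original reply: a small model of the ordering effect described above, assuming the list is matched left to right and the search stops at the first match. It also flags exclusions that can never take effect because an earlier entry already covers them. The function names are hypothetical, the `127.0.0.0/8` entry stands in for the elided part of the posted list, and only literal addresses and CIDR blocks are handled.

```python
import ipaddress


def parse_mynetworks(value):
    """Split a mynetworks value into (negated, network) pairs, in order.

    Only literal addresses and CIDR blocks are handled here; file and
    table references are outside this sketch.
    """
    entries = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        net = ipaddress.ip_network(token.lstrip("!"), strict=False)
        entries.append((negated, net))
    return entries


def is_trusted(client_ip, value):
    """First matching entry decides: plain entry trusts, '!' entry excludes."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if addr in net:
            return not negated
    return False


def shadowed_exclusions(value):
    """Return '!' entries that an earlier inclusion already covers."""
    shadowed = []
    includes_so_far = []
    for negated, net in parse_mynetworks(value):
        if not negated:
            includes_so_far.append(net)
        elif any(net.version == inc.version and net.subnet_of(inc)
                 for inc in includes_so_far):
            shadowed.append("!" + str(net))
    return shadowed


# The order from the question (middle entry constructed), then the reordered list.
AS_POSTED = "69.31.160.0/20, 127.0.0.0/8, !69.31.174.220"
REORDERED = "!69.31.174.220, 69.31.160.0/20, 127.0.0.0/8"

if __name__ == "__main__":
    for label, value in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, is_trusted("69.31.174.220", value), shadowed_exclusions(value))
```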

 


RE: [SPAM?] Re: First Time Configuration assistance

2008-09-07 Thread MacShane, Tracy
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
 Sent: Friday, 5 September 2008 11:56 PM
 To: postfix-users@postfix.org
 Subject: RE: [SPAM?] Re: First Time Configuration assistance
 
 With an ever changing list of over 600 e-mail addresses, 
 manually maintaining relay_recipient_maps doesn't strike me 
 as appealing, or practical.
 
 Unsurprisingly we have an AD back-end, is there any way for 
 the two to communicate? I see this as being the only 
 practical way to check valid recipients, though let me know 
 if there is a better way.
 
 Thanks for all the advice.
 
 Paul Cocker
 

And for where you are using Postfix as a bridgehead server and
relaying to multiple Exchange hosts, I have a solution that builds on a
script that grabs all the valid email recipients from the AD:
http://postfixnotes.wiki.zoho.com/HomePage.html. I also prefer not to be
doing constant AD lookups for mail from servers in the DMZ - it's a wee
bit better for performance to have the map files sitting on the Postfix
servers.


Outbound rate throttling

2008-08-13 Thread MacShane, Tracy
I realise this has been covered before, but I'm having a problem with
getting outbound mail to a destination domain. The ISP in question has
an interesting policy of refusing messages sent to a single email
address in excess of 30/min. Their servers also go on and offline at
random intervals, due to telecoms issues. We have an application that
sends messages to a single recipient on the destination domain, usually
in excess of 200 a day. If a server has gone offline for a while,
naturally we have a backlog of mail waiting to deliver when the server
is up again, and we quickly exceed the 30/min limit.
 
I've upgraded a server to Postfix 2.5.2 (from 2.2) and tried
implementing a slow transport for this purpose:
 
master.cf
---
# transport for touchy domains
slow      unix  -       -       n       -       1       smtp

main.cf
-
slow_destination_concurrency_limit = 1
slow_destination_rate_delay = 2

transport
---
solomon.com.sb  slow:
 
However, at the next retry interval, the entire queue is trying to empty
itself concurrently:
 
Aug 13 15:59:14 smtptest postfix/error[4456]: 4569E15E00F9:
to=[EMAIL PROTECTED], relay=none, delay=3283,
delays=3282/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery
temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25:
Connection refused)
Aug 13 15:59:14 smtptest postfix/error[4468]: F40FE15E00BD:
to=[EMAIL PROTECTED], relay=none, delay=4906,
delays=4906/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery
temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25:
Connection refused)
Aug 13 15:59:14 smtptest postfix/error[4476]: 6023715E009D:
to=[EMAIL PROTECTED], relay=none, delay=4905,
delays=4905/0.08/0/0, dsn=4.4.1, status=deferred (delivery temporarily
suspended: connect to mx.telekom.net.sb[202.1.161.20]:25: Connection
refused)
Aug 13 15:59:14 smtptest postfix/error[4460]: 4061815E00C0:
to=[EMAIL PROTECTED], relay=none, delay=4906,
delays=4905/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery
temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25:
Connection refused)
[... 75 messages in the queue]

I expect the messages to try filtering themselves out at a rate of one
every two seconds to this destination, not all of them in the same
second. Could someone please clarify what I've omitted or misunderstood
here?
 
Thanks.


RE: Outbound rate throttling

2008-08-13 Thread MacShane, Tracy

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Noel Jones
 Sent: Wednesday, 13 August 2008 10:53 PM
 To: MacShane, Tracy
 Cc: postfix-users@postfix.org
 Subject: Re: Outbound rate throttling
 

   
  I've upgraded a server to Postfix 2.5.2 (from 2.2) and tried 
  implementing a slow transport for this purpose:
   
  master.cf
  ---
  # transport for touchy domains
  slow      unix  -       -       n       -       1       smtp
 
 You can add
-o syslog_name=postfix-slow
 to the above to differentiate it in the logs so you know it's 
 being used.

Great, that's showing up beautifully now. 

  15:59:14 smtptest postfix/error[4460]: 4061815E00C0:
  to=[EMAIL PROTECTED],
  relay=none, delay=4906, delays=4905/0.08/0/0.01, dsn=4.4.1, 
  status=deferred (delivery temporarily suspended: connect to
  mx.telekom.net.sb[202.1.161.20]:25: Connection refused) [
 
 These are not delivery attempts.  Delivery attempts are 
 logged by postfix/smtp.
 These are all from the error: service notifying you that the 
 destination has been throttled because of multiple previous 
 connection refused error.

Ahah! Clear as day, once you see the difference between postfix/smtp and
postfix/error. It looks like it's working perfectly, then - postfix-slow
is trying a connection every few minutes at present, and the rest are
the errors/backoffs.

So it should be fine, once they start accepting my mail again.
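
An added example, not part of the original thread: a log check that applies the distinction drawn above, counting only lines from the `smtp` service as delivery attempts and treating `error` service lines as throttle notices, then reporting any recipient that received more than the permitted number of messages in one minute. The sample log is constructed (placeholder hosts, addresses and queue IDs), and `postfix-slow` assumes the `syslog_name` override suggested in the reply.

```python
import re
from collections import Counter

# Matches Postfix delivery-status lines of the shape shown in the thread.
LINE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+"
    r"(?P<name>[\w-]+)/(?P<service>\w+)\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+"
    r"to=<(?P<rcpt>[^>]*)>.*?\bstatus=(?P<status>\w+)"
)

# Constructed sample log; every host, address and queue ID is a placeholder.
SAMPLE_LOG = """\
Aug 13 15:59:14 smtptest postfix/error[4456]: A1B2C3D4E5F6: to=<app@example.net>, relay=none, delay=3283, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.example.net[192.0.2.20]:25: Connection refused)
Aug 13 15:59:14 smtptest postfix/error[4468]: B2C3D4E5F6A1: to=<app@example.net>, relay=none, delay=4906, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.example.net[192.0.2.20]:25: Connection refused)
Aug 13 16:04:02 smtptest postfix-slow/smtp[4501]: C3D4E5F6A1B2: to=<app@example.net>, relay=none, delay=5200, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.20]:25: Connection refused)
Aug 13 16:20:10 smtptest postfix-slow/smtp[4620]: A1B2C3D4E5F6: to=<app@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=4500, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F1E2D3C4B5A)
Aug 13 16:20:12 smtptest postfix-slow/smtp[4620]: B2C3D4E5F6A1: to=<app@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=6100, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1F2E3D4C5B6A)
Aug 13 16:20:14 smtptest postfix-slow/smtp[4620]: C3D4E5F6A1B2: to=<app@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=6150, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2F3E4D5C6B7A)
Aug 13 16:20:14 smtptest postfix/qmgr[4400]: C3D4E5F6A1B2: removed
"""


def parse(line):
    """Return the fields of a delivery-status line, or None for other lines."""
    match = LINE.match(line)
    return match.groupdict() if match else None


def classify(record):
    """smtp lines are real connection attempts; error lines are not."""
    if record["service"] == "smtp":
        return "attempt"
    if record["service"] == "error":
        return "throttle_notice"
    return "other"


def summarize(log_text, limit=30):
    """Count attempts and notices; list (rcpt, minute, n) over the limit."""
    kinds = Counter()
    sent_per_minute = Counter()
    for line in log_text.splitlines():
        record = parse(line)
        if record is None:
            continue
        kind = classify(record)
        kinds[kind] += 1
        if kind == "attempt" and record["status"] == "sent":
            sent_per_minute[(record["rcpt"], record["minute"])] += 1
    over = sorted(
        (rcpt, minute, n)
        for (rcpt, minute), n in sent_per_minute.items()
        if n > limit
    )
    return {
        "attempts": kinds["attempt"],
        "throttle_notices": kinds["throttle_notice"],
        "sent": sum(sent_per_minute.values()),
        "over_limit": over,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))           # the ISP's limit of 30 per minute
    print(summarize(SAMPLE_LOG, limit=2))  # lowered limit to show a finding
```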