Re: postqueue -f delayed

2020-10-26 Thread Peter Blair
At 26 October, 2020 Ron Wheeler wrote:
 
> If you are very old, you will remember when networking was young and e-mail
> was sent over dial-up connections that connected only once or twice a day.
> The email system has to deal with the historical world where connections
> where not "always on" so a successful send does not imply anything about
> time.

All of the good tech started with "uu": uucp, uuencode, uunet :P


Re: possible bottlenecks

2020-10-17 Thread Peter Blair
At 17 October, 2020 Demi M. Obenour wrote:
 
> > Postfix is not an HTTP server handling tens to hundreds of thousands of
> > requests per second, and does not benefit from the optimisations needed for
> > those kinds of workloads.  Premature optimisations that sacrifice robustness
> > and security for little gain are not part of the design.
> 
> If one is Google or Microsoft and need to process hundreds of millions
> of messages per day, then Postfix might not work.  But if one needs
> to handle that much mail, then one can probably afford to write a
> bespoke MTA.

A decade ago I helped create and run a mailbox hoster with a few million
active accounts.  We were nothing compared to gmail/hotmail, but we ran
our border MTAs using postfix (with custom smtp content filters and
custom LMTP services).  My memory is rusty, but given the amount of spam
we consumed, we definitely were doing 10s-100s of millions of messages
per day (on the inbound side).  Postfix did great -- our choke point was
storage IOPS being saturated by spam that no one would ultimately read,
which is annoying but the truth of life.

I no longer work in email, but I do work at a fairly large $MEGACORP and
I was discussing something the other day with a coworker: When you're
sitting on the internet with a service that needs to support downtime,
heavy load, etc., then having a service that fully supports RFCs is
really important because you can't be taking postmaster@ emails from
rando operators because you're doing something dumb.

But once you're dealing with internal services, it's all custom code,
because you can just message the engineer responsible for whichever
subservice is acting up and sort it out asap.  As such, things tend to be
much more narrowly focused in implementation, written with narrowly
scoped perf metrics in mind, and less robust (feature-wise) than
software like postfix.


Re: 421 service not available (connection refused, too many connections): ALL servers

2012-03-05 Thread Peter Blair
2012/3/5 Stanisław Findeisen stf.list.postfix-us...@eisenbits.com:

 My bad suspicion is that they are in the process of installing some
 (more or less crappy) mail intercepting facility (i.e. to spy on users)
 and that this is probably the government who ordered that. This is
 Europe (Poland) but do you think such things are uncommon elsewhere? I
 think they are common.

I think that "spy on users" is a bit harsh.  Companies have been
selling solutions like this for years:
http://www.mailchannels.com/product/transparent-antispam.html


Re: spam to postmaster

2012-02-17 Thread Peter Blair
On Fri, Feb 17, 2012 at 3:54 PM, Reindl Harald h.rei...@thelounge.net wrote:
 how do other people act with such braindead sh**t?

Look into greylisting it.  You'll find that greylisting could very
well deal with most of the bots that things like zen.spamhaus.org
would normally deal with.  And strictly speaking, you're not filtering
it -- just making a policy decision to not accept the transaction
before the DATA section ;)


Re: Including state information in Received fields

2012-01-11 Thread Peter Blair
On Thu, Jan 12, 2012 at 12:10 AM, Murray S. Kucherawy m...@cloudmark.com wrote:
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
 Sent: Wednesday, January 11, 2012 5:46 PM
 To: Postfix users
 Subject: Re: Including state information in Received fields

  But design issues aside, would you consider implementing it at some
  point?  Indications of interest like that would be useful input to the
  IETF.


 In my sysadmin career it would have saved me a lot of work figuring out why 
 something was delayed at one particular hop.  Log analysis tools might also 
 find it useful, but I haven't tried to sell them on the idea yet.

I've found that people don't always want to have this made known.
When tracking down "why did mail take X hours to reach my friend's
inbox" issues, it would be quite the embarrassment to have the tracer
headers show that my work was being rate limited by ISP X.


Re: Vacation problems (again)

2011-12-19 Thread Peter Blair
On Mon, Dec 19, 2011 at 11:22 AM, Claudio Prono claudio.pr...@atpss.net wrote:

 I have also thought of this, so I have deleted the .vacation.db, re-done
 vacation -I [user] and then done

 cat 1324286018.V811I1ea270M489235.mail | strace /usr/bin/vacation -t1 testmedia

 But no way, no results at all

If you're really banging your head with no results, you can try to
debug the local DB that's being used, and check for the actual epoch
value that's being stored.  Or, just throw away vacation, and roll
your own:  http://petermblair.com/2010/06/vacation-notification/

At least you'll know what you're dealing with.


Re: Printing received mails

2011-11-03 Thread Peter Blair
On Thu, Nov 3, 2011 at 4:03 PM, Daniel L. Miller dmil...@amfes.com wrote:
 We're now using a hosted fax service and receive our faxes via email to a
 dedicated address.  Is there a method via Postfix I can have these printed
 when received?  Or do I handle this via mda scripting (at the moment,
 Dovecot with Sieve).

You can update your master.cf to include a custom service:

pmail     unix  -       n       n       -       -       pipe
  user=printer argv=/usr/local/bin/script-to-parse-and-send-to-printer.pl

Then, in the transport file, indicate that certain email address(es)
should use the pmail: transport for delivery.

So, your script becomes the LDA, and sends to the printer.  I'd
recommend splitting the mailstream to a backup mailbox first ;)


Re: Issue with getting listed in spam again and again.

2011-10-04 Thread Peter Blair
On Tue, Oct 4, 2011 at 2:55 AM, Dhanraj Wadhe dhanraj.wa...@gmail.com wrote:

 We are a public email provider with postfix at the backend. We are facing an
 issue with getting blacklisted again and again.

 Currently we have set up reverse lookup, DKIM and SPF to avoid getting
 listed into rbl's and dnsbl.

Great. Once your mailstream is being signed, you can start signing up
to different FBLs ( http://blog.wordtothewise.com/isp-information/ )
and be able to audit some of the kinds of messages that users on the
remote networks are marking as spam.


Re: automatic reply

2011-09-30 Thread Peter Blair
On Fri, Sep 30, 2011 at 6:44 AM, Amira Othman a.oth...@cairosource.com wrote:
 Hi all,

 I want to configure an automatic message, but a different one for each user.
 As I am not using MySQL in my postfix configuration and installation I
 didn’t use any other plug-in that may use MySQL too. I am using a shell script
 that handles sending mail (from, to and subject) with some changes in
 postfix configuration as follows:

When you're given a hammer, everything looks like a nail.  This sounds
really neat and novel, but I think that you're inventing a new way of
sending reply emails when that's already a solved problem.  Why not
have a transport that defines a delivery specific to procmail, then
have the procmail decide which script to run, or which reply message
to send.  I wrote up a simple vacation application that would only
send to work people, and only if I was in the To/CC, and not part of a
distribution list:

http://petermblair.com/2010/06/vacation-notification/

Good luck!


Re: Off Topic: Auto-whitelisting from sent mail?

2011-09-20 Thread Peter Blair
On Tue, Sep 20, 2011 at 9:16 AM, Stan Hoeppner s...@hardwarefreak.com wrote:
 On 9/19/2011 5:38 PM, john wrote:

 I think this is off topic.

 I am running Ubuntu 11.04 as a SOHO server with
 postfix/dovecot/Amavis-new/Spamassassin/Clamav setup as my email service.

 Does anybody know of a program... that can white list inbound email
 based upon the addresses of emails that have been sent?

 This simple 7 line bash script does the trick superbly on Debian.  Thus it
 should work fine on Ubuntu as well.

 http://www.hardwarefreak.com/whtlst_gen.sh.txt

 Drop it in an executable search path, then do a chmod +x and follow the
 instructions in the file.

Nice. But if you're running a multi-tenant system, you'll need a way
to map sender/recipient pairs to the inbound.  We do that with a
postfix policy server that hooks into the END-OF-MESSAGE stage, which
will provide the SASL authenticated user, and the smtp-envelope
recipient (there are problems with multi-recipients that you have to
work out).  Feed this into something like
http://wiki.apache.org/spamassassin/ManualWhitelist and you're good to
go.


Re: Inject email from web server to postfix queue

2011-09-12 Thread Peter Blair
On Mon, Sep 12, 2011 at 9:37 AM, Jon Harris j.har...@digital-ink.co.uk wrote:
 Hi List

 I don't know if this is possible

It's not.  Search the list archives, and there are plenty of people
wanting an API for dropping mail straight into the postfix queue.

 I thought if I could generate a postfix friendly file, I could create an
 SMB share and drop the 72,000 files into a folder that Postfix would
 see and then process.

Sure, you just need some middleware that understands SMTP and file
locking.  Write something up in perl that will pick up new files on
the system, lock them, pass them to postfix (either via sendmail or
TCP/SMTP) and then remove the message file.  Just be sure that your
middleware application has some callback mechanism for registering
success/fails when injecting into postfix.

Postfix on its own (AFAIK) won't do this for you.


Re: Switch to new server and forward existing mail from old server

2011-09-12 Thread Peter Blair
On Mon, Sep 12, 2011 at 12:38 PM, Clarence Brown clabrown...@gmail.com wrote:

 On rare occasions I have had to manually mess around with the mail files, ie
 using an editor to remove a corrupt message messing up pop3. There is one
 file per user mailbox.

[ ya, no longer on topic for postfix... ]

Just be sure that the message store is using the same file types:

http://en.wikipedia.org/wiki/MH_Message_Handling_System
http://en.wikipedia.org/wiki/Mbox
http://en.wikipedia.org/wiki/Maildir


Re: DKIM milter

2011-09-07 Thread Peter Blair
On Wed, Sep 7, 2011 at 12:36 PM, Steve Jenkins stevejenk...@gmail.com wrote:
 On Wed, Sep 7, 2011 at 8:57 AM, Wietse Venema wie...@porcupine.org wrote:
 This means they broke it (assuming you aren't doing special
 processing for Mail.RU etc. destinations).

 Agreed. I generally test by sending a message to my GMail account. If
 it says Signed by: in the header details, I'm satisfied that I'm
 successfully sending mail with valid DKIM sigs. If anyone else says it
 fails, it's likely they're breaking it themselves. GMail isn't
 infallible, but they're reliable enough to depend on for testing.

If you're capable of capturing a copy of the mail, then I find it
useful to do a sniff test on some of our mail with little scripts
like:

$ cat dkim-verify.pl
# verify a message
use strict;
use warnings;
use Mail::DKIM::Verifier;

# create a verifier object
my $dkim = Mail::DKIM::Verifier->new();

# read an email from stdin, pass it into the verifier
while (<STDIN>)
{
    # remove local line terminators
    chomp;
    s/\015$//;

    # use SMTP line terminators
    $dkim->PRINT("$_\015\012");
}
$dkim->CLOSE;

# what is the result of the verify?  (pass, fail, invalid, temperror or none)
my $result = $dkim->result;

print "Result: $result\n";


Re: Postfix talking smtp through stdio command?

2011-09-06 Thread Peter Blair
On Tue, Sep 6, 2011 at 2:59 PM, Matthias Andree matthias.and...@gmx.de wrote:
 The problem is this:

 - I cannot connect to the remote SMTP relayhost via plain TCP, it's
 firewalled on all ports.

 - The relayhost does not offer submission STARTTLS or SSL-wrapped legacy
 ports.

 - I *can* (and am permitted to) connect to a computer in the same LAN as
 the SMTP server by SSH.

 - The authentication infrastructure only supports SSH-2 public/private
 key authentication.


 The current solution is (options are: -f = background, -M = master, so
 as to keep the command alive, -N = no command, -L = port forward)

 ssh -f -M -N -L :mailhub.example.org:25 sshgate.example.org

After a couple of minutes of playing around, I can:

pblair@pblair-laptop:~$ cat test-message.txt | ssh popc...@example.com \
    ~/bin/smtp-cli --host=mail.EXAMPLE.COM --auth --user=popcorn \
    --pass=  --to=recipi...@example.com --from=sen...@example.com --data=-

Using http://www.logix.cz/michal/devel/smtp-cli/ as the SMTP CLI client.

You could hack up a local perl SMTP listener on your local system,
which, when it has received all of the SMTP back and forth and then the
".", executes a SSH subshell, formatting the recipient/sender etc
via the gateway, and pipes the DATA portion over its FH.

Good luck!


Re: postscreen stats

2011-08-23 Thread Peter Blair
On Tue, Aug 23, 2011 at 8:04 PM, Homer Parker hpar...@homershut.net wrote:
 On Tue, 2011-08-23 at 21:33 +0200, Patrick Ben Koetter wrote:
 I disabled greylisting since I started using postscreen and the spam
 ratio did
 not increase, but the immediacy at which mails from new senders arrive
 did.

 Anyone with similiar observations?

 That's what I've seen. I've only been using postscreen for a few weeks
 now, but started with no greylisting and saw no change from before
 (other than no delays as you've pointed out).

You may have read in the news that spam is under control, etc etc.
Which is a misnomer.  It should read: "Botnet spam is on the decline,
but snowshoe spam and spear phishing are on the rise!"  The botnet
spam that greylisting was originally intended to deal with is becoming
a lesser used vector, but you're probably seeing plenty of mail coming
from places like Romanian VIP hosting facilities that are plenty happy
to rent out a /24 to a single machine for SMTP proxying.


Re: Automating regular checks that incoming outgoing mails are still working

2011-08-23 Thread Peter Blair
On Tue, Aug 23, 2011 at 11:59 AM, Thomas Harold thomas-li...@nybeta.com wrote:
 On 8/21/2011 10:03 AM, Roger Goh wrote:

 There's often problem with our postfix mail server (that runs Cyrus
 / Cyrus-imapd) :

 I have scripts (using mutt) to send hourly mails out (  from
 another postfix server, I can send mails to it).

 I need a way / method such that if those hourly test mails were
 never sent out or received, I'll need to be alerted.  Let me know the
 freeware tools method to go about doing this?


 Look into a monitoring solution like Nagios, Cacti, etc.  You'll want to
 communicate failure of the email system over some non-mail communication
 channel (such as Jabber/XMPP alerts).

Ok, now completely OT, but we're looking at replacing our Nagios
solution with Zabbix.  If you want to call your system "production",
then it needs to be monitored.


Re: Write a mail directly to postfix queue

2011-08-19 Thread Peter Blair
On Fri, Aug 19, 2011 at 11:33 AM, Ram r...@netcore.co.in wrote:


 On 08/19/2011 07:50 PM, Reindl Harald wrote:

 Am 19.08.2011 16:05, schrieb Ram:

 I don't want to make smtpd connections in the app because that slows down
 the app significantly
 and also this is a serialized process.
 So sending mails serially slows down the general delivery

 it is a bad design sending huge bulk and normal mail-traffic with the
 same server/ip

 a) your slowing down problem
 b) reputation of this machine will be degraded sooner or later


 Why reputation?
 These are mails which partners pay to receive , not spam.
 Also the numbers are not too huge. It could be 50k-100k mails ..Only that
 they have to get sent ideally within 10 minutes .

$ units
2411 units, 71 prefixes, 33 nonlinear units

You have: 10 seconds
You want: 10 minutes
* 166.7
/ 0.006

Unless my quick math is wrong, that's 166 mail messages per second.  I
think that if you're worried about your harddrives not being up to
snuff, you probably won't be sustaining these kinds of numbers.
Especially if the message sizes are larger (ie, containing those
base64 encoded attachments).

Back to reputation, just because the recipient mailbox owner wants the
mail, doesn't mean that the mailbox-owner's postmaster will want the
mail if you're bursting a lot of messages to multiple recipients under
the same domain.  Burstiness == spaminess in certain circles.

If you're serious about this customer, consider placing them on a
dedicated postfix instance, and if you're worried about IO latency,
consider mounting the active queue as a tmpfs or ramdisk if your
system can support that VM-wise.  But, that can be dangerous, since
you will lose mail if your system goes down while a message is in a
volatile storage mount.

Good luck!


Re: using header_checks to change message-id header

2011-08-16 Thread Peter Blair
On Tue, Aug 16, 2011 at 2:35 AM, Ralf Hildebrandt
ralf.hildebra...@charite.de wrote:
 * Peter Blair popc...@snickers.org:

 /Message-Id:\s+(.*?)@my.domain.com/   REPLACE Message-Id: $1...@my.domain.net

 Warning: this might also alter Resent-Message-Id: into Message-Id:!!!

-1s/might/will/

Cheers! :)


Re: using header_checks to change message-id header

2011-08-15 Thread Peter Blair
On Mon, Aug 15, 2011 at 10:30 AM, Jerico2day jerico2...@gmail.com wrote:
 I'd like to have postfix dynamically change my.domain.com only on
 Message-Id header  to some arbitrary domain that would be
 public-facing for all outgoing mail and change it back for incoming
 mail.

 Unfortunately, I'm not quite sure how to do that. I would appreciate
 any assistance.

First in your main.cf:

header_checks = pcre:/etc/postfix/header_checks

Secondly in your /etc/postfix/header_checks:

/Message-Id:\s+(.*?)@my.domain.com/   REPLACE Message-Id: $1...@my.domain.net

Thirdly, test it:

$ postmap -q "Message-Id: sdfsfsdf...@my.domain.com" pcre:/etc/postfix/header_checks

 Thanks!

Note, ensure that your postfix installation supports pcre. My desktop
is debian, so I call:

$ apt-cache search postfix-pcre
postfix-pcre - PCRE map support for Postfix
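The follow-up above warns that the unanchored rule also rewrites Resent-Message-Id:. Here is an added example, not code from the thread or from Postfix, that emulates header_checks REPLACE semantics (the whole header is replaced, matching is case-insensitive) with Python's re module over constructed headers, and sets the thread's rule beside a corrected one that is anchored with ^, escapes the dots and keeps the rest of the header:

```python
import re

# Constructed sample headers; the my.domain.com / my.domain.net names come from the thread.
SAMPLE_HEADERS = [
    "Received: from host.my.domain.com (localhost [127.0.0.1])",
    "Resent-Message-Id: <abc@my.domain.com>",
    "Message-Id: <sdfsfsdf@my.domain.com>",
    "Subject: test",
]

# (pattern, replacement) pairs in Python syntax; Postfix writes the backreference as $1.
# The thread's rule: unanchored, unescaped dots, and the match ends at ".com", so the
# trailing ">" is not carried into the replacement.
THREAD_RULE = (r"Message-Id:\s+(.*?)@my.domain.com", r"Message-Id: \1@my.domain.net")
# Corrected rule: anchored so Resent-Message-Id: is untouched, literal dots, rest of line kept.
CORRECTED_RULE = (r"^Message-Id:\s+(.*?)@my\.domain\.com(.*)$", r"Message-Id: \1@my.domain.net\2")


def apply_replace(headers, rule):
    """Emulate 'pattern REPLACE text': every header the pattern matches is replaced
    whole by the expanded replacement, as Postfix header_checks does (pcre maps match
    case-insensitively by default)."""
    pattern, replacement = rule
    rx = re.compile(pattern, re.IGNORECASE)
    out = []
    for header in headers:
        m = rx.search(header)
        out.append(m.expand(replacement) if m else header)
    return out


if __name__ == "__main__":
    for name, rule in (("thread rule", THREAD_RULE), ("corrected rule", CORRECTED_RULE)):
        print(name)
        for line in apply_replace(SAMPLE_HEADERS, rule):
            print("  " + line)
```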


Re: mail server on vm

2011-08-12 Thread Peter Blair
The RFC stipulates that only an A record is required.  Mind you, your
/etc/hosts file isn't equivalent to an A record.  Configure an
override in your transport file for testing.

Oh, and try not to send HTML mails to mailing lists.

On Fri, Aug 12, 2011 at 9:46 AM, Amira Othman a.oth...@cairosource.com wrote:

 Hi all,

 I am configuring mail server on virtual machine for testing. I am using 
 centos 5.6 and postfix-2.3.3-2.3.el5_6. I can send without problems but I 
 can’t receive mails. I don’t have mx record I tried to add to  hosts file but 
 no change. is mx record a must even if I am using for testing only?? Is there 
 any alternatives of using mx record locally something like hosts file

 Regards


Re: Sending massive mails

2011-08-10 Thread Peter Blair
On Fri, Aug 5, 2011 at 4:13 AM, Bjron Mork bjron.m...@gmail.com wrote:
 I do have the same concerns, is there any way to implement user-based
 sending policies through postfix …

Not really.  Postfix accepts messages into one of its queues, and will
pick those messages up (depending on its retry formula) and attempt to
deliver them.  What you want is some brains that will know how many
messages to a particular class of message has been sent in a given
time window.  Say, X-thousand messages to Y-domain from Z-IP.

Postfix doesn't do that.

PowerMTA does.  But then again, that's why most ESPs run with that
software, so just go with them instead.


Re: main.cf best practices

2011-08-09 Thread Peter Blair
On Mon, Aug 8, 2011 at 3:48 PM, Stephen Atkins satk...@skircr.com wrote:
 My main goal is to figure out what I should have in each section of
 main.cf (smtpd/client restrictions) to help stop spam and not to be an open
 relay or back scatter host.

You won't be successful in stopping spam with any kind of "set it and
forget it" configuration.

But, if you want to test for open-relay-ness:

http://www.abuse.net/relay.html

is a nice tool to test your server for different address conventions
in an attempt to relay mail out via your server.


Re: sending mass mail

2011-08-09 Thread Peter Blair
On Tue, Aug 9, 2011 at 10:38 AM, Ralf Hildebrandt
ralf.hildebra...@charite.de wrote:
 * Amira Othman a.oth...@cairosource.com:
 Hi all

 I want to send mails to all users I have in my database and I am using
 postfix-2.3.3-2.3.el5_6. I am afraid that ISPs consider me a spammer and add
 me to a blacklist. Can anyone suggest to me where to start to send mass mails
 and how to be protected from being considered a spammer at the ISP?

 Your ISP would be a start.

+1

In all seriousness, don't do this yourself.  Engage an ESP like
mailchimp etc.  What you're describing sounds terribly spammy.  A
good/reputable ESP will either take your business if what you're
trying to do is on the up-and-up (and do it well for you) or you'll
fail their sniff test and that's a pretty good indicator that what
you're trying to do won't be very successful.


Re: multiple content filter settings

2009-11-27 Thread Peter Blair
On Fri, Nov 27, 2009 at 12:14 PM, Sharma, Ashish ashish.shar...@hp.com wrote:
 I have a Postfix mail server that needs to be set for two content filters as
 I have two content filters.

 One from AmaVis and another a custom content filter.

Can you not have amavis feed to your second content filter, which will
in turn feed back to postfix?


Re: multiple content filter settings

2009-11-27 Thread Peter Blair
On Fri, Nov 27, 2009 at 12:58 PM, Sharma, Ashish ashish.shar...@hp.com wrote:
 Peter,

 I don't know how to do it, please post some sample for doing what you are 
 suggesting.

Read an Amavis document, and instead of pointing it to the postfix
reinjection port, send it to your other content filter.


Re: Postfix Deployment

2009-11-27 Thread Peter Blair
Well, I see no reason to have a MTA running on a public IP.  As stated
above in the thread, as long as your server is HELO'ing out as the
name associated with the PTR record for its SRC-NAT, then you should
be fine.

On Fri, Nov 27, 2009 at 3:42 PM, Roman Gelfand rgelfa...@gmail.com wrote:
 On Fri, Nov 27, 2009 at 1:48 PM, Stan Hoeppner s...@hardwarefreak.com wrote:
 Ralf Hildebrandt put forth on 11/27/2009 6:20 AM:

 Then it of course needs a public IP address

 Or, at least, a public IP NAT/PAT'd to it by your firewall.  It will
 also obviously need PTR, A, and MX records.

 Also, this may be helpful:

 http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall


 I am at a loss here.  This article seems to say that it is possible, I
 mean in the way it was designed to run,  to run postfix in NATed
 network.  In this case, is there still a reason why I would want to
 run postfix on public ip machine?

 Thanks again
 --
 Stan





Re: outgoing spam

2009-10-21 Thread Peter Blair
On Tue, Oct 20, 2009 at 4:40 AM, Martin Schiøtz mali...@gmail.com wrote:
 Can I do any outgoing spam checks with postfix or I'm forced to
 install lots of Amavis, spamassassin, etc. software to do that job.


 I'm sorry to tell you that blocking outbound spam is at least harder
 than blocking inbound spam.

 - you certainly need an anti-virus
 - you can use spamassassin. but it's not enough. (note that per
 recipient Bayes is of no use here).

 but you need to watch the behaviour of internal clients. you need to
 detect abusive/abused clients. and to avoid problems, you want rate
 limiting.

 I just want to do some simple checks and rate limit seems like a good
 idea and it can be performed by postfix.

Rate limiting would be done by adding the following to your main.cf:

smtpd_end_of_data_restrictions =
  check_policy_service inet:{HOST}:{PORT}

Where a service is listening on HOST:PORT and can keep track of how
many messages x recipients a given _AUTHENTICATED_ user has sent over a
certain time period.

Listen to everyone else -- you also need to do deep content filtering,
otherwise your relays will be blocked by the Yahoo!s, Comcasts,
Hotmails, Outblazes, etc of the world.

Be sure that you're not running an open relay, that you're not sending
out spam/viruses (you will be! everyone's network leaks a bit) and
rate limiting will cause customer escalations, but helps with the
night-spammer scenario.

One other thing: if you decide to _not_ go with spam filtering,
announce your outbound IPs to this list so that we can all block you
:)


Re: Newbie configuration/installation question

2009-04-13 Thread Peter Blair
On Mon, Apr 13, 2009 at 3:59 PM, Tashfeen Ekram ga...@rocketmail.com wrote:
 I have installed Postfix on Ubuntu to use to only send emails for my rails
 application. My rails application is not able to connect to it. Could this
 be because sendmail is listening at port 20?
 also, what configuration would suit me best if I only want to send emails
 and not receive. This is only for testing purposes on my own laptop.

Don't run bind( `cat /etc/services` )

:)

http://www.postfix.org/STANDARD_CONFIGURATION_README.html


Re: RBL problems affect mail reception

2009-04-08 Thread Peter Blair
On Sat, Apr 4, 2009 at 3:27 AM, Oguz Yilmaz oguzyilmazl...@gmail.com wrote:

 On my postfix mail server I have RBL definitions at
 smtpd_client_restrictions phase. At the moment 2 of 4 rbl's waiting until
 tcp timeout without an answer when I try with nslookup.

It sounds like your dns recursor is having problems.  Ensure that your
recursor is a caching recursor, that it's not forwarding the
zones, and that you're not using a shared recursor.  The latter could
result in the recursor being temp-banned for doing too many lookups.


Re: postmaster@ and spam

2009-03-26 Thread Peter Blair
On Thu, Mar 26, 2009 at 12:55 PM, LuKreme krem...@kreme.com wrote:

 Obviously I can't disable the account as it is required, but is there
 something that I can do to stop the connections for messages like this:

 Return-Path: postmas...@covisp.net
 X-Original-To: postmas...@covisp.net
 Delivered-To: postmas...@covisp.net
 Received: from 55.71.98-84.rev.gaoland.net (117.82.193-77.rev.gaoland.net
 [77.193.82.117])
        by mail.covisp.net (Postfix) with SMTP id A4B17118BC8B
        for postmas...@covisp.net; Fri, 20 Mar 2009 18:18:44 -0600 (MDT)

 as it is now, anything to postmaster gets a complete free pass, and most the
 mail to that account is scoring on SA up in the 20's and 30's.

Why not RBL it with spamhaus?

$ dig 117.82.193.77.zen.spamhaus.org a +short
127.0.0.10
127.0.0.4


Re: Looking for Anti-spam setting: local username/external IP

2009-03-20 Thread Peter Blair
On Thu, Mar 19, 2009 at 3:28 PM, David A. Gershman
dagershman_...@dagertech.net wrote:
 from an external source.  I'm trying to see if there is a setting in
 master.cf (or other .cf file) which will reject any email from an
 external IP (other than my own) *and* is claiming to be from a local
 user account.

You'll block mail that was sent from your system, to an offsite
forward, which then redirects back to your system again.


Re: Dropping rejected mail from a transport server

2009-03-17 Thread Peter Blair
If the exchange server is doing anti-spam analysis, then can't you
set up the exchange server to be a before-queue content filter?  This
will mean that your postfix server will still do all of the RBL and
recipient checks, but the 5XX series block sent by exchange will be
relayed via postfix to the upstream MTA.

Of course, this means that you won't be queuing mail on your postfix server...

On Tue, Mar 17, 2009 at 2:58 PM, Chris Cameron ch...@upnix.com wrote:
 I have a Postfix server that sits in front of Exchange. Exchange has
 anti-spam software running that will reject what it deems as spam.
 This is creating a problem for Postfix, which accepts a message, and
 tries to send it to Exchange, who then rejects it. That leaves Postfix
 with an email it has to try to bounce to a (usually) non-legitimate
 sender.

 It'd be nice if Exchange accepted and then silently dropped, but that
 doesn't seem to be coming. So, on my part, what can I do with Postfix
 to drop messages that Exchange (defined through the transport file)
 rejects?


 Thanks,
 Chris




Re: Intercepting Bounced Backs

2009-02-23 Thread Peter Blair
On Mon, Feb 23, 2009 at 12:00 PM, Chris Dos ch...@chrisdos.com wrote:
 I've been tasked to figure out a way for our three postfix relay servers to 
 intercept every hard bounced back
 e-mail and process it for our web application.

 We have about nine servers relaying mail through our three postfix servers.  
 These servers send mail on behalf
 of our clients.  I'm trying to figure out a way to intercept a hard bounce 
 back from the destination server
 and process it internally instead of bouncing back the error to our clients.  
 I've figured out a way to have a
 copy of the bounce that would have gone to the postmaster account and have 
 that get processed, but it would
 have still bounced it back to our client as well.

I don't understand-- can't your email generators use an envelope "mail
from" that tags that message to a particular mail campaign, that is
unique, and not at all what the header From: header is?

Ie:  blahblahblah=customer=domain@bounce.you.org

As long as blahblahblah is a key to a recipient of a mail campaign
owned by the account custo...@domain.com, then you can track your hard
bounces this way.  Just deliver to an application that parses the
Return-Path (or whatever) and match it up against your db backend.

Maybe I'm missing something, but this doesn't seem like a postfix
question, but rather something for your company's application to
address.


Re: Intercepting Bounced Backs

2009-02-23 Thread Peter Blair
Well, your outbound postfix machines will route the bounces to
whatever address is used in the "mail from:<foo>" envelope.  Just run
a catchall at the domain of choice and a script to parse the messages.
Your outbound mail server doesn't send bounces to the addresses in
the headers, it sends it to the address in the envelope.

On Mon, Feb 23, 2009 at 1:23 PM, Chris Dos ch...@chrisdos.com wrote:
 Peter Blair wrote:
 On Mon, Feb 23, 2009 at 12:00 PM, Chris Dos ch...@chrisdos.com wrote:
 I've been tasked to figure out a way for our three postfix relay servers to 
 intercept every hard bounced back
 e-mail and process it for our web application.

 We have about nine servers relaying mail through our three postfix servers. 
  These servers send mail on behalf
 of our clients.  I'm trying to figure out a way to intercept a hard bounce 
 back from the destination server
 and process it internally instead of bouncing back the error to our 
 clients.  I've figured out a way to have a
 copy of the bounce that would have gone to the postmaster account and have 
 that get processed, but it would
 have still bounced it back to our client as well.

 I don't understand-- can't your email generators use an envelope "mail
 from" that tags that message to a particular mail campaign, that is
 unique, and not at all what the header From: header is?

 Ie:  blahblahblah=customer=domain@bounce.you.org

 As long as blahblahblah is a key to a recipient of a mail campaign
 owned by the account custo...@domain.com, then you can track your hard
 bounces this way.  Just deliver to an application that parses the
 Return-Path (or whatever) and match it up against your db backend.

 Maybe I'm missing something, but this doesn't seem like a postfix
 question, but rather something for your company's application to
 address.

 Well, the simple fact is that they want me to process the bounce backs and 
 not send the bounce back to the
 user, but process it internally.  Is there a way to do this without using 
 VERP?

Chris
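The envelope-tagging approach from the two replies above, as an added example that is not code from the thread or from any project. The address shape key=customer=domain@bounce.you.org follows the thread; the HMAC tag, the secret and the sample bounce are assumptions and constructed data. Since a DSN's own Return-Path is empty, the tagged address is read from the bounce's delivery headers (X-Original-To / Delivered-To) rather than its Return-Path:

```python
import hashlib
import hmac
import re
from email import message_from_string

BOUNCE_DOMAIN = "bounce.you.org"        # from the thread
SECRET = b"constructed-example-key"     # assumption: a per-installation secret


def _tag(key, customer, domain):
    """Short HMAC over the tuple so a bounce aimed at a guessed key is ignored (assumption)."""
    return hmac.new(SECRET, f"{key}={customer}={domain}".encode(), hashlib.sha256).hexdigest()[:12]


def make_return_path(key, customer, domain):
    """Envelope sender to use in MAIL FROM for one recipient of one campaign."""
    return f"{key}={customer}={domain}={_tag(key, customer, domain)}@{BOUNCE_DOMAIN}"


# key=customer=domain=tag@bounce.you.org, with optional angle brackets as found in headers
ADDR_RE = re.compile(
    r"^<?(?P<key>[^=@<>\s]+)=(?P<customer>[^=@<>\s]+)=(?P<domain>[^=@<>\s]+)"
    r"=(?P<tag>[0-9a-fA-F]{12})@" + re.escape(BOUNCE_DOMAIN) + r">?$",
    re.IGNORECASE,
)


def parse_bounce_address(addr):
    """Return {key, customer, domain} for a genuine tagged address, else None."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        return None
    if not hmac.compare_digest(_tag(m["key"], m["customer"], m["domain"]), m["tag"].lower()):
        return None
    return {"key": m["key"], "customer": m["customer"], "domain": m["domain"]}


def classify_bounce(raw_message):
    """Map a bounce delivered to the catchall back to the campaign record it belongs to."""
    msg = message_from_string(raw_message)
    for field in ("X-Original-To", "Delivered-To"):
        for value in msg.get_all(field, []):
            record = parse_bounce_address(value)
            if record:
                return record
    return None


# Constructed sample bounce as the catchall would receive it.
TAGGED = make_return_path("c42r17", "customer", "domain.com")
SAMPLE_BOUNCE = f"""Return-Path: <>
X-Original-To: {TAGGED}
Delivered-To: {TAGGED}
From: MAILER-DAEMON@mx.example.net
To: {TAGGED}
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx.example.net (constructed sample body).
"""

if __name__ == "__main__":
    print(TAGGED)
    print(classify_bounce(SAMPLE_BOUNCE))
```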




Re: choosing random ip address for outgoing smtp connection

2009-02-19 Thread Peter Blair
It's easier to do with a src-nat within network gear.  But let me tell
you that this is referred to as snowshoeing as it expands your IP
footprint, and is seen in the deliverability world as a slimy thing to
do.

People do it to mitigate the effects of their IP addresses being
blacklisted.  But the cleaner solution is to ensure that the mail
egressing from your platform shouldn't warrant a ban.

On Thu, Feb 19, 2009 at 9:45 AM, Artem Bokhan art...@academ.org wrote:
 Hi, can someone give me a hint how to randomly spread outgoing smtp traffic
 over pool of ip-addresses?
 As I understand it's necessary to create several transports and use
 transport tables, but I do not see a way how to make lookups truly random.

 smtp1  unix  -   -   n   -   100   smtp
     -o smtp_helo_name=smtpout1.do -o smtp_bind_address=1.1.1.1
 smtp2  unix  -   -   n   -   100   smtp
     -o smtp_helo_name=smtpout2.do -o smtp_bind_address=2.2.2.2
 smtp3  unix  -   -   n   -   100   smtp
     -o smtp_helo_name=smtpout3.do -o smtp_bind_address=3.3.3.3




Re: Policy for outgoing messages

2009-02-19 Thread Peter Blair
On Thu, Feb 19, 2009 at 9:02 AM, Rocco Scappatura
rocco.scappat...@infracom.it wrote:
 Thanks Peter,

  My aim, anyway, is to apply a such policy for outgoing messages
  (including internal-to-internal messages). So I have to define a
 group
  which contains the IPs enabled for relay through my mail server.

 smtpd_end_of_data_restrictions = check_policy_service inet:foo:12345

 Postfix will send something like:

 request=smtpd_access_policy
 protocol_state=END-OF-MESSAGE
 protocol_name=ESMTP
 client_address=1.2.3.4
 client_name=4.3.2.1.rfc1918.com
 reverse_client_name=4.3.2.1.rfc1918.com
 helo_name=[1.2.3.4]
 sender=sen...@example.com
 recipient...@domain.org
 recipient_count=1
 instance=581.4821e789.60a46.0
 size=500
 etrn_domain=
 sasl_method=PLAIN
 sasl_username=sen...@example.com
 sasl_sender=
 ccert_subject=
 ccert_issuer=
 ccert_fingerprint=
 encryption_protocol=
 encryption_cipher=
 encryption_keysize=0

 What do you mean? When does Postfix send the values above?

That's an example payload from postfix to a policy server at the
end-of-message section (when the client sends a \r\n.\r\n).  My
suggestion assumes that a simple policy server act as the outbound
throttle.  It can reference whatever backend suits you.

 Take the sasl_username, and use it as a key to lookup the number of
 messages sent in your homebrew database.  Then add an entry with a
 count equal to recipient_count.  If the number < some pre-defined
 threshold within time period, then allow it.  Otherwise reject it with
 some meaningful text.

 How do I take the sasl_username? So your solution assumes that
 anybody uses sasl? This is not in general true..

True.  But you can be creative, and employ a policy like:

  * SASL auth'd users can send X messages per T period
  * Unauth'd users are key'd to their IP, so that IP can send X
messages per T period
  * whatever, whatever, etc. etc.

 I have no fields that maintain the number of messages sent for each
 mailbox. Anyway, from my Ips there are users that use their own email
 addresses as sender for outgoing email (i.e.: email address in domains
 other than mine). With your solution I can't manage such situations..

Ok, without your DB schema, I'm left to my imagination.  The thing is
that you can use any unique identifier.  In my scenario, the sasl
username + FQDN is unique enough, so it doesn't matter what domain the
user is in.  And, if you support domainless authentication, you can
always code in a provision that authentications without a @ have a
certain domain name appended, etc etc.

 Anyway, I thought to some mechanism to point out an email as outgoing
 and then to input it to the policyd server.. It is possible to implement
 a such mechanism?

Sorry, I'm missing your point here.

-P
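An added example of the policy server sketched in this thread (not code from the thread or from Postfix): it counts recipients per sender in a sliding window, keyed by sasl_username when present and by client_address otherwise, appends a fixed domain to domainless logins, and speaks the Postfix policy protocol (name=value lines, an empty line ends a request, the reply is "action=..." followed by an empty line). The limit, window, listener address and default domain are assumptions.

```python
"""Outbound rate-limiting policy server for smtpd_end_of_data_restrictions (added example)."""
import socketserver
import threading
import time
from collections import defaultdict, deque

LISTEN = ("127.0.0.1", 12345)   # main.cf: smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:12345
LIMIT = 100                     # recipients per window (assumed)
WINDOW = 3600                   # seconds (assumed)
DEFAULT_DOMAIN = "example.com"  # appended to domainless SASL logins (assumed)


def parse_request(text):
    """Parse the attribute block Postfix sends; an empty line terminates it."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_key(attrs):
    """Authenticated users are keyed by login, everyone else by client IP."""
    user = attrs.get("sasl_username", "")
    if user:
        if "@" not in user:
            user = f"{user}@{DEFAULT_DOMAIN}"
        return "user:" + user.lower()
    return "ip:" + attrs.get("client_address", "unknown")


class Throttle:
    """Sliding-window recipient counter per sender key."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # key -> deque of (timestamp, recipient_count)
        self.lock = threading.Lock()

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        # Count at END-OF-MESSAGE, where recipient_count is final; ignore other states.
        if attrs.get("request") != "smtpd_access_policy" or attrs.get("protocol_state") != "END-OF-MESSAGE":
            return "DUNNO"
        try:
            count = max(1, int(attrs.get("recipient_count", "1")))
        except ValueError:
            count = 1
        key = sender_key(attrs)
        with self.lock:
            q = self.events[key]
            while q and q[0][0] <= now - self.window:
                q.popleft()
            used = sum(c for _, c in q)
            if used + count > self.limit:
                who = key.split(":", 1)[1]
                return f"DEFER_IF_PERMIT Rate limit exceeded for {who}, try again later"
            q.append((now, count))
        return "DUNNO"


THROTTLE = Throttle()


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        buf = []
        while True:                      # Postfix sends many requests per connection
            line = self.rfile.readline()
            if not line:
                return
            line = line.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                buf.append(line)
                continue
            action = THROTTLE.decide(parse_request("\n".join(buf)))
            self.wfile.write(f"action={action}\n\n".encode())
            buf = []


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, Handler) as srv:
        srv.serve_forever()
```

Because the check runs at end-of-data, a refusal rejects the whole message for all of its recipients, which is why the count is taken from recipient_count rather than per RCPT. DEFER_IF_PERMIT (a 4xx) is used so that a legitimate client will retry later instead of bouncing; the state lives in memory here, so a restart resets the counters and multiple smtpd servers need a shared backend, as the reply above notes.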


Re: Best way to set up an open relay postfix

2009-02-19 Thread Peter Blair
I'm certain that you should rephrase that to:

  Best way to NOT setup an open relay

Feel free to test your config against:

   http://www.abuse.net/relay.html

To ensure that your host isn't an open-relay to the Internet (Say hi
to hinet if it is)

On Thu, Feb 19, 2009 at 2:42 PM, Rich rhd...@gmail.com wrote:
 I want to setup postfix so that my users who use laptops can access their
 email from anywhere and then reply to those emails through the smtp server.

 What kind of security should I setup?



Re: Best way to set up an open relay postfix

2009-02-19 Thread Peter Blair
0/0 is the entire internet.

Take the approach of least privileges.  The idea that laptop users VPN
in if they want to be given a free ride (no auth) etc works, since you
can place your VPN subnet into mynetworks.

Perhaps your initial posting was too ambiguous.

On Thu, Feb 19, 2009 at 3:00 PM, Rich rhd...@gmail.com wrote:
 I used the term open relay because I don't want to limit the by setting
 mynetworks to a couple of networks.  I was thinking by using sasl and tls
 I could set mynetworks to 0/0.

 On Thu, Feb 19, 2009 at 2:42 PM, Rich rhd...@gmail.com wrote:

 I want to setup postfix so that my users who use laptops can access their
 email from anywhere and then reply to those emails through the smtp server.

 What kind of security should I setup?




Re: choosing random ip address for outgoing smtp connection

2009-02-19 Thread Peter Blair
On Thu, Feb 19, 2009 at 3:15 PM, Bokhan Artem art...@academ.org wrote:
 Peter Blair пишет:

 It's easier to do with a src-nat within network gear.

 I understand, I just wanted to know if there is an intelligent way to bind
 every ip address its own helo.

Well, you could place a slim smtp proxy between postfix and the
Internet.  Say you have a /24, and you want your egress servers to
HELO from the unique PTR addresses on your spread, then you'd want to
do something like this in postfix:

virtual_transport = smtp:127.0.0.1:12345

Now, have your server have virtual interfaces for each of your IPs.

Have a small little SMTP proxy sitting on 0:12345 that binds a local
socket to one of your virtual IPs, and then just blindly relays all
communications from postfix to the remote MX, while replacing your local
postfix's HELO/EHLO with a predefined EHLO/HELO that matches the PTR
of the IP address that you've just bound yourself to.

*shudder* - Ok, I feel like a spammer now :)

  But let me tell

 you that this is referred to as snowshoeing as it expands your IP
 footprint, and is seen in the deliverability world as a slimy thing to
 do.

 People do it to mitigate the effects of their IP addresses being
 blacklisted.  But the cleaner solution is to ensure that the mail
 egressing from your platform shouldn't warrent a ban.

 Also some systems have too high limits, so legitimate mail is delivered with
 delays...

True enough.  With today's virtualization technologies, it isn't that
hard to roll out several linux images, and place them behind a load
balancer.  That way you deliver to your virtual ip, and allow the load
balancer to relay the message to your local relays, which will just
act as normal servers.  This will maintain a 1:1 ratio between your
virtual server and IP address.


Re: choosing random ip address for outgoing smtp connection

2009-02-19 Thread Peter Blair
True enough-- but that won't help your HELO matching up with the
reverse of the IP that it's bound to.

2009/2/19 Bokhan Artem art...@academ.org:
 Peter Blair пишет:

 Well, you could place a slim smtp proxy between postfix and the
 Internet.

 It's easier to write a small tcp server for tcp_table which will randomize
 transport :)

 smtp1  unix  -   -   n   -   100   smtp -o
 smtp_helo_name=smtpout1.do -o smtp_bind_address=1.1.1.1
 smtp2  unix  -   -   n   -   100   smtp -o
 smtp_helo_name=smtpout2.do -o smtp_bind_address=2.2.2.2




Re: choosing random ip address for outgoing smtp connection

2009-02-19 Thread Peter Blair
2009/2/19 Bokhan Artem art...@academ.org:

 smtp1  unix  -   -   n   -   100   smtp -o
 smtp_helo_name=smtpout1.do -o smtp_bind_address=1.1.1.1
 smtp2  unix  -   -   n   -   100   smtp -o
 smtp_helo_name=smtpout2.do -o smtp_bind_address=2.2.2.2



 smtp1  unix  -   -   n   -   100   smtp -o
 smtp_helo_name=smtpout1.do -o smtp_bind_address=1.1.1.1

 Why? Transport smtp1 is randomly selected by tcp server, helo
 smtpout1.do is bind to ip address 1.1.1.1, PTR record of 1.1.1.1 is
 smtpout1.do, A record of smtpout1.do is 1.1.1.1.
 Everything looks clean, except tcp_table and separate tcp server look ugly
 here.

*tips hat* - I stand corrected! :)
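An added example of the "small tcp server for tcp_table" from this thread (not code from the thread or from Postfix): every transport_maps lookup is answered with a randomly chosen one of the smtp1/smtp2/smtp3 master.cf services above, so the bind address and HELO stay paired per transport while the spread is random. The wire format follows tcp_table(5): "get key" is answered with "200 value", "500 text" (not found) or "400 text" (error), with %XX encoding for whitespace, '%', control and non-ASCII characters. The listener address and port are assumptions.

```python
"""Random-transport tcp_table server for transport_maps (added example)."""
import random
import re
import socketserver

LISTEN = ("127.0.0.1", 2345)                 # assumed; main.cf: transport_maps = tcp:127.0.0.1:2345
TRANSPORTS = ["smtp1", "smtp2", "smtp3"]     # the master.cf services from the thread


def tcp_decode(s):
    """Undo tcp_table's %XX escaping."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def tcp_encode(s):
    """Escape whitespace, '%', control and non-ASCII characters as %XX."""
    return "".join("%%%02X" % ord(c) if ord(c) < 33 or ord(c) > 126 or c == "%" else c for c in s)


def handle_line(line, rng=random):
    """Compute the reply for one request line (without its trailing newline)."""
    cmd, _, key = line.partition(" ")
    if cmd != "get" or not key:
        return "400 only 'get' is supported"     # 'put' would be a table update; refuse it
    _domain = tcp_decode(key)                    # Postfix may query several keys per recipient;
    transport = rng.choice(TRANSPORTS)           # the first 200 answer wins, so any key gets one
    return "200 " + tcp_encode(transport + ":")  # empty nexthop: deliver to the domain's own MX


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:                              # Postfix reuses the connection for many lookups
            line = self.rfile.readline()
            if not line:
                return
            reply = handle_line(line.decode("ascii", "replace").rstrip("\r\n"))
            self.wfile.write((reply + "\n").encode("ascii"))


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, Handler) as srv:
        srv.serve_forever()
```

The protocol has no authentication, so bind it to loopback only: anyone who can reach the port can steer your outbound mail to a transport of their choosing. Each delivery attempt is a fresh lookup, so a deferred message may leave from a different IP on retry; the snowshoeing caveat earlier in the thread still applies.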


Re: rbl clients.

2009-02-12 Thread Peter Blair
http://stats.dnsbl.com/

As victor said, ZEN is usually enough for most people, but it's always
good to know why you're not using the rest.

On Thu, Feb 12, 2009 at 2:02 PM, Linux Addict linuxaddi...@gmail.com wrote:
 Please see below my smtpd_recipient_restrictions. On my rbl client list I
 have multiple entries, but not sure how many of them actually maintained. Is
 there one single place where I can find such a list. Any help is greatly
 appreciated.

 smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
   reject_invalid_hostname, permit
 smtpd_recipient_limit = 300
 smtpd_recipient_restrictions = permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   reject_invalid_hostname,
   reject_unauth_pipelining,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_rbl_client blackholes.easynet.nl,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client proxies.blackholes.wirehub.net,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client dnsbl.njabl.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client multihop.dsbl.org,
   permit

 ~LA


Re: filtering mail

2009-02-12 Thread Peter Blair
Including every solicited bulk email.  They usually create unique
bounce addresses to track dead target mailboxes etc.

On Wed, Feb 11, 2009 at 9:30 AM, Michael Katz
mkn...@messagepartners.com wrote:
 Ilo Lorusso wrote:
 Hi


 is there a way I can reject messages when its from address does not
 match the envelope from address?

 Doing that will drop tons of legit email.

 Mike Katz
 http://messagepartners.com


 using postfix ofcourse


 Thanks

 Regards


 Ilo