TLS handshake failed
Hello,

a user of my mail gateway has got the following messages while trying to send a message to recipie...@recipdomain.tld,recipie...@recipdomain.tld:

- Original Message -
From: Mail Delivery Subsystem mailer-dae...@recipserver.tld
To: sen...@senddomain.tld
Sent: Tuesday, July 07, 2009 12:52 AM
Subject: Warning: could not send message for past 4 hours

    **
    ** THIS IS A WARNING MESSAGE ONLY **
    ** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
    **

The original message was received at Mon, 6 Jul 2009 15:30:05 +0200
from myserver.mydomain.tld [xxx.yyy.www.zzz]

- Transcript of session follows -
recipie...@recipdomain.tld,recipie...@recipdomain.tld... Deferred: 403 4.7.0 TLS handshake failed.
Warning: message still undelivered after 4 hours
Will keep trying until message is 4 days old

. . .

The recipient 'recipserver.tld' runs Sendmail:

    # telnet aaa.bbb.ccc.ddd 25
    Trying aaa.bbb.ccc.ddd...
    Connected to aaa.bbb.ccc.ddd.
    Escape character is '^]'.
    220 recipserver.tld ESMTP Sendmail 8.14.3/8.14.3; Thu, 9 Jul 2009 09:53:50 +0200

While I mind up that my server supports TLS: (:-O) :

    # postconf -d | grep tls
    lmtp_enforce_tls = no
    lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
    lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
    lmtp_starttls_timeout = 300s
    lmtp_tls_CAfile =
    lmtp_tls_CApath =
    lmtp_tls_cert_file =
    lmtp_tls_dcert_file =
    lmtp_tls_dkey_file = $lmtp_tls_dcert_file
    lmtp_tls_enforce_peername = yes
    lmtp_tls_exclude_ciphers =
    lmtp_tls_fingerprint_cert_match =
    lmtp_tls_fingerprint_digest = md5
    lmtp_tls_key_file = $lmtp_tls_cert_file
    lmtp_tls_loglevel = 0
    lmtp_tls_mandatory_ciphers = medium
    lmtp_tls_mandatory_exclude_ciphers =
    lmtp_tls_mandatory_protocols = SSLv3, TLSv1
    lmtp_tls_note_starttls_offer = no
    lmtp_tls_per_site =
    lmtp_tls_policy_maps =
    lmtp_tls_scert_verifydepth = 9
    lmtp_tls_secure_cert_match = nexthop
    lmtp_tls_security_level =
    lmtp_tls_session_cache_database =
    lmtp_tls_session_cache_timeout = 3600s
    lmtp_tls_verify_cert_match = hostname
    lmtp_use_tls = no
    milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
    smtp_enforce_tls = no
    smtp_sasl_tls_security_options = $smtp_sasl_security_options
    smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
    smtp_starttls_timeout = 300s
    smtp_tls_CAfile =
    smtp_tls_CApath =
    smtp_tls_cert_file =
    smtp_tls_dcert_file =
    smtp_tls_dkey_file = $smtp_tls_dcert_file
    smtp_tls_enforce_peername = yes
    smtp_tls_exclude_ciphers =
    smtp_tls_fingerprint_cert_match =
    smtp_tls_fingerprint_digest = md5
    smtp_tls_key_file = $smtp_tls_cert_file
    smtp_tls_loglevel = 0
    smtp_tls_mandatory_ciphers = medium
    smtp_tls_mandatory_exclude_ciphers =
    smtp_tls_mandatory_protocols = SSLv3, TLSv1
    smtp_tls_note_starttls_offer = no
    smtp_tls_per_site =
    smtp_tls_policy_maps =
    smtp_tls_scert_verifydepth = 9
    smtp_tls_secure_cert_match = nexthop, dot-nexthop
    smtp_tls_security_level =
    smtp_tls_session_cache_database =
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_verify_cert_match = hostname
    smtp_use_tls = no
    smtpd_client_new_tls_session_rate_limit = 0
    smtpd_enforce_tls = no
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_starttls_timeout = 300s
    smtpd_tls_CAfile =
    smtpd_tls_CApath =
    smtpd_tls_always_issue_session_ids = yes
    smtpd_tls_ask_ccert = no
    smtpd_tls_auth_only = no
    smtpd_tls_ccert_verifydepth = 9
    smtpd_tls_cert_file =
    smtpd_tls_dcert_file =
    smtpd_tls_dh1024_param_file =
    smtpd_tls_dh512_param_file =
    smtpd_tls_dkey_file = $smtpd_tls_dcert_file
    smtpd_tls_exclude_ciphers =
    smtpd_tls_fingerprint_digest = md5
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_loglevel = 0
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_exclude_ciphers =
    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    smtpd_tls_received_header = no
    smtpd_tls_req_ccert = no
    smtpd_tls_security_level =
    smtpd_tls_session_cache_database =
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_wrappermode = no
    smtpd_use_tls = no
    tls_daemon_random_bytes = 32
    tls_export_cipherlist = ALL:+RC4:@STRENGTH
    tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
    tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
    tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
    tls_null_cipherlist = eNULL:!aNULL
    tls_random_bytes = 32
    tls_random_exchange_name = ${data_directory}/prng_exch
    tls_random_prng_update_period = 3600s
    tls_random_reseed_period = 3600s
    tls_random_source = dev:/dev/urandom

Basically, I can't figure out why a TLS communication is attempted. After this, I can't figure out who tries to start the communication over TLS. For my latter question I fear that it is my mail gateway, and just for this I would like to know if it is possible to disable TLS while there is the need to communicate with 'recipserver.tld'. Could I disable the TLS with whatever server my mail gateway starts to communicate (i.e.:
RE: TLS handshake failed
Thanks,

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Charles Marcus
Sent: Thursday, July 09, 2009 12:43 PM
To: postfix-users@postfix.org
Subject: Re: TLS handshake failed

> On 7/9/2009, Rocco Scappatura (rocco.scappat...@infracom.it) wrote:
>> # postconf -d | grep tls
>
> ? This shows defaults... please use postconf -n output - and no need to
> filter it, it won't (shouldn't) be all that long...

    # postconf -n
    alias_maps = hash:/etc/aliases
    anvil_rate_time_unit = 60s
    bounce_size_limit = 1
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    default_process_limit = 150
    html_directory = no
    inet_interfaces = $myhostname, localhost
    local_recipient_maps = unix:passwd.byname $alias_maps
    mail_owner = postfix
    mail_spool_directory = /var/spool/mail
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/local/man
    message_size_limit = 3584
    minimal_backoff_time = 1800s
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = name
    myhostname = name
    mynetworks = /etc/postfix/relayzahra2
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf proxy:mysql:/etc/postfix/mysql-check-client-access.cf proxy:mysql:/etc/postfix/mysql-check-sender-access.cf proxy:mysql:/etc/postfix/mysql-relay-recipients.cf proxy:mysql:/etc/postfix/mysql-transport.cf proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
    queue_directory = /var/spool/postfix
    readme_directory = no
    relay_domains = proxy:mysql:/etc/postfix/mysql-relay-domains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
    sample_directory = /etc/postfix
    sender_bcc_maps = hash:/etc/postfix/sender_bcc
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtp_connect_timeout = 10s
    smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/mta_workarounds
    smtpd_banner = $myhostname
    smtpd_client_connection_count_limit = 20
    smtpd_client_connection_rate_limit = 50
    smtpd_client_event_limit_exceptions = 10.38.200.62, 10.3.253.11,...
    smtpd_client_message_rate_limit = 60
    smtpd_client_recipient_rate_limit = 100
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
    smtpd_end_of_data_restrictions =
    smtpd_helo_restrictions =
    smtpd_recipient_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_sender reject_unlisted_recipient reject_unknown_sender_domain reject_invalid_hostname reject_rbl_client zen.spamhaus.org reject_rbl_client list.dsbl.org
    smtpd_sasl_auth_enable = yes
    smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    strict_rfc821_envelopes = yes
    transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
    unknown_local_recipient_reject_code = 550
    unverified_recipient_reject_code = 550

rocsca
RE: TLS handshake failed
Hello,

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
Sent: Thursday, July 09, 2009 12:47 PM
To: Postfix users
Subject: Re: TLS handshake failed

> Rocco Scappatura:
>> # postconf -d | grep tls
>
> What web page is telling you to use postconf -d for trouble shooting?
> It should say postconf -n instead.

I have only shown that my postfix was compiled with TLS support..

rocsca
RE: TLS handshake failed
Thanks Victor,

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
Sent: Thursday, July 09, 2009 2:11 PM
To: postfix-users@postfix.org
Subject: Re: TLS handshake failed

> On Thu, Jul 09, 2009 at 10:11:26AM +0200, Rocco Scappatura wrote:
>> Hello,
>>
>> a user of my mail gateway has got the following messages while trying to send a message to recipie...@recipdomain.tld,recipie...@recipdomain.tld:
>>
>> - Original Message -
>> From: Mail Delivery Subsystem mailer-dae...@recipserver.tld
>> To: sen...@senddomain.tld
>> Sent: Tuesday, July 07, 2009 12:52 AM
>> Subject: Warning: could not send message for past 4 hours
>>
>>     **
>>     ** THIS IS A WARNING MESSAGE ONLY **
>>     ** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
>>     **
>>
>> The original message was received at Mon, 6 Jul 2009 15:30:05 +0200
>> from myserver.mydomain.tld [xxx.yyy.www.zzz]
>>
>> - Transcript of session follows -
>> recipie...@recipdomain.tld,recipie...@recipdomain.tld... Deferred: 403 4.7.0 TLS handshake failed.
>> Warning: message still undelivered after 4 hours
>> Will keep trying until message is 4 days old
>
> This problem is downstream of your server. The server that received the mail from you is unable to deliver it further, because it cannot establish a TLS connection as required by its policy settings.

Ok. Could a downstream server require that my server (that so acts as an SMTP client) communicate using a TLS connection? Could I neglect TLS configuration aspect if I don't intend to use TLS to exchange electronic mail? (I compiled Postfix with TLS support because I need to use authentication in conjunction with SMTP).

> Nothing you can do. The context below makes this rather clear...

Still thanks,

rocsca
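Whether the gateway itself can be the side that starts TLS can be read off its own `postconf -n` output. The sketch below is an added example, not code from the thread or from Postfix; it applies the client-side precedence documented in postconf(5) for Postfix releases that still carry smtp_use_tls and smtp_enforce_tls, and GATEWAY_CONF is a constructed excerpt in the shape of the listing posted above.

```python
# Added example: derive the Postfix SMTP *client* TLS level from postconf -n text.

# Constructed excerpt shaped like the poster's `postconf -n` (no smtp_tls_* set).
GATEWAY_CONF = """\
# postconf -n
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp_connect_timeout = 10s
smtpd_sasl_auth_enable = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
"""


def parse_postconf(text):
    """Turn 'name = value' lines into a dict; prompt/comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.startswith("#"):
            params[name.strip()] = value.strip()
    return params


def is_yes(params, name, default="no"):
    return params.get(name, default).strip().lower() == "yes"


def smtp_client_tls_level(params):
    """Effective outbound level: none, may, encrypt, verify, ...

    A non-empty smtp_tls_security_level overrides the older boolean
    parameters; otherwise smtp_enforce_tls and smtp_use_tls decide.
    """
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level
    if is_yes(params, "smtp_enforce_tls"):
        # smtp_tls_enforce_peername defaults to yes (see the -d listing above).
        peer = is_yes(params, "smtp_tls_enforce_peername", "yes")
        return "verify" if peer else "encrypt"
    return "may" if is_yes(params, "smtp_use_tls") else "none"


def per_destination_overrides(params):
    """Tables that can raise or lower the level for individual destinations."""
    names = ("smtp_tls_policy_maps", "smtp_tls_per_site")
    return [n for n in names if params.get(n)]


def report(params):
    level = smtp_client_tls_level(params)
    overrides = per_destination_overrides(params)
    return {
        "level": level,
        "overrides": overrides,
        # With level "none" and no per-destination table, the SMTP client
        # never issues STARTTLS, so a TLS failure must come from another hop.
        "client_may_send_starttls": level != "none" or bool(overrides),
    }


if __name__ == "__main__":
    print(report(parse_postconf(GATEWAY_CONF)))
```
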
RE: sender_bcc_maps and performance
Thanks Victor,

> On Wed, Jul 01, 2009 at 02:48:00PM +0200, Rocco Scappatura wrote:
>> Hello,
>>
>> I have enabled sender_bcc_maps in my main.cf. The lookup file has just 2 entries.
>
> What fraction of your traffic is sent by these 2 entries. Do you have content filters downstream of the cleanup service that adds the bcc addresses? Report your configuration:
>
> http://www.postfix.org/DEBUG_README.html#mail

A negligible one. Yes, I have set up a content filter (amavisd-new). Anyway, here is my postconf output:

    alias_maps = hash:/etc/aliases
    anvil_rate_time_unit = 60s
    bounce_size_limit = 1
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    default_process_limit = 150
    html_directory = no
    inet_interfaces = $myhostname, localhost
    local_recipient_maps = unix:passwd.byname $alias_maps
    mail_owner = postfix
    mail_spool_directory = /var/spool/mail
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/local/man
    message_size_limit = 3584
    minimal_backoff_time = 1800s
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = av2.sttspa.it
    myhostname = av2.sttspa.it
    mynetworks = /etc/postfix/relayzahra2
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf proxy:mysql:/etc/postfix/mysql-check-client-access.cf proxy:mysql:/etc/postfix/mysql-check-sender-access.cf proxy:mysql:/etc/postfix/mysql-relay-recipients.cf proxy:mysql:/etc/postfix/mysql-transport.cf proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
    queue_directory = /var/spool/postfix
    readme_directory = no
    relay_domains = proxy:mysql:/etc/postfix/mysql-relay-domains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
    sample_directory = /etc/postfix
    sender_bcc_maps = hash:/etc/postfix/sender_bcc
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtp_connect_timeout = 30s
    smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/mta_workarounds
    smtpd_banner = $myhostname
    smtpd_client_connection_count_limit = 50
    smtpd_client_connection_rate_limit = 100
    smtpd_client_event_limit_exceptions = list of IPs
    smtpd_client_message_rate_limit = 60
    smtpd_client_recipient_rate_limit = 250
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
    smtpd_end_of_data_restrictions =
    smtpd_helo_restrictions =
    smtpd_recipient_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_sender reject_unlisted_recipient reject_unknown_sender_domain reject_invalid_hostname reject_rbl_client zen.spamhaus.org reject_rbl_client list.dsbl.org
    smtpd_sasl_auth_enable = yes
    smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    strict_rfc821_envelopes = yes
    transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
    unknown_local_recipient_reject_code = 550
    unverified_recipient_reject_code = 550

>> I have noticed that the number of messages in the active queue grows as soon as I enable this feature.
>
> Your observations are flawed, this processing happens before the message enters the active queue, so more latency upstream would actually reduce the size of the active queue unless you significantly increase the number of output messages per input message, which suggests a misconfigured content filter or similar.

OK. I have applied configuration updating during a congested moment.. I fear that this has increased congestion as result. Then I have rolled back modifications and all (slowly) have returned to work normally.

Finally, I have applied again configuration modification (which uses 'sender_bcc_maps') yesterday night and tomorrow all works fine without (at least at the moment) active queue congestion.

What could have happened?

Thanks,

rocsca
sender_bcc_maps and performance
Hello,

I have enabled sender_bcc_maps in my main.cf. The lookup file has just 2 entries.

I have noticed that the number of messages in the active queue grows as soon as I enable this feature.

Is it so expensive? I otherwise can't figure out why the active queue grows. In fact, I have verified that no configuration errors are in the mail log.

rocsca
RE: Cryptic message for end users
Hello,

>>> Error 1: maildirmake: /pathto/user/: File exists
>>> Error 2: maildrop: maildir over quota.
>>
>> What you mean precisely? How I can find the mistake? Here my maildrop conf file:
>>
>> log test -d $HOME$DEFAULT
>> `test -d $HOME$DEFAULT`
>> if ($RETURNCODE != 0)
>> {
>>     log mkdir -p $HOME$DEFAULT
>>     `mkdir -p $HOME$DEFAULT`
>>     log rmdir $HOME$DEFAULT
>>     `rmdir $HOME$DEFAULT`
>> }
>> log /usr/local/courier/bin/maildirmake $HOME$DEFAULT
>> `/usr/local/courier/bin/maildirmake $HOME$DEFAULT`
>
> Either the line above
>
>> log /usr/local/courier/bin/maildirmake -q $MAILDIRQUOTA $HOME$DEFAULT
>> `/usr/local/courier/bin/maildirmake -q $MAILDIRQUOTA $HOME$DEFAULT`
>
> Or the line above is causing error 1!
>
>> . . .
>> TO $HOME$DEFAULT
>
> This causes error 2

Ok Ralph, I have solved the two holes in conf file of Maildrop. Now I get the following over quota message:

    posta.sttspa.it #5.7.0 x-unix; maildrop: maildir over quota.

Which is still not completely 'human-readable'.

Is it possible to do so that Postfix produces a custom message based on the error code returned by maildrop?

Thanks,

rocsca
RE: Cryptic message for end users
Wietse,

>> Ok Ralph, I have solved the two holes in conf file of Maildrop. Now I get the following over quota message:
>>
>>     posta.sttspa.it #5.7.0 x-unix; maildrop: maildir over quota.
>>
>> Which is still not completely 'human-readable'.
>
> The error message is produced by maildrop, so this is perhaps not the right mailing list. For example, maildrop could export an appropriate enhanced status code; 5.7.0 means other or undefined security status which makes little sense here.
>
>> Is it possible to do so that Postfix produces a custom message based on the error code returned by maildrop?
>
> A universal error message translator would be an interesting project, but I am not sure that Postfix is the right place.

Very clear.

Thanks,

rocsca
Cryptic message for end users
Hello,

I have a postoffice system based on Postfix+MySQL+Courier-IMAP+Courier-authlib+Maildrop.

I have enabled quota checking with maildrop. When the quota is exceeded, Postfix gets a permanent error from maildrop and generates a bounce with the following information:

    mypostoffice.domain.tld #5.7.0 x-unix; maildirmake: /pathto/user/: File exists maildrop: maildir over quota.

The message is reported 'as-is' by the MTA of the sender, to the sender.

This message is clearly too technical for end users, who claim that the mail system has a fault!

Could I configure Postfix so that the message generated by Postfix when the quota is exceeded is easier for the end user to understand? Or is it a matter of maildrop?

Thanks,

rocsca
RE: Cryptic message for end users
Thanks Ralph,

> * Rocco Scappatura rocco.scappat...@infracom.it:
>>> Error 1: maildirmake: /pathto/user/: File exists
>>> Error 2: maildrop: maildir over quota.
>>
>> What you mean precisely? How I can find the mistake? Here my maildrop conf file:
>>
>> log test -d $HOME$DEFAULT
>> `test -d $HOME$DEFAULT`
>> if ($RETURNCODE != 0)
>> {
>>     log mkdir -p $HOME$DEFAULT
>>     `mkdir -p $HOME$DEFAULT`
>>     log rmdir $HOME$DEFAULT
>>     `rmdir $HOME$DEFAULT`
>> }
>> log /usr/local/courier/bin/maildirmake $HOME$DEFAULT
>> `/usr/local/courier/bin/maildirmake $HOME$DEFAULT`
>
> Either the line above
>
>> log /usr/local/courier/bin/maildirmake -q $MAILDIRQUOTA $HOME$DEFAULT
>> `/usr/local/courier/bin/maildirmake -q $MAILDIRQUOTA $HOME$DEFAULT`
>
> Or the line above is causing error 1!
>
>> . . .
>> TO $HOME$DEFAULT
>
> This causes error 2

I will write a more reliable conf for maildrop for the matter of error 1. While I remove the line causing error 2.

BTW, still Brixen next summer? ;-)

rocsca
private/hash
Hello,

I get:

    warning: connect #3 to subsystem private/hash: No such file or directory

In main.cf I set:

    virtual_alias_domains = domain.tld
    virtual_alias_maps = hash:/etc/postfix/virtual

while in /etc/postfix/virtual

    kubasms@ domain.tld
    autogerma@ domain2.tld
    kubasms-notifiche@ domain.tld
    roberto.pellegrino@ domain2.tld

and then:

    # postmap /etc/postfix/virtual
    # rcpostfix reload

What is the problem? What do I have to do to solve the warning in log messages?

Thanks,

rocsca
RE: private/hash
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Matt Hayes
Sent: Friday, May 08, 2009 5:22 PM
To: postfix-users@postfix.org
Subject: Re: private/hash

> Rocco Scappatura wrote:
>> Hello,
>>
>> I get:
>>
>>     warning: connect #3 to subsystem private/hash: No such file or directory
>>
>> In main.cf I set:
>>
>>     virtual_alias_domains = domain.tld
>>     virtual_alias_maps = hash:/etc/postfix/virtual
>>
>> while in /etc/postfix/virtual
>>
>>     kubasms@ domain.tld
>>     autogerma@ domain2.tld
>>     kubasms-notifiche@ domain.tld
>>     roberto.pellegrino@ domain2.tld
>>
>> and then:
>>
>>     # postmap /etc/postfix/virtual
>>     # rcpostfix reload
>>
>> What is the problem? What do I have to do to solve the warning in log messages?
>>
>> Thanks,
>>
>> rocsca
>
> Did you make changes to master.cf?

No

rocsca
RE: private/hash
Hello,

> Rocco Scappatura:
>> Hello,
>>
>> I get:
>>
>>     warning: connect #3 to subsystem private/hash: No such file or directory
>
> You have configured a hash: LOOKUP TABLE where Postfix expects a SERVICE NAME (such as a content filter or policy service).
>
> Use ls -lt to find out what Postfix config files you have changed.

    /etc/postfix # ls -lta
    total 476
    drwxr-xr-x 2 root root 4096 May 8 17:33 .
    -rw-r--r-- 1 root root 12288 May 8 17:18 virtual.db
    -rw-r--r-- 1 root root 12105 May 8 17:10 virtual
    -rw-r--r-- 1 root root 28460 May 8 17:09 main.cf
    drwxr-xr-x 63 root root 8192 May 8 14:59 ..
    -rwx-- 1 root root 14788 May 7 09:38 relayzahra2
    -rw-r--r-- 1 root root 5554 Apr 10 12:47 master.cf
    -rw-r--r-- 1 root root 341 Mar 23 16:55 postgrey_whitelist_recipients
    -rw-r--r-- 1 root root 270 Jan 15 17:55 mysql-check-client-filter-access.cf
    -rwxr-xr-x 1 root root 36380 Jan 15 15:18 postgrey
    -rw-r--r-- 1 root root 7363 Jan 15 15:18 postgrey_whitelist_clients
    -rw-r--r-- 1 root root 16977 Jan 12 11:34 body_checks
    -rw-r--r-- 1 root root 16896 Jan 9 10:20 header_checks

rocsca
RE: private/hash
Sorry,

> On Fri May 8 2009 10:20:22 Rocco Scappatura wrote:
>> I get:
>>
>>     warning: connect #3 to subsystem private/hash: No such file or directory
>
> And which process gives you this warning? You snipped out significant portions of the log, so definitive help is not possible.

    May 8 17:16:50 av3 postfix/local[3419]: fatal: connect #11 to subsystem private/hash: No such file or directory
    May 8 17:16:51 av3 postfix/qmgr[2075]: warning: premature end-of-input on private/local socket while reading input attribute name
    May 8 17:16:51 av3 postfix/qmgr[2075]: warning: private/local socket: malformed response
    May 8 17:16:51 av3 postfix/qmgr[2075]: warning: transport local failure -- see a previous warning/fatal/panic logfile record for the problem description
    May 8 17:16:51 av3 postfix/master[2071]: warning: process /usr/libexec/postfix/local pid 3419 exit status 1
    May 8 17:16:51 av3 postfix/master[2071]: warning: /usr/libexec/postfix/local: bad command startup -- throttling
    May 8 17:16:51 av3 postfix/qmgr[2075]: BE6C2750131: to=postmas...@localhost.av3.sttspa.it, orig_to=postmas...@localhost, relay=none, delay=101, delays=0.11/101/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

>> In main.cf I set:
>>
>>     virtual_alias_domains = domain.tld
>>     virtual_alias_maps = hash:/etc/postfix/virtual
>
> And you're showing a main.cf snippet rather than postconf(1) output.

    alias_maps = hash:/etc/aliases
    anvil_rate_time_unit = 60s
    body_checks = regexp:/etc/postfix/body_checks
    bounce_size_limit = 1
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    default_process_limit = 150
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = $myhostname, localhost
    local_recipient_maps = unix:passwd.byname $alias_maps
    mail_owner = postfix
    mail_spool_directory = /var/spool/mail
    mailbox_transport = hash:/etc/postfix/transport
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/local/man
    message_size_limit = 3584
    minimal_backoff_time = 1800s
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = av3.domain2.tld
    myhostname = av3.domain2.tld
    mynetworks = /etc/postfix/relayzahra2
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf proxy:mysql:/etc/postfix/mysql-check-client-access.cf proxy:mysql:/etc/postfix/mysql-check-sender-access.cf proxy:mysql:/etc/postfix/mysql-relay-recipients.cf proxy:mysql:/etc/postfix/mysql-transport.cf proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
    queue_directory = /var/spool/postfix
    readme_directory = no
    relay_domains = proxy:mysql:/etc/postfix/mysql-relay-domains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
    sample_directory = /etc/postfix
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtp_connect_timeout = 10s
    smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/mta_workarounds
    smtpd_banner = $myhostname
    smtpd_client_connection_count_limit = 50
    smtpd_client_connection_rate_limit = 100
    smtpd_client_event_limit_exceptions = 10.38.200.62
    smtpd_client_message_rate_limit = 60
    smtpd_client_recipient_rate_limit = 250
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
    smtpd_end_of_data_restrictions =
    smtpd_helo_restrictions =
    smtpd_recipient_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_sender reject_unlisted_recipient reject_unknown_sender_domain reject_invalid_hostname reject_rbl_client zen.spamhaus.org reject_rbl_client list.dsbl.org check_policy_service inet:127.0.0.1:54000
    smtpd_sasl_auth_enable = yes
    smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    strict_rfc821_envelopes = yes
    transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
    unknown_local_recipient_reject_code = 550
    unverified_recipient_reject_code = 550
    virtual_alias_domains = domain.tld
    virtual_alias_maps = hash:/etc/postfix/virtual

thanks,

rocsca
RE: private/hash
Thanks all!

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Magnus Bäck
Sent: Friday, May 08, 2009 6:00 PM
To: postfix-users@postfix.org
Subject: Re: private/hash

> On Friday, May 08, 2009 at 17:45 CEST,
> Rocco Scappatura rocco.scappat...@infracom.it wrote:
>>> And which process gives you this warning? You snipped out significant portions of the log, so definitive help is not possible.
>>
>> May 8 17:16:50 av3 postfix/local[3419]: fatal: connect #11 to subsystem private/hash: No such file or directory
>
> [...]
>
>> mailbox_transport = hash:/etc/postfix/transport
>
> mailbox_transport should specify a transport name, not a lookup table. Use mailbox_transport_maps if you need mailbox transport table lookups.
>
> [...]
>
> --
> Magnus Bäck
> mag...@dsek.lth.se
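The diagnosis reached in this thread can be automated by tying the "connect to subsystem private/NAME" log record back to the setting that named the service. The following is an added example, not code from the thread or from Postfix: the log lines and settings are copied from the messages above, while MASTER_SERVICES is constructed (master.cf was never posted) and the parameter and table-type lists are a non-exhaustive selection.

```python
import re

# Parameters that take "transport" or "transport:nexthop"; the transport part
# must name a service in master.cf, never a lookup table.
TRANSPORT_PARAMS = (
    "content_filter", "default_transport", "fallback_transport",
    "local_transport", "mailbox_transport", "relay_transport",
    "virtual_transport",
)
# Lookup table types whose "type:name" syntax is easy to paste by mistake.
LOOKUP_TYPES = {"btree", "cdb", "cidr", "dbm", "hash", "ldap", "lmdb",
                "mysql", "pcre", "pgsql", "proxy", "regexp", "texthash"}

SUBSYSTEM_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?:fatal|warning): connect #\d+ "
    r"to subsystem private/(?P<service>[^:\s]+): No such file or directory")

# Log records and settings copied from the thread above.
LOG = """\
May 8 17:16:50 av3 postfix/local[3419]: fatal: connect #11 to subsystem private/hash: No such file or directory
May 8 17:16:51 av3 postfix/qmgr[2075]: warning: transport local failure -- see a previous warning/fatal/panic logfile record for the problem description
"""
POSTCONF_N = """\
content_filter = smtp-amavis:[127.0.0.1]:10024
mailbox_transport = hash:/etc/postfix/transport
transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
virtual_alias_maps = hash:/etc/postfix/virtual
"""
# Constructed: service names assumed to exist in master.cf.
MASTER_SERVICES = {"smtp", "local", "virtual", "relay", "error", "smtp-amavis"}


def parse_postconf(text):
    """Turn 'name = value' lines into a dict."""
    return {k.strip(): v.strip()
            for k, sep, v in (l.partition("=") for l in text.splitlines())
            if sep}


def missing_services(log_text):
    """(daemon, service) pairs for sockets a Postfix daemon could not reach."""
    found = {(m["daemon"], m["service"])
             for m in SUBSYSTEM_RE.finditer(log_text)}
    return sorted(found)


def check_transports(params, master_services, log_text=""):
    """Flag transport-valued settings that do not name a master.cf service.

    Each finding is (parameter, value, reason, seen_in_log); seen_in_log is
    True when the log shows a failed connect to that same private/ service.
    """
    in_log = {service for _, service in missing_services(log_text)}
    findings = []
    for name in TRANSPORT_PARAMS:
        value = params.get(name, "")
        transport = value.split(":", 1)[0]
        if not transport or transport in master_services:
            continue
        reason = ("lookup table given where a transport name is expected"
                  if transport in LOOKUP_TYPES
                  else "transport not defined in master.cf")
        findings.append((name, value, reason, transport in in_log))
    return findings


if __name__ == "__main__":
    for finding in check_transports(parse_postconf(POSTCONF_N),
                                    MASTER_SERVICES, LOG):
        print(finding)
```

Map-valued settings such as virtual_alias_maps are deliberately not checked: hash: is correct there, which is why the virtual alias lines first suspected in the thread were not the cause.
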
RE: Redirect messages for just one recipient
Thanks Barney, thanks Noel,

All works fine.

Bye,

rocsva

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Barney Desmond
Sent: Wednesday, May 06, 2009 12:38 AM
To: postfix users list
Subject: Re: Redirect messages for just one recipient

> 2009/5/6 Noel Jones njo...@megan.vbhcs.org:
>>> If domain.tld isn't already in virtual_alias_domains then you need to add it, as well as the mapping to extdomain.tld
>>
>> No, domain.tld must not be added to virtual_alias_domains if postfix already accepts mail for that domain. A domain must not be listed in more than one address class.
>
> Yes, I probably should have qualified that for my own assumptions of the setup. But of course, without postconf -n we don't really know ;)
Redirect messages for just one recipient
Hello,

I have a Postfix-based system which consists of a front end side (mail gateway) and a post office side.

I receive messages for different domains. Every message destined for a domain, say domain.tld, is forwarded to the post office and there the recipient will eventually be translated and delivered into the appropriate mailbox.

I need to deliver messages for a particular recipient belonging to the domain, say re...@domain.tld, which is an alias of a domain not managed on my post office, say re...@extdomain.tld. This is not a problem on my architecture obviously. But I would like to deliver messages for re...@extdomain.tld without passing through my post office.

Basically, I need to translate re...@domain.tld into re...@extdomain.tld and deliver re...@extdomain.tld from my mail gateway directly to the mail server responsible for extdomain.tld.

Is it possible? I've tried to accomplish this by inserting in the /etc/aliases file of the mail gateway the entry:

    re...@domain.tld: re...@extdomain.tld

But I get:

    # newaliases
    postalias: warning: /etc/aliases, line 85: name must be local

Does anyone have any idea?

Thanks,

rocsca
Separating relay control from other checks
Hello,

I found interesting the discussion started by mouss in the thread "whitelist from spamhaus", and particularly the content of the email:

http://archives.neohapsis.com/archives/postfix/2006-05/0598.html

written by Viktor.

Indeed, I started some weeks ago to use the Postfix SMTP policy access delegation. Because I need to apply a policy to the outgoing messages, I have been obliged to put the policy check delegation on top of the smtpd_recipient_restrictions class:

    smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:10031
        check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        . . .

I don't like this solution much because doing so I apply the policy even before checking if an IP is enabled to relay through my mail gateway. Nevertheless, I could move down check_policy_service after reject_unauth_destination because the policy wouldn't be applied to the outgoing messages..

In the solution proposed by Viktor, it seems that I could separate the two stages (UCE control - including policy, and relay). So I can rewrite the stage above as the following:

    smtpd_rcpt_restriction_classes =
        smtpd_relay_restrictions
        smtpd_recipient_restrictions

where

    smtpd_relay_restrictions =
        check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination

    smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:10031

What do you think? Could it be ok?

A further question: How do I tell postfix to use 'smtpd_rcpt_restriction_classes' and where will it be evaluated?

Thanks,

rocsca
RE: Separating relay control from other checks
>> A further question: How do I tell postfix to use 'smtpd_rcpt_restriction_classes' and where will it be evaluated?
>
> You can't. This is a hypothetical feature. It has not yet been (and may never be) implemented.

:-( What a shame! I think that it could be very nice..

rocsca
RE: Separating relay control from other checks
Viktor,

>>>> A further question: How do I tell postfix to use 'smtpd_rcpt_restriction_classes' and where will it be evaluated?
>>>
>>> You can't. This is a hypothetical feature. It has not yet been (and may never be) implemented.
>>
>> :-( What a shame! I think that it could be very nice..
>
> Well, I thought it would be a cool idea too, but it is not clear that this is the right next step in the evolution of the Postfix restriction framework.

Thanks,

BTW, is Morgan Stanley still looking for a Senior Unix system/email administrator? :-) Let me know..

rocsca
RE: relayhost
Noel,

>> I need to use the 'mail()' PHP function on a UNIX system, which uses Postfix as MTA.
>>
>> On Linux systems, the mail() function uses the 'sendmail' program to transmit messages. And so, my PHP program uses the postfix setup to transmit the messages. In particular, it looks up DNS for the MX of the destination domain and forwards it to the correct destination.
>>
>> Now I have the problem that indeed I need that some messages have to be forwarded directly to the destination, while the ones generated by my mail application should be sent through a smart host (setting up relayhost=smart.host.tld).
>>
>> How could I do? Is it possible to change the relayhost postfix parameter on the fly? Or what?
>>
>> Thanks,
>>
>> rocsca
>
> You can change it based on the envelope sender
>
> http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps

Magnifico! ;-)

Thanks,

rocsca
relayhost
Hello,

I need to use the 'mail()' PHP function on a UNIX system, which uses Postfix as MTA.

On Linux systems, the mail() function uses the 'sendmail' program to transmit messages. And so, my PHP program uses the Postfix setup to transmit the messages. In particular, it looks up DNS for the MX of the destination domain and forwards it to the correct destination.

Now I have the problem that I need some messages to be forwarded directly to the destination, while the ones generated by my mail application should be sent through a smart host (setting up relayhost=smart.host.tld).

How could I do this? Is it possible to change the relayhost Postfix parameter on the fly? Or what?

Thanks,

rocsca
RE: Postoffice with virtual mailbox and a Maildrop issue [SOLVED]
Hello,

Rocco Scappatura wrote:

[snip]

Why is the message not delivered immediately to the virtual mailbox after the vacation filter?

because the domain is not listed as a virtual mailbox domain

At first glance, I should say as above too, but I swear that the query is exactly the one I have reported.

# postmap -q t...@receiver.tld proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
receiver.tld

virtual_mailbox_domains is looked up with the domain name as the key, not the email address. Show the output from the right command.

# postmap -q domain.tld proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
#

:-( But:

# cat /etc/postfix/mysql-virtual-domain.cf
. .
query = select domain from domain where domain = '%d' and active = 1

returns to me correctly:

+------------+
| domain     |
+------------+
| domain.tld |
+------------+

mmmhhh!?!?!?

you'll need to make sure you run the right sql queries when testing and that your .cf has the right hosts, user, ... etc.

Also the db configuration parameters in the Postfix configuration files are correct..

Not completely.. In fact, I have carefully read the mysql_table man page and I see that the right query is:

query = select domain from domain where domain = '%s' and active = 1

because Postfix evidently passes the domain part of the recipient for lookup.. while I erroneously thought that the entire recipient was looked up..

I'm sorry,

rocsca
Re: Postoffice with virtual mailbox and a Maildrop issue
Thanks Magnus,

append_at_myorigin = no deleted.

I have the problem that mail destined to a local virtual mailbox is not delivered locally, even if all lookups successfully confirm that the message has to be delivered locally:

So what does happen to the messages?

At the moment, I'm configuring the platform, so the messages try to go to the mail server pointed out by the MX for the domain receiver.tld:

Mar 7 10:06:01 mail1 postfix/smtpd[14046]: connect from gw.tld[xxx.yyy.zzz.uuu]
Mar 7 10:06:01 mail1 postfix/smtpd[14046]: EF43674001: client=gw.tld[xxx.yyy.zzz.uuu]
Mar 7 10:06:01 mail1 postfix/cleanup[14049]: EF43674001: message-id=362aba71262c41a898506470939c1...@stt.loc
Mar 7 10:06:02 mail1 postfix/smtpd[14046]: disconnect from gw.tld[xxx.yyy.zzz.uuu]
Mar 7 10:06:02 mail1 postfix/qmgr[13967]: EF43674001: from=sen...@domain.tld, size=2893, nrcpt=1 (queue active)
Mar 7 10:06:02 mail1 postfix/pickup[13966]: 2A6A174002: uid=7011 from=sen...@domain.tld
Mar 7 10:06:02 mail1 postfix/cleanup[14049]: 2A6A174002: message-id=362aba71262c41a898506470939c1...@stt.loc
Mar 7 10:06:02 mail1 postfix/pipe[14050]: EF43674001: to=r...@domain.tld, relay=filter, delay=0.2, delays=0.04/0/0/0.16, dsn=2.0.0, status=sent (delivered via filter service)
Mar 7 10:06:02 mail1 postfix/qmgr[13967]: EF43674001: removed
Mar 7 10:06:02 mail1 postfix/qmgr[13967]: 2A6A174002: from=sen...@domain.tld, size=3006, nrcpt=1 (queue active)
Mar 7 10:06:05 mail1 postfix/smtp[14061]: connect to mx1.for.domain.tld[xxx1.yyy.zzz.uuu]:25: No route to host
Mar 7 10:06:08 mail1 postfix/smtp[14061]: connect to mx2.for.domain.tld[xxx2.yyy.zzz.uuu]:25: No route to host
Mar 7 10:06:08 mail1 postfix/smtp[14061]: 2A6A174002: to=r...@domain.tld, relay=none, delay=6.1, delays=0.08/0/6/0, dsn=4.4.1, status=deferred (connect to mx1.for.domain.tld[xxx1.yyy.zzz.uuu]:25: No route to host)

Indeed, I'm using a vacation filter too. But, as there is no vacation configured for recipient r...@domain.tld, the message should be delivered to the (local) virtual mailbox after the vacation filter.

Instead, I suspect that the DNS is looked up and delivery is attempted to the responsible MX for domain domain.tld (mx1.for.domain.tld and mx2.for.domain.tld, which are not reachable from the network on which I am setting up the postoffice).

Why is the message not delivered immediately to the virtual mailbox after the vacation filter?

# postmap -q t...@receiver.tld proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
receiver.tld

virtual_mailbox_domains is looked up with the domain name as the key, not the email address. Show the output from the right command.

# postmap -q domain.tld proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
#

:-( But:

# cat /etc/postfix/mysql-virtual-domain.cf
. .
query = select domain from domain where domain = '%d' and active = 1

returns to me correctly:

+------------+
| domain     |
+------------+
| domain.tld |
+------------+

mmmhhh!?!?!?

rocsca
Postoffice with virtual mailbox and a Maildrop issue
Hello,

I'm setting up a postoffice platform based on Postfix+Courier-authlib-Courier-IMAP-Maildrop.

Here are my Postfix parameters:

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_at_myorigin = no
append_dot_mydomain = no
bounce_size_limit = 1
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
local_recipient_maps = $alias_maps, unix:passwd.byname
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 3584
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = posta.domain.tld
myhostname = posta.domain.tld
mynetworks = xxx.yyy.zzz.uuu/27, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $virtual_mailbox_domains $virtual_alias_maps $virtual_mailbox_maps proxy:mysql:/etc/postfix/mysql-virtual-domain.cf proxy:mysql:/etc/postfix/mysql-virtual-alias.cf proxy:mysql:/etc/postfix/mysql-virtual-mailbox.cf
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_sasl_auth_enable = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual-alias.cf
virtual_gid_maps = static:1021
virtual_mailbox_base = /home/virtual
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox.cf
virtual_transport = maildrop
virtual_uid_maps = static:1021

I have the problem that mail destined to a local virtual mailbox is not delivered locally, even if all lookups successfully confirm that the message has to be delivered locally:

# postmap -q t...@receiver.tld proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
receiver.tld
# postmap -q test@ receiver.tld proxy:mysql:/etc/postfix/mysql-virtual-alias.cf
test@ receiver.tld
# postmap -q t...@receiver.tld proxy:mysql:/etc/postfix/mysql-virtual-mailbox.cf
receiver.tld /test@ receiver.tld/

Indeed it could be a matter of the maildrop filter:

maildrop unix - n n - - pipe
  flags=Ru user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

But I have also tried to disable it (commenting out the lines above in /etc/postfix/master.cf and commenting out the relevant lines in /etc/postfix/main.cf).

Where is the mistake?

Thanks

rocsca
policy service question
Hello,

I'm trying to use a policy service to limit use of my SMTP gateway platform because of heavy load, which usually means long delays in transmitting messages.

The policy service is bound to TCP port 10031.

I have therefore set Postfix to use the policy service at the end of the recipient restrictions and at the end of the end-of-data restrictions:

smtpd_recipient_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unlisted_sender
    reject_unlisted_recipient
    reject_unknown_sender_domain
    reject_invalid_hostname
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client list.dsbl.org
    check_policy_service inet:127.0.0.1:54000
    check_policy_service inet:127.0.0.1:10031

smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:10031

What happens is that if the message is from outside, then the sender is tracked. On the other hand, the sender is not tracked.

In the first case, the policy service log says the state is RCPT when the message is tracked. In the second case, instead, the logfile says that the state is 'END-OF-MESSAGES'. (Why are these messages not matched in the RCPT stage? Why are these messages nevertheless matched at the end-of-data stage?)

Indeed I would like exactly the contrary (that is, the outgoing messages have to be checked, while the others not), but I really can't figure out where I'm going wrong.

Any help is appreciated.

rocsca
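The decision such a policy service has to make, as an added example that is not part of the thread: it parses a Postfix policy delegation request, answers DUNNO for anything that is not an RCPT-stage request from an internal or authenticated client, and applies a per-sender quota to the rest. The network ranges, the quota values and the helper names are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values for the illustration (not taken from the thread).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/27"),
                 ipaddress.ip_network("127.0.0.0/8")]
MAX_RCPTS = 3        # recipients allowed per sender ...
WINDOW = 60          # ... within this many seconds


def parse_request(text):
    """Turn one 'name=value' block (terminated by an empty line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")   # values may contain '='
        if sep:
            attrs[name] = value
    return attrs


def is_outgoing(attrs):
    """Outgoing mail: SASL-authenticated or sent from an internal network."""
    if attrs.get("sasl_username"):
        return True
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


class SenderQuota:
    """Sliding-window counter of RCPT requests per envelope sender."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def hit(self, sender, now):
        stamps = self.seen[sender]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        stamps.append(now)
        return len(stamps) <= self.limit


def decide(attrs, quota, now):
    """Return the access action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"            # e.g. END-OF-MESSAGE: nothing to count here
    if not is_outgoing(attrs):
        return "DUNNO"            # incoming mail is left to the other checks
    if quota.hit(attrs.get("sender", ""), now):
        return "DUNNO"
    return "DEFER_IF_PERMIT Sender quota exceeded, try again later"


def format_reply(action):
    """Wire format of the answer: one attribute, then an empty line."""
    return f"action={action}\n\n"


def make_request(state, client, sender):
    """Constructed sample request with the attributes used above."""
    return (f"request=smtpd_access_policy\nprotocol_state={state}\n"
            f"protocol_name=ESMTP\nclient_address={client}\n"
            f"sender={sender}\nrecipient=rcpt@example.net\n\n")


def run_samples():
    quota = SenderQuota(MAX_RCPTS, WINDOW)
    samples = [("RCPT", "192.0.2.10", "app@example.test", t) for t in range(4)]
    samples += [("RCPT", "203.0.113.5", "app@example.test", 4),
                ("END-OF-MESSAGE", "192.0.2.10", "app@example.test", 5),
                ("RCPT", "192.0.2.10", "app@example.test", 100)]
    return [decide(parse_request(make_request(state, client, sender)), quota, now)
            for state, client, sender, now in samples]


if __name__ == "__main__":
    for action in run_samples():
        print(format_reply(action), end="")
```

Postfix consults the service only when evaluation reaches check_policy_service, so for outgoing mail it has to be listed before permit_mynetworks and permit_sasl_authenticated.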
Re: SMTP relay only
Rocco Scappatura wrote:

Hello,

I need to set up a mail server for outgoing email only.

I clearly would like to restrict access to my networks only.

Moreover, I would like to permit only some envelope senders to relay email through such an MTA. And no other envelope sender should be able to relay through this MTA.

So the restriction classes are made so:

smtpd_client_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

-- this lets me disable some content checking through the filter (Amavisd-new). No matter.

smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    reject

If I understand you, you want something like:

- if IP is in a list of allowed IPs, _and_ if sender is in a list of allowed sender, permit
- anything else is rejected

right?

yes, exactly.

what you did above is

- if IP _OR_ ...

which is not the same thing. (I am assuming your maps return OK).

you want

smtpd_sender_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    reject

smtpd_recipient_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    reject

This is also safer (if check_sender_access accidentally returns an OK, you don't become an open relay).

Now I have understood quite all. I've tried the new config and it works pretty well!

Please note that I use the check_client_access restriction together with:

mynetworks = /etc/postfix/relay

to limit access to the SMTP relay server per IP.

I don't understand this part. I see no permit_mynetworks in the snippet you posted.

In fact, I haven't reported it.. I just forgot! :-(

smtpd_recipient_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    reject

This should be ok!

[snip]

This configuration doesn't work. What is conceptually wrong in my config?

Finally I would like to deny message delivery to my mail server.. Should it suffice to unset relay_domains, or is it too restrictive doing so?

to disable local delivery, check the FIREWALL README.

:-)

In addition, if you don't have relay domains, then set

relay_domains =

Indeed, I don't want to do so for delivery efficiency rights! In fact if I set:

relay_domains =

every message destined to my domain goes to another mail server of mine that accepts email for that domain, and then is delivered to the post office. While, actually, the email for one of my domains is now delivered quickly to the postoffice specified as transport for that domain.

Maybe the best solution is to deny incoming connections (from outside of my network) on port 25..

thanks,

rocsca
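The difference between the single-list layout and the split layout discussed in this message, as an added example that is not part of the thread: a small Python model of how smtpd walks restriction lists, in which OK ends only the current list, REJECT ends the request, and no match falls through to the next restriction. The IP addresses, sender addresses, map contents and helper names are constructed for the illustration.

```python
from itertools import product

# Constructed map contents (assumptions): keys for which the lookup returns OK.
CLIENT_ROWS = {"192.0.2.10": "OK"}
SENDER_ROWS = {"app@example.test": "OK"}

CLIENTS = ["192.0.2.10", "203.0.113.5"]              # allowed, not allowed
SENDERS = ["app@example.test", "other@example.test"]  # allowed, not allowed


def access_check(name, attribute, lookup):
    """Build a check_*_access restriction backed by a lookup function."""
    def check(request):
        return lookup(request[attribute]) or "DUNNO"   # no row: no decision
    check.__name__ = name
    return check


def reject(request):
    return "REJECT"


def evaluate(restriction_lists, request):
    """Walk the lists in order, the restrictions in each list left to right."""
    for _list_name, restrictions in restriction_lists:
        for restriction in restrictions:
            action = restriction(request)
            if action == "REJECT":
                return "REJECT"          # ends the whole evaluation
            if action == "OK":
                break                    # ends this list only
    return "PERMIT"


def build(style, sender_lookup):
    client = access_check("check_client_access", "client", CLIENT_ROWS.get)
    sender = access_check("check_sender_access", "sender", sender_lookup)
    if style == "single_list":
        # Both maps in smtpd_recipient_restrictions: either OK permits.
        return [("smtpd_recipient_restrictions", [client, sender, reject])]
    # Split layout: each list must be passed on its own.
    return [("smtpd_sender_restrictions", [sender, reject]),
            ("smtpd_recipient_restrictions", [client, reject])]


def relay_table(style, sender_lookup=SENDER_ROWS.get):
    """Verdict for every (client, sender) combination under one layout."""
    lists = build(style, sender_lookup)
    return {(c, s): evaluate(lists, {"client": c, "sender": s})
            for c, s in product(CLIENTS, SENDERS)}


def broken_sender_map(_key):
    """A sender map that answers OK for every key, e.g. after a query mistake."""
    return "OK"


if __name__ == "__main__":
    for style in ("single_list", "split_lists"):
        for lookup in (SENDER_ROWS.get, broken_sender_map):
            label = "broken map" if lookup is broken_sender_map else "normal map"
            print(style, label)
            for key, verdict in relay_table(style, lookup).items():
                print("   ", key, verdict)
```

With the sender map answering OK for everything, the single-list layout permits every combination, while the split layout still rejects the client that is not in the client map.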
Re: SMTP relay only
Victor,

Finally I would like to deny message delivery to my mail server.. Should it suffice to unset relay_domains, or is it too restrictive doing so?

to disable local delivery, check the FIREWALL README.

I think this means:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

I have just finished explaining better what I would like to implement in another post..

The link above doesn't seem to be suited to my purpose..

Thanks as well,

rocsca
RE: Timing question
Sorry for the delay..

Could you explain - in the same terms - how the time before a message is passed to the queue manager, after it is processed by the content filter, is quantified?

The time to deliver is measured as the time between MAIL FROM and end-of-data.

Sorry for my bad English.. To be clearer, given delays=a/b/c/d I asked for the meaning of a delay. I need this definition to understand better the difference of time between d in 1) and d in 2) in the example above.

Citing from the HISTORY file:

The information is now logged as delays=a/b/c/d where a=time before queue manager, including message transmission;

a=time from MAIL FROM until queue manager.

Ok, Wietse so considering my example:

1) Jan 30 10:02:17 av5 postfix/smtp[10603]: C0AFB226F23: to=recei...@domain.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=8.9, delays=1.3/0/0/7.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95CEE226F30)

2) Jan 30 10:02:17 av5 postfix/smtp[5441]: 95CEE226F30: to=recei...@domain.tld, relay=server[xxx.yyy.zzz.uuu]:25, delay=0.11, delays=0.03/0.04/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C7951098002)

and that:

i) There are 7.7 seconds between the time that the Postfix SMTP client sends the MAIL FROM command to the filter, and the time that the filter sends the end-of-data reply to the Postfix SMTP client.

ii) a=time from MAIL FROM until queue manager = 0.3 in 2)

No, 0.03 not 0.3.

Indeed, I thought (wrongly) that they were the same transmission (and I cannot justify it because there was an evident timing difference - 7.7 and 0.3).

The filter is likely buffering the SMTP dialogue, and not initiating the downstream connection until it has processed the data.

Instead, i) is the transmission from Postfix to the content filter, while ii) should be the reinjection of the message back to the normal MTA flow.

This happens when filters buffer the envelope, not just the payload.

A last trivial question on this argument.. In such a configuration (Postfix+Amavisd-new), is the total latency of a message, from the time it is transmitted from the SMTP client to the time the receiving MTA sends end-of-data, given by summing the delays 1) and 2) reported above?

Thanks,

rocsca
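The delays=a/b/c/d fields discussed in this message, as an added example that is not part of the thread: a parser that splits each delivery line into its four stages and follows the "queued as" hand-off from the filter hop to the re-injected queue ID. The sample log is constructed from the two lines quoted above with placeholder addresses; the names for b, c and d (time in queue manager, connection setup, message transmission) follow the Postfix documentation rather than the thread, and the helper names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two deliveries quoted in the message, with the
# truncated recipient and the masked relay IP replaced by placeholders.
SAMPLE_LOG = """\
Jan 30 10:02:17 av5 postfix/smtp[10603]: C0AFB226F23: to=<rcpt@example.test>, relay=127.0.0.1[127.0.0.1]:10026, delay=8.9, delays=1.3/0/0/7.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95CEE226F30)
Jan 30 10:02:17 av5 postfix/smtp[5441]: 95CEE226F30: to=<rcpt@example.test>, relay=server[192.0.2.25]:25, delay=0.11, delays=0.03/0.04/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C7951098002)
"""

DELIVERY_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<?(?P<rcpt>[^>,]+)>?,"
    r".*? relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+),"
    r" delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+),"
    r" dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)(?: \((?P<reply>.*)\))?"
)

# a/b/c/d in the order Postfix logs them.
STAGES = {"a": "before_qmgr", "b": "in_qmgr",
          "c": "conn_setup", "d": "transmission"}


@dataclass
class Delivery:
    qid: str
    relay: str
    status: str
    delay: float
    stages: dict
    next_qid: Optional[str]   # queue ID reported by the next hop, if any


def parse_deliveries(log):
    """Map queue ID -> Delivery (assumes one recipient per queue ID)."""
    deliveries = {}
    for line in log.splitlines():
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        handoff = re.search(r"queued as ([0-9A-F]+)", m["reply"] or "")
        deliveries[m["qid"]] = Delivery(
            qid=m["qid"], relay=m["relay"], status=m["status"],
            delay=float(m["delay"]),
            stages={name: float(m[key]) for key, name in STAGES.items()},
            next_qid=handoff.group(1) if handoff else None,
        )
    return deliveries


def first_hops(deliveries):
    """Queue IDs that no other delivery in the log handed off to."""
    handed_off = {d.next_qid for d in deliveries.values()}
    return [qid for qid in deliveries if qid not in handed_off]


def follow(deliveries, qid):
    """Follow 'queued as' links for as long as the next queue ID is in the log."""
    hops, seen = [], set()
    while qid in deliveries and qid not in seen:
        seen.add(qid)
        hops.append(deliveries[qid])
        qid = deliveries[qid].next_qid
    return hops


def slowest_stage(hops):
    """(queue ID, stage name, seconds) of the largest single stage."""
    return max(((h.qid, name, secs) for h in hops
                for name, secs in h.stages.items()), key=lambda t: t[2])


if __name__ == "__main__":
    parsed = parse_deliveries(SAMPLE_LOG)
    for start in first_hops(parsed):
        chain = follow(parsed, start)
        for hop in chain:
            print(hop.qid, hop.relay, f"delay={hop.delay}", hop.stages)
        print("slowest stage:", slowest_stage(chain))
```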
SMTP relay only
Hello,

I need to set up a mail server for outgoing email only.

I clearly would like to restrict access to my networks only.

Moreover, I would like to permit only some envelope senders to relay email through such an MTA. And no other envelope sender should be able to relay through this MTA.

So the restriction classes are made so:

smtpd_client_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

-- this lets me disable some content checking through the filter (Amavisd-new). No matter.

smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    reject

Please note that I use the check_client_access restriction together with:

mynetworks = /etc/postfix/relay

to limit access to the SMTP relay server per IP.

The /etc/postfix/mysql-check-sender-access.cf lookup verifies whether the envelope sender is enabled for relay (I'm assuming that on my networks nobody forges the email sender). The lookup returns OK if the sender is enabled, and nothing otherwise (the sender should be rejected at the next restriction..).

This configuration doesn't work. What is conceptually wrong in my config?

Finally I would like to deny message delivery to my mail server.. Should it suffice to unset relay_domains, or is it too restrictive doing so?

Thanks,

rocsca
DSN on deferring
Hello,

When I send a message to a nonexistent email address and the receiving MTA is down, like the following example:

av4 mail16:46:22postfix/smtppostfix/smtp[27440]: 11BD7750296: to=abcd...@destdomain.tld, relay=none, delay=10, delays=0.03/0/10/0, dsn=4.4.1, status=deferred (connect to mx1.destdomain.tld[xxx.yyy.zzz.111]: Connection timed out)

I don't get any notification about the status of delivery :-(.

I don't think that this is normal. Anyway, I don't understand whether I have got something wrong in my Postfix configuration, or whether it is the receiving side that is misconfigured..

Could somebody help me?

rocsca
RE: SMTP sessions
Hi,

I have a mail gateway system that consists of several Postfix+MySQL+Amavisd-new machines behind a load balancer. I have defined a balancing policy based on the number of SMTP sessions that every server has to manage.

New connections are given to the server with the fewest connections?

Yes.

But, even if the sessions are perfectly balanced, I see that the average latency of a message in Postfix queues is too high on some machines and almost zero on others.

Are the same servers overloaded over a long period of time? And lightly loaded servers remain lightly loaded?

Usually.

What is the critical resource? Disk I/O? CPU? Output concurrency?

Indeed, the number of sessions is correctly proportional to the weight I have assigned to each server on the balancer. But the load of the CPUs of each machine is not. I have watched disk I/O with vmstat and the OS never swaps. I have a good quantity of RAM free. I monitored each machine's parameters using vmstat, and what I could note is that the number of blocked procs is often nonzero (from 0 to 3) when the machine is overloaded.

What do you mean by output concurrency?

I have raised maxproc for amavis-filter to reduce the number of blocked procs.

What I infer is that every session can be used to deliver/send different email messages (other than that every message has inherently a different size). Is my argument right, or am I wrong in something? If yes, does Postfix have control of the number of messages that could be managed by each SMTP session?

Take a look at qshape, is there a lot of deferred mail on some systems and not others? Are you doing recipient validation, or accepting and bouncing a lot of mail?

I have constantly monitored the Postfix queues with qshape, particularly the active queue:

# watch perl /usr/local/src/postfix-2.5.2/auxiliary/qshape/qshape.pl -s active| head

I have a reasonably normal number of deferred emails (no more than 100 messages). Nevertheless, I'm doing recipient validation for each mailbox that I manage and verification on each email of every domain for which I forward messages.

I fear that the problem is that for each session I can have an unsettled number of messages sent over that session (Could it happen? If yes, could it depend on MTA settings?) other than an unsettled size of SMTP traffic (which determines the latency of messages and could make congestion of the Postfix active queue more or less heavy).

Could someone give me some hint about this issue?

TIA,

rocsca
Re: SMTP sessions
Victor,

I fear that the problem is that for each session I can have an unsettled number of messages sent over that session (Could it happen? If yes, could it depend on MTA settings?) other than an unsettled size of SMTP traffic (which determines the latency of messages and could make congestion of the Postfix active queue more or less heavy).

Could someone give me some hint about this issue?

I have no idea what this issue is, and I doubt anyone else does either. Unless you can present concrete information, rather than vague guesses, it is unlikely that you will get much help.

Postfix is an I/O bandwidth limited MTA, running within fixed concurrency limits. When you add content filters, the filters may become CPU-limited.

Throughput = Concurrency / Latency.

If you are seeing low throughput, but the system has enough resources to provide more throughput, your concurrency may be too low, or your delivery agents are all tied up timing out deliveries to dead destinations (abnormally high latency).

If you have run out of CPU, I/O or network bandwidth, add more hardware, or reduce demand for that resource.

Sadly, you have to find the reason you are experiencing congestion, and quantify this with relevant measurements.

I agree with all of your argumentation. But, basically, my question is another one. Maybe I'm wrong to try to submit the problem by describing whatever comes around, which only contributes to complicating the understanding for the list. I'm sorry for this.

Returning to my question, I'm trying to understand:

1) Once a client (or another MTA) establishes a TCP connection with the listening port bound by the SMTP daemon of Postfix, could it happen that more than one email message is sent over that TCP connection before it is closed?

2) If 1), is there any limit on the number of messages that could be sent over that TCP connection?

3) Could the receiving MTA (i.e.: Postfix) decide how many times a TCP connection could be used to transmit messages by a client?

I'm sorry again if my answers are trivial or make no sense..

rocsca
Re: SMTP sessions
Thanks Viktor,

1) Once a client (or another MTA) establishes a TCP connection with the listening port bound by the SMTP daemon of Postfix, could it happen that more than one email message is sent over that TCP connection before it is closed?

Sure this is possible, but it is unlikely to significantly impact your queues.

2) If 1), is there any limit on the number of messages that could be sent over that TCP connection?

No.

3) Could the receiving MTA (i.e.: Postfix) decide how many times a TCP connection could be used to transmit messages by a client?

Enforcing such limits is unwise. The solution causes more harm than the perceived problem. There is no evidence that sender-side connection re-use has any material impact on your queues. If you do want to enforce such limits, they should be applied selectively to just IP sources with poor reputations.

Indeed, it would be nice to have a tool that assigns a poor reputation to an IP source that impacts the queues..

Maybe one of these tools could be a Policyd server? Simply imposing a quota on the number of messages that could be sent in a unit of time? Or does something more refined exist, as far as you know?

rocsca
RE: SMTP sessions
Hello,

I have a mail gateway system that consists of several Postfix+MySQL+Amavisd-new machines behind a load balancer. I have defined a balancing policy based on the number of SMTP sessions that every server has to manage.

New connections are given to the server with the fewest connections?

Yes.

But, even if the sessions are perfectly balanced, I see that the average latency of a message in Postfix queues is too high on some machines and almost zero on others.

Are the same servers overloaded over a long period of time? And lightly loaded servers remain lightly loaded?

Usually.

What is the critical resource? Disk I/O? CPU? Output concurrency?

Indeed, the number of sessions is correctly proportional to the weight I have assigned to each server on the balancer. But the load of the CPUs of each machine is not. I have watched disk I/O with vmstat and the OS never swaps. I have a good quantity of RAM free. I monitored each machine's parameters using vmstat, and what I could note is that the number of blocked procs is often nonzero (from 0 to 3) when the machine is overloaded.

What do you mean by output concurrency?

I have raised maxproc for amavis-filter to reduce the number of blocked procs.

What I infer is that every session can be used to deliver/send different email messages (other than that every message has inherently a different size). Is my argument right, or am I wrong in something? If yes, does Postfix have control of the number of messages that could be managed by each SMTP session?

Take a look at qshape, is there a lot of deferred mail on some systems and not others? Are you doing recipient validation, or accepting and bouncing a lot of mail?

I have constantly monitored the Postfix queues with qshape, particularly the active queue:

# watch perl /usr/local/src/postfix-2.5.2/auxiliary/qshape/qshape.pl -s active| head

I have a reasonably normal number of deferred emails (no more than 100 messages). Nevertheless, I'm doing recipient validation for each mailbox that I manage and verification on each email of every domain for which I forward messages.

I fear that the problem is that for each session I can have an unsettled number of messages sent over that session (Could it happen? If yes, could it depend on MTA settings?) other than an unsettled size of SMTP traffic (which determines the latency of messages and could make congestion of the Postfix active queue more or less heavy).

Has someone further widening to provide about this argument?

rocsca
Re: check_client_access
Mouss,

and your explanation was about a receiver. That's 3 different things...

So.. What do I have to do to block a message based on the receiver?

check_recipient_access.

PS. it would be safer to put your check_sender_access in smtpd_sender_restrictions so that an error in your sql query doesn't make you an open relay.

Why is it safer? Could it have any side effect in my configuration? Thanks.

it's ok if you don't return OK in your map (Annie, are you OK?). but one day, you'll be tired and you'll add an entry to your map... this is why it is generally safer to put check_*_access after reject_unauth_destination in smtpd_recipient_restrictions, or to put them in other restrictions (latter if you want them to apply to both inbound and outbound mail).

These are the restrictions in my main.cf file:

smtpd_client_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
    . . .

How do I have to modify it so that I can block an email address whether it is the sender or one of the recipients, AND whether the message is incoming or outgoing?

Maybe so (assuming that the action will never be OK)...

smtpd_client_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
smtpd_helo_restrictions =
smtpd_sender_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
smtpd_recipient_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
    . . .

Or do you have another configuration to propose that is safer?

rocsca
Re: check_client_access
How do I have to modify it so that I can block an email address whether it is the sender or one of the recipients, AND whether the message is incoming or outgoing?

Maybe so (assuming that the action will never be OK)...

smtpd_client_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
smtpd_helo_restrictions =
smtpd_sender_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
smtpd_recipient_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

this one is already in smtpd_sender_restrictions, so just remove it

I can't remove it because this lookup returns reject_unverified_address for the domains that I maintain but for which I have no list of valid recipients:

query = select restriction from domain where domain='%s'

maybe I could put both lookups in smtpd_sender_restrictions?

check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf, proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

is it ok?

    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf

what's this for? it's already in smtpd_client_restrictions, so you may or may not need it here.

It integrates mynetworks (i.e.: returns OK if an IP is enabled to relay through my SMTP gateway). I need it.

    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000

what's this for? you probably want to put this after reject_unauth_destination.

postgrey

remember: reject_unauth_destination is what prevents open relay. so avoid putting a lot of stuff before it, because you increase the risks. and reject_unauth_destination is a very safe and very cheap check, so it's good to have it as soon as possible.

    reject_unauth_destination
    . . .

Or do you have another configuration to propose that is safer?

see above. as a general rule of thumb, put anti-spam checks (I'm talking about inbound spam. outbound spam is a different subject) after reject_unauth_destination, and put general restrictions (that also apply to your users) in one of smtpd_(client|helo|sender)_restrictions.

thanks,

rocsca
Re: check_client_access
Mouss,

[snip]

:-D

[snip]

dogs ate logs?

Very cool from you.. as usual! You have won a prize.. :-) -- Is it ok so? ;-)

- show logs that prove what you claimed

Feb 1 06:02:50 av5 postfix/smtpd[32172]: NOQUEUE: reject: RCPT from unknown[83.103.67.197]: 550 5.1.1 st...@receiver.tld: Recipient address rejected: undeliverable address: host srvmailvb.domain.intranet[10.36.20.100] said: 550 5.1.1 User unknown (in reply to RCPT TO command); from= to=st...@receiver.tld proto=ESMTP helo=clus2.istge.it

- show 'postmap -q' results (for all the keys that postfix uses. see the man page of access for the lookup order).

Could you instruct me about the order in which Postfix applies the restrictions (you can see the postconf output in my previous email.. Thanks.)

Anyway,

# postmap -q st...@receiver.tld proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
REJECT

you also need to make up your mind: the subject contains check_client_access. your question was about check_sender_access,

OK. Sorry, I got my subject wrong..

and your explanation was about a receiver. That's 3 different things...

So.. What do I have to do to block a message based on the receiver?

PS. it would be safer to put your check_sender_access in smtpd_sender_restrictions so that an error in your sql query doesn't make you an open relay.

Why is it safer? Could it have any side effect in my configuration? Thanks.

rocsca
Re: check_client_access
Sorry,
How do I have to modify it so that I could block an email address either if it is the sender or one of the recipients, AND either if the message is incoming or outgoing?
Maybe so (assuming that the action will never be OK)...
smtpd_client_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
smtpd_helo_restrictions =
smtpd_sender_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
smtpd_recipient_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
this one is already in smtpd_sender_restrictions, so just remove it
I can't remove it because this lookup returns reject_unverified_address for the domains that I maintain but for which I have no list of valid recipients:
query = select restriction from domain where domain='%s'
maybe I could put both lookups in smtpd_sender_restrictions?
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf, proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
I'm saying:
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf, proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
is it ok?
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
what's this for? it's already in smtpd_client_restrictions, so you may or may not need it here.
It integrates mynetworks (i.e.: returns OK if an IP is enabled to relay through my SMTP gateway). I need it.
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
what's this for? you probably want to put this after reject_unauth_destination.
postgrey
remember: reject_unauth_destination is what prevents open relay. so avoid putting a lot of stuff before it, because you increase the risks. and reject_unauth_destination is a very safe and very cheap check, so it's good to have it as soon as possible.
    reject_unauth_destination
    . . .
Or do you have another configuration to propose that is safer?
see above. as a general rule of thumb, put anti-spam checks (I'm talking about inbound spam. outbound spam is a different subject) after reject_unauth_destination, and put general restrictions (that also apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
thanks, rocsca
Re: check_client_access
Mouss,
How do I have to modify it so that I could block an email address either if it is the sender or one of the recipients, AND either if the message is incoming or outgoing?
Maybe so (assuming that the action will never be OK)...
smtpd_client_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
smtpd_helo_restrictions =
smtpd_sender_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
smtpd_recipient_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
this one is already in smtpd_sender_restrictions, so just remove it
I can't remove it
sorry, I didn't notice that it was a different map.
because this lookup returns reject_unverified_address for the domains that I maintain but for which I have no list of valid recipients:
query = select restriction from domain where domain='%s'
maybe I could put both lookups in smtpd_sender_restrictions?
yes.
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf, proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
I'm saying:
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf, proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
check_foo_access checks only one map. so you need to do it like this:
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
is it ok?
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
what's this for? it's already in smtpd_client_restrictions, so you may or may not need it here.
It integrates mynetworks (i.e.: returns OK if an IP is enabled to relay through my SMTP gateway). I need it.
that's ok.
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
what's this for? you probably want to put this after reject_unauth_destination.
postgrey
then put it at the end. no point to greylist a relay attempt.
remember: reject_unauth_destination is what prevents open relay. so avoid putting a lot of stuff before it, because you increase the risks. and reject_unauth_destination is a very safe and very cheap check, so it's good to have it as soon as possible.
    reject_unauth_destination
    . . .
Or do you have another configuration to propose that is safer?
see above. as a general rule of thumb, put anti-spam checks (I'm talking about inbound spam. outbound spam is a different subject) after reject_unauth_destination, and put general restrictions (that also apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
All works fine.. Annie is OK! ;-)
Thanks, rocsca
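An added example, not part of the thread and not Postfix's own code: a Python check for the ordering advice above, listing everything in smtpd_recipient_restrictions that can act before reject_unauth_destination. ORIGINAL is the list posted in the thread; REVISED is a constructed list that follows the advice, and all function names are this example's own.

```python
# Added example: audit the order of a Postfix smtpd_recipient_restrictions list.
# The restriction names are Postfix's; the function names are this example's own.

# Restrictions that are followed by one argument (a table or a service endpoint).
ONE_ARG = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service", "reject_rbl_client",
}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
# Permits that normally sit before the guard so that your own users can relay.
EXPECTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}

# The list as posted in the thread.
ORIGINAL = """
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination reject_non_fqdn_sender
"""
# Constructed: sender/recipient maps moved to smtpd_sender_restrictions,
# the policy service (postgrey) moved to the end.
REVISED = """
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_non_fqdn_sender
    check_policy_service inet:127.0.0.1:54000
"""


def parse_restrictions(value):
    """Split a restriction list (commas or whitespace) into (name, argument) pairs."""
    tokens = value.replace(",", " ").split()
    entries, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in ONE_ARG and i + 1 < len(tokens):
            arg = tokens[i + 1]
            i += 1
        entries.append((name, arg))
        i += 1
    return entries


def audit(value):
    """Return (kind, name, argument) for each entry that acts before the relay guard."""
    entries = parse_restrictions(value)
    guard = next((i for i, (n, _) in enumerate(entries) if n in RELAY_GUARDS), None)
    if guard is None:
        return [("missing-guard", "reject_unauth_destination", None)]
    findings = []
    for name, arg in entries[:guard]:
        if name in EXPECTED_PERMITS:
            continue
        if name.startswith(("reject_", "defer_")):
            continue  # can only refuse mail, never permit a relay attempt
        if name.startswith("check_") and name.endswith("_access"):
            # An OK from this table (bad row, bad query) accepts the recipient
            # before the relay check is ever reached.
            findings.append(("access-map", name, arg))
        elif name == "check_policy_service":
            # Work spent on (or a permit given to) a relay attempt.
            findings.append(("policy-service", name, arg))
        else:
            findings.append(("permit", name, arg))
    return findings


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("revised", REVISED)):
        print(label)
        for kind, name, arg in audit(value):
            print(f"  {kind}: {name} {arg or ''}")
```

The one finding left in REVISED is the check_client_access table that is meant to return OK for relay clients, so it is the table whose rows need the closest review.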
Re: Timing question
Thanks Wietse and Victor,
For example consider the log relative to the relay entries (to the content filter and to postfix without content filter):
1) Jan 30 10:02:17 av5 postfix/smtp[10603]: C0AFB226F23: to=recei...@domain.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=8.9, delays=1.3/0/0/7.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95CEE226F30)
Postfix measures 7.7 seconds from start of delivery to end of delivery.
You are saying from the time of the SMTP connection with 127.0.0.1:10026 to the time that the same connection is ended? And this interval includes the processing too?
There are 7.7 seconds between the time that the Postfix SMTP client sends the MAIL FROM command to the filter, and the time that the filter sends the end-of-data reply to the Postfix SMTP client. Either the content filter has a very slow SMTP implementation, or the content filter spends a lot of time to inspect the message. You can easily verify which it is, by looking with top or some other performance measurement tool. You can find out how much of the 7.7 seconds is spent on CPU time, and how much of that time is spent waiting for DNS, disk I/O, or something else. I won't do that for you, for obvious reasons.
2) Jan 30 10:02:17 av5 postfix/smtp[5441]: 95CEE226F30: to=recei...@domain.tld, relay=server[xxx.yyy.zzz.uuu]:25, delay=0.11, delays=0.03/0.04/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C7951098002)
There are 0.3 seconds between the time that the Postfix SMTP client sends the MAIL FROM command to xxx.yyy.zzz.uuu, and the time that xxx.yyy.zzz.uuu sends the end-of-data reply to the Postfix SMTP client.
So.. raising the maxprocs value for the content filter could not reduce delay d in 1) anyway.. Right? Raising the maxprocs value for the content filter helps only when the active queue is congested.. I think..
Could you explain - in the same terms - how the time before a message is passed to the queue manager, after it is processed by the content filter, is quantified?
Thanks, rocsca
Recipient verification from post-office in down stream issue
Hello,
My postfix server is configured to reject unverified server for a domain recipient.tld. The MX record for this domain points to my server. When my MTA receives messages for recipient.tld, the messages are forwarded to the server with IP 10.30.32.7. In main.cf I have:
smtpd_recipient_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
    . . .
where the query in check_recipient_access is
select restriction from domain where domain='%s' and active='1'
which returns reject_unverified_recipient for the domain recipient.tld. As an example I report a log for an unverified recipient:
Jan 31 19:52:52 av5 postfix/smtpd[6764]: NOQUEUE: reject: RCPT from unknown[89.105.251.144]: 450 4.1.1 gsin...@recipient.tld: Recipient address rejected: undeliverable address: host 10.30.32.7[10.30.32.7] said: 550 gsin...@recipient.tld... No such user (in reply to RCPT TO command); from=gs...@cablenet.com.ni to=gsin...@recipient.tld proto=SMTP helo=amerblind.outbound.ed10.com
Jan 31 19:52:52 av5 postfix/smtp[9373]: 0923C226ED8: to=gsin...@recipient.tld, relay=10.30.32.7[10.30.32.7]:25, delay=0.11, delays=0.01/0/0.07/0.03, dsn=5.0.0, status=undeliverable (host 10.30.32.7[10.30.32.7] said: 550 gsin...@recipient.tld... No such user (in reply to RCPT TO command))
The second log is not clear to me because it is queued and sent to the downstream server. In fact:
Jan 31 19:52:52 av5 postfix/cleanup[7729]: 0923C226ED8: message-id=20090131185252.0923c226...@av5.sttspa.it
Jan 31 19:52:52 av5 postfix/qmgr[10277]: 0923C226ED8: from=postmas...@av5.mydomain.tld, size=257, nrcpt=1 (queue active)
Jan 31 19:52:52 av5 postfix/smtp[9373]: 0923C226ED8: to=gsin...@recipient.tld, relay=10.30.32.7[10.30.32.7]:25, delay=0.11, delays=0.01/0/0.07/0.03, dsn=5.0.0, status=undeliverable (host 10.30.32.7[10.30.32.7] said: 550 gsin...@recipient.tld... No such user (in reply to RCPT TO command))
Jan 31 19:52:52 av5 postfix/qmgr[10277]: 0923C226ED8: removed
Is it possible to modify the postfix configuration so that the message from postmas...@av5.mydomain.tld is avoided? Or is it necessary for address verification of the addresses managed on the downstream server?
My second question is, why do I see an SMTP status 450 even if my server rejects the message? Maybe I have set: unverified_recipient_reject_code = 550 ?
rocsca
check_client_access
In smtpd_recipient_restrictions I put as first line:
check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
The check looks up the database for an address or a domain and returns an action (OK, REJECT, and so on). Yesterday my server received a lot of messages for an email address in one of the domains maintained by me. Say it is recei...@domain.tld. Even though the lookup for this email address is successful and returns REJECT, all messages were correctly received and then delivered to the post office server. Why were those messages not blocked? What have I missed?
thanks, rocsca
Re: Timing question
For example consider the log relative to the relay entries (to the content filter and to postfix without content filter):
1) Jan 30 10:02:17 av5 postfix/smtp[10603]: C0AFB226F23: to=recei...@domain.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=8.9, delays=1.3/0/0/7.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95CEE226F30)
Postfix measures 7.7 seconds from start of delivery to end of delivery.
You are saying from the time of the SMTP connection with 127.0.0.1:10026 to the time that the same connection is ended? And this interval includes the processing too?
There are 7.7 seconds between the time that the Postfix SMTP client sends the MAIL FROM command to the filter, and the time that the filter sends the end-of-data reply to the Postfix SMTP client. Either the content filter has a very slow SMTP implementation, or the content filter spends a lot of time to inspect the message. You can easily verify which it is, by looking with top or some other performance measurement tool. You can find out how much of the 7.7 seconds is spent on CPU time, and how much of that time is spent waiting for DNS, disk I/O, or something else. I won't do that for you, for obvious reasons.
2) Jan 30 10:02:17 av5 postfix/smtp[5441]: 95CEE226F30: to=recei...@domain.tld, relay=server[xxx.yyy.zzz.uuu]:25, delay=0.11, delays=0.03/0.04/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C7951098002)
There are 0.3 seconds between the time that the Postfix SMTP client sends the MAIL FROM command to xxx.yyy.zzz.uuu, and the time that xxx.yyy.zzz.uuu sends the end-of-data reply to the Postfix SMTP client.
So.. raising the maxprocs value for the content filter could not reduce delay d in 1) anyway.. Right? Raising the maxprocs value for the content filter helps only when the active queue is congested.. I think..
That depends on how much of that time the filter is busy in the CPU, and how much it spends waiting for DNS or disk I/O. If the filter spends 100% of its time busy in the CPU, then the optimal number of filter processes is a few times the number of CPUs. If the filter spends 50% of its time in the CPU, then the optimal number of filter processes is twice as large.
Very interesting! I will observe this aspect closely.. Thanks.
Could you explain - in the same terms - how the time before a message is passed to the queue manager, after it is processed by the content filter, is quantified?
The time to deliver is measured as the time between MAIL FROM and end-of-data.
Sorry for my bad English.. To be clearer, given delays=a/b/c/d I asked for the meaning of a delay. I need this definition to understand better the difference of time between d in 1) and d in 2) in the example above.
rocsca
Re: Timing question
Wietse,
Could you explain - in the same terms - how the time before a message is passed to the queue manager, after it is processed by the content filter, is quantified?
The time to deliver is measured as the time between MAIL FROM and end-of-data.
Sorry for my bad English.. To be clearer, given delays=a/b/c/d I asked for the meaning of a delay. I need this definition to understand better the difference of time between d in 1) and d in 2) in the example above.
Citing from the HISTORY file: The information is now logged as delays=a/b/c/d where a=time before queue manager, including message transmission; a=time from MAIL FROM until queue manager.
Ok, Wietse, so considering my example:
1) Jan 30 10:02:17 av5 postfix/smtp[10603]: C0AFB226F23: to=recei...@domain.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=8.9, delays=1.3/0/0/7.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95CEE226F30)
2) Jan 30 10:02:17 av5 postfix/smtp[5441]: 95CEE226F30: to=recei...@domain.tld, relay=server[xxx.yyy.zzz.uuu]:25, delay=0.11, delays=0.03/0.04/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C7951098002)
and that:
i) There are 7.7 seconds between the time that the Postfix SMTP client sends the MAIL FROM command to the filter, and the time that the filter sends the end-of-data reply to the Postfix SMTP client.
ii) a=time from MAIL FROM until queue manager = 0.3 in 2)
Indeed, I thought (wrongly) that they were the same transmission (and I could not justify it because there was an evident timing difference - 7.7 and 0.3). Instead, i) is the transmission from Postfix to the content filter, while ii) should be the reinjection of the message back to the normal MTA flow. Now all is clear.
Thanks. rocsca
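An added example (not code from the thread): it parses the delays=a/b/c/d field of the two log entries quoted above, averages each stage per relay, and follows the "queued as" ID to link the content-filter hop to the re-injected message. The meaning of a is the one cited in the thread; b, c and d are labelled from the Postfix documentation. The function names and the third log line are constructed for this example.

```python
import re
from collections import defaultdict

# a is defined in the thread; b, c and d follow the Postfix documentation.
STAGES = ("a: before queue manager", "b: in queue manager",
          "c: connection setup", "d: message transmission")

HEAD_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): ")
FIELD_RE = re.compile(r"\b(relay|delay|delays|status)=([^,\s]+)")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-F]+)")

# Entries 1 and 2 are the ones quoted in the thread; entry 3 is constructed.
SAMPLE_LOG = """\
Jan 30 10:02:17 av5 postfix/smtp[10603]: C0AFB226F23: to=recei...@domain.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=8.9, delays=1.3/0/0/7.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95CEE226F30)
Jan 30 10:02:17 av5 postfix/smtp[5441]: 95CEE226F30: to=recei...@domain.tld, relay=server[xxx.yyy.zzz.uuu]:25, delay=0.11, delays=0.03/0.04/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C7951098002)
Jan 30 10:02:19 av5 postfix/smtp[10603]: D1B0C226F24: to=recei...@domain.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=4.3, delays=0.7/0/0/3.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A6DFF226F31)
"""


def parse_line(line):
    """Return one delivery record, or None if the line is not an smtp delivery."""
    head = HEAD_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not head or "delays" not in fields or "delay" not in fields:
        return None
    parts = fields["delays"].split("/")
    if len(parts) != 4:
        return None
    nxt = QUEUED_AS_RE.search(line)
    return {
        "qid": head.group(1),
        "relay": fields.get("relay", "none"),
        "status": fields.get("status", ""),
        "delay": float(fields["delay"]),
        "delays": tuple(float(p) for p in parts),
        # Queue ID the next hop reported; for a content filter on localhost
        # this is the ID of the re-injected message in the same log.
        "next_qid": nxt.group(1) if nxt else None,
    }


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def average_by_relay(records):
    """Average a/b/c/d per relay, counting only status=sent deliveries."""
    groups = defaultdict(list)
    for rec in records:
        if rec["status"] == "sent":
            groups[rec["relay"]].append(rec["delays"])
    return {relay: tuple(round(sum(col) / len(col), 3) for col in zip(*rows))
            for relay, rows in groups.items()}


def hop_chains(records):
    """Link hops: filter delivery -> re-injected message -> final delivery.

    One record per queue ID is assumed (single-recipient messages)."""
    by_qid = {rec["qid"]: rec for rec in records}
    reinjected = {rec["next_qid"] for rec in records if rec["next_qid"] in by_qid}
    chains = []
    for rec in records:
        if rec["qid"] in reinjected:
            continue  # not the first hop of a chain
        chain = [rec]
        while chain[-1]["next_qid"] in by_qid and len(chain) <= len(records):
            chain.append(by_qid[chain[-1]["next_qid"]])
        chains.append(chain)
    return chains


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for relay, avg in average_by_relay(records).items():
        print(relay)
        for label, value in zip(STAGES, avg):
            print(f"  {label}: {value}")
    for chain in hop_chains(records):
        total = round(sum(hop["delay"] for hop in chain), 2)
        print(" -> ".join(hop["qid"] for hop in chain), f"total delay={total}")
```

Grouping by relay keeps the d of the filter hop (time inside the content filter) apart from the d of the outbound hop, which is the distinction the thread arrives at.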
Re: check_client_access
Thanks,
In smtpd_recipient_restrictions I put as first line:
check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
The check looks up the database for an address or a domain and returns an action (OK, REJECT, and so on).
This sounds bad; you should not OK based on sender addresses which are easily spoofed. But without more information about your configuration, we can only guess.
Indeed, I never use OK.. :-)
Yesterday my server received a lot of messages for an email address in one of the domains maintained by me. Say it is recei...@domain.tld. Even though the lookup for this email address is successful and returns REJECT, all messages were correctly received and then delivered to the post office server. Why were those messages not blocked? What have I missed?
You missed an important part of this mailing list's welcome message: TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
:-D
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_process_limit = 150
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 3584
minimal_backoff_time = 1800s
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = av5.sttspa.it
myhostname = av5.sttspa.it
mynetworks = /etc/postfix/relayzahra2
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf proxy:mysql:/etc/postfix/mysql-check-client-access.cf proxy:mysql:/etc/postfix/mysql-check-sender-access.cf proxy:mysql:/etc/postfix/mysql-relay-recipients.cf proxy:mysql:/etc/postfix/mysql-transport.cf proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = proxy:mysql:/etc/postfix/mysql-relay-domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_connect_timeout = 10s
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/mta_workarounds
smtpd_banner = $myhostname
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 100
smtpd_client_message_rate_limit = 60
smtpd_client_recipient_rate_limit = 250
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unlisted_sender
    reject_unlisted_recipient
    reject_unknown_sender_domain
    reject_invalid_hostname
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client list.dsbl.org
    check_policy_service inet:127.0.0.1:10031
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions =
strict_rfc821_envelopes = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
unknown_local_recipient_reject_code = 550
rocsca
Timing question
Hello. I have a Postfix+Amavisd-new+MySQL+ClamAV mail gateway system. I'm observing the time spent by a message in the (Amavisd-new) content_filter of postfix (I deliberately neglect the time spent by a message being processed by postfix, because it is negligible with respect to the filter). I grep the maillog lines that match delays=, 127.0.0.1 and status=sent (250 2.0.0 (I don't consider rejected messages, and messages blocked by content_filter). The aim is to get the average processing latency of a message. Once I get all 4-tuples delays=a/b/c/d, I calculate the average time during a specified time period. What I note is that the average of Time to transmit the message (the term denoted as d in the 4-tuple above) is a little bit too high for what I can perceive. For example, I obtain:
Every 1.0s: cat /tmp/filter.latencies.txt    Fri Jan 30 19:54:26 2009
5.844000/0.00/0.001000/4.049000
I can accept that the value Time Before Queued is a little bit high, as it represents the time for the content filter to queue the message since it has been transmitted by the sender. But I can't figure out why the Time to transmit the message is high in the same manner, even if it represents (at least I think) the time employed by the content filter to transmit the message back to Postfix. Sorry for my not completely clear exposition, but I'd like to have a better one that possibly explains better the message timing inside such an architecture. I appreciate any comment about it.
Thanks, rocsca
Re: Timing question
I have a Postfix+Amavisd-new+MySQL+ClamAV mail gateway system. I'm observing the time spent by a message in the (Amavisd-new) content_filter of postfix (I deliberately neglect the time spent by a message being processed by postfix, because it is negligible with respect to the filter). I grep the maillog lines that match delays=, 127.0.0.1 and status=sent (250 2.0.0 (I don't consider rejected messages, and messages blocked by content_filter). The aim is to get the average processing latency of a message. Once I get all 4-tuples delays=a/b/c/d, I calculate the average time during a specified time period. What I note is that the average of Time to transmit the message (the term denoted as d in the 4-tuple above) is a little bit too high for what I can perceive. For example, I obtain:
Every 1.0s: cat /tmp/filter.latencies.txt    Fri Jan 30 19:54:26 2009
5.844000/0.00/0.001000/4.049000
I can accept that the value Time Before Queued is a little bit high, as it represents the time for the content filter to queue the message since it has been transmitted by the sender. But I can't figure out why the Time to transmit the message is high in the same manner, even if it represents (at least I think) the time employed by the content filter to transmit the message back to Postfix. Sorry for my not completely clear exposition, but I'd like to have a better one that possibly explains better the message timing inside such an architecture. I appreciate any comment about it.
For example consider the log relative to the relay entries (to the content filter and to postfix without content filter):
1) Jan 30 10:02:17 av5 postfix/smtp[10603]: C0AFB226F23: to=recei...@domain.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=8.9, delays=1.3/0/0/7.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95CEE226F30)
2) Jan 30 10:02:17 av5 postfix/smtp[5441]: 95CEE226F30: to=recei...@domain.tld, relay=server[xxx.yyy.zzz.uuu]:25, delay=0.11, delays=0.03/0.04/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C7951098002)
- Why is d in 1) high? Does it include the processing made by the content filter?
- How could I tune Postfix to lower this delay? Maybe raising the maxprocs value for the content filter? Are there other tunings to apply?
- Why are d) in 1) and a) in 2) different values?
- How could I raise the concurrency in postfix so that the queue manager is faster in managing the messages and delivering them to the delivery processes?
- Is it possible to lower d) in 2)? Or does it depend exclusively on other factors (network, receiving MTA and other)?
Thanks, rocsca
RE: SMTP sessions
I have a mail gateway system that consists of several Postfix+MySQL+Amavisd-new machines behind a load balancer. I have defined a balancing policy based on number of SMTP sessions that every server has to manage.
New connections are given to the server with the fewest connections?
Yes.
But, even if the session is perfectly balanced, I see that the average latency of a message in Postfix queues is too high on some machines and quite zero on others.
Are the same servers overloaded over a long period of time? And lightly loaded servers remain lightly loaded?
Usually.
What is the critical resource? Disk I/O? CPU? Output concurrency?
Indeed, the number of sessions is correctly proportional to the weight I have assigned to each server on the balancer. But the load of the CPUs of each machine is not. I have watched Disk I/O with vmstat and the OS never swaps. I have a good quantity of RAM free. I monitored each machine's parameters using vmstat and what I have noted is the number of blocked procs, which is often nonzero (from 0 to 3) when the machine is overloaded. What do you mean by output concurrency? I have raised maxproc for amavis-filter to reduce the number of blocked procs.
What I infer is that every session can be used to deliver/send different email messages (other than every message inherently having a different size). Is my argument right or am I wrong about something? If yes, does Postfix have control of the number of messages that can be managed by each SMTP session?
Take a look at qshape, is there a lot of deferred mail on some systems and not others? Are you doing recipient validation, or accepting and bouncing a lot of mail?
I have constantly monitored the Postfix queues with qshape, particularly the active queue:
# watch perl /usr/local/src/postfix-2.5.2/auxiliary/qshape/qshape.pl -s active| head
I have a reasonably normal number of deferred emails (no more than 100 messages). Nevertheless, I'm doing recipient validation for each mailbox that I manage and verification on each email of every domain for which I forward messages. I fear that the problem is that for each session I can have an unsettled number of messages sent over that session (Could that happen? If yes, could it depend on MTA settings?) other than an unsettled size of SMTP traffic (which determines the latency of messages and could make congestion of the postfix active queue more or less heavy).
rocsca
SMTP sessions
Hello. I have a mail gateway system that consists of several Postfix+MySQL+Amavisd-new machines behind a load balancer. I have defined a balancing policy based on number of SMTP sessions that every server has to manage. But, even if the session is perfectly balanced, I see that the average latency of a message in Postfix queues is too high on some machines and quite zero on others. And the same happens for the CPU load. What I infer is that every session can be used to deliver/send different email messages (other than every message inherently having a different size). Is my argument right or am I wrong about something? If yes, does Postfix have control of the number of messages that can be managed by each SMTP session?
Thanks, rocsca
RE: Share postfix config directory
myhostname = hostname
mydomain = hostname
If the hostname is not valid, postfix fails to start. It has to be resolved by DNS and the IP must be the IP of one of the interfaces of the server which runs Postfix. So I have to use a name that is resolved to many different IPs, I think
rocsca
From: Thomas [mailto:t...@tja-server.de]
Sent: Thursday, January 15, 2009 2:58 AM
To: Rocco Scappatura
Cc: postfix users list
Subject: Re: Share postfix config directory
I never had a problem to do exactly this ... For what do you need the hostname of the server? My main.cf does not contain a hostname - it can easily be used over an NFS share:
mkdir /data
mount server:/data /data
/etc/init.d/postfix stop
cp -rp /etc/postfix /data/postfix_nfs
mv /etc/postfix /etc/postfix_ORIG
ln -s /data/postfix_nfs /etc/postfix
/etc/init.d/postfix start
echo `hostname`| Mail -s `hostname` account@yourdomain
Works :)
My simple client server main.cf:
postconf -n
config_directory = /etc/postfix
mydomain = yourdomain
mynetworks = 127.0.0.0/8
myorigin = $mydomain
relayhost = your relay
Where does the hostname kick in at your site?
Rocco Scappatura wrote:
Hello, I have different SMTP gateways, each one configured in exactly the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed.
TIA, rocsca
RE: Share postfix config directory
I have different SMTP gateways, each one configured in exactly the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed.
Let the computer do the work for you. See: man 1 make. If you are not familiar with this tool, then you work too hard.
I know that make is a really powerful tool. I have used it (in the sense that I have written some Makefiles) for compiling a few C projects. At the moment I can't guess how I could use 'make' for my purpose. I feel that in some manner it could be a substitution matter that 'make' is very clever at managing. But I can't infer anything more.. Could you give me further insight? :-)
# cat Makefile
# One generated main.cf per gateway, built from a shared template.
FILES = main.cf-a main.cf-b main.cf-c

all: $(FILES)

# Each target is rebuilt and pushed when the template or the Makefile changes.
main.cf-a: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template > $@
	rsync -av $@ hosta:/etc/postfix

main.cf-b: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template > $@
	rsync -av $@ hostb:/etc/postfix

main.cf-c: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template > $@
	rsync -av $@ hostc:/etc/postfix
Thanks Wietse, are you implicitly asserting that it is better to avoid the use of an NFS filesystem mounted on /etc/postfix of each SMTP gateway?
rocsca
Share postfix config directory
Hello, I have different SMTP gateways, each one configured in exactly the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed.
TIA, rocsca
RE: Share postfix config directory
I have different SMTP gateways, each one configured in exactly the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed.
Let the computer do the work for you. See: man 1 make. If you are not familiar with this tool, then you work too hard.
I know that make is a really powerful tool. I have used it (in the sense that I have written some Makefiles) for compiling a few C projects. At the moment I can't guess how I could use 'make' for my purpose. I feel that in some manner it could be a substitution matter that 'make' is very clever at managing. But I can't infer anything more.. Could you give me further insight? :-)
Thanks, rocsca
RE: User unknown in relay recipient table (SOLVED)
Rocco Scappatura wrote:
Dec 12 16:55:33 av1 postfix/smtpd[25586]: NOQUEUE: reject: RCPT from unknown[IP Primary MX for extdomain.tld]: 550 5.1.1 u...@extdomain.tld: Recipient address rejected: User unknown in relay recipient table; from=em...@domain.tld to= u...@extdomain.tld proto=ESMTP helo=MYPC
The error message indicates you have defined relay_recipient_maps but the recipient is not found in that map. Your postconf -n output shows no relay_recipient_maps entry, so you either deleted it from your post or you're looking at the wrong postfix install.
I swear, no! I'm not using any relay_recipient_maps.
[r...@svxcom120 log]# postconf -n | grep relay_recipient_maps
[r...@svxcom120 log]# cat /etc/postfix/main.cf| grep relay_recipient_maps
# The relay_recipient_maps parameter specifies optional lookup tables
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_recipient_maps may be defined in master.cf (-o ...). or you may have removed it but postfix was still using the previous configuration. you can check this by trying to send to the same address again. or you may have multiple instances...
Only afterwards did I realize that the message was rejected by my MTAs. In fact, as I have extdomain.tld in relay_domains, the domain is treated as local. :-(
Sorry, rocsca
Avoiding spam scan for a specific recipient
Hello, I have a Postfix+MySQL+Amavisd-new platform. Some time ago I got some hints for avoiding spam scan for a particular sender and a particular client. In particular, in /etc/postfix/main.cf I put:
smtpd_restriction_classes = from_policy_bank_senders
from_policy_bank_senders = check_sender_access hash:/etc/postfix/policy_bank_senders, permit
Now I would like to avoid spam scanning for a particular recipient. Is it possible?
Thanks, rocsca
User unknown in relay recipient table
Hello, I have a Postfix MTA which is configured to check recipients for a domain listed in table relay_domains, before forwarding the message to the appropriate post office. All has worked fine, until the MTA has been configured as backup MX for an external domain, say extdomain.tld. Since then, every time that a user (enabled to relay messages through my MTA) tries to send a message to the domain extdomain.tld, they get an error:

Dec 12 16:55:33 av1 postfix/smtpd[25586]: NOQUEUE: reject: RCPT from unknown[IP Primary MX for extdomain.tld]: 550 5.1.1 u...@extdomain.tld: Recipient address rejected: User unknown in relay recipient table; from=em...@domain.tld to= u...@extdomain.tld proto=ESMTP helo=MYPC

The Primary MX for extdomain.tld is a Postfix platform too (IMSS). How do I make that MTA not check users locally but do recipient validation on the downstream Post-office server?

PS: I don't want the backup MX to deliver mail directly to the Postoffice because on the primary MX I can manage the quarantine, whereas on the secondary MX I couldn't.

PPS: Here the postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = imss:localhost:10025
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_process_limit = 200
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = ...
myhostname = name
mynetworks = 10.100.5.159/32,10.100.5.160/32,10.100.5.161/32,127.0.0.1/32,10.100.2.120/32,10.100.5.162/32,10.100.5.128/26,10.100.2.121/32
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.16/README_FILES
relay_domains = extdomain.tld
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = ESMTP
smtpd_recipient_restrictions = permit_mynetworks, permit_mx_backup, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/mapdomain

tnx,
rocsca
RE: User unknown in relay recipient table
Dec 12 16:55:33 av1 postfix/smtpd[25586]: NOQUEUE: reject: RCPT from unknown[IP Primary MX for extdomain.tld]: 550 5.1.1 u...@extdomain.tld: Recipient address rejected: User unknown in relay recipient table; from=em...@domain.tld to= u...@extdomain.tld proto=ESMTP helo=MYPC

The error message indicates you have defined relay_recipient_maps but the recipient is not found in that map. Your postconf -n output shows no relay_recipient_maps entry, so you either deleted it from your post or you're looking at the wrong postfix install.

I swear that no! I'm not using any relay_recipient_maps.

[r...@svxcom120 log]# postconf -n | grep relay_recipient_maps
[r...@svxcom120 log]# cat /etc/postfix/main.cf| grep relay_recipient_maps
# The relay_recipient_maps parameter specifies optional lookup tables
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

Please see
http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

PS: I don't want the backup MX to deliver mail directly to the Postoffice because on the primary MX I can manage the quarantine, whereas on the secondary MX I couldn't.

PPS: Here the postconf -n ...

relay_domains = extdomain.tld

OK, you only relay for this one external domain. If you don't have a list of recipients for that domain, you don't need relay_recipient_maps.

smtpd_banner = ESMTP

This must be at least:

smtpd_banner = $myhostname ESMTP

Or better, just remove it and leave the default.

smtpd_recipient_restrictions = permit_mynetworks, permit_mx_backup, permit_sasl_authenticated, check_relay_domains

You should avoid using permit_mx_backup, and check_relay_domains has been deprecated for years - it's not even documented anymore. Much better is:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

and make sure the domains you are responsible for are listed in the proper address class.
http://www.postfix.org/ADDRESS_CLASS_README.html

If you want to add a verification probe for your relay domain, add at the end of smtpd_recipient_restrictions:

    check_recipient_access hash:/etc/postfix/verify_domains

And the contents of verify_domains will look like:

# verify_domains
extdomain.tld reject_unverified_recipient

Be sure to run
# postmap verify_domains
after you edit the file.

unknown_local_recipient_reject_code = 450

You should change this to 550.

Ok thanks,
rocsca
RE: Postfix and quota clarification
On Mon, Nov 24, 2008 at 4:49 AM, mouss [EMAIL PROTECTED] wrote:

Jose Ildefonso Camargo Tolosa wrote:

However, Postfix supports access maps that can reject mail for over-quota users, if you are willing to periodically add up all the mail each user has.

I have been using filesystem quotas for this purpose, and it works just fine. Of course, I have a dedicated filesystem for mail storage.

The problem is that this is detected at delivery time, which will cause backscatter if it happens too often and your filter misses a lot of spam. If this doesn't happen often, then yes, it's the easy way. Otherwise, an access check as suggested by Wietse may be necessary.

True, that's why I try to implement many quota warning systems, so the user knows that he/she has to clean their mailbox. Also, there is a side-effect to the fs quota: it is pretty much likely that the imap server (dovecot) fails to access the user mailbox once the hard limit is over (unless you fix it, but I didn't), and they just call support, and then one tells them to clean up the mailbox asap, and just reenables the access (by deleting a couple of dovecot's files, and extending their quota for a while). Well, I also try to have a good spam filter (ASSP).

2- there is no safe quota support in any MTA. most quota implementations will send a bounce, which may result in backscatter

true. but quotas are necessary: the more disk space the users have, the more garbage they store.

but this doesn't require checking quota in real time or at delivery time. populating an access list (periodically or opportunistically) should be enough.

maybe, but can also prove to be slow, and even more when you have thousands of users. I think that... maybe... using soft-quotas (as a counter) and having unlimited hard-quota and grace periods could have a similar effect, and can be faster (I don't know if this actually works, I haven't tried)

In fact, this is exactly the problem that I have. I'm using Postfix as post-office platform too. And I need to check disk usage. The first time, I patched with the VDA patch. Then I upgraded postfix and no longer applied the relative patch. Indeed I read that it is not good to use the VDA patch, so I believed that there was native support for quota in Postfix. Anyway I share the view that the MTA does not have to face quota issues, as mouss pointed out in a previous email. But I have to check quota exactly for the same needs that you have exposed. Have you a practical alternative to the VDA patch to suggest to me?

3- if you can queue mail, you can deliver it ;-p

As I just have pointed out, I'm using it as Post office.

4- disks don't cost too much now.

true, but when you have 10k users, the cost of each not so expensive hard drive starts to add up, and not only that, in a public organization you can have wait-times of around 6 months just to get a hard drive. Oh, and don't forget: you have to plug these hard drives somewhere: every server has its hard drive limit, and you could take a PC and lots of SATA controllers, and build a nice low-cost NAS-like thing, but a few people qualify this as unreliable, they need to spend lots of money on IBM or HP storage systems, and because of the cost, they just don't buy them, and thus: we have a limited amount of disk space :( .

Agreed.

5- if your users abuse mail, destroy their heads, not ours.

I don't think my boss lets me do that, jejejeje :D

you must make it look like an accident :)

... jejejejeje :D

Very smart! I will try.. ;-)
Postfix and quota clarification
Hello, I have a post-office platform based on Postfix-2.5.2+Courier-IMAP-4.0.1-Courier-authlib-0.53+MySQL-5.0.33. Can someone give some hint on how enable (and verify that works) quota on mailboxes? Thanks, rocsca
RE: SOLVED: SMTP transaction interrupted
Here is one event in a tcpdump file that I received a few hours ago (full context is below the signature):

10:49:57.930285 80.74.176.142.25 217.11.85.59.2528: . ack 1998901 win 32767 nop,nop,sack sack 1 {1994821:1996181} (DF)

What happens is that the receiver (80.74.176.142) says: I have received all data up to offset 1998901. But the receiver (80.74.176.142) also sends a selective ACK for offset range 1994821:1996181, that is, for data that it has already acknowledged.

I have a correction to my earlier analysis. This behavior is defined in RFC 2883 (duplicate selective acknowledgment, or D-SACK). Look for the example in section 4.1.1 with ACK=4000, SACK=3000:3500. I'm never too old to learn new stuff.

The receiver can use D-SACK to tell the sender that it has received 1994821:1996181 multiple times already while the ACK is at 1998901. This is exactly what happens in the recording fragment that I included a few posts ago.

Great.. I've read the RFC too, and indeed it seems to me that this behaviour is feasible. So the server behaves correctly. What could be wrong is something on the client side (in fact, the client - I don't know exactly if the guilty one is the router interconnecting the client LAN to the Internet, or the PC behind it - sends packets that the server claims it has already received). Just for this I don't think that it is the case to disable SACK on the server side. It should be the client (Windows workstation or router XXX) to disable SACK, if anything..

rocsca
RE: SMTP transaction interrupted
Rocco Scappatura: 12:31:06.808714 O client.1395 server.25: . 1931191:1932551(1360) ack 358 win 65178 (DF) Can you show the TCP handshake (SYN/SYN+ACK/ACK) with TCP options. You are right, there is no TCP option. I will try to dump another SMTP session. This time directly on mail gateway server with command: # tcpdump -s 0 -w /var/dump host client and port 25 Here the tcpdump output of a typical failing transaction (I see a lot of duplicate ack): ncr_ccl smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1360 smtp ncr_ccl [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 ncr_ccl smtp [ACK] Seq=1 Ack=1 Win=65535 Len=0 smtp ncr_ccl [ACK] Seq=20 Ack=13 Win=5840 Len=0 ncr_ccl smtp [ACK] Seq=51 Ack=53 Win=65483 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=1541 Win=8160 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=2901 Win=10880 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=4261 Win=13600 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 [TCP Dup ACK 28#1] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=8341 [TCP Dup ACK 28#2] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=9701 [TCP Dup ACK 28#3] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=11061 [TCP Dup ACK 28#4] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=12421 [TCP Dup ACK 28#5] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=13781 [TCP Dup ACK 28#6] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=15141 [TCP Dup ACK 28#7] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=16501 [TCP Dup ACK 28#8] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=17861 [TCP Dup ACK 28#9] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=19221 [TCP Dup ACK 28#10] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=20581 [TCP Dup ACK 28#11] smtp ncr_ccl [ACK] Seq=195 Ack=5621 Win=16320 Len=0 SLE=6981 SRE=21941 smtp ncr_ccl [ACK] Seq=195 Ack=21941 Win=19040 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=23301 
Win=21760 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=24661 Win=24480 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=26021 Win=27200 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=27381 Win=29920 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=28741 Win=32640 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=30101 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=31461 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=32821 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=32949 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=34309 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=35669 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=37029 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=38389 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=39749 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=41109 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=42469 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=43829 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=45189 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=46549 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=47909 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=49269 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=50629 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=51989 Win=32767 Len=0 [TCP Dup ACK 98#1] smtp ncr_ccl [ACK] Seq=195 Ack=51989 Win=32767 Len=0 SLE=53349 SRE=54709 [TCP Dup ACK 98#2] smtp ncr_ccl [ACK] Seq=195 Ack=51989 Win=32767 Len=0 SLE=56069 SRE=57429 SLE=53349 SRE=54709 [TCP Dup ACK 98#3] smtp ncr_ccl [ACK] Seq=195 Ack=51989 Win=32767 Len=0 SLE=56069 SRE=58789 SLE=53349 SRE=54709 [TCP Dup ACK 98#4] smtp ncr_ccl [ACK] Seq=195 Ack=51989 Win=32767 Len=0 SLE=56069 SRE=60149 SLE=53349 SRE=54709 [TCP Dup ACK 98#5] smtp ncr_ccl [ACK] Seq=195 Ack=51989 Win=32767 Len=0 SLE=56069 SRE=61509 SLE=53349 SRE=54709 [TCP Dup ACK 98#6] smtp ncr_ccl [ACK] Seq=195 Ack=51989 Win=32767 Len=0 SLE=56069 SRE=62869 SLE=53349 SRE=54709 [TCP Dup ACK 98#7] smtp ncr_ccl [ACK] Seq=195 Ack=51989 Win=32767 Len=0 SLE=56069 SRE=64229 SLE=53349 SRE=54709 [TCP Dup ACK 98#8] smtp ncr_ccl [ACK] Seq=195 
Ack=51989 Win=32767 Len=0 SLE=56069 SRE=65589 SLE=53349 SRE=54709 smtp ncr_ccl [ACK] Seq=195 Ack=54709 Win=32767 Len=0 SLE=56069 SRE=65589 smtp ncr_ccl [ACK] Seq=195 Ack=65589 Win=32767 Len=0 smtp ncr_ccl [ACK] Seq=195 Ack=65717 Win=32767 Len=0 [TCP Dup ACK 120#1] smtp ncr_ccl [ACK] Seq=195 Ack=65717 Win=32767 Len=0 SLE=67077 SRE=68437 [TCP Dup ACK 120#2] smtp ncr_ccl [ACK] Seq=195 Ack=65717 Win=32767 Len=0 SLE=67077 SRE=69797 [TCP Dup ACK 120#3] smtp ncr_ccl [ACK] Seq=195 Ack=65717 Win=32767 Len=0 SLE=67077 SRE=71157 [TCP Dup ACK 120#4] smtp ncr_ccl [ACK] Seq=195 Ack=65717 Win=32767 Len=0 SLE=67077 SRE=72517 smtp ncr_ccl [ACK] Seq=195 Ack=72517 Win=32767 Len=0 [TCP Dup ACK 130#1] smtp ncr_ccl [ACK] Seq=195 Ack=72517 Win=32767 Len=0 SLE=73877 SRE=75237 [TCP Dup ACK 130#2] smtp ncr_ccl [ACK] Seq=195 Ack=72517 Win=32767 Len=0 SLE=73877 SRE=76597 smtp ncr_ccl [ACK] Seq=195 Ack=76597 Win=32767 Len=0 smtp ncr_ccl [ACK
RE: SMTP transaction interrupted
Which tcpdump version is this? Where are the time stamps and the packets with data (Len>0)?

tcpdump shows only initial packet data by default and -s0 shows all data. It is useful when decoding HEX (-xX) or ASCII (-A).

I repeat, there is no need to look at the data itself. However, this trace is worthless for the following reasons:

1) There are no time stamps, sequence numbers, IP addresses.
2) There is no information about packets that have data length > 0.

And, with a thread that has one message per week, it might also help to summarize what the problem was.

Sorry for the bad information that I have submitted! :-( I hope that this time it is correct (please, refer to http://80.74.176.104/dump_no_detail). Moreover I want to report some rows that shortly describe the problem that I have encountered:

I can't identify the cause of the impossibility to relay emails through my Postfix mail gateway, from an Outlook Express client. From the mail log, I saw:

postfix/smtpd[16988]: connect from unknown[xxx.yyy.www.zzz]
postfix/smtpd[16988]: 7B98D75008D: client=unknown[xxx.yyy.www.zzz]
postfix/cleanup[22797]: 7B98D75008D: message-id=[EMAIL PROTECTED]

From the client side I get a pop-up window that points out problems with server communication or even network.. And

$ egrep 'postfix/cleanup\[22797\]|postfix/smtpd\[16988\]' /var/log/maillog
Oct 29 10:27:58 av3 postfix/smtpd[16988]: connect from unknown[xxx.yyy.www.zzz]
Oct 29 10:27:58 av3 postfix/smtpd[16988]: 7B98D75008D: client=unknown[xxx.yyy.www.zzz]
Oct 29 10:34:25 av3 postfix/smtpd[16988]: timeout after DATA from unknown[xxx.yyy.www.zzz]
Oct 29 10:34:25 av3 postfix/smtpd[16988]: disconnect from unknown[xxx.yyy.www.zzz]

After that I wanted to investigate the cause more deeply and I have collected data with tcpdump for one problematic session:

# tcpdump -s 0 -w /var/dump host client and port 25

And got the data shown at the URL above (hoping that this time it is the worthwhile one! ;-))

Thanks,
rocsca
RE: SOLVED: SMTP transaction interrupted
I think I have solved the mystery. But I can offer you only a workaround, to turn off selective ACK support. Here is one event in a tcpdump file that I received a few hours ago (full context is below the signature):

10:49:57.930285 80.74.176.142.25 217.11.85.59.2528: . ack 1998901 win 32767 nop,nop,sack sack 1 {1994821:1996181} (DF)

After this, things go bad very quickly. What happens is that the receiver (80.74.176.142) says: I have received all data up to offset 1998901. But the receiver (80.74.176.142) also sends a selective ACK for offset range 1994821:1996181, that is, for data that it has already acknowledged.

It is awesome! '80.74.176.142' is the interface of my smtp server. And I collected data with tcpdump exactly on that interface. So I infer that something goes wrong on that machine! Why does it behave so? Is it maybe a bug in the TCP implementation of the OS used by that machine and so an OS bug, or some problem tied to a hardware device?

That would be a bug in the TCP implementation. Sending SACK for segments already acknowledged makes no sense.

First of all I will tell the client to disable SACK on its side, while I will look for a patch for the OS that I'm using.. :-)

However

The sender (217.11.85.59) then goes crazy and keeps retransmitting the data in 1994821:1996181 until the connection times out. That is also a bug. All this happens on a connection with an insane packet loss rate. Of course it is possible that there is a firewall in-between that is screwing things up. Otherwise, you may want to advise your vendor(s) of a problem in the receiver's tcp stack, and in the sender's handling of an incorrect receiver response.

Thanks very much. I would never have been able to point out such a subtle thing!

Once I had a tcpdump recording, it took only a few minutes. And as I wrote earlier, this did not need any information about the content of the SMTP session.

I will try to imitate you next time I face a similar issue.. ;-)

Tnx
rocsca
Re: SOLVED: SMTP transaction interrupted
Rocco Scappatura:

I think I have solved the mystery. But I can offer you only a workaround, to turn off selective ACK support. Here is one event in a tcpdump file that I received a few hours ago (full context is below the signature):

10:49:57.930285 80.74.176.142.25 217.11.85.59.2528: . ack 1998901 win 32767 nop,nop,sack sack 1 {1994821:1996181} (DF)

After this, things go bad very quickly. What happens is that the receiver (80.74.176.142) says: I have received all data up to offset 1998901. But the receiver (80.74.176.142) also sends a selective ACK for offset range 1994821:1996181, that is, for data that it has already acknowledged.

It is awesome! '80.74.176.142' is the interface of my smtp server.

What is the OS type/version?

SUSE Linux Enterprise Server 10 (i586) VERSION = 10
Linux av5 2.6.16.21-0.8-smp #1 SMP Mon Jul 3 18:25:39 UTC 2006 i686 i686 i386 GNU/Linux

Of course the bigger problem is that the sender keeps retransmitting the data offset range 1994821:1996181 over several minutes. Either way, if you turn off SACK support (RFC 2018) on the receiver it should stop triggering this bug on the sender side.

Could it impact heavily on the performance of the SMTP service?

rocsca
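The check that the "SOLVED: SMTP transaction interrupted" messages walk through by hand (a SACK block lying below the cumulative ACK is an RFC 2883 D-SACK, and the same segment keeps being retransmitted) can be run over a whole text trace. This is an added example, not code from the thread; the function names are hypothetical, the sample trace is constructed with documentation addresses, and sequence-number wraparound is ignored.

```python
"""Flag RFC 2883 D-SACK reports and stuck retransmissions in tcpdump text."""
import re
from collections import Counter

# Classic tcpdump text lines, with or without the ">" separator and the
# leading I/O direction marker (both variants occur in pasted traces).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:[IO]\s+)?"
    r"(?P<src>\S+)\s+(?:>\s+)?(?P<dst>\S+?):\s+(?P<rest>.*)$"
)
SEGMENT_RE = re.compile(r"(\d+):(\d+)\((\d+)\)")  # first:last(length)
ACK_RE = re.compile(r"\back (\d+)")               # cumulative ACK, not "sack"
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")          # SACK blocks, in order


def parse_line(line):
    """Return the fields needed for SACK analysis, or None if not a packet."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    seg = SEGMENT_RE.search(rest)
    ack = ACK_RE.search(rest)
    has_data = seg is not None and int(seg.group(3)) > 0
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "segment": (int(seg.group(1)), int(seg.group(2))) if has_data else None,
        "ack": int(ack.group(1)) if ack else None,
        "sack": [(int(a), int(b)) for a, b in SACK_RE.findall(rest)],
    }


def dsack_block(ack, blocks):
    """Return the duplicate range reported by the first SACK block, or None.

    RFC 2883: the first block is a D-SACK when it lies at or below the
    cumulative ACK, or when it is contained in the second block.
    """
    if ack is None or not blocks:
        return None
    first = blocks[0]
    if first[1] <= ack:
        return first
    if len(blocks) > 1:
        second = blocks[1]
        if second[0] <= first[0] and first[1] <= second[1]:
            return first
    return None


def analyze(lines, retransmit_threshold=3):
    """Collect D-SACK events and segments sent at least N times."""
    sent = Counter()
    dsacks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["segment"]:
            sent[(pkt["src"], pkt["segment"])] += 1
        dup = dsack_block(pkt["ack"], pkt["sack"])
        if dup:
            dsacks.append((pkt["ts"], pkt["src"], dup))
    stuck = {k: n for k, n in sent.items() if n >= retransmit_threshold}
    return {"dsack": dsacks, "stuck": stuck}


# Constructed trace modelled on the event quoted in the thread; the last
# line uses the stripped form (no ">" or "<...>") seen in the archive.
SAMPLE_TRACE = """\
10:49:57.100000 198.51.100.59.2528 > 192.0.2.142.25: . 1994821:1996181(1360) ack 358 win 65178 (DF)
10:49:57.500000 198.51.100.59.2528 > 192.0.2.142.25: . 1996181:1997541(1360) ack 358 win 65178 (DF)
10:49:57.700000 198.51.100.59.2528 > 192.0.2.142.25: . 1997541:1998901(1360) ack 358 win 65178 (DF)
10:49:57.900000 198.51.100.59.2528 > 192.0.2.142.25: . 1994821:1996181(1360) ack 358 win 65178 (DF)
10:49:57.930285 192.0.2.142.25 > 198.51.100.59.2528: . ack 1998901 win 32767 <nop,nop,sack sack 1 {1994821:1996181}> (DF)
10:49:59.300000 198.51.100.59.2528 > 192.0.2.142.25: . 1994821:1996181(1360) ack 358 win 65178 (DF)
10:49:59.330000 192.0.2.142.25 > 198.51.100.59.2528: . ack 1998901 win 32767 <nop,nop,sack sack 1 {1994821:1996181}> (DF)
10:50:00.000000 192.0.2.142.25 > 198.51.100.59.2528: . ack 1998901 win 32767 <nop,nop,sack sack 1 {2000261:2001621}> (DF)
10:50:01.000000 192.0.2.142.25 198.51.100.59.2528: . ack 1998901 win 32767 nop,nop,sack sack 1 {1994821:1996181} (DF)
""".splitlines()

if __name__ == "__main__":
    report = analyze(SAMPLE_TRACE)
    for ts, host, (lo, hi) in report["dsack"]:
        print(f"{ts} D-SACK from {host}: {lo}:{hi} received more than once")
    for (host, (lo, hi)), count in report["stuck"].items():
        print(f"{host} sent {lo}:{hi} {count} times")
```

A D-SACK on its own is normal receiver behaviour; the combination worth reporting is a D-SACK for a range that the peer then keeps resending.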
RE: authentication failed
postfix/smtpd[19545]: warning: unknown[xxx.yyy.www.zzz]: SASL LOGIN authentication failed: authentication failure

I do get those all the time. Users mistyping their passwords, usernames, clients getting AUTH all wrong and so on.

OK.

then

postfix/smtpd[19545]: lost connection after AUTH from unknown[xxx.yyy.www.zzz]

The client disconnects. Add that particular client to debug_peer_list to see what's going on, but this is not a Postfix problem, it's the client which disconnects after authentication doesn't succeed.

I will try to get some more info.

I have collected an SMTP session with tcpdump, eavesdropping on the listening interface of the mail gateway. Here is the output:

Command: EHLO sender.tld
Response: 250-server.tld
Command: AUTH LOGIN
Response: 334 VXNlcm5hbWU6
[TCP Retransmission] Response: 334 VXNlcm5hbWU6
[TCP Retransmission] Response: 334 VXNlcm5hbWU6
Command: aW52aW9Ad2ludmFyaWEuaXQ=
Response: 334 UGFzc3dvcmQ6
Command: aW52aW8=
Response: 535 5.7.0 Error: authentication failed: authentication failure

It seems that the client tries to authenticate, while it is not required. But it is supported. I don't understand if the client simply uses a wrong couple of authentication credentials or even a wrong authentication method..

The second strange thing is the three retransmissions of the response to the AUTH LOGIN command.. Why? Is it a symptom of network problems or what?

rocsca
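In an AUTH LOGIN exchange like the one above, the 334 prompts and the client's replies are only base64-encoded, so a capture pasted verbatim discloses the account name and password to every reader. The following added example (not from the thread) annotates the server prompts and redacts the client's SASL replies before a transcript is shared; the function names and sample credentials are constructed, and the handling of an inline initial response (for example `AUTH PLAIN <data>`) goes beyond the case shown in the post.

```python
"""Redact SASL credentials from a 'Command:/Response:' SMTP transcript."""
import base64
import binascii
import re

# Optional bracketed analyzer note (e.g. "[TCP Retransmission]"), then the
# direction label used in the pasted session, then the SMTP line itself.
LINE_RE = re.compile(
    r"^(?P<prefix>(?:\[[^\]]*\]\s*)?)(?P<kind>Command|Response):\s*(?P<payload>.*)$"
)
# "AUTH <mechanism> <initial-response>" carries credentials on one line.
INLINE_AUTH_RE = re.compile(r"^(AUTH\s+\S+)\s+\S+$", re.IGNORECASE)


def enc(text):
    """Base64-encode a string the way a mail client does for AUTH."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_prompt(arg):
    """Decode a 334 challenge; return None if it is not valid base64 text."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def redact_auth_login(lines):
    """Return a copy of the transcript with client SASL replies removed."""
    out = []
    awaiting = None  # set while the server is waiting for a SASL reply
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            out.append(line)
            continue
        prefix, kind, payload = m.group("prefix", "kind", "payload")
        if kind == "Response":
            code, _, arg = payload.partition(" ")
            if code == "334":
                prompt = decode_prompt(arg)
                awaiting = (prompt or "").rstrip(":").lower() or "credential"
                note = f" (prompt: {prompt})" if prompt else ""
                out.append(f"{prefix}Response: 334 {arg}{note}")
            else:
                awaiting = None  # any other reply ends the SASL exchange
                out.append(line)
        elif awaiting:
            # Every client line after a 334 (retransmissions included) is a
            # SASL reply, so it never reaches the output.
            out.append(f"{prefix}Command: [REDACTED {awaiting}]")
        else:
            inline = INLINE_AUTH_RE.match(payload)
            if inline:
                out.append(
                    f"{prefix}Command: {inline.group(1)} [REDACTED initial response]"
                )
            else:
                out.append(line)
    return out


# Constructed session in the layout of the post; credentials are made up.
SAMPLE_USER = "alice@example.test"
SAMPLE_PASS = "constructed-secret"
SAMPLE_SESSION = [
    "Command: EHLO sender.tld",
    "Response: 250-server.tld",
    "Command: AUTH LOGIN",
    "Response: 334 VXNlcm5hbWU6",
    "[TCP Retransmission] Response: 334 VXNlcm5hbWU6",
    "Command: " + enc(SAMPLE_USER),
    "Response: 334 UGFzc3dvcmQ6",
    "Command: " + enc(SAMPLE_PASS),
    "Response: 535 5.7.0 Error: authentication failed: authentication failure",
]

if __name__ == "__main__":
    print("\n".join(redact_auth_login(SAMPLE_SESSION)))
```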
RE: authentication failed
I'm facing a problem with a client that can't send email through my mail gateway.. After connection, in the mail log, I get:

postfix/smtpd[19545]: warning: unknown[xxx.yyy.www.zzz]: SASL LOGIN authentication failed: authentication failure

then

postfix/smtpd[19545]: lost connection after AUTH from unknown[xxx.yyy.www.zzz]

and finally:

postfix/smtpd[19545]: disconnect from unknown[xxx.yyy.www.zzz]

But I think that - the authentication failure being a warning - the smtp dialog shouldn't be broken. Then I ask why the connection with the client is lost?

Any idea? Any suggestion? Is it an authentication matter?

rocsca
RE: authentication failed
postfix/smtpd[19545]: warning: unknown[xxx.yyy.www.zzz]: SASL LOGIN authentication failed: authentication failure

I do get those all the time. Users mistyping their passwords, usernames, clients getting AUTH all wrong and so on.

OK.

then

postfix/smtpd[19545]: lost connection after AUTH from unknown[xxx.yyy.www.zzz]

The client disconnects. Add that particular client to debug_peer_list to see what's going on, but this is not a Postfix problem, it's the client which disconnects after authentication doesn't succeed.

I will try to get some more info.

But I think that - the authentication failure being a warning - the smtp dialog shouldn't be broken.

Seen from an smtpd's point of view, failure to authenticate is not fatal, so it is logged as a warning.

Ok

Then I ask why the connection with the client is lost?

Go ask the client's programmers ;-)

I'm going to.. ;-)

rocsca
RE: SMTP transaction interrupted
Oct 29 10:27:58 av3 postfix/smtpd[16988]: connect from unknown[xxx.yyy.www.zzz]
Oct 29 10:27:58 av3 postfix/smtpd[16988]: 7B98D75008D: client=unknown[xxx.yyy.www.zzz]
Oct 29 10:34:25 av3 postfix/smtpd[16988]: timeout after DATA from unknown[xxx.yyy.www.zzz]
Oct 29 10:34:25 av3 postfix/smtpd[16988]: disconnect from unknown[xxx.yyy.www.zzz]

What can I suspect about the cause? Firewall, protection software on the sending client or what?

All of the above, including firewalls that break IP path MTU discovery or TCP window scaling. A tcpdump recording will help to distinguish between these. I don't think that packet content is needed for this.

Indeed, I have already dumped the TCP communication on the network device between the client (client) and the server (server).

12:31:06.808714 O client.1395 server.25: . 1931191:1932551(1360) ack 358 win 65178 (DF)
12:31:06.810488 I server.25 client.1395: . ack 1932551 win 32767 (DF)
12:31:06.852564 O client.1395 server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:06.854144 I server.25 client.1395: . ack 1933911 win 32767 (DF)
12:31:06.894753 O client.1395 server.25: . 1933911:1935271(1360) ack 358 win 65178 (DF)
12:31:06.896266 I server.25 client.1395: . ack 1935271 win 32767 (DF)
12:31:06.936602 O client.1395 server.25: . 1935271:1936631(1360) ack 358 win 65178 (DF)
12:31:06.938700 I server.25 client.1395: . ack 1936631 win 32767 (DF)
12:31:06.980516 O client.1395 server.25: . 1936631:1937991(1360) ack 358 win 65178 (DF)
12:31:06.982220 I server.25 client.1395: . ack 1937991 win 32767 (DF)
12:31:07.522337 O client.1395 server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:07.524024 I server.25 client.1395: . ack 1937991 win 32767 nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED] (DF)
12:31:08.944525 O client.1395 server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:08.946030 I server.25 client.1395: . ack 1937991 win 32767 nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED] (DF)
12:31:11.788665 O client.1395 server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:11.789996 I server.25 client.1395: . ack 1937991 win 32767 nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED] (DF)
12:31:14.124361 I server.25 client.1383: FP 0:49(49) ack 1 win 32767 nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED] (DF)
12:31:17.366904 O client.1395 server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:17.368809 I server.25 client.1395: . ack 1937991 win 32767 nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED] (DF)
12:31:28.524960 O client.1395 server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:28.527685 I server.25 client.1395: . ack 1937991 win 32767 nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED] (DF)
12:31:48.433164 I server.25 client.1383: FP 0:49(49) ack 1 win 32767 nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED] (DF)

But I'm not completely able to give a correct interpretation of the output. The only relevant thing that I strongly suspect is that the last row points out that the server has noticed that the client has not responded for a long time and sends a FIN packet. But no other info about the cause of the 'communication breaking' is possible to get.

rocsca
authentication failed
Hello, I'm facing a problem with a client that can't send email through my mail gateway.. After connection, in the mail log, I get:

postfix/smtpd[19545]: warning: unknown[xxx.yyy.www.zzz]: SASL LOGIN authentication failed: authentication failure

then

postfix/smtpd[19545]: lost connection after AUTH from unknown[xxx.yyy.www.zzz]

and finally:

postfix/smtpd[19545]: disconnect from unknown[xxx.yyy.www.zzz]

But I think that - the authentication failure being a warning - the smtp dialog shouldn't be broken. Then I ask why the connection with the client is lost?

Thanks,
rocsca
SMTP transaction interrupted
Hello, I can't identify the cause of the impossibility to relay emails through my Postfix mail gateway, from an Outlook Express client. From the mail log, I saw:

postfix/smtpd[16988]: connect from unknown[xxx.yyy.www.zzz]
postfix/smtpd[16988]: 7B98D75008D: client=unknown[xxx.yyy.www.zzz]
postfix/cleanup[22797]: 7B98D75008D: message-id=[EMAIL PROTECTED]

From the client side I get a pop-up window that points out problems with server communication or even network..

What could be inferred from the postfix log above? How could I continue to investigate to get the cause of the interruption?

TIA,
rocsca
RE: SMTP transaction interrupted
I can't identify the cause of the impossibility to relay emails through my Postfix mail gateway, from an Outlook Express client.

Indeed, I get the problem while sending email with an attachment with size above 5-6 MB..

From the mail log, I saw:

postfix/smtpd[16988]: connect from unknown[xxx.yyy.www.zzz]
postfix/smtpd[16988]: 7B98D75008D: client=unknown[xxx.yyy.www.zzz]
postfix/cleanup[22797]: 7B98D75008D: message-id=[EMAIL PROTECTED]

From the client side I get a pop-up window that points out problems with server communication or even network..

What could be inferred from the postfix log above? How could I continue to investigate to get the cause of the interruption?

TIA,
rocsca
RE: SMTP transaction interrupted
I can't identify the cause of the impossibility to relay emails through my Postfix mail gateway, from an Outlook Express client.

Indeed, I get the problem while sending email with an attachment with size above 5-6 MB..

From the mail log, I saw:

postfix/smtpd[16988]: connect from unknown[xxx.yyy.www.zzz]
postfix/smtpd[16988]: 7B98D75008D: client=unknown[xxx.yyy.www.zzz]
postfix/cleanup[22797]: 7B98D75008D: message-id=[EMAIL PROTECTED]

From the client side I get a pop-up window that points out problems with server communication or even network..

What could be inferred from the postfix log above? How could I continue to investigate to get the cause of the interruption?

Look for the records at the END of the SMTP session.

$ egrep 'postfix/cleanup\[22797\]|postfix/smtpd\[16988\]' /var/log/maillog

Thanks Wietse:

Oct 29 10:27:58 av3 postfix/smtpd[16988]: connect from unknown[xxx.yyy.www.zzz]
Oct 29 10:27:58 av3 postfix/smtpd[16988]: 7B98D75008D: client=unknown[xxx.yyy.www.zzz]
Oct 29 10:34:25 av3 postfix/smtpd[16988]: timeout after DATA from unknown[xxx.yyy.www.zzz]
Oct 29 10:34:25 av3 postfix/smtpd[16988]: disconnect from unknown[xxx.yyy.www.zzz]

What can I suspect about the cause? Firewall, protection software on the sending client or what?

rocsca
RE: Postfix statistics from log stored on RDBMS
I have hacked pflogsumm so that it can read the log from the database used by PHP-syslog-ng. If someone is interested, I will make it public.

rocsca

-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-postfix- [EMAIL PROTECTED] On Behalf Of Rocco Scappatura
Sent: Friday, September 19, 2008 3:20 PM
To: Robert Schetterer
Cc: postfix-users@postfix.org
Subject: RE: Postfix statistics from log stored on RDBMS

look http://code.google.com/p/php-syslog-ng/

OK, it is very nice even if it takes a long time to analyze a very large database. Moreover, it does not present much information about the mail log. I prefer a tool like pflogsumm so that it can run 'off time' and it contains much other information that is more interesting for a postmaster.

Thanks a lot.
rocsca
Postfix statistics from log stored on RDBMS
Hello, I have several Postfix+Amavisd-new+MySQL mail gateways. I have configured the syslog service on those machines to send logs to a centralized syslog server, which stores received logs on a mysql DBMS. BTW, I look up the logs using Php-Syslog-NG.

Anyway, logs on each machine are also stored as usual (into files, /var/log/mail and so on). From '/var/log/mail' I also tell 'pflogsumm' to compute mail gateway statistics.

Now, I would like to switch off logging into files and to do so I need to get statistics from the log stored in mysql. Could someone suggest a utility to do so? Or, better, point me to an already existing hacked version of 'pflogsumm' that does so?

TIA,
rocsca
RE: Postfix statistics from log stored on RDBMS
-Original Message-
From: Robert Schetterer [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2008 3:06 PM
To: Rocco Scappatura
Cc: postfix-users@postfix.org
Subject: Re: Postfix statistics from log stored on RDBMS

Rocco Scappatura wrote:

Hello, I have several Postfix+Amavisd-new+MySQL mail gateways. I have configured the syslog service on those machines to send logs to a centralized syslog server, which stores received logs on a mysql DBMS. BTW, I look up the logs using Php-Syslog-NG.

Anyway, logs on each machine are also stored as usual (into files, /var/log/mail and so on). From '/var/log/mail' I also tell 'pflogsumm' to compute mail gateway statistics.

Now, I would like to switch off logging into files and to do so I need to get statistics from the log stored in mysql. Could someone suggest a utility to do so? Or, better, point me to an already existing hacked version of 'pflogsumm' that does so?

TIA,
rocsca

look http://code.google.com/p/php-syslog-ng/

Cool! I'm taking a look at it! I will let you know.

rocsca
advanced mysql lookup
Hello, I would like to add a further condition for delivery of email messages. In my main.cf I have this setting:

virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-transport.cf

where mysql-transport.cf contains:

select_field = domain
where_field = domain
additional_conditions = and active = 1

I would like a message to be delivered locally only if the 'transport' for the domain specified by the domain part of the recipient is the local server. Otherwise the message has to be forwarded to the responsible post office server for the recipient domain. So I have to add the condition:

additional_conditions = and active = 1 and transport='smtp:host.domain.tld'

where 'host.domain.tld' is the name of the local machine.

Now I would like to make the lookup table configuration safer. So I have thought of modifying the additional condition so:

additional_conditions = and active = 1 and LOWER(transport) in ('smtp:`hostname -f`', 'smtp:[`hostname -i`]')

But postfix does not interpolate the shell command.. Is there a way to make my lookup condition safer?

TIA,
rocsca