Re: Many lookup types are available. What is the guide for choosing one or another?
I'm sorry, but this thread seems to have taken a detour. Being a Dane, I run into these kinds of responses all the time, simply because I find it counter-productive to sugarcoat things when writing English.

On Sat, 12 Jul 2014 14:41:51 +0200 li...@rhsoft.net li...@rhsoft.net wrote:

> On 12.07.2014 14:35, Wietse Venema wrote:
>> li...@rhsoft.net:
>>> On 12.07.2014 14:13, Wietse Venema wrote:
>>>> Arun:
>>>>> Is it wrong to ask questions? Is 'why' not allowable? I guess it is because you say so!
>>>>
>>>> No, because it's already said in the docs, at Wikipedia, Google, ... Why should all this be explained again, when lots and lots of pages already cover it? And why is that not OK? If you don't know what to use, use the documentation examples. The examples will do a reasonable job. If you were expecting a free lecture about the pros and cons of hash versus btree versus lmdb and so on, then sorry, I consider that an unreasonable expectation.
>>>
>>> maybe somebody else would have answered something different than use the Postfix documentation - demand from others always be nice and friendly should lead in practice what you preach
>>
>> It's time for me to stop trying to help people, because there are too many who read hostile intent in my replies.
>
> no - i only tried to point out that responses sometimes appear to have unfriendly or bad intention even if they are not meant that way
>
> it's the same as you and Victor yesterday assumed bad intention in two posts of me finally with Stupid knee-jerk reactions
>
> in doubt assume good intentions even in case of badly chosen wording could prevent a lot of heat

Yeah well, this should go both ways, but clearly does not. I would always prefer a short, no bullshit / sugarcoated answer, but apparently someone has concluded we can't use those, because someone gets upset. How can this even be an issue here, on a technical mailing list?
Re: New TLS Forward Secrecy document
On Wed, 18 Dec 2013 15:15:34 -0500 (EST) wie...@porcupine.org (Wietse Venema) wrote:

> Postfix has supported forward secrecy for TLS since version 2.2 when the TLS patch was adopted into Postfix. Things have changed a lot since then, both in TLS and in the real world.
>
> Viktor wrote up a FORWARD_SECRECY_README that summarizes the Postfix side of things all in one place.
>
> Available now: http://www.porcupine.org/postfix-mirror/FORWARD_SECRECY_README.html
>
> In the next 24 hours: http://www.postfix.org/FORWARD_SECRECY_README.html
>
> Wietse

Wietse, Viktor

Thanks for this, it's a great help.

Cheers
Re: Blocking LinkedIn 'Intro' mail hijacking?
On Fri, 25 Oct 2013 12:53:08 -0400, Charles Marcus cmar...@media-brokers.com wrote:

> Once you install the Intro app

Well, if the app is not installed, it might solve the problem. Other than that, I think this is a bit off-topic for Postfix, since it only applies to Apple's hand-held devices.

Cheers, Titanus
Re: Setting up SPF in Postfix for sending
On Thu, 15 Aug 2013 22:56:53 -0700, Rob Tanner rtan...@linfield.edu wrote:

> I've googled around quite a bit and while I can find lots of instruction on what I need in order for Postfix to validate incoming mail, I find nothing about what I need to do to make sure Postfix does whatever it needs to do to make sure the MTA receiving the mail validates it. And the dearth of information in that category also

You can't, since it's up to the receiver to do whatever checks they wish. That includes SPF.

> begs the question, is there a special header that Postfix needs to include in the message (as in DKIM) or do the receiving MTAs, if they're set up to use SPF, just automatically do the DNS lookups? What is it, besides adding the correct DNS TXT records, that I need to do on my end?

Nope, nothing to set up in Postfix to support SPF on outgoing mail, besides making sure the TXT / SPF record matches the sending server. I tend to simply use v=spf1 mx -all since my setup is simple, but you can see the entire syntax here: http://www.openspf.org/SPF_Record_Syntax

> Thanks, Rob

Cheers
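To make concrete what the receiving side does with a record like v=spf1 mx -all, here is an added example (not code from the thread, from Postfix or from openspf.org): a small SPF evaluator that reads the record from a constructed in-memory DNS table, so the domains, MX hosts and addresses are all made up and nothing goes to the network.

```python
"""Evaluate an SPF record the way a receiving MTA would.

Supported terms: ip4, a, mx and all, each with the +, -, ~ and ?
qualifiers. include, redirect, exp and the DNS lookup limits of a real
evaluator are left out; this is a teaching model.
"""
import ipaddress

# Constructed zone data standing in for real DNS lookups (offline).
FAKE_DNS = {
    ("example.net", "TXT"): ["v=spf1 mx -all"],
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.25"],
    ("example.net", "A"): ["192.0.2.80"],      # web host, never sends mail
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 a ~all"],
    ("example.org", "A"): ["203.0.113.5"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    """Stand-in resolver: a list of answers, or an empty list."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def mechanism_networks(domain, mech):
    """Expand one mechanism into the IP networks it designates."""
    name, _, arg = mech.partition(":")
    if name == "ip4":
        return [ipaddress.ip_network(arg, strict=False)]
    if name == "a":
        return [ipaddress.ip_network(a) for a in dns(arg or domain, "A")]
    if name == "mx":
        nets = []
        for mx_host in dns(arg or domain, "MX"):
            nets += [ipaddress.ip_network(a) for a in dns(mx_host, "A")]
        return nets
    raise ValueError("unsupported mechanism: %s" % name)


def check_spf(domain, client_ip):
    """SPF result for client_ip sending with an envelope sender @domain.

    Terms are evaluated left to right and the first match decides, which
    is why a trailing "-all" yields "fail" for every host the earlier
    terms did not designate.
    """
    records = [t for t in dns(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"          # nothing published: the receiver cannot judge
    if len(records) > 1:
        return "permerror"     # more than one SPF record is a syntax error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if any(ip in net for net in mechanism_networks(domain, term)):
            return QUALIFIERS[qualifier]
    return "neutral"           # ran off the end without an "all" term


if __name__ == "__main__":
    for dom, ip in (("example.net", "192.0.2.25"), ("example.net", "192.0.2.80"),
                    ("example.org", "203.0.113.5"), ("example.org", "192.0.2.1")):
        print("%s from %s -> %s" % (dom, ip, check_spf(dom, ip)))
```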
Re: Virtual Hosting (Ubuntu 12.04)
On Mon, 24 Jun 2013 20:22:00 -0500, postfix2...@hushmail.com wrote:

> Holy cow? Two things I didn't expect. Somebody would own a goofy name like that and somebody else would actually feel like pulling the records to test that. I suppose example.com is taken too, which is precisely why I avoided it. I'm sure they get bugged all the time as it is.

No, example.com and example.org are reserved by IANA with the specific purpose of being used as examples. Try to visit one of them.

Cheers
Re: myhostname and PTR
Thank you for the replies, they are very helpful. I own this domain, and the Danish handler of .dk allows all settings in DNS to be altered, but the hosting provider does not. All records besides PTR are within my control at the provider, so I guess it's a design decision they have taken, and I will contact them about this.

Cheers
myhostname and PTR
Hello

I've searched several times for information on the PTR record, and what myhostname in main.cf should be. The problem is not the information, but the fact that I struggle to understand it...

This server runs with the IP address 46.21.105.38 from a hosted VPS, and using dig to do a reverse lookup gives 46-21-105-38-static.serverhotell.net. Does this mean I should use 46-21-105-38-static as myhostname?

Thanks, titanus
Re: postfix munin graphs
On Tue, 18 Jun 2013 07:38:38 -0700, Grant emailgr...@gmail.com wrote:

> I think I need to tell munin where my postfix logs are (/var/log/mail/current) since I use metalog. How can I do that?
>
> - Grant

Try and read some documentation: http://munin.readthedocs.org/en/latest/

Then check out /etc/munin/plugin-conf.d/munin-node

And then, if Munin still doesn't work, the Munin folks might be better able to help out: http://munin-monitoring.org/wiki/HowToGetHelp
Re: Is it time for 2.x.y - x.y?
On Fri, 31 May 2013 16:56:11 -0400 (EDT), wie...@porcupine.org (Wietse Venema) wrote:

> After the confusion that Postfix 2.10 is not Postfix 2.1, maybe it is time to change the release numbering scheme.
>
> ...
>
> Wietse

I think it would be ill advised to do so, since the current scheme conforms to history, and therefore to what one might expect from version numbers. If one knows history, that is.

Cheers, Titanus
Re: Serving Dovecot mailbox quota status to Postfix
On Thu, 11 Apr 2013 22:58:36 +0200, Ralf Hildebrandt r...@sys4.de wrote:

> I wrote a little something about how to prevent delivery to mailboxes over quota while still being in the SMTP dialogue: http://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/ (Postfix/Dovecot)

Very useful, thank you for writing and sharing. May I suggest the English Wiki article for background on backscatter?

Cheers
Re: Serving Dovecot mailbox quota status to Postfix
On Fri, 12 Apr 2013 15:27:26 +0200, Ralf Hildebrandt r...@sys4.de wrote:

> * Titanus Eramius tita...@aptget.dk:
>> Very useful, thank you for writing and sharing. May I suggest the English Wiki article for background on backscatter?
>
> URL?

Sorry, of course: http://en.wikipedia.org/wiki/Backscatter_(email)
Re: Trouble configuring backup MX to reject unauth destination
Solved it :-)

When sending to unknown users, Postfix now rejects the mail with "User unknown in virtual mailbox table", and it does so for hosted (that is, virtual mailbox domains) domains as well.

It seems the SRS daemon* I have been using with the main.cf parameters

recipient_canonical_maps
recipient_canonical_classes
sender_canonical_maps
sender_canonical_classes

was the root of the problem. I have just commented them out to solve it. Reading through the documentation for those four parameters does not seem to indicate why they would mess with Postfix' ability to use virtual_mailbox_maps. But I guess my lack of understanding about Postfix internals is a problem as well.

I am sorry for the wasted time, and would like to thank all who helped out.

Have a nice weekend

* https://github.com/Fruneau/pfixtools
Re: Trouble configuring backup MX to reject unauth destination
On Mon, 25 Mar 2013 14:09:04 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:

> Titanus Eramius:
>> MAIL FROM:
>> 250 2.1.0 Ok
>> RCPT TO:real-u...@cogky.dk
>> 250 2.1.5 Ok
>> RCPT TO:non-exist...@cogky.dk
>> 250 2.1.5 Ok
>>
>> If non-exist...@cogky.dk is substituted with non-exist...@aptget.dk, then it is still rejected with ... unknown in virtual mailbox table.
>
> You appear to have a wild-card rule that replaces @cogky.dk with @aptget.dk. Such a rule matches all addresses including invalid ones. Instead use a MySQL query as described in http://tech.groups.yahoo.com/group/postfix-users/message/247913
>
> Wietse

Thank you for the link, it was very informative, but didn't solve the problem. I also tried making a virtual_mailbox_maps MySQL query that always returned false, but Postfix still accepted all mail, and then bounced it after Dovecot rejected it.

I have converted virtual_mailbox_maps and virtual_mailbox_domains to text files, so it should be easier to debug on the setup. Please note that I had to change server to experiment like this, since I depend on the other server. The server name is nt-data.dk, and the hosted domain (which all mail is accepted for) is nt-backup.dk. The behavior is the same, so mail sent to non_exist...@nt-data.dk is rejected, while mail sent to non_exist...@nt-backup.dk is accepted, and then bounced.

In main.cf (please see the bottom for postconf -n) is

virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps.cf

And the content of those files is

virtual_mailbox_domains.cf:
nt-backup.dk OK
nt-data.dk OK

virtual_mailbox_maps.cf:
t...@nt-backup.dk OK
i...@nt-data.dk OK

It all works like a charm, besides the point that Postfix accepts mail to non-existent users on the hosted domain. In addition I have read through the relevant documentation again, but I still can't figure out where or what the problem might be.
Thanks again

postconf -n
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps = $virtual_mailbox_maps
maximal_queue_lifetime = 15
mydestination =
myhostname = ntdata.nt-data.dk
mynetworks = 127.0.0.0/8
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client truncate.gbudb.net, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport.cf
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps.cf
virtual_transport = dovecot
Re: Trouble configuring backup MX to reject unauth destination
On Fri, 05 Apr 2013 08:49:39 -0400, Brian Evans grkni...@scent-team.com wrote:

>> Thank you for the link, it was very informative, but didn't solve the problem. I also tried making a virtual_mailbox_maps MySQL query that always returned false, but Postfix still accepted all mail, and then bounced it after Dovecot rejected it.
>
> You say you return false? Postfix expects to receive no results (a.k.a. 0 rows) if a virtual_mailbox_maps address in mysql does not exist. Do not return false, empty string, null, or any other value if it does not exist.

False may be the wrong word, and I'm sorry if it is. What I mean is, virtual_mailbox_maps always returns nothing from MySQL, like so:

titanus@ntdata:/etc/postfix$ sudo postmap -q t...@nt-backup.dk mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
titanus@ntdata:/etc/postfix$ echo $?
1
(this user exists)

titanus@ntdata:/etc/postfix$ sudo postmap -q non_exist...@nt-backup.dk mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
titanus@ntdata:/etc/postfix$ echo $?
1
(this user does not)

I did this because I had some trouble constructing the query string Wietse recommended, and thought this would be a simple and easy way to test if virtual_mailbox_maps was the problem. When trying the syntax within the MySQL CLI, an Empty set is returned when querying for a non-existent user:

mysql> SELECT username FROM mailbox
    -> WHERE username = 'non_exist...@nt-backup.dk';
Empty set (0.00 sec)

I hope this better explains what I meant

Cheers
Re: Trouble configuring backup MX to reject unauth destination
On Fri, 22 Mar 2013 19:12:40 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:

> Test your lookups:
>
> postmap -q cogky.dk the-virtual_mailbox_domains-table
>
> This should return a result (the value does not matter).

aptget:~# postalias -q cogky.dk mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
cogky.dk

> postmap -q real-u...@cogky.dk the-virtual_mailbox_maps-table
>
> This should return a result (the mailbox file name).

aptget:~# postalias -q real-u...@cogky.dk mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
cogky.dk/real-user/

> postmap -q bogus-u...@cogky.dk the-virtual_mailbox_maps-table
>
> This should return no result (Postfix treats this as user unknown in virtual mailbox table).

And this does not return a result. Bash gives an error status of 1.

On Sun, 24 Mar 2013 09:36:03 +0100, mouss mo...@ml.netoyen.net wrote:

> one possible reason is that you configured a wildcard alias:
> @cogky.dk == @aptget.dk
> (that is anything to cogky maps to same address in aptget.dk).

As far as I can see that should not be the case. All addresses and aliases in the database have a left hand side to them. Is there a way to test this?
I'm using Dovecot 2 as LDA for final delivery and IMAP services, so virtual_transport is set to dovecot in main.cf and the following lines are in master.cf:

dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

When looking through the log, it looks like the "user unknown" response comes from Dovecot and not Postfix:

Mar 25 13:43:53 aptget postfix/smtpd[24133]: connect from unknown[92.243.255.38]
Mar 25 13:43:54 aptget postfix/smtpd[24133]: Anonymous TLS connection established from unknown[92.243.255.38]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
Mar 25 13:43:54 aptget dovecot: auth-worker(24136): mysql(localhost): Connected to database postfix
Mar 25 13:43:54 aptget postfix/smtpd[24133]: BB6AD371DDC4: client=unknown[92.243.255.38], sasl_method=LOGIN, sasl_username=hidden_u...@aptget.dk
Mar 25 13:43:54 aptget postfix-policyd: connection from: 127.0.0.1 port: 48937 slots: 0 of 4096 used
Mar 25 13:43:54 aptget postfix-policyd: connecting to mysql database: localhost
Mar 25 13:43:54 aptget postfix-policyd: connected..
Mar 25 13:43:54 aptget postfix-policyd: rcpt=16, throttle=clear(a), host=92.243.255.38, from=tita...@aptget.dk, to=unknown-u...@cogky.dk, size=365/26214400, quota=365/18, count=1/125(10), rcpt=1/600(11), threshold=0%|0%|0%, sasl_username=hidden_u...@aptget.dk
Mar 25 13:43:54 aptget postfix/cleanup[24138]: BB6AD371DDC4: message-id=20130325134351.5c2e0...@asrock.local.aptget.dk
Mar 25 13:43:54 aptget postfix/qmgr[23982]: BB6AD371DDC4: from=tita...@aptget.dk, size=663, nrcpt=1 (queue active)
Mar 25 13:43:55 aptget postfix/pipe[24140]: BB6AD371DDC4: to=unknown-u...@cogky.dk, relay=dovecot, delay=0.38, delays=0.26/0.03/0/0.09, dsn=5.1.1, status=bounced (user unknown)
Mar 25 13:43:55 aptget postfix/cleanup[24138]: 16228371DE3E: message-id=20130325124355.16228371d...@aptget.aptget.dk
Mar 25 13:43:55 aptget postfix/bounce[24142]: BB6AD371DDC4: sender non-delivery notification: 16228371DE3E
Mar 25 13:43:55 aptget postfix/qmgr[23982]: 16228371DE3E: from=, size=2673, nrcpt=1 (queue active)
Mar 25 13:43:55 aptget postfix/qmgr[23982]: BB6AD371DDC4: removed
Mar 25 13:43:55 aptget postfix/smtpd[24133]: disconnect from unknown[92.243.255.38]

Thank you again for helping
Titanus

postconf -n
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = 46.21.105.38
local_recipient_maps = $virtual_mailbox_maps
mailman_destination_recipient_limit = 1
maximal_queue_lifetime = 15
message_size_limit = 26214400
mydestination = localhost
mydomain = aptget.dk
myhostname = aptget.aptget.dk
mynetworks = 127.0.0.0/8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1 zen.spamhaus.org*1 bl.spamcop.net*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination,
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
Re: Trouble configuring backup MX to reject unauth destination
On Mon, 25 Mar 2013 11:30:41 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:

> Titanus Eramius:
>> On Fri, 22 Mar 2013 19:12:40 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:
>>> Test your lookups:
>>>
>>> postmap -q cogky.dk the-virtual_mailbox_domains-table
>>>
>>> This should return a result (the value does not matter).
>>
>> aptget:~# postalias -q cogky.dk mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
>> cogky.dk
>>
>>> postmap -q real-u...@cogky.dk the-virtual_mailbox_maps-table
>>>
>>> This should return a result (the mailbox file name).
>>
>> aptget:~# postalias -q real-u...@cogky.dk mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
>> cogky.dk/real-user/
>>
>>> postmap -q bogus-u...@cogky.dk the-virtual_mailbox_maps-table
>>>
>>> This should return no result (Postfix treats this as user unknown in virtual mailbox table).
>>
>> And this does not return a result. Bash gives an error status of 1.
>
> OK, the table is working as it should. Now let's find out why the bogus recipient is accepted:
>
> Next step:
>
> - Connect to the public (not content re-injection) SMTP port and try
>
> $ telnet hostname 25
> ehlo ...
> mail from:
> rcpt to:real-u...@cogky.dk
> rcpt to:bogus-u...@cogky.dk
> quit
>
> One recipient should be accepted, the other not.
>
> - Same experiment for mail over the submission port, if you have one:
>
> $ openssl s_client -starttls smtp -connect hostname:587
> ehlo ...
> mail from:
> rcpt to:real-u...@cogky.dk
> rcpt to:bogus-u...@cogky.dk
> quit
>
> This is just in case.
>
> Wietse

Both RCPT TOs are successful:

titanus@asrock:~$ telnet 46.21.105.38 25
Trying 46.21.105.38...
Connected to 46.21.105.38.
Escape character is '^]'.
220 aptget.aptget.dk ESMTP Postfix
EHLO Hej
250-aptget.aptget.dk
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:real-u...@cogky.dk
250 2.1.5 Ok
RCPT TO:non-exist...@cogky.dk
250 2.1.5 Ok
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

If non-exist...@cogky.dk is substituted with non-exist...@aptget.dk, then it is still rejected with ... unknown in virtual mailbox table.

When trying with submission through telnet, I'm afraid I can't get the syntax right. But when using the mail client Claws Mail, Postfix accepts non-existent addresses for cogky.dk:

...
[17:51:52] ESMTP 235 2.7.0 Authentication successful
[17:51:52] ESMTP MAIL FROM:ni...@aptget.dk SIZE=371
[17:51:52] SMTP 250 2.1.0 Ok
[17:51:52] SMTP RCPT TO:non-exist...@cogky.dk
[17:51:52] SMTP 250 2.1.5 Ok
...

Thank you, Titanus
Re: Trouble configuring backup MX to reject unauth destination
On Tue, 19 Feb 2013 16:31:05 +, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Tue, Feb 19, 2013 at 12:21:35PM +0100, Titanus Eramius wrote:
>> I've tried with relay_domains, but it matches on domain level which is too much. I then applied relay_recipient_maps, but it doesn't seem to have any effect, which means that addresses are still matched on domain basis. Every Postfix will have access to a complete list of recipients through MySQL. So the question becomes two-part: Why can't I get relay_recipient_maps to work?
>
> http://www.postfix.org/DEBUG_README.html#mail
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
>
> Wildcard entries in canonical_maps and virtual_alias_maps are the most common reason for recipient validation failing to distinguish between valid and invalid recipients.

Thank you for the response and sorry for the slow reply.

The problem seems to be related to the virtual setup, but I'm not sure how to best describe and document it. Besides aptget.dk this server also hosts cogky.dk (among others), and while unknown recipients are being correctly rejected with a 550 when sent to aptget.dk, they are not when sent to the other virtual domains. Instead they are accepted and then returned by the MAILER_DAEMON, which in turn opens the server to backscatter.

I have tried setting local_recipient_maps = $virtual_mailbox_maps in main.cf, but without any apparent effect.

To be honest, I'm unsure if I have set virtual_mailbox_maps correctly, but when testing it with postalias it seems to work:

titanus@aptget:/etc/postfix$ sudo postalias -q tita...@aptget.dk mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
aptget.dk/titanus/

When I test mysql_virtual_mailbox_maps.cf with a non-existent address, nothing is returned and the exit status is 1.

What I would like to achieve is that Postfix rejects mail to non-existent recipients before accepting mail.

Thanks again, Titanus

postconf -n
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = 46.21.105.38
local_recipient_maps = $virtual_mailbox_maps
mailman_destination_recipient_limit = 1
maximal_queue_lifetime = 15
message_size_limit = 26214400
mydestination = localhost
mydomain = aptget.dk
myhostname = aptget.aptget.dk
mynetworks = 127.0.0.0/8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1 zen.spamhaus.org*1 bl.spamcop.net*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination,
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
spamassassin_destination_recipient_limit = 1
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
Re: Trouble configuring backup MX to reject unauth destination
On Fri, 22 Mar 2013 16:55:21 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:

> Titanus Eramius:
>> Besides aptget.dk this server also hosts cogky.dk (among others), and while unknown recipients are being correctly rejected with a 550 when sent to aptget.dk, they are not when sent to the other virtual domains. Instead they are accepted and then returned by the MAILER_DAEMON, which in turn opens the server to backscatter.
>
> Where is cogky.dk defined: mydestination, virtual_alias_domains, virtual_mailbox_domains, relay_domains? It must be only one.
>
> This answer determines where the known recipients must be listed: local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps, relay_recipients. If you list the domain or recipients in the wrong place then mail will be rejected.
>
> See http://www.postfix.org/ADDRESS_CLASS_README.html
>
> Wietse

The goal is a virtual-only mail server, so the domains are stored in MySQL and fetched through virtual_mailbox_domains. Besides virtual_mailbox_domains, I use virtual_mailbox_maps and virtual_alias_maps.

The documentation is among the best documentation I have seen, but I can't seem to find the solution, even though I have read most of what I could find in relation to virtual handling.

One more clue is the error messages when sending to non-existent users. When sending to aptget.dk Postfix responds with

550 5.1.1 non_exist...@aptget.dk: Recipient address rejected: User unknown in virtual mailbox table.

When sending to cogky.dk the response is only

non_exist...@cogky.dk: user unknown

Thank you for your time, Titanus
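The lookups Wietse asked for, and the wildcard rule he, mouss and Viktor point at across this thread, can be modelled in a few lines. This is an added example, not Postfix code: it reproduces the search order virtual(5) documents for address keys (user@domain first, then the @domain wildcard) and a deliberately simplified version of the smtpd "unknown recipient" rule from ADDRESS_CLASS_README; the table contents and local parts are constructed, only the two domain names come from the thread.

```python
"""Why an "@domain" wildcard makes every recipient look valid.

Simplified rule used here: an address whose domain is in
virtual_mailbox_domains is a known recipient only if virtual_mailbox_maps
has an entry for it, and any address that matches virtual_alias_maps
(wildcard or exact) is treated as known as well. Real smtpd also consults
other classes and canonical rewriting; those are left out on purpose.
"""


def table_lookup(table, address):
    """Look an address up the way Postfix searches an address table:
    the full address first, then the "@domain" wildcard entry.
    Returns the value, or None (what "postmap -q" shows with exit 1)."""
    _, _, domain = address.rpartition("@")
    for key in (address, "@" + domain):
        if key in table:
            return table[key]
    return None


def recipient_known(address, mailbox_domains, mailbox_maps, alias_maps):
    """Simplified smtpd decision for one RCPT TO address."""
    _, _, domain = address.rpartition("@")
    if table_lookup(alias_maps, address) is not None:
        return True   # alias hits, wildcard or exact, count as valid recipients
    if domain in mailbox_domains:
        return table_lookup(mailbox_maps, address) is not None
    return False      # not a domain we deliver for: reject_unauth_destination


# Constructed tables standing in for the MySQL-backed maps in the thread.
MAILBOX_DOMAINS = {"aptget.dk", "cogky.dk"}
MAILBOX_MAPS = {
    "alice@aptget.dk": "aptget.dk/alice/",
    "bob@cogky.dk": "cogky.dk/bob/",
}
# A healthy alias table: only specific left-hand sides.
ALIASES_EXACT = {"postmaster@cogky.dk": "alice@aptget.dk"}
# The catch-all rule Wietse suspected: every @cogky.dk address is mapped
# to the same local part @aptget.dk, so every local part "exists".
ALIASES_WILDCARD = {"@cogky.dk": "@aptget.dk"}

PROBES = ("bob@cogky.dk", "nobody@cogky.dk", "nobody@aptget.dk", "x@example.com")


def probe(alias_maps):
    """Return {address: accepted?} for the probe addresses."""
    return {a: recipient_known(a, MAILBOX_DOMAINS, MAILBOX_MAPS, alias_maps)
            for a in PROBES}


if __name__ == "__main__":
    for label, aliases in (("exact aliases", ALIASES_EXACT),
                           ("wildcard alias", ALIASES_WILDCARD)):
        print(label)
        for addr, ok in probe(aliases).items():
            print("  RCPT TO:<%s> -> %s" % (addr, "250 Ok" if ok else "rejected"))
```

With the wildcard table the bogus cogky.dk address is accepted at RCPT TO and can only fail later, at delivery, which is exactly the bounce-then-backscatter pattern described above.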
Submission on 587 and check_policy_service
I have set Postfix only to allow relaying through submission on port 587, and as extra safety, I have installed the PolicyD* service to run some rate limiting, and am trying to configure it with Postfix. Since the PolicyD service only needs to check mail that gets relayed, I am trying to call it from the submission block in master.cf like so:

submission inet n - - - - smtpd
  ...
  -o ... ,check_policy_service inet:127.0.0.1:10031,reject

But it does not work. The log gives this:

Mar 21 14:16:52 aptget postfix/smtpd[13513]: fatal: parameter smtpd_recipient_restrictions: specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

Is it possible to set this policy service up, so it only gets called when mail goes through submission on 587?

Any pointers will be greatly appreciated

* http://www.policyd.org

Postfix version 2.9.3 from Debian backports

postconf -n
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
mailman_destination_recipient_limit = 1
maximal_queue_lifetime = 15
message_size_limit = 26214400
myhostname = aptget.aptget.dk
mynetworks = 127.0.0.0/8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1 zen.spamhaus.org*1 bl.spamcop.net*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
spamassassin_destination_recipient_limit = 1
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
Re: Submission on 587 and check_policy_service
On Thu, 21 Mar 2013 12:25:24 -0400, Brian Evans grkni...@scent-team.com wrote:

>> submission inet n - - - - smtpd
>> ...
>> -o ... ,check_policy_service inet:127.0.0.1:10031,reject
>
> Change this to
>
> -o ... ,check_policy_service,inet:127.0.0.1:10031,reject
>
> You cannot use spaces with in-line options in master.cf
>
> Brian

Thank you for the help, it was spot on.

Cheers, Titanus
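Brian's one-liner is easier to trust once you see how the two parsers interact, so here is an added example (not Postfix code) that splits a master.cf command field the way master(8) does and then splits the override value the way smtpd splits a restriction list; the restriction list itself is constructed, since the thread elides the real one with "...".

```python
"""Why a space inside a master.cf "-o" value breaks the restriction list.

master(8) splits the command field of a master.cf entry on whitespace
before smtpd ever sees its "-o name=value" overrides, so a value with a
space in it is cut off at that space and the remainder becomes a stray
argument. The check at the end mirrors the fatal message quoted above.
"""

# One of these must be present in smtpd_recipient_restrictions, per the fatal.
REQUIRED_ANY = {"check_relay_domains", "reject_unauth_destination",
                "reject", "defer", "defer_if_permit"}


def parse_overrides(command_field):
    """Split like master(8): on whitespace, with no quoting. Collect the
    "-o name=value" pairs; anything else after the daemon name is stray."""
    argv = command_field.split()
    overrides, stray = {}, []
    args = iter(argv[1:])          # argv[0] is the daemon name (smtpd)
    for arg in args:
        if arg == "-o":
            name, _, value = next(args, "").partition("=")
            overrides[name] = value
        else:
            stray.append(arg)
    return overrides, stray


def restriction_terms(value):
    """smtpd splits a restriction list on commas and whitespace alike, so a
    restriction's argument (the policy server address) is just the next
    token; that is why a comma works as well as a space there."""
    return value.replace(",", " ").split()


def check_submission_entry(command_field):
    """Return (terms, stray_args, passes_fatal_check) for one command field."""
    overrides, stray = parse_overrides(command_field)
    terms = restriction_terms(overrides.get("smtpd_recipient_restrictions", ""))
    return terms, stray, bool(REQUIRED_ANY & set(terms))


# Constructed stand-ins for the entry in the thread (the real list is elided there).
BROKEN = ("smtpd -o smtpd_recipient_restrictions=permit_sasl_authenticated,"
          "check_policy_service inet:127.0.0.1:10031,reject")
FIXED = ("smtpd -o smtpd_recipient_restrictions=permit_sasl_authenticated,"
         "check_policy_service,inet:127.0.0.1:10031,reject")

if __name__ == "__main__":
    for label, entry in (("broken", BROKEN), ("fixed", FIXED)):
        terms, stray, ok = check_submission_entry(entry)
        print("%s: terms=%s stray=%s passes_check=%s" % (label, terms, stray, ok))
```

In the broken form the trailing "reject" is lost with the stray argument, which is precisely what the fatal error complains about; Postfix 3.0 and later also accept the brace form -o { name = value } in master.cf for values that contain whitespace, but on 2.9 the comma is the way.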
Re: Trouble configuring backup MX to reject unauth destination
Thinking about this, I might have been too specific in my question. At the fundamental level I would like to have 2 or more Postfix servers capable of receiving virtual mail for multiple domains, where one of the servers also handles relaying and local delivery. The rest should function as backup MX.

I've tried with relay_domains, but it matches on domain level which is too much. I then applied relay_recipient_maps, but it doesn't seem to have any effect, which means that addresses are still matched on domain basis. Every Postfix will have access to a complete list of recipients through MySQL.

So the question becomes two-part:

Why can't I get relay_recipient_maps to work?

How would you recommend to set up a backup MX? One obvious way is not to do it, but some of the mail is not mine, which is why I at least would like the option to run a backup MX.
Re: Trouble configuring backup MX to reject unauth destination
On Sat, 09 Feb 2013 10:25:31 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> ...
>
> Nothing wrong with this setup. It's very easy to configure, requires no third-party software or additional packages, and it's easy to understand where your mail goes. I expect that's why it's used as an example on the spamassassin wiki, and doesn't necessarily mean it's the recommended or preferred method. It's not necessarily the highest performance or the most flexible, but if it suits your needs, no need to change.
>
> Folks who need more usually pick some third-party filtering software that can run pre-queue as an smtpd_proxy_filter or milter. These are, without exception, more complicated than the setup you currently have. The big advantage of a pre-queue filter is you can safely REJECT unwanted mail. Amavisd-new is a popular choice for pre-queue filtering since it's fast, reliable, flexible, and can integrate both SpamAssassin and antivirus.
>
> -- Noel Jones

Sorry for the late response, it took some time to dig through all the information.

The use of pre-queue filtering would solve another problem I've been working on: what to do with mail from (user-)blacklisted senders. I plan on upgrading Debian's stable Postfix to the current stable version of 2.10 so I may benefit from postscreen, and that will probably be a good time to install amavisd-new as a pre-queue filter.

Thank you for the help once again.
Re: Trouble configuring backup MX to reject unauth destination
On Sat, 16 Feb 2013 12:39:24 +0100, DTNX Postmaster postmas...@dtnx.net wrote:

> On Feb 16, 2013, at 12:18, Titanus Eramius tita...@aptget.dk wrote:
>
>> I plan on upgrading Debian's stable Postfix to the current stable version of 2.10 so I may benefit from postscreen, and that will probably be a good time to install amavisd-new as a pre-queue filter.
>>
>> Thank you for the help once again.
>
> A possible shortcut to getting postscreen is using the 2.9.3 version available in the Debian backports repository. That's what we currently use, instead of building custom packages.
>
> HTH,
> Jona

Thank you for pointing out the obvious. I don't know why I didn't think of backports, but I will surely be using 2.9.3 from there instead of building from source.
Re: Trouble configuring backup MX to reject unauth destination
On Fri, 08 Feb 2013 21:54:02 +0100, Jeroen Geilman jer...@adaptr.nl wrote:

> On 02/08/2013 06:02 PM, Titanus Eramius wrote:
>> Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005 from=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk
>
> So you are...not re-injecting spamassassin traffic, but instead re-submitting it via sendmail ? That's weird.
>
>> Feb 7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607: to=a...@ubuntudanmark.dk, relay=spamassassin, delay=0.95, delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via spamassassin service)
>
> THIS is a send to spamassassin, but delayed in logging for almost a second. It looks very much as if you're doing in-line spamassassin checks, but then not re-injecting it via SMTP.
>
> Why are you doing such a strange thing ?

To be honest I've read quite a lot about Postfix, Dovecot, SA ..., but my experience is very limited and contained to about 3 months of running time. So SA is integrated as I found best after reading docs and guides, and it's more than likely it can be done in a better way. Normally though, the running time of SA is around ~200ms per text mail.

It's integrated as a content_filter on smtp like so:

smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin

And then on its own lines:

spamassassin unix -     n       n       -       -       pipe
  flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

The sendmail method seems to be preferred by the SA folks:
https://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix

All of those examples use sendmail. But again, in relation to Postfix, it might very well be possible to integrate SA in a better way. Maybe the method suggested by the docs on content_filters?
http://www.postfix.org/FILTER_README.html#advanced_filter
Re: Is a late header check possible?
On Thu, 07 Feb 2013 10:03:32 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> On 2/7/2013 8:58 AM, Titanus Eramius wrote:
>> I'm running SpamAssassin as a content_filter on incoming mail which adds 4 spam headers, one of them being X-Spam-Level:. The precise header varies, depending on the spam score. SpamAssassin adds one * for each spam point, so an example header could be:
>>
>> X-Spam-Level:
>>
>> I would like to have the ability to redirect mails with that header to an account where I can store them. So basically I *think* I'm asking if Postfix has a header_checks feature that runs after the content filters?
>
> I'll assume your content_filter reinjects mail to localhost:10025 after processing.
>
> Note: make sure your post-filter header checks don't ever reject mail. That would make you a backscatter source and get you blacklisted.
>
> The cleanest way to do this is a separate postfix instance (not just a master.cf listener service) that listens on 10025, with its own header_checks. This also gives the very nice benefit of separation between pre-filter and post-filter mail.
> http://www.postfix.org/MULTI_INSTANCE_README.html

Thank you for the reply Noel, it's very helpful as usual. The multi instance seems like the best solution, so I'll most likely go with that. And thanks for the warning.
Trouble configuring backup MX to reject unauth destination
Hi all

Please note that the last time I asked about the behavior of Postfix it turned out I had misunderstood the concept of relaying mail. It might be the case again.

I'm running the mailserver that serves this domain + a few others, the mailserver at ubuntudanmark.dk and the mailservers at nt-data.dk. So I'm running these servers, with this relation:

mx01.aptget.dk -- Not a backup MX
mx01.ubuntudanmark.dk -- Not a backup MX
mx01.nt-data.dk -- Backup MX for mx01.aptget.dk and mx01.ubuntudanmark.dk
mx02.nt-data.dk -- Backup MX for mx01.nt-data.dk

The setup is entirely virtual, using MySQL to store aliases, addresses etc.

The problem is, that *I think* the backup MXes can be used to spread backscatter. I routinely look at the Postfix logging, and found these entries yesterday from mx01.nt-data.dk:

---
titanus@ntdata:/var/log$ grep 048341743609 mail.log.1
Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005 from=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk
Feb 7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609: message-id=gi63z8-uskq93...@tdhhadcuneunhvooig.alumni.insead.edu
Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: from=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk, size=5268, nrcpt=1 (queue active)
Feb 7 22:12:48 ntdata postfix/smtp[30181]: 048341743609: to=a...@ubuntudanmark.dk, relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71, delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1 a...@ubuntudanmark.dk: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Feb 7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender non-delivery notification: B201D1743608
Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: removed
---

Then mx01.nt-data.dk tries to send a bounce to gmail:

---
Feb 7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608: to=jimmiedcu...@gmail.com, orig_to=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk, relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4, delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 bc7si9536557lbb.184 - gsmtp (in reply to RCPT TO command))
---

The address a...@ubuntudanmark.dk does not exist - neither at mx01.nt-data.dk nor at mx01.ubuntudanmark.dk, so I would like mx01.nt-data.dk to reject messages to it. I've tried with other non-existent addresses through telnet, and mx01.nt-data.dk accepts them, as long as they are to one of the backup domains, and then bounces them (so currently they are disabled in the database).

Following is postconf -n, the content of the 2 relay_* MySQL files, and the structure of their database. If more is needed, then please let me know and I'll include it. Any pointers, examples or explanations will be appreciated. I've read in the documentation for virtual hosting and backup MXes, but the answer seems to evade me.

Thanks

ntdata:/etc/postfix# postconf -n
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
inet_interfaces = all
maximal_queue_lifetime = 15
myhostname = ntdata.nt-data.dk
mynetworks = 127.0.0.0/8
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
relay_domains = proxy:mysql:/etc/postfix/relay_domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/relay_recipient_maps.cf
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client truncate.gbudb.net, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source =
Re: Trouble configuring backup MX to reject unauth destination
On Fri, 8 Feb 2013 09:45:07 -0600, /dev/rob0 r...@gmx.co.uk wrote:

> [snip]
>> ---
>> titanus@ntdata:/var/log$ grep 048341743609 mail.log.1
>> Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005 from=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk
>
> pickup(8) picks up mail which was sent via sendmail(1). This is a local/system user's process (UID 5005, specifically) sending the mail.
>
> Your misunderstanding this time seems to be that you think it came from the network and could thus be rejected.
>
> If this seems to be some kind of abuse, it could be that something you're running on the server has been compromised; web/php scripts being the most common vector.

I'm sorry, UID 5005 is SpamAssassin. The grep command didn't get all the lines, so here they are:

---
Feb 7 22:12:46 ntdata postfix/smtpd[30171]: connect from c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]
Feb 7 22:12:47 ntdata postfix/smtpd[30171]: 39E441743607: client=c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]
Feb 7 22:12:47 ntdata postfix/cleanup[30176]: 39E441743607: message-id=gi63z8-uskq93...@tdhhadcuneunhvooig.alumni.insead.edu
Feb 7 22:12:47 ntdata postfix/qmgr[20252]: 39E441743607: from=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk, size=2182, nrcpt=1 (queue active)
Feb 7 22:12:47 ntdata spamd[6887]: spamd: connection from localhost.localdomain [127.0.0.1] at port 58896
Feb 7 22:12:47 ntdata spamd[6887]: spamd: processing message gi63z8-uskq93...@tdhhadcuneunhvooig.alumni.insead.edu for a...@ubuntudanmark.dk:5005
Feb 7 22:12:47 ntdata postfix/smtpd[30171]: disconnect from c-50-151-186-224.hsd1.in.comcast.net[50.151.186.224]
Feb 7 22:12:48 ntdata spamd[6887]: spamd: identified spam (11.6/5.0) for a...@ubuntudanmark.dk:5005 in 0.4 seconds, 2200 bytes.
Feb 7 22:12:48 ntdata spamd[6887]: spamd: result: Y 11 - FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_DYNAMIC,SPF_FAIL scantime=0.4,size=2200,user=a...@ubuntudanmark.dk,uid=5005,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=58896,mid=gi63z8-uskq93...@tdhhadcuneunhvooig.alumni.insead.edu,autolearn=no
Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005 from=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk
Feb 7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607: to=a...@ubuntudanmark.dk, relay=spamassassin, delay=0.95, delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via spamassassin service)
Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 39E441743607: removed
Feb 7 22:12:48 ntdata postfix/cleanup[30176]: 048341743609: message-id=gi63z8-uskq93...@tdhhadcuneunhvooig.alumni.insead.edu
Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: from=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk, size=5268, nrcpt=1 (queue active)
Feb 7 22:12:48 ntdata spamd[6886]: prefork: child states: II
Feb 7 22:12:48 ntdata postfix/smtp[30181]: certificate verification failed for mx01.ubuntudanmark.dk[31.192.231.5]:25: self-signed certificate
Feb 7 22:12:48 ntdata postfix/smtp[30181]: 048341743609: to=a...@ubuntudanmark.dk, relay=mx01.ubuntudanmark.dk[31.192.231.5]:25, delay=0.71, delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host mx01.ubuntudanmark.dk[31.192.231.5] said: 550 5.1.1 a...@ubuntudanmark.dk: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Feb 7 22:12:48 ntdata postfix/cleanup[30176]: B201D1743608: message-id=20130207211248.b201d1743...@ntdata.nt-data.dk
Feb 7 22:12:48 ntdata postfix/bounce[30182]: 048341743609: sender non-delivery notification: B201D1743608
Feb 7 22:12:48 ntdata postfix/qmgr[20252]: B201D1743608: from=, size=7699, nrcpt=1 (queue active)
Feb 7 22:12:48 ntdata postfix/qmgr[20252]: 048341743609: removed
Feb 7 22:12:49 ntdata postfix/smtp[30183]: certificate verification failed for gmail-smtp-in.l.google.com[173.194.71.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Feb 7 22:12:52 ntdata postfix/smtp[30183]: B201D1743608: to=jimmiedcu...@gmail.com, orig_to=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk, relay=gmail-smtp-in.l.google.com[173.194.71.26]:25, delay=3.4, delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.71.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 bc7si9536557lbb.184 - gsmtp (in reply to RCPT TO command))
Feb 7 22:12:52 ntdata postfix/qmgr[20252]: B201D1743608: removed
---

> [snip]
> FWIW, generally a backup MX is a bad idea. Why did you want it?
> [snip]

Yeah, I start to see why. nt-data is my (soon to be) hosting company, and when handling other people's mail, I think it's wise to have some sort of a backup system in place. I've been searching high and low for
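The pattern in these logs (a message accepted and queued by the backup MX, rejected by the primary with 5.1.1 "User unknown" at RCPT TO time, and a non-delivery notification then sent out to the envelope sender) can be flagged from the logs themselves. The Python below is an added example, not code from this thread: it parses Postfix log lines, correlates each queue id with its deliveries and the bounce it generated, and follows the message-id back to the smtpd client the message was originally accepted from; the sample log, hosts, addresses and queue ids are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in this thread; hosts,
# addresses and queue ids are placeholders, not the list poster's real data.
SAMPLE_LOG = """\
Feb  7 22:12:47 mxbackup postfix/smtpd[30171]: 39E441743607: client=dyn-host.example.net[192.0.2.10]
Feb  7 22:12:47 mxbackup postfix/cleanup[30176]: 39E441743607: message-id=<abc123@spammer.example.net>
Feb  7 22:12:47 mxbackup postfix/qmgr[20252]: 39E441743607: from=<someone@example.com>, size=2182, nrcpt=1 (queue active)
Feb  7 22:12:48 mxbackup postfix/pipe[30177]: 39E441743607: to=<nobody@primary.example.org>, relay=spamassassin, delay=0.95, delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via spamassassin service)
Feb  7 22:12:48 mxbackup postfix/pickup[24843]: 048341743609: uid=5005 from=<someone@example.com>
Feb  7 22:12:48 mxbackup postfix/cleanup[30176]: 048341743609: message-id=<abc123@spammer.example.net>
Feb  7 22:12:48 mxbackup postfix/qmgr[20252]: 048341743609: from=<someone@example.com>, size=5268, nrcpt=1 (queue active)
Feb  7 22:12:48 mxbackup postfix/smtp[30181]: 048341743609: to=<nobody@primary.example.org>, relay=mx01.primary.example.org[198.51.100.5]:25, delay=0.71, delays=0/0.04/0.17/0.5, dsn=5.1.1, status=bounced (host mx01.primary.example.org[198.51.100.5] said: 550 5.1.1 <nobody@primary.example.org>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Feb  7 22:12:48 mxbackup postfix/bounce[30182]: 048341743609: sender non-delivery notification: B201D1743608
Feb  7 22:12:48 mxbackup postfix/qmgr[20252]: B201D1743608: from=<>, size=7699, nrcpt=1 (queue active)
Feb  7 22:12:52 mxbackup postfix/smtp[30183]: B201D1743608: to=<someone@example.com>, relay=mail.example.com[203.0.113.25]:25, delay=3.4, delays=0.01/0.01/0.29/3, dsn=5.1.1, status=bounced (host mail.example.com[203.0.113.25] said: 550 5.1.1 The email account that you tried to reach does not exist (in reply to RCPT TO command))
Feb  7 22:15:00 mxbackup postfix/smtp[30190]: 1A2B3C4D5E6F: to=<alice@primary.example.org>, relay=mx01.primary.example.org[198.51.100.5]:25, delay=0.5, delays=0/0.01/0.1/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B4A)
"""

LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
FROM_RE = re.compile(r"\bfrom=<?([^>,\s]*)>?")
TO_RE = re.compile(r"\bto=<?([^>,\s]+)>?")
RELAY_RE = re.compile(r"\brelay=([^,\s\[]+)")
DSN_RE = re.compile(r"\bdsn=(\d\.\d+\.\d+)")
STATUS_RE = re.compile(r"\bstatus=(\w+)")
NDN_RE = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")
CLIENT_RE = re.compile(r"\bclient=(\S+)")
MSGID_RE = re.compile(r"\bmessage-id=<?([^>\s]*)>?")
# Delivery agents that never leave this host; a 5.x.x from these is not a remote rejection.
LOCAL_TRANSPORTS = {"spamassassin", "dovecot", "local", "virtual"}


def new_record():
    return {"sender": None, "client": None, "message_id": None, "deliveries": [], "bounce_id": None}


def parse_postfix_log(text):
    """Group the facts needed for the check per queue id."""
    msgs = defaultdict(new_record)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:                      # connect/disconnect and TLS lines carry no queue id
            continue
        rec, prog, rest = msgs[m["qid"]], m["prog"], m["rest"]
        if prog == "smtpd":            # network client the message was accepted from
            c = CLIENT_RE.search(rest)
            if c:
                rec["client"] = c.group(1)
        elif prog == "cleanup":        # message-id survives re-injection via sendmail(1)
            i = MSGID_RE.search(rest)
            if i:
                rec["message_id"] = i.group(1)
        elif prog in ("pickup", "qmgr"):
            f = FROM_RE.search(rest)
            if f and rec["sender"] is None:
                rec["sender"] = f.group(1)
        elif prog == "bounce":
            n = NDN_RE.search(rest)
            if n:
                rec["bounce_id"] = n.group(1)
        else:                          # delivery agents: smtp, pipe, lmtp, local, virtual
            to, relay, dsn, status = (r.search(rest) for r in (TO_RE, RELAY_RE, DSN_RE, STATUS_RE))
            if to and status:
                rec["deliveries"].append({"to": to.group(1),
                                          "relay": relay.group(1) if relay else "",
                                          "dsn": dsn.group(1) if dsn else "",
                                          "status": status.group(1)})
    return dict(msgs)


def find_backscatter(msgs):
    """A backscatter event: we queued a message, a downstream host rejected it with a
    5.x.x at delivery time, and we then generated a non-delivery notification for it."""
    by_msgid = defaultdict(list)
    for qid, rec in msgs.items():
        if rec["message_id"]:
            by_msgid[rec["message_id"]].append(qid)
    findings = []
    for qid, rec in sorted(msgs.items()):
        if not rec["bounce_id"]:
            continue
        for d in rec["deliveries"]:
            if d["status"] != "bounced" or not d["dsn"].startswith("5.") or d["relay"] in LOCAL_TRANSPORTS:
                continue
            # The queue id that came in over the network is where RCPT TO should have been refused.
            client = next((msgs[q]["client"] for q in by_msgid.get(rec["message_id"], []) if msgs[q]["client"]), None)
            ndn = msgs.get(rec["bounce_id"], new_record())
            findings.append({"queue_id": qid, "sender": rec["sender"], "recipient": d["to"],
                             "rejected_by": d["relay"], "accepted_from": client,
                             "bounce_id": rec["bounce_id"],
                             "bounce_status": next((x["status"] for x in ndn["deliveries"]), "queued")})
    return findings


if __name__ == "__main__":
    for f in find_backscatter(parse_postfix_log(SAMPLE_LOG)):
        print(f"{f['queue_id']}: accepted from {f['accepted_from']} for <{f['recipient']}>, "
              f"rejected by {f['rejected_by']}, bounce {f['bounce_id']} -> {f['bounce_status']}")
```

Each finding names a recipient the backup MX accepted but the primary does not know, which is exactly what a working relay_recipient_maps lookup would have refused at RCPT TO time.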
Is a late header check possible?
I'm running SpamAssassin as a content_filter on incoming mail which adds 4 spam headers, one of them being X-Spam-Level:. The precise header varies, depending on the spam score. SpamAssassin adds one * for each spam point, so an example header could be:

X-Spam-Level:

I would like to have the ability to redirect mails with that header to an account where I can store them. So basically I *think* I'm asking if Postfix has a header_checks feature that runs after the content filters?

Thanks

titanus@ntdata:/etc/postfix$ sudo postconf -n (mail_version = 2.7.1)
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
inet_interfaces = all
maximal_queue_lifetime = 15
myhostname = ntdata.nt-data.dk
mynetworks = 127.0.0.0/8
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
relay_domains = proxy:mysql:/etc/postfix/relay_domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/relay_recipient_maps.cf
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain reject_rbl_client truncate.gbudb.net permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000
Re: slow down deferred destination
On Tue, 29 Jan 2013 08:30:05 +0000, James Griffin jmz.grif...@kode5.net wrote:

> * Birta Levente blevi.li...@gmail.com [2013-01-29 10:18:15 +0200]:
>> Hi all
>>
>> How can I slow down deliveries to a specified domain after temporary deferral? I have a list for marketing purposes and 2/3 of the subscribed users are on yahoo.
>
> This was discussed recently on the list, perhaps have a look at some of the responses given to the person who asked about this before.

It's this one
http://postfix.1071664.n5.nabble.com/Balancing-destination-concurrency-rate-delay-td54147.html
Re: Integration of content filter in master.cf
On Tue, 08 Jan 2013 16:24:11 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> On 1/8/2013 4:11 PM, Titanus Eramius wrote:
>> I've had some trouble seeing the difference between -o overrides in main.cf and master.cf, but this really helps.
>
> main.cf parameters are used by all postfix services (but not all parameters apply to all services). Individual services defined in master.cf can override main.cf settings with -o ... options.
>
> http://www.postfix.org/postconf.5.html
> http://www.postfix.org/master.5.html
>
> -- Noel Jones

Sorry for the delayed answer, it took some time to adjust the server to match the advice I got, but everything seems to run better than ever, so thanks for the help again. Some day one really ought to read the entire postconf(5) manual to get a sense of what Postfix is capable of, but so far I've only read about the settings I use.

If I may ask one last thing, just to be sure. To integrate SpamAssassin I adjusted the smtp line in master.cf to

---
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
---

and then disallowed submission on port 25. In main.cf I have 7 reject_* lines like so

---
smtpd_recipient_restrictions =
    ...
    reject_invalid_helo_hostname
    reject_unknown_sender_domain
    ...
    permit
---

Will the reject_* rules still apply to incoming mail before Postfix hands it over to SpamAssassin?
Re: Integration of content filter in master.cf
On Tue, 08 Jan 2013 23:59:31 +0100, mouss mo...@ml.netoyen.net wrote:

>> This raises the question (or at least I think it does), if it's possible to force the users onto 587 by denying relay access to 25?
>
> fix the problem at the source: force the client to do the work: use different services for different uses:
>
> [MX service]
> port: 25
> example DNS name: mx01.example.com
> = no relay
> virus and spam filtering...
>
> [submission service]
> example DNS name: smtp01.example.com
> port 587. if this is hard, port 25 with a specific IP is ok.
> SASL auth. when not desirable, IP based access control (though this may be implemented outside of postfix, such as on a firewall)
> virus filtering
> rate limit and custom checks as needed.
>
> [reverse MX]
> example DNS name: mailrelay01.example.com
> in small setups, this could be the same service as the submission one. in larger setups, make this dedicated. it'll take the complexity of mail routing and caching (retry).
>
> ...

Thank you for the insights; together with a subdomain for the Dovecot IMAP service they have all been implemented, so I later may split the services to multiple servers. However I'm not sure I understand the reverse MX part very well, perhaps I could trouble you for a link where I could do some reading on the subject?
Integration of content filter in master.cf
I'm a little unsure about best practice here, hence the question.

Running /usr/sbin/spamd from the SpamAssassin package to scan mail, I've integrated it into /etc/postfix/master.cf with the following lines

---
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -     n       n       -       -       pipe
  flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
---

And then in /etc/postfix/main.cf there's added the line

---
spamassassin_destination_recipient_limit = 1
---

However, this scans both incoming and outgoing mail, but for outgoing I plan on using rate limiting to avoid spamming the net (too much), in case an account gets hacked. So I searched the web, and constructed this alternative to use in master.cf

---
26        inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
smtp      inet  n       -       n       -       -       smtpd
---

Using iptables, all incoming connections to port 25 could then be directed to port 26. The server only has one IP address.

The question then is, is this a practical solution, or can it be done smarter, for example with less work and without using iptables, or maybe some other way entirely?
Re: Integration of content filter in master.cf
On Tue, 08 Jan 2013 12:39:58 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> On 1/8/2013 10:47 AM, Titanus Eramius wrote:
>> I'm a little unsure about best practice here, hence the question.
>> ...
>> The question then is, is this a practical solution, or can it be done smarter, for example with less work and without using iptables, or maybe some other way entirely?
>
> Using iptables to separate traffic is a reasonable solution. Probably a good idea to add a comment to master.cf documenting what you've done.
>
> The more typical way to do this is for local mail to use the submission port 587. Sometimes folks redirect port 25 on the local network to 587 as a migration aid.
>
> -- Noel Jones

OK, but using submission more or less removes the problem with SpamAssassin. Thank you for the pointer, I'll be sure to use 587 for relaying from the users.

This raises the question (or at least I think it does), if it's possible to force the users onto 587 by denying relay access to 25?
Re: Integration of content filter in master.cf
On Tue, 8 Jan 2013 20:29:30 +0100, DTNX Postmaster postmas...@dtnx.net wrote:

> ...
>> The more typical way to do this is for local mail to use the submission port 587. Sometimes folks redirect port 25 on the local network to 587 as a migration aid.
>
> This. Using the submission port is highly recommended, as it avoids all kinds of trouble, such as access providers blocking port 25. It also allows you to tailor each service to its specific needs; postscreen on 25, required authentication plus TLS and rate limiting on 587, and so on.
>
> HTH,
> Jona

Thank you for the pointer on submission, I'll be sure to make use of it. But it raises a question (like I wrote in the reply to Noel), and that is (as far as I know) that I need to ensure the use of 587 so users can't go around rate limiting on 587 by using 25 for relaying. Would such a thing be possible to do?
Re: Integration of content filter in master.cf
On Tue, 08 Jan 2013 22:06:26 +0100, Reindl Harald h.rei...@thelounge.net wrote:

> On 08.01.2013 21:48, Titanus Eramius wrote:
>> This raises the question (or at least I think it does), if it's possible to force the users onto 587 by denying relay access to 25?
>
> it's more a human problem than a technical one to force a large amount of users to change their for a long time wrong usage of port 25
>
> submission inet n       -       n       -       50      smtpd
>   -o smtpd_client_connection_count_limit=15
>   -o smtpd_client_connection_rate_limit=80
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_delay_reject=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o max_idle=1h
>   -o max_use=500
>
> remove permit_sasl_authenticated at the same time from main.cf and you should be more or less done, but as said. how to explain all users that their config is wrong since the first day they are using it

Thankfully I still have a few months before I start to have actual customers, so this is my one chance to avoid some of the common problems. But I suspect you might be right with 587 anyway, because at least this client (Claws Mail) uses 25 as the standard port when sending through POP.

Thank you for the example to deactivate client relaying through 25. I think this solves my problem, so thanks again for the replies.
Re: Integration of content filter in master.cf
On Tue, 08 Jan 2013 15:54:41 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> ...
>> This raises the question (or at least I think it does), if it's possible to force the users onto 587 by denying relay access to 25?
>
> It's certainly possible to prevent relaying via port 25, and many sites do so. The choice is a local policy decision; do what fits your needs best.
>
> Typically this is done by giving submission and port 25 different settings via master.cf -o ... overrides. A quick incomplete example:
>
> # main.cf
> mynetworks = 127.0.0.1
> submission_mynetworks = 127.0.0.1, 192.168.0.0/16
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>     ... anti-spam controls ...
> submission_smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject
>
> # master.cf
> submission inet n       -       n       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o mynetworks=$submission_mynetworks
>   -o smtpd_recipient_restrictions=$submission_smtpd_recipient_restrictions
>   ... more -o overrides ...
>
> Common variations are to require sasl AUTH on the submission port by removing permit_mynetworks, and to require TLS with AUTH by using -o smtpd_tls_auth_only=yes.
>
> -- Noel Jones

Thank you for the additional information, it's very helpful in the understanding of Postfix. I've had some trouble seeing the difference between -o overrides in main.cf and master.cf, but this really helps.
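A quick way to check that the port-25 and submission services really end up with the split policy discussed in this thread (no SASL relaying on 25, SASL plus TLS plus a final reject on 587), assuming the master.cf -o override pattern above: an added example, not code from the thread or from Postfix, that parses main.cf and master.cf text, resolves each smtpd service's effective value (override, else main.cf, with $name expansion) and reports the weaknesses. The config texts are constructed, the service names smtp/submission are assumed, and the check is a simplified lint for the pre-2.10 style where relay policy lives in smtpd_recipient_restrictions, not a replacement for postconf.

```python
import re

# Constructed example configs (not the list poster's or Noel's exact files);
# networks and service names are placeholders.
WEAK_MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""
WEAK_MASTER_CF = """\
smtp       inet  n  -  n  -  -   smtpd
submission inet  n  -  n  -  -   smtpd
"""
HARDENED_MAIN_CF = """\
mynetworks = 127.0.0.0/8
submission_mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
submission_smtpd_recipient_restrictions = permit_sasl_authenticated, reject
"""
HARDENED_MASTER_CF = """\
smtp       inet  n  -  n  -  -   smtpd
  -o content_filter=spamassassin
submission inet  n  -  n  -  50  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o mynetworks=$submission_mynetworks
  -o smtpd_recipient_restrictions=$submission_smtpd_recipient_restrictions
"""


def parse_main_cf(text):
    """main.cf: 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def parse_master_cf(text):
    """master.cf: 8 fields per service line (name type private unpriv chroot wakeup
    maxproc command); indented '-o name=value' lines override main.cf for that service."""
    services, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if m and cur:
                services[cur]["overrides"][m.group(1)] = m.group(2).strip()
            continue
        f = line.split()
        if len(f) >= 8:
            cur = f[0]
            services[cur] = {"type": f[1], "command": f[7], "overrides": {}}
    return services


def expand(value, params):
    """One level of $name / ${name} expansion against main.cf, as the -o values above rely on."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)


def effective(svc, name, params, default=""):
    """The value a service actually runs with: -o override, else main.cf, else the given default."""
    return expand(svc["overrides"].get(name, params.get(name, default)), params)


def restrictions(value):
    return [t for t in re.split(r"[,\s]+", value) if t]


def lint_relay_policy(main_cf, master_cf):
    """Return (service, problem) pairs for the port-25 / submission split."""
    params, services = parse_main_cf(main_cf), parse_master_cf(master_cf)
    findings = []
    for name, svc in services.items():
        if svc["command"] != "smtpd" or svc["type"] != "inet":
            continue
        rr = restrictions(effective(svc, "smtpd_recipient_restrictions", params))
        if name == "smtp":             # the MX service: accept for local domains only
            if "permit_sasl_authenticated" in rr:
                findings.append((name, "permit_sasl_authenticated still relays for SASL users on port 25"))
            if "reject_unauth_destination" not in rr and "reject" not in rr:
                findings.append((name, "no reject_unauth_destination: open relay"))
        elif name == "submission":     # the client service: authenticated users only
            if effective(svc, "smtpd_sasl_auth_enable", params, "no") != "yes":
                findings.append((name, "smtpd_sasl_auth_enable is not yes"))
            if "permit_sasl_authenticated" not in rr or (rr and rr[-1] != "reject"):
                findings.append((name, "restrictions should be permit_sasl_authenticated ... reject"))
            if effective(svc, "smtpd_tls_auth_only", params, "no") != "yes":
                findings.append((name, "smtpd_tls_auth_only not set: passwords may travel in the clear"))
    return findings


if __name__ == "__main__":
    for label, mc, ms in (("weak", WEAK_MAIN_CF, WEAK_MASTER_CF),
                          ("hardened", HARDENED_MAIN_CF, HARDENED_MASTER_CF)):
        print(label, lint_relay_policy(mc, ms) or "OK")
```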
Happy holidays to all
Hi list

I would like to express my gratitude to all the people on this list, who help new folks like me to run a mailserver. Especially Wietse I would like to thank, for making Postfix possible. I can't really imagine using anything else.

So thank you all and happy holidays.

Cheers, Titanus
Re: RoundCube vs squirrelmail (pros and cons)
On Thu, 27 Dec 2012 11:00:34 -0500, Robert Moskowitz r...@htt-consult.com wrote:

> On 12/27/2012 01:38 AM, Muhammad Yousuf Khan wrote:
>> I want a web interface for our email access. To me roundcube seems more attractive/better than squirrel-mail (look wise), however I don't want to overlook better options/features if there are any in squirrelmail. So my question to all the users who have experience with both UIs: would you please suggest which one to pick and which one is good/better/stable to use?
>
> There was a recent thread on this over on the Centos list, and Roundcube was strongly preferred.

It seems that my search fu is low today, could I please trouble you for a link?

Thanks
Re: Postfix used as End to End and relaying to external SMTP server based on FROM address (possible?)
On Sun, 16 Dec 2012 17:18:38 -0500, ashleygriffin.ca - Contact cont...@ashleygriffin.ca wrote:

> Hi
>
> Just so I understand this, what this really means is after version v2.03, and I have version v2.10?

Some more general reading on the subject could include Wikipedia
https://en.wikipedia.org/wiki/Versioning

Cheers
Re: SASL auth and (local) relaying through telnet
On Sun, 09 Dec 2012 16:37:12 +0100, mouss mo...@ml.netoyen.net wrote:

> humour mew :) you like cats too? or is it the pipe that you like?
>
> $ sudo grep /var/log/mail.log
>
> saves a few keystrokes

For some odd reason I kinda do. Maybe it's the concept of a data pipe itself, but I imagine I from now on am too lazy to use it together with grep :)

/humour

>> If at all possible, I would like the system not to accept the mail.
>
> why not? because you sent it using the telnet client program? there is no fundamental difference between mail sent using a standard MUA (thunderbird, outlook, ...) or a program such as telnet, netcat, ... or a script using perl, python, php, ...
>
> and no, spammers do not use the telnet program. that would be too slow! they (generally) use spam bots, which can send mass mails in a short time. trying to detect such bots is the subject of anti-spam measures such as postscreen, greylisting, spam filters (that look for specific headers or other).

I see. It makes plenty of sense, and yes, of course this could be scripted as well, I just thought the example with telnet was easy to illustrate. It might just be me and my wicked way of thinking that made me ask this question, but I'm glad I did even though the premise was wrong, since I learned some new things.

Thanks for all the replies.

Cheers
Re: SASL auth and (local) relaying through telnet
On Thu, 6 Dec 2012 20:32:17 -0600, /dev/rob0 r...@gmx.co.uk wrote:

> On Fri, Dec 07, 2012 at 01:23:21AM +0100, Titanus Eramius wrote:
>> My highest concern is to set up an open relay by accident, so in the process I've used an online anti-spam tester several times: http://www.antispam-ufrj.pads.ufrj.br/test-relay.html
>
> That need not be your highest concern.

Thanks for the reply. I am not sure I follow here, could you please elaborate a bit?

> ...
> Your munging makes it hard to say for sure, but I'm going to go out on a limb and venture a guess that you host my_domain.tld on this Postfix. That's not what relaying means. That's accepting for delivery. Relaying means taking mail for some OTHER site and sending it on for the client.
>
> What exactly are you trying to prevent here?
> ...
> So? Your telnet was to port 25.

Yes, sorry about the munging and the inconsistency, I'm not sure why I did that. I see your point about submission and port 25, and I guess I still have some learning to do. Thanks for the pointer.

In that light I realize my question is wrong, and I hope instead the following example might help to show what I mean. The example is without munging, and Postfix accepts a mail through telnet, and locally hands it over to Dovecot, which in turn delivers the mail. The delivery address exists on the server, and if it doesn't, then Postfix says "Recipient address rejected: User unknown in virtual mailbox table" just as it says "Relay access denied" if I try to relay mail through Postfix.

$ dig nt-data.dk mx
;; ANSWER SECTION:
nt-data.dk.             5860    IN      MX      10 mx01.nt-data.dk.
...
mx01.nt-data.dk.        5860    IN      A       94.247.168.138
...

titanus@asrock:~$ telnet 94.247.168.138 25
Trying 94.247.168.138...
Connected to 94.247.168.138.
Escape character is '^]'.
220 ntdata.nt-data.dk ESMTP Postfix
EHLO fake
250-ntdata.nt-data.dk
250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:s...@veryfakeaddress548562.tld
250 2.1.0 Ok
RCPT TO:m...@nt-data.dk
250 2.1.5 Ok
DATA
354 End data with CRLF.CRLF
content here
.
250 2.0.0 Ok: queued as EDB151746A80
quit
221 2.0.0 Bye
Connection closed by foreign host.

The maillog on the server looks like this:

titanus@ntdata:~$ sudo cat /var/log/mail.log | grep EDB151746A80
Dec 7 17:51:38 ntdata postfix/smtpd[26112]: EDB151746A80: client=unknown[92.243.255.38]
Dec 7 17:51:51 ntdata postfix/cleanup[26118]: EDB151746A80: message-id=
Dec 7 17:51:51 ntdata postfix/qmgr[3981]: EDB151746A80: from=SRS0=QfAL=KB=veryfakeaddress548562.tld=s...@nt-data.dk, size=396, nrcpt=1 (queue active)
Dec 7 17:51:51 ntdata postfix/pipe[26119]: EDB151746A80: to=m...@nt-data.dk, relay=dovecot, delay=36, delays=36/0.01/0/0.17, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 7 17:51:51 ntdata postfix/qmgr[3981]: EDB151746A80: removed

If at all possible, I would like the system not to accept the mail.

Cheers
SASL auth and (local) relaying through telnet
I'm not entirely sure how to formulate this question best in English, so please bear with me.

In the past 6 months I've set up several Postfix 2.7.1 servers, which use Dovecot as LDA and as SASL auth. One of them runs this domain, but they are still in testing.

My highest concern is to set up an open relay by accident, so in the process I've used an online anti-spam tester several times: http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

It has always (and still does) reported the servers to reject relaying. I therefore thought it was only possible to relay mail through the servers if a valid username (an active email address) and a password were given to the server (unless it's a system user logged in through ssh). That is how I would like the servers to behave.

However, trying to learn a little I played around with telnet from my computer today, and was able to relay mail through the servers from the internet, without having to log in. It appears though, that it's only possible to relay mail if the server holds the address in the database, which suggests that the servers are only open to some limited backscatter, since the recipient address has to be known and given to Postfix. Some testing seems to support this. Even so, I would like Postfix to deny relaying in this case also, if at all possible.

A telnet session goes like this, on either the server containing my_address or the backup MX:

$ telnet X.X.X.X 25
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
220 machinename.domain.tld ESMTP Postfix
EHLO fake-name.domain.tld
250-machinename.domain.tld
250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
$ MAIL FROM:s...@dont-exists.tld
250 2.1.0 Ok
$ RCPT TO:my_address@my_domain.tld
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Test something
.
250 2.0.0 Ok: queued as 3653E371BAA1
quit
221 2.0.0 Bye
Connection closed by foreign host.

Then grep'ing the query ID from the log gives 5 lines:

Dec 6 23:30:40 machinename postfix/smtpd[3184]: 3653E371BAA1: client=unknown[my wan-IP]
Dec 6 23:30:51 machinename postfix/cleanup[3557]: 3653E371BAA1: message-id=
Dec 6 23:30:51 machinename postfix/qmgr[4628]: 3653E371BAA1: from=SRS0=nFZn=KA=dont-exists.tld=spam@my_domin.tld, size=379, nrcpt=1 (queue active)
Dec 6 23:30:51 machinename postfix/pipe[3577]: 3653E371BAA1: to=my_address@my_domain.tld, relay=dovecot, delay=56, delays=56/0/0/0, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 6 23:30:51 machinename postfix/qmgr[4628]: 3653E371BAA1: removed

And the mail is indeed delivered.

In master.cf the submission part looks like this:

submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

And postconf -n on the server my_address gives:

alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
inet_interfaces = all
maximal_queue_lifetime = 15
myhostname = machinename.my_domain.tld
mynetworks = 127.0.0.0/8
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination warn_if_reject reject_invalid_helo_hostname warn_if_reject reject_non_fqdn_helo_hostname warn_if_reject reject_non_fqdn_sender warn_if_reject reject_non_fqdn_recipient warn_if_reject reject_unknown_sender_domain warn_if_reject reject_unknown_recipient_domain warn_if_reject reject_rbl_client truncate.gbudb.net check_policy_service unix:private/spfcheck permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
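The distinction drawn in the reply above, accepting mail for a hosted domain versus relaying it on for another site, can be read straight from the log. The following is an added example, not code from the thread: it groups mail.log records by queue ID and flags deliveries to an outside host from clients that neither authenticated nor came from $mynetworks. The first record set mirrors the post; the other two, the transport names and the addresses are constructed assumptions.

```python
"""Group Postfix mail.log records by queue ID and tell local delivery from relaying.

Added example, not from the thread. Records for 3653E371BAA1 mirror the post;
AAAA00000001 (unauthenticated) and BBBB00000002 (SASL) are constructed to
show relaying to another site. Hostnames and addresses are made up.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (first record set adapted from the post above).
SAMPLE_LOG = """\
Dec 6 23:30:40 machinename postfix/smtpd[3184]: 3653E371BAA1: client=unknown[203.0.113.7]
Dec 6 23:30:51 machinename postfix/qmgr[4628]: 3653E371BAA1: from=<spam@my_domain.tld>, size=379, nrcpt=1 (queue active)
Dec 6 23:30:51 machinename postfix/pipe[3577]: 3653E371BAA1: to=<my_address@my_domain.tld>, relay=dovecot, delay=56, delays=56/0/0/0, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 6 23:30:51 machinename postfix/qmgr[4628]: 3653E371BAA1: removed
Dec 6 23:40:02 machinename postfix/smtpd[3190]: AAAA00000001: client=unknown[203.0.113.7]
Dec 6 23:40:05 machinename postfix/smtp[3601]: AAAA00000001: to=<someone@example.net>, relay=mail.example.net[198.51.100.25]:25, delay=3, delays=1/0/1/1, dsn=2.0.0, status=sent (250 Ok)
Dec 6 23:45:00 machinename postfix/smtpd[3195]: BBBB00000002: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=user@my_domain.tld
Dec 6 23:45:03 machinename postfix/smtp[3602]: BBBB00000002: to=<friend@example.org>, relay=mx.example.org[198.51.100.30]:25, delay=3, delays=1/0/1/1, dsn=2.0.0, status=sent (250 Ok)
"""

# Transports that deliver into a mailbox on this machine (assumption: the
# Dovecot LDA pipe service in master.cf is named "dovecot", as in the post).
LOCAL_RELAYS = {"dovecot", "local", "virtual"}
# $mynetworks from the postconf -n output above: these clients may relay.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

CLIENT_RE = re.compile(r": (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
DELIVERY_RE = re.compile(
    r": (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]+)>, relay=(?P<relay>[^,]+), .*status=(?P<status>\w+)")


def parse_log(text):
    """Collect the connecting client, SASL user and delivery records per queue ID."""
    msgs = defaultdict(lambda: {"client": None, "sasl_user": None, "deliveries": []})
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            rec = msgs[m.group("qid")]
            rec["client"] = m.group("client")
            s = SASL_RE.search(line)
            rec["sasl_user"] = s.group("user") if s else None
        elif m := DELIVERY_RE.search(line):
            msgs[m.group("qid")]["deliveries"].append(
                (m.group("to"), m.group("relay"), m.group("status")))
    return dict(msgs)


def client_ip(client):
    """Extract the address from Postfix's name[addr] form; None if absent."""
    m = re.search(r"\[(?:IPv6:)?([^\]]+)\]", client or "")
    return ipaddress.ip_address(m.group(1)) if m else None


def classify(rec):
    """Local delivery is not relaying; relaying without SASL auth and from
    outside $mynetworks is what an open relay looks like in the log."""
    if not rec["deliveries"]:
        return "no delivery logged"
    relays = {relay.split("[")[0] for _, relay, _ in rec["deliveries"]}
    if relays <= LOCAL_RELAYS:
        return "local delivery"
    if rec["sasl_user"]:
        return "authenticated relay"
    ip = client_ip(rec["client"])
    if ip is not None and any(ip in net for net in MYNETWORKS):
        return "relay from mynetworks"
    return "UNAUTHENTICATED RELAY"


def audit(text):
    """Map each queue ID in the log text to its classification."""
    return {qid: classify(rec) for qid, rec in parse_log(text).items()}
```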
Re: Sending of several delayed warnings
On Mon, 19 Nov 2012 08:47:35 -0500 (EST) Wietse Venema wie...@porcupine.org wrote:
> Titanus Eramius:
>> Running Postfix 2.7.x I have set delay_warning_time to 4 hours, but was wondering if it is possible to send out two or more bounce messages about a delayed message?
> If you want to know if mail is finally out the door, turn on the DSN success notify option. Message multipliers are unsafe. Don't do it.

Thank you for the answer and the explanation. I will indeed read up on the notify system, and use that instead.

- Titanus
Sending of several delayed warnings
Running Postfix 2.7.x I have set delay_warning_time to 4 hours, but was wondering if it is possible to send out two or more bounce messages about a delayed message?

What I am aiming for is that if a message cannot be delivered to the destination, then Postfix will inform the sender immediately, or close to immediately, about it. Then later on, if the message gets delivered before max query_time is reached, send a confirmation to the user that the message has now been delivered to the destination.

I have tried to find the answer by searching the net and reading man pages but without any luck, since I do not really know what to search for, so any pointers will be greatly appreciated.

Thanks

If need be, a postconf -n from the server:

---
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4
disable_vrfy_command = yes
inet_interfaces = all
maximal_queue_lifetime = 15
myhostname = removed
mynetworks = 127.0.0.0/8
recipient_canonical_classes = envelope_recipient
recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10002
relay_domains = proxy:mysql:/etc/postfix/relay_domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/relay_recipient_maps.cf
sender_canonical_classes = envelope_sender
sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf, tcp:127.0.0.1:10001
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination warn_if_reject reject_invalid_helo_hostname warn_if_reject reject_non_fqdn_helo_hostname warn_if_reject reject_non_fqdn_sender warn_if_reject reject_non_fqdn_recipient warn_if_reject reject_unknown_sender_domain warn_if_reject reject_unknown_recipient_domain warn_if_reject reject_rbl_client truncate.gbudb.net check_policy_service unix:private/spfcheck permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt
smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000
---
Re: [OT] SPF - Do you use it
On Fri, 05 Oct 2012 15:50:37 +0200 Reindl Harald h.rei...@thelounge.net wrote:
> forgot to mention you should use BOTH types TXT and SPF

I did not even know that an SPF record type existed in DNS. At the homepage of SPF and other places I have read, it is indicated that SPF = TXT RR in DNS, but I may have read too little on the subject to notice.

> The SPF RR is functionally identical to a TXT record with SPF data. BIND 9.4+ supports the SPF RR type, however previous versions, and most other DNS software (as of July 2007), do not yet support the SPF RR type. Thus, the RFC's recommendation is to always provide a TXT based SPF RR and, if your DNS software supports the SPF RR type, duplicate the information from the TXT version of the SPF RR in a native SPF RR. The reason for this procedure is simply because while the master/slave DNS may support the SPF RR, querying name servers - such as name servers used by receiving MTAs - may not. Some, but not all, of the examples below have been updated to reflect the use of both record types to illustrate usage. In all cases the TXT and SPF RRs are shown with a comment line between containing the word AND as a reminder of the current policy recommendation. It is safe to assume for the foreseeable future that only using a TXT version of the SPF will always work.

This is a wealth of information and highly appreciated, thank you. At the moment my service provider does not support the usage of SPF records, so for the time being I will stick to TXT, and keep an eye out for SPF RR.
Re: [OT] SPF - Do you use it
On Fri, 05 Oct 2012 17:17:49 +0200 lst_ho...@kwsoft.de wrote:
> Quoting Reindl Harald h.rei...@thelounge.net:
>> On 05.10.2012 16:04, lst_ho...@kwsoft.de wrote:
>>> Quoting Titanus Eramius tita...@aptget.dk:
>>>> Slightly off topic. I hope it's OK when the mail is marked as such. I was just wondering if the users of this list use SPF in any way, and if so, to what extent?
>>> We have considered SPF some five years ago but after second thought ditched it completely:
>>> - It does not really help against spam because the spam-farms also can set proper SPF
>> this point is simply wrong
>> a spam-farm CAN NOT set a SPF that whatever ip is allowed to send mails with my envelope - simply because they are not the dns-admin of my zones
>>
>> SPF is NOT a spam-protection
>> it is designed to prevent forged sender-addresses which in the worst case results in multiple auto-replies between completely uninvolved persons which may over-react and start blacklisting servers which are not the root-cause
>>
>> the real problem is that not EVERY domain has SPF records and that is why it does not help as much as it could, you are part of this problem because ANYBODY can send me spam with your sender-address and only blacklists and bayesian filters prevents my server to send you auto-replies for such messages if i am at vacation
> This is your opinion. Mine is i don't care what sender-addresses spam has but i care about preventing spam from reaching end users. The most spam we see are from well connected spam-farms with their own throw-away domains and proper SPF/DKIM set. So no, SPF/DKIM is not useful for us in any way but certainly you are free to use it the way you like and as long as you like.
>
> Regards
>
> Andreas

As a newcomer to both this list and Postfix in general, I didn't realize this subject could be touchy, and I don't hope my question has been seen as an attempt to stir the dam.

I'm asking out of a real world example from the other day, where I was emailed by the support of a company I had phoned and asked for some details of a product earlier on. Since the email contained some sensitive information I wanted to make sure, at the very least, that the mail actually came from one of their servers, and in the past I have checked the SPF header of the mail. And before you say it, I know SPF in itself is not enough to verify an email, but it should be (IMHO) enough to ensure the email is not spam or something similar.

All your replies have raised a couple of questions I was hoping could be answered as well.

* As far as I understand, it should then be safe to drop mails with an SPF that does not match? I know this is not an antispam policy, for that I use rules in smtpd_recipient_restrictions.
* Is there any advantage in using v=spf1 ip4:1.2.3.4 -all compared to v=spf1 mx -all or the other way around?
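The two policies asked about in the last bullet can be compared by running them through a small SPF evaluator. This is an added example, not code from the thread or from policyd-spf-perl: it implements check_host() for the ip4, a, mx and all mechanisms over a constructed DNS table (RFC 5737 documentation addresses, made-up names), so the same sending address can be tested against "ip4:... -all" and "mx -all" side by side and the qualifier ("-all" fail versus "~all" softfail) is visible in the result.

```python
"""Minimal SPF (RFC 7208) check_host() over a constructed DNS table.

Added example, not from the thread. Only ip4, a, mx and all are handled;
include, redirect, exists, ptr and macros are not. The 'mx' form spends a DNS
lookup and changes meaning whenever the MX or A records change; the 'ip4'
form is self-contained. All names and addresses are constructed.
"""
import ipaddress

# Constructed stand-in for DNS; a real implementation would query a resolver.
DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.10 -all"],
    ("example.net", "TXT"): ["v=spf1 mx -all"],
    ("example.net", "MX"): ["mail1.example.net", "mail2.example.net"],
    ("mail1.example.net", "A"): ["192.0.2.10"],
    ("mail2.example.net", "A"): ["198.51.100.5"],
    ("soft.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
    ("twice.example", "TXT"): ["v=spf1 mx -all", "v=spf1 a -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def matches(mech, arg, addr, domain, lookups):
    """Does one mechanism match the sending address? Appends to lookups for
    each mechanism that needs a DNS query (a and mx)."""
    if mech == "all":
        return True
    if mech == "ip4":
        return addr in ipaddress.ip_network(arg, strict=False)
    target, _, cidr = (arg or domain).partition("/")
    bits = int(cidr) if cidr else 32
    lookups.append(mech)
    hosts = lookup(target, "MX") if mech == "mx" else [target]
    return any(addr in ipaddress.ip_network(f"{a}/{bits}", strict=False)
               for host in hosts for a in lookup(host, "A"))


def check_host(ip, domain):
    """Return (result, dns_lookups_used) for a sending IP against domain's SPF record."""
    addr = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none", 0
    if len(records) > 1:
        return "permerror", 0  # RFC 7208 section 4.5: more than one record is an error
    lookups = []
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech not in ("all", "ip4", "a", "mx"):
            return "permerror", len(lookups)  # unsupported in this toy evaluator
        if matches(mech, arg, addr, domain, lookups):
            return QUALIFIERS[qualifier], len(lookups)
        if len(lookups) > MAX_DNS_MECHANISMS:
            return "permerror", len(lookups)
    return "neutral", len(lookups)  # nothing matched and no 'all' term
```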
[OT] SPF - Do you use it
Slightly off topic. I hope it's OK when the mail is marked as such.

I was just wondering if the users of this list use SPF in any way, and if so, to what extent?

My former provider of mail added a header with the SPF info retrieved from DNS, and I'm considering doing the same with policyd-spf-perl. There is already a running DNS on the system, so the extra lookup should not have a lag. I already have Perl installed through the use of postfixAdmin's auto reply script, so it seems natural to choose a solution written in Perl (if a choice exists).

The only policy daemon I am currently using is greylisting by SQLGrey. The mailserver only provides me with my personal mail, so the load is very light.
Re: Danish letters in bounce_template_file
On Thu, 27 Sep 2012 10:15:09 -0400 (EDT) Wietse Venema wie...@porcupine.org wrote:
>> Instead it looks like this: Det her mailsystemet p?? v??rten mydomain.
> Bounce templates have supported non-ASCII from the start. I suspect that something after Postfix is stripping them.
>
> I just confirmed that Postfix bounce deliveries are 8-bit clean. A template with 0xff characters delivers as expected (sendmail -bv -f wietse@localhost wietse@localhost with delivery by the local(8) delivery agent to mailbox file).
>
> Wietse

Thank you for the answer, it's much appreciated. I'm sorry to admit I had to look both "8-bit clean" and 0xff up, but then again, how else is one to learn?

As Viktor also suggests, I never doubted that Postfix can use other charsets, so for the next test I will try UTF-8 and see what happens. I'll return later, when Postfix sends out the bounce.
Re: Danish letters in bounce_template_file
On Thu, 27 Sep 2012 14:24:37 + Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> postconf -b just stuffs the raw bits down your terminal, so this just means that your terminal charset matches the encoding of Danish characters in the file. What is your $LANG environment variable set to? It may also be helpful to post any related LC_* variables.

I see. Then it makes better sense, especially because $LANG is set to Danish together with most of the LC_'s:

titanus@machine:~$ locale
LANG=da_DK.UTF-8
LANGUAGE=
LC_CTYPE=da_DK.UTF-8
LC_NUMERIC=da_DK.UTF-8
LC_TIME=da_DK.UTF-8
LC_COLLATE=da_DK.UTF-8
LC_MONETARY=da_DK.UTF-8
LC_MESSAGES=da_DK.UTF-8
LC_PAPER=da_DK.UTF-8
LC_NAME=da_DK.UTF-8
LC_ADDRESS=da_DK.UTF-8
LC_TELEPHONE=da_DK.UTF-8
LC_MEASUREMENT=da_DK.UTF-8
LC_IDENTIFICATION=da_DK.UTF-8
LC_ALL=

>> However, when Postfix returns an answer after 4 hours plus some, the localized letters are gone. For example, this English line we all know: This is the mail system at host myhost. I have translated it to this: Det her mailsystemet p? v?rten mydomain.
> This almost certainly means that the characters in the template file are encoded in a charset different from the one you declared in the template and identical to the one supported by your terminal, editor program, ... Frequently these days, that charset is utf-8.

I have tried to set the charset of bounce.cf to UTF-8 and then sent a few mails to the server to test it. When a bounce returns we'll know if UTF-8 did the trick.

Thanks for the help so far and the additional information.
Re: Danish letters in bounce_template_file
On Fri, 28 Sep 2012 11:13:15 +0200 Reindl Harald h.rei...@thelounge.net wrote:
> On 28.09.2012 11:11, Titanus Eramius wrote:
>> I have tried to set the charset of bounce.cf to UTF-8 and then sent a few mails to the server to test it. When a bounce returns we'll know if UTF-8 did the trick. Thanks for the help so far and the additional information.
> mail non-existent-address
>
> the shell mail command does not work with SMTP, so it does not get rejected and postfix is forced to bounce..

That's a nice trick to know, which works very well. Thanks for the information
Danish letters in bounce_template_file
I have translated bounce_template_file to Danish, and besides the localized letters, it works fine (the English part is still present in the error).

In /etc/postfix/main.cf I have set

delay_warning_time = 4
bounce_template_file = /etc/postfix/bounce.cf

When I run postconf -b /etc/postfix/bounce.cf it works great - the Danish letters are shown in my terminal, and postconf gives no errors.

However, when Postfix returns an answer after 4 hours plus some, the localized letters are gone. For example, this English line we all know:

This is the mail system at host myhost.

I have translated it to this:

Det her mailsystemet på værten mydomain.

(the first localized Danish letter is å, and it's supposed to look like this: https://en.wikipedia.org/wiki/%C3%85 )

Instead it looks like this:

Det her mailsystemet pÃ¥ værten mydomain.

In /etc/postfix/bounce.cf I have tried ISO-8859-1 and ISO-8859-4 as charset at the beginning of all 4 parts. The header of the delay_template part looks like this:

delay_template = <<EOF
Charset: ISO-8859-1
From: MAILER-DAEMON (Mail Delivery System)
Subject: Forsinket email
Postmaster-Subject: Postmaster Warning: Delayed Mail

I guess the problem is this advice from bounce(5): "Specify an appropriate superset of US-ASCII." I mean, not the advice itself, but more the fact that I can't find such a list. Does anyone know what subset to use for Danish?
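The "pÃ¥" in the post is what a reader gets when UTF-8 bytes (the editor saved the file under a da_DK.UTF-8 locale) are decoded with the ISO-8859-1 declared in the template, since Postfix passes the template bytes through unchanged. The following is an added example, not code from the thread or from Postfix: it parses a bounce(5)-style template, compares each section's declared Charset with its actual bytes, shows what a reader honouring the declared charset would see, and rewrites the Charset line; the template text is constructed and the UTF-8 heuristic is an assumption.

```python
"""Check that a Postfix bounce template's declared Charset fits the bytes in the file.

Added example, not from the thread. The template fragment is constructed to
reproduce the symptom in the post. Heuristic (an assumption): a section whose
bytes contain non-ASCII and decode cleanly as UTF-8 is taken to be UTF-8,
whatever its Charset line claims.
"""
import codecs
import re

# Constructed bounce(5)-style template, encoded as the editor saved it.
TEMPLATE = """\
delay_template = <<EOF
Charset: ISO-8859-1
From: MAILER-DAEMON (Mail Delivery System)
Subject: Forsinket email
Postmaster-Subject: Postmaster Warning: Delayed Mail

Det her mailsystemet på værten $myhostname.
EOF
""".encode("utf-8")

SECTION_RE = re.compile(rb"^(\w+_template) = <<EOF\n(.*?)^EOF\n", re.M | re.S)
CHARSET_RE = re.compile(rb"^Charset:[ \t]*(\S+)", re.M)


def sections(template_bytes):
    """Yield (name, declared_charset, body_bytes) for each template in the file."""
    for m in SECTION_RE.finditer(template_bytes):
        c = CHARSET_RE.search(m.group(2))
        declared = c.group(1).decode("ascii") if c else "us-ascii"
        yield m.group(1).decode("ascii"), declared, m.group(2)


def as_reader_sees(body, declared):
    """Decode the raw bytes the way a mail reader honouring the declared charset would."""
    return body.decode(declared, errors="replace")


def check_template(template_bytes):
    """Return {section_name: problem} for sections whose bytes and Charset disagree."""
    problems = {}
    for name, declared, body in sections(template_bytes):
        if all(b < 0x80 for b in body):
            continue  # pure ASCII fits any superset of US-ASCII
        try:
            is_utf8 = codecs.lookup(declared).name == "utf-8"
        except LookupError:
            problems[name] = f"unknown charset {declared}"
            continue
        try:
            body.decode("utf-8")
            decodes_as_utf8 = True
        except UnicodeDecodeError:
            decodes_as_utf8 = False
        if is_utf8 and not decodes_as_utf8:
            problems[name] = "Charset says UTF-8 but the bytes are not valid UTF-8"
        elif not is_utf8 and decodes_as_utf8:
            problems[name] = (f"bytes look like UTF-8 but Charset says {declared}; "
                              f"a reader would show {as_reader_sees(body, declared)[-45:-1]!r}")
    return problems


def declare_charset(template_bytes, charset=b"UTF-8"):
    """Rewrite every Charset: line to the given charset (the bytes are left as they are)."""
    return re.sub(rb"^Charset:.*$", b"Charset: " + charset, template_bytes, flags=re.M)
```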
Re: Backup MXs and databases
On Tue, 04 Sep 2012 01:50:42 +0200 Reindl Harald h.rei...@thelounge.net wrote:
>> Like this http://www.iheavy.com/2012/04/26/bulletproofing-mysql-replications-with-checksums/
>
> * mixed transactional and non-transactional tables
> not relevant in this context
> why would someone mix innodb/myisam a database and transaction?
>
> * use of non-deterministic functions such as uuid()
> not relevant in this context
>
> * stored procedures and functions
> not relevant in this context
>
> * update with LIMIT clause
> not relevant in this context
> even if, combined with a clear order by no problem
>
> for postfix lookup tables you have usually a very simple database scheme with very few changes and 99.9% of all queries are readonly because postfix does even not need any write permissions to the database (and does not have it in any of my setups)
>
> so you have a simple webinterface for updates or if you have only a few domains/users maybe phpMyAdmin or terminal would be enough
>
> so there is virtually zero danger for get out of sync

Thank you very much for the answer, it covers all my questions in full detail. Why someone would use something like uuid() on the primary database and then call it an error when it does not work on the slave, I cannot understand. Thank you for clearing that up too.
Backup MXs and databases
Hello good folks

I have recently brought my very first mailserver online, and have been testing it for the past month or so. Since the setup needs to be redundant, I have also brought a secondary mailserver online on its own domain, and everything seems to run smoothly.

It's a Debian, Postfix, Dovecot, postfixAdmin, SQLGrey and Squirrel Mail setup, with virtual users only, and MySQL as the central component. The database is what my question is about.

As far as I know, the best way to fight off spam and backscatter is if the backup MX uses the same database as the primary. I've been reading up on the subject, but seem to lack the experience to take a decision on what way to keep the backup MX database updated. It does not need to be real-time, or anywhere close to it. For this setup twice a day will probably be fine.

So, I guess my question is: How do you, good and experienced folks, keep your backup MXs updated?

I've looked at two solutions so far:
- MySQL Replication, which seems a bit dodgy, with the risk of silent data corruption.
- Bash scripting with rsync could do the job, but seems like a less clean solution.

Thank you for your time
Re: Backup MXs and databases
On Tue, 04 Sep 2012 00:39:08 +0200 Reindl Harald h.rei...@thelounge.net wrote:
> On 03.09.2012 23:56, Titanus Eramius wrote:
>> MySQL Replication, which seems a bit dodgy, with the risk of silent data corruption.
> where do you see a risk of silent data corruption?
> if this would be the case it would be simply impossible have a complete dbmail-database running on a replication slave over 3 years with a lot of foreign constraints and a major scheme update
>
> there is NO silent corruption
> please do not post FUD

I'm somewhat sorry for being unable to ask my question in a manner that can't be misunderstood, but I suppose it's always possible to find something negative if you are looking for it.

Like I said "I've been reading up on the subject, but seem to lack the experience ..." which should be understood as "I don't know anything about the subject besides what I have read."

Like this http://www.iheavy.com/2012/04/26/bulletproofing-mysql-replications-with-checksums/
And this http://www.xaprb.com/blog/2007/11/08/how-mysql-replication-got-out-of-sync/ (which I found here http://forums.mysql.com/read.php?27,216438,216438 )
And so on http://www.pythian.com/news/1273/mysql-replication-failures/

So I'm sorry, I don't see the FUD, and because I know next to nothing about databases, I simply cannot see these replication errors as anything else than corruption*. But please enlighten me, that was why I posted to the list.

---
* Data corruption refers to errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data. https://en.wikipedia.org/wiki/Data_corruption