Re: postfix + selinux - does it make sense ?

2017-07-11 Thread Zalezny Niezalezny
I think that Postfix is one of the most secure servers. I will stay with
basic SE settings.


On Tue, Jul 11, 2017 at 1:01 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Hi,
> >
> > I would like to know Your opinion about selinux + postfix ?
> >
> > Is anyone using it? Does it make sense to set up some policies for
> > postfix?
>
> Do what you like, but I won't provide help for platform-specific
> features. Postfix is a cross-platform system.
>
> Wietse
>


postfix + selinux - does it make sense ?

2017-07-11 Thread Zalezny Niezalezny
Hi,

I would like to know Your opinion about selinux + postfix ?

Is anyone using it? Does it make sense to set up some policies for
postfix?




Thanks in advance for your answers and suggestions.



Cheers

Zalezny


SMTP session failure: 501 5.1.7 - how to solve it ?

2017-06-23 Thread Zalezny Niezalezny
Dear Colleagues,


I have a problem with my Postfix/Mailman configuration. Basically everything
is working fine except one thing.

When I'm sending a message to the mailman admins:

From: u...@example.com
To: mailman-ow...@list.example.com


Postfix generates an SMTP session failure.


Jun 23 10:59:25 2017 (18113) SMTP session failure: 501, 5.1.7 Bad sender
address syntax, msgid: 

postfix client closing connection (email delivery) if one of multiple recipients failed/filtered

2017-06-14 Thread Zalezny Niezalezny
Hi,

I have exactly the same problem as described in that post and I do not
know what to do.

http://postfix.1071664.n5.nabble.com/Customize-configure-postfix-with-multiple-recipients-td45030.html

In our network we are relaying messages using Postfix.

When our application sends a message with
From: b...@bla.com
To: va...@domain.com; discard_that_em...@domain.com



application -> local MTA -> LAN relay 1 -> Lan relay 2 -> Ironport ->
internet



The problem is on "LAN relay 1" and "LAN relay 2", where the Postfix client
from relay1 closes the connection if one of the recipients needs to be
discarded.


How to configure the Postfix client on "LAN relay 1" to not close the connection
if one of the recipients is filtered or not_valid on "LAN relay 2"? Why
does Postfix discard the complete message then?



Thanks in advance for Your support


Cheers

Zalezny


TLS security rules - perfect setup and issue with anonymous cipher

2017-05-05 Thread Zalezny Niezalezny
Hi,

first of all I would like to say "thank You" for the answers on my previous
questions. I read all of them, they were helpful but I missed to say "BIG
THANKS!"


I have a security question. My Postfix 2.10.1 Server TLS configuration
looks like this at the moment.


#TLS Server configuration
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/2017.cer
smtpd_tls_key_file = /etc/postfix/ssl/2017.key


Once per month an external company does a security scan on all Postfix
instances. Last time there was a big discussion about anonymous ciphers.

Do I need to disable them?

What else should I configure for a public server?
Maybe somebody will be so kind as to paste here a perfect, working TLS
configuration for a public server?



Cheers

Zalezny


relay server - mass mailing tuning

2017-04-11 Thread Zalezny Niezalezny
Hi,

in the next days our external service provider will regularly push
~300 000 - 500 000 e-mails with a size of 60-500kb to our relay server (Postfix).

The external system provider has an SMTP server farm, so it will send messages
from ~20 IPs to our single Postfix instance.

My question is, do I need to tune anything in our Postfix relay to receive
and transport such a big amount of messages in a single session?

What kind of settings should I set up to keep performance at the optimal
level and to avoid a situation with too many connections etc.?


Could you please advise here?



Thanks in advance for any support.


With kind regards

Konrad Wawryn


Re: message_size_limit - how to configure on multiple instances ?

2017-04-01 Thread Zalezny Niezalezny
thank You all :)

On 30 Mar 2017 21:47, "Viktor Dukhovni" <postfix-us...@dukhovni.org> wrote:

>
> > On Mar 30, 2017, at 12:35 PM, Zalezny Niezalezny <
> zalezny.niezale...@gmail.com> wrote:
> >
> > # postconf -d | grep message
>
> The "postconf -d" command returns compiled-in defaults.
> For your actual settings, try "postconf", either with
> no options or as "postconf -n" for just non-default
> settings.  See postconf(1) for details.
>
> --
> Viktor.
>
>


Re: how to remove string "[MASSMAIL]" from the subject ?

2017-03-31 Thread Zalezny Niezalezny
I'm coming to you with this big bottle of virtual beer :))

http://craftbeernation.org/blog/wp-content/uploads/2014/05/very-big-beer.jpg


Thanks a lot my friend 

and many greetings from Nuremberg!





On Fri, Mar 31, 2017 at 1:56 PM, Ralf Hildebrandt <r...@sys4.de> wrote:

> * Ralf Hildebrandt <r...@sys4.de>:
> > * Zalezny Niezalezny <zalezny.niezale...@gmail.com>:
> > > As I see here, header_checks can do it. There is only one problem. This
> > > rule searches for a subject with the string [MASSMAIL] and replaces the
> > > complete subject line with the word "test".
> > >
> > > /^Subject:.*[MASSMAIL].*/ REPLACE Subject: test
> >
> > /^Subject:(.*)[MASSMAIL](.*)/ REPLACE Subject: $1$2
>
> Sorry:
>
> /^Subject:(.*)\[MASSMAIL\](.*)/ REPLACE Subject: $1$2
>
>
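
Added example, not part of the thread: the three header_checks rules quoted above, run over a few constructed Subject lines to show what the unescaped bracket expression actually matches and what the escaped rule changes. Python's re module stands in for the Postfix regexp:/pcre: table engine (an assumption), and $1$2 is written \1\2.

```python
import re

# The three header_checks rules quoted in the thread, in order of appearance.
# Python's re module stands in for the Postfix regexp:/pcre: table engine
# (assumption); $1$2 from the thread is written \1\2 here.
RULES = {
    "original":  (r"^Subject:.*[MASSMAIL].*",       r"Subject: test"),
    "unescaped": (r"^Subject:(.*)[MASSMAIL](.*)",   r"Subject: \1\2"),
    "escaped":   (r"^Subject:(.*)\[MASSMAIL\](.*)", r"Subject: \1\2"),
}

# Constructed sample headers; only the first one carries the tag.
SUBJECTS = [
    "Subject: [MASSMAIL] test message blablabla",
    "Subject: Invoice for March",
    "Subject: Re: quarterly numbers",
    "Subject: 2017-Q2",
]


def apply_rule(rule_name, header_line):
    """Return the rewritten header, or None when the rule does not match
    (Postfix then passes the header through unchanged)."""
    pattern, replacement = RULES[rule_name]
    # Postfix regexp and pcre tables match case-insensitively by default.
    match = re.match(pattern, header_line, re.IGNORECASE)
    if match is None:
        return None
    return match.expand(replacement)


def rewritten(rule_name, headers=SUBJECTS):
    """Map each header the rule would change to what it becomes."""
    result = {}
    for header in headers:
        new = apply_rule(rule_name, header)
        if new is not None and new != header:
            result[header] = new
    return result


if __name__ == "__main__":
    # [MASSMAIL] without backslashes is a bracket expression: it matches ONE
    # character out of M, A, S, I, L, so almost any subject matches it.
    for name in RULES:
        print(name)
        for old, new in rewritten(name).items():
            print("  %r -> %r" % (old, new))
```

The escaped rule touches only the tagged subject, but "Subject: $1$2" keeps the spaces on both sides of the tag, so the result has extra whitespace after the colon.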


Re: how to remove string "[MASSMAIL]" from the subject ?

2017-03-31 Thread Zalezny Niezalezny
As I see here, header_checks can do it. There is only one problem. This rule
searches for a subject with the string [MASSMAIL] and replaces the complete
subject line with the word "test".

/^Subject:.*[MASSMAIL].*/ REPLACE Subject: test


How to replace only the single string [MAILMAN] without interrupting the rest
of the subject?


Subject: [MASSMAIL] test message blablabla

/^Subject:.*[MASSMAIL].*/ REPLACE Subject: test

It's replacing it with
Subject: test


How to change that subject to:

Subject: test message blablabla



Maybe someone knows?




Cheers

Zalezny


On Fri, Mar 31, 2017 at 1:29 PM, Zalezny Niezalezny <
zalezny.niezale...@gmail.com> wrote:

> This list (postfix-users) is configured so that when I click Reply on
> your answer, the system sends the message directly to you instead of the list.
> On a mobile device it is sometimes difficult. It was not my intention to write
> an e-mail directly to you... I prefer the list.
>
> Mailman is connected as usual with Postfix. So it's forwarding messages
> directly to Postfix and Postfix is sending them to another relay.
> It's quite difficult for me because on that host I have 180 mailing lists
> with ~5mln users. The [MAILMAN] prefix is only on a few of them and I'm searching
> for some fast solution.
>
> That's why I'm here... on the Postfix-users list. I also opened a topic on the
> mailman list.
>
> Maybe somebody else knows how to manipulate the Subject with Postfix?
>
>
> Thanks in advance for any help.
>
>
> Cheers
>
> Zalezny
>
>
>
>
>
>
>
>
> On Fri, Mar 31, 2017 at 1:11 PM, Larry Stone <lston...@stonejongleux.com>
> wrote:
>
>> Neither do I as you have provided no information about your Postfix
>> configuration or anything else. As it says in the Postfix list welcome
>> email you received:
>> TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
>> But if you’ve verified Mailman is not adding it as a list prefix tag,
>> then you need to tell us what else is handling the email before it makes it
>> to your mailbox.
>>
>> Also, reply on list, not directly to me. Future emails sent directly to
>> me will be ignored.
>>
>> --
>> Larry Stone
>> lston...@stonejongleux.com
>>
>>
>>
>>
>>
>> > On Mar 31, 2017, at 6:03 AM, Zalezny Niezalezny <
>> zalezny.niezale...@gmail.com> wrote:
>> >
>> > hi larry,
>> >
>> > I have removed the prefix but for some lists the system simply adds this
>> > prefix. I don't know what to do.
>> >
>> > Anyhow, it would be great to know how to remove that string with
>> > postfix.
>> >
>> >
>> > cheers
>> >
>> > zalezny
>> >
>> > On 31 Mar 2017 12:58, "Larry Stone" <lston...@stonejongleux.com> wrote:
>> > This is a Mailman mailing list you run? That Mailman has the option to
>> add a tag in front of the subject (and it’s not the default so you would
>> have had to explicitly turn it on). There is a Mailman-users mailing list
>> and that would be the appropriate place for help.
>> >
>> > But, since it says [MASSMAIL] and MASS implies to me that it’s to
>> indicate that it’s being sent to a MASS of recipients, it sounds like it
>> might be a mail filter downline of Mailman that, for instance, sees the
>> “Precedence: bulk” header and tags the mail. In which case Mailman has
>> nothing to do with it.
>> >
>> > In any event, the [MASSMAIL] tag is a symptom of some other problem
>> adding the undesired (to you at least) tag. Fix the problem, not the
>> symptom.
>> >
>> > --
>> > Larry Stone
>> > lston...@stonejongleux.com
>> >
>> >
>> >
>> >
>> >
>> > > On Mar 31, 2017, at 5:32 AM, Zalezny Niezalezny <
>> zalezny.niezale...@gmail.com> wrote:
>> > >
>> > > Hi,
>> > >
>> > > will it be possible to remove string [MASSMAIL] from outgoing E-mails
>> ?
>> > >
>> > >
>> > > From: bla!@firma.com
>> > > to: *@gmail.com
>> > > Subject: [MASSMAIL] text of the messages
>> > >
>> > > I would like to have some thing like this.
>> > >
>> > > From: bla!@firma.com
>> > > to: *@gmail.com
>> > > Subject: text of the messages
>> > >
>> > >
>> > > Unfortunately Mailman adds this string to some of my mailing lists
>> > > and I do not know how to change it; maybe it will be possible to rewrite it
>> > > with Postfix?
>> > >
>> > >
>> > >
>> > > Thanks in advance for any support.
>> > >
>> > >
>> > >
>> > > Cheeers
>> > >
>> > > Zalezn
>> >
>>
>>
>


Re: how to remove string "[MASSMAIL]" from the subject ?

2017-03-31 Thread Zalezny Niezalezny
This list (postfix-users) is configured so that when I click Reply on
your answer, the system sends the message directly to you instead of the list.
On a mobile device it is sometimes difficult. It was not my intention to write
an e-mail directly to you... I prefer the list.

Mailman is connected as usual with Postfix. So it's forwarding messages
directly to Postfix and Postfix is sending them to another relay.
It's quite difficult for me because on that host I have 180 mailing lists
with ~5mln users. The [MAILMAN] prefix is only on a few of them and I'm searching
for some fast solution.

That's why I'm here... on the Postfix-users list. I also opened a topic on the
mailman list.

Maybe somebody else knows how to manipulate the Subject with Postfix?


Thanks in advance for any help.


Cheers

Zalezny








On Fri, Mar 31, 2017 at 1:11 PM, Larry Stone <lston...@stonejongleux.com>
wrote:

> Neither do I as you have provided no information about your Postfix
> configuration or anything else. As it says in the Postfix list welcome
> email you received:
> TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
> But if you’ve verified Mailman is not adding it as a list prefix tag, then
> you need to tell us what else is handling the email before it makes it to
> your mailbox.
>
> Also, reply on list, not directly to me. Future emails sent directly to me
> will be ignored.
>
> --
> Larry Stone
> lston...@stonejongleux.com
>
>
>
>
>
> > On Mar 31, 2017, at 6:03 AM, Zalezny Niezalezny <
> zalezny.niezale...@gmail.com> wrote:
> >
> > hi larry,
> >
> > I have removed the prefix but for some lists the system simply adds this
> > prefix. I don't know what to do.
> >
> > Anyhow, it would be great to know how to remove that string with postfix.
> >
> >
> > cheers
> >
> > zalezny
> >
> > On 31 Mar 2017 12:58, "Larry Stone" <lston...@stonejongleux.com> wrote:
> > This is a Mailman mailing list you run? That Mailman has the option to
> add a tag in front of the subject (and it’s not the default so you would
> have had to explicitly turn it on). There is a Mailman-users mailing list
> and that would be the appropriate place for help.
> >
> > But, since it says [MASSMAIL] and MASS implies to me that it’s to
> indicate that it’s being sent to a MASS of recipients, it sounds like it
> might be a mail filter downline of Mailman that, for instance, sees the
> “Precedence: bulk” header and tags the mail. In which case Mailman has
> nothing to do with it.
> >
> > In any event, the [MASSMAIL] tag is a symptom of some other problem
> adding the undesired (to you at least) tag. Fix the problem, not the
> symptom.
> >
> > --
> > Larry Stone
> > lston...@stonejongleux.com
> >
> >
> >
> >
> >
> > > On Mar 31, 2017, at 5:32 AM, Zalezny Niezalezny <
> zalezny.niezale...@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > will it be possible to remove string [MASSMAIL] from outgoing E-mails ?
> > >
> > >
> > > From: bla!@firma.com
> > > to: *@gmail.com
> > > Subject: [MASSMAIL] text of the messages
> > >
> > > I would like to have some thing like this.
> > >
> > > From: bla!@firma.com
> > > to: *@gmail.com
> > > Subject: text of the messages
> > >
> > >
> > > Unfortunately Mailman adds this string to some of my mailing lists
> > > and I do not know how to change it; maybe it will be possible to rewrite it
> > > with Postfix?
> > >
> > >
> > >
> > > Thanks in advance for any support.
> > >
> > >
> > >
> > > Cheeers
> > >
> > > Zalezn
> >
>
>


how to remove string "[MASSMAIL]" from the subject ?

2017-03-31 Thread Zalezny Niezalezny
Hi,

will it be possible to remove string [MASSMAIL] from outgoing E-mails ?


From: bla!@firma.com
to: *@gmail.com
Subject: [MASSMAIL] text of the messages

I would like to have something like this.

From: bla!@firma.com
to: *@gmail.com
Subject: text of the messages


Unfortunately Mailman adds this string to some of my mailing lists and I
do not know how to change it; maybe it will be possible to rewrite it with
Postfix?



Thanks in advance for any support.



Cheers

Zalezn


message_size_limit - how to configure on multiple instances ?

2017-03-30 Thread Zalezny Niezalezny
Hi,

I have a serious problem. On my server I have 2 postfix instances.

On the master instance I have changed the message size limit from 10Mb to 30Mb.
Unfortunately postconf still shows 10MB. How may I change this?

Postfix instances on my server:

[root@unixserver5 opt]# postmulti -l
-   massmailing y /etc/postfix
postfix-mail massmailing y /etc/postfix-mail



This is configured in /etc/postfix/main.cf

[root@unixsmtp05 opt]# cat /etc/postfix/main.cf | grep ^messag
message_size_limit = 3072
[root@unixsmtp05 opt]#


Postconf is still keeping the default configuration. How to change the message size
globally on all instances?

[root@unixserver5 opt]# postconf -d | grep message
message_reject_characters =
postconf: warning: inet_protocols: disabling IPv6 name/address support:
Address family not supported by protocol
message_size_limit = 1024
message_strip_characters =
qmgr_message_active_limit = 2
qmgr_message_recipient_limit = 2
qmgr_message_recipient_minimum = 10
smtpd_client_message_rate_limit = 0




Please help me.





With kind regards

Zalezny


Re: transport table - and regular expression for dynamic generated e-mails tha

2017-03-28 Thread Zalezny Niezalezny
Thanks!! It was always hard for me to understand how I may route some
strange addresses. I always used check_sender_regexp and
check_recipient_regexp, but it seems that with a regexp transport table I
will be able to do a lot more. Virtual beer for you!

thanks a lot!!!

On 28 Mar 2017 17:16, "Noel Jones" <njo...@megan.vbhcs.org> wrote:

On 3/28/2017 2:59 AM, Zalezny Niezalezny wrote:
> Hi,
>
> I would like to route some dynamic generated E-mails to some server.
>
> My E-mail looks as follow:
>
> Original E-mail: testm...@example.com
>
> I have a problem with routing that E-mail:
> Dynamic generate E-mail: testmail-3995485839...@example.com
> Domain: example.com
>
>
> /etc/postfix/transport file looks as follow:
>
>
> testm...@example.com  relay:some.server.relay
> /^testmail-.*@example\.com/   relay:some.second.server
> example.com   relay:some.domain
>
>
>
> Unfortunately E-mail
>
> testmail-3995485839...@example.com
>
>  is routed to some.domain. (routing for example.com).
>
>
>
> How to send that message to some.second.server.
>
>
> I appreciate Your support.
>
>
> With kind regards
>
> Zalezny


Looks as if you're mixing regular expressions with indexed lookups
in your transport file.  Don't do that.

Use a regexp: or pcre: transport map type, and write all the entries
as regular expressions.

# main.cf
transport_maps = regexp:/etc/postfix/transport.regexp

# transport.regexp
# in regexp maps, first match wins
/^testmail-.*@example\.com$/   relay:some.second.server
/^testmail@example\.com$/  relay:some.server.relay
/@example\.com$/   relay:some.domain


Alternately, you can use both a regexp: and a hash: map.  This may
be more convenient if you have a large number of transport entries.

# main.cf
transport_maps = regexp:/etc/postfix/transport.regexp
    hash:/etc/postfix/transport

http://www.postfix.org/postconf.5.html#transport_maps
http://www.postfix.org/regexp_table.5.html
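
Added example, not part of the thread: a small model of the two lookups discussed above, showing why the mixed file from the question falls through to the example.com entry, why rule order matters in the regexp table from the reply, and what the trailing $ in the reply's patterns prevents. Python's re module stands in for the Postfix regexp: engine, the indexed lookup order is simplified, and the addresses testmail-12345@example.com and testmail-1@example.com.invalid are constructed.

```python
import re

# Table from the reply above, as a regexp: map (first match wins).
REGEXP_TABLE = r"""
/^testmail-.*@example\.com$/   relay:some.second.server
/^testmail@example\.com$/      relay:some.server.relay
/@example\.com$/               relay:some.domain
"""

# The mixed file from the question, read as an indexed (hash:) map. Every
# left-hand side is a literal key, including the line that looks like a regex.
# The first address is spelled as in the reply's regexp, because the
# question's copy is truncated.
HASH_TABLE = r"""
testmail@example.com             relay:some.server.relay
/^testmail-.*@example\.com/      relay:some.second.server
example.com                      relay:some.domain
"""

# Constructed stand-in for the dynamically generated address in the question.
DYNAMIC = "testmail-12345@example.com"


def parse_regexp_table(text):
    """Parse '/pattern/flags result' lines into (compiled regex, result)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-z]*)\s+(\S.*)$", line)
        if m is None:
            raise ValueError("not a /pattern/ result line: %r" % line)
        pattern, flags, result = m.groups()
        # Matching is case-insensitive by default; the "i" flag toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), result))
    return rules


def lookup_regexp(rules, address):
    """Return the result of the first rule that matches, else None."""
    for regex, result in rules:
        if regex.search(address):
            return result
    return None


def parse_hash_table(text):
    """Parse 'key value' lines into a dict of literal keys."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table


def lookup_hash(table, address):
    """Simplified indexed lookup order: full address, then domain, then '*'."""
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    for key in (address, domain, "*"):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    rules = parse_regexp_table(REGEXP_TABLE)
    print("regexp table :", lookup_regexp(rules, DYNAMIC))
    print("catch-all 1st:", lookup_regexp(list(reversed(rules)), DYNAMIC))
    print("mixed hash   :", lookup_hash(parse_hash_table(HASH_TABLE), DYNAMIC))
    # Without the trailing $, a longer look-alike domain also matches.
    loose = parse_regexp_table(r"/^testmail-.*@example\.com/ relay:some.second.server")
    print("unanchored   :", lookup_regexp(loose, "testmail-1@example.com.invalid"))
```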


Re: transport table - and regular expression for dynamic generated e-mails

2017-03-28 Thread Zalezny Niezalezny
HI

You mean /etc/postfix/transport in main.cf ?


Zalezny

On Tue, Mar 28, 2017 at 10:02 AM, Wolfe, Robert <
robert.wo...@robertwolfe.org> wrote:

> Do  you have a transport mapping file set up  by any chance?
>
> --
> *From:* Zalezny Niezalezny [mailto:zalezny.niezale...@gmail.com]
> *To:* Postfix users [mailto:postfix-users@postfix.org]
> *Sent:* Tue, 28 Mar 2017 02:59:07 -0500
> *Subject:* transport table - and regular expression for dynamic generated
> e-mails
>
>
> Hi,
>
> I would like to route some dynamic generated E-mails to some server.
>
> My E-mail looks as follow:
>
> Original E-mail: testm...@example.com
>
> I have a problem with routing that E-mail:
> Dynamic generate E-mail: testmail-3995485839...@example.com
> Domain: example.com
>
>
> /etc/postfix/transport file looks as follow:
>
>
> testm...@example.com  relay:some.server.relay
> /^testmail-.*@example\.com/   relay:some.second.server
> example.com   relay:some.domain
>
>
>
> Unfortunately E-mail
>
> testmail-3995485839...@example.com
>
>  is routed to some.domain. (routing for example.com).
>
>
>
> How to send that message to some.second.server.
>
>
> I appreciate Your support.
>
>
> With kind regards
>
> Zalezny
>
>


separate TLS certificates for virtual domains - how ?

2017-03-23 Thread Zalezny Niezalezny
Hi,

is it possible to setup separate SSL certificates for an each virtual
domain ?


Thanks in advance for any support.


Cheers

Konrad


Re: postfix relay - mass mailing - how to properly send messages

2017-03-23 Thread Zalezny Niezalezny
Hi,

thanks for all the hints! I will simply not change anything on my Postfix
MTA with Mailman. It makes no sense, as I see.

My Postfix is relaying at the moment ~26mln e-mails per month and it's
stable. Most of those messages have multiple recipients inside. Compared
to the Cisco IronPort it's different, where each e-mail is extracted from
the recipient list and managed by a separate policy. I thought it would be
better to send one recipient per message. In that case I will not do it.
Never touch a running system.


Thanks for Your hints and support !


With kind regards


Zalezny


On Wed, Mar 22, 2017 at 7:38 PM, Viktor Dukhovni <postfix-us...@dukhovni.org
> wrote:

>
> > On Mar 22, 2017, at 3:27 PM, Zalezny Niezalezny <
> zalezny.niezale...@gmail.com> wrote:
> >
> > My Mailman server is connected to one of my mail gateways responsible
> for forwarding messages to the client from the internet. As I see in the
> logs Postfix from Mailman server sending each message with multiple
> recipients inside. Is this correct or I need to change here something?
>
> The most efficient, and least disruptive to other non-list traffic, way
> to deliver mail to large lists is to avoid forwarding to intermediate
> gateways, and have the list server connected directly to the Internet,
> sending email directly to the MX hosts of each recipient's domain.
>
> The list manager should emit a single message addressed to all
> the recipients, with VERP enabled to disambiguate bounces.
>
> I don't know whether Mailman can do this or not.
>
> The most natural way to create large mailings with Postfix is to
> use the ":include:" feature of aliases(5) to expand the subscriber
> list to the underlying recipient list, set an "owner-alias" to
> direct all bounces to the bounce processing engine and enable VERP
> (the "-XV" sendmail(1) option) when injecting the message so that
> bounce processing sees the actual failed recipient.
>
> When all the recipients are in a single message, Postfix will
> schedule delivery of other messages interspersed with delivery
> of recipients of the jumbo message, and thus not starve out
> other messages that arrive after delivery of the jumbo message
> begins.
>
> If you're routinely sending mail to large subscriber
> lists, a dedicated outbound MTA just for the list traffic
> may be a good idea.
>
> Of course you'll have deliverability issues to deal with at
> all the major providers, be prepared to enroll in their
> whitelist programs, and work with their support staff to
> resolve issues.
>
> --
> Viktor.


postfix relay - mass mailing - how to properly send messages

2017-03-22 Thread Zalezny Niezalezny
Hi,

I have a short question. How to properly send messages from the big mailing
lists. For example Mailman list with 50 000 or 100 000 subscribers. How to
do it in the right way with which Postfix settings ?

My Mailman server is connected to one of my mail gateways responsible for
forwarding messages to the client from the internet. As I see in the logs
Postfix from Mailman server sending each message with multiple recipients
inside. Is this correct or I need to change here something ?

I'm not 100% sure if each server will accept messages with so many
recipients inside. Would it be better to send 1 message with 1 recipient or
not?

Maybe somebody has some experience and can help me to tune my Postfix
settings to speed up delivery process ?


Cheers

Zalezny


send an email with specified sender/recipient address to different servers

2017-02-22 Thread Zalezny Niezalezny
Hi,

I just would like to know, how may send specified messages to different
hosts.


/etc/postfix/transport

domain.com    relay:mx-domain.local
*   host


All E-mails To: u...@domain.com system sending to mx-domain.local.
This is working fine.

But what should I do, if I would like to send an e-mail To:
user_...@domain.com to some other system with IP 10.204.2.2 ? What should I
do ?


The same question for senders. How to send message From:
sender@domain.example not via my default gateway ("*   host" like the rest
of not defined E-mails ) but via some other system "host2" ?


How to properly do it ?


Thanks in advance for Your support.



Cheers

Zalezny


send an email with specified sender/recipient address to different servers

2017-02-21 Thread Zalezny Niezalezny
Hi,

I just would like to know, how may send specified messages to different
hosts.


/etc/postfix/transport

domain.com    relay:mx-domain.local
*   host


All E-mails To: u...@domain.com system sending to mx-domain.local.
This is working fine.

But what should I do if I would like to send an e-mail To:
user_...@domain.com to some other system with IP 10.204.2.2 ? What should I
do ?


The same question for senders. How to send message From:
sender@domain.example not via my default gateway ("*   host" like the rest
of not defined E-mails ) but via some other system "host2" ?


How to properly do it ?


Thanks in advance for Your support.



Cheers

Zalezny


check_sender_regexp - problem

2017-01-16 Thread Zalezny Niezalezny
Hi,

in our environment we have two domains:

example.com - 1.1.1.1
news.example.com   - 2.2.2.2

configured on the external gateway. Each domain using separate IP
addresses.


Postfix mail server with mailboxes has been configured on the separate
system:

3.3.3.3


From this system we would like to send messages
 From: @example.com to 1.1.1.1
and messages
 From: @news.example.com to 2.2.2.2

How to do it properly ?

On my postfix I have configured:

smtpd_sender_restrictions =
check_sender_access regexp:/etc/postfix/check_sender_regexp

/.*@example.com/ FILTER smtp:1.1.1.1
/.*@news.example.com/ FILTER smtp:2.2.2.2


For some reason it's not working. The system sends messages to the default relay
1.1.1.1. How to configure it properly to send messages with a specified
sender domain to specified gateways?



Cheers

Zalezny


Re: TLS issue

2016-12-05 Thread Zalezny Niezalezny
Problem is generated by one of our Ironport systems which is trying to
establish TLS connection.
In Postfix server I already configured it:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3

I suspect that TLS client is not properly configured to establish
connection.

How to properly configure Postfix to enable all type of TLS connections ?


With kind regards

Zalezny


On Sat, Dec 3, 2016 at 5:40 PM, @lbutlr  wrote:

> On 12/2/16 12:16 PM, Wietse Venema wrote:
>
> With 'no shared ciphers' happening frequently, do we want to set
>> up a TLS troubleshooting document, or is the decision tree too
>> complex for such a document to be useful?
>>
> Considering how often the question is asked, probably.
>
> However, I think the error message in the logs is partly to blame since it
> will come up in a grep search for 'error'. (yes, people should grep for
> "error:" but they don't.)
>
> Instead of "Protocol error;" I'd suggest maybe "no protocol match;" or
> similar wording that doesn't include 'error'.
>
>
>
>
>


TLS issue

2016-12-02 Thread Zalezny Niezalezny
Hi,

we have a problem with TLS on our Postfix server


Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from
smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error
from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library
problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:1352:
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: lost connection
after STARTTLS from smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: disconnect from
smtptransit.de.net.intra[152.21.2.44]




But to be honest I do not understand what this is. Maybe somebody will be
able to help here and explain.


Thanks in advance.

Zalezny
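
Added example, not part of the thread: a triage helper for log excerpts like the one above. The "TLS library problem" warning does not name the client, so the helper ties it back to the session through the smtpd process id and reports the OpenSSL reason per client. The first five sample lines are the ones posted above with the line wrapping undone; the last two (mail.example.net[192.0.2.10]) are constructed.

```python
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: lost connection after STARTTLS from smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: disconnect from smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:12:07 postfix-server01 postfix/smtpd[37040]: connect from mail.example.net[192.0.2.10]
Dec  2 10:12:07 postfix-server01 postfix/smtpd[37040]: disconnect from mail.example.net[192.0.2.10]
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"^connect from (\S+\[[^\]]+\])")
TLS_PROBLEM = re.compile(r"^warning: TLS library problem: (.*)$")


def tls_failures(log_text):
    """Return {client: {openssl_reason: count}} for TLS library warnings."""
    current = {}  # smtpd pid -> client of the session that process is serving
    failures = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if m is None:
            continue
        pid, msg = m.groups()
        connect = CONNECT.match(msg)
        if connect:
            # One smtpd process serves sessions one after another, so a new
            # "connect from" replaces whatever client the pid had before.
            current[pid] = connect.group(1)
            continue
        if msg.startswith("disconnect from "):
            current.pop(pid, None)
            continue
        problem = TLS_PROBLEM.match(msg)
        if problem:
            # OpenSSL error string: pid:error:code:library:function:reason:file:line:
            fields = problem.group(1).split(":")
            reason = fields[5] if len(fields) > 5 else "unknown"
            failures[current.get(pid, "unknown")][reason] += 1
    return {client: dict(reasons) for client, reasons in failures.items()}


if __name__ == "__main__":
    for client, reasons in tls_failures(SAMPLE_LOG).items():
        for reason, count in reasons.items():
            print("%s: %s x%d" % (client, reason, count))
```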


ezmlm idx and postfix

2016-10-25 Thread Zalezny Niezalezny
Hi,

I have a short question. Is it possible to integrate ezmlm-idx with Postfix?
Does any one of you know how to do it?

I'm searching for some documentation for it, but everywhere it is written that
ezmlm works only with qmail...



Thanks in advance for Your time and support.



Cheers

Zalezny


e-mail filtering base on the IP

2016-10-04 Thread Zalezny Niezalezny
Hi,

is it possible to route messages based on the sender IP address?

So for example from host A I would like to route all messages to host Z and
from the rest of the hosts to host Y.


Is it possible somehow to configure it?


With kind regards

Zalezny


Re: bouce table - where to bounce specified E-mail

2016-09-01 Thread Zalezny Niezalezny
Thank you Wietse for your time and patience. I will read the RFC first - for now
the topic is closed for me.


On Thu, Sep 1, 2016 at 5:14 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Hi ,
> >
> > You suggest to remove sender address.
>
> No, you SPECIFY the null sender address. This concept was introduced
> more than 30 years ago. The current definition is in RFC 5321.
>
> With the SMTP protocol:
> MAIL FROM:<>
>
> With the Postfix sendmail command:
> sendmail -f '' recipients...
> sendmail -f '' -t
>
> Wietse
>
> >
> > Kind regards
> >
> > Zalezny
> >
> > On Thu, Sep 1, 2016 at 4:19 PM, Wietse Venema <wie...@porcupine.org>
> wrote:
> >
> > > Zalezny Niezalezny:
> > > > Hi,
> > > >
> > > > just a short question, is there any possibility in Postfix to control
> > > which
> > > > E-mail should be bounced and which not ?
> > >
> > > Postfix implements RFC 5321. If an email message has the null envelope
> > > sender address
> > >
> > > MAIL FROM:<>
> > >
> > > then that email message will not result in a non-delivery notification.
> > >
> > > Wietse
> > >
>


Re: bouce table - where to bounce specified E-mail

2016-09-01 Thread Zalezny Niezalezny
Hi ,

You suggest removing the sender address. How to do it in Postfix?


Kind regards

Zalezny

On Thu, Sep 1, 2016 at 4:19 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Hi,
> >
> > just a short question, is there any possibility in Postfix to control
> which
> > E-mail should be bounced and which not ?
>
> Postfix implements RFC 5321. If an email message has the null envelope
> sender address
>
> MAIL FROM:<>
>
> then that email message will not result in a non-delivery notification.
>
> Wietse
>


bouce table - where to bounce specified E-mail

2016-09-01 Thread Zalezny Niezalezny
Hi,

just a short question, is there any possibility in Postfix to control which
E-mail should be bounced and which not ?

We have some relay server which should not bounce some specified test
e-mails (with error). Is there any bounce table ?


Thanks in advance

Zalezny


Re: relay outage - bounce or deffered queue

2016-08-31 Thread Zalezny Niezalezny
Ok Thanks.

On Wed, Aug 31, 2016 at 3:32 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Dear Colleagues,
> >
> > in our infrastructure we are using Postfix as a relay server which is
> > responsible for transferring messages from our MS Exchange and Production
> > systems. Our infrastructure includes several Postfix relays:
> >
> > M$Exchange(lan) ---> Postfix1(middleware lan) ---> Postfix2(application
> > lan) ---> Postfix3(web lan) ---> Internet
> >
> > I would like to ask you, what will happen if Postfix2 is offline?
> > How will Postfix1 behave?
>
> As required by SMTP mail standard, Postfix will retry the email up
> to some time limit (with Postfix, maximal_queue_lifetime, default 7d).
>
> > M$ Exchange sending every minute ~10 000 E-mails.
>
> I recommend implementing Postfix2 etc. with multiple MTAs, perhaps
> behind HaProxy load balancers.
>
> > *If the outage takes longer, we need to store thousands of e-mails in the
> > deferred queue; is there any limit on the number of messages stored in the
> > deferred queue?*
>
> Your math is off. With 1 messages per minute, that is over a
> million email messages queued for every two hours of downtime. You
> simply cannot afford days of downtime with such a volume.
>
> Wietse
>


relay outage - bounce or deffered queue

2016-08-31 Thread Zalezny Niezalezny
Dear Colleagues,

in our infrastructure we are using Postfix as a relay server which is
responsible for transferring messages from our MS Exchange and Production
systems. Our infrastructure includes several Postfix relays:

M$Exchange(lan) ---> Postfix1(middleware lan) ---> Postfix2(application
lan) ---> Postfix3(web lan) ---> Internet

I would like to ask You, what will happen if Postfix2 will be offline ?
How Postfix1 will behave ?

a) will it bounce all messages from M$ Exchange users with answer that host
is not able to deliver messages ?

b) or maybe it will store all messages in the deferred queue for the
certain amount of time and will try to resend them every 300s ?

In case of any outage of Postfix2 or 3 I would like to store all E-mails in
the deferred queue till moment when Postfix2/3 will be again available ? M$
Exchange sending every minute ~10 000 E-mails.

How to configure it properly then ?

Using this parameter ?

*bounce_queue_lifetime*



*If outage will take longer, we need to store thousands of E-mails in the
deferred queue, is there any limit for number of messages stored in the
deferred queue ?*



*Thanks in advance for any hints*


*Cheers*

*Zalezny*


Re: recipient filtering and transport table - problem

2016-07-13 Thread Zalezny Niezalezny
I think I know where is my problem.
In the /etc/postfix/transport I have this configuration

mydomain.com  relay:relay.server.local
*   discard




To discard some specified E-mail address I used this settings:

smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/bad_recipients, permit_mynetworks,
reject_unauth_destination, permit


/etc/postfix/bad_recipients

supp...@mydomain.com REJECT




Now it's working fine. In transport table I can put only IP or Domain, but
it's not working with E-mail addresses.


I hope this is the right configuration and it will work properly. To filter
my e-mails I will use


check_recipient_access hash:/etc/postfix/bad_recipients



It's also working perfectly with multiple recipients in the To: field.




If my understanding is wrong please reply.



With kind regards

Zalezny





On Wed, Jul 13, 2016 at 3:36 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > If I will put this to my transport file:
> >
> > supp...@mydomain.com  discard
> > mydomain.com  relay:relay.server.local
> > *   discard
> >
> > It will not work.
>
> That is insufficient information.  Include "postconf -n" output,
> "postmap -s" output for the transport map, logging of what happens,
> and a description of what should happen instead.
>
> Wietse
>


Re: recipient filtering and transport table - problem

2016-07-13 Thread Zalezny Niezalezny
Hallo Wietse,

in my /etc/postfix/transport I have this

mydomain.com  relay:relay.server.local
*   discard


This configuration accept all E-mails addressed to @mydomain.com.


If I will put this to my transport file:

supp...@mydomain.com  discard
mydomain.com  relay:relay.server.local
*   discard

It will not work. How to do it properly ? Accept all To: *@mydomain.com
except supp...@mydomain.com


MfG

Zalezny

On Wed, Jul 13, 2016 at 1:06 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Dear Colleagues,
> >
> > in our test app environment we are using real e-mail addresses to test.
> > Each test application sending to our test relay server some e-mails. On
> > that machine we are filtering all incoming E-mails from our test
> > environment.
> >
> >
> > - we are accepting E-mails addressed to our internal domain (TO:
> > u...@mydomain.com)
> > - we are dropping all external e-mails (TO: @gmail, @hotmail etc.etc.)
> with
> > transport table (* error: )
> >
> >
> > Unfortunately pool of our internal domains, include also technical
> > accounts. How to properly discard all E-mails addressed for example TO:
> > supp...@mydomain.com ?
>
> Use a transport table that returns "discard:" for those recipients.
>
> Wietse
>


recipient filtering and transport table - problem

2016-07-13 Thread Zalezny Niezalezny
Dear Colleagues,

in our test app environment we are using real e-mail addresses to test.
Each test application sending to our test relay server some e-mails. On
that machine we are filtering all incoming E-mails from our test
environment.


- we are accepting E-mails addressed to our internal domain (TO:
u...@mydomain.com)
- we are dropping all external e-mails (TO: @gmail, @hotmail etc.etc.) with
transport table (* error: )


Unfortunately pool of our internal domains, include also technical
accounts. How to properly discard all E-mails addressed for example TO:
supp...@mydomain.com ?

In the transport table e-mail to mydomain.com will be routed to the next
hop. How to properly discard technical accounts ?


Accept TO: user1...@mydomain.com
DROP: TO: supp...@mydomain.com

Also how to do it correctly, if TO: field include multiple E-mails ?


Thanks in advance for any hints!

With kind regards

Zalezny


server / client configuration for Authenticated Relay server

2016-07-11 Thread Zalezny Niezalezny
Dear Colleagues,

I`m trying to configure authenticated relay server (SASL) using RHEL
Postfix 2.6.6.

System will transport E-mails only from authenticated clients.
1) Most of those clients are in the same subnet, does it make sense to
authenticate those clients with passwords ? Do we need to use sasl if host
is in the same subnet ?

2) How to understand, permit_mynetworks and permit_sasl_authenticated. If
host is mentioned in the mynetworks list, what will happen with it if we
will use that settings:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject

Postfix will also ask for user name and password ?



I`m struggling with that topic since days and I do not know how to manage that. SASL
documentation from Wietse I read already multiple times, but it is still not
working.
Can anyone send me client / server (main.cf) config which is working.

Maybe somebody here will be able to support me.



Here is my client configuration main.cf:
# SASL client configuration
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
#smtp_sasl_mechnism_filter = digest-md5
broken_sasl_auth_clients = yes

smtp_use_tls=yes
smtp_sasl_auth_enable = yes

# 


and here You have my server configuration:

#TLS Server configuration
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/mail.domain.tld.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.domain.tld.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
tls_random_source = dev:/dev/urandom
# SASL configuration - user authentication
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login

smtpd_client_restrictions = permit_mynetworks, reject
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject
smtpd_recipient_restrictions = permit_sasl_authenticated, reject


My sasl configuration is located in /etc/postfix/sasl/smtpd.conf.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


Thanks in advance for Your support


Zalezny
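
Added example (not part of the original post and not Postfix code): a small Python model of how smtpd walks the restriction lists in the server configuration above, covering question 2 about permit_mynetworks and permit_sasl_authenticated. It assumes Postfix 2.10 or later (where smtpd_relay_restrictions exists) and leaves out the DNS-based helo and sender checks; the mynetworks value, client addresses, user name and all function names are constructed for illustration.

```python
import ipaddress

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Order in which smtpd applies the restriction lists for each RCPT TO.
STAGES = ("client", "helo", "sender", "relay", "recipient")

# Constructed value: the post does not show its mynetworks setting.
MYNETWORKS = [ipaddress.ip_network("192.168.2.0/24")]


def permit_mynetworks(session):
    """PERMIT when the client address is inside mynetworks, else no opinion."""
    ip = ipaddress.ip_address(session["client_ip"])
    return PERMIT if any(ip in net for net in MYNETWORKS) else DUNNO


def permit_sasl_authenticated(session):
    """PERMIT only if the client chose to issue AUTH and it succeeded."""
    return PERMIT if session.get("sasl_user") else DUNNO


CHECKS = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject": lambda session: REJECT,
}

# Restriction lists from the posted server configuration.
POSTED = {
    "client": ["permit_mynetworks", "reject"],
    "relay": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
    "recipient": ["permit_sasl_authenticated", "reject"],
}

# Only the relay list that question 2 asks about.
RELAY_ONLY = {
    "relay": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
}

# Constructed sessions: a LAN host and an outside host, with and without AUTH.
LAN_ANON = {"client_ip": "192.168.2.15", "sasl_user": None}
LAN_AUTH = {"client_ip": "192.168.2.15", "sasl_user": "test"}
REMOTE_ANON = {"client_ip": "203.0.113.7", "sasl_user": None}
REMOTE_AUTH = {"client_ip": "203.0.113.7", "sasl_user": "test"}


def evaluate(config, session):
    """Return (verdict, stage, restriction) for one RCPT TO.

    Within a list the first PERMIT or REJECT wins. A REJECT is final for
    the recipient; a PERMIT only ends the current list, and the lists of
    the later stages are still evaluated.
    """
    for stage in STAGES:
        for name in config.get(stage, []):
            result = CHECKS[name](session)
            if result == REJECT:
                return (REJECT, stage, name)
            if result == PERMIT:
                break
    return (PERMIT, None, None)


def summary(config):
    """Verdict per constructed session, for side-by-side comparison."""
    sessions = {
        "lan, no auth": LAN_ANON,
        "lan, auth": LAN_AUTH,
        "remote, no auth": REMOTE_ANON,
        "remote, auth": REMOTE_AUTH,
    }
    return {label: evaluate(config, s) for label, s in sessions.items()}


if __name__ == "__main__":
    for title, config in (("relay list only", RELAY_ONLY), ("posted", POSTED)):
        print(title)
        for label, verdict in summary(config).items():
            print("  %-16s %s" % (label, verdict))
```

In this model the relay list alone lets a mynetworks host relay without a password and lets an outside host relay only after AUTH. The posted combination accepts only clients that are both inside mynetworks and authenticated, because the client and recipient lists each end in reject.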


Re: header_checks bypassing discard rules

2016-06-29 Thread Zalezny Niezalezny
Hi,


@Wietse, thank You for Your feedback.


Now it's working with transport map.

domain.com  relay:[smtp1.domain.local]
domain.com  relay:[smtp.domain.local]
*   error: Only one is allowed


With "error:" parameter Postfix filtering is working like a charm. :)

When I used "discard:" it's not working. Postfix simply sending all E-mails
out, but it should drop only those not listed before "* discard:".



@Noel, Wietse - ThanXX


Greetings

Zalezny




On Wed, Jun 29, 2016 at 3:01 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Hi Noel,
> >
> > I just tested Your solution, but it's not working with multiple RCPT TO:
> >
> > When I`m sending an E-mail using telnet command, an email with single RCPT
> > TO: zalezny.niezale...@gmail.com is working fine. It's blocked.
> > But when I will put second RCPT TO: u...@domain.com, then both E-mails are
> > sent, even that restricted by transport table.
>
> Then you made a mistake. Noel's suggestion does not depend on the
> number of RCPT TO addresses (his suggestion to use transport_map
> for "good" destinations, and to use default_transport to resolve
> other destinations to the error transport).
>
> > @Wietse , maybe You will be able to help me here ?
>
> I would follow Noel's suggestion.
>
> Wietse
>


Re: header_checks bypassing discard rules

2016-06-29 Thread Zalezny Niezalezny
Hi Noel,

I just tested Your solution, but it's not working with multiple RCPT TO:

When I`m sending an E-mail using telnet command, an email with single RCPT
TO: zalezny.niezale...@gmail.com is working fine. It's blocked.

But when I will put second RCPT TO: u...@domain.com, then both E-mails are
sent, even that restricted by transport table.



@Wietse , maybe You will be able to help me here ?



With kind regards

Zalezny



On Mon, Jun 27, 2016 at 5:29 PM, Zalezny <zalezny.niezale...@gmail.com>
wrote:

> Wow, thanks for that perfect tip.
>
>
>
>
> On June 27, 2016 5:15:52 PM GMT+02:00, Noel Jones <njo...@megan.vbhcs.org>
> wrote:
>>
>> On 6/27/2016 3:39 AM, Zalezny Niezalezny wrote:
>>
>>>  Hi,
>>>
>>>  using header_checks configuration we are dropping all outgoing
>>>  E-mails except some of them.
>>>
>>>
>>>  # discard all mails not going to cortalconsors.(de|fr)
>>>  if /^to:/
>>>  !/^to:?$/ DISCARD discarded
>>>  endif
>>>
>>>  Following rules dropping all outgoing e-mails with recipient domains
>>>  different than
>>>
>>>  extern.domain.com
>>>  domain.com
>>>
>>>  When You sending an E-mail to:
>>>
>>>  To:<zalezny.niezale...@gmail.com>
>>>
>>>
>>> Postfix dropping that E-mail.
>>>
>>>
>>>
>>>  But when You will send an e-mail to two recipients
>>>
>>>  To:<u...@extern.domain.com>,<zalezny.niezale...@gmail.com>
>>>
>>>  system will deliver both.
>>>
>>>
>>>
>>>
>>>  Why system not dropping E-mail addressed to
>>>  <zalezny.niezale...@gmail.com>
>>>  ? Its clear described in the rule, drop all except...
>>>
>>>
>>>  I will appreciate for any help.
>>>
>>>
>>>
>>>
>>>  With kind regards
>>>
>>>  zalezny
>>>
>>>
>>>
>>
>> The failure you're seeing when there are two addresses in the header
>> is because your expression only matches when there is a single
>> address.  But header_checks is the wrong tool for this job; the To:
>> header does not control where mail is delivered.
>>
>> A more robust solution is to limit where postfix can deliver mail.
>>
>> # main.cf
>> default_transport = error:remote delivery disabled
>> transport_maps = hash:/etc/postfix/transport
>>
>> # /etc/postfix/transport
>> domain.com  smtp:
>> extern.domain.com  smtp:
>>
>>
>>
>> http://www.postfix.org/transport.5.html
>>
>>
>>
>>   -- Noel Jones
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
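
Added example (not from the thread and not Postfix code): a Python sketch of the difference Noel describes, with a header rule that judges the whole message from its To: line next to a per-recipient lookup in his transport table with default_transport set to the error transport. It goes slightly beyond his two-line table by following the transport(5) key order (user@domain, domain, .parent domain, *) without address-extension handling; the header pattern is a constructed stand-in because the one in the original post did not survive archiving, and the addresses and function names are constructed too.

```python
import re

# Constructed stand-in for the header_checks rule: keep a message only if
# its To: header mentions an allowed domain, otherwise DISCARD it.
ALLOWED_TO = re.compile(
    r"^to:.*@(extern\.)?domain\.com(?=[>,\s]|$)", re.IGNORECASE)

# Noel's settings from the quoted reply.
DEFAULT_TRANSPORT = "error:remote delivery disabled"
TRANSPORT_FILE = """
# /etc/postfix/transport
domain.com  smtp:
extern.domain.com  smtp:
"""


def header_check(to_header):
    """One verdict for the WHOLE message, based on a header line only."""
    return "PASS" if ALLOWED_TO.search(to_header) else "DISCARD"


def parse_transport(text):
    """Parse 'pattern  transport:nexthop' lines into a lookup dict.

    Indexed tables such as hash: are searched by key, so the order of the
    lines in the file plays no role in the result.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        table[pattern.lower()] = result.strip()
    return table


def split_result(result, domain):
    """Split 'transport:nexthop'; an empty nexthop means the recipient domain."""
    transport, _, nexthop = result.partition(":")
    nexthop = nexthop.strip()
    if transport not in ("error", "discard") and not nexthop:
        nexthop = domain
    return transport, nexthop


def resolve(table, rcpt, default_transport=DEFAULT_TRANSPORT):
    """Resolve ONE envelope recipient to (transport, nexthop)."""
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[-1]
    labels = domain.split(".")
    keys = [rcpt, domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append("*")
    for key in keys:
        if key in table:
            return split_result(table[key], domain)
    return split_result(default_transport, domain)


def route(table, envelope_rcpts, default_transport=DEFAULT_TRANSPORT):
    """Each RCPT TO address gets its own decision, whatever To: says."""
    return {r: resolve(table, r, default_transport) for r in envelope_rcpts}


if __name__ == "__main__":
    table = parse_transport(TRANSPORT_FILE)
    header = "To: <user@extern.domain.com>, <outsider@mail.example>"
    print("header rule:", header_check(header))
    for rcpt, decision in route(
            table, ["user@extern.domain.com", "outsider@mail.example"]).items():
        print(rcpt, "->", decision)
```

The header rule passes the two-recipient message as a whole, so the outside address is delivered too, while the per-recipient lookup sends only that address to the error transport.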


header_checks bypassing discard rules

2016-06-27 Thread Zalezny Niezalezny
Hi,

using header_checks configuration we are dropping all outgoing E-mails
except some of them.


# discard all mails not going to cortalconsors.(de|fr)
if /^to:/
!/^to:?$/ DISCARD discarded
endif

Following rules dropping all outgoing e-mails with recipient domains
different than

extern.domain.com
domain.com

When You sending an E-mail to:

To:

Postfix dropping that E-mail.



But when You will send an e-mail to two recipients

To:,

system will deliver both.




Why system not dropping E-mail addressed to 
? Its clear described in the rule, drop all except...


I will appreciate for any help.




With kind regards

zalezny


check_sender_regexp - multiple relay IP`s

2016-06-06 Thread Zalezny Niezalezny
Hi,

I just would like to know if it's possible to configure multiple IP`s of SMTP
servers in this configuration file:

check_sender_access regexp:/etc/postfix/check_sender_regexp



At the moment we are forwarding message with following sender E-mail
address to one of our MS Exchange servers.


/zelezny.niezale...@domain.com/ FILTER smtp:[192.168.2.100]


How may I setup in this file some kind of "backup MX" server if
smtp:[192.168.2.100] will be down.
Is it possible to setup for example 3x IP`s ? If yes, how to do it ?

Single IP address of smtp relay in our high available environment is not
allowed. I cannot use local domain with MX records because dns lookup has
been disabled.

Maybe somebody will be able to support me here ?


Thanks in advance for any hints !




With kind regards

Zalezny


postfix password authorisation not working

2016-05-31 Thread Zalezny Niezalezny
Hi,

I just would like to know what I`m doing wrong.
I read postfix documentation several times and I configured SASL
authentication exactly as it was described. But even with this I do not see
in the telnet output lines similar to this

250-AUTH DIGEST-MD5 PLAIN CRAM-MD5


This is my telnet output:

ehlo localhost
250-ip-172-31-28-250.eu-central-1.compute.internal
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


This is my main.cf configuration:
# ###
#TLS
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
#smtpd_tls_CAfile = /etc/postfix/ssl/startssl-ca-bundle.pem
smtp_tls_CAfile = $smtpd_tls_CAfile
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
tls_random_source = dev:/dev/urandom

#SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
#smtp_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_type = cyrus
#smtpd_sasl_path = private/auth
#smtpd_tls_auth_only = yes
smtpd_relay_restrictions =
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
# ###


And this is master.cf

# ##
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
smtp  inet  n   -   n   -   -   smtpd
#smtp  inet  n   -   n   -   1   postscreen
#smtpd pass  -   -   n   -   -   smtpd
#dnsblog   unix  -   -   n   -   0   dnsblog
#tlsproxy  unix  -   -   n   -   0   tlsproxy
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   n   -   -   smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# #


How to enable TLS with SASL in Postfix properly ?



Thanks in advance for an any hints!


With kind regards

Zalezny


relay server - allow connections from DSL with dynamic IP

2016-05-29 Thread Zalezny Niezalezny
hi,

my local MTA using DSL with dynamic IP address so I need to forward my
messages to some external relay server with static IP.

Unfortunately I`m not able to setup, my dynamic IP on the relay server in
the network_table (or in the mynetworks). Base on the (ONLY) username and
password (SASL) I would like to permit any external host to relay any
messages. Is it possible ?

If my local MTA sending message to relay server, with
From: u...@domainexample.com

do I need to configure "domainexample.com" somewhere in the postfix ?

I have all the time problem with "access relay denied"...

Maybe somebody will be able to support me here.


With kind regards

Zalezny


Re: resolve local domain with MX records

2016-05-29 Thread Zalezny Niezalezny
Perfect! Thank You very much!

On Sun, May 29, 2016 at 9:15 AM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Hallo Wietse,
> >
> > yes I understand Your point.
> >
> > In my internal host, dns lookup is disabled. I simply would like to know
> > how may I specified some additional hosts in case of accidents one of
> them.
>
> IF you can't rely on DNS, list all gateway IP addresses in /etc/hosts.
>
> /etc/postfix/main.cf:
> relayhost = [gateway]
> smtp_host_lookup = native
>
> /etc/hosts:
> gateway 10.0.0.1
> gateway 10.0.0.2
> gateway 10.0.0.3
> gateway 10.0.0.4
>
> /etc/host.conf:
> multi on
>
> Wietse
>


Re: resolve local domain with MX records

2016-05-29 Thread Zalezny Niezalezny
I`m sorry, I sent my last email too fast.

example.com:[192.168.2.10, 192.168.2.11]

Will it be possible something like this ?


Thanks in advance for Your support.

Zalezny

On Sun, May 29, 2016 at 10:44 AM, Zalezny Niezalezny <
zalezny.niezale...@gmail.com> wrote:

> Hallo Wietse,
>
> yes I understand Your point.
>
> In my internal host, dns lookup is disabled. I simply would like to know
> how may I specified some additional hosts in case of accidents one of them.
> For example, in the transport table we have something like this:
>
>
>
>
> *example.com  :[gateway.example.com]*
>
> *Once dnslookup is disabled, E-mail will not be deliver to the gateway. At
> the moment gateway.example.com include MX record with 2 systems.*
>
> *mx1.example.com / mx2.example.com*
>
> *Is it possible somehow to specified in the transport table multiple hosts
> when dnslookup is off ?*
>
> *example.com*
>
>
> On Fri, May 27, 2016 at 7:29 PM, Wietse Venema <wie...@porcupine.org>
> wrote:
>
>> Please read my email again. Postfix does not use DNS to decide what
>> domains to ***receive*** email for; you must specify those domains
>> with mydestination, relay_domains, virtual_alias_domains or
>> virtual_mailbox_domains.
>>
>> Of course Postfix will use DNS to decide how to ***deliver*** mail.
>> Sending email without DNS would be problematic.
>>
>> Wietse
>>
>
>


Re: resolve local domain with MX records

2016-05-29 Thread Zalezny Niezalezny
Hallo Wietse,

yes I understand Your point.

In my internal host, dns lookup is disabled. I simply would like to know
how may I specified some additional hosts in case of accidents one of them.
For example, in the transport table we have something like this:




*example.com   :[gateway.example.com]*

*Once dnslookup is disabled, E-mail will not be deliver to the
gateway. At the moment gateway.example.com include MX record with 2 systems.*

*mx1.example.com / mx2.example.com*

*Is it possible somehow to specified in the transport table multiple
hosts when dnslookup is off ?*

*example.com*


On Fri, May 27, 2016 at 7:29 PM, Wietse Venema  wrote:

> Please read my email again. Postfix does not use DNS to decide what
> domains to ***receive*** email for; you must specify those domains
> with mydestination, relay_domains, virtual_alias_domains or
> virtual_mailbox_domains.
>
> Of course Postfix will use DNS to decide how to ***deliver*** mail.
> Sending email without DNS would be problematic.
>
> Wietse
>


Re: resolve local domain with MX records

2016-05-27 Thread Zalezny Niezalezny
Hallo Wietse,

thank You very much for Your support and Postfix!

I have one more question, maybe here You will be also able to help. You
said that "Postfix will not look in DNS...".
Our E-mail environment base on Postfix and Exchange and we are using local
domains to balance E-mail traffic between nodes.

If DNS look up is only intentional, then how to properly configured SMTP
relay ? In my environment E-mail is going thru several network zones to
different departments and in most cases everything is configured using
/etc/postfix/transport table.


domain.com   relay:mydomain.local


Internal domain with MX records is kind of loadbalancer (with high
availability) in that case. So how to properly route E-mails to different
domains where each department has 2-3 mail servers.
In the configuration files, should I specified "IPs" with comas etc.etc. ?


Thank You in advance for any hint.


Zalezny


On Fri, May 27, 2016 at 2:53 PM, Wietse Venema  wrote:

> By design, Postfix will not look in DNS to find out what domains
> it should receive mail for. This is intentional, so that Postfix
> behaves predictably when some network infrastructure is down.
>
> Postfix configuration requires that you configure ALL domains that
> Postfix receives mail for with mydestination, relay_domains,
> virtual_alias_domains or virtual_mailbox_domains.
>
> Wietse
>


resolve local domain with MX records

2016-05-27 Thread Zalezny Niezalezny
Hi Everyone,

in my Postfix I have configured something like this:


/etc/postfix/main.cf
# ###
smtpd_sender_restrictions =
check_sender_access regexp:/etc/postfix/check_sender_regexp
# ###

/etc/postfix/check_sender_regexp
# #
/.*@domain.com/ FILTER relay:mydomain.local
# ##


mydomain.local - its local domain in our internal environment which include
3 x MX records


How should I write the rule in /etc/postfix/check_sender_regexp, to force
Postfix to resolve MX records from "mydomain.local" and choose one of them
to deliver message ?


With current configuration all the time I getting following error:

Remote Server returned '< #5.3.0 X-Postfix; unable to look up host
mydomain.local: No address associated with hostname>'



How to properly configured ?



Thanks in advance for any hints.



Cheers

Zalezny


Re: Postfix relay - allow authenticated users from any ip

2016-05-27 Thread Zalezny Niezalezny
Thank You very much for Your explanation. That sounds more clear for me.
I will configure SASL Auth then.

Thanks a lot every one!

On Fri, May 27, 2016 at 2:14 PM, /dev/rob0 <r...@gmx.co.uk> wrote:

> On Fri, May 27, 2016 at 10:11:59AM +0200, Zalezny Niezalezny wrote:
> > What about user ? Do i need to create simply OS user (/etc/passwd)
> > and it will be enough ? Or some dedicated configuration file is
> > required ?
>
> If you take Victor's advice and use TLS certificate validation, no
> user is necessary.
>
> If you choose the SASL AUTH way, yes, you need some kind of user
> configured that your SASL backend[s] can authenticate.  A system
> user would be the easiest way to do this.
>
> For SASL, you'd need Cyrus SASL on the client side, and either of
> Cyrus or Dovecot on the server side.  I agree with Victor in that
> check_ccert_access sounds simple and easier in this case.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>


Re: Postfix relay - allow authenticated users from any ip

2016-05-27 Thread Zalezny Niezalezny
Hi Viktor,

thank You very much for Your hints.

What about user ? Do i need to create simply OS user (/etc/passwd) and it
will be enough ? Or some dedicated configuration file is required ?


Thanks in advance

Zalezny

On Fri, May 27, 2016 at 12:07 AM, Viktor Dukhovni <
postfix-us...@dukhovni.org> wrote:

> On Thu, May 26, 2016 at 11:40:22PM +0200, Zalezny Niezalezny wrote:
>
> > 1. How to configure relay server which will relay all E-mails from
> > authenticated users from any IP.
>
> main.cf:
> indexed = ${default_database_type}:${config_directory}/
> smtpd_tls_fingerprint_digest = sha256
> smtpd_tls_auth_only = yes
> # Note Postfix >= 2.10
> mua_relay_restrictions =
> permit_sasl_authenticated,
> check_ccert_access ${indexed}relay-ccerts,
> reject
>
> master.cf:
> submission inet ... smtpd
>   -o smtpd_relay_restrictions=$mua_relay_restrictions
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_ask_ccert=yes
>   ...
>
> relay-ccerts:
> #   OK
>
> e3:b0:c4:42:98:fc:1c:14:9a:fb:f4:c8:99:6f:b9:24:27:ae:41:e4:64:9b:93:4c:a4:95:99:1b:78:52:b8:55
> OK
> ...
>
> Or configure SASL, but frankly client certs are much easier on the
> server side, and simple enough on the client side, at least with
> Postfix as the client.
>
> --
> Viktor.
>


Postfix relay - allow authenticated users from any ip

2016-05-26 Thread Zalezny Niezalezny
Dear Colleague,

I have small server at home (with dynamic IP) with Postfix as MTA.

Because I`m using dynamic IP address, I decided to create simple relay
server with static IP on amazon aws cloud. Here comes my question:

1. How to configure relay server which will relay all E-mails from
authenticated users from any IP.
My home server external IP is changing very often, so relay server needs to
relay messages from all IPs. I would really appreciate any example
configuration for a MTA and for a relay server.


I simply would like to setup one username/password for all my e-mail
accounts and based on that relay messages to the internet.


Thank You in advance for any hints and support.



With kind regards

Zalezny


Re: filtering domains and e-mails - how ?

2016-02-15 Thread Zalezny Niezalezny
Its working for me. Thank You very much!




On Mon, Feb 15, 2016 at 2:46 PM, Matthew McGehrin <drinking.cof...@gmail.com> wrote:

> Hello.
>
> See: http://www.postfix.org/transport.5.html
>
> Per the table search order,  user accounts need to be listed first, before
> the domain
>
> IE:
>
> us...@domain.com relay:[smtp1.server.com]
> domain.com relay:[smtp.server.com]
>
>
> See: Postfix users <postfix-users@postfix.org>
>
> Zalezny Niezalezny wrote:
>
>> Hi All, by default in my Postfix configuration I`m routing all E-mails
>> for the domain:
>> *@domain.com to some external SMTP server. I
>> configure it in the /etc/postfix/transport
>> domain.com relay:[smtp.server.com]
>> Now comes my question, how may I redirect following E-mail
>> us...@domain.com
>> to some other server   smtp1.server.com.
>>
>> I simply would like to redirect all E-mails with domain @domain.com
>> to smtp.server.com and one e-mail us...@domain.com to some specified
>> server smtp1.server.com.
>>
>> How to do it properly ?
>>
>> Thanks in advance for any hints.
>>
>>
>> Zalezny
>>
>>
>>
>>
>>


filtering domains and e-mails - how ?

2016-02-14 Thread Zalezny Niezalezny
Hi All,

by default in my Postfix configuration I`m routing all E-mails for the
domain:

*@domain.com

 to some external SMTP server. I configure it in the


/etc/postfix/transport

domain.com relay:[smtp.server.com]



Now comes my question, how may I redirect following E-mail


us...@domain.com

to some other server   smtp1.server.com.


I simply would like to redirect all E-mails with domain @domain.com to
smtp.server.com and one e-mail us...@domain.com to some specified server
smtp1.server.com.


How to do it properly ?



Thanks in advance for any hints.


Zalezny


sasl authentication - how to hash password maps

2015-12-16 Thread Zalezny Niezalezny
Dear Colleagues,

I`m trying to establish TLS connection between our postfix MTA and Postfix
relay server protected by password.

At the moment my password map file looks like this. Plain text with domain,
username and password.

[root@server01 postfix]# cat sasl_passwd
relay01.local test:testXX


Is it possible to hash that password somehow ? This password shouldn't be
visible for the user.
If yes, how to do it then ?



Thanks in advance for any hints.



Zalezny


Re: postfix and multiple TLS certificates

2015-12-11 Thread Zalezny Niezalezny
Hi,

thanks for Your feedback. I just solved my issue.

I will simply generate normal key and csr with openssl command. My local
certify authority will provide me certificate which will be signed with the
list of specified by me domains. Then we can have single certificate which
will be able to encrypt traffic for all specified domains.


This is solution for my internal relay system but I believe it should also
works with external domains.



Thanks for Your support..

Cheers

Zalezny

On Fri, Dec 11, 2015 at 2:24 PM, Tobias Reckhard <
tobias.reckh...@secunet.com> wrote:

> On 11.12.2015 09:11, Zalezny Niezalezny wrote:
> > is it possible to configure in Postfix multiple TLS certificates.
>
> AFAIK, you can configure each smtp and smtpd instance with a certificate
> of its own, so you could, for instance, have several smtpds listening on
> different IP addresses, each with an individual certificate. You could
> also specify different smtp transports services and have them use
> different certificates or CAs. But one smtpd and one smtp can be
> equipped with only one certificate.
>
> > For example, on my LAN relay server I must configure TLS for the unix
> > domains and for windows domains. Both domains use different names. How
> > to manage that part ?
>
> You're talking about receiving mail from the Internet, right? Typically,
> you'll have shared MX records for both domains. Your relay servers'
> certificates would typically reflect their host names, which doesn't
> necessarily need to have any similarities with the domains it's
> receiving mail for. You typically use the same name as the one in
> $myhostname as the CN of a server's certificate.
>
> > How to generate certificates than ? Is it possible to map some how TLS
> > certificates for the different domains ?
>
> Supposing that you have different MX records for your two domains, then
> I suppose that you might be able to generate or request certificates
> with corresponding SubjectAlternativeNames. I'm not sure whether those
> are widely supported in Internet MTAs, though.
>
> Cheers,
> Tobias
>


postfix and multiple TLS certificates

2015-12-11 Thread Zalezny Niezalezny
Hi,

is it possible to configure in Postfix multiple TLS certificates.
For example, on my LAN relay server I must configure TLS for the unix
domains and for windows domains. Both domains use different names. How to
manage that part ?

How to generate certificates than ? Is it possible to map some how TLS
certificates for the different domains ?


Thanks in advance for Your support.


Zalezny


relay not working - dns problem ?

2015-12-08 Thread Zalezny Niezalezny
Dear Colleagues,

for some reason my relay server is not able to relay messages to the next
hop. Maybe somebody would be able to support me here.

In the Postfix Log I found this:

Dec  8 13:47:15 ismtp01 mail.info: "postfix-outgoing-25"/smtp[5982]:
51808B1C: to=, relay=none, delay=0.03,
delays=0.01/0.01/0.01/0, dsn=4.4.3, status=deferred (Host or domain name
not found. Name service error for name=domain.fr type=MX: Host not found,
try again)



What I`m planning to do ?

I would like to transfer message from our MS Exchange server to the
external SMTP gateway:
It looks like this:


msexch(LAN) --- > Relay01(LAN) ---> Relay02(LAN) ---> Gateway(DMZ) >
customer(domain.fr)

In this scenario only GatewayDMZ is able to resolve MX records from the
internet.
If only GatewayDMZ is able to resolve MX records why I see that error on
the first relay server - Relay01 ?

On Relay01 I have configured /etc/postfix/transport file like this:

domain.fr relay:Relay02

Why in that case I see that error ?



I will really appreciate for any advice.



Cheers

Zalezny


Re: Domain MX record vs SMTP Loadbalancer

2015-11-27 Thread Zalezny Niezalezny
Hi,

thank You for Your feedback.

Does this solution is also described by RFC ?
I reviewed RFC but I see that SMTP loadbalancing should be done using DNS
with proper setup MX records.

With kind regards

Zalezny


On Fri, Nov 27, 2015 at 2:10 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Hi,
> >
> > I have a question regarding Domain MX record and physical SMTP
> > Loadbalancer.
> >
> > In my infrastructure we have several Postfix machines with local
> > mailboxes. Each system sending messages to relay servers using internal
> > relay domains with MX records. My team colleague told me that we will
> > not use anymore local relay domains with MX records but Virtual host
> > (with preconfigured relay systems behind) and F5 loadbalancer to
> > transfer message from Postfix servers to the relay hosts.
> >
> > I would like to know Your opinion about it ? I know that MX record has
> > been designed to avoid problems like E-mail loop etc.etc. Till now its
> > working perfect for me.
> >
> > Does loadbalancer will not affect smtp communication ?
>
> The load balancer MUST provide Postfix with the remote SMTP client
> IP address. Postfix has support for doing that with:
>
> - HAproxy protocol (uses the Postfix smtpd_upstream_proxy_protocol
>   and smtpd_upstream_proxy_timeout features).
>
> - nginx (uses the XCLIENT protocol).
>
> If your load balancer does not support one of the above protocols
> then Postfix will not work properly, because all SMTP connections
> will have the IP address of the load balancer instead of the real
> client.
>
> To prevent mailer loops, configure:
>
> /etc/postfix/main.cf:
> proxy_interfaces = the loadbalancer external IP address(es)
>
> With these things taken care of, load balancers should work.
>
> Wietse
>


Re: Domain MX record vs SMTP Loadbalancer

2015-11-27 Thread Zalezny Niezalezny
Thank You once again for Your support !

We can close that topic, I got all the information.

I really appreciate this mailing list and the people who provide support on
it ! :)




On Fri, Nov 27, 2015 at 3:48 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > Hi,
> >
> > thank You for Your feedback.
> >
> > Does this solution is also described by RFC ?
>
> Load balancers are not described in the SMTP RFC. Nor does the RFC
> say how an MTA must be implemented. The RFC gives requirements for
> how different SMTP implementations can communicate with each other.
>
> What I described are requirements so that an MTA can provide SMTP
> service behind a load balancer:
>
> - The server must know the remote SMTP client address so that it
>   can maintain an audit trail of service requests, and so that
>   it can make decisions about what service it will provide.
>
> - The server must know the external SMTP server IP address, so that
>   it can correctly implement MX preferences without looping.
>
> > I reviewed RFC but I see that SMTP loadbalancing should be done
> > using DNS with proper setup MX records.
>
> The RFC does not *require* that SMTP receivers have MX records, but
> it requires that SMTP senders do MX lookups before doing A lookups.
> You can do SMTP with just A records, for example:
>
> example.com IN A 192.168.1.1
> example.com IN A 192.168.1.2
>
> "should" work as well as:
>
> example.com IN MX 10 mail.example.com
> mail.example.com IN A 192.168.1.1
> mail.example.com IN A 192.168.1.2
>
>     Wietse
>
> > With kind regards
> >
> > Zalezny
> >
> >
> > On Fri, Nov 27, 2015 at 2:10 PM, Wietse Venema <wie...@porcupine.org> wrote:
> >
> > > Zalezny Niezalezny:
> > > > Hi,
> > > >
> > > > I have a question regarding Domain MX record and physical SMTP
> > > > Loadbalancer.
> > > >
> > > > In my infrastructure we have several Postfix machines with local
> > > > mailboxes. Each system sending messages to relay servers using
> > > > internal relay domains with MX records. My team colleague told me
> > > > that we will not use anymore local relay domains with MX records but
> > > > Virtual host (with preconfigured relay systems behind) and F5
> > > > loadbalancer to transfer message from Postfix servers to the relay
> > > > hosts.
> > > >
> > > > I would like to know Your opinion about it ? I know that MX record
> > > > has been designed to avoid problems like E-mail loop etc.etc. Till
> > > > now its working perfect for me.
> > > >
> > > > Does loadbalancer will not affect smtp communication ?
> > >
> > > The load balancer MUST provide Postfix with the remote SMTP client
> > > IP address. Postfix has support for doing that with:
> > >
> > > - HAproxy protocol (uses the Postfix smtpd_upstream_proxy_protocol
> > >   and smtpd_upstream_proxy_timeout features).
> > >
> > > - nginx (uses the XCLIENT protocol).
> > >
> > > If your load balancer does not support one of the above protocols
> > > then Postfix will not work properly, because all SMTP connections
> > > will have the IP address of the load balancer instead of the real
> > > client.
> > >
> > > To prevent mailer loops, configure:
> > >
> > > /etc/postfix/main.cf:
> > > proxy_interfaces = the loadbalancer external IP address(es)
> > >
> > > With these things taken care of, load balancers should work.
> > >
> > > Wietse
> > >
>
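
The HAproxy protocol mentioned in the reply above carries the real client address as one text line sent ahead of the SMTP dialogue. The parser below is an added example, not Postfix code and not part of the original thread; it handles the version 1 text header only, and the addresses, the `LOAD_BALANCERS` set and the function names are constructed for illustration.

```python
"""Recover the remote SMTP client address from a PROXY protocol v1 header."""
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line the protocol allows, CRLF included


class ProxyHeaderError(ValueError):
    """The connection did not start with an acceptable PROXY v1 header."""


def parse_proxy_v1(line: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for 'PROXY UNKNOWN'."""
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ProxyHeaderError("header too long or not CRLF-terminated")
    try:
        fields = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None  # e.g. a health check: no client address is conveyed
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("bad protocol family or field count")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("port is not a decimal number")
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError as exc:
        raise ProxyHeaderError("bad address") from exc
    version = 4 if fields[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return str(src), sport, str(dst), dport


def audit_client(peer_ip: str, first_line: bytes, load_balancers) -> str:
    """Address to log and to apply access rules to for this connection.

    Models a listener that is dedicated to the load balancer: a header from
    any other peer is refused, because that peer could claim any address.
    """
    if peer_ip not in load_balancers:
        raise ProxyHeaderError("PROXY listener reached by a non-balancer peer")
    parsed = parse_proxy_v1(first_line)
    return peer_ip if parsed is None else parsed[0]


if __name__ == "__main__":
    LOAD_BALANCERS = {"10.0.0.5"}  # constructed sample value
    header = b"PROXY TCP4 192.0.2.10 10.0.0.5 56324 25\r\n"  # constructed sample
    print("TCP peer seen by the server:", "10.0.0.5")
    print("client for the audit trail :", audit_client("10.0.0.5", header, LOAD_BALANCERS))
```

Without the header, every log line and every access decision on the server would be made against 10.0.0.5, the balancer itself.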


Domain MX record vs SMTP Loadbalancer

2015-11-27 Thread Zalezny Niezalezny
Hi,

I have a question regarding the domain MX record and a physical SMTP load
balancer.

In my infrastructure we have several Postfix machines with local mailboxes.
Each system sends messages to relay servers using internal relay domains
with MX records. My team colleague told me that we will no longer use
local relay domains with MX records but a virtual host (with preconfigured
relay systems behind it) and an F5 load balancer to transfer messages from
the Postfix servers to the relay hosts.

I would like to know Your opinion about it. I know that the MX record has
been designed to avoid problems like E-mail loops etc.etc. Till now it has
been working perfectly for me.

Will the load balancer not affect SMTP communication ?
Does it really work the same as DNS MX records ?
Will Postfix be able to work properly with a virtual host and a
load balancer ?



Thanks in advance for any opinion.


With kind regards

Zalezny


Re: Planning disk size/deffered queue for relay system base on Postfix

2015-11-27 Thread Zalezny Niezalezny
Hi,

thank You very much for Your support.


Cheers

Zalezny

On Wed, Nov 25, 2015 at 12:22 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Zalezny Niezalezny:
> > 1) What will happen with the E-mails if RELAY02 is not available for a
> > few hours ? In my understanding Postfix will put all E-mails into the
> > deferred queue and it will store messages there until RELAY02 is
> > available again.
> > Is this correct ?
>
> This is required by the SMTP protocol, see RFC 5321.
>
> > 2) If the outage takes a few hours (up to one day).
> > How much disk space do I need to prepare for all messages ? Is there any
> > parameter in Postfix which limits the number of messages in the deferred
> > queue ? What kind of message will be sent to the client if the deferred
> > queue is full ?
>
> Perhaps a surprise: Postfix stops accepting mail when the queue is
> full (queue_minfree parameter).  As required by the SMTP protocol,
> the up-stream SMTP client retries deliveries until Postfix accepts
> mail again.
>
> > How to properly plan disk space and queues for high loaded systems.
>
> With multiplication and addition.
>
> Wietse
>


Planning disk size/deffered queue for relay system base on Postfix

2015-11-25 Thread Zalezny Niezalezny
Hi,

in my current infrastructure we have several relay systems which are
responsible for transferring messages through different subnets to the
internet.

At the moment our system sends approximately ~30 000 E-mails per day, each
E-mail is transferred through a few mail relay systems.

Here You have an example:

MTA CLIENT --- sent ---> RELAY01 --- sent ---> RELAY02 --- sent ---> SMTP
GATEWAY ---> INTERNET


My first question:

1) What will happen with the E-mails if RELAY02 is not available for a
few hours ? In my understanding Postfix will put all E-mails into the
deferred queue and it will store messages there until RELAY02 is
available again.
Is this correct ?


2) If the outage takes a few hours (up to one day).
How much disk space do I need to prepare for all messages ? Is there any
parameter in Postfix which limits the number of messages in the deferred
queue ? What kind of message will be sent to the client if the deferred
queue is full ?

How to properly plan disk space and queues for highly loaded systems ?




Thanks in advance for all comments.


With kind regards

Zalezny


Re: receiving message - checking mx record by postfix

2015-11-10 Thread Zalezny Niezalezny
Thank You for all previous answers.


We have two systems which are dedicated only to sending E-mails, mostly for
mass mailing. These two machines will not receive any E-mails. Do we really
need to configure MX records for those systems if they are not receiving any
E-mails ? From my point of view checking the MX record of the client which
is sending the message is ... strange... if not stupid... In the SPF record
we can have a lot of systems which are not necessarily configured in the MX
record. Does it really make sense ?



On Tue, Nov 10, 2015 at 6:32 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Tue, Nov 10, 2015 at 01:29:43PM +0100, Zalezny Niezalezny wrote:
>
> > I would like to understand how Postfix receiving message. I expect that
> > Postfix has been written base on the RFC rules so maybe somebody will be
> > able to explain me how its working inside - how this system receiving
> > message and what is going on in the background.
>
> You need to ask a more concrete question.  It is unlikely that
> anyone will post a comprehensive architecture overview of Postfix,
> or a detailed walk-through of the multiple relevant email RFCs.
>
> You can read the Postfix book by Patrick Koetter and Ralf Hildebrandt,
> and the multiple documents at: <http://www.postfix.org/documentation.html>.
>
> http://www.postfix.org/OVERVIEW.html
> http://www.postfix.org/SMTPD_ACCESS_README.html
> http://www.postfix.org/postfix-manuals.html
> http://www.postfix.org/smtpd.8.html
>
> > Our consultant hardly trying to tell us that server during receiving
> > phase checking MX record of the domain from which coming the E-mail.
> > Does it really working this way ? I always thought that Postfix checking
> > first DNS A record (reverse dns), then SPF etc.etc.
>
> If you're having a problem receiving mail, post the relevant logs and
> information about your configuration as described in:
>
> http://www.postfix.org/DEBUG_README.html#mail
>
> and explained in the Welcome message you received when you joined
> the list.
>
> > Does system check mx record when its receiving message or not?
>
> Only if you configure Postfix to do that, directly or indirectly.
>
> > Do You know where may I find RFC which fully describing this SMTP
> > process?
>
> There is no single RFC that describes everything SMTP servers do
> behind the scenes when receiving messages, even the entire collection
> of email-related RFCs is properly silent on many implementation-specific
> and local policy issues.
>
> http://www.faqs.org/rfcs/np.html#SMTP
> http://www.faqs.org/rfcs/np.html#Other
>
> --
> Viktor.
>


Re: receiving message - checking mx record by postfix

2015-11-10 Thread Zalezny Niezalezny
Hi Viktor,

thank You for Your explanation. I was looking for some opinions from external
people. I understand how a mail system works. The problem for me and my
team is our consultant, who completely does not understand how a mail system
works and is trying to push some strange configurations onto our mail
system. With Your E-mail it will be much easier for me to push some
other topics too.

@All, thank You very much for Your efficient (and super fast!) support.

For me topic is closed.

Short summary:

Incoming messages:
a) DNS A, PTR, MX

Outgoing messages:
a) DNS A, PTR, SPF


Once again thanks for Your support.


On Tue, Nov 10, 2015 at 9:49 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Tue, Nov 10, 2015 at 09:29:19PM +0100, Zalezny Niezalezny wrote:
>
> > We have two systems which are dedicated only to send E-mails.  Mostly for
> > massmailing.  These two machines will not receive any E-mails.
>
> Don't confuse "systems" (SMTP servers) with email domains (the
> domain part of an rfc822 email address).  Your *systems* do not
> need MX records.  They just need FQDN hostnames, and their IP
> addresses need a PTR record that provides each system's hostname.
>
> Nor do the MX records of the envelope sender domain of the message
> being sent need to point at the sending systems.  It is not unusual
> to have separate systems sending and receiving mail.
>
> > Do we really need to configure MX records for that systems if they are
> > not receiving any E-mails?
>
> No MX records are required for your *systems* (SMTP servers).
>
> > From my point of view checking MX record from the client which
> > sending message is ... strange... if not stupid... In the SPF record we
> > can have a lot of systems which are not necessarily configured in the MX
> > record.
>
> If you have SPF records for the envelope sender domain, then the
> sending IP addresses should be listed there.  In any case the
> envelope sender domain needs to resolve to a set of valid public
> addresses or a set of MX hosts with valid public addresses.
>
> --
> Viktor.
>


receiving message - checking mx record by postfix

2015-11-10 Thread Zalezny Niezalezny
Dear Colleagues,

I would like to understand how Postfix receives a message. I expect that
Postfix has been written based on the RFC rules, so maybe somebody will be
able to explain to me how it works inside - how this system receives a
message and what is going on in the background.

Our consultant is trying hard to tell us that the server, during the
receiving phase, checks the MX record of the domain from which the E-mail is
coming. Does it really work this way ? I always thought that Postfix first
checks the DNS A record (reverse dns), then SPF etc.etc.

I always thought that the MX record provides clear information about the
servers to which a client needs to send a message. But right now I`m
completely out of space...


Does the system check the MX record when it is receiving a message or not ?


Do You know where I may find the RFC which fully describes this SMTP process ?



With kind regards

Zalezny


Re: receiving message - checking mx record by postfix

2015-11-10 Thread Zalezny Niezalezny
Hi,

thanks for Your fast feedback. I have found the same document, but to be
honest I didn't find information there about what is happening on the server
side. Maybe somebody could explain that part in detail ?

thanks in advance

Zalezny

On Tue, Nov 10, 2015 at 1:36 PM, L.P.H. van Belle <be...@bazuin.nl> wrote:

> Read :  http://www.sorbs.net/faq/rfc_helo_enforcement.shtml
>
> It contains also the links to the RFC’s
>
> Greetz,
>
> Louis
>
> --
>
> *From:* zalezny.niezale...@gmail.com [mailto:
> owner-postfix-us...@postfix.org] *On behalf of* Zalezny Niezalezny
> *Sent:* Tuesday 10 November 2015 13:30
> *To:* Postfix users
> *Subject:* receiving message - checking mx record by postfix
>
> Dear Colleagues,
>
> I would like to understand how Postfix receiving message. I expect that
> Postfix has been written base on the RFC rules so maybe somebody will be
> able to explain me how its working inside - how this system receiving
> message and what is going on in the background.
>
> Our consultant hardly trying to tell us that server during receiving phase
> checking MX record of the domain from which coming the E-mail. Does it
> really working this way ? I always thought that Postfix checking first DNS
> A record (reverse dns), then SPF etc.etc.
>
> I always thought that MX record is provide clear information about the
> servers to which client needs to send a message. But right now I`m
> completly out of space...
>
> Does system check mx record when its receiving message or not ?
>
> Do You know where may I find RFC which fully describing this SMTP process ?
>
> With kind regards
>
> Zalezny
>


Multiple SMTP gateways in one MX record

2015-09-29 Thread Zalezny Niezalezny
Dear Colleagues,

one of my team colleagues decided to configure multiple SMTP gateways for a
single domain.

domain.com

MX
10 gate1-1.com
10 gate1-2.com
30 gate2-1.com
30 gate2-2.com
60 gate3-1.com
60 gate3-2.com

Each SMTP gate belongs to a separate domain and is managed by a separate team.

domain.com - gate1
domain2.com - gate2
domain3.com - gate3

If the SMTP server on one domain is not available, then the client will use
another one.


I`m sceptical about this because my team has access only to gate1 and in
case of problems (a possible bounce) it will be hard to analyse the problem.
Does it make sense ?

How to analyze possible Postfix mail bounces in such a constellation ?


p.s. I know that is not fully Postfix related question, but maybe somebody
will be able to put some hint/opinion about it. Thanks in advance.


Cheers

Zalezny
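
How a sending or relaying MTA walks an MX list like the one in this post, and how that connects to Wietse Venema's remarks in the load balancer thread above (MX lookup before A lookup, and knowing your external address so MX preferences do not loop), shown as an added example that is not from the thread and not Postfix code. It goes slightly beyond the post by including the classic loop-avoidance rule (drop every MX ranked equal to or worse than yourself); all IP addresses are constructed, and the idea that one relay sits behind a balancer address is an assumption.

```python
"""Order in which an MTA tries the MX hosts of a domain, with loop avoidance."""
import random
from itertools import groupby


class MailLoopError(RuntimeError):
    """Every remaining MX host is this server or ranks no better than it."""


def next_hops(domain, mx_records, addresses, own_addrs=frozenset(), rng=None):
    """Return MX host names in the order they should be tried.

    mx_records: list of (preference, host); addresses: host -> list of IPs
    (what A/AAAA lookups would return); own_addrs: every address that is
    "this server", including load balancer addresses in front of it.
    """
    rng = rng or random.Random()
    if not mx_records:
        # No MX records: fall back to the domain's own address records.
        return [domain]
    own = set(own_addrs)
    mine = [pref for pref, host in mx_records if own & set(addresses.get(host, ()))]
    records = list(mx_records)
    if mine:
        # We are listed ourselves: only strictly better hosts may be tried,
        # otherwise mail could bounce between equal or worse relays forever.
        records = [(p, h) for p, h in records if p < min(mine)]
        if not records:
            raise MailLoopError(f"mail for {domain} loops back to myself")
    order = []
    for _, group in groupby(sorted(records), key=lambda r: r[0]):
        hosts = [h for _, h in group]
        rng.shuffle(hosts)  # equal preference: spread the load randomly
        order.extend(hosts)
    return order


# MX list from the post; the addresses are constructed sample values.
MX = [(10, "gate1-1.com"), (10, "gate1-2.com"), (30, "gate2-1.com"),
      (30, "gate2-2.com"), (60, "gate3-1.com"), (60, "gate3-2.com")]
ADDRS = {"gate1-1.com": ["192.0.2.11"], "gate1-2.com": ["192.0.2.12"],
         "gate2-1.com": ["198.51.100.21"], "gate2-2.com": ["198.51.100.22"],
         "gate3-1.com": ["203.0.113.31"], "gate3-2.com": ["203.0.113.32"]}

if __name__ == "__main__":
    # A relay whose real interface is 10.0.0.21, published as gate2-1.com
    # through a balancer at 198.51.100.21 (assumed layout).
    print("balancer address unknown:", next_hops("domain.com", MX, ADDRS, {"10.0.0.21"}))
    print("balancer address known  :",
          next_hops("domain.com", MX, ADDRS, {"10.0.0.21", "198.51.100.21"}))
```

In the first call the relay does not recognise gate2-1.com as itself and keeps it, and everything ranked below it, as a candidate; that is the loop `proxy_interfaces` exists to prevent.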


E-mail encoding problem

2015-08-03 Thread Zalezny Niezalezny
Dear Colleagues,

I`m trying to understand how E-mail encoding works, maybe somebody
will be able to explain to me how it works with Postfix and some E-mail
client like Thunderbird for example.

When I`m sending an E-mail from the server command line (telnet localhost 25)
my E-mail has the following header. If I understand correctly, charset=us-ascii
comes from the system local settings.
On the server I have installed us_US settings. Is that right ?

My local setting for the encoding is: LANG=en_US.utf8

# ##

Subject: test message
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

# ##


My server is also used by some other application servers as a relay
machine to resend messages. One of the applications sends E-mails
using german encoding.

Now comes my question. My Postfix is running in an environment with
LANG=en_US.utf8. So if I understand correctly, each E-mail which is
sent by my Postfix server will have its encoding changed from german to
english ? I mean from de_DE.utf8 to en_US.utf8. Is that right ?


Where should the encoding be set up ? On the server or on the client side ?


Thanks in advance for any hints !


With kind regards


Zalezny


check if user received messages

2015-06-05 Thread Zalezny Niezalezny
Dear Colleagues,

is it possible to check in the Postfix logs if a user deleted/received a
message ?

Or to check if a message was dropped by the server ?


Thanks in advance

Zalezny


Duplicate E-mails with different ID and timestamp

2015-06-05 Thread Zalezny Niezalezny
Hello Colleagues,

on one of our SMTP servers we are receiving a lot of duplicate messages
with different time stamps and IDs. The same message (with the same content)
is received at : 11:20, 13:50, 16:30.

What could be the reason for it ? Could it be a problem with the Postfix
server on our client's side ? For example, our client's Postfix server wasn't
able to send the message the first time but for some reason our server
received the message. And then after two hours it tried to send the same
message again... and again.


What could be the reason for duplicate messages received at different time
stamps ?


Thanks in advance for any hints!

Zalezny


spamhaus - reasons of ban IP

2015-06-01 Thread Zalezny Niezalezny
Hi All,


I would like to ask You what could be the reason for a ban in Spamhaus.
This morning we got a message from our client that our system is not
able to send E-mails.
Indeed, the system IP has been put on the black list.

I have reviewed all logs and didn't find any good reason. The system with
Postfix which we are using to distribute E-mails to our clients has for some
reason been blocked. This is a mass mailer system. Till now, we haven't had
any problems with it, we have simply sent 100k E-mails and everything was
fine. Till today.


From Spamhaus we have got feedback that it could be: virus, malware, spam
content etc.etc. but nothing was described in detail, what exactly the
reason is.

In the Postfix log I have found a lot of 550 Errors.

550 Uknown user local...

In this case I suspect that the system bounced a lot of messages. Is this the
reason ?


Also in the header of the message, I found an E-mail address which does not
exist.
Some kind of reply E-mail, which simply does not exist. Maybe this is the
reason ?


It would be great if somebody could support me here. Or maybe somebody will be
so kind and tell me how to trace this kind of problem. Seriously, I don't
know how to find the reason for the ban.

Maybe Postfix will have some kind of debugging mode etc.etc.



Thank You in advance for Your support!



Zalezny


Re: spamhaus - reasons of ban IP

2015-06-01 Thread Zalezny Niezalezny
Paul, thank You very much for Your support.

@Michael J Wise, that was a question partly about Postfix. Please read all
posts more carefully...



> Maybe Postfix will have some kind of debugging mode etc.etc.



Anyhow, thanks for Your support!


On Mon, Jun 1, 2015 at 9:55 PM, Michael J Wise <mjw...@kapu.net> wrote:

> > Hi All,
>
> This is *NOT* the list for questions about spamfighting in general, and
> certainly not about Spamhaus in particular.
>
> They have a site:
>
> http://www.spamhaus.org/
>
> > I would like to ask You what could be a reason of ban in Spamhaus.
> > Today morning we have got message from our client that our system is not
> > able to send E-mails.
> > In did, system IP has been putted to black list.
> >
> > I have reviewed all logs and didnt found any good reason. System with
> > Postfix which we are using to distribute an E-mails to our clients for
> > some reason has been blocked. This is massmailer system. Till now, we
> > havent got any problems with, we have simply send 100k E-mails and
> > everything was fine. TIll today.
> >
> >
> > From Spamhause we have got feedback that it could be: virus, malware,
> > spam content etc.etc. but nothing was described in detail, what is
> > exacly the reason.
> >
> > In the Postfix log I have found a lot of 550 Errors.
> >
> > 550 Uknown user local...
> >
> > In this case I suspect that system bounced a lot of messages. Is this a
> > reason ?
> >
> >
> > Also in the header of the message, I found an E-mail address which is not
> > exist.
> > Some kind of reply E-mail, which simply not existing. Maybe this is the
> > reason ?
> >
> >
> > Would be great if somebody could support me here. Or maybe somebody will
> > be so kind and tell me how to trace this kind of problems. Seriously I
> > dont know how to find a reason of ban.
> >
> > Maybe Postfix will have some kind of debugging mode etc.etc.
> >
> >
> >
> > Thank You in advance for Your support!
> >
> >
> >
> > Zalezny
> >
>
>
> Aloha mai Nai`a.
> --
>  So this is how Liberty dies ...  http://kapu.net/~mjwise/
>  To Thunderous Applause.




Re: Postfix migration from 2.0 to 2.6.6

2015-02-20 Thread Zalezny Niezalezny
Greetz to all and thanks for Your efficient support!

Its perfect community :)

On Fri, Feb 20, 2015 at 12:30 PM, Zalezny Niezalezny 
zalezny.niezale...@gmail.com wrote:

 I will simply stop postfix and copy all files. I dont see any other
 solution here.We will see if it will work properly.

 On Fri, Feb 20, 2015 at 11:28 AM, Michael m...@michi.su wrote:

 Quoting Zalezny Niezalezny zalezny.niezale...@gmail.com:

  I dont want to route any E-mails. I simply would like to stop old server,
 tar everything in the proper way and migrate on the new host. This is my
 target.


 Then just block all incoming traffic on port 25 and 587 (or whatever your
 users are using).
 After everything has been processed and the queue is empty, tar compress
 everything and move it to the new server.
 Once that is done, change the MX entries to point to the new server and
 you are done.

 No mails will be lost in the meantime.

 If you additionally change the TTL of the according Zone entries of your
 domain to something very small (5 min), the propagation of the new entries
 will be faster.

 Regards,
 Michael





Re: Postfix migration from 2.0 to 2.6.6

2015-02-20 Thread Zalezny Niezalezny
I will simply stop Postfix and copy all files. I don't see any other
solution here. We will see if it will work properly.

On Fri, Feb 20, 2015 at 11:28 AM, Michael m...@michi.su wrote:

 Quoting Zalezny Niezalezny zalezny.niezale...@gmail.com:

  I dont want to route any E-mails. I simply would like to stop old server,
 tar everything in the proper way and migrate on the new host. This is my
 target.


 Then just block all incoming traffic on port 25 and 587 (or whatever your
 users are using).
 After everything has been processed and the queue is empty, tar compress
 everything and move it to the new server.
 Once that is done, change the MX entries to point to the new server and
 you are done.

 No mails will be lost in the meantime.

 If you additionally change the TTL of the according Zone entries of your
 domain to something very small (5 min), the propagation of the new entries
 will be faster.

 Regards,
 Michael




Re: Postfix migration from 2.0 to 2.6.6

2015-02-20 Thread Zalezny Niezalezny
I don't want to route any E-mails. I simply would like to stop the old server,
tar everything in the proper way and migrate to the new host. This is my
target.

On Fri, Feb 20, 2015 at 11:05 AM, Test t...@icolombi.net wrote:

 What about just routing messages from old server to the new one with
 relayhost? We are just talking about messages in queue right?


 2015-02-20 10:54 GMT+01:00 Zalezny Niezalezny 
 zalezny.niezale...@gmail.com:

 Thanks for Your explanation. I see that Postfix community is very strong
 and fast :) Its good to know :)

 If I will stop Postfix, for sure some of them will stay in the queue
 folders. How to migrate that part without loosing data ? Should I simply
 copy files with proper permissions and ownership between two servers ? Is
 there any commands which needs to be executed afterwards ?


 Thanks in advance for Your support.


 Zalezny






Re: Postfix migration from 2.0 to 2.6.6

2015-02-20 Thread Zalezny Niezalezny
Thanks for Your explanation. I see that Postfix community is very strong
and fast :) Its good to know :)

Back to subject.

We are using the Red Hat distro so I`m not planning to use a Postfix version
higher than the one in the repository. What can I say, RHEL is crap if we are
talking about updates for the common packages. They are supporting the latest
release 2.6.6 and I will stay with this release. Of course it would be
great to build a new package even with version 3 but then I must support it
till the end. It's an enterprise environment so we need to follow some rules
(sometimes stupid...).

What I don't understand is what exactly Postfix is doing during the stop
command.
If I understand the queue model correctly, Postfix stores files in the queue
folders. My server sends thousands of E-mails per day. If I stop
Postfix, for sure some of them will stay in the queue folders. How to
migrate that part without losing data ? Should I simply copy the files with
proper permissions and ownership between the two servers ? Are
there any commands which need to be executed afterwards ?


Thanks in advance for Your support.


Zalezny


On Fri, Feb 20, 2015 at 10:18 AM, DTNX Postmaster postmas...@dtnx.net
wrote:

 On 20 Feb 2015, at 09:14, Zalezny Niezalezny zalezny.niezale...@gmail.com
 wrote:

 on one of my servers I`m planning to migrate very old Postfix 2.0 to quite
 new one 2.6.6.
 I migrated already all Postfix instances, so all Postfix configuration
 files are already on the new machine (/etc/postfix*). Now its time to
 migrate /var/spool/postfix and all other Postfix data files.

 Will it work properly if I will simply:
 - stop old server
 - zip all /var/spool/postfix*  and /var/spool/mail/*

 - copy all /var/spool/postfix* and /var/spool/mail/* on the new one
 - start all instances

 Will it work ?

 Here is written, that it will not work properly...

 http://www.postfix.org/faq.html#copying

 How to migrate Postfix data in the best way ?


 Do note that 2.6.6 is anything but new; 2.6.6 is from 2010, and the last
 legacy release of the 2.6.x series was two years ago.

 At this point, for new systems, you should be using 2.9.x as the
 absolute minimum, since 2.8.x is already out as well. See the Postfix
 announcements page for details;

 http://www.postfix.org/announcements.html

 As far as the migration itself; review the documentation for changes,
 both to settings you have in your configuration as well as changes to
 default settings, as the gap between 2.0 and whatever you move to is
 quite big. Start here;

 http://www.postfix.org/postconf.5.html

 Once you have reviewed the documentation for anything you might need to
 change, set it up on the new machine, and test all your assumptions
 about how it should work.

 Your '/var/spool/postfix' should be empty, and there should be no need
 to copy that over. How you migrate stored messages on the server
 depends on how your users access their mail, which is outside the scope
 of Postfix.

 In other words; move to a supported version of Postfix, and test your
 migration extensively. Good luck!

 Mvg,
 Joni