t you need to upgrade your
postfix.
--
Noel Jones
"submission" port 587 (that's what it's for) and
disable smtpd_proxy_filter on that port.
Yes, this requires a setting change on the client, but the
additional benefit is that their mail is far less likely to be
blocked by their ISP.
--
Noel Jones
only.
--
Noel Jones
check_sender_access table before
permit_mynetworks?
If you need more help, please see:
http://www.postfix.org/DEBUG_README.html#mail
--
Noel Jones
interfere with one another.
Yes, multiple instances sounds like what you need.
This is a little old, but should still work:
http://advosys.ca/papers/postfix-instance.html
--
Noel Jones
ck with the "standard" config,
you're OK as is. You should probably document what you've
done so you remember what you did and why 10 months from now.
TIA
-- DJ Lucas
--
Noel Jones
olute worst.
Those numbers should be OK.
http://www.postfix.org/TUNING_README.html#hammer
http://www.postfix.org/QSHAPE_README.html#backlog
http://www.postfix.org/SCHEDULER_README.html
--
Noel Jones
broken firewall is eating the EHLO command or STARTTLS.
--
Noel Jones
e
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
The behavior you see is correct and consistent with the
documentation.
--
Noel Jones
sible, the other solutions are:
a) patch postfix local delivery agent to not force lowercase
during delivery.
b) use something other than the postfix local delivery agent.
Maybe maildrop or procmail...
--
Noel Jones
Xn Nooby wrote:
On Mon, Dec 29, 2008 at 3:51 PM, Noel Jones wrote:
Bryan Irvine wrote:
On Mon, Dec 29, 2008 at 11:12 AM, Xn Nooby wrote:
I am using Postfix to replace an existing email system, and I am
inheriting usernames that are in uppercase. Apparently Postfix
converts all email
}:(6[2-9]|[7-9][0-9]))/ HOLD Invalid time header. Correct your clock and resend please.
ENDIF
### END DATE CHECKS
I have these set to HOLD since they rarely catch anything
other than the occasional legit mail with a bad year. YMMV.
--
Noel Jones
es that you show your "postconf -n"
output, *and* postfix logging associated with these failed
deliveries, *and* details of how you deliver your mail.
We'll look forward to hearing from you tomorrow after you have
access to your server.
--
Noel Jones
fic answer.
--
Noel Jones
ostconf -n" output and unaltered
log entries demonstrating the problem.
--
Noel Jones
entries demonstrating the problem.
Over and out.
--
Noel Jones
th_enable = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains = fakessh.eu
No, do not list the same domain in multiple address classes.
Either remove the above line, or remove fakessh.eu from
mydestination. (likely you want to remove the above line).
--
Noel Jones
that. If you are delivering mail locally you should remove
the virtual_alias_domains parameter from main.cf.
--
Noel Jones
ounces.
- If you don't want your users to send lots of mail, use a
policy service with per-user rate limits.
- If you don't want your users using "unauthorized" envelope
sender, use reject_sender_login_mismatch and friends.
- If your queue is full of mail you know will never be
delivered, use postsuper -d QUEUEID to delete it.
--
Noel Jones
jittinan suwanrueangsri wrote:
Dear Noel Jones
In our environment
1. a user can not connect to other mailserver directly such as gmail,aol
etc. except our mailserver.
2. a user have right to use his/her other domain sender (aol,gmail) in
message which have to relay via our mailserver.if our
\d+)\s+\d+\.\d+\.\d+\.\d+[.:]\d+/
&& $1 eq "25");
++$out if (/ESTABLISHED/
&&
/(?:^|\s)\d+\.\d+\.\d+\.\d+[.:]\d+\s+\d+\.\d+\.\d+\.\d+[.:](\d+)/
&& $1 eq "25");
END {print $ARGV[0], "Port 25 status: ", $in, "
Established incoming, ", $out, " Established outgoing"};
'
--
Noel Jones
or
adjust the sendmail command line in your list software.
To fix the From: header, fix whatever parameter in your list
software is putting the extra stuff in the headers.
--
Noel Jones
real domain
list you already maintain. Size of the table is not an issue.
Your postconf output looks OK.
--
Noel Jones
ave more specific questions later, please see
http://www.postfix.org/DEBUG_README.html#mail
--
Noel Jones
Roman Medina-Heigl Hernandez wrote:
Noel Jones wrote:
Roman Medina-Heigl Hernandez wrote:
Hello,
I don't want my mail queue to fill due to fake mail (spam) so I'd like to
reject as much mail as I could at the smtp stage (avoiding mail entering
into my queues). My setup is mu
LS_README.html#client_smtps
But rather use TLS on port 587 if your new location allows
connections to that port. Try "telnet smtp.gmail.com 587" and
see if you get connected with the 220 greeting, or a timeout.
If you get a timeout, contact whoever is in charge of the
firewall there.
--
Noel Jones
ter to use canonical_maps
rather than {sender, recipient}_canonical_maps so that you get
consistent results.
--
Noel Jones
happen
to be spam) in your queue.
So why are you bouncing mail at all? Don't do that.
Please give us more details
http://www.postfix.org/DEBUG_README.html#mail
--
Noel Jones
//www.postfix.org/DEBUG_README.html
and especially
http://www.postfix.org/DEBUG_README.html#mail
--
Noel Jones
David Cottle wrote:
Hi Noel,
Thanks for your help!
I will firstly forward the postconf dump as requested.
I will have to forward as another message - will call it postconf as I
am on my iPhone.
At least you can firstly look at that and perhaps find it is accepting
during SMTP for undeliver
David Cottle wrote:
Sent from my iPhone
Out of context, this doesn't provide anything meaningful.
You need to examine your logs to see why postfix is bouncing
messages, then provide *all* the information requested.
--
Noel Jones
greeting when you receive mail, please see
http://www.postfix.org/postconf.5.html#smtpd_banner
http://www.postfix.org/postconf.5.html#myhostname
--
Noel Jones
webmas...@aus-city.com wrote:
Quoting Noel Jones :
You'll need to investigate where your bounces are coming from by
examining your log - find out why postfix generated a bounce.
Start by searching your logfile for the QUEUEID displayed by the
"mailq" command.
The "usual
ending to
that address, please see the examples in
http://www.postfix.org/RESTRICTION_CLASS_README.html#external
--
Noel Jones
to
be from this domain but obviously are not since they never authed ).
SASL is not an option since it refuses to work ( either crashes or fails
to start ).
Put permit_mynetworks, permit_sasl_authenticated before the
zen check.
--
Noel Jones
its own sending certificate, you can set
smtp_tls_cert_file in master.cf for different transports or
just use separate instances of postfix for each personality.
--
Noel Jones
are using - either cyrus or dovecot.
--
Noel Jones
ed: 15
How do I do this?
[]´s
You'll need a policy service with per-user limits.
Here's some already written:
http://www.postfix.org/addon.html#policy
or you can write your own.
--
Noel Jones
David Cottle wrote:
Noel Jones wrote:
David Cottle wrote:
Hi Noel,
Thanks for your help!
I will firstly forward the postconf dump as requested.
I will have to forward as another message - will call it postconf
as I am on my iPhone.
At least
run.
If you want to give each hosted domain the appearance of
having its own mail server with customized hostname matching
the domain name, you will need to run multiple postfix
instances. This is a lot of extra work, and is not necessary
for proper mail operation.
--
Noel Jones
at rfc-ignorant is intended for a scoring
system (such as SpamAssassin), not outright rejects. There is
a strong possibility of rejecting legit mail when used as an
SMTP RBL.
--
Noel Jones
atching their capabilities and management
tools to what you want.
For pretty much any tool you name, you'll find someone who
thinks it's the greatest thing ever, and others who think it's
worthless... so make up your own mind.
--
Noel Jones
ver happened before so I do not suspect hardware problems, just too
much of something talking to us.
Without details we're just guessing. My guess is this isn't a
real problem.
73,
--
Noel Jones
://www.mikecappella.com/logwatch/
Maybe your postfix-logwatch module needs updating.
73,
--
Noel Jones
compare two headers in postfix.
Do u have any solution I could test on my config?
I guess can find the solution with spamassassin but I'd like to find a
solution with postfix in preference.
Yes, spamassassin would help.
--
Noel Jones
ing what's wrong. I would appreciate some help.
thanks
---eric
You need to send the XFORWARD commands before MAIL FROM.
--
Noel Jones
(including legit
bounces).
--
Noel Jones
e=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
--
Noel Jones
mouss wrote:
Noel Jones wrote:
smtpd_data_restrictions =
permit_mynetworks
check_sender_access hash:/etc/postfix/no_backscatter
# no_backscatter
<> reject_rbl_client ips.backscatterer.org
Which will reject only bounces from them (including legit bounces).
as well as SAV probe
to be some spam
filter in your email delivery path that is bouncing unwanted
mail. Don't do that.
I can't help you any further. Good luck.
--
Noel Jones
il and look for
patterns other than the From=To, such as the client being
listed on some RBL, client in dynamic/home user space, rogue
ISP, suspect HELO name, etc.
--
Noel Jones
already, there are no plans to add
postfix internal support for this.
--
Noel Jones
checks for this is unreliable; there is no guarantee the recipient
will be listed in the To: header. You're not listed in To: in this message, but
you receive it anyway.
You can use HOLD with a check_recipient_access map reliably, that's another
good way to temporarily pause delivery.
--
Noel Jones
rev...@morris.com mysql:/path/to/xxx.cf
Note there is a difference between "not found" and an empty response.
--
Noel Jones
Yes, HOLD affects all recipients, which might not always be what one wants.
--
Noel Jones
(via lame smartphone mail)
-Original Message-
From: Sahil Tandon
Sent: Wednesday, January 14, 2009 9:05 PM
To: postfix-users@postfix.org
Subject: Re: holding messages for one address or
der_access hash:/etc/postfix/mydomains
check_recipient_access hash:/etc/postfix/allowed_forwards
reject_unauth_destination
# allowed_forwards
# list of external recipient addresses
# internal mail can be forwarded to
exam...@gmail.com OK
bga...@msn.com OK
--
Noel Jones
an reject mail using nonexistent local
sender addresses by setting in main.cf:
smtpd_reject_unlisted_sender = yes
--
Noel Jones
smtpd_sasl_security_options = noanonymous
smtpd_sasl_exceptions_networks =
(ie. empty value)
After successful testing, read the description of each of
those parameters and decide if you need them set differently
for production use.
http://www.postfix.org/postconf.5.html
--
Noel Jones
or legit senders, and does
nothing to slow spammers. There is also some evidence that
such systems are "spam attractors", getting magnitudes more
than their expected share of mail to unknown recipients.
So, it's valid questions and a valid configuration, IMHO!
IMHO it's a
other
action is needed.
The bounce message you receive is generated by gmail, not by
your list server. The universe is in harmony.
--
Noel Jones
properly
rejecting unknown recipients, there is no extra configuration
you need to reject unknown local senders, other than adding
reject_unlisted_sender to your restrictions.
HTH,
--
Noel Jones
onf.5.html#mynetworks
# main.cf
mynetworks =
!192.168.1.55
!192.168.1.56
192.168.1.0/24
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
--
Noel Jones
need
smtpd_restriction_classes, nor an access map. The mynetworks
parameter is intended exactly for what you have asked for.
--
Noel Jones
OK
subdomain2.abc.com OK
No, this won't work either. Use the example already provided.
You're making this too hard. Simply set mynetworks correctly
and you're done.
--
Noel Jones
pient.pcre
/^n...@example\.com$/ REJECT user not allowed
/^name\.s...@example\.com$/ REJECT your text here
# main.cf
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
check_recipient_access pcre:/etc/postfix/recipient.pcre
--
Noel Jones
hanks
The signature on the message you sent to the list verifies as
good with both dkim-milter and SpamAssassin, so your signature
is fine.
Seems as if everyone but Yahoo! is moving to dkim. Any
particular reason you are using DomainKeys?
--
Noel Jones
iving a
reason.
Thanks
The signature on the message you sent to the list verifies as
good with both dkim-milter and SpamAssassin, so your signature
is fine.
Seems as if everyone but Yahoo! is moving to dkim. Any
particular reason you are using DomainKeys?
--
Noel Jones
I have domainkey
hen list IPs and cidr networks that
are allowed internet access. Don't put anything on the right
for a result. Or just don't list IPs if they're not allowed
to relay. Remember to include localhost.
mynetworks = /path/to/networks
# networks
!192.168.2.10
!192.168.2.20
127.0.0.1
192.168.1.0/24
Good luck.
--
Noel Jones
,
Chris
The From: header is irrelevant.
You will note that this mail says it's from me, yet I'm not
the envelope sender.
Also note that your postings to this list are From: your
address, but you are not the envelope sender.
--
Noel Jones
Postfix knows the result of authentication.
Not possible. Arrange for your other server to listen on the
"submission" port 587, and have your users submit mail there.
--
Noel Jones
hen examine the list to decide what to do about it.
(a few entries will always display in this list)
--
Noel Jones
=1 (queue active)
That feature isn't enabled by default. To activate it, you
need to set in main.cf:
strict_rfc821_envelopes = yes
http://www.postfix.org/postconf.5.html#strict_rfc821_envelopes
--
Noel Jones
ostfix.org/ADDRESS_VERIFICATION_README.html#recipient
The second step isn't required, but will reduce load on your
system. Convince them (use a creative explanation about
system security) to log in as root and run this one-line patch
to their system:
postconf -e unknown_local_recipient_reject_code=550
--
Noel Jones
.168.2.226]
--
Noel Jones
gging of mail that you think should have been
rejected will help.
http://www.postfix.org/DEBUG_README.html#mail
--
Noel Jones
g
this behavior. Does outbound mail still get checked against access
tables if relayhost is non-empty?
Setting relayhost does not affect the behavior of
check_recipient_mx_access.
--
Noel Jones
SMTP. You could use a wrapper command
such as mini_sendmail to simulate the standard sendmail command. Note
that some programs will respond "ungracefully" when mail submission fails.
- You can use firewall rules to prevent your host from
contacting smtp.secureserver.net
--
Noel Jones
tput was a way to see what rules postfix is matching
> on for permit/deny, sort of the way procmail does when verbose logging
> is set.
>
... because the mail isn't submitted via over the network.
--
Noel Jones
On Thu, Jan 22, 2009 at 10:46:09AM +0530, ram wrote:
>
> On Wed, 2009-01-21 at 12:56 -0600, Noel Jones wrote:
> > ram wrote:
> That was just an example. In real life I dont have the exact same key
> but I have matches in both
Don't put matches in both files.
> >
file being down?
Anyway, if you don't want to put special entries in DNS you
can add entries to your hosts file to simulate multiple A records.
--
Noel Jones
a specific mail using the id that appears at
postqueue -p? What do you use for that task?
Thanks!
Cheers
Martín
I use
postcat -q QUEUEID | less
http://www.postfix.org/postcat.1.html
--
Noel Jones
lter is NOT set
smtpd_sender_restrictions =
permit_sasl_authenticated
permit_mynetworks
check_client_access regexp:/etc/postfix/set_filter
# contents of set_filter
/^/ FILTER smtp:[some.ip.addr.ess]:PORT
--
Noel Jones
would you check the HELO name of local clients?
Many user mail programs will send junk HELO names; it's nearly
universal practice to exclude local and/or authenticated
clients from such checks.
--
Noel Jones
550 invalid address
/[...@].*@/ 550 weird addresses
--
Noel Jones
t speak SMTP.
You can work around this error by setting in postfix main.cf
smtp_connection_cache_on_demand = no
--
Noel Jones
://www.postfix.org/DEBUG_README.html#mail
--
Noel Jones
Noel Jones wrote:
Bill Loy wrote:
After adding the lines smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/restricted_senders
smtpd_restriction_classes = local_only
local_only = check_recipient_access
hash:/etc/postfix/local_domains, reject
to
T rule set.
Are there any other tools/strategies that people are using
to tackle this?
reject_unknown_reverse_client_hostname
reject_rbl_client zen.spamhaus.org
{a greylisting policy service}
YMMV.
--
Noel Jones
requested for the hostname. Either the MX lookup or
the A lookup may return a result different from the original
bare IP; this is why you should always enclose a literal IP
address relayhost in brackets.
Actual lookups are performed by system libraries, not by postfix.
--
Noel Jones
Voytek Eymont wrote:
On Sat, January 24, 2009 1:39 am, Noel Jones wrote:
reject_unknown_reverse_client_hostname reject_rbl_client zen.spamhaus.org
{a greylisting policy service}
Noel,
is that a good place to add reject_unknown_reverse_client_hostname ?
smtpd_recipient_restrictions
own life harder if you try to enforce
HELO checks on your own clients.
--
Noel Jones
tual_alias_maps to rewrite the
"old" set of users to a different subdomain, and use
transport_maps to direct the mail. You could then use
smtp_generic_maps to rewrite the domain back to the original
when it's transferred to the old server.
Just listing everyone in transport_maps is probably easier.
--
Noel Jones
smtpd ?
mail_version = 2.2.9
Thanks
Alexandre Carlim
This requires two separate postfix instances, each with its
own config directory and queue directory.
--
Noel Jones
-ignorant.org/policy-dsn.php
--
Noel Jones
"?
Thanks,
Dennis
No white space.
--
Noel Jones
to do recipient verification to an MX relay that is not
the final destination? It is not working in my test case.
Yes, it is possible, but the MX relay must respond correctly
to the RCPT TO command; ie. reject invalid recipients, accept
valid recipients.
--
Noel Jones
resses.
Don't use wildcard or catchall address rewrites.
If postfix can't find the destination server on its own, then
you can add transport_maps entries for those servers, but
don't do this unless necessary.
http://www.postfix.org/postconf.5.html#transport_maps
--
Noel Jones
the first action should be to reduce the number of
smtp connections to the content_filter to a number it's able
to consistently handle.
If that's ineffective for some reason, then implement the
suggestions outlined in
http://www.postfix.org/QSHAPE_README.html#backlog
--
Noel Jones
Martijn Brinkers wrote:
On Fri, 2009-01-30 at 11:43 -0600, Noel Jones wrote:
Seems to me the first action should be to reduce the number of
smtp connections to the content_filter to a number it's able
to consistently handle.
There is a big difference in filtering speed between messages
xy. Let Postfix
do all the queueing, it is much better at this than the filter.
I didn't consider that the filter might not be a proxy.
If that's the case, the design of the filter is broken and it
will be difficult to "fix" in postfix.
--
Noel Jones