Re: using postfix as a front end server in an exchange environment

2009-05-09 Thread Chas
 On Fri, May 08, 2009 at 12:20:26PM -0400, Comtois, Andre wrote:


 I'm having mixed results getting this to work.  My postfix server
 accepts emails and relays them to the exchange server just fine, however
 it also seems to have no issues relaying emails to gmail.com as well, so
 I'm not sure how to restrict it to only accepting messages destined for
 my domain.


 http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
 http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to

 If your receiving system in the DMZ is behind a NAT device that translates
 source addresses from the Internet to a fixed DMZ source IP address,
 be SURE TO EXCLUDE that address from mynetworks.

Viktor, could you please be a bit more specific on this one? Are you
saying to exclude the NATed IP or the Internet IP?

 Be sure to not NAT internal clients (your Exchange servers), or NAT them
 to a different IP.

This one is not clear to me either. I'm trying to set up 2 servers behind a
Pix firewall, Postfix server before Exchange, both NAT'ed on the same
subnet but both represented by 'real' external IP's on the internet. Will
this not work properly?

Tia,
Chas.


 Of course, you really should NOT NAT source addresses at all, with source
 IPs masked you can't use RBL lists, and your logs are much less useful.

 --
   Viktor.




Re: using postfix as a front end server in an exchange environment

2009-05-09 Thread Victor Duchovni
On Sat, May 09, 2009 at 11:08:46AM -0400, Chas wrote:

  On Fri, May 08, 2009 at 12:20:26PM -0400, Comtois, Andre wrote:
 
 
  I'm having mixed results getting this to work.  My postfix server
  accepts emails and relays them to the exchange server just fine, however
  it also seems to have no issues relaying emails to gmail.com as well, so
  I'm not sure how to restrict it to only accepting messages destined for
  my domain.
 
 
  http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
  http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to
 
  If your receiving system in the DMZ is behind a NAT device that translates
  source addresses from the Internet to a fixed DMZ source IP address,
  be SURE TO EXCLUDE that address from mynetworks.
 
 Viktor, could you please be a bit more specific on this one? Are you
 saying to exclude the NATed IP or the Internet IP?

Don't NAT the SOURCE IP addresses of clients that connect TO your
server.  Your server's own address can be subjected to NAT, but see the
documentation for the proxy_interfaces parameter.

  Be sure to not NAT internal clients (your Exchange servers), or NAT them
  to a different IP.
 
 This one is not clear to me either. I'm trying to set up 2 servers behind a
 Pix firewall, Postfix server before Exchange, both NAT'ed on the same
 subnet but both represented by 'real' external IP's on the internet. Will
 this not work properly?

It will work provided you don't SOURCE NAT.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.
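
Why the source-NAT address must stay out of mynetworks, as an added example that is not part of the original thread: Postfix matches mynetworks patterns left to right and stops at the first match, a "!pattern" entry excludes an address, and clients that match may relay to any destination. The addresses are constructed, and the parser assumes only literal address/CIDR patterns (no file or table references).

```python
import ipaddress

def parse_mynetworks(value):
    """Return the mynetworks entries in order as (negated, network) pairs."""
    entries = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        # Postfix writes IPv6 patterns as [addr]/len; ipaddress wants no brackets.
        pattern = token.lstrip("!").replace("[", "").replace("]", "")
        entries.append((negated, ipaddress.ip_network(pattern, strict=False)))
    return entries

def is_trusted(seen_ip, mynetworks):
    """Left to right, first match wins; a "!pattern" match means not trusted."""
    addr = ipaddress.ip_address(seen_ip)
    for negated, net in parse_mynetworks(mynetworks):
        if addr.version == net.version and addr in net:
            return not negated
    return False

def seen_by_postfix(real_ip, snat_to=None):
    """Address smtpd sees: the firewall's if it source-NATs, else the real one."""
    return snat_to or real_ip

# Constructed addresses (private and documentation ranges), not from the thread.
SNAT_ADDR = "192.168.10.1"    # DMZ address the firewall rewrites sources to
EXCHANGE = "192.168.10.20"    # internal server that must be able to relay
OUTSIDER = "203.0.113.45"     # arbitrary Internet client

BROAD = "127.0.0.0/8 192.168.10.0/24"
EXCLUDED = "127.0.0.0/8 !192.168.10.1 192.168.10.0/24"

def audit():
    """True means the client is treated as trusted and may relay anywhere."""
    return {
        "snat, broad mynetworks": is_trusted(seen_by_postfix(OUTSIDER, SNAT_ADDR), BROAD),
        "snat, address excluded": is_trusted(seen_by_postfix(OUTSIDER, SNAT_ADDR), EXCLUDED),
        "no source NAT": is_trusted(seen_by_postfix(OUTSIDER), BROAD),
        "exchange, address excluded": is_trusted(EXCHANGE, EXCLUDED),
    }

if __name__ == "__main__":
    for case, trusted in audit().items():
        print(f"{case:28} relay to any destination: {trusted}")
```

Only the first case comes out trusted for the Internet client: with source NAT and a mynetworks entry covering the whole DMZ subnet, every outside sender looks like an internal one.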


Re: cannot connect to mysql. Too many connections.

2009-05-09 Thread LuKreme

On 8-May-2009, at 10:31, Wietse Venema wrote:

Short reply: s/mysql/proxy:mysql/



Is there any reason to *NOT* do this?  I mean, should you use proxy:  
every time you use a mysql lookup?


--
Si Hoc Legere Scis Nimium Eruditionis Habes



Re: cannot connect to mysql. Too many connections.

2009-05-09 Thread Sahil Tandon
On Sat, 09 May 2009, LuKreme wrote:

 On 8-May-2009, at 10:31, Wietse Venema wrote:
 Short reply: s/mysql/proxy:mysql/

 Is there any reason to *NOT* do this?  I mean, should you use proxy:  
 every time you use a mysql lookup?

You do not have to use the proxymap(8) service if your server is not busy and
therefore unlikely to generate several concurrent mysql clients.  From
MYSQL_README:

Busy mail servers using mysql maps will generate lots of concurrent mysql
clients, so the mysql server(s) should be run with this fact in mind. You can
reduce the number of concurrent mysql clients by using the Postfix
proxymap(8) service.

-- 
Sahil Tandon sa...@tandon.net


Re: cannot connect to mysql. Too many connections.

2009-05-09 Thread Victor Duchovni
On Sat, May 09, 2009 at 10:20:02AM -0600, LuKreme wrote:

 On 8-May-2009, at 10:31, Wietse Venema wrote:
 Short reply: s/mysql/proxy:mysql/

 Is there any reason to *NOT* do this?  I mean, should you use proxy: every 
 time you use a mysql lookup?

Sophisticated users who know which tables are used by which services
may avoid proxy: with tables used *only* in trivial-rewrite, as the
indirection adds no value, just slightly raises latency.

The main benefit of proxymap is with tables used by high-concurrency
processes, such as smtpd(8), cleanup(8) and smtp(8).

- access(5) tables used in smtpd(8)
- canonical(5), virtual(5), ... tables used in smtpd(8) and cleanup(8)
- generic(5) tables used in smtp(8) (aka lmtp(8))

Most other Postfix services don't interact with outside systems, and
typically run at low concurrency (low latency, low demand or both).

Privileged services avoid proxymap for security reasons: 

#
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
#
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual

This means that proxy: is ignored with:

- aliases(5) in local(8)
- $virtual_mailbox_maps in virtual(8)

However, both are usually also consulted by smtpd(8) when doing recipient
validation, so you should have proxy: in these, as it is ignored when
not applicable and very useful otherwise.

Finally, proxy: is also ignored with:

- mailbox_command_maps
- virtual_uid_maps
- virtual_gid_maps

With these, it makes no difference whether you add a proxy: prefix
or not; regardless, the table will be accessed directly.

-- 
Viktor.



Re: cannot connect to mysql. Too many connections.

2009-05-09 Thread Wietse Venema
LuKreme:
 On 8-May-2009, at 10:31, Wietse Venema wrote:
  Short reply: s/mysql/proxy:mysql/
 
 Is there any reason to *NOT* do this?  I mean, should you use proxy:  
 every time you use a mysql lookup?

It adds latency. This is not a problem for high-concurrency services
such as smtpd. It is bad for the services that the queue manager
depends on, such as the trivial-rewrite service with its address
class lookups and transport map lookups.

Wietse


Postfix with PostgreSQL

2009-05-09 Thread Just E. Mail
This question is about installing Postfix with PostgreSQL. I am posting 
on this Forum hoping that somebody has done it and can help me out.


CentOS 5.3, PostgreSQL-8.3.7, Postfix-2.5.6

I have set up a PostgreSQL Server and PostgreSQL Client under DEFAULT 
folders. I can connect to the PostgreSQL Server from the PostgreSQL Client.


Now I am trying to install Postfix on the pgsql Client machine. Postfix 
has the following command to 'Building Postfix with PostgreSQL support':


% make -f Makefile.init makefiles \
  'CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql' \
  'AUXLIBS=-L/usr/local/lib -lpq'


Since I have pg Server & Client machines, I have no idea where 
'-I/usr/local/include/pgsql' & '-L/usr/local/lib -lpq' are. Can somebody help?


Jennefer
PS: My English is poor.


Re: Postfix with PostgreSQL

2009-05-09 Thread /dev/rob0
On Sat May 9 2009 16:31:43 Just E. Mail wrote:
 This question is about installing Postfix with PostgreSQL. I am
 posting on this Forum hoping that somebody has done it and can help me
 out.

 CentOS 5.3, PostgreSQL-8.3.7, Postfix-2.5.6

CentOS probably has PostgreSQL in their RPM repository. If so, I would 
recommend that you install that via RPM, and get a SRPM for Postfix. 
Simon Mudd has Postfix SRPMs whereby you can simply set your choices in 
the spec file and rpmbuild(1) it.

I only ever did one RHEL machine, and it was long ago, but that is how  
I did it.

 I have set up a PostgreSQL Server and PostgreSQL Client under DEFAULT
 folders. I can connect to the PostgreSQL Server from the PostgreSQL Client.

 Now I am trying to install Postfix on the pgsql Client machine.
 Postfix has the following command to 'Building Postfix with
 PostgreSQL support':

 % make -f Makefile.init makefiles \
'CCARGS=-DHAS_PGSQL -I/usr/local/include/pgsql' \
'AUXLIBS=-L/usr/local/lib -lpq'


 Since I have pg Server & Client machines, I have no idea where
 '-I/usr/local/include/pgsql' & '-L/usr/local/lib -lpq' are. Can somebody
 help?

The local/ path element will not be correct for most (if not all) 
distributor-provided packages of PostgreSQL. You might, however, need 
to have *-devel packages installed. See your CentOS / RHEL 
documentation.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: Is it possible to not bounce after smtp?

2009-05-09 Thread Curtis
On Fri, May 8, 2009 at 6:30 PM, Wietse Venema wie...@porcupine.org wrote:

 Curtis:
  What I'd prefer to do here is have the bounces held for customer review so
  that they can realize that they've got an email address that isn't
  delivering and fix the problem on their end.

 Sorry, that does not work.  Even my two-user domain sometimes gets
 thousands of email messages a day for non-existent recipients. No-one
 is going to review such garbage for mis-directed legitimate mail.

I'm not talking about invalid recipients.  We bounce email sent to
invalid recipients at smtp time.  I'm talking about addresses that the
client thinks are supposed to be deliverable.  As I said, we'll be
keeping a valid recipient list.  There's just no way to make sure it's
perfect when you're talking about tens of thousands of recipients.


 Companies that provide out-sourced email filtering service often
 don't have up-to-date recipient lists. Instead they verify addresses
 in real-time.  The Postfix implementation of this is described in
 http://www.postfix.org/ADDRESS_VERIFICATION_README.html.  It supports
 routing overrides, positive caching and negative caching.

Yeah, I looked at that option too... but the part about getting black
listed didn't sound too appealing.  (Some clients will be able to
whitelist our server's IP, but we expect that a few of our clients
will be on shared hosts where they will have little to no control of
such things.)

I just hate the thought of a spam filtering company that actually
generates any amount of backscatter spam of its own.  I'd like our
service to be completely clean.   I'm sure we'll come up with
something.

As always, I really appreciate the amazing support you offer on Postfix. :-)

Curtis

P.S. I got a complaint that my messages are going to this list in
HTML... I'm using gmail at the moment... trying their plain text
option... hopefully that fixes it.


        Wietse


Re: Is it possible to not bounce after smtp?

2009-05-09 Thread Curtis
On Fri, May 8, 2009 at 6:34 PM, Trey Briggs tbri...@api-digital.com wrote:
 On Fri, May 8, 2009 at 7:07 PM, Curtis postfixu...@isparks.com wrote:
 On Fri, May 8, 2009 at 5:22 PM, Wietse Venema wie...@porcupine.org wrote:

 Curtis:
  I'm building a spam filtering appliance using Postfix.  We will be
  making
  every effort to reject invalid recipient addresses at SMTP time, but
  since
  we will not always be made aware when an email box on a final
  destination
  server is no longer valid, we'd like to disable all bouncing after SMTP
  time.
  I saw one person suggest disabling the bounce service in
  /etc/master.cf...which does disable bouncing, but the logs now show
  the following error:
   status=deferred (bounce or trace service failure)
 
  What is the correct way to disable bounces?

 None. You need to keep the valid recipient list up-to-date.  Postfix
 does not (and will not, over my dead body) do what you ask for.

        Wietse

 We have every intention of keeping our valid recipient lists up-to-date,
 because we want to reject all email sent to invalid recipients at smtp time.
   However, since we don't control the remote servers that we filter email
 for and because we'll be managing thousands of domains and tens of thousands
 of email addresses, it's possible, that from time to time, that we'll not be
 made aware of recipients that are no longer valid.  In those cases, if we
 bounce after smtp, postfix is going to start spewing backscatter.  I guess
 the good news is that since we're filtering out most spam, that
 the likelihood of backscatter is greatly reduced, but I was hoping for total
 elimination.

 What I'd prefer to do here is have the bounces held for customer review so
 that they can realize that they've got an email address that isn't
 delivering and fix the problem on their end.
 Curtis


 I'm doing something similar to what you are looking for. You can set
 unverified_sender_reject_code = 550 and
 unverified_recipient_reject_reason = Custom Message

 Then set up something like syslog-ng to grep out 'Custom Message' from
 your maillog in realtime and send those lines to a named pipe (man
 mkfifo). Then create a daemon (I used perl) to read from that pipe,
 grep out the invalidr...@domain.tld and perform any action you want
 beyond that (for example email the IT guy at domain.tld).

 Here's an example daemon and syslog-ng config:

 daemon:
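 #!/usr/local/bin/perl
 use strict;
 use warnings;
 use Fcntl;    # provides O_RDONLY

 # Open the named pipe that syslog-ng writes the matching log lines to.
 sysopen(FIFO, '/usr/local/bin/invldrcptpipe', O_RDONLY)
     or die "Can't open pipe\n";
 while (my $log_entry = <FIFO>) {
     # I am grabbing IP instead of email address
     if ($log_entry =~ /\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]/) {
         my $ip = $1;    # act on $ip here (count it, store it, ...)
     }
 }
 close(FIFO);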

 syslog-ng:
 destination d_pipe { pipe("/usr/local/bin/invldrcptpipe"); };
 filter f_user_unk {
                   program("postfix\/smtp") and
                   match("User unknown"); };
 log { source(src); filter(f_mail); filter(f_info); filter(f_user_unk);
 destination(d_pipe); };


 It seems pretty quick (this server can still handle 5mil messages a
 day with lots of spam scans), mine actually counts IP address hits in
 a DB and postfix will block if the count is higher than 20 in 10
 minutes (a cleanup script handles the expiration). Seems to help curb
 dictionary attacks.

 --
 Trey Briggs
 Advanced Systems Engineer
 API Digital
 tbri...@apid.com
 256-508-2368


Interesting.  You just made me realize that the solution is really
pretty simple... we can parse the logs for bounces, and just
automatically shut off those addresses.  (And send an automated email
to the domain administrator once per day of addresses that have been
automatically shut down.)  Certainly a lot simpler said than done, but
doable.

Thanks,

Curtis
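
The rate check described in the quoted reply above (block a client when its count is higher than 20 in 10 minutes), as an added example that is not the daemon from the post. It assumes the hits are Postfix smtpd "User unknown" reject lines in classic syslog format; the host name, addresses and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 20  # flag when the count is higher than this, as in the quoted reply

# Assumed line shape: a Postfix smtpd "User unknown" reject in syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r".*reject: RCPT from \S*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*User unknown"
)

def offenders(lines, year=2009):
    """Map each client IP to the time it first exceeded THRESHOLD hits in WINDOW."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # other smtpd log lines are not hits
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > WINDOW:   # expire hits older than ten minutes
            hits.popleft()
        if len(hits) > THRESHOLD:
            flagged.setdefault(m["ip"], ts)
    return flagged

def constructed_log():
    """Sample input built for this example: one fast guesser, one slow sender."""
    start = datetime(2009, 5, 9, 19, 0, 0)
    def entry(t, ip, rcpt):
        return (f"{t:%b} {t.day:2d} {t:%H:%M:%S} mx1 postfix/smtpd[2201]: NOQUEUE: "
                f"reject: RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}@example.com>: "
                "Recipient address rejected: User unknown in virtual mailbox table")
    lines = [entry(start + timedelta(seconds=10 * i), "198.51.100.7", f"guess{i}")
             for i in range(25)]
    lines += [entry(start + timedelta(minutes=9 * i), "203.0.113.9", f"typo{i}")
              for i in range(21)]
    lines.append("May  9 19:05:00 mx1 postfix/smtpd[2201]: connect from unknown[198.51.100.7]")
    return sorted(lines)

if __name__ == "__main__":
    for ip, when in offenders(constructed_log()).items():
        print(f"{ip} exceeded {THRESHOLD} unknown-recipient rejects by {when:%H:%M:%S}")
```

The second client also produces 21 rejects, but spread nine minutes apart, so the sliding window never holds more than two of them and it is not flagged.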


Re: Is it possible to not bounce after smtp?

2009-05-09 Thread Wietse Venema
Curtis:
  Companies that provide out-sourced email filtering service often
  don't have up-to-date recipient lists. Instead they verify addresses
  in real-time.  The Postfix implementation of this is described in
  http://www.postfix.org/ADDRESS_VERIFICATION_README.html.  It supports
  routing overrides, positive caching and negative caching.
 
 Yeah, I looked at that option too... but the part about getting black
 listed didn't sound too appealing.  (Some clients will be able to
 whitelist our server's IP, but we expect that a few of our clients
 will be on shared hosts where they will have little to no control of
 such things.)

Blacklisted by whom? By your own customer? That would be stupid.

Wietse


Re: Is it possible to not bounce after smtp?

2009-05-09 Thread Curtis
On Sat, May 9, 2009 at 7:38 PM, Wietse Venema wie...@porcupine.org wrote:
 Curtis:
  Companies that provide out-sourced email filtering service often
  don't have up-to-date recipient lists. Instead they verify addresses
  in real-time.  The Postfix implementation of this is described in
  http://www.postfix.org/ADDRESS_VERIFICATION_README.html.  It supports
  routing overrides, positive caching and negative caching.

 Yeah, I looked at that option too... but the part about getting black
 listed didn't sound too appealing.  (Some clients will be able to
 whitelist our server's IP, but we expect that a few of our clients
 will be on shared hosts where they will have little to no control of
 such things.)

 Blacklisted by whom? By your own customer? That would be stupid.


It would be unintentional, of course, and not by any action of our
direct customers.  As I said, there are millions of domains out there
that are hosted in shared hosting environments.  Our customers that
are in these environments have little to zero control over the
policies of their hosting providers.  Coincidentally, I own a shared
web hosting company and our automated systems actually did
unintentionally black list a spam filtering service (not for this
reason but for another), so I have a little experience with how things
like that happen.   But, perhaps we could experiment with this.. the
idea that doing address verification might cause our servers to get
black listed by the receiving server was something I read on the page
you referred to (
http://www.postfix.org/ADDRESS_VERIFICATION_README.html ).

Curtis


        Wietse



Re: Postfix with PostgreSQL

2009-05-09 Thread Barney Desmond
2009/5/10 Just E. Mail justem...@imwell-usa.com:
 This question is about installing Postfix with PostgreSQL. I am posting on
 this Forum hoping that somebody has done it and can help me out.

Indeed, I've done this before. Enable the centosplus repo, then you
can get a build of Postfix with the pgsql and mysql maps enabled.

Example link to the x64 RPM:
http://mirror.centos.org/centos/5/centosplus/x86_64/RPMS/postfix-2.3.3-2.1.centos.mysql_pgsql.x86_64.rpm

It also works nicely for RHEL, but any official package updates will
clobber your postfix, so you either need to add postfix to yum's
ignore-list, or keep a close eye on things, and get the centos update
when it comes out.