Re: [Mailman-Users] Queue problems

2008-06-18 Thread Allan Odgaard 

On 18 Jun 2008, at 17:49, Brad Knowles wrote:


[...]
It is not necessary to recommend to others that they disable this  
feature on their copy of postfix.  Instead, you should be  
recommending to them exactly what I recommended to you, which was to  
run a second copy of postfix with all checks disabled and have  
Mailman deliver to that second copy of postfix.


Wow… just wow…

I didn’t recommend anything, I reported my findings pointing to the  
setting which was problematic in this context. I figured people  
running into it will appreciate having the full info available before  
they decide what solution to pick.


Personally I prefer just disabling the check rather than run a new  
copy of Postfix, but each to his own.


--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] Queue problems

2008-06-18 Thread Jaco Kroon 

Allan Odgaard wrote:

On 17 Jun 2008, at 18:53, Mark Sapiro wrote:


Brad Knowles wrote:


On 6/17/08, Allan Odgaard wrote:

I transferred a lot of list members from a previous list. A dozen of 
these

has left errors like the following in `logs/smtp-failures`:

   delivery to <> failed with code 450:
   4.1.2 <>: Recipient address rejected:
   Domain not found


You're doing DNS validation on your outbound
mail.  Don't do that.  Pay attention to the stuff
in section 6 of the FAQ, especially including
6.6, 6.8, 6.12, etc


Also, fix your MTA configuration so it returns a 5xx status, not a 450
for a non-existant domain.


To the best of my knowledge, this can not be “fixed” (for Postfix). If 
Postfix is unable to obtain DNS settings for a domain, it will treat it 
as a temporary error, and will return 450, regardless of settings (and 
to me this seems correct, as not being able to obtain DNS settings is 
likely because something is down).


Unless you get an authoritative NXDOMAIN, in which case the domain does 
not exist.  Period.


If on the other hand it _does_ find a name server for the domain and 
there is no MX record, _then_ can it be treated as a permanent error.


NOT TRUE.  The RFC states that in the case of no MX record the domain 
name itself should be treated as the only MX record.


If others should run into this problem `reject_unknown_recipient_domain` 
was the setting I had to disable in Postfix’s 
`smtpd_recipient_restrictions`.


Oh.  Not normally a good idea, but in this case I'd agree.  With exim I 
simply accept everything being injected with the sendmail command (as 
well as connecting from localhost but destined for a non-local domain), 
which does something a little different from this, but works very well.


Jaco
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] Queue problems

2008-06-18 Thread Brad Knowles 

Allan Odgaard wrote:

If others should run into this problem `reject_unknown_recipient_domain` 
was the setting I had to disable in Postfix’s 
`smtpd_recipient_restrictions`.


We run postfix on python.org.  This option is not disabled on our machine, 
because we have a separate copy of postfix listening on a different port on 
the localhost IP address, and this copy of postfix disables all that 
anti-spam/DNS checking, etc


It is not necessary to recommend to others that they disable this feature on 
their copy of postfix.  Instead, you should be recommending to them exactly 
what I recommended to you, which was to run a second copy of postfix with 
all checks disabled and have Mailman deliver to that second copy of postfix.


--
Brad Knowles <[EMAIL PROTECTED]>
LinkedIn Profile: 
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] Queue problems

2008-06-18 Thread Stefan Förster 
* Allan Odgaard <[EMAIL PROTECTED]> wrote:
> On 17 Jun 2008, at 18:53, Mark Sapiro wrote:
> 
>> Brad Knowles wrote:
>> 
>>> On 6/17/08, Allan Odgaard wrote:
>>> 
 I transferred a lot of list members from a previous list. A dozen
 of these
 has left errors like the following in `logs/smtp-failures`:
 
   delivery to <> failed with code 450:
   4.1.2 <>: Recipient address rejected:
   Domain not found
>>> 
>>> You're doing DNS validation on your outbound
>>> mail.  Don't do that.  Pay attention to the stuff
>>> in section 6 of the FAQ, especially including
>>> 6.6, 6.8, 6.12, etc
>> 
>> Also, fix your MTA configuration so it returns a 5xx status, not a 450
>> for a non-existant domain.
> 
> To the best of my knowledge, this can not be “fixed” (for Postfix). If
> Postfix is unable to obtain DNS settings for a domain, it will treat
> it as a temporary error, and will return 450, regardless of settings
> (and to me this seems correct, as not being able to obtain DNS
> settings is likely because something is down).

postconf -e unknown_address_reject_code=550

Read the description of this setting - it will STILL return a 45x if
the error is _temporary_, whereas "temporary" is defined by your local
resolver library (this works very well in most cases).

> If on the other hand it _does_ find a name server for the domain and
> there is no MX record, _then_ can it be treated as a permanent error.

ITYM "no MX- and no A-RR".

> If others should run into this problem
> `reject_unknown_recipient_domain` was the setting I had to disable in
> Postfix’s `smtpd_recipient_restrictions`.

You can easily create a dedicated smtpd instance for injection of
mails generated by mailman. Have a look at
http://wiki.list.org/pages/viewpage.action?pageId=4030642 - I use

SMTPPORT = 10026 in /etc/mailman/mm_cfg.py and in
/etc/postfix/master.cf:

127.0.0.1:10026 inet n  -   - -   -  smtpd
-o content_filter=
-o mynetworks=127.0.0.0/8
-o 
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_delay_reject=no
-o local_header_rewrite_clients=


Cheers
Stefan
-- 
Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] Queue problems

2008-06-18 Thread Allan Odgaard 

On 17 Jun 2008, at 18:53, Mark Sapiro wrote:


Brad Knowles wrote:


On 6/17/08, Allan Odgaard wrote:

I transferred a lot of list members from a previous list. A dozen  
of these

has left errors like the following in `logs/smtp-failures`:

   delivery to <> failed with code 450:
   4.1.2 <>: Recipient address rejected:
   Domain not found


You're doing DNS validation on your outbound
mail.  Don't do that.  Pay attention to the stuff
in section 6 of the FAQ, especially including
6.6, 6.8, 6.12, etc


Also, fix your MTA configuration so it returns a 5xx status, not a 450
for a non-existant domain.


To the best of my knowledge, this can not be “fixed” (for Postfix). If  
Postfix is unable to obtain DNS settings for a domain, it will treat  
it as a temporary error, and will return 450, regardless of settings  
(and to me this seems correct, as not being able to obtain DNS  
settings is likely because something is down).


If on the other hand it _does_ find a name server for the domain and  
there is no MX record, _then_ can it be treated as a permanent error.


If others should run into this problem  
`reject_unknown_recipient_domain` was the setting I had to disable in  
Postfix’s `smtpd_recipient_restrictions`.


--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] Queue problems

2008-06-17 Thread Mark Sapiro 
Brad Knowles wrote:

>On 6/17/08, Allan Odgaard wrote:
>
>>  I transferred a lot of list members from a previous list. A dozen of these
>>  has left errors like the following in `logs/smtp-failures`:
>>
>> delivery to <> failed with code 450:
>> 4.1.2 <>: Recipient address rejected:
>> Domain not found
>
>You're doing DNS validation on your outbound
>mail.  Don't do that.  Pay attention to the stuff
>in section 6 of the FAQ, especially including
>6.6, 6.8, 6.12, etc


Also, fix your MTA configuration so it returns a 5xx status, not a 450
for a non-existant domain.

-- 
Mark Sapiro <[EMAIL PROTECTED]>The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] Queue problems

2008-06-17 Thread Brad Knowles 

Stefan Förster wrote:


Not 100% related: What happens if my MTA does DNS validation and
rejects addresses who yield an NXDOMAIN (as opposed to a SERVFAIL)
with a permanent error code instead of creating a bounce?


You should turn off the DNS validation in the first place.

That said, I think Mailman should be able to handle a permanent error in the 
correct way, by treating that as a bounce and handling it through the bounce 
mechanism.


--
Brad Knowles <[EMAIL PROTECTED]>
Member of the Python.org Postmaster Team & Co-Moderator of the
mailman-users and mailman-developers mailing lists
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] Queue problems

2008-06-17 Thread Stefan Förster 
* Brad Knowles <[EMAIL PROTECTED]> wrote:
> On 6/17/08, Allan Odgaard wrote:
> 
>> I transferred a lot of list members from a previous list. A dozen of these
>> has left errors like the following in `logs/smtp-failures`:
>> 
>>delivery to «address» failed with code 450:
>>4.1.2 «address»: Recipient address rejected:
>>Domain not found
> 
> You're doing DNS validation on your outbound
> mail.  Don't do that.  Pay attention to the stuff
> in section 6 of the FAQ, especially including
> 6.6, 6.8, 6.12, etc

Not 100% related: What happens if my MTA does DNS validation and
rejects addresses who yield an NXDOMAIN (as opposed to a SERVFAIL)
with a permanent error code instead of creating a bounce?


Ciao
Stefan
-- 
Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] Queue problems

2008-06-16 Thread Brad Knowles 

On 6/17/08, Allan Odgaard wrote:


 I transferred a lot of list members from a previous list. A dozen of these
 has left errors like the following in `logs/smtp-failures`:

delivery to «address» failed with code 450:
4.1.2 «address»: Recipient address rejected:
Domain not found


You're doing DNS validation on your outbound 
mail.  Don't do that.  Pay attention to the stuff 
in section 6 of the FAQ, especially including 
6.6, 6.8, 6.12, etc


--
Brad Knowles <[EMAIL PROTECTED]>
LinkedIn Profile: 
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

[Mailman-Users] Queue problems

2008-06-16 Thread Allan Odgaard 
I transferred a lot of list members from a previous list. A dozen of  
these has left errors like the following in `logs/smtp-failures`:


delivery to «address» failed with code 450:
4.1.2 «address»: Recipient address rejected:
Domain not found

This is interpreted as a temporary failure so Mailman will put the  
letter into `qfiles/retry`. Every 15th minute the retry qrunner will  
move all the retry letters back into `qfiles/out`.


My queue had gathered around 70 emails and had 10 recipients or so  
with this error, so it took more than half an hour to get through all  
of the queue (only to start over).


Since the queue is FIFO _without_ lowering the priority for retries,  
it meant that normal subscribers saw a long delay before their letter  
was delivered to other list subscribers.


I unsubscribed all addresses that were listed in `logs/smtp-failures`  
and then I had to manually delete letters from the qfiles.


But now I see another subscriber has a similar problem and is causing  
letters to pile up in qfiles affecting delivery to healthy recipients.


Seems to me that there is a flaw in this system (having retries pile  
up and starve regular delivery).



Using Mailman 2.1.9 (Ubuntu installation).

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp