Re: Setting the source port for outgoing email
* Graham Leggett <[EMAIL PROTECTED]>:
> Hi all,
>
> I have a machine that is both a postfix mailserver, and a NAT router for
> a number of machines behind the box.
>
> Because traffic from machines behind the box can cause the mailserver's
> IP to be blacklisted, the mailserver machine has two IP addresses, one
> for the mailserver, and one for NAT.
>
> There is a problem: postfix seems to be hell bent on choosing the NAT IP
> address as a source IP for outgoing connections, instead of the IP
> address specified by inet_interfaces:
>
> inet_interfaces = $myhostname

smtp_bind_address = your.ip

--
Ralf Hildebrandt ([EMAIL PROTECTED]) [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung    Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
I fit in my suit, my suit fits in my suitcase. Hence i fit in my suitcase.
Re: unintended relay
Sahil Tandon:
> Jason Drage <[EMAIL PROTECTED]> wrote:
>
> > Hi All, I'm having trouble locking down relaying and I can't see what
> > I'm doing wrong.
> >
> > I'm trying to configure the server to only send mail iff:
> > 1. Sender is on mynetworks, or
> > 2. Sender is authenticated
> >
> > Everything else should be rejected but it isn't, and I can't see what's
> > wrong with my config.
>
> I just relayed mail to myself from your server. Interesting header:
>
> Received: from [10.0.1.198] (gateway [192.168.1.1])
>         by mail.ibsglobalweb.com (Postfix) with ESMTP id 5D1FD8FD55
>         for <[EMAIL PROTECTED]>; Thu, 7 Aug 2008 10:55:05 +1000 (EST)
>
> I can't be sure, but I suspect something is happening to packets (perhaps
> due to your firewall/NAT configuration) before they hit Postfix, such
> that it thinks all mail is arriving from 192.168.1.1. I relayed from two
> different locations and each time your system thought mail arrived from
> that same internal gateway IP.

Thus, this would close an open relay hole:

/etc/postfix/main.cf:
    mynetworks = !192.168.1.1 192.168.0.0/16 127.0.0.0/8

So would replacing this piece of junk with something that doesn't
change the remote IP address.

	Wietse
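Added example (not posted by anyone in the thread): a small Python model of how Postfix evaluates a mynetworks list and the posted smtpd_recipient_restrictions, so the open relay and Wietse's fix can be reproduced offline. It assumes Postfix's match-list behaviour (entries are tried left to right, the first match decides, and a matching "!" entry means "not in mynetworks"); the mynetworks values are the ones posted in the thread, the client IP is the NAT gateway address from the Received header.

```python
import ipaddress

# mynetworks as posted by Jason (postconf -n) and as proposed by Wietse.
ORIGINAL_MYNETWORKS = ("127.0.0.0/8, 192.168.168.0/24, 192.168.1.0/24, 10.5.0.0/24, "
                       "122.102.100.128/27, 60.224.85.141/32, 218.215.147.70/32, "
                       "144.132.35.109/32, 216.146.32.0/23")
FIXED_MYNETWORKS = "!192.168.1.1 192.168.0.0/16 127.0.0.0/8"


def parse_mynetworks(value):
    """Split a mynetworks value (comma and/or whitespace separated) into
    (negated, network) pairs, preserving the order they were written in."""
    entries = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        if negated:
            token = token[1:]
        # A bare address becomes a /32 (or /128); strict=False tolerates host bits.
        entries.append((negated, ipaddress.ip_network(token, strict=False)))
    return entries


def is_mynetwork(client_ip, mynetworks):
    """First matching entry wins (assumption: this mirrors Postfix match lists).
    A matching '!' entry means the client is NOT trusted, which is why the
    exclusion has to be listed before the /16 that would otherwise cover it."""
    ip = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(mynetworks):
        if ip.version == net.version and ip in net:
            return not negated
    return False


def relay_decision(client_ip, sasl_authenticated, recipient_domain, mynetworks,
                   mydestination=("ibsglobalweb.com", "mail.ibsglobalweb.com")):
    """Model of the posted restriction list:
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination."""
    if is_mynetwork(client_ip, mynetworks):
        return "permit_mynetworks"
    if sasl_authenticated:
        return "permit_sasl_authenticated"
    if recipient_domain in mydestination:
        return "accept (local destination)"   # reject_unauth_destination only hits foreign domains
    return "reject_unauth_destination"


if __name__ == "__main__":
    # Sahil's relay test: an outside, unauthenticated sender aiming at a foreign
    # domain, but seen by Postfix as coming from the gateway 192.168.1.1.
    for label, nets in (("original", ORIGINAL_MYNETWORKS), ("fixed", FIXED_MYNETWORKS)):
        print(label, relay_decision("192.168.1.1", False, "example.org", nets))
```

The model also shows why the fix is fragile: it only works as long as every NAT-rewritten connection really does arrive as 192.168.1.1, which is why Wietse's second suggestion (stop rewriting the remote address at all) is the durable one.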
Re: unintended relay
Jason Drage <[EMAIL PROTECTED]> wrote:

> Hi All, I'm having trouble locking down relaying and I can't see what
> I'm doing wrong.
>
> I'm trying to configure the server to only send mail iff:
> 1. Sender is on mynetworks, or
> 2. Sender is authenticated
>
> Everything else should be rejected but it isn't, and I can't see what's
> wrong with my config.

I just relayed mail to myself from your server. Interesting header:

Received: from [10.0.1.198] (gateway [192.168.1.1])
        by mail.ibsglobalweb.com (Postfix) with ESMTP id 5D1FD8FD55
        for <[EMAIL PROTECTED]>; Thu, 7 Aug 2008 10:55:05 +1000 (EST)

I can't be sure, but I suspect something is happening to packets (perhaps due to your firewall/NAT configuration) before they hit Postfix, such that it thinks all mail is arriving from 192.168.1.1. I relayed from two different locations and each time your system thought mail arrived from that same internal gateway IP.

--
Sahil Tandon <[EMAIL PROTECTED]>
Re: Setting the source port for outgoing email
Aaron Wolfe wrote:

> Why can your end users "access an outgoing port"? You are not addressing
> this problem at its source. Police your outbound traffic. If it's from an
> end user and it isn't bound for port 80 or 443, why are you allowing the
> traffic to leave your network?

Because that is throwing the baby out with the bathwater. The business requires the use of services that run on ports other than ports 80 and 443, and the business believes that IT must adapt to the needs of the business, not the other way around.

Regards,
Graham
unintended relay
Hi All, I'm having trouble locking down relaying and I can't see what I'm doing wrong.

I'm trying to configure the server to only send mail iff:
1. Sender is on mynetworks, or
2. Sender is authenticated

Everything else should be rejected but it isn't, and I can't see what's wrong with my config.

Any help appreciated!

--
Jason

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
home_mailbox = Maildir/
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mailbox_size_limit = 0
message_size_limit = 4200
mydestination = mail.ibsglobalweb.com, ibsglobalweb.com, ibsglobalweb.com.au, mail, localhost.localdomain, localhost
myhostname = mail.ibsglobalweb.com
mynetworks = 127.0.0.0/8, 192.168.168.0/24, 192.168.1.0/24, 10.5.0.0/24, 122.102.100.128/27, 60.224.85.141/32, 218.215.147.70/32, 144.132.35.109/32, 216.146.32.0/23
myorigin = /etc/mailname
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Linux)
smtpd_recipient_limit = 4200
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/mail.ibsglobalweb.com.cert.pem
smtpd_tls_key_file = /etc/postfix/mail.ibsglobalweb.com.key.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
Re: Setting the source port for outgoing email
On Wed, Aug 6, 2008 at 7:57 PM, Graham Leggett <[EMAIL PROTECTED]> wrote: > Aaron Wolfe wrote: > > Blocking outbound SMTP traffic from sources other than your mail server >> will prevent you from being blacklisted, plain and simple, unless of course >> you are sending spam from your mail server. >> > > It's not that simple. > > Blocking outbound SMTP traffic keeps you off 99% of blacklists, that > blacklist you based on mail received. We have had no problem to date in > achieving this, because we block outgoing smtp as you described. > > The last 1% of the blacklists are more wide in their detection of network > abuse, and will blacklist an IP based on portscanning or DoS, and various > other unsavory things typically committed by trojans that are inserted by > ignorant users, and that represent a constant battle to keep off the > network. > > The vast majority of the net chooses blacklists carefully, choosing from > the 99% of blacklists that block based on mail. A small subset of ISPs > however choose to throw caution to the wind and include that 1% of > aggressive blacklists to their mail filtering configurations, causing mail > to consistently bounce when sent to certain key email addresses. > > This causes end users to ask why is it that mail works for everybody else, > but doesn't want to work when they try email that particular client at that > particular ISP. > > (By way of an example we found recently, one particular ISP had decided to > reduce the maximum email size when the sender IP was blocked by at least one > of a list of 125 blacklists. The IP was on 1 out of the 125 lists, and so > all mails larger than 1MB were bounced. No I don't understand for a second > the twisted logic that led this ISP to create this configuration, but the > client insisted on staying with that ISP, and we had to work around the > problem or not communicate with that client). 
> > I don't know exactly what you are talking about with the port scans, but >> if you are scanning other people's networks without their permisson, do >> expect to be blocked. If you are allowing your users to do the same, expect >> to be blocked. Why you you not simply block this before it leaves your >> network, like (almost) everyone else does? >> > > Because it makes no difference - if an end user can access an outgoing > port, then that end user's machine can portscan across IPs on that port, or > simply DDoS to a specific accessible port on an accessible IP. > Why can your end users "access an outgoing port"? You are not addressing this problem at it's source. Police your outbound traffic. If its from an end user and it isn't bound for port 80 or 443, why are you allowing the traffic to leave your network? There will be a few necessary exceptions, but generally that's a good starting place. At first I was thinking, wtf, I've never heard of these blacklists you mention. But perhaps thats because no network I administer has ever been listed on them? This discussion is not relevant here on the postfix list. If you are interested in securing your network and controlling the traffic coming out of it, there are better forums or feel free to contact me directly. > As long as a user can see the net, a trojan can see the net too. It is that > simple. > > Regards, > Graham > -- >
Re: taRgrey - tarpit + greylist policy server and patch for sleep action (Re: Tarpitting policy server?)
I wrote a tarpitting policy server. It is a patch for the postgrey greylisting policy server. It needs Postfix-2.3.x or later (it uses the SLEEP action).

taRgrey - S25R + tarpitting + greylisting
http://k2net.hakuba.jp/targrey/index.en.html
http://k2net.hakuba.jp/pub/targrey-0.30-postgrey-1.27.patch

taRgrey is a patch that makes postgrey into a tarpitting policy server. Tarpitting means a response delay for blocking spam. taRgrey is designed to decrease false positives.

I had used greylisting combined with the S25R anti-spam system on my mail server. I named this system Rgrey. S25R defines reverse FQDN patterns to presume clients to have a dynamic IP address.

The Selective SMTP Rejection (S25R) System
http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html

Rgrey greylists clients only when their reverse FQDN matches the S25R rules.

Rgrey - S25R + greylisting
http://k2net.hakuba.jp/rgrey/ (This page is written in Japanese only.)

Therefore almost all legitimate mail servers are not greylisted, and false positives get fewer. Rgrey on my mail server could block 94% of spam.

After that, I had used tarpitting combined with S25R. I named this system Starpit.

Starpit - S25R + tarpitting
http://d.hatena.ne.jp/stealthinu/20060706/p5 (This page is written in Japanese only.)

Tarpitting doesn't cause a long delay as in greylisting. It can accept mail servers even though they don't retry or retry with a different IP address each time. Starpit on my mail server could block 93% of spam when the delay time was set to 65 seconds.

However, Starpit still caused false positives. Most of them were caused by email magazines and email news. taRgrey solves this problem. It accepts mail by greylisting when it is resent after being blocked by tarpitting. We set parameters for taRgrey so that anti-greylisting spam cannot pass through. We can safely configure greylisting tight because there is little legitimate mail blocked by Starpit.

Moreover, this patch enables us to specify the number of retries for greylisting. Most anti-greylisting spam retries just once.

Additional functions with this patch are as follows:
* tarpitting: --tarpit=35 (35 second tarpitting and greylisting)
* taRgrey mode: --tarpit=65 --targrey (greylists if blocked by 65 sec tarpitting)
* greylisting retry threshold: --retry-count=2 (permits after 2 time retries)
* auto-whitelist count delay: --auto-whitelist-delay=3600 (counts up once an hour)
* outputs client's IP addresses to the auto-whitelist log.

Sample of configuration file
http://k2net.hakuba.jp/spam/postfix.conf.2.tar.gz

Anybody using this? Is it an improvement vs postgrey alone? Which improvements?

thanks
Len
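Added example (not taRgrey's or postgrey's code): a Python model of the decision the post describes, driven by a constructed Postfix policy request. It assumes the check_policy_service request format (name=value lines ended by an empty line, answered with "action=..."), and models the flow as: a client whose reverse name looks dynamic is tarpitted with SLEEP on first sight; if the same client/sender/recipient triplet comes back (the client hung up during the tarpit and retried), it is greylisted with DEFER_IF_PERMIT until --retry-count retries have been seen. The reverse-name patterns are illustrative, in the spirit of S25R, not the published S25R rule set; the auto-whitelist and triplet expiry that the real tools have are left out.

```python
import re

# Constructed policy request in the format check_policy_service sends to a policy server.
SUSPICIOUS_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.57\n"
    "client_name=dhcp-203-0-113-57.example.net\n"
    "sender=someone@example.org\n"
    "recipient=user@example.com\n"
    "\n"
)
LEGIT_REQUEST = SUSPICIOUS_REQUEST.replace(
    "client_name=dhcp-203-0-113-57.example.net", "client_name=mail.example.net"
).replace("client_address=203.0.113.57", "client_address=203.0.113.9")

# Illustrative patterns for "this PTR looks like an end-user/dynamic host".
# Assumption: these approximate the S25R idea; they are NOT the canonical S25R rules.
DYNAMIC_NAME_PATTERNS = [
    re.compile(r"^[^.]*[0-9][^0-9.]+[0-9]"),                 # digit, non-digits, digit in first label
    re.compile(r"^[^.]*[0-9]{5}"),                           # five or more consecutive digits
    re.compile(r"^[^.]*[0-9]\.[^.]*[0-9]\.[^.]*[0-9]\."),    # digits in three leading labels
    re.compile(r"^(dhcp|dialup|ppp|[achrsvx]?dsl)[^.]*[0-9]", re.IGNORECASE),
]


def parse_policy_request(text):
    """Parse name=value lines up to the first empty line into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def looks_dynamic(client_name):
    """True when there is no usable reverse name or it matches a dynamic-looking pattern."""
    if client_name in ("", "unknown"):
        return True
    return any(p.search(client_name) for p in DYNAMIC_NAME_PATTERNS)


class TargreyModel:
    """Simplified taRgrey decision: tarpit first, greylist the retries."""

    def __init__(self, tarpit_seconds=65, retry_count=2):
        self.tarpit_seconds = tarpit_seconds
        self.retry_count = retry_count
        self.retries = {}   # (client_address, sender, recipient) -> retries seen so far

    def decide(self, attrs):
        if not looks_dynamic(attrs.get("client_name", "")):
            return "DUNNO"                                # ordinary MTA: no delay, no greylisting
        triplet = (attrs["client_address"], attrs["sender"], attrs["recipient"])
        if triplet not in self.retries:
            self.retries[triplet] = 0
            return f"SLEEP {self.tarpit_seconds}"         # tarpit; Postfix then continues with the next restriction
        self.retries[triplet] += 1                        # the client came back: treat as a greylist retry
        if self.retries[triplet] >= self.retry_count:
            return "DUNNO"                                # retried often enough, let it through
        return f"DEFER_IF_PERMIT Greylisted, retry {self.retries[triplet]} of {self.retry_count}"


def format_response(action):
    """Policy-protocol reply: one action line followed by an empty line."""
    return f"action={action}\n\n"


if __name__ == "__main__":
    model = TargreyModel(tarpit_seconds=65, retry_count=2)
    request = parse_policy_request(SUSPICIOUS_REQUEST)
    for attempt in range(3):
        print(f"attempt {attempt + 1}:", format_response(model.decide(request)).strip())
    print("legit client:", format_response(model.decide(parse_policy_request(LEGIT_REQUEST))).strip())
```

With --retry-count=2 the sequence for a dynamic-looking client is SLEEP, then one greylist deferral, then acceptance, which is the "permits after 2 time retries" behaviour in the feature list; a client that sits through the tarpit on the first attempt is never greylisted at all, which is what keeps the false-positive rate down compared to plain greylisting.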
Re: Setting the source port for outgoing email
Aaron Wolfe wrote: Blocking outbound SMTP traffic from sources other than your mail server will prevent you from being blacklisted, plain and simple, unless of course you are sending spam from your mail server. It's not that simple. Blocking outbound SMTP traffic keeps you off 99% of blacklists, that blacklist you based on mail received. We have had no problem to date in achieving this, because we block outgoing smtp as you described. The last 1% of the blacklists are more wide in their detection of network abuse, and will blacklist an IP based on portscanning or DoS, and various other unsavory things typically committed by trojans that are inserted by ignorant users, and that represent a constant battle to keep off the network. The vast majority of the net chooses blacklists carefully, choosing from the 99% of blacklists that block based on mail. A small subset of ISPs however choose to throw caution to the wind and include that 1% of aggressive blacklists to their mail filtering configurations, causing mail to consistently bounce when sent to certain key email addresses. This causes end users to ask why is it that mail works for everybody else, but doesn't want to work when they try email that particular client at that particular ISP. (By way of an example we found recently, one particular ISP had decided to reduce the maximum email size when the sender IP was blocked by at least one of a list of 125 blacklists. The IP was on 1 out of the 125 lists, and so all mails larger than 1MB were bounced. No I don't understand for a second the twisted logic that led this ISP to create this configuration, but the client insisted on staying with that ISP, and we had to work around the problem or not communicate with that client). I don't know exactly what you are talking about with the port scans, but if you are scanning other people's networks without their permisson, do expect to be blocked. If you are allowing your users to do the same, expect to be blocked. 
Why you you not simply block this before it leaves your network, like (almost) everyone else does? Because it makes no difference - if an end user can access an outgoing port, then that end user's machine can portscan across IPs on that port, or simply DDoS to a specific accessible port on an accessible IP. As long as a user can see the net, a trojan can see the net too. It is that simple. Regards, Graham -- smime.p7s Description: S/MIME Cryptographic Signature
Re: Postfix anormal DNS lookup ?
Seblu:
> and after a test my binary return a good resolution
>
> ./a.out
> server: got connection from 192.42.42.1
> host=toto.titi
>
> and the function gethostbyaddr return also a good answer !

Ok, now you should learn to find out what configuration files your
program uses.

$ ktrace ./a.out
$ kdump | grep NAMI | grep /etc

Obviously, the Postfix smtpd process is not using those files.
Have you considered the possibility of a mis-configured

/var/spool/postfix/etc/resolv.conf
/var/spool/postfix/etc/hosts

or some other configuration file used by getnameinfo()?

	Wietse

> I don't do a system OpenBSD bug report because all other
> software has a normal behaviour.
>
> If you don't have an idea, i can try with openbsd dev, like Wietse
> suggest to me.
>
> --
> Sébastien Luttringer
> www.seblu.net
mail forwarding, envelope sender and canonical_maps
Hi,

until now I worked around the SPF / mail forwarding / envelope-from problem by using expand_owner_alias and having two local aliases for every virtual user who wants his mail delivered to another account:

virtual:  [EMAIL PROTECTED]   john
aliases:  john: [EMAIL PROTECTED]
aliases:  owner-john: postmaster
main.cf:  expand_owner_alias = yes

A few days ago I read on postfix-users that the same can be achieved by using canonical_maps and canonical_classes. I tried this, set the latter variable to envelope_sender and created a regexp canonical map like this one:

!/^.*@(doe.com|bar.net)$/   [EMAIL PROTECTED]

The obvious problem with that setup is that postfix is not only going to rewrite the envelope from before passing the mail to smtp -- it will also do it when resubmitting the mail locally. Afterwards I considered adding:

-o receive_override_options=no_address_mappings

to smtpd in master.cf, but since I was no longer sure about what I was doing I gave it up.

Is it even possible to use canonical_maps in order to rewrite envelope senders for smtp(8) only? Or are there even better ways to accomplish the same?

Any help appreciated,
Petar
Re: Setting the source port for outgoing email
Graham Leggett: [ Charset ISO-8859-1 unsupported, converting... ] > Hi all, > > I have a machine that is both a postfix mailserver, and a NAT router for > a number of machines behind the box. > > Because traffic from machines behind the box can cause the mailserver's > IP to be blacklisted, the mailserver machine has two IP addresses, one > for the mailserver, and one for NAT. > > There is a problem: postfix seems to be hell bent on choosing the NAT IP > address as a source IP for outgoing connections, instead of the IP > address specified by inet_interfaces: > > inet_interfaces = $myhostname > > According to the docs at http://www.postfix.org/postconf.5.html, "When > inet_interfaces specifies just one IPv4 and/or IPv6 address that is not > a loopback address, the Postfix SMTP client will use this address as the > IP source address for outbound mail" > > This doesn't seem to be happening. Instead, postfix wants to choose the > other IP address (which happens to be the NAT address) on the interface, > rather than IP address @myhostname, which is the first IP on the interface. > > Can anyone confirm whether setting the source address in postfix is even > possible, and how to force postfix to use a specific IP as a source address? > > I am using postfix-2.3.3-2 as shipped with RHEL5. Prove it. Show actual evidence, instead of an eyewitness report. Wietse
Re: Setting the source port for outgoing email
On Wed, Aug 6, 2008 at 7:12 PM, Graham Leggett <[EMAIL PROTECTED]> wrote: > Aaron Wolfe wrote: > > If your network is doing things to get itself blacklisted, fix the >> problem! Filter outbound SMTP, cleanup your network clients, whatever. >> > > Been there, done that, way ahead of you. > > You may not be aware of this, but while filtering outbound SMTP stops > outgoing spam, it does not stop portscans, or various other activities which > will cause that IP to be blacklisted on various networks, as they are free > and should be free to do. You also may not be aware that performing frequent > network scans and cleanups as we do does not make you immune to infection > from new online threats. > Blocking outbound SMTP traffic from sources other than your mail server will prevent you from being blacklisted, plain and simple, unless of course you are sending spam from your mail server. I don't know exactly what you are talking about with the port scans, but if you are scanning other people's networks without their permisson, do expect to be blocked. If you are allowing your users to do the same, expect to be blocked. Why you you not simply block this before it leaves your network, like (almost) everyone else does? > > "Whatever" is not a network abuse strategy, I am afraid. > Seems to be yours. Police your outbound traffic if you don't want to be blocked. If this was a big problem for most admins, we'd all be blocked, no? > > > Don't try to use a different IP to avoid doing the right thing and then >> ask other mail admins for help so your network can continue to pollute our >> networks! >> > > So an ill informed knee jerk reaction from you means that a potential bug > in postfix goes unfixed. > First, I am not a postfix developer, and my postings on this list do not represent the postfix project in any way. Nothing I say will make any difference in anything that happens with postfix. Second, there is no bug in postfix. You have a broken NAT config. 
If you'd like to argue to the contrary, please provide netstat output and your current NAT configuration. > > Thanks for your help so far, it is appreciated. > I have told you what your problem is. I hope you do appreciate that. > > Regards, > Graham > -- >
Re: Setting the source port for outgoing email
Aaron Wolfe wrote:

> This doesn't prove Postfix is using the wrong interface. It simply means
> the traffic is seen by the upstream server as coming from the wrong
> interface. It is much more likely that your NAT config is wrong and is
> SNATing the mail traffic to the same address that it SNATs everything else.

You were 100% right - the iptables setting had incorrectly left out the private source address, and was SNATing the public traffic when it wasn't supposed to. Telling the SNAT to only touch 192.168.0.0/16 solved the problem.

As I said before, thank you for the help.

Regards,
Graham
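Added example (not from any of the posters): a Python model of the SNAT mistake Graham describes and of the Received-header check he used to spot it. A POSTROUTING SNAT rule with no source match (in iptables terms, one without -s) rewrites every packet leaving the interface, including the mail server's own connections; restricting it to the LAN (-s 192.168.0.0/16) leaves the mail server's source address alone. The public addresses are placeholders from the documentation ranges, the thread does not give the real ones, and the Received line is constructed to show the symptom.

```python
import ipaddress
import re
from typing import Optional

# Placeholder addresses (documentation ranges); the thread does not publish the real ones.
MAIL_IP = "198.51.100.10"   # first public IP: bound by Postfix, the expected source address
NAT_IP = "198.51.100.11"    # second public IP: the SNAT address for the LAN
LAN = ipaddress.ip_network("192.168.0.0/16")


class SnatRule:
    """One POSTROUTING SNAT rule: an optional source-network match and the address
    to rewrite to. source_match=None models a rule written without -s, which
    matches every packet leaving the interface (the broken configuration)."""

    def __init__(self, source_match: Optional[ipaddress.IPv4Network], to_source: str):
        self.source_match = source_match
        self.to_source = to_source


def outbound_source(rules, src_ip: str) -> str:
    """Source address the upstream peer sees after the first matching SNAT rule."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.source_match is None or ip in rule.source_match:
            return rule.to_source
    return src_ip   # no rule matched: the packet leaves with its real source


BROKEN_RULES = [SnatRule(None, NAT_IP)]   # SNAT everything, mail server included
FIXED_RULES = [SnatRule(LAN, NAT_IP)]     # SNAT only 192.168.0.0/16, as in Graham's fix

# Constructed Received line modelled on the symptom: the upstream saw the NAT address.
SAMPLE_RECEIVED = ("Received: from mail.example.net (mail.example.net [198.51.100.11])\n"
                   "\tby mx.example.org (Postfix) with ESMTP id PLACEHOLDER-ID")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_source_matches(received_header: str, expected_ip: str) -> bool:
    """Compare the bracketed peer IP in a Received: line with the expected source.
    A mismatch is the symptom Graham saw; it tells you what the upstream observed
    after NAT, not which address the SMTP client actually bound to."""
    m = RECEIVED_IP_RE.search(received_header)
    return m is not None and m.group(1) == expected_ip


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, "mail server ->", outbound_source(rules, MAIL_IP),
              "| LAN host ->", outbound_source(rules, "192.168.10.5"))
    print("Received header shows expected source:", received_source_matches(SAMPLE_RECEIVED, MAIL_IP))
```

The check that settles the question is the one Aaron asked for: compare the local address of the outbound connection on the box itself (netstat) with the address in the upstream's Received header; if they differ, the rewrite happened after Postfix and the fix belongs in the NAT rule, not in main.cf.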
Re: Postfix anormal DNS lookup ?
On Wed, Aug 6, 2008 at 8:28 PM, Wietse Venema <[EMAIL PROTECTED]> wrote: > Seblu: >> On Tue, Aug 5, 2008 at 12:56 PM, Wietse Venema <[EMAIL PROTECTED]> wrote: >> > Seblu: >> > [ Charset ISO-8859-1 unsupported, converting... ] >> >> Hello, >> >> >> >> i use postfix postfix 2.5.1 on an OpenBSD 4.3 and i have a stange >> >> behaviour (for me) with DNS lookup in logs. >> >> >> >> i've a local dns, which resolv 192.42.42.1 to toto.titi >> >> >> >> # host 192.42.42.1 >> >> 1.42.42.192.in-addr.arpa domain name pointer toto.titi. >> > >> > Not here: >> > >> > % host 192.42.42.1 >> > 1.42.42.192.in-addr.arpa domain name pointer accessa.unine.ch. >> > >> > Check your resolv.conf files. >> >> My resolv.conf is : >> >> search toto >> nameserver 127.0.0.1 >> lookup file bind >> >> >> but if my resolv.conf was not good, host command not answer corrrectly. No ? >> >> I paste the dig result. >> >> >> # dig -t ptr 1.42.42.192.in-addr.arpa @127.0.0.1 >> >> ; <<>> DiG 9.4.2 <<>> -t ptr 1.42.42.192.in-addr.arpa @127.0.0.1 >> ;; global options: printcmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10197 >> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 >> >> ;; QUESTION SECTION: >> ;1.42.42.192.in-addr.arpa. IN PTR >> >> ;; ANSWER SECTION: >> 1.42.42.192.in-addr.arpa. 3600 IN PTR raptor.toto. >> >> ;; AUTHORITY SECTION: >> 42.42.192.in-addr.arpa. 3600IN NS ns.toto. >> >> ;; ADDITIONAL SECTION: >> ns.toto. 3600IN A 192.42.42.254 >> >> ;; Query time: 2 msec >> ;; SERVER: 127.0.0.1#53(127.0.0.1) >> ;; WHEN: Wed Aug 6 18:54:28 2008 >> ;; MSG SIZE rcvd: 110 >> >> >> and the arp command has a right answer >> >> # arp -a >> toto.titi (192.42.42.1) at 00:1d:7d:03:6a:zb on vlan42 >> >> >> I'm really lost. > > Postfix does not use DNS to look up the SMTP client hostname. > Postfix uses the getnameinfo() system library routine. 
> If the getnameinfo() system library routine does not produce the
> answer that you like to see, then that is not a problem in Postfix.
> It can be solved by someone who is familiar with the implementation
> details of OpenBSD.

ok but

cerber /tmp # cat test2.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <err.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/wait.h>
#include <signal.h>

#define MYPORT 3490    // the port users will be connecting to

int main(void)
{
    int sockfd, new_fd;             // listen on sock_fd, new connection on new_fd
    struct sockaddr_in my_addr;     // my address information
    struct sockaddr_in their_addr;  // connector's address information
    socklen_t sin_size;
    int yes = 1;

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }
    if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1) {
        perror("setsockopt");
        exit(1);
    }

    my_addr.sin_family = AF_INET;          // host byte order
    my_addr.sin_port = htons(MYPORT);      // short, network byte order
    my_addr.sin_addr.s_addr = INADDR_ANY;  // automatically fill with my IP
    memset(my_addr.sin_zero, '\0', sizeof my_addr.sin_zero);

    if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof my_addr) == -1) {
        perror("bind");
        exit(1);
    }
    if (listen(sockfd, 2) == -1) {
        perror("listen");
        exit(1);
    }

    while (1) {  // main accept() loop
        sin_size = sizeof their_addr;
        if ((new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) {
            perror("accept");
            continue;
        }
        printf("server: got connection from %s\n", inet_ntoa(their_addr.sin_addr));
        if (send(new_fd, "Hello, world!\n", 14, 0) == -1) {
            perror("send");
        }

        // Reverse-resolve the peer the same way smtpd does: getnameinfo(), not DNS directly.
        // sa_len is a BSD-specific sockaddr field; on OpenBSD it holds the address length.
        char hbuf[NI_MAXHOST];
        int ret = getnameinfo((struct sockaddr *)&their_addr,
                              ((struct sockaddr *)&their_addr)->sa_len,
                              hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD);
        if (ret)
            errx(1, "%s", gai_strerror(ret));  // never pass a non-literal as the format string
        else
            printf("host=%s\n", hbuf);

        close(new_fd);  // parent doesn't need this
    }
    return 0;
}

and after a test my binary return a good resolution

./a.out
server: got connection from 192.42.42.1
host=toto.titi

and the function gethostbyaddr return also a good answer !

I don't do a system OpenBSD bug report because all other software has a normal behaviour.

If you don't have an idea, i can try with openbsd dev, like Wietse suggest to me.

--
Sébastien Luttringer
www.seblu.net
Re: Setting the source port for outgoing email
Aaron Wolfe wrote:

> If your network is doing things to get itself blacklisted, fix the
> problem! Filter outbound SMTP, cleanup your network clients, whatever.

Been there, done that, way ahead of you.

You may not be aware of this, but while filtering outbound SMTP stops outgoing spam, it does not stop portscans, or various other activities which will cause that IP to be blacklisted on various networks, as they are free and should be free to do. You also may not be aware that performing frequent network scans and cleanups as we do does not make you immune to infection from new online threats.

"Whatever" is not a network abuse strategy, I am afraid.

> Don't try to use a different IP to avoid doing the right thing and then
> ask other mail admins for help so your network can continue to pollute
> our networks!

So an ill-informed knee-jerk reaction from you means that a potential bug in postfix goes unfixed.

Thanks for your help so far, it is appreciated.

Regards,
Graham
Re: Setting the source port for outgoing email
On Wed, Aug 6, 2008 at 6:48 PM, Graham Leggett <[EMAIL PROTECTED]> wrote: > Aaron Wolfe wrote: > > What makes you think postfix is choosing the wrong interface? >> > > The Received line added by the upstream mailserver receiving the test > messages from this box clearly shows that it received the email from the > second (NAT) public IP, instead of the primary public IP of the mailserver. > This doesn't prove Postfiix is using the wrong interface. It simply means the traffic is seen by the upstream server as coming from the wrong interface. It is much more likely that your NAT config is wrong and is SNATing the mail traffic to the same address that it SNATs everything else. If you want me to believe for a second that Postfix is not working correctly, show us netstat output. > > The IP address in the Received line does not match the IP address > configured as the source address. Both public IPs are aliased on the same > interface. > > > Regards, > Graham > -- >
Re: Setting the source port for outgoing email
On Wed, Aug 6, 2008 at 6:23 PM, Graham Leggett <[EMAIL PROTECTED]> wrote: > Graham Leggett wrote: > > Because traffic from machines behind the box can cause the mailserver's IP >> to be blacklisted, the mailserver machine has two IP addresses, one for the >> mailserver, and one for NAT. >> > > Just to be clear - the box has two public routeable IPs on the same > interface. > > The first public routable IP address is used by the mailserver to bind to, > and this IP is where the mailserver receives mail, and is the IP address > listed in inet_interfaces and should in theory be the source address. > > The second public routable IP address is the address to which the NAT > network is translated to. In practice, postfix is using this address as a > source address, when it shouldn't do so, causing outgoing mail to be > blacklisted and bounced anyway. > If your network is doing things to get itself blacklisted, fix the problem! Filter outbound SMTP, cleanup your network clients, whatever. Don't try to use a different IP to avoid doing the right thing and then ask other mail admins for help so your network can continue to pollute our networks! > > Regards, > Graham > -- >
Re: Setting the source port for outgoing email
Aaron Wolfe wrote:

> What makes you think postfix is choosing the wrong interface?

The Received line added by the upstream mailserver receiving the test messages from this box clearly shows that it received the email from the second (NAT) public IP, instead of the primary public IP of the mailserver.

The IP address in the Received line does not match the IP address configured as the source address. Both public IPs are aliased on the same interface.

Regards,
Graham
Re: Setting the source port for outgoing email
On Wed, Aug 6, 2008 at 6:16 PM, Graham Leggett <[EMAIL PROTECTED]> wrote: > Hi all, > > I have a machine that is both a postfix mailserver, and a NAT router for a > number of machines behind the box. > > Because traffic from machines behind the box can cause the mailserver's IP > to be blacklisted, the mailserver machine has two IP addresses, one for the > mailserver, and one for NAT. > > There is a problem: postfix seems to be hell bent on choosing the NAT IP > address as a source IP for outgoing connections, instead of the IP address > specified by inet_interfaces: > > inet_interfaces = $myhostname > > According to the docs at http://www.postfix.org/postconf.5.html, "When > inet_interfaces specifies just one IPv4 and/or IPv6 address that is not a > loopback address, the Postfix SMTP client will use this address as the IP > source address for outbound mail" > > This doesn't seem to be happening. Instead, postfix wants to choose the > other IP address (which happens to be the NAT address) on the interface, > rather than IP address @myhostname, which is the first IP on the interface. > What makes you think postfix is choosing the wrong interface? Show us netstat output. I'd bet postfix is doing exactly what you'd configured it to do, and your NAT setup is incorrectly configured. > > Can anyone confirm whether setting the source address in postfix is even > possible, and how to force postfix to use a specific IP as a source address? > > I am using postfix-2.3.3-2 as shipped with RHEL5. > > > Regards, > Graham > -- >
Re: Setting the source port for outgoing email
Graham Leggett wrote:

> Because traffic from machines behind the box can cause the mailserver's
> IP to be blacklisted, the mailserver machine has two IP addresses, one
> for the mailserver, and one for NAT.

Just to be clear - the box has two public routable IPs on the same interface.

The first public routable IP address is used by the mailserver to bind to, and this IP is where the mailserver receives mail, and is the IP address listed in inet_interfaces and should in theory be the source address.

The second public routable IP address is the address to which the NAT network is translated. In practice, postfix is using this address as a source address, when it shouldn't do so, causing outgoing mail to be blacklisted and bounced anyway.

Regards,
Graham
Use a recipients_map for spamassassin
Hello.

I'm looking for a solution to deactivate the antispam solution for a few recipients. By default, spamassassin is activated for all mails, with a rule like:

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin

I would like to know if you have a solution to launch spamassassin *only* if the recipient wants to have an antispam solution. For example, to have a recipients_map with all domains to analyse with spamassassin.

I think a solution could be to customize master.cf, but I don't have any idea of how to do this.

Do you have some ideas?

Thanks!

Regards,
--
- Nicolas.
Setting the source port for outgoing email
Hi all,

I have a machine that is both a postfix mailserver, and a NAT router for a number of machines behind the box.

Because traffic from machines behind the box can cause the mailserver's IP to be blacklisted, the mailserver machine has two IP addresses, one for the mailserver, and one for NAT.

There is a problem: postfix seems to be hell bent on choosing the NAT IP address as a source IP for outgoing connections, instead of the IP address specified by inet_interfaces:

inet_interfaces = $myhostname

According to the docs at http://www.postfix.org/postconf.5.html, "When inet_interfaces specifies just one IPv4 and/or IPv6 address that is not a loopback address, the Postfix SMTP client will use this address as the IP source address for outbound mail"

This doesn't seem to be happening. Instead, postfix wants to choose the other IP address (which happens to be the NAT address) on the interface, rather than IP address @myhostname, which is the first IP on the interface.

Can anyone confirm whether setting the source address in postfix is even possible, and how to force postfix to use a specific IP as a source address?

I am using postfix-2.3.3-2 as shipped with RHEL5.

Regards,
Graham
Re: newbie - postfix filter
I already have a program that works externally from Postfix. It is getting it to work from within Postfix that is the issue. Even the script from http://www.postfix.org/FILTER_README.html#simple_filter does not work. I think there is something I need to set in main.cf.

I added the following to my master.cf per the instructions (zenoss is the user name) (all one line):

    filter unix - n n - 10 pipe flags=Rq user=zenoss argv=/tmp/tmp.filter.sh -f ${sender} -- ${recipient}

    $ ll /tmp/tmp.filter.sh
    -r-xr-xr-x 1 zenoss users 780 Aug 6 15:51 /tmp/tmp.filter.sh

/tmp/tmp.filter.sh:

    #!/bin/sh

    # Simple shell-based filter. It is meant to be invoked as follows:
    #       /path/to/script -f sender recipients...

    # Localize these. The -G option does nothing before Postfix 2.3.
    INSPECT_DIR=/var/spool/filter
    SENDMAIL="/usr/sbin/sendmail -G -i"   # NEVER NEVER NEVER use "-t" here.

    # Exit codes from <sysexits.h>
    EX_TEMPFAIL=75
    EX_UNAVAILABLE=69

    # Clean up when done or when aborting.
    #trap "rm -f in.$$" 0 1 2 3 15

    # Start processing.
    cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

    cat >in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

    # Specify your content filter here.
    # filter /tmp/tmp.msg.$$

    # Re-inject the saved copy. The redirect from in.$$ is required: stdin
    # was already consumed by the cat above, so without it sendmail gets an
    # empty message.
    $SENDMAIL "$@" <in.$$

Wietse Venema wrote:
> Jamie Bohr:
>> Hello,
>>
>> I am a newbie for advanced Postfix configuration, I use Postfix at work
>> but the settings are given to me. I would like to add a filter but am
>> having trouble understanding what I need to do. Postfix is a great
>> tool and very extensive, that being said there are a lot of options/
>> configurations an administrator needs to understand; I am hoping the
>> group will get me going in the right direction.
>>
>> I need to write a filter for outgoing mail on a server that runs an
>> external script that analyzes the message (body and header) and
>> determines if:
>>
>> 1. the message should be sent or discarded
>> 2. changes the content of the message when/if appropriate
>>
>> I have the script (Perl) already done, I am having trouble getting
>> Postfix to run the script. I am using
>> http://www.postfix.org/FILTER_README.html#simple_filter
>> as a guide but am having no success. I am using postfix-2.3.3-2 on
>> RHEL 5 server. Some guidance would be greatly appreciated.
>
> If you have difficulties writing a program that runs as a content
> filter, then I strongly suggest that you don't do that. Instead,
> use a program that already works.
>
>        Wietse
>
--
Jamie Bohr
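Two things from this thread fit together: Nicolas's wish (above) to run a filter only for recipients listed in a map, and Jamie's pipe-based simple_filter, whose master.cf entry above defines the filter service but never hooks it into the mail flow. The configuration below is an added example, not either poster's setup and not text from FILTER_README; the service name "filter", the filter user "filter", the script path /usr/local/bin/tmp.filter.sh and the table /etc/postfix/filter_recipients are assumed names, and example.com / user@example.org are constructed entries. For Nicolas's setup the service name would be his existing "spamassassin" service instead of "filter".

```conf
# ---- master.cf -----------------------------------------------------------
# Pipe-based filter service (added example). flags=R prepends a Return-Path:
# header, flags=q quotes the addresses passed in argv; null_sender= keeps
# bounces (empty envelope sender) deliverable to the script (Postfix 2.3+).
filter    unix  -       n       n       -       10      pipe
  flags=Rq user=filter null_sender=
  argv=/usr/local/bin/tmp.filter.sh -f ${sender} -- ${recipient}

# The global hook would be "-o content_filter=filter:dummy" on this line.
# Leave it OFF when the filter is to be chosen per recipient:
smtp      inet  n       -       n       -       -       smtpd

# ---- main.cf -------------------------------------------------------------
# Choose the filter from an access table instead of for every message.
# reject_unauth_destination must stay in front of the access lookup.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/filter_recipients

# ---- /etc/postfix/filter_recipients (constructed entries) ----------------
# Lookup order for user@example.com is: user@example.com, example.com,
# then user@ ; the FILTER action routes the message through the pipe
# service above. Destination "dummy" is ignored by the pipe transport.
example.com         FILTER filter:dummy
user@example.org    FILTER filter:dummy
```

Build the table with `postmap /etc/postfix/filter_recipients`, create the script's working directory (`mkdir /var/spool/filter; chown filter /var/spool/filter; chmod 500 /var/spool/filter`) and `postfix reload`. One caveat a practitioner should know before relying on this for a "filter only these people" policy: a FILTER action from an access map applies to the whole message, so a message with several recipients is filtered for all of them as soon as one recipient matches, and if several recipients match, the last FILTER seen wins. The script itself must exit 0 after re-injecting, or with EX_UNAVAILABLE (69) to reject the message.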
Tarpitting - postfix vs spamd
I was looking into doing some tarpit testing and I was wondering if the implementation of tarpitting built into postfix acts the same way as "spamd" handles it. I read a summary for spamd and then read what the postfix configurations did and it doesn't sound like they do the same thing, but they're both called tarpitting.

As far as I understand, spamd actually holds the connection open while postfix just stops responding to concurrent connections for a certain amount of time? Was wondering if someone could correct me on this.

These are the summaries I'm reading.

spamd: Spamd will decrease the TCP window length to one to slow the connection down to one byte per second and will not let the connection go.

Postfix: When a remote SMTP client makes errors, the Postfix SMTP server can insert delays before responding. This can help to slow down run-away software.

As a last note. Is there any way to automatically set a postfix mta to tarpit all incoming mail for a set time? Like set smtpd_soft_error_limit=0; maybe that works, I dunno, cause I haven't tried yet.

Thanks,
James
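The Postfix summary James quotes maps onto three main.cf parameters. The fragment below is an added example with constructed values, not from the post or copied from the Postfix documentation; it shows what Postfix's error-driven delay actually is, as distinct from spamd's TCP-window approach.

```conf
# main.cf (added example; values are illustrative, defaults noted inline)

# Number of errors (unknown recipients, bad commands, ...) a client may
# make without delivering mail before EVERY response to it is delayed.
# Default 10. With 0, the first error already starts the delays.
smtpd_soft_error_limit = 3

# Delay inserted before each response once the soft limit is exceeded.
# Default 1s. This is the only "tarpit" Postfix has: the connection is
# not held open by shrinking the TCP window as spamd does.
smtpd_error_sleep_time = 5s

# Errors after which the client is disconnected outright. Default 20.
smtpd_hard_error_limit = 10
```

Two consequences worth knowing before testing: the delay is per client and only begins after that client has made errors, so a well-behaved client that never errs is never slowed, and the delay is applied per response, so the total time a misbehaving client burns is bounded by the hard limit times the sleep time.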
Re: newbie - postfix filter
Jamie Bohr:
> Hello,
>
> I am a newbie for advanced Postfix configuration, I use Postfix at work
> but the settings are given to me. I would like to add a filter but am
> having trouble understanding what I need to do. Postfix is a great
> tool and very extensive, that being said there are a lot of options/
> configurations an administrator needs to understand; I am hoping the
> group will get me going in the right direction.
>
> I need to write a filter for outgoing mail on a server that runs an
> external script that analyzes the message (body and header) and
> determines if:
>
> 1. the message should be sent or discarded
> 2. changes the content of the message when/if appropriate
>
> I have the script (Perl) already done, I am having trouble getting
> Postfix to run the script. I am using
> http://www.postfix.org/FILTER_README.html#simple_filter
> as a guide but am having no success. I am using postfix-2.3.3-2 on
> RHEL 5 server. Some guidance would be greatly appreciated.

If you have difficulties writing a program that runs as a content filter, then I strongly suggest that you don't do that. Instead, use a program that already works.

	Wietse
newbie - postfix filter
Hello,

I am a newbie for advanced Postfix configuration, I use Postfix at work but the settings are given to me. I would like to add a filter but am having trouble understanding what I need to do. Postfix is a great tool and very extensive, that being said there are a lot of options/configurations an administrator needs to understand; I am hoping the group will get me going in the right direction.

I need to write a filter for outgoing mail on a server that runs an external script that analyzes the message (body and header) and determines if:

1. the message should be sent or discarded
2. changes the content of the message when/if appropriate

I have the script (Perl) already done, I am having trouble getting Postfix to run the script. I am using http://www.postfix.org/FILTER_README.html#simple_filter as a guide but am having no success. I am using postfix-2.3.3-2 on RHEL 5 server. Some guidance would be greatly appreciated.

--
Jamie Bohr
Re: Postfix abnormal DNS lookup?
Seblu:
> On Tue, Aug 5, 2008 at 12:56 PM, Wietse Venema <[EMAIL PROTECTED]> wrote:
>> Seblu:
>> [ Charset ISO-8859-1 unsupported, converting... ]
>>> Hello,
>>>
>>> I use postfix 2.5.1 on an OpenBSD 4.3 and I have a strange
>>> behaviour (for me) with DNS lookup in logs.
>>>
>>> I've a local dns, which resolves 192.42.42.1 to toto.titi
>>>
>>> # host 192.42.42.1
>>> 1.42.42.192.in-addr.arpa domain name pointer toto.titi.
>>
>> Not here:
>>
>> % host 192.42.42.1
>> 1.42.42.192.in-addr.arpa domain name pointer accessa.unine.ch.
>>
>> Check your resolv.conf files.
>
> My resolv.conf is:
>
> search toto
> nameserver 127.0.0.1
> lookup file bind
>
> But if my resolv.conf was not good, the host command would not answer correctly. No?
>
> I paste the dig result.
>
> # dig -t ptr 1.42.42.192.in-addr.arpa @127.0.0.1
>
> ; <<>> DiG 9.4.2 <<>> -t ptr 1.42.42.192.in-addr.arpa @127.0.0.1
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10197
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;1.42.42.192.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 1.42.42.192.in-addr.arpa. 3600 IN PTR raptor.toto.
>
> ;; AUTHORITY SECTION:
> 42.42.192.in-addr.arpa. 3600 IN NS ns.toto.
>
> ;; ADDITIONAL SECTION:
> ns.toto. 3600 IN A 192.42.42.254
>
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Aug 6 18:54:28 2008
> ;; MSG SIZE rcvd: 110
>
> And the arp command has a right answer
>
> # arp -a
> toto.titi (192.42.42.1) at 00:1d:7d:03:6a:zb on vlan42
>
> I'm really lost.

Postfix does not use DNS to look up the SMTP client hostname. Postfix uses the getnameinfo() system library routine.

If the getnameinfo() system library routine does not produce the answer that you like to see, then that is not a problem in Postfix. It can be solved by someone who is familiar with the implementation details of OpenBSD.

	Wietse
Re: Postfix abnormal DNS lookup?
On Tue, Aug 5, 2008 at 12:56 PM, Wietse Venema <[EMAIL PROTECTED]> wrote:
> Seblu:
> [ Charset ISO-8859-1 unsupported, converting... ]
>> Hello,
>>
>> I use postfix 2.5.1 on an OpenBSD 4.3 and I have a strange
>> behaviour (for me) with DNS lookup in logs.
>>
>> I've a local dns, which resolves 192.42.42.1 to toto.titi
>>
>> # host 192.42.42.1
>> 1.42.42.192.in-addr.arpa domain name pointer toto.titi.
>
> Not here:
>
> % host 192.42.42.1
> 1.42.42.192.in-addr.arpa domain name pointer accessa.unine.ch.
>
> Check your resolv.conf files.

My resolv.conf is:

    search toto
    nameserver 127.0.0.1
    lookup file bind

But if my resolv.conf was not good, the host command would not answer correctly. No?

I paste the dig result.

    # dig -t ptr 1.42.42.192.in-addr.arpa @127.0.0.1

    ; <<>> DiG 9.4.2 <<>> -t ptr 1.42.42.192.in-addr.arpa @127.0.0.1
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10197
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;1.42.42.192.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    1.42.42.192.in-addr.arpa. 3600 IN PTR raptor.toto.

    ;; AUTHORITY SECTION:
    42.42.192.in-addr.arpa. 3600 IN NS ns.toto.

    ;; ADDITIONAL SECTION:
    ns.toto. 3600 IN A 192.42.42.254

    ;; Query time: 2 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Aug 6 18:54:28 2008
    ;; MSG SIZE rcvd: 110

And the arp command has a right answer:

    # arp -a
    toto.titi (192.42.42.1) at 00:1d:7d:03:6a:zb on vlan42

I'm really lost.

--
Sébastien Luttringer
www.seblu.net
Re: Postfix SASL connectivity problem
[EMAIL PROTECTED] wrote:
> Dear users,
>
> We have installed postfix 2.4.7 from source with openldap and cyrus-sasl
> support. We have also installed openldap 2.3.39 and cyrus-sasl-2.1.21.
>
> cyrus-sasl is installed in the /usr/local/cyrus-sasl directory. How to tell
> Postfix to look for cyrus-SASL in this directory?
>
> Anant

Please refer to the following pages:

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
Thank you for using Postfix.

See Also: http://www.postfix.org/SASL_README.html

Brian
Re: smart hosting issues
Stan Hoeppner:
> Henrik K wrote:
>> Sorry if I don't offer sympathies, but Postfix is notoriously well
>> documented and maintained. A quick look into the man page will show you how
>> it's spelled.
>
> You missed my point entirely, it seems...

Take this discussion off-list or I will terminate subscriptions.
Re: smart hosting issues
Henrik K wrote:
> Sorry if I don't offer sympathies, but Postfix is notoriously well
> documented and maintained. A quick look into the man page will show you how
> it's spelled.

You missed my point entirely, it seems...

> I agree that Postfix should warn in that case.

I don't understand why it doesn't, and it baffles me that the two spellings have different functionality. And, given this state of affairs, what was that you were saying about the documentation? Care to point me to the docs that detail all of this? ;)
Re: smart hosting issues
On Wed, Aug 06, 2008 at 04:59:48AM -0500, Stan Hoeppner wrote:
>
> And if you mention "man pages" I'll kick you in the teeth Henrik. No
> one would ever write a "how-to" if man pages were the holy grail of
> implementation. And I don't have the time to sift through man pages
> trying to find why "relay_host" is different than "relayhost". The
> answer isn't likely to be found there anyway.

Sorry if I don't offer sympathies, but Postfix is notoriously well documented and maintained. A quick look into the man page will show you how it's spelled.

I agree that Postfix should warn in that case.
Re: smart hosting issues
Noel Jones wrote:
> # main.cf
> relayhost = [smtp.sbc.mail.yahoo4.akadns.net]
>
> # transport
> hardwarefreak.com smtp:[192.168.100.2]
>
> All mail is sent to the relayhost, except for overrides listed in the
> transport map.

Thank you Noel and to others who answered. Apparently what was breaking this before was that I was using "relay_host" with the underscore in the middle (I know this because the line is commented out in my main.cf with a date of Oct 2005). Using "relayhost" today works. Using "relay_host" causes the situation I describe down below.

Anyway, Thanks! It's working now! Yay! Finally!

Henrik K wrote:
> Three years you didn't look at any documentation? I'm beginning not to
> wonder..

/begin rant

Henrik, you make a *very* incorrect assumption here. The last time I tried to get this working I spent an enormous amount of time in docs and how-to's and spent the better part of 2 days in IRC #Postfix chatting with MANY Postfix experts, also with SBC tech support tracking the outbound connections, and *nobody* could figure it out. Again, this was quite a while ago (3 years), and we were working on many different issues in my setup, this being one, so I don't have an exact recollection of everything we did. A correct assumption you should make would be that the entire process back then became so damn frustrating that once I got things working "good enough" I left the frustration behind and moved on.

Anyway, using 'relay_host' causes the outbound mail to route through a different set of Yahoo servers than the ones that support SASL. It's the same thing that happened 3 years ago IIRC. Why we didn't catch this 'relayhost' spelling issue back then I don't know, but it does seem odd that we didn't. Maybe the underscore was proper back then, I don't know.

What's strange is that there is no error generated in /var/log/mail.log when I use "relay_host" in main.cf instead of "relayhost". Why is no error being logged? Is "relay_host" actually valid and used somewhere? I'm on 2.3.8 if that matters.

The worldwide documentation situation for Postfix is atrocious. I cannot be the only person to have noticed this. There are too damn many articles, guides, and how-to's along with 'official' documentation indexed by Google et al that are out of date, conflicting, or not 'versioned'. I'm not slinging mud at anyone, I'm just making an observation. Here's a prime example. Google for Postfix UCE and this is the first page hit you get:

http://www.postfix.org/uce.html#smtpd_client_restrictions

** Note: this web page is no longer maintained. It exists only to avoid breaking links in web pages that describe earlier versions of the Postfix mail system.

And if you mention "man pages" I'll kick you in the teeth Henrik. No one would ever write a "how-to" if man pages were the holy grail of implementation. And I don't have the time to sift through man pages trying to find why "relay_host" is different than "relayhost". The answer isn't likely to be found there anyway.

Henrik, maybe now you have a better understanding of why this has been such a huge PITA trying to get this working. So please don't make the juvenile assumption in the future that people who ask questions about "simple" or "easy" issues haven't read the documentation!

/end rant

Stan
Postfix SASL connectivity problem
Dear users,

We have installed postfix 2.4.7 from source with openldap and cyrus-sasl support. We have also installed openldap 2.3.39 and cyrus-sasl-2.1.21.

cyrus-sasl is installed in the /usr/local/cyrus-sasl directory. How to tell Postfix to look for cyrus-SASL in this directory?

Anant
Re: Deferred queue directories
* ram <[EMAIL PROTECTED]>:
> postfix has defer & deferred queue directories
>
> In what directory are the mails stored when they get deferred due to an
> "unknown mail transport" error?
> I want to keep monitoring my mail server for such mails

Use mailq and/or qshape

--
Ralf Hildebrandt ([EMAIL PROTECTED]) [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung
Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"A crash is when your competitor's program dies. When your program dies, it is an 'idiosyncrasy'. Frequently, crashes are followed with a message like 'ID 02'. 'ID' is an abbreviation for idiosyncrasy and the number that follows indicates how many more months of testing the product should have had." - Guy Kawasaki
Deferred queue directories
postfix has defer & deferred queue directories

In what directory are the mails stored when they get deferred due to an "unknown mail transport" error? I want to keep monitoring my mail server for such mails.

Thanks
Ram
Re: lmtp port in 2.1.5 vs 2.3.8
Wietse Venema wrote:
> Rudy Gevaert:
>> Hi,
>>
>> Previously we were running postfix 2.1.5 (Debian Sarge) and now have
>> upgraded to 2.3.8 (Etch).
>>
>> We have several lmtp transports in master.cf:
>>
>> mail1 unix - - n - - lmtp
>> mail2 unix - - n - - lmtp
>> mail3 unix - - n - - lmtp
>>
>> We used an ldap directory to route to the correct backend:
>> umTransport: mail1:mail1.ugent.be
>>
>> In postfix 2.1.5 the destination port of our lmtp connections was *by
>> default* 2003.
>
> No, the built-in default LMTP TCP port was 24. However the precedence
> has changed. With 2.1.5, Postfix would use lmtp_tcp_port only if
> /etc/services had no entry for LMTP.

Ok, that clarifies it. Because we had the following entry in /etc/services:

    lmtp 2003/tcp

>> When I did the upgrade to 2.3.8 I noticed that was not the case anymore.
>> It connected to another port (I can't remember what anymore).
>
> The built-in default LMTP TCP port is still 24. However the precedence
> has changed. The lmtp_tcp_port parameter now overrides /etc/services.
> If you want to use /etc/services, you now need to specify:
>
> lmtp_tcp_port = lmtp
>
>> I tried changing lmtp_tcp_port to 2003 but that didn't help.
>
> You mis-typed something.

You are probably right. I checked it again and that works.

> I think the best way out is to drop support for lmtp_tcp_port, for
> consistency with SMTP.

Thank you for your help.

--
Rudy Gevaert  [EMAIL PROTECTED]  tel:+32 9 264 4734
Directie ICT, afd. Infrastructuur    ICT Department, Infrastructure office
Groep Systemen                       Systems group
Universiteit Gent                    Ghent University
Krijgslaan 281, gebouw S9, 9000 Gent, Belgie    www.UGent.be
Re: smart hosting issues
Quoting Stan Hoeppner <[EMAIL PROTECTED]>:
> Hello fellow smart hosters,
>
> I've been running this way for 3 years now because I could never figure
> out how to wildcard "everything else". Here's the top of my transport
> file (a very small portion of it):
>
> hardwarefreak.com   smtp:[192.168.100.2]
> earthlink.net       smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> .earthlink.net      smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> sbcglobal.net       smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> .sbcglobal.net      smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> swbell.net          smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> .swbell.net         smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> sbc.com             smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> .sbc.com            smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> yahoo.com           smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> .yahoo.com          smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> aol.com             smtp:[smtp.sbc.mail.yahoo4.akadns.net]
> .aol.com            smtp:[smtp.sbc.mail.yahoo4.akadns.net]
>
> Is there a way to wildcard everything other than hardwarefreak.com? I'd
> sure like to have a two line transport file instead of 200.

Maybe it's the "relayhost" parameter you are looking for???

Regards
Andi

--
All your trash belong to us ;-)
www.spamschlucker.org