Re: Race in simplest after-queue content filter?

[Karl O. Pinc]

On 09/10/2008 06:14:44 PM, Wietse Venema wrote:

Karl O. Pinc:
> When there's more than one subscriber the same thing
> happens for mail sent to the first subscriber, but
> then the same message is sent to the second subscriber.
> Again, smtp sends a DATA command, gets back a 354,
> sends the message, ends with a period, and gets
> a 250 reply back.  At that point things have changed
> because the smtp side does not send a QUIT, instead it
> closes it's side of the TCP connection with a FIN, ACK.
> I presume that at this point spawn sends awk an EOF on stdin
> because the process tree then looks like this:

Nope, spawn does not close connections. Nor does it inform
the external command that a connection goes away.


I did not say that spawn closed the connection.  I said _smtp_ sent
a FIN/ACK and closed it's side of the TCP connection to
spawn.  At that point spawn can still send to smtp, just not
the reverse.  The smtp side initiates the TCP close handshake.
I'm sorry if this was not clear.

Spawn must inform the external command that no more data is
available on the connection by closing the stdin
of the external command.  Otherwise awk would not have terminated.
Am I misunderstanding?



It's up to the external command to handle an EOF condition
appropriately.  The spawn daemon just waits until the external
command decides to terminate.

In your case awk detects EOF on input and terminates, but apparently
netcat doesn't.


Netcat can.  I can tell it to close the connection as soon as
it receives an EOF.  But is that the appropriate behavior?


To handle mail with SMTP, use software that understands the SMTP
protocol.


"The simplest content filter just copies SMTP commands and data
between its inputs and outputs." says the FILTER_README.  No
understanding required.  So I thought I'd try it.  Here I've
found out otherwise; it is also necessary to understand what
happens when TCP close terminates SMTP early.

It seems sensible to ask here because here there are people
experienced with the corner cases of smtp, and postfix's
relationship with them.  There are enough "should"s,
rather than "must"s, in the SMTP standard and it seems
there's enough wiggle room for plenty of MTA
interoperability issues that I felt
better asking the experts than trying to reason my way
through all the relevant states in an SMTP state machine
using the RFC as a guide.  Even if I got it right there
might be things about postfix I need to know to understand
what will happen in the various cases.

I also thought you'd want to hear of apparent inconsistencies
in the postfix smtp program behavior, sending QUIT when
filtering mail sent to the first recipient of a message
but not to the second, although I'm not interested in
pursuing that if you're not.

So, the simplest possible smtp filter setup in master.cf is
either of the form:

localhost:10025 inet  n   n   n   -   10  spawn
user=filter argv=/bin/nc localhost 10026

or of the form:

localhost:10025 inet  n   n   n   -   10  spawn
user=filter argv=/bin/nc -q 0 localhost 10026

The latter tells netcat to shut down it's connection to smtpd
immediately upon receiving EOF.

Your response above implies that the latter is recommended,
that it won't cause any problems when the SMTP protocol is
terminated early by TCP closure.  I'm fine with that, but I do
want to verify my reading of your response before putting
such a configuration into production.

Thank you for your time.

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein

Re: tracking sent emails

[Sahil Tandon]

Gerardo Herzig <[EMAIL PROTECTED]> wrote:

> Hi all. Im triyng to have some fun building a maillog analizer.
> My starting point is to locate the emails actually sent via the
> /var/log/mail
> 
> It is correct to look for the expression 'removed$' (that is, the word
> 'removed' at the end of the line)?
> That would returns lines like:
> postfix/qmgr[21861]: 49CAF2A5F12: removed
> 
> Those would be the files leaving the queue, rigth? After that, having
> the queue filename, i can do some grep and track the email circuit.
> 
> Im i guessin right? (i know im reinventing the wheel, this is just for 
> fun)
  
For clues, see how this and many other things are done in pflogsumm, 
postfix-logwatch etc.

-- 
Sahil Tandon <[EMAIL PROTECTED]>

Re: Proposing postfix to mgmt as an Exchange replacement

[Jose Ildefonso Camargo Tolosa]

Hi!

I just couldn't avoid reading this post.

I actually make a live out of replacing MS solutions with Open
Source-based solutions.  I know, it is not perfect, and there are some
features that you will not get, but in my experience these features
are not used very often.

Anyway, I would give a try to egroupware:

Postfix + Dovecot + eGroupWare + LDAP

That combination has worked very well for me.

Off course, you could, in theory, use Active Directory for the LDAP
(after all, on of AD's piece is a LDAP server), but I hasn't done that
myself yet.

I hope this helps,

Ildefonso Camargo


On Thu, Sep 11, 2008 at 11:57 AM, dnk <[EMAIL PROTECTED]> wrote:
>
>> As per the subject, I am about to pitch the idea of dumping
>> Exchange
>> and moving to Postfix.  From what I can observe, the Calendar and
>> Meeting functions are used very little if at all.
>
> If you want true drop in replacement, and so on (IE still use active
> directory, etc), you can check out postpath ( http://www.postpath.com/). It
> was just recently purchased by Cisco. It is apparently designed to be
> dropped into a MS environment without the MS environment even knowing it is
> a Linux box.
>
> I myself have not used it... Just been reading a lot of it lately.
>
> d
>

Re: Race in simplest after-queue content filter?

[Wietse Venema]

Karl O. Pinc:
> When there's more than one subscriber the same thing
> happens for mail sent to the first subscriber, but
> then the same message is sent to the second subscriber.
> Again, smtp sends a DATA command, gets back a 354,
> sends the message, ends with a period, and gets
> a 250 reply back.  At that point things have changed
> because the smtp side does not send a QUIT, instead it
> closes it's side of the TCP connection with a FIN, ACK.
> I presume that at this point spawn sends awk an EOF on stdin
> because the process tree then looks like this:

Nope, spawn does not close connections. Nor does it inform
the external command that a connection goes away. 

It's up to the external command to handle an EOF condition
appropriately.  The spawn daemon just waits until the external
command decides to terminate.

In your case awk detects EOF on input and terminates, but apparently
netcat doesn't.

To handle mail with SMTP, use software that understands the SMTP
protocol.

Wietse

Re: Race in simplest after-queue content filter?

[Karl O. Pinc]

On 09/09/2008 04:48:47 PM, Wietse Venema wrote:


Instead of guessing, run a network sniffer that captures the
packet content.


Thank you.  I knew someone would send a good idea my way.

Here's what I found:

Nc seems to be left hanging when there's more than
one subscriber to the email list; when two messages
go through the filter nc is left hanging after
the second pair TCP sessions.

Normally as the filter runs the process tree running
the mailman-filter filter looks like this:


11530 ?S  0:00  \_ spawn -l -n 127.0.0.1:11025 -t inet  
user=mfilter
11626 ?Ss 0:00  |   \_ /bin/sh  
/usr/local/sbin/mailman-filter 127.0.
11627 ?S  0:00  |   \_ awk -W Interactive BEGIN  
{headers = 1;?

11628 ?R  0:00  |   \_ nc 127.0.0.1 11026


With one subscriber, the smtp end sends a packet with a
bunch of SMTP protocol ending with a DATA command,
gets back a bunch of 250 Oks and a 354 reply,
sends the message, ends with a period and then
a QUIT in the same packet, gets back a 250 (queued) reply
and  a 221 (bye) in the same packet.  Then
both the smtp and the smtpd ends close the tcp socket
and awk gets a EOF and ends and nc shuts down as well.
Just as expected.

When there's more than one subscriber the same thing
happens for mail sent to the first subscriber, but
then the same message is sent to the second subscriber.
Again, smtp sends a DATA command, gets back a 354,
sends the message, ends with a period, and gets
a 250 reply back.  At that point things have changed
because the smtp side does not send a QUIT, instead it
closes it's side of the TCP connection with a FIN, ACK.
I presume that at this point spawn sends awk an EOF on stdin
because the process tree then looks like this:

11530 ?S  0:00  \_ spawn -l -n 127.0.0.1:11025 -t inet  
user=mfilter
11537 ?Ss 0:00  |   \_ /bin/sh  
/usr/local/sbin/mailman-filter 127.0.

11539 ?S  0:00  |   \_ nc 127.0.0.1 11026

Spawn does not close it's side of the tcp connection
initiated by smtp.

The system stays in this state for 5 minutes until smtpd
times out.  Then smtpd sends a 421 (timeout exceeded)
back to nc, which sends it to stdout to spawn and
it goes back to smtp.  At that point smtp sends a RST
packet back to spawn and the connection is shut down.
Then smtpd sends a FIN, ACK back to nc, which responds
with it's own FIN, ACK and with a final ACK from smtpd
that side of the filter shuts down gracefully.

So (I think) the question becomes why smtp does not
send a QUIT to end delivery of the 2nd email as it
does the first.


Attached are 4 tcpdumps.  For testing I've used ports
11025 (for spawn) and 11026 (for smtpd) rather than
the 10025 and 10026 documented in my script and in
FILTER_README.

Two files record nc "hanging" there are 2 recipients
of the mailing list.

smtp_side2  Traffic between smtp and spawn.
smtpd_side2 Traffic between spawn (nc) and smtpd.

Two files record a "normal" filter event, there
is only 1 recipient of the mailing list message.

smtp_side3  Traffic between smtp and spawn.
smtpd_side3 Traffic between spawn and smtpd.

Thanks for the help.



Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
 -- Robert A. Heinlein


smtp_side2
Description: Binary data


smtpd_side2
Description: Binary data


smtp_side3
Description: Binary data


smtpd_side3
Description: Binary data

Re: X-Postfix unknown user messages... please help

[Noel Jones]

Mel Brand wrote:

Hi all,

I have some issues with receiving mail on a server that I've set up.
In particular, when I try to send an email to a user that I know
exists, I get an error message:

Action: failed
Status: 5.1.1
Diagnostic-Code: X-Postfix; unknown user: "myusername"


Any ideas what I'm doing wrong? Any help is appreciated!!!
Thanks,
Mel

Sep 10 17:33:12 mx postfix/trivial-rewrite[3625]: warning: do not list
domain mydomain.org in BOTH mydestination and virtual_mailbox_domains


Postfix tells you what the problem is, and how to fix it.


Sep 10 17:33:12 mx postfix/local[3632]: 97F8E680E6:
to=<[EMAIL PROTECTED]>, relay=local, delay=0.11,
delays=0.09/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user:
"myusername")


Because the domain is listed in mydestination, postfix expects 
to find a local unix user with the login ID "myusername".


Sounds as if you want it delivered as a virtual user, not a 
local user, so don't list the domain in mydestination.


http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/VIRTUAL_README.html
http://www.postfix.org/ADDRESS_CLASS_README.html

http://www.postfix.org/DEBUG_README.html#mail

--
Noel Jones

X-Postfix unknown user messages... please help

[Mel Brand]

Hi all,

I have some issues with receiving mail on a server that I've set up.
In particular, when I try to send an email to a user that I know
exists, I get an error message:

Action: failed
Status: 5.1.1
Diagnostic-Code: X-Postfix; unknown user: "myusername"

And [EMAIL PROTECTED] does exist.

I use postfix.admin for admining and in there I have:

mx.mydmain.org  internal domain Aliases: 0 / 0  Mailboxes: 0 / 0
mydomain.orgNo Description  Aliases: 5 / 0  Aliases: 4 / 0  

The user that can't receive email, "myusername", is listed in Virtual
List in Mailboxes section an is Active.

Here's the errors and relevant sections from log and config files.

Any ideas what I'm doing wrong? Any help is appreciated!!!
Thanks,
Mel

PS: I've anonymized these logs by replacing actual domain with
mydomain and actual username with myusername etc.


Error message when trying to send to a user:

This is the mail system at host mx.mydomain.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

  The mail system

<[EMAIL PROTECTED]>: unknown user: "mysername"

Final-Recipient: rfc822; [EMAIL PROTECTED]
Original-Recipient: rfc822;[EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Postfix; unknown user: "myusername"

Bounce message from (/var/log/mail.log):

Sep 10 17:33:11 mx postfix/smtpd[3621]: connect from
rv-out-0506.google.com[209.85.198.225]
Sep 10 17:33:12 mx postfix/trivial-rewrite[3625]: warning: do not list
domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Sep 10 17:33:12 mx postfix/smtpd[3621]: 408C168098:
client=rv-out-0506.google.com[209.85.198.225]
Sep 10 17:33:12 mx postfix/cleanup[3626]: 408C168098:
message-id=<[EMAIL PROTECTED]>
Sep 10 17:33:12 mx postfix/qmgr[2434]: 408C168098:
from=<[EMAIL PROTECTED]>, size=2137, nrcpt=1 (queue active)
Sep 10 17:33:12 mx clamsmtpd: 14: accepted connection from: 127.0.0.1
Sep 10 17:33:12 mx postfix/smtpd[3629]: connect from localhost[127.0.0.1]
Sep 10 17:33:12 mx postfix/trivial-rewrite[3625]: warning: do not list
domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Sep 10 17:33:12 mx postfix/smtpd[3629]: 97F8E680E6:
client=rv-out-0506.google.com[209.85.198.225]
Sep 10 17:33:12 mx postfix/cleanup[3626]: 97F8E680E6:
message-id=<[EMAIL PROTECTED]>
Sep 10 17:33:12 mx postfix/qmgr[2434]: 97F8E680E6:
from=<[EMAIL PROTECTED]>, size=2512, nrcpt=1 (queue active)
Sep 10 17:33:12 mx postfix/smtp[3627]: 408C168098:
to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025,
delay=0.56, delays=0.41/0.01/0.05/0.09, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 97F8E680E6)
Sep 10 17:33:12 mx clamsmtpd: 14: [EMAIL PROTECTED],
[EMAIL PROTECTED], status=CLEAN
Sep 10 17:33:12 mx postfix/trivial-rewrite[3625]: warning: do not list
domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Sep 10 17:33:12 mx postfix/qmgr[2434]: 408C168098: removed
Sep 10 17:33:12 mx postfix/smtpd[3629]: disconnect from localhost[127.0.0.1]
Sep 10 17:33:12 mx postfix/local[3632]: 97F8E680E6:
to=<[EMAIL PROTECTED]>, relay=local, delay=0.11,
delays=0.09/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user:
"myusername")
Sep 10 17:33:12 mx postfix/cleanup[3626]: B344068168:
message-id=<[EMAIL PROTECTED]>
Sep 10 17:33:12 mx postfix/qmgr[2434]: B344068168: from=<>, size=4313,
nrcpt=1 (queue active)
Sep 10 17:33:12 mx postfix/bounce[3633]: 97F8E680E6: sender
non-delivery notification: B344068168
Sep 10 17:33:12 mx postfix/qmgr[2434]: 97F8E680E6: removed
Sep 10 17:33:13 mx postfix/smtp[3634]: B344068168:
to=<[EMAIL PROTECTED]>,
relay=gmail-smtp-in.l.google.com[66.249.83.114]:25, delay=1.2,
delays=0.01/0.01/0.22/1, dsn=2.0.0, status=sent (250 2.0.0 OK
1221067993 h12si7839126wxd.14)
Sep 10 17:33:13 mx postfix/qmgr[2434]: B344068168: removed


Sending from the account works just fine (from /var/log/mail.log):
-
Sep 10 17:25:29 mx postfix/smtpd[3002]: connect from .com[]
Sep 10 17:25:30 mx postfix/smtpd[3002]: 5349168098:
client=.com[], sasl_method=PLAIN,
[EMAIL PROTECTED]
Sep 10 17:25:30 mx postfix/cleanup[3313]: 5349168098:
message-id=<[EMAIL PROTECTED]>
Sep 10 17:25:30 mx postfix/qmgr[2434]: 5349168098:
from=<[EMAIL PROTECTED]>, size=641, nrcpt=1 (queue active)
Sep 10 17:25:30 mx clamsmtpd: 13: accepted connection from: 127.0.0.1
Sep 10 17:25:30 mx postfix/smtpd[3317]: connect from localhost[127.0.0.1]
Sep 10 17:25:30 mx postfix/trivial-rewrite[3314]: warning: do not list
domain mydomain.org in BOTH mydestination and virtual_mailbox_domains
Sep 10 17:25:30 mx postfix/smtpd[3317]: 9FC45680E6:
client=.com[]
Sep 10 17:25:30 mx postfix/cleanup[3313]: 9FC45680E6:
message

Re: inet_trigger_event: read timeout for service

[Victor Duchovni]

On Wed, Sep 10, 2008 at 10:03:26AM -0700, Chris St Denis wrote:

> I have been recently seeing in my logs a fair amount of
> 
> postfix/master[64122]: warning: inet_trigger_event: read timeout for 
> service [x.x.x.x]:465

mistake in your master.cf file. Don't set a wakeup trigger time for
inet services.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

inet_trigger_event: read timeout for service

[Chris St Denis]

I have been recently seeing in my logs a fair amount of

postfix/master[64122]: warning: inet_trigger_event: read timeout for 
service [x.x.x.x]:465


Where x.x.x.x  is one of the mail server's IPs (not the server's main 
IP). The mail server listens on multiple IPs and ports however this only 
this one IP/port combination causes this warning.


I've searched for the error, but the only results have been the contents 
of inet_trigger.c


--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
---
"Smart Internet Solutions For Businesses" 

Re: Proposing postfix to mgmt as an Exchange replacement

[dnk]

> As per the subject, I am about to pitch the idea of dumping
> Exchange
> and moving to Postfix.  From what I can observe, the Calendar and
> Meeting functions are used very little if at all.

If you want true drop in replacement, and so on (IE still use active
directory, etc), you can check out postpath ( http://www.postpath.com/). It
was just recently purchased by Cisco. It is apparently designed to be
dropped into a MS environment without the MS environment even knowing it is
a Linux box.

I myself have not used it... Just been reading a lot of it lately.

d

Re: About removing Received headers with internal IP addresses via header_checks

[mouss]

M. Fioretti wrote:

greetings,

I'm using a postfix server on a remote vps for all the email domains I
control. it is the official MX for all those domains and it only
accepts to relay email from my_networks and SASL authorized clients. I
am playing with the idea of making postfix remove all the Received
headers of authorized outgoing messages, before sending them to the
Internet.

The reasons is I've been asked to not show outside "where" an user was
when he or she composed an email: at the webmail interface in some
remote location, at home, office or anywhere else: "can you make it so
that all messages look like they were composed on the server itself?



The answer depends on the goal, or the exact meaning. There are other 
headers that may give infos on the message origin and path. for example:
- Message-Id. and if you play games with this one, you may break 
conversations (and besides, it is the one found in the Sent folder, 
which postfix does not access).

- X-Mailer, User-Agent, Mime-Version, ...
- the content-type may also give some indication, as different MUAs 
prefer different types and encodings.




Now, I have already done some research and found I could put:

/^Received:/ IGNORE


This will remove _all_ Received headers.

Instead remove selected headers. for example

/^Received:.* \[127\.0\.\.0\1\]\) by \S+\.nexaima\.net \(Postfix\)/
IGNORE

/^Received: by polaris\.local \(Postfix, from userid /
IGNORE

These may still remove "external" headers (either forged or the message 
was forwarded).


if you can get all your "outbound" mail to go through a specific path 
(port 587 for example), then the task will be easier.




in a header_checks file, but a couple of things aren't clear to me.

1) I need to not remove headers of messages *coming* from the Internet
   to my users. Does this trick remove ONLY the Received headers of
   _outgoing_ messages? If yes, and here's the real question, why? Why
   is the check done only for outgoing messages? I'm missing how
   Postfix works here



see above.


2) In this thread 
http://www.nabble.com/Hide-internal-address-(Postfix)-td2300995.html
   a user said:

  If you do so, aren't your mails rejected by some mail servers
  because they consider that you have an illegal or incomplete
  header?

   how big such a risk is? I imagined that if mail seems "born" on a
   server which is the official MX of a domain it should look as legal
   and complete as it gets, isn't it? If the risk does exist, can it
   be removed, and how?


This (Hiding private infos) is known since a long time, so people should 
be prepared to deal with such mail. If you are worried, you can add one 
Received header (use REPLACE instead of IGNORE in one of your expressions).




Finally, besides looking spammish, are there any other reason NOT to
do this? Since this is not a public isp and I serve only a very small
number of users I know, diagnosing troubles that THEY (not external
senders) may have isn't a big deal


The problem is if someone reports spam to you, you will find it hard to 
track the origin and path. otherwise, I don't see any serious problem.

tracking sent emails

[Gerardo Herzig]

Hi all. Im triyng to have some fun building a maillog analizer.
My starting point is to locate the emails actually sent via the
/var/log/mail

It is correct to look for the expression 'removed$' (that is, the word
'removed' at the end of the line)?
That would returns lines like:
postfix/qmgr[21861]: 49CAF2A5F12: removed

Those would be the files leaving the queue, rigth? After that, having
the queue filename, i can do some grep and track the email circuit.

Im i guessin right? (i know im reinventing the wheel, this is just for fun)

Thanks!

Gerardo

Re: Proposing postfix to mgmt as an Exchange replacement

[Oskar Teran]

On Sep 10, 2008, at 10:38 AM, Quanah Gibson-Mount wrote:

--On Tuesday, September 09, 2008 10:50 PM -0400 Aaron Wolfe <[EMAIL PROTECTED] 
> wrote:



On Tue, Sep 9, 2008 at 10:12 PM, Adam Tauno Williams
<[EMAIL PROTECTED]> wrote:
The below isn't meant to shoot down your idea, but I'm an Open  
Source

groupware developer and am very familiar with the Exchange-vs-XYZ
equation.

As per the subject, I am about to pitch the idea of dumping  
Exchange

and moving to Postfix.  From what I can observe, the Calendar and
Meeting functions are used very little if at all.  We have roaming


"very little" is entirely different from not at all.  The
calendar/contact/etc functionality of Exchange is very powerful and
Postfix et al will not provide the same functionality (maybe with
something like $Zimbra) .  Are you sure your users don't need it, or
won't need it next month after the CEO sits next to somebody on a
plane that is real time syncing their Blackberry to their corporate
calendar, etc?


There's also the free version of Zimbra, although it is of course  
more limited in what it does, it does support IMAP/POP &  
calendaring, etc.


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Hi,
I've been down this path before.  Most business owners I've met aren't  
interested in the details of what technologies are used in MS vs open  
source.

They just want the features and want the system to be reliable/stable.

I've installed exchange, zimbra and open-xchange at different sites  
depending on their business needs.


Zimbra is definitely a well designed piece of software.  It gives  
exchange a solid run for it's money while being more reliable and less  
expensive to run (integrated spam and anti-virus).


The thing you need to keep in mind is what other business software is  
this company running and does it REQUIRE OR DOES IT WORK BEST WITH  
exchange?


One place I work at decided to use zetafax ( a windows based fax  
server) without consulting with me.  I would've suggested hylafax (www.ifax.com 
).


Zetafax says it works with any email server via smtp but it's very  
obvious it's designed to work best with exchange.  I've had to do some  
PITA modifications on zimbra to make zetafax work with it.


Please keep this in mind.  What else is in your environment that may  
need to be integrated to your groupware server?


Hope this helps,

Oskar

 

Re: About removing Received headers with internal IP addresses via header_checks

[Noel Jones]

M. Fioretti wrote:

greetings,

I'm using a postfix server on a remote vps for all the email domains I
control. it is the official MX for all those domains and it only
accepts to relay email from my_networks and SASL authorized clients. I
am playing with the idea of making postfix remove all the Received
headers of authorized outgoing messages, before sending them to the
Internet.

The reasons is I've been asked to not show outside "where" an user was
when he or she composed an email: at the webmail interface in some
remote location, at home, office or anywhere else: "can you make it so
that all messages look like they were composed on the server itself?

Now, I have already done some research and found I could put:

/^Received:/ IGNORE

in a header_checks file, but a couple of things aren't clear to me.

1) I need to not remove headers of messages *coming* from the Internet
   to my users. Does this trick remove ONLY the Received headers of
   _outgoing_ messages? If yes, and here's the real question, why? Why
   is the check done only for outgoing messages? I'm missing how
   Postfix works here


header_checks apply to all mail, so something like
/^Recevied: / IGNORE
is far too broad; it will remove headers from incoming mail too.

You can make the expression more specific to just match mail 
from your local internal network.  Something like:

/^Received: .*\[192\.168\..*by
 myserver\.example\.com/ IGNORE

For remote authenticated senders, something like
# main.cf
smtpd_sasl_authenticated_header = yes
# header_checks
/^Received: .*\(Authenticated sender:.*by
 myserver\.example\.com/  IGNORE

For locally submitted mail (ie. via the sendmail(1) command):
/^Received: by myserver\.example\.com .*from userid [0-9]+\)/
 IGNORE

(beware line wrapping in the UNTESTED examples above!)



2) In this thread 
http://www.nabble.com/Hide-internal-address-(Postfix)-td2300995.html
   a user said:

  If you do so, aren't your mails rejected by some mail servers
  because they consider that you have an illegal or incomplete
  header?

   how big such a risk is? I imagined that if mail seems "born" on a
   server which is the official MX of a domain it should look as legal
   and complete as it gets, isn't it? If the risk does exist, can it
   be removed, and how?


Not a big risk.  Blocking mail on such a policy is unwise, but 
some people do unwise things.


If you are concerned about this, you can use the header_checks 
REPLACE action to alter the offending header to some generic 
value, such as replace the IP with some static internal IP. 
Be sure to leave the structure and format of the header intact 
so it doesn't become an invalid header, and leave the 
timestamp intact so it still looks legit.  A bad timestamp or 
badly-formed obviously forged header is a much stronger 
indication of spam than a missing non-required header.




Finally, besides looking spammish, are there any other reason NOT to
do this? Since this is not a public isp and I serve only a very small
number of users I know, diagnosing troubles that THEY (not external
senders) may have isn't a big deal


It does remove important tracking and diagnostic information. 
 But with a fairly small and somewhat trusted user base, it's 
not that bad.  All the some info is also in the mail logs if 
they haven't been rotated out of existence.




TIA,
Marco



--
Noel Jones

Re: Proposing postfix to mgmt as an Exchange replacement

[Quanah Gibson-Mount]

--On Tuesday, September 09, 2008 10:50 PM -0400 Aaron Wolfe 
<[EMAIL PROTECTED]> wrote:



On Tue, Sep 9, 2008 at 10:12 PM, Adam Tauno Williams
<[EMAIL PROTECTED]> wrote:

The below isn't meant to shoot down your idea, but I'm an Open Source
groupware developer and am very familiar with the Exchange-vs-XYZ
equation.


As per the subject, I am about to pitch the idea of dumping Exchange
and moving to Postfix.  From what I can observe, the Calendar and
Meeting functions are used very little if at all.  We have roaming


"very little" is entirely different from not at all.  The
calendar/contact/etc functionality of Exchange is very powerful and
Postfix et al will not provide the same functionality (maybe with
something like $Zimbra) .  Are you sure your users don't need it, or
won't need it next month after the CEO sits next to somebody on a
plane that is real time syncing their Blackberry to their corporate
calendar, etc?


There's also the free version of Zimbra, although it is of course more 
limited in what it does, it does support IMAP/POP & calendaring, etc.


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration

About removing Received headers with internal IP addresses via header_checks

[M. Fioretti]

greetings,

I'm using a postfix server on a remote vps for all the email domains I
control. it is the official MX for all those domains and it only
accepts to relay email from my_networks and SASL authorized clients. I
am playing with the idea of making postfix remove all the Received
headers of authorized outgoing messages, before sending them to the
Internet.

The reasons is I've been asked to not show outside "where" an user was
when he or she composed an email: at the webmail interface in some
remote location, at home, office or anywhere else: "can you make it so
that all messages look like they were composed on the server itself?

Now, I have already done some research and found I could put:

/^Received:/ IGNORE

in a header_checks file, but a couple of things aren't clear to me.

1) I need to not remove headers of messages *coming* from the Internet
   to my users. Does this trick remove ONLY the Received headers of
   _outgoing_ messages? If yes, and here's the real question, why? Why
   is the check done only for outgoing messages? I'm missing how
   Postfix works here

2) In this thread 
http://www.nabble.com/Hide-internal-address-(Postfix)-td2300995.html
   a user said:

  If you do so, aren't your mails rejected by some mail servers
  because they consider that you have an illegal or incomplete
  header?

   how big such a risk is? I imagined that if mail seems "born" on a
   server which is the official MX of a domain it should look as legal
   and complete as it gets, isn't it? If the risk does exist, can it
   be removed, and how?

Finally, besides looking spammish, are there any other reason NOT to
do this? Since this is not a public isp and I serve only a very small
number of users I know, diagnosing troubles that THEY (not external
senders) may have isn't a big deal

TIA,
Marco
-- 
Your own civil rights and the quality of your life heavily depend on how
software is used *around* you:http://digifreedom.net/node/84

Re: postfix accepting mail for juno.com

[mouss]

Jorey Bump wrote:

Jason Noble wrote, at 09/10/2008 08:51 AM:

It was my DNS.
I am using a black list from here:
http://pgl.yoyo.org/adservers/
to block ad-servers at the dns level.

I'll have to remember this next time I have weird mail issues.


Your mail server should use a reliable, honest DNS server.

Set up a separate DNS server if you want to block ad sites for your your
LAN users. I do this, but I simply make the local DNS server
authoritative for the offensive domains (or subdomains) and point them
all to the same zone file, which has no A records defined. Why anyone
would point these to 127.0.0.1 or any other IP address is beyond me.




and is even dangerous. it allows a stranger to make you do a query on a 
local service. with FCSR and XSS attacks being so common these days, 
this is unwise. What would happens if say you get to click on

http://127.0.0.1:1234/disable_firewall
?

this is also the reason why it is not recommended to put private IPs in 
public dns zones (foo.example.com -> 192.168.1.2).

Re: postfix accepting mail for juno.com

[Jorey Bump]

Jason Noble wrote, at 09/10/2008 08:51 AM:
> It was my DNS.
> I am using a black list from here:
> http://pgl.yoyo.org/adservers/
> to block ad-servers at the dns level.
> 
> I'll have to remember this next time I have weird mail issues.

Your mail server should use a reliable, honest DNS server.

Set up a separate DNS server if you want to block ad sites for your your
LAN users. I do this, but I simply make the local DNS server
authoritative for the offensive domains (or subdomains) and point them
all to the same zone file, which has no A records defined. Why anyone
would point these to 127.0.0.1 or any other IP address is beyond me.

Re: postfix accepting mail for juno.com

[Jason Noble]

best_mx_transport = 
disable_dns_lookups = no
ignore_mx_lookup_error = no
parent_domain_matches_subdomains =
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
permit_mx_backup_networks = 
smtp_defer_if_no_mx_address_found = no
smtp_host_lookup = dns
smtp_mx_address_limit = 0
smtp_mx_session_limit = 2



On Wed, 2008-09-10 at 14:29 +0200, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt <[EMAIL PROTECTED]>:
> > * Jason Noble <[EMAIL PROTECTED]>:
> > > I tried commenting out a few more things now I get this error in the
> > > logs.
> > > 
> > > Sep 10 08:22:58 mail postfix/smtp[30058]: 8BF6718F79:
> > > to=<[EMAIL PROTECTED]>, relay=none, delay=0, status=bounced (mail for
> > > juno.com loops back to myself)
> > 
> > AHA! thus best_mx_transport triggers :)
> > 
> > host -t mx juno.com
> > host -t a juno.com
> > results in what?
> 
> postconf |egrep "(dns|mx)"
> results in what?
> 

Re: postfix accepting mail for juno.com

[Jason Noble]

It was my DNS.
I am using a black list from here:
http://pgl.yoyo.org/adservers/
to block ad-servers at the dns level.

I'll have to remember this next time I have weird mail issues.


Problem solved

Thanks for all the help

On Wed, 2008-09-10 at 14:36 +0200, Ralf Hildebrandt wrote:
> * Jason Noble <[EMAIL PROTECTED]>:
> > host -t mx juno.com
> > juno.com mail is handled by 10 mx.vgs.untd.com.
> > juno.com mail is handled by 10 mx.dca.untd.com.
> 
> Correct.
> 
> > host -t a juno.com
> > juno.com has address 64.136.53.46
> > juno.com has address 64.136.45.46
> 
> Correct.
>  
> > host -t a mx.vgs.untd.com 
> > mx.vgs.untd.com has address 127.0.0.1
> 
> Nope: $ host -t a mx.vgs.untd.com
> mx.vgs.untd.com has address 64.136.52.37
>  
> > host -t a mx.dca.untd.com
> > mx.dca.untd.com has address 127.0.0.1
> 
> mx.dca.untd.com has address 64.136.44.37
> 
> Check /etc/hosts or your DNS :(
> 
> > DOH... dns issue I though I ruled this out
> 
> :(
> 

Re: interesting log entries

[Wietse Venema]

Victor Duchovni:
> On Wed, Sep 10, 2008 at 05:09:16PM +1000, Colin Campbell wrote:
> 
> > Hi,
> > 
> > Can someone explain why we saw the following in our logs?
> > 
> > Sep  4 19:50:32 postfix postfix/cleanup[18097]: A68A6220005: message-id=: 
> > <[EMAIL PROTECTED]>
> > Sep  4 19:50:32 postfix postfix/cleanup[18097]: A68A6220005: 
> > message-id=newsletters.datapro.co.za
> > 
> 
> If a message has multiple "message-id" headers, cleanup(8) will log
> each one.

In this case, one of the message-id headers looked like this:

message-id:: <5 [EMAIL PROTECTED]>

and the second one:

message-id: newsletters.datapro.co.za

where "message-id" may have been spelled as "Message-ID", "Message-Id",
or some other combination of upper or lower case characters.

So, neither header was "normal".

Wietse

Re: postfix accepting mail for juno.com

[Ralf Hildebrandt]

* Jason Noble <[EMAIL PROTECTED]>:
> host -t mx juno.com
> juno.com mail is handled by 10 mx.vgs.untd.com.
> juno.com mail is handled by 10 mx.dca.untd.com.

Correct.

> host -t a juno.com
> juno.com has address 64.136.53.46
> juno.com has address 64.136.45.46

Correct.
 
> host -t a mx.vgs.untd.com 
> mx.vgs.untd.com has address 127.0.0.1

Nope: $ host -t a mx.vgs.untd.com
mx.vgs.untd.com has address 64.136.52.37
 
> host -t a mx.dca.untd.com
> mx.dca.untd.com has address 127.0.0.1

mx.dca.untd.com has address 64.136.44.37

Check /etc/hosts or your DNS :(

> DOH... dns issue I though I ruled this out

:(

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de  I'm looking for a job
I'm not insane, just an ISP. 
Although people may consider that to be a mark of an insane person!

Re: postfix accepting mail for juno.com

[Jason Noble]

host -t mx juno.com
juno.com mail is handled by 10 mx.vgs.untd.com.
juno.com mail is handled by 10 mx.dca.untd.com.

host -t a juno.com
juno.com has address 64.136.53.46
juno.com has address 64.136.45.46

host -t a mx.vgs.untd.com 
mx.vgs.untd.com has address 127.0.0.1

host -t a mx.dca.untd.com
mx.dca.untd.com has address 127.0.0.1

DOH... dns issue I though I ruled this out

On Wed, 2008-09-10 at 14:27 +0200, Ralf Hildebrandt wrote:
> * Jason Noble <[EMAIL PROTECTED]>:
> > I tried commenting out a few more things now I get this error in the
> > logs.
> > 
> > Sep 10 08:22:58 mail postfix/smtp[30058]: 8BF6718F79:
> > to=<[EMAIL PROTECTED]>, relay=none, delay=0, status=bounced (mail for
> > juno.com loops back to myself)
> 
> AHA! thus best_mx_transport triggers :)
> 
> host -t mx juno.com
> host -t a juno.com
> results in what?
> 

Re: postfix accepting mail for juno.com

[Ralf Hildebrandt]

* Ralf Hildebrandt <[EMAIL PROTECTED]>:
> * Jason Noble <[EMAIL PROTECTED]>:
> > I tried commenting out a few more things now I get this error in the
> > logs.
> > 
> > Sep 10 08:22:58 mail postfix/smtp[30058]: 8BF6718F79:
> > to=<[EMAIL PROTECTED]>, relay=none, delay=0, status=bounced (mail for
> > juno.com loops back to myself)
> 
> AHA! thus best_mx_transport triggers :)
> 
> host -t mx juno.com
> host -t a juno.com
> results in what?

postconf |egrep "(dns|mx)"
results in what?

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de  I'm looking for a job
If you tie pig to turbojet, it will fly. It is not right, but it
works. You can even have lunch after launch.

Re: postfix accepting mail for juno.com

[Ralf Hildebrandt]

* Jason Noble <[EMAIL PROTECTED]>:
> I tried commenting out a few more things now I get this error in the
> logs.
> 
> Sep 10 08:22:58 mail postfix/smtp[30058]: 8BF6718F79:
> to=<[EMAIL PROTECTED]>, relay=none, delay=0, status=bounced (mail for
> juno.com loops back to myself)

AHA! thus best_mx_transport triggers :)

host -t mx juno.com
host -t a juno.com
results in what?

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de  I'm looking for a job
"Plonk /excl./: The sound a newbie makes as he falls to the bottom of a
kill file."  - From the Jargon File. 

Re: postfix accepting mail for juno.com

[Jason Noble]

I tried commenting out a few more things now I get this error in the
logs.

Sep 10 08:22:58 mail postfix/smtp[30058]: 8BF6718F79:
to=<[EMAIL PROTECTED]>, relay=none, delay=0, status=bounced (mail for
juno.com loops back to myself)


On Tue, 2008-09-09 at 13:29 -0400, Victor Duchovni wrote:
> On Tue, Sep 09, 2008 at 01:13:50PM -0400, Jason Noble wrote:
> 
> > I commented it out and tried again, it didnt make a difference.
> > 
> > I cant think of any reason this server would think it should deliver
> > messages destine for juno.com locally.
> > 
> 
> Who said "juno.com" is the reason it is delivered locally. Your log
> excerpt also had a 2nd message recipient, likely that 2nd recipient
> triggers a "FILTER" action...
> 

Re: interesting log entries

[Victor Duchovni]

On Wed, Sep 10, 2008 at 05:09:16PM +1000, Colin Campbell wrote:

> Hi,
> 
> Can someone explain why we saw the following in our logs?
> 
> Sep  4 19:50:32 postfix postfix/cleanup[18097]: A68A6220005: message-id=: 
> <[EMAIL PROTECTED]>
> Sep  4 19:50:32 postfix postfix/cleanup[18097]: A68A6220005: 
> message-id=newsletters.datapro.co.za
> 

If a message has multiple "message-id" headers, cleanup(8) will log
each one.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: bounced email

[mouss]

Jittinan Suwanrueangsri wrote:

Dear sir

What cause this error? How should I fix it?



the server on a.b.c.d refuses the message but doesn't say why. if you 
have access to the logs of that server, check them. there isn't much we 
can do to help you.



note:
I replace sender by [EMAIL PROTECTED] ,replace recipient by 
[EMAIL PROTECTED] , replace an ip address by  a.b.c.d



## 

Sep  9 09:13:47 MailGateway postfix/smtpd[13230]: 813311BC80B6: 
client=localhost.localdomain[127.0.0.1]
Sep  9 09:13:47 MailGateway postfix/cleanup[13550]: 813311BC80B6: 
message-id=<[EMAIL PROTECTED]>
Sep  9 09:13:47 MailGateway postfix/qmgr[3830]: 813311BC80B6: 
from=<[EMAIL PROTECTED]>, size=21184, nrcpt=1 (queue active)
Sep  9 09:13:47 MailGateway postfix/smtp[12951]: 85BAE1BC806F: 
to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025, delay=1, 
delays=0.09/0/0/0.96, dsn=2.0.0, status=sent (250 OK, sent 
48C5DBDA_10629_1149010_1 813311BC80B6)
Sep  9 09:13:48 MailGateway postfix/smtp[13184]: 813311BC80B6: 
to=<[EMAIL PROTECTED]>, relay=a.b.c.d[a.b.c.d]:25, delay=1.2, 
delays=0.04/0/0.01/1.1, dsn=5.7.1, status=bounced (host a.b.c.d[a.b.c.d] 
said: 550 5.7.1 Requested action not taken: message refused (in reply to 
end of DATA command))
Sep  9 09:13:48 MailGateway postfix/bounce[13462]: 813311BC80B6: sender 
non-delivery notification: AE8DB1BC80DA

Sep  9 09:13:48 MailGateway postfix/qmgr[3830]: 813311BC80B6: removed
## 



Sincarely,
Jittinan Suwanrueangsri

bounced email

[Jittinan Suwanrueangsri]

Dear sir

What cause this error? How should I fix it?

note:
I replace sender by [EMAIL PROTECTED] ,replace recipient by 
[EMAIL PROTECTED] , replace an ip address by  a.b.c.d



##
Sep  9 09:13:47 MailGateway postfix/smtpd[13230]: 813311BC80B6: 
client=localhost.localdomain[127.0.0.1]
Sep  9 09:13:47 MailGateway postfix/cleanup[13550]: 813311BC80B6: 
message-id=<[EMAIL PROTECTED]>
Sep  9 09:13:47 MailGateway postfix/qmgr[3830]: 813311BC80B6: 
from=<[EMAIL PROTECTED]>, size=21184, nrcpt=1 (queue active)
Sep  9 09:13:47 MailGateway postfix/smtp[12951]: 85BAE1BC806F: 
to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025, delay=1, 
delays=0.09/0/0/0.96, dsn=2.0.0, status=sent (250 OK, sent 
48C5DBDA_10629_1149010_1 813311BC80B6)
Sep  9 09:13:48 MailGateway postfix/smtp[13184]: 813311BC80B6: 
to=<[EMAIL PROTECTED]>, relay=a.b.c.d[a.b.c.d]:25, delay=1.2, 
delays=0.04/0/0.01/1.1, dsn=5.7.1, status=bounced (host a.b.c.d[a.b.c.d] 
said: 550 5.7.1 Requested action not taken: message refused (in reply to 
end of DATA command))
Sep  9 09:13:48 MailGateway postfix/bounce[13462]: 813311BC80B6: sender 
non-delivery notification: AE8DB1BC80DA

Sep  9 09:13:48 MailGateway postfix/qmgr[3830]: 813311BC80B6: removed
##

Sincarely,
Jittinan Suwanrueangsri

Re: Proposing postfix to mgmt as an Exchange replacement

[Charles Marcus]

On 9/9/2008, Adam Tauno Williams ([EMAIL PROTECTED]) wrote:
> Yes, Thunderbird works with roaming profiles;  albeit rather badly.
> Thunderbird has no auto-configuration mechanism so every user's
> account(s) need to be setup manually and it is prone to making HUGE
> cache files if not setup carefully.

So set it up correctly... ;)

I always set the local imap mail store to the Local Settings folder so
it doesn't get copied with the roaming profile. Worst case scenario is
their pc dies and they have to re-download all of the message headers
the first time they access their mail again. No biggie.

I also use www.scheduleworld.com to keep tbird contacts/calendar in sync
across multiple machines (home/work) and phones... works very well, and
their is an OTA client for almost all phones.

> All-in-all it is a rather lousy IMAP client compared to others.

In my opinion, Outlook is MUCH worse IMAP client than Thunderbird. We've
been using Thunderbird exclusively on 60+ machines for years, *with*
roaming profiles*, with nary a hiccup.

I keep copies of Outlook (2003) and Outlook Express because I do support
these for people who want to use them from home, and frankly, these are
the only clients I ever get complaints about, and if the user takes me
up on my standard 'why don't you try Thunderbird' response, they always
are happy they did.

I have heard that Outlook 2007 has improved IMAP support (*finally* has
direct support for saving Sent messages to the IMAP server), but have no
experience with it.

Thunderbird ain't perfect, but it is an EXCELLENT IMAP client.

> Why not just stick with Outlook? Your likely to have a much easier
> time with the users if they are used to Outlook (and you already paid
> for it anyway).

You are correct that one drawback is there is no way to config TBird
using Active Directory Group Policies... I'd dearly love to see support
for this someday for bith TBird and Firefox - and a proper signature
manager too.

As for IMAP servers, I much prefer dovecot to Cyrus - MUCH easier to
setup, and better performance too imho... Cyrus has more features - FOR
NOW (dovecot is catching up very fast, and will probably surpass it
within a year or two), but is 'not fun' to install/configure/support for
anyone new to it.

I totally agree with the rest of the comments though. We don't use
Exchange here because the boss refused to pay for Server/Exchange/Office
many years ago (back in 2000), and told me to 'find an alternative' (to
the $40,000 it would have cost for licenses for everything for 50+
users). That was my forced introduction to the world of free software.

If I were the OP, and assuming he already has Exchange (and the Exchange
CALs) and Office, I'd stick with what he has (the licenses for just
Server and CALs won't be too bad).

On the other hand - if he is using pirated software, and it might cost
$20k+ to get legal, then using postfix+dovecot+thunderbird/lightning, or
even one of the groupware alternatives, might be worth considering.

-- 

Best regards,

Charles

Re: How can I increase size or time of parse active queue?

[mouss]

Andrew Sukharew wrote:

Hello!

When I do next settings

smtpd_client_restrictions =
permit_mynetworks,
permit



this is equivalent to a simple permit, which is the default.

Active queue slowly grow up and postfix can't deliver all this messages which 
contains in active queue..


How can resolve this ?


what fills up the queue? do you accept mail for addresses that don't exist?

otherwise, visit
http://www.postfix.org/DEBUG_README.html
and if you have more infos to post here, make sure to read
http://www.postfix.org/DEBUG_README.html#mail

Re: can send mail, but cannot receive (through ISP smtp)

[mouss]

Benny Pedersen wrote:

On Wed, September 10, 2008 08:53, mouss wrote:


and while you are at it, ask them to give you a custom reverse DNS.

$ host 79.116.195.248
248.195.116.79.in-addr.arpa domain name pointer
79-116-195-248.dynamic.brasov.rdsnet.ro.

with this, many sites will block you, put your mail in a junk folder or
even discard it.


even if the reverse dns is example.org it will still be a dynamic ip

so a little more then just a better reverse dns is needed :)




indeed.

$ host 100.192.116.79.pbl.spamhaus.org
100.192.116.79.pbl.spamhaus.org has address 127.0.0.11

Re: Proposing postfix to mgmt as an Exchange replacement

[James Robertson]

On Wed, 2008-09-10 at 13:50 +1000, MacShane, Tracy wrote:
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Adam Tauno 
> > > Williams
> > > Sent: Wednesday, 10 September 2008 12:13 PM
> > > To: postfix-users@postfix.org
> > > Subject: Re: Proposing postfix to mgmt as an Exchange replacement
> > > 
> > > The below isn't meant to shoot down your idea, but I'm an 
> > Open Source 
> > > groupware developer and am very familiar with the Exchange-vs-XYZ 
> > > equation.
> > > 
> > > > As per the subject, I am about to pitch the idea of 
> > dumping Exchange 
> > > > and moving to Postfix.
> > > ...
> > > 
> > > Is that true? "Everything we use exchange for" needs to be
> > > *very* carefully researched.  
> > >  
> > > > I hate trying to sell this kind of thing when my impulse 
> > is to wave 
> > > > my arms around yelling "IT'S OBVIOUS!" :)
> > > 
> > > But it isn't.
> > 
> > I totally agree with these remarks, not least the confusion 
> > between the roles that Postfix and Exchange carry out. I'd be 
> > extremely surprised to find any organisation that has more 
> > than 6 users on Exchange that doesn't use 
> > calendaring/scheduling, just as one example. How are you 
> > judging the use of that functionality organisation-wide?
> > 
> > Really, if you hate Exchange that much - and I actually think 
> > it's fairly robust (these days) and good at doing what it 
> > does (if we don't talk to much about TLS) - you need to 
> > research something like Zimbra, which uses Postfix as the 
> > MTA, but incorporates IMAP mailboxes and calendaring via 
> > Webdav (I think).
> > 
> > Of course, my primary role is that of an Exchange admin, so 
> > you can take my opinion FWIW.

My 2 cents

I work for a IT support business that has a large amount of different
clients who use Exchange.

My IT career started with Windows and when I first got into open source
software and so forth I was hell bent on getting rid of anything MS.
However as time has gone by it has become fairly apparent that there
isn't much out there that can do what Exchange does.  There is things
like Zimbra, Open-Xchange and Scalix but if you want the extra features
you have to pay for them.  If you want Exchange features.. use
Exchange.  Unless the business you work for are really tight then having
them fork out for Exchange and Windows Server shouldn't be a hassle and
it might cost them more for you to research, test, troubleshoot and
implement an Exchange replacement anyway.

Other things to consider

Who troubleshoots/maintains things when you are on holiday/away.
What happens when a staff member says "I want this feature that joe
bloggs' Company has" and you can't add it on to your setup.

Postfix is a superb MTA and in conjunction with other open source
software we use it to plug the holes that Exchange has such as Spam
filtering and the stupid "feature" (yes that's what MS claim it to be)
when it try's to deliver mail to the A record of a domain instead of the
MX.

I developed an Antispam Gateway and relay to/from an Exchange server
based on some excellent documentation such as
http://www200.pair.com/mecham/spam but I digress

I think you need to consider the ramifications of the system from the
users perspective not one of personal choice and Administration.  After
all that's what we IT support types are supposed to do I think :P

Certainly not trying to curb your enthusiasm for Postfix but I wouldn't
want a bad decision to bite you in the behind.

MS new what they were doing when they developed Exchange Server and new
that it would get them a heap of $$ as a result.

How can I increase size or time of parse active queue?

[Andrew Sukharew]

Hello!

When I do next settings

smtpd_client_restrictions =
permit_mynetworks,
permit

Active queue slowly grow up and postfix can't deliver all this messages which 
contains in active queue..

How can resolve this ?

Thanks!

Re: can send mail, but cannot receive (through ISP smtp)

[Benny Pedersen]

On Wed, September 10, 2008 08:53, mouss wrote:

> and while you are at it, ask them to give you a custom reverse DNS.
>
> $ host 79.116.195.248
> 248.195.116.79.in-addr.arpa domain name pointer
> 79-116-195-248.dynamic.brasov.rdsnet.ro.
>
> with this, many sites will block you, put your mail in a junk folder or
> even discard it.

even if the reverse dns is example.org it will still be a dynamic ip

so a little more then just a better reverse dns is needed :)


-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098

Re: interesting log entries

[mouss]

Colin Campbell wrote:

Hi,

Can someone explain why we saw the following in our logs?

Sep  4 19:50:32 postfix postfix/cleanup[18097]: A68A6220005: message-id=: <[EMAIL 
PROTECTED]>
Sep  4 19:50:32 postfix postfix/cleanup[18097]: A68A6220005: 
message-id=newsletters.datapro.co.za



There's nothing special. cleanup logs the message-id together with the 
queueid.


note that this comes in handy for log correlation. for example, if you 
deliver with dovecot, dovecot will log the message-id too, so you know 
which is which. same if you have a content filter (when the same mail 
passes twice in postfix, but will have two different queueid's).



# postconf mail_version
mail_version = 2.3.6

Colin

RE: localhost postfix/master: fatal: bind 127.0.0.1 port 125: Permission denied

[Chris Morley]

> you probably have an selinux problem.> > a workaround is to disable selinux 
> ('setenforce permissive'. also check > /etc/selinux/config).> > If you want 
> selinux, ask on centos lists how to setup a working policy. > you probably 
> have a policy for port 25, which you can adapt to other > ports (it's not a 
> very good idea to use port 125. if you want a "custom" > port, use something 
> > 1024. the 10xxx range is common on this list).
Dear all, thank you very much for the replies and i can confirm that it was 
SeLinux. Postfix is now starting up.
 
Many thanks again,
 
Chris
_
Make a mini you and download it into Windows Live Messenger
http://clk.atdmt.com/UKM/go/111354029/direct/01/

interesting log entries

[Colin Campbell]

Hi,

Can someone explain why we saw the following in our logs?

Sep  4 19:50:32 postfix postfix/cleanup[18097]: A68A6220005: message-id=: 
<[EMAIL PROTECTED]>
Sep  4 19:50:32 postfix postfix/cleanup[18097]: A68A6220005: 
message-id=newsletters.datapro.co.za

# postconf mail_version
mail_version = 2.3.6

Colin
-- 
Colin Campbell
Unix Support/Postmaster/Hostmaster
Citec
+61 7 3227 6334