Re: mail throttling

2008-10-21 Thread Andreas Schuldei
* Wietse Venema ([EMAIL PROTECTED]) [081022 02:37]:
> Andreas Schuldei:
> > The goal is that the server starts sending mail every 10th
> > second, then after 50 mails increase to 2 mails every 10 seconds,
> > until it sends 10 mails every ten seconds, ramping up
> > slowly.
> 
> It inserts 10s delay between INDIVIDUAL deliveries.
> 
> The documentation says:
> 
> default_destination_rate_delay (default: 0s)
>    The default amount of delay that is inserted between INDIVIDUAL
>    deliveries to the same destination
> 
> Thus, with default_destination_rate_delay=10s, after one INDIVIDUAL
> delivery is completed, the next INDIVIDUAL delivery starts 10
> seconds later.
> 
> INDIVIDUAL delivery != PARALLEL delivery.

Yes, I got that now. I had not gotten that impression when I read
the documentation the first few times and even when I observed
the behaviour. Partly because I don't see a good reason why the
delay can't be combined with the slow start.

Now if this is so I don't see a good way to not create peaks in my
mail delivery from my high bandwidth connection to other such
places, still dynamically ramp up the delivery volume as volume
increases and still not be branded as a spammer (who tend to send
email in bursts).

When looking at the recipient domains of our site, gmail and
hotmail take up a big percentage of our mail volume. Whenever I
send with default_destination_rate_delay = 0s, in order to be
able to use dynamically increasing volume, I get these steep peaks
as mail delivery is virtually instantaneous between hotmail,
gmail and our box. With default_destination_rate_delay set to a
non-zero value however I can't respond to increased mail volume anymore.

Therefore I ask to make both features combinable or create a way
to otherwise have dynamic slow delivery (with the option to
become faster over time).

/andreas


Re: Confirmation of TLS/SASL operation?

2008-10-21 Thread MrC
Victor Duchovni wrote:
> 
> It is interesting to see an MUA negotiate an anonymous session. Clearly
> T-Bird did not care to ask for or verify the server certificate. Did
> it require special configuration to enable this, or is this default
> T-Bird behaviour?

I see the same in my logs - default setup + submission port.

Oct 21 22:00:53 glacier postfix/smtpd[2914]: Anonymous TLS connection
established from zion.mikecappella.com[10.0.0.10]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)


> 
> When I added support for anonymous TLS ciphers in Postfix, I expected
> these to mostly get used in MTA-to-MTA opportunistic TLS sessions.
> 


Re: Unknown SASL Authentication

2008-10-21 Thread MrC
mouss wrote:
> MrC a écrit :
>> [snip]
>> But, your entry discovered a bug in the parsing of the sasl_sender=
>> portion of smtpd's client= log line.  The output should look like:
>>
>>        1   SASL authenticated relayed messages --
> 
> This may be misleading. something like "claimed SASL sender" would be
> "more clear"?

You're right as usual mouss - thanks for the clarification.  I recall
reading the RFC some time ago, but I wasn't clear about the
circumstances for the use of sasl_sender.

I'll update for the next release.

Thanks

> 
>>        1   [EMAIL PROTECTED] (*unknown)
>>        1      *unknown
>>        1         218.30.101.41   unknown
>>
>> I've corrected the bug in 1.37.08


Re: libspf2 Vulnerability [from another list...]

2008-10-21 Thread Scott Kitterman
On Tue, 21 Oct 2008 23:59:00 -0400 Victor Duchovni 
<[EMAIL PROTECTED]> wrote:
>
>All libspf2 users should read this post by Dan Kaminsky, and upgrade  
>libspf2 to 1.2.8 as soon as possible:
>
>http://www.doxpara.com/?p=1263
>
FWIW, the Ubuntu libspf2 packages for all releases have been patched to 
correct the buffer overflow mentioned in the article and 1.2.8 will be 
included in the next release.  There is also a patched version for Debian 
Lenny published and one for Etch is imminent.

Scott K


Re: Best anti-spam

2008-10-21 Thread Henrik K
On Wed, Oct 22, 2008 at 01:59:07AM +, Duane Hill wrote:
>
> P.s. Even though policyd-weight may be old, I've heard good things about  
> it. We have a customer that uses it and swears by it.

It's fine, but doesn't have much that postfwd can't do. Postfwd has active
development and somewhat more robust codebase. Remember that they don't do
anything unless YOU configure them. Software by itself can't guess what
settings you require.

Btw, isn't there a good Spam-wiki/howto/kb anywhere? Isn't not like we get
every week someone asking about best software, greylisting etc, and then you
get dozens of posts with speculation and limited knowledge.. hmm, maybe I'll
whip a wiki up.



Re: qmgr rests when lots of mail is coming in

2008-10-21 Thread Victor Duchovni
On Wed, Oct 22, 2008 at 12:06:40AM -0400, Ofer Inbar wrote:

> Victor Duchovni <[EMAIL PROTECTED]> wrote:
> > You can skip waiting for future occurrences, the behaviour you describe
> > (especially on fallback relays where dead destinations are to be expected)
> > fits the known issue like a glove (and we are not at the OJ trial :-).
> 
> Regardless, I definitely sometimes get qmgr dying due to a watchdog
> timeout when it's deferring many thousands of messages to the same
> destination, without the deadlock.

Yes, the deadlock is infrequent and time dependent, the watchdog has
to fire right when qmgr(8) is already performing I/O ops inside syslog(3).
Most of the time it fires when qmgr(8) is doing something else.

> As a temporary workaround, I tried doubling daemon_timeout.
> 
> However, I'm puzzled - it defaults to 18000s but the watchdog timer
> seems to kill qmgr during these incidents after about a half hour,
> which is 1800 seconds.

Wrong timer. The watchdog timeout is hard-coded to 1000s.

> > You may also consider tuning the feedback controls on the fallback relay,
> > so that problematic destinations are throttled less aggressively, this
> > is appropriate when most of the deliveries fail, but the site  is not
> > dead and more than 0%, but less than 50%, of the deliveries succeed.
> 
> Thank you.  And yes, it's definitely the case with the domains that
> are involved, that some deliveries succeed, but fewer than 50% (at the
> times when this problem shows up).
> 
> It is not possible to tune the feedback controls on a version earlier
> than 2.5, correct?

No. This is a major queue manager design change in 2.5, and is not
available in earlier code. The watchdog issue is resolved in 2.4.

Note, the definition of "succeed" here is the opposite of a "failure",
where "failure" is not failure to deliver, but rather failure to connect,
active rejection at connect or HELO or an I/O timeout during the mail
transaction. Deliveries that fail with 4XX in response to "MAIL", "RCPT",
"DATA" or "." don't cause negative feedback...

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Confirmation of TLS/SASL operation?

2008-10-21 Thread Victor Duchovni
On Tue, Oct 21, 2008 at 05:23:10PM -0400, Terry Carmen wrote:

> I just setup TLS and SASL to allow sending non-local mail only by 
> authenticated users, and to have the entire SMTP conversation with the 
> client software encrypted, and wanted to make sure it's operating correctly:
> 
> 
> The log from a session from my mail client  (Thunderbird) says:
> 
> Oct 21 17:15:02 wormhole postfix/smtpd[23828]: Anonymous TLS connection 
> established from rrcs-xx-xx-89-178.nys.biz.rr.com[xx.xx.89.178]: TLSv1 
> with cipher DH

It is interesting to see an MUA negotiate an anonymous session. Clearly
T-Bird did not care to ask for or verify the server certificate. Did
it require special configuration to enable this, or is this default
T-Bird behaviour?

When I added support for anonymous TLS ciphers in Postfix, I expected
these to mostly get used in MTA-to-MTA opportunistic TLS sessions.

-- 
Viktor.



Re: qmgr rests when lots of mail is coming in

2008-10-21 Thread Ofer Inbar
Victor Duchovni <[EMAIL PROTECTED]> wrote:
> You can skip waiting for future occurrences, the behaviour you describe
> (especially on fallback relays where dead destinations are to be expected)
> fits the known issue like a glove (and we are not at the OJ trial :-).

Regardless, I definitely sometimes get qmgr dying due to a watchdog
timeout when it's deferring many thousands of messages to the same
destination, without the deadlock.

As a temporary workaround, I tried doubling daemon_timeout.

However, I'm puzzled - it defaults to 18000s but the watchdog timer
seems to kill qmgr during these incidents after about a half hour,
which is 1800 seconds.  Is the value of daemon_timeout actually
representing tenths of seconds?  Or is daemon_timeout not really the
timer that controls how long the watchdog gives qmgr in these cases?

> You may also consider tuning the feedback controls on the fallback relay,
> so that problematic destinations are throttled less aggressively, this
> is appropriate when most of the deliveries fail, but the site  is not
> dead and more than 0%, but less than 50%, of the deliveries succeed.

Thank you.  And yes, it's definitely the case with the domains that
are involved, that some deliveries succeed, but fewer than 50% (at the
times when this problem shows up).

It is not possible to tune the feedback controls on a version earlier
than 2.5, correct?
  -- Cos


libspf2 Vulnerability [from another list...]

2008-10-21 Thread Victor Duchovni

All libspf2 users should read this post by Dan Kaminsky, and upgrade  
libspf2 to 1.2.8 as soon as possible:

http://www.doxpara.com/?p=1263

Just in case anyone asks, and not surprisingly, the DNS code in Postfix
has no such lapses.

-- 
Viktor.



Re: qmgr rests when lots of mail is coming in

2008-10-21 Thread Victor Duchovni
On Tue, Oct 21, 2008 at 07:07:02PM -0400, Ofer Inbar wrote:

> I have noticed occasional qmgr crashes with the "watchdog timer" error
> occurring, usually when it's in the middle of deferring thousands of
> messages for one domain all at once.  I meant to investigate those.
> 
> However, based on the logs, that's not what it was doing at the time
> this particular freeze happened.

Your observations are almost certainly in error. Wietse's analysis
is correct, and you should upgrade to 2.4 or later.

> I'll watch for future occurrences to collect more data,
> and try to get an upgrade soon.

You can skip waiting for future occurrences, the behaviour you describe
(especially on fallback relays where dead destinations are to be expected)
fits the known issue like a glove (and we are not at the OJ trial :-).

You may also consider tuning the feedback controls on the fallback relay,
so that problematic destinations are throttled less aggressively, this
is appropriate when most of the deliveries fail, but the site  is not
dead and more than 0%, but less than 50%, of the deliveries succeed.

The new feedback controls in 2.5.5 allow you to tune Postfix to be less
pessimistic when sending bulk mail to highly problematic destinations.

-- 
Viktor.



SMTP Local Delivery Delay per each Message Queue

2008-10-21 Thread JackyC
Hi all,
I would like to ask whether Postfix has some local delivery delay
parameter to set? Let's say a delay of 1 second per each message id in
qmgr.
For example, if a user sends a mail to 70 ncrpt (number of recipients)
at a time, Postfix will handle it as two separate messages queued
at qmgr by default. The first queue is ncrpt = 50 and the second is
ncrpt = 20. It is because by default,
default_destination_recipient_limit = 50. But these two message queues
will deliver most at the same second; I would like to just slightly
delay the second message id delivery 1 second later than the first
one.
Because I have some performance issues on the recipient authentication
when the ncrpt of the original message is large (i.e. 200), if such a
delay can be made, it can free up the load on the authentication server
and then I assume can relax the performance heavy duty a little.
Thank you very much!

Yours Sincerely,
Jacky, Hoi Kei Chan.

Re: Best anti-spam

2008-10-21 Thread Jim Balo
> > default_destination_concurrency_limit = 100
>
> This default is normally set to 20. Some servers may frown on you
> attempting to make 100 connections to their server.
>
> > relay_domains =
> >  $mydestination
> > smtpd_recipient_limit = 5000
> > smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
> >  reject_unauth_destination
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_path = private/auth
> > smtpd_sasl_type = dovecot
> > unknown_local_recipient_reject_code = 550
>
> I notice you are not using any blacklist checking. Is there a reason?
>
> This is what I am using:
>
> smtpd_client_restrictions =
>   ...
>   reject_rbl_client zen.spamhaus.local,
>   reject_rbl_client bl.spamcop.net,
>   reject_rbl_client dnsbl.njabl.org
>   ...

Thanks for the feedback.  

This might be a dumb question, but does the 
smtpd_client_restrictions really add anything in our scenario, 
since we already require authentication for smtp (and pop3):
"smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination"

Thanks,
JB


  


Re: Best anti-spam

2008-10-21 Thread Duane Hill

On Tue, 21 Oct 2008, Jim Balo wrote:


>> From: Jim Garrison <[EMAIL PROTECTED]>
>> I can highly recommend gray-listing.  It's all I use on
>> two Postfix servers, and SPAM is reduced by 98%.  A few
>> get through, but it's quite tolerable, and I haven't seen
>> a false-positive in at least two years.
>
> Hi,
>
> Do you have any recommendation on how-tos on doing this with
> Postfix (I know policy-weight is no longer developed, so I
> rather not use it)?


I don't have a how-to. However, if you know anything about Perl and MySQL 
(or any other SQL backend), it shouldn't be too difficult to conjure 
something up.


I have a policy I wrote in Perl for greylisting with a MySQL backend. 
MySQL is shared between two servers. There are two cron jobs that run 
deleting records where:


  o) client IP's have not returned since the initial connection within 24
 hours
  o) client IP's have returned and are older than four weeks from the
 initial connection

The IP of the connecting server is stored in a user selectable format 
depending upon how many octets of the IP are recorded.


I have had a few customers and servers that I have whitelisted from 
greylisting because of the respective connecting server's inability to 
comprehend the SMTP 450 response code in thinking it is a 5xx response 
code.


I also have built into the policy a mandatory greylist if any of the MX 
records for the sending domain are found to contain a CNAME or an IP 
address. MX records are supposed to contain a fully qualified domain name 
(FQDN).


If you would like to know more, please see me off-list.

P.s. Even though policyd-weight may be old, I've heard good things about 
it. We have a customer that uses it and swears by it.


-d


Re: Best anti-spam

2008-10-21 Thread Jim Balo
> From: Jim Garrison <[EMAIL PROTECTED]>
> I can highly recommend gray-listing.  It's all I use on
> two Postfix servers, and SPAM is reduced by 98%.  A few
> get through, but it's quite tolerable, and I
> haven't seen
> a false-positive in at least two years.

Hi,

Do you have any recommendation on how-tos on doing this with 
Postfix (I know policy-weight is no longer developed, so I 
rather not use it)?

Thanks,
JB




Re: Best anti-spam

2008-10-21 Thread Duane Hill

On Tue, 21 Oct 2008, Noel Jones wrote:


> Duane Hill wrote:
>
>> "practically none" would depend upon your amount of traffic. Our filter
>> servers get over seven million connections every 24 hours. Sane Security
>> does a fair job here at pushing the SpamAssassin score above the default
>> threshold. I would not suggest using the Sane Security updates at the MTA
>> level. There are legit messages that will trigger and get rejected.
>
> Please submit any Sanesecurity false positives to the contact address on the
> Sanesecurity web site.  They are usually fixed really quickly.


I'll keep that in mind. Thanks for the input as to the "fixed really 
quickly".


Re: Best anti-spam

2008-10-21 Thread Jim Balo
Thanks to all for the input so far.  I realize that a big part of my
spam problem is the fact that I do not know this area very well, so
have not done a whole lot to tweak the config.  I really wish I had the
time to study this more in depth.

Anyhow, I added "smtpd_client_restrictions" to main.cf with the RegEx
suggested by Reinaldo.  I have posted excerpts from master.cf and 
main.cf below.  If anyone can see any glaring problems or stuff that
I overlooked, I would much appreciate suggestions.

Thanks,
JB


master.cf 
smtp  inet  n   -   n   -   100   smtpd
amavisfeed unix -   -   n    -  100   lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    -o message_size_limit=1400
127.0.0.1:10025 inet n    -   y   -  100 smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=    
    
    
main.cf     
relay_domains = $mydestination
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
smtpd_client_restrictions = 
  reject_unauth_pipelining, 
  permit_mynetworks, 
  check_client_access regexp:/etc/postfix/access.regexp, 
  reject_maps_rbl

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
content_filter=amavisfeed:[127.0.0.1]:10024

 
access.regexp --
/([0-9]{1,3}(\.|-)){3}.*\.[a-z]+/ reject Generic hostname
/(^a?dsl|a?dsl(\.|-)|(\.|-)a?dsl|(\.|-)d(yn|ip|ial)(\.|-)|(\.|-)cable(\.|-)|(\.|-)user(\.|-)|^dynamic|(\.|-)dynamic|dynamic(\.|-)|(\.|-)ppp(oe)?(\.|-|)|^ppp)/
 reject Generic hostname     






Re: mail throttling

2008-10-21 Thread Wietse Venema
Andreas Schuldei:
> h?!
> 
> i have this in my main.cf:
> 
> destination_concurrency_feedback_debug = yes
> default_destination_rate_delay = 10s
> default_destination_concurrency_limit = 10
> default_destination_concurrency_positive_feedback = 0.05
> default_destination_concurrency_negative_feedback = 1
> default_initial_destination_concurrency = 1
> 
> The goal is that the server starts sending mail every 10th
> second, then after 50 mails increase to 2 mails every 10 seconds,
> until it sends 10 mails every ten seconds, ramping up
> slowly.

It inserts 10s delay between INDIVIDUAL deliveries.

The documentation says:

default_destination_rate_delay (default: 0s)
   The default amount of delay that is inserted between INDIVIDUAL
   deliveries to the same destination

Thus, with default_destination_rate_delay=10s, after one INDIVIDUAL
delivery is completed, the next INDIVIDUAL delivery starts 10
seconds later.

INDIVIDUAL delivery != PARALLEL delivery.

Wietse


Re: Best anti-spam

2008-10-21 Thread Noel Jones

Duane Hill wrote:

> "practically none" would depend upon your amount of traffic. Our filter
> servers get over seven million connections every 24 hours. Sane Security
> does a fair job here at pushing the SpamAssassin score above the default
> threshold. I would not suggest using the Sane Security updates at the
> MTA level. There are legit messages that will trigger and get rejected.


Please submit any Sanesecurity false positives to the contact 
address on the Sanesecurity web site.  They are usually fixed 
really quickly.


--
Noel Jones


Re: Best anti-spam

2008-10-21 Thread Nick Brown
The smarter greylisting engines will make an attempt to identify if the 
mail is within the same /24 as a previously greylisted IP within the 
specified time period to overcome this issue.


While obviously it's not guaranteed to get around this issue, we are 
greylisting for approximately 3000 domains and since enabling it see a 
reduction by almost 60% of mail. Over the last few months I can only 
think of 2 or 3 cases where a customer has complained about delayed 
email and we have found it to be the fault of greylisting. We do 
frequently query against our database to review connections that do not 
return where the IP looks legitimate etc in an attempt to maintain a 
workable solution. This is in addition to the usual header checks, RBL's 
(The Barracuda open RBL is a fantastic resource of late) and then 
finally SpamAssassin (Mailscanner).


While also somewhat a stubborn opinion, if administrators can't be 
bothered to bring their MTA's into alignment with the relevant RFC's 
they deserve the headaches complaining users will serve them.


Nick.

Terry Carmen wrote:
> I've used gray listing, but in the end abandoned it. Although it's
> moderately effective on spam, it also removed email's immediacy, and
> was completely undeliverable by some servers, which really annoys the
> users.
>
> Some large organizations with multiple outbound servers will rotate
> failed mail among the servers, which all have different IPs, and each
> new IP will cause another greylist bounce. The mail will never get
> through because by the time it's sent again by the original server,
> there's a good chance its greylist entry will have expired.
>
> Although it's frowned on by some, I've had much better success using a
> combination of RBLs and RDNS pattern matching to reject spam. Since a
> huge proportion of spam comes from zombie networks that are identified
> by DHCP addresses, a dozen or so regular expressions like these will
> block a ton of spam.
>
> Terry
>
> ---
>
> smtpd_client_restrictions=reject_unknown_reverse_client_hostname . . .
>
> check_client_access=regexp:/etc/postfix/spam_ip_regex
>
> spam_ip_regex file:
>
> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to
>   be connecting from a Dynamic IP address.
> /client.*\..*\..*/i   450 AUTO_CLIENT Email Rejected. You appear to
>   be connecting from a Dynamic IP address.
> /cable.*\..*\..*/i   450 AUTO_CABLE Email Rejected. You appear to
>   be connecting from a Dynamic IP address.
> /dial.*\..*\..*/i 450 AUTO_DIAL Email Rejected. You appear to
>   be connecting from a Dynamic IP address.
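
The greylisting bookkeeping described in this thread, as an added example in Python (not Duane Hill's Perl policy and not code from any poster): a decision function for Postfix's policy delegation protocol with a configurable number of recorded octets and the two expiry rules, run against the rotating-sender case quoted above. The sender and recipient in the key, the 300 s minimum delay, the 8-hour retry schedule and all addresses are assumptions constructed for illustration.

```python
DAY = 24 * 3600
DEFER = "defer_if_permit Greylisted, please retry later"

# Constructed policy delegation request (name=value lines, blank line ends it).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "client_name=out1.example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "\n"
)


def parse_request(text):
    """Parse one policy request into a dict; stops at the terminating blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def format_reply(action):
    """A policy reply is a single action= line followed by an empty line."""
    return "action=%s\n\n" % action


class Greylist:
    def __init__(self, octets=4, min_delay=300,
                 unconfirmed_ttl=DAY, confirmed_ttl=28 * DAY):
        self.octets = octets                    # IPv4 octets recorded (3 = same /24)
        self.min_delay = min_delay              # assumed wait before a retry passes
        self.unconfirmed_ttl = unconfirmed_ttl  # client never returned: 24 hours
        self.confirmed_ttl = confirmed_ttl      # client returned: four weeks
        self.seen = {}                          # key -> [first_seen, returned]

    def _key(self, attrs):
        addr = attrs.get("client_address", "")
        if ":" not in addr:                     # IPv6 addresses are kept whole here
            addr = ".".join(addr.split(".")[:self.octets])
        # Keying on sender and recipient too is an assumption (classic triplet).
        return (addr, attrs.get("sender", "").lower(),
                attrs.get("recipient", "").lower())

    def purge(self, now):
        """The two cleanup jobs: both ages are counted from the initial connection."""
        for key, (first, returned) in list(self.seen.items()):
            ttl = self.confirmed_ttl if returned else self.unconfirmed_ttl
            if now - first > ttl:
                del self.seen[key]

    def check(self, attrs, now):
        """Return the access action for one RCPT-stage request at time `now`."""
        self.purge(now)
        key = self._key(attrs)
        rec = self.seen.get(key)
        if rec is None:
            self.seen[key] = [now, False]
            return DEFER
        if now - rec[0] < self.min_delay:
            return DEFER
        rec[1] = True
        return "dunno"


def simulate_rotation(octets):
    """One message retried every 8 hours from a rotating pool of four senders."""
    greylist = Greylist(octets=octets)
    base = parse_request(SAMPLE_REQUEST)
    actions = []
    for attempt, host in enumerate([10, 11, 12, 13, 10]):
        attrs = dict(base, client_address="192.0.2.%d" % host)
        actions.append(greylist.check(attrs, now=attempt * 8 * 3600))
    return actions


if __name__ == "__main__":
    for octets in (4, 3):
        print(octets, simulate_rotation(octets))
```

With all four octets recorded, the first sender's entry has expired by the time the rotation comes back to it and every attempt is deferred; with three octets the second attempt is accepted.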






Re: Best anti-spam

2008-10-21 Thread Duane Hill

On Tue, 21 Oct 2008, Jim Balo wrote:


>> You should post the results of 'postconf -n'. Perhaps you are missing
>> some smtpd_*_restrictions items that could reduce the load.
>
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_concurrency_limit = 100

This default is normally set to 20. Some servers may frown on you 
attempting to make 100 connections to their server.

> delay_warning_time = 1h
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> local_destination_concurrency_limit = 100
> local_destination_recipient_limit = 5
> local_recipient_maps = unix:passwd.byname $alias_maps
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 1800
> mydestination = $mydomain, $myhostname, localhost, localhost.$mydomain
> mynetworks = x.xxx.xxx.xxx/xx, 127.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases
> proxy_interfaces = 140.239.184.230
> queue_directory = /var/spool/postfix
> readme_directory = no
> relay_domains =
>  $mydestination
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_recipient_limit = 5000
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
>  reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> unknown_local_recipient_reject_code = 550


I notice you are not using any blacklist checking. Is there a reason?

This is what I am using:

smtpd_client_restrictions =
  ...
  reject_rbl_client zen.spamhaus.local,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client dnsbl.njabl.org
  ...

zen.spamhaus.local (we subscribe to the data feed service) rejects over 
two million connections every 24 hours.


Re: Best anti-spam

2008-10-21 Thread Duane Hill

On Tue, 21 Oct 2008, Terry Carmen wrote:

> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
>   connecting from a Dynamic IP address.
> /client.*\..*\..*/i   450 AUTO_CLIENT Email Rejected. You appear to be
>   connecting from a Dynamic IP address.
> /cable.*\..*\..*/i   450 AUTO_CABLE Email Rejected. You appear to be
>   connecting from a Dynamic IP address.
> /dial.*\..*\..*/i 450 AUTO_DIAL Email Rejected. You appear to be
>   connecting from a Dynamic IP address.


Why do you 450 causing the connecting servers to come back time and time 
again?


Re: Best anti-spam

2008-10-21 Thread Reinaldo de Carvalho
>
> Terry
>
> ---
>
>
> smtpd_client_restrictions=reject_unknown_reverse_client_hostname . . .
>
> check_client_access=regexp:/etc/postfix/spam_ip_regex
>
> spam_ip_regex file:
>
> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
>   connecting from a Dynamic IP address.
> /client.*\..*\..*/i   450 AUTO_CLIENT Email Rejected. You appear to be
>   connecting from a Dynamic IP address.
> /cable.*\..*\..*/i   450 AUTO_CABLE Email Rejected. You appear to be
>   connecting from a Dynamic IP address.
> /dial.*\..*\..*/i 450 AUTO_DIAL Email Rejected. You appear to be
>   connecting from a Dynamic IP address.
>

I built this:

/([0-9]{1,3}(\.|-)){3}.*\.[a-z]+/ reject generic hostname
/(^a?dsl|a?dsl(\.|-)|(\.|-)a?dsl|(\.|-)d(yn|ip|ial)(\.|-)|(\.|-)cable(\.|-)|(\.|-)user(\.|-)|^dynamic|(\.|-)dynamic|dynamic(\.|-)|(\.|-)ppp(oe)?(\.|-|)|^ppp)/
  reject generic hostname

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net
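
How the rule files quoted in this thread are read, as an added example in Python that is not code from any poster: it parses the regexp table layout (a line starting with whitespace continues the previous rule, first match wins) and applies the flag rule from regexp_table(5), where matching is case-insensitive by default and `i` toggles it, so the `/i` rules end up case-sensitive. The hostnames are constructed, Python's `re` stands in for POSIX regex, and only the `i` flag and lookups by client hostname are modelled.

```python
import re

# Rules as posted in the thread, laid out one rule per logical line.
TERRY_TABLE = r"""
/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
  connecting from a Dynamic IP address.
/client.*\..*\..*/i  450 AUTO_CLIENT Email Rejected. You appear to be
  connecting from a Dynamic IP address.
/cable.*\..*\..*/i   450 AUTO_CABLE Email Rejected. You appear to be
  connecting from a Dynamic IP address.
/dial.*\..*\..*/i    450 AUTO_DIAL Email Rejected. You appear to be
  connecting from a Dynamic IP address.
"""

REINALDO_TABLE = r"""
/([0-9]{1,3}(\.|-)){3}.*\.[a-z]+/ reject generic hostname
/(^a?dsl|a?dsl(\.|-)|(\.|-)a?dsl|(\.|-)d(yn|ip|ial)(\.|-)|(\.|-)cable(\.|-)|(\.|-)user(\.|-)|^dynamic|(\.|-)dynamic|dynamic(\.|-)|(\.|-)ppp(oe)?(\.|-|)|^ppp)/
  reject generic hostname
"""

# /pattern/flags action (the patterns in this thread contain no "/").
RULE = re.compile(r"^/(.+?)/([imx]*)\s+(.+)$")


def parse_table(text):
    """Return [(compiled_regex, action)] in file order."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continuation of the previous rule
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        match = RULE.match(line)
        if not match:
            raise ValueError("unparsable rule: %r" % line)
        pattern, flags, action = match.groups()
        insensitive = True                # regexp_table(5) default
        for flag in flags:
            if flag == "i":
                insensitive = not insensitive  # "i" toggles, it does not enable
        rules.append((re.compile(pattern, re.IGNORECASE if insensitive else 0),
                      action))
    return rules


def lookup(rules, client_name):
    """First matching rule wins; None means the table has no opinion."""
    for regex, action in rules:
        if regex.search(client_name):     # patterns are unanchored unless they use ^ or $
            return action
    return None


# Constructed client hostnames.
SAMPLES = [
    "adsl-10-20-30-40.dsl.example.net",   # dynamic-looking name
    "ADSL-10-20-30-40.DSL.EXAMPLE.NET",   # same name in upper case
    "mail.clientservices.example.com",    # ordinary name containing "client"
    "mx1.example.org",                    # ordinary mail exchanger name
]

if __name__ == "__main__":
    for label, text in (("Terry", TERRY_TABLE), ("Reinaldo", REINALDO_TABLE)):
        rules = parse_table(text)
        for name in SAMPLES:
            print("%-9s %-36s %s" % (label, name, lookup(rules, name)))
```

The third sample shows the cost of unanchored substring patterns: an ordinary hostname that merely contains "client" gets the AUTO_CLIENT response.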


Re: Best anti-spam

2008-10-21 Thread Jim Balo
J.P. Trosclair wrote:
> ...
>> Could someone recommend a really good open source or affordable
>> commercial anti-spam solution?
>> ...
>> 
> I haven't done gray listing personally, but I've seen good remarks
> made about it here on the list and in other places.

Depends on the source/nature of your spam. It's good for reducing the 
load on SpamAssassin et. al. and it blocks lots of virus-sent spam. 
Greylisting alone lets some through at work but I just rebuilt my *very* 
old (circa late-90s) server at home and added greylisting and the 
greylisting alone reduced the spam from 100+/day to 1 every day or two.


Ok.  I will read up more on this.  Based on your (and others') experience, what 
are the Pros and Cons compared to a traditional Amavis + SA, etc.?

Thanks,
JB


Re: Best anti-spam

2008-10-21 Thread Jim Balo

>You should post the results of 'postconf -n'. Perhaps you are missing
>some 
>smtpd_*_restrictions items that could reduce the load.


broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 100
delay_warning_time = 1h
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 100
local_destination_recipient_limit = 5
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 1800
mydestination = $mydomain, $myhostname, localhost, localhost.$mydomain
mynetworks = x.xxx.xxx.xxx/xx, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
proxy_interfaces = 140.239.184.230
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = $mydestination
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_limit = 5000
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550


  

Re: Best anti-spam

2008-10-21 Thread Terry Carmen



J.P. Trosclair wrote:

> Tuesday, October 21, 2008, 5:29:59 PM, Jim Balo ([EMAIL PROTECTED]) wrote:
>
>> Hi,
>>
>> I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam.
>> I have trained the Bayesian Classifier with over 2,000 ham and 2,000
>> spam, but I am still getting quite a bit of spam.
>>
>> I am about to install a new mail server and I wonder if there is
>> something better than SpamAssassin that works well with Postfix?
>> The whole combination of Amavis, Pyzor, DCC, etc. seems a bit
>> complex and it also uses quite a bit of system resources.
>>
>> I saw someone recommend policy-weightd, but that is no longer
>> developed since February 2008.  I also came across ASSP, but I do
>> not know much about it yet.
>>
>> Could someone recommend a really good open source or affordable
>> commercial anti-spam solution?
>>
>> Thanks,
>> JB
>>
>> Ps. Maybe it is just that I need to tweak SpamAssassin better?
>> Some good links on this would be helpful as well.
>
> I haven't done gray listing personally, but I've seen good remarks made about
> it here on the list and in other places. From what I've read it seems to be
> very effective in stopping spam by itself (without spamassassin, et. al.) I've
> contemplated implementing it here but the idea of any sort of delay in mail
> being delivered doesn't sit well with the people who ultimately make the call
> in what I can and can't do for reducing spam so we're stuck with spamassassin.
  
I've used gray listing, but in the end abandoned it. Although it's 
moderately effective on spam, it also removed email's immediacy, and was 
completely undeliverable by some servers, which really annoys the users.


Some large organizations with multiple outbound servers will rotate 
failed mail among the servers, which all have different IPs, and each 
new IP will cause another greylist bounce. The mail will never get 
through because by the time it's sent again by the original server, 
there's a good chance its greylist entry will have expired.


Although it's frowned on by some, I've had much better success using a 
combination of RBLs and RDNS pattern matching to reject spam. Since a 
huge proportion of spam comes from zombie networks that are identified 
by DHCP addresses, a dozen or so regular expressions like these will 
block a ton of spam.


Terry



---


smtpd_client_restrictions = reject_unknown_reverse_client_hostname . . .
    check_client_access regexp:/etc/postfix/spam_ip_regex

spam_ip_regex file:

/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be connecting from a Dynamic IP address.
/client.*\..*\..*/i   450 AUTO_CLIENT Email Rejected. You appear to be connecting from a Dynamic IP address.
/cable.*\..*\..*/i   450 AUTO_CABLE Email Rejected. You appear to be connecting from a Dynamic IP address.
/dial.*\..*\..*/i 450 AUTO_DIAL Email Rejected. You appear to be connecting from a Dynamic IP address.
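
Before deploying a table like the one above, it helps to measure what it would match. The following is an added example, not part of the original post: it parses the four posted rules, runs them over constructed reverse-DNS names, and compares the verdicts with a hypothetical tighter rule written for this illustration. Python's `re` stands in for the Postfix regexp matcher, and all hostnames are constructed.

```python
import re

# The four rules from the post's spam_ip_regex table (reply text shortened).
POSTED_TABLE = r"""
/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected.
/client.*\..*\..*/i  450 AUTO_CLIENT Email Rejected.
/cable.*\..*\..*/i   450 AUTO_CABLE Email Rejected.
/dial.*\..*\..*/i    450 AUTO_DIAL Email Rejected.
"""

# Hypothetical tighter rule, written for this example only: the keyword must
# start a hostname label and be followed by a digit, "-" or ".".
TIGHTER_TABLE = r"""
/(^|[.-])(adsl|xdsl|cable|dial(up)?|client)[-.0-9]/ 450 AUTO_DYNAMIC Email Rejected.
"""

# Constructed reverse-DNS names; none of them refer to real hosts.
SAMPLE_HOSTS = [
    "adsl-203-0-113-7.dyn.example.net",      # dynamic-looking
    "cable-198-51-100-22.pool.example.org",  # dynamic-looking
    "dialup-17.isp.example.com",             # dynamic-looking
    "ADSL-203-0-113-9.DYN.EXAMPLE.NET",      # same style, upper case
    "mail.clientservices.example.com",       # a mail server with "client" in its name
    "smtp.dialogue.example.co.uk",           # a mail server with "dial" in its name
    "mx1.example.com",                       # ordinary mail server
]

RULE_LINE = re.compile(r"^/(?P<pattern>.*)/(?P<flags>[a-z]*)\s+(?P<action>.+)$")


def parse_table(text):
    """Parse '/pattern/flags action' lines into (compiled regex, action) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if m is None:
            raise ValueError("not a /pattern/flags action line: %r" % line)
        # regexp_table(5): matching is case-insensitive by default and each
        # "i" flag toggles that, so a trailing /i makes the rule case-sensitive.
        insensitive = m.group("flags").count("i") % 2 == 0
        regex = re.compile(m.group("pattern"), re.I if insensitive else 0)
        rules.append((regex, m.group("action")))
    return rules


def evaluate(table_text, hosts):
    """Map each hostname to the tag of the first matching rule, or None."""
    rules = parse_table(table_text)
    verdicts = {}
    for host in hosts:
        verdicts[host] = None
        for regex, action in rules:
            if regex.search(host):  # first match wins, as in a Postfix table
                verdicts[host] = action.split()[1]
                break
    return verdicts


if __name__ == "__main__":
    posted = evaluate(POSTED_TABLE, SAMPLE_HOSTS)
    tighter = evaluate(TIGHTER_TABLE, SAMPLE_HOSTS)
    for host in SAMPLE_HOSTS:
        print("%-40s posted=%-12s tighter=%s" % (host, posted[host], tighter[host]))
```
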







Re: Management tool

2008-10-21 Thread Stephen Holmes
Magnus Bäck wrote:
> On Tuesday, October 21, 2008 at 22:07 CEST,
>  Stephen Holmes <[EMAIL PROTECTED]> wrote:
>
>   
>> I've been browsing around for a bit but was wondering if any of you
>> could recommend a management tool for postfix.  I'm primarily
>> interested in queue management, the ability to move stuff from queue
>> to queue.  I'm already happily using postfix admin for multi-domain
>> admin and mailgraph for basic monitoring.
>> 
>
> What do you really mean by "move stuff from queue to queue"? With the
> exception of putting messages on hold or releasing them from hold the
> Postfix queue isn't much about manual movement.
>
>   
Badly phrased on my part, I meant hold and release.  Thanks for the
response!

-- 
s  t  e  p  h  e  nh  o  l  m  e  s
stephen [at] gallopinggreen [dot] com

skype: stephen.holmes
aol  : i18ndoc
gtalk: [EMAIL PROTECTED]
msn  : [EMAIL PROTECTED]




Re: Best anti-spam

2008-10-21 Thread Duane Hill

On Wed, 22 Oct 2008, James Brown wrote:


On 22/10/2008, at 9:29 AM, Jim Balo wrote:

  Hi,

I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam. 
I have trained the Bayesian Classifier with over 2,000 ham and 2,000
spam, but I am still getting quite a bit of spam.

I am about to install a new mail server and I wonder if there is
something better than SpamAssassin that works well with Postfix?
The whole combination of Amavis, Pyzor, DCC, etc. seems a bit
complex and it also uses quite a bit of system resources.

I saw someone recommend policy-weightd, but that is no longer
developed since February 2008.  I also came across ASSP, but I do
not know much about it yet.

Could someone recommend a really good open source or affordable
commercial anti-spam solution?

Thanks,
JB

Ps. Maybe it is just that I need to tweak SpamAssassin better?
Some good links on this would be helpful as well.

ASSP with ClamAV (make sure you use the Sane Security sigs!) will cut your
spam to practically none.


"practically none" would depend upon your amount of traffic. Our 
filter servers get over seven million connections every 24 hours. Sane 
Security does a fair job here at pushing the SpamAssassin score above the 
default threshold. I would not suggest using the Sane Security updates at 
the MTA level. There are legit messages that will trigger and get 
rejected.


Re: qmgr rests when lots of mail is coming in

2008-10-21 Thread Ofer Inbar
Wietse Venema <[EMAIL PROTECTED]> wrote:
> > # strace -p 31741
> > Process 31741 attached - interrupt to quit
> > futex(0x2a96b46930, FUTEX_WAIT, 2, NULL ^C
> 
> Postfix does not manipulate futexes. The word futex appears
> nowhere in Postfix source code.
> 
> However, there's a mutex deadlock in the LINUX C library when a
> Postfix < 2.4 watchdog timer goes off and syslog()s a warning
> message; the watchdog timer goes off when a Postfix < 2.4 qmgr
> defers massive amounts of mail because of a dead transport or
> nexthop.

Thanks!

I have noticed occasional qmgr crashes with the "watchdog timer" error
occurring, usually when it's in the middle of deferring thousands of
messages for one domain all at once.  I meant to investigate those.

However, based on the logs, that's not what it was doing at the time
this particular freeze happened.

I'll watch for future occurrences to collect more data,
and try to get an upgrade soon.
  -- Cos


Re: Best anti-spam

2008-10-21 Thread James Brown


On 22/10/2008, at 9:29 AM, Jim Balo wrote:


Hi,

I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam.
I have trained the Bayesian Classifier with over 2,000 ham and 2,000
spam, but I am still getting quite a bit of spam.

I am about to install a new mail server and I wonder if there is
something better than SpamAssassin that works well with Postfix?
The whole combination of Amavis, Pyzor, DCC, etc. seems a bit
complex and it also uses quite a bit of system resources.

I saw someone recommend policy-weightd, but that is no longer
developed since February 2008.  I also came across ASSP, but I do
not know much about it yet.

Could someone recommend a really good open source or affordable
commercial anti-spam solution?

Thanks,
JB

Ps. Maybe it is just that I need to tweak SpamAssassin better?
Some good links on this would be helpful as well.



ASSP with ClamAV (make sure you use the Sane Security sigs!) will cut  
your spam to practically none.


James.



Re: Best anti-spam

2008-10-21 Thread Joe Sloan
Jim Balo wrote:
> Hi,
>  
> I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam. 
> I have trained the Bayesian Classifier with over 2,000 ham and 2,000
> spam, but I am still getting quite a bit of spam. 
>  
> I am about to install a new mail server and I wonder if there is
> something better than SpamAssassin that works well with Postfix?
> The whole combination of Amavis, Pyzor, DCC, etc. seems a bit
> complex and it also uses quite a bit of system resources.
>  
> I saw someone recommend policy-weightd, but that is no longer
> developed since February 2008.  I also came across ASSP, but I do
> not know much about it yet.
>  
> Could someone recommend a really good open source or affordable
> commercial anti-spam solution?
>  
> Thanks,
> JB
>  
> Ps. Maybe it is just that I need to tweak SpamAssassin better?
> Some good links on this would be helpful as well.
>  
>
>

We're using a spamassassin based solution called maia mailguard, along
with policyd v1 and clamav, to manage our spam. The policyd component
does greylisting and other policy measures, while mailguard provides a
web-based spam management interface. We also supplement spamassassin and
clamav with some extra rule sets which enhance effectiveness.

We've looked at some commercial solutions which cost $100k and more,
with no clear cut advantage over our free software based solution.

Links:

http://www.maiamailguard.com/
http://www.policyd.org

Joe






Re: Best anti-spam

2008-10-21 Thread Duane Hill

On Tue, 21 Oct 2008, Jim Balo wrote:


Hi,

I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam. 
I have trained the Bayesian Classifier with over 2,000 ham and 2,000
spam, but I am still getting quite a bit of spam.

I am about to install a new mail server and I wonder if there is
something better than SpamAssassin that works well with Postfix?
The whole combination of Amavis, Pyzor, DCC, etc. seems a bit
complex and it also uses quite a bit of system resources.

I saw someone recommend policy-weightd, but that is no longer
developed since February 2008.  I also came across ASSP, but I do
not know much about it yet.

Could someone recommend a really good open source or affordable
commercial anti-spam solution?

Thanks,
JB

Ps. Maybe it is just that I need to tweak SpamAssassin better?
Some good links on this would be helpful as well.


You should post the results of 'postconf -n'. Perhaps you are missing some 
smtpd_*_restrictions items that could reduce the load.


Re: Best anti-spam

2008-10-21 Thread Steve Crawford

J.P. Trosclair wrote:

...

Could someone recommend a really good open source or affordable
commercial anti-spam solution?
...


I haven't done gray listing personally, but I've seen good remarks made about 
it here on the list and in other places.


Depends on the source/nature of your spam. It's good for reducing the 
load on SpamAssassin et al. and it blocks lots of virus-sent spam. 
Greylisting alone lets some through at work but I just rebuilt my *very* 
old (circa late-90s) server at home and added greylisting and the 
greylisting alone reduced the spam from 100+/day to 1 every day or two.


Cheers,
Steve




Re: qmgr rests when lots of mail is coming in

2008-10-21 Thread Wietse Venema
Ofer Inbar:
> Postfix 2.2, CentOS 4 (yes, I want to upgrade; can't for now).

Perhaps you should upgrade.

> # strace -p 31741
> Process 31741 attached - interrupt to quit
> futex(0x2a96b46930, FUTEX_WAIT, 2, NULL ^C

Postfix does not manipulate futexes. The word futex appears
nowhere in Postfix source code.

However, there's a mutex deadlock in the LINUX C library when a
Postfix < 2.4 watchdog timer goes off and syslog()s a warning
message; the watchdog timer goes off when a Postfix < 2.4 qmgr
defers massive amounts of mail because of a dead transport or
nexthop.

When it is not deadlocked inside the LINUX C library, Postfix
qmgr waits in select(2) for one of the following:
- Notice from cleanup server that there's new incoming mail
- Notice from delivery agent that it is ready to deliver mail
- Notice from delivery agent that it is done delivering mail
- Notice from event timer to re-activate a dead nexthop
- Notice from event timer to re-activate a dead transport
- Notice from event timer to scan the deferred/incoming queue

The watchdog timer uses alarm() and signal().

Wietse


Re: Best anti-spam

2008-10-21 Thread J.P. Trosclair
Tuesday, October 21, 2008, 5:29:59 PM, Jim Balo ([EMAIL PROTECTED]) wrote:
> Hi,
>  
> I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam.  
> I have trained the Bayesian Classifier with over 2,000 ham and 2,000 
> spam, but I am still getting quite a bit of spam.  
>  
> I am about to install a new mail server and I wonder if there is 
> something better than SpamAssassin that works well with Postfix?
> The whole combination of Amavis, Pyzor, DCC, etc. seems a bit 
> complex and it also uses quite a bit of system resources.
>  
> I saw someone recommend policy-weightd, but that is no longer 
> developed since February 2008.  I also came across ASSP, but I do 
> not know much about it yet.
>  
> Could someone recommend a really good open source or affordable
> commercial anti-spam solution?
>  
> Thanks,
> JB
>  
> Ps. Maybe it is just that I need to tweak SpamAssassin better?
> Some good links on this would be helpful as well.
>  
>  



I haven't done gray listing personally, but I've seen good remarks made about 
it here on the list and in other places. From what I've read it seems to be 
very effective in stopping spam by itself (without spamassassin, et al.). I've 
contemplated implementing it here but the idea of any sort of delay in mail 
being delivered doesn't sit well with the people who ultimately make the call 
in what I can and can't do for reducing spam so we're stuck with spamassassin.

There are some good sites out there that cover gray listing and the ins and 
outs of it. I suggest you do some reading about it before hand so you can make 
an informed decision on going that route.

J.P.



Best anti-spam

2008-10-21 Thread Jim Balo
Hi,
 
I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam.  
I have trained the Bayesian Classifier with over 2,000 ham and 2,000 
spam, but I am still getting quite a bit of spam.  
 
I am about to install a new mail server and I wonder if there is 
something better than SpamAssassin that works well with Postfix?
The whole combination of Amavis, Pyzor, DCC, etc. seems a bit 
complex and it also uses quite a bit of system resources.
 
I saw someone recommend policy-weightd, but that is no longer 
developed since February 2008.  I also came across ASSP, but I do 
not know much about it yet.
 
Could someone recommend a really good open source or affordable
commercial anti-spam solution?
 
Thanks,
JB
 
Ps. Maybe it is just that I need to tweak SpamAssassin better?
Some good links on this would be helpful as well.
 


  

Re: Confirmation of TLS/SASL operation?

2008-10-21 Thread Magnus Bäck
On Tuesday, October 21, 2008 at 23:23 CEST,
 Terry Carmen <[EMAIL PROTECTED]> wrote:

> I just setup TLS and SASL to allow sending non-local mail only by
> authenticated users, and to have the entire SMTP conversation with the
> client software encrypted, and wanted to make sure it's operating
> correctly:
> 
> The log from a session from my mail client  (Thunderbird) says:
> 
> Oct 21 17:15:02 wormhole postfix/smtpd[23828]: Anonymous TLS connection 
> established from rrcs-xx-xx-89-178.nys.biz.rr.com[xx.xx.89.178]: TLSv1 
> with cipher DH
> 
> Oct 21 17:15:03 wormhole postfix/smtpd[23828]: 02614300D0: 
> client=rrcs-xx-xx-89-178.nys.biz.rr.com[xx.xx.89.178], 
> sasl_method=PLAIN, sasl_username=terry
> 
> Would I be correct in assuming that the client first established an
> anonymous encrypted session with the server, then authenticated as
> the user terry, via the encrypted connection?

That's correct.

> Once the TLS connection is established, is it used for the entire
> session, including the message data transfer, or just for the
> authentication?

The whole session will be encrypted.

-- 
Magnus Bäck
[EMAIL PROTECTED]
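
The confirmation discussed above can be automated over the mail log. This added example (not part of the original thread) follows each smtpd process between its `connect from` and `disconnect from` lines and flags any `sasl_method=PLAIN` or `LOGIN` that was logged without a preceding `TLS connection established` line in the same connection. The log lines are constructed in the format quoted in the thread, with documentation addresses and a placeholder cipher name.

```python
import re

# Constructed sample log in the format quoted in the thread. PID 23828 serves
# two connections in a row, so TLS state must be reset per connection.
SAMPLE_LOG = """\
Oct 21 17:15:01 mx postfix/smtpd[23828]: connect from client1.example.net[192.0.2.10]
Oct 21 17:15:02 mx postfix/smtpd[23828]: Anonymous TLS connection established from client1.example.net[192.0.2.10]: TLSv1 with cipher EXAMPLE-CIPHER
Oct 21 17:15:03 mx postfix/smtpd[23828]: 0A00000001: client=client1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=terry
Oct 21 17:15:04 mx postfix/smtpd[23828]: disconnect from client1.example.net[192.0.2.10]
Oct 21 17:20:10 mx postfix/smtpd[23828]: connect from client2.example.net[198.51.100.7]
Oct 21 17:20:11 mx postfix/smtpd[23828]: 0A00000002: client=client2.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Oct 21 17:20:12 mx postfix/smtpd[23828]: disconnect from client2.example.net[198.51.100.7]
Oct 21 17:21:00 mx postfix/smtpd[23901]: connect from client3.example.net[203.0.113.5]
Oct 21 17:21:01 mx postfix/smtpd[23901]: 0A00000003: client=client3.example.net[203.0.113.5], sasl_method=CRAM-MD5, sasl_username=bob
Oct 21 17:21:02 mx postfix/smtpd[23901]: disconnect from client3.example.net[203.0.113.5]
"""

SMTPD_LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_UP = re.compile(r"TLS connection established from ")
SASL_AUTH = re.compile(
    r"client=(?P<client>[^,]+), sasl_method=(?P<method>[^,]+), "
    r"sasl_username=(?P<user>\S+)"
)

# Mechanisms that send the password itself and so depend on TLS for secrecy.
CLEARTEXT_METHODS = {"PLAIN", "LOGIN"}


def audit(log_text):
    """Return one record per SASL-authenticated message, with its TLS state.

    Assumes the TLS summary line is being logged (it depends on the server's
    TLS log level); without it every login would be reported as unencrypted.
    """
    tls_by_pid = {}  # smtpd PID -> True once TLS is up in the current connection
    findings = []
    for line in log_text.splitlines():
        m = SMTPD_LINE.search(line)
        if m is None:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith(("connect from ", "disconnect from ")):
            # An smtpd process is reused, so forget the previous session.
            tls_by_pid[pid] = False
        elif TLS_UP.search(msg):
            tls_by_pid[pid] = True
        else:
            auth = SASL_AUTH.search(msg)
            if auth:
                tls = tls_by_pid.get(pid, False)
                method = auth.group("method").upper()
                findings.append({
                    "pid": pid,
                    "client": auth.group("client"),
                    "user": auth.group("user"),
                    "method": method,
                    "tls": tls,
                    "exposed": (not tls) and method in CLEARTEXT_METHODS,
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        state = "EXPOSED" if f["exposed"] else "ok"
        print("%-8s user=%-6s method=%-9s tls=%-5s client=%s"
              % (state, f["user"], f["method"], f["tls"], f["client"]))
```
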


Confirmation of TLS/SASL operation?

2008-10-21 Thread Terry Carmen
I just setup TLS and SASL to allow sending non-local mail only by 
authenticated users, and to have the entire SMTP conversation with the 
client software encrypted, and wanted to make sure it's operating correctly:



The log from a session from my mail client  (Thunderbird) says:

Oct 21 17:15:02 wormhole postfix/smtpd[23828]: Anonymous TLS connection 
established from rrcs-xx-xx-89-178.nys.biz.rr.com[xx.xx.89.178]: TLSv1 
with cipher DH


Oct 21 17:15:03 wormhole postfix/smtpd[23828]: 02614300D0: 
client=rrcs-xx-xx-89-178.nys.biz.rr.com[xx.xx.89.178], 
sasl_method=PLAIN, sasl_username=terry


Would I be correct in assuming that the client first established an 
anonymous encrypted session with the server, then authenticated as the 
user terry, via the encrypted connection?


Once the TLS connection is established, is it used for the entire 
session, including the message data transfer, or just for the 
authentication?


Thanks!

Terry






Re: Unknown SASL Authentication

2008-10-21 Thread Noel Jones

Asai wrote:
Indeed it's a postfix logwatch entry.  Here's a grep of the IP address 
from /var/log/maillog


triata postfix/smtpd[11490]: connect from unknown[218.30.101.41]
Oct 20 23:56:49 triata sqlgrey: grey: from awl match: updating 
218.30.101.41(218.30.101.41), 
[EMAIL PROTECTED]([EMAIL PROTECTED])
Oct 20 23:56:49 triata postfix/smtpd[11490]: 76BE9FD8041: 
client=unknown[218.30.101.41], [EMAIL PROTECTED]
Oct 20 23:56:50 triata postfix/smtpd[11490]: disconnect from 
unknown[218.30.101.41]
Oct 20 23:57:00 triata amavis[11434]: (11434-01) Passed CLEAN, 
[218.30.101.41] [218.30.101.41] <[EMAIL PROTECTED]> -> 
<[EMAIL PROTECTED]>, Message-ID: 
<[EMAIL PROTECTED]>, mail_id: SULYJRvIb9wQ, 
Hits: -0.479, size: 25777, queued_as: 3299FFD8047, 9828 ms




Please don't top post.

OK, looks as if the mail was authenticated with
the account user [EMAIL PROTECTED]  If the mail wasn't 
really sent by that user, maybe you should disable that 
account, or at least change the password.


--
Noel Jones


qmgr rests when lots of mail is coming in

2008-10-21 Thread Ofer Inbar
Postfix 2.2, CentOS 4 (yes, I want to upgrade; can't for now).

Note: I have a course of action, but not completely confident I
 understand the problem so seeking other eyes on it. See bottom.

On a fallback relay serving several first-pass postfix servers, qmgr
seems to sometimes stop and rest while mail is being relayed in.  It
looks like this:

Large mailing begins on the first-pass servers, and fallback starts
receiving a lot of relayed mail.  At first, both active and incoming
queues are growing, and mail is being delivered.  At some point:
 - qmgr stops moving messages from incoming to active
 - what's already in active stops being looked at at all
 - mail continues to pour into incoming
Active queue is *not* full when this happens, it has plenty of room.
(Plus, I've seen full active queues and postfix doesn't behave like this)

Mail log at this time is full of messages from smtpd & cleanup,
showing new messages coming in, but nothing else.  No errors at
the beginning indicating something wrong.  Tracing qmgr shows it's
just waiting ( probably for a message from master? )

# strace -p 31741
Process 31741 attached - interrupt to quit
futex(0x2a96b46930, FUTEX_WAIT, 2, NULL ^C

When this happens, it stays that way until I catch it.  Reloading
postfix fixes the problem, and from that point on postfix moves
messages from incoming to active, and attempts to deliver what's in
active, even though mail continues to get relayed in rapidly.

Also, this is intermittent.  It doesn't happen every time.  Often an
entire large mailing completes without this happening on the fallback
at all.

  .

I can see that messages are coming in too quickly for postfix to
handle, and I should increase in_flow_delay or reduce number of smtpd
processes in master.cf or both, to slow it down.

However, I can't see the effect of these changes until the next large
mailing, and not even then.  In the meantime, I want to try to understand
the problem better.  Since it's intermittent, I won't necessarily know
when I've fixed it even if I have.

* Is the behavior I'm seeing something I can expect when inflow is too fast?

 - What's qmgr waiting for, and why is it not happening?
 - Why does it take a reload to nudge it back into action?
Messages are coming in at about the same rate before and after the
reload, but before the reload qmgr is doing nothing (sometimes for
over an hour until I catch it); after the reload everything works.
  -- Cos


Re: Management tool

2008-10-21 Thread Magnus Bäck
On Tuesday, October 21, 2008 at 22:07 CEST,
 Stephen Holmes <[EMAIL PROTECTED]> wrote:

> I've been browsing around for a bit but was wondering if any of you
> could recommend a management tool for postfix.  I'm primarily
> interested in queue management, the ability to move stuff from queue
> to queue.  I'm already happily using postfix admin for multi-domain
> admin and mailgraph for basic monitoring.

What do you really mean by "move stuff from queue to queue"? With the
exception of putting messages on hold or releasing them from hold the
Postfix queue isn't much about manual movement.

-- 
Magnus Bäck
[EMAIL PROTECTED]


Re: Management tool

2008-10-21 Thread John R. Dennison
On Tue, Oct 21, 2008 at 09:07:50PM +0100, Stephen Holmes wrote:
> I've been browsing around for a bit but was wondering if any of you
> could recommend a management tool for postfix.  I'm primarily interested
> in queue management, the ability to move stuff from queue to queue.  I'm
> already happily using postfix admin for multi-domain admin and mailgraph
> for basic monitoring.

I like pfqueue (http://pfqueue.sourceforge.net).

Gives an ncurses (console) based interface to allow you to
hold, release requeue and delete messages from the various
queues.



John

-- 
"I'm sorry but our engineers do not have phones."
As stated by a Network Solutions Customer Service representative when asked to
be put through to an engineer.

"My other computer is your windows box."
 Ralf Hildebrandt
 trying to play sturgeon while it's under attack is apparently not fun.




Management tool

2008-10-21 Thread Stephen Holmes
I've been browsing around for a bit but was wondering if any of you
could recommend a management tool for postfix.  I'm primarily interested
in queue management, the ability to move stuff from queue to queue.  I'm
already happily using postfix admin for multi-domain admin and mailgraph
for basic monitoring.

Many thanks
Steve.

 

-- 
s  t  e  p  h  e  nh  o  l  m  e  s
stephen [at] gallopinggreen [dot] com

skype: stephen.holmes
aol  : i18ndoc
gtalk: [EMAIL PROTECTED]
msn  : [EMAIL PROTECTED]




Re: Unknown SASL Authentication

2008-10-21 Thread mouss
MrC a écrit :
> [snip]
> But, your entry discovered a bug in the parsing of the sasl_sender=
> portion of smtpd's client= log line.  The output should look like:
> 
>    1   SASL authenticated relayed messages --

This may be misleading. something like "claimed SASL sender" would be
"more clear"?

>    1      [EMAIL PROTECTED] (*unknown)
>    1         *unknown
>    1            218.30.101.41    unknown
> 
> I've corrected the bug in 1.37.08:
> 
>http://www.mikecappella.com/logwatch/
> 
> MrC



Re: Unknown SASL Authentication

2008-10-21 Thread MrC
Asai wrote:
> Greetings,
> 
> In the server log files I got back this morning, I see in the records
> this entry:
> 
>    1   Unknown
>    1      Unknown
>    1         218.30.101.41    unknown
> 
> 
> Normally this will give me an email address on top, the AUTH type next,
> and the IP at the bottom with the reverse DNS there. I checked the IP
> address and it's in China, so it's definitely not one of our users.  Can
> anyone tell me how to interpret this, and to plug any holes which might
> be allowing this?
> 

This looks like partial postfix-logwatch output.  Show the log line in
question, and the Section header from where this output came.

[ edit: I see you've already shared log lines ]

I believe this is the SaslAuthRelay section.  The first level is the
SASL sender (and user if available).  The second level is the SASL
method (or Unknown if not available).  The third level is the host IP
and the Postfix reported host name (in this case, it was unknown).

But, your entry discovered a bug in the parsing of the sasl_sender=
portion of smtpd's client= log line.  The output should look like:

   1   SASL authenticated relayed messages --
   1      [EMAIL PROTECTED] (*unknown)
   1         *unknown
   1            218.30.101.41    unknown

I've corrected the bug in 1.37.08:

   http://www.mikecappella.com/logwatch/

MrC


Re: Problem sending to one user on domain

2008-10-21 Thread mouss
Robert Fitzpatrick a écrit :
> On Tue, 2008-10-21 at 12:34 -0400, Brian Evans - Postfix List wrote:
>> The current best use view of reject_unverified_(recipient|sender) is
>> to
>> use for your domains that you control.
> 
> Thanks, and yes, I agree this should be done. We currently use LDAP
> lookups for transports. Is there a way to tie
> reject_unverified_(recipient|sender) to domains using LDAP lookups? 

If it's LDAP, then use reject_unlisted_recipient. simply configure the
list of valid users in the various mumble_recipient_maps and you're done.

note that recipient validation is done by default, so this is not
necessary. but you can use it explicitly to reject a transaction before
doing expensive checks (reject_rbl_*...)

> [snip]



Re: Problem sending to one user on domain

2008-10-21 Thread Robert Fitzpatrick
On Tue, 2008-10-21 at 12:34 -0400, Brian Evans - Postfix List wrote:
> The current best use view of reject_unverified_(recipient|sender) is
> to
> use for your domains that you control.

Thanks, and yes, I agree this should be done. We currently use LDAP
lookups for transports. Is there a way to tie
reject_unverified_(recipient|sender) to domains using LDAP lookups? Is
it as easy as taking our transport.cf ldap conf file and modifying like
this below?

mx1# cat ldap/verification.cf
bind = no
server_host = ldapi:///
version = 3
search_base = ou=Domains,dc=example,dc=com
query_filter = (&(|(dc=%s)(cn=%s)(associatedDomain=%s))(objectClass=inetLocalMailRecipient))
result_attribute = mailRoutingAddress
result_format = reject_unverified_recipient

In main.cf:
smtpd_recipient_restrictions =
  check_recipient_access ldap:/etc/postfix/verification.cf
smtpd_sender_restrictions =
  check_sender_access ldap:/etc/postfix/verification.cf

mx1# postmap -q example.com ldap:/usr/local/etc/postfix/ldap/verification.cf
reject_unverified_recipient

-- 
Robert



Re: mail.btopenworld.com randomly transmogrifies into pop-smtp1-f.bt.mail.vip.ird.yahoo.com, defeating SASL.

2008-10-21 Thread Stroller


On 21 Oct 2008, at 18:30, Brian Evans - Postfix List wrote:

...
SASL is already configured on the host:

$ sudo grep btopenworld.com /etc/postfix/*
/etc/postfix/main.cf:relayhost = [mail.btopenworld.com]
/etc/postfix/sasl_passwd:mail.btopenworld.com
[EMAIL PROTECTED]:password
Binary file /etc/postfix/sasl_passwd.db matches
$


mail.btopenworld.com does not necessarily match [mail.btopenworld.com]
From the docs:
#
The "[" and "]" prevent Postfix from looking up the MX (mail exchanger)
records for the enclosed name. If you use this form in main.cf, then you
must use the same form also in the smtp_sasl_password_maps file.
#

What happens if you make them match with the brackets?


Sweet!   :D

Oct 21 18:46:00 freds-computer postfix/smtp[9356]: 7D5B727B93A: to=<[EMAIL PROTECTED]>, relay=pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192], delay=1, status=sent (250 ok 1224611164 qp 20852)
Oct 21 18:46:05 freds-computer postfix/smtp[9356]: 8072027B93C: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=1, status=sent (250 ok 1224611169 qp 5579)

...

Many MANY thanks for your patient and expert help.


BTW, Postfix 2.1 is quite old.  You may consider moving to the latest
version 2.5.5 (currently)



Yeah, but it's the typical big fear of messing with any of the Unixy  
stuff shipped on a Mac - that an automated update will break something.


Stroller.





Re: mail.btopenworld.com randomly transmogrifies into pop-smtp1-f.bt.mail.vip.ird.yahoo.com, defeating SASL.

2008-10-21 Thread Brian Evans - Postfix List
Stroller wrote:
> Hi Brian,
>
> I'll comment on your remarks regarding reject_unverified_sender later,
> when I've had the opportunity to read / test thoroughly.
>
>
> On 21 Oct 2008, at 17:24, Brian Evans - Postfix List wrote:
>> ...
>> BTW.. btopenworld.com use yahoo MXs:
>> [EMAIL PROTECTED] ~ $ host btopenworld.com
>> btopenworld.com has address 213.121.143.193
>> btopenworld.com mail is handled by 30 mx2.bt.mail.yahoo.com.
>> btopenworld.com mail is handled by 20 mx1.bt.mail.yahoo.com.
>>
>> The original message issue, that caused the bounce, can be solved by
>> using SASL on the smtp client to begin with.
>> See http://www.postfix.org/SASL_README.html#client_sasl for details.
>
>
> Unfortunately there's more to it than this.
>
> SASL is already configured on the host:
>
> $ sudo grep btopenworld.com /etc/postfix/*
> /etc/postfix/main.cf:relayhost = [mail.btopenworld.com]
> /etc/postfix/sasl_passwd:mail.btopenworld.com   
> [EMAIL PROTECTED]:password
> Binary file /etc/postfix/sasl_passwd.db matches
> $
>
mail.btopenworld.com does not necessarily match [mail.btopenworld.com]
From the docs:
#
The "[" and "]" prevent Postfix from looking up the MX (mail exchanger)
records for the enclosed name. If you use this form in main.cf, then you
must use the same form also in the smtp_sasl_password_maps file.
#

What happens if you make them match with the brackets?

BTW, Postfix 2.1 is quite old.  You may consider moving to the latest
version 2.5.5 (currently)

Brian
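
A quick way to catch the mismatch described above, as an added example that is not from the thread: the function compares the `relayhost` value in main.cf with the lookup keys in the password map source file and reports when the same host appears in a different bracket form. File contents are passed in as strings, and the host name and credentials are constructed placeholders.

```python
# Constructed sample files: relayhost uses the bracketed form, the password
# map key does not, which is the situation discussed in the thread.
MAIN_CF = """\
# constructed main.cf fragment
relayhost = [mail.example.com]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps =
    hash:/etc/postfix/sasl_passwd
"""

SASL_PASSWD_MISMATCH = """\
# destination          username:password
mail.example.com       user@example.com:placeholder
"""

SASL_PASSWD_FIXED = """\
[mail.example.com]     user@example.com:placeholder
"""


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues
    the previous parameter, and '#' lines are comments."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name is not None:
            params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params


def password_map_keys(text):
    """Return the lookup key (first field) of every entry in the map source."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            keys.append(line.split()[0])
    return keys


def strip_brackets(destination):
    """'[host]:587' and 'host:587' name the same host in different forms."""
    return destination.replace("[", "").replace("]", "")


def check_relayhost(main_cf_text, sasl_passwd_text):
    """Return (status, detail) for the relayhost / password-map key pairing."""
    relayhost = parse_main_cf(main_cf_text).get("relayhost", "")
    if not relayhost:
        return ("no-relayhost", None)
    keys = password_map_keys(sasl_passwd_text)
    if relayhost in keys:
        return ("ok", relayhost)
    same_host = [k for k in keys if strip_brackets(k) == strip_brackets(relayhost)]
    if same_host:
        # Same host, different form: the entry exists but will not be found
        # under the key that main.cf uses.
        return ("form-mismatch", same_host[0])
    return ("missing", None)


if __name__ == "__main__":
    print(check_relayhost(MAIN_CF, SASL_PASSWD_MISMATCH))
    print(check_relayhost(MAIN_CF, SASL_PASSWD_FIXED))
```
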


Re: from=<> emails

2008-10-21 Thread Stroller


On 21 Oct 2008, at 17:24, Brian Evans - Postfix List wrote:

Stroller wrote:

Hi there,

A customer of mine is, unfortunately, using BT Internet as her ISP,
and sending email via Postfix on Mac OS 10.4

It seems that she is not getting notification when mail is bounced
because this lame ISP rejects the "from" address of the bounce, and
another bounce is created. See the 946CA27AABB message below:

...
Oct 20 10:22:23 freds-computer postfix/smtp[5906]: 946CA27AABB:
to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192],
delay=2, status=bounced (host mail.btopenworld.com[217.146.188.192]
said: 553 From: address not verified; see
http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom-07.html (in
reply to MAIL FROM command))

... can anyone tell
me, please, how to change the from address of the bounce messages,
please? At least if she has notification of the failures she knows to
call me & I can take a look at the problem; as things stand she just
discovers after some days that the recipient has  received no mail
from her.


The host mail.btopenworld.com is trying to use reject_unverified_sender
(or equivalent) for the null sender.
This is wrong and they need to fix it.


Yeah, and good luck to anyone who tries to get them to do so.
:(


To get some notifications, look at notify_classes (
http://www.postfix.org/postconf.5.html#notify_classes ).
Suggest 'notify_classes = resource, software, 2bounce' until you solve
the real first problem and contact the source of the 2nd.
2bounce allows double bounces to be saved to a mailbox.
The 2bounce recipient can be defined by 2bounce_notice_recipient


I think what you're saying is that I'll NEED to save the bounces to a  
mailbox.


Currently:
  $ postconf  | grep -e notify_classes -e 2bounce
  2bounce_notice_recipient = postmaster
  notify_classes = resource, software
  $

If I just add 2bounce into the notify_classes then it'll attempt to  
deliver in the same way, by SMTP, and the message will again be  
rejected by mail.btopenworld.com. Right?


Unfortunately mailboxes on OS X are an ugly mess. As far as I can see  
I'd have to deliver to /Users/fred/Library/Mail/[EMAIL PROTECTED]/INBOX.mbox/Messages/
And of course this is (once again) prone to breakage if the user (for  
instance) deletes this email address & adds a new one.


Stroller.



Re: Postfix + openldap deliver each emails to Cyrus imapd +any IMAP server. Possible???

2008-10-21 Thread Steven Truong
On Tue, Oct 21, 2008 at 12:06 AM, mouss <[EMAIL PROTECTED]> wrote:
> Steven Truong a écrit :
>> Dear, all.  I am running into a scenario where I might need to deliver
>> the same incoming email for a user to 2 different IMAP servers.
>>
>> Is there anyway to implement it with Postfix with its various transport maps?
>>
>> I have for example [EMAIL PROTECTED] and I would like all emails for
>> this user to be delivered to 2 different imapd servers.  I would like
>> to do that because the first imap server store all emails in Mysql or
>> DB database and I do not like this architect so much.  I also have a
>> Cyrus IMAP server that has run for a couple of years without any
>> problems and I would like to have this Cyrus IMAP server as a
>> backup/archive of users emails.
>>
>> I also think of another possibilities that instead of having this Cyrus
>> IMAP server, I might have a Mail ARCHIVA http://www.mailarchiva.com/
>> to backup all emails.  In this scenario I only have one IMAP server
>> that stores all emails in MySQL or DB database and if the database got
>> corrupted and I failed to recover its database then that would be
>> extremely bad and unacceptable. I might recover users' emails from
>> Mail Archiva but the process might be very tedious and cumbersome.
>>
>> Is there anyway to achieve what I would like to do?
>>
>
>
> you can use virtual_alias_maps:
>
> [EMAIL PROTECTED]    [EMAIL PROTECTED], [EMAIL PROTECTED]
>
> and use transport_maps to route copy.example.com to a given transport
> (or MDA).
>
> You can also use recipient_bcc_maps.
>
>
> if copy.example.com is delivered via smtp, you can rewrite the address
> back to [EMAIL PROTECTED] using smtp_generic_maps.
>

Thank you very much for all the information.  I am going to look into
these suggestions.


Re: mail.btopenworld.com randomly transmogrifies into pop-smtp1-f.bt.mail.vip.ird.yahoo.com, defeating SASL.

2008-10-21 Thread Stroller


On 21 Oct 2008, at 18:05, Stroller wrote:

...
I'm pretty sure that I read something about this a couple of weeks  
ago (when I was setting this system up) and that a later version of  
Postfix behaves in the desired manner, but I can't find the resource  
for this now. I obviously wanted to stick with the version installed  
by Apple and, having stuck the square brackets around  
[mail.btopenworld.com] in the relayhost line of main.cf it _seemed_  
to be all working.


Sorry... I meant to say:

$ postconf  | grep mail_version
mail_version = 2.1.5
$

Stroller.



mail.btopenworld.com randomly transmogrifies into pop-smtp1-f.bt.mail.vip.ird.yahoo.com, defeating SASL.

2008-10-21 Thread Stroller

Hi Brian,

I'll comment on your remarks regarding reject_unverified_sender later,  
when I've had the opportunity to read / test thoroughly.



On 21 Oct 2008, at 17:24, Brian Evans - Postfix List wrote:

...
BTW.. btopenworld.com use yahoo MXs:
[EMAIL PROTECTED] ~ $ host btopenworld.com
btopenworld.com has address 213.121.143.193
btopenworld.com mail is handled by 30 mx2.bt.mail.yahoo.com.
btopenworld.com mail is handled by 20 mx1.bt.mail.yahoo.com.

The original message issue, that caused the bounce, can be solved by
using SASL on the smtp client to begin with.
See http://www.postfix.org/SASL_README.html#client_sasl for details.



Unfortunately there's more to it than this.

SASL is already configured on the host:

$ sudo grep btopenworld.com /etc/postfix/*
/etc/postfix/main.cf:relayhost = [mail.btopenworld.com]
/etc/postfix/sasl_passwd:mail.btopenworld.com	[EMAIL PROTECTED]:password

Binary file /etc/postfix/sasl_passwd.db matches
$

Unfortunately, something random appears to be happening involving the
relayhost mail.btopenworld.com randomly transmogrifying into
pop-smtp1-f.bt.mail.vip.ird.yahoo.com - presumably this is what's
preventing postfix from authenticating to it:


$ for foo in 1 2 3 4 5 6 7 8 9 10 ; do echo "Subject: test $foo of 10 from [EMAIL PROTECTED]" | /usr/sbin/sendmail -f [EMAIL PROTECTED] [EMAIL PROTECTED] ; sleep 5 ; done

$ grep stellar /var/log/mail.log
Oct 21 18:00:46 freds-computer postfix/smtp[9252]: E17D427B8F8: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=2, status=sent (250 ok 1224608450 qp 17271)
Oct 21 18:00:50 freds-computer postfix/smtp[9252]: EA10027B8FA: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=1, status=sent (250 ok 1224608454 qp 28650)
Oct 21 18:00:57 freds-computer postfix/smtp[9252]: B730927B8FC: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=2, status=sent (250 ok 1224608461 qp 65459)
Oct 21 18:01:02 freds-computer postfix/smtp[9252]: BC9BF27B8FE: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=2, status=sent (250 ok 1224608465 qp 56539)
Oct 21 18:01:06 freds-computer postfix/smtp[9252]: C20EF27B900: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=1, status=sent (250 ok 1224608470 qp 18520)
Oct 21 18:01:13 freds-computer postfix/smtp[9252]: C79AC27B902: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=3, status=sent (250 ok 1224608477 qp 65839)
Oct 21 18:01:19 freds-computer postfix/smtp[9252]: CD6D427B904: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=4, status=sent (250 ok 1224608483 qp 33693)
Oct 21 18:01:21 freds-computer postfix/smtp[9252]: D31C427B906: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=1, status=sent (250 ok 1224608485 qp 65680)
Oct 21 18:01:26 freds-computer postfix/smtp[9252]: D89AE27B908: to=<[EMAIL PROTECTED]>, relay=pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192], delay=1, status=bounced (host pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192] said: 530 authentication required - for help go to http://help.yahoo.com/help/us/mail/pop/pop-11.html (in reply to MAIL FROM command))
Oct 21 18:01:32 freds-computer postfix/smtp[9252]: DE04A27B90D: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=2, status=sent (250 ok 1224608495 qp 66901)

$ host mail.btopenworld.com
mail.btopenworld.com has address 217.146.188.192
mail.btopenworld.com is an alias for pop-smtp.bt.mail.yahoo.com.
pop-smtp.bt.mail.yahoo.com is an alias for pop-smtp1-f.bt.mail.vip.ird.yahoo.com.

mail.btopenworld.com is an alias for pop-smtp.bt.mail.yahoo.com.
pop-smtp.bt.mail.yahoo.com is an alias for pop-smtp1-f.bt.mail.vip.ird.yahoo.com.

pop-smtp1-f.bt.mail.vip.ird.yahoo.com mail is handled by 0 .
$ host 217.146.188.192
192.188.146.217.in-addr.arpa domain name pointer mail.btopenworld.com.


I'm pretty sure that I read something about this a couple of weeks ago  
(when I was setting this system up) and that a later version of  
Postfix behaves in the desired manner, but I can't find the resource  
for this now. I obviously wanted to stick with the version installed  
by Apple and, having stuck the square brackets around  
[mail.btopenworld.com] in the relayhost line of main.cf it _seemed_ to  
be all working. As you can see from all the output above, the problem  
is not consistent, so I didn't notice it in my testing and it was only  
after a week or two of use that the user became aware that SOME  
recipients were not receiving messages.


The temptation is obviously to stick pop-smtp.bt.mail.yahoo.com and  
pop-smtp1-f.bt.mail.vip.ird.yahoo.com in the sasl_passwd.db with the  
same credentials, but I fear this will break in the future when BT  
alias to yet another different mailserver.


Stroller.
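
A check for the symptom shown in the log above, as an added example that is not part of the original post: it parses Postfix `smtp` delivery lines and reports deliveries logged under a relay name other than the configured `relayhost`, deliveries refused with 530, and IP addresses that appear under more than one name. The sample lines are constructed by abridging the quoted log (placeholder recipient, help URL dropped) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: three lines abridged from the mail.log excerpt above.
# The recipient is a placeholder (the archive redacts it) and the help URL in
# the 530 reply is dropped.
SAMPLE_LOG = """\
Oct 21 18:01:21 freds-computer postfix/smtp[9252]: D31C427B906: to=<user@example.invalid>, relay=mail.btopenworld.com[217.146.188.192], delay=1, status=sent (250 ok 1224608485 qp 65680)
Oct 21 18:01:26 freds-computer postfix/smtp[9252]: D89AE27B908: to=<user@example.invalid>, relay=pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192], delay=1, status=bounced (host pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192] said: 530 authentication required (in reply to MAIL FROM command))
Oct 21 18:01:32 freds-computer postfix/smtp[9252]: DE04A27B90D: to=<user@example.invalid>, relay=mail.btopenworld.com[217.146.188.192], delay=2, status=sent (250 ok 1224608495 qp 66901)
"""

# One Postfix smtp(8) delivery record: queue ID, recipient, relay name with
# optional [ip], final status and the text in the trailing parentheses.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^\[,]+)(?:\[(?P<ip>[^\]]+)\])?.*?"
    r"status=(?P<status>\w+) \((?P<reply>.*)\)$"
)


def normalize_relayhost(relayhost):
    """Turn a main.cf relayhost value such as '[host]:587' into a bare name."""
    host = re.sub(r":\d+$", "", relayhost.strip())
    return host.strip("[]").lower()


def parse_deliveries(log_text):
    """Return one dict per delivery record found in the log text."""
    records = []
    for line in log_text.splitlines():
        match = DELIVERY.search(line.rstrip())
        if match:
            records.append(match.groupdict())
    return records


def audit(log_text, relayhost):
    """Summarise where the logged relay name and the configured one diverge."""
    expected = normalize_relayhost(relayhost)
    renamed, auth_rejected = [], []
    names_by_ip = defaultdict(set)
    for rec in parse_deliveries(log_text):
        name = rec["relay"].lower()
        if rec["ip"]:
            names_by_ip[rec["ip"]].add(name)
        if name != expected:
            renamed.append(rec["qid"])
        # "said: 530" is the server refusing mail from an unauthenticated client.
        if rec["status"] == "bounced" and re.search(r"said: 530\b", rec["reply"]):
            auth_rejected.append(rec["qid"])
    multi = {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) > 1}
    return {"renamed": renamed, "auth_rejected": auth_rejected,
            "multi_name_ips": multi}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, "[mail.btopenworld.com]")
    print("logged under another name:", result["renamed"])
    print("refused with 530:         ", result["auth_rejected"])
    for ip, names in result["multi_name_ips"].items():
        print(f"{ip} seen as: {', '.join(names)}")
```

Run against the real mail.log, an overlap between the first two lists shows whether the 530 refusals line up with the deliveries logged under the other name.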


Re: Problem sending to one user on domain

2008-10-21 Thread Brian Evans - Postfix List
Robert Fitzpatrick wrote:
> I have a certain user that I try to send mail to on an Earthlink domain
> and receive this error...
>
> RCPT TO <[EMAIL PROTECTED]> failed: <[EMAIL PROTECTED]>:
> Recipient address rejected: unverified address: connect to
> mx00-dom.earthlink.net[207.217.125.16]:25: Operation timed out
>
> As you can see, we do address verification, but the problem appears to
> be timing out. But I send to another user on the same domain and the
> message goes out without delay both before and after this error. I
> looked up this other user message in the logs and their address was
> verified OK and used the same IP address for successful delivery. What
> does this tell me?
>
>   
I suggest that you do *not* use reject_unverified_recipient for the
entire internet.
If you accept the mail from reliable sources, your server will retry
until it gets an answer.


The current best use view of reject_unverified_(recipient|sender) is to
use for your domains that you control.


Brian


Re: from=<> emails

2008-10-21 Thread Brian Evans - Postfix List
Stroller wrote:
> Hi there,
>
> A customer of mine is, unfortunately, using BT Internet as her ISP,
> and sending email via Postfix on Mac OS 10.4
>
> It seems that she is not getting notification when mail is bounced
> because this lame ISP rejects the "from" address of the bounce, and
> another bounce is created. See the 946CA27AABB message below:
>
> Oct 20 10:22:21 freds-computer postfix/smtp[5906]: E7B8B27AAB6:
> to=<[EMAIL PROTECTED]>,
> relay=pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192],
> delay=29, status=bounced (host
> pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192] said: 530
> authentication required - Your email could not be sent. To fix this
> you must make a simple change to your email (known as SMTP
> authentication). For advice visit www.btyahoo.com/smtp (in reply to
> MAIL FROM command))
> Oct 20 10:22:21 freds-computer postfix/qmgr[5905]: 946CA27AABB:
> from=<>, size=52364, nrcpt=1 (queue active)
> Oct 20 10:22:21 freds-computer postfix/qmgr[5905]: E7B8B27AAB6: removed
> Oct 20 10:22:23 freds-computer postfix/smtp[5906]: 946CA27AABB:
> to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192],
> delay=2, status=bounced (host mail.btopenworld.com[217.146.188.192]
> said: 553 From: address not verified; see
> http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom-07.html (in
> reply to MAIL FROM command))
>
> I'll start poking at the SMTP authentication part in a moment, but
> leaving that (message E7B8B27AAB6) aside completely, can anyone tell
> me, please, how to change the from address of the bounce messages,
> please? At least if she has notification of the failures she knows to
> call me & I can take a look at the problem; as things stand she just
> discovers after some days that the recipient has  received no mail
> from her.
>
The host mail.btopenworld.com is trying to use reject_unverified_sender
(or equivalent) for the null sender.
This is wrong and they need to fix it.

To get some notifications, look at notify_classes (
http://www.postfix.org/postconf.5.html#notify_classes ). 
Suggest 'notify_classes = resource, software, 2bounce' until you solve
the real first problem and contact the source of the 2nd.
2bounce allows double bounces to be saved to a mailbox.
The 2bounce recipient can be defined by 2bounce_notice_recipient

BTW.. btopenworld.com use yahoo MXs:
[EMAIL PROTECTED] ~ $ host btopenworld.com
btopenworld.com has address 213.121.143.193
btopenworld.com mail is handled by 30 mx2.bt.mail.yahoo.com.
btopenworld.com mail is handled by 20 mx1.bt.mail.yahoo.com.

The original message issue, that caused the bounce, can be solved by
using SASL on the smtp client to begin with.
See http://www.postfix.org/SASL_README.html#client_sasl for details.

Brian


Re: Unknown SASL Authentication

2008-10-21 Thread Asai
Indeed it's a postfix logwatch entry.  Here's a grep of the IP address 
from /var/log/maillog


triata postfix/smtpd[11490]: connect from unknown[218.30.101.41]
Oct 20 23:56:49 triata sqlgrey: grey: from awl match: updating 218.30.101.41(218.30.101.41), [EMAIL PROTECTED]([EMAIL PROTECTED])
Oct 20 23:56:49 triata postfix/smtpd[11490]: 76BE9FD8041: client=unknown[218.30.101.41], [EMAIL PROTECTED]
Oct 20 23:56:50 triata postfix/smtpd[11490]: disconnect from unknown[218.30.101.41]
Oct 20 23:57:00 triata amavis[11434]: (11434-01) Passed CLEAN, [218.30.101.41] [218.30.101.41] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: SULYJRvIb9wQ, Hits: -0.479, size: 25777, queued_as: 3299FFD8047, 9828 ms


Noel Jones wrote:

Asai wrote:

Greetings,

In the server log files I got back this morning, I see in the records 
this entry:


1   Unknown
   1   Unknown
      1   218.30.101.41   unknown


Normally this will give me an email address on top, the AUTH type 
next, and the IP at the bottom with the reverse DNS there. I checked 
the IP address and it's in China, so it's definitely not one of our 
users.  Can anyone tell me how to interpret this, and to plug any 
holes which might be allowing this?


--
asai



This isn't a postfix log entry, and without context I can't tell what 
you are looking at or what problem you are trying to solve.  Maybe 
this is just a failed AUTH attempt, which isn't terribly unusual.


Showing postfix logs of the incident you are investigating would be 
most helpful.


http://www.postfix.org/DEBUG_README.html#mail



--
asai



Re: Unknown SASL Authentication

2008-10-21 Thread Noel Jones

Asai wrote:

Greetings,

In the server log files I got back this morning, I see in the records 
this entry:


1   Unknown
   1   Unknown
      1   218.30.101.41   unknown


Normally this will give me an email address on top, the AUTH type next, 
and the IP at the bottom with the reverse DNS there. I checked the IP 
address and it's in China, so it's definitely not one of our users.  Can 
anyone tell me how to interpret this, and to plug any holes which might 
be allowing this?


--
asai



This isn't a postfix log entry, and without context I can't 
tell what you are looking at or what problem you are trying to 
solve.  Maybe this is just a failed AUTH attempt, which isn't 
terribly unusual.


Showing postfix logs of the incident you are investigating 
would be most helpful.


http://www.postfix.org/DEBUG_README.html#mail

--
Noel Jones


from=<> emails

2008-10-21 Thread Stroller

Hi there,

A customer of mine is, unfortunately, using BT Internet as her ISP,  
and sending email via Postfix on Mac OS 10.4


It seems that she is not getting notification when mail is bounced  
because this lame ISP rejects the "from" address of the bounce, and  
another bounce is created. See the 946CA27AABB message below:


Oct 20 10:22:21 freds-computer postfix/smtp[5906]: E7B8B27AAB6: to=<[EMAIL PROTECTED]>, relay=pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192], delay=29, status=bounced (host pop-smtp1-f.bt.mail.vip.ird.yahoo.com[217.146.188.192] said: 530 authentication required - Your email could not be sent. To fix this you must make a simple change to your email (known as SMTP authentication). For advice visit www.btyahoo.com/smtp (in reply to MAIL FROM command))
Oct 20 10:22:21 freds-computer postfix/qmgr[5905]: 946CA27AABB: from=<>, size=52364, nrcpt=1 (queue active)
Oct 20 10:22:21 freds-computer postfix/qmgr[5905]: E7B8B27AAB6: removed
Oct 20 10:22:23 freds-computer postfix/smtp[5906]: 946CA27AABB: to=<[EMAIL PROTECTED]>, relay=mail.btopenworld.com[217.146.188.192], delay=2, status=bounced (host mail.btopenworld.com[217.146.188.192] said: 553 From: address not verified; see http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom-07.html (in reply to MAIL FROM command))


I'll start poking at the SMTP authentication part in a moment, but  
leaving that (message E7B8B27AAB6) aside completely, can anyone tell  
me, please, how to change the from address of the bounce messages,  
please? At least if she has notification of the failures she knows to  
call me & I can take a look at the problem; as things stand she just  
discovers after some days that the recipient has  received no mail  
from her.


Cheers,

Stroller.


Problem sending to one user on domain

2008-10-21 Thread Robert Fitzpatrick
I have a certain user that I try to send mail to on an Earthlink domain
and receive this error...

RCPT TO <[EMAIL PROTECTED]> failed: <[EMAIL PROTECTED]>:
Recipient address rejected: unverified address: connect to
mx00-dom.earthlink.net[207.217.125.16]:25: Operation timed out

As you can see, we do address verification, but the problem appears to
be timing out. But I send to another user on the same domain and the
message goes out without delay both before and after this error. I
looked up this other user message in the logs and their address was
verified OK and used the same IP address for successful delivery. What
does this tell me?

-- 
Robert



Unknown SASL Authentication

2008-10-21 Thread Asai

Greetings,

In the server log files I got back this morning, I see in the records 
this entry:


1   Unknown
   1   Unknown
      1   218.30.101.41   unknown


Normally this will give me an email address on top, the AUTH type next, 
and the IP at the bottom with the reverse DNS there. I checked the IP 
address and it's in China, so it's definitely not one of our users.  Can 
anyone tell me how to interpret this, and to plug any holes which might 
be allowing this?


--
asai



Re: mail throttling

2008-10-21 Thread Victor Duchovni
On Tue, Oct 21, 2008 at 12:56:12PM +0200, Andreas Schuldei wrote:

> hi!
> 
> i have this in my main.cf:
> 
> destination_concurrency_feedback_debug = yes
> default_destination_rate_delay = 10s
> default_destination_concurrency_limit = 10
> default_destination_concurrency_positive_feedback = 0.05
> default_destination_concurrency_negative_feedback = 1
> default_initial_destination_concurrency = 1

Wow, that's extremely conservative concurrency growth!

> The goal is that the server starts sending mail every 10th
> second, then after 50 mails increase to 2 mails every 10 seconds,
> until it sends 10 mails every ten seconds, ramping up
> slowly.
> 
> But i don't see that happen. If i have
> default_destination_rate_delay set to something other than 0s it
> keeps sending mails every 10s only, no increase in volume.

That's right, the rate delay feature enforces strict (single) message
spacing, the concurrency features are turned off.

> Sometimes, without any apparent errors occurring in the delivery
> queue of that domain, it pauses the delivery to that destination
> domain altogether.

When the unit concurrency channel is slow no new deliveries happen until
the slow message drains.

> how can i combine the "slow start" with the slow sending with
> pauses in between? i use postfix 2.5.5-1.1 from debian testing.

There is no support for this.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: multiple IP addresses/hosts to send/receive email + signed with DKIM+DomainKeys

2008-10-21 Thread Victor Duchovni
On Tue, Oct 21, 2008 at 10:58:21PM +1100, Barney Desmond wrote:

> Oh, it's also meant to be high-performance, something I've done some
> testing on but haven't yet completed.

Comparisons are only fair if it actually takes the trouble to make mail
delivery *reliable* by calling fsync() to commit queued messages to disk
before sending 250 after "." to the sending client.

> The one instance we run for a
> customer has a ceiling of 1200 outgoing connections, which it does hit
> at times.

Postfix has no compiled-in total outgoing connection ceiling, but you
do need a machine that supports epoll, kqueue or devpoll to get past
1024 parallel deliveries.

-- 
Viktor.



Re: My first config - unable to telnet to port 25, virtual.db missing

2008-10-21 Thread Noel Jones

Natxo Asenjo wrote:

On Tue, Oct 21, 2008 at 12:21 PM, Paul Cocker <[EMAIL PROTECTED]> wrote:

I assume from your example that I need to insert an OK at the end of
each line, but the documentation
http://www.postfix.org/postconf.5.html#relay_recipient_maps seems to
suggest I just need a list of addresses.


it's an access table, so the rules for access tables apply
http://www.postfix.org/access.5.html



No, it's not an access table, and the rules are different.
Specifically, the table search order is different.

To answer the original question, the table *must* have a 
result (all postfix tables require a result), but the actual 
value of the result is not used.  What is used in this case is 
whether a result is returned or not.


--
Noel Jones


Re: My first config - unable to telnet to port 25, virtual.db missing

2008-10-21 Thread Natxo Asenjo
On Tue, Oct 21, 2008 at 12:21 PM, Paul Cocker <[EMAIL PROTECTED]> wrote:
> I assume from your example that I need to insert an OK at the end of
> each line, but the documentation
> http://www.postfix.org/postconf.5.html#relay_recipient_maps seems to
> suggest I just need a list of addresses.

it's an access table, so the rules for access tables apply
http://www.postfix.org/access.5.html

-- 
groeten,
Natxo Asenjo


Re: My first config - unable to telnet to port 25, virtual.db missing

2008-10-21 Thread Brian Evans - Postfix List
Paul Cocker wrote:
>>
>> Postfix expects this format:
>> [EMAIL PROTECTED] OK
>>  ^ -> this is a tab
>> 
>
> Thanks for the pointers. I've now set something up, but being more
> comfortable in Windows I've set it all up on that side:
>
> =
> @echo off
> adfind -list -sc exchaddresses:SMTP > validrecipients.txt
> cut -c 6- validrecipients.txt > validrecipients2.txt
> pscp -i "somepath\exchangeuser.ppk" "somepath\Validrecipients.txt" [EMAIL PROTECTED]:/home/someuser
> =
>
> I used -list in adfind to cleanup the output, that way I only need to
> trim the SMTP: bit.
>
> Cut comes from the UnxUtils package, it removes SMTP:
>
> I assume from your example that I need to insert an OK at the end of
> each line, but the documentation
> http://www.postfix.org/postconf.5.html#relay_recipient_maps seems to
> suggest I just need a list of addresses.
>
> Am I missing a page somewhere?
>
>   
All map files are expected to have a result, even if it's discarded
(like in this case).

Since you are using a flat lookup, you still need to run postmap on the
unix or linux side to have Postfix recognize the map.
If you do not have a result, postmap will complain:
postmap: warning: test_map, line 1: expected format: key whitespace value

This will not give the expected result and all lookups will fail.

Brian



Re: multiple IP addresses/hosts to send/receive email + signed with DKIM+DomainKeys

2008-10-21 Thread Barney Desmond
Erbil KARAMAN:
>> actually 'letting MTA figure out how to get it to the internet' is not
>> a great approach for high volume senders.

I meant just in terms of letting the primary postfix instance figure out
 which other postfix instance to pass it to. It's a good generalised
solution that doesn't require mailing software that's smart enough to
send via different instances.

I mention this as being useful because if, like one of our customers,
you sell a service that lets them relay mail via your MTA, you can give
everyone a single entry point and let the MTA do what you want it to do.

>> you want to control 'logically' that no MTA out there supports. If you
>> compare the config options of powerMTA and postfix you will see how
>> they differ as a delivery agent. i wish i had time to implement all
>> those features and more on postfix, but after investigating a little
>> bit seemed like a lot of work to me... because of that i usually use a
>> software 'email sending engine' as an independent middleware to those
>> MTAs..
> 

Wietse Venema wrote:
> Can you be give examples of such features?

Sure, I can think of a few. Selling points of PowerMTA:
 * Goodmail compliance/endorsement/whatever
 * Built-in DKIM/Domainkeys signing
 * Ability to define round-robin pools of src addresses for outgoing mail
 * Ability to associate sender-domains with one or more pools
 * Some amount of reporting/stats/things that marketing people like
 * Might have inbuilt support for "mail merge" type of campaigns

In short, it makes some things easier, in an all-in-one turnkey
e-solution that leverages your assets, letting you better synergise with
your target demographic. Or something. :/

Oh, it's also meant to be high-performance, something I've done some
testing on but haven't yet completed. The one instance we run for a
customer has a ceiling of 1200 outgoing connections, which it does hit
at times. It uses a 2(?) tier directory structure on the filesystem to
help improve performance as well.





Re: Likely Spam.

2008-10-21 Thread Noel Jones

Linux Addict wrote:


Nevermind.. I did strings on one of the messages on "deferred" and got 
the information.




use
postcat -q QUEUEID | more
to view the contents of a queued message.

--
Noel Jones


Re: Likely Spam.

2008-10-21 Thread Noel Jones

Linux Addict wrote:

Regarding your problem, do what Noel said. check how the message entered
your system by finding all message



Could someone please point to the direction of documents for tracking 
Queue ID.?


grep QUEUEID /var/log/maillog
if the mail entered via the "pickup" service, that means a 
local mail submission using the sendmail(1) compatibility 
shim.  If the mail arrived via "smtpd" that means a network 
submission and the source address will be logged.


If the message you track has been in the queue a while the 
originating log entry could be in an older rotated log file.


--
Noel Jones
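
The trace described in the post above, as an added example that is not part of the original message: it collects every log entry for one queue ID and reports whether the message entered through `pickup` (local submission) or `smtpd` (network, with the client address), or that the originating entry is not in this file. The log lines are constructed (PIDs, uid, sender addresses and the queue ID 0123456789A are made up; the `smtpd` client line follows one quoted elsewhere in this archive) and the function name is hypothetical.

```python
import re

# Constructed sample log. Only the smtpd "client=" line mirrors an entry quoted
# in this archive; everything else is made up for the example.
SAMPLE_LOG = """\
Oct 20 10:22:01 freds-computer postfix/pickup[5904]: E7B8B27AAB6: uid=501 from=<sender@example.invalid>
Oct 20 10:22:01 freds-computer postfix/qmgr[5905]: E7B8B27AAB6: from=<sender@example.invalid>, size=51200, nrcpt=1 (queue active)
Oct 20 23:56:49 triata postfix/smtpd[11490]: connect from unknown[218.30.101.41]
Oct 20 23:56:49 triata postfix/smtpd[11490]: 76BE9FD8041: client=unknown[218.30.101.41]
Oct 20 23:56:50 triata postfix/qmgr[11400]: 76BE9FD8041: from=<sender@example.invalid>, size=25777, nrcpt=1 (queue active)
Oct 21 09:00:00 triata postfix/qmgr[11400]: 0123456789A: from=<sender@example.invalid>, size=26000, nrcpt=1 (queue active)
"""

# Any Postfix entry that carries a queue ID right after the "service[pid]:" tag.
ENTRY = re.compile(
    r"postfix/(?P<service>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
PICKUP = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD = re.compile(r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")


def trace_origin(log_text, queue_id):
    """Classify how the message with this queue ID entered the system."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.search(line.rstrip())
        if match and match.group("qid") == queue_id:
            entries.append((match.group("service"), match.group("rest")))

    for service, rest in entries:
        if service == "pickup":
            found = PICKUP.search(rest)
            if found:
                # Local submission through the sendmail(1) command.
                return {"origin": "local", "uid": int(found.group("uid")),
                        "sender": found.group("sender"),
                        "entries": len(entries)}
        elif service == "smtpd":
            found = SMTPD.search(rest)
            if found:
                # Network submission: the connecting client is recorded.
                return {"origin": "network", "host": found.group("host"),
                        "ip": found.group("ip"), "entries": len(entries)}

    # Queue ID present (or not) but no pickup/smtpd entry in this file: the
    # originating line may be in an older, rotated log.
    return {"origin": "not-in-this-log", "entries": len(entries)}


if __name__ == "__main__":
    for qid in ("E7B8B27AAB6", "76BE9FD8041", "0123456789A"):
        print(qid, trace_origin(SAMPLE_LOG, qid))
```

An `entries` count above zero with origin `not-in-this-log` is the cue to repeat the search over the rotated log files.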


Re: Likely Spam.

2008-10-21 Thread Linux Addict
On Tue, Oct 21, 2008 at 7:19 AM, Linux Addict <[EMAIL PROTECTED]> wrote:

>
>
> On Tue, Oct 21, 2008 at 3:29 AM, mouss <[EMAIL PROTECTED]> wrote:
>
>> Linux Addict a écrit :
>>
>> > [snip]
>> > local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps
>> > $alias_maps
>>
>> remove $virtual_alias_maps from local_recipient_maps.
>>
>> > [snip]
>> > mynetworks_style = class
>>
>> remove mynetworks_style (mynetworks is enough).
>>
>> > [snip] relay_domains = $mydestination
>>
>> set
>> relay_domains =
>>
>> The $mydestination setting is for compatibility reasons, and given your
>> mydestination setting, you don't need it (you don't want mail to
>> [EMAIL PROTECTED]).
>>
>> > [snip]
>> > smtpd_recipient_restrictions = permit_mynetworks,
>> >  permit_sasl_authenticated,reject_unauth_destination,
>> >  reject_invalid_hostname,reject_unauth_pipelining,
>>
>> reject_unauth_pipelining is useless here.
>>
>> >  reject_non_fqdn_sender,reject_unknown_sender_domain,
>> >  reject_non_fqdn_recipient,reject_unknown_recipient_domain,
>>
>> reject_unknown_recipient_domain is useless here. it only checks your own
>> domains.
>>
>> >  reject_rbl_client blackholes.easynet.nl,
>> >reject_rbl_client cbl.abuseat.org,
>> >reject_rbl_client proxies.blackholes.wirehub.net,
>> >reject_rbl_client bl.spamcop.net,
>> >reject_rbl_client sbl.spamhaus.org,
>> >reject_rbl_client dnsbl.njabl.org,
>> >reject_rbl_client list.dsbl.org,
>> >reject_rbl_client multihop.dsbl.org,
>> >permit
>>
>>
>> you should check that the DNSBLs you use are active. You can start with
>>http://spamlinks.net/filter-dnsbl-dead.htm
>> In particular, blackholes.easynet.nl and *.dsbl.org are gone.
>>
>> and I don't think blackholes.wirehub.net does anything (it once (2003)
>> became blackholes.easynet.nl, which is dead now).
>>
>> and instead of using cbl and sbl, use xbl-sbl.spamhaus.org. Or better
>> yet, use zen.spamhaus.org.
>>
>> > [snip]
>>
>>
>> Regarding your problem, do what Noel said. check how the message entered
>> your system by finding all message
>>
>>
>
> Could someone please point to the direction of documents for tracking Queue
> ID.?
>


Nevermind.. I did strings on one of the messages on "deferred" and got the
information.


Re: Likely Spam.

2008-10-21 Thread Linux Addict
On Tue, Oct 21, 2008 at 3:29 AM, mouss <[EMAIL PROTECTED]> wrote:

> Linux Addict a écrit :
>
> > [snip]
> > local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps
> > $alias_maps
>
> remove $virtual_alias_maps from local_recipient_maps.
>
> > [snip]
> > mynetworks_style = class
>
> remove mynetworks_style (mynetworks is enough).
>
> > [snip] relay_domains = $mydestination
>
> set
> relay_domains =
>
> The $mydestination setting is for compatibility reasons, and given your
> mydestination setting, you don't need it (you don't want mail to
> [EMAIL PROTECTED]).
>
> > [snip]
> > smtpd_recipient_restrictions = permit_mynetworks,
> >  permit_sasl_authenticated,reject_unauth_destination,
> >  reject_invalid_hostname,reject_unauth_pipelining,
>
> reject_unauth_pipelining is useless here.
>
> >  reject_non_fqdn_sender,reject_unknown_sender_domain,
> >  reject_non_fqdn_recipient,reject_unknown_recipient_domain,
>
> reject_unknown_recipient_domain is useless here. it only checks your own
> domains.
>
> >  reject_rbl_client blackholes.easynet.nl,
> >reject_rbl_client cbl.abuseat.org,
> >reject_rbl_client proxies.blackholes.wirehub.net,
> >reject_rbl_client bl.spamcop.net,
> >reject_rbl_client sbl.spamhaus.org,
> >reject_rbl_client dnsbl.njabl.org,
> >reject_rbl_client list.dsbl.org,
> >reject_rbl_client multihop.dsbl.org,
> >permit
>
>
> you should check that the DNSBLs you use are active. You can start with
>http://spamlinks.net/filter-dnsbl-dead.htm
> In particular, blackholes.easynet.nl and *.dsbl.org are gone.
>
> and I don't think blackholes.wirehub.net does anything (it once (2003)
> became blackholes.easynet.nl, which is dead now).
>
> and instead of using cbl and sbl, use xbl-sbl.spamhaus.org. Or better
> yet, use zen.spamhaus.org.
>
> > [snip]
>
>
> Regarding your problem, do what Noel said. check how the message entered
> your system by finding all message
>
>

Could someone please point to the direction of documents for tracking Queue
ID.?


Re: Books on Postfix

2008-10-21 Thread James Brown


On 21/10/2008, at 9:27 AM, Stephen Holmes wrote:


Well, there's the de facto 'POSTFIX - state of the art message
transport' by Hildebrandt and Koetter.  I found it invaluable, readable
and relatively thorough.  That said, this list is populated with some
incredible minds that would complement any text!

Guy wrote:

Hi guys,

I'm running a few postfix servers at the moment, but I don't really
understand postfix very well so I'm looking for some good books on it.

Preferably one that includes the basics to start with.
Can anyone recommend one or two good books for me to start with? The
Book of Postfix has good recommendations after a quick bit of
googling, but I figured it wouldn't hurt to ask about any others.


I second "The Book of Postfix: State-of-the-art Message Transport"!

Another is "Postfix: The Definitive Guide" by Kyle Dent, published by  
O'Reilly.


James.




mail throttling

2008-10-21 Thread Andreas Schuldei
hi!

i have this in my main.cf:

destination_concurrency_feedback_debug = yes
default_destination_rate_delay = 10s
default_destination_concurrency_limit = 10
default_destination_concurrency_positive_feedback = 0.05
default_destination_concurrency_negative_feedback = 1
default_initial_destination_concurrency = 1

The goal is that the server starts sending mail every 10th
second, then after 50 mails increase to 2 mails every 10 seconds,
until it sends 10 mails every ten seconds, ramping up
slowly.

But i don't see that happen. If i have
default_destination_rate_delay set to something other than 0s it
keeps sending mails every 10s only, no increase in volume.

Sometimes, without any apparent errors occurring in the delivery
queue of that domain, it pauses the delivery to that destination
domain altogether.

from the debugging info i don't see any increase of the "success"
value in

limit 5 window 5 success 0 failure 0 fail_cohorts 0 


how can i combine the "slow start" with the slow sending with
pauses in between? i use postfix 2.5.5-1.1 from debian testing.


RE: My first config - unable to telnet to port 25, virtual.db missing

2008-10-21 Thread Paul Cocker
> -Original Message-
> From: Natxo Asenjo [mailto:[EMAIL PROTECTED] 
> Sent: 07 October 2008 15:54
> To: Paul Cocker
> Cc: postfix-users@postfix.org
> Subject: Re: My first config - unable to telnet to port 25, 
> virtual.db missing
> 
> On Tue, Oct 7, 2008 at 4:06 PM, Paul Cocker 
> <[EMAIL PROTECTED]> wrote:
> > This server is only the secondary mail server for incoming 
> mail, so it 
> > won't be bouncing anything just passing it onto the primary server 
> > which does perform valid recipient checks. I don't see any 
> point doing 
> > it here too as it just means more hits against the AD 
> servers for no 
> > greater effect, unless I needed to lessen the load on the 
> primary MX 
> > server which I don't.
> 
> please do get a relay_recipients map. That way you block all 
> mail at the gate which should not be there. Otherwise you are 
> becoming a source of backscatter.
> 
> We have a similar setup here. I have written a simple batch 
> file which dumps all the e-mail addresses of AD to a file. I 
> copy this file to the postfix gateway, a bit of perl and it 
> is done. It is quite simple actually.
> 
> the batch file uses adfind.exe
> (http://www.joeware.net/freetools/tools/adfind/index.htm) and 
> pscp (from putty); you need to create a key to be able to 
> copy the files to the unix host (but this is not the place to 
> ask). I use a unix user at the postfix box with login name: 
> exchangeuxdf
> 
> -===batch.bat==
> @echo off
> 
> d:
> 
> cd d:\scripts\ldap
> 
> adfind -sc exchaddresses:smtp > d:\scripts\ldap\virtual.txt
> 
> 
> pscp -i "d:\scripts\ldap\exchangeuser.ppk" "D:\Scripts\ldap\virtual.txt" [EMAIL PROTECTED]:/home/exchangeuser
> 
> =
> 
> adfind dumps all smtp addresses to the file virtual.txt and 
> then that file gets copied to the postfix server.
> 
> The format of the virtual.txt is this:
> 
> dn:CN=cn,OU=ou,OU=ou,DC=dc,DC=dc
> >proxyAddresses: SMTP:[EMAIL PROTECTED]
> >proxyAddresses: smtp:[EMAIL PROTECTED]
> >proxyAddresses: smtp:[EMAIL PROTECTED]
> 
> Postfix expects this format:
> [EMAIL PROTECTED] OK
>  ^ -> this is a tab
> 
> so using your favourite scripting language you can quite 
> easily parse it and adapt it to the format postfix wants. I 
> have this script, it works for me:
> 
> ==
> #!/usr/bin/perl
> 
> use warnings;
> use strict;
> use File::Copy;
> 
> # original file from exchange
> my $valid_recpts = "/home/exchange/virtual.txt";
> # final file that will be postmapped
> my $relay_recps = "/home/exchange/relay_recipients";
> # fix those pesky differences between dos and unix
> my $dos2unix = `/usr/bin/dos2unix $valid_recpts`;
> # final relay_recipients map
> my $postfix_relayrcpts = "/etc/postfix/relay_recipients.db";
> # original relay_recipients map
> my $relay_recpsdb = "/home/exchange/relay_recipients.db";
> 
> open(VALID, "< $valid_recpts") or die "$!\n";
> open(RELAY, "> $relay_recps") or die "$!\n";
> 
> while (<VALID>) {
>     next unless $_ =~ /^.*(smtp:)(.*\.nl)$/i;
>     print RELAY "$2\tOK\n";
> }
> 
> close(VALID);
> close(RELAY);
> 
> # otherwise exchange cannot overwrite it
> # (chown needs a numeric uid and gid, so look them up first)
> my ($uid, $gid) = (getpwnam("exchangeuser"))[2, 3];
> chown $uid, $gid, $valid_recpts;
> 
> my $postmap = `/usr/sbin/postmap $relay_recps`;
> 
> move($relay_recpsdb, $postfix_relayrcpts);
> 
> 
> 
> in main.cf the relevant part for relay_recipients is:
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> 
> We run those scripts every 6 hours. This setup has been 
> working for over a year now and e-mail has stopped being an 
> issue for us.
> 

Thanks for the pointers. I've now set something up, but being more
comfortable in Windows I've set it all up on that side:

=
@echo off
adfind -list -sc exchaddresses:SMTP > validrecipients.txt
cut -c 6- validrecipients.txt > validrecipients2.txt
pscp -i "somepath\exchangeuser.ppk" "somepath\Validrecipients.txt" [EMAIL PROTECTED]:/home/someuser
=

I used -list in adfind to clean up the output, that way I only need to
trim the SMTP: bit.

Cut comes from the UnxUtils package, it removes SMTP:

I assume from your example that I need to insert an OK at the end of
each line, but the documentation
http://www.postfix.org/postconf.5.html#relay_recipient_maps seems to
suggest I just need a list of addresses.

Am I missing a page somewhere?

> HTH.
> --
> Groeten,
> J.Asenjo
> 



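The conversion discussed in this message, as an added example that is not code from either poster: it accepts both adfind output shapes shown above (the `proxyAddresses:` dump and the `-list` form with its `SMTP:` prefix), writes the tab-separated `address<TAB>OK` lines that `postmap` reads, and refuses to install an empty or sharply shrunken list, so a truncated export cannot make the gateway reject valid recipients. The function names, the `example.nl` domain, the sample addresses and the 50% shrink threshold are assumptions.

```python
import os
import re
import tempfile

# Constructed sample input: the proxyAddresses dump and the -list shape.
SAMPLE_DUMP = (
    "dn:CN=Jan,OU=Users,DC=example,DC=nl\r\n"
    ">proxyAddresses: SMTP:Jan.Jansen@example.nl\r\n"
    ">proxyAddresses: smtp:jj@example.nl\r\n"
    ">proxyAddresses: X400:c=NL;a= ;p=Example;s=Jansen\r\n"
    ">proxyAddresses: smtp:jan@other.example.com\r\n"
)
SAMPLE_LIST = "SMTP:Piet@example.nl\nsmtp:bad address@example.nl\nSMTP:piet@example.nl\n"

# "smtp:" followed by one address with no whitespace, up to end of line.
ADDR = re.compile(r"smtp:([^\s@<>,]+@[a-z0-9.-]+)\s*$", re.IGNORECASE)


def extract_recipients(text, domains):
    """Return sorted, lower-cased, de-duplicated addresses in `domains`."""
    found = set()
    for line in text.splitlines():  # splitlines() also handles DOS \r\n
        match = ADDR.search(line)
        if match:
            addr = match.group(1).lower()
            if addr.rsplit("@", 1)[1] in domains:
                found.add(addr)
    return sorted(found)


def render_map(addresses):
    """postmap input is 'key whitespace value'; 'OK' is the value used in the thread."""
    return "".join(f"{addr}\tOK\n" for addr in addresses)


def safe_to_install(new, old, max_shrink=0.5):
    """Refuse an empty list, or one under max_shrink of the previous size."""
    return bool(new) and not (old and len(new) < len(old) * max_shrink)


def install_map(path, addresses, old):
    """Write the map beside `path` and rename it into place; False if refused."""
    if not safe_to_install(addresses, old):
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as handle:
        handle.write(render_map(addresses))
    os.replace(tmp, path)  # atomic on POSIX: postmap never sees a half-written file
    return True
```

Run `postmap` on the written file afterwards, as in the quoted script.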

Re: Likely Spam.

2008-10-21 Thread mouss
Linux Addict wrote:

> [snip]
> local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps
> $alias_maps

remove $virtual_alias_maps from local_recipient_maps.

> [snip]
> mynetworks_style = class

remove mynetworks_style (mynetworks is enough).

> [snip] relay_domains = $mydestination

set
relay_domains =

The $mydestination setting is for compatibility reasons, and given your
mydestination setting, you don't need it (you don't want mail to
[EMAIL PROTECTED]).

> [snip]
> smtpd_recipient_restrictions = permit_mynetworks,  
>  permit_sasl_authenticated,reject_unauth_destination,  
>  reject_invalid_hostname,reject_unauth_pipelining,  

reject_unauth_pipelining is useless here.

>  reject_non_fqdn_sender,reject_unknown_sender_domain,  
>  reject_non_fqdn_recipient,reject_unknown_recipient_domain,  

reject_unknown_recipient_domain is useless here. it only checks your own
domains.

>  reject_rbl_client blackholes.easynet.nl,
>reject_rbl_client cbl.abuseat.org,  
>reject_rbl_client proxies.blackholes.wirehub.net,
>reject_rbl_client bl.spamcop.net,
>reject_rbl_client sbl.spamhaus.org,
>reject_rbl_client dnsbl.njabl.org,
>reject_rbl_client list.dsbl.org,
>reject_rbl_client multihop.dsbl.org,
>permit


you should check that the DNSBLs you use are active. You can start with
http://spamlinks.net/filter-dnsbl-dead.htm
In particular, blackholes.easynet.nl and *.dsbl.org are gone.

and I don't think blackholes.wirehub.net does anything (it once (2003)
became blackholes.easynet.nl, which is dead now).

and instead of using cbl and sbl, use xbl-sbl.spamhaus.org. Or better
yet, use zen.spamhaus.org.

> [snip]


Regarding your problem, do what Noel said. check how the message entered
your system by finding all message



Re: Postfix + openldap deliver each emails to Cyrus imapd +any IMAP server. Possible???

2008-10-21 Thread mouss
Steven Truong wrote:
> Dear, all.  I am running into a scenario where I might need to deliver
> the same incoming email for a user to 2 different IMAP servers.
> 
> Is there any way to implement it with Postfix with its various transport maps?
> 
> I have for example [EMAIL PROTECTED] and I would like all emails for
> this user to be delivered to 2 different imapd servers.  I would like
> to do that because the first imap server stores all emails in Mysql or
> DB database and I do not like this architecture so much.  I also have a
> Cyrus IMAP server that has run for a couple of years without any
> problems and I would like to have this Cyrus IMAP server as a
> backup/archive of users emails.
> 
> I also think of another possibility that instead of having this Cyrus
> IMAP server, I might have a Mail ARCHIVA http://www.mailarchiva.com/
> to backup all emails.  In this scenario I only have one IMAP server
> that stores all emails in MySQL or DB database and if the database got
> corrupted and I failed to recover its database then that would be
> extremely bad and unacceptable. I might recover users' emails from
> Mail Archiva but the process might be very tedious and cumbersome.
> 
> Is there any way to achieve what I would like to do?
> 


you can use virtual_alias_maps:

[EMAIL PROTECTED]   [EMAIL PROTECTED], [EMAIL PROTECTED]

and use transport_maps to route copy.example.com to a given transport
(or MDA).

You can also use recipient_bcc_maps.


if copy.example.com is delivered via smtp, you can rewrite the address
back to [EMAIL PROTECTED] using smtp_generic_maps.