Re: [OT] What is a condition for ideal mail server?

[mat x]

On 23-Oct-08, at 8:38 PM, Byung-Hee HWANG wrote:


mouss wrote:

Byung-Hee HWANG a écrit :

[...]

- Use the submission port (587) with TLS+SASL.





What is different between using 25 and using 587?




Use port 587 for SSL (TLS), instead of 25 plain/non-encrypted


:)

Mat X

Re: [OT] What is a condition for ideal mail server?

[Byung-Hee HWANG]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

mouss wrote:
> Byung-Hee HWANG a écrit :
[...]
> - Use the submission port (587) with TLS+SASL.

What is different between using 25 and using 587?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkBQ0sACgkQB00DNxnlnTayJQCdG7s8H783PyWSOhuz84Oz4Z+x
m0IAn1CCxjqKX+J8sIYIgv/WW9hSDq/n
=W+z2
-END PGP SIGNATURE-

Re: Best anti-spam

[mouss]

Ron Winograd a écrit :
> I'm in the same boat. One suggestion (if you are not already doing so)
> is to take advantage of the fact that you can easily tell Postfix to
> send email for only the problem domains through your ISP and
> direct-deliver all the rest. Whenever I encounter a problem with a
> particular domain I just add it to the list of domains to transport
> through  my ISP.
> 

consider
- using a HELO that resolves. srv-vantis.novelics.com does not resolve.
- putting the server in your SPF record or remove the SPF record

Re: Best anti-spam

[Ron Winograd]

Stroller wrote:

On 22 Oct 2008, at 12:56, Richard Foley wrote:

...
spam_ip_regex file:

/[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear to be
connecting from a Dynamic IP address.
This looks fairly useful.  Does anyone else have any experience with 
this
approach, who might be able to offer insight into whether it's valid 
or not?
My experience is on the butt-end of such filters - they're a sure fire 
way to annoy me if I'm sending you mail.


I run a Postfix server on my home ADSL connection and it is extremely 
frustrating to have mail rejected because of that. The common response 
of admins to complaints about this is "you should use your ISP's mail 
server", but really it is just nice to have a a proper "receipt" for 
emails one has sent.


If a message appears undelivered (it may have been incorrectly have 
been classified  as spam by the recipient's filter) then, using 
Postfix & connecting directly, I can say "the mailserver listed in 
your domain's MX records acknowledged receipt for this message at 
$time on $date; here's the log entry". If I use my ISP's relay then 
the blame is uncertain
I'm in the same boat. One suggestion (if you are not already doing so) 
is to take advantage of the fact that you can easily tell Postfix to 
send email for only the problem domains through your ISP and 
direct-deliver all the rest. Whenever I encounter a problem with a 
particular domain I just add it to the list of domains to transport 
through  my ISP.


-- Ron

Re: Likely Spam.

[mouss]

Linux Addict a écrit :
> 
> Thank you guys!! It worked.
> 
> We have escalated to the DEV to fix the problem. Actually  spammers are
> exploiting "Email a Friend" option on our webpage inserting spam note,

I like calling that "Email a victim" :)

I once worked on a project which had a "Invite a friend" function. it
wasn't really abused, but it required a lot of work. I used "Invite a
victim" to explain the need for such work, and to motivate a "mailto:";
link instead, so that people invite their friends using their own mail
system ...

> but there are also legitimate referrals. Its a bit of politics as well
> as DEV is downplaying the issue.
> 
> Thank you again.
> 

Re: Likely Spam.

[Linux Addict]

On Thu, Oct 23, 2008 at 5:49 PM, mouss <[EMAIL PROTECTED]> wrote:

> Linux Addict a écrit :
> > Unfortuantly that hosts also sends some legitimate mails. I just want to
> > block those two mail ids for now.
>
> unfortunately for you, if the host is owned, it will find other sender
> addresses...
>
> >
> > smtpd_sender_restrictions = hash:/etc/postfix/sender_access
> >
>
> put the name of the check explicitely:
>
> smtpd_sender_restrictions =
>check_sender_access hash:/etc/postfix/sender_access
>
> don't forget to postmap the hash map.
>
> > sender_access has following entries, but not working.
> >
> > [EMAIL PROTECTED]   REJECT
> > [EMAIL PROTECTED]  REJECT
> >
> >
> > Anything wrong here?
> >
>
> it's ok, but see note above (a sender address is easily forged unless
> you use reject_sender_login_mismatch).
>





Thank you guys!! It worked.

We have escalated to the DEV to fix the problem. Actually  spammers are
exploiting "Email a Friend" option on our webpage inserting spam note, but
there are also legitimate referrals. Its a bit of politics as well as DEV is
downplaying the issue.

Thank you again.

Re: Likely Spam.

[Noel Jones]

mouss wrote:

Linux Addict a écrit :

smtpd_sender_restrictions = hash:/etc/postfix/sender_access



put the name of the check explicitely:

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access



The OP is using deprecated but valid syntax.  Postfix will 
assume check_{section name}_access when given a bare map name.
(A holdover from ancient days before check_foo_access was 
invented.)


So the reported syntax isn't the problem, but should be fixed 
anyway.


We need to see logs and "postconf -n" to diagnose this further.

--
Noel Jones

Re: Likely Spam.

[Noel Jones]

Linux Addict wrote:


Unfortuantly that hosts also sends some legitimate mails. I just want to 
block those two mail ids for now.


smtpd_sender_restrictions = hash:/etc/postfix/sender_access

sender_access has following entries, but not working.

[EMAIL PROTECTED]    REJECT
[EMAIL PROTECTED]   REJECT


Anything wrong here?




My opinion is the host should removed from the network until 
it's fixed. You already know it's been compromised somehow. 
What if it starts attacking other hosts in your network?


If you can't remove it from the network, I think you should 
reject all mail from that host until it's fixed.  What if it 
starts using a random sender address (I'm surprised it doesn't 
already)?


If you insist on keeping the host on and accepting mail from 
it, you need to:


- press the [plain text] button before posting from gmail. 
The html crap makes it much harder to help you.


- show log entries of what you are trying to block

- show current "postconf -n" output

--
Noel Jones

Re: Likely Spam.

[mouss]

Linux Addict a écrit :
> Unfortuantly that hosts also sends some legitimate mails. I just want to
> block those two mail ids for now.

unfortunately for you, if the host is owned, it will find other sender
addresses...

> 
> smtpd_sender_restrictions = hash:/etc/postfix/sender_access
> 

put the name of the check explicitely:

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access

don't forget to postmap the hash map.

> sender_access has following entries, but not working.
> 
> [EMAIL PROTECTED]   REJECT
> [EMAIL PROTECTED]  REJECT
> 
> 
> Anything wrong here?
> 

it's ok, but see note above (a sender address is easily forged unless
you use reject_sender_login_mismatch).

Re: Likely Spam.

[Linux Addict]

On Thu, Oct 23, 2008 at 5:15 PM, Noel Jones <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>
>>
>> On Tue, Oct 21, 2008 at 7:33 AM, Noel Jones <[EMAIL PROTECTED]> [EMAIL PROTECTED]>> wrote:
>>
>>Linux Addict wrote:
>>
>>
>>Nevermind.. I did strings on one of the messages on "deferred"
>>and got the information.
>>
>>
>>use
>>postcat -q QUEUEID | more
>>to view the contents of a queued messsage.
>>
>>--Noel Jones
>>
>>
>>
>> I got the culprit. Its was one of the internal host. Now how do I reject
>> any mail from that particular email address. I tried with sender_access, but
>> not working. Any ideas?
>>
>> Thanks, LA
>>
>>
>>
>
> Use a check_client_access table to reject that host's IP.
>
> sample config:
>
> #main.cf
> smtpd_client_restrictions =
>  check_client_access hash:/etc/postfix/client_blacklist
>
>
> # /etc/postfix/client_blacklist
> 192.168.1.33  REJECT your computer has a virus.
>
> then run:
> # postmap client_blacklist
>
> # postfix reload
>
> If you don't have a smtpd_client_restrictions section in your main.cf yet,
> the above example should work fine as is.
>
> --
> Noel Jones
>

Unfortuantly that hosts also sends some legitimate mails. I just want to
block those two mail ids for now.

smtpd_sender_restrictions = hash:/etc/postfix/sender_access

sender_access has following entries, but not working.

[EMAIL PROTECTED]   REJECT
[EMAIL PROTECTED]  REJECT


Anything wrong here?

Re: Likely Spam.

[Noel Jones]

Linux Addict wrote:



On Tue, Oct 21, 2008 at 7:33 AM, Noel Jones <[EMAIL PROTECTED] 
> wrote:


Linux Addict wrote:


Nevermind.. I did strings on one of the messages on "deferred"
and got the information.


use
postcat -q QUEUEID | more
to view the contents of a queued messsage.

-- 
Noel Jones




I got the culprit. Its was one of the internal host. Now how do I reject 
any mail from that particular email address. I tried with sender_access, 
but not working. Any ideas?


Thanks, LA





Use a check_client_access table to reject that host's IP.

sample config:

#main.cf
smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/client_blacklist


# /etc/postfix/client_blacklist
192.168.1.33  REJECT your computer has a virus.

then run:
# postmap client_blacklist

# postfix reload

If you don't have a smtpd_client_restrictions section in your 
main.cf yet, the above example should work fine as is.


--
Noel Jones

Re: Likely Spam.

[Linux Addict]

On Tue, Oct 21, 2008 at 7:33 AM, Noel Jones <[EMAIL PROTECTED]> wrote:

> Linux Addict wrote:
>
>>
>> Nevermind.. I did strings on one of the messages on "deferred" and got the
>> information.
>>
>>
> use
> postcat -q QUEUEID | more
> to view the contents of a queued messsage.
>
> --
> Noel Jones
>


I got the culprit. Its was one of the internal host. Now how do I reject any
mail from that particular email address. I tried with sender_access, but not
working. Any ideas?

Thanks, LA

Re: Problem sending to one user on domain

[Robert Fitzpatrick]

On Tue, 2008-10-21 at 20:36 +0200, mouss wrote:
> Robert Fitzpatrick a écrit :
> > On Tue, 2008-10-21 at 12:34 -0400, Brian Evans - Postfix List wrote:
> >> The current best use view of reject_unverified_(recipient|sender) is
> >> to
> >> use for your domains that you control.
> > 
> > Thanks, and yes, I agree this should be done. We currently use LDAP
> > lookups for transports. Is there a way to tie
> > reject_unverified_(recipient|sender) to domains using LDAP lookups? 
> 
> If it's LDAP, then use reject_unlisted_recipient. simply configure the
> list of valid users in the various mumble_recipient_maps and you're done.
> 
> note that recipient validation is done by default, so this is not
> necessary. but you can use it explictely to reject a transaction before
> doing expensive checks (reject_rbl_*...)
> 
> > [snip]

Thanks, but we don't use LDAP for storing addresses, only transport
maps. I need to do address verification only to our transports, we're
now using verification for all. So, I'm looking for a way to hopefully
use our entries for transport maps to determine which domains to do
address verification. Right now, our transport maps are determined as
follows...

esmtp# cat postfix/ldap/transport.cf
bind = no
server_host = ldapi:///
version = 3
search_base = ou=Domains,dc=example,dc=net
query_filter = (dc=%s)
result_attribute = mailRoutingAddress
result_format = smtp:[%s]
esmtp# ldapsearch -LLL "(dc=example.com)" mailRoutingAddress
dn: dc=example.com,ou=domains,dc=example,dc=net
mailRoutingAddress: 1.2.3.4
esmtp# postmap -q example.com ldap:/usr/local/etc/postfix/ldap/transport.cf
smtp:[1.2.3.4]

-- 
Robert

Re: Outgoing IP address

[mouss]

Robert Fitzpatrick a écrit :
> I have an SMTP server down and would like to use another box
> temporarily. The IP address of the down server is setup with reverse
> DNS. I added this IP address as an alias to the interface on the temp
> box, can Postfix control the IP used to send and allow me to use that
> alias IP address when sending out so the reverse DNS will keep working?
> Right now, it looks like mail is coming from the primary IP address of
> the interface. And will this work for my purposes?
> 


do these

1- Take this as a lesson, and setup reverse dns for all of your IPs.
so chose some names and use them. make sure reverse and forward match:

192.0.2.3  => foo.example.com
foo.example.com => 192.0.2.3

note that the name identifies the IP, not the mail domain or anything.

2- use
smtp_bind_address = 192.0.2.3
to set tell smtp to bind to this IP (smtp_bind_address6 if using IPv6).
note that with this smtp will always use this IP (contrast with the
default when smtp binds to "any address" and it is the routing code that
selects the source IP based on the route (outgoing interface).

Re: Outgoing IP address

[Jorey Bump]

Robert Fitzpatrick wrote, at 10/23/2008 03:58 PM:
> I have an SMTP server down and would like to use another box
> temporarily. The IP address of the down server is setup with reverse
> DNS. I added this IP address as an alias to the interface on the temp
> box, can Postfix control the IP used to send and allow me to use that
> alias IP address when sending out so the reverse DNS will keep working?
> Right now, it looks like mail is coming from the primary IP address of
> the interface. And will this work for my purposes?

http://www.postfix.org/postconf.5.html#smtp_bind_address

Outgoing IP address

[Robert Fitzpatrick]

I have an SMTP server down and would like to use another box
temporarily. The IP address of the down server is setup with reverse
DNS. I added this IP address as an alias to the interface on the temp
box, can Postfix control the IP used to send and allow me to use that
alias IP address when sending out so the reverse DNS will keep working?
Right now, it looks like mail is coming from the primary IP address of
the interface. And will this work for my purposes?

-- 
Robert

Re: fighting spam with recipient limits

[Noel Jones]

Eugene Vilensky wrote:

Hi,

I'd like to be able to set a hard limit on the number of recipients
that postfix will ever process, globally across my system.  I see
smtpd_recipient_limit but I think that would have the unintended
consequence of "legitimizing" a ridiculous amount of recipients into
multiple reasonable connection attempts.


Exactly; postfix will process the first $smtpd_recipient_limit 
 recipients and the client is free to immediately reconnect 
and send the next batch.  This behavior is mandated in the RFCs.


Some zombies may not reconnect after the initial batch of 
recipients but greylisting is a better countermeasure against 
this behavior.




Are there any postfix configuration settings that would reject
messages from a client MUA if the message contains too many
recipients?

Thanks!
--Eugene


To reject messages exceeding some limit with a permanent error 
code, you need a policy service.

http://www.postfix.org/addon.html#policy

--
Noel Jones

fighting spam with recipient limits

[Eugene Vilensky]

Hi,

I'd like to be able to set a hard limit on the number of recipients
that postfix will ever process, globally across my system.  I see
smtpd_recipient_limit but I think that would have the unintended
consequence of "legitimizing" a ridiculous amount of recipients into
multiple reasonable connection attempts.

Are there any postfix configuration settings that would reject
messages from a client MUA if the message contains too many
recipients?

Thanks!
--Eugene

Re: Postfix - altermime - amavis - Too many hops

[Mark Martinec]

Peter,

> > >>> disclaimer unix-   n   n   -   -   pipe
> > >>> flags=Rq user=altermime argv=/etc/postfix/filter/disclaimer -f
> > >>> ${sender} -- ${recipient}
> > >>> It leads to error: Too many hops , in the log there is loop.
> > >> so your filter is passing mail back to an smtpd that passes it to
> > >> the same filter, and so on.

> > >>> So the question is where can I put the content_filter=disclaimer:
> > >>> work only for outgoing emails , into which smtpd process?

Amavisd can call altermime directly for adding disclaimers,
it already knows how to distinguish inbound vs. outbound mail
(by matching recipients to @local_domains_maps, and mail source
to @mynetworks or 'originating' attribute). As you are already
using it, it would probably simplify setup to call altermime
from there.

Search RELEASE_NOTES for:
- provided interface code to allow mangling/defanging/sanitation
  to be performed by an external utility, either by [...]

Mark

Re: lost connection after CONNECT from localhost[127.0.0.1]

[Wietse Venema]

Diego Liziero:
> Yes, definitely.
> 
> > Postfix reports a broken connection as coming from "localhost" only
> > when the kernel reports an errno of ENOTSOCK.
> 
> Forgive me if I'm asking something you might have already answered,
> is it easy to change the wrong error message for this case to
> something that could point the user to the fact that the socket
> disappeared before postfix could serve it?

By definition, a non-error result from accept(2) is a socket.
Reporting ENOTSOCK on such sockets is a kernel bug.

Postfix receives legitimate mail submissions via non-socket
inputs, and those submissions must not be reported as coming from
"unknown".

Wietse

Re: [UNDERSTOOD, THANKS] Inconsistency?

[Jan P. Kessler]

Victor Duchovni wrote:
> Yes, the lookup key in transport was historically domain only, and also
> supports parent-domain lookups via .parent, while the address mapping
> tables just support [EMAIL PROTECTED], @domain. So as not to confuse bare
> users (for domains in $mydestination) with bare domains.
>
> The transport never user bare user names.
>   

Thank you for clarification!

Re: Inconsistency?

[Victor Duchovni]

On Thu, Oct 23, 2008 at 05:37:56PM +0200, Jan P. Kessler wrote:

> Is there any reason why the transport_table wants
> 
> domain   

Actully, it wants:

domain  transport[:nexthop]

> while sender_dependent_relayhost_maps wants
> 
> @domain   

Yes, the lookup key in transport was historically domain only, and also
supports parent-domain lookups via .parent, while the address mapping
tables just support [EMAIL PROTECTED], @domain. So as not to confuse bare
users (for domains in $mydestination) with bare domains.

The transport never user bare user names.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

RE: Postfix - altermime - amavis - Too many hops

[Jevos, Peter]

> >> Jevos, Peter a écrit :
> >>> Dear all
> >>>
> >>> I'd like to ask you a question.
> >>>
> >>> In my master.cf is:
> >>>
> >>> [snip]
> >>> ##disclaimer
> >>> disclaimer unix-   n   n   -   -   pipe
> >>> flags=Rq user=altermime argv=/etc/postfix/filter/disclaimer -f
> >>> ${sender} -- ${recipient}
> >>>
> >>>
> >>> It leads to error: Too many hops , in the log there is loop.
> >> so your filter is passing mail back to an smtpd that passes it to
> the
> >> same filter, and so on.
> >>
> >> if your filter resubmits mail via the sendmail command and if you
> don't
> >> want to filter mail submitted via the sendmail command, then add
> >>
> >>-o content_filter=
> >>
> >> to the pickup service (in master.cf).
> >>
> >>
> >>
> >>> [snip]
> >>>
> >>> So the question is where can I put the content_filter=disclaimer:
> to
> >>> work only for outgoing emails , into which smtpd process?
> >>>
> >> you can use the FILTER statement in smtpd restrictions.
> >>
> > Thank you for your answer.  When I added o content_filter= into the
> pickup line it works. No more loops.
> >
> > But still I'm recieving the disclaimer also for incoming mail, which
> is clear cause filter is located in the amavis filter:
> > ...
> > 127.0.0.1:10025 inet n  -   n -   -  smtpd
> > -o content_filter=disclaimer:
> > -o local_recipient_maps=
> >
> > 
> >
> > So I have to take it away and put somewhere else.
> > Can you please describe more FILTER statement or better put some
> example for me ?
> 
> 
> 
> smtpd_sender_restrictions =
>   check_client_access pcre:/etc/postfix/filter_outbound
>   permit_mynetworks
>   permit_sasl_authenticated
>   check_client_access pcre:/etc/postfix/filter_inbound
> 
> == filter_outbound
> # filter for outbound mail
> /./   FILTER yourfilter:[127.0.0.1]:10587
> 
> = filter_inbound
> # filter for inbound mail
> /./   FILTER yourfilter:[127.0.0.1]:10030
> 
> 
> of course, you can't do this after amavisd-new, since at this time you
> don't know if mail is inbound or outbound.
> 
> you need to think your mail path carefully.

Thank you for your example, I already read FILTER_README and also Book of 
Postfix but I'm missing more examples.
If I understood it correctly I have created:

cat /etc/postfix/filter_outbound
/./ FILTER altermime:[127.0.0.1]:10587

cat /etc/postfix/filter_inbound
/./ FILTER smtp-amavis:[127.0.0.1]:10024

I have adjusted smtpd_sender_restrictions as you adviced and removed 
content_filter = smtp-amavis:[127.0.0.1]:10024 from main.cf


Now I have in my master.cf:

smtp-amavis unix -  -   n -   5  smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -   n -   -  smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
...

And where I can put the syntax for filter_outbound smtpd daemon in the 
master.cf?

I know that postfix cannot distinguished inbound or outbound traffic , but I'm 
still using only one eth card. I've found some examples with 2 smtpd instances 
but i'm not sure if it's right solution for me.
I just want to use altermime only for outgoing traffic

Thank you

BR

PEter

Inconsistency?

[Jan P. Kessler]

Is there any reason why the transport_table wants

domain   

while sender_dependent_relayhost_maps wants

@domain   

regards, Jan

Re: Content Filter - Advanced [SOLVED]

[Duane Hill]

Disregard.

On Wed, 22 Oct 2008, Duane Hill wrote:

I've been able to get a simple content filter running using the example from 
(http://www.postfix.org/FILTER_README.html). However, am having problems 
getting it to run configured as shown under the advanced content filter 
section. I'm not seeing something right. The error shown in the logs is:


Oct 22 19:44:40 duane postfix/smtp[52112]: D769D2E01A: 
to=<[EMAIL PROTECTED]>, relay=192.168.1.10[192.168.1.10]:10025, 
delay=429, delays=129/0.03/300/0, dsn=4.4.2, status=deferred (conversation 
with 192.168.1.10[192.168.1.10] timed out while receiving the initial server 
greeting)
Oct 22 19:44:40 duane postfix/smtp[52117]: 117B42E059: 
to=<[EMAIL PROTECTED]>, orig_to=<10026>, 
relay=192.168.1.10[192.168.1.10]:10025, delay=301, delays=0.73/0.02/300/0, 
dsn=4.4.2, status=deferred (conversation with 192.168.1.10[192.168.1.10] 
timed out while receiving the initial server greeting)
Oct 22 19:44:40 duane postfix/smtp[52117]: 117B42E059: 
to=<[EMAIL PROTECTED]>, orig_to=<192.168.1.10>, 
relay=192.168.1.10[192.168.1.10]:10025, delay=301, delays=0.73/0.02/300/0, 
dsn=4.4.2,status=deferred (conversation with 192.168.1.10[192.168.1.10] timed 
out while receiving the initial server greeting)


# postconf -n
alias_database = $alias_maps
alias_maps = hash:/usr/local/etc/postfix/aliases
biff = no
body_checks = pcre:/usr/local/etc/postfix/body_checks
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = msgcolor:192.168.1.10:10025
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
disable_vrfy_command = yes
header_checks = pcre:/usr/local/etc/postfix/header_checks
html_directory = no
inet_interfaces = 192.168.1.10
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 262144000
mime_header_checks = pcre:/usr/local/etc/postfix/mime_header_checks
mydestination = $myhostname
mydomain = $myhostname
mynetworks = 192.168.1.10
nested_header_checks =
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_client_port_logging = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

duane# egrep '^[^#]' master.cf
smtp   inet  n   -   n   -   -   smtpd
msgcolor   unix  -   -   n   -   10  smtp
 -o smtp_send_xforward_command=yes
 -o disable_mime_output_conversion=yes
 -o smtp_generic_maps=
192.168.1.10:10025 inet n n  n   -   10  spawn
 user=filter argv=/usr/local/etc/postfix/filter/msgcolor.sh 192.168.1.10 
10026

192.168.1.10:10026 inet n -  n   -   10  smtpd
 -o content_filter=
 -o 
receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters

 -o smtpd_helo_restrictions=
 -o smtpd_client_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=192.168.1.0/24
 -o smtpd_authorized_xforward_hosts=192.168.1.0/24
pickupfifo  n   -   n   60  1   pickup
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
tlsmgrunix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounceunix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verifyunix  -   -   n   -   1   verify
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   n   -   -   smtp
relay unix  -   -   n   -   -   smtp
   -o smtp_fallback_relay=
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
retry unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scacheunix  -   -   n   -   1   scache

-d

Any good way to make this mail setup work

[Paul Cocker]

Having had my awareness of backscatter increased by this list (thanks
everyone) I'm looking to improve the behaviour of our mail servers (and
we've already taken a number of steps). Unfortunately I think our setup
makes this pretty impossible without using a fairly unwieldy setup, but
ideas welcome.

Two mail servers on Barracuda spam filter and one postfix, Barracuda
being the primary MX.

Under the existing setup the postfix (secondary MX) doesn't deliver mail
internally, it passes it on to the Barracuda. The idea being that should
the Barracuda fail we can allow temporary internal delivery from this
server but for 99% of the time manage all mail via a single interface.
The postfix box does run recipient checks on incoming mail but that's
it.

The problem I see is that once the Barracuda bounces a mail forwarded by
postfix with an SPF failure or RBL block we generate backscatter because
Barracuda tells postfix that it's not taking that mail and postfix then
sends a bounce notification.

We could resolve this by allowing the postfix box to deliver internally,
but at that point we now need to check two servers for rejected e-mails,
maintain two white lists, two spam scoring databases etc. I assume this
is more graceful with multiple postfix boxes, but with two differing
systems the potential for human error to cause problems is too great,
plus it doubles the administrative effort required.

At this point I'm left thinking that trying to use these two systems
alongside each other is doomed to either backscatter or administrative
nightmare, but I thought I'd put it out there in case there's some good
way to have them work together. Otherwise it's something for me to raise
when the Barracuda is up for renewal.

Thanks all.

Paul Cocker



TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), 
TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT 
Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post 
Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary 
and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd 
(02556692). All companies are registered in England and Wales; registered 
address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, 
SL7 1HY.

Maillog pattern grep script

[Kenneth Kalmer]

Hi all

http://gist.github.com/19021

It seems quite trivial now that its done, but hopefully someone else can
benefit from it.

The script greps for a pattern in the maillog, extracts the message id's and
then greps for all lines matching the message id. The script is expensive to
run, at 1+N (N == number of matching message id's) greps through the log
file.

Ciao

-- 
Kenneth Kalmer
[EMAIL PROTECTED]
http://opensourcery.co.za

Re: Postfix - altermime - amavis - Too many hops

[mouss]

Jevos, Peter a écrit :
>> -Original Message-
>> From: mouss [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, October 23, 2008 3:01 PM
>> To: Jevos, Peter
>> Cc: Postfix users
>> Subject: Re: Postfix - altermime - amavis - Too many hops
>>
>> Jevos, Peter a écrit :
>>> Dear all
>>>
>>> I'd like to ask you a question.
>>>
>>> In my master.cf is:
>>>
>>> [snip]
>>> ##disclaimer
>>> disclaimer unix-   n   n   -   -   pipe
>>> flags=Rq user=altermime argv=/etc/postfix/filter/disclaimer -f
>>> ${sender} -- ${recipient}
>>>
>>>
>>> It leads to error: Too many hops , in the log there is loop.
>> so your filter is passing mail back to an smtpd that passes it to the
>> same filter, and so on.
>>
>> if your filter resubmits mail via the sendmail command and if you don't
>> want to filter mail submitted via the sendmail command, then add
>>
>>  -o content_filter=
>>
>> to the pickup service (in master.cf).
>>
>>
>>
>>> [snip]
>>>
>>> So the question is where can I put the content_filter=disclaimer: to
>>> work only for outgoing emails , into which smtpd process?
>>>
>> you can use the FILTER statement in smtpd restrictions.
>>
> Thank you for your answer.  When I added o content_filter= into the pickup 
> line it works. No more loops.
> 
> But still I'm recieving the disclaimer also for incoming mail, which is clear 
> cause filter is located in the amavis filter:
> ...
> 127.0.0.1:10025 inet n  -   n -   -  smtpd
> -o content_filter=disclaimer:
> -o local_recipient_maps=
> 
> 
> 
> So I have to take it away and put somewhere else.
> Can you please describe more FILTER statement or better put some example for 
> me ?



smtpd_sender_restrictions =
check_client_access pcre:/etc/postfix/filter_outbound
permit_mynetworks
permit_sasl_authenticated
check_client_access pcre:/etc/postfix/filter_inbound

== filter_outbound
# filter for outbound mail
/./ FILTER yourfilter:[127.0.0.1]:10587

= filter_inbound
# filter for inbound mail
/./ FILTER yourfilter:[127.0.0.1]:10030


of course, you can't do this after amavisd-new, since at this time you
don't know if mail is inbound or outbound.

you need to think your mail path carefully.

RE: Postfix - altermime - amavis - Too many hops

[Jevos, Peter]

> -Original Message-
> From: mouss [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 23, 2008 3:01 PM
> To: Jevos, Peter
> Cc: Postfix users
> Subject: Re: Postfix - altermime - amavis - Too many hops
> 
> Jevos, Peter a écrit :
> > Dear all
> >
> > I'd like to ask you a question.
> >
> > In my master.cf is:
> >
> > [snip]
> > ##disclaimer
> > disclaimer unix-   n   n   -   -   pipe
> > flags=Rq user=altermime argv=/etc/postfix/filter/disclaimer -f
> > ${sender} -- ${recipient}
> >
> >
> > It leads to error: Too many hops , in the log there is loop.
> 
> so your filter is passing mail back to an smtpd that passes it to the
> same filter, and so on.
> 
> if your filter resubmits mail via the sendmail command and if you don't
> want to filter mail submitted via the sendmail command, then add
> 
>   -o content_filter=
> 
> to the pickup service (in master.cf).
> 
> 
> 
> > [snip]
> >
> > So the question is where can I put the content_filter=disclaimer: to
> > work only for outgoing emails , into which smtpd process?
> >
> 
> you can use the FILTER statement in smtpd restrictions.
> 
Thank you for your answer.  When I added o content_filter= into the pickup line 
it works. No more loops.

But still I'm recieving the disclaimer also for incoming mail, which is clear 
cause filter is located in the amavis filter:
...
127.0.0.1:10025 inet n  -   n -   -  smtpd
-o content_filter=disclaimer:
-o local_recipient_maps=



So I have to take it away and put somewhere else.
Can you please describe more FILTER statement or better put some example for me 
?
Thank you

Br

peter

Re: Postfix - altermime - amavis - Too many hops

[mouss]

Jevos, Peter a écrit :
> Dear all
> 
> I'd like to ask you a question.
> 
> In my master.cf is:
> 
> [snip]
> ##disclaimer
> disclaimer unix-   n   n   -   -   pipe
> flags=Rq user=altermime argv=/etc/postfix/filter/disclaimer -f
> ${sender} -- ${recipient}
> 
> 
> It leads to error: Too many hops , in the log there is loop.

so your filter is passing mail back to an smtpd that passes it to the
same filter, and so on.

if your filter resubmits mail via the sendmail command and if you don't
want to filter mail submitted via the sendmail command, then add

-o content_filter=

to the pickup service (in master.cf).



> [snip]
> 
> So the question is where can I put the content_filter=disclaimer: to
> work only for outgoing emails , into which smtpd process?
> 

you can use the FILTER statement in smtpd restrictions.

RE: Altermime and postfix - permission denied, SOLVED - workaround

[Jevos, Peter]

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-postfix-
> [EMAIL PROTECTED] On Behalf Of Jevos, Peter
> Sent: Thursday, October 23, 2008 2:43 PM
> To: Postfix users
> Subject: RE: Altermime and postfix - permission denied, Command died
> with status 1
> 
>  -Original Message-
> > From: [EMAIL PROTECTED] [mailto:owner-postfix-
> > [EMAIL PROTECTED] On Behalf Of Jevos, Peter
> > Sent: Thursday, October 23, 2008 9:56 AM
> > To: Postfix users
> > Subject: RE: Altermime and postfix - permission denied, Command died
> > with status 1
> >
> >
> > > Hi all
> > >
> > > I installed altermime to the working postfix + amavisd mail system
> > >
> > > Unfortunatelly altermime is not working properly.
> > >
> > > cat /etc/postfix/disclaimer
> > > #!/bin/sh
> > >
> > > # System dependent settings
> > > ALTERMIME=/usr/local/bin/altermime
> > > ALTERMIME_DIR=/var/spool/altermime
> > > SENDMAIL=/usr/sbin/sendmail
> > >
> > > # Exit codes of commands invoked by Postfix are expected
> > > # to follow the conventions defined in .
> > > TEMPFAIL=75
> > > UNAVAILABLE=69
> > >
> > > # Change in to alterMIME's working directory
> > > # Notify Postfix if 'cd' fails.
> > > cd $ALTERMIME_DIR || { echo $ALTERMIME_DIR does not exist; exit
> > > $TEMPFAIL; }
> > >
> > > # Clean up when done or when aborting.
> > > trap "rm -f in.$$" 0 1 2 3 15
> > >
> > > # Write mail to a temporary file
> > > # Notify Postfix if this fails
> > > cat >in.$$ || { echo Cannot write to $ALTERMIME_DIR; exit
> $TEMPFAIL;
> > }
> > >
> > > # Call alterMIME, hand over the message and
> > > # tell alterMIME what to do with it
> > > $ALTERMIME --input=in.$$ \
> > > --disclaimer=/etc/postfix/disclaimer.txt \
> > > --disclaimer-html=/etc/postfix/disclaimer.txt \
> > > --xheader="X-Copyrighted-Material: Mycompany Inc.'s
> > Message
> > > Disclaimer" || \
> > > { echo Message content rejected; exit $UNAVAILABLE; }
> > >
> > > # Call sendmail to reinject the message into Postfix
> > > $SENDMAIL -i "$@"  > >
> > > # Use sendmail's EXIT STATUS to tell Postfix
> > > # how things went.
> > > exit $?
> > >
> > > My master.cf looks like:
> > >
> > > 
> > > 127.0.0.1:10025 inet n  -   n -   -  smtpd
> > > -o content_filter=disclaimer:
> > > -o local_recipient_maps=
> > > -o relay_recipient_maps=
> > > -o smtpd_restriction_classes=
> > > -o smtpd_delay_reject=no
> > > -o smtpd_client_restrictions=permit_mynetworks,reject
> > > -o smtpd_helo_restrictions=
> > > -o smtpd_sender_restrictions=
> > > -o
> smtpd_recipient_restrictions=permit_mynetworks,reject
> > > -o smtpd_data_restrictions=reject_unauth_pipelining
> > > -o smtpd_end_of_data_restrictions=
> > > -o mynetworks=127.0.0.0/8
> > > -o strict_rfc821_envelopes=yes
> > > -o smtpd_error_sleep_time=0
> > > -o smtpd_soft_error_limit=1001
> > > -o smtpd_hard_error_limit=1000
> > > -o smtpd_client_connection_count_limit=0
> > > -o smtpd_client_connection_rate_limit=0
> > > -o receive_override_options=no_header_body_checks
> > > ##disclaimer
> > > disclaimer unix-   n   n   -   -
pipe
> > > flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender}
> --
> > > ${recipient}
> > >
> > > 
> > >
> > > test:/etc/postfix # ls -all /etc/postfix/disclaimer*
> > > -rwxr-x--- 1 root filter 1167 Oct 22 17:15 /etc/postfix/disclaimer
> > > -rw-r- 1 root filter   21 Oct 22 17:16
> > /etc/postfix/disclaimer.txt
> > >
> > > ls -all /usr/local/bin/altermime
> > > -rwxr-xr-x 1 root root 94K Oct 22 16:44 /usr/local/bin/altermime*
> > >
> > > ls -all /var/spool/filter/
> > > total 8
> > > drwxr-x---  2 filter filter 4096 Oct 22 16:21 .
> > > drwxr-xr-x 16 root   root   4096 Oct 22 16:21 ..
> > >
> > > I guess all permissions are right.
> > >
> > > Log shows:
> > >
> > > Oct 22 17:20:20 testmonit pipe[15358]: fatal: pipe_comand: execvp
> > > /etc/postfix/disclaimer: Permission denied
> > > Oct 22 17:20:20 testmonit imapd: Connection, ip=[:::127.0.0.1]
> > > ..
> > > ...
> > > Oct 22 17:20:21 testmonit postfix/pipe[15355]: 32CDE65B2C:
> > > to=<[EMAIL PROTECTED]>, relay=disclaimer, delay=1, status=bo
> > > unced (Command died with status 1: "/etc/postfix/disclaimer")
> > >
> > > I'm using opensuse, therefore I don't have installed SELinux
> > >
> > > Thanks for any advice
> > >
> > > BR
> > >
> > > Peter
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:owner-postfix-
> > > [EMAIL PROTECTED] On Behalf Of Wietse Venema
> > > Sent: Wednesday, October 22, 2008 6:52 PM
> > > To: Postfix users
> > > Subject: Re: Altermime and postfix - permission denied, Command
> died
> > > with status 1
> > >
> > > When reasonable file permissions don't work, consider fixing
> > > k

Postfix - altermime - amavis - Too many hops

[Jevos, Peter]

Dear all

I'd like to ask you a question.

In my master.cf is:

smtp  inet  n   -   n   -   -   smtpd


127.0.0.1:10025 inet n  -   n -   -  smtpd
-o content_filter=disclaimer:
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks
##disclaimer
disclaimer unix-   n   n   -   -   pipe
flags=Rq user=altermime argv=/etc/postfix/filter/disclaimer -f
${sender} -- ${recipient}


It leads to error: Too many hops , in the log there is loop.

When I change it to:

smtp  inet  n   -   n   -   -   smtpd
-o content_filter=disclaimer:

127.0.0.1:10025 inet n  -   n -   -  smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks
##disclaimer
disclaimer unix-   n   n   -   -   pipe
flags=Rq user=altermime argv=/etc/postfix/filter/disclaimer -f
${sender} -- ${recipient}

It works fine but also for incoming emails too, which is clear

So the question is where can I put the content_filter=disclaimer: to
work only for outgoing emails , into which smtpd process?

Thanks

Br

peter

RE: Altermime and postfix - permission denied, Command died with status 1

[Jevos, Peter]

 -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-postfix-
> [EMAIL PROTECTED] On Behalf Of Jevos, Peter
> Sent: Thursday, October 23, 2008 9:56 AM
> To: Postfix users
> Subject: RE: Altermime and postfix - permission denied, Command died
> with status 1
> 
> 
> > Hi all
> >
> > I installed altermime to the working postfix + amavisd mail system
> >
> > Unfortunatelly altermime is not working properly.
> >
> > cat /etc/postfix/disclaimer
> > #!/bin/sh
> >
> > # System dependent settings
> > ALTERMIME=/usr/local/bin/altermime
> > ALTERMIME_DIR=/var/spool/altermime
> > SENDMAIL=/usr/sbin/sendmail
> >
> > # Exit codes of commands invoked by Postfix are expected
> > # to follow the conventions defined in .
> > TEMPFAIL=75
> > UNAVAILABLE=69
> >
> > # Change in to alterMIME's working directory
> > # Notify Postfix if 'cd' fails.
> > cd $ALTERMIME_DIR || { echo $ALTERMIME_DIR does not exist; exit
> > $TEMPFAIL; }
> >
> > # Clean up when done or when aborting.
> > trap "rm -f in.$$" 0 1 2 3 15
> >
> > # Write mail to a temporary file
> > # Notify Postfix if this fails
> > cat >in.$$ || { echo Cannot write to $ALTERMIME_DIR; exit $TEMPFAIL;
> }
> >
> > # Call alterMIME, hand over the message and
> > # tell alterMIME what to do with it
> > $ALTERMIME --input=in.$$ \
> > --disclaimer=/etc/postfix/disclaimer.txt \
> > --disclaimer-html=/etc/postfix/disclaimer.txt \
> > --xheader="X-Copyrighted-Material: Mycompany Inc.'s
> Message
> > Disclaimer" || \
> > { echo Message content rejected; exit $UNAVAILABLE; }
> >
> > # Call sendmail to reinject the message into Postfix
> > $SENDMAIL -i "$@"  >
> > # Use sendmail's EXIT STATUS to tell Postfix
> > # how things went.
> > exit $?
> >
> > My master.cf looks like:
> >
> > 
> > 127.0.0.1:10025 inet n  -   n -   -  smtpd
> > -o content_filter=disclaimer:
> > -o local_recipient_maps=
> > -o relay_recipient_maps=
> > -o smtpd_restriction_classes=
> > -o smtpd_delay_reject=no
> > -o smtpd_client_restrictions=permit_mynetworks,reject
> > -o smtpd_helo_restrictions=
> > -o smtpd_sender_restrictions=
> > -o smtpd_recipient_restrictions=permit_mynetworks,reject
> > -o smtpd_data_restrictions=reject_unauth_pipelining
> > -o smtpd_end_of_data_restrictions=
> > -o mynetworks=127.0.0.0/8
> > -o strict_rfc821_envelopes=yes
> > -o smtpd_error_sleep_time=0
> > -o smtpd_soft_error_limit=1001
> > -o smtpd_hard_error_limit=1000
> > -o smtpd_client_connection_count_limit=0
> > -o smtpd_client_connection_rate_limit=0
> > -o receive_override_options=no_header_body_checks
> > ##disclaimer
> > disclaimer unix-   n   n   -   -   pipe
> > flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender}
--
> > ${recipient}
> >
> > 
> >
> > test:/etc/postfix # ls -all /etc/postfix/disclaimer*
> > -rwxr-x--- 1 root filter 1167 Oct 22 17:15 /etc/postfix/disclaimer
> > -rw-r- 1 root filter   21 Oct 22 17:16
> /etc/postfix/disclaimer.txt
> >
> > ls -all /usr/local/bin/altermime
> > -rwxr-xr-x 1 root root 94K Oct 22 16:44 /usr/local/bin/altermime*
> >
> > ls -all /var/spool/filter/
> > total 8
> > drwxr-x---  2 filter filter 4096 Oct 22 16:21 .
> > drwxr-xr-x 16 root   root   4096 Oct 22 16:21 ..
> >
> > I guess all permissions are right.
> >
> > Log shows:
> >
> > Oct 22 17:20:20 testmonit pipe[15358]: fatal: pipe_comand: execvp
> > /etc/postfix/disclaimer: Permission denied
> > Oct 22 17:20:20 testmonit imapd: Connection, ip=[:::127.0.0.1]
> > ..
> > ...
> > Oct 22 17:20:21 testmonit postfix/pipe[15355]: 32CDE65B2C:
> > to=<[EMAIL PROTECTED]>, relay=disclaimer, delay=1, status=bo
> > unced (Command died with status 1: "/etc/postfix/disclaimer")
> >
> > I'm using opensuse, therefore I don't have installed SELinux
> >
> > Thanks for any advice
> >
> > BR
> >
> > Peter
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:owner-postfix-
> > [EMAIL PROTECTED] On Behalf Of Wietse Venema
> > Sent: Wednesday, October 22, 2008 6:52 PM
> > To: Postfix users
> > Subject: Re: Altermime and postfix - permission denied, Command died
> > with status 1
> >
> > When reasonable file permissions don't work, consider fixing
> > killing Selinux, Apparmor, and so on.
> >
> > Wietse
> 
> Dear Wietse, thank you for your answer
> 
> 
> I'm using opensuse, and i don't have installed Selinux or Apparmor
> 
> Can anybody think about this prblem ?
> 
> I have used setting from Book Of Postfix and I repaired it with
current
> Errata (http://www.postfix-book.com/errata.html ) from the pages
> 
> Thanks in advance
> 
> peter

So I have found out when I change permission for disclaimer files it
works fine, so it means the other user is accessing these 2 files

testmon

Re: Best anti-spam

[MailingListe]

Zitat von Leonardo Rodrigues Magalhães <[EMAIL PROTECTED]>:




Roman Medina-Heigl Hernandez escreveu:

- I wouldn't set up a global greylist filter, because all my receiving mail
is going to be delayed (I guess my users don't like this ;-))



   after years deploying mail servers with greylisting enabled, i think
you should definitely, at least, try to greylist all your users. After
years doing that, i can guarantee that only quite a few users will even
notice the initial delay. The majority of users wont notice the mail
delay. And for those who noticed, most of them are quite happy knowing
that that's a new anti-spam feature, because they indeed are receiving
less spams.

   and you should notice, as well, that deploying greylist may require
a good work on building some whitelists for matching your traffic. That
can help a lot avoiding the initial mail delay for messages coming from
big ISPs from your country and for big worldwide mail ISPs, like
Hotmail, Gmail, Yahoo, etc etc.

   but what about SPAMs that cames from hotmail/gmail/yahoo ?
Greylist wont help there  greylist only tries to separate real mail
servers and one-shoot softwares that spammers uses. If some spammers
uses a real server for sending spam messages, than it would pass
greylist anyway, as the server, at some point, would retry to send and
the message would be accepted.



100% Ack

We use greylisting with automatic whitelisting of clients which have  
retried (MTAs) and some short list of the most used providers  
(gmx,web.de,hotmail,yahoo...) which we do not greylist. After some  
time nearly all the mailservers used by busines contacts are in the  
whitelist anyway an for new contacts delay of some hours does not  
matter at all.
This saved us form blocking all sort of proviers,TLDs, dynamic-dial-up  
etc. to get rid of most spam. The most affected accounts now get  
around 1 spam a day compared to more then 50 before greylisting.


Regards

Andreas



--
All your trash belong to us ;-)  www.spamschlucker.org
To: [EMAIL PROTECTED]

RE: My first config - unable to telnet to port 25, virtual.db missing

[Paul Cocker]

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
> Sent: 23 October 2008 10:29
> To: postfix-users@postfix.org
> Subject: RE: My first config - unable to telnet to port 25, 
> virtual.db missing
> 
> > ==
> > #!/usr/bin/perl
> > 
> > use warnings;
> > use strict;
> > use File::Copy;
> > 
> > my $valid_recpts = "/home/exchange/virtual.txt"; # original 
> file from 
> > exchange my $relay_recps = 
> "/home/exchange/relay_recipients"; # final 
> > file that will be postmapped my $dos2unix = `/usr/bin/dos2unix 
> > $valid_recpts`; # fix those pesky differences between dos 
> en unix my 
> > $postfix_relayrcpts = "/etc/postfix/relay_recipients.db"; # final 
> > relay_recipients map my $relay_recpsdb = 
> > "/home/exchange/relay_recipients.db"; # original 
> relay_recipients map
> > 
> > open(VALID,"< $valid_recpts") or die "$!\n"; open(RELAY,">
> > $relay_recps") or die "$!\n";
> > 
> > while() {
> > next unless $_ =~ /^.*(smtp:)(.*\.nl)$/i;
> > print RELAY "$2\tOK\n";
> > }
> > 
> > close(VALID);
> > close(RELAY);
> > 
> > chown exchangeuser, exchangeuser, $valid_recpts; # 
> otherwise exchange 
> > cannot overwrite it
> > 
> > my $postmap = `/usr/sbin/postmap $relay_recps`;
> > 
> > move($relay_recpsdb, $postfix_relayrcpts);
> > 
> > 
> > 
> For me this generates the error:
> 
> Bareword "exchange" not allowed while "strict subs" in use at 
> ./parserelay line 23.
> Bareword "exchange" not allowed while "strict subs" in use at 
> ./parserelay line 23.
> Execution of ./parserelay aborted due to compilation errors.
> 

I've worked around this using unlink to remove the file, but I'd still
be interested to know the reason.



TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), 
TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT 
Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post 
Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary 
and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd 
(02556692). All companies are registered in England and Wales; registered 
address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, 
SL7 1HY.

RE: My first config - unable to telnet to port 25, virtual.db missing

[Paul Cocker]

> ==
> #!/usr/bin/perl
> 
> use warnings;
> use strict;
> use File::Copy;
> 
> my $valid_recpts = "/home/exchange/virtual.txt"; # original 
> file from exchange my $relay_recps = 
> "/home/exchange/relay_recipients"; # final file that will be 
> postmapped my $dos2unix = `/usr/bin/dos2unix $valid_recpts`; 
> # fix those pesky differences between dos en unix my 
> $postfix_relayrcpts = "/etc/postfix/relay_recipients.db"; # 
> final relay_recipients map my $relay_recpsdb = 
> "/home/exchange/relay_recipients.db"; # original relay_recipients map
> 
> open(VALID,"< $valid_recpts") or die "$!\n"; open(RELAY,"> 
> $relay_recps") or die "$!\n";
> 
> while() {
> next unless $_ =~ /^.*(smtp:)(.*\.nl)$/i;
> print RELAY "$2\tOK\n";
> }
> 
> close(VALID);
> close(RELAY);
> 
> chown exchangeuser, exchangeuser, $valid_recpts; # otherwise 
> exchange cannot overwrite it
> 
> my $postmap = `/usr/sbin/postmap $relay_recps`;
> 
> move($relay_recpsdb, $postfix_relayrcpts);
> 
> 
> 
For me this generates the error:

Bareword "exchange" not allowed while "strict subs" in use at
./parserelay line 23.
Bareword "exchange" not allowed while "strict subs" in use at
./parserelay line 23.
Execution of ./parserelay aborted due to compilation errors.



TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), 
TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT 
Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post 
Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary 
and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd 
(02556692). All companies are registered in England and Wales; registered 
address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, 
SL7 1HY.

RE: Altermime and postfix - permission denied, Command died with status 1

[Jevos, Peter]

> Hi all
> 
> I installed altermime to the working postfix + amavisd mail system
> 
> Unfortunatelly altermime is not working properly.
> 
> cat /etc/postfix/disclaimer
> #!/bin/sh
> 
> # System dependent settings
> ALTERMIME=/usr/local/bin/altermime
> ALTERMIME_DIR=/var/spool/altermime
> SENDMAIL=/usr/sbin/sendmail
> 
> # Exit codes of commands invoked by Postfix are expected
> # to follow the conventions defined in .
> TEMPFAIL=75
> UNAVAILABLE=69
> 
> # Change in to alterMIME's working directory
> # Notify Postfix if 'cd' fails.
> cd $ALTERMIME_DIR || { echo $ALTERMIME_DIR does not exist; exit
> $TEMPFAIL; }
> 
> # Clean up when done or when aborting.
> trap "rm -f in.$$" 0 1 2 3 15
> 
> # Write mail to a temporary file
> # Notify Postfix if this fails
> cat >in.$$ || { echo Cannot write to $ALTERMIME_DIR; exit $TEMPFAIL; }
> 
> # Call alterMIME, hand over the message and
> # tell alterMIME what to do with it
> $ALTERMIME --input=in.$$ \
> --disclaimer=/etc/postfix/disclaimer.txt \
> --disclaimer-html=/etc/postfix/disclaimer.txt \
> --xheader="X-Copyrighted-Material: Mycompany Inc.'s
Message
> Disclaimer" || \
> { echo Message content rejected; exit $UNAVAILABLE; }
> 
> # Call sendmail to reinject the message into Postfix
> $SENDMAIL -i "$@"  
> # Use sendmail's EXIT STATUS to tell Postfix
> # how things went.
> exit $?
> 
> My master.cf looks like:
> 
> 
> 127.0.0.1:10025 inet n  -   n -   -  smtpd
> -o content_filter=disclaimer:
> -o local_recipient_maps=
> -o relay_recipient_maps=
> -o smtpd_restriction_classes=
> -o smtpd_delay_reject=no
> -o smtpd_client_restrictions=permit_mynetworks,reject
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o smtpd_data_restrictions=reject_unauth_pipelining
> -o smtpd_end_of_data_restrictions=
> -o mynetworks=127.0.0.0/8
> -o strict_rfc821_envelopes=yes
> -o smtpd_error_sleep_time=0
> -o smtpd_soft_error_limit=1001
> -o smtpd_hard_error_limit=1000
> -o smtpd_client_connection_count_limit=0
> -o smtpd_client_connection_rate_limit=0
> -o receive_override_options=no_header_body_checks
> ##disclaimer
> disclaimer unix-   n   n   -   -   pipe
> flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} --
> ${recipient}
> 
> 
> 
> test:/etc/postfix # ls -all /etc/postfix/disclaimer*
> -rwxr-x--- 1 root filter 1167 Oct 22 17:15 /etc/postfix/disclaimer
> -rw-r- 1 root filter   21 Oct 22 17:16 /etc/postfix/disclaimer.txt
> 
> ls -all /usr/local/bin/altermime
> -rwxr-xr-x 1 root root 94K Oct 22 16:44 /usr/local/bin/altermime*
> 
> ls -all /var/spool/filter/
> total 8
> drwxr-x---  2 filter filter 4096 Oct 22 16:21 .
> drwxr-xr-x 16 root   root   4096 Oct 22 16:21 ..
> 
> I guess all permissions are right.
> 
> Log shows:
> 
> Oct 22 17:20:20 testmonit pipe[15358]: fatal: pipe_comand: execvp
> /etc/postfix/disclaimer: Permission denied
> Oct 22 17:20:20 testmonit imapd: Connection, ip=[:::127.0.0.1]
> ..
> ...
> Oct 22 17:20:21 testmonit postfix/pipe[15355]: 32CDE65B2C:
> to=<[EMAIL PROTECTED]>, relay=disclaimer, delay=1, status=bo
> unced (Command died with status 1: "/etc/postfix/disclaimer")
> 
> I'm using opensuse, therefore I don't have installed SELinux
> 
> Thanks for any advice
> 
> BR
> 
> Peter
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-postfix-
> [EMAIL PROTECTED] On Behalf Of Wietse Venema
> Sent: Wednesday, October 22, 2008 6:52 PM
> To: Postfix users
> Subject: Re: Altermime and postfix - permission denied, Command died
> with status 1
> 
> When reasonable file permissions don't work, consider fixing
> killing Selinux, Apparmor, and so on.
> 
>   Wietse

Dear Wietse, thank you for your answer


I'm using opensuse, and i don't have installed Selinux or Apparmor

Can anybody think about this prblem ?

I have used setting from Book Of Postfix and I repaired it with current
Errata (http://www.postfix-book.com/errata.html ) from the pages

Thanks in advance

peter

Re: postmaster.rfc-ignorant.org, Blacklists verwendbar?

[Matthias Haegele]

mouss schrieb:
> mouss a écrit :
>> Matthias Haegele a écrit :

>>> reject_rhsbl_sender bogusmx.abuseat.org
>> ??? do you mean bogusmx.ref-ignorant.org?
> 
> argh. bogusmx.rfc-ignorant.org.
> 
> if there's a typo.keyboard-ignorant.org, count me in.
> 

Argh. Thanks. Seems i totally confused something, should be
bogusmx.rfc-ignorant.org ofc.


-- 
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--