Re: Blocking Spam

2009-01-12 Thread bijayant kumar


Bijayant Kumar


--- On Thu, 8/1/09, Chris Babcock  wrote:

> From: Chris Babcock 
> Subject: Re: Blocking Spam
> To: bijayan...@yahoo.com
> Cc: "postfix" 
> Date: Thursday, 8 January, 2009, 5:39 PM
> > > It's doing what you're asking... "REJECT"
> > > means bounce the message. You
> > > probably want to "DISCARD" it.
> > > 
> > DISCARD means nobody will receive the bounce message, right? If
> > anybody's mail is rejected from our server he/she will never know what
> > was the issue. 
> 
> Right, which is why you should be very careful about where you apply
> that rule. Specifically here you are making a policy to the effect of,
> "If mail claiming to be from one of our users did, in fact, arrive
> from a foreign server then we do not want to send a bounce message."
> That is the rule you are asking how to enforce. Now that you know what
> it means you can make a decision about whether to do it.
> 
> > > There *MAY BE* legitimate reasons for mail to come into
> > > your network from a server outside the network addressed to one of
> > > your users and purporting to be from that user. For example, test
> > > messages from remote workers sending through their home ISP. Just so
> > > that you are aware of the other side of the issue.
> > > 
> > It means that we can not do any thing for that kind of mails at the
> > Postfix level. We have to receive those *SPAM* Mails in which from
> > and to address are same or spams coming from our one of the email
> > addresses to any users, right? If these types of mails can be
> > rejected by the Postfix then please let me know how or any pointer
> > any docs will be very useful to me.
> 
> http://www.postfix.org/access.5.html
> 
> The key is *where* you place the DISCARD action...
> 
> smtpd_recipient_restrictions =
>  permit_mynetworks,
>  reject_unauth_destination
>  YOUR CHECKS HERE
> 
> You've already permitted mail originating from your domain, so if you
> discard mail with addresses from your domain in your checks it only
> affects people claiming to be your users originating mail outside your
> network. That can include remote workers relaying through their home
> ISP's network.
> 
> If, however, you make a policy that your users are not to originate mail
> "from" their accounts outside of your network then you are not dropping
> any legitimate mail. The wisdom of the policy is outside the scope of
> the list, but there's no shortage of people who will either tell you
> "Don't do it," or "Fine, but you need to provide a way (auth) for users
> to follow the policy."
> 
> Chris Babcock

I have implemented this on my main server. I have included the check to reject 
the mails after reject_unauth_destination. Some relevant parts of my postconf:

smtpd_recipient_restrictions =
    permit_mynetworks
    check_recipient_access pcre:/etc/postfix/ascii.pcre
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/check_backscatterer
    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access_sender

From access_sender hashfiles I have started the rejection. But I am facing one 
problem also, my clients have the different webservers/database/test servers 
etc also hosted on another places outside my network. They use to send 
test/alert mails from there to their own domain. Those mails are also getting 
rejected due to this rules. 

I want to ask one thing, can it be possible to block only those mails in which 
"From and To" address are same with help of regular expression support? It 
means that reject mails if From and To address are same otherwise accept.
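
An added example, not part of the original post or of Postfix itself: an access(5) table lookup sees only one key (the sender or the recipient), so a check that compares the two is normally done in a policy delegation service called through check_policy_service, which receives both as attributes. The sketch below shows the decision logic for such a service; the network list, the addresses and the reject text are assumptions made for illustration.

```python
import ipaddress
import sys

# Assumed trusted networks (stand-in for mynetworks); constructed sample values.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def parse_request(text):
    """Parse one policy request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def in_mynetworks(addr):
    """True when the client address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in MYNETWORKS)


def decide(attrs):
    """Return the access action for one RCPT TO request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").strip().lower()
    recipient = attrs.get("recipient", "").strip().lower()
    # The null sender (bounces) and incomplete requests are left to other rules.
    if not sender or not recipient:
        return "DUNNO"
    # Authenticated users and local clients may legitimately mail themselves.
    if attrs.get("sasl_username") or in_mynetworks(attrs.get("client_address", "")):
        return "DUNNO"
    if sender == recipient:
        return "REJECT Sender address equals recipient address"
    # Everything else, including alert mail from outside servers to a
    # different address in the same domain, passes on to later restrictions.
    return "DUNNO"


def respond(request_text):
    """Build the reply Postfix expects: one action line and an empty line."""
    return "action=%s\n\n" % decide(parse_request(request_text))


def main():
    """Serve requests on stdin/stdout, as a spawn(8)-run policy service does."""
    buf = []
    for line in sys.stdin:
        line = line.rstrip("\n")
        if line:
            buf.append(line)
            continue
        sys.stdout.write(respond("\n".join(buf)))
        sys.stdout.flush()
        buf = []


# Constructed sample request: outside client, envelope sender equals recipient.
SAMPLE_SPOOF = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=203.0.113.9\nsasl_username=\n"
    "sender=user@example.com\nrecipient=user@example.com\n\n"
)

if __name__ == "__main__":
    main()
```

The service would be listed where the quoted reply says "YOUR CHECKS HERE", after reject_unauth_destination, so it only ever sees mail addressed to local or relay domains.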




Re: postfix implementation in forum like application - OT

2009-01-12 Thread vivek.agrawal

well since last few days i was working on postfix... so i would like to know
that can we use postfix for this functionality. and if can use postfix which
other tools i will require... I will also go through the mailman. but just
for the correct information. let me know advantage and disadvantage of
postfix for this application.

Terry Carmen wrote:
> 
> vivek.agrawal wrote:
>> hello everyone,
>>  below i have described my application requirements. I need
>> your
>> comments/suggestion.
>>
>> Current application - I have a web application which works like a forum
>> only. only difference is that user can create some thread and only
>> restricted users related with that thread can send and receive message. 
>>
>> new requirement : 1. whenever user u1 will send a message to user u2 on a
>> thread t1 then a mail should send from thread t1's email id. to both the
>> user. 
>>
>> 2. recipient user u2 can reply to that mail by using their own mail
>> application (outlook, web base gui.). once user u2 has replied on that
>> message, replied message should get stored in my own web application
>> database. 
>>
>> currently i am using ubuntu and java for application. Please let me know
>> how
>> i can achieve this functionality. 
>>   
> You're reinventing the wheel.
> 
> Look at mailman or other mailing list managers.
> 
> Terry
> 
> 
> 




Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 15:32, Jim Wright  wrote:

David, you've sent so many messages and replies that quoting  
anything at this point is just wasting bandwidth.  I'm going to jump  
in with a few notes on what I've read here:


First, you are fixating on the wrong problem.  If you have bounces  
that are queued up, this is because you are accepting mail that you  
cannot deliver.  THAT is the problem that needs to be fixed.   
Bounces are bad if you are generating them AFTER you have accepted  
email.  Reject such mails as they are being sent to your server.   
The postfix docs are your friend, read up on this.


You implied that you have postmaster/webmaster accounts but that  
these are not accepting mail?  This is wrong, these addresses should  
be reachable for legitimate email.  Tackle this issue after you've  
fixed the above.  At one point you indicated that these are being  
sent from users on your domain, more likely these are spoofed  
addresses, you need to use some method to authenticate users before  
they can send, accept certain IP ranges, local networks,  
authenticated SMTP users, etc.  Everyone else should be blocked from  
sending.


You claimed that the bounces are for mails that you never sent, and  
were forged.  Is your system an open relay?  Is it accepting mail  
from systems that it shouldn't be?  You will want to take a look at  
who is using your mail server, and only authorized users/systems are  
able to send mail via your mail server.



Tackle these issues, concentrate on one issue at a time.  Review the  
logs of mail as it arrives at your server, test repeatedly.  Out of  
the box, postfix is incredibly stable and secure, but with the wrong  
settings this can be undone.  Finally, if you still need help, run  
the command 'postconf -n', and post the output unfiltered to the  
list.  That will tell what non-standard settings you are using,  
which will likely shed clues to why you are having problems.


Hi Jim,

I found the issue. It's backscatter mail to real recipient addresses.  
At first I was getting non existent as well but stopped those.


I have to employ header and body checks.

Okay my question is I have multiple domains not just one like in the  
code example 'porcupine' given.


How do I code that?

Do I need to string a ton load of domain names or can you use a  
wildcard to match any domain?


If I could trouble for a snip of code I can apply it and let you know.  
It's a live server and I don't want to experiment code when I am not  
sure how to write it.


Thanks again!


Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-12 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni  wrote:
>
> On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote:
>
> > When a sender is not authenticated, and
> > reject_unauthenticated_sender_login_mismatch is specified, postfix takes
> > the MAIL FROM address, looks it up in smtpd_sender_login_maps and if
> > it's found, the message is rejected?
> >
> > Essentially the lookup is just for the existence of the MAIL FROM
> > address in the smtpd_sender_login_maps table?
>
> Yes, that's what I said.
>
> > Am I then correct in concluding that with:
> >
> > smtpd_sender_restrictions =
> > permit_sasl_authenticated,
> > reject_authenticated_sender_login_mismatch,
> > reject
>
> Observe that the order of the first two elements is not entirely
> correct.
>
> > that the permit_sasl_authenticated obviates the need for
> > reject_unauthenticated_sender_login_mismatch?
> > (as there would never be an unauthenticated sender permitted...)
>
> Yes. this saves you a table lookup before unauthenticated senders are
> rejected outright via "reject".
>
> > And am I also correct in concluding that if unauthenticated senders were
> > allowed (as they would have to be for smtpd to accept messages from the
> > internet), that reject_unauthenticated_sender_login_mismatch would
> > prevent any non-authenticated sender from sending a message from (with MAIL
> > FROM) any address listed in my smtpd_sender_login_maps?
>
> Yes, that's what I said.

thank you for confirming, and allowing my still-growing knowledge of postfix to 
confirm your answers. this will help quite a lot!

>
> --
>   Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> 
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
>





Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-12 Thread Victor Duchovni
On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote:

> When a sender is not authenticated, and
> reject_unauthenticated_sender_login_mismatch is specified, postfix takes
> the MAIL FROM address, looks it up in smtpd_sender_login_maps and if  
> it's found, the message is rejected?
> 
> Essentially the lookup is just for the existence of the MAIL FROM  
> address in the smtpd_sender_login_maps table?

Yes, that's what I said.

> Am I then correct in concluding that with:
> 
> smtpd_sender_restrictions =
>   permit_sasl_authenticated,
>   reject_authenticated_sender_login_mismatch,
>   reject

Observe that the order of the first two elements is not entirely
correct.

> that the permit_sasl_authenticated obviates the need for
> reject_unauthenticated_sender_login_mismatch?
> (as there would never be an unauthenticated sender permitted...)

Yes. this saves you a table lookup before unauthenticated senders are
rejected outright via "reject".

> And am I also correct in concluding that if unauthenticated senders were
> allowed (as they would have to be for smtpd to accept messages from the
> internet), that reject_unauthenticated_sender_login_mismatch would  
> prevent any non-authenticated sender from sending a message from (with MAIL  
> FROM) any address listed in my smtpd_sender_login_maps?

Yes, that's what I said.

-- 
Viktor.
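
A small model of the restrictions discussed in this thread, added here as an example; it is not Postfix code and not from any poster. It follows the semantics as described in the replies and in postconf(5), with a constructed sender-login table and exact address keys only, and shows why the order of the first two elements in the posted list matters.

```python
# Constructed stand-in for smtpd_sender_login_maps:
# MAIL FROM address -> SASL login names that own it.
SENDER_LOGIN_MAPS = {
    "alice@example.com": {"alice"},
    "bob@example.com": {"bob"},
}


def _owners(sender):
    """Owners of the MAIL FROM address, or None when it is not in the table."""
    return SENDER_LOGIN_MAPS.get(sender.lower())


def reject_authenticated_sender_login_mismatch(sender, login):
    # Applies to authenticated sessions only: the login must own MAIL FROM.
    if login is None:
        return None
    owners = _owners(sender)
    if owners is None or login not in owners:
        return "REJECT"
    return None


def reject_unauthenticated_sender_login_mismatch(sender, login):
    # Applies to unauthenticated sessions only: a pure existence lookup.
    if login is None and _owners(sender) is not None:
        return "REJECT"
    return None


def reject_sender_login_mismatch(sender, login):
    # The combined restriction: whichever of the two tests fits the session.
    return (reject_authenticated_sender_login_mismatch(sender, login)
            or reject_unauthenticated_sender_login_mismatch(sender, login))


def permit_sasl_authenticated(sender, login):
    return "PERMIT" if login is not None else None


def reject(sender, login):
    return "REJECT"


RESTRICTIONS = {f.__name__: f for f in (
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject,
)}


def evaluate(restriction_list, sender, login=None):
    """First restriction that gives a verdict wins; falling off the end permits."""
    for name in restriction_list:
        verdict = RESTRICTIONS[name](sender, login)
        if verdict is not None:
            return verdict, name
    return "PERMIT", "(end of list)"


# The list as posted: the permit fires before the mismatch test is reached.
POSTED = ["permit_sasl_authenticated",
          "reject_authenticated_sender_login_mismatch",
          "reject"]
# The same elements with the first two swapped.
REORDERED = ["reject_authenticated_sender_login_mismatch",
             "permit_sasl_authenticated",
             "reject"]
# A service that accepts unauthenticated mail from the internet.
INTERNET = ["reject_unauthenticated_sender_login_mismatch"]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("reordered", REORDERED)):
        print(label, evaluate(rules, "bob@example.com", login="alice"))
    print("internet", evaluate(INTERNET, "alice@example.com"))
```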



Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-12 Thread Jeff Weinberger

Viktor Duchovni wrote:

On Mon, Jan 12, 2009 at 01:25:38PM -0800, Jeff Weinberger wrote:


reject_sender_login_mismatch checks the from address against
smtpd_sender_login_maps to be sure that the MAIL FROM address is owned by
the SASL-authenticated sender.

But with reject_unauthenticated_sender_login_mismatch, there is no
SASL-authenticated sender.


This subsumes the functionality of both:

reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch


OK, I missed the first one in the doc, so it makes sense.



if the session is authenticated the first test is applied, otherwise
the second test is applied.


http://www.postfix.com/postconf.5.html says that
reject_unauthenticated_sender_login_mismatch "Enforces the
reject_sender_login_mismatch restriction for unauthenticated clients only"
(and nothing more)

All of that to get to my question:

What does reject_unauthenticated_sender_login_mismatch check the MAIL FROM
address against?


The smtpd_sender_login_maps table.


Sorry, I mis-asked the question. When
reject_authenticated_sender_login_mismatch is specified, postfix takes the
MAIL FROM address, looks it up in the smtpd_sender_login_maps table, and
checks to make sure the authenticated sender is in there and the MAIL FROM
address is owned by the authenticated sender.
So



Or does it just check the smtpd_sender_login_maps for a valid MAIL FROM
address (regardless of ownership)?


s/valid//

If an address is found in the table, and the sender is not authenticated,
the message is rejected.



When a sender is not authenticated, and
reject_unauthenticated_sender_login_mismatch is specified, postfix takes
the MAIL FROM address, looks it up in smtpd_sender_login_maps and if it's
found, the message is rejected?

Essentially the lookup is just for the existence of the MAIL FROM address
in the smtpd_sender_login_maps table?

Am I then correct in concluding that with:

smtpd_sender_restrictions = permit_sasl_authenticated,
reject_authenticated_sender_login_mismatch, reject

that the permit_sasl_authenticated obviates the need for
reject_unauthenticated_sender_login_mismatch?
(as there would never be an unauthenticated sender permitted...)

And am I also correct in concluding that if unauthenticated senders were
allowed (as they would have to be for smtpd to accept messages from the
internet), that reject_unauthenticated_sender_login_mismatch would prevent
any non-authenticated sender from sending a message from (with MAIL FROM)
any address listed in my smtpd_sender_login_maps?



(yes, I'm trying to figure out if using this in my
smtpd_sender_restrictions would help and how it might do so)


If you are already using the combined restriction, there is no point
in adding either of the constituent building-block restrictions.


That makes perfect sense.



If you want to restrict your policy to either the authenticated, or the
unauthenticated case, then replace the combined restriction with the
appropriate more specific restriction.



As you see, I'm more interested in whether
reject_unauthenticated_sender_login_mismatch makes sense at all for my
setup and if so, in which context. If my two conclusions above are correct,
it makes sense on the general access service, but not on the submission
service.

Thank you so much for your help!!


--
Viktor.




Re: having a problem - isp has been black listed in SBL just a test of a work around!

2009-01-12 Thread postmas...@klam.ca
Jim Wright wrote:
> On Jan 12, 2009, at 10:11 PM, postmas...@klam.ca wrote:
>
>> I am not quite sure what that means. My ISP is Velcom's and all of
>> their ips have been blocked, so is Spamhaus saying that Velcom itself
>> are the N.A. branch of Ukrainian cybercrime spammers or that the
>> spammers are using Velcom's services.
>
> That means that you're sharing an IP range with some undesirables. 
> Get a new ISP ASAP, and be sure to let them know why you're leaving.
It's a pity, up until now they have been very good.
As I said before have to start looking for a new ISP which is a pain!



Re: having a problem - isp has been black listed in SBL just a test of a work around!

2009-01-12 Thread Jim Wright

On Jan 12, 2009, at 10:11 PM, postmas...@klam.ca wrote:

I am not quite sure what that means. My ISP is Velcom's and all of  
their ips have been blocked, so is Spamhaus saying that Velcom  
itself are the N.A. branch of Ukrainian cybercrime spammers or that  
the spammers are using Velcom's services.


That means that you're sharing an IP range with some undesirables.   
Get a new ISP ASAP, and be sure to let them know why you're leaving.


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Jim Wright
David, you've sent so many messages and replies that quoting anything  
at this point is just wasting bandwidth.  I'm going to jump in with a  
few notes on what I've read here:


First, you are fixating on the wrong problem.  If you have bounces  
that are queued up, this is because you are accepting mail that you  
cannot deliver.  THAT is the problem that needs to be fixed.  Bounces  
are bad if you are generating them AFTER you have accepted email.   
Reject such mails as they are being sent to your server.  The postfix  
docs are your friend, read up on this.


You implied that you have postmaster/webmaster accounts but that these  
are not accepting mail?  This is wrong, these addresses should be  
reachable for legitimate email.  Tackle this issue after you've fixed  
the above.  At one point you indicated that these are being sent from  
users on your domain, more likely these are spoofed addresses, you  
need to use some method to authenticate users before they can send,  
accept certain IP ranges, local networks, authenticated SMTP users,  
etc.  Everyone else should be blocked from sending.


You claimed that the bounces are for mails that you never sent, and  
were forged.  Is your system an open relay?  Is it accepting mail from  
systems that it shouldn't be?  You will want to take a look at who is  
using your mail server, and only authorized users/systems are able to  
send mail via your mail server.



Tackle these issues, concentrate on one issue at a time.  Review the  
logs of mail as it arrives at your server, test repeatedly.  Out of  
the box, postfix is incredibly stable and secure, but with the wrong  
settings this can be undone.  Finally, if you still need help, run the  
command 'postconf -n', and post the output unfiltered to the list.   
That will tell what non-standard settings you are using, which will  
likely shed clues to why you are having problems.


Re: having a problem - isp has been black listed in SBL just a test of a work around!

2009-01-12 Thread postmas...@klam.ca
Res wrote:
> On Mon, 12 Jan 2009, postmas...@klam.ca wrote:
>
>> ignore this message
>
> 206.53.50.0/24 is listed on the Spamhaus Block List (SBL)
>07-Jan-2009 12:37 GMT | SR04
>N. American base of Ukrainian cybercrime spammers
>
>>
>
> I'd say kinda justified blocking too :)
>
>
I am not quite sure what that means. My ISP is Velcom's and all of their
ips have been blocked, so is Spamhaus saying that Velcom itself are the
N.A. branch of Ukrainian cybercrime spammers or that the spammers are
using Velcom's services.

Started to look for another ISP!


having a problem - isp has been black listed in SBL just a test of a work around!

2009-01-12 Thread postmas...@klam.ca
ignore this message


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 13:02, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:

Received: from server.engineering.idb (unknown [127.0.0.1])
by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
for ; Sun, 11 Jan 2009 23:43:36 +

...

THIS WAS MAIL FOR webmas...@aus-city.com.


The postmaster address on every domain exists but does not accept mail
it will bounce.


This was mail for WEBMASTER, now being returned to the sender.

If you have a non-functional postmaster address, that is sufficient
grounds for getting your entire domains blacklisted.

   Wietse


Wietse,

I do appreciate the help but feel I am stuck in a catch 22.

Firstly I am no expert in configuring postfix I just know enough to  
get by.


Is there anything in those examples that stands out as fake I can  
screen in someway - the header_checks of which I have no idea how to  
use, I don't want to experiment with rules that will trash real emails  
it's a production server.


Are bounce emails filtered the same as all target addresses? If not  
how can you apply same rules?


Failing that as then it looks impossible to fix so is there a command  
in postfix to selectively delete queued emails from bounce?I  can have  
cron do this.


Or can I force spamassassin as no doubt it will delete them as Viagra  
and such crap in the body is killed off immediately.


It still confuses me why qmail does not do this, I never saw these so  
they were being filtered out / deleted. All I can think is all mail  
incoming is piped through spamassassin?


Also I am not alone other plesk users that swapped to postfix now have  
the same issue 'spam bounce emails'. Postfix is a new option in plesk  
now.


Thanks!



Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Wietse Venema
David Cottle:
> >> Received: from server.engineering.idb (unknown [127.0.0.1])
> >>  by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
> >>  for ; Sun, 11 Jan 2009 23:43:36 +
...
> > THIS WAS MAIL FOR webmas...@aus-city.com.
> 
> The postmaster address on every domain exists but does not accept mail  
> it will bounce.

This was mail for WEBMASTER, now being returned to the sender.

If you have a non-functional postmaster address, that is sufficient
grounds for getting your entire domains blacklisted.

Wietse


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 12:07, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:


On 13/01/2009, at 11:44, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:
On 13/01/2009, at 10:13, wie...@porcupine.org (Wietse Venema) wrote:



David Cottle:

Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from server.engineering.idb (unknown [127.0.0.1])
 by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
 for ; Sun, 11 Jan 2009 23:43:36 +
(UTC)
Received-SPF: none (no valid SPF record)
Received: from hosting.mgapi.edu (unknown [82.179.217.2])
 by server.engineering.idb (Postfix) with SMTP
 for ; Sun, 11 Jan 2009 23:43:35 +
(UTC)
Received: from dpkpyv (181.138.153.218)
 by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300

..

Hi Wietse,

Sorry I am now totally confused as webmas...@aus-city.com is not
invalid it's this address!


If webmas...@aus-city.com is valid, then the problem is that
your own system is returning mail for webmas...@aus-city.com
as undeliverable.

That problem has NOTHING to do with spam.

  Wietse


Hi Wietse,

Sorry that is incorrect I am not sending out Viagra emails. I look at


THIS WAS MAIL FOR webmas...@aus-city.com.

IT IS NOW BEING RETURNED AS UNDELIVERABLE.

THIS MESSAGE DOES NOT HAVE YOU AS THE SENDER.

   Wietse


Wietse,

Hang on idea.

All the tags I sent you said postmaster right?

The postmaster address on every domain exists but does not accept mail  
it will bounce.


So is this generating these undeliverable bounces?

Can you set an address to accept mail but blackhole it into /dev/null?

Or can I turn off bounce emails only for postmaster and any other  
addresses that exist but don't accept mail?


Thanks!


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Wietse Venema
David Cottle:
> 
> On 13/01/2009, at 11:44, wie...@porcupine.org (Wietse Venema) wrote:
> 
> > David Cottle:
> >> On 13/01/2009, at 10:13, wie...@porcupine.org (Wietse Venema) wrote:
> >>
> >>> David Cottle:
>  Content-Description: Undelivered Message
>  Content-Type: message/rfc822
>  Content-Transfer-Encoding: 8bit
> 
>  Received: from server.engineering.idb (unknown [127.0.0.1])
>    by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
>    for ; Sun, 11 Jan 2009 23:43:36 +
>  (UTC)
>  Received-SPF: none (no valid SPF record)
>  Received: from hosting.mgapi.edu (unknown [82.179.217.2])
>    by server.engineering.idb (Postfix) with SMTP
>    for ; Sun, 11 Jan 2009 23:43:35 +
>  (UTC)
>  Received: from dpkpyv (181.138.153.218)
>    by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300
> > ..
> >> Hi Wietse,
> >>
> >> Sorry I am now totally confused as webmas...@aus-city.com is not
> >> invalid it's this address!
> >
> > If webmas...@aus-city.com is valid, then the problem is that
> > your own system is returning mail for webmas...@aus-city.com
> > as undeliverable.
> >
> > That problem has NOTHING to do with spam.
> >
> >Wietse
> 
> Hi Wietse,
> 
> Sorry that is incorrect I am not sending out Viagra emails. I look at  

THIS WAS MAIL FOR webmas...@aus-city.com.

IT IS NOW BEING RETURNED AS UNDELIVERABLE.

THIS MESSAGE DOES NOT HAVE YOU AS THE SENDER. 

Wietse


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 11:35, Res  wrote:


On Tue, 13 Jan 2009, David Cottle wrote:

If I understand some spammer uses valid email addresses on my  
server and sends them via another server. They bounce as the  
addresses they spamming are invalid or fail for what ever reason.


SPF

--
Res

"All we need, is just a little patience"  -- William Bruce (Axl) Rose


Hi Res,

I already have strict SPF policy and records that strictly specify  
valid sender servers.


Also on incoming I already run the highest level delete mail that SPF  
records do not resolve to pass.





Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 11:44, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:

On 13/01/2009, at 10:13, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:

Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from server.engineering.idb (unknown [127.0.0.1])
  by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
  for ; Sun, 11 Jan 2009 23:43:36 +
(UTC)
Received-SPF: none (no valid SPF record)
Received: from hosting.mgapi.edu (unknown [82.179.217.2])
  by server.engineering.idb (Postfix) with SMTP
  for ; Sun, 11 Jan 2009 23:43:35 +
(UTC)
Received: from dpkpyv (181.138.153.218)
  by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300

..

Hi Wietse,

Sorry I am now totally confused as webmas...@aus-city.com is not
invalid it's this address!


If webmas...@aus-city.com is valid, then the problem is that
your own system is returning mail for webmas...@aus-city.com
as undeliverable.

That problem has NOTHING to do with spam.

   Wietse


Hi Wietse,

Sorry that is incorrect I am not sending out Viagra emails. I look at  
all these bounces and I did not send one of these single emails. My  
SMTP is closed and not an open relay either.


Now you see my questions I am perplexed at how to stop these. Qmail  
somehow dealt with these I never saw them in queue. But I believe  
postfix is a better program!


So they are indeed spam bounces.

Also how many could be being sent out that do get delivered?

But as I also said all these bounces i see they are stuck in queue as  
they are not deliverable.


So can rules like you use for someone sending out an email on the  
server as a user be applied to postmaster of bounces?


Simply test the recipients if invalid reject and it's resolved so  
filer bounces.


Else can a postfix command be issued to delete only undeliverable  
bounces only from mailerdaemon at my server in the queue? I can run  
this by cron.


It seems crazy for me to log in daily into plesk, tick all these in  
the mail queue and delete them manually.


Thanks!


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Wietse Venema
David Cottle:
> On 13/01/2009, at 10:13, wie...@porcupine.org (Wietse Venema) wrote:
> 
> > David Cottle:
> >> Content-Description: Undelivered Message
> >> Content-Type: message/rfc822
> >> Content-Transfer-Encoding: 8bit
> >>
> >> Received: from server.engineering.idb (unknown [127.0.0.1])
> >>by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
> >>for ; Sun, 11 Jan 2009 23:43:36 +  
> >> (UTC)
> >> Received-SPF: none (no valid SPF record)
> >> Received: from hosting.mgapi.edu (unknown [82.179.217.2])
> >>by server.engineering.idb (Postfix) with SMTP
> >>for ; Sun, 11 Jan 2009 23:43:35 +  
> >> (UTC)
> >> Received: from dpkpyv (181.138.153.218)
> >>by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300
..
> Hi Wietse,
> 
> Sorry I am now totally confused as webmas...@aus-city.com is not  
> invalid it's this address!

If webmas...@aus-city.com is valid, then the problem is that 
your own system is returning mail for webmas...@aus-city.com
as undeliverable.

That problem has NOTHING to do with spam.

Wietse


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle

On 13/01/2009, at 10:13, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:

Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from server.engineering.idb (unknown [127.0.0.1])
   by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
   for ; Sun, 11 Jan 2009 23:43:36 +  
(UTC)

Received-SPF: none (no valid SPF record)
Received: from hosting.mgapi.edu (unknown [82.179.217.2])
   by server.engineering.idb (Postfix) with SMTP
   for ; Sun, 11 Jan 2009 23:43:35 +  
(UTC)

Received: from dpkpyv (181.138.153.218)
   by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300


This is your problem. If webmas...@aus-city.com is invalid,
then hosting.mgapi.edu MUST NOT ACCEPT MAIL FOR THAT RECIPIENT.

To learn more about blocking invalid recipients on an inbound
transit mail server, see the archives, as this is discussed here
about every other week.

See also:

http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/postconf.5.html#relay_domains

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

   Wietse


Hi Wietse,

Sorry I am now totally confused as webmas...@aus-city.com is not  
invalid it's this address! I already reject invalid addresses on my  
server I do not cache all @domain.


These bounces are not email I sent they are forgeries using my address  
and the other example gib...@gibgib.com is also a real address.


Can filtering be applied to delete these spam bounces?

If I understand some spammer uses valid email addresses on my server  
and sends them via another server. They bounce as the addresses they  
spamming are invalid or fail for what ever reason.


As supposedly valid users on the domain sent them they come in as mail  
bounces to the postmas...@my domains.


This is what is happening?

I swapped mail program from qmail to postfix the other week. Since  
then I am getting 50 of these bounces where I did not get them before  
(I use plesk) a day.


I read and read the postfix documentation hence my asking for help.

So far by rejecting invalid users I cut back to 10 per day, but I can  
not figure out how to stop these :(


Thanks!





Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Victor Duchovni
On Mon, Jan 12, 2009 at 06:13:52PM -0500, Wietse Venema wrote:

> David Cottle:
> > Content-Description: Undelivered Message
> > Content-Type: message/rfc822
> > Content-Transfer-Encoding: 8bit
> > 
> > Received: from server.engineering.idb (unknown [127.0.0.1])
> > by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
> > for ; Sun, 11 Jan 2009 23:43:36 + (UTC)
> > Received-SPF: none (no valid SPF record)
> > Received: from hosting.mgapi.edu (unknown [82.179.217.2])
> > by server.engineering.idb (Postfix) with SMTP
> > for ; Sun, 11 Jan 2009 23:43:35 + (UTC)
> > Received: from dpkpyv (181.138.153.218)
> > by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300
> 

Interestingly, the 181.0.0.0/8 Network is IANA reserved:

OrgName:Internet Assigned Numbers Authority
OrgID:  IANA
Address:4676 Admiralty Way, Suite 330
City:   Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:US

NetRange:   181.0.0.0 - 181.255.255.255
CIDR:   181.0.0.0/8
NetName:NET181
NetHandle:  NET-181-0-0-0-0
Parent:
NetType:IANA Reserved
Comment:
RegDate:1993-05-01
Updated:2003-04-06

I wonder how hosting.mgapi.edu managed to receive connections from the
181.138.153.218 address.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Question about particular Relay configuration

2009-01-12 Thread mouss
Giovanni Mancuso wrote:
> Hi to all,
> I have a question about a particular Postfix configuration.
> In my test machine, I try to create a particular environment. I have one
> Postfix instance that binds to 0.0.0.0:25 and in this Postfix instance I
> use relay_domains and relay_transport to redirect all mail from one
> domain to another Postfix instance that binds to localhost:2525.
> For example:
> 
> relay_domains = example.com
> relay_transport = smtp:localhost:2525
> 
> The second instance is used to manage the users and other particular
> conditions, and in my configuration I would like this instance to be separate
> from my first instance.
> 
> Now it works very well, but there is a problem.
> If my second Postfix instance (localhost:2525) returns, for example, Error
> 554 or Error 551 after the "rcpt to" command, my first Postfix instance
> sends the bounce notification. This isn't very good because I could
> be attacked by spammers.
> 
> My question specifically is: "Can I configure my first instance to proxy
> all SMTP communication only for one domain?"
> 
> Else, in your view, is there another way to configure my environment?
> 

you can use reject_unverified_recipient, called from a
check_recipient_access.

but it's better to do recipient validation on the first instance,
without querying the second one.


> Thanks to all and sorry for my bad English ;-)



Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Wietse Venema
David Cottle:
> Content-Description: Undelivered Message
> Content-Type: message/rfc822
> Content-Transfer-Encoding: 8bit
> 
> Received: from server.engineering.idb (unknown [127.0.0.1])
> by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
> for ; Sun, 11 Jan 2009 23:43:36 + (UTC)
> Received-SPF: none (no valid SPF record)
> Received: from hosting.mgapi.edu (unknown [82.179.217.2])
> by server.engineering.idb (Postfix) with SMTP
> for ; Sun, 11 Jan 2009 23:43:35 + (UTC)
> Received: from dpkpyv (181.138.153.218)
> by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300

This is your problem. If webmas...@aus-city.com is invalid,
then hosting.mgapi.edu MUST NOT ACCEPT MAIL FOR THAT RECIPIENT.

To learn more about blocking invalid recipients on an inbound
transit mail server, see the archives, as this is discussed here
about every other week.

See also:

http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/postconf.5.html#relay_domains

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Wietse


Question about particular Relay configuration

2009-01-12 Thread Giovanni Mancuso
Hi to all,
I have a question about a particular Postfix configuration.
In my test machine, I try to create a particular environment. I have one
Postfix instance that binds to 0.0.0.0:25 and in this Postfix instance I
use relay_domains and relay_transport to redirect all mail from one
domain to another Postfix instance that binds to localhost:2525.
For example:

relay_domains = example.com
relay_transport = smtp:localhost:2525

The second instance is used to manage the users and other particular
conditions, and in my configuration I would like this instance to be separate
from my first instance.

Now it works very well, but there is a problem.
If my second Postfix instance (localhost:2525) returns, for example, Error
554 or Error 551 after the "rcpt to" command, my first Postfix instance
sends the bounce notification. This isn't very good because I could
be attacked by spammers.

My question specifically is: "Can I configure my first instance to proxy
all SMTP communication only for one domain?"

Else, in your view, is there another way to configure my environment?

Thanks to all and sorry for my bad English ;-)


Re: Having problem with SMTP AUTH

2009-01-12 Thread mouss
postmas...@klam.ca wrote:
> This may be a duplicate request, if so sorry but it's been a bad day so 
> far!
> I don't seem to be able to get SMTP Auth to work. I have read the Postfix 
> howtos, and several other people's howtos, and nothing I do seems to work.
> 
> If I telnet into my mail server I get the following output:
> 220 mail.mumble.ca ESMTP
> EHLO example.com
> 250-mail.klam.ca
> 250-PIPELINING
> 250-SIZE 32768000
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
> I believe that I should see 250-AUTH/250-AUTH=, but as you can see nothing! 

http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

you can use openssl client to see the EHLO response after a starttls.

> [snip]
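The check suggested in the reply above (compare the EHLO response before and after STARTTLS), as an added example that is not part of the original thread. The plaintext reply is the transcript quoted in the question; the post-TLS reply, the helper names and the verdict strings are constructed for illustration.

```python
import re
import smtplib
import ssl

# EHLO reply on the plaintext connection, as quoted in the question.
PAGE_PLAIN_EHLO = [
    "220 mail.mumble.ca ESMTP",
    "EHLO example.com",
    "250-mail.klam.ca",
    "250-PIPELINING",
    "250-SIZE 32768000",
    "250-ETRN",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]

# Constructed reply to a second EHLO sent inside the TLS session. With
# broken_sasl_auth_clients = yes Postfix also emits the "AUTH=" form.
CONSTRUCTED_TLS_EHLO = [
    "250-mail.klam.ca",
    "250-PIPELINING",
    "250-SIZE 32768000",
    "250-ETRN",
    "250-AUTH PLAIN LOGIN",
    "250-AUTH=PLAIN LOGIN",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]


def ehlo_extensions(reply_lines):
    """Map each advertised ESMTP keyword to its arguments.

    Only 250 lines are considered; the first one is the server name,
    not an extension.
    """
    body = [line for line in reply_lines if line.startswith("250")]
    extensions = {}
    for line in body[1:]:
        parts = re.split(r"[ =]", line[4:].strip(), maxsplit=1)
        extensions[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return extensions


def diagnose_auth(plain_reply, tls_reply=None):
    """Classify where AUTH is offered, given one or two EHLO replies."""
    plain = ehlo_extensions(plain_reply)
    if "AUTH" in plain:
        return "auth-in-cleartext"
    if "STARTTLS" not in plain:
        return "no-auth-no-starttls"
    if tls_reply is None:
        return "needs-tls-check"      # AUTH may simply be hidden until TLS
    if "AUTH" in ehlo_extensions(tls_reply):
        return "auth-after-starttls-only"   # matches smtpd_tls_auth_only = yes
    return "auth-missing-inside-tls"        # look at smtpd_sasl_* and the logs


def probe(host, port=25, helo="client.example.org"):
    """Live version of the same comparison against a server you operate.

    Returns (auth_before_tls, auth_after_tls); the second value is None
    when STARTTLS is not offered. The default context verifies the
    certificate, so a self-signed test server needs its CA loaded first.
    """
    with smtplib.SMTP(host, port, timeout=15) as conn:
        conn.ehlo(helo)
        before = conn.has_extn("auth")
        if not conn.has_extn("starttls"):
            return before, None
        conn.starttls(context=ssl.create_default_context())
        conn.ehlo(helo)               # capabilities must be re-read after TLS
        return before, conn.has_extn("auth")


if __name__ == "__main__":
    print(diagnose_auth(PAGE_PLAIN_EHLO))
    print(diagnose_auth(PAGE_PLAIN_EHLO, CONSTRUCTED_TLS_EHLO))
```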


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread mouss
David Cottle wrote:
> Magnus Bäck wrote:
>> On Monday, January 12, 2009 at 22:19 CET,
>>  David Cottle  wrote:
> 
>>> The messages are all faked spam supposedly sent from mail addresses
>>> that are valid off the server domains. So therefore non valid
>>> addresses are being rejected.  So how can these be dealt with they all
>>> look genuine in the headers.  My domains all run strict SPF policy
>>> with reject mail when SPF does not resolve to pass, but as these are
>>> bounce emails the servers of course have no SPF records therefore
>>> don't get skimmed off.
>> Please follow the instructions and post logs showing how these messages
>> enter your system. Had the messages been rejected they would not have
>> ended up in your queue. They are instead bounced, and you haven't
>> provided us with any details about why this happens. Therefore we cannot
>> suggest any course of action without resorting to guessing.
> 
> Thanks all, I just can't figure out why they get bounced, so I attach
> here..  I will only attach two:
> 

Please take the time to understand what others have tried to tell you.
the answer to your problem is in postfix logs, not in the bounces, nor
in the mailq.


1- find out where are postfix logs. they may be in /var/log/maillog or
/var/log/mail.log or another file (the location is specified in
/etc/syslog.conf if you use the "standard" syslog)

2- search for a message that arrived _for_ webmas...@aus-city.com (not a
bounce).

3- show the logs for this message from the time it gets into postfix
until it causes an error. the first log line here should contain
"postfix/smtpd" or "postfix/pickup".

if webmas...@aus-city.com is not a valid user, then remove it from your
address lists and from alias (and virtual_aliases). BTW, don't put
$virtual_* in local_recipient_maps.


> [snip]
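The three log-reading steps above, as an added example that is not part of the original thread: it groups Postfix syslog lines by queue ID and keeps only messages for a given recipient whose first log line comes from postfix/smtpd or postfix/pickup, which excludes locally generated bounces. The log lines, queue IDs, hosts and addresses are constructed, and the pattern assumes the short hexadecimal queue ID format.

```python
import re
from collections import OrderedDict

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
Jan 12 10:43:35 mx postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Jan 12 10:43:35 mx postfix/smtpd[4101]: 4F1A2B3C4D: client=unknown[192.0.2.10]
Jan 12 10:43:36 mx postfix/cleanup[4105]: 4F1A2B3C4D: message-id=<constructed.1@example.net>
Jan 12 10:43:36 mx postfix/qmgr[977]: 4F1A2B3C4D: from=<forged@example.net>, size=2826, nrcpt=1 (queue active)
Jan 12 10:43:36 mx postfix/smtpd[4101]: disconnect from unknown[192.0.2.10]
Jan 12 10:43:42 mx postfix/pipe[4110]: 4F1A2B3C4D: to=<webmaster@example.com>, relay=filter, delay=6.2, dsn=5.1.3, status=bounced (Invalid destination status)
Jan 12 10:43:42 mx postfix/cleanup[4105]: 9E8D7C6B5A: message-id=<constructed.2@mx.example.com>
Jan 12 10:43:42 mx postfix/bounce[4111]: 4F1A2B3C4D: sender non-delivery notification: 9E8D7C6B5A
Jan 12 10:43:42 mx postfix/qmgr[977]: 9E8D7C6B5A: from=<>, size=3039, nrcpt=1 (queue active)
Jan 12 10:43:42 mx postfix/qmgr[977]: 4F1A2B3C4D: removed
Jan 12 10:43:50 mx postfix/smtp[4120]: 9E8D7C6B5A: to=<forged@example.net>, relay=none, delay=8, dsn=4.4.1, status=deferred (connect to example.net[198.51.100.7]:25: Connection timed out)
"""

# timestamp, host, postfix/<daemon>[pid]:, queue ID, rest of the line
LINE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/([\w-]+)\[\d+\]:\s"
    r"([0-9A-F]{8,}):\s(.*)$"
)
STATUS = re.compile(r"status=(\w+) \((.*)\)$")


def group_by_queue_id(log_text):
    """Return {queue_id: [(timestamp, daemon, detail), ...]} in log order."""
    messages = OrderedDict()
    for line in log_text.splitlines():
        match = LINE.match(line)
        if match:                      # connect/disconnect lines carry no queue ID
            stamp, daemon, queue_id, detail = match.groups()
            messages.setdefault(queue_id, []).append((stamp, daemon, detail))
    return messages


def trace_recipient(log_text, recipient):
    """Trace messages addressed to `recipient` that entered from outside.

    A message whose first logged line is not from smtpd or pickup was
    created by Postfix itself (for example a bounce) and is skipped.
    """
    needle = "to=<%s>" % recipient.lower()
    traces = []
    for queue_id, events in group_by_queue_id(log_text).items():
        if not any(needle in detail.lower() for _, _, detail in events):
            continue
        entry = events[0][1]
        if entry not in ("smtpd", "pickup"):
            continue
        trace = {"queue_id": queue_id, "entry": entry, "client": None,
                 "sender": None, "deliveries": [], "events": events}
        for _, _, detail in events:
            if detail.startswith("client="):
                trace["client"] = detail[len("client="):].split(",")[0]
            elif detail.startswith("from=<"):
                trace["sender"] = detail[len("from=<"):detail.index(">")]
            status = STATUS.search(detail)
            if status:
                trace["deliveries"].append(status.groups())
        traces.append(trace)
    return traces


if __name__ == "__main__":
    for trace in trace_recipient(SAMPLE_LOG, "webmaster@example.com"):
        print(trace["queue_id"], trace["entry"], trace["client"], trace["sender"])
        for stamp, daemon, detail in trace["events"]:
            print("  ", stamp, daemon, detail)
```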


Re: Having problem with SMTP AUTH

2009-01-12 Thread Kenneth Marshall
You need to turn on TLS to encrypt your connection and ask again.

Cheers,
Ken

On Mon, Jan 12, 2009 at 05:21:13PM -0500, postmas...@klam.ca wrote:
> This may be a duplicate request, if so sorry but it's been a bad day so 
> far!
> I don't seem to be able to get SMTP Auth to work. I have read the Postfix 
> howtos, and several other people's howtos, and nothing I do seems to work.
> 
> If I telnet into my mail server I get the following output:
> 220 mail.mumble.ca ESMTP
> EHLO example.com
> 250-mail.klam.ca
> 250-PIPELINING
> 250-SIZE 32768000
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
> I believe that I should see 250-AUTH/250-AUTH=, but as you can see nothing! 
> My first thought was that as I am coming in from my own network I was 
> considered to be a "friendly" so I removed the local network from the 
> mynetworks parameter. Made no difference. 
> I turned off Dovecot authentication and went with a straight Postfix/SASL, 
> again no difference.
> As far as I can tell everything in main.cf (see postconf -n below) looks to 
> be OK, just it does not work.
> There does not appear to be anything in the maillog, but I am seeing this in 
> the message log "... auxpropfunc error invalid parameter supplied" 
> What am I doing wrong? What am I too dumb to see?
>  
> Help would be appreciated
> TIA
> John A
> KLaM
> 
> 
> 
> alias_database = $alias_maps
> alias_maps = hash:/etc/aliases
> allow_untrusted_routing = no
> biff = no
> body_checks = regexp:/etc/postfix/maps/body_checks
> bounce_size_limit = 65536
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> default_privs = nobody
> default_process_limit = 20
> delay_warning_time = 12
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/maps/header_checks
> header_size_limit = 32768
> home_mailbox = Maildir/
> html_directory = no
> in_flow_delay = 1s
> inet_protocols = all
> local_destination_concurrency_limit = 5
> mail_owner = postfix
> mailbox_command = /usr/libexec/dovecot/deliver
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 32768000
> mydestination = localhost, localhost.localdomain, localdomain
> mydomain = mumble.ca
> myhostname = mail.$mydomain
> mynetworks = 127.0.0.0/8 #, 192.168.10.0/26
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> proxy_interfaces = 206.53.50.206
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
> recipient_delimiter = +
> relay_domains = 
> relayhost = 
> relocated_maps = hash:/etc/postfix/maps/relocated
> sample_directory = /usr/share/doc/postfix-2.5.5/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP
> smtpd_delay_reject = no
> smtpd_error_sleep_time = 5s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_recipient_limit = 128
> smtpd_recipient_restrictions = reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   permit_mynetworks, 
> permit_sasl_authenticated,
>   reject_unauth_destination,
>   reject_unlisted_recipient,
>   reject_unlisted_sender,
>   check_client_access hash:/etc/postfix/maps/client_access,
>   reject_unknown_client_hostname,
>   reject_rbl_client zen.spamhaus.org,
>   reject_rbl_client bl.spamcop.net,
>   reject_invalid_helo_hostname,
>   reject_non_fqdn_helo_hostname,
>   check_helo_access pcre:/etc/postfix/maps/helo_checks,
>   check_helo_access pcre:/etc/postfix/maps/helo_access,
>   reject_unknown_helo_hostname,
>   check_recipient_access hash:/etc/postfix/maps/recipient_access
>   reject_unknown_sender_domain,
>   check_policy_service unix:postgrey/socket,
>   permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_soft_error_limit = 10
> smtpd_tls_CAfile = /etc/pki/CA/sub.class2.server.ca.crt
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/tls/certs/klam.crt
> smtpd_tls_key_file = /etc/pki/tls/private/klam.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> strict_rfc821_envelopes = yes
> tls_random_source = dev:/dev/urandom
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 550
> unknown_virtual_alias_reject_code = 550
> unknown_virtual_mailbox_reject_c

Re: Problem with 'Mail server host name in greeting' assistance

2009-01-12 Thread Noel Jones

David Cottle wrote:


One last issue I have is each domain has its own static IP address.
Naturally postfix answers on the main gateway address.

My domains all violate RFC821
 4.3 (and RFC2821
 4.3.1)

|mail.aus-city.com claims to be non-existent host
server.engineering.idb:  220 *server.engineering.idb* ESMTP
Postfix |

I tackled this using smtpd_banner as my server's hostname is not a
valid 'internet domain name':

smtpd_banner = gateway.aus-city.com ESMTP $mail_name


Your MX record, the A record for the MX, the rDNS for that IP, 
and the hostname should all match.


Yours are all over the place.



|mail.aus-city.com claims to be host gateway.aus-city.com [but that
host is at 202.129.79.106 (may be cached), not 203.206.129.129]. |

Being creative is there any way you can do something clever like:

smtpd_banner = $mydomain ESMTP $mail_name

So it would respond that the same address as what the request is?  


That would be a really cool trick considering that the SMTP 
protocol requires the 220 greeting be sent before it knows who 
the mail is for.  No, not possible.




I
can't set mail.aus-city.com as then this domain passes, but the other
27 fail.  I tried this but it fails:

|mail.aus-city.com claims to be non-existent host engineering.idb:  220 *engineering.idb* ESMTP Postfix 

|There must be a way to set this up?


Pick *one* IP and *one* hostname to be the MX for *all* your 
hosted domains.  The MX hostname does *not* need to match the 
hosted domain.


Your DNS/rDNS/MX/hostname is inconsistent.  Fix the 
inconsistencies and all your domains should pass whatever 
tests you want to run.


If you want to give each hosted domain the appearance of 
having its own mail server with customized hostname matching 
the domain name, you will need to run multiple postfix 
instances.  This is a lot of extra work, and is not necessary 
for proper mail operation.


--
Noel Jones


Re: Having problem with SMTP AUTH

2009-01-12 Thread postmas...@klam.ca
you can tell it's been a bad day when I can't even edit my own files
properly!

mumble <-> klam


Having problem with SMTP AUTH

2009-01-12 Thread postmas...@klam.ca
This may be a duplicate request, if so sorry but it's been a bad day so far!
I don't seem to be able to get SMTP Auth to work. I have read the Postfix 
howtos, and several other people's howtos, and nothing I do seems to work.

If I telnet into my mail server I get the following output:
220 mail.mumble.ca ESMTP
EHLO example.com
250-mail.klam.ca
250-PIPELINING
250-SIZE 32768000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I believe that I should see 250-AUTH/250-AUTH=, but as you can see nothing! 
My first thought was that as I am coming in from my own network I was 
considered to be a "friendly" so I removed the local network from the 
mynetworks parameter. Made no difference. 
I turned off Dovecot authentication and went with a straight Postfix/SASL, 
again no difference.
As far as I can tell everything in main.cf (see postconf -n below) looks to be 
OK, just it does not work.
There does not appear to be anything in the maillog, but I am seeing this in the 
message log "... auxpropfunc error invalid parameter supplied" 
What am I doing wrong? What am I too dumb to see?
 
Help would be appreciated
TIA
John A
KLaM



alias_database = $alias_maps
alias_maps = hash:/etc/aliases
allow_untrusted_routing = no
biff = no
body_checks = regexp:/etc/postfix/maps/body_checks
bounce_size_limit = 65536
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_privs = nobody
default_process_limit = 20
delay_warning_time = 12
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/maps/header_checks
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = no
in_flow_delay = 1s
inet_protocols = all
local_destination_concurrency_limit = 5
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 32768000
mydestination = localhost, localhost.localdomain, localdomain
mydomain = mumble.ca
myhostname = mail.$mydomain
mynetworks = 127.0.0.0/8 #, 192.168.10.0/26
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 206.53.50.206
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
recipient_delimiter = +
relay_domains = 
relayhost = 
relocated_maps = hash:/etc/postfix/maps/relocated
sample_directory = /usr/share/doc/postfix-2.5.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = no
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_mynetworks, 
permit_sasl_authenticated,
reject_unauth_destination,
reject_unlisted_recipient,
reject_unlisted_sender,
check_client_access hash:/etc/postfix/maps/client_access,
reject_unknown_client_hostname,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
check_helo_access pcre:/etc/postfix/maps/helo_checks,
check_helo_access pcre:/etc/postfix/maps/helo_access,
reject_unknown_helo_hostname,
check_recipient_access hash:/etc/postfix/maps/recipient_access
reject_unknown_sender_domain,
check_policy_service unix:postgrey/socket,
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/pki/CA/sub.class2.server.ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/klam.crt
smtpd_tls_key_file = /etc/pki/tls/private/klam.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/maps/valiases
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = /etc/postfix/maps/vdomains
virtual_mailbox_maps = hash:/etc/postfix/maps/vmailbox
virtual_minimum_uid = 100
virtual_transport = dovecot
virtual_uid_maps = static:5000



Zenoss Monitoring.

2009-01-12 Thread Linux Addict
Apologies if it's offlist. If anyone is using Zenoss to monitor Postfix, 
please reply only to me with whatever details you may have. Thank you 
very much in advance.


~LA


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle

Magnus Bäck wrote:
> On Monday, January 12, 2009 at 22:19 CET,
>  David Cottle  wrote:
>
>> The messages are all faked spam supposedly sent from mail addresses
>> that are valid off the server domains. So therefore non valid
>> addresses are being rejected.  So how can these be dealt with they all
>> look genuine in the headers.  My domains all run strict SPF policy
>> with reject mail when SPF does not resolve to pass, but as these are
>> bounce emails the servers of course have no SPF records therefore
>> don't get skimmed off.
>
> Please follow the instructions and post logs showing how these messages
> enter your system. Had the messages been rejected they would not have
> ended up in your queue. They are instead bounced, and you haven't
> provided us with any details about why this happens. Therefore we cannot
> suggest any course of action without resorting to guessing.
>
Thanks all, I just can't figure out why they get bounced, so I attach
here..  I will only attach two:

**ONE**

*** ENVELOPE RECORDS deferred/B/B831F13C003E ***
message_size:3039 213
1   03039
message_arrival_time: Mon Jan 12 10:43:42 2009
create_time: Mon Jan 12 10:43:42 2009
named_attribute: log_message_origin=local
named_attribute: trace_flags=0
sender:
original_recipient: donboe...@cfbnet.com
recipient: donboe...@cfbnet.com
*** MESSAGE CONTENTS deferred/B/B831F13C003E ***
Received: by server.engineering.idb (Postfix)
id B831F13C003E; Mon, 12 Jan 2009 10:43:42 +1100 (EST)
Date: Mon, 12 Jan 2009 10:43:42 +1100 (EST)
From: mailer-dae...@server.engineering.idb (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: donboe...@cfbnet.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="C3F5B13C002D.1231717422/server.engineering.idb"
Content-Transfer-Encoding: 8bit
Message-Id: <20090111234342.b831f13c0...@server.engineering.idb>

This is a MIME-encapsulated message.

- --C3F5B13C002D.1231717422/server.engineering.idb
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host server.engineering.idb.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

: Invalid destination status

- --C3F5B13C002D.1231717422/server.engineering.idb
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; server.engineering.idb
X-Postfix-Queue-ID: C3F5B13C002D
X-Postfix-Sender: rfc822; donboe...@cfbnet.com
Arrival-Date: Mon, 12 Jan 2009 10:43:36 +1100 (EST)

Final-Recipient: rfc822; webmas...@aus-city.com
Original-Recipient: rfc822;webmas...@aus-city.com
Action: failed
Status: 5.1.3
Diagnostic-Code: x-unix; Invalid destination status

- --C3F5B13C002D.1231717422/server.engineering.idb
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from server.engineering.idb (unknown [127.0.0.1])
by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
for ; Sun, 11 Jan 2009 23:43:36 + (UTC)
Received-SPF: none (no valid SPF record)
Received: from hosting.mgapi.edu (unknown [82.179.217.2])
by server.engineering.idb (Postfix) with SMTP
for ; Sun, 11 Jan 2009 23:43:35 + (UTC)
Received: from dpkpyv (181.138.153.218)
by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300
Date: Mon, 12 Jan 2009 02:43:44 +0300
From:  
X-Mailer: The Bat! (v2.01)
Reply-To:  
X-Priority: 3 (Normal)
Message-ID: <017606528.20080502031...@cfbnet.com>
To:  
Subject: =?iso-8859-5?B?QmUgYSB3aW5uZXIgaW4gYmVk?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="--F63EA71C6CF12E"

- F63EA71C6CF12E
Content-Type: text/html; charset=iso-8859-5
Content-Transfer-Encoding: 8bit

Our specil offer today NEW ONLINE PHARMACY STORE  http://agdavletovocypic.narod.ru";>HERE
- F63EA71C6CF12E--



- --C3F5B13C002D.1231717422/server.engineering.idb--
*** HEADER EXTRACTED deferred/B/B831F13C003E ***
named_attribute: encoding=8bit
*** MESSAGE FILE END deferred/B/B831F13C003E ***



**TWO**

*** ENVELOPE RECORDS deferred/2/202B613C007B ***
message_size:   17228 225
1   0   17228
message_arrival_time: Tue Jan 13 01:49:46 2009
create_time: Tue Jan 13 01:49:46 2009
named_attribute: log_message_origin=local
named_attribute: trace_flags=0
sender:
original_recipient: thaddeus8s...@autotown.com
recipient: thaddeus8s...@autotown.com
*** MESSAGE CONTENTS deferred/2/202B613C007B ***
Received: by gateway.aus-city.com (Postfix)
id 202B613C007B; Tue, 13 Jan 2009 01:49:46 +1100 (ES

Re: bad command startup --throttling

2009-01-12 Thread mouss
Nathan Huesken wrote:
> Hello,
> 
> I am trying to configure my postfix mail server using this guide:
> http://wiki.dovecot.org/HowTo/DovecotLDAPostfixAdminMySQL
> 
> So it is a mysql, dovecot, postfix, postfixadmin setup.
> 
> In my mail.warn, I get lots of messages like this:
> postfix/master[9506]: warning: /usr/lib/postfix/smtpd: bad command startup -- 
> throttling
>  

the "real" error is in other log lines. probably few lines before the
throttling line.

> (often with pipe or trivial-rewrite instead of smtpd).
> 
> At the same time, I get "Cannot allocate memory" in all types of contexts.
> The server has 256MB of ram and ~40MB free most of time. Should that be 
> enough?
> 



Problem with 'Mail server host name in greeting' assistance

2009-01-12 Thread David Cottle

One last issue I have is each domain has its own static IP address.
Naturally postfix answers on the main gateway address.

My domains all violate RFC821
 4.3 (and RFC2821
 4.3.1)

|mail.aus-city.com claims to be non-existent host
server.engineering.idb:  220 *server.engineering.idb* ESMTP
Postfix |

I tackled this using smtpd_banner as my server's hostname is not a
valid 'internet domain name':

smtpd_banner = gateway.aus-city.com ESMTP $mail_name

|mail.aus-city.com claims to be host gateway.aus-city.com [but that
host is at 202.129.79.106 (may be cached), not 203.206.129.129]. |

Being creative is there any way you can do something clever like:

smtpd_banner = $mydomain ESMTP $mail_name

So it would respond that the same address as what the request is?  I
can't set mail.aus-city.com as then this domain passes, but the other
27 fail.  I tried this but it fails:

|mail.aus-city.com claims to be non-existent host engineering.idb:  220 *engineering.idb* ESMTP Postfix 

|There must be a way to set this up?

Thanks!
|
|



Re: smtp_helo_name ignored

2009-01-12 Thread mouss
David Cottle wrote:
> 
> 
> Sent from my iPhone
> 
> On 12/01/2009, at 15:36, Sahil Tandon  wrote:
> 
>> On Mon, 12 Jan 2009, David Cottle wrote:
>>
>>> smtpd_banner = gateway.aus-city.com
>>>
>>> I want the helo to say that name. I assume I drop the hostname and what
>>> about the ESMTP?
>>
>> I think you may be confused about the HELO; the smtpd_banner is simply
>> what
>> follows the 220 when a client connects to your smtpd.  It is common
>> practice
>> for servers that support ESMTP to indicate this in their banner; no
>> harm in
>> leaving it there.  Although Postfix by default sends EHLO even if
>> ESMTP does
>> not appear in the banner, some other MTAs might need to see ESMTP to know
>> your server supports it.
>>
>> -- 
>> Sahil Tandon 
> 
> The top posting is what the iPhone does I tried manually forcing it to
> the bottom.
> 
> Okay I set myhostname = gateway.aus-city.com
> 
> Now it replies properly, but it still fails RFC, I get this now (it's
> better as at least now the name exists not an unknown server)
> 
> mail.aus-city.com claims to be host gateway.aus-city.com but that host
> is at 202.129.79.106 (may be cached) not 203.206.129.129
> 


smtp_helo_name = mail.aus-city.com

assuming, 203.206.129.129 is the "outgoing" IP.

if you have multiple "outgoing" IPs, just live with that. most people
won't check this (unless your server has a "bad" reputation that causes
additional/aggressive checks).


> There are 28 domains on the server all on individual IPs.
> 

when it comes to email, all domains can be served with one IP. so if
203.206.129.129 is the "outgoing" IP, use it for all these domains (for
smtp I mean).

the alternative is to run one postfix instance per IP/domain, but that's
a lot of work (and may be tricky).


> Any solution or live with it? I assume it's much better having a real
> name rather than a non existent one?
> 




Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-12 Thread Victor Duchovni
On Mon, Jan 12, 2009 at 01:25:38PM -0800, Jeff Weinberger wrote:

> reject_sender_login_mismatch checks the from address against
> smtpd_sender_login_maps to be sure that the MAIL FROM address is owned by
> the SASL-authenticated sender.
> 
> But with reject_unauthenticated_sender_login_mismatch, there is no
> SASL-authenticated sender.

This subsumes the functionality of both:

reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch

if the session is authenticated the first test is applied, otherwise
the second test is applied.

> http://www.postfix.com/postconf.5.html says that
> reject_unauthenticated_sender_login_mismatch  "Enforces the
> reject_sender_login_mismatch restriction for unauthenticated clients only"
> (and nothing more)
> 
> All of that to get to my question:
> 
> What does reject_unauthenticated_sender_login_mismatch check the MAIL FROM
> address against?

The smtpd_sender_login_maps table.

> Or does it just check the smtpd_sender_login_maps for a valid MAIL FROM
> address (regardless of ownership)?

s/valid//

If an address is found in the table, and the sender is not authenticated,
the message is rejected.

> (yes, I'm trying to figure out if using this in my
> smtpd_sender_restrictions would help and how it might do so)

If you are already using the combined restriction, there is no point
in adding either of the constituent building-block restrictions.

If you want to restrict your policy to either the authenticated, or the
unauthenticated case, then replace the combined restriction with the
appropriate more specific restriction.

-- 
Viktor.
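A small model of the three restrictions discussed in the reply above, as an added example that is not Postfix code and not part of the original thread. It follows the reply and the postconf(5) wording; the table contents, addresses and the simplified lookup (exact address, then @domain) are constructed assumptions.

```python
import re

REJECT = "REJECT"
DUNNO = "DUNNO"   # no decision; Postfix goes on to the next restriction

# Constructed stand-in for smtpd_sender_login_maps:
# MAIL FROM address (or @domain) -> SASL login name(s) that own it.
SENDER_LOGIN_MAPS = {
    "alice@example.com": "alice",
    "sales@example.com": "alice, bob",
    "@internal.example": "svc-mailer",
}


def owners(login_maps, mail_from):
    """Return the set of logins owning mail_from, empty if it is unlisted.

    Simplified lookup: the full address first, then the bare @domain key.
    """
    address = mail_from.lower()
    value = login_maps.get(address)
    if value is None and "@" in address:
        value = login_maps.get("@" + address.rsplit("@", 1)[1])
    return {name.lower() for name in re.split(r"[,\s]+", value or "") if name}


def reject_authenticated_sender_login_mismatch(login_maps, mail_from, sasl_login):
    """Applies only to authenticated sessions: the login must own MAIL FROM."""
    if sasl_login is None:
        return DUNNO
    # An unlisted address has no owner, so the login does not own it either.
    return DUNNO if sasl_login.lower() in owners(login_maps, mail_from) else REJECT


def reject_unauthenticated_sender_login_mismatch(login_maps, mail_from, sasl_login):
    """Applies only to unauthenticated sessions: a listed address is rejected."""
    if sasl_login is not None:
        return DUNNO
    return REJECT if owners(login_maps, mail_from) else DUNNO


def reject_sender_login_mismatch(login_maps, mail_from, sasl_login):
    """The combined restriction: pick the test that matches the session."""
    if sasl_login is not None:
        return reject_authenticated_sender_login_mismatch(
            login_maps, mail_from, sasl_login)
    return reject_unauthenticated_sender_login_mismatch(
        login_maps, mail_from, sasl_login)


def decision_table(login_maps):
    """Evaluate the combined restriction for a few constructed sessions."""
    cases = [
        ("alice@example.com", "alice"),      # owner, logged in
        ("alice@example.com", "bob"),        # logged in as someone else
        ("alice@example.com", None),         # listed address, no login
        ("sales@example.com", "bob"),        # shared address, co-owner
        ("stranger@example.net", None),      # unlisted, no login
        ("stranger@example.net", "alice"),   # unlisted, logged in
        ("cron@internal.example", None),     # matched by the @domain key
    ]
    return [(sender, login, reject_sender_login_mismatch(login_maps, sender, login))
            for sender, login in cases]


if __name__ == "__main__":
    for sender, login, verdict in decision_table(SENDER_LOGIN_MAPS):
        print("%-24s login=%-6s %s" % (sender, login, verdict))
```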



Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Noel Jones

David Cottle wrote:


Noel Jones wrote:

David Cottle wrote:

Hi Noel,

Thanks for your help!

I will firstly forward the postconf dump as requested.

I will have to forward as another message - will call it postconf
as I am on my iPhone.

At least you can firstly look at that and perhaps find it is
accepting during SMTP for undeliverable.

Many thanks!

David

Sent from my iPhone

Stop top posting - put your answers below the text you refer to.




Hi Noel,

The messages are all faked spam supposedly sent from mail addresses
that are valid off the server domains. So therefore non valid
addresses are being rejected.  So how can these be dealt with they all
look genuine in the headers.  My domains all run strict SPF policy
with reject mail when SPF does not resolve to pass, but as these are
bounce emails the servers of course have no SPF records therefore
don't get skimmed off.

Thanks!



Sorry, that description is far from clear...

As detailed earlier, use postcat to view some of the messages 
in the queue and examine your logs to find why your postfix is 
generating bounces.


If you're not sure how to interpret what you find or what to 
do about it, please post the evidence here.  Posting evidence 
is more likely to get useful suggestions than posting a 
conclusion with no evidence.


At this point I have no idea what you're trying to describe. 
Posting of evidence would be a great help.


You also would probably benefit from spending a few hours 
reading the list archives.  Very likely someone else has 
experienced your problem and found a solution.


Possibly this may help you:
http://www.postfix.org/BACKSCATTER_README.html

Good luck.

--
Noel Jones
Sent from my two year old lAptop


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Magnus Bäck
On Monday, January 12, 2009 at 22:19 CET,
 David Cottle  wrote:

> The messages are all faked spam supposedly sent from mail addresses
> that are valid off the server domains. So therefore non valid
> addresses are being rejected.  So how can these be dealt with they all
> look genuine in the headers.  My domains all run strict SPF policy
> with reject mail when SPF does not resolve to pass, but as these are
> bounce emails the servers of course have no SPF records therefore
> don't get skimmed off.

Please follow the instructions and post logs showing how these messages
enter your system. Had the messages been rejected they would not have
ended up in your queue. They are instead bounced, and you haven't
provided us with any details about why this happens. Therefore we cannot
suggest any course of action without resorting to guessing.

-- 
Magnus Bäck
mag...@dsek.lth.se


Question about reject_unauthenticated_sender_login_mismatch

2009-01-12 Thread Jeff Weinberger
Hi:

This question is just a request for information on this...

I currently use reject_sender_login_mismatch in my
smtpd_sender_restrictions as an added precaution against someone sending
undesirable mail.

I see that I can also use reject_unauthenticated_sender_login_mismatch, but
I don't understand how this would work.

reject_sender_login_mismatch checks the from address against
smtpd_sender_login_maps to be sure that the MAIL FROM address is owned by
the SASL-authenticated sender.

But with reject_unauthenticated_sender_login_mismatch, there is no
SASL-authenticated sender.

http://www.postfix.com/postconf.5.html says that
reject_unauthenticated_sender_login_mismatch  "Enforces the
reject_sender_login_mismatch restriction for unauthenticated clients only"
(and nothing more)

All of that to get to my question:

What does reject_unauthenticated_sender_login_mismatch check the MAIL FROM
address against?

Or does it just check the smtpd_sender_login_maps for a valid MAIL FROM
address (regardless of ownership)?

(yes, I'm trying to figure out if using this in my
smtpd_sender_restrictions would help and how it might do so)

Thank you!!

--Jeff





Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle

Noel Jones wrote:
> David Cottle wrote:
>> Hi Noel,
>>
>> Thanks for your help!
>>
>> I will firstly forward the postconf dump as requested.
>>
>> I will have to forward as another message - will call it postconf
>> as I am on my iPhone.
>>
>> At least you can firstly look at that and perhaps find it is
>> accepting during SMTP for undeliverable.
>>
>> Many thanks!
>>
>> David
>>
>> Sent from my iPhone
>
> Stop top posting - put your answers below the text you refer to.
>
>
>
Hi Noel,

The messages are all faked spam supposedly sent from mail addresses
that are valid off the server domains. So therefore non valid
addresses are being rejected.  So how can these be dealt with they all
look genuine in the headers.  My domains all run strict SPF policy
with reject mail when SPF does not resolve to pass, but as these are
bounce emails the servers of course have no SPF records therefore
don't get skimmed off.

Thanks!





Re: access question

2009-01-12 Thread swilting
users can send mail to any address


On Monday 12 January 2009 at 07:37 -0600, Noel Jones wrote:
> Res wrote:
> > Hi All,
> > I have a situation where I need to allow a remote user to email in (yes, 
> > that's whitelisted and working fine), but, deny local users from emailing
> > that remote user.
> > 
> > I use check_recipient_access and check_sender_access already under 
> > smtpd_recipient_restrictions, both of these come after the permit 
> > mynetworks, I'm sure I can place another check_recipient_access
> > before the permits with the remote u...@host, will this work or is there 
> > a better way?
> > 
> > Thanks
> > 
> > 
> 
> If your intention is to prevent anyone from sending mail to 
> that particular recipient, then yes, placing another 
> check_recipient_access map above permit_mynetworks would work.
> 
> A safer solution is to put that check under 
> smtpd_sender_restrictions as the only entry.  That way a 
> mistake in the table won't make you an open relay.
> 
> If you need to restrict a subset of your users from sending to 
> that address, please see the examples in
> http://www.postfix.org/RESTRICTION_CLASS_README.html#external
> 




Re: Number of Recipients different to a account

2009-01-12 Thread Sahil Tandon
On Jan 12, 2009, at 11:51 AM, "Eduardo Júnior" wrote:

> Hi, all
>
> I intend to allow one specific account a larger number of
> recipients per message than the default.
>
> For example:
>
> userf...@mydomain.com
> number of recipients allowed: 100
>
> other
> number of recipients allowed: 15
>
> How do I do this?


With a policy service; FWIW, I use postfwd (postfwd.org) to do  
something similar.

Re: Number of Recipients different to a account

2009-01-12 Thread Noel Jones

Eduardo Júnior wrote:

> Hi, all
>
> I intend to allow one specific account a larger number of
> recipients per message than the default.
>
> For example:
>
> userf...@mydomain.com
> number of recipients allowed: 100
>
> other
> number of recipients allowed: 15
>
> How do I do this?
>
> []´s



You'll need a policy service with per-user limits.
Here's some already written:
http://www.postfix.org/addon.html#policy
or you can write your own.

--
Noel Jones



Number of Recipients different to a account

2009-01-12 Thread Eduardo Júnior
Hi, all


I intend to allow one specific account a larger number of
recipients per message than the default.

For example:


userf...@mydomain.com
number of recipients allowed: 100

other
number of recipients allowed: 15


How do I do this?



[]´s


-- 
Eduardo Júnior
GNU/Linux user #423272

:wq


Re: postfix implementation in forum like application - OT

2009-01-12 Thread Terry Carmen

vivek.agrawal wrote:

> hello everyone,
>  below i have described my application requirements. I need your
> comments/suggestion.
>
> Current application - I have a web application which works like a forum
> only. only difference is that user can create some thread and only
> restricted users related with that thread can send and receive message.
>
> new requirement : 1. whenever user u1 will send a message to user u2 on a
> thread t1 then a mail should send from thread t1's email id. to both the
> user.
>
> 2. recipient user u2 can reply to that mail by using their own mail
> application (outlook, web base gui.). once user u2 has replied on that
> message, replied message should get stored in my own web application
> database.
>
> currently i am using ubuntu and java for application. Please let me know how
> i can achieve this functionality.
  

You're reinventing the wheel.

Look at mailman or other mailing list managers.

Terry



Re: hello,I would like to offer more of authentication option

2009-01-12 Thread Noel Jones

john.swilting wrote:

> john.swilting wrote:
>
>> hello
>> I would like to offer more of authentication option
>>
>> currently only auth plain login



We heard you the first time...

SASL authentication methods are set by your SASL software, not 
by postfix.  See the documentation for the SASL software you 
are using - either cyrus or dovecot.


--
Noel Jones



Re: Problem with Zen filtering legit e-mail

2009-01-12 Thread Sahil Tandon

On Jan 12, 2009, at 10:27 AM, Roland Plüss wrote:

> Since I got Zen and the other spam stuff working things went fine until
> one of our road workers tried to send his email from his laptop which is
> hooked up on a cheap ISP. This ISP happens to be fully in Zen and he can
> not send mails using our mail server. He has to log in using IMAP/TLS to
> send the mails. Is there a way ( inside the recipient restrictions ) to
> allow mails only from a domain if sent by a logged in user? Currently I
> use a recipient access map to whitelist the domain but this works only
> until spammers start to send mails with faked domains ( aka claiming to
> be from this domain but obviously are not since they never authed ).
> SASL is not an option since it refuses to work ( either crashes or fails
> to start ).


Fix the problem instead of plugging in these makeshift solutions.  Why  
does SASL not work?  What do the logs say?  Show the output of  
'postconf -n' and relevant excerpts from your log.  Also see the  
DEBUG_README, to which you were referred upon joining this list; it  
contains useful troubleshooting tips and advice on how to get help  
from this list.


--
Sahil Tandon 

Re: TLS for multiple relays

2009-01-12 Thread Noel Jones

ram wrote:

I want to send mails from my postfix server to different relay
servers(non postfix) on TLS for different domains

The readme 
http://www.postfix.org/TLS_README.html

describes how to use tls over smtp using  smtp_tls_cert_file. But how
can I store certificates for multiple servers because I am going to
relay to multiple servers and each one will have their own certificates



Thanks
Ram


Hmm, *your* certificate goes in smtp_tls_cert_file, nothing 
particular to do with who you're sending to.


If your host has multiple personalities and you want each 
personality to have its own sending certificate, you can set 
smtp_tls_cert_file in master.cf for different transports or 
just use separate instances of postfix for each personality.


--
Noel Jones


Re: Problem with Zen filtering legit e-mail

2009-01-12 Thread Noel Jones

Roland Plüss wrote:

Since I got Zen and the other spam stuff working things went fine until
one of our road workers tried to send his email from his laptop which is
hooked up on a cheap ISP. This ISP happens to be fully in Zen and he can
not send mails using our mail server. He has to log in using IMAP/TLS to
send the mails. Is there a way ( inside the recipient restrictions ) to
allow mails only from a domain if sent by a logged in user? Currently I
use a recipient access map to whitelist the domain but this works only
until spammers start to send mails with faked domains ( aka claiming to
be from this domain but obviously are not since they never authed ).
SASL is not an option since it refuses to work ( either crashes or fails
to start ).



Put permit_mynetworks, permit_sasl_authenticated before the 
zen check.


--
Noel Jones



Problem with Zen filtering legit e-mail

2009-01-12 Thread Roland Plüss
Since I got Zen and the other spam stuff working things went fine until
one of our road workers tried to send his email from his laptop which is
hooked up on a cheap ISP. This ISP happens to be fully in Zen and he can
not send mails using our mail server. He has to log in using IMAP/TLS to
send the mails. Is there a way ( inside the recipient restrictions ) to
allow mails only from a domain if sent by a logged in user? Currently I
use a recipient access map to whitelist the domain but this works only
until spammers start to send mails with faked domains ( aka claiming to
be from this domain but obviously are not since they never authed ).
SASL is not an option since it refuses to work ( either crashes or fails
to start ).

-- 
Yours sincerely
Plüss Roland





hello,I would like to offer more of authentication option

2009-01-12 Thread john.swilting

john.swilting wrote:

hello
I would like to offer more of authentication option

currently only auth plain login

[r...@r13151 ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 r13151.ovh.net ESMTP Postfix (2.3.3)
helo localhost
250 r13151.ovh.net
ehlo localhost
250-r13151.ovh.net
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[r...@r13151 ~]# nano /etc/postfix/main.cf

or pass md5 and other

my postconf -n

[r...@r13151 ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
luser_relay = admin+$local
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = fakessh.eu
mynetworks = 192.168.0.0/24, 127.0.0.0/8 ,87.98.186.232
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks 
reject_unknown_reverse_client_hostname reject_unauth_pipelining 
reject_non_fqdn_recipient permit_tls_all_clientcerts
smtpd_recipient_restrictions = permit_mynetworks, 
permit_inet_interfaces ,permit_sasl_authenticated, permit_mx_backup, 
reject_unauth_destination

smtpd_sasl_auth_enable = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains = fakessh.eu renelacroute.fr swilting.biz
virtual_alias_maps = hash:/etc/postfix/virtual
[r...@r13151 ~]#










bad command startup --throttling

2009-01-12 Thread Nathan Huesken
Hello,

I am trying to configure my postfix mail server using this guide:
http://wiki.dovecot.org/HowTo/DovecotLDAPostfixAdminMySQL

So it is a mysql, dovecot, postfix, postfixadmin setup.

In my mail.warn, I get lots of messages like this:
postfix/master[9506]: warning: /usr/lib/postfix/smtpd: bad command startup -- 
throttling
 
(often with pipe or trivial-rewrite instead of smtpd).

At the same time, I get "Cannot allocate memory" in all types of contexts.
The server has 256MB of ram and ~40MB free most of time. Should that be enough?

Thanks!
Nathan


hello,I would like to offer more of authentication option

2009-01-12 Thread john.swilting

hello
I would like to offer more of authentication option

currently only auth plain login

[r...@r13151 ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 r13151.ovh.net ESMTP Postfix (2.3.3)
helo localhost
250 r13151.ovh.net
ehlo localhost
250-r13151.ovh.net
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[r...@r13151 ~]# nano /etc/postfix/main.cf

or pass md5 and other

my postconf -n

[r...@r13151 ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
luser_relay = admin+$local
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = fakessh.eu
mynetworks = 192.168.0.0/24, 127.0.0.0/8 ,87.98.186.232
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks 
reject_unknown_reverse_client_hostname reject_unauth_pipelining 
reject_non_fqdn_recipient permit_tls_all_clientcerts
smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces 
,permit_sasl_authenticated, permit_mx_backup, reject_unauth_destination

smtpd_sasl_auth_enable = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains = fakessh.eu renelacroute.fr swilting.biz
virtual_alias_maps = hash:/etc/postfix/virtual
[r...@r13151 ~]#





TLS for multiple relays

2009-01-12 Thread ram
I want to send mails from my postfix server to different relay
servers(non postfix) on TLS for different domains

The readme 
http://www.postfix.org/TLS_README.html
describes how to use tls over smtp using  smtp_tls_cert_file. But how
can I store certificates for multiple servers because I am going to
relay to multiple servers and each one will have their own certificates



Thanks
Ram









Re: access question

2009-01-12 Thread Noel Jones

Res wrote:
> Hi All,
> I have a situation where I need to allow a remote user to email in (yes,
> that's whitelisted and working fine), but, deny local users from emailing
> that remote user.
>
> I use check_recipient_access and check_sender_access already under
> smtpd_recipient_restrictions, both of these come after the permit
> mynetworks, I'm sure I can place another check_recipient_access
> before the permits with the remote u...@host, will this work or is there
> a better way?
>
> Thanks




If your intention is to prevent anyone from sending mail to 
that particular recipient, then yes, placing another 
check_recipient_access map above permit_mynetworks would work.


A safer solution is to put that check under 
smtpd_sender_restrictions as the only entry.  That way a 
mistake in the table won't make you an open relay.


If you need to restrict a subset of your users from sending to 
that address, please see the examples in

http://www.postfix.org/RESTRICTION_CLASS_README.html#external

--
Noel Jones
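Why the placement matters, as an added example that is not part of the original post and is not Postfix code: a simplified Python model of how the sender and recipient restriction lists are walked. Addresses, networks and table entries are constructed; only three restrictions are modelled, and an OK result ends the current list only.

```python
# Added illustration: simplified model of Postfix restriction-list evaluation.
# Not Postfix code; networks, domains and addresses are constructed.
import ipaddress

MYNETWORKS = [ipaddress.ip_network("192.168.0.0/24")]
LOCAL_DOMAINS = {"example.com"}  # domains this server accepts mail for


def permit_mynetworks(session):
    ip = ipaddress.ip_address(session["client"])
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(session):
    domain = session["rcpt"].rsplit("@", 1)[1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


def check_recipient_access(table):
    """Build a restriction that looks the recipient up in an access table."""
    def check(session):
        return table.get(session["rcpt"].lower(), "DUNNO")
    return check


def evaluate(config, session):
    """Walk each list in order. REJECT is final, OK ends only the current
    list, DUNNO moves on to the next restriction."""
    for name in ("smtpd_sender_restrictions", "smtpd_recipient_restrictions"):
        for restriction in config.get(name, []):
            result = restriction(session)
            if result == "REJECT":
                return "REJECT"
            if result == "OK":
                break
    return "ACCEPT"


def recipient_list_placement(table):
    """The check placed above permit_mynetworks in the recipient list."""
    return {
        "smtpd_recipient_restrictions": [
            check_recipient_access(table),
            permit_mynetworks,
            reject_unauth_destination,
        ],
    }


def sender_list_placement(table):
    """The check as the only entry of smtpd_sender_restrictions."""
    return {
        "smtpd_sender_restrictions": [check_recipient_access(table)],
        "smtpd_recipient_restrictions": [
            permit_mynetworks,
            reject_unauth_destination,
        ],
    }


INTENDED = {"partner@remote.example": "REJECT"}  # what the admin meant
MISTAKE = {"partner@remote.example": "OK"}       # a slip in the table

INSIDE = {"client": "192.168.0.10", "rcpt": "partner@remote.example"}
OUTSIDE = {"client": "203.0.113.9", "rcpt": "partner@remote.example"}

if __name__ == "__main__":
    for label, table in (("intended", INTENDED), ("mistake", MISTAKE)):
        for place in (recipient_list_placement, sender_list_placement):
            for who, session in (("inside", INSIDE), ("outside", OUTSIDE)):
                print(label, place.__name__, who, evaluate(place(table), session))
```
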


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread Noel Jones

webmas...@aus-city.com wrote:

Quoting Noel Jones :

You'll need to investigate where your bounces are coming from by
examining your log - find out why postfix generated a bounce.
Start by searching your logfile for the QUEUEID displayed by the
"mailq" command.

The "usual" source of unwanted bounces is accepting mail for
undeliverable recipients rather than rejecting such mail during SMTP.
The postfix method of recipient validation depends on the address class
of the recipient domain.
http://www.postfix.org/ADDRESS_CLASS_README.html

Also note that any address matched by virtual_alias_maps or
*canonical_maps is considered valid, so "@domain @domain" wildcard
mapping effectively disables recipient validation.


Please see
http://www.postfix.org/DEBUG_README.html
and especially
http://www.postfix.org/DEBUG_README.html#mail


--
Noel Jones



Hi Noel,

The mailq dump as requested:

-Queue ID- --Size-- Arrival Time -Sender/Recipient---
91B8113C0040 3168 Mon Jan 12 13:57:12  MAILER-DAEMON
(host mx1.atomz.com[64.191.197.46] said: 450 4.1.1 : 
Recipient address rejected: User unknown in relay recipient table (in 
reply to RCPT TO command))

 ben...@atomz.com

AF41E13C0042 2849 Mon Jan 12 14:58:09  MAILER-DAEMON
(connect to losxpertos.com[69.64.147.19]:25: Connection 
timed out)

 whirredfih0...@losxpertos.com

EC83913C0033 2710 Mon Jan 12 10:12:22  MAILER-DAEMON
   (connect to aimnona.com[66.79.162.22]:25: Connection 
timed out)

 r...@aimnona.com

8F54113C0028 2941 Mon Jan 12 09:20:39  MAILER-DAEMON
 (connect to mailno.opens.com[255.255.255.255]:25: Network is 
unreachable)

 tandcr...@opens.com

B831F13C003E 3039 Mon Jan 12 10:43:42  MAILER-DAEMON
(connect to mail.cfbnet.com[67.79.170.115]:25: Connection 
refused)

 donboe...@cfbnet.com

-- 18 Kbytes in 5 Requests.


OK, so you have some bounces in your queue.  We already knew 
that, so this posting is rather useless.


You'll need to investigate where your bounces are coming from 
by examining your log - find out why postfix generated a 
bounce.  Start by searching your logfile for the QUEUEID 
displayed by the  "mailq" command.  You can also examine the 
contents of the bounce with


# postcat -q QUEUEID | more

The QUEUEID is displayed by the mailq command in the "QUEUE 
ID" column.


You'll need to do those parts of the investigation yourself. 
Come back with details if you need help interpreting what you 
find.


--
Noel Jones


Re: Catchall with exceptions

2009-01-12 Thread Robert Schetterer
Nathan Huesken wrote:
> Hello,
> 
> I am just switching to postfix for my mailserver.
> I wonder, if and how the following is possible:
> 
> I have a catchall for a certain domain (let's call it catch-all.com).
> But certain addresses (like i...@catch-all.com) just get too much spam.
> So I want to block them!
> But I do not want to bounce them, it causes too much traffic. I want to block 
> them on the smtp level.
> If someone sends a mail to i...@catch-all.com, he should get a "user not 
> found" response.
> 
> Thanks!
> Nathan

Hi Nathan, I wouldn't recommend any kind of catch all
these spam days
however you always can use a recipient reject
i.e.

smtpd_recipient_restrictions =
...
check_recipient_access hash:/etc/postfix/recipient_access_blacklist,


/etc/postfix/recipient_access_blacklist

i...@catch-all.com REJECT this mail adress doesnt accept incomming mail

be aware that you might not receive any bounces etc this way
( don't know if this is ok at your site )
you might use other sender tables before this rule ( perhaps using
smtpd_restriction_classes )
to make bounces work for typical bounce senders like i.e <>, postmaster
etc ( on the other side these addresses often are backscatter source or
spam faked ) so there is no "Gold" way

reject as many mails as you can by other rules before this rule by i.e
rbls, unknown domain checks etc

stuff like this depends deeply on amount and kind of incoming
spam and backscatter mails and may change during runtime by analysing
logs

using real mail addresses only, instead of catch all, is better
anytime anyway


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Catchall with exceptions

2009-01-12 Thread Nathan Huesken
Hello,

I am just switching to postfix for my mailserver.
I wonder, if and how the following is possible:

I have a catchall for a certain domain (let's call it catch-all.com).
But certain addresses (like i...@catch-all.com) just get too much spam.
So I want to block them!
But I do not want to bounce them, it causes too much traffic. I want to block 
them on the smtp level.
If someone sends a mail to i...@catch-all.com, he should get a "user not 
found" response.

Thanks!
Nathan


Re: safe wildcard aliasing with mysql [Was: Reject_unlisted_recipient and "wide" aliasing]

2009-01-12 Thread Roman Medina-Heigl Hernandez
mouss wrote:
> Roman Medina-Heigl Hernandez wrote:
>> [snip]
>> Any ideas to improve this? I think this could be solved with more mysql
>> magic...
>>
> 
> let's use these "simplistic" tables (no id/keys... for simplicity):
> 
> - a User table, with the following columns
>  * user: the user-part of an email address
>  * domain: the domain part.
> 
> 
> - a DomainAlias table, with the following columns
>  * alias: This is a domain name
>  * destination: This too is a domain name
> 
> 
> now, we set
> 
> virtual_alias_maps =
>   # user aliases
>   proxy:mysql:/etc/postfix/maps/mysql/user_alias
>   # domain aliases
>   proxy:mysql:/etc/postfix/maps/mysql/domain_alias
> 
> 
> user_alias is used for "user" aliases (no wildcard alias). You already
> know how to do this so I'll skip it.
> 
> domain_alias is used for domain aliasing. The query is
> 
> query =
>   SELECT
>   user
>   FROM
>   DomainAlias, User
>   SELECT

s/SELECT/WHERE

>   alias = '%d'
>   AND
>   User.user = '%u'
>   AND
>   User.domain = destination
> 
> so there are two things:
> - we use two maps in virtual_alias_maps. one for users and one for
> domains. the latter implements wildcard aliases
> - but we only return a result if the "destination" user exists (in the
> User table).
> 
> is it clear now?

Yes, this is indeed my proposed solution... (see my former post; it seems a
bit different but that's because I don't have user and domain separated so
I need to "calculate" them from the whole email). Your former solution (in
former post) returned a domain as a result of the query, so it was not good
(recursion wouldn't work, even for user aliases), and it didn't explain
that it was a separate table for virtual_alias_maps either. But as I said,
only the idea you gave to me was great and I thank you for it!

I don't have time now to rethink about this (I don't recall now, but the
solution has drawbacks), I'll probably return into it after 1 or 2 months...
and I'll share my results in this thread.

Thank you all for your participation :)

Cheers,
-Román
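The domain-alias query from this exchange (with the s/SELECT/WHERE correction applied), run against in-memory data beside a plain wildcard alias; this is an added example, not code from either poster. SQLite stands in for MySQL, the rows and domain names are constructed, and returning the full user@domain address instead of the bare user column is an assumption made here so the result reads as a complete alias target.

```python
# Added illustration: the "only alias if the destination user exists" query
# compared with an unconditional wildcard alias. Data is constructed.
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE User (user TEXT, domain TEXT);
        CREATE TABLE DomainAlias (alias TEXT, destination TEXT);
        INSERT INTO User VALUES ('roman', 'example.com');
        INSERT INTO User VALUES ('info', 'example.com');
        INSERT INTO DomainAlias VALUES ('example.net', 'example.com');
        """
    )
    return db


# The query from the thread; :d and :u play the role of Postfix's %d and %u.
SAFE_QUERY = """
    SELECT User.user || '@' || User.domain
    FROM DomainAlias, User
    WHERE alias = :d
      AND User.user = :u
      AND User.domain = destination
"""

# An unconditional wildcard: every user@alias maps to user@destination.
WILDCARD_QUERY = """
    SELECT :u || '@' || destination
    FROM DomainAlias
    WHERE alias = :d
"""


def lookup(db, query, address):
    """Return the alias target for address, or None when there is no match."""
    user, _, domain = address.rpartition("@")
    row = db.execute(query, {"u": user, "d": domain}).fetchone()
    return row[0] if row else None


def recipient_is_listed(db, query, address):
    """An address matched by virtual_alias_maps counts as a valid recipient."""
    return lookup(db, query, address) is not None


if __name__ == "__main__":
    db = build_db()
    for addr in ("roman@example.net", "nosuchuser@example.net"):
        print(addr,
              "safe:", lookup(db, SAFE_QUERY, addr),
              "wildcard:", lookup(db, WILDCARD_QUERY, addr))
```

With the wildcard query every address in the alias domain is "found", so mail for nonexistent users is accepted and bounced later; with the joined query the lookup comes back empty and the recipient can be refused during SMTP.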