milter<->postfix debugging for disappearing headers

2009-01-15 Thread Quanah Gibson-Mount
We have a milter that examines emails and adds headers if it believes they 
are spam.  However, it looks like 33% of the time, the headers that we've 
added to the email are stripped out by postfix before delivery, which ends 
up causing a lot of spam to get delivered.  We've snooped the connection 
between postfix and the milter to verify that it is actually returning the 
spam headers:


bash-3.2$ grep -n xxx.yy.zzz.aa snoopit 
903921:..u)...Y...^DCj.xx.xxx..xx.x.xxx.{daemon_name}.xx.xxx..xxx.x.xxx.v.Postfix 
2.4.7"C[xxx.yy.zzz.aa].4..xxx.yy.zzz.aa. 
1022655:...|..b#iX-Spam-Detected.xxx.yy.zzz.aa. 
1022667:..cu...!iX-Rocket-Spam.xxx.yy.zzz.aa.iX-Spam-Track.[cat=SP; 
info=ip:BK;ipsh:UK;url2db:SP 
url=xyz.com>].c 
1725529:..w^DCj.xx.xxx..xxx.x.xxx.{daemon_name}.xx.xxx..xxx.x.xxx.v.Postfix 
2.4.7"C[xxx.yy.zzz.aa].4..xxx.yy.zzz.aa. 
1947733:...]...#iX-Spam-Detected.xxx.yy.zzz.aa. 
1947886:...!iX-Rocket-Spam.xxx.yy.zzz.aa.iX-Spam-Track.[cat=SP;



As you can see from the snoop, the X-Spam-Track, X-Rocket-Spam, and 
X-Spam-Detected headers are all present, which our code adds to the 
message.  But when this message is delivered, the headers are gone.  Any 
idea why this might be happening?  Is there some way to modify the logging 
on postfix so we can see what headers postfix thinks the message had?



Our master.cf (minus comments) has:

-bash-3.00$ more master.cf
xxx:25          inet  n       -       n       -       -       smtpd
127.0.0.1:25    inet  n       -       n       -       -       smtpd
xxx:587         inet  n       -       n       -       -       smtpd
127.0.0.1:587   inet  n       -       n       -       -       smtpd
xxx:465         inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_cert_file=/home/y/etc/zimbra_cfg/ssl/zimbra.crt
   -o smtpd_tls_key_file=/home/y/etc/zimbra_cfg/ssl/zimbra.key
127.0.0.1:465   inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_cert_file=/home/y/etc/zimbra_cfg/ssl/zimbra.crt
   -o smtpd_tls_key_file=/home/y/etc/zimbra_cfg/ssl/zimbra.key
pickup          fifo  n       -       n       60      1       pickup
cleanup         unix  n       -       n       -       0       cleanup
qmgr            fifo  n       -       n       300     1       qmgr
tlsmgr          unix  -       -       n       1000?   1       tlsmgr
rewrite         unix  -       -       n       -       -       trivial-rewrite
bounce          unix  -       -       n       -       0       bounce
defer           unix  -       -       n       -       0       bounce
trace           unix  -       -       n       -       0       bounce
verify          unix  -       -       n       -       1       verify
flush           unix  n       -       n       1000?   0       flush
proxymap        unix  -       -       n       -       -       proxymap
smtp            unix  -       -       n       -       -       smtp
relay           unix  -       -       n       -       -       smtp
   -o fallback_relay=
showq           unix  n       -       n       -       -       showq
error           unix  -       -       n       -       -       error
discard         unix  -       -       n       -       -       discard
local           unix  -       n       n       -       -       local
virtual         unix  -       n       n       -       -       virtual
lmtp            unix  -       -       n       -       -       lmtp
anvil           unix  -       -       n       -       1       anvil
scache          unix  -       -       n       -       1       scache
maildrop        unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus       unix  -       n       n       -       -       pipe
 flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus           unix  -       n       n       -       -       pipe
 user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp            unix  -       n       n       -       -       pipe
 flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail          unix  -       n       n       -       -       pipe
 flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp           unix  -       n       n       -       -       pipe
 flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

smtp-amavis     unix  -       -       n       -       10      smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20
127.0.0.1:10025 inet  n       -       n       -       -       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o virtual_mailbox_maps=
   -o virtual_alias_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   

Re: Using SASL - dovecot sasl

2009-01-15 Thread secSwami

Thanks a bunch Thomas!!

One more thing do you create users on the system itself or use users and 
password from a file?


Thanks again...much much appreciated.

Thomas wrote:

secSwami wrote:
Thanks for your suggestion, could you please get me your dovecot.conf 
info too?  and do you startup "saslauthd" service?


As you wish:

grep -v ^\# dovecot.conf | grep -v "^ *\#" | grep -v ^$
protocols =imaps
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
mail_location = mbox:%h/Mail:INBOX=/var/spool/mail/%u:INDEX=%h/.imap/%n
mail_privileged_group = mail
protocol imap {
}

protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
auth default {
mechanisms = plain
passdb pam {
}
userdb passwd {
}
user = root
socket listen {
  client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
  }
}
}
dict {
}
plugin {
}


About saslauthd:

ps -elf | grep -i sasl
0 R root  8302  8256  0  78   0 -   682 -  04:12 ttyp0
00:00:00 grep -i sasl


Does not seem so :)





Re: Using SASL - dovecot sasl

2009-01-15 Thread Thomas

secSwami wrote:
Thanks for your suggestion, could you please get me your dovecot.conf 
info too?  and do you startup "saslauthd" service?


As you wish:

grep -v ^\# dovecot.conf | grep -v "^ *\#" | grep -v ^$
protocols =imaps
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
mail_location = mbox:%h/Mail:INBOX=/var/spool/mail/%u:INDEX=%h/.imap/%n
mail_privileged_group = mail
protocol imap {
}

protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
auth default {
mechanisms = plain
passdb pam {
}
userdb passwd {
}
user = root
socket listen {
  client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
  }
}
}
dict {
}
plugin {
}


About saslauthd:

ps -elf | grep -i sasl
0 R root  8302  8256  0  78   0 -   682 -  04:12 ttyp0
00:00:00 grep -i sasl


Does not seem so :)


Re: Using SASL - dovecot sasl

2009-01-15 Thread secSwami

Hi Thomas,

Thanks for your suggestion, could you please get me your dovecot.conf 
info too?  and do you startup "saslauthd" service?


Thanks again.

Thomas wrote:

secSwami wrote:
So after trying and trying other methods of making postfix send 
emails for the SASL authenticated users to work, I am trying to now 
use dovecot sasl config.
My main purpose is that I should be able to SEND email from anywhere 
on the internet using my POSTFIX mail server.  There seems to be 
some problem with my config,

can someone shine some light on this:
   }
}



Just for a quick test, please try the following "^smtp..." settings:

smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = reject_invalid_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unknown_recipient_domain, permit_sasl_authenticated,
    reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_address
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes


That works for me and Thunderbird from everywhere I can connect to 
imaps (Dovecot) ...







Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Rich Shepard

On Thu, 15 Jan 2009, Victor Duchovni wrote:


This misses the point, ...


Victor,

  I'm not at all surprised. I've never delved deeply into DNS; it's so
peripheral to our business that I have no time to spend learning all about
it.

  Your explanation is much appreciated.

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Victor Duchovni
On Thu, Jan 15, 2009 at 02:30:54PM -0800, Rich Shepard wrote:

> On Thu, 15 Jan 2009, Victor Duchovni wrote:
>
>> You don't need to run your own DNS server provided your cache does not
>> forward cache misses to the ISP. A local cache is sufficient.
>
> Victor,
>
> I assume that dnscache does forward misses up the line, and apparently
> zen.spamhaus.org never made it into the local cache.

This misses the point, the main thing is that a cache can either delegate
all cache misses to a single forwarder, or can directly query the proper
servers for each domain by obtaining the NS records from the parent domain
and so on up to the root servers.

The TTL for RBL zones is generally fairly short, so unless a single botnet
IP is repeatedly hitting your system, indeed the cache hit rate for the
Zen zone may be modest.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Question about reject_unauthenticated_sender_login_mismatch (additional information)

2009-01-15 Thread Jeff Weinberger

Viktor Wrote:

On Thu, Jan 15, 2009 at 10:01:51PM +0100, mouss wrote:

> jeff_homeip wrote:
> > [snip]
> > When I added this back, all worked fine. If I remove this one restriction
> > (check_sender_access), I can no longer send.
> >
> > is this check_sender_access, because it's not rejecting the sender,
> > allowing it somehow?
> >
>
> no. it's more probable that you have errors in your config.
>


I think it's absolutely certain that I had errors in my config. As you  
noticed, I have been having a challenge trying to isolate and fix them.




> if you think you have a problem with one particular configuration, then
> we need to see that configuration, so
>
> 1) configure postfix to reproduce the problem
> 2) restart postfix
> 3) from now, don't change any setting until the end of this procedure
> 4) reproduce the problem (test...)
> 5) if you succeed, send us the
> -- contents of master.cf
> -- the output of 'postconf -n'
> -- the contents of main.cf (to see "custom" variables)

6) "postmap -q - " output for all relevant keys in all relevant
tables.
7) verbose logging from the smtpd(8) showing the events that lead
up to reject restriction. Configure via "debug_peer_list" or "-v"
entry in master.cf. It is enough to report just 10-20 lines of
logging above the "reject" event, that demonstrate which restrictions
is being processed and associated table lookup keys and results.


As I noted earlier, I restored my main.cf and master.cf from backup (a  
known working version) and started over.


I ran these tests with that version and found no problems. I then  
changed the configurations to the desired end-point and ran these (and  
a few other) tests again. Again no problems.


So I was not able to reproduce this. I have to conclude that I took  
interim steps on the way to the desired state, and one of those  
resulted in the errors I observed. Since I did not document my steps,  
only my goal, I cannot reproduce each one, and since I cannot find the  
combination that produced the error, I have to conclude that I did  
something seriously wrong at some point.


So I must apologize - I have asked  you to help chase an issue that  
seems to have been just an interim error. I appreciate your help and  
effort, but I am sorry that it appears unnecessary. (of course, if it  
recurs, I'll run these tests again, and if I can reproduce it, post  
all the information here)


I now have it working, as far as I can tell, as I want. The goal was  
to have a submission service that forces authentication and requires  
that authenticated users only send from addresses they own.


So I now have:

submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=$587_master_sender_restrictions,reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

with, in main.cf:

587_master_sender_restrictions=check_sender_access pcre:/etc/postfix/smtpd_sender_restrictions.pcre


and

smtpd_sender_restrictions.pcre containing one line:

/^(.*)/ PREPEND X-Envelope-Sender: <${1}>

I was concerned that the "match" on PREPEND would obviate the further  
sender_restrictions, but that appears not to be the case, in limited  
testing so far.


The recipient_restrictions are solely meant to avoid the many checks  
( e.g. RBL, unauth_pipelining, etc.) in my main.cf for my smtp service.


This appears to work. I am of course, open to any and all suggestions  
on how this can be improved.


Again, sorry for dragging you down a dead-end path, but thank you for  
your  help - I've learned a lot along the way.


--Jeff



[ANN] milter manager 0.7.0

2009-01-15 Thread Kouhei Sutou
Hi,

milter manager 0.7.0 has been released.

  http://milter-manager.sourceforge.net/
  http://sourceforge.net/project/showfiles.php?group_id=236233

ClearCode Inc. is developing milter manager for a public
issue business of IPA (INFORMATION-TECHNOLOGY PROMOTION
AGENCY). This is the first release of milter manager. This
release is a development release.

The release schedule is at the end of this mail.

== About milter manager

milter manager is a milter that manages multiple milters.
It is free software that helps construct a flexible and low
maintenance cost mail system.

milter is a pluggable message filter derived from Sendmail.
Each milter provides one or more features. We can construct
a mail system for our own purposes by combining some
milters. The flexibility is an advantage but also a weakness.

The weakness is higher maintenance cost because we need to
have many configuration files and associate each milter with
the MTA.

milter manager helps construct a mail system for our own
purposes with low maintenance cost by using milters'
advantages and covering milters' weaknesses.


milter manager embeds a Ruby interpreter. Ruby is a real
programming language that provides easy to read syntax and
flexibility.

milter manager can detect installed milters in the system and
register them dynamically by the embedded Ruby interpreter. We
don't need to change the MTA configuration even if a milter's
socket configuration changes. We just change the milter's configuration.
It covers a weakness caused when multiple milters are used.


It's an advantage of milters that multiple milters can be combined. But
all registered milters are applied to all messages. We can't
select whether to apply milters or not dynamically like
Postfix's SMTP Access Policy Delegation. If milters can be
applied like this, we will be able to share a whitelist with
all milters instead of maintaining a whitelist in each
milter.

milter manager has some check points in the milter session. They
can be used for it.

== More about milter manager

  * http://milter-manager.sourceforge.net/reference/readme.html

README: License, How to get, Introductions of included tools

  * http://milter-manager.sourceforge.net/reference/ja/introduction.html

Introduction: More details about milter manager's advantages

  * http://milter-manager.sourceforge.net/reference/ja/install.html
* http://milter-manager.sourceforge.net/reference/ja/install-to-ubuntu.html
* http://milter-manager.sourceforge.net/reference/ja/install-to-freebsd.html

Install: How to install milter manager (for Ubuntu and FreeBSD)
 Used milters: milter-greylist, clamav-milter, spamass-milter

  * http://milter-manager.sourceforge.net/reference/ja/configuration.html

Configuration: How to configure milter manager

  * http://milter-manager.sourceforge.net/coverage/

Coverage

* Cutter: unit testing framework for C
  http://cutter.sourceforge.net/
* LCOV: coverage result formatter
  http://ltp.sourceforge.net/coverage/lcov.php

== Release schedule

2009/1: 0.7.0
* This release
2009/2: 0.8.0
* Add Web interface for administration
* Add log analyzer tool
* Improve documents
2009/3: 0.9.0
* 1.0.0 RC
* Freeze library API
* If it has problems, 0.9.1, 0.9.2, ... are released
2009/4: 1.0.0
* If 0.9.0 doesn't have problem
* If 0.9.0 has problem and 0.9.1, ... are released,
  1.0.0 will be released after 2009/4.

== Contact

Mailing list:
  https://lists.sourceforge.net/lists/listinfo/milter-manager-users-en

  Future release announcements will be made on the ML. If you
  are interested in this project, please join the ML.

BTS:
  http://sourceforge.net/tracker/?atid=1099435&group_id=236233&func=browse


Thanks,
--
kou


Re: Using SASL - dovecot sasl

2009-01-15 Thread Thomas

secSwami wrote:
So after trying and trying other methods of making postfix send emails 
for the SASL authenticated users to work, I am trying to now use 
dovecot sasl config.
My main purpose is that I should be able to SEND email from anywhere 
on the internet using my POSTFIX mail server.  There seems to be 
some problem with my config,

can someone shine some light on this:
   }
}



Just for a quick test, please try the following "^smtp..." settings:

smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = reject_invalid_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unknown_recipient_domain, permit_sasl_authenticated,
    reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_address
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes


That works for me and Thunderbird from everywhere I can connect to imaps 
(Dovecot) ...




Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Ralf Hildebrandt
* Rich Shepard :
>   I'd like to fix a long-standing issue here; namely, I'm not calling the
> zen zone at spamhaus.org properly in main.cf. What I have is:
>
>   reject_rbl_client zen.spamhaus.org,
>
> as a smtpd_client_restrictions entry.

That's correct.

-- 
Ralf Hildebrandt (ralf.hildebra...@charite.de)  snick...@charite.de
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Microsoft is not the answer -- Microsoft is the question.
No is the answer.


Using SASL - dovecot sasl

2009-01-15 Thread secSwami

Hi,

So after trying and trying other methods of making postfix send emails 
for the SASL authenticated users to work, I am trying to now use dovecot 
sasl config.
My main purpose is that I should be able to SEND email from anywhere on 
the internet using my POSTFIX mail server.  There seems to be some 
problem with my config,

can someone shine some light on this:

*From grepping maillog I only see the following:*
Jan  3 06:12:56 localhost postfix/smtpd[17074]: 
xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
Jan  3 06:12:56 localhost postfix/smtpd[17074]: generic_checks: 
name=permit_sasl_authenticated
Jan  3 06:12:56 localhost postfix/smtpd[17074]: generic_checks: 
name=permit_sasl_authenticated status=0



*And of course I get relay access denied:*
Jan  3 06:12:56 localhost postfix/smtpd[17074]: NOQUEUE: reject: RCPT 
from unknown[12.51.212.254]: 554 5.7.1 : Relay access 
denied; from=
ingle.com> to= proto=SMTP helo=<[192.168.74.129]>
Jan  3 06:12:56 localhost postfix/smtpd[17074]: generic_checks: 
name=reject_unauth_destination status=2
Jan  3 06:12:56 localhost postfix/smtpd[17074]: > 
unknown[12.51.212.254]: 554 5.7.1 : Relay access denied



Here is my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = mydomain.com
myhostname = mx.mydomain.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550


r...@wutang ~]# cat /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp -v
   -o fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# 
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the

Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Rich Shepard

On Thu, 15 Jan 2009, J Sloan wrote:


Dunno about djbdns - last I checked it was rather long in the tooth - but
using the standard bind9, out of the box, as shipped by linux vendors and
used as a caching dns server is a very cheap and easy speedup.


Joe,

  I've been running DJB's dnscache for a long time, don't know that it's
worth replacing with something new.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


Re: Properly Specifying RBL in main.cf -- RESOLVED

2009-01-15 Thread Rich Shepard

On Fri, 16 Jan 2009, Res wrote:


It's been proven time after time after time this is not so, and/or
whatever they use to calculate this, is horribly inaccurate and has been
for a long time.


  Thank you, Res. I changed DNS nameservers and resolved the issue.

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread J Sloan
Rich Shepard wrote:
> On Thu, 15 Jan 2009, J Sloan wrote:
>
>> I find that having a local unix-based dns server is often orders of
>> magnitude faster than relying on an upstream isp for dns resolution.
>
> Joe,
>
>   I don't know that the effort to set up and maintain djbdns is worth any
> speed increase. I've no basis for comparison.

Dunno about djbdns - last I checked it was rather long in the tooth -
but using the standard bind9, out of the box, as shipped by linux
vendors and used as a caching dns server is a very cheap and easy speedup.

Joe



Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Rich Shepard

On Thu, 15 Jan 2009, Victor Duchovni wrote:


You don't need to run your own DNS server provided your cache does not
forward cache misses to the ISP. A local cache is sufficient.


Victor,

  I assume that dnscache does forward misses up the line, and apparently
zen.spamhaus.org never made it into the local cache.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Rich Shepard

On Thu, 15 Jan 2009, J Sloan wrote:


I find that having a local unix-based dns server is often orders of
magnitude faster than relying on an upstream isp for dns resolution.


Joe,

  I don't know that the effort to set up and maintain djbdns is worth any
speed increase. I've no basis for comparison.

Thanks for the insight,

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Victor Duchovni
On Thu, Jan 15, 2009 at 01:56:11PM -0800, Rich Shepard wrote:

> On Thu, 15 Jan 2009, mouss wrote:
>
>> if you forward DNS queries to your ISP, then the rate limit applies to
>> your ISP. spamhaus don't see mail hitting your servers. They only see DNS
>> queries.
>
>   Ah, so! That explains it. I run Dan Bernstein's dnscache here, but use my
> ISP's DNS servers otherwise.
>
>   So, now I need to consider whether to remove the spamhaus line from
> main.cf or set up and maintain my own dns server.

You don't need to run your own DNS server provided your cache does not
forward cache misses to the ISP. A local cache is sufficient.

-- 
Viktor.



Re: Properly Specifying RBL in main.cf

2009-01-15 Thread J Sloan
Rich Shepard wrote:
>
>   Ah, so! That explains it. I run Dan Bernstein's dnscache here, but
> use my
> ISP's DNS servers otherwise.
>
>   So, now I need to consider whether to remove the spamhaus line from
> main.cf or set up and maintain my own dns server.
>

I find that having a local unix-based dns server is often orders of
magnitude faster than relying on an upstream isp for dns resolution.

Joe


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Rich Shepard

On Thu, 15 Jan 2009, mouss wrote:


if you forward DNS queries to your ISP, then the rate limit applies to
your ISP. spamhaus don't see mail hitting your servers. They only see DNS
queries.


  Ah, so! That explains it. I run Dan Bernstein's dnscache here, but use my
ISP's DNS servers otherwise.

  So, now I need to consider whether to remove the spamhaus line from
main.cf or set up and maintain my own dns server.

Many thanks, mouss!

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Rich Shepard

On Thu, 15 Jan 2009, Rich Shepard wrote:


 Interesting. There are only two of us users at this domain and the
overwhelming majority of incoming messages are spam that's rejected by
postfix. We probably average 300 incoming messages per day (mostly on
technical mail lists), but have thousands of rejections.


Matt,

  The three criteria for free use are:

   1. Your use of the Spamhaus DNSBLs is non-commercial, and
   2. Your email traffic is less than 100,000 SMTP connections per day, and
   3. Your DNSBL query volume is less than 300,000 queries per day.

They define non-commercial as "A company that uses our DNSBLs solely to
filter their own email qualifies as a non-commercial user and may use our
free public DNSBLs if that company's email volume and DNSBL query volume is
below the free use limits. The same is true for any non-profit organization,
school, religious organization, or private individual who operates their own
mail server."

  IIRC, the highest volume shown for a single day was about 10,000 messages;
those were rejected by postfix and a few hundred were accepted. That's well
below their limits.

Rich

--
Richard B. Shepard, Ph.D.   |  IntegrityCredibility
Applied Ecosystem Services, Inc.|Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread mouss
Rich Shepard wrote:
> On Thu, 15 Jan 2009, Matt Hayes wrote:
> 
>> This usually happens when you are going above their amount of queries
>> they limit free use to.
> 
> Matt,
> 
>   Interesting. There are only two of us users at this domain and the
> overwhelming majority of incoming messages are spam that's rejected by
> postfix. We probably average 300 incoming messages per day (mostly on
> technical mail lists), but have thousands of rejections.
> 

if you forward DNS queries to your ISP, then the rate limit applies to
your ISP. spamhaus don't see mail hitting your servers. They only see
DNS queries.


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread mouss
Rich Shepard wrote:
>   I'd like to fix a long-standing issue here; namely, I'm not calling the
> zen zone at spamhaus.org properly in main.cf. What I have is:
> 
> reject_rbl_client zen.spamhaus.org,
> 
> as a smtpd_client_restrictions entry.
> 

This works.

>   Reading the spamhaus web site FAQs I see that zen is a DNS zone combining
> their three other zones, not a host name. This explains the multiple
> entries
> in /var/log/maillog:
> 
> Jan 15 13:13:59 salmo postfix/smtpd[13598]: warning:
> 43.29.121.87.zen.spamhaus.org: RBL lookup error: Host or domain name not
> found. Name service error for name=43.29.121.87.zen.spamhaus.org type=A:
> Host not found, try again
> 


dns issues?

can you try a manual lookup:

host 43.29.121.87.zen.spamhaus.org

here I get:

43.29.121.87.zen.spamhaus.org has address 127.0.0.4


>   How do I properly refer lookups to zen.spamhaus.org? I did not find
> anything relevant on the web site.
> 

http://www.google.fr/search?q=reject_rbl_client+zen.spamhaus.org
gives me 7130 results.


if you type "zen" in the search box on www.postfix.org, you get
http://www.postfix.org/STRESS_README.html
look for zen on that page.
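
Added example, not part of the thread and not Postfix code: a Python sketch of the lookup discussed above. It shows how the name in the warning is built from the client address, how to recover the client address from a logged warning, and how to tell a temporary resolver failure from a listing. The return-code tables are an assumption taken from Spamhaus's published zen codes (only 127.0.0.4 appears in the thread), and all function names are hypothetical.

```python
import ipaddress
import re

ZEN = "zen.spamhaus.org"

# Assumption: zen return codes as published by Spamhaus; the thread itself
# only shows 127.0.0.4.
LISTING_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Answers that mean "your query was refused", not "this client is listed".
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def dnsbl_query_name(client_ip, zone=ZEN):
    """Name looked up for a client: reversed octets (or nibbles) + zone."""
    ip = ipaddress.ip_address(client_ip)
    # reverse_pointer is e.g. '43.29.121.87.in-addr.arpa'; drop the arpa suffix.
    reversed_labels = ip.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


def client_ip_from_query(qname, zone=ZEN):
    """Inverse of dnsbl_query_name(), for reading names out of a log."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        raise ValueError(f"{qname!r} is not a query in {zone}")
    labels = qname[: -len(suffix)].split(".")
    labels.reverse()
    if len(labels) == 4:
        return str(ipaddress.IPv4Address(".".join(labels)))
    if len(labels) == 32:
        digits = "".join(labels)
        groups = [digits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"unexpected label count in {qname!r}")


def classify_answer(address):
    """Interpret the A record returned for a DNSBL query (None = NXDOMAIN)."""
    if address is None:
        return ("not listed", None)
    if address in ERROR_CODES:
        return ("error", ERROR_CODES[address])
    if address in LISTING_CODES:
        return ("listed", LISTING_CODES[address])
    return ("unknown", address)


WARNING_RE = re.compile(
    r"warning: (?P<qname>\S+): RBL lookup error: .* type=A: (?P<reason>.+)$"
)


def classify_warning(line, zone=ZEN):
    """Parse a Postfix 'RBL lookup error' warning; None if it is not one."""
    m = WARNING_RE.search(line)
    if m is None:
        return None
    reason = m.group("reason").strip()
    return {
        "client_ip": client_ip_from_query(m.group("qname"), zone),
        "reason": reason,
        # "try again" is the resolver's temporary-failure message: the lookup
        # did not complete, so this restriction did not reject the client.
        "temporary": reason.lower().endswith("try again"),
    }


# The warning from the thread, re-joined onto one line.
SAMPLE = (
    "Jan 15 13:13:59 salmo postfix/smtpd[13598]: warning: "
    "43.29.121.87.zen.spamhaus.org: RBL lookup error: Host or domain name not "
    "found. Name service error for name=43.29.121.87.zen.spamhaus.org type=A: "
    "Host not found, try again"
)

if __name__ == "__main__":
    print(dnsbl_query_name("87.121.29.43"))
    print(classify_answer("127.0.0.4"))
    print(classify_warning(SAMPLE))
```

A run of temporary failures like the one in the sample points at the resolver path rather than at main.cf, which matches the advice in the thread to test the lookup by hand.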



Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Rich Shepard

On Thu, 15 Jan 2009, Matt Hayes wrote:

> This usually happens when you are going above their amount of queries
> they limit free use to.


Matt,

  Interesting. There are only two of us users at this domain and the
overwhelming majority of incoming messages are spam that's rejected by
postfix. We probably average 300 incoming messages per day (mostly on
technical mail lists), but have thousands of rejections.

Thanks,

Rich

--
Richard B. Shepard, Ph.D.        |  Integrity    Credibility
Applied Ecosystem Services, Inc. |          Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


Re: Properly Specifying RBL in main.cf

2009-01-15 Thread Matt Hayes
Rich Shepard wrote:
>   I'd like to fix a long-standing issue here; namely, I'm not calling the
> zen zone at spamhaus.org properly in main.cf. What I have is:
> 
> reject_rbl_client zen.spamhaus.org,
> 
> as a smtpd_client_restrictions entry.
> 
>   Reading the spamhaus web site FAQs I see that zen is a DNS zone combining
> their three other zones, not a host name. This explains the multiple
> entries
> in /var/log/maillog:
> 
> Jan 15 13:13:59 salmo postfix/smtpd[13598]: warning:
> 43.29.121.87.zen.spamhaus.org: RBL lookup error: Host or domain name not
> found. Name service error for name=43.29.121.87.zen.spamhaus.org type=A:
> Host not found, try again
> 
>   How do I properly refer lookups to zen.spamhaus.org? I did not find
> anything relevant on the web site.
> 
> TIA,
> 
> Rich
> 


This usually happens when you are going above their amount of queries
they limit free use to.

-Matt


Re: Multiple PTRs

2009-01-15 Thread mouss
Halassy Zoltán wrote:
> Hello!
> 
> (sorry for my trash-english)
> 
> Will Postfix handle properly multiple PTR records when
> reject_unknown_client_hostname is in effect?
> 

this has nothing to do with PTRs. this only checks that helo resolves.
the resulting IP doesn't matter.

> Like would it accept an e-mail when it comes from 1.2.3.4 and
> 2001::1234:2 if smtp_helo_name is mail.example.com when the DNS records
> are the following?
> 
> example.com. MX 10 mail.example.com.
> www.example.com. A 1.2.3.4
> mail.example.com. A 1.2.3.4
> www.example.com. AAAA 2001::1234:1
> mail.example.com. AAAA 2001::1234:2
> 1.0.0.0.4.3.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa.
> PTR www.example.com.
> 2.0.0.0.4.3.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa.
> PTR mail.example.com.
> 4.3.2.1.in-addr.arpa. PTR www.example.com.
> 4.3.2.1.in-addr.arpa. PTR mail.example.com.


There is really no reason to use multiple PTRs.

$ host 91.121.103.130
130.103.121.91.in-addr.arpa domain name pointer imlil.netoyen.net.
$ host www.netoyen.net
www.netoyen.net has address 91.121.103.130
$ host mx.netoyen.net
mx.netoyen.net has address 91.121.103.130
...

The IP has one PTR, but multiple names resolve to this IP.



Properly Specifying RBL in main.cf

2009-01-15 Thread Rich Shepard

  I'd like to fix a long-standing issue here; namely, I'm not calling the
zen zone at spamhaus.org properly in main.cf. What I have is:

reject_rbl_client zen.spamhaus.org,

as a smtpd_client_restrictions entry.

  Reading the spamhaus web site FAQs I see that zen is a DNS zone combining
their three other zones, not a host name. This explains the multiple entries
in /var/log/maillog:

Jan 15 13:13:59 salmo postfix/smtpd[13598]: warning:
43.29.121.87.zen.spamhaus.org: RBL lookup error: Host or domain name not
found. Name service error for name=43.29.121.87.zen.spamhaus.org type=A:
Host not found, try again

  How do I properly refer lookups to zen.spamhaus.org? I did not find
anything relevant on the web site.

TIA,

Rich

--
Richard B. Shepard, Ph.D.        |  Integrity    Credibility
Applied Ecosystem Services, Inc. |          Innovation
 Voice: 503-667-4517  Fax: 503-667-8863


multiple relayhosts

2009-01-15 Thread bharathan kailath
hi
i've got smtpout1 and smtpout2 servers; can i specify a particular domain to
send thru smtpout1 (as relayhost) and another domain thru smtpout2 (as
relayhost) in postfix!?


Re: Question about reject_unauthenticated_sender_login_mismatch (additional info

2009-01-15 Thread Victor Duchovni
On Thu, Jan 15, 2009 at 10:01:51PM +0100, mouss wrote:

> jeff_homeip wrote:
> > [snip]
> > When I added this back, all worked fine. If I remove this one restriction 
> > (check_sender_access), I can no longer send.
> > 
> > is this check_sender_access, because it's not rejecting the sender, 
> > allowing it somehow?
> > 
> 
> no. it's more probable that you have errors in your config.
> 
> if you think you have a problem with one particular configuration, then
> we need to see that configuration, so
> 
> 1) configure postfix to reproduce the problem
> 2) restart postfix
> 3) from now, don't change any setting until the end of this procedure
> 4) reproduce the problem (test...)
> 5) if you succeed, send us the
>  -- contents of master.cf
>  -- the output of 'postconf -n'
>  -- the contents of main.cf (to see "custom" variables)

  6) "postmap -q - " output for all relevant keys in all relevant
 tables.
  7) verbose logging from the smtpd(8) showing the events that lead
 up to reject restriction. Configure via "debug_peer_list" or "-v"
 entry in master.cf. It is enough to report just 10-20 lines of
 logging above the "reject" event, that demonstrate which restrictions
 is being processed and associated table lookup keys and results.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Question about reject_unauthenticated_sender_login_mismatch (additional info

2009-01-15 Thread mouss
jeff_homeip wrote:
> [snip]
> When I added this back, all worked fine. If I remove this one restriction 
> (check_sender_access), I can no longer send.
> 
> is this check_sender_access, because it's not rejecting the sender, allowing 
> it somehow?
> 

no. it's more probable that you have errors in your config.

if you think you have a problem with one particular configuration, then
we need to see that configuration, so

1) configure postfix to reproduce the problem
2) restart postfix
3) from now, don't change any setting until the end of this procedure
4) reproduce the problem (test...)
5) if you succeed, send us the
 -- contents of master.cf
 -- the output of 'postconf -n'
 -- the contents of main.cf (to see "custom" variables)



Re: forwarding problem

2009-01-15 Thread Noel Jones

bharathan kailath wrote:

>  hi
>   in smtp out server i configured the following:
>   smtpd_sender_restrictions =
>   check_sender_access hash:/etc/postfix/mydomains
>   reject_unauth_destination
>
> it works but later on i realised that one email user is using smtp out
> server to forward mails to his another id; and these mails get 'access
> denied'; how can solve this problem; help appreciated


Well, there's the rub...

Add a check_recipient_access table and list allowed forward 
recipients, just above the reject_unauth_destination.


# main.cf
smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/mydomains
  check_recipient_access hash:/etc/postfix/allowed_forwards
  reject_unauth_destination

# allowed_forwards
# list of external recipient addresses
# internal mail can be forwarded to
exam...@gmail.com   OK
bga...@msn.com   OK

--
Noel Jones


Re: Multiple A's per MX hostname vs. 1:1 A:MX all with equal priority vs. different priorities

2009-01-15 Thread Victor Duchovni
On Thu, Jan 15, 2009 at 12:41:52AM -0800, Darren Pilgrim wrote:

> A while back someone posted a message about how MTAs generally respond 
> to an unresponsive server given three different ways of setting up 
> multiple MX mail servers:

There are really only two scenarios, the only impact of weights is on
the ordering of the hosts tried, not on the number of hosts tried or
what happens when they are tried.

Some MTAs will try multiple MAIL transactions per-delivery if some
recipients temp-fail at the first MX host. The treatment of logical
hosts vs. multiple MX records is the same as with connection retries
(see below).

Do you mean this message?

http://groups.google.com/group/list.postfix.users/msg/cf58585e240d9b8a

> 1. A single MX record with multiple A's for the hostname:
> 
>   example.com mail is handled by 10 a.mx.example.com
>   a.mx.example.com has address 192.0.2.100
>   a.mx.example.com has address 192.0.2.101
>   a.mx.example.com has address 192.0.2.102

At least some Sendmail systems will try at most one connection per
delivery.

> 2. Multiple MX records with equal priority with a single A for each 
> hostname:
> 
>   example.com mail is handled by 10 a.mx.example.com
>   example.com mail is handled by 10 b.mx.example.com
>   example.com mail is handled by 10 c.mx.example.com
>   a.mx.example.com has address 192.0.2.100
>   b.mx.example.com has address 192.0.2.101
>   c.mx.example.com has address 192.0.2.102

If multiple connections are supported, most MTAs will try multiple
connections per-delivery (until one succeeds or a limit is reached).

-- 
Viktor.



forwarding problem

2009-01-15 Thread bharathan kailath
 hi
  in smtp out server i configured the following:
  smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/mydomains
  reject_unauth_destination

it works but later on i realised that one email user is using smtp out
server to forward mails to his another id; and these mails get 'access
denied'; how can solve this problem; help appreciated


Re: Multiple PTRs

2009-01-15 Thread Wietse Venema
Halassy Zoltán:
> Hello!
> 
> (sorry for my trash-english)
> 
> Will Postfix handle properly multiple PTR records when 
> reject_unknown_client_hostname is in effect?

Postfix does not handle PTR records.

Postfix takes the first hostname that the getnameinfo() system
library function returns, and if the first hostname resolves to
the client IP address, then Postfix considers the first hostname
as "good".  Postfix never looks at the second etc. hostname.

Wietse
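
Added example, not part of the thread and not Postfix source: a small Python model of the check as described in the reply above (take the first name returned for the client address, accept it only if that name resolves back to the same address). It runs the model over the zone from the question and over a constructed zone in which one of two PTR names has no address record; the function names, the dictionary layout and `legacy.example.net` are hypothetical.

```python
import ipaddress
from itertools import permutations


def norm_ip(text):
    """Canonical text form, so '2001::1234:2' and its long form compare equal."""
    return str(ipaddress.ip_address(text))


def norm_name(name):
    return name.rstrip(".").lower()


def make_zone(ptr, addr):
    """ptr: {ip: [names, in answer order]}, addr: {name: [A/AAAA addresses]}."""
    return {
        "ptr": {norm_ip(ip): [norm_name(n) for n in names]
                for ip, names in ptr.items()},
        "addr": {norm_name(n): {norm_ip(a) for a in addrs}
                 for n, addrs in addr.items()},
    }


def check_client(client_ip, zone):
    """Return (verdict, hostname, reason) using only the first PTR name."""
    ip = norm_ip(client_ip)
    names = zone["ptr"].get(ip, [])
    if not names:
        return ("unknown", None, "address has no PTR name")
    first = names[0]                     # later names are never examined
    addrs = zone["addr"].get(first, set())
    if ip in addrs:
        return ("ok", first, "first name resolves back to the client address")
    if not addrs:
        return ("unknown", first, "first name has no address record")
    return ("unknown", first, "first name resolves to a different address")


def verdicts_over_orderings(client_ip, zone):
    """Verdicts seen when the PTR answer is returned in every possible order."""
    ip = norm_ip(client_ip)
    seen = set()
    for order in permutations(zone["ptr"].get(ip, [])):
        trial = {"ptr": {**zone["ptr"], ip: list(order)}, "addr": zone["addr"]}
        seen.add(check_client(client_ip, trial)[0])
    return seen


# Records from the question in this thread.
THREAD_ZONE = make_zone(
    ptr={
        "1.2.3.4": ["www.example.com.", "mail.example.com."],
        "2001::1234:1": ["www.example.com."],
        "2001::1234:2": ["mail.example.com."],
    },
    addr={
        "www.example.com.": ["1.2.3.4", "2001::1234:1"],
        "mail.example.com.": ["1.2.3.4", "2001::1234:2"],
    },
)

# Constructed zone: two PTR names, only one of which has an address record.
CONSTRUCTED_ZONE = make_zone(
    ptr={"192.0.2.25": ["legacy.example.net.", "mx.example.net."]},
    addr={"mx.example.net.": ["192.0.2.25"]},
)

if __name__ == "__main__":
    for ip in ("1.2.3.4", "2001::1234:2"):
        print(ip, check_client(ip, THREAD_ZONE))
    print(check_client("192.0.2.25", CONSTRUCTED_ZONE))
    print(verdicts_over_orderings("192.0.2.25", CONSTRUCTED_ZONE))
```

With the records from the question every ordering passes, because both names resolve back to 1.2.3.4; in the constructed zone the verdict depends on which name comes first in the answer, which is the practical argument for one PTR per address.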


Re: How to avoid duplicate header when inserting one with PREPEND

2009-01-15 Thread Victor Duchovni
On Thu, Jan 15, 2009 at 05:39:29PM +0600, Artem Bokhan wrote:

> I want to add header
> 
> smtpd_data_restrictions = check_client_access pcre:add_header.cf
> 
> add_header.cf:
> "PREPEND X-Sender-IP: $1"
> 
> Is any way to delete this header from input message, but do not delete 
> header inserted by postfix?

The one inserted by Postfix will be the top-most one. No need to delete
any that appear below it (and not possible with header_checks, you'd
need a content filter that parses XFORWARD).

-- 
Viktor.



Multiple PTRs

2009-01-15 Thread Halassy Zoltán

Hello!

(sorry for my trash-english)

Will Postfix handle properly multiple PTR records when 
reject_unknown_client_hostname is in effect?


Like would it accept an e-mail when it comes from 1.2.3.4 and 
2001::1234:2 if smtp_helo_name is mail.example.com when the DNS records 
are the following?


example.com. MX 10 mail.example.com.
www.example.com. A 1.2.3.4
mail.example.com. A 1.2.3.4
www.example.com. AAAA 2001::1234:1
mail.example.com. AAAA 2001::1234:2
1.0.0.0.4.3.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa. 
PTR www.example.com.
2.0.0.0.4.3.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa. 
PTR mail.example.com.

4.3.2.1.in-addr.arpa. PTR www.example.com.
4.3.2.1.in-addr.arpa. PTR mail.example.com.


Re: Multiple SMTP relays based on sender's domain

2009-01-15 Thread jeff donovan


On Jan 15, 2009, at 11:25 AM, Gilles Albusac wrote:

> Is it possible to set up Postfix to choose an SMTP relayhost when routing
> outbound mail based on the domain name of the sender ?


try using transport  map
http://www.postfix.org/ADDRESS_REWRITING_README.html#transport

# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
#transport_maps = hash:/etc/postfix/transport
#transport_maps = ldap:/etc/postfix/ldaptransport
#transport_maps = hash:/etc/postfix/transport



Re: Requirement to "always_bcc" except when email is internal

2009-01-15 Thread Eric Sammons
Thank you, that works...

On Thu, Jan 15, 2009 at 9:30 AM, Wietse Venema  wrote:

> Eric Sammons:
> > I have a requirement to always_bcc except when email is internal.
>
> Instead of always_bcc use sender_bcc_maps or recipient_bcc_maps.
>
> >  I have
> > investigated options such as always_bcc, sender|recipient_bcc_maps and
> none
> > seem to fully address the issue.
>
> Yes they do. Just configure them so that the archive copy is
> made when:
>
>the sender is remote OR the receiver is remote.
>
> /etc/postfix/main.cf:
>sender_bcc_maps = pcre:/etc/postfix/archive-check
>recipient_bcc_maps = pcre:/etc/postfix/archive-check
>
> /etc/postfix/archive-check:
>!/@example\.com$/   arch...@example.com
>
> This is a predicate transformation, from (NOT (local AND local)),
> what you asked for, into ((NOT local) OR (NOT local)), shown above.
>
> Now, if it takes a PhD in nuclear physics to configure an MTA, then
> that is another issue.
>
>Wietse
>
> > Sample scenario.
> >
> > My domain is example.com; when a email's RECIPIENT and SENDER are both @
> > example.com then process email WITHOUT forwarding a copy to
> > arch...@archive.example.com.  IF the email's RECIPIENT and / or SENDER
> are
> > not @example.com then process email AND forward a copy to
> > arch...@archive.example.com.
> >
> > Is this possible with postfix, postfix filters, and / or postfix +
> procmail?
> >
> > Thank you!
> > Eric
>
>


Re: Postfix gateway one domain to multiple smtp servers

2009-01-15 Thread Brian Evans - Postfix List
Tim Tyler wrote:
>
> Postfix users,
>
>   I see a number of examples on how to configure Postfix as a gateway
> for multiple domains.  However, I would like to configure Postfix for
> one domain that splits users to different smtp servers depending upon
> their ldap group.  Does anyone have an example of how I could split
> addresses coming into a domain to go out in multiple directions?
>
>   For Instance, If I have stud...@example.com
>  and st...@example.com
>  I would like to validate their accounts
> against their ldap gidNumber field and then relay them to the
> appropriate mail server. 
>
>  
>
You want a transport_maps lookup.
See http://www.postfix.org/ADDRESS_REWRITING_README.html#transport for
details.
(Also http://www.postfix.org/STANDARD_CONFIGURATION_README.html)

Since these have unique results, you should create another map file and
do not try to reuse another.

Note: using LDAP is certainly allowed, just make sure the source is
highly available.
Recommend a local, replicated LDAP server for such a purpose

You may wish to dump these to a hashed file via script if you do not
want to store the relay server in the LDAP.

Brian


Re: Multiple SMTP relays based on sender's domain

2009-01-15 Thread Gilles Albusac
It works but I need to install a new instance of postfix (with 
sender_dependent_relayhost_maps) in front of the relayhosts to route.


   +---> postfix-domain1
postfix-routing ->|
   +---> postfix-domain2

Thanks

- Original Message - 
From: "Neil" 

To: "Gilles Albusac" 
Cc: 
Sent: Wednesday, January 14, 2009 2:04 PM
Subject: Re: Multiple SMTP relays based on sender's domain




On Wed, Jan 14, 2009 at 5:01 AM, Gilles Albusac
 wrote:


Is it possible to set up Postfix to choose an SMTP relayhost when routing
outbound mail based on the domain name of the sender ?



If you're okay with using addresses instead of domains, I think
sender_dependent_relayhost_maps might do the trick for you.






Postfix gateway one domain to multiple smtp servers

2009-01-15 Thread Tim Tyler
Postfix users,

  I see a number of examples on how to configure Postfix as a gateway for
multiple domains.  However, I would like to configure Postfix for one domain
that splits users to different smtp servers depending upon their ldap group.
Does anyone have an example of how I could split addresses coming into a
domain to go out in multiple directions?

  For Instance, If I have stud...@example.com and st...@example.com I would
like to validate their accounts against their ldap gidNumber field and then
relay them to the appropriate mail server.  

 

Tim Tyler

Network Engineer

Beloit College

 



Re: Delivery problem when recipient address has a trailing period character (postfix 2.5.4)

2009-01-15 Thread Wietse Venema
Eddy Beliveau:
> Hi!
> 
> I'm using postfix 2.5.4 on our academic server and it worked great.  
> Thanks ;-)
> 
> I created a mailbox associated with an email address of 
> 
> # echo t...@hec.ca | postmap -q - ldap:ldap_users
> t...@hec.ca mailtest1
> 
> and delivery to it works correctly.
> 
> Jan 15 08:56:20 postfix postfix/lmtp[25990]: 20DA1BAFC5: 
> to=, orig_to=,
> relay=cyrus[132.111.1.1]:24, delay=0.09, delays=0.04/0/0/0.05, 
> dsn=2.1.5, status=sent (250 2.1.5 Ok)
> 
> 
> 
> Now, I create another mailbox with email 
> (note the period preceding the at sign)
> 
> # echo te...@hec.ca | postmap -q - ldap:ldap_users
> te...@hec.camailtest2

RFC **21 and **22 require that a non-atom (such as test.) be enclosed
in quotes.  Same deal with . at the beginning. Just don't use such
addresses, they break everywhere.

Wietse

> Now, delivery failed with:
> 
> Jan 15 08:57:30 postfix postfix/lmtp[24689]: E90ACBAFC2: to=,
> relay=cyrus[132.111.1.1]:24, delay=0.18, delays=0.12/0.02/0.01/0.04, 
> dsn=5.1.1, status=bounced (host cyrus[132.111.1.1] said: 550-Mailbox 
> unknown. 
> Either there is no mailbox associated with this 550-name or you do not 
> have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT 
> TO command))
> 
> 
> Did I miss something?
> 
> Thanks,
> Eddy
> 
> -- 
> Eddy Beliveau
> HEC Montreal
> Montreal (Quebec)
> Canada
> 
> 
> 



Re: Requirement to "always_bcc" except when email is internal

2009-01-15 Thread Wietse Venema
Eric Sammons:
> I have a requirement to always_bcc except when email is internal.

Instead of always_bcc use sender_bcc_maps or recipient_bcc_maps.

>  I have
> investigated options such as always_bcc, sender|recipient_bcc_maps and none
> seem to fully address the issue.

Yes they do. Just configure them so that the archive copy is
made when:

the sender is remote OR the receiver is remote.

/etc/postfix/main.cf:
sender_bcc_maps = pcre:/etc/postfix/archive-check
recipient_bcc_maps = pcre:/etc/postfix/archive-check

/etc/postfix/archive-check:
!/@example\.com$/   arch...@example.com

This is a predicate transformation, from (NOT (local AND local)),
what you asked for, into ((NOT local) OR (NOT local)), shown above.

Now, if it takes a PhD in nuclear physics to configure an MTA, then
that is another issue.

Wietse

> Sample scenario.
> 
> My domain is example.com; when a email's RECIPIENT and SENDER are both @
> example.com then process email WITHOUT forwarding a copy to
> arch...@archive.example.com.  IF the email's RECIPIENT and / or SENDER are
> not @example.com then process email AND forward a copy to
> arch...@archive.example.com.
> 
> Is this possible with postfix, postfix filters, and / or postfix + procmail?
> 
> Thank you!
> Eric



Delivery problem when recipient address has a trailing period character (postfix 2.5.4)

2009-01-15 Thread Eddy Beliveau

Hi!

I'm using postfix 2.5.4 on our academic server and it worked great.  
Thanks ;-)


I created a mailbox associated with an email address of 

# echo t...@hec.ca | postmap -q - ldap:ldap_users
t...@hec.ca mailtest1

and delivery to it works correctly.

Jan 15 08:56:20 postfix postfix/lmtp[25990]: 20DA1BAFC5: 
to=, orig_to=,
relay=cyrus[132.111.1.1]:24, delay=0.09, delays=0.04/0/0/0.05, 
dsn=2.1.5, status=sent (250 2.1.5 Ok)




Now, I create another mailbox with email 
(note the period preceding the at sign)

# echo te...@hec.ca | postmap -q - ldap:ldap_users
te...@hec.camailtest2

Now, delivery failed with:

Jan 15 08:57:30 postfix postfix/lmtp[24689]: E90ACBAFC2: to=,
relay=cyrus[132.111.1.1]:24, delay=0.18, delays=0.12/0.02/0.01/0.04, 
dsn=5.1.1, status=bounced (host cyrus[132.111.1.1] said: 550-Mailbox 
unknown. 
Either there is no mailbox associated with this 550-name or you do not 
have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT 
TO command))



Did I miss something?

Thanks,
Eddy

--
Eddy Beliveau
HEC Montreal
Montreal (Quebec)
Canada



Requirement to "always_bcc" except when email is internal

2009-01-15 Thread Eric Sammons
I have a requirement to always_bcc except when email is internal.  I have
investigated options such as always_bcc, sender|recipient_bcc_maps and none
seem to fully address the issue.

Sample scenario.

My domain is example.com; when a email's RECIPIENT and SENDER are both @
example.com then process email WITHOUT forwarding a copy to
arch...@archive.example.com.  IF the email's RECIPIENT and / or SENDER are
not @example.com then process email AND forward a copy to
arch...@archive.example.com.

Is this possible with postfix, postfix filters, and / or postfix + procmail?

Thank you!
Eric


Re: running on different ports

2009-01-15 Thread Wietse Venema
Leonardo Rodrigues Magalhães:
> 
> Let's suppose i have postfix running smtpd processes in two 
> different ports. 25 and 587, for example.
> 
> is it possible, in the logs, to differ which connections came from 
> 25 and which came from 587 ?? I know i can analyze the full transaction 

http://www.postfix.org/postconf.5.html#syslog_name
http://www.postfix.org/master.5.html

master.cf: smtp .. smtpd -o syslog_name=foobar

Wietse

> and look for sasl authentications on 587 or deliveries on 25 ... but 
> i would like to filter logs and easily see all connections that came on 
> one port and all connections that came on the other.
> 
> if some change on master.cf is needed, there's no problem at all.
> 
> is this kind of configuration possible ?
> 
> -- 
> 
> 
>   Atenciosamente / Sincerily,
>   Leonardo Rodrigues
>   Solutti Tecnologia
>   http://www.solutti.com.br
> 
>   Minha armadilha de SPAM, NÃO mandem email
>   gertru...@solutti.com.br
>   My SPAMTRAP, do not email it
> 
> 
> 
> 
> 
> 
> 



Re: Share postfix config directory

2009-01-15 Thread Thomas Ackermann

Rocco Scappatura wrote:


myhostname = 

mydomain = 

 

If the hostname is not valid, postfix fails to start. It have to be 
resolved by DNS and the IP must be the IP of one of the interface of 
the server which run Postfix.


 


So I have to use a name that is resolved in many different IPs, I think

 



No, that is not true - on my servers at least :)

myhostname is not required, it works perfectly as default - when not 
specified in the main.cf

It will then automatically be set to the server's hostname.
Therefore, you can have the same main.cf everywhere ...



running on different ports

2009-01-15 Thread Leonardo Rodrigues Magalhães


   Let's suppose i have postfix running smtpd processes in two 
different ports. 25 and 587, for example.


   is it possible, in the logs, to differ which connections came from 
25 and which came from 587 ?? I know i can analyze the full transaction 
and look for sasl authentications on 587 or deliveries on 25 ... but 
i would like to filter logs and easily see all connections that came on 
one port and all connections that came on the other.


   if some change on master.cf is needed, there's no problem at all.

   is this kind of configuration possible ?

--


Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it







Re: vServer system resources

2009-01-15 Thread Wietse Venema
Nathan Hüsken:
> Hi,
> 
> I have installed postfix on a small vServer (256Mb Ram, 10GB HD). I
> installed it with dovecot, mysql and postfixadmin.
> When I tested it, I got lots of "Cannot allocate Memory" errors.

The primary MX for porcupine.org runs on a "non-virtual" machine
with 256MB and never has resource problems.  It runs, however, with
default_process_limit=30, and there are no other resource-hungry
processes.

> vzfree told me, that I have enough memory. So I assumed a problems
> with open sockets.

When systems lie about errors, use strace and see what system
calls are failing.

# strace -f -o outputfile /usr/libexec/postfix/master -d

Be prepared for massive amounts of output once you get past the
point that things break immediately.

Wietse


Re: vServer system resources

2009-01-15 Thread lst_hoe02

Quoting Nathan Hüsken:

> Hi,
>
> I have installed postfix on a small vServer (256Mb Ram, 10GB HD). I
> installed it with dovecot, mysql and postfixadmin.
> When I tested it, I got lots of "Cannot allocate Memory" errors.

With the most crippled vServers sold today you get in trouble for a
full fledged mailserver. Not because of RAM but because of
numothersock (Postfix!), numfiles (shared libraries) and sometimes
shmpages (database). You have to strip down every service that is
running to limit the max number of processes *and* the shared libs
loaded (modules) by the application.

This is very time-consuming and may (will) fail under load.
We have a similar system running but with more "numothersock" and
"numfile" as these are the critical parameters which bite you first!!!


Regards

Andreas
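
Added example, not part of the thread: a Python parser for the /proc/user_beancounters layout that lists the counters whose failcnt is non-zero, which is how the limits named in the reply above (numothersock, numfile) can be picked out of a listing. The sample is constructed, with values modelled on the listing quoted in this thread; the function names and the notes table are hypothetical.

```python
# Constructed sample in the /proc/user_beancounters layout (OpenVZ),
# with values modelled on the listing quoted in the thread.
SAMPLE = """\
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      9176: kmemsize        5010885    5010885    8270282    9097310          0
            privvmpages       38214      38260      76800      84480         84
            shmpages           3445       3445      25600      25600          0
            dummy                 0          0 2147483647 2147483647          0
            numproc              52         52        164        164          0
            numtcpsock           14         15        164        164          0
            tcprcvbuf        139640     143924    1137635    1809379         10
            numothersock         35         35        164        164       1508
            numfile            2025       2025       3008       3008       1085
"""

# What each counter limits; the remarks in parentheses paraphrase the thread.
NOTES = {
    "numothersock": "non-TCP sockets (the one Postfix runs into)",
    "numfile": "open files (shared libraries count here)",
    "shmpages": "shared memory pages (database)",
    "privvmpages": "private virtual memory pages",
    "tcprcvbuf": "TCP receive buffer space",
}


def parse_beancounters(text):
    """Return one dict per resource row, skipping headers and 'dummy' rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # The first row of each container starts with "<uid>:"; drop it.
        if fields and fields[0].endswith(":") and fields[0][:-1].isdigit():
            fields = fields[1:]
        if len(fields) != 6 or not all(f.isdigit() for f in fields[1:]):
            continue  # version line, column header, blank or damaged line
        name = fields[0]
        if name == "dummy":
            continue
        held, maxheld, barrier, limit, failcnt = (int(f) for f in fields[1:])
        rows.append({"resource": name, "held": held, "maxheld": maxheld,
                     "barrier": barrier, "limit": limit, "failcnt": failcnt})
    return rows


def limits_hit(text):
    """Rows with refused allocations, worst first.

    failcnt is a cumulative count of refused requests, so a limit shows up
    here even when 'held' is far below it at the moment of the snapshot.
    """
    rows = [r for r in parse_beancounters(text) if r["failcnt"] > 0]
    return sorted(rows, key=lambda r: r["failcnt"], reverse=True)


def report(text):
    lines = []
    for r in limits_hit(text):
        note = NOTES.get(r["resource"], "see the OpenVZ resource documentation")
        lines.append(f'{r["resource"]}: {r["failcnt"]} refused, '
                     f'limit {r["limit"]} ({note})')
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```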







Re: Share postfix config directory

2009-01-15 Thread Wietse Venema
Rocco Scappatura:
> > > > > I have different SMTP gateways each one configured exactly at the
> > > > > same manner. The only difference is the hostname.
> > > > >
> > > > > I would like to know if I could define "/etc/postfix" as an NFS
> > > > > share somewhere and export it on each of my SMTP gateways. The aim is
> > > > > obviously to change only one configuration file each time that a
> > > > > postfix configuration update is needed.
> > > >
> > > > Let the computer do the work for you. See: man 1 make. If you are
> > > > not familiar with this tool, then you work too hard.
> > >
> > > I know that make is a really powerful tool. I have used it (in the
> > > sense that I have written down some Makefile) for compiling rather few C
> > > projects. At the moment I can't guess how I could use 'make' for my
> > > purpose. I feel that in some manner it could be a substitution matter
> > > that 'make' is very clever to manage. But I can't infer anything more..
> > >
> > > Could you give me further insight? :-)
> > >
> > 
> > # cat Makefile
> > FILES = main.cf-a main.cf-b main.cf-c
> > 
> > all: $(FILES)
> > 
> > # Each per-host file is rebuilt from the template, then pushed to its host.
> > main.cf-a: Makefile main.cf-template
> > 	sed 's/whatever/whatever/' main.cf-template >$@
> > 	rsync -av $@ hosta:/etc/postfix
> > 
> > main.cf-b: Makefile main.cf-template
> > 	sed 's/whatever/whatever/' main.cf-template >$@
> > 	rsync -av $@ hostb:/etc/postfix
> > 
> > main.cf-c: Makefile main.cf-template
> > 	sed 's/whatever/whatever/' main.cf-template >$@
> > 	rsync -av $@ hostc:/etc/postfix
> 
> Thanks Wietse,
> 
> you are asserting implicitly that is better to avoid the use of an NFS
> filesystem mounted on /etc/postfix of each SMTP gateway?

No. You can change the pathnames in my example, and use
/some/where/hosta/etc/postfix instead of hosta:/etc/postfix.  There
are lots of ways to set up NFS shares and I won't speculate on how
you did it.

You still need something to tell the remote host that the file has
changed.

Wietse


Re: vServer system resources

2009-01-15 Thread Mattias Berge
Sorry, and numfile. Means you have too many open files(which explains why
you can't open new sockets)

On Thu, Jan 15, 2009 at 1:10 PM, Mattias Berge wrote:

> seem to be both lack of RAM (privvmpages) and way too small tcprcvbuf
>
>
> On Thu, Jan 15, 2009 at 12:58 PM, Nathan Hüsken <
> nathan.hues...@googlemail.com> wrote:
>
>> Hi,
>>
>> I have installed postfix on a small vServer (256Mb Ram, 10GB HD). I
>> installed it with dovecot, mysql and postfixadmin.
>> When I tested it, I got lots of "Cannot allocate Memory" errors.
>>
>> vzfree told me, that I have enough memory. So I assumed a problems with
>> open sockets.
>> I added
>> default_process_limit=3
>> to main.cf and removed some service I do not use from master.cf. First it
>> worked, but then I tried some more load (20 mails at the same time).
>>
>> I got:
>> Jan 15 11:19:53 postfix/smtpd[30335]: warning: connect #1 to subsystem
>> public/cleanup: Cannot allocate memory
>> Jan 15 11:19:53  postfix/smtpd[26327]: connect from unknown[]
>> Jan 15 11:19:53  postfix/master[26419]: fatal: pipe: Cannot allocate
>> memory
>> Jan 15 11:19:53  postfix/smtpd[26327]: warning: connect #1 to subsystem
>> public/cleanup: Cannot allocate memory
>> Jan 15 11:19:54  postfix/anvil[18292]: statistics: max connection rate
>> 3/60s for (smtp:) at Jan 15 11:19:53
>> Jan 15 11:19:54  postfix/anvil[18292]: statistics: max connection count 2
>> for (smtp:) at Jan 15 11:19:53
>> Jan 15 11:19:54  postfix/anvil[18292]: statistics: max cache size 2 at Jan
>> 15 11:15:15
>> Jan 15 11:20:03  postfix/smtpd[30335]: warning: connect #2 to subsystem
>> public/cleanup: Connection refused
>> ...
>> Jan 15 11:21:33  postfix/smtpd[30335]: fatal: connect #11 to subsystem
>> public/cleanup: Connection refused
>>
>> Postfix just needs too many sockets :(.
>>
>> Below is the output of /proc/user_beancounters without postfix running.
>> postfix needs about 100 more in numothersock.
>> My questions:
>> - Can I somehow reduce the number of used sockets?
>> - Is it at all possible to run postfix in this system?
>>
>> Thanks!
>> Nathan
>>
>> cat /proc/user_beancounters
>> Version: 2.5
>>    uid  resource           held    maxheld    barrier      limit  failcnt
>>   9176: kmemsize        5010885    5010885    8270282    9097310        0
>>         lockedpages           0          0         79         79      152
>>         privvmpages       38214      38260      76800      84480       84
>>         shmpages           3445       3445      25600      25600        0
>>         dummy                 0          0 2147483647 2147483647        0
>>         numproc              52         52        164        164        0
>>         physpages          9878       9878          0 2147483647        0
>>         vmguarpages           0          0      76800 2147483647        0
>>         oomguarpages      10119      10119      76800 2147483647        0
>>         numtcpsock           14         15        164        164        0
>>         numflock              4          4        262        288        0
>>         numpty                5          5         16         16        0
>>         numsiginfo            0          1        512        512        0
>>         tcpsndbuf        140868     144316    1137635    1809379        0
>>         tcprcvbuf        139640     143924    1137635    1809379       10
>>         othersockbuf      21660      21660     568817    1240561        0
>>         dgramrcvbuf           0          0     568817     568817        0
>>         numothersock         35         35        164        164     1508
>>         dcachesize       337716     341433    1209139    1245413        0
>>         numfile            2025       2025       3008       3008     1085
>>         dummy                 0          0          0          0        0
>>         dummy                 0          0          0          0        0
>>         dummy                 0          0          0          0        0
>>         numiptent            14         14         35         35        0
>>
>>
>
>
> --
> Mattias Berge
> Direct +46 (0)40-690 3825
>



-- 
Mattias Berge
Direct +46 (0)40-690 3825


Re: vServer system resources

2009-01-15 Thread Mattias Berge
seems to be both lack of RAM (privvmpages) and way too small tcprcvbuf

On Thu, Jan 15, 2009 at 12:58 PM, Nathan Hüsken <
nathan.hues...@googlemail.com> wrote:

> Hi,
>
> I have installed postfix on a small vServer (256Mb Ram, 10GB HD). I
> installed it with dovecot, mysql and postfixadmin.
> When I tested it, I got lots of "Cannot allocate Memory" errors.
>
> vzfree told me, that I have enough memory. So I assumed a problems with
> open sockets.
> I added
> default_process_limit
> =3
> to main.cf and removed some service I do not use from master.cf. First it
> worked, but then I tried some more load (20 mails at the same time).
>
> I got:
> Jan 15 11:19:53 postfix/smtpd[30335]: warning: connect #1 to subsystem
> public/cleanup: Cannot allocate memory
> Jan 15 11:19:53  postfix/smtpd[26327]: connect from unknown[]
> Jan 15 11:19:53  postfix/master[26419]: fatal: pipe: Cannot allocate memory
> Jan 15 11:19:53  postfix/smtpd[26327]: warning: connect #1 to subsystem
> public/cleanup: Cannot allocate memory
> Jan 15 11:19:54  postfix/anvil[18292]: statistics: max connection rate
> 3/60s for (smtp:) at Jan 15 11:19:53
> Jan 15 11:19:54  postfix/anvil[18292]: statistics: max connection count 2
> for (smtp:) at Jan 15 11:19:53
> Jan 15 11:19:54  postfix/anvil[18292]: statistics: max cache size 2 at Jan
> 15 11:15:15
> Jan 15 11:20:03  postfix/smtpd[30335]: warning: connect #2 to subsystem
> public/cleanup: Connection refused
> ...
> Jan 15 11:21:33  postfix/smtpd[30335]: fatal: connect #11 to subsystem
> public/cleanup: Connection refused
>
> Postfix just needs to many sockets :(.
>
> Below is the output of /proc/user_beancounters without posftix running.
> postfix needs about 100 more in numothersock.
> My questions:
> - Can I somehow reduce the number of used sockets?
> - Is it at all possible to run postfix in this system?
>
> Thanks!
> Nathan
>
> cat /proc/user_beancounters
> Version: 2.5
>    uid   resource           held    maxheld    barrier      limit    failcnt
>  9176:   kmemsize        5010885    5010885    8270282    9097310          0
>          lockedpages           0          0         79         79        152
>          privvmpages       38214      38260      76800      84480         84
>          shmpages           3445       3445      25600      25600          0
>          dummy                 0          0 2147483647 2147483647          0
>          numproc              52         52        164        164          0
>          physpages          9878       9878          0 2147483647          0
>          vmguarpages           0          0      76800 2147483647          0
>          oomguarpages      10119      10119      76800 2147483647          0
>          numtcpsock           14         15        164        164          0
>          numflock              4          4        262        288          0
>          numpty                5          5         16         16          0
>          numsiginfo            0          1        512        512          0
>          tcpsndbuf        140868     144316    1137635    1809379          0
>          tcprcvbuf        139640     143924    1137635    1809379         10
>          othersockbuf      21660      21660     568817    1240561          0
>          dgramrcvbuf           0          0     568817     568817          0
>          numothersock         35         35        164        164       1508
>          dcachesize       337716     341433    1209139    1245413          0
>          numfile            2025       2025       3008       3008       1085
>          dummy                 0          0          0          0          0
>          dummy                 0          0          0          0          0
>          dummy                 0          0          0          0          0
>          numiptent            14         14         35         35          0
>
>
>


-- 
Mattias Berge
Direct +46 (0)40-690 3825


Re: Working example of main.cf with virtual domains

2009-01-15 Thread ram

On Wed, 2009-01-14 at 22:56 -0800, secSwami wrote:
> Hi,
> 
> After trying for another day to get my postfix config to work for 
> virtual domains, I would really appreciate if someone can give me an 
> example of WORKING main.cf file.
> The problem I am having is whenever a MOBILE user is trying to send 
> email to ANYWHERE using the postfix server and Thunderbird/Outlook 
> Express client, they get error message saying relay access denied.
> 
> I would appreciate some help on this.
> 
> Thanks in advance.

How does postfix differentiate "Mobile" users from
"non-mobile" (office?) users?
I assume you must have configured the office IPs in mynetworks.

Do a postconf -n and post the output.











vServer system resources

2009-01-15 Thread Nathan Hüsken
Hi,

I have installed postfix on a small vServer (256Mb Ram, 10GB HD). I
installed it with dovecot, mysql and postfixadmin.
When I tested it, I got lots of "Cannot allocate Memory" errors.

vzfree told me that I have enough memory. So I assumed a problem with open
sockets.
I added
default_process_limit = 3
to main.cf and removed some service I do not use from master.cf. First it
worked, but then I tried some more load (20 mails at the same time).

I got:
Jan 15 11:19:53 postfix/smtpd[30335]: warning: connect #1 to subsystem public/cleanup: Cannot allocate memory
Jan 15 11:19:53  postfix/smtpd[26327]: connect from unknown[]
Jan 15 11:19:53  postfix/master[26419]: fatal: pipe: Cannot allocate memory
Jan 15 11:19:53  postfix/smtpd[26327]: warning: connect #1 to subsystem public/cleanup: Cannot allocate memory
Jan 15 11:19:54  postfix/anvil[18292]: statistics: max connection rate 3/60s for (smtp:) at Jan 15 11:19:53
Jan 15 11:19:54  postfix/anvil[18292]: statistics: max connection count 2 for (smtp:) at Jan 15 11:19:53
Jan 15 11:19:54  postfix/anvil[18292]: statistics: max cache size 2 at Jan 15 11:15:15
Jan 15 11:20:03  postfix/smtpd[30335]: warning: connect #2 to subsystem public/cleanup: Connection refused
...
Jan 15 11:21:33  postfix/smtpd[30335]: fatal: connect #11 to subsystem public/cleanup: Connection refused

Postfix just needs too many sockets :(.

Below is the output of /proc/user_beancounters without postfix running.
postfix needs about 100 more in numothersock.
My questions:
- Can I somehow reduce the number of used sockets?
- Is it at all possible to run postfix in this system?

Thanks!
Nathan

cat /proc/user_beancounters
Version: 2.5
   uid   resource           held    maxheld    barrier      limit    failcnt
 9176:   kmemsize        5010885    5010885    8270282    9097310          0
         lockedpages           0          0         79         79        152
         privvmpages       38214      38260      76800      84480         84
         shmpages           3445       3445      25600      25600          0
         dummy                 0          0 2147483647 2147483647          0
         numproc              52         52        164        164          0
         physpages          9878       9878          0 2147483647          0
         vmguarpages           0          0      76800 2147483647          0
         oomguarpages      10119      10119      76800 2147483647          0
         numtcpsock           14         15        164        164          0
         numflock              4          4        262        288          0
         numpty                5          5         16         16          0
         numsiginfo            0          1        512        512          0
         tcpsndbuf        140868     144316    1137635    1809379          0
         tcprcvbuf        139640     143924    1137635    1809379         10
         othersockbuf      21660      21660     568817    1240561          0
         dgramrcvbuf           0          0     568817     568817          0
         numothersock         35         35        164        164       1508
         dcachesize       337716     341433    1209139    1245413          0
         numfile            2025       2025       3008       3008       1085
         dummy                 0          0          0          0          0
         dummy                 0          0          0          0          0
         dummy                 0          0          0          0          0
         numiptent            14         14         35         35          0


Re: null return path

2009-01-15 Thread ram

On Thu, 2009-01-15 at 10:35 +0200, bharathan kailath wrote:
> hi
> in smtp out server i configured the following:
>  smtpd_sender_restrictions =
>  check_sender_access hash:/etc/postfix/mydomains
>  reject_unauth_destination
> 

This is what I do 

smtpd_sender_restrictions =
check_sender_access regexp:/etc/postfix/sender_regex
check_sender_access hash:/etc/postfix/mydomains
reject_unauth_destination


In file /etc/postfix/sender_regex
put
/<>/ OK





> and  in mydomains i specified the domains that are allowed to send
> out; but now sender with a null address is getting blocked; how can i
> override this!
> help appreciatd
> thanks
> 



How to avoid duplicate header when inserting one with PREPEND

2009-01-15 Thread Artem Bokhan

I want to add header

smtpd_data_restrictions = check_client_access pcre:add_header.cf

add_header.cf:
"PREPEND X-Sender-IP: $1"

Is there any way to delete this header from the input message, but not delete
the header inserted by postfix?




RE: Share postfix config directory

2009-01-15 Thread Rocco Scappatura
> > > > I have different SMTP gateways, each one configured in exactly the
> > > > same manner. The only difference is the hostname.
> > > >
> > > > I would like to know if I could define "/etc/postfix" as an NFS
> > > > share somewhere and export it on each of my SMTP gateways. The aim
> > > > is obviously to change only one configuration file each time that a
> > > > postfix configuration update is needed.
> > >
> > > Let the computer do the work for you. See: man 1 make. If you are
> > > not familiar with this tool, then you work too hard.
> >
> > I know that make is a really powerful tool. I have used it (in the
> > sense that I have written down some Makefile) for compiling rather few
> > C projects. At the moment I can't guess how I could use 'make' for my
> > purpose. I feel that in some manner it could be a substitution matter
> > that 'make' is very clever to manage. But I can't infer anything
> > more..
> >
> > Could you give me further insight? :-)
> >
> 
> # cat Makefile
> FILES: main.cf-a main.cf-b main.cf-c
> 
> all: $(FILES)
> 
> main.cf-a: Makefile main.cf-template
>   sed 's/whatever/whatever/' main.cf-template >$@
>   rsync -av $@ hosta:/etc/postfix
> 
> main.cf-b: Makefile main.cf-template
>   sed 's/whatever/whatever/' main.cf-template >$@
>   rsync -av $@ hostb:/etc/postfix
> 
> main.cf-c: Makefile main.cf-template
>   sed 's/whatever/whatever/' main.cf-template >$@
>   rsync -av $@ hostc:/etc/postfix

Thanks Wietse,

you are implicitly asserting that it is better to avoid the use of an NFS
filesystem mounted on /etc/postfix of each SMTP gateway?

rocsca


Re: how to block emails in unwanted language?

2009-01-15 Thread Andrzej Adam Filip
Michael Tokarev  wrote:
> [...]
> More and more email software uses UTF8 encoding nowadays, instead of
> a single-byte encodings like KOI8, WINDOWS1251 and the like above.
> And with UTF8, there's no simple way anymore to detect the language
> actually used.

It is possible to *guess* language used anyway 
e.g. based on "typical sequences of chars" in text itself.

see "man Mail::SpamAssassin::Plugin::TextCat" - it supports ok_languages
lists, it should be possible to add "per specific guessed language" scores.

> It's worse: for example, thunderbird running with russian as a default
> language will put "charset=koi8-r" even for 100% ascii emails unless
> explicitly told to use ascii charset.  "Charset=koi8-r" and 100% ascii
> inside does not contradict with each other since ascii is a subset of
> koi8-r, but obviously does not help to filter those.

Very good point.

-- 
[pl>en: Andrew] Andrzej Adam Filip : a...@onet.eu : a...@xl.wp.pl
Man has made his bedlam; let him lie in it.
  -- Fred Allen


RE: Share postfix config directory

2009-01-15 Thread Rocco Scappatura
myhostname = 

mydomain = 

If the hostname is not valid, postfix fails to start. It has to be
resolved by DNS and the IP must be the IP of one of the interfaces of the
server which runs Postfix.

So I have to use a name that is resolved in many different IPs, I think

rocsca


From: Thomas [mailto:t...@tja-server.de] 
Sent: Thursday, January 15, 2009 2:58 AM
To: Rocco Scappatura
Cc: postfix users list
Subject: Re: Share postfix config directory

 

I never had a problem to do exactly this ... 

For what do you need the hostname of the server? 
My main.cf does not contain a hostname - it can easily be used over an
NFS share: 

mkdir /data 
mount server:/data /data 
/etc/init.d/postfix stop 
cp -rp /etc/postfix /data/postfix_nfs 
mv /etc/postfix /etc/postfix_ORIG 
ln -s /data/postfix_nfs /etc/postfix 
/etc/init.d/postfix start 
echo `hostname`| Mail -s `hostname` @ 

Works :) 

My simple client server main.cf: 

postconf -n 
config_directory = /etc/postfix 
mydomain =  
mynetworks = 127.0.0.0/8 
myorigin = $mydomain 
relayhost =  

Where does the hostname kick in at your site? 



Rocco Scappatura wrote: 



Hello, 

I have different SMTP gateways, each one configured in exactly the same
manner. The only difference is the hostname.

I would like to know if I could define "/etc/postfix" as an NFS share
somewhere and export it on each of my SMTP gateways. The aim is
obviously to change only one configuration file each time that a postfix
configuration update is needed.

TIA, 

rocsca 
  

 



Re: Working example of main.cf with virtual domains

2009-01-15 Thread Magnus Bäck
On Thu, January 15, 2009 7:56 am, secSwami said:

> After trying for another day to get my postfix config to work for
> virtual domains, I would really appreciate if someone can give me an
> example of WORKING main.cf file.
> The problem I am having is whenever a MOBILE user is trying to send
> email to ANYWHERE using the postfix server and Thunderbird/Outlook
> Express client, they get error message saying relay access denied.

This has nothing to do with virtual domains. Virtual domains are for
receiving messages, not sending them. To have mobile users without a known
IP address use your server for relaying, take a look at SASL
authentication.

http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
http://www.postfix.org/SASL_README.html

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: how to block arabic emails ?

2009-01-15 Thread Michael Tokarev
Res wrote:
[]
> on our internal email servers (and on my personal one) I use
> milter-regex to stop all those pesky cable/dial/dsl users, its great
> because i can also use this rule in milter-regex.conf :
> 
> reject "Access Denied ; Please use the English language when
> communicating with us"
> header /Subject/i   
> /=[?](KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5|WINDOWS-125[156])[?][QB][?]/ie
> 
> header /Subject/i   
> /charset=(3D)?"?(KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5)/ie
> 
> header /Subject/i/[-]{6}/e
> header /Content-Type/i  ,text/(plain|html);
> *charset="?(KOI8-[RU]|GB2312(_CHARSET)?|ISO-2022-JP|SHIFT[-_]JIS|BIG5),ie

Too bad it does not work very well for legitimate email...  You
don't know because you don't have correspondents in those countries,
which is why it works for you ;)

More and more email software uses UTF8 encoding nowadays, instead of
a single-byte encodings like KOI8, WINDOWS1251 and the like above.
And with UTF8, there's no simple way anymore to detect the language
actually used.

It's worse: for example, thunderbird running with russian as a default
language will put "charset=koi8-r" even for 100% ascii emails unless
explicitly told to use ascii charset.  "Charset=koi8-r" and 100% ascii
inside does not contradict with each other since ascii is a subset of
koi8-r, but obviously does not help to filter those.

/mjt
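
The two failure cases described in this thread, run against constructed Subject values (an added example, not part of the original messages): the first Subject pattern from the quoted milter-regex rule is compared with the scripts of the letters actually present after RFC 2047 decoding. The function names and sample headers are illustrative assumptions.

```python
import re
import unicodedata
from email.header import decode_header

# First Subject pattern from the quoted milter-regex rule, case-insensitive as in the post.
CHARSET_RULE = re.compile(
    r"=[?](KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5"
    r"|WINDOWS-125[156])[?][QB][?]", re.IGNORECASE)

def decode_subject(raw):
    """Decode RFC 2047 encoded-words into text, whatever charset was declared."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # charset label Python has no codec for
                chunk = chunk.decode("latin-1")
        parts.append(chunk)
    return "".join(parts)

def scripts_used(text):
    """Scripts of the letters actually present, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def compare(raw):
    """Return (rejected by the charset rule, scripts found in the decoded text)."""
    return bool(CHARSET_RULE.search(raw)), scripts_used(decode_subject(raw))

# Constructed sample Subject values (not taken from real mail).
SAMPLES = {
    # 100% ASCII text sent with a koi8-r label: the rule rejects legitimate mail.
    "ascii_labelled_koi8r": "=?koi8-r?Q?Meeting_at_10?=",
    # Cyrillic text in koi8-r: the case the rule was written for.
    "cyrillic_in_koi8r": "=?koi8-r?Q?=F0=D2=C9=D7=C5=D4?=",
    # The same Cyrillic word in UTF-8: the rule never fires.
    "cyrillic_in_utf8": "=?utf-8?Q?=D0=9F=D1=80=D0=B8=D0=B2=D0=B5=D1=82?=",
    "plain_ascii": "Quarterly report",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        rejected, scripts = compare(raw)
        print(f"{name:22} rejected={rejected!s:5} scripts={sorted(scripts)}")
```

The declared charset and the script of the decoded text disagree in both directions, which is why content-based guessing such as TextCat is suggested elsewhere in this thread.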


Multiple A's per MX hostname vs. 1:1 A:MX all with equal priority vs. different priorities

2009-01-15 Thread Darren Pilgrim
A while back someone posted a message about how MTAs generally respond 
to an unresponsive server given three different ways of setting up 
multiple MX mail servers:


1. A single MX record with multiple A's for the hostname:

example.com mail is handled by 10 a.mx.example.com
a.mx.example.com has address 192.0.2.100
a.mx.example.com has address 192.0.2.101
a.mx.example.com has address 192.0.2.102

2. Multiple MX records with equal priority with a single A for each 
hostname:


example.com mail is handled by 10 a.mx.example.com
example.com mail is handled by 10 b.mx.example.com
example.com mail is handled by 10 c.mx.example.com
a.mx.example.com has address 192.0.2.100
b.mx.example.com has address 192.0.2.101
c.mx.example.com has address 192.0.2.102

3. Multiple MX records with different priorities with a single A for 
each hostname:


example.com mail is handled by 10 a.mx.example.com
example.com mail is handled by 20 b.mx.example.com
example.com mail is handled by 30 c.mx.example.com
a.mx.example.com has address 192.0.2.100
b.mx.example.com has address 192.0.2.101
c.mx.example.com has address 192.0.2.102

I can't find the message, mostly due to lack of sufficiently-narrow 
search criteria.  Would anyone who recalls the message post it?


null return path

2009-01-15 Thread bharathan kailath
hi
in smtp out server i configured the following:
 smtpd_sender_restrictions =
 check_sender_access hash:/etc/postfix/mydomains
 reject_unauth_destination

and  in mydomains i specified the domains that are allowed to send out; but
now sender with a null address is getting blocked; how can i override this!
help appreciatd
thanks