smtpd banner problem
Hello,

In main.cf I have:

    smtpd_banner = $myhostname ESMTP $mail_name (DATA TELECOM SERVICE)

But when I do:

    telnet myserver.tld 25

from another server I get:

    220 **

I don't find why I don't get the good banner. However, doing a telnet 25 from the server itself gives the good banner:

    [r...@mx postfix]# telnet myserver.tld 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 myserver.tld ESMTP Postfix (DATA TELECOM SERVICE)

(sorry for the bad mail sent earlier!)

Best regards,
Marco Tchi
Re: smtpd banner problem
Marco Tchi Hong wrote:
> Hello, In main.cf I have : smtpd_banner = $myhostname ESMTP $mail_name (DATA TELECOM SERVICE)
> But when I do : telnet myserver.tld 25 from another server I get : 220 **
> I don't find why I don't get the good banner.

That sounds like a CISCO PIX / ASA firewall filtering your SMTP traffic with the MAILGUARD feature. Ask your firewall administrator to disable that HORRIBLE and EVIL feature, it will cause more problems than benefits.

When your fw admin disables MAILGUARD, smtp clients will connect directly to your port 25 and you'll see your nice banner :)

--
Santiago Romero
Re: smtpd banner problem
On Tue, Jan 20, 2009 at 11:09:22AM +0300, Marco Tchi Hong wrote:
> But when I do : telnet myserver.tld 25 from another server I get : 220 **
> I don't find why I don't get the good banner.

You have a Cisco PIX in the way which has the smtp fuckup[1] feature enabled.

Bastian

[1]: They call it smtp fixup

--
Captain's Log, star date 21:34.5...
Re: Upon IP address, restrict sending destination.
Magnus Bäck wrote:
> On Tuesday, January 20, 2009 at 03:33 CET, Jacky Chan jac...@wkg1.umac.mo wrote:
>> Yeap, I finally got your idea. And I don't expect that is such easy to configure. Indeed for mynetwork parameter, I do have a list of IP to be restricted so I want it to be located on an external file but not in main.cf
>> As advised by Magnus, how do I create the external iplist.cidr
>>
>>   # main.cf
>>   mynetworks = cidr:/etc/postfix/iplist.cidr
>>
>>   # /etc/postfix/iplist.cidr
>>   !192.168.1.1
>>   !192.168.1.2
>>   192.168.1.3
>>   !192.168.0.0/16
>>
>> In iplist.cidr, how about I don't supply the result, such as OK or REJECT? Is that OK?
>
> No, see cidr_table(5). You'll also note that the manual page doesn't say anything about using ! for negation, and that's because it's a special feature of mynetworks. Just drop the cidr: on the mynetworks line.
> [...]
> --
> Magnus Bäck mag...@dsek.lth.se

In summary, the configuration involved

    # main.cf
    mynetworks = /etc/postfix/iplist.cidr
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

    # /etc/postfix/iplist.cidr
    192.168.1.0 OK
    !192.168.2.10
    192.168.2.20 REJECT
    192.168.0.0 REJECT

But I found the two REJECT statements don't work, I still can send mail from 192.168.2.20 where the destination is in mydestination or not. I don't know whether I understand REJECT correctly or not in cidr under mynetwork (which I can REJECT in man cidr_table), what should be the result supposed to be in this case?

Or I can do it at firewall level too.

Best,
Jacky
Postfix and ldap lookups
Hi,

I don't really know if this is the good mailing-list but this is definitely postfix related.

On some of our servers, we use postfix as our MX and smtp relay. On these servers, we use ldap authentication for our posix users.

The problem is that when postfix receives/sends an email, it does a lookup in our LDAP proxy to get postfix's group and uid. This definitely ends up with a 0 entries found which is not a problem because /etc/nsswitch.conf contains the following:

    passwd: compat ldap
    group: compat ldap
    shadow: compat ldap

Is there a way to tell postfix (and other services, as well) not to try ldap ?

Thanks for your help.

--
Emmanuel Lesouef
RE: your mail -- Virtual Domain with Postfix LDAP
On Tuesday, January 20, 2009 Magnus Bäck wrote:
> On Monday, January 19, 2009 at 10:50 CET, Goutam Baul goutam.b...@cesc.co.in wrote:
>> I am trying to configure postfix 2.2.10 in a way that two of my group companies can get their mailing services from one physical server machine. The two companies are having their separate domains registered and the name space for them will be completely separate i.e. a...@company1.com will have a separate mailbox from that of a...@company2.com. The details of the users are all kept in LDAP. I have created the LDAP tree where the users of company1.com are under ou=company1.com,dc=my,dc=organization and those for company2.com are under ou=company2.com,dc=my,dc=organization. I have added company1.com and company2.com in mydestination and have defined the LDAP search_base as ou=%d,dc=my,dc=organization.
>
> Where have you made this definition? Two domains listed in mydestination by definition have the same set of localparts, i.e.

I am giving below the portion of the main.cf to show the place where I defined it:

    virtual_mailbox_maps = ldap:accounts
    accounts_timeout = 60
    accounts_server_host = 127.0.0.1
    accounts_search_base = ou=%d,dc=my,dc=organization
    accounts_server_port = 389
    accounts_query_filter = ((|(mail=%s) (mailAlternateAddress=%s)) (accountStatus=active))
    accounts_result_attribute = mailMessageStore

> a...@b == a...@c for all values of `a' given that `b' and `c' are listed in mydestination. Put differently, you will not be able to distinguish between j...@example.com and j...@example.net because they'll both map to the same local user joe.
>
>> My SMTP transaction is going fine in a sense, the mails are getting delivered to the individual mailboxes. May I request you to kindly point out whether there is any issue in this approach? I have read that this sort of scenario is best tackled by using virtual hosting feature of postfix using things like virtual_mailbox_domains etc.
>
> Yes, that's what I'd recommend.
>
>> I tried to take that route but could not achieve the result after lots of efforts. Mails for company1.com were getting delivered but those for company2.com were bouncing with user unknown result. Thus have taken to this route. Will there be any problem with this approach if I go live with it? Kindly guide me.
>
> Try again with the virtual mailbox domain and report back the problems you get. Your current design is simply broken unless it's feasible to use aliases to separate j...@example.com from j...@example.net -- the actual usernames could be joecom and joenet and the virtual alias table would resolve j...@example.com to joecom and j...@example.net to joenet.

If I define the company1.com in the my destination and have company2.com in the parameter virtual_mailbox_domains then mail for company1.com gets delivered properly but those for company2.com gets rejected. I get the following type of message in the maillog

    Jan 20 15:17:39 mail postfix/virtual[1692]: 6E16F17E20: to=a...@company2.com, relay=virtual, delay=0, status=bounced (unknown user: a...@company2.com)

I tried to increase the verbosity of virtual daemon at master.cf. But could not make much from the result. I am giving below the log output with the increased verbosity:

    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_lookup: No existing connection for LDAP source accounts, reopening
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_connect: Connecting to server ldap://127.0.0.1:389
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_connect: Actual Protocol version used is 2.
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_connect: Binding to server ldap://127.0.0.1:389 as dn
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_connect: Successful bind to server ldap://127.0.0.1:389 as
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_connect: Cached connection handle for LDAP source accounts
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_lookup: accounts: Searching with filter ((|(mail=a...@company2.com) (mailalternateaddress=a...@company2.com)) (accountStatus=active))
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_get_values[1]: Search found 0 match(es)
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
    Jan 20 15:38:59 mail postfix/virtual[2191]: dict_ldap_lookup: Search returned nothing
    Jan 20 15:38:59 mail postfix/virtual[2191]: maps_find: virtual_mailbox_maps: a...@company2.com: not found

Kindly advise me how to debug the situation.

With regards,
Goutam
Re: How to set client_encoding in Postfix - PostgreSQL lookups
Michael Monnerie:
> Dear list,
> I've read http://www.postfix.org/PGSQL_README.html but there's no word about encoding. I have a postfix making SQL queries to PostgreSQL, and can see from postgresql logs that postfix does set client_encoding to 'LATIN1'
> How can I change that to use UTF8?

SMTP is an ASCII protocol, and that is likely not to change.

Wietse
Re: Postfix and ldap lookups
Emmanuel Lesouef:
> Hi,
> I don't really know if this is the good mailing-list but this is definitely postfix related.
> On some of our servers, we use postfix as our MX and smtp relay. On these servers, we use ldap authentication for our posix users.
> The problem is that when postfix receives/sends an email, it does a lookup in our LDAP proxy to get postfix's group and uid. This definitely ends up with a 0 entries found which is not a problem because /etc/nsswitch.conf contains the following :
>
>   passwd: compat ldap
>   group: compat ldap
>   shadow: compat ldap
>
> Is there a way to tell postfix (and other services, as well) not to try ldap ?

Postfix does not look in /etc/nsswitch.conf. That is the job of the getpwnam SYSTEM LIBRARY ROUTINE.

Wietse
RE: smtpd banner problem
Thanks for the replies. It was indeed due to our new ASA Firewall!

Regards
Marco

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Bastian Blank
Sent: Tuesday, 20 January 2009 11:38
To: postfix-users@postfix.org
Subject: Re: smtpd banner problem

On Tue, Jan 20, 2009 at 11:09:22AM +0300, Marco Tchi Hong wrote:
> But when I do : telnet myserver.tld 25 from another server I get : 220 **
> I don't find why I don't get the good banner.

You have a Cisco PIX in the way which has the smtp fuckup[1] feature enabled.

Bastian

[1]: They call it smtp fixup

--
Captain's Log, star date 21:34.5...
Re: smtpd banner problem
On Tue, 20 Jan 2009, Marco Tchi Hong wrote:
> smtpd_banner = $myhostname ESMTP $mail_name (DATA TELECOM SERVICE)
> But when I do : telnet myserver.tld 25 from another server I get : 220 **
> I don't find why I don't get the good banner. However, doing a telnet 25 from the server itself gives the good banner

Are you kidding? Didn't you *just* send this email and receive an answer that it's your firewall? When you telnet from - to localhost, you are not subject to the firewall's smtp fixup feature.

--
Sahil Tandon sa...@tandon.net
Re: smtpd banner problem
Marco Tchi Hong:
> But when I do : telnet myserver.tld 25 from another server I get : 220 **

That is a CISCO PIX firewall in f-up mode.

Wietse
Re: Postfix and ldap lookups
On Tue, 20 Jan 2009 06:40:57 -0500 (EST), wie...@porcupine.org (Wietse Venema) wrote:
> Emmanuel Lesouef:
>> Hi,
>> I don't really know if this is the good mailing-list but this is definitely postfix related.
>> On some of our servers, we use postfix as our MX and smtp relay. On these servers, we use ldap authentication for our posix users.
>> The problem is that when postfix receives/sends an email, it does a lookup in our LDAP proxy to get postfix's group and uid. This definitely ends up with a 0 entries found which is not a problem because /etc/nsswitch.conf contains the following :
>>
>>   passwd: compat ldap
>>   group: compat ldap
>>   shadow: compat ldap
>>
>> Is there a way to tell postfix (and other services, as well) not to try ldap ?
>
> Postfix does not look in /etc/nsswitch.conf. That is the job of the getpwnam SYSTEM LIBRARY ROUTINE.
>
> Wietse

Ok. So I suppose I'll have to find what pam related issue this is related to.

In my opinion, none of the system services should bind to ldap.

Thanks.

--
Emmanuel Lesouef
Re: Re: MAIL FROM confusion
----- Original Message -----
From: Noel Jones
To: Meno
Sent: 16.01.2009 18:10
Subject: Re: MAIL FROM confusion

> Meno wrote:
>> Hi all,
>> Does somebody know what may cause a confusion like this? In maillog you can see, that the sender is "from=msmith(at)acutecprecision(dot)com" (see below)
>>
>>   r...@smtp3 # cat /var/log/mail-smtp3-090115.log | grep 55BB716282
>>   Jan 15 04:43:25 smtp3 postfix/smtpd[17488]: [ID 197553 mail.info] 55BB716282: client=localhost[127.0.0.1]
>>   Jan 15 04:43:25 smtp3 postfix/cleanup[15371]: [ID 197553 mail.info] 55BB716282: messageid
>>   Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info]5BB716282: from=msmith(at)acutecprecision(dot)com,size=2407, nrcpt=1 (queue active)
>>   Jan 15 04:43:25 smtp3 postfix/smtp[16197]: [ID 197553 mail.info] 55BB716282:to=jlopatka(at)notes(dot)mydomain(dot)com,orig_to=jlopatka(at)mydomain(dot)com,relay=notes.mydomain.com[10.10.10.174]:25,delay=0.21, delays=0.19/0/0.01/0.01, dsn=2.0.0, status=sent (250 Message accepted for delivery)
>>   Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info] 55BB716282: removed
>>
>> But when I get this mail to my inbox, the source of this mail looks like this: The sender is "from=jlopatka(at)mydomain(dot)com" which is my email address. Based on these source code, the email client assumes that it was sent by me, which is not true. It was received from "unknown [211.203.243.81]"
>>
>>   Received: from smtp3.example.com ([211.51.20.89]) by smtp1.example.com (Lotus Domino Release 7.0.3FP1) with ESMTP id 2009011504432553-28468 ; Thu, 15 Jan 2009 04:43:25 +0100
>>   Received: from smtp2.example.com (localhost [127.0.0.1]) by smtp3.example.com (Postfix) with ESMTP id 55BB716282 for ; Thu, 15 Jan 2009 04:43:25 +0100 (MET)
>>   X-Received-SPF: no SPF record found
>>   Received: from 3com.com (unknown [211.203.243.81])by smtp2.example.com (Postfix) with SMTP id 536831631for ; Thu, 15 Jan 2009 04:43:22 +0100 (CET)
>>   To: jlopatka(at)mydomain(dot)com
>>   Subject: RE: message 62625
>>   From: jlopatka(at)mydomain(dot)com
>>   MIME-Version: 1.0
>>   Importance: High
>>   Message-Id:
>>   Date: Thu, 15 Jan 2009 04:43:22 +0100 (CET)
>>
>> Does somebody know how to stop getting such mail? Either SPF cannot help me!
>> Thankx, Chris
>
> The From: and To: in your logs and headers apparently got eaten somewhere, so I can't see what you're referring to.
>
> If you are getting mail claiming to be from your own domain, this has been discussed on the list several times recently. Check the archives.
>
> This particular client is listed in multiple RBLs, you could reject it and lots of other spam with "reject_rbl_client zen.spamhaus.org". Check the www.spamhaus.org web site for usage restrictions.
>
> The client also has no rDNS hostname, you could reject such clients with "reject_unknown_reverse_client_hostname". This restriction might reject legit mail, so watch your logs.
>
> The client used the HELO hostname "3com.com", which is bogus. You could reject this HELO hostname with a check_helo_access map, but this would be less generally useful than the above two checks. See the archive for examples.
>
> Your system should already reject unknown recipients for your own domain. You can reject mail using nonexistent local sender addresses by setting in main.cf:
>
>   smtpd_reject_unlisted_sender = yes
>
> --
> Noel Jones

Thank you Noel for quick answer, I do not know why these from: and to: addresses has disappeared...maybe my provider is blocking email add. in outgoing mails. hm!? I will try to use another convention - user(at)domain(dot)com I hope it will go through :)

> If you are getting mail claiming to be from your own domain, this has been discussed on the list several times recently. Check the archives.

You are right, but I think this is a special case, because in my maillog, postfix assumes, that the sender is smith(at)acutecprecision(dot)com - it goes through the SPF check - but when I get it to my mailbox the from: address is my e-mail address : jlopatka(at)mydomain(dot)com and only in SMTPOriginator header information can find the smith(at)acutecprecision(dot)com

I am curious how the attacker can confuse the address?

Thanks,
Chris
Re: smtpd_client_restrictions is EMPTY, beside setting in main.cf
* Thomas Ackermann t...@tja-server.de:
> Hello,
> i seem to be unable to set the smtpd_client_restrictions Variable!
> In master.cf, there is an option for smtps that sets this to permit_sasl_authenticated,reject.
> In main.cf, i try to set this to reject_invalid_hostname.
> In postconf -n the variable is empty!

postconf -n shows main.cf settings, not master.cf settings

Why not use:

    postconf -e smtpd_client_restrictions=reject_invalid_hostname

--
Ralf Hildebrandt (ralf.hildebra...@charite.de) snick...@charite.de
Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Life is like sendmail: you're not sure you know how to handle it, but you know it'll end in tears. -- Malcolm Ray
Re: smtpd_client_restrictions is EMPTY, beside setting in main.cf
Thomas Ackermann wrote:
> Hello,
> i seem to be unable to set the smtpd_client_restrictions Variable!
> In master.cf, there is an option for smtps that sets this to permit_sasl_authenticated,reject.
> In main.cf, i try to set this to reject_invalid_hostname.
> In postconf -n the variable is empty!
> So, i assume that there is some other reference that prevents the variable to be set or used. OR, there is some major bug in my config :-/
> Does anybody know, what i did wrong? Both files below, also a postfix -n output.
>
> main.cf:
> smtpd_client_restrictions = reject_invalid_hostname

Seen.

> postconf -n:
> smtpd_client_restrictions = reject_invalid_hostname

Seen.

> postconf -d smtpd_client_restrictions
> smtpd_client_restrictions =

'Postconf -d' means show me the DEFAULTS not what is current.

Brian
Re: smtpd_client_restrictions is EMPTY, beside setting in main.cf
Ralf Hildebrandt wrote:
> postconf -n shows main.cf settings, not master.cf settings
> Why not use: postconf -e smtpd_client_restrictions=reject_invalid_hostname

But as far as i understand, this just sets the variable in main.cf - and there, it is already included!

To show this:

    r...@localhost:/etc/postfix,$ postconf -d smtpd_client_restrictions
    smtpd_client_restrictions =
    r...@localhost:/etc/postfix,$ grep ^smtpd_client_restrictions main.cf
    smtpd_client_restrictions = reject_invalid_hostname
    r...@localhost:/etc/postfix,$ postconf -e smtpd_client_restrictions=reject_invalid_hostname
    r...@localhost:/etc/postfix,$ grep ^smtpd_client_restrictions main.cf
    smtpd_client_restrictions = reject_invalid_hostname
    r...@localhost:/etc/postfix,$ postconf -d smtpd_client_restrictions
    smtpd_client_restrictions =

Still empty :-O
Re: smtpd_client_restrictions is EMPTY, beside setting in main.cf
Brian Evans - Postfix List wrote:
> 'Postconf -d' means show me the DEFAULTS not what is current.

Uh.. I already feared a really stupid mistake on my side :)

I used it in this sense, so far - but assumed that this default will be overwritten (and displayed) when actually set in main.cf

So, that -d outputs the complete settings for default settings and all new settings (instead of the default).

So, i cannot save my config with -d and not with -n, but need to use the -n output and exchange any changed output from default to the new values.

Will read man postconf again :D

Thank you! (and out ...)
Re: smtpd_client_restrictions is EMPTY, beside setting in main.cf
On 20.01.2009 16:07 Thomas Ackermann wrote:
> ...
> r...@localhost:/etc/postfix,$ postconf -d smtpd_client_restrictions
> smtpd_client_restrictions =

man postconf:

    -d     Print default parameter settings instead of actual settings.

use `postconf smtpd_client_restrictions` to see your current smtpd_client_restrictions.

Regards,
Pascal

--
Ubuntu is an ancient African word meaning “I can’t install Debian.” -- unknown
Re: Postfix and ldap lookups
On Tue, Jan 20, 2009 at 02:43:03PM +0100, Emmanuel Lesouef wrote:
>>> The problem is that when postfix receives/sends an email, it does a lookup in our LDAP proxy to get postfix's group and uid. This definitely ends up with a 0 entries found which is not a problem because /etc/nsswitch.conf contains the following :
>>>
>>>   passwd: compat ldap
>>>   group: compat ldap
>>>   shadow: compat ldap
>>>
>>> Is there a way to tell postfix (and other services, as well) not to try ldap ?
>>
>> Postfix does not look in /etc/nsswitch.conf. That is the job of the getpwnam SYSTEM LIBRARY ROUTINE.
>>
>> Wietse
>
> Ok. So I suppose I'll have to find what pam related issue this is related to.

PAM has nothing to do with this, your nsswitch.conf specifies use of LDAP for getpwnam(3) and getgrnam(3).

> In my opinion, none of the system services should bind to ldap.

Don't put LDAP in nsswitch.conf if you don't want to use it, but then of course your LDAP-listed users will have trouble logging in.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.
Routing SMTP Auth Requests
Is there any way that Postfix can route SMTP auth requests to a downstream SMTP server while still processing other SMTP traffic?

Michael Katz
http://messagepartners.com
Re: Routing SMTP Auth Requests
Michael Katz wrote:
> Is there any way that Postfix can route SMTP auth requests to a downstream SMTP server while still processing other SMTP traffic?

I should add that for this specific application it is not necessary that Postfix knows the result of authentication.

Michael Katz
http://messagepartners.com
Re: Upon IP address, restrict sending destination.
Jacky Chan wrote:
> Magnus Bäck wrote:
>> On Tuesday, January 20, 2009 at 03:33 CET, Jacky Chan jac...@wkg1.umac.mo wrote:
>>> Yeap, I finally got your idea. And I don't expect that is such easy to configure. Indeed for mynetwork parameter, I do have a list of IP to be restricted so I want it to be located on an external file but not in main.cf
>>> As advised by Magnus, how do I create the external iplist.cidr
>>>
>>>   # main.cf
>>>   mynetworks = cidr:/etc/postfix/iplist.cidr
>>>
>>>   # /etc/postfix/iplist.cidr
>>>   !192.168.1.1
>>>   !192.168.1.2
>>>   192.168.1.3
>>>   !192.168.0.0/16
>>>
>>> In iplist.cidr, how about I don't supply the result, such as OK or REJECT? Is that OK?
>>
>> No, see cidr_table(5). You'll also note that the manual page doesn't say anything about using ! for negation, and that's because it's a special feature of mynetworks. Just drop the cidr: on the mynetworks line.
>> [...]
>> --
>> Magnus Bäck mag...@dsek.lth.se
>
> In summary, the configuration involved
>
>   # main.cf
>   mynetworks = /etc/postfix/iplist.cidr
>   smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
>
>   # /etc/postfix/iplist.cidr
>   192.168.1.0 OK
>   !192.168.2.10
>   192.168.2.20 REJECT
>   192.168.0.0 REJECT
>
> But I found the two REJECT statements don't work, I still can send mail from 192.168.2.20 where the destination is in mydestination or not. I don't know whether I understand REJECT correctly or not in cidr under mynetwork (which I can REJECT in man cidr_table), what should be the result supposed to be in this case?
> Or I can do it at firewall level too.
> Best, Jacky

Why do you make this so hard? Why do you not just use one of the many examples sent to you?

Please review the documentation for mynetworks. It is not an access table; access table syntax does not work.

List exceptions first, then list IPs and cidr networks that are allowed internet access. Don't put anything on the right for a result. Or just don't list IPs if they're not allowed to relay. Remember to include localhost.

    mynetworks = /path/to/networks

    # networks
    !192.168.2.10
    !192.168.2.20
    127.0.0.1
    192.168.1.0/24

Good luck.

--
Noel Jones
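The list semantics described in the reply above (patterns tried in order, first match decides, a leading ! excludes, nothing on the right-hand side), as an added example that is not code from the thread or from Postfix. The function names, the 192.168.0.0/16 ordering case and the sample client addresses are constructed; how Postfix itself reports stray tokens such as REJECT is not modelled, and only the IPv4 forms used in the thread are handled.

```python
import ipaddress


def parse_mynetworks(text):
    """Split a mynetworks pattern file into (negated, network) pairs.

    Patterns are separated by whitespace or commas. Tokens that are not an
    address or network (for example access-table results such as REJECT)
    are returned separately so they can be reported to the admin.
    """
    patterns, not_patterns = [], []
    for token in text.replace(",", " ").split():
        negated = token.startswith("!")
        try:
            net = ipaddress.ip_network(token.lstrip("!"), strict=False)
        except ValueError:
            not_patterns.append(token)
            continue
        patterns.append((negated, net))
    return patterns, not_patterns


def in_mynetworks(client_ip, patterns):
    """First matching pattern decides; a '!' pattern excludes; no match is 'no'."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in patterns:
        if addr in net:
            return not negated
    return False


def relay_report(file_text, clients):
    """Return ({client: trusted?}, [tokens that are not network patterns])."""
    patterns, not_patterns = parse_mynetworks(file_text)
    return {ip: in_mynetworks(ip, patterns) for ip in clients}, not_patterns


# Constructed after the access-table style file posted in the thread.
ACCESS_STYLE = """\
192.168.1.0 OK
!192.168.2.10
192.168.2.20 REJECT
192.168.0.0 REJECT
"""

# Constructed after the pattern file suggested in the reply above.
PATTERN_STYLE = """\
!192.168.2.10
!192.168.2.20
127.0.0.1
192.168.1.0/24
"""

# Constructed: the same kind of exception, but listed after the broad network.
WRONG_ORDER = """\
192.168.0.0/16
!192.168.2.10
"""

CLIENTS = ["127.0.0.1", "192.168.1.77", "192.168.2.10", "192.168.2.20", "10.0.0.5"]

if __name__ == "__main__":
    for name, text in (("access style", ACCESS_STYLE),
                       ("pattern style", PATTERN_STYLE),
                       ("wrong order", WRONG_ORDER)):
        trusted, stray = relay_report(text, CLIENTS)
        print(name)
        for ip, ok in trusted.items():
            print(f"  {ip:15} {'in mynetworks' if ok else 'not in mynetworks'}")
        if stray:
            print("  not network patterns:", ", ".join(stray))
```

In the access-style file 192.168.2.20 is itself a positive pattern, so the host counts as part of mynetworks whatever word follows it, and 192.168.1.0 without a mask covers a single address rather than the /24.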
Re: MAIL FROM confusion
Meno wrote:
>> If you are getting mail claiming to be from your own domain, this has been discussed on the list several times recently. Check the archives.
>
> You are right, but I think this is a special case, because in my maillog, postfix assumes, that the sender is smith(at)acutecprecision(dot)com - it goes through the SPF check - but when I get it to my mailbox the from: address is my e-mail address : jlopatka(at)mydomain(dot)com and only in SMTPOriginator header information can find the smith(at)acutecprecision(dot)com
> I am curious how the attacker can confuse the address?
> Thanks, Chris

The From: header is irrelevant. You will note that this mail says it's from me, yet I'm not the envelope sender. Also note that your postings to this list are From: your address, but you are not the envelope sender.

--
Noel Jones
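The envelope sender versus From: header distinction made in the reply above, as an added example that is not code from the thread. Both SMTP sessions are constructed, with .example domains standing in for the obfuscated addresses on the page, and LOCAL_DOMAINS and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"mydomain.example"}  # assumption: the domains this site hosts

# Constructed client side of a session shaped like the spam in the thread.
SPAM_SESSION = """\
HELO 3com.com
MAIL FROM:<msmith@sender.example>
RCPT TO:<jlopatka@mydomain.example>
DATA
To: jlopatka@mydomain.example
Subject: RE: message 62625
From: jlopatka@mydomain.example

(body)
.
QUIT
"""

# Constructed: the recipient's own list posting coming back from a list server.
LIST_SESSION = """\
EHLO lists.example
MAIL FROM:<owner-users@lists.example>
RCPT TO:<jlopatka@mydomain.example>
DATA
To: users@lists.example
Subject: Re: MAIL FROM confusion
From: Chris <jlopatka@mydomain.example>

(body)
.
QUIT
"""


def split_session(session):
    """Return (envelope_sender, envelope_recipients, message_text)."""
    sender, rcpts, data, in_data = None, [], [], False
    for line in session.splitlines():
        if in_data:
            if line == ".":              # end of DATA
                in_data = False
            else:                        # undo SMTP dot-stuffing
                data.append(line[1:] if line.startswith(".") else line)
            continue
        m = re.match(r"(MAIL FROM|RCPT TO):\s*<([^>]*)>", line, re.IGNORECASE)
        if m and m.group(1).upper() == "MAIL FROM":
            sender = m.group(2)
        elif m:
            rcpts.append(m.group(2))
        elif line.strip().upper() == "DATA":
            in_data = True
    return sender, rcpts, "\n".join(data) + "\n"


def sender_report(session, local_domains=LOCAL_DOMAINS):
    """Compare what the MTA logs (envelope) with what the mail client shows (header)."""
    env_sender, _rcpts, text = split_session(session)
    env_sender = env_sender or ""
    header_from = parseaddr(message_from_string(text).get("From", ""))[1]
    env_domain = env_sender.rpartition("@")[2].lower()
    hdr_domain = header_from.rpartition("@")[2].lower()
    return {
        "logged_by_postfix": env_sender,        # the from= value in the maillog
        "shown_by_mail_client": header_from,    # the From: header
        "differ": env_sender.lower() != header_from.lower(),
        "local_header_foreign_envelope":
            hdr_domain in local_domains and env_domain not in local_domains,
    }


if __name__ == "__main__":
    for name, session in (("spam", SPAM_SESSION), ("list", LIST_SESSION)):
        print(name, sender_report(session))
```

Both sessions produce the same two flags, which is the point of the reply: a From: header that differs from the envelope sender is also what ordinary list mail looks like, so the comparison alone cannot separate the two.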
Re: Routing SMTP Auth Requests
Michael Katz wrote:
> Michael Katz wrote:
>> Is there any way that Postfix can route SMTP auth requests to a downstream SMTP server while still processing other SMTP traffic?
>
> I should add that for this specific application it is not necessary that Postfix knows the result of authentication.

Not possible. Arrange for your other server to listen on the submission port 587, and have your users submit mail there.

--
Noel Jones
Re: Routing SMTP Auth Requests
On Tue, Jan 20, 2009 at 11:05:35AM -0500, Michael Katz wrote:
> Michael Katz wrote:
>> Is there any way that Postfix can route SMTP auth requests to a downstream SMTP server while still processing other SMTP traffic?
>
> I should add that for this specific application it is not necessary that Postfix knows the result of authentication.

What do you mean by "route SMTP auth requests"?

- Use the remote server as an oracle for the SASL handshake.
- Complete authentication locally, route mail from authenticated senders to another server?

The second is possible with sufficiently clever use of the "FILTER ..." access(5) action.

--
Viktor.
Re: Routing SMTP Auth Requests
Michael Katz:
> Is there any way that Postfix can route SMTP auth requests to a downstream SMTP server while still processing other SMTP traffic?

Postfix is not a proxy.

However, Postfix supports multiple SASL authentication implementations via the modular XSASL API. If someone writes code for that API, then they can plug in other authentication implementations, including one that proxies the request downstream.

Wietse
speeding dkim filtering
Hi

I have milter/dkim filter installed on a rhel4 linux server. I noticed a delay between dkim-filter and qmgr processes when the traffic becomes important.

    Jan 20 12:35:04 fe2 dkim-filter[3380]: 9E463127A68 DKIM-Signature header added
    Jan 20 12:43:14 fe2 postfix/qmgr[20888]: 9E463127A68: from=jairo.ab...@foo.com, size=11787, nrcpt=1

Is it possible to speed up dkim filter?

By default I have:

    postfix mail_version = 2.3.13

    milter9629 1 1 Jan19 ? 00:13:05 /usr/sbin/dkim-filter -x /etc/dkim-milter/dkim-filter.conf

    lsof -i TCP:10030 | grep dkim-filt | wc -l
    53

Thanks for your help
Alain
Re: bulk mails
Sahil Tandon wrote:
> bharathan kailath wrote:
>> one of our customer send mass mails thru our postfix server; is it possible to restrict number of mail recipient for a particular sender! help appreciated.
>
> Use a policy service. With postfwd, to limit m...@mailer.com to 20 recipients per message, something like:
>
>   id=RULE_01; recipient_count=21; sender=m...@mailer.com; action=REJECT

it may be better to limit on a per IP (or subnet) basis. this way, the rate limit doesn't depend on the sender address. unless they authenticate and the sender is controlled.

> You could also write your own policy service; read: http://www.postfix.org/SMTPD_POLICY_README.html

an alternative is policyd.
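A small policy service of the kind the message above points to, as an added example that is not code from the thread, from postfwd or from policyd. It combines a per-message recipient cap with a per-client-address recipient rate limit; the class and function names, the limits, the reply texts and port 10040 are assumptions.

```python
import threading
import time
from collections import defaultdict, deque


class RecipientLimiter:
    """Decides the access(5) action for one policy delegation request."""

    def __init__(self, per_message=20, per_window=100, window=3600, clock=time.time):
        self.per_message = per_message   # cap on recipients in one message
        self.per_window = per_window     # RCPT commands per client per window
        self.window = window             # window length in seconds
        self.clock = clock
        self.seen = defaultdict(deque)   # client_address -> RCPT timestamps
        self.lock = threading.Lock()

    def decide(self, attrs):
        state = attrs.get("protocol_state")
        if state == "RCPT":
            # Counts every RCPT the client sends, including ones that a later
            # restriction rejects.
            client = attrs.get("client_address", "unknown")
            now = self.clock()
            with self.lock:
                stamps = self.seen[client]
                while stamps and now - stamps[0] > self.window:
                    stamps.popleft()
                if len(stamps) >= self.per_window:
                    return "defer_if_permit Recipient rate limit exceeded"
                stamps.append(now)
            return "dunno"
        if state in ("DATA", "END-OF-MESSAGE"):
            # recipient_count is only non-zero in these two states.
            if int(attrs.get("recipient_count") or 0) > self.per_message:
                return "reject Too many recipients in one message"
        return "dunno"


def read_request(reader):
    """Read name=value lines up to the empty line; None at end of stream."""
    attrs = {}
    for line in iter(reader.readline, ""):
        line = line.rstrip("\r\n")
        if line == "":
            return attrs
        name, _, value = line.partition("=")
        attrs[name] = value
    return None


def serve(reader, writer, limiter):
    """Answer requests on one connection until the client closes it."""
    while True:
        attrs = read_request(reader)
        if attrs is None:
            return
        writer.write(f"action={limiter.decide(attrs)}\n\n")
        writer.flush()


if __name__ == "__main__":
    import socketserver

    LIMITER = RecipientLimiter()

    class PolicyHandler(socketserver.BaseRequestHandler):
        def handle(self):
            stream = self.request.makefile("rw", encoding="utf-8", newline="\n")
            serve(stream, stream, LIMITER)

    # Assumed wiring in main.cf, listed in both smtpd_recipient_restrictions
    # and smtpd_data_restrictions:
    #   check_policy_service inet:127.0.0.1:10040
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```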
Re: Routing SMTP Auth Requests
Wietse Venema wrote:
> Michael Katz:
>> Is there any way that Postfix can route SMTP auth requests to a downstream SMTP server while still processing other SMTP traffic?
>
> Postfix is not a proxy.
>
> However, Postfix supports multiple SASL authentication implementations via the modular XSASL API. If someone writes code for that API, then they can plug in other authentication implementations, including one that proxies the request downstream.

It looks like he wants postfix/smtp to authenticate to the final server using the auth infos that were given to postfix/smtpd. This is a bit complex as it means storing the authentication infos somewhere and that authentication can be replayed.
Re: smtpd_client_restrictions is EMPTY, beside setting in main.cf
Thomas Ackermann wrote:
> Brian Evans - Postfix List wrote:
>> 'Postconf -d' means show me the DEFAULTS not what is current.
>
> Uh.. I already feared a really stupid mistake on my side :)
> I used it in this sense, so far - but assumed that this default will be overwritten (and displayed) when actually set in main.cf
> So, that -d outputs the complete settings for default settings and all new settings (instead of the default).

no, -d shows the default values only, the values postfix was built with. it doesn't show any new settings.

> So, i cannot save my config with -d and not with -n, but need to use the -n output and exchange any changed output from default to the new values.
> Will read man postconf again :D

what you mean is unclear.

To set a variable, use 'postconf -e' or edit main.cf

To see the values of variables that are set in main.cf, use 'postconf -n'

To see the default values, i.e. the values set when postfix is compiled, use 'postconf -d'

notes:

postconf -n does not show the values of custom variables. in particular, if you create smtpd_restriction_classes, you won't see how these classes are defined in the output of 'postconf -n'

postconf -n does not parse master.cf. so a setting may be overridden in master.cf even if you don't see it in 'postconf -n' output.
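The last note above, worked through as an added example that is not code from the thread or from Postfix: a main.cf value next to the per-service -o overrides in master.cf. Both file fragments are constructed around the smtps case discussed in this thread, the function names are assumptions, and only the plain "-o name=value" form is parsed.

```python
# Constructed main.cf fragment.
MAIN_CF = """\
# main.cf
smtpd_client_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed master.cf fragment with an override on the smtps service.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def logical_lines(text):
    """Drop blank and comment lines; join lines that start with whitespace
    onto the logical line they continue."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_main_cf(text):
    """Return {parameter: value} for the settings present in main.cf."""
    params = {}
    for line in logical_lines(text):
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_master_overrides(text):
    """Return {"service/type": {parameter: value}} for -o options in master.cf."""
    overrides = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:          # not a complete service entry
            continue
        opts, args, i = {}, fields[8:], 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                opts[name] = value
                i += 2
            else:
                i += 1
        overrides[f"{fields[0]}/{fields[1]}"] = opts
    return overrides


def effective(param, main, overrides, default=""):
    """Value each service runs with: the master.cf override if present,
    else the main.cf value, else the built-in default passed in."""
    base = main.get(param, default)
    return {svc: opts.get(param, base) for svc, opts in overrides.items()}


if __name__ == "__main__":
    main = parse_main_cf(MAIN_CF)
    over = parse_master_overrides(MASTER_CF)
    for svc, value in effective("smtpd_client_restrictions", main, over).items():
        print(f"{svc:12} smtpd_client_restrictions = {value}")
```

On Postfix 2.11 and later, `postconf -P` prints the master.cf parameter overrides directly.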
Re: MAIL FROM confusion
Meno wrote:
- Original Message - From: Noel Jones To: Meno Sent: 16.01.2009 18:10 Subject: Re: MAIL FROM confusion
Meno wrote:
Hi all, Does somebody know what may cause a confusion like this? In maillog you can see, that the sender is "from=msmith(at)acutecprecision(dot)com" (see below)
r...@smtp3 # cat /var/log/mail-smtp3-090115.log | grep 55BB716282
Jan 15 04:43:25 smtp3 postfix/smtpd[17488]: [ID 197553 mail.info] 55BB716282: client=localhost[127.0.0.1]
Jan 15 04:43:25 smtp3 postfix/cleanup[15371]: [ID 197553 mail.info] 55BB716282: messageid
Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info]5BB716282: from=msmith(at)acutecprecision(dot)com,size=2407, nrcpt=1 (queue active)
Jan 15 04:43:25 smtp3 postfix/smtp[16197]: [ID 197553 mail.info] 55BB716282:to=jlopatka(at)notes(dot)mydomain(dot)com,orig_to=jlopatka(at)mydomain(dot)com,relay=notes.mydomain.com[10.10.10.174]:25,delay=0.21, delays=0.19/0/0.01/0.01, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: [ID 197553 mail.info] 55BB716282: removed
But when I get this mail to my inbox, the source of this mail looks like this: The sender is "from=jlopatka(at)mydomain(dot)com" which is my email address. Based on this source code, the email client assumes that it was sent by me, which is not true. It was received from "unknown [211.203.243.81]"
Received: from smtp3.example.com ([211.51.20.89]) by smtp1.example.com (Lotus Domino Release 7.0.3FP1) with ESMTP id 2009011504432553-28468 ; Thu, 15 Jan 2009 04:43:25 +0100
Received: from smtp2.example.com (localhost [127.0.0.1]) by smtp3.example.com (Postfix) with ESMTP id 55BB716282 for ; Thu, 15 Jan 2009 04:43:25 +0100 (MET)
X-Received-SPF: no SPF record found
Received: from 3com.com (unknown [211.203.243.81])by smtp2.example.com (Postfix) with SMTP id 536831631for ; Thu, 15 Jan 2009 04:43:22 +0100 (CET)
To: jlopatka(at)mydomain(dot)com
Subject: RE: message 62625
From: jlopatka(at)mydomain(dot)com
MIME-Version: 1.0
Importance: High
Message-Id:
Date: Thu, 15 Jan 2009 04:43:22 +0100 (CET)
Does somebody know how to stop getting such mail? Either SPF cannot help me! Thankx, Chris
The From: and To: in your logs and headers apparently got eaten somewhere, so I can't see what you're referring to.
If you are getting mail claiming to be from your own domain, this has been discussed on the list several times recently. Check the archives.
This particular client is listed in multiple RBLs, you could reject it and lots of other spam with "reject_rbl_client zen.spamhaus.org". Check the www.spamhaus.org web site for usage restrictions.
The client also has no rDNS hostname, you could reject such clients with "reject_unknown_reverse_client_hostname". This restriction might reject legit mail, so watch your logs.
The client used the HELO hostname "3com.com", which is bogus. You could reject this HELO hostname with a check_helo_access map, but this would be less generally useful than the above two checks. See the archive for examples.
Your system should already reject unknown recipients for your own domain. You can reject mail using nonexistent local sender addresses by setting in main.cf:
smtpd_reject_unlisted_sender = yes
-- Noel Jones
Thank you Noel for quick answer, I do not know why these from: and to: addresses have disappeared...maybe my provider is blocking email add. in outgoing mails. hm!?
That is unlikely. most probably, your mail system removes what looks like html tags.
I will try to use another convention - user(at)domain(dot)com I hope it will go through :)
remove the '<' and '>' around email addresses and see if they get out.
If you are getting mail claiming to be from your own domain, this has been discussed on the list several times recently. Check the archives.
You are right, but I think this is a special case, because in my maillog, postfix assumes, that the sender is smith(at)acutecprecision(dot)com - it goes through the SPF check - but when I get it to my mailbox the from: address is my e-mail address : jlopatka(at)mydomain(dot)com and only in SMTPOriginator header information can find the smith(at)acutecprecision(dot)com I am curious how the attacker can confuse the address?
you confuse envelope addresses and header addresses. The address you see in postfix logs is the envelope sender. if there is an error, a bounce is sent to this address. The address you see in your mailer is From: header. this is where a human would send a reply (unless the sender has specified a reply-To address... etc). If you look at _this_ message you receive from the list, you'll see that the From: header contains my address, but I didn't send it to you: the envelope sender is that of the
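The envelope/header distinction from the reply above, as an added example that is not part of the original thread: it pulls the envelope sender from a Postfix qmgr log line and the From: header from the message, then reports which identity each check would see. The addresses, the mydomain.example domain and the function names are constructed placeholders; the client IP and HELO name are the ones quoted in the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"mydomain.example"}  # assumption: domains hosted on this site

# Constructed samples modelled on the thread (addresses are placeholders).
QMGR_LOG = ("Jan 15 04:43:25 smtp3 postfix/qmgr[1372]: 55BB716282: "
            "from=<msmith@sender.example>, size=2407, nrcpt=1 (queue active)")
RAW_MESSAGE = (
    "Received: from 3com.com (unknown [211.203.243.81])\n"
    "\tby smtp2.example.com (Postfix) with SMTP id 536831631;\n"
    "\tThu, 15 Jan 2009 04:43:22 +0100 (CET)\n"
    "To: jlopatka@mydomain.example\n"
    "From: jlopatka@mydomain.example\n"
    "Subject: RE: message 62625\n"
    "\n"
    "body\n"
)

def envelope_sender(qmgr_line):
    """Return the MAIL FROM address Postfix logged ('' for the null sender)."""
    m = re.search(r"\bfrom=<([^>]*)>", qmgr_line)
    if m is None:
        raise ValueError("no from=<...> field in log line")
    return m.group(1).lower()

def header_from(raw_message):
    """Return the address in the From: header, which is what a mailer shows."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()

def domain(addr):
    return addr.rpartition("@")[2]

def classify(env, hdr, local_domains=LOCAL_DOMAINS):
    """Compare the two sender identities of one message."""
    env_local = domain(env) in local_domains
    return {
        "envelope_sender": env,   # bounces go here; SPF checks this domain
        "header_from": hdr,       # replies go here unless Reply-To is set
        "mismatch": env != hdr,
        # smtpd_reject_unlisted_sender only looks at the envelope sender,
        # so it acts only when this is True.
        "envelope_is_local": env_local,
        # A local From: header on a foreign envelope: the case in the thread.
        "header_claims_local": domain(hdr) in local_domains and not env_local,
    }
```

A message flagged with header_claims_local passes every envelope-based check, which is why the thread's suggestions target the connecting client (RBL listing, missing rDNS, bogus HELO) instead.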
Re: Routing SMTP Auth Requests
On Tue, Jan 20, 2009 at 08:43:58PM +0100, mouss wrote:
It looks like he wants postfix/smtp to authenticate to the final server using the auth infos that were given to postfix/smtpd. This is a bit complex as it means storing the authentication infos somewhere and that authentication can be replayed.
This is not how SASL works, it is an interactive protocol, in many mechanisms the server cannot effectively replay the client side of the protocol. What can work is proxying the protocol, though with GSSAPI the target server needs to have keys for the original server's Kerberos principal. It is certainly possible to design a SASL plugin that proxies to another server, or a new Postfix-SASL type that does the same. The rimap SASL plugin is an example of what's possible.
-- Viktor.
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users
If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: your mail -- Virtual Domain with Postfix LDAP
On Tuesday, January 20, 2009 at 11:23 CET, Goutam Baul goutam.b...@cesc.co.in wrote:
On Tuesday.January 20,2009 Magnus Bäck wrote
Where have you made this definition? Two domains listed in mydestination by definition have the same set of localparts, i.e.
I am giving below the portion of the main.cf to show the place where I defined it:
virtual_mailbox_maps = ldap:accounts
accounts_timeout = 60
accounts_server_host = 127.0.0.1
accounts_search_base = ou=%d,dc=my,dc=organization
accounts_server_port = 389
accounts_query_filter = ((|(mail=%s) (mailAlternateAddress=%s)) (accountStatus=active))
accounts_result_attribute = mailMessageStore
Okay, but since you allegedly list both domains in mydestination this will never be used. mydestination wins over virtual_mailbox_domains. Unless, of course, you've set local_transport = virtual. Anyway, time to see the postconf -n output. Note that your configuration method is obsolete (but still works). Prefer the newer way of putting the table configuration in a separate file. See ldap_table(5).
Try again with the virtual mailbox domain and report back the problems you get. Your current design is simply broken unless it's feasible to use aliases to separate j...@example.com from j...@example.net -- the actual usernames could be joecom and joenet and the virtual alias table would resolve j...@example.com to joecom and j...@example.net to joenet.
If I define the company1.com in the my destination and have company2.com in the parameter virtual_mailbox_domains then mail for company1.com gets delivered properly but those for company2.com gets rejected. I get the following type of message in the maillog
Jan 20 15:17:39 mail postfix/virtual[1692]: 6E16F17E20: to=a...@company2.com, relay=virtual, delay=0, status=bounced (unknown user: a...@company2.com)
Then your virtual_mailbox_maps lookup doesn't work. Show the output of the following command:
postmap -q a...@example.com ldap:accounts || echo Not found
This command should return the path to the mailbox. (Please use example.com, example.net etc as example domains and not company2.com etc.)
[...]
-- Magnus Bäck mag...@dsek.lth.se
After queue filter - avoid filtering forwarded mail with dspam
Hello again,
To filter only incoming foreign mail with dspam I'm using access maps:
smtpd_sender_restrictions = reject_unknown_sender_domain permit_mynetworks permit_sasl_authenticated check_sender_access hash:/usr/local/etc/postfix/sender_access check_client_access pcre:/usr/local/etc/postfix/filter_default
My filter_default contains:
/./ FILTER lmtp:unix:/var/run/dspam/sock
(dspam is running as daemon and is reinjecting mail to Postfix using SMTP at localhost:10026)
All is working as I want. But some of my users need to be forwarded to another machine (running postfix+dspam too) to avoid NFS mount, so I would like to filter their mail only on the destination machine. The filter is triggered depending on client info/envelope from etc., so even when mail needs to be forwarded it goes to dspam first.
Is there a possibility to trigger content filters _after_ expanding aliases (virtual/local)? I would like to filter only mail whose destination is the local machine and let the others be forwarded untouched after expanding aliases.
I know I can call dspam as mailbox_command of course, but this solution has a big disadvantage - filtering can be bypassed by a ~/.forward file, so it forbids users to call their own LDA.
Thanks for any suggestions. Cheers,
P.S. Some sysinfo: FreeBSD Current, postfix-current-2.6.20081109,4,dspam-devel-3.8.0
-- Marcin Rzepecki m.rzepecki(at)iem.pw.edu.pl
Re: milter-postfix debugging for disappearing headers
--On Friday, January 16, 2009 10:08 AM -0800 Quanah Gibson-Mount qua...@zimbra.com wrote: We use postfix to accept and deliver the email, and have the email run through the milter and amavisd for delivery. eh, through the milter and amavisd /before/ delivery. :P We were able to track this down to a bug in the milter we inherited. Thanks again for the help on the postfix side of things! --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration
Question on sendmail submission and master.cf -o overrides
Hi:
I am hoping someone can offer help in determining this information about the specifics of how sendmail submits mail.
I have three different services configured in master.cf to accept mail: 1) the regular smtpd service on port 25, 2) a submission service for authenticated clients, and 3) a reinjection service (localhost:10026) to accept mail after an after-queue content filter (which is specified as an -o override on the port 25 service in master.cf, not in main.cf).
I am about to add a different after-queue content filter to the submission service (also via an -o override in master.cf), and this content filter re-injects mail via the sendmail command.
There is no content_filter specified in main.cf. In this configuration, when mail is submitted via the sendmail command, will the content filter specified on the port 25 service apply? or will postfix only pay attention to the settings in main.cf for the purposes of transferring that mail?
I suppose the more general question is which set of configuration options is mail submitted via the sendmail command subject to?
(yes, I read the sendmail(1) documentation and did not find this information. The architecture documentation indicates only that it is subject to pretty much anything that local submission is subject to, but it's not clear what that is).
Any help or pointers are very much appreciated!
Thanks, --Jeff
Re: Question on sendmail submission and master.cf -o overrides
On Tue, Jan 20, 2009 at 07:11:16PM -0800, Jeff Weinberger wrote:
I am hoping someone can offer help in determining this information about the specifics of how sendmail submits mail.
The postdrop(1) helper places the mail in the maildrop sub-directory of the Postfix queue. The pickup(8) daemon asynchronously injects mail into the incoming queue (via cleanup(8)) one message at a time.
There is no content_filter specified in main.cf. In this configuration, when mail is submitted via the sendmail command, will the content filter specified on the port 25 service apply? or will postfix only pay attention to the settings in main.cf for the purposes of transferring that mail?
Local submission via sendmail(1) does not use SMTP, so the smtpd(8) service on port 25 never sees the mail. Ergo, settings there do not apply.
I suppose the more general question is which set of configuration options is mail submitted via the sendmail command subject to?
1. -o options in the pickup(8) service master.cf(5) entry.
2. main.cf parameter settings
(yes, I read the sendmail(1) documentation and did not find this information. The architecture documentation indicates only that it is subject to pretty much anything that local submission is subject to, but it's not clear what that is).
Submission via sendmail(1) *is* local submission. The latter is a term of art for the former.
http://www.postfix.org/OVERVIEW.html#receiving
o Local submissions are received with the Postfix sendmail(1) compatibility command, and are queued in the maildrop queue by the privileged postdrop(1) command. This arrangement even works while the Postfix mail system is not running. The local pickup(8) server picks up local submissions, enforces some sanity checks to protect Postfix, and gives the sender, recipients and message content to the cleanup(8) server.
-- Viktor.
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Create Custom Mail Queue
Dear all, Can I create a custom mail queue in /var/spool/postfix to hold the mails for a specific destination and schedule them to be delivered one by one for a period of time, let's say 2 mins. Thanks, Jacky -- View this message in context: http://www.nabble.com/Create-Custom-Mail-Queue-tp21577217p21577217.html Sent from the Postfix mailing list archive at Nabble.com.
Re: Question on sendmail submission and master.cf -o overrides
Viktor Wrote:
Date: Tue, 20 Jan 2009 22:26:23 -0500 From: Victor Duchovni victor.ducho...@morganstanley.com Subject: Re: Question on sendmail submission and master.cf -o overrides
On Tue, Jan 20, 2009 at 07:11:16PM -0800, Jeff Weinberger wrote:
I am hoping someone can offer help in determining this information about the specifics of how sendmail submits mail.
The postdrop(1) helper places the mail in the maildrop sub-directory of the Postfix queue. The pickup(8) daemon asynchronously injects mail into the incoming queue (via cleanup(8)) one message at a time
There is no content_filter specified in main.cf. In this configuration, when mail is submitted via the sendmail command, will the content filter specified on the port 25 service apply? or will postfix only pay attention to the settings in main.cf for the purposes of transferring that mail?
Local submission via sendmail(1) does not use SMTP, so the smtpd(8) service on port 25 never sees the mail. Ergo, settings there do not apply.
I suppose the more general question is which set of configuration options is mail submitted via the sendmail command subject to?
1. -o options in the pickup(8) service master.cf(5) entry.
2. main.cf parameter settings
Thank you. Makes sense. If I wanted to change any of the pickup(8) options, I'd need to define an alternate pickup service (not likely to do this).
(yes, I read the sendmail(1) documentation and did not find this information. The architecture documentation indicates only that it is subject to pretty much anything that local submission is subject to, but it's not clear what that is).
Submission via sendmail(1) *is* local submission. The latter is a term of art for the former.
http://www.postfix.org/OVERVIEW.html#receiving
o Local submissions are received with the Postfix sendmail(1) compatibility command, and are queued in the maildrop queue by the privileged postdrop(1) command. This arrangement even works while the Postfix mail system is not running. The local pickup(8) server picks up local submissions, enforces some sanity checks to protect Postfix, and gives the sender, recipients and message content to the cleanup(8) server.
-- Viktor.
Thank you for your help - this is very clear.
Re: Question on sendmail submission and master.cf -o overrides
On Tue, Jan 20, 2009 at 10:19:46PM -0800, Jeff Weinberger wrote: If I wanted to change any of the pickup(8) options, I'd need to define an alternate pickup service (not likely to do this). You can't have an alternate pickup service inside the same Postfix instance. There is only one maildrop directory per queue directory. Its name is not configurable, and postdrop(1) will deposit all mail there. If you want multiple pickup profiles run multiple Postfix instances, and set MAIL_CONFIG in the sendmail(1) environment to select the right Postfix queue (instance). -- Viktor.
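The resolution order given in this thread (-o options on the service's master.cf entry, then main.cf), together with the earlier note that 'postconf -n' does not parse master.cf, as an added example that is not code from the thread or from Postfix. The file contents, filter destinations and function names are constructed, and only the plain "-o name=value" form is handled.

```python
import shlex

# Constructed files shaped like the setup in the thread: content filters are
# set only as -o overrides in master.cf, and main.cf has no content_filter.
MAIN_CF = """\
myhostname = mx.example.com
smtpd_banner = $myhostname ESMTP $mail_name
"""
MASTER_CF = """\
# service       type  private unpriv chroot wakeup maxproc command + args
smtp            inet  n       -      n      -      -       smtpd
  -o content_filter=smtp:[127.0.0.1]:10025
submission      inet  n       -      n      -      -       smtpd
  -o content_filter=smtp:[127.0.0.1]:10027
127.0.0.1:10026 inet  n       -      n      -      -       smtpd
  -o content_filter=
pickup          fifo  n       -      n      60     1       pickup
"""
DEFAULTS = {"content_filter": ""}  # built-in default, as 'postconf -d' reports

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main(text):
    """main.cf as a dict: the only file 'postconf -n' reports on."""
    pairs = (line.partition("=") for line in logical_lines(text))
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_master(text):
    """Map (service, type) to the -o name=value overrides on that entry."""
    services = {}
    for line in logical_lines(text):
        f = shlex.split(line)
        args, overrides = f[8:], {}   # f[7] is the command, the rest its args
        for i, tok in enumerate(args[:-1]):
            if tok == "-o":
                name, _, value = args[i + 1].partition("=")
                overrides[name] = value
        services[(f[0], f[1])] = overrides
    return services

def effective(param, service, main, master):
    """Resolve one parameter for one service: -o override, main.cf, default."""
    if param in master.get(service, {}):
        return master[service][param], "master.cf -o"
    if param in main:
        return main[param], "main.cf"
    return DEFAULTS.get(param, ""), "default"
```

Resolving content_filter for ("pickup", "fifo") returns the empty default, which matches the answer above: mail handed to sendmail(1) never picks up the filter set on the port 25 smtpd entry.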