Re: Taking over for another admin

2009-02-04 Thread Patrick Ben Koetter
* David Bishop :
> On Wed, Feb 04, 2009 at 07:31:23AM +0100, Martin Schmitt wrote:
> > David Bishop wrote:
> > 
> > > What are my options? I don't have a lot of experience with dovecot (it's
> > > been a few years for me) and thus don't really know anything about its 
> > > SASL implementation.  Should I move away from SASL completely?  Any
> > > suggestions (or requests for clarification) would be gratefully
> > > accepted.
> > 
> > I had written my own SASL implementation several years ago. Now I am in
> > the process of moving to Dovecot myself. It doesn't get any simpler than
> > Postfix+Dovecot.
> 
> 
> So are you recommending dropping courier for imap/pop completely? Or

Courier does read the complete maildir folder any time you access it. This
design decision has been made on purpose and will likely not change. Mr. Sam
told me so in an interview I made a year or so ago.

Dovecot on the other hand indexes maildir mailboxes when you access the
mailbox and, when using the Dovecot LDA deliver, updates the index whenever it
adds new mail to the mailbox.

The difference is: Courier uses a lot more resources than Dovecot. Ralf and I
had the amazing experience that load on a machine dropped from 60 (!) down to
2 when we exchanged Courier POP for Dovecot POP.

This alone is a reason to use Dovecot unless you have a good reason to waste
resources (and wait longer ...).

See  for a comparison of IMAP
servers and how they scale (on regular Intel hardware using RAID 5 and SATA
discs):

  System configuration
  Postfix 2.2.10
  Fujitsu-Siemens S150 T3
  Intel(R) Pentium(R) 4 CPU 3.60GHz
  3GB RAM
  store: 3 x 1 RAID-5



> just using the SASL portion of dovecot?  I guess I don't particularly
> care what imap/pop server I use, as long as it can use a
> crypted-password from a mysql database, and read/write maildir...

Dovecot can do that.

It is also under steady development. Timo does a real good job on his server.

p...@rick

-- 
The Book of Postfix

saslfinger (debugging SMTP AUTH):



postfix queue grep

2009-02-04 Thread Marc Silver

Hi guys,

First and foremost, apologies if this message shouldn't be going to this  
list, but it seemed like the logical place.


I have written a small tool for Postfix in Python that duplicates most of  
the functionality of exiqgrep, a tool that comes bundled with Exim making  
it easier for mail administrators to find messages in the queue.  I've  
been using it for a couple of months now with great success (Postfix  
2.3.3), so I thought I'd share it with the Postfix community in the hopes  
that some of you may find it useful.


The tool is available at http://draenor.org/public/python/pqgrep.py
Should you find any bugs/problems, please mail me.

Some examples:

 o List the message IDs for messages with a sender of x...@moo.com:
   pqgrep.py -s x...@moo.com -i

 o Show messages with a recipient of a...@b.c and provide log messages:
   pqgrep.py -r a...@b.c -l

 o Delete all messages from MAILER-DAEMON:
   for i in `pqgrep.py -s MAILER-DAEMON` ; do postsuper -d $i ; done

Thanks,
Marc
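
Marc's script is only linked above, so here is an added example of the same idea, written for this page and not Marc's code: a parser for the `postqueue -p` listing plus regex filters over the envelope sender and the recipients, which is the -s/-r/-i behaviour his examples show. The listing it runs on is constructed, not captured from a real queue.

```python
"""Filter a 'postqueue -p' listing by sender/recipient, in the spirit of pqgrep and exiqgrep."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed 'postqueue -p' output (not captured from a real server). The '*' and '!'
# flags after a queue ID mean active and on hold; a parenthesised line is the deferral reason.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     4567 Wed Feb  4 10:25:21  sender@example.com
                                         user@example.net

B2C3D4E5F6      1234 Wed Feb  4 09:10:00  MAILER-DAEMON
(connect to mx1.destdomain.tld[192.0.2.1]: Connection timed out)
                                         someone@destdomain.tld

C3D4E5F6A1!      890 Wed Feb  4 08:00:00  MAILER-DAEMON
                                         other@example.org
                                         user@example.net

-- 6 Kbytes in 3 Requests.
"""

STATUS = {"": "deferred", "*": "active", "!": "hold"}

# Queue-ID line: id, optional status flag, size, arrival time, envelope sender.
HEADER_RE = re.compile(
    r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)$"
)


@dataclass
class QueueEntry:
    queue_id: str
    status: str
    size: int
    arrival: str
    sender: str
    recipients: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def parse_queue(text: str) -> List[QueueEntry]:
    """Turn a postqueue -p listing into QueueEntry records."""
    entries: List[QueueEntry] = []
    current: Optional[QueueEntry] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("-Queue ID-") or line.startswith("--"):
            current = None  # blank line, column header or "-- N Kbytes" trailer
            continue
        m = HEADER_RE.match(line)
        if m:
            qid, flag, size, arrival, sender = m.groups()
            current = QueueEntry(qid, STATUS[flag], int(size), arrival, sender)
            entries.append(current)
        elif current is not None:
            if line.startswith("("):
                current.reasons.append(line.strip("()"))  # deferral reason
            else:
                current.recipients.append(line.strip())  # indented recipient line
    return entries


def grep_queue(entries: List[QueueEntry], sender: Optional[str] = None,
               recipient: Optional[str] = None) -> List[QueueEntry]:
    """Keep entries whose sender, and any recipient, match the given regexes (case-insensitive)."""
    s_re = re.compile(sender, re.IGNORECASE) if sender else None
    r_re = re.compile(recipient, re.IGNORECASE) if recipient else None
    hits = []
    for e in entries:
        if s_re and not s_re.search(e.sender):
            continue
        if r_re and not any(r_re.search(r) for r in e.recipients):
            continue
        hits.append(e)
    return hits


def queue_ids(entries: List[QueueEntry], sender: Optional[str] = None,
              recipient: Optional[str] = None) -> List[str]:
    """The -i style output: queue IDs only, ready to feed to postsuper -d."""
    return [e.queue_id for e in grep_queue(entries, sender, recipient)]


if __name__ == "__main__":
    # Live use would parse subprocess.run(["postqueue", "-p"], ...) output instead of the sample.
    entries = parse_queue(SAMPLE_QUEUE)
    for qid in queue_ids(entries, sender=r"^MAILER-DAEMON$"):
        print(qid)
```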


Re: Postfix mail archiving with maildrop

2009-02-04 Thread Gabor Hasenfrasz
I'll try to make that way today! Thanks for the advice!

2009/2/3 mouss 

> Gabor Hasenfrasz wrote:
> > Dear All,
> >
> > A company asked me to configure an archiving system on a postfix server.
> > After a little while I chose maildrop as the archiving solution.
> > I've configured main.cf to forward mails to a virtual
> > user which will be the collector. I've made a transport map to use
> > maildrop for this user. I've successfully made the archiving for outgoing
> > emails:
> >
> > if ( /^From:\s*(@domain.com )/ )
> > {
> > ADDR=getaddr($MATCH1)
> > ADDR=`echo $ADDR| sed '/^.*$/N;s/\r//g'`
> > `test -e /$DEFAULT/.${ADDR}SENT`
> >if ( $RETURNCODE != 0 )
> >   {
> >   `maildirmake -f "${ADDR}SENT" $DEFAULT`
> >   `chmod -R 0700 "/$DEFAULT/.${ADDR}SENT"`
> >   }
> > to "$DEFAULT/.${ADDR}SENT"
> > }
> >
>
> do not use headers. use the envelope. if you insist on using maildrop,
> run it with -f ${sender} and use $FROM.
>
> > It drops the email to the virtual user's folder which is collecting the
> > emails, and they will use it to restore emails if something happens.
> >
> > But with the incoming mails I have a problem. There are cases when the
> > sender sends the email to about 30 email accounts. In this case what
> > can I do? I've seen in the documentation that there is a foreach statement but
> > I can't figure out how I should use it.
> >
> > foreach ( /^To:\s*(@domain.com )/ )
>
> do not use headers.
>
> you should take time to read about envelope addresses. mail transport
> doesn't rely on headers.
>
> > {
> > ADDR=getaddr($MATCH1)
> > foreach $ADDR
> > {
> > `test -e /$DEFAULT/.${ADDR}INBOX`
> > if ( $RETURNCODE != 0 )
> > {
> > `maildirmake -f "${ADDR}INBOX" $DEFAULT`
> > `chmod -R 0700 "/$DEFAULT/.${ADDR}INBOX"`
> > }
> > cc "$DEFAULT/.${ADDR}INBOX"
> > }
> > }
> > In this case nothing happens. I've made a config where it could make a
> > folder like us...@domain1.com 
> > us...@domain.com  us...@domain3.com
> >  but it's not a good solution (especially for
> > a 200 characters :) ).
> >
> > Is there anybody who can write me the script which will make a copy for
> > all of the users' archive folders?
> >
>
> use recipient_bcc_maps and/or sender_bcc_maps with pcre (to keep the
> "original" address).
>


Re: PCRE help - unsTubscribe URL in body_check

2009-02-04 Thread Wietse Venema
Steven Redlich:
> /http:\/\/baddomain.com\/uTnsub\//

There is no error with this PCRE pattern. It works as expected
on my (non-Redhat) machine.

% cat /tmp/x
/http:\/\/baddomain.com\/uTnsub\// foo
% postmap -q - pcre:/tmp/x 

User getting back scattered

2009-02-04 Thread jeff donovan

Greetings

I have a user who is getting a ton of postmaster bounces. Whoever or whatever
is spamming is using her address as the return reply, so all the
bounces and postmaster warnings are coming back to her and filling up
her account.


How can I alleviate this? I can't seem to get a handle on where it's
coming from.


Thanks for the help

-jeff


Re: PCRE help - unsTubscribe URL in body_check

2009-02-04 Thread Marc Silver

Hi there,

I tested this on RHEL 5.2 and RHEL 5.3 and the PCRE matched correctly.

Cheers,
Marc

On Wed, 04 Feb 2009 13:51:36 +0200, Wietse Venema wrote:

> Steven Redlich:
> 
> > /http:\/\/baddomain.com\/uTnsub\//
> 
> There is no error with this PCRE pattern. It works as expected
> on my (non-Redhat) machine.
> 
> % cat /tmp/x
> /http:\/\/baddomain.com\/uTnsub\// foo
> % postmap -q - pcre:/tmp/x 

stripping null characters

2009-02-04 Thread Cory Coager
We have a mainframe client sending emails with the body containing null 
characters.  I found the message_strip_characters and 
message_reject_characters options could resolve this issue but I'm 
wondering if 'message_strip_characters = \0' could cause problems with 
attachments containing null characters?





The information contained in this communication is intended
only for the use of the recipient(s) named above. It may
contain information that is privileged or confidential, and
may be protected by State and/or Federal Regulations. If
the reader of this message is not the intended recipient,
you are hereby notified that any dissemination,
distribution, or copying of this communication, or any of
its contents, is strictly prohibited. If you have received
this communication in error, please return it to the sender
immediately and delete the original message and any copy
of it from your computer system. If you have any questions
concerning this message, please contact the sender.




Re: Taking over for another admin

2009-02-04 Thread Charles Marcus
On 2/4/2009, David Bishop (t...@gnuconsulting.com) wrote:
> So are you recommending dropping courier for imap/pop completely? Or
> just using the SASL portion of dovecot?  I guess I don't particularly
> care what imap/pop server I use, as long as it can use a
> crypted-password from a mysql database, and read/write maildir...

I highly recommend changing to dovecot if you have the opportunity...
the performance difference is incredible, as Patrick pointed out, and I
have to say, Timo does far more than a 'good job' on dovecot... he
usually will have a fix for a well reported bug within hours, if not
sooner (depends on if he is sleeping or not when it is reported I
guess)... :)

-- 

Best regards,

Charles


Re: stripping null characters

2009-02-04 Thread Kenneth Marshall
On Wed, Feb 04, 2009 at 09:08:57AM -0500, Cory Coager wrote:
> We have a mainframe client sending emails with the body containing null 
> characters.  I found the message_strip_characters and 
> message_reject_characters options could resolve this issue but I'm 
> wondering if 'message_strip_characters = \0' could cause problems with 
> attachments containing null characters?
>
Attachments should be encoded so you will be fine.

Ken


Re: User getting back scattered

2009-02-04 Thread jeff donovan


On Feb 4, 2009, at 9:47 AM, Brian Evans - Postfix List wrote:


> jeff donovan wrote:
> 
> > here is a sample of the bounce: I have modified the real users name.
> >
> > Article rejected, un-authorized poster of realusern...@beth.k12.pa.us
> > Received: from XDYHONJUP [189.22.134.132] by john23.com with ESMTP
> >  (SMTPD32-8.00) id A6C57D10052; Wed, 04 Feb 2009 08:23:17 -0500
> > Received: from 189.22.134.132 by mail2.beth.k12.pa.us; Wed, 4 Feb 2009 11:22:50 -0300
> 
> If this is to be believed, then:
> grkni...@mx1 ~ $ host 132.134.22.189.zen.spamhaus.org
> 132.134.22.189.zen.spamhaus.org has address 127.0.0.4
> 
> Zen wins again and this is spam accepted by your server and not
> BackScatter.
> 
> Check logs to verify this is not forged.
> 
> Brian



Thanks Brian. I guess this is a bad example. I picked one out of a
hat. I have zen listed.


I have placed these two lines in my config. Hopefully this will
eliminate some of the bounce messages.



header_checks:

if /^Received:/
/^Received: +from +(beth\.k12\.pa\.us) +/ reject forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)/ reject forged client name in Received: header: $2
/^Received:.* +by +(beth\.k12\.pa\.us)\b/ reject forged mail server name in Received: header: $1
endif

body_checks:

if /^[> ]*Received:/
/^[> ]*Received: +from +(beth\.k12\.pa\.us) / reject forged client name in Received: header: $1
/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)/ reject forged client name in Received: header: $2
/^[> ]*Received:.* +by +(beth\.k12\.pa\.us)\b/ reject forged mail server name in Received: header: $1
endif
/^[> ]*Message-ID:.*@(beth\.k12\.pa\.us)/ reject forged domain name in Message-ID: header: $1


Understanding Message Headers

2009-02-04 Thread Carlos Williams
I received an email this morning that I was confused / concerned by. I
am looking at the headers however I am not sure exactly how to make
this out. This is obviously spam and I did not send myself spam.
The sender shows my email address as well as the recipient address
however when I view the full message headers, I can see the 'Return
Path' is to a different address. Does that mean that the headers were
spoofed to look
like I was the sender? Just trying to understand how to read this and
also make sure I don't have a serious problem here.

Return-Path: 
X-Original-To: carlosw...@example.com
Delivered-To: carlosw...@example.com
Received: from localhost (localhost [127.0.0.1])
 by $my_mail_server (Postfix) with ESMTP id 9D1FD1FA4BBF
 for ; Wed,  4 Feb 2009 07:59:01 -0500 (EST)
Received: from $my_mail_server ([127.0.0.1])
 by localhost ($my_mail_server [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id tax+kKxS6xrS for ; Wed,  4 Feb 2009 07:58:59 -0500 (EST)
Received: from amerblind.outbound.ed10.com (pfz2203.tam.ne.jp [210.133.173.203])
 by $my_mail_server (Postfix) with SMTP id 935711FA4B51
 for ; Wed,  4 Feb 2009 07:58:58 -0500 (EST)


Re: Mail sits in queue

2009-02-04 Thread Victor Duchovni
On Wed, Feb 04, 2009 at 08:58:17AM -0500, Doug Jaquays wrote:

> > - The "pickup" fifo has been deleted from /var/spool/postfix/public
> > 
> > Make sure $queue_directory contains a private/pickup fifo.
> 
> This is a /var/spool/postfix/public/pickup fifo, there is not a 
> /var/spool/postfix/private/pickup fifo

As you can tell from the first of the two lines, it is indeed "public" not
"private".

> > - The O/S is buggy
> > 
> > Disable SELinux, App-armor, ...
> 
> This is entirely possible, though we have other SLES servers running
> the same environment without issue.  I did just turn off AppArmor on
> the server with this problem, so we'll see what happens.

Is the Postfix queue stored on an NFS server? Is the system clock correct?
Otherwise, report your findings post AppArmor, ...

Does:

# postkick public pickup W

move mail out of the queue in a more timely fashion?

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: User getting back scattered

2009-02-04 Thread Paweł Leśniak



> body check
> if /^[> ]*Received:/
> /^[> ]*Received: +from +(beth\.k12\.pa\.us) / reject forged client name in Received: header: $1
> /^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)/ reject forged client name in Received: header: $2
> /^[> ]*Received:.* +by +(beth\.k12\.pa\.us)\b/ reject forged mail server name in Received: header: $1
> 
> endif
> /^[> ]*Message-ID:.*@(beth\.k12\.pa\.us)/ reject forged domain name in Message-ID: header: $1


At least the last part of the rule is incorrect. Peeking at the headers of your
message to this mailing list we can see:


Message-Id: 

So this is probably not what you really want, to block a message
containing this in the body, because this way you'll block legitimate
replies from mailer-daemon.
Also have a look at the archives of this mailing list. I started a thread
on backscatter on January 26th and got some good ideas (replies) on how
to resolve the problem.



Pawel
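
To see what the posted rules actually match before putting them in production, here is an added example (mine, not from this thread or from Postfix) that dry-runs a pcre body_checks table with if/endif blocks under Python's re module, which accepts these patterns, with the case-insensitive default of pcre_table(5). Run on constructed bodies it shows that the forged header quoted earlier in the thread (`by mail2.beth.k12.pa.us`) is not caught by rules that look for the bare domain after `from`/`by`, and it reproduces Paweł's concern: a remote bounce quoting a Message-Id of the form `<...@beth.k12.pa.us>` is rejected, while one quoting `<...@imap1.beth.k12.pa.us>` is not.

```python
"""Dry-run a Postfix pcre body_checks table (with if/endif blocks) against sample bodies."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The body_checks rules posted in this thread, one rule per line.
BODY_CHECKS = r"""
if /^[> ]*Received:/
/^[> ]*Received: +from +(beth\.k12\.pa\.us) / reject forged client name in Received: header: $1
/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)/ reject forged client name in Received: header: $2
/^[> ]*Received:.* +by +(beth\.k12\.pa\.us)\b/ reject forged mail server name in Received: header: $1
endif
/^[> ]*Message-ID:.*@(beth\.k12\.pa\.us)/ reject forged domain name in Message-ID: header: $1
"""

# Constructed sample bodies (not captured mail). The first quotes the forged Received:
# lines shown earlier in this thread; the others mimic a remote MTA's bounce that quotes
# the headers of a message a local user really sent.
FORGED_FROM_THREAD = """\
Received: from XDYHONJUP [189.22.134.132] by john23.com with ESMTP
Received: from 189.22.134.132 by mail2.beth.k12.pa.us; Wed, 4 Feb 2009 11:22:50 -0300
"""
LEGIT_BOUNCE_BARE_DOMAIN = """\
This is the mail system at host mx.example.net. Your message could not be delivered.
> Received: from mx1.beth.k12.pa.us (mx1.beth.k12.pa.us [192.0.2.6]) by mx.example.net (Postfix)
> Message-Id: <20090204120000.ABC123@beth.k12.pa.us>
"""
LEGIT_BOUNCE_HOST_QUALIFIED = LEGIT_BOUNCE_BARE_DOMAIN.replace("@beth.k12.pa.us>", "@imap1.beth.k12.pa.us>")

# "if /pat/flags" or "/pat/flags action"; a pattern ends at the first unescaped slash.
RULE_RE = re.compile(r"^(if\s+)?/((?:\\.|[^/\\])*)/([a-zA-Z]*)\s*(.*)$")


@dataclass
class Rule:
    pattern: re.Pattern
    action: str
    guard: Optional[re.Pattern]  # enclosing "if" pattern, or None at top level


def parse_body_checks(table: str) -> List[Rule]:
    """Parse a pcre: table; per pcre_table(5) matching is case-insensitive unless 'i' toggles it."""
    rules: List[Rule] = []
    guard: Optional[re.Pattern] = None
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            guard = None
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse rule: {line}")
        is_if, pattern, flags, action = m.groups()
        compiled = re.compile(pattern, 0 if "i" in flags else re.IGNORECASE)
        if is_if:
            guard = compiled
        else:
            rules.append(Rule(compiled, action, guard))
    return rules


def check_body(rules: List[Rule], body: str) -> Optional[str]:
    """Return the action of the first rule matching any body line ($N expanded), or None."""
    for line in body.splitlines():
        for rule in rules:
            if rule.guard is not None and not rule.guard.search(line):
                continue  # inside if/endif: only lines matching the guard are tested
            m = rule.pattern.search(line)
            if m:
                return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", rule.action)
    return None


if __name__ == "__main__":
    rules = parse_body_checks(BODY_CHECKS)
    for name, body in [("forged header from thread", FORGED_FROM_THREAD),
                       ("bounce quoting <...@beth.k12.pa.us>", LEGIT_BOUNCE_BARE_DOMAIN),
                       ("bounce quoting <...@imap1.beth.k12.pa.us>", LEGIT_BOUNCE_HOST_QUALIFIED)]:
        print(f"{name}: {check_body(rules, body) or 'no match'}")
```

For a test against the real engine, feed the same lines to `postmap -q - pcre:/path/to/body_checks`, as Wietse does above.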



DSN on deferring

2009-02-04 Thread Rocco Scappatura
Hello,

When I send a message to a nonexistent email address and the receiving
MTA is down, like in the following example:

av4 mail 16:46:22 postfix/smtp[27440]: 11BD7750296: to=, relay=none, delay=10,
delays=0.03/0/10/0, dsn=4.4.1, status=deferred (connect to
mx1.destdomain.tld[xxx.yyy.zzz.111]: Connection timed out)

I don't get any notification about the status of delivery :-(.

I don't think that this is normal. Anyway, I don't understand if I'm
doing something wrong in my Postfix configuration, or if it is the receiving side
that is misconfigured. Could somebody help me?

rocsca


Re: TimeOut issues

2009-02-04 Thread Victor Duchovni
On Wed, Feb 04, 2009 at 08:52:45AM -0600, Matthew Hebert wrote:

> smtpd_recipient_restrictions =
> reject_non_fqdn_recipient
> reject_non_fqdn_sender
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> reject_unverified_recipient
> permit_mynetworks
> check_sender_access hash:/etc/postfix/sender_access
> check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions

Open relay!

> reject_unverified_recipient
> reject_unauth_destination

Move the sender checks below "reject_unauth_destination" or into
smtpd_sender_restrictions.


> reject_unauth_pipelining
> reject_invalid_hostname
> reject_non_fqdn_hostname
> reject_rbl_client sbl-xbl.spamhaus.org

Use zen.spamhaus.org instead, it is far more effective, with negligible
FPs.

> reject_rbl_client list.dsbl.org

This RBL is long dead. Remove it from your configuration.

> reject_rbl_client bl.spamcop.net
> reject_rhsbl_sender dsn.rfc-ignorant.org

Not wise for outright SMTP rejects, too many FPs, and does not directly
address spam. Remove this RBL.

> permit

Make sure you have a correctly configured local DNS cache.

Report your findings after fixing the above.

-- 
Viktor.


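Viktor's "Open relay!" above can be checked mechanically: the two check_sender_access tables sit before reject_unauth_destination, so any OK entry in them would permit relaying to any destination. The following is an added example, not part of the thread and not Postfix code: a small Python lint that reads the posted smtpd_recipient_restrictions from a constructed main.cf excerpt, flags permissive restrictions that precede the relay guard, and prints the list reordered as Viktor suggests.

```python
"""Lint the order of smtpd_recipient_restrictions for the relay hole pointed out above."""
from typing import Dict, List, Tuple

# Constructed main.cf excerpt reproducing the restriction list posted in this thread
# (indentation restored); it is not the poster's actual file.
MAIN_CF = """\
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unverified_recipient
    permit_mynetworks
    check_sender_access hash:/etc/postfix/sender_access
    check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
    reject_unverified_recipient
    reject_unauth_destination
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client list.dsbl.org
    reject_rbl_client bl.spamcop.net
    reject_rhsbl_sender dsn.rfc-ignorant.org
    permit
smtpd_sasl_auth_enable = no
"""

Restriction = Tuple[str, str]  # (restriction name, argument or "")

# Restrictions that consume one argument (lookup table, DNSBL zone, policy service).
TAKES_ARGUMENT = ("check_", "reject_rbl_client", "reject_rhsbl_")
# Permits that only fire for our own clients or our own domains; they belong before the guard.
RELAY_SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'name = value', with indented lines continuing the value."""
    params: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
        else:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params


def parse_restrictions(value: str) -> List[Restriction]:
    """Split a restriction list into (name, argument) pairs."""
    tokens = value.replace(",", " ").split()
    out: List[Restriction] = []
    i = 0
    while i < len(tokens):
        if tokens[i].startswith(TAKES_ARGUMENT) and i + 1 < len(tokens):
            out.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            out.append((tokens[i], ""))
            i += 1
    return out


def can_permit_relay(name: str) -> bool:
    """True if the restriction may return OK for a recipient outside our own domains."""
    if name in RELAY_SAFE_PERMITS:
        return False
    return name == "permit" or name.startswith(("check_", "permit_"))


def lint_relay_order(restrictions: List[Restriction]) -> List[str]:
    """Report every restriction that can permit a recipient before the relay guard is reached."""
    guard = next((i for i, (n, _) in enumerate(restrictions) if n in RELAY_GUARDS), None)
    if guard is None:
        return ["no reject_unauth_destination: this is an open relay"]
    return [f"{n} {a}".strip() + " precedes reject_unauth_destination: an OK result relays to any destination"
            for n, a in restrictions[:guard] if can_permit_relay(n)]


def move_below_guard(restrictions: List[Restriction]) -> List[Restriction]:
    """Return the list with offending entries moved to just after the relay guard."""
    guard = next(i for i, (n, _) in enumerate(restrictions) if n in RELAY_GUARDS)
    head = restrictions[:guard]
    kept = [r for r in head if not can_permit_relay(r[0])]
    moved = [r for r in head if can_permit_relay(r[0])]
    return kept + [restrictions[guard]] + moved + restrictions[guard + 1:]


def render(restrictions: List[Restriction]) -> str:
    """Render the list back in main.cf form."""
    return "smtpd_recipient_restrictions =\n" + "\n".join(f"    {n} {a}".rstrip() for n, a in restrictions)


if __name__ == "__main__":
    rules = parse_restrictions(parse_main_cf(MAIN_CF)["smtpd_recipient_restrictions"])
    for finding in lint_relay_order(rules):
        print("WARNING:", finding)
    print(render(move_below_guard(rules)))
```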

Re: Understanding Message Headers

2009-02-04 Thread Doug Jaquays
Carlos,

  The important piece of the headers when you're trying to figure out if the
headers are spoofed or your smtp config is broken is the Received from/by lines.
See below.

>>> On Wed, Feb 4, 2009 at 10:55 AM, Carlos Williams  
>>> wrote:

> I received an email this morning that I was confused / concerned by. I
> am looking at the headers however I am not sure exactly how to make
> this out. This is obviously spam and I did not send myself spam.
> The sender shows my email address as well as the recipient address
> however when I view the full message headers, I can see the 'Return
> Path' is to a different address. Does that mean that the headers were
> spoofed to look
> like I was the sender? Just trying to understand how to read this and
> also make sure I don't have a serious problem here.
> 
> Return-Path: 
> X-Original-To: carlosw...@example.com
> Delivered-To: carlosw...@example.com
> Received: from localhost (localhost [127.0.0.1])  by $my_mail_server
> (Postfix) with ESMTP id 9D1FD1FA4BBF  for ;
> Wed,  4 Feb 2009 07:59:01 -0500 (EST)
> Received: from $my_mail_server ([127.0.0.1])  by localhost
> ($my_mail_server [127.0.0.1]) (amavisd-new, port 10024)   with ESMTP id

These two lines show your mail routing through amavisd

> tax+kKxS6xrS for ;Wed,  4 Feb 2009 07:58:59
> -0500 (EST)
> Received: from amerblind.outbound.ed10.com (pfz2203.tam.ne.jp
> [210.133.173.203])by $my_mail_server (Postfix) with SMTP id

These lines show the originating server, which I'm guessing you are not 
associated with at all.

> 935711FA4B51  for ; Wed,  4 Feb 2009 07:58:58
> -0500 (EST)

-Doug

This email may contain confidential and privileged material for the sole use
of the intended recipient and MSU-KCMS. Any review or distribution
by others is strictly prohibited. If you are not the intended recipient,
please contact the sender and delete all copies.


Re: DSN on deferring

2009-02-04 Thread Brian Evans - Postfix List
Rocco Scappatura wrote:
> Hello,
>
> When I send a message to an inexistent email address and the receiving
> MTA is down, like the following example:
>
> av4 mail 16:46:22 postfix/smtp[27440]: 11BD7750296: to=, relay=none, delay=10,
> delays=0.03/0/10/0, dsn=4.4.1, status=deferred (connect to
> mx1.destdomain.tld[xxx.yyy.zzz.111]: Connection timed out)
>
> I don't get any notification about the status of delivery :-(.
>
> I don't think that this is normal. Anyway I don't understand if I'm
> wrong something in my Postfix configuration, or is the receiving part
> that is missconfigured.. Could somebody help me?
>
> rocsca
>   
Postfix queues mail up to maximal_queue_lifetime (default: 5d).
To receive notice of deferred mail, set delay_warning_time (see
http://www.postfix.org/postconf.5.html#delay_warning_time )

To check DNS at receipt time, add reject_unknown_recipient_domain before
permit_mynetworks in smtpd_recipient_restrictions.
(NOTE: if DNS/network fails, all messages could be rejected.  Setup a
local DNS caching server to help prevent this)

Brian


Re: Taking over for another admin

2009-02-04 Thread David Bishop
On Wed, Feb 04, 2009 at 09:12:10AM -0500, Charles Marcus wrote:
> I highly recommend changing to dovecot if you have the opportunity...
> the performance difference is incredible, as Patrick pointed out, and I
> have to say, Timo does far more than a 'good job' on dovecot... he
> usually will have a fix for a well reported bug within hours, if not
> sooner (depends on if he is sleeping or not when it is reported I
> guess)... :)
 

So, the group-mind consensus is to use the following for a (relatively)
small virtual-hosting mail environment:

postfix (obviously) + dovecot's SASL for smtp-auth and maildir
dovecot for imap/pop
maia for spam/virus filtering (with clamav)

Anyone of a contrary mindset?  Like I said, I have a rare opportunity
here to build (mostly) from scratch, and as such would like to do it
right...

David




Re: Mail sits in queue

2009-02-04 Thread Doug Jaquays
>>> On Tue, Feb 3, 2009 at  1:49 PM, Victor Duchovni
 wrote: 
> On Tue, Feb 03, 2009 at 01:34:10PM -0500, Brian Evans - Postfix List wrote:
> 
>> The php mail() command (on *nix) defaults to come in through the pickup
>> daemon (using the sendmail(1) command).
>> It can also be sent in via the smtpd daemon.
>> 
>> Intentionally send a message through your app and immediately check your
>> log.
>> Read and understand entry to delivery(or relay).
>> 
>> If you need assistance with the logs, please post a transaction here.
> 
> No log messages are generated when mail is deposited in the "maildrop"
> queue. If "pickup" is not finding the mail in a timely fashion it is
> because:
> 
> - The "pickup" master.cf entry is busted (no wakeup timer)
> 
>   pickupfifo  n   -   n   60  1   pickup

This line appears correct.  There is no difference between it and the pickup 
lines in the other postfix installations we have that work properly.

> 
> - The "pickup" fifo has been deleted from /var/spool/postfix/public
> 
>   Make sure $queue_directory contains a private/pickup fifo.

This is a /var/spool/postfix/public/pickup fifo, there is not a 
/var/spool/postfix/private/pickup fifo

> 
> - File permissions are wrong
>   
>   postfix set-permissions

I didn't see anything wrong, and it would seem that permissions would 
completely stop delivery not just stop it until something jolts it back into 
action.

>   
> - The O/S is buggy
> 
>   Disable SELinux, App-armor, ...

This is entirely possible, though we have other SLES servers running the same 
environment without issue.  I did just turn off AppArmor on the server with 
this problem, so we'll see what happens.

>   
>   or 
I'm guessing this won't help :)

-Doug



Re: Taking over for another admin

2009-02-04 Thread Udo Rader

Patrick Ben Koetter wrote:
> * David Bishop :
> > On Wed, Feb 04, 2009 at 07:31:23AM +0100, Martin Schmitt wrote:
> > > David Bishop wrote:
> > > 
> > > > What are my options? I don't have a lot of experience with dovecot (it's
> > > > been a few years for me) and thus don't really know anything about its 
> > > > SASL implementation.  Should I move away from SASL completely?  Any
> > > > suggestions (or requests for clarification) would be gratefully
> > > > accepted.
> > > 
> > > I had written my own SASL implementation several years ago. Now I am in
> > > the process of moving to Dovecot myself. It doesn't get any simpler than
> > > Postfix+Dovecot.
> > 
> > So are you recommending dropping courier for imap/pop completely? Or
> 
> Courier does read the complete maildir folder any time you access it. This
> design decision has been made on purpose and will likely not change. Mr. Sam
> told me so in an interview I made a year or so ago.
> 
> Dovecot on the other hand indexes maildir mailboxes when you access the
> mailbox and, when using the Dovecot LDA deliver, updates the index whenever it
> adds new mail to the mailbox.
> 
> The difference is: Courier uses a lot more resources than Dovecot. Ralf and I
> had the amazing experience that load on a machine dropped from 60 (!) down to
> 2 when we exchanged Courier POP for Dovecot POP.
> 
> This alone is a reason to use Dovecot unless you have a good reason to waste
> resources (and wait longer ...).
> 
> See  for a comparison of IMAP
> servers and how they scale (on regular Intel hardware using RAID 5 and SATA
> discs):
> 
>   System configuration
>   Postfix 2.2.10
>   Fujitsu-Siemens S150 T3
>   Intel(R) Pentium(R) 4 CPU 3.60GHz
>   3GB RAM
>   store: 3 x 1 RAID-5
> 
> > just using the SASL portion of dovecot?  I guess I don't particularly
> > care what imap/pop server I use, as long as it can use a
> > crypted-password from a mysql database, and read/write maildir...
> 
> Dovecot can do that.


Hmm, I've never heard of dovecot being able to deal with non-plaintext 
passwords in connection with SASL. Are you sure that that can be done 
without patching?


--
Udo Rader
http://www.bestsolution.at



Re: Taking over for another admin

2009-02-04 Thread Eray Aslan
On 04.02.2009 18:14, David Bishop wrote:
[...]
> So, the group-mind consensus is to use the following for a (relatively)
> small virtual-hosting mail environment:
> 
> postfix (obviously) + dovecot's SASL for smtp-auth and maildir
> dovecot for imap/pop
> maia for spam/virus filtering (with clamav)

Is maia really necessary for your setup?  Consider just "tag and
deliver" (possibly to a separate folder) with amavisd-new and let the
user decide what to do with spam.

-- 
Eray

> Anyone of a contrary mindset?  Like I said, I have a rare opportunity
> here to build (mostly) from scratch, and as such would like to do it
> right...
> 
> David



TimeOut issues

2009-02-04 Thread Matthew Hebert
Thanks in advance for any feedback.

Our Postfix server is a gateway that forwards email to an internal
SPAM server configured to communicate with GroupWise.

We have noticed a recent slow down in email delivery to and from our
Postfix Servers.  The queues do not show any email build up.

When attempting to telnet to port 25 it may take 1 to 60 seconds before
the connected message appears, and it may take another 10-60 seconds for
the banner to show up.

It may also time out and disconnect your session.

Depending on the sender's retry intervals on their mail server, it may
take up to 30 minutes to a day.

No changes to the config files were done prior to noticing the slow
email delivery.

Our environment
postfix-2.2.9-10.2
sles 10
clamav-0.88.2-3.2
amavisd-new-2.3.3-17.2

My main.cf:
address_verify_map = btree:/etc/postfix/verify
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_size_limit = 31457280
minimal_backoff_time = 1000s
mydestination = $myhostname localhost.$mydomain
    localhost $mydomain
mydomain = mydomain.com
myhostname = myhostname.com
mynetworks = 10.XXX,XXX,XXX, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 1000s
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_banner = $myhostname NO UCE ESMTP (NO UCE)
smtpd_client_restrictions =
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unverified_recipient
    permit_mynetworks
    check_sender_access hash:/etc/postfix/sender_access
    check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
    reject_unverified_recipient
    reject_unauth_destination
    reject_unauth_pipelining
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client list.dsbl.org
    reject_rbl_client bl.spamcop.net
    reject_rhsbl_sender dsn.rfc-ignorant.org
    permit
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains =
    myvirtual1.com
    myvirtual2.com

Again any help would be appreciated.

Thanks,

Matt


-- 
Matthew Hebert
mbheb...@gmail.com


Re: User getting back scattered

2009-02-04 Thread jeff donovan


On Feb 4, 2009, at 8:59 AM, Matthias Andree wrote:

> On 04.02.2009, 14:42, jeff donovan wrote:
> 
> > Greetings
> > 
> > I have a user who is getting a ton of postmaster bounces. Whoever or
> > whatever is spamming is using her address as the return reply, so
> > all the bounces and postmaster warnings are coming back to her and
> > filling up her account.
> > 
> > How can I alleviate this? I can't seem to get a handle on where
> > it's coming from.
> 
> Have you read BACKSCATTER_README yet? If not, I'd recommend it, it
> has some pointers on where to start.
> Run the command "postconf readme_directory" to find the directory
> that is supposed to contain said document on your system.
> 
> --
> Matthias Andree



Greetings and thanks for the reply.
Yes, I read http://www.postfix.org/BACKSCATTER_README.html

and it looks like this is just what I need. Before I place a header or
body check I want to make sure I'm blocking it correctly.



Are the sample body checks going to work in my case?

thanks
-jeff



here is a sample of the bounce: I have modified the real users name.


Return-Path: 
Received: from murder ([unix socket])
 by imap1.beth.k12.pa.us (Cyrus v2.2.12-OS X 10.4.8) with LMTPA;
 Wed, 04 Feb 2009 08:21:51 -0500
X-Sieve: CMU Sieve 2.2
Received: from smtp2.beth.k12.pa.us (smtp2.beth.k12.pa.us [10.135.1.8])
 by imap1.beth.k12.pa.us (Postfix) with ESMTP id 7C6C214F7845
 for ; Wed, 4 Feb 2009 08:21:51 -0500 (EST)
Received: from localhost (mx1.beth.k12.pa.us [10.135.1.6])
 by smtp2.beth.k12.pa.us (Postfix) with ESMTP id 0D714F3AA34
 for ; Wed, 4 Feb 2009 08:24:00 -0500 (EST)
Received: from mx1.beth.k12.pa.us ([127.0.0.1])
 by localhost (mx1.beth.k12.pa.us [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 08743-07 for ;
 Wed, 4 Feb 2009 08:25:03 -0500 (EST)
Received: from mail2.beth.k12.pa.us (mail2.beth.k12.pa.us [192.227.0.10])
 by mx1.beth.k12.pa.us (Postfix) with ESMTP id 7065953ED5D4
 for ; Wed, 4 Feb 2009 08:25:02 -0500 (EST)
Received: from john23.com (john23.com [216.117.171.26])
 by mail2.beth.k12.pa.us (Postfix) with ESMTP id 3BA40811002
 for ; Wed, 4 Feb 2009 08:23:52 -0500 (EST)
Date: Wed, 4 Feb 2009 08:23:51 -0500
Message-Id: <20090204082351236.aa72e1c...@john23.com>
From: financecouncil-ow...@john23.com
To: realusern...@beth.k12.pa.us
Subject: Article rejected, un-authorized poster of realusern...@beth.k12.pa.us
X-Spam-Status: No, hits=0.537 tagged_above=-999 required=5
 tests=ADDRESS_IN_SUBJECT, BAYES_00, NO_REAL_NAME
X-Spam-Level:


Article rejected, un-authorized poster of realusern...@beth.k12.pa.us
Received: from XDYHONJUP [189.22.134.132] by john23.com with ESMTP
  (SMTPD32-8.00) id A6C57D10052; Wed, 04 Feb 2009 08:23:17 -0500
Received: from 189.22.134.132 by mail2.beth.k12.pa.us; Wed, 4 Feb 2009 11:22:50 -0300

Date:Wed, 4 Feb 2009 11:22:50 -0300
From:"Leann Norris" <51dzoxaw0...@beth.k12.pa.us>
X-Mailer: The Bat! (v3.5.25) Professional
Reply-To: realusern...@beth.k12.pa.us
X-Priority: 3 (Normal)
Message-ID: <>
To: dde...@john23.com
Subject: Crazy sale prices  hmf kqqpoaxd
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="--5EE5E1DDB4291CD2"

5EE5E1DDB4291CD2
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit


http://lineyakiq.cn


Get beautiful women easily


- Get the desired act duration
- Get hard-on of one passing thought
- Make your activity last more
5EE5E1DDB4291CD2
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 7bit






http://lineyakiq.cn


Get beautiful women easily



- Get the desired act duration
- Get hard-on of one passing thought
- Make your activity last more


5EE5E1DDB4291CD2--


Re: User getting back scattered

2009-02-04 Thread Brian Evans - Postfix List
jeff donovan wrote:
> here is a sample of the bounce: I have modified the real users name.
>
>
>
> Article rejected, un-authorized poster of realusern...@beth.k12.pa.us
> Received: from XDYHONJUP [189.22.134.132] by john23.com with ESMTP
>   (SMTPD32-8.00) id A6C57D10052; Wed, 04 Feb 2009 08:23:17 -0500
> Received: from 189.22.134.132 by mail2.beth.k12.pa.us; Wed, 4 Feb 2009
> 11:22:50 -0300
If this is to be believed, then:
grkni...@mx1 ~ $ host 132.134.22.189.zen.spamhaus.org
132.134.22.189.zen.spamhaus.org has address 127.0.0.4

Zen wins again and this is spam accepted by your server and not BackScatter.
Check logs to verify this is not forged.

Brian


Re: postfix queue grep

2009-02-04 Thread Victor Duchovni
On Wed, Feb 04, 2009 at 10:25:21AM +0200, Marc Silver wrote:

>
> The tool is available at http://draenor.org/public/python/pqgrep.py
> Should you find any bugs/problems, please mail me.

The regexp parser is IMHO too fuzzy for production use outside your
own environment. It will generate false positives with sufficiently
interesting remote error messages, sender or recipient addresses in the
"postqueue -p" output. You need a more context aware parser.

> Some examples:
>
>  o List the message ID's for messages with a sender off x...@moo.com:
>pqgrep.py -s x...@moo.com -i

Note, it is best to not call a "queue-id" a "message ID".

>  o Show messages with a recipient of a...@b.c and provide log messages:
>pqgrep.py -r a...@b.c -l
>
>  o Delete all messages from MAILER-DAEMON:
>for i in `pqgrep.py -s MAILER-DAEMON` ; do postsuper -d $i ; done

This is subject to race conditions. To safely delete messages, they have
to be moved (postsuper -h) out of the "active" queue, re-scanned to ensure
they still meet the original criteria, selectively deleted, and the FPs
moved back into the deferred queue (via postsuper -H); you can then
flush FPs back into the incoming queue via "postqueue -i".

[ Wietse is it safe to move queue files active -> hold -> incoming in
  a short time? Could some recipients be delivered twice by two delivery
  agents in parallel (both deliveries starting after the second incoming
  to active transition)? ]

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
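As an added example for the two points above (it is not part of this thread, and it is neither pqgrep.py nor Postfix code), here is a parser that treats the "postqueue -p" listing as records rather than lines, so that an address quoted inside a deferral reason cannot be mistaken for a sender, together with the hold / re-scan / delete-or-release sequence from the reply expressed as the postsuper commands it would run. The listing it parses is constructed; the moo.com address in the second entry's error text is there on purpose to show what a line-oriented grep gets wrong.

```python
"""Context-aware parser for "postqueue -p" output, plus the hold/re-check/
delete sequence described above.

Added example for this thread; it is not pqgrep.py and not Postfix code.
SAMPLE_QUEUE is a constructed listing: the second entry's deferral reason
deliberately quotes a moo.com address, the kind of "interesting remote
error message" that makes a line-oriented grep return the wrong queue ID.
"""
import re
from dataclasses import dataclass, field

SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     2314 Wed Feb  4 10:25:21  xyz@moo.com
                                         alice@example.net

F6A7B8C9D0      5120 Wed Feb  4 09:58:02  MAILER-DAEMON
(host mx.example.org[192.0.2.25] said: 550 5.1.1 <xyz@moo.com>: Recipient address rejected (in reply to RCPT TO command))
                                         bob@example.org

0D1E2F3A4B!     1000 Wed Feb  4 08:00:00  MAILER-DAEMON
                                         carol@example.com

-- 8 Kbytes in 3 Requests.
"""

# First line of an entry: queue ID, optional "*" (active) or "!" (hold),
# size, arrival time, envelope sender ("MAILER-DAEMON" stands for <>).
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)


@dataclass
class QueueEntry:
    qid: str
    state: str                  # "active", "hold" or "deferred/incoming"
    size: int
    sender: str
    recipients: list = field(default_factory=list)
    reason: str = ""            # last deferral reason, if the listing shows one


def parse_postqueue(text):
    """Parse the listing into QueueEntry objects, one per queue file."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-Queue ID-") or line.startswith("-- "):
            continue                        # header, footer, entry separator
        m = ENTRY_RE.match(line)
        if m:
            state = {"*": "active", "!": "hold"}.get(m["flag"], "deferred/incoming")
            current = QueueEntry(m["qid"], state, int(m["size"]), m["sender"])
            entries.append(current)
        elif line.startswith("(") and current is not None:
            current.reason = line[1:-1]     # "(reason)" line that follows the entry
        elif line.startswith(" ") and current is not None:
            current.recipients.append(line.strip())
        else:
            raise ValueError("unrecognised postqueue line: %r" % line)
    return entries


def select(entries, sender=None, recipient=None, reason_contains=None):
    """Match on parsed envelope fields; the reason text is only searched
    when asked for and is never mistaken for a sender or recipient."""
    out = []
    for e in entries:
        if sender is not None and e.sender.lower() != sender.lower():
            continue
        if recipient is not None and recipient.lower() not in [r.lower() for r in e.recipients]:
            continue
        if reason_contains is not None and reason_contains not in e.reason:
            continue
        out.append(e)
    return out


def naive_grep(text, needle):
    """What a line-oriented grep over the listing does: any entry whose text
    mentions the needle anywhere, including inside the deferral reason."""
    hits = []
    for block in text.split("\n\n"):
        ids = [ENTRY_RE.match(l)["qid"] for l in block.splitlines() if ENTRY_RE.match(l)]
        if ids and needle in block:
            hits.append(ids[0])
    return hits


def safe_delete_plan(first_scan, rescan, **criteria):
    """The race-free sequence from the reply above, as the postsuper commands
    to run: hold every match, re-list the queue, then delete the held entries
    that still match and release (postsuper -H) the ones that no longer do."""
    held = [e.qid for e in select(first_scan, **criteria)]
    plan = ["postsuper -h %s" % q for q in held]
    still = {e.qid for e in select(rescan, **criteria)}
    for e in rescan:
        if e.qid in held and e.state == "hold":
            plan.append("postsuper -%s %s" % ("d" if e.qid in still else "H", e.qid))
    return plan
```

In real use the "rescan" argument is a second parse of "postqueue -p" taken after the holds have been applied; selecting on the deferral reason is exactly the case where the second scan can disagree with the first, because the reason changes on every delivery attempt.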


Re: postfix queue grep

2009-02-04 Thread Wietse Venema
Victor Duchovni:
> [ Wietse is it safe to move queue files active -> hold -> incoming in
>   a short time? Could some recipients be delivered twice by two delivery
>   agents in parallel (both deliveries starting after the second incoming
>   to active transition)? ]

Each delivery agent holds a read lock on the file that it delivers
mail from.  This will keep the queue manager from scheduling new
deliveries. The mechanism prevents duplicate deliveries after
"postfix reload" + "postfix flush".

Wietse


Re: Taking over for another admin

2009-02-04 Thread David Bishop
On Wed, Feb 04, 2009 at 06:28:36PM +0200, Eray Aslan wrote:
> On 04.02.2009 18:14, David Bishop wrote:
> [...]
> > So, the group-mind consensus is to use the following for a (relatively)
> > small virtual-hosting mail environment:
> > 
> > postfix (obviously) + dovecot's SASL for smtp-auth and maildir
> > dovecot for imap/pop
> > maia for spam/virus filtering (with clamav)
> 
> Is maia really necessary for your setup?  Consider just "tag and
> deliver" (possibly to a separate folder) with amavisd-new and let the
> user decide what to do with spam.

The same machine is both the endpoint for multiple domains, and an
mx-based mail scrubber, where we peel off spam and just forward on the
ham.  Apparently our customers have made it very clear that they would
rather not have to deal with the spam and viruses themselves[1], so tagging
the subject (or whatever) and sending it on to their various exchange
servers isn't an option.  Now, if you have any suggestions for something
like maia, where they *can* log in and check for false positives and mark
false negatives (learning is fun!), I'm all ears for that as well.  I
can say that I've had poor experiences with dspam in the past, and the
maia portion has apparently run "mostly good" for the last couple years.
It doesn't appear to be the fastest software in the world, though...

David

[1] Even in a separate mail folder




active -> incoming migration (was: Re: postfix queue grep)

2009-02-04 Thread Victor Duchovni
On Wed, Feb 04, 2009 at 12:24:23PM -0500, Wietse Venema wrote:

> Victor Duchovni:
> > [ Wietse is it safe to move queue files active -> hold -> incoming in
> >   a short time? Could some recipients be delivered twice by two delivery
> >   agents in parallel (both deliveries starting after the second incoming
> >   to active transition)? ]
> 
> Each delivery agent holds a read lock on the file that it delivers
> mail from.  This will keep the queue manager from scheduling new
> deliveries. The mechanism prevents duplicate deliveries after
> "postfix reload" + "postfix flush".

Yes, this solves the queue-manager reload problem, because the active
queue is empty when the queue-manager reloads. In the new scenario,
the active queue is not empty, and an active file is "surreptitiously"
moved (multiple quick steps) to "incoming". If all the recipients
are at busy destinations, there may not (yet) be any delivery agent
locks, and the file could enter the queue a second time.

Is this possible?

-- 
Viktor.



postfix + ubuntu 8.04

2009-02-04 Thread Kaushal Shriyan
Hi

Is there a guide to make use of postfix to send bulk email using postfix

Thanks and Regards

Kaushal


Re: active -> incoming migration (was: Re: postfix queue grep)

2009-02-04 Thread Wietse Venema
Victor Duchovni:
> On Wed, Feb 04, 2009 at 12:24:23PM -0500, Wietse Venema wrote:
> 
> > Victor Duchovni:
> > > [ Wietse is it safe to move queue files active -> hold -> incoming in
> > >   a short time? Could some recipients be delivered twice by two delivery
> > >   agents in parallel (both deliveries starting after the second incoming
> > >   to active transition)? ]
> > 
> > Each delivery agent holds a read lock on the file that it delivers
> > mail from.  This will keep the queue manager from scheduling new
> > deliveries. The mechanism prevents duplicate deliveries after
> > "postfix reload" + "postfix flush".
> 
> Yes, this solves the queue-manager reload problem, because the active
> queue is empty when the queue-manager reloads. In the new scenario,
> the active queue is not empty, and an active file is "surreptitiously"
> moved (multiple quick steps) to "incoming". If all the recipients
> are at busy destinations, there may not (yet) be any delivery agent
> locks, and the file could enter the queue a second time.
> 
> Is this possible?

Perhaps. This would require a hash of queue IDs, which can be hidden
entirely behind qmgr_message_mumble(). It's peanuts compared to
what happened when nqmgr introduced one hash table per "job".

Wietse


Re: Taking over for another admin

2009-02-04 Thread Patrick Ben Koetter
* Udo Rader :
> Hmm, I've never heard of dovecot being able to deal with non-plaintext  
> passwords in connection with SASL. Are you sure that that can be done  
> without patching?

I haven't used Dovecot like that myself, but the documentation indicates you
can set a $default_pass_scheme which allows for non-plaintext password schemes,
or you are even able to do this on an individual basis:

  

The details of this should be discussed on the Dovecot mailing list, I guess:

  

p...@rick


-- 
The Book of Postfix

saslfinger (debugging SMTP AUTH):



Re: Taking over for another admin

2009-02-04 Thread Darren Pilgrim

Udo Rader wrote:
Hmm, I've never heard of dovecot being able to deal with non-plaintext 
passwords in connection with SASL. Are you sure that that can be done 
without patching?


Dovecot supports[1] quite a few non-plaintext mechanisms.

1: http://wiki.dovecot.org/Authentication/Mechanisms

Which mechanisms you may use heavily depends on how you store passwords.
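The dependency between stored password scheme and usable mechanism that the two replies above point at can be run rather than argued. The following is an added example, not Dovecot code; it reproduces two formats Dovecot's passdb understands (assumed here: the {SSHA256} layout base64(SHA-256(password + salt) + salt), and the {PLAIN} prefix with $default_pass_scheme supplying the scheme when no prefix is present) and the CRAM-MD5 exchange from RFC 2195, so you can see why a salted hash can only be checked when the client sends the password itself (PLAIN or LOGIN, hence TLS), and why CRAM-MD5 verification needs the plaintext. The salt length is this example's choice, not Dovecot's default.

```python
"""Why the SASL mechanisms Dovecot can offer depend on the password scheme
stored in its passdb.

Added example; not Dovecot code.  Assumptions: {SSHA256} entries are
base64(SHA-256(password + salt) + salt); entries without a {SCHEME} prefix
take default_pass_scheme.  CRAM-MD5 is the RFC 2195 exchange:
response = "user " + hex(HMAC-MD5(password, challenge)).
"""
import base64
import hashlib
import hmac
import os


def split_scheme(stored):
    """'{SSHA256}abc...' -> ('SSHA256', 'abc...'); no prefix -> (None, entry)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def ssha256_hash(password, salt=None):
    """Produce a {SSHA256} entry for a password column (salt length is ours)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def verify_plain_mechanism(password, stored, default_pass_scheme="PLAIN"):
    """Server side of PLAIN/LOGIN: the client sent the password itself, so a
    one-way hash can be recomputed and compared.  Only PLAIN and SSHA256 are
    implemented in this example."""
    scheme, data = split_scheme(stored)
    scheme = scheme or default_pass_scheme
    if scheme == "PLAIN":
        return hmac.compare_digest(data.encode("utf-8"), password.encode("utf-8"))
    if scheme == "SSHA256":
        raw = base64.b64decode(data)
        digest, salt = raw[:32], raw[32:]
        calc = hashlib.sha256(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    raise ValueError("scheme %s not implemented in this example" % scheme)


def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5: 'user hex(HMAC-MD5(password, challenge))'."""
    mac = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return "%s %s" % (username, mac)


def verify_cram_md5(username, stored, challenge, response, default_pass_scheme="PLAIN"):
    """Server side of CRAM-MD5: the HMAC key is the password itself, so the
    passdb has to hand back the plaintext.  A hashed entry cannot be used,
    which is the whole reason the mechanism list depends on the storage."""
    scheme, secret = split_scheme(stored)
    scheme = scheme or default_pass_scheme
    if scheme != "PLAIN":
        raise ValueError("CRAM-MD5 cannot be verified against a %s entry" % scheme)
    expected = cram_md5_response(username, secret, challenge)
    return hmac.compare_digest(expected.encode("ascii"), response.encode("ascii"))
```

The practical reading: with hashed storage in MySQL, offer only PLAIN and LOGIN and make the SMTP and IMAP/POP listeners require TLS before accepting them; offering CRAM-MD5 or DIGEST-MD5 forces plaintext (or mechanism-specific) storage, which trades on-the-wire exposure for at-rest exposure of the whole user base.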


Re: User getting back scattered

2009-02-04 Thread mouss
jeff donovan a écrit :
> 
> On Feb 4, 2009, at 9:47 AM, Brian Evans - Postfix List wrote:
> 
>> jeff donovan wrote:
>>> here is a sample of the bounce: I have modified the real users name.
>>>
>>>
>>>
>>> Article rejected, un-authorized poster of realusern...@beth.k12.pa.us
>>> Received: from XDYHONJUP [189.22.134.132] by john23.com with ESMTP
>>>  (SMTPD32-8.00) id A6C57D10052; Wed, 04 Feb 2009 08:23:17 -0500
>>> Received: from 189.22.134.132 by mail2.beth.k12.pa.us; Wed, 4 Feb 2009
>>> 11:22:50 -0300
>> If this is to be believed, then:
>> grkni...@mx1 ~ $ host 132.134.22.189.zen.spamhaus.org
>> 132.134.22.189.zen.spamhaus.org has address 127.0.0.4
>>
>> Zen wins again and this is spam accepted by your server and not
>> BackScatter.

it is backscatter. john23.com has accepted the message from
189.22.134.132. the "Received: from 189... by mail2..." is obviously
forged.

>> [snip]
> /^[> ]*Message-ID:.*@(beth\.k12\.pa\.us)/ reject forged domain name in
> Message-ID: header: $1


The message-id examples work for Wietse, not for you. better not unless
you know the format of all message-id generated by all MUAs of all your
users!

AFAICT, you can however reject if
/^Message-ID: <>/   REJECT blah blah
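To make the two caveats in the reply above concrete, here is an added example (not Postfix code, and not from the thread) that walks a body_checks table the way Postfix does, first match per line, with DUNNO meaning "this line is fine, go on to the next", and runs it over the bounce quoted in this thread. The two tables and the three message bodies are constructed; the patterns are written in Python re syntax, case-insensitive as Postfix tables are by default, and would read the same in a pcre: table.

```python
"""First-match evaluation of a Postfix body_checks table, run over the
bounce quoted in this thread.

Added example, not Postfix code.  Postfix tries the patterns of a
regexp:/pcre: table in order and stops at the first one that matches the
line; DUNNO means "treat this line as unmatched and continue with the next
line", which is how BACKSCATTER_README whitelists known Message-ID formats
ahead of a catch-all reject.  Tables and message bodies are constructed.
"""
import re

# Table A: the BACKSCATTER_README style.  The DUNNO lines whitelist the two
# Message-ID formats this admin happens to know about; anything else claiming
# the local domain is rejected.  $1 is expanded as Postfix would.
DOMAIN_TABLE = [
    (r"^[> ]*Message-ID: <[0-9]{14}\.[A-Z0-9]{10}@beth\.k12\.pa\.us>", "DUNNO"),
    (r"^[> ]*Message-ID: <[0-9A-F]{8}\.[0-9A-F]{7}@beth\.k12\.pa\.us>", "DUNNO"),
    (r"^[> ]*Message-ID:.*@(beth\.k12\.pa\.us)",
     "REJECT forged domain name in Message-ID: header: $1"),
]

# Table B: the suggestion in the reply above, which needs no MUA knowledge.
EMPTY_TABLE = [
    (r"^[> ]*Message-ID: <>", "REJECT empty Message-ID in bounced message"),
]

# Body of the bounce from the thread (abridged, addresses as redacted there):
# the forged original carries an empty Message-ID and a local-domain sender.
FORGED_BOUNCE = """\
Article rejected, un-authorized poster of realuser@beth.k12.pa.us
Received: from XDYHONJUP [189.22.134.132] by john23.com with ESMTP
Received: from 189.22.134.132 by mail2.beth.k12.pa.us; Wed, 4 Feb 2009 11:22:50 -0300
From: "Leann Norris" <51dzoxaw0@beth.k12.pa.us>
Reply-To: realuser@beth.k12.pa.us
Message-ID: <>
Subject: Crazy sale prices
""".splitlines()

# A genuine bounce of a real user's mail, from an MUA format the admin listed.
LEGIT_KNOWN_MUA = """\
This is the mail system at host mx.example.org. Your message could not be delivered.
> From: Real User <realuser@beth.k12.pa.us>
> Message-ID: <49896E2A.4050703@beth.k12.pa.us>
""".splitlines()

# A genuine bounce of a real user's mail, from an MUA the admin did not list.
LEGIT_UNKNOWN_MUA = """\
This is the mail system at host mx.example.org. Your message could not be delivered.
> From: Real User <realuser@beth.k12.pa.us>
> Message-ID: <B5C1A2E3-7D4F-4E6A-9C8B-0123456789AB@beth.k12.pa.us>
""".splitlines()


def evaluate(table, lines):
    """Return ("REJECT", expanded text, line) for the first rejecting line,
    else ("DUNNO", None, None).  Mirrors Postfix's per-line, first-match walk."""
    compiled = [(re.compile(p, re.IGNORECASE), action) for p, action in table]
    for line in lines:
        for pattern, action in compiled:
            m = pattern.search(line)          # Postfix patterns are unanchored
            if m is None:
                continue
            if action == "DUNNO":
                break                         # this line is accepted; next line
            text = action
            for i, group in enumerate(m.groups(), start=1):
                text = text.replace("$%d" % i, group or "")
            return text.split(" ", 1)[0], text, line
    return "DUNNO", None, None
```

Run over the thread's sample, the domain-based table never fires (the forged Message-ID contains no @domain at all) while it does reject a real user's mail from an unlisted MUA; the empty-Message-ID rule catches the forgery and leaves both genuine bounces alone.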





Re: postfix + ubuntu 8.04

2009-02-04 Thread mouss
Kaushal Shriyan a écrit :
> Hi
> 
> Is there a guide to make use of postfix to send bulk email using postfix
> 


use a mailing-list manager. mailman, sympa, ... etc.



Re: TimeOut issues

2009-02-04 Thread Matthew Hebert
Thanks for your assistance.

We have implemented the changes you requested.  We still have
timeout issues.

We try the following:

When I try to "telnet server 25
Trying XXX.XXX.XXX...
telnet: Unable to connect to remote host: Connection timed out"
or getting connected and very slow response time from the smtpd



On Wed, Feb 4, 2009 at 10:11 AM, Victor Duchovni
 wrote:
> On Wed, Feb 04, 2009 at 08:52:45AM -0600, Matthew Hebert wrote:
>
>> smtpd_recipient_restrictions =
>> reject_non_fqdn_recipient
>> reject_non_fqdn_sender
>> reject_unknown_sender_domain
>> reject_unknown_recipient_domain
>> reject_unverified_recipient
>> permit_mynetworks
>> check_sender_access hash:/etc/postfix/sender_access
>> check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
>
>Open relay!
>
>> reject_unverified_recipient
>> reject_unauth_destination
>
> Move the sender checks below "reject_unauth_destination" or into
> smtpd_sender_restrictions.
>
>
>> reject_unauth_pipelining
>> reject_invalid_hostname
>> reject_non_fqdn_hostname
>> reject_rbl_client sbl-xbl.spamhaus.org
>
> Use zen.spamhaus.org instead, it is far more effective, with negligible
> FPs.
>
>> reject_rbl_client list.dsbl.org
>
> This RBL is long dead. Remove it from your configuration.
>
>> reject_rbl_client bl.spamcop.net
>> reject_rhsbl_sender dsn.rfc-ignorant.org
>
> Not wise for outright SMTP rejects, too many FPs, and does not directly
> address spam. Remove this RBL.
>
>> permit
>
> Make sure you have a correctly configured local DNS cache.
>
> Report your findings after fixing the above.
>
> --
>Viktor.
>



-- 
Matthew Hebert
mbheb...@gmail.com
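The "Open relay!" remark in the quoted reply is about evaluation order, and the rule is short enough to model. The following is an added example, not Postfix code and not from the thread: a simplified walk of an smtpd_recipient_restrictions list in which each restriction returns OK, REJECT or DUNNO, the first OK or REJECT ends the list, and an exhausted list permits. It assumes the posted sender_access map contains at least one OK entry (the only way check_sender_access can permit), reduces the access-map lookup to "full address, then domain", and constructs mynetworks, the local domains and the three sessions.

```python
"""Model of how smtpd(8) walks an smtpd_recipient_restrictions list, showing
why check_sender_access entries placed before reject_unauth_destination turn
the server into an open relay as soon as the map contains an OK.

Added example, not Postfix code, and simplified: each restriction returns
OK, REJECT or DUNNO; the first OK or REJECT decides; an exhausted list
permits.  mynetworks, local domains, the access map and the sessions are
constructed.
"""
from ipaddress import ip_address, ip_network

MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]
MY_DOMAINS = {"example.com"}                     # mydestination + relay_domains
SENDER_ACCESS = {"partner.example.net": "OK"}    # hash:/etc/postfix/sender_access


def permit_mynetworks(s):
    return "OK" if any(ip_address(s["client"]) in net for net in MYNETWORKS) else "DUNNO"


def check_sender_access(s):
    # Lookup order reduced to full address, then domain; a map value of OK
    # is a PERMIT result and ends the restriction list right here.
    sender = s["sender"].lower()
    domain = sender.rpartition("@")[2]
    return SENDER_ACCESS.get(sender) or SENDER_ACCESS.get(domain) or "DUNNO"


def reject_unauth_destination(s):
    # The relay control: only recipients in domains we are responsible for pass.
    domain = s["recipient"].lower().rpartition("@")[2]
    return "DUNNO" if domain in MY_DOMAINS else "REJECT"


def evaluate(restrictions, session):
    """Return (verdict, name of the restriction that decided) for one RCPT TO."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "OK", "end of list"


# Order from the quoted main.cf: sender checks before reject_unauth_destination.
AS_POSTED = [permit_mynetworks, check_sender_access, reject_unauth_destination]
# Order after the advice in the reply: relay control first, sender checks after.
AS_ADVISED = [permit_mynetworks, reject_unauth_destination, check_sender_access]

# A bot outside mynetworks, forging the partner's domain and asking us to relay.
RELAY_ATTEMPT = {"client": "203.0.113.7",
                 "sender": "ceo@partner.example.net",
                 "recipient": "victim@example.org"}
# The partner delivering to a local mailbox: must still be accepted.
INBOUND_FROM_PARTNER = dict(RELAY_ATTEMPT, recipient="bob@example.com")
# A host inside mynetworks sending outbound: must still be accepted.
OUTBOUND_FROM_LAN = dict(RELAY_ATTEMPT, client="192.0.2.10", sender="bob@example.com")
```

The envelope sender is attacker-controlled, so any restriction that can return OK from a sender value has to sit after reject_unauth_destination. Putting the sender checks into smtpd_sender_restrictions instead, as the reply also suggests, is safe for the same reason: an OK there only ends that list, and smtpd_recipient_restrictions is still evaluated for every RCPT TO.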


Re: TimeOut issues

2009-02-04 Thread Victor Duchovni
On Wed, Feb 04, 2009 at 03:05:41PM -0600, Matthew Hebert wrote:

> Thanks for your assistance.
> 
> We have implemented the changes you requested.  We still have
> timeout issues.
> 
> We try the following:
> 
> When I try to "telnet server 25
> Trying XXX.XXX.XXX...
> telnet: Unable to connect to remote host: Connection timed out"
> or getting connected and very slow response time from the smtpd

Now see STRESS_README.html. Find out why all your smtpd(8) servers
are busy and allocate more if necessary.

-- 
Viktor.



Aliases/Aliases maps problem

2009-02-04 Thread KLaM Postmaster
Would some kind soul tell me what i am missing/mucking up here.
I have an almost bog standard aliases file in /etc; the only changes I
have made are (and yes, I ran newaliases against it and the aliases.db
looks OK):

root:   postmaster+exam...@example.ca  
postmaster: postmaster+exam...@example.ca

for some reason mail is still being delivered to local root and postmaster.
I also tried
postmaster: postmas...@klam.ca, ab...@klam.ca
it did not work either.
What am I missing, as both seem to meet the syntax laid out in the
aliases readme?

TIA
JLA









2bounce_notice_recipient = postmaster
access_map_reject_code = 554
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map = 
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = $double_bounce_sender
address_verify_sender_dependent_relayhost_maps = 
$sender_dependent_relayhost_maps
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, nis:mail.aliases
allow_mail_to_commands = alias, forward
allow_mail_to_files = alias, forward
allow_min_user = no
allow_percent_hack = yes
allow_untrusted_routing = no
alternate_config_directories = 
always_bcc = 
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_at_myorigin = yes
append_dot_mydomain = yes
application_event_drain_time = 100s
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone
backwards_bounce_logfile_compatibility = yes
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
best_mx_transport = 
biff = yes
body_checks = 
body_checks_size_limit = 51200
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 5
bounce_template_file = 
broken_sasl_auth_clients = no
canonical_classes = envelope_sender, envelope_recipient, header_sender, 
header_recipient
canonical_maps = 
cleanup_service_name = cleanup
command_directory = /usr/sbin
command_execution_directory = 
command_expansion_filter = 
12345678...@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
command_time_limit = 1000s
config_directory = /etc/postfix
connection_cache_protocol_timeout = 5s
connection_cache_service_name = scache
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter = 
cyrus_sasl_config_path = 
daemon_directory = /usr/libexec/postfix
daemon_timeout = 18000s
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = 
default_database_type = hash
default_delivery_slot_cost = 5
default_delivery_slot_discount = 50
default_delivery_slot_loan = 3
default_destination_concurrency_failed_cohort_limit = 1
default_destination_concurrency_limit = 20
default_destination_concurrency_negative_feedback = 1
default_destination_concurrency_positive_feedback = 1
default_destination_rate_delay = 0s
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_minimum_delivery_slots = 3
default_privs = nobody
default_process_limit = 100
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] 
blocked using $rbl_domain${rbl_reason?; $rbl_reason}
default_recipient_limit = 2
default_recipient_refill_delay = 5s
default_recipient_refill_limit = 100
default_transport = smtp
default_verp_delimiters = +=
defer_code = 450
defer_service_name = defer
defer_transports = 
delay_logging_resolution_limit = 2
delay_notice_recipient = postmaster
delay_warning_time = 0h
deliver_lock_attempts = 20
deliver_lock_delay = 1s
destination_concurrency_feedback_debug = no
detect_8bit_encoding_header = yes
disable_dns_lookups = no
disable_mime_input_processing = no
disable_mime_output_conversion = no
disable_verp_bounces = no
disable_vrfy_command = no
dont_remove = 0
double_bounce_sender = double-bounce
duplicate_filter_limit = 1000
empty_address_recipient = MAILER-DAEMON
empty_address_relayhost_maps_lookup_key = <>
enable_original_recipient = yes
error_notice_recipient = postmaster
error_service_name = error
execution_directory_expansion_filter = 
12345678...@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
expand_owner_alias = no
export_environment = TZ MAIL_CONFIG LANG
fallback_transport = 
fallback_transport_maps = 
fast_flush_domains = $relay_domains
fast_flush_purge_time = 7d
fast_flush_refresh_time = 12h
fault_injection_code = 0
flush_service_name = flush
fork_attempts = 5
fork_delay = 1s
forward_expansion_filter = 
12345678...@%-_=+:,./abcdefghijk

Guidance on "owner-" prefix added to From and Return-Path

2009-02-04 Thread Damon Miller
Hi all,

I'm having a difficult time understanding why one of my machines is
showing modified "Return-Path" and "From" headers while another is not.
I'm hoping someone can point me in the right direction.  Here's the
environment:

Two CentOS 4 servers, both running the same version of Postfix (2.2.10).
This was installed via binary RPM so I'm certain the Postfix build is
identical.



My issue is this:  When mail is sent to one of the servers ('cam-d3'),
the "From" header is modified to have "owner-" prefixing the actual
address from which it was sent.  Similarly, "Return-Path" is updated to
include an "owner-" prefix.  This is not happening on the other server
('imps') and I have no idea why.



I don't know what information would be relevant here so here are some
selected data points (taken from root's 'mbox' and live configuration
data).  First, I've attached an example of a message sent to an address
on the machine which adds "owner-".  Here are abbreviated headers
showing the "From" and "Return-Path" changes:

>From owner-dtmtest-...@helpdesk.thinkingphones.com  Wed Feb  4 14:35:04
2009
Return-Path: 
X-Original-To: dtmtest-...@helpdesk.thinkingphones.com
Delivered-To: r...@helpdesk.thinkingphones.com

[cut -- see attached "cam-d3.txt" for full headers] 

From: "Damon Miller" 
To: 
X-OriginalArrivalTime: 04 Feb 2009 19:35:08.0941 (UTC)
FILETIME=[B04D53D0:01C986FF]
Status: RO

The address is an alias to root and the "owner-" prefix is added
regardless of source address.



Contrast this with a message sent to an address on the other machine:

>From testacco...@gmail.com  Wed Feb  4 09:30:44 2009
Return-Path: 
X-Original-To: thinkingphones-supp...@thinkingphonenetworks.com
Delivered-To: r...@thinkingphonenetworks.com

[cut -- see attached "imps.txt" for full headers

From: Damon Miller 
To: thinkingphones-supp...@thinkingphonenetworks.com
Content-Type: multipart/alternative;
boundary=0015174bdfd82a282d046218a2f3
Status: RO



I'm quite confused by this.  The "owner-" prefix is similar to a VERP
address, but I can't find any VERP-related configuration settings
enabled on either server.



I also dumped the full configs on both servers via 'postconf' and
diff'ed them.  There are three differences:

1.  alias_maps on the server adding "owner-" contains an additional
MySQL-based alias_maps entry, but since I'm using a hash-based entry for
my test this should not be hit.  (Testing confirms this.)

-alias_maps = hash:/etc/postfix/maps/hash/aliases
+alias_maps = hash:/etc/postfix/maps/hash/aliases,
mysql:/etc/postfix/maps/mysql/mysql-alias-maps.cf


2.  local_recipient_maps is using a hash instead of a MySQL for
local_recipient_maps.  (MySQL isn't installed on one of the hosts.)  The
content is identical between the hash file and the MySQL table.

-local_recipient_maps = proxy:unix:passwd.byname
hash:/etc/postfix/maps/hash/local-recipient-maps
+local_recipient_maps = proxy:unix:passwd.byname
mysql:/etc/postfix/maps/mysql/mysql-local-recipient-maps.cf


3.  'mydomain', 'myhostname', and 'mynetworks' differ since the servers
are serving different domains, have different hostnames, and are on
different networks.  These all match the OS-level configuration data.



Any guidance would be much-appreciated.


Regards,

Damon
From owner-dtmtest-...@helpdesk.thinkingphones.com  Wed Feb  4 00:36:21 2009
Return-Path: 
X-Original-To: dtmtest-...@helpdesk.thinkingphones.com
Delivered-To: r...@helpdesk.thinkingphones.com
Received: by cam-d3.sip.thinkingphones.net (Postfix)
id 90590844042; Wed,  4 Feb 2009 00:36:21 -0500 (EST)
Delivered-To: dtmtest-...@helpdesk.thinkingphones.com
Received: from mail-ew0-f20.google.com (mail-ew0-f20.google.com [209.85.219.20])
by cam-d3.sip.thinkingphones.net (Postfix) with ESMTP id 5C88D84403C
for ; Wed,  4 Feb 2009 00:35:56 
-0500 (EST)
Received: by ewy13 with SMTP id 13so3164217ewy.16
for ; Tue, 03 Feb 2009 
21:35:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:date:message-id:subject
 :from:to:content-type;
bh=vvJLbAs/L25vIiWXiYMOVhaWOnh6grEG9dI3eLW4rZc=;
b=IDIl02/vC0n1msftqeNLvvlisaPqVbbpDMGgVTQhoBAEy34KxRqgAllLqeY11SKvhW
 8hFRp0aBqNMTDCkZmozN8LPycAwhe1fahW69WsHy5pIqX8IuRHtQA39H/ZrOziTbvtx8
 XedC1y8wBW0Sgn3VXiBS4wMxef2/64tG1SQ/s=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=p1XhOWrGEBwS83YXIAi++/jW6eXDx525XQCVFbqcuhuNoYMgGPEgT+S50LiGwm3YhY
 PaJFY4vlGr/xd9CESkThrNtZIFdFYcKW1Y4Lg/OXVIccwjwSWENcQ2d13zP2THLL3WMj
 gCiV42Cia474Of44R1JSlrjjRbUXqJJxuYFV4=
MIME-Version: 1.0
Received: by 10.210.58.17 with SMTP id g17mr6571081eba.149.1233725756192; Tue, 
03 Feb 2009 21:35:56 -0800 (PST)
Date: Wed, 4 Feb 2009 00:35:56 -0500
Message-ID: <4dc60d940902032135i42f472b5xe590ed1d9faca...@mail.gmail.com>
Subject: t

Re: Aliases/Aliases maps problem

2009-02-04 Thread KLaM Postmaster
Sorry, I screwed up: the xxx.txt attachment is my postconf -n output. I
should have made sure it was correctly named.

JLA


Re: TimeOut issues

2009-02-04 Thread Matthew Hebert
We are running much better now.

We have increased our maxproc to 200 and added smtpd_timeout = 10 to
the main.cf.

It states that reducing the smtpd_timeout = should only be temporary.

"No mail should be lost, as long as this measure is used only temporarily"

We are running an older version of Postfix.  We are hoping to update soon.

Thanks for your guidance.

Matt

On Wed, Feb 4, 2009 at 3:08 PM, Victor Duchovni
 wrote:
> On Wed, Feb 04, 2009 at 03:05:41PM -0600, Matthew Hebert wrote:
>
>> Thanks for your assistance.
>>
>> We have implemented the changes you requested.  We still have
>> timeout issues.
>>
>> We try the following:
>>
>> When I try to "telnet server 25
>> Trying XXX.XXX.XXX...
>> telnet: Unable to connect to remote host: Connection timed out"
>> or getting connected and very slow response time from the smtpd
>
> Now see STRESS_README.html. Find out why all your smtpd(8) servers
> are busy and allocate more if necessary.
>
> --
>Viktor.
>
>



-- 
Matthew Hebert
mbheb...@gmail.com


gmail relay and certificates on Fedora 10

2009-02-04 Thread sean darcy
I followed the instructions on 
http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/

to create your own certificate to use with google.

main.cf:
..
## this to use certificate I created:
##  www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations = smtp.gmail.com
relay_destination_concurrency_limit = 1
default_destination_concurrency_limit = 5
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/postfix/postfixclient.key
smtp_tls_cert_file=/etc/postfix/postfixclient.pem
smtp_tls_enforce_peername = no
smtpd_tls_req_ccert =no
smtpd_tls_ask_ccert = yes
soft_bounce = yes

I get this  error:

Feb  4 17:01:52 asterisk postfix/smtp[17447]: certificate verification failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com

The error message is weird since it refers to thawte.com.

/etc/postfix/postfixclient.pem:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=us, ST=new york, O=n/a, OU=section, 
CN=seandarcy/emailaddress=seanda...@gmail.com

Validity
Not Before: Feb  4 21:40:25 2009 GMT
Not After : Feb  4 21:40:25 2010 GMT
Subject: C=us, ST=new york, O=n/a, OU=section, 
CN=seandarcy/emailaddress=seanda...@gmail.com

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
...

So I should be the issuer. Or is it referring to the issuer of its certificate?

In any event, anyone else have this working?

sean



Re: gmail relay and certificates on Fedora 10

2009-02-04 Thread J Sloan
Sounds like fedora's missing a ca-bundle.crt...

Joe

sean darcy wrote:
> I followed the instructions on
> http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
> to create your own certificate to use with google.
>
> main.cf:
> ..
> ## this to use certificate I created:
> ##  www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
> relayhost = [smtp.gmail.com]:587
> smtp_connection_cache_destinations = smtp.gmail.com
> relay_destination_concurrency_limit = 1
> default_destination_concurrency_limit = 5
> smtp_sasl_auth_enable=yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_use_tls = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_tls_security_options = noanonymous
> smtp_tls_note_starttls_offer = yes
> tls_random_source = dev:/dev/urandom
> smtp_tls_scert_verifydepth = 5
> smtp_tls_key_file=/etc/postfix/postfixclient.key
> smtp_tls_cert_file=/etc/postfix/postfixclient.pem
> smtp_tls_enforce_peername = no
> smtpd_tls_req_ccert =no
> smtpd_tls_ask_ccert = yes
> soft_bounce = yes
>
> I get this  error:
>
> Feb  4 17:01:52 asterisk postfix/smtp[17447]: certificate verification failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
>
> The error message is weird since it refers to thawte.com.
>
> /etc/postfix/postfixclient.pem:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=us, ST=new york, O=n/a, OU=section,
> CN=seandarcy/emailaddress=seanda...@gmail.com
> Validity
> Not Before: Feb  4 21:40:25 2009 GMT
> Not After : Feb  4 21:40:25 2010 GMT
> Subject: C=us, ST=new york, O=n/a, OU=section,
> CN=seandarcy/emailaddress=seanda...@gmail.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> ...
>
> So I should be the issuer. Or is it referring to the issuer of its
> certificate?
>
> In any event, anyone else have this working?
>
> sean
>



Re: gmail relay and certificates on Fedora 10

2009-02-04 Thread sean darcy

J Sloan wrote:

Sounds like fedora's missing a ca-bundle.crt...

Joe

sean darcy wrote:

I followed the instructions on
http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
to create your own certificate to use with google.

main.cf:
..
## this to use certificate I created:
##  www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations = smtp.gmail.com
relay_destination_concurrency_limit = 1
default_destination_concurrency_limit = 5
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/postfix/postfixclient.key
smtp_tls_cert_file=/etc/postfix/postfixclient.pem
smtp_tls_enforce_peername = no
smtpd_tls_req_ccert =no
smtpd_tls_ask_ccert = yes
soft_bounce = yes

I get this  error:

Feb  4 17:01:52 asterisk postfix/smtp[17447]: certificate verification
failed fo
r smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western
Cape/L=Ca
pe Town/O=Thawte Consulting cc/OU=Certification Services
Division/CN=Thawte Prem
ium Server CA/emailaddress=premium-ser...@thawte.com

The error message is weird since it refers to thawte.com.

/etc/postfix/postfixclient.pem:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=us, ST=new york, O=n/a, OU=section,
CN=seandarcy/emailaddress=seanda...@gmail.com
Validity
Not Before: Feb  4 21:40:25 2009 GMT
Not After : Feb  4 21:40:25 2010 GMT
Subject: C=us, ST=new york, O=n/a, OU=section,
CN=seandarcy/emailaddress=seanda...@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
...

So I should be the issuer. Or is it referring to the issuer of its
certificate?

In any event, anyone else have this working?

sean






I can get the thawte cert, but what do I do with it?

sean



Re: How to set client_encoding in Postfix -> PostgreSQL lookups

2009-02-04 Thread Michael Monnerie
On Tuesday 20 January 2009 Wietse Venema wrote:
> I have a postfix making SQL queries
>
> > to PostgreSQL, and can see from postgresql logs that postfix does
> > set client_encoding to 'LATIN1'
> > How can I change that to use UTF8?
>
> SMTP is an ASCII protocol, and that is likely not to change.

But sometimes there is e-mail arriving with bad encoding, for example German 
umlauts in headers (that's done by Incredimail when used in a mid-
European timezone: Mitteleuropäische Sommerzeit, Incredimail writes the 
Umlaut-a in the header). Is there a way I can get postfix to handle this?

I use dbmail with PostgreSQL, and occasionally I see errors of wrong 
encoding. Now I don't know if I need to fix that in postfix, postgres or 
dbmail, and if it's fixable at all. As you said, SMTP is ASCII, but those 
wrong Incredimail headers exist and I'd like to fix them...

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4





Re: gmail relay and certificates on Fedora 10

2009-02-04 Thread sean darcy

sean darcy wrote:

J Sloan wrote:

Sounds like fedora's missing a ca-bundle.crt...

Joe

sean darcy wrote:

I followed the instructions on
http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
to create your own certificate to use with google.

main.cf:
..
## this to use certificate I created:
##  www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations = smtp.gmail.com
relay_destination_concurrency_limit = 1
default_destination_concurrency_limit = 5
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/postfix/postfixclient.key
smtp_tls_cert_file=/etc/postfix/postfixclient.pem
smtp_tls_enforce_peername = no
smtpd_tls_req_ccert =no
smtpd_tls_ask_ccert = yes
soft_bounce = yes

I get this error:

Feb  4 17:01:52 asterisk postfix/smtp[17447]: certificate verification failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com

The error message is weird since it refers to thawte.com.

/etc/postfix/postfixclient.pem:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=us, ST=new york, O=n/a, OU=section,
CN=seandarcy/emailaddress=seanda...@gmail.com
Validity
Not Before: Feb  4 21:40:25 2009 GMT
Not After : Feb  4 21:40:25 2010 GMT
Subject: C=us, ST=new york, O=n/a, OU=section,
CN=seandarcy/emailaddress=seanda...@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
...

So I should be the issuer. Or is it referring to the issuer of its
certificate?

In any event, anyone else have this working?

sean






I can get the thawte cert, but what do I do with it?

sean


In fact the thawte certificate is already in Fedora 10 
/etc/pki/tls/cert.pem:


.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
Validity
Not Before: Aug  1 00:00:00 1996 GMT
Not After : Dec 31 23:59:59 2020 GMT
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):


Any suggestions appreciated.

sean




Re: gmail relay and certificates on Fedora 10

2009-02-04 Thread Joe Sloan

What values does postconf show for the following parameters?

smtp_tls_CAfile
smtpd_tls_CAfile

?

Joe

sean darcy wrote:

sean darcy wrote:

J Sloan wrote:

Sounds like fedora's missing a ca-bundle.crt...

Joe

sean darcy wrote:

I followed the instructions on
http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
to create your own certificate to use with google.

main.cf:
..
## this to use certificate I created:
##  www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations = smtp.gmail.com
relay_destination_concurrency_limit = 1
default_destination_concurrency_limit = 5
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/postfix/postfixclient.key
smtp_tls_cert_file=/etc/postfix/postfixclient.pem
smtp_tls_enforce_peername = no
smtpd_tls_req_ccert =no
smtpd_tls_ask_ccert = yes
soft_bounce = yes

I get this error:

Feb  4 17:01:52 asterisk postfix/smtp[17447]: certificate verification failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com

The error message is weird since it refers to thawte.com.

/etc/postfix/postfixclient.pem:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=us, ST=new york, O=n/a, OU=section,
CN=seandarcy/emailaddress=seanda...@gmail.com
Validity
Not Before: Feb  4 21:40:25 2009 GMT
Not After : Feb  4 21:40:25 2010 GMT
Subject: C=us, ST=new york, O=n/a, OU=section,
CN=seandarcy/emailaddress=seanda...@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
...

So I should be the issuer. Or is it referring to the issuer of its
certificate?

In any event, anyone else have this working?

sean






I can get the thawte cert, but what do I do with it?

sean


In fact the thawte certificate is already in Fedora 10 
/etc/pki/tls/cert.pem:


.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
Validity
Not Before: Aug  1 00:00:00 1996 GMT
Not After : Dec 31 23:59:59 2020 GMT
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):


Any suggestions appreciated.

sean






How to re-email for SRS / SPF compliance

2009-02-04 Thread David Cottle

Hi,

Can someone tell me how you can make postfix re-email on forwarded  
mail accounts instead of forwarding, so postfix complies with SRS / SPF  
policy please?


There are SRS plugins for qmail but not for postfix - specifically  
interested in the latest 2.6 version I built and am running.


Many thanks!
David

Sent from my iPhone


Re: gmail relay and certificates on Fedora 10

2009-02-04 Thread Victor Duchovni
On Wed, Feb 04, 2009 at 06:58:52PM -0500, sean darcy wrote:

> I followed the instructions on 
> http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
> to create your own certificate to use with google.

You DO NOT need your own TLS-client certificate to submit mail to Google,
and even if you have one, Google's SMTP server won't ask for it and you
won't send it. Either you misunderstood the guide above, or the guide
is wrong.

You do however need to have a suitable set of trusted root CA certificates,
if you want to verify *Google's* certificate, to make sure you are reaching
the right service.

> smtp_use_tls = yes
> smtp_tls_enforce_peername = no

These are parameters for Postfix 2.2 and earlier; with 2.3, you should
be using smtp_tls_security_level.

> I get this error:
>
> Feb  4 17:01:52 asterisk postfix/smtp[17447]: certificate verification 
> failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer
> /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification 
> Services Division/CN=Thawte Premium Server 
> CA/emailaddress=premium-ser...@thawte.com

This is not an "error" message, just informational chatter... What is
your real problem, as this does not appear to be it.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
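Added example, not part of Viktor's reply or the wormly guide: the client-side TLS lines as posted, beside the Postfix 2.3+ form that actually verifies the server certificate. The CA bundle path is the Fedora 10 file named later in the thread; the verifying settings are an assumption about what such a setup needs, not configuration the poster ran.

```ini
# Added example, not from the thread. Postfix main.cf lines only.

# --- As posted: Postfix 2.2-era parameters. TLS is opportunistic and the
# --- server name is not checked, so the "untrusted issuer" log line is
# --- advisory only and a spoofed server would still be accepted.
smtp_use_tls = yes
smtp_tls_enforce_peername = no
# A client certificate is not needed to submit to Gmail; these can go.
smtp_tls_key_file = /etc/postfix/postfixclient.key
smtp_tls_cert_file = /etc/postfix/postfixclient.pem

# --- Postfix 2.3 and later: require TLS and a chain rooted in a trusted CA.
# --- "secure" also matches the certificate name against the relayhost name
# --- (smtp.gmail.com); an unverifiable server is deferred, not used.
relayhost = [smtp.gmail.com]:587
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/pki/tls/cert.pem
# Log the handshake summary so "Verified" vs "Untrusted" is visible in maillog.
smtp_tls_loglevel = 1
```

After `postfix reload`, a successful submission logs a "Verified TLS connection established to smtp.gmail.com" line; an "Untrusted" result with `secure` means the mail is deferred rather than sent to an unverified peer.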


Re: postfix queue grep

2009-02-04 Thread Marc Silver

Victor,

Thanks for taking the time to look at this.

On Wed, 04 Feb 2009 19:17:45 +0200, Victor Duchovni wrote:

The regexp parser is IMHO too fuzzy for production use outside your
own environment. It will generate false positives with sufficiently
interesting remote error messages, sender or recipient addresses in the
"postqueue -p" output. You need a more context aware parser.


Point taken.  It didn't occur to me that remote error messages could  
contain strings that may break the parser.  I'll work on improving that as  
well as improve detection of addresses.



   for i in `pqgrep.py -s MAILER-DAEMON` ; do postsuper -d $i ; done


This is subject to race conditions. To safely delete messages, they have
to be moved (postsuper -h) out of the "active" queue, re-scanned to ensure
they still meet the original criteria, selectively deleted, and the FPs
moved back into the deferred queue (via postsuper -H), you can then
flush FPs back into the incoming queue via "postqueue -i".


Fair enough... I've only ever done this with mails in the deferred queue.   
Moving mails into different queues is somewhat beyond the scope of the  
tool, so ideally (and what I still want to implement) the ability to  
specify a particular queue to match against would help prevent against  
this.  Is that a correct assumption?


Thanks again for the feedback...

Marc
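An added example (not Marc's pqgrep.py and not code from the thread) of the context-aware parsing Viktor asks for: queue entries are recognised by line position in `postqueue -p` output, and the selection looks only at the sender field, so an address quoted inside a remote error message cannot match. The sample output and all addresses in it are constructed.

```python
import re

# Constructed sample of `postqueue -p` output; entry 2's remote error quotes an address.
SAMPLE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Wed Feb  4 19:17:45  alice@example.com
                                         bob@example.org

F6E5D4C3B2      5678 Wed Feb  4 18:00:01  carol@example.com
(host mx.example.net[192.0.2.1] said: 550 <MAILER-DAEMON@example.net> rejected)
                                         dave@example.net

0123456789      2048 Wed Feb  4 17:30:12  MAILER-DAEMON
(connect to mx.example.org[192.0.2.2]:25: Connection timed out)
                                         erin@example.org
-- 9 Kbytes in 3 Requests.
"""

# Entry header: id at column 0, optional '*' (active) or '!' (hold), size, time, sender.
HEADER = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+"
                    r"(\w{3} \w{3}\s+\d+ [\d:]+)\s+(\S+)$")

def parse_postqueue(text):
    """Parse by position: header at column 0, '(' opens the reason, indented = recipient."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            qid, flag, size, arrival, sender = m.groups()
            entries.append({"id": qid, "size": int(size), "arrival": arrival,
                            "sender": sender, "reason": None, "recipients": [],
                            "queue": {"*": "active", "!": "hold"}.get(flag, "deferred")})
        elif entries and line.startswith("("):
            entries[-1]["reason"] = line.strip("()")
        elif entries and line.startswith(" ") and line.strip():
            entries[-1]["recipients"].append(line.strip())
    return entries

def select_ids(entries, sender, queue="deferred"):
    """Ids whose sender field equals `sender` in `queue`; reason text is ignored."""
    return [e["id"] for e in entries if e["sender"] == sender and e["queue"] == queue]

def naive_grep(text, needle):
    """The line-oriented approach the thread warns about: remote error text leaks in."""
    hits, current = [], None
    for line in text.splitlines():
        if HEADER.match(line):
            current = line.split()[0].rstrip("*!")
        if current and needle in line and current not in hits:
            hits.append(current)
    return hits
```

Restricting `select_ids` to the deferred queue narrows the window Viktor describes but does not close it; the hold, re-scan, delete, release sequence he gives is still needed before `postsuper -d`.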


Re: postfix queue grep

2009-02-04 Thread Magnus Bäck
On Thursday, February 05, 2009 at 07:10 CET, Marc Silver wrote:

> On Wed, 04 Feb 2009 19:17:45 +0200, Victor Duchovni  
>  wrote:
>
> > This is subject to race conditions. To safely delete messages,
> > they have to be moved (postsuper -h) out of the "active" queue,
> > re-scanned to ensure they still meet the original criteria,
> > selectively deleted, and the FPs moved back into the deferred
> > queue (via postsuper -H), you can then flush FPs back into the
> > incoming queue via "postqueue -i".
> 
> Fair enough... I've only ever done this with mails in the deferred
> queue.  Moving mails into different queues is somewhat beyond the
> scope of the tool, so ideally (and what I still want to implement)
> the ability to specify a particular queue to match against would
> help prevent against this.  Is that a correct assumption?

No, that doesn't fix the race condition. Between your scan of the queue
and the actual removal of the message it could be delivered and replaced
by another message with the same queue id.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: postfix queue grep

2009-02-04 Thread Marc Silver

Thanks... I better understand Viktor's original reply now.

On Thu, 05 Feb 2009 08:22:25 +0200, Magnus Bäck  wrote:


No, that doesn't fix the race condition. Between your scan of the queue
and the actual removal of the message it could be delivered and replaced
by another message with the same queue id.