Multiple instances (incoming)

2009-02-08 Thread David Cottle

Hi,

I want to have multiple incoming hostnames to match my domains so it
passes spam checks better.

I found this:

http://www.linuxmail.info/postfix-multiple-ip-address-smtp-greeting/

exactly what I want except it does not work :(

master.cf (before)

smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

master.cf (updated trying to do this - i am using real domain names
and ips)

#smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
localhost:smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
ipaddressgateway:smtp inet n - - - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
ipaddress1:smtp inet n - - - - smtpd -o hostname=domain1
  -o smtpd_proxy_filter=127.0.0.1:10025
ipaddress2:smtp inet n - - - - smtpd -o hostname=domain2
  -o smtpd_proxy_filter=127.0.0.1:10025
ipaddress3:smtp inet n - - - - smtpd -o hostname=domain3
  -o smtpd_proxy_filter=127.0.0.1:10025
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Any ideas?

Thanks!





Re: Sender-Recipient forged mail

2009-02-08 Thread itsramesh_s
Hi,

I have configured SMTP-AUTH; this is mainly to allow sending from
outside the network. As per your suggestion, can I use check_sender_access?

Thanks & Regards,
Ramesh

--- In post...@yahoogroups.com, "MacShane, Tracy" 
wrote:
>
>
>
> > -Original Message-
> > From: owner-postfix-us...@...
> > [mailto:owner-postfix-us...@...] On Behalf Of itsramesh_s
> > Sent: Friday, 6 February 2009 4:25 PM
> > To: postfix-us...@...
> > Subject: Sender-Recipient forged mail
> >
> >
> > Hi,
> >
> > I have configured postfix postfix-2.4.5-2.fc8. all mail user are
> > getting forged mails as sender and recipient are same. we have
> > secondary mx i am sending both postconf output,
> >
> > Please help me to stop forged mail.
> >
> > Postconf -n of primary MTA
> >
> > smtpd_recipient_restrictions = permit_sasl_authenticated,
> > permit_mynetworks, reject_unauth_pipelining,
> > reject_unknown_recipient_domain, reject_non_fqdn_sender,
> > reject_unauth_destination
>
> You could do with a whole lot more smtpd restrictions, such as
> reject_non_fqdn_recipient, reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname,  reject_unknown_sender_domain,
> reject_unknown_reverse_client_hostname (or
> reject_unknown_client_hostname, but this tends to give a lot of false
> positives due to admins who can't configure DNS properly,
> unfortunately).
>
> If all your senders are sending from hosts in mynetworks, then the
> easiest method is to do  "check_sender_access
> hash:/etc/postfix/sender_access" after reject_unauth_destination (and
> permit_mynetworks, of course), where /etc/postfix/sender_access is as
> follows:
>
> mydomain.com    REJECT Mail from our senders must come from our hosts
>




Re: Redirect all mail from one domain to the same u...@otherdomain?

2009-02-08 Thread Victor Duchovni
On Sun, Feb 08, 2009 at 09:50:16PM -0800, Jeff Weinberger wrote:

>
> I am trying to figure out the best way to map one domain to another with 
> the same users...precisely the behavior I am trying to achieve is: when 
> mail is sent (from outside, or from another user within my postfix 
> installation) to u...@domain1.tld I want it redirected to u...@domain2.tld 
> - in other words, the user is preserved, but the domain is 
> translated/rewritten. To be more specific:
>
> us...@domain1.tld gets re-routed to us...@domain2.tld
> us...@domain1.tld gets re-routed to us...@domain2.tld

- Are you looking to rewrite just the envelope recipient, or also message
  From/To/Cc headers?

- Is all mail first passed through an SMTP content_filter?

- Are all the original and rewritten recipients delivered to another host
  via SMTP, or is some of the mail delivered locally (local, virtual, ...)?


>
> My initial guess is to use recipient_canonical_maps and use a pcre map:
>
> /^(.*)@domain1.tld/   {$1)@domain2.tld

This guess is wrong for many reasons, but I think it best to first
understand what problem you are really trying to solve, before we
tear apart the wrong answer to potentially the wrong question.

> I don't see a way to achieve this with alias_maps and header_checks (with 
> action REDIRECT) would miss messages sent to u...@domain1.tld where that is 
> not the To: or Cc: address (such as list mail).

This is worse.

> Really, I am just checking with experts more knowledgeable than I whether I 
> have chosen a good (or the best) way to achieve this, or if there is a 
> better way.

Yes, there is a correct way of solving your problem, but first describe
your problem in more detail.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Redirect all mail from one domain to the same u...@otherdomain?

2009-02-08 Thread Jeff Weinberger

Hi:

I would appreciate any advice anyone can offer on how best to achieve  
this behavior:


I am trying to figure out the best way to map one domain to another  
with the same users...precisely the behavior I am trying to achieve  
is: when mail is sent (from outside, or from another user within my  
postfix installation) to u...@domain1.tld I want it redirected to u...@domain2.tld
- in other words, the user is preserved, but the domain is translated/rewritten.
To be more specific:


us...@domain1.tld gets re-routed to us...@domain2.tld
us...@domain1.tld gets re-routed to us...@domain2.tld

and so on.

My initial guess is to use recipient_canonical_maps and use a pcre map:

/^(.*)@domain1.tld/   {$1)@domain2.tld

I don't see a way to achieve this with alias_maps and header_checks  
(with action REDIRECT) would miss messages sent to u...@domain1.tld  
where that is not the To: or Cc: address (such as list mail).


Really, I am just checking with experts more knowledgeable than I  
whether I have chosen a good (or the best) way to achieve this, or if  
there is a better way.


Any advice and help are much appreciated!

Thanks,

--Jeff






--

Jeff Weinberger
http://disruptivemarketing.jeffweinberger.com






Re: whitelisting not working

2009-02-08 Thread webmaster

Quoting Sahil Tandon :


On Mon, 09 Feb 2009, webmas...@aus-city.com wrote:


Quoting Sahil Tandon :


On Mon, 09 Feb 2009, David Cottle wrote:


Yes all the files (whitelist, check_backscatterer and
check_spamcannibal) have been postmap.

I assume that as long as the whitelist is done first, anything that
is ok in the file simply should 'brute force' past the rest of the
checks, no matter how many?


If an access table within smtpd_client_restrictions evaluates to OK, smtpd(8)
skips the remaining client_restrictions.  However, one of the following
smtpd_mumble_restrictions might still trigger a REJECT.  Please show
'postconf -n' and some relevant excerpts from your log.


Hi Sahil,

Here is the log:

Feb  9 09:36:55 server postfix/smtpd[26671]: warning: database
/etc/postfix/whitelist.db is older than source file
/etc/postfix/whitelist
Feb  9 09:36:55 server postfix/smtpd[26671]: connect from
unknown[64.202.189.90]
Feb  8 22:36:57 server postfix/smtpd[26671]: NOQUEUE: reject: RCPT from
unknown[64.202.189.90]: 554 5.7.1 Service unavailable; Client host
[64.202.189.90] blocked using dnsbl-1.uceprotect.net; IP 64.202.189.90 is
UCEPROTECT-Level 1 listed. See
http://www.uceprotect.net/rblcheck.php?ipr=64.202.189.90;
from= to= proto=SMTP
helo=
Feb  8 22:36:57 server postfix/smtpd[26671]: disconnect from
unknown[64.202.189.90]

Now I was playing with timestamps on the .db files, so if it detects
this does this mean the whitelist is ignored due to the error hence the
answer?  I just postmap the source files again to be sure, I assume its a
warning only?


Why were you playing with timestamps?  The warning means what it says; the
.db file was created during your last postmap; any changes to the source file
after that postmap are ignored.  So if you added the OK for a particular
client after your last postmap (at the time of the warning), that would
explain your problem.

And as you've already been warned, it is dangerous to use UCEPROTECT to
reject at SMTP.

--
Sahil Tandon 



Hi Sahil,

Thanks for the clarification, I dropped UCEPROTECT out.  The  
timestamps were just uploading and downloading files.


Here is my new main.cf

smtpd_client_restrictions = check_client_access  
hash:/etc/postfix/whitelist, check_client_access  
hash:/etc/postfix/check_backscatterer, check_client_access  
hash:/etc/postfix/check_spamcannibal, reject_rbl_client  
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client  
cbl.abuseat.org, reject_rbl_client 2.0.0.127.b.barracudacentral.org


Question, should I run <>, postmaster and MAILER_DAEMON through the  
UCEPROTECT lists like I am doing with backscatter and spamcannibal -  
these stop so much blasted backscatter its not funny..


Lastly my syntax was correct to filter these three mail from above?

<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org


Thanks again for the help!




Re: whitelisting not working

2009-02-08 Thread Sahil Tandon
On Mon, 09 Feb 2009, webmas...@aus-city.com wrote:

> Quoting Sahil Tandon :
>
>> On Mon, 09 Feb 2009, David Cottle wrote:
>>
>>> Yes all the files (whitelist, check_backscatterer and
>>> check_spamcannibal) have been postmap.
>>>
>>> I assume that as long as the whitelist is done first, anything that
>>> is ok in the file simply should 'brute force' past the rest of the
>>> checks, no matter how many?
>>
>> If an access table within smtpd_client_restrictions evaluates to OK, smtpd(8)
>> skips the remaining client_restrictions.  However, one of the following
>> smtpd_mumble_restrictions might still trigger a REJECT.  Please show
>> 'postconf -n' and some relevant excerpts from your log.
>
> Hi Sahil,
>
> Here is the log:
>
> Feb  9 09:36:55 server postfix/smtpd[26671]: warning: database  
> /etc/postfix/whitelist.db is older than source file  
> /etc/postfix/whitelist
> Feb  9 09:36:55 server postfix/smtpd[26671]: connect from  
> unknown[64.202.189.90]
> Feb  8 22:36:57 server postfix/smtpd[26671]: NOQUEUE: reject: RCPT from 
> unknown[64.202.189.90]: 554 5.7.1 Service unavailable; Client host 
> [64.202.189.90] blocked using dnsbl-1.uceprotect.net; IP 64.202.189.90 is 
> UCEPROTECT-Level 1 listed. See  
> http://www.uceprotect.net/rblcheck.php?ipr=64.202.189.90;  
> from= to= proto=SMTP 
> helo=
> Feb  8 22:36:57 server postfix/smtpd[26671]: disconnect from  
> unknown[64.202.189.90]
>
> Now I was playing with timestamps on the .db files, so if it detects  
> this does this mean the whitelist is ignored due to the error hence the 
> answer?  I just postmap the source files again to be sure, I assume its a 
> warning only?

Why were you playing with timestamps?  The warning means what it says; the
.db file was created during your last postmap; any changes to the source file
after that postmap are ignored.  So if you added the OK for a particular
client after your last postmap (at the time of the warning), that would 
explain your problem.

And as you've already been warned, it is dangerous to use UCEPROTECT to
reject at SMTP.

-- 
Sahil Tandon 


RE: whitelisting not working

2009-02-08 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of 
> webmas...@aus-city.com
> Sent: Monday, 9 February 2009 3:21 PM
> To: postfix-users@postfix.org; Sahil Tandon
> Cc: postfix-users@postfix.org
> Subject: Re: whitelisting not working
> >
> 
> Sorry I forgot to ask another question...
> 
> The whitelist (assuming its the silly timestamp mismatch 
> causing the issue), can you whitelist actual email addresses 
> as well as the SMTP servers?
> 
> For instance if I have a friend like myfri...@hisdomain.com  
> can you put target email addresses in the whitelist and they pass?
> 

http://www.postfix.org/postconf.5.html#check_sender_access - check the
examples at the end of this section


It is not recommended that you do that globally, since everyone can
forge an envelope sender address. You're better off OKing a specific
client.



Re: whitelisting not working

2009-02-08 Thread webmaster

Quoting Sahil Tandon :


On Mon, 09 Feb 2009, David Cottle wrote:


Yes all the files (whitelist, check_backscatterer and
check_spamcannibal) have been postmap.

I assume that as long as the whitelist is done first, anything that
is ok in the file simply should 'brute force' past the rest of the
checks, no matter how many?


If an access table within smtpd_client_restrictions evaluates to OK, smtpd(8)
skips the remaining client_restrictions.  However, one of the following
smtpd_mumble_restrictions might still trigger a REJECT.  Please show
'postconf -n' and some relevant excerpts from your log.

--
Sahil Tandon 



Sorry I forgot to ask another question...

The whitelist (assuming its the silly timestamp mismatch causing the  
issue), can you whitelist actual email addresses as well as the SMTP  
servers?


For instance if I have a friend like myfri...@hisdomain.com  can you  
put target email addresses in the whitelist and they pass?


I realise if so there can be forgeries, so you would not want to list  
like @hisdomain.com


I wondered this?

PS - my mail logs no longer show the whitelist warning, so I assume  
that means the whitelist is processing now?  Unfortunately I can't  
test my friend's server as he has used up his daily 1000 emails so my  
test mails are stuck in the queue awaiting his quota reset.


Thanks again!

David


Re: whitelisting not working

2009-02-08 Thread webmaster

Quoting Sahil Tandon :


On Mon, 09 Feb 2009, David Cottle wrote:


Yes all the files (whitelist, check_backscatterer and
check_spamcannibal) have been postmap.

I assume that as long as the whitelist is done first, anything that
is ok in the file simply should 'brute force' past the rest of the
checks, no matter how many?


If an access table within smtpd_client_restrictions evaluates to OK, smtpd(8)
skips the remaining client_restrictions.  However, one of the following
smtpd_mumble_restrictions might still trigger a REJECT.  Please show
'postconf -n' and some relevant excerpts from your log.

--
Sahil Tandon 



Hi Sahil,

Here is the log:

Feb  9 09:36:55 server postfix/smtpd[26671]: warning: database  
/etc/postfix/whitelist.db is older than source file  
/etc/postfix/whitelist
Feb  9 09:36:55 server postfix/smtpd[26671]: connect from  
unknown[64.202.189.90]
Feb  8 22:36:57 server postfix/smtpd[26671]: NOQUEUE: reject: RCPT  
from unknown[64.202.189.90]: 554 5.7.1 Service unavailable; Client  
host [64.202.189.90] blocked using dnsbl-1.uceprotect.net; IP  
64.202.189.90 is UCEPROTECT-Level 1 listed. See  
http://www.uceprotect.net/rblcheck.php?ipr=64.202.189.90;  
from= to=  
proto=SMTP helo=
Feb  8 22:36:57 server postfix/smtpd[26671]: disconnect from  
unknown[64.202.189.90]


Now I was playing with timestamps on the .db files, so if it detects  
this does this mean the whitelist is ignored due to the error hence  
the answer?  I just postmap the source files again to be sure, I  
assume its a warning only?


Here is my postconf dump:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost, localhost.localdomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = check_client_access  
hash:/etc/postfix/whitelist, check_client_access  
hash:/etc/postfix/check_backscatterer, check_client_access  
hash:/etc/postfix/check_spamcannibal, reject_rbl_client  
bl.spamcop.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client  
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,  
reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client  
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,  
reject_rbl_client 2.0.0.127.b.barracudacentral.org
smtpd_recipient_restrictions = permit_mynetworks,  
permit_sasl_authenticated, reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access  
hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender

smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps,  
hash:/var/spool/postfix/plesk/virtual_domains

virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110


Lastly is my updated check_ files correct?  I want to only filter  
emails from <>, postmaster and MAILER_DAEMON


<> reject_rbl_client bl.spamcannibal.org
postmaster reject_rbl_client bl.spamcannibal.org
MAILER-DAEMON reject_rbl_client bl.spamcannibal.org

and

<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org

Thanks again!


Re: result_attribute on ldap query

2009-02-08 Thread Victor Duchovni
On Sun, Feb 08, 2009 at 06:38:31PM -0500, Manuel Mely wrote:

> Hi,
>
> I'm configuring postfix to use LDAP as backend db. I have to deal
> with something that i don't know how to do.
>
> For example, i have this conf file:
>
> server_host = localhost
> server_port = 389
> bind = yes
> bind_dn = cn=admin,dc=foobar,dc=com
> bind_pw = aaa
> cache = no
> search_base = o=hosting,dc=foobar,dc=com
> query_filter = 
> (&(&(objectClass=VirtualMailAccount)(mail=%s))(permitFrom=inet)(accountActive=TRUE)(delete=FALSE))
> result_attribute = final
> version = 3
>
> "final" is the name of a postfix class, and i have the same attribute for 
> all my users, as i want to simplify this (i mean delete this attr for all 
> my users) i was thinking in create something like 
> "dc=postfix,o=hosting,dc=foobar,dc=cu" and there i will put this attribute 
> (i have many attributes that are classes in postfix), but i don't know if i 
> can tell my conf file that "result_attribute" is in other part of the 
> DIT... something like "result_attribute= cn=final,dc=postfix ..." i think i 
> can't; this is an ldap stuff. Any idea?

Postfix LDAP table support is described in detail in:

http://www.postfix.org/ldap_table.5.html

if a feature is not described there, it does not exist.

-- 
Viktor.



Re: whitelisting not working

2009-02-08 Thread Duane Hill

-d

On Mon, 9 Feb 2009, David Cottle wrote:


I have got RBL tests and I got a client on godaddy.  Naturally their
outgoing server (secureserver.net) is listed.  I made changes to postfix
but its still rejecting, here is the extract of the main.cf and the rules.

I don't understand why its not working..  If I remove all the rbl checks
the emails arrive..

Any ideas?

Here is the configs that apply:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_client_access
hash:/etc/postfix/check_backscatterer, check_client_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client bl.spamcop.net,
reject_rbl_client pbl.spamhaus.org, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,


Why are you doing three DNS queries when you can do one with:

reject_rbl_client zen.spamhaus.org


reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,


Here, these are only worth scoring in SpamAssassin. There is no way I 
would reject on them at the MTA level.



reject_rbl_client 2.0.0.127.b.barracudacentral.org



the /etc/postfix/whitelist file (yes its been mapped to .cf)

k2smtpout01-01.prod.mesa1.secureserver.net OK
k2smtpout02-01.prod.mesa1.secureserver.net OK
k2smtpout03-01.prod.mesa1.secureserver.net OK
k2smtpout04-01.prod.mesa1.secureserver.net OK
k2smtpout05-01.prod.mesa1.secureserver.net OK
k2smtpout06-01.prod.mesa1.secureserver.net OK



the check_backscatterer (also mapped)

<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org


the check_spamcannibal (also mapped)

<> reject_rbl_client bl.spamcannibal.org
postmaster reject_rbl_client bl.spamcannibal.org
MAILER-DAEMON reject_rbl_client bl.spamcannibal.org


Re: whitelisting not working

2009-02-08 Thread Sahil Tandon
On Mon, 09 Feb 2009, David Cottle wrote:

> Yes all the files (whitelist, check_backscatterer and  
> check_spamcannibal) have been postmap.
>
> I assume that as long as the whitelist is done first, anything that  
> is ok in the file simply should 'brute force' past the rest of the  
> checks, no matter how many?

If an access table within smtpd_client_restrictions evaluates to OK, smtpd(8)
skips the remaining client_restrictions.  However, one of the following
smtpd_mumble_restrictions might still trigger a REJECT.  Please show
'postconf -n' and some relevant excerpts from your log. 

-- 
Sahil Tandon 


Re: reject_unverified_sender vs greylisting

2009-02-08 Thread Wietse Venema
João Miguel Neves:
> Good evening,
> 
> I recently enabled reject_unverified_sender in my postfix configuration,
> but it seems like it fails when the server against which the sender is
> verified uses greylisting. I've been getting log entries like (@ were
> replaced by _AT_):
> 
> Feb  8 07:56:49 atlas postfix/smtpd[25949]: NOQUEUE: reject: RCPT from
> cpe-71-66-121-221.neo.res.rr.com[71.66.121.221]: 450 4.1.7  _AT_ xave.org>: Sender address rejected: unverified address: host
> mail.odwulf.net[88.191.13.232] said: 450 4.2.0  xave.org>: Recipient address rejected: Greylisted, see
> http://postgrey.schweikert.ch/help/xave.org.html (in reply to RCPT TO
> command); from= to= agr848.org> proto=ESMTP helo=
> 
> Is that the expected behaviour? I'd expect that if
> reject_unverified_sender encounters a soft bounce like this, that the
> message should be queued for later testing. Is it possible to implement
> this somehow?

Yes, the message is queued. It is queued at the SENDER side.

Wietse


reject_unverified_sender vs greylisting

2009-02-08 Thread João Miguel Neves
Good evening,

I recently enabled reject_unverified_sender in my postfix configuration,
but it seems like it fails when the server against which the sender is
verified uses greylisting. I've been getting log entries like (@ were
replaced by _AT_):

Feb  8 07:56:49 atlas postfix/smtpd[25949]: NOQUEUE: reject: RCPT from
cpe-71-66-121-221.neo.res.rr.com[71.66.121.221]: 450 4.1.7 : Sender address rejected: unverified address: host
mail.odwulf.net[88.191.13.232] said: 450 4.2.0 : Recipient address rejected: Greylisted, see
http://postgrey.schweikert.ch/help/xave.org.html (in reply to RCPT TO
command); from= to= proto=ESMTP helo=

Is that the expected behaviour? I'd expect that if
reject_unverified_sender encounters a soft bounce like this, that the
message should be queued for later testing. Is it possible to implement
this somehow?

Thanks in advance,
João Miguel Neves

-- 
Intraneia
http://www.intraneia.com/

Free Software support
Software and website translation/localization
Software development

At your service...



Re: whitelisting not working

2009-02-08 Thread David Cottle



Sent from my iPhone

On 09/02/2009, at 11:12, Terry Carmen  wrote:




David Cottle wrote:



Sent from my iPhone

On 09/02/2009, at 10:38, Terry Carmen  wrote:




David Cottle wrote:


Hi,

I have got RBL tests and I got a client on godaddy.  Naturally  
their
outgoing server (secureserver.net) is listed.  I made changes to  
postfix
but its still rejecting, here is the extract of the main.cf and  
the rules.


I don't understand why its not working..  If I remove all the rbl  
checks

the emails arrive..

Any ideas?

Here is the configs that apply:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_client_access
hash:/etc/postfix/check_backscatterer, check_client_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client  
bl.spamcop.net,

reject_rbl_client pbl.spamhaus.org, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
reject_rbl_client 2.0.0.127.b.barracudacentral.org



the /etc/postfix/whitelist file (yes its been mapped to .cf)


Assuming you're making a hash file, postmap outputs a ".db" file.

Terry



Hi Terry,

Yes all the files (whitelist, check_backscatterer and  
check_spamcannibal) have been postmap.


I assume that as long as the whitelist is done first, anything that  
is ok in the file simply should 'brute force' past the rest of the  
checks, no matter how many?


My point was that postmap outputs a db file, and  
"check_client_access hash:/etc/postfix/whitelist" looks for /etc/ 
postfix/whitelist.db, while you stated that you "mapped" (renamed?)  
the file to .cf, which is not what postfix is looking for. This  
means that it will not find your whitelist file.


Terry



Hi Terry,

The files were all done with:

postmap /etc/postfix/whitelist
postmap /etc/postfix/check_backscatterer
postmap /etc/postfix/check_spamcannibal

I simply meant I had done this when I said I have already mapped them  
using postmap.


Also are my check_backscatterer and check_spamcannibal checks correct?

The original script parses emails only from <> and postmaster, I  
added the MAILER_DAEMON as well.


I was hoping it would be some syntax wrong in the main.cf or  
particularly the check_ db's


Thanks!
David


Re: Virtual domains + address rewriting + transport ?

2009-02-08 Thread Tony Demark


On Feb 8, 2009, at 6:10 PM, Wietse Venema wrote:

To make this work without false matches, you will need to enumerate
the user names.

/^(user1|user2|user3)(-.+)?...@example\.com$/$...@example.com
/^(user4|user5|user6)(-.+)?...@example\.com$/$...@example.com

False positives will cause your machine to accept spam, find out
that Google rejects the non-existent username, and then your Postfix
will try to return the spam to people who did not send it.


I have the Google account set to silently drop any email whose address  
doesn't exist.


Not nearly as good as killing the message during the initial  
conversation, but at least there is no backscatter. Once things settle  
down a little, I'll probably go back and enumerate the user names.


Thanks.


Re: whitelisting not working

2009-02-08 Thread Terry Carmen



David Cottle wrote:



Sent from my iPhone

On 09/02/2009, at 10:38, Terry Carmen  wrote:




David Cottle wrote:


Hi,

I have got RBL tests and I got a client on godaddy.  Naturally their
outgoing server (secureserver.net) is listed.  I made changes to 
postfix
but its still rejecting, here is the extract of the main.cf and the 
rules.


I don't understand why its not working..  If I remove all the rbl 
checks

the emails arrive..

Any ideas?

Here is the configs that apply:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_client_access
hash:/etc/postfix/check_backscatterer, check_client_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client bl.spamcop.net,
reject_rbl_client pbl.spamhaus.org, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
reject_rbl_client 2.0.0.127.b.barracudacentral.org



the /etc/postfix/whitelist file (yes its been mapped to .cf)


Assuming you're making a hash file, postmap outputs a ".db" file.

Terry



Hi Terry,

Yes all the files (whitelist, check_backscatterer and 
check_spamcannibal) have been postmap.


I assume that as long as the whitelist is done first, anything that is 
ok in the file simply should 'brute force' past the rest of the 
checks, no matter how many?


My point was that postmap outputs a db file, and "check_client_access 
hash:/etc/postfix/whitelist" looks for /etc/postfix/whitelist.db, while 
you stated that you "mapped" (renamed?) the file to .cf, which is not 
what postfix is looking for. This means that it will not find your 
whitelist file.


Terry
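
Added example, not part of any poster's message: a check for the two table problems raised in this thread, a hash: table with no .db file beside it (Terry's point above) and a .db that is older than its source (the smtpd warning in the log quoted elsewhere on this page). The function name `stale_maps`, the status words and the sample files are assumptions made for this illustration; the sample main.cf and timestamps are constructed.

```shell
#!/bin/sh
# Added example: report Postfix hash: tables whose compiled .db is missing
# or older than the source file.

# stale_maps MAIN_CF
# Prints "STATUS source-path" for every hash:/path table named in MAIN_CF:
#   NOSOURCE  the text source file does not exist
#   MISSING   no source.db beside it (postmap never run, or output renamed)
#   STALE     source modified after the last postmap
stale_maps() {
    # Drop comment lines, then collect each hash:/path token, including
    # those on continuation lines of a long restriction list.
    grep -v '^[[:space:]]*#' "$1" |
    grep -o 'hash:/[^,[:space:]]*' |
    sed 's/^hash://' | sort -u |
    while IFS= read -r src; do
        if [ ! -e "$src" ]; then
            printf 'NOSOURCE %s\n' "$src"
        elif [ ! -e "$src.db" ]; then
            printf 'MISSING %s\n' "$src"
        elif [ "$src" -nt "$src.db" ]; then
            printf 'STALE %s\n' "$src"
        fi
    done
}

# Constructed sample: a temporary directory standing in for /etc/postfix,
# with one stale table, one current table and one never compiled.
demo_stale_maps() {
    d=$(mktemp -d) || return 1
    cat > "$d/main.cf" <<EOF
# constructed sample modelled on the restriction list in this thread
smtpd_client_restrictions = check_client_access
  hash:$d/whitelist, check_client_access
  hash:$d/check_backscatterer, check_client_access
  hash:$d/check_spamcannibal, reject_rbl_client zen.spamhaus.org
EOF
    touch -t 200902082236 "$d/whitelist.db"            # compiled first
    touch -t 200902090936 "$d/whitelist"               # source edited later
    touch -t 200902080900 "$d/check_backscatterer"
    touch -t 200902080901 "$d/check_backscatterer.db"  # up to date
    touch -t 200902080900 "$d/check_spamcannibal"      # never compiled
    stale_maps "$d/main.cf" | sed "s|$d/||"            # show names only
    rm -rf "$d"
}

demo_stale_maps
```

On a live system, point `stale_maps` at the real main.cf and run postmap on each source it reports.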



Re: whitelisting not working

2009-02-08 Thread David Cottle



Sent from my iPhone

On 09/02/2009, at 10:38, Terry Carmen  wrote:




David Cottle wrote:


Hi,

I have got RBL tests and I got a client on godaddy.  Naturally their
outgoing server (secureserver.net) is listed.  I made changes to  
postfix
but its still rejecting, here is the extract of the main.cf and the  
rules.


I don't understand why its not working..  If I remove all the rbl  
checks

the emails arrive..

Any ideas?

Here is the configs that apply:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_client_access
hash:/etc/postfix/check_backscatterer, check_client_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client  
bl.spamcop.net,

reject_rbl_client pbl.spamhaus.org, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
reject_rbl_client 2.0.0.127.b.barracudacentral.org



the /etc/postfix/whitelist file (yes its been mapped to .cf)


Assuming you're making a hash file, postmap outputs a ".db" file.

Terry



Hi Terry,

Yes all the files (whitelist, check_backscatterer and  
check_spamcannibal) have been postmap.


I assume that as long as the whitelist is done first, anything that is  
ok in the file simply should 'brute force' past the rest of the  
checks, no matter how many?


Thanks!


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Jorey Bump
Victor Duchovni wrote, at 02/08/2009 03:37 PM:
> On Sun, Feb 08, 2009 at 09:08:32PM +0100, mouss wrote:
> 
>> No, I was referring to the "Sent" folder, populated by the MUA, either
>> in a local disk or using IMAP.
> 
> I know some people clever-enough to set "Sent == Inbox", yes this is not
> very common.

I do this, and also use the Thunderbird feature "Place replies in the
folder of the message being replied to" to keep the entire thread in a
single folder. This makes it a lot easier to review the thread in
progress and then properly archive it.

> I personally have rules that tag outgoing mail into non-default Fcc
> folders, replies are moved there too, and correct threading is expected.
> 
> Still, clearly this will do only modest harm if any for some sets of users.

Some MUAs are better than others at organizing threads. Nonetheless, I'd
be more than a little miffed if an admin broke threading and justified
it because most users are unaware of the feature.




Re: whitelisting not working

2009-02-08 Thread Terry Carmen



David Cottle wrote:

> Hi,
>
> I have got RBL tests and I got a client on godaddy.  Naturally their
> outgoing server (secureserver.net) is listed.  I made changes to postfix
> but it's still rejecting, here is the extract of the main.cf and the rules.
>
> I don't understand why it's not working..  If I remove all the rbl checks
> the emails arrive..
>
> Any ideas?
>
> Here is the configs that apply:
>
> smtpd_client_restrictions = check_client_access
> hash:/etc/postfix/whitelist, check_client_access
> hash:/etc/postfix/check_backscatterer, check_client_access
> hash:/etc/postfix/check_spamcannibal, reject_rbl_client bl.spamcop.net,
> reject_rbl_client pbl.spamhaus.org, reject_rbl_client
> sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
> reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
> dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
> reject_rbl_client 2.0.0.127.b.barracudacentral.org
>
> the /etc/postfix/whitelist file (yes it's been mapped to .cf)
  

Assuming you're making a hash file, postmap outputs a ".db" file.

Terry



Re: whitelisting not working

2009-02-08 Thread David Cottle



On 09/02/2009, at 10:09, Sahil Tandon wrote:

> On Mon, 09 Feb 2009, David Cottle wrote:
>
>> I have got RBL tests and I got a client on godaddy.  Naturally their
>> outgoing server (secureserver.net) is listed.  I made changes to postfix
>> but it's still rejecting, here is the extract of the main.cf and the rules.
>>
>> I don't understand why it's not working..  If I remove all the rbl checks
>> the emails arrive..
>>
>> Any ideas?
>>
>> Here is the configs that apply:
>
> Show 'postconf -n' instead of snippets from main.cf.  Also provide some logs
> related to the problem.
>
> --
> Sahil Tandon

Hi Sahil,

Difficult as I am away from any access except my iPhone for a week.

I only sent that part as that is what is affecting it, it's all in the
recipient client line.

I was thinking it's too long, or my whitelist command or the
check_backscatterer or check_spamcannibal statements are wrong?

Simply removing the blacklisting rbl servers off that recipient client
line and leaving the others and emails arrive so I know that is where
the problem is.

Does the whitelist match the sending SMTP servers by name or IP?

I have confirmed they are correct by removing the blacklisting servers
and looking then at the received emails.

For some reason the whitelisting is not working or the OK is being
ignored or overwritten (these ips are on like about 3 to 4 of the rbl
servers).

I can certainly dump a postfix -n and put it on a www page (iPhone
does not cut and paste) and could copy my mail log if needed.


Thanks!
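
On the name-or-IP question in the message above, an added example that is not part of the thread: a simplified Python model of the search order documented for a Postfix `check_client_access` table (client hostname, parent domains, client IP address, then networks made by stripping trailing octets), followed by a stand-in RBL check. The 192.0.2.10 address, the listed-address set and all helper names are constructed for illustration.

```python
"""Simplified model of a Postfix check_client_access lookup (IPv4 only).

Added illustration, not Postfix code. Helper names and sample data are
constructed; 192.0.2.10 is a documentation address.
"""


def client_lookup_keys(hostname, ip):
    """Keys in the order the access table is searched for one client."""
    keys = []
    # Postfix uses the client name "unknown" when the reverse lookup fails
    # or the name does not resolve back to the connecting address. In that
    # case only the address-based keys can match.
    if hostname and hostname != "unknown":
        labels = hostname.lower().split(".")
        # Full hostname first, then each parent domain (the default
        # parent_domain_matches_subdomains value lists smtpd_access_maps).
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    # Full address, then networks obtained by dropping the last octet.
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys


def check_client_access(table, hostname, ip):
    """Return the action of the first key found, or None (no decision)."""
    for key in client_lookup_keys(hostname, ip):
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, hostname, ip):
    """Walk one restriction list; the first OK or REJECT ends that list.

    An OK only ends the list it appears in. RBL checks placed in another
    restriction list would still run.
    """
    for check in restrictions:
        result = check(hostname, ip)
        if result in ("OK", "REJECT"):
            return result
    return "OK"  # nothing in this list objected


# Whitelist keyed by hostname, in the style of the file shown in the thread.
WHITELIST_BY_NAME = {"k2smtpout01-01.prod.mesa1.secureserver.net": "OK"}
# The same whitelist with an address key added (constructed address).
WHITELIST_WITH_IP = {**WHITELIST_BY_NAME, "192.0.2.10": "OK"}
# Stand-in for reject_rbl_client: pretend this address is listed.
LISTED = {"192.0.2.10"}


def rbl(hostname, ip):
    return "REJECT" if ip in LISTED else None


def restrictions_for(table):
    """Whitelist lookup first, then the RBL stand-in."""
    return [lambda h, i: check_client_access(table, h, i), rbl]


if __name__ == "__main__":
    name = "k2smtpout01-01.prod.mesa1.secureserver.net"
    cases = [
        ("name key, verified hostname", WHITELIST_BY_NAME, name),
        ("name key, hostname unknown", WHITELIST_BY_NAME, "unknown"),
        ("IP key, hostname unknown", WHITELIST_WITH_IP, "unknown"),
    ]
    for label, table, host in cases:
        print(label, "->", evaluate(restrictions_for(table), host, "192.0.2.10"))
```

A hostname key only matches when the client name Postfix logs is that verified hostname; the logged client name and address in the reject line show which keys could have matched.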


result_attribute on ldap query

2009-02-08 Thread Manuel Mely

Hi,

I'm configuring postfix to use LDAP as backend db. I have to deal
with something that I don't know how to do.

For example, I have this conf file:

server_host = localhost
server_port = 389
bind = yes
bind_dn = cn=admin,dc=foobar,dc=com
bind_pw = aaa
cache = no
search_base = o=hosting,dc=foobar,dc=com
query_filter = (&(&(objectClass=VirtualMailAccount)(mail=%s))(permitFrom=inet)(accountActive=TRUE)(delete=FALSE))

result_attribute = final
version = 3

"final" is the name of a postfix class, and I have the same attribute
for all my users. As I want to simplify this (I mean delete this attr
for all my users), I was thinking of creating something like
"dc=postfix,o=hosting,dc=foobar,dc=cu" and putting this attribute
there (I have many attributes that are classes in postfix), but I
don't know if I can tell my conf file that "result_attribute" is in
another part of the DIT... something like "result_attribute=
cn=final,dc=postfix ..." I think I can't; this is LDAP stuff. Any
idea?





Re: Virtual domains + address rewriting + transport ?

2009-02-08 Thread Wietse Venema
Tony Demark:
> >> If the original server gets an email addressed to 'me-
> >> foo...@example.com', I need the email to be relayed to
> >> 'm...@example.com', not 'me-foo...@example.com'.
> >
> > /^(.+)(-.+)?...@example\.com$/$...@example.com
> >
> 
> OK ... I think I got this figured out. It ended up that the searches I  
> was referencing for configuration were from 2002 ... things have  
> changed somewhat since then. Combine that with a typo in a file name  
> and things really start not adding up.
> 
> I started fresh with an unused domain, used only the official docs,  
> and got it working. Sometimes you end up so far down the wrong path,  
> it's hard to comprehend just how far you have to backtrack to right  
> yourself, even if you have access to the best and brightest!

To make this work without false matches, you will need to enumerate
the user names.

/^(user1|user2|user3)(-.+)?...@example\.com$/$...@example.com
/^(user4|user5|user6)(-.+)?...@example\.com$/$...@example.com

False positives will cause your machine to accept spam, find out
that Google rejects the non-existent username, and then your Postfix
will try to return the spam to people who did not send it.

Wietse


Re: whitelisting not working

2009-02-08 Thread Sahil Tandon
On Mon, 09 Feb 2009, David Cottle wrote:

> I have got RBL tests and I got a client on godaddy.  Naturally their
> outgoing server (secureserver.net) is listed.  I made changes to postfix
> but it's still rejecting, here is the extract of the main.cf and the rules.
> 
> I don't understand why it's not working..  If I remove all the rbl checks
> the emails arrive..
> 
> Any ideas?
> 
> Here is the configs that apply:

Show 'postconf -n' instead of snippets from main.cf.  Also provide some logs
related to the problem.

-- 
Sahil Tandon 


whitelisting not working

2009-02-08 Thread David Cottle

Hi,

I have got RBL tests and I got a client on godaddy.  Naturally their
outgoing server (secureserver.net) is listed.  I made changes to postfix
but it's still rejecting, here is the extract of the main.cf and the rules.

I don't understand why it's not working..  If I remove all the rbl checks
the emails arrive..

Any ideas?

Here is the configs that apply:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_client_access
hash:/etc/postfix/check_backscatterer, check_client_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client bl.spamcop.net,
reject_rbl_client pbl.spamhaus.org, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
reject_rbl_client 2.0.0.127.b.barracudacentral.org



the /etc/postfix/whitelist file (yes it's been mapped to .cf)

k2smtpout01-01.prod.mesa1.secureserver.net OK
k2smtpout02-01.prod.mesa1.secureserver.net OK
k2smtpout03-01.prod.mesa1.secureserver.net OK
k2smtpout04-01.prod.mesa1.secureserver.net OK
k2smtpout05-01.prod.mesa1.secureserver.net OK
k2smtpout06-01.prod.mesa1.secureserver.net OK



the check_backscatterer (also mapped)

<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org


the check_spamcannibal (also mapped)

<> reject_rbl_client bl.spamcannibal.org
postmaster reject_rbl_client bl.spamcannibal.org
MAILER-DAEMON reject_rbl_client bl.spamcannibal.org



Thanks!



Re: Virtual domains + address rewriting + transport ?

2009-02-08 Thread mouss
Tony Demark wrote:
> 
> On Feb 8, 2009, at 2:31 PM, Wietse Venema wrote:
> 
>> Tony Demark:
>>> I would like to move some of my virtual domains to have their email
>>> hosted via a "Google for Domains" account. While there are only a
>>> handful of accounts, most of the accounts have many aliases and have
>>> used '-' as a recipient delimiter for years. As such, the actual
>>> number of addresses is probably in the thousands. Since Google uses
>>> '+' as the recipient delimiter, there is no easy way to just switch
>>> the domains over. I would like to use my Postfix server to filter /
>>> rewrite incoming addresses and then relay them on to Google, with my
>>> server being the MX server for the domain and using a smtp "transport"
>>> entry to direct the messages to the right place.
>>
>> http://www.postfix.org/virtual.5.html
>> http://www.postfix.org/pcre_table.5.html
> 
> I tried PCREs at one point, and got close, but I kept hitting a wall
> that original left hand side of the address would get relayed to the new
> server, as opposed to the one that was specified in the virtual table. 
> For example:
> 
> virtural_regex:
> /^(.*?)-(.*)@example.com$/$...@example.com
> 
> If the original server gets an email addressed to
> 'me-foo...@example.com', I need the email to be relayed to
> 'm...@example.com', not 'me-foo...@example.com'.
> 

you can test lookups using 'postmap -q'.


/^(me)-...@example\.com$/   m...@example.com

do this for all valid addresses.


If you use a wildcard like

/^([^-]+)-...@example\.com$/$...@example.com

you will break recipient validation and your postfix will accept mail
for any doesnotexist-ran...@example.com.
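
The point made in this reply, and in Wietse Venema's reply about enumerating user names, as an added Python example that is not from the thread: a small emulation of a regexp-style virtual alias lookup that compares a wildcard rule with an enumerated one. The user names, patterns and addresses are constructed for illustration and are not restorations of the patterns the archive has truncated; Python's `\1` stands in for the table's `$1`.

```python
"""Wildcard vs. enumerated rewrite rules for a '-' recipient delimiter.

Added illustration, not Postfix code. All names and addresses are
constructed sample data.
"""
import re

# The only mailboxes that exist at the destination (constructed).
VALID_USERS = ("alice", "bob")

# Wildcard rule: whatever precedes the first '-' is taken as the user name.
WILDCARD_TABLE = [
    (re.compile(r"^([^-@]+)-[^@]*@example\.com$"), r"\1@example.com"),
]

# Enumerated rule: only known user names may carry a '-extension'.
ENUMERATED_TABLE = [
    (
        re.compile(
            r"^(%s)(-[^@]*)?@example\.com$"
            % "|".join(re.escape(user) for user in VALID_USERS)
        ),
        r"\1@example.com",
    ),
]


def lookup(table, address):
    """Return the rewritten address of the first matching rule, else None.

    None models a lookup miss: the gateway has no result for the
    recipient and can reject it during the SMTP session.
    """
    for pattern, replacement in table:
        match = pattern.match(address.lower())
        if match:
            return match.expand(replacement)
    return None


def accepted_but_undeliverable(table, addresses):
    """Recipients the table accepts although the rewritten mailbox does
    not exist, i.e. mail that would be relayed and later bounced."""
    problems = []
    for address in addresses:
        target = lookup(table, address)
        if target is not None and target.split("@")[0] not in VALID_USERS:
            problems.append((address, target))
    return problems


# Constructed recipient addresses as a spammer's dictionary run might send.
SAMPLE_RCPTS = [
    "alice-lists@example.com",
    "bob-shop-2009@example.com",
    "nosuchuser-abc123@example.com",
    "x-y@example.com",
]

if __name__ == "__main__":
    for name, table in (("wildcard", WILDCARD_TABLE),
                        ("enumerated", ENUMERATED_TABLE)):
        print(name)
        for rcpt in SAMPLE_RCPTS:
            print("  %-32s -> %s" % (rcpt, lookup(table, rcpt)))
        print("  accepted but undeliverable:",
              accepted_but_undeliverable(table, SAMPLE_RCPTS))
```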





Re: Virtual domains + address rewriting + transport ?

2009-02-08 Thread Tony Demark


On Feb 8, 2009, at 4:23 PM, Wietse Venema wrote:

> Tony Demark:
>>
>> On Feb 8, 2009, at 2:31 PM, Wietse Venema wrote:
>>
>>> Tony Demark:
>>>> I would like to move some of my virtual domains to have their email
>>>> hosted via a "Google for Domains" account. While there are only a
>>>> handful of accounts, most of the accounts have many aliases and have
>>>> used '-' as a recipient delimiter for years. As such, the actual
>>>> number of addresses is probably in the thousands. Since Google uses
>>>> '+' as the recipient delimiter, there is no easy way to just switch
>>>> the domains over. I would like to use my Postfix server to filter /
>>>> rewrite incoming addresses and then relay them on to Google, with my
>>>> server being the MX server for the domain and using a smtp
>>>> "transport"
>>>> entry to direct the messages to the right place.
>>>
>>> http://www.postfix.org/virtual.5.html
>>> http://www.postfix.org/pcre_table.5.html
>>
>> I tried PCREs at one point, and got close, but I kept hitting a wall
>> that original left hand side of the address would get relayed to the
>> new server, as opposed to the one that was specified in the virtual
>> table.  For example:
>>
>> virtural_regex:
>> /^(.*?)-(.*)@example.com$/$...@example.com
>>
>> If the original server gets an email addressed to 'me-
>> foo...@example.com', I need the email to be relayed to
>> 'm...@example.com', not 'me-foo...@example.com'.
>
> /^(.+)(-.+)?...@example\.com$/$...@example.com

OK ... I think I got this figured out. It ended up that the searches I
was referencing for configuration were from 2002 ... things have
changed somewhat since then. Combine that with a typo in a file name
and things really start not adding up.

I started fresh with an unused domain, used only the official docs,
and got it working. Sometimes you end up so far down the wrong path,
it's hard to comprehend just how far you have to backtrack to right
yourself, even if you have access to the best and brightest!


Thanks for the help.




Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread mouss
Victor Duchovni wrote:
> On Sun, Feb 08, 2009 at 09:08:32PM +0100, mouss wrote:
> 
>> No, I was referring to the "Sent" folder, populated by the MUA, either
>> in a local disk or using IMAP.
> 
> I know some people clever-enough to set "Sent == Inbox", yes this is not
> very common.
> 
> I personally have rules that tag outgoing mail into non-default Fcc
> folders, replies are moved there too, and correct threading is expected.
> 
> Still, clearly this will do only modest harm if any for some sets of users.
> 

I just enabled this here. I tested and it looks like it works (threads
not broken) on
- Thunderbird
- kmail
- Claws

but are broken on Evolution.

PS. In the message-id, claws uses the hostname, while TB and kmail use
the sender domain.
Note that the test used a test folder which only contains the test
messages. I have no idea if threads will still be correctly detected
with a folder full of mail.

I would conjecture that it "works" because the response comes from a
user listed in the recipients of the original mail. so threads would
break if a message is sent to a group alias (or a list) or if the
recipient responds with a different address. I might test this...




Re: Virtual domains + address rewriting + transport ?

2009-02-08 Thread Wietse Venema
Tony Demark:
> 
> On Feb 8, 2009, at 2:31 PM, Wietse Venema wrote:
> 
> > Tony Demark:
> >> I would like to move some of my virtual domains to have their email
> >> hosted via a "Google for Domains" account. While there are only a
> >> handful of accounts, most of the accounts have many aliases and have
> >> used '-' as a recipient delimiter for years. As such, the actual
> >> number of addresses is probably in the thousands. Since Google uses
> >> '+' as the recipient delimiter, there is no easy way to just switch
> >> the domains over. I would like to use my Postfix server to filter /
> >> rewrite incoming addresses and then relay them on to Google, with my
> >> server being the MX server for the domain and using a smtp  
> >> "transport"
> >> entry to direct the messages to the right place.
> >
> > http://www.postfix.org/virtual.5.html
> > http://www.postfix.org/pcre_table.5.html
> 
> I tried PCREs at one point, and got close, but I kept hitting a wall  
> that original left hand side of the address would get relayed to the  
> new server, as opposed to the one that was specified in the virtual  
> table.  For example:
> 
> virtural_regex:
> /^(.*?)-(.*)@example.com$/$...@example.com
> 
> If the original server gets an email addressed to 'me- 
> foo...@example.com', I need the email to be relayed to  
> 'm...@example.com', not 'me-foo...@example.com'.

/^(.+)(-.+)?...@example\.com$/$...@example.com

Wietse


Re: Virtual domains + address rewriting + transport ?

2009-02-08 Thread Tony Demark


On Feb 8, 2009, at 2:31 PM, Wietse Venema wrote:

> Tony Demark:
>> I would like to move some of my virtual domains to have their email
>> hosted via a "Google for Domains" account. While there are only a
>> handful of accounts, most of the accounts have many aliases and have
>> used '-' as a recipient delimiter for years. As such, the actual
>> number of addresses is probably in the thousands. Since Google uses
>> '+' as the recipient delimiter, there is no easy way to just switch
>> the domains over. I would like to use my Postfix server to filter /
>> rewrite incoming addresses and then relay them on to Google, with my
>> server being the MX server for the domain and using a smtp
>> "transport"
>> entry to direct the messages to the right place.
>
> http://www.postfix.org/virtual.5.html
> http://www.postfix.org/pcre_table.5.html

I tried PCREs at one point, and got close, but I kept hitting a wall
that original left hand side of the address would get relayed to the
new server, as opposed to the one that was specified in the virtual
table.  For example:

virtural_regex:
/^(.*?)-(.*)@example.com$/$...@example.com

If the original server gets an email addressed to 'me-
foo...@example.com', I need the email to be relayed to
'm...@example.com', not 'me-foo...@example.com'.


Thanks.


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Victor Duchovni
On Sun, Feb 08, 2009 at 09:08:32PM +0100, mouss wrote:

> No, I was referring to the "Sent" folder, populated by the MUA, either
> in a local disk or using IMAP.

I know some people clever-enough to set "Sent == Inbox", yes this is not
very common.

I personally have rules that tag outgoing mail into non-default Fcc
folders, replies are moved there too, and correct threading is expected.

Still, clearly this will do only modest harm if any for some sets of users.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread mouss
M. Fioretti wrote:
> On Sun, Feb 08, 2009 18:22:17 PM +0100, mouss wrote:
>>> I mean replacing or deleting already set Message-Id headers. And
>>> it will break MUA driven thread handling
>> - very few people put their Sent mail in the same folders as
>> - received mail even then, MUAs have heuristics to cope with such
>> - situations.
> 
> ??? Maybe I'm missing something, but having sent and received messages
> in the same folder is exactly what happens whenever you have a folder
> receiving or storing mailing list messages, isn't it?

No, I was referring to the "Sent" folder, populated by the MUA, either
in a local disk or using IMAP.

I am not talking about mail you get via the MTA (which is the case for
mail forwarded by a list server).

> 
> And if I participate to a thread my sent email goes right in the
> middle of many received emails and I do want to see to which ones I
> replied and who replied directly to me. Ditto for almost everybody I
> know who uses email. Why are you saying this is a rare case?
> 

under my Thunderbird, when I send a message, a copy is put in a folder
named "Sent" (actually "Envoyés" here). The messages in this folder
don't have much infos (no Received headers, no X-Spam-* headers, ... etc).

In the case of list mail, such copies are not really useful regarding
threading, since I also have the copy of my message that was remailed by
the list server. (the copies in "Sent" may be useful for other purposes).

The only case where there would be a problem is if:

(1) I configure my MUA to save copies of my "sent" mail in the same
folder(s) as received mail is stored.

_and_

(2) I use a threaded view

Note that I am not saying that it is ok to "punish" a minority of users.


Re: Virtual domains + address rewriting + transport ?

2009-02-08 Thread Wietse Venema
Tony Demark:
> Good day.
> 
> I have spent some time trying to figure out if the following  
> Postfix config is possible and am hoping for some guidance.
> 
> Short Synopsis:
> 
> I would like to move some of my virtual domains to have their email  
> hosted via a "Google for Domains" account. While there are only a  
> handful of accounts, most of the accounts have many aliases and have  
> used '-' as a recipient delimiter for years. As such, the actual  
> number of addresses is probably in the thousands. Since Google uses  
> '+' as the recipient delimiter, there is no easy way to just switch  
> the domains over. I would like to use my Postfix server to filter /  
> rewrite incoming addresses and then relay them on to Google, with my  
> server being the MX server for the domain and using a smtp "transport"  
> entry to direct the messages to the right place.

http://www.postfix.org/virtual.5.html
http://www.postfix.org/pcre_table.5.html

Wietse


Virtual domains + address rewriting + transport ?

2009-02-08 Thread Tony Demark

Good day.

I have spent some time trying to figure out if the following
Postfix config is possible and am hoping for some guidance.


Short Synopsis:

I would like to move some of my virtual domains to have their email  
hosted via a "Google for Domains" account. While there are only a  
handful of accounts, most of the accounts have many aliases and have  
used '-' as a recipient delimiter for years. As such, the actual  
number of addresses is probably in the thousands. Since Google uses  
'+' as the recipient delimiter, there is no easy way to just switch  
the domains over. I would like to use my Postfix server to filter /  
rewrite incoming addresses and then relay them on to Google, with my  
server being the MX server for the domain and using a smtp "transport"  
entry to direct the messages to the right place.


Long Synopsis:

I currently have several virtual domains setup similar to:

example.com             example.com
m...@example.com        lastname1
f...@example.com        lastname1
b...@example.com        lastname1
b...@example.com        lastname2
b...@example.com        lastname3

where my aliases are like:

lastname1   /var/boxes/lastname1/
lastname2   lastna...@example.org
lastname3   /var/boxes/lastname3/, lastna...@example.org

Since my recipient_delimiter is set to '-', this allows emails
addressed to:


me-...@example.com
bill-baz-...@example.com

to get to the right account.

I am trying to get rid of all local delivery and have this machine
just act as a gateway that does some basic address filtering and routes
the email to the new email server (Google for Domains). For example,
this server would know that 'm...@example.com', 'f...@example.com',
'b...@example.com', and 'me-anyth...@example.com' should all be relayed
to 'lastna...@example.com' at Google.


While I realize this doesn't work, imagine that I updated aliases to:

lastname1   lastna...@example.com

and make a transport entry:

example.com smtp:[newserver.example.google.com]

and you hopefully can get an idea of what I am trying to do.

Is something like this possible with Postfix?

Thanks.


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread M. Fioretti
On Sun, Feb 08, 2009 18:22:17 PM +0100, mouss wrote:
> > I mean replacing or deleting already set Message-Id headers. And
> > it will break MUA driven thread handling
> 
> - very few people put their Sent mail in the same folders as
> - received mail even then, MUAs have heuristics to cope with such
> - situations.

??? Maybe I'm missing something, but having sent and received messages
in the same folder is exactly what happens whenever you have a folder
receiving or storing mailing list messages, isn't it?

And if I participate to a thread my sent email goes right in the
middle of many received emails and I do want to see to which ones I
replied and who replied directly to me. Ditto for almost everybody I
know who uses email. Why are you saying this is a rare case?

Thanks,
Marco
-- 
Your own civil rights and the quality of your life heavily depend on how
software is used *around* you:http://digifreedom.net/node/84


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Sahil Tandon

On Feb 8, 2009, at 1:02 PM, mouss wrote:

> Victor Duchovni wrote:
>> On Sun, Feb 08, 2009 at 06:22:17PM +0100, mouss wrote:
>>
>>>> I mean replacing or deleting already set Message-Id headers. And it will
>>>> break MUA driven thread handling
>>> - very few people put their Sent mail in the same folders as received mail
>>> - even then, MUAs have heuristics to cope with such situations.
>>
>> Why break message-id threading for those (few) people?
>
> it would be interesting to see if that would break. I may test with a
> few MUAs.
>
> As for the argument, the common one I heard is "hiding internal
> information". sure, this is not a very satisfactory argument. but if a
> customer says so and they "have no users who use a threaded view", I can
> hardly find a counter-argument.


Exactly.

Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Sahil Tandon
On Feb 8, 2009, at 12:01 PM, Bastian Blank wrote:

> On Sun, Feb 08, 2009 at 11:13:53AM -0500, Sahil Tandon wrote:
>> On Sun, 08 Feb 2009, Bastian Blank wrote:
>>> Yes. It will break the complete mail handling of the client. _Never_
>>> ever touch a message id.
>> Do explain how adding/replacing a valid Message-ID only to submitted mail
>> will "break the complete mail handling of the client".
>
> I mean replacing or deleting already set Message-Id headers. And it will
> break MUA driven thread handling and similar things which is based on
> the original submitted ID.
>
>> And how do you
>> reconcile your last sentence with section 8.3 of RFC 4409?
>
> Please read the RFC again. This sentence only speaks about _adding_ this
> header, not about replacing or deleting it. There is however no other
> point which allows arbitrary modifications to the messages.


There *is* mention of replacing and the replacing is not arbitrary.   
The breaking of threading is interesting but  irrelevant in my  
particular case.  Thanks everyone for the input.


- Sahil


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread mouss
Victor Duchovni wrote:
> On Sun, Feb 08, 2009 at 06:22:17PM +0100, mouss wrote:
> 
>>> I mean replacing or deleting already set Message-Id headers. And it will
>>> break MUA driven thread handling 
>> - very few people put their Sent mail in the same folders as received mail
>> - even then, MUAs have heuristics to cope with such situations.
> 
> Why break message-id threading for those (few) people?
> 

it would be interesting to see if that would break. I may test with a
few MUAs.

As for the argument, the common one I heard is "hiding internal
information". sure, this is not a very satisfactory argument. but if a
customer says so and they "have no users who use a threaded view", I can
hardly find a counter-argument.


Re: postfix blocking yahoo and gmail

2009-02-08 Thread Victor Duchovni
On Sun, Feb 08, 2009 at 03:37:20PM +0800, jan gestre wrote:

> On Sun, Feb 8, 2009 at 3:05 PM, Victor Duchovni
>  wrote:
> > On Sun, Feb 08, 2009 at 02:55:28PM +0800, jan gestre wrote:
> >
> >> Where is the best place to put the DNS caching resolver? in the NAT
> >> device? or in the Mail Server itself?
> >
> > What kind of NAT device is this? Is it capable of running a non-forwarding
> > DNS cache? If the cache in question has sufficiently good port
> > randomization, by all means run on the NAT device, otherwise run it
> > on the Postfix server, and hope the NAT device port selection is not
> > too predictable.
> >
> 
> It's a lightweight FreeBSD based firewall called "pfSense", it also
> has an installable TinyDNS package.

TinyDNS is an authoritative DNS server, you need a cache, is Dnscache
also available? If so, that would be perfect, otherwise, you just
install a DNS cache on your Postfix server. See:

http://forum.pfsense.org/index.php?topic=10431.0

Anyway, this question is best asked on the pfSense lists, I know nothing
more about this than what Google turns up...

http://www.google.com/search?q=pfSense+Kaminsky+DNS

-- 
Viktor.



Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Victor Duchovni
On Sun, Feb 08, 2009 at 06:22:17PM +0100, mouss wrote:

> > I mean replacing or deleting already set Message-Id headers. And it will
> > break MUA driven thread handling 
> 
> - very few people put their Sent mail in the same folders as received mail
> - even then, MUAs have heuristics to cope with such situations.

Why break message-id threading for those (few) people?

-- 
Viktor.



Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread rafa

mouss wrote:

> and if a spam filter blocks/discards/quarantines mail because of this,
> it is the filter that should be blamed.



I use this setup for detecting Backscatter. Until now without problems, 
but it's difficult to know.


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread mouss
Bastian Blank wrote:
> On Sun, Feb 08, 2009 at 11:13:53AM -0500, Sahil Tandon wrote:
>> On Sun, 08 Feb 2009, Bastian Blank wrote:
>>> Yes. It will break the complete mail handling of the client. _Never_
>>> ever touch a message id.
>> Do explain how adding/replacing a valid Message-ID only to submitted mail 
>> will "break the complete mail handling of the client".
> 
> I mean replacing or deleting already set Message-Id headers. And it will
> break MUA driven thread handling 

- very few people put their Sent mail in the same folders as received mail
- even then, MUAs have heuristics to cope with such situations.

> and similar things which is based on
> the original submitted ID.
> 

other than spam filters that try to detect forged mail, the original
message-id, if replaced by the MSA, is irrelevant.

and if a spam filter blocks/discards/quarantines mail because of this,
it is the filter that should be blamed.

after all, the practice of hiding private infos is not new. whether it
is called "security by obscurity" or "an additional layer of security",
it's there.

I might give this a try and see what happens...

>> And how do you
>> reconcile your last sentence with section 8.3 of RFC 4409?
> 
> Please read the RFC again. This sentence only speaks about _adding_ this
> header, not about replacing or deleting it. There is however no other
> point which allows arbitrary modifications to the messages.
> 

correction: The rfc speaks about _replacing_ the message-id if it is
malformed. (and what Sahil wants to do is replace the MUA generated
message-id with one generated by postfix).

while this doesn't say anything about replacing a well formed
message-id, it indirectly acknowledges the fact that message-id's may be
replaced. and such things do happen.

In case you missed it: Sahil wants to _replace_ the message-id generated
by the MUA by one generated by postfix. He uses the fact that postfix
will add a message-id if one is missing.



Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Bastian Blank
On Sun, Feb 08, 2009 at 11:13:53AM -0500, Sahil Tandon wrote:
> On Sun, 08 Feb 2009, Bastian Blank wrote:
> > Yes. It will break the complete mail handling of the client. _Never_
> > ever touch a message id.
> Do explain how adding/replacing a valid Message-ID only to submitted mail 
> will "break the complete mail handling of the client".

I mean replacing or deleting already set Message-Id headers. And it will
break MUA driven thread handling and similar things which are based on
the original submitted ID.

> And how do you
> reconcile your last sentence with section 8.3 of RFC 4409?

Please read the RFC again. This sentence only speaks about _adding_ this
header, not about replacing or deleting it. There is however no other
point which allows arbitrary modifications to the messages.

Bastian

-- 
If a man had a child who'd gone anti-social, killed perhaps, he'd still
tend to protect that child.
-- McCoy, "The Ultimate Computer", stardate 4731.3


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Sahil Tandon
On Sun, 08 Feb 2009, Bastian Blank wrote:

> On Sun, Feb 08, 2009 at 03:38:22AM -0500, Sahil Tandon wrote:
> > This works as I'd expect, but will it break anything else?
> 
> Yes. It will break the complete mail handling of the client. _Never_
> ever touch a message id.

Do explain how adding/replacing a valid Message-ID only to submitted mail 
will "break the complete mail handling of the client".  And how do you
reconcile your last sentence with section 8.3 of RFC 4409?

-- 
Sahil Tandon 


Re: problem with virtual domains and mailman

2009-02-08 Thread mouss
Göran Höglund wrote:
> Hi
> Sorry my fault! I did change the original listname and made an error in
> the snippet.
> Here is the correct error log:
> Feb  8 13:06:05 apollo postfix/smtpd[12115]: NOQUEUE: reject: RCPT from
> unknown[172.16.254.4]: 550 5.1.1 : Recipient
> address rejected: User unknown in virtual mailbox table;
> from= to= proto=ESMTP
> helo=<[192.168.0.4]>
> 
> And my alias file looks as below. It seems as if Postfix ignores this
> alias file or do I need to define a mailbox for the list, I have lost
> track here.
> 

alias_maps is only used for local domains (domains listed in
mydestination). but telemar.se is listed in virtual_mailbox_maps.

if you want to use alias_maps, you need to use virtual_alias_maps to
pass the addresses to a domain that is listed in mydestination
(localhost?). note that virtual won't execute commands, so you can't
simply put your aliases in virtual_alias_maps. you need a two-steps
process (first to pass mail to a local domain, and then use alias_maps
to exec mailman).

a better idea is to use a dedicated domain, say lists.telemar.se. you
can then simply list this domain in mydestination, and alias_maps will
do the rest.




Re: problem with virtual domains and mailman

2009-02-08 Thread Göran Höglund

Hi
Sorry my fault! I did change the original listname and made an error in 
the snippet.

Here is the correct error log:
Feb  8 13:06:05 apollo postfix/smtpd[12115]: NOQUEUE: reject: RCPT from 
unknown[172.16.254.4]: 550 5.1.1 : Recipient 
address rejected: User unknown in virtual mailbox table; 
from= to= proto=ESMTP 
helo=<[192.168.0.4]>


And my alias file looks as below. It seems as if Postfix ignores this 
alias file or do I need to define a mailbox for the list, I have lost 
track here.


/GH


mouss wrote:
> Göran Höglund wrote:
>> [snip]
>>
>> Feb  8 11:34:11 apollo postfix/smtpd[11557]: NOQUEUE: reject: RCPT from
>> unknown[172.16.254.4]: 550 5.1.1 : Recipient address
>> rejected: User unknown in virtual mailbox table; from=
>> to= proto=ESMTP helo=<[192.168.0.4]>
>>
>> [snip]
>> test_all: "|/usr/local/mailman/mail/mailman post test_all"
>> [snip]
>>
>> Anyone out there who might tell me what I have done wrong??
>> regards Göran
>
> test-all != test_all




Re: problem with virtual domains and mailman

2009-02-08 Thread mouss
Göran Höglund wrote:
> [snip]
> 
> Feb  8 11:34:11 apollo postfix/smtpd[11557]: NOQUEUE: reject: RCPT from
> unknown[172.16.254.4]: 550 5.1.1 : Recipient address
> rejected: User unknown in virtual mailbox table; from=
> to= proto=ESMTP helo=<[192.168.0.4]>
> 
> [snip]
> test_all: "|/usr/local/mailman/mail/mailman post test_all"
> [snip]
> 
> Anyone out there who might tell me what I have done wrong??
> regards Göran

test-all != test_all



Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread mouss
Sahil Tandon wrote:
> I have been asked to replace the MUA Message-ID of SASL senders with a
> Postfix-generated ID.  The Message-ID of incoming mail which arrives via the
> same Postfix instance, but does not originate from a SASL authenticated
> sender, should not be touched. The submission service runs on port 587.  Are 
> there any unintended consequences with (or more efficient alternatives to)
> the following implementation?
> 
> In master.cf:
> 
> - create cleanup clone called "special" with its own header_checks setting.
> - add "-o cleanup_service_name=special" under the submission service
> 
> In header_checks.submit, which is referenced by the cleanup clone:
> /^Message-/ IGNORE
> 
> This works as I'd expect, but will it break anything else?
> 

as long as you only modify "submitted" mail, it should be ok. after all,
LookOut no more generates a message-id. and the fact that the generated
message-id will differ from the one in the Sent folder is moot.

While I am in, RFC 4409, 8.3, says:

   The MSA SHOULD add or replace the 'Message-ID' field, if it lacks it,
   or it is not valid syntax (as defined by [MESSAGE-FORMAT]).  Note
   that a number of clients still do not generate Message-ID fields.




problem with virtual domains and mailman

2009-02-08 Thread Göran Höglund

Hi

I have been running a postfix/courier mailserver with virtual users and 
Maildir for a while.

Now I need to set up a mailing list and I have chosen mailman.

The installation of mailman did work well but somewhere I fail to get
the aliasing to work properly.

I get the following error log in maillog:

Feb  8 11:34:11 apollo postfix/smtpd[11557]: NOQUEUE: reject: RCPT from 
unknown[172.16.254.4]: 550 5.1.1 : Recipient address 
rejected: User unknown in virtual mailbox table; from= 
to= proto=ESMTP helo=<[192.168.0.4]>


My main.cf is configured as follows:

alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
proxy:mysql:/etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf
hash:/usr/local/mailman/data/aliases

The aliases in /usr/local/mailman/data/aliases looks like
# STANZA START: mailman
# CREATED: Thu Feb  5 17:30:26 2009
mailman: "|/usr/local/mailman/mail/mailman post mailman"
mailman-admin:   "|/usr/local/mailman/mail/mailman admin mailman"
mailman-bounces: "|/usr/local/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/usr/local/mailman/mail/mailman confirm mailman"
mailman-join:    "|/usr/local/mailman/mail/mailman join mailman"
mailman-leave:   "|/usr/local/mailman/mail/mailman leave mailman"
mailman-owner:   "|/usr/local/mailman/mail/mailman owner mailman"
mailman-request: "|/usr/local/mailman/mail/mailman request mailman"
mailman-subscribe:   "|/usr/local/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/usr/local/mailman/mail/mailman unsubscribe mailman"
# STANZA END: mailman

# STANZA START: test_all
# CREATED: Sun Feb  8 11:22:01 2009
test_all: "|/usr/local/mailman/mail/mailman post test_all"
test_all-admin:   "|/usr/local/mailman/mail/mailman admin test_all"
test_all-bounces: "|/usr/local/mailman/mail/mailman bounces test_all"
test_all-confirm: "|/usr/local/mailman/mail/mailman confirm test_all"
test_all-join:    "|/usr/local/mailman/mail/mailman join test_all"
test_all-leave:   "|/usr/local/mailman/mail/mailman leave test_all"
test_all-owner:   "|/usr/local/mailman/mail/mailman owner test_all"
test_all-request: "|/usr/local/mailman/mail/mailman request test_all"
test_all-subscribe:   "|/usr/local/mailman/mail/mailman subscribe test_all"
test_all-unsubscribe: "|/usr/local/mailman/mail/mailman unsubscribe test_all"

# STANZA END: test_all

Anyone out there who might tell me what I have done wrong??
regards Göran


Re: Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Bastian Blank
On Sun, Feb 08, 2009 at 03:38:22AM -0500, Sahil Tandon wrote:
> This works as I'd expect, but will it break anything else?

Yes. It will break the complete mail handling of the client. _Never_
ever touch a message id.

Bastian

-- 
Fascinating, a totally parochial attitude.
-- Spock, "Metamorphosis", stardate 3219.8


Re: how to know if the message is coming from an authenticated SASL session

2009-02-08 Thread nik600
On Sun, Feb 8, 2009 at 8:58 AM, Sahil Tandon  wrote:
> On Sun, 08 Feb 2009, nik600 wrote:
>
>> filter    unix  -       n       n       -       20      pipe
>>   flags=Rq user=filter argv=/var/script/my_spamc_1.5 -f
>>   ${sender} -- ${recipient}
>>
>> Is there the possibility to know in some variables like ${sender} if
>> the mail is coming from an authenticated sasl session?
>
> See pipe(8) for information on ${sasl_username} and ${sasl_sender}.
>
> --
> Sahil Tandon 
>
  ${sasl_username}
         This macro expands to the SASL user name used during the
         reception of the message. An empty string is passed if
         the message has been received without SASL authentication.

Exactly what I need!
Thanks a lot!



-- 
/*/
nik600
http://www.kumbe.it


Replacing Message-Id for SASL authenticated senders

2009-02-08 Thread Sahil Tandon
I have been asked to replace the MUA Message-ID of SASL senders with a
Postfix-generated ID.  The Message-ID of incoming mail which arrives via the
same Postfix instance, but does not originate from a SASL authenticated
sender, should not be touched. The submission service runs on port 587.  Are 
there any unintended consequences with (or more efficient alternatives to)
the following implementation?

In master.cf:

- create cleanup clone called "special" with its own header_checks setting.
- add "-o cleanup_service_name=special" under the submission service

In header_checks.submit, which is referenced by the cleanup clone:
/^Message-/ IGNORE

This works as I'd expect, but will it break anything else?

-- 
Sahil Tandon
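
An added example, not part of the original post and not Postfix code: a small Python model of the cleanup clone described above, run over a constructed submission message, to show which headers the post's rule `/^Message-/ IGNORE` removes compared with a narrower `/^Message-ID:/`. The narrower pattern, the sample message, the `submit` helper and the hostname `mail.example.com` are assumptions made for illustration; the generated ID is a stand-in, not Postfix's format.

```python
import re
from email import message_from_string
from email.utils import make_msgid

# Constructed sample of a message arriving on the submission port.
SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Message-ID: <4989A1B2.3040@alice-laptop.corp.internal>\n"
    "Message-Context: voice-message\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# regexp tables match case-insensitively by default, hence re.I.
POST_PATTERN = re.compile(r"^Message-", re.I)        # rule from the post
NARROW_PATTERN = re.compile(r"^Message-ID:", re.I)   # assumption: tighter rule


def submit(raw, pattern, myhostname="mail.example.com"):
    """Model the cleanup clone: IGNORE matching headers, then add a
    Message-ID if none is left. Returns (message, dropped header names)."""
    msg = message_from_string(raw)
    # header_checks sees each logical header as "Name: value".
    dropped = [n for n, v in msg.items() if pattern.search(f"{n}: {v}")]
    for name in dropped:
        del msg[name]
    if "Message-ID" not in msg:
        # Stand-in for the ID Postfix generates; format is not Postfix's.
        msg["Message-ID"] = make_msgid(domain=myhostname)
    return msg, dropped


if __name__ == "__main__":
    for label, pat in (("post", POST_PATTERN), ("narrow", NARROW_PATTERN)):
        msg, dropped = submit(SAMPLE, pat)
        print(label, "dropped:", dropped, "new id:", msg["Message-ID"])
```

In both runs the client's internal hostname no longer appears in the Message-ID; only the post's pattern also removes the constructed Message-Context header.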