Re: holding mail for recipient

2009-02-12 Thread Christoph Erdle

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 12.02.2009 at 18:02, Noel Jones wrote:


Christoph Erdle wrote:
I want to hold mails for a specific recipient which is an alias to  
multiple addresses so admin interaction is required to send to this  
alias. Problem is that the mail is now held twice (following is the  
output of mailq and releasing the message):


Feb 12 12:40:08 [postfix/smtpd] NOQUEUE: hold: RCPT from  
localhost[127.0.0.1]: : Recipient address  
testing hold with alias; from= to=> proto=ESMTP helo=


Your reinjection postfix listener (defined in master.cf) is using  
the same access map.  See the README.postfix included with amavisd- 
new for suggested master.cf entries, or at a minimum add the  
following to your master.cf listener entry.


Thanks for your hint, I adapted master.cf to have the reinjection  
smtpd meet my needs, working like a charm.


Chris


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmVGucACgkQqqYbNmv9eYm8bQCfYTr+1bmkVFIAoUxgfBnLRpRk
Zu0An1NwpyiOui/eF4sZhVfxGo8MORHs
=0zSm
-----END PGP SIGNATURE-----


Re: Add X-Envelope From/To into incoming mail

2009-02-12 Thread Sahil Tandon
On Thu, 12 Feb 2009, Petr Hudeček wrote:

> I need add X-Envelope From: and X-Envelope To: into incoming mail from
> envelope mail, no from head mail! I use Postfix and procmail. Can you help
> me, please?

Would Return-Path: and X-Original-To: suffice?  Postfix adds these headers by
default.

-- 
Sahil Tandon 


How disk I/O affect postfix performance ?

2009-02-12 Thread Yu (Irvin) Fan
Hi,

We're building a box to run two postfix instances to receive and send high
volume of emails. According to the documentation it's better to run the two
instances on separate disks for performance reason. I'm trying to understand
how exactly does the disk I/O affect the postfix performance? By speed
(bytes per second) or activities (# of read/write per second)?

Let's say I have two hard disks. If I make a RAID0 array out of the two
disks the overall speed is twice as the speed of a single drive (I know it's
not exact twice the speed. just simplify it for discussion). If the postfix
performance depends on the disk speed then running two instances on two
separate disks or running two instances on one RAID0 array should not make
big difference, right? But if it depends on disk activities then running on
two separate disks is definitely better. I know no matter which case using
two disks is the choice. But if I have other reason to use RAID0 I just want
to know how much performance I lost in postfix?

Thanks

-Irvin


Re: rbl clients.

2009-02-12 Thread Paweł Leśniak

Victor Duchovni wrote:

On Thu, Feb 12, 2009 at 02:02:03PM -0500, Linux Addict wrote:

  

Please see below my smtpd_recipient_restrictions. On my rbl client list I
have multiple entries, but not sure how many of them actually maintained. Is
there one single place where I can find such a list. Any help is greatly
appreciated.



Replace all of them with just:

reject_rbl_client zen.spamhaus.org

If this still leaves you with way too much junk to filter with a content
filter, and you can afford to be more aggressive, add just

reject_rbl_client bl.spamcop.net

avoid all the rest, especially the ones long dead.

Make sure your DNS cache is not using an ISP upstream forwarder.

If your traffic is high enough, buy a SpamHaus data feed.
  

On my server I get following results in logs (last 4 days):
$ ~/dnsblcount /var/log/mail.1
zen.spamhaus.org                           3438
ips.backscatterer.org                        98
hostkarma.junkemailfilter.com=127.0.0.2      28
bl.spamcannibal.org                          17
cbl.abuseat.org                               3
===============================================
Total DNSBL rejections:                    3584

$ ~/dnsblcount /var/log/mail.2
zen.spamhaus.org                           6938
ips.backscatterer.org                       115
hostkarma.junkemailfilter.com=127.0.0.2      67
t1.dnsbl.net.au                              33
bl.spamcannibal.org                          13
dnsbl-1.uceprotect.net                        3
bl.spamcop.net                                2
===============================================
Total DNSBL rejections:                    7171

$ ~/dnsblcount /var/log/mail.3
zen.spamhaus.org                          10810
hostkarma.junkemailfilter.com=127.0.0.2     164
ips.backscatterer.org                        80
bl.spamcannibal.org                          24
dnsbl.njabl.org                               7
dnsbl-1.uceprotect.net                        4
cbl.abuseat.org                               2
===============================================
Total DNSBL rejections:                   11091

$ ~/dnsblcount /var/log/mail.4
zen.spamhaus.org                          10875
hostkarma.junkemailfilter.com=127.0.0.2      98
bl.spamcannibal.org                          25
ips.backscatterer.org                        10
dnsbl.njabl.org                               2
cbl.abuseat.org                               1
===============================================
Total DNSBL rejections:                   11011


As you can see cbl.abuseat.org which is included in zen.spamhaus.org 
gives some more results than zen (actually it's simple - update takes 
some time).

backscatterer and spamcannibal are used only for <> and postmaster senders.
dnsbl-1.uceprotect.net gave me only false positives so it's turned off now.
I'm also using t1.dnsbl.net.au and bl.spamcop.net (this one I've got 
right after zen.spamhaus) - no results in last 4 days, but still testing.
I have a total of ~5-20k SMTP sessions per day which get to rbl tests. 
So after testing zen.spamhaus.org it's about 1 to 10k tests left to be 
done. And while I have local dns server it's even smaller number of DNS 
checks with BLs). I think that most of people here will say that it's 
(at least) stupid to have only ~0.1% more spams filtered with one more 
rbl check (with that low SMTP traffic).


Anyways before rejecting mails with any BL (besides those really "well 
known", like the two Victor gave), check if those won't give you too 
many false positives.


I'd also recommend to lower smtpd_recipient_limit from 300 to some 
reasonable amount, unless you really use that "large" bulk mailings.



Pawel




No virtual alias with different cleanup for submission service

2009-02-12 Thread rafa

Hello everyone,

I created a second cleanup for the submission service to have separate
header checks from incoming emails.

cleanup-out   unix  n   -   -   -   0   cleanup
-o header_checks=pcre:/etc/postfix/header_checks-out
-o body_checks=pcre:/etc/postfix/body_checks-out
-o mime_checks=pcre:/etc/postfix/mime_checks-out

After this change the recipients that have a virtual alias to an
external host or another virtual domain (gmail.com in the example) stop
working for mail submitted via the submission service; mail received
via port 25 flows as before.

The only change was in the submission service

Virtual user t...@riovia.com has virtual alias to t...@riovia.com and
remo...@gmail.com


pcre:/etc/postfix/header_checks-out:
---
/^Message-ID:.*/  IGNORE
/^Disposition-Notification-To/ IGNORE

pcre:/etc/postfix/body_checks-out
pcre:/etc/postfix/mime_checks-out
are empty files

Nevertheless the same happens also if
/etc/postfix/header_checks-out
is an empty file

Postfix 2.3.8 Debian Etch.


Original submission service:
---

submission inet n  -   -   -   -   smtpd
-o smtpd_etrn_restrictions=reject
-o
smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
-o
smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
-o content_filter=
-o receive_override_options=no_header_body_checks
-o
smtpd_milters=unix:/clamav/clamav-milter.ctl,inet:localhost:10040
-o milter_default_action=accept
-o smtpd_discard_ehlo_keywords=silent-discard,8bitmime,etrn,dsn
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
#-o cleanup_service_name=cleanup-out


Modified submission service:
---

submission inet n  -   -   -   -   smtpd
-o smtpd_etrn_restrictions=reject
-o
smtpd_sender_restrictions=permit_mynetworks,reject_sender_login_mismatch
-o
smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
-o content_filter=
#-o receive_override_options=no_header_body_checks
-o
smtpd_milters=unix:/clamav/clamav-milter.ctl,inet:localhost:10040
-o milter_default_action=accept
-o smtpd_discard_ehlo_keywords=silent-discard,8bitmime,etrn,dsn
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o cleanup_service_name=cleanup-out



postconf -n:
---

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
bounce_size_limit = 1
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 1h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 31457280
mime_header_checks = pcre:/etc/postfix/mime_checks
minimal_backoff_time = 300
mydestination = localhost
myhostname = farallon.riovia.com
mynetworks = 127.0.0.0/8 xxx.xxx.xxx.xxx
myorigin = /etc/mailname
notify_classes = 2bounce, resource, software, delay
proxy_read_maps = $local_recipient_maps $mydestination
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains
$canonical_maps $sender_canonical_maps $recipient_canonical_maps
$relocated_maps $transport_maps $mynetworks $recipient_bcc_maps
$smtpd_sender_login_maps
queue_run_delay = 300
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
receive_override_options = no_address_mappings
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql-recipient_bcc.cf
proxy:mysql:/etc/postfix/mysql-vacation_bcc.cf
recipient_delimiter = +
relayhost =
show_user_unknown_table_name = no
smtp_helo_name = farallon.riovia.com
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/postfix/smtpd.cert
smtp_tls_key_file = /etc/postfix/smtpd.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
smtp_use_tls = yes
smtpd_banner = farallon.riovia.com ESMTP Postfix
smtpd_data_restrictions = reject_unauth_pipelining permit_mynetworks
warn_if_reject check_sender_access hash:/etc/postfix/check_backscatterer
smtpd_discard_ehlo_keywords = silent-discard, etrn, dsn
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated reject_unauth_destination check_client_access
pcre:/etc/postfix/dynamic_ip_clients.pcre reject_unlisted_recipient
check_client_access cidr:/etc/postfix/postfix-dnswl-permit
check_client_access cidr:/etc/postfix/postix-riovia-permit
check_client_access pcre:/etc/postfix/client_riovia_permit.pcre
check_helo_access hash:/etc/postfix/helo_checks
reject_invalid_helo_hostn

Re: rbl clients.

2009-02-12 Thread mouss
Rik wrote:
> On Thu, 2009-02-12 at 14:07 -0500, Victor Duchovni wrote:
>> On Thu, Feb 12, 2009 at 02:02:03PM -0500, Linux Addict wrote:
>>
>>> Please see below my smtpd_recipient_restrictions. On my rbl client list I
>>> have multiple entries, but not sure how many of them actually maintained. Is
>>> there one single place where I can find such a list. Any help is greatly
>>> appreciated.
>> Replace all of them with just:
>>
>>  reject_rbl_client zen.spamhaus.org
>>
>> If this still leaves you with way too much junk to filter with a content
>> filter, and you can afford to be more aggressive, add just
>>
>>  reject_rbl_client bl.spamcop.net
>>
>> avoid all the rest, especially the ones long dead.
>>
>> Make sure your DNS cache is not using an ISP upstream forwarder.
>>
>> If your traffic is high enough, buy a SpamHaus data feed.
>>
> Currently this is free too:
> 
> b.barracudacentral.org
> 

this hits legitimate sites. I use this in SA, but not in postfix except
for suspicious mail. They will have to learn that spam forwarded to a
consenting user should not result in banning the forwarder IP.
otherwise, they can start by listing all spam filtering services that
tag and forward...

note that you need to subscribe to use the zone name above. if you don't
want to subscribe, add a leading 'b':
bb.barracudacentral.org

> [snip]



Re: recipient_delimiter and virtual users

2009-02-12 Thread mouss
post...@corwyn.net wrote:
> [snip]
> 
> So while recipient_delimited works "out of the box" it doesn't quite do
> what I want (hence why I provided not only what wasn't working, but a
> detailed explanation of what I wanted to solve.)
> 

but you didn't talk about folders in your post, did you? you simply said
that mail failed with "unknown recipient".

>[snip]
> 
> Off to go see if I can find a "better" way with dovecot. Thanks.
> 

if you run dovecot with -m ${extension} it will use the extension as the
folder name. if you don't use -n, it will also create the folder.


Re: rbl clients.

2009-02-12 Thread Rik

On Thu, 2009-02-12 at 14:07 -0500, Victor Duchovni wrote:
> On Thu, Feb 12, 2009 at 02:02:03PM -0500, Linux Addict wrote:
> 
> > Please see below my smtpd_recipient_restrictions. On my rbl client list I
> > have multiple entries, but not sure how many of them actually maintained. Is
> > there one single place where I can find such a list. Any help is greatly
> > appreciated.
> 
> Replace all of them with just:
> 
>   reject_rbl_client zen.spamhaus.org
> 
> If this still leaves you with way too much junk to filter with a content
> filter, and you can afford to be more aggressive, add just
> 
>   reject_rbl_client bl.spamcop.net
> 
> avoid all the rest, especially the ones long dead.
> 
> Make sure your DNS cache is not using an ISP upstream forwarder.
> 
> If your traffic is high enough, buy a SpamHaus data feed.
> 
Currently this is free too:

b.barracudacentral.org

It's used in the Barracuda Spam Firewalls as the default 'reputation'
filter. I find it kills more than zen myself, and they have a UK based
support operation that deals with false positives that you can *call* on
the phone and get a sensible answer from.

However, respect nonetheless to Spamhaus for what they have done.

Ironically the growth of the Barracuda List has largely come from
Spamhaus shooting themselves in the foot trying to charge Barracuda
owners for a feed. My guess, however, is Barracuda will eventually
charge too - but at this time it is completely free. They do ask for
registration but the truth is it works fine without it.

Test it before deployment like this (from a recent spammer at
188.16.211.205):

dig 205.211.16.188.b.barracudacentral.org

Presence of the answer section in the typical 127.0.0.X indicates
positive - just like the other RBLs.
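Two things from this thread are easy to get subtly wrong: building the reversed-octet query name that `dig` is given, and reading the answer (127.0.0.x means listed; anything else usually means the zone itself has a problem, which is how long-dead lists come to "list" the whole internet). The following is an added example, not code from any poster; it also reproduces the gist of the `~/dnsblcount` tally shown earlier in the thread by counting `blocked using <zone>` rejections in smtpd log lines. The log lines are constructed with documentation addresses, and the exact log wording is assumed from what Postfix's reject_rbl_client emits.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Postfix smtpd log lines (documentation addresses, not any poster's logs).
SAMPLE_LOG = """\
Feb 12 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<x>
Feb 12 10:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<c@example.net> to=<b@example.org> proto=ESMTP helo=<y>
Feb 12 10:02:11 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using bl.spamcop.net; from=<d@example.net> to=<b@example.org> proto=ESMTP helo=<z>
Feb 12 10:03:00 mx postfix/smtpd[1240]: connect from mail.example.com[192.0.2.50]
Feb 12 10:03:01 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org; from=<e@example.net> to=<b@example.org> proto=ESMTP helo=<w>
"""

# Zone name as reported in a reject_rbl_client rejection (format assumed from Postfix's reply text).
BLOCKED_USING = re.compile(r"NOQUEUE: reject: .*blocked using (?P<zone>[^;\s]+);")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone (what `dig` is given)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are built here")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def classify_answer(answers):
    """Interpret the A records returned for a DNSBL query.

    'listed'     : at least one answer and all of them are 127.0.0.x
    'clean'      : no answer at all (NXDOMAIN)
    'unexpected' : answers outside 127/8, which points at a broken or
                   decommissioned zone rather than a real listing
    """
    if not answers:
        return "clean"
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.ip_address(a) in loopback for a in answers):
        return "listed"
    return "unexpected"


def count_dnsbl_rejections(lines):
    """Tally reject_rbl_client rejections per zone, like the dnsblcount output in the thread."""
    counts = Counter()
    for line in lines:
        m = BLOCKED_USING.search(line)
        if m:
            counts[m.group("zone")] += 1
    return counts


def report(lines):
    """Print a per-zone table plus the total and return the tally."""
    counts = count_dnsbl_rejections(lines)
    for zone, n in counts.most_common():
        print(f"{zone:45} {n:6d}")
    print(f"{'Total DNSBL rejections:':45} {sum(counts.values()):6d}")
    return counts


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))
    report(SAMPLE_LOG.splitlines())
```

Run it against `/var/log/mail.log` (one line per element of `lines`) to see which of the configured zones actually contribute rejections; a zone that never appears in the tally is costing a DNS round trip per session for nothing, and one whose answers classify as "unexpected" should be removed before it rejects everything.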




Re: Redirect all mail from one domain to the same u...@otherdomain?

2009-02-12 Thread Jeff Weinberger

Mouss wrote:

Jeff Weinberger wrote:
> [snip]
>
> This is helpful, but I still need the query to take all the other
> alias domains into account. So, I need the IF condition, or a
> second map.

>

I don't think so. I used this. I don't remember the details, but the
idea is that you can often get rid of flow control (if, ...) using
additional tables.


Thanks - yes, additional tables, maps, etc. would make the sql coding  
far simpler.




> Thank you for your help...it's informative as always!
>
> if the wildcard alias will produce the result I need then this is
> resolved.
>

@example.org @example.com

works, but smtpd will accept mail to anyth...@...
(virtual_alias_maps are used for recipient validation during the smtp
transaction). if all addresses are valid (catchall or whatever), this
is ok. otherwise, it's bad. in any case, you must make sure that mail
isn't bounced after it is accepted (queued). This is what happens by
default (after virtual alias expansion, a delivery error occurs, and an
NDR is generated).


Thank you - this will work well. I'll use a catchall mailbox to make  
sure that I don't generate an NDR.


thanks for your help!





Re: filtering mail

2009-02-12 Thread Peter Blair
Including every solicited bulk email.  They usually create unique
bounce addresses to track dead target mailboxes etc.

On Wed, Feb 11, 2009 at 9:30 AM, Michael Katz
 wrote:
> Ilo Lorusso wrote:
>> Hi
>>
>>
>> is their a way I can reject messages when its from address does not
>> match the envelope from address?
>
> Doing that will drop tons of legit email.
>
> Mike Katz
> http://messagepartners.com
>
>>
>> using postfix ofcourse
>>
>>
>> Thanks
>>
>> Regards
>>
>>
>> Ilo
>>
>>
>>
>
>


Re: rbl clients.

2009-02-12 Thread Peter Blair
http://stats.dnsbl.com/

As victor said, ZEN is usually enough for most people, but it's always
good to know why you're not using the rest.

On Thu, Feb 12, 2009 at 2:02 PM, Linux Addict  wrote:
> Please see below my smtpd_recipient_restrictions. On my rbl client list I
> have multiple entries, but not sure how many of them actually maintained. Is
> there one single place where I can find such a list. Any help is greatly
> appreciated.
>
> smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
>   reject_invalid_hostname, permit
> smtpd_recipient_limit = 300
> smtpd_recipient_restrictions = permit_mynetworks,
>  permit_sasl_authenticated,reject_unauth_destination,
>  reject_invalid_hostname,reject_unauth_pipelining,
>  reject_non_fqdn_sender,reject_unknown_sender_domain,
>  reject_non_fqdn_recipient,reject_unknown_recipient_domain,
>  reject_rbl_client blackholes.easynet.nl,reject_rbl_client
> cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
>  reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
>  reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
>  reject_rbl_client multihop.dsbl.org,permit
>
> ~LA


Re: virtual_alias_maps against local_recipient_maps

2009-02-12 Thread Noel Jones

jakjr wrote:

Hello,

Is there a way to check the result of an iteration (email address) on
virtual_alias_maps (cleanup) against the local_recipient_maps (smtp)?

Best Regards

Jakjr



No.  If you describe your problem maybe someone can give some 
helpful suggestions.


 -- Noel Jones


Re: how to accept some addresses but relay the rest?

2009-02-12 Thread Wietse Venema
Andy Spiegl:
> But I couldn't get it to work.  I set:
> 
>  smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, 
> hash:/etc/postfix/recipient_access

Meaning: do not examine the access map if the client is in mynetworks.

Wietse



Re: recipient_delimiter and virtual users

2009-02-12 Thread postfix

At 12:47 PM 2/12/2009, Victor Duchovni wrote:

On Thu, Feb 12, 2009 at 12:33:57PM -0500, post...@corwyn.net wrote:

> At 04:28 AM 2/12/2009, mouss wrote:
>> recipient_delimiter works "out of the box". there is no need to change
>> your tables, your sql statements nor add users.
This is up to your LDA. No LDA bundled with Postfix understands "folders".


So while recipient_delimited works "out of the box" it doesn't quite 
do what I want (hence why I provided not only what wasn't working, 
but a detailed explanation of what I wanted to solve.)



These issues are dealt with by Mailstore aware delivery agents, not
the MTA. Deploy a delivery agent that co-operates with your mailstore
(Cyrus, Dovecot, ...). Postfix will pass the address and extension to
the delivery agent.


Thank you, that answers that recipient_delimiter alone will not 
solve the thing I want it to.


Well, I tinkered with it for a while, and  changed 
mysql_virtual_user_maps SQL to:
query = select
    if(instr('%s','+'),
       concat(maildir,'Maildir/.',mid('%s',instr('%s','+')+1,instr('%s','@') - instr('%s','+')-1),'/'),
       CONCAT(maildir,'Maildir/'))
    from mailbox
    where username=if(instr('%s','+'),
                      concat(left('%s',instr('%s','+')-1),right('%s',length('%s') - instr('%s','@')+1)),
                      '%s')
    AND active=1;


My previous sql I had managed to remove all references to the input 
address, but with recipient_delimiter, the first query to validate 
delivery is as user+...@example.com, but the second query is to 
u...@example.com, thus I no longer have available what the +foo part 
is for evaluation.



While this new SQL does permit random folders to be created on the 
drive, they're forced into the appropriate mail structure and 
everything works as per my desired solution. Mail sent to 
u...@example.com delivers to inbox, mail sent to user+...@example.com 
will deliver to the foo folder.  It doesn't exactly what I want it to 
(potential vulnerabilities aside, but everything looks like it 
escapes out properly to inhibit SQL injection issues).


Off to go see if I can find a "better" way with dovecot. Thanks.

Rick
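The behaviour Rick is working around is the lookup order Postfix uses when recipient_delimiter is set: the table is first queried with the full user+foo@example.com, then with user@example.com, so a query keyed on the bare address no longer sees the extension. The following is an added example, not code from the thread or from Postfix, that reproduces that split and lookup order in Python and then maps the extension onto a Maildir++ subfolder the way Rick's SQL does, but with the extension validated first (no path separators, no leading dot, no "..") and a fall-back to INBOX for anything else. The delimiter "+" and the "mailbox" table are assumptions taken from the thread; the table contents are constructed.

```python
import re

# Assumed main.cf setting (the thread's example uses "+").
RECIPIENT_DELIMITER = "+"

# Extensions that may become a Maildir++ folder name: no "/", no leading dot
# (which would escape the ".folder" naming convention); ".." is checked separately.
SAFE_EXTENSION = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


def split_recipient(address, delimiter=RECIPIENT_DELIMITER):
    """Split user+extension@domain into (user, extension, domain) the way Postfix does."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a user@domain address: {address!r}")
    user, sep, extension = local.partition(delimiter)
    return user, (extension if sep else ""), domain


def lookup_keys(address, delimiter=RECIPIENT_DELIMITER):
    """Keys Postfix tries, in order, for a table lookup: the full address, then without the extension."""
    user, extension, domain = split_recipient(address, delimiter)
    keys = [address]
    if extension:
        keys.append(f"{user}@{domain}")
    return keys


def maildir_folder(base_maildir, extension):
    """Map an address extension to a Maildir++ subfolder; anything unsafe goes to INBOX."""
    inbox = base_maildir.rstrip("/") + "/"
    if not extension:
        return inbox
    if not SAFE_EXTENSION.match(extension) or ".." in extension:
        return inbox  # do not let the sender pick an arbitrary path component
    return f"{inbox}.{extension}/"


def resolve_delivery(address, mailbox_table, delimiter=RECIPIENT_DELIMITER):
    """Look the address up (full form first, then bare form) and return the delivery folder."""
    _user, extension, _domain = split_recipient(address, delimiter)
    for key in lookup_keys(address, delimiter):
        if key in mailbox_table:
            return maildir_folder(mailbox_table[key], extension)
    return None  # unknown recipient


# Constructed stand-in for the "mailbox" SQL table: username -> maildir.
MAILBOXES = {"user@example.com": "/var/vmail/example.com/user/Maildir/"}

if __name__ == "__main__":
    for addr in ("user@example.com", "user+foo@example.com", "user+a/b@example.com", "nobody@example.com"):
        print(f"{addr:28} -> {resolve_delivery(addr, MAILBOXES)}")
```

The point of keeping the extension out of the SQL is that the folder decision then happens in code that can refuse bad values; in the SQL version the extension is interpolated into the path with no check beyond Postfix's own quoting of the lookup key.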



Re: rbl clients.

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 02:02:03PM -0500, Linux Addict wrote:

> Please see below my smtpd_recipient_restrictions. On my rbl client list I
> have multiple entries, but not sure how many of them actually maintained. Is
> there one single place where I can find such a list. Any help is greatly
> appreciated.

Replace all of them with just:

reject_rbl_client zen.spamhaus.org

If this still leaves you with way too much junk to filter with a content
filter, and you can afford to be more aggressive, add just

reject_rbl_client bl.spamcop.net

avoid all the rest, especially the ones long dead.

Make sure your DNS cache is not using an ISP upstream forwarder.

If your traffic is high enough, buy a SpamHaus data feed.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


rbl clients.

2009-02-12 Thread Linux Addict
Please see below my smtpd_recipient_restrictions. On my rbl client list I
have multiple entries, but not sure how many of them actually maintained. Is
there one single place where I can find such a list. Any help is greatly
appreciated.


smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
  reject_invalid_hostname, permit
smtpd_recipient_limit = 300
smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated,reject_unauth_destination,
 reject_invalid_hostname,reject_unauth_pipelining,
 reject_non_fqdn_sender,reject_unknown_sender_domain,
 reject_non_fqdn_recipient,reject_unknown_recipient_domain,
 reject_rbl_client blackholes.easynet.nl,reject_rbl_client
cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
 reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
 reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
 reject_rbl_client multihop.dsbl.org,permit


~LA


Re: how to accept some addresses but relay the rest?

2009-02-12 Thread Andy Spiegl
On 2009-02-11, 09:32, Noel Jones wrote:
> Andy Spiegl wrote:
>
>> Hm, but I don't have the list of valid recipients. :-(
>>
>> All I have is the list of valid LOCAL recipients.  Everything else
>> I have to relay to the MX of example.com...
>
> If the receiving server rejects unknown recipients during SMTP (it
> should), you can use reject_unverified_recipient and let postfix
> maintain the list of valid users for you.
It does but I can only reach it through a relayhost, so that doesn't
work.  But I just found out that it seems to work alright without
keeping a list of valid recipients.  It does what I want: locally
known addresses (in virtual) are delivered and the rest is relayed to
the smarthost without further testing.  Bingo! :-)

> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
Just out of curiosity I tried the option reject_unverified_recipient
(with a different domain where the relayhost is not necessary).
But I couldn't get it to work.  I set:

 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, 
hash:/etc/postfix/recipient_access

and recipient_access:
 example2.com reject_unverified_recipient

and I overruled the routing:
 address_verify_relayhost =

But still, postfix tries to deliver the message instead of first
probing.  Is it obvious to you what I am missing?

Thanks a lot,
 Andy.

-- 
 BAYERISCHER RUNDFUNK  |  Programmbereich Multimedia und Jugend
 Rundfunkplatz 1   |  Fon +49 (0)89 5900 16062
 D-80335 Muenchen  |  Fax +49 (0)89 5900 16120


virtual_alias_maps against local_recipient_maps

2009-02-12 Thread jakjr
Hello,

Is there a way to check the result of an iteration (email address) on
virtual_alias_maps (cleanup) against the local_recipient_maps (smtp)?

Best Regards

Jakjr


Re: recipient_delimiter and virtual users

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 12:33:57PM -0500, post...@corwyn.net wrote:

> At 04:28 AM 2/12/2009, mouss wrote:
>> recipient_delimiter works "out of the box". there is no need to change
>> your tables, your sql statements nor add users.
>
> The problem is I don't know what the "out of the box" behavior should be.
>
> If I set recipient_delimiter = + then mail to u...@example.com, 
> user+...@example.com, and user+spam all deliver to INBOX, regardless of 
> whether there is a spam or foo folder created.
>
> What I want is, without having to set filters in the client, for mail to 
> deliver to the appropriate folder.

This is up to your LDA. No LDA bundled with Postfix understands "folders".
Cyrus IMAP understands folders, and even knows that "user+foo" only
goes to folder "foo" when the folder's ACL allows anonymous "POST",
otherwise mail goes to the "Inbox".

These issues are dealt with by Mailstore aware delivery agents, not
the MTA. Deploy a delivery agent that co-operates with your mailstore
(Cyrus, Dovecot, ...). Postfix will pass the address and extension to
the delivery agent.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Wietse Venema
Victor Duchovni:
> On Thu, Feb 12, 2009 at 08:46:51AM -0700, Curtis wrote:
> 
> > Perfect.  Does the pickup command have a trigger like qmgr that I can
> > use with postkick to get the queue file picked up from the maildrop
> > queue immediately?  I'm guessing not since there's no mention of it in
> > the man page, but I thought I'd check anyway.  Or is there another way
> > to make this happen?
> 
> Yes, it does:
> 
>   # postkick public pickup W
> 
> all "public" services with a wakeup timer in master.cf support the
> "W" trigger, that's how master(8) wakes them up.
> 
> $ perl -lane '
>   $F[0] =~ /^[^#\s]/ or next;
>   $F[2] eq "n" or next;
>   $F[5] ne "-" or next;
>   print;' \
>   /etc/postfix/master.cf
> pickup    fifo  n       -       n       60      1       pickup
> qmgr      fifo  n       -       n       300     1       qmgr
> flush     unix  n       -       n       1000?   0       flush
> 
> You don't really want to wake the flush service manually, that's
> just internal house-keeping, but waking pickup(8) or qmgr(8) is fine.
> 
> I am not sure whether not documenting the pickup(8) trigger is deliberate
> or an oversight.

There is no need to publish it, since there is no need for manual
triggers. Mail will be picked up in a few seconds anyway.

Wietse


Re: recipient_delimiter and virtual users

2009-02-12 Thread postfix

At 04:28 AM 2/12/2009, mouss wrote:

recipient_delimiter works "out of the box". there is no need to change
your tables, your sql statements nor add users.


The problem is I don't know what the "out of the box" behavior should be.

If I set recipient_delimiter = + then mail to u...@example.com, 
user+...@example.com, and user+spam all deliver to INBOX, regardless 
of whether there is a spam or foo folder created.


What I want is, without having to set filters in the client, for mail 
to deliver to the appropriate folder.


What is the default behavior I should expect from recipient_delimiter 
with user+...@example.com? Should mail:

go to the default inbox always, or
go to a folder foo if it's been created and inbox otherwise
go to a folder foo if it's been created, or if the folder isn't there 
create foo and place the mail in that folder?


Once I know what it should do, it's a lot easier for me to figure out 
what's broken/misconfigured :-) and ask for help appropriately.


Thanks!

Rick





Re: holding mail for recipient

2009-02-12 Thread Noel Jones

Christoph Erdle wrote:
I want to hold mails for a specific recipient which is an alias to 
multiple addresses so admin interaction is required to send to this 
alias. Problem is that the mail is now held twice (following is the 
output of mailq and releasing the message):


Feb 12 12:40:08 [postfix/smtpd] NOQUEUE: hold: RCPT from localhost[127.0.0.1]: : Recipient address testing hold with alias; from= to= proto=ESMTP helo= 


Your reinjection postfix listener (defined in master.cf) is 
using the same access map.  See the README.postfix included 
with amavisd-new for suggested master.cf entries, or at a 
minimum add the following to your master.cf listener entry.


# master.cf
...
127.0.0.1:10025 inet  n  -   n  -   -  smtpd
(you should already have something similar to the above)
(add these entries just underneath)
   -o mynetworks=127.0.0.0/8
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject

note there is no space in "permit_mynetworks,reject".
You will probably want to add -o receive_override_options=... 
if you haven't already, and there are some other parameters 
that may be useful to you.  See the README.postfix included 
with amavisd-new for details.

http://www.ijs.si/software/amavisd/README.postfix.html

  -- Noel Jones


Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 08:46:51AM -0700, Curtis wrote:

> Perfect.  Does the pickup command have a trigger like qmgr that I can
> use with postkick to get the queue file picked up from the maildrop
> queue immediately?  I'm guessing not since there's no mention of it in
> the man page, but I thought I'd check anyway.  Or is there another way
> to make this happen?

Yes, it does:

# postkick public pickup W

all "public" services with a wakeup timer in master.cf support the
"W" trigger, that's how master(8) wakes them up.

$ perl -lane '
    $F[0] =~ /^[^#\s]/ or next;
    $F[2] eq "n" or next;
    $F[5] ne "-" or next;
    print;' \
    /etc/postfix/master.cf
pickup    fifo  n       -       n       60      1       pickup
qmgr      fifo  n       -       n       300     1       qmgr
flush     unix  n       -       n       1000?   0       flush

You don't really want to wake the flush service manually, that's
just internal house-keeping, but waking pickup(8) or qmgr(8) is fine.

I am not sure whether not documenting the pickup(8) trigger is deliberate
or an oversight.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
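Both Victor's perl one-liner (public services with a wakeup timer, i.e. the ones `postkick ... W` can wake) and Noel's reinjection-listener advice earlier in this digest come down to reading master.cf: the eight-column service line plus its indented `-o name=value` continuation lines. The following is an added example, not code from either poster or from Postfix, that parses that layout and answers both questions: which services accept the wakeup trigger, and which `-o` overrides Noel lists are missing from a 10025 reinjection listener. The master.cf excerpt is constructed; the reinjection port and the override list are taken from the thread.

```python
from dataclasses import dataclass, field

# Constructed master.cf excerpt (not any poster's file): the standard wakeup services
# plus an amavisd-style reinjection listener that overrides only some of the restrictions.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
flush     unix  n       -       n       1000?   0       flush
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""


@dataclass
class Service:
    name: str
    type: str
    private: str
    unpriv: str
    chroot: str
    wakeup: str
    maxproc: str
    command: str
    options: dict = field(default_factory=dict)  # -o name=value overrides


def parse_master_cf(text):
    """Parse master.cf into Service records; indented lines continue the previous service."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not services:
                continue
            tokens = raw.split()
            i = 0
            while i < len(tokens):
                if tokens[i] == "-o" and i + 1 < len(tokens):
                    key, _, value = tokens[i + 1].partition("=")
                    services[-1].options[key] = value
                    i += 2
                else:  # extra command arguments (e.g. pipe flags=...)
                    services[-1].command += " " + tokens[i]
                    i += 1
            continue
        fields = raw.split(None, 7)
        if len(fields) < 8:
            continue
        services.append(Service(*fields))
    return services


def wakeup_services(services):
    """Victor's filter: public services (private == n) with a wakeup timer accept `postkick <name> W`."""
    return [s.name for s in services if s.private == "n" and s.wakeup != "-"]


# Overrides Noel's reply lists for a reinjection listener.
REINJECTION_OVERRIDES = (
    "mynetworks",
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_data_restrictions",
    "smtpd_end_of_data_restrictions",
    "smtpd_recipient_restrictions",
)


def missing_reinjection_overrides(services, port="10025"):
    """For each inet smtpd listener on the given port, list the expected overrides that are absent."""
    result = {}
    for s in services:
        if s.type == "inet" and s.name.endswith(":" + port) and s.command.split()[0] == "smtpd":
            result[s.name] = sorted(k for k in REINJECTION_OVERRIDES if k not in s.options)
    return result


if __name__ == "__main__":
    svcs = parse_master_cf(SAMPLE_MASTER_CF)
    print("wakeup services:", wakeup_services(svcs))
    print("missing reinjection overrides:", missing_reinjection_overrides(svcs))
```

Any restriction parameter the listener does not override is inherited from main.cf, which is exactly how a hold or reject decision gets applied a second time to mail coming back from the content filter.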


Re: Add X-Envelope From/To into incoming mail

2009-02-12 Thread John Villalovos
On Thu, Feb 12, 2009 at 7:10 AM, Petr Hudeček  wrote:
> Hi everybody!
> I need add X-Envelope From: and X-Envelope To: into incoming mail from 
> envelope mail, no from head mail! I use Postfix and procmail. Can you help 
> me, please?

I believe by default there is an X-Original-To header which does the
same as X-Envelope-To. At least my postfix does it and I didn't do
anything to get that behaviour.


Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Curtis
On Thu, Feb 12, 2009 at 8:46 AM, Curtis  wrote:
> Perfect.  Does the pickup command have a trigger like qmgr that I can
> use with postkick to get the queue file picked up from the maildrop
> queue immediately?  I'm guessing not since there's no mention of it in
> the man page, but I thought I'd check anyway.  Or is there another way
> to make this happen?
>
> Curtis
>

Never mind... while no triggers are mentioned in the man page for
pickup, running "postkick public pickup W" does appear to do the
trick.  Sorry, I'm new to postfix... perhaps this was obvious.
Thanks for all the feedback on this thread, it was super helpful.

Curtis


Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Curtis
On Thu, Feb 12, 2009 at 7:13 AM, Victor Duchovni
 wrote:
> On Thu, Feb 12, 2009 at 06:51:20AM -0700, Curtis wrote:
>
>> So, on a box that I know has nothing else feeding into the maildrop
>> queue, it would be safe to skip the step of dropping it in the idle
>> queue of a second instance (on the same filesystem) and running
>> "postsuper -s" to get a properly named queue file?  I would, of
>> course, use a queue file name that would never be used by postfix.
>
> The queue file should be created mode 0600, owner $mail_owner, and
> changed to 0700 once the contents are fully copied into the file.
> The file-name must be alphanumeric. Postfix queue-ids only use [0-9A-F],
> so in the maildrop directory you can avoid collisions by prefixing the
> original filename with "X".

Perfect.  Does the pickup command have a trigger like qmgr that I can
use with postkick to get the queue file picked up from the maildrop
queue immediately?  I'm guessing not since there's no mention of it in
the man page, but I thought I'd check anyway.  Or is there another way
to make this happen?

Curtis


Re: Add X-Envelope From/To into incoming mail

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 07:18:56AM -0500, Wietse Venema wrote:

> /etc/postfix/sender_access:
>/(.*)/  prepend X-Envelope-From: <$1>
> 
> /etc/postfix/check_recipient_access:
>/(.*)/  prepend X-Envelope-To: <$1>
> 
> Beware, this breaks the privacy of BCC recipients.

Note also that the addresses in question will not be in RFC822 form,
they will be in Postfix internal (i.e. de-quoted) form. So for example:

MAIL FROM:<"spaces in this mailbox"@example.com>

will appear as:

X-Envelope-From: spaces in this mail...@example.com

Adding quoting is possible (PCRE):

# Reject addresses with <"> in the localpart or domain
#
/"/ REJECT
# Use dot-a...@domain verbatim (untested)
#

/([^\x00-\x20\x7f-\xff\(\)<>@,;:\\\[\]\.]+(?:\.[^\x00-\x20\x7f-\xff\(\)<>@,;:\\\[\]\.]+)*...@[^@]*)/
 PREPEND X-Envelope-From: <$1>
# Everything else needs quoting:
#
/(.*)@(.*)/ PREPEND X-Envelope-From: <"${1}"@${2}>

provided you are willing to REJECT (often problematic and in any case
rare) addresses whose de-quoted (internal) form contains double-quotes:

<"there are \"quotes\" in this mailbox"@example.com>

If you want to handle these correctly, you need a content filter or
milter with robust address parsing. Note, parsing RFC822 addresses
*correctly* is NOT easy.

-- 
Viktor.


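The quoting problem Viktor describes above (Postfix hands the access map the de-quoted internal form, and a PCRE map can only re-quote the simple cases) is what a content filter or milter has to solve in code. The following is an added example, not code from the thread or from Postfix: it converts an internal-form envelope address back into an RFC 5322 addr-spec, escaping the embedded double quotes and backslashes that the PCRE version has to REJECT, passes the null sender through unchanged, and refuses control characters, because a value that ends up in a PREPENDed header must never contain a line break. The function and header names are the example's own.

```python
"""Re-quote a Postfix-internal (de-quoted) envelope address for use in a
header such as X-Envelope-From.  Added example; not part of Postfix."""
import re

# RFC 5322 "atext": the characters a local part may contain unquoted.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
# A dot-atom is one or more atext runs separated by single dots.
DOT_ATOM = re.compile(rf"^[{ATEXT}]+(?:\.[{ATEXT}]+)*$")


def has_control_chars(value: str) -> bool:
    """True if value contains a control character (0x00-0x1f or 0x7f).
    CR/LF inside a header value would start a new header line."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def quote_local_part(local: str) -> str:
    """Return the local part as a dot-atom when it already is one, otherwise
    as a quoted-string with '\\' and '"' escaped (RFC 5322 quoted-pair)."""
    if DOT_ATOM.fullmatch(local):
        return local
    escaped = local.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def internal_to_rfc822(address: str) -> str:
    """Convert Postfix internal form to an addr-spec.

    The internal form has had its quoting removed, so the local part may
    itself contain '@'; the domain is whatever follows the LAST '@'.
    The null sender (bounces) is the empty string and stays empty."""
    if has_control_chars(address):
        raise ValueError("control character in address")
    if address == "":
        return ""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("address is not of the form local@domain")
    return f"{quote_local_part(local)}@{domain}"


def envelope_header(name: str, address: str) -> str:
    """Build the header line a filter would prepend, e.g. X-Envelope-From."""
    return f"{name}: <{internal_to_rfc822(address)}>"


if __name__ == "__main__":
    # Constructed inputs mirroring the cases discussed in the thread.
    for addr in ("dot-atom@example.com",
                 "spaces in this mailbox@example.com",
                 'there are "quotes" in this mailbox@example.com',
                 ""):
        print(envelope_header("X-Envelope-From", addr))
```

The dot-atom check is the only decision point: anything else is wrapped in quotes, so the function never has to guess which characters Postfix stripped. A filter that builds headers from envelope data should treat a `ValueError` here as a reason to skip the header rather than to emit a partial one.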

Re: Enforcing TLS by recipient and sender domain

2009-02-12 Thread Wietse Venema
Victor Duchovni:
> On Thu, Feb 12, 2009 at 08:33:35AM -0500, Wietse Venema wrote:
> 
> > > > > is there a way to enforce TLS dependent on the sender domain?
> >
> > This would have to be simulated with sender_dependent_relayhost_maps.
> > Specify a Postfix instance that encrypts all outbound mail. Postfix
> > multi-instance support will go alpha in a few days.
> 
> To expand this a bit, you deploy (at least) two Postfix instances on
> your system.
> 
> The input instance accepts mail from senders and normally delivers it
> directly to the nexthop gateway for the destination. You already have
> this.
> 
> The (TLS) output instance has a separate config_directory, queue_directory
> and data_directory, but shares the Postfix executables and docs. In the
> output instance, TLS is enforced for certain destinations.
> 
> The input instance uses sender_dependent_relayhost_maps to route some
> mail to the (TLS) output instance.
> 
> This scales poorly if different customers want to enforce TLS for
> different sets of destinations at different security levels. If that
> happens, it is much better to just field a separate input MTA for
> "special-needs" customers, and have the input instances do all the work.
> 
> The main difficulty with multiple input instances is that it is difficult
> to get the process limits right. If loads on all the input instances
> spike at the same time, your system may not have enough disk I/O or CPU
> to handle the load.
> 
> There is no sender_dependent_tls_policy_maps, nor any lookup key syntax
> for TLS policy by sender *and* recipient domain combined.

In addition, when people say "sender" they sometimes mean the client
IP address, instead of the envelope sender domain or address.

If the poster wants encryption depending on client IP address, then
they will have to direct those clients directly to an MTA instance
that encrypts all outbound mail. That also gives more assurance that
bounces will be encrypted.

Wietse


Re: Sending hangs for no apparent reason..

2009-02-12 Thread Gaute Amundsen
It happened again :(
Not in connection with backup, but in another situation with high load.

Output of ps
http://div.org/postfix_debug/postfix.processes.txt  

http://div.org/postfix_debug/stack_trace.28848  - qmgr
http://div.org/postfix_debug/stack_trace.7175 - smtp

http://div.org/postfix_debug/core.28848  
http://div.org/postfix_debug/core.7175   

The bit of log with the last qmgr and smtp lines before the hang
(no hits for grep -i "watchdog"):
http://div.org/postfix_debug/maillog.12.02.09

> I am guessing a "ready" indication arrived for the private/smtp socket,
> but accept() blocked indefinitely. This would then be a kernel issue.

Does this look like that?

Thanks
Gaute


> On Mon, Feb 02, 2009 at 05:26:10PM +0100, Gaute Amundsen wrote:
> > On Monday 02 February 2009 15:43:19 Victor Duchovni wrote:
> > > On Mon, Feb 02, 2009 at 01:50:30PM +0100, Gaute Amundsen wrote:
> > > > Jan 25 05:59:19 hotell01 postfix/smtp[595]: fatal: watchdog timeout
> > > > Jan 25 05:59:20 hotell01 postfix/master[734]: warning: process
> > > > /usr/libexec/postfix/smtp pid 595 exit status 1
> > > > Jan 25 05:59:20 hotell01 postfix/master[734]: warning:
> > > > /usr/libexec/postfix/smtp: bad command startup -- throttling
> > >
> > > This happens when the smtp(8) process has been stuck waiting for
> > > something to happen for 5 hours. What was happening around 00:59:xx on
> > > the same day?
> >
> > Apparently nothing in particular:
> >
> > http://pastebin.ca/1325397
>
> Jan 25 00:56:53 hotell01 postfix/qmgr[738]: B75CA147967:
> from=, size=29074, nrcpt=1 (queue active)
>
> The delivery agent scheduled to handle this message locked up for 5
> hours and gave up. It got stuck before reporting "busy" to the master
> daemon, so no other smtp(8) processes were allocated.
>
> > our Munin http://munin.projects.linpro.no/
> > has lost the fine details that far back but there is a regular high peak
> > on IOstsat just before 01:00 every night. Backup related I guess.
> >
> > both today and Jan 25 was a monday, so I had a look at cron.weekly which
> > runs
>
> Perhaps your system runs out of resources during backup, and perhaps when
> this happens the system behaves in ways it should not.
>
> I am guessing a "ready" indication arrived for the private/smtp socket,
> but accept() blocked indefinitely. This would then be a kernel issue.
>
> If this happens again, you need to catch the stuck smtp(8) *before* the
> watchdog timer expires, and get a core file via "gcore". Then report a
> stack trace of the process.




Re: Enforcing TLS by recipient and sender domain

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 08:33:35AM -0500, Wietse Venema wrote:

> > > > is there a way to enforce TLS dependent on the sender domain?
>
> This would have to be simulated with sender_dependent_relayhost_maps.
> Specify a Postfix instance that encrypts all outbound mail. Postfix
> multi-instance support will go alpha in a few days.

To expand this a bit, you deploy (at least) two Postfix instances on
your system.

The input instance accepts mail from senders and normally delivers it
directly to the nexthop gateway for the destination. You already have
this.

The (TLS) output instance has a separate config_directory, queue_directory
and data_directory, but shares the Postfix executables and docs. In the
output instance, TLS is enforced for certain destinations.

The input instance uses sender_dependent_relayhost_maps to route some
mail to the (TLS) output instance.

This scales poorly if different customers want to enforce TLS for
different sets of destinations at different security levels. If that
happens, it is much better to just field a separate input MTA for
"special-needs" customers, and have the input instances do all the work.

The main difficulty with multiple input instances is that it is difficult
to get the process limits right. If loads on all the input instances
spike at the same time, your system may not have enough disk I/O or CPU
to handle the load.

There is no sender_dependent_tls_policy_maps, nor any lookup key syntax
for TLS policy by sender *and* recipient domain combined.

-- 
Viktor.



Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Victor Duchovni
On Thu, Feb 12, 2009 at 06:51:20AM -0700, Curtis wrote:

> So, on a box that I know has nothing else feeding into the maildrop
> queue, it would be safe to skip the step of dropping it in the idle
> queue of a second instance (on the same filesystem) and running
> "postsuper -s" to get a properly named queue file?  I would, of
> course, use a queue file name that would never be used by postfix.

The queue file should be created mode 0600, owner $mail_owner, and
changed to 0700 once the contents are fully copied into the file.
The file-name must be alphanumeric. Postfix queue-ids only use [0-9A-F],
so in the maildrop directory you can avoid collisions by prefixing the
original filename with "X".

-- 
Viktor.



Re: How to safely re-inject an archived queue file?

2009-02-12 Thread Curtis
On Wed, Feb 11, 2009 at 6:51 PM, Wietse Venema  wrote:
> Curtis:
>> Hi,
>>
>> I'm looking for a safe way to re-inject an archived queue file that
>> was backed up and removed (via postsuper) from the hold queue.  (Not
>> just this once, but on a regular basis.)  I realize that it would be
>> possible to use postcat to grab the raw contents of the archived
>> message and feed it back through sendmail (after first parsing and
>> then removing the envelope information), but before I went through
>> that much trouble, I wanted to see if there was an easier way.
>>
>> On a test machine, I threw it into the incoming queue and ran
>> "postkick public qmgr I" and it seemed to deliver to all original
>> recipients of the message.  But, I have a feeling that direct
>> insertion into the incoming directory is not the right way to do this.
>>
>> If the above method is unsafe, is there a postfix command that I can
>> pipe an archived queue file to that would safely re-inject the
>> message?  Or, am I stuck with the sendmail method?
>>
>> Thanks for any advice anyone has on this...
>
> On a quiet system, put it into the maildrop directory, as a file
> that is owned by the postfix user.
>
> If you manually insert files into the incoming/active/deferred
> queues then you may lose mail. Postfix ensures that queue files
> have unique names, but that guarantee fails when you insert queue
> files in by hand.
>
>Wietse
>

So, on a box that I know has nothing else feeding into the maildrop
queue, it would be safe to skip the step of dropping it in the idle
queue of a second instance (on the same filesystem) and running
"postsuper -s" to get a properly named queue file?  I would, of
course, use a queue file name that would never be used by postfix.

Curtis
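Viktor's answer (create the file mode 0600 as the mail owner, fill it, then switch it to 0700, and use a name Postfix itself would never generate) and Wietse's earlier advice to use the maildrop directory rather than incoming/active/deferred together describe the handshake postdrop(1) performs. The following is an added example, not a script from the thread or from Postfix, that does the same by hand: the 0600-to-0700 transition keeps pickup(8) from reading a half-copied file, O_EXCL guarantees no existing file is overwritten, and the "X" prefix keeps the name outside the [0-9A-F] queue-id space. The maildrop path, the `postfix` owner name and the `demo()` dry run in a temporary directory are the example's own assumptions; on a real system it must run with enough privilege to chown to the mail owner.

```python
"""Hand-inject an archived Postfix queue file into maildrop the way
postdrop(1) does.  Added example; not part of Postfix."""
import os
import pwd
import shutil
import subprocess
import tempfile


def maildrop_name(original: str) -> str:
    """Postfix queue IDs use only [0-9A-F]; a leading 'X' plus the original
    name (reduced to alphanumerics, which maildrop file names must be)
    cannot collide with anything Postfix creates there."""
    cleaned = "".join(ch for ch in os.path.basename(original) if ch.isalnum())
    if not cleaned:
        raise ValueError("queue file name has no alphanumeric characters")
    return "X" + cleaned


def reinject(archived: str, maildrop: str, mail_owner: str = "postfix",
             chown: bool = True) -> str:
    """Copy an archived queue file into maildrop and return its new path."""
    dest = os.path.join(maildrop, maildrop_name(archived))
    # O_EXCL: never overwrite.  0600: pickup(8) only takes files that are
    # mode 0700, so a partially written file is invisible to it.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as out, open(archived, "rb") as src:
            shutil.copyfileobj(src, out)
            out.flush()
            os.fsync(out.fileno())   # contents on disk before the hand-over
        if chown:
            pw = pwd.getpwnam(mail_owner)   # $mail_owner, assumed "postfix"
            os.chown(dest, pw.pw_uid, pw.pw_gid)
        os.chmod(dest, 0o700)   # hand-over: from now on pickup(8) may take it
    except Exception:
        os.unlink(dest)         # leave no half-copied file behind
        raise
    return dest


def wake_pickup() -> None:
    """Ask master(8) to wake pickup(8) now instead of at its next timer."""
    subprocess.run(["postkick", "public", "pickup", "W"], check=True)


def demo() -> dict:
    """Dry run in a temporary directory with a constructed queue file;
    chown is skipped because no mail owner exists in that sandbox."""
    work = tempfile.mkdtemp()
    archived = os.path.join(work, "B75CA147967")   # constructed archive copy
    with open(archived, "wb") as f:
        f.write(b"constructed queue file contents\n")
    maildrop = os.path.join(work, "maildrop")
    os.mkdir(maildrop)
    dest = reinject(archived, maildrop, chown=False)
    with open(dest, "rb") as f:
        content = f.read()
    return {"name": os.path.basename(dest),
            "mode": os.stat(dest).st_mode & 0o777,
            "content": content}


if __name__ == "__main__":
    print(demo())
```

On a live system the call sequence is `reinject("/archive/QUEUEID", "/var/spool/postfix/maildrop")` followed by `wake_pickup()`; the function refuses to proceed if a file of the same name is already present, which is the failure mode hand insertion into the other queue directories does not protect against.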


Re: Mail Annotation in Postfix

2009-02-12 Thread Patrick Ben Koetter
* Zoltan Balogh :
> Hello All,
> 
> I work on a project where we annotate emails coming through a mail server.
> By annotation I mean attaching additional possibly useful information to
> email body based on the email content. Annotation is enacted selectively
> based on users preferences.
> 
> What is your opinion, what is the best mechanism to integrate such
> annotation particularly for Postfix? Recently we have implemented the
> annotator as a pre-queue mail filter and through maildrop MDA. Do you see
> any other (possibly better) mechanism to integrate such solution?

Have you had a look at Postfix milter interface? Your milter might work for
Sendmail too.

p...@rick



> 
> Thanks for your opinion.
> 
> Regards,
> Zoltan

-- 
The Book of Postfix

saslfinger (debugging SMTP AUTH):



Re: Enforcing TLS by recipient and sender domain

2009-02-12 Thread Wietse Venema
Urban Hillebrand:
> On Thu, Feb 12, 2009 at 07:13:19AM -0500, Wietse Venema wrote:
> > Urban Hillebrand:
> > > Hello list,
> > > 
> > > is there a way to enforce TLS dependent on the sender domain?
> > 
> > Yes. Use "check_sender_access" and "reject_plaintext_session".
> 
> Thank you Wietse, but isn't this an smtpd setting? My problem is about
> outgoing mails. We act as SMTP relay for our customers, who want to send
> TLS encrypted SMTP to destinations in the internet. Sorry if I wasn't
> clear.

This would have to be simulated with sender_dependent_relayhost_maps.
Specify a Postfix instance that encrypts all outbound mail. Postfix
multi-instance support will go alpha in a few days.

TLS is a hop-by-hop security protocol. TLS provides no security
after the sender gives the message to the relay. This includes
bounce messages for mail that was received via TLS.

Wietse

> [...]
> > > Background:
> > > Many customers are using our SMTP infrastructure (opportunistic TLS is
> > > active). Now one customer wants to enforce TLS to a certain destination;
> > > can I do this without affecting all other customers (who might as well
> > > send mails to this destination, but did not ask for enforced TLS)?
> > > 
> > > The only ways I can think of involve more SMTP servers (or at least
> > > instances). Is there an easy solution to this?
> 
> 



Re: Enforcing TLS by recipient and sender domain

2009-02-12 Thread Urban Hillebrand
On Thu, Feb 12, 2009 at 07:13:19AM -0500, Wietse Venema wrote:
> Urban Hillebrand:
> > Hello list,
> > 
> > is there a way to enforce TLS dependent on the sender domain?
> 
> Yes. Use "check_sender_access" and "reject_plaintext_session".

Thank you Wietse, but isn't this an smtpd setting? My problem is about
outgoing mails. We act as SMTP relay for our customers, who want to send
TLS encrypted SMTP to destinations in the internet. Sorry if I wasn't
clear.

[...]
> > Background:
> > Many customers are using our SMTP infrastructure (opportunistic TLS is
> > active). Now one customer wants to enforce TLS to a certain destination;
> > can I do this without affecting all other customers (who might as well
> > send mails to this destination, but did not ask for enforced TLS)?
> > 
> > The only ways I can think of involve more SMTP servers (or at least
> > instances). Is there an easy solution to this?


Mail Annotation in Postfix

2009-02-12 Thread Zoltan Balogh
Hello All,

I work on a project where we annotate emails coming through a mail server.
By annotation I mean attaching additional, possibly useful information to
the email body based on the email content. Annotation is enacted selectively
based on users' preferences.

What is your opinion, what is the best mechanism to integrate such
annotation, particularly for Postfix? Recently we have implemented the
annotator as a pre-queue mail filter and through the maildrop MDA. Do you see
any other (possibly better) mechanism to integrate such a solution?

Thanks for your opinion.

Regards,
Zoltan


Re: Add X-Envelope From/To into incoming mail

2009-02-12 Thread Wietse Venema
Petr Hudeček:
> Hi everybody!
> I need add X-Envelope From: and X-Envelope To: into incoming mail from 
> envelope mail, no from head mail! I use Postfix and procmail. Can you help 
> me, please?

Use PREPEND actions in access maps.

http://www.postfix.org/SMTPD_ACCESS_README.5.html
http://www.postfix.org/access.5.html
http://www.postfix.org/postconf.5.html#check_sender_access
http://www.postfix.org/postconf.5.html#check_recipient_access

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        check_recipient_access pcre:/etc/postfix/recipient_access
    smtpd_data_restrictions =
        check_sender_access pcre:/etc/postfix/sender_access

/etc/postfix/sender_access:
    /(.*)/  prepend X-Envelope-From: <$1>

/etc/postfix/recipient_access:
    /(.*)/  prepend X-Envelope-To: <$1>

Beware, this breaks the privacy of BCC recipients.

Wietse


Re: Enforcing TLS by recipient and sender domain

2009-02-12 Thread Wietse Venema
Urban Hillebrand:
> Hello list,
> 
> is there a way to enforce TLS dependent on the sender domain?

Yes. Use "check_sender_access" and "reject_plaintext_session".

Wietse

> Background:
> Many customers are using our SMTP infrastructure (opportunistic TLS is
> active). Now one customer wants to enforce TLS to a certain destination;
> can I do this without affecting all other customers (who might as well
> send mails to this destination, but did not ask for enforced TLS)?
> 
> The only ways I can think of involve more SMTP servers (or at least
> instances). Is there an easy solution to this?
> 
> Thanks in advance!
> 
> 



Add X-Envelope From/To into incoming mail

2009-02-12 Thread Petr Hudeček
Hi everybody!
I need to add X-Envelope-From: and X-Envelope-To: headers to incoming mail, taken
from the envelope, not from the mail headers! I use Postfix and procmail. Can you help me, please?


Enforcing TLS by recipient and sender domain

2009-02-12 Thread Urban Hillebrand
Hello list,

is there a way to enforce TLS dependent on the sender domain?

Background:
Many customers are using our SMTP infrastructure (opportunistic TLS is
active). Now one customer wants to enforce TLS to a certain destination;
can I do this without affecting all other customers (who might as well
send mails to this destination, but did not ask for enforced TLS)?

The only ways I can think of involve more SMTP servers (or at least
instances). Is there an easy solution to this?

Thanks in advance!


Re: holding mail for recipient

2009-02-12 Thread Christoph Erdle

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Additionally here is a log file excerpt of such a delivery:

Feb 12 12:39:43 [postfix/smtpd] connect from  
e181105164.adsl.alicedsl.de[85.181.105.164]
Feb 12 12:39:44 [postfix/smtpd] setting up TLS connection from  
e181105164.adsl.alicedsl.de[85.181.105.164]
Feb 12 12:39:44 [postfix/smtpd] Anonymous TLS connection established  
from e181105164.adsl.alicedsl.de[85.181.105.164]: TLSv1 with cipher  
AES128-SHA (128/128 bits)
Feb 12 12:39:44 [postfix/smtpd] NOQUEUE: hold: RCPT from  
e181105164.adsl.alicedsl.de[85.181.105.164]: :  
Recipient address testing hold with alias; from= to=> proto=ESMTP helo=<[192.168.2.101]>
Feb 12 12:39:44 [postfix/smtpd] 9BE4FE083B9:  
client=e181105164.adsl.alicedsl.de[85.181.105.164], sasl_method=PLAIN, sasl_usernam...@team-erdle.de
Feb 12 12:39:44 [postfix/cleanup] 9BE4FE083B9: message-id=>

Feb 12 12:40:02 [postfix/postsuper] Released from hold: 1 message
Feb 12 12:40:04 [postfix/qmgr] 9BE4FE083B9: from=,  
size=727, nrcpt=1 (queue active)

Feb 12 12:40:08 [postfix/smtpd] connect from localhost[127.0.0.1]
Feb 12 12:40:08 [postfix/smtpd] NOQUEUE: hold: RCPT from  
localhost[127.0.0.1]: : Recipient address testing  
hold with alias; from= to=  
proto=ESMTP helo=

Feb 12 12:40:08 [postfix/smtpd] 4BED9E08471: client=localhost[127.0.0.1]
Feb 12 12:40:08 [postfix/cleanup] 4BED9E08471: message-id=>

Feb 12 12:40:08 [postfix/smtpd] disconnect from localhost[127.0.0.1]
Feb 12 12:40:08 [amavis] (10773-17) Passed CLEAN, [85.181.105.164]  
[85.181.105.164]  -> , Message- 
ID: , mail_id: KB0Z 
+Ile8OCp, Hits: -4.308, size: 727, queued_as: 4BED9E08471, Subject:  
"test hold", From: Christoph_Erdle_, X-Mailer:  
Apple_Mail_(2.930.3), Tests:  
[ALL_TRUSTED 
=-1.8,AWL=0.090,BAYES_00=-2.599,LOCAL_DEMONSTRATION_RULE=0.001],  
autolearn=ham, 4531 ms
Feb 12 12:40:08 [postfix/lmtp] 9BE4FE083B9: to=,  
relay=127.0.0.1[127.0.0.1]:10024, delay=24, delays=20/0.01/0/4.5,  
dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10773-17, from  
MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4BED9E08471)

Feb 12 12:40:08 [postfix/qmgr] 9BE4FE083B9: removed
Feb 12 12:40:24 [postfix/postsuper] Released from hold: 1 message
Feb 12 12:40:27 [postfix/qmgr] 4BED9E08471: from=,  
size=1169, nrcpt=2 (queue active)
Feb 12 12:40:27 [postfix/virtual] 4BED9E08471: to=,  
orig_to=, relay=virtual, delay=19,  
delays=19/0.04/0/0.06, dsn=2.0.0, status=sent (delivered to maildir)
Feb 12 12:40:27 [postfix/pipe] 4BED9E08471: to=,  
orig_to=, relay=procmail, delay=19,  
delays=19/0.02/0/0.13, dsn=2.0.0, status=sent (delivered via procmail  
service)


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmUDQAACgkQqqYbNmv9eYkFAACfV2a0Gz97xCErqfNP2gF2p2HX
lMAAn0FFGUZuVjfdnTFo6HmlC16WaY6C
=gG03
-END PGP SIGNATURE-


holding mail for recipient

2009-02-12 Thread Christoph Erdle

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi list,

after having implemented dynamic aliases using ldap I have the  
following problem:


I want to hold mails for a specific recipient which is an alias to  
multiple addresses so admin interaction is required to send to this  
alias. Problem is that the mail is now held twice (following is the  
output of mailq and releasing the message):


srvopt postfix # mailq
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
594C5E083A8! 751 Thu Feb 12 11:49:10  i...@team-erdle.de
 t...@team-erdle.de

-- 1 Kbytes in 1 Request.
srvopt postfix # postsuper -H 594C5E083A8
postsuper: 594C5E083A8: released from hold
postsuper: Released from hold: 1 message
srvopt postfix # mailq
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
594C5E083A8  751 Thu Feb 12 11:49:10  i...@team-erdle.de
 t...@team-erdle.de

-- 1 Kbytes in 1 Request.
srvopt postfix # postqueue -f
srvopt postfix # mailq
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
DD553E08409!1193 Thu Feb 12 11:50:13  i...@team-erdle.de
 i...@team-erdle.de
 y...@team-erdle.de

-- 1 Kbytes in 1 Request.

How can I prevent this so that the message is only held once from  
delivery?


Thanks in advance,
Christoph Erdle

the file hold-distributions to hold the delivery:

t...@team-erdle.de HOLD testing hold with alias

postconf -n:

2bounce_notice_recipient = sys...@partofus.org
address_verify_sender = sendverf...@partofus.org
alias_maps = hash:/usr/local/mailman/data/virtual-mailman, hash:/etc/mail/aliases
body_checks_size_limit = 512000
bounce_notice_recipient = sys...@partofus.org
bounce_size_limit = 5
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_notice_recipient = sys...@partofus.org
delay_warning_time = 1h
deliver_lock_delay = 10s
double_bounce_sender = double-bou...@partofus.org
error_notice_recipient = sys...@partofus.org
fast_flush_domains = $relay_domains
header_checks = regexp:/etc/postfix/rcvd_check
header_size_limit = 102400
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.2.10/html
in_flow_delay = 1s
inet_interfaces = all
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
local_transport = local
mail_name = Postfix
mail_owner = postfix
mail_release_date = 19071224
mail_version = 2010
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_backoff_time = 2500s
message_size_limit = 8192
minimal_backoff_time = 170s
mydestination =
mydomain = partofus.org
myhostname = srvopt.partofus.org
mynetworks = 127.0.0.0/8
myorigin = partofus.org
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
queue_run_delay = 180s
readme_directory = /usr/share/doc/postfix-2.2.10/readme
recipient_delimiter = +
relay_domains = $mydestination, localhost
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, hash:/etc/postfix/client_restrictions
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/hold-recipients, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access ldap:/etc/postfix/ldap-block.cf, check_recipient_access hash:/etc/postfix/blocked-teamerdle, check_policy_service inet:127.0.0.1:10030
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_sender_domain, permit_mynetworks
smtpd_tls_CAfile = /etc/ssl/PartOfUs.CA/ca.partofus.org_cert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/PartOfUs.CA/mail.partofus.org_cert.pem
smtpd_tls_key_file = /etc/ssl/PartOfUs.CA/mail.partofus.org_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport, ldap:/etc/postfix/ldap-otherTransport.cf, ldap:/etc/postfix/ldap-transport.cf
unknown_local_recipient_reject_code = 450
unverified_recipient_reject_code = 450
virtual_alias_maps = hash:/usr/local/mailman/data/virtual-mailman, ldap:/etc/postfix/ldap-accountsmap.cf, ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-distributionlists.cf
virtual_gid_maps = static:800

Re: recipient_delimiter and virtual users

2009-02-12 Thread mouss
post...@corwyn.net wrote:
> 
> 
> OK, so I've become intrigued with recipient delimiters.
> 
> My users are currently stored in a mysql database, 'postfix'.  The table
> format is as postfixadmin sets it up, so in the  username is the user
> email address u...@example.com
> 
> Before I started tinkering, email to u...@example.com worked. Email to
> user+...@example.com failed with "unknown recipient", all well and good.
> 
> It looks like even with recipient_delimiter = + set, mail is still
> bounced for the same reason. I theorize that recipient_delimiter is
> actually checked at the end of the address such that with it enabled
> what I really have is u...@example.com+foo working (which, of course,
> won't work).
> 
> Does this mean that I can't really use recipient_delimiter with my users
> defined as u...@example.com? If so, I presume I need to munge up (even
> more) my SQL statement so that instead of checking for username='%s' 
> I'm going to need to strip %s apart into its constituent components and
> then reassemble it, so that user+...@example.com, user+...@example.com
> works?  Or would I just use '%d', which looks like it might be the left
> side of the email address (tho I'd still have to make the SQL match that).
> 
> The end result that would be cool would be that if foo was defined as a
> folder, mail would get delivered there, and if not mail would be
> delivered to the default inbox.
> 
> I can currently (with my existing sql) create a second user
> user+...@example.com and get mail to deliver to inbox/foo , but that
> means that a) I have to maintain a u...@example.com AND a
> user+...@example.com, and additionally if I want to add additional
> extensions I have to create additional accounts, which seems tiresome.
> 
> Thanks for any guidance!
> 

recipient_delimiter works "out of the box". there is no need to change
your tables, your sql statements nor add users.

if it doesn't work for you, then you have something misconfigured. to
get help, follow the directions in
http://www.postfix.org/DEBUG_README.html#mail

In particular:
- logs
- postconf -n




Re: postfix logs, spams and bounce messages

2009-02-12 Thread mouss
Justin Piszcz wrote:
> 
> 
> On Wed, 11 Feb 2009, Victor Duchovni wrote:
> 
>> You are doing Sender Address Verification (reject_unverified_sender)
>> before doing RBL checks. Fix this. Do the RBL checks first, and consider
>> not doing SAV at all, but if you do use it, do SAV *last*.
>>
> 
>> smtpd_data_restrictions =
>> reject_unverified_sender
>>
>> -- 
>> Viktor.
>>
> 
> Hi,
> 
> Quick question, if one has all of his restrictions in
> smtpd_recipient_restrictions, why is it(?) better to put the
> reject_unverified_sender within the smtpd_data_restrictions?
> 

it helps to make sure that SAV will only be done for mail that is not
otherwise rejected or greylisted. it also helps to avoid sorcerer's
apprentice SAV-on-SAV issues.

if you don't use greylisting, you can put the check at the end of
smtpd_recipient_restrictions. but if you use greylisting and your GL
returns defer_if_permit, then SAV will be performed when you would prefer to
wait until the client retries.


Re: postfix benchmark performance

2009-02-12 Thread lst_hoe02

Quoting Silas Boyd-Wickizer:

>> Why do you believe that this should use 100% of ALL Cpus?
>>
>> If you look at your synthetic test then you will likely find that
>> there are at any point in time only a few mail receiving processes
>> and mail delivering processes, and that these processes will all
>> be waiting for kernel system calls to complete.
>>
>> With this synthetic test you really have only a low-concurrency load.
>
> Yes, there are only a few mail delivering processes (virtual).
> Why is this a function of my load?  There are many messages
> waiting for delivery, so why doesn't postfix run more virtuals
> to increase concurrency?
>
> I'm not sure what you mean by "waiting for kernel system calls to
> complete".  Do you mean "executing kernel system calls" (reading
> from a pipe), or "blocked on kernel system calls" (i.e. waiting
> on a pipe)?


As far as I understand, all mail must "pass" (in the sense of deciding what
to do with it) the qmgr, which is a single process and therefore limited
to one CPU. As you have shown, it is able to manage around 3000 mail/sec
(which means around 10 million an hour, btw) on a low-cost CPU core.
In practice you will never be able to push mail that fast to any
permanent storage available today...
If you are able to do so in the far future, one CPU core will be
even faster and therefore qmgr will still not be the bottleneck in any
real mail system.
This is why your "benchmark" is only useful to see qmgr working hard,
because in any real-world scenario it is nearly idle waiting for the
disk I/O.
Be aware that this is a "naive" explanation and the internal details
are more complex than this.


Regards

Andreas




Re: postfix logs, spams and bounce messages

2009-02-12 Thread mouss
ddaas wrote:
> I did the modification and it seems it works better. Since that
> modification I got no message rejected from yahoo.
> 
> 1. Could you please explain to me why the RBL checks should be done
> before Sender Address Verification? And why it is not advisable to do
> SAV at all?
> 
> 2. Is it correct that my server received spams with forged yahoo address
> and for every spam it responded to yahoo and yahoo got upset?
> 

There was a recent thread about this. look for
Subject: reject_unverified_sender vs greylisting
(initial post: 9 Feb 2009).

postfix docs already say a little about this:
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#limitations

if you like reading, take a look at:

http://www.circleid.com/posts/sender_address_verification/
http://en.wikipedia.org/wiki/Callback_verification#Drawbacks
http://taint.org/2007/03/16/134743a.html
http://www.spamresource.com/2007/01/whatever-happened-to-vrfy.html
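The ordering advice in this thread (RBL checks first, reject_unverified_sender last, and preferably not in the early restriction stages) is easy to get wrong in a long main.cf. The following script is an added example, not code from the thread or from the Postfix project: it parses a main.cf fragment, including Postfix continuation lines, and reports the placements the thread warns about. The two main.cf samples are constructed for the example; the greylisting policy address is an assumption.

```python
"""Lint a Postfix main.cf for reject_unverified_sender (SAV) placement.

Added example (not from the thread or from Postfix). It flags:
  * SAV in smtpd_client/helo/sender_restrictions (runs before any RBL check),
  * SAV in smtpd_recipient_restrictions with other restrictions after it,
  * a check_policy_service (e.g. greylisting) before SAV in the same list;
    if the policy returns defer_if_permit the SAV probe still runs.
"""
import re

SAV = "reject_unverified_sender"

# Constructed sample resembling the weak ordering discussed in the thread.
WEAK_MAIN_CF = """\
smtpd_sender_restrictions = reject_unverified_sender
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_sender,
    reject_rbl_client zen.spamhaus.org
"""

# Constructed sample following the recommended ordering: RBL first, SAV last.
FIXED_MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
smtpd_data_restrictions = reject_unverified_sender
"""


def parse_main_cf(text):
    """Return {parameter: [tokens]}; lines starting with whitespace continue
    the previous parameter, as in Postfix. Restriction arguments (e.g. the
    RBL domain) become separate tokens, which is enough for ordering checks."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return {k: [t for t in re.split(r"[,\s]+", v) if t] for k, v in params.items()}


def sav_findings(text):
    """Return a list of human-readable findings about SAV placement."""
    params = parse_main_cf(text)
    findings = []
    for stage in ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                  "smtpd_sender_restrictions"):
        if SAV in params.get(stage, []):
            findings.append(f"{stage}: {SAV} runs before any RBL check; move it later")
    rcpt = params.get("smtpd_recipient_restrictions", [])
    if SAV in rcpt:
        i = rcpt.index(SAV)
        if rcpt[i + 1:]:
            findings.append("smtpd_recipient_restrictions: %s is not last; "
                            "%s follow it" % (SAV, " ".join(rcpt[i + 1:])))
        if "check_policy_service" in rcpt[:i]:
            findings.append("smtpd_recipient_restrictions: a policy service precedes "
                            f"{SAV}; a defer_if_permit result still triggers the SAV probe")
    return findings


if __name__ == "__main__":
    for name, cf in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(f"== {name} ==")
        for f in sav_findings(cf) or ["no findings"]:
            print(" ", f)
```

Run it against the output of `postconf -n` redirected to a file to check a live configuration; the parser only needs the parameter=value lines and continuation lines that postconf prints.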





Re: postfix logs, spams and bounce messages

2009-02-12 Thread ddaas
I did the modification and it seems it works better. Since that
modification I got no message rejected from yahoo.

1. Could you please explain to me why the RBL checks should be done
before Sender Address Verification? And why it is not advisable to do
SAV at all?

2. Is it correct that my server received spams with forged yahoo address
and for every spam it responded to yahoo and yahoo got upset?




Thanks everybody.



Victor Duchovni wrote:
You are doing Sender Address Verification (reject_unverified_sender)
before doing RBL checks. Fix this. Do the RBL checks first, and consider
not doing SAV at all, but if you do use it, do SAV *last*.

	smtpd_client_restrictions =
	... no reject_unverified_sender ...

	smtpd_helo_restrictions =
	... no reject_unverified_sender ...

	smtpd_sender_restrictions =
	... no reject_unverified_sender ...

	smtpd_recipient_restrictions =
		permit_mynetworks,
		reject_unauth_destination,
		reject_rbl_client zen.spamhaus.org
		... no reject_unverified_sender ...

	smtpd_data_restrictions =
	reject_unverified_sender