Re: Question regarding this mailing list & privacy.

2009-02-24 Thread Vince Sabio

At 23:24 +0100 on 02/24/2009, mouss wrote:

> I don't know for you, but I get a lot of attempts to "funny" addresses
> like <47f280be.9000...@netoyen.net>. one of my pseudo-traps is
> /\d{5...@netoyen\.net$/.


Those "funny" addresses look a lot like Message-IDs. I suspect that 
harvesters (dumb harvesters, in this case) are parsing them out of 
the Message-ID headers -- probably just taking everything from the 
entire {header + body} of the message that has an "@" sign in it.


__
Vince Sabio  vi...@vjs.org


Re: Postfix support for NTLM

2009-02-24 Thread Victor Duchovni
On Tue, Feb 24, 2009 at 09:28:09PM -0600, Justin Pasher wrote:

> I have a client that wants us to setup the Postfix SMTP server on their web
> server to use authentication when relaying through their Exchange server
> (even though both are on the same local network). I'm working on just
> getting them to allow relay from the web server IP address, but in the
> meantime...

The Postfix SMTP client uses Cyrus SASL to authenticate to remote SMTP
servers.

> The exchange server only offers "AUTH NTLM" in the EHLO greeting. I did a
> little searching and I'm having trouble finding out whether Postfix (well, I
> guess Cyrus) supports NTLM authentication.

There is an NTLM plugin for Cyrus SASL. Never used it myself...

> cyrus), but I guess I'm trying to find out a way to test it manually outside
> of Postfix before I make the change in the Postfix config.

Good idea. The Cyrus SASL sources come with a sample server and a sample
client, but it may be tricky to get the sample server configured to
verify NTLM creds. You should probably test with "ldapsearch" against
AD with NTLM authentication in LDAP. Once you get the LDAP client working
with NTLM, it should be possible to do the same with SMTP.

> I see in the
> SASL_README how you can test AUTH PLAIN authentication, but I don't see
> anything about NTLM (not fully understanding NTLM myself, it seems to be
> challenge-response protocol, so the same testing method wouldn't work).
> 
> Remember that I only need outgoing NTLM authentication for the SMTP client
> (not incoming NTLM), as this server is simply relaying all emails to the
> Exchange server. Is this something that would be more appropriate on the
> Cyrus list?

Yes. The client is really making life difficult for you; if they supported
AUTH PLAIN or even GSSAPI, it would be a lot easier than NTLM.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Question regarding this mailing list & privacy.

2009-02-24 Thread KLaM Postmaster
mouss wrote:
> KLaM Postmaster wrote:
>> [snip]
>> An alternative is to put up a decoy address. One for which email appears
>> to be accepted, but where it is dropped, 
>
> I use what I call pseudo-traps here. they are only enabled from time to
> time. when they are enabled, I check the messages, and I use that to
> feed Bayes and other things (IP BL, uri bl, ... etc).

That sounds like a good idea, could I trouble you for a few more details
(I saw the funny address item below).

>> preferably while tar-pitting the sender.
>
> I am not a fan of tarpitting. the guys at the other end have more
> bandwidth and resources than myself. so I don't fight on their field.

Good point, and particularly true in my case.

>> I don't know if this is possible, but one can dream.
>> At the moment I think my approach will be to create series of addresses
>> for munging and add them to my blacklist, probably munge01 - 99.
>
> I don't know for you, but I get a lot of attempts to "funny" addresses
> like <47f280be.9000...@netoyen.net>. one of my pseudo-traps is
> /\d{5...@netoyen\.net$/.

So far I am not seeing a lot of "funny" addresses; however, I am seeing a
fair number for non-existent recipients. Fortunately the standard checks
handle those very well.

Cheers
JLA



Postfix support for NTLM

2009-02-24 Thread Justin Pasher
Hello,

I have a client that wants us to setup the Postfix SMTP server on their web
server to use authentication when relaying through their Exchange server
(even though both are on the same local network). I'm working on just
getting them to allow relay from the web server IP address, but in the
meantime...

The Exchange server only offers "AUTH NTLM" in the EHLO greeting. I did a
little searching and I'm having trouble finding out whether Postfix (well, I
guess Cyrus) supports NTLM authentication. I've looked through the
SASL_README and I can see how to enable SASL auth (BTW, "postconf -A" lists
cyrus), but I guess I'm trying to find out a way to test it manually outside
of Postfix before I make the change in the Postfix config. I see in the
SASL_README how you can test AUTH PLAIN authentication, but I don't see
anything about NTLM (not fully understanding NTLM myself, it seems to be
challenge-response protocol, so the same testing method wouldn't work).

Remember that I only need outgoing NTLM authentication for the SMTP client
(not incoming NTLM), as this server is simply relaying all emails to the
Exchange server. Is this something that would be more appropriate on the
Cyrus list?

Justin Pasher



Re: mailbox_size_limit , quota + some other questions

2009-02-24 Thread Linux Advocate

replies below


>> so, that box can handle with postfix's default settings, 1 users? that's
>> nice to know. thanx.
>> we wont be going to that size.
>
> the problem you will have is not on the postfix side. content filters
> and imap are more hungry.


noted.


>>> one has working recipient validation, and subscribes to a SpamHaus
>>> data-feed for local zen.spamhaus.org lookups. With just 1500 users,
>>> the public RBL mirrors may be sufficient.
>>
>> i have been thinking of using sorbs instead of spamhaus because sorbs
>> allows sites with up to 100k users to connect to them but with spamhaus u
>> are limited to 100 users max. Sorbs has a detection rate of about 68% and
>> i was thinking of beefing our spam wall with grey listing.
>>
>> Do u have any suggestions about this?
>
> where did you get the 100 users limit for spamhaus? spamhaus have no
> idea how many users you serve, they only watch dns queries, which are
> related to how many messages you receive (minus those you reject before
> DNSBL query, minus caching when the same IP tries again). And besides,
> 100 is ridiculously low.

It's on their website. I saw it... but can't seem to locate it now. But what I
got today was:

  Your use of the Spamhaus DNSBLs is non-commercial*, and
  Your email traffic is less than 100,000 SMTP connections per day, and
  Your DNSBL query volume is less than 300,000 queries per day.

So, I guess it's ok.



  


Re: policy server continually timing out

2009-02-24 Thread pablo
On Tue, Feb 24, 2009 at 04:39:58PM -0800, pa...@compugenic.com wrote:

[snip]

> 
> It's as if the 'policy_time_limit' line has no effect.  This is the
> second greylist server I've setup on this box with the exact same issue.
> I am thinking something else in my configuration must be wrong, but I
> can't find it. 

I found it.  Silly but I will share. My check_sender_access hash table
was using a single 'x' for the RHS instead of OK - guess I got it mixed
up with a recipient map.

Pablo


Re: Problem with ldap table lookups and TLS

2009-02-24 Thread Victor Duchovni
On Tue, Feb 24, 2009 at 06:48:12PM -0600, Nick Geron wrote:

> So as root or my limited rights postfix user this works:
>
> #postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
> j...@example.com

You only show a test running as root, not "postfix". What versions of
Postfix and OpenLDAP are these? There was TLS API creep in OpenLDAP
between 2.0 and 2.1, and the Postfix LDAP driver was originally based
on OpenLDAP 2.0; this was resolved in Postfix 2.5 as described in
ldap_table(5) under "tls_require_cert".

Please show complete output from "postmap -q" running as the $mail_owner
user, just hide the bind password.

> Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: In 

Is trivial-rewrite in a chroot jail? Please show equivalent "dict_ldap"
logging (to that from postmap -q) from "trivial-rewrite -v" on an idle
Postfix system asked to deliver one message to one recipient.

> Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str: 
> /etc/postfix/ldap/aliases.cf: tls_ca_cert_file = 
> /etc/postfix/ssl/ldap13.crt

What's in this file? Is it a PEM file? Does your LDAP server expect
client certificates?

> I've been around and around with this all day and keep coming back to the 
> same conclusion - proxymap and/or trivial-rewrite (or whatever is 
> responsible for establishing the connection) is not loading my CA file, 
> though it's explicitly set in my ldap table conf file:
>
> (/etc/postfix/ldap/aliases.cf)
> start_tls = yes
> tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
> tls_random_file = /dev/urandom

Shouldn't this be "dev:/dev/urandom"? (Better yet, leave this out; it
should default sensibly in OpenSSL.) Are you using OpenSSL or GnuTLS to
add TLS support in OpenLDAP?

> Again, if I tell postmap to use the proxymap daemon with 'postmap -q 
> j...@example.com proxy:ldap:/etc/postfix/ldap/aliases.cf', the same failure 
> to load the cert and an error -11 as in the above syslog output.

Is proxymap chrooted?

-- 
Viktor.

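Victor's "Is proxymap chrooted?" / "Is trivial-rewrite in a chroot jail?" questions point at a check worth automating: a chrooted daemon opens every absolute path relative to $queue_directory, while a command-line "postmap -q" does not. The script below is an added example (not from the thread, not Postfix code); the master.cf excerpt and ldap table it reads are constructed, and the "rewrite" and "proxymap" service names are the standard master.cf ones.

```python
import os

# Constructed master.cf excerpt (not the poster's). Column order is:
# service type private unpriv chroot wakeup maxproc command
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
proxymap  unix  -       -       n       -       -       proxymap
rewrite   unix  -       -       -       -       -       trivial-rewrite
"""

# Constructed ldap table modelled on the one in the thread (no credentials).
SAMPLE_LDAP_CF = """\
server_host = ldap://ldap.example.com:389
start_tls = yes
tls_ca_cert_file = /etc/postfix/ssl/ldap-ca.crt
# tls_require_cert = yes
"""


def chroot_flags(master_cf_text, default_chroot=True):
    """Map service name -> chrooted? from the fifth master.cf column. A '-'
    means the Postfix default, which was 'y' before Postfix 3.0 (the era of
    this thread) and 'n' from 3.0 on; pass default_chroot accordingly."""
    flags = {}
    for raw in master_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#") or raw[:1].isspace():
            continue  # blank lines, comments, indented continuation lines
        fields = raw.split()
        if len(fields) < 8:
            continue
        chroot = fields[4]
        flags[fields[0]] = default_chroot if chroot == "-" else chroot == "y"
    return flags


def table_setting(table_text, key):
    """Return the value of `key` from a Postfix ldap table file, or None
    (commented-out settings such as '# tls_require_cert = yes' are ignored)."""
    for line in table_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        k, sep, v = stripped.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def effective_paths(master_cf_text, table_text, queue_directory,
                    services=("proxymap", "rewrite"), default_chroot=True):
    """For each daemon, the path it actually opens for tls_ca_cert_file: inside
    the chroot an absolute path is relative to queue_directory, whereas
    'postmap -q' on the command line runs unchrooted and sees the real file."""
    ca = table_setting(table_text, "tls_ca_cert_file")
    flags = chroot_flags(master_cf_text, default_chroot)
    result = {}
    for svc in services:
        chrooted = flags.get(svc, default_chroot)
        path = os.path.join(queue_directory, ca.lstrip("/")) if chrooted else ca
        result[svc] = (chrooted, path)
    return result


def missing_in_chroot(paths):
    """Chrooted services whose CA file is absent where they look for it.
    os.path.exists() checks the local filesystem, so run this on the mail host."""
    return sorted(svc for svc, (chrooted, p) in paths.items()
                  if chrooted and not os.path.exists(p))


if __name__ == "__main__":
    paths = effective_paths(SAMPLE_MASTER_CF, SAMPLE_LDAP_CF, "/var/spool/postfix")
    for svc, (chrooted, p) in paths.items():
        print(f"{svc:10s} chroot={chrooted!s:5s} opens {p}")
    print("missing inside chroot:", missing_in_chroot(paths))
```

The OpenLDAP client library reads its own ldap.conf and CA paths at connect time, so those files are subject to the same chroot rule as tls_ca_cert_file.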


Re: Problem with ldap table lookups and TLS

2009-02-24 Thread Quanah Gibson-Mount
--On Tuesday, February 24, 2009 6:48 PM -0600 Nick Geron wrote:

> I'm in the process of putting together a postfix system with an ldap
> back-end and have come across something very odd regarding ldap_table.
> Basically, postfix does not load my private CA.
> The CA is really a self signed cert generated by java keytool - try as I
> might, I couldn't get keytool to use our private CA generated by openssl.


It all works for me with OpenLDAP, and openssl generating all the certs. 
Have you tried using ldapsearch to do a startTLS session, using that same 
CA cert?  Are you sure it is a fully formed CA cert?  I usually use a CA 
Cert directory, so any intermediate certs are in the chain along with the 
root cert.


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Problem with ldap table lookups and TLS

2009-02-24 Thread Nick Geron
I'm in the process of putting together a postfix system with an ldap
back-end and have come across something very odd regarding ldap_table.
Basically, postfix does not load my private CA. The CA is really a self
signed cert generated by Java keytool - try as I might, I couldn't get
keytool to use our private CA generated by openssl.

Without a local copy of the 'CA', TLS connections fail with or without
requiring a cert. I found a similar thread in the archive, but the root
problem there was related to random number generation, GnuTLS, and the
key in the log was an exit status 2 from trivial-rewrite.

http://archives.neohapsis.com/archives/postfix/2008-01/0764.html

Now, my tests are similar to this fellow's, but I do not get the same exit
status. Also, all maps work fine without encryption.


So as root or my limited rights postfix user this works:

#postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
j...@example.com

However, any lookup actions from the server fail to establish the TLS
connection.


Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: 
In dict_ldap_lookup
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: 
No existing connection for LDAP source /etc/postfix/ldap/aliases.cf, 
reopening
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: 
dict_ldap_connect: Connecting to server ldap://ldap13.example.com:389
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: 
dict_ldap_connect: Actual Protocol version used is 3.
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: error: 
dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: fatal: 
ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix): table lookup problem


I do see that dict_ldap read my config here:
Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str: 
/etc/postfix/ldap/aliases.cf: tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt


I've been around and around with this all day and keep coming back to 
the same conclusion - proxymap and/or trivial-rewrite (or whatever is 
responsible for establishing the connection) is not loading my CA file, 
though it's explicitly set in my ldap table conf file:


(/etc/postfix/ldap/aliases.cf)
bind = yes
bind_dn = uid=postfix,ou=ldap,cn=mailsystem
bind_pw = abc123
start_tls = yes
version = 3
tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
#tls_require_cert = yes
server_host = ldap://ldap13.example.com:389
search_base = ou=domains,cn=mailsystem
query_filter = (&(objectClass=CourierMailAlias)(mail=%s))
result_attribute = maildrop
#debuglevel = 1
tls_random_file = /dev/urandom

(in main.cf)
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/aliases.cf

Running strace for opened files shows that the server loads another
private CA and cert for smtpd (SMTP AUTH) and even system specified
certificates it or the OpenSSL libs read out of /etc/ldap.conf. Traces even
show that something is loading /etc/openldap/ldap.conf, in which I've also
explicitly set a TLS_CAFILE entry for testing with the OpenLDAP binaries. I
should also note that courier authlib and saslauthd both work fine with
TLS to the same LDAP server using the same CA.


As one might expect, tracing the successful postmap command does show 
that it opens and reads the cert specified via tls_ca_cert_file:


#strace -e trace=open postmap -q j...@example.com 
ldap:/etc/postfix/ldap/aliases.cf

...
open("/etc/postfix/ssl/ldap13.crt", O_RDONLY) = 5
...

Again, if I tell postmap to use the proxymap daemon with 'postmap -q 
j...@example.com proxy:ldap:/etc/postfix/ldap/aliases.cf', I get the same 
failure to load the cert and an error -11 as in the above syslog output.


The test rig is on a recent build of Gentoo with postfix 2.5.6 built 
against openssl 0.9.8g. The LDAP server is running OpenDS 1.2.


Thanks for any help.  This one's got me baffled.  Please let me know if 
I should provide any additional output.


-Nick Geron


policy server continually timing out

2009-02-24 Thread pablo
I've setup a greylist policy server from http://mimo.gn.apc.org/gps/.
It works fine for a few minutes, then I start getting these types of
error messages:

--
Feb 23 11:21:20 router postfix/smtpd[28012]: warning: problem talking to server 
private/policy: Connection timed out
Feb 23 11:21:20 router postfix/smtpd[28012]: NOQUEUE: reject: RCPT from 
xtinmta03-187.exacttarget.com[207.250.68.187]: 451 4.3.5 Server configuration 
problem; 
from= 
to= proto=ESMTP helo=
--

Here's my relevant master.cf line:
--
policy  unix  -   n   n   -   -   spawn
user=nobody argv=/usr/bin/gps /etc/gps.conf
--

Here's my main.cf lines:
--
smtpd_recipient_restrictions =
...
check_policy_service unix:private/policy
permit
policy_time_limit = 3600
--

It's as if the 'policy_time_limit' line has no effect.  This is the
second greylist server I've setup on this box with the exact same issue.
I am thinking something else in my configuration must be wrong, but I
can't find it. 

Any ideas would sure be appreciated.


Thanks,

Pablo


Re: reject header question

2009-02-24 Thread Jim McIver
Thx Magnus. I had the word 'approved' in the header_checks and just 
didn't read what the message in the maillog was telling me.

-jm

Magnus Bäck wrote:

> On Wednesday, February 25, 2009 at 00:15 CET,
>  Jim McIver  wrote:
>
>> I'm running Postfix 2.1 on Freebsd 4.10 and would like to know where I
>> can get more information on the following message in the maillog, and
>> if it's my problem or the senders problem. Maybe a possible fix?
>>
>> I can send an email to this user ,
>> but never get their reply. I believe the message is getting rejected
>> by postfix and don't know what to tell the user by phone as to why I
>> can't receive their email.
>
> [...]
>
>> Feb 24 13:50:15 mail postfix/cleanup[75895]: 69F8F264: reject: header 
>> X-TM-AS-User-Approved-Sender: Yes from NS98
>> .statefarm.com[205.242.229.33]; from= 
>> to= proto=ESMTP helo=: approved
>
> You have an expression in your header_checks file that matches the
> header line in question. We can't tell you what that line is doing
> there.
>
> [...]


Re: reject header question

2009-02-24 Thread Magnus Bäck
On Wednesday, February 25, 2009 at 00:15 CET,
 Jim McIver  wrote:

> I'm running Postfix 2.1 on Freebsd 4.10 and would like to know where I
> can get more information on the following message in the maillog, and
> if it's my problem or the senders problem. Maybe a possible fix?
> 
> I can send an email to this user ,
> but never get their reply. I believe the message is getting rejected
> by postfix and don't know what to tell the user by phone as to why I
> can't receive their email.

[...]

> Feb 24 13:50:15 mail postfix/cleanup[75895]: 69F8F264: reject: header 
> X-TM-AS-User-Approved-Sender: Yes from NS98
> .statefarm.com[205.242.229.33]; from= 
> to= proto=ESMTP he
> lo=: approved

You have an expression in your header_checks file that matches the
header line in question. We can't tell you what that line is doing
there.

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se


reject header question

2009-02-24 Thread Jim McIver

Greetings,

I'm running Postfix 2.1 on Freebsd 4.10 and would like to know where I 
can get more information on the following message in the maillog, and if 
it's my problem or the senders problem. Maybe a possible fix?


I can send an email to this user , but 
never get their reply. I believe the message is getting rejected by 
postfix and don't know what to tell the user by phone as to why I can't 
receive their email.


"reject: header X-TM-AS-User-Approved-Sender: Yes from NS98"

Full listing of message in maillog:
Feb 24 13:50:14 mail postfix/smtpd[75448]: connect from NS98.statefarm.com[205.242.229.33]
Feb 24 13:50:15 mail postfix/smtpd[75448]: 69F8F264: client=NS98.statefarm.com[205.242.229.33]
Feb 24 13:50:15 mail postfix/cleanup[75895]: 69F8F264: message-id=<4c22816c98c37d49b4a4d824803b97dc05f6c...@wpscv5YT.OPR.STATEFARM.ORG>
Feb 24 13:50:15 mail postfix/cleanup[75895]: 69F8F264: reject: header X-TM-AS-User-Approved-Sender: Yes from NS98.statefarm.com[205.242.229.33]; from= to= proto=ESMTP helo=: approved

#postconf -n
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = no
mail_name = TPC Holdings, We report spam
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 500
mydestination = xx.xx.com .xxx.com
mydomain = xxx.com
myhostname = .x.com
mynetworks = xxx.xxx.xxx.0/24 192.168.0.0/16 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = xx.com
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = check_client_access 
hash:/usr/local/etc/postfix/client_access   permit

smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks
reject_unauth_destination   reject_invalid_hostname warn_if_reject 
reject_unknown_hostname   reject_unauth_pipelining
reject_non_fqdn_sender  reject_unknown_sender_domain 
reject_non_fqdn_recipient   reject_unknown_recipient_domain 
warn_if_reject reject_unknown_client reject_non_fqdn_hostname
check_client_access hash:/usr/local/etc/postfix/access_client   
check_helo_access hash:/usr/local/etc/postfix/helo_access
check_sender_access hash:/usr/local/etc/postfix/sender_access
check_recipient_access hash:/usr/local/etc/postfix/recipient_access

smtpd_restriction_classes = restrictive, permissive
smtpd_sender_restrictions = check_sender_access 
hash:/usr/local/etc/postfix/sender_access

smtpd_soft_error_limit = 10
strict_rfc821_envelopes = yes
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual

thx,
-jm



Re: alias question

2009-02-24 Thread Magnus Bäck
On Tuesday, February 24, 2009 at 22:08 CET,
 Leonardo Coelho  wrote:


> On Tue, Feb 24, 2009 at 4:30 PM, Magnus Bäck  wrote:
> 
> > On Tuesday, February 24, 2009 at 20:18 CET,
> >  Leonardo Coelho  wrote:
> >
> > > This is my first time that I send a message on this list and I
> > > hope that you guys can help me!
> > > I'm using the postfix package form Debian last Stable version and
> > > my aliases redirections stop to redirect the mysql table is there
> > > the file configuration is working (postmap -q file user) but on
> > > the running postfix the alias is ignored completed. I try to do
> > > another table and file and still not working.
> > > I don't know if is something form the package or a error on
> > > configuration.
> >
> > Start by posting logs that exhibit the problem together with
> > "postconf -n" output. See DEBUG_README.
>
> The "postconf -n" log:  http://rafb.net/p/JLbjbi42.html
> 
> Debug Log: http://rafb.net/p/LDBCNL67.html
> 
> On the secound log i see that the alias_maps really works but do not
> pass the email to another address.
> 

You're still giving us too little information. What alias mapping
isn't working? Does it work if you revert to a simple indexed map
(hash/btree/cdb)?

Please stop top-posting.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Your Email

2009-02-24 Thread mouss
Daniel C wrote:
> What would be the best strategy? Create a new user and change postfix, amavis 
> and Courier-IMAP to use this user for message storing? 

No. Do not use the same user for different services:

- keep the 'postfix' account for the postfix "server"
- use amavis or vscan or whatever for amavisd-new
- create a mailbox user and configure postfix to deliver mail as this user
- courier-imap is generally run as root. if this is not needed, you can
run it as the "mailbox" user


> Is it easy to adjust configuration for this new user?
> 
> Also, I think this is not causing my duplicate email, right?
> 

as Viktor said, this makes troubleshooting harder. in this particular
case, we have a message submitted by user 207, but we have no idea which
service or program submitted the message.


Re: Time-Out ability?

2009-02-24 Thread mouss
Sahil Tandon wrote:
> On Feb 24, 2009, at 5:08 PM, Aaron Abramson 
> wrote:
> 
>> Is it possible to configure postfix with a threshold where if a
>> certain user or IP address sends 1000 emails or more in an hour, they
>> are blocked from sending email for a period of time?
>>
>>
>> We occasionally have users on our network with infected machines, or
>> perhaps they are actually spammers...  and I'd like a mechanism by
>> which a "power user" can get put into "time out"... and then re-enable
>> access after a period of time.
>>
>>
>> (We manage a network of wi-fi hotspots around the country, so blocking
>> an IP would block smtp access for all of the users at that hotspot,
>> thus the automatic re-enabling of access after 30mins or so).
> 
> Do this in a policy server like policyd.

Alternatively, write a script that parses logs and updates an access
table. cron and perl are bread and water...
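The log-parsing approach mouss suggests, as an added example (not from the thread, and not policyd's code): count accepted connections per SASL user (or per client IP when there is no SASL login) from Postfix smtpd log lines, flag anyone over a threshold inside a sliding one-hour window, and regenerate an access map whose entries expire after a cool-down so access comes back on its own. The log lines, user names, hosts and addresses are constructed; the 1000/hour and 30-minute figures from the question are parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Postfix smtpd "client=" lines (not from the thread).
# syslog does not log the year, so parse_events() takes it separately.
SAMPLE_LOG = """\
Feb 24 17:01:02 mx postfix/smtpd[1001]: 1A2B3C: client=hotspot7.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Feb 24 17:01:05 mx postfix/smtpd[1001]: 1A2B3D: client=hotspot7.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Feb 24 17:02:09 mx postfix/smtpd[1002]: 1A2B3E: client=hotspot9.example.net[192.0.2.20], sasl_method=PLAIN, sasl_username=alice
Feb 24 17:40:00 mx postfix/smtpd[1003]: 1A2B3F: client=hotspot7.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Feb 24 18:30:00 mx postfix/smtpd[1004]: 1A2B40: client=hotspot7.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Feb 24 18:31:00 mx postfix/smtpd[1005]: 1A2B41: client=relay.example.org[198.51.100.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)


def parse_events(log_text, year):
    """Return [(timestamp, key)] per accepted message. The key is the SASL
    user when present (the 'certain user' case), else the client IP."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"] or m["ip"]))
    return events


def offenders(events, threshold, window=timedelta(hours=1)):
    """{key: moment the limit was crossed} for keys with at least `threshold`
    messages inside any sliding `window`; a two-pointer scan per key."""
    by_key = defaultdict(list)
    for ts, key in sorted(events):
        by_key[key].append(ts)
    hits = {}
    for key, times in by_key.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = ts
                break
    return hits


def refresh_blocks(blocks, hits, now, cooldown=timedelta(minutes=30)):
    """Merge new hits into the current block list and drop entries older than
    `cooldown`: that is the automatic re-enable the poster asked for."""
    merged = dict(blocks)
    for key, when in hits.items():
        merged[key] = max(when, merged.get(key, when))
    return {k: t for k, t in merged.items() if now - t < cooldown}


def access_table(blocks):
    """Render the access map body (one entry per blocked key). Write it out,
    run postmap on it, and reference it from the smtpd restriction that fits
    the key type (client IPs via check_client_access; user names through
    whatever sender/SASL access restriction your Postfix version offers)."""
    return [f"{key}\tREJECT too many messages, try again later"
            for key in sorted(blocks)]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG, 2009)
    hits = offenders(ev, threshold=3)          # 1000 on the page; 3 for the sample
    blocks = refresh_blocks({}, hits, now=datetime(2009, 2, 24, 17, 50))
    print("\n".join(access_table(blocks)))
```

Persist the `blocks` dict between cron runs (a small JSON file is enough) so that entries expire on schedule rather than being recreated from scratch each run.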


Re: ACL for outbound email

2009-02-24 Thread mouss
Joe Benson wrote:
> Does anyone know how to configure Postfix to only allow outgoing email
> to a set list of email addresses? I would like to have anything going
> out to an unlisted address to go to a local mailbox.
> 

define "outgoing". is it mail from mynetworks? is it SASL authenticated
mail? is it mail received on port 587?

you can use smtpd restriction classes with a REDIRECT. check the docs to
see if this fits your needs.


Re: alias question

2009-02-24 Thread mouss
Leonardo Coelho wrote:
> The "postconf -n" log:  http://rafb.net/p/JLbjbi42.html
> 
> Debug Log: http://rafb.net/p/LDBCNL67.html
> 

please:
- use normal logging. do not enable verbose logging until asked. verbose
logs take longer to "parse"
- post the info (logs and postconf -n) inline (here, not on a URL)



Re: mailbox_size_limit , quota + some other questions

2009-02-24 Thread mouss
Linux Advocate wrote:
> [snip]
> so, that box can handle with postfix's default settings, 1 users? that's 
> nice to know. thanx.
> we wont be going to that size.
> 

the problem you will have is not on the postfix side. content filters
and imap are more hungry.

>> one has working recipient validation, and subscribes to a SpamHaus
>> data-feed for local zen.spamhaus.org lookups. With just 1500 users,
>> the public RBL mirrors may be sufficient.
> 
> i have been thinking of using sorbs instead of spamhaus because sorbs allows 
> sites with up to 100k users to connect to them but with spamhaus u are limited 
> to 100 users max. Sorbs has a detection rate of about 68% and i was thinking 
> of beefing our spam wall with grey listing.
> 
> Do u have any suggestions about this?

where did you get the 100 users limit for spamhaus? spamhaus have no
idea how many users you serve, they only watch dns queries, which are
related to how many messages you receive (minus those you reject before
DNSBL query, minus caching when the same IP tries again). And besides,
100 is ridiculously low.


Re: upgrading amavisd

2009-02-24 Thread mouss
deconya wrote:
> Hi!
> 
> I'm upgrading a server with Postfix and in the part to upgrade the Amavisd
> from 2.1.2 version to 2.6.1 the following message appears when I'm in the
> debug part:
> 
> Problem in Amavis::DB or Amavis::DB::SNMP code: Can't locate loadable
> object for module BerkeleyDB in @INC (@INC contains:
> /usr/lib/perl5/5.8.0/i386-
> linux-thread-multi /usr/lib/perl5/5.8.0
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0) at
> (eval 34) line 19
> Compilation failed in require at (eval 34) line 19.
> BEGIN failed--compilation aborted at (eval 34) line 19.
> Undefined subroutine &BerkeleyDB::Term::close_everything called at
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/BerkeleyDB.pm
> line 1649.
> END failed--call queue aborted.
> 
> Can anyone tell me what I'm doing wrong? This is the first time I've done
> an upgrade and I don't know more.
> 
> Thanks, and sorry if this is not the correct list for the question.
> 

 is probably a better place, though
it looks like you have a perl module installation issue, which may be
better answered on a forum dedicated to your system (OS or
distribution). make sure you have the perl BerkeleyDB module installed.


Re: Question regarding this mailing list & privacy.

2009-02-24 Thread mouss
KLaM Postmaster wrote:
> [snip]
> An alternative is to put up a decoy address. One for which email appears
> to be accepted, but where it is dropped, 

I use what I call pseudo-traps here. they are only enabled from time to
time. when they are enabled, I check the messages, and I use that to
feed Bayes and other things (IP BL, uri bl, ... etc).

> preferably while tar-pitting the sender.

I am not a fan of tarpitting. the guys at the other end have more
bandwidth and resources than myself. so I don't fight on their field.

> I don't know if this is possible, but one can dream.
> At the moment I think my approach will be to create series of addresses
> for munging and add them to my blacklist, probably munge01 - 99.
> 

I don't know for you, but I get a lot of attempts to "funny" addresses
like <47f280be.9000...@netoyen.net>. one of my pseudo-traps is
/\d{5...@netoyen\.net$/.
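Vince's reply above suggests the "funny" recipients are Message-IDs that a crude harvester took for addresses, and mouss's pseudo-trap matches one such shape. The script below is an added example (not from the thread, and not mouss's pattern, which is cut off above): it triages attempted recipients by whether the local part has the shape of a typical Message-ID, and renders the same heuristics as a pcre: check_recipient_access table. The shapes, sample addresses and domain are constructed.

```python
import re

# Heuristic local-part shapes of common Message-IDs (constructed for this
# example): a hex stamp plus digits, a long hex blob, a timestamp plus id,
# and runs of three or more hex-only groups. Real mailbox names usually
# contain letters outside a-f, which none of these shapes allow.
MSGID_LOCALPART_SHAPES = [
    re.compile(r"^[0-9a-f]{8}\.[0-9]{7,8}$", re.I),      # hexstamp.digits (Mozilla-style)
    re.compile(r"^[0-9a-f]{32,}$", re.I),                 # 32+ hex characters (GUID-like)
    re.compile(r"^[0-9]{12,}\.[0-9a-z]+$", re.I),         # YYYYMMDDhhmm.id
    re.compile(r"^(?:[0-9a-f]+\.){2,}[0-9a-f]+$", re.I),  # hex.hex.hex[...]
]


def split_address(address):
    """(local_part, domain) of an envelope recipient, tolerating the angle
    brackets a harvester copies along with the Message-ID; None if malformed."""
    addr = address.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower()


def is_message_id_shaped(address):
    parts = split_address(address)
    if parts is None:
        return False
    local, _ = parts
    return any(shape.match(local) for shape in MSGID_LOCALPART_SHAPES)


def triage_recipients(addresses):
    """Split attempted recipients into Message-ID-shaped ones (candidates for
    a pseudo-trap that feeds Bayes and IP lists, as mouss describes) and the
    rest, which go through normal recipient validation."""
    shaped, normal = [], []
    for addr in addresses:
        (shaped if is_message_id_shaped(addr) else normal).append(addr)
    return shaped, normal


def pcre_recipient_table(domain, action):
    """Render the heuristics as a pcre: table body for check_recipient_access,
    so smtpd applies the same classification (e.g. action HOLD to inspect)."""
    dom = re.escape(domain)
    rows = []
    for shape in MSGID_LOCALPART_SHAPES:
        body = shape.pattern[1:-1]        # drop the ^ and $ anchors
        rows.append(f"/^{body}@{dom}$/i {action}")
    return rows


if __name__ == "__main__":
    # Constructed RCPT TO samples, not addresses from the thread.
    attempts = ["<4a1b2c3d.5060402@example.net>", "postmaster@example.net",
                "dead.beef.cafe@example.net", "200902241200.n1OC0abc@example.net"]
    shaped, normal = triage_recipients(attempts)
    print("message-id shaped:", shaped)
    print("ordinary:", normal)
    print("\n".join(pcre_recipient_table("example.net", "HOLD")))
```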


Re: Time-Out ability?

2009-02-24 Thread Sahil Tandon
On Feb 24, 2009, at 5:08 PM, Aaron Abramson wrote:

> Is it possible to configure postfix with a threshold where if a
> certain user or IP address sends 1000 emails or more in an hour,
> they are blocked from sending email for a period of time?
>
> We occasionally have users on our network with infected machines, or
> perhaps they are actually spammers...  and I'd like a mechanism by
> which a "power user" can get put into "time out"... and then
> re-enable access after a period of time.
>
> (We manage a network of wi-fi hotspots around the country, so
> blocking an IP would block smtp access for all of the users at that
> hotspot, thus the automatic re-enabling of access after 30mins or so).

Do this in a policy server like policyd.


Time-Out ability?

2009-02-24 Thread Aaron Abramson
Is it possible to configure postfix with a threshold where if a
certain user or IP address sends 1000 emails or more in an hour, they
are blocked from sending email for a period of time?

We occasionally have users on our network with infected machines, or
perhaps they are actually spammers...  and I'd like a mechanism by
which a "power user" can get put into "time out"... and then re-enable
access after a period of time.

(We manage a network of wi-fi hotspots around the country, so blocking
an IP would block smtp access for all of the users at that hotspot,
thus the automatic re-enabling of access after 30mins or so).



Thanks,
~Aaron


Re: Prevent vacation autoreply for recipient_delimiter?

2009-02-24 Thread mouss
post...@corwyn.net wrote:
> [snip]
>>
>> 1- explain in _detail_ how mail reaches your vacation script.
> 
> That presumes I know :-) but I'll give it a try. When a user is on
> vacation, they have an table entry in mysql, and an additional alias
> that is something like:
> test#example@autoreply.example.com  There is a transport defined in
> /etc/postfix/transport  (hashed to transport.db):
> autoreply.example.com  vacation:
> 
> so that mail addressed to autoreply.example.com is handed to the
> vacation (as defined in master.cf). somewhere in there it also passes
> through amavisd (setting recipient_delimiters).
> 


so vacation is probably called via virtual_alias_maps.

when using a content filter, address rewrite should only be enabled in
one smtpd/cleanup in a chain. This is because if a rewrite like:
joe -> joe, jim

is expanded twice, it would become:
joe -> joe, jim, jim
so jim gets the message twice.

I see from your other post that you already fixed this.


ACL for outbound email

2009-02-24 Thread Joe Benson
Does anyone know how to configure Postfix to only allow outgoing email 
to a set list of email addresses? I would like to have anything going 
out to an unlisted address to go to a local mailbox.


Thanks
Joe



Re: alias question

2009-02-24 Thread Leonardo Coelho
The "postconf -n" log:  http://rafb.net/p/JLbjbi42.html

Debug Log: http://rafb.net/p/LDBCNL67.html

On the second log I see that alias_maps really works but does not pass
the email to another address.


On Tue, Feb 24, 2009 at 4:30 PM, Magnus Bäck  wrote:

> On Tuesday, February 24, 2009 at 20:18 CET,
>  Leonardo Coelho  wrote:
>
> > This is my first time that I send a message on this list and I hope
> > that you guys can help me!
> > I'm using the postfix package from Debian's latest stable version and my
> > alias redirections stopped redirecting. The mysql table is there, the
> > file configuration is working (postmap -q file user), but on the
> > running postfix the alias is ignored completely. I tried another
> > table and file and it's still not working.
> > I don't know if it is something from the package or an error in the
> > configuration.
>
> Start by posting logs that exhibit the problem together with "postconf -n"
> output. See DEBUG_README.
>
> --
> Magnus Bäck
> mag...@dsek.lth.se
>



-- 
"First they ignore you, then they laugh at you, then they fight you, then
you win." - Mahatma Gandhi
Linux User #373408
cabelohw.blogspot.com
GPGkey ID  8AEEAAEB -->> http://pgp.mit.edu


FIXED: Re: Prevent vacation autoreply for recipient_delimiter?

2009-02-24 Thread postfix

At 06:41 PM 2/23/2009, Rick Steeves wrote:
> So I would guess that how it should work is that it should be
> mail > postfix > amavisd > expanding aliases > delivery and vacation >
> vacation response delivery?


Well, here at least is what seems to fix it, based on all the guidance
I've received.


With my previous config, mail (master.cf and content_filter) was 
processed postfix:25 > amavisd:10024 > postfix:10025


When mail was sent to a user on vacation, the user's address would be
expanded twice (once for each postfix instance). The second expansion
was also after amavis, and thus the autoreply wouldn't get checked
for spam (nor have the recipient_delimiter ("+Spam") set).


But two expansions meant that the recipient became 3 recipients, as
each time the original address was expanded it added a vacation
address (user#dom...@autoreply.domain). Whee.


I added:
receive_override_options = no_address_mappings
to main.cf, but that then affected both postfix instances, and was 
even more broken, as I'd stopped all expansion. Oops.

So I added:
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks


to the second instance of postfix, the one that received the mail 
back from amavisd, to override the setting in main.cf and have the 
address expansion occur. (also added 
no_unknown_recipient_checks,no_header_body_checks because those 
checks shouldn't be necessary as they should have been checked as the 
mail entered the system.)


That appears to fix it.  woot!

With that new understanding, I added:
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=

to that same localhost:10025 instance, as, again, those checks have
already taken place once already, and there's no need to check again.
(Without that, I believe I was, for example, performing the RBL
checks defined in main.cf AGAIN.) So I now have:

127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=


If I've missed anything please let me know, as everything appears to 
be finally working.


I've added this for completeness for anyone else, as I hadn't ever run
across the instructions for receive_override_options in the context of amavisd.


Rick






Re: alias question

2009-02-24 Thread Magnus Bäck
On Tuesday, February 24, 2009 at 20:18 CET,
 Leonardo Coelho  wrote:

> This is my first time that I send a message on this list and I hope
> that you guys can help me!
> I'm using the postfix package from Debian's latest stable version and my
> alias redirections stopped redirecting. The mysql table is there, the
> file configuration is working (postmap -q file user), but on the
> running postfix the alias is ignored completely. I tried another
> table and file and it's still not working.
> I don't know if it is something from the package or an error in the configuration.

Start by posting logs that exhibit the problem together with "postconf -n"
output. See DEBUG_README.

-- 
Magnus Bäck
mag...@dsek.lth.se


alias question

2009-02-24 Thread Leonardo Coelho
Hello List,
This is my first time that I send a message on this list and I hope that you
guys can help me!
I'm using the postfix package from Debian's latest stable version and my alias
redirections stopped redirecting. The mysql table is there, the file
configuration is working (postmap -q file user), but on the running postfix
the alias is ignored completely. I tried another table and file and it's still
not working.
I don't know if it is something from the package or an error in the configuration.

Thks you guys

-- 
"First they ignore you, then they laugh at you, then they fight you, then
you win." - Mahatma Gandhi
Linux User #373408
cabelohw.blogspot.com
GPGkey ID  8AEEAAEB -->> http://pgp.mit.edu


Re: regexp header_check failure

2009-02-24 Thread Victor Duchovni
On Tue, Feb 24, 2009 at 09:43:16AM -0800, Corey Chandler wrote:

> I have a regexp header_checks rule as follows:
>
> /^Received: from (.* \([-._[:alnum:]]+ 
> \[[.[:digit:]]{7,15}\]\)).*\(Authenticated sender: ([^)]+)\).*by 
> (alcatraz\.sequestered\.net) \(([^)]+)\) with (E?SMTP) id 
> ([A-F[:digit:]]+)(.*)/
>  REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated 
> sender: $2) with $5 id $6 $7
>
> The header it's failing to replace:
>
> Received: from Singularity.local 
> (pool-71-106-82-23.lsanca.dsl-w.verizon.net
>[71.106.82.23])
>(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>(No client certificate requested)
>(Authenticated sender: j...@sequestered.net)
>by alcatraz.sequestered.net (Postfix) with ESMTPSA id 177CBBDE66
>for ; Sun, 22 Feb 2009 01:09:02 -0800 (PST)
>
> What am I doing wrong in this instance?

ESMTPSA does not match (E?SMTP). There may be other issues, test this
expression one part at a time. Also avoid multiple ".*" rules. Consider
using PCRE and .*? to reduce backtracking, use (PCRE) \S+ instead of .*
whenever possible.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
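As an added illustration (not the poster's rule file or Postfix's own code), this Python snippet applies the rule from the thread, and a version adjusted along the lines of the reply, to a constructed single-line copy of the header, showing why "with (E?SMTP) id" cannot match "ESMTPSA" and that the adjusted pattern does. It assumes the folded header is matched as one line with spaces in place of the line breaks, spells out the POSIX bracket classes for Python's re module, and uses placeholder addresses in place of the ones elided in the post.

```python
import re

# Constructed single-line version of the header from the thread. The
# addresses are placeholders, not the ones from the original post.
HEADER = (
    "Received: from Singularity.local "
    "(pool-71-106-82-23.lsanca.dsl-w.verizon.net [71.106.82.23]) "
    "(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) "
    "(No client certificate requested) "
    "(Authenticated sender: sender@example.net) "
    "by alcatraz.sequestered.net (Postfix) with ESMTPSA id 177CBBDE66 "
    "for <rcpt@example.com>; Sun, 22 Feb 2009 01:09:02 -0800 (PST)"
)

# The poster's rule, with POSIX bracket classes spelled out for Python's
# re module ([:alnum:] -> A-Za-z0-9, [:digit:] -> 0-9).
ORIGINAL = re.compile(
    r"^Received: from (.* \([-._A-Za-z0-9]+ \[[.0-9]{7,15}\]\))"
    r".*\(Authenticated sender: ([^)]+)\)"
    r".*by (alcatraz\.sequestered\.net) \(([^)]+)\) with (E?SMTP) id "
    r"([A-F0-9]+)(.*)"
)

# Same rule after the advice in the reply: the protocol group also accepts
# the S (TLS) and A (authenticated) suffixes, \S+ replaces the leading .*,
# and the remaining wildcards are non-greedy to limit backtracking.
FIXED = re.compile(
    r"^Received: from (\S+ \([-._A-Za-z0-9]+ \[[.0-9]{7,15}\]\))"
    r".*?\(Authenticated sender: ([^)]+)\)"
    r".*?by (alcatraz\.sequestered\.net) \(([^)]+)\) with (E?SMTPS?A?) id "
    r"([A-F0-9]+)(.*)"
)

# The REPLACE action from the rule, in Python's \g<n> backreference syntax.
REPLACEMENT = (
    r"Received: from [127.0.0.1] (localhost [127.0.0.1]) "
    r"(Authenticated sender: \g<2>) with \g<5> id \g<6> \g<7>"
)


def protocol_token(header):
    """Return the token between 'with' and 'id', i.e. what group 5 must match."""
    m = re.search(r" with (\S+) id ", header)
    return m.group(1) if m else None


def rewrite(rule, header):
    """Apply a header_checks-style REPLACE; None means the rule did not match."""
    m = rule.match(header)
    if m is None:
        return None
    return m.expand(REPLACEMENT)


if __name__ == "__main__":
    print("protocol token:", protocol_token(HEADER))
    print("original rule :", rewrite(ORIGINAL, HEADER))
    print("fixed rule    :", rewrite(FIXED, HEADER))
```

The original rule returns None because group 5 only allows "SMTP" or "ESMTP"; the adjusted rule rewrites the header and the client's hostname and IP no longer appear in it.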


regexp header_check failure

2009-02-24 Thread Corey Chandler

I have a regexp header_checks rule as follows:

/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*\(Authenticated sender: ([^)]+)\).*by (alcatraz\.sequestered\.net) \(([^)]+)\) with (E?SMTP) id ([A-F[:digit:]]+)(.*)/
 REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: $2) with $5 id $6 $7


The header it's failing to replace:

Received: from Singularity.local (pool-71-106-82-23.lsanca.dsl-w.verizon.net
   [71.106.82.23])
   (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
   (No client certificate requested)
   (Authenticated sender: j...@sequestered.net)
   by alcatraz.sequestered.net (Postfix) with ESMTPSA id 177CBBDE66
   for ; Sun, 22 Feb 2009 01:09:02 -0800 (PST)

What am I doing wrong in this instance?
--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: You're out of memory



Re: Deferr mail for only certain users

2009-02-24 Thread Victor Duchovni
On Tue, Feb 24, 2009 at 10:03:08AM -0700, Joseph L. Casale wrote:

> >> Direct mail for those users to the retry transport via transport maps.
> >
> >This is not very efficient, because the mail moves between the deferred
> >and active queues until the user's transport setting is updated, and then
> >all mail for the user (old and new) is released. The OP probably wants
> >a quarantine system. Postfix does not come with a built-in quarantine
> >system.
> 
> Sahil/Victor,
> 
> I actually need to work on the mailbox of ~4 users downstream from the
> postfix MTA for a few hours, then I won't do this again unless I need to
> perform maintenance again. I trust Sahil's suggestion would work fine for
> this scenario?

Yes, a temporary delivery delay with no filtering after the fact is
adequately handled via "retry".

-- 
Viktor.



RE: Deferr mail for only certain users

2009-02-24 Thread Joseph L. Casale
>> Direct mail for those users to the retry transport via transport maps.
>
>This is not very efficient, because the mail moves between the deferred
>and active queues until the user's transport setting is updated, and then
>all mail for the user (old and new) is released. The OP probably wants
>a quarantine system. Postfix does not come with a built-in quarantine
>system.

Sahil/Victor,

I actually need to work on the mailbox of ~4 users downstream from the
postfix MTA for a few hours, then I won't do this again unless I need to
perform maintenance again. I trust Sahil's suggestion would work fine for
this scenario?

Thank you both,
jlc


bounced, loopback

2009-02-24 Thread Mark Halverson
I've scanned previous issues, and tweaked the main.cf and .db files to 
try to resolve this -


when I send mail to an address that is supposed to be forwarded to an 
internal (exchange) MX I was getting bounce notices like this:


  The mail system

 (expanded from ):
   mail for internal.corp-infotech.com loops back to myself


accompanied by log entries:
Feb 24 10:16:00 smtp postfix/qmgr[32041]: EF08718F5D9: 
from=, size=1046, nrcpt=2 (queue active)
Feb 24 10:16:00 smtp postfix/smtp[32095]: EF08718F5D9: 
to=, orig_to=, 
relay=none, delay=0.44, delays=0.42/0.03/0/0, dsn=5.4.6, status=bounced 
(mail for internal.corp-infotech.com loops back to myself)

Feb 24 10:16:00 smtp postfix/smtpd[32061]: disconnect from vader[10.192.1.1]
Feb 24 10:16:01 smtp postfix/smtp[32083]: EF08718F5D9: 
to=, relay=smtp-mx6.mac.com[17.148.20.69]:25, 
delay=1.4, delays=0.42/0.01/0.42/0.61, dsn=2.5.0, status=sent (250 2.5.0 
Ok.)
Feb 24 10:16:01 smtp postfix/cleanup[32046]: 5355318F5DC: 
message-id=<20090224151601.5355318f...@smtp.corp-infotech.com>
Feb 24 10:16:01 smtp postfix/bounce[32096]: EF08718F5D9: sender 
non-delivery notification: 5355318F5DC
Feb 24 10:16:01 smtp postfix/qmgr[32041]: 5355318F5DC: from=<>, 
size=3010, nrcpt=1 (queue active)

Feb 24 10:16:01 smtp postfix/qmgr[32041]: EF08718F5D9: removed
Feb 24 10:16:01 smtp postfix/local[32047]: 5355318F5DC: 
to=, relay=local, delay=0.04, 
delays=0.03/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)

Feb 24 10:16:01 smtp postfix/qmgr[32041]: 5355318F5DC: removed

-
so - I followed (scrambling, because this is our life's blood) some 
recommendations I googled and wound up adding the internal. addy to 
$mydestinations:
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, 
internal.$mydomain


this caused the log entries to change to 'don't know who help is' :
Feb 24 11:18:21 smtp postfix/local[32520]: 204CA18F5DA: 
to=, orig_to=, relay=local, 
delay=0.1, delays=0.05/0.02/0/0.03, dsn=5.1.1, status=bounced (unknown 
user: "help")


- I added help to /etc/aliases;newaliases
but I get the same response.

I KNOW that the user help exists on internal. .


I'd rub a magic lamp about this time in the fairy tale

Thanks,
Mark






Re: Deferr mail for only certain users

2009-02-24 Thread Victor Duchovni
On Tue, Feb 24, 2009 at 11:35:07AM -0500, Sahil Tandon wrote:

> On Feb 24, 2009, at 11:31 AM, "Joseph L. Casale" 
>  wrote:
>
>> Is it possible to hold mail destined to only certain users in a queue 
>> until I then
>> release it manually?
>
> Direct mail for those users to the retry transport via transport maps.

This is not very efficient, because the mail moves between the deferred
and active queues until the user's transport setting is updated, and then
all mail for the user (old and new) is released. The OP probably wants
a quarantine system. Postfix does not come with a built-in quarantine
system.

The easiest is to deliver the mail into suitable maildirs for review,
and then use an IMAP client to forward appropriate mail to the real
destination or discard it instead. More complex solutions require
custom code.

-- 
Viktor.



Re: Your Email

2009-02-24 Thread Victor Duchovni
On Tue, Feb 24, 2009 at 04:31:55PM +, Daniel C wrote:

> What would be the best strategy? Create a new user and change postfix,
> amavis and Courier-IMAP to use this user for message storing? Is it easy
> to adjust configuration for this new user?

Yes, create a new user that will own IMAP mailboxes, and arrange for
this user to be used during mail delivery and access.

> Also, I think this is not causing my duplicate email, right?

Probably not, but it makes diagnostics more complex.

-- 
Viktor.



Re: Deferr mail for only certain users

2009-02-24 Thread Sahil Tandon
On Feb 24, 2009, at 11:31 AM, "Joseph L. Casale" wrote:

> Is it possible to hold mail destined to only certain users in a
> queue until I then
> release it manually?

Direct mail for those users to the retry transport via transport maps.


RE: Your Email

2009-02-24 Thread Daniel C

What would be the best strategy? Create a new user and change postfix, amavis 
and Courier-IMAP to use this user for message storing? Is it easy to adjust 
configuration for this new user?

Also, I think this is not causing my duplicate email, right?


Daniel


> No, this is wrong, the "postfix" user must not be the owner the virtual
> mailboxes, and should not be used by the IMAP server to access them.
> Fix your configuration to avoid this problem.
>
> Use a suitable imap user, not "postfix".


Deferr mail for only certain users

2009-02-24 Thread Joseph L. Casale
Is it possible to hold mail destined to only certain users in a queue until I 
then
release it manually?

Thanks!
jlc


Re: user getting spoofed

2009-02-24 Thread Noel Jones

jeff donovan wrote:

> On Feb 20, 2009, at 12:18 PM, Noel Jones wrote:
>
>> jeff donovan wrote:
>>
>>> On Feb 20, 2009, at 9:56 AM, J.P. Trosclair wrote:
>>>
>>>> You should see the REJECT please... from Noel's example in the logs.
>>>>
>>>> J.P.
>>>
>>> got it working.
>>
>> You can also
>> # grep 'reject: .*backscatterer' /var/log/maillog
>> to see how your RBL is working.
>>
>>> Feb 20 11:07:51 mail2 postfix/smtpd[28710]: NOQUEUE: reject: RCPT
>>> from mailrelay1.msp.eschelon.com[209.150.200.11]: 557 <>: Sender
>>> address rejected: please don't send notices to forged sender; from=<>
>>> to= proto=ESMTP helo=
>>
>> Why are you using a reject code "557"?  Please don't make up your own
>> reject codes, the default is correct and sufficient.
>
> I had individual numbers so I could tell which access list was doing what.
> #unknown_local_recipient_reject_code = 550
> #unknown_address_reject_code  = 554
> #unknown_hostname_reject_code = 555
> #unknown_client_reject_code   = 556
> #access_map_reject_code = 557
> #maps_rbl_reject_code = 558
>
> i commented them out.



Good. There is no need to change the codes to differentiate
the rejections.


The postfix "built-in" restrictions, such as 
reject_unknown_client_hostname, each give a unique and clear 
description of what rule rejected the client.


For access tables, use custom text like the example I provided 
earlier to see what rule caused the rejection.


The *reject_code parameters mean something to remote MTAs and 
generally should not be changed from their carefully selected 
default values.


  -- Noel Jones


Re: mailbox_size_limit , quota + some other questions

2009-02-24 Thread Victor Duchovni
On Mon, Feb 23, 2009 at 10:41:07PM -0800, Linux Advocate wrote:

> I have been thinking of using sorbs instead of spamhaus because sorbs
> allows sites with up to 100k users to connect to them but with spamhaus
> you are limited to 100 users max. Sorbs has a detection rate of about 68%
> and I was thinking of beefing up our spam wall with grey listing.

I can't speak about RBLs I don't use. The main strengths of SpamHaus are:

- PBL lists ~500 million dynamic IPs with a remarkably low FP rate.
- XBL lists additional botnet nodes with a remarkably low FP rate.
- SBL lists spammer networks with a very low FP rate.

I've not heard of any RBLs that are as effective as Zen. Yes, Zen is
only free for small (personal use) sites and charges a fee to keep the
infrastructure running for larger sites. The data-feed costs were not
unreasonable last time I looked.

-- 
Viktor.



Re: user getting spoofed

2009-02-24 Thread jeff donovan


On Feb 20, 2009, at 12:18 PM, Noel Jones wrote:

> jeff donovan wrote:
>
>> On Feb 20, 2009, at 9:56 AM, J.P. Trosclair wrote:
>>
>>> You should see the REJECT please... from Noel's example in the logs.
>>>
>>> J.P.
>>
>> got it working.
>
> You can also
> # grep 'reject: .*backscatterer' /var/log/maillog
> to see how your RBL is working.
>
>> Feb 20 11:07:51 mail2 postfix/smtpd[28710]: NOQUEUE: reject: RCPT
>> from mailrelay1.msp.eschelon.com[209.150.200.11]: 557 <>: Sender
>> address rejected: please don't send notices to forged sender;
>> from=<> to= proto=ESMTP
>> helo=
>
> Why are you using a reject code "557"?  Please don't make up your
> own reject codes, the default is correct and sufficient.

I had individual numbers so I could tell which access list was doing
what.

#unknown_local_recipient_reject_code = 550
#unknown_address_reject_code  = 554
#unknown_hostname_reject_code = 555
#unknown_client_reject_code   = 556
#access_map_reject_code = 557
#maps_rbl_reject_code = 558

i commented them out.

> Remove any *reject_code entries from your main.cf and let postfix
> use the defaults.

done.

>  -- Noel Jones





Re: Postfix problems when system spool has files

2009-02-24 Thread Wietse Venema
Quanah Gibson-Mount:
> --On Thursday, February 19, 2009 11:48 AM -0800 Quanah Gibson-Mount 
>  wrote:
> 
> >>> Anyone have an insight into why?  Postfix version is 2.4.7.
> >>
> >> This is really a platform-specific question, that can be answered
> >> only by people who have access to the affected OS.
> >
> > Ok, but it's also something directly related to postfix.  Restarting the
> > postfix process will let proxymap run again for a while, until the
> > STARTTLS failures show up again.  Cleaning out the /var/spool location is
> > the only thing that permanently resolves it.
> 
> Further investigation tracks this down to something failing with DNS 
> resolution after a while.  Don't know why, but it does seem to be a problem 
> with OS X and catastrophic failure.

Since I don't maintain copies of every Postfix-enabled platform (*)
I will rely on you to provide accurate observations.

Wietse

(*) I have a couple representative platforms running in VMware, but
that is only for testing my own Postfix distribution.


Re: user getting spoofed :; update ::

2009-02-24 Thread jeff donovan


On Feb 20, 2009, at 11:51 AM, Noel Jones wrote:

> jeff donovan wrote:
>
>> okay,..
>> no errors in logs
>
> I beg to differ...  Just not the errors you've looked for.
>
>> I am now the proud recipient of a million of these. all from
>> different domains.
>>
>> Transcript of session follows.
>> Out: 220 mail2.beth.k12.pa.us ESMTP Postfix
>> In:  EHLO svma15-2.kanden.ne.jp
>> Out: 250-my.mx.server
>> Out: 250-PIPELINING
>> Out: 250-SIZE 10485760
>> Out: 250-VRFY
>> Out: 250-ETRN
>> Out: 250-AUTH LOGIN PLAIN
>> Out: 250 8BITMIME
>> In:  MAIL FROM:<> SIZE=5783 BODY=8BITMIME
>> Out: 250 Ok
>> In:  RCPT TO:
>> Out: 250 Ok
>> In:  DATA
>> Out: 451 Server configuration error
>> In:  RSET
>> Out: 250 Ok
>> In:  QUIT
>> Out: 221 Bye
>
> Good, apparently you aren't receiving (some of) them any more.
> Bad, you goofed somewhere in the setup so postfix is tempfailing the
> messages rather than rejecting them.

yeah typos, i fixed them.

> More information is in the postfix log.  Grep for "Server
> configuration error" and look at that line and other nearby lines
> for clues to the problem.
>
>  -- Noel Jones





Re: anvil - dynamical limits

2009-02-24 Thread Wietse Venema
Andre Hübner:
> Hello,
> 
> I am trying to find more information about the anvil service and how to use it.
> In my mail logs I see some statistics written by anvil, but I do not
> understand how to use anvil to do client-based session/request
> control.

anvil is not a policy tool. It is a safety mechanism.

For policies, use a policy daemon.

Wietse


anvil - dynamical limits

2009-02-24 Thread Andre Hübner

Hello,

I am trying to find more information about the anvil service and how to use it.
In my mail logs I see some statistics written by anvil, but I do not
understand how to use anvil to do client-based session/request
control.
On the German list I got one answer that I should write my own policy service. Is
this the way to control anvil? I did a small policy service some time ago,
but the data that came from postfix only referred to the currently handled
connection. I had to get stats another way...

Is there a how-to or something for anvil?


Thanks,
Andre