Re: Variables for addresses in master.cf

2009-03-03 Thread Linux Advocate

Not in anything I have read so far.



- Original Message 
> From: Daniel L. Miller 
> To: Postfix Users List 
> Sent: Wednesday, March 4, 2009 5:38:40 AM
> Subject: Variables for addresses in master.cf
> 
> Does Postfix support variables (I suppose defined in main.cf) to be used for 
> internet addresses in master.cf?  Example:
> 
> main.cf:
> inbound_interface = 192.168.0.10
> outbound_interface = 192.168.0.11
> 
> master.cf:
> inbound_interface:25   inet n - - - - smtpd
> outbound_interface:submission   inet n - - - - smtpd
> 
> 
> -- Daniel



  


Re: Postfix + Dovecot SASL authentication.

2009-03-03 Thread Victor Duchovni
On Wed, Mar 04, 2009 at 12:29:29AM -0200, Miguel Da Silva - Centro de 
Matemática wrote:

> Mar  2 18:42:02 smtp postfix/smtpd[15652]: NOQUEUE: reject: RCPT from
> r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.
> xx]: 450 4.7.1 : Recipient address rejected:
> Greylisting in action, please come back later.; from= mat.edu.uy> to= proto=ESMTP helo=
>
> smtpd_recipient_restrictions =
> reject_rbl_client sbl.spamhaus.org
> reject_rbl_client bl.spamcop.net
> check_recipient_access hash:/etc/postfix/bloqueados
> permit_sasl_authenticated
> permit_mynetworks
> reject_unauth_destination
> reject_unknown_recipient_domain
> reject_unverified_recipient
> check_policy_service inet:127.0.0.1:10026
>
> Suggestions?! My idea is, if you are not part of $mynetworks, then 
> authenticating is the only way to get mail relayed through this server.

The user was not "relaying"; mail was sent to a domain you are responsible
for, so this was not blocked by "reject_unauth_destination". Nor should it
have been. On a port 25 MX host you can't distinguish roaming users submitting
mail to your domains from outside MTAs delivering mail to your domains.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Virtual Domains - creating an alias to a script

2009-03-03 Thread Noel Jones

Big Pizzle wrote:
> On our old server that doesn't do any Virtual Domains, we have lines in 
> our /etc/alias which look like the following:
>
> usera: "|/export/home/users/usera/blah/script.pl"
>
> I just recently set up Postfix with Virtual Domains using a MySQL 
> backend.  All aliases which forward to another mail account work just fine.
>
> I added the following line per the Postfix documentation to 
> /etc/postfix/main.cf:
>
> virtual_transport = maildrop:
>
> I uncommented the two lines for maildrop in /etc/postfix/master.cf 
> so maildrop would be available for use.
>
> MySQL table looks like this:
>
> address            goto                           domain       date created         date modified        active
> us...@domain1.com  "|/home/users/blah/script.pl"  domain1.com  2009-03-01 00:05:05  2009-03-01 00:05:05  1
>
> When sending an email to us...@domain.com, I 
> get the following message in the error logs:
>
> Mar  3 17:54:18 hostname postfix/local[32599]: 6A68B2FBDA: 
> to=<|/home/users/blah/script...@hostname.domain.com>, orig_to=>, 
> relay=local, delay=0.07, 
> delays=0.05/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: 
> "|/home/users/blah/script.pl")

[press the "plain text" button when posting from gmail]


virtual aliases do not support delivery to commands; you must 
rewrite the user to a domain listed in mydestination.


mydestination = localhost localhost.$mydomain

virtual_alias_maps:
us...@example.com  f...@localhost

aliases file:
foo:  "|/path/to/command"


  -- Noel Jones


Re: Postfix + Dovecot SASL authentication.

2009-03-03 Thread Noel Jones

Miguel Da Silva - Centro de Matemática wrote:
> Dear users, I realized today that the local SMTP server is not working 
> as expected.
>
> I found these lines in the log files:
>
> Mar  2 22:42:48 smtp postfix/smtpd[30427]: 1A66913105B:
> client=r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.xx], sa
> sl_method=PLAIN, sasl_username=usuario1
> Mar  2 22:42:49 mordred postfix/cleanup[30478]: 1A66913105B:
> message-id=<49ac7fbf.1050...@cmat.edu.uy>
>
> Mar  2 18:41:59 smtp postfix/smtpd[15652]: TLS connection established
> from r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134
> .zz.xx]: TLSv1 with cipher RC4-MD5 (128/128 bits)
> Mar  2 18:42:02 smtp postfix/smtpd[15652]: NOQUEUE: reject: RCPT from
> r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.
> xx]: 450 4.7.1 : Recipient address rejected:
> Greylisting in action, please come back later.; from= to= proto=ESMTP helo=
>
> So, the first 2 lines show usuario1 sending mail through this server 
> and everything goes fine. His client is using SASL authentication and 
> that's ok. On the other hand, the last 2 lines show usuario2 cannot 
> use the SMTP server. The mail he is sending is being rejected. But, the 
> rejection is due to greylisting (postgrey is being used), not due to 
> lack of authentication. Note both users are sending mails from their homes.

Obviously usuario2 did not authenticate.

> Here goes some lines from main.cf:
>
> smtpd_recipient_restrictions =
> reject_rbl_client sbl.spamhaus.org
> reject_rbl_client bl.spamcop.net

Do you really want to subject authenticated users to the above 
checks?  Many users' home ISPs will be listed in spamhaus 
and/or spamcop and won't be able to submit mail.  These checks 
should be moved below reject_unauth_destination, and you 
should probably use zen.spamhaus.org rather than sbl.

> check_recipient_access hash:/etc/postfix/bloqueados

It's generally unwise to put access tables before 
reject_unauth_destination.  Accidental entries can make you an 
open relay.

http://www.postfix.org/SMTPD_ACCESS_README.html#danger

> permit_sasl_authenticated
> permit_mynetworks
> reject_unauth_destination
> reject_unknown_recipient_domain
> reject_unverified_recipient
> check_policy_service inet:127.0.0.1:10026
>
> smtpd_sender_restrictions =
> regexp:/etc/postfix/sender.regexp,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain
>
> Suggestions?! My idea is, if you are not part of $mynetworks, then 
> authenticating is the only way to get mail relayed through this server.
>
> Greetings.


  -- Noel Jones
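
The two ordering problems raised in this reply (access tables ahead of reject_unauth_destination, RBL lookups ahead of permit_sasl_authenticated) can be checked mechanically. The following is an added example, not code from the thread or from Postfix; the function names, finding labels and both sample inputs are constructed here, and it also treats bare type:table entries and reject_rhsbl_* the same way.

```python
import re

# Constructed input: the restriction list quoted in the thread, in main.cf syntax.
THREAD_MAIN_CF = """\
smtpd_recipient_restrictions =
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client bl.spamcop.net
    check_recipient_access hash:/etc/postfix/bloqueados
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_policy_service inet:127.0.0.1:10026
"""

# Constructed input: the same checks reordered along the lines of the reply.
REORDERED_MAIN_CF = """\
# authenticated and local clients first, relay guard next, the rest after
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_recipient_access hash:/etc/postfix/bloqueados,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
    check_policy_service inet:127.0.0.1:10026
"""

# Restrictions that consume the following token as their argument.
TAKES_ARG = re.compile(
    r"check_\w+|reject_rbl_client|reject_rhsbl_\w+"
    r"|permit_dnswl_client|permit_rhswl_client")
ACCESS_TABLE = re.compile(r"check_\w+_access")
DNSBL = re.compile(r"reject_rbl_client|reject_rhsbl_\w+")


def logical_lines(text):
    """Join main.cf continuation lines; skip blank lines and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if out and raw[0].isspace():
            out[-1] += " " + raw.strip()   # leading whitespace continues a line
        else:
            out.append(raw.strip())
    return out


def parse_restrictions(text, param="smtpd_recipient_restrictions"):
    """Return [(restriction, argument_or_None), ...] in evaluation order."""
    tokens = None
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep and name.strip() == param:
            tokens = value.replace(",", " ").split()   # last definition wins
    if tokens is None:
        return []
    items, i = [], 0
    while i < len(tokens):
        if TAKES_ARG.fullmatch(tokens[i]) and i + 1 < len(tokens):
            items.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            items.append((tokens[i], None))
            i += 1
    return items


def audit(items):
    """Flag the two ordering problems discussed in the thread."""
    names = [name for name, _ in items]
    # Without reject_unauth_destination nothing guards relaying, so every
    # access table counts as "before" it.
    guard = (names.index("reject_unauth_destination")
             if "reject_unauth_destination" in names else len(names))
    # Only meaningful when SASL clients are permitted in this list at all.
    sasl = (names.index("permit_sasl_authenticated")
            if "permit_sasl_authenticated" in names else -1)
    findings = []
    for pos, (name, arg) in enumerate(items):
        label = " ".join(filter(None, (name, arg)))
        bare_table = arg is None and ":" in name      # e.g. hash:/path
        if (ACCESS_TABLE.fullmatch(name) or bare_table) and pos < guard:
            findings.append(("access-before-relay-guard", label))
        if DNSBL.fullmatch(name) and pos < sasl:
            findings.append(("dnsbl-before-sasl", label))
    return findings


if __name__ == "__main__":
    for title, cfg in (("thread", THREAD_MAIN_CF), ("reordered", REORDERED_MAIN_CF)):
        print(title, audit(parse_restrictions(cfg)) or "no findings")
```
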




Virtual Domains - creating an alias to a script

2009-03-03 Thread Big Pizzle
On our old server that doesn't do any Virtual Domains, we have lines in our
/etc/alias which look like the following:

usera: "|/export/home/users/usera/blah/script.pl"

I just recently set up Postfix with Virtual Domains using a MySQL backend.
All aliases which forward to another mail account work just fine.

I added the following line per the Postfix documentation to /etc/postfix/
main.cf:
virtual_transport = maildrop:

I uncommented the two lines for maildrop in /etc/postfix/master.cf so
maildrop would be available for use.

MySQL table looks like this:

address            goto                           domain       date created         date modified        active
us...@domain1.com  "|/home/users/blah/script.pl"  domain1.com  2009-03-01 00:05:05  2009-03-01 00:05:05  1

When sending an email to us...@domain.com, I get the following message in
the error logs:

Mar  3 17:54:18 hostname postfix/local[32599]: 6A68B2FBDA:
to=<|/home/users/blah/script...@hostname.domain.com>, orig_to=<
us...@domain1.com>, relay=local, delay=0.07, delays=0.05/0.01/0/0.01,
dsn=5.1.1, status=bounced (unknown user: "|/home/users/blah/script.pl")

postconf -n shows this:

alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = no
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, $transport_maps
mydomain = hostname
myhostname = hostname.domain.com
mynetworks = 127.0.0.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/mailserver/cacert.pem
smtpd_tls_key_file = /etc/postfix/ssl/mailserver/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:$config_directory/
mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1
virtual_transport = maildrop:
virtual_uid_maps = static:1

I'll mention that I'm using Postfix Admin to manage these domains, however
using it to create aliases to a script is not necessary.  I just need a way
for it to work.  I do need the ability to continue using Postfix Admin for
managing standard aliases and e-mail addresses.

Thanks in advance.


TEST2*

2009-03-03 Thread dusty - linuxgeek

Please ignore this email.


Postfix + Dovecot SASL authentication.

2009-03-03 Thread Miguel Da Silva - Centro de Matemática
Dear users, I realized today that the local SMTP server is not working 
as expected.


I found these lines in the log files:

Mar  2 22:42:48 smtp postfix/smtpd[30427]: 1A66913105B:
client=r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.xx], sa
sl_method=PLAIN, sasl_username=usuario1
Mar  2 22:42:49 mordred postfix/cleanup[30478]: 1A66913105B:
message-id=<49ac7fbf.1050...@cmat.edu.uy>

Mar  2 18:41:59 smtp postfix/smtpd[15652]: TLS connection established
from r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134
.zz.xx]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Mar  2 18:42:02 smtp postfix/smtpd[15652]: NOQUEUE: reject: RCPT from
r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.
xx]: 450 4.7.1 : Recipient address rejected:
Greylisting in action, please come back later.; from= to= proto=ESMTP helo=

So, the first 2 lines show usuario1 sending mail through this server 
and everything goes fine. His client is using SASL authentication and 
that's ok. On the other hand, the last 2 lines show usuario2 cannot 
use the SMTP server. The mail he is sending is being rejected. But, the 
rejection is due to greylisting (postgrey is being used), not due to 
lack of authentication. Note both users are sending mails from their homes.


Here goes some lines from main.cf:

smtpd_recipient_restrictions =
reject_rbl_client sbl.spamhaus.org
reject_rbl_client bl.spamcop.net
check_recipient_access hash:/etc/postfix/bloqueados
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_unknown_recipient_domain
reject_unverified_recipient
check_policy_service inet:127.0.0.1:10026

smtpd_sender_restrictions =
regexp:/etc/postfix/sender.regexp,
reject_non_fqdn_sender,
reject_unknown_sender_domain

Suggestions?! My idea is, if you are not part of $mynetworks, then 
authenticating is the only way to get mail relayed through this server.


Greetings.
--
Miguel Da Silva
Administrador Junior de Sistemas Unix
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy


Re: Force otherwise local address to be considered non local

2009-03-03 Thread Noel Jones

Daniel L. Miller wrote:
> Noel Jones wrote:
>>> --- Original Message ---
>>> From: "Daniel L. Miller" 
>>> Would I do this using the transport_maps?  Something like:
>>> myu...@otherdomain.com   smtp:[192.168.0.72]:25
>>> --
>>> Daniel
>>
>> yes, exactly.
>>
>> Sounds like a firewall problem.
>>
>>   -- Noel Jones
>
> Ok - wasn't quite that simple.  I added the transport line - but now I 
> have the new server complaining about "loops back on myself".
>
> If the transport specifically says which server to use, and the target 
> server is the designated local/virtual server for that domain - where's 
> the loop?

Probably because the destination server answers with the same 
hostname.  Postfix detects this as a loop.


To fix this, change either smtp_helo_name on the sending 
client, smtpd_banner on the receiving server, or myhostname on 
either.


  -- Noel Jones


Re: Problem with ldap table lookups and TLS

2009-03-03 Thread Victor Duchovni
On Tue, Mar 03, 2009 at 07:30:39PM -0500, Wietse Venema wrote:

> Victor Duchovni:
> > With OpenLDAP 2.4 it is possible to set the TLS properties for
> > a particular LDAP connection (not just global properties), and to
> > associate a new OpenLDAP managed TLS context for the connection via the
> > new "LDAP_OPT_X_TLS_NEWCTX" option.
> > 
> > Try this completely untested patch (it may not even compile, but it
> > looks promising):
> 
> Is this the version that is ready, or have there been further changes?
> 

No changes. It worked as originally posted.

> > Index: src/global/dict_ldap.c
> > --- src/global/dict_ldap.c  28 Jan 2008 04:29:48 -  1.1.1.2
> > +++ src/global/dict_ldap.c  26 Feb 2009 00:04:18 -
> > @@ -484,10 +484,16 @@
> >  {
> >  const char *myname = "dict_ldap_set_tls_options";
> >  int rc;
> > +#ifdef LDAP_OPT_X_TLS_NEWCTX
> > +int am_server = 0;
> > +LDAP   *ld = dict_ldap->ld;
> > +#else
> > +LDAP   *ld = 0;
> > +#endif
> >  
> >  if (dict_ldap->start_tls || dict_ldap->ldap_ssl) {
> > if (*dict_ldap->tls_random_file) {
> > -   if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE,
> >dict_ldap->tls_random_file)) != LDAP_SUCCESS) {
> > msg_warn("%s: Unable to set tls_random_file to %s: %d: %s",
> >  myname, dict_ldap->tls_random_file,
> > @@ -496,7 +502,7 @@
> > }
> > }
> > if (*dict_ldap->tls_ca_cert_file) {
> > -   if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
> >   dict_ldap->tls_ca_cert_file)) != LDAP_SUCCESS) {
> > msg_warn("%s: Unable to set tls_ca_cert_file to %s: %d: %s",
> >  myname, dict_ldap->tls_ca_cert_file,
> > @@ -505,7 +511,7 @@
> > }
> > }
> > if (*dict_ldap->tls_ca_cert_dir) {
> > -   if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR,
> >dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS) {
> > msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
> >  myname, dict_ldap->tls_ca_cert_dir,
> > @@ -514,7 +520,7 @@
> > }
> > }
> > if (*dict_ldap->tls_cert) {
> > -   if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE,
> >   dict_ldap->tls_cert)) != LDAP_SUCCESS) {
> > msg_warn("%s: Unable to set tls_cert to %s: %d: %s",
> >  myname, dict_ldap->tls_cert,
> > @@ -523,7 +529,7 @@
> > }
> > }
> > if (*dict_ldap->tls_key) {
> > -   if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE,
> >   dict_ldap->tls_key)) != LDAP_SUCCESS) {
> > msg_warn("%s: Unable to set tls_key to %s: %d: %s",
> >  myname, dict_ldap->tls_key,
> > @@ -532,7 +538,7 @@
> > }
> > }
> > if (*dict_ldap->tls_cipher_suite) {
> > -   if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
> >   dict_ldap->tls_cipher_suite)) != LDAP_SUCCESS) {
> > msg_warn("%s: Unable to set tls_cipher_suite to %s: %d: %s",
> >  myname, dict_ldap->tls_cipher_suite,
> > @@ -540,13 +546,21 @@
> > return (-1);
> > }
> > }
> > -   if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
> >&(dict_ldap->tls_require_cert))) != LDAP_SUCCESS) {
> > msg_warn("%s: Unable to set tls_require_cert to %d: %d: %s",
> >  myname, dict_ldap->tls_require_cert,
> >  rc, ldap_err2string(rc));
> > return (-1);
> > }
> > +#ifdef LDAP_OPT_X_TLS_NEWCTX
> > +   if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &am_server))
> > +   != LDAP_SUCCESS) {
> > +   msg_warn("%s: Unable to allocate new TLS context %d: %s",
> > +myname, rc, ldap_err2string(rc));
> > +   return (-1);
> > +   }
> > +#endif
> >  }
> >  return (0);
> >  }
> > @@ -592,10 +606,6 @@
> >  
> >  #ifdef LDAP_OPT_NETWORK_TIMEOUT
> >  #ifdef LDAP_API_FEATURE_X_OPENLDAP
> > -if (dict_ldap_set_tls_options(dict_ldap) != 0) {
> > -   dict_errno = DICT_ERR_RETRY;
> > -   return (-1);
> > -}
> >  ldap_initialize(&(dict_ldap->ld), dict_ldap->server_host);
> >  #else
> >  dict_ldap->ld = ldap_init(dict_ldap->server_host,
> > @@ -700,6 +710,8 @@
> >  #endif
> >  
> >  #ifdef LDAP_API_FEATURE_X_OPENLDAP
> > +if (dict_ldap_set_tls_options(dict_ldap) 

Re: Force otherwise local address to be considered non local

2009-03-03 Thread Daniel L. Miller

Noel Jones wrote:
>> --- Original Message ---
>> From: "Daniel L. Miller" 
>> Would I do this using the transport_maps?  Something like:
>> myu...@otherdomain.com   smtp:[192.168.0.72]:25
>> --
>> Daniel
>
> yes, exactly.
>
> Sounds like a firewall problem.
>
>   -- Noel Jones

Ok - wasn't quite that simple.  I added the transport line - but now I 
have the new server complaining about "loops back on myself".


If the transport specifically says which server to use, and the target 
server is the designated local/virtual server for that domain - where's 
the loop?


--
Daniel


Re: Force otherwise local address to be considered non local

2009-03-03 Thread Noel Jones


> --- Original Message ---
> From: "Daniel L. Miller" 
> Would I do this using the transport_maps?  Something like:
> myu...@otherdomain.com   smtp:[192.168.0.72]:25
> -- 
> Daniel
>

yes, exactly.

Sounds like a firewall problem.

  -- Noel Jones  


Re: smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread Noel Jones
> --- Original Message ---
> From: LuKreme 
> To: "postfix-users@postfix.org" 
> Sent: 03-Mar-09, 18:18:15
> Subject: Re: smtpd_recipient_restrictions suddenly stopping mail
> 
> On Mar 3, 2009, at 15:21, Charles Marcus   
> wrote:
> 
> > On 3/3/2009 2:17 PM, LuKreme wrote:
> >>> host -t a 27a28250f4b7c74acc01d042687e2273.com
> >
> >> Perhaps they are using OpenDNS?
> >
> > opendns works very well, as long as you disable the helper crap, so,  
> > no,
> > has nothing to do with opendns.
> 
> Since one of the features of OpenDNS Is the so-called helper crap, and  
> is enabled by default, this can easily be a problem.


No, OpenDNS actually has a clue.  They automatically disable the helper crap 
for all RBLs they know about, which includes all the ones frequently mentioned 
on this list.

The OP's problem is some other less-clueful service.

  -- Noel Jones 


Force otherwise local address to be considered non local

2009-03-03 Thread Daniel L. Miller

This will probably sound weird - but...

Is there a _maps parameter, or other method, I can use to force an 
address found in my virtual_mailbox_maps to be considered non-local/virtual?


You're scratching your head asking why...well, it's simple.  I'm a 
moron.  I'm trying to setup a new mail server, and I'm doing some 
creative relay things that don't seem to be working correctly.  I'm 
trying to debug the process.  Since I have a valid hotmail account, I 
was trying to send to that account - however the log shows:


Mar  3 15:46:57 mailserver postfix/qmgr[3692]: 506AA89: 
from=, size=361, nrcpt=1 (queue active)
Mar  3 15:47:27 mailserver postfix/smtp[3759]: connect to 
mx4.hotmail.com[65.54.245.104]:25: Connection timed out
Mar  3 15:47:57 mailserver postfix/smtp[3759]: connect to 
mx2.hotmail.com[65.54.245.40]:25: Connection timed out
Mar  3 15:48:27 mailserver postfix/smtp[3759]: connect to 
mx1.hotmail.com[65.55.37.88]:25: Connection timed out
Mar  3 15:48:57 mailserver postfix/smtp[3759]: connect to 
mx3.hotmail.com[65.54.245.72]:25: Connection timed out
Mar  3 15:49:28 mailserver postfix/smtp[3759]: connect to 
mx2.hotmail.com[65.55.37.72]:25: Connection timed out
Mar  3 15:49:28 mailserver postfix/smtp[3759]: 506AA89: 
to=, relay=none, delay=855, 
delays=704/0.03/151/0, dsn=4.4.1, status=deferred (connect to 
mx2.hotmail.com[65.55.37.72]:25: Connection timed out)


Those timeouts don't tell me anything specific about what's broken.  
Since my other server talks to hotmail just fine, I'm sure it's not a 
hotmail problem - I'm sure it's something stupid I've done (and as I 
write this I can see the invalid address I'm sending from in the log).  
So, I want to send to a server I control so I can watch the log on that 
side.  I'm using an LDAP lookup in the new server - the same one as my 
production server since I'm looking to migrate over when I'm finished.  
I was hoping that instead of writing some new maps to describe a limited 
valid set of recipients, there was a way to override the LDAP virtual 
lookup and tell Postfix to try to lookup the mailserver via DNS (which 
still points to the old server) and send it that way.


Would I do this using the transport_maps?  Something like:
   myu...@otherdomain.com   smtp:[192.168.0.72]:25
--
Daniel


Re: Problem with ldap table lookups and TLS

2009-03-03 Thread Wietse Venema
Victor Duchovni:
> With OpenLDAP 2.4 it is possible to set the TLS properties for
> a particular LDAP connection (not just global properties), and to
> associate a new OpenLDAP managed TLS context for the connection via the
> new "LDAP_OPT_X_TLS_NEWCTX" option.
> 
> Try this completely untested patch (it may not even compile, but it
> looks promising):

Is this the version that is ready, or have there been further changes?

Wietse

> Index: src/global/dict_ldap.c
> --- src/global/dict_ldap.c28 Jan 2008 04:29:48 -  1.1.1.2
> +++ src/global/dict_ldap.c26 Feb 2009 00:04:18 -
> @@ -484,10 +484,16 @@
>  {
>  const char *myname = "dict_ldap_set_tls_options";
>  int rc;
> +#ifdef LDAP_OPT_X_TLS_NEWCTX
> +int am_server = 0;
> +LDAP   *ld = dict_ldap->ld;
> +#else
> +LDAP   *ld = 0;
> +#endif
>  
>  if (dict_ldap->start_tls || dict_ldap->ldap_ssl) {
>   if (*dict_ldap->tls_random_file) {
> - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
> + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE,
>  dict_ldap->tls_random_file)) != LDAP_SUCCESS) {
>   msg_warn("%s: Unable to set tls_random_file to %s: %d: %s",
>myname, dict_ldap->tls_random_file,
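
Review bot: in the `#else` branch at the top of this hunk, `LDAP *ld = 0;` would read better as `LDAP *ld = NULL;`, matching the `NULL` that the replaced `ldap_set_option(NULL, ...)` calls passed and making it obvious that such builds still set library-wide options. The `#ifdef` branch's `ld = dict_ldap->ld` only works if the handle already exists when this function runs, so a short comment stating that precondition next to the declaration would help; it holds only because the later hunks move the call to after `ldap_initialize()`.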
> @@ -496,7 +502,7 @@
>   }
>   }
>   if (*dict_ldap->tls_ca_cert_file) {
> - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
> + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
> dict_ldap->tls_ca_cert_file)) != LDAP_SUCCESS) {
>   msg_warn("%s: Unable to set tls_ca_cert_file to %s: %d: %s",
>myname, dict_ldap->tls_ca_cert_file,
> @@ -505,7 +511,7 @@
>   }
>   }
>   if (*dict_ldap->tls_ca_cert_dir) {
> - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,
> + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR,
>  dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS) {
>   msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
>myname, dict_ldap->tls_ca_cert_dir,
> @@ -514,7 +520,7 @@
>   }
>   }
>   if (*dict_ldap->tls_cert) {
> - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
> + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE,
> dict_ldap->tls_cert)) != LDAP_SUCCESS) {
>   msg_warn("%s: Unable to set tls_cert to %s: %d: %s",
>myname, dict_ldap->tls_cert,
> @@ -523,7 +529,7 @@
>   }
>   }
>   if (*dict_ldap->tls_key) {
> - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
> + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE,
> dict_ldap->tls_key)) != LDAP_SUCCESS) {
>   msg_warn("%s: Unable to set tls_key to %s: %d: %s",
>myname, dict_ldap->tls_key,
> @@ -532,7 +538,7 @@
>   }
>   }
>   if (*dict_ldap->tls_cipher_suite) {
> - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
> + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
> dict_ldap->tls_cipher_suite)) != LDAP_SUCCESS) {
>   msg_warn("%s: Unable to set tls_cipher_suite to %s: %d: %s",
>myname, dict_ldap->tls_cipher_suite,
> @@ -540,13 +546,21 @@
>   return (-1);
>   }
>   }
> - if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
> + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
>  &(dict_ldap->tls_require_cert))) != LDAP_SUCCESS) {
>   msg_warn("%s: Unable to set tls_require_cert to %d: %d: %s",
>myname, dict_ldap->tls_require_cert,
>rc, ldap_err2string(rc));
>   return (-1);
>   }
> +#ifdef LDAP_OPT_X_TLS_NEWCTX
> + if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &am_server))
> + != LDAP_SUCCESS) {
> + msg_warn("%s: Unable to allocate new TLS context %d: %s",
> +  myname, rc, ldap_err2string(rc));
> + return (-1);
> + }
> +#endif
>  }
>  return (0);
>  }
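
Review bot: the `LDAP_OPT_X_TLS_NEWCTX` block added after the `tls_require_cert` call has to stay last in this function, because the new context is built from the options set above it; a one-line comment saying so would stop someone from adding another `ldap_set_option()` below it later, and a note that `am_server = 0` selects a client context would explain the otherwise unexplained variable. The warning text also drops the colon the other messages put before the first `%d` ("TLS context %d: %s" against "... to %d: %d: %s"), which is worth aligning for log parsing.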
> @@ -592,10 +606,6 @@
>  
>  #ifdef LDAP_OPT_NETWORK_TIMEOUT
>  #ifdef LDAP_API_FEATURE_X_OPENLDAP
> -if (dict_ldap_set_tls_options(dict_ldap) != 0) {
> - dict_errno = DICT_ERR_RETRY;
> - return (-1);
> -}
>  ldap_initialize(&(dict_ldap->ld), dict_ldap->server_host);
>  #else
>  dict_ldap->ld = ldap_init(dict_ldap->server_host,
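
Review bot: with the early `dict_ldap_set_tls_options()` call removed, the context line `ldap_initialize(&(dict_ldap->ld), dict_ldap->server_host);` is left with its return value unchecked in the lines shown here. The function now passes `dict_ldap->ld` to `ldap_set_option()`, so if initialisation ever left the handle NULL the per-connection TLS settings would be applied as global options again, which is what this patch is moving away from. Please confirm the handle is verified before the relocated call at line 710, or add that check.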
> @@ -700,6 +710,8 @@
>  #endif
>  
>  #ifdef LDAP_API_FEATURE_X_OPENLDAP
> +if (dict_ldap_set_tls_options(dict_ldap) != 0)
> + DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
>  if (dict_ldap->start_tls) {
>   if ((saved_alarm = signal(SIGALRM, dict_ldap_timeout)) == SIG_ERR) {
> 
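
Review bot: the relocated call sits under `#ifdef LDAP_API_FEATURE_X_OPENLDAP` alone, while the call removed in the previous hunk was also nested inside `#ifdef LDAP_OPT_NETWORK_TIMEOUT`, so a build that defines only the former now runs `dict_ldap_set_tls_options()` where it did not before. That looks intended, but it should be stated in the change description. In the `#else` case of the first hunk the options are still global yet are now set after the handle has been created, so it is also worth a test against a pre-2.4 library to confirm they still take effect for this connection.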

Re: modify ldap return query value

2009-03-03 Thread Wietse Venema
Evelio Vila:
> so I would like to modify the return_attribute to pass postfix only the user
> part of the mail field.

See: man ldap_table | less +/result_format

> Also, could several queries be combined to form the desired result?

You can't make multiple queries per result.

Wietse


Re: smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread LuKreme
On Mar 3, 2009, at 15:21, Charles Marcus wrote:

> On 3/3/2009 2:17 PM, LuKreme wrote:
>>> host -t a 27a28250f4b7c74acc01d042687e2273.com
>
>> Perhaps they are using OpenDNS?
>
> opendns works very well, as long as you disable the helper crap, so,  
> no, has nothing to do with opendns.

Since one of the features of OpenDNS is the so-called helper crap, and  
is enabled by default, this can easily be a problem.





modify ldap return query value

2009-03-03 Thread Evelio Vila
Hi everyone!

I have the following issue:

Suppose that I have an ldap directory which cannot be modified at all (new
fields cannot be added in the existing schema).

The directory already stores a mail field which contains the user's mail in
the form

u...@domain.com

For the purpose of delivering the mail in the right mailbox
(virtual_mailbox_maps), I would like to split the return query
to have only the user value and use it for the mailbox. How could I
accomplish that without creating a new field in the directory? I have
something like this:

server_host = localhost
search_base = dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mail
scope = sub
cache = yes
bind = yes
bind_dn = cn=admin,dc=example,dc=com
bind_pw = secret
version = 3

so I would like to modify the return_attribute to pass postfix only the user
part of the mail field.

Also, could several queries be combined to form the desired result?

Thanks in advance,

vila.



Re: smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread Noel Jones
> --- Original Message ---
> From: Charles Marcus 
> To: LuKreme 
> Sent: 03-Mar-09, 16:21:07
> Subject: Re: smtpd_recipient_restrictions suddenly stopping mail
> 
> On 3/3/2009 2:17 PM, LuKreme wrote:
> >>  host -t a 27a28250f4b7c74acc01d042687e2273.com
> 
> > Perhaps they are using OpenDNS?
> 
> opendns works very well, as long as you disable the helper crap, so, no,
> has nothing to do with opendns.
> 

OpenDNS is smart enough that they will not return false results for RBLs, even  
with default settings.   

You still need to disable their "typo correction" feature to detect unknown 
domains, but RBLs work regardless of this setting.

  -- Noel Jones 


RE: Spam attacks

2009-03-03 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Pawel Lesniak
> Sent: Wednesday, 4 March 2009 4:19 AM
> To: postfix users list
> Subject: Re: Spam attacks
> 
> On 2009-03-03 17:46, Noel Jones wrote:
> > Some people reject their own domain from outside, unauthenticated 
> > clients, but this will certainly reject some amount of legit mail.
> 
> Could you write a little bit how is it possible to reject 
> legit mail by rejecting unauthenticated clients when all 
> users do use SASL authentication or are in my_networks?
> 
> 
> Pawel Lesniak
> 
> 

We have a very clear policy that users are only permitted to relay mail
from our networks. If they are sending from home, they use webmail.
We've had one or two instances where external organisations have used
some kind of auto-reply mechanism which purports to send from our users,
but we simply tell them to fix the sender address. We use a sender
access map to reject the spurious senders that aren't coming from
my_networks. You can use warn_if_reject to test the impact of this
measure for a few days or weeks.

main.cf
==
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_non_fqdn_sender,
  check_sender_access hash:/etc/postfix/sender_access


# cat /etc/postfix/sender_access
ourdomain.com   REJECT
ourdomain.gov.au  REJECT


Re: Variables for addresses in master.cf

2009-03-03 Thread Wietse Venema
Daniel L. Miller:
> Does Postfix support variables (I suppose defined in main.cf) to be used 
> for internet addresses in master.cf?  Example:
> 
> main.cf:
> inbound_interface = 192.168.0.10
> outbound_interface = 192.168.0.11
> 
> master.cf:
> inbound_interface:25   inet n - - - - smtpd
> outbound_interface:submission   inet n - - - - smtpd

Currently, you can have main.cf variables only where Postfix daemon
processes expect to find them, that is, on the daemon process
command line.

man 5 master

Wietse


Re: smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread Charles Marcus
On 3/3/2009 2:17 PM, LuKreme wrote:
>>  host -t a 27a28250f4b7c74acc01d042687e2273.com

> Perhaps they are using OpenDNS?

opendns works very well, as long as you disable the helper crap, so, no,
has nothing to do with opendns.


Re: root delivery for monitoring services

2009-03-03 Thread Daniel L. Miller

Cameron Camp wrote:

> I have monitoring applications on boxes on the same subnet as a box I
> want to use for mailing list notification using Postfix/mailman to
> notify several users. An example is some box throwing an snmp trap,
> where a notification would try to send to notification_l...@example.com
> so several people would know. Right now that e-mail would be seen to be
> coming from r...@the_monitor_node_box_name, which won't deliver. What
> are best practices for this? I would only ever have about 15 boxes
> reporting. Sorry if this has been already covered.
> --
> Best,
> Cam

  
Each box that has mail services should at least have an alias that maps 
root to a deliverable address.  So typically in your /etc/aliases file, 
you'd have a line like:


root: ad...@domain.com

Then use that admin address for your snmp processes.
--
Daniel


root delivery for monitoring services

2009-03-03 Thread Cameron Camp
I have monitoring applications on boxes on the same subnet as a box I
want to use for mailing list notification using Postfix/mailman to
notify several users. An example is some box throwing an snmp trap,
where a notification would try to send to notification_l...@example.com
so several people would know. Right now that e-mail would be seen to be
coming from r...@the_monitor_node_box_name, which won't deliver. What
are best practices for this? I would only ever have about 15 boxes
reporting. Sorry if this has been already covered.
--
Best,
Cam



Re: virtual_mailbox_limit

2009-03-03 Thread Barney Desmond
2009/3/4 LuKreme :
>>>  virtual_mailbox_limit (default: 5120)
>
> OK. Then this setting is largely useless if the number is >= to the maximum
> message size, right?

Indeed. I was playing with this recently, and Postfix complains if
it's set below message_size_limit (ie. there's the possibility a
single message could exceed this limit). For what it's worth, I tried
setting virtual_mailbox_limit a little higher than message_size_limit
and it was behaving a little erratically too (in a virtual mailbox
config). You'll need to find another way to have quotas on maildirs.


Variables for addresses in master.cf

2009-03-03 Thread Daniel L. Miller
Does Postfix support variables (I suppose defined in main.cf) to be used 
for internet addresses in master.cf?  Example:


main.cf:
   inbound_interface = 192.168.0.10
   outbound_interface = 192.168.0.11

master.cf:
   inbound_interface:25   inet n - - - - smtpd
   outbound_interface:submission   inet n - - - - smtpd


--
Daniel


Re: mysql lookup errors [solved]

2009-03-03 Thread Steve Crawford

kj wrote:

> Hi guys,
>
> Thanks for all the suggestions.  It turns out rolling back to MySQL
> 5.0.x solves the problem.  I guess I'm affected by something in 5.1 -
> just don't know what.
>
> --kj


Perhaps something Monty has discussed: 
http://monty-says.blogspot.com/2008/11/oops-we-did-it-again-mysql-51-released.html


Cheers,
Steve



Re: mysql lookup errors [solved]

2009-03-03 Thread kj

Hi guys,

Thanks for all the suggestions.  It turns out rolling back to MySQL 
5.0.x solves the problem.  I guess I'm affected by something in 5.1 - 
just don't know what.


--kj


Re: smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread LuKreme

On 3-Mar-2009, at 11:48, Wietse Venema wrote:

> host -t a 27a28250f4b7c74acc01d042687e2273.com



Perhaps they are using OpenDNS?

--
Hamburgers. The cornerstone of any nutritious breakfast.



Re: denyhosts-like postfix brute force block?

2009-03-03 Thread Terry Carmen

Cameron Camp wrote:
> I've been happily using denyhosts for ssh brute force attacks,
>
> 1. What are best practices for the same functionality for Postfix
> 2. Are there "gotcha's" for trying to use denyhosts/fail2ban for this
> 3. Should I use something else?
>
> I'd like to stop attacks at the iptable/tcpwrapper level before it eats
> up postfix resources. Sorry if that has already been asked.
>
> Best,
> Cam
  
It works great! I've been using it for a while to catch dictionary 
attacks and relay attempts.


I have this in /etc/fail2ban/filter.d:

failregex = reject: RCPT from (.*)\[<HOST>\]: 5

--

and this in /etc/fail2ban/jail.conf:
[postfix]
enabled  = true
filter   = postfix
action   = iptables-allports[name=postfix]
           sendmail-whois[name=postfix, dest=r...@cnysupport.com, sender=s...@cnysupport.com]

logpath  = /var/log/maillog
maxretry = 6


Depending on how fast your email addresses change, 6 might be too low, 
so you'll probably need to adjust it.


--

which catches log entries like this:

Mar  2 19:24:40 wormhole postfix/smtpd[23869]: NOQUEUE: reject: RCPT 
from unknown[122.110.167.253]: 554 5.7.1 ters.com>: Relay access denied; from= 
to= proto=SMTP helo=<122.110.167.253.

optusnet.com.au>



Terry






Re: smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread /dev/rob0
On Tue March 3 2009 12:48:59 Wietse Venema wrote:
> Kevin Bailey:
> > Today, about 80% of emails started getting bounced back with:
> > So we commented out the spamcop line...  then we got
> > So we commented out the spamhaus line...  then we got
> > Then we commented out the rfc-ignorant.org line and the mail is
> > getting through.  So the restrictions line now looks like:
>
> Looks like your DNS service is making up replies for names that
> don't exist.
>
> This is easily verified.
>
> $ host -t a 27a28250f4b7c74acc01d042687e2273.com
> $ host -t a 27a28250f4b7c74acc01d042687e2273.org
> $ host -t a 27a28250f4b7c74acc01d042687e2273.net

0.0.0.0.zen.spamhaus.org. 150   IN  A   205.234.170.218
(as seen at http://pastebin.ca/1352096 )

http://205.234.170.218/ appears to be affiliated with this outfit:
http://www.dnsmadeeasy.com/

People who don't understand how DNS works, and yet think they can  
charge money for a DNS service ...
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread Wietse Venema
Kevin Bailey:
> Today, about 80% of emails started getting bounced back with:
> So we commented out the spamcop line...  then we got
> So we commented out the spamhaus line...  then we got
> Then we commented out the rfc-ignorant.org line and the mail is getting 
> through.  So the restrictions line now looks like:

Looks like your DNS service is making up replies for names that
don't exist.

This is easily verified.

$ host -t a 27a28250f4b7c74acc01d042687e2273.com
$ host -t a 27a28250f4b7c74acc01d042687e2273.org
$ host -t a 27a28250f4b7c74acc01d042687e2273.net

Wietse


Re: smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread Sahil Tandon
On Mar 3, 2009, at 1:14 PM, Kevin Bailey wrote:

> Hiya,
>
> We have had this setting on a mail server for a long time.
>
> smtpd_recipient_restrictions =
>  permit_sasl_authenticated
>  reject_non_fqdn_recipient
>  reject_non_fqdn_sender
>  reject_unknown_sender_domain
>  reject_unknown_recipient_domain
>  permit_mynetworks
>  reject_unauth_destination
>  reject_multi_recipient_bounce
>  reject_non_fqdn_hostname
>  reject_invalid_hostname
>  reject_rbl_client bl.spamcop.net
>  reject_rbl_client sbl.spamhaus.org
>  reject_rhsbl_sender dsn.rfc-ignorant.org
>  check_policy_service inet:127.0.0.1:6
>  permit
>
> Today, about 80% of emails started getting bounced back with:
>
> Action: failed
> Status: 5.7.1
> Remote-MTA: dns; mail.psctraining.co.uk
> Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
>   [80.177.179.85] blocked using bl.spamcop.net
>
> So we commented out the spamcop line...  then we got
>
> Action: failed
> Status: 5.7.1
> Remote-MTA: dns; mail.psctraining.co.uk
> Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
>   [80.177.179.85] blocked using sbl.spamhaus.org
>
> So we commented out the spamhaus line...  then we got
>
> : host mail.psctraining.co.uk[217.45.142.233] said:
>   554 5.7.1 Service unavailable; Sender address [kbai...@freewayprojects.com]
>   blocked using dsn.rfc-ignorant.org (in reply to RCPT TO command)
>
> Then we commented out the rfc-ignorant.org line and the mail is
> getting through.  So the restrictions line now looks like:
>
> smtpd_recipient_restrictions =
>  permit_sasl_authenticated
>  reject_non_fqdn_recipient
>  reject_non_fqdn_sender
>  reject_unknown_sender_domain
>  reject_unknown_recipient_domain
>  permit_mynetworks
>  reject_unauth_destination
>  reject_multi_recipient_bounce
>  reject_non_fqdn_hostname
>  reject_invalid_hostname
> # nstone - 03/03/2009
> # commented to bypass the blacklists
> #  reject_rbl_client bl.spamcop.net
> #  reject_rbl_client sbl.spamhaus.org
> #  reject_rhsbl_sender dsn.rfc-ignorant.org
>  check_policy_service inet:127.0.0.1:6
>  permit
>
> OK.  We don't have full access to the routers etc.  We also can no
> longer access the web interface for their router which is on ports
> 81 and 445.
>
> My feeling is that something has changed with their firewall or
> traffic.
>
> Now, if Postfix can not connect to bl.spamcop.net would it reject
> the mail by default?  Also, to test this connection - what port does
> Postfix try to connect to bl.spamcop.net on? - we could then try
> telnet to test the connection.  Also, what port(s) does
> bl.spamcop.net connect back on?


The RBLs are queried via DNS; you don't 'connect' or 'telnet' to them  
in the conventional sense.  I suspect something has gone awry with  
your DNS resolver.
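
The check described in this thread, as an added example that is not part of the original posts: it builds the name a DNSBL lookup asks for (reversed client octets plus the zone), probes random nonexistent names the way the `host -t a` test does, and flags any DNSBL answer outside 127.0.0.0/8, since `reject_rbl_client` without a reply filter treats any A record as a listing. The two resolver functions are constructed stand-ins so the example runs offline; `system_resolver` queries the host's real resolver.

```python
import ipaddress
import socket
import uuid

# DNSBLs signal "listed" with A records inside 127.0.0.0/8 (RFC 5782).
DNSBL_ANSWER_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Name looked up for a DNSBL check: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for name from the host's resolver; [] on any lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN, SERVFAIL or no network all end up here
        return []


def invented_answers(resolve, tlds=("com", "org", "net")):
    """Resolve random 32-hex-digit names that should not exist.

    An honest resolver returns nothing for them; every entry in the
    result is an answer the resolver made up.
    """
    found = {}
    for tld in tlds:
        name = f"{uuid.uuid4().hex}.{tld}"
        answers = resolve(name)
        if answers:
            found[name] = answers
    return found


def classify(answers):
    """'clear' (no record), 'listed' (all in 127/8) or 'bogus' (anything else)."""
    if not answers:
        return "clear"
    if all(ipaddress.ip_address(a) in DNSBL_ANSWER_RANGE for a in answers):
        return "listed"
    return "bogus"


def check_client(client_ip, zones, resolve):
    """Map each zone to (query name, verdict) for one client address."""
    report = {}
    for zone in zones:
        query = dnsbl_query_name(client_ip, zone)
        report[zone] = (query, classify(resolve(query)))
    return report


# Constructed resolvers (sample behaviour, not real lookups).
def rewriting_resolver(name):
    """Like the resolver in the thread: every name gets the same A record."""
    return ["205.234.170.218"]


def honest_resolver(name):
    """Answers for one constructed listing only, nothing for other names."""
    return ["127.0.0.2"] if name == "9.113.0.203.bl.spamcop.net" else []


if __name__ == "__main__":
    zones = ["bl.spamcop.net", "sbl.spamhaus.org"]
    # Pass system_resolver instead to test the resolver this host really uses.
    for label, resolve in (("rewriting", rewriting_resolver),
                           ("honest", honest_resolver)):
        print(label, "invented:", invented_answers(resolve))
        print(label, "report:", check_client("80.177.179.85", zones, resolve))
```
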


smtpd_recipient_restrictions suddenly stopping mail

2009-03-03 Thread Kevin Bailey

Hiya,

We have had this setting on a mail server for a long time.

smtpd_recipient_restrictions =
 permit_sasl_authenticated
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_unknown_recipient_domain
 permit_mynetworks
 reject_unauth_destination
 reject_multi_recipient_bounce
 reject_non_fqdn_hostname
 reject_invalid_hostname
 reject_rbl_client bl.spamcop.net
 reject_rbl_client sbl.spamhaus.org
 reject_rhsbl_sender dsn.rfc-ignorant.org
 check_policy_service inet:127.0.0.1:6
 permit

Today, about 80% of emails started getting bounced back with:

Action: failed
Status: 5.7.1
Remote-MTA: dns; mail.psctraining.co.uk
Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
   [80.177.179.85] blocked using bl.spamcop.net

So we commented out the spamcop line...  then we got

Action: failed
Status: 5.7.1
Remote-MTA: dns; mail.psctraining.co.uk
Diagnostic-Code: smtp; 554 5.7.1 Service unavailable; Client host
   [80.177.179.85] blocked using sbl.spamhaus.org


So we commented out the spamhaus line...  then we got

: host mail.psctraining.co.uk[217.45.142.233] said:
   554 5.7.1 Service unavailable; Sender address [kbai...@freewayprojects.com]
   blocked using dsn.rfc-ignorant.org (in reply to RCPT TO command)


Then we commented out the rfc-ignorant.org line and the mail is getting 
through.  So the restrictions line now looks like:


smtpd_recipient_restrictions =
 permit_sasl_authenticated
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_unknown_recipient_domain
 permit_mynetworks
 reject_unauth_destination
 reject_multi_recipient_bounce
 reject_non_fqdn_hostname
 reject_invalid_hostname
# nstone - 03/03/2009
# commented to bypass the blacklists
#  reject_rbl_client bl.spamcop.net
#  reject_rbl_client sbl.spamhaus.org
#  reject_rhsbl_sender dsn.rfc-ignorant.org
 check_policy_service inet:127.0.0.1:6
 permit



OK.  We don't have full access to the routers etc.  We also can no 
longer access the web interface for their router which is on ports 81 
and 445.


My feeling is that something has changed with their firewall or traffic.

Now, if Postfix can not connect to bl.spamcop.net would it reject the 
mail by default?  Also, to test this connection - what port does Postfix 
try to connect to bl.spamcop.net on? - we could then try telnet to test 
the connection.  Also, what port(s) does bl.spamcop.net connect back 
on?  Maybe these are firewalled.


Obviously, we're up and running again with the lines commented out - but 
we would like to use the spam databases.

Thanks for any help.

Kevin Bailey


Re: Spam attacks

2009-03-03 Thread Noel Jones

Paweł Leśniak wrote:
> On 2009-03-03 17:46, Noel Jones wrote:
>> Some people reject their own domain from outside, unauthenticated
>> clients, but this will certainly reject some amount of legit mail.
>
> Could you write a little bit how is it possible to reject legit mail by
> rejecting unauthenticated clients when all users do use SASL
> authentication or are in my_networks?
>
> Pawel Lesniak




Some legit "reminder" type services, some meeting 
notifications, and other legit mail might arrive with you as 
the sender.  Maybe not best practices, but it's legit mail and 
such a policy will reject it.


You can send yourself mail via eg. gmail or your home ISP with 
your postfix domain as sender address.  Some people really do 
this.


The "some amount" of legit mail you will reject is highly 
dependent on your users. Some sites will see quite a bit, 
others very little.  Some people consider this a horrible 
idea, others a useful policy with an acceptable risk.  You get 
to pick which side of the fence you live on.



  -- Noel Jones



Re: Spam attacks

2009-03-03 Thread Gerardo Herzig
Paweł Leśniak wrote:
> On 2009-03-03 17:46, Noel Jones wrote:
>> Some people reject their own domain from outside, unauthenticated
>> clients, but this will certainly reject some amount of legit mail.
> 
> Could you write a little bit how is it possible to reject legit mail by
> rejecting unauthenticated clients when all users do use SASL
> authentication or are in my_networks?
> 
> 
> Pawel Lesniak
> 
> 
> 
Well, some ppl can configure to use their @myhost email, via, let's say
@yahoo smtp. This is a legit mail that will be rejected.




Re: Spam attacks

2009-03-03 Thread Gerardo Herzig
Dave Johnson wrote:
> Hi all
> 
> Is there any way of stopping the from "j...@foo.com" to "j...@foo.com" spam
> attacks?
> 
> Regards
> 
>  
> 
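Well. If you are delivering via procmail, you can have a procmail rule
like this one (untested, and possibly larger than an experienced procmail
user will do, but should work):

SHELL=/bin/bash
# Extract the To: and From: header values (formail reads the message on stdin)
__TO=`formail -z -x 'To:'`
__FROM=`formail -z -x 'From:'`

# Tag the message when the To: value is exactly the From: value.
# "$" expands variables in the condition; $\__FROM is __FROM with regex
# metacharacters escaped, and ^^ anchors the match to the whole value.
:0fw
* $ __TO ?? ^^$\__FROM^^
| formail -I "X-From-And-To-Are-The-Same: Yes"

## This will forward the mail, with an X-header that you can chase via a
SpamAssassin rule. I will prefer this way instead of just dropping the
mail, because, as many have told you, that will probably block legitimate mail.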

HTH
Gerardo


Re: virtual_mailbox_limit

2009-03-03 Thread Noel Jones

LuKreme wrote:
> On Mar 3, 2009, at 9:38, Noel Jones wrote:
>> LuKreme wrote:
>>> The postfix docs say:
>>>  virtual_mailbox_limit (default: 5120)
>>>  The maximal size in bytes of an individual mailbox or maildir file,
>>> or zero (no limit)
>>> but since a maildir is a directory, does this limit apply to an
>>> individual email (a file in the maildir) or to the directory size of
>>> the entire maildir?
>>
>> With a maildir, the mailbox limit applies per file (per message), and
>> postfix will not impose a limit on the total storage used.
>
> OK. Then this setting is largely useless if the number is >= to the
> maximum message size, right?


Right.

  -- Noel Jones


Re: Spam attacks

2009-03-03 Thread Paweł Leśniak

On 2009-03-03 17:46, Noel Jones wrote:
> Some people reject their own domain from outside, unauthenticated
> clients, but this will certainly reject some amount of legit mail.


Could you write a little bit how is it possible to reject legit mail by 
rejecting unauthenticated clients when all users do use SASL 
authentication or are in my_networks?



Pawel Lesniak




Re: denyhosts-like postfix brute force block?

2009-03-03 Thread Bill Landry
Cameron Camp wrote:
> I've been happily using denyhosts for ssh brute force attacks, 
> 
> 1. What are best practices for the same functionality for Postfix
> 2. Are there "gotcha's" for trying to use denyhosts/fail2ban for this
> 3. Should I use something else?
> 
> I'd like to stop attacks at the iptable/tcpwrapper level before it eats
> up postfix resources. Sorry if that has already been asked.
> 
> Best,
> Cam

I use fail2ban with this:

failregex = reject: RCPT from (.*)\[<HOST>\]: (550|554).*(Recipient
address rejected: User unknown|Relay access denied)

watch for wrapping, as this is all on one line in the
/etc/fail2ban/filter.d/postfix.conf

I have it set in /etc/fail2ban/jail.conf to block the source IP address
for 1 hour after 5 associated maillog entries, and it's been working
fine here for quite some time.

Bill
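
The two fail2ban filters posted in this thread, run over sample log lines as an added example (not code from either poster or from fail2ban). `HOST_GROUP` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the log lines are constructed, and fail2ban's time window is ignored; the point is which rejections each filter counts toward a ban.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two filters from the thread: any 5xx RCPT reject vs. only
# "User unknown" / "Relay access denied" rejects.
BROAD = r"reject: RCPT from (.*)\[<HOST>\]: 5"
NARROW = (r"reject: RCPT from (.*)\[<HOST>\]: (550|554).*"
          r"(Recipient address rejected: User unknown|Relay access denied)")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does before compiling the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_failures(lines, failregex):
    """Count matching log lines per client address."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(lines, failregex, maxretry):
    """Hosts with at least maxretry matching lines."""
    counts = count_failures(lines, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


def sample_line(ip, reply):
    """Build one constructed Postfix reject line for the given client."""
    return ("Mar  2 19:24:40 mx postfix/smtpd[23869]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: {reply}; from=<a@example.net> "
            "to=<b@example.com> proto=SMTP helo=<x>")


# Constructed sample log: a relay/dictionary prober, a client rejected by a
# DNSBL, and a client that is only being greylisted (4xx).
SAMPLE_LOG = (
    [sample_line("203.0.113.7",
                 "554 5.7.1 <b@example.com>: Relay access denied")] * 3
    + [sample_line("203.0.113.7",
                   "550 5.1.1 <b@example.com>: Recipient address rejected: "
                   "User unknown in local recipient table")] * 3
    + [sample_line("198.51.100.20",
                   "554 5.7.1 Service unavailable; Client host "
                   "[198.51.100.20] blocked using sbl.spamhaus.org")] * 6
    + [sample_line("192.0.2.44",
                   "450 4.7.1 <b@example.com>: Recipient address rejected: "
                   "Greylisting in action, please come back later.")] * 6
)

if __name__ == "__main__":
    print("broad,  maxretry=6:", hosts_to_ban(SAMPLE_LOG, BROAD, 6))
    print("narrow, maxretry=5:", hosts_to_ban(SAMPLE_LOG, NARROW, 5))
```

The broad filter also counts DNSBL rejections, so a client rejected only because of a blocklist answer gets firewalled as well; the narrow filter bans only the address probing for relays and unknown recipients.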



Re: virtual_mailbox_limit

2009-03-03 Thread LuKreme



On Mar 3, 2009, at 9:38, Noel Jones wrote:

> LuKreme wrote:
>> The postfix docs say:
>>  virtual_mailbox_limit (default: 5120)
>>  The maximal size in bytes of an individual mailbox or maildir
>> file, or zero (no limit)
>> but since a maildir is a directory, does this limit apply to an
>> individual email (a file in the maildir) or to the directory size
>> of the entire maildir?
>
> With a maildir, the mailbox limit applies per file (per message),
> and postfix will not impose a limit on the total storage used.


OK. Then this setting is largely useless if the number is >= to the  
maximum message size, right?


Or does that restriction not apply to virtual_*?

--



Re: Spam attacks

2009-03-03 Thread Noel Jones

Dave Johnson wrote:

> Hi all
>
> Is there any way of stopping the from "j...@foo.com" to "j...@foo.com"
> spam attacks?
>
> Regards



If you're not using zen.spamhaus.org already, you should 
start.  If your site is too large to qualify for their free 
use, the paid feed is well worth it.


You can use a policy server that rejects mail when the sender 
and recipient are the same.  It's reported that postfwd can do 
this, probably others too.

http://www.postfix.org/addon.html#policy

Some people reject their own domain from outside, 
unauthenticated clients, but this will certainly reject some 
amount of legit mail.


  -- Noel Jones
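
A sketch of such a policy service, as an added example that is not postfwd and not code from this thread: it speaks the Postfix policy delegation protocol (name=value lines ended by a blank line, answered with `action=...` and a blank line) and, for unauthenticated clients outside the trusted networks, either tags or rejects mail whose sender equals the recipient in a hosted domain. `LOCAL_DOMAINS`, `MYNETWORKS` and the sample request are assumptions; the tag header name is the one used in the procmail reply in this thread.

```python
import io
import ipaddress
import sys

# Assumptions for the example: hosted domains and trusted networks.
LOCAL_DOMAINS = {"example.com"}
MYNETWORKS = [ipaddress.ip_network("192.168.0.0/24")]

TAG = "PREPEND X-From-And-To-Are-The-Same: Yes"
REJECT = "REJECT Sender address equals recipient address"

# Constructed policy request, in the form smtpd sends at RCPT TO time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=SMTP\n"
    "client_address=203.0.113.9\n"
    "sender=joe@example.com\n"
    "recipient=joe@example.com\n"
    "sasl_username=\n"
    "\n"
)


def read_request(stream):
    """Read one request (up to the blank line); None at end of input."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs if attrs else None


def decide(attrs, mode="tag"):
    """Return the access(5) action for one request."""
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    if attrs.get("protocol_state") != "RCPT" or not sender:
        return "DUNNO"
    if attrs.get("sasl_username"):          # authenticated submission
        return "DUNNO"
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        client = None
    if client is not None and any(client in net for net in MYNETWORKS):
        return "DUNNO"                      # trusted network
    if sender != recipient:
        return "DUNNO"
    if sender.rpartition("@")[2] not in LOCAL_DOMAINS:
        return "DUNNO"                      # not one of our domains
    # Rejecting loses the legitimate "mail to myself via another ISP" case
    # discussed in the thread; tagging leaves the decision to a later filter.
    return REJECT if mode == "reject" else TAG


def serve(stream_in, stream_out, mode="tag"):
    """Answer requests until the client closes the connection."""
    while (attrs := read_request(stream_in)) is not None:
        stream_out.write(f"action={decide(attrs, mode)}\n\n")
        stream_out.flush()


def handle_text(request_text, mode="tag"):
    """Run serve() over a string; returns everything that was written."""
    out = io.StringIO()
    serve(io.StringIO(request_text), out, mode)
    return out.getvalue()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```
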


denyhosts-like postfix brute force block?

2009-03-03 Thread Cameron Camp
I've been happily using denyhosts for ssh brute force attacks, 

1. What are best practices for the same functionality for Postfix
2. Are there "gotcha's" for trying to use denyhosts/fail2ban for this
3. Should I use something else?

I'd like to stop attacks at the iptable/tcpwrapper level before it eats
up postfix resources. Sorry if that has already been asked.

Best,
Cam



Re: virtual_mailbox_limit

2009-03-03 Thread Noel Jones

LuKreme wrote:

> The postfix docs say:
>
>   virtual_mailbox_limit (default: 5120)
>   The maximal size in bytes of an individual mailbox or maildir file, or
> zero (no limit)
> but since a maildir is a directory, does this limit apply to an
> individual email (a file in the maildir) or to the directory size of the
> entire maildir?




With a maildir, the mailbox limit applies per file (per 
message), and postfix will not impose a limit on the total 
storage used.


  -- Noel Jones


Re: anvil limiting for subnets

2009-03-03 Thread Wietse Venema
Ondrej Holecek:
> hello,
> 
> is there a possibility to limit connection count for whole subnet?
> 
> when I have:
> smtpd_client_connection_count_limit = 2
> 
> it limits each IP to max 2 connections, but when attacker has /24
> subnet, he can easily create 508
> connections

If the attacker has a botnet, then every connection comes from a
different subnet.

> how do you anticipate this kind of attacks?

Use a traffic shaping tool. Postfix is a mail server, it does
not have to solve every problem.

Wietse


Re: there is no pipe process running

2009-03-03 Thread Victor Duchovni
On Tue, Mar 03, 2009 at 11:07:50AM -0500, Erik Morton wrote:

> I guess I only expected logging output because I can't seem to figure out 
> why the following:
>
> filter    unix  -       n       n       -       10      pipe -v flags=Rq 
> user=my_user argv=/usr/bin/receiver -f ${sender} -- ${recipient}
>
> Doesn't seem to work.

It works exactly as configured. You've configured a new transport ready
and willing to process mail, but not configured Postfix to *use* that
transport to deliver any mail. You are probably not using the "discard"
transport either, and yet it is defined correctly in master.cf.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: there is no pipe process running

2009-03-03 Thread Erik Morton
I guess I only expected logging output because I can't seem to figure  
out why the following:

filter    unix  -       n       n       -       10      pipe -v
  flags=Rq user=my_user argv=/usr/bin/receiver -f ${sender} -- ${recipient}


Doesn't seem to work. When I run the script via the command line (as  
shown in the readme) it works like a charm. But for whatever reason I  
can't even figure out if postfix is trying to use the filter, let  
alone if it is failing. Getting log output from pipe would have been  
nice, but if that's not the correct way to proceed then I'm at a loss  
for what to look at next.


Any tips on getting to the bottom of it?

On Mar 3, 2009, at 10:58 AM, Victor Duchovni wrote:

> On Tue, Mar 03, 2009 at 10:39:36AM -0500, Erik Morton wrote:
>
>> Mar  3 10:32:03 my_host postfix/local[2862]: A2629A967B:
>> to=, relay=local, delay=0.09,
>> delays=0.07/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as B0274A969F)
>
> This message is delivered via local(8) which forwards it
>
>> Mar  3 10:32:04 my_host postfix/smtp[2863]: B0274A969F:
>> to=, orig_to=,
>> relay=my_relay_ip[my_relay_ip]:587, delay=0.33, delays=0/0.01/0.16/0.16,
>> dsn=2.0.0, status=sent (250 2.0.0 n23AcrHO026291 Message accepted for
>> delivery)
>
> via smtp(8) to a remote relay. Why do you expect to see log entries from
> pipe(8)?
>
> --
> Viktor.



Erik Morton
readMedia
518.429.2832
www.readmedia.com



Re: there is no pipe process running

2009-03-03 Thread Victor Duchovni
On Tue, Mar 03, 2009 at 10:39:36AM -0500, Erik Morton wrote:

> Mar  3 10:32:03 my_host postfix/local[2862]: A2629A967B: 
> to=, relay=local, delay=0.09, 
> delays=0.07/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as B0274A969F)

This message is delivered via local(8) which forwards it

> Mar  3 10:32:04 my_host postfix/smtp[2863]: B0274A969F: 
> to=, orig_to=, 
> relay=my_relay_ip[my_relay_ip]:587, delay=0.33, delays=0/0.01/0.16/0.16, 
> dsn=2.0.0, status=sent (250 2.0.0 n23AcrHO026291 Message accepted for 
> delivery)

via smtp(8) to a remote relay. Why do you expect to see log entries from
pipe(8)?

-- 
Viktor.



anvil limiting for subnets

2009-03-03 Thread Ondrej Holecek
hello,

is there a possibility to limit connection count for whole subnet?

when I have:
smtpd_client_connection_count_limit = 2

it limits each IP to max 2 connections, but when attacker has /24 subnet, he 
can easily create 508
connections

how do you anticipate this kind of attacks?

thanks
Ondrej


Re: there is no pipe process running

2009-03-03 Thread Erik Morton
Very true. I had -D on the smtpd process. When I add -D to the filter  
I sent in my previous email I don't get any log output that is  
relevant to the pipe process. Note that I'm looking in /var/log/maillog.


Here is the session for an inbound email. Note that "newswire" is  
aliased to some_user, who has a .forward in this home directory that  
points to e...@readmedia.com. The mail is forwarded correctly, but the  
filter is never handed to pipe.


Mar  3 10:32:03 my_host postfix/smtpd[2856]: connect from yx-out-2324.google.com[74.125.44.28]
Mar  3 10:32:03 my_host postfix/smtpd[2856]: A2629A967B: client=yx-out-2324.google.com[74.125.44.28]
Mar  3 10:32:03 my_host postfix/cleanup[2860]: A2629A967B: message-id=<221b7bd2-026a-4278-93e8-8e13e1a50...@gmail.com>
Mar  3 10:32:03 my_host postfix/qmgr[2861]: A2629A967B: from=>, size=2006, nrcpt=1 (queue active)
Mar  3 10:32:03 my_host postfix/cleanup[2860]: B0274A969F: message-id=<221b7bd2-026a-4278-93e8-8e13e1a50...@gmail.com>
Mar  3 10:32:03 my_host postfix/qmgr[2861]: B0274A969F: from=< my_n...@gmail.com>, size=2139, nrcpt=1 (queue active)
Mar  3 10:32:03 my_host postfix/local[2862]: A2629A967B: to=>, relay=local, delay=0.09, delays=0.07/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as B0274A969F)
Mar  3 10:32:03 my_host postfix/qmgr[2861]: A2629A967B: removed
Mar  3 10:32:04 my_host postfix/smtp[2863]: B0274A969F: to=>, orig_to=, relay=my_relay_ip[my_relay_ip]:587, delay=0.33, delays=0/0.01/0.16/0.16, dsn=2.0.0, status=sent (250 2.0.0 n23AcrHO026291 Message accepted for delivery)
Mar  3 10:32:04 my_host postfix/qmgr[2861]: B0274A969F: removed
Mar  3 10:32:33 my_host postfix/smtpd[2856]: disconnect from yx-out-2324.google.com[74.125.44.28]


My debug command is:

debugger_command = PATH=/bin:/usr/bin:/usr/local/bin;(strace -p $process_id 2>&1 | logger -p mail.info) & sleep 5


Many thanks again for the help.

Erik
On Mar 3, 2009, at 10:27 AM, Victor Duchovni wrote:

> On Tue, Mar 03, 2009 at 10:19:50AM -0500, Erik Morton wrote:
>
>> Thanks. I am running with -D (strace) and -v enabled and I'm not seeing
>> anything fatal or related to a pipe process.
>>
>> I've defined my filter in master.cf like so:
>>
>> filter    unix  -       n       n       -       10      pipe -v flags=Rq
>> user=my_user argv=/usr/bin/receiver -f ${sender} -- ${recipient}
>>
>> The receiver script is based on the example from the content filter readme.
>> It basically just curls the email to a web service.
>>
>> Is it strange that I'm not seeing any debugging information for the pipe
>> process?
>
> No, there's no "-D" in this master.cf entry, and you have not shown the
> "debugger_command" setting from main.cf.
>
> --
> Viktor.



Erik Morton
readMedia
518.429.2832
www.readmedia.com



virtual_mailbox_limit

2009-03-03 Thread LuKreme

The postfix docs say:

  virtual_mailbox_limit (default: 5120)
  The maximal size in bytes of an individual mailbox or maildir file,  
or zero (no limit)
but since a maildir is a directory, does this limit apply to an  
individual email (a file in the maildir) or to the directory size of  
the entire maildir?


--

How do you feel?  I'm lonely
What do you think?  Cant take it all
Whatcha gonna do?  Gonna live my life



Re: there is no pipe process running

2009-03-03 Thread Victor Duchovni
On Tue, Mar 03, 2009 at 10:19:50AM -0500, Erik Morton wrote:

> Thanks. I am running with -D (strace) and -v enabled and I'm not seeing 
> anything fatal or related to a pipe process.
>
> I've defined my filter in master.cf like so:
>
> filter    unix  -       n       n       -       10      pipe -v flags=Rq 
> user=my_user argv=/usr/bin/receiver -f ${sender} -- ${recipient}
>
> The receiver script is based on the example from the content filter readme. 
> It basically just curls the email to a web service.
>
> Is it strange that I'm not seeing any debugging information for the pipe 
> process? 

No, there's no "-D" in this master.cf entry, and you have not shown the
"debugger_command" setting from main.cf.

-- 
Viktor.



Re: there is no pipe process running

2009-03-03 Thread Wietse Venema
Erik Morton:
> Thanks. I am running with -D (strace) and -v enabled and I'm not  
> seeing anything fatal or related to a pipe process.

So what does Postfix log when delivering mail?

http://www.postfix.org/DEBUG_README.html#mail

Wietse


Re: there is no pipe process running

2009-03-03 Thread Erik Morton
Thanks. I am running with -D (strace) and -v enabled and I'm not  
seeing anything fatal or related to a pipe process.


I've defined my filter in master.cf like so:

filter    unix  -       n       n       -       10      pipe -v
  flags=Rq user=my_user argv=/usr/bin/receiver -f ${sender} -- ${recipient}


The receiver script is based on the example from the content filter  
readme. It basically just curls the email to a web service.


Is it strange that I'm not seeing any debugging information for the  
pipe process?


On Mar 3, 2009, at 10:12 AM, Victor Duchovni wrote:

> On Tue, Mar 03, 2009 at 09:17:55AM -0500, Erik Morton wrote:
>
>> I am assuming that I should
>> have a pipe process running. Is that not the case?
>
> Only during a delivery and shortly thereafter, unless pipe(8) exits
> with a fatal error. On a low-volume server pipe(8) may not be running
> at any given moment, and this is fine.
>
> --
> Viktor.



Erik Morton
readMedia
518.429.2832
www.readmedia.com



Re: there is no pipe process running

2009-03-03 Thread Victor Duchovni
On Tue, Mar 03, 2009 at 09:17:55AM -0500, Erik Morton wrote:

> I am assuming that I should 
> have a pipe process running. Is that not the case?

Only during a delivery and shortly thereafter, unless pipe(8) exits
with a fatal error. On a low-volume server pipe(8) may not be running
at any given moment, and this is fine.

-- 
Viktor.



Re: there is no pipe process running

2009-03-03 Thread Noel Jones

Erik Morton wrote:
> Indeed it does. I've found /var/log/maillog very helpful. However I
> don't see any logging at all from the pipe process. I am assuming that I
> should have a pipe process running. Is that not the case?

So what does postfix log during a delivery attempt?

http://www.postfix.org/DEBUG_README.html#mail

  -- Noel Jones


Re: there is no pipe process running

2009-03-03 Thread Erik Morton
Indeed it does. I've found /var/log/maillog very helpful. However I  
don't see any logging at all from the pipe process. I am assuming that  
I should have a pipe process running. Is that not the case?


On Mar 3, 2009, at 9:13 AM, Wietse Venema wrote:

> Erik Morton:
>> Hello,
>> I've been following the Content Filter tutorial
>> (http://www.postfix.org/FILTER_README.html ) with little success.
>
> Postfix logs ALL delivery attempts, successful or otherwise,
> in the maillog file.
>
> http://www.postfix.org/DEBUG_README.html#logging


Erik Morton
readMedia
518.429.2832
www.readmedia.com



Re: there is no pipe process running

2009-03-03 Thread Wietse Venema
Erik Morton:
> Hello,
> I've been following the Content Filter tutorial
> (http://www.postfix.org/FILTER_README.html ) with little success.

Postfix logs ALL delivery attempts, successful or otherwise,
in the maillog file.

http://www.postfix.org/DEBUG_README.html#logging
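
[Added example, not part of the original thread.] Since pipe(8) only exists while a delivery is in progress, the maillog is where to confirm that the filter transport ran and why it failed. The sketch below pulls the delivery-agent records out of a maillog excerpt; the log lines are constructed for illustration and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed maillog excerpt: host name, queue IDs and addresses are made up.
SAMPLE_LOG = """\
Mar  3 09:20:01 mx postfix/smtpd[2101]: 4F2A11C0D3: client=unknown[192.0.2.10]
Mar  3 09:20:01 mx postfix/qmgr[1802]: 4F2A11C0D3: from=<a@example.org>, size=812, nrcpt=1 (queue active)
Mar  3 09:20:02 mx postfix/pipe[2107]: 4F2A11C0D3: to=<bob@example.com>, relay=filter, delay=0.4, delays=0.1/0/0/0.3, dsn=2.0.0, status=sent (delivered via filter service)
Mar  3 09:20:02 mx postfix/qmgr[1802]: 4F2A11C0D3: removed
Mar  3 09:25:10 mx postfix/pickup[1801]: 7B9C21C0D9: uid=0 from=<root>
Mar  3 09:25:10 mx postfix/local[2110]: 7B9C21C0D9: to=<bob@example.com>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  3 09:31:44 mx postfix/pipe[2120]: 9D0E31C0E2: to=<eve@example.com>, relay=filter, delay=2.1, delays=0.1/0/0/2, dsn=4.3.0, status=deferred (temporary failure. Command output: curl: (7) couldn't connect to host)
"""

# A delivery agent logs one record per recipient: queue ID, to=, relay=, status=.
DELIVERY = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]*)>,.*?relay=(?P<relay>[^,]+),.*?"
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

def parse_deliveries(log):
    """Return one dict per delivery record; smtpd/qmgr/pickup lines are skipped."""
    return [m.groupdict() for line in log.splitlines()
            if (m := DELIVERY.search(line.rstrip()))]

def agent_summary(records):
    """Count delivery statuses per delivery agent (pipe, local, smtp, ...)."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["agent"]][r["status"]] += 1
    return summary

def failures(records, agent="pipe"):
    """Deliveries by the given agent that did not end in status=sent."""
    return [(r["qid"], r["rcpt"], r["status"], r["reason"])
            for r in records if r["agent"] == agent and r["status"] != "sent"]

if __name__ == "__main__":
    recs = parse_deliveries(SAMPLE_LOG)
    for agent, counts in agent_summary(recs).items():
        print(agent, dict(counts))
    for row in failures(recs):
        print("pipe failure:", row)
```

No pipe records at all for mail that arrived over SMTP means the message was never routed to the filter transport, which is a configuration question rather than a missing process.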


there is no pipe process running

2009-03-03 Thread Erik Morton

Hello,
I've been following the Content Filter tutorial
(http://www.postfix.org/FILTER_README.html) with little success.


I realized that I don't have a pipe process running, which I'm
thinking could be a problem. These are the Postfix-related processes
that I see running:


root/usr/libexec/postfix/master
qmgr -l -t fifo -u
pickup -l -t fifo -u
local -t unix
bounce -z -n defer -t unix -u
local -t unix
bounce -z -n defer -t unix -u

Then again, in the OVERVIEW.html file I don't see a process for all of  
the daemons it mentions: "The queue manager (the qmgr(8) server  
process in the figure) is the heart of Postfix mail delivery. It  
contacts the smtp(8), lmtp(8), local(8), virtual(8), pipe(8),  
discard(8) or error(8) delivery agents, and sends a delivery request  
for one or more recipient addresses. "


Anyway, I guess my first question is do I need a pipe process running  
to create a content filter as described in the FILTER_README doc. Many  
thanks in advance.


I'm using version 2.5.5.

Erik


Re: Postfix Query

2009-03-03 Thread Baghwant

Thanks for the reply, Sahil.

__

DISCLAIMER

This message(including any attachments) contains confidential information 
intended for a
specific individual and purpose,and is protected by law. If you have received 
it by mistake
please notify the sender by return e-mail and delete this message from your 
system. Any
unauthorised use or dissemination of this message in whole or in part is 
strictly prohibited.
Please note that e-mails are susceptible to change. Eon Infotech Limited shall not be liable 
for the improper or incomplete transmission.

__


Re: Postfix Query

2009-03-03 Thread Sahil Tandon
On Tue, 03 Mar 2009, Baghwant wrote:

> Can you tell me how I can block a particular machine or email ID
> from sending mail to any outer domain except the local domain? I mean,
> one user of your domain can only send mail locally.

http://www.postfix.org/RESTRICTION_CLASS_README.html

-- 
Sahil Tandon 


Postfix Query

2009-03-03 Thread Baghwant

Hi ,
Can you tell me how I can block a particular machine or email ID
from sending mail to any outer domain except the local domain? I mean,
one user of your domain can only send mail locally.


Thanks in advance
Waiting for reply
