Re: Local mail listener

2009-03-04 Thread Daniel L. Miller

Magnus Bäck wrote:
> On Thursday, March 05, 2009 at 00:25 CET,
>      "Daniel L. Miller" wrote:
>
> > What I have/had now was the following:
> > master.cf:
> > 192.168.0.11:smtp  inet  n   -   -   -   -   smtpd
> >  -o relayhost=[192.168.0.10]:225
> > 192.168.0.11:125  inet  n   -   -   -   -   smtpd
> >  -o relayhost=
> >
> > The intent was to have local clients connect to 192.168.0.11:25.
> > Postfix should then relay it to 192.168.0.10:225.  That relay will then
> > process and return it to 192.168.0.11:125 - which would then send it to
> > the destination.
> >
> > Right now, the above config "functions" in that it receives a message
> > from a client and delivers it to the destination - but it never hits my
> > filter.
>
> No, because smtpd(8) doesn't pay attention to the relayhost parameter
> and doesn't pass it on to the rest of Postfix. Postfix is modular, and
> the relayhost is not a per-message property.
>
> You're on the right track, just use content_filter instead. See
> FILTER_README.
  
I'm closing in on it - now for some fine-tuning.  Now, a test master.cf 
contains:

192.168.0.11:smtp  inet  n   -   -   -   -   smtpd
 -o smtpd_proxy_filter=inet:192.168.0.11:325
192.168.0.11:325  inet  n   -   -   -   -   smtpd
 -o smtpd_proxy_filter=

This actually works - I can see in the log the relay between the 
processes and then the handoff to the remote server.
Mar  4 23:22:54 mailserver postfix/smtpd[21006]: connect from unknown[192.168.0.90]
Mar  4 23:22:54 mailserver postfix/smtpd[21010]: connect from smtp-local.amfeslan.local[192.168.0.11]
Mar  4 23:22:54 mailserver postfix/smtpd[21006]: NOQUEUE: client=unknown[192.168.0.90]
Mar  4 23:22:54 mailserver postfix/smtpd[21010]: F20D476031: client=smtp-local.amfeslan.local[192.168.0.11]
Mar  4 23:22:55 mailserver postfix/cleanup[21011]: F20D476031: message-id=<49af7dc3.10...@amfes.com>
Mar  4 23:22:55 mailserver postfix/qmgr[21005]: F20D476031: from=, size=835, nrcpt=1 (queue active)
Mar  4 23:22:55 mailserver postfix/smtpd[21010]: disconnect from smtp-local.amfeslan.local[192.168.0.11]
Mar  4 23:22:55 mailserver postfix/smtpd[21006]: disconnect from unknown[192.168.0.90]
Mar  4 23:22:55 mailserver postfix/smtp[21012]: F20D476031: to=, relay=mx3.hotmail.com[65.55.37.120]:25, delay=0.42, delays=0.1/0.01/0.18/0.13, dsn=2.0.0, status=sent (250 <49af7dc3.10...@amfes.com> Queued mail for delivery)
Mar  4 23:22:55 mailserver postfix/qmgr[21005]: F20D476031: removed

Now - to see what's broken.  When the smtpd_proxy_filter line is pointed 
to the real proxy, and the proxy is pointed to return to the :325 port, 
my log shows:
Mar  4 23:21:33 mailserver postfix/smtpd[20964]: connect from unknown[192.168.0.90]
Mar  4 23:21:33 mailserver postfix/smtpd[20970]: connect from smtp-local.amfeslan.local[192.168.0.11]
Mar  4 23:21:33 mailserver postfix/smtpd[20964]: NOQUEUE: client=unknown[192.168.0.90]
Mar  4 23:21:33 mailserver postfix/smtpd[20970]: A812D76031: client=smtp-local.amfeslan.local[192.168.0.11]
Mar  4 23:21:33 mailserver postfix/smtpd[20964]: warning: proxy inet:192.168.0.10:225 rejected "DATA": "250 2.1.5 Ok"
Mar  4 23:21:33 mailserver postfix/smtpd[20964]: warning: non-SMTP command from unknown[192.168.0.90]: Message-ID: <49af7d71.70...@amfes.com>
Mar  4 23:21:33 mailserver postfix/smtpd[20964]: disconnect from unknown[192.168.0.90]
Mar  4 23:21:33 mailserver postfix/smtpd[20970]: lost connection after DATA (0 bytes) from smtp-local.amfeslan.local[192.168.0.11]
Mar  4 23:21:33 mailserver postfix/smtpd[20970]: disconnect from smtp-local.amfeslan.local[192.168.0.11]


Does this indicate a Postfix problem?  Or is my proxy filter mangling 
something?

--
Daniel


Re: OT: Diagnose blocked mail

2009-03-04 Thread Bill Weiss
Ray(r...@stilltech.net)@Wed, Mar 04, 2009 at 08:32:40PM -0700:
> On Wednesday 04 March 2009 18:10:22 Bill Weiss wrote:
(lots of content snipped for context)
> > Have you tried getting a pcap while the mystery server is supposed to be
> > sending you mail?
> 
> Haven't done this yet, but I will try it. 
> Assuming that the connection isn't getting to me, what kind of things do I 
> check? 

If bits are leaving one machine and not getting to another, you need to go
step-by-step between them and see where they're getting lost.  Check any
host-based firewalls first, then your upstream router, then upstream of
that... once you're lost in the internet (where you'll have less luck
asking for tap information), ask the other side to do the same thing.

Being able to point at the device and say "bits go in one side of this
but they don't come out the other" means you're most of the way there.

-- 
Bill Weiss
 
What is it with the beard thing.. honestly. Give a man a beard and he
thinks he rules the world... add sandals to that and suddenly they become
a unix expert.
-- Matt Hubbard



Re: OT: Diagnose blocked mail (Summary)

2009-03-04 Thread Ray
Summary:
I realize that the problem most likely is not due to postfix (thus the OT in
the subject), but I figured someone here might have seen this before.

Server is live and fully functional. It deals with thousands of messages per
day and has for over a year. One user can't receive messages from one
contact. That contact doesn't even show up in the logs as spam or lost
connection or anything.

Not previously stated, but I can't find my server name or IP address on any
blacklists, and I did confirm that the email address was correct.

The recommendations made (please correct me if I'm wrong or tell me if I'm
missing anything):

1) have a message sent to another account on same server
2) "smtpd_delay_reject = yes" is set, so try to figure out sending IP address
and search for it in maillog.
3) get administrator of sending server to check his logs
4) pcap during a communication attempt

1 is easy, I'll do this one.
I think I can do 2.
I've already asked for 3 to be done, but it's out of my control.
I'll do number 4 if it comes down to it, but frankly I've never done anything
with packet capture and it's a little intimidating.

Thanks everyone for your input. If I get a resolution, I'll post back.
Ray


Accept undeliverable mails and send NDR

2009-03-04 Thread ram
One of my clients sends mail using a custom application which *cannot*
recognize an smtpd error message, like user-not-found or
invalid-domain, etc.
Now they want our postfix server to accept all mails without checks and
send NDRs for undeliverable mails.

Can I write a special transport in postfix to simply accept the mail and
bounce back for some addresses, so that I waste none of my servers'
processing trying to even deliver these messages?

For example, I would like to have a transport map file like this:

/@hoatmail.com$/ accept_and_bounce:[127.0.0.1]













Re: Spam attacks

2009-03-04 Thread Mihira Fernando
On Wednesday 04 March 2009 20:18:18 Paweł Leśniak wrote:
[snip]
> Sure. I'm sending myself emails sometime. But I'm using server which is
> permitted to send with address from my domain. So that's surely not 100%
> spam when sender eq recipient. But then we come to definition of spam. It's 
> in simple words unwanted message. And when someone spoofs my email address,
> it's certainly not obeying with my image of legit mail
[snip]

Have you ever tried sending an e-greeting to someone via 123greeting.com or 
some other similar site ?

Regards,
Mihira.


OT: Diagnose blocked mail

2009-03-04 Thread Michael Orlitzky

Ray wrote:
> Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC
> (b...@3rdserver.com) I run myserver.com. message goes through to
> b...@3rdserver.com, but not b...@myserver.com.
>
> there is absolutely no trace of alice's domain in the mail logs.


Do you have "smtpd_delay_reject = yes" set in main.cf? If not, searching 
for Alice's domain might not help. In that case, you'd need to search 
for her outgoing mail server's IP address in your logs to see why it is 
unable to connect to your server. Note that it may not be easy (read: 
possible) to determine that IP address without assistance.


If either,

a) you have set smtpd_delay_reject = yes
b) you don't, but can't find her outgoing server IP in the logs, either

then the message is never making it to Postfix. Regardless, the easiest 
and most straight-forward way to solve this is for Alice's mail admin to 
find out where her message went. Even if it's ultimately your fault, he 
or she has a better view of the problem.


Re: OT: Diagnose blocked mail

2009-03-04 Thread Terry Carmen



> > Sorry, I should have filled in all this information before hand :(
> > Server is live and fully functional. it deals with thousands of messages
> > per day and has for over a year. One user can't receive messages from one
> > contact. That contact doesn't even show up in the logs as spam or lost
> > connection or anything.
>
> So, let me see: one user can't receive mail from one specific mail
> address, but can other users receive mail from that address?, ie, if
> al...@example.com sends a mail to us...@myserver.com , is the mail
> delivered?



If your server is running and postfix is logging normally and there are 
no log entries for the missing message, it means that the message isn't 
making it as far as your postfix server, it's not a postfix problem and 
you need to look elsewhere.


Even if it's being eaten by another app (amavis, a poorly written 
filter, etc.), there will still be a log entry showing where postfix 
accepted or rejected the message. No log entry means you're looking in 
the wrong place.


Terry





Re: to/orig_to control

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 20:29, Victor Duchovni wrote:
> Add "-v" to the cleanup(8) service to see where the change was made.

cleanup   unix  n   -   n   -   0   cleanup  -v

That REALLY broke things.

Lots of stuff, ending with:

Mar  4 20:58:22 mail postfix/cleanup[55873]: cleanup socket: wanted attribute: flags
Mar  4 20:58:22 mail postfix/cleanup[55873]: input attribute name: flags
Mar  4 20:58:22 mail postfix/cleanup[55873]: input attribute value: 178
Mar  4 20:58:22 mail postfix/cleanup[55873]: cleanup socket: wanted attribute: (list terminator)
Mar  4 20:58:22 mail postfix/cleanup[55873]: input attribute name: (end)
Mar  4 20:58:22 mail postfix/cleanup[55873]: panic: cleanup_strflags: unrecognized flag value(s) 0x80
Mar  4 20:58:23 mail postfix/master[1001]: warning: process /usr/local/libexec/postfix/cleanup pid 55873 killed by signal 6
Mar  4 20:58:23 mail postfix/master[1001]: warning: /usr/local/libexec/postfix/cleanup: bad command startup -- throttling

I turned off -v and the crashing stopped. I see Wietse posted a fix to
this in March of last year. *cough*


I'm thinking it's time to upgrade postfix (Postfix 2.5.1 20080216)  
anyway... 2.5.6 coming up, I think.


--
I'm no psychologist (although I play one when I'm picking up chicks
over by the asylum)



Re: to/orig_to control

2009-03-04 Thread LuKreme


On 4-Mar-2009, at 20:29, Victor Duchovni wrote:
> On Wed, Mar 04, 2009 at 08:17:27PM -0700, LuKreme wrote:
>> On 4-Mar-2009, at 19:37, Victor Duchovni wrote:
>>> On Wed, Mar 04, 2009 at 07:26:34PM -0700, LuKreme wrote:
>>>> $ grep southgaylord.com /var/log/maillog| grep orig_to | grep john | awk '{print $7" "$8}'
>>>> to=, orig_to=,
>>>> to=, orig_to=,
>>>
>>> hiding the full logging for the message in question is not helpful. Do
>>> ditch the awk script and report all other entries for the same queue-id.
>>
>> Sorry, I wasn't trying to hide it, just paste the relevant parts and the
>> rest didn't look useful to me, but perhaps you can glean more from it:
>
> Yes, and where are the other log entries for this queue-id?

I pasted them below the two log entries:

Mar  4 06:02:06 mail postfix/smtpd[89239]: E3A33118AE0A: client=mm-retail-out-174-146.amazon.com[207.171.174.146]
Mar  4 06:02:07 mail postfix/cleanup[89353]: E3A33118AE0A: message-id=<7604183.429751236171663751.javamail.em-bu...@na-mm2-relay.amazon.com>
Mar  4 06:02:07 mail postfix/qmgr[1026]: E3A33118AE0A: from=>, size=44613, nrcpt=1 (queue active)
Mar  4 06:02:13 mail postfix/local[89354]: E3A33118AE0A: to=>, orig_to=, relay=local, delay=6.4, delays=0.84/0.02/0/5.5, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)
Mar  4 06:02:13 mail postfix/qmgr[1026]: E3A33118AE0A: removed
Mar  4 07:50:45 mail postfix/smtpd[95626]: DA587118B79F: client=ccm29.constantcontact.com[208.75.123.225]
Mar  4 07:50:46 mail postfix/cleanup[95831]: DA587118B79F: message-id=<1102486963097.1102192950259.179872.8.10083...@scheduler>
Mar  4 07:50:46 mail postfix/qmgr[1026]: DA587118B79F: from=>, size=14146, nrcpt=1 (queue active)
Mar  4 07:50:52 mail postfix/local[95833]: DA587118B79F: to=>, orig_to=, relay=local, delay=6.5, delays=0.36/0/0/6.2, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)
Mar  4 07:50:52 mail postfix/qmgr[1026]: DA587118B79F: removed

That is everything there is for those two messages.

> Add "-v" to the cleanup(8) service to see where the change was made.

I'll do that now


--
The quality of our thoughts and ideas can only be as good as the quality
of our language.



Re: OT: Diagnose blocked mail

2009-03-04 Thread Ray
On Wednesday 04 March 2009 17:49:57 Jose Ildefonso Camargo Tolosa wrote:
> Hi!
>
> On Thu, Mar 5, 2009 at 7:11 PM, Ray  wrote:
> > On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote:
> >> On Thursday, March 05, 2009 at 00:26 CET,
> >>
> >>      Ray  wrote:
> >> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> >> > > Ray wrote:
> >> > > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC
> >> > > > (b...@3rdserver.com) I run myserver.com. message goes through to
> >> > > > b...@3rdserver.com, but not b...@myserver.com.
> >> > > > there is absolutely no trace of alice's domain in the mail logs.
> >> > > >
> >> > > > am I being blocked up stream, is my server discarding the mail
> >> > > > somewhere or ...?
> >> > > >
> >> > > > any suggestions including alternate mail lists or google search
> >> > > > terms very much appreciated.
> >> > >
> >> > > Post the appropriate section of /var/log/maillog showing the
> >> > > misbehaving transfer.
> >> >
> >> > That's the problem, there's nothing in the logs.
> >>
> >> Is Postfix running?
> >> Is it accepting port 25 connections on the Internet-facing network
> >> interface? Is there any firewall in the way?
> >> Are the MX records pointing towards your server?
> >> Does your ISP block inbound port 25?
> >> Can you connect to port 25 from an outside network?
> >> ...
> >
> > Sorry, I should have filled in all this information before hand :(
> > Server is live and fully functional. it deals with thousands of messages
> > per day and has for over a year. One user can't receive messages from one
> > contact. That contact doesn't even show up in the logs as spam or lost
> > connection or anything.
>
> So, let me see: one user can't receive mail from one specific mail
> address, but can other users receive mail from that address?, ie, if
> al...@example.com sends a mail to us...@myserver.com , is the mail
> delivered?
>

Haven't tested that yet. My gut feeling is no, but I will test.

> Do you have some kind of spam filter "before" your actual mail server?
>  if yes: which one, and: can you temporarily disable/remove it and
> test?
>

Unless my IP is blocking specific email addresses or domains,
the entire mail system consists of postfix, dovecot, amavisd new, clamav and
spamassassin running under FreeBSD 7.0. All of the mail components log to the
same file.
Ray


> I hope this helps,
>
> Ildefonso Camargo



Re: OT: Diagnose blocked mail

2009-03-04 Thread Ray
On Wednesday 04 March 2009 18:10:22 Bill Weiss wrote:
> Ray(r...@stilltech.net)@Wed, Mar 04, 2009 at 04:46:21PM -0700:
> > On Wednesday 04 March 2009 16:37:37 /dev/rob0 wrote:
> > > On Wed March 4 2009 17:26:01 Ray wrote:
> > > > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > > > Ray wrote:
> > > > > > Hello,
> > > > > > I'm having an issue with mail being blocked (I think) and I was
> > > > > > hoping that someone here would give me an idea on where to get
> > > > > > started.
> > > > > >
> > > > > > here's the situation. (Made up names)
> > >
> > > Unfortunately, made up (misappropriated) domain names as well. Your
> > > problem is most likely either broken DNS or as you suggest, some kind
> > > of firewall blocking. We can't help with any of that if you don't use
> > > real domain names.
> >
> > receiving domain is aplustaxi.ca
>
> Your DNS and firewall look ok from here:
>
> houd...@www ~ % dig aplustaxi.ca any +short
> 10 mail.geekdelivery.com.
> 206.75.152.197
> houd...@www ~ % dig mail.geekdelivery.com any +short
> 206.75.152.197
> houd...@www ~ % telnet mail.geekdelivery.com 25
> Trying 206.75.152.197...
> Connected to mail.geekdelivery.com.
> Escape character is '^]'.
> 220 mail.geekdelivery.com ESMTP Postfix
> HELO clanspum.net
> 250 mail.geekdelivery.com
> MAIL FROM: 
> 250 2.1.0 Ok
> RCPT TO: 
> 250 2.1.5 Ok
> RSET
> 250 2.0.0 Ok
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
> houd...@www ~ %
>
> Have you tried getting a pcap while the mystery server is supposed to be
> sending you mail?
>

Haven't done this yet, but I will try it. 
Assuming that the connection isn't getting to me, what kind of things do I 
check? 

> --
> Bill Weiss
>  
> C has all the expressive power of two dixie cups and a string.
>     -- Jamie Zawinski



Re: to/orig_to control

2009-03-04 Thread Victor Duchovni
On Wed, Mar 04, 2009 at 08:17:27PM -0700, LuKreme wrote:

> On 4-Mar-2009, at 19:37, Victor Duchovni wrote:
>> On Wed, Mar 04, 2009 at 07:26:34PM -0700, LuKreme wrote:
>>> $ grep southgaylord.com /var/log/maillog| grep orig_to | grep john | awk
>>> '{print $7" "$8}'
>>> to=, orig_to=,
>>> to=, orig_to=,
>>
>> hiding the full logging for the message in question is not helpful. Do
>> ditch the awk script and report all other entries for the same queue-id.
>
>
> Sorry, I wasn't trying to hide it, just paste the relvenat parts and the 
> rest didn't look useful to me, but perhaps you can glean more from it:

Yes, and where are the other log entries for this queue-id?

> Mar  4 06:02:06 mail postfix/smtpd[89239]: E3A33118AE0A: 
> client=mm-retail-out-174-146.amazon.com[207.171.174.146]
> Mar  4 06:02:07 mail postfix/cleanup[89353]: E3A33118AE0A: 
> message-id=<7604183.429751236171663751.javamail.em-bu...@na-mm2-relay.amazon.com>
> Mar  4 06:02:07 mail postfix/qmgr[1026]: E3A33118AE0A: 
> from=, 
> size=44613, nrcpt=1 (queue active)
> Mar  4 06:02:13 mail postfix/local[89354]: E3A33118AE0A: 
> to=, orig_to=, relay=local, 
> delay=6.4, delays=0.84/0.02/0/5.5, dsn=2.0.0, status=sent (delivered to 
> command: /usr/local/bin/procmail -t -a $EXTENSION)
> Mar  4 06:02:13 mail postfix/qmgr[1026]: E3A33118AE0A: removed

This message was rewritten by cleanup using one of the standard rewriting
mechanisms, typically: canonical_maps or virtual_alias_maps. If you are
using milters or Mailscanner, perhaps the envelope got modified there.

Add "-v" to the cleanup(8) service to see where the change was made.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
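
The request made in this thread (show every log entry for the same queue-id, then look at where to= and orig_to= differ) can be scripted. This is an added example, not part of the original thread: the function names, the queue IDs and the log lines are constructed for illustration, and it assumes the short hexadecimal queue IDs seen in the logs above.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# trace_queue_ids LOGFILE PATTERN
# Pass 1 collects the queue IDs of lines matching PATTERN (an awk regex);
# pass 2 prints every line carrying one of those IDs, so the smtpd, cleanup,
# qmgr and delivery entries of a message stay together.
trace_queue_ids() {
    awk -v pat="$2" '
        # The queue ID is the field after "postfix/<service>[pid]:"
        function qid(   i) {
            for (i = 1; i < NF; i++)
                if ($i ~ /^postfix\/[a-z]+\[[0-9]+\]:$/ && $(i+1) ~ /^[0-9A-F]+:$/)
                    return substr($(i+1), 1, length($(i+1)) - 1)
            return ""
        }
        NR == FNR { if ($0 ~ pat && (id = qid()) != "") want[id] = 1; next }
        { id = qid(); if (id in want) print }
    ' "$1" "$1"
}

# rewritten_recipients LOGFILE
# Prints "QUEUEID original -> final" for each delivery whose logged
# orig_to= differs from to=, i.e. the envelope recipient was rewritten.
rewritten_recipients() {
    awk '
        / orig_to=</ {
            to = ""; orig = ""; id = ""
            for (i = 1; i <= NF; i++) {
                if (id == "" && $i ~ /^[0-9A-F]+:$/) id = substr($i, 1, length($i) - 1)
                if ($i ~ /^to=</)      to = $i
                if ($i ~ /^orig_to=</) orig = $i
            }
            sub(/^to=</, "", to);        sub(/>,?$/, "", to)
            sub(/^orig_to=</, "", orig); sub(/>,?$/, "", orig)
            if (to != orig) print id, orig, "->", to
        }
    ' "$1"
}

# Constructed sample log: two interleaved messages, one with a rewritten recipient.
sample_log() {
    cat <<'EOF'
Mar  4 06:02:06 mail postfix/smtpd[101]: 4F1A2B3C4D: client=mx.example.com[192.0.2.10]
Mar  4 06:02:07 mail postfix/cleanup[102]: 4F1A2B3C4D: message-id=<a1@example.com>
Mar  4 06:02:07 mail postfix/qmgr[50]: 4F1A2B3C4D: from=<news@example.com>, size=4461, nrcpt=1 (queue active)
Mar  4 06:02:09 mail postfix/smtpd[103]: 9E8D7C6B5A: client=mx.example.net[198.51.100.7]
Mar  4 06:02:13 mail postfix/local[104]: 4F1A2B3C4D: to=<john@example.org>, orig_to=<j.smith@example.org>, relay=local, delay=6.4, dsn=2.0.0, status=sent (delivered to command: procmail)
Mar  4 06:02:13 mail postfix/qmgr[50]: 4F1A2B3C4D: removed
Mar  4 06:02:14 mail postfix/local[105]: 9E8D7C6B5A: to=<kate@example.org>, relay=local, delay=5.0, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  4 06:02:14 mail postfix/qmgr[50]: 9E8D7C6B5A: removed
EOF
}

# Demo on the constructed sample
log=$(mktemp) && sample_log > "$log"
trace_queue_ids "$log" 'orig_to=<j[.]smith@'
rewritten_recipients "$log"
rm -f "$log"
```

On a real server, pass /var/log/maillog (or wherever syslog writes mail entries) as LOGFILE.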


Re: to/orig_to control

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 19:37, Victor Duchovni wrote:
> On Wed, Mar 04, 2009 at 07:26:34PM -0700, LuKreme wrote:
>> $ grep southgaylord.com /var/log/maillog| grep orig_to | grep john | awk '{print $7" "$8}'
>> to=, orig_to=,
>> to=, orig_to=,
>
> hiding the full logging for the message in question is not helpful. Do
> ditch the awk script and report all other entries for the same queue-id.

Sorry, I wasn't trying to hide it, just paste the relevant parts and
the rest didn't look useful to me, but perhaps you can glean more from
it:

Mar  4 06:02:13 mail postfix/local[89354]: E3A33118AE0A: to=>, orig_to=, relay=local, delay=6.4, delays=0.84/0.02/0/5.5, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)
Mar  4 07:50:52 mail postfix/local[95833]: DA587118B79F: to=>, orig_to=, relay=local, delay=6.5, delays=0.36/0/0/6.2, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)

and

Mar  4 06:02:06 mail postfix/smtpd[89239]: E3A33118AE0A: client=mm-retail-out-174-146.amazon.com[207.171.174.146]
Mar  4 06:02:07 mail postfix/cleanup[89353]: E3A33118AE0A: message-id=<7604183.429751236171663751.javamail.em-bu...@na-mm2-relay.amazon.com>
Mar  4 06:02:07 mail postfix/qmgr[1026]: E3A33118AE0A: from=>, size=44613, nrcpt=1 (queue active)
Mar  4 06:02:13 mail postfix/local[89354]: E3A33118AE0A: to=>, orig_to=, relay=local, delay=6.4, delays=0.84/0.02/0/5.5, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)
Mar  4 06:02:13 mail postfix/qmgr[1026]: E3A33118AE0A: removed
Mar  4 07:50:45 mail postfix/smtpd[95626]: DA587118B79F: client=ccm29.constantcontact.com[208.75.123.225]
Mar  4 07:50:46 mail postfix/cleanup[95831]: DA587118B79F: message-id=<1102486963097.1102192950259.179872.8.10083...@scheduler>
Mar  4 07:50:46 mail postfix/qmgr[1026]: DA587118B79F: from=>, size=14146, nrcpt=1 (queue active)
Mar  4 07:50:52 mail postfix/local[95833]: DA587118B79F: to=>, orig_to=, relay=local, delay=6.5, delays=0.36/0/0/6.2, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)
Mar  4 07:50:52 mail postfix/qmgr[1026]: DA587118B79F: removed

and the first message quite happily went off to live in
/home/john/Maildir/new/ and the second I believe went to /dev/null as Spam.


--
if you ever get that chimp of your back, if you ever find the thing
you lack, ah but you know you're only having a laugh.  Oh, oh
here we go again -- until the end.



Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread Jorey Bump
LuKreme wrote, at 03/04/2009 09:25 PM:
> On 4-Mar-2009, at 19:12, Jorey Bump wrote:
>> LuKreme wrote, at 03/04/2009 05:24 PM:
>>> On 4-Mar-2009, at 14:33, Jorey Bump wrote:
>>>> smtpd_tls_security_level should be used instead.
>>>
>>> Not if you don't want to force TLS on the submission port it shouldn't.
>>
>> The context is irrelevant.
> 
> Of course the context is relevant since the original poster did not want
> TLS *AT ALL* on the submission port.  Which syntax is right for enabling
> a feature he DOESN'T WANT is silliness.

Please read postconf(5). The recommended syntax for disabling TLS is:

 smtpd_tls_security_level=none

The deprecated syntax is:

 smtpd_enforce_tls=no

The OP was using both parameters with conflicting values:

 -o smtpd_tls_security_level=encrypt
 -o smtpd_enforce_tls=no

He solved his original problem by removing the recommended parameter and
leaving the deprecated one. In this case, he should have removed
smtpd_enforce_tls and set smtpd_tls_security_level appropriately.

It is not silliness to advise him to use the recommended syntax. Nor is
it inappropriate to point out the pitfalls of the proposed setting,
especially when he asked for suggestions.




Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread Jorey Bump
J.P. Trosclair wrote, at 03/04/2009 05:01 PM:

> I'll research the smtpd_tls_security_level option further. It didn't
> present a problem until I started working on this specific feature with
> the white lists. I have created another smtpd instance to forward white
> listed domains to rather than trying to utilize the submission port. I
> felt like I was over-complicating (because of archiving with *_bcc_maps
> and duplicate mails) the functionality of the submission service and
> thus headed down a bumpy road, maybe I'm wrong about this though. At the
> same time the submission service seems like the ideal place to hand this
> mail over to for final delivery since it's intended (for us) to allow
> trusted clients to bypass filtering and spam checks.

Yes, it can be. For example, it's perfectly reasonable to include
mynetworks in the submission port's smtpd_client_restrictions, then add
whitelisted hosts to mynetworks. But this is really true only for hosts
under your control, and not recommended for whitelisting whole external
domains. For obvious reasons, it would be insane to add gmail.com to
mynetworks.

Unfortunately, your originally proposed solution weakens security for
all clients using the submission port, including authenticating clients.
A workaround is possible with these settings:

 -o smtpd_tls_security_level=may
 -o smtpd_tls_auth_only=yes

But I would discourage this approach on the public submission port, as
it's best to provide maximum security by encrypting all connections.
When you must relax this restriction, add another port to master.cf that
you can fine-tune for the intended purpose. This also allows you to
apply firewall rules that would be inappropriate for a public submission
service on port 587, enabling you to lock it down tightly.
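
The conflicting pair of overrides discussed in this thread can be caught mechanically before a reload. This is an added example, not code from the thread or from Postfix: the function names, the sample master.cf and the extra listener ports 10587 and 2525 are constructed, and it only inspects "-o name=value" overrides in master.cf, not main.cf.

```shell
#!/bin/sh
# Added example (not from the thread). Sample master.cf below is constructed.

# audit_tls_overrides MASTER_CF
# Groups each service entry with its continuation lines (lines that start
# with whitespace) and reports, per service:
#   CONFLICT    both smtpd_enforce_tls and smtpd_tls_security_level are set
#   DEPRECATED  only the deprecated smtpd_enforce_tls is set
audit_tls_overrides() {
    awk '
        function report() {
            if (svc == "") return
            if (enforce != "" && level != "")
                print "CONFLICT", svc, "smtpd_tls_security_level=" level, "smtpd_enforce_tls=" enforce
            else if (enforce != "")
                print "DEPRECATED", svc, "smtpd_enforce_tls=" enforce
        }
        /^[ \t]*#/ { next }          # comment lines
        /^[ \t]*$/ { next }          # blank lines
        /^[^ \t]/  { report(); svc = $1; enforce = ""; level = "" }   # new service entry
        {
            # -o overrides may sit on the service line or on continuation lines
            for (i = 1; i < NF; i++) {
                if ($i != "-o") continue
                split($(i+1), kv, "=")
                if (kv[1] == "smtpd_enforce_tls")        enforce = kv[2]
                if (kv[1] == "smtpd_tls_security_level") level = kv[2]
            }
        }
        END { report() }
    ' "$1"
}

# Constructed master.cf: the conflicting pair from the thread on submission,
# a deprecated-only listener, and a listener using the settings suggested above.
sample_master_cf() {
    cat <<'EOF'
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_enforce_tls=no
# hypothetical extra listeners
10587      inet  n  -  -  -  -  smtpd
  -o smtpd_enforce_tls=no
2525       inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=yes
EOF
}

# Demo on the constructed sample
cf=$(mktemp) && sample_master_cf > "$cf"
audit_tls_overrides "$cf"
rm -f "$cf"
```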




Re: to/orig_to control

2009-03-04 Thread Victor Duchovni
On Wed, Mar 04, 2009 at 07:26:34PM -0700, LuKreme wrote:

> $ grep southgaylord.com /var/log/maillog| grep orig_to | grep john | awk 
> '{print $7" "$8}'
> to=, orig_to=,
> to=, orig_to=,

hiding the full logging for the message in question is not helpful. Do
ditch the awk script and report all other entries for the same queue-id.

-- 
Viktor.



Re: to/orig_to control

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 17:13, Victor Duchovni wrote:
> On Wed, Mar 04, 2009 at 05:07:44PM -0700, LuKreme wrote:
>> If j...@example.com is not in /etc/postfix/virtual, where else could this
>> be controlled?
>
> See above. Consider also that the rewrite could be based on a partial
> match of either the domain or a bare user name (if the domain is "local").

I am REALLY confused then:

$ grep -ir john /etc/postfix
/etc/postfix/dist-postgrey_whitelist_clients:# messagelabs.com (big pool, reported by John Tobin)
$ grep -ir nutters2-admin /etc/postfix
/etc/postfix/aliases:nutters2-admin:"|/usr/local/mailman/mail/mailman admin nutters2"
/etc/postfix/virtual:nutters2-ad...@southgaylord.com nutters2-ad...@covisp.net
/etc/postfix/postgrey_whitelist_recipients:nutters2-admin@
Binary file /etc/postfix/aliases.db matches
Binary file /etc/postfix/virtual.db matches
$ grep southgaylord.com /var/log/maillog| grep orig_to | grep john | awk '{print $7" "$8}'
to=, orig_to=,
to=, orig_to=,

--
Generalizations are always inaccurate.  -Mugsy



Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 19:12, Jorey Bump wrote:
> LuKreme wrote, at 03/04/2009 05:24 PM:
>> On 4-Mar-2009, at 14:33, Jorey Bump wrote:
>>> smtpd_tls_security_level should be used instead.
>>
>> Not if you don't want to force TLS on the submission port it shouldn't.
>
> The context is irrelevant.

Of course the context is relevant since the original poster did not
want TLS *AT ALL* on the submission port.  Which syntax is right for
enabling a feature he DOESN'T WANT is silliness.



--
In my world there are people in chains and you can ride them like
ponies



Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread Jorey Bump
LuKreme wrote, at 03/04/2009 05:24 PM:
> On 4-Mar-2009, at 14:33, Jorey Bump wrote:
>> smtpd_tls_security_level should be used instead.
> 
> Not if you don't want to force TLS on the submission port it shouldn't.

The context is irrelevant. smtpd_tls_security_level is the new parameter
that replaces smtpd_enforce_tls, which is still available for backwards
compatibility.

postconf(5) has this to say about smtpd_enforce_tls:

  This  feature  is  available  in  Postfix  2.2  and  later.  With
  Postfix 2.3 and later use smtpd_tls_security_level instead.





Re: OT: Diagnose blocked mail

2009-03-04 Thread Bill Weiss
Ray(r...@stilltech.net)@Wed, Mar 04, 2009 at 04:46:21PM -0700:
> On Wednesday 04 March 2009 16:37:37 /dev/rob0 wrote:
> > On Wed March 4 2009 17:26:01 Ray wrote:
> > > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > > Ray wrote:
> > > > > Hello,
> > > > > I'm having an issue with mail being blocked (I think) and I was
> > > > > hoping that someone here would give me an idea on where to get
> > > > > started.
> > > > >
> > > > > here's the situation. (Made up names)
> >
> > Unfortunately, made up (misappropriated) domain names as well. Your
> > problem is most likely either broken DNS or as you suggest, some kind
> > of firewall blocking. We can't help with any of that if you don't use
> > real domain names.
> >
> 
> receiving domain is aplustaxi.ca

Your DNS and firewall look ok from here:

houd...@www ~ % dig aplustaxi.ca any +short
10 mail.geekdelivery.com.
206.75.152.197
houd...@www ~ % dig mail.geekdelivery.com any +short
206.75.152.197
houd...@www ~ % telnet mail.geekdelivery.com 25
Trying 206.75.152.197...
Connected to mail.geekdelivery.com.
Escape character is '^]'.
220 mail.geekdelivery.com ESMTP Postfix
HELO clanspum.net
250 mail.geekdelivery.com
MAIL FROM: 
250 2.1.0 Ok
RCPT TO: 
250 2.1.5 Ok
RSET
250 2.0.0 Ok
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
houd...@www ~ % 

Have you tried getting a pcap while the mystery server is supposed to be
sending you mail?

-- 
Bill Weiss
 
C has all the expressive power of two dixie cups and a string.
-- Jamie Zawinski



Re: OT: Diagnose blocked mail

2009-03-04 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Thu, Mar 5, 2009 at 7:11 PM, Ray  wrote:
> On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote:
>> On Thursday, March 05, 2009 at 00:26 CET,
>>
>>      Ray  wrote:
>> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
>> > > Ray wrote:
>> > > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC
>> > > > (b...@3rdserver.com) I run myserver.com. message goes through to
>> > > > b...@3rdserver.com, but not b...@myserver.com.
>> > > > there is absolutely no trace of alice's domain in the mail logs.
>> > > >
>> > > > am I being blocked up stream, is my server discarding the mail
>> > > > somewhere or ...?
>> > > >
>> > > > any suggestions including alternate mail lists or google search
>> > > > terms very much appreciated.
>> > >
>> > > Post the appropriate section of /var/log/maillog showing the
>> > > misbehaving transfer.
>> >
>> > That's the problem, there's nothing in the logs.
>>
>> Is Postfix running?
>> Is it accepting port 25 connections on the Internet-facing network
>> interface? Is there any firewall in the way?
>> Are the MX records pointing towards your server?
>> Does your ISP block inbound port 25?
>> Can you connect to port 25 from an outside network?
>> ...
> Sorry, I should have filled in all this information before hand :(
> Server is live and fully functional. it deals with thousands of messages per
> day and has for over a year. One user can't receive messages from one contact.
> That contact doesn't even show up in the logs as spam or lost connection or
> anything.

So, let me see: one user can't receive mail from one specific mail
address, but can other users receive mail from that address?, ie, if
al...@example.com sends a mail to us...@myserver.com , is the mail
delivered?

Do you have some kind of spam filter "before" your actual mail server?
 if yes: which one, and: can you temporarily disable/remove it and
test?

I hope this helps,

Ildefonso Camargo


Re: escape "^From "

2009-03-04 Thread Victor Duchovni
On Wed, Mar 04, 2009 at 05:11:02PM -0700, LuKreme wrote:

> On 4-Mar-2009, at 15:28, mouss wrote:
>> LuKreme wrote:
>>> What controls escaping "From " in the body of a mail message if it's at
>>> the start of a line? Since I've switched everyone over to Maildir, it
>>> seems silly to do this anymore, but I can't find the setting.  In fact,
>>> I'm not even sure it's in postfix at all.
>>
>> look at what you use to deliver mail.
>
>
> the LDA? that's procmail, but it knows it's delivering to Maildir/ also.  

How are you invoking procmail? pipe(8) provides controls for this, and
local(8) only does this when delivering to an mbox file.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Blocking a domain and user

2009-03-04 Thread Jim McIver



/dev/rob0 wrote:
> Please don't top-post. Thank you.
>
> On Wed March 4 2009 17:10:49 Jim McIver wrote:
>> Guess I'm confused. I have a relay_recipient and recipient_access
>> files listing only valid user's email addresses for my company.
>> ie..
>> relay_recipients
>> bg...@lmtribune.com any_value
>> bi...@lmtribune.com any_value
>> bjohn...@lmtribune.com  any_value
>>
>> recipient_access
>> bg...@lmtribune.com permissive
>> bi...@lmtribune.com permissive
>> bjohn...@lmtribune.com  permissive
>
> This sounds right. You could use the same map for both purposes.
> There's nothing magical about "any_value", in fact, the lookup result
> for relay_recipient_maps is ignored. So it might as well be
> "permissive" or "restrictive" or whatever.
>
>> and nothing in virtual_alias_maps. I just seem to be getting hammered
>> with yahoo.co.jp and wanted to block .co.jp or even .jp.
>>
>> Putting info in putting .jp in access_client, sender_access or
>> client_access doesn't seem to stop it.
>> Sorry for my lack of understanding.
>
> Show the logs for the suspicious mailq entries when they first arrived.
> Not the smtp(8) logs showing you being blocked by yahoo.co.jp's MX
> hosts.
>
> My WAG here: your Postfix configuration is correct, rejecting unknown
> recipients, but the @yahoo.co.jp senders originated from your own
> server. Compromised HTTP+PHP service?

Here's a snippet from maillog, but not sure if it's what you're looking for:
Mar  4 15:10:13 mail postfix/smtpd[56190]: warning: Illegal address syntax from unknown[113.9.198.198] in MAIL command: bikedev...@yahoo.co.jp
Mar  4 15:10:15 mail postfix/smtpd[56172]: warning: 81.25.227.150: address not listed for hostname mail.medterm.od.ua
Mar  4 15:10:15 mail postfix/smtpd[56172]: connect from unknown[81.25.227.150]
Mar  4 15:10:15 mail postfix/smtpd[56190]: NOQUEUE: reject_warning: RCPT from unknown[113.9.198.198]: 450 Client host rejected: cannot find your hostname, [113.9.198.198]; from= to= proto=SMTP helo=
Mar  4 15:10:15 mail postfix/smtpd[56190]: E35C331: client=unknown[113.9.198.198]
Mar  4 15:10:18 mail postfix/cleanup[56217]: E35C331: message-id=<20090304231015.e35c...@mail.lmtribune.com>
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: from=, size=966, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/smtp[56178]: E35C331: to=, relay=127.0.0.1[127.0.0.1], delay=3, status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing request - domain in BLACK LIST. (in reply to MAIL FROM command))
Mar  4 15:10:18 mail postfix/cleanup[56175]: 5ABF260: message-id=<20090304231018.5abf...@mail.lmtribune.com>
Mar  4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>, size=2926, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: removed
Mar  4 15:10:19 mail postfix/smtpd[56190]: disconnect from unknown[113.9.198.198]
Mar  4 15:10:20 mail postfix/smtp[56178]: 5ABF260: to=, relay=mx1.mail.yahoo.co.jp[124.83.171.181], delay=2, status=bounced (host mx1.mail.yahoo.co.jp[124.83.171.181] said: 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1) bikedev...@yahoo.co.jp (in reply to RCPT TO command))
Mar  4 15:10:21 mail postfix/qmgr[56169]: 5ABF260: removed
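
Added example, not part of the thread or of Postfix: a small Python parser for a maillog like the one above. It groups lines by queue ID and, for every message that was accepted and then bounced, reports whether it entered through smtpd (with the client IP) or through local pickup (with the submitting uid), what happened to the null-sender notification that followed, and which rejections for that client were only logged as reject_warning. The sample log is constructed (invented addresses, documentation IP ranges, pickup lines added for contrast), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the maillog excerpt in the post above.
# Addresses are invented, IPs are documentation ranges, and the pickup
# chain (7C1D2A0 / 7C9E4B1) is added to show a locally submitted message.
SAMPLE_LOG = """\
Mar  4 15:10:15 mail postfix/smtpd[56190]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.7]: 450 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<forged@sender.example> to=<nobody@victim.example> proto=SMTP helo=<pc>
Mar  4 15:10:15 mail postfix/smtpd[56190]: E35C331: client=unknown[203.0.113.7]
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: from=<forged@sender.example>, size=966, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/smtp[56178]: E35C331: to=<nobody@victim.example>, relay=127.0.0.1[127.0.0.1], delay=3, status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing request (in reply to MAIL FROM command))
Mar  4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>, size=2926, nrcpt=1 (queue active)
Mar  4 15:10:20 mail postfix/smtp[56178]: 5ABF260: to=<forged@sender.example>, relay=mx.sender.example[198.51.100.9], delay=2, status=bounced (host mx.sender.example[198.51.100.9] said: 553 no such user (in reply to RCPT TO command))
Mar  4 15:12:01 mail postfix/pickup[56301]: 7C1D2A0: uid=80 from=<other@sender.example>
Mar  4 15:12:01 mail postfix/qmgr[56169]: 7C1D2A0: from=<other@sender.example>, size=1200, nrcpt=1 (queue active)
Mar  4 15:12:03 mail postfix/smtp[56178]: 7C1D2A0: to=<x@remote.example>, relay=mx.remote.example[198.51.100.20], delay=2, status=bounced (host mx.remote.example[198.51.100.20] said: 550 rejected (in reply to RCPT TO command))
Mar  4 15:12:03 mail postfix/qmgr[56169]: 7C9E4B1: from=<>, size=3100, nrcpt=1 (queue active)
Mar  4 15:12:05 mail postfix/smtp[56178]: 7C9E4B1: to=<other@sender.example>, relay=mx.sender.example[198.51.100.9], delay=2, status=sent (250 ok)
Mar  4 15:13:00 mail postfix/smtpd[56190]: 8A00F12: client=gw.partner.example[192.0.2.44]
Mar  4 15:13:00 mail postfix/qmgr[56169]: 8A00F12: from=<alice@partner.example>, size=800, nrcpt=1 (queue active)
Mar  4 15:13:01 mail postfix/local[56400]: 8A00F12: to=<bob@victim.example>, relay=local, delay=1, status=sent (delivered to mailbox)
"""

# Short (hexadecimal) queue IDs only; long queue IDs are not handled here.
LINE_RE = re.compile(r"postfix[\w-]*/[\w-]+\[\d+\]: (?P<qid>NOQUEUE|[0-9A-F]{5,}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=[^\[]*\[(?P<ip>[^\]]+)\]")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*?status=(?P<status>\w+)")
WARN_RE = re.compile(r"reject_warning: \w+ from [^\[]*\[(?P<ip>[^\]]+)\]: (?P<reply>\d{3} [^;]*);")


def parse(log_text):
    """Collect per-queue-ID facts and the warn-only rejections per client IP."""
    msgs = defaultdict(lambda: {"origin": None, "sender": None, "deliveries": []})
    warn_only = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if qid == "NOQUEUE":
            # reject_warning: the restriction matched but was not enforced.
            if (w := WARN_RE.match(rest)):
                warn_only[w["ip"]].append(w["reply"])
        elif (c := CLIENT_RE.match(rest)):
            msgs[qid]["origin"] = "smtpd:" + c["ip"]          # arrived over SMTP
        elif (p := PICKUP_RE.match(rest)):
            msgs[qid]["origin"] = "pickup:uid=" + p["uid"]    # submitted on this host
        elif (f := FROM_RE.match(rest)):
            msgs[qid]["sender"] = f["addr"].lower()
        elif (t := TO_RE.match(rest)):
            msgs[qid]["deliveries"].append((t["addr"].lower(), t["status"]))
    return msgs, warn_only


def trace_bounces(log_text):
    """One record per accepted-then-bounced message, with origin and follow-up."""
    msgs, warn_only = parse(log_text)
    # Null-sender (from=<>) notifications, indexed by the address they went to.
    notices = defaultdict(list)
    for qid, m in msgs.items():
        if m["sender"] == "":
            for rcpt, status in m["deliveries"]:
                notices[rcpt].append((qid, status))
    report = []
    for qid, m in msgs.items():
        if not m["sender"]:
            continue  # a notification itself, or a record with no from= line
        if not any(status == "bounced" for _, status in m["deliveries"]):
            continue
        origin = m["origin"] or "unknown"
        ip = origin[len("smtpd:"):] if origin.startswith("smtpd:") else None
        report.append({
            "qid": qid,
            "origin": origin,
            "sender": m["sender"],
            # Heuristic: notifications are matched to the original by address.
            "notifications": notices.get(m["sender"], []),
            "warn_only": warn_only.get(ip, []),
        })
    return report


if __name__ == "__main__":
    for rec in trace_bounces(SAMPLE_LOG):
        print(rec)
```

A record whose origin starts with `smtpd:` was accepted from the network before it bounced; one starting with `pickup:` was submitted on the mail server itself, and the uid identifies the local account that submitted it.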




Re: to/orig_to control

2009-03-04 Thread Victor Duchovni
On Wed, Mar 04, 2009 at 05:07:44PM -0700, LuKreme wrote:

> when you have "to=, orig_to=" in the 
> maillog file, that translation is handled by /etc/postfix/virtual, isn't 
> it?

No, by any mechanism that rewrites the envelope recipient in cleanup(8):

recipient_canonical_maps
canonical_maps
recipient_canonical_maps
masquerade_domains (if masquerade_classes includes "envelope_recipient")
virtual_alias_maps

and you can use various tables with each of these.

> If j...@example.com is not in /etc/postfix/virtual, where else could this 
> be controlled?

See above. Consider also that the rewrite could be based on a partial
match of either the domain or a bare user name (if the domain is "local").

-- 
Viktor.



Re: That Relay Access Denied Thing (Solved, no, Really!)

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 15:18, Robert A. Ober wrote:
> Thanks to Brian and others for hanging in there with me!

I think you owe everyone on this thread (which I was not part of, so
no self-interest) a beer. :)


--
#27794   ... I wonder if the really nerdy Klingons learn how
to speak english



Re: to/orig_to control

2009-03-04 Thread Evan Platt

At 04:07 PM 3/4/2009, you wrote:
> when you have "to=, orig_to=" in
> the maillog file, that translation is handled by /etc/postfix/virtual,
> isn't it?
>
> If j...@example.com is not in /etc/postfix/virtual, where else could
> this be controlled?
>
> I did grep -ir jo...@example.com /etc/postfix/ and got 0 hits, so it's
> not in virtual or virtual.db. I also went ahead and did grep -ir
> john \...@example.com /etc/ and still got 0 hits.  other virtual addresses in
> example.com show up in both /etc/postfix/virtual and /etc/postfix/
> virtual.db and yet mail to 'john' is getting translated and delivered.

Could be in aliases too, but that should show (assuming your aliases
is in /etc/postfix) with a grep ...



Re: escape "^From "

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 15:28, mouss wrote:
> LuKreme wrote:
>> What controls escaping "From " in the body of a mail message if it's at
>> the start of a line? Since I've switched everyone over to Maildir, it
>> seems silly to do this anymore, but I can't find the setting.  In fact,
>> I'm not even sure it's in postfix at all.
>
> look at what you use to deliver mail.

the LDA? that's procmail, but it knows it's delivering to Maildir/
also.  Hmm


--
These budget numbers are not just estimates, these are the actual
results for the fiscal year that ended February the 30th.
- GWB



RE: Spam attacks

2009-03-04 Thread MacShane, Tracy

From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Pawel Lesniak
Sent: Wednesday, 4 March 2009 7:32 PM
To: postfix users list
Subject: Re: Spam attacks


On 2009-03-03 23:34, MacShane, Tracy wrote:

> We have a very clear policy that users are only permitted to relay mail
> from our networks.

So you too advocate (if I clearly understand you) my point of
view, where those "legit mails", which Noel was talking about, are just
misconfigurations of others' servers.  
I believe that we share opinion that restricting own users to
sending from my_networks and/or authenticated clients works perfectly to
stop getting spam from u...@example.com to u...@example.com.

Pawel Lesniak

=

Actually, no, I wouldn't go that far. I'm fortunate in that I can
dictate such a policy, because it's existed since we've had email in
this organisation (well before my time), and we don't generally have
users subscribing to mailers that use this technique to get the mail
through. I do think it's a silly practice, but it's not technically a
"misconfiguration", nor is it necessarily spam, if a user signed up to
such a service.

For my organisation, it works perfectly as far as it goes, but that's
because of the established history and _clear policy_. We may one day
encounter a situation where we need to create an exemption for a
specific purpose. We only catch a couple of hundred or so messages a day
using this measure at present (it was higher when the botnets were more
active, and before we implemented Fail2ban), but that's a couple of
hundred lookups to Zen we don't have to do each day (not even 0.5% of
the total, though).





to/orig_to control

2009-03-04 Thread LuKreme
when you have "to=, orig_to=" in  
the maillog file, that translation is handled by /etc/postfix/virtual,  
isn't it?


If j...@example.com is not in /etc/postfix/virtual, where else could  
this be controlled?


I did grep -ir jo...@example.com /etc/postfix/ and got 0 hits, so it's  
not in virtual or virtual.db. I also went ahead and did grep -ir john 
\...@example.com /etc/ and still got 0 hits.  other virtual addresses in  
example.com show up in both /etc/postfix/virtual and /etc/postfix/ 
virtual.db and yet mail to 'john' is getting translated and delivered.



--
So now you know the words to our song, pretty soon you'll all be
singing along, when you're sad, when you're lonely and it all
turns out wrong...



Re: OT: Diagnose blocked mail

2009-03-04 Thread Ray
On Wednesday 04 March 2009 16:37:37 /dev/rob0 wrote:
> On Wed March 4 2009 17:26:01 Ray wrote:
> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > Ray wrote:
> > > > Hello,
> > > > I'm having an issue with mail being blocked (I think) and I was
> > > > hoping that someone here would give me an idea on where to get
> > > > started.
> > > >
> > > > here's the situation. (Made up names)
>
> Unfortunately, made up (misappropriated) domain names as well. Your
> problem is most likely either broken DNS or as you suggest, some kind
> of firewall blocking. We can't help with any of that if you don't use
> real domain names.
>

receiving domain is aplustaxi.ca

> > > > server is postfix with amavis-new, spam-assassin and dovecot.
> > > > logs are fairly verbose.
> > > >
> > > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com)
> > > > CC (b...@3rdserver.com) I run myserver.com. message goes through
> > > > to b...@3rdserver.com, but not b...@myserver.com.
> > > > there is absolutely no trace of alice's domain in the mail logs.
> > > >
> > > > am I being blocked up stream, is my server discarding the mail
> > > > somewhere or ...?
> > > >
> > > > any suggestions including alternate mail lists or google search
> > > > terms very much appreciated.
> > > >
> > > > Ray
> > >
> > > Post the appropriate section of /var/log/maillog showing the
> > > misbehaving transfer.
> > >
> > > Terry
> >
> > That's the problem, there's nothing in the logs.



Re: OT: Diagnose blocked mail

2009-03-04 Thread Ray
On Wednesday 04 March 2009 16:35:01 Magnus Bäck wrote:
> On Thursday, March 05, 2009 at 00:26 CET,
>
>  Ray  wrote:
> > On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > > Ray wrote:
> > > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC
> > > > (b...@3rdserver.com) I run myserver.com. message goes through to
> > > > b...@3rdserver.com, but not b...@myserver.com.
> > > > there is absolutely no trace of alice's domain in the mail logs.
> > > >
> > > > am I being blocked up stream, is my server discarding the mail
> > > > somewhere or ...?
> > > >
> > > > any suggestions including alternate mail lists or google search
> > > > terms very much appreciated.
> > >
> > > Post the appropriate section of /var/log/maillog showing the
> > > misbehaving transfer.
> >
> > That's the problem, there's nothing in the logs.
>
> Is Postfix running?
> Is it accepting port 25 connections on the Internet-facing network
> interface? Is there any firewall in the way?
> Are the MX records pointing towards your server?
> Does your ISP block inbound port 25?
> Can you connect to port 25 from an outside network?
> ...
Sorry, I should have filled in all this information before hand :(
Server is live and fully functional. it deals with thousands of messages per 
day and has for over a year. One user can't receive messages from one contact. 
That contact doesn't even show up in the logs as spam or lost connection or 
anything.

Ray



Re: Local mail listener

2009-03-04 Thread Magnus Bäck
On Thursday, March 05, 2009 at 00:25 CET,
 "Daniel L. Miller"  wrote:

> What I have/had now was the following:
> master.cf:
> 192.168.0.11:smtp  inet  n   -   -   -   -   smtpd
>  -o relayhost=[192.168.0.10]:225
> 192.168.0.11:125  inet  n   -   -   -   -   smtpd
>  -o relayhost=
> 
> The intent was to have local clients connect to 192.168.0.11:25.  
> Postfix should then relay it to 192.168.0.10:225.  That relay will then 
> process and return it to 192.168.0.11:125 - which would then send it to 
> the destination.
> 
> Right now, the above config "functions" in that it receives a message 
> from a client and delivers it to the destination - but it never hits my 
> filter.

No, because smtpd(8) doesn't pay attention to the relayhost parameter
and doesn't pass it on to the rest of Postfix. Postfix is modular, and
the relayhost is not a per-message property.

You're on the right track, just use content_filter instead. See
FILTER_README.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Local mail listener

2009-03-04 Thread Magnus Bäck
On Thursday, March 05, 2009 at 00:22 CET,
 "Daniel L. Miller"  wrote:

> Noel Jones wrote:
>
> > Define content_filter in main.cf pointing to the spam processing
> > machine, define a new smtpd listener in master.cf listening on a
> > different port.
> > http://www.postfix.org/FILTER_README.html
> >
> > Amavisd-new is software often used as a postfix content_filter.
> > Even if you're using something different, the postfix setup is
> > pretty much the same.
> > http://www.ijs.si/software/amavisd/README.postfix.html
>
> What's the difference between "content_filter" and "relayhost"?

content_filter is applied on input, i.e. before Postfix has made any
decision about the destiny of the message. In other words, it applies
to all messages.

relayhost is applied on output for destinations that Postfix has deemed
non-local.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: OT: Diagnose blocked mail

2009-03-04 Thread /dev/rob0
On Wed March 4 2009 17:26:01 Ray wrote:
> On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > Ray wrote:
> > > Hello,
> > > I'm having an issue with mail being blocked (I think) and I was
> > > hoping that someone here would give me an idea on where to get
> > > started.
> > >
> > > here's the situation. (Made up names)

Unfortunately, made up (misappropriated) domain names as well. Your 
problem is most likely either broken DNS or as you suggest, some kind 
of firewall blocking. We can't help with any of that if you don't use 
real domain names.

> > > server is postfix with amavis-new, spam-assassin and dovecot.
> > > logs are fairly verbose.
> > >
> > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com)
> > > CC (b...@3rdserver.com) I run myserver.com. message goes through
> > > to b...@3rdserver.com, but not b...@myserver.com.
> > > there is absolutely no trace of alice's domain in the mail logs.
> > >
> > > am I being blocked up stream, is my server discarding the mail
> > > somewhere or ...?
> > >
> > > any suggestions including alternate mail lists or google search
> > > terms very much appreciated.
> > >
> > > Ray
> >
> > Post the appropriate section of /var/log/maillog showing the
> > misbehaving transfer.
> >
> > Terry
>
> That's the problem, there's nothing in the logs.

-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: OT: Diagnose blocked mail

2009-03-04 Thread Magnus Bäck
On Thursday, March 05, 2009 at 00:26 CET,
 Ray  wrote:

> On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> > Ray wrote:
> >
> > > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC
> > > (b...@3rdserver.com) I run myserver.com. message goes through to
> > > b...@3rdserver.com, but not b...@myserver.com.
> > > there is absolutely no trace of alice's domain in the mail logs.
> > >
> > > am I being blocked up stream, is my server discarding the mail
> > > somewhere or ...?
> > >
> > > any suggestions including alternate mail lists or google search
> > > terms very much appreciated.
> >
> > Post the appropriate section of /var/log/maillog showing the
> > misbehaving transfer.
> 
> That's the problem, there's nothing in the logs.

Is Postfix running?
Is it accepting port 25 connections on the Internet-facing network interface?
Is there any firewall in the way?
Are the MX records pointing towards your server?
Does your ISP block inbound port 25?
Can you connect to port 25 from an outside network?
...

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Blocking a domain and user

2009-03-04 Thread /dev/rob0
Please don't top-post. Thank you.

On Wed March 4 2009 17:10:49 Jim McIver wrote:
> Guess I'm confused. I have a relay_recipient and recipient_access
> files listing only valid user's email addresses for my company.
> ie..
> relay_recipients
> bg...@lmtribune.com any_value
> bi...@lmtribune.com any_value
> bjohn...@lmtribune.com  any_value
>
> recipient_access
> bg...@lmtribune.com permissive
> bi...@lmtribune.com permissive
> bjohn...@lmtribune.com  permissive

This sounds right. You could use the same map for both purposes.  
There's nothing magical about "any_value", in fact, the lookup result 
for relay_recipient_maps is ignored. So it might as well be
"permissive" or "restrictive" or whatever.

> and nothing in virtual_alias_maps. I just seem to be getting hammered
> with yahoo.co.jp and wanted to block .co.jp or even .jp.
>
> Putting info in putting .jp in access_client, sender_access or
> client_access doesn't seem to stop it.
> Sorry for my lack of understanding.

Show the logs for the suspicious mailq entries when they first arrived. 
Not the smtp(8) logs showing you being blocked by yahoo.co.jp's MX 
hosts.

My WAG here: your Postfix configuration is correct, rejecting unknown 
recipients, but the @yahoo.co.jp senders originated from your own 
server. Compromised HTTP+PHP service?
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: OT: Diagnose blocked mail

2009-03-04 Thread Ray
On Wednesday 04 March 2009 16:12:32 Terry Carmen wrote:
> Ray wrote:
> > Hello,
> > I'm having an issue with mail being blocked (I think) and I was hoping
> > that someone here would give me an idea on where to get started.
> >
> > here's the situation. (Made up names)
> >
> > server is postfix with amavis-new, spam-assassin and dovecot. logs are
> > fairly verbose.
> >
> > Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC
> > (b...@3rdserver.com) I run myserver.com. message goes through to
> > b...@3rdserver.com, but not b...@myserver.com.
> > there is absolutely no trace of alice's domain in the mail logs.
> >
> > am I being blocked up stream, is my server discarding the mail somewhere
> > or ...?
> >
> > any suggestions including alternate mail lists or google search terms
> > very much appreciated.
> >
> > Ray
>
> Post the appropriate section of /var/log/maillog showing the misbehaving
> transfer.
>
> Terry

That's the problem, there's nothing in the logs.
Ray



Re: Local mail listener

2009-03-04 Thread Daniel L. Miller

mouss wrote:
>> What I'm actually trying to do is configure a relayhost. What I want is
>> to setup a Postfix listener for local SMTP connections, which will then
>> forward to a relayhost for spam processing (in this case, primarily
>> auto-whitelisting).  That relayhost will then send the message back to
>> Postfix on another connection, and THAT listener will not have a
>> relayhost defined so it should attempt direct delivery to the remote
>> host.  I know this is something relatively simple - I just seem to be
>> more obtuse than usual.
>> --
>
> transports are global inside a postfix instance. so you can't have
> context dependent routing rules.
>
> you can however use content_filter in an smtpd or in pickup. but make
> sure you don't create a loop.

What I have/had now was the following:
master.cf:
192.168.0.11:smtp  inet  n   -   -   -   -   smtpd
 -o relayhost=[192.168.0.10]:225
192.168.0.11:125  inet  n   -   -   -   -   smtpd
 -o relayhost=

The intent was to have local clients connect to 192.168.0.11:25.  
Postfix should then relay it to 192.168.0.10:225.  That relay will then 
process and return it to 192.168.0.11:125 - which would then send it to 
the destination.


Right now, the above config "functions" in that it receives a message 
from a client and delivers it to the destination - but it never hits my 
filter.

--
Daniel


RE: restricting who can be sent to.

2009-03-04 Thread Carver Banks
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Noel Jones
> Sent: Wednesday, March 04, 2009 2:22 PM
> To: postfix-users@postfix.org
> Subject: Re: restricting who can be sent to.
>
> Carver Banks wrote:
> > Hello,
> > I am in the process of setting up an internal mail server (carver-
> test.mydomain.local) using postfix, dovecot and squirrel mail.
> > I want the users of this system only be able send mail to a few users
> in mydomain.com
> > I imagine that there is an easy way to map this to a file, but I
> can't seem to find anything in my searches.
> >
>
> Here's the general documentation on restricting who can send
> where:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
 I tried the following:
smtpd_recipient_restrictions = check_sender_access 
hash:/etc/postfix/allowed_recipients reject
but it seems that allows me to restrict the user who is sending not the 
destination address,
what I am trying to accomplish is to have many users of this system be able to 
only email a few addresses, not even each other. I understand if that is not 
possible with postfix, just trying to figure out if that is the case...

>
>
> If this is strictly an internal system, you can use something
> simpler, such as:
>
> smtpd_recipient_restrictions =
>check_recipient_access hash:/etc/postfix/allowed_recipients
>reject
>
> where allowed_recipients lists the valid recipients as:
> us...@example.com  OK
> us...@example.com  OK
>
>-- Noel Jones


Re: Question about how Postfix sends the EHLO/HELO

2009-03-04 Thread Rob Tanner
Thanks for your feedback.  I do have $myhostname defined and you've
confirmed what I thought.  It's their issue and they need to fix it.

Again, thanks.

-- Rob


On 3/4/09 12:19 PM, "LuKreme"  wrote:

> On 4-Mar-2009, at 12:33, Rob Tanner wrote:
>> X-Spam-Flag:  YES
>> X-Spam-Checker-Version:  SpamAssassin 3.2.0 (2007-05-01) on
>> microthunder.com
> 
> They really *really* need to update their two-year old SA install.
> 
>> X-Spam-Level:  
>> X-Spam-Status:  Yes, score=4.4 required=4.0
> 
> They really *REALLY* need to understand the consequences of lowering
> the threshold, as this is nearly always a very very bad idea.  SA does
> not think your message is spamish, their mailadmin does.
> 
>> RCVD_NUMERIC_HELO
> 
> Well, that one is possibly your fault, and you should certainly fix it
> if it is.
> 
>> What I don't get is the first test in the X-Spam-Report header which
>> received a 2.6.  Does postfix strictly send the IP address on the
>> HELO/EHLO?
> 
> Only if it has no choice.
> 
>> If so, what parameter do I need to set to $myhostname?  Or, am I
>> entirely
>> misunderstanding what that test tests for?
> 
> # INTERNET HOST AND DOMAIN NAMES
> #
> # The myhostname parameter specifies the internet hostname of this
> # mail system. The default is to use the fully-qualified domain name
> # from gethostname(). $myhostname is used as a default value for many
> # other configuration parameters.
> #
> #myhostname = host.domain.tld
> #myhostname = virtual.domain.tld
> 
> However, your headers to the list look perfectly fine.  My suspicion,
> irrational without the full headers you sent them and the full message
> they sent back, is that they screwed something up on their end with
> the RCVD_NUMERIC_HELO test and that some eager-beaver "sysadmin"
> changed something they didn't understand to "get better results". I
> base this on the evidence that some eager-beaver "sysadmin" lowered
> the threshold to 4.0 without understanding the consequences to "get
> better results".
> 
> Feel free to forward my comments along to David Sosnowski @
> > 
> 



Re: Local mail listener

2009-03-04 Thread Daniel L. Miller

Noel Jones wrote:
> Define content_filter in main.cf pointing to the spam processing
> machine, define a new smtpd listener in master.cf listening on a
> different port.
>
> http://www.postfix.org/FILTER_README.html
>
> Amavisd-new is software often used as a postfix content_filter.  Even
> if you're using something different, the postfix setup is pretty much
> the same.
>
> http://www.ijs.si/software/amavisd/README.postfix.html

What's the difference between "content_filter" and "relayhost"?

--
Daniel


Re: OT: Diagnose blocked mail

2009-03-04 Thread Terry Carmen

Ray wrote:
> Hello,
> I'm having an issue with mail being blocked (I think) and I was hoping that
> someone here would give me an idea on where to get started.
>
> here's the situation. (Made up names)
>
> server is postfix with amavis-new, spam-assassin and dovecot. logs are fairly
> verbose.
>
> Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC
> (b...@3rdserver.com) I run myserver.com. message goes through to
> b...@3rdserver.com, but not b...@myserver.com.
> there is absolutely no trace of alice's domain in the mail logs.
>
> am I being blocked up stream, is my server discarding the mail somewhere or
> ...?
>
> any suggestions including alternate mail lists or google search terms very
> much appreciated.
>
> Ray

Post the appropriate section of /var/log/maillog showing the misbehaving
transfer.

Terry



Re: Blocking a domain and user

2009-03-04 Thread Jim McIver

Noel,
Guess I'm confused. I have a relay_recipient and recipient_access files 
listing only valid user's email addresses for my company.

ie..
relay_recipients
bg...@lmtribune.com any_value
bi...@lmtribune.com any_value
bjohn...@lmtribune.com  any_value

recipient_access
bg...@lmtribune.com permissive
bi...@lmtribune.com permissive
bjohn...@lmtribune.com  permissive

and nothing in virtual_alias_maps. I just seem to be getting hammered 
with yahoo.co.jp and wanted to block .co.jp or even .jp.


Putting info in putting .jp in access_client, sender_access or 
client_access doesn't seem to stop it.

Sorry for my lack of understanding.
-jm


Noel Jones wrote:
> Jim McIver wrote:
>> In looking at the file in xxx/deferred, my mailserver is trying to
>> return an undeliverable message and it looks like there is something
>> wrong with the site. " said: 557 Invalid routing request -
>> domain in BLACK LIST."
>> Basically I think the site is a spammer and they are blacklisted. How
>> can I blacklist the .co.jp so I don't receive their message to start
>> with?
>>
>> -jm
>
> You're focusing on the wrong problem.
>
> 1. Don't accept undeliverable mail to start with.  That will cure most
> of the problem.
>
>   - don't use wildcards in relay_recipient_maps
>   - don't use wildcards in virtual_alias_maps
>
> 2. Use zen.spamhaus.org.  That will cure most of the rest of the problem.
>
> smtpd_client_restrictions =
>   permit_mynetworks
>   reject_rbl_client zen.spamhaus.org
>
>   -- Noel Jones


OT: Diagnose blocked mail

2009-03-04 Thread Ray
Hello, 
I'm having an issue with mail being blocked (I think) and I was hoping that 
someone here would give me an idea on where to get started.

here's the situation. (Made up names)

server is postfix with amavis-new, spam-assassin and dovecot. logs are fairly 
verbose.

Alice (al...@example.com) sends Bob an Email (b...@myserver.com) CC 
(b...@3rdserver.com) I run myserver.com. message goes through to 
b...@3rdserver.com, but not b...@myserver.com.
there is absolutely no trace of alice's domain in the mail logs.

am I being blocked up stream, is my server discarding the mail somewhere or 
...?

any suggestions including alternate mail lists or google search terms very 
much appreciated.

Ray


Re: Local mail listener

2009-03-04 Thread Noel Jones

Daniel L. Miller wrote:
> Ok - now that I've fixed my idiotic routing errors (don't have two NIC's
> on the same network unless you know what you're doing - which I clearly
> don't!), I can get back to Postfix.
>
> From my prior configuration questions in ages past, I have been trying
> to make most of my changes in master.cf, so each listener will do
> exactly what I want (or to be more correct - exactly what it's TOLD,
> which is not necessarily what I wanted...)
>
> There are two processes I would like to configure, but I'm not sure
> which lines would be applicable.  Which line in the default master.cf
> would apply to the BSD mail command on the local server?  So when I'm
> configuring my Postfix server, and from the command line I type "mail
> someb...@hotmail.com", which listener(s) process this?

Local "mail" submission is usually done via the sendmail(1)
command.  This corresponds to the "pickup" service in master.cf.

> The other process would be whatever performs the send operation.  If I
> understand it right, whether I use the command line "mail" command or an
> SMTP client, it will connect to an smtpd listener.  Various Postfix
> internals will munch on the information, and assuming it processed
> correctly a Postfix process will then attempt to send it on the remote
> destination (assuming I'm sending a mail intended for a remote
> destination).

Postfix accepts mail via SMTP or sendmail(1)/pickup and puts
it in the queue.  The queue manager then examines the mail to
see where it goes.

http://www.postfix.org/OVERVIEW.html

> Is that step performed by either the "smtp" or "relay" lines?

Yes.  Postfix decides which to use based on the address class
of the destination, can be changed by transport_maps entries.

http://www.postfix.org/ADDRESS_CLASS_README.html

> What I'm actually trying to do is configure a relayhost.  What I want is
> to setup a Postfix listener for local SMTP connections, which will then
> forward to a relayhost for spam processing (in this case, primarily
> auto-whitelisting).  That relayhost will then send the message back to
> Postfix on another connection, and THAT listener will not have a
> relayhost defined so it should attempt direct delivery to the remote
> host.  I know this is something relatively simple - I just seem to be
> more obtuse than usual.
>
> --
> Daniel

Define content_filter in main.cf pointing to the spam
processing machine, define a new smtpd listener in master.cf
listening on a different port.

http://www.postfix.org/FILTER_README.html

Amavisd-new is software often used as a postfix
content_filter.  Even if you're using something different, the
postfix setup is pretty much the same.

http://www.ijs.si/software/amavisd/README.postfix.html

There's a wealth of information to be found at
http://www.postfix.org/documentation.html

  -- Noel Jones


PATCH: Possible reasons for "qmgr" loading the system?

2009-03-04 Thread Wietse Venema
Santiago Romero:
> Wietse Venema wrote:
> > Santiago Romero:
> >   
> >>  In case it happens again ...  Where or what should I take a look? At OS 
> >> level (disk or network I/O, processes...) I didn't see anything before 
> >> the "postfix restart"...
> >> 
> >
> > Try ``strace -o filename -p pid'' or the equivalent for your OS.
> >   
> 
>  Hi.
> 
>  Today happened again in 2 new machines. The last one:
> 
> 
> top - 09:44:25 up 19:39,  2 users,  load average: 4.68, 4.87, 4.76
> Tasks: 154 total,   6 running, 148 sleeping,   0 stopped,   0 zombie
> Cpu(s): 30.7%us, 49.2%sy,  0.0%ni, 11.7%id,  1.3%wa,  1.0%hi,  6.1%si,  0.0%st
> 
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 26926 postfix   20   0  5840 2552 1792 R   43  0.3 276:51.22 qmgr
> 
> 
> The problem never appeared in those machines until, yesterday, I 
> added the following to postfix configuration:
> 
>    /etc/postfix/master.cf
> slow unix  -   -   -   -   -   smtp
>   -o syslog_name=postfix-slow
> 
> 
>    /etc/postfix/main.cf
> # Special "slow" transport:
> slow_destination_recipient_limit=1
> slow_destination_concurrency_limit=1
> slow_destination_rate_delay=5

OK, leave the above settings and see if this helps (Postfix 2.5 or later).

I have not been able to reproduce the problem, but there was
some bogosity with the handling of _destination_rate_delay.

The only reason I know for lots of qmgr CPU usage is when all
mail is being delivered to a "discard" transport. When all mail
is bounced or deferred you'd have lots of disk activity that
causes qmgr to be slowed down.

Wietse

diff --exclude=man --exclude=html --exclude=README_FILES --exclude=.indent.pro 
--exclude=Makefile.in -cr src/qmgr/qmgr_entry.c- src/qmgr/qmgr_entry.c
*** src/qmgr/qmgr_entry.c-  Fri Dec 14 17:47:21 2007
--- src/qmgr/qmgr_entry.c   Wed Mar  4 16:04:21 2009
***
*** 299,304 
--- 299,317 
  }
  
  /*
+  * Suspend a rate-limited queue, so that mail trickles out.
+  */
+ if (which == QMGR_QUEUE_BUSY && transport->rate_delay > 0) {
+   if (queue->window > 1)
+   msg_panic("%s: queue %s/%s: window %d > 1 on rate-limited service",
+ myname, transport->name, queue->name, queue->window);
+   if (QMGR_QUEUE_THROTTLED(queue))/* XXX */
+   qmgr_queue_unthrottle(queue);
+   if (QMGR_QUEUE_READY(queue))
+   qmgr_queue_suspend(queue, transport->rate_delay);
+ }
+ 
+ /*
   * If the queue was blocking some of the jobs on the job list, check if
   * the concurrency limit has lifted. If there are still some pending
   * deliveries, give it a try and unmark all transport blockers at once.
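
Review bot: the comment on the relocated block ("Suspend a rate-limited queue, so that mail trickles out") does not say why the suspend has to come before the job-list blocker check that follows it, and that ordering is the whole point of the move. Add a sentence stating the dependency so the block is not moved back in a later cleanup, and replace the bare /* XXX */ on the QMGR_QUEUE_THROTTLED test with the reason the queue is unthrottled at this point.
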
***
*** 336,354 
   */
  if (which == QMGR_QUEUE_BUSY)
queue->last_done = event_time();
- 
- /*
-  * Suspend a rate-limited queue, so that mail trickles out.
-  */
- if (which == QMGR_QUEUE_BUSY && transport->rate_delay > 0) {
-   if (queue->window > 1)
-   msg_panic("%s: queue %s/%s: window %d > 1 on rate-limited service",
- myname, transport->name, queue->name, queue->window);
-   if (QMGR_QUEUE_THROTTLED(queue))/* XXX */
-   qmgr_queue_unthrottle(queue);
-   if (QMGR_QUEUE_READY(queue))
-   qmgr_queue_suspend(queue, transport->rate_delay);
- }
  
  /*
   * When the in-core queue for this site is empty and when this site is
--- 349,354 
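
Review bot: with the block gone from this position, the suspend is issued before queue->last_done = event_time() runs for QMGR_QUEUE_BUSY, where previously it ran after it. Please confirm that qmgr_queue_suspend() and the code that later resumes the queue do not read last_done, or state in the patch description that the relative order of the two does not matter.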


Re: Local mail listener

2009-03-04 Thread mouss
Daniel L. Miller wrote:
> Ok - now that I've fixed my idiotic routing errors (don't have two NIC's
> on the same network unless you know what you're doing - which I clearly
> don't!), I can get back to Postfix.
> 
> From my prior configuration questions in ages past, I have been trying
> to make most of my changes in master.cf, so each listener will do
> exactly what I want (or to be more correct - exactly what it's TOLD,
> which is not necessarily what I wanted...)
> 
> There are two processes I would like to configure, but I'm not sure
> which lines would be applicable.  Which line in the default master.cf
> would apply to the BSD mail command on the local server?  So when I'm
> configuring my Postfix server, and from the command line I type "mail
> someb...@hotmail.com", which listener(s) process this?
> 

the mail command calls the sendmail command. if the sendmail command is
the one supplied with postfix, the service to configure is pickup.

I personally never use the "mail" command. I prefer using the sendmail
command directly.

> The other process would be whatever performs the send operation.  If I
> understand it right, whether I use the command line "mail" command or an
> SMTP client, it will connect to an smtpd listener.

No.

>  Various Postfix
> internals will munch on the information, and assuming it processed
> correctly a Postfix process will then attempt to send it on the remote
> destination (assuming I'm sending a mail intended for a remote
> destination).  Is that step performed by either the "smtp" or "relay" lines?
> 

By default "relay" is an "smtp". if you check master.cf, you'll find:

relay unix  -   -   n   -   -   smtp
  ...


> What I'm actually trying to do is configure a relayhost.  What I want is
> to setup a Postfix listener for local SMTP connections, which will then
> forward to a relayhost for spam processing (in this case, primarily
> auto-whitelisting).  That relayhost will then send the message back to
> Postfix on another connection, and THAT listener will not have a
> relayhost defined so it should attempt direct delivery to the remote
> host.  I know this is something relatively simple - I just seem to be
> more obtuse than usual.
> -- 


transports are global inside a postfix instance. so you can't have
context dependent routing rules.

you can however use content_filter in an smtpd or in pickup. but make
sure you don't create a loop.



Re: Blocking a domain and user

2009-03-04 Thread Noel Jones

Jim McIver wrote:
In looking at the file in xxx/deferred, my mailserver is trying to 
return an undeliverable message and it looks like there is something wrong 
with the site. " said: 557 Invalid routingNCrequest - domain in 
BLACK LIST."
Basically I think the site is a spammer and they are blacklisted. How 
can I blacklist the .co.jp so I don't receive their message to start with?

-jm




You're focusing on the wrong problem.

1. Don't accept undeliverable mail to start with.  That will 
cure most of the problem.

  - don't use wildcards in relay_recipient_maps
  - don't use wildcards in virtual_alias_maps

2. Use zen.spamhaus.org.  That will cure most of the rest of 
the problem.


smtpd_client_restrictions =
  permit_mynetworks
  reject_rbl_client zen.spamhaus.org



  -- Noel Jones


Re: escape "^From "

2009-03-04 Thread mouss
LuKreme wrote:
> What controls escaping "From " in the body of a mail message if it's at
> the start of a line? Since I've switched everyone over to Maildir, it
> seems silly to do this anymore, but I can't find the setting.  In fact,
> I'm not even sure it's in postfix at all.

look at what you use to deliver mail.

> 
> RTFM replies preferred, just say with FM to R, please.
> 



Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 14:33, Jorey Bump wrote:

smtpd_tls_security_level should be used instead.



Not if you don't want to force TLS on the submission port it shouldn't.


On 4-Mar-2009, at 13:21, Brian Evans - Postfix List wrote:

*encrypt*
   Mandatory TLS encryption: announce STARTTLS support to SMTP clients,
   and require that clients use TLS encryption. According to RFC 2487
   this MUST NOT be applied in case of a publicly-referenced SMTP
   server. Instead, this option should be used only on dedicated servers.


This is wrong too (not the quote, but Brian's misapplication of it).  
From RFC287


A publicly-referenced SMTP server MUST NOT require use of the  
STARTTLS extension in order to deliver mail locally.

So far so good, but keep reading:
This rule prevents the STARTTLS extension from damaging the  
interoperability of the Internet's SMTP infrastructure. ***A  
publicly-referenced SMTP server is an SMTP server which runs on port  
25 of an Internet host listed in the MX record (or A record if an MX  
record is not present) for the domain name on the right hand side of  
an Internet mail address***.

So that has nothing to do with the submission port.

--
When the routine bites hard / and ambitions are low
And the resentment rides high / but emotions won't grow
And we're changing our ways, / taking different roads
Then love, love will tear us apart again



Re: restricting who can be sent to.

2009-03-04 Thread Noel Jones

Carver Banks wrote:

Hello,
I am in the process of setting up an internal mail server 
(carver-test.mydomain.local) using postfix, dovecot and squirrel mail.
I want the users of this system only be able send mail to a few users in 
mydomain.com
I imagine that there is an easy way to map this to a file, but I can't seem to 
find anything in my searches.



Here's the general documentation on restricting who can send 
where:

http://www.postfix.org/RESTRICTION_CLASS_README.html


If this is strictly an internal system, you can use something 
simpler, such as:


smtpd_recipient_restrictions =
  check_recipient_access hash:/etc/postfix/allowed_recipients
  reject

where allowed_recipients lists the valid recipients as:
us...@example.com  OK
us...@example.com  OK

  -- Noel Jones


Re: Blocking a domain and user

2009-03-04 Thread Jim McIver
In looking at the file in xxx/deferred, my mailserver is trying to 
return an undeliverable message and it looks like there is something wrong 
with the site. " said: 557 Invalid routingNCrequest - domain in 
BLACK LIST."
Basically I think the site is a spammer and they are blacklisted. How 
can I blacklist the .co.jp so I don't receive their message to start with?

-jm

Brian Evans - Postfix List wrote:

Jim McIver wrote:
  

I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking
email from a domain.




Postfix 2.1 is ancient.  Recommend an upgrade as some things I mention
may require 2.2 or 2.3 or higher.
  

Here is a snippet of the postqueue -p:

DF6A927D   3512 Tue Mar  3 18:42:35  MAILER-DAEMON
(connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
connection without sending the initial SMTP greeting)
megu0327_he...@yahoo.co.jp




You accepted this mail.  You need to find out WHY this
bounce/backscatter is occurring.
Check your mail log for DF6A927D.

  

I would like to block the .co.jp so it doesn't pile up in postqueue.

2nd:
I also receive over 400 messages daily from "u...@domain.com". The
messages never go anywhere, they just pile up in the postqueue and I'd
like to keep the postqueue -p cleaned out.

Snippet from maillog:

Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from
unknown[89.218.164.251]: 554 : Sender address
rejected: Access denied; from=
to= proto=SMTP helo=<89.218.164.251.metro.online.kz>



This message is rejected. It was not queued.

To block more, upgrade and use Zen (see site for usage restrictions)

grkni...@mx1 ~ $ host 251.164.218.89.zen.spamhaus.org
251.164.218.89.zen.spamhaus.org has address 127.0.0.11
251.164.218.89.zen.spamhaus.org has address 127.0.0.4

  

In my sender_access and  I have:
co.jp           REJECT
u...@domain.com REJECT

In my access_client I have:
co.jp           REJECT

Output of postconf -n
smtpd_client_restrictions = check_client_access
hash:/usr/local/etc/postfix/client_access   permit
smtpd_recipient_restrictions = permit_mynetworks   
reject_unauth_destination   reject_invalid_hostname warn_if_reject
reject_unknown_hostname   reject_unauth_pipelining   
reject_non_fqdn_sender  reject_unknown_sender_domain
reject_non_fqdn_recipient   reject_unknown_recipient_domain
warn_if_reject reject_unknown_client
reject_non_fqdn_hostname   check_client_access
hash:/usr/local/etc/postfix/access_client   check_helo_access
hash:/usr/local/etc/postfix/helo_access   check_sender_access
hash:/usr/local/etc/postfix/sender_access   check_recipient_access
hash:/usr/local/etc/postfix/recipient_access
smtpd_sender_restrictions = check_sender_access
hash:/usr/local/etc/postfix/sender_access



check_client_access expects a connecting IP match not a MAIL FROM match.

Brian
  


Re: That Relay Access Denied Thing (Solved, no, Really!)

2009-03-04 Thread Robert A. Ober

On 3/4/2009 1:57 PM, Brian Evans - Postfix List wrote:
Robert A. Ober wrote:
On 3/4/2009 1:06 PM, Brian Evans - Postfix List wrote:
Robert A. Ober wrote:
On 3/4/2009 12:32 PM, Robert A. Ober wrote:
On 3/4/2009 11:54 AM, Brian Evans - Postfix List wrote:

FYI: saslauthd is Cyrus not Dovecot

   



   

Right and that means the type is Cyrus?

Robert

 

You seem to have had Cyrus working, but want to break it to try to use
Dovecot.

This thread is going in circles and I am not understanding what you
ultimately want done.

Postfix can use EITHER Cyrus or Dovecot.
You REALLY should review SASL_README before asking for any more help.

Brian

   

Cyrus never allowed me to retrieve email via pop3.  I have read the
SASL_README.  Please understand I am not the expert you folks are and
am very tired and distraught.

One of the howto's said to use Dovecot + sasl  install cyrus-sasl, so
I did.  Dovecot-auth is running.  Should I kill that?  If so, how
without killing Dovecot?
 


Cyrus' saslauthd is not used by Dovecot whatsoever.  Any HOWTO that
says otherwise is a HOW(not)TO.
Some here will testament that the official docs are the place to review
first as some HOWTOs become outdated quickly or are just poor.
   

If I want Dovecot for pop3/imap without cyrus-sasl,  what do I install
for sasl and where is the doc for that?  Before I was forced to
reload, I had no SASL and pop-before-smtp let pop3 work.
 

Dovecot has its own auth daemon (called dovecot-auth) which you refer to

The sections http://www.postfix.org/SASL_README.html#server_sasl and
http://www.postfix.org/SASL_README.html#server_dovecot
are usually all it takes to configure Dovecot SASL.
Any other additions may not work.

Does the /var/spool/postfix/private/auth socket exist and accessible to
the Postfix user?

   

I currently have pop3 working offsite with OL2007 and Thunderbird.
OL2003 and OLXP get relay access denied when sending.  I want to cure
the relay access denied for OLXP and OL2003.  I have supported many
products including some for corporate users but my understanding of
how Postfix works is limited.
 

Again, this is commented in the SASL_README when it talks about
broken_sasl_auth_clients

Brian
   


Ok,  had a short nap, uninstalled cyrus-sasl and followed the 
SASL_README.  And it works.  The other docs had confused me into 
thinking I needed cyrus-sasl.


Thanks to Brian and others for hanging in there with me!

Y'all have some fun,
Robert:-)


rewriting sender address

2009-03-04 Thread ghe

I need to change email sent by a user from one domain (a.com) so that
clicking Reply will reply to him at b.com. (a.com isn't always reliable,
and I admin b.com, among other reasons.)

Google got me to postfix.org's documentation on generic maps. I'm
running 2.5, so tried that, to rewrite the destination address on its
way out, but couldn't get it to work:

main.cf:
smtp_generic_maps = hash:/etc/postfix/generic

/etc/postfix/generic:
ghe2...@gmail.com   g...@slsware.com
g...@qw.net g...@slsware.com

I sent mail to myself at gmail, expecting it to come here -- the log
says it was successfully sent to gmail, but I never saw it. qw.net
actually exists, and they refused the 2 or 3 connection attempts with
what look to me like SASL errors.


So I tried to rewrite the sender address on its way in. The
canonical-sender map worked when I telnet'ed and did SMTP by hand,
without supplying a From: header. But when he sent me mail, the
Return-Path header was rewritten but From: was not, so clicking Reply
was sending to a.com.

Is there a way to get postfix to change From: or to maybe copy
Return-Path to a Reply-To?

Or can you tell me what I did wrong with the generic map?

I found I could create a phony DNS zone on my LAN with a phony MX, but
that feels like a real kludge and fraught with peril...

--
Glenn English
g...@slsware.com



Re: Blocking a domain and user

2009-03-04 Thread Jim McIver
My mistake. The u...@domain.com is in the maillog. yahoo.co.jp is in 
postqueue -p

-jm

Paweł Leśniak wrote:

On 2009-03-04 21:32, Jim McIver wrote:
I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking 
email from a domain.


Here is a snippet of the postqueue -p:

DF6A927D   3512 Tue Mar  3 18:42:35  MAILER-DAEMON
(connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped 
connection without sending the initial SMTP greeting)

megu0327_he...@yahoo.co.jp

D5EFB277   3508 Tue Mar  3 18:42:28  MAILER-DAEMON
(connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped 
connection without sending the initial SMTP greeting)

megu0327_he...@yahoo.co.jp

D870B221   3248 Tue Mar  3 15:03:34  MAILER-DAEMON
(connect to mx5.mail.yahoo.co.jp[203.216.243.173]: server dropped 
connection without sending the initial SMTP greeting)

maria_rosmarinus0...@yahoo.co.jp

DA5AC227   3583 Tue Mar  3 14:46:26  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
x_lily_05...@yahoo.co.jp (in reply to RCPT TO command))

x_lily_05...@yahoo.co.jp

D11AD314   3248 Wed Mar  4 08:21:42  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
maria_rosmarinus0...@yahoo.co.jp (in reply to RCPT TO command))

maria_rosmarinus0...@yahoo.co.jp

D48452DB   3250 Wed Mar  4 11:39:04  MAILER-DAEMON
(host mx2.mail.yahoo.co.jp[203.216.243.170] said: 451 VS14-RT5 
Mailbox bounce arrival rate exceeds system limit (#4.2.2) 
maria_rosmarinus0...@yahoo.co.jp (in reply to RCPT TO command))

maria_rosmarinus0...@yahoo.co.jp

I would like to block the .co.jp so it doesn't pile up in postqueue.
This seems like your email address has been used as sender_address 
with some spam rejected by yahoo.co.jp (just a guess). Anyways your 
MAILER_DAEMON tries to send bounces to yahoo.co.jp. You'd have to 
check what's inside those bounced messages to find out what's the real 
problem, I mean why your mailserver is generating those bounces.
You could reject those messages by rejecting recipients from 
yahoo.co.jp. but this is not recommended.

2nd:
I also receive over 400 messages daily from "u...@domain.com". The 
messages never go anywhere, they just pile up in the postqueue and 
I'd like to keep the postqueue -p cleaned out.


Snippet from maillog:

Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from 
unknown[89.218.164.251]: 554 : Sender address 
rejected: Access denied; from= 
to= proto=SMTP 
helo=<89.218.164.251.metro.online.kz>
Mar  4 02:41:25 mail postfix/smtpd[38622]: NOQUEUE: reject: RCPT from 
unknown[86.123.168.197]: 554 : Sender address 
rejected: Access denied; from= 
to= proto=SMTP 
helo=<86-123-168-197.brasov.rdsnet.ro>
Mar  4 02:59:03 mail postfix/smtpd[39694]: NOQUEUE: reject: RCPT from 
unknown[92.83.230.6]: 554 : Sender address rejected: 
Access denied; from= to= 
proto=SMTP helo=


Looks fine. You are rejecting mails from u...@domain.com (and that 
obeys with your config check_sender_access 
hash:/usr/local/etc/postfix/sender_access). You shouldn't see those in 
queue.


Pawel Lesniak



Re: Blocking a domain and user

2009-03-04 Thread Jim McIver
My mistake, the ones piling up in postqueue -p are the yahoo.co.jp. The 
u...@domain.com is just listed in the maillog and it's a bogus email 
address I'd like not to receive email from.

-jm

LuKreme wrote:

On 4-Mar-2009, at 13:32, Jim McIver wrote:
they just pile up in the postqueue and I'd like to keep the postqueue 
-p cleaned out.


Snippet from maillog:

Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from 
unknown[89.218.164.251]: 554 : Sender address 
rejected: Access denied; from= 
to= proto=SMTP 
helo=<89.218.164.251.metro.online.kz>


How are they piling up in postqueue when the connection is being 
rejected?





Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread J.P. Trosclair

Jorey Bump wrote:

Put it back. smtpd_enforce_tls is deprecated since Postfix 2.3 and
smtpd_tls_security_level should be used instead.



I'll research the smtpd_tls_security_level option further. It didn't 
present a problem until I started working on this specific feature with 
the white lists. I have created another smtpd instance to forward white 
listed domains to rather than trying to utilize the submission port. I 
felt like I was over-complicating (because of archiving with *_bcc_maps 
and duplicate mails) the functionality of the submission service and 
thus headed down a bumpy road, maybe I'm wrong about this though. At the 
same time the submission service seems like the ideal place to hand this 
mail over to for final delivery since it's intended (for us) to allow 
trusted clients to bypass filtering and spam checks.





Re: Spam attacks

2009-03-04 Thread mouss
Paweł Leśniak wrote:
> On 2009-03-03 18:41, Noel Jones wrote:
>> Some legit "reminder" type services, some meeting notifications, and
>> other legit mail might arrive with you as the sender.  Maybe not best
>> practices, but it's legit mail and such a policy will reject it.
> Why would someone want to fake sender address? Is this really legit mail
> when one has (envelope!) sender address spoofed? I've no idea why should
> I get reminder from myself. If xyz is this service provider I want to
> get reminder from s...@xyz.
> 

When you send us mail, you give your mailer (thunderbird, outlook, ...)
the right to send the mail on behalf of you.

now, If I click on a "send this to your friend" link, what is the
difference? why shouldn't I be able to send as myself while clicking on
a link hosted by another organisation.

so if there were no spam, this practice would be ok. now, spam has
killed a lot of functionality... so sending behalf of someone has become
too complex.

>> You can send yourself mail via eg. gmail or your home ISP with your
>> postfix domain as sender address.  Some people really do this.
> And why would I do that?

I do this. I don't care how I send mail. I use my "profile". I will not
send as j...@free.fr when I post via my free.fr account,
j...@somehotel.example when I send from a hotel, ... etc.

> If my ISP would restrict to send only via their
> SMTP server, I'd use webmail. 

feel free. now webmail is a lot less secure than MUA mail. so I still
prefer MUA mail with SASL/TLS...

> And I have no idea why would one allow
> relaying via their SMTP server for everyone. And if not for everyone,
> then ISP should do address rewriting for their users.

No. if rewrite is needed, then something is fundamentally broken. work
should be done at the source except if not possible. intermediary
systems should not need a lot of resources. otherwise, every time you
design a system, you need to cope with all intermediary systems that
might be added some day.

> That's it. And
> that still doesn't change my point of view - broken configuration
> doesn't always give you legit mail.

This has nothing to do with broken configs.

> If one still wants to use other SMTP server to send mail with spoofed
> address, why just not add this SMTP server's IP to my_networks?
> 

I don't see what mynetworks and IPs come to do with sender addresses.
don't add unnecessary coupling.

>> The "some amount" of legit mail you will reject is highly dependent on
>> your users. Some sites will see quite a bit, others very little.  Some
>> people consider this a horrible idea, others a useful policy with an
>> acceptable risk.  You get to pick which side of the fence you live on.
> I can't see any risk anyways, not just in place. And it's possible that
> zen BL will stop more "legit" mails (depends on what one means by "legit
> mail", maybe there are people who read those "I'll give you $1billion"
> mails). If I'm wrong, please point it out, let me learn.
> 

I don't know how you define legit, but the way I see it, I haven't seen
a zen FP, but I have seen cases when senders have been used from
"different" networks.


restricting who can be sent to.

2009-03-04 Thread Carver Banks
Hello,
I am in the process of setting up an internal mail server 
(carver-test.mydomain.local) using postfix, dovecot and squirrel mail.
I want the users of this system only be able send mail to a few users in 
mydomain.com
I imagine that there is an easy way to map this to a file, but I can't seem to 
find anything in my searches.

Thanks


Postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = carver-test.mydomain.local, carver-test.mydomain.com, localhost
mydomain = mydomain.local
myhostname = carver-test.mydomain.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination, mydomain.com
relayhost = exchange.mydomain.com
smtp_generic_maps = hash:/etc/postfix/generic
virtual_gid_maps = static:1001
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = mydomain.local
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:1001



Carver Banks



Local mail listener

2009-03-04 Thread Daniel L. Miller
Ok - now that I've fixed my idiotic routing errors (don't have two NIC's 
on the same network unless you know what you're doing - which I clearly 
don't!), I can get back to Postfix.


From my prior configuration questions in ages past, I have been trying 
to make most of my changes in master.cf, so each listener will do 
exactly what I want (or to be more correct - exactly what it's TOLD, 
which is not necessarily what I wanted...)


There are two processes I would like to configure, but I'm not sure 
which lines would be applicable.  Which line in the default master.cf 
would apply to the BSD mail command on the local server?  So when I'm 
configuring my Postfix server, and from the command line I type "mail 
someb...@hotmail.com", which listener(s) process this?


The other process would be whatever performs the send operation.  If I 
understand it right, whether I use the command line "mail" command or an 
SMTP client, it will connect to an smtpd listener.  Various Postfix 
internals will munch on the information, and assuming it processed 
correctly a Postfix process will then attempt to send it on the remote 
destination (assuming I'm sending a mail intended for a remote 
destination).  Is that step performed by either the "smtp" or "relay" lines?


What I'm actually trying to do is configure a relayhost.  What I want is 
to setup a Postfix listener for local SMTP connections, which will then 
forward to a relayhost for spam processing (in this case, primarily 
auto-whitelisting).  That relayhost will then send the message back to 
Postfix on another connection, and THAT listener will not have a 
relayhost defined so it should attempt direct delivery to the remote 
host.  I know this is something relatively simple - I just seem to be 
more obtuse than usual.

--
Daniel


Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread Jorey Bump
J.P. Trosclair wrote, at 03/04/2009 04:05 PM:
> LuKreme wrote:
>> On 4-Mar-2009, at 13:08, J.P. Trosclair wrote:
>>> submission inet n   -   -   -   -   smtpd
>>>  -o smtpd_tls_security_level=encrypt
>>
>>
>> Why?
>>
> 
> I didn't explicitly add it. It was a left over from the default
> master.cf for the postfix package on debian 5.0. It's gone and
> everything is good, for now.

Put it back. smtpd_enforce_tls is deprecated since Postfix 2.3 and
smtpd_tls_security_level should be used instead.

Furthermore, you should leave it set to encrypt. Part of the value of
running a submission service on port 587 is that it allows you to
severely restrict connections in a way that is acceptable to ISPs, who
are blocking outgoing connections to SMTP port 25. If admins begin
relaxing the restrictions on port 587 without understanding the
ramifications, ISPs might start blocking it, too, which is bad for
residential and roaming users who need it in order to relay mail through
the desired server. An important part of this is encrypting all
connections to port 587.

It's easy enough to set up another (local) port in master.cf that will
serve your purpose (or someone might even be able to suggest an
alternative approach).




Re: Blocking a domain and user

2009-03-04 Thread Noel Jones

Paweł Leśniak wrote:

On 2009-03-04 21:32, Jim McIver wrote:
I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking 
email from a domain.


Here is a snippet of the postqueue -p:

DF6A927D   3512 Tue Mar  3 18:42:35  MAILER-DAEMON
(connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped 
connection without sending the initial SMTP greeting)

megu0327_he...@yahoo.co.jp

D5EFB277   3508 Tue Mar  3 18:42:28  MAILER-DAEMON
(connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped 
connection without sending the initial SMTP greeting)

megu0327_he...@yahoo.co.jp

D870B221   3248 Tue Mar  3 15:03:34  MAILER-DAEMON
(connect to mx5.mail.yahoo.co.jp[203.216.243.173]: server dropped 
connection without sending the initial SMTP greeting)

maria_rosmarinus0...@yahoo.co.jp

DA5AC227   3583 Tue Mar  3 14:46:26  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
x_lily_05...@yahoo.co.jp (in reply to RCPT TO command))

x_lily_05...@yahoo.co.jp

D11AD314   3248 Wed Mar  4 08:21:42  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
maria_rosmarinus0...@yahoo.co.jp (in reply to RCPT TO command))

maria_rosmarinus0...@yahoo.co.jp

D48452DB   3250 Wed Mar  4 11:39:04  MAILER-DAEMON
(host mx2.mail.yahoo.co.jp[203.216.243.170] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
maria_rosmarinus0...@yahoo.co.jp (in reply to RCPT TO command))

maria_rosmarinus0...@yahoo.co.jp

I would like to block the .co.jp so it doesn't pile up in postqueue.
This seems like your email address has been used as sender_address with 
some spam rejected by yahoo.co.jp (just a guess). Anyways your 
MAILER_DAEMON tries to send bounces to yahoo.co.jp. You'd have to check 
what's inside those bounced messages to find out what's the real 
problem, I mean why your mailserver is generating those bounces.
You could reject those messages by rejecting recipients from 
yahoo.co.jp. but this is not recommended.


No, his postfix is generating these bounces.  His postfix 
accepted mail addressed from *...@yahoo.co.jp, wasn't able to 
deliver it, and is attempting to return to sender.


Very likely these non-delivery reports are because his system 
is accepting mail to non-existent recipients.  He is 
generating backscatter, not a victim of it.


Maybe OP has a wildcard entry in his virtual_alias_maps.


  -- Noel Jones
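
The distinction this thread keeps returning to (NOQUEUE rejects never enter the queue, while MAILER-DAEMON entries in postqueue -p are bounces the server itself generated for mail it accepted) can be checked mechanically. The following is an added Python example, not part of any post in the thread; the queue listing and log lines are constructed samples using documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by `postqueue -p`.
# Addresses and IPs are documentation values, not taken from the thread.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     3512 Tue Mar  3 18:42:35  MAILER-DAEMON
(connect to mx1.mail.example.jp[192.0.2.10]: server dropped connection without sending the initial SMTP greeting)
                                         alice@mail.example.jp

B2C3D4E5F6     3248 Tue Mar  3 15:03:34  MAILER-DAEMON
(host mx3.mail.example.jp[192.0.2.30] said: 451 Mailbox bounce arrival rate exceeds system limit (in reply to RCPT TO command))
                                         bob@mail.example.jp

C3D4E5F6A7*    1820 Wed Mar  4 09:10:02  carol@example.org
                                         dave@example.net

-- 9 Kbytes in 3 Requests.
"""

# Constructed mail log: one pre-queue rejection, one accepted message.
SAMPLE_MAILLOG = """\
Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 <spammer@example.com>: Sender address rejected: Access denied; from=<spammer@example.com> to=<jim@example.org> proto=SMTP helo=<host.example.net>
Mar  4 00:10:02 mail postfix/smtpd[36640]: 9F8E7D6C5B: client=unknown[203.0.113.9]
"""

NOQUEUE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?from=<(?P<sender>[^>]*)>"
)


def parse_queue(text):
    """Parse `postqueue -p` text into a list of queue entries."""
    entries, current, reason = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue  # blank separator, column header, or summary footer
        if line.startswith("("):
            # Deferral reason; it applies to the recipients listed after it.
            stripped = line.strip()
            reason = stripped[1:-1] if stripped.endswith(")") else stripped[1:]
        elif line[0].isspace():
            if current is not None:
                current["recipients"].append((line.strip(), reason))
        else:
            fields = line.split()
            current = {
                "id": fields[0].rstrip("*!"),  # '*' = active, '!' = on hold
                "size": int(fields[1]),
                "sender": fields[-1],
                "recipients": [],
            }
            entries.append(current)
            reason = None
    return entries


def bounce_destinations(entries):
    """Count queued bounces per recipient domain.

    postqueue prints the null envelope sender as MAILER-DAEMON, so these
    are non-delivery reports this server created after accepting mail.
    """
    counts = Counter()
    for entry in entries:
        if entry["sender"] == "MAILER-DAEMON":
            for rcpt, _reason in entry["recipients"]:
                counts[rcpt.rsplit("@", 1)[-1].lower()] += 1
    return counts


def noqueue_rejects(log_text):
    """Return (client_ip, reply_code, envelope_sender) for pre-queue rejects.

    These lines carry NOQUEUE instead of a queue ID, so the message was
    never stored and cannot appear in `postqueue -p`.
    """
    return [(m["ip"], m["code"], m["sender"]) for m in NOQUEUE_RE.finditer(log_text)]


if __name__ == "__main__":
    queue = parse_queue(SAMPLE_QUEUE)
    print("queued bounces by destination:", dict(bounce_destinations(queue)))
    print("rejected before queueing:", noqueue_rejects(SAMPLE_MAILLOG))
```

A high MAILER-DAEMON count for a single destination domain means the server accepted mail it could not deliver and is now bouncing it, which is the backscatter case described above rather than an inbound blocking problem.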



Re: submission port requiring starttls even when set not to (Resolved)

2009-03-04 Thread J.P. Trosclair

LuKreme wrote:

On 4-Mar-2009, at 13:08, J.P. Trosclair wrote:

submission inet n   -   -   -   -   smtpd
 -o smtpd_tls_security_level=encrypt



Why?



I didn't explicitly add it. It was a left over from the default 
master.cf for the postfix package on debian 5.0. It's gone and 
everything is good, for now.


Re: Blocking a domain and user

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 13:32, Jim McIver wrote:
they just pile up in the postqueue and I'd like to keep the  
postqueue -p cleaned out.


Snippet from maillog:

Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT  
from unknown[89.218.164.251]: 554 : Sender address  
rejected: Access denied; from= to=> proto=SMTP helo=<89.218.164.251.metro.online.kz>


How are they piling up in postqueue when the connection is being  
rejected?



--
This is our music from the bachelor's den, the sound of loneliness
turned up to ten.  A harsh soundtrack from a stagnant waterbed
and it sounds just like this. This is the sound of someone
losing the plot making out that they're OK when they're not.
You're gonna like it, but not a lot.  And the chorus goes like
this...



Re: Blocking a domain and user

2009-03-04 Thread Paweł Leśniak

On 2009-03-04 21:32, Jim McIver wrote:
I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking 
email from a domain.


Here is a snippet of the postqueue -p:

DF6A927D   3512 Tue Mar  3 18:42:35  MAILER-DAEMON
(connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped 
connection without sending the initial SMTP greeting)

megu0327_he...@yahoo.co.jp

D5EFB277   3508 Tue Mar  3 18:42:28  MAILER-DAEMON
(connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped 
connection without sending the initial SMTP greeting)

megu0327_he...@yahoo.co.jp

D870B221   3248 Tue Mar  3 15:03:34  MAILER-DAEMON
(connect to mx5.mail.yahoo.co.jp[203.216.243.173]: server dropped 
connection without sending the initial SMTP greeting)

maria_rosmarinus0...@yahoo.co.jp

DA5AC227   3583 Tue Mar  3 14:46:26  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
x_lily_05...@yahoo.co.jp (in reply to RCPT TO command))

x_lily_05...@yahoo.co.jp

D11AD314   3248 Wed Mar  4 08:21:42  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
maria_rosmarinus0...@yahoo.co.jp (in reply to RCPT TO command))

maria_rosmarinus0...@yahoo.co.jp

D48452DB   3250 Wed Mar  4 11:39:04  MAILER-DAEMON
(host mx2.mail.yahoo.co.jp[203.216.243.170] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
maria_rosmarinus0...@yahoo.co.jp (in reply to RCPT TO command))

maria_rosmarinus0...@yahoo.co.jp

I would like to block the .co.jp so it doesn't pile up in postqueue.
This seems like your email address has been used as sender_address with 
some spam rejected by yahoo.co.jp (just a guess). Anyways your 
MAILER_DAEMON tries to send bounces to yahoo.co.jp. You'd have to check 
what's inside those bounced messages to find out what's the real 
problem, I mean why your mailserver is generating those bounces.
You could reject those messages by rejecting recipients from 
yahoo.co.jp. but this is not recommended.

2nd:
I also receive over 400 messages daily from "u...@domain.com". The 
messages never go anywhere, they just pile up in the postqueue and I'd 
like to keep the postqueue -p cleaned out.


Snippet from maillog:

Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from 
unknown[89.218.164.251]: 554 : Sender address 
rejected: Access denied; from= 
to= proto=SMTP helo=<89.218.164.251.metro.online.kz>
Mar  4 02:41:25 mail postfix/smtpd[38622]: NOQUEUE: reject: RCPT from 
unknown[86.123.168.197]: 554 : Sender address 
rejected: Access denied; from= 
to= proto=SMTP 
helo=<86-123-168-197.brasov.rdsnet.ro>
Mar  4 02:59:03 mail postfix/smtpd[39694]: NOQUEUE: reject: RCPT from 
unknown[92.83.230.6]: 554 : Sender address rejected: 
Access denied; from= to= 
proto=SMTP helo=


Looks fine. You are rejecting mails from u...@domain.com (and that complies 
with your config check_sender_access 
hash:/usr/local/etc/postfix/sender_access). You shouldn't see those in 
the queue.


Pawel Lesniak



Re: Blocking a domain and user

2009-03-04 Thread Brian Evans - Postfix List
Jim McIver wrote:
> I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking
> email from a domain.
>

Postfix 2.1 is ancient.  Recommend an upgrade as some things I mention
may require 2.2 or 2.3 or higher.
> Here is a snippet of the postqueue -p:
>
> DF6A927D   3512 Tue Mar  3 18:42:35  MAILER-DAEMON
> (connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped
> connection without sending the initial SMTP greeting)
> megu0327_he...@yahoo.co.jp
>
>
You accepted this mail.  You need to find out WHY this
bounce/backscatter is occurring.
Check your mail log for DF6A927D.

>
> I would like to block the .co.jp so it doesn't pile up in postqueue.
>
> 2nd:
> I also receive over 400 messages daily from "u...@domain.com". The
> messages never go anywhere, they just pile up in the postqueue and I'd
> like to keep the postqueue -p cleaned out.
>
> Snippet from maillog:
>
> Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from
> unknown[89.218.164.251]: 554 : Sender address
> rejected: Access denied; from=
> to= proto=SMTP helo=<89.218.164.251.metro.online.kz>
>
This message is rejected. It was not queued.

To block more, upgrade and use Zen (see site for usage restrictions)

grkni...@mx1 ~ $ host 251.164.218.89.zen.spamhaus.org
251.164.218.89.zen.spamhaus.org has address 127.0.0.11
251.164.218.89.zen.spamhaus.org has address 127.0.0.4

>
> In my sender_access and  I have:
> co.jp REJECT
> u...@domain.com REJECT
>
> In my access_client I have:
> co.jp REJECT
>
> Output of postconf -n
> smtpd_client_restrictions = check_client_access
> hash:/usr/local/etc/postfix/client_access   permit
> smtpd_recipient_restrictions = permit_mynetworks   
> reject_unauth_destination   reject_invalid_hostname warn_if_reject
> reject_unknown_hostname   reject_unauth_pipelining   
> reject_non_fqdn_sender  reject_unknown_sender_domain
> reject_non_fqdn_recipient   reject_unknown_recipient_domain
> warn_if_reject reject_unknown_client
> reject_non_fqdn_hostname check_client_access
> hash:/usr/local/etc/postfix/access_client   check_helo_access
> hash:/usr/local/etc/postfix/helo_access check_sender_access
> hash:/usr/local/etc/postfix/sender_access check_recipient_access
> hash:/usr/local/etc/postfix/recipient_access
> smtpd_sender_restrictions = check_sender_access
> hash:/usr/local/etc/postfix/sender_access
>
check_client_access expects a connecting IP match not a MAIL FROM match.

Brian


Re: submission port requiring starttls even when set not to

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 13:08, J.P. Trosclair wrote:

submission inet n   -   -   -   -   smtpd
 -o smtpd_tls_security_level=encrypt



Why?

--
If I were you boys, I wouldn't talk or even think about women.
T'aint good for your health.



Re: Messages Are Refused

2009-03-04 Thread Noel Jones

Carlos Williams wrote:

Thanks for that info. Can someone also comment on this? I asked a
friend via email and this was his response to the same issue:

**

"I used nslookup to verify the address your queue is showing, and it
does correspond to je.jfcom.mil. But a request for the mail-exchangers
for jfcom.mil does not indicate that this host should be receiving
mail. The mail-exchangers for that domain are:

smtp01.jfcom.mil
smtp02.jfcom.mil


This is irrelevant.  Your users addressed the mail to 
@je.jfcom.mil, not @jfcom.mil.





So this problem resolves into a new one: how did your Postfix come up
with the name je.jfcom.mil to send messages to? Did the user
explicitly specify that host as a target? 


The user addressed it to @je.jfcom.mil, which is where postfix 
is trying to deliver it.  This could be a mistake on your 
user's part, but it's not postfix's job to second-guess the 
sender.  It would be a horrible mistake for postfix to deliver 
mail to a parent domain MX when the specified host is unreachable.


...

**

My question is how did he find smtp01.jfcom.mil? And more important,
why then is my Postfix server trying to send to a different smtp
address?


Your clueless friend looked up the mx for jfcom.mil.  That's 
not the recipient domain your user specified.


There is no problem with your server; it's doing exactly what 
it's supposed to do.

The possible problems include
 - recipient's mail server is down
 - sender mis-addressed the mail

You could ask your user to verify the address, but other than 
that, nothing for you to do.



  -- Noel Jones


Blocking a domain and user

2009-03-04 Thread Jim McIver
I have Postfix 2.1 on Freebsd 4.10 and am having trouble blocking email 
from a domain.


Here is a snipet of the postqueue -p:

DF6A927D   3512 Tue Mar  3 18:42:35  MAILER-DAEMON
(connect to mx1.mail.yahoo.co.jp[124.83.183.240]: server dropped 
connection without sending the initial SMTP greeting)

megu0327_he...@yahoo.co.jp

D5EFB277   3508 Tue Mar  3 18:42:28  MAILER-DAEMON
(connect to mx3.mail.yahoo.co.jp[203.216.247.184]: server dropped 
connection without sending the initial SMTP greeting)

megu0327_he...@yahoo.co.jp

D870B221   3248 Tue Mar  3 15:03:34  MAILER-DAEMON
(connect to mx5.mail.yahoo.co.jp[203.216.243.173]: server dropped 
connection without sending the initial SMTP greeting)

maria_rosmarinus0...@yahoo.co.jp

DA5AC227   3583 Tue Mar  3 14:46:26  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
x_lily_05...@yahoo.co.jp (in reply to RCPT TO command))

x_lily_05...@yahoo.co.jp

D11AD314   3248 Wed Mar  4 08:21:42  MAILER-DAEMON
(host mx3.mail.yahoo.co.jp[124.83.155.153] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
maria_rosmarinus0...@yahoo.co.jp (in reply to RCPT TO command))

maria_rosmarinus0...@yahoo.co.jp

D48452DB   3250 Wed Mar  4 11:39:04  MAILER-DAEMON
(host mx2.mail.yahoo.co.jp[203.216.243.170] said: 451 VS14-RT5 Mailbox 
bounce arrival rate exceeds system limit (#4.2.2) 
maria_rosmarinus0...@yahoo.co.jp (in reply to RCPT TO command))

maria_rosmarinus0...@yahoo.co.jp

I would like to block the .co.jp so it doesn't pile up in postqueue.

2nd:
I also receive over 400 messages daily from "u...@domain.com". The 
messages never go anywhere, they just pile up in the postqueue and I'd 
like to keep the postqueue -p cleaned out.


Snippet from maillog:

Mar  4 00:09:21 mail postfix/smtpd[36633]: NOQUEUE: reject: RCPT from 
unknown[89.218.164.251]: 554 : Sender address rejected: 
Access denied; from= to= 
proto=SMTP helo=<89.218.164.251.metro.online.kz>
Mar  4 02:41:25 mail postfix/smtpd[38622]: NOQUEUE: reject: RCPT from 
unknown[86.123.168.197]: 554 : Sender address rejected: 
Access denied; from= to= 
proto=SMTP helo=<86-123-168-197.brasov.rdsnet.ro>
Mar  4 02:59:03 mail postfix/smtpd[39694]: NOQUEUE: reject: RCPT from 
unknown[92.83.230.6]: 554 : Sender address rejected: 
Access denied; from= to= 
proto=SMTP helo=



In my sender_access and  I have:
co.jp REJECT
u...@domain.com REJECT

In my access_client I have:
co.jp REJECT

Output of postconf -n
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = no
mail_name = TPC Holdings, We report spam
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 500
mydestination = lt.lmtribune.com mail.lmtribune.com
mydomain = lmtribune.com
myhostname = mail.lmtribune.com
mynetworks = 199.5.221.0/24 192.168.0.0/16 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = lmtribune.com dnews.com
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = check_client_access 
hash:/usr/local/etc/postfix/client_access   permit

smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks
reject_unauth_destination   reject_invalid_hostname warn_if_reject 
reject_unknown_hostname   reject_unauth_pipelining
reject_non_fqdn_sender  reject_unknown_sender_domain 
reject_non_fqdn_recipient   reject_unknown_recipient_domain 
warn_if_reject reject_unknown_client reject_non_fqdn_hostname
check_client_access hash:/usr/local/etc/postfix/access_client   
check_helo_access hash:/usr/local/etc/postfix/helo_access
check_sender_access hash:/usr/local/etc/postfix/sender_access
check_recipient_access hash:/usr/local/etc/postfix/recipient_access

smtpd_restriction_classes = restrictive, permissive
smtpd_sender_restrictions = check_sender_access 
hash:/usr/local/etc/postfix/sender_access

smtpd_soft_error_limit = 10
strict_rfc821_envelopes = yes
transport_maps = hash:/usr/loca

Re: postconf -n suggestion

2009-03-04 Thread Wietse Venema
Paweł Leśniak:
> On 2009-03-04 20:53, Charles Marcus wrote:
> > Irrelevant. There is nothing wrong with simplifying things...
> >
> Simplifying does not mean changing behavior. As Wietse said, postconf -n 
> shows only setting from main.cf. So adding values from outside main.cf 
> is not simplifying at all.
> > By your argument, there is no need for the postconf tool at all...
> >
> Never said anything like that.

Making trouble reports easier requires a saslfinger-like tool that
captures info about Postfix, the OS, build options, etc.  Patrick's
tool goes a long way towards the solution. If someone can port it
to all the non-LINUX platforms then it might even become supported.

Wietse


Re: submission port requiring starttls even when set not to

2009-03-04 Thread Brian Evans - Postfix List
J.P. Trosclair wrote:
> I'm trying to implement a white list with check_sender_access in
> smtpd_recipient_restrictions. The problem I'm running into is that the
> submission port is requiring TLS even when I have set
> smtpd_enforce_tls=no and smtp_enforce_tls=no in main.cf and specified
> them as options for the submission entry master.cf.
>
> submission entry from /etc/postfix/master.cf:
> submission inet n   -   -   -   -   smtpd
>   -o smtpd_tls_security_level=encrypt
>  
http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

*encrypt*
Mandatory TLS encryption: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to RFC 2487
 this MUST NOT be applied in
case of a publicly-referenced SMTP server. Instead, this option
should be used only on dedicated servers.

Brian
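
Why the `-o smtpd_enforce_tls=no` lines in the quoted entry change nothing: a non-empty `smtpd_tls_security_level` overrides the older `smtpd_use_tls` and `smtpd_enforce_tls` switches, and `smtp_enforce_tls` belongs to the outbound smtp(8) client. The following is an added example, not part of the original message or of Postfix: it parses master.cf service entries, applies the `-o` overrides on top of main.cf, and reports the TLS level each smtpd service ends up with. The main.cf values and the submission entry are taken from the thread; the plain `smtp` line is added for contrast, and `{ }`-quoted option values are not handled.

```python
# main.cf values taken from the postconf -n output posted in the thread.
MAIN_CF = {"smtpd_use_tls": "yes", "smtpd_enforce_tls": "no"}

# The submission entry from the thread (the line-wrapped
# smtpd_client_restrictions override is left out); the plain smtp
# service line is added here for contrast.
MASTER_CF = """\
smtp       inet n   -   -   -   -   smtpd
submission inet n   -   -   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=no
  -o smtp_enforce_tls=no
  -o mynetworks=127.0.0.0/8
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=
"""

# Older on/off switches that a non-empty security level overrides.
LEGACY = ("smtpd_enforce_tls", "smtpd_use_tls")


def parse_master_cf(text):
    """Return {"name/type": {"command": str, "overrides": dict}}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()    # continuation of previous entry
        else:
            logical.append(raw.strip())

    services = {}
    for line in logical:
        fields = line.split()
        if len(fields) < 8:
            continue                            # not a complete service entry
        args, overrides = fields[8:], {}
        for flag, setting in zip(args, args[1:]):
            if flag == "-o":
                name, _, value = setting.partition("=")
                overrides[name] = value         # a later -o replaces an earlier one
        services[f"{fields[0]}/{fields[1]}"] = {
            "command": fields[7],
            "overrides": overrides,
        }
    return services


def effective_smtpd_tls(main_cf, overrides):
    """Return (level, deciding_parameter) for one smtpd service."""
    params = {**main_cf, **overrides}           # master.cf -o beats main.cf
    level = params.get("smtpd_tls_security_level", "")
    if level:                                   # non-empty level wins outright
        return level, "smtpd_tls_security_level"
    if params.get("smtpd_enforce_tls") == "yes":
        return "encrypt", "smtpd_enforce_tls"
    if params.get("smtpd_use_tls") == "yes":
        return "may", "smtpd_use_tls"
    return "none", "default"


def ignored_overrides(overrides):
    """-o settings on an smtpd service that cannot relax its TLS policy."""
    ignored = []
    if overrides.get("smtpd_tls_security_level"):
        ignored += [p for p in LEGACY if p in overrides]
    # smtp_* parameters configure the outbound smtp(8) client, not smtpd(8).
    ignored += [p for p in overrides if p.startswith("smtp_")]
    return ignored


if __name__ == "__main__":
    for name, svc in parse_master_cf(MASTER_CF).items():
        if svc["command"] != "smtpd":
            continue
        level, source = effective_smtpd_tls(MAIN_CF, svc["overrides"])
        print(f"{name}: TLS level {level} (decided by {source})")
        for param in ignored_overrides(svc["overrides"]):
            print(f"  no effect on this listener's TLS policy: -o {param}")
```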



Re: Question about how Postfix sends the EHLO/HELO

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 12:33, Rob Tanner wrote:

X-Spam-Flag:  YES
X-Spam-Checker-Version:  SpamAssassin 3.2.0 (2007-05-01) on
microthunder.com


They really *really* need to update their two-year old SA install.


X-Spam-Level:  
X-Spam-Status:  Yes, score=4.4 required=4.0


They really *REALLY* need to understand the consequences of lowering  
the threshold, as this is nearly always a very very bad idea.  SA does  
not think your message is spamish, their mailadmin does.



RCVD_NUMERIC_HELO


Well, that one is possibly your fault, and you should certainly fix it  
if it is.



What I don’t get is the first test in the X-Spam-Report header which
received a 2.6.  Does postfix strictly send the IP address on the  
HELO/EHLO?


Only if it has no choice.

If so, what parameter do I need to set to $myhostname?  Or, am I entirely
misunderstanding what that test tests for?


# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld

However, your headers to the list look perfectly fine.  My suspicion,  
irrational without the full headers you sent them and the full message  
they sent back, is that they screwed something up on their end with  
the RCVD_NUMERIC_HELO test and that some eager-beaver "sysadmin"  
changed something they didn't understand to "get better results". I  
base this on the evidence that some eager-beaver "sysadmin" lowered  
the threshold to 4.0 without understanding the consequences to "get  
better results".


Feel free to forward my comments along to David Sosnowski @ >



--
What the hell's goin' on in the engine room? Were there
monkeys? Some terrifying space monkeys maybe got loose?



Re: Spam attacks

2009-03-04 Thread Paweł Leśniak


On 3/4/2009, Paweł Leśniak (warl...@lesniakowie.com) wrote:
   

Looking at first email in thread carefully you'd see that Dave has
(or had) problem with spam sent from j...@foo.com to j...@foo.com. And
that's the case where authentication will do the job perfectly - IMHO
way better than zen.
 


You do realize that if you did that you wouldn't be able to receive your
own messages from mail lists such as this one, correct?

   

How come?

Mar  4 20:50:50 lola amavis[15332]: (15332-05) FWD via SMTP: 
 -> ,BODY=7BIT 
250 2.6.0 Ok, id=15332-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EACA754205

And here restrictions (only recipient - not using any other):
smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_non_fqdn_sender, 
reject_non_fqdn_recipient, reject_unknown_sender_domain, 
reject_unknown_recipient_domain, reject_invalid_hostname, 
reject_unauth_destination, reject_unlisted_sender, check_sender_access 
hash:/etc/postfix/restricted_senders.map, reject_sender_login_mismatch, 
check_client_access pcre:/etc/postfix/check_client_fqdn.pcre, 
check_recipient_access hash:/etc/postfix/restricted_recipients.map, 
reject_rbl_client zen.spamhaus.org, check_greylist


/etc/postfix/restricted_senders.map:
lesniakowie.com 554 Prosze wlaczyc autentykacje SMTP / Please enable 
SMTP authentication


I'm getting all messages without problems. Also those sent by myself.

Pawel Lesniak



Re: VERPify recommendations

2009-03-04 Thread Noel Jones

Steve Crawford wrote:
While we do not manage a "mailing list" in the traditional sense, we do 
send a lot of emails (daily/weekly/monthly reports, instant-alert 
messages, etc.) where using VERP to track bounces could prove useful.


We run numerous projects with varying requirements and the messages 
could be generated by Perl, Python, Bash/mutt, etc. All inbound/outbound 
mail is routed through Postfix.


In my ideal world, I would find a magic setting that said, say, "use 
VERP for all messages from f...@pinpointresearch.com" or perhaps from 
some specific IP range. Digging through the docs and list archives 
indicates this does not exist.


So I'm seeking recommendations/ideas. Has anyone done something with 
rewriting or procmail or ??? Are there any filters or other external 
programs that might help me achieve this in Postfix? Can you recommend 
any replacements for our current email generation tools (needs to be 
command-line and allow us to generate multipart-MIME and attachments)?


I am aware of the sendmail -V possibility but some of the other tools 
are more convenient when generating multipart MIME, adding attachments, 
etc. and it doesn't appear the -V option can be used in server mode to 
make a VERPifying server.


Thoughts/suggestions/ideas?

Cheers,
Steve



Seems to me that if you want to use SMTP and you control the 
submitting software it should be easy enough to add XVERP to 
the MAIL FROM command:

http://www.postfix.org/VERP_README.html#smtp

It wouldn't be safe to do this by sender address, but you 
could use a check_client_access table with a FILTER result 
pointing to a pipe transport that does a "sendmail -XV ..." 
reinjection.


  -- Noel Jones


Re: postconf -n suggestion

2009-03-04 Thread Paweł Leśniak

On 2009-03-04 20:53, Charles Marcus wrote:

Irrelevant. There is nothing wrong with simplifying things...
   
Simplifying does not mean changing behavior. As Wietse said, postconf -n 
shows only setting from main.cf. So adding values from outside main.cf 
is not simplifying at all.

By your argument, there is no need for the postconf tool at all...
   

Never said anything like that.

Pawel Lesniak



submission port requiring starttls even when set not to

2009-03-04 Thread J.P. Trosclair
I'm trying to implement a white list with check_sender_access in 
smtpd_recipient_restrictions. The problem I'm running into is that the 
submission port is requiring TLS even when I have set 
smtpd_enforce_tls=no and smtp_enforce_tls=no in main.cf and specified 
them as options for the submission entry master.cf.


The details are, I'm trying to change the transport for white listed 
domains so that the spam filters and what not are bypassed. The mail 
delivery attempt via the submission port fails every time with "Must 
issue a STARTTLS command first." I feel confident that I'm overlooking 
something obvious but I've given all the various config settings I can 
think of an attempt with the same outcome.


This is all dev stuff, none of it is set in stone. If anyone has a 
better suggestion on how to bypass the spam filters and what not for 
certain domains, I'm ready to listen.


From here on is my postconf -n, white_list file for 
check_sender_access, submission entry from master.cf and the relevant 
log entries.


postconf -n:
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
maximal_backoff_time = 300s
message_size_limit = 0
minimal_backoff_time = 120s
mydestination = maildev.judelawfirm.com
myhostname = maildev.judelawfirm.com
mynetworks = 127.0.0.0/8 192.168.1.0/24
myorigin = maildev.judelawfirm.com
queue_run_delay = 120s
readme_directory = no
recipient_bcc_maps = pcre:/etc/postfix/recipient_bcc
recipient_delimiter = +
sender_bcc_maps = pcre:/etc/postfix/recipient_bcc
smtp_enforce_tls = no
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining 
permit_mynetworks   permit_sasl_authenticated

smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname 
reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_mynetworks 
permit_sasl_authenticated   check_sender_access 
hash:/etc/postfix/black_list check_sender_access 
hash:/etc/postfix/white_list reject_unlisted_recipient 
reject_non_fqdn_hostname reject_non_fqdn_sender 
reject_non_fqdn_recipient   reject_unauth_destination 
reject_unauth_pipelining reject_invalid_hostname

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transports
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:1000


/etc/postfix/white_list:
gmail.com   FILTER  smtp:[127.0.0.1]:submission


submission entry from /etc/postfix/master.cf:
submission inet n   -   -   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=no
  -o smtp_enforce_tls=no
  -o mynetworks=127.0.0.0/8
  -o 
smtpd_client_restrictions=permit_my_networks,permit_sasl_authenticated,reject

  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=


log entries:
Mar  4 13:48:10 mail1 postfix/smtpd[15692]: connect from 
qw-out-2122.google.com[74.125.92.26]
Mar  4 13:48:11 mail1 postfix/smtpd[15692]: NOQUEUE: filter: RCPT from 
qw-out-2122.google.com[74.1   25.92.26]: : 
Sender address triggers FILTER smtp:[127.0.0.1]:submission; fr 
om= to= proto=ESMTP 
helo=
Mar  4 13:48:11 mail1 postfix/smtpd[15692]: 35B9C19C717: 
client=qw-out-2122.google.com[74.125.92.2   6]
Mar  4 13:48:11 mail1 postfix/cleanup[15697]: 35B9C19C717: 
message-id=<49aedb33.1020...@gmail.com>
Mar  4 13:48:11 mail1 postfix/qmgr[15691]: 35B9C19C717: 
from=, size=1989, n   rcpt=2 (queue active)
Mar  4 13:48:11 mail1 postfix/smtpd[15699]: connect from 
localhost[127.0.0.1]
Mar  4 13:48:11 mail1 postfix/smtp[15698]: 35B9C19C717: 
to=, relay=127.0.   0.1[127.0.0.1]:587, 
delay=0.34, delays=0.31/0.01/0.02/0, dsn=5.7.0, status=bounced (host 
127.0.0.1   [127.0.0.1] said: 530 5.7.0 Must issue a STARTTLS 
command first (in reply to MAIL FROM command))
Mar  4 13:48:11 mail1 postfix/smtp[15698]: 35B9C19C717: 
to=, rela 
y=127.0.0.1[127.0.0.1]:587, delay=0.34, delays=0.31/0.01/0.02/0, 
dsn=5.7.0, status=bounced (host 1   27.0.0.1[127.0.0.1] said: 530 
5.7.0 Must issue a 

Re: That Relay Access Denied Thing (Solved, Almost)

2009-03-04 Thread Brian Evans - Postfix List
Robert A. Ober wrote:
> On 3/4/2009 1:06 PM, Brian Evans - Postfix List wrote:
>> Robert A. Ober wrote:
>>   
>>> On 3/4/2009 12:32 PM, Robert A. Ober wrote:
>>> 
>>>> On 3/4/2009 11:54 AM, Brian Evans - Postfix List wrote:
   
>>
>>   
>>>> FYI: saslauthd is Cyrus not Dovecot
   
>> 
>>   
>>> Right and that means the type is Cyrus?
>>>
>>> Robert
>>> 
>> You seem to have had Cyrus working, but want to break it to try to use
>> Dovecot.
>>
>> This thread is going in circles and I am not understanding what you
>> ultimately want done.
>>
>> Postfix can use EITHER Cyrus or Dovecot.
>> You REALLY should review SASL_README before asking for any more help.
>>
>> Brian
>>   
> Cyrus never allowed me to retrieve email via pop3.  I have read the
> SASL_README.  Please understand I am not the expert you folks are and
> am very tired and distraught.
>
> One of the howto's said to use Dovecot + sasl  install cyrus-sasl, so
> I did.  Dovecot-auth is running.  Should I kill that?  If so, how
> without killing Dovecot?

Cyrus' saslauthd is not used by Dovecot whatsoever.  Any HOWTO that
says otherwise is a HOW(not)TO.
Some here will attest that the official docs are the place to review
first as some HOWTOs become outdated quickly or are just poor.
>
> If I want Dovecot for pop3/imap without cyrus-sasl,  what do I install
> for sasl and where is the doc for that?  Before I was forced to
> reload, I had no SASL and pop-before-smtp let pop3 work.
Dovecot has its own auth daemon (called dovecot-auth), which you refer to.

The sections http://www.postfix.org/SASL_README.html#server_sasl and
http://www.postfix.org/SASL_README.html#server_dovecot
are usually all it takes to configure Dovecot SASL.
Any other additions may not work.

Does the /var/spool/postfix/private/auth socket exist, and is it accessible to
the Postfix user?

>
> I currently have pop3 working offsite with OL2007 and Thunderbird. 
> OL2003 and OLXP get relay access denied when sending.  I want to cure
> the relay access denied for OLXP and OL2003.  I have supported many
> products including some for corporate users but my understanding of
> how Postfix works is limited.
Again, this is commented in the SASL_README when it talks about
broken_sasl_auth_clients

Brian


escape "^From "

2009-03-04 Thread LuKreme
What controls escaping "From " in the body of a mail message if it's  
at the start of a line? Since I've switched everyone over to Maildir,  
it seems silly to do this anymore, but I can't find the setting.  In  
fact, I'm not even sure it's in postfix at all.


RTFM replies preferred, just say which FM to R, please.

--
Bowling scores are way up, minigolf scores are way down, and we
have more excellent waterslides than any other planet we
communicate with



Re: postconf -n suggestion

2009-03-04 Thread Charles Marcus
On 3/4/2009 2:36 PM, Paweł Leśniak wrote:
>> I was just talking about something that would make it easier when
>> someone was asking for help on the list... I don't think the above will
>> quite accomplish that...

> In many cases (I'm not gonna do statistics) new users do not post their
> questions correctly - often we can see 2nd message in thread asking for
> more information according to MAIL_DEBUG readme.
> So I think that making changes to postconf -n output are useless. If one
> will manage to read MAIL_DEBUG, one will also be able to have a look at
> postfix version and other system-related information. If not, certainly
> one should not do any changes to mail server. Honestly.

Irrelevant. There is nothing wrong with simplifying things...

By your argument, there is no need for the postconf tool at all...

Wietse has already explained why this will not be done, so further
discussion is useless. Personally, I don't see any reason to not add a
new flag that does this, but again - it doesn't matter what I think...

Besides, Victor did provide a way to do this on an individual basis, and
even though ianap, I may play with it a bit...

Oh, and thanks Victor for that...


Re: Question about how Postfix sends the EHLO/HELO

2009-03-04 Thread Noel Jones

Rob Tanner wrote:

Hi,

We are having problems sending email to a particular site on the 
internet that uses SpamAssassin to filter for spam.  They send me back 
the headers on a particular message and here is the spam portion:



 X-Spam-Flag:  YES  
 X-Spam-Checker-Version:  SpamAssassin 3.2.0 (2007-05-01) on 
microthunder.com  
 X-Spam-Level:    
 X-Spam-Status:  Yes, score=4.4 required=4.0 tests=HTML_MESSAGE, 
MIME_QP_LONG_LINE,RCVD_NUMERIC_HELO autolearn=no version=3.2.0  
 X-Spam-Report:  * 2.6 RCVD_NUMERIC_HELO Received: contains an IP 
address used for HELO * 0.0 HTML_MESSAGE BODY: HTML included in message 
* 1.8 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars  



What I don’t get is the first test in the X-Spam-Report header which 
received a 2.6.  Does postfix strictly send the IP address on the 
HELO/EHLO?  If so, what parameter do I need to set to $myhostname?  Or, 
am I entirely misunderstanding what that test tests for?


Thanks.

--
*Rob Tanner
*UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558



Where postfix gets the HELO name used:
http://www.postfix.org/postconf.5.html#smtp_helo_name
http://www.postfix.org/postconf.5.html#myhostname

I'm going to rashly assume the problem is with the same server 
you used to send mail to the list, so the rest of this message 
could be totally irrelevant ...


Looking at the headers of the message you sent to the list:

Received: from neskowin.linfield.edu (neskowin.linfield.edu 
[192.147.171.21])

by russian-caravan.cloud9.net (Postfix) with SMTP id 55D0AFD9F3
	for ; Wed,  4 Mar 2009 14:33:37 
-0500 (EST)
Received: from neskowin.linfield.edu (localhost.localdomain 
[127.0.0.1])

by linfield.edu (Postfix) with SMTP id 596B158120
	for ; Wed,  4 Mar 2009 11:33:36 
-0800 (PST)
Received: from exchangedb.wfo.linfield.edu 
(exchangedb.wfo.linfield.edu [10.170.131.27])

by neskowin.linfield.edu (Postfix) with ESMTP id 410365811C
	for ; Wed,  4 Mar 2009 11:33:36 
-0800 (PST)
Received: from 10.219.255.241 ([10.219.255.241]) by 
exchangedb.wfo.linfield.edu ([10.170.131.27]) via Exchange 
Front-End Server exchange.linfield.edu ([10.170.131.28]) with 
Microsoft Exchange Server HTTP-DAV ;

 Wed,  4 Mar 2009 19:33:36 +

the only numeric HELO I see is from the originating client. 
IMHO SpamAssassin should not be applying this test to all 
headers, only the topmost "trusted" header.  Next wild guess 
is that the recipient server has misconfigured SA.


You can "fix" this with a header_checks rule to either REWRITE 
the offending header to "X-Received:..." or just IGNORE 
(remove) it.


  -- Noel Jones
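
The check Noel describes (walking the Received chain and looking at the HELO name each hop recorded) can be reproduced offline. This is an added example, not part of the original message and not SpamAssassin's own rule; the "bare dotted quad" pattern and the function names are assumptions made for illustration, and the sample input is the header block quoted above.

```python
import re

# Received headers copied from the message above. Recipient addresses were
# already stripped by the archive and the last timestamp is cut off there.
SAMPLE_HEADERS = """\
Received: from neskowin.linfield.edu (neskowin.linfield.edu [192.147.171.21])
    by russian-caravan.cloud9.net (Postfix) with SMTP id 55D0AFD9F3
    for ; Wed,  4 Mar 2009 14:33:37 -0500 (EST)
Received: from neskowin.linfield.edu (localhost.localdomain [127.0.0.1])
    by linfield.edu (Postfix) with SMTP id 596B158120
    for ; Wed,  4 Mar 2009 11:33:36 -0800 (PST)
Received: from exchangedb.wfo.linfield.edu (exchangedb.wfo.linfield.edu [10.170.131.27])
    by neskowin.linfield.edu (Postfix) with ESMTP id 410365811C
    for ; Wed,  4 Mar 2009 11:33:36 -0800 (PST)
Received: from 10.219.255.241 ([10.219.255.241]) by
    exchangedb.wfo.linfield.edu ([10.170.131.27]) via Exchange
    Front-End Server exchange.linfield.edu ([10.170.131.28]) with
    Microsoft Exchange Server HTTP-DAV ;
    Wed,  4 Mar 2009 19:33:36 +
"""

# Assumption: "numeric HELO" means a bare dotted quad in the HELO position.
NUMERIC_HELO = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif ":" in line:
            headers.append(line.strip())
    return headers


def received_hops(raw):
    """Return (helo, by) per Received header, topmost (most recent) first."""
    hops = []
    for header in unfold(raw):
        name, _, value = header.partition(":")
        if name.strip().lower() != "received":
            continue
        value = value.strip()
        helo = FROM_RE.search(value)
        by = BY_RE.search(value)
        hops.append((helo.group(1) if helo else None,
                     by.group(1) if by else None))
    return hops


def numeric_helo_hops(raw):
    """Return (index, helo, by) for hops whose HELO name is a bare IPv4 address."""
    return [(i, helo, by) for i, (helo, by) in enumerate(received_hops(raw))
            if helo and NUMERIC_HELO.match(helo)]


if __name__ == "__main__":
    for i, helo, by in numeric_helo_hops(SAMPLE_HEADERS):
        print(f"hop {i}: HELO {helo!r} recorded by {by}")
```

Only the bottom hop, recorded by the Exchange server, carries a numeric HELO; the three Postfix hops above it all announce a hostname.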



Re: Spam attacks

2009-03-04 Thread Charles Marcus
On 3/4/2009, Paweł Leśniak (warl...@lesniakowie.com) wrote:
> Looking at first email in thread carefully you'd see that Dave has 
> (or had) problem with spam sent from j...@foo.com to j...@foo.com. And 
> that's the case where authentication will do the job perfectly - IMHO
> way better than zen.

You do realize that if you did that you wouldn't be able to receive your
own messages from mail lists such as this one, correct?

-- 

Best regards,

Charles


Re: Postfix + Dovecot SASL authentication.

2009-03-04 Thread Robert A. Ober

On 3/4/2009 10:05 AM, Miguel Da Silva - Centro de Matemática wrote:

Victor Duchovni wrote:
On Wed, Mar 04, 2009 at 09:35:38AM -0200, Miguel Da Silva - Centro de 
Matemática wrote:


The user was not "relaying": mail was sent to a domain you are 
responsible for, so this was not blocked by "reject_unauth_destination".
Well... I don't think so, maybe I am not understanding 
reject_unauth_destinations correctly.


You are the one asking the question, so it would be wise to take time
to research and test the (correct) answer you were given.

* Postfix is the final destination: the resolved RCPT TO 
domain matches $mydestination, $inet_interfaces, $proxy_interfaces, 
$virtual_alias_domains, or $virtual_mailbox_domains, and contains no 
sender-specified routing (u...@elsewhere@domain).


But, reading the second one I would say every local user sending 
mail to another local user will get it done through the server.


Any client (regardless of envelope sender address) passes this 
restriction when sending to a local destination address.



It's done... now I could say there is no problem. I misunderstood the 
documentation, so I checked it one more time and did some tests.


Everything is working as it should.

Thank you.
Since I am trying to get basically the same thing to work,  where did 
your sasl come from?  I came in late to the discussion.  What OS are you 
running?


Thanks,
Robert



Re: postconf -n suggestion

2009-03-04 Thread Paweł Leśniak


I was just talking about something that would make it easier when
someone was asking for help on the list... I don't think the above will
quite accomplish that...

   
In many cases (I'm not gonna do statistics) new users do not post their 
questions correctly - often we can see 2nd message in thread asking for 
more information according to MAIL_DEBUG readme.
So I think that making changes to postconf -n output is useless. If one 
will manage to read MAIL_DEBUG, one will also be able to have a look at 
postfix version and other system-related information. If not, certainly 
one should not do any changes to mail server. Honestly.


Pawel Lesniak



Question about how Postfix sends the EHLO/HELO

2009-03-04 Thread Rob Tanner
Hi,

We are having problems sending email to a particular site on the internet
that uses SpamAssassin to filter for spam.  They send me back the headers on
a particular message and here is the spam portion:


 X-Spam-Flag:  YES 
 X-Spam-Checker-Version:  SpamAssassin 3.2.0 (2007-05-01) on
microthunder.com  
 X-Spam-Level:  
 X-Spam-Status:  Yes, score=4.4 required=4.0 tests=HTML_MESSAGE,
MIME_QP_LONG_LINE,RCVD_NUMERIC_HELO autolearn=no version=3.2.0
 X-Spam-Report:  * 2.6 RCVD_NUMERIC_HELO Received: contains an IP address
used for HELO * 0.0 HTML_MESSAGE BODY: HTML included in message * 1.8
MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars


What I don't get is the first test in the X-Spam-Report header which
received a 2.6.  Does postfix strictly send the IP address on the HELO/EHLO?
If so, what parameter do I need to set to $myhostname?  Or, am I entirely
misunderstanding what that test tests for?

Thanks.

--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558




Re: Configuration advice

2009-03-04 Thread Jorey Bump
Emmanuel Seyman wrote, at 03/04/2009 02:03 PM:

> What's the best way to do this? If I install SA on the first domain
> and remove the lists.example.org MX, spammers will still be able to
> send spam to it directly. Is setting up SA on both machines the simplest
> way to go?

It's certainly more flexible. You can adjust SA scores on the list
server in a way that might be too restrictive or inappropriate on the
other.



Re: Spam attacks

2009-03-04 Thread Paweł Leśniak


On Wed March 4 2009 08:48:18 Paweł Leśniak wrote:
   

But then we come to definition of spam. It's in simple words unwanted
message.
 


Too simple, and not correct. The true definition of spam is UBE:
unsolicited bulk email. Most spammers put out messages that a tiny
percentage of recipients want to see. It's how they keep making money
at it.
   
And where do you see the difference between unwanted message and 
unsolicited bulk email? Word bulk here does not matter in terms of 
single email address - you don't know (often) if this is one message of 
many sent or just a single mail, as long as given sender gets 
blacklisted or you start getting same mail at many different addresses.

Postmasters who fail to understand what spam is contribute to the
problem, which is this: email has become nearly unusable for many
people, and would be unusable for everyone without sane strategies to
control the spew. I bet 95% of all SMTP traffic is abuse.
   

At my servers it's about 90-95% of connections which get rejected.


Also IMHO I'll get much more "false positives" with zen than with
authentication if for example I'd be interested in getting money and
medicines offers. We get here to definition of "false positives"
which can be very different for different customers. And that leads
 


For the most part, I don't care what the end user thinks, for reasons
implied above. If they solicited email from a legitimate (i.e., not
listed on SBL and not using zombies) bulk sender, they'll get it. If
they solicited email from a spammer, oops, it's blocked.

We all owe it to the Internet to limit spammers' access to our
clue-deprived users who might otherwise help keep them in business.

   

true

I try to explain it to them. No, it's not easy. No, I am not managing
any large sites at the moment, but if I was, I'd put up explanations
with links on a http://postmaster.example.com/ Web site.

Most people who claim that Zen gives "false positives" are not using
reject_rbl_client properly. Obviously, you do not reject_rbl_client
before permit_sasl_authenticated. But in your case I don't know what
you're saying. I think the issue of authentication that you bring up
might be irrelevant, except perhaps for the narrow "issue" of sender
equals recipient. I haven't noticed a significant problem with such
spam, which is probably attributable to Zen.
   
I'm not saying zen gives "false positives" which I (or better users of 
my servers)  think are not spam. But if one says that mail sent with 
spoofed sender is correct then it's not fine with me.
I do not allow mails from client addresses without DNS entries (why 
don't they use correctly configured mailserver), etc. One can say that 
I'm rejecting many false positives. Maybe. But I'm rejecting those 
messages. If sender wants to send legitimate email to me and gets 
rejected, he should get reply from his server about rejection. If this 
is the case, then "the ball is on his side". In terms of business mails, 
one will say that after rejection, the other side will just think we are 
not worth cooperation. That's not true, because it's better to get 
rejection instantly than wait a few days while the recipient finds the 
message in spam folder for example.


Looking at first email in thread carefully you'd see that Dave has (or 
had) problem with spam sent from j...@foo.com to j...@foo.com. And that's 
the case where authentication will do the job perfectly - IMHO way 
better than zen.


Pawel Lesniak



Re: That Relay Access Denied Thing (Solved, Almost)

2009-03-04 Thread Robert A. Ober

On 3/4/2009 1:06 PM, Brian Evans - Postfix List wrote:

Robert A. Ober wrote:
   

On 3/4/2009 12:32 PM, Robert A. Ober wrote:
 

On 3/4/2009 11:54 AM, Brian Evans - Postfix List wrote:
   


   

FYI: saslauthd is Cyrus not Dovecot
   


   

Right and that means the type is Cyrus?

Robert
 

You seem to have had Cyrus working, but want to break it to try to use
Dovecot.

This thread is going in circles and I am not understanding what you
ultimately want done.

Postfix can use EITHER Cyrus or Dovecot.
You REALLY should review SASL_README before asking for any more help.

Brian
   
Cyrus never allowed me to retrieve email via pop3.  I have read the 
SASL_README.  Please understand I am not the expert you folks are and am 
very tired and distraught.


One of the howto's said to use Dovecot + sasl  install cyrus-sasl, so I 
did.  Dovecot-auth is running.  Should I kill that?  If so, how without 
killing Dovecot?


If I want Dovecot for pop3/imap without cyrus-sasl,  what do I install 
for sasl and where is the doc for that?  Before I was forced to reload, 
I had no SASL and pop-before-smtp let pop3 work.


I currently have pop3 working offsite with OL2007 and Thunderbird.  
OL2003 and OLXP get relay access denied when sending.  I want to cure 
the relay access denied for OLXP and OL2003.  I have supported many 
products including some for corporate users but my understanding of how 
Postfix works is limited.


Thanks,
Robert


Re: postconf -n suggestion

2009-03-04 Thread LuKreme

On 4-Mar-2009, at 11:54, Wietse Venema wrote:

"postconf -n" does not list parameters unless they are set in
main.cf. The simplicity of the tool makes it useful for building
into other tools. If we start making random exceptions then we get
on a slippery slope (why stop with mail_version? why not also
include SASL and TLS, chroot stuff, and so on).


I do agree in principle with this, but I think that for version at  
least, an exception should be made.  (OS is largely irrelevant, but  
version is pretty much critical all the time).



--
I've always had a flair for stage directions.



Re: That Relay Access Denied Thing (Solved, Almost)

2009-03-04 Thread Brian Evans - Postfix List
Robert A. Ober wrote:
> On 3/4/2009 12:32 PM, Robert A. Ober wrote:
>> On 3/4/2009 11:54 AM, Brian Evans - Postfix List wrote:

>> FYI: saslauthd is Cyrus not Dovecot
 
> Right and that means the type is Cyrus?
>
> Robert
You seem to have had Cyrus working, but want to break it to try to use
Dovecot.

This thread is going in circles and I am not understanding what you
ultimately want done.

Postfix can use EITHER Cyrus or Dovecot.
You REALLY should review SASL_README before asking for any more help.

Brian


Configuration advice

2009-03-04 Thread Emmanuel Seyman

Hey, all.

I've been asked to overhaul a postfix configuration and I would really
appreciate any tips or advice that people may have on the subject.

I'm working on two servers :

The first one receives mail for @example.org . The configuration isn't
easy to read (hence the overhaul) but it looks so far to contain only
aliases (so mail is received and goes back out instantly).

The second server has the MX for @lists.example.org . As you can
probably guess, it's a mailman-only machine.

The main reason for the overhaul is spam. We're getting nailed
as spammers by other domains because the first server redirects 
incoming spam to other mail servers and the amount of spam that needs
to be moderated on the mailing lists is driving the list admins crazy.
To solve this problem, we've decided to install spamassassin but I'd
prefer to manage only one instance of SA instead of two.

What's the best way to do this? If I install SA on the first domain
and remove the lists.example.org MX, spammers will still be able to
send spam to it directly. Is setting up SA on both machines the simplest
way to go?

Emmanuel Seyman



Re: postconf -n suggestion

2009-03-04 Thread Wietse Venema
LuKreme:
> On 4-Mar-2009, at 09:22, Wietse Venema wrote:
> > Charles Marcus:
> >> Dovecot has added two lines of text to the beginning output of  
> >> dovecot
> >> -n that could possibly save some time with troubleshooting...
> >>
> >> It adds the version on the first line, and OS/platform info on the
> >> second line, like so:
> >>
> >> # 1.1.11: /etc/dovecot/dovecot.conf
> >> # OS: Linux 2.6.23-gentoo-r9 x86_64 Gentoo Base System release  
> >> 1.12.11.1
> >>
> >> Maybe postfix could do the same with postconf -n output?
> >
> > No. The output has a defined "name = value" format. Adding
> > cruft would break bazillions of scripts that rely on it.
> 
> version=2.4.2
> uname=FreeBSD 6.2-RELEASE

The "postconf -n" command lists known parameters that are
explicitly specified in main.cf.

If you want a fingerprinting tool, don't mess up postconf.

Wietse


Re: That Relay Access Denied Thing

2009-03-04 Thread /dev/rob0
On Wed March 4 2009 08:39:37 Victor Duchovni wrote:
> If I recall correctly the OP reported using Postfix 2.2 and should
> see:
>
> http://www.postfix.org/postconf.5.html#smtpd_sasl_type
>
> attempts to use Dovecot SASL auth with Postfix 2.2 are unlikely to
> get very far.

I did it, but I cheated. I used Timo's patch. :)
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: postconf -n suggestion

2009-03-04 Thread Wietse Venema
Noel Jones:
> Wietse Venema wrote:
> > Charles Marcus:
> >> Dovecot has added two lines of text to the beginning output of dovecot
> >> -n that could possibly save some time with troubleshooting...
> >>
> >> It adds the version on the first line, and OS/platform info on the
> >> second line, like so:
> >>
> >> # 1.1.11: /etc/dovecot/dovecot.conf
> >> # OS: Linux 2.6.23-gentoo-r9 x86_64 Gentoo Base System release 1.12.11.1
> >>
> >> Maybe postfix could do the same with postconf -n output?
> > 
> > No. The output has a defined "name = value" format. Adding
> > cruft would break bazillions of scripts that rely on it.
> > 
> > Wietse
> 
> There was a discussion a while back about always including
> "mail_version = value" in postconf -n output.  I can't 
> remember why that isn't a good idea...

"postconf -n" does not list parameters unless they are set in
main.cf. The simplicity of the tool makes it useful for building
into other tools. If we start making random exceptions then we get
on a slippery slope (why stop with mail_version? why not also
include SASL and TLS, chroot stuff, and so on).

If we want to fingerprint a Postfix install, it is better to use a
fingerprinting tool that also captures master.cf, information about
the platform itself, and Postfix build options. Patrick's saslfinger
already does most of this.

Wietse


Re: postconf -n suggestion

2009-03-04 Thread postfix

At 12:52 PM 3/4/2009, Charles Marcus wrote:

>> # 1.1.11: /etc/dovecot/dovecot.conf
>> # OS: Linux 2.6.23-gentoo-r9 x86_64 Gentoo Base System release 1.12.11.1


If the output is name =value then could the output just be
conf = 1.1.11: /etc/dovecot/dovecot.conf
OS = Linux 2.6.23-gentoo-r9 x86_64 Gentoo Base System release 1.12.11.1

and not break things? (or something like that).


rick



Re: Spam attacks

2009-03-04 Thread /dev/rob0
On Wed March 4 2009 08:48:18 Paweł Leśniak wrote:
> But then we come to definition of spam. It's in simple words unwanted
> message.

Too simple, and not correct. The true definition of spam is UBE: 
unsolicited bulk email. Most spammers put out messages that a tiny 
percentage of recipients want to see. It's how they keep making money 
at it.

Postmasters who fail to understand what spam is contribute to the 
problem, which is this: email has become nearly unusable for many 
people, and would be unusable for everyone without sane strategies to 
control the spew. I bet 95% of all SMTP traffic is abuse.

> Also IMHO I'll get much more "false positives" with zen than with
> authentication if for example I'd be interested in getting money and
> medicines offers. We get here to definition of "false positives"
> which can be very different for different customers. And that leads

For the most part, I don't care what the end user thinks, for reasons 
implied above. If they solicited email from a legitimate (i.e., not 
listed on SBL and not using zombies) bulk sender, they'll get it. If 
they solicited email from a spammer, oops, it's blocked.

We all owe it to the Internet to limit spammers' access to our 
clue-deprived users who might otherwise help keep them in business.

I try to explain it to them. No, it's not easy. No, I am not managing 
any large sites at the moment, but if I was, I'd put up explanations 
with links on a http://postmaster.example.com/ Web site.

Most people who claim that Zen gives "false positives" are not using 
reject_rbl_client properly. Obviously, you do not reject_rbl_client 
before permit_sasl_authenticated. But in your case I don't know what 
you're saying. I think the issue of authentication that you bring up 
might be irrelevant, except perhaps for the narrow "issue" of sender 
equals recipient. I haven't noticed a significant problem with such 
spam, which is probably attributable to Zen.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
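
The ordering point in the message above, together with the reject_unauth_destination behaviour quoted in the "Postfix + Dovecot SASL authentication" thread on this page, can be seen in a small first-match-wins model of a restriction list. This is an added example, not Postfix code and not from any poster; the networks, domains, addresses and the DNSBL set are constructed stand-ins, and only the four restrictions named in these threads are modelled.

```python
import ipaddress

# Constructed sample state (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com"}   # domains this server is final destination for
DNSBL_LISTED = {"203.0.113.7"}    # stand-in for a DNSBL (e.g. Zen) lookup result

GOOD_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination", "reject_rbl_client"]
BAD_ORDER = ["reject_rbl_client", "permit_mynetworks",
             "permit_sasl_authenticated", "reject_unauth_destination"]

# Constructed sessions: an authenticated roaming user on a listed dynamic IP,
# and an unauthenticated outsider using a local address as envelope sender.
ROAMING_USER = {"client_ip": "203.0.113.7", "sasl_user": "alice",
                "sender": "alice@example.com", "rcpt": "bob@example.net"}
SPOOF_UNLISTED = {"client_ip": "198.51.100.20", "sasl_user": None,
                  "sender": "user@example.com", "rcpt": "user@example.com"}
SPOOF_LISTED = dict(SPOOF_UNLISTED, client_ip="203.0.113.7")
OUTSIDE_RELAY = dict(SPOOF_UNLISTED, rcpt="bob@example.net")


def check(restriction, session):
    """Return 'PERMIT', 'REJECT' or 'DUNNO' for a single restriction."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(session["client_ip"])
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "PERMIT" if session["sasl_user"] else "DUNNO"
    if restriction == "reject_unauth_destination":
        # Looks only at the recipient domain; the envelope sender is ignored.
        domain = session["rcpt"].rsplit("@", 1)[1].lower()
        return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"
    if restriction == "reject_rbl_client":
        return "REJECT" if session["client_ip"] in DNSBL_LISTED else "DUNNO"
    raise ValueError(f"restriction not modelled: {restriction}")


def evaluate(restrictions, session):
    """Walk the list left to right; the first non-DUNNO result decides."""
    for restriction in restrictions:
        verdict = check(restriction, session)
        if verdict != "DUNNO":
            return verdict, restriction
    return "PERMIT", "end of list"


if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, "order, roaming user:", evaluate(order, ROAMING_USER))
    print("spoofed local sender, unlisted:", evaluate(GOOD_ORDER, SPOOF_UNLISTED))
    print("spoofed local sender, listed:", evaluate(GOOD_ORDER, SPOOF_LISTED))
```

With the DNSBL check ahead of permit_sasl_authenticated the authenticated user is rejected, which is the "false positive" described above; the sender-equals-recipient message from an unlisted client is accepted in either order because none of these restrictions inspects the envelope sender.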


Re: Possible reasons for "qmgr" loading the system?

2009-03-04 Thread Wietse Venema
Victor Duchovni:
> > slow_destination_recipient_limit=1
> > slow_destination_concurrency_limit=1

I wonder if the problem recurs when these are changed. But let's
first swap new and old queue managers.

Wietse


Re: modify ldap return query value

2009-03-04 Thread Evelio Vila
ok thanks wietse!



Evelio Vila:
> so I would like to modify the return_attribute to pass postfix only the user
> part of the mail field.

See: man ldap_table | less +/result_format

> Also, could several queries can be combined to form the desired result?

You can't make multiple queries per result.

Wietse






Re: postconf -n suggestion

2009-03-04 Thread Noel Jones

Wietse Venema wrote:

Charles Marcus:

Dovecot has added two lines of text to the beginning output of dovecot
-n that could possibly save some time with troubleshooting...

It adds the version on the first line, and OS/platform info on the
second line, like so:

# 1.1.11: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.23-gentoo-r9 x86_64 Gentoo Base System release 1.12.11.1

Maybe postfix could do the same with postconf -n output?


No. The output has a defined "name = value" format. Adding
cruft would break bazillions of scripts that rely on it.

Wietse


There was a discussion a while back about always including
"mail_version = value" in postconf -n output.  I can't 
remember why that isn't a good idea...


  -- Noel Jones


Re: That Relay Access Denied Thing (Solved, Almost)

2009-03-04 Thread Robert A. Ober

On 3/4/2009 12:32 PM, Robert A. Ober wrote:

On 3/4/2009 11:54 AM, Brian Evans - Postfix List wrote:

Robert A. Ober wrote:
   

On 3/4/2009 10:19 AM, Brian Evans - Postfix List wrote:
 

Robert A. Ober wrote

   

vi /etc/sysconfig/saslauthd :


 

FYI: saslauthd is Cyrus not Dovecot
 

Right and that means the type is Cyrus?

Robert


Re: That Relay Access Denied Thing (Solved, Almost)

2009-03-04 Thread Robert A. Ober

On 3/4/2009 11:54 AM, Brian Evans - Postfix List wrote:

Robert A. Ober wrote:
   

On 3/4/2009 10:19 AM, Brian Evans - Postfix List wrote:
 

Robert A. Ober wrote

   

vi /etc/sysconfig/saslauthd :


 

FYI: saslauthd is Cyrus not Dovecot
   

There is some issue with Mandriva 2009.0 that requires
SASL_AUTHMECH=shadow in /etc/sasl2/saslauthd.

Now it works for Thunderbird and OL2007.  OL2003 and OLXP still give
relay access denied.  Any OL workarounds?  Have outgoing server
requires authentication checked and with/without same as incoming.
 

Have you tried 'broken_sasl_auth_clients = yes' as listed in the
SASL_README?

Brian
   

And when I do sasl type and path (found with dovecot -n, duh) OL says:


Task 'bcgtest - Sending' reported error (0x800CCC0F) : 'The connection 
to the server was interrupted.  If this problem continues, contact your 
server administrator or Internet service provider (ISP).'


Robert

