RBL problems affect mail reception

2009-04-04 Thread Oguz Yilmaz
Hi,

On my postfix mail server I have RBL definitions at
smtpd_client_restrictions phase. At the moment 2 of 4 RBLs are waiting until
tcp timeout without an answer when I try with nslookup. This affects my
clients. Also client programs are waiting for sending e-mail. Is there any
way to put some timeout or any other resolution for the problem?

Regards,

Oguz Yilmaz

smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/access,
 permit_sasl_authenticated,
 permit_mynetworks,
 reject_rbl_client dnsbl.sorbs.net,
 reject_rbl_client dnsbl.njabl.org,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client bl.spamcop.net,
 permit


Re: not receiveing bounce backs when using postfix

2009-04-04 Thread Barney Desmond
2009/4/4  nr...@firstfinancial.org:

 Apr  3 23:32:11 mail postfix/smtp[6451]: 96B0EB8: to=df...@yahoo.com,
 relay=b.mx.mail.yahoo.com[66.196.97.250]:25, delay=0.38,
 delays=0.28/0.01/0.05/0.04, dsn=5.0.0, status=bounced (host
 b.mx.mail.yahoo.com[66.196.97.250] said: 554 delivery error: dd This user
 doesn't have a yahoo.com account (df...@yahoo.com) [-5] -
 mta241.mail.re3.yahoo.com (in reply to end of DATA command))
 Apr  3 23:32:11 mail postfix/cleanup[7281]: 2ACDFBA:
 message-id=20090404033211.2acd...@mail.firstfinancial.org
 Apr  3 23:32:11 mail postfix/bounce[31334]: 96B0EB8: sender non-delivery
 notification: 2ACDFBA

Show more logs. 96B0EB8 is the failed delivery to yahoo, 2ACDFBA is
the non-delivery notification that postfix will attempt to pass back
to Exchange. You need to find where that non-delivery notification has
gone.


Re: header_checks doesn't work (postfix 2.5.5 on debian lenny)

2009-04-04 Thread Magnus Bäck
On Friday, April 03, 2009 at 18:50 CEST,
 sosogh sos...@126.com wrote:

[...]

 [r...@postfix]# more recipient_access.txt 
 /special.com/   FILTER smtp:[127.0.0.1]:10026 

This regular expression will match not only special.com but also
especial.com, a.special.company.net etc. Consider writing a proper
regular expression or just use a regular indexed map. You don't need
PCRE for this.

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se
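
The over-matching described in the reply above, as an added example that is not part of the original post. The recipient addresses are constructed, the anchored pattern is one possible tightening rather than the poster's, and grep -Ei stands in for the table's case-insensitive match against the whole address.

```shell
#!/bin/sh
# Constructed recipient addresses, one per line.
RECIPIENTS='user@special.com
user@especial.com
user@a.special.company.net
user@specialxcom.example
user@mail.special.com'

LOOSE='special.com'          # the table entry as posted: /special.com/
STRICT='@special\.com$'      # anchored, dot escaped:     /@special\.com$/

# filtered PATTERN -> the recipients that the table entry would hand to FILTER.
filtered() {
    printf '%s\n' "$RECIPIENTS" | grep -Ei -- "$1" | paste -sd ' ' -
}

# unintended PATTERN DOMAIN -> how many matched recipients are NOT at DOMAIN.
unintended() {
    printf '%s\n' "$RECIPIENTS" | grep -Ei -- "$1" |
        awk -F@ -v d="$2" 'tolower($2) != d { n++ } END { print n + 0 }'
}

echo "loose  matches: $(filtered "$LOOSE")"
echo "strict matches: $(filtered "$STRICT")"
echo "unintended with loose pattern:  $(unintended "$LOOSE" special.com)"
echo "unintended with strict pattern: $(unintended "$STRICT" special.com)"
```
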


Re: not receiveing bounce backs when using postfix

2009-04-04 Thread Wietse Venema
nr...@firstfinancial.org:
 Thanks for the fast reply.
 
 I fixed the logging issue.
 
 From the /var/log/maillog
 
 Apr  3 23:32:11 mail postfix/smtp[6451]: 96B0EB8: to=df...@yahoo.com,
 relay=b.mx.mail.yahoo.com[66.196.97.250]:25, delay=0.38,
 delays=0.28/0.01/0.05/0.04, dsn=5.0.0, status=bounced (host
 b.mx.mail.yahoo.com[66.196.97.250] said: 554 delivery error: dd This user
 doesn't have a yahoo.com account (df...@yahoo.com) [-5] -
 mta241.mail.re3.yahoo.com (in reply to end of DATA command))
 Apr  3 23:32:11 mail postfix/cleanup[7281]: 2ACDFBA:
 message-id=20090404033211.2acd...@mail.firstfinancial.org
 Apr  3 23:32:11 mail postfix/bounce[31334]: 96B0EB8: sender non-delivery
 notification: 2ACDFBA

Do:

$ grep 2ACDFBA /var/log/maillog

Wietse


Re: RBL problems affect mail reception

2009-04-04 Thread Sahil Tandon
On Sat, 04 Apr 2009, Oguz Yilmaz wrote:

 On my postfix mail server I have RBL definitions at
 smtpd_client_restrictions phase. At the moment 2 of 4 rbl's waiting until
 tcp timeout without an answer when I try with nslookup. This affects my
 clients. Also client programs are waiting for sending e-mail. Is there any
 way to put some timeout or any other resolution for the problem?

If clients and their programs are trusted senders, then exclude them from
RBL checks.

-- 
Sahil Tandon sa...@tandon.net


new clamav-milter quarantaine in hold queue script

2009-04-04 Thread Robert Schetterer
Hi, the redesign
of the clamav-milter 0.95
does quarantine in the hold queue
before infected mails were written to some configurable dir

having them in hold is a nice option
but I am thinking of a script
getting them out of hold and store
in the filesystem and clean up hold

I have some clean mailerdaemon script
which works likely for deferred started by cron

what's your opinion, does it sound like a good
idea? I don't like the idea that infected mails may i.e. hold forever

or is there a way, yet, of configuring postfix to unhold
them and delete by a configured time period

after all I've asked clamav developers to bring back
store in filesystem option, which makes it more easy to investigate
infected mails because sometimes false positives happen
with antiphishing code etc

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: not receiveing bounce backs when using postfix

2009-04-04 Thread Wietse Venema
nr...@firstfinancial.org:
 Here is the output.
 
 # grep 2ACDFBA /var/log/maillog
 Apr  3 23:32:11 triton postfix/cleanup[7281]: 2ACDFBA:
 message-id=20090404033211.2acd...@mail.firstfinancial.org
 Apr  3 23:32:11 triton postfix/bounce[31334]: 96B0EB8: sender non-delivery
 notification: 2ACDFBA
 Apr  3 23:32:11 triton postfix/smtp[8455]: 2ACDFBA:
 to=no-re...@firstfinancial.org, relay=none, delay=0.19,
 delays=0.14/0.05/0/0, dsn=5.4.4, status=bounced (Host or domain name not
 found. Name service error for name=firstfinancial.org type=: Host found
 but no data record of requested type)

2ACDFBA is the Postfix bounce message, directed to the sender
address of message 96B0EB8 that could not be delivered.

If you want to find out why this bounce message is undeliverable,
see the mailing list welcome message below.

Wietse

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.


Re: new clamav-milter quarantaine in hold queue script

2009-04-04 Thread Victor Duchovni
On Sat, Apr 04, 2009 at 06:16:33PM +0200, Robert Schetterer wrote:

 having them in hold is a nice option
 but i am thinking of a script
 getting them out of hold and store
 in the filesystem and clean up hold

Here's my suggestion:

- Create a second Postfix instance in the same file-system.
- Run a cron job to move (rename(2)) messages from the HOLD queue
  of the main instance into the deferred queue of the second instance,
  carefully respecting the hash_depth of each directory.
- In the second instance, deliver all mail via a suitable daemonized
  SMTP server or via pipe(8) script. The daemon or script will be
  the entry point into a quarantine system that eventually expires
  unclaimed mail, generates reports and allows other administrative
  or user actions as you see fit.

This means that FILTER transport:nexthop is perhaps a better choice than
HOLD, but milters may not be able to express this action...

I am not aware of an open-source quarantine add-on for Postfix.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.
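
The cron step from the suggestion above, sketched as an added example that is not part of the original message. It assumes short queue IDs and that a hashed queue keeps a file under one subdirectory per leading character of its ID; the function names, paths and queue IDs are constructed, and the demo runs on a temporary directory tree rather than a real Postfix spool.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes short queue IDs and that a hashed
# queue keeps file ID under one directory per leading character of ID.

# hashed_path QUEUE_DIR QUEUE_ID DEPTH -> where QUEUE_ID lives at that hash depth
hashed_path() {
    dir=$1 id=$2 depth=$3 rest=$2
    while [ "$depth" -gt 0 ] && [ -n "$rest" ]; do
        dir=$dir/${rest%"${rest#?}"}      # append the next leading character
        rest=${rest#?}
        depth=$((depth - 1))
    done
    printf '%s/%s\n' "$dir" "$id"
}

# move_held HOLD_DIR DEFERRED_DIR DEPTH DAYS -> prints how many files moved.
# Files older than DAYS days are moved with mv, which is a rename(2) when both
# directories are on one file system, so name, owner and mode are kept.
move_held() {
    hold=$1 deferred=$2 depth=$3 days=$4 moved=0
    list=$(mktemp) || return 1            # unpredictable name, unlike /tmp/x.$$
    find "$hold" -type f -mtime +"$days" -print > "$list"
    while IFS= read -r path; do
        dest=$(hashed_path "$deferred" "${path##*/}" "$depth")
        [ -e "$dest" ] && continue        # never overwrite a queue file
        mkdir -p "${dest%/*}" && mv "$path" "$dest" && moved=$((moved + 1))
    done < "$list"
    rm -f "$list"
    echo "$moved"
}

# demo: constructed queue tree with one old and one fresh held message.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/main/hold" "$root/quarantine/deferred"
    : > "$root/main/hold/A1B2C3D"; touch -t 200904010000 "$root/main/hold/A1B2C3D"
    : > "$root/main/hold/E4F5A6B"
    n=$(move_held "$root/main/hold" "$root/quarantine/deferred" 2 2)
    echo "$n $(cd "$root" && find . -type f | sort | paste -sd ' ' -)"
    rm -rf "$root"
}

demo
```
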


Re: new clamav-milter quarantaine in hold queue script

2009-04-04 Thread Robert Schetterer
Victor Duchovni wrote:
 On Sat, Apr 04, 2009 at 06:16:33PM +0200, Robert Schetterer wrote:
 
 having them in hold is a nice option
 but i am thinking of a script
 getting them out of hold and store
 in the filesystem and clean up hold
 
 Here's my suggestion:
 
 - Create a second Postfix instance in the same file-system.
 - Run a cron job to move (rename(2)) messages from the HOLD queue
   of the main instance into the deferred queue of the second instance,
   carefully respecting the hash_depth of each directory.
 - In the second instance, deliver all mail via a suitable daemonized
   SMTP server or via pipe(8) script. The daemon or script will be
   the entry point into a quarantine system that eventually expires
   unclaimed mail, generates reports and allows other administrative
   or user actions as you see fit.
 
 This means that FILTER transport:nexthop is perhaps a better choice than
 HOLD, but milters may not be able to express this action...
 
 I am not aware of an open-source quarantine add-on for Postfix.
 

Hi Victor, this sounds very complicated
I was thinking more about a cron script like this (surely modified to the
hold issue)




#!/bin/sh

# we need to clean up MAILER-DAEMON messages

#try to deliver by force
#postqueue -f

#now its time to kill the rest

TMPFILE=/tmp/clean.queue.$$
DEFERDIR=/var/spool/postfix/deferred

# collect the filenames
mailq | grep MAILER-DAEMON | cut -f1 -d ' ' > $TMPFILE

for DEFERFILE in `cat $TMPFILE`
do
   FILEPATH=`find $DEFERDIR -name $DEFERFILE`


#echo $FILEPATH #for debug
#echo $DEFERFILE #for debug

#
# checks in use with spamass.
#
#  egrep -i 'spamassassin|hits\=[0-9]{1,2}\.[0-9]' $FILEPATH > /dev/null
#  if [ $? -eq 0 ]
#  then
#   deferred message is most likely spam
##
   postsuper -d $DEFERFILE deferred
#  fi
done

rm -f $TMPFILE > /dev/null


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: new clamav-milter quarantaine in hold queue script

2009-04-04 Thread Victor Duchovni
On Sat, Apr 04, 2009 at 07:01:08PM +0200, Robert Schetterer wrote:

  Here's my suggestion:
  
  - Create a second Postfix instance in the same file-system.
  - Run a cron job to move (rename(2)) messages from the HOLD queue
of the main instance into the deferred queue of the second instance,
carefully respecting the hash_depth of each directory.
  - In the second instance, deliver all mail via a suitable daemonized
SMTP server or via pipe(8) script. The daemon or script will be
the entry point into a quarantine system that eventually expires
unclaimed mail, generates reports and allows other administrative
or user actions as you see fit.
  
  This means that FILTER transport:nexthop is perhaps a better choice than
  HOLD, but milters may not be able to express this action...
  
  I am not aware of an open-source quarantine add-on for Postfix.
 
 Hi Victor, this sounds very complicated

Yes, I am proposing a robust, comprehensive system that could serve a
variety of needs.

 I was thinking more about a cron script like this (surely modified to the
 hold issue)

What do mail-daemon messages have to do with junk placed in the HOLD
queue by a milter?

 TMPFILE=/tmp/clean.queue.$$
 DEFERDIR=/var/spool/postfix/deferred
 
 # collect the filenames
 mailq |grep MAILER-DAEMON | cut -f1 -d ' ' > $TMPFILE
 
 for DEFERFILE in `cat $TMPFILE`
 do
FILEPATH=`find $DEFERDIR -name $DEFERFILE`

This is subject to race-conditions, because queue-ids can be re-used.

-- 
Viktor.



Re: Backscatter

2009-04-04 Thread Paweł Leśniak

On 2009-04-04 20:09, LuKreme wrote:
I've seen an increase in backscatter emails recently. Perfectly valid 
headers (AFAICT)


Return-Path: 
X-Original-To: kr...@kreme.com
Delivered-To: kr...@covisp.net
Received: from mail9.webair.com (mail9.webair.net [74.206.236.69])
by mail.covisp.net (Postfix) with ESMTPS id 4FC10118B5B0
for kr...@kreme.com; Sat,  4 Apr 2009 00:18:38 -0600 (MDT)
Received: (qmail 45760 invoked for bounce); 4 Apr 2009 06:18:36 -
Date: 4 Apr 2009 06:18:36 -
From: mailer-dae...@mail9.webair.com
To: kr...@kreme.com
Subject: failure notice
Message-Id: 20090404061838.4fc10118b...@mail.covisp.net


(I did just update this spf record to v=spf1 a mx 
ip4:75.148.117.94/29 ~all which I expect will help some)


Is there some sort of strategy I can implement that will reject a good 
portion of these kinds of messages? What are other people doing to 
deal with backscatter? I read up on SRS, but it doesn't sound like a 
great idea.



I'd recommend using rbl checks specified for this:
backscatter.map:
<> reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org
postmaster reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org, reject_rbl_client bl.spamcannibal.org


Add
check_sender_access hash:/etc/postfix/backscatter.map
at the very last of RBLs in smtpd_recipient_restrictions (or other
restrictions if you prefer). For sure you should also read info on
those blacklists.


IP you've provided as source of backscatter is listed in backscatterer.org.

Moreover, SPF won't help you much, because other mailserver admins would 
have to check it, and it's rarely supported.


Pawel Lesniak




Re: new clamav-milter quarantaine in hold queue script

2009-04-04 Thread Noel Jones

Robert Schetterer wrote:

I was thinking more about a cron script like this (surely modified to the
hold issue)

What do mail-daemon messages have to do with junk placed in the HOLD
queue by a milter?


Here's a dorky script I use to release mail on hold after a 
few days.  I have some questionable header_checks that HOLD 
mail and don't want to keep mail on hold forever if I'm on 
vacation or whatever...


It can easily be modified to move mail elsewhere or just 
delete old mail.  Caution: if you move the file without 
renaming it, keep it in the same filesystem to insure unique 
filenames.


Just run from cron a couple times a day.

8X
#!/bin/sh
# pf-releasehold - automatically release messages from
# the hold queue if they are greater than DAYSOLD days old.

PBIN=/usr/sbin
DAYSOLD=2

QUEUEDIR=`$PBIN/postconf -h queue_directory`
HOLDQUEUE=${QUEUEDIR}/hold
TMPFILE=/tmp/pfhold-$$

find ${HOLDQUEUE} -type f -mtime +${DAYSOLD} -print > ${TMPFILE}

# -s is true only when the file exists and is not empty
if test ! -s ${TMPFILE}
  then echo 'nothing to release from hold'
   rm -f ${TMPFILE}
   exit
fi


# if we get this far, there must be something that needs to be released


for QUEUEPATH in `cat ${TMPFILE}`
do
QUEUEID=`basename ${QUEUEPATH}`

# change this line to adjust action
$PBIN/postsuper -H ${QUEUEID} 2>&1 |
   mail -s 'pf-releasehold' postmaster

done

rm -f ${TMPFILE}

8X


Of course, the better answer is:
If clamav-milter isn't doing what you need, use another 
milter.  There are several milters that can interface to clamd.


  -- Noel Jones


Re: Backscatter

2009-04-04 Thread LuKreme

On 4-Apr-2009, at 16:02, Noel Jones wrote:
Best in smtpd_data_restrictions so you don't reject sourceforge and  
others sender verification probes.


Is there anything I need to be concerned about having/not having in  
smtpd_data_restrictions?  it is currently commented out.  if I simply  
put:


smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_rbl_client ips.backscatterer.org,
    reject_rbl_client bl.spamcannibal.org
    permit

is that good enough?  (the pipelining was there before in the  
commented out declaration along with the permit). I am sad to say I am  
still a little unclear about how the various smtpd_mumble_restrictions  
work together.


IP you've provided as source of backscatter is listed in  
backscatterer.org.
Moreover, SPF won't help you much, because other mailserver admins  
would have to check it, and it's rarely supported.


True.  It seems that sites with SPF are less frequently chosen as  
joe-job victims, but there's no guarantee.  At any rate, adding SPF  
shouldn't hurt anything.


Well, I am hoping spf helps a bit. I'd left off the ~all on some
domain's configuration and I've noticed a lot of this backscatter has


Received-SPF: neutral (mail9.webair.com: 85.9.127.134 is neither  
permitted nor denied by SPF record at kreme.com)



Other suggestions...

Add the header_checks suggested in 
http://www.postfix.org/BACKSCATTER_README.html
Note the examples will need to be customized for your site.


Oh, those look like a good idea in general, backscatter or not. At  
least in the header_checks.  I am leery of running body_checks as it  
seems those would be expensive.



If you're using SpamAssassin, the VBOUNCE rules are helpful.



Yeah, but SA is run after reception.  I'd rather reject backscatter  
than discard it, if possible.


Thanks, this is great info.

--
I'll trade you 223 Wesley Crushers for your Captain Picard



Re: Backscatter

2009-04-04 Thread Sahil Tandon
On Sat, 04 Apr 2009, LuKreme wrote:

 On 4-Apr-2009, at 16:02, Noel Jones wrote:
 Best in smtpd_data_restrictions so you don't reject sourceforge and  
 others sender verification probes.

 Is there anything I need to be concerned about having/not having in  
 smtpd_data_restrictions?  it is currently commented out.  if I simply  
 put:

 smtpd_data_restrictions =
 reject_unauth_pipelining,
 reject_rbl_client ips.backscatterer.org,
 reject_rbl_client bl.spamcannibal.org
 permit

The trailing permit is unnecessary.  And some people worry about blocking
legitimate mail from sites listed on those RBLs.  If you share that fear, you
could use an access(5) table to limit the RBL lookups (and rejections) only
to null envelope senders.

 is that good enough?  (the pipelining was there before in the commented 
 out declaration along with the permit). I am sad to say I am still a 
 little unclear about how the various smtpd_mumble_restrictions work 
 together.

For more clarity and general illumination, see:
http://www.postfix.org/SMTPD_ACCESS_README.html

-- 
Sahil Tandon sa...@tandon.net


Re: Cannot use restrictions to block emails between local users.

2009-04-04 Thread Xn Nooby
 Chances are you'll need to modify the webmail software so that it
 sends mail via SMTP, then maybe you'll be able to reject it as you
 want to (this will depend on the webmail software setting the right
 sender address).

Hurray, that worked!  I was able to block an email after changing
SquirrelMail from sendmail to SMTP.

FYI, this email server is for internal use, in an environment where
people are supposed to only use it to contact their supervisors, and
not each other.

thanks!!