Re: Minor bug in web site documentation

2009-04-27 Thread Wietse Venema
Brian Mathis:
> On the page http://www.postfix.org/SMTPD_ACCESS_README.html this
> statement is made beneath the examples:
> ...the last example above allows mail from local networks but otherwise...
> 
> It should say:
> ...the first example above allows mail from local networks but 
> otherwise...
> 
> That's a change from "last" to "first"

No, it was last, before two more examples were added. Now it is fourth.

Wietse


Re: Wishing I could change the level of smtpd DNS messages

2009-04-27 Thread Wietse Venema
Jacob Anawalt:
> Hello,
> 
> When I look at my mail.warn file (log level warn or greater), or grep
> mail.log for warning messages, I am presented with a flood of 'Name or
> service not known', 'address not listed for hostname', and 'numeric
> hostname' messages. I run a small site yet mail.warn log has 16k lines
> since yesterday and 14k of them are one of those messages.

man egrep
man fgrep

In particular look for the -v and -f options.

It's easier to throw away information than not having the information
when you need to investigate a problem report.

Wietse


Re: It's recommended to use reject_unknown_client

2009-04-27 Thread Res

On Mon, 27 Apr 2009, Noel Jones wrote:

> reject_unknown_client_hostname) is known to reject legit mail.  Use with

What would be nice is the ability to add a simple, different custom
message to each of these kinds of tests (reject_unknown_client_hostname,
reject_unknown_helo_hostname, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname).


Or, have each default changed so they get blocked with messages like
"Client host rejected: cannot find your hostname [1.2.3.4] please refer
your postmaster to RFC 1912 s2.1"


Sadly, most (post|host)masters don't have a clue, but when you guide them
in the right direction, changes can occur, and most (those who do care, and
want to try to do the right thing) are normally very grateful.


--
Res

-Beware of programmers who carry screwdrivers


Minor bug in web site documentation

2009-04-27 Thread Brian Mathis
On the page http://www.postfix.org/SMTPD_ACCESS_README.html this
statement is made beneath the examples:
...the last example above allows mail from local networks but otherwise...

It should say:
...the first example above allows mail from local networks but otherwise...

That's a change from "last" to "first"


Re: Wishing I could change the level of smtpd DNS messages

2009-04-27 Thread Victor Duchovni
On Mon, Apr 27, 2009 at 02:55:41PM -0600, Jacob Anawalt wrote:

> When I look at my mail.warn file (log level warn or greater), or grep
> mail.log for warning messages, I am presented with a flood of 'Name or
> service not known', 'address not listed for hostname', and 'numeric
> hostname' messages. I run a small site yet mail.warn log has 16k lines
> since yesterday and 14k of them are one of those messages.

SMTP server warnings I typically ignore when reporting unusual log events:

my $tmp = join("|",
    q{Illegal address syntax from },
    q{TLS library problem: \d+:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:},
    q{TLS library problem: \d+:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:},
    q{TLS library problem: \d+:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:},
    q{Unable to look up (?:MX|NS) host \S+ for Sender address },
    q{Unable to look up (?:MX|NS) host for \S+:},
    q{[\d.]+: address not listed for hostname \S+},
    q{[\d.]+: hostname \S+ verification failed: },
    q{\w+: queue file size limit exceeded},
    q{malformed domain name in resource data of (?:MX|NS|CNAME) record for \S+:},
    q{network_biopair_interop: error reading \d+ bytes from the network: Connection reset by peer},
    q{network_biopair_interop: error writing \d+ bytes to the network: (?:Connection reset by peer|Broken pipe)},
    q{non-SMTP command from \S+:},
    q{numeric domain name in resource data of (?:MX|NS) record for \S+:},
    q{numeric hostname: },
    q{valid_hostname: empty hostname},
    q{valid_hostname: invalid character \S+:},
    q{valid_hostname: misplaced delimiter:},
    q{valid_hostname: numeric hostname: },
);
my $smtpdok = qr{$tmp};

SMTP client warnings I typically ignore when reporting unusual log events:

$tmp = join("|",
    q{TLS library problem: \d+:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:},
    q{TLS library problem: \d+:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:},
    q{malformed domain name in resource data of (?:MX|CNAME) record for \S+:},
    q{network_biopair_interop: error reading \d+ bytes from the network: Connection reset by peer},
    q{network_biopair_interop: error writing \d+ bytes to the network: (?:Connection reset by peer|Broken pipe)},
    q{no MX host for \S+ has a valid address record},
    q{numeric domain name in resource data of MX record for \S+:},
    q{tls_text_name: \S+ peer certificate has no (?:subject CN|issuer Organization)},
    q{valid_hostname: empty hostname},
    q{valid_hostname: invalid character \S+:},
    q{valid_hostname: misplaced delimiter:},
    q{valid_hostname: numeric hostname: },
    q{host \S+\[(?:0\.0\.0\.0|127\.0\.0\.1)\]:25} .
    q{ (?:greeted me|replied to HELO/EHLO) with my own hostname},
);
my $smtpok = qr{$tmp};

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

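The same ignore-list idea as Viktor's Perl above, applied to Postfix syslog lines from Python, as an added example that is neither his script nor Postfix project code: one compiled alternation per program drops the known noise, everything else is reported. The patterns are a subset of the lists above; the log lines, hostnames and addresses are constructed sample data.

```python
import re

# Added example (not Victor's script, not Postfix project code): the same
# "ignore list" idea applied to Postfix syslog lines. The patterns are a
# subset of the post's lists; the log lines below are constructed.

SMTPD_IGNORE = [
    r"Illegal address syntax from ",
    r"TLS library problem: \d+:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:",
    r"Unable to look up (?:MX|NS) host \S+ for Sender address ",
    r"[\d.]+: address not listed for hostname \S+",
    r"[\d.]+: hostname \S+ verification failed: ",
    r"non-SMTP command from \S+:",
    r"numeric hostname: ",
    r"valid_hostname: (?:empty hostname|invalid character \S+:|misplaced delimiter:|numeric hostname: )",
]

SMTP_IGNORE = [
    r"no MX host for \S+ has a valid address record",
    r"numeric domain name in resource data of MX record for \S+:",
    r"tls_text_name: \S+ peer certificate has no (?:subject CN|issuer Organization)",
    r"host \S+\[(?:0\.0\.0\.0|127\.0\.0\.1)\]:25 (?:greeted me|replied to HELO/EHLO) with my own hostname",
]

# One compiled alternation per Postfix program, like $smtpdok / $smtpok above.
IGNORE = {
    "postfix/smtpd": re.compile("|".join(SMTPD_IGNORE)),
    "postfix/smtp": re.compile("|".join(SMTP_IGNORE)),
}

# Traditional syslog layout: "Apr 27 10:00:01 mx postfix/smtpd[2001]: warning: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def unusual_warnings(lines):
    """Return the warning lines worth a look: warnings whose program has an
    ignore list but which match none of its patterns, plus warnings from
    programs that have no ignore list at all. Non-warning lines and lines
    that do not parse as syslog are skipped."""
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("msg").startswith("warning: "):
            continue
        text = m.group("msg")[len("warning: "):]
        ignore = IGNORE.get(m.group("prog"))
        if ignore is not None and ignore.search(text):
            continue  # known noise, the Python equivalent of "grep -v -f patterns"
        kept.append(line)
    return kept


# Constructed sample log: three DNS/hostname warnings, one SASL failure, two
# smtp client warnings, one non-warning line and one warning from local(8).
SAMPLE_LOG = """\
Apr 27 10:00:01 mx postfix/smtpd[2001]: warning: 192.0.2.10: address not listed for hostname mail.example.net
Apr 27 10:00:02 mx postfix/smtpd[2001]: warning: 198.51.100.7: hostname host7.example.org verification failed: Name or service not known
Apr 27 10:00:03 mx postfix/smtpd[2001]: warning: numeric hostname: 203.0.113.5
Apr 27 10:00:04 mx postfix/smtpd[2002]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Apr 27 10:00:05 mx postfix/smtp[2100]: warning: no MX host for example.invalid has a valid address record
Apr 27 10:00:06 mx postfix/smtp[2100]: warning: host relay.example.com[127.0.0.1]:25 greeted me with my own hostname mx.example.com
Apr 27 10:00:07 mx postfix/smtpd[2001]: connect from unknown[203.0.113.5]
Apr 27 10:00:08 mx postfix/local[2200]: warning: database /etc/aliases.db is older than source file /etc/aliases
""".splitlines()

if __name__ == "__main__":
    # Only the SASL failure and the local(8) warning survive the filter.
    for line in unusual_warnings(SAMPLE_LOG):
        print(line)
```

Run against a real mail.log the hostname-lookup flood from the original question disappears while anything not on the list, such as the SASL authentication failure, stays visible.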

Wishing I could change the level of smtpd DNS messages

2009-04-27 Thread Jacob Anawalt
Hello,

When I look at my mail.warn file (log level warn or greater), or grep
mail.log for warning messages, I am presented with a flood of 'Name or
service not known', 'address not listed for hostname', and 'numeric
hostname' messages. I run a small site yet mail.warn log has 16k lines
since yesterday and 14k of them are one of those messages.

I've read that "many Postfix access control mechanisms depend on the
client hostname" and I can appreciate the utility of them in a log
next to the check that may be failing. That is why I am not enabling
"smtpd_peername_lookup = no". I just wish these messages weren't
emitted as warnings but instead at some lower log level, perhaps even
controllable via some smtpd_dns_logas parameter.

I am just throwing this out as something to consider. Perhaps these
messages must be warning level and it may not be worth the trouble of
documenting or maintaining a new feature. I just installed syslog-ng
and am using its filter match facility to keep those messages out of
my mail.warn log.

Thank you for a great email system,
-- 
Jacob


Re: How to encrypt email?

2009-04-27 Thread Andrzej Adam Filip
"Jeff Huang"  wrote:  
> I found the email files that are stored under the Maildir are clearly
> code.
>
> If I am the administrator of the system, I can see all user's email
> contents.
>
> Is there a method to encrypt the email files so that the administrator
> can't see the email contents, even if he can read the files?

I think you want public key encryption (one key to encrypt, another to
decrypt) at receiving server before delivery to local mailbox/maildir.

It can be done e.g. by making the MTA (postfix) deliver to local mailboxes
using procmail and calling a "custom encryption script/program" from
~/.procmailrc.
*BUT*
the system administrator (root) can get access to email before it is
encrypted, so MUA-MUA (sender's email client to recipient's email client)
encryption is much safer/more secure.

-- 
[pl>en: Andrew] Andrzej Adam Filip : a...@onet.eu
I found Rome a city of bricks and left it a city of marble.
  -- Augustus Caesar


Re: How to encrypt email?

2009-04-27 Thread martijn.list

lst_ho...@kwsoft.de wrote:

> Have a look for PGP or S/MIME. This is client side encryption and must
> therefore be configured in the client settings, not postfix.


You can use a S/MIME gateway like Djigzo open source email encryption 
gateway (www.djigzo.com) to encrypt all your incoming email with a 
certificate for each user. The recipients need the private key to read 
any email delivered to their inbox.


Martijn Brinkers

--
Djigzo open source email encryption gateway www.djigzo.com


Re: Address verification issues

2009-04-27 Thread Charles Marcus
On 4/27/2009, xul...@onlineok.com (xul...@onlineok.com) wrote:
> Error output from a test SMTP session:

We need logs, not the client's interpretation...

-- 

Best regards,

Charles


Re: Address verification issues

2009-04-27 Thread xulfer

> xul...@onlineok.com:
>> > xul...@onlineok.com:
>> >> append_at_myorigin = no
>> >
>> > As documented, this is NOT SUPPORTED.
>> >
>>
>> Blah sorry, there has been a new development.  Instead I'm now getting
>> 550-No such person at this address 550 Sender verify failed (in reply to
>> RCPT TO command).  I've tested with many addresses, and all are verified
>> to exist.
>
> You're welcome to send a problem report to postfix-users,
> with the "postconf -n" output, and other context that
> allows other people to reproduce the problem.
>
> Wietse
>

Ah, sorry I guess I should have reposted it.

postconf -n:
address_verify_map = btree:/var/postfix/verify
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix/html
inet_protocols = all
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
relay_domains = test.com
relayhost = [mail.test.com]
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtpd_recipient_restrictions = reject_unauth_destination
reject_unknown_recipient_domain reject_unverified_recipient
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

transport:
test.com    relay:[mail.test.com]

Error output from a test SMTP session:
RCPT TO: 
450 4.1.1 : Recipient address rejected: unverified
address: host mail.test.com[192.168.1.1] said: 550-Verification failed for
 550-No such person at this address 550 Sender
verify failed (in reply to RCPT TO command)




Re: It's recommended to use reject_unknown_client

2009-04-27 Thread Robert Schetterer
deconya schrieb:
> thanks Noel
> 
> I don't like this option. Too many risks.
> 
> Best Regards
> 
> On Mon, Apr 27, 2009 at 5:49 PM, Noel Jones  > wrote:
> 
> deconya wrote:
> 
> Hi list
>
> I'm looking at different options to configure postfix main.cf
> and I see the
> reject_unknown_client. I don't know if it's recommended because
> my postfix server is used for external clients and more uses
> connections with dynamic IP. If I put this, where does it go, in
> smtp_recipient_restrictions or smtp_client_restrictions?
> 
> Thanks
> 
> 
> {press the [plain text] button when posting from gmail}
> 
> reject_unknown_client (with postfix < 2.3, named
> reject_unknown_client_hostname) is known to reject legit mail.  Use
> with caution.  You can try it out with:
>  warn_if_reject reject_unknown_client_hostname
> for a period of time to log clients what would be rejected, without
> actually rejecting them.
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> http://www.postfix.org/postconf.5.html#warn_if_reject
> 
> It can be used under any of the smtpd_*_restrictions.  The "best"
> place depends on your other restrictions and what you intend to
> accomplish.  A "typical" usage might look something like:
> smtpd_recipient_restrictions =
>  permit_mynetworks
>  permit_sasl_authenticated
>  reject_unauth_destination
>  reject_unknown_client_hostname
>  ... other UCE rules ...
> 
> 
>  -- Noel Jones
> 
> 
Hi,
using reject_unknown_reverse_client_hostname
is mostly safe to use these days, as many big mail providers use it too,
i.e. gmx.de

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: It's recommended to use reject_unknown_client

2009-04-27 Thread deconya
thanks Noel

I don't like this option. Too many risks.

Best Regards

On Mon, Apr 27, 2009 at 5:49 PM, Noel Jones  wrote:

> deconya wrote:
>
>> Hi list
>>
>> I'm looking at different options to configure postfix main.cf
>> and I see the reject_unknown_client. I don't know if it's recommended because
>> my postfix server is used for external clients and more uses connections
>> with dynamic IP. If I put this, where does it go, in smtp_recipient_restrictions
>> or smtp_client_restrictions?
>>
>> Thanks
>>
>
> {press the [plain text] button when posting from gmail}
>
> reject_unknown_client (with postfix < 2.3, named
> reject_unknown_client_hostname) is known to reject legit mail.  Use with
> caution.  You can try it out with:
>  warn_if_reject reject_unknown_client_hostname
> for a period of time to log clients what would be rejected, without
> actually rejecting them.
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> http://www.postfix.org/postconf.5.html#warn_if_reject
>
> It can be used under any of the smtpd_*_restrictions.  The "best" place
> depends on your other restrictions and what you intend to accomplish.  A
> "typical" usage might look something like:
> smtpd_recipient_restrictions =
>  permit_mynetworks
>  permit_sasl_authenticated
>  reject_unauth_destination
>  reject_unknown_client_hostname
>  ... other UCE rules ...
>
>
>  -- Noel Jones
>


Re: It's recommended to use reject_unknown_client

2009-04-27 Thread Noel Jones

deconya wrote:

> Hi list
>
> I'm looking at different options to configure postfix main.cf
> and I see the reject_unknown_client. I don't know if
> it's recommended because my postfix server is used for external clients
> and more uses connections with dynamic IP. If I put this, where does it go,
> in smtp_recipient_restrictions or smtp_client_restrictions?
>
> Thanks


{press the [plain text] button when posting from gmail}

reject_unknown_client (with postfix < 2.3, named 
reject_unknown_client_hostname) is known to reject legit mail. 
 Use with caution.  You can try it out with:

  warn_if_reject reject_unknown_client_hostname
for a period of time to log clients what would be rejected, 
without actually rejecting them.

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#warn_if_reject

It can be used under any of the smtpd_*_restrictions.  The 
"best" place depends on your other restrictions and what you 
intend to accomplish.  A "typical" usage might look something 
like:

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  reject_unknown_client_hostname
  ... other UCE rules ...


  -- Noel Jones


It's recommended to use reject_unknown_client

2009-04-27 Thread deconya
Hi list

I'm looking at different options to configure postfix main.cf and I see the
reject_unknown_client. I don't know if it's recommended because my postfix
server is used for external clients and more uses connections with dynamic
IP. If I put this, where does it go, in smtp_recipient_restrictions or
smtp_client_restrictions?

Thanks


Re: Strange problem with postfix and dovecot sasl auth

2009-04-27 Thread Juha Pahkala

Timo Sirainen wrote:

> On Apr 26, 2009, at 11:58 PM, Timo Sirainen wrote:
>
>>> smtpd_sasl_path = private/dovecot
>>> ..
>>> I can see the private/auth socket created when dovecot starts, with
>>> postfix:postfix permissions. Also, netstat shows it:
>>>
>>> bash:# netstat -ln | grep dovecot
>>> unix  2  [ ACC ] STREAM LISTENING 111791   private/dovecot
>>
>> I don't see it there. What is that private/dovecot anyway? Maybe
>> netstat -lnp | grep dovecot would have shown the socket though.
>
> Oh. That's actually it. Dovecot is listening on private/auth, but
> Postfix is connecting to private/dovecot. But what is listening on
> private/dovecot then? You've added some kind of a "dovecot" service to
> master.cf?





Doh! I can't believe I've missed that, don't know how many times and
hours I've spent staring at the config files, feeling a bit stupid
atm... ;)

Thanks Timo for spotting it, much appreciated! And Victor was right in
his answer, the 'private/dovecot' showing in netstat is indeed a pipe
transport.

THANK YOU!!!

juhis

p.s. everything's working now wrt. my dovecot&postfix co-existence.




redirect the emails

2009-04-27 Thread tom lee
Hello,
I created 365 directories based on date for every year and
want to redirect all incoming emails to the 365 different directories
based on date.
For example, all emails arriving on 01/01/2009 should go to directory
HOME/Maildir/20090101.

How can it be done via postfix or procmail?

Thanks.
tom


Re: Address verification issues

2009-04-27 Thread Wietse Venema
xul...@onlineok.com:
> append_at_myorigin = no

As documented, this is NOT SUPPORTED.


Re: how to detect spam attacks

2009-04-27 Thread deconya
Continuing with this thread, I comment that where I put the options, I could
see the server refuses external connections. Finally I needed to comment out
the permit_mynetworks option and I think all is going right.

In the server the options are:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/overquota,
#   permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unauth_pipelining,
check_client_access hash:/etc/postfix/clientes
reject_unauth_destination,
### Blacklists against the mailboxes ###
reject_rbl_client rbl.orbitrbl.com,
#   reject_rbl_client zen.spamhaus.org,   ### too many false positives from telefonica
reject_rbl_client whois.rfc-ignorant.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client psbl.surriel.com,
permit

Any idea where is the cause of external rejections?

Thanks && Best Regards

On Mon, Apr 27, 2009 at 11:26 AM, deconya  wrote:

> Hi list
>
> The first thing to do will be a blacklist created for me. I'm looking to
> make it and am putting the line:
>
> check_client_access hash:/etc/postfix/blacklist
>
> but I have doubts. Where do I need to put this? In smtp_recipient_restrictions
> or in smtpd_client_restrictions?
> Does the content inside the archive permit putting domains and IPs?
> For example:
> 121.222.33.44 REJECT
> domain.com REJECT
>
> This is my configuration:
>
> smtpd_recipient_restrictions =
> check_recipient_access hash:/etc/postfix/overquota,
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_invalid_hostname,
> reject_unauth_pipelining,
> #check_client_access hash:/etc/postfix/clientes #This is correct
>
> reject_unauth_destination,
> reject_rbl_client rbl.orbitrbl.com,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client whois.rfc-ignorant.org,
> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client zombie.dnsbl.sorbs.net,
> reject_rbl_client bl.spamcop.net,
> permit
>
> Other recommendations?
>
>
> On Mon, Apr 27, 2009 at 12:39 AM, Terry Carmen wrote:
>
>>
>> > Hi list
>> >
>> > I'm with the next problem: I have an old server and I'm in the process of
>> > migrating to a better machine, but actually I'm having spam attacks on the
>> > server that saturate it. Because of the age of the server and because in
>> > two weeks it is replaced I can't install any program like spamity or
>> > similar to help detect spam attacks, but I need to understand the mail.log
>> > to deduce the IPs where the attacks come from and stop them. Can anyone
>> > help me with what clues can help me deduce these IPs?
>>
>> There are a number of things you can do, including possibly using a better
>> (or an additional) blacklist, rejecting incoming connections that have no
>> reverse DNS entry, and on a more controversial, but very effective note,
>> rejecting IP addresses that have a "dynamic looking" reverse DNS and
>> rejecting messages that are for non-existent users.
>>
>> If you can post a few log entries for this spam, as well as the output
>> from postconf -n, I'm sure you'll get a lot of good suggestions.
>>
>> Some well-chosen restrictions will let even a small machine handle a
>> really significant volume of mail. The trick is to reject as much spam as
>> possible during the initial SMTP connection.
>>
>> Terry
>>
>
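The original question in this thread asks how to read mail.log to find where the rejected traffic comes from. As an added example that is not part of the thread, this Python snippet groups Postfix smtpd "NOQUEUE: reject:" lines by client IP and by the restriction that fired, and turns the noisiest clients into candidate lines for the check_client_access table discussed above. The log lines, hostnames and addresses are constructed sample data; the reason-to-restriction mapping covers only the reject texts that appear in the sample.

```python
import re
from collections import Counter

# Added example (not from the thread): summarise which clients Postfix is
# rejecting, and why, from smtpd "NOQUEUE: reject:" log lines. Log lines,
# hostnames and addresses below are constructed sample data.

# "NOQUEUE: reject: RCPT from rdns[ip]: 554 5.7.1 reason; from=<a> to=<b> ..."
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify(reason):
    """Map the free-text reject reason to the smtpd restriction that fired.
    Only the reason texts seen in the constructed sample are recognised."""
    m = re.search(r"blocked using (\S+)", reason)
    if m:
        return "reject_rbl_client:" + m.group(1)
    if "cannot find your hostname" in reason:
        return "reject_unknown_client_hostname"
    if "User unknown" in reason:
        return "unknown_recipient"
    if "Relay access denied" in reason:
        return "reject_unauth_destination"
    return "other"


def parse_rejects(lines):
    """Yield (client_ip, category, smtp_code) for every smtpd reject line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), classify(m.group("reason")), m.group("code")


def reject_summary(lines):
    """Return [(ip, total, Counter(category -> count))], busiest client first.
    Ties keep first-seen order, which is what Counter.most_common() gives."""
    totals = Counter()
    per_ip = {}
    for ip, category, _code in parse_rejects(lines):
        totals[ip] += 1
        per_ip.setdefault(ip, Counter())[category] += 1
    return [(ip, n, per_ip[ip]) for ip, n in totals.most_common()]


def access_map_candidates(lines, threshold):
    """Clients rejected at least `threshold` times, formatted as lines for a
    check_client_access table (the "1.2.3.4 REJECT" form used in the thread).
    These are candidates for a human to review, not an automatic block list."""
    return [f"{ip} REJECT" for ip, n, _ in reject_summary(lines) if n >= threshold]


# Constructed sample log: one client hitting two RBLs three times, one
# legitimate-looking relay with a bad recipient, one client without reverse
# DNS, and one non-reject line that must be ignored.
SAMPLE_LOG = """\
Apr 27 09:00:01 mx postfix/smtpd[3001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<spam@example.invalid> to=<alice@example.com> proto=ESMTP helo=<abc>
Apr 27 09:00:02 mx postfix/smtpd[3001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using bl.spamcop.net; from=<spam@example.invalid> to=<bob@example.com> proto=ESMTP helo=<abc>
Apr 27 09:00:03 mx postfix/smtpd[3002]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.40]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<nobody@example.com> proto=ESMTP helo=<mail.example.net>
Apr 27 09:00:04 mx postfix/smtpd[3001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<spam@example.invalid> to=<carol@example.com> proto=ESMTP helo=<abc>
Apr 27 09:00:05 mx postfix/smtpd[3003]: connect from mail.example.org[198.51.100.2]
Apr 27 09:00:06 mx postfix/smtpd[3003]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.77]; from=<u@example.org> to=<alice@example.com> proto=ESMTP helo=<x>
""".splitlines()

if __name__ == "__main__":
    for ip, total, reasons in reject_summary(SAMPLE_LOG):
        print(f"{ip:16} {total:4}  {dict(reasons)}")
    print(access_map_candidates(SAMPLE_LOG, threshold=3))
```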


Re: Another SMTP protocol breakage by ASA

2009-04-27 Thread Ralf Hildebrandt
* Mark Martinec :
> Ralf, here is another one for your list of Cisco PIX and ASA
> problems with inspection of a SMTP protocol (actually, parsing
> of a mail header section):
> 
>   http://www.arschkrebs.de/postfix/postfix_cisco_pix_bugs.shtml
> 
> 
> 
> CSCsy28792
> SMTP session disconnects due to improper parsing of a DKIM header field by ASA
> 
> Problem description:
>   SMTP session is disconnected during DATA phase of a SMTP transaction
>   for mail messages with a DKIM signature, where the start of a string
>   "content-type" or "content-transfer-encoding" in a tag's value of
>   an "h" tag of a DKIM signature happens to fall on a packet boundary
>   at a start of a packet. The session is dropped with the next packet
>   containing a Content-Type or Content-Transfer-Encoding header field.
> 
> Platform:
>   ASA5580-40
>   Cisco Adaptive Security Appliance Software Version 8.1(2)

Updated.

-- 
Ralf Hildebrandt
Postfix - setup, operation and maintenance   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
A well managed mailserver has an empty queue. Instead of spending effort on
priority queueing, make the system drain the queue faster for all mail...


Address verification issues

2009-04-27 Thread xulfer
I seem to be having issues with reject_unverified_recipient.  Everything
seems okay for the most part until the RCPT To: in which case I get:

450 4.1.1 : Recipient address rejected: unverified address:
host mail.test.com[192.168.4.2] said: 501 : sender address
must contain a domain (in reply to MAIL FROM command)

postconf -n:
address_verify_map = btree:/var/postfix/verify
append_at_myorigin = no
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix/html
inet_protocols = all
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
mydomain = test.com
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
relay_domains = test.com
relayhost = [mail.test.com]
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtpd_recipient_restrictions = reject_unauth_destination
reject_unknown_recipient_domain reject_unverified_recipient
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Any comments, or suggestions would be greatly appreciated.  Thanks!



Sender based outgoing IP selection

2009-04-27 Thread Attila Nagy

Hello,

I have to route e-mails coming from different IP addresses to the world 
(no single smarthost, the target can be anything) with different source IPs.


So a mail coming in on 1.1.1.1 should go out with the source address of 
2.2.2.2 and another coming in on 3.3.3.3 should go out from 4.4.4.4.
Postfix listens on 1.1.1.1 and 3.3.3.3 and the machine also has the
addresses 2.2.2.2 and 4.4.4.4, of course.


Am I right when I think this can only be done correctly with two postfix 
instances?


Thanks,


Re: Problem with local delivery

2009-04-27 Thread Mateusz Kijowski
2009/4/23 Dominic Osterried :
> Hello,
>
> i've got a strange problem with postfix: When I try to send a mail to
> a local user postfix says that this user is not existing. As soon as I
> put the line "jacques: dominic.osterr...@gmx.de" in /etc/aliases, the
> mail gets send without any problems via gmx.  Obviously its only a
> problem with local mail.
> I'm sending testmail with the command "mail jacques" from the CLI. The
> System is Debian Testing.

I recall that postfix services in Debian are run chrooted by default.

[...]

> local     unix  -       n       -       -       -       local

Doesn't the above mean that the "local" service is running chrooted?  If so,
then it doesn't know anything about your local user jacques. Try
turning off the chroot for the local service, which according to
http://www.postfix.org/master.5.html should not be used for local.

--
Mateusz


Re: Per-user sending quotas

2009-04-27 Thread Robert Schetterer
Guy schrieb:
> Hi guys,
> 
> The boss wants to be able to limit the amount of mail a user can send
> and the number of recipients based on their "level" of account. A
> higher level account can have more recipients and more messages per
> time period. Basically per user anvil settings.
> 
> As far as I'm aware this is directly possible in Postfix, but has
> anyone heard of an SMTP proxy or something along those lines that
> could do this?
> 
> Thanks
> Guy
> 
look at
http://www.policyd.org/tiki-index.php?page=Accounting&structure=Documentation
to see if the Message Count Limit feature is enough for you,
but I think you will not find a solution with scalable account levels

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Per-user sending quotas

2009-04-27 Thread Guy
Hi guys,

The boss wants to be able to limit the amount of mail a user can send
and the number of recipients based on their "level" of account. A
higher level account can have more recipients and more messages per
time period. Basically per user anvil settings.

As far as I'm aware this is directly possible in Postfix, but has
anyone heard of an SMTP proxy or something along those lines that
could do this?

Thanks
Guy

-- 
Don't just do something...sit there!


Re: Queued non-deliverable message

2009-04-27 Thread Simon Wilson

Quoting Sahil Tandon :

> On Mon, 27 Apr 2009, Simon Wilson wrote:
>
>> So my question is why did I get a message that one was wrong and not the
>> other? Do I need to change config somehow?
>
> You use reject_unknown_recipient_domain, which results in a deferral and
> re-retry of mail delivery in the case of *temporary* error.  Postfix will try
> to deliver the mail until $maximal_queue_lifetime.  Set $delay_warning_time
> to a non-zero value if you wish for Postfix to send the envelope sender a
> notice that mail was undeliverable, but is still being re-tried.
>
> To understand the difference between your two scenarios, try using host(1) to
> query yahoo.com.uk and talktalk.com.
>
> --
> Sahil Tandon


Aha! Now I understand - thank you to you both (Michael and Sahil).  
Running host on them both shed a lot of light. I'll look at  
$delay_warning_time so it warns me if I do it again...


Thanks.

--
Simon Wilson
www.simonandkate.net


Re: eMail redirection

2009-04-27 Thread morphium
I did now set
virtual_alias_maps = hash:/etc/postfix/virtual

modified /etc/postfix/virtual to:
.* t.re...@dotsource.de
[that's me]

did postmap /etc/postfix/virtual

and restarted postfix

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_transport = error
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = dsapp02.DOTSOURCE.local, localhost.DOTSOURCE.local, localhost
myhostname = dsapp02.DOTSOURCE.local
mynetworks = 127.0.0.0/8 172.16.26.0/24 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_transport = error
relayhost = mail.dotsource.de
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit, reject
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual


If I do now:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dsapp02.DOTSOURCE.local ESMTP Postfix (Debian/GNU)
HELO dsapp02
250 dsapp02.DOTSOURCE.local
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
550 5.1.1 : Recipient address rejected: dotsource.de
RCPT TO:
550 5.1.1 : Recipient address rejected:
domaindoesntexist.org

As you can see, it rejects the email.

As postconf shows, I've set smtpd_recipient_restrictions = permit,
reject, so it should accept EVERY email.

So how do I make postfix accept it?

Ah, mail.log output:
Apr 27 12:01:05 dsapp02 postfix/smtpd[10253]: connect from localhost[127.0.0.1]
Apr 27 12:02:02 dsapp02 postfix/smtpd[10253]: warning: restriction
`reject' after `permit' is ignored
Apr 27 12:02:02 dsapp02 postfix/smtpd[10253]: NOQUEUE: reject: RCPT
from localhost[127.0.0.1]: 550 5.1.1 : Recipient
address rejected: dotsource.de; from=
to= proto=SMTP helo=
Apr 27 12:02:17 dsapp02 postfix/smtpd[10253]: warning: restriction
`reject' after `permit' is ignored
Apr 27 12:02:17 dsapp02 postfix/smtpd[10253]: NOQUEUE: reject: RCPT
from localhost[127.0.0.1]: 550 5.1.1 :
Recipient address rejected: domaindoesntexist.org; from=
to= proto=SMTP helo=
Apr 27 12:03:55 dsapp02 postfix/smtpd[10253]: disconnect from
localhost[127.0.0.1]

Thanks in advance,
morphium


2009/4/27 Barney Desmond :
> 2009/4/27 morphium :
>> I want my postfix test system to accept eMail to any address and
>> redirect it i.e. t...@morphium.info (and not to the specified
>> recipient).
>> How could I accomplish that?
>> Could recipient_canonical_maps or virtual_alias_maps be helpful?
>> I can't get it working on my own, so I would be glad of a bit of assistance.
>
> virtual_alias_maps will do the job for you, though I believe you need
> to be able to enumerate all the possible domains (Postfix makes it
> difficult for you to fail really hard, like being an open relay). I
> list all the domains in virtual_alias_domains, then add a catchall on
> each one to do whatever address you want. I suspect there may be a
> better way, someone here might know.
>
> Also, you need to provide the output of "postconf -n" if you're to get
> good help. Saying "I can't get it working" doesn't tell us anything.
>


Re: Queued non-deliverable message

2009-04-27 Thread Sahil Tandon
On Mon, 27 Apr 2009, Simon Wilson wrote:
> Setup works a treat, has been running great for a few weeks. I sent an  
> email to about 10 people, 2 of the email addresses were wrong. For one  
> of them I got a bounce message in my mailbox telling me it was wrong (I 
> had typed @yahoo.com.uk instead of @yahoo.co.uk). The other one I got 
> nothing (I had typed @talktalk.com instead of talktalk.net) so wasn't 
> aware I'd mistyped but I have just noticed a message sitting in the 
> Postfix mail queue in Webmin (for the talktalk.net one) saying "Status: 
>   Host or domain name not found. Name service error for name=talktalk.com 
> type=MX: Host not found, try again"
>
> So my question is why did I get a message that one was wrong and not the 
> other? Do I need to change config somehow?

You use reject_unknown_recipient_domain, which results in a deferral and
re-retry of mail delivery in the case of *temporary* error.  Postfix will try
to deliver the mail until $maximal_queue_lifetime.  Set $delay_warning_time
to a non-zero value if you wish for Postfix to send the envelope sender a
notice that mail was undeliverable, but is still being re-tried.

To understand the difference between your two scenarios, try using host(1) to
query yahoo.com.uk and talktalk.com.

-- 
Sahil Tandon 


Re: Queued non-deliverable message

2009-04-27 Thread Michael Tokarev

Simon Wilson wrote:
I'm running Postfix 2.3.3 on CentOS 5.3 x64 (Postfix installed from 
CentOS repository). Firstly thank you to the writers for a great piece 
of software... :)


Postconf -n:

[]
Setup works a treat, has been running great for a few weeks. I sent an 
email to about 10 people, 2 of the email addresses were wrong. For one 
of them I got a bounce message in my mailbox telling me it was wrong (I 
had typed @yahoo.com.uk instead of @yahoo.co.uk). The other one I got 
nothing (I had typed @talktalk.com instead of talktalk.net) so wasn't 
aware I'd mistyped but I have just noticed a message sitting in the 
Postfix mail queue in Webmin (for the talktalk.net one) saying 
"Status: Host or domain name not found. Name service error for 
name=talktalk.com type=MX: Host not found, try again"


So my question is why did I get a message that one was wrong and not the 
other? Do I need to change config somehow?


There are two types of problems you're seeing, out of about a million
possibilities. ;)

With yahoo.com.uk postfix was able to contact the remote servers instantly,
and got a definitive answer that the address does not exist, so postfix sent
the bounce message back to you as soon as it knew the answer, or almost
immediately.

But with talktalk.com the situation is different.  The DNS servers for that
domain do not work.  Postfix tried to figure out where to send that email
to, but is unable to - because there's no one to answer.  So Postfix tried
and retried, but still got no answer - neither positive nor negative.  So it
does not know what to do with the address in question.  And the best it can
do is to retry for some time; maybe the remote servers are just down and will
come back in the near future, maybe there are some communication problems that
will be resolved soon, and so on.  Postfix will keep trying for up to
maximal_queue_lifetime (which is 5 days by default) and will finally return
the email back to you telling it wasn't able to figure out what to do with
it.

So basically, there's nothing for you to do, the thing works as designed. There's
one more parameter you can tweak if you like - it's delay_warning_time.

/mjt


Re: how to detect spam attacks

2009-04-27 Thread deconya
Hi list

The first thing I want to do is create my own blacklist. I'm trying to make
it by putting in the line:

check_client_access hash:/etc/postfix/blacklist

but I have doubts. Where do I need to put this? In smtpd_recipient_restrictions
or in smtpd_client_restrictions?
Does the file allow both domains and IPs to be listed?
For example:
121.222.33.44 REJECT
domain.com REJECT

This is my configuration:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/overquota,
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unauth_pipelining,
#check_client_access hash:/etc/postfix/clientes #This is correct
reject_unauth_destination,
reject_rbl_client rbl.orbitrbl.com,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client whois.rfc-ignorant.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client bl.spamcop.net,
permit

Other recommendations?

On Mon, Apr 27, 2009 at 12:39 AM, Terry Carmen  wrote:

>
> > Hi list
> >
> > I have the following problem: I have an old server and I'm in the process
> > of migrating to a better machine, but right now I'm having spam attacks on
> > the server that saturate it. Because of the age of the server, and because
> > it will be replaced in two weeks, I can't install any program like spamity
> > or similar to help detect spam attacks, but I need to understand the
> > mail.log to deduce the IPs the attacks come from and stop them. Can anyone
> > tell me what clues can help me deduce these IPs?
>
> There are a number of things you can do, including possibly using a better
> (or an additional) blacklist, rejecting incoming connections that have no
> reverse DNS entry, and on a more controversial, but very effective note,
> rejecting IP addresses that have a "dynamic looking" reverse DNS and
> rejecting messages that are for non-existent users.
>
> If you can post a few log entries for this spam, as well as the output
> from postconf -n, I'm sure you'll get a lot of good suggestions.
>
> Some well-chosen restrictions will let even a small machine handle a really
> significant volume of mail. The trick is to reject as much spam as possible
> during the initial SMTP connection.
>
> Terry
>
>
>
>
>
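As an added example (not code from this thread or from Postfix), the following Python script does what Terry suggests for the mail.log: it pulls the client IP out of each smtpd reject line, counts rejects per IP together with the reasons, and emits lines in the `check_client_access hash:` table format asked about above for IPs rejected more than a chosen number of times. The log lines are constructed samples using RFC 5737 addresses.

```python
import re
from collections import Counter, defaultdict

# Postfix smtpd reject lines look like (constructed sample, RFC 5737 addresses):
#   NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; ...
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r"(?:\d\.\d+\.\d+ )?(?P<reason>[^;]*)"      # skip the enhanced status code
)

SAMPLE_LOG = [
    "Apr 27 10:01:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; "
    "from=<spam@example.net> to=<user@example.org> proto=ESMTP helo=<example.net>",
    "Apr 27 10:01:03 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local "
    "recipient table; from=<spam@example.net> to=<nobody@example.org> proto=ESMTP helo=<example.net>",
    "Apr 27 10:01:05 mail postfix/smtpd[1235]: connect from host.example.com[198.51.100.7]",
    "Apr 27 10:01:06 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from host.example.com[198.51.100.7]: "
    "450 4.1.8 <x@nosuchdomain.invalid>: Sender address rejected: Domain not found; "
    "from=<x@nosuchdomain.invalid> to=<user@example.org> proto=ESMTP helo=<host.example.com>",
    "Apr 27 10:01:09 mail postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; "
    "from=<junk@example.net> to=<user@example.org> proto=ESMTP helo=<example.net>",
]

def parse_reject(line):
    """Return (ip, reverse_name, smtp_code, reason) for a reject line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("host"), m.group("code"), m.group("reason").strip()

def summarize_rejects(lines):
    """Count rejects per client IP and tally the reasons seen for each IP."""
    counts = Counter()
    reasons = defaultdict(Counter)
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue
        ip, _host, _code, reason = parsed
        counts[ip] += 1
        reasons[ip][reason] += 1
    return counts, reasons

def access_map_lines(counts, threshold):
    """check_client_access hash: table lines for IPs rejected at least threshold times."""
    return ["%s REJECT" % ip for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    counts, _reasons = summarize_rejects(SAMPLE_LOG)
    print("\n".join(access_map_lines(counts, threshold=2)))
```

Run it against a real mail.log with `summarize_rejects(open("/var/log/mail.log"))` and feed the output through postmap(1) to build the hash table; a 4xx reject (like the 450 above) is a temporary deferral and is worth reviewing before blacklisting that client.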


Re: How to encrypt email?

2009-04-27 Thread Barney Desmond
2009/4/27 Jeff Huang :
> I found the email files that are stored under the Maildir are in clear text.
>
> If I am the administrator of the system, I can see all users' email contents.
>
> Is there a method to encrypt the email files so that the administrator can't
> see the email contents, even if he can read the files?

Not really, otherwise how would postfix be able to do its job? The
point of being an admin is that you have full access.

It sounds like you want PGP or S/MIME; this is something your users
have to do. It's hard to be a mail server admin when you can't trust
yourself and you're trying to secure it :)


Re: eMail redirection

2009-04-27 Thread Barney Desmond
2009/4/27 morphium :
> I want my postfix test system to accept eMail to any address and
> redirect it i.e. t...@morphium.info (and not to the specified
> recipient).
> How could I accomplish that?
> Could recipient_canonical_maps or virtual_alias_maps be helpful?
> I can't get it working on my own, so I would be glad of a bit of assistance.

virtual_alias_maps will do the job for you, though I believe you need
to be able to enumerate all the possible domains (Postfix makes it
difficult for you to fail really hard, like being an open relay). I
list all the domains in virtual_alias_domains, then add a catchall on
each one to do whatever address you want. I suspect there may be a
better way, someone here might know.

Also, you need to provide the output of "postconf -n" if you're to get
good help. Saying "I can't get it working" doesn't tell us anything.


Re: How to encrypt email?

2009-04-27 Thread lst_hoe02

Zitat von Jeff Huang :


Hi All.

I found the email files that are stored under the Maildir are in clear text.

If I am the administrator of the system, I can see all users' email contents.

Is there a method to encrypt the email files so that the  
administrator can't see the email contents, even if he can read the  
files?


Have a look at PGP or S/MIME. This is client side encryption and must  
therefore be configured in the client settings, not postfix.


Regards

Andreas



Queued non-deliverable message

2009-04-27 Thread Simon Wilson
I'm running Postfix 2.3.3 on CentOS 5.3 x64 (Postfix installed from  
CentOS repository). Firstly thank you to the writers for a great piece  
of software... :)


Postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = simonandkate.net, simonandkate.lan
message_size_limit = 26214400
mydestination = $myhostname, localhost.$mydomain, localhost,  
$mydomain, localhost.localdomain, simonandkate.net,  
system.simonandkate.net, howiesue.net

myhostname = mail.simonandkate.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = simonandkate.net
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining  permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination, 
reject_unauth_pipelining, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,  reject_non_fqdn_sender,  
reject_unknown_sender_domain,reject_non_fqdn_recipient,   
reject_unknown_recipient_domain,check_sender_access  
hash:/etc/postfix/sender_access,
   reject_rbl_client zen.spamhaus.org, 
reject_rbl_client bl.spamcop.net,  
 check_policy_service  
unix:postgrey/socket,  permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/simonandkate.net-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/simonandkate.net-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Setup works a treat, has been running great for a few weeks. I sent an  
email to about 10 people, 2 of the email addresses were wrong. For one  
of them I got a bounce message in my mailbox telling me it was wrong  
(I had typed @yahoo.com.uk instead of @yahoo.co.uk). The other one I  
got nothing (I had typed @talktalk.com instead of talktalk.net) so  
wasn't aware I'd mistyped but I have just noticed a message sitting in  
the Postfix mail queue in Webmin (for the talktalk.net one) saying  
"Status: 	Host or domain name not found. Name service error for  
name=talktalk.com type=MX: Host not found, try again"


So my question is why did I get a message that one was wrong and not  
the other? Do I need to change config somehow?


Thank you.

--
Simon Wilson
www.simonandkate.net



How to encrypt email?

2009-04-27 Thread Jeff Huang
Hi All.

I found the email files that are stored under the Maildir are in clear text.

If I am the administrator of the system, I can see all users' email contents.

Is there a method to encrypt the email files so that the administrator can't 
see the email contents, even if he can read the files?


Jeff Huang


eMail redirection

2009-04-27 Thread morphium
Hi,

I want my postfix test system to accept eMail to any address and
redirect it i.e. t...@morphium.info (and not to the specified
recipient).
How could I accomplish that?
Could recipient_canonical_maps or virtual_alias_maps be helpful?
I can't get it working on my own, so I would be glad of a bit of assistance.

Best regards,
morphium


Re: shellscript as policy-service --> zombie/load

2009-04-27 Thread Robert Schetterer
Andre Hübner schrieb:
> Hello,
> 
>> Andre Hübner:
>>> Hello,
>>>
>>> for testing purposes I wrote a policy-service for postfix as a
>>> shellscript.
>>> My script is working very well, I am happy with its functionality ;)
>>> But unfortunately there is one problem when a lot of mails are
>>> incoming. The shellscript just does some grepping in small files etc.
>>> and is giving back an allowed result..
>>> My shellscript is spawned from master.cf like this:
>>>
>>> policy-mycheck  unix  -   n   n   -   -   spawn
>>> user=nobody argv=nice -n 15 /usr/lib/postfix/mycheckscript.sh
>>>
>>> When a lot of mails are incoming I got a high number of zombies. As a
>>> consequence of this my system load gets really high.
>>> Are there some general methods to avoid this?
>>
>> Find out what is the parent process of the zombies. This parent
>> process is not cleaning up as it should.
>>
>> Wietse
> 
> hmm, I know, it is not a postfix issue but I am afraid I need further
> help :(
> At the moment I do not have an idea how to debug this. After sending the
> answer to postfix the script is done and exits with 0, this works.
> The script just does only formatting input data from postfix and grepping in
> files with basic shell commands and writing a line in maillog. I have no
> idea where the zombies came from...
> Is there a general way for debugging this?
> 
> Thanks,
> Andre

Hello Andre, what about forgetting this shell script
(I don't think you will ever be lucky with it)
and using fail2ban

http://www.fail2ban.org

to firewall the zombies for a configured time.
After all, you should use all the other already implemented
antispam features included in postfix
(google about it, search the list).
A simple way may be, e.g. after you looked in the log,
to fast reject dyn IP addresses,

e.g. like this for the smtpd_client stage

smtpd_client_restrictions = ...
permit_sasl_authenticated,
permit_mynetworks,
check_client_access hash:/etc/postfix/client_access,
check_client_access pcre:/etc/postfix/dyn_spambotmap_client_access_pcre,
reject_unknown_reverse_client_hostname,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client combined.njabl.org,
reject_rbl_client ix.dnsbl.manitu.net,  


/etc/postfix/dyn_spambotmap_client_access_pcre

/c-.*hsd[0-9].*comcast.net/ REJECT Comcast worlds largest bot farm
/cpe-.*res.rr.com/ REJECT Time Warner Road Runner cable spam bots
/dsl.*\.ttnet.net.tr/ REJECT Turk Telekom spam bots
/pool-.*verizon.net/ REJECT Verizon spam bots
/.*dynamic\..*\.retail\.telecomitalia\.it/i REJECT SPAM_dyn_ip-add_networks
/.*\.dyn-ip\.SPb\.SkyLink\.RU/i REJECT SPAM_dyn-ip-SPb-SkyLink
/ppp.*\.home\.otenet\.gr/i REJECT clean your net from spam bots
/ppp.*\.pppoe\.avangarddsl\.ru/i REJECT clean your net from spam bots
/ppp.*\..*\.asianet\.co\.th/i REJECT clean your net from spam bots
/dhcp-.*\.chello\.nl/i REJECT clean your net from spam bots

/etc/postfix/client_access
trafficmonkey.info REJECT Spam mailer
...
208.53.3.66 REJECT
...


Stopping zombies is hard work
and you will never win against all of them;
the target should be to beat them in a way that you have no problem
with your legal mail.
Every domain has its own spam and zombies, so analyse your logs;
you might try many combinations of antispam features to fit your needs.
There is no all-around match to kill them all.
I have a three letter domain which has been bombed for years by zombies;
no feature got the zombies out of the way, it seems 3 letters are simply too
easy to type in bot programming, but others reported bots stopping after
a time
by whatever speculated reason.


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: SMFIP_RCPT_REJ Milter support

2009-04-27 Thread Jose-Marcio Martins da Cruz


Hello Wietse,

Thanks very much ! That's nice !

Jose-Marcio


Wietse Venema wrote:

The Postfix 2.6 Milter interface now implements SMFIP_RCPT_REJ,
meaning that postfix can report rejected recipients to Milter
applications.

Postfix will report the following macro values, as described in
Sendmail 8.14.0 documentation:

{rcpt_mailer} = "error",

{rcpt_host} = enhanced status code (e.g., "5.7.1"),

{rcpt_addr} = reason to reject (e.g., "Relay access denied").

This will be available in release candidate postfix-2.6.0-RC2
and in experimental release postfix-2.7-20090426.

Wietse




--
 ---
 Jose Marcio MARTINS DA CRUZ   http://j-chkmail.ensmp.fr
 Ecole des Mines de Paris
 60, bd Saint Michel  75272 - PARIS CEDEX 06
 mailto:jose-marcio.mart...@mines-paristech.fr


Re: shellscript as policy-service --> zombie/load

2009-04-27 Thread Andre Hübner

Hello,


Andre Hübner:

Hello,

for testing purposes I wrote a policy-service for postfix as a
shellscript.

My script is working very well, I am happy with its functionality ;)
But unfortunately there is one problem when a lot of mails are incoming.
The shellscript just does some grepping in small files etc. and is giving
back an allowed result..
My shellscript is spawned from master.cf like this:

policy-mycheck  unix  -   n   n   -   -   spawn
user=nobody argv=nice -n 15 /usr/lib/postfix/mycheckscript.sh

When a lot of mails are incoming I got a high number of zombies. As a
consequence of this my system load gets really high.
Are there some general methods to avoid this?


Find out what is the parent process of the zombies. This parent
process is not cleaning up as it should.

Wietse


hmm, I know, it is not a postfix issue but I am afraid I need further help 
:(
At the moment I do not have an idea how to debug this. After sending the answer 
to postfix the script is done and exits with 0, this works.
The script just does only formatting input data from postfix and grepping in 
files with basic shell commands and writing a line in maillog. I have no 
idea where the zombies came from...

Is there a general way for debugging this?

Thanks,
Andre
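For comparison with the shell policy service discussed in this thread, here is an added example (my own code, not Andre's script and not part of Postfix) of the same job as a single long-running Python process: it speaks the policy delegation protocol that the spawn(8) entry above hands it on stdin/stdout, keeps answering requests until Postfix closes the connection, and applies the kind of blocked-IP and dynamic-hostname checks Robert's access maps express. The IPs, hostname patterns and the sample exchange are constructed.

```python
import io
import re

# Constructed samples (hypothetical domains, not the poster's maps).
BLOCKED_IPS = {"192.0.2.10"}
DYN_PATTERNS = [re.compile(p, re.I) for p in (r"^pool-.*\.example\.net$",
                                               r"^dhcp-.*\.example\.nl$")]

def parse_request(lines):
    """Parse the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the action for one request; DUNNO lets later restrictions decide."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("client_address") in BLOCKED_IPS:
        return "REJECT Client host blocked by local policy"
    if any(p.search(attrs.get("client_name", "")) for p in DYN_PATTERNS):
        return "REJECT Dynamic client hostname, use your provider's relay"
    return "DUNNO"

def serve(inp, out):
    """Answer requests until EOF. A request ends with an empty line; the reply is
    one action= line plus an empty line. Under spawn(8): serve(sys.stdin, sys.stdout)."""
    handled = 0
    while True:
        lines = []
        for line in inp:          # read one request, up to its blank terminator
            if line.strip() == "":
                break
            lines.append(line)
        if not lines:
            return handled        # EOF: Postfix closed the connection
        out.write("action=%s\n\n" % decide(parse_request(lines)))
        out.flush()               # Postfix waits for the reply before continuing
        handled += 1

# Constructed exchange: what Postfix would send for two RCPT-stage checks.
SAMPLE_REQUESTS = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=192.0.2.10\n"
    "client_name=unknown\nrecipient=user@example.org\n\n"
    "request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=198.51.100.7\n"
    "client_name=host.example.com\nrecipient=user@example.org\n\n"
)

def run_sample(text=SAMPLE_REQUESTS):
    """Feed a constructed exchange through serve() and return (count, responses)."""
    out = io.StringIO()
    return serve(io.StringIO(text), out), out.getvalue()
```

Because one process answers every request on its connection and exits only at EOF, spawn(8) has a single child per connection to reap, which is the behaviour to compare against when hunting for the parent of the zombies.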