Re: kill ip from bootnets and zombi (shell script)
* Julio Cesar Covolato (ju...@psi.com.br) [090514 07:26]:
> Hi! I made a little shell script to stop botnets and zombies, and I want to know what you think about it. The purpose is to drop via iptables hosts that are rejected several times in a little space of time, reading the log generated by postfix. Tested on a Linux box. The script is so poor, but it's functional! I think that using perl would be much better (Anyone? I'm very bad at perl, sorry!). Just download, untar, configure (optional), and run it from the command line for a few minutes, and see the show!!! The idea is to block via firewall the connections that are garbage. Test it!!
> Download pf-ip-killer: http://psi.com.br/~julio/postfix/pf-ip-killer.tgz

this could be done with the recent module for iptables. that would take care of everything this script does (minus the pruning after one or two hours). if that could be done, too, all this could be a static iptables configuration.
Re: postfix smtpd interface when using IP slow but when using localhost normal
Samuel Sappa wrote:
> I have a problem with my postfix: a few days ago my smtpd started running very slow. When delivering a message (using MUA Outlook, TB, OE) message delivery is very slow, but if a user uses web mail, which uses openwebmail, delivery runs fine without the delay. I came to the conclusion that when postfix sends outgoing messages using the IP address there is a delay, but when using 127.0.0.1 the outgoing message is sent without delay. I also tested the connection from the machine using telnet to the IP address; responses are very slow, but when I use telnet and connect to 127.0.0.1 the response is normal.

maybe a (reverse) dns resolution issue. when postfix gets a connection, it looks up the IP in DNS. if you have no DNS server for your private IPs, then your system will query external DNS servers, which takes time (besides generating useless traffic).

> I already restored my postfix parameters to their original values (main and master.cf) and set the inet_interface= 127.0.0.1 but the problem still exists. My questions are:
> 1. If I add another interface (LAN card with a new IP address assigned) for outgoing smtpd, will the problem be solved?
> 2. Is there any possibility that my machine has already become an open relay, or that my smtp was hijacked by other people?
> 3. I am using untangle for my anti-spam, and according to the untangle report spam traffic is high; is this another event that caused my problem with my smtpd?
> That's all from me, thanks for your kind help and suggestions.
Re: kill ip from bootnets and zombi (shell script)
Julio Cesar Covolato wrote:
> Hi! I made a little shell script to stop botnets and zombies, and I want to know what you think about it. The purpose is to drop via iptables hosts that are rejected several times in a little space of time, reading the log generated by postfix. Tested on a Linux box. The script is so poor, but it's functional! I think that using perl would be much better (Anyone? I'm very bad at perl, sorry!). Just download, untar, configure (optional), and run it from the command line for a few minutes, and see the show!!! The idea is to block via firewall the connections that are garbage. Test it!!
> Download pf-ip-killer: http://psi.com.br/~julio/postfix/pf-ip-killer.tgz

Have you taken a look at fail2ban?: http://www.fail2ban.org It already does this using python, run in daemon mode, and can support any application that writes to a log file.

Bill
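
Added example (not part of the thread, and not the pf-ip-killer script or fail2ban code): one way to implement the idea discussed above, counting Postfix smtpd rejects per client IP inside a short window, listing the iptables rules to review, and finding blocks old enough to prune. The log lines are constructed, and the threshold, window, allowlist, year and function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches Postfix smtpd reject lines such as
#   "... postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 ..."
# Only the bracketed address is captured: the hostname before it comes from
# reverse DNS, which the remote side controls, so it is never used for blocking.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\s"
    r"postfix/smtpd\[\d+\]:\s(?:NOQUEUE|[0-9A-F]+):\sreject:\s\w+\sfrom\s"
    r"[^\s\[]*\[(?P<ip>[0-9A-Fa-f:.]+)\]:"
)


def sample_line(clock, ip, host="unknown"):
    """Build one constructed log line (sample data, not from a real server)."""
    return (f"May 14 {clock} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: 554 5.7.1 Service unavailable; Client host [{ip}] "
            "blocked using zen.spamhaus.org; from=<a@example.net> "
            "to=<u@example.com> proto=ESMTP")


SAMPLE_LOG = (
    # Burst: five rejects in 40 seconds.
    [sample_line(f"07:26:{s:02d}", "192.0.2.10") for s in (1, 9, 17, 25, 41)]
    # Not a reject line, must be ignored.
    + ["May 14 07:26:02 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]"]
    # Five rejects spread over eight minutes: below the rate threshold.
    + [sample_line(f"07:{m:02d}:00", "198.51.100.7") for m in (0, 2, 4, 6, 8)]
    # A noisy but trusted relay, protected by the allowlist.
    + [sample_line(f"07:30:{s:02d}", "203.0.113.5", "relay.example.org")
       for s in range(6)]
    # IPv6 client, needs ip6tables rather than iptables.
    + [sample_line(f"07:40:{s:02d}", "2001:db8::25") for s in (0, 5, 10, 15, 20)]
)


def find_offenders(lines, threshold=5, window=timedelta(seconds=60),
                   allowlist=(), year=2009):
    """Return {ip: time the threshold was first reached}.

    Lines are expected in log order. Syslog timestamps carry no year, so the
    caller supplies one (assumption: the log does not span a year change).
    """
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        match = REJECT_RE.match(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue              # malformed address: never pass it to a firewall
        if any(ip in net for net in allowed):
            continue              # never block our own relays or monitoring hosts
        ts = datetime.strptime(f"{year} {match.group('ts')}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget rejects that fell out of the window
        if len(hits) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def block_rules(offenders, port=25):
    """Render one DROP rule per offender; addresses are already validated."""
    rules = []
    for ip in sorted(offenders, key=str):
        tool = "iptables" if ip.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -s {ip} -p tcp --dport {port} -j DROP")
    return rules


def expired(offenders, now, ttl=timedelta(hours=2)):
    """Offenders whose block is at least ttl old and can be pruned."""
    return [ip for ip, since in offenders.items() if now - since >= ttl]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG, allowlist=["203.0.113.0/24"])
    print("\n".join(block_rules(found)))
```

The rules are only printed, so they can be reviewed before anything touches the firewall.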
Re: Postfix-2.6.0 RPM
Victor Duchovni wrote:
> Yes, some of the better distribution supported patches are not ill-advised. But occasionally, one gets something along the lines of the Debian OpenSSL fiasco (notably the Debian *Postfix* patches have been pretty good, and historically RedHat was adding rather questionable changes to Postfix)

Sorry, I missed the background on this one-- what did RedHat do to Postfix that was questionable?

--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: We are a 100% Microsoft Shop
Re: Postfix-2.6.0 RPM
MacShane, Tracy wrote:
> Yes, there is unfortunately such a need, because RHEL5 is only up to Postfix 2.3, and we require functionality from Postfix 2.5 and up (destination_rate_delay).

This leads to an interesting question all its own: I'm running the same Postfix config I built years ago under probably 2.2 or 2.3. Is there a document somewhere or a process by which I can modernize the config? Periodically I'll be told that a line I'm using is deprecated by something newer, and I'd like to get with the times...

> The OS administrators do not permit GCC and devel libraries on the SMTP servers I maintain (and fair enough).

Nor should they-- this is what a staging environment is for. Build it on a staging box, test the heck out of it, and then push the binaries out to the production farm.

> Also, installing non-RPM packages can obviously cause clashes when installing other RH updates (at least RPM is clever enough not to try installing Postfix 2.3 patches when it finds 2.5 already installed).

Urm... add Postfix to your yum excludes file and the problem goes away.

--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: We are a 100% Microsoft Shop
Re: Header Check Assistance
Drew Tomlinson wrote:
> Is there some rule about submitting questions with the string Help in the subject? I've tried posting the following note with the subject of Help With header_checks and received a bounce message indicating this error:
>
>   BOUNCE postfix-users@postfix.org: Admin request: /^subject:\s*help\b/i
>
> I'm using postfix 2.5.6,1 and have been using postfix for a long time. In older versions, to perform header checks, I had a text file and would then have to run postmap to create the header_check.db file. Is this step no longer required? When running 'postmap header_checks', I get lots of warnings about duplicate entry. Here's an example:
>
>   postmap: warning: header_checks.db: duplicate entry: /^from:
>   postmap: warning: header_checks, line 91: record is in key: value format; is this an alias file?
>
> Also, I am attempting to reject some mail based upon the Received: header. Specifically, I have lines such as this in my header_checks:
>
>   /^Received: .*mycouponsavingsmail/REJECT 550

missing space before REJECT.

but why do you use header_checks for this? check_client_access is better.

  ... check_client_access cidr:/etc/postfix/access_client.cidr

  == access_client.cidr:
  24.155.144.16/28 REJECT spammy network (Targetmail)
  24.155.144.32/28 REJECT spammy network (Targetmail)

and/or

  ... check_client_access hash:/etc/postfix/access_client

  == access_client:
  mycouponsavingsmail.com REJECT spammy network (Targetmail)
  .mycouponsavingsmail.com REJECT spammy network (Targetmail)

but you'll have a lot of work to track the domain names. See if uribl is good for you...

> Yet I still receive mail with this in the header:
>
>   Received: from mail4.mycouponsavingsmail.com (mail4.mycouponsavingsmail.com [24.155.144.19])
>
> Any ideas on what I'm missing? I do have this line in my main.cf:
>
>   header_checks = regexp:/usr/local/etc/postfix/header_checks
>
> Thanks,
> Drew
Re: Postfix-2.6.0 RPM
On Thursday, 14 May 2009 09:54:56 Corey Chandler wrote:
> MacShane, Tracy wrote:
snip
>> The OS administrators do not permit GCC and devel libraries on the SMTP servers I maintain (and fair enough).
> Nor should they-- this is what a staging environment is for. Build it on a staging box, test the heck out of it, and then push the binaries out to the production farm.

Ehm, isn't that why you use RPM? You compile the binaries and build the package on a compatible system. With the package you have an easy way to distribute the binaries.

>> Also, installing non-RPM packages can obviously cause clashes when installing other RH updates (at least RPM is clever enough not to try installing Postfix 2.3 patches when it finds 2.5 already installed).
> Urm... add Postfix to your yum excludes file and the problem goes away.

Postfix provides an MTA which is a quite important part of a *nix system. To remove the MTA package from the system breaks a lot of dependencies. To avoid that you install your own package.

Greetings
Stefan
Re: Postfix-2.6.0 RPM
2009/5/14 Victor Duchovni victor.ducho...@morganstanley.com:
> If the purpose of using RPM files is to facilitate binary updates from distribution servers, wait until *your distribution* upgrades to a newer supported version of Postfix. If you incorporate your own Postfix into your O/S, why download some random stranger's binary RPM? Is there a real use case for binary RPMs not maintained by the distribution release engineering teams? What's wrong with the Postfix source, which is typically less likely to have ill-advised patches dropped into it?

Sure; as people have already said, some vendors (cough, Redhat) don't really keep up to date. I haven't checked all their release channels on offer, but the core set of packages only includes Postfix 2.3.3. *And* it doesn't come with mysql/pgsql map support. This is when you go and get the package from the Centos-plus channel and then tell yum to ignore Redhat updates to Postfix so it doesn't clobber your working setup one day...

So your real question is probably, why not just use Postfix's source?. I can only speak for myself and my employer, but we maintain a lot of diverse systems, so we're a bit allergic to non-packaged software, no matter how easy it is to maintain (I've never used non-packaged Postfix, maybe it's really easy to maintain, but that's not the point). Packaged software is basically a requirement for sysadmin sanity. We could produce packaged versions of Postfix from source and put them in our internal repo, but we just don't have the time and resources to keep on top of updates and whatnot.

I suspect people want something like DAG (http://dag.wieers.com/rpm/). Unfortunately for them, they don't have Postfix because everyone's already got it, just not the cutting edge. Fedora 10 is up to Postfix 2.5.5, I figure they'll have Postfix 2.6 in the next major version release. Which is like, every fortnight, right? :)

Corey:
> I'm running the same Postfix config I built years ago under probably 2.2 or 2.3. Is there a document somewhere or a process by which I can modernize the config? Periodically I'll be told that a line I'm using is deprecated by something newer, and I'd like to get with the times...

Sure, you probably want upgrade-configuration, see `man 1 postfix`
Re: Postfix-2.6.0 RPM
On May 14, 2009, at 02:03, Victor Duchovni wrote:
> Is there a real use case for binary RPMs not maintained by the distribution release engineering teams? What's wrong with the Postfix source, which is typically less likely to have ill-advised patches dropped into it?

A bit off topic already but some organisations find it easier to pack everything up in rpms, debs or pkgs and then deploy than compiling using two of the most common deployment methods: compile and install blindly or alternatively compile, tar it and then deploy. :)

Especially on RedHat platforms deploying everything in rpm format is very convenient, makes for good bookkeeping and preserves any dependencies on other applications even across upgrades as long as you do it correctly.

Kaj
--
Kaj J. Niemi kaj...@basen.net
FI +358 45 63 12000
KSA +966 54 52 43277
Re: Postfix-2.6.0 RPM
Hi,

On May 14, 2009, at 01:07, Just E. Mail wrote:
> I noticed that Postfix V#2.6.0 is now out. Does anybody know where to get RPM files? GOOGLE did not help.

The SRPM from Fedora should compile fine on at least EL4 and EL5. I suggest you download it and build it yourself instead of downloading blindly someone else's pre-compiled one.

Kaj
--
Kaj J. Niemi kaj...@basen.net
FI +358 45 63 12000
KSA +966 54 52 43277
Re: Postfix-2.6.0 RPM
On May 14, 2009, at 12:25, Barney Desmond wrote:
> Sure; as people have already said, some vendors (cough, Redhat) don't really keep up to date. I haven't checked all their release channels on offer, but the core set of packages only includes Postfix 2.3.3. *And* it doesn't come with mysql/pgsql map support. This is when you go and get the package from the Centos-plus channel and then tell yum to ignore Redhat updates to Postfix so it doesn't clobber your working setup one day...

Typically software coming from the base operating system is not always the one you want to use IF you happen to be in a very specialized environment. For most people postfix 2.3.3 with RHEL will be completely fine for the entire lifetime of that particular server and they most likely won't miss mysql or postgresql support either. ;-)

With RHEL you're paying for stability and continuity over a longer time period - not for the latest and greatest snapshot with a specific feature at any point in time. :-) RHEL6, when it eventually arrives, will most likely have a later version of postfix just like RHEL5 (2.3.3) has a more recent version than RHEL4 (2.2.10).

See http://www.redhat.com/security/updates/errata/ for info on the life cycle and erratas (updates).

> sysadmin sanity. We could produce packaged versions of Postfix from source and put them in our internal repo, but we just don't have the time and resources to keep on top of updates and whatnot.

We do this and have done so for the last 8 years.

Kaj
--
Kaj J. Niemi kaj...@basen.net
FI +358 45 63 12000
KSA +966 54 52 43277
problem with smtpd_milter and header_checks
Hallo all. (first sorry for my english)

I have a small (big) problem with configure Postfix to drop messages with header_checks. In main.cf I have:

  smtpd_milters = local:/./clamav-milter.sock local:/./spamass-milter.sock
  milter_default_action = accept

if I receive a message from internet, in headers are rows from milters:

  X-Virus-Scanned: clamav-milter 0.95.1 at ...
  X-Virus-Status: Clean
  X-Spam-Flag: YES
  X-Spam-Status: Yes, score=11.6 required=7.0...
  X-Spam-Level: ***
  X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...

I think that milters works correctly. I save message as message.txt for testing.

next row in main.cf is:

  header_checks = regexp:/usr/local/etc/postfix/header_checks

in header_checks file is:

  /^X-Spam-Status: Yes/ DISCARD

I test it:

  postmap -q - regexp:/usr/local/etc/postfix/header_checks message.txt

I think that header_checks works, because show row:

  X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD

In master.cf I configure cleanup with -v and I read a log, but rows X-Virus... and X-Spam are not in log, that is (I mean) why cleanup do not drop messages. Can anyone idea? Milters are after cleanup?

Thanks
Jirka
postfix sasl (dovecot) works no more
Hello everybody,

I am running FreeBSD with postfix (2.6.0-RC2) and dovecot (1.1.11). There are virtual domains and users and postfix authenticates users using sasl and dovecot. Today I've performed a server upgrade (portupgrade -arRv) and sasl authentication works no more. It worked for the last 4 months without problems. I've made no modification to any config file. In postfix logs I get

  May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to smtpd failed: No such file or directory
  May 14 14:35:11 softexp postfix/smtpd[8378]: fatal: no SASL authentication mechanisms

postfix is running, dovecot is running, saslauthd is running. For me everything seems ok, what file or directory has been changed and can not be found anymore? Please help me if you can, this is a production server.

postconf -n

  command_directory = /usr/local/sbin
  config_directory = /usr/local/etc/postfix
  daemon_directory = /usr/local/libexec/postfix
  data_directory = /var/db/postfix
  debug_peer_level = 2
  debug_peer_list = softexp.ro
  header_checks = regexp:/usr/local/etc/postfix/header_checks
  html_directory = no
  mail_owner = postfix
  mailq_path = /usr/local/bin/mailq
  manpage_directory = /usr/local/man
  myhostname = mail.softexp.ro
  mynetworks_style = host
  newaliases_path = /usr/local/bin/newaliases
  queue_directory = /var/spool/postfix
  readme_directory = no
  sample_directory = /usr/local/etc/postfix
  sendmail_path = /usr/local/sbin/sendmail
  setgid_group = maildrop
  smtpd_data_restrictions = reject_unauth_pipelining
  smtpd_helo_required = yes
  smtpd_helo_restrictions = reject_invalid_hostname permit
  smtpd_recipient_restrictions = reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch reject_invalid_hostname reject_unknown_recipient_domain reject_unverified_recipient check_sender_access hash:/usr/local/etc/postfix/access_sender check_helo_access pcre:/usr/local/etc/postfix/helo_checks reject_unknown_sender_domain reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender dsn.rfc-ignorant.org permit
  smtpd_sasl_auth_enable = yes
  smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit
  soft_bounce = no
  unknown_local_recipient_reject_code = 550
  virtual_alias_maps = hash:/usr/local/etc/postfix/valias.txt
  virtual_gid_maps = static:1000
  virtual_mailbox_base = /var/spool/vmail
  virtual_mailbox_domains = /usr/local/etc/postfix/vhost.txt
  virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps.txt
  virtual_uid_maps = static:1000

dovecot -n

  # 1.1.11: /usr/local/etc/dovecot.conf
  # OS: FreeBSD 7.0-RELEASE amd64 ufs
  base_dir: /var/run/dovecot/
  log_path: /var/log/dovecot.log
  info_log_path: /var/log/dovecot.info
  protocols: imap imaps pop3 pop3s
  ssl_disable: yes
  disable_plaintext_auth: no
  login_dir: /var/run/dovecot/login
  login_executable(default): /usr/local/libexec/dovecot/imap-login
  login_executable(imap): /usr/local/libexec/dovecot/imap-login
  login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
  login_greeting_capability(default): yes
  login_greeting_capability(imap): yes
  login_greeting_capability(pop3): no
  verbose_proctitle: yes
  first_valid_uid: 1000
  first_valid_gid: 1000
  mail_privileged_group: mail
  mail_location: maildir:/var/spool/vmail/%d/%n
  mail_executable(default): /usr/local/libexec/dovecot/imap
  mail_executable(imap): /usr/local/libexec/dovecot/imap
  mail_executable(pop3): /usr/local/libexec/dovecot/pop3
  mail_plugin_dir(default): /usr/local/lib/dovecot/imap
  mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
  mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
  imap_client_workarounds(default): delay-newmail netscape-eoh tb-extra-mailbox-sep
  imap_client_workarounds(imap): delay-newmail netscape-eoh tb-extra-mailbox-sep
  imap_client_workarounds(pop3):
  pop3_client_workarounds(default):
  pop3_client_workarounds(imap):
  pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
  auth default:
    mechanisms: plain login
    username_format: %Lu
    passdb:
      driver: pam
      args: session=yes dovecot
    passdb:
      driver: passwd-file
      args: /usr/local/etc/dovecot_passwd
    userdb:
      driver: passwd
      args: blocking=yes
    userdb:
      driver: passwd-file
      args: /usr/local/etc/dovecot_users
    socket:
      type: listen
      client:
        path: /var/run/dovecot/auth-client
        mode: 432
      master:
        path: /var/run/dovecot/auth-master
        mode: 384

Many thanks
Re: problem with smtpd_milter and header_checks
Please include postconf -n command output in problem reports, as requested in the mailing list welcome message.
Re: postfix sasl (dovecot) works no more
wiseadmin:
> Hello everybody, I am running FreeBSD with postfix (2.6.0-RC2) and dovecot (1.1.11). There are virtual domains and users and postfix authenticates users using sasl and dovecot. Today I've performed a server upgrade (portupgrade -arRv) and sasl authentication works no more. It worked for the last 4 months without

Restore the old software on the production machine, and debug the new software on a test machine.

Wietse
Re: problem with smtpd_milter and header_checks
Jiri Veselsky wrote:
> Hallo all. (first sorry for my english)
> I have a small (big) problem with configure Postfix to drop messages with header_checks. In main.cf I have:
>
>   smtpd_milters = local:/./clamav-milter.sock local:/./spamass-milter.sock
>   milter_default_action = accept
>
> if I receive a message from internet, in headers are rows from milters:
>
>   X-Virus-Scanned: clamav-milter 0.95.1 at ...
>   X-Virus-Status: Clean
>   X-Spam-Flag: YES
>   X-Spam-Status: Yes, score=11.6 required=7.0...
>   X-Spam-Level: ***
>   X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...
>
> I think that milters works correctly. I save message as message.txt for testing.
> next row in main.cf is:
>
>   header_checks = regexp:/usr/local/etc/postfix/header_checks
>
> in header_checks file is:
>
>   /^X-Spam-Status: Yes/ DISCARD

you shouldn't discard mail only because it is flagged by spamassassin; this is not allowed, i.e. in Germany by law, if you do this for customers use hold (for manual inspection) or tell spamass-milter to reject them at smtp income level. additionally you may load sanesecurity spam sig to clamd, clamav-milter and reject or hold them at smtp income level

> I test it:
>
>   postmap -q - regexp:/usr/local/etc/postfix/header_checks message.txt
>
> I think that header_checks works, because show row:
>
>   X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD
>
> In master.cf I configure cleanup with -v and I read a log, but rows X-Virus... and X-Spam are not in log, that is (I mean) why cleanup do not drop messages. Can anyone idea? Milters are after cleanup?
> Thanks
> Jirka

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: problem with smtpd_milter and header_checks
Sorry, here is output:

  alias_database = dbm:/etc/mail/aliases.db
  alias_maps = hash:/etc/mail/aliases
  broken_sasl_auth_clients = yes
  command_directory = /usr/local/sbin
  config_directory = /usr/local/etc/postfix
  daemon_directory = /usr/local/libexec/postfix
  data_directory = /var/db/postfix
  debug_peer_level = 2
  header_checks = regexp:/usr/local/etc/postfix/header_checks
  home_mailbox = Maildir/
  html_directory = no
  inet_interfaces = x.x.x.x, 127.0.0.1, 10.1.3.254
  mail_owner = postfix
  mail_spool_directory = /var/spool/mail
  mailq_path = /usr/local/bin/mailq
  manpage_directory = /usr/local/man
  milter_default_action = accept
  mydestination = $mydomain
  mydomain = joe.xxx.xxx
  myhostname = joe.xxx.xxx
  mynetworks = 127.0.0.0/8, 10.1.0.0/22
  newaliases_path = /usr/local/bin/newaliases
  queue_directory = /var/spool/postfix
  readme_directory = no
  sample_directory = /usr/local/etc/postfix
  sendmail_path = /usr/local/sbin/sendmail
  setgid_group = maildrop
  smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
  smtpd_data_restrictions = reject_unauth_pipelining
  smtpd_helo_required = yes
  smtpd_helo_restrictions = reject_invalid_hostname
  smtpd_milters = local:/var/run/clamav/clamav-milter.sock local:/var/run/spamass-milter.sock
  smtpd_recipient_restrictions = reject_non_fqdn_recipient permit_sasl_authenticated permit_mynetworks reject_unauth_destination
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_authenticated_header = yes
  smtpd_sasl_path = private/auth
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_type = dovecot
  smtpd_sender_restrictions = reject_non_fqdn_sender permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org reject_rbl_client cbl.abuseat.orgreject_rbl_client dul.dnsbl.sorbs.net reject_unknown_sender_domain
  transport_maps = mysql:/usr/local/etc/postfix/virtual_transport.cf
  unknown_local_recipient_reject_code = 550
  virtual_alias_maps = mysql:/usr/local/etc/postfix/virtual_aliases.cf
  virtual_gid_maps = mysql:/usr/local/etc/postfix/virtual_gids.cf
  virtual_mailbox_base = /
  virtual_mailbox_domains = mysql:/usr/local/etc/postfix/virtual_domains.cf
  virtual_mailbox_maps = mysql:/usr/local/etc/postfix/virtual_mailboxes.cf
  virtual_uid_maps = mysql:/usr/local/etc/postfix/virtual_uids.cf
Re: problem with smtpd_milter and header_checks
> you shouldn't discard mail only because it is flagged by spamassassin; this is not allowed, i.e. in Germany by law, if you do this for customers use hold (for manual inspection) or tell spamass-milter to reject them at smtp income level. additionally you may load sanesecurity spam sig to clamd, clamav-milter and reject or hold them at smtp income level

I do it for our company, and top managers say drop every email with spam level 7 or higher. I am a small man, I do what managers say :-(

J.
Problem with some user sometimes
I have a problem with some user. This user sometimes receives the email: A message that you send could not be delivered to one or more of its recipients. And sometimes sends email correctly. No problem. How to control that?
RE: Postfix-2.6.0 RPM
> I noticed that Postfix V#2.6.0 is now out. Does anybody know where to get RPM files? GOOGLE did not help.

Simon Mudd picks up the releases and makes good source and binary RPMs from them with lots of options. However, he's a busy man and does not always get to them right after release. A kindly-worded email to him might yield you an estimate of when he'll get to 2.6.

But certainly don't expect the big Linux package-based releases to make RPMs of their own any time soon - Red Hat 5.3 ships with 2.3.

--Brian
RE: Postfix-2.6.0 RPM
> Is there a real use case for binary RPMs not maintained by the distribution release engineering teams? What's wrong with the Postfix source, which is typically less likely to have ill-advised patches dropped into it?

Because those of us who run package-based systems find things work better when we have Postfix in a package as well. This is rarely a problem for me on CentOS/RHEL systems, because I get Simon's source, set the options I want, and compile my own. Simon does a great job of keeping his source RPMs as close to vanilla as possible, and I don't really need the latest version on most of my systems.

Red Hat, on the other hand, has been known to patch Postfix to the point of frustrating admins. In addition, they are, as someone already pointed out, several revisions back. Looks like Fedora 11 is currently at 2.5, though.

--Brian
Re: Problem with some user sometimes
On Thu, May 14, 2009 2:20 pm, Esteban Torres Rodriguez said:
> I have a problem with some user. This user sometimes receives the email: A message that you send could not be delivered to one or more of its recipients. And sometimes sends email correctly. No problem. How to control that?

Are the bounce messages he receives a result of messages he has sent via your server? If so, he may be the victim of backscatter.

http://www.postfix.org/BACKSCATTER_README.html

If not, we need to see the corresponding Postfix log (or in worst case the bounce message) and your configuration as requested in the list introduction message.

--
Magnus Bäck
mag...@dsek.lth.se
Re: problem with smtpd_milter and header_checks
Jiri Veselsky:
> Hallo all. (first sorry for my english)
> I have a small (big) problem with configure Postfix to drop messages with header_checks. In main.cf I have:
>
>   smtpd_milters = local:/./clamav-milter.sock local:/./spamass-milter.sock
>   milter_default_action = accept
>
> if I receive a message from internet, in headers are rows from milters:
>
>   X-Virus-Scanned: clamav-milter 0.95.1 at ...
>   X-Virus-Status: Clean
>   X-Spam-Flag: YES
>   X-Spam-Status: Yes, score=11.6 required=7.0...
>   X-Spam-Level: ***
>   X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...
>
> I think that milters works correctly. I save message as message.txt for testing.
> next row in main.cf is:
>
>   header_checks = regexp:/usr/local/etc/postfix/header_checks
>
> in header_checks file is:
>
>   /^X-Spam-Status: Yes/ DISCARD
>
> I test it:
>
>   postmap -q - regexp:/usr/local/etc/postfix/header_checks message.txt
>
> I think that header_checks works, because show row:
>
>   X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD
>
> In master.cf I configure cleanup with -v and I read a log, but rows X-Virus... and X-Spam are not in log, that is (I mean) why cleanup do not drop messages. Can anyone idea? Milters are after cleanup?

Postfix header_checks happen while mail is received. Milters can add headers only after the end of the email message is received. That is a feature of the Milter protocol.

The Milter protocol has a DISCARD feature. If you can configure your application to send SMFIR_DISCARD into Postfix then you are done. On the other hand, if header_checks are the only way, it will take new code (not happening soon) or extra configuration (see example below).

No code has been written to apply header_checks and body_checks when Milters add or modify the message content. The question has never come up, so that could be called an oversight. I don't have much time to write new code soon, so the next option is better.

You can work around this with a null content filter (Postfix SMTP client talking directly to Postfix SMTP server on port 10025). Below is a basic example; the text in FILTER_README provides configurations with more bells and whistles.

/etc/postfix/master.cf:
    1 #
    2 # service type  private unpriv  chroot  wakeup  maxproc command + args
    3 #               (yes)   (yes)   (yes)   (never) (100)
    4 #
    5 smtp      inet  n       -       n       -       -       smtpd
    6     -o content_filter=smtp:127.0.0.1:10025
    7 127.0.0.1:10025 inet n  -       n       -       -       smtpd
    8     -o content_filter=

Line 5-6: this is the Internet-facing SMTP server. We add a content filter setting that sends mail into localhost port 10025.

Line 7-8: this is an internal SMTP server that receives mail with the Milter-added headers. This is then subject to header_checks in the way that you expect it to work. For safety it kills off any content_filter settings from main.cf.

Wietse
Re: postfix sasl (dovecot) works no more
On May 14, 2009, at 7:40 AM, wiseadmin wisead...@gmail.com wrote:
> Hello everybody, I am running FreeBSD with postfix (2.6.0-RC2) and dovecot (1.1.11). There are virtual domains and users and postfix authenticates users using sasl and dovecot. Today I've performed a server upgrade (portupgrade -arRv) and sasl authentication works no more. It worked for the last 4 months without problems. I've made no modification to any config file. In postfix logs I get
>
>   May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to smtpd failed: No such file or directory
>   May 14 14:35:11 softexp postfix/smtpd[8378]: fatal: no SASL authentication mechanisms
>
> postfix is running, dovecot is running, saslauthd is running

Why dovecot AND saslauthd?
Re: problem with smtpd_milter and header_checks
> Postfix header_checks happen while mail is received. Milters can add headers only after the end of the email message is received. That is a feature of the Milter protocol.
>
> The Milter protocol has a DISCARD feature. If you can configure your application to send SMFIR_DISCARD into Postfix then you are done. On the other hand, if header_checks are the only way, it will take new code (not happening soon) or extra configuration (see example below).
>
> No code has been written to apply header_checks and body_checks when Milters add or modify the message content. The question has never come up, so that could be called an oversight. I don't have much time to write new code soon, so the next option is better.
>
> You can work around this with a null content filter (Postfix SMTP client talking directly to Postfix SMTP server on port 10025). Below is a basic example; the text in FILTER_README provides configurations with more bells and whistles.
>
> /etc/postfix/master.cf:
>     1 #
>     2 # service type  private unpriv  chroot  wakeup  maxproc command + args
>     3 #               (yes)   (yes)   (yes)   (never) (100)
>     4 #
>     5 smtp      inet  n       -       n       -       -       smtpd
>     6     -o content_filter=smtp:127.0.0.1:10025
>     7 127.0.0.1:10025 inet n  -       n       -       -       smtpd
>     8     -o content_filter=
>
> Line 5-6: this is the Internet-facing SMTP server. We add a content filter setting that sends mail into localhost port 10025.
>
> Line 7-8: this is an internal SMTP server that receives mail with the Milter-added headers. This is then subject to header_checks in the way that you expect it to work. For safety it kills off any content_filter settings from main.cf.
>
> Wietse

Many thanks, I try it...

J.
Re: Postfix-2.6.0 RPM
* Brian Collins lis...@newnanutilities.org:
>> I noticed that Postfix V#2.6.0 is now out. Does anybody know where to get RPM files? GOOGLE did not help.
> Simon Mudd picks up the releases and makes good source and binary RPMs from them with lots of options. However, he's a busy man and does not always get to them right after release. A kindly-worded email to him might yield you an estimate of when he'll get to 2.6.

He's a bit busy right now due to family issues.

--
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung
Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
It's always nice to see USA set the edgy standards. First for freedom, then for the police state.
Re: postfix sasl (dovecot) works no more
wiseadmin: May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to smtpd failed: No such file or directory

You need to update your main.cf:smtpd_sasl_path setting and specify the location of the socket that the Dovecot server listens on. For example, when dovecot.conf says:

    socket listen {
      ...
      path = /var/spool/postfix/private/auth
      ...

Then main.cf would say:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

Wietse
Re: Postfix-2.6.0 RPM
Ralf Hildebrandt wrote: * Brian Collins lis...@newnanutilities.org: I noticed that Postfix V#2.6.0 is now out. Does anybody know where to get RPM files? GOOGLE did not help. Simon Mudd picks up the releases and makes good source and binary RPMs from them with lots of options. However, he's a busy man and does not always get to them right after release. A kindly-worded email to him might yield you an estimate of when he'll get to 2.6. He's a bit busy right now due to family issues. Sorry to hear that but in the mean time you can grab .src.rpm for a prior release, the tarball for the current release and modify the .spec file to reflect this. As mentioned in an earlier message Simon's RPMs are built as simply as possible so can be handled this way. \\||/ Rod --
Re: Need To Reject Inbound From Addresses with My Own Domain/s
wiskbr...@hotmail.com wrote: Recently I've been getting a ton of email for a new domain we've registered and have begun receiving email for. Our users in this new domain are either 1. receiving email with a From address identical to their own, or 2. receiving email with a From address of one of our other three domains, none of the emails are valid and the real sender is sending the email from the internet and through an external postfix gateway/relay box. Here is a sample of my main.cf:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_sender_access dbm:/etc/postfix/blocked_senders, reject_rbl_client CLIENT-LICENSE.mail-abuse.com

Here are the contents of my /etc/postfix/blocked_senders file:

operator#...@somephishingbanksite\.com REJECT

The above line is the wrong syntax and will never match anything. Wildcards are not allowed in dbm or other indexed files, and quotes should never be used.

mydomain.com 554 mydomain.com sender? But you're not in my network ...

Yes, this will reject your own domain when used outside $mynetworks.

-- Noel Jones
RE: Need To Reject Inbound From Addresses with My Own Domain/s
Here are the contents of my /etc/postfix/blocked_senders file: operator#...@somephishingbanksite\.com REJECT The above line is the wrong syntax and will never match anything. Wildcards are not allowed in dbm or other indexed files, and quotes should never be used. I am almost certain that it has already worked in the past, I'll check. Otherwise, any suggestions for where and how to implement such a rule? mydomain.com 554 mydomain.com sender? But you're not in my network ... Yes, this will reject your own domain when used outside $mynetworks. Awesome, I've just implemented this and it's thus far working like a charm! (I was afraid to roll it out...) .vp
Re: problem with smtpd_milter and header_checks
Jiri Veselsky wrote: you shouldn't discard mail, only cause flagged by spamassassin this is not allowed i.e in Germany by law, if you do this for customers use hold ( for manual inspection ) or tell spamass-milter to reject them at smtp income level additionally you may load sanesecurity spam sig to clamd, clamav-milter and reject or hold them at smtp income level

I do it for our company and top-managers says drop every emails with spam level 7 or higher I am small man, I do what managers says :-( J.

jep do this with reject and i.e spamass-milter -r 7 why searching about other solutions if the right one is already there and you already have spamass-milter setup

SpamAssassin Sendmail Milter Plugin
Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
                      [-e defaultdomain] [-f] [-i networks] [-m] [-M]
                      [-P pidfile] [-r nn] [-u defaultuser] [-x] [-a]
                      [-- spamc args ]
   -p socket: path to create socket
   -a: don't scan messages over an authenticated connexion.
   -b bucket: redirect spam to this mail address. The orignal recipient(s) will not receive anything.
   -B bucket: add this mail address as a BCC recipient of spam.
   -d xx[,yy ...]: set debug flags. Logs to syslog
   -D host: connect to spamd at remote host (deprecated)
   -e defaultdomain: pass full email address to spamc instead of just username. Uses 'defaultdomain' if there was none
   -f: fork into background
   -i: skip (ignore) checks from these IPs or netblocks
          example: -i 192.168.12.5,10.0.0.0/8,172.16.0.0/255.255.0.0
   -m: don't modify body, Content-type: or Subject:
   -M: don't modify the message at all
   -P pidfile: Put processid in pidfile
   -r nn: reject messages with a score >= nn with an SMTP error. use -1 to reject any messages tagged by SA.
   -u defaultuser: pass the recipient's username to spamc. Uses 'defaultuser' if there are multiple recipients.
   -x: pass email address through alias and virtusertable expansion.
   -- spamc args: pass the remaining flags to spamc.
-- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: Header Check Assistance
mouss wrote: Drew Tomlinson wrote: Is there some rule about submitting questions with the string Help in the subject? I've tried posting the following note with the subject of Help With header_checks and received a bounce message indicating this error:

BOUNCE postfix-users@postfix.org: Admin request: /^subject:\s*help\b/i

I'm using postfix 2.5.6,1 and have been using postfix for a long time. In older versions, to perform header checks, I had a text file and would then have to run postmap to create the header_check.db file. Is this step no longer required? When running 'postmap header_checks', I get lots of warning about duplicate entry. Here's an example:

postmap: warning: header_checks.db: duplicate entry: /^from:
postmap: warning: header_checks, line 91: record is in key: value format; is this an alias file?

Also, I am attempting to reject some mail based upon the Received: header. Specifically, I have lines such as this in my header_checks:

/^Received: .*mycouponsavingsmail/REJECT 550

missing space before REJECT.

Thank you. I knew it was something simple. :)

but why do you use header_checks for this? check_client_access is better.

I have no preference for header_checks. What makes client_access better? Is it less expensive?

... check_client_access cidr:/etc/postfix/access_client.cidr

== access_client.cidr:
24.155.144.16/28 REJECT spammy network (Targetmail)
24.155.144.32/28 REJECT spammy network (Targetmail)

and/or

... check_client_access hash:/etc/postfix/access_client

== access_client:
mycouponsavingsmail.com REJECT spammy network (Targetmail)
.mycouponsavingsmail.com REJECT spammy network (Targetmail)

but you'll have a lot of work to track the domain names. See if uribl is good for you...

Yes, I'm using several blacklists. But recently I'm getting a bunch of spam from a few domains and wanted to block it. Thanks, Drew -- Be a Great Magician! Visit The Alchemist's Warehouse http://www.alchemistswarehouse.com
Re: Proxying a policy service
Geert Hendrickx wrote: What drawbacks did you experience? We run a local policyd instance on each postfix server too, all connecting to a central (not replicated) MySQL. Policyd's behaviour when MySQL becomes unavailable is configurable, it can either tempfail (4xx) all incoming e-mail or dunno it. Yes, that is the benefit of doing it that way. But we experienced problems with recurring corruption of the isam tables when the network connections to the db server were interrupted. Apparently myisam tables don't deal well with interrupted connections, from what I found on google. At any rate, once we moved policyd to the same host as the mysql database, the corruption issue disappeared permanently, but we have the different issue of smtp transactions failing whenever there are connectivity glitches. I'm going to try out hapolicy first, since it's quite a bit quicker and cheaper to set up than full blown mysql replication. Joe
Re: Postfix-2.6.0 RPM
Roderick A. Anderson wrote: Sorry to hear that but in the mean time you can grab .src.rpm for a prior release, the tarball for the current release and modify the .spec file to reflect this. I've been doing this for our smtp servers for some time. The suse factory postfix srpm compiles nicely on SLES and is usually fairly current, but if need be, as mentioned above, it's not too difficult to drop in a newer tarball from postfix.org and tweak the spec file before rebuilding. Joe
not sure why this is getting through
Hello All, I am receiving message from people faking like they are from our domain, when looking in the headers I see this: Received-SPF: permerror (mydomain.com: Junk encountered in mechanism '+ptr:') Read this on the spf site: If the permerror occurred because an SPF publisher uses a mechanism not understood by an SPF client and the receiver does not reject the message due to the permerror, that mechanism should be provided in the header immediately following the permerror. That way, the information is available to the end user to support troubleshooting. Not sure I know how to resolve this, any help appreciated! Joey
Re: Need To Reject Inbound From Addresses with My Own Domain/s
wiskbr...@hotmail.com wrote: Here are the contents of my /etc/postfix/blocked_senders file: operator#...@somephishingbanksite\.com REJECT The above line is the wrong syntax and will never match anything. Wildcards are not allowed in dbm or other indexed files, and quotes should never be used. I am almost certain that it has already worked in the past, I'll check. Otherwise, any suggestions for where and how to implement such a rule?

Here's an example using a regexp table instead of the dbm table for those two statements. It's also acceptable to use multiple check_sender_access statements if that fits your needs better.

# main.cf
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_sender_access regexp:/etc/postfix/senders.pcre
    ... other stuff ...

# senders.pcre
/operator#...@somephishingbanksite\.com$/ REJECT phishing
/@mydomain\.com$/ 554 mydomain.com sender? But you're not!

Note that you do not postmap regexp or pcre files.

-- Noel Jones
Re: Proxying a policy service
On Thu, May 14, 2009 at 10:15:07AM -0700, J Sloan wrote: Yes, that is the benefit of doing it that way. But we experienced problems with recurring corruption of the isam tables when the network connections to the db server were interrupted. Apparently myisam tables don't deal well with interrupted connections, from what I found on google. FWIW, policyd v2 uses innodb. Geert -- Geert Hendrickx -=- g...@telenet.be -=- PGP: 0xC4BB9E9F This e-mail was composed using 100% recycled spam messages!
Re: Proxying a policy service
Geert Hendrickx wrote: On Thu, May 14, 2009 at 10:15:07AM -0700, J Sloan wrote: Yes, that is the benefit of doing it that way. But we experienced problems with recurring corruption of the isam tables when the network connections to the db server were interrupted. Apparently myisam tables don't deal well with interrupted connections, from what I found on google. FWIW, policyd v2 uses innodb. That is true - however, policyd v1 is a very efficient compiled c program which runs for months with no hiccups or memory leaks, and we're understandably a bit hesitant to move to a perl script. Joe
Re: postfix sasl (dovecot) works no more
Thank you Wietse! Unfortunately it doesn't work :( In dovecot.conf the socket is /var/run/dovecot/auth-master. When I added it in main.cf I got permission denied (it has 600 and root:wheel). I changed the permission to 666 (this is not ok, but I only wanted to see if it works) and now I get in logs only fatal: no SASL authentication mechanisms. I don't know what else to do. Someone said something about smtpd.conf. The file is in /usr/lib/sasl2/smtpd.conf and in /usr/lib/sasl2 and its content is:

log_level:3
pwcheck_method: saslauthd
mech_list: plain login

What is frustrating is that the server worked for many months. I tried a downgrade of postfix and I get the same error. Maybe it is not from postfix but from dovecot or saslauthd. If someone knows what I should do, please advise me. I'm stuck and I don't know what to do. Thank you

Wietse Venema wrote: You need to update your main.cf:smtpd_sasl_path setting and specify the location of the socket that the Dovecot server listens on. For example, when dovecot.conf says:

    socket listen {
      ...
      path = /var/spool/postfix/private/auth
      ...

Then main.cf would say:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

Wietse
Re: postfix sasl (dovecot) works no more
I think the problem is deeper. The 25/tcp port is open but I can't ehlo the server.

[...@toshiba ~]$telnet server_domain 25
Trying 80.96.x.x...
Connected to server_domain.
Escape character is '^]'.

And it gets stuck there!

Wietse Venema wrote: wiseadmin: May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to smtpd failed: No such file or directory

You need to update your main.cf:smtpd_sasl_path setting and specify the location of the socket that the Dovecot server listens on. For example, when dovecot.conf says:

    socket listen {
      ...
      path = /var/spool/postfix/private/auth
      ...

Then main.cf would say:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

Wietse
Re: postfix sasl (dovecot) works no more
Why not? It is simple for my setup. I only have 10-15 users and that's all. If you think its dangerous or something please explain and I'll change it. Thanks Sahil Tandon wrote: On May 14, 2009, at 7:40 AM, wiseadmin wisead...@gmail.com wrote: Hello everybody, I am running FreeBSD with postfix (2.6.0-RC2) and dovecot (1.1.11). There are virtual domains and users and postfix authenticates users using sasl and dovecot. Today I've performed a server upgrade (portupgrade -arRv) and sasl authentication works no more. It worked for the last 4 months without problems. I've made no modification to any config file. In postfix logs I get May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to smtpd failed: No such file or directory May 14 14:35:11 softexp postfix/smtpd[8378]: fatal: no SASL authentication mechanisms postfix is running, dovecot is running, saslauthd is running Why dovecot AND saslauthd?
Options for immediate email address activation in postfix.
A client of mine has a web service where a simple web page can be made via a browser to create an identity for them online. Build a page with web tools, toggle a setting to add DNS records, update the registrar to point to the NS's, and they have a live webpage in short order. They want to be able to allow an info@ email address that will only forward to some other account. There is no need for pop/imap login, i...@example.com will simply forward to users-des...@theiremail.com Any suggestions on the simplest way to approach this. I was thinking postfix with MySql backed data store. Today I read that RHEL is behind on postfix, and I think does not have MySql support in their rpm's. I have zero access to a staging server. If this turns into a high volume site, would file based aliases fall apart after a certain amount? I also see maintaining a alias mapping via a file managed by a web service to be prone to error. If anything I would store the mappings in a database, and write them out clean on schedule. What are the upper limits of how many forwards I should feel comfortable maintaining as a local file? Any other suggestions on methodology? -- Scott * If you contact me off list replace talklists@ with scott@ *
Re: not sure why this is getting through
2009/5/15 Joey j...@web56.net: Received-SPF: permerror (mydomain.com: Junk encountered in mechanism '+ptr:') “If the permerror occurred because an SPF publisher uses a mechanism not understood by an SPF client and the receiver does not reject the message due to the permerror, that mechanism should be provided in the header immediately following the permerror. That way, the information is available to the end user to support troubleshooting.” As it says, the SPF publisher (you) have a mechanism in your records that the client (anything checking the SPF records for incoming mail) doesn't understand. You're getting this message because the mail wasn't rejected as a result of the SPF check. Seeing as you haven't supplied your SPF record, *and* you've masked your domain, we can't say much more. Checking your syntax, if you haven't already, is a good idea. http://www.kitterman.com/spf/validate.html At a guess, the client might not like the '+'-qualifier. Seeing as pass is the default anyway, try removing it from the 'ptr' mechanism.
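An added example, not part of the thread: the header quotes the offending term as '+ptr:', and in the SPF grammar (RFC 4408) a colon after a, mx or ptr must be followed by a domain. The script below lints the terms of one record for that kind of error; the record in it is constructed, since the poster's record is not shown, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: syntax lint for the mechanisms of one SPF record (RFC 4408 grammar).
# It checks only the shape of each term and performs no DNS lookups.

spf_problem() {                          # record one finding
    printf "term '%s': %s\n" "$1" "$2"
    problems=$((problems + 1))
}

# spf_lint RECORD -> prints one line per malformed term, fails if any was found
spf_lint() {
    record=$1
    problems=0
    case $record in
        'v=spf1'|'v=spf1 '*) ;;
        *) spf_problem "$record" "record does not start with v=spf1" ;;
    esac
    set -f                               # split on spaces without globbing
    for term in $record; do
        body=${term#[-+~?]}              # drop one optional qualifier
        name=${body%%[:/=]*}             # text before the first ':', '/' or '='
        rest=${body#"$name"}
        case $rest in =*) continue ;; esac   # modifier (v=, redirect=, exp=): skipped
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case $name in
            all)
                [ -z "$rest" ] || spf_problem "$term" "'all' takes no argument" ;;
            include|exists|ip4|ip6)
                case $rest in
                    :?*) ;;
                    *) spf_problem "$term" "expected ':value' after '$name'" ;;
                esac ;;
            a|mx)                        # optional ':domain', optional '/prefix-length'
                case $rest in
                    ''|/?*|:[!/]*) ;;
                    *) spf_problem "$term" "expected nothing, ':domain' or '/length' after '$name'" ;;
                esac ;;
            ptr)                         # optional ':domain' only
                case $rest in
                    ''|:[!/]*) ;;
                    *) spf_problem "$term" "expected nothing or ':domain' after 'ptr'" ;;
                esac ;;
            *) spf_problem "$term" "unknown mechanism" ;;
        esac
    done
    set +f
    [ "$problems" -eq 0 ]
}

# Constructed record containing the term quoted in the Received-SPF header.
spf_lint 'v=spf1 mx +ptr: a:mail.example.com -all' || echo "record needs fixing"
```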
Re: Options for immediate email address activation in postfix.
2009/5/15 Scott Haneda talkli...@newgeo.com: Any suggestions on the simplest way to approach this. I was thinking postfix with MySql backed data store. Today I read that RHEL is behind on postfix, and I think does not have MySql support in their rpm's. I have zero access to a staging server.

Correct, you'd have to roll your own or use the Centos-plus channel RPM. If you choose the latter you can have a very high degree of confidence that it will just work as you expect, but you need to maintain it yourself. Postfix 2.3 is otherwise fine for functionality in RHEL5 though.

If this turns into a high volume site, would file based aliases fall apart after a certain amount? I also see maintaining a alias mapping via a file managed by a web service to be prone to error. If anything I would store the mappings in a database, and write them out clean on schedule. What are the upper limits of how many forwards I should feel comfortable maintaining as a local file?

With enough sanity checks you can manage an alias file with scripts (run via web frontend), but it's not much fun. I believe (redhat) default hash-maps perform and scale quite nicely. CDB maps are said to scale even better, and I think numbers quoted on this list previously say... 1 million is no problem for CDB? If you go this route you probably want a couple of sanity checks to make sure that the new map file isn't drastically different (smaller) to the current running one. I can just imagine a situation with some sort of temporary DB failure producing zero lines of output, which is then promptly used to create a new map...
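The sanity check suggested above, as an added example that is not part of the original post: before a generated alias file replaces the live one, refuse it if it is empty, malformed, or much smaller than the current map. The file names, the 50% threshold, the hash: map type and the function names are assumptions.

```shell
#!/bin/sh
# Added example: vet a generated virtual alias file before it replaces the live map.
# Assumes one "address target[,target...]" entry per line, as an export script would write.

# Print the number of entries (lines that are neither blank nor comments).
count_entries() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { n++ } END { print n + 0 }' "$1"
}

# check_map CANDIDATE CURRENT [MIN_PCT]
# Succeeds only if CANDIDATE is well formed and holds at least MIN_PCT percent
# (default 50, an arbitrary threshold) of the entries in CURRENT.
check_map() {
    candidate=$1 current=$2 min_pct=${3:-50}

    [ -s "$candidate" ] || { echo "candidate missing or empty" >&2; return 1; }

    # Every entry needs a key and a target; postmap only warns about duplicate keys.
    bad=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF < 2     { printf "line %d: no target\n", NR; next }
        seen[$1]++ { printf "line %d: duplicate key %s\n", NR, $1 }
    ' "$candidate")
    [ -z "$bad" ] || { echo "$bad" >&2; return 1; }

    new=$(count_entries "$candidate")
    [ "$new" -gt 0 ] || { echo "candidate has no entries" >&2; return 1; }

    [ -f "$current" ] || return 0        # first deployment, nothing to compare

    old=$(count_entries "$current")
    # new/old >= min_pct/100, kept in integer arithmetic
    if [ $((new * 100)) -lt $((old * min_pct)) ]; then
        echo "candidate has $new entries, live map has $old: refusing" >&2
        return 1
    fi
}

# install_map CANDIDATE CURRENT [MIN_PCT]
# Index the candidate under its own name, then rename index and source into place,
# so smtpd never opens a half-written .db file.
install_map() {
    check_map "$1" "$2" "${3:-50}" || return 1
    postmap "hash:$1" || return 1
    mv "$1.db" "$2.db" && mv "$1" "$2"
}

# Demo on constructed data: a live map with four entries and a candidate written
# by an export that lost its database connection after the first row.
demo_dir=$(mktemp -d)
printf '%s\n' 'info@a.example u1@mail.example' 'info@b.example u2@mail.example' \
    'info@c.example u3@mail.example' 'info@d.example u4@mail.example' > "$demo_dir/virtual"
printf '%s\n' 'info@a.example u1@mail.example' > "$demo_dir/virtual.new"
if check_map "$demo_dir/virtual.new" "$demo_dir/virtual" 50 2>/dev/null; then
    echo "candidate accepted"
else
    echo "candidate rejected, live map left untouched"
fi
rm -rf "$demo_dir"
```

In a cron job the export would write the candidate file and then call install_map with the candidate and live paths; a non-zero exit leaves the running map as it was.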
Re: Postfix-2.6.0 RPM
Didn't get the message you replied to, so I'm bolting it on to yours. mouss wrote: Stefan Jakobs wrote: On Thursday, 14. May 2009 09:54:56 Corey Chandler wrote: MacShane, Tracy wrote: Also, installing non-RPM packages can obviously cause clashes when installing other RH updates (at least RPM is clever enough not to try installing Postfix 2.3 patches when it finds 2.5 already installed). Urm... add Postfix to your yum excludes file and the problem goes away. Postfix provides an MTA which is a quite important part of a *nix system. To remove the MTA package from system breaks a lot of dependencies. To avoid that you install your own package. Yes, I'm aware of that. If you reread the parent's use case, they're building a custom spin of Postfix from source. Therefore, you want to ensure that postfix itself is excluded from updates so your install doesn't get overwritten by an earlier version; it doesn't usually, but I don't like to count on that. -- Corey Chandler / KB1JWQ Living Legend / Systems Exorcist Today's Excuse: We are a 100% Microsoft Shop
need help figuring out why spf or other rule is not rejecting this
Hello All, I am receiving message from people faking like they are from our domain, when looking in the headers I see this: Received-SPF: permerror (mydomain.com: Junk encountered in mechanism '+ptr:') Read this on the spf site: If the permerror occurred because an SPF publisher uses a mechanism not understood by an SPF client and the receiver does not reject the message due to the permerror, that mechanism should be provided in the header immediately following the permerror. That way, the information is available to the end user to support troubleshooting. Not sure I know how to resolve this, any help appreciated! Joey
Re: Options for immediate email address activation in postfix.
At my company we're doing almost the exact same thing. For this we use Postfix on RHEL5 with MySQL for domains, users and aliases. With about ~10k accounts everything works great except the forwarding vs SPF problem, ie:

1. someu...@hotmail.com sends a message to i...@yourcustomer.com
2. your server forwards this message to yourcusto...@hotmail.com
3. hotmail rejects the message because your server is not allowed to send messages from someu...@hotmail.com

I believe the solution to this would be SRS, but haven't found any such solution for Postfix yet :( http://www.openspf.org/SRS Martin

On Fri, 15 May 2009 02:53:19 +0200, Scott Haneda talkli...@newgeo.com wrote: A client of mine has a web service where a simple web page can be made via a browser to create an identity for them online. Build a page with web tools, toggle a setting to add DNS records, update the registrar to point to the NS's, and they have a live webpage in short order. They want to be able to allow an info@ email address that will only forward to some other account. There is no need for pop/imap login, i...@example.com will simply forward to users-des...@theiremail.com Any suggestions on the simplest way to approach this. I was thinking postfix with MySql backed data store. Today I read that RHEL is behind on postfix, and I think does not have MySql support in their rpm's. I have zero access to a staging server. If this turns into a high volume site, would file based aliases fall apart after a certain amount? I also see maintaining a alias mapping via a file managed by a web service to be prone to error. If anything I would store the mappings in a database, and write them out clean on schedule. What are the upper limits of how many forwards I should feel comfortable maintaining as a local file? Any other suggestions on methodology?
Re: Options for immediate email address activation in postfix.
On May 14, 2009, at 6:07 PM, Barney Desmond wrote: If this turns into a high volume site, would file based aliases fall apart after a certain amount? I also see maintaining a alias mapping via a file managed by a web service to be prone to error. If anything I would store the mappings in a database, and write them out clean on schedule. What are the upper limits of how many forwards I should feel comfortable maintaining as a local file? With enough sanity checks you can manage an alias file with scripts (run via web frontend), but it's not much fun. I believe (redhat) default hash-maps perform and scale quite nicely. CDB maps are said to scale even better, and I think numbers quoted on this list previously say... 1 million is no problem for CDB?

Thank you very much, I do not think a million will be hit for some time. Is there any penalty when you run postmap to read in the changes to the virtual_alias_maps file? I know it is not a server restart, and can happen without interruption of service, though I wonder what happens when you issue a postmap on a million line file. Thanks. -- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Need To Reject Inbound From Addresses with My Own Domain/s
Victor Duchovni wrote: On Thu, May 14, 2009 at 12:42:01PM -0500, Noel Jones wrote: wiskbr...@hotmail.com wrote: Here are the contents of my /etc/postfix/blocked_senders file: operator#...@somephishingbanksite\.com REJECT The above line is the wrong syntax and will never match anything. Wildcards are not allowed in dbm or other indexed files, and quotes should never be used. I am almost certain that it has already worked in the past, I'll check. Otherwise, any suggestions for where and how to implement such a rule? Here's an example using a regexp table instead of the dbm table for those two statements. It's also acceptable to use multiple check_sender_access statements if that fits your needs better.

# main.cf
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_sender_access regexp:/etc/postfix/senders.pcre
    ... other stuff ...

# senders.pcre
/operator#...@somephishingbanksite\.com$/ REJECT phishing
/@mydomain\.com$/ 554 mydomain.com sender? But you're not!

Does regexp support \d+? It looks like PCRE to me... So the table prefix should be pcre: not regexp:.

You're right, that's a pcre construct and not universally supported by regexp. A more portable expression would be:

/operator#[0-...@somephishingbanksite\.com$/ REJECT phishing

-- Noel Jones
Re: Header Check Assistance
mouss wrote: Drew Tomlinson wrote: mouss wrote: I have no preference for header_checks. What makes client_access better? Is it less expensive? it's time to learn how smtp works. in particular, the fact that the message is sent after the DATA command. which means that if you reject before DATA, you avoid having to read the message (including the headers). Thank you. This makes sense to me. .[snip] but you'll have a lot of work to track the domain names. See if uribl is good for you... Yes, I'm using several blacklists. you didn't understand what I was suggesting. OK, I think I understand now. uribl is a way to check mail content for domains that *appear* in spam, not from where the mail is sent. Good idea! I will see about adding that to SpamAssassin. [snip] Thanks for your help. I appreciate it. Drew -- Be a Great Magician! Visit The Alchemist's Warehouse http://www.alchemistswarehouse.com
Re: Options for immediate email address activation in postfix.
On Thu, May 14, 2009 at 06:48:07PM -0700, Scott Haneda wrote: Thank you very much, I do not think a million will be hit for some time. Is there any penalty when you run postmap to read in the changes to the virtual_alias_maps file? I know it is not a server restart, and can happen without interruption of service, though I wonder what happens when you issue a postmap on a million line file.

You consume some CPU and burn some disk I/O ops. Daemons that use the indexed file will re-start at a convenient point in time (i.e. not in the middle of a transaction, ...). Regardless of size, you should not be re-building indexed files frequently (more than a few times a day), if you are, use *SQL or LDAP.

-- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.