Re: kill ip from bootnets and zombi (shell script)

2009-05-14 Thread Andreas Schuldei
* Julio Cesar Covolato (ju...@psi.com.br) [090514 07:26]:
 Hi!

 I made a little shell script for stopping botnets and zombies, and I want
 to know what you think about it.

 The purpose is to drop via iptables hosts that are rejected several
 times in a little space of time, reading the log generated by postfix.

 Tested in a Linux box.

 The script is so poor, but it's functional! I think that using perl
 would be much better (Anyone? I'm very bad in perl, sorry!).

 Just download, untar, configure (optional), and run it by command line
 for a few minutes, and see the show!!!

 The idea is to block via firewall the connections that are garbage. Test it!!

 Download pf-ip-killer :

 http://psi.com.br/~julio/postfix/pf-ip-killer.tgz

This could be done with the recent module for iptables. That
would take care of everything this script does (minus the pruning
after one or two hours). If that could be done too, all this
could be a static iptables configuration.


Re: postfix smtpd interface when using IP slow but when using localhost normal

2009-05-14 Thread mouss
Samuel Sappa wrote:
 I have a problem with my postfix: a few days ago my smtpd started running
 very slow. When delivering messages (using MUA Outlook, TB, OE), message
 delivery is very slow, but if a user uses the web mail, which uses
 openwebmail, delivery runs fine without the delay. I came to the
 conclusion that when postfix sends an outgoing message using the IP
 address there is a delay, but when using 127.0.0.1 the outgoing message is
 sent without delay. I also tested the connection from the machine
 using telnet to the IP address; the response is very slow, but when I
 use telnet and connect to 127.0.0.1 the response is normal.

Maybe a (reverse) DNS resolution issue. When postfix gets a connection,
it looks up the IP in DNS. If you have no DNS server for your private
IPs, then your system will query external DNS servers, which takes time
(besides generating useless traffic).


 I
 already restored my postfix parameters to their original values (main.cf and
 master.cf) and set inet_interfaces = 127.0.0.1, but the problem still
 exists.
 My questions are:
 1. If I add another interface (LAN card with a new IP address)
 for outgoing smtpd, will the problem be solved?
 2. Is there any possibility that my machine has already become an open relay,
 or that my smtp has been hijacked by other people?
 3. I am using untangle for my anti-spam, and according to the untangle
 report spam traffic is high; is this another event that caused my
 problem with my smtpd?
 
 That's all from me, thanks for your kind help and suggestions.
 




Re: kill ip from bootnets and zombi (shell script)

2009-05-14 Thread Bill Landry
Julio Cesar Covolato wrote:
 Hi!
 
 I made a little shell script for stopping botnets and zombies, and I want
 to know what you think about it.
 
 The purpose is to drop via iptables hosts that are rejected several
 times in a little space of time, reading the log generated by postfix.
 
 Tested in a Linux box.
 
 The script is so poor, but it's functional! I think that using perl
 would be much better (Anyone? I'm very bad in perl, sorry!).
 
 Just download, untar, configure (optional), and run it by command line
 for a few minutes, and see the show!!!
 
 The idea is to block via firewall the connections that are garbage. Test it!!
 
 Download pf-ip-killer :
 
 http://psi.com.br/~julio/postfix/pf-ip-killer.tgz

Have you taken a look at fail2ban?:

   http://www.fail2ban.org

It already does this using python, run in daemon mode, and can support
any application that writes to a log file.

Bill



Re: Postfix-2.6.0 RPM

2009-05-14 Thread Corey Chandler

Victor Duchovni wrote:


Yes, some of the better distribution supported patches are not ill-advised.
But occasionally, one gets something along the lines of the Debian OpenSSL
fiasco (notably the Debian *Postfix* patches have been pretty good, and
historically RedHat was adding rather questionable changes to Postfix)
  
Sorry, I missed the background on this one-- what did RedHat do to 
Postfix that was questionable?


--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: We are a 100% Microsoft Shop



Re: Postfix-2.6.0 RPM

2009-05-14 Thread Corey Chandler

MacShane, Tracy wrote:
 
  


Yes, there is unfortunately such a need, because RHEL5 is only up to
Postfix 2.3, and we require functionality from Postfix 2.5 and up
(destination_rate_delay). 


This leads to an interesting question all its own:

I'm running the same Postfix config I built years ago under probably 2.2 
or 2.3.  Is there a document somewhere or a process by which I can 
modernize the config?  Periodically I'll be told that a line I'm using 
is deprecated by something newer, and I'd like to get with the times...

The OS administrators do not permit GCC and
devel libraries on the SMTP servers I maintain (and fair enough). 
Nor should they-- this is what a staging environment is for.  Build it 
on a staging box, test the heck out of it, and then push the binaries 
out to the production farm.

Also,
installing non-RPM packages can obviously cause clashes when installing
other RH updates (at least RPM is clever enough not to try installing
Postfix 2.3 patches when it finds 2.5 already installed).
  


Urm... add Postfix to your yum excludes file and the problem goes away.

--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: We are a 100% Microsoft Shop



Re: Header Check Assistance

2009-05-14 Thread mouss
Drew Tomlinson wrote:
 Is there some rule about submitting questions with the string Help in
 the subject?  I've tried posting the following note with the subject of
 Help With header_checks and received a bounce message indicating this
 error:
 
 BOUNCE postfix-users@postfix.org:  Admin request: /^subject:\s*help\b/i
 
 
 I'm using postfix 2.5.6,1 and have been using postfix for a long time. 
 In older versions, to perform header checks, I had a text file and would
 then have to run postmap to create the header_check.db file.  Is this
 step no longer required?  When running 'postmap header_checks', I get
 lots of warning about duplicate entry.  Here's an example:
 
 postmap: warning: header_checks.db: duplicate entry: /^from:
 postmap: warning: header_checks, line 91: record is in key: value
 format; is this an alias file?
 
 Also, I am attempting to reject some mail based upon the Received:
 header.  Specifically, I have lines such as this in my header_checks:
 
 /^Received: .*mycouponsavingsmail/REJECT 550
 

missing space before REJECT.

but why do you use header_checks for this? check_client_access is better.

...
check_client_access cidr:/etc/postfix/access_client.cidr

== access_client.cidr:
24.155.144.16/28    REJECT spammy network (Targetmail)
24.155.144.32/28    REJECT spammy network (Targetmail)

and/or

...
check_client_access hash:/etc/postfix/access_client

== access_client:
mycouponsavingsmail.com     REJECT spammy network (Targetmail)
.mycouponsavingsmail.com    REJECT spammy network (Targetmail)

but you'll have a lot of work to track the domain names. See if uribl is
good for you...

 Yet I still receive mail with this in the header:
 
 Received: from mail4.mycouponsavingsmail.com
 (mail4.mycouponsavingsmail.com [24.155.144.19])
 
 Any ideas on what I'm missing?  I do have this line in my main.cf:
 
 header_checks = regexp:/usr/local/etc/postfix/header_checks
 
 Thanks,
 
 Drew
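To see why mouss points at check_client_access rather than header_checks: the access tables match on the connecting SMTP client's address and reverse name, not on a Received: header. The following is an added example, not Postfix code and not part of the reply; it reproduces the lookup order of cidr_table(5) (first match in file order) and access(5) (exact client name, then parent domains, then the client IP and its shorter prefixes) as the author of this example reads those pages, and evaluates the two tables above against the client from Drew's Received: line (mail4.mycouponsavingsmail.com [24.155.144.19]). It goes one step beyond the reply by also showing the IP-prefix keys a hash: table is probed with.

```python
"""Lookup semantics of Postfix check_client_access for cidr: and hash: tables.

Added example, not Postfix code: the two tables are the ones from the
reply above; the matching order follows cidr_table(5) and access(5).
"""
import ipaddress

CIDR_TABLE = """\
# access_client.cidr (from the reply above)
24.155.144.16/28  REJECT spammy network (Targetmail)
24.155.144.32/28  REJECT spammy network (Targetmail)
"""

HASH_TABLE = """\
# access_client (from the reply above; both key forms listed)
mycouponsavingsmail.com   REJECT spammy network (Targetmail)
.mycouponsavingsmail.com  REJECT spammy network (Targetmail)
"""


def parse_table(text):
    """Parse 'key  action [text]' lines; comments and blank lines skipped.
    Keys are lower-cased (Postfix lookups are case-insensitive)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        rows.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return rows


def cidr_lookup(rows, client_ip):
    """cidr: tables are scanned in order; the first containing block wins."""
    addr = ipaddress.ip_address(client_ip)
    for key, action in rows:
        if addr in ipaddress.ip_network(key, strict=False):
            return action
    return None


def hash_lookup_keys(client_ip, client_name, subdomains_match=True):
    """Keys a hash: table is probed with, most specific first.
    subdomains_match mirrors parent_domain_matches_subdomains listing
    smtpd_access_maps (the default): parent domains are probed without a
    leading dot; otherwise with one. A client whose reverse lookup failed
    is 'unknown' and gets no name-based keys at all."""
    keys = []
    if client_name and client_name != "unknown":
        labels = client_name.lower().split(".")
        keys.append(".".join(labels))
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            keys.append(parent if subdomains_match else "." + parent)
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):       # 1.2.3.4, 1.2.3, 1.2, 1
        keys.append(".".join(octets[:n]))
    return keys


def hash_lookup(rows, client_ip, client_name, subdomains_match=True):
    table = dict(rows)
    for key in hash_lookup_keys(client_ip, client_name, subdomains_match):
        if key in table:
            return table[key]
    return None


def check_client_access(client_ip, client_name):
    """Apply the cidr: restriction, then the hash: one, in the order the
    reply lists them. None means neither table matched, so Postfix would
    move on to the next restriction."""
    result = cidr_lookup(parse_table(CIDR_TABLE), client_ip)
    if result is None:
        result = hash_lookup(parse_table(HASH_TABLE), client_ip, client_name)
    return result


if __name__ == "__main__":
    # The client taken from the Received: header in the question.
    print(check_client_access("24.155.144.19", "mail4.mycouponsavingsmail.com"))
    print(check_client_access("24.155.144.50", "unknown"))
```

The "unknown" case is the one to remember when maintaining the hash: table: a sender whose reverse DNS is broken never hits the domain-name entries, which is part of why mouss expects the name list to be more work than the CIDR list.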
 



Re: Postfix-2.6.0 RPM

2009-05-14 Thread Stefan Jakobs
On Thursday, 14 May 2009 09:54:56 Corey Chandler wrote:
 MacShane, Tracy wrote:
snip
  The OS administrators do not permit GCC and
  devel libraries on the SMTP servers I maintain (and fair enough).

 Nor should they-- this is what a staging environment is for.  Build it
 on a staging box, test the heck out of it, and then push the binaries
 out to the production farm.

Ehm, isn't that why you use RPM? You compile the binaries and build the 
package on a compatible system. With the package you have an easy way to 
distribute the binaries.

  Also,
  installing non-RPM packages can obviously cause clashes when installing
  other RH updates (at least RPM is clever enough not to try installing
  Postfix 2.3 patches when it finds 2.5 already installed).

 Urm... add Postfix to your yum excludes file and the problem goes away.

Postfix provides an MTA which is a quite important part of a *nix system. To 
remove the MTA package from system breaks a lot of dependencies. To avoid that 
you install your own package.

Greetings
Stefan 






Re: Postfix-2.6.0 RPM

2009-05-14 Thread Barney Desmond
2009/5/14 Victor Duchovni victor.ducho...@morganstanley.com:
 If the purpose of using RPM files is to facilitate binary updates from
 distribution servers, wait until *your distribution* upgrades to a newer
 supported version of Postfix.

 If you incorporate your own Postfix into your O/S, why download some
 random stranger's binary RPM?

 Is there a real use case for binary RPMs not maintained by the
 distribution release engineering teams? What's wrong with the Postfix
 source, which is typically less likely to have ill-advised patches
 dropped into it?

Sure; as people have already said, some vendors (cough, Redhat) don't
really keep up to date. I haven't checked all their release channels
on offer, but the core set of packages only includes Postfix 2.3.3.
*And* it doesn't come with mysql/pgsql map support. This is when you
go and get the package from the Centos-plus channel and then tell yum
to ignore Redhat updates to Postfix so it doesn't clobber your working
setup one day...

So your real question is probably, why not just use Postfix's
source?. I can only speak for myself and my employer, but we maintain
a lot of diverse systems, so we're a bit allergic to non-packaged
software, no matter how easy it is to maintain (I've never used
non-packaged Postfix, maybe it's really easy to maintain, but that's
not the point). Packaged software is basically a requirement for
sysadmin sanity. We could produce packaged versions of Postfix from
source and put them in our internal repo, but we just don't have the
time and resources to keep on top of updates and whatnot.

I suspect people want something like DAG (http://dag.wieers.com/rpm/).
Unfortunately for them, they don't have Postfix because everyone's
already got it, just not the cutting edge. Fedora 10 is up to Postfix
2.5.5, I figure they'll have Postfix 2.6 in the next major version
release. Which is like, every fortnight, right? :)


Corey:
 I'm running the same Postfix config I built years ago under probably
 2.2 or 2.3.  Is there a document somewhere or a process by which I
 can modernize the config?  Periodically I'll be told that a line I'm
 using is deprecated by something newer, and I'd like to get with the times...

Sure, you probably want upgrade-configuration, see `man 1 postfix`


Re: Postfix-2.6.0 RPM

2009-05-14 Thread Kaj Niemi


On May 14, 2009, at 02:03, Victor Duchovni wrote:


Is there a real use case for binary RPMs not maintained by the
distribution release engineering teams? What's wrong with the Postfix
source, which is typically less likely to have ill-advised patches
dropped into it?



A bit off topic already but some organisations find it easier to pack  
everything up in rpms, debs or pkgs and then deploy than compiling  
using two of the most common deployment methods: compile and install  
blindly or alternatively compile, tar it and then deploy. :)  
Especially on RedHat platforms deploying everything in rpm format is  
very convenient, makes for good bookkeeping and preserves any  
dependencies on other applications even across upgrades as long as you  
do it correctly.




Kaj
--
Kaj J. Niemi
kaj...@basen.net
FI +358 45 63 12000
KSA +966 54 52 43277







Re: Postfix-2.6.0 RPM

2009-05-14 Thread Kaj Niemi

Hi,

On May 14, 2009, at 01:07, Just E. Mail wrote:

I noticed that Postfix V#2.6.0 is now out. Does anybody know where  
to get RPM files? GOOGLE did not help.



The SRPM from Fedora should compile fine on at least EL4 and EL5. I  
suggest you download it and build it yourself instead of downloading  
blindly someone else's pre-compiled one.




Kaj
--
Kaj J. Niemi
kaj...@basen.net
FI +358 45 63 12000
KSA +966 54 52 43277







Re: Postfix-2.6.0 RPM

2009-05-14 Thread Kaj Niemi


On May 14, 2009, at 12:25, Barney Desmond wrote:


Sure; as people have already said, some vendors (cough, Redhat) don't
really keep up to date. I haven't checked all their release channels
on offer, but the core set of packages only includes Postfix 2.3.3.
*And* it doesn't come with mysql/pgsql map support. This is when you
go and get the package from the Centos-plus channel and then tell yum
to ignore Redhat updates to Postfix so it doesn't clobber your working
setup one day...


Typically software coming from the base operating system is not always  
the one you want to use IF you happen to be in a very specialized  
environment. For most people postfix 2.3.3 with RHEL will be  
completely fine for the entire lifetime of that particular server and  
they most likely won't miss mysql or postgresql support either. ;-)  
With RHEL you're paying for stability and continuity over a longer  
time period - not for the latest and greatest snapshot with a specific  
feature at any point in time. :-) RHEL6, when it eventually arrives,  
will most likely have a later version of postfix just like RHEL5  
(2.3.3) has a more recent version than RHEL4 (2.2.10). See http://www.redhat.com/security/updates/errata/ 
 for info on the life cycle and erratas (updates).



sysadmin sanity. We could produce packaged versions of Postfix from
source and put them in our internal repo, but we just don't have the
time and resources to keep on top of updates and whatnot.


We do this and have done so for the last 8 years.



Kaj
--
Kaj J. Niemi
kaj...@basen.net
FI +358 45 63 12000
KSA +966 54 52 43277







problem with smtpd_milter and header_checks

2009-05-14 Thread Jiri Veselsky

Hello all. (First, sorry for my English.)
I have a small (big) problem configuring Postfix to drop messages with
header_checks.

In main.cf I have:
smtpd_milters = local:/./clamav-milter.sock  
local:/./spamass-milter.sock

milter_default_action = accept

If I receive a message from the internet, in the headers there are rows from the milters:

X-Virus-Scanned: clamav-milter 0.95.1 at ...
X-Virus-Status: Clean
X-Spam-Flag: YES
X-Spam-Status: Yes, score=11.6 required=7.0...
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...

I think that the milters work correctly. I saved the message as message.txt for
testing.


The next row in main.cf is:
header_checks = regexp:/usr/local/etc/postfix/header_checks

In the header_checks file is:
/^X-Spam-Status: Yes/ DISCARD

I test it:
postmap -q - regexp:/usr/local/etc/postfix/header_checks < message.txt

I think that header_checks works, because it shows the row:
X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD

In master.cf I configured cleanup with -v and I read the log, but the rows
X-Virus... and X-Spam are not in the log; that is (I mean) why cleanup does not
drop the messages.


Does anyone have an idea? Are the milters after cleanup?

Thanks

Jirka


postfix sasl (dovecot) works no more

2009-05-14 Thread wiseadmin
Hello everybody,
I am running FreeBSD with postfix (2.6.0-RC2) and dovecot (1.1.11).
There are virtual domains and users and postfix authenticates users
using sasl and dovecot.
Today I've performed a server upgrade (portupgrade -arRv) and sasl
authentication works no more. It worked for the last 4 months without
problems. I've made no modification to any config file.

In postfix logs I get

May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to
smtpd failed: No such file or directory
May 14 14:35:11 softexp postfix/smtpd[8378]: fatal: no SASL
authentication mechanisms

postfix is running, dovecot is running, saslauthd is running.

For me everything seems ok, what file or directory has been changed and
can not be found anymore?

Please help me if you can, this is a production server.


postconf -n
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = softexp.ro
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = no
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
myhostname = mail.softexp.ro
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname permit
smtpd_recipient_restrictions = reject_non_fqdn_sender
reject_non_fqdn_recipient permit_mynetworks  permit_sasl_authenticated 
reject_unauth_destination reject_sender_login_mismatch
reject_invalid_hostname  reject_unknown_recipient_domain
reject_unverified_recipient check_sender_access
hash:/usr/local/etc/postfix/access_sender check_helo_access
pcre:/usr/local/etc/postfix/helo_checks  reject_unknown_sender_domain
reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender   
dsn.rfc-ignorant.org  permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_non_fqdn_sender, permit
soft_bounce = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/valias.txt
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/spool/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/vhost.txt
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps.txt
virtual_uid_maps = static:1000


dovecot -n
# 1.1.11: /usr/local/etc/dovecot.conf
# OS: FreeBSD 7.0-RELEASE amd64  ufs
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.info
protocols: imap imaps pop3 pop3s
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_greeting_capability(default): yes
login_greeting_capability(imap): yes
login_greeting_capability(pop3): no
verbose_proctitle: yes
first_valid_uid: 1000
first_valid_gid: 1000
mail_privileged_group: mail
mail_location: maildir:/var/spool/vmail/%d/%n
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
imap_client_workarounds(default): delay-newmail netscape-eoh
tb-extra-mailbox-sep
imap_client_workarounds(imap): delay-newmail netscape-eoh
tb-extra-mailbox-sep
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  username_format: %Lu
  passdb:
    driver: pam
    args: session=yes dovecot
  passdb:
    driver: passwd-file
    args: /usr/local/etc/dovecot_passwd
  userdb:
    driver: passwd
    args: blocking=yes
  userdb:
    driver: passwd-file
    args: /usr/local/etc/dovecot_users
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384


Many thanks


Re: problem with smtpd_milter and header_checks

2009-05-14 Thread Wietse Venema
Please include postconf -n command output in problem reports,
as requested in the mailing list welcome message.


Re: postfix sasl (dovecot) works no more

2009-05-14 Thread Wietse Venema
wiseadmin:
 Hello everybody,
 I am running FreeBSD with postfix (2.6.0-RC2) and dovecot (1.1.11).
 There are virtual domains and users and postfix authenticates users
 using sasl and dovecot.
 Today I've performed a server upgrade (portupgrade -arRv) and sasl
 authentication works no more. It worked for the last 4 months without

Restore the old software on the production machine, and debug the
new software on a test machine.

Wietse


Re: problem with smtpd_milter and header_checks

2009-05-14 Thread Robert Schetterer
Jiri Veselsky wrote:
 Hello all. (First, sorry for my English.)
 I have a small (big) problem configuring Postfix to drop messages
 with header_checks.
 In main.cf I have:
 smtpd_milters = local:/./clamav-milter.sock
 local:/./spamass-milter.sock
 milter_default_action = accept
 
 If I receive a message from the internet, in the headers there are rows from the milters:
 
 X-Virus-Scanned: clamav-milter 0.95.1 at ...
 X-Virus-Status: Clean
 X-Spam-Flag: YES
 X-Spam-Status: Yes, score=11.6 required=7.0...
 X-Spam-Level: ***
 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...
 
 I think that the milters work correctly. I saved the message as message.txt for
 testing.
 
 The next row in main.cf is:
 header_checks = regexp:/usr/local/etc/postfix/header_checks
 
 In the header_checks file is:
 /^X-Spam-Status: Yes/ DISCARD

You shouldn't discard mail only because it was flagged by spamassassin;
this is not allowed, i.e. in Germany by law, if you do this for customers.

Use hold (for manual inspection) or tell spamass-milter to reject them
at the smtp incoming level.
Additionally you may load the sanesecurity spam signatures into clamd/clamav-milter
and reject or hold them at the smtp incoming level.


 
 I test it:
 postmap -q - regexp:/usr/local/etc/postfix/header_checks < message.txt
 
 I think that header_checks works, because it shows the row:
 X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD
 
 In master.cf I configured cleanup with -v and I read the log, but the rows
 X-Virus... and X-Spam are not in the log; that is (I mean) why cleanup does
 not drop the messages.
 
 Does anyone have an idea? Are the milters after cleanup?
 
 Thanks
 
 Jirka


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: problem with smtpd_milter and header_checks

2009-05-14 Thread Jiri Veselsky

Sorry, here is output:

alias_database = dbm:/etc/mail/aliases.db
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = x.x.x.x, 127.0.0.1, 10.1.3.254
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
milter_default_action = accept
mydestination = $mydomain
mydomain = joe.xxx.xxx
myhostname = joe.xxx.xxx
mynetworks = 127.0.0.0/8, 10.1.0.0/22
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_milters = local:/var/run/clamav/clamav-milter.sock  
local:/var/run/spamass-milter.sock
smtpd_recipient_restrictions = reject_non_fqdn_recipient 
permit_sasl_authenticated   permit_mynetworks
reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender   
permit_mynetworks   reject_rbl_client sbl-xbl.spamhaus.org   
reject_rbl_client cbl.abuseat.org   reject_rbl_client dul.dnsbl.sorbs.net
reject_unknown_sender_domain

transport_maps = mysql:/usr/local/etc/postfix/virtual_transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/usr/local/etc/postfix/virtual_aliases.cf
virtual_gid_maps = mysql:/usr/local/etc/postfix/virtual_gids.cf
virtual_mailbox_base = /
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/virtual_domains.cf
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/virtual_mailboxes.cf
virtual_uid_maps = mysql:/usr/local/etc/postfix/virtual_uids.cf


Re: problem with smtpd_milter and header_checks

2009-05-14 Thread Jiri Veselsky


You shouldn't discard mail only because it was flagged by spamassassin;
this is not allowed, i.e. in Germany by law, if you do this for customers.

Use hold (for manual inspection) or tell spamass-milter to reject them
at the smtp incoming level.
Additionally you may load the sanesecurity spam signatures into clamd/clamav-milter
and reject or hold them at the smtp incoming level.


I do it for our company, and the top managers say to drop every email with spam
level 7 or higher.

I am a small man, I do what the managers say :-(

J.


Problem with some user sometimes

2009-05-14 Thread Esteban Torres Rodriguez
I have a problem with some users. These users sometimes receive this email:

A message that you send could not be delivered to one or more of its
recipients.

And sometimes they send email correctly, no problem.

How do I control that?

-- 




RE: Postfix-2.6.0 RPM

2009-05-14 Thread Brian Collins
 I noticed that Postfix V#2.6.0 is now out. Does anybody know where to
 get RPM files? GOOGLE did not help.

Simon Mudd picks up the releases and makes good source and binary RPMs from
them with lots of options.  However, he's a busy man and does not always get
to them right after release.  A kindly-worded email to him might yield you
an estimate of when he'll get to 2.6.

But certainly don't expect the big Linux package-based releases to make RPMs
of their own any time soon - Red Hat 5.3 ships with 2.3.

--Brian




RE: Postfix-2.6.0 RPM

2009-05-14 Thread Brian Collins
 Is there a real use case for binary RPMs not maintained by the
 distribution release engineering teams? What's wrong with the Postfix
 source, which is typically less likely to have ill-advised patches
 dropped into it?

Because those of us who run package-based systems find things work better
when we have Postfix in a package as well.  This is rarely a problem for me
on CentOS/RHEL systems, because I get Simon's source, set the options I
want, and compile my own.  Simon does a great job of keeping his source RPMs
as close to vanilla as possible, and I don't really need the latest version
on most of my systems.  Red Hat, on the other hand, has been known to
patch Postfix to the point of frustrating admins.  In addition, they are,
as someone already pointed out, several revisions back.  Looks like Fedora
11 is currently at 2.5, though.

--Brian




Re: Problem with some user sometimes

2009-05-14 Thread Magnus Bäck
On Thu, May 14, 2009 2:20 pm, Esteban Torres Rodriguez said:

 I have a problem with some users. These users sometimes receive this email:

 A message that you send could not be delivered to one or more of its
 recipients.

 And sometimes they send email correctly, no problem.

 How do I control that?

Are the bounce messages he receives a result of messages he has sent via
your server?

If so, he may be the victim of backscatter.

http://www.postfix.org/BACKSCATTER_README.html

If not, we need to see the corresponding Postfix log (or in worst case the
bounce message) and your configuration as requested in the list
introduction message.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: problem with smtpd_milter and header_checks

2009-05-14 Thread Wietse Venema
Jiri Veselsky:
[ Charset ISO-8859-2 unsupported, converting... ]
 Hello all. (First, sorry for my English.)
 I have a small (big) problem configuring Postfix to drop messages with
 header_checks.
 In main.cf I have:
 smtpd_milters = local:/./clamav-milter.sock
 local:/./spamass-milter.sock
 milter_default_action = accept
 
 If I receive a message from the internet, in the headers there are rows from the milters:
 
 X-Virus-Scanned: clamav-milter 0.95.1 at ...
 X-Virus-Status: Clean
 X-Spam-Flag: YES
 X-Spam-Status: Yes, score=11.6 required=7.0...
 X-Spam-Level: ***
 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...
 
 I think that the milters work correctly. I saved the message as message.txt for
 testing.
 
 The next row in main.cf is:
 header_checks = regexp:/usr/local/etc/postfix/header_checks
 
 In the header_checks file is:
 /^X-Spam-Status: Yes/ DISCARD
 
 I test it:
 postmap -q - regexp:/usr/local/etc/postfix/header_checks < message.txt
 
 I think that header_checks works, because it shows the row:
 X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD
 
 In master.cf I configured cleanup with -v and I read the log, but the rows
 X-Virus... and X-Spam are not in the log; that is (I mean) why cleanup does not
 drop the messages.
 
 Does anyone have an idea? Are the milters after cleanup?

Postfix header_checks happen while mail is received.

Milters can add headers only after the end of the email message is
received. That is a feature of the Milter protocol.

The Milter protocol has a DISCARD feature. If you can configure
your application to send SMFIR_DISCARD into Postfix then you are
done.

On the other hand, if header_checks are the only way, it will take
new code (not happening soon) or extra configuration (see example
below).

No code has been written to apply header_checks and body_checks
when Milters add or modify the message content. The question has
never come up, so that could be called an oversight. I don't have
much time to write new code soon, so the next option is better.

You can work around this with a null content filter (Postfix
SMTP client talking directly to Postfix SMTP server on port
10025). Below is a basic example; the text in FILTER_README
provides configurations with more bells and whistles.

/etc/postfix/master.cf:
1  # 
2  # service type  private unpriv  chroot  wakeup  maxproc command + args
3  #   (yes)   (yes)   (yes)   (never) (100)
4  # 
5  smtp  inet  n   -   n   -   -   smtpd
6  -o content_filter=smtp:127.0.0.1:10025
7  127.0.0.1:10025 inet  n -   n   -   -   smtpd
8  -o content_filter=

Line 5-6: this is the Internet-facing SMTP server. We add a content
filter setting that sends mail into localhost port 10025.

Line 7-8: this is an internal SMTP server that receives mail with
the Milter-added headers. This is then subject to header_checks
in the way that you expect it to work. For safety it kills off
any content_filter settings from main.cf.

Wietse


Re: postfix sasl (dovecot) works no more

2009-05-14 Thread Sahil Tandon

On May 14, 2009, at 7:40 AM, wiseadmin wisead...@gmail.com wrote:


Hello everybody,
I am running FreeBSD with postfix (2.6.0-RC2) and dovecot (1.1.11).
There are virtual domains and users and postfix authenticates users
using sasl and dovecot.
Today I've performed a server upgrade (portupgrade -arRv) and sasl
authentication works no more. It worked for the last 4 months without
problems. I've made no modification to any config file.

In postfix logs I get

May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to
smtpd failed: No such file or directory
May 14 14:35:11 softexp postfix/smtpd[8378]: fatal: no SASL
authentication mechanisms

postfix is running, dovecot is running, saslauthd is running


Why dovecot AND saslauthd?


Re: problem with smtpd_milter and header_checks

2009-05-14 Thread Jiri Veselsky

Postfix header_checks happen while mail is received.

Milters can add headers only after the end of the email message is
received. That is a feature of the Milter protocol.

The Milter protocol has a DISCARD feature. If you can configure
your application to send SMFIR_DISCARD into Postfix then you are
done.

On the other hand, if header_checks are the only way, it will take
new code (not happening soon) or extra configuration (see example
below).

No code has been written to apply header_checks and body_checks
when Milters add or modify the message content. The question has
never come up, so that could be called an oversight. I don't have
much time to write new code soon, so the next option is better.

You can work around this with a null content filter (Postfix
SMTP client talking directly to Postfix SMTP server on port
10025). Below is a basic example; the text in FILTER_README
provides configurations with more bells and whistles.

/etc/postfix/master.cf:
1  # 
2  # service type  private unpriv  chroot  wakeup  maxproc command + args
3  #   (yes)   (yes)   (yes)   (never) (100)
4  # 
5  smtp  inet  n   -   n   -   -   smtpd
6  -o content_filter=smtp:127.0.0.1:10025
7  127.0.0.1:10025 inet  n -   n   -   -   smtpd
8  -o content_filter=

Line 5-6: this is the Internet-facing SMTP server. We add a content
filter setting that sends mail into localhost port 10025.

Line 7-8: this is an internal SMTP server that receives mail with
the Milter-added headers. This is then subject to header_checks
in the way that you expect it to work. For safety it kills off
any content_filter settings from main.cf.

Wietse



Many thanks, I try it...

J.


Re: Postfix-2.6.0 RPM

2009-05-14 Thread Ralf Hildebrandt
* Brian Collins lis...@newnanutilities.org:
  I noticed that Postfix V#2.6.0 is now out. Does anybody know where to
  get RPM files? GOOGLE did not help.
 
 Simon Mudd picks up the releases and makes good source and binary RPMs from
 them with lots of options.  However, he's a busy man and does not always get
 to them right after release.  A kindly-worded email to him might yield you
 an estimate of when he'll get to 2.6.

He's a bit busy right now due to family issues.

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
It's always nice to see USA set the edgy standards. First for
freedom, then for the police state.


Re: postfix sasl (dovecot) works no more

2009-05-14 Thread Wietse Venema
wiseadmin:
 May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to
 smtpd failed: No such file or directory

You need to update your main.cf:smtpd_sasl_path setting and specify
the location of the socket that the Dovecot server listens on.

For example, when dovecot.conf says:

socket listen {
...
path = /var/spool/postfix/private/auth
...

Then main.cf would say:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Wietse


Re: Postfix-2.6.0 RPM

2009-05-14 Thread Roderick A. Anderson

Ralf Hildebrandt wrote:

* Brian Collins lis...@newnanutilities.org:

I noticed that Postfix V#2.6.0 is now out. Does anybody know where to
get RPM files? GOOGLE did not help.

Simon Mudd picks up the releases and makes good source and binary RPMs from
them with lots of options.  However, he's a busy man and does not always get
to them right after release.  A kindly-worded email to him might yield you
an estimate of when he'll get to 2.6.


He's a bit busy right now due to family issues.


Sorry to hear that but in the mean time you can grab .src.rpm for a 
prior release, the tarball for the current release and modify the .spec 
file to reflect this.


As mentioned in an earlier message Simon's RPMs are built as simply as 
possible so can be handled this way.



\\||/
Rod
--



Re: Need To Reject Inbound From Addresses with My Own Domain/s

2009-05-14 Thread Noel Jones

wiskbr...@hotmail.com wrote:

Recently I've been getting a ton of email for a new domain we've registered and 
have begun receiving email for.  Our users in this new domain are either

1. receiving email with a From address identical to their own, or
2. receiving email with a From address of one of our other three domains, none 
of the emails are valid and the real sender is sending the email from the 
internet and through an external postfix gateway/relay box.

Here is a sample of my main.cf:

smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
check_sender_access dbm:/etc/postfix/blocked_senders,
reject_rbl_client CLIENT-LICENSE.mail-abuse.com

Here are the contents of my /etc/postfix/blocked_senders file:

operator#...@somephishingbanksite\.com REJECT


The above line is the wrong syntax and will never match 
anything.  Wildcards are not allowed in dbm or other indexed 
files, and quotes should never be used.



mydomain.com   554 mydomain.com sender? But you're not in my network ...


Yes, this will reject your own domain when used outside 
$mynetworks.


  -- Noel Jones


RE: Need To Reject Inbound From Addresses with My Own Domain/s

2009-05-14 Thread wiskbroom


 Here are the contents of my /etc/postfix/blocked_senders file:

 operator#...@somephishingbanksite\.com REJECT

 The above line is the wrong syntax and will never match
 anything. Wildcards are not allowed in dbm or other indexed
 files, and quotes should never be used.

I am almost certain that it has already worked in the past, I'll check. 
Otherwise, any suggestions for where and how to implement such a rule?

 mydomain.com 554 mydomain.com sender? But you're not in my network ...

 Yes, this will reject your own domain when used outside
 $mynetworks.

Awesome, I've just implemented this and it's thus far working like a charm!  (I 
was afraid to roll it out...)

.vp



Re: problem with smtpd_milter and header_checks

2009-05-14 Thread Robert Schetterer
Jiri Veselsky schrieb:

 you shouldn't discard mail only because it is flagged by spamassassin;
 this is not allowed, i.e. in Germany, by law, if you do this for customers

 use hold (for manual inspection) or tell spamass-milter to reject them
 at SMTP income level
 additionally you may load the sanesecurity spam sigs into clamd/clamav-milter
 and reject or hold them at SMTP income level


 I do it for our company and the top managers say drop every email with
 spam level 7 or higher
 I am a small man, I do what the managers say :-(
 
 J.

Yep, do this with reject, i.e. spamass-milter -r 7.
Why search for other solutions if the right one is already there
and you already have spamass-milter set up?

SpamAssassin Sendmail Milter Plugin

Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
  [-e defaultdomain] [-f] [-i networks] [-m] [-M]
  [-P pidfile] [-r nn] [-u defaultuser] [-x] [-a]
  [-- spamc args ]
   -p socket: path to create socket
 -a: don't scan messages over an authenticated connexion.
   -b bucket: redirect spam to this mail address.  The orignal
  recipient(s) will not receive anything.
   -B bucket: add this mail address as a BCC recipient of spam.
   -d xx[,yy ...]: set debug flags.  Logs to syslog
   -D host: connect to spamd at remote host (deprecated)
   -e defaultdomain: pass full email address to spamc instead of just
  username.  Uses 'defaultdomain' if there was none
   -f: fork into background
   -i: skip (ignore) checks from these IPs or netblocks
  example: -i 192.168.12.5,10.0.0.0/8,172.16.0.0/255.255.0.0
   -m: don't modify body, Content-type: or Subject:
   -M: don't modify the message at all
   -P pidfile: Put processid in pidfile
   -r nn: reject messages with a score >= nn with an SMTP error.
  use -1 to reject any messages tagged by SA.
   -u defaultuser: pass the recipient's username to spamc.
  Uses 'defaultuser' if there are multiple recipients.
   -x: pass email address through alias and virtusertable expansion.
   -- spamc args: pass the remaining flags to spamc.



-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Header Check Assistance

2009-05-14 Thread Drew Tomlinson

mouss wrote:

Drew Tomlinson wrote:
  

Is there some rule about submitting questions with the string Help in
the subject?  I've tried posting the following note with the subject of
Help With header_checks and received a bounce message indicating this
error:

BOUNCE postfix-users@postfix.org:  Admin request: /^subject:\s*help\b/i


I'm using postfix 2.5.6,1 and have been using postfix for a long time. 
In older versions, to perform header checks, I had a text file and would

then have to run postmap to create the header_check.db file.  Is this
step no longer required?  When running 'postmap header_checks', I get
lots of warning about duplicate entry.  Here's an example:

postmap: warning: header_checks.db: duplicate entry: /^from:
postmap: warning: header_checks, line 91: record is in key: value
format; is this an alias file?

Also, I am attempting to reject some mail based upon the Received:
header.  Specifically, I have lines such as this in my header_checks:

/^Received: .*mycouponsavingsmail/REJECT 550




missing space before REJECT.
  

Thank you.  I knew it was something simple.  :)


but why do you use header_checks for this? check_client_access is better.
  


I have no preference for header_checks.  What makes client_access 
better?  Is it less expensive?



...
check_client_access cidr:/etc/postfix/access_client.cidr

==> access_client.cidr:
24.155.144.16/28    REJECT spammy network (Targetmail)
24.155.144.32/28    REJECT spammy network (Targetmail)

and/or

...
check_client_access hash:/etc/postfix/access_client

==> access_client:
mycouponsavingsmail.com     REJECT spammy network (Targetmail)
.mycouponsavingsmail.com    REJECT spammy network (Targetmail)

but you'll have a lot of work to track the domain names. See if uribl is
good for you...
  


Yes, I'm using several blacklists.  But recently I'm getting a bunch of 
spam from a few domains and wanted to block it.


Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com 



Re: Proxying a policy service

2009-05-14 Thread J Sloan
Geert Hendrickx wrote:

 What drawbacks did you experience?  We run a local policyd instance on each
 postfix server too, all connecting to a central (not replicated) MySQL.
 Policyd's behaviour when MySQL becomes unavailable is configurable, it can
 either tempfail (4xx) all incoming e-mail or dunno it.
   
Yes, that is the benefit of doing it that way. But we experienced
problems with recurring corruption of the isam tables when the network
connections to the db server were interrupted. Apparently myisam tables
don't deal well with interrupted connections, from what I found on google.

At any rate, once we moved policyd to the same host as the mysql
database, the corruption issue disappeared permanently, but we have the
different issue of smtp transactions failing whenever there are
connectivity glitches.

I'm going to try out hapolicy first, since it's quite a bit quicker and
cheaper to set up than full blown mysql replication.
Joe



Re: Postfix-2.6.0 RPM

2009-05-14 Thread J Sloan
Roderick A. Anderson wrote:

 Sorry to hear that but in the mean time you can grab .src.rpm for a
 prior release, the tarball for the current release and modify the
 .spec file to reflect this.
I've been doing this for our smtp servers for some time. The suse
factory postfix srpm compiles nicely on SLES and is usually fairly
current, but if need be, as mentioned above, it's not too difficult to
drop in a newer tarball from postfix.org and tweak the spec file before
rebuilding.

Joe



not sure why this is getting through

2009-05-14 Thread Joey
Hello All,

I am receiving messages from people faking like they are from our domain,
when looking in the headers I see this:

Received-SPF: permerror (mydomain.com: Junk encountered in mechanism
'+ptr:')

Read this on the spf site:

"If the permerror occurred because an SPF publisher uses a mechanism not
understood by an SPF client and the receiver does not reject the message due
to the permerror, that mechanism should be provided in the header
immediately following the permerror. That way, the information is
available to the end user to support troubleshooting."

Not sure I know how to resolve this, any help appreciated!

Joey


Re: Need To Reject Inbound From Addresses with My Own Domain/s

2009-05-14 Thread Noel Jones

wiskbr...@hotmail.com wrote:



Here are the contents of my /etc/postfix/blocked_senders file:

operator#...@somephishingbanksite\.com REJECT

The above line is the wrong syntax and will never match
anything. Wildcards are not allowed in dbm or other indexed
files, and quotes should never be used.


I am almost certain that it has already worked in the past, I'll check. 
Otherwise, any suggestions for where and how to implement such a rule?


Here's an example using a regexp table instead of the dbm 
table for those two statements.  It's also acceptable to use 
multiple check_sender_access statements if that fits your 
needs better.


# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  check_sender_access regexp:/etc/postfix/senders.pcre
  ... other stuff ...


# senders.pcre
/operator#...@somephishingbanksite\.com$/  REJECT phishing
/@mydomain\.com$/   554 mydomain.com sender? But you're not!

Note that you do not postmap regexp or pcre files.

  -- Noel Jones


Re: Proxying a policy service

2009-05-14 Thread Geert Hendrickx
On Thu, May 14, 2009 at 10:15:07AM -0700, J Sloan wrote:
 Yes, that is the benefit of doing it that way. But we experienced problems
 with recurring corruption of the isam tables when the network connections
 to the db server were interrupted. Apparently myisam tables don't deal well
 with interrupted connections, from what I found on google.


FWIW, policyd v2 uses innodb.


Geert


-- 
Geert Hendrickx  -=-  g...@telenet.be  -=-  PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!


Re: Proxying a policy service

2009-05-14 Thread J Sloan
Geert Hendrickx wrote:
 On Thu, May 14, 2009 at 10:15:07AM -0700, J Sloan wrote:
   
 Yes, that is the benefit of doing it that way. But we experienced problems
 with recurring corruption of the isam tables when the network connections
 to the db server were interrupted. Apparently myisam tables don't deal well
 with interrupted connections, from what I found on google.
 


 FWIW, policyd v2 uses innodb.
   

That is true - however, policyd v1 is a very efficient compiled c
program which runs for months with no hiccups or memory leaks, and we're
understandably a bit hesitant to move to a perl script.

Joe





Re: postfix sasl (dovecot) works no more

2009-05-14 Thread wiseadmin
Thank you Wietse!
Unfortunately it doesn't work :(
In dovecot.conf the socket is /var/run/dovecot/auth-master
When I added it in main.cf I got permission denied (it has 600 and
root:wheel). I changed the permission to 666 (this is not ok, but I only
wanted to see if it works) and now I get in the logs only "fatal: no SASL
authentication mechanisms".
I don't know what else to do. Someone said something about smtpd.conf.
The file is in /usr/lib/sasl2/smtpd.conf and in /usr/lib/sasl2 and its
content is:
log_level:3
pwcheck_method: saslauthd
mech_list: plain login


What is frustrating is that the server worked for many months. I tried a
downgrade of postfix and I get the same error. Maybe it is not from
postfix but from dovecot or saslauthd.

If someone knows what I should do, please advise me. I'm stuck and I
don't know what to do.

Thank you

 
Wietse Venema wrote:
 You need to update your main.cf:smtpd_sasl_path setting and specify
 the location of the socket that the Dovecot server listens on.

 For example, when dovecot.conf says:

 socket listen {
   ...
   path = /var/spool/postfix/private/auth
   ...

 Then main.cf would say:

 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth

   Wietse

   


Re: postfix sasl (dovecot) works no more

2009-05-14 Thread wiseadmin




I think the problem is deeper.
The 25/tcp port is open but I can't EHLO the server.

[...@toshiba ~]$ telnet server_domain 25
Trying 80.96.x.x...
Connected to server_domain.
Escape character is '^]'.

And it gets stuck there!


Wietse Venema wrote:

 wiseadmin:
  May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to
  smtpd failed: No such file or directory

 You need to update your main.cf:smtpd_sasl_path setting and specify
 the location of the socket that the Dovecot server listens on.

 For example, when dovecot.conf says:

 socket listen {
 	...
 	path = /var/spool/postfix/private/auth
 	...

 Then main.cf would say:

 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth

 	Wietse


Re: postfix sasl (dovecot) works no more

2009-05-14 Thread wiseadmin




Why not?
It is simple for my setup. I only have 10-15 users and that's all.
If you think it's dangerous or something please explain and I'll change
it.
Thanks

Sahil Tandon wrote:
 On May 14, 2009, at 7:40 AM, wiseadmin wisead...@gmail.com wrote:

  Hello everybody,
  I am running FreeBSD with postfix (2.6.0-RC2) and dovecot (1.1.11).
  There are virtual domains and users and postfix authenticates users
  using sasl and dovecot.
  Today I've performed a server upgrade (portupgrade -arRv) and sasl
  authentication works no more. It worked for the last 4 months without
  problems. I've made no modification to any config file.

  In postfix logs I get

  May 14 14:35:11 softexp postfix/smtpd[8378]: warning: SASL: Connect to
  smtpd failed: No such file or directory
  May 14 14:35:11 softexp postfix/smtpd[8378]: fatal: no SASL
  authentication mechanisms

  postfix is running, dovecot is running, saslauthd is running

 Why dovecot AND saslauthd?


Options for immediate email address activation in postfix.

2009-05-14 Thread Scott Haneda
A client of mine has a web service where a simple web page can be made  
via a browser to create an identity for them online. Build a page with  
web tools, toggle a setting to add DNS records, update the registrar  
to point to the NS's, and they have a live webpage in short order.


They want to be able to allow an info@ email address that will only  
forward to some other account.  There is no need for pop/imap login, i...@example.com 
 will simply forward to users-des...@theiremail.com


Any suggestions on the simplest way to approach this.  I was thinking  
postfix with MySql backed data store.  Today I read that RHEL is  
behind on postfix, and I think does not have MySql support in their  
rpm's.  I have zero access to a staging server.


If this turns into a high volume site, would file based aliases fall  
apart after a certain amount?  I also see maintaining an alias mapping  
via a file managed by a web service to be prone to error.  If anything  
I would store the mappings in a database, and write them out clean on  
schedule.  What are the upper limits of how many forwards I should  
feel comfortable maintaining as a local file?


Any other suggestions on methodology?
--
Scott * If you contact me off list replace talklists@ with scott@ *



Re: not sure why this is getting through

2009-05-14 Thread Barney Desmond
2009/5/15 Joey j...@web56.net:
 Received-SPF: permerror (mydomain.com: Junk encountered in mechanism
 '+ptr:')

 “If the permerror occurred because an SPF publisher uses a mechanism not
 understood by an SPF client and the receiver does not reject the message due
 to the permerror, that mechanism should be provided in the header
 immediately following the permerror. That way, the information is
 available to the end user to support troubleshooting.”

As it says, the SPF publisher (you) have a mechanism in your records
that the client (anything checking the SPF records for incoming mail)
doesn't understand. You're getting this message because the mail
wasn't rejected as a result of the SPF check.

Seeing as you haven't supplied your SPF record, *and* you've masked
your domain, we can't say much more. Checking your syntax, if you
haven't already, is a good idea.
http://www.kitterman.com/spf/validate.html

At a guess, the client might not like the '+'-qualifier. Seeing as
pass is the default anyway, try removing it from the 'ptr'
mechanism.


Re: Options for immediate email address activation in postfix.

2009-05-14 Thread Barney Desmond
2009/5/15 Scott Haneda talkli...@newgeo.com:
 Any suggestions on the simplest way to approach this.  I was thinking
 postfix with MySql backed data store.  Today I read that RHEL is behind on
 postfix, and I think does not have MySql support in their rpm's.  I have
 zero access to a staging server.

Correct, you'd have to roll your own or use the Centos-plus channel
RPM. If you choose the latter you can have a very high degree of
confidence that it will just work as you expect, but you need to
maintain it yourself. Postfix 2.3 is otherwise fine for functionality
in RHEL5 though.

 If this turns into a high volume site, would file based aliases fall apart
 after a certain amount?  I also see maintaining a alias mapping via a file
 managed by a web service to be prone to error.  If anything I wold store the
 mappings in a database, and write them out clean on schedule.  What are the
 upper limits of how many forwards I should feel comfortable maintaing as a
 local file?

With enough sanity checks you can manage an alias file with scripts
(run via web frontend), but it's not much fun. I believe (redhat)
default hash-maps perform and scale quite nicely. CDB maps are said to
scale even better, and I think numbers quoted on this list previously
say... 1 million is no problem for CDB?

If you go this route you probably want a couple of sanity checks to
make sure that the new map file isn't drastically different (smaller)
to the current running one. I can just imagine a situation with some
sort of temporary DB failure producing zero lines of output, which is
then promptly used to create a new map...


Re: Postfix-2.6.0 RPM

2009-05-14 Thread Corey Chandler

Didn't get the message you replied to, so I'm bolting it on to yours.

mouss wrote:
 Stefan Jakobs wrote:
  On Thursday, 14. Mai 2009 09:54:56 Corey Chandler wrote:
   MacShane, Tracy wrote:
    Also,
    installing non-RPM packages can obviously cause clashes when installing
    other RH updates (at least RPM is clever enough not to try installing
    Postfix 2.3 patches when it finds 2.5 already installed).

   Urm... add Postfix to your yum excludes file and the problem goes away.

  Postfix provides an MTA which is a quite important part of a *nix system. To 
  remove the MTA package from system breaks a lot of dependencies. To avoid that 
  you install your own package.

Yes, I'm aware of that.  If you reread the parent's use case, they're 
building a custom spin of Postfix from source.  Therefore, you want to 
ensure that postfix itself is excluded from updates so your install 
doesn't get overwritten by an earlier version; it doesn't usually, but I 
don't like to count on that.


--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: We are a 100% Microsoft Shop



need help figuring out why spf or other rule is not rejecting this

2009-05-14 Thread Joey
Hello All,

I am receiving messages from people faking like they are from our domain,
when looking in the headers I see this:

Received-SPF: permerror (mydomain.com: Junk encountered in mechanism
'+ptr:')

Read this on the spf site:

"If the permerror occurred because an SPF publisher uses a mechanism not
understood by an SPF client and the receiver does not reject the message due
to the permerror, that mechanism should be provided in the header
immediately following the permerror. That way, the information is
available to the end user to support troubleshooting."

Not sure I know how to resolve this, any help appreciated!

Joey



Re: Options for immediate email address activation in postfix.

2009-05-14 Thread Martin Strand
At my company we're doing almost the exact same thing.
For this we use Postfix on RHEL5 with MySQL for domains, users and aliases.
With about ~10k accounts everything works great except the forwarding vs SPF 
problem, i.e.:

1. someu...@hotmail.com sends a message to i...@yourcustomer.com
2. your server forwards this message to yourcusto...@hotmail.com
3. hotmail rejects the message because your server is not allowed to send messages 
from someu...@hotmail.com

I believe the solution to this would be SRS, but haven't found any such 
solution for Postfix yet :(
http://www.openspf.org/SRS

Martin

On Fri, 15 May 2009 02:53:19 +0200, Scott Haneda talkli...@newgeo.com wrote:

 A client of mine has a web service where a simple web page can be made
 via a browser to create an identity for them online. Build a page with
 web tools, toggle a setting to add DNS records, update the registrar
 to point to the NS's, and they have a live webpage in short order.

 They want to be able to allow an info@ email address that will only
 forward to some other account.  There is no need for pop/imap login, 
 i...@example.com
   will simply forward to users-des...@theiremail.com

 Any suggestions on the simplest way to approach this.  I was thinking
 postfix with MySql backed data store.  Today I read that RHEL is
 behind on postfix, and I think does not have MySql support in their
 rpm's.  I have zero access to a staging server.

 If this turns into a high volume site, would file based aliases fall
 apart after a certain amount?  I also see maintaining an alias mapping
 via a file managed by a web service to be prone to error.  If anything
 I would store the mappings in a database, and write them out clean on
 schedule.  What are the upper limits of how many forwards I should
 feel comfortable maintaining as a local file?

 Any other suggestions on methodology?
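
The scheme Martin refers to, as an added example rather than code from the thread or from any particular SRS implementation: SRS0 rewrites the envelope sender of a forwarded message to an address at the forwarder's own domain, so that the destination's SPF check sees a domain that authorises the forwarding host. The rewritten local part carries a truncated keyed hash and a timestamp; bounces that come back to an SRS0 address are reversed to the original sender only when both verify. Without the hash anyone could mint SRS0 addresses and use the forwarder as a bounce relay to arbitrary third parties, and the timestamp bounds how long a captured address stays usable. The secret, the forwarder domain, the hash length and the validity window are assumptions (the 4-character hash and 21-day window are the draft's defaults). In Postfix this kind of rewrite is hooked in through sender_canonical_maps (with sender_canonical_classes = envelope_sender) on the way out and recipient_canonical_maps on the way back; the thread names no implementation, so this is an illustration of the scheme, not a drop-in.

```python
"""SRS0 forward and reverse rewriting (Sender Rewriting Scheme). Added example
for this thread; not code from the original posts or from any SRS library.
Secret, forwarder domain, hash length and max age are assumptions."""
import base64
import hashlib
import hmac
import time

SRS_SECRET = b"constructed-example-secret"   # assumption: per-site secret, keep private
SRS_DOMAIN = "forwarder.example"             # assumption: the forwarding host's domain
HASH_LEN = 4                                 # assumption: draft default, base64 chars kept
MAX_AGE_DAYS = 21                            # assumption: draft default validity window
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(day):
    """Two base32 chars encoding (days since epoch) mod 1024, as in the SRS draft."""
    d = day % 1024
    return BASE32[(d >> 5) & 31] + BASE32[d & 31]


def _decode_timestamp(ts):
    ts = ts.upper()
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        raise ValueError("bad SRS timestamp")
    return BASE32.index(ts[0]) * 32 + BASE32.index(ts[1])


def _hash(ts, host, user):
    """Truncated base64(HMAC-SHA1(secret, ts + host + user)). Input is case-folded
    so an MTA that lowercases the address on the way back does not break it."""
    data = (ts + host + user).lower().encode()
    mac = hmac.new(SRS_SECRET, data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LEN]


def srs_forward(sender, day=None):
    """Rewrite user@orig.example into SRS0=HHHH=TT=orig.example=user@SRS_DOMAIN.
    Addresses already at our domain are left alone; an incoming SRS0/SRS1
    address (mail that was already forwarded once) is not handled here."""
    user, _, host = sender.rpartition("@")
    if not user or not host:
        raise ValueError("sender must be user@domain")
    if host.lower() == SRS_DOMAIN:
        return sender
    day = int(time.time() // 86400) if day is None else day
    ts = _timestamp(day)
    return f"SRS0={_hash(ts, host, user)}={ts}={host}={user}@{SRS_DOMAIN}"


def srs_reverse(address, day=None):
    """Recover the original sender from an SRS0 address, or raise ValueError.
    A wrong hash or a stale timestamp means we did not issue the address
    (recently), so the bounce must not be relayed onward."""
    local, _, host = address.rpartition("@")
    if host.lower() != SRS_DOMAIN or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this host")
    parts = local[5:].split("=", 3)          # user part may itself contain '='
    if len(parts) != 4:
        raise ValueError("malformed SRS0 address")
    h, ts, orig_host, orig_user = parts
    day = int(time.time() // 86400) if day is None else day
    if (day - _decode_timestamp(ts)) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    if not hmac.compare_digest(_hash(ts, orig_host, orig_user).lower(), h.lower()):
        raise ValueError("SRS hash mismatch")
    return f"{orig_user}@{orig_host}"


if __name__ == "__main__":
    # constructed addresses, matching the thread's hotmail -> customer -> hotmail example
    rewritten = srs_forward("someuser@hotmail.example")
    print(rewritten)
    print(srs_reverse(rewritten))
```

The hash is compared with hmac.compare_digest so a forged address cannot be refined one character at a time through timing, and the timestamp comparison is done modulo 1024 because the two-character field wraps every 1024 days.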


Re: Options for immediate email address activation in postfix.

2009-05-14 Thread Scott Haneda

On May 14, 2009, at 6:07 PM, Barney Desmond wrote:

 If this turns into a high volume site, would file based aliases fall apart
 after a certain amount?  I also see maintaining an alias mapping via a file
 managed by a web service to be prone to error.  If anything I would store the
 mappings in a database, and write them out clean on schedule.  What are the
 upper limits of how many forwards I should feel comfortable maintaining as a
 local file?


With enough sanity checks you can manage an alias file with scripts
(run via web frontend), but it's not much fun. I believe (redhat)
default hash-maps perform and scale quite nicely. CDB maps are said to
scale even better, and I think numbers quoted on this list previously
say... 1 million is no problem for CDB?



Thank you very much, I do not think a million will be hit for some  
time.  Is there any penalty when you run postmap to read in the  
changes to the virtual_alias_maps file?  I know it is not a server  
restart, and can happen without interruption of service, though I  
wonder what happens when you issue a postmap on a million line file.


Thanks.
--
Scott * If you contact me off list replace talklists@ with scott@ *



Re: Need To Reject Inbound From Addresses with My Own Domain/s

2009-05-14 Thread Noel Jones

Victor Duchovni wrote:

On Thu, May 14, 2009 at 12:42:01PM -0500, Noel Jones wrote:


wiskbr...@hotmail.com wrote:

Here are the contents of my /etc/postfix/blocked_senders file:

operator#...@somephishingbanksite\.com REJECT

The above line is the wrong syntax and will never match
anything. Wildcards are not allowed in dbm or other indexed
files, and quotes should never be used.
I am almost certain that it has already worked in the past, I'll check. 
Otherwise, any suggestions for where and how to implement such a rule?
Here's an example using a regexp table instead of the dbm table for those 
two statements.  It's also acceptable to use multiple check_sender_access 
statements if that fits your needs better.


# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  check_sender_access regexp:/etc/postfix/senders.pcre
  ... other stuff ...


# senders.pcre
/operator#...@somephishingbanksite\.com$/  REJECT phishing
/@mydomain\.com$/   554 mydomain.com sender? But you're not!


Does regexp support \d+? It looks like PCRE to me... So the
table prefix should be pcre: not regexp:.



You're right, that's a pcre construct and not universally 
supported by regexp.  A more portable expression would be:


/operator#[0-...@somephishingbanksite\.com$/  REJECT phishing



  -- Noel Jones
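
The lookup behaviour behind Noel Jones's three replies (the dbm line that can never match, the regexp table that does, and "this will reject your own domain when used outside $mynetworks"), as an added example that is not Postfix code: an indexed table is searched with a fixed sequence of literal keys, so regex metacharacters in a dbm key are just characters, while a regexp/pcre table applies each pattern to the whole address and, per access(5), does no parent-domain or user@ splitting at all. The tables are the ones posted in the thread; the elided part of the phishing pattern is assumed to be the [0-9]+ of the last reply. One caveat a site with roaming users needs: the posted restriction list has no permit_sasl_authenticated, so users who authenticate from outside $mynetworks and send as @mydomain.com are rejected along with the spoofers; the evaluator below inserts it (an assumption) ahead of the sender check:

```python
"""Postfix check_sender_access lookups and restriction ordering. Added example
for this thread; not Postfix code. Tables are taken from the posted replies,
with the elided digits of the phishing pattern assumed to be [0-9]+."""
import re

# The posted dbm/hash table. Postfix takes these keys literally.
BLOCKED_SENDERS_HASH = {
    r"operator#[0-9]+@somephishingbanksite\.com": "REJECT",   # never matches a real address
    "mydomain.com": "554 mydomain.com sender? But you're not in my network ...",
}
# The posted regexp/pcre table: (pattern, action), first match wins.
SENDERS_REGEXP = [
    (r"^operator#[0-9]+@somephishingbanksite\.com$", "REJECT phishing"),
    (r"@mydomain\.com$", "554 mydomain.com sender? But you're not!"),
]


def indexed_lookup(table, sender, subdomains_match=True):
    """access(5) order for an indexed table: user@domain, domain, each parent
    domain (bare when smtpd_access_maps is in parent_domain_matches_subdomains,
    the default; as .parent otherwise), then user@. No wildcards, ever."""
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    if not user or not domain:
        return None
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    keys = [sender, domain]
    keys += parents if subdomains_match else ["." + p for p in parents]
    keys.append(user + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def regexp_lookup(rules, sender):
    """regexp:/pcre: tables: each pattern is applied to the entire address,
    case-insensitively by default; the address is never split into parts."""
    for pattern, action in rules:
        if re.search(pattern, sender, re.IGNORECASE):
            return action
    return None


def recipient_restrictions(client_in_mynetworks, sasl_authenticated, sender,
                           recipient_is_ours):
    """The posted smtpd_recipient_restrictions evaluated in order, with
    permit_sasl_authenticated inserted before the sender check (an assumption;
    the thread's list lacks it). 'DUNNO' means the later restrictions (RBLs
    and so on) decide."""
    if client_in_mynetworks:             # permit_mynetworks
        return "OK"
    if sasl_authenticated:               # permit_sasl_authenticated
        return "OK"
    if not recipient_is_ours:            # reject_unauth_destination
        return "REJECT unauthorized relay"
    action = regexp_lookup(SENDERS_REGEXP, sender)   # check_sender_access
    return action if action is not None else "DUNNO"


if __name__ == "__main__":
    # constructed addresses
    for addr in ("operator#42@somephishingbanksite.com", "ceo@mydomain.com",
                 "ceo@mail.mydomain.com"):
        print(addr, "dbm:", indexed_lookup(BLOCKED_SENDERS_HASH, addr),
              "regexp:", regexp_lookup(SENDERS_REGEXP, addr))
```

Note the last constructed address: the indexed "mydomain.com" entry also catches ceo@mail.mydomain.com through the parent-domain lookup, but the regexp /@mydomain\.com$/ does not; a regexp table that should cover subdomains needs /@(.*\.)?mydomain\.com$/ spelled out.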


Re: Header Check Assistance

2009-05-14 Thread Drew Tomlinson
mouss wrote:
 Drew Tomlinson wrote:
  mouss wrote:
  I have no preference for header_checks.  What makes client_access
  better?  Is it less expensive?

 it's time to learn how smtp works. in particular, the fact that the
 message is sent after the DATA command. which means that if you reject
 before DATA, you avoid having to read the message (including the headers).

Thank you. This makes sense to me.

 .[snip]

 but you'll have a lot of work to track the domain names. See if uribl is
 good for you...

  Yes, I'm using several blacklists.

 you didn't understand what I was suggesting.


OK, I think I understand now.  uribl is a way to check mail content for
domains that *appear* in spam, not from where the mail is sent.  Good
idea!  I will see about adding that to SpamAssassin.

[snip]

Thanks for your help.  I appreciate it.

Drew

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com



Re: Options for immediate email address activation in postfix.

2009-05-14 Thread Victor Duchovni
On Thu, May 14, 2009 at 06:48:07PM -0700, Scott Haneda wrote:

 Thank you very much, I do not think a million will be hit for some time.  
 Is there any penalty when you run postmap to read in the changes to the 
 virtual_alias_maps file?  I know it is not a server restart, and can happen 
 without interruption of service, though I wonder what happens when you 
 issue a postmap on a million line file.

You consume some CPU and burn some disk I/O ops. Daemons that use the
indexed file will re-start at a convenient point in time (i.e. not in
the middle of a transaction, ...). Regardless of size, you should not
be re-building indexed files frequently (more than a few times a day);
if you are, use *SQL or LDAP.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.