Re: Can't whitelist header / bodychecks

2009-06-12 Thread Victor Duchovni
On Sat, Jun 13, 2009 at 01:09:49AM +0200, mouss wrote:

> by default:
> 
> mime_header_checks = $header_checks
> nested_header_checks = $header_checks
> 
> so header_checks apply to more than 822 headers.
> 
> > I'm
> > not sure if this is a bug/'feature' - but to have to keep commenting out
> > certain rules to get them sent is a minor hassle.
> 
> I personally only use few header_checks (reject "forged" mail, reject
> unauthorized attachments).

I always make sure to set nested_header_checks empty, or to a separate
table that lists only rules I am willing to enforce on the headers of
message/rfc822 attachments.

The default value of nested_header_checks is a minor
backwards-compatibility blemish. Perhaps this can be addressed in
"Postfix-lite".

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
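As an added illustration (not part of the original thread), the Python below models the header classification mouss and Viktor describe: primary headers go to header_checks, MIME headers (Content-*, MIME-Version) to mime_header_checks, and the non-MIME headers of an attached message/rfc822 part to nested_header_checks. It builds a constructed spam report forwarded as an attachment and runs one Subject rule against it, once with the main.cf defaults (mime_header_checks and nested_header_checks inherit $header_checks) and once with nested_header_checks left empty. The message, addresses and rule are invented, and the regexp table reader handles only the plain /pattern/flags ACTION form.

```python
import email
import re
from email import policy

# Constructed sample (not from the thread): a spam report forwarded to an
# abuse desk with the offending message attached as message/rfc822.
FORWARDED_REPORT = """\
From: reporter@example.org
To: abuse@example.net
Subject: spam report (full headers attached)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please see the attached message.

--b1
Content-Type: message/rfc822

From: promo@spammer.invalid
To: victim@example.org
Subject: Cheap pills, buy now
X-Mailer: BulkBlaster 1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Buy now!

--b1--
"""

# A header_checks table in regexp:(5) syntax (invented rule).
HEADER_CHECKS = r"""
# Reject obvious pill spam by Subject, case-insensitively.
/^Subject:.*\bbuy now\b/i   REJECT unsolicited advertising
"""

# Headers Postfix treats as MIME headers wherever they occur.
MIME_HEADERS = {"mime-version", "content-type", "content-transfer-encoding",
                "content-disposition", "content-id", "content-description"}


def parse_regexp_table(text):
    """Minimal regexp:(5) reader: '/pattern/[i] ACTION [text]' per line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/(i?)\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("unsupported rule: %r" % line)
        pattern, flag, action, reply = m.groups()
        rules.append((re.compile(pattern, re.I if flag else 0), action, reply or ""))
    return rules


def iter_headers(msg, scope="primary"):
    """Yield (parameter, 'Name: value') for every header in the message tree.
    scope: 'primary' for the top-level message, 'nested' for a message carried
    in a message/rfc822 part, 'multipart' for any other body part."""
    for name, value in msg.items():
        if name.lower() in MIME_HEADERS:
            table = "mime_header_checks"
        elif scope == "primary":
            table = "header_checks"
        else:
            # Not a primary header, so it never reaches header_checks itself.
            table = "nested_header_checks"
        yield table, "%s: %s" % (name, value)
    if msg.is_multipart():
        child = "nested" if msg.get_content_type() == "message/rfc822" else "multipart"
        for part in msg.get_payload():
            yield from iter_headers(part, child)


def check(message_text, tables):
    """Return (action, parameter, header) for the first rule hit, else None.
    tables maps a main.cf parameter name to its parsed rule list."""
    msg = email.message_from_string(message_text, policy=policy.default)
    for table, header in iter_headers(msg):
        for regex, action, _ in tables.get(table, []):
            if regex.search(header):
                return action, table, header
    return None


def default_tables(header_checks_text):
    """main.cf defaults: mime_header_checks = nested_header_checks = $header_checks."""
    rules = parse_regexp_table(header_checks_text)
    return {"header_checks": rules, "mime_header_checks": rules,
            "nested_header_checks": rules}


def scoped_tables(header_checks_text):
    """Viktor's arrangement: nested_header_checks empty (or a separate, smaller
    table). Here the MIME and nested tables are both left empty."""
    rules = parse_regexp_table(header_checks_text)
    return {"header_checks": rules, "mime_header_checks": [],
            "nested_header_checks": []}
```

With the default mapping the forward is rejected on the attached message's Subject, which is the behaviour Steve ran into; with nested_header_checks empty it passes. If some rules should still apply to attached messages, point nested_header_checks at a separate table holding only those rules.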


Re: Sender_Dependent_Relayhost_Maps

2009-06-12 Thread Magnus Bäck
On Saturday, June 13, 2009 at 04:25 CEST,
 Gerard  wrote:

> I still am having a problem getting "sender_dependent_relaying" to work.
> 
> This is a snippet of the sender_relay file:
> 
> gmail.com smtp:smtp.gmail.com:587
> yahoo.com smtp:smtp.plus.mail.yahoo.com:587

As documented, @example.com is the lookup key used for domain wildcards.
This is also not a transport table, so drop the "smtp:" part. Finally,
you probably want to return [smtp.gmail.com] rather than smtp.gmail.com.

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Sender_Dependent_Relayhost_Maps

2009-06-12 Thread Victor Duchovni
On Fri, Jun 12, 2009 at 10:25:27PM -0400, Gerard wrote:

> I still am having a problem getting "sender_dependent_relaying" to work.
> 
> This is a snippet of the sender_relay file:
> 
> gmail.com smtp:smtp.gmail.com:587
> yahoo.com smtp:smtp.plus.mail.yahoo.com:587

Well, this is a transport(5) value.

> sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay

This is a mechanism for overriding the default *nexthop*. Why do you
expect a transport value to work in this context?

Try:

gmail.com   [smtp.gmail.com]:587
yahoo.com   [smtp.plus.mail.yahoo.com]:587

and adjust lookup keys in smtp_sasl_password_maps accordingly.

-- 
Viktor.

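To make the two replies concrete, here is an added model (example code, not Postfix source) of the lookups postconf(5) describes for sender_dependent_relayhost_maps and smtp_sasl_password_maps, run against Gerard's table as posted and against the corrected form. The relay table is searched with the envelope sender address and then with @domain, and its value is a nexthop (what relayhost would hold), not a transport:nexthop pair; the sasl_passwd key has to match that nexthop exactly, brackets and port included, unless a per-sender entry matches first. The corrected table and the credentials are assumptions made for the example.

```python
import re


def parse_table(text):
    """Read a hash:-style source file: 'key value' per line; blank lines and
    '#' comments are skipped. Keys are folded to lower case as postmap(1)
    does by default."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def parse_nexthop(nexthop):
    """Split '[host]:port', 'host:port' or 'host' into (host, port, bracketed).
    Brackets mean 'connect to this host, do not look up MX records', which is
    what a submission relay on port 587 needs. Port defaults to 25."""
    m = re.match(r"^(?:\[([^\]\[:]+)\]|([^\]\[:]+))(?::(\d+))?$", nexthop)
    if not m:
        raise ValueError("cannot parse nexthop %r" % nexthop)
    bracketed, plain, port = m.groups()
    return bracketed or plain, int(port) if port else 25, bracketed is not None


def lookup_relayhost(sender, relay_table, relayhost=""):
    """sender_dependent_relayhost_maps: sender address, then '@domain'.
    No match means the global relayhost applies (empty: direct MX delivery)."""
    domain = sender.rpartition("@")[2]
    for key in (sender, "@" + domain):
        hit = relay_table.get(key.lower())
        if hit is not None:
            return hit
    return relayhost


def lookup_sasl_credentials(sender, nexthop, sasl_table, sender_dependent=True):
    """smtp_sasl_password_maps: with smtp_sender_dependent_authentication = yes
    the sender (then '@domain') is tried first; then the nexthop exactly as the
    relay table wrote it, then the bare server host name."""
    domain = sender.rpartition("@")[2]
    keys = [sender, "@" + domain] if sender_dependent else []
    keys += [nexthop, parse_nexthop(nexthop)[0]]
    for key in keys:
        hit = sasl_table.get(key.lower())
        if hit is not None:
            user, _, password = hit.partition(":")
            return user, password
    return None


# Gerard's sender_relay as posted: transport-style values, keys without '@'.
AS_POSTED = """
gmail.com   smtp:smtp.gmail.com:587
yahoo.com   smtp:smtp.plus.mail.yahoo.com:587
"""

# Corrected per Magnus and Viktor: '@domain' keys, bracketed host, port.
CORRECTED = """
@gmail.com   [smtp.gmail.com]:587
@yahoo.com   [smtp.plus.mail.yahoo.com]:587
"""

# sasl_passwd keyed exactly like the nexthop values (invented credentials).
SASL_PASSWD = """
[smtp.gmail.com]:587             user@gmail.com:app-password-here
[smtp.plus.mail.yahoo.com]:587   user@yahoo.com:yahoo-password-here
"""
```

A quick way to see the difference on a real box is `postmap -q @gmail.com hash:/usr/local/etc/postfix/sender_relay`: the table as posted returns nothing for that key, so Postfix never consults the relay and mail goes straight to the recipient's MX, which is what Gerard observed.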


Re: How to discern from postfix log between TO and THROUGH sending a correspondence?

2009-06-12 Thread Sthu Pous
Thank You for Your time and answer, Victor:

> The only thing recorded by Postfix is either the SMTP client source IP
> address (and optionally the source port) or the Unix uid of the process

Yea, I've seen that. My question is about some kind of postfix/etc logging level
or a utility (as I have access to the system (Linux) logs) that can provide
the info.

> that invoked sendmail(1). With SMTP, if the client uses SASL auth,
> that's also in the logs.

No, they (hackers) do not use SASL in my case.


Sender_Dependent_Relayhost_Maps

2009-06-12 Thread Gerard
I still am having a problem getting "sender_dependent_relaying" to work.

This is a snippet of the sender_relay file:

gmail.com   smtp:smtp.gmail.com:587
yahoo.com   smtp:smtp.plus.mail.yahoo.com:587

Running postmap -q gmail.com sender_relay produces:

smtp:smtp.gmail.com:587

However, postfix never seems to use any of the relays in the file.

This is the output of postconf -n:

broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = seibercom.net
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /usr/local/etc/postfix//certs/cacert.pem
smtp_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtp_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


-- 
Gerard
postfix.u...@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

You will be awarded some great honor.




Re: Can't whitelist header / bodychecks

2009-06-12 Thread mouss
EASY steve.h...@digitalcertainty.co.uk wrote:
> On Fri, 2009-06-12 at 12:51 +0200, Magnus Bäck wrote:
>> On Fri, June 12, 2009 12:12 pm, Steve said:
>>
>>> Is this right?
>>>
>>> "You cannot whitelist a sender or client in an access list to bypass
>>> header or body checks.  Header and body checks take place whether you
>>> explicitly "OK" a client or sender, in access lists, or not."
>> Yes, that's correct.
>>
> Is there any kind of feature request to change this behaviour? Such as
> allowing a map list of client ip's or ranges that can 'hop over' the
> header/body checks all together?
> 

well, the hard part is to come up with a design that is
generic/flexible/... it is possible that different people/sites want
different things. if this is true, then "the thing" is better
implemented via proxy_filter or milters.

of course, if you have a good design in mind, please share it. the
problem here is to choose between a simple design (such as "table
driven checks") and a complete design (if/then/else/for/while ...
grammar). if it's too complex, I'd prefer to run a series of programs.


> If I forward a spam mail to an abuse department quoting full headers
> (even in the body of the mail) they seem to 'catch' on header rules.


by default:

mime_header_checks = $header_checks
nested_header_checks = $header_checks

so header_checks apply to more than 822 headers.

> I'm
> not sure if this is a bug/'feature' - but to have to keep commenting out
> certain rules to get them sent is a minor hassle.

I personally only use few header_checks (reject "forged" mail, reject
unauthorized attachments).


Re: delay between delivery for a specific transport.

2009-06-12 Thread Victor Duchovni
On Fri, Jun 12, 2009 at 11:34:42PM +0200, Stéphane MERLE wrote:

> hi,
>
> thanks for your help, is there any tutorial or help page to upgrade my 
> 2.5.1 to 2.6.2 ? I am on ubuntu 2.6.28.1--std-ipv4-32 ?
> do I have to recompile it from the source code ?

If you are using 2.5.1, you could try to find an updated package that
takes you to 2.5.7. The rate_delay issue was IIRC fixed in 2.5.6, but
I am not sure, so 2.5.7 is best if you can find that, else try 2.5.6.

Of course 2.6 is not substantially different from 2.5. If you are using
a packaged build, I'd try to find a similar package of the newer version.

-- 
Viktor.



Re: questions on check_sender_mx_access

2009-06-12 Thread Wietse Venema
Noel Jones:
> Jan P. Kessler wrote:
> > 1. Will check_sender_mx_access lookup an a record if there is no mx
> > record for a given sender domain? I guess it won't as there's
> > reject_unknown_sender but I'd prefer to be sure.
> 
> If there's no MX, the sender domain's A record will be used. 
> If there's no A record either, then there's no lookup.

That's correct. check_sender_mx_access attempts to do what
the SMTP client does, and not what I wrote earlier.

Wietse

> > 2. Is there a maximum number of mx records that will be checked by
> > postfix? Are there any standards requiring or recommending this? Just to
> > prevent trivial DoS attempts by setting up domains with hundred of mx
> > records.
> 
> The max is however many MX hosts fit in 32k.  I've seen some 
> domains with hundreds of MX records (one for each host in a 
> /24).  This hasn't caused any noticeable  problem.
> 
> 
> PS. looks as if your workstation clock is 1h fast.
> 
>-- Noel Jones
> 
> 
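Added example (not from the thread), modelling in Python what Wietse and Noel describe: the MX hosts are used, the domain's own A record is the fallback when there is no MX, and nothing is checked when neither exists. It also puts a number on the cost Jan asks about for a policy daemon by counting DNS queries for a domain with 200 MX hosts and bounding them with a max_hosts cap. The DNS data, the access table and the cap are invented for the example.

```python
import ipaddress

# Constructed DNS data (not real zones); a policy daemon would resolve these
# with a DNS library instead.
FAKE_DNS = {
    "mx": {
        "example.org": ["mx1.example.org", "mx2.example.org"],
        # the "hundreds of MX records" case Noel mentions
        "manymx.example": ["mx%d.manymx.example" % i for i in range(200)],
    },
    "a": {
        "mx1.example.org": ["192.0.2.10"],
        "mx2.example.org": ["192.0.2.11"],
        "nomx.example": ["198.51.100.5"],  # A record only, no MX
    },
}
for _i in range(200):
    FAKE_DNS["a"]["mx%d.manymx.example" % _i] = ["203.0.113.%d" % _i]

# Invented check_sender_mx_access table: host names, a parent domain, a CIDR.
ACCESS_TABLE = {
    "example.org": "OK",
    "mx2.example.org": "REJECT",
    "198.51.100.0/24": "REJECT",
    "mx150.manymx.example": "REJECT",
}


class Resolver:
    """Wraps the fake data and counts queries, so the cost of an
    attacker-controlled domain with many MX hosts is visible."""

    def __init__(self, data):
        self.data = data
        self.queries = 0

    def mx(self, domain):
        self.queries += 1
        return list(self.data["mx"].get(domain, []))

    def a(self, name):
        self.queries += 1
        return list(self.data["a"].get(name, []))


def sender_mx_hosts(domain, resolver):
    """What the Postfix SMTP client does, and what check_sender_mx_access
    mirrors: use the MX hosts; with no MX, fall back to the domain's own A
    record; with neither, there is nothing to look up."""
    hosts = resolver.mx(domain)
    if hosts:
        return hosts
    return [domain] if resolver.a(domain) else []


def access_lookup(table, host, addrs):
    """access(5)-style match: the host name, then its parent domains, then
    each address against CIDR keys. First hit wins."""
    labels = host.split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action is not None:
            return action
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        for key, action in table.items():
            if "/" in key and ip in ipaddress.ip_network(key):
                return action
    return None


def check_sender_mx_access(sender, table, resolver, max_hosts=None):
    """Model of check_sender_mx_access. Returns the table action, or 'DUNNO'
    when nothing matches, including the no-MX-no-A case ("no access control
    on information that does not exist"). max_hosts is the bound a policy
    daemon would put on how many hosts it resolves per sender domain."""
    domain = sender.rpartition("@")[2].lower()
    hosts = sender_mx_hosts(domain, resolver)
    if max_hosts is not None:
        hosts = hosts[:max_hosts]
    for host in hosts:
        action = access_lookup(table, host, resolver.a(host))
        if action is None or action.upper() == "OK":
            # postconf(5): a result of OK is not allowed here for safety
            # reasons; anyone can point their MX at a host you list.
            continue
        return action
    return "DUNNO"
```

The cap is the practical answer to Jan's question: without one, a sender domain with 200 MX hosts costs 200 address lookups per envelope, and the domain owner, not you, chooses that number. Postfix itself bounds the damage by the 32 kbyte reply size Wietse mentions; a policy daemon has to set its own limit.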



Re: delay between delivery for a specific transport.

2009-06-12 Thread Stéphane MERLE

hi,

thanks for your help, is there any tutorial or help page to upgrade my 
2.5.1 to 2.6.2 ? I am on ubuntu 2.6.28.1--std-ipv4-32 ?

do I have to recompile it from the source code ?

Thanks again !

Stéphane


Victor Duchovni wrote:
> On Fri, Jun 12, 2009 at 05:06:18PM +0200, Stéphane MERLE wrote:
> 
> > Hi,
> >
> > I try to add a 1 second delay between each smtp sent to a specific 
> > transport.
> >
> > I followed this help file (in French as I feel more comfortable in this 
> > language): 
> > http://postfix.traduc.org/index.php/QSHAPE_README.html#deferred_queue
> >
> > so I did :
> >
> > /etc/postfix/transport:
> >    problem.exemple.com  slow:[dead.host]
> >
> > /etc/postfix/master.cf:
> >    # service type  private unpriv  chroot  wakeup  maxproc command
> >    slow  unix -   -   n   -   1   smtp
> >    -o fallback_relay=problem.exemple.com
> >    -o smtp_connect_timeout=1
> 
> This is wrong. If you really need this, upgrade to 2.5.7 or 2.6.2 and
> use "slow_destination_rate_delay".
> 
> > the domains are : hotmail.fr and hotmail.com
> >
> > I also add this in the master.cf :
> > hotmail_tr unix -   -   n   -   1  smtp
> >
> > and this to main.cf
> > hotmail_tr_destination_concurrency = 1
> 
> No such parameter.
> 
> > hotmail_tr_destination_concurrency_limit = 2
> 
> This is better
> 
> > hotmail_tr_destination_rate_delay=10
> 
> This requires Postfix 2.5.6 or later (implementation issues resolved
> from 2.5.0).





Re: Postfix + SASL

2009-06-12 Thread Victor Duchovni
On Fri, Jun 12, 2009 at 03:40:03PM -0400, Gerard wrote:

> >> AUTH PLAIN Z2VyYXJkXE9nZXJhcmRcT2dlcmFyZA==
> 
>  My fault! I had the wrong permissions on the 'sasldb2.db' file. All is
>  well now.

If this still reflects your current username/password, change it!

-- 
Viktor.

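Viktor's warning matters because AUTH PLAIN carries the credentials in base64, which is an encoding, not encryption. As an added example (not from the thread), the Python below builds the initial response the way RFC 4616 defines it and takes it apart again; the user name and password are invented. The shape check at the end is the kind of validation a server does before handing the payload to SASL: the string posted above does not contain the two NUL separators the mechanism requires, which is what you get when the separators are typed as escape sequences into a telnet session instead of being sent as NUL bytes.

```python
import base64


def auth_plain_initial_response(authcid, passwd, authzid=""):
    """Build the AUTH PLAIN initial response as RFC 4616 defines it:
    base64( authzid NUL authcid NUL passwd ), with authzid normally empty.
    The separators are real NUL bytes; a backslash sequence typed into
    telnet produces a different, malformed string."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    raw = b"\0".join(f.encode("utf-8") for f in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64):
    """Reverse the encoding; returns (authzid, authcid, passwd). Anyone who
    sees the line, on the wire or in a list archive, has the password."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload needs exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def is_valid_auth_plain(b64):
    """Shape check: valid base64 and exactly two NUL separators."""
    try:
        decode_auth_plain(b64)
    except (ValueError, UnicodeDecodeError):
        return False
    return True
```

In practice, test with a client that builds the string for you (the Cyrus sample_client Viktor mentions, or a real MUA), only ever send AUTH PLAIN over TLS, and rotate any credential that has appeared in a log, a bug report or a public archive.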


Re: questions on check_sender_mx_access

2009-06-12 Thread Jan P. Kessler


Wietse Venema wrote:
> Jan P. Kessler:
> > 1. Will check_sender_mx_access lookup an a record if there is no mx
> > record for a given sender domain?
> 
> It looks up MX records. As with many other Postfix features, there
> is no access control on information that does not exist.

Noel Jones wrote:
> If there's no MX, the sender domain's A record will be used. If 
> there's no A record either, then there's no lookup.

;-)

> > 2. Is there a maximum number of mx records that will be checked by
> > postfix? Are there any standards requiring or recommending this? Just to
> > prevent trivial DoS attempts by setting up domains with hundred of mx
> > records.
> 
> People do occasionally set up domains with lots of records. Postfix
> 2.3 and later will accept DNS replies of up to 32kbytes. However,
> the Postfix SMTP client will use only a limited subset of those
> records.

The reason for my question is that I want to evaluate sender mx 
addresses (combined with other things) in a policy daemon and I'm 
looking for a reasonable number of queries to perform. Do you have any 
recommendations on that?




Re: Postfix + SASL

2009-06-12 Thread Gerard
On Fri, 12 Jun 2009 14:29:02 -0400
Victor Duchovni  wrote:

>On Fri, Jun 12, 2009 at 01:59:33PM -0400, Gerard wrote:
>
>> broken_sasl_auth_clients = yes
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = yes
>> smtpd_sasl_local_domain = $myhostname
>> smtpd_sasl_path = smtpd
>> smtpd_sasl_security_options = noanonymous
>> 
>> This is the output when I attempt to connect:
>> 
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 example.net ESMTP Postfix
>> ECHO example.net
>> 250-scorpio.seibercom.net
>> 250-PIPELINING
>> 250-SIZE 1024
>> 250-VRFY
>> 250-ETRN
>> 250-AUTH LOGIN PLAIN
>> 250-AUTH=LOGIN PLAIN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> AUTH PLAIN Z2VyYXJkXE9nZXJhcmRcT2dlcmFyZA==
>> 535 5.7.8 Error: authentication failed: bad protocol / cancel
>> QUIT
>> 221 2.0.0 Bye
>> Connection closed by foreign host.
>> 
>> I am not sure exactly what I should be looking for.
>
>Look at your logs, and post the contents of smtpd.conf. Test
>SASL with sample_server and sample_client before testing with
>Postfix.

 My fault! I had the wrong permissions on the 'sasldb2.db' file. All is
 well now.


-- 
Gerard
postfix.u...@yahoo.com


The only real argument for marriage is that it remains the best method
for getting acquainted.
-- Heywood Broun




Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 14:52 -0400, Victor Duchovni wrote:
> On Fri, Jun 12, 2009 at 07:40:27PM +0100, EASY 
> steve.h...@digitalcertainty.co.uk wrote:
> 
> > > Currently, as in, what is available now. I am not good
> > > at predicting the future.
> >
> > I know. If you were I would not be asking for basic features you never
> > had the foresight to see would be requested for by end users ;-)
> 
> Some "end users" put the wrong "end" of their torso to use when composing
> feature requests. :-) The scheduler queue for feature requests is
> top-down.
> 
That's because some coders half do a tardy job and then use that wrong
torso end to defend it.



Re: Can't whitelist header / bodychecks

2009-06-12 Thread Victor Duchovni
On Fri, Jun 12, 2009 at 07:40:27PM +0100, EASY 
steve.h...@digitalcertainty.co.uk wrote:

> > Currently, as in, what is available now. I am not good
> > at predicting the future.
>
> I know. If you were I would not be asking for basic features you never
> had the foresight to see would be requested for by end users ;-)

Some "end users" put the wrong "end" of their torso to use when composing
feature requests. :-) The scheduler queue for feature requests is
top-down.

-- 
Viktor.



Re: Postfix + SASL

2009-06-12 Thread Eduardo Júnior
Hi,


http://www.postfix.org/SASL_README.html


[]'s

-- 
Eduardo Júnior
GNU/Linux user #423272

:wq


Re: delay between delivery for a specific transport.

2009-06-12 Thread Victor Duchovni
On Fri, Jun 12, 2009 at 05:06:18PM +0200, Stéphane MERLE wrote:

> Hi,
>
> I try to add a 1 second delay between each smtp sent to a specific 
> transport.
>
> I followed this help file (in French as I feel more comfortable in this 
> language): 
> http://postfix.traduc.org/index.php/QSHAPE_README.html#deferred_queue
>
> so I did :
>
> /etc/postfix/transport:
>problem.exemple.com  slow:[dead.host]
>
> /etc/postfix/master.cf:
># service type  private unpriv  chroot  wakeup  maxproc command
>slow  unix -   -   n   -   1   smtp
>-o fallback_relay=problem.exemple.com
>-o smtp_connect_timeout=1

This is wrong. If you really need this, upgrade to 2.5.7 or 2.6.2 and
use "slow_destination_rate_delay".

>
>
> the domains are : hotmail.fr and hotmail.com
>
> I also add this in the master.cf :
> hotmail_tr unix -   -   n   -   1  smtp
>
> and this to main.cf
> hotmail_tr_destination_concurrency = 1

No such parameter.

> hotmail_tr_destination_concurrency_limit = 2

This is better

> hotmail_tr_destination_rate_delay=10

This requires Postfix 2.5.6 or later (implementation issues resolved
from 2.5.0).

-- 
Viktor.



Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 14:09 -0400, Wietse Venema wrote:
> EASY steve.h...@digitalcertainty.co.uk:
> > On Fri, 2009-06-12 at 12:36 -0400, Wietse Venema wrote:
> > > Steve:
> > > > On Fri, 2009-06-12 at 11:07 -0400, Wietse Venema wrote:
> > > > > If there is a reproducible example where header_checks triggers on
> > > > > body content, then I will fix it.
> > > > > 
> > > > > All I ask for is that conditions be independently reproducible.
> > > > > 
> > > > >   Wietse
> > > > In the meantime - how do I white-list this?
> > > 
> > > Currently, the option is:
> > Does that mean you will be introducing white listing for this in a
> > future release?
> 
> Currently, as in, what is available now. I am not good
> at predicting the future.
> 
>   Wietse
I know. If you were I would not be asking for basic features you never
had the foresight to see would be requested for by end users ;-)

I'll see if I can find a link for you to download a virtual crystal ball
to help (blows dust off 5 inch floppy disc)




Re: Postfix + SASL

2009-06-12 Thread Victor Duchovni
On Fri, Jun 12, 2009 at 01:59:33PM -0400, Gerard wrote:

> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> 
> This is the output when I attempt to connect:
> 
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 example.net ESMTP Postfix
> ECHO example.net
> 250-scorpio.seibercom.net
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH PLAIN Z2VyYXJkXE9nZXJhcmRcT2dlcmFyZA==
> 535 5.7.8 Error: authentication failed: bad protocol / cancel
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
> 
> I am not sure exactly what I should be looking for.

Look at your logs, and post the contents of smtpd.conf. Test
SASL with sample_server and sample_client before testing with
Postfix.

-- 
Viktor.



Re: questions on check_sender_mx_access

2009-06-12 Thread Noel Jones

Jan P. Kessler wrote:
> 1. Will check_sender_mx_access lookup an a record if there is no mx
> record for a given sender domain? I guess it won't as there's
> reject_unknown_sender but I'd prefer to be sure.

If there's no MX, the sender domain's A record will be used. 
If there's no A record either, then there's no lookup.

> 2. Is there a maximum number of mx records that will be checked by
> postfix? Are there any standards requiring or recommending this? Just to
> prevent trivial DoS attempts by setting up domains with hundred of mx
> records.

The max is however many MX hosts fit in 32k.  I've seen some 
domains with hundreds of MX records (one for each host in a 
/24).  This hasn't caused any noticeable problem.

PS. looks as if your workstation clock is 1h fast.

  -- Noel Jones


Re: questions on check_sender_mx_access

2009-06-12 Thread Wietse Venema
Jan P. Kessler:
> 1. Will check_sender_mx_access lookup an a record if there is no mx
> record for a given sender domain? I guess it won't as there's
> reject_unknown_sender but I'd prefer to be sure.

It looks up MX records. As with many other Postfix features, there
is no access control on information that does not exist.

> 2. Is there a maximum number of mx records that will be checked by
> postfix? Are there any standards requiring or recommending this? Just to
> prevent trivial DoS attempts by setting up domains with hundred of mx
> records.

People do occasionally set up domains with lots of records. Postfix
2.3 and later will accept DNS replies of up to 32kbytes. However,
the Postfix SMTP client will use only a limited subset of those
records.

Wietse


Re: Multiple Milters

2009-06-12 Thread Ihsan Dogan
On 12.6.2009 17:50, Noel Jones wrote:

>>>> Is such a setup possible with Postfix?
>>> Not supported. Error control is limited to milter_default_action.
>> I see.
>>
>> If I specify "milter_default_action = reject" and there is an error with
>> the milter daemon, Postfix will give a 554. What is then the expected
>> behavior of the MTA, which just tried to deliver a mail? Will it try to
>> deliver the mail to the MX with the next higher priority?
> If you "reject" on milter failure, the sending MTA should give up and
> return the message as undeliverable.
> 
> Sounds as if you want to specify
> milter_default_action = tempfail
> This will ask the sending MTA to retry.  The retry details are
> controlled by the sending MTA.
> http://www.postfix.org/postconf.5.html#milter_default_action

Ok, thanks a lot for the quick help.



Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Wietse Venema
EASY steve.h...@digitalcertainty.co.uk:
> On Fri, 2009-06-12 at 12:36 -0400, Wietse Venema wrote:
> > Steve:
> > > On Fri, 2009-06-12 at 11:07 -0400, Wietse Venema wrote:
> > > > If there is a reproducible example where header_checks triggers on
> > > > body content, then I will fix it.
> > > > 
> > > > All I ask for is that conditions be independently reproducible.
> > > > 
> > > > Wietse
> > > In the meantime - how do I white-list this?
> > 
> > Currently, the option is:
> Does that mean you will be introducing white listing for this in a
> future release?

Currently, as in, what is available now. I am not good
at predicting the future.

Wietse


Postfix + SASL

2009-06-12 Thread Gerard
This is my first attempt to get Postfix-2.6 working with SASL.
Unfortunately, it isn't. This is the 'postconf -n' output:

broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain mail.$mydomain, www.$mydomain, ftp.$mydomain
mydomain = example.net
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550

This is the output when I attempt to connect:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 example.net ESMTP Postfix
ECHO example.net
250-scorpio.seibercom.net
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN Z2VyYXJkXE9nZXJhcmRcT2dlcmFyZA==
535 5.7.8 Error: authentication failed: bad protocol / cancel
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

I am not sure exactly what I should be looking for.


-- 
Gerard
postfix.u...@yahoo.com


The clash of ideas is the sound of freedom.




Re: logging stuff: NOQUEUE

2009-06-12 Thread Noel Jones

Stefan Palme wrote:
> On Fri, 2009-06-12 at 12:41 -0500, Noel Jones wrote:
> > A QUEUEID is created when the number of accepted recipients 
> > for a message is greater than zero.
> > 
> > In the case of a multi-recipient message where some recipients 
> > are accepted and some rejected, recipients before the first 
> > accepted recipient will have NOQUEUEID, after that a QUEUEID 
> > will be listed.
> > 
> > A message may be rejected by smtpd_{data, 
> > end-of-data}_restrictions, in which case a QUEUEID will have 
> > already been created.
> 
> Ok, to be sure, if I have understood all this correctly: 
> whenever the smtpd server sees a "RCPT TO" in the SMTP 
> protocol, all the smtpd_recipient_restrictions will be 
> applied. After the first "valid" recipient a QUEUEID is
> created (which will be used in the logs for this and all
> subsequent valid and invalid "RCPT TO" recipients).
> 
> Because a "DATA" command is only allowed when there has
> been at least one valid recipient, all log messages
> regarding invalid DATA / END-OF-DATA restrictions will 
> contain a QUEUEID (!="NOQUEUE").
> 
> Ok?
> 
> Thanks and regards
> -stefan-

Yup.

  -- Noel Jones


Re: logging stuff: NOQUEUE

2009-06-12 Thread Stefan Palme
On Fri, 2009-06-12 at 12:41 -0500, Noel Jones wrote:
> A QUEUEID is created when the number of accepted recipients 
> for a message is greater than zero.
> 
> In the case of a multi-recipient message where some recipients 
> are accepted and some rejected, recipients before the first 
> accepted recipient will have NOQUEUEID, after that a QUEUEID 
> will be listed.
> 
> A message may be rejected by smtpd_{data, 
> end-of-data}_restrictions, in which case a QUEUEID will have 
> already been created.

Ok, to be sure, if I have understood all this correctly: 
whenever the smtpd server sees a "RCPT TO" in the SMTP 
protocol, all the smtpd_recipient_restrictions will be 
applied. After the first "valid" recipient a QUEUEID is
created (which will be used in the logs for this and all
subsequent valid and invalid "RCPT TO" recipients).

Because a "DATA" command is only allowed when there has
been at least one valid recipient, all log messages
regarding invalid DATA / END-OF-DATA restrictions will 
contain a QUEUEID (!="NOQUEUE").

Ok?

Thanks and regards
-stefan-




questions on check_sender_mx_access

2009-06-12 Thread Jan P. Kessler

1. Will check_sender_mx_access lookup an a record if there is no mx
record for a given sender domain? I guess it won't as there's
reject_unknown_sender but I'd prefer to be sure.

2. Is there a maximum number of mx records that will be checked by
postfix? Are there any standards requiring or recommending this? Just to
prevent trivial DoS attempts by setting up domains with hundred of mx
records.

Thank you
  Jan



Re: logging stuff: NOQUEUE

2009-06-12 Thread Noel Jones

Stefan Palme wrote:
> Hi all,
> 
> I am currently working on a new logfile analyzer for postfix.
> Regarding this I will probably have some questions. Here the
> first one:
> 
> When an incoming mail is rejected because of one of the rules
> defined by smtpd_{sender,recipient,data,helo}_restrictions, this
> rejection is logged with queue-id="NOQUEUE":
> 
> Jun 12 19:11:30 [postfix/smtpd] NOQUEUE: reject: 
>   RCPT from 217-68-166-69.dynamic.primacom.net[217.68.166.69]: 
>   450 4.1.2 : Recipient address rejected: Domain not found;
>   from= to= 
>   proto=ESMTP helo=<[192.168.1.144]>
> 
> Can I be sure that postfix creates a queue-id only AFTER
> all smtpd_*_restrictions have been passed successfully?
> 
> If not - what is the general rule when I have to expect a NOQUEUE
> and when to expect a concrete queue ID?

A QUEUEID is created when the number of accepted recipients 
for a message is greater than zero.

In the case of a multi-recipient message where some recipients 
are accepted and some rejected, recipients before the first 
accepted recipient will have NOQUEUEID, after that a QUEUEID 
will be listed.

A message may be rejected by smtpd_{data, 
end-of-data}_restrictions, in which case a QUEUEID will have 
already been created.

  -- Noel Jones
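Added example (not from the thread): a small parser for smtpd reject lines that applies Noel's rule, so a log analyzer counts a NOQUEUE reject as a message that never got a queue file, and attaches a reject that carries a queue ID to the message that was already accepted for an earlier recipient in the same transaction. The log lines are constructed; the client host, the addresses and the queue ID are invented.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): one recipient rejected
# before any was accepted (NOQUEUE), then a queue file is created for an
# accepted recipient, then two more rejects for the same transaction.
SAMPLE_LOG = """\
Jun 12 19:11:30 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from client.example.net[192.0.2.10]: 450 4.1.2 <bob@nxdomain.invalid>: Recipient address rejected: Domain not found; from=<alice@example.org> to=<bob@nxdomain.invalid> proto=ESMTP helo=<[192.168.1.144]>
Jun 12 19:11:31 mx1 postfix/smtpd[12345]: 3A1B2C3D4E: client=client.example.net[192.0.2.10]
Jun 12 19:11:32 mx1 postfix/smtpd[12345]: 3A1B2C3D4E: reject: RCPT from client.example.net[192.0.2.10]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.org> to=<carol@example.com> proto=ESMTP helo=<[192.168.1.144]>
Jun 12 19:11:33 mx1 postfix/smtpd[12345]: 3A1B2C3D4E: reject: END-OF-MESSAGE from client.example.net[192.0.2.10]: 550 5.7.1 Message rejected by end-of-data policy; from=<alice@example.org> to=<dave@example.com> proto=ESMTP helo=<[192.168.1.144]>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<server>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<qid>NOQUEUE|[0-9A-Za-z]+): reject: "
    r"(?P<stage>[A-Z][A-Z-]*) from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d{1,3}\.\d{1,3}) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)


def parse_reject(line):
    """Return a dict for one smtpd reject line, or None for any other line.
    'queued' is True when the reject carries a queue ID, which means an
    earlier recipient in the same transaction was already accepted."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["queued"] = rec["qid"] != "NOQUEUE"
    return rec


def summarize(log_text):
    """Group rejects by transaction. NOQUEUE rejects stand alone; rejects
    with a queue ID are attached to that ID so the analyzer reports one
    message 'accepted for some recipients, rejected for others' instead of
    counting each reject as a separate message."""
    noqueue = []
    per_qid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec is None:
            continue
        if rec["queued"]:
            per_qid[rec["qid"]].append(rec)
        else:
            noqueue.append(rec)
    return {"noqueue": noqueue, "per_queue_id": dict(per_qid)}
```

The stage field (RCPT, DATA, END-OF-MESSAGE) is worth keeping: by Noel's rule a DATA or END-OF-MESSAGE reject should always carry a queue ID, so a NOQUEUE reject at those stages in your own logs is something to look at rather than count.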


logging stuff: NOQUEUE

2009-06-12 Thread Stefan Palme
Hi all,

I am currently working on a new logfile analyzer for postfix.
Regarding this I will probably have some questions. Here the
first one:

When an incoming mail is rejected because of one of the rules
defined by smtpd_{sender,recipient,data,helo}_restrictions, this
rejection is logged with queue-id="NOQUEUE":


Jun 12 19:11:30 [postfix/smtpd] NOQUEUE: reject: 
  RCPT from 217-68-166-69.dynamic.primacom.net[217.68.166.69]: 
  450 4.1.2 : Recipient address rejected: Domain not found;
  from= to= 
  proto=ESMTP helo=<[192.168.1.144]>


Can I be sure that postfix creates a queue-id only AFTER
all smtpd_*_restrictions have been passed successfully?

If not - what is the general rule when I have to expect a NOQUEUE
and when to expect a concrete queue ID?

Thanks for any hints
Regards
-stefan-




Re: Message with 300,000+ recips via alias_maps

2009-06-12 Thread dan trainor
On 6/12/09, Wietse Venema  wrote:
>
> dan trainor:
>
> > Just to follow up looks like this process has taken too long.  I
> > eventually killed it.  I'm happy that things are working *exactly* as they
> > should, however.
> >
> > We ended up splitting up that list of 300,000+ recips in to around 6 aliases
> > of 50,000 recips.  This method is/was exponentially faster.  I think at this
> > point we're going to consider a MySQL VIEW to convert one of those aliases
> > in to a more normalized group of recipients so we can automate breaking
> > these messages up in the future.
> >
> > Thanks again, Wietse - I sincerely appreciate the input.
>
> One final input: be sure to give each alias an owner-alias so that
> Postfix will store the result of alias expansion in new queue
> files.
>
> Otherwise, the result of expansion will not be stored. After failure
> of delivery to one local recipient in the expansion, the whole
> alias will be expanded again when delivery is retried, which is
> something that the other recipients will not appreciate.
>
> Wietse
>

Hello -

Very good point.  We've already gone ahead and done that per the
requirements of our list management software.

Thanks again
-dant


Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 12:36 -0400, Wietse Venema wrote:
> Steve:
> > On Fri, 2009-06-12 at 11:07 -0400, Wietse Venema wrote:
> > > If there is a reproducible example where header_checks triggers on
> > > body content, then I will fix it.
> > > 
> > > All I ask for is that conditions be independently reproducible.
> > > 
> > >   Wietse
> > In the meantime - how do I white-list this?
> 
> Currently, the option is:
Does that mean you will be introducing white listing for this in a
future release?




Re: Message with 300,000+ recips via alias_maps

2009-06-12 Thread Wietse Venema
dan trainor:
> Just to follow up looks like this process has taken too long.  I
> eventually killed it.  I'm happy that things are working *exactly* as they
> should, however.
> 
> We ended up splitting up that list of 300,000+ recips in to around 6 aliases
> of 50,000 recips.  This method is/was exponentially faster.  I think at this
> point we're going to consider a MySQL VIEW to convert one of those aliases
> in to a more normalized group of recipients so we can automate breaking
> these messages up in the future.
> 
> Thanks again, Wietse - I sincerely appreciate the input.

One final input: be sure to give each alias an owner-alias so that
Postfix will store the result of alias expansion in new queue
files.

Otherwise, the result of expansion will not be stored. After failure
of delivery to one local recipient in the expansion, the whole
alias will be expanded again when delivery is retried, which is
something that the other recipients will not appreciate.

Wietse
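Here is an added example (not dan's code and not Postfix code) that generates aliases(5) entries of the shape recommended above: one top-level alias expanding to N chunk aliases, each chunk alias holding at most chunk_size recipients, and an owner- alias for every one of them. The list name, owner address and recipient addresses are constructed placeholders.

```python
"""Generate aliases(5) entries that split one huge list into chunked aliases,
each with an owner- alias so that local(8) submits the expansion as a new
message (with the owner as envelope sender) instead of re-expanding the
whole list on every retry."""


def chunk_aliases(base, recipients, chunk_size=50000):
    """Return [(alias_name, members), ...].

    The first entry is the top-level alias, which expands to the chunk
    aliases; each chunk alias expands to at most chunk_size recipients.
    """
    if chunk_size < 1:
        raise ValueError("chunk_size must be at least 1")
    recipients = list(recipients)
    chunks = [recipients[i:i + chunk_size]
              for i in range(0, len(recipients), chunk_size)]
    chunk_names = [f"{base}-{n}" for n in range(1, len(chunks) + 1)]
    entries = [(base, chunk_names)]
    entries.extend(zip(chunk_names, chunks))
    return entries


def render_aliases(entries, owner, per_line=4):
    """Render entries in aliases(5) syntax.

    "name: value, value, ..." with continuation lines starting with
    whitespace; every alias gets a matching "owner-name: owner" entry.
    """
    out = []
    for name, members in entries:
        members = list(members)
        groups = [", ".join(members[i:i + per_line])
                  for i in range(0, len(members), per_line)]
        out.append(f"{name}: " + ",\n\t".join(groups))
        out.append(f"owner-{name}: {owner}")
    return "\n".join(out) + "\n"


def owner_count(text):
    """Number of owner- entries in rendered output (one per alias expected)."""
    return sum(1 for line in text.splitlines() if line.startswith("owner-"))


if __name__ == "__main__":
    # constructed sample: 13 placeholder recipients, chunks of 5
    sample = [f"user{i}@example.org" for i in range(1, 14)]
    entries = chunk_aliases("biglist", sample, chunk_size=5)
    print(render_aliases(entries, "listadmin@example.com"), end="")
```

Write the output to a file named in alias_maps and run newaliases; a MySQL-backed alias_maps table, as in dan's setup, needs the same rows, including a row for each owner-<name> key, since local(8) looks the owner alias up through the same alias_maps.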


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Wietse Venema
Steve:
> On Fri, 2009-06-12 at 11:07 -0400, Wietse Venema wrote:
> > If there is a reproducible example where header_checks triggers on
> > body content, then I will fix it.
> > 
> > All I ask for is that conditions be independently reproducible.
> > 
> > Wietse
> In the meantime - how do I white-list this?

Currently, the option is:

- Use "Content-Transfer-Encoding: base64" for the forwarded message.

- Avoid header_checks that trigger on "Received: .. for ".

Wietse


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Wietse Venema
Wietse Venema:
> Steve:
> > It is easy enough to reproduce. Just build a header filter like this;
> > (put aside the fact this is going to catch a shed load of legit mail)
> > 
> > /^Received: from.*(cmodem|dhcp|adsl|broadband|dynamic)/ REJECT dynamic
> > host in headers
> 
> This matches Received: headers.
> 
> > This mail;
> > Subject: UCE: 86.140.171.207
> > From: 
> > Reply-To: zen158...@zen.co.uk
> > To: ab...@btbroadband.com
> > [other text omitted]
> 
> Contains no Received: header.
> 
> > In the logs; tripped on the header filter;
> > Jun 12 11:01:58 mail4 postfix/cleanup[1419]: B9F16AC09D: reject: header
> > Received: from [192.168.1.xx] (xx [192.168.1.xx])??by mail4.xx.co.uk
> > (xx) with ESMTPA id B9F16AC09D??for ; Fri, 12 Jun
> > 2009 11:01:58 +0100 (BST) from mail4[192.168.1.xx];
> > from= to= proto=ESMTP
> > helo=<[192.168.1.xx]>: 5.7.1 dynamic host in headers
> 
> This Received: header was prepended by Postfix itself.
> 
> Observe:
> 
> - The logfile record has time stamp "Jun 12 11:01:58".
> 
> - The Received: header has time stamp "Fri, 12 Jun 2009 11:01:58".

And:

- The logfile record has B9F16AC09D as the queue ID.

- The Received: header has "id B9F16AC09D...".

It really was the header prepended by Postfix.

Wietse


Re: Message with 300,000+ recips via alias_maps

2009-06-12 Thread dan trainor
On 6/11/09, dan trainor  wrote:
>
>
>
> On Thu, Jun 11, 2009 at 1:32 PM, Wietse Venema wrote:
>
>> dan trainor:
>> > Hello, all -
>> >
>> > I've sent an email through Postfix which has one recipient, which is
>> > an alias via alias_maps (mysql lookup table).  I've had just a little
>> > bit of experience with this type of delivery, but not a lot of
>> > experience with this many final recipients.
>> >
>> > Right now I see the message sitting in the 'active' queue, but its been
>> > sitting for some time.
>>
>> Is this before or after alias expansion? It can take some time to
>> expand 300k aliases from SQL. In fact, the local delivery agent
>> may be terminated by a watchdog timer (daemon_timeout = 18000s).
>>
>> I suspect that SQL is taking its time.
>>
>> A minor concern: the expansion of 300k aliases will be written to
>> a new queue file, so it needs to fit within the message_size_limit
>> setting.
>>
>> Once the new queue file is complete, the queue manager will
>> be quite busy scheduling deliveries.
>>
>> You may want to dry-run test this without outgoing mail enabled.
>>
>>Wietse
>>
>
> Good evening, Wietse -
>
> Shortly after sending that message out, I realized that this was
> happening.  I do in fact see the 'local' transport very busy, eating as much
> CPU as it can muster.
>
> The message sitting in the queue has been placed there before alias
> expansion I would assume.  I say that assuming the sleeping thread in MySQL
> from the Postfix map resolution process is the result of already having
> queried MySQL, and also that there is only one message in that 'active'
> queue which does not have those aliases expanded.
>
> I'm going to give it some more time, and see what happens first - the
> 'local' transport finishes up as the result of the message(s) being sent,
> being killed by daemon_timeout, or something else.
>
> That's a good point regarding message size limit; I did not think about
> that.  This would clearly be the cumulation of those final recipient
> addresses in the message itself, as documented by "...including envelope
> information."
>
> Thanks again for your time.
>
> Thanks!
> -dant
>
>
Hi -

Just to follow up looks like this process has taken too long.  I
eventually killed it.  I'm happy that things are working *exactly* as they
should, however.

We ended up splitting up that list of 300,000+ recips in to around 6 aliases
of 50,000 recips.  This method is/was exponentially faster.  I think at this
point we're going to consider a MySQL VIEW to convert one of those aliases
in to a more normalized group of recipients so we can automate breaking
these messages up in the future.

Thanks again, Wietse - I sincerely appreciate the input.

Thanks!
-dant


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Steve
On Fri, 2009-06-12 at 11:07 -0400, Wietse Venema wrote:
> If there is a reproducible example where header_checks triggers on
> body content, then I will fix it.
> 
> All I ask for is that conditions be independently reproducible.
> 
>   Wietse
In the meantime - how do I white-list this?






Re: Export User mailbox

2009-06-12 Thread Sasa

Hi, on the current mail server I have the following permissions:

-rw-rw username mail

..but after copying to the new server the permissions are changed to root-root
and therefore I am forced to change the permissions back to username-mail.

Thanks.

--

  Salvatore.



- Original Message - 
From: "Magnus Bäck" 

To: 
Sent: Friday, June 12, 2009 5:36 PM
Subject: Re: Export User mailbox



On Friday, June 12, 2009 at 16:13 CEST,
Sasa  wrote:


Hi, I use postfix-2.2.8 with qpopper/amavis/maia...is possible to
export (and then import on another mail server) the
user mailbox stored in /var/spool/mail/user1, /var/spool/mail/user2 ?


Yes. It's just a file.

--
Magnus Bäck
mag...@dsek.lth.se





Re: Multiple Milters

2009-06-12 Thread Noel Jones

Ihsan Dogan wrote:

Wietse Venema wrote:


I'm running two spamfilters on two machines, which are accessed with
milter. In case of an error (eg: the first milter service is not running),
I would like Postfix to use the second one on the other host.

I was expecting something like this:
smtpd_milters = inet:[127.0.0.1],[1.2.3.4]:41001

When you specify multiple milters in smtpd_milters or non_smtpd_milters,
this means that Postfix always uses all of them. The syntax is
different from what you have above.


Is such a setup possible with Postfix?

Not supported. Error control is limited to milter_default_action.


I see.

If I specify "milter_default_action = reject" and there is an error with
the milter daemon, Postfix will give a 554. What is then the expected
behavior of the MTA, which just tried to deliver a mail? Will it try to
deliver the mail to the MX with the next higher priority?



Ihsan



If you "reject" on milter failure, the sending MTA should give 
up and return the message as undeliverable.


Sounds as if you want to specify
milter_default_action = tempfail
This will ask the sending MTA to retry.  The retry details are 
controlled by the sending MTA.

http://www.postfix.org/postconf.5.html#milter_default_action

  -- Noel Jones


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Wietse Venema
Steve:
> It is easy enough to reproduce. Just build a header filter like this;
> (put aside the fact this is going to catch a shed load of legit mail)
> 
> /^Received: from.*(cmodem|dhcp|adsl|broadband|dynamic)/ REJECT dynamic
> host in headers

This matches Received: headers.

> This mail;
> Subject: UCE: 86.140.171.207
> From: 
> Reply-To: zen158...@zen.co.uk
> To: ab...@btbroadband.com
> [other text omitted]

Contains no Received: header.

> In the logs; tripped on the header filter;
> Jun 12 11:01:58 mail4 postfix/cleanup[1419]: B9F16AC09D: reject: header
> Received: from [192.168.1.xx] (xx [192.168.1.xx])??by mail4.xx.co.uk
> (xx) with ESMTPA id B9F16AC09D??for ; Fri, 12 Jun
> 2009 11:01:58 +0100 (BST) from mail4[192.168.1.xx];
> from= to= proto=ESMTP
> helo=<[192.168.1.xx]>: 5.7.1 dynamic host in headers

This Received: header was prepended by Postfix itself.

Observe:

- The logfile record has time stamp "Jun 12 11:01:58".

- The Received: header has time stamp "Fri, 12 Jun 2009 11:01:58".

To make this demonstration more credible, the rejected Received:
header would need to demonstrably come from body content. This
is easy enough: just submit a spam report with a Received: header
from at least a few minutes old.

Wietse


Re: Export User mailbox

2009-06-12 Thread Magnus Bäck
On Friday, June 12, 2009 at 16:13 CEST,
 Sasa  wrote:

> Hi, I use postfix-2.2.8 with qpopper/amavis/maia...is possible to
> export (and then import on another mail server) the
> user mailbox stored in /var/spool/mail/user1, /var/spool/mail/user2 ?

Yes. It's just a file.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Wietse Venema
If there is a reproducible example where header_checks triggers on
body content, then I will fix it.

All I ask for is that conditions be independently reproducible.

Wietse


delay between delivery for a specific transport.

2009-06-12 Thread Stéphane MERLE

Hi,

I am trying to add a 1 second delay between each SMTP message sent to a specific 
transport.


I followed this help file (in French, as I feel more comfortable in that 
language) : 
http://postfix.traduc.org/index.php/QSHAPE_README.html#deferred_queue


so I did :

/etc/postfix/transport:
   problem.exemple.com  slow:[dead.host]

/etc/postfix/master.cf:
   # service type  private unpriv  chroot  wakeup  maxproc command
   slow  unix -   -   n   -   1smtp
   -o fallback_relay=problem.exemple.com
   -o smtp_connect_timeout=1


the domains are: hotmail.fr and hotmail.com

I also add this in the master.cf :
hotmail_tr unix -   -   n   -   1  smtp

and this to main.cf
hotmail_tr_destination_concurrency = 1
hotmail_tr_destination_concurrency_limit = 2
hotmail_tr_destination_rate_delay=10
transport_maps = hash:/etc/postfix/transport


but still no delay between each try or retry ...

any help would be appreciated ...

Stéphane





Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 16:56 +0200, Ralf Hildebrandt wrote:
> * EASY steve.h...@digitalcertainty.co.uk :
> 
> > Yep, I had already done that. I tried the same thing to ab...@bt.com and
> > got the same result.
> 
> Log entry for exactly that case?
> 
reads 6 minutes later but was sent to 'ab...@bt.com' rather than
'ab...@btbroadband.com' - other than that, it's all identical.




Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* EASY steve.h...@digitalcertainty.co.uk :

> Yep, I had already done that. I tried the same thing to ab...@bt.com and
> got the same result.

Log entry for exactly that case?

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
Which fundamental human right do you want to give up today?


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Wietse Venema
Mark Goodge:
> I wouldn't call it a bug, since it's a feature that works as designed. 
> It is, however, a design choice that makes the feature less useful than 
> it otherwise could have been. [other good points omitted]

For SMTP submissions, header/body checks whitelisting could be done
by adding SMTPD access map support for "receive_override_options"
features (such as "no_header_body_checks").  Those features did
not exist until some four years after "header_checks" support was
added to Postfix, and therefore these features are not part of the
"header_checks" design.

For non-SMTP submissions, there is no equivalent configuration, so
the ability to whitelist header/body checks would be partly broken.

Wietse


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Mark Goodge

EASY steve.h...@digitalcertainty.co.uk wrote:

On Fri, 2009-06-12 at 16:40 +0200, Ralf Hildebrandt wrote:

* Ralf Hildebrandt :

* Steve :


/^Received: from.*(cmodem|dhcp|adsl|broadband|dynamic)/ REJECT dynamic host in 
headers

OK


In the logs; tripped on the header filter;
Jun 12 11:01:58 mail4 postfix/cleanup[1419]: B9F16AC09D: reject: header
Received: from [192.168.1.xx] (xx [192.168.1.xx])??by mail4.xx.co.uk
(xx) with ESMTPA id B9F16AC09D??for ; Fri, 12 Jun
2009 11:01:58 +0100 (BST) from mail4[192.168.1.xx];
from= to= proto=ESMTP
helo=<[192.168.1.xx]>: 5.7.1 dynamic host in headers

The regular expression is too broad, since it also matches the "for 
"
portion in the headers!

Since the headers look like:

Received: from [192.168.1.xx] (xx [192.168.1.xx])  NEWLINE
  by mail4.xx.co.uk (xx) with ESMTPA id B9F16AC09D NEWLINE
  for  ...

You COULD solve this using:

/^Received: from .*(cmodem|dhcp|adsl|broadband|dynamic).*by / REJECT dynamic 
host in headers

It's worth a try.


Indeed, but it's *not* in the header section of the email, is it! It has
been pasted into the *BODY* of an email.


Yes, it's in the headers. Look, here's what you originally sent:

Subject: UCE: 86.140.171.207
From: 
Reply-To: zen158...@zen.co.uk
To: ab...@btbroadband.com
Content-Type: text/plain
Organization: 
Message-Id: <1244801375.6998.30>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.3
Content-Transfer-Encoding: 7bit
Date: Fri, 12 Jun 2009 11:09:36 +0100
X-Evolution-Format: text/plain
X-Evolution-Account: 1242054711.26374.4

Since you're sending it to 'ab...@btbroadband.com', one of the 
'Received:' headers will look like this:


Received: from [192.168.1.xx] (xx [192.168.1.xx])
by mail4.xx.co.uk (xx) with ESMTPA id B9F16AC09D
	for ; Fri, 12 Jun 2009 11:01:58 +0100 (BST) from 
mail4[192.168.1.xx];


Note that the recipient address is in the 'Received:' header. And the 
string 'broadband' in that address is what the regex is matching.


Mark


Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 16:50 +0200, Ralf Hildebrandt wrote:
> * EASY steve.h...@digitalcertainty.co.uk :
> 
> > > for  ...
> > > 
> > > You COULD solve this using:
> > > 
> > > /^Received: from .*(cmodem|dhcp|adsl|broadband|dynamic).*by / REJECT 
> > > dynamic host in headers
> > > 
> > > It's worth a try.
> > > 
> > Indeed, but it's *not* in the header section of the email, is it! It has
> > been pasted into the *BODY* of an email.
> 
> Try forwarding it someplace else, instead of ab...@btbroadband.com
> 
> Whenever you're forwarding it to a recipient that matches
> (cmodem|dhcp|adsl|broadband|dynamic) -- in this case "btbroadband.com"
> matches "broadband" you'll be seeing this, since your own Received headers
> will match the header_checks regexp.
> 
> You COULD strip your own internal Received: headers to avoid this. But
> that's solving the wrong problem.
> 
Yep, I had already done that. I tried the same thing to ab...@bt.com and
got the same result.

Of course the *easy* fix would be for me to allowed to *whitelist*
senders so they were not subjected to header and body checks.




Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* Ralf Hildebrandt :

> > > /^Received: from .*(cmodem|dhcp|adsl|broadband|dynamic).*by / REJECT 
> > > dynamic host in headers
> > > 
> > > It's worth a try.
> 
> > Indeed, but it's *not* in the header section of the email, is it! It has
> > been pasted into the *BODY* of an email.
> 
> Your system generates headers on its own, to which the header_checks
> apply.

To give you an example - that's one of the Received-headers my host
adds when it receives mail from my internal mailbox host:

> Received: from postamt.charite.de (postamt.charite.de [141.42.4.250])
>   (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
>   (No client certificate requested)
>   by mail-ausfall.charite.de (Postfix) with ESMTPS
>   for ; Fri, 12 Jun 2009 16:50:40 +0200 (CEST)

If I were to send to ab...@btbroadband.com, we would have:

Received: from postamt.charite.de ...
...
...
...
for 

and the header regexp would trigger.

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
Is "Sig" copyrighted by www.sig.com?


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* EASY steve.h...@digitalcertainty.co.uk :

> >   for  ...
> > 
> > You COULD solve this using:
> > 
> > /^Received: from .*(cmodem|dhcp|adsl|broadband|dynamic).*by / REJECT 
> > dynamic host in headers
> > 
> > It's worth a try.
> > 
> Indeed, but it's *not* in the header section of the email, is it! It has
> been pasted into the *BODY* of an email.

Try forwarding it someplace else, instead of ab...@btbroadband.com

Whenever you're forwarding it to a recipient that matches
(cmodem|dhcp|adsl|broadband|dynamic) -- in this case "btbroadband.com"
matches "broadband" you'll be seeing this, since your own Received headers
will match the header_checks regexp.

You COULD strip your own internal Received: headers to avoid this. But
that's solving the wrong problem.

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
Nichts kann ohne Einsamkeit entstehen.


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* EASY steve.h...@digitalcertainty.co.uk :

> > Since the headers look like:
> > 
> > Received: from [192.168.1.xx] (xx [192.168.1.xx])  NEWLINE
> >   by mail4.xx.co.uk (xx) with ESMTPA id B9F16AC09D NEWLINE
> >   for  ...
> > 
> > You COULD solve this using:
> > 
> > /^Received: from .*(cmodem|dhcp|adsl|broadband|dynamic).*by / REJECT 
> > dynamic host in headers
> > 
> > It's worth a try.

> Indeed, but it's *not* in the header section of the email, is it! It has
> been pasted into the *BODY* of an email.

Your system generates headers on its own, to which the header_checks
apply.

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
It's not that I'm so smart , it's just that I stay with problems longer. 
-- Albert Einstein


Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 16:40 +0200, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt :
> > * Steve :
> > 
> > > /^Received: from.*(cmodem|dhcp|adsl|broadband|dynamic)/ REJECT dynamic 
> > > host in headers
> > 
> > OK
> > 
> > > In the logs; tripped on the header filter;
> > > Jun 12 11:01:58 mail4 postfix/cleanup[1419]: B9F16AC09D: reject: header
> > > Received: from [192.168.1.xx] (xx [192.168.1.xx])??by mail4.xx.co.uk
> > > (xx) with ESMTPA id B9F16AC09D??for ; Fri, 12 Jun
> > > 2009 11:01:58 +0100 (BST) from mail4[192.168.1.xx];
> > > from= to= proto=ESMTP
> > > helo=<[192.168.1.xx]>: 5.7.1 dynamic host in headers
> > 
> > The regular expression is too broad, since it also matches the "for 
> > "
> > portion in the headers!
> 
> Since the headers look like:
> 
> Received: from [192.168.1.xx] (xx [192.168.1.xx])  NEWLINE
>   by mail4.xx.co.uk (xx) with ESMTPA id B9F16AC09D NEWLINE
> for  ...
> 
> You COULD solve this using:
> 
> /^Received: from .*(cmodem|dhcp|adsl|broadband|dynamic).*by / REJECT dynamic 
> host in headers
> 
> It's worth a try.
> 
Indeed, but it's *not* in the header section of the email, is it! It has
been pasted into the *BODY* of an email.



Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* Ralf Hildebrandt :
> * Steve :
> 
> > /^Received: from.*(cmodem|dhcp|adsl|broadband|dynamic)/ REJECT dynamic host 
> > in headers
> 
> OK
> 
> > In the logs; tripped on the header filter;
> > Jun 12 11:01:58 mail4 postfix/cleanup[1419]: B9F16AC09D: reject: header
> > Received: from [192.168.1.xx] (xx [192.168.1.xx])??by mail4.xx.co.uk
> > (xx) with ESMTPA id B9F16AC09D??for ; Fri, 12 Jun
> > 2009 11:01:58 +0100 (BST) from mail4[192.168.1.xx];
> > from= to= proto=ESMTP
> > helo=<[192.168.1.xx]>: 5.7.1 dynamic host in headers
> 
> The regular expression is too broad, since it also matches the "for 
> "
> portion in the headers!

Since the headers look like:

Received: from [192.168.1.xx] (xx [192.168.1.xx])  NEWLINE
  by mail4.xx.co.uk (xx) with ESMTPA id B9F16AC09D NEWLINE
  for  ...

You COULD solve this using:

/^Received: from .*(cmodem|dhcp|adsl|broadband|dynamic).*by / REJECT dynamic 
host in headers

It's worth a try.

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
"The danger from computers is not that they will eventually get as smart
as men, but we will meanwhile agree to meet them halfway."-Bernard Avishai 
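To make the explanation above (and Mark's, in his reply) concrete, here is an added example that is not code from the thread and not Postfix code: it mimics header_checks matching in Python on two constructed Received: headers, the server's own header for a report submitted to abuse@btbroadband.com (where the only "broadband" is in the "for <...>" clause) and a header from a genuinely dynamic client, and runs both the broad pattern from the thread and the narrowed one against each. Hostnames, IPs and the queue ID are placeholders. The matching flags assume pcre_table(5) defaults (case-insensitive, and "." matches newline); the header is kept folded because the logged header in the thread still shows its line breaks as "??".

```python
"""Mimic header_checks matching on Received: headers to show why the broad
pattern fires on the server's own header and the narrowed one does not."""
import re

# Constructed headers (placeholders, not the thread's real hosts or queue ID).
# Server's own header for a report sent to abuse@btbroadband.com: the
# trigger word "broadband" occurs only in the "for <...>" clause.
OWN_RECEIVED = (
    "Received: from [192.168.1.10] (workstation [192.168.1.10])\n"
    "\tby mail4.example.co.uk (Postfix) with ESMTPA id B9F16AC09D\n"
    "\tfor <abuse@btbroadband.com>; Fri, 12 Jun 2009 11:01:58 +0100 (BST)"
)
# Header from a genuinely dynamic client: the trigger word sits before "by".
DYNAMIC_RECEIVED = (
    "Received: from host-4.dynamic.example.net (unknown [203.0.113.4])\n"
    "\tby mail4.example.co.uk (Postfix) with ESMTP id 1234567890\n"
    "\tfor <user@example.co.uk>; Fri, 12 Jun 2009 11:05:12 +0100 (BST)"
)

# Assumed pcre_table(5) defaults: flag i (case-insensitive) and s (dot
# matches newline), so ".*" runs across the folded continuation lines.
FLAGS = re.I | re.S
TRIGGERS = r"(cmodem|dhcp|adsl|broadband|dynamic)"
# The pattern from the thread: any trigger word anywhere after "from".
BROAD = re.compile(r"^Received: from.*" + TRIGGERS, FLAGS)
# The narrowed pattern: the trigger word must precede the "by " clause,
# i.e. be in the sending-client part, not in the recipient address.
NARROW = re.compile(r"^Received: from .*" + TRIGGERS + r".*by ", FLAGS)


def header_check(pattern, header):
    """Return the trigger word the pattern matched in one logical header, or None."""
    m = pattern.search(header)
    return m.group(1).lower() if m else None


def evaluate(patterns, headers):
    """Result table: {pattern_name: {header_name: trigger_or_None}}."""
    return {pn: {hn: header_check(p, h) for hn, h in headers.items()}
            for pn, p in patterns.items()}


if __name__ == "__main__":
    table = evaluate({"broad": BROAD, "narrow": NARROW},
                     {"own": OWN_RECEIVED, "dynamic": DYNAMIC_RECEIVED})
    for pn, row in table.items():
        for hn, hit in row.items():
            print(f"{pn:6s} {hn:8s} -> {'REJECT on ' + hit if hit else 'no match'}")
```

The narrowed pattern works because in a Received: header Postfix writes itself, the "for <recipient>" clause always follows "by <this host>", so a trigger word that only appears in the recipient address can never be followed by "by ".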


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* Steve :

> /^Received: from.*(cmodem|dhcp|adsl|broadband|dynamic)/ REJECT dynamic host 
> in headers

OK

> In the logs; tripped on the header filter;
> Jun 12 11:01:58 mail4 postfix/cleanup[1419]: B9F16AC09D: reject: header
> Received: from [192.168.1.xx] (xx [192.168.1.xx])??by mail4.xx.co.uk
> (xx) with ESMTPA id B9F16AC09D??for ; Fri, 12 Jun
> 2009 11:01:58 +0100 (BST) from mail4[192.168.1.xx];
> from= to= proto=ESMTP
> helo=<[192.168.1.xx]>: 5.7.1 dynamic host in headers

The regular expression is too broad, since it also matches the "for 
"
portion in the headers!

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
I dropped my computer on my foot! That Megahurtz!


Re: Can't whitelist header / bodychecks

2009-06-12 Thread d . hill

Quoting Mark Goodge :


EASY steve.h...@digitalcertainty.co.uk wrote:


It's a bug. Read the original question carefully. If I'm pasting the
original headers into the BODY of a fresh mail, and the header filters
are *blocking* it - is that intended behaviour? Answer (hopefully) 'No'.


If the header-only filters are blocking on the body content, then  
yes, that would be a bug. But that isn't what you said in your  
original question, which was whether this is true:


"You cannot whitelist a sender or client in an access list to bypass
header or body checks.  Header and body checks take place whether you
explicitly "OK" a client or sender, in access lists, or not."

That's a question about whether it's possible to override header or  
body checks by whitelisting. And the answer to that is "no". I agree  
that's not necessarily desirable behaviour, but there are reasons  
why it's done that way and it's certainly not a bug.


If you meant to ask "Do header checks apply to body content as  
well?" then that's a different question. If the answer to that is  
"yes" then I would be very surprised, since the documentation[1]  
clearly indicates that these are applied separately. If  
header_checks are (or appear to be) blocking messages where the  
offending headers are pasted into the body of a message, then either  
you have misconfigured your server or you have found a real bug. If  
the latter, then you ought to be able to demonstrate it with a  
combination of mail logs, sample messages and the output of postconf  
-n.


[1] http://www.postfix.org/header_checks.5.html

Mark


Then again, the OP may be running up against:

  http://www.postfix.org/postconf.5.html#nested_header_checks

nested_header_checks is set to the same as header_checks by default. I  
didn't recall seeing any logs or config from the OP, so this is pure  
speculation.




Re: Can't whitelist header / bodychecks

2009-06-12 Thread Steve
On Fri, 2009-06-12 at 15:09 +0100, Mark Goodge wrote:
> EASY steve.h...@digitalcertainty.co.uk wrote:
> 
> [1] http://www.postfix.org/header_checks.5.html
> 
> Mark
Did you find that all on your own, or did you get some help with that?

I honestly can't be tossed to bother with the guy and raising an issue
for it. His people skills tend to evoke the worst in me and I really
can't be bothered with it.

It is easy enough to reproduce. Just build a header filter like this;
(put aside the fact this is going to catch a shed load of legit mail)

/^Received: from.*(cmodem|dhcp|adsl|broadband|dynamic)/ REJECT dynamic
host in headers

This mail;
Subject: UCE: 86.140.171.207
From: 
Reply-To: zen158...@zen.co.uk
To: ab...@btbroadband.com
Content-Type: text/plain
Organization: 
Message-Id: <1244801375.6998.30>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.3 
Content-Transfer-Encoding: 7bit
Date: Fri, 12 Jun 2009 11:09:36 +0100
X-Evolution-Format: text/plain
X-Evolution-Account: 1242054711.26374.4


Log excerpt below:

Jun 11 20:17:35 mail4 postfix/smtpd[27674]: NOQUEUE: reject: RCPT from
host86-140-171-207.range86-140.btcentralplus.com[86.140.171.207]: 554
5.7.1 Service unavailable; Client host [86.140.171.207] blocked using
zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.140.171.207;
from=
to= proto=ESMTP
helo=

In the logs; tripped on the header filter;
Jun 12 11:01:58 mail4 postfix/cleanup[1419]: B9F16AC09D: reject: header
Received: from [192.168.1.xx] (xx [192.168.1.xx])??by mail4.xx.co.uk
(xx) with ESMTPA id B9F16AC09D??for ; Fri, 12 Jun
2009 11:01:58 +0100 (BST) from mail4[192.168.1.xx];
from= to= proto=ESMTP
helo=<[192.168.1.xx]>: 5.7.1 dynamic host in headers


But like you say - it's my misconfiguration





Export User mailbox

2009-06-12 Thread Sasa
Hi, I use postfix-2.2.8 with qpopper/amavis/maia...is possible to export 
(and then import on another mail server) the

user mailbox stored in /var/spool/mail/user1, /var/spool/mail/user2 ?
Thanks.

--

  Salvatore. 



Re: Can't whitelist header / bodychecks

2009-06-12 Thread Mark Goodge

EASY steve.h...@digitalcertainty.co.uk wrote:


It's a bug. Read the original question carefully. If I'm pasting the
original headers into the BODY of a fresh mail, and the header filters
are *blocking* it - is that intended behaviour? Answer (hopefully) 'No'.


If the header-only filters are blocking on the body content, then yes, 
that would be a bug. But that isn't what you said in your original 
question, which was whether this is true:


"You cannot whitelist a sender or client in an access list to bypass
header or body checks.  Header and body checks take place whether you
explicitly "OK" a client or sender, in access lists, or not."

That's a question about whether it's possible to override header or body 
checks by whitelisting. And the answer to that is "no". I agree that's 
not necessarily desirable behaviour, but there are reasons why it's done 
that way and it's certainly not a bug.


If you meant to ask "Do header checks apply to body content as well?" 
then that's a different question. If the answer to that is "yes" then I 
would be very surprised, since the documentation[1] clearly indicates 
that these are applied separately. If header_checks are (or appear to 
be) blocking messages where the offending headers are pasted into the 
body of a message, then either you have misconfigured your server or you 
have found a real bug. If the latter, then you ought to be able to 
demonstrate it with a combination of mail logs, sample messages and the 
output of postconf -n.


[1] http://www.postfix.org/header_checks.5.html

Mark


Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 15:54 +0200, Ralf Hildebrandt wrote:
> * EASY steve.h...@digitalcertainty.co.uk :
> 
> > > I only use it for stuff I absolutely don't want to see. Everything
> > > else gets handled by amavisd-new
> > 
> > Which is flaky.
> 
> Not here.
And the tens of thousands of Barracuda owners out there with a whole
service dedicated to bouncing amavis-new because it so flaky pale into
insignificance when placed against your total mastery of the world ;-) 
> 
> > The fix is to make the content scanner in Postfix work as it should -
> > or do we keep making excuses for it so we don't upset *you know who*
> 
> I read the other mail about pasting the headers into the body and then
> the header_checks trigger again. Can you show a minimal example for
> that (with log lines)?
> 
Why - like it will ever get fixed! Nah. It's easy enough to recreate if
you really gave a damn. Don't be so lazy.



Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* EASY steve.h...@digitalcertainty.co.uk :

> > I only use it for stuff I absolutely don't want to see. Everything
> > else gets handled by amavisd-new
> 
> Which is flaky.

Not here.

> The fix is to make the content scanner in Postfix work as it should -
> or do we keep making excuses for it so we don't upset *you know who*

I read the other mail about pasting the headers into the body and then
the header_checks trigger again. Can you show a minimal example for
that (with log lines)?

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
Al Gore invented the Internet, Bill Gates deployed it. That's their
respective stories, anyways


Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 15:47 +0200, Ralf Hildebrandt wrote:
> * Mark Goodge :
> 
> > I wouldn't call it a bug, since it's a feature that works as designed.
> > It is, however, a design choice that makes the feature less useful than
> > it otherwise could have been. But the point here is that content
> > inspection isn't a core part of the job of an MTA anyway, so if the
> > rather simplistic version built in to Postfix isn't sufficient then
> > you're no worse off than if it didn't have the facility to begin with.
> > The fact that it does it at all is a bonus that may be useful in some
> > cases where whitelisting isn't necessary.
> 
> I only use it for stuff I absolutely don't want to see. Everything
> else gets handled by amavisd-new

Which is flaky. The fix is to make the content scanner in Postfix work
as it should - or do we keep making excuses for it so we don't upset
*you know who*




Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 14:36 +0100, Mark Goodge wrote:
> Steve wrote:
> > On Fri, 2009-06-12 at 08:17 -0400, Wietse Venema wrote:
> >> Mark Goodge:
> >>> Ralf Hildebrandt wrote:
>  * Steve :
> > Is this right?
>  Yes 
> > "You cannot whitelist a sender or client in an access list to bypass
> > header or body checks.  Header and body checks take place whether you
> > explicitly "OK" a client or sender, in access lists, or not."
> >
> > I'm gob smacked if it is? 
>  Why?
> >>> Because it rather misses the point of whitelisting.
> >> To forward spam reports through Postfix, the recommended solution
> >> is to BASE64 encode the "offending" content.
> >>
> >> See http://www.postfix.org/BUILTIN_FILTER_README.html for points
> >> discussed in this thread and more.
> >>
> >>Wietse
> > Always a clever answer for a bug - nice one :-) wanker.
> 
> I wouldn't call it a bug, since it's a feature that works as designed. 
> It is, however, a design choice that makes the feature less useful than 
> it otherwise could have been. But the point here is that content 
> inspection isn't a core part of the job of an MTA anyway, so if the 
> rather simplistic version built in to Postfix isn't sufficient then 
> you're no worse off than if it didn't have the facility to begin with. 
> The fact that it does it at all is a bonus that may be useful in some 
> cases where whitelisting isn't necessary.
> 
> Actually, if you wanted to do it all with Postfix then I think one 
> solution could be to use multiple SMTP services. Have all inbound mail 
> go to the first service, where mail from whitelisted sources is handled, 
> then all remaining mail is delivered to the second service which does 
> header checks before processing the mail. But there may be other gotchas 
> with this that I haven't thought of.
> 
> Mark
It's a bug. Read the original question carefully. If I'm pasting the
original headers into the BODY of a fresh mail, and the header filters
are *blocking* it - is that intended behaviour? Answer (hopefully) 'No'.

It's not worth filing a bug report because all that Wietse (and Ralph)
want to do is argue with people all the time. If it's broke, bloody fix
it. It's really THAT simple :-)



Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* Mark Goodge :

> I wouldn't call it a bug, since it's a feature that works as designed.
> It is, however, a design choice that makes the feature less useful than
> it otherwise could have been. But the point here is that content
> inspection isn't a core part of the job of an MTA anyway, so if the
> rather simplistic version built in to Postfix isn't sufficient then
> you're no worse off than if it didn't have the facility to begin with.
> The fact that it does it at all is a bonus that may be useful in some
> cases where whitelisting isn't necessary.

I only use it for stuff I absolutely don't want to see. Everything
else gets handled by amavisd-new

> Actually, if you wanted to do it all with Postfix then I think one  
> solution could be to use multiple SMTP services. 

Which can be done EASILY using the new postmulti command. Works as
documented. I tried :)

> Have all inbound mail go to the first service, where mail from
> whitelisted sources is handled, then all remaining mail is delivered to
> the second service which does header checks before processing the mail.
> But there may be other gotchas with this that I haven't thought of.
>
> Mark

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
"FOOT-AND-MOUTH BELIEVED TO BE FIRST VIRUS UNABLE TO SPREAD THROUGH
MICROSOFT OUTLOOK Researchers Shocked to Finally Find Virus That Email
App Doesn't Like".


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Larry Stone

On Fri, 12 Jun 2009, Steve wrote:

> >   Wietse
>
> Always a clever answer for a bug - nice one :-) wanker.

As someone who mostly sits on the side of this forum but is extremely 
appreciative of the work Wietse and others have done to bring Postfix to 
the community, I'd like to suggest that if you're not happy with the 
capabilities that Postfix provides, then you are certainly welcome to go 
write your own MTA. IIRC, this isn't the first time you've jumped on 
Wietse because he decided to make Postfix work differently than you think 
it should. Just because something doesn't work as you think it should 
doesn't make it a bug.


By the way, Postfix also won't mop the floor for you. That's not a bug 
either. :-)


-- Larry Stone
   lston...@stonejongleux.com


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Mark Goodge

Steve wrote:
> On Fri, 2009-06-12 at 08:17 -0400, Wietse Venema wrote:
> > Mark Goodge:
> > > Ralf Hildebrandt wrote:
> > > > * Steve :
> > > > > Is this right?
> > > >
> > > > Yes 
> > > > > "You cannot whitelist a sender or client in an access list to bypass
> > > > > header or body checks.  Header and body checks take place whether you
> > > > > explicitly "OK" a client or sender, in access lists, or not."
> > > > >
> > > > > I'm gob smacked if it is? 
> > > > Why?
> > >
> > > Because it rather misses the point of whitelisting.
> >
> > To forward spam reports through Postfix, the recommended solution
> > is to BASE64 encode the "offending" content.
> >
> > See http://www.postfix.org/BUILTIN_FILTER_README.html for points
> > discussed in this thread and more.
> >
> >   Wietse
> Always a clever answer for a bug - nice one :-) wanker.


I wouldn't call it a bug, since it's a feature that works as designed. 
It is, however, a design choice that makes the feature less useful than 
it otherwise could have been. But the point here is that content 
inspection isn't a core part of the job of an MTA anyway, so if the 
rather simplistic version built in to Postfix isn't sufficient then 
you're no worse off than if it didn't have the facility to begin with. 
The fact that it does it at all is a bonus that may be useful in some 
cases where whitelisting isn't necessary.


Actually, if you wanted to do it all with Postfix then I think one 
solution could be to use multiple SMTP services. Have all inbound mail 
go to the first service, where mail from whitelisted sources is handled, 
then all remaining mail is delivered to the second service which does 
header checks before processing the mail. But there may be other gotchas 
with this that I haven't thought of.


Mark


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Steve
On Fri, 2009-06-12 at 08:17 -0400, Wietse Venema wrote:
> Mark Goodge:
> > Ralf Hildebrandt wrote:
> > > * Steve :
> > >> Is this right?
> > > 
> > > Yes 
> > >> "You cannot whitelist a sender or client in an access list to bypass
> > >> header or body checks.  Header and body checks take place whether you
> > >> explicitly "OK" a client or sender, in access lists, or not."
> > >>
> > >> I'm gob smacked if it is? 
> > > Why?
> > 
> > Because it rather misses the point of whitelisting.
> 
> To forward spam reports through Postfix, the recommended solution
> is to BASE64 encode the "offending" content.
> 
> See http://www.postfix.org/BUILTIN_FILTER_README.html for points
> discussed in this thread and more.
> 
>   Wietse
Always a clever answer for a bug - nice one :-) wanker.



Different Message Size limit for local mail only?

2009-06-12 Thread Charles Marcus
I need our users to be able to send and receive large messages (max
50MB) to/from remote destinations, but *not* when sending to each other
(local mail only)...

Is there a way to do this without a policy server?

myhost ~ # postconf -n
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_size_limit = 1
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 15m
home_mailbox = .maildir/
message_size_limit = 5120
mydomain = example.com
myhostname = smtp.example.com
mynetworks = 127.0.0.0/8 192.168.1.32
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_domains =
relayhost = [post18.example2.com]
smtp_fallback_relay = [smtp.example.net]
smtpd_hard_error_limit = 3
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/moved-employees,  permit_mynetworks,
permit_sasl_authenticated,  reject_unauth_destination,
check_client_access cidr:/etc/postfix/allowed_clients.cidr,
check_recipient_access hash:/etc/postfix/x-employees,
check_sender_access hash:/etc/postfix/blocked_senders,
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/wildcard.crt
smtpd_tls_key_file = /etc/ssl/wildcard.key
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_vam.cf,
hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_vmd.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_vmm.cf
virtual_minimum_uid = 207
virtual_uid_maps = static:207
myhost ~ #

Thanks,

-- 

Best regards,

Charles


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Wietse Venema
Mark Goodge:
> Ralf Hildebrandt wrote:
> > * Steve :
> >> Is this right?
> > 
> > Yes 
> >> "You cannot whitelist a sender or client in an access list to bypass
> >> header or body checks.  Header and body checks take place whether you
> >> explicitly "OK" a client or sender, in access lists, or not."
> >>
> >> I'm gob smacked if it is? 
> > Why?
> 
> Because it rather misses the point of whitelisting.

To forward spam reports through Postfix, the recommended solution
is to BASE64 encode the "offending" content.

See http://www.postfix.org/BUILTIN_FILTER_README.html for points
discussed in this thread and more.

Wietse
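
A worked illustration of the advice above, added here as an example and not
part of Wietse's message or of Postfix itself. It is a small Python model of
which lines cleanup(8) offers to header_checks, mime_header_checks,
nested_header_checks and body_checks, run over three ways of forwarding the
same spam sample: pasted inline into the body, attached as message/rfc822,
and BASE64-encoded as Wietse recommends. The split between the four tables
follows header_checks(5) as I read it (primary headers, MIME part headers,
headers of an attached message/rfc822 part, everything else), the fact that
mime_header_checks and nested_header_checks default to $header_checks, and
the fact that Postfix does not decode base64; folded headers are unfolded
into one line. The sample message, addresses and rules are constructed for
the example.

```python
"""Model which lines Postfix hands to each check table, and compare three
ways of forwarding a spam sample.  Added example; the table split below is
my reading of header_checks(5), not code from Postfix or from this thread."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed "offending" message that a user wants to forward to abuse@.
SPAM = """\
From: "Pharma Deals" <deals@example.invalid>
To: victim@example.com
Subject: cheap meds ***SPAM***
X-Mailer: BulkBlaster 2.0

buy now
"""

# Constructed header_checks-style rules: (regexp, action).
HEADER_RULES = [
    (re.compile(r"^X-Mailer: BulkBlaster", re.I), "REJECT bulk mailer"),
    (re.compile(r"^Subject: .*\*\*\*SPAM\*\*\*", re.I), "REJECT spam tag"),
]
# nested_header_checks and mime_header_checks default to $header_checks,
# so by default all three header tables carry the same rules.
HEADER_TABLES = ("header_checks", "mime_header_checks", "nested_header_checks")


def scan_lines(raw):
    """Yield (table, line) for every line cleanup(8) would offer to a table."""
    yield from _walk(message_from_string(raw, policy=policy.default),
                     "header_checks")


def _walk(part, header_table):
    for name, value in part.raw_items():          # unfold to one logical line
        yield header_table, f"{name}: {' '.join(value.split())}"
    if part.get_content_maintype() == "multipart":
        for sub in part.iter_parts():             # headers of each MIME part
            yield from _walk(sub, "mime_header_checks")
    elif part.get_content_type() == "message/rfc822":
        for nested in part.iter_parts():          # attached message's headers
            yield from _walk(nested, "nested_header_checks")
    else:                                         # body lines, still encoded
        for line in part.get_payload().splitlines():
            yield "body_checks", line


def first_hit(raw, tables=HEADER_TABLES, rules=HEADER_RULES):
    """Return (table, action, line) of the first rule match, or None."""
    for table, line in scan_lines(raw):
        if table in tables:
            for pattern, action in rules:
                if pattern.search(line):
                    return table, action, line
    return None


def _envelope(subject):
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "abuse@example.net"
    msg["Subject"] = subject
    return msg


def forward_inline(sample):
    """Paste the original, headers and all, into the body of a new mail."""
    msg = _envelope("Fwd: spam report (inline)")
    msg.set_content("Please see the message below.\n\n" + sample)
    return msg.as_string()


def forward_as_rfc822(sample):
    """Attach the original as message/rfc822, as many mail clients do."""
    msg = _envelope("Fwd: spam report (attached)")
    msg.set_content("Forwarded spam sample attached.")
    msg.add_attachment(message_from_string(sample, policy=policy.default))
    return msg.as_string()


def forward_base64(sample):
    """Wietse's recommendation: ship the offending content BASE64-encoded,
    so the check tables only ever see opaque base64 lines."""
    msg = _envelope("Fwd: spam report (base64)")
    msg.set_content("Forwarded spam sample attached as a base64 blob.")
    msg.add_attachment(sample.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="spam.eml")
    return msg.as_string()


if __name__ == "__main__":
    for build in (forward_inline, forward_as_rfc822, forward_base64):
        raw = build(SPAM)
        print(f"{build.__name__:18s} header tables: {first_hit(raw)}")
        print(f"{'':18s} body_checks:   {first_hit(raw, ('body_checks',))}")
```

Run as a script it shows the three outcomes side by side: the inline paste
is invisible to the header tables but would be caught by the same pattern
in body_checks, the message/rfc822 attachment is caught by
nested_header_checks, and the base64 attachment matches nothing.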


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Mark Goodge

Ralf Hildebrandt wrote:
> * Steve :
> > Is this right?
>
> Yes 
> > "You cannot whitelist a sender or client in an access list to bypass
> > header or body checks.  Header and body checks take place whether you
> > explicitly "OK" a client or sender, in access lists, or not."
> >
> > I'm gob smacked if it is? 
> Why?

Because it rather misses the point of whitelisting.

Mark


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Ralf Hildebrandt
* Steve :
> Is this right?

Yes 
> "You cannot whitelist a sender or client in an access list to bypass
> header or body checks.  Header and body checks take place whether you
> explicitly "OK" a client or sender, in access lists, or not."
> 
> I'm gob smacked if it is? 
Why?

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
I hate microsoft with a passion. They suck. I irrationally loathe the
company, their products, and everything they stand for.


Re: howto HOLD all mails for a specific user?

2009-06-12 Thread Wietse Venema
One correction for missing ":" below.

Wietse Venema:
> Stefan Palme:
> > Hi all,
> > 
> > As far as I have understood, check_recipient_access in 
> > smtpd_recipient_restrictions uses the original RCPT TO addresses for
> > lookup (and not on the results after resolving (virtual) aliases).
> > 
> > I want all mails received for a certain user to be put on HOLD
> > for a while (because I am repairing her IMAP mailbox).
> > 
> > This user receives mail for a lot of (virtual) email addresses, e.g.
> > i...@example1.com, webmas...@example2.net, etc.
> > 
> > Do I really have to write my check_recipient_access map in the form
> > 
> >   i...@example1.com   HOLD
> >   webmas...@example2.net  HOLD
> >   ...
> 
> With Postfix 2.4+:
> 
> /etc/postfix/main.cf:
> transport_maps = /etc/postfix/transport
> 
> /etc/postfix/transport:
> u...@example.com retry 4.0.0 Mailbox being migrated

Should be: u...@example.com retry:4.0.0 Mailbox being migrated

Wietse
> This avoids the need to hold and release mail.
> 
>   Wietse
> 
> 
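
To see what the single transport entry above does and does not catch, here
is an added example in Python; it is mine, not Wietse's or Postfix's code.
It models the key order I understand transport_maps to use for one
recipient, per transport(5): user+extension@domain, user@domain, domain,
the parent domains written as .example.com (with transport_maps absent
from parent_domain_matches_subdomains, which is the default), and finally
"*". It also models the point that makes one entry enough for Stefan's
case: virtual alias expansion happens in cleanup(8) before the message is
queued, while the transport lookup is done on the resulting recipient
addresses, so aliases resolve first. The transport table, the alias map and
the addresses are constructed; the recipient_delimiter is assumed to be "+".

```python
"""Key order for a transport_maps lookup, and alias expansion before it.
Added example; my reading of transport(5), not code from Postfix."""

RECIPIENT_DELIMITER = "+"        # assumed main.cf setting

# Constructed transport table; the first line is Wietse's corrected entry.
TRANSPORT = {
    "user@example.com": "retry:4.0.0 Mailbox being migrated",
    ".example.com": "smtp:[mx.example.com]",
    "*": "smtp:[relay.example.net]",
}

# Constructed virtual_alias_maps: several public addresses land in one
# mailbox, one of them also in a second mailbox (Stefan's side-effect case).
VIRTUAL_ALIAS = {
    "info@example1.com": ["user@example.com"],
    "webmaster@example2.net": ["user@example.com", "bob@example.com"],
}


def lookup_keys(address, delimiter=RECIPIENT_DELIMITER):
    """Keys tried, in order, for one recipient address."""
    local, _, domain = address.rpartition("@")
    keys = [address]                                    # user+ext@domain
    if delimiter and delimiter in local:
        keys.append(local.split(delimiter, 1)[0] + "@" + domain)  # user@domain
    keys.append(domain)                                 # domain itself
    labels = domain.split(".")
    for i in range(1, len(labels)):                     # .example.com, .com
        keys.append("." + ".".join(labels[i:]))
    keys.append("*")                                    # catch-all
    return keys


def transport_for(address, table=TRANSPORT):
    """First matching (key, transport:nexthop) pair, or None."""
    for key in lookup_keys(address):
        if key in table:
            return key, table[key]
    return None


def resolve(rcpt, aliases=VIRTUAL_ALIAS, table=TRANSPORT):
    """Expand virtual aliases first (cleanup), then pick a transport per
    resulting address (trivial-rewrite); returns {final_address: match}."""
    return {final: transport_for(final, table)
            for final in aliases.get(rcpt, [rcpt])}


if __name__ == "__main__":
    for rcpt in ("info@example1.com", "webmaster@example2.net",
                 "user+lists@example.com", "bob@mail.example.com"):
        print(rcpt, "->", resolve(rcpt))
```

The output shows the migrating mailbox getting the retry transport whether
mail arrives at the aliased address or with an address extension, while the
co-recipient of webmaster@example2.net is still delivered normally, which is
exactly the side effect the check_recipient_access approach could not avoid.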



Re: Can't whitelist header / bodychecks

2009-06-12 Thread EASY steve.h...@digitalcertainty.co.uk
On Fri, 2009-06-12 at 12:51 +0200, Magnus Bäck wrote:
> On Fri, June 12, 2009 12:12 pm, Steve said:
> 
> > Is this right?
> >
> > "You cannot whitelist a sender or client in an access list to bypass
> > header or body checks.  Header and body checks take place whether you
> > explicitly "OK" a client or sender, in access lists, or not."
> 
> Yes, that's correct.
> 
Is there any kind of feature request to change this behaviour? Such as
allowing a map list of client ip's or ranges that can 'hop over' the
header/body checks all together?

If I forward a spam mail to an abuse department quoting full headers
(even in the body of the mail) they seem to 'catch' on header rules. I'm
not sure if this is a bug/'feature' - but to have to keep commenting out
certain rules to get them sent is a minor hassle.






Re: howto HOLD all mails for a specific user?

2009-06-12 Thread Wietse Venema
Stefan Palme:
> Hi all,
> 
> As far as I have understood, check_recipient_access in 
> smtpd_recipient_restrictions uses the original RCPT TO addresses for
> lookup (and not on the results after resolving (virtual) aliases).
> 
> I want all mails received for a certain user to be put on HOLD
> for a while (because I am repairing her IMAP mailbox).
> 
> This user receives mail for a lot of (virtual) email addresses, e.g.
> i...@example1.com, webmas...@example2.net, etc.
> 
> Do I really have to write my check_recipient_access map in the form
> 
>   i...@example1.com   HOLD
>   webmas...@example2.net  HOLD
>   ...

With Postfix 2.4+:

/etc/postfix/main.cf:
transport_maps = /etc/postfix/transport

/etc/postfix/transport:
u...@example.com retry 4.0.0 Mailbox being migrated

This avoids the need to hold and release mail.

Wietse


Re: Upgrade TOTAL screw-up - Part One

2009-06-12 Thread Wietse Venema
William Michael:
> Jun 11 16:34:12 dns1 postfix/smtpd[4165]: connect to subsystem
> private/proxymap: Connection refused

You removed the proxymap service from master.cf. Don't do that!

Try running:

postfix upgrade-configuration
postfix reload

to restore.

BTW This won't restore all missing services.

Wietse


Re: Can't whitelist header / bodychecks

2009-06-12 Thread Magnus Bäck
On Fri, June 12, 2009 12:12 pm, Steve said:

> Is this right?
>
> "You cannot whitelist a sender or client in an access list to bypass
> header or body checks.  Header and body checks take place whether you
> explicitly "OK" a client or sender, in access lists, or not."

Yes, that's correct.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Confirmation email with captcha

2009-06-12 Thread Gabriel Hahmann
Wow.

Thank you very much to everybody who answered my question. In fact
some of the problems related to captcha I already knew, but some of
them I've never thought about.

In fact the problem that I have is that one of my lame clients is
asking for a solution like this, so I need to find something better or
argue with him. Thanks for the problems related to this solution, so
I can convince them that this is a bad idea.

I'll take a look at the tools presented here in case I cant convince them.

Thanks in advance,

Best regards,
Gabriel.

On Wed, Jun 10, 2009 at 10:37 PM, brian moore wrote:
> On Wed, 10 Jun 2009 11:40:58 -0600
> LuKreme  wrote:
>
>> This is known as a "Prove You Love Me" scheme and is, essentially,
>> offloading your spam problems onto everyone else who sends you mail.
>> You will find a LOT of people are pissed off by these PYLM emails,
>> and will not reply.
>
> Nor will sites that send email to confirm your address before
> accepting your registration...
>
> Or send you notices with your UPS tracking number so you can see
> expected delivery dates...
>
> Or that send you a confirmation email when you forget your password
> to your bank account...
>
> It's a surefire way to lose some very important mail.
>
>


Can't whitelist header / bodychecks

2009-06-12 Thread Steve
Is this right?

"You cannot whitelist a sender or client in an access list to bypass
header or body checks.  Header and body checks take place whether you
explicitly "OK" a client or sender, in access lists, or not."

I'm gob smacked if it is? 




RE: Content filter - 2 entries?

2009-06-12 Thread Cory Hawkless
Being new to the scene I've implemented a postfix\amavisd-new config, seems
to work really well once you get your head around it. Anybody got any good
reasons not to use amavis and any suggestions for alternatives (Mid-Large
email volume)

-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Magnus Bäck
Sent: Friday, 12 June 2009 5:09 PM
To: postfix-users@postfix.org
Subject: Re: Content filter - 2 entries?

On Fri, June 12, 2009 8:51 am, Vasilios Tzanoudakis said:

> Is there any way that i can use 2 content filters? system works for ONE
> of the entries below (main.cf).

You can have any number of content filters, but you must chain them
together manually.

Postfix -> filter1 -> Postfix -> filter2 -> Postfix
or
Postfix -> filter1 -> filter2 -> Postfix

You don't need separate Postfix instances, but you do need multiple
smtpd(8) listeners with proper content_filter settings. Something like
this in master.cf:

smtp... smtpd -o content_filter=scan:[127.0.0.1]:10025
127.0.0.1:10026 ... smtpd -o content_filter=spamassassin
pickup  ... pickup -o content_filter=

[...]

> ps: As you can understand i need to avoid Amavis like hell ;-)

Why?

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se



Re: howto HOLD all mails for a specific user?

2009-06-12 Thread Stefan Palme
On Fri, 2009-06-12 at 09:47 +0200, Magnus Bäck wrote:
> The only solution I can think of that isn't overcomplicated would be to
> clone the virtual or local transport in master.cf (depends on the address
> class of the domain) and use the transport table to redirect the final
> address to that transport. Then, use defer_transports to defer deliveries
> to the cloned transport.

Sounds like a good solution, and the effort to realize this is
independent of the number of aliases of that user, so I guess I
will try it.


> Perhaps there are other solutions than suspending deliveries to the user's
> account? Why does the IMAP mailbox need to be "repaired"?  How do you
> repair it and why does that operation require exclusive access to the
> mailbox?

The user by accident deleted all mails (>20.000) from her IMAP account.
I have to recover them from backup (and merge them with the mails 
received meanwhile). After that, I have to reconstruct the mailbox database (I 
use cyrus imap server). I don't want any new mails to come in during
this recovery phase because I have had bad experiences with this...

Thanks and regards
-stefan-




Re: howto HOLD all mails for a specific user?

2009-06-12 Thread Magnus Bäck
On Fri, June 12, 2009 9:08 am, Stefan Palme said:

> As far as I have understood, check_recipient_access in
> smtpd_recipient_restrictions uses the original RCPT TO addresses for
> lookup (and not on the results after resolving (virtual) aliases).

Correct.

> I want all mails received for a certain user to be put on HOLD
> for a while (because I am repairing her IMAP mailbox).
>
> This user receives mail for a lot of (virtual) email addresses, e.g.
> i...@example1.com, webmas...@example2.net, etc.
>
> Do I really have to write my check_recipient_access map in the form
>
>   i...@example1.com   HOLD
>   webmas...@example2.net  HOLD
>   ...
>
> or is there a shorter way to do this, because all these mail addresses
> are in the end aliased to the same "local" user account?
>
> Some of those email addresses are even aliased to more than one user.
> So the bad side effect of the map as shown above would be, that NOBODY
> receives mails targeted at e.g. i...@example1.com - but I only want to
> prevent one special mailbox to not receive any mail...

The only solution I can think of that isn't overcomplicated would be to
clone the virtual or local transport in master.cf (depends on the address
class of the domain) and use the transport table to redirect the final
address to that transport. Then, use defer_transports to defer deliveries
to the cloned transport.

Perhaps there are other solutions than suspending deliveries to the user's
account? Why does the IMAP mailbox need to be "repaired"? How do you
repair it and why does that operation require exclusive access to the
mailbox?

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Upgrade TOTAL screw-up - Part One

2009-06-12 Thread Ralf Hildebrandt

> --master.cf--
> smtp  inet  n   -   n   -   -   smtpd -v
> 
> -- end of postfinger output --
> 
> 
> WTF am I doing wrong ??

Show all of master.cf

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
"UNIX is an operating system, OS/2 is half an operating system, Windows
is a shell, and DOS is a boot partition virus."  -- Peter H. Coffin


Re: Content filter - 2 entries?

2009-06-12 Thread Magnus Bäck
On Fri, June 12, 2009 8:51 am, Vasilios Tzanoudakis said:

> Is there any way that i can use 2 content filters? system works for ONE
> of the entries below (main.cf).

You can have any number of content filters, but you must chain them
together manually.

Postfix -> filter1 -> Postfix -> filter2 -> Postfix
or
Postfix -> filter1 -> filter2 -> Postfix

You don't need separate Postfix instances, but you do need multiple
smtpd(8) listeners with proper content_filter settings. Something like
this in master.cf:

smtp... smtpd -o content_filter=scan:[127.0.0.1]:10025
127.0.0.1:10026 ... smtpd -o content_filter=spamassassin
pickup  ... pickup -o content_filter=

[...]

> ps: As you can understand i need to avoid Amavis like hell ;-)

Why?

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Multiple Milters

2009-06-12 Thread Ihsan Dogan
Wietse Venema wrote:

>> I'm running two spamfilters on two machines, which are accessed with
>> milter. In case of an error (eg: the first milter service is not running),
>> I would like that Postfix would use the second one on the other host.
>>
>> I was expecting something something like this:
>> smtpd_milters = inet:[127.0.0.1],[1.2.3.4]:41001
> 
> When you specify multiple milters in smtpd_milters or non_smtpd_milters,
> this means that Postfix always uses all of them. The syntax is
> different than what you have above.
> 
>> Is such a setup possible with Postfix?
> 
> Not supported. Error control is limited to milter_default_action.

I see.

If I specify "milter_default_action = reject" and there is an error with
the milter daemon, Postfix will give a 554. What is then the expected
behavior of the MTA, which just tried to deliver a mail? Will it try to
deliver the mail to the MX with the next higher priority?



Ihsan

-- 
ih...@dogan.ch  http://blog.dogan.ch/


howto HOLD all mails for a specific user?

2009-06-12 Thread Stefan Palme
Hi all,

As far as I have understood, check_recipient_access in 
smtpd_recipient_restrictions uses the original RCPT TO addresses for
lookup (and not on the results after resolving (virtual) aliases).

I want all mails received for a certain user to be put on HOLD
for a while (because I am repairing her IMAP mailbox).

This user receives mail for a lot of (virtual) email addresses, e.g.
i...@example1.com, webmas...@example2.net, etc.

Do I really have to write my check_recipient_access map in the form

  i...@example1.com   HOLD
  webmas...@example2.net  HOLD
  ...

or is there a shorter way to do this, because all these mail addresses
are in the end aliased to the same "local" user account?

Some of those email addresses are even aliased to more than one user. 
So the bad side effect of the map as shown above would be that NOBODY
receives mails targeted at e.g. i...@example1.com - but I only want to
prevent one special mailbox from receiving any mail...

Thanks and regards
-stefan-