Re: Email in Active Queue without delivery attempts
Victor Duchovni wrote: On Tue, Jun 23, 2009 at 07:57:00PM -0700, Jacky Chan wrote: The rate_delay feature was repaired in Postfix 2.5.7. All users of this feature should be using a Postfix release with a mail_release_date after 20090305. +20090305 + + Bugfix: in the new queue manager, the _destination_rate_delay + code needed to postpone the job scheduler updates after + delivery completion, otherwise the scheduler could loop on + blocked jobs. Victor Wietse. File: qmgr/qmgr_entry.c, + qmgr/qmgr_queue.c, qmgr/qmgr_job.c. + Hi Victor, Is it confirmed that my issue caused by this bug? Best Jacky
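Review bot: the Bugfix sentence ends at "the scheduler could loop on blocked jobs" without saying what that loop looks like to an operator, so the 20090305 entry is hard to match against a symptom when deciding whether an upgrade is needed. Suggest adding one clause that names the observable effect, and writing the setting as transport_destination_rate_delay, since the bare "_destination_rate_delay" suffix is easy to miss when searching the file.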
Query on customize the over-quota bounce message on postfix2.2
Hi all,

My current postfix version installed is postfix-2.2.10-1.1.el4

The user's mail over-quota, it will automatically send a bounced mail to the sender as below:

___Beginning of the message__

This is the Postfix program at host myhostname.mydomain.com

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The Postfix program

user_ic_num...@mydomain.com (expanded from usermailacco...@mydomain.com): host /var/lib/imap/socket/lmtp[/var/lib/imap/socket/lmtp] said: 552 5.2.2 Over quota (in reply to RCPT TO command)

___Ending of the message___

Is there any workaround to customize the over-quota bounced message, e.g.:

1. It shows the USER_IC_NUMBER as well (instead of UserMailAccount only). We want to hide/remove the USER_IC_NUMBER.
2. To hide the server host name: myhostname.mydomain.com
3. To hide 'The Postfix program' line.
4. To hide '/var/lib/imap/socket/lmtp[/var/lib/imap/socket/lmtp]' line.

Since there's a concern for not to upgrade to postfix 2.3 (understand that postfix 2.3 has this bounce message feature), we need to look for workaround for this, at least to remove the USER_IC_NUMBER.

Thank you very much for any response and help.

Best regards,
Rommy
Anvil Syntax ?
Hi,

I'm running through the brilliant 'Book of Postfix' and running into some confusion with anvil/rate control - specifically syntax.

around page 384

smtpd_client_connection_limit_exceptions =
smtpd_client_connection_rate_limit = 3
smtpd_client_connection_count_limit = 3
client_connection_rate_time_unit = 60s
client_connection_status_update_time = 1m

But this does not seem to work as intended on my Postfix (2.5.5)

The man gives this;

Looking at the man for anvil I have different syntax options;

anvil_rate_time_unit (60s)
    The time unit over which client connection rates and other rates are calculated.

anvil_status_update_time (600s)
    How frequently the anvil(8) connection and rate limiting server logs peak usage information.

Which makes me wonder what the right syntax should be. Has the syntax changed since the box was produced or is it going to change in the near future?
Re: Anvil Syntax ?
On Wed, 2009-06-24 at 10:59 +0200, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt ralf.hildebra...@charite.de:
>>> Which makes me wonder what the right syntax should be. Has the syntax changed since the box was produced or is it going to change in the near future?
>>
>> The former. The concept stays the same, though.
>
> Reason: When the book was written, anvil was only in the snapshots. The parameter names have changed twice (I think).

Thanks Ralf. No defence needed old chap - things change for good reasons. For once I sat down and RTFM and started to pull out my hair :-) Now working as mummy intended.

I'm guessing with the line;

smtpd_client_event_limit_exceptions =

I can do;

smtpd_client_event_limit_exceptions = my_networks

or

smtpd_client_event_limit_exceptions = my_networks, 1.2.3.4, 5.6.7.8

and that will be good?
Re: Anvil Syntax ?
* Steve steve.h...@digitalcertainty.co.uk:

> smtpd_client_event_limit_exceptions = my_networks

smtpd_client_event_limit_exceptions = $mynetworks

> or
>
> smtpd_client_event_limit_exceptions = my_networks, 1.2.3.4, 5.6.7.8

smtpd_client_event_limit_exceptions = $mynetworks, 1.2.3.4, 5.6.7.8

> and that will be good?

Yep

You could even do stuff like:

smtpd_client_event_limit_exceptions = !10.0.0.1, 10.0.0.0/8
Re: Need a resolution to a weird error
2009/6/24 Evan Platt e...@espphotography.com:
> At 08:54 PM 6/23/2009, you wrote:
>> Looks as if postfix will not send to mailbox which has close to 50M in the mailbox.
>
> http://www.postfix.org/postconf.5.html
>
> mailbox_size_limit (default: 5120)
> The maximal size of any local(8) individual mailbox or maildir file, or zero (no limit). In fact, this limits the size of any file that is written to upon local delivery, including files written by external commands that are executed by the local(8) delivery agent. This limit must not be smaller than the message size limit.
>
> Or am I misunderstanding ?

Yes, that sounds right to me. I've not run into the "limits other locally-delivered files, not just mailboxes" thing, but I'll believe the docs.

For the sake of mentioning it, you can't size-limit users' maildirs in this way with stock Postfix (unless the mails coming in are hitting that 50mb limit). This is good or bad depending on what you want.
Re: warning: maildir access problem for UID/GID=4444/4444: create maildir file
Flash Web wrote: When i send a mail to local postfix installation, i get error Jun 23 16:13:22 linux postfix/virtual[2526]: warning: maildir access problem for UID/GID=/: create maildir file /home/vmail/info/tmp/1245753802.P2526.linux.localdomain: Permission denied I have set vmail ownership and also set permission to 777 [r...@linux home]# ls -l|grep vmail drwxrwxrwx 3 vmail vmail 4096 2009-06-23 15:33 vmail [r...@linux home]# chmod -R 777 vmail [r...@linux home]# Now i send a mail, i got following error [r...@linux home]# echo Test with Transport | mail -s Test Email ad...@hosthat.com [r...@linux home]# tail -f /var/log/maillog Jun 23 16:13:22 linux postfix/pickup[2434]: DB0712A8A: uid=0 from=root Jun 23 16:13:22 linux postfix/cleanup[2576]: DB0712A8A: message-id= 20090623104322.db0712...@linux.hosthat.com Jun 23 16:13:22 linux postfix/qmgr[2436]: DB0712A8A: from= r...@linux.hosthat.com, size=445, nrcpt=1 (queue active) Jun 23 16:13:22 linux postfix/virtual[2526]: warning: maildir access problem for UID/GID=/: create maildir file /home/vmail/info/tmp/1245753802.P2526.linux.localdomain: Permission denied Jun 23 16:13:22 linux postfix/virtual[2526]: warning: perhaps you need to create the maildirs in advance Jun 23 16:13:22 linux postfix/virtual[2526]: DB0712A8A: to=i...@hosthat.com, orig_to=ad...@hosthat.com, relay=virtual, delay=0.05, delays=0.04/0/0/0.01, dsn=4.2.0, status=deferred (maildir delivery failed: create maildir file /home/vmail/info/tmp/1245753802.P2526.linux.localdomain: Permission denied) In postconf, i have gid and uid set to , user vmail have same uid and gid. [r...@linux home]# postconf |grep static authorized_flush_users = static:anyone authorized_mailq_users = static:anyone authorized_submit_users = static:anyone virtual_gid_maps = static: virtual_uid_maps = static: [r...@linux home]# id vmail uid=(vmail) gid=(vmail) groups=(vmail) [r...@linux home]# Why i get permission denied error while i have set permission 777 ? 
I tried recreating user vmail few time, but it won't fix the permission error. Are you running something like SELinux or AppArmor? If you create that directory (/home/vmail/info/tmp) and set the proper owner and permissions does the error go away? -- Michael Wang
Re: Anvil Syntax ?
Steve: Hi, I'm running through the brilliant 'Book of Postfix' and running into some confusion with anvil/rate control - specifically syntax. around page 384 smtpd_client_connection_limit_exceptions = smtpd_client_connection_rate_limit = 3 smtpd_client_connection_count_limit = 3 client_connection_rate_time_unit = 60s client_connection_status_update_time = 1m But this does not seem to work as intended on my Postfix (2.5.5) The man gives this; Looking at the man for anvil I have different syntax options; anvil_rate_time_unit (60s) The time unit over which client connection rates and other rates are calculated. This is the name in the stable release (Postfix 2.1.0 and later). anvil_status_update_time (600s) How frequently the anvil(8) connection and rate limiting server logs peak usage information. That was in the non-stable release. There is no guarantee of compatibility in non-stable releases. Wietse Which makes me wonder what the right syntax should be. Has the syntax changed since the box was produced or is it going to change in the near future?
Re: Email in Active Queue without delivery attempts
Jacky Chan: Victor Duchovni wrote: On Tue, Jun 23, 2009 at 07:57:00PM -0700, Jacky Chan wrote: The rate_delay feature was repaired in Postfix 2.5.7. All users of this feature should be using a Postfix release with a mail_release_date after 20090305. +20090305 + + Bugfix: in the new queue manager, the _destination_rate_delay + code needed to postpone the job scheduler updates after + delivery completion, otherwise the scheduler could loop on + blocked jobs. Victor Wietse. File: qmgr/qmgr_entry.c, + qmgr/qmgr_queue.c, qmgr/qmgr_job.c. + Hi Victor, Is it confirmed that my issue caused by this bug? You upgrade, and then you tell us if this solves the problem. Wietse
Re: Need a resolution to a weird error
On Tue, Jun 23, 2009 at 09:02:19PM -0700, Evan Platt wrote:
> At 08:54 PM 6/23/2009, you wrote:
>> Looks as if postfix will not send to mailbox which has close to 50M in the mailbox. Can this be overridden?
>
> http://www.postfix.org/postconf.5.html
>
> mailbox_size_limit (default: 5120)
> The maximal size of any local(8) individual mailbox or maildir file, or zero (no limit). In fact, this limits the size of any file that is written to upon local delivery, including files written by external commands that are executed by the local(8) delivery agent. This limit must not be smaller than the message size limit.
>
> Or am I misunderstanding ?

Thank you that is what I was after.

-- 
Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Beware Anti-Christ rising! Never Satan President Republic!
Rudeness is the weak man's imitation of strength. -Eric Hoffer
Re: Query on customize the over-quota bounce message on postfix2.2
On 6/24/2009, MSG Support (msgsupport@gmail.com) wrote: My current postfix version installed is postfix-2.2.10-1.1.el4 This is really old... upgrading to a more current release would be a good thing in any case... The user's mail over-quota, it will automatically send a bounced mail to the sender as below: First, don't accept mail and then bounce - it makes you a backscatter source. If you are going to reject mail for a user that is over quota, do it at smtp time, not after you have already accepted the message. Sorry but I cannot help with how, since I've never used quotas... -- Best regards, Charles
Testing For Open Relay
I just finished a new Postfix 2.6 installation on a Debian server in a co-location and just wanted to make sure I am properly testing this machine is not a 'open relay' before I open it out to the public:

I was told to go to the following URL http://www.abuse.net/relay.html and I entered my external IP address in the 1st line and nothing else. After 17 tests, I get the following at the bottom:

Relay test result
All tests performed, no relays accepted.

Does this mean I am safe? I read somewhere that in my main.cf I should have the following entry:

relay_domains =

"relay_domains: is a list of destination domains this system will relay mail to. By setting it to be blank we ensure that our mail server isn't acting as an open relay for untrusted networks. The reader is advised to test that their system isn't acting as an open relay here: http://www.abuse.net/relay.html"

Now that being said, I don't have relay_domains entry in my main.cf however according to the site they recommend I test, I don't appear to be one. Do I need this entry in my main.cf or am I fine? Is there an other way to test for being an open relay or should I feel safe about this?

*postconf -n*

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
home_mailbox = mail/
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 10485760
mydestination = $config_directory/mydestination
mydomain = omgwtf.com
myhostname = mx.omgwtf.com
mynetworks = $config_directory/mynetworks
myorigin = omgwtf.com
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_use_tls = no
Re: Testing For Open Relay
Carlos Williams wrote:
> I just finished a new Postfix 2.6 installation on a Debian server in a co-location and just wanted to make sure I am properly testing this machine is not a 'open relay' before I open it out to the public:
>
> I was told to go to the following URL http://www.abuse.net/relay.html and I entered my external IP address in the 1st line and nothing else. After 17 tests, I get the following at the bottom:
>
> Relay test result
> All tests performed, no relays accepted.
>
> Does this mean I am safe? I read somewhere that in my main.cf I should have the following entry:
>
> relay_domains =

Yes, this is usually a good idea if you don't have relay_domains (a domain you are MX for, but final delivery is elsewhere).

> "relay_domains: is a list of destination domains this system will relay mail to.

Correct.

> By setting it to be blank we ensure that our mail server isn't acting as an open relay for untrusted networks.

Not exactly. The danger is that by default postfix will accept subdomains of domains listed in mydestination, which are then undeliverable and must be bounced.

An example:

mydestination = example.com

postfix will by default accept mail to any...@foo.example.com, which will be undeliverable and must be bounced, creating backscatter.

This is usually a minor problem, but it's easily fixed. It certainly isn't an open relay.

> The reader is advised to test that their system isn't acting as an open relay here: http://www.abuse.net/relay.html"

That's good advice, but it takes some real bone-headed moves to make postfix a real open relay.

> Now that being said, I don't have relay_domains entry in my main.cf however according to the site they recommend I test, I don't appear to be one. Do I need this entry in my main.cf or am I fine? Is there an other way to test for being an open relay or should I feel safe about this?

Add

relay_domains =

to your main.cf. It does prevent a minor problem.

> *postconf -n*

no glaring errors.

-- 
Noel Jones
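The subdomain behaviour described in the reply above, as an added Python sketch (not Postfix code and not from the thread): a simplified model of how a recipient domain is classified as local, relayable or unauthorised. It assumes the documented Postfix 2.6 defaults `relay_domains = $mydestination` and a `parent_domain_matches_subdomains` list that includes `relay_domains`; the function names and sample domains are constructed, and virtual domain classes are left out.

```python
"""Simplified model of Postfix destination classification (illustrative only)."""

# Documented defaults for the two settings that matter here (Postfix 2.6).
DEFAULTS = {
    "relay_domains": "$mydestination",
    "parent_domain_matches_subdomains": (
        "debug_peer_list,fast_flush_domains,mynetworks,"
        "permit_mx_backup_networks,qmqpd_authorized_clients,"
        "relay_domains,smtpd_access_maps"
    ),
}


def expand(value, params):
    """Split a main.cf list value and expand $name references recursively."""
    items = []
    for token in value.replace(",", " ").split():
        if token.startswith("$"):
            items.extend(expand(params.get(token[1:], ""), params))
        else:
            items.append(token.lower())
    return items


def domain_in_list(domain, patterns, parent_matches_subdomains):
    """Exact match, plus 'x.example.com matches example.com' when enabled."""
    domain = domain.lower()
    for pattern in patterns:
        if domain == pattern:
            return True
        if parent_matches_subdomains and domain.endswith("." + pattern):
            return True
    return False


def classify(rcpt_domain, main_cf):
    """Return 'local', 'relay' or 'reject' for a recipient domain.

    'relay' means the SMTP server accepts the mail and queues it for onward
    delivery; if that destination does not exist, the result is a bounce.
    """
    params = {**DEFAULTS, **main_cf}
    # mydestination is matched exactly: subdomains are not implied.
    if domain_in_list(rcpt_domain, expand(params["mydestination"], params), False):
        return "local"
    # relay_domains matches subdomains while it is listed in
    # parent_domain_matches_subdomains, which it is by default.
    parent = "relay_domains" in expand(
        params["parent_domain_matches_subdomains"], params)
    if domain_in_list(rcpt_domain, expand(params["relay_domains"], params), parent):
        return "relay"
    return "reject"


# Constructed main.cf fragments: default relay_domains vs. the suggested fix.
BEFORE = {"mydestination": "example.com, localhost"}
AFTER = {**BEFORE, "relay_domains": ""}

if __name__ == "__main__":
    for dom in ("example.com", "foo.example.com", "elsewhere.test"):
        print(f"{dom:18} default: {classify(dom, BEFORE):7} "
              f"relay_domains= : {classify(dom, AFTER)}")
```

Neither configuration accepts mail for `elsewhere.test`, which is why the external relay test passes either way; only the `foo.example.com` row changes.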
Re: warning: maildir access problem for UID/GID=4444/4444: create maildir file
On Wed, Jun 24, 2009 at 03:35:08AM -0700, Michael Wang wrote:
> Why i get permission denied error while i have set permission 777 ?

o Postfix may decline to use a mode 777 directory, try 1777 or a properly owned mode 0700 directory with a delivery agent running with a fixed user id and IMAP server reading the spool with the same id. The id in question must NOT be postfix.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.
Pre Queue Spam Assassin Advice
Hi List, I've been having some adventures with pre queue filtering with SpamAssassin. This has introduced me to 'milters' which look really interesting. I've been trying to set up suggested spamassassin milter (spamass-milter) but I'm find large gaps in my basic Linux understanding.I don't mind admitting that I'm stupid and need help at times. My question is more 'unix' than 'Postfix' but someone here will know. If I have a milter set up and it creates a 'unix socket' on start up, e.g. /home/mail/email/private/samilter then defining the milter in main.cf like this (bear in mind Postfix is running chrooted) smtpd_milters = unix:/private/samilte milter_default_action = tempfail Would set up the communications 'channel' via this socket to the MILTER. I have go this basic thing clear and right in my head? The reason I ask is the milter kicks off as root:root and I get this; Jun 24 11:40:30 mx1 postfix/smtpd[3880]: warning: connect to Milter service unix:/private/samilter: Permission denied This looks to be because the milter creates the socket with ownerships root:root. A quick debug 'chown postfix:postfix' on the socket and we see this when we get an incoming connection; Jun 24 11:42:56 mx1 postfix/smtpd[3946]: connect from 11-38-132-95.pool.ukrtel.net[95.132.38.11] Jun 24 11:42:56 mx1 spamass-milter[3603]: Could not retrieve sendmail macro i!. 
Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results but when an 'allowed' message runs through (having passed through CLAMAV first hence the 127.0.0.1 source) I get this; Jun 24 11:46:17 mx1 postfix/smtpd[4086]: connect from localhost[127.0.0.1] Jun 24 11:46:17 mx1 postfix/smtpd[4086]: warning: connect to Milter service unix:/private/samilter: No such file or directory Jun 24 11:46:17 mx1 postfix/smtpd[4086]: NOQUEUE: milter-reject: CONNECT from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP The milter stays running and other than this, there are no clues why smtpd could see the socket and then can't. My grasp of sockets and milters is weak - I've still lots to learn. I appreciate this is not 'strict Postfix' but am I missing something really really obvious ? Better still, I learn by doing, Can someone recommend a really simple pre-queue milter using a unix socket I can play with to troubleshoot my understand? The docs for the particular milter I've compiled don't appear to run past the 'readme' file in the source. AHA - my thanks as always to those much brighter than me.
Re: Pre Queue Spam Assassin Advice
On Wed, Jun 24, 2009 at 05:49:45PM +0100, Steve wrote: Hi List, I've been having some adventures with pre queue filtering with SpamAssassin. This has introduced me to 'milters' which look really interesting. I've been trying to set up suggested spamassassin milter (spamass-milter) but I'm find large gaps in my basic Linux understanding.I don't mind admitting that I'm stupid and need help at times. My question is more 'unix' than 'Postfix' but someone here will know. If I have a milter set up and it creates a 'unix socket' on start up, e.g. /home/mail/email/private/samilter then defining the milter in main.cf like this (bear in mind Postfix is running chrooted) smtpd_milters = unix:/private/samilte milter_default_action = tempfail /private/samilte != /home/mail/email/private/samiler -- Viktor.
Re: Pre Queue Spam Assassin Advice
On Wed, 2009-06-24 at 13:32 -0400, Victor Duchovni wrote: On Wed, Jun 24, 2009 at 05:49:45PM +0100, Steve wrote: Hi List, I've been having some adventures with pre queue filtering with SpamAssassin. This has introduced me to 'milters' which look really interesting. I've been trying to set up suggested spamassassin milter (spamass-milter) but I'm find large gaps in my basic Linux understanding.I don't mind admitting that I'm stupid and need help at times. My question is more 'unix' than 'Postfix' but someone here will know. If I have a milter set up and it creates a 'unix socket' on start up, e.g. /home/mail/email/private/samilter then defining the milter in main.cf like this (bear in mind Postfix is running chrooted) smtpd_milters = unix:/private/samilte milter_default_action = tempfail /private/samilte != /home/mail/email/private/samiler Postfix runs chrooted and the absolute would be incorrect. It's chrooted to /home/mail/email hence it is correct as far as I understand it.
Re: Pre Queue Spam Assassin Advice
On Wed, Jun 24, 2009 at 06:36:41PM +0100, EASY steve.h...@digitalcertainty.co.uk wrote: If I have a milter set up and it creates a 'unix socket' on start up, e.g. /home/mail/email/private/samilter then defining the milter in main.cf like this (bear in mind Postfix is running chrooted) smtpd_milters = unix:/private/samilte milter_default_action = tempfail /private/samilte != /home/mail/email/private/samilter Postfix runs chrooted and the absolute would be incorrect. It's chrooted to /home/mail/email hence it is correct as far as I understand it. Note, the difference is more than just the path prefix. -- Viktor.
Re: Pre Queue Spam Assassin Advice
On Wed, 2009-06-24 at 13:46 -0400, Victor Duchovni wrote: On Wed, Jun 24, 2009 at 06:36:41PM +0100, EASY steve.h...@digitalcertainty.co.uk wrote: If I have a milter set up and it creates a 'unix socket' on start up, e.g. /home/mail/email/private/samilter then defining the milter in main.cf like this (bear in mind Postfix is running chrooted) smtpd_milters = unix:/private/samilte milter_default_action = tempfail /private/samilte != /home/mail/email/private/samilter Postfix runs chrooted and the absolute would be incorrect. It's chrooted to /home/mail/email hence it is correct as far as I understand it. Note, the difference is more than just the path prefix. That was just a pasting typo. Apologies. It is correct on the box (samilter)
Re: Pre Queue Spam Assassin Advice
On Wed, Jun 24, 2009 at 06:54:37PM +0100, Steve wrote:
>>>>> milter_default_action = tempfail
>>>>
>>>> /private/samilte != /home/mail/email/private/samilter
>>>
>>> Postfix runs chrooted and the absolute would be incorrect. It's chrooted to /home/mail/email hence it is correct as far as I understand it.
>>
>> Note, the difference is more than just the path prefix.
>
> That was just a pasting typo. Apologies. It is correct on the box (samilter)

It looks like some of your smtpd(8) master.cf entries are chrooted and others are not. You should use the unchrooted pathname in both cases, and make a symlink:

/home/mail/email/home/mail/email -> /

so that the same pathname works in both cases.

-- 
Viktor.
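Why the symlink in the reply above makes one pathname work for both chrooted and unchrooted smtpd(8) processes, as an added Python sketch (not from the thread): it rebuilds the directory layout under a temporary directory and resolves paths the way a process jailed in `/home/mail/email` would, so it needs no root privileges. The resolver function, the regular file standing in for the milter socket and the temporary layout are all constructed for illustration.

```python
"""Path resolution inside and outside a chroot, simulated in a temp directory."""
import os
import tempfile

# The two pathnames from the thread that could follow "unix:" in smtpd_milters.
MILTER_PATHS = ("/private/samilter", "/home/mail/email/private/samilter")


def resolve_in_chroot(root, path, max_links=40):
    """Resolve absolute `path` as seen by a process whose root is `root`.

    Returns the real location it ends up at. An absolute symlink target
    restarts at the jail root, and '..' cannot climb above the jail root.
    """
    pending = [p for p in path.split("/") if p]
    done = []          # resolved components, relative to the jail root
    links = 0
    while pending:
        part = pending.pop(0)
        if part == ".":
            continue
        if part == "..":
            if done:
                done.pop()
            continue
        candidate = os.path.join(root, *done, part)
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)
            if target.startswith("/"):
                done = []              # "/" means the jail root in here
            pending = [p for p in target.split("/") if p] + pending
        else:
            done.append(part)
    return os.path.join(root, *done)


def probe(with_symlink):
    """Report which (view, pathname) pairs reach the milter socket."""
    with tempfile.TemporaryDirectory() as base:      # stands in for the real /
        jail = os.path.join(base, "home", "mail", "email")
        os.makedirs(os.path.join(jail, "private"))
        sock = os.path.join(jail, "private", "samilter")
        open(sock, "w").close()                      # stand-in for the socket
        if with_symlink:
            # Inside the jail: home/mail/email -> /
            os.makedirs(os.path.join(jail, "home", "mail"))
            os.symlink("/", os.path.join(jail, "home", "mail", "email"))
        result = {}
        for view, root in (("unchrooted", base), ("chrooted", jail)):
            for path in MILTER_PATHS:
                real = resolve_in_chroot(root, path)
                result[(view, path)] = (
                    os.path.exists(real) and os.path.samefile(real, sock))
        return result


if __name__ == "__main__":
    for with_symlink in (False, True):
        print("symlink present:", with_symlink)
        for (view, path), ok in probe(with_symlink).items():
            print(f"  {view:10} unix:{path:36} {'found' if ok else 'ENOENT'}")
```

Without the symlink each pathname works for only one kind of smtpd process, which matches the "No such file or directory" warning logged for the localhost connection; with it, the full pathname reaches the socket from both.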
Re: Pre Queue Spam Assassin Advice
On Wed, 2009-06-24 at 14:02 -0400, Victor Duchovni wrote: On Wed, Jun 24, 2009 at 06:54:37PM +0100, Steve wrote: milter_default_action = tempfail /private/samilte != /home/mail/email/private/samilter Postfix runs chrooted and the absolute would be incorrect. It's chrooted to /home/mail/email hence it is correct as far as I understand it. Note, the difference is more than just the path prefix. That was just a pasting typo. Apologies. It is correct on the box (samilter) It looks like some of your smtpd(8) master.cf entries are chrooted and others are not. You should use the unchrooted pathname in both cases, and make a symlink: /home/mail/email/home/mail/email - / so that the same pathname works in both cases. That sounds plausible enough to me. I'm sure I read that symlinks and chrooting was carnage - but I'm willing to give anything a go. It's not going to bring down the space station :-) My only confusion is where do I put the symlink. To make matters a struggle for me I'm dyslexic so please forgive me a little as I'm struggling to follow this: /home/mail/email/home/mail/email - I see the same things twice and this locks me up a bit. For my own clarity (I'll adapt this when I unscramble it) I guess it would be OK to make a symlink to the socket thus; LINK POINTS TO: /home/mail/email/private/samilter WHERE DO I 'PUT' LINK? Where does the link need to be -v- the duplication in the path is confusing me. ln -s /home/mail/email/private/samilter / # run from /home/mail/email ???
Incoming smtp: 554 Access Denied
Howdy,

I've seen error "Client host rejected: Access denied" in many other postings, but more than a day of reading has not led me to a solution. A client is having issues sending mail to our server. I investigated and found that postfix was rejecting the sending server with:

NOQUEUE: reject: RCPT from bb02d1.eurorscg.com[69.74.116.40]: 554 5.7.1 bb02d1.eurorscg.com[69.74.116.40]: Client host rejected: Access denied;

I assume (possibly incorrectly) that error 554 is only raised due to the smtpd_recipient_restrictions. Looking at my settings I did not see anything that would deny the host bb02d1.eurorscg.com[69.74.116.40], but as a good measure I added a whitelist.

This is my whitelist:

69.74.116.40 OK

I ran postmap on the whitelist to create whitelist.db

These are now my current settings from main.cf

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_client_access hash:/usr/local/etc/postfix/whitelist
    reject_rbl_client sbl.spamhaus.org
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit

After postfix reload and 12 hours of waiting I noticed the problem is still here.

These are the relevant lines from maillog:

Jun 24 09:30:50 mail postfix/smtpd[44853]: connect from bb02d1.eurorscg.com[69.74.116.40]
Jun 24 09:30:50 mail postfix/smtpd[44853]: setting up TLS connection from bb02d1.eurorscg.com[69.74.116.40]
Jun 24 09:30:50 mail postfix/smtpd[44853]: Anonymous TLS connection established from bb02d1.eurorscg.com[69.74.116.40]: SSLv3 with cipher RC4-MD5 (128/128 bits)
Jun 24 09:30:50 mail postfix/smtpd[44853]: NOQUEUE: reject: RCPT from bb02d1.eurorscg.com[69.74.116.40]: 554 5.7.1 bb02d1.eurorscg.com[69.74.116.40]: Client host rejected: Access denied; from=XREMOVEDX@eurorscg.com to=xremov...@psyop.tv proto=ESMTP helo=bb02d1.eurorscg.com
Jun 24 09:30:50 mail postfix/smtpd[44853]: disconnect from bb02d1.eurorscg.com[69.74.116.40]

Inspecting the DNS records for the domain eurorscg.com I discovered that bb02d1.eurorscg.com is not listed as an MX. I am not sure if this is related.

eurorscg.com. 13 IN MX 10 eurorscg.com.1.arsmtp.com.
eurorscg.com. 13 IN MX 20 eurorscg.com.2.arsmtp.com.

I don't know how to troubleshoot this further. Where is the "Access denied" error coming from? Any help would be appreciated.

Cheers,
jesse
Re: Pre Queue Spam Assassin Advice
EASY steve.h...@digitalcertainty.co.uk wrote: On Wed, 2009-06-24 at 14:02 -0400, Victor Duchovni wrote: On Wed, Jun 24, 2009 at 06:54:37PM +0100, Steve wrote: milter_default_action = tempfail /private/samilte != /home/mail/email/private/samilter Postfix runs chrooted and the absolute would be incorrect. It's chrooted to /home/mail/email hence it is correct as far as I understand it. Note, the difference is more than just the path prefix. That was just a pasting typo. Apologies. It is correct on the box (samilter) It looks like some of your smtpd(8) master.cf entries are chrooted and others are not. You should use the unchrooted pathname in both cases, and make a symlink: /home/mail/email/home/mail/email - / so that the same pathname works in both cases. That sounds plausible enough to me. I'm sure I read that symlinks and chrooting was carnage - but I'm willing to give anything a go. It's not going to bring down the space station :-) My only confusion is where do I put the symlink. To make matters a struggle for me I'm dyslexic so please forgive me a little as I'm struggling to follow this: /home/mail/email/home/mail/email - I see the same things twice and this locks me up a bit. For my own clarity (I'll adapt this when I unscramble it) I guess it would be OK to make a symlink to the socket thus; LINK POINTS TO: /home/mail/email/private/samilter WHERE DO I 'PUT' LINK? Where does the link need to be -v- the duplication in the path is confusing me. ln -s /home/mail/email/private/samilter / # run from /home/mail/email ??? I find it easier to use inet: sockets rather than unix: sockets for milters. No chroot, path or permission issues... -- Noel Jones
Re: Incoming smtp: 554 Access Denied
Jesse Kretschmer wrote:
> Howdy,
> I've seen error "Client host rejected: Access denied" in many other postings, but more than a day of reading has not led me to a solution. A client is having issues sending mail to our server. I investigated and found that postfix was rejecting the sending server with:
>
> NOQUEUE: reject: RCPT from bb02d1.eurorscg.com[69.74.116.40]: 554 5.7.1 bb02d1.eurorscg.com[69.74.116.40]: Client host rejected: Access denied;

This looks like a REJECT from a check_client_access table.

> I assume (possibly incorrectly) that error 554 is only raised due to the smtpd_recipient_restrictions.

No, the offending rule can be in any of the smtpd_{client, helo, sender, recipient}_restrictions sections.

> Looking at my settings I did not see anything that would deny the host bb02d1.eurorscg.com[69.74.116.40], but as a good measure I added a whitelist.
>
> This is my whitelist:
> 69.74.116.40 OK

... probably in the wrong place. The whitelist must be before the offending rule.

For more help, show output of postconf -n

-- 
Noel Jones
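The point in the reply above about rule placement, as an added Python sketch (not Postfix code and not from the thread): it parses `postconf -n` style text and walks the four restriction lists in the order smtpd(8) applies them at RCPT TO, showing that an `OK` only ends the list it appears in while a `REJECT` in any list is final. The configuration, the `client_block` table, the client name and the addresses are constructed, since the poster's full `postconf -n` output is not shown; only `check_client_access`, `permit` and `reject` are modelled, and every other restriction is treated as having no opinion.

```python
"""Which restriction list decides a RCPT TO? Simplified model, constructed data."""

# Evaluation order with the default smtpd_delay_reject = yes.
STAGES = ["smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_recipient_restrictions"]

WHITELIST = "hash:/usr/local/etc/postfix/whitelist"
BLOCKLIST = "hash:/usr/local/etc/postfix/client_block"   # hypothetical table

# Constructed table contents (RFC 5737 address, example domain).
TABLES = {WHITELIST: {"192.0.2.40": "OK"},
          BLOCKLIST: {"example.net": "REJECT"}}

RECIPIENT_LIST = f"""smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated reject_unauth_destination
    check_client_access {WHITELIST}
    reject_rbl_client sbl.spamhaus.org permit
"""
# Whitelist only in the recipient list: too late to help.
CONFIG_BROKEN = (f"smtpd_client_restrictions = check_client_access {BLOCKLIST}\n"
                 + RECIPIENT_LIST)
# Whitelist placed before the rejecting table, in the same list.
CONFIG_FIXED = (f"smtpd_client_restrictions = check_client_access {WHITELIST}\n"
                f"    check_client_access {BLOCKLIST}\n" + RECIPIENT_LIST)


def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params


def restrictions(value):
    """Split a restriction list into (name, argument) pairs."""
    tokens = value.replace(",", " ").split()
    pairs = []
    while tokens:
        name = tokens.pop(0)
        takes_arg = name.startswith(("check_", "reject_rbl_", "reject_rhsbl_"))
        pairs.append((name, tokens.pop(0) if takes_arg and tokens else ""))
    return pairs


def client_keys(hostname, ip):
    """Lookup keys in access(5) order: name, parent domains, address, networks."""
    labels, octets = hostname.split("."), ip.split(".")
    return ([hostname]
            + [".".join(labels[i:]) for i in range(1, len(labels))]
            + [".".join(octets[:n]) for n in range(4, 0, -1)])


def evaluate(config_text, hostname, ip):
    """Return (list name, restriction, action) for the rule that rejects,
    or (None, None, 'PERMIT') when no list rejects."""
    params = parse_postconf(config_text)
    for stage in STAGES:
        for name, arg in restrictions(params.get(stage, "")):
            action = "DUNNO"                      # unmodelled rules: no opinion
            if name == "check_client_access":
                table = TABLES.get(arg, {})
                hit = next((k for k in client_keys(hostname, ip) if k in table), None)
                action = table[hit].upper() if hit else "DUNNO"
            elif name in ("permit", "reject"):
                action = "OK" if name == "permit" else "REJECT"
            if action == "REJECT":
                return stage, f"{name} {arg}".strip(), "REJECT"
            if action == "OK":
                break                             # ends this list only
    return None, None, "PERMIT"


if __name__ == "__main__":
    for label, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        print(label, evaluate(cfg, "relay1.example.net", "192.0.2.40"))
```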
Re: Incoming smtp: 554 Access Denied
* Noel Jones njo...@megan.vbhcs.org: Jesse Kretschmer wrote: Howdy, I've seen error Client host rejected: Access denied in many other postings, but more than a day of reading has not led me to a solution. A client is having issues sending mail to our server. I investigated and found that postfix was rejecting the sending server with: NOQUEUE: reject: RCPT from bb02d1.eurorscg.com[69.74.116.40]: 554 5.7.1 bb02d1.eurorscg.com[69.74.116.40]: Client host rejected: Access denied; This looks like a REJECT from a check_client_access table. I agree -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: Incoming smtp: 554 Access Denied
> These are now my current settings from main.cf

Show postconf -n output.

> Jun 24 09:30:50 mail postfix/smtpd[44853]: NOQUEUE: reject: RCPT from bb02d1.eurorscg.com[69.74.116.40]: 554 5.7.1 bb02d1.eurorscg.com[69.74.116.40]: Client host rejected: Access denied; from=xremov...@eurorscg.com to=xremov...@psyop.tv proto=ESMTP helo=bb02d1.eurorscg.com

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Incoming smtp: 554 Access Denied
On Jun 24, 2009, at 2:23 PM, Jesse Kretschmer je...@psyop.tv wrote: Howdy, I've seen error Client host rejected: Access denied in many other postings, but more than a day of reading has not led me to a solution. A client is having issues sending mail to our server. I investigated and found that postfix was rejecting the sending server with: NOQUEUE: reject: RCPT from bb02d1.eurorscg.com[69.74.116.40]: 554 5.7.1 bb02d1.eurorscg.com[69.74.116.40]: Client host rejected: Access denied; I assume (possibly incorrectly) that error 554 is only raised due to the smtpd_recipient_restrictions. Looking at my settings I did not see anything that would deny the host bb02d1.eurorscg.com[69.74.116.40], but as a good measure I added a whitelist. This is my whitelist: 69.74.116.40 OK I ran postmap on the whitelist to create whitelist.db These are now my current settings from main.cf Can you please show output of 'postconf -n'? smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_client_access hash:/usr/local/etc/postfix/whitelist reject_rbl_client sbl.spamhaus.org reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit After postfix reload and 12 hours of waiting I noticed the problem is still here. Reloading unnecessary if Postfix was already querying the whitelist. 
These are the relevant lines from maillog:

    Jun 24 09:30:50 mail postfix/smtpd[44853]: connect from bb02d1.eurorscg.com[69.74.116.40]
    Jun 24 09:30:50 mail postfix/smtpd[44853]: setting up TLS connection from bb02d1.eurorscg.com[69.74.116.40]
    Jun 24 09:30:50 mail postfix/smtpd[44853]: Anonymous TLS connection established from bb02d1.eurorscg.com[69.74.116.40]: SSLv3 with cipher RC4-MD5 (128/128 bits)
    Jun 24 09:30:50 mail postfix/smtpd[44853]: NOQUEUE: reject: RCPT from bb02d1.eurorscg.com[69.74.116.40]: 554 5.7.1 bb02d1.eurorscg.com[69.74.116.40]: Client host rejected: Access denied; from=xremov...@eurorscg.com to=xremov...@psyop.tv proto=ESMTP helo=bb02d1.eurorscg.com
    Jun 24 09:30:50 mail postfix/smtpd[44853]: disconnect from bb02d1.eurorscg.com[69.74.116.40]

Inspecting the DNS records for the domain eurorscg.com I discovered that bb02d1.eurorscg.com is not listed as an MX. I am not sure if this is related.

    eurorscg.com. 13 IN MX 10 eurorscg.com. 1.arsmtp.com.
    eurorscg.com. 13 IN MX 20 eurorscg.com. 2.arsmtp.com.

Irrelevant. Many outgoing SMTP hosts are not public incoming MX servers as published in DNS. See GMail as one example. I don't know how to troubleshoot this further. Where is the Access denied error coming from? Any help would be appreciated. Cheers, jesse
Re: Pre Queue Spam Assassin Advice
On Wed, 2009-06-24 at 13:29 -0500, Noel Jones wrote: EASY steve.h...@digitalcertainty.co.uk wrote: On Wed, 2009-06-24 at 14:02 -0400, Victor Duchovni wrote: On Wed, Jun 24, 2009 at 06:54:37PM +0100, Steve wrote: milter_default_action = tempfail /private/samilte != /home/mail/email/private/samilter Postfix runs chrooted and the absolute would be incorrect. It's chrooted to /home/mail/email hence it is correct as far as I understand it. Note, the difference is more than just the path prefix. That was just a pasting typo. Apologies. It is correct on the box (samilter) It looks like some of your smtpd(8) master.cf entries are chrooted and others are not. You should use the unchrooted pathname in both cases, and make a symlink: /home/mail/email/home/mail/email - / so that the same pathname works in both cases. That sounds plausible enough to me. I'm sure I read that symlinks and chrooting was carnage - but I'm willing to give anything a go. It's not going to bring down the space station :-) My only confusion is where do I put the symlink. To make matters a struggle for me I'm dyslexic so please forgive me a little as I'm struggling to follow this: /home/mail/email/home/mail/email - I see the same things twice and this locks me up a bit. For my own clarity (I'll adapt this when I unscramble it) I guess it would be OK to make a symlink to the socket thus; LINK POINTS TO: /home/mail/email/private/samilter WHERE DO I 'PUT' LINK? Where does the link need to be -v- the duplication in the path is confusing me. ln -s /home/mail/email/private/samilter / # run from /home/mail/email ??? I find it easier to use inet: sockets rather than unix: sockets for milters. No chroot, path or permission issues... -- Noel Jones The milter concerned does not offer that facility.
Re: Incoming smtp: 554 Access Denied
Thanks for the many quick responses. I should have started with this:

    # postconf -n
    broken_sasl_auth_clients = yes
    command_directory = /usr/local/sbin
    config_directory = /usr/local/etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/local/libexec/postfix
    data_directory = /var/db/postfix
    debug_peer_level = 2
    delay_warning_time = 10m
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailq_path = /usr/local/bin/mailq
    manpage_directory = /usr/local/man
    maximal_queue_lifetime = 2d
    message_size_limit = 2048
    mydestination = $myhostname, localhost.$mydomain, localhost
    mydomain = psyop.com
    myhostname = mail.psyop.com
    mynetworks = 10.0.0.0/8, 192.168.0.0/16, 172.29.0.0/16, 127.0.0.1/32
    myorigin = $myhostname
    newaliases_path = /usr/local/bin/newaliases
    proxy_interfaces = 67.111.178.66
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    queue_directory = /var/spool/postfix
    readme_directory = no
    relay_domains = $mydestination
    sample_directory = /usr/local/etc/postfix
    sendmail_path = /usr/local/sbin/sendmail
    setgid_group = maildrop
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname permit
    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_client_access hash:/usr/local/etc/postfix/whitelist reject_rbl_client sbl.spamhaus.org reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
    smtpd_tls_CAfile = /etc/ssl/postfix/smtpd-comodo.pem
    smtpd_tls_cert_file = /etc/ssl/postfix/smtpd-comodo.pem
    smtpd_tls_key_file = /etc/ssl/postfix/smtpd-comodo.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    soft_bounce = no
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/usr/local/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:125
    virtual_mailbox_base = /usr/local/virtual
    virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_limit = 5120
    virtual_mailbox_limit_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
    virtual_minimum_uid = 125
    virtual_overquota_bounce = yes
    virtual_transport = virtual
    virtual_uid_maps = static:125
Re: Incoming smtp: 554 Access Denied
* Jesse Kretschmer je...@psyop.tv: Thanks for the many quick responses. I should have started with this: # postconf -n Nothing in here could cause what you see. Show master.cf please smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_client_access hash:/usr/local/etc/postfix/whitelist An entry in /usr/local/etc/postfix/whitelist could cause a rejection -- Ralf Hildebrandt
Re: Pre Queue Spam Assassin Advice
On Wed, Jun 24, 2009 at 07:20:00PM +0100, EASY steve.h...@digitalcertainty.co.uk wrote: It looks like some of your smtpd(8) master.cf entries are chrooted and others are not. You should use the unchrooted pathname in both cases, and make a symlink: /home/mail/email/home/mail/email - / so that the same pathname works in both cases. That sounds plausible enough to me. I'm sure I read that symlinks and chrooting was carnage - but I'm willing to give anything a go. It's not going to bring down the space station :-) My only confusion is where do I put the symlink. To make matters a struggle for me I'm dyslexic so please forgive me a little as I'm struggling to follow this: /home/mail/email/home/mail/email - I see the same things twice and this locks me up a bit. Exactly as written, the symlink is /home/mail/email/home/mail/email and it points to /.

    # mkdir -p /home/mail/email/home/mail
    # ln -s / /home/mail/email/home/mail/email

in the chroot jail, this results in /home/mail/email/private/foo being the same as /private/foo. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: Incoming smtp: 554 Access Denied
Ralf Hildebrandt wrote: Nothing in here could cause what you see. Show master.cf please

    [r...@mail ~]# sed -e '/^#/d' -e '/^\s*$/d' /usr/local/etc/postfix/main.cf
    soft_bounce = no
    content_filter=smtp-amavis:[127.0.0.1]:10024
    queue_directory = /var/spool/postfix
    command_directory = /usr/local/sbin
    daemon_directory = /usr/local/libexec/postfix
    data_directory = /var/db/postfix
    mail_owner = postfix
    myhostname = mail.psyop.com
    mydomain = psyop.com
    myorigin = $myhostname
    inet_interfaces = all
    proxy_interfaces = 67.111.178.66
    mydestination = $myhostname, localhost.$mydomain, localhost
    unknown_local_recipient_reject_code = 550
    mynetworks = 10.0.0.0/8, 192.168.0.0/16, 172.29.0.0/16, 127.0.0.1/32
    relay_domains = $mydestination
    message_size_limit = 2048
    smtpd_banner = $myhostname ESMTP $mail_name
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id sleep 5
    sendmail_path = /usr/local/sbin/sendmail
    newaliases_path = /usr/local/bin/newaliases
    mailq_path = /usr/local/bin/mailq
    setgid_group = maildrop
    html_directory = no
    manpage_directory = /usr/local/man
    sample_directory = /usr/local/etc/postfix
    readme_directory = no
    broken_sasl_auth_clients = yes
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_client_access hash:/usr/local/etc/postfix/whitelist reject_rbl_client sbl.spamhaus.org reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname permit
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/ssl/postfix/smtpd-comodo.pem
    smtpd_tls_cert_file = /etc/ssl/postfix/smtpd-comodo.pem
    smtpd_tls_CAfile = /etc/ssl/postfix/smtpd-comodo.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:125
    virtual_mailbox_base = /usr/local/virtual
    virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_limit = 5120
    virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_minimum_uid = 125
    virtual_transport = virtual
    virtual_uid_maps = static:125
    virtual_create_maildirsize = yes
    virtual_mailbox_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
    virtual_overquota_bounce = yes
    transport_maps = hash:/usr/local/etc/postfix/transport
    vacation_destination_recipient_limit = 1
    maximal_queue_lifetime = 2d
    delay_warning_time = 10m

An entry in /usr/local/etc/postfix/whitelist could cause a rejection

    [r...@mail ~]# cat /usr/local/etc/postfix/whitelist
    69.74.116.40 OK

Thanks for looking. -jesse
Re: Incoming smtp: 554 Access Denied
* Jesse Kretschmer je...@psyop.tv: Ralf Hildebrandt wrote: Nothing in here could cause what you see. Show master.cf please [r...@mail ~]# sed -e '/^#/d' -e '/^\s*$/d' /usr/local/etc/postfix/main.cf This hardly shows master.cf :) -- Ralf Hildebrandt
Re: Incoming smtp: 554 Access Denied
Ralf Hildebrandt wrote: * Jesse Kretschmer je...@psyop.tv: Ralf Hildebrandt wrote: Nothing in here could cause what you see. Show master.cf please [r...@mail ~]# sed -e '/^#/d' -e '/^\s*$/d' /usr/local/etc/postfix/main.cf This hardly shows master.cf :)

Oops. I've never actually touched the master.cf file, so when I read the line, I just assumed main.cf. Thanks for bearing with me. Without further ado:

    # sed -e '/^#/d' -e '/^\s*$/d' /usr/local/etc/postfix/master.cf
    smtp inet n - n - - smtpd
    smtps inet n - n - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    pickup fifo n - n 60 1 pickup
    cleanup unix n - n - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    tlsmgr unix - - n 1000? 1 tlsmgr
    rewrite unix - - n - - trivial-rewrite
    bounce unix - - n - 0 bounce
    defer unix - - n - 0 bounce
    trace unix - - n - 0 bounce
    verify unix - - n - 1 verify
    flush unix n - n 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - n - - smtp
    relay unix - - n - - smtp
      -o smtp_fallback_relay=
    showq unix n - n - - showq
    error unix - - n - - error
    retry unix - - n - - error
    discard unix - - n - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - n - - lmtp
    anvil unix - - n - 1 anvil
    scache unix - - n - 1 scache
    vacation unix - n n - - pipe
      flags=DRhu user=vacation argv=/var/spool/vacation/vacation.pl
    smtp-amavis unix - - n - 2 smtp
      -o smtp_data_done_timeout=2400
      -o smtp_send_xforward_command=yes
      -o disable_dns_lookups=yes
      -o max_use=20
    127.0.0.1:10025 inet n - n - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_delay_reject=no
      -o smtpd_client_restrictions=permit_mynetworks,reject
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks_style=host
      -o mynetworks=127.0.0.0/8
      -o strict_rfc821_envelopes=yes
      -o smtpd_error_sleep_time=0
      -o smtpd_soft_error_limit=1001
      -o smtpd_hard_error_limit=1000
      -o smtpd_client_connection_count_limit=0
      -o smtpd_client_connection_rate_limit=0
      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
Re: Incoming smtp: 554 Access Denied
* Jesse Kretschmer je...@psyop.tv: Oops. I've never actually touched the master.cf file, so when I read the line, I just assumed main.cf. Thanks for bearing with me. Without further ado: # sed -e '/^#/d' -e '/^\s*$/d' /usr/local/etc/postfix/master.cf smtp inet n - n - - smtpd smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject THIS could be the problem. This would cause the reject as you see it in the log :) -- Ralf Hildebrandt
Re: Incoming smtp: 554 Access Denied
Jesse Kretschmer wrote: Thanks for the many quick responses. I should have started with this: # postconf -n delay_warning_time = 10m Quite short, but won't break anything. maximal_queue_lifetime = 2d recommended minimum is 3 days, default is 5 days. If you have lots of undeliverable mail in your queue, address the source of the undeliverable mail instead of covering up the symptoms. mydestination = $myhostname, localhost.$mydomain, localhost OK. mydomain = psyop.com http://psyop.com myhostname = mail.psyop.com http://mail.psyop.com mynetworks = 10.0.0.0/8 http://10.0.0.0/8, 192.168.0.0/16 http://192.168.0.0/16, 172.29.0.0/16 http://172.29.0.0/16, 127.0.0.1/32 http://127.0.0.1/32 Your HTML message makes this a little hard to read. Plain text only please. relay_domains = $mydestination this should be set empty unless you really have relay domains (ie. subdomains of domains listed in mydestination that are accepted but delivered elsewhere). smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname permit I see you have reject_invalid_hostname duplicated in smtpd_recipient_restrictions. Just remove all the above. smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_client_access hash:/usr/local/etc/postfix/whitelist reject_rbl_client sbl.spamhaus.org http://sbl.spamhaus.org reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit OK. Nothing here to cause the rejection you reported. I see Ralf is looking at your master.cf, we'll see what he says. -- Noel Jones
Re: Pre Queue Spam Assassin Advice
On Wed, 2009-06-24 at 14:58 -0400, Victor Duchovni wrote: On Wed, Jun 24, 2009 at 07:20:00PM +0100, EASY steve.h...@digitalcertainty.co.uk wrote: It looks like some of your smtpd(8) master.cf entries are chrooted and others are not. You should use the unchrooted pathname in both cases, and make a symlink: /home/mail/email/home/mail/email - / so that the same pathname works in both cases. That sounds plausible enough to me. I'm sure I read that symlinks and chrooting was carnage - but I'm willing to give anything a go. It's not going to bring down the space station :-) My only confusion is where do I put the symlink. To make matters a struggle for me I'm dyslexic so please forgive me a little as I'm struggling to follow this: /home/mail/email/home/mail/email - I see the same things twice and this locks me up a bit. Exactly as written, the symlink is /home/mail/email/home/mail/email and it points to /. # mkdir -p /home/mail/email/home/mail # ln -s / /home/mail/email/home/mail/email in the chroot jail, this results in /home/mail/email/private/foo being the same as /private/foo. Thank you Viktor. After typing it out I finally *got* it. It's about what it looks like resolving from inside the jail. The fix works just fine. I no longer get any issues connecting to it and mail flow works. I can't thank you enough Sir. Sincerely - my most grateful thanks to you for taking your time to help me with something trivial. Steve
Re: Pre Queue Spam Assassin Advice
On Wed, Jun 24, 2009 at 08:29:42PM +0100, Steve wrote: My only confusion is where do I put the symlink. To make matters a struggle for me I'm dyslexic so please forgive me a little as I'm struggling to follow this: /home/mail/email/home/mail/email - I see the same things twice and this locks me up a bit. Exactly as written, the symlink is /home/mail/email/home/mail/email and it points to /. # mkdir -p /home/mail/email/home/mail # ln -s / /home/mail/email/home/mail/email in the chroot jail, this results in /home/mail/email/private/foo being the same as /private/foo. Thank you Viktor. After typing it out I finally *got* it. It's about what it looks like resolving from inside the jail. The fix works just fine. I no longer get any issues connecting to it and mail flow works. I can't thank you enough Sir. Sincerely - my most grateful thanks to you for taking your time to help me with something trivial. Some people will set the link to point to ../.. which makes it work even from outside the jail, but there is not much point. Another thing to consider is whether you really need the milter in both contexts. It sounds like you also have a content filter, and mail is subjected to milters on both sides of the content filter, it is not clear this is what you need, though there are plausible use cases for doing this. -- Viktor.
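The two symlink targets discussed above ("/" and "../..") can be compared without root privileges by resolving paths the way a chrooted process would. This is an added example, not code from the thread; it assumes a throwaway temporary directory standing in for the /home/mail/email jail and an empty file standing in for the samilter socket, and all function names are hypothetical.

```python
import os
import shutil
import tempfile


def resolve_in_jail(jail, path, max_links=40):
    """Resolve absolute `path` as a process chrooted to `jail` would see it.

    Absolute symlink targets restart at the jail root and '..' cannot climb
    above it. Returns the real (outside-the-jail) path of the result.
    """
    parts = [p for p in path.split("/") if p]
    current = []                      # resolved components below the jail root
    links = 0
    while parts:
        part = parts.pop(0)
        if part == ".":
            continue
        if part == "..":
            if current:
                current.pop()         # '..' at the jail root stays at the root
            continue
        real = os.path.join(jail, *current, part)
        if os.path.islink(real):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(real)
            if target.startswith("/"):
                current = []          # absolute target: back to the jail root
            parts = [p for p in target.split("/") if p] + parts
        else:
            current.append(part)
    return os.path.join(jail, *current) if current else jail


def build_jail(link_target):
    """Create a temporary jail containing private/samilter and the symlink
    home/mail/email -> link_target. Returns the jail's real path."""
    jail = os.path.realpath(tempfile.mkdtemp(prefix="jail-"))
    os.makedirs(os.path.join(jail, "private"))
    # Constructed stand-in for the milter socket.
    open(os.path.join(jail, "private", "samilter"), "w").close()
    os.makedirs(os.path.join(jail, "home", "mail"))
    os.symlink(link_target, os.path.join(jail, "home", "mail", "email"))
    return jail


def check_link(link_target):
    """Return (works_inside, works_outside) for one symlink target.

    inside:  the unchrooted pathname /home/mail/email/private/samilter,
             resolved from within the jail, reaches the socket.
    outside: the doubled pathname <jail>/home/mail/email/private/samilter,
             resolved without chroot, reaches the socket.
    """
    jail = build_jail(link_target)
    try:
        socket_path = os.path.join(jail, "private", "samilter")
        inside = resolve_in_jail(jail, "/home/mail/email/private/samilter")
        outside = os.path.realpath(os.path.join(
            jail, "home", "mail", "email", "private", "samilter"))
        return inside == socket_path, outside == socket_path
    finally:
        shutil.rmtree(jail)           # removes the symlink itself, not its target


if __name__ == "__main__":
    for target in ("/", "../.."):
        print(target, check_link(target))
```

Both targets make the unchrooted pathname work inside the jail; only "../.." also resolves to the socket when the doubled pathname is followed from outside.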
Re: Incoming smtp: 554 Access Denied
Ralf Hildebrandt wrote: * Jesse Kretschmer je...@psyop.tv: Oops. I've never actually touched the master.cf file, so when I read the line, I just assumed main.cf. Thanks for bearing with me. Without further ado: # sed -e '/^#/d' -e '/^\s*$/d' /usr/local/etc/postfix/master.cf smtp inet n - n - - smtpd smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject THIS could be the problem. This would cause the reject as you see it in the log :) Jesse, You may find it helpful to add -o syslog_name=postfix-smtps to the above options to differentiate logging from the smtps service. -- Noel Jones
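Per-service -o overrides in master.cf, such as the smtps entry quoted above, replace the main.cf value for that service only and are not listed by postconf -n. The following added example (not code from the thread) lists every smtpd service that overrides an smtpd_*_restrictions list, whether the list ends in a bare reject, and whether the service sets syslog_name; the sample input is constructed from three entries of the master.cf posted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: three entries from the master.cf posted in the thread,
# laid out with one option per continuation line.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
smtp      inet  n  -  n  -  -  smtpd
smtps     inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""

RESTRICTION_PARAM = re.compile(r"^smtpd_\w+_restrictions$")


def logical_lines(text):
    """Join continuation lines (those starting with whitespace) onto the
    previous entry and drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_services(text):
    """Return one dict per service entry: name, type, command, -o overrides."""
    services = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue                  # not a well-formed service entry
        args = fields[8:]
        overrides = {}
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                overrides[key] = value
                i += 2
            else:
                i += 1
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "overrides": overrides})
    return services


def restriction_overrides(text):
    """List (service, parameter, value, ends_in_reject, has_syslog_name) for
    every smtpd service that overrides an smtpd_*_restrictions list."""
    findings = []
    for svc in parse_services(text):
        if svc["command"] != "smtpd":
            continue
        for key, value in svc["overrides"].items():
            if not RESTRICTION_PARAM.match(key):
                continue
            rules = [r for r in re.split(r"[,\s]+", value) if r]
            ends_in_reject = bool(rules) and rules[-1] == "reject"
            findings.append((svc["name"], key, value, ends_in_reject,
                             "syslog_name" in svc["overrides"]))
    return findings


if __name__ == "__main__":
    for name, key, value, rejects, tagged in restriction_overrides(SAMPLE_MASTER_CF):
        note = "ends in reject" if rejects else "no final reject"
        log = "has syslog_name" if tagged else "no syslog_name"
        print(f"{name}: {key}={value} ({note}; {log})")
```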
Slowly drain the active queue
Hi, I'm trying to understand how I can control postfix active queue. We ran into a problem where our back end LMTP deposit service had failures. Therefore, the queues grew quite large. We had trouble stabilizing the LMTP back end because postfix active queue was trying to deliver very quickly to LMTP service. How can I control or slowly drain the active queue so it doesn't slam LMTP? I was reading and found the following information but I'm not sure it applies. Can I change default_destination_rate_delay to limit the delivery rate? I also see queue_run_delay and minimal/maximal_backoff_times but it seems this applies to the defer queue, correct? George
Re: Pre Queue Spam Assassin Advice
On Wed, 2009-06-24 at 15:35 -0400, Victor Duchovni wrote: On Wed, Jun 24, 2009 at 08:29:42PM +0100, Steve wrote: My only confusion is where do I put the symlink. To make matters a struggle for me I'm dyslexic so please forgive me a little as I'm struggling to follow this: /home/mail/email/home/mail/email - I see the same things twice and this locks me up a bit. Exactly as written, the symlink is /home/mail/email/home/mail/email and it points to /. # mkdir -p /home/mail/email/home/mail # ln -s / /home/mail/email/home/mail/email in the chroot jail, this results in /home/mail/email/private/foo being the same as /private/foo. Thank you Viktor. After typing it out I finally *got* it. It's about what it looks like resolving from inside the jail. The fix works just fine. I no longer get any issues connecting to it and mail flow works. I can't thank you enough Sir. Sincerely - my most grateful thanks to you for taking your time to help me with something trivial. Some people will set the link to point to ../.. which makes it work even from outside the jail, but there is not much point. Another thing to consider is whether you really need the milter in both contexts. It sounds like you also have a content filter, and mail is subjected to milters on both sides of the content filter, it is not clear this is what you need, though there are plausible use cases for doing this. My train of thought is to filter in this order; POSTFIX NATIVE client checks (RATE CONTROL, IP, PTR, RBL, CUSTOM LISTS, HEADER BODY) PRE-QUEUE CONTENT FILTER (CLAMAV using clamsmtp) PRE-QUEUE CONTENT FILTER (spamass-milter) The volumes I get will support this on the hardware I have. If I had big volumes I would either need more 'meat', some clustering, both or to change the pre-queues to after queues. Again - I sincerely thank you for your help. It's basic stuff giving me some gaps here, but I'm determined to learn and happy to get my hands dirty. Steve
Re: Slowly drain the active queue
On Wed, Jun 24, 2009 at 07:42:11PM +, George Forman wrote: Hi, I'm trying to understand how I can control postfix active queue. We ran into a problem where our back end LMTP deposit service had failures. Therefore, the queues grew quite large. We had trouble stabilizing the LMTP back end because postfix active queue was trying to deliver very quickly to LMTP service. Is LMTP delivery direct from the transport table or via local(8) + alias expansion - mailbox_transport? If direct, reduce the concurrency or process limit of the lmtp transport. If indirect via local(8), reduce the master.cf process limit of the local transport. -- Viktor.
Re: Incoming smtp: 554 Access Denied
Noel Jones wrote: Jesse Kretschmer wrote: # postconf -n delay_warning_time = 10m Quite short, but won't break anything. maximal_queue_lifetime = 2d recommended minimum is 3 days, default is 5 days. If you have lots of undeliverable mail in your queue, address the source of the undeliverable mail instead of covering up the symptoms. Sorbs listed our ISP's block of ip addresses as dynamic even with a valid PTR. I was trying to highlight the problem so that our users were aware of messages that were not being delivered. I'll take your advice and lengthen it. Sorbs has finally added an exception for our domain though only after a lot of grief. mydestination = $myhostname, localhost.$mydomain, localhost relay_domains = $mydestination this should be set empty unless you really have relay domains (ie. subdomains of domains listed in mydestination that are accepted but delivered elsewhere). smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname permit I see you have reject_invalid_hostname duplicated in smtpd_recipient_restrictions. Just remove all the above. That makes sense. I'm still getting my bearings with postfix. Jesse, You may find it helpful to add -o syslog_name=postfix-smtps to the above options to differentiate logging from the smtps service. -- Noel Jones Great tip. That will help a lot. Ralf Hildebrandt wrote: smtp inet n - n - - smtpd smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject THIS could be the problem. This would cause the reject as you see it in the log :) I've been reading the docs. I am not sure what the correct solution is, but I see a directive: permit_tls_clientcerts. I suspect that I should be adding this to the master.cf to allow these tls connections. I'll report back if I find a working solution. Noel and Ralf, thanks for the help. I never expected such a thorough review of my problem. Cheers! jesse
Re: Pre Queue Spam Assassin Advice
On Wed, Jun 24, 2009 at 08:43:15PM +0100, Steve wrote: My train of thought is to filter in this order; POSTFIX NATIVE client checks (RATE CONTROL, IP, PTR, RBL, CUSTOM LISTS, HEADER BODY) PRE-QUEUE CONTENT FILTER (CLAMAV using clamsmtp) PRE-QUEUE CONTENT FILTER (spamass-milter) This is too sketchy to be useful. To ask this question properly you'd need to explain the whole configuration and message flow in some detail. -- Viktor.
Re: Incoming smtp: 554 Access Denied
* Noel Jones njo...@megan.vbhcs.org: Jesse, You may find it helpful to add -o syslog_name=postfix-smtps to the above options to differentiate logging from the smtps service. Amen to that! -- Ralf Hildebrandt
Re: Incoming smtp: 554 Access Denied
* Jesse Kretschmer je...@psyop.tv: smtp inet n - n - - smtpd smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject THIS could be the problem. This would cause the reject as you see it in the log :) I've been reading the docs. I am not sure what the correct solution is, Simply turn it off. Comment out the smtps inet ... line. -- Ralf Hildebrandt
Re: Slowly drain the active queue
* George Forman georgeforma...@hotmail.com: Hi, I'm trying to understand how I can control postfix active queue. What is there to control? We ran into a problem where our back end LMTP deposit service had failures. Therefore, the queues grew quite large. But not the active, but the deferred queue. We had trouble stabilizing the LMTP back end because postfix active queue was trying to deliver very quickly to LMTP service. Of course. How can I control or slowly drain the active queue so it doesn't slam LMTP? You could limit the number of lmtp processes to 1 What kind of super flaky LMTP server is that? -- Ralf Hildebrandt
multiple signatures DK multiple selector
hi list hi all dkimproxy I can not specify that only selector. how to have multiple signatures DK multiple number selectors thanks for all your feedbacks
Re: multiple signatures DK multiple selector
fake...@fakessh.eu wrote:

> hi list hi all
> dkimproxy I can not specify that only selector.
> how to have multiple signatures DK multiple number selectors
> thanks for all your feedbacks

both dkim-milter and amavisd-new support multiple dkim selectors. They both work well.

-- Noel Jones
Re: multiple signatures DK multiple selector
dkim I know it supports multiple signatures but DK domains and selector keys ?

On Wednesday 24 June 2009 22:28, Noel Jones wrote:

> fake...@fakessh.eu wrote:
> > hi list hi all
> > dkimproxy I can not specify that only selector.
> > how to have multiple signatures DK multiple number selectors
> > thanks for all your feedbacks
>
> both dkim-milter and amavisd-new support multiple dkim selectors. They both work well.
>
> -- Noel Jones
Re: multiple signatures DK multiple selector
use dkimproxy 1.1.0

On Wednesday 24 June 2009 22:34, fake...@fakessh.eu wrote:

> dkim I know it supports multiple signatures but DK domains and selector keys ?
>
> On Wednesday 24 June 2009 22:28, Noel Jones wrote:
> > fake...@fakessh.eu wrote:
> > > hi list hi all
> > > dkimproxy I can not specify that only selector.
> > > how to have multiple signatures DK multiple number selectors
> > > thanks for all your feedbacks
> >
> > both dkim-milter and amavisd-new support multiple dkim selectors. They both work well.
> >
> > -- Noel Jones
Re: FYI: Imminent closure of SORBS...
Good riddance. --kj
Re: Incoming smtp: 554 Access Denied
Noel Jones wrote:

> The smtps service is for your own mail clients to use. This is a deprecated method of encryption sometimes called SSL (not to be confused with HTTPS/SSL) in some mail clients. Clients that don't authenticate via SASL should be rejected. Typically only older MUAs and some Microsoft products need the smtps service. Most modern clients use STARTTLS on the submission service. Just turn it off (comment it out) if you don't need it.

All of my mail users are connecting through smtps. So I guess I'd like to keep it.

> The permit_tls_clientcerts function is probably not what you want. The typical use case is MTA to MTA authenticated relaying since few end-user mail programs support certificate based authentication.

Yeah, I'm still trying to get a grasp of the situation. After reading more it does not seem to be the best option.

> If you can explain what you mean by allow these tls connections we can give more pointers.

Looking at the logs, the company that is having issues with our mail server only has issue occasionally. It appears to be one server in particular. This one server always starts a TLS connection, and that's usually the end of it.

Here are the logs that I see. The first connection is the problem the others work well.

# grep 69.74.116 /var/log/maillog
Jun 24 09:30:50 mail postfix/smtpd[44853]: connect from bb02d1.eurorscg.com[69.74.116.40]
Jun 24 09:30:50 mail postfix/smtpd[44853]: setting up TLS connection from bb02d1.eurorscg.com[69.74.116.40]
Jun 24 09:30:50 mail postfix/smtpd[44853]: Anonymous TLS connection established from bb02d1.eurorscg.com[69.74.116.40]: SSLv3 with cipher RC4-MD5 (128/128 bits)
Jun 24 09:30:50 mail postfix/smtpd[44853]: NOQUEUE: reject: RCPT from bb02d1.eurorscg.com[69.74.116.40]: 554 5.7.1 bb02d1.eurorscg.com[69.74.116.40]: Client host rejected: Access denied; from=xremov...@euroscg.com to=xremov...@psyop.tv proto=ESMTP helo=bb02d1.eurorscg.com
Jun 24 09:30:50 mail postfix/smtpd[44853]: disconnect from bb02d1.eurorscg.com[69.74.116.40]
Jun 24 14:24:16 mail postfix/smtpd[58786]: connect from ms01d1.eurorscg.com[69.74.116.44]
Jun 24 14:24:16 mail postfix/smtpd[58786]: 246F6102D3F: client=ms01d1.eurorscg.com[69.74.116.44]
Jun 24 14:24:16 mail postfix/smtpd[58786]: disconnect from ms01d1.eurorscg.com[69.74.116.44]
Jun 24 14:24:22 mail amavis[59190]: (59190-01-3) Checking: [69.74.116.44] xremov...@euroscg.com - xremov...@psyop.tv
Jun 24 14:24:22 mail amavis[59190]: (59190-01-3) Passed CLEAN, [69.74.116.44] [69.74.116.44] xremov...@euroscg.com - xremov...@psyop.tv, Message-ID: xremov...@euroscg.com, Hits: -, 415 ms
Jun 24 14:38:17 mail postfix/smtpd[58080]: connect from ms01d1.eurorscg.com[69.74.116.44]
Jun 24 14:38:17 mail postfix/smtpd[58080]: 516EE102D2C: client=ms01d1.eurorscg.com[69.74.116.44]
Jun 24 14:38:17 mail postfix/smtpd[58080]: disconnect from ms01d1.eurorscg.com[69.74.116.44]
Jun 24 14:38:18 mail amavis[59880]: (59880-01) Checking: [69.74.116.44] xremov...@euroscg.com - xremov...@psyop.tv
Jun 24 14:38:18 mail amavis[59880]: (59880-01) Passed CLEAN, [69.74.116.44] [69.74.116.44] xremov...@euroscg.com - xremov...@psyop.tv, Message-ID: xremov...@euroscg.com, Hits: -, 337 ms
Jun 24 14:46:18 mail postfix/smtpd[58785]: connect from ms08d1.eurorscg.com[69.74.116.58]
Jun 24 14:46:18 mail postfix/smtpd[58785]: 80A51102D2A: client=ms08d1.eurorscg.com[69.74.116.58]
Jun 24 14:46:18 mail postfix/smtpd[58785]: disconnect from ms08d1.eurorscg.com[69.74.116.58]
Jun 24 14:46:18 mail amavis[60310]: (60310-01) Checking: [69.74.116.58] xremov...@euroscg.com - xremov...@psyop.tv
Jun 24 14:46:19 mail amavis[60310]: (60310-01) Passed CLEAN, [69.74.116.58] [69.74.116.58] xremov...@euroscg.com - xremov...@psyop.tv, Message-ID: xremov...@euroscg.com, Hits: -, 329 ms
Jun 24 14:47:10 mail postfix/smtpd[58786]: connect from ms07d1.eurorscg.com[69.74.116.48]
Jun 24 14:47:10 mail postfix/smtpd[58786]: 55F11102D2D: client=ms07d1.eurorscg.com[69.74.116.48]
Jun 24 14:47:10 mail postfix/smtpd[58786]: disconnect from ms07d1.eurorscg.com[69.74.116.48]
Jun 24 14:47:12 mail amavis[60310]: (60310-07) Checking: [69.74.116.48] xremov...@euroscg.com - xremov...@psyop.tv
Jun 24 14:47:12 mail amavis[60310]: (60310-07) Passed CLEAN, [69.74.116.48] [69.74.116.48] xremov...@euroscg.com - xremov...@psyop.tv, Message-ID: xremov...@euroscg.com, Hits: -, 283 ms

> Is there a single site or book that I should read? I feel as if I am running around blindfolded. I'm glad you folks have been kind enough to tell me when to turn.

-jesse
Re: Incoming smtp: 554 Access Denied
Jesse Kretschmer wrote:

> > If you can explain what you mean by allow these tls connections we can give more pointers.
>
> Looking at the logs, the company that is having issues with our mail server only has issue occasionally. It appears to be one server in particular. This one server always starts a TLS connection, and that's usually the end of it.

Do you expect to authenticate? ie. you've issued them credentials?

If yes, they aren't authenticating; their mail server is misconfigured.

If not, they *should not* be connecting to your smtps port; their mail server is misconfigured and it's not your problem.

If this is just some third party that wants to send you mail, they must connect to port 25 like everyone else. If they want to use TLS, they must use the STARTTLS command on port 25 like everyone else.

> Is there a single site or book that I should read? I feel as if I am running around blindfolded. I'm glad you folks have been kind enough to tell me when to turn.

The Book of Postfix is excellent, but getting a little outdated (common problem with any treeware tracking a living software project). Online, the official postfix documentation and archives of this list are invaluable.
http://www.postfix.org/documentation.html

-- Noel Jones
spammers masquerading as me
Hi everyone,

I am the systems administrator for the Electronic Frontier Foundation. I have been having a problem with getting spam that has a from of, for example, t...@eff.org (which is a valid email address). I would like my mail server to not accept mail that says it is from @eff.org unless it is sent via an authenticated end user, or unless it is mail generated by the mail server itself.

Essentially, in pseudo-code, what I want is:

if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or (sent using SMTP auth))) then REJECT

I have already tried editing /usr/local/etc/postfix/access, adding:

eff.org REJECT you can't send mail as me!

And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org. Neither worked.

I should also point out that, at least for now, this is the ONLY type of mail that I want to explicitly block. At this time I am not able to do a spam assassin install or reject via black lists due to our current spam policy.

Here is my postconf -n output:

address_verify_negative_expire_time = 1d
alias_database = hash:$config_directory/aliases, hash:$config_directory/aliases.mailman
alias_maps = hash:$config_directory/aliases, hash:$config_directory/aliases.mailman
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost, $myhostname.$mydomain, $mydomain, email.$mydomain
myhostname = mail1.eff.org
mynetworks = 75.101.97.64/28, 68.120.144.0/24, 67.103.31.132/32, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks reject_unknown_client check_client_access hash:$config_directory/accesslist permit
smtpd_data_restrictions = reject_unauth_pipelining permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:$config_directory/restrict_helo check_helo_access hash:$config_directory/accesslist reject_invalid_hostname permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_recipient reject_multi_recipient_bounce reject_unknown_recipient_domain reject_unauth_destination reject_unlisted_recipient permit_mx_backup permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:$config_directory/accesslist reject_non_fqdn_sender reject_unknown_sender_domain reject_unlisted_sender hash:$config_directory/sender_access permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/STAR_eff_org.postfix.crt
smtpd_tls_key_file = /etc/ssl/STAR_eff_org.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_address_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 550
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:$config_directory/virtual.dearaol.com, hash:$config_directory/virtual.ourvotelive.org, hash:$config_directory/virtual.stopthespying.org, hash:$config_directory/virtual.soundcopyright.eu

Thanks for any help you might be able to provide.

- Stu
Re: FYI: Imminent closure of SORBS...
kj wrote:

> Good riddance.

oh please. this is the postfix mailing list. Viktor simply wanted people to be aware of the possible shutdown.

now, sorbs will most probably survive.
Re: spammers masquerading as me
Stuart Matthews wrote:

> Hi everyone,
>
> I am the systems administrator for the Electronic Frontier Foundation. I have been having a problem with getting spam that has a from of, for example, t...@eff.org (which is a valid email address). I would like my mail server to not accept mail that says it is from @eff.org unless it is sent via an authenticated end user, or unless it is mail generated by the mail server itself.
>
> Essentially, in pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or (sent using SMTP auth))) then REJECT
>
> I have already tried editing /usr/local/etc/postfix/access, adding:
>
> eff.org REJECT you can't send mail as me!

you call this file access, yet your restrictions use accesslist.

BTW, avoid sharing maps. instead of access and accesslist, use something like: access_sender, access_helo, ... (one per type of check).

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/access_sender
    check_helo_access hash:/etc/postfix/access_helo
    ...

== access_sender
eff.org     REJECT blah blah
.eff.org    REJECT blah blah

== access_helo
eff.org     REJECT blah blah
.eff.org    REJECT blah blah

> And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org. Neither worked.
>
> I should also point out that, at least for now, this is the ONLY type of mail that I want to explicitly block. At this time I am not able to do a spam assassin install or reject via black lists due to our current spam policy.
Re: spammers masquerading as me
Stuart Matthews wrote:

> I have already tried editing /usr/local/etc/postfix/access, adding:
>
> eff.org REJECT you can't send mail as me!
>
> And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org.

You say check_sender_access didn't work, did you use it with smtpd_recipient_restrictions? A similar setup to the following works for us (this is a modified version of your output from postconf -n):

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:$config_directory/access   # Look Here
    reject_non_fqdn_recipient
    reject_multi_recipient_bounce
    reject_unknown_recipient_domain
    reject_unauth_destination
    reject_unlisted_recipient
    permit_mx_backup
    permit

$config_directory/access:
t...@eff.org    REJECT

This is just a guess and a proposed solution, you probably need to supply supporting log entries for cases it didn't work to get to the bottom of what's really wrong.
Re: spammers masquerading as me
Stuart Matthews:

> Hi everyone,
>
> I am the systems administrator for the Electronic Frontier Foundation. I have been having a problem with getting spam that has a from of, for example, t...@eff.org (which is a valid email address). I would like my mail server to not accept mail that says it is from @eff.org unless it is sent via an authenticated end user, or unless it is mail generated by the mail server itself.
>
> Essentially, in pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or (sent using SMTP auth))) then REJECT

Making a variation on http://www.nabble.com/false-return-addresses-td24058164.html

Not tested:

# Pass mail from inside mynetworks, reject senders
/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/sender_access,

# Also matches subdomains of example.com by default (see
# parent_matches_subdomains documentation).
# Needs postmap /etc/postfix/sender_access after change.
/etc/postfix/sender_access:
    example.com REJECT Bad sender address - you are not example.com

Wietse

> I have already tried editing /usr/local/etc/postfix/access, adding:
>
> eff.org REJECT you can't send mail as me!
>
> And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org. Neither worked.
>
> I should also point out that, at least for now, this is the ONLY type of mail that I want to explicitly block. At this time I am not able to do a spam assassin install or reject via black lists due to our current spam policy.
Re: spammers masquerading as me
On Wed June 24 2009 18:21:19 Stuart Matthews wrote:

> I am the systems administrator for the Electronic Frontier Foundation. I have been having a problem with getting spam that has a

And I talked to you yesterday in IRC.

> from of, for example, t...@eff.org (which is a valid email address). I would like my mail server to not accept mail that says it is from @eff.org unless it is sent via an authenticated end user, or unless it is mail generated by the mail server itself.
>
> Essentially, in pseudo-code, what I want is:
>
> if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or (sent using SMTP auth))) then REJECT
>
> I have already tried editing /usr/local/etc/postfix/access, adding:
>
> eff.org REJECT you can't send mail as me!
>
> And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org. Neither worked.
>
> I should also point out that, at least for now, this is the ONLY type of mail that I want to explicitly block. At this time I am not able to do a spam assassin install or reject via black lists due to our current spam policy.
>
> Here is my postconf -n output:

I'm leaving in only the relevant settings below.

> smtpd_client_restrictions = permit_mynetworks reject_unknown_client check_client_access hash:$config_directory/accesslist permit
> smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:$config_directory/restrict_helo check_helo_access hash:$config_directory/accesslist reject_invalid_hostname permit
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_recipient reject_multi_recipient_bounce reject_unknown_recipient_domain reject_unauth_destination reject_unlisted_recipient permit_mx_backup permit
> smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:$config_directory/accesslist reject_non_fqdn_sender reject_unknown_sender_domain reject_unlisted_sender hash:$config_directory/sender_access permit

Many users (well, I am one of them) find it easier to consolidate all smtpd restrictions into a single stage. The logical choice for such consolidation would be smtpd_recipient_restrictions, because that's the only required stage.

Since you did not include logs with your post we can only guess, but best guess would be that you're not doing this in your two check_sender_access lookups. Either accesslist or sender_access should contain your blocking rule, and should be preceded by permit_sasl_authenticated, else you will block your own authenticating senders.

Multiple use of the same lookup can lead to undesired results. What is looked up for a check_sender_access differs from check_*_access (other access(5) lookups.) You should really understand access.5.html well.

You mentioned a /usr/local/etc/postfix/access file above, yet the postconf output has no evidence of such a file. Therefore, it is not used.

If you need to followup, please include logs and relevant snippets from the map files.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
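Added example, not part of any post in this thread: a simplified Python model of one Postfix restriction list, showing why the replies put permit_sasl_authenticated ahead of check_sender_access and how a bare domain key in an access(5) table also covers subdomains. The sessions, sender addresses and table contents are constructed; only mynetworks comes from the posted postconf -n output, and this is a sketch of the first-match rule, not Postfix code.

```python
import ipaddress
from dataclasses import dataclass

# mynetworks as posted in the postconf -n output in this thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in (
    "75.101.97.64/28", "68.120.144.0/24", "67.103.31.132/32", "127.0.0.0/8")]

# Constructed access(5) table holding the blocking rule from the replies.
SENDER_ACCESS = {"eff.org": "REJECT you are not eff.org"}


@dataclass
class Session:
    client_ip: str
    sender: str                     # envelope sender, assumed fully qualified
    sasl_authenticated: bool = False


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(s):
    return "PERMIT" if s.sasl_authenticated else "DUNNO"


def sender_lookup_keys(sender):
    """Keys tried for a sender, in access(5) order: user@domain, the domain
    and its parent domains, then user@."""
    if not sender:
        return ["<>"]               # default smtpd_null_access_lookup_key
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}"]
    # A bare parent domain matches subdomains when smtpd_access_maps is in
    # parent_domain_matches_subdomains, which is the default.
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{local}@")
    return keys


def check_sender_access(table):
    def check(s):
        for key in sender_lookup_keys(s.sender):
            if key in table:
                verb = table[key].split()[0].upper()
                return "PERMIT" if verb == "OK" else verb
        return "DUNNO"
    return check


def evaluate(restrictions, session):
    """First non-DUNNO result wins. PERMIT only ends this list (later stage
    lists still run); REJECT is final. DUNNO at the end means this list had
    no opinion and the remaining stages decide."""
    for name, restriction in restrictions:
        result = restriction(session)
        if result != "DUNNO":
            return result, name
    return "DUNNO", "end of list"


_check = check_sender_access(SENDER_ACCESS)
# Order of the posted smtpd_sender_restrictions, with the blocking rule added.
AS_POSTED = [("permit_mynetworks", permit_mynetworks),
             ("check_sender_access", _check)]
# Order suggested in the replies.
SUGGESTED = [("permit_mynetworks", permit_mynetworks),
             ("permit_sasl_authenticated", permit_sasl_authenticated),
             ("check_sender_access", _check)]

# Constructed sessions (documentation address ranges for outside hosts).
SESSIONS = {
    "forged sender, outside host": Session("203.0.113.9", "staff@eff.org"),
    "forged subdomain sender": Session("203.0.113.9", "x@sub.eff.org"),
    "roaming user with SASL": Session("198.51.100.7", "staff@eff.org", True),
    "office workstation": Session("75.101.97.70", "staff@eff.org"),
    "ordinary outside mail": Session("203.0.113.9", "someone@example.net"),
}

if __name__ == "__main__":
    for label, session in SESSIONS.items():
        print(f"{label:30} posted={evaluate(AS_POSTED, session)} "
              f"suggested={evaluate(SUGGESTED, session)}")
```

With the posted order the roaming user who authenticated is rejected by the blocking rule; with the suggested order only unauthenticated outside hosts using an eff.org sender are rejected.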
Oldest message in the queue
Hi,

It appears we would need to write a script to parse all the messages. What is an efficient way to get the age of the oldest message in the queue?

George
Re: Oldest message in the queue
On Thu, Jun 25, 2009 at 01:57:31AM +, George Forman wrote:

> It appears we would need to write a script to parse all the messages. What is an efficient way to get the age of the oldest message in the queue?

If the deferred queue is large enough, it is more efficient to parse the logs, especially if you do this on an ongoing basis, and track the creation and deletion of each queue-id.

For small backlogs, just read all the files with postcat, or adapt (no warranty) the code from qshape, which reads the undocumented queue file format.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
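Added example, not part of any post in this thread: one way to do the log-based tracking suggested above, in Python, recording when each queue ID is first logged and dropping it when qmgr logs "removed". The sample log is constructed in the syslog format shown elsewhere on this page; the sketch assumes short uppercase-hex queue IDs, an English locale for month names, and a caller-supplied year because syslog timestamps carry none.

```python
import re
from datetime import datetime

# "Jun 24 14:24:16 host postfix/smtpd[123]: QUEUEID: rest of line"
# The syslog tag may carry a custom syslog_name such as postfix-smtps.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix[\w-]*/[\w-]+\[\d+\]: "
    r"(?P<qid>[0-9A-F]{5,}): (?P<rest>.*)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
Jun 24 09:30:50 mail postfix/smtpd[401]: NOQUEUE: reject: RCPT from unknown[192.0.2.40]: 554 5.7.1 Client host rejected: Access denied
Jun 24 14:24:16 mail postfix/smtpd[402]: 1A2B3C4D5E6: client=mx1.example.net[192.0.2.44]
Jun 24 14:24:22 mail postfix/qmgr[77]: 1A2B3C4D5E6: removed
Jun 24 14:38:17 mail postfix/smtpd[403]: 2B3C4D5E6F7: client=mx1.example.net[192.0.2.44]
Jun 24 14:38:19 mail postfix/lmtp[404]: 2B3C4D5E6F7: to=<user@example.org>, relay=none, delay=2, status=deferred (connect to backend failed)
Jun 24 14:46:18 mail postfix-smtps/smtpd[405]: 3C4D5E6F7A8: client=client.example.net[192.0.2.58]
Jun 24 15:02:00 mail postfix/pickup[406]: 1A2B3C4D5E6: uid=0 from=<root>
"""


def queued_since(lines, year):
    """Map every queue ID that has not been removed to its first log time.

    Short queue IDs are reused after removal, so a removed ID that shows up
    again is tracked as a new message with a new start time.
    """
    first_seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                  # NOQUEUE rejects, other daemons, noise
        qid = m["qid"]
        if m["rest"] == "removed":
            first_seen.pop(qid, None)
        elif qid not in first_seen:
            first_seen[qid] = datetime.strptime(
                f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return first_seen


def oldest_queued(lines, now, year):
    """Return (queue_id, age) of the oldest message still queued, or None.

    A message queued before the first log line read is only seen from its
    first later log entry, so its age is a lower bound.
    """
    pending = queued_since(lines, year)
    if not pending:
        return None
    qid = min(pending, key=pending.get)
    return qid, now - pending[qid]


if __name__ == "__main__":
    now = datetime(2009, 6, 24, 16, 0, 0)
    print(oldest_queued(SAMPLE_LOG.splitlines(), now, 2009))
```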
best practices for workstations that occasionally disconnect
I'm just wondering if anyone has a good suggestion for how to deal with workstations, setup with a $relayhost for all outbound mail, which occasionally get unplugged from the network or otherwise taken offline.

While this doesn't happen to our machines a lot, it does cause some annoyance when a machine gets unplugged for a long time and a flood of messages (and the resulting bounces) come through.

We don't mind getting the mail sent while the system is offline, but (in cases where the sender is root, which also forwards offsite), we don't want to get all the bounces. $notify_classes is set to the default, but since most of the system messages (cron, etc.) come from root, there's still a single bounce when a message can't be sent.

I could just set $maximal_queue_lifetime and $bounce_queue_lifetime to really short values, but I'd rather preserve the original mail.

My other thought was to follow the suggestions in http://www.postfix.org/STANDARD_CONFIGURATION_README.html#dialup

However, since there's no dialup script, I'd probably have to write a cron job that flushes the queue every minute or two, which seems dumb.

I guess another approach would be to have a cron job that changes $defer_transports and reloads Postfix if the network is down (and reverses it when the network comes back up).

Anyone have a better / less kludgy approach to this problem? Am I just thinking of it all wrong?

Disabling DNS lookups doesn't change anything, does it?

w
Re: rejecting client=unknown[ip.ad.dr.ess]
On 23-Jun-2009, at 06:31, Jan P. Kessler wrote:

> Another option is to use selective greylisting on unknown clients:
>
> MAIN.CF
> smtpd_recipient:_restrictions = permit_mynetworks, ...others..., check_client_access = pcre:/etc/postfix/client_check
>
> /etc/postfix/client_check:
> /^unknown$/ check_policy_service inet:127.0.0.1:10031

Oh yes, that works. In fact, I thought I already had that in my check_client_fqdn.pcre file, I guess I overlooked it.

--
BILL: I can't get behind the Gods, who are more vengeful, angry, and dangerous if you don't believe in them!
HENRY: Why can't all these God just get along? I mean, they're omnipotent and omnipresent, what's the problem?
Re: rejecting client=unknown[ip.ad.dr.ess]
On Wed, Jun 24, 2009 at 10:15:39PM -0600, LuKreme wrote:

On 23-Jun-2009, at 06:31, Jan P. Kessler wrote:

Another option is to use selective greylisting on unknown clients:

MAIN.CF
smtpd_recipient_restrictions = permit_mynetworks, ...others..., check_client_access = pcre:/etc/postfix/client_check

No = sign between check_client_access and the table name.

/etc/postfix/client_check:
/^unknown$/ check_policy_service inet:127.0.0.1:10031

Oh yes, that works. In fact, I thought I already had that in my check_client_fqdn.pcre file, I guess I overlooked it.

It is somewhat fragile, because it fails to distinguish between transient and permanent lookup errors. The policy service needs to be careful to not reject outright (greylisting is perhaps safe, but one needs to understand the limitations of this approach).

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
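As an added illustration (not code from the thread or from Postfix), here is a minimal greylisting policy delegate for the `check_policy_service inet:127.0.0.1:10031` entry quoted above. Because `client_name=unknown` covers transient and permanent lookup failures alike, it only ever answers `defer_if_permit` or `dunno` and never rejects outright; the 300-second delay, the in-memory table and all function names are assumptions.

```python
import socketserver
import time

# Added example (not from the thread); names and the delay value are assumptions.
# main.cf wiring, '=' dropped as corrected: check_client_access pcre:/etc/postfix/client_check
GREYLIST_DELAY = 300  # assumed: seconds a new triplet must wait
SEEN = {}             # (client_address, sender, recipient) -> first-seen time, in memory only
# Constructed sample request, in the name=value form Postfix sends to a policy service.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nclient_name=unknown\n"
                  "sender=a@example.org\nrecipient=b@example.net\n\n")

def parse_request(text):
    """Parse name=value lines up to the empty line that ends a request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, seen=SEEN, now=None):
    """Return defer_if_permit (a 4xx reply) or dunno, never a permanent reject."""
    now = time.time() if now is None else now
    if (attrs.get("request") != "smtpd_access_policy"
            or attrs.get("client_name", "unknown") != "unknown"):
        return "dunno"  # not ours, or the client name resolved: no greylisting
    key = (attrs.get("client_address"), attrs.get("sender", "").lower(),
           attrs.get("recipient", "").lower())
    first_seen = seen.setdefault(key, now)
    if now - first_seen >= GREYLIST_DELAY:
        return "dunno"  # client retried after the delay: let later rules decide
    return "defer_if_permit Greylisted, please try again later"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        for raw in self.rfile:  # Postfix may send several requests per connection
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(("action=%s\n\n" % action).encode())
            lines = []

if __name__ == "__main__":
    socketserver.TCPServer(("127.0.0.1", 10031), PolicyHandler).serve_forever()
```

A client whose reverse lookup failed only temporarily is delayed once and accepted on retry, which is the worst case this design allows.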
Re: best practices for workstations that occasionally disconnect
William Yardley wrote:

I'm just wondering if anyone has a good suggestion for how to deal with workstations, set up with a $relayhost for all outbound mail, which occasionally get unplugged from the network or otherwise taken offline. While this doesn't happen to our machines a lot, it does cause some annoyance when a machine gets unplugged for a long time and a flood of messages (and the resulting bounces) come through.

What bounces? Are you talking about a machine that's unplugged longer than $maximal_queue_lifetime but less than $bounce_queue_lifetime? Maybe a really long maximal_queue_lifetime would avoid that problem.

I could just set $maximal_queue_lifetime and $bounce_queue_lifetime to really short values, but I'd rather preserve the original mail.

Throwing mail away sooner doesn't sound like a good solution to anything.

I guess another approach would be to have a cron job that changes $defer_transports and reloads Postfix if the network is down (and reverses it when the network comes back up).

Yes, or just do nothing and let postfix figure it out.

Anyone have a better / less kludgy approach to this problem? Am I just thinking of it all wrong?

I may not understand what problem you're trying to solve. Maybe describe your problem a little better rather than proposed solutions.

Disabling DNS lookups doesn't change anything, does it?

No.

The best practice for occasional fairly brief (less than a couple days) outages is just ignore them. Postfix should handle things pretty well up to several thousand deferred messages. If you're expecting tens of thousands of deferred messages, then maybe a script to defer_transports or to put everything on HOLD until the network is back up.

--
Noel Jones
Re: best practices for workstations that occasionally disconnect
On Thu, Jun 25, 2009 at 12:25:41AM -0500, Noel Jones wrote:

The best practice for occasional fairly brief (less than a couple days) outages is just ignore them. Postfix should handle things pretty well up to several thousand deferred messages. If you're expecting tens of thousands of deferred messages, then maybe a script to defer_transports or to put everything on HOLD until the network is back up.

Make that several tens of thousands of deferred messages, but as the queue starts growing to 100,000+ deferred messages, the congestion can get too severe (retries of the deferred queue can dominate the active queue and gum everything up).

--
Viktor.