Re: spammers masquerading as me
On 1681 0, Stuart Matthews s...@eff.org wrote: Hi everyone, I am the systems administrator for the Electronic Frontier Foundation. I have been having a problem with getting spam that has a from of, for example, t...@eff.org (which is a valid email address). I would like my mail server to not accept mail that says it is from @eff.org unless it is sent via an authenticated end user, or unless it is mail generated by the mail server itself. Essentially, in pseudo-code, what I want is: if ((from == *...@eff.org) and ((sending mail server != mail1.eff.org) or (sent using SMTP auth))) then REJECT I have already tried editing /usr/local/etc/postfix/access, adding: eff.org REJECT you can't send mail as me! And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org. Neither worked. i use a different approach on this. for example, it will reject all unauthenticated sender claiming to be from domain.com. the error message would be not logged in. smtpd_sender_login_maps = hash:/etc/postfix/sender_login virtual_mailbox_maps = hash:/etc/postfix/sender_login smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch, reject_sender_login_mismatch, permit_sasl_authenticated ... smtpd_recipient_restrictions = ... permit_sasl_authenticated, ... # /etc/postfix/sender_login us...@domain.com user1 us...@domain.com user2 ad...@domain.com admin,user1 t...@domain.com tech,admin
Re: best practices for workstations that occasionally disconnect
On Wed, Jun 24, 2009 at 11:39:15PM -0700, William Yardley wrote: On Thu, Jun 25, 2009 at 12:25:41AM -0500, Noel Jones wrote: Maybe setting $bounce_queue_lifetime to 0 but leaving $maximal_queue_lifetime set to 5d+ would do the trick? [The main issue with this approach is that it will get rid of *all* DSNs / bounces, even those in $notify_classes; I only want to avoid the ones due to being unable to connect to $relayhost] w
matching IP ranges in headers
Hi, A lot of spam comes from certain ip ranges (e.g. west africa) through relays (large ISPs) that would be too onerous to block. To filter these I am presently matching: /^((Received|X-Originating-IP):.+\b(124\.120\.1\.(IP RANGE IN REGEX)\b/ in pcre:/etc/postfix/header_access. But converting IP ranges to regex'es is time consuming and error prone. Is there a way to use a cidr table for header matching while retaining control of the prefix ^(Received|X-Originating-IP) ? Or another better way? Thanks,
Tip: Restricting mail reception using a remote service's SPF records
Here's an idea.. maybe it's useful for someone, so I post it here. I'm setting up a local mail server to cache remote service's mail for faster access on the LAN. The remote server has an up-to-date SPF record that is updated whenever the sending IP ranges change. I want to limit unauthenticated mail reception to the sending servers of the remote mail system. I use the following in main.cf: smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access cidr:$config_directory/tables/client_access_maps.cidr reject To automatically keep the client_access_maps.cird up-to-date I run the following as a cron-job.. perhaps every hour. The SPF record changes rarely, but obviously when it does, the mail would not be accepted on the local server without an update. On the other hand, I assume when the sending ranges change, the SPF records are updated well in advance so there is plenty of time for the local system to pick up the change. The following is concept; I don't have the script yet ready, but it'll be easy to write with your favorite scripting language: --- 1. get your remote sender's current SPF record: dig yourremotesender.com txt tempfile 2. parse the result in tempfile with regex: /.*?ANSWER\sSECTION:.*?yourremotesender\.com*.\s+?\d+?\s+?IN\s+?TXT\s+?v=spf1\s+?([^)]+?)\s+?.all/ (dot matches newline) 3. explode the result 4. remove ip4: from the front of each segment if present 5. mogrify to format ip OK ip/cidr OK .. and save to a temp file. 6. compare the checksum of the temp file to the currently active client_access_maps.cidr; if different.. 7. copy the tempfile to ../postfix/tables/client_access_maps.cidr 8. execute `postfix reload' --- Ville
Re: customizing postfix logs with a mailing id
Magnus Bäck a écrit : On Mon, June 15, 2009 12:01 pm, Stéphane MERLE said: Can I, at least, add the from in the logs ? Jun 15 11:59:01 smtp postfix/smtp[3061]: 683EB37AECA3: to=kdkdlem...@live.fr, relay=mx1.hotmail.com[65.55.92.136]:25, conn_use=91, delay=401662, delays=401197/464/0.13/0.32, dsn=2.0.0, status=sent (250 20090610182440.0a14a3776...@smtp.domaineamoi.com Queued mail for delivery) would be : Jun 15 11:59:01 smtp postfix/smtp[3061]: 683EB37AECA3: from=sen...@domaineamoi.com, to=kdkdlem...@live.fr, relay=mx1.hotmail.com[65.55.92.136]:25, conn_use=91, delay=401662, delays=401197/464/0.13/0.32, dsn=2.0.0, status=sent (250 20090610182440.0a14a3776...@smtp.domaineamoi.com Queued mail for delivery) The envelope sender is logged by qmgr(8). Grep your log for 683EB37AECA3 and see for yourself. Please do not top-post. Thanks, with this tip, I manage to change the return-path and use it with a perl script to parse the log file to get my infos. Stéphane
Re: Tip: Restricting mail reception using a remote service's SPF records
The following is concept; I don't have the script yet ready, but it'll be easy to write with your favorite scripting language: --- 1. get your remote sender's current SPF record: dig yourremotesender.com txt tempfile 2. parse the result in tempfile with regex: /.*?ANSWER\sSECTION:.*?yourremotesender\.com*.\s+?\d+?\s+?IN\s+?TXT\s+?v=spf1\s+?([^)]+?)\s+?.all/ snip The implementation seems a little fragile, but the concept should be workable. On dig (at least the versions I've used), you can use +short for parseable output. Example: dig +short example.com TXT | grep 'v=spf1' | egrep -o 'ip4:[0-9./]+' | sed 's/^ip4://' | sed 's/$/ OK/' tempfile Something like that, anyway.
Re: Tip: Restricting mail reception using a remote service's SPF records
Thanks, I'll look into that; it'll simplify it a bit. Anything that is parsed from text output is obviously not super solid but for this application it'll suffice. The MX for the business domains in question is an external service that takes care of spam filtering, address consolidation, etc. The external service also offers better availability than the LAN server that is not monitored 24/7 and that is connected to the internet via single T1. But as a remote service it is not as fast as accessing emails on the LAN, and at peak-times the Internet congestion slows it further. This is a small office environment, and the plan is to cache the couple of dozen mailboxes to the LAN mail server. The above configuration will be used to prevent any mail from outside of the external service from finding its way to the local mail server. In the event the local server fails (since there is no server redundancy), users continue to have full access (albeit slower) to their mailboxes using the external service which is the primary receiver anyway. Ville
Re: matching IP ranges in headers
2009/6/25 Louis-David Mitterrand vindex+lists-postfix-us...@apartia.org: /^((Received|X-Originating-IP):.+\b(124\.120\.1\.(IP RANGE IN REGEX)\b/ in pcre:/etc/postfix/header_access. But converting IP ranges to regex'es is time consuming and error prone. Is there a way to use a cidr table for header matching while retaining control of the prefix ^(Received|X-Originating-IP) ? I suspect you're out of luck. To be sufficiently general to be useful, I understand Postfix takes the entire header and uses it as a lookup key to the defined table (you're not limited to pcre/regexp, but not much else will be useful). Bare IP addresses of course wouldn't appear as headers, so you can't use a CIDR table. Or another better way? Someone else may have a better, or they might say you should be using a DNSBL for this sort of purpose. I personally suspect this IP-based method won't stay up-to-date enough for practical purposes, which is why it's probably easier to let someone else do the work and use their blacklist.
Re: matching IP ranges in headers
On Thu, Jun 25, 2009 at 10:14:29PM +1000, Barney Desmond wrote: 2009/6/25 Louis-David Mitterrand vindex+lists-postfix-us...@apartia.org: /^((Received|X-Originating-IP):.+\b(124\.120\.1\.(IP RANGE IN REGEX)\b/ in pcre:/etc/postfix/header_access. But converting IP ranges to regex'es is time consuming and error prone. Is there a way to use a cidr table for header matching while retaining control of the prefix ^(Received|X-Originating-IP) ? I suspect you're out of luck. To be sufficiently general to be useful, I understand Postfix takes the entire header and uses it as a lookup key to the defined table (you're not limited to pcre/regexp, but not much else will be useful). Bare IP addresses of course wouldn't appear as headers, so you can't use a CIDR table. Or another better way? Someone else may have a better, or they might say you should be using a DNSBL for this sort of purpose. I personally suspect this IP-based method won't stay up-to-date enough for practical purposes, which is why it's probably easier to let someone else do the work and use their blacklist. If you have a cidr list, it's sufficiently easy to use some perl magic and make regex out of it. You can make pretty large lists into smallish regex since there's only so many characters in IPs. I already made a bare script our of curiosity, need to finish it..
slow link
Hello guys Before all, please forget my bad English. I'm newbie in postfix. I want to ask you a question. Let me explain the situation. I have a dialup link. When the link goes up automatically executes a postqueue -f command and mail is delivered. The problem is link speed, I'm getting timeouts and packet loss. I want to force postfix to deliver messages one by one. I don't accept incoming smtp conections from other server. The incoming mail is fetched using fetchmail from a hosting server. How can I force postfix to deliver messages one by one? Thanks David
adding headers for bcc recipients
Hi all, I'm looking for a way to add a header to the messages before they are delivered to a multidrop mailbox with virtual aliases. After searching the postfix-users list archives I've found that this subject has been already discused here and I've found a message from Zoltan Balogh that seemed to be exactly what I needed: --8 So basically I just need to help fetchmail guessing the correct envelope recipients by appending X-Envelope-To (or similar header entry) to the email message. I did the following: smtpd_recipient_restrictions = ... check_recipient_access pcre:/etc/postfix/recipient_access /etc/postfix/check_recipient_access: /(@somedomain.com)/ PREPEND X-Envelope-To: $1 --8 But it doesn't work for me. No header is added at all! Maybe it is because I use LMTP as a delivery method from Postfix to Cyrus? Should I place the check_recipient_access rule in another phase of smtp check instead of smtpd_recipient_restrictions? Thanks -- Bernardo Pons
Re: slow link
Ing. Davy Leon: Hello guys Before all, please forget my bad English. I'm newbie in postfix. I want to ask you a question. Let me explain the situation. I have a dialup link. When the link goes up automatically executes a postqueue -f command and mail is delivered. The problem is link speed, I'm getting timeouts and packet loss. I want to force postfix to deliver messages one by one. As root: # postconf -e default_process_limit=1 # postfix reload See also: http://www.postfix.org/postconf.5.html#default_process_limit http://www.postfix.org/master.5.html Wietse I don't accept incoming smtp conections from other server. The incoming mail is fetched using fetchmail from a hosting server. How can I force postfix to deliver messages one by one? Thanks David
Re: slow link
Thanks Wietse I'm checking the links right now. Thanks my friend David - Original Message - From: Wietse Venema wie...@porcupine.org To: Postfix users postfix-users@postfix.org Sent: Thursday, June 25, 2009 8:00 AM Subject: Re: slow link Ing. Davy Leon: Hello guys Before all, please forget my bad English. I'm newbie in postfix. I want to ask you a question. Let me explain the situation. I have a dialup link. When the link goes up automatically executes a postqueue -f command and mail is delivered. The problem is link speed, I'm getting timeouts and packet loss. I want to force postfix to deliver messages one by one. As root: # postconf -e default_process_limit=1 # postfix reload See also: http://www.postfix.org/postconf.5.html#default_process_limit http://www.postfix.org/master.5.html Wietse I don't accept incoming smtp conections from other server. The incoming mail is fetched using fetchmail from a hosting server. How can I force postfix to deliver messages one by one? Thanks David
customize bounce behavior
Hi, I apologize if this has already been covered but I can't seem to find any information. I need to customize the bounce behavior for the following: 1. If a bounce message is created because it can't deliver to a specified list of email addresses we don't want a bounce returned. 2. If a bounce message is created, we need to use the recipient's domain for the mailer-daemon domain instead of myorigin parameter. Is the some type of check policy feature I can add to support this behavior? George _ Lauren found her dream laptop. Find the PC that’s right for you. http://www.microsoft.com/windows/choosepc/?ocid=ftp_val_wl_290
Header Time
Hi, I am sure someone can clarify it for me. A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to doing -400 (EDT). by postfixmta.domain.net (Postfix) with SMTP id 62B1257AB5 for myu...@mydomain.net; Thu, 25 Jun 2009 12:16:12 -0400 (EDT) But I looked at var log messages, it shows the right time there. Did I configured anything wrong or how to fix this? Thank you very much!! ~LA
Re: best practices for workstations that occasionally disconnect
William Yardley wrote: I was thinking that setting $defer_transports might avoid $maximal_queue_lifetime, but from my tests, looks like that's not the case. What about holding the messages? Same thing? Messages on hold never expire (postfix ignores messages in the hold queue). When they are released from hold, they get one free delivery attempt before $maximal_queue_lifetime is tested. I'd like to avoid DSNs for messages that can't be delivered because a smarthost can't be reached. Since the DSNs also go through the relayhost (there's no local delivery), and won't get through til the network is back up anyway, they don't serve any purpose for us. On the other hand, in the best of all worlds, I'd like the messages themselves to stick around. Sounds like the best solution is just set a really long $maximal_queue_lifetime -- Noel Jones
Re: Header Time
On 6/25/09 9:50 AM, Linux Addict wrote: A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to doing -400 (EDT). Hmmm. 4 hours. Are you using greylisting? -- Glenn English g...@slsware.com
Re: Incoming smtp: 554 Access Denied
Noel Jones wrote: If not, they *should not* be connecting to your smtps port; their mail server is misconfigured and it's not your problem. This was exactly the problem. I did some troubleshooting with the mail admin of the sending server. One of their servers was attempting to connect on port 465 only. He corrected the configuration and things worked without a hitch. As you suggested I added the following line to the smtps section of master.cf: -o syslog_name=postfix-smtps This was made it very easy to verify which service the server in question was connecting to. This should be in the master.cf by default as it is very helpful. Thanks everyone for all the help. Cheers, jesse
Re: Header Time
On Thu, Jun 25, 2009 at 1:41 PM, ghe g...@slsware.com wrote: On 6/25/09 9:50 AM, Linux Addict wrote: A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to doing -400 (EDT). Hmmm. 4 hours. Are you using greylisting? -- Glenn English g...@slsware.com We are, but these aren't even going out. There is a transport map which directs it to internal exchange servers. I am curious where its getting the -400(EDIT) from.
Re: Header Time
* Linux Addict linuxaddi...@gmail.com: We are, but these aren't even going out. There is a transport map which directs it to internal exchange servers. I am curious where its getting the -400(EDIT) from. Please show the exact header... and 2 lines before and after. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: Header Time
On 6/25/09 12:06 PM, Linux Addict wrote: I am curious where its getting the -400(EDIT) from. It's EDT, not EDIT. It means that the local time (Eastern Daylight Time) is 4 hours less than GMT... -- Glenn English g...@slsware.com
Re: Header Time
On Jun 25, 2009, at 2:06 PM, Linux Addict linuxaddi...@gmail.com wrote: On Thu, Jun 25, 2009 at 1:41 PM, ghe g...@slsware.com wrote: On 6/25/09 9:50 AM, Linux Addict wrote: A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to doing -400 (EDT). Hmmm. 4 hours. Are you using greylisting? -- Glenn English g...@slsware.com We are, but these aren't even going out. There is a transport map which directs it to internal exchange servers. I am curious where its getting the -400(EDIT) from. No Outlook help here but what exactly is the Postfix problem? Or is the GMT - EDT terminology confusing you? EDT = Eastern Daylight Time = GMT - 4:00.
Re: spammers masquerading as me
Hi all, That seems to have done it... banging my head against the problem all because of a typo. Thanks, Stu J.P. Trosclair wrote: Stuart Matthews wrote: I have already tried editing /usr/local/etc/postfix/access, adding: eff.orgREJECTyou can't send mail as me! And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org. You say check_sender_access didn't work, did you use it with smtpd_recipient_restrictions? A similar setup to the following works for us (this is a modified version of your output from postconf -n): smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:$config_directory/access # Look Here reject_non_fqdn_recipient reject_multi_recipient_bounce reject_unknown_recipient_domain reject_unauth_destination reject_unlisted_recipient permit_mx_backup permit $config_directory/access: t...@eff.orgREJECT This is just a guess and a proposed solution, you probably need to supply supporting log entries for cases it didn't work to get to the bottom of what's really wrong.
Re: Header Time
On Thu, Jun 25, 2009 at 2:22 PM, Sahil Tandon sa...@tandon.net wrote: On Jun 25, 2009, at 2:06 PM, Linux Addict linuxaddi...@gmail.com wrote: On Thu, Jun 25, 2009 at 1:41 PM, ghe g...@slsware.comg...@slsware.comwrote: On 6/25/09 9:50 AM, Linux Addict wrote: A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to doing -400 (EDT). Hmmm. 4 hours. Are you using greylisting? -- Glenn English g...@slsware.comg...@slsware.com We are, but these aren't even going out. There is a transport map which directs it to internal exchange servers. I am curious where its getting the -400(EDIT) from. No Outlook help here but what exactly is the Postfix problem? Or is the GMT - EDT terminology confusing you? EDT = Eastern Daylight Time = GMT - 4:00. Not looking for any outlook. See below the complete header. The BOLD text is where message enters the postfix and time seem adjusted. On my Mail Client, the sent time is showing as Wed 6/24/2009 *1:12 PM*instead of *5:12PM* ie. -4 hours. I believe that was caused by -0400 (EDT) modified by postfix. Microsoft Mail Internet Headers Version 2.0 Received: from NYCEX20.MYDOMAIN.NET ([XX.XX.XX.XX]) by NYCEX20.MYDOMAIN.NETwith Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Jun 2009 17:13:42 -0400 Received: from POSTFIXMTA.MYDOMAIN.NET ([XX.XX.XX.XX]) by NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Jun 2009 17:13:42 -0400 Received: from LCM (unknown [XX.XX.XX.XX]) by POSTFIXMTA.MYDOMAIN.NET (Postfix) with SMTP id A21103A006F for backups-al...@mydomain.net; *Wed, 24 Jun 2009 17:13:39 -0400 (EDT)* From: bac...@mydomain.net To: backups-al...@mydomain.net Subject: T120 Test Mail Date: *Wed, 24 Jun 2009 17:11:41* Message-Id: 20090624211340.a21103a0...@postfix.mydomain.net Return-Path: bac...@mydomain.net X-OriginalArrivalTime: 24 Jun 2009 21:13:42.0727 (UTC) FILETIME=[A7067570:01C9F510]
Re: Header Time
I can't say much because I know next to nothing about Outlook and friends, but MS keeps time in local time (I hear), and *nix goes on GMT, and there's a 4 hour time correction for your local time, and you're seeing a 4 hour time change in your headers in mail being passed between *nix and MS. Betcha it's in there somewhere... -- Glenn English g...@slsware.com
Re: Tip: Restricting mail reception using a remote service's SPF records
Here's the completed script (the IP/CIDR extract worked perfectly -- thanks Barney!): --- #!/bin/sh ORIGINAL=/usr/local/etc/postfix/tables/client_access_maps.cidr NEW=/tmp/postfix_clients.tmp dig +short senderdomain.net TXT | grep 'v=spf1' | egrep -o 'ip4:[0-9./]+' | sed 's/^ip4://' | sed 's/$/ OK/' $NEW ORIGINAL_CK=`cksum $ORIGINAL | awk '{print $1}'` NEW_CK=`cksum $NEW | awk '{print $1}'` if [ -s $NEW ] ; then if [ $ORIGINAL_CK != $NEW_CK ] ; then cp -f $NEW $ORIGINAL postfix reload /dev/null fi fi rm $NEW exit 0 --- It works except that the Postfix refresh message (postfix/postfix-script: refreshing the Postfix mail system) is displayed despite of the attempt to redirect it to /dev/null? Any idea how I could hide it? Ville
Re: Tip: Restricting mail reception using a remote service's SPF records
Ville Walveranta wrote: It works except that the Postfix refresh message (postfix/postfix-script: refreshing the Postfix mail system) is displayed despite of the attempt to redirect it to /dev/null? Any idea how I could hide it? It's probably writing to stderr, postfix reload 2/dev/null # stderr only postfix reload /dev/null # stdout stderr Though if it writes an error to the screen, you'll miss it. J.P.
Re: Tip: Restricting mail reception using a remote service's SPF records
Ville Walveranta wrote: Here's the completed script (the IP/CIDR extract worked perfectly -- thanks Barney!): --- #!/bin/sh ORIGINAL=/usr/local/etc/postfix/tables/client_access_maps.cidr NEW=/tmp/postfix_clients.tmp dig +short senderdomain.net TXT | grep 'v=spf1' | egrep -o 'ip4:[0-9./]+' | sed 's/^ip4://' | sed 's/$/ OK/' $NEW ORIGINAL_CK=`cksum $ORIGINAL | awk '{print $1}'` NEW_CK=`cksum $NEW | awk '{print $1}'` if [ -s $NEW ] ; then if [ $ORIGINAL_CK != $NEW_CK ] ; then cp -f $NEW $ORIGINAL postfix reload /dev/null fi fi rm $NEW exit 0 --- It works except that the Postfix refresh message (postfix/postfix-script: refreshing the Postfix mail system) is displayed despite of the attempt to redirect it to /dev/null? Any idea how I could hide it? postfix reload /dev/null 21 Rod --
Re: Tip: Restricting mail reception using a remote service's SPF records
Ville Walveranta wrote: Here's the completed script (the IP/CIDR extract worked perfectly -- thanks Barney!): --- #!/bin/sh ORIGINAL=/usr/local/etc/postfix/tables/client_access_maps.cidr NEW=/tmp/postfix_clients.tmp dig +short senderdomain.net TXT | grep 'v=spf1' | egrep -o 'ip4:[0-9./]+' | sed 's/^ip4://' | sed 's/$/ OK/' $NEW ORIGINAL_CK=`cksum $ORIGINAL | awk '{print $1}'` NEW_CK=`cksum $NEW | awk '{print $1}'` if [ -s $NEW ] ; then if [ $ORIGINAL_CK != $NEW_CK ] ; then cp -f $NEW $ORIGINAL postfix reload /dev/null fi fi rm $NEW exit 0 --- It works except that the Postfix refresh message (postfix/postfix-script: refreshing the Postfix mail system) is displayed despite of the attempt to redirect it to /dev/null? Any idea how I could hide it? Ville Try postfix reload 2/dev/null instead Gerardo
Re: Tip: Restricting mail reception using a remote service's SPF records
Perfect! Thanks all!!
Re: Header Time
On Thu, Jun 25, 2009 at 4:17 PM, ghe g...@slsware.com wrote: I can't say much because I know next to nothing about Outlook and friends, but MS keeps time in local time (I hear), and *nix goes on GMT, and there's a 4 hour time correction for your local time, and you're seeing a 4 hour time change in your headers in mail being passed between *nix and MS. Betcha it's in there somewhere... -- Glenn English g...@slsware.com I dont think this is something to do with outlook as I tested with yahoo and gmail as well. I see the same pattern. Looks to me message leaves postfix with updated time stamp. Is there any verbose can enabled in postfix to see what its doing to check time change process?
Re: Header Time
Linux Addict wrote: On Thu, Jun 25, 2009 at 2:22 PM, Sahil Tandon sa...@tandon.net mailto:sa...@tandon.net wrote: On Jun 25, 2009, at 2:06 PM, Linux Addict linuxaddi...@gmail.com mailto:linuxaddi...@gmail.com wrote: On Thu, Jun 25, 2009 at 1:41 PM, ghe mailto:g...@slsware.comg...@slsware.com mailto:g...@slsware.com wrote: On 6/25/09 9:50 AM, Linux Addict wrote: A device uses postfix relay to send mails out. When I receive them in outlook, they are 4 hrs behind. When I looked at the header, postfix seems to doing -400 (EDT). Hmmm. 4 hours. Are you using greylisting? -- Glenn English mailto:g...@slsware.comg...@slsware.com mailto:g...@slsware.com We are, but these aren't even going out. There is a transport map which directs it to internal exchange servers. I am curious where its getting the -400(EDIT) from. No Outlook help here but what exactly is the Postfix problem? Or is the GMT - EDT terminology confusing you? EDT = Eastern Daylight Time = GMT - 4:00. Not looking for any outlook. See below the complete header. The BOLD text is where message enters the postfix and time seem adjusted. On my Mail Client, the sent time is showing as Wed 6/24/2009 *1:12 PM* instead of *5:12PM* ie. -4 hours. I believe that was caused by -0400 (EDT) modified by postfix. No, the postfix header is correct. Look as the headers of this message. The time format in the headers is: HH:MM:SS [local offset from GMT] [timezone] The offset and timezone are optional, if the timezone is supplied, the offset. If no offset is provided, GMT is assumed. But anyway, you're looking in the wrong place. The date/time in your mail client is provided by the Date: header. Let's see what that says... Microsoft Mail Internet Headers Version 2.0 Received: from NYCEX20.MYDOMAIN.NET http://NYCEX20.MYDOMAIN.NET ([XX.XX.XX.XX]) by NYCEX20.MYDOMAIN.NET http://NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Jun 2009 17:13:42 -0400 Received: from POSTFIXMTA.MYDOMAIN.NET http://POSTFIXMTA.MYDOMAIN.NET ([XX.XX.XX.XX]) by NYCEX20.MYDOMAIN.NET http://NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Jun 2009 17:13:42 -0400 Received: from LCM (unknown [XX.XX.XX.XX]) by POSTFIXMTA.MYDOMAIN.NET http://POSTFIXMTA.MYDOMAIN.NET (Postfix) with SMTP id A21103A006F for backups-al...@mydomain.net mailto:backups-al...@mydomain.net; *Wed, 24 Jun 2009 17:13:39 -0400 (EDT)* From: bac...@mydomain.net mailto:bac...@mydomain.net To: backups-al...@mydomain.net mailto:backups-al...@mydomain.net Subject: T120 Test Mail Date: *Wed, 24 Jun 2009 17:11:41* Ah, there's the problem. No offset is provided, so **YOUR MAIL CLIENT** assumes it's GMT and applies **YOUR PC'S** offset, which is -400. If you want to fix this, fix whatever is sending the mail. Either set its time zone so it can provide an offset, or set it to GMT rather than local time. Message-Id: 20090624211340.a21103a0...@postfix.mydomain.net mailto:20090624211340.a21103a0...@postfix.mydomain.net Return-Path: bac...@mydomain.net mailto:bac...@mydomain.net X-OriginalArrivalTime: 24 Jun 2009 21:13:42.0727 (UTC) FILETIME=[A7067570:01C9F510]
Re: Header Time
Original Message Subject: Re: Header Time From: Linux Addict linuxaddi...@gmail.com I dont think this is something to do with outlook as I tested with yahoo and gmail as well. I see the same pattern. Looks to me message leaves postfix with updated time stamp. �Is there any verbose can enabled in postfix to see what its doing to check time change process? The only problem I see is that your appliance sends the date as Date: Wed, 24 Jun 2009 17:11:41 when it should send as Date: Wed, 24 Jun 2009 17:11:41 -0400. Since no time zone is provided, most mail clients likely interpret this as UTC time and display accordingly. If your device send email for the correct time zone, set the clock as UTC on the device. -Blake
Re: rejecting client=unknown[ip.ad.dr.ess]
LuKreme a écrit : On 22-Jun-2009, at 18:29, mouss wrote: Is there anyway to, if not outright reject anyone whose DNS shows up as unknown to at least tempfail them with a Ooops, your DNS is not resolving, try back later or something? if you insist, you could use one of http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname but use at your own risks. In particular, reject_unknown_client_hostname (previously: reject_unknown_client) _will_ block or delay legitimate mail. Will it block or delay it? Can I set the error code to a tempfail instead of a outright rejection. Blocking legitimate mail that fails dns checks is one thing, rejecting it outright is another thing altogether. Seems at least half the spam that gets by zen shows up as client=unknown how much is half of what... I don't understand the question. sorry. I meant that, the way it is stated, at least half of spam is a meaningless measure. for example, if you use other checks, numbers will change. yes, it is hard to come up with meaningful numbers. I do a multiple levels stats: ratio of junk blocked by major checks, then among what slips, ratio blocked by other checks, and then among what slips, ratio of junk detected by SA, ... etc. I stopped doing global measures.
Re: customize bounce behavior
George Forman a écrit : Hi, I apologize if this has already been covered but I can't seem to find any information. I need to customize the bounce behavior for the following: 1. If a bounce message is created because it can't deliver to a specified list of email addresses we don't want a bounce returned. can you explain a little? what exactly do you mean by a list? and why it wouldn't be delivered? (the reason is important). 2. If a bounce message is created, we need to use the recipient's domain for the mailer-daemon domain instead of myorigin parameter. to use * domain for what? the bounce sender is . no domain there. This is mandated by the standard. Is the some type of check policy feature I can add to support this behavior? George Lauren found her dream laptop. Find the PC that’s right for you. http://www.microsoft.com/windows/choosepc/?ocid=ftp_val_wl_290
Re: adding headers for bcc recipients
Bernardo Pons a écrit : Hi all, I'm looking for a way to add a header to the messages before they are delivered to a multidrop mailbox with virtual aliases. After searching the postfix-users list archives I've found that this subject has been already discused here and I've found a message from Zoltan Balogh that seemed to be exactly what I needed: --8 So basically I just need to help fetchmail guessing the correct envelope recipients by appending X-Envelope-To (or similar header entry) to the email message. I did the following: smtpd_recipient_restrictions = ... check_recipient_access pcre:/etc/postfix/recipient_access /etc/postfix/check_recipient_access: /(@somedomain.com)/ mailto:@somedomain.com)/ PREPEND X-Envelope-To: $1 please use the text button to avoid these annoying mailto... addons. --8 This is bad. it exposes Bcc recipients. use recipient_bcc_maps instead. then the Delivered-To header should be enough. if you have a more complex setup (later rewrite, do start with recipient_bcc_maps, then ask a new question, with relevant infos). But it doesn't work for me. No header is added at all! well, unless your expression is wrong or your rule isn't called, it should work. but as said above, this is the wrong approach (all recipients see all the headers, so Bcc recipients are disclosed). Maybe it is because I use LMTP as a delivery method from Postfix to Cyrus? Should I place the check_recipient_access rule in another phase of smtp check instead of smtpd_recipient_restrictions? Thanks -- Bernardo Pons
Re: Tip: Restricting mail reception using a remote service's SPF records
On 25-Jun-2009, at 14:33, Ville Walveranta wrote: It works except that the Postfix refresh message (postfix/postfix-script: refreshing the Postfix mail system) is displayed despite of the attempt to redirect it to /dev/null? Any idea how I could hide it? That refresh message is output on stderror, and you are only redirecting stdout. in /bin/sh I believe the way to redirect (assuming you are using bash's sh) is 21 -- So here's us, on the raggedy edge. Don't push me. And I won't push you.
Re: A question about the instance attribute in policy delegation
On Thu, 25 Jun 2009, Rob Tanner wrote: I¹ve got a policy listener in place. It merely logs the request and returns an ³OK² and doesn¹t otherwise make any decisions. What I¹m noticing is many of the client requests do not even contain the instance attribute. My assumption from reading the documentation was that even a single recipient message would contain an instance attribute with a unique value. Is that incorrect? How do I interpret a request with no instance attribute? In which phase of the SMTP transaction do you plug in your policy service? From what I understand, the instance attribute does not exist until Postfix chooses/assigns a queue ID, which happens *after* the first RCPT TO command is accepted. If your policy service plugs in before that, there is no instance; therefore, the attribute is empty. -- Sahil Tandon sa...@tandon.net
greylist and then still RBL?
I have the following in my main.cf: MAINCF #smtpd_reject_unlisted_sender = yes mime_header_checks = pcre:$config_directory/mime_headers.pcre smtpd_restriction_classes = check_greylist check_greylist = check_policy_service inet:127.0.0.1:10023 MAINCF (there are no leading spaces or stray ,'s, I pasted the lines exactly in, including the following blank line.) but when I look at postconf, the check_greylist = does not show up. $ postconf -n | grep grey smtpd_restriction_classes = check_greylist $ Is that simply because the check_greylist directive is, itself, nonstandard and so not shown by postconf -n? The reason I ask is that when a message is greylisted, it still 'goes on' in the log to hit the RBL check. postfix/smtpd[68116]: connect from unknown[173.45.143.3] postgrey[948]: action=greylist, reason=new, client_name=unknown, client_address=173.45.143.3, sender=spam...@kintopuzi.com.example.org, recipient=u...@example.com postfix/smtpd[68116]: NOQUEUE: reject: RCPT from unknown[173.45.143.3]: 554 5.7.1 Service unavailable; Client host [173.45.143.3] blocked using zen.spamhaus.org; http://www.spamhaus.org/SBL/sbl.lasso?query=SBL75567 ; from=alifechangingev...@kintopuzi.com to=r...@broadway- terrace.com proto=SMTP helo=mx2.kintopuzi.com.example.org postfix/smtpd[68116]: disconnect from unknown[173.45.143.3] -- Can I tell you the truth? I mean this isn't like TV news, is it?
RE: customize bounce behavior
Date: Thu, 25 Jun 2009 23:56:34 +0200 From: mo...@ml.netoyen.net To: postfix-users@postfix.org Subject: Re: customize bounce behavior George Forman a écrit : Hi, I apologize if this has already been covered but I can't seem to find any information. I need to customize the bounce behavior for the following: 1. If a bounce message is created because it can't deliver to a specified list of email addresses we don't want a bounce returned. can you explain a little? what exactly do you mean by a list? and why it wouldn't be delivered? (the reason is important). We have several mail accounts (ie list) that have automated mailgenerated and sent to these accounts for security reasons. Under normal conditions, the mailbox for these few accountsshould accept mail. However, there have been situation in the past wherethe process on these boxes accepting the mail has problems and the mailcan't be delivered. Typically they resolve the problems and SMTP retries.However for extend period outages or their is a bug in their code,the process rejects the mail, postfix will generate a bounce message.In these cases, we don't want to have a bounce message generated. 2. If a bounce message is created, we need to use the recipient's domain for the mailer-daemon domain instead of myorigin parameter. to use * domain for what? the bounce sender is . no domain there. This is mandated by the standard. My apologies, I wasn't clear. In the bounce message's RFC822 From header,the mailer-daemon must contain the appropriate domain. Is the some type of check policy feature I can add to support this behavior? George Lauren found her dream laptop. Find the PC that’s right for you. http://www.microsoft.com/windows/choosepc/?ocid=ftp_val_wl_290 _ Windows Live™ SkyDrive™: Get 25 GB of free online storage. http://windowslive.com/online/skydrive?ocid=TXT_TAGLM_WL_SD_25GB_062009
Re: A question about the instance attribute in policy delegation
On Thu, Jun 25, 2009 at 09:46:51PM -0400, Sahil Tandon wrote: On Thu, 25 Jun 2009, Rob Tanner wrote: I?ve got a policy listener in place. It merely logs the request and returns an ?OK? and doesn?t otherwise make any decisions. What I?m noticing is many of the client requests do not even contain the instance attribute. My assumption from reading the documentation was that even a single recipient message would contain an instance attribute with a unique value. Is that incorrect? How do I interpret a request with no instance attribute? In which phase of the SMTP transaction do you plug in your policy service? From what I understand, the instance attribute does not exist until Postfix chooses/assigns a queue ID, which happens *after* the first RCPT TO command is accepted. If your policy service plugs in before that, there is no instance; therefore, the attribute is empty. IIRC, the instance attribute identifies a mail transaction and is assigned before the queue-id. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: greylist and then still RBL?
On Thu, 25 Jun 2009, LuKreme wrote: I have the following in my main.cf: MAINCF #smtpd_reject_unlisted_sender = yes mime_header_checks = pcre:$config_directory/mime_headers.pcre smtpd_restriction_classes = check_greylist check_greylist = check_policy_service inet:127.0.0.1:10023 MAINCF (there are no leading spaces or stray ,'s, I pasted the lines exactly in, including the following blank line.) but when I look at postconf, the check_greylist = does not show up. $ postconf -n | grep grey smtpd_restriction_classes = check_greylist $ Is that simply because the check_greylist directive is, itself, nonstandard and so not shown by postconf -n? Correct, check_greylist is not a Postfix configuration parameter, so postconf(1) does not care about it. The reason I ask is that when a message is greylisted, it still 'goes on' in the log to hit the RBL check. You did not include 'postconf -n' as suggested in DEBUG_README, so I can only guess. Your RBL check occurs later in smtpd_foo_restrictions, and since the check_greylist action is != OK, REJECT, or DEFER, Postfix iterates through the following restrictions, eventually hitting REJECT via zen.spamhaus.org. -- Sahil Tandon sa...@tandon.net
Re: A question about the instance attribute in policy delegation
On Thu, 25 Jun 2009, Victor Duchovni wrote: On Thu, Jun 25, 2009 at 09:46:51PM -0400, Sahil Tandon wrote: On Thu, 25 Jun 2009, Rob Tanner wrote: I?ve got a policy listener in place. It merely logs the request and returns an ?OK? and doesn?t otherwise make any decisions. What I?m noticing is many of the client requests do not even contain the instance attribute. My assumption from reading the documentation was that even a single recipient message would contain an instance attribute with a unique value. Is that incorrect? How do I interpret a request with no instance attribute? In which phase of the SMTP transaction do you plug in your policy service? From what I understand, the instance attribute does not exist until Postfix chooses/assigns a queue ID, which happens *after* the first RCPT TO command is accepted. If your policy service plugs in before that, there is no instance; therefore, the attribute is empty. IIRC, the instance attribute identifies a mail transaction and is assigned before the queue-id. My bad reading of src/smtpd/smtpd_check.c, then. But does that mean an instance can exist *before* the first recipient is accepted? For context: http://www.irbs.net/internet/postfix/0412/0896.html -- Sahil Tandon sa...@tandon.net
Re: Header Time
On Thu, Jun 25, 2009 at 5:11 PM, Blake Hudson bl...@ispn.net wrote: Original Message Subject: Re: Header Time From: Linux Addict linuxaddi...@gmail.com I dont think this is something to do with outlook as I tested with yahoo and gmail as well. I see the same pattern. Looks to me message leaves postfix with updated time stamp. �Is there any verbose can enabled in postfix to see what its doing to check time change process? The only problem I see is that your appliance sends the date as Date: Wed, 24 Jun 2009 17:11:41 when it should send as Date: Wed, 24 Jun 2009 17:11:41 -0400. Since no time zone is provided, most mail clients likely interpret this as UTC time and display accordingly. If your device send email for the correct time zone, set the clock as UTC on the device. -Blake A RHEL host(mailx) was able to sent correctly, but I didn't compare headers of the both. I will do it next morning and will confirm.
Re: A question about the instance attribute in policy delegation
On Thu, Jun 25, 2009 at 10:36:09PM -0400, Sahil Tandon wrote: IIRC, the instance attribute identifies a mail transaction and is assigned before the queue-id. My bad reading of src/smtpd/smtpd_check.c, then. But does that mean an instance can exist *before* the first recipient is accepted? For context: http://www.irbs.net/internet/postfix/0412/0896.html Yes. An instance (transaction) id is assigned at MAIL FROM: time, provided the MAIL command iis not rejected. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Postfix Logfile
Hi there, i have a little problem to change time of logswitch for the postfix-logfile mail in /var/log/. the logswitch yet is every day at 11:00 am. The switch should take place at midnight. i can't find any parameter in main.cf or master.cf Kind regards Oliver