Re: How to setup postfix to have port 25 for receive only

2009-07-28 Thread Zbyszek

Magnus Bäck wrote:

On Monday, July 27, 2009 at 10:56 CEST,
 Zbyszek zbi...@o2.pl wrote:

  

I googled everywhere, read how-tos but cannot find a solution for a
simple problem in postfix:
I would like to have such config:
- smtp 25/tcp; only server-server communication, only
mail receive for local domain, no relay, no send, encryption optional,
SPF, blocking 'servers' having ppp, adsl, dialup in domain name. No
auth because real remote servers always do not know credentials.
- submission 587/tcp; only send; encryption required; client-server
- smtps SSL 465/tcp; only send; encryption required; client-server
My problem is:
I do not know how to:
- make postfix only receive mail on port 25 only for local domain.



smtpd_recipient_restrictions = reject_unauth_destination

  

- block incoming mail from domains containing ppp, dialup or adsl
string in domain name.



I don't think that's a terribly good idea, but anyway:

main.cf:
smtpd_client_restrictions = check_client_access pcre:/path/to/file

/path/to/file:
/(ppp|dialup|adsl)/ REJECT

You can move the check_client_access restriction to any other
smtpd_xxx_restrictions if you want. You probably want to implement a
stricter regexp to avoid collateral damage. Stricter expressions have
been posted here in the past. Finally, this assumes that your Postfix
has PCRE support. If not, replace `pcre' with `regexp'.

  

Thank you.
have a nice day,
Zbigniew
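
The collateral damage Magnus warns about can be measured before the table goes live. The following is an added example, not part of the original thread: it runs the posted expression and an assumed stricter one (`STRICT`, written for this illustration) over constructed client hostnames and reports which ordinary names each would reject.

```python
import re

# Postfix pcre: tables match case-insensitively by default, so both patterns
# are compiled with IGNORECASE to mirror that.
LOOSE = re.compile(r"(ppp|dialup|adsl)", re.IGNORECASE)

# Assumed stricter pattern (an illustration, not an expression taken from the
# list archives): the token must start a DNS label or follow a hyphen, may
# carry a numeric suffix, and must be followed by "." or "-".
STRICT = re.compile(r"(^|[.-])(ppp|dialup|adsl)[0-9]*[.-]", re.IGNORECASE)

# Constructed reverse-DNS names. The first three look like dynamic access
# lines; the last three are ordinary names that merely contain the letters.
SAMPLE_CLIENTS = [
    "ppp-203-0-113-7.dyn.example.net",
    "adsl12.pool.example.org",
    "host7.dialup.example.com",
    "mail.madslab.example",
    "mx.cheapppens.example",
    "smtp.dialupdate.example",
]
INTENDED = set(SAMPLE_CLIENTS[:3])


def rejected(pattern, clients):
    """Hostnames that a 'REJECT' rule with this pattern would match."""
    return [c for c in clients if pattern.search(c)]


def collateral(pattern, clients, intended):
    """Hostnames rejected although they are not in the intended set."""
    return [c for c in rejected(pattern, clients) if c not in intended]


def missed(pattern, clients, intended):
    """Intended hostnames that the pattern fails to match."""
    hit = set(rejected(pattern, clients))
    return [c for c in clients if c in intended and c not in hit]


def pcre_table_line(pattern, action="REJECT"):
    """Render the pattern as a line for the pcre: lookup table."""
    return "/%s/ %s" % (pattern.pattern, action)


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        print(name, pcre_table_line(pat))
        print("  collateral:", collateral(pat, SAMPLE_CLIENTS, INTENDED))
        print("  missed:    ", missed(pat, SAMPLE_CLIENTS, INTENDED))
```

A name such as `mail.adsl.example.com` is still rejected by the stricter expression, so running the candidate table over real client names from the mail log remains the deciding check.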



Problem sending mail from outside permit_mynetworks

2009-07-28 Thread Hervé Hénoch





1) I want to use sasl in order to send mail outside my LAN. The 
authentication runs well. But I was stopped by zen.spamhaus.org because 
my ISP has registered dynamic addresses in this site.

I don't understand why because permit_sasl_authenticated is always the 
second line !!!


2) The same thing happens with reject_non_fqdn_hostname : my home 
computer doesn't have a fqdn and permit_sasl_authenticated is the second 
line !!!


Here are the restrictions in my main.cf  :


smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
#check_helo_access hash:/usr/local/etc/postfix/helo_access,
#warn_if_reject,
reject_invalid_helo_hostname,
reject_non_fqdn_hostname,
permit

smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   permit


smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_pipelining,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client zen.spamhaus.org,
   permit

--
Hervé Hénoch
Responsable informatique
Institut Sainte Catherine
1750, chemin du Lavarin, 84000 Avignon
Téléphone : 04.90.27.57.44
Messagerie : h.hen...@isc84.org




Re: Problem sending mail from outside permit_mynetworks

2009-07-28 Thread Magnus Bäck
On Tuesday, July 28, 2009 at 12:11 CEST,
 Hervé Hénoch h.hen...@isc84.org wrote:

 1) I want to use sasl in order to send mail outside my LAN. The
 authentication runs well. But I was stopped by zen.spamhaus.org
 because my ISP has registered dynamic addresses in this site.

Not a problem if permit_sasl_authenticated is listed before
reject_rbl_client.

 I don't understand why because permit_sasl_authenticated is always the
 second line !!!

How do you know the authentication succeeds? The logs will clearly state
when clients authenticate. Show the logs when a message is rejected.

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se


spoofed mails from backup mail server

2009-07-28 Thread itsramesh_s
Hi,

I have configured backup mail server for our primary mail server.
i am getting lot of spam with spoofed  email ids from our  domain.
i noticed in header all these are accepting from backup mail server. primary 
mail server discarding spoofed mails.

# postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail2.my.domain.net
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
relay_domains = $mydestination, ltp.soft.net
relay_recipient_maps = hash:/etc/postfix/access
sample_directory = /usr/share/doc/postfix-2.2.8/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, 
reject_unauth_destination,check_sender_access hash:/etc/postfix/sender  
permit_mx_backup
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
check_sender_access hash:/etc/postfix/accesss, reject_non_fqdn_sender
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550



Please suggest me to make any changes required.

Regards,
Ramesh.




Re: spoofed mails from backup mail server

2009-07-28 Thread Magnus Bäck
On Tuesday, July 28, 2009 at 12:54 CEST,
 itsramesh_s itsrames...@yahoo.co.in wrote:

 I have configured backup mail server for our primary mail server.
 i am getting lot of spam with spoofed  email ids from our  domain.
 i noticed in header all these are accepting from backup mail server.
 primary mail server discarding spoofed mails.

Simple: You should always have the same antispam policies on the backup
server.

And do you really need the backup server? Removing it would solve all
your problems.

[...]

 Please suggest me to make any changes required.

Well, how and why does the primary server reject the messages?

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Address rewriting to include GECOS

2009-07-28 Thread Wietse Venema
Olivier Nicole:
 Hi,
 
 I read and re-read the address-rewriting readme and could not find any
 indication on the way to rewrite addresses to include GECOS
 information:
 
 o...@cs.ait.ac.th = Olivier Nicole o...@cs.ait.ac.th

Display names are the responsibility of the mail user agent.

 Is that possible in Postfix? I believe yes.

No.
Wietse


Re: spoofed mails from backup mail server

2009-07-28 Thread LuKreme

On Jul 28, 2009, at 4:54 AM, itsramesh_s wrote:

I have configured backup mail server for our primary mail server.


Almost certainly a mistake.


i am getting lot of spam with spoofed  email ids from our  domain.


That's one reason why.


i noticed in header all these are accepting from backup mail server.


Turn it off then. Problem solved.

In order for a backup server to be AT ALL useful it must have exactly  
the same rejection/filtering/anti-spam in place as the primary server.  
EXACTLY.



--
Ille Qui Nos Omnes Servabit



Need Outbound Only

2009-07-28 Thread wiskbroom

Hallo;

I would like to configure postfix to send whatever is in its queue to whatever 
is setup as smarthost, but *NOT* listen for incoming mail; this particular 
server is not a mail relay and I do not want to allow it to be an open relay.

Anything I must specifically perform?

Thanks many,

.vp




Re: Need Outbound Only

2009-07-28 Thread Serge Fonville
Hi,

 I would like to configure postfix to send whatever is in its queue to 
 whatever is setup as smarthost, but *NOT* listen for incoming mail; this 
 particular server is not a mail relay and I do not want to allow it to be an 
 open relay.

Start by looking here:
http://groups.google.com/group/mailing.postfix.users/browse_thread/thread/7852b397d05ebb20/011bd8c4cfc7bc1b?lnk=raot

HTH

Regards,

Serge Fonville


RE: Need Outbound Only

2009-07-28 Thread wiskbroom

Thanks Serge, my needs are different.  What I've done so far was the following:

myhostname = nonrelayhost.example.com
mynetworks = 127.0.0.0/8, 192.168.100.10/32

# Or, this?
# mynetworks = 127.0.0.0/8, $myhostname

The above might work, but would still require manually massaging the file, I am 
hoping for a more generic client config that needs no mods.

Thanks all!

.vp



 From: serge.fonvi...@gmail.com


 Hi,

 I would like to configure postfix to send whatever is in its queue to 
 whatever is setup as smarthost, but *NOT* listen for incoming mail; this 
 particular server is not a mail relay and I do not want to allow it to be an 
 open relay.

 Start by looking here:
 http://groups.google.com/group/mailing.postfix.users/browse_thread/thread/7852b397d05ebb20/011bd8c4cfc7bc1b?lnk=raot

 HTH

 Regards,

 Serge Fonville


Need Outbound Only

2009-07-28 Thread Serge Fonville
 Thanks Serge, my needs are different.  What I've done so far was the 
 following:

 myhostname = nonrelayhost.example.com
 mynetworks = 127.0.0.0/8, 192.168.100.10/32

 # Or, this?
 # mynetworks = 127.0.0.0/8, $myhostname

If you just want to block incoming mails from outside your network use
a block or reject rule with iptables and either specify the wan
interface or a subnet exclusion/inclusion

HTH


Re: Need Outbound Only

2009-07-28 Thread Noel Jones

wiskbr...@hotmail.com wrote:

Thanks Serge, my needs are different.  What I've done so far was the following:

myhostname = nonrelayhost.example.com
mynetworks = 127.0.0.0/8, 192.168.100.10/32

# Or, this?
# mynetworks = 127.0.0.0/8, $myhostname

The above might work, but would still require manually massaging the file, I am 
hoping for a more generic client config that needs no mods.

Thanks all!

.vp




From: serge.fonvi...@gmail.com



Hi,


I would like to configure postfix to send whatever is in its queue to whatever 
is setup as smarthost, but *NOT* listen for incoming mail; this particular 
server is not a mail relay and I do not want to allow it to be an open relay.

Start by looking here:
http://groups.google.com/group/mailing.postfix.users/browse_thread/thread/7852b397d05ebb20/011bd8c4cfc7bc1b?lnk=raot

HTH

Regards,

Serge Fonville



To turn off incoming mail completely, comment out the
smtp ... smtpd service in master.cf.


  -- Noel Jones


Re: Need Outbound Only

2009-07-28 Thread Serge Fonville
 To turn off incoming mail completely, comment out the
 smtp ... smtpd service in master.cf.

Wouldn't that completely disable smtp then?


Re: Need Outbound Only

2009-07-28 Thread Ralf Hildebrandt
* Serge Fonville serge.fonvi...@gmail.com:
  To turn off incoming mail completely, comment out the
  smtp ... smtpd service in master.cf.
 
 Wouldn't that completely disable smtp then?

Incoming, yes.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Need Outbound Only

2009-07-28 Thread Serge Fonville
 * Serge Fonville serge.fonvi...@gmail.com:
  To turn off incoming mail completely, comment out the
  smtp ... smtpd service in master.cf.

 Wouldn't that completely disable smtp then?

 Incoming, yes.
Perhaps I misunderstood then, but when would a mail be sent then if it
can't listen to SMTP requests?
To me, sending a mail goes like this
Client makes connection to smtp server
Client talks smtp to server
Server determines whom the mail is for
Server sends (or stores) the mail to wherever it is supposed to

When there is no SMTP server, how would a (local) client send a mail through it?

Perhaps the OP can clarify a bit more, because an MTA without SMTP
seems kinda useless to me...


Re: Need Outbound Only

2009-07-28 Thread Ralf Hildebrandt
* Serge Fonville serge.fonvi...@gmail.com:
  * Serge Fonville serge.fonvi...@gmail.com:
   To turn off incoming mail completely, comment out the
   smtp ... smtpd service in master.cf.
 
  Wouldn't that completely disable smtp then?
 
  Incoming, yes.

 Perhaps I misunderstood then, but when would a mail be sent then if it
 can't listen to SMTP requests?

Via sendmail maybe?

 To me, sending a mail goes like this
 Client makes connection to smtp server
 Client talks smtp to server
 Server determines whom the mail is for
 Server sends (or stores) the mail to wherever it is supposed to
 
 When there is no SMTP server, how would a (local) client send a mail through 
 it?
 
 Perhaps the OP can clarify a bit more, because an MTA without SMTP
 seems kinda useless to me...

People want strange things all the time :)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



RE: Need Outbound Only

2009-07-28 Thread wiskbroom


Thanks all;

Instead of locking down access to smtpd for loopback and local IP address, I've 
simply commented out smtpd, but not smtp, it works!

Thanks,

.vp


 From: ralf.hildebra...@charite.de


 * Serge Fonville :
 * Serge Fonville :
 To turn off incoming mail completely, comment out the
 smtp ... smtpd service in master.cf.

 Wouldn't that completely disable smtp then?

 Incoming, yes.

 Perhaps I misunderstood then, but when would a mail be sent then if it
 can't listen to SMTP requests?

 Via sendmail maybe?

 To me, sending a mail goes like this
 Client makes connection to smtp server
 Client talks smtp to server
 Server determines whom the mail is for
 Server sends (or stores) the mail to wherever it is supposed to

 When there is no SMTP server, how would a (local) client send a mail through 
 it?

 Perhaps the OP can clarify a bit more, because an MTA without SMTP
 seems kinda useless to me...

 People want strange things all the time :)

 --
 Ralf Hildebrandt
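
The distinction this thread turns on, `smtp inet ... smtpd` (the listener) versus `smtp unix ... smtp` (the delivery client), can be checked mechanically. Added example, not from the original posts: it parses a constructed master.cf excerpt and reports whether any inbound smtpd listener is enabled and whether local submission and outbound delivery are still available; the function names are hypothetical.

```python
# Constructed master.cf excerpt, laid out like the stock file, with the
# inbound listener commented out as Noel Jones suggests.
MASTER_CF_OUTBOUND_ONLY = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
  -o smtp_fallback_relay=
"""

# Same excerpt with the listener line enabled, for comparison.
MASTER_CF_LISTENING = MASTER_CF_OUTBOUND_ONLY.replace(
    "#smtp      inet", "smtp      inet")


def parse_master_cf(text):
    """Return one dict per service entry in master.cf text."""
    logical = []
    for raw in text.splitlines():
        # Blank lines and comment lines are ignored wherever they appear.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        # A line starting with whitespace continues the previous entry.
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())

    entries = []
    for line in logical:
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # not a complete service definition
        words = fields[7].split()
        entries.append({
            "service": fields[0],
            "type": fields[1],
            "chroot": fields[4],
            "command": words[0],
            "args": words[1:],
        })
    return entries


def audit(text):
    """Summarise what the configuration can still do."""
    entries = parse_master_cf(text)
    return {
        # Network-facing SMTP servers: type inet running smtpd.
        "listeners": [e["service"] for e in entries
                      if e["type"] == "inet" and e["command"] == "smtpd"],
        # pickup collects mail handed over by the sendmail command.
        "local_submission": any(e["command"] == "pickup" for e in entries),
        # The smtp(8) client delivers queued mail to the next hop.
        "smtp_client": any(e["type"] == "unix" and e["command"] == "smtp"
                           for e in entries),
    }


if __name__ == "__main__":
    for label, text in (("outbound only", MASTER_CF_OUTBOUND_ONLY),
                        ("listening", MASTER_CF_LISTENING)):
        print(label, audit(text))
```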



Postfix TLS and CRL?

2009-07-28 Thread Ralf Hildebrandt
Does Postfix support/use CRLs? I found some articles like
http://www.irbs.net/internet/postfix/0706/0304.html
but I have yet to find something more recent.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Catchall account and lots of spam in a short period

2009-07-28 Thread LuKreme

On Jul 27, 2009, at 11:18 AM, /dev/rob0 wrote:
To name one, I tried to get automobile insurance with GEICO, a large

insurer in the USA. If I had access to my old virtual_alias_maps I
could find many more who rejected the +.


ATT, Coca Cola, nearly every bank or any site for a company that is  
not primarily a tech/web company.


See, the problem is they hire monkeys to do their sites, and all the  
monkeys share the same crappy javascript to 'validate' email addresses.


I found that _ was the best alternative for address delimiters. Users  
want .'s or -'s too often.  Certainly dashes are needed when someone  
wants 1) their last name AND 2) their last name contains a hyphen like  
Jones-Smith. Periods (full stops) are fine, but some users like first.l...@domain.tld 
 for their users.


So, I went with '_'

--
Well I've seen the Heart of Darkness/Read the writing on the
wall/an the voice out in the desert/Was the voice out in the
hall



Re: Catchall account and lots of spam in a short period

2009-07-28 Thread LuKreme

On Jul 27, 2009, at 11:56 AM, Martijn de Munnik wrote:
I guess I need prohibit the catch all account and offer the solution  
with the delimiter instead. That way all spam to bogus email  
addresses get rejected because the address does not exist.


That is the best course, yes.

But still I wonder if there is a way to stop the spam attack. The  
catchall account did exist for a long time but was under attack only  
for a short period (couple of hours). Is there a way to limit the  
effect of such attacks? The user normally only receives about 10  
messages per hour. So hundreds of messages per hour is a clear sign  
that a spam attack is happening.


So, in those hundreds of emails, which ones do you allow through. You  
could have a policy service that started returning 450 errors for the  
account after it reached some threshold number of messages per hour  
and hope that none of that spam was retried and all of the ham was,  
but that could end up getting very ugly, very fast.




--
How do you feel? I'm lonely
What do you think? Cant take it all
Whatcha gonna do? Gonna live my life



Re: Catchall account and lots of spam in a short period

2009-07-28 Thread Sahil Tandon

On Jul 28, 2009, at 2:05 PM, LuKreme krem...@kreme.com wrote:


On Jul 27, 2009, at 11:18 AM, /dev/rob0 wrote:
To name one, I tried to get automobile insurance with GEICO, a large

insurer in the USA. If I had access to my old virtual_alias_maps I
could find many more who rejected the +.


ATT, Coca Cola, nearly every bank or any site for a company that is  
not primarily a tech/web company.


See, the problem is they hire monkeys to do their sites, and all the  
monkeys share the same crappy javascript to 'validate' email  
addresses.


I found that _ was the best alternative for address delimiters.  
Users want .'s or -'s too often.  Certainly dashes are needed when  
someone wants 1) their last name AND 2) their last name contains a  
hyphen like Jones-Smith. Periods (full stops) are fine, but some  
users like first.l...@domain.tld for their users.


So, I went with '_'


Some large banks use first_l...@foo.com.


Re: Postfix TLS and CRL?

2009-07-28 Thread Wietse Venema
Ralf Hildebrandt:
 Does Postfix support/use CRLs? I found some articles like

Not according to documentation. If it gets added, then it is up to
the sysadmin to feed up-to-date CRL files to Postfix. It is unlikely
that Postfix will reach out over the network whenever a client
connects.

Wietse

 http://www.irbs.net/internet/postfix/0706/0304.html
 but I have yet to find something more recent.
 
 -- 
 Ralf Hildebrandt
   Geschäftsbereich IT | Abteilung Netzwerk
   Charité - Universitätsmedizin Berlin
   Campus Benjamin Franklin
   Hindenburgdamm 30 | D-12203 Berlin
   Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
   ralf.hildebra...@charite.de | http://www.charite.de
   
 
 



Re: Catchall account and lots of spam in a short period

2009-07-28 Thread LuKreme

On Jul 28, 2009, at 12:10 PM, Sahil Tandon wrote:

Some large banks use first_l...@foo.com.


What other sites use doesn't affect me. '-' is problematic because it  
is sometimes part of a person's actual name. I chose '_' over '.'  
because I had users who already used '.' as a first.last separator,  
and it seemed to me that '.' was a more common separator.


--
Love is strange and you have to learn to take the crunchy with the
smooth I suppose



Re: Problem sending mail from outside permit_mynetworks

2009-07-28 Thread /dev/rob0
On Tuesday 28 July 2009 05:11:05 Hervé Hénoch wrote:
 1) I want to use sasl in order to send mail outside my LAN. The
 authentication runs well. But I was stopped by zen.spamhaus.org because
 my ISP has registered dynamic addresses
 in this site.

 I don't understand why because permit_sasl_authenticated is always the
 second line !!!

 2) The same thing happens with reject_non_fqdn_hostname : my home
 computer doesn't have a fqdn and permit_sasl_authenticated is the second
 line !!!

 Here are the restrictions in my main.cf  :

While it is nice to see the well-formatted lines below, this could be
yet another case of why postconf -n is preferred. One possibility is
that smtpd_relay_reject is no, and a reject_rbl_client check is being
done prior to AUTH.

I'm sure that logs and postconf -n will tell the whole story.

 smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  #check_helo_access hash:/usr/local/etc/postfix/helo_access,
  #warn_if_reject,
  reject_invalid_helo_hostname,
  reject_non_fqdn_hostname,
  permit

 smtpd_sender_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 permit


 smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_pipelining,

reject_unauth_pipelining does nothing at this point unless you have
smtpd_relay_reject = no.

 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_unauth_destination,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client zen.spamhaus.org,

I suppose you're aware that CBL is included in Zen with a very slight
lag. Some sites query CBL first to potentially reduce their number of
Spamhaus queries, or to address the issue of that lag.

 permit
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: Catchall account and lots of spam in a short period

2009-07-28 Thread /dev/rob0
On Monday 27 July 2009 16:57:20 mouss wrote:
 /dev/rob0 wrote:
  Unfortunately, I have found that many Web programmers don't bother to
  read RFC's and find out what characters are allowed in email addresses.
  Many sites will not accept a + in your username. I think the old
  default qmail delimiter, -, is a better choice for those just now
  switching to recipient_delimiter use. Another good one would be ..
 
  To name one, I tried to get automobile insurance with GEICO, a large
  insurer in the USA. If I had access to my old virtual_alias_maps I
  could find many more who rejected the +.

 I've seen many sites that refuse '+', but for now, no site that refuses
 '-'. unfortunately, I am not happy with using '-' because:

 - many french names have a '-': jean-pierre, ...
 - '-' is used in mailing-lists

Understood on both counts, but is this really a problem? As the
documentation for recipient_delimiter states, the full LHS string is
tried first. Your jean-pie...@example.fr could still use
jean-pierre-...@example.fr. I guess the problem occurs only for
j...@example.fr if he wants to use jean-pie...@example.fr. And there,
you have a political / administrative issue.

Seems like there is NO perfect choice here ... and all because of
incompetent Web monkeys. :(

 up so far, I have pcre maps for specific users to alias joe-ext to
 joe+ext. but I will be moving to using '-' with a subdomain:
   joe-extens...@silly.$domain
 where joe is necessarily '-' free (so jean-pierre would be jpierre,
 ...etc. while he could complain for the normal domain, he can't
 complain for @silly.$domain, since this is done to help him).
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: Local to local and pop-before-smtp

2009-07-28 Thread /dev/rob0
On Sunday 26 July 2009 17:19:39 Magnus Bäck wrote:
 On Sunday, July 26, 2009 at 23:58 CEST,
  Pablo Yaggi pya...@alsurdelsur.com wrote:
 [...]

  these are my current restrictions:
[...]
   reject_rhsbl_client sbl-xbl.spamhaus.org,
   reject_rhsbl_client bl.spamcop.net,
   reject_rhsbl_client list.dsbl.org,
   reject_rhsbl_sender sbl-xbl.spamhaus.org,
   reject_rhsbl_sender bl.spamcop.net,
   reject_rhsbl_sender list.dsbl.org,
   permit_auth_destination,
   reject

 The two last ones serve no purpose.

For that matter, that entire block is meaningless: none of these
are/were RHSBL services, and as Magnus noted, DSBL is defunct.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: [Re: virtual_alias_maps works with hash but not LDAP (Postfix 2.5.1)]

2009-07-28 Thread mouss
John/SML wrote:
 [snip]
 cleanup   unix  n   -   -   -   0   cleanup

mouss said:
 make sure the 5th field is 'n' (and not 'y' nor '-').

then you said:

 I have disabled chroot in master.cf

Wasn't that a lie?

 [snip]



Re: multiple reverse DNS?

2009-07-28 Thread mouss
ghe wrote:
 On 7/27/09 1:45 PM, /dev/rob0 wrote:
 
 [1] Strictly speaking, it's $smtp_helo_name which should resolve, but
  the default value for smtp_helo_name is $myhostname, and I would
  not generally recommend setting smtp_helo_name without good reason.
 
 My MTA is on the DMZ with an FQDN and IP on a 1918 network. That IP gets
 NAT'ed on its way out to one that resolves to a218.slsware.com. So I set
 the helo name to what is seen by the universe.
 

good. helo is seen by outsiders (for example, in Received: headers), so
it's good to use a public name.

Here, some private patterns are rejected  (localhost, localdomain,
lan, private, ). While in principle I don't take about helo, it
helps getting rid of many silly clients.

 Is that a good enough reason?
 



Re: Catchall account and lots of spam in a short period

2009-07-28 Thread mouss
/dev/rob0 wrote:
 On Monday 27 July 2009 16:57:20 mouss wrote:
 /dev/rob0 wrote:
 Unfortunately, I have found that many Web programmers don't bother to
 read RFC's and find out what characters are allowed in email addresses.
 Many sites will not accept a + in your username. I think the old
 default qmail delimiter, -, is a better choice for those just now
 switching to recipient_delimiter use. Another good one would be ..

 To name one, I tried to get automobile insurance with GEICO, a large
 insurer in the USA. If I had access to my old virtual_alias_maps I
 could find many more who rejected the +.
 I've seen many sites that refuse '+', but for now, no site that refuses
 '-'. unfortunately, I am not happy with using '-' because:

 - many french names have a '-': jean-pierre, ...
 - '-' is used in mailing-lists
 
 Understood on both counts, but is this really a problem? As the
 documentation for recipient_delimiter states, the full LHS string is
 tried first. Your jean-pie...@example.fr could still use
 jean-pierre-...@example.fr. I guess the problem occurs only for
 j...@example.fr if he wants to use jean-pie...@example.fr. And there,
 you have a political / administrative issue.
 

it's not political. If I tell users that they can use any
use...@domain, then jean would be allowed to use any jea...@domain,
including jean-paul. now if jean-paul is hired, then he would get mail
for jean-paul, even if this was used by jean before. this is a no go.
it is not reasonable to tell jean that there is an exception list,
because I've seen names that I had never seen before.

(actually, I suggest to people like jean-paul to use jpaul instead.
but some people love their first names...).

 Seems like there is NO perfect choice here ... and all because of
 incompetent Web monkeys. :(
 

yeah. but it's not only monkey developers.

in a company I worked for before, we outsourced some web dev to an
external company. part of the code was to handle user subscriptions. The
first thing I tested was the email address validation. of course, the
code rejected '+' (but it accepted a lot of addresses that were
obviously invalid ;-) I reported this to my boss, just to hear him
saying "I don't want extensions. I want _real_ addresses." we've had a
long discussion, but it brought nothing. (fortunately, he later needed
me to improve deliverability...).


Postfix/dovecot smtp auth implementation question

2009-07-28 Thread indio

Hi all!
With the config lines below, all clients from inside my network MUST authenticate 
to deliver a message. But all connections from the Internet where mail from 
is @mydomain.com can deliver mail to local users without authenticating. What should I do 
to force authentication to ALL us...@mydomain.com?

smtpd_sasl_authenticated_header = yes
broken_sasl_auth_client = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = 
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination


Re: Postfix/dovecot smtp auth implementation question

2009-07-28 Thread mouss
indio wrote:
 Hi all!
 With the config lines below, all clients from inside my network MUST
 authenticate to deliver a message. But all connections from the Internet
 where mail from is @mydomain.com can deliver mail to local users
 without authenticating. What should I do to force authentication to ALL
 us...@mydomain.com?
 
 smtpd_sasl_authenticated_header = yes
 broken_sasl_auth_client = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 smtpd_recipient_restrictions =
 permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch


Re: Catchall account and lots of spam in a short period

2009-07-28 Thread LuKreme

On Jul 28, 2009, at 3:39 PM, mouss wrote:
reported this to my boss, just to hear him saying "I don't want  
extensions. I want _real_ addresses."


I used to have an email address (since retired into a spam magnet).

u...@example.com - All mail was fed to sa-learn --spam and reported  
to spamcop.


The ONLY valid addresses on it were the four or five + addresses I  
created.


Just in case you ever have another PHB like that, there's a data point  
you can throw out.


And I have stopped doing business with companies because their sites  
reject plus addresses. Redbox is a recent example, they USED to have  
the + on their email entry in the kiosk, but they took it out. I sent  
them an email, from my plus address telling them I was no longer going  
to use their service. Never got a reply.


--
May the forces of evil become confused on the way to your house.



Invalid Header problems

2009-07-28 Thread Oscar Cruz
Hi folks, I'm trying to figure out a problem with some domains when they send
mail to my server. Apparently the problem comes from an invalid header but
I don't know what kind of parameter must change, because this doesn't happen
with all the domains, just with some of them.

Maybe one of you can help me with it. I show the message log and the postconf
-n

Please let me know if I should make any change in particular.

In the log, notice that the message seems to be sent but seconds later a bounced
message is shown.

Here's the attached log info:
Jul 28 09:45:08 boom3 postfix/qmgr[3548]: 3337125C001: from=sen...@.com, 
size=1836, nrcpt=1 (queue active)
Jul 28 09:45:08 boom3 postfix/smtpd[6976]: disconnect from unknown[192.27.1.15]
Jul 28 09:45:08 boom3 amavis[5637]: (05637-16) ESMTP::10024 
/var/spool/amavis/tmp/amavis-20090728T092128-05637: sen...@.com - 
recipi...@myserver SIZE=1836 Received: from myserver ([127.0.0.1]) by 
localhost (myserver [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for 
recipi...@myserver; Tue, 28 Jul 2009 09:45:08 -0600 (CST)
Jul 28 09:45:08 boom3 amavis[6937]: (06937-01) ESMTP::10024 
/var/spool/amavis/tmp/amavis-20090728T094508-06937: sen...@.com - 
recipi...@myserver SIZE=1838 Received: from myserver ([127.0.0.1]) by 
localhost (myserver [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for 
recipi...@myserver; Tue, 28 Jul 2009 09:45:08 -0600 (CST)
Jul 28 09:45:08 boom3 amavis[5637]: (05637-16) Checking: XPr4Jvf1nybP 
sen...@.com - recipi...@myserver
Jul 28 09:45:08 boom3 amavis[5637]: (05637-16) p001 1 Content-Type: text/plain, 
size: 868 B, name:
Jul 28 09:45:08 boom3 amavis[6937]: (06937-01) Checking: Wb-KS8AghfQh 
sen...@.com - recipi...@myserver
Jul 28 09:45:08 boom3 amavis[6937]: (06937-01) p001 1 Content-Type: text/plain, 
size: 868 B, name:
Jul 28 09:45:09 boom3 postfix/smtpd[6914]: connect from unknown[192.27.1.15]
Jul 28 09:45:09 boom3 postfix/smtpd[6914]: 567CD25C003: 
client=unknown[192.27.1.15]
Jul 28 09:45:09 boom3 postfix/cleanup[6921]: 567CD25C003: message-id=
Jul 28 09:45:09 boom3 postfix/qmgr[3548]: 567CD25C003: from=sen...@.com, 
size=1833, nrcpt=1 (queue active)
Jul 28 09:45:09 boom3 postfix/smtpd[6914]: disconnect from unknown[192.27.1.15]
Jul 28 09:45:10 boom3 postfix/smtpd[6932]: connect from localhost[127.0.0.1]
Jul 28 09:45:10 boom3 postfix/smtpd[6932]: 934E325C004: 
client=localhost[127.0.0.1]
Jul 28 09:45:10 boom3 postfix/cleanup[6984]: 934E325C004: message-id=
Jul 28 09:45:10 boom3 postfix/qmgr[3548]: 934E325C004: from=sen...@.com, 
size=2274, nrcpt=1 (queue active)
Jul 28 09:45:10 boom3 postfix/smtpd[6932]: disconnect from localhost[127.0.0.1]
Jul 28 09:45:10 boom3 amavis[5637]: (05637-16) FWD via SMTP: sen...@.com - 
recipi...@myserver,BODY=7BIT 250 2.6.0 Ok, id=05637-16, from 
MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 934E325C004
Jul 28 09:45:10 booo3 amavis[5637]: (05637-16) Passed CLEAN, [10.10.10.10] 
sen...@.com - recipi...@myserver, mail_id: XPr4Jvf1nybP, Hits: -0.699, 
size: 1836, queued_as: 934E325C004, 2375 ms
Jul 28 09:45:10 boom3 postfix/smtp[6922]: 3337125C001: to=recipi...@myserver, 
relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.09/0/0/2.4, dsn=2.0.0, 
status=sent (250 2.0.0 Ok: queued as 934E325C004)
Jul 28 09:45:10 boom3 postfix/qmgr[3548]: 3337125C001: removed
Jul 28 09:45:10 boom3 amavis[5637]: (05637-16) TIMING [total 2380 ms] - SMTP 
greeting: 2 (0%)0, SMTP EHLO: 1 (0%)0, SMTP pre-MAIL: 0 (0%)0, SMTP 
pre-DATA-flush: 3 (0%)0, SMTP DATA: 34 (1%)2, check_init: 1 (0%)2, digest_hdr: 
1 (0%)2, digest_body: 0 (0%)2, gen_mail_id: 1 (0%)2, mime_decode: 8 (0%)2, 
get-file-type1: 15 (1%)3, parts_decode: 0 (0%)3, check_header: 2 (0%)3, 
AV-scan-1: 4 (0%)3, AV-scan-2: 1467 (62%)65, spam-wb-list: 2 (0%)65, SA msg 
read: 1 (0%)65, SA parse: 2 (0%)65, SA check: 739 (31%)96, update_cache: 6 
(0%)96, decide_mail_destiny: 1 (0%)96, fwd-connect: 6 (0%)96, fwd-mail-pip: 13 
(1%)97, fwd-rcpt-pip: 0 (0%)97, fwd-data-chkpnt: 0 (0%)97, write-header: 1 
(0%)97, fwd-data-contents: 0 (0%)97, fwd-end-chkpnt: 59 (2%)99, prepare-dsn: 1 
(0%)99, main_log_entry: 9 (0%)100, update_snmp: 2 (0%)100, SMTP pre-response: 0 
(0%)100, SMTP response: 0 (0%)100, unlink-1-files: 0 (0%)100, rundown: 0 (0%)100
Jul 28 09:45:10 boom3 amavis[5637]: (05637-17) ESMTP::10024 
/var/spool/amavis/tmp/amavis-20090728T092128-05637: sen...@.com - 
recipi...@myserver SIZE=1833 Received: from myserver. ([127.0.0.1]) by 
localhost (myserver. [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for 
recipi...@myserver; Tue, 28 Jul 2009 09:45:10 -0600 (CST)
Jul 28 09:45:10 boom3 amavis[5637]: (05637-17) Checking: wKNkVzaar0-x 
sen...@.com - recipi...@myserver
Jul 28 09:45:10 boom3 amavis[5637]: (05637-17) cached 
acae0dadbbcd66e7cf51eda9ae4bc2f8 from sen...@.com (1,1)
Jul 28 09:45:10 boom3 amavis[5637]: (05637-17) p001 1 Content-Type: text/plain, 
size: 868 B, name:
Jul 28 09:45:10 boom3 postfix/smtpd[6932]: connect from localhost[127.0.0.1]
Jul 28 09:45:10 boom3 postfix/smtpd[6932]: 

request to update ... in non-postfix directory

2009-07-28 Thread Martijn de Munnik

What do these log entries mean and how can I fix this problem:

Jul 29 02:19:39 stevie.youngguns.nl postfix/postfix-script[24806]: [ID 197553 mail.info] starting the Postfix mail system
Jul 29 02:19:41 stevie.youngguns.nl postfix/master[24807]: [ID 197553 mail.info] daemon started -- version 2.7-20090607, configuration /etc/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 mail.warning] warning: request to update table btree:/var/spool/postfix/smtpd_scache in non-postfix directory /var/spool/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 mail.warning] warning: redirecting the request to postfix-owned data_directory /opt/csw/var/lib/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 mail.warning] warning: request to update table btree:/var/spool/postfix/smtp_scache in non-postfix directory /var/spool/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 mail.warning] warning: redirecting the request to postfix-owned data_directory /opt/csw/var/lib/postfix


postconf -n
alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mail_spool_directory = /opt/csw/var/lib/postfix
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 209715200
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = $mydestination, slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org,  permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname,permit
smtpd_recipient_limit = 25
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_invalid_hostname, reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual



Re: request to update ... in non-postfix directory

2009-07-28 Thread Wietse Venema
Martijn de Munnik:
 What do these log entries mean and how can I fix this problem:

Read the RELEASE_NOTES.

Wietse


Re: Invalid Header problems

2009-07-28 Thread Wietse Venema
Oscar Cruz:
 Hi folks, I'm trying to figure out a problem with some domains when they send
 mail to my server. Apparently the problem comes from an invalid header, but
 I don't know what kind of parameter must change, because this doesn't happen
 with all the domains, just with some.

Jul 28 09:45:10 boom3 postfix/pipe[6971]: 934E325C004:
to=recipi...@myserver, orig_to=recipi...@myserver, relay=cyrus,
delay=0.23, delays=0.06/0/0/0.16, dsn=5.6.0, status=bounced (data
format error. Command output: recipient: Message contains invalid
header )

CYRUS reports an error. Ask the CYRUS mailing list.

Wietse


Re: request to update ... in non-postfix directory

2009-07-28 Thread Noel Jones

Martijn de Munnik wrote:

What do these log entries mean and how can I fix this problem:

Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 
mail.warning] warning: request to update table 
btree:/var/spool/postfix/smtpd_scache in non-postfix directory 
/var/spool/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 
mail.warning] warning: redirecting the request to postfix-owned 
data_directory /opt/csw/var/lib/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 
mail.warning] warning: request to update table 
btree:/var/spool/postfix/smtp_scache in non-postfix directory 
/var/spool/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 
mail.warning] warning: redirecting the request to postfix-owned 
data_directory /opt/csw/var/lib/postfix




Read the RELEASE_NOTES before you upgrade.  Or after you 
upgrade and something ... unexpected happens.



postconf -n

...

smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache


These should point to $data_directory.  See RELEASE_NOTES.

  -- Noel Jones
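
The change Noel Jones describes, as an added example (not code from the thread or from the Postfix project): a shell filter that reads `postconf -n` output and prints corrected `main.cf` lines for TLS session cache tables still placed under `$queue_directory`. The function names `suggest_cache_fixes` and `sample_postconf` are hypothetical, and the sample input is the three relevant lines from the `postconf -n` output posted above.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Reads `postconf -n` style "name = value" lines on stdin and prints a
# corrected main.cf line for each TLS session cache table that still
# points at $queue_directory instead of $data_directory.
suggest_cache_fixes() {
    awk '
    /^(smtp|smtpd)_tls_session_cache_database[ \t]*=/ {
        name = $0;  sub(/[ \t]*=.*$/, "", name)
        value = $0; sub(/^[^=]*=[ \t]*/, "", value)
        # Accept both the ${queue_directory} and $queue_directory spellings.
        if (value ~ /[$][{]?queue_directory[}]?/) {
            gsub(/[$][{]?queue_directory[}]?/, "${data_directory}", value)
            printf "%s = %s\n", name, value
        }
    }'
}

# Sample input: the relevant lines from the postconf -n output in the thread.
sample_postconf() {
    cat <<'EOF'
data_directory = /opt/csw/var/lib/postfix
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
EOF
}

# Demo on the sample; on a live host use: postconf -n | suggest_cache_fixes
sample_postconf | suggest_cache_fixes
```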