Quick Test

2009-08-23 Thread Joey
Quick test. sorry.

 

Thanks!

Jack

 



Re: rbl checks, best place

2009-08-23 Thread Stefan Förster
* /dev/rob0 :
> On Friday 21 August 2009 00:23:07 Olivier Nicole wrote:
> > > > This is a difficult question.
> > >
> > > I disagree.
> >
> > Just that because you disagree makes the question not simple :)
> 
> Perhaps you didn't understand. I tried to explain why the choice of
> pre-DATA reject_rbl_client lookups should be preferred to doing them
> through content filters. Yes, I made the exception of untrustworthy
> lists. If you look back, you'll possibly see that I was proposing
> responsible, informed use of DNSBLs.

I have to disagree here. For me it would simply be unacceptable to
reject a mail based on only _one_ criterion. As you said, if e.g.
gmail gets listed on any DNSBL, this might not be a false positive,
but OTOH, it's highly undesirable to block the dozillions of other
legitimate customer mail originating from gmail.

Nowadays, I'd always favour computing a score for every incoming email
as soon as we know the HELO/EHLO, (r)DNS data and MAIL FROM. With
Postfix's "smtpd_delay_reject", this is easily realized by calling a
policy service at an appropriate place in smtpd_recipient_restrictions.

While I know that the original reason to introduce the delayed rejects
was not to make more data available, rejection at the "rcpt to" stage
allows for making much more comprehensive decisions about the fate of
an email. You could, for example, make it easier to contact
"postmaster" - because that's where third parties will seek help if
they are blocked by your system.

It's only logical to extend this conception when it comes to other,
sender/sending host specific criteria: Instead of evaluating one
criterion at a time, basing a rejection decision on the one currently
being examined, you should use _all_ the data you have about an
incoming message to decide on that message's fate.

> I think blind reliance on content filtering is ill-advised, based on
> poor logic and lack of understanding of the nature of spam. SA and
> other content filters will be checking the same DNSBL as I am, with
> addition of some that I'd consider less trustworthy. Furthermore, by
> virtue of having accepted the DATA, a MTA assumes responsibility for
> these few messages amidst all the spam garbage.

Actually (that's for the archives only, I know you are well aware of
that), my server only accepted a message after giving a 2xx to the
DATA-DOT.

> I'm not opposed to content filtering; on the contrary, I know it's
> an important third or fourth line of defense for many sites. Those
> sites which are using it as the first line get what they deserve.

I have to disagree here, again. From your description, I think that
when you are talking about "content filtering", you are referring to a
post queue filter setup. There are a million sites out there using a
post queue setup, and IMNSHO, they should all die in a fire for
torturing their users with ancient technology like that.

About 14 months ago, I switched to a pre queue setup. The main reason
for this was that even with Nazi style rejection rules (that's one Godwin
for me, please!) at the SMTP level, there were still mailboxes for
which our content_filter quarantined (rerouted to plus'd addresses,
$WHATEVER) about 30 messages per day - while killing another 50 ones
silently. And no, there wasn't any chance we could have set the "kill"
level even lower.

C'mon. We are living in the 21st century. Why on earth should anyone
have to look through a folder/quarantine with 30 messages per day? We
are humans, not machines.

I know that there are many concerns regarding the use of
smtpd_proxy_filter - many of them having to do with the lack of
scalability. So what? Buy more hardware. Or buy better hardware. If
you are worried about rejecting mailing list mails, learn how to use
your filter framework. But, for God's sake, step into the 21st
century, finally!

Postfix could easily help this if it supported the same kind of
"routing" it does with a content_filter (where you can specify
"content_filter = smtp-foo:filter.domain.com:10024" and it will lookup
the MX records for filter.domain.com) to facilitate load balancing and
increase robustness, but we probably won't see that too soon.


Cheers
Stefan
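
The scoring approach described in the message above, sketched as a Postfix policy delegation service (an added example, not code from the thread or from any poster). The weights, the threshold, the choice of DNSBL zones and the sample request are assumptions; such a service would be called with check_policy_service from smtpd_recipient_restrictions.

```python
"""Scoring policy service for Postfix policy delegation (added example)."""
import ipaddress
import socket
import sys

# Assumed weights and threshold; tune them against your own mail flow.
DNSBL_WEIGHTS = {"sbl.spamhaus.org": 3.0, "bl.spamcop.net": 2.0}
NO_RDNS, BAD_HELO, BAD_SENDER, REJECT_AT = 2.0, 1.5, 1.0, 5.0

# Constructed sample request (documentation addresses, not from the thread).
SAMPLE_REQUEST = """request=smtpd_access_policy
protocol_state=RCPT
client_address=192.0.2.20
client_name=unknown
helo_name=localhost
sender=someone@example.org
recipient=user@example.net
"""


def parse_request(text):
    """Turn one name=value request block from smtpd into a dict."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def dns_listed(zone, address):
    """Live DNSBL query: True if the IPv4 client has an A record in zone."""
    try:
        octets = str(ipaddress.IPv4Address(address)).split(".")
        socket.gethostbyname(".".join(reversed(octets)) + "." + zone)
        return True
    except (ValueError, OSError):  # not an IPv4 address, or not listed
        return False


def helo_is_plausible(helo):
    """Accept an FQDN or a bracketed address literal as a HELO name."""
    if helo.startswith("[") and helo.endswith("]"):
        return True
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels) and not labels[-1].isdigit()


def score(attrs, listed=dns_listed):
    """Add up every criterion known at RCPT TO; return (total, reasons)."""
    total, reasons = 0.0, []
    for zone, weight in DNSBL_WEIGHTS.items():
        if listed(zone, attrs.get("client_address", "")):
            total += weight
            reasons.append(zone)
    if attrs.get("client_name", "unknown") == "unknown":
        total += NO_RDNS
        reasons.append("no-rdns")
    if not helo_is_plausible(attrs.get("helo_name", "")):
        total += BAD_HELO
        reasons.append("bad-helo")
    sender = attrs.get("sender", "")
    # The null sender (bounces) is legitimate and is not penalised.
    if sender and "." not in sender.rpartition("@")[2]:
        total += BAD_SENDER
        reasons.append("sender-not-fqdn")
    return total, reasons


def decide(attrs, listed=dns_listed):
    """Map the combined score to an access(5) action."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    localpart = attrs.get("recipient", "").split("@", 1)[0].lower()
    if localpart == "postmaster":
        return "DUNNO"  # keep postmaster reachable for blocked senders
    total, reasons = score(attrs, listed)
    if total >= REJECT_AT:
        return "REJECT Policy score %.1f (%s)" % (total, ", ".join(reasons))
    return "DUNNO"


def main():
    """Serve requests on stdin/stdout, as when run from spawn(8)."""
    block = []
    for line in sys.stdin:
        if line.strip():
            block.append(line)
        elif block:
            action = decide(parse_request("".join(block)))
            sys.stdout.write("action=%s\n\n" % action)
            sys.stdout.flush()
            block = []


if __name__ == "__main__":
    main()
```

A client that is listed on one DNSBL but has valid reverse DNS and a proper HELO stays below the threshold, which is the single-criterion case the message argues against rejecting.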


Re: Building milter in PHP

2009-08-23 Thread Mikael Bak
rank1see...@gmail.com wrote:
> It did, but not anymore.
> It is now deprecated (php-milter).
> 
> I use PHP 5.3 and already have working filter.
> 
> To finalise it, I just need a list and description of milter commands.
> Those milter commands work for any type of coding language
> 
> Up to now I've found out these but without explanation or examples
>   connect
>   helo
>   envfrom
>   envrcpt
>   header
>   eoh
>   body
>   eom
>   abort
>   close

Perhaps you should have a look here:
https://www.milter.org/developers

I'm sure you can find example code there.

HTH,
Mikael


Re: Reg:Virtual Aliases forwarding

2009-08-23 Thread Benny Pedersen

On Sat 22 Aug 2009 12:57:27 AM CEST, Priyanka Tyagi wrote

> I have set up SPF record for 'mydomain.com' and passes SPF, in case
> email originates from my postfix server. But SPF verification fails while it
> forwards email using virtual aliases.


why forward emails at all ?

anyway 2 ways to solve it:

1: whitelist your mail server ip in the final recipient mta so spf
there is ignored for being forged


2: add your ip to the spf record, so final recipient sees you as a
valid forwarder


remember to do this for all forwarded sender envelope domains

my point is that it's simpler to not forward

--
xpoint



Re: Country IP block list

2009-08-23 Thread Ralf Hildebrandt
* Security Admin (NetSec) :

> Could someone provide links to sites where IP addresses are grouped by
> country?

I use (the free) geoip database for that.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Country IP block list

2009-08-23 Thread Byung-Hee HWANG
At Sat, 22 Aug 2009 08:56:28 -0700,
Security Admin (NetSec) wrote:
> 
> Could someone provide links to sites where IP addresses are grouped by 
> country?  ASNs would work too but would prefer IP lists that I could put in a 
> file that my postfix mail gateway could read.  Obvious countries like China 
> and Brazil I would like to block wholesale.  Thanks in advance!

Please don't do that. There are many open source committers in Asia
and Brasil. You need time to think about that seriously. 

Sincerely,

-- 
Byung-Hee HWANG
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: Country IP block list

2009-08-23 Thread postfix . org

Ralf Hildebrandt wrote:
> * Security Admin (NetSec) :
>> Could someone provide links to sites where IP addresses are grouped by
>> country?
>
> I use (the free) geoip database for that.

This script has proven useful for me...
http://www.cyberciti.biz/faq/block-entier-country-using-iptables/

(Yes, the spelling error IS indeed in the URL as-is)


Re: Country IP block list

2009-08-23 Thread Justin Piszcz



On Sun, 23 Aug 2009, postfix@cmulcahy.com wrote:

> Ralf Hildebrandt wrote:
>> * Security Admin (NetSec) :
>>> Could someone provide links to sites where IP addresses are grouped by
>>> country?
>>
>> I use (the free) geoip database for that.
>
> This script has proven useful for me...
> http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
>
> (Yes, the spelling error IS indeed in the URL as-is)


What I have found most useful is: geoip-policyd

It uses geoip as well but as a small policy server framework, you can do 
whatever you want to do depending on where an IP originates from (re: 
GeoIP).


Come from country A/B? -> Use a specific smtpd custom class.
Come from country C/D? -> Maybe more spam from here? Use a different 
check.

Come from your country? -> DUNNO or greylist

.. etc

http://translate.google.com/translate?hl=en&sl=ja&u=http://d.hatena.ne.jp/kuni92/20071004/p1&ei=3lSRSpnSAojSNbn07ZEK&sa=X&oi=translate&resnum=3&ct=result&prev=/search%3Fq%3Dgeoip-policyd%2Bpostfix%2Bjp%26hl%3Den%26safe%3Doff%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26hs%3DNfE%26num%3D30
http://blog.browncat.org/files/geoip-policyd-0.01.tar.gz

Justin.


Re: Country IP block list

2009-08-23 Thread Benny Pedersen

On Sun 23 Aug 2009 04:41:02 PM CEST, Justin Piszcz wrote

> What I have found most useful is: geoip-policyd

reminds me of maRBL

> It uses geoip as well but as a small policy server framework, you
> can do whatever you want to do depending on where an IP originates
> from (re: GeoIP).
>
> Come from country A/B? -> Use a specific smtpd custom class.
> Come from country C/D? -> Maybe more spam from here? Use a different check.
> Come from your country? -> DUNNO or greylist

useful, but none have programmed it into one policyd so far, one
needs multiple policyd to make it, and this is why i don't use any :)


--
xpoint



Re: Country IP block list

2009-08-23 Thread mouss
Benny Pedersen wrote:
> On Sun 23 Aug 2009 04:41:02 PM CEST, Justin Piszcz wrote
> 
>> What I have found most useful is: geoip-policyd
> 
> reminds me of maRBL
> 
>> It uses geoip as well but as a small policy server framework, you can
>> do whatever you want to do depending on where an IP originates from
>> (re: GeoIP).
>>
>> Come from country A/B? -> Use a specific smtpd custom class.
>> Come from country C/D? -> Maybe more spam from here? Use a different
>> check.
>> Come from your country? -> DUNNO or greylist
> 
> useful, but none have programmed it into one policyd so far, one needs
> multiple policyd to make it, and this is why i don't use any :)
> 

any action should be possible with a single policyd...

oh, actually, you don't even need a policyd. just dump the GeoIP and/or
nerd.dk into a db.




Re: Country IP block list

2009-08-23 Thread Daniel L'Hommedieu

On Aug 23, 2009, at 8:08, Byung-Hee HWANG wrote:

> At Sat, 22 Aug 2009 08:56:28 -0700,
> Security Admin (NetSec) wrote:
>> Could someone provide links to sites where IP addresses are grouped
>> by country?  ASNs would work too but would prefer IP lists that I
>> could put in a file that my postfix mail gateway could read.
>> Obvious countries like China and Brazil I would like to block
>> wholesale.  Thanks in advance!
>
> Please don't do that. There are many open source committers in Asia
> and Brasil. You need time to think about that seriously.

I block netblocks wholesale, if the netblock is outside the USA, when  
I get a single spam from the netblock.  I used to dig deeper into  
APNIC or AFRINIC or BRNIC or LACNIC or RIPE (or... or ...) to block  
only the offending ISP, but then I realized that I and the people  
using my mail server have essentially no need to communicate directly  
with anyone outside the USA.  Also, I have found that nearly 100% of  
my spam originates from APNIC and BRNIC netblocks.


After implementing this sort of filtering, I have watched my spam load  
drop from 1,000+ spams a day to a few dozen, sometimes as low as only  
5 or so spams a day.


As to what I do, I use iptables to drop all packets from offending  
networks.  In addition to not being able to connect to my Postfix  
server, they can't ping me or see my web server either.


If I ever need to communicate directly with someone outside the USA,  
I'll open it back up, but so far all it has done has been to  
essentially eliminate my spam.


Daniel


Re: Country IP block list

2009-08-23 Thread J.D. Bronson

We use pf and tables here to block as well.
I have huge CIDR blocks as we don't communicate directly
with anyone outside the USA either.

Spam has fallen seriously. The only ones we typically see now
are the residential IP blocks from Verizon or RoadRunner..

--
J.D. Bronson


Re: Country IP block list

2009-08-23 Thread lst_hoe02

Quoting Daniel L'Hommedieu:

> On Aug 23, 2009, at 8:08, Byung-Hee HWANG wrote:
>
>> At Sat, 22 Aug 2009 08:56:28 -0700,
>> Security Admin (NetSec) wrote:
>>> Could someone provide links to sites where IP addresses are
>>> grouped by country?  ASNs would work too but would prefer IP lists
>>> that I could put in a file that my postfix mail gateway could
>>> read.  Obvious countries like China and Brazil I would like to
>>> block wholesale.  Thanks in advance!
>>
>> Please don't do that. There are many open source committers in Asia
>> and Brasil. You need time to think about that seriously.
>
> I block netblocks wholesale, if the netblock is outside the USA,
> when I get a single spam from the netblock.  I used to dig deeper
> into APNIC or AFRINIC or BRNIC or LACNIC or RIPE (or... or ...) to
> block only the offending ISP, but then I realized that I and the
> people using my mail server have essentially no need to communicate
> directly with anyone outside the USA.  Also, I have found that
> nearly 100% of my spam originates from APNIC and BRNIC netblocks.
>
> After implementing this sort of filtering, I have watched my spam
> load drop from 1,000+ spams a day to a few dozen, sometimes as low
> as only 5 or so spams a day.
>
> As to what I do, I use iptables to drop all packets from offending
> networks.  In addition to not being able to connect to my Postfix
> server, they can't ping me or see my web server either.
>
> If I ever need to communicate directly with someone outside the USA,
> I'll open it back up, but so far all it has done has been to
> essentially eliminate my spam.

It is funny that most of the "country blockers" seem to be in the USA
where most of the world wide spam is originating too.
After all mail was invented for world wide communication and not to
speak with your neighbour.

But your server, your rules...

Andreas





Relay access denied, but I think it shouldn't be.

2009-08-23 Thread Boyd Lynn Gerber

Hello,

I have a mental block and need another set of eyes to maybe spot it.
I have replaced the gmail username with user below.  So below is the mail 
log and my postconf -n


Aug 23 11:25:55 suse104 postfix/smtpd[16378]: NOQUEUE: reject: RCPT from 
localhost[::1]: 554 5.7.1 : Relay access denied; 
from= to= 
proto=ESMTP helo=
Aug 23 12:11:12 suse104 postfix/smtpd[21134]: NOQUEUE: reject: RCPT from 
localhost[::1]: 554 5.7.1 : Relay access denied; 
from= to= 
proto=ESMTP helo=
Aug 23 12:40:22 suse104 postfix/smtpd[23849]: NOQUEUE: reject: RCPT from 
localhost[::1]: 554 5.7.1 : Relay access denied; 
from= to= 
proto=ESMTP helo=
Aug 23 13:06:14 suse104 postfix/smtp[25561]: 8C5B96C0B21: 
to=, 
relay=gmail-smtp-in.l.google.com[209.85.216.94]:25, delay=2.4, 
delays=0.16/0/1.3/0.95, dsn=2.0.0, status=sent (250 2.0.0 OK 1251054374 
16si2264586pxi.78)
Aug 23 13:41:57 suse104 postfix/smtpd[28431]: NOQUEUE: reject: RCPT from 
localhost[::1]: 554 5.7.1 : Relay access denied; 
from= to= 
proto=ESMTP helo=


and here is the postconf -n

$ postconf -n
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
mydestination = $myhostname, www.zenez.com, ftp.zenez.com, blg.zenez.com, 
work0.zenez.com, devsys0.zenez.comi, $mydomain, mail.zenez.com, 
lists.zenez.com, gate.zenez.com, xenau105.advancedittraining.com, 
xenau.advancedittraining.com, advancedittraining.com, localhost, 
localhost.zenez.com, localhost.$mydomain

mydomain = zenez.com
myhostname = suse104.zenez.com
mynetworks = 166.70.62.0/28,198.60.105.0/24, 127.0.0.0/8
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
recipient_delimiter = +
relay_domains = $mydestination
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions = permit_mynetworks,   check_client_access 
hash:/etc/postfix/access,   warn_if_reject reject_rbl_client 
bl.spamcop.net,   warn_if_reject reject_rbl_client sbl.spamhaus.org, 
warn_if_reject reject_rbl_client list.dsbl.org

smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks,   check_helo_access 
hash:/etc/postfix/access,   warn_if_reject reject_invalid_hostname, 
warn_if_reject reject_non_fqdn_hostname,   warn_if_reject 
reject_unauth_pipelining,   warn_if_reject reject_unauth_destination, 
permit

smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access, 
check_sender_access hash:/etc/postfix/access   reject_non_fqdn_sender, 
reject_unknown_sender_domain,   permit

smtpd_timeout = 60s
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_limit = 0

Thanks,

--
Boyd Gerber  801 849-0213
ZENEZ   1042 East Fort Union #135, Midvale Utah  84047


Re: Relay access denied, but I think it shouldn't be.

2009-08-23 Thread lst_hoe02

Quoting Boyd Lynn Gerber:

> Hello,
>
> I have a mental block and need another set of eyes to maybe spot it.
> I have replaced the gmail username with user below.  So below is the
> mail log and my postconf -n
>
> Aug 23 11:25:55 suse104 postfix/smtpd[16378]: NOQUEUE: reject: RCPT
> from localhost[::1]: 554 5.7.1 : Relay access
> denied; from= to=
> proto=ESMTP helo=

Your machine and Postfix are capable of IPv6 and using it for
communication across loopback, but you have not configured postfix
to include localhost IPv6 in mynetworks.


Regards

Andreas





Re: Relay access denied, but I think it shouldn't be.

2009-08-23 Thread /dev/rob0
On Sunday 23 August 2009 14:57:00 Boyd Lynn Gerber wrote:
> Aug 23 11:25:55 suse104 postfix/smtpd[16378]: NOQUEUE: reject: RCPT from
> localhost[::1]: 554 5.7.1 : Relay access denied;

The IPv6 address for localhost is not in mynetworks. This client on
localhost is using IPv6 to connect.

> and here is the postconf -n

> inet_protocols = all

You could disable IPv6 if you're not using it, see
$html_directory/postconf.5.html#inet_protocols

> mynetworks = 166.70.62.0/28,198.60.105.0/24, 127.0.0.0/8

Or specify IPv6 networks here, or remove mynetworks and use:

> mynetworks_style = subnet

> smtpd_client_restrictions = permit_mynetworks,   check_client_access
> hash:/etc/postfix/access,   warn_if_reject reject_rbl_client
> bl.spamcop.net,   warn_if_reject reject_rbl_client sbl.spamhaus.org,
> warn_if_reject reject_rbl_client list.dsbl.org

See http://en.wikipedia.org/wiki/Distributed_Sender_Blackhole_List :
do not use DNSBLs with which you are not familiar. warn_if_reject is
good, for the most part, but DSBL is pinin' for the fjords.

> smtpd_helo_restrictions = permit_mynetworks,   check_helo_access
> hash:/etc/postfix/access,   warn_if_reject reject_invalid_hostname,
> warn_if_reject reject_non_fqdn_hostname,   warn_if_reject

You're using deprecated syntax for the reject_*_helo_hostname
restrictions. And why do you need all these stages? It will be easier
for you to understand and maintain if you merge them all into
smtpd_recipient_restrictions.

> reject_unauth_pipelining,   warn_if_reject reject_unauth_destination,

These are meaningless in smtpd_helo_restrictions.

> transport_maps = hash:/etc/postfix/transport

Why?

General comment: you have specified a lot of default parameters in
main.cf. Postfix is designed to require minimal configuration, with
many sane and well-reasoned default settings. Leave them alone?
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
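
A check for the diagnosis given in the replies above, as an added example that is not code from the thread: it parses a mynetworks value, including Postfix's `[addr]/len` IPv6 form, and counts relay denials for loopback clients that the list does not cover. The log excerpt is constructed in the format of the posted lines, and the function names are illustrative.

```python
"""Find relay denials for loopback clients that mynetworks does not cover."""
import ipaddress
import re

# Matches smtpd reject lines of the kind shown in the thread.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<name>[^\[\s]+)\[(?P<addr>[^\]]+)\]: "
    r"554 5\.7\.1 .*?Relay access denied")

# mynetworks value from the posted postconf -n output.
POSTED_MYNETWORKS = "166.70.62.0/28,198.60.105.0/24, 127.0.0.0/8"

# Constructed log excerpt: the mail addresses and the 203.0.113.5 client
# are made up for the example.
SAMPLE_LOG = """\
Aug 23 11:25:55 suse104 postfix/smtpd[16378]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 <user@example.com>: Relay access denied; from=<sender@example.org> to=<user@example.com> proto=ESMTP helo=<localhost>
Aug 23 12:02:10 suse104 postfix/smtpd[20011]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<x@example.org> to=<victim@example.net> proto=SMTP helo=<foo>
Aug 23 12:11:12 suse104 postfix/smtpd[21134]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 <user@example.com>: Relay access denied; from=<sender@example.org> to=<user@example.com> proto=ESMTP helo=<localhost>
Aug 23 13:06:14 suse104 postfix/smtp[25561]: 8C5B96C0B21: to=<user@example.com>, relay=mx.example.com[198.51.100.7]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""


def parse_mynetworks(value):
    """Parse literal network patterns; IPv6 uses Postfix's [addr]/len form."""
    networks = []
    for item in re.split(r"[,\s]+", value.strip()):
        literal = re.sub(r"^\[(.+)\]", r"\1", item)
        try:
            networks.append(ipaddress.ip_network(literal, strict=False))
        except ValueError:
            continue  # file names, type:table and "!" entries are not handled
    return networks


def covered(ip, networks):
    """True if the address object falls inside any listed network."""
    return any(ip.version == net.version and ip in net for net in networks)


def loopback_denials(log_text, mynetworks):
    """Count relay denials per loopback client address outside mynetworks."""
    networks = parse_mynetworks(mynetworks)
    counts = {}
    for match in REJECT_RE.finditer(log_text):
        try:
            ip = ipaddress.ip_address(match.group("addr"))
        except ValueError:
            continue
        if ip.is_loopback and not covered(ip, networks):
            counts[str(ip)] = counts.get(str(ip), 0) + 1
    return counts


if __name__ == "__main__":
    print("posted mynetworks:", loopback_denials(SAMPLE_LOG, POSTED_MYNETWORKS))
    print("with [::1]/128:   ",
          loopback_denials(SAMPLE_LOG, POSTED_MYNETWORKS + ", [::1]/128"))
```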


Re: rbl checks, best place + ipv6?

2009-08-23 Thread Mark Martinec
On Sunday August 23 2009 04:10:06 Dave Täht wrote:
> What I found after fighting with an exchange server that what seems to
> work best is assigning my first mx host to be ipv6 only, and my fallback
> to be a mx ipv6 and ipv4 host.

My choice is to have the first MX have both the IPv6 and IPv4 addresses,
but have a lower priority MX be IPv4-only. This way it should provide a
fallback connectivity even if some mailer which thinks it has an IPv6
connectivity but doesn't, then fails to walk through multiple records
of a multihomed host name. (even though RFC 5321 requires to try
at least two records).

  Mark


issues with postfix-ldap

2009-08-23 Thread Daniel Corbe
Hi,

I'm seeing the following errors in my syslog being generated by trivial-rewrite 
after a MAIL FROM: command hits my MTA.  I've been trying to enable LDAP 
lookups for my mail system without much success.  The error messages aren't 
very helpful (even with verbose logging turned on for the trivial-rewrite 
process).

I've run my query filter through ldapsearch and it returns data.  Further, I'm 
currently binding my rootdn so there should be no access restrictions on the 
LDAP side.  I'm not sure where to go from here.

Error:

Aug 23 15:48:41 apollo postfix/trivial-rewrite[3]: fatal: 
ldap:acceptdomains(0,lock|fold_fix): table lookup problem

Relevant LDAP bits from main.cf:

mydestination = $myhostname, localhost.$mydomain, localhost.localdomain, 
ldap:acceptdomains
acceptdomains_server_host = localhost
acceptdomains_server_port = 389
acceptdomains_bind = yes
acceptdomains_bind_dn = cn=Manager,dc=corbe,dc=net
acceptdomains_bind_pw = xx55ZZ
acceptdomains_search_base = dc=corbe,dc=net
acceptdomains_query_filter = (associatedDomain=*)
acceptdomains_result_attribute = associatedDomain

# ldapsearch -D 'cn=Manager,dc=corbe,dc=net' -x -W -b 'dc=corbe,dc=net' 
'(associatedDomain=*)'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (associatedDomain=*)
# requesting: ALL
#

# corbe.net
dn: dc=corbe,dc=net
objectClass: dcObject
objectClass: domainRelatedObject
objectClass: dNSDomain
o: Corbe Networks
dc: corbe
associatedDomain: corbe.net
associatedDomain: wavelen.net
associatedDomain: as.corbe.net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Any pointers here would be highly appreciated.

Thanks.

-Daniel



Relaying mail through remote server?

2009-08-23 Thread MySQL Student
Hi,

I have a user that travels frequently. We have been using
pop-before-smtp, and that's worked well. He now has a Verizon Air
card, and the IP changes faster than the popb4smtp db can keep up
with, so I had to add an entire /24 to mynetworks so he wouldn't have
a problem connecting.

He mentioned that it's now possible to use Outlook to connect to Gmail
and have Google send the mail for him, showing his address in the
"From" field:

http://gmailblog.blogspot.com/2009/07/send-mail-from-another-address-without.html

How can I duplicate this using postfix, and without the PITA that is
popb4smtp, so he doesn't have to leave our system, and doesn't think
we're a bunch of inept fools?

Thanks,
Alex


Re: Relay access denied, but I think it shouldn't be. (SOLVED)

2009-08-23 Thread Boyd Lynn Gerber

On Sun, 23 Aug 2009, lst_ho...@kwsoft.de wrote:

> Quoting Boyd Lynn Gerber:
>
>> I have a mental block and need another set of eyes to maybe spot it.
>> I have replaced the gmail username with user below.  So below is the mail
>> log and my postconf -n
>>
>> Aug 23 11:25:55 suse104 postfix/smtpd[16378]: NOQUEUE: reject: RCPT from
>> localhost[::1]: 554 5.7.1 : Relay access denied;
>> from= to= proto=ESMTP
>> helo=
>
> Your machine and Postfix are capable of IPv6 and using it for communication
> across loopback, but you have not configured postfix to include localhost
> IPv6 in mynetworks.

Thanks, adding the ipv6 localhost properly fixed the problem.

--
Boyd Gerber  801 849-0213
ZENEZ   1042 East Fort Union #135, Midvale Utah  84047


Re: Significant relay delays

2009-08-23 Thread MySQL Student
Hi,

> problem today. Mail was queuing up on one of our servers with exactly
> the same messages as what you had. In our case a perl script on the
> postfix server had gone crazy and started consuming all the memory and
> swap space on the machine. Once that was fixed, the errors cleared up
> and the mail queue emptied itself. HTH

I don't think it's a memory or lack of available CPU resources causing
this, as the server just routes mail, and is typically pretty idle.

I'd sure welcome some additional ideas to troubleshoot.

Thanks,
Alex


Re: Significant relay delays

2009-08-23 Thread MySQL Student
Hi,

>> I'm also pretty sure it's not a network issue. After passing
>> billions of packets there isn't a single error. I'm also pretty sure
>> DNS is configured properly.
>
> Have you checked the connection between postfix and the exchange
> machines? After some years, a cable can get bad, lousy, and the
> packets would not pass so reliably anymore. After moving a
> machine/wandering around a rack cabinet, one may have step on a cable
> and disconnect it or damage it.

I had them replace the network cable, to no avail.

How can I add some additional debugging, without overwhelming the
system, to troubleshoot this further? Is there a way to increase the
debugging info for messages in the queue, such as the last time an
attempt was made to deliver the message, or the timeline of what was
happening during the failed delivery attempt?

Thanks,
Alex


Re: Relaying mail through remote server?

2009-08-23 Thread Bill Weiss
MySQL Student(mysqlstud...@gmail.com)@Sun, Aug 23, 2009 at 07:50:39PM -0400:
> Hi,
> 
> I have a user that travels frequently. We have been using
> pop-before-smtp, and that's worked well. He now has a Verizon Air
> card, and the IP changes faster than the popb4smtp db can keep up
> with, so I had to add an entire /24 to mynetworks so he wouldn't have
> a problem connecting.
> 
> He mentioned that it's now possible to use Outlook to connect to Gmail
> and have Google send the mail for him, showing his address in the
> "From" field:
> 
> http://gmailblog.blogspot.com/2009/07/send-mail-from-another-address-without.html
> 
> How can I duplicate this using postfix, and without the PITA that is
> popb4smtp, so he doesn't have to leave our system, and doesn't think
> we're a bunch of inept fools?

You're looking for authenticated SMTP:
http://www.postfix.org/SASL_README.html

-- 
Bill Weiss
 


Re: Relaying mail through remote server?

2009-08-23 Thread LuKreme

On 23-Aug-2009, at 17:50, MySQL Student wrote:

> I have a user that travels frequently. We have been using
> pop-before-smtp, and that's worked well. He now has a Verizon Air
> card, and the IP changes faster than the popb4smtp db can keep up
> with, so I had to add an entire /24 to mynetworks so he wouldn't have
> a problem connecting.

Er... the day I do something like that to work around the asstards at
Verizon is the day someone needs to shoot me in the head.

> How can I duplicate this using postfix, and without the PITA that is
> popb4smtp, so he doesn't have to leave our system, and doesn't think
> we're a bunch of inept fools?


What is it exactly you want to duplicate? Gmail will simply allow you  
to enter a user name and password for sending via another mailserver.



Send through  SMTP servers (recommended for  
professional domains – Learn more)

SMTP Server:Port: [587]
Username: 
Password: 
[ ] Always use a secure connection (SSL) when sending mail

Postfix isn't involved in any way here.

--
What are you, Ghouls? There are no dead students here. This week.



Re: Relaying mail through remote server?

2009-08-23 Thread MySQL Student
Hi,

>> with, so I had to add an entire /24 to mynetworks so he wouldn't have
>> a problem connecting.
>
> Er... the day I do something like that to work around the asstards at
> Verizon is the day someone needs to shoot me in the head.

Yeah, not fun, but have to keep the customer

> What is it exactly you want to duplicate?

The ability for an authorized user to be able to use our mail server
without having to have an entry in mynetworks or use popb4smtp.

> Gmail will simply allow you to
> enter a user name and password for sending via another mailserver.
>
> Send through  SMTP servers (recommended for professional
> domains – Learn more)
> SMTP Server:      Port: [587]

What is the "submission" port? It doesn't have anything to do with
postfix or SASL?

> Username: 
> Password: 

Is this the POP password for the Gmail account?

Is there something that already exists, outside of Gmail, that I can
adapt to this system, in effect giving the customer the ability to
update their own "mynetworks", of sorts?

Thanks,
Alex


Re: issues with postfix-ldap

2009-08-23 Thread Daniel Corbe
Hi,

I did some digging around and I didn't get much further:

# postmap -q corbe.net ldap:acceptdomains
postmap: warning: dict_ldap_lookup: Search error 50: Insufficient access

It's almost as if postfix is simply ignoring the fact that I've asked it to 
bind a specific DN and is trying to bind anonymously anyways.

I'm at a loss as to how to fix it but it certainly seems as if it is a postfix 
problem and not an openldap one.

-Daniel

On Sun, Aug 23, 2009 at 03:55:43PM -0700, Daniel Corbe wrote:
> Hi,
> 
> I'm seeing the following errors in my syslog being generated by 
> trivial-rewrite after a MAIL FROM: command hits my MTA.  I've been trying to 
> enable LDAP lookups for my mail system without much success.  The error 
> messages aren't very helpful (even with verbose logging turned on for the 
> trivial-rewrite process).
> 
> I've run my query filter through ldapsearch and it returns data.  Further, 
> I'm currently binding my rootdn so there should be no access restrictions on 
> the LDAP side.  I'm not sure where to go from here.
> 
> Error:
> 
> Aug 23 15:48:41 apollo postfix/trivial-rewrite[3]: fatal: 
> ldap:acceptdomains(0,lock|fold_fix): table lookup problem
> 
> Relevant LDAP bits from main.cf:
> 
> mydestination = $myhostname, localhost.$mydomain, localhost.localdomain, 
> ldap:acceptdomains
> acceptdomains_server_host = localhost
> acceptdomains_server_port = 389
> acceptdomains_bind = yes
> acceptdomains_bind_dn = cn=Manager,dc=corbe,dc=net
> acceptdomains_bind_pw = xx55ZZ
> acceptdomains_search_base = dc=corbe,dc=net
> acceptdomains_query_filter = (associatedDomain=*)
> acceptdomains_result_attribute = associatedDomain
> 
> # ldapsearch -D 'cn=Manager,dc=corbe,dc=net' -x -W -b 'dc=corbe,dc=net' 
> '(associatedDomain=*)'
> Enter LDAP Password: 
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (associatedDomain=*)
> # requesting: ALL
> #
> 
> # corbe.net
> dn: dc=corbe,dc=net
> objectClass: dcObject
> objectClass: domainRelatedObject
> objectClass: dNSDomain
> o: Corbe Networks
> dc: corbe
> associatedDomain: corbe.net
> associatedDomain: wavelen.net
> associatedDomain: as.corbe.net
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> Any pointers here would be highly appreciated.
> 
> Thanks.
> 
> -Daniel
> 


Re: Significant relay delays

2009-08-23 Thread Noel Jones

On 8/23/2009 7:01 PM, MySQL Student wrote:

Hi,


I'm also pretty sure it's not a network issue. After passing
billions of packets there isn't a single error. I'm also pretty sure
DNS is configured properly.


Have you checked the connection between postfix and the exchange
machines? After some years, a cable can get bad, lousy, and the
packets would not pass so reliably anymore. After moving a
machine/wandering around a rack cabinet, one may have stepped on a cable
and disconnect it or damage it.


I had them replace the network cable, to no avail.

How can I add some additional debugging, without overwhelming the
system, to troubleshoot this further? Is there a way to increase the
debugging info for messages in the queue, such as the last time an
attempt was made to deliver the message, or the timeline of what was
happening during the failed delivery attempt?

Thanks,
Alex


All the information you need is likely already in the logs.

You can make the logs a little easier to read by marking 
different services with different names.  This is particularly 
handy if you have multiple instances, but it can also be 
helpful to label the after content_filter smtpd.

http://www.postfix.org/postconf.5.html#syslog_name

Here's some pointers on what to look for in the log:
http://www.postfix.org/QSHAPE_README.html
these may be helpful also:
http://www.postfix.org/DEBUG_README.html
http://www.postfix.org/TUNING_README.html


  -- Noel Jones


Re: Relaying mail through remote server?

2009-08-23 Thread Noel Jones

On 8/23/2009 7:51 PM, MySQL Student wrote:

Hi,


with, so I had to add an entire /24 to mynetworks so he wouldn't have
a problem connecting.


Er... the day I do something like that to work around the asstards at
Verizon is the day someone needs to shoot me in the head.


Yeah, not fun, but have to keep the customer


What is it exactly you want to duplicate?


The ability for an authorized user to be able to use our mail server
without having to have an entry in mynetworks or use popb4smtp.


Gmail will simply allow you to
enter a user name and password for sending via another mailserver.

Send through  SMTP servers (recommended for professional
domains – Learn more)
SMTP Server:   Port: [587]


What is the "submission" port? It doesn't have anything to do with
postfix or SASL?


postfix running on the submission port.   You need to 
configure your postfix for SMTP AUTH (SASL) and also configure 
postfix to listen on the submission port.





Username:
Password:


Is this the POP password for the Gmail account?

Is there something that already exists, outside of Gmail, that I can
adapt to this system, in effect giving the customer the ability to
update their own "mynetworks", of sorts?



This has nothing (directly) to do with gmail.  You configure 
your postfix for SASL, then your client can use your postfix 
to relay mail using their password.  Generally the password is 
from the same backend that runs your POP/IMAP server.


Postfix must be compiled with SASL support; if you install 
from a vendor-supplied package you may already have SASL or 
can get it by installing a different package.


Get started here:
http://www.postfix.org/SASL_README.html

  -- Noel Jones
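
The setup described in the reply above, as an added example that is not part of the original post: a submission listener on port 587 that relays only for SASL-authenticated clients, so no customer address range has to be added to mynetworks. It assumes Dovecot is the SASL backend and already exposes its auth socket at private/auth; the certificate paths are placeholders.

```cfg
# Added example, not from the thread. Assumes Dovecot provides SASL
# (the same backend as POP/IMAP); certificate paths are placeholders.

# --- /etc/postfix/master.cf: listen on the submission port (587) ---
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# --- /etc/postfix/main.cf ---
# Check SASL support first: `postconf -a` must list the type used here.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Refuse anonymous mechanisms; offer AUTH only after STARTTLS.
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/example-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/example-key.pem

# Relay for authenticated users; no customer /24 in mynetworks.
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

The syslog_name override labels this listener's log lines separately from port 25, which makes failed or unexpected AUTH attempts easy to pick out.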



Re: Relaying mail through remote server?

2009-08-23 Thread MySQL Student
Hi,

>> What is the "submission" port? It doesn't have anything to do with
>> postfix or SASL?
>
> postfix running on the submission port.   You need to configure your postfix
> for SMTP AUTH (SASL) and also configure postfix to listen on the submission
> port.

Ah, got it, thanks so much.

Best regards,
Alex


Re: Country IP block list

2009-08-23 Thread Olivier Nicole
Hi,

> Could someone provide links to sites where IP addresses are grouped by
> country?  ASNs would work too but would prefer IP lists that I could put in a
> file that my postfix mail gateway could read.  Obvious countries like China
> and Brazil I would like to block wholesale.

As mentioned earlier, blocking by country is pretty ineffective, as
you will end up blocking some legitimate mail.

The countries you've mentioned are not the originators of spam, but
only the relay. If you want to block the biggest originator of spam,
you should consider blocking USA... Which is obviously not possible.

What will you reply to your user visiting one of these blocked
countries, when they complain they cannot write back home?

Bests,

Olivier