Re: (OT!) Clearing Spam Folders

[Justin C. Le Grice]

Michael Orlitzky wrote:

Justin C. Le Grice wrote:

Barney Desmond wrote:

2009/8/24 Justin C. Le Grice :
  


Ideally, the script would find all subdirectories of /var/vmail 
containing the string "Maildir/.Spam/" and then delete the messages in 
those directories which are older than 365 days. But it's buggy.


First of all, if you copy-and-pasted the code exactly, the apostrophes 
around the sed command most likely did not come through, nor did the 
quotes around grep's argument. That page uses HTML entities for angled 
quotes, rather than plain ASCII ones. Fortunately, sed and grep will 
crash, rather than, say, passing all of your files to the "rm" command.


Second, it's grepping for a path containing "Maildir/.Spam/" and then 
trying to delete within that path. Try running "find" somewhere on 
your machine. Do the directories end with slashes? Not here, they 
don't. So, the script doesn't even empty the .Spam folder. It /almost/ 
empties the subdirectories of the .Spam folder, but the author is 
missing two front slashes in his find commands. For example, given the 
following directory structure,


  $ ls /var/vmail/example.com/user/Maildir/.Spam/
  drwxr-xr-x 2 mjo mjo 4.0K 2009-08-25 00:32 old-spam
  -rw-r--r-- 1 mjo mjo0 2009-08-25 00:32 test.msg

The script will try to execute the (truncated) commands:

  find /var/vmail/example.com/user/Maildir/.Spam/old-spamnew/ ...
  find /var/vmail/example.com/user/Maildir/.Spam/old-spamcur/ ...

which are clearly incorrect.

Third, if you followed the workaround.org tutorial, you don't even 
have .Spam folders, you have .spam folders, and the case of the 's' 
matters.


You don't want to run a script like this (as root!) without knowing 
what it does. One misplaced front slash or period could cause you to 
erase the entire filesystem. You can cause similar damage with cron if 
you just follow some stranger's advice without making sure you 
understand what you're doing.


Finally, the workaround.org tutorial involves Dovecot, which already 
has a plugin to do exactly what you want:


  http://wiki.dovecot.org/Plugins/Expire

The setup is a little painful, but it's The Right Way To Do It. Help 
can be found on the Dovecot mailing list. And please, forget 
everything you read on that script's website.


Thank you very much Michael.

This is most helpful and to paraphrase you "Use the right tool for the 
job". Which was why I posted the message initially.


Now off to find Dovecot mailing list join instructions and read about 
Expire.


Cheers.

Re: (OT!) Clearing Spam Folders

[Michael Orlitzky]

Justin C. Le Grice wrote:

Barney Desmond wrote:

2009/8/24 Justin C. Le Grice :
  

I am new to the world of postfix. I have managed to successfully implement
Postfix etc using workaround.org's excellent guide.

My current item on the wish list is how to sweep items from the users Spam
folders after a defined number of days.



This is the Postfix list, Postfix is only an MTA. It does not deal
with serving mailboxes. That said...

  

I have located this script from http://moze.koze.net/?p=161




  

My guess as to what this does is the following



You really don't want to be guessing here - it could wipe out your
system for all you know. The script should have documentation. If not,
you need to learn up on shell scripting.

  

1. Find any occurances of .Spam directory under /var/vmail

2. for each .Spam directory found, locate and delete any items found in new
and cur directories over 365 days old.

Am I correct here?



That sounds about right.

  

If so what do I do with this script



You run it, however you want.

  

and how do I use it in a weekly cron
job?



Put it in a weekly cronjob.


I don't mean to come off as rude, but these aren't really good
questions, relevant or otherwise.
  

Gee Barney that was really friendly, NOT!

If you had read what I was asking you should have worked out that I am 
looking for a solution for a particular issue I wish to resolve. I was 
trying to understand how this one worked. I have not implemented it 
because I was not 100% how it worked, nor how to tweak it to suit my needs.


As I also said I am new to Postfix, and also Linux so am gingerly 
feeling my way through setting up this mail server. I posed my question 
here because I was sure the friendly (now I'm not so sure) folks here 
would have come across this particular problem and would have a solution.


Cheers


Ideally, the script would find all subdirectories of /var/vmail 
containing the string "Maildir/.Spam/" and then delete the messages in 
those directories which are older than 365 days. But it's buggy.


First of all, if you copy-and-pasted the code exactly, the apostrophes 
around the sed command most likely did not come through, nor did the 
quotes around grep's argument. That page uses HTML entities for angled 
quotes, rather than plain ASCII ones. Fortunately, sed and grep will 
crash, rather than, say, passing all of your files to the "rm" command.


Second, it's grepping for a path containing "Maildir/.Spam/" and then 
trying to delete within that path. Try running "find" somewhere on your 
machine. Do the directories end with slashes? Not here, they don't. So, 
the script doesn't even empty the .Spam folder. It /almost/ empties the 
subdirectories of the .Spam folder, but the author is missing two front 
slashes in his find commands. For example, given the following directory 
structure,


  $ ls /var/vmail/example.com/user/Maildir/.Spam/
  drwxr-xr-x 2 mjo mjo 4.0K 2009-08-25 00:32 old-spam
  -rw-r--r-- 1 mjo mjo0 2009-08-25 00:32 test.msg

The script will try to execute the (truncated) commands:

  find /var/vmail/example.com/user/Maildir/.Spam/old-spamnew/ ...
  find /var/vmail/example.com/user/Maildir/.Spam/old-spamcur/ ...

which are clearly incorrect.

Third, if you followed the workaround.org tutorial, you don't even have 
.Spam folders, you have .spam folders, and the case of the 's' matters.


You don't want to run a script like this (as root!) without knowing what 
it does. One misplaced front slash or period could cause you to erase 
the entire filesystem. You can cause similar damage with cron if you 
just follow some stranger's advice without making sure you understand 
what you're doing.


Finally, the workaround.org tutorial involves Dovecot, which already has 
a plugin to do exactly what you want:


  http://wiki.dovecot.org/Plugins/Expire

The setup is a little painful, but it's The Right Way To Do It. Help can 
be found on the Dovecot mailing list. And please, forget everything you 
read on that script's website.

Re: (OT!) Clearing Spam Folders

[Sahil Tandon]

On Tue, 25 Aug 2009, Justin C. Le Grice wrote:

> Barney Desmond wrote:

[...]

>>> and how do I use it in a weekly cron
>>> job?
>>> 
>>
>> Put it in a weekly cronjob.
>>
>> I don't mean to come off as rude, but these aren't really good
>> questions, relevant or otherwise.
>>   
> Gee Barney that was really friendly, NOT!

He was being gentle; your ire is misplaced.

> If you had read what I was asking you should have worked out that I am  
> looking for a solution for a particular issue I wish to resolve. I was  
> trying to understand how this one worked. I have not implemented it  
> because I was not 100% how it worked, nor how to tweak it to suit my 
> needs.
>
> As I also said I am new to Postfix, and also Linux so am gingerly  
> feeling my way through setting up this mail server. I posed my question  
> here because I was sure the friendly (now I'm not so sure) folks here  
> would have come across this particular problem and would have a solution.

This is not the right mailing list for your general Linux/UNIX questions.
See: http://www.catb.org/~esr/faqs/smart-questions.html, especially the
section titled "Choose your forum carefully".

-- 
Sahil Tandon 

Re: (OT!) Clearing Spam Folders

[Justin C. Le Grice]

Barney Desmond wrote:

2009/8/24 Justin C. Le Grice :
  

I am new to the world of postfix. I have managed to successfully implement
Postfix etc using workaround.org's excellent guide.

My current item on the wish list is how to sweep items from the users Spam
folders after a defined number of days.



This is the Postfix list, Postfix is only an MTA. It does not deal
with serving mailboxes. That said...

  

I have located this script from http://moze.koze.net/?p=161




  

My guess as to what this does is the following



You really don't want to be guessing here - it could wipe out your
system for all you know. The script should have documentation. If not,
you need to learn up on shell scripting.

  

1. Find any occurances of .Spam directory under /var/vmail

2. for each .Spam directory found, locate and delete any items found in new
and cur directories over 365 days old.

Am I correct here?



That sounds about right.

  

If so what do I do with this script



You run it, however you want.

  

and how do I use it in a weekly cron
job?



Put it in a weekly cronjob.


I don't mean to come off as rude, but these aren't really good
questions, relevant or otherwise.
  

Gee Barney that was really friendly, NOT!

If you had read what I was asking you should have worked out that I am 
looking for a solution for a particular issue I wish to resolve. I was 
trying to understand how this one worked. I have not implemented it 
because I was not 100% how it worked, nor how to tweak it to suit my needs.


As I also said I am new to Postfix, and also Linux so am gingerly 
feeling my way through setting up this mail server. I posed my question 
here because I was sure the friendly (now I'm not so sure) folks here 
would have come across this particular problem and would have a solution.


Cheers

Re: unknown identities

[Sahil Tandon]

On Mon, 24 Aug 2009, Oscar m Cruz wrote:

> as soon as possible i need to block all kind of messages coming from an
> unkown account inside my server, its mean something as taking some unknown
> identities from my domain
> 
> for instance: unknownacco...@mydomain.com -> to m...@mydomain.comhapping
> with most of the mail account

See http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

-- 
Sahil Tandon 

unknown identities

[Oscar m Cruz]

Hi list

as soon as possible i need to block all kind of messages coming from an
unkown account inside my server, its mean something as taking some unknown
identities from my domain

for instance: unknownacco...@mydomain.com -> to m...@mydomain.comhapping
with most of the mail account

here the output of my postconf -n

alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
best_mx_transport = local
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = mysql:/etc/postfix/mysql-mydestination.cf
myhostname = mydomain
mynetworks = 11./11.22/333
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
receive_override_options = no_address_mappings
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
bl.spamcop.net, reject_rbl_client sbl.spamhaus.org
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf



Regards !

Re: Block email based on recipient address

[mouss]

Gejo Paul a écrit :
> Hi,
> 
> My postfix version is postfix-2.3.3-2
> main.cf 
> smtpd_recipient_restrictions = check_sender_access ldap:ldapcond,

don't do this. don't use a check_sender_access before
reject_unauth_destination. put this check under
smtpd_sender_restrictions instead.


>permit_mynetworks,
> permit_sasl_authenticated,reject_unknown_sender_domain, reject
> smtpd_restriction_classes=default
> default = check_recipient_access hash:/etc/postfix/broadcast/default
> 
> 
>   Edit /etc/postfix/broadcast/default
> gejop...@yahoo.com   REJECT
> redhat.com    REJECT
> *gmail.com DISCARD
> 
> *2)#cd /etc/postfix/broadcast
> 3 #postmap default
> 
> Normally this will reject with a warning on the screen to while send a
> mail to   gejop...@yahoo.com .But it is not happening.
> 

only if a check that really occurs returns "default" (which is a really
bad name. use something like "policy_default" instead...)

> 
> Is it a  postfix version problem. Expecting your valuable help.
> 

you'll need to prove that mail should have hit the check you're talking
about...

Re: Blocking mail "from me to me"

[mouss]

LuKreme a écrit :
> On 24-Aug-2009, at 08:28, Daniel L'Hommedieu wrote:
>> The one bit of spam I'd like to stop, and I seem to remember seeing
>> talk of it at some point (but I've been unable to find it again) is
>> the spam appears to be "from me to me."  That is, the spammers who use
>> my email address as the from address.  Those emails get past the relay
>> and auth checks because the mail is not being relayed.  If I could
>> stop that spam, it would probably kill 100% of my spam.
> 
> The best way to deal with 'from me to me spam' in my opinion is to
> implement SPF, then you can either reject SPF-fail, or hand mail to Spam
> Assassin and score SPF fail up. That is, unless you are REALLY sure that
> no one on your domain will ever send mail to themselves.
> 
> 

If you ever want to block this, there is absolutely no reason to check
dns. you know what domains are yours so you can simply use an access list:

check_sender_access hash:/etc/postfix/mydomain

== mydomain
example.com REJECT you cannot send on behalf of example.com
.example.comREJECT you cannot send on behalf of example.com

please do not advocate SPF on this list. check the archives and you'll
see that it is taboo here.

Settings for restrictive mail server

[Michael Saldivar]

I need some ideas for implementing this uber-restrictive mailserver at my
company.

Some background: CEO doesn't want to buy Exchange. We have basically 3 user
groups: agents, their team leads, and corporate (execs, etc).

The goal is: Execs don't want agents to e-mail each other or anyone outside
the company. Agents are also prohibited from receiving e-mail from anyone
outside the company. Agents can only e-mail people in the company who are
not agents. Summary: agents can only send mail to and receive from their
leads or corporate.

Non-agents are on Google Apps (GA). We have 3 GA domains (ex: cc.com,
dfs.com, acr.com), depending on which corporate identity the corporate
employee uses.  Agents are allowed to send to and receive from anyone on the
GA domains; they just can't e-mail each other on their local Postfix server.
 Agents' e-mail will be on agents.cc.com.

I looked at Zimbra, which is built on Postfix, and would work great if it
could be configured restrictively - then we could get rid of Outloook, too.

Any tips? I'm reading Postfix documentation to see if its directives can do
this. There's only 60 agents and 35 non-agents, so having to manually
maintain access lists isn't a huge deal, but if I could build it so that
smtpd_recipient_restrictions and standard RELAY restrictions could control
it, that'd be fabulous.

I'm currently on this page of the wiki, trying to understand how to apply it
to this problem.
http://postfix.wiki.xs4all.nl/index.php?title=Client_sender_recipient_restrictions

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/restricted_clients, permit_mynetworks, permit
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains_to,
reject

#/etc/postfix/restricted_clients
#Add the list of IP addresses which cannot send emails to each other
10.5   local_only  # would this apply to the entire 10.5.x.x network?  or
should I use
10.5.10.11 local_only
10.5.10.12 local_only

# /etc/postfix/local_domains_to
# Insert the list of domains that every user can send emails to
cc.com   OK
dfs.com   OK
acr.com OK
agents.cc.com DENY # to deny e-mail from the agents to the agents

Any tips?

Thanks,
-Mike

Re: issues with postfix-ldap

[Victor Duchovni]

On Sun, Aug 23, 2009 at 03:55:43PM -0700, Daniel Corbe wrote:

> acceptdomains_server_host = localhost
> acceptdomains_server_port = 389
> acceptdomains_bind = yes
> acceptdomains_bind_dn = cn=Manager,dc=corbe,dc=net
> acceptdomains_bind_pw = xx55ZZ
> acceptdomains_search_base = dc=corbe,dc=net
> acceptdomains_query_filter = (associatedDomain=*)
> acceptdomains_result_attribute = associatedDomain

This is almost certainly the wrong query filter. Try associatedDomain=%s
or something similar.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: log check_client_access

[Martijn de Munnik]

On Aug 24, 2009, at 8:31 PM, Martijn de Munnik wrote:



On Aug 24, 2009, at 7:57 PM, /dev/rob0 wrote:


On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote:

How can I write a message to syslog when a check_client_access
rule matches?


See the WARN result. If you mean that you want to log and to trigger
some other action, do note that REJECT and DEFER results are logged
anyway. If you're wanting to log an accept action, you could make a
multiple result using a restriction class:
  http://www.postfix.org/RESTRICTION_CLASS_README.html
  http://www.postfix.org/postconf.5.html#smtpd_restriction_classes


Could someone please provide an example, this is a little bit too  
technical for me ;)


smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unverified_recipient,
  reject_unauth_destination,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_rbl_client virbl.dnsbl.bit.nl,
  check_policy_service inet:127.0.0.1:12525,
  check_client_access cidr:/opt/csw/etc/postfix/postfix-dnswl-permit,
  check_policy_service inet:127.0.0.1:10023



I want to log the accept action from the check_client_access rule so I  
can use the whitelist hits in stats.






(Technically I think restriction classes are not necessary for this;
similar results could be had from simply defining a restriction as a
variable in main.cf.)
--
  Offlist mail to this address is discarded unless
  "/dev/rob0" or "not-spam" is in Subject: header

Re: Maximum lines for relay_recipient_maps

[Noel Jones]

Jonah Simandjuntak wrote:

Hello,

I've searched the available archives regarding the subject line above and 
couldn't find an answer.

Is there a maximum line that the relay_recipient_maps (or in my case inside the 
relay_recipients file) can contain? Here is the line: relay_recipient_maps = 
dbm:/etc/postfix/domain/relay_recipients

Any real life sample on what is the number of lines in the relay_recipients 
file before starting to see system performance degradation (if any)?

Thanks,

--Jonah


Postfix has no built-in limits on file sizes.

With dbm: type, likely hundreds of thousands of entries before 
lookups are affected, although rebuilding the file might be 
kinda slow.  The hash: or btree: type will probably perform 
somewhat better if they are available on your platform.


For larger numbers, cdb: scales well to millions of entries. 
Consider building postfix with cdb: support if you need large, 
fast tables. http://www.postfix.org/CDB_README.html


Many people prefer to use *sql or LDAP when they get past a 
couple thousand entries simply for ease of maintenance.


  -- Noel Jones

Re: Blocking mail "from me to me" (was: Country IP block list)

[LuKreme]

On 24-Aug-2009, at 08:28, Daniel L'Hommedieu wrote:
The one bit of spam I'd like to stop, and I seem to remember seeing  
talk of it at some point (but I've been unable to find it again) is  
the spam appears to be "from me to me."  That is, the spammers who  
use my email address as the from address.  Those emails get past the  
relay and auth checks because the mail is not being relayed.  If I  
could stop that spam, it would probably kill 100% of my spam.


The best way to deal with 'from me to me spam' in my opinion is to  
implement SPF, then you can either reject SPF-fail, or hand mail to  
Spam Assassin and score SPF fail up. That is, unless you are REALLY  
sure that no one on your domain will ever send mail to themselves.



--
Space Directive 723: Terraformers are expressly forbidden
from recreating Swindon.

Maximum lines for relay_recipient_maps

[Jonah Simandjuntak]

Hello,

I've searched the available archives regarding the subject line above and 
couldn't find an answer.

Is there a maximum line that the relay_recipient_maps (or in my case inside the 
relay_recipients file) can contain? Here is the line: relay_recipient_maps = 
dbm:/etc/postfix/domain/relay_recipients

Any real life sample on what is the number of lines in the relay_recipients 
file before starting to see system performance degradation (if any)?

Thanks,

--Jonah


pgpxqgsNClTaA.pgp
Description: PGP signature

Re: log check_client_access

[Martijn de Munnik]

On Aug 24, 2009, at 7:57 PM, /dev/rob0 wrote:


On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote:

How can I write a message to syslog when a check_client_access
rule matches?


See the WARN result. If you mean that you want to log and to trigger
some other action, do note that REJECT and DEFER results are logged
anyway. If you're wanting to log an accept action, you could make a
multiple result using a restriction class:
   http://www.postfix.org/RESTRICTION_CLASS_README.html
   http://www.postfix.org/postconf.5.html#smtpd_restriction_classes


Could someone please provide an example, this is a little bit too  
technical for me ;)


smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_recipient,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   reject_unverified_recipient,
   reject_unauth_destination,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_rbl_client virbl.dnsbl.bit.nl,
   check_policy_service inet:127.0.0.1:12525,
   check_client_access cidr:/opt/csw/etc/postfix/postfix-dnswl-permit,
   check_policy_service inet:127.0.0.1:10023




(Technically I think restriction classes are not necessary for this;
similar results could be had from simply defining a restriction as a
variable in main.cf.)
--
   Offlist mail to this address is discarded unless
   "/dev/rob0" or "not-spam" is in Subject: header

Re: Non deterministic usage of STARTTLS

[Noel Jones]

Julien Vehent wrote:



Wietse Venema wrote:

Noel Jones:

--
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the 
server-side

TLS engine


This is logged ONCE when a postfix/smtpd process starts up.

Then, it handles one or more SMTP clients.

So, 'initializing the server-side TLS engine' is logged only before
the FIRST SMTP client that is handled by the SMTP server process.

Wietse


OK, thanks to both of you. It explains why I wasn't seeing this line at 
every connection.


But when I more smtpd_tls_loglevel to "1", I don't see any information 
regarding the TLS connection.
I tried to do the opposite and moved it to "4" and there I see the 
following:


Leave the log level at 1.

a sample sequence at log level 1:

Aug 24 06:25:43 mgate2 postfix/smtpd[52067]: connect from 
mxsb6.state.tn.us[170.143.36.97]
Aug 24 06:25:43 mgate2 postfix/smtpd[52067]: setting up TLS 
connection from mxsb6.state.tn.us[170.143.36.97]
Aug 24 06:25:43 mgate2 postfix/smtpd[52067]: Anonymous TLS 
connection established from mxsb6.state.tn.us[170.143.36.97]: TLS

v1 with cipher DHE-RSA-AES256-SHA (256/256 bits)



It's a good idea to connect to your box from the outside to 
make sure it's really advertising STARTTLS after EHLO because 
some firewalls may disable the STARTTLS command.


  -- Noel Jones

Re: issues with postfix-ldap

[Daniel Corbe]

Issues with the depreciated config aside I figured out what the issue was.

Burried deep inside the ldap_table(5) man page was my answer: for whatever 
reason postfix defaults to LDAPv2 instead of LDAPv3.  The configuration 
examples with the newer versions of OpenLDAP try to gently discourage use of 
LDAPv2, IE the bind was not succeeding.  I did some quick debugging with slapd 
to verify and added version=3 to my main.cf config bits and it worked like a 
charm.

Thanks for the help though.

-Daniel

On Mon, Aug 24, 2009 at 10:00:49AM -0400, Brian Evans - Postfix List wrote:
> Daniel Corbe wrote:
> > Hi,
> >
> > I'm seeing the following errors in my syslog being generated by 
> > trivial-rewrite after a MAIL FROM: command hits my MTA.  I've been trying 
> > to enable LDAP lookups for my mail system without much success.  The error 
> > messages aren't very helpful (even with verbose logging turned on for the 
> > trivial-rewrite process).
> >
> > I've run my query filter through ldapsearch and it returns data.  Further, 
> > I'm currently binding my rootdn so there should be no access restrictions 
> > on the LDAP side.  I'm not sure where to go from here.
> >
> > Error:
> >
> > Aug 23 15:48:41 apollo postfix/trivial-rewrite[3]: fatal: 
> > ldap:acceptdomains(0,lock|fold_fix): table lookup problem
> >
> > Relevant LDAP bits from main.cf:
> >
> > mydestination = $myhostname, localhost.$mydomain, localhost.localdomain, 
> > ldap:acceptdomains
> > acceptdomains_server_host = localhost
> > acceptdomains_server_port = 389
> > acceptdomains_bind = yes
> > acceptdomains_bind_dn = cn=Manager,dc=corbe,dc=net
> > acceptdomains_bind_pw = xx55ZZ
> > acceptdomains_search_base = dc=corbe,dc=net
> > acceptdomains_query_filter = (associatedDomain=*)
> > acceptdomains_result_attribute = associatedDomain
> >   
> You are using the depreciated form of an LDAP lookup. (Pre Postfix-2.1)
> 
> I would first suggest moving the lookup to it's own file.
> Then, "postmap -q" works properly to search and may give a different error.
> 
> Please see the following for more info.
> http://www.postfix.org/LDAP_README.html
> http://www.postfix.org/ldap_table.5.html
> 

Re: log check_client_access

[/dev/rob0]

On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote:
> How can I write a message to syslog when a check_client_access
> rule matches?

See the WARN result. If you mean that you want to log and to trigger
some other action, do note that REJECT and DEFER results are logged
anyway. If you're wanting to log an accept action, you could make a
multiple result using a restriction class:
http://www.postfix.org/RESTRICTION_CLASS_README.html
http://www.postfix.org/postconf.5.html#smtpd_restriction_classes

(Technically I think restriction classes are not necessary for this;
similar results could be had from simply defining a restriction as a
variable in main.cf.)
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

Re: Reg:Virtual Aliases forwarding

[Priyanka Tyagi]

Thanks for reply, Benny.
Just to better explain my problem:
Assume, all domains in example : d1.com, d2.com and d3.com have SPF record
setup to Pass.

I have virtual_alias setup like this: "u...@d2.com > u...@d3.com".

When I send email from u...@d1.com to u...@d2.com. It passes SPF with
this message: "Received-SPF: pass (d1.com: IP of d1.com is authorized
to use 'u...@d1.com'; envelope-from="u...@d1.com";"  (I have
reduced/edited message for brevity)

Now, when I send email from u...@d1.com to u...@d3.com. It doesn't
recognize SPF with this message: "Received-SPF: neutral (d3.com:IP of
d2.com is neither permitted nor denied by domain of u...@d1.com)
client-ip=IP of d2.com;"

The problem is, d3.com is checking for d1.com's SPF record, as d1.com
is as envelope-sender after virtual alias forwarding. Because message
is forwarding thru d2.com, so its looking at d2.com's IP address. As a
result, its trying to look for d1.com's SPF record for wrong IP and
does't recognize valid SPF record and fails to "neutral" status.

I believe, if I could add envelope-sender as u...@d2.com, then IP and
domain would match. While I was reading Postfix manual, I read about
canonical(5), that can re-write envelope-from. I didn't get how it
does that. Can anyone help in understanding how canonical_classes can
re-write 'envelope-from' without changing the actual message. I have
virtual hosted domains and want more than one domain supporting this.

Thanks for taking time in reading and understanding my problem.

-Priyanka


On Sun, Aug 23, 2009 at 4:31 AM, Benny Pedersen  wrote:

> On Sat 22 Aug 2009 12:57:27 AM CEST, Priyanka Tyagi wrote
>
>> I have set up SPF record for 'mydomain.com' and passes SPF, in case
>> email originates from my postfix server. But SPF verification fails while
>> it
>> forwards email using virtual aliases.
>>
>
> why forward emails at all ?
>
> anyway 2 ways to solve it:
>
> 1: whitelist your mail server ip in the final recipient mta so spf there is
> ignore for being forged
>
> 2: add your ip to the spf record, so final recipient see you as a valid
> forwarder
>
> remember to do this for all forwarded sender envelope domains
>
> my point is that its simplier to not forward
>
> --
> xpoint
>
>

log check_client_access

[Martijn de Munnik]

Hi,

How can I write a message to syslog when a check_client_access rule  
matches?


thanks,
Martijn

Re: Non deterministic usage of STARTTLS

[Julien Vehent]

Wietse Venema wrote:

Noel Jones:

--
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the server-side
TLS engine


This is logged ONCE when a postfix/smtpd process starts up.

Then, it handles one or more SMTP clients.

So, 'initializing the server-side TLS engine' is logged only before
the FIRST SMTP client that is handled by the SMTP server process.

Wietse


OK, thanks to both of you. It explains why I wasn't seeing this line at 
every connection.


But when I more smtpd_tls_loglevel to "1", I don't see any information 
regarding the TLS connection.
I tried to do the opposite and moved it to "4" and there I see the 
following:

--
Aug 24 19:37:21 zerhuel postfix/smtpd[5865]: initializing the 
server-side TLS engine
Aug 24 19:37:21 zerhuel postfix/tlsmgr[5866]: open smtpd TLS cache 
btree:/var/lib/postfix/smtpd_tls_session_cache
Aug 24 19:37:21 zerhuel postfix/tlsmgr[5866]: tlsmgr_cache_run_event: 
start TLS smtpd session cache cleanup
Aug 24 19:37:21 zerhuel postfix/smtpd[5865]: connect from 
mail-gx0-f213.google.com[209.85.217.213]

--

Am I missing something or with 'smtpd_tls_loglevel=1' there is no way to 
now if a message has been delivered using TLS or not.


Julien


smime.p7s
Description: S/MIME Cryptographic Signature

Re: Mail Box

[Benny Pedersen]

On Mon 24 Aug 2009 05:53:38 PM CEST, Mihira Fernando wrote

How does roundcube compare with exchange outlook web access?

As a webmail client, its pretty good. Follows some traits as the Gmail
web interface. However it does not have all the bells and whistles
Exchange has.


exchange have not sieve :=)

well i like horde aswell as roundcube, 2 perfect webmails beside squirrelmail


--
xpoint

Re: Non deterministic usage of STARTTLS

[Wietse Venema]

Noel Jones:
> > --
> > Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the server-side
> > TLS engine

This is logged ONCE when a postfix/smtpd process starts up.

Then, it handles one or more SMTP clients.

So, 'initializing the server-side TLS engine' is logged only before
the FIRST SMTP client that is handled by the SMTP server process.

Wietse

Re: Non deterministic usage of STARTTLS

[Noel Jones]

Julien Vehent wrote:

That message does not indicate a TLS connection.  Try using
smtpd_tls_loglevel = 1
for a clear indication of when TLS is in use without the noise.

   -- Noel Jones


OK, I did. I will look more closely at the logs to check that again.

But, what does this message indicates if not a TLS connection ?

Thanks,
Julien



You get that message whenever a new smtpd process starts.  It 
means roughly, "the smtpd process startup has completed and 
the TLS portion of the code is ready".  This happens before 
any client connects.  This message is only logged at 
smtpd_tls_loglevel 2 or greater, since it's not particularly 
important or interesting on a working server.


smtpd processes start up as needed, then hang around until 
they have handled $max_use connections (default 100), or been 
left alone for $max_idle time (default 100s).



  -- Noel Jones

Re: issues with postfix-ldap

[Charles Marcus]

On 8/24/2009, Brian Evans - Postfix List (grkni...@scent-team.com) wrote:
> You are using the depreciated form of an LDAP lookup.

Pet-peeve:

The word is 'deprecated', not 'depreciated'...


-- 

Best regards,

Charles

Re: Non deterministic usage of STARTTLS

[Julien Vehent]

On Mon, 24 Aug 2009 10:33:31 -0500, Noel Jones 
wrote:
> On 8/24/2009 9:51 AM, Julien Vehent wrote:
>> Hello guys,
>>
>> This is my first email on the list, so I hope it doesn't break any rule
>> :)
>>
>> I've been playing around with my postfix logs to evaluate the
percentage
>> of MTA that are using STARTTLS when sending me emails.
>>
>> The result is pretty interesting, because some MTA are using TLS, but
not
>> all the time. It appears that the MTA will start the TLS connection
once
>> in
>> a while, and the rest of the time it won't (the opposite works too ;)
).
>>
>> I suppose it's just me who is not understanding something properly...
>> sorry for the noise, but if somebody could explain :)
>>
>>
>> Here is an example with a mailing list server:
>>
>> First log:
>> --
>> Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the
server-side
>> TLS engine
>> Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: connect from
>> [1.2.3.4]
>> --
>>
>> We clearly see the initialization of the TLS connection. But the day
>> before, the log was different :
>>
>> --
>> Aug 21 12:05:37 zerhuel cyrus/imaps[10051]: open: user XX opened
>> INBOX
>>
>> Aug 21 12:05:41 zerhuel postfix/smtpd[10055]: connect from
>> [1.2.3.4]
>> Aug 21 12:05:41 zerhuel postgrey[3113]: action=pass, reason=triplet
>> found,
>> client_name=, client_addres
>> s=1.2.3.4,
>>
sender=+bounces-3062-julien=linuxwall.info@.org,
>> recipient=jul...@linuxwall.info
>> --
>>
>> No TLS initialization here. And I don't think this is a TLS cache
issue,
>> because at some other times, I see very close connections that both
>> perform
>> the TLS initialization :
>>
>> first one :
>> -
>> Aug 21 06:18:03 zerhuel postfix/smtpd[26217]: initializing the
>> server-side
>> TLS engine
>> Aug 21 06:18:04 zerhuel postfix/smtpd[26217]: connect from
>> [1.2.3.4]
>> -
>>
>> second one :
>> -
>> Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: initializing the
>> server-side
>> TLS engine
>> Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: connect from
>> [1.2.3.4]
>> -
>>
>> I see this behavior in, at least, 30 MTAs in my logs (within a week) on
a
>> total of about 220.
>>
>>
>> I run a pretty small infrastructure with two servers running Postfix
>> 2.5.5-1.1 on Debian Lenny.
>> My SMTPD TLS configuration is :
>>
>> --
>> smtpd_tls_CAfile =
>> smtpd_tls_CApath =
>> smtpd_tls_always_issue_session_ids = yes
>> smtpd_tls_ask_ccert = yes
>> smtpd_tls_auth_only = yes
>> smtpd_tls_ccert_verifydepth = 9
>> smtpd_tls_cert_file =
>> smtpd_tls_dcert_file =
>> smtpd_tls_dh1024_param_file =
>> smtpd_tls_dh512_param_file =
>> smtpd_tls_dkey_file = $smtpd_tls_dcert_file
>> smtpd_tls_exclude_ciphers =
>> smtpd_tls_fingerprint_digest = md5
>> smtpd_tls_key_file =
>> smtpd_tls_loglevel = 2
>> smtpd_tls_mandatory_ciphers = medium
>> smtpd_tls_mandatory_exclude_ciphers =
>> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>> smtpd_tls_received_header = yes
>> smtpd_tls_req_ccert = no
>> smtpd_tls_security_level = may
>> smtpd_tls_session_cache_database = btree:
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_tls_wrappermode = no
>> --
>>
>>
>> Any idea of what this is due to ?
> 
> That message does not indicate a TLS connection.  Try using
> smtpd_tls_loglevel = 1
> for a clear indication of when TLS is in use without the noise.
> 
>-- Noel Jones

OK, I did. I will look more closely at the logs to check that again.

But, what does this message indicates if not a TLS connection ?

Thanks,
Julien

Re: Mail Box

[Mihira Fernando]

On Mon, 24 Aug 2009 11:28:20 -0400
Roman Gelfand  wrote:

> How does roundcube compare with exchange outlook web access?

As a webmail client, its pretty good. Follows some traits as the Gmail
web interface. However it does not have all the bells and whistles
Exchange has.

Re: Non deterministic usage of STARTTLS

[Noel Jones]

On 8/24/2009 9:51 AM, Julien Vehent wrote:

Hello guys,

This is my first email on the list, so I hope it doesn't break any rule :)

I've been playing around with my postfix logs to evaluate the percentage
of MTA that are using STARTTLS when sending me emails.

The result is pretty interesting, because some MTA are using TLS, but not
all the time. It appears that the MTA will start the TLS connection once in
a while, and the rest of the time it won't (the opposite works too ;) ).

I suppose it's just me who is not understanding something properly...
sorry for the noise, but if somebody could explain :)


Here is an example with a mailing list server:

First log:
--
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the server-side
TLS engine
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: connect from
[1.2.3.4]
--

We clearly see the initialization of the TLS connection. But the day
before, the log was different :

--
Aug 21 12:05:37 zerhuel cyrus/imaps[10051]: open: user XX opened INBOX

Aug 21 12:05:41 zerhuel postfix/smtpd[10055]: connect from
[1.2.3.4]
Aug 21 12:05:41 zerhuel postgrey[3113]: action=pass, reason=triplet found,
client_name=, client_addres
s=1.2.3.4,
sender=+bounces-3062-julien=linuxwall.info@.org,
recipient=jul...@linuxwall.info
--

No TLS initialization here. And I don't think this is a TLS cache issue,
because at some other times, I see very close connections that both perform
the TLS initialization :

first one :
-
Aug 21 06:18:03 zerhuel postfix/smtpd[26217]: initializing the server-side
TLS engine
Aug 21 06:18:04 zerhuel postfix/smtpd[26217]: connect from
[1.2.3.4]
-

second one :
-
Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: initializing the server-side
TLS engine
Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: connect from
[1.2.3.4]
-

I see this behavior in, at least, 30 MTAs in my logs (within a week) on a
total of about 220.


I run a pretty small infrastructure with two servers running Postfix
2.5.5-1.1 on Debian Lenny.
My SMTPD TLS configuration is :

--
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file =
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
--


Any idea of what this is due to ?


That message does not indicate a TLS connection.  Try using
smtpd_tls_loglevel = 1
for a clear indication of when TLS is in use without the noise.

  -- Noel Jones

Re: Mail Box

[Roman Gelfand]

How does roundcube compare with exchange outlook web access?

Non deterministic usage of STARTTLS

[Julien Vehent]

Hello guys,

This is my first email on the list, so I hope it doesn't break any rule :)

I've been playing around with my postfix logs to evaluate the percentage
of MTA that are using STARTTLS when sending me emails.

The result is pretty interesting, because some MTA are using TLS, but not
all the time. It appears that the MTA will start the TLS connection once in
a while, and the rest of the time it won't (the opposite works too ;) ).

I suppose it's just me who is not understanding something properly...
sorry for the noise, but if somebody could explain :)


Here is an example with a mailing list server:

First log:
--
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the server-side
TLS engine
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: connect from
[1.2.3.4] 
--

We clearly see the initialization of the TLS connection. But the day
before, the log was different :

--
Aug 21 12:05:37 zerhuel cyrus/imaps[10051]: open: user XX opened INBOX

Aug 21 12:05:41 zerhuel postfix/smtpd[10055]: connect from
[1.2.3.4] 
Aug 21 12:05:41 zerhuel postgrey[3113]: action=pass, reason=triplet found,
client_name=, client_addres
s=1.2.3.4,
sender=+bounces-3062-julien=linuxwall.info@.org,
recipient=jul...@linuxwall.info
--

No TLS initialization here. And I don't think this is a TLS cache issue,
because at some other times, I see very close connections that both perform
the TLS initialization :

first one :
-
Aug 21 06:18:03 zerhuel postfix/smtpd[26217]: initializing the server-side
TLS engine   
Aug 21 06:18:04 zerhuel postfix/smtpd[26217]: connect from
[1.2.3.4]
-

second one :
-
Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: initializing the server-side
TLS engine   
Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: connect from
[1.2.3.4]
-

I see this behavior in, at least, 30 MTAs in my logs (within a week) on a
total of about 220.


I run a pretty small infrastructure with two servers running Postfix
2.5.5-1.1 on Debian Lenny. 
My SMTPD TLS configuration is :

--
smtpd_tls_CAfile = 
smtpd_tls_CApath = 
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = 
smtpd_tls_dcert_file = 
smtpd_tls_dh1024_param_file = 
smtpd_tls_dh512_param_file = 
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers = 
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = 
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = 
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
--


Any idea of what this is due to ?


Best,
Julien

-- 
http://jve.linuxwall.info/blog

Re: Blocking mail "from me to me" (was: Country IP block list)

[Martijn de Munnik]

> Most of this spam is also blocked using spamhaus. Also you could add SPF
> to your own domain so no other servers could send mail using your
> domain.
> http://www.openspf.org/Introduction

Off course your server should check the SPF records for incoming mail.

Re: Blocking mail "from me to me" (was: Country IP block list)

[Martijn de Munnik]

On Mon, 2009-08-24 at 10:28 -0400, Daniel L'Hommedieu wrote:
> On Aug 24, 2009, at 10:10, Mikael Bak wrote:
> > Daniel L'Hommedieu wrote:
> >>
> >> The spam I see pretty much all originates in China & Brazil, with  
> >> some
> >> originating in Korea & US.  It also pretty much all originates on
> >> dynamic IP addresses, so if there's a way to block email from dynamic
> >> address ranges, I would very much be interested in that.
> >>
> >
> > Not exactly what you ask for, but it'll stop most of them:
> >
> > http://www.spamhaus.org/zen/
> 
> Mikael,
> 
> Thanks - I saw that in a previous comment or thread, so I instituted  
> the rules that guy was using.
> 
> The one bit of spam I'd like to stop, and I seem to remember seeing  
> talk of it at some point (but I've been unable to find it again) is  
> the spam appears to be "from me to me."  That is, the spammers who use  
> my email address as the from address.  Those emails get past the relay  
> and auth checks because the mail is not being relayed.  If I could  
> stop that spam, it would probably kill 100% of my spam.
> 
> Can anyone point me in the right direction for that one?

Most of this spam is also blocked using spamhaus. Also you could add SPF
to your own domain so no other servers could send mail using your
domain.
http://www.openspf.org/Introduction

> 
> Daniel

Re: rbl checks, best place + ipv6?

[Dave Täht]

Mark Martinec  writes:

> On Sunday August 23 2009 04:10:06 Dave Täht wrote:
>> What I found after fighting with an exchange server that what seems to
>> work best is assigning my first mx host to be ipv6 only, and my fallback
>> to be a mx ipv6 and ipv4 host.
>
> My choice is to have the first MX have both the IPv6 and IPv4 addresses,
> but have a lower priority MX be IPv4-only. This way it should provide a
> fallback connectivity even if some mailer which thinks it has an IPv6
> connectivity but doesn't, then fails to walk through multiple records
> of a multihomed host name. (even though RFC 5321 requires to try
> at least two records).

In my case, my first mx record is my laptop which has postfix configured to
listen and send on IPv6 only. For sending mail, if it can't get through,
it falls back to forwarding via IPv6 to the secondary, smarter host,
which is listening on both IPv4 and IPv6.

Replies to teklibre.org try that IPv6 mx record first (I hope), then
fall back to the smarter host.

This brings back an age of direct email connectivity for all the IPv6 
hosts on my fairly widely geographically spaced network.  Mail gets
through as fast as IM (or faster), with a minimum of men in the middle,
over IPv6 whenever possible.
 
I still have to get reverse DNS to resolve, working on it... (the 8 hosts
I have exchanging mail this way use certs to identify and authenticate 
themselves currently)

This leaves the problem of dealing with non RFC 5321 compliant hosts, but
to heck with them, and so far, I haven't had anyone complain that they
can't get mail to me (I am continuing to experiment, however).

>
>   Mark
>

-- 
Dave Taht
http://the-edge.blogspot.com

Blocking mail "from me to me" (was: Country IP block list)

[Daniel L'Hommedieu]

On Aug 24, 2009, at 10:10, Mikael Bak wrote:

Daniel L'Hommedieu wrote:


The spam I see pretty much all originates in China & Brazil, with  
some

originating in Korea & US.  It also pretty much all originates on
dynamic IP addresses, so if there's a way to block email from dynamic
address ranges, I would very much be interested in that.



Not exactly what you ask for, but it'll stop most of them:

http://www.spamhaus.org/zen/


Mikael,

Thanks - I saw that in a previous comment or thread, so I instituted  
the rules that guy was using.


The one bit of spam I'd like to stop, and I seem to remember seeing  
talk of it at some point (but I've been unable to find it again) is  
the spam appears to be "from me to me."  That is, the spammers who use  
my email address as the from address.  Those emails get past the relay  
and auth checks because the mail is not being relayed.  If I could  
stop that spam, it would probably kill 100% of my spam.


Can anyone point me in the right direction for that one?

Daniel

Re: Country IP block list

[Mikael Bak]

Daniel L'Hommedieu wrote:
> 
> The spam I see pretty much all originates in China & Brazil, with some
> originating in Korea & US.  It also pretty much all originates on
> dynamic IP addresses, so if there's a way to block email from dynamic
> address ranges, I would very much be interested in that.
> 

Not exactly what you ask for, but it'll stop most of them:

http://www.spamhaus.org/zen/

HTH,
Mikael

Re: Clearing Spam Folders

[Barney Desmond]

2009/8/24 Justin C. Le Grice :
> I am new to the world of postfix. I have managed to successfully implement
> Postfix etc using workaround.org's excellent guide.
>
> My current item on the wish list is how to sweep items from the users Spam
> folders after a defined number of days.

This is the Postfix list, Postfix is only an MTA. It does not deal
with serving mailboxes. That said...

> I have located this script from http://moze.koze.net/?p=161
>

> My guess as to what this does is the following

You really don't want to be guessing here - it could wipe out your
system for all you know. The script should have documentation. If not,
you need to learn up on shell scripting.

> 1. Find any occurances of .Spam directory under /var/vmail
>
> 2. for each .Spam directory found, locate and delete any items found in new
> and cur directories over 365 days old.
>
> Am I correct here?

That sounds about right.

> If so what do I do with this script

You run it, however you want.

> and how do I use it in a weekly cron
> job?

Put it in a weekly cronjob.


I don't mean to come off as rude, but these aren't really good
questions, relevant or otherwise.

Re: issues with postfix-ldap

[Brian Evans - Postfix List]

Daniel Corbe wrote:
> Hi,
>
> I'm seeing the following errors in my syslog being generated by 
> trivial-rewrite after a MAIL FROM: command hits my MTA.  I've been trying to 
> enable LDAP lookups for my mail system without much success.  The error 
> messages aren't very helpful (even with verbose logging turned on for the 
> trivial-rewrite process).
>
> I've run my query filter through ldapsearch and it returns data.  Further, 
> I'm currently binding my rootdn so there should be no access restrictions on 
> the LDAP side.  I'm not sure where to go from here.
>
> Error:
>
> Aug 23 15:48:41 apollo postfix/trivial-rewrite[3]: fatal: 
> ldap:acceptdomains(0,lock|fold_fix): table lookup problem
>
> Relevant LDAP bits from main.cf:
>
> mydestination = $myhostname, localhost.$mydomain, localhost.localdomain, 
> ldap:acceptdomains
> acceptdomains_server_host = localhost
> acceptdomains_server_port = 389
> acceptdomains_bind = yes
> acceptdomains_bind_dn = cn=Manager,dc=corbe,dc=net
> acceptdomains_bind_pw = xx55ZZ
> acceptdomains_search_base = dc=corbe,dc=net
> acceptdomains_query_filter = (associatedDomain=*)
> acceptdomains_result_attribute = associatedDomain
>   
You are using the depreciated form of an LDAP lookup. (Pre Postfix-2.1)

I would first suggest moving the lookup to it's own file.
Then, "postmap -q" works properly to search and may give a different error.

Please see the following for more info.
http://www.postfix.org/LDAP_README.html
http://www.postfix.org/ldap_table.5.html

Re: Country IP block list

[Daniel L'Hommedieu]

On Aug 23, 2009, at 22:26, Olivier Nicole wrote:

Hi,

Could someone provide links to sites where IP addresses are grouped  
by coun=
try?  ASNs would work too but would prefer IP lists that I could  
put in a f=
ile that my postfix mail gateway could read.  Obvious countries  
like China =

and Brazil I would like to block wholesale.


As mentionned earlier, blocking by country is pretty uneffective, as
you will end-up blocking some legitimate mail.

The counties you've mentionned are not the originators of spam, but
only the relay. If you want to block the biggest originator of spam,
you should consider blocking USA... Which is obviously not possible.

What will you reply to your user visiting one of these blocked
countries, when they complain they cann write back home?


I personally unfilter netblocks when people are visiting those areas.   
Also, since mine is firewall-based filtering, I have a way to update  
the firewall from remote.


The spam I see pretty much all originates in China & Brazil, with some  
originating in Korea & US.  It also pretty much all originates on  
dynamic IP addresses, so if there's a way to block email from dynamic  
address ranges, I would very much be interested in that.


Thanks.

Daniel

Re: Mail Box

[Mikael Bak]

Hi,

Roman Gelfand wrote:
> Can somebody recommend a mail box server software that would be worthy
> of postfix?
> 

dovecot

> Also, if anyone knows of a cool web client.
> 

roundcube

Re: Mail Box

[Ralf Hildebrandt]

* Roman Gelfand :
> Can somebody recommend a mail box server software that would be worthy
> of postfix?

Dovecot

> Also, if anyone knows of a cool web client.

Horde
Squirrelmail
roundcube

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Mail Box

[Roman Gelfand]

Can somebody recommend a mail box server software that would be worthy
of postfix?

Also, if anyone knows of a cool web client.

Thanks in advance

Block email based on recipient address

[Gejo Paul]

Hi,

My postfix version is postfix-2.3.3-2
main.cf
smtpd_recipient_restrictions = check_sender_access ldap:ldapcond,
   permit_mynetworks,
permit_sasl_authenticated,reject_unknown_sender_domain, reject
smtpd_restriction_classes=default
default = check_recipient_access hash:/etc/postfix/broadcast/default


  Edit /etc/postfix/broadcast/default
gejop...@yahoo.com   REJECT
redhat.com   REJECT
*gmail.comDISCARD

*2)#cd /etc/postfix/broadcast
3 #postmap default

Normally this will reject with a warning on the screen to while send a mail
to   gejop...@yahoo.com .But it is not happening.


Is it a  postfix version problem. Expecting your valuable help.

-- 
Best Regards
Gejo Paul

Clearing Spam Folders

[Justin C. Le Grice]

Hi there.

I am new to the world of postfix. I have managed to successfully 
implement Postfix etc using workaround.org's excellent guide.


My current item on the wish list is how to sweep items from the users 
Spam folders after a defined number of days.


I have located this script from http://moze.koze.net/?p=161

   #!/bin/bash

   find /var/vmail -type d | sed 's/ /\\ /g' | grep "Maildir/.Spam/" |
   while read line
   do
   find ${line}new/ -mtime +365 2>/dev/null -exec rm {} \;
   find ${line}cur/ -mtime +365 2>/dev/null -exec rm {} \;

   done

My guess as to what this does is the following

1. Find any occurances of .Spam directory under /var/vmail

2. for each .Spam directory found, locate and delete any items found in 
new and cur directories over 365 days old.


Am I correct here?

If so what do I do with this script and how do I use it in a weekly cron 
job?


Many thanks for your help here.

Regards

Justin

Re: Any C api to access Postfix programmatically?

[Δημήτριος Καραπιπέρης]

I came to this solution, a bash script to validate a local recipient 
employing the SMTP protocol.



#!/bin/bash

nc localhost 25 << EOF | grep '250 2.1.5 Ok' | sed 's/250 2.1.5 Ok/OK/'
 HELO localhost
 MAIL FROM: 
 RCPT TO: <$1>
 QUIT
EOF

Dimitrios



O/H Wietse Venema έγραψε:

? ???:
  

Hi !

Is there any Programming Interface (api) , so that a Postfix instance
could be accessed programmaticaly, say, a C program?



Currently,  all the SUPPORTED interfaces require that non-Postfix
code communicates with Postfix via some protocol:  examples are
the SMTP protocol, the pipe-to-command protocol, the SMTPD policy
protocol, the Milter protocol, and a simple TCP-based lookup table.

  

for example, connect to a Postfix instance and validate if an e-mail
address is a valid recipient  for the specific instance...



You can already do this with the existing SMTP interface.

Wietse
  

Re: DNSBL/RBL-Blacklist

[Duane Hill]

On Mon, 24 Aug 2009, Schwalbe, Oliver wrote:


Helo Newsgroup,

i will integrate an DNSBL/RBL-Blacklist to avoid SPAM.
So i insert a new row in my main.cf

main.cf before:


[snip]


main.cf after:

smtpd_recipient_restrictions =  permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,

reject_unknown_sender_domain,

reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_unauth_destination,
reject_rbl_client
zen.spamhouse.org, <-- new Row inserted


should be:

  reject_rbl_client zen.spamhaus.org


permit


After restarting postfix (rcpostfix restart) i can't get any mails from
external domains.
External senders received the following error-message


The error is because you misspelled the RBL as indicated above.


   - The following addresses had permanent fatal errors -

(reason: 554 5.7.1 Service unavailable; Client host [64.12.206.41]
blocked
using zen.spamh
ouse.org; This is not the DNSBL you're looking for.)

   - Transcript of session follows -
... while talking to mail.sachsentrans.de.:
>>> DATA
<<< 554 5.7.1 Service unavailable; Client host [64.12.206.41] blocked using
zen.spamhouse.org; This is not the DNSBL you're looking for.
554 5.0.0 Service unavailable
<<< 554 5.5.1 Error: no valid recipients


Can anyone help?
Thanks

Re: DNSBL/RBL-Blacklist

[Ralf Hildebrandt]

* Ralf Hildebrandt :
> * Schwalbe, Oliver :
> 
> > reject_rbl_client 
> > zen.spamhouse.org, <-- new Row inserted
> 
> reject_rbl_client zen.spamhaus.org
> 
> > <<< 554 5.7.1 Service unavailable; Client host [64.12.206.41] blocked using 
> > zen.spamhouse.org; This is not the DNSBL you're looking for.
> 
> Read man, READ!

http://www.spamhouse.org/ says:

SPAMHOUSE.ORG is not a DNSbl!

Queries to SPAMHOUSE.ORG will ALWAYS return a positive lookup.

This means that if you use it, you will refuse *all* of your incoming
email.

Please use one of Spamhaus.org's excellent DNSbls, or better yet, buy
a Spamhaus datafeed!

Please visit SPAMHAUS.ORG's technical page for information on using
their excellent DNSbl. 

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: DNSBL/RBL-Blacklist

[Ralf Hildebrandt]

* Schwalbe, Oliver :

> reject_rbl_client 
> zen.spamhouse.org, <-- new Row inserted

reject_rbl_client zen.spamhaus.org

> <<< 554 5.7.1 Service unavailable; Client host [64.12.206.41] blocked using 
> zen.spamhouse.org; This is not the DNSBL you're looking for.

Read man, READ!
I like the StarWars phrasing :)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: DNSBL/RBL-Blacklist

[Justin C. Le Grice]

Schwalbe, Oliver wrote:

Helo Newsgroup,
 
i will integrate an DNSBL/RBL-Blacklist to avoid SPAM.

So i insert a new row in my main.cf
 
main.cf before:
 
smtpd_recipient_restrictions =  permit_mynetworks,

reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,

reject_unknown_sender_domain,

reject_unknown_recipient_domain,

reject_unauth_pipelining,
reject_unauth_destination,
permit
 
 
main.cf after:
 
smtpd_recipient_restrictions =  permit_mynetworks,

reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,

reject_unknown_sender_domain,

reject_unknown_recipient_domain,

reject_unauth_pipelining,
reject_unauth_destination,
reject_rbl_client 
zen.spamhouse.org, <-- new Row inserted

permit
 
 
After restarting postfix (rcpostfix restart) i can't get any mails 
from external domains.

External senders received the following error-message
 
   - The following addresses had permanent fatal errors -

mailto:myadr...@mydomain.de>>
(reason: 554 5.7.1 Service unavailable; Client host [64.12.206.41] 
blocked

using zen.spamh
ouse.org; This is not the DNSBL you're looking for.)

   - Transcript of session follows -
... while talking to mail.sachsentrans.de.:
>>> DATA
<<< 554 5.7.1 Service unavailable; Client host [64.12.206.41] blocked 
using

zen.spamhouse.org; This is not the DNSBL you're looking for.
554 5.0.0 Service unavailable
<<< 554 5.5.1 Error: no valid recipients
 
 
Can anyone help?

Thanks
 

This is my smtpd_recipient_restrictions= section

smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client sbl-xbl.spamhaus.org,   < NOTE Spelling of 
spamhaus!

   reject_rbl_client dnsbl.njabl.org,
   reject_rbl_client dnsbl-1.uceprotect.net,
   reject_rbl_client dnsbl-2.uceprotect.net,
   permit


Correct your spelling and you should be working.

Regards

Justin

DNSBL/RBL-Blacklist

[Schwalbe, Oliver]

Helo Newsgroup,
 
i will integrate an DNSBL/RBL-Blacklist to avoid SPAM.
So i insert a new row in my main.cf
 
main.cf before:
 
smtpd_recipient_restrictions =  permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_unauth_destination,
permit
 
 
main.cf after:
 
smtpd_recipient_restrictions =  permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_unauth_destination,
reject_rbl_client 
zen.spamhouse.org, <-- new Row inserted
permit
 
 
After restarting postfix (rcpostfix restart) i can't get any mails from 
external domains.
External senders received the following error-message
 
   - The following addresses had permanent fatal errors -
< myadr...@mydomain.de>
(reason: 554 5.7.1 Service unavailable; Client host [64.12.206.41] blocked 
using zen.spamh
ouse.org; This is not the DNSBL you're looking for.)

   - Transcript of session follows -
... while talking to mail.sachsentrans.de.:
>>> DATA
<<< 554 5.7.1 Service unavailable; Client host [64.12.206.41] blocked using 
zen.spamhouse.org; This is not the DNSBL you're looking for.
554 5.0.0 Service unavailable
<<< 554 5.5.1 Error: no valid recipients

 
 
Can anyone help?
Thanks
 
 
 
 
 
 
 

Re: deflecting attacks

[lst_hoe02]

Zitat von AMP Admin :


Does anyone use iptables or something to defend against attacks?  Like if x
amount of requests per x amount of time send away.  If so I would love some
examples.  Thanks!



We use the following :

$IPTABLES -N SMTP-BLOCK
$IPTABLES -A SMTP-BLOCK -m limit --limit 1/m --limit-burst 3 -j LOG  
--log-level notice --log-prefix "iptables SMTP-BLOCK "

$IPTABLES -A SMTP-BLOCK -m recent --name SMTPBLOCK --set -j DROP

$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent  
--name SMTPBLOCK  --rcheck --seconds 360 -j SMTP-BLOCK
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent  
--name SMTP --set
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent  
--name SMTP --rcheck --seconds 60 --hitcount 15 -j SMTP-BLOCK

$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

It creates some trap for hosts which open too many connections in a  
short timeframe. Be aware of the limitations :
- The recent module can only handle a limited number of entries to  
compare so if you have high traffic this list may be overflow/cycled  
before the offender get caught.

- You must adjust the connection/time to match your needs.
- For larger sites you maybe have to adjust the size of the blocklist.

Regards

Andreas