Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread suomi

Hi Ali
I had problems using login, plain, cram-md5 and digest-md5 (all 
together) through saslauthd. At this site, all mail parameters are in 
LDAP, so I had to tell saslauthd to get the authentication parameters 
from LDAP. For the tests, I had inserted the passwords in plaintext into 
LDAP. But as soon as saslauthd saw that it had to go via LDAP, it 
asked for /etc/sasldb2 and wanted to go via auxprop.
I did not test any further then and went back to using auxprop with 
/etc/sasldb2.

See also my submission dated 9/24/2009

suomi

On 2009-11-11 08:51, Ali Majdzadeh wrote:

Patrick,
Hi
Thanks for your mail. I use the following options in smtpd.conf:

mech_list: gssapi plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab

and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
mechanisms. How is it possible to add cram-md5 mechanism?
By the way, I do know about sasldb and auxprop, but what I plan to
achieve is to have cram-md5 mechanism while supporting plain mechanism
using saslauthd, PAM and pam_krb5.so. I have got no problems using
native GSSAPI support.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
mailto:p...@state-of-mind.de

* Ali Majdzadeh ali.majdza...@gmail.com
mailto:ali.majdza...@gmail.com:
  Hello All
  Is it possible to have both PLAIN and CRAM-MD5 authentication
  mechanisms using SASL?

Yes. The password must be stored as plaintext. Then plaintext and
shared-secret mechanisms will work.

p...@rick

--
All technical questions asked privately will be automatically
answered on the
list and archived for public access unless privacy is explicitly
required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/




Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Ali Majdzadeh
Patrick,

Hi
Thanks for your mail. I use the following options in smtpd.conf:

mech_list: gssapi plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab

and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
mechanisms. How is it possible to add cram-md5 mechanism?
By the way, I do know about sasldb and auxprop, but what I plan to achieve
is to have cram-md5 mechanism while supporting plain mechanism using
saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI
support.

Kind Regards
Ali Majdzadeh Kohbanani


2009/11/11 Magnus Bäck mag...@dsek.lth.se

 On Wed, November 11, 2009 8:16 am, Ali Majdzadeh said:

  Thanks for your mail. I use the following options in smtpd.conf:

 Reply to the list, not to me. I'm setting the Reply-To header for a reason.

 --
 Magnus Bäck
 mag...@dsek.lth.se



Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Ali Majdzadeh
Suomi,
Thanks for your mail. I do not use LDAP, instead I use PAM and I want to
have the following authentication mechanisms together:

PLAIN (over PAM, pam_krb5.so and saslauthd)
GSSAPI
CRAM-MD5

Currently, two of these work fine together; plain and gssapi, but I am not
able to get cram-md5 working.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11 Ali Majdzadeh ali.majdza...@gmail.com

 Suomi,
 Thanks for your mail. I do not use LDAP, instead I use PAM and I want to
 have the following authentication mechanisms together:

 PLAIN (over PAM, pam_krb5.so and saslauthd)
 GSSAPI
 CRAM-MD5

 Currently, two of these work fine together; plain and gssapi, but I am not
 able to get cram-md5 working.


 Kind Regards
 Ali Majdzadeh Kohbanani

 2009/11/11 suomi post...@ayni.com

 Hi Ali
 I had problems using login, plain, cram-md5 and digest-md5 (all together)
 through saslauthd. At this site, all mail parameters are in LDAP, so I had
 to tell saslauthd to get the authentication parameters from LDAP. For the
 tests, I had inserted the passwords in plaintext into LDAP. But as soon as
 saslauthd saw that it had to go via LDAP, it asked for /etc/sasldb2 and
 wanted to go via auxprop.
 I did not test any further then and went back to using auxprop with
 /etc/sasldb2.
 See also my submission dated 9/24/2009

 suomi


 On 2009-11-11 08:51, Ali Majdzadeh wrote:

 Patrick,
 Hi
 Thanks for your mail. I use the following options in smtpd.conf:

 mech_list: gssapi plain
 pwcheck_method: saslauthd
 saslauthd_path: /var/run/saslauthd/mux
 keytab: /etc/krb5.keytab

 and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
 mechanisms. How is it possible to add cram-md5 mechanism?
 By the way, I do know about sasldb and auxprop, but what I plan to
 achieve is to have cram-md5 mechanism while supporting plain mechanism
 using saslauthd, PAM and pam_krb5.so. I have got no problems using
 native GSSAPI support.

 Kind Regards
 Ali Majdzadeh Kohbanani

 2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
 mailto:p...@state-of-mind.de


* Ali Majdzadeh ali.majdza...@gmail.com
mailto:ali.majdza...@gmail.com:

  Hello All
  Is it possible to have both PLAIN and CRAM-MD5 authentication
  mechanisms using SASL?

Yes. The password must be stored as plaintext. Then plaintext and
shared-secret mechanisms will work.

p...@rick

--
All technical questions asked privately will be automatically
answered on the
list and archived for public access unless privacy is explicitly
required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/






Test e-mailservice

2009-11-11 Thread Martijn de Munnik
Hi,

Last night we had an issue with our mail server which went unnoticed till
this morning. Our spam filter crashed and postfix couldn't feed mails for
check to localhost:10024. The mails stayed in the queue till we noticed
that we didn't receive any mail this morning. I restarted the spam filter
and now the queue is being processed.
Of course I don't want this to happen again in the future. How do people
test their mail server periodically? So far we use webmin which tries to
connect to port 25, 110 and 143 and checks if the greeting is correct. If
one of these connections fail we get a phone call. I can't check services
which are only running on localhost because webmin is checking from a
remote host. Does anybody use a check which checks the complete mail loop?
I was thinking of sending a mail from a remote host (with webmin) to a test
mail account and see if I can download the mail with imap and then with pop
which removes the mail. The test mail account should also send a reply to
the original sender (maybe explaining it's a test address) and the test
server should also check for this reply.
Does anybody have such a test setup?

Thanks,
Martijn

-- 
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568


RE: Test e-mailservice

2009-11-11 Thread Kammen van, Marco, Springer SBM NL

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Martijn de Munnik
Sent: Wednesday, November 11, 2009 9:54 AM
To: postfix-users@postfix.org
Subject: Test e-mailservice

Does anybody have such a test setup?

Thanks,
Martijn

There are expensive commercial tools available to do that.
We use MOM/SCOM/Spectrum/Ehealth to monitor mail flows and services.

You can also write your own monitoring scripts in your favourite 
programming/scripting language...
I can send you a simple perl script that monitors postfix services and does 
some connectivity tests, if you like.

Marco.  



RE: Test e-mailservice

2009-11-11 Thread Peter Sørensen
Hi,

We have a server outside our network which will send a mail every 5 minutes to
a specific mailbox on our exchange system. This has a limit on 0 which means that
it will bounce the mail back to the sender. 

We use this to document a baseline. 

When sending we generate a unique Message-id - save this in a database (MySql) 
along with the timestamp. When the bounced mail gets back we grab the Message-id
and timeinfo and all this is saved in the DB. 

You could use this info to test if the mail loop is too long.

Best regards

Peter Sørensen

Phone.6550 2858
Fax 6550 2860
mail   mas...@sdu.dk
Web http://intern.sdu.dk/it-service/ansatte/ps-238/
Adr.Campusvej 55, 5230 Odense M

University of Southern Denmark
___
Campusvej 55 * 5230 * Odense M * Tlf. 6550 1000 * www.sdu.dk


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Martijn de Munnik
Sent: 11. november 2009 09:54
To: postfix-users@postfix.org
Subject: Test e-mailservice

Hi,

Last night we had an issue with our mail server which went unnoticed till
this morning. Our spam filter crashed and postfix couldn't feed mails for
check to localhost:10024. The mails stayed in the queue till we noticed
that we didn't receive any mail this morning. I restarted the spam filter
and now the queue is being processed.
Of course I don't want this to happen again in the future. How do people
test their mail server periodically? So far we use webmin which tries to
connect to port 25, 110 and 143 and checks if the greeting is correct. If
one of these connections fail we get a phone call. I can't check services
which are only running on localhost because webmin is checking from a
remote host. Does anybody use a check which checks the complete mail loop?
I was thinking of sending a mail from a remote host (with webmin) to a test
mail account and see if I can download the mail with imap and then with pop
which removes the mail. The test mail account should also send a reply to
the original sender (maybe explaining it's a test address) and the test
server should also check for this reply.
Does anybody have such a test setup?

Thanks,
Martijn

-- 
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568


Re: Test e-mailservice

2009-11-11 Thread Barney Desmond
2009/11/11 Martijn de Munnik mart...@youngguns.nl:
 remote host. Does anybody use a check which checks the complete mail loop?
 I was thinking of sending a mail from a remote host (with webmin) to a test
 mail account and see if I can download the mail with imap and then with pop
 which removes the mail. The test mail account should also send a reply to
 the original sender (maybe explaining it's a test address) and the test
 server should also check for this reply.

This sounds a little elaborate to me, actually polling the mailbox via
pop/imap, but it's comprehensive if nothing else. I should note that I
only touch webmin very rarely; I find it curious that it'd have some
sort of testing/probing functionality built in. Seeing as it's an
administration tool, I suspect it's not the best tool for the job (but
hey, if it's already there and it works, stay with it).

We don't have an end-to-end monitoring setup, but I can think of
something that should work. We use Nagios, which is free and flexible
(but it can get a bit complex, and there's a learning curve). We have
checks on a few points:
* connect to the port and check the banner
* check the length of the mailqueue on the machine

This works well for us and catches most problems, but it wouldn't
quite work for your scenario which is end-to-end latency-sensitive. I
can think of something that would probably work with Nagios though:
1. inject an email periodically, directed to a special testing address
(say, every 5min, via cron)
2. this should pass through the rest of the system like regular mail
3. at the end of the mail flow, pass the mail through a script
(piping the mail out from /etc/aliases would do the job)
4. the script submits a passive check result to nagios (NSCA). this
could be as simple as simply freshing the check, or you could
analyse the headers for timestamps and look for a delay.
4a. you could turn this into an active check by having the script
touch a file, then use an NRPE check to alert people if the file is
too old.
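
Steps 3 to 4a of the procedure above, as an added example that is not part of the original post: one script that the test alias pipes each probe into (it records arrival time and the transit delay taken from the Date header) and that an NRPE-style check runs to alert when the last probe is stale or slow. The state file layout, thresholds, addresses and function names are assumptions made for this sketch.

```python
import email
import email.utils
import json
import os
import sys
import time

OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit codes


def record_probe(raw_message, state_path, now=None):
    """Run from the alias pipe (step 3): note arrival time and transit delay."""
    now = time.time() if now is None else now
    msg = email.message_from_string(raw_message)
    delay = None
    try:
        sent = email.utils.parsedate_to_datetime(msg["Date"])
        delay = now - sent.timestamp()
    except (TypeError, ValueError):
        pass                      # missing or unparsable Date: freshness only
    state = {"arrived": now, "delay": delay, "message_id": msg["Message-ID"]}
    tmp_path = state_path + ".tmp"
    with open(tmp_path, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp_path, state_path)   # atomic swap: the check never reads half a file
    return state


def check_freshness(state_path, now=None, max_age=600, max_delay=120):
    """Step 4a as an active check: returns (exit_code, status_text).

    max_age=600 tolerates one missed probe at a 5 minute interval (assumed).
    """
    now = time.time() if now is None else now
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except (OSError, ValueError):
        return CRITICAL, "MAILLOOP CRITICAL - no probe has been recorded"
    age = now - state["arrived"]
    if age > max_age:
        return CRITICAL, f"MAILLOOP CRITICAL - last probe arrived {age:.0f}s ago"
    delay = state["delay"]
    if delay is not None and delay > max_delay:
        return WARNING, f"MAILLOOP WARNING - last probe took {delay:.0f}s in transit"
    return OK, f"MAILLOOP OK - last probe arrived {age:.0f}s ago"


# Constructed probe, as the cron job in step 1 might inject it.
SAMPLE_PROBE = (
    "From: probe@monitor.example.net\n"
    "To: mailloop-test@example.org\n"
    "Date: Wed, 11 Nov 2009 09:54:00 +0100\n"
    "Message-ID: <probe-0001@monitor.example.net>\n"
    "Subject: mail loop probe\n"
    "\n"
    "probe\n"
)

if __name__ == "__main__":
    # "record <file>" is the alias pipe target; "check <file>" is what NRPE runs.
    mode, path = sys.argv[1], sys.argv[2]
    if mode == "record":
        record_probe(sys.stdin.read(), path)
    else:
        code, text = check_freshness(path)
        print(text)
        sys.exit(code)
```

Because the check alerts on the absence of a fresh probe, it also fires when a content filter stops accepting mail and the probe sits in the queue.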


Need help to configure postfix.

2009-11-11 Thread Manoj Burande
Hello There,

  I have to configure my postfix mail server in the following way, so please
help me to accomplish the configuration.

1] Is it possible to configure my postfix mail server without a DNS entry
for mail.mydomain.com.?
 i] The reason behind it is that can only send mail. Mail server will
not accept any emails from the outside(internet) for the delivery.

2] It should only be responsible to forward ALERT / INFO /CRITICAL
notifications generated by my local syslogd to me. I want generated log
reports to go to my manoj.bura...@artificialmachines.com account.

3] I have hosted my JAVA application on the same server. And it will
generate mail to deliver to the users. e.g. mmbura...@gmail.com /
yahoo.com or manoj.bura...@artificialmachines.com etc..In short it will
deliver mail on the internet to other domain users.

That's it!..Nothing else will happen through the postfix mailserver.

 So please give me some guidelines to accomplish my postfix
configuration in above mentioned manner. Or provide me any online
useful stuff for the same.


-- 
Manoj M. Burande,
Artificial Machines Pvt Ltd,
System Administrator.




RE: Test e-mailservice

2009-11-11 Thread Martijn de Munnik
Hi Peter,

On Wed, 11 Nov 2009 10:08:34 +0100, Peter Sørensen mas...@sdu.dk wrote:
 Hi,
 
 We have a server outside our network which will send a mail every 5
 minutes to
 a specific mailbox on our exchange system. This has a limit on 0 which
 means that
 it will bounce the mail back to the sender. 
 
 We use this to document a baseline. 
 
 When sending we generate a unique Message-id - save this in a database
 (MySql) along with the
 timestamp. When the bounced mail gets back we grab the Message-id and
 timeinfo and all this 
 is saved in the DB. 

Could you make this script public, it sounds very helpful to me. I would
like to test it and maybe extend it with pop and imap checks too.
 
 You could use this info to test if the mail loop is too long.
 
 Best regards
 
 Peter Sørensen
 
 Phone.6550 2858
 Fax 6550 2860
 mail   mas...@sdu.dk
 Web http://intern.sdu.dk/it-service/ansatte/ps-238/
 Adr.Campusvej 55, 5230 Odense M
 
 University of Southern Denmark
 ___
 Campusvej 55 * 5230 * Odense M * Tlf. 6550 1000 * www.sdu.dk
   
   
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Martijn de Munnik
 Sent: 11. november 2009 09:54
 To: postfix-users@postfix.org
 Subject: Test e-mailservice
 
 Hi,
 
 Last night we had an issue with our mail server which went unnoticed till
 this morning. Our spam filter crashed and postfix couldn't feed mails
for
 check to localhost:10024. The mails stayed in the queue till we noticed
 that we didn't receive any mail this morning. I restarted the spam
filter
 and now the queue is being processed.
 Of course I don't want this to happen again in the future. How do people
 test their mail server periodically? So far we use webmin which tries to
 connect to port 25, 110 and 143 and checks if the greeting is correct.
If
 one of these connections fail we get a phone call. I can't check
services
 which are only running on localhost because webmin is checking from a
 remote host. Does anybody use a check which checks the complete mail
loop?
 I was thinking of sending a mail from a remote host (with webmin) to a
test
 mail account and see if I can download the mail with imap and then with
pop
 which removes the mail. The test mail account should also send a reply
to
 the original sender (maybe explaining it's a test address) and the test
 server should also check for this reply.
 Does anybody have such a test setup?
 
 Thanks,
 Martijn

-- 
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568


RE: Test e-mailservice

2009-11-11 Thread Peter Sørensen
Hi Martin,

I will do that. I probably have to do a little bit of cleanup/docs before
I send it. Will do that in the next couple of days. Hope this is OK for you.

Best regards

Peter



-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Martijn de Munnik
Sent: 11. november 2009 11:31
To: Peter Sørensen
Cc: postfix-users@postfix.org
Subject: RE: Test e-mailservice

Hi Peter,

On Wed, 11 Nov 2009 10:08:34 +0100, Peter Sørensen mas...@sdu.dk wrote:
 Hi,
 
 We have a server outside our network which will send a mail every 5
 minutes to
 a specific mailbox on our exchange system. This has a limit on 0 which
 means that
 it will bounce the mail back to the sender. 
 
 We use this to document a baseline. 
 
 When sending we generate a unique Message-id - save this in a database
 (MySql) along with the
 timestamp. When the bounced mail gets back we grab the Message-id and
 timeinfo and all this 
 is saved in the DB. 

Could you make this script public, it sounds very helpful to me. I would
like to test it and maybe extend it with pop and imap checks too.
 
 You could use this info to test if the mail loop is too long.
 
 Best regards
 
 Peter Sørensen
 
 Phone.6550 2858
 Fax 6550 2860
 mail   mas...@sdu.dk
 Web http://intern.sdu.dk/it-service/ansatte/ps-238/
 Adr.Campusvej 55, 5230 Odense M
 
 University of Southern Denmark
 ___
 Campusvej 55 * 5230 * Odense M * Tlf. 6550 1000 * www.sdu.dk
   
   
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Martijn de Munnik
 Sent: 11. november 2009 09:54
 To: postfix-users@postfix.org
 Subject: Test e-mailservice
 
 Hi,
 
 Last night we had an issue with our mail server which went unnoticed till
 this morning. Our spam filter crashed and postfix couldn't feed mails
for
 check to localhost:10024. The mails stayed in the queue till we noticed
 that we didn't receive any mail this morning. I restarted the spam
filter
 and now the queue is being processed.
 Of course I don't want this to happen again in the future. How do people
 test their mail server periodically? So far we use webmin which tries to
 connect to port 25, 110 and 143 and checks if the greeting is correct.
If
 one of these connections fail we get a phone call. I can't check
services
 which are only running on localhost because webmin is checking from a
 remote host. Does anybody use a check which checks the complete mail
loop?
 I was thinking of sending a mail from a remote host (with webmin) to a
test
 mail account and see if I can download the mail with imap and then with
pop
 which removes the mail. The test mail account should also send a reply
to
 the original sender (maybe explaining it's a test address) and the test
 server should also check for this reply.
 Does anybody have such a test setup?
 
 Thanks,
 Martijn

-- 
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568


Re: Need help to configure postfix.

2009-11-11 Thread Ansgar Wiechers
On 2009-11-11 Manoj Burande wrote:
 I have to configure my postfix mail server in the following way, so please
 help me to accomplish the configuration.
 
 1] Is it possible to configure my postfix mail server without a DNS
entry for mail.mydomain.com.?

Yes. MX records tell the world which server will accept inbound mail for
your domain. They have nothing to do with sending outbound mail.

 2] It should only be responsible to forward ALERT / INFO /CRITICAL
notifications generated by my local syslogd to me. I want generated
log reports to go to my manoj.bura...@artificialmachines.com
account.
 
 3] I have hosted my JAVA application on the same server. And it will
generate mail to deliver to the users. e.g. mmbura...@gmail.com /
yahoo.com or manoj.bura...@artificialmachines.com etc..In short it
will deliver mail on the internet to other domain users.
 
 That's it!..Nothing else will happen through the postfix mailserver.
 
 So please give me some guidelines to accomplish my postfix
 configuration in above mentioned manner. Or provide me any online
 useful stuff for the same.

I believe this is covered by the standard configuration examples:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client

Regards
Ansgar Wiechers
-- 
All vulnerabilities deserve a public fear period prior to patches
becoming available.
--Jason Coombs on Bugtraq


Re: newaliases problem with root user

2009-11-11 Thread Wietse Venema
Manoj Burande:
 Hello Wietse,
 
  Thanks for your reply.
 
 Can you please guide me on how to use postfix newaliases?. I have

Yes. Deinstall SENDMAIL.

Wietse


 already stopped sendmail on the server. And still it is using sendmail
 newaliases. Can you please tell me how to do that?
 
  Manoj Burande:
  /etc/aliases: 77 aliases, longest 36 bytes, 805 bytes total
 
  That is SENDMAIL not POSTFIX.
 
  Wietse
 
 
 
 -- 
 Manoj M. Burande,
 Artificial Machines Pvt Ltd,
 System Administrator.
 
 
 
 



RE: Test e-mailservice

2009-11-11 Thread Martijn de Munnik
On Wed, 11 Nov 2009 12:17:01 +0100, Peter Sørensen mas...@sdu.dk wrote:
 Hi Martin,
 
 I will do that. I probably have to do a little bit of cleanup/docs
before
 I send it. Will do that in the next couple of days. Hope this is OK for
 you.

Sure that's fine with me.

Thank you very much!
 
 Best regards
 
 Peter
   
   
 
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Martijn de Munnik
 Sent: 11. november 2009 11:31
 To: Peter Sørensen
 Cc: postfix-users@postfix.org
 Subject: RE: Test e-mailservice
 
 Hi Peter,
 
 On Wed, 11 Nov 2009 10:08:34 +0100, Peter Sørensen mas...@sdu.dk
wrote:
 Hi,
 
 We have a server outside our network which will send a mail every 5
 minutes to
 a specific mailbox on our exchange system. This has a limit on 0 which
 means that
 it will bounce the mail back to the sender. 
 
 We use this to document a baseline. 
 
 When sending we generate a unique Message-id - save this in a database
 (MySql) along with the
 timestamp. When the bounced mail gets back we grab the Message-id and
 timeinfo and all this 
 is saved in the DB. 
 
 Could you make this script public, it sounds very helpful to me. I would
 like to test it and maybe extend it with pop and imap checks too.
 
 You could use this info to test if the mail loop is too long.
 
 Best regards
 
 Peter Sørensen
 
 Phone.6550 2858
 Fax 6550 2860
 mail   mas...@sdu.dk
 Web http://intern.sdu.dk/it-service/ansatte/ps-238/
 Adr.Campusvej 55, 5230 Odense M
 
 University of Southern Denmark
 ___
 Campusvej 55 * 5230 * Odense M * Tlf. 6550 1000 * www.sdu.dk
  
  
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Martijn de Munnik
 Sent: 11. november 2009 09:54
 To: postfix-users@postfix.org
 Subject: Test e-mailservice
 
 Hi,
 
 Last night we had an issue with our mail server which went unnoticed
till
 this morning. Our spam filter crashed and postfix couldn't feed mails
 for
 check to localhost:10024. The mails stayed in the queue till we noticed
 that we didn't receive any mail this morning. I restarted the spam
 filter
 and now the queue is being processed.
 Of course I don't want this to happen again in the future. How do
people
 test their mail server periodically? So far we use webmin which tries
to
 connect to port 25, 110 and 143 and checks if the greeting is correct.
 If
 one of these connections fail we get a phone call. I can't check
 services
 which are only running on localhost because webmin is checking from a
 remote host. Does anybody use a check which checks the complete mail
 loop?
 I was thinking of sending a mail from a remote host (with webmin) to a
 test
 mail account and see if I can download the mail with imap and then with
 pop
 which removes the mail. The test mail account should also send a reply
 to
 the original sender (maybe explaining it's a test address) and the test
 server should also check for this reply.
 Does anybody have such a test setup?
 
 Thanks,
 Martijn

-- 
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568


Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Patrick Ben Koetter
* Ali Majdzadeh ali.majdza...@gmail.com:
 Patrick,
 Hi
 Thanks for your mail. I use the following options in smtpd.conf:
 
 mech_list: gssapi plain
 pwcheck_method: saslauthd
 saslauthd_path: /var/run/saslauthd/mux
 keytab: /etc/krb5.keytab
 
 and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
 mechanisms. How is it possible to add cram-md5 mechanism?

Sorry, but no. saslauthd is unable to handle shared-secret mechanisms. You
could, theoretically, tell libsasl to query different pwcheck_methods like
this:

pwcheck_method: saslauthd auxprop
mech_list: gssapi plain cram-md5
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
auxprop_plugin: sasldb

libsasl would first try verification using saslauthd and if that fails it
would turn to auxprop sasldb. This backend COULD provide cram-md5, but you
would have to provide credentials in your kerberos backend AND in sasldb,
which IMHO is a pain to support and somehow renders all the security efforts
for GSSAPI and kerberos useless, because you store the same credentials in
plaintext in a local database file.

 By the way, I do know about sasldb and auxprop, but what I plan to achieve
 is to have cram-md5 mechanism while supporting plain mechanism using
 saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI
 support.

AFAIK this is not possible at the moment.

p...@rick



 
 Kind Regards
 Ali Majdzadeh Kohbanani
 
 2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
 
  * Ali Majdzadeh ali.majdza...@gmail.com:
   Hello All
   Is it possible to have both PLAIN and CRAM-MD5 authentication
   mechanisms using SASL?
 
  Yes. The password must be stored as plaintext. Then plaintext and
  shared-secret mechanisms will work.
 
  p...@rick
 
  --
  All technical questions asked privately will be automatically answered on
  the
  list and archived for public access unless privacy is explicitly required
  and
  justified.
 
  saslfinger (debugging SMTP AUTH):
  http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
 

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
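
Why a shared-secret mechanism needs the password itself on the server while PLAIN does not, as an added example (not code from this thread or from Cyrus SASL): with PLAIN the server receives the password and can hand it to any yes/no verifier, whereas with CRAM-MD5 the server must recompute an HMAC-MD5 keyed with the password. The account, password, hostname and function names are constructed; a salted PBKDF2 record stands in for a verifier-only backend such as saslauthd with PAM.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def make_verifier(password):
    """One-way record: enough to check a password, not to recover it."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed accounts. VERIFIER_ONLY answers yes/no (saslauthd-style);
# PLAINTEXT_STORE returns the secret itself (auxprop/sasldb-style).
VERIFIER_ONLY = {"ali": make_verifier("correct horse")}
PLAINTEXT_STORE = {"ali": "correct horse"}


def verify_plain(b64_response, verifiers=VERIFIER_ONLY):
    """PLAIN: the client sends authzid NUL authcid NUL password."""
    try:
        _authzid, authcid, password = base64.b64decode(b64_response).split(b"\0")
    except ValueError:
        return False
    record = verifiers.get(authcid.decode("utf-8", "replace"))
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def new_challenge(hostname="mail.example.org"):
    """Server side of CRAM-MD5: a fresh challenge for every attempt."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return base64.b64encode(f"<{nonce}.{os.getpid()}@{hostname}>".encode()).decode()


def cram_md5_response(user, password, b64_challenge):
    """Client side: prove knowledge of the password without sending it."""
    challenge = base64.b64decode(b64_challenge)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(b64_challenge, b64_response, lookup_secret):
    """Server side: recomputes the HMAC, so it needs the password itself."""
    try:
        user, _, digest = base64.b64decode(b64_response).decode().rpartition(" ")
    except ValueError:
        return False
    secret = lookup_secret(user)
    if secret is None:            # backend cannot hand out the secret
        return False
    challenge = base64.b64decode(b64_challenge)
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def verifier_only_lookup(user):
    """All a yes/no verifier can give a shared-secret mechanism: nothing."""
    return None


def demo():
    plain = base64.b64encode(b"\0ali\0correct horse").decode()
    challenge = new_challenge()
    response = cram_md5_response("ali", "correct horse", challenge)
    return {
        "plain_via_verifier": verify_plain(plain),
        "cram_via_plaintext_store": verify_cram_md5(challenge, response, PLAINTEXT_STORE.get),
        "cram_via_verifier": verify_cram_md5(challenge, response, verifier_only_lookup),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```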


Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Ali Majdzadeh
Patrick,
Thanks for your reply. So if I have concluded correctly, the following
configuration is the one which should bring together gssapi, plain and
cram-md5 authentication mechanisms:

pwcheck_method: saslauthd auxprop
mech_list: gssapi plain cram-md5
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
auxprop_plugin: sasldb

But, you say that currently this does not work. True?
What about ldapdb? I mean, is there actually anyway to achieve such a setup?
Is it possible to use ldapdb in a way that eliminates the need to duplicate
the credentials?

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11 Patrick Ben Koetter p...@state-of-mind.de

 * Ali Majdzadeh ali.majdza...@gmail.com:
  Patrick,
  Hi
  Thanks for your mail. I use the following options in smtpd.conf:
 
  mech_list: gssapi plain
  pwcheck_method: saslauthd
  saslauthd_path: /var/run/saslauthd/mux
  keytab: /etc/krb5.keytab
 
  and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
  mechanisms. How is it possible to add cram-md5 mechanism?

 Sorry, but no. saslauthd is unable to handle shared-secret mechanisms. You
 could, theoretically, tell libsasl to query different pwcheck_methods like
 this:

 pwcheck_method: saslauthd auxprop
 mech_list: gssapi plain cram-md5
 saslauthd_path: /var/run/saslauthd/mux
 keytab: /etc/krb5.keytab
 auxprop_plugin: sasldb

 libsasl would first try verification using saslauthd and if that fails it
 would turn to auxprop sasldb. This backend COULD provide cram-md5, but
 you
 would have to provide credentials in your kerberos backend AND in sasldb,
 which IMHO is a pain to support and somehow renders all the security
 efforts
 for GSSAPI and kerberos useless, because you store the same credentials in
 plaintext in a local database file.

  By the way, I do know about sasldb and auxprop, but what I plan to
 achieve
  is to have cram-md5 mechanism while supporting plain mechanism using
  saslauthd, PAM and pam_krb5.so. I have got no problems using native
 GSSAPI
  support.

 AFAIK this is not possible at the moment.

 p...@rick



 
  Kind Regards
  Ali Majdzadeh Kohbanani
 
  2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
 
   * Ali Majdzadeh ali.majdza...@gmail.com:
Hello All
Is it possible to have both PLAIN and CRAM-MD5 authentication
mechanisms using SASL?
  
   Yes. The password must be stored as plaintext. Then plaintext and
   shared-secret mechanisms will work.
  
   p...@rick
  
   --
   All technical questions asked privately will be automatically answered
 on
   the
   list and archived for public access unless privacy is explicitly
 required
   and
   justified.
  
   saslfinger (debugging SMTP AUTH):
   http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
  

 --
 All technical questions asked privately will be automatically answered on
 the
 list and archived for public access unless privacy is explicitly required
 and
 justified.

 saslfinger (debugging SMTP AUTH):
 http://postfix.state-of-mind.de/patrick.koetter/saslfinger/



Re: Blacklisted on Verizon

2009-11-11 Thread /dev/rob0
On Wednesday 11 November 2009 06:14:08
   dhottin...@harrisonburg.k12.va.us wrote:
 Quoting Stan Hoeppner s...@hardwarefreak.com:
  You should be concentrating your focus on the Senders by
  message count section.

 Wouldn't the logwatch from the server list top users by emails?

Perhaps, but I missed the part where the OP mentioned that he was
using logwatch. Nevertheless I fail to see the relevance. Possibly
the OP's system is spewing spam, and all the helpful advice given in
this thread has gotten the OP not one bit closer to finding the
perpetrator and fixing the problem.

Senders by message count is ENVELOPE SENDER, in the case of spam,
completely useless. If the OP has, as I might guess, a compromised
httpd + PHP script, for example, the envelope sender will probably
change for EACH spam it sends.

Absolute rubbish. I will say that pflogsumm.pl is a fine tool, but
the suggestion thereof, and this entire thread, has been nothing but
a distraction from the work that the OP needs to do immediately.

I wrote:
  What are some things I should be looking for in the pflogsumm.pl
  report?

 0. Not the summary, look at the actual logs.
 1. Find a suspected spam. This will be easy if you start with one
that was rejected by Verizon or other operator.
 2. Trace that back to where it entered the queue.
 3. Apply LART as necessary.
 4. Review DEBUG_README.html#mail if questions still exist at this
point. You can mung a specific email address if desired, but
domain names and IP addresses might be very important.

One step I neglected to mention in my previous post: postfix stop.
Your damage increases with every spam you send.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
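
Steps 1 and 2 of the list above (pick a message a remote operator rejected, then follow its queue ID back to where it entered the queue), as an added example that is not part of the original post. It also tallies messages by entry point rather than by envelope sender, which is the distinction the post draws. The log excerpt is constructed and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed syslog excerpt: hosts, addresses and queue IDs are made up.
SAMPLE_LOG = """\
Nov 11 06:01:12 mail postfix/pickup[2101]: 4F2A1C0012: uid=48 from=<x7k2@example.org>
Nov 11 06:01:12 mail postfix/cleanup[2105]: 4F2A1C0012: message-id=<20091111050112.4F2A1C0012@mail.example.org>
Nov 11 06:01:12 mail postfix/qmgr[1800]: 4F2A1C0012: from=<x7k2@example.org>, size=2210, nrcpt=1 (queue active)
Nov 11 06:01:14 mail postfix/smtp[2110]: 4F2A1C0012: to=<user@isp.example>, relay=mx.isp.example[192.0.2.25]:25, delay=2.1, delays=0.1/0/1.5/0.5, dsn=5.7.1, status=bounced (host mx.isp.example[192.0.2.25] said: 550 5.7.1 blocked (in reply to MAIL FROM command))
Nov 11 06:01:14 mail postfix/qmgr[1800]: 4F2A1C0012: removed
Nov 11 06:01:20 mail postfix/pickup[2101]: 4F2B3C0013: uid=48 from=<q9w1@example.org>
Nov 11 06:01:20 mail postfix/qmgr[1800]: 4F2B3C0013: from=<q9w1@example.org>, size=2198, nrcpt=1 (queue active)
Nov 11 06:01:22 mail postfix/smtp[2111]: 4F2B3C0013: to=<b@other.example>, relay=mx.other.example[192.0.2.80]:25, delay=1.9, delays=0.1/0/1.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Nov 11 06:02:29 mail postfix/smtpd[2120]: connect from pc7.example.org[198.51.100.7]
Nov 11 06:02:30 mail postfix/smtpd[2120]: 7B91DC0034: client=pc7.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Nov 11 06:02:31 mail postfix/qmgr[1800]: 7B91DC0034: from=<alice@example.org>, size=901, nrcpt=1 (queue active)
Nov 11 06:02:32 mail postfix/smtp[2112]: 7B91DC0034: to=<bob@other.example>, relay=mx.other.example[192.0.2.80]:25, delay=1.2, delays=0.2/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
""".splitlines()

# Only records that carry a queue ID match; "connect from" and NOQUEUE lines do not.
LINE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")


def by_queue_id(lines):
    """Group log records as {queue_id: [(daemon, text), ...]} in log order."""
    records = {}
    for line in lines:
        m = LINE.search(line)
        if m:
            records.setdefault(m["qid"], []).append((m["daemon"], m["rest"]))
    return records


def rejected_by(lines, relay_fragment):
    """Step 1: queue IDs whose delivery the named remote relay refused."""
    hits = []
    for qid, events in by_queue_id(lines).items():
        for daemon, text in events:
            refused = re.search(r"status=(bounced|deferred)", text)
            if daemon == "smtp" and refused and relay_fragment in text:
                hits.append(qid)
                break
    return hits


def entry_point(lines, qid):
    """Step 2: how the message with this queue ID got into the queue."""
    info = {"queue_id": qid, "via": "unknown"}
    for daemon, text in by_queue_id(lines).get(qid, []):
        if daemon == "smtpd" and text.startswith("client="):
            # Network submission: the client, plus the SASL login if one was used.
            fields = dict(f.split("=", 1) for f in text.split(", ") if "=" in f)
            info.update(via="smtpd", client=fields["client"],
                        sasl_username=fields.get("sasl_username"))
        elif daemon == "pickup" and text.startswith("uid="):
            # Local submission through sendmail(1): uid is the submitting account.
            info.update(via="pickup", uid=int(re.match(r"uid=(\d+)", text).group(1)))
        elif daemon == "qmgr" and text.startswith("from="):
            info["envelope_sender"] = re.match(r"from=<([^>]*)>", text).group(1)
    return info


def count_by_origin(lines):
    """Tally queued messages by where they entered, not by envelope sender."""
    tally = Counter()
    for qid in by_queue_id(lines):
        info = entry_point(lines, qid)
        if info["via"] == "pickup":
            tally[f"pickup uid={info['uid']}"] += 1
        elif info["via"] == "smtpd":
            tally[f"smtpd {info['client']}"] += 1
    return dict(tally)


if __name__ == "__main__":
    for qid in rejected_by(SAMPLE_LOG, "isp.example"):
        print(entry_point(SAMPLE_LOG, qid))
    print(count_by_origin(SAMPLE_LOG))
```

In the constructed excerpt the two locally submitted messages carry different envelope senders but the same submitting uid, so only the tally by origin groups them.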


Re: Reply: Reply: who know how does initial_destination_concurrency and default_destination_concurrency_limit work?

2009-11-11 Thread Noel Jones
On 11/11/2009 12:34 AM, coofucoo zhang wrote:
 Hi Noel:
 I just want to control the sending speed of postfix. Because some of ISP
 complain me that my speed is too fast. So I want to make postfix send a
 little slowly. I am not sure how can I accomplish this target, so I set up a
 test ENV to do testing, to make sure how can I implement it.
 Then I found the problem I describe in my first email, you can see it here:
 
 //*
 HI ALL:
 I try to understand how the initial_destination_concurrency and
 default_destination_concurrency_limit work? How can it support to improve
 the output of delivery. I do a small test.
 I config the postfix like this:
 qmgr_message_active_limit = 50
 qmgr_message_recipient_limit = 50
 initial_destination_concurrency = 10
 default_destination_concurrency_limit = 10
 default_destination_rate_delay = 10s
 
 and then, I send 5 mail to one server, such as t...@a.com, 5 mail for the
 other server, such as t...@b.com.
  From the server side, I can see postfix send mail one by one. For instance,
 from A.com, I can see 5 mails, each is 10s delay the previous one. B.com is
 the same with A.
 So I feel confuse about how can I use initial_destination_concurrency and
 default_destination_concurrency_limit parameters. Because if I change these
 2 parameters to 1, the test result is the same.
 
 Does anyone know my problem? How can I make postfix work like the manual
 described?
 //*
 
  From my test, I can see default_destination_rate_delay is work well. But I
 do not know why initial_destination_concurrency and
 default_destination_concurrency_limit not work. Because from the document, I
 think if initial_destination_concurrency is 10, postfix will use 10 smtp
 service to do sending. Then that is means 5 mails to the same server will be
 send out at the same time. But in fact, it looks like postfix setup 2 smtp
 for 2 servers, A and B. it will send one mail to A and then wait for 10s as
 my setting. For B it is the same. But how does
 initial_destination_concurrency and default_destination_concurrency_limit
 work? Do you understand my means?
 
 Best regards!
 Coofucoo
 
 
 -----Original Message-----
 From: Noel Jones [mailto:njo...@megan.vbhcs.org]
 Sent: 2009-11-11 3:36
 To: Coofucoo Zhang; postfix-users@postfix.org
 Subject: Re: Re: who know how does initial_destination_concurrency and
 default_destination_concurrency_limit work?
 
 On 11/10/2009 8:51 AM, Coofucoo Zhang wrote:
 Hi Petrik:
 Thanks.
 But could you tell me why? Or which knobs can I use instead? I just want to
 control the sending speed of postfix, how can implement?

 
 What's wrong with postfix default delivery scheduling that it
 needs to be changed?  Describe your problem and you might get
 some expert advice.
 
 At least read the docs before you start twiddling knobs.
 http://www.postfix.org/SCHEDULER_README.html
 http://www.postfix.org/QSHAPE_README.html
 http://www.postfix.org/TUNING_README.html
 


In your main.cf, set default_destination_rate_delay = 1s and
leave all those other parameters at their default.

This will instruct postfix to send no more than 60 messages
per minute.

  -- Noel Jones



Re: analyzing a large deferred queue

2009-11-11 Thread Noel Jones

On 11/10/2009 11:15 PM, Miles Fidelman wrote:

Hi Folks,

The current discussion re. Verizon blacklisting has been very
interesting in terms of log analysis suggestions. It leads me to ask
what seems to be a related question re. a problem I've been having lately.

Over the past couple of weeks I've seen my deferred queue get a LOT
larger than previously. I support a bunch of mailing lists, and have a
lot of addresses that date back more than a decade - so needless to say,
lots of spam comes our way, and gets weeded out. But we also get a lot
of bounceback error messages and such. Typically, I've found that, over
the course of a week, the deferred queue would grow - with most messages
timing out. When the queue grows to a couple of hundred messages, I've
gone in and emptied the queue using pfqueue - in the interests of
cutting down attempted retransmissions of messages that will simply
fail, but perhaps trigger spam blocking mechanisms on the receiving end.

The past couple of weeks, I've seen the deferred queue fill up with 500
or more messages over the course of a few hours - and I've found myself
deleting stuff daily.

Which prompts the question: Can anybody offer suggestions on how to
analyze the contents of the deferred queue - and particularly what to
look for that can be used to tune filters, postfix parameters, and so
forth?

Thanks very much,

Miles Fidelman

In theory, there is no difference between theory and practice.
In practice, there is.  Yogi Berra





Use mailq to see what's being deferred, use postcat to 
view the content of the message.


The general procedure is
- use mailq to see what's deferred
- use postcat to see where the mail originated
- if the message is a non-delivery notice, find where the 
original message originated.


Sometimes deferrals are the result of the receiving system 
just not accepting mail right now.  You can't really do 
anything about those except wait.  They should be delivered 
eventually.


If the deferrals are undeliverable bounces, find the source of 
the original message that caused the bounce and don't accept 
those any more.


If they are undeliverable bogus addresses in your mail lists, 
you need to clean up your lists.  I think most list software 
has tools to help do this automatically; check the docs for 
your list software or ask on a support channel dedicated to it.


  -- Noel Jones
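
The first step of the procedure above (use mailq to see what is deferred and why), as an added example that is not part of the original post. The mailq listing is constructed, the function names are hypothetical, and the grouping into bounce notices versus ordinary mail follows the distinction drawn in the reply.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by mailq; queue IDs, hosts
# and addresses are made up for this example.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3C1A7F0021     2841 Wed Nov 11 02:14:07  MAILER-DAEMON
(connect to mail.forged.example[192.0.2.10]:25: Connection timed out)
                                         fake1@forged.example

7D90B2F0A4     2790 Wed Nov 11 02:15:31  MAILER-DAEMON
(connect to mail.forged.example[192.0.2.10]:25: Connection timed out)
                                         fake2@forged.example

A45E11F0C8*    5120 Wed Nov 11 03:01:55  announce-bounces@lists.example.org
(host mx.example.com[198.51.100.3] said: 450 4.2.1 Mailbox full (in reply to RCPT TO command))
                                         old.subscriber@example.com
                                         other@example.com

-- 10 Kbytes in 3 Requests.
"""

# Queue ID, optional status flag (* = active queue, ! = on hold),
# size, arrival time, envelope sender.
HEAD = re.compile(r"^([0-9A-F]+)([*!]?)\s+(\d+)\s+"
                  r"(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_mailq(text):
    """Parse mailq output into one dict per queued message."""
    entries, cur, reason = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEAD.match(line)
        if head:
            qid, flag, size, arrival, sender = head.groups()
            cur = {"qid": qid, "flag": flag, "size": int(size),
                   "arrival": arrival, "sender": sender, "rcpts": []}
            entries.append(cur)
            reason = None
        elif not line:
            cur = None                      # a blank line ends the entry
        elif cur is not None and line.startswith("(") and line.endswith(")"):
            reason = line[1:-1]             # applies to the recipients below it
        elif cur is not None:
            cur["rcpts"].append((line, reason))
    return entries


def triage(entries):
    """Group deferred recipients by (kind, recipient domain) -> reason counts.

    kind is "bounce-notice" for the null sender (shown as MAILER-DAEMON),
    otherwise "mail".
    """
    groups = {}
    for e in entries:
        kind = "bounce-notice" if e["sender"] == "MAILER-DAEMON" else "mail"
        for rcpt, reason in e["rcpts"]:
            domain = rcpt.rpartition("@")[2].lower()
            groups.setdefault((kind, domain), Counter())[reason] += 1
    return groups


def bounce_notice_ids(entries):
    """Queue IDs of non-delivery notices, the ones to open with postcat
    to find where the original message came from."""
    return [e["qid"] for e in entries if e["sender"] == "MAILER-DAEMON"]


if __name__ == "__main__":
    parsed = parse_mailq(SAMPLE_MAILQ)
    for (kind, domain), reasons in sorted(triage(parsed).items()):
        for reason, n in reasons.most_common():
            print(f"{n:3d} {kind:13s} {domain:22s} {reason}")
    print("inspect with postcat:", " ".join(bounce_notice_ids(parsed)))
```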


Re: Blacklisted on Verizon

2009-11-11 Thread Chris Arnold
On 11/11/09 7:55 AM, /dev/rob0 r...@gmx.co.uk wrote:

 On Wednesday 11 November 2009 06:14:08
dhottin...@harrisonburg.k12.va.us wrote:
 Quoting Stan Hoeppner s...@hardwarefreak.com:
 You should be concentrating your focus on the Senders by
 message count section.
 
 Wouldn't the logwatch from the server list top users by emails?
 
 Perhaps, but I missed the part where the OP mentioned that he was
 using logwatch.
Not using logwatch that I know of.

 Nevertheless I fail to see the relevance. Possibly
 the OP's system is spewing spam, and all the helpful advice given in
 this thread has gotten the OP not one bit closer to finding the
 perpetrator and fixing the problem.
No, the advice here has helped with troubleshooting where the spam is coming
from or finding the compromised system/script

 Senders by message count is ENVELOPE SENDER, in the case of spam,
 completely useless. If the OP has, as I might guess, a compromised
 httpd + PHP script, for example, the envelope sender will probably
 change for EACH spam it sends.
Looking into this now
 
 Absolute rubbish. I will say that pflogsumm.pl is a fine tool, but
 the suggestion thereof, and this entire thread, has been nothing but
 a distraction from the work that the OP needs to do immediately.
 
 I wrote:
 What are some things I should be looking for in the pflogsumm.pl
 report?
 
 0. Not the summary, look at the actual logs.
 1. Find a suspected spam. This will be easy if you start with one
that was rejected by Verizon or other operator.
 2. Trace that back to where it entered the queue.
 3. Apply LART as necessary.
 4. Review DEBUG_README.html#mail if questions still exist at this
point. You can mung a specific email address if desired, but
domain names and IP addresses might be very important.
 
 One step I neglected to mention in my previous post: postfix stop.
 Your damage increases with every spam you send.
I don't believe this hosting service will want to kill email but will bring
it to their attention




Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Patrick Ben Koetter
* Ali Majdzadeh ali.majdza...@gmail.com:
 Patrick,
 Thanks for your reply. So if I have concluded correctly, the following
 configuration is the one which should bring together gssapi, plain and
 cram-md5 authentication mechanisms:

It should. I have never done this myself.

 pwcheck_method: saslauthd auxprop
 mech_list: gssapi plain cram-md5
 saslauthd_path: /var/run/saslauthd/mux
 keytab: /etc/krb5.keytab
 auxprop_plugin: sasldb
 
 But, you say that currently this does not work. True?

It does not work, if you use saslauthd alone. You need an auxprop_plugin to
get access to shared-secret mechs.

 What about ldapdb? I mean, is there actually any way to achieve such a setup?

ldapdb gives access to OpenLDAP. If (!) you store the userpassword values in
plaintext, then you can use shared-secret mechanisms, such as CRAM-MD5 (and
also DIGEST-MD5 and NTLM).

 Is it possible to use ldapdb in a way that eliminates the need to duplicate
 the credentials?

AFAIK you still need to run ldapdb - OpenLDAP and Kerberos in parallel.
Single entry password maintenance should be possible using an OpenLDAP
overlay, which IIRC changes passwords in OpenLDAP and kerberos at the same
time. I don't remember the overlay's name, though. Maybe it's best to ask the
openldap mailing list how you can use kerberos and LDAP at the same time and
then see how that goes together with SMTP AUTH.

p...@rick



 
 Kind Regards
 Ali Majdzadeh Kohbanani
 
 2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
 
  * Ali Majdzadeh ali.majdza...@gmail.com:
   Patrick,
   Hi
   Thanks for your mail. I use the following options in smtpd.conf:
  
   mech_list: gssapi plain
   pwcheck_method: saslauthd
   saslauthd_path: /var/run/saslauthd/mux
   keytab: /etc/krb5.keytab
  
   and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
   mechanisms. How is it possible to add cram-md5 mechanism?
 
  Sorry, but no. saslauthd is unable to handle shared-secret mechanisms. You
  could, theoretically, tell libsasl to query different pwcheck_methods like
  this:
 
  pwcheck_method: saslauthd auxprop
  mech_list: gssapi plain cram-md5
  saslauthd_path: /var/run/saslauthd/mux
  keytab: /etc/krb5.keytab
  auxprop_plugin: sasldb
 
  libsasl would first try verification using saslauthd and if that fails it
  would turn to auxprop sasldb. This backend COULD provide cram-md5, but you
  would have to provide credentials in your kerberos backend AND in sasldb,
  which IMHO is a pain to support and somehow renders all the security efforts
  for GSSAPI and kerberos useless, because you store the same credentials in
  plaintext in a local database file.
 
   By the way, I do know about sasldb and auxprop, but what I plan to achieve
   is to have cram-md5 mechanism while supporting plain mechanism using
   saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI
   support.
 
  AFAIK this is not possible at the moment.
 
  p...@rick
 
 
 
  
   Kind Regards
   Ali Majdzadeh Kohbanani
  
   2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
  
* Ali Majdzadeh ali.majdza...@gmail.com:
 Hello All
 Is it possible to have both PLAIN and CRAM-MD5 authentication
 mechanisms using SASL?
   
Yes. The password must be stored as plaintext. Then plaintext and
shared-secret mechanisms will work.
   
p...@rick
   
   
 
 

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/


Re: Relaying problems

2009-11-11 Thread Charles Marcus
On 11/10/2009, Alex (mysqlstud...@gmail.com) wrote:
 I'm still using postfix-1.x,

Most people here would stop reading there and press/click delete (or
some might simply click 'Reply' and add the words 'upgrade').

So... UPGRADE. It is time.

 is there going to be significant configuration changes to upgrade to
 the current from 1.x?

Easily answered for yourself with a little reading...

 the source IP is not one from the pop-before-smtp database

And you'd lose a lot of people here too. Pop-b4-smtp is insecure, and
its use is strongly discouraged.


Ldap virtual_alias_maps challenge

2009-11-11 Thread Søren Schrøder
Greetings postfixers

I have a address-rewriting issue that I cannot find a golden solution for

in ldap (shortened for clarity) I have the following attributes:

uid: abc123
mail: abc...@example.com
alias: alias...@example.com
forward: forward...@anotherexample.com
keep: abc...@example.com

when a mail for the *alias* arrives, I want to tee it, using virtual_alias_maps:

alias...@example.com -> alias...@example.com, alias...@rewrite.example.com

when a mail arrives for mail OR alias, I want to check if I should
forward it (and eventual keep a local copy), using virtual_alias_map
again

abc...@example.com -> forward...@anotherexample.com, abc...@example.com

So my initial idea was to do:

virtual_alias_maps = ldap:/path/tee.cf,ldap:/path/fwd.cf

where

tee.cf:

query_filter = (&(objectClass=MailRecipient)(alias=%s))
result_attribute = alias
result_format = %...@rewrite.example.com,%...@example.com

fwd.cf:

query_filter = (&(objectClass=MailRecipient)(|(mail=%s)(alias=%s)))
result_attribute = forward, keep


This works fine if incoming is for the mail, then the fwd kicks in,
and forwards/keeps local copy

if incoming is for the alias, there is local delivery, and a tee for
the rewrite domain, but the forward check isn't done, since the first
lookup was a hit.

I cannot come up with just one ldap-query/result that returns

alias...@example.com, alias...@rewrite.example.com,
forward...@anotherexample.com, abc...@example.com

for the incoming to the alias

and

forward...@anotherexample.com, abc...@example.com

for the incoming to the mail.

any suggestions on howto ???


I have one suggestion myself, and that is to add an attribute called
rewrite with value abc...@rewrite.example.com
and then do

tee.cf:

query_filter = (&(objectClass=MailRecipient)(alias=%s))
result_attribute = alias,rewrite,forward,keep

but I hate the idea of maintaining (and keep sync'ed) redundant data
in the ldap, since the alias attribute is user-updateable (and ldap is
1.5M accounts)

-- 
Søren Schrøder.
Obey Gravity - It's the law !


Re: Blacklisted on Verizon

2009-11-11 Thread Chris Arnold
On 11/11/09 7:55 AM, /dev/rob0 r...@gmx.co.uk wrote:

 Senders by message count is ENVELOPE SENDER, in the case of spam,
 completely useless. If the OP has, as I might guess, a compromised
 httpd + PHP script, for example, the envelope sender will probably
 change for EACH spam it sends.
/bin/ps ax -eostate,pid,ppid --sort=state 2>/dev/null | grep ^Z
Reveals
Z  1401  2952
Z 11675  2952
Z 20155  2952
Z 27079  2952
And ps aux | grep *then the pid # reveals:
500       1401  0.0  0.0      0     0 ?        Z    07:09   0:00 [freshclam] <defunct>
root     18209  0.0  0.0   4048   688 pts/0    R+   09:29   0:00 grep 1401
All of these pid's are defunct freshclam zombies, it appears.




safe way to remove corrupt files.

2009-11-11 Thread Robert Lopez
On one instance of an email gateway there are two files ...
[r...@mg05 log]# ls -l /var/spool/postfix/corrupt
total 4660
-rwx------ 1 postfix postfix 2183168 2009-08-30 21:06 2C9ED9BB*
-rwx------ 1 postfix postfix 2588672 2009-10-02 06:46 939DD23CA*

The postcat of them show unexpected EOF in data and I suspect they
were simply too large. Is the safe way to deal with them just to
remove them?

Is postsuper -d corrupt/2C9ED9BB the (best) way to remove them?

The obligatory information...
Considering the following, there are some mydestination and parameter
order changes I am testing that have not yet been made on this
production system.
[r...@mg05 log]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 16777216
mydestination = $myhostname, $mydomain, localhost.localdomain,
cnm.edu, mail.cnm.edu, mg01.cnm.edu, mg02.cnm.edu, mg03.cnm.edu,
mg04.cnm.edu, mg05.cnm.edu, nmvc.org, mail.nmvc.org, mg01.nmvc.org,
mg02.nmvc.org, mg03.nmvc.org, mg04.nmvc.org, mg05.nmvc.org,
nmvirtualcollege.org, mail.nmvirtualcollege.org,
mg01.nmvirtualcollege.org, mg02.nmvirtualcollege.org,
mg03.nmvirtualcollege.org, mg04.nmvirtualcollege.org,
mg05.nmvirtualcollege.org, nmln.net, ideal-nm.org, ideal-nm.net,
idealnm.org, idealnm.net
myhostname = mg05.cnm.edu
mynetworks = 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24,
172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
[:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
notify_classes = resource,software
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = cnm.edu
smtpd_client_restrictions = permit_mynetworks
hash:/etc/postfix/whitelist reject_rbl_client
zen.spamhaus.org reject_rbl_client bl.spamcop.net
reject_rbl_client
dnsbl.njabl.org reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.4 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.5 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.6 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.7 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.8 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.9 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.10 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.11 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.13 permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/overquota reject_non_fqdn_sender
reject_unknown_sender_domain reject_non_fqdn_recipient
reject_unknown_recipient_domain reject_unlisted_recipient
permit_mynetworks reject_unauth_destination
reject_unauth_pipelining reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/greylist check_sender_access
hash:/etc/postfix/sender_access permit_mynetworks
reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: Test e-mailservice

2009-11-11 Thread Michael Saldivar
On Wed, Nov 11, 2009 at 1:54 AM, Martijn de Munnik mart...@youngguns.nl wrote:

 Hi,

 Of course I don't want this to happen again in the future. How do people
 test their mail server periodically? So far we use webmin which tries to
 connect to port 25, 110 and 143 and checks if the greeting is correct. If
 one of these connections fail we get a phone call. I can't check services
 which are only running on localhost because webmin is checking from a
 remote host.

 Thanks,
 Martijn






I use the open-source monitoring tool http://www.nagios.org/ combined with
NRPE to monitor all my servers and services.

-- 
Mike Saldivar
Direct Financial Solutions
Information Systems Manager
Desk: 435-774-8252
Cell: 435-881-3778


How to reduce speed for certain domains

2009-11-11 Thread Dhiraj Chatpar
Dear All,

I need to know how to reduce the sending speed or put in a delay of like 2
seconds before delivery to some of the domains.

Namely yahoo, hotmail and a few others.

Please help me and tell me how i can achieve this in postfix.

Rgsd
Dhiraj


Stephen Leacock http://www.brainyquote.com/quotes/authors/s/stephen_leacock.html
- I detest life-insurance agents: they always argue that I shall some day
die, which is not so.


quick and dirty SASL

2009-11-11 Thread Rick Zeman
Howdy,

I have sasl installed and postfix uses it for its outbound relay just
fine.  I need now for a smart phone or two to use postfix to send
mail.  Am I correct that there's no mechanism like
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password for smtpd?
 Just need a quick and dirty one or two username auth.
What do you experts think is the best/easiest (yes, might not be the
same thing!) way to do this?

Thanks!

$ postconf -n
address_verify_sender = 
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp2:127.0.0.1:10025
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 4
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 3058
mydestination = $myhostname, localhost.$mydomain $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = -
relayhost = [outgoing.verizon.net]
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_loglevel = 0
smtp_tls_session_cache_database =
btree:/var/spool/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_banner = mail.pointyears.net ESMTP: $mail_name $mail_version
smtpd_client_restrictions = permit_mynetworks reject_rbl_client
sbl-xbl.spamhaus.org permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks   reject_invalid_hostname
check_helo_access hash:/etc/postfix/helo_access  permit
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated   reject_unauth_destination   
check_recipient_access
hash:/etc/postfix/deniedusers
reject_unverified_recipient check_policy_service
unix:private/tumgreyspf permit
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550


Re: safe way to remove corrupt files.

2009-11-11 Thread Wietse Venema
Robert Lopez:
 On one instance of an email gateway there are two files ...
 [r...@mg05 log]# ls -l /var/spool/postfix/corrupt
 total 4660
 -rwx------ 1 postfix postfix 2183168 2009-08-30 21:06 2C9ED9BB*
 -rwx------ 1 postfix postfix 2588672 2009-10-02 06:46 939DD23CA*

You can find the history of these files in the maillog file.

 The postcat of them show unexpected EOF in data and I suspect they
 were simply too large.

The execute file permission means that the file was already fully
written to the file system. You can't have incomplete queue files
with the execute bit, unless you have a) a file system with delayed
errors or b) a corrupted file system.

 Is the safe way to deal with them just to
 remove them?
 
 Is postsuper -d corrupt/2C9ED9BB the (best) way to remove them?

postsuper -d 2C9ED9BB

Every name is supposed to be unique (if it isn't you have mail
queue corruption caused perhaps by the use of non-Postfix programs
on Postfix queue files).

Wietse


Re: quick and dirty SASL

2009-11-11 Thread Eero Volotinen

Rick Zeman wrote:

Howdy,

I have sasl installed and postfix uses it for its outbound relay just
fine.  I need now for a smart phone or two to use postfix to send
mail.  Am I correct that there's no mechanism like
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password for smtpd?
 Just need a quick and dirty one or two username auth.
What do you experts think is the best/easiest (yes, might not be the
same thing!) way to do this?



Dovecot sasl:

http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

--
Eero


Re: quick and dirty SASL

2009-11-11 Thread Rick Zeman
On Wed, Nov 11, 2009 at 11:06 AM, Eero Volotinen eero.voloti...@iki.fi wrote:
 Rick Zeman wrote:

 Howdy,

 I have sasl installed and postfix uses it for its outbound relay just
 fine.  I need now for a smart phone or two to use postfix to send
 mail.  Am I correct that there's no mechanism like
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_password for smtpd?
  Just need a quick and dirty one or two username auth.
 What do you experts think is the best/easiest (yes, might not be the
 same thing!) way to do this?


 Dovecot sasl:

 http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Whoops...been so long since I set that up that I should have mentioned
I have cyrus sasl installed.


Re: Relaying problems

2009-11-11 Thread Alex
Hi,

 I'm still using postfix-1.x,

 Most people here would stop reading there and press/click delete (or
 some might simply click 'Reply' and add the words 'upgrade').

 So... UPGRADE. It is time.

Thanks for hitting me with the well-deserved clue-bat. Advice well taken.

Now, what if I said I was still using bind-4? Heh, just joking :-)

Thanks again,
Alex


Re: How to reduce speed for certain domains

2009-11-11 Thread Wietse Venema
Dhiraj Chatpar:
 Dear All,
 
 I need to know how to reduce the sending speed or put in a delay of like 2
 seconds before delivery to some of the domains.
 
 Namely yahoo, hotmail and a few others.
 
 Please help me and tell me how i can achieve this in postfix.

http://www.postfix.org/QSHAPE_README.html

Look for the example with slow_destination_rate_delay.

Wietse


Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Victor Duchovni
On Wed, Nov 11, 2009 at 11:21:33AM +0330, Ali Majdzadeh wrote:

 mech_list: gssapi plain
 pwcheck_method: saslauthd
 saslauthd_path: /var/run/saslauthd/mux
 keytab: /etc/krb5.keytab
 
 and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
 mechanisms. How is it possible to add cram-md5 mechanism?

Why bother? Between GSSAPI and PLAIN, you are offering both ends of the
spectrum. Cram-md5 just forces you to store plain-text passwords, which is
rarely a good idea.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.
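
Why CRAM-MD5 needs the stored plaintext, as discussed in this reply and in Patrick Ben Koetter's replies earlier in the thread; this is an added example, not code from Cyrus SASL or from any poster. The record layout and function names are hypothetical, the PBKDF2 record stands in for any backend that only checks a password it is handed, and the test vector is the one published in RFC 2195.

```python
import hashlib
import hmac
import os

# Test vector from RFC 2195 (the CRAM-MD5 specification).
RFC_SECRET = "tanstaaftanstaaf"
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC_DIGEST = "b913a602c7eda7a495b4e6e7334d3890"


def cram_md5_digest(secret, challenge):
    """Client response: HMAC-MD5 keyed with the shared secret itself."""
    return hmac.new(secret.encode(), challenge.encode(),
                    hashlib.md5).hexdigest()


def plaintext_record(password):
    """What a plaintext secret store keeps (hypothetical layout)."""
    return {"plaintext": password}


def hashed_record(password, salt=None):
    """What a verify-only backend keeps: a salted one-way hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}


def verify_plain(record, password):
    """PLAIN hands the server the password, so either record type works."""
    if "plaintext" in record:
        return hmac.compare_digest(record["plaintext"].encode(),
                                   password.encode())
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["hash"])


def verify_cram_md5(record, challenge, client_digest):
    """CRAM-MD5 never sends the password; the server must recompute the
    HMAC, which needs the secret itself as the key.

    Returns True/False, or None when the record cannot support the
    mechanism at all (only a one-way hash is stored).
    """
    if "plaintext" not in record:
        return None
    expected = cram_md5_digest(record["plaintext"], challenge)
    return hmac.compare_digest(expected.encode(), client_digest.encode())


if __name__ == "__main__":
    response = cram_md5_digest(RFC_SECRET, RFC_CHALLENGE)
    print("client response digest:", response)
    print("PLAIN    vs hashed store   :",
          verify_plain(hashed_record(RFC_SECRET), RFC_SECRET))
    print("CRAM-MD5 vs hashed store   :",
          verify_cram_md5(hashed_record(RFC_SECRET), RFC_CHALLENGE, response))
    print("CRAM-MD5 vs plaintext store:",
          verify_cram_md5(plaintext_record(RFC_SECRET), RFC_CHALLENGE, response))
```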


Re: quick and dirty SASL

2009-11-11 Thread Mauricio Tavares
On Wed, Nov 11, 2009 at 12:05 PM, Eero Volotinen eero.voloti...@iki.fi wrote:
 Rick Zeman wrote:

 On Wed, Nov 11, 2009 at 11:20 AM, Eero Volotinen eero.voloti...@iki.fi
 wrote:

 Rick Zeman wrote:

 http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

 Whoops...been so long since I set that up that I should have mentioned
 I have cyrus sasl installed.

 Maybe you can still use dovecot on different port for sasl? If not then
 you
 need the ugly cyrus setup?

 I can't even do the ugly cyrus setup.  saslpasswd2 segfaults on me.


 Well. then you need to use dovecot? I think you can disable imap from
 dovecot and use only authentication socket using postfix?

 Then just create some local users (using adduser+passwd) for sasl and
 configure authentication to mobile phone using created accounts?

  AFAIK, there is a line (protocols) on the top of dovecot.conf
that tells it if it is going to do imap or pop. So, if you disable
that, you should be good. You will also need something like

  socket listen {
 client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
 }
  }

 in dovecot.conf. But I am digressing... =)

FYI, cyrus-sasl drove me nuts...

 --
 Eero



Re: Re: Re: who know how does initial_destination_concurrency and default_destination_concurrency_limit work?

2009-11-11 Thread Victor Duchovni
On Wed, Nov 11, 2009 at 07:30:47AM -0600, Noel Jones wrote:

 In your main.cf, set default_destination_rate_delay = 1s and
 leave all those other parameters at their default.
 
 This will instruct postfix to send no more than 60 messages
 per minute.

This will apply to all transports, not just smtp. If all mail is
sent to remote destinations, that's fine; otherwise, one may want
to be more selective:

smtp_destination_rate_delay = 1s

-- 
Viktor.



Re: Re: Re: who know how does initial_destination_concurrency and default_destination_concurrency_limit work?

2009-11-11 Thread Dhiraj Chatpar
Dear Sir,

I have tried default concurrency =1 and initial concurrency =1, but both of
them don't reduce the speed of delivering the emails. Can you please guide me
with a way by which I can reduce the sending of emails to very slow?

Please help

Rgds
Dhiraj


Ted Turner http://www.brainyquote.com/quotes/authors/t/ted_turner.html  -
Sports is like a war without the killing.

On Thu, Nov 12, 2009 at 00:04, Victor Duchovni 
victor.ducho...@morganstanley.com wrote:

 On Wed, Nov 11, 2009 at 07:30:47AM -0600, Noel Jones wrote:

  In your main.cf, set default_destination_rate_delay = 1s and
  leave all those other parameters at their default.
 
  This will instruct postfix to send no more than 60 messages
  per minute.

 This will apply to all transports, not just smtp, if all mail is
 sent to remote destinations, that's fine, otherwise, one may want
 be more selective:

smtp_destination_rate_delay = 1s

 --
Viktor.




Re: Re: Re: who know how does initial_destination_concurrency and default_destination_concurrency_limit work?

2009-11-11 Thread Wietse Venema
 Ted Turner http://www.brainyquote.com/quotes/authors/t/ted_turner.html  -
 Sports is like a war without the killing.
 
 On Thu, Nov 12, 2009 at 00:04, Victor Duchovni 
 victor.ducho...@morganstanley.com wrote:
 
  On Wed, Nov 11, 2009 at 07:30:47AM -0600, Noel Jones wrote:
 
   In your main.cf, set default_destination_rate_delay = 1s and
   leave all those other parameters at their default.
  
   This will instruct postfix to send no more than 60 messages
   per minute.
 
  This will apply to all transports, not just smtp, if all mail is
  sent to remote destinations, that's fine, otherwise, one may want
  be more selective:
 
 smtp_destination_rate_delay = 1s

Dhiraj Chatpar:
 Dear Sir,
 
 I have tried default concurrency =1 and initial concurrency =1. but both of
 them don't reduce the speed of delivering the emails. Can you please guide me
 with a way by which I can reduce the sending of emails to very slow..

You need to set the appropriate _destination_rate_delay parameter,
instead of the concurrency parameters.

Then you need to execute postfix reload or else these changes
have no effect at all.

Wietse


Transport question

2009-11-11 Thread Cameron Smith
Hello,

When entering smtp and smtps in transport I am getting an error:
postmap: warning: /etc/postfix/transport.db: duplicate entry: example.com


example.com   smtp:[10.2.4.7]
example.com   smtps:[10.2.4.7]

What is the correct syntax to have both?

Thank you,
Cameron


Re: Transport question

2009-11-11 Thread Noel Jones

On 11/11/2009 2:53 PM, Cameron Smith wrote:

Hello,

When entering smtp and smtps in transport I am getting an error:
postmap: warning: /etc/postfix/transport.db: duplicate entry: example.com


example.com   smtp:[10.2.4.7]
example.com   smtps:[10.2.4.7]

What is the correct syntax to have both?


You can't.  What are you trying to solve?

  -- Noel Jones


Re: Transport question

2009-11-11 Thread Victor Duchovni
On Wed, Nov 11, 2009 at 12:53:05PM -0800, Cameron Smith wrote:

 Hello,
 
 When entering smtp and smtps in transport I am getting an error:
 postmap: warning: /etc/postfix/transport.db: duplicate entry: example.com
 
 
 example.com   smtp:[10.2.4.7]
 example.com   smtps:[10.2.4.7]
 
 What is the correct syntax to have both?

There is no such syntax. Each recipient address resolves to exactly
one transport. What do you expect smtps to do anyway? If you want
STARTTLS, the smtp transport will do that either opportunistically,
or on a per-destination basis:

http://www.postfix.org/TLS_README.html#client_tls_levels
http://www.postfix.org/TLS_README.html#client_tls_policy
http://www.postfix.org/TLS_README.html#client_tls_may
http://www.postfix.org/TLS_README.html#client_tls_encrypt
http://www.postfix.org/TLS_README.html#client_tls_secure

-- 
Viktor.



Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Ali Majdzadeh
Patrick,
Thanks a lot for your help. I will test the mentioned configuration and will
post the results to the list. I hope it works. Unfortunately, I do not have
so much knowledge about LDAP, but I do know that it is possible to store
Kerberos principals in an LDAP structure. Well, I don't know whether that is
useful or not.
Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11, Patrick Ben Koetter p...@state-of-mind.de:

 * Ali Majdzadeh ali.majdza...@gmail.com:
  Patrick,

  Thanks for your reply. So if I have concluded correctly, the following
  configuration is the one which should bring together gssapi, plain and
  cram-md5 authentication mechanisms:


 It should. I have never done this myself.


  pwcheck_method: saslauthd auxprop
  mech_list: gssapi plain cram-md5
  saslauthd_path: /var/run/saslauthd/mux
  keytab: /etc/krb5.keytab
  auxprop_plugin: sasldb
 
  But, you say that currently this does not work. True?


 It does not work, if you use saslauthd alone. You need an auxprop_plugin to
 get access to shared-secret mechs.


  What about ldapdb? I mean, is there actually anyway to achieve such a
 setup?


 ldapdb gives access to OpenLDAP. If (!) you store the userpassword values
 in
 plaintext, then you can use shared-secret mechanisms, such as CRAM-MD5 (and
 also DIGEST-MD5 and NTLM).


  Is it possible to use ldapdb in a way that eliminates the need to
 duplicate
  the credentials?


 AFAIK you still need to run ldapdb - OpenLDAP and Kerberos in parallel.
 Single entry password maintenance should be possible using an OpenLDAP
 overlay, which IIRC changes passwords in OpenLDAP and kerberos at the same
 time. I don't remember the overlay's name, though. Maybe it's best to ask the
 openldap mailing list how you can use kerberos and LDAP at the same time
 and then see how that goes together with SMTP AUTH.


 p...@rick



 
  Kind Regards
  Ali Majdzadeh Kohbanani
 
  2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
 
   * Ali Majdzadeh ali.majdza...@gmail.com:
Patrick,
Hi
Thanks for your mail. I use the following options in smtpd.conf:
   
mech_list: gssapi plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
   
and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
mechanisms. How is it possible to add cram-md5 mechanism?
  
   Sorry, but no. saslauthd is unable to handle shared-secret mechanisms.
 You
   could, theoretically, tell libsasl to query different pwcheck_methods
 like
   this:
  
   pwcheck_method: saslauthd auxprop
   mech_list: gssapi plain cram-md5
   saslauthd_path: /var/run/saslauthd/mux
   keytab: /etc/krb5.keytab
   auxprop_plugin: sasldb
  
   libsasl would first try verification using saslauthd and if that fails
 it
   would turn to auxprop sasldb. This backend COULD provide cram-md5,
 but
   you
   would have to provide credentials in your kerberos backend AND in
 sasldb,
   which IMHO is a pain to support and somehow renders all the security
   efforts
   for GSSAPI and kerberos useless, because you store the same credentials
 in
   plaintext in a local database file.
  
By the way, I do know about sasldb and auxprop, but what I plan to
   achieve
is to have cram-md5 mechanism while supporting plain mechanism using
saslauthd, PAM and pam_krb5.so. I have got no problems using native
   GSSAPI
support.
  
   AFAIK this is not possible at the moment.
  
   p...@rick
  
  
  
   
Kind Regards
Ali Majdzadeh Kohbanani
   
2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
   
 * Ali Majdzadeh ali.majdza...@gmail.com:
  Hello All
  Is it possible to have both PLAIN and CRAM-MD5 authentication
  mechanisms using SASL?

 Yes. The password must be stored as plaintext. Then plaintext and
 shared-secret mechanisms will work.

 p...@rick

 --
 All technical questions asked privately will be automatically
 answered
   on
 the
 list and archived for public access unless privacy is explicitely
   required
 and
 justified.

 saslfinger (debugging SMTP AUTH):
 http://postfix.state-of-mind.de/patrick.koetter/saslfinger/

  
  





Re: Transport question

2009-11-11 Thread Cameron Smith
I have a mail server on my lan and I want it to route mail sent from it
through my mail gateway. It was working with smtp and mail headers were
showing that route.

Then I tried to move to smtps and I can send but the mail is no longer
routing to the gateway, it is sending directly from the mailserver.

What do I need to change?

Thanks,
Cameron

On Wed, Nov 11, 2009 at 12:57 PM, Noel Jones njo...@megan.vbhcs.org wrote:

 On 11/11/2009 2:53 PM, Cameron Smith wrote:

 Hello,

 When entering smtp and smtps in transport I am getting an error:
 postmap: warning: /etc/postfix/transport.db: duplicate entry: example.com


 example.com   smtp:[10.2.4.7]
 example.com   smtps:[10.2.4.7]


 What is the correct syntax to have both?


 You can't.  What are you trying to solve?

  -- Noel Jones



Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Ali Majdzadeh
Viktor,
Thanks for your attention. You are right, but unfortunately we have got some
in-house developed mail clients which are bound to use cram-md5
authentication mechanism. Well, I think I should investigate on integrating
LDAP to our architecture and figure out the new opportunities.
Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11, Victor Duchovni victor.ducho...@morganstanley.com:

 On Wed, Nov 11, 2009 at 11:21:33AM +0330, Ali Majdzadeh wrote:

  mech_list: gssapi plain
  pwcheck_method: saslauthd
  saslauthd_path: /var/run/saslauthd/mux
  keytab: /etc/krb5.keytab
 
  and I am able to use GSSAPI and PLAIN (Over PAM using pam_krb5.so)
  mechanisms. How is it possible to add cram-md5 mechanism?


 Why bother? Between GSSAPI and PLAIN, you are offering both ends of the
 spectrum. Cram-md5 just forces you store plain-text passwords, which is
 rarely a good idea.

 --
 Viktor.




Re: Transport question

2009-11-11 Thread Noel Jones

On 11/11/2009 3:03 PM, Cameron Smith wrote:

I have a mail server on my lan and I want it to route mail sent from it
through my mail gateway. It was working with smtp and mail headers were
showing that route.

Then I tried to move to smtps and I can send but the mail is no longer
routing to the gateway, it is sending directly from the mailserver.

What do I need to change?

Thanks,
Cameron


[please don't top post]

The standard postfix smtp client supports STARTTLS encryption 
automatically if postfix is built with TLS support.

http://www.postfix.org/TLS_README.html#client_tls_levels

If you're trying to use the deprecated smtps TLS wrappermode, 
postfix doesn't do that by itself.  Here's a workaround:

http://www.postfix.org/TLS_README.html#client_smtps

  -- Noel Jones


Re: Test e-mailservice

2009-11-11 Thread Phillip Smith
2009/11/12 Michael Saldivar mike.saldi...@advocatecreditrepair.com:
 I use the open-source monitoring tool http://www.nagios.org/ combined with
 NRPE to monitor all my servers and services.

+1

NRPE allows you to connect to the system being monitored, and execute
any command on the local system, returning the result to the Nagios
server. In your case, you could either check for TCP connectivity on
127.0.0.1:10024 or use the check_procs plugin to see if the process is
running -- or both.

If firewalls etc prevent you configuring the Monitoring server
connecting to the Mail Server to initiate NRPE checks, then you can
use NSCA which is basically the same thing, except the machine being
monitored is responsible for checking the status, and sending
notifications to the monitoring server (passive checks).


Re: Test e-mailservice

2009-11-11 Thread Eero Volotinen

Phillip Smith wrote:

2009/11/12 Michael Saldivar mike.saldi...@advocatecreditrepair.com:

I use the open-source monitoring tool http://www.nagios.org/ combined with
NRPE to monitor all my servers and services.


+1

NRPE allows you to connect to the system being monitored, and execute
any command on the local system, returning the result to the Nagios
server. In your case, you could either check for TCP connectivity on
127.0.0.1:10024 or use the check_procs plugin to see if the process is
running -- or both.


This page also contains nice trick to check server against rbl list:

http://www.linuxjournal.com/content/monitoring-email-nagios

It is also possible to use snmp to monitor, restart or execute (snmp 
exec / procfix) commands on remote system:


http://www.logix.cz/michal/devel/nagios/ and
http://www.packetmischief.ca/network/monitoring/postfix/#snmp

--
Eero


Re: A question about plain and cram-md5 authentication mechanisms

2009-11-11 Thread Patrick Ben Koetter
* Ali Majdzadeh ali.majdza...@gmail.com:
 Patrick,
 Thanks a lot for your help. I will test the mentioned configuration and will
 post the results to the list. I hope it works. Unfortunately, I do not have
 so much knowledge about LDAP, but I do know that it is possible to store
 Kerberos principals in an LDAP structure. Well, I don't know whether that is
 useful or not.

I think Victor put it right: You already have the best of both worlds with
PLAIN (low entry barrier, protection over TLS possible) and GSSAPI (high entry
barrier, protected in itself). Why go for CRAM-MD5, when this means you need
to lower the shields and store credentials in plain.

p...@rick

-- 
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15  Telefon +49 89 3090 4664
81669 München          Telefax +49 89 3090 4666

Amtsgericht München    Partnerschaftsregister PR 563
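
The storage trade-off discussed in this thread, as an added example that is not from any poster or from Cyrus SASL: a PLAIN login hands the server the password, so a yes/no verifier that keeps only salted hashes (the role saslauthd plays here) can check it, while CRAM-MD5 hands over only an HMAC-MD5 of a one-time challenge, which the server can recompute only from a recoverable copy of the secret. The class and function names, the PBKDF2 hashing and the credentials are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class YesNoBackend:
    """Stand-in for a saslauthd-style verifier: it stores only salted hashes
    and answers one question, "is this user/password pair valid?"."""

    def __init__(self):
        self._db = {}

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, hash_password(password, salt))

    def check(self, user: str, password: str) -> bool:
        if user not in self._db:
            return False
        salt, stored = self._db[user]
        return hmac.compare_digest(stored, hash_password(password, salt))


def plain_client(user: str, password: str) -> bytes:
    """PLAIN: the client sends authzid NUL authcid NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode())


def plain_server(backend: YesNoBackend, message: bytes) -> bool:
    """The server receives the password itself, so it can ask the backend."""
    _authzid, user, password = base64.b64decode(message).decode().split("\0")
    return backend.check(user, password)


def cram_challenge(hostname: str) -> bytes:
    """CRAM-MD5: the server sends a fresh challenge for every attempt."""
    return f"<{os.urandom(8).hex()}@{hostname}>".encode()


def cram_client(user: str, password: str, challenge: bytes) -> bytes:
    """The client returns user + HMAC-MD5(key=password, msg=challenge)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def cram_server(secrets: dict, challenge: bytes, response: bytes) -> bool:
    """The server must recompute the HMAC, so it needs the shared secret in
    recoverable form (what an auxprop store such as sasldb supplies)."""
    user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    if user not in secrets:
        return False
    expected = hmac.new(secrets[user].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def demo() -> dict:
    user, password = "alice", "correct horse"  # constructed credentials
    backend = YesNoBackend()
    backend.add_user(user, password)

    challenge = cram_challenge("mail.example.com")
    response = cram_client(user, password, challenge)
    digest = base64.b64decode(response).decode().rpartition(" ")[2]

    return {
        "plain_via_backend": plain_server(backend, plain_client(user, password)),
        "plain_wrong_password": plain_server(backend, plain_client(user, "guess")),
        # After CRAM-MD5 the server holds only a one-time digest; passing that
        # to the yes/no backend as if it were a password cannot succeed.
        "cram_via_backend": backend.check(user, digest),
        "cram_with_plaintext_store": cram_server({user: password}, challenge, response),
        "cram_replayed_on_new_challenge": cram_server(
            {user: password}, cram_challenge("mail.example.com"), response),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
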



Re: Transport question

2009-11-11 Thread Cameron Smith
On Wed, Nov 11, 2009 at 2:35 PM, Eero Volotinen eero.voloti...@iki.fi wrote:


  My original issue is still existing in that mail is no longer routing
 through my mail gateway but is being sent directly from the mail server.


 Any pointers in how to trouble shoot this?


 transport maps:

 http://www.postfix.org/transport.5.html ,
 http://www.nooblet.org/blog/2007/postfix-transport-maps-diverting-mail-traffic/

 smarthost:

 http://embraceubuntu.com/2005/09/07/setting-a-smarthost-in-postfix/

 and again:

 http://www.postfix.org/STANDARD_CONFIGURATION_README.html

 --
 Eero


Thank you Eero,

I will look into those links.

Cameron


Re: Test e-mailservice

2009-11-11 Thread Cameron Smith
On Wed, Nov 11, 2009 at 2:29 PM, Eero Volotinen eero.voloti...@iki.fi wrote:

 Phillip Smith wrote:

 2009/11/12 Michael Saldivar mike.saldi...@advocatecreditrepair.com:

 I use the open-source monitoring tool http://www.nagios.org/ combined
 with
 NRPE to monitor all my servers and services.


 +1

 NRPE allows you to connect to the system being monitored, and execute
 any command on the local system, returning the result to the Nagios
 server. In your case, you could either check for TCP connectivity on
 127.0.0.1:10024 or use the check_procs plugin to see if the process is
 running -- or both.


 This page also contains nice trick to check server against rbl list:

 http://www.linuxjournal.com/content/monitoring-email-nagios

 It is also possible to use snmp to monitor, restart or execute (snmp exec /
 procfix) commands on remote system:

 http://www.logix.cz/michal/devel/nagios/ and
 http://www.packetmischief.ca/network/monitoring/postfix/#snmp

 --
 Eero



Fixed!

The solution was to set in the mail servers:
relayhost = your.server.com

All the instructions when setting up behind a firewall seemed to say leave
that at relayhost =  but adding my gateway IP makes it work so I am happy :)

Thanks!
Cameron


Re: Test e-mailservice

2009-11-11 Thread Eero Volotinen

Cameron Smith wrote:


Fixed!

The solution was to set in the mail servers:
relayhost = your.server.com

All the instructions when setting up behind a firewall seemed to say 
leave that at relayhost =  but adding my gateway IP makes it work so I 
am happy :)


Yes, that is the way. It is also wise to only allow direct smtp connections 
from your gateway (block connections to tcp/25 on main firewall) to 
prevent smtp zombies and spammers.


--
Eero,
RHCE


How to stop postfix sending emails

2009-11-11 Thread Lists

Hi All,

We are doing an upgrade on the machine that holds the postboxes 
(mailenable) during the upgrade the server will need to be rebooted 
which renders the boxes unreachable.
This causes a 550 error to be sent back to our spam catching server 
(running MailScanner spamassassin and postfix).


In order to prevent the loss of emails I was going to change the postfix 
config in the following way


soft_bounce = yes


Is this going to achieve what I need (i.e. that 550 responses are not 
treated as permanent and will try again).


Alternatively I was considering stopping the spam server from sending 
out emails during the upgrade time but I am unsure how to alter the 
behaviour of postfix so that it receives in email but will then hold it 
in queue and not attempt to send on.


Thoughts appreciated.

Thanks
Kate


Re: How to stop postfix sending emails

2009-11-11 Thread Wietse Venema
Lists:
 Hi All,
 
 We are doing an upgrade on the machine that holds the postboxes 
 (mailenable) during the upgrade the server will need to be rebooted 
 which renders the boxes unreachable.
 This causes a 550 error to be sent back to our spam catching server 
 (running MailScanner spamassassin and postfix).

That is a terrible configuration error. A host outage should
never result in 5xx mail rejects.

Wietse


Re: How to stop postfix sending emails

2009-11-11 Thread Eero Volotinen


Maybe you can tell spam filter postfix to HOLD all mails to your domains 
and then just remove hold and postsuper -H ALL ?


like this:

http://wiki.zimbra.com/index.php?title=Irfan-Notes#Holding_the_Postfix_Queue_at_time_of_server_migration.2Fmaintenance
and

man 5 access and look for HOLD ?

--
Eero


Re: How to stop postfix sending emails

2009-11-11 Thread Lists

Wietse Venema wrote:

Lists:
  

Hi All,

We are doing an upgrade on the machine that holds the postboxes 
(mailenable) during the upgrade the server will need to be rebooted 
which renders the boxes unreachable.
This causes a 550 error to be sent back to our spam catching server 
(running MailScanner spamassassin and postfix).



That is a terrible configuration error. A host outage should
never result in 5xx mail rejects.

Wietse
  
I don't love it either but it is how MailEnable works when it can't 
access the box, it responds with -
550 5.7.1 Unable to relay for originallocalsen...@domain.co.nz (in reply 
to RCPT TO command))


Hopefully the MailEnable server won't be in the state where it can't 
access the boxes for long - I'm just trying to ensure no mail ends up lost.


Re: How to stop postfix sending emails

2009-11-11 Thread Wietse Venema
Lists:
 Wietse Venema wrote:
  Lists:

  Hi All,
 
  We are doing an upgrade on the machine that holds the postboxes 
  (mailenable) during the upgrade the server will need to be rebooted 
  which renders the boxes unreachable.
  This causes a 550 error to be sent back to our spam catching server 
  (running MailScanner spamassassin and postfix).
  
 
  That is a terrible configuration error. A host outage should
  never result in 5xx mail rejects.
 
  Wietse

 I don't love it either but it is how MailEnable works when it can't 
 access the box, it responds with -
 550 5.7.1 Unable to relay for originallocalsen...@domain.co.nz (in reply 
 to RCPT TO command))

Don't we all love brain-dead systems.

I recently added a translation mapping for SMTP server inputs.
That was meant to map inputs from brain-dead SMTP clients into
something that satisfies basic SMTP syntax rules.

Perhaps I should also add a translation mapping for inputs from
SMTP servers, so that in the future, one could replace the above
reply by a 4xx class reply.

Wietse


Re: How to stop postfix sending emails

2009-11-11 Thread Lists

Eero Volotinen wrote:

Lists wrote:

Hi All,

We are doing an upgrade on the machine that holds the postboxes 
(mailenable) during the upgrade the server will need to be rebooted 
which renders the boxes unreachable.
This causes a 550 error to be sent back to our spam catching server 
(running MailScanner spamassassin and postfix).


In order to prevent the loss of emails I was going to change the 
postfix config in the following way


soft_bounce = yes


Is this going to achieve what I need (i.e. that 550 responses are not 
treated as permanent and will try again).


Alternatively I was considering stopping the spam server from sending 
out emails during the upgrade time but I am unsure how to alter the 
behaviour of postfix so that it receives in email but will then hold 
it in queue and not attempt to send on.


Maybe you can tell spam filter postfix to HOLD all mails to your 
domains and then just remove hold and postsuper -H ALL ?


--
Eero
Yeah I just had a look at the postsuper -h ALL - it only seems to move 
emails present in the queues at that moment to the hold bin but doesn't 
put subsequent ones in there.
Is there a way for it to keep moving them until the postsuper -r ALL is 
given?


Re: How to stop postfix sending emails

2009-11-11 Thread Noel Jones

On 11/11/2009 7:14 PM, Wietse Venema wrote:

Lists:

Wietse Venema wrote:

Lists:


Hi All,

We are doing an upgrade on the machine that holds the postboxes
(mailenable) during the upgrade the server will need to be rebooted
which renders the boxes unreachable.
This causes a 550 error to be sent back to our spam catching server
(running MailScanner spamassassin and postfix).



That is a terrible configuration error. A host outage should
never result in 5xx mail rejects.

Wietse


I don't love it either but it is how MailEnable works when it can't
access the box, it responds with -
550 5.7.1 Unable to relay for originallocalsen...@domain.co.nz (in reply
to RCPT TO command))


Don't we all love brain-dead systems.

I recently added a translation mapping for SMTP server inputs.
That was meant to map inputs from brain-dead SMTP clients into
something that satisfies basic SMTP syntax rules.

Perhaps I should also add a translation mapping for inputs from
SMTP servers, so that in the future, one could replace the above
reply by a 4xx class reply.

Wietse


I dealt with a similar brain-dead relay destination by 
creating a never_reject transport that had soft bounce turned on.


This worked pretty well, but only because I had a valid user 
list from the offender.


Wouldn't that be about the same as what you describe above?


  -- Noel Jones


Re: Relaying problems

2009-11-11 Thread Alex
Hi,

I hoped someone could clarify for me the difference between
check_sender_access and check_client_access? I don't know why the docs
are unclear to me.

When is a sender_access restriction used and when is a client_access
restriction used? I thought the client_access was based on the
envelope information (MAIL FROM:), but I've read so much contradictory
information that I'm confused.

If I wanted to block mail from a specific remote user, as we normally
think of the From: field, it would go in client_access, I believe.
sender_access would be based on the RCPT TO: information, then?

I'm not sure how the flow works; whether it's the client_access first
or sender_access, or vice-versa.

Would it be better to put check_sender_access in the
sender_restrictions instead? I currently have no sender_restrictions.

I have the following in my logs from yesterday that I'm concerned about:

Nov 10 00:06:33 smtp01 postfix_1/qmgr[12340]: 24A2B5603A6: from=i...@compensation.com, size=3082, nrcpt=50 (queue active)

Nov 10 00:06:33 smtp01 postfix_1/qmgr[12340]: 24A2B5603A6: to=mac...@yahoo.com, relay=none, delay=14656, status=deferred (connect to b.mx.mail.yahoo.com[66.196.82.7]: server refused mail service)

I removed all the active, defer'd and deferred files from the second
instance so they would no longer try to be delivered.

This is not good. We are not responsible for the compensation.com
domain. It also looks like there's 50 recipients, and the data from
the queue file is obvious spam. It also looks like yahoo has now
greylisted this server because it's refusing service, and other mail
servers have blocked us outright.

I know this mail came from 81.169.130.185, h1372645.stratoserver.net,
based on the information in the queue data, but the first occurrence I
can find of this IP address in the logs is embedded in the message-id.

There is no occurrence of this IP address in the pop-before-smtp logs,
so it didn't come from an authorized user there.

Below is my smtpd_recipient_restrictions again. Hopefully someone has
some ideas while I work on upgrading to a more recent version?

smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    permit_mynetworks
    check_client_access hash:/etc/postfix/pop-before-smtp
    reject_unauth_destination
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_sender_domain
#   reject_unknown_recipient_domain
#   reject_unauth_pipelining
    check_client_access hash:/etc/postfix/client_checks
    check_client_access pcre:/etc/postfix/client_checks.pcre
    check_recipient_access pcre:/etc/postfix/recipient_checks
    check_helo_access hash:/etc/postfix/helo_checks
    check_sender_access hash:/etc/postfix/sender_checks
    check_sender_access hash:/etc/postfix/disallow_my_domain
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre

Below is the other relevant information from main.cf. Please excuse
the obscuring of my real domain with 'exxample.com' in its place.

mydestination = $myhostname, localhost.$mydomain, smtp0.exxample.com
mydomain = exxample.com
myhostname = smtp0.exxample.com

Thanks so much.
Best regards,
Alex

On Wed, Nov 11, 2009 at 12:05 PM, Alex mysqlstud...@gmail.com wrote:
 Hi,

 I'm still using postfix-1.x,

 Most people here would stop reading there and press/click delete (or
 some might simply click 'Reply' and add the words 'upgrade').

 So... UPGRADE. It is time.

 Thanks for hitting me with the well-deserved clue-bat. Advice well taken.

 Now, what if I said I was still using bind-4? Heh, just joking :-)

 Thanks again,
 Alex



Re: Relaying problems

2009-11-11 Thread Michael Orlitzky

Alex wrote:

Hi,

I hoped someone could clarify for me the difference between
check_sender_access and check_client_access? I don't know why the docs
are unclear to me.


Both restrictions look up something in an access table, and return a 
result. With check_client_access, the thing that is looked up is the 
client. By client, the following is meant:


  client hostname, parent domains, client IP address, or networks
  obtained by stripping least significant octets

With check_sender_access, the sender of the message is used as the 
lookup key. Again, multiple lookups are made:


  MAIL FROM address, domain, parent domains, or localpart@



When is a sender_access restriction used and when is a client_access
restriction used? I thought the client_access was based on the
envelope information (MAIL FROM:), but I've read so much contradictory
information that I'm confused.


If you want to block the MAIL FROM address, use check_sender_access.



If I wanted to block mail from a specific remote user, as we normally
think of the From: field, it would go in client_access, I believe.
sender_access would be based on the RCPT TO: information, then?


Use check_sender_access to block email addresses, but beware that the 
envelope (MAIL FROM) sender often disagrees with the From: header.




I'm not sure how the flow works; whether it's the client_access first
or sender_access, or vice-versa.


Normally, client information is available first, but if you're deferring 
 rejection, you can place the restrictions in any order you wish.




Below is my smtpd_recipient_restrictions again. Hopefully someone has
some ideas while I work on upgrading to a more recent version?

smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    permit_mynetworks
    check_client_access hash:/etc/postfix/pop-before-smtp
    reject_unauth_destination
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_sender_domain
#   reject_unknown_recipient_domain
#   reject_unauth_pipelining
    check_client_access hash:/etc/postfix/client_checks
    check_client_access pcre:/etc/postfix/client_checks.pcre
    check_recipient_access pcre:/etc/postfix/recipient_checks
    check_helo_access hash:/etc/postfix/helo_checks
    check_sender_access hash:/etc/postfix/sender_checks
    check_sender_access hash:/etc/postfix/disallow_my_domain
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre


I'm guessing even v1.x required commas between restrictions?


Re: Relaying problems

2009-11-11 Thread Noel Jones

On 11/11/2009 8:18 PM, Alex wrote:

Hi,

I hoped someone could clarify for me the difference between
check_sender_access and check_client_access? I don't know why the docs
are unclear to me.

When is a sender_access restriction used and when is a client_access
restriction used? I thought the client_access was based on the
envelope information (MAIL FROM:), but I've read so much contradictory
information that I'm confused.


All the check_*_access restrictions operate on the SMTP 
envelope information -- the same information that shows up in 
the postfix logs.  Although some of this information can also 
be found in headers, postfix doesn't look in the headers for 
these.


The check_*_access restrictions tell postfix what data to 
check, and are used as follows:


client = client IP or confirmed client hostname; the host that 
connected to your server.  This is very difficult to forge.


helo = the HELO or EHLO hostname given by the client.  This is 
trivial to forge, and often wrong on legit systems.  This is 
so close to useless that Postfix doesn't bother to log the 
helo name on accepted transactions.  (but /sometimes/ can be 
useful to block unwanted mail.)


The client and helo are also usually found in the top-most 
Received: header added by your system.  Other Received: 
headers are easily forged and considered suspect.


sender = the MAIL FROM address used during SMTP.  This address 
*may* be found in the Return-path: header.  The SMTP sender is 
not necessarily listed in the From: header.  This is perfectly 
acceptable.  Both the sender and the From: header are easily 
forged.


recipient = the RCPT TO address used during SMTP.  This is the 
address postfix uses for deciding where the mail is to be 
delivered.  This may not show up anywhere in the headers.





If I wanted to block mail from a specific remote user, as we normally
think of the From: field, it would go in client_access, I believe.
sender_access would be based on the RCPT TO: information, then?


From ~ check_sender_access ... who sent the mail.



I'm not sure how the flow works; whether it's the client_access first
or sender_access, or vice-versa.


Within each smtpd_{client, helo, sender, 
recipient}_restrictions section, the restrictions are 
evaluated in the order you place them.


Most people put all their restrictions under 
smtpd_recipient_restrictions for clarity.




Would it be better to put check_sender_access in the
sender_restrictions instead? I currently have no sender_restrictions.

I have the following in my logs from yesterday that I'm concerned about:

Nov 10 00:06:33 smtp01 postfix_1/qmgr[12340]: 24A2B5603A6: from=i...@compensation.com, size=3082, nrcpt=50 (queue active)

Nov 10 00:06:33 smtp01 postfix_1/qmgr[12340]: 24A2B5603A6: to=mac...@yahoo.com, relay=none, delay=14656, status=deferred (connect to b.mx.mail.yahoo.com[66.196.82.7]: server refused mail service)

I removed all the active, defer'd and deferred files from the second
instance so they would no longer try to be delivered.

This is not good. We are not responsible for the compensation.com
domain. It also looks like there's 50 recipients, and the data from
the queue file is obvious spam. It also looks like yahoo has now
greylisted this server because it's refusing service, and other mail
servers have blocked us outright.


Yahoo routinely greylists everybody.  I would be more 
concerned that others are blocking you.





I know this mail came from 81.169.130.185, h1372645.stratoserver.net,
based on the information in the queue data, but the first occurrence I
can find of this IP address in the logs is embedded in the message-id.


Then that's not the right IP.  Share what you're seeing.



There is no occurrence of this IP address in the pop-before-smtp logs,
so it didn't come from an authorized user there.

Below is my smtpd_recipient_restrictions again. Hopefully someone has
some ideas while I work on upgrading to a more recent version?


I expect the two most common causes of a postfix server 
sending spam are
- compromised script in your web server.  These usually show 
up in the logs as coming from the postfix/pickup service.

- hijacked user account.

Examine your logs more carefully.  Search for the QUEUEID of 
the mail in question and find the earliest instance of it, but 
remember that a QUEUEID can be reused.




smtpd_recipient_restrictions =
 reject_non_fqdn_sender
 reject_non_fqdn_recipient
 permit_mynetworks
 check_client_access hash:/etc/postfix/pop-before-smtp
 reject_unauth_destination


Your postfix is not an open relay (assuming nothing silly in 
$mydestination, $relay_domains, $virtual_aliases).


Everything you need can be found at
http://www.postfix.org/documentation.html

  -- Noel Jones
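
The log search advised in the message above, as an added example (not part of the original thread or of Postfix): it finds the earliest entry for a queue ID and reports whether the mail entered through smtpd or pickup, treating each "removed" line as the end of one use of the ID. The log lines, queue ID, host names and addresses are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample log (not from the thread). The constructed queue ID
# 1A2B3C4D5E6 is used for an SMTP delivery, removed, then reused by pickup.
SAMPLE_LOG = """\
Nov  9 20:00:01 smtp01 postfix_1/smtpd[2101]: 1A2B3C4D5E6: client=mail.example.net[192.0.2.10]
Nov  9 20:00:01 smtp01 postfix_1/cleanup[2102]: 1A2B3C4D5E6: message-id=<a1@example.net>
Nov  9 20:00:01 smtp01 postfix_1/qmgr[12340]: 1A2B3C4D5E6: from=<alice@example.net>, size=812, nrcpt=1 (queue active)
Nov  9 20:00:02 smtp01 postfix_1/qmgr[12340]: 1A2B3C4D5E6: removed
Nov  9 20:02:17 smtp01 postfix_1/pickup[2200]: 1A2B3C4D5E6: uid=33 from=<www-data>
Nov  9 20:02:17 smtp01 postfix_1/cleanup[2102]: 1A2B3C4D5E6: message-id=<b2@smtp01.example.org>
Nov  9 20:02:17 smtp01 postfix_1/qmgr[12340]: 1A2B3C4D5E6: from=<info@example.com>, size=3082, nrcpt=50 (queue active)
""".splitlines()

# "postfix_1/qmgr[12340]: QUEUEID: rest" (the syslog name may carry an instance suffix)
LINE = re.compile(r"postfix[^/\s]*/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
CLIENT = re.compile(r"client=([^,\s]+)")
UID = re.compile(r"uid=(\d+)")
QMGR = re.compile(r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def trace_queue_id(lines, qid):  # hypothetical helper name
    """Return one record per use of qid, in log order."""
    uses, current = [], None
    for line in lines:
        m = LINE.search(line)
        if not m or m[2] != qid:
            continue
        service, rest = m[1], m[3]
        if current is None:
            # Earliest line of this use: the service that created the queue file.
            current = {"first_seen": line[:15], "entry": service,
                       "origin": None, "sender": None, "nrcpt": None}
            uses.append(current)
        if service == "smtpd" and (c := CLIENT.match(rest)):
            current["origin"] = c[1]  # remote client that submitted the mail
        elif service == "pickup" and (u := UID.match(rest)):
            current["origin"] = "local uid " + u[1]  # local submission
        elif service == "qmgr" and rest == "removed":
            current = None  # ID is free again; the next match is a new message
        elif service == "qmgr" and (q := QMGR.match(rest)):
            current["sender"], current["nrcpt"] = q[1], int(q[2])
    return uses

if __name__ == "__main__":
    for use in trace_queue_id(SAMPLE_LOG, "1A2B3C4D5E6"):
        print(use)
```
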


Re: who know how does initial_destination_concurrency and default_destination_concurrency_limit work?

2009-11-11 Thread coofucoo zhang
Yes, that is what I mentioned before. It looks like the concurrency setting does not
work.

Best regards!
Coofucoo

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
Sent: November 12, 2009 3:16
To: Dhiraj Chatpar
Cc: postfix-users@postfix.org; victor.ducho...@morganstanley.com
Subject: Re: who know how does initial_destination_concurrency and
default_destination_concurrency_limit work?

 Ted Turner http://www.brainyquote.com/quotes/authors/t/ted_turner.html
-
 Sports is like a war without the killing.
 
 On Thu, Nov 12, 2009 at 00:04, Victor Duchovni 
 victor.ducho...@morganstanley.com wrote:
 
  On Wed, Nov 11, 2009 at 07:30:47AM -0600, Noel Jones wrote:
 
   In your main.cf, set default_destination_rate_delay = 1s and
   leave all those other parameters at their default.
  
   This will instruct postfix to send no more than 60 messages
   per minute.
 
  This will apply to all transports, not just smtp, if all mail is
  sent to remote destinations, that's fine, otherwise, one may want
  to be more selective:
 
 smtp_destination_rate_delay = 1s

Dhiraj Chatpar:
 Dear Sir,
 
 I have tried default concurrency =1 and initial concurrency =1. but both of
 them don't reduce the speed of delivering the emails. Can you please guide me
 with a way by which I can reduce the sending of emails to very slow..

You need to set the appropriate _destination_rate_delay parameter,
instead of the concurrency parameters.

Then you need to execute postfix reload or else these changes
have no effect at all.

Wietse



Re: How to stop postfix sending emails

2009-11-11 Thread Michael Orlitzky

Lists wrote:

Hi All,

We are doing an upgrade on the machine that holds the postboxes 
(mailenable) during the upgrade the server will need to be rebooted 
which renders the boxes unreachable.
This causes a 550 error to be sent back to our spam catching server 
(running MailScanner spamassassin and postfix).


In order to prevent the loss of emails I was going to change the postfix 
config in the following way


soft_bounce = yes


Is this going to achieve what I need (i.e. that 550 responses are not 
treated as permanent and will try again).


Alternatively I was considering stopping the spam server from sending 
out emails during the upgrade time but I am unsure how to alter the 
behaviour of postfix so that it receives in email but will then hold it 
in queue and not attempt to send on.


Thoughts appreciated.

Thanks
Kate


How mad would everyone be if you just unplugged the Ethernet cable on 
the machine returning 550?




Re: Relaying problems

2009-11-11 Thread Alex
Hi,

 But commas do make it prettier to look at.

 My reality has been shaken, and everything I previously thought I knew drawn
 into question.

Yeah, crazy. I always had the smtpd_recipient_restrictions separated
by a comma, all on one line, until recently when I saw so many others
using it otherwise.

Thanks to all for the information so far. I've got a bit more reading
to do, and have to monitor more closely.

Not only do queue IDs get reused, they change mid-stream because of
the two-queue configuration.

Thanks again,
Alex


Relaying problems

2009-11-11 Thread Stan Hoeppner
Noel Jones put forth on 11/11/2009 10:16 PM:

 But commas do make it prettier to look at.

Pfft.  I removed all my commas recently to improve aesthetics.  Now
you're telling me I have to put 'em back in?  Sheesh.  :P

--
Stan



RE: Required sender email address while table lookup for rejecting mails for unknown local users

2009-11-11 Thread Arora, Sumit
Hi Magnus,

Thanks for replying...

Yup, I know about spoofing and I'm taking care of it in my system.

So let's assume that user is not spoofed.

Now I have a scenario: Only some users can send email to a particular user.
When I receive email on postfix, I just want to query: Can this sender send 
email to this receiver?

So again my question is, how can I have the sender email address during validation 
of local_recipient_maps?

Many Thanks,
Sumit Arora

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Magnus Bäck
Sent: Wednesday, November 11, 2009 1:41 AM
To: postfix-users@postfix.org
Subject: Re: Required sender email address while table lookup for rejecting 
mails for unknown local users

On Tuesday, November 10, 2009 at 07:49 CET,
 Arora, Sumit sumit.ar...@hp.com wrote:

 I'm using mysql local_recipient_maps for rejecting email for unknown
 local users.
 
 Here are the changes in my main.cf
 
 local_recipient_maps = proxy:unix:passwd.byname $alias_maps 
 virtual_alias_maps = mysql:/etc/postfix/mysql-relays.cf

I assume this should be:

local_recipient_maps = proxy:unix:passwd.byname $alias_maps
virtual_alias_maps = mysql:/etc/postfix/mysql-relays.cf

 Here is my mysql-relays.cf
 
 hosts=16.123.123.123
 user=root
 password=*
 dbname=testDB
 table=users
 query = select emailaddress from users where emailaddress='%s'
 
 I'm able to query successfully.
 
 But I'm stuck as my requirement is to query database according to sender.
 
 Let's say some user with emailaddress 'sen...@myhostname.com' is
 sending email to my postfix and I need to validate him.

What does validate the sender mean? Check that the sender address, if
it's one of your own domains, is a valid recipient address? Only allow a
select number of sender addresses? Please be more complete.

You do know that sender addresses are easily spoofed?

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se