Re: A question about Postfix and virus scanning

2009-11-30 Thread Stan Hoeppner
Ali Majdzadeh put forth on 11/30/2009 12:28 AM:
> Hello all,
> I do not know whether here is the right place to ask this question or
> not, but I would like to know if it is a good idea to perform offline
> e-mail virus scanning. By offline, I mean a scenario in which e-mail
> filtering management tools (like amavisd-new) do not hand out received
> e-mails to virus scanners (like clamav), instead, virus scanning is
> performed on mailboxes as regular files on the file system. Does anyone
> have any experiences regarding this scenario? Is this scenario at all
> sane or applicable?

Why would you ever want to write a virus to a user mailbox and then scan
it later?  Unless you have a flawless realtime virus scanner daemon that
checks every file as it's written to the file system, you open up the
possibility that a user will open that mail file containing the virus
before the system quarantines or deletes it.

Why would you not want to identify a viral payload as soon as it hits
your MTA, and delete it immediately?  This is analogous to waiting until
the home invaders have entered your childrens' bedroom to call the
police, instead of calling the police when you heard the front door
being kicked down.

Back in the day (maybe still) virus scanner plugins for Microsoft
Exchange worked in a similar fashion.  And on occasion, disaster struck
as a result of it, with a user's Outlook client pulling the viral email
before the A/V plugin was able to scan it.  IIRC, the reason for this
was twofold:  First, Microsoft had no interface to allow third-party
scanners to look at queue files directly, because doing so would
literally break Exchange.  Second, because Exchange stores all mail
files in a database instead of as individual files, A/V vendors were
required to write SQL like queries to scan the records within the
database.  Exchange is anything but a realtime database.  Because of
this architecture, and the potentially large time delays created by a
loaded system, it was impossible to guarantee anything close to realtime
scanning of inbound mail.  I believe MS has since changed the
architecture to allow A/V scanning of mail whilst it's in the inbound
queue.  It's been a long time since I dealt with Exchange, the above
architectural short-sightedness being one of the reasons for that.

In summary, scan the mail as it enters the edge MTA, and deal with viri
at that point in time.  There may be extreme border cases for very large
orgs where a tiered mail delivery approach and downstream A/V scanning
is desirable, but I'm guessing your org doesn't fit in such a case.

--
Stan


Re: A question about Postfix and virus scanning

2009-11-30 Thread Ali Majdzadeh
Stan,
Hi
Thanks for your detailed response. Actually, the main reason which drove us
toward performing virus scanning as an offline process was performance. As
we deal with large amounts of e-mails, we found the way amavisd-new or other
filtering management tools perform filtering too slow. We intended to
somehow decrease the amount of load which amavisd-new or similar tools
impose on the architecture.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/30 Stan Hoeppner 

> Ali Majdzadeh put forth on 11/30/2009 12:28 AM:
> > Hello all,
> > I do not know whether here is the right place to ask this question or
> > not, but I would like to know if it is a good idea to perform offline
> > e-mail virus scanning. By offline, I mean a scenario in which e-mail
> > filtering management tools (like amavisd-new) do not hand out received
> > e-mails to virus scanners (like clamav), instead, virus scanning is
> > performed on mailboxes as regular files on the file system. Does anyone
> > have any experiences regarding this scenario? Is this scenario at all
> > sane or applicable?
>
> Why would you ever want to write a virus to a user mailbox and then scan
> it later?  Unless you have a flawless realtime virus scanner daemon that
> checks every file as it's written to the file system, you open up the
> possibility that a user will open that mail file containing the virus
> before the system quarantines or deletes it.
>
> Why would you not want to identify a viral payload as soon as it hits
> your MTA, and delete it immediately?  This is analogous to waiting until
> the home invaders have entered your childrens' bedroom to call the
> police, instead of calling the police when you heard the front door
> being kicked down.
>
> Back in the day (maybe still) virus scanner plugins for Microsoft
> Exchange worked in a similar fashion.  And on occasion, disaster struck
> as a result of it, with a user's Outlook client pulling the viral email
> before the A/V plugin was able to scan it.  IIRC, the reason for this
> was twofold:  First, Microsoft had no interface to allow third-party
> scanners to look at queue files directly, because doing so would
> literally break Exchange.  Second, because Exchange stores all mail
> files in a database instead of as individual files, A/V vendors were
> required to write SQL like queries to scan the records within the
> database.  Exchange is anything but a realtime database.  Because of
> this architecture, and the potentially large time delays created by a
> loaded system, it was impossible to guarantee anything close to realtime
> scanning of inbound mail.  I believe MS has since changed the
> architecture to allow A/V scanning of mail whilst it's in the inbound
> queue.  It's been a long time since I dealt with Exchange, the above
> architectural short-sightedness being one of the reasons for that.
>
> In summary, scan the mail as it enters the edge MTA, and deal with viri
> at that point in time.  There may be extreme border cases for very large
> orgs where a tiered mail delivery approach and downstream A/V scanning
> is desirable, but I'm guessing your org doesn't fit in such a case.
>
> --
> Stan
>


Re: A question about Postfix and virus scanning

2009-11-30 Thread Eero Volotinen

Quoting Ali Majdzadeh :


Stan,
Hi
Thanks for your detailed response. Actually, the main reason which drove us
toward performing virus scanning as an offline process was performance. As
we deal with large amounts of e-mails, we found the way amavisd-new or other
filtering management tools perform filtering too slow. We intended to
somehow decrease the amount of load which amavisd-new or similar tools
impose on the architecture.


You can easily set up an SMTP cluster for email filtering and scanning.

--
Eero



Blocking From Certain domain to Certain User

2009-11-30 Thread Marky Yehezkiel (SNC)
Dear All,

I am using postfix and I don't know if my question has already been posted
before or not. I have a problem: I need to block mail from a certain domain
such as facebook.com to a certain user of mine (x...@satnetcom.com). I have
searched Google but with no luck; I tried using header_checks with an if
condition and transport, still no luck.

 

Has anyone done it before? Any advice please? Thank you



RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
Sahil, et al.:

>Use an access(5) or transport(5) map:

It appears that using an access map would best meet my need.  I do not
currently use an access map.  Can you/anyone assist me with the proper
placement of 
 check_client_access hash:/etc/postfix/access
in my setup?  I don't want to screw up my restrictions which otherwise work
properly.

I *think* putting it last, after my greylisting line (see comment in
postconf output below) would be appropriate.  I think I'd want them to pass
all other spam checks before rejecting semi-legitimate mail to this
particular address with my specific reject message.

Thanks,
Scott


postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = $myhostname,  localhost.$mydomain,  localhost,  $mydomain
mydomain = companypostoffice.com
myhostname = tn1.companypostoffice.com
mynetworks = localhost,$localdomain, xx.xx.xx.xx/32, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = differentdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining,  permit
smtpd_helo_required = yes
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname,  reject_non_fqdn_sender,
reject_non_fqdn_recipient,  permit_mynetworks,  reject_unauth_destination,
check_recipient_mx_access hash:/etc/postfix/mx_access,
check_sender_mx_access hash:/etc/postfix/mx_access,
reject_unknown_sender_domain,  check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre,  check_helo_access
hash:/etc/postfix/helo_checks,  check_sender_access
hash:/etc/postfix/sender_checks,  check_client_access
hash:/etc/postfix/client_checks,  check_client_access
pcre:/etc/postfix/client_checks.pcre,  reject_rbl_client list.dsbl.org,
reject_rbl_client zen.spamhaus.org,  reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client psbl.surriel.com,  reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket,  permit

## access map check here ??

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users




Re: Mail from cron delay

2009-11-30 Thread Victor Duchovni
On Sun, Nov 29, 2009 at 02:42:14PM -0800, Emmett Culley wrote:

> For some months I've been noticing on multiple servers that mail from a cron 
> job defined in the root's crontab takes 24 hours to get to its destination.  
> It finally bugged me enough to have me take a look for the reason.  This is 
> what I found in the maillog for each day:
> 
> Nov 29 03:15:58 den1 postfix/pickup[8219]: B0771588D1B: uid=0 from=
> Nov 29 03:15:58 den1 postfix/cleanup[7689]: B0771588D1B: 
> message-id=<20091129101558.b0771588...@den1.thisserver.net>
> Nov 29 03:15:58 den1 postfix/qmgr[3361]: B0771588D1B: 
> from=, size=819, nrcpt=1 (queue active)
> Nov 29 03:15:59 den1 postfix/smtp[7691]: B0771588D1B: 
> to=, relay=example.com[123.45.67.89]:25, delay=86457, 
> delays=86457/0/0.36/0.18, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 
> 3586C400032)
> Nov 29 03:15:59 den1 postfix/qmgr[3361]: B0771588D1B: removed

Any warnings in your logs matching either of the below regexps?

egrep 'message dated [0-9]* seconds into the future' /some/log/file
egrep 'message has been queued for [0-9]* days' /some/log/file

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Something like address based relay just the other way around

2009-11-30 Thread Tobi
Hello

I just wonder whether my idea is technically possible to fulfill with
Postfix. I already use sender-based relaying which works fine.
My problem is that I'm running a Postfix Server on my dynamic IP-Address. I
would say for 80% of the receivers is no problem to send the emails
directly (direct-mx). Some domains or receivers do not accept this due to
dynamic IP block. No problem I thought I could set up a receiver-based
relay, but unfortunately I did not find anything about it in Postfix doc
(maybe I looked for the wrong keywords).
So my question is: Is there a way to conditionally relay emails based on
the receivers address/domain? So I could send emails for defined
addresses/domains via my ISP mailserver instead of direct-mx.
Is there a way to do this in Postfix?

Thanks a lot for all tips/hints
Cheers

tobi


Re: Mail from cron delay

2009-11-30 Thread Wietse Venema
Victor Duchovni:
> On Sun, Nov 29, 2009 at 02:42:14PM -0800, Emmett Culley wrote:
> 
> > For some months I've been noticing on multiple servers that mail from a 
> > cron job defined in the root's crontab takes 24 hours to get to its 
> > destination.  It finally bugged me enough to have me take a look for the 
> > reason.  This is what I found in the maillog for each day:
> > 
> > Nov 29 03:15:58 den1 postfix/pickup[8219]: B0771588D1B: uid=0 from=
> > Nov 29 03:15:58 den1 postfix/cleanup[7689]: B0771588D1B: 
> > message-id=<20091129101558.b0771588...@den1.thisserver.net>
> > Nov 29 03:15:58 den1 postfix/qmgr[3361]: B0771588D1B: 
> > from=, size=819, nrcpt=1 (queue active)
> > Nov 29 03:15:59 den1 postfix/smtp[7691]: B0771588D1B: 
> > to=, relay=example.com[123.45.67.89]:25, 
> > delay=86457, delays=86457/0/0.36/0.18, dsn=2.0.0, status=sent (250 2.0.0 
> > Ok: queued as 3586C400032)
> > Nov 29 03:15:59 den1 postfix/qmgr[3361]: B0771588D1B: removed
> 
> Any warnings in your logs matching either of the below regexps?
> 
> egrep 'message dated [0-9]* seconds into the future' /some/log/file
> egrep 'message has been queued for [0-9]* days' /some/log/file

Some unhelpful systems log warning messages separate from normal
activity, so he may have to look in different files.

Wietse


Re: Something like address based relay just the other way around

2009-11-30 Thread Wietse Venema
Tobi:
> Hello
> 
> I just wonder whether my idea is technically possible to fulfill with
> Postfix. I already use sender-based relaying which works fine.
> My problem is that I'm running a Postfix Server on my dynamic IP-Address. I
> would say for 80% of the receivers is no problem to send the emails
> directly (direct-mx). Some domains or receivers do not accept this due to
> dynamic IP block. No problem I thought I could set up a receiver-based
> relay, but unfortunately I did not find anything about it in Postfix doc
> (maybe I looked for the wrong keywords).

See this URL: http://www.postfix.org/transport.5.html 

If I am not mistaken, this has precedence over sender-dependent features.

Wietse

> So my question is: Is there a way to conditionally relay emails based on
> the receivers address/domain? So I could send emails for defined
> addresses/domains via my ISP mailserver instead of direct-mx.
> Is there a way to do this in Postfix?
> 
> Thanks a lot for all tips/hints
> Cheers
> 
> tobi
> 
> 



Re: Mail from cron delay

2009-11-30 Thread Emmett Culley
On 11/29/2009 03:27 PM, Wietse Venema wrote:
> Emmett Culley:
>> For some months I've been noticing on multiple servers that mail
>> from a cron job defined in the root's crontab takes 24 hours to
>> get to its destination.  It finally bugged me enough to have me
>> take a look for the reason.  This is what I found in the maillog
>> for each day:
>>
>> Nov 29 03:15:58 den1 postfix/pickup[8219]: B0771588D1B: uid=0 from=
>> Nov 29 03:15:58 den1 postfix/cleanup[7689]: B0771588D1B: 
>> message-id=<20091129101558.b0771588...@den1.thisserver.net>
>> Nov 29 03:15:58 den1 postfix/qmgr[3361]: B0771588D1B: 
>> from=, size=819, nrcpt=1 (queue active)
>> Nov 29 03:15:59 den1 postfix/smtp[7691]: B0771588D1B: 
>> to=, relay=example.com[123.45.67.89]:25, delay=86457, 
>> delays=86457/0/0.36/0.18, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 
>> 3586C400032)
> 
> This message is queued on a DIFFERENT mail system
> example.com[123.45.67.89]:25, meaning it was sent via the SMTP port
> (port 25) to a mail system on a named example.com with IP address
> 123.45.67.89.
> 
> Is the local machine running MacOS? Apple has made some changes
> such that Postfix is not running all of the time. This is a change
> that is specific to APPLE, and may explain why mail not picked
> up as soon as it is enqueued.
> 
> Is the queue on a file server, and are the client and file server
> clocks out of sync?
> 
> Looking at the Received: in your message as delivered, the clocks
> on those systems are all out of sync.
> 
>   Wietse
> 
Both machines are running CentOS and Postfix.  One is on MST (sender, 
thisserver.net) and the other is on PST (receiver, example.com).

The log entries are from thisserver.net.  So I think I am seeing the cron 
process hitting the local Postfix server 24 hours after cron says it was sent.

After taking a closer look at the email, the first "Received:" header says the 
email was received from cron by the sender on 11/29 at 3:15:58, yet cron and 
the email content show that it was sent 24 hours earlier.

Email Header:
- snip ---
Received: from g1.example.com ([127.0.0.1])
by localhost (g1.example.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id dS+5g5AAK5vQ
for ;
Sun, 29 Nov 2009 02:15:59 -0800 (PST)
Received: from den1.thisserver.net (den1.thisserver.net [98.76.54.32])
by g1.example.com (Postfix) with ESMTP id 3586C400032
for ; Sun, 29 Nov 2009 02:15:59 -0800 (PST)
Received: by den1.thisserver.net (Postfix, from userid 0)
id ; Sun, 29 Nov 2009 03:15:58 -0700 (MST)
- snip --
Date: Sat, 28 Nov 2009 03:15:01 -0700 (MST)

Email content:
- snip ---
Sat Nov 28 03:16:05 MST 2009

-

That along with the log showing that Postfix (on the sender) didn't see it from 
cron until the next day, like the email headers indicate, tells me it must be 
something between cron and Postfix.  It was only the "delay=86457" that had me 
query the Postfix users mailing list.

Nov 29 03:15:58 den1 postfix/pickup[8219]: B0771588D1B: uid=0 from=
Nov 29 03:15:58 den1 postfix/cleanup[7689]: B0771588D1B: 
message-id=<20091129101558.b0771588...@den1.thisserver.net>
Nov 29 03:15:58 den1 postfix/qmgr[3361]: B0771588D1B: 
from=, size=819, nrcpt=1 (queue active)
Nov 29 03:15:59 den1 postfix/smtp[7691]: B0771588D1B: 
to=, relay=example.com[123.45.67.89]:25, delay=86457, 
delays=86457/0/0.36/0.18, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 
3586C400032)

Please note, however that the last log line shows that the email was queued as 
3586C400032, which is the same ESMTP id as in the next "Received:" header.  It 
seems like understanding where the "delay=86457" and "delays=86457/0/0.36/0.18" 
come from would probably help me to understand the 24 hour delay.

Emmett


Re: Mail from cron delay

2009-11-30 Thread Victor Duchovni
On Mon, Nov 30, 2009 at 10:35:02AM -0800, Emmett Culley wrote:

> It seems like understanding where the "delay=86457"
> and "delays=86457/0/0.36/0.18" come from would probably help me to
> understand the 24 hour delay.

Not really. The message took 1 day to enter the active queue, not
surprising, since pickup seems to have it a day late. Did your system
clock get changed (by a day or so) while Postfix was running?

The pickup(8) daemon scans the maildrop queue every 60 seconds by default,
and on-demand when postdrop(1) sends a "wakeup trigger" after creating
a new message.

If you have SE-Linux, AppArmor, ... they could block postdrop from
accessing the pickup service socket. Also file/directory permissions
could be wrong, or your clock erratic.

-- 
Viktor.

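Victor's reading of `delay=86457` rests on how Postfix splits the `delays=a/b/c/d` field: `a` is the time before the queue manager saw the message (pickup, cleanup, incoming), `b` the time in the active queue, `c` connection setup including DNS, HELO and TLS, and `d` transmission. The following parser is an example added here, not code from the thread or from Postfix; the log lines it carries are a constructed copy of the smtp(8) entry quoted above (the recipient, elided in the archive, is a placeholder) plus an invented healthy delivery for contrast. It splits the field and flags deliveries where almost all of the delay was spent before the queue manager, which is exactly the pattern that points at submission or clock trouble rather than at the remote relay.

```python
import re
from dataclasses import dataclass

# Constructed log lines modelled on the smtp(8) entry quoted in this thread.
# The recipient address is a placeholder; the second line is an invented
# "healthy" delivery for comparison.
SAMPLE_LOG = """\
Nov 29 03:15:59 den1 postfix/smtp[7691]: B0771588D1B: to=<user@example.com>, relay=example.com[123.45.67.89]:25, delay=86457, delays=86457/0/0.36/0.18, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3586C400032)
Nov 30 03:15:40 den1 postfix/smtp[7702]: A1B2C3D4E5F: to=<user@example.com>, relay=example.com[123.45.67.89]:25, delay=1.3, delays=0.04/0.01/0.95/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3586C400107)
"""

# delays=a/b/c/d as logged by the Postfix delivery agents:
#   a = time before the queue manager saw the message (pickup/cleanup/incoming)
#   b = time in the queue manager (active queue)
#   c = connection setup, including DNS, HELO and TLS
#   d = message transmission
PHASES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): .*?delay=(?P<delay>[\d.]+), "
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)"
)


@dataclass
class DeliveryTiming:
    queue_id: str
    delay: float
    before_qmgr: float
    in_qmgr: float
    conn_setup: float
    transmission: float

    def dominant_phase(self) -> str:
        """Name of the phase that accounts for most of the total delay."""
        return max(PHASES, key=lambda p: getattr(self, p))


def parse_delivery_line(line: str):
    """Parse one smtp(8) 'status=' line; returns None for lines without delays=."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return DeliveryTiming(
        m["qid"], float(m["delay"]),
        float(m["a"]), float(m["b"]), float(m["c"]), float(m["d"]),
    )


def flag_pre_queue_delays(log_text: str, threshold: float = 3600.0):
    """Queue IDs whose pre-queue-manager time (the 'a' component) exceeds
    threshold seconds.  A large 'a' with tiny b/c/d means the message was
    old before qmgr ever saw it: look at submission (pickup/postdrop) and
    at the clock, not at the remote relay."""
    hits = []
    for line in log_text.splitlines():
        t = parse_delivery_line(line)
        if t is not None and t.before_qmgr > threshold:
            hits.append((t.queue_id, t.before_qmgr))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        t = parse_delivery_line(line)
        print(t.queue_id, "dominant phase:", t.dominant_phase())
    print(flag_pre_queue_delays(SAMPLE_LOG))
```

Run over a real maillog, `flag_pre_queue_delays` separates Emmett's kind of problem (everything in `a`) from relay-side slowness (time in `c` or `d`), which is the distinction Victor draws when he says the message simply entered the active queue a day late.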


Re: Something like address based relay just the other way around

2009-11-30 Thread tobi
Wietse Venema schrieb:
> Tobi:
>   
>> Hello
>>
>> I just wonder whether my idea is technically possible to fulfill with
>> Postfix. I already use sender-based relaying which works fine.
>> My problem is that I'm running a Postfix Server on my dynamic IP-Address. I
>> would say for 80% of the receivers is no problem to send the emails
>> directly (direct-mx). Some domains or receivers do not accept this due to
>> dynamic IP block. No problem I thought I could set up a receiver-based
>> relay, but unfortunately I did not find anything about it in Postfix doc
>> (maybe I looked for the wrong keywords).
>> 
>
> See this URL: http://www.postfix.org/transport.5.html 
>
> If I am not mistaken, this has precedence over sender-dependent features.
>
>   Wietse
>
>   
>> So my question is: Is there a way to conditionally relay emails based on
>> the receivers address/domain? So I could send emails for defined
>> addresses/domains via my ISP mailserver instead of direct-mx.
>> Is there a way to do this in Postfix?
>>
>> Thanks a lot for all tips/hints
>> Cheers
>>
>> tobi
>>
>>
>> 
>
>   
Hello

I tried according to Wietse's link to the manual and it works 50% ;-)
The email is properly forwarded according to receivers domain with the
values in transport conf file
But now Postfix has no user details to perform SMTP authentication at
the defined relay server. smtp tries to relay without auth, which my
provider's server doesn't like. If I'm using sender_dependent_relay then
smtp takes the details from my sasl password file and therefore can
perform an auth at the relay server.
So my next question is how to tell transport where to look up the
login credentials to send an email through an external relay server
which expects user auth.

Is there a way which I have not found in the manual to tell Postfix the
necessary details? Or is it not possible by design?

Thanks and cheers

tobi
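Tobi's follow-up is about where the Postfix SMTP client finds credentials once transport(5) rather than sender_dependent_relayhost_maps chooses the relay. The model below is an example added here, not code from the thread or from Postfix. It resolves a recipient through a constructed transport table in the documented key order (user+extension@domain, user@domain, domain, dotted parent domains, then `*`, with the default parent_domain_matches_subdomains setting), and then performs the smtp_sasl_password_maps lookup keyed by the next-hop destination exactly as written in the transport entry (brackets and port included) or by the server hostname; trying the next-hop before the hostname is an assumption of this model, and all hostnames and credentials are placeholders. The sender-keyed table shows why a file that worked with sender-dependent authentication yields no credentials once the relay is chosen per recipient.

```python
# Constructed transport(5) table: recipient domain -> transport:nexthop.
# Hostnames and credentials throughout are invented placeholders.
TRANSPORT_MAP = {
    "strict-domain.example": "smtp:[mail.isp.example]:587",  # relay via the ISP
    ".also-strict.example": "smtp:[mail.isp.example]:587",   # ...and all subdomains
    "*": "smtp:",                                            # everything else: direct to MX
}

# Three constructed smtp_sasl_password_maps tables.  The key must match the
# next-hop as written in the transport entry (with [] and :port) or the
# server hostname; a sender-keyed table only works with
# smtp_sender_dependent_authentication, which is not modelled here.
SASL_PASSWD_OK = {"[mail.isp.example]:587": "tobi:example-secret"}
SASL_PASSWD_HOST_ONLY = {"mail.isp.example": "tobi:example-secret"}
SASL_PASSWD_BY_SENDER = {"tobi@home.example": "tobi:example-secret"}


def transport_keys(recipient: str):
    """Lookup keys in transport(5) order: user+ext@domain, user@domain, domain,
    dotted parent domains (.parent.tld, the form used when transport_maps is
    not listed in parent_domain_matches_subdomains), then '*'."""
    local, _, domain = recipient.rpartition("@")
    keys = [recipient]
    if "+" in local:
        keys.append(local.split("+", 1)[0] + "@" + domain)
    keys.append(domain)
    labels = domain.split(".")
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    keys.append("*")
    return keys


def resolve_transport(recipient: str, table=TRANSPORT_MAP):
    """Return (matched_key, transport, nexthop) for a recipient, or None."""
    for key in transport_keys(recipient):
        if key in table:
            transport, _, nexthop = table[key].partition(":")
            return key, transport, nexthop
    return None


def sasl_credentials(nexthop, server_hostname, passwd_map):
    """Credential lookup: next-hop destination first (assumed order), then the
    server hostname.  None means the client will talk to the relay without AUTH."""
    for key in (nexthop, server_hostname):
        if key and key in passwd_map:
            return passwd_map[key]
    return None


def plan_delivery(recipient: str, passwd_map):
    """Combine both lookups: where the mail goes and whether AUTH will happen."""
    key, transport, nexthop = resolve_transport(recipient)
    # Derive the bare hostname from "[host]:port" / "host:port" / "host".
    host = nexthop.rsplit(":", 1)[0] if ":" in nexthop else nexthop
    host = host.strip("[]") or None
    return {
        "matched": key,
        "transport": transport,
        "nexthop": nexthop or "(recipient domain MX)",
        "auth": sasl_credentials(nexthop, host, passwd_map),
    }


if __name__ == "__main__":
    for table in (SASL_PASSWD_OK, SASL_PASSWD_HOST_ONLY, SASL_PASSWD_BY_SENDER):
        print(plan_delivery("friend@strict-domain.example", table))
    print(plan_delivery("someone@other.example", SASL_PASSWD_OK))
```

The practical check this suggests: compare the next-hop string in the transport entry with the keys in the password file character for character, and remember to rebuild the `.db` files with `postmap` after editing either table.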


Re: A question about Postfix and virus scanning

2009-11-30 Thread Stan Hoeppner
Eero Volotinen put forth on 11/30/2009 2:14 AM:
> Quoting Ali Majdzadeh :
> 
>> Stan,
>> Hi
>> Thanks for your detailed response. Actually, the main reason which
>> drove us
>> toward performing virus scanning as an offline process was
>> performance. As
>> we deal with large amounts of e-mails, we found the way amavisd-new or
>> other
>> filtering management tools perform filtering too slow. We intended to
>> somehow decrease the amount of load which amavisd-new or similar tools
>> impose on the architecture.
> 
> You can easily set up an SMTP cluster for email filtering and scanning.

Agreed.  But, due to the fact that the OP is sending from a Gmail
account, it's not possible for me to investigate his current MX setup in
DNS.  Being able to do so would allow me to give more concise
information relating to his particular needs.  That said...

Assuming he doesn't already have an MX cluster, scaling out with a DNS
based round robin MX cluster should do the trick.  This will distribute
the entire inbound mail load (including virus scanning running on each
host) across X machines.  Depending on the OP's mail stream, he may or
may not get (perfectly) even distribution across the MX hosts, but at
the least he will keep one host from being clobbered all the time.  If
need be, increase X until a generally acceptable load across the hosts
in the MX cluster is found.  If the OP is currently running a single MX
host, merely adding one more 'identical' host and doing the DNS
balancing act will likely solve the OP's load problem.

Short tutorial on DNS load balancing of MX hosts:
http://www.zytrax.com/books/dns/ch9/rr.html

Keep in mind that this requires identical Postfix configurations so all
the MX cluster hosts process all mail in exactly the same way--nexthop,
user lookup, filter rules, virus scanning, etc, must all be identical.
The only real differences will be the local host name and IP address.

Hope this points the OP in the right direction.

--
Stan


RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
I tried to setup an access map and reject a specific user.  But the mails to
that user are not rejected.  I tried adding the access map in a few
different places in the configuration, so far none worked.  It shows up in
the smtpd_recipient_restrictions line below.   Can anyone see what I did
wrong?:

My access map file has:
mailli...@mydomain.com  550 REJECT 

The corresponding access.db file is built and fresh

But mails to mailli...@mydomain.com get through without issue.


postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = xxx
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = x
mydestination = $myhostname,  localhost.$mydomain,  localhost,  $mydomain
mydomain = companypostoffice.com
myhostname = tn1.companypostoffice.com
mynetworks = localhost,$localdomain, xx.xx.xx.xx/32, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = differentdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining,  permit
smtpd_helo_required = yes
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname,  reject_non_fqdn_sender,
reject_non_fqdn_recipient,  permit_mynetworks,  reject_unauth_destination,
check_recipient_mx_access hash:/etc/postfix/mx_access,
check_sender_mx_access hash:/etc/postfix/mx_access,
reject_unknown_sender_domain,  check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre,  check_helo_access
hash:/etc/postfix/helo_checks,  check_sender_access
hash:/etc/postfix/sender_checks,  check_client_access
hash:/etc/postfix/client_checks,  check_client_access
pcre:/etc/postfix/client_checks.pcre,  check_client_access
hash:/etc/postfix/access  reject_rbl_client list.dsbl.org,
reject_rbl_client zen.spamhaus.org,  reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client psbl.surriel.com,  reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket,  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users



 

>-Original Message-
>From: owner-postfix-us...@postfix.org 
>[mailto:owner-postfix-us...@postfix.org] On Behalf Of techlist06
>Sent: Tuesday, November 24, 2009 8:14 AM
>To: postfix-users@postfix.org
>Subject: Bounce a particular recipient address with specified 
>reject message
>
>Greetings:
>
>I have what I expect is a simple question for you guys.  
>Thanks to Ralphs
>book and the help here I have a many-year stable postfix 
>configuration, love
>it, don't mess with it.
>
>I have a very small hobby-based mailing list I maintain 
>manually in Outlook.
>Although all maillist messages I send out include a footer asking the
>recipients to not reply to that maillist messages, the users 
>will reply to
>the maillist messages occasionally and I would prefer they 
>only reply to my
>other addresses.  I can change the reply to address in Outlook 
>to an invalid
>one, and it will reject it back to the sender with "not in virtual user
>table" but I don't wan that bounce message for this particular case.
>
>Instead, I would like to setup postfix so it has a more 
>friendly reject for
>mail sent to (via replys to my messages) "maill...@mydomain.com" with a
>particular reject message that instructs the user on what 
>address(es) to use
>to better contact me.  Something similar to :
>
>550 reject The email address maill...@mydomain.com does not 
>accept inbound
>mail.  Please use one of these addresses for contacting us: maillist
>unsubsubscribe: rem...@mydomain.com, support issues: 
>supp...@my

Re: Blocking From Certain domain to Certain User

2009-11-30 Thread Stan Hoeppner
Marky Yehezkiel (SNC) put forth on 11/30/2009 7:47 AM:
> Dear All,
> 
> I am using postfix and I don’t know if my question already posted it
> before or not, I have problem that I need to blocking from certain
> domain such as facebook.com to my certain user (x...@satnetcom.com
> ), I have searched Google but with no luck; I tried
> using header_checks with condition if and transport still no luck.

You might be able to do this with a PCRE in
smtpd_recipient_restrictions.  These however usually trigger on a single
match, and you need to trigger on strictly a double match.  I'm no regex
expert.  Maybe someone here can help you out.

This issue relates to a single user.  Is there a reason why you can't
merely implement this as an MUA rule?  MTAs usually deal with site wide
mail issues, not individual email address rules.

If you have a problem user whom you are attempting to take disciplinary
action against, I suggest that attempting to use Postfix to deprive that
user of his/her Facebook email is not the best way to accomplish this
goal.  Employee/student behavioral problems can only be properly
addressed by management or administration policy and action.

Many schools and businesses null route social networking sites' IP
ranges at the edge, denying _everyone_ access to said sites.  The reason
being that this type of social networking should not be stealing time
from the classroom or workplace.

--
Stan
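Two threads above turn on the same mechanism: which lookup keys an access(5) table is searched with. Scott's table is keyed by a recipient address but attached to check_client_access, whose keys are the client hostname, its parent domains and the client IP prefixes, so a recipient address can never match there; check_recipient_access is the restriction that searches with the recipient. Marky's per-user block of one sending domain is what Postfix restriction classes are for: check_recipient_access maps the mailbox to a class name listed in smtpd_restriction_classes, and that class runs its own check_sender_access (RESTRICTION_CLASS_README). The evaluator below is an example added here, not code from the thread or from Postfix; it reproduces the documented key order and the restriction-list walk on constructed tables (all addresses, domains and client names are placeholders).

```python
def address_keys(addr, parent_matches_subdomains=True):
    """access(5) lookup keys for an email address, in the order smtpd tries
    them: user@domain, domain, parent domains, user@.  With smtpd_access_maps
    listed in parent_domain_matches_subdomains (the default) a bare parent
    domain matches its subdomains; otherwise the dotted form .parent is used."""
    local, _, domain = addr.rpartition("@")
    keys = [addr, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")
    return keys


def client_keys(hostname, ip, parent_matches_subdomains=True):
    """access(5) lookup keys for the connecting client: hostname, its parent
    domains, then the IP address and shorter network prefixes.  An email
    address stored in such a table can never match."""
    keys = [hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        keys.append(".".join(octets[:n]))
    return keys


def evaluate(restrictions, ctx, classes=None, parent_matches_subdomains=True):
    """Walk a restriction list the way smtpd does.  Each check_*_access does one
    table lookup; OK permits, REJECT/5xx text rejects, DUNNO or no hit moves
    on.  A hit whose value names a restriction class runs that class's own
    list in place (Postfix: smtpd_restriction_classes)."""
    classes = classes or {}
    for restriction in restrictions:
        if restriction == "permit":
            return "permit"
        kind, table = restriction
        if kind == "check_client_access":
            keys = client_keys(ctx["client_name"], ctx["client_ip"], parent_matches_subdomains)
        elif kind == "check_sender_access":
            keys = address_keys(ctx["sender"], parent_matches_subdomains)
        elif kind == "check_recipient_access":
            keys = address_keys(ctx["recipient"], parent_matches_subdomains)
        else:
            raise ValueError("unsupported restriction: " + kind)
        action = next((table[k] for k in keys if k in table), None)
        if action is None or action == "DUNNO":
            continue
        if action in classes:
            result = evaluate(classes[action], ctx, classes, parent_matches_subdomains)
            if result != "DUNNO":
                return result
            continue
        if action.upper() == "OK":
            return "permit"
        return action  # "REJECT ..." or "5xx ..." text as written in the table
    return "DUNNO"


# Constructed tables; every address, domain and host name is a placeholder.
REPLY_TRAP = {"list-reply@example.com":
              "550 This address does not accept inbound mail; write to help@example.com"}
PER_USER_RULES = {"blocked-user@example.com": "no_social"}
SOCIAL_SENDERS = {"facebook.com": "REJECT Social-network mail is not accepted for this mailbox"}
CLASSES = {"no_social": [("check_sender_access", SOCIAL_SENDERS)]}


def reply_trap_result(use_recipient_check):
    """The same recipient-keyed table under check_client_access (never matches,
    the keys tried are host names and IPs) versus check_recipient_access."""
    kind = "check_recipient_access" if use_recipient_check else "check_client_access"
    ctx = {"client_name": "mx.sender.example", "client_ip": "192.0.2.10",
           "sender": "someone@sender.example", "recipient": "list-reply@example.com"}
    return evaluate([(kind, REPLY_TRAP), "permit"], ctx)


def per_user_sender_block(sender, recipient):
    """One mailbox refuses one sending domain (and its subdomains); every other
    recipient and every other sender fall through to permit."""
    ctx = {"client_name": "out.sender.example", "client_ip": "192.0.2.20",
           "sender": sender, "recipient": recipient}
    return evaluate([("check_recipient_access", PER_USER_RULES), "permit"], ctx, CLASSES)
```

In a real main.cf the second scenario is `smtpd_restriction_classes = no_social`, `no_social = check_sender_access hash:/etc/postfix/social_senders`, and a `check_recipient_access hash:/etc/postfix/per_user_rules` entry placed in smtpd_recipient_restrictions before the final permit; placing either check after the trailing `permit` means it is never reached, which is the ordering question Scott raised.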


Re: A question about Postfix and virus scanning

2009-11-30 Thread Michael Katz

Stan Hoeppner wrote:

Eero Volotinen put forth on 11/30/2009 2:14 AM:

Quoting Ali Majdzadeh :


Stan,
Hi
Thanks for your detailed response. Actually, the main reason which
drove us
toward performing virus scanning as an offline process was
performance. As
we deal with large amounts of e-mails, we found the way amavisd-new or
other
filtering management tools performing filtering too slow. We intended to
somehow decrease the amount of load which amavisd-new or similar tools
impose on the architecture.



There are many filtering Postfix AV solutions that are far more
efficient than Amavisd and many AV scanners that are considerably more
scalable than clamav such.  A few years ago we did some detailed testing
between ClamAV and commercial av scanners and the difference was huge in
terms of load reduction and throughput. In our tests we have found that
the biggest performance limitation in Postfix for AV/AS scanning,
assuming you have removed bottlenecks that amavisd and clamav introduce,
is from having to copy messages out of the queue to scan. Some
commercial email platforms allow for scanning in memory rather than
requiring copying files and these platforms, in our test, far outscale
Postfix for filtering over 100 messages/second.


Mike Katz
http://mailspect.com



>> You can easily set up an SMTP cluster for email filtering and scanning.


> Agreed.  But, due to the fact that the OP is sending from a Gmail
> account, it's not possible for me to investigate his current MX setup in
> DNS.  Being able to do so would allow me to give more concise
> information relating to his particular needs.  That said...
>
> Assuming he doesn't already have an MX cluster, scaling out with a DNS
> based round robin MX cluster should do the trick.  This will distribute
> the entire inbound mail load (including virus scanning running on each
> host) across X machines.  Depending on the OP's mail stream, he may or
> may not get (perfectly) even distribution across the MX hosts, but at
> the least he will keep one host from being clobbered all the time.  If
> need be, increase X until a generally acceptable load across the hosts
> in the MX cluster is found.  If the OP is currently running a single MX
> host, merely adding one more 'identical' host and doing the DNS
> balancing act will likely solve the OP's load problem.
>
> Short tutorial on DNS load balancing of MX hosts:
> http://www.zytrax.com/books/dns/ch9/rr.html
>
> Keep in mind that this requires identical Postfix configurations so all
> the MX cluster hosts process all mail in exactly the same way--nexthop,
> user lookup, filter rules, virus scanning, etc, must all be identical.
> The only real differences will be the local host name and IP address.
>
> Hope this points the OP in the right direction.
>
> --
> Stan







Re: Something like address based relay just the other way around

2009-11-30 Thread Wietse Venema
tobi:
[ Charset ISO-8859-1 unsupported, converting... ]
> Wietse Venema schrieb:
> > Tobi:
> >   
> >> Hello
> >>
> >> I just wonder whether my idea is technically possible to fullfill with
> >> Postfix. I already use sender based relaying which works fine.
> >> My problem is that I'm running a Postfix Server on my dynamic IP-Address. I
> >> would say for 80% of the receivers is no problem to send the emails
> >> directly (direct-mx). Some domains or receivers do not accept this due to
> >> dynamic IP block. No problem I thought I could set up a receiver-based
> >> relay, but unfortunatly I did not find anything about it in Postfix doc
> >> (maybe I looked for the wrong keywords).
> >
> > See this URL: http://www.postfix.org/transport.5.html 
> >
> > If I am not mistaken, this has precedence over sender-dependent features.
> 
> I tried according to Wietse's link to the manual and it works 50% ;-)
> The email is properly forwarded according to receivers domain with the
> values in transport conf file
> But now Postfix has no user details to perform a SMTP Authentication at
> the defined relay server. smtp tries to relay without auth which my
> providers server don't like. If I'm using sender_dependent_relay then

Then you made too many transport map entries.

Wietse



Re: Bounce a particular recipient address with specified reject message

2009-11-30 Thread Stan Hoeppner
techlist06 put forth on 11/30/2009 1:59 PM:
> I tried to setup an access map and reject a specific user.  But the mails to
> that user are not rejected.  I tried adding the access map in a few
> different places in the configuration, so far none worked.  It shows up in
> the smtpd_recipient_restrictions line below.   Can anyone see what I did
> wrong?:

Yes, you have:

check_client_access hash:/etc/postfix/access

which is wrong for matching email addresses:

check_client_access type:table
Search the specified access database for the client hostname, parent
domains, client IP address, or networks obtained by stripping least
significant octets. See the access(5) manual page for details.


You need check_recipient_access type:table

check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT TO
address, domain, parent domains, or localpart@, and execute the
corresponding action.

Example:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/access

/etc/postfix/access
mailli...@mydomain.com  550 REJECT

Also, postmap /etc/postfix/access every time you make changes to it.  If
you did not reload postfix after creating the access file and adding it
to main.cf, you also need to restart postfix.

> My access map file has:
> mailli...@mydomain.com  550 REJECT 
> 
> The corresponding access.db file is built and fresh
> 
> But mails to mailli...@mydomain.com get through without issue.

BTW, if you are trying to block all access to this email address, why
not just remove it from your list(s) of valid recipients?  Did I miss
something earlier in the thread?

--
Stan


Re: A question about Postfix and virus scanning

2009-11-30 Thread Eero Volotinen

Michael Katz wrote:

> There are many filtering Postfix AV solutions that are far more
> efficient than Amavisd and many AV scanners that are considerably more
> scalable than clamav such.  A few years ago we did some detailed testing
> between ClamAV and commercial av scanners and the difference was huge in
> terms of load reduction and throughput. In our tests we have found that
> the biggest performance limitation in Postfix for AV/AS scanning,
> assuming you have removed bottlenecks that amavisd and clamav introduce,
> is from having to copy messages out of the queue to scan. Some
> commercial email platforms allow for scanning in memory rather than
> requiring copying files and these platforms, in our test, far outscale
> Postfix for filtering over 100 messages/second.


Maybe you can list some of the best alternatives on the commercial side
for Postfix mail scanning?


--
Eero


Re: A question about Postfix and virus scanning

2009-11-30 Thread Stan Hoeppner
Michael Katz put forth on 11/30/2009 2:45 PM:

> There are many filtering Postfix AV solutions that are far more
> efficient than Amavisd and many AV scanners that are considerably more
> scalable than clamav such.  A few years ago we did some detailed testing
> between ClamAV and commercial av scanners and the difference was huge in
> terms of load reduction and throughput. In our tests we have found that
> the biggest performance limitation in Postfix for AV/AS scanning,
> assuming you have removed bottlenecks that amavisd and clamav introduce,
>  is from having to copy messages out of the queue to scan. Some
> commercial email platforms allow for scanning in memory rather than
> requiring copying files and these platforms , in our test, far outscale
> Postfix for filtering over a 100 messages/second.

I'm pretty sure I recall Wietse saying that third party software
accessing queue files is forbidden, as he provides no supported API for
doing so.  IIRC, products that do this void the Postfix support warranty,
such as Mailscanner.

> Mike Katz
> http://mailspect.com

The cost of a modern plenty powerful (CPU/memory) 1U server with a
couple of fast sata disks is around $1000-2000, paid _once_ with no
recurring licensing fees as all the software is FOSS, with minimal power
usage, maybe $100/year.  What's the license + maintenance cost of any of
these commercial A/V solutions for *nix/Postfix?  I'm just betting the
commercial A/V outlay is probably more than a 2nd box, especially over
3-5 years.  No?

--
Stan


Re: Something like address based relay just the other way around

2009-11-30 Thread tobi
Wietse Venema schrieb:
> tobi:
> [ Charset ISO-8859-1 unsupported, converting... ]
>   
>> Wietse Venema schrieb:
>> 
>>> Tobi:
>>>   
>>>   
>>>> Hello
>>>>
>>>> I just wonder whether my idea is technically possible to fulfill with
>>>> Postfix. I already use sender based relaying which works fine.
>>>> My problem is that I'm running a Postfix Server on my dynamic IP-Address. I
>>>> would say for 80% of the receivers it is no problem to send the emails
>>>> directly (direct-mx). Some domains or receivers do not accept this due to
>>>> dynamic IP block. No problem, I thought I could set up a receiver-based
>>>> relay, but unfortunately I did not find anything about it in the Postfix doc
>>>> (maybe I looked for the wrong keywords).
>>>>
>>> See this URL: http://www.postfix.org/transport.5.html 
>>>
>>> If I am not mistaken, this has precedence over sender-dependent features.
>>>   
>> I tried according to Wietse's link to the manual and it works 50% ;-)
>> The email is properly forwarded according to receivers domain with the
>> values in transport conf file
>> But now Postfix has no user details to perform a SMTP Authentication at
>> the defined relay server. smtp tries to relay without auth which my
>> providers server don't like. If I'm using sender_dependent_relay then
>> 
>
> Then you made too many transport map entries.
>
>   Wietse
>
>   
Thanks for your patience :-)
But I only have two entries in transport which look like this

cat /opt/etc/postfix/transport | grep -v "#"
postfix.org smtp:[smtp.mysip.ch]:587
domain.tld smtp:[smtp.myotherisp.ch]:587

And only once in the config (main.cf transport_maps...).
I can see the unauthorized relay attempts with myisp.ch/myotherisp.ch in
the Postfix logs. So I assume that no login credentials were used. Is
transport meant to use the data from sender_relay and sasl_passwd files
to login to the relay servers?

Regards

tobi


RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
> You have:
> check_client_access hash:/etc/postfix/access
> which is wrong for matching email addresses:

Thanks, that fixed my error.

> check_recipient_access hash:/etc/postfix/access
> BTW, if you are trying to block all access to this email address, why
> not just remove it from your list(s) of valid recipients?  Did I miss
> something earlier in the thread?

I was wanting to give a specific reject message for a particular address.
It's a small, manually maintained maillist.  I don't want the subscribers to
reply to the "reply to" address, but I didn't want to reject mails without a
friendlier explanation of where they should reply.  An auto-reply with
reject I guess.

I expect there is a better way to do the same; this seems to work OK.



Re: A question about Postfix and virus scanning

2009-11-30 Thread Stan Hoeppner
Eero Volotinen put forth on 11/30/2009 2:59 PM:
> Michael Katz wrote:
> 
>> There are many filtering Postfix AV solutions that are far more
>> efficient than Amavisd and many AV scanners that are considerably more
>> scalable than clamav such.  A few years ago we did some detailed
>> testing between ClamAV and commercial av scanners and the difference
>> was huge in terms of load reduction and throughput. In our tests we
>> have found that the biggest performance limitation in Postfix for
>> AV/AS scanning, assuming you have removed bottlenecks that amavisd and
>> clamav introduce,  is from having to copy messages out of the queue to
>> scan. Some commercial email platforms allow for scanning in memory
>> rather than requiring copying files and these platforms , in our test,
>> far outscale Postfix for filtering over a 100 messages/second.
> 
> Maybe You can list some of the best alternatives on commercial side for
> postfix mailscanning?

I just re-read his message.  I don't believe he's actually talking about
AV/AS addons for Postfix.  I think he's talking about "complete"
commercial edge solutions, ala Astaro, Barracuda, IronPort, et al.

"Some commercial email platforms...far outscale Postfix"

Michael Katz is a commercial vendor, so it makes sense that he'd want to
sell you a completely new "solution", not a paltry commercial AV addon
for a FOSS mailer.

--
Stan


Re: Bounce a particular recipient address with specified reject message

2009-11-30 Thread Stan Hoeppner
techlist06 put forth on 11/30/2009 3:14 PM:
>> You have:
>> check_client_access hash:/etc/postfix/access
>> which is wrong for matching email addresses:
> 
> Thanks, that fixed my error.
> 
>> check_recipient_access hash:/etc/postfix/access
>> BTW, if you are trying to block all access to this email address, why
>> not just remove it from your list(s) of valid recipients?  Did I miss
>> something earlier in the thread?
> 
> I was wanting to give a specific reject message for a particular address.
> It's a small, manually maintained maillist.  I don't want the subscribers to
> reply to the "reply to" address, but I didn't want to reject mails without a
> friendlier explanation of where they should reply.  An auto-reply with
> reject I guess.
> 
> I expect there is a better way to do same, this seems to work OK.

So, lemme get this straight.  You changed the list address, but instead
of just sending an email to the list addresses telling all users of the
list address change, you just decided to, in essence, inform them via an
NDR when they send mail to the list?  There have got to be at least 1000
list management how-to's on the web, and not a one would recommend you
do this in this way, and probably all 1000 would say _never_ manage a
list this way...yikes.

--
Stan



RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
> So, lemme get this straight.  You changed the list address, but instead
> of just sending an email to the list addresses telling all users of the
> list address change, you just decided to, in essence, inform them via an
> NDR when they send mail to the list?  There have got to be at least 1000
> list management how-to's on the web, and not a one would recommend you
> do this in this way, and probably all 1000 would say _never_ manage a
> list this way...yikes.

No I didn't change the list address.  It is not a "mail list" like this one,
more of an "announcement list".  It is not a 2-way mailing list.  The
subscribers don't send anything to it for other subscribers to see.  It's
used rarely to send announcements of event cancellations, etc.  About 1000
subscribers manually maintained.  But, the users tend to start a (unrelated)
communication with us  via replying to that announcement list's "reply to"
address since that is where they last received a message from us.  And so
their message does not go to the right person, it goes to the source address
of the announcement and we have to sort through them and direct the message
to where it should have gone to start with.  We just want to tell subscribers
who incorrectly send to the announcement list address to use one of the
"correct" addresses to communicate with us, not reply to the
announcement list.  See?  FWIW, we tell them not to do it with a footer and
header on every announcement email, but they do it anyway.  I'm sure there
is a better way; this seemed easy enough to implement.  Perhaps an
auto-reply type setup to that particular address.  I looked at those and
they looked more difficult to set up.  I'd be grateful for better
suggestions. I'll look for a better way to notify them.

Thanks very much for the help.





Re: How to make the original mail show a correct addresser?

2009-11-30 Thread mouss
yuzifu a écrit :
> I use the mail service of google apps now, I have pointed to
> mydomain.com  MX record to google apps, but it is
> too slow, so I install a POSTFIX server in my LAN.
> My domain is a "mydomain.com ",
> "i...@mydomain.com/mypasswd " is my
> google apps account.
> 
> I have already set in the /etc/postfix/main.cf 
> =begin==
> myhostname = server.mydomain.com 
> myorigin = mydomain.com 
> relayhost = [smtp.gmail.com ]:587
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> .
> .
> .
> =end===
> 
> set in the /etc/postfix/sasl_passwd
> =begin==
> [smtp.gmail.com ]:587   i...@mydomain.com:mypasswd
> 
> =end===
> 
> Now, i can use MUA send a mail with POSTFIX in my LAN,
> but, the "From: " of mail always i...@mydomain.com
> , when I use any account number in LAN.
> 
> -- 

you'll see some  things above: this is because you didn't use the
"text" button on gmail.

anyway, the From: header is set by your mailer (thunderbird, outlook,
whatever). postfix is an MTA: it doesn't care about what headers your
mailer sets. the role of an MTA is mail routing, not mail composition.


Re: A question about Postfix and virus scanning

2009-11-30 Thread Wietse Venema
Stan Hoeppner:
> Michael Katz put forth on 11/30/2009 2:45 PM:
> 
> > There are many filtering Postfix AV solutions that are far more
> > efficient than Amavisd and many AV scanners that are considerably more
> > scalable than clamav such.  A few years ago we did some detailed testing
> > between ClamAV and commercial av scanners and the difference was huge in
> > terms of load reduction and throughput. In our tests we have found that
> > the biggest performance limitation in Postfix for AV/AS scanning,
> > assuming you have removed bottlenecks that amavisd and clamav introduce,
> >  is from having to copy messages out of the queue to scan. Some
> > commercial email platforms allow for scanning in memory rather than
> > requiring copying files and these platforms , in our test, far outscale
> > Postfix for filtering over a 100 messages/second.
> 
> I'm pretty sure I recall Wietse saying that third party software
> accessing queue files is forbidden, as he provides no supported API for
> dong so.  IIRC, products that do this void the Postfix support warranty,
> such as Mailscanner.

However, I am willing to negotiate an API that would be supported
(but I don't recall getting input on that). 

The closest we have at this point is the Milter protocol which can
inspect and update email messages on arrival, without compromising
transactional safety, and with only minimal file system overhead
(no copying from one file to another).

> > Mike Katz
> > http://mailspect.com
> 
> The cost of a modern plenty powerful (CPU/memory) 1U server with a
> couple of fast sata disks is around $1000-2000, paid _once_ with no
> recurring licensing fees as all the software is FOSS, with minimal power
> usage, maybe $100/year.  What's the license + maintenance cost of any of
> these commercial A/V solutions for *nix/Postfix?  I'm just betting the
> commercial A/V outlay is probably more than a 2nd box, especially over
> 3-5 years.  No?

I think that there is no need to be hostile towards commercial
solutions (or, at least, to hold IT solutions to different standards
than all the other things that we are paying for without
getting upset).

Wietse


postfix gateway with empty relay_recipient_maps plus VRFY

2009-11-30 Thread Udo Rader

Hi,

I know this issue has been discussed quite often, but nevertheless I am
just wondering if something is possible to circumvent the missing
list of recipients.


Imagine a situation where there is a main postfix gateway used for spam 
defence, transporting successfully passed emails to their end points 
defined in transport_maps.


Without knowledge about the valid email addresses that each transport 
endpoint supports, the main gateway will just have to accept any email 
address for any defined transport endpoint domain.


Now what I am wondering is whether it would be possible for the main gateway
to use the SMTP "VRFY" command with the transport endpoints before actually
sending an email to them.


That way we could get rid of the potentially huge relay_recipient_maps.

Is this doable?

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com


Re: Something like address based relay just the other way around

2009-11-30 Thread tobi
tobi schrieb:
> Wietse Venema schrieb:
>   
>> tobi:
>> [ Charset ISO-8859-1 unsupported, converting... ]
>>   
>> 
>>> Wietse Venema schrieb:
>>> 
>>>   
>>>> Tobi:
>>>>
>>>>> Hello
>>>>>
>>>>> I just wonder whether my idea is technically possible to fulfill with
>>>>> Postfix. I already use sender based relaying which works fine.
>>>>> My problem is that I'm running a Postfix Server on my dynamic IP-Address.
>>>>> I would say for 80% of the receivers it is no problem to send the emails
>>>>> directly (direct-mx). Some domains or receivers do not accept this due to
>>>>> dynamic IP block. No problem, I thought I could set up a receiver-based
>>>>> relay, but unfortunately I did not find anything about it in the Postfix doc
>>>>> (maybe I looked for the wrong keywords).
>>>>>
>>>> See this URL: http://www.postfix.org/transport.5.html
>>>>
>>>> If I am not mistaken, this has precedence over sender-dependent features.
>>>>
>>> I tried according to Wietse's link to the manual and it works 50% ;-)
>>> The email is properly forwarded according to receivers domain with the
>>> values in transport conf file
>>> But now Postfix has no user details to perform a SMTP Authentication at
>>> the defined relay server. smtp tries to relay without auth which my
>>> providers server don't like. If I'm using sender_dependent_relay then
>>> 
>>>   
>> Then you made too many transport map entries.
>>
>>  Wietse
>>
>>   
>> 
> Thanks for your patience :-)
> But I only have two entries in transport which look like this
>
> cat /opt/etc/postfix/transport | grep -v "#"
> postfix.org smtp:[smtp.mysip.ch]:587
> domain.tld smtp:[smtp.myotherisp.ch]:587
>
> And only once in the config (main.cf transport_maps...).
> I can see the unauthorized relay attempts with myisp.ch/myotherisp.ch in
> the Postfix logs. So I assume that no login credentials were used. Is
> transport meant to use the data from sender_relay and sasl_passwd files
> to login to the relay servers?
>
> Regards
>
> tobi
>   
Problem found 30cm in front of the screen.
After changing the transport

postfix.org smtp:[smtp.mysip.ch]:submission
domain.tld smtp:[smtp.myotherisp.ch]:submission

it works. I thought :587 would be the same as :submission
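An added example (not tobi's configuration) of keeping the transport next-hop and the SASL credential key consistent: the Postfix SMTP client looks up smtp_sasl_password_maps first by the next-hop string exactly as written in the transport entry, then by the remote server's hostname (this is the lookup order as I understand it from the Postfix SASL_README), so "[smtp.mysip.ch]:587" and "[smtp.mysip.ch]:submission" are two different keys and a credential stored under one is never found under the other. Hostnames and credentials are placeholders.

```conf
# /opt/etc/postfix/transport  (added example; hosts are placeholders)
# Recipient-domain routing; the next-hop is written as [host]:port-or-service.
postfix.org    smtp:[smtp.mysip.ch]:submission
domain.tld     smtp:[smtp.myotherisp.ch]:submission

# /opt/etc/postfix/sasl_passwd  (credentials are placeholders; keep it mode 600)
# Each key must match the transport next-hop byte for byte, including the
# brackets and the port/service name: ":587" and ":submission" are not equal.
[smtp.mysip.ch]:submission        user1@mysip.ch:PLACEHOLDER_PASSWORD
[smtp.myotherisp.ch]:submission   user2@myotherisp.ch:PLACEHOLDER_PASSWORD

# /opt/etc/postfix/main.cf
transport_maps = hash:/opt/etc/postfix/transport
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/opt/etc/postfix/sasl_passwd
# Never send the credential over a plaintext session.
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
```

After running postmap on both files, `postmap -q "[smtp.mysip.ch]:submission" hash:/opt/etc/postfix/sasl_passwd` should print the credential entry; if it prints nothing, the key and the transport next-hop still differ and the client will relay without AUTH, which is exactly what showed up in tobi's logs.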


Re: postfix gateway with empty relay_recipient_maps plus VRFY

2009-11-30 Thread Eero Volotinen

Udo Rader wrote:

> Hi,
>
> I know this issue has been discussed quite often, but nevertheless I am
> just wondering if something is possible to circumvent the missing list
> of recipients.
>
> Imagine a situation where there is a main postfix gateway used for spam
> defence, transporting successfully passed emails to their end points
> defined in transport_maps.
>
> Without knowledge about the valid email addresses that each transport
> endpoint supports, the main gateway will just have to accept any email
> address for any defined transport endpoint domain.
>
> Now what I am wondering is whether it would be possible for the main gateway
> to use the SMTP "VRFY" command with the transport endpoints before actually
> sending an email to them.


I am using address verification callout on our mailproxy with cache. It 
works fine. See documentation at:


http://www.postfix.org/ADDRESS_VERIFICATION_README.html

--
Eero
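As an added example (not Eero's configuration), here is what the cached recipient callout looks like on a gateway that relays for domains whose mailboxes it does not know: reject_unverified_recipient probes the backend listed in transport_maps with a RCPT TO at the time the outside client sends its own RCPT TO, caches the verdict, and rejects the recipient at the gateway's SMTP session when the backend refuses it. Domains and hostnames are placeholders.

```conf
# /etc/postfix/main.cf on the filtering gateway  (added example; values are placeholders)
# Domains accepted and forwarded by this gateway; no per-address list is kept here.
relay_domains = example.com, example.net
transport_maps = hash:/etc/postfix/transport
relay_recipient_maps =

smtpd_recipient_restrictions =
    permit_mynetworks
    # Refuse anything outside relay_domains first, so the gateway never
    # probes a backend for a domain it does not relay for.
    reject_unauth_destination
    # Cached callout to the backend instead of VRFY (which most MTAs disable).
    reject_unverified_recipient

# Persist the verification cache across restarts, so each address is probed
# once per positive/negative expiry window rather than on every message.
address_verify_map = btree:$data_directory/verify_cache
# A backend 5xx on the probe becomes a permanent 550 here instead of the
# default 450; temporary probe failures are still deferred, not rejected.
unverified_recipient_reject_code = 550
# Probe with the null sender so the backend sees a bounce-style probe.
address_verify_sender = <>

# /etc/postfix/transport
example.com    smtp:[mail-internal.example.com]
example.net    smtp:[mail-internal.example.net]
```

Watch the gateway's log for the verify(8) probe results the first time mail for a new address arrives; a backend that greylists or rate-limits the gateway's probes will surface there as deferred recipients.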


Re: postfix gateway with empty relay_recipient_maps plus VRFY

2009-11-30 Thread Udo Rader

Eero Volotinen wrote:

> Udo Rader wrote:
>> Hi,
>>
>> I know this issue has been discussed quite often, but nevertheless I
>> am just wondering if something is possible to circumvent the missing
>> list of recipients.
>>
>> Imagine a situation where there is a main postfix gateway used for
>> spam defence, transporting successfully passed emails to their end
>> points defined in transport_maps.
>>
>> Without knowledge about the valid email addresses that each transport
>> endpoint supports, the main gateway will just have to accept any email
>> address for any defined transport endpoint domain.
>>
>> Now what I am wondering is whether it would be possible for the main gateway
>> to use the SMTP "VRFY" command with the transport endpoints before actually
>> sending an email to them.
>
> I am using address verification callout on our mailproxy with cache. It
> works fine. See documentation at:
>
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html


That was extremely easy, thank you :-)

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com


Re: A question about Postfix and virus scanning

2009-11-30 Thread mouss
Michael Katz a écrit :
> Stan Hoeppner wrote:
>> Eero Volotinen put forth on 11/30/2009 2:14 AM:
>>> Quoting Ali Majdzadeh :
>>>
>>>> Stan,
>>>> Hi
>>>> Thanks for your detailed response. Actually, the main reason which
>>>> drove us toward performing virus scanning as an offline process was
>>>> performance. As we deal with large amounts of e-mails, we found the
>>>> way amavisd-new or other filtering management tools perform filtering
>>>> too slow. We intended to somehow decrease the amount of load which
>>>> amavisd-new or similar tools impose on the architecture.
> 
> 
> There are many filtering Postfix AV solutions that are far more
> efficient than Amavisd and many AV scanners that are considerably more
> scalable than clamav such. 

I'd be happy to see more arguments about this. and please don't tell me
"perl is slow" or the like. I'd like to see more quantitative
measurements (to see which parts need to be improved).


> A few years ago we did some detailed testing
> between ClamAV 

a few years ago, clamav was indeed very "slow". but since then (one year
ago? I don't remember), it progressed. did you redo your tests lately?

and what do the clamav tests have to do with amavisd-new? did you
measure amavisd-new? if so, how? (yes, this is an open question, not a
provocative one).

> and commercial av scanners and the difference was huge in
> terms of load reduction and throughput. In our tests we have found that
> the biggest performance limitation in Postfix for AV/AS scanning,
> assuming you have removed bottlenecks that amavisd and clamav introduce,
>  is from having to copy messages out of the queue to scan. Some
> commercial email platforms allow for scanning in memory rather than
> requiring copying files and these platforms , in our test, far outscale
> Postfix for filtering over a 100 messages/second.
> 


building on FreeBSD 8.0?

2009-11-30 Thread ben
I know there are instructions in the INSTALL document how to "port" 
postfix to "unsupported systems" but I wonder if the list here has any 
help for getting postfix built on newly released FreeBSD 8.0. . .


I tried simply duping the makedefs line for FreeBSD 7:

  FreeBSD.7*)   SYSTYPE=FREEBSD7

 with

  FreeBSD.8*)   SYSTYPE=FREEBSD7

but that (of course) did not work:

. . .
[src/util]
gcc -Wmissing-prototypes -Wformat -DHAS_MYSQL 
-I/usr/local/mysql/include/mysql -DUSE_TLS -I/usr/local/ssl/include 
-DUSE_SASL_AUTH -g -O -I. -DFREEBSD7 -c attr_clnt.c

In file included from attr_clnt.c:77:
/usr/include/unistd.h:329: error: conflicting types for 'closefrom'
./sys_defs.h:1395: error: previous declaration of 'closefrom' was here
*** Error code 1

Stop in /usr/local/src/postfix-2.6.5/src/util.
*** Error code 1

Stop in /usr/local/src/postfix-2.6.5.



Re: Bounce a particular recipient address with specified reject message

2009-11-30 Thread Noel Jones

On 11/30/2009 3:52 PM, techlist06 wrote:

>> So, lemme get this straight.  You changed the list address, but instead
>> of just sending an email to the list addresses telling all users of the
>> list address change, you just decided to, in essence, inform them via an
>> NDR when they send mail to the list?  There have got to be at least 1000
>> list management how-to's on the web, and not a one would recommend you
>> do this in this way, and probably all 1000 would say _never_ manage a
>> list this way...yikes.
>
> No I didn't change the list address.  It is not a "mail list" like this one,
> more of an "announcement list".  It is not a 2-way mailing list.  The
> subscribers don't send anything to it for other subscribers to see.  It's
> used rarely to send announcements of event cancellations, etc.  About 1000
> subscribers manually maintained.  But, the users tend to start a (unrelated)
> communication with us via replying to that announcement list's "reply to"
> address since that is where they last received a message from us.  And so
> their message does not go to the right person, it goes to the source address
> of the announcement and we have to sort through them and direct the message
> to where it should have gone to start with.  We just want to tell subscribers
> who incorrectly send to the announcement list address to use one of the
> "correct" addresses to communicate with us, not reply to the
> announcement list.  See?  FWIW, we tell them not to do it with a footer and
> header on every announcement email, but they do it anyway.  I'm sure there
> is a better way; this seemed easy enough to implement.  Perhaps an
> auto-reply type setup to that particular address.  I looked at those and
> they looked more difficult to set up.  I'd be grateful for better
> suggestions. I'll look for a better way to notify them.
>
> Thanks very much for the help.





The envelope sender where delivery problems are reported can 
be different from the From: header displayed in most email 
clients, which can also be different from the Reply-To: header 
where most mail clients will send if you hit the "Reply" button.


You mustn't block the mail list's envelope sender address; you 
must be able to receive non-delivery notifications.


There's nothing wrong with rejecting incoming mail addressed 
to the mail list "From:" address for an announce-only list.


In your case, it would be a nice touch to add a Reply-To: 
header that points to the human contact or help desk as a 
convenience for your recipients.


Look at this message -- the envelope is 
"owner-postfix-us...@..." the From: displayed by your mail 
client is "Noel Jones", but if you hit your reply button it 
will be addressed to "postfix-us...@..." since I want replies 
to go to the list.



  -- Noel Jones


Re: A question about Postfix and virus scanning

2009-11-30 Thread Stan Hoeppner
Wietse Venema put forth on 11/30/2009 3:56 PM:

>> The cost of a modern plenty powerful (CPU/memory) 1U server with a
>> couple of fast sata disks is around $1000-2000, paid _once_ with no
>> recurring licensing fees as all the software is FOSS, with minimal power
>> usage, maybe $100/year.  What's the license + maintenance cost of any of
>> these commercial A/V solutions for *nix/Postfix?  I'm just betting the
>> commercial A/V outlay is probably more than a 2nd box, especially over
>> 3-5 years.  No?
> 
> I think that there is no need to be hostile towards commercial
> solutions (or, at least, to hold IT solutions to different standards
> than other all the other things that we are paying for without
> getting upset).

My apologies if my tone seemed hostile.  Such was not intended.  I am in
no way against commercial (paid) software.  There is some very good paid
software out there, many for which there is no FOSS equivalent.  I was
merely pointing out that in the OP's case, it would likely be cheaper to
just add another Postfix box, and sticking to software he is already
familiar with.  We know this is a proven, no gotcha, scaling solution.

I am always skeptical of commercial vendors who lurk on the support
lists for FOSS products (skepticism != hostility).  Especially if said
vendors offer no software that integrates with said FOSS product, but
are merely attempting to devour the weak stragglers of the pack,
convincing/converting them to paid solutions that may or may not be
superior or in the best interest of the OP.

In Mike's defense, he's not hard selling on this list and being a pest.
 Though if he was you'd probably boot him, so I'm not sure how much of
this is self control. ;)  No offense Mike.

--
Stan


Re: building on FreeBSD 8.0?

2009-11-30 Thread Reko Turja


--
From: 
Sent: Tuesday, December 01, 2009 12:40 AM
To: 
Subject: building on FreeBSD 8.0?

I know there are instructions in the INSTALL document how to "port"
postfix to "unsupported systems" but I wonder if the list here has
any help for getting postfix built on newly released FreeBSD 8.0. . .


Uhh, good reason for not using the ports system? Been working a treat 
for me in 8.0 betas and RC's.


-Reko 



Re: building on FreeBSD 8.0?

2009-11-30 Thread Stan Hoeppner
b...@electricembers.net put forth on 11/30/2009 4:40 PM:
> I know there are instructions in the INSTALL document how to "port"
> postfix to "unsupported systems" but I wonder if the list here has any
> help for getting postfix built on newly released FreeBSD 8.0. . .

Why not try this, since Sahil has already put so much hard work into it:

http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/postfix-current/

Sahil is a very active member here, so he'll likely chime in before long.

--
Stan


Re: building on FreeBSD 8.0?

2009-11-30 Thread Sahil Tandon
On Mon, 30 Nov 2009, b...@electricembers.net wrote:

> I know there are instructions in the INSTALL document how to "port"
> postfix to "unsupported systems" but I wonder if the list here has
> any help for getting postfix built on newly released FreeBSD 8.0. . .
> 
> I tried simply duping the makedefs line for FreeBSD 7:
> 
>   FreeBSD.7*)   SYSTYPE=FREEBSD7
> 
>  with
> 
>   FreeBSD.8*)   SYSTYPE=FREEBSD7

That should be:

FreeBSD.8*)   SYSTYPE=FREEBSD8

> [src/util]
> gcc -Wmissing-prototypes -Wformat -DHAS_MYSQL
> -I/usr/local/mysql/include/mysql -DUSE_TLS -I/usr/local/ssl/include
> -DUSE_SASL_AUTH -g -O -I. -DFREEBSD7 -c attr_clnt.c
> In file included from attr_clnt.c:77:
> /usr/include/unistd.h:329: error: conflicting types for 'closefrom'
> ./sys_defs.h:1395: error: previous declaration of 'closefrom' was here
> *** Error code 1

You also need to modify src/util/sys_defs.h.  For guidance, see Postfix
2.7 Snapshot 20091115.

-- 
Sahil Tandon 


RE: Blocking From Certain domain to Certain User

2009-11-30 Thread Marky Yehezkiel (SNC)

The reason that I need to do this: I am using an alias email on Postfix, and that
alias distributes email to a few addresses inside it, and many invite emails from
Twitter, Facebook etc. sent to this alias are annoying us. I can't reject
Facebook, Twitter etc. totally, because a lot of email accounts use their
accounts to receive notifications from Facebook and Twitter.

That's why I need some clue or example of how to do this. Does anyone have an example for
this matter? Thank you

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Stan Hoeppner
Sent: Tuesday, December 01, 2009 4:33 AM
To: postfix-users@postfix.org
Subject: Re: Blocking From Certain domain to Certain User

Marky Yehezkiel (SNC) put forth on 11/30/2009 7:47 AM:
> Dear All,
> 
> I am using postfix and I don't know if my question has already been posted
> before or not. I have a problem: I need to block mail from a certain
> domain such as facebook.com to a certain user of mine (x...@satnetcom.com
> ). I have searched on Google but had no luck; I tried
> using header_checks with an if condition and transport, still no luck.

You might be able to do this with a PCRE in
smtpd_recipient_restrictions.  These however usually trigger on a single
match, and you need to trigger on strictly a double match.  I'm no regex
expert.  Maybe someone here can help you out.

This issue relates to a single user.  Is there a reason why you can't
merely implement this as an MUA rule?  MTAs usually deal with site wide
mail issues, not individual email address rules.

If you have a problem user whom you are attempting to take disciplinary
action against, I suggest that attempting to use Postfix to deprive that
user of his/her Facebook email is not the best way to accomplish this
goal.  Employee/student behavioral problems can only be properly
addressed by management or administration policy and action.

Many schools and businesses null route social networking sites' IP
ranges at the edge, denying _everyone_ access to said sites.  The reason
being that this type of social networking should not be stealing time
from the classroom or workplace.

--
Stan



Re: Blocking From Certain domain to Certain User

2009-11-30 Thread Noel Jones

On 11/30/2009 6:56 PM, Marky Yehezkiel (SNC) wrote:


> The reason that I need to do this: I am using an alias email on Postfix, and that
> alias distributes email to a few addresses inside it, and many invite emails from
> Twitter, Facebook etc. sent to this alias are annoying us. I can't reject
> Facebook, Twitter etc. totally, because a lot of email accounts use their
> accounts to receive notifications from Facebook and Twitter.
>
> That's why I need some clue or example of how to do this. Does anyone have an example for
> this matter? Thank you



Here's the general idea, but read the whole document:
http://www.postfix.org/RESTRICTION_CLASS_README.html#internal

  -- Noel Jones
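Applied to this thread, the pattern from that README section looks like the following. This is an added example, not Noel's or the Postfix project's own configuration; the alias address, table file names and class name are constructed.

```conf
# /etc/postfix/main.cf
# Evaluate the per-recipient table only after relay control, so the
# class can never turn this server into an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/recipient_classes

# A restriction class is a named restriction list that a lookup table
# may return as its result. When no sender entry matches, the class
# returns DUNNO and evaluation continues with whatever restrictions
# follow check_recipient_access in the list above.
smtpd_restriction_classes = no_social_notifications
no_social_notifications = check_sender_access hash:/etc/postfix/social_senders

# /etc/postfix/recipient_classes   (constructed alias address)
# Only this alias is put into the class; every other recipient is
# unaffected, which is what keeps Facebook mail flowing to individual users.
team-alias@example.com    no_social_notifications

# /etc/postfix/social_senders
# Keys are matched against the envelope sender (MAIL FROM) domain, and a
# bare domain also matches its subdomains because smtpd_access_maps is in
# parent_domain_matches_subdomains by default. Notification mail often
# uses a different envelope domain than the visible From: header, so take
# the keys from the from=<...> field in your own mail log.
facebook.com    REJECT Social-network notifications are not accepted at this alias
twitter.com     REJECT Social-network notifications are not accepted at this alias
```

Run `postmap` on both hash tables and `postfix reload` afterwards; `postmap -q facebook.com hash:/etc/postfix/social_senders` confirms a key resolves before you reload.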



RE: Blocking From Certain domain to Certain User

2009-11-30 Thread Marky Yehezkiel (SNC)


Thanks noel I will read it carefully 

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Noel Jones
Sent: Tuesday, December 01, 2009 9:06 AM
To: postfix-users@postfix.org
Subject: Re: Blocking From Certain domain to Certain User

On 11/30/2009 6:56 PM, Marky Yehezkiel (SNC) wrote:
>
> The reason that I need to do this: I am using an alias email on Postfix, and that 
> alias distributes email to a few addresses inside it, and many invite emails 
> from Twitter, Facebook etc. sent to this alias are annoying us. I can't reject 
> Facebook, Twitter etc. totally, because a lot of email accounts use their 
> accounts to receive notifications from Facebook and Twitter.
>
> That's why I need some clue or example of how to do this. Does anyone have an example 
> for this matter? Thank you
>

Here's the general idea, but read the whole document:
http://www.postfix.org/RESTRICTION_CLASS_README.html#internal

   -- Noel Jones



RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
Noel:

Thank you.

>The envelope sender where delivery problems are reported can 
>be different from the From: header displayed in most email 
>clients, which can also be different from the Reply-To: header 
>where most mail clients will send if you hit the "Reply" button.
>
>You mustn't block the mail list's envelope sender address; you 
>must be able to receive non-delivery notifications.

>There's nothing wrong with rejecting incoming mail addressed 
>to the mail list "From:" address for an announce-only list.

I believe I understand, and that was exactly what I was setting up, I think.
This is what I had set up to do:
The original message is actually sent from maill...@mydomain.com.  The
envelope sender, as I understand it.

I NEED to know when an announcement message bounces, because that is how I
maintain the list manually, and remove any invalid entries.  When they
bounce, I know they are bad, or I can decide if they've had too many
"mailbox full" replies, etc., and then I remove the bounced address from
the distribution list.  So I have not blocked the envelope sender.

For announcements I send, I have the "Reply-To" set to a different, but
similar, address which is: maillist_nore...@mydomain.com (still trying to get
their attention to not reply to the address).  This is the address I have
blocked in my new access table.

So, if they click on "reply" in their client, the reply message should be
sent to maillist_nore...@mydomain.com.  My end accepts it (through spam
filters), but then rejects the address with my custom reject message via my
new access table with:
maillist_nore...@mydomain.com 550 Do not reply to this address, instead do
this.

I did not add all that detail in my original post to avoid confusing my
original question.  Thanks for the detailed reply and helping me be sure I
wasn't doing something wrong/improper.

Best,
Scott






Re: A question about Postfix and virus scanning

2009-11-30 Thread Thomas Harold

On 11/30/2009 3:11 AM, Ali Majdzadeh wrote:

> Stan, hi. Thanks for your detailed response. Actually, the main reason
> which drove us toward performing virus scanning as an offline process
> was performance. As we deal with large amounts of e-mail, we found
> the way amavisd-new or other filtering management tools perform
> filtering too slow. We intended to somehow decrease the amount of
> load which amavisd-new or similar tools impose on the architecture.



Did you only try virus filtering within amavisd-new, or did you also try
using the clamav-milter at SMTP time?  How much are you blocking at SMTP
time and how much is getting through to amavisd for scoring?

(On a side note, I'm curious whether the new clamav milter in ClamAV
0.95 is faster and better than letting the messages reach amavisd-new.
I use the clamav-milter and have disabled virus scanning on the
amavisd-new side.)
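To wire clamav-milter in at SMTP time as Thomas describes, the Postfix side looks roughly like this. Added example, not from the original post; the socket paths are assumptions and must match the milter's own configuration.

```conf
# /etc/postfix/main.cf
# Socket path is an assumption; it must equal MilterSocket in
# clamav-milter.conf. If smtpd runs chrooted (see master.cf), the socket
# must be reachable inside the chroot, or use an inet: address instead.
smtpd_milters         = unix:/var/run/clamav/clamav-milter.ctl
# Also scan mail submitted locally via sendmail(1)/pickup.
non_smtpd_milters     = $smtpd_milters
# Fail closed: if the milter is unreachable, defer with 4xx rather than
# accept unscanned mail. tempfail is the Postfix default; "accept" would
# fail open and let mail through unscanned while ClamAV is down.
milter_default_action = tempfail

# /etc/clamav/clamav-milter.conf (constructed; option names are the
# standard clamav-milter ones, paths are assumptions)
MilterSocket unix:/var/run/clamav/clamav-milter.ctl
ClamdSocket  unix:/var/run/clamav/clamd.ctl
# Reject infected mail during the SMTP transaction, so it is never
# written to a mailbox or queued for a later scan.
OnInfected   Reject
# If clamd cannot be reached, defer instead of accepting.
OnFail       Defer
RejectMsg    Message refused: %v found
AddHeader    Replace
LogSyslog    yes
```

With this in place, mail rejected by the milter shows up in the Postfix log as a 5xx reject during DATA and never reaches amavisd-new or the mailbox.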


Re: building on FreeBSD 8.0?

2009-11-30 Thread LuKreme
On 30-Nov-2009, at 15:40, b...@electricembers.net wrote:
> I know there are instructions in the INSTALL document how to "port" postfix 
> to "unsupported systems" but I wonder if the list here has any help for 
> getting postfix built on newly released FreeBSD 8.0. . .


Did `portinstall postfix` not work?

…worked for me… 

-- 
'They're the cream!'
Rincewind sighed.
'Cohen, they're the cheese.' --Interesting Times



Re: Something like address based relay just the other way around

2009-11-30 Thread Victor Duchovni
On Mon, Nov 30, 2009 at 11:02:22PM +0100, tobi wrote:

> > cat /opt/etc/postfix/transport | grep -v "#"
> > postfix.org smtp:[smtp.mysip.ch]:587
> > domain.tld smtp:[smtp.myotherisp.ch]:587
>
> Problem found 30cm in front of the screen.
> After changing the transport
> 
> postfix.org smtp:[smtp.mysip.ch]:submission
> domain.tld smtp:[smtp.myotherisp.ch]:submission
> 
> it works. I thought :587 would be the same as :submission

It is, essentially; the difference is that ":submission" can break if
your /etc/services is incomplete, NIS is not working, ... while 587
works all the time.

The other difference is that by changing the nexthop, you have also
changed the lookup key for smtp_sasl_password_maps, smtp_tls_policy_maps,
and any other per-destination SMTP client tables.

You may have incorrect data for the ":587" lookup key in some cases.

Finally, changing the table source may have resulted in an actual update
of the index file via "postmap", previously not carried out correctly.
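The key consistency Viktor describes, as an added example that is not part of his reply: the hostnames are the ones quoted above, the main.cf parameters are standard Postfix ones, and the credentials are placeholders.

```conf
# /etc/postfix/transport
postfix.org   smtp:[smtp.mysip.ch]:587
domain.tld    smtp:[smtp.myotherisp.ch]:587

# /etc/postfix/sasl_passwd   (chmod 600, root-owned: it holds secrets)
# The primary lookup key is the nexthop exactly as written in the
# transport table, brackets and port included; the remote hostname is
# only tried as a fallback. "[host]:587" and "[host]:submission" are two
# different keys, so the entries below silently stop matching if the
# transport table is changed to ":submission" without changing them too.
[smtp.mysip.ch]:587        user1:PASSWORD_PLACEHOLDER
[smtp.myotherisp.ch]:587   user2:PASSWORD_PLACEHOLDER

# /etc/postfix/tls_policy
# Same key rule applies to smtp_tls_policy_maps. "secure" requires a
# verified certificate, so credentials are never sent to an impostor.
[smtp.mysip.ch]:587        secure
[smtp.myotherisp.ch]:587   secure

# /etc/postfix/main.cf
transport_maps          = hash:/etc/postfix/transport
smtp_sasl_auth_enable   = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = may
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
```

After editing any of the three tables, run `postmap` on it; an edited source file without a rebuilt .db is exactly the "previously not carried out" case above.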

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: How to make the original mail show a correct addresser?

2009-11-30 Thread Victor Duchovni
On Mon, Nov 30, 2009 at 10:56:04PM +0100, mouss wrote:

> anyway, the From: header is set by your mailer (thunderbird, outlook,
> whatever). postfix is an MTA: it doesn't care about what headers your
> mailer sets. the role of an MTA is mail routing, not mail composition.


But, for internal domains, Postfix can rewrite internal addresses to
external form for outgoing mail. This is done via smtp_generic_maps,
as documented in generic(5) and the address rewriting tutorial.

-- 
Viktor.



Re: A question about Postfix and virus scanning

2009-11-30 Thread Ali Majdzadeh
Dear friends,
Thanks for this nice discussion. Actually, as a project, we are going to
deliver an e-mail architecture which supports over 100 users. We use
Postfix, courier-imap, amavisd-new, spamassassin and clamav and of course
the tools needed to balance the load between multiple instances of the
mentioned tools. We use specmail to test our architecture. Recently, we have
introduced our intended e-mail filtering platform consisting of amavisd-new,
spamassassin and clamav to the architecture and we have observed a significant
delivery time decrease regarding Postfix. As a way out, we thought of
ways which made it possible to do offline virus scanning, but actually we
have found that amavisd-new together with its filtering tools is a serious
performance bottleneck.
I really appreciate suggestions regarding this scenario.

Warm Regards
Ali Majdzadeh Kohbanani

2009/12/1 Thomas Harold 

> On 11/30/2009 3:11 AM, Ali Majdzadeh wrote:
>
>> Stan, hi. Thanks for your detailed response. Actually, the main reason
>> which drove us toward performing virus scanning as an offline process
>> was performance. As we deal with large amounts of e-mail, we found
>> the way amavisd-new or other filtering management tools perform
>> filtering too slow. We intended to somehow decrease the amount of
>> load which amavisd-new or similar tools impose on the architecture.
>>
>>
> Did you only try virus filtering within amavisd-new, or did you also try
> using the clamav-milter at SMTP time?  How much are you blocking at SMTP
> time and how much is getting through to amavisd for scoring?
>
> (On a side note, I'm curious whether the new clamav milter in ClamAV
> 0.95 is faster and better than letting the messages reach amavisd-new.
> I use the clamav-milter and have disabled virus scanning on the
> amavisd-new side.)
>