Snapshot 20091109, queue disk partition sizing

2009-12-04 Thread Stefan Förster
If I understood the release notes correctly, with smtpd_proxy_options
= speed_adjust, each smtpd process will keep the message it's
currently receiving in a temporary file. That seems to imply that
there could be

(number of smtpd processes) * message_size_limit

bytes of queue space allocated in temporary files. I _think_ that this
is not different from a setup without a content filter, which would
mean I don't have to increase the disk partition keeping the queue -
is that assumption correct?


Stefan


Re: Snapshot 20091109, queue disk partition sizing

2009-12-04 Thread Wietse Venema
Stefan Förster:
 If I understood the release notes correctly, with smtpd_proxy_options
 = speed_adjust, each smtpd process will keep the message it's
 currently receiving in a temporary file. That seems to imply that
 there could be
 
 (number of smtpd processes) * message_size_limit
 
 bytes of queue space allocated in temporary files. I _think_ that this
 is not different from a setup without a content filter, which would
 mean I don't have to increase the disk partition keeping the queue -
 is that assumption correct?

By default, Postfix requires 1.5*message_size_limit of free
space before it accepts mail.

Right now, the before-proxy scratch files are put in the incoming
queue, but that may still change.

I didn't change the formula (to 2.5*message_size_limit) for that
reason.

Wietse


SASL plain authentication failed; unable to lookup user record

2009-12-04 Thread JP

i'll guess the solution to my problem will be something simple and
obvious, because i know i ain't the first person to do this, but i've
been staring at it for days and can't see what's wrong.

os x snow leopard server; postfix 2.5.5; dovecot 1.1.17apple0.5

trying to get SMTP auth working via SASL.  using a plain password
scheme and plain auth scheme over SSL.  client is apple mail. 
deliveries are working, and dovecot's pop3s and imaps are working just 
fine.  but when i attempt to use smtp auth, postfix says


SASL plain authentication failed
unable to lookup user record

scoured months worth of list archives and didn't see anything specific 
to this.  other eyes are appreciated!  thanks.


# postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain = example.com
mydomain_fallback = localhost
mynetworks = 127.0.0.0/8,192.168.61.0/24
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
reject
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = plain, login cram-md5
smtpd_recipient_restrictions = permit_sasl_authenticated
permit_mynetworks reject_unauth_destination check_policy_service
unix:private/policy reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile =
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.chain.pem
smtpd_tls_cert_file =
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file =
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
virtual_gid_maps = static:5000
virtual_mailbox_base = /etc/postfix/datastore
virtual_mailbox_domains = osx.example.com
virtual_mailbox_maps = hash:/etc/postfix/datausers
virtual_minimum_uid = 100
virtual_uid_maps = static:5000




# dovecotd -n
# 1.1.17apple0.5: /private/etc/dovecot/dovecot.conf
Warning: fd limit 256 is lower than what Dovecot can use under full load
(more than 456). Either grow the limit or change
login_max_processes_count and max_mail_processes settings
# OS: Darwin 10.2.0 i386  hfs
base_dir: /var/run/dovecot
syslog_facility: local6
protocols: pop3s imaps
ssl_cert_file:
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.cert.pem
ssl_key_file:
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.key.pem
ssl_cipher_list: ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_user: _dovecot
login_process_per_connection: no
max_mail_processes: 200
mail_max_userip_connections(default): 20
mail_max_userip_connections(imap): 20
mail_max_userip_connections(pop3): 10
verbose_proctitle: yes
first_valid_uid: 6
first_valid_gid: 6
mail_access_groups: mail
mail_location: maildir:/etc/postfix/datastore/%d/%n
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_process_sharing: full
mail_max_connections: 5
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
driver: passwd-file
args: username_format=%n /etc/postfix/datastore/%d-passwd
  userdb:
driver: passwd-file
args: username_format=%n /etc/postfix/datastore/%d-passwd
  socket:
type: listen
client:
  path: /var/spool/postfix/private/auth
  mode: 432
  user: postfix
  group: postfix
plugin:
  quota_warning: storage=100%% /usr/libexec/dovecot/quota-exceeded.sh
  quota: maildir:User quota
  sieve: 

remote_header_rewrite_domain ignored

2009-12-04 Thread Ed W
Hi, I'm using postfix 2.5.7 and having some trouble with the server 
domain being appended to incomplete sender addresses.  I have set


# postconf|grep -e rewrite -e append -e myorigin -e mydomain -e local_header
append_at_myorigin = yes
append_dot_mydomain = no
local_header_rewrite_clients =
mydomain = nippynetworks.com
myorigin = $mydomain
remote_header_rewrite_domain =
rewrite_service_name = rewrite


I have amavisd-new installed, but having bumped up the logging I believe 
this is happening on initial submission and not on the re-injection.  
Log files show the client connecting, checking the FROM address and then:


Dec  4 15:33:54 mail1 postfix/smtpd[22858]:  
office.mydomain.com[X.X.X.X]: RCPT TO: asdf

Dec  4 15:33:54 mail1 postfix/smtpd[22858]: extract_addr: input: asdf
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: smtpd_check_addr: addr=asdf
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: send attr request = rewrite
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: send attr rule = local
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: send attr address = asdf
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: private/rewrite socket: 
wanted attribute: flags

Dec  4 15:33:54 mail1 postfix/smtpd[22858]: input attribute name: flags
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: input attribute value: 0
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: private/rewrite socket: 
wanted attribute: address

Dec  4 15:33:54 mail1 postfix/smtpd[22858]: input attribute name: address
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: input attribute value: 
a...@mydomain.com
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: private/rewrite socket: 
wanted attribute: (list terminator)

Dec  4 15:33:54 mail1 postfix/smtpd[22858]: input attribute name: (end)
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: rewrite_clnt: local: asdf - 
a...@mydomain.com

Dec  4 15:33:54 mail1 postfix/smtpd[22858]: send attr request = resolve
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: send attr sender =
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: send attr address = 
a...@mydomain.com
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: private/rewrite socket: 
wanted attribute: flags

Dec  4 15:33:54 mail1 postfix/smtpd[22858]: input attribute name: flags
Dec  4 15:33:54 mail1 postfix/smtpd[22858]: input attribute value: 0


I guess it must be a reasonably common situation to have a blackbox 
mailserver with no local accounts and only virtual users? What do others 
use in this config to ensure emails pass through unchanged (and then 
bounced since of course the address is invalid).  Note for various 
reasons this mailserver needs to accept such incorrect emails and bounce 
them later - (actually we have two configurations, most emails are 
refused unless they have fully qualified addresses, the other 
configuration is used for a subset of clients where we need to accept 
all emails and bounce errors later)


Can anyone show me what I need to change please?


postconf -n:

address_verify_map = btree:/var/mta/verify
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
append_dot_mydomain = no
body_checks = regexp:/etc/postfix/body_checks
bounce_queue_lifetime = 2d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = lmtp-amavis:[127.0.2.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 2
default_recipient_limit = 500
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
home_mailbox = mbox
html_directory = /usr/share/doc/postfix-2.5.7/html
local_destination_concurrency_limit = 2
local_header_rewrite_clients =
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 2d
message_size_limit = 3024
mydestination =
mydomain = mydomain.com
myhostname = mail1.mydomain.com
mynetworks = 127.0.2.1/32, X.X.X.X/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
owner_request_special = no
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.7/readme
recipient_delimiter = +
sample_directory = /etc/postfix
sender_bcc_maps = hash:/etc/postfix/sender_bcc
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_helo_timeout = 90
smtpd_client_connection_count_limit = 20
smtpd_data_restrictions = check_policy_service unix:private/my_policy
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access 
regexp:/etc/postfix/test.regexp,  reject_non_fqdn_sender,  
reject_non_fqdn_recipient,  reject_unknown_sender_domain,  
reject_unknown_recipient_domain,  check_sender_access   
hash:/etc/postfix/relay_from_bodge,  reject_unlisted_recipient,  
reject_unlisted_sender,  check_policy_service unix:private/my_policy,  
permit_mynetworks,  

Re: postscreen dnsblog problem

2009-12-04 Thread Wietse Venema
Len Conrad:
 I've got more data.  The killer option is when I have this on:
 
 postscreen_blacklist_networks =
  mysql:/usr/local/etc/postfix/mysql-mta_clients_reactive_b.cf

I'll make a note that postscreen must be used only with low-latency databases
such as local files.

Wietse


Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Martijn de Munnik

On Dec 4, 2009, at 8:08 PM, Carlos Williams wrote:

 I was just thinking today that if anyone knew a valid email address on
 my Postfix mail server, anyone could simply telnet to it (assuming
 they're on a trusted network / mynetworks) and send mail posed as that
 valid email address. I know this is not a huge security deal since
 it's come from a client listed in the mynetworks parameter but
 sometimes we have not so nice people we are forced to trust. Does this
 sound correct to anyone here? Normally on any mail client you need a
 username / password to send / receive email for a specific user but in
 the case of Telnet or just sending, it appears this is not required.
 Is there something I over looked?

If sending e-mail via telnet without a username/password is possible it is also 
possible with a client. 

Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Carlos Williams
On Fri, Dec 4, 2009 at 2:16 PM, Martijn de Munnik mart...@youngguns.nl wrote:
 If sending e-mail via telnet without a username/password is possible it is 
 also possible with a client.

OK so from that note I gather something with my config is not secure
or wide open. Is this a Postfix issue or something 'off-topic'?


Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Matt Hayes
Carlos Williams wrote:
 On Fri, Dec 4, 2009 at 2:16 PM, Martijn de Munnik mart...@youngguns.nl 
 wrote:
 If sending e-mail via telnet without a username/password is possible it is 
 also possible with a client.
 
 OK so from that note I gather something with my config is not secure
 or wide open. Is this a Postfix issue or something 'off-topic'?


The question is, are you trying to 'relay' through the server or sending
to a domain that the server hosts?

-Matt


Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Stan Hoeppner
Carlos Williams put forth on 12/4/2009 1:08 PM:
 I was just thinking today that if anyone knew a valid email address on
 my Postfix mail server, anyone could simply telnet to it (assuming
 they're on a trusted network / mynetworks) and send mail posed as that
 valid email address. I know this is not a huge security deal since
 it's come from a client listed in the mynetworks parameter but
 sometimes we have not so nice people we are forced to trust. Does this
 sound correct to anyone here? Normally on any mail client you need a
 username / password to send / receive email for a specific user but in
 the case of Telnet or just sending, it appears this is not required.
 Is there something I over looked?

Disallow submission on port 25, only allow submission on 587 with auth.
 This solves the possible nefarious submission issue, but requires
that all clients be reconfigured to use 587 with uname and passwd.  This
can be fairly easily accomplished in a corporate environment with remote
management tools.

--
Stan



Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Carlos Williams
On Fri, Dec 4, 2009 at 2:22 PM, Matt Hayes domin...@slackadelic.com wrote:
 The question is, are you trying to 'relay' through the server or sending
 to a domain that the server hosts?

 -Matt

I don't know how to answer this. The Postfix server is on the same
network as the clients connecting to it. The clients simply connect to
the server on the same subnet / domain. It just seems that anyone can
log in as anybody and send mail on their behalf. This appears bad to
me...


Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Sahil Tandon
On Dec 4, 2009, at 2:26 PM, Carlos Williams carlosw...@gmail.com  
wrote:


On Fri, Dec 4, 2009 at 2:22 PM, Matt Hayes  
domin...@slackadelic.com wrote:
The question is, are you trying to 'relay' through the server or  
sending

to a domain that the server hosts?

-Matt


I don't know how to answer this. The Postfix server is on the same
network as the clients connecting to it. The clients simply connect to
the server on the same subnet / domain. It just seems that anyone can
log in as anybody and send mail on their behalf. This appears bad to
me...


If you don't trust users in your networks not to masquerade as one  
another, prohibit users from relaying without SASL auth and employ  
reject_sender_login_mismatch.


Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread tobi
Carlos Williams schrieb:
 On Fri, Dec 4, 2009 at 2:22 PM, Matt Hayes domin...@slackadelic.com wrote:
   
 The question is, are you trying to 'relay' through the server or sending
 to a domain that the server hosts?

 -Matt
 

 I don't know how to answer this. The Postfix server is on the same
 network as the clients connecting to it. The clients simply connect to
 the server on the same subnet / domain. It just seems that anyone can
 log in as anybody and send mail on their behalf. This appears bad to
 me...
   
Have a look at http://www.postfix.org/SASL_README.html
Only allow authenticated users to relay through your Postfix Server and
set mynetworks on a local IP like 127.0.0.1

Cheers

tobi


Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Sahil Tandon

On Dec 4, 2009, at 2:34 PM, Sahil Tandon sa...@tandon.net wrote:

On Dec 4, 2009, at 2:26 PM, Carlos Williams carlosw...@gmail.com  
wrote:


On Fri, Dec 4, 2009 at 2:22 PM, Matt Hayes  
domin...@slackadelic.com wrote:
The question is, are you trying to 'relay' through the server or  
sending

to a domain that the server hosts?

-Matt


I don't know how to answer this. The Postfix server is on the same
network as the clients connecting to it. The clients simply connect  
to

the server on the same subnet / domain. It just seems that anyone can
log in as anybody and send mail on their behalf. This appears bad to
me...


If you don't trust users in your networks not to masquerade as one  
another, prohibit users from relaying without SASL auth and employ  
reject_sender_login_mismatch.


BTW: you do realize the mail from and from: header of your users/ 
domains can still be spoofed from elsewhere, right?


Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Joe
Carlos Williams wrote:
 On Fri, Dec 4, 2009 at 2:22 PM, Matt Hayes domin...@slackadelic.com wrote:
   
 The question is, are you trying to 'relay' through the server or sending
 to a domain that the server hosts?

 -Matt
 

 I don't know how to answer this. The Postfix server is on the same
 network as the clients connecting to it. The clients simply connect to
 the server on the same subnet / domain. It just seems that anyone can
 log in as anybody and send mail on their behalf. This appears bad to
 me...
   

This is nothing new - and using a manual telnet connection is rather
awkward and time consuming; there is nothing in the telnet approach that
can't be done more quickly and easily with any decent mail client.

Forged senders are quite commonplace, and when coming from the internet
they are rather easily detected. Even if they are inside, you have their
IP address in the postfix logs.

I doubt that the crowd who routinely forge the sender address do so
using manual telnet - they simply use a mail client/script/tool to make
their jobs easier. Telnet is a red herring, it's not the real issue
here. The question is, how paranoid do you need to be, and how far are
you willing to go to lock things down?

Joe



Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread /dev/rob0
This post was full of misunderstandings. First, the Subject, there is
no such thing as telnet email. telnet(1) is a commonly-available
TCP client, which can be used to make a connection to a process such
as smtpd(8).

On Fri, Dec 04, 2009 at 02:08:46PM -0500, Carlos Williams wrote:
 I was just thinking today that if anyone knew a valid email address
 on my Postfix mail server,

Sender addresses are typically not checked for sending mail. Of
course there are numerous options to do so, but these are not the
defaults, and you would have had to consult some documentation to
even know that they exist.

 anyone could simply telnet to it

This is not simple. It requires that the telnet user knows enough
of the SMTP protocol syntax to be able to send a message. Most
people do not.

 (assuming they're on a trusted network / mynetworks) and send mail

That is precisely what $mynetworks is for.

 posed as that valid email address.

ANY address. Quite possibly not even a valid one. This is how SMTP
was designed (arguably, misdesigned.)

 I know this is not a huge
 security deal since it's come from a client listed in the
 mynetworks parameter but sometimes we have not so nice people we
 are forced to trust. Does this sound correct to anyone here?

You pull the plug on anyone in $mynetworks who does something
naughty. MYnetworks means it is under your control. Use that, and be
quick to act against any abuser.

 Normally on any mail client you need a username / password to send

*If* authentication is required, such as for a sender coming from
outside $mynetworks, who wants to relay (to send to mail addresses
which are not handled by your server.) Otherwise, no.

 / receive email for a specific user

A MUA speaks IMAP to an imapd or POP3 to a pop3d. Generally those
protocols require authentication. They're also irrelevant here on
postfix-users, since Postfix is not an IMAP or POP3 server.

 but in the case of Telnet or
 just sending, it appears this is not required.

A MUA inside $mynetworks is not required to authenticate to send. It
does the same thing you might do with telnet, except that the people
who wrote your MUA software most likely have spent more time reading
SMTP RFCs than you did, so it might be a bit better at it. It will
definitely do it faster than you could type manual commands.

 Is there something I over looked?

Maybe just lacking the Big Picture on what email is and how it works?
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: Snapshot 20091109, queue disk partition sizing

2009-12-04 Thread Stefan Förster
* Wietse Venema wie...@porcupine.org:
 Stefan Förster:
  (number of smtpd processes) * message_size_limit
  
  bytes of queue space allocated in temporary files.
 
 By default, Postfix requires 1.5*message_size_limit of free
 space before it accepts mail.
 
 Right now, the before-proxy scratch files are put in the incoming
 queue, but that may still change.
 
 I didn't change the formula (to 2.5*message_size_limit) for that
 reason.

Thank you for that clarification.

Now, about logging - I'd be really grateful if the existing logging
functionality could be extended in a way so that the pre-queue
content filter's response is logged.

I know that it is actually the content filter's job to log what it did
during an ESMTP transaction, but I think if Postfix logged the
filter's response, correlating logs would be much easier.


Stefan


Re: SASL plain authentication failed; unable to lookup user record

2009-12-04 Thread Patrick Ben Koetter
* JP post...@postfix.exjay.com:
 i'll guess the solution to my problem will be something simple and
 obvious, because i know i ain't the first person to do this, but i've
 been staring at it for days and can't see what's wrong.
 
 os x snow leopard server; postfix 2.5.5; dovecot 1.1.17apple0.5
 
 trying to get SMTP auth working via SASL.  using a plain password
 scheme and plain auth scheme over SSL.  client is apple mail.
 deliveries are working, and dovecot's pop3s and imaps are working
 just fine.  but when i attempt to use smtp auth, postfix says
 
 SASL plain authentication failed
 unable to lookup user record

Your Postfix uses Dovecot SASL. Have you tried to authenticate using a telnet
session, sending AUTH identity on command line?

p...@rick


 
 scoured months worth of list archives and didn't see anything
 specific to this.  other eyes are appreciated!  thanks.
 
 # postconf -n
 biff = no
 command_directory = /usr/sbin
 config_directory = /etc/postfix
 content_filter = smtp-amavis:[127.0.0.1]:10024
 daemon_directory = /usr/libexec/postfix
 debug_peer_level = 2
 enable_server_options = yes
 header_checks = pcre:/etc/postfix/custom_header_checks
 html_directory = /usr/share/doc/postfix/html
 inet_interfaces = all
 mail_owner = _postfix
 mailbox_size_limit = 0
 mailbox_transport = dovecot
 mailq_path = /usr/bin/mailq
 manpage_directory = /usr/share/man
 message_size_limit = 10485760
 mydomain = example.com
 mydomain_fallback = localhost
 mynetworks = 127.0.0.0/8,192.168.61.0/24
 newaliases_path = /usr/bin/newaliases
 queue_directory = /private/var/spool/postfix
 readme_directory = /usr/share/doc/postfix
 recipient_delimiter = +
 relayhost =
 sample_directory = /usr/share/doc/postfix/examples
 sendmail_path = /usr/sbin/sendmail
 setgid_group = _postdrop
 smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
 reject
 smtpd_enforce_tls = no
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_helo_hostname
 reject_non_fqdn_helo_hostname
 smtpd_pw_server_security_options = plain, login cram-md5
 smtpd_recipient_restrictions = permit_sasl_authenticated
 permit_mynetworks reject_unauth_destination check_policy_service
 unix:private/policy reject
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot
 smtpd_tls_CAfile =
 /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.chain.pem
 smtpd_tls_cert_file =
 /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.cert.pem
 smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
 smtpd_tls_key_file =
 /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.key.pem
 smtpd_use_pw_server = yes
 smtpd_use_tls = yes
 unknown_local_recipient_reject_code = 550
 virtual_alias_maps =
 virtual_gid_maps = static:5000
 virtual_mailbox_base = /etc/postfix/datastore
 virtual_mailbox_domains = osx.example.com
 virtual_mailbox_maps = hash:/etc/postfix/datausers
 virtual_minimum_uid = 100
 virtual_uid_maps = static:5000
 
 
 
 
 # dovecotd -n
 # 1.1.17apple0.5: /private/etc/dovecot/dovecot.conf
 Warning: fd limit 256 is lower than what Dovecot can use under full load
 (more than 456). Either grow the limit or change
 login_max_processes_count and max_mail_processes settings
 # OS: Darwin 10.2.0 i386  hfs
 base_dir: /var/run/dovecot
 syslog_facility: local6
 protocols: pop3s imaps
 ssl_cert_file:
 /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.cert.pem
 ssl_key_file:
 /etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.key.pem
 ssl_cipher_list: ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL
 disable_plaintext_auth: no
 login_dir: /var/run/dovecot/login
 login_executable(default): /usr/libexec/dovecot/imap-login
 login_executable(imap): /usr/libexec/dovecot/imap-login
 login_executable(pop3): /usr/libexec/dovecot/pop3-login
 login_user: _dovecot
 login_process_per_connection: no
 max_mail_processes: 200
 mail_max_userip_connections(default): 20
 mail_max_userip_connections(imap): 20
 mail_max_userip_connections(pop3): 10
 verbose_proctitle: yes
 first_valid_uid: 6
 first_valid_gid: 6
 mail_access_groups: mail
 mail_location: maildir:/etc/postfix/datastore/%d/%n
 mail_debug: yes
 mail_executable(default): /usr/libexec/dovecot/imap
 mail_executable(imap): /usr/libexec/dovecot/imap
 mail_executable(pop3): /usr/libexec/dovecot/pop3
 mail_process_sharing: full
 mail_max_connections: 5
 mail_plugins(default): quota imap_quota
 mail_plugins(imap): quota imap_quota
 mail_plugins(pop3): quota
 mail_plugin_dir(default): /usr/lib/dovecot/imap
 mail_plugin_dir(imap): /usr/lib/dovecot/imap
 mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
 auth default:
   verbose: yes
   debug: yes
   debug_passwords: yes
   passdb:
 driver: passwd-file
 args: username_format=%n /etc/postfix/datastore/%d-passwd
   userdb:
 driver: passwd-file
 args: username_format=%n /etc/postfix/datastore/%d-passwd
   socket:
 
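As an added example (not code from the thread, and not Postfix's or Dovecot's own code): the manual "connect, EHLO, STARTTLS, AUTH" test suggested above, in script form, so the PLAIN credential is built exactly as a mail client builds it and the server's verdict is captured instead of eyeballed. The ScriptedTransport class replays constructed server replies so the same dialog can be exercised offline; SocketTransport talks to a real server. Host names, user and password are placeholders. decode_auth_plain() shows which identity a client actually sent, which is worth comparing with what the SASL backend expects (the posted Dovecot config uses passwd-file with username_format=%n, i.e. the local part only).

```python
import base64
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Added example, not code from the thread or from Postfix/Dovecot: the manual
# "EHLO, STARTTLS, AUTH PLAIN" test in script form. Names are placeholders.


def auth_plain_token(authcid: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN credential: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token: str) -> Tuple[str, str, str]:
    """Inverse of auth_plain_token: shows which identity a client actually sent."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token must contain exactly two NUL separators")
    return parts[0], parts[1], parts[2]


def code_of(line: str) -> Optional[int]:
    return int(line[:3]) if line[:3].isdigit() else None


def parse_caps(ehlo_lines: List[str]) -> Dict[str, List[str]]:
    """'250-AUTH PLAIN LOGIN' style lines -> {'AUTH': ['PLAIN', 'LOGIN'], ...}."""
    caps: Dict[str, List[str]] = {}
    for line in ehlo_lines[1:]:  # the first line only repeats the server name
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


class SocketTransport:
    """Line-oriented SMTP over TCP with STARTTLS, for probing a live server."""

    def __init__(self, host: str, port: int = 587, timeout: float = 10.0) -> None:
        self.host = host
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def send(self, line: str) -> None:
        self.sock.sendall((line + "\r\n").encode("ascii"))

    def reply(self) -> List[str]:
        lines: List[str] = []
        while True:  # '250-' continues a multi-line reply, '250 ' ends it
            line = self.rfile.readline().decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return lines

    def starttls(self) -> None:
        ctx = ssl.create_default_context()  # verifies the server certificate
        self.sock = ctx.wrap_socket(self.sock, server_hostname=self.host)
        self.rfile = self.sock.makefile("rb")


class ScriptedTransport:
    """Replays constructed server replies so the dialog can be run offline."""

    def __init__(self, replies: List[List[str]]) -> None:
        self.replies, self.sent, self.tls = list(replies), [], False

    def send(self, line: str) -> None:
        self.sent.append(line)

    def reply(self) -> List[str]:
        return self.replies.pop(0)

    def starttls(self) -> None:
        self.tls = True


def probe_auth(t, user: str, password: str, helo: str = "probe.example.com",
               allow_cleartext: bool = False) -> Dict[str, object]:
    """Greeting, EHLO, STARTTLS, EHLO again, AUTH PLAIN; report the verdict."""
    result: Dict[str, object] = {"tls": False, "mechs": [], "code": None, "text": ""}
    greeting = t.reply()[-1]
    if not greeting.startswith("220"):
        result.update(code=code_of(greeting), text=greeting)
        return result
    t.send(f"EHLO {helo}")
    caps = parse_caps(t.reply())
    if "STARTTLS" in caps:
        t.send("STARTTLS")
        if t.reply()[-1].startswith("220"):
            t.starttls()
            result["tls"] = True
            t.send(f"EHLO {helo}")  # capabilities may differ once TLS is up
            caps = parse_caps(t.reply())
    mechs = [m.upper() for m in caps.get("AUTH", [])]
    result["mechs"] = mechs
    if "PLAIN" not in mechs:
        result["text"] = "server does not advertise AUTH PLAIN at this point"
    elif not result["tls"] and not allow_cleartext:
        result["text"] = "refusing to send a PLAIN credential without TLS"
    else:
        t.send("AUTH PLAIN " + auth_plain_token(user, password))
        verdict = t.reply()[-1]
        result.update(code=code_of(verdict), text=verdict)
    t.send("QUIT")
    return result
```

Against a live server, probe_auth(SocketTransport("mail.example.com", 587), "jp", "secret") returns the verdict: a 235 reply means SASL works end to end, a 535 means the backend rejected the credential, and an empty mechanism list after STARTTLS means the AUTH capability itself is not being offered, which points at the smtpd side rather than at the password database. The script deliberately refuses to send PLAIN in the clear unless allow_cleartext=True, so a test against localhost without TLS has to opt in.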

different greetings for each domain I have. (many domains)

2009-12-04 Thread S Lastname
Hello everyone.


I have a mail server running postfix. The server has many different IPs 
associated with it, and many domains pointing at it. As I'm sure you all know, 
when the server gets a connection request, it responds with a greeting message, 
something along the lines of 220 cattlejobs.com ESMTP. I would like to have 
each greeting message sent have the domain name (in this case cattlejobs.com) 
be tailored to match whichever IP the client is connecting to. Up until now, I 
have just been adding more lines to my /etc/postfix/master.cf file as shown 
below:

69.74.158.54:smtp inet n - - - - smtpd -o myhostname=cattlejobs.com
69.77.250.125:smtp inet n - - - - smtpd -o myhostname=cattlejobs.com
69.77.243.21:smtp inet n - - - - smtpd -o myhostname=cattlejobs.com
69.77.124.200:smtp inet n - - - - smtpd -o myhostname=cattlejobs.com


It has worked well, but now I am trying to add lots of entries like this 
(2000+). Once I have much more than 300 entries I start to get an error 

fatal: pipe: Too many open files 

Can anyone suggest a different way to achieve this, or a work around to this 
problem?


Thanks in advance, Steve.


  



Re: Should Anyone Be Able To Send Telnet Email

2009-12-04 Thread Steve

 Original message 
 Date: Fri, 4 Dec 2009 14:08:46 -0500
 From: Carlos Williams carlosw...@gmail.com
 To: postfix users list postfix-users@postfix.org
 Subject: Should Anyone Be Able To Send Telnet Email

 I was just thinking today that if anyone knew a valid email address on
 my Postfix mail server, anyone could simply telnet to it (assuming
 they're on a trusted network / mynetworks) and send mail posed as that
 valid email address. I know this is not a huge security deal since
 it's come from a client listed in the mynetworks parameter but
 sometimes we have not so nice people we are forced to trust. Does this
 sound correct to anyone here? Normally on any mail client you need a
 username / password to send / receive email for a specific user but in
 the case of Telnet or just sending, it appears this is not required.
 Is there something I over looked?

I don't allow that kind of thing except on localhost/127.0.0.1 where Postfix 
is running. All other attempts to send in the name of a user for which my 
Postfix system is responsible will result in an error.

For example:
-
theia ~ # telnet 192.168.0.78 25
Trying 192.168.0.78...
Connected to 192.168.0.78.
Escape character is '^]'.
220 nyx.mydomain.tld ESMTP Postfix (2.6.5)
ehlo theia.mydomain.tld
250-nyx.mydomain.tld
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:postmas...@mydomain.tld
553 5.7.1 postmas...@mydomain.tld: Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
theia ~ #
-

To have that you could use reject_sender_login_mismatch.

I have not directly used this statement in smtpd_mumble_restrictions. I 
use a lookup map in which I check some exceptions and if client/sender is 
passing the exception then nothing is happening. Everyone else gets 
reject_sender_login_mismatch as a result. This allows me to have 
reject_sender_login_mismatch but still have the possibility to add exceptions 
if needed.


// Steve


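As an added example (not code from the thread, and not Postfix's own code): a small model of what reject_sender_login_mismatch decides from smtpd_sender_login_maps, wrapped in the kind of client exception map described above (exception clients fall through, everyone else gets the mismatch check). The sender map, login names and CIDR blocks are constructed placeholders; only exact-address lookups are modelled, whereas Postfix also tries partial keys (see postconf(5)). The "not logged in" reply is the one in the transcript above, and "not owned by user" is Postfix's wording for the authenticated case.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not Postfix code: models the reject_sender_login_mismatch
# decision and a cidr-style client exception map. All data is constructed.

# Stand-in for smtpd_sender_login_maps: MAIL FROM address -> SASL owners.
SENDER_LOGIN_MAP: Dict[str, List[str]] = {
    "postmaster@mydomain.tld": ["alice", "bob"],
    "alice@mydomain.tld": ["alice"],
    "bob@mydomain.tld": ["bob"],
}

# Stand-in for a cidr: access map used with check_client_access. First match
# wins; the value is DUNNO (no opinion) or the name of a restriction to apply.
CLIENT_EXCEPTIONS: List[Tuple[str, str]] = [
    ("127.0.0.0/8", "DUNNO"),  # local submission (cron, web app) is exempt
    ("0.0.0.0/0", "reject_sender_login_mismatch"),
]


def sender_login_mismatch(sender: str, login: Optional[str],
                          sender_map: Dict[str, List[str]]) -> Optional[str]:
    """Return a rejection reply, or None when reject_sender_login_mismatch passes.

    Unauthenticated client: rejected only if the address has an owner.
    Authenticated client: rejected unless the login name owns the address.
    """
    owners = [o.lower() for o in sender_map.get(sender.lower(), [])]
    if login is None:
        if owners:
            return f"553 5.7.1 <{sender}>: Sender address rejected: not logged in"
        return None
    if login.lower() not in owners:
        return (f"553 5.7.1 <{sender}>: Sender address rejected: "
                f"not owned by user {login}")
    return None


def client_action(client_ip: str, table: List[Tuple[str, str]]) -> str:
    """First-match lookup, the way Postfix cidr: tables are searched."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in table:
        if addr in ipaddress.ip_network(net, strict=False):
            return action
    return "DUNNO"


def evaluate_mail_from(client_ip: str, sender: str,
                       login: Optional[str]) -> Optional[str]:
    """Model of 'check_client_access cidr:...' whose result names the check."""
    action = client_action(client_ip, CLIENT_EXCEPTIONS)
    if action.lower() == "reject_sender_login_mismatch":
        return sender_login_mismatch(sender, login, SENDER_LOGIN_MAP)
    return None  # DUNNO: no opinion here; later restrictions still run


if __name__ == "__main__":
    cases = [
        ("127.0.0.1", "postmaster@mydomain.tld", None),     # exempt client
        ("192.168.0.10", "postmaster@mydomain.tld", None),  # LAN client, no auth
        ("192.168.0.10", "bob@mydomain.tld", "alice"),      # logged in as someone else
        ("192.168.0.10", "alice@mydomain.tld", "alice"),    # legitimate
        ("192.168.0.10", "guest@other.example", None),      # no owner: not rejected
    ]
    for ip, sender, login in cases:
        verdict = evaluate_mail_from(ip, sender, login) or "pass"
        print(f"{ip:13} {sender:26} login={login or '-':6} -> {verdict}")
```

The Postfix parameters this models are smtpd_sender_login_maps (for example hash:/etc/postfix/sender_login) and reject_sender_login_mismatch, placed in smtpd_sender_restrictions either directly or, as in the exception scheme above, as the value a check_client_access map returns for non-exempt clients. Two caveats the model makes visible: an exception entry must return DUNNO rather than OK/permit, because a permit result in smtpd_recipient_restrictions ahead of reject_unauth_destination would allow relaying; and, as the last case shows, the restriction has nothing to say about sender addresses that have no owner in the map, so it complements, rather than replaces, shrinking mynetworks and requiring SASL for relay.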

Re: SASL plain authentication failed; unable to lookup user record

2009-12-04 Thread JP

Patrick Ben Koetter wrote:

* JP post...@postfix.exjay.com:

i'll guess the solution to my problem will be something simple and
obvious, because i know i ain't the first person to do this, but i've
been staring at it for days and can't see what's wrong.

os x snow leopard server; postfix 2.5.5; dovecot 1.1.17apple0.5

trying to get SMTP auth working via SASL.  using a plain password
scheme and plain auth scheme over SSL.  client is apple mail.
deliveries are working, and dovecot's pop3s and imaps are working
just fine.  but when i attempt to use smtp auth, postfix says

SASL plain authentication failed
unable to lookup user record


Your Postfix uses Dovecot SASL. Have you tried to authenticate using a telnet
session, sending AUTH identity on command line?

p...@rick



scoured months worth of list archives and didn't see anything
specific to this.  other eyes are appreciated!  thanks.

# postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain = example.com
mydomain_fallback = localhost
mynetworks = 127.0.0.0/8,192.168.61.0/24
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
reject
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = plain, login cram-md5
smtpd_recipient_restrictions = permit_sasl_authenticated
permit_mynetworks reject_unauth_destination check_policy_service
unix:private/policy reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile =
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.chain.pem
smtpd_tls_cert_file =
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file =
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
virtual_gid_maps = static:5000
virtual_mailbox_base = /etc/postfix/datastore
virtual_mailbox_domains = osx.example.com
virtual_mailbox_maps = hash:/etc/postfix/datausers
virtual_minimum_uid = 100
virtual_uid_maps = static:5000




# dovecotd -n
# 1.1.17apple0.5: /private/etc/dovecot/dovecot.conf
Warning: fd limit 256 is lower than what Dovecot can use under full load
(more than 456). Either grow the limit or change
login_max_processes_count and max_mail_processes settings
# OS: Darwin 10.2.0 i386  hfs
base_dir: /var/run/dovecot
syslog_facility: local6
protocols: pop3s imaps
ssl_cert_file:
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.cert.pem
ssl_key_file:
/etc/certificates/osx-106.example.com.E2FA6EFB8203E2E09C605D30A179669E4B4F69EB.key.pem
ssl_cipher_list: ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_user: _dovecot
login_process_per_connection: no
max_mail_processes: 200
mail_max_userip_connections(default): 20
mail_max_userip_connections(imap): 20
mail_max_userip_connections(pop3): 10
verbose_proctitle: yes
first_valid_uid: 6
first_valid_gid: 6
mail_access_groups: mail
mail_location: maildir:/etc/postfix/datastore/%d/%n
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_process_sharing: full
mail_max_connections: 5
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
driver: passwd-file
args: username_format=%n /etc/postfix/datastore/%d-passwd
  userdb:
driver: passwd-file
args: username_format=%n /etc/postfix/datastore/%d-passwd
  socket:
type: listen
client:
  path: /var/spool/postfix/private/auth
  mode: 432
  user: 

Searching Mails

2009-12-04 Thread osmcr...@gmail.com
Hi Folks

As soon as possible I need a command to search all mails between two dates,
that is, a start date and an end date,
and I am also looking for a command to immediately get a specific mail
by date.

Thanks in advance


Greetings !!


Re: different greetings for each domain I have. (many domains)

2009-12-04 Thread Brian Evans - Postfix List
On 12/4/2009 3:32 PM, S Lastname wrote:
 Hello everyone.


 I have a mail server running postfix. The server has many different IPs 
 associated with it, and many domains pointing at it. As I'm sure you all know, 
 when the server gets a connection request, it responds with a greeting 
 message, something along the lines of 220 cattlejobs.com ESMTP. I would 
 like to have each greeting message sent have the domain name (in this case 
 cattlejobs.com) be tailored to match whichever IP the client is connecting 
 to. Up until now, I have just been adding more lines to my 
 /etc/postfix/master.cf file as shown below:

 Can anyone suggest a different way to achieve this, or a work around to this 
 problem?

Don't do this as nothing out there looks for it.

You should set myhostname to the machine name and leave it at that.
SMTP protocol requires 220 machine-name, with an optional ESMTP
added to show extra function.
I know of no software or protocol that actually cares what the machine
name is.

You really don't gain anything but headaches trying what you mentioned.


Re: SASL plain authentication failed; unable to lookup user record

2009-12-04 Thread Patrick Ben Koetter
* JP post...@postfix.exjay.com:
 Your Postfix uses Dovecot SASL. Have you tried to authenticate using a telnet
 session, sending AUTH identity on command line?
 
 Escape character is '^]'.
 220 osx-106.example.com ESMTP Postfix
 EHLO foobie.example.com
 250-osx-106.example.com
 250-PIPELINING
 250-SIZE 10485760
 250-VRFY
 250-ETRN
 250-AUTH LOGIN PLAIN CRAM-MD5
 250-STARTTLS
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN
 AUTH PLAIN 1a1dc91c907325c69271ddf0c944bc72blahblahblah
 535 Error: authentication failed

Postfix and Dovecot both use the Dovecot authentication methods.
Dovecot works, Postfix doesn't. Where's the difference?

What happens if you try an IMAP login on command line and send the same
credentials?

If you send the same credentials and it succeeds, then something between
Postfix and the Dovecot auth socket is probably wrong.

If IMAP login fails too, then you probably send the wrong credentials during
SMTP AUTH and you should find out what is sent during IMAP login.

p...@rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/

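For the telnet test Patrick suggests, the part people most often get wrong is the token after AUTH PLAIN. The following is an added example, not code from the thread, that builds and checks the PLAIN (RFC 4616) and LOGIN tokens a client sends, so the credentials typed into a telnet or openssl s_client session are exactly what the mail client sends. The user names and password are made up.

```python
"""Build and check SASL PLAIN and LOGIN tokens for hand-testing SMTP AUTH.
Added example, not from the thread. RFC 4616 defines PLAIN; LOGIN is the
older two-step mechanism Postfix also announces above."""
import base64


def encode_plain(authcid, passwd, authzid=""):
    """PLAIN initial response: [authzid] NUL authcid NUL passwd, base64-encoded.
    Send it as one line: AUTH PLAIN <token>."""
    message = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def decode_plain(token):
    """Inverse of encode_plain. Raises ValueError when the token is not a PLAIN
    message: not valid base64, or not exactly three NUL-separated fields
    (a hex digest or a bare "user:password", for instance, has no NULs)."""
    raw = base64.b64decode(token, validate=True)   # binascii.Error is a ValueError
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError(f"PLAIN needs 3 NUL-separated fields, got {len(fields)}")
    return tuple(f.decode("utf-8") for f in fields)


def is_plain_token(token):
    """True if a server would be able to parse the token as PLAIN at all."""
    try:
        decode_plain(token)
        return True
    except ValueError:
        return False


def encode_login(authcid, passwd):
    """LOGIN is a dialogue: after AUTH LOGIN the server sends 334 VXNlcm5hbWU6
    ("Username:") and 334 UGFzc3dvcmQ6 ("Password:"); the client answers each
    with one base64 line. Returns those two client lines."""
    return [base64.b64encode(s.encode("utf-8")).decode("ascii")
            for s in (authcid, passwd)]


def auth_dialogue(authcid, passwd):
    """Client lines to paste into a telnet/openssl s_client session, per mechanism."""
    return {
        "PLAIN": [f"AUTH PLAIN {encode_plain(authcid, passwd)}"],
        "LOGIN": ["AUTH LOGIN"] + encode_login(authcid, passwd),
    }


if __name__ == "__main__":
    # Made-up credentials; compare the PLAIN line with what the mail client sends.
    for mech, lines in auth_dialogue("jp", "secret").items():
        print(mech, "->", " / ".join(lines))
```

Test with the same login string the mail client uses. In the dovecot -n output above the passdb file is selected by %d and the key inside it by %n, so "jp" and "jp@osx.example.com" are looked up in different places; try both forms over IMAP and SMTP and see which one the userdb can actually find.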

Re: Searching Mails

2009-12-04 Thread Sahil Tandon
On Fri, 04 Dec 2009, osmcr...@gmail.com wrote:

 as soon as possible i need to get a command to search all mails between a
 date it's mean  start date  to  end date 
 and i also im looking for a command to get inmediatelly a mail of a specific
 mail for date.

Please, carefully read: http://www.postfix.org/DEBUG_README.html#mail
and re-post your question more clearly, and only if it relates to
Postfix.

-- 
Sahil Tandon sa...@tandon.net


postfix and ldap configuration blog post

2009-12-04 Thread Jack Bates
http://jdbates.blogspot.com/2009/11/initially-i-had-some-email-addresses-e.html

^ I just made this blog post about a Postfix configuration I've used a
couple times

The configuration is for storing users' email addresses in LDAP and both
forwarding messages to and sending messages from those addresses

It also supports a second LDAP attribute which can be used to forward
messages to one address and send messages from another, different
address

I struggled to write it clearly, so if anyone is willing to vet it for
me, I'd much appreciate that! I'd appreciate any feedback on mistakes,
or how to make it clearer, or ???


Re: postscreen dnsblog problem

2009-12-04 Thread Wietse Venema
Len Conrad:
 -- Original Message --
 From: wie...@porcupine.org (Wietse Venema)
 Date:  Fri, 4 Dec 2009 14:13:17 -0500 (EST)
 I'll make a note that postscreen must be used only with low-latency databases
 such as local files.
 
 the problem postscreen MX pinging the mysql server on the same switch shows: 
 
 round-trip min/avg/max/stddev = 0.143/0.227/0.443/0.100 ms
 
 2 non-problem postscreening MXs pinging from South Carolina to Atlanta show:
 
 round-trip min/avg/max/stddev = 4.613/4.945/5.249/0.205 ms
 
 It's quite confusing to tease where the problem is.

Ping measures the kernel-to-kernel latency. postscreen is affected
by the application-to-application table lookup latency.

Postscreen is a single program that makes a decision on every inbound
connection in real time. Having it talk to a mysql server introduces
huge latency.  While the mysql lookup happens, all of postscreen
stalls, meaning it does not take new connections off the input
queue.  If this happens often enough, postscreen falls behind and
reports "all ports busy" errors.

For example, if mysql replies in 10ms, then the entire Postfix
system cannot process more than 100 connection requests per second
in total, that's all the connections from zombies and good clients
combined.  With such performance, what was meant to be a zombie
killer quickly becomes a self-inflicted DOS.

I'm adding extra checks to postscreen that measure table lookup
delays, and that log warnings when these delays exceed, say, a couple
of milliseconds.

 btw, what does postscreen send to smtp client when postscreen logs this:
 
 egrep -ic "all screening ports busy" /var2/log/maillog
 5615

It sends a 421 reply.

Wietse
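Len's egrep gives a single total. The following added example (not Postfix code, not from the thread) turns that same warning into a per-minute series, which is what you need to line the stalls up against database latency, and states the ceiling Wietse derives as a function. The log lines are constructed; their layout follows the usual syslog prefix, with the message text taken from the egrep pattern above.

```python
"""Per-minute count of postscreen 'all screening ports busy' rejects plus the
throughput ceiling a synchronous table lookup imposes. Added example; the
log lines below are constructed and their exact layout is assumed."""
import re
from collections import Counter

BUSY_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ postfix/postscreen\[\d+\]: "
    r".*all screening ports busy",
    re.IGNORECASE,
)

# Constructed sample: two stalls in one minute, one two minutes later.
SAMPLE_LOG = """\
Dec  4 13:39:15 mx1 postfix/postscreen[7124]: CONNECT from [192.0.2.10]:45821
Dec  4 13:39:15 mx1 postfix/postscreen[7124]: NOQUEUE: reject: CONNECT from [192.0.2.11]:45900: all screening ports busy
Dec  4 13:39:16 mx1 postfix/postscreen[7124]: NOQUEUE: reject: CONNECT from [192.0.2.12]:45911: all screening ports busy
Dec  4 13:40:02 mx1 postfix/postscreen[7124]: PASS OLD [192.0.2.13]:46000
Dec  4 13:41:30 mx1 postfix/postscreen[7124]: NOQUEUE: reject: CONNECT from [192.0.2.14]:46100: all screening ports busy
"""


def throughput_ceiling(lookup_ms):
    """postscreen is one single-threaded process: while a table lookup is
    outstanding it accepts nothing, so at most 1000/lookup_ms connections per
    second can be screened (10 ms -> 100 connections/s for the whole MX)."""
    return 1000.0 / lookup_ms


def busy_rejects_per_minute(log_text):
    """Count 'all screening ports busy' rejects per syslog minute, in log order."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BUSY_RE.match(line)
        if m:
            counts[m.group("minute")] += 1
    return counts


def minutes_over(counts, threshold):
    """Minutes whose reject count exceeds the threshold, oldest first."""
    return [minute for minute, n in counts.items() if n > threshold]


if __name__ == "__main__":
    counts = busy_rejects_per_minute(SAMPLE_LOG)
    for minute, n in counts.items():
        print(f"{minute}  {n} busy rejects")
    print("ceiling at 10 ms per lookup:", throughput_ceiling(10), "connections/s")
```

Feed the real maillog in instead of SAMPLE_LOG; a minute with a count well above the others, while ping to the database host looks fine, is exactly the application-level latency Wietse distinguishes from kernel-to-kernel latency.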


Re: remote_header_rewrite_domain ignored

2009-12-04 Thread Wietse Venema
Ed W:
 Hi, I'm using postfix 2.5.7 and having some trouble with the server 
 domain being appended to incomplete sender addresses.  I have set
 
 # postconf|grep -e rewrite -e append -e myorigin -e mydomain -e local_header
 append_at_myorigin = yes
 append_dot_mydomain = no
 local_header_rewrite_clients =

Note: local_***HEADER***_rewrite_clients, a feature that
controls how HEADER addresses are rewritten.

 mydomain = nippynetworks.com
 myorigin = $mydomain
 remote_header_rewrite_domain =
 rewrite_service_name = rewrite
 
 
 I have amavisd-new installed, but having bumped up the logging I believe 
 this is happening on initial submission and not on the re-injection.  
 Log files show the client connecting, checking the FROM address and then:
 
 Dec  4 15:33:54 mail1 postfix/smtpd[22858]:  
 office.mydomain.com[X.X.X.X]: RCPT TO: asdf

That is not a HEADER address.

Wietse


whitelisting problem

2009-12-04 Thread Stan Hoeppner
I can't figure out why my whitelist entry for 204.238.179.0/24 is being
ignored.  If not for a transient DNS failure this afternoon I'd not have
known this was broken.  The check_client_access whitelist entry _should_
have triggered before reject_unknown_client_hostname.  Any ideas why is
doesn't/didn't?

parent_domain_matches_subdomains =
debug_peer_list smtpd_access_maps

smtpd_client_restrictions =
check_recipient_access hash:/etc/postfix/access
check_client_access hash:/etc/postfix/access
...
...
reject_unknown_client_hostname
reject_unauth_pipelining

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/access
reject_non_fqdn_sender

smtpd_helo_required = yes
smtpd_helo_restrictions =
check_recipient_access hash:/etc/postfix/access
reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
reject_unknown_helo_hostname

smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
check_recipient_access hash:/etc/postfix/access
reject_rbl_client zen.spamhaus.org
check_policy_service inet:127.0.0.1:6

/etc/postfix/access
...
66.135.197  OK
168.100.1   OK
204.238.179 OK
spam-l-boun...@spam-l.com   OK
owner-postfix-us...@cloud9.net  OK
majordomo-ow...@cloud9.net  OK
owner-postfix-us...@postfix.org OK
...

Dec  4 13:39:15 greer postfix/smtpd[7124]: NOQUEUE: reject: RCPT from
unknown[204.238.179.8]: 450 4.7.1 mx1.mfn.org: Helo command rejected:
Host not found; from=spam-l-boun...@spam-l.com
to=s...@hardwarefreak.com proto=ESMTP helo=mx1.mfn.org

Any clues as to what's wrong?

--
Stan


Re: whitelisting problem

2009-12-04 Thread Michael Orlitzky

Stan Hoeppner wrote:

I can't figure out why my whitelist entry for 204.238.179.0/24 is being
ignored.  If not for a transient DNS failure this afternoon I'd not have
known this was broken.  The check_client_access whitelist entry _should_
have triggered before reject_unknown_client_hostname.  Any ideas why is
doesn't/didn't?

...



Dec  4 13:39:15 greer postfix/smtpd[7124]: NOQUEUE: reject: RCPT from
unknown[204.238.179.8]: 450 4.7.1 mx1.mfn.org: Helo command rejected:
Host not found; from=spam-l-boun...@spam-l.com
to=s...@hardwarefreak.com proto=ESMTP helo=mx1.mfn.org

Any clues as to what's wrong?


You rejected the HELO hostname, not the IP address. What is 
reject_unknown_helo_hostname going to do when your DNS is broken?
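Michael's point worked through as an added example (not code from the thread): a toy model of how smtpd walks its restriction lists. An OK from check_client_access ends smtpd_client_restrictions only; with smtpd_delay_reject = yes (the default) the helo, sender and recipient lists are still evaluated at RCPT TO, and the HELO list in the post never looks at the client address before reject_unknown_helo_hostname. The IP, HELO name and the three network entries are the ones in Stan's post; the sender, recipient and domains are constructed placeholders. Simplifications: only the restrictions needed here are modelled, DNS is a stub that always fails, and hostname lookups are skipped for "unknown" clients.

```python
"""Model of Postfix smtpd restriction-list evaluation (added example, simplified)."""


def domain_keys(name, parent_matches=True):
    """Keys tried for a host/HELO/domain name: the name, then its parent domains.
    With smtpd_access_maps in parent_domain_matches_subdomains the parent keys
    are bare ("mfn.org"); otherwise they carry a leading dot (".mfn.org")."""
    labels = name.lower().split(".")
    keys = [name.lower()]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches else "." + parent)
    return keys


def client_keys(ip, name, parent_matches=True):
    """check_client_access order (access(5)): client hostname and its parents first,
    then the full IPv4 address and successively shorter dotted prefixes."""
    keys = [] if name == "unknown" else domain_keys(name, parent_matches)
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def address_keys(addr, parent_matches=True):
    """check_sender/recipient_access order: user@domain, domain (and parents), user@."""
    user, _, domain = addr.lower().partition("@")
    return [addr.lower()] + domain_keys(domain, parent_matches) + [user + "@"]


def lookup(table, keys):
    for k in keys:
        if k in table:
            return table[k].upper()
    return "DUNNO"


def evaluate_list(restrictions, s, env):
    """One smtpd_*_restrictions list. OK / permit_* end this list only, REJECT /
    reject_* end the whole decision, DUNNO moves on to the next restriction."""
    for r, *arg in restrictions:
        if r == "check_client_access":
            res = lookup(arg[0], client_keys(s["ip"], s["name"]))
        elif r == "check_recipient_access":
            res = lookup(arg[0], address_keys(s["rcpt"]))
        elif r == "check_sender_access":
            res = lookup(arg[0], address_keys(s["from"]))
        elif r == "permit_mynetworks":
            res = "OK" if s["ip"] in env["mynetworks"] else "DUNNO"
        elif r == "reject_unknown_client_hostname":
            res = "DUNNO" if s["name"] != "unknown" else \
                f"REJECT Client host rejected: cannot find your hostname, [{s['ip']}]"
        elif r == "reject_unknown_helo_hostname":
            res = "DUNNO" if env["dns"](s["helo"]) else \
                f"REJECT <{s['helo']}>: Helo command rejected: Host not found"
        elif r == "reject_unauth_destination":
            res = "DUNNO" if s["rcpt"].split("@")[1] in env["mydestination"] \
                else "REJECT Relay access denied"
        else:
            res = "DUNNO"   # reject_non_fqdn_*, RBL, policy service: not modelled
        if res.startswith("OK"):
            return "PERMIT"
        if res.startswith("REJECT"):
            return res
    return "DUNNO"


def smtpd_decision(lists, s, env):
    """With smtpd_delay_reject = yes every list runs at RCPT TO, in client, helo,
    sender, recipient order; a PERMIT in one list does not skip the following lists."""
    for name, restrictions in lists:
        res = evaluate_list(restrictions, s, env)
        if res.startswith("REJECT"):
            return f"{name}: {res}"
    return "PERMIT"


# Constructed scenario modelled on the log line in the post: the client's network is
# in the access table, but its reverse DNS and its HELO name fail to resolve.
ACCESS = {"66.135.197": "OK", "168.100.1": "OK", "204.238.179": "OK"}
SESSION = {"ip": "204.238.179.8", "name": "unknown", "helo": "mx1.mfn.org",
           "from": "list-bounces@example.org", "rcpt": "stan@example.com"}
ENV = {"mynetworks": {"127.0.0.1"}, "mydestination": {"example.com"},
       "dns": lambda host: False}          # stub: every lookup fails during the outage

ORIGINAL = [
    ("smtpd_client_restrictions", [("check_recipient_access", ACCESS),
                                   ("check_client_access", ACCESS),
                                   ("reject_unknown_client_hostname",)]),
    ("smtpd_helo_restrictions", [("check_recipient_access", ACCESS),
                                 ("reject_unknown_helo_hostname",)]),
    ("smtpd_sender_restrictions", [("check_sender_access", ACCESS)]),
    ("smtpd_recipient_restrictions", [("permit_mynetworks",),
                                      ("reject_unauth_destination",),
                                      ("check_recipient_access", ACCESS)]),
]
# Same lists, but the helo list consults the client table before it rejects.
FIXED = [(n, [("check_client_access", ACCESS)] + r if n == "smtpd_helo_restrictions" else r)
         for n, r in ORIGINAL]

if __name__ == "__main__":
    print("original:", smtpd_decision(ORIGINAL, SESSION, ENV))
    print("fixed:   ", smtpd_decision(FIXED, SESSION, ENV))
```

The client list does permit the host (the 204.238.179 entry matches on the second key tried), so reject_unknown_client_hostname is never reached; the rejection then comes from the helo list, whose only map lookup is keyed on the recipient. A whitelist that is meant to override every DNS-based check has to be present in each list that contains such a check, or those checks have to live in one list behind it.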