Re: Scalable

2010-02-12 Thread Stan Hoeppner
Jonathan Tripathy put forth on 2/12/2010 5:05 PM:
> Hi Stan,

Hi.  Try to keep the discussions on list so everyone can assist.

> You've hit a very good question. They don't currently have an office
> email system. Staff are using their personal Hotmail accounts when they
> need to send the odd email. Do you see why I originally was going to get
> a 256MB RAM VM to allow them to have 50 or so email accounts?

No, I can't.  I can understand your thought process, but it's wrong.  Leaving a
really bad situation for another one that's not quite as bad is not the same as
going to a good situation.  Architect a solution that fits the client's needs,
not a solution that's just a little better than what they have, but overall
still doesn't come close to meeting their needs.

> Just some other company has come in saying that they'll do 600, and even
> though my price is much cheaper, it's now being seen as "too cheap"...

Bid the job right.  Write up a proposal explaining what they need, why they need
it, and how much it's going to cost.

> I was thinking this server:
> 
> http://www.fasthosts.co.uk/dedicatedservers/linux-servers/ds300-linux/

You're still not looking at this from the proper perspective.  You're looking at
ISP rented colo offerings and trying to match one you think might fit the
client's need.  This is called an "ass backwards" approach to system design.

Identify the client's needs, then architect the system, then pick the hardware,
vendors and providers that best fit that need.

You didn't mention what their broadband connection speed is.  We need to know
that to help you properly architect this thing.  The lower that bandwidth, the
greater the need to have the mail server on site and not in a colo.

To be completely honest, from what I've seen from you to this point, it sounds
like everyone in this scenario might be better off just using Google apps.
Charge a decent "conversion" fee, add in some training, and once they're up and
running you don't have to "manage the box", which it seems you're not really up
to anyway.

-- 
Stan


Re: Postfix + Google APPS SMTP relaying issues

2010-02-12 Thread Jay Bendon
That fixed it!

Thanks so much for your help Wietse.


-- Always glad to help,
--Jay Bendon - Bendon Consults



On Fri, Feb 12, 2010 at 8:09 PM, Wietse Venema  wrote:
> Jay Bendon:
>> -- listing of /usr/lib64/sasl2 --
>> total 2748
>> drwxr-xr-x  2 root root   4096 Feb 10 19:51 .
>> drwxr-xr-x 28 root root  20480 Feb 10 21:31 ..
>> -rwxr-xr-x  1 root root    890 Sep  3 19:04 libanonymous.la
>> -rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so
>> -rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so.2
>> -rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so.2.0.22
>> -rwxr-xr-x  1 root root    936 Sep  3 19:04 libsasldb.la
>> -rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so
>> -rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so.2
>> -rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so.2.0.22
>> -rw-r--r--  1 root root     26 Aug 14  2008 smtpd.conf
>
> This supports anonymous authentication only.  There are no libplain
> and liblogin modules, and those are what gmail and Postfix want.
>
>> -- listing of /usr/lib/sasl2 --
>> total 2740
>> drwxr-xr-x  2 root root   4096 Feb 10 23:34 .
>> drwxr-xr-x 22 root root  12288 Feb 10 23:34 ..
>> -rwxr-xr-x  1 root root    884 Sep  3 19:04 libanonymous.la
>> -rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so
>> -rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so.2
>> -rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so.2.0.22
>> -rwxr-xr-x  1 root root    930 Sep  3 19:04 libsasldb.la
>> -rwxr-xr-x  1 root root 905200 Sep  3 19:04 libsasldb.so
>> -rwxr-xr-x  1 root root 905200 Sep  3 19:04 libsasldb.so.2
>
> Same here.
>
>        Wietse
>


Re: Scalable

2010-02-12 Thread Victor Duchovni
On Fri, Feb 12, 2010 at 06:24:59PM -0500, Aaron Wolfe wrote:

> If spam filtering is going to be used, it would be wise to consider
> those requirements as well.

A host with 256MB of RAM is not going to be doing much heavy lifting
with content inspection.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: Postfix + Google APPS SMTP relaying issues

2010-02-12 Thread Wietse Venema
Jay Bendon:
> -- listing of /usr/lib64/sasl2 --
> total 2748
> drwxr-xr-x  2 root root   4096 Feb 10 19:51 .
> drwxr-xr-x 28 root root  20480 Feb 10 21:31 ..
> -rwxr-xr-x  1 root root    890 Sep  3 19:04 libanonymous.la
> -rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so
> -rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so.2
> -rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so.2.0.22
> -rwxr-xr-x  1 root root    936 Sep  3 19:04 libsasldb.la
> -rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so
> -rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so.2
> -rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so.2.0.22
> -rw-r--r--  1 root root 26 Aug 14  2008 smtpd.conf

This supports anonymous authentication only.  There are no libplain
and liblogin modules, and those are what gmail and Postfix want.

> -- listing of /usr/lib/sasl2 --
> total 2740
> drwxr-xr-x  2 root root   4096 Feb 10 23:34 .
> drwxr-xr-x 22 root root  12288 Feb 10 23:34 ..
> -rwxr-xr-x  1 root root    884 Sep  3 19:04 libanonymous.la
> -rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so
> -rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so.2
> -rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so.2.0.22
> -rwxr-xr-x  1 root root    930 Sep  3 19:04 libsasldb.la
> -rwxr-xr-x  1 root root 905200 Sep  3 19:04 libsasldb.so
> -rwxr-xr-x  1 root root 905200 Sep  3 19:04 libsasldb.so.2

Same here.

Wietse


Re: Postfix + Google APPS SMTP relaying issues

2010-02-12 Thread Jay Bendon
saslfinger - postfix Cyrus sasl configuration Fri Feb 12 19:51:42 CST 2010
version: 1.0.2
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.3.3
System: CentOS release 5.4 (Final)

-- smtp is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x2b16ec84f000)

-- active SMTP AUTH and TLS parameters for smtp --
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_tls_cert_file = /etc/pki/tls/gmail_relay/gmail.pem
smtp_tls_enforce_peername = no
smtp_tls_key_file = /etc/pki/tls/gmail_relay/gmail.key
smtp_tls_note_starttls_offer = yes
smtp_tls_scert_verifydepth = 5
smtp_use_tls = yes


-- listing of /usr/lib64/sasl2 --
total 2748
drwxr-xr-x  2 root root   4096 Feb 10 19:51 .
drwxr-xr-x 28 root root  20480 Feb 10 21:31 ..
-rwxr-xr-x  1 root root    890 Sep  3 19:04 libanonymous.la
-rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so
-rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so.2
-rwxr-xr-x  1 root root  15880 Sep  3 19:05 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    936 Sep  3 19:04 libsasldb.la
-rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so
-rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so.2
-rwxr-xr-x  1 root root 893304 Sep  3 19:05 libsasldb.so.2.0.22
-rw-r--r--  1 root root 26 Aug 14  2008 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 2740
drwxr-xr-x  2 root root   4096 Feb 10 23:34 .
drwxr-xr-x 22 root root  12288 Feb 10 23:34 ..
-rwxr-xr-x  1 root root    884 Sep  3 19:04 libanonymous.la
-rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so
-rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so.2
-rwxr-xr-x  1 root root  14372 Sep  3 19:04 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    930 Sep  3 19:04 libsasldb.la
-rwxr-xr-x  1 root root 905200 Sep  3 19:04 libsasldb.so
-rwxr-xr-x  1 root root 905200 Sep  3 19:04 libsasldb.so.2
-rwxr-xr-x  1 root root 905200 Sep  3 19:04 libsasldb.so.2.0.22

-- listing of /etc/sasl2 --
total 16
drwxr-xr-x  2 root root 4096 Sep  3 19:04 .
drwxr-xr-x 50 root root 4096 Feb 10 23:34 ..


-- permissions for /etc/postfix/sasl_passwd --
-rw-r- 1 root postfix 255 Feb 11 17:57 /etc/postfix/sasl_passwd

-- permissions for /etc/postfix/sasl_passwd.db --
-rw-r- 1 root postfix 12288 Feb 11 17:57 /etc/postfix/sasl_passwd.db

/etc/postfix/sasl_passwd.db is up to date.

-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
smtp  inet  n   -   n   -   -   smtpd
pickup    fifo  n   -   n   60  1   pickup
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
smtp  unix  -   -   n   -   -   smtp
relay unix  -   -   n   -   -   smtp
-o fallback_relay=
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -   n   n   -   -   pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m
${extension} ${user}
cyrus unix  -   n   n   -   -   pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m
${extension} ${user}
uucp  unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n   -   -   pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

-- mechanisms on smtp.gmail.com:587 --

-- mechanisms on [smtp.gmail.com]:587 --

-- m

Re: Postfix + Google APPS SMTP relaying issues

2010-02-12 Thread Wietse Venema
> relayhost = [smtp.gmail.com]:587

This host supports no SASL authentication BEFORE STARTTLS:

% telnet smtp.gmail.com 587
...
220 mx.google.com ESMTP 42sm38391439vws.8
ehlo hostname.porcupine.org
250-mx.google.com at your service, [my.ip.addr]
250-SIZE 35651584
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 PIPELINING

This host supports the following mechanisms AFTER STARTTLS:

% openssl s_client -connect smtp.gmail.com:587 -starttls smtp
...
ehlo hostname.porcupine.org
250-mx.google.com at your service, [my.ip.addr]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250 PIPELINING

> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

Fine.

> smtp_sasl_security_options = noanonymous, noplaintext

Irrelevant, because gmail does not support SASL over non-TLS connections.

> smtp_sasl_tls_security_options = noanonymous
> smtp_use_tls = yes

Postfix allows login + plain, and gmail announces login + plain,
therefore your SASL library is not cooperating.

Run the saslfinger program *AND REPORT ALL ITS OUTPUT*.

Wietse
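The mechanism selection Wietse is describing, as an added example (not Postfix's code and not anything posted in the thread): the EHLO replies below are constructed copies of the two exchanges quoted above, and the table mapping `noplaintext` / `noanonymous` onto mechanisms is an assumption that covers only the mechanisms this thread cares about.

```python
# Added example, not code from Postfix or from anyone in the thread.
# It models the selection Wietse describes: the server announces AUTH only
# after STARTTLS, and Postfix then filters the announced mechanisms through
# smtp_sasl_tls_security_options (or, on a session that never negotiates
# TLS, through smtp_sasl_security_options).

# Constructed EHLO replies, copied from the exchange quoted in the thread.
EHLO_BEFORE_STARTTLS = """250-mx.google.com at your service, [my.ip.addr]
250-SIZE 35651584
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 PIPELINING"""

EHLO_AFTER_STARTTLS = """250-mx.google.com at your service, [my.ip.addr]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250 PIPELINING"""

# Assumption: only the mechanisms relevant to this thread are listed.
# "noplaintext" excludes every mechanism that transmits the password itself,
# which is PLAIN and LOGIN; "noanonymous" excludes ANONYMOUS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
ANONYMOUS_MECHS = {"ANONYMOUS"}


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters, e.g. {"AUTH": ["LOGIN", "PLAIN"]}."""
    caps = {}
    for line in reply.splitlines():
        # Every line is "250-keyword ..." except the last, "250 keyword ...".
        if not line.startswith("250"):
            continue
        parts = line[4:].split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def filter_mechs(offered, security_options):
    """Drop the mechanisms that a comma-separated *_security_options value forbids."""
    opts = {o.strip().lower() for o in security_options.split(",") if o.strip()}
    allowed = set(offered)
    if "noplaintext" in opts:
        allowed -= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        allowed -= ANONYMOUS_MECHS
    return allowed


def usable_mechs(ehlo_before, ehlo_after, use_tls, sasl_opts, sasl_tls_opts):
    """Mechanisms Postfix can still pick for the session it will actually see.

    With TLS enabled and STARTTLS announced, the AUTH line that counts is the
    one sent after STARTTLS, filtered by smtp_sasl_tls_security_options.
    Otherwise the pre-STARTTLS AUTH line (here: none) is filtered by
    smtp_sasl_security_options.  An empty set means nothing can be negotiated.
    """
    before = parse_ehlo(ehlo_before)
    if use_tls and "STARTTLS" in before:
        offered = parse_ehlo(ehlo_after).get("AUTH", [])
        return filter_mechs(offered, sasl_tls_opts)
    return filter_mechs(before.get("AUTH", []), sasl_opts)


if __name__ == "__main__":
    # The three settings Jay reports trying, in the order given in the thread.
    for sasl_opts, tls_opts in [("noanonymous, noplaintext", "noanonymous"),
                                ("noplaintext", "noplaintext"),
                                ("noanonymous", "noanonymous")]:
        mechs = usable_mechs(EHLO_BEFORE_STARTTLS, EHLO_AFTER_STARTTLS, True,
                             sasl_opts, tls_opts)
        print(f"{sasl_opts!r:28} {tls_opts!r:14} -> {sorted(mechs) or 'nothing usable'}")
```

Two of the three settings leave LOGIN and PLAIN usable; only `smtp_sasl_tls_security_options = noplaintext` empties the set, because PLAIN and LOGIN are the only mechanisms gmail announces. A correct option set still fails when the Cyrus SASL plugin for the chosen mechanism is not installed, which is what the later listing of `/usr/lib64/sasl2` (no libplain, no liblogin) turned out to show.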


Re: Scalable

2010-02-12 Thread Aaron Wolfe
On Fri, Feb 12, 2010 at 5:41 PM, Victor Duchovni
 wrote:
> On Fri, Feb 12, 2010 at 05:17:26PM -0500, Aaron Wolfe wrote:
>
>> If you want to give your client good advice, you will have to measure
>> their mail flow in a meaningful way.
>> How many messages per second, minute, hour, day do you need to handle?
>>  How many concurrent SMTP sessions?  Do they even care if a message
>> takes 100ms vs 100 seconds to traverse this system?
>
> No, this is largely irrelevant. What matters is the IMAP performance
> they expect; IMAP servers are reasonably CPU and memory intensive.
>

I was speaking about Postfix.  Of course other software will have its
own requirements.
If spam filtering is going to be used, it would be wise to consider
those requirements as well.
On my largest server we do not use any IMAP software, but we do use
spamassassin.  SA uses considerably more resources than Postfix per
SMTP process.

> --
>        Viktor.
>
> P.S. Morgan Stanley is looking for a New York City based, Senior Unix
> system/email administrator to architect and sustain our perimeter email
> environment.  If you are interested, please drop me a note.
>


Re: Scalable

2010-02-12 Thread Stan Hoeppner
Jonathan Tripathy put forth on 2/12/2010 3:50 PM:

> 2.8 Dual Core
> 2GB RAM

What about disk?  Disk is typically the key subsystem for mail performance.
Fast CPUs don't do much for mail without a fast disk subsystem.  At minimum get
hardware mirroring for two disks (RAID 1) and best to make them 10K or 15K rpm
models.  7.2K rpm disks might not cut it for 600 users unless you go hardware
RAID 10 with 4 disks.

> how much would that handle?

With the right disk subsystem, those specs above with Postfix + Dovecot IMAP +
antispam stuff + etc should be plenty.

> My customer is a business, with 600 staff, however I think they just use
> a single broadband connection so that will be the limiting factor, as
> this dedicated server has a 100Mbps link to the net..

What is the up/down link speed of the broadband connection?  If it's something
like the low ball minimum 1.5M/512K the speed of the server won't mean much,
just as you surmise.  And if that is the case, this smtp/imap server should be
placed on site at the business location, not in a colo.

Where is their current mail server located?  Also, you need to get some usage
data from their current server to find out exactly what their flow volume is.

-- 
Stan


Re: Problems getting Gmail to use my SMTP server rather than theirs

2010-02-12 Thread Rob Tanner
Found a far superior solution. The problem that the powers that be thought
it would fix, it wouldn't fix anyway.  I finally convinced them of that and
so that's the end of that.

Nevertheless, thanks to all who replied.

-- Rob




On 2/12/10 9:30 AM, "Noel Jones"  wrote:

> On 2/12/2010 11:21 AM, Michael Saldivar wrote:
>> On Wed, Feb 10, 2010 at 5:54 PM, Rob Tanner > > wrote:
>> 
 TLS is enabled on port 25 of our server and it has a regular Thawte
 certificate behind it.  Tests with Thunderbird using PLAIN
 authentication (SASL method) work perfectly.  From our point of
>> view,
 all we really want to protect in any SMTP transaction are the user
 credentials (uid/passwd) and what we are doing is currently
 sufficient.  Google, on the other hand is doing something
>> different or
 expecting something different and I have no idea what.  If you are
 successfully using a similar setup with Gmail, could you please pass
 on your wisdom.
>>> Watch your postfix logs and start debugging when gmail tries to
>>> authenticate against your server
>> 
>> The problem is the log files are rather large (a quarter million
>> lines since
>> the 4 am roll this morning, and there are lots of google entries.
>>   In other
>> words I've already spent time just trying to find the entries.  Any idea
>> about particular keywords that I might look for?
>> .
 
 Thanks,
 Rob
>> 
>> 
>> 
>> An easy way to watch is to tail -f the logfile, tell Gmail to send a
>> message, and then watch the log scroll past.  You will see the
>> authorization attempt and your server's response.
>> 
>> Also, in your Gmail account, check the submission port.  There's a drop
>> down list from which you can choose 25, 465, and 587; it defaults to 587.
> 
> And another great trick for finding stuff in your logs is to
> tag submission entries with a different syslog_name.
> 
> # master.cf
> submission ... smtpd
>-o syslog_name=postfix-submission
>...
> 
> http://www.postfix.org/postconf.5.html#syslog_name
> 
> 
>-- Noel Jones



Re: Scalable

2010-02-12 Thread Victor Duchovni
On Fri, Feb 12, 2010 at 05:17:26PM -0500, Aaron Wolfe wrote:

> If you want to give your client good advice, you will have to measure
> their mail flow in a meaningful way.
> How many messages per second, minute, hour, day do you need to handle?
>  How many concurrent SMTP sessions?  Do they even care if a message
> takes 100ms vs 100 seconds to traverse this system?

No, this is largely irrelevant. What matters is the IMAP performance
they expect; IMAP servers are reasonably CPU and memory intensive.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: Scalable

2010-02-12 Thread Aaron Wolfe
On Fri, Feb 12, 2010 at 4:50 PM, Jonathan Tripathy  wrote:
> Hi Everyone,
>
> Thanks for all the comments.
>
> The reason why I said 256MB RAM, is because that is currently what my VM
> has...
>
> If I were to take out a dedicated server with:
>
> 2.8 Dual Core
> 2GB RAM
>
> how much would that handle?
>
> My customer is a business, with 600 staff, however I think they just use a
> single broadband connection so that will be the limiting factor, as this
> dedicated server has a 100Mbps link to the net..
>
> Please let me know what you think
>

If you want to give your client good advice, you will have to measure
their mail flow in a meaningful way.
How many messages per second, minute, hour, day do you need to handle?
 How many concurrent SMTP sessions?  Do they even care if a message
takes 100ms vs 100 seconds to traverse this system?

> Thanks
>
> Jonny
>
> On 12/02/2010 19:24, Victor Duchovni wrote:
>
> On Fri, Feb 12, 2010 at 05:14:30PM -, Jonathan Tripathy wrote:
>
>
>
> My current server has 256MB RAM (It's a VM on slicehost). How many users do
> you think that will handle?
>
>
> Is more RAM substantially more expensive? 256 MB is rather meek these days.
> With physical servers, one typically gets 16GB or more of RAM these days.
> Even a 6-Watt Atom-CPU FitPC box comes with 1GB of RAM! Your machine is
> way off the mainstream memory curve... For Postfix alone you're fine, but
> for running an IMAP server with users, you are likely too cramped, ask
> on the Dovecot list, not here. Postfix is not very memory intensive.
>
>


Re: Scalable

2010-02-12 Thread Jonathan Tripathy

Hi Everyone,

Thanks for all the comments.

The reason why I said 256MB RAM, is because that is currently what my VM 
has...


If I were to take out a dedicated server with:

2.8 Dual Core
2GB RAM

how much would that handle?

My customer is a business, with 600 staff, however I think they just use 
a single broadband connection so that will be the limiting factor, as 
this dedicated server has a 100Mbps link to the net..


Please let me know what you think

Thanks

Jonny

On 12/02/2010 19:24, Victor Duchovni wrote:

On Fri, Feb 12, 2010 at 05:14:30PM -, Jonathan Tripathy wrote:

   

My current server has 256MB RAM (It's a VM on slicehost). How many users do you 
think that will handle?
 

Is more RAM substantially more expensive? 256 MB is rather meek these days.
With physical servers, one typically gets 16GB or more of RAM these days.
Even a 6-Watt Atom-CPU FitPC box comes with 1GB of RAM! Your machine is
way off the mainstream memory curve... For Postfix alone you're fine, but
for running an IMAP server with users, you are likely too cramped, ask
on the Dovecot list, not here. Postfix is not very memory intensive.

   


Re: Postfix + Google APPS SMTP relaying issues

2010-02-12 Thread Jay Bendon
the only changes tested were:

smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

and

smtp_sasl_security_options = noplaintext
smtp_sasl_tls_security_options = noplaintext

My original configuration was the recommended:

smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

Still receiving errors : no mechanism available and No worthy mechs found
my full postconf -n is as of right now:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 3
debug_peer_list = smtp.gmail.com
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost
mydomain = powerdnn.com
myhostname = monitor.powerdnn.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
relayhost = [smtp.gmail.com]:587
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_tls_cert_file = /etc/pki/tls/gmail_relay/gmail.pem
smtp_tls_enforce_peername = no
smtp_tls_key_file = /etc/pki/tls/gmail_relay/gmail.key
smtp_tls_note_starttls_offer = yes
smtp_tls_scert_verifydepth = 5
smtp_use_tls = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

end
-- Always glad to help,
--Jay Bendon - Bendon Consults




On Fri, Feb 12, 2010 at 6:53 AM, Wietse Venema  wrote:
>> On Thu, Feb 11, 2010 at 7:57 PM, Wietse Venema  wrote:
>> > Postfix also logged this message, amidst your verbose logging.
>> >
>> > ? ? Feb 11 18:23:18 nagios postfix/smtp[22560]: warning: SASL 
>> > authentication failure: No worthy mechs found
>> >
>> > For a remedy, see http://www.postfix.org/SASL_README.html
>> >
> Jay Bendon:
>> Thanks Wietse,
>>
>> I used what was recommended by the readme and that resulted in the
>> same error.  I also tried a few other settings in there and no better
>> results.
>
> What did you do? People make mistakes, we can help only if you
> show what typos you made.
>
> Where is "postconf -n" output of what you did?
>
>        Wietse
>


Re: does using a hash map for an alias file extend rec len?

2010-02-12 Thread Wietse Venema
Jay G. Scott:
> 
> Greetings,
> 
> the aliases files are limited to 1024 chars/record because of NIS.
> 
> but postfix looks like it would take hash maps instead for things
> like aliases.  does this work around the 1024 character limit?
> i hope, i hope.  the chaining biz is annoying.

hash and btree tables solve that problem.

Postfix does not enforce a length limit when it creates database
records.  If the underlying database allows jumbo-sized records
then Postfix will happily store them.

The 1024-byte limit comes from Sun's ndbm implementation (*) which
was historically used to store the NIS tables.  Other NIS
implementations may use different databases with different limits.

Wietse

(*) From the ndbm manpage:
 The sum of the sizes of a key/content pair must  not  exceed
 the internal block size (currently 1024 bytes). Moreover all
 key/content pairs that hash together must fit  on  a  single
 block.  dbm_store() will return an error in the event that a
 disk block fills with inseparable data.
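A check for the limit Wietse quotes, as an added example (not Postfix's or NIS's code): it parses an aliases-style file, folds continuation lines into one record, and reports which records exceed the 1024-byte ndbm block when key and content are added together. The sample alias file is constructed; real ndbm or NIS maps may add a terminating NUL per field, so treat the figure as approximate.

```python
# Added example, not Postfix's code: measure each aliases(5) record the way
# ndbm would see it (key plus content) and flag the ones that would not fit
# the 1024-byte block quoted from the ndbm manpage.
NDBM_BLOCK = 1024

# Constructed sample: one short alias and one 60-member list split over
# continuation lines, the kind of chaining an NIS-bound site resorts to.
SAMPLE_ALIASES = "postmaster: root\n" + "everyone: " + ",\n\t".join(
    f"user{i:02d}@example.com" for i in range(60)) + "\n"


def parse_aliases(text):
    """Return {alias: expansion} with continuation lines folded into one record."""
    entries = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            entries[key] += " " + raw.strip()      # continuation of the previous record
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        entries[key] = value.strip()
    return entries


def record_sizes(entries):
    """Bytes per record as key + content, which is what ndbm's limit applies to."""
    return {k: len(k.encode()) + len(v.encode()) for k, v in entries.items()}


def oversized_for_ndbm(entries, limit=NDBM_BLOCK):
    """Records over the ndbm block size; an empty result means NIS could carry them all."""
    return {k: n for k, n in record_sizes(entries).items() if n > limit}


if __name__ == "__main__":
    entries = parse_aliases(SAMPLE_ALIASES)
    for alias, size in oversized_for_ndbm(entries).items():
        print(f"{alias}: {size} bytes exceeds ndbm block of {NDBM_BLOCK}")
```

The 60-member list comes to 1206 bytes and is flagged; a Postfix hash or btree table stores it without complaint, which is the point of Wietse's answer, but the same record would still be a problem the moment it has to be pushed through an ndbm-backed NIS map.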



Re: does using a hash map for an alias file extend rec len?

2010-02-12 Thread Michael Tokarev
Jay G. Scott wrote:
> Greetings,
> 
> the aliases files are limited to 1024 chars/record because of NIS.

Which part of the postfix documentation states this?

/mjt


does using a hash map for an alias file extend rec len?

2010-02-12 Thread Jay G. Scott

Greetings,

the aliases files are limited to 1024 chars/record because of NIS.

but postfix looks like it would take hash maps instead for things
like aliases.  does this work around the 1024 character limit?
i hope, i hope.  the chaining biz is annoying.

j.


Re: Race condition in postmap?

2010-02-12 Thread Victor Duchovni
On Fri, Feb 12, 2010 at 11:25:05AM +, Richard Cooper wrote:

> Based on my debugging it seems that this error is related to me running 
> postmap to rebuild the virtual_alias table. This is despite the fact that the 
> recipi...@example.com address is correctly configured in both the old and new 
> virtual_aliases. Here is a log of what was happening at the same time as the 
> above error:

The original Berkeley DB (version 1.8x) which was available at the time
that "hash" and "btree" table support were added to Postfix was a simple
indexed file format and library. In that version of Berkeley DB there
were no memory mapped page pools, transaction logs, ...

If you are using Berkeley DB on a BSD system with version 1.8x, then postmap
is race-free due to the Postfix locking protocol for Berkeley DB files.

Newer much more feature-full versions of Berkeley DB are no longer race-free
with the Postfix locking protocol, and you need to atomically create/rename
a newly built table.

I don't use Berkeley DB for multi-reader tables, I strongly recommend
CDB for that purpose. I only use Berkeley DB for single reader/writer
tables such as TLS session caches, address verification caches, ...

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
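The atomic create-then-rename pattern Viktor recommends, as an added example that is not Postfix's code: a plain text table stands in for the database so it runs anywhere, and the function and file names are my own. The new table is written under a temporary name in the same directory and renamed over the old one, so a reader that already holds the old file open keeps a complete old copy, and a reader that opens afterwards gets a complete new copy; nobody sees a half-written file.

```python
# Added example, not Postfix's code: atomic table replacement.
import os
import tempfile


def write_table_atomically(path, records):
    """Write {key: value} as "key value" lines and swap the file into place atomically."""
    dirname = os.path.dirname(os.path.abspath(path))
    # Temporary file in the *same directory*, so the rename is a metadata
    # operation on one filesystem rather than a copy across filesystems.
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=dirname)
    try:
        with os.fdopen(fd, "w") as f:
            for key in sorted(records):
                f.write(f"{key} {records[key]}\n")
            f.flush()
            os.fsync(f.fileno())        # contents on disk before the rename
        os.replace(tmp, path)           # atomic on POSIX: old inode or new, never a mix
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)              # never leave a partial build behind
        raise


def load_table(path):
    """Read a table back into a dict (one "key value" pair per line)."""
    with open(path) as f:
        return dict(line.rstrip("\n").split(" ", 1) for line in f if line.strip())


def demo(directory):
    """Rebuild a table while a reader holds the old version open; return both views."""
    path = os.path.join(directory, "virtual")
    write_table_atomically(path, {"a@example.com": "alice"})
    reader = open(path)                     # long-lived reader, like a running daemon
    write_table_atomically(path, {"a@example.com": "alice", "b@example.com": "bob"})
    old_view = reader.read().splitlines()   # still the complete old table
    reader.close()
    new_view = load_table(path)             # a fresh open sees the complete new table
    leftovers = [n for n in os.listdir(directory) if n.startswith(".tmp-")]
    return old_view, new_view, leftovers


def demo_in_tempdir():
    """Run demo() in a scratch directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    old_view, new_view, leftovers = demo_in_tempdir()
    print("reader that opened before the rebuild saw:", old_view)
    print("reader that opened after the rebuild saw: ", new_view)
    print("temporary files left behind:", leftovers)
```

For a real Postfix hash table the same shape applies: build with `postmap hash:/etc/postfix/virtual.tmp`, which produces `virtual.tmp.db`, and then rename that `.db` file over the live `virtual.db` on the same filesystem. Running `postmap` directly against the live file name is what exposes the race with newer Berkeley DB versions.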


Re: Scalable

2010-02-12 Thread Victor Duchovni
On Fri, Feb 12, 2010 at 05:14:30PM -, Jonathan Tripathy wrote:

> My current server has 256MB RAM (It's a VM on slicehost). How many users do 
> you think that will handle?

Is more RAM substantially more expensive? 256 MB is rather meek these days.
With physical servers, one typically gets 16GB or more of RAM these days.
Even a 6-Watt Atom-CPU FitPC box comes with 1GB of RAM! Your machine is
way off the mainstream memory curve... For Postfix alone you're fine, but
for running an IMAP server with users, you are likely too cramped, ask
on the Dovecot list, not here. Postfix is not very memory intensive.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: Scalable

2010-02-12 Thread Stan Hoeppner
Aaron Wolfe put forth on 2/12/2010 11:39 AM:

> It might be better to think in terms of messages per hour than number of 
> users.

Most importantly, who are these users?  Are they customers?  Members of some
society or club?  Will these be their primary email accounts or secondary,
tertiary, etc?  If these are nursing home residents you could get by with an old
386. ;)

Who are your users?  The answer to this question will probably answer most of
the others.

-- 
Stan


Re: Scalable

2010-02-12 Thread Aaron Wolfe
On Fri, Feb 12, 2010 at 12:14 PM, Jonathan Tripathy  wrote:
> Hi Folks,
>
> How scalable is postfix and dovecot, using mysql for user databases, on one
> server?
>
> My current server has 256MB RAM (It's a VM on slicehost). How many users do
> you think that will handle?
>
> How much RAM/CPU would I need to host 600 users? Please remember, that due
> to the nature of email, I imagine that the server won't be constantly
> hammered.
>

You'll probably find that one "heavy" user will take the resources of
10s or 100s of lightweight users.  With only 600 users, you're not
going to get a lot of averaging so you'll have to figure out what your
specific users are going to need.  60 heavy users might bring the
server to its knees, 6000 light users might work out fine.

It might be better to think in terms of messages per hour than number of users.

> How much disk space do you think I'll need? I'm just looking for advice from
> someone with experience
>
> Thanks
>
> Jonny
>
>


Re: Problems getting Gmail to use my SMTP server rather than theirs

2010-02-12 Thread Noel Jones

On 2/12/2010 11:21 AM, Michael Saldivar wrote:

On Wed, Feb 10, 2010 at 5:54 PM, Rob Tanner <rtan...@linfield.edu> wrote:

 >> TLS is enabled on port 25 of our server and it has a regular Thawte
 >> certificate behind it.  Tests with Thunderbird using PLAIN
 >> authentication (SASL method) work perfectly.  From our point of
view,
 >> all we really want to protect in any SMTP transaction are the user
 >> credentials (uid/passwd) and what we are doing is currently
 >> sufficient.  Google, on the other hand is doing something
different or
 >> expecting something different and I have no idea what.  If you are
 >> successfully using a similar setup with Gmail, could you please pass
 >> on your wisdom.
 > Watch your postfix logs and start debugging when gmail tries to
 > authenticate against your server

The problem is the log files are rather large (a quarter million
lines since
the 4 am roll this morning, and there are lots of google entries.
  In other
words I've already spent time just trying to find the entries.  Any idea
about particular keywords that I might look for?
.
 >>
 >> Thanks,
 >> Rob



An easy way to watch is to tail -f the logfile, tell Gmail to send a
message, and then watch the log scroll past.  You will see the
authorization attempt and your server's response.

Also, in your Gmail account, check the submission port.  There's a drop
down list from which you can choose 25, 465, and 587; it defaults to 587.


And another great trick for finding stuff in your logs is to 
tag submission entries with a different syslog_name.


# master.cf
submission ... smtpd
  -o syslog_name=postfix-submission
  ...

http://www.postfix.org/postconf.5.html#syslog_name


  -- Noel Jones
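What the separate `syslog_name` buys you, as an added example (not Noel's code and not part of Postfix): once the submission service logs under `postfix-submission`, a filter can key on that tag and pull out just the authentication activity. The log lines below are constructed; their record layouts follow what Postfix's smtpd writes for SASL failures and for authenticated clients, and the regular expressions are my own.

```python
# Added example, not from the thread or from Postfix: pick out the
# submission service's SASL activity from a shared syslog file by tag.
import re
from collections import defaultdict

# Constructed sample: port-25 smtpd and the submission smtpd interleaved.
SAMPLE_LOG = """\
Feb 12 09:31:02 mx postfix-submission/smtpd[1234]: connect from unknown[192.0.2.10]
Feb 12 09:31:03 mx postfix-submission/smtpd[1234]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Feb 12 09:31:05 mx postfix/smtpd[2222]: connect from mail.example.net[198.51.100.5]
Feb 12 09:31:07 mx postfix-submission/smtpd[1234]: 3F2A1C0: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=rob
Feb 12 09:31:08 mx postfix-submission/smtpd[1234]: disconnect from unknown[192.0.2.10]
Feb 12 09:31:09 mx postfix/smtpd[2222]: disconnect from mail.example.net[198.51.100.5]
"""

# syslog line: timestamp host tag/daemon[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[\w.-]+)/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAIL_RE = re.compile(
    r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed")
OK_RE = re.compile(
    r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=(?P<mech>\S+), sasl_username=(?P<user>\S+)")


def parse_line(line):
    """Split one syslog line into its fields, or None if it is not Postfix-shaped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def submission_records(log_text, syslog_name="postfix-submission"):
    """Keep only records whose syslog tag is the submission service's."""
    recs = (parse_line(ln) for ln in log_text.splitlines())
    return [r for r in recs if r and r["tag"] == syslog_name]


def sasl_summary(records):
    """Per client IP: failed SASL attempts and the usernames that authenticated."""
    summary = defaultdict(lambda: {"failed": 0, "users": set()})
    for r in records:
        m = FAIL_RE.search(r["msg"])
        if m:
            summary[m["ip"]]["failed"] += 1
            continue
        m = OK_RE.search(r["msg"])
        if m:
            summary[m["ip"]]["users"].add(m["user"])
    return {ip: {"failed": v["failed"], "users": sorted(v["users"])}
            for ip, v in summary.items()}


if __name__ == "__main__":
    for ip, s in sasl_summary(submission_records(SAMPLE_LOG)).items():
        print(f"{ip}: {s['failed']} failed, authenticated as {s['users']}")
```

Run over the sample, the port-25 lines drop out on the tag alone, and the one client that touched submission shows one failed PLAIN attempt followed by a successful login as `rob`; the same filter against a real file gives the debugging view Rob was asking for without grepping through every Google entry on port 25.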


Re: suitable webmail

2010-02-12 Thread Stan Hoeppner
LuKreme put forth on 2/12/2010 10:08 AM:
> On 12-Feb-2010, at 08:48, Stan Hoeppner wrote:
>>
>> Tell me about this "top-secure" aspect of Squirrelmail again. ;)
> 
> The fact that some spammers are able to get into email accounts and send spam 
> via squirrelmail has nothing to do with the security of squirrelmail itself. 
> In nearly all, if not all, of these cases the account is being compromised 
> due to having a password like "password1" or "12345678"

If you'd have read past the first line you'd have noticed I said the same 
thing. ;)

-- 
Stan




Re: deliver problem ( Error: file_dotlock_create )

2010-02-12 Thread Stan Hoeppner
Frank Bonnet put forth on 2/12/2010 10:05 AM:
> Hello all ( Postfix and Dovecot )
> 
> Trying to use deliver as mailbox_command with Postfix I get this
> error each time an email is arriving
> 
> deliver(): Error: file_dotlock_create(/var/mail/)
> failed: Permission denied (euid=3003() egid=3010(smig) missing
> +w perm: /var/mail) (set mail_privileged_group=mail)
> 
> Does this mean I have to chmod 777 the /var/mail directory ?

If you're using dovecot mbox format but are not going to use sieve etc, then
just have Postfix local drop the mail.  That's what I do.  Works great.

-- 
Stan


Re: Problems getting Gmail to use my SMTP server rather than theirs

2010-02-12 Thread Michael Saldivar
On Wed, Feb 10, 2010 at 5:54 PM, Rob Tanner  wrote:

> >> TLS is enabled on port 25 of our server and it has a regular Thawte
> >> certificate behind it.  Tests with Thunderbird using PLAIN
> >> authentication (SASL method) work perfectly.  From our point of view,
> >> all we really want to protect in any SMTP transaction are the user
> >> credentials (uid/passwd) and what we are doing is currently
> >> sufficient.  Google, on the other hand is doing something different or
> >> expecting something different and I have no idea what.  If you are
> >> successfully using a similar setup with Gmail, could you please pass
> >> on your wisdom.
> > Watch your postfix logs and start debugging when gmail tries to
> > authenticate against your server
>
> The problem is the log files are rather large (a quarter million lines
> since the 4 am roll this morning, and there are lots of google entries.  In
> other words I've already spent time just trying to find the entries.  Any
> idea about particular keywords that I might look for?
> .
> >>
> >> Thanks,
> >> Rob
>
>

An easy way to watch is to tail -f the logfile, tell Gmail to send a
message, and then watch the log scroll past.  You will see the authorization
attempt and your server's response.

Also, in your Gmail account, check the submission port.  There's a drop down
list from which you can choose 25, 465, and 587; it defaults to 587.


-- 
Mike Saldivar
Direct Financial Solutions
Information Systems Manager
Desk: 435-774-8252
Cell: 435-881-3778


Scalable

2010-02-12 Thread Jonathan Tripathy
Hi Folks,

How scalable are postfix and dovecot, using mysql for user databases, on one 
server?

My current server has 256MB RAM (It's a VM on slicehost). How many users do you 
think that will handle?

How much RAM/CPU would I need to host 600 users? Please remember, that due to 
the nature of email, I imagine that the server won't be constantly hammered.

How much disk space do you think I'll need? I'm just looking for advice from 
someone with experience

Thanks

Jonny



Re: suitable webmail

2010-02-12 Thread Ben Winslow
On 02/12/2010 10:48 AM, Stan Hoeppner wrote:
> Tell me about this "top-secure" aspect of Squirrelmail again. ;)

> User-Agent: SquirrelMail/1.4.15

Spammers regularly phish for ISP account information and then use those
credentials to send spam via webmail and SMTP auth.  We see this
frequently, and it's not directly related to the webmail software in use.

-- 
Ben Winslow 


Re: Postfix Addon Software

2010-02-12 Thread Reinaldo de Carvalho
On Fri, Feb 12, 2010 at 4:53 AM, fsuel  wrote:
>
> Hi,
>
> I'm from the French ministry of defense and we have an open-source
> project about a trusted messaging system. The aim of the global project
> is to build a more trusted email system with components such as Thunderbird
> and Postfix. The whole project is called TRUSTEDBIRD, with the agreement of
> the Mozilla Foundation:  www.trustedbird.org
>
> We developed some scripts to set up an email gateway managing
> several priorities (with Postfix and Qpsmtpd) and QoS over the network.
> Would it be possible to have information listed on the Postfix Addon
> Software page with the subtitle "Management of priority"?
> You can find information about the addon here:
> http://www.trustedbird.org/tb/Priority_email_gateway
>

Well, adding a tos/dscp action for restrictions and {header|body}_checks,
writing the value to the queue file, and having qmgr pass this tos/dscp to
the smtp client as command args would do the job. The tos/dscp action could
be a non-terminating action, as "filter" could be.

I'd like to see restrictions support non-terminating actions, to set
some behavior but not skip the next ACLs by jumping to the next restriction
(useful for "FILTER", "WARN" and the proposed TOS/DSCP action). Something
like "set behavior and dunno".

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)


Re: suitable webmail

2010-02-12 Thread LuKreme
On 12-Feb-2010, at 08:48, Stan Hoeppner wrote:
> 
> Tell me about this "top-secure" aspect of Squirrelmail again. ;)

The fact that some spammers are able to get into email accounts and send spam 
via squirrelmail has nothing to do with the security of squirrelmail itself. In 
nearly all, if not all, of these cases the account is being compromised due to 
having a password like "password1" or "12345678"

-- 
TAR IS NOT A PLAYTHING
Bart chalkboard Ep. 7F02



deliver problem ( Error: file_dotlock_create )

2010-02-12 Thread Frank Bonnet

Hello all ( Postfix and Dovecot )

Trying to use deliver as mailbox_command with Postfix I get this
error each time an email is arriving

deliver(): Error: file_dotlock_create(/var/mail/) 
failed: Permission denied (euid=3003() egid=3010(smig) missing 
+w perm: /var/mail) (set mail_privileged_group=mail)


Does this mean I have to chmod 777 the /var/mail directory ?

Thanks a lot



Re: 554 5.7.1 relay access denied

2010-02-12 Thread Noel Jones

On 2/12/2010 12:18 AM, Jeff Lacki wrote:

I'm going out of my mind trying to get relaying working
for my users who want to use my domain as their smtp
outgoing server.

I've set up SASL and TLS successfully (I believe).
I have the following:

relay_transport = hash:/etc/postfix/transport


relay_transport must specify a transport name from master.cf, 
NOT a map.  Remove the above setting.

http://www.postfix.org/postconf.5.html#relay_transport

Anyway, this setting controls outgoing mail for relay_domains. 
This doesn't appear to be something you need, so remove it.





and in transport I have:

.mydomain.com   :


Remove this too.



I see my test run connecting but then getting denied
for relaying:

Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 
99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 
99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection 
established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 
SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from 
99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1: Relay 
access denied; from=  to=  proto=ESMTP 
helo=<[192.168.2.11]>
Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 
99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]

I appreciate your help.



No indication that the user authenticated.  When someone 
authenticates you'll get a log line something like
Feb 12 09:24:06 mgate2 postfix/smtpd[93626]: E4E077978A8: 
client=user.example.org[192.168.1.163], sasl_method=CRAM-MD5, 
sasl_username=username


Test your SASL setup as described in
http://www.postfix.org/SASL_README.html#server_test
Make sure you use "smtpd_tls_auth_only = no" so you can test 
unencrypted with telnet.


If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail

  -- Noel Jones
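A way to do the check Noel describes over a whole log file rather than by eye: group smtpd lines per process into sessions and, for every "Relay access denied" reject, report whether that session ever logged a sasl_username. This is an added example, not code from the thread; the log lines are constructed to mirror the ones quoted above, with placeholder hosts, addresses and queue IDs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample modelled on the smtpd lines quoted in this thread.
# Hosts, addresses and the queue ID are placeholders, not real log data.
SAMPLE_LOG = """\
Feb 12 06:02:21 mx1 postfix/smtpd[23305]: connect from client.example.net[192.0.2.10]
Feb 12 06:02:21 mx1 postfix/smtpd[23305]: Anonymous TLS connection established from client.example.net[192.0.2.10]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 06:02:21 mx1 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from client.example.net[192.0.2.10]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<[192.168.2.11]>
Feb 12 06:02:23 mx1 postfix/smtpd[23305]: disconnect from client.example.net[192.0.2.10]
Feb 12 09:24:06 mx1 postfix/smtpd[93626]: connect from user.example.org[192.168.1.163]
Feb 12 09:24:06 mx1 postfix/smtpd[93626]: E4E077978A8: client=user.example.org[192.168.1.163], sasl_method=CRAM-MD5, sasl_username=username
Feb 12 09:24:07 mx1 postfix/smtpd[93626]: disconnect from user.example.org[192.168.1.163]
Feb 12 09:30:00 mx1 postfix/smtpd[23305]: connect from other.example.net[198.51.100.7]
Feb 12 09:30:00 mx1 postfix/smtpd[23305]: 1234567ABC: client=other.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=carol
Feb 12 09:30:01 mx1 postfix/smtpd[23305]: 1234567ABC: reject: RCPT from other.example.net[198.51.100.7]: 554 5.7.1 <x@example.org>: Relay access denied; from=<carol@example.com> to=<x@example.org> proto=ESMTP helo=<other.example.net>
Feb 12 09:30:01 mx1 postfix/smtpd[23305]: disconnect from other.example.net[198.51.100.7]
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Logged once a queue file exists; it is the only proof in the log that the client authenticated.
SASL_RE = re.compile(r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)")
# Before a queue file exists the reject carries NOQUEUE, afterwards the queue ID.
REJECT_RE = re.compile(
    r"^(?:NOQUEUE|[0-9A-F]+): reject: RCPT from (?P<client>\S+): 554 5\.7\.1 <[^>]*>: "
    r"Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


@dataclass
class Session:
    pid: str
    client: str
    sasl_user: str = ""
    relay_rejects: List[Dict[str, str]] = field(default_factory=list)


def _verdict(sess: Session) -> str:
    if not sess.sasl_user:
        return "client never authenticated"     # the situation in this thread: fix the client / SASL setup
    return "authenticated but still denied"     # server side: permit_sasl_authenticated is not being reached


def audit_relay_rejects(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One finding per smtpd session that produced at least one relay reject."""
    sessions: Dict[str, Session] = {}
    findings: List[Dict[str, object]] = []

    def close(sess: Session) -> None:
        if sess.relay_rejects:
            findings.append({
                "pid": sess.pid, "client": sess.client, "sasl_user": sess.sasl_user,
                "rejected": len(sess.relay_rejects), "verdict": _verdict(sess),
            })

    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            if pid in sessions:                  # no disconnect seen: close the stale session
                close(sessions.pop(pid))
            sessions[pid] = Session(pid=pid, client=msg[len("connect from "):])
            continue
        sess = sessions.get(pid)
        if sess is None:
            continue                             # session started before the log window
        sm = SASL_RE.search(msg)
        if sm:
            sess.sasl_user = sm.group("user")
        rm = REJECT_RE.match(msg)
        if rm:
            sess.relay_rejects.append({"sender": rm.group("sender"), "rcpt": rm.group("rcpt")})
        if msg.startswith("disconnect from "):
            close(sessions.pop(pid))
    for sess in sessions.values():               # still open when the log ends
        close(sess)
    return findings


if __name__ == "__main__":
    for f in audit_relay_rejects(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it as `python3 audit.py < /var/log/maillog` style by feeding `sys.stdin` to `audit_relay_rejects` instead of the sample; a session whose finding reads "authenticated but still denied" points at the restriction order on the server, not at the client.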


Re: suitable webmail

2010-02-12 Thread Stan Hoeppner
Thijssen put forth on 2/9/2010 4:19 AM:

> - If they like flashy GUI bullshit like HTML-mail and WYSIWYG
> formatted emails and spam and commerce, then don't use Squirrelmail.
> - If they focuss on actual text content and plaintext emails (the way
> it should be), then squirrelmail is your Number One choice, far
> outweighing all others.
> 
> It's rock stable and top-secure.

Tell me about this "top-secure" aspect of Squirrelmail again. ;)

Received: from mail.afranet.com (mail.afranet.com [80.75.0.13])
by greer.hardwarefreak.com (Postfix) with ESMTP id 1F0AC6C2B9
for ; Thu, 11 Feb 2010 07:02:04 -0600 (CST)
...
Received: from 78.138.3.237
(SquirrelMail authenticated user test)
by mail.afranet.com with HTTP;
...
User-Agent: SquirrelMail/1.4.15
...
To: undisclosed-recipients:;
...
   :::YEAR 2010 E-MAIL AWARDS:::
Dear Winner,
...
CONTACT HIM WITH YOUR DETAILS, FILL Details BELOW;
*** Your Full Name
*** Your Address
*** Your Country
*** Your Phone number
*** Your Age(Date of birth)
*** Your Gender(Male or Female)
*** Your present Occupation
*** Your Micros ID
...

I get phish and 419 from compromised Sqirrelmail servers at least once or twice
a month.  I've yet to receive one from a compromised Roundcube, Horde, or SOGo
server.  Now, in fairness to SM, this probably has as much to do with widespread
implementation and poor administration as it does insecure code.  It appears the
phish sent from the SM server in the example above utilized a test account with
a weak or non-existent password.

Regarding Jose's comments about his web servers constantly being scanned for
Roundcube directories, I see no one else reporting this.  I run a Roundcube
server and see nothing of the sort.  Additionally, scans != compromise or high
potential for compromise.  I see thousands of scans and login attempts on my ssh
and ftp ports monthly.  Does that mean that Proftpd and sshd are automatically
vulnerable?  Because people are scanning them?  You made a pretty weak argument
against Roundcube with that example.

-- 
Stan


Re: Combination of two permissions with AND operator

2010-02-12 Thread Noel Jones

On 2/12/2010 5:27 AM, Неворотин Вадим wrote:

Ok, well, now I have decided not to allow connections that are not from my
internal network. But I was really surprised that I can't fully operate with
the different client identification information.

Where can I write a "feature request"?))) It would be good to add state
values (something like $is_from_mynetwork, $is_sasl_authenticated,
$has_valid_certificate and so on) to the Postfix configuration, and add the
ability to use logical operations with these variables to decide permit,
reject, defer etc.

Something like:

smtpd_recipient_restrictions =
  is_from_mynetwork AND is_sasl_authenticated THEN permit
  reject_unauth_destination



smtpd_sender_restrictions =
  permit_sasl_authenticated
  reject_unauth_destination

smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination

If this is an MSA only, replace reject_unauth_destination with 
reject.



Duh.

 -- Noel Jones



Re: Problem with transport

2010-02-12 Thread Noel Jones

On 2/12/2010 1:41 AM, Patric Falinder wrote:

Hi!

I've got a little problem with my postfix setup. I currently have Postfix,
MySQL, amavisd-maia (Maia Mailguard), spamassassin, f-secure and dovecot
installed.
I have all my users/domains information in the database that are going
to be delivered to my pop3/imap.
But I also want to be some sort of "spamcheck relay" for other servers,
so their mail gets delivered to my server, gets checked for spam and then
I send it on to their mailserver.
I don't know if I should post all my configs here in the mail, because the
mail would get very long, so I will just link to my post on
Linuxquestions.org where I have also posted this problem:
http://www.linuxquestions.org/questions/linux-server-73/postfix-transport-788433/


anyway, I have these two settings:
virtual_transport = virtual
transport_maps = hash:/etc/postfix/transport

in the transport -file I have:

example.com smtp:[smtp.example.com]


but when I get a mail from t...@example.org it checks the database if
the user exists, which it doesn't because I am just gonna spam check it
and send it to the real mailserver.
error message:

Feb 11 11:49:38 example.com postfix/smtpd[24775]: NOQUEUE: reject: RCPT
from blu0-omc2-s8.blu0.hotmail.com[65.55.111.83]: 550 5.1.1
: Recipient address rejected: User unknown in virtual
mailbox table; from= to= proto=ESMTP
helo=

I read this in the postfix doc:
virtual_transport (default: virtual)
The default mail delivery transport and next-hop destination for final
delivery to domains listed with $virtual_mailbox_domains. *This
information can be overruled with the transport(5) table.*

Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
destination is optional; its syntax is documented in the manual page of
the corresponding delivery agent.

but I don't understand what I have to do to make it work.
Can anyone help me with this?

Thanks!




The domain should be listed in relay_domains.  Valid 
recipients should be listed in relay_recipient_maps.  If you 
don't have a list of valid recipients, you can use active 
address verification to verify them during the SMTP transaction.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

It's important to verify the recipients to manage load on your 
computer and to maintain reasonable queue sizes.  It's also 
only a matter of time until you get blacklisted as a 
backscatter source if you don't verify recipients.


  -- Noel Jones


Re: Problem with transport

2010-02-12 Thread Patric Falinder

Wietse Venema skrev:

Patric Falinder:
  
but when I get a mail from t...@example.org it checks the database if 
the user exists, which it doesn't because I am just gonna spam check it 
and send it to the real mailserver.

error message:

Feb 11 11:49:38 example.com postfix/smtpd[24775]: NOQUEUE: reject: RCPT from 
blu0-omc2-s8.blu0.hotmail.com[65.55.111.83]: 550 5.1.1 : Recipient address 
rejected: User unknown in virtual mailbox table; from= 
to= proto=ESMTP helo=




You have mis-configured your virtual_mailbox_maps setting.

It would be a good idea if you take a look at the instructions
in the mailing list welcome message.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.
  

Sorry if I did something wrong in the mailing list.
I attached my output from postfinger and the mysql config for 
virtual_mailbox_maps.
I looked over the documentation for virtual_mailbox_maps and can't 
figure out what I mis-configured..
Do I have to tell it that it should look at what's in the transport file too 
somehow?


I might have missed saying that I use postfixadmin too, so I use the 
database tables that they provide, if that's of any help.


Sorry if I'm annoying in any way, it's just that I really need this to 
work and I can't figure out what I have done wrong..


Thanks!
--System Parameters--
mail_version = 2.5.5
hostname = sexan
uname = Linux sexan 2.6.26-2-amd64 #1 SMP Tue Jan 12 22:12:20 UTC 2010 x86_64 
GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
mailbox_size_limit = 0
mydestination = localhost
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 10.0.0.0/24
myorigin = mydomain.com
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = example.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = 
proxy:mysql:$config_directory/mysql/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /usr/local/vmail
virtual_mailbox_domains = 
proxy:mysql:$config_directory/mysql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = 
proxy:mysql:$config_directory/mysql/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 150
virtual_uid_maps = static:150

--master.cf--
smtp  inet  n   -   -   -   -   smtpd
smtps inet  n   -   -   -   -   smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickupfifo  n   -   -   60  1   pickup
cleanup   unix  n   -   -   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
tlsmgrunix  -   -   -   1000?   1   tlsmgr
rewrite   unix  -   -   -   -   -   trivial-rewrite
bounceunix  -   -   -   -   0   bounce
defer unix  -   -   -   -   0   bounce
trace unix  -   -   -   -   0   bounce
verifyunix  -   -   -   -   1   verify
flush unix  n   -   -   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   -   -   -   smtp
relay unix  -   -   -   -   -   smtp
-o smtp_fallback_relay=
showq unix  n   -   -   -   -   showq
error unix  -   -   -   -   -   error
retry unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   -   -   -   lmtp
anvil unix  -   -   -   -   1   anvil
scacheunix  -   -   -   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp  unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmailunix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n  

Duplicate filtering

2010-02-12 Thread Veikko "Wexi" Skurnik

Hi

I'm having trouble configuring a working duplicate filter for my mail 
server. This simple procmail recipe does the trick:


MAILDIR=/var/vmail

:0 Wh: msgid.lock

| formail -D 8192 .msgid.cache


The question is, is it possible to configure postfix to use procmail as 
a content filter along with ClamAV and then after the filtering, postfix 
gives the messages to Dovecot's deliver for delivery?


I basically want to do this:

Unfiltered mail -> Postfix -> Procmail filter -> ClamAV filter -> 
Postfix -> Dovecot delivery


My mail server is otherwise working fine but I want to eliminate the 
multiple delivery of a message to a virtual user's Maildir that has more 
than one e-mail address.


Any help will be greatly appreciated
Wexi

--
* Veikko "Wexi" Skurnik: +358(44)5288338 *
*  w...@wexin.net   w...@ircnet  *
*   Näyttämönkatu 4 B 12 33720 Tampere   *
*   "Kosminen balanssi ei saa järkkyä"   *



Re: Race condition in postmap?

2010-02-12 Thread Eray Aslan
On 12.02.2010 14:47, Richard Cooper wrote:
> On 12 Feb 2010, at 12:12, Eray Aslan wrote:
>> On 12.02.2010 13:25, Richard Cooper wrote:
>>> Feb 12 00:41:24 mail1 postfix/smtpd[24782]: NOQUEUE: reject: RCPT from 
>>> unknown[111.111.111.111]: 550 5.1.1 : Recipient 
>>> address rejected: User unknown in virtual alias table; 
>>> from= to=< recipi...@example.com > proto=SMTP 
>>> helo=
>>>
>>> This is a very intermittent and short lived error. Emails to 
>>> recipi...@example.com were working before the error and start working again 
>>> a few seconds after it.
>>
>> http://www.postfix.org/DATABASE_README.html#safe_db
> 
> 
> I'm not sure that applies to my case. That page says "If the update fails in 
> the middle [because the disk is full or because something else happens] then 
> you have no usable database, and Postfix will stop working". In my case the 
> update completes without error, correctly writes virtual_aliases.db and 
> postfix continues working. The only visible error is that during the update 
> Postfix "forgets" some of the lookup table for a short period of time.

You might also want to try CDB.  Its updates are atomic.  Recommended
instead of Berkeley DB.

http://www.postfix.org/CDB_README.html

-- 
Eray
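The remedy both replies point at (DATABASE_README's safe update, and CDB's atomic updates) comes down to never rewriting the live .db in place: build the new table under a temporary name in the same directory, then rename it over the old one, so a daemon that opens the table mid-rebuild sees either the complete old file or the complete new one. Below is an added example of that sequence wrapped around postmap(1); it is not code from the thread, and `run_postmap`, `rebuild_map_atomically` and the stub builder used by `demo_with_stub_builder` are names chosen here.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Callable, Dict


def run_postmap(text_file: str) -> None:
    """Default builder: let postmap(1) write text_file.db next to text_file."""
    subprocess.run(["postmap", text_file], check=True)


def rebuild_map_atomically(text_file: str,
                           builder: Callable[[str], None] = run_postmap) -> str:
    """Rebuild text_file.db without ever exposing a half-written table.

    Running `postmap text_file` directly rewrites text_file.db while smtpd
    processes may be reading it, which is the window in which lookups can
    miss.  Here the .db is built under a temporary name and then renamed
    over the live file; rename(2) within one filesystem is atomic.
    """
    tmp_text = text_file + ".tmp"
    tmp_db = tmp_text + ".db"
    live_db = text_file + ".db"
    # Copy into the same directory so the final rename stays on one filesystem.
    shutil.copyfile(text_file, tmp_text)
    try:
        builder(tmp_text)
        if not os.path.exists(tmp_db):
            raise RuntimeError(f"builder produced no {tmp_db}")
        os.replace(tmp_db, live_db)          # atomic swap of the whole table
    finally:
        for leftover in (tmp_text, tmp_db):  # tmp_db only survives a failed swap
            if os.path.exists(leftover):
                os.remove(leftover)
    return live_db


def demo_with_stub_builder() -> Dict[str, object]:
    """Exercise the swap offline with a stub in place of postmap (constructed data)."""
    def stub_builder(path: str) -> None:
        with open(path) as src, open(path + ".db", "w") as dst:
            dst.write("built:" + src.read())

    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "virtual_aliases")
    with open(src, "w") as fh:
        fh.write("recipient@example.com local@example.com\n")
    db = rebuild_map_atomically(src, stub_builder)
    with open(db) as fh:
        content = fh.read()
    leftovers = sorted(n for n in os.listdir(workdir) if n.endswith(".tmp") or n.endswith(".tmp.db"))
    shutil.rmtree(workdir)
    return {"db": db, "expected_db": src + ".db", "content": content, "leftovers": leftovers}


if __name__ == "__main__":
    print(demo_with_stub_builder())
```

With the real builder the call is simply `rebuild_map_atomically("/etc/postfix/virtual_aliases")`; Postfix daemons notice the replaced file and reopen it, so no reload is needed for a plain lookup table.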


Re: Problem with transport

2010-02-12 Thread Wietse Venema
Patric Falinder:
> but when I get a mail from t...@example.org it checks the database if 
> the user exists, which it doesn't because I am just gonna spam check it 
> and send it to the real mailserver.
> error message:
> 
> Feb 11 11:49:38 example.com postfix/smtpd[24775]: NOQUEUE: reject: RCPT from 
> blu0-omc2-s8.blu0.hotmail.com[65.55.111.83]: 550 5.1.1 : 
> Recipient address rejected: User unknown in virtual mailbox table; 
> from= to= proto=ESMTP 
> helo=
> 

You have mis-configured your virtual_mailbox_maps setting.

It would be a good idea if you take a look at the instructions
in the mailing list welcome message.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.


Re: Postfix + Google APPS SMTP relaying issues

2010-02-12 Thread Wietse Venema
> On Thu, Feb 11, 2010 at 7:57 PM, Wietse Venema  wrote:
> > Postfix also logged this message, amidst your verbose logging.
> >
> > Feb 11 18:23:18 nagios postfix/smtp[22560]: warning: SASL 
> > authentication failure: No worthy mechs found
> >
> > For a remedy, see http://www.postfix.org/SASL_README.html
> >
Jay Bendon:
> Thanks Wietse,
> 
> I used what was recommended by the readme and that resulted in the
> same error.  I also tried a few other settings in there and no better
> results.

What did you do? People make mistakes, we can help only if you
show what typos you made.

Where is "postconf -n" output of what you did?

Wietse


Re: 554 5.7.1 relay access denied

2010-02-12 Thread Wietse Venema
Jeff Lacki:
> 
> I'm going out of my mind trying to get relaying working
> for my users who want to use my domain as their smtp
> outgoing server.
> 
> I've set up SASL and TLS successfully (I believe).
> I have the following:
> 
> relay_transport = hash:/etc/postfix/transport
> 
> and in transport I have:
> 
> .mydomain.com :
> 
> I see my test run connecting but then getting denied
> for relaying:
> 
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 
> 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 
> 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection 
> established from 
> 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: SSLv3 with 
> cipher DHE-RSA-AES256-SHA (256/256 bits)
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from 
> 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1 
> : Relay access denied; from= 
> to= proto=ESMTP helo=<[192.168.2.11]>
> Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 
> 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> 
> I appreciate your help.

Then, follow the instructions in the mailing list welcome message.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.


Re: Race condition in postmap?

2010-02-12 Thread Richard Cooper

On 12 Feb 2010, at 12:21, LuKreme wrote:
> On 12-Feb-2010, at 04:25, Richard Cooper wrote:
>> 
>> to=< recipi...@example.com > proto=SMTP helo=
>> 
>> This is a very intermittent and short lived error. Emails to 
>> recipi...@example.com were working before the error and start working again 
>> a few seconds after it.
> 
> The email is not to recipi...@example.com, it is to " recipi...@example.com"

Sorry. That was a typo I introduced while anonymizing. There were no extraneous 
spaces in the original.

- Richard

PS: Apologies to LuKreme for the off-list reply

Re: skipping single restrictions

2010-02-12 Thread Stefan Palme
On Wed, 2010-02-10 at 15:26 -0500, Wietse Venema wrote:
> Stefan Palme:
> > ...
> > For testing purposes, I want to skip the policy service for some
> > recipient addresses, for other recipients I want to skip the spamhaus
> > check, and for a third class of recipients I want to skip both checks.
> 
> See RESTRICTION_CLASS_README for recipient-dependent restrictions.

Thanks to all for their answers, restriction classes solved the issue!

Best regards
-stefan-




Re: Race condition in postmap?

2010-02-12 Thread Richard Cooper

On 12 Feb 2010, at 12:12, Eray Aslan wrote:

> On 12.02.2010 13:25, Richard Cooper wrote:
>> Feb 12 00:41:24 mail1 postfix/smtpd[24782]: NOQUEUE: reject: RCPT from 
>> unknown[111.111.111.111]: 550 5.1.1 : Recipient 
>> address rejected: User unknown in virtual alias table; 
>> from= to=< recipi...@example.com > proto=SMTP 
>> helo=
>> 
>> This is a very intermittent and short lived error. Emails to 
>> recipi...@example.com were working before the error and start working again 
>> a few seconds after it.
> 
> http://www.postfix.org/DATABASE_README.html#safe_db


I'm not sure that applies to my case. That page says "If the update fails in the 
middle [because the disk is full or because something else happens] then you 
have no usable database, and Postfix will stop working". In my case the update 
completes without error, correctly writes virtual_aliases.db and postfix 
continues working. The only visible error is that during the update Postfix 
"forgets" some of the lookup table for a short period of time.

Nonetheless, it's a good suggestion for the next thing for me to test. I will 
give it a try and see if it fixes the problem. Thank you.

- Richard

PS: Apologies to Eray for the off-list reply

Re: Combination of two permissions with AND operator

2010-02-12 Thread Ralf Hildebrandt
* Неворотин Вадим :
> Ok, well, now I have decided not to allow connections that are not from my
> internal network. But I was really surprised that I can't fully operate with
> the different client identification information.
> 
> Where can I write a "feature request"?))) It would be good to add state values
> (something like $is_from_mynetwork, $is_sasl_authenticated,
> $has_valid_certificate and so on) to the Postfix configuration, and add the
> ability to use logical operations with these variables to decide permit,
> reject, defer etc.

Yes, you can do that using a policy_daemon

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de
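What Ralf's policy daemon suggestion and Noel's two-restriction-list answer both aim at, namely "permit only if SASL-authenticated AND presenting a known client certificate", can be expressed directly in a policy service, because Postfix hands the daemon both sasl_username and ccert_fingerprint in one request. Below is an added example (not code from the thread) of such a daemon speaking the SMTPD_POLICY_README protocol; the fingerprint set, the listening port 10040 and the function names are assumptions, and the fingerprint plays the role relay_clientcerts plays for permit_tls_clientcerts.

```python
import socketserver
from typing import Dict, Set

# Fingerprints of client certificates allowed to relay (placeholder value).
# Postfix sends ccert_fingerprint as an empty string when no cert was presented.
ALLOWED_CCERT_FINGERPRINTS: Set[str] = {
    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99",
}


def parse_request(text: str) -> Dict[str, str]:
    """Parse one name=value block as Postfix sends it, ending at the first empty line."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str],
           allowed: Set[str] = ALLOWED_CCERT_FINGERPRINTS) -> str:
    """OK only when both conditions hold; otherwise DUNNO so the next restriction decides."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sasl_ok = bool(attrs.get("sasl_username"))
    fingerprint = attrs.get("ccert_fingerprint", "")
    cert_ok = bool(fingerprint) and fingerprint in allowed
    return "OK" if (sasl_ok and cert_ok) else "DUNNO"


def handle_request(text: str) -> str:
    """Full protocol round trip: attribute block in, 'action=...' plus blank line out."""
    return f"action={decide(parse_request(text))}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix may send several requests over one connection, each ended by an empty line."""

    def handle(self) -> None:
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:                      # Postfix closed the connection
                return
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line == "":
                self.wfile.write(handle_request("\n".join(lines) + "\n").encode())
                self.wfile.flush()
                lines = []
            else:
                lines.append(line)


if __name__ == "__main__":
    # main.cf (assumed placement): smtpd_recipient_restrictions =
    #     check_policy_service inet:127.0.0.1:10040, reject
    # so a DUNNO from this daemon falls through to the final reject.
    with socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```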



Re: Race condition in postmap?

2010-02-12 Thread LuKreme
On 12-Feb-2010, at 04:25, Richard Cooper wrote:
> 
> to=< recipi...@example.com > proto=SMTP helo=
> 
> This is a very intermittent and short lived error. Emails to 
> recipi...@example.com were working before the error and start working again a 
> few seconds after it.

The email is not to recipi...@example.com, it is to " recipi...@example.com"

Didn't we just cover this in the last week?

-- 
"I've just learned about his illness. Let's hope it's nothing 
trivial."  Irvin S. Cobb



Re: Race condition in postmap?

2010-02-12 Thread Eray Aslan
On 12.02.2010 13:25, Richard Cooper wrote:
> Feb 12 00:41:24 mail1 postfix/smtpd[24782]: NOQUEUE: reject: RCPT from 
> unknown[111.111.111.111]: 550 5.1.1 : Recipient 
> address rejected: User unknown in virtual alias table; 
> from= to=< recipi...@example.com > proto=SMTP 
> helo=
> 
> This is a very intermittent and short lived error. Emails to 
> recipi...@example.com were working before the error and start working again a 
> few seconds after it.

http://www.postfix.org/DATABASE_README.html#safe_db

-- 
Eray


Re: Combination of two permissions with AND operator

2010-02-12 Thread Неворотин Вадим
Ok, well, now I have decided not to allow connections that are not from my
internal network. But I was really surprised that I can't fully operate with
the different client identification information.

Where can I write a "feature request"?))) It would be good to add state values
(something like $is_from_mynetwork, $is_sasl_authenticated,
$has_valid_certificate and so on) to the Postfix configuration, and add the
ability to use logical operations with these variables to decide permit,
reject, defer etc.

Something like:

smtpd_recipient_restrictions =
 is_from_mynetwork AND is_sasl_authenticated THEN permit
 reject_unauth_destination



2010/2/12 Ralf Hildebrandt 

> * Ralf Hildebrandt :
> > * Неворотин Вадим :
> > > Mmm... Unfortunately, I can't understand how to combine
> > > permit_sasl_authenticated and permit_tls_clientcerts with access_maps.
> >
> > You can't, since both return PERMIT
>
> One idea would be to use a policy daemon. The daemon can retrieve
> authentication and SSL info from postfix
>
> --
> Ralf Hildebrandt
>  Geschäftsbereich IT | Abteilung Netzwerk
>  Charité - Universitätsmedizin Berlin
>  Campus Benjamin Franklin
>  Hindenburgdamm 30 | D-12203 Berlin
>  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>  ralf.hildebra...@charite.de | http://www.charite.de
>
>


Race condition in postmap?

2010-02-12 Thread Richard Cooper
Hi All,

I'm using postfix as an MX server which delivers email to the final recipient 
using virtual aliases. The version number according to rpm is 
postfix-2.3.3-2.1.el5_2, which is the version supplied in the main 
CentOS5 yum repositories. This is working perfectly except for one problem. 
Occasionally postfix will reject an email with the following error:

Feb 12 00:41:24 mail1 postfix/smtpd[24782]: NOQUEUE: reject: RCPT from 
unknown[111.111.111.111]: 550 5.1.1 : Recipient address 
rejected: User unknown in virtual alias table; from= to=< 
recipi...@example.com > proto=SMTP helo=

This is a very intermittent and short lived error. Emails to 
recipi...@example.com were working before the error and start working again a 
few seconds after it.

Based on my debugging it seems that this error is related to me running postmap 
to rebuild the virtual_alias table. This is despite the fact that the 
recipi...@example.com address is correctly configured in both the old and new 
virtual_aliases. Here is a log of what was happening at the same time as the 
above error:

2010-02-12 00:40:39,345 - 24597 - DEBUG - Writing virtual_aliases and 
virtual_domains
2010-02-12 00:41:20,496 - 24597 - DEBUG - Done writing virtual_aliases and 
virtual_domains.
2010-02-12 00:41:20,506 - 24597 - DEBUG - Running postmap virtual_domains.
2010-02-12 00:41:23,555 - 24597 - DEBUG - Done running postmap virtual_domains.
2010-02-12 00:41:23,556 - 24597 - DEBUG - Running postmap virtual_aliases.
2010-02-12 00:41:24,107 - 24597 - DEBUG - Done running postmap virtual_aliases.

Maillog doesn't have millisecond precision so I can't see exactly when the 
"User unknown in virtual alias table" error was logged but it happens either 
while "postmap virtual_aliases" is running or very shortly (within a second) 
afterwards. The same pattern repeats itself in other cases of the same error. 
The error always seems to happen within a second or so of "postmap 
virtual_aliases" finishing.

So my questions are:

1. Does my analysis seem correct?
2. Is this a known problem? Are there any known race conditions in reloading 
the virtual aliases config by running "postmap virtual_aliases"?
3. Is there any way I can fix or work around this problem? Would upgrading help?
4. If I switched to using a SQL or LDAP backend for the table lookups, would 
this problem go away?

Thanks in advance,

- Richard

Re: Combination of two permissions with AND operator

2010-02-12 Thread Ralf Hildebrandt
* Ralf Hildebrandt :
> * Неворотин Вадим :
> > Mmm... Unfortunately, I can't understand how to combine
> > permit_sasl_authenticated and permit_tls_clientcerts with access_maps.
> 
> You can't, since both return PERMIT

One idea would be to use a policy daemon. The daemon can retrieve
authentication and SSL info from postfix

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Combination of two permissions with AND operator

2010-02-12 Thread Ralf Hildebrandt
* Неворотин Вадим :
> Mmm... Unfortunately, I can't understand how to combine
> permit_sasl_authenticated and permit_tls_clientcerts with access_maps.

You can't, since both return PERMIT

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Combination of two permissions with AND operator

2010-02-12 Thread Неворотин Вадим
Mmm... Unfortunately, I can't understand how to combine
permit_sasl_authenticated and permit_tls_clientcerts with access_maps.
Because these maps look like "client - action", but I can't write in the client
field something like "sasl_authenticated"

2010/2/12 Ralf Hildebrandt 

> * Неворотин Вадим :
>
> > Cool)) But then how to combine permit_sasl_authenticated and
> > permit_tls_clientcerts? The purpose is to allow sending mail only for users
> > with a valid certificate and a valid login+password)))
>
> Phew. Dunno.
>
> --
> Ralf Hildebrandt
>  Geschäftsbereich IT | Abteilung Netzwerk
>  Charité - Universitätsmedizin Berlin
>  Campus Benjamin Franklin
>  Hindenburgdamm 30 | D-12203 Berlin
>  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>  ralf.hildebra...@charite.de | http://www.charite.de
>
>


Re: Combination of two permissions with AND operator

2010-02-12 Thread Ralf Hildebrandt
* Неворотин Вадим :

> Cool)) But then how to combine permit_sasl_authenticated and
> permit_tls_clientcerts? The purpose is to allow sending mail only for users
> with a valid certificate and a valid login+password)))

Phew. Dunno.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Combination of two permissions with AND operator

2010-02-12 Thread Неворотин Вадим
Cool)) But then how to combine permit_sasl_authenticated and
permit_tls_clientcerts? The purpose is to allow sending mail only for users
with a valid certificate and a valid login+password)))

2010/2/12 Ralf Hildebrandt 

> * Ralf Hildebrandt :
>
> > You need restriction classes for that :)
>
> I suck. I left out the restriction classes...
>
> > > smtp_recipient_restriction =
> > >   permit_mynetworks
> > >   permit_sasl_authenticated
> >
> > smtpd_recipient_restriction =
> >check_client_access hash:/etc/postfix/mynetworks
> >reject
>
> It's
> smtpd_recipient_restrictions =
>check_client_access hash:/etc/postfix/mynetworks
>   reject
>
> > in  /etc/postfix/mynetworks you have:
> > 10.0.0.1  permit_sasl_authenticated
>
> --
> Ralf Hildebrandt
>  Geschäftsbereich IT | Abteilung Netzwerk
>  Charité - Universitätsmedizin Berlin
>  Campus Benjamin Franklin
>  Hindenburgdamm 30 | D-12203 Berlin
>  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>  ralf.hildebra...@charite.de | http://www.charite.de
>
>


Re: Combination of two permissions with AND operator

2010-02-12 Thread Ralf Hildebrandt
* Ralf Hildebrandt :

> You need restriction classes for that :)

I suck. I left out the restriction classes...

> > smtp_recipient_restriction =
> >   permit_mynetworks
> >   permit_sasl_authenticated
> 
> smtpd_recipient_restriction =
>check_client_access hash:/etc/postfix/mynetworks
>reject

It's 
smtpd_recipient_restrictions =
   check_client_access hash:/etc/postfix/mynetworks
   reject

> in  /etc/postfix/mynetworks you have:
> 10.0.0.1  permit_sasl_authenticated

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Combination of two permissions with AND operator

2010-02-12 Thread Ralf Hildebrandt
* Неворотин Вадим :

> I need to allow sending mail through my Postfix SMTP server only for
> users from mynetwork with valid SMTP authentication. But I can't
> understand how to combine two permissions in smtp_recipient_restriction
> options: permit_mynetworks and permit_sasl_authenticated.

You need restriction classes for that :)

> smtp_recipient_restriction =
>   permit_mynetworks
>   permit_sasl_authenticated

smtpd_recipient_restriction =
   check_client_access hash:/etc/postfix/mynetworks
   reject
   
in  /etc/postfix/mynetworks you have:
10.0.0.1  permit_sasl_authenticated

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de