whitelist for smtp_recipient_restrictions

2010-03-25 Thread Schwalbe, Oliver
Hi community,
 
in the last time i have some problems with smtp-senders who are blocked by 
dnsbl-lists like
uceprotect.net. The owner of the mailservers assured me not to generate and 
send any SPAM.
How can i implement a whitelist for some friendly senderdomains to bypass the 
reject_rbl_client rule?
 
Here my smtp_recipient_restrictions entries:
 
smtp_recipient_restrictions=permit_mynetworks,
 reject_invalid_hostname,
 reject_non_fqdn_hostname,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_unauth_pipelining,
 reject_unauth_destination,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client dnsbl.njabl.org,
 reject_rbl_client dnsbl-1.uceprotect.net
 permit
 
 
Thanks for help!
 
Oliver
 
 

 
 


Re: whitelist for smtp_recipient_restrictions

2010-03-25 Thread Ralf Hildebrandt
* Schwalbe, Oliver oliver.schwa...@schnellecke.com:
 Hi community,
  
 in the last time i have some problems with smtp-senders who are blocked
 by dnsbl-lists like uceprotect.net.
 The owner of the mailservers assured me not to generate and send any
 SPAM. How can i implement a whitelist for some friendly senderdomains
 to bypass the reject_rbl_client rule?
  
 Here my smtp_recipient_restrictions entries:
  
 smtp_recipient_restrictions=permit_mynetworks,
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_unauth_pipelining,
  reject_unauth_destination,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client dnsbl.njabl.org,

check_client_access hash:/etc/postfix/whitelist

  reject_rbl_client dnsbl-1.uceprotect.net
  permit

with:

IP OK

Or rather remove dnsbl-1.uceprotect.net, since they really suck.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de
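
Added example, not part of the reply above and not Postfix code: a simplified Python model of first-match restriction evaluation, showing why the position of check_client_access in the list matters. The client addresses, DNSBL listings and relay domain are constructed sample data, and `evaluate` and `lint` are hypothetical helper names.

```python
# Simplified model of how a Postfix restriction list is walked: the first
# restriction that yields OK or REJECT ends the evaluation for that recipient.
# Everything below is constructed sample data (documentation address ranges).

WHITELIST = {"192.0.2.10"}          # access map line: "192.0.2.10 OK"
DNSBL_LISTED = {                    # client IPs each list would return a hit for
    "zen.spamhaus.org": set(),
    "dnsbl-1.uceprotect.net": {"192.0.2.10", "198.51.100.7"},
}
RELAY_DOMAINS = {"example.com"}     # domains this server accepts mail for

WL = "check_client_access hash:/etc/postfix/whitelist"
UCE = "reject_rbl_client dnsbl-1.uceprotect.net"
ZEN = "reject_rbl_client zen.spamhaus.org"

# Order from the reply: whitelist after reject_unauth_destination, before the
# one list it is meant to bypass.
AS_SUGGESTED = ["permit_mynetworks", "reject_unauth_destination", ZEN, WL, UCE, "permit"]
TOO_LATE = ["permit_mynetworks", "reject_unauth_destination", ZEN, UCE, WL, "permit"]
TOO_EARLY = ["permit_mynetworks", WL, "reject_unauth_destination", ZEN, UCE, "permit"]


def evaluate(restrictions, client_ip, rcpt_domain):
    """Return (action, deciding_restriction) for one RCPT TO command."""
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "check_client_access" and client_ip in WHITELIST:
            return "OK", item
        if name == "reject_rbl_client" and client_ip in DNSBL_LISTED.get(arg, ()):
            return "REJECT", item
        if name == "reject_unauth_destination" and rcpt_domain not in RELAY_DOMAINS:
            return "REJECT", item
        if name == "permit":
            return "OK", item
        # Restrictions not modelled here give no decision; keep walking.
    return "OK", "end of list"


def lint(restrictions):
    """Flag whitelist placements that are unsafe or have no effect."""
    names = [r.split(" ")[0] for r in restrictions]
    problems = []
    if "check_client_access" in names:
        pos = names.index("check_client_access")
        if "reject_unauth_destination" not in names[:pos]:
            problems.append("whitelist precedes reject_unauth_destination: "
                            "an OK lets listed clients relay to any domain")
        if "reject_rbl_client" not in names[pos + 1:]:
            problems.append("whitelist follows every reject_rbl_client: "
                            "it bypasses none of them")
    return problems


if __name__ == "__main__":
    for label, order in [("as suggested", AS_SUGGESTED),
                         ("too late", TOO_LATE),
                         ("too early", TOO_EARLY)]:
        print(label, evaluate(order, "192.0.2.10", "example.com"), lint(order))
```

An OK from an access map ends the whole restriction list, so the whitelisted client also skips every check that follows it, not only the uceprotect lookup.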



Postfix-2.7.0: wlgiv...@other.host loop!!!

2010-03-25 Thread Will L Givens
I have been messing with this for far more time than I should to do
something so simple! I've run postfix in the past and have never run into
anything like this. Basically it is this, I wanted to create an alias,
wlgivens, to direct all email to wlgiv...@domain.net to wi...@domain.net.
Simple? You would think so.

After getting everything set up, I edited my /etc/postfix/alias file and
added wlgivens:willi, generated a new hash file using postalias
and 'thought' everything was fine. I logged into my webmail account and
attempted to send an email to wlgiv...@domain.net and promptly started
receiving the following error:

Mar 25 01:49:33 jericho postfix/smtp[7854]: 31366AFDB18:
to=wlgiv...@other.host, orig_to=wi...@domain.net, relay=none,
delay=170354, delays=170332/0.07/21/0, dsn=4.4.1, status=deferred (connect
to other.host[24.28.193.9]:25: Connection timed out)
Mar 25 01:49:34 jericho postfix/smtp[7852]: connect to
other.host[24.28.193.9]:25: Connection timed out
Mar 25 01:49:34 jericho postfix/smtp[7852]: 54014AFDB33:
to=wlgiv...@other.host, orig_to=wi...@domain.net, relay=none,
delay=169581, delays=169559/0.05/21/0, dsn=4.4.1, status=deferred (connect
to other.host[24.28.193.9]:25: Connection timed out)

**NOTE: 24.28.193.9 is the ip that it resolves the domain 'other.host' to,
it's a default RoadRunner ip. From the looks of things, it appears that it
believes other.host is my MX or relay server.

I logged into a linux help group and was told that I need to set up a file,
/etc/postfix/virtual, containing wlgiv...@domain.net willi and then
run postmap to generate a virtual.db file. I also needed to create a file,
mydomain, containing the line domain.net OK... which I also did.

I was also instructed to edit my main.cf and add the following lines:
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_database = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/mydomains

Now after reloading postfix, I get the SAME error after sending another test
email and now YAHOO black listed me with a 553 open relay error! It's not an
open relay.

RECAP: Can't send email to an aliased name, wlgivens, and have it direct it
to user willi. The root aliasing works ( root  willi) btw.

/*Build Options*/
make MANPATH=/usr/share/man \
 CC=gcc-4.3.4 CXX=g++-4.3.4 \
 CFLAGS+=-O3 -finline -fstrict-aliasing -mtune=ev67 -pipe -w -mieee \
 -DNO_EPOLL -I. -I../../include -DLINUX2


/* FILES */
./          bounce.cf.default  makedefs.out         relocated
../         canonical          master.cf            TLS_LICENSE
access      generic            mydomains            transport
access.db   header_checks      mydomains.db         transport.db
aliases     LICENSE            POSTFIX_CONFIG       virtual
aliases.db  main.cf            relay_recipients     virtual.db
bounce.cf   main.cf.default    relay_recipients.db

/* POSTFIX CONFIG */
r...@jericho:postfix - postconf -n
alias_database = dbm:/etc/postfix/aliases.db
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 20
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = unix:passwd.byname $alias_maps
luser_relay = $mail...@$mydomain
mail_owner = postfix
mailbox_command = /usr/bin/procmail -f- -a $USER
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.net
mynetworks = 192.168.0.0/24, 127.0.0.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
soft_bounce = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/mydomains
virtual_alias_maps = hash:/etc/postfix/virtual






reject forged emails

2010-03-25 Thread Frank Bonnet

Hello

Is there a possibility to reject that kind of forged email

I have one domain, say domain.com and I want to reject emails
that pretend to be sent from domain.com
but are NOT into our IP range say 123.123.0.0/16

Thank you




RE: reject forged emails

2010-03-25 Thread Terry Gilsenan


Sent from my HTC

-Original Message-
From: Frank Bonnet f.bon...@esiee.fr
Sent: Thursday, 25 March 2010 6:22 PM
To: postfix-users@postfix.org postfix-users@postfix.org
Subject: reject forged emails

Hello

Is there a possibility to reject that kind of forged email

I have one domain, say domain.com and I want to reject emails
that pretend to be sent from domain.com
but are NOT into our IP range say 123.123.0.0/16

Thank you

Hi, use spf for this
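
Added example, not part of the thread: what the SPF suggestion amounts to for the domain and address range named in the question. The record text, the client addresses and the function names are assumptions; only the ip4, ip6 and all mechanisms are modelled, because the other mechanisms need DNS lookups.

```python
import ipaddress

# Constructed stand-in for the DNS TXT lookup a receiving server would do.
PUBLISHED = {"domain.com": "v=spf1 ip4:123.123.0.0/16 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF record made of ip4/ip6/all terms for one client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]   # matches every client
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                       # no match, try the next term
        raise ValueError("mechanism not modelled here: " + mechanism)
    return "neutral"                       # nothing matched


def reject_forged(envelope_sender, client_ip):
    """True when the sender domain's policy says this client must be refused.

    SPF covers the envelope sender (MAIL FROM) only; a forged From: header
    with a different envelope sender is not caught by this check.
    """
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = PUBLISHED.get(domain, "")
    return check_spf(record, client_ip) == "fail"


if __name__ == "__main__":
    for ip in ("123.123.45.6", "203.0.113.9"):
        print(ip, check_spf(PUBLISHED["domain.com"], ip),
              reject_forged("someone@domain.com", ip))
```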


Re: reject forged emails

2010-03-25 Thread Ralf Hildebrandt
* Frank Bonnet f.bon...@esiee.fr:
 Hello
 
 Is there a possibility to reject that kind of forged email
 
 I have one domain, say domain.com and I want to reject emails
 that pretend to be sent from domain.com
 but are NOT into our IP range say 123.123.0.0/16

http://www.arschkrebs.de/postfix/postfix_incoming.shtml

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: new cipher in OpenSSL, need to rebuild Postfix?

2010-03-25 Thread Gregory BELLIER



Victor Duchovni wrote:

On Wed, Mar 24, 2010 at 11:09:44AM +0100, Gregory BELLIER wrote:

  
if I copy an existing cipher in OpenSSL and rename it, it will act as if it 
is a new cipher.



On the wire SSL ciphers have numeric ids, not names. If you rename
a cipher, it just changes how it is displayed in logs. Renaming ciphers
is fairly pointless and counter-productive. Why would you do this?
  
Yes, renaming and changing the OID. Yes, it's useless but I want to 
learn. Therefore, I do useless stuff.
  
Would I need to build postfix against this new OpenSSL to be able to use 
the new cipher?



What new cipher? I thought you were just renaming an existing cipher.
  

Inserting a new one. It's just a copy with a new name and a new OID.

And who else would implement your new cipher to inter-operate with
your Postfix?
  

No one.
  
How does the TLS negotiation work ? I guess it is done by Postfix which 
asks OpenSSL what ciphers are supported and depending on the negotiation, 
Postfix stores the cipher's OID selected.



At this point, you really need to step back, take a deep breath, and
use OpenSSL as-is.
  

As I said, it's to learn. If I do nothing then it's pointless.

What I ask is not your point on if it's relevant to do it or not because 
we all know it's not.





Re: new cipher in OpenSSL, need to rebuild Postfix?

2010-03-25 Thread Gregory BELLIER



mouss wrote:

$ ldd /usr/local/libexec/postfix/smtpd
/usr/local/libexec/postfix/smtpd:
...
libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2810a000)
libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x2815)
...

if you rebuild openssl but provide the same ABI, then it's ok. If you
can't, then you'll need to rebuild.

This is not a postfix related issue.
  

Alright, thanks.




Re: new cipher in OpenSSL, need to rebuild Postfix?

2010-03-25 Thread Wietse Venema
Gregory BELLIER:
  At this point, you really need to step back, take a deep breath, and
  use OpenSSL as-is.

 As I said, it's to learn. If I do nothing then it's pointless.
 
 What I ask is not your point on if it's relevant to do it or not because 
 we all know it's not.

With intense effort, the Postfix warranty and support cover the
official OpenSSL API.

A library or system API is like a contract.

- If Postfix violates a library or system API, it's our bug and we
  fix Postfix.

- If a library or system implementation violates the API, it is
  their bug and they fix it. We sometimes provide workarounds.

I provide no Postfix warranty and support for unofficial modifications
to system or library APIs. I encourage my developers to do the same.

Wietse


Re: Greylist server recommendations?

2010-03-25 Thread Nikolai K. Bochev
I provided a reply with info on the setup i use it in. While i do realize that 
it is far from big, it certainly proves that policydv2 is stable enough to be 
used in medium or large deployments and it does work and scale good enough.

What i don't get is why does it bother you mentioning v2. v1 won't be developed 
any further. Yea i know it works, our older setups use it and still do, without 
any problem for years, but you could be using qmail instead of postfix for the 
same reason.

As far as the naming goes, it's up to the author to decide that.

- mouss mo...@ml.netoyen.net wrote:

 Nikolai K. Bochev wrote:


 please do not top post.

 my point is what I said: v2 has nothing to do with v1. it's the same
 name but it's not the same program. if you have something to say about
 this, feel free to express yourself... Until then,

 - v1 is a single threaded C program. v2 is a complete rewrite in perl.
 it has absolutely nothing to do with v1

 - v1 was used in a large ISP setup. I have no information about v2 being
 used anywhere

 ...

 using the same name for two different solutions is not honest.

-- 


Nikolai K. Bochev 
System Administrator 





Directing SPAM mail to a Junk Folder

2010-03-25 Thread Chaminda Indrajith

Dear All,

I need to put the SPAM mails into users' Junk Mail folder. How can we 
do it in Postfix?


Mails are stored in Maildir format in the user's home directory. Junk 
mail folder is inside the Maildir as .Junk. Amavisd-new tags the 
spam mails as [SPAM]


Highly appreciate your help in this regard.

Thanks
Indrajith


Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread Ansgar Wiechers
On 2010-03-25 Chaminda Indrajith wrote:
 I need to put the SPAM mails into users' Junk Mail folder. How can we
 do it in Postfix?

You can't. Postfix does not know (or care) about the inner workings of a
user's mailbox.

 Mails are stored in Maildir format in the user's home directory. Junk
 mail folder is inside the Maildir as .Junk. Amavisd-new tags the
 spam mails as [SPAM]

Configure either the MDA or the user's MUA to put tagged mail into the
Junk folder.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread Erik Logtenberg
The (imho) nicest solution is to use an LDA which supports sieve. Then
write a small sieve script to move spam to the junk folder. You can use
sieve for all other kinds of mail-sorting as well. Most popular LDA's
support sieve.

Ansgar Wiechers wrote:
 On 2010-03-25 Chaminda Indrajith wrote:
 I need to put the SPAM mails into users' Junk Mail folder. How can we
 do it in Postfix?
 
 You can't. Postfix does not know (or care) about the inner workings of a
 user's mailbox.
 
 Mails are stored in Maildir format in the user's home directory. Junk
 mail folder is inside the Maildir as .Junk. Amavisd-new tags the
 spam mails as [SPAM]
 
 Configure either the MDA or the user's MUA to put tagged mail into the
 Junk folder.
 
 Regards
 Ansgar Wiechers



Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread Miles Fidelman

Chaminda Indrajith wrote:

Dear All,

I need to put the SPAM mails into users' Junk Mail folder. How can we 
do it in Postfix?


Mails are stored in Maildir format in the user's home directory. Junk 
mail folder is inside the Maildir as .Junk. Amavisd-new tags the 
spam mails as [SPAM]

1. install procmail
2. configure postfix to use procmail as your local delivery agent
3. configure procmail to route spam to the junk folder - can be 
configured system wide and/or per-user


http://en.wikipedia.org/wiki/Procmail is as good a place as any to start 
for more info

google procmail to find lots of how-to.s


In theory, there is no difference between theory and practice.
Infnord  practice, there is.    Yogi Berra
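
Added example, not from any of the posts: the rule an MDA applies in step 3, written as a small Python delivery filter over the Maildir layout described in the question (Junk folder stored as .Junk, spam marked with a [SPAM] Subject tag). The function names and the messages used to exercise it are constructed.

```python
import email
import mailbox
import sys

SPAM_TAG = "[SPAM]"     # Subject tag added by amavisd-new, as stated in the thread
JUNK_FOLDER = "Junk"    # Maildir++ folder, stored on disk as <Maildir>/.Junk


def is_tagged_spam(raw_message: bytes) -> bool:
    """True when the Subject header (not the body) starts with the spam tag."""
    subject = email.message_from_bytes(raw_message).get("Subject", "")
    return str(subject).lstrip().startswith(SPAM_TAG)


def deliver(raw_message: bytes, maildir_path: str) -> str:
    """File one message and return the folder it went to: "Junk" or "INBOX"."""
    # create=True only builds cur/new/tmp when maildir_path does not exist yet;
    # an existing Maildir is opened as it is.
    inbox = mailbox.Maildir(maildir_path, create=True)
    if not is_tagged_spam(raw_message):
        inbox.add(raw_message)
        return "INBOX"
    if JUNK_FOLDER in inbox.list_folders():
        junk = inbox.get_folder(JUNK_FOLDER)
    else:
        junk = inbox.add_folder(JUNK_FOLDER)   # creates .Junk/{cur,new,tmp}
    junk.add(raw_message)
    return JUNK_FOLDER


if __name__ == "__main__":
    # Usage as a pipe target: the message on stdin, the Maildir path as argument.
    print(deliver(sys.stdin.buffer.read(), sys.argv[1]))
```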




Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread DUBOURG Kevin

Hello,

I use maildrop package to replace virtual. In your email directory
/home/email for example you put this :

Filename = .mailfilter

# move spam to spamfolder
##
SPAMFLD=$DEFAULT/.Junk/
SUBSCRIPT=$DEFAULT/courierimapsubscribed

# test if Junk folder exists, if not create one
# autosubscribe to the Junk folder
`test -d $SPAMFLD`
if( $RETURNCODE == 1 )
{
 `maildirmake $SPAMFLD`
 `echo INBOX.Junk >> $SUBSCRIPT`
}

Before, you have to configure postfix to deliver email with maildrop.
http://www.postfix.org/MAILDROP_README.html

For me it's the best solution. (i use amavis also).

Regards,

On Thu, 25 Mar 2010 08:10:37 -0400, Miles Fidelman wrote:
 Chaminda Indrajith wrote:
 Dear All,

 I need to put the SPAM mails into users' Junk Mail folder. How can we
 do it in Postfix?

 Mails are stored in Maildir format in the user's home directory. Junk
 mail folder is inside the Maildir as .Junk. Amavisd-new tags the
 spam mails as [SPAM]

 1. install procmail
 2. configure postfix to use procmail as your local delivery agent
 3. configure procmail to route spam to the junk folder - can be
 configured system wide and/or per-user

 http://en.wikipedia.org/wiki/Procmail is as good a place as any to start
 for more info

 google procmail to find lots of how-to.s

 In theory, there is no difference between theory and practice.
 In practice, there is.  Yogi Berra


Exchange ActiveSync account

2010-03-25 Thread Jack Raats
Hi,

I have an Exchange ActiveSync account and I would like to get this mail on my 
freebsd 7.3-stable server.
I don't have an imap or pop account, only the information of the activesync 
account.

Can anyone give me a clue how to achieve this?

Thanks for your time!

Jack Raats

Sending email from a pool of IP addresses

2010-03-25 Thread David Michard
Hello,

I know this question has been discussed on this list* but no suitable
solution was provided for our SMTP server settings.
A patch** is published but reports on this list say that it does not work.

I am responsible for a medium sized mailing-list, through which one
email is sent per day to roughly 600 000 subscribers. Since our
mailing list is growing, we are having more and more problems with
very conservative SMTP servers enforcing a low number of simultaneous
connections from a single IP address. Our subscribers wish to receive
their email as soon as possible so delaying the email for a few hours
is not an option.
I was thinking of allocating 4 IP aliases for our SMTP server so that
connections would appear to come from different servers. The goal is
not to flood*** the target server as our own postfix server has its
own limit to the number of simultaneous active connections, set to 30
connections.

The application uses the sendmail binary to send email, and not SMTP.
One email is sent per subscriber and signed with dkimproxy plugged
onto the pickup daemon.
Each email is always sent from the same nore...@mydomain.org address.

Is it possible to tell postfix to randomly select an IP address, and
associated hostname (as many smtp servers perform RDNS lookups and
compare it to the HELO/EHLO greeting) when sending an email ?
That would be very helpful.

Regards,
David.

(*) http://www.mail-archive.com/postfix-users@postfix.org/msg18400.html
 http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57399.html
(**) http://denixsolutions.com/Scripts/Postfix-Multiple-Interfaces-Patch
(***)  At this stage I feel it is necessary to stress that the
mailing-list is not for profit and that we take every step to make
sure that subscribers who change their mind are unsubscribed as soon
as possible. We use confirmed opt-in (aka double opt-in) for
subscription, simplified unsubscription, every RFC compliant headers
required for bulk emailing, VERP, SPF, DKIM, complaint feedback loop
with ARF with most providers etc in order to maintain a high
deliverability ratio. I am not willing to give the name of the
organisation so you will have to take my word for it.


Re: question about MX records and postfix (repost)

2010-03-25 Thread Daniel L'Hommedieu
On Mar 24, 2010, at 17:14, Wietse Venema wrote:
 Daniel L'Hommedieu:
 If all you want is treat anything.example.com as example.com, use: 
 
 /etc/postfix/main.cf:
 mydestination = localhost example.com pcre:/etc/postfix/mydestination.pcre
 
 /etc/postfix/mydestination.pcre:
 /\.example\.com$/ whatever
 
 Where whatever may be any non-empty value.
 
 By design, Postfix *internals* do not depend on DNS, so that Postfix 
 keeps working when the network is down.
 
 Wietse,
 
 I think this is the piece I was missing.  My hosts are named as
 hostname.department.example.com.  I am building a mail catcher
 for my department, so I want my Postfix to accept mail for
 *...@*.department.example.com, and this PCRE is exactly what I was
 missing.  As I mentioned, I figured it had to be something simple.
 
 More specifically, what I want is something that will catch
 r...@*.department.example.com, so that the guy who runs the
 corporate mail server doesn't get frustrated with the double-bounces
 that my department's applications generate.  If I can stay off of
 his radar, I am doing good, and this mail catcher will help me do
 that.
 
 To fix the problem at its root, configure the machines so they
 send mail as u...@example.com not u...@host.example.com.


Wietse,

Thanks for the suggestion, but for reasons I'm not going to bother getting into 
here, this is not a practical solution for us.

My real reason for writing again is to ask about PCRE support in Postfix.  I 
have read the short PCRE README at http://www.postfix.org/PCRE_README.html, but 
it doesn't specifically answer this question, or maybe I am not understanding 
it: is PCRE supported (in Postfix) anywhere that a map would be used?  I'm 
guessing that it is, but I am having trouble finding documentation of that.

Thanks.

Daniel

Re: Relaying and backskatter problem

2010-03-25 Thread Randy

Stan Hoeppner wrote:

Randy put forth on 3/24/2010 3:55 PM:

  

dig -x 208.43.143.111
;; ANSWER SECTION:
111.143.43.208.in-addr.arpa. 3600 IN PTR 208.43.143.111-static.reverse.softlayer.com.



Your problem isn't the Exchange server per se.  Your problem is that you're
forwarding spam to it, and its anti-spam software is better than that on
your Postfix server, which causes the backscatter.  Almost any mail coming
to you from Softlayer IP space is going to be spam, most likely snowshoe.
Softlayer is a generic ISP/COLO outfit with tons of resellers and terrible
(non existent) customer vetting.  They have few, if any, legit email sending
customers.  As you can see I've extensively SMTP blocked Softlayer over the
years.  I suggest you do the same.

# Softlayer, Dallas 10/10/2008
66.228.112.0/20 REJECT
67.228.0.0/16   REJECT
74.86.0.0/16    REJECT
208.43.0.0/16   REJECT
174.36.0.0/15   REJECT
75.126.0.0/16   REJECT
173.192.0.0/15  REJECT

Beef up the anti spam capabilities on your Postfix server and this problem
will go away.  Either that or tell the Exchange admin to silently
drop/discard/eat the spam instead of rejecting it back upstream.  The former
is the preferable route, the latter the lazy route.

  
Agreed that most if not all is spam, however, I do not want to accept 
the mail period much less accept it, then scan/mark it and then drop 
it. The reason I mark spam then drop into a specified users folder is so 
that a user can review as needed. In fact, we send out reminders to users 
to look through their spam folders for these false positives. Also, it 
appears that exchange is rejecting the mail and not accepting, scanning 
then bouncing. It appears that exchange uses some other criteria to 
check sender domain or that it does additional checks and simply 
rejects with that message. I do realize that I could set up something 
where we accept the mail to these domains, scan it then drop the email 
if it is tagged as spam. What about the mail that passes the content 
scanning? And what happens when this particular mail gets through and 
they send 1 million. Is it not better to drop reject mail at the smtpd 
level which would free resources and not allow specifically crafted mail 
to even enter the content filter?


I think I have come to the conclusion that I need to contact their ISP 
and ask that they turn these checks off and allow us to filter as 
necessary. However, I would still like to reject before we send it over 
to the spam software as it appears exchange has the means to catch these 
and postfix does not or I cannot find a setting.


Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread Chaminda Indrajith

Dear All,
Thank you very much for the immediate responses for all you guys...
I will try all of these options and let you know the progress.

Thanks and Regards
Indrajith

On Thu, 25 Mar 2010 13:37:19 +0100
 DUBOURG Kevin ke...@dubourg.info wrote:


Hello,

I use maildrop package to replace virtual. In your email directory
/home/email for example you put this :

Filename = .mailfilter

# move spam to spamfolder
##
SPAMFLD=$DEFAULT/.Junk/
SUBSCRIPT=$DEFAULT/courierimapsubscribed

# test if Junk folder exists, if not create one
# autosubscribe to the Junk folder
`test -d $SPAMFLD`
if( $RETURNCODE == 1 )
{
`maildirmake $SPAMFLD`
`echo INBOX.Junk >> $SUBSCRIPT`
}

Before, you have to configure postfix to deliver email with maildrop.
http://www.postfix.org/MAILDROP_README.html

For me it's the best solution. (i use amavis also).

Regards,

On Thu, 25 Mar 2010 08:10:37 -0400, Miles Fidelman wrote:

Chaminda Indrajith wrote:

Dear All,

I need to put the SPAM mails into users' Junk Mail folder. How can we
do it in Postfix?

Mails are stored in Maildir format in the user's home directory. Junk
mail folder is inside the Maildir as .Junk. Amavisd-new tags the
spam mails as [SPAM]

1. install procmail
2. configure postfix to use procmail as your local delivery agent
3. configure procmail to route spam to the junk folder - can be
configured system wide and/or per-user

http://en.wikipedia.org/wiki/Procmail is as good a place as any to start
for more info

google procmail to find lots of how-to.s

In theory, there is no difference between theory and practice.
In practice, there is.  Yogi Berra




Re: Sending email from a pool of IP addresses

2010-03-25 Thread Tom Hendrikx
David Michard wrote:
 we are having more and more problems with
 very conservative SMTP servers enforcing a low number of simultaneous
 connections from a single IP address. Our subscribers wish to receive
 their email as soon as possible so delaying the email for a few hours
 is not an option.

So actually you are trying to solve the other mail servers trouble. Did
you contact (some of) them to get you whitelisted?

 Is it possible to tell postfix to randomly select an IP address, and
 associated hostname (as many smtp servers perform RDNS lookups and
 compare it to the HELO/EHLO greeting) when sending an email ?
 That would be very helpful.

It seems to me that
http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57399.html
contains a recipe that solves your problem, only missing a 5-line perl
policyd that returns a random transport.

--
Regards,
Tom


Re: Sending email from a pool of IP addresses

2010-03-25 Thread Ralf Hildebrandt
* Tom Hendrikx t...@whyscream.net:

 So actually you are trying to solve the other mail servers trouble. Did
 you contact (some of) them to get you whitelisted?

One could also run multiple instances and cascade them as a
fallback_relay chain (uaaah!)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Sending email from a pool of IP addresses

2010-03-25 Thread Daniel L'Hommedieu
On Mar 25, 2010, at 10:13, Tom Hendrikx wrote:
 David Michard wrote:
 we are having more and more problems with
 very conservative SMTP servers enforcing a low number of simultaneous
 connections from a single IP address. Our subscribers wish to receive
 their email as soon as possible so delaying the email for a few hours
 is not an option.
 
 So actually you are trying to solve the other mail servers trouble. Did
 you contact (some of) them to get you whitelisted?

Here's what I did when I had a similar issue with sendmail: I reconfigured 
sendmail such that all mailers are considered expensive.  In sendmail, what 
this does is: new messages are only queued, and messages are sent only during a 
queue run.  This has the effect of using a single connection to send the 
messages.  Previously our several chatty servers would use dozens of 
simultaneous connections, and that irritated the admin who ran the corporate 
mail server, because it was effectively a low-grade DoS attack.  Using this 
method means that some emails are delayed, but that overall there is a net 
increase in the speed of delivery of email.

I don't know if postfix has a similar feature, but if it does, that's what I'd 
implement.

Daniel

Re: Sending email from a pool of IP addresses

2010-03-25 Thread Wietse Venema
David Michard:
 Hello,
 
 I know this question has been discussed on this list* but no suitable
 solution was provided for our SMTP server settings.
 A patch** is published but reports on this list say that it does not work.
 
 I am responsible for a medium sized mailing-list, through which one
 email is sent per day to roughly 600 000 subscribers. Since our
 mailing list is growing, we are having more and more problems with
 very conservative SMTP servers enforcing a low number of simultaneous
 connections from a single IP address. Our subscribers wish to receive
 their email as soon as possible so delaying the email for a few hours
 is not an option.

You need to cut deals with ISPs and other sites that you have lots
of customers at. Using a spread spectrum approach is just a trick
to fly under the radar, and that works only with low-volume mail.

 Is it possible to tell postfix to randomly select an IP address, and
 associated hostname (as many smtp servers perform RDNS lookups and
 compare it to the HELO/EHLO greeting) when sending an email ?
 That would be very helpful.

You would use a regexp-based transport map that matches the first
character(s) of the recipient email address, and that routes mail
to a Postfix mail delivery agent that has its own smtp_bind_address
etc. setting in the master.cf file. However, the concurrencies for
each delivery agent are scheduled independently, as if you are
running multiple Postfix instances.

Wietse

 Regards,
 David.
 
 (*) http://www.mail-archive.com/postfix-users@postfix.org/msg18400.html
  http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57399.html
 (**) http://denixsolutions.com/Scripts/Postfix-Multiple-Interfaces-Patch
 (***)  At this stage I feel it is necessary to stress that the
 mailing-list is not for profit and that we take every step to make
 sure that subscribers who change their mind are unsubscribed as soon
 as possible. We use confirmed opt-in (aka double opt-in) for
 subscription, simplified unsubscription, every RFC compliant headers
 required for bulk emailing, VERP, SPF, DKIM, complaint feedback loop
 with ARF with most providers etc in order to maintain a high
 deliverability ratio. I am not willing to give the name of the
 organisation so you will have to take my word for it.
 
 



Re: Sending email from a pool of IP addresses

2010-03-25 Thread Wietse Venema
Daniel L'Hommedieu:
 Here's what I did when I had a similar issue with sendmail: I
 reconfigured sendmail such that all mailers are considered expensive.
 In sendmail, what this does is: new messages are only queued, and
 messages are sent only during a queue run.  
...
 I don't know if postfix has a similar feature, but if it does,
 that's what I'd implement.

This is how Postfix works by design. Mail is always queued, and
the central scheduler controls connection concurrencies by destination
name.

Wietse


Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread /dev/rob0
On Thu, Mar 25, 2010 at 05:05:47PM +0530, Chaminda Indrajith wrote:
 I need to put the SPAM mails into users' Junk Mail folder. How
 can we do it in Postfix?
 
 Mails are stored in Maildir format in the user's home directory.
 Junk mail folder is inside the Maildir as .Junk. Amavisd-new
 tags the spam mails as [SPAM]

Amavisd-new can also use a recipient_delimiter and change the
localpart user to user+spam. See amavisd-new documentation to
learn how to activate this feature.

Postfix local(8) can handle this differently by using a
~user/.forward+spam file.

Postfix virtual(8) can handle this differently by using a different
virtual_mailbox_maps result for user+s...@example.com .

References:
http://www.postfix.org/postconf.5.html#recipient_delimiter
http://www.postfix.org/local.8.html
http://www.postfix.org/aliases.5.html
http://www.postfix.org/virtual.8.html
http://www.postfix.org/postconf.5.html#virtual_mailbox_maps
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


how to allow a rejcted domain

2010-03-25 Thread Jamie Griffin

Hello

My isp has sent a message that my postfix is rejecting. I have spent the 
morning reading through what i think are the relevant parts of the 
documentation and through the archives but the changes i've made to my 
configuration are not working and I don't understand what i've done wrong. 

The logfile has the following entry:

Mar 25 15:04:45 fix postfix/smtpd[11095]: NOQUEUE: reject: RCPT from 
pih-inmx03.plus.net[212.159.10.4]: 450 4.1.8 
www-d...@fhw-workplace02.servers.plus.net: Sender address rejected: Domain 
not found; from=www-d...@fhw-workplace02.servers.plus.net 
to=grif...@fantomatic.co.uk proto=ESMTP helo=pih-inmx03.plus.net
Mar 25 15:04:45 fix postfix/smtpd[11095]: disconnect from 
pih-inmx03.plus.net[212.159.10.4]

So I tried letting this domain through by putting .plus.net into a file:

hash:/usr/pkg/etc/postfix/whitelist_sender

like so:

   /usr/pkg/etc/postfix/main.cf :
   smtpd_sender_restrictions =
      check_sender_access hash:/usr/pkg/etc/postfix/whitelist_sender,
      [ ... ]

   /usr/pkg/etc/postfix/whitelist_sender:
   .plus.net    OK

Before this, I thought the problem might be with the configuration I've used in
$smtpd_recipient_restrictions, but I tried a similar approach as above and that
didn't work either.

I know I've made a mistake but I can't see what it is; I'm stuck. I'm wondering
if someone on the list could give some guidance. My postconf -n is below, thank you.

Jamie.


-
fix# /usr/pkg/sbin/postconf -n
biff = no
body_checks = pcre:/usr/pkg/etc/postfix/body_checks
config_directory = /usr/pkg/etc/postfix
default_destination_concurrency_limit = 10
empty_address_recipient = MAILER-DAEMON
header_checks = pcre:/usr/pkg/etc/postfix/header_checks
home_mailbox = Maildir/inbox/
inet_interfaces = all
local_destination_concurrency_limit = 2
mydestination = $myhostnme, $mydomain, localhost.$mydomain, localhost
mydomain = fantomatic.co.uk
myhostname = fix.fantomatic.co.uk
mynetworks_style = host
myorigin = $mydomain
queue_minfree = 12000
smtp_tls_CAfile = /usr/pkg/etc/ssl/certs/ca.crt
smtp_tls_CApath = /usr/pkg/etc/ssl/certs
smtp_tls_cert_file = /usr/pkg/etc/ssl/certs/server.crt
smtp_tls_key_file = /usr/pkg/etc/ssl/certs/server.key
smtp_tls_loglevel = 1
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

smtpd_client_restrictions = permit_mynetworks,  reject_unknown_client_hostname, 
 reject_rbl_client zen.spamhaus.org=127.0.0.10,  reject_rbl_client 
zen.spamhaus.org=127.0.0.11,  reject_rbl_client zen.spamhaus.org

smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks,  check_helo_access 
hash:/usr/pkg/etc/postfix/helo_checks,  reject_unlisted_recipient,  
reject_invalid_helo_hostname,  reject_non_fqdn_helo_hostname,  
reject_unknown_helo_hostname

smtpd_recipient_restrictions = reject_non_fqdn_recipient,  permit_mynetworks,   
reject_unauth_destination,   reject_invalid_helo_hostname,  
reject_non_fqdn_helo_hostname,  reject_non_fqdn_hostname,  
reject_unknown_recipient_domain,   reject_rbl_client zen.spamhaus.org

smtpd_sender_restrictions = check_sender_access 
hash:/usr/pkg/etc/postfix/whitelist_sender,  reject_non_fqdn_sender,  
reject_unknown_sender_domain,  reject_unlisted_sender

smtpd_tls_CAfile = /usr/pkg/etc/ssl/certs/ca.crt
smtpd_tls_CApath = /usr/pkg/etc/ssl/certs
smtpd_tls_cert_file = /usr/pkg/etc/ssl/certs/server.crt
smtpd_tls_key_file = /usr/pkg/etc/ssl/certs/server.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom


RE: How to disable Postfix Mail Delivery Report

2010-03-25 Thread Aleksey Chudov
Hello!

Thank you for your answer. I try to use <> as sender address but
unfortunately some mail filters mark messages with null sender as spam, so I
need another method to disable Postfix Mail Delivery Report.

Is there a way to disable Postfix Mail Delivery Report completely or for some
senders only?


Regards, Aleksey


-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of mouss
Sent: Tuesday, March 23, 2010 1:18 AM
To: postfix-users@postfix.org
Subject: Re: How to disable Postfix Mail Delivery Report

Aleksey Chudov wrote:
 Hello!
 
  
 
 I have few email servers that send only email notifications to our
 customers with “Return-Path:” and “From:” none@mydomain.
 
 If email message cannot be delivered to customer, it must be silently
 discarded without non-delivery report to sender.
 
 Is there a way to completely disable Postfix Mail Delivery Report?

the way to do that is to use <> as the sender, not n...@*. The null
sender is described in the RFC.

but then, don't use this as the From: header. the From: header is what
the user sees. so please make it nice...

 
 Regards, Aleksey
 




Sending mail to a FAX machine

2010-03-25 Thread Stefano Colombo
Hallo to everybody, I'm a newbie and I'm sorry for my English.

Here is my question: Can I  diversify fax_num...@fax.our.domain messages
for Hylafax relaying ( that's already running) from all others messages that
I would deliver locally?

Actually all the messages are piped to usr fax for faxing delivery!

Thanks a lot

Bye

Stefano Colombo


Re: Small amount of spam still routed through server and another problem with spam

2010-03-25 Thread Charles Marcus
On 2010-03-24 7:24 PM, Josh Cason wrote:
 As I said a person connects up. (not one of the email users). Just a
 random ip number. Sometimes it is postini (we use postini), aol, etc,
 etc. That sends one message in with multiple recipients. Then it sends
 out like say 20 or 30 or 100 messages to yahoo or aol or what not.

Why are you allowing $random_ip to relay mail through your server?

Or am I misunderstanding what you said?

-- 

Best regards,

Charles


Re: how to allow a rejcted domain

2010-03-25 Thread Dennis Guhl
On Thu, Mar 25, 2010 at 03:40:55PM +, Jamie Griffin wrote:
 
 Hello
 
 My ISP has sent a message that my postfix is rejecting. I have spent the 
 morning reading through what I think are the relevant parts of the 
 documentation and through the archives but the changes I've made to my 
 configuration are not working and I don't understand what I've done wrong. 

 The logfile has the following entry:
 
 Mar 25 15:04:45 fix postfix/smtpd[11095]: NOQUEUE: reject: RCPT from
 pih-inmx03.plus.net[212.159.10.4]: 450 4.1.8
 www-d...@fhw-workplace02.servers.plus.net: Sender address
 rejected: Domain not found;
 from=www-d...@fhw-workplace02.servers.plus.net
 to=grif...@fantomatic.co.uk proto=ESMTP helo=pih-inmx03.plus.net

The reject should be expected since fhw-workplace02.servers.plus.net
neither owns an A nor an MX-RR.

 Mar 25 15:04:45 fix postfix/smtpd[11095]: disconnect from 
 pih-inmx03.plus.net[212.159.10.4]
 
 So i tried letting this domain through by putting .plus.net into a file: 
 
 hash:/usr/pkg/etc/postfix/whitelist_sender 
 
   like so: 
    /usr/pkg/etc/postfix/main.cf :
    smtpd_sender_restrictions = 
       check_sender_access hash:/usr/pkg/etc/postfix/whitelist_sender,
       [ ... ]
 
    /usr/pkg/etc/postfix/whitelist_sender:
    .plus.net    OK

I think -- whilst I'm not entirely sure -- you should whitelist
@fhw-workplace02.servers.plus.net and not only .plus.net. Oh, and
don't forget to invoke postmap to create
/usr/pkg/etc/postfix/whitelist_sender.db

 Before this, I thought the problem might be with the configuration I've used in 
 $smtpd_recipient_restrictions, but I tried a similar approach as above and 
 that didn't work either.
 
 I know I've made a mistake but I can't see what it is; I'm stuck. I'm 
 wondering if someone on the list could give some guidance. My postconf -n is 
 below, thank you.

IMHO you made no mistake; all postfix installations I know use
reject_unknown_sender_domain to prevent SPAM. And no one should send
emails with no valid A and MX-RR.
 
 Jamie.

Dennis


Re: how to allow a rejcted domain

2010-03-25 Thread /dev/rob0
On Thu, Mar 25, 2010 at 03:40:55PM +, Jamie Griffin wrote:
 Mar 25 15:04:45 fix postfix/smtpd[11095]: NOQUEUE: reject: RCPT 
 from pih-inmx03.plus.net[212.159.10.4]: 450 4.1.8 
 www-d...@fhw-workplace02.servers.plus.net: Sender address 
 rejected: Domain not found; 

fhw-workplace02.servers.plus.net is the domain that does not exist.
The REAL problem that needs to be addressed is that the sender is
trying to use an invalid sender address. These deserve to be
rejected.

That said, recently I did a special order from Lowe's (a big USA
retailer), and they outsourced their order service to some silly
company which did not understand this VERY BASIC issue in email.
(That company is called IBM.)

Since I needed the order, I had to whitelist, ugh. It was very
painful, thinking of how much money Lowe's pays IBM for that fine
service, and me being in need of a job. :)

 So i tried letting this domain through by putting .plus.net into a 
 file:

You need to understand the documentation of
parent_domain_matches_subdomains. Unfortunately, I don't know enough
to explain it to you. :) But I'm fairly sure in your case that the
leading dot pattern was not looked up. I unset this:
parent_domain_matches_subdomains =
so, for me, something similar (with ihost.com) is what worked.

 hash:/usr/pkg/etc/postfix/whitelist_sender 
 
   like so: 
    /usr/pkg/etc/postfix/main.cf :
    smtpd_sender_restrictions = 
       check_sender_access hash:/usr/pkg/etc/postfix/whitelist_sender,
       [ ... ]
 
    /usr/pkg/etc/postfix/whitelist_sender:
    .plus.net    OK

-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
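
The lookup behaviour discussed in this thread, as an added example (not code from any poster and not Postfix's own code): a simplified Python model of the key order documented in access(5) for check_sender_access, run against candidate whitelist_sender entries with parent_domain_matches_subdomains at its default and unset. The sender local part is constructed because the archive elides it, the function names are hypothetical, and address extensions are ignored.

```python
"""Simplified model of the access(5) lookup order that Postfix smtpd uses for
check_sender_access on an indexed (hash:) table. Address extensions ignored."""


def parse_table(text):
    """Parse 'key whitespace value' lines; skip blank lines and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("expected 'key whitespace value': %r" % line)
        table[parts[0].lower()] = parts[1]
    return table


def lookup_keys(address, parent_matches_subdomains=True):
    """Return the keys tried, in order, for one envelope sender address.

    parent_matches_subdomains=True models the default configuration, where
    smtpd_access_maps is listed in parent_domain_matches_subdomains: parent
    domains are tried WITHOUT a leading dot. With the parameter unset, parent
    domains are tried WITH a leading dot instead.
    """
    localpart, at, domain = address.lower().rpartition("@")
    if not at or not domain:
        raise ValueError("need user@domain: %r" % address)
    keys = [localpart + "@" + domain, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(localpart + "@")
    return keys


def first_match(table, address, parent_matches_subdomains=True):
    """Return (key, action) for the first key found in the table, else None."""
    for key in lookup_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


# Constructed sender: the domain is the one in the thread's log line, the
# local part is a placeholder because the archive elides it.
HOST = "fhw-workplace02.servers.plus.net"
SENDER = "sender@" + HOST

# Candidate whitelist_sender contents, one table per candidate.
CANDIDATES = {
    "as posted": ".plus.net OK",
    "parent domain": "plus.net OK",
    "exact host": HOST + " OK",
    # access(5) lists user@domain, domain.tld, .domain.tld and user@ as
    # address patterns; a bare "@domain" key is not one of them.
    "@-prefixed": "@" + HOST + " OK",
}


def report():
    """Map each candidate to (match with default, match with parameter unset)."""
    rows = {}
    for label, text in CANDIDATES.items():
        table = parse_table(text)
        rows[label] = (
            first_match(table, SENDER, True),
            first_match(table, SENDER, False),
        )
    return rows


if __name__ == "__main__":
    for label, (default, unset) in report().items():
        print("%-14s default=%s  unset=%s" % (label, default, unset))
```

The envelope sender is supplied by the connecting client, so an OK on a parent domain exempts every client that claims a sender under it from the remaining checks in that restriction list. The narrowest key that matches the one host in question keeps the exemption smallest.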


sender_dependent_relayhost_maps + recipient_bcc_maps

2010-03-25 Thread Damon Miller
Hello.  I've configured Postfix to relay mail from a specific address to a 
remote MTA through 'sender_dependent_relayhost_maps' and that works fine.  I 
now want to BCC an address for messages sent by this same user.  The most 
obvious option seemed 'recipient_bcc_maps', but unfortunately I'm not receiving 
the BCCs.  Perhaps the relayhost option is delivering mail before processing of 
the BCC option?


# postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = demo-infrastructure.cloudswitch.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc_maps
relay_domains = $mydestination,cloudswitch.com,hotmail.com
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = digest-md5
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
unknown_local_recipient_reject_code = 550



Thanks for any guidance you can provide.


Regards,

Damon


Re: Log files this time! Small amount of spam still routed through server and another problem with spam

2010-03-25 Thread Josh Cason
Thanks for the help so far. I already posted my config file in the
very first post. However, I will repost it. Plus an additional log
file of the attack. Yes to me it seems like an open relay. As stated
before when I run tests they say closed relay. As for reading the
howto's. I have been through them over and over again. When I find a
change or something I need to add I apply the changes. Just two weeks
ago I applied a change. The week before that I cleaned up the config
file for postfix. This does help get rid of a lot of spam. But I still
get what is posted below. A quick run down of the system again.
Running, Mysql, postfix, dovecot, postfixadmin, MailScanner (uses
clamav and SpamAssassin), postini, centos 5.X (Cannot remember the
exact version), and running this virtual with multiple domains.
Posted the config file and the log file for all of you to admire my
horrible work. LOL. Like I said on another post the system worked
great for about 1 year then out of the blue. We get this. Yes We do
have a firewall but when we block the ip number. They just change ip
number. Plus as you can see this comes through postini. I did run
into one other person who had this issue. The fix was to add all the
users to the postini database and tell postini not to accept anything
else. I don't believe that is the only fix. But yes we can block Ip
and addresses. But when they spoof a valid address or ip and as said
once before they change ip. Don't do me any good.


This is what the attack looks like: (I have to use the -v in the main.cf file)

 Mar 24 00:01:50 primary postfix/qmgr[25306]: D13DE10D8837:  
from=drlarrype...@gmail.com, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:50 primary postfix/qmgr[25306]: C1EAA10D8187:  
from=drlarrype...@gmail.com, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:50 primary postfix/smtpd[2483]: D760910D8152:  
client=exprod6mx284.postini.com[64.18.1.71]
Mar 24 00:01:51 primary postfix/smtp[2490]: C1EAA10D8187: host  
canit01.muw.edu[192.231.29.105] said: 451 4.3.0 Message held $
Mar 24 00:01:51 primary postfix/cleanup[2489]: D760910D8152: hold:  
header Received: from psmtp.com (exprod6mx284.postini.com$
Mar 24 00:01:51 primary postfix/cleanup[2489]: D760910D8152:  
message-id=201003240540.o2o5emi1002...@gw.npskskip.com
Mar 24 00:01:52 primary postfix/smtpd[2483]: disconnect from  
exprod6mx284.postini.com[64.18.1.71]
Mar 24 00:01:52 primary MailScanner[1930]: New Batch: Scanning 1  
messages, 3236 bytes

Mar 24 00:01:52 primary MailScanner[1930]: Spam Checks: Starting
Mar 24 00:01:52 primary postfix/smtp[2490]: C1EAA10D8187:  
to=j...@muw.edu, relay=canit02.muw.edu[192.231.29.106]:25, delay=$
Mar 24 00:01:53 primary postfix/smtpd[2610]: disconnect from  
exprod6mx247.postini.com[64.18.1.147]
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=bengrins...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=btlresourcecen...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=cheryl0...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=dajatinkerb...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=dit...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=hollowd...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=jasonspence...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=jeff_pad...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=kimflip...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=lambnichola...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=mariomartescu...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.2$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=megan_steinm...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.23$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:  
to=romackro...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary MailScanner[1930]: Virus and Content Scanning:  
Starting
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:  
to=aztekgladia...@yahoo.com, relay=a.mx.mail.yahoo.com[67.195.16$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:  
to=damnshecansingbi...@yahoo.com, relay=a.mx.mail.yahoo.com[67.1$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:  
to=deniseandcendy4l...@yahoo.com, relay=a.mx.mail.yahoo.com[67.1$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:  
to=ejelia...@yahoo.com, 

Re: new cipher in OpenSSL, need to rebuild Postfix?

2010-03-25 Thread Gregory BELLIER



Victor Duchovni wrote:

On Thu, Mar 25, 2010 at 10:31:40AM +0100, Gregory BELLIER wrote:

  

At this point, you really need to step back, take a deep breath, and
use OpenSSL as-is.
  
  

As I said, it's to learn. If I do nothing then it's pointless.



No need to change the OpenSSL APIs to discover how Postfix handles new
SSL ciphers, a quick look at the Postfix documentation:

http://www.postfix.org/TLS_README.html#client_cipher
http://www.postfix.org/TLS_README.html#server_cipher

should make it clear that new ciphers are supported automatically, as
soon as they become available in OpenSSL. Postfix code modifications
would only become necessary if OpenSSL added a new key-exchange algorithm
that required new server-side parameter settings.

- To enable EDH ciphers, the server needs to specify DH parameters,
a large prime and a generator (usually 2) of multiplicative group of
non-zero residues modulo that prime. A pair of parameters is required,
one for 512-bit EDH and another for 1024-bit EDH.

http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
http://www.postfix.org/postconf.5.html#smtpd_tls_dh512_param_file

with OpenSSL 1.0.0 (any day now...), there is support for EECDH
key-exchange, which requires the server to choose a suitable elliptic
curve (I saw it called an epileptic curve recently, which has a certain
irony). New code was added to Postfix (some time ago now) to allow users
to specify a suitably sensible curve:

http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade

Postfix would also need new code if OpenSSL adds more public key types
for X.509 certificates, and we want to allow users to install more
than 3 different certificates for a single server---one for each desired
public key type.

It is not widely known that the parameter pairs:

http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
http://www.postfix.org/postconf.5.html#smtpd_tls_key_file

http://www.postfix.org/postconf.5.html#smtpd_tls_dcert_file
http://www.postfix.org/postconf.5.html#smtpd_tls_dkey_file

http://www.postfix.org/postconf.5.html#smtpd_tls_eccert_file
http://www.postfix.org/postconf.5.html#smtpd_tls_eckey_file

are functionally equivalent, you can use any parameter pair to load
any type of compatible certificate/key. So, you can associate up to
3 keys/certificates pairs using any public-key algorithm (supported
by OpenSSL) so long as each of the three certificates uses a different
algorithm.

You can set EC certs via the cert_file, RSA certs via the
dcert_file and GOST keys via the eccert_file, if that tickles
your fancy.

So, Postfix will continue to support many future versions of OpenSSL
with no code change in Postfix.

From time to time, there may be new capabilities in OpenSSL (not ciphers,
which we handle transparently, but something more major) that may be of
interest to Postfix users. For example, it may be interesting to support
SNI at some point in the future, or to make the Postfix server-side session
cache session-ticket aware.

http://tools.ietf.org/html/rfc4507

so some future change in the Postfix TLS module is likely inevitable,
but new ciphers are by far the least likely reason for new Postfix
code, these are handled generically by Postfix, since they are handled
generically by OpenSSL.

  
Thank you Victor for this complete response. Time was taken and I can 
only appreciate it.


You're right, I don't need to change anything in OpenSSL to learn how 
Postfix does things. In fact, I did the other way. I tested in OpenSSL 
and then I wondered if Postfix could benefit from it.


However, I didn't ask if new code was necessary in Postfix so it can be 
aware of a new cipher. As you said, it's automatic. I asked if, in 
your opinion, it would be necessary to build postfix (as is) against a 
new OpenSSL.


In my opinion, the only need to build against a new OpenSSL would be if 
Postfix needs to call new encryption symbols which would be the new 
cipher. But I guess it's not Postfix's deal to call directly the OpenSSL 
encryption functions.


But apparently, there is no need to do such a thing.

I think I've been misunderstood because I didn't ask to change or 
support anything different from the tree. A simple yes/no response would 
have sufficed.


Thank you all for your time.

Gregory.


Re: reject forged emails

2010-03-25 Thread Marcio Vogel Merlone dos Santos

On 25-03-2010 05:41, Ralf Hildebrandt wrote:

* Frank Bonnetf.bon...@esiee.fr:
   

I have one domain, say domain.com and I want to reject emails
that pretend to be sent from domain.com
but are NOT into our IP range say 123.123.0.0/16
 

http://www.arschkrebs.de/postfix/postfix_incoming.shtm


Hi Ralf,

It seemed so simple and efficient I couldn't resist to implement. It 
worked as expected at first, but some apparently random legitimate 
messages get refused by that rule. Can you help me? I use postfix 
2.5.1-2ubuntu1.2 on a Ubuntu 8.10 LTS box with pam_ldap (if that matters).


Strip from main.cf, I did it with /etc/postfix/fakea1:

smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
check_sender_access hash:/etc/postfix/freemail_access
check_recipient_access hash:/etc/postfix/rfc,
check_recipient_access pcre:/etc/postfix/inativos_pcre,
   hash:/etc/postfix/inativos
check_sender_access pcre:/etc/postfix/access_pcre,
hash:/etc/postfix/access,
hash:/etc/postfix/fakea1
check_client_access hash:/etc/postfix/access,
cidr:/etc/postfix/cidr
reject_invalid_hostname
reject_unauth_pipelining
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_rbl_client bl.spamcop.net
reject_rbl_client dnsbl.njabl.org
reject_rbl_client b.barracudacentral.org
check_policy_service inet:127.0.0.1:6
permit

Some relevant info and confs regarding reject_unauth_destination:

r...@jupiter:/etc/postfix# postconf relay_domains mydestination
relay_domains = $mydestination
mydestination = ldap:/etc/postfix/ldaptransport.cf
r...@jupiter:/etc/postfix# cat /etc/postfix/ldaptransport.cf
server_host = ldap://192.168.0.xxx
  ldap://192.168.0.xxx
search_base = ou=domains,dc=xxx
bind= no
query_filter= ((cn=%s)(objectclass=transportTable))
result_attribute= transport
r...@jupiter:/etc/postfix# ldapsearch -x -b ou=domains,dc=xxx 
((cn=a1.ind.br)(objectclass=transportTable))

# extended LDIF
#
# LDAPv3
# base ou=domains,dc=xxx with scope subtree
# filter: ((cn=a1.ind.br)(objectclass=transportTable))
# requesting: ALL
#

# a1.ind.br, domains, a1.ind
dn: cn=a1.ind.br,ou=domains,dc=xxx
objectClass: top
objectClass: transportTable
cn: a1.ind.br
transport: smtp:[smtp.a1.ind.br]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
r...@jupiter:/etc/postfix# cat fakea1
a1.ind.br   554 Utilize http://webmail.a1.ind.br ou o servidor 
autenticado.

r...@jupiter:/etc/postfix#

Before you ask, I did postmap 'fakea1' and reloaded postfix :)
And finally the evidence:

Mar 25 15:06:22 jupiter postfix/smtpd[17453]: NOQUEUE: reject: RCPT from 
hm2223.locaweb.com.br[200.234.196.45]: 554 5.7.1 
giulio.bor...@a1.ind.br: Recipient address rejected: Utilize 
http://webmail.a1.ind.br ou o servidor autentica
do.; from=fo...@helpfacil.com.br to=giulio.bor...@a1.ind.br 
proto=ESMTP helo=HM2223.locaweb.com.br


Have I missed something? What's wrong? Thanks and best regards.

--
Marcio Merlone



Re: Sending email from a pool of IP addresses

2010-03-25 Thread Robert Schetterer
On 25.03.2010 14:26, David Michard wrote:
 Hello,
 
 I know this question has been discussed on this list* but no suitable
 solution was provided for our SMTP server settings.
 A patch** is published but reports on this list say that it does not work.
 
 I am responsible for a medium sized mailing-list, through which one
 email is sent per day to roughly 600 000 subscribers. Since our
 mailing list is growing, we are having more and more problems with
 very conservative SMTP servers enforcing a low number of simultaneous
 connections from a single IP address. Our subscribers wish to receive
 their email as soon as possible so delaying the email for a few hours
 is not an option.
 I was thinking of allocating 4 IP aliases for our SMTP server so that
 connections would appear to come from different servers. The goal is
 not to flood*** the target server as our own postfix server has its
 own limit to the number of simultaneous active connections, set to 30
 connections.
 
 The application uses the sendmail binary to send email, and not SMTP.
 One email is sent per subscriber and signed with dkimproxy plugged
 onto the pickup daemon.
 Each email is always sent from the same nore...@mydomain.org address.
 
 Is it possible to tell postfix to randomly select an IP address, and
 associated hostname (as many smtp servers perform RDNS lookups and
 compare it to the HELO/EHLO greeting) when sending an email ?
 That would be very helpful.
 
 Regards,
 David.
 
 (*) http://www.mail-archive.com/postfix-users@postfix.org/msg18400.html
  http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57399.html
 (**) http://denixsolutions.com/Scripts/Postfix-Multiple-Interfaces-Patch
 (***)  At this stage I feel it is necessary to stress that the
 mailing-list is not for profit and that we take every step to make
 sure that subscribers who change their mind are unsubscribed as soon
 as possible. We use confirmed opt-in (aka double opt-in) for
 subscription, simplified unsubscription, every RFC compliant headers
 required for bulk emailing, VERP, SPF, DKIM, complaint feedback loop
 with ARF with most providers etc in order to maintain a high
 deliverability ratio. I am not willing to give the name of the
 organisation so you will have to take my word for it.

i would prepare fallback_relays and special transports by
recipient domains

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Log files this time! Small amount of spam still routed through server and another problem with spam

2010-03-25 Thread Noel Jones

On 3/25/2010 12:22 PM, Josh Cason wrote:

Thanks for the help so far. I already posted my config file in the very
first post. However, I will repost it. Plus an additional log file of
the attack. Yes to me it seems like an open relay. As stated before when
I run tests they say closed relay. As for reading the howto's. I have
been through them over and over again. When I find a change or something
I need to add I apply the changes. Just two weeks ago I applied a
change. The week before that I cleaned up the config file for postfix.
This does help get rid of a lot of spam. But I still get what is posted
below. A quick run down of the system again. Running, Mysql, postfix,
dovecot, postfixadmin, MailScanner (uses clamav and SpamAssassin),
postini, centos 5.X (Cannot remember the exact version), and running this
virtual with multiple domains.
Posted the config file and the log file for all of you to admire my
horrible work. LOL. Like I said on another post the system worked great
for about 1 year then out of the blue. We get this. Yes We do have a
firewall but when we block the ip number. They just change ip number.
Plus as you can see this comes through postini. I did run into one
other person who had this issue. The fix was to add all the users to the
postini database and tell postini not to accept anything else. I don't
believe that is the only fix. But yes we can block Ip and addresses. But
when they spoof a valid address or ip and as said once before they
change ip. Don't do me any good.

This is what the attack looks like: (I have to use the -v in the main.cf
file)

Mar 24 00:01:50 primary postfix/qmgr[25306]: D13DE10D8837:
from=drlarrype...@gmail.com, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:50 primary postfix/qmgr[25306]: C1EAA10D8187:
from=drlarrype...@gmail.com, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:50 primary postfix/smtpd[2483]: D760910D8152:
client=exprod6mx284.postini.com[64.18.1.71]
Mar 24 00:01:51 primary postfix/smtp[2490]: C1EAA10D8187: host
canit01.muw.edu[192.231.29.105] said: 451 4.3.0 Message held $
Mar 24 00:01:51 primary postfix/cleanup[2489]: D760910D8152: hold:
header Received: from psmtp.com (exprod6mx284.postini.com$
Mar 24 00:01:51 primary postfix/cleanup[2489]: D760910D8152:
message-id=201003240540.o2o5emi1002...@gw.npskskip.com
Mar 24 00:01:52 primary postfix/smtpd[2483]: disconnect from
exprod6mx284.postini.com[64.18.1.71]
Mar 24 00:01:52 primary MailScanner[1930]: New Batch: Scanning 1
messages, 3236 bytes
Mar 24 00:01:52 primary MailScanner[1930]: Spam Checks: Starting
Mar 24 00:01:52 primary postfix/smtp[2490]: C1EAA10D8187:
to=j...@muw.edu, relay=canit02.muw.edu[192.231.29.106]:25, delay=$
Mar 24 00:01:53 primary postfix/smtpd[2610]: disconnect from
exprod6mx247.postini.com[64.18.1.147]
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=bengrins...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=btlresourcecen...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=cheryl0...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=dajatinkerb...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=dit...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=hollowd...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=jasonspence...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=jeff_pad...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=kimflip...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=lambnichola...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=mariomartescu...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.2$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=megan_steinm...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.23$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=romackro...@yahoo.com, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary MailScanner[1930]: Virus and Content Scanning:
Starting
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=aztekgladia...@yahoo.com, relay=a.mx.mail.yahoo.com[67.195.16$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=damnshecansingbi...@yahoo.com, relay=a.mx.mail.yahoo.com[67.1$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=deniseandcendy4l...@yahoo.com, relay=a.mx.mail.yahoo.com[67.1$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=ejelia...@yahoo.com, relay=a.mx.mail.yahoo.com[67.195.168.31]$
Mar 24 00:01:55 primary 

Re: Sending email from a pool of IP addresses

2010-03-25 Thread Randy

David Michard wrote:

Hello,

I know this question has been discussed on this list* but no suitable
solution was provided for our SMTP server settings.
A patch** is published but reports on this list say that it does not work.

I am responsible for a medium sized mailing-list, through which one
email is sent per day to roughly 600 000 subscribers. Since our
mailing list is growing, we are having more and more problems with
very conservative SMTP servers enforcing a low number of simultaneous
connections from a single IP address. Our subscribers wish to receive
their email as soon as possible so delaying the email for a few hours
is not an option.
I was thinking of allocating 4 IP aliases for our SMTP server so that
connections would appear to come from different servers. The goal is
not to flood*** the target server as our own postfix server has its
own limit to the number of simultaneous active connections, set to 30
connections.

The application uses the sendmail binary to send email, and not SMTP.
One email is sent per subscriber and signed with dkimproxy plugged
onto the pickup daemon.
Each email is always sent from the same nore...@mydomain.org address.

Is it possible to tell postfix to randomly select an IP address, and
associated hostname (as many smtp servers perform RDNS lookups and
compare it to the HELO/EHLO greeting) when sending an email ?
That would be very helpful.

Regards,
David.

(*) http://www.mail-archive.com/postfix-users@postfix.org/msg18400.html
 http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57399.html
(**) http://denixsolutions.com/Scripts/Postfix-Multiple-Interfaces-Patch
(***)  At this stage I feel it is necessary to stress that the
mailing-list is not for profit and that we take every step to make
sure that subscribers who change their mind are unsubscribed as soon
as possible. We use confirmed opt-in (aka double opt-in) for
subscription, simplified unsubscription, every RFC compliant headers
required for bulk emailing, VERP, SPF, DKIM, complaint feedback loop
with ARF with most providers etc in order to maintain a high
deliverability ratio. I am not willing to give the name of the
organisation so you will have to take my word for it.
  
We do this by using multiple postfix configs/queues as in postfix{1-5} 
with each binding to its own ip.


Thanks,
Randy Ramsdell


Re: update: Small amount of spam still routed through server and another problem with spam

2010-03-25 Thread Josh Cason
I checked a few settings as explained. I have a stupid question and
also my results.


First of all it is not just coming from postini. It once in a while
wanders in from the outside. Not that I know how since all my mx
records point to postini. Just random junk I suppose.


The next thing is postini is not listed anyplace. Either in a white  
list, access list or mynetworks.


The third thing is a question on mynetworks. I currently have it going  
to a file. On one machine I can work with and without the file. This
being the test machine. On the production machine. I have to have a  
certain number in there. 10.0.0.0/8 - This is our internal network but  
if I remove this or change the ip number nothing works on the  
production server. Error when trying to send. Now of all things the  
test server was built after the production server so the main.cf was  
copied from the production server to the test server. The only thing  
changed was the ip number of said machine. Since the test server is a  
different ip. Everything else is duplicated. Probably something I did  
when I setup both servers.


The fourth thing is when I test the mysql database with the following.


postmap -q mydomain.com  mysql:/etc/postfix/mysql_virtual_domains_maps.cf

If it is a valid domain I'm hosting. Then it will return back the
exact domain name. If the domain is wrong. It returns back nothing.
Just a blank screen. It does this for any of the mysql queries. So if I
query the whole e-mail address. If valid it will reply back the e-mail
address. If not it will be a blank screen.


I hope this helps in understanding my system better to try to fix this.

Thanks,

Josh


--
This message has been scanned for viruses and
dangerous content by Mychoice, and is
believed to be clean.



Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread Voytek Eymont

On Fri, March 26, 2010 2:29 am, /dev/rob0 wrote:

Rob0,

 Amavisd-new can also use a recipient_delimiter and change the
 localpart user to user+spam. See amavisd-new documentation to learn how
 to activate this feature.
 Postfix virtual(8) can handle this differently by using a different
 virtual_mailbox_maps result for user+s...@example.com .

 http://www.postfix.org/postconf.5.html#virtual_mailbox_maps

I've set amavis to the '+address', as far as I can tell, that seems to
work fine.

my virtual domains/users are in MySQL as:

# grep virtual_mailbox_maps main.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

# cat mysql_virtual_mailbox_maps.cf
user = xxx
password = yyy
hosts = 127.0.0.1
dbname = ppp
table = mailbox
select_field = maildir
where_field = username


dumb Q:

so, if I was to create a mail user 'voytek+spam' in the database, '+spam'
mail would end up in voytek+spam mail user maildir ?

is that what I would need to do as 'next step' within above setup ?

how to make that as a spam subfolder for 'voytek' ?

is that something like... symlinking ?? voytek+spam mail user to voytek's
spam folder ??

sorry for dumb question, pls speak slowly...


-- 
Voytek



Re: reject forged emails

2010-03-25 Thread Ralf Hildebrandt
* Marcio Vogel Merlone dos Santos marcio.merl...@a1.ind.br:
 On 25-03-2010 05:41, Ralf Hildebrandt wrote:
 * Frank Bonnet f.bon...@esiee.fr:
 I have one domain, say domain.com and I want to reject emails
 that pretend to be sent from domain.com
 but are NOT into our IP range say 123.123.0.0/16
 http://www.arschkrebs.de/postfix/postfix_incoming.shtm
 
 Hi Ralf,
 
 It seemed so simple and efficient I couldn't resist to implement. It
 worked as expected at first, but some apparently random legitimate
 messages get refused by that rule. Can you help me? I use postfix
 2.5.1-2ubuntu1.2 on a Ubuntu 8.10 LTS box with pam_ldap (if that
 matters).
 
 Strip from main.cf, I did it with /etc/postfix/fakea1:
 
 smtpd_recipient_restrictions =
 permit_mynetworks
 reject_unauth_destination
 check_sender_access hash:/etc/postfix/freemail_access
 check_recipient_access hash:/etc/postfix/rfc,
 check_recipient_access pcre:/etc/postfix/inativos_pcre,
hash:/etc/postfix/inativos
 check_sender_access pcre:/etc/postfix/access_pcre,
 hash:/etc/postfix/access,
 hash:/etc/postfix/fakea1
 check_client_access hash:/etc/postfix/access,
 cidr:/etc/postfix/cidr


These don't do what you think :)
You need to write:

 check_recipient_access pcre:/etc/postfix/inativos_pcre,
 check_recipient_access hash:/etc/postfix/inativos
 check_sender_access pcre:/etc/postfix/access_pcre,
 check_sender_access hash:/etc/postfix/access,
 check_Sender_Access hash:/etc/postfix/fakea1
 check_client_access hash:/etc/postfix/access,
 CHECK_CLIENT_access cidr:/etc/postfix/cidr

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: update: Small amount of spam still routed through server and another problem with spam

2010-03-25 Thread Ansgar Wiechers
On 2010-03-25 Josh Cason wrote:
 First of all it is not just coming from postini. It once in a while
 wanders in from the outside. Not that I know how since all my mx
 records point to postini. Just random junk I suppose.

Your previous log excerpt did not include a full transaction (much less
smtpd -v logging). Also the log lines had been cropped.

Please post the full output of grep D13DE10D8837 /var/log/mail.log.

Check, if the sending client is listed in mynetworks or in the access or
pop-before-smtp maps.
Check, if the sender address is listed in the sender_access map.
Check, if the recipient domain is listed in $relay_domains.
Check, if the recipient address is listed in $relay_recipient_maps.


Sorry about unnecessarily requesting the output of postconf -n again
when you already had posted it. You made so many changes from the
default config that I got the impression you had just posted your
main.cf. Perhaps you should simplify that a bit (particularly the
smtpd_*_restrictions). I'd suggest something like this:

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_client_access hash:/etc/postfix/pop-before-smtp,
  check_client_access hash:/etc/postfix/access,
  check_sender_access hash:/etc/postfix/sender_access,
  reject_unknown_client_hostname,
  reject_invalid_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_unverified_sender,
  reject_unauth_destination,
  reject_rbl_client multi.uribl.com,
  reject_rbl_client dsn.rfc-ignorant.org,
  reject_rbl_client sbl-xbl.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client combined.rbl.msrbl.net,
  reject_rbl_client rabl.nuclearelephant.com
smtpd_data_restrictions =
  reject_unauth_pipelining,
  reject_multi_recipient_bounce,
  permit

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread /dev/rob0
On Fri, Mar 26, 2010 at 08:26:33AM +1100, Voytek Eymont wrote:
 so, if I was to create a mail user 'voytek+spam' in the database, 
 '+spam' mail would end up in voytek+spam mail user maildir ?

The user for virtual(8) must be the full address:
voy...@example.com  example.com/voytek/maildir/
voytek+s...@example.com example.com/voytek/maildir/.spam/
ot...@example.com   example.com/other/maildir/
other+s...@example.com  example.com/other/maildir/.spam/

The concept of user is blurred here. To virtual, these are like
different users. But to your IMAPd, ideally, you are simply 
delivering mail to another folder owned by that virtual user.

There might be SQL tricks you can use to get the +spam queries to
return the spam mailfolder paths, too. That's beyond the scope of
this list, and beyond my very modest SQL literacy level. But DB
storage is cheap, and it's easy to script something like this to
populate your database for all existing users.

 is that what I would need to do as 'next step' within above setup ?
 
 how to make that as a spam subfolder for 'voytek' ?
 
 is that something like... symlinking ?? voytek+spam mail user to 
 voytek's spam folder ??
 
 sorry for dumb question, pls speak slowly...

No problem, but at this point you should look at your IMAP server
documentation on how to deliver to a virtual user's subfolder. The
example above, I think, will work with Dovecot, but it assumes that
voy...@example.com has $virtual_mailbox_base/example.com/voytek/ as 
HOME, and $HOME/maildir/ as top-level folder.
--
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: how to allow a rejected domain

2010-03-25 Thread /dev/rob0
On Thu, Mar 25, 2010 at 05:43:11PM +, Jamie Griffin wrote:
  You need to understand the documentation of 
  parent_domain_matches_subdomains. Unfortunately, I don't know 
  enough to explain it to you. :) But I'm fairly sure in your case 
  that the leading dot pattern was not looked up. I unset this:
  parent_domain_matches_subdomains =
  so, for me, something similar (with ihost.com) is what worked.
  
 I had briefly looked at that setting earlier but thought just
 using the .domain.tld notation would be ok. Just having another
 read about that, it looks as though I need to set it like this:
  
   /usr/pkg/etc/postfix/main.cf:
[ ... ]
parent_domain_matches_subdomains = smtpd_access_maps
[ ... ]
 
is that right?

No. If you tell Postfix to match subdomains, the lookup that does
this is the domain name WITHOUT the leading dot. For example, this:
ihost.com   permit_auth_destination
would match for a check_sender_access lookup of
i...@low1ap106.infra.secaucus.mebs.ihost.com . (Maybe my complaint
went up the line, because I see that name now has an A record. Go
figure!)

If you unset parent_domain_matches_subdomains as I suggested, the 
lookup would be this, with the leading dot:
.ihost.com  permit_auth_destination

If you have a parent_domain_matches_subdomains list which does NOT
include smtpd_access_maps, I am not sure how that is handled. My
guess is that the leading dot lookup is used.

 I also understood that using the $smtpd_sender_restrictions 
 parameter would be the right way to whitelist this domain for what 
 i'm trying to achieve, have I got that right?

You have what is IMO an unwieldy and hard-to-manage set of smtpd 
restrictions. Personally, I prefer keeping most or all restrictions 
in a single stage, smtpd_recipient_restrictions. However, IIRC from 
your OP, you did have the reject_unknown_sender_domain only in 
smtpd_sender_restrictions. Therefore yes, you are right. But to 
understand why, you should know that it was reject_unknown_sender_domain
that caused your rejection. Anywhere you use that restriction, you
must precede it with your whitelist lookup.

Ugh. Do consider standing up for the principle of requiring senders 
to use real domains in their email addresses. I would have done so 
myself, but I knew they were not going to resend the bounced email. 
:) (IIRC it was just a copy of my invoice, which I had from my Web 
browser anyway.)
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
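
The lookup behaviour discussed in the reply above, as an added example that is not part of the original post or of Postfix itself: a simplified Python model of the keys a check_sender_access table is searched with, following the EMAIL ADDRESS PATTERNS section of access(5). The address, the table contents and the function names are constructed for illustration, and address-extension handling is left out.

```python
def sender_access_keys(address, parent_matches_subdomains=True):
    """Ordered lookup keys for a sender address in an smtpd access table.

    parent_matches_subdomains=True models the default setting, where
    parent_domain_matches_subdomains lists smtpd_access_maps: parent
    domains are looked up WITHOUT a leading dot. False models a setting
    that does not list smtpd_access_maps: parents are looked up WITH a
    leading dot. Simplified model, no address-extension handling.
    """
    local, _, domain = address.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]        # full address, exact domain
    labels = domain.split(".")
    for i in range(1, len(labels)):             # walk up the parent domains
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{local}@")                    # localpart-only pattern
    return keys


def lookup(table, address, parent_matches_subdomains=True):
    """Return (matching_key, action) for the first key found, else None."""
    for key in sender_access_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


# Constructed sample data: a sender on a deep subdomain and two ways of
# writing the whitelist entry.
ADDRESS = "billing@mx1.infra.example.com"
DOTTED = {".example.com": "permit_auth_destination"}
PLAIN = {"example.com": "permit_auth_destination"}

if __name__ == "__main__":
    for label, table in (("dotted", DOTTED), ("plain", PLAIN)):
        for setting in (True, False):
            print(label, "smtpd_access_maps listed:", setting,
                  "->", lookup(table, ADDRESS, setting))
```

In this model a `.example.com` entry is never consulted while smtpd_access_maps is listed, which is why a whitelist entry written with the leading dot can silently fail to match.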


Re: sender_dependent_relayhost_maps + recipient_bcc_maps

2010-03-25 Thread /dev/rob0
On Thu, Mar 25, 2010 at 12:48:33PM -0400, Damon Miller wrote:
 Hello.  I've configured Postfix to relay mail from a specific 
 address to a remote MTA through 'sender_dependent_relayhost_maps' 
 and that works fine.  I now want to BCC an address for messages 
 sent by this same user.  The most obvious option seemed 
 'recipient_bcc_maps', but unfortunately I'm not receiving the BCCs.

Why is this obvious?
recipient_bcc_maps :: BCC maps indexed by RECIPIENT address
sender_bcc_maps :: BCC maps indexed by SENDER address
Sounds to me like you might have wanted the latter.

 # postconf -n

I was going to skip the rest of this, but this caught my eye:

 relay_domains = $mydestination,cloudswitch.com,hotmail.com

This is very wrong, unless you are a MX host for cloudswitch.com and 
hotmail.com. You probably need to unset this.
relay_domains =
References:
http://www.postfix.org/ADDRESS_CLASS_README.html#relay_domain_class
http://www.postfix.org/postconf.html#relay_domains
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Re: update: Small amount of spam still routed through server and another problem with spam

2010-03-25 Thread Noel Jones

On 3/25/2010 4:27 PM, Josh Cason wrote:

I checked a few setting as explained. I have a stupid question and also
my results.

First of all it is not just coming from postini. It once in a while
wanders in from the outside. Not that I know how since all my mx records
point to postini. Just random junk I suppose.


One of your lookup tables is making you a partial open relay.
The usual suspects include:
- incorrect mynetworks
- firewall/NAT config that makes foreign connections appear as local
- faulty relay_domains lookup
- faulty virtual_* lookup
- access table in smtpd_recipient_restrictions BEFORE reject_unauth_destination.
- compromised user mail account.
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

Speculation is pointless.  Postfix makes decisions based on 
the config you give it, and logs all actions taken.


For more detailed logging, add a single -v to the
smtp ... smtpd
entry in master.cf, and post the unedited logging of unwanted 
relaying, plus your CURRENT 'postconf -n'.

http://www.postfix.org/DEBUG_README.html#verbose

  -- Noel Jones
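
An added example, not written by any poster in this thread: a small Python lint for an smtpd_recipient_restrictions value that flags two of the problems raised on this page, an access table consulted before reject_unauth_destination (from the list above) and a lookup table that follows a comma without its own check_*_access keyword (from Ralf Hildebrandt's reply in the "reject forged emails" thread). The sample values and file names are constructed, and a finding means the entry needs review, not that the server is an open relay.

```python
import re

# Restrictions that consume the following token as their argument.
TAKES_ARG = re.compile(
    r"^(check_\w+|reject_rbl_client|reject_rhsbl_\w+|"
    r"permit_dnswl_client|permit_rhswl_client)$")
ACCESS_CHECK = re.compile(r"^check_\w+_access$")
MAP_SPEC = re.compile(r"^[a-z0-9_]+:\S+$")      # e.g. hash:/etc/postfix/x


def lint_recipient_restrictions(value):
    """Return a list of (code, detail) findings for one restriction list."""
    # Entries may be separated by commas and/or whitespace.
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    findings = []
    relay_check_seen = False
    i = 0
    while i < len(tokens):
        name = tokens[i].lower()
        if name == "reject_unauth_destination":
            relay_check_seen = True
        elif TAKES_ARG.match(name):
            if i + 1 >= len(tokens):
                findings.append(("missing-argument", tokens[i]))
                break
            arg = tokens[i + 1]
            # An OK result from this table would be returned before the
            # relay check has had a chance to reject the recipient.
            if ACCESS_CHECK.match(name) and not relay_check_seen:
                findings.append(("access-before-reject_unauth_destination",
                                 f"{name} {arg}"))
            i += 1                              # skip the argument
        elif MAP_SPEC.match(name):
            # A table with no keyword in front of it: the admin probably
            # meant to continue the previous check_*_access.
            findings.append(("bare-map", tokens[i]))
        i += 1
    return findings


# Constructed sample: one table before the relay check, one bare table.
SAMPLE = """
    permit_mynetworks,
    check_client_access hash:/etc/postfix/example_clients,
    reject_unauth_destination,
    check_sender_access pcre:/etc/postfix/example_pcre,
        hash:/etc/postfix/example_senders,
    reject_rbl_client zen.spamhaus.org
"""

# The same policy with the relay check first and a keyword on every table.
FIXED = """
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/example_clients,
    check_sender_access pcre:/etc/postfix/example_pcre,
    check_sender_access hash:/etc/postfix/example_senders,
    reject_rbl_client zen.spamhaus.org
"""

if __name__ == "__main__":
    for code, detail in lint_recipient_restrictions(SAMPLE):
        print(f"{code}: {detail}")
```

Feed it the smtpd_recipient_restrictions value from `postconf -n`.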


Re: how to allow a rejected domain

2010-03-25 Thread Jamie Griffin
 No. If you tell Postfix to match subdomains, the lookup that does
 this is the domain name WITHOUT the leading dot. For example, this:
   ihost.com   permit_auth_destination
 would match for a check_sender_access lookup of
 i...@low1ap106.infra.secaucus.mebs.ihost.com . (Maybe my complaint
 went up the line, because I see that name now has an A record. Go
 figure!)
 
 If you unset parent_domain_matches_subdomains as I suggested, the 
 lookup would be this, with the leading dot:
   .ihost.com  permit_auth_destination

Yep. Got that. I had set it using the .domain.tld method without including
$parent_domain_matches_subdomains initially because the way I understood the
access(5) manual page I didn't need to do this, and only using
$parent_domain_matches_subdomains without the leading '.'  and in conjunction
with an smtpd access map but, I'm easily confused :-)

 [ ... ]

 You have what is IMO an unwieldy and hard-to-manage set of smtpd 
 restrictions. Personally, I prefer keeping most or all restrictions 
 in a single stage, smtpd_recipient_restrictions. However, IIRC from 
 your OP, you did have the reject_unknown_sender_domain only in 
 smtpd_sender_restrictions. Therefore yes, you are right. But to 
 understand why, you should know that it was reject_unknown_sender_domain
 that caused your rejection. Anywhere you use that restriction, you
 must precede it with your whitelist lookup.

I'm going to re-read about smtpd_*_restrictions to better understand what I've
done because from what you've said I could improve my configuration but can I
ask quickly, do you mean I can move all of the smtpd restrictions I'm using
into $smtpd_recipient_restrictions ?

 Ugh. Do consider standing up for the principle of requiring senders 
 to use real domains in their email addresses. I would have done so 
 myself, but I knew they were not going to resend the bounced email. 
 :) (IIRC it was just a copy of my invoice, which I had from my Web 
 browser anyway.)

Yeah I feel the frustration with that too. I mean, the fuss I've gone to today
just to get one message through my server; and the fact it's the ISP I'm paying
that has sent it is not very encouraging.

Thanks again for your time and help.
Jamie.


Re: Directing SPAM mail to a Junk Folder

2010-03-25 Thread Chaminda Indrajith

Hi rob0,

~user/.forward+spam would be a good solution for me since my users are 
system users.


Could you give me an example for the following? I can configure 
amavisd-new to do + address extension.


## Deliver user+s...@example.com mails to /home/user/Maildir/.Junk

.Junk is also in Maildir format.

Appreciate your help in this regard.

Thanks
Indrajith




On Thu, 25 Mar 2010 10:29:43 -0500
 /dev/rob0 r...@gmx.co.uk wrote:

On Thu, Mar 25, 2010 at 05:05:47PM +0530, Chaminda Indrajith wrote:

I need to put the SPAM mails into users' Junk Mail folder. How
can we do it in Postfix?

Mails are stored in Maildir format in the user's home directory.
Junk mail folder is inside the Maildir as .Junk. Amavisd-new
tags the spam mails as [SPAM]


Amavisd-new can also use a recipient_delimiter and change the
localpart user to user+spam. See amavisd-new documentation to
learn how to activate this feature.

Postfix local(8) can handle this differently by using a
~user/.forward+spam file.

Postfix virtual(8) can handle this differently by using a different
virtual_mailbox_maps result for user+s...@example.com .

References:
   http://www.postfix.org/postconf.5.html#recipient_delimiter
   http://www.postfix.org/local.8.html
   http://www.postfix.org/aliases.5.html
   http://www.postfix.org/virtual.8.html
   http://www.postfix.org/postconf.5.html#virtual_mailbox_maps
--
   Offlist mail to this address is discarded unless
   /dev/rob0 or not-spam is in Subject: header




Set up SMTP AUTH/SASL, can't log in

2010-03-25 Thread Dennis Carr
I just set up basic configurations for SMTP AUTH (and, the next step,
SASL) for my server, however I cannot seem to make it work quite
right. Using the instructions at
http://www.postfix.org/SASL_README.html, focusing on using dovecot as
it is present.  (Note, dovecot is not the active POP3/IMAP4 daemon,
that seems to be deferred to the basic daemons from xinetd.)

On testing, this happens:

$ telnet chez-vrolet.net 25
(motd and dialog involving EHLO goes here)
AUTH PLAIN
334
(login)
535 5.7.0 Error: authentication failed: authentication failure

The only thing I noticed is that Dovecot did not
place /var/spool/postfix/private/auth, which from what I'm reading of
the instructions, should happen.

What am I doing wrong here?

-Dennis


machine.local question

2010-03-25 Thread Terry Barnum
I've set up a postfix/dovecot/mysql server and am in the process of testing. I
have a few machines without fully qualified names (e.g. mac.local) that run 
nightly scripts to be emailed. They were being rejected by postfix due to: 
Sender address rejected: Domain not found.

I added to smtpd_sender_restrictions = permit_mynetworks and that solved the 
problem, but I'm wondering if this is the correct or preferred way to allow 
.local machines on the LAN to send mail. 

postconf -n

broken_sasl_auth_clients = yes
command_directory = /opt/local/sbin
config_directory = /opt/local/etc/postfix
daemon_directory = /opt/local/libexec/postfix
data_directory = /opt/local/var/lib/postfix
debug_peer_level = 2
default_privs = nobody
home_mailbox = Maildir/
html_directory = no
mail_owner = _postfix
mailq_path = /opt/local/bin/mailq
manpage_directory = /opt/local/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail.digital-outpost.com
mynetworks = 192.168.0.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /opt/local/bin/newaliases
proxy_interfaces = 70.167.15.114
queue_directory = /opt/local/var/spool/postfix
readme_directory = /opt/local/share/postfix/readme
sample_directory = /opt/local/share/postfix/sample
sendmail_path = /opt/local/sbin/sendmail
setgid_group = _postdrop
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, 
reject_non_fqdn_sender, reject_non_fqdn_recipient, 
reject_unknown_sender_domain, reject_unknown_recipient_domain, 
reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client 
zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service 
inet:127.0.0.1:6, check_client_access 
pcre:/opt/local/etc/postfix/dspam_filter_access
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_address
smtpd_tls_cert_file = /opt/local/etc/postfix/ssl/certs/postfix.cert
smtpd_tls_key_file = /opt/local/etc/postfix/ssl/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/opt/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:102
virtual_mailbox_base = /Volumes/mail/vmail/
virtual_mailbox_domains = 
mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = 
mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 102
virtual_transport = dovecot
virtual_uid_maps = static:102


Thanks,
-Terry



RE: sender_dependent_relayhost_maps + recipient_bcc_maps

2010-03-25 Thread Damon Miller
On Thu, Mar 25, 2010 at 7:45:14PM -0400, /dev/rob0 wrote:

 On Thu, Mar 25, 2010 at 12:48:33PM -0400, Damon Miller wrote:
  Hello.  I've configured Postfix to relay mail from a specific
  address to a remote MTA through 'sender_dependent_relayhost_maps'
  and that works fine.  I now want to BCC an address for messages
  sent by this same user.  The most obvious option seemed
  'recipient_bcc_maps', but unfortunately I'm not receiving the BCCs.
 
 Why is this obvious?
   recipient_bcc_maps :: BCC maps indexed by RECIPIENT address
   sender_bcc_maps :: BCC maps indexed by SENDER address
 Sounds to me like you might have wanted the latter.

Quite right.  Either sender- or recipient-based BCC is ok for my use case
so I arbitrarily chose recipient_bcc_maps.  I then promptly forgot which
one I chose and tested the wrong one.  Thanks very much for the reminder.

 
  # postconf -n
 
 I was going to skip the rest of this, but this caught my eye:
 
  relay_domains = $mydestination,cloudswitch.com,hotmail.com
 
 This is very wrong, unless you are a MX host for cloudswitch.com and
 hotmail.com. You probably need to unset this.
   relay_domains =
 References:
   http://www.postfix.org/ADDRESS_CLASS_README.html#relay_domain_class
   http://www.postfix.org/postconf.html#relay_domains

That one, at least, was intentional:  I populated the recipient_bcc_maps
table with a Hotmail address for testing purposes so I needed Postfix
to temporarily relay messages to that domain.  This is an internal
machine intended solely for testing so I was never relaying for the
Internet.  Regardless, now that I've proven the configuration works
I've removed the entry from relay_domains.


Thank you again for your quick response and insight.  I'm in good shape!


Regards,

Damon


RE: A little bit of spam is getting through

2010-03-25 Thread Josh Cason
I don't have time to post a lot more info since I'm off of work on
Friday. But going back and looking at my log. I thought of a question
a few months ago. But had no place to ask. We are behind a firewall
that is doing NAT translation. I got the impression that when this
spam hits. It looks like it is originating from the server. At least
the server ip address. Then going out. Do I need to use a proxy
setting in main.cf to tell it my outside public ip number for that
server? I ignored it since it seemed more for backup mx servers.



As for my posting of my main.cf file. It does look better than posted.
I'm going between a linux box and a winderz machine. So they looked
messed up sometimes. I also saw what part of that I got off from the
mail log with the -v. The message in the queue got renumbered via
rules. So when I type grep the original message. In this case as
listed above. It lists the server ip number as coming in with some
outside e-mail address we don't have.


Thanks,

Josh





Deliver raw, local emails to a socket?

2010-03-25 Thread Stephens, Kurt
I'd like to have all local postfix deliveries go directly into a TCP or UDS
(named pipe) socket,
that will eventually end up raw in a database table for subsequent triage.

Are there any concrete examples or tools that do not include procmail? 

It appears that local(8) expects the mailbox path to be either a maildir dir/ 
or a plain old mbox file (due to the exclusive lock and truncation on error).  
Has anyone tried pointing local(8) directly at a named pipe? 
Use netcat via pipe(8)?  
I want to completely avoid procmail.

Thanks,
Kurt Stephens