Re: postfix smtp_loop() breaks SMTP

2010-04-21 Thread Victor Duchovni
On Thu, Apr 22, 2010 at 03:45:34AM +0200, Mij wrote:

> Postfix appears to be breaking RFC 5321 by speculatively injecting
> the entire envelope session passing over replies from the server.

Folks, today is not April 1st, that was 21 days ago. Please, no more
"Postfix is fundamentally broken, and nobody noticed for 10 years" posts.

If you think you've found a major flaw in long-standing Postfix behaviour,
you're wrong. You can save yourself and the list a lot of time by not
going there...

Also, at this point, with Postfix driving such a large share of the
Internet email infrastructure, even if Postfix were hypothetically
"wrong" wrt. to some RFC, the practical implication would be that the
rest of the world (including new Postfix releases) has to suck-it-up and
interoperate. Just like Postfix carries, from its early days, work-arounds
for various widely deployed broken systems, any hypothetical widely
deployed issue in Postfix would simply have to be tolerated as a fact
of life.

Fortunately, Postfix does not mis-implement the key standards, and the
issue is moot.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: Using Sasl authentication and RBL

2010-04-21 Thread David Cottle




On 22/04/2010, at 12:49, Noel Jones  wrote:


On 4/21/2010 9:03 PM, Oliver Schinagl wrote:

On 04/22/10 03:55, Noel Jones wrote:

On 4/21/2010 8:39 PM, Oliver Schinagl wrote:


Heh, I suppose it wasn't as straightforward as that; I'll look more into
it after some sleep, I enabled it with the following:
submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
(even tried uncommenting both, which shouldn't matter inmo?)

But got denied errors, telnet didn't tell me much, thunderbird told me
slightly more:
An error occurred sending mail: The mail server sent an incorrect
greeting:  5.7.1: Client host
rejected: Access denied.
It won't even ask me for my sasl password, nothing. A mystery for the
next day.


Please show your current "postconf -n" and the error message from the
postfix logs.  Showing error messages from the client or from telnet
are not particularly useful.

  -- Noel Jones
My current postconf -n is exactly as above in the mail; i hadn't changed
anything, i only pasted the relevant part from master.conf that i changed.


I don't see a postconf -n in this mail.  I asked for a new copy to
make sure of its current contents, and because I deleted your
previous messages and don't feel like rummaging around in the trash.




Apr 21 21:39:19 example postfix/smtpd[21360]: connect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT
from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
: 554 5.7.1: Client host
rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]


The client was rejected during the CONNECT stage.  This implies you
are using "smtpd_delay_reject = no".


Don't do that, the client doesn't get a chance to authenticate.





is the corresponding postfix error; Basically what thunderbird reported :)


The postfix log is far more useful; it tells us your problem is (at
least) you need to unset smtpd_delay_reject.  There may be other
problems exposed once you fix this one.



Looking at the message you sent David Cottle, I think he's doing what
Matt suggested I should do? Use submission to bypass RBL stuff; I'd
gladly add those 2 options as well, but why would they not be in the
default config? You'd think that the default submission bit was exactly
that, allow users to bypass everything and submit messages directly. I'm
too tired to think atm so I'll check it all out again tomorrow :)
Sleep well :)


There is no evidence David's client ever authenticates.  Not quite
the same problem.  Your client doesn't authenticate either, but
that's because you don't give them the chance.


Using the "submission" port is an accepted solution to the common
problems[1] of how to allow mobile users to send mail to your
server.  The main advantage is it allows you to specify a different
policy[2] for authenticated users.


You can add "-o smtpd_delay_reject=yes" to the submission entry in
master.cf to ensure that changes to that parameter in main.cf won't
affect the submission service.  But a better solution is just don't
mess with that setting; leave it at the default "yes".


"submission" is commented out in the default postfix config because
a relatively small subset of folks using postfix need it, and it's
not nice to open ports not needed.


[1] IP listed in RBL.  ISP or hotspot blocks port 25 access.

[2] accept mail from authenticated clients no matter how screwed up
their mailer or their IP


 -- Noel Jones


Hi Noel,

I tried running

testsaslauthd -u usermailname -p matchingpass -s smtp

I get

connect () : No such file or directory




Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle




On 22/04/2010, at 12:00, Noel Jones  wrote:


On 4/21/2010 6:35 PM, David Cottle wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file.  For details on the  
format
=== 
=== 


[...]

submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025


add here:

 -o smtpd_helo_restrictions=
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


 -- Noel Jones


Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above.

What exactly does that do as to not having it?

I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and  
both can RX but not send mail.

Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but  
only W7 works.


It's the same broadband settings, could it be the machines host name?

Anyway as it's only one client it's hard to track.

Thanks!


Re: Using Sasl authentication and RBL

2010-04-21 Thread Noel Jones

On 4/21/2010 9:03 PM, Oliver Schinagl wrote:

On 04/22/10 03:55, Noel Jones wrote:

On 4/21/2010 8:39 PM, Oliver Schinagl wrote:



Heh, I suppose it wasn't as straightforward as that; I'll look more into
it after some sleep, I enabled it with the following:
submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
(even tried uncommenting both, which shouldn't matter inmo?)

But got denied errors, telnet didn't tell me much, thunderbird told me
slightly more:
An error occurred sending mail: The mail server sent an incorrect
greeting:  5.7.1: Client host
rejected: Access denied.
It won't even ask me for my sasl password, nothing. A mystery for the
next day.


Please show your current "postconf -n" and the error message from the
postfix logs.  Showing error messages from the client or from telnet
are not particularly useful.

   -- Noel Jones

My current postconf -n is exactly as above in the mail; i hadn't changed
anything, i only pasted the relevant part from master.conf that i changed.


I don't see a postconf -n in this mail.  I asked for a new 
copy to make sure of its current contents, and because I 
deleted your previous messages and don't feel like rummaging 
around in the trash.




Apr 21 21:39:19 example postfix/smtpd[21360]: connect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT
from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
: 554 5.7.1: Client host
rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]


The client was rejected during the CONNECT stage.  This 
implies you are using "smtpd_delay_reject = no".


Don't do that, the client doesn't get a chance to authenticate.





is the corresponding postfix error; Basically what thunderbird reported :)


The postfix log is far more useful; it tells us your problem 
is (at least) you need to unset smtpd_delay_reject.  There may 
be other problems exposed once you fix this one.



Looking at the message you sent David Cottle, I think he's doing what
Matt suggested I should do? Use submission to bypass RBL stuff; I'd
gladly add those 2 options as well, but why would they not be in the
default config? You'd think that the default submission bit was exactly
that, allow users to bypass everything and submit messages directly. I'm
too tired to think atm so I'll check it all out again tomorrow :)
Sleep well :)


There is no evidence David's client ever authenticates.  Not 
quite the same problem.  Your client doesn't authenticate 
either, but that's because you don't give them the chance.


Using the "submission" port is an accepted solution to the 
common problems[1] of how to allow mobile users to send mail 
to your server.  The main advantage is it allows you to 
specify a different policy[2] for authenticated users.


You can add "-o smtpd_delay_reject=yes" to the submission 
entry in master.cf to ensure that changes to that parameter in 
main.cf won't affect the submission service.  But a better 
solution is just don't mess with that setting; leave it at the 
default "yes".


"submission" is commented out in the default postfix config 
because a relatively small subset of folks using postfix need 
it, and it's not nice to open ports not needed.


[1] IP listed in RBL.  ISP or hotspot blocks port 25 access.

[2] accept mail from authenticated clients no matter how 
screwed up their mailer or their IP


  -- Noel Jones


Re: postfix smtp_loop() breaks SMTP

2010-04-21 Thread Wietse Venema
Mij:
> Hello folks,
> 
> Postfix appears to be breaking RFC 5321 by speculatively injecting
> the entire envelope session passing over replies from the server.

Oh, and while you're collecting the evidence, you may also want to
read up on RFC 2920 (SMTP Pipelining).

Wietse
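
RFC 2920 is the "other arrangement negotiated through service extensions" that the RFC 5321 section 4.3.1 text quoted in Mij's post allows for: a client may send a group of commands without waiting for each reply only after the server has advertised PIPELINING in its EHLO response, and DATA (like EHLO and QUIT) may only be the last command of such a group. The following is an added example written for this page, not Postfix's smtp_loop() nor any code posted in the thread: a small ESMTP client that makes that decision from the EHLO reply, run both ways against a scripted stand-in server on a socketpair so the exchange can be seen on the wire. The hostnames, addresses, message and queue ID are constructed.

```python
"""Command pipelining as RFC 2920 negotiates it: the "other arrangements
negotiated through service extensions" that the RFC 5321 4.3.1 text quoted
in this thread allows for.  Added example, not Postfix's smtp_loop(): a
client that batches MAIL FROM, RCPT TO and DATA into one write only after
the EHLO reply advertised PIPELINING, run against a scripted stand-in
server on a socketpair.  Hostnames, addresses and the queue ID are made up."""
import socket
import threading

MESSAGE = b"Subject: pipelining test\r\n\r\nhello\r\n"          # constructed
REPLIES = {b"MAIL": b"250 2.1.0 Ok", b"RCPT": b"250 2.1.5 Ok",
           b"DATA": b"354 End data with <CR><LF>.<CR><LF>",
           b"QUIT": b"221 2.0.0 Bye"}


def _responder(conn, advertise_pipelining):
    """Scripted server side: one reply per command line, body until '.'."""
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 mx.example.com ESMTP\r\n")
        in_data = False
        for line in iter(rd.readline, b""):
            line = line.rstrip(b"\r\n")
            if in_data:
                if line == b".":
                    in_data = False
                    conn.sendall(b"250 2.0.0 Ok: queued as 0C0FFEE123\r\n")
                continue
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"EHLO":
                ext = [b"250-mx.example.com"]
                if advertise_pipelining:
                    ext.append(b"250-PIPELINING")
                conn.sendall(b"\r\n".join(ext + [b"250 8BITMIME"]) + b"\r\n")
                continue
            conn.sendall(REPLIES.get(verb, b"502 5.5.2 Error: command not recognized") + b"\r\n")
            in_data = verb == b"DATA"
            if verb == b"QUIT":
                return


class EsmtpClient:
    def __init__(self, sock):
        self.sock, self.rd = sock, sock.makefile("rb")
        self.pipelining = False
        self.writes = 0                 # round trips the client waited on
        self.transcript = []

    def reply(self):
        """Read one reply (multi-line or not); return (code, lines)."""
        lines = []
        while True:
            raw = self.rd.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.rstrip(b"\r\n")
            lines.append(line)
            self.transcript.append(b"S: " + line)
            if line[3:4] != b"-":       # "250-" continues, "250 " ends
                return int(line[:3]), lines

    def send_group(self, cmds):
        """Send a command group; return [(code, lines)] in command order.
        With PIPELINING negotiated the whole group goes out in one write and
        the replies are read afterwards; without it each command waits for
        its reply, and the group stops at the first failure."""
        if self.pipelining:
            self.sock.sendall(b"".join(c + b"\r\n" for c in cmds))
            self.writes += 1
            self.transcript.extend(b"C: " + c for c in cmds)
            return [self.reply() for _ in cmds]
        replies = []
        for c in cmds:
            self.sock.sendall(c + b"\r\n")
            self.writes += 1
            self.transcript.append(b"C: " + c)
            replies.append(self.reply())
            if replies[-1][0] >= 400:
                break
        return replies


def deliver(advertise_pipelining):
    """One delivery; return (envelope_writes, envelope_codes, transcript)."""
    a, b = socket.socketpair()
    threading.Thread(target=_responder, args=(b, advertise_pipelining),
                     daemon=True).start()
    cl = EsmtpClient(a)
    cl.reply()                          # the 220 greeting is always awaited
    (_, ehlo), = cl.send_group([b"EHLO client.example.net"])
    cl.pipelining = any(l[4:].split()[:1] == [b"PIPELINING"] for l in ehlo)
    before = cl.writes
    # RFC 2920 3.1: DATA (like EHLO and QUIT) may only be the last command
    # of a group, because the client needs the 354 before sending the body.
    envelope = cl.send_group([b"MAIL FROM:<sender@example.net>",
                              b"RCPT TO:<user@example.com>", b"DATA"])
    codes = [code for code, _ in envelope]
    envelope_writes = cl.writes - before
    if codes == [250, 250, 354]:
        cl.sock.sendall(MESSAGE + b".\r\n")
        cl.transcript.append(b"C: <message body>.")
        cl.reply()                      # 250 queued
    cl.send_group([b"QUIT"])
    cl.rd.close()
    a.close()
    return envelope_writes, codes, cl.transcript


if __name__ == "__main__":
    for mode in (True, False):
        writes, codes, transcript = deliver(mode)
        print(f"PIPELINING advertised={mode}: envelope took {writes} write(s)")
        for line in transcript:
            print("  " + line.decode())
```

Run as a script it prints both transcripts: with PIPELINING advertised the three envelope commands leave in one write and the three replies follow, without it each command waits for its own reply. A real packet trace of a Postfix client talking to a server that advertises PIPELINING looks like the first case, which is the point Wietse's RFC 2920 pointer makes.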


Re: postfix smtp_loop() breaks SMTP

2010-04-21 Thread Matt Hayes


On 04/21/2010 09:45 PM, Mij wrote:
> Hello folks,
> 
> Postfix appears to be breaking RFC 5321 by speculatively injecting
> the entire envelope session passing over replies from the server.
> 
> In src/smtp/smtp_proto.c , smtp_loop() handles the delivery loop by
> deliberately "pipelining" commands and replies in separate queues.
> 
> Only the SMTP greeting is waited for in the whole envelope, but
> curiously, RFC 5321 appears to specify the opposite:
> 
> in 4.3.1 :
> """
> One important reply is the connection greeting. [..] The sender
> SHOULD wait for this greeting message before sending any commands.
> """
> 
> """
> The communication between the sender and receiver is an alternating
>  dialogue, controlled by the sender. As such, the sender issues a command
> and the receiver responds with a reply.  Unless other arrangements are
> negotiated through service extensions, the sender MUST wait for this
> response before sending further commands.
> """
> 
> I didn't track back in which version this behavior originates, but it still
> appears to be present in 2.7.0 .
> 
> cheers!
> mij


Mij,

You said in the #postfix channel that you had a pcap file, might want to
include it.

-Matt


Re: mail from(Return-Path) when a mail relay via alias

2010-04-21 Thread Jeff Huang
For Example:

Mail Server1(@domain1.com):
alias:
id1:i...@domain2.com

when I send an email from another domain (not @domain1.com) to i...@domain1.com.

I will receive this email from i...@domain2.com.

And when I check the header of the email, I find: Return-Path: <>.






--
From: "mouss" 
Sent: Thursday, April 22, 2010 6:09 AM
To: 
Subject: Re: mail from(Return-Path) when a mail relay via alias

> Jeff Huang wrote:
>> Hi All.
>>  
>> I found when I send an email via an alias, the Return-Path is null.
>>  
>> For example,the alias :
>>  
>> i...@domain1.com:i...@domain2.com 
> 
> sorry, unparsable...
> please copy-paste.
> anyway, in alias_maps, there's no domain in the left hand side:
> joe: j...@example.com
> 
>>  
>> when I sent an email from i...@domain.com to
>> i...@domain1.com, I found I receive it from
>> i...@domain2.com and found the Return-Path is null.
>>
>> How can I set it to enable the return path?
> 
> the return-path is null in bounces or if your mailer generates it.
> and in any case, alias rewriting has no influence on the return-path.
> 
> so you have another problem. please explain exactly what happens and
> show examples and logs.
> 
>

Re: postfix smtp_loop() breaks SMTP

2010-04-21 Thread Wietse Venema
Mij:
> Hello folks,
> 
> Postfix appears to be breaking RFC 5321 by speculatively injecting
> the entire envelope session passing over replies from the server.

You MUST show a packet trace to support this claim.

Wietse


Re: Set submission as to bypass RBLs

2010-04-21 Thread Noel Jones

On 4/21/2010 9:01 PM, David Cottle wrote:

The best way: postconf -n


-Matt


smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, permit_sasl_authenticated,
check_client_access hash:/etc/postfix/check_backscatterer,
check_client_access hash:/etc/postfix/check_spamcannibal,
check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
reject_rbl_client b.barracudacentral.org


OK, permit_sasl_authenticated comes before reject_rbl_client.


smtpd_recipient_restrictions = permit_mynetworks, check_client_access
pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated,
reject_unauth_destination


OK, permit_sasl_authenticated comes before reject_rbl_client.


smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated,
check_client_access pcre:/var/spool/postfix/plesk/non_auth.re


OK, no RBL checks.


Conclusion:  If a client is rejected by RBL checks, they 
didn't authenticate.  You can verify this in your postfix logs.


  -- Noel Jones


Re: Using Sasl authentication and RBL

2010-04-21 Thread Oliver Schinagl
On 04/22/10 03:55, Noel Jones wrote:
> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>
>> Heh, I suppose it wasn't as straightforward as that; I'll look more into
>> it after some sleep, I enabled it with the following:
>> submission inet n   -   n   -   -   smtpd
>> #  -o smtpd_tls_security_level=encrypt
>>-o smtpd_sasl_auth_enable=yes
>>-o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> #  -o milter_macro_daemon_name=ORIGINATING
>> (even tried uncommenting both, which shouldn't matter inmo?)
>>
>> But got denied errors, telnet didn't tell me much, thunderbird told me
>> slightly more:
>> An error occurred sending mail: The mail server sent an incorrect
>> greeting:  5.7.1: Client host
>> rejected: Access denied.
>> It won't even ask me for my sasl password, nothing. A mystery for the
>> next day.
>
> Please show your current "postconf -n" and the error message from the
> postfix logs.  Showing error messages from the client or from telnet
> are not particularly useful.
>
>   -- Noel Jones
My current postconf -n is exactly as above in the mail; i hadn't changed
anything, i only pasted the relevant part from master.conf that i changed.

Apr 21 21:39:19 example postfix/smtpd[21360]: connect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT
from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
: 554 5.7.1 : Client host
rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]


is the corresponding postfix error; Basically what thunderbird reported :)



Looking at the message you sent David Cottle, I think he's doing what
Matt suggested I should do? Use submission to bypass RBL stuff; I'd
gladly add those 2 options as well, but why would they not be in the
default config? You'd think that the default submission bit was exactly
that, allow users to bypass everything and submit messages directly. I'm
too tired to think atm so I'll check it all out again tomorrow :)
Sleep well :)


Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle




On 22/04/2010, at 11:38, Matt Hayes  wrote:




On 04/21/2010 09:23 PM, David Cottle wrote:




On 22/04/2010, at 10:28, Matt Hayes  wrote:



On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:

Quoting Matt Hayes :


On 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No its not look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025






ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll have
to negate them just as you did with smtpd_sender_restrictions

-Matt


Hi Matt,

In main.cf I have got in smtpd sender restrictions permit sasl
authenticated.

It's also in smtpd recipient restrictions as the 3rd after mynetworks
and a plesk no relay check.

smtpd client restrictions it's 2nd after a plesk blacklist check.

In client restrictions it's the 2nd one, as my whitelists is first.

I know it's RBL killing as it's complaints about ISP dynamic message.

I can post my actual main.cf later when I have PC as I am on iPhone.

Is there also a command to dump the config?

Thanks!





The best way: postconf -n


-Matt


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
mydestination = localhost.$mydomain, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 10.0.10.1/32 [::1]/128 [fe80::%eth0]/64, 192.168.0.0/24, 203.19.70.65, 202.129.79.106, 203.217.18.104/30, 203.206.180.36/30, 203.206.129.128/27
newaliases_path = /usr/bin/newaliases.postfix
notify_classes =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist, permit_sasl_authenticated, check_client_access hash:/etc/postfix/check_backscatterer, check_client_access hash:/etc/postfix/check_spamcannibal, check_client_access cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110


Re: Set submission as to bypass RBLs

2010-04-21 Thread Noel Jones

On 4/21/2010 6:35 PM, David Cottle wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file.  For details on the format
==

[...]

submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025


add here:

  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject



  -- Noel Jones
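
The three pieces of advice in this thread (Noel's "don't set smtpd_delay_reject=no", the requirement that permit_sasl_authenticated come before reject_rbl_client in David's main.cf, and the two extra -o overrides for the submission entry so main.cf's helo and recipient lists do not leak onto port 587) all follow from the rules documented for smtpd(8): each restriction list is walked in order, the first restriction that yields a decision ends that list, a reject ends the session, a permit only ends the current list so the following lists are still evaluated, and with smtpd_delay_reject=yes the client, helo and sender lists are evaluated at RCPT TO, after the client has had a chance to AUTH. The following is an added example written for this page, not Postfix's own code or anything posted by the participants: a small model of that evaluation that replays Oliver's submission entry with and without smtpd_delay_reject=no, the two orderings of David's smtpd_client_restrictions, and David's submission entry with and without Noel's smtpd_recipient_restrictions override. The DNSBL membership, the address 203.0.113.7, the domains and the main.cf lists marked as constructed are assumptions.

```python
"""Model of how Postfix smtpd walks its restriction lists.  Added example,
not Postfix code: it applies the rules documented in smtpd(8)/postconf(5)
(each list is walked in order, the first permit/reject ends that list, a
reject ends the session, a permit only ends the current list, and with
smtpd_delay_reject=yes the client/helo/sender lists are evaluated at
RCPT TO, after AUTH was possible).  Addresses, DNSBL data and the main.cf
lists marked as constructed are assumptions."""
from dataclasses import dataclass

RBL_LISTED = {"zen.spamhaus.org": {"203.0.113.7"}}   # constructed DNSBL data
LOCAL_DOMAINS = {"example.com"}
STAGE_LIST = {"CONNECT": "smtpd_client_restrictions",     # list per stage when
              "EHLO": "smtpd_helo_restrictions",          # smtpd_delay_reject=no
              "MAIL": "smtpd_sender_restrictions",
              "RCPT": "smtpd_recipient_restrictions"}


@dataclass
class Client:
    ip: str
    in_mynetworks: bool = False
    will_auth: bool = False                  # sends AUTH after EHLO
    recipient: str = "friend@example.net"    # off-site, i.e. a relay attempt


def evaluate(restrictions, c, authenticated):
    """Walk one restriction list; return 'permit', 'reject' or 'dunno'."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if r == "permit_mynetworks" and c.in_mynetworks:
            return "permit"
        if r.startswith("reject_rbl_client "):
            if c.ip in RBL_LISTED.get(r.split(None, 1)[1], ()):
                return "reject"
        if r == "reject_unauth_destination":
            if c.recipient.rsplit("@", 1)[1] not in LOCAL_DOMAINS:
                return "reject"
        if r in ("permit", "reject"):
            return r
        # a permit_* that did not match makes no decision: next restriction
    return "dunno"


def smtpd(config, c):
    """Simulate CONNECT..RCPT TO for one client; return (stage, decision)."""
    delay = config.get("smtpd_delay_reject", True)      # Postfix default: yes
    authenticated = False
    for stage in ("CONNECT", "EHLO", "AUTH", "MAIL", "RCPT"):
        if stage == "AUTH":                 # AUTH is only possible after EHLO
            authenticated = c.will_auth
            continue
        if delay and stage != "RCPT":
            continue                        # all lists wait for RCPT TO
        keys = list(STAGE_LIST.values()) if delay else [STAGE_LIST[stage]]
        for key in keys:
            if evaluate(config.get(key, []), c, authenticated) == "reject":
                return stage, "reject"      # a permit only ends that one list
    return "RCPT", "permit"


# Oliver's submission overrides, plus the smtpd_delay_reject=no that Noel
# inferred from the reject being logged at CONNECT (recipient list assumed).
OLIVER_587 = {"smtpd_delay_reject": False,
              "smtpd_client_restrictions": ["permit_sasl_authenticated", "reject"],
              "smtpd_recipient_restrictions": ["permit_sasl_authenticated",
                                               "reject_unauth_destination"]}
# Constructed main.cf in the shape of David's Plesk box: RBL ahead of
# permit_sasl_authenticated (as Plesk left it) versus his corrected order.
PLESK_25_RBL_FIRST = {
    "smtpd_client_restrictions": ["reject_rbl_client zen.spamhaus.org",
                                  "permit_sasl_authenticated"],
    "smtpd_recipient_restrictions": ["permit_mynetworks", "permit_sasl_authenticated",
                                     "reject_unauth_destination"]}
PLESK_25_SASL_FIRST = dict(PLESK_25_RBL_FIRST,
                           smtpd_client_restrictions=["permit_sasl_authenticated",
                                                      "reject_rbl_client zen.spamhaus.org"])
# David's submission entry with Noel's two additions; MAINCF_RCPT_WITH_RBL is a
# constructed main.cf list that port 587 would inherit without the override.
DAVID_587 = {"smtpd_client_restrictions": ["permit_sasl_authenticated", "reject"],
             "smtpd_helo_restrictions": [], "smtpd_sender_restrictions": [],
             "smtpd_recipient_restrictions": ["permit_sasl_authenticated", "reject"]}
MAINCF_RCPT_WITH_RBL = ["permit_mynetworks", "reject_rbl_client zen.spamhaus.org",
                        "reject_unauth_destination"]


def scenarios():
    """Return {name: (stage, decision)} for the situations in the thread."""
    pbl_user = Client(ip="203.0.113.7", will_auth=True)    # listed ADSL IP, will AUTH
    pbl_anon = Client(ip="203.0.113.7")                     # same IP, no AUTH
    return {
        "oliver_delay_reject_no": smtpd(OLIVER_587, pbl_user),
        "oliver_delay_reject_yes": smtpd(dict(OLIVER_587, smtpd_delay_reject=True), pbl_user),
        "plesk_rbl_first": smtpd(PLESK_25_RBL_FIRST, pbl_user),
        "plesk_sasl_first": smtpd(PLESK_25_SASL_FIRST, pbl_user),
        "plesk_sasl_first_anon": smtpd(PLESK_25_SASL_FIRST, pbl_anon),
        "david_587_user": smtpd(DAVID_587, pbl_user),
        "david_587_anon": smtpd(DAVID_587, pbl_anon),
        "david_587_inherits_maincf": smtpd(
            dict(DAVID_587, smtpd_recipient_restrictions=MAINCF_RCPT_WITH_RBL), pbl_user),
    }


if __name__ == "__main__":
    for name, (stage, decision) in scenarios().items():
        print(f"{name:26s} {decision:6s} at {stage}")
```

The first scenario reproduces Oliver's log line: with smtpd_delay_reject=no the client list is walked at CONNECT, AUTH has not happened yet, permit_sasl_authenticated cannot match and the trailing reject fires in the greeting. The last scenario is the reason for Noel's "-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject": the permit in the client list ends only that list, so any RBL left in main.cf's recipient list would still reject the authenticated client on port 587. The model leaves out check_*_access tables, defer actions and the relay restrictions of later Postfix releases.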


Re: Using Sasl authentication and RBL

2010-04-21 Thread Noel Jones

On 4/21/2010 8:39 PM, Oliver Schinagl wrote:



Heh, I suppose it wasn't as straightforward as that; I'll look more into
it after some sleep, I enabled it with the following:
submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
(even tried uncommenting both, which shouldn't matter inmo?)

But got denied errors, telnet didn't tell me much, thunderbird told me
slightly more:
An error occurred sending mail: The mail server sent an incorrect
greeting:  5.7.1: Client host
rejected: Access denied.
It won't even ask me for my sasl password, nothing. A mystery for the
next day.


Please show your current "postconf -n" and the error message 
from the postfix logs.  Showing error messages from the client 
or from telnet are not particularly useful.


  -- Noel Jones


Re: Using Sasl authentication and RBL

2010-04-21 Thread Oliver Schinagl
On 04/22/10 03:39, Oliver Schinagl wrote:
> On 04/22/10 02:57, Oliver Schinagl wrote:
>> On 04/22/10 02:42, Matt Hayes wrote:
>>> On 04/21/2010 08:33 PM, Oliver Schinagl wrote:
 On 04/22/10 02:10, Matt Hayes wrote:
> On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
>> On 04/21/10 23:47, mouss wrote:
>>> Oliver Schinagl wrote:
 Hello all,

 I've been trying to figure out why a new server I set up using postfix
 doesn't allow me to relay messages after I authenticate (using
 cyrus-sasl). It appears that I can authenticate just fine, but when I
 try to send a message, I get an RBL error. I obviously want my ADSL IP
 not to be whitelisted from the sending end (as it's dhcp and just a
 regular adsl ip) but I would have expected that after authentication the
 RBL would be bypassed?

>>> Show logs that prove your claims:
>>> 1- user was authenticated
>>> 2- relay was denied
>>>
>>> for (1), you should find a line like this:
>>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
>>> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
>>> sasl_username=mo...@ml.netoyen.net
>>>
>> Sorry for forgetting,
>>
>> I can post 2; I'm having troubles finding 1, because I think that's
>> whats going wrong ;)
>>
>> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
>> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
>> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
>> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
>> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
>> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>
>> What does work however, is if i telnet from my own host (which isn't in
>> the pbl so it makes testing for me really hard (unless I could fake my
>> domain temporarly to be on the pbl?) and AUTH LOGIN and send a message
>> it does work, so sasl_auth must be working right?
>>
>> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
>> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
>> sasl_username=theuser
>>
>>
>> Either thunderbird isn't trying to auth at all (even though I told it
>> to) or it gets RBLed before it could even try to auth, which is what I'm
>> thinking.
>>
>> My test box, (diff server basically) which is on the pbl normally, is
>> down for maintenance atm (broken nic :S) so all I got is users
>> complaining unable to send mail on the new server, and I can't figure
>> out what I have done wrong.
>>
 I thought I pretty much set it up the same way as my older server, which
 accepts my mail just fine! Guess I was wrong, and I can't find the
 differences.

 As I've set up my server, I tried to document it as well as possible over
 at the gentoo-wiki;

 http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server


 The entire postfix server seems to be running excellently as far as I
 can tell, except for not being able to send from remote 'internet' IP's
 that are on the PBL.

 Find below my postconf -n (having replaced the real hostname with
 foo.example)
 ===
 postconf -n
 biff = no
 broken_sasl_auth_clients = no
 command_directory = /usr/sbin
 config_directory = /etc/postfix
 daemon_directory = /usr/lib64/postfix
 data_directory = /var/lib/postfix
 debug_peer_level = 1
 disable_vrfy_command = yes
 home_mailbox = .maildir/
 html_directory = /usr/share/doc/postfix-2.6.5/html
 mail_owner = postfix
 mailq_path = /usr/bin/mailq
 manpage_directory = /usr/share/man
 message_size_limit = 2048
 mydomain = example.com
 myhostname = foo.example.com
 mynetworks_style = ho

postfix smtp_loop() breaks SMTP

2010-04-21 Thread Mij
Hello folks,

Postfix appears to be breaking RFC 5321 by speculatively injecting
the entire envelope session passing over replies from the server.

In src/smtp/smtp_proto.c , smtp_loop() handles the delivery loop by
deliberately "pipelining" commands and replies in separate queues.

Only the SMTP greeting is waited for in the whole envelope, but
curiously, RFC 5321 appears to specify the opposite:

in 4.3.1 :
"""
One important reply is the connection greeting. [..] The sender
SHOULD wait for this greeting message before sending any commands.
"""

"""
The communication between the sender and receiver is an alternating
 dialogue, controlled by the sender. As such, the sender issues a command
and the receiver responds with a reply.  Unless other arrangements are
negotiated through service extensions, the sender MUST wait for this
response before sending further commands.
"""

I didn't track back in which version this behavior originates, but it still
appears to be present in 2.7.0 .

cheers!
mij


Re: Using Sasl authentication and RBL

2010-04-21 Thread Oliver Schinagl
On 04/22/10 02:57, Oliver Schinagl wrote:
> On 04/22/10 02:42, Matt Hayes wrote:
>> On 04/21/2010 08:33 PM, Oliver Schinagl wrote:
>>> On 04/22/10 02:10, Matt Hayes wrote:
 On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
> On 04/21/10 23:47, mouss wrote:
>> Oliver Schinagl wrote:
>>> Hello all,
>>>
>>> I've been trying to figure out why a new server I set up using postfix
>>> doesn't allow me to relay messages after I authenticate (using
>>> cyrus-sasl). It appears that I can authenticate just fine, but when I
>>> try to send a message, I get an RBL error. I obviously want my ADSL IP
>>> not to be whitelisted from the sending end (as it's dhcp and just a
>>> regular adsl ip) but I would have expected that after authentication the
>>> RBL would be bypassed?
>>>
>> Show logs that prove your claims:
>> 1- user was authenticated
>> 2- relay was denied
>>
>> for (1), you should find a line like this:
>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
>> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
>> sasl_username=mo...@ml.netoyen.net
>>
> Sorry for forgetting,
>
> I can post 2; I'm having troubles finding 1, because I think that's
> whats going wrong ;)
>
> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>
> What does work however, is if i telnet from my own host (which isn't in
> the pbl so it makes testing for me really hard (unless I could fake my
> domain temporarly to be on the pbl?) and AUTH LOGIN and send a message
> it does work, so sasl_auth must be working right?
>
> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
> sasl_username=theuser
>
>
> Either thunderbird isn't trying to auth at all (even though I told it
> to) or it gets RBLed before it could even try to auth, which is what I'm
> thinking.
>
> My test box, (diff server basically) which is on the pbl normally, is
> down for maintenance atm (broken nic :S) so all I got is users
> complaining unable to send mail on the new server, and I can't figure
> out what I have done wrong.
>>
>>> I thought I pretty much set it up the same way as my older server, which
>>> accepts my mail just fine! Guess I was wrong, and I can't find the
>>> differences.
>>>
>>> As I've set up my server, I tried to document it as well as possible over
>>> at the gentoo-wiki;
>>>
>>> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>>
>>>
>>> The entire postfix server seems to be running excellently as far as I
>>> can tell, except for not being able to send from remote 'internet' IP's
>>> that are on the PBL.
>>>
>>> Find below my postconf -n (having replaced the real hostname with
>>> foo.example)
>>> ===
>>> postconf -n
>>> biff = no
>>> broken_sasl_auth_clients = no
>>> command_directory = /usr/sbin
>>> config_directory = /etc/postfix
>>> daemon_directory = /usr/lib64/postfix
>>> data_directory = /var/lib/postfix
>>> debug_peer_level = 1
>>> disable_vrfy_command = yes
>>> home_mailbox = .maildir/
>>> html_directory = /usr/share/doc/postfix-2.6.5/html
>>> mail_owner = postfix
>>> mailq_path = /usr/bin/mailq
>>> manpage_directory = /usr/share/man
>>> message_size_limit = 2048
>>> mydomain = example.com
>>> myhostname = foo.example.com
>>> mynetworks_style = host
>>> newaliases_path = /usr/bin/newaliases
>>> queue_directory = /var/spool/postfix
>>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>>> recipient_delimiter = +
>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>>> sendmail_path = /usr/sbin/sendmail
>>> setgid_group = postdrop
>>> smtpd_banner = $myhostname NO UCE ESMTP

Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes


On 04/21/2010 09:23 PM, David Cottle wrote:
> 
> 
> Sent from my iPhone
> 
> On 22/04/2010, at 10:28, Matt Hayes  wrote:
> 
>>
>> On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
>>> Quoting Matt Hayes :
>>>
 On 04/21/2010 07:35 PM, David Cottle wrote:

> #submission inet n   -   n   -   -   smtpd
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

 Seems submission is commented out?

 -matt

>>>
>>> Hi Matt,
>>>
>>> No it's not, look further down:
>>>
>>> smtpd_tls_wrappermode=yes
>>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
>>> smtpd_sasl_auth_enable=yes -o
>>> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
>>> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>>>
>>>
>>>
>>
>>
>> ahhh missed that!
>>
>> If you have smtpd_recipient_restrictions defined in main.cf, you'll have
>> to negate them just as you did with smtpd_sender_restrictions.
>>
>> -Matt
> 
> Hi Matt,
> 
> In main.cf I have got permit_sasl_authenticated in smtpd_sender_restrictions.
> 
> It's also in smtpd_recipient_restrictions as the 3rd, after mynetworks
> and a Plesk no-relay check.
> 
> In smtpd_client_restrictions it's 2nd, after a Plesk blacklist check.
> 
> In client restrictions it's the 2nd one, as my whitelist is first.
> 
> I know it's the RBL killing it, as it complains about the ISP dynamic message.
> 
> I can post my actual main.cf later when I have a PC, as I am on my iPhone.
> 
> Is there also a command to dump the config?
> 
> Thanks!


The best way: postconf -n


-Matt


Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 10:28, Matt Hayes  wrote:



On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:

Quoting Matt Hayes :


On 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No it's not, look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025






ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf, you'll have
to negate them just as you did with smtpd_sender_restrictions.

-Matt


Hi Matt,

In main.cf I have got permit_sasl_authenticated in smtpd_sender_restrictions.

It's also in smtpd_recipient_restrictions as the 3rd, after mynetworks
and a Plesk no-relay check.

In smtpd_client_restrictions it's 2nd, after a Plesk blacklist check.

In client restrictions it's the 2nd one, as my whitelist is first.

I know it's the RBL killing it, as it complains about the ISP dynamic message.

I can post my actual main.cf later when I have a PC, as I am on my iPhone.

Is there also a command to dump the config?

Thanks!
 



Re: Using Sasl authentication and RBL

2010-04-21 Thread Oliver Schinagl
On 04/22/10 02:42, Matt Hayes wrote:
>
> On 04/21/2010 08:33 PM, Oliver Schinagl wrote:
>> On 04/22/10 02:10, Matt Hayes wrote:
>>> On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
 On 04/21/10 23:47, mouss wrote:
> Oliver Schinagl a écrit :
>> Hello all,
>>
>> I've been trying to figure out why a new server I setup using postfix
>> doesn't allow me to relay messages after I authenticate (using
>> cyrus-sasl). It appears that I can authenticate just fine, but when I
>> try to send a message, I get a RBL error. I obviously want my ADSL IP
>> not to be whitelisted from the sending end (as it's dhcp and just a
>> regular adsl ip) but I would have expected that after authentication the
>> RBL would be bypassed?
>>
> Show logs that prove your claims:
> 1- user was authenticated
> 2- relay was denied
>
> for (1), you should find a line like this:
> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
> sasl_username=mo...@ml.netoyen.net
>
 Sorry for forgetting,

 I can post 2; I'm having trouble finding 1, because I think that's
 what's going wrong ;)

 Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
 xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
 Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
 from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
 unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
 http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
 Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
 CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
 Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
 xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]

 What does work, however, is if I telnet from my own host (which isn't in
 the PBL, so it makes testing really hard for me (unless I could fake my
 domain temporarily to be on the PBL?)) and AUTH LOGIN and send a message;
 it does work, so sasl_auth must be working, right?

 Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
 client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
 sasl_username=theuser


 Either Thunderbird isn't trying to auth at all (even though I told it
 to) or it gets RBLed before it could even try to auth, which is what I'm
 thinking.
 
 My test box (a different server, basically), which is on the PBL normally, is
 down for maintenance atm (broken NIC :S), so all I have is users
 complaining that they are unable to send mail on the new server, and I can't figure
 out what I have done wrong.
>> I thought I pretty much set it up the same way as my older server, which
>> accepts my mail just fine! Guess I was wrong, and I can't find the
>> differences.
>>
>> As I've set up my server, I tried to document it as well as possible over
>> at the gentoo-wiki;
>>
>> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>
>>
>> The entire postfix server seems to be running excellently as far as I
>> can tell, except for not being able to send from remote 'internet' IPs
>> that are on the PBL.
>>
>> Find below my postconf -n (having replaced the real hostname with
>> foo.example)
>> ===
>> postconf -n
>> biff = no
>> broken_sasl_auth_clients = no
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/lib64/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 1
>> disable_vrfy_command = yes
>> home_mailbox = .maildir/
>> html_directory = /usr/share/doc/postfix-2.6.5/html
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/share/man
>> message_size_limit = 2048
>> mydomain = example.com
>> myhostname = foo.example.com
>> mynetworks_style = host
>> newaliases_path = /usr/bin/newaliases
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>> recipient_delimiter = +
>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = postdrop
>> smtpd_banner = $myhostname NO UCE ESMTP
>> smtpd_client_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
>> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
>> bl.spamcop.net
>> smtpd_delay_reject = no
>> smtpd_helo_required = yes
>> smtpd_helo_restriction

Re: Using Sasl authentication and RBL

2010-04-21 Thread Matt Hayes


On 04/21/2010 08:33 PM, Oliver Schinagl wrote:
> On 04/22/10 02:10, Matt Hayes wrote:
>> On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
>>> On 04/21/10 23:47, mouss wrote:
 Oliver Schinagl a écrit :
> Hello all,
>
> I've been trying to figure out why a new server I setup using postfix
> doesn't allow me to relay messages after I authenticate (using
> cyrus-sasl). It appears that I can authenticate just fine, but when I
> try to send a message, I get a RBL error. I obviously want my ADSL IP
> not to be whitelisted from the sending end (as it's dhcp and just a
> regular adsl ip) but I would have expected that after authentication the
> RBL would be bypassed?
>
 Show logs that prove your claims:
 1- user was authenticated
 2- relay was denied

 for (1), you should find a line like this:
 Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
 client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
 sasl_username=mo...@ml.netoyen.net

>>> Sorry for forgetting,
>>>
>>> I can post 2; I'm having trouble finding 1, because I think that's
>>> what's going wrong ;)
>>>
>>> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
>>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
>>> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
>>> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
>>> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
>>> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
>>> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
>>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>
>>> What does work, however, is if I telnet from my own host (which isn't in
>>> the PBL, so it makes testing really hard for me (unless I could fake my
>>> domain temporarily to be on the PBL?)) and AUTH LOGIN and send a message;
>>> it does work, so sasl_auth must be working, right?
>>>
>>> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
>>> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
>>> sasl_username=theuser
>>>
>>>
>>> Either Thunderbird isn't trying to auth at all (even though I told it
>>> to) or it gets RBLed before it could even try to auth, which is what I'm
>>> thinking.
>>>
>>> My test box (a different server, basically), which is on the PBL normally, is
>>> down for maintenance atm (broken NIC :S), so all I have is users
>>> complaining that they are unable to send mail on the new server, and I can't figure
>>> out what I have done wrong.
> I thought I pretty much set it up the same way as my older server, which
> accepts my mail just fine! Guess I was wrong, and I can't find the
> differences.
>
> As I've set up my server, I tried to document it as well as possible over
> at the gentoo-wiki;
>
> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>
>
> The entire postfix server seems to be running excellently as far as I
> can tell, except for not being able to send from remote 'internet' IPs
> that are on the PBL.
>
> Find below my postconf -n (having replaced the real hostname with
> foo.example)
> ===
> postconf -n
> biff = no
> broken_sasl_auth_clients = no
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib64/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 1
> disable_vrfy_command = yes
> home_mailbox = .maildir/
> html_directory = /usr/share/doc/postfix-2.6.5/html
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 2048
> mydomain = example.com
> myhostname = foo.example.com
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.5/readme
> recipient_delimiter = +
> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_banner = $myhostname NO UCE ESMTP
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
> bl.spamcop.net
> smtpd_delay_reject = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_mx_backup, check_policy_service
> inet:127.0.0.1:2525, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_heade

Re: Using Sasl authentication and RBL

2010-04-21 Thread Oliver Schinagl
On 04/22/10 02:10, Matt Hayes wrote:
> On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
>> On 04/21/10 23:47, mouss wrote:
>>> Oliver Schinagl a écrit :
 Hello all,

 I've been trying to figure out why a new server I setup using postfix
 doesn't allow me to relay messages after I authenticate (using
 cyrus-sasl). It appears that I can authenticate just fine, but when I
 try to send a message, I get a RBL error. I obviously want my ADSL IP
 not to be whitelisted from the sending end (as it's dhcp and just a
 regular adsl ip) but I would have expected that after authentication the
 RBL would be bypassed?

>>> Show logs that prove your claims:
>>> 1- user was authenticated
>>> 2- relay was denied
>>>
>>> for (1), you should find a line like this:
>>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
>>> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
>>> sasl_username=mo...@ml.netoyen.net
>>>
>> Sorry for forgetting,
>>
>> I can post 2; I'm having trouble finding 1, because I think that's
>> what's going wrong ;)
>>
>> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
>> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
>> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
>> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
>> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
>> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>
>> What does work, however, is if I telnet from my own host (which isn't in
>> the PBL, so it makes testing really hard for me (unless I could fake my
>> domain temporarily to be on the PBL?)) and AUTH LOGIN and send a message;
>> it does work, so sasl_auth must be working, right?
>>
>> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
>> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
>> sasl_username=theuser
>>
>>
>> Either Thunderbird isn't trying to auth at all (even though I told it
>> to) or it gets RBLed before it could even try to auth, which is what I'm
>> thinking.
>>
>> My test box (a different server, basically), which is on the PBL normally, is
>> down for maintenance atm (broken NIC :S), so all I have is users
>> complaining that they are unable to send mail on the new server, and I can't figure
>> out what I have done wrong.
 I thought I pretty much set it up the same way as my older server, which
 accepts my mail just fine! Guess I was wrong, and I can't find the
 differences.

 As I've set up my server, I tried to document it as well as possible over
 at the gentoo-wiki;

 http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server


 The entire postfix server seems to be running excellently as far as I
 can tell, except for not being able to send from remote 'internet' IPs
 that are on the PBL.

 Find below my postconf -n (having replaced the real hostname with
 foo.example)
 ===
 postconf -n
 biff = no
 broken_sasl_auth_clients = no
 command_directory = /usr/sbin
 config_directory = /etc/postfix
 daemon_directory = /usr/lib64/postfix
 data_directory = /var/lib/postfix
 debug_peer_level = 1
 disable_vrfy_command = yes
 home_mailbox = .maildir/
 html_directory = /usr/share/doc/postfix-2.6.5/html
 mail_owner = postfix
 mailq_path = /usr/bin/mailq
 manpage_directory = /usr/share/man
 message_size_limit = 2048
 mydomain = example.com
 myhostname = foo.example.com
 mynetworks_style = host
 newaliases_path = /usr/bin/newaliases
 queue_directory = /var/spool/postfix
 readme_directory = /usr/share/doc/postfix-2.6.5/readme
 recipient_delimiter = +
 relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
 sendmail_path = /usr/sbin/sendmail
 setgid_group = postdrop
 smtpd_banner = $myhostname NO UCE ESMTP
 smtpd_client_restrictions = permit_mynetworks,
 permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
 zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
 bl.spamcop.net
 smtpd_delay_reject = no
 smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_hostname
 smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated, permit_mx_backup, check_policy_service
 inet:127.0.0.1:2525, reject_unauth_destination
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain =
 smtpd_sasl_security_options = noanonymous
 smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
 smtpd_tls_auth_only = no

Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes

On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
> Quoting Matt Hayes :
> 
>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>
>>> #submission inet n   -   n   -   -   smtpd
>>> #  -o smtpd_tls_security_level=encrypt
>>> #  -o smtpd_sasl_auth_enable=yes
>>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>> #  -o milter_macro_daemon_name=ORIGINATING
>>
>> Seems submission is commented out?
>>
>> -matt
>>
> 
> Hi Matt,
> 
> No it's not, look further down:
> 
> smtpd_tls_wrappermode=yes
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
> smtpd_sasl_auth_enable=yes -o
> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
> 
> 
> 


ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf, you'll have
to negate them just as you did with smtpd_sender_restrictions.

-Matt


Re: Set submission as to bypass RBLs

2010-04-21 Thread webmaster

Quoting Matt Hayes :


On 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No it's not, look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025





Re: Using Sasl authentication and RBL

2010-04-21 Thread Matt Hayes
On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
> On 04/21/10 23:47, mouss wrote:
>> Oliver Schinagl a écrit :
>>> Hello all,
>>>
>>> I've been trying to figure out why a new server I setup using postfix
>>> doesn't allow me to relay messages after I authenticate (using
>>> cyrus-sasl). It appears that I can authenticate just fine, but when I
>>> try to send a message, I get a RBL error. I obviously want my ADSL IP
>>> not to be whitelisted from the sending end (as it's dhcp and just a
>>> regular adsl ip) but I would have expected that after authentication the
>>> RBL would be bypassed?
>>>
>> Show logs that prove your claims:
>> 1- user was authenticated
>> 2- relay was denied
>>
>> for (1), you should find a line like this:
>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
>> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
>> sasl_username=mo...@ml.netoyen.net
>>
> Sorry for forgetting,
> 
> I can post 2; I'm having trouble finding 1, because I think that's
> what's going wrong ;)
> 
> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
> 
> What does work, however, is if I telnet from my own host (which isn't in
> the PBL, so it makes testing really hard for me (unless I could fake my
> domain temporarily to be on the PBL?)) and AUTH LOGIN and send a message;
> it does work, so sasl_auth must be working, right?
> 
> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
> sasl_username=theuser
> 
> 
> Either Thunderbird isn't trying to auth at all (even though I told it
> to) or it gets RBLed before it could even try to auth, which is what I'm
> thinking.
> 
> My test box (a different server, basically), which is on the PBL normally, is
> down for maintenance atm (broken NIC :S), so all I have is users
> complaining that they are unable to send mail on the new server, and I can't figure
> out what I have done wrong.
>>> I thought I pretty much set it up the same way as my older server, which
>>> accepts my mail just fine! Guess I was wrong, and I can't find the
>>> differences.
>>>
>>> As I've set up my server, I tried to document it as well as possible over
>>> at the gentoo-wiki;
>>>
>>> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>>
>>>
>>> The entire postfix server seems to be running excellently as far as I
>>> can tell, except for not being able to send from remote 'internet' IPs
>>> that are on the PBL.
>>>
>>> Find below my postconf -n (having replaced the real hostname with
>>> foo.example)
>>> ===
>>> postconf -n
>>> biff = no
>>> broken_sasl_auth_clients = no
>>> command_directory = /usr/sbin
>>> config_directory = /etc/postfix
>>> daemon_directory = /usr/lib64/postfix
>>> data_directory = /var/lib/postfix
>>> debug_peer_level = 1
>>> disable_vrfy_command = yes
>>> home_mailbox = .maildir/
>>> html_directory = /usr/share/doc/postfix-2.6.5/html
>>> mail_owner = postfix
>>> mailq_path = /usr/bin/mailq
>>> manpage_directory = /usr/share/man
>>> message_size_limit = 2048
>>> mydomain = example.com
>>> myhostname = foo.example.com
>>> mynetworks_style = host
>>> newaliases_path = /usr/bin/newaliases
>>> queue_directory = /var/spool/postfix
>>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>>> recipient_delimiter = +
>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>>> sendmail_path = /usr/sbin/sendmail
>>> setgid_group = postdrop
>>> smtpd_banner = $myhostname NO UCE ESMTP
>>> smtpd_client_restrictions = permit_mynetworks,
>>> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
>>> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
>>> bl.spamcop.net
>>> smtpd_delay_reject = no
>>> smtpd_helo_required = yes
>>> smtpd_helo_restrictions = reject_invalid_hostname
>>> smtpd_recipient_restrictions = permit_mynetworks,
>>> permit_sasl_authenticated, permit_mx_backup, check_policy_service
>>> inet:127.0.0.1:2525, reject_unauth_destination
>>> smtpd_sasl_auth_enable = yes
>>> smtpd_sasl_authenticated_header = no
>>> smtpd_sasl_local_domain =
>>> smtpd_sasl_security_options = noanonymous
>>> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
>>> smtpd_tls_auth_only = no
>>> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
>>> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
>>> smtpd_tls_loglevel = 0
>>> smtpd_tls_received_header = yes
>>> smtpd_t

Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes
On 04/21/2010 07:35 PM, David Cottle wrote:

> #submission inet n   -   n   -   -   smtpd
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

Seems submission is commented out?

-matt


Set submission as to bypass RBLs

2010-04-21 Thread David Cottle
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf, as in
smtpd_client_restrictions they had put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 to be able to bypass RBL checks:

#
# Postfix master process configuration file.  For details on the format
==
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628  inet  n   -   n   -   -   qmqpd
pickup    fifo  n   -   -   60  1   pickup -o content_filter=smtp:127.0.0.1:10027
cleanup   unix  n   -   n   -   0   cleanup
qmgr      fifo  n   -   n   300 1   qmgr
#qmgr     fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer     unix  -   -   n   -   0   bounce
trace     unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush     unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp      unix  -   -   n   -   -   smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -   -   n   -   -   smtp
    -o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n   -   n   -   -   showq
error     unix  -   -   n   -   -   error
retry     unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local     unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp      unix  -   -   n   -   -   lmtp
anvil     unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
#

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
    argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman
    argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
    argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
    argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=
    -o smtpd_proxy_filter=127.0.0.1:10025
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvPi7MACgkQi1lOcz5YUMhUdgCfSQcDsMVe0jM6dUUZ4i1JC58i
tO0AnAwyEiJYikm4w4imblStUKv7jNga
=+b+4
-END PGP SIGNATURE-
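
An added example, not part of this thread and not Postfix or Plesk code: a small
Python parser for master.cf in the form master(5) describes (comment lines,
whitespace-led continuation lines, "-o name=value" overrides, where an empty
value clears a main.cf setting), followed by an audit of the submission entry
for the points the replies raise: SASL enabled, TLS enforced before AUTH,
smtpd_client_restrictions overridden, and which other restriction lists are
still inherited from main.cf on port 587. The sample master.cf is constructed
from the entries in the post above, re-indented so continuation lines start
with whitespace as master(5) requires (the mail client had wrapped them flush
left). FIXED_SUBMISSION is my suggested replacement entry, not something posted
in the thread; parse_master_cf and audit_submission are my names.

```python
"""Parse a Postfix master.cf as master(5) describes it and audit the
submission service's -o overrides. Added example, not Postfix or Plesk code."""
from typing import Dict, List

FIELDS = ("type", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")

# Constructed from the entries in the post: the stock (commented-out) submission
# entry, Plesk's smtps entry and the active submission entry, re-indented so that
# continuation lines start with whitespace, which is what master(5) requires.
SAMPLE_MASTER_CF = """\
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
"""

# Suggested replacement entry (mine, not from the thread): every restriction
# list is overridden, so nothing on port 587 is inherited from main.cf.
FIXED_SUBMISSION = """\
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions= -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o smtpd_data_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
"""

RESTRICTION_LISTS = ("smtpd_helo_restrictions", "smtpd_sender_restrictions",
                     "smtpd_recipient_restrictions", "smtpd_data_restrictions")


def parse_master_cf(text: str) -> Dict[str, dict]:
    """Return {service: {type, private, ..., command, 'options': {name: value}}}.
    '#' lines are comments, a line that starts with whitespace continues the
    previous entry, and '-o name=' (empty value) clears a main.cf setting.
    Postfix 3.x '{ }' quoting of option values is not handled."""
    entries: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    services: Dict[str, dict] = {}
    for entry in entries:
        tokens = entry.split()
        if len(tokens) < 8:
            continue                      # incomplete entry; master(8) would refuse to start
        svc = dict(zip(FIELDS, tokens[1:8]))
        svc["options"] = {}
        args, i = tokens[8:], 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                svc["options"][name] = value
                i += 2
            else:
                i += 1                    # pipe/spawn attributes such as user=, argv=
        services[tokens[0]] = svc
    return services


def audit_submission(services: Dict[str, dict]) -> List[str]:
    """Problems a reviewer would flag on the submission entry; [] means clean."""
    svc = services.get("submission")
    if svc is None or svc["command"] != "smtpd":
        return ["no active submission service running smtpd"]
    o, problems = svc["options"], []
    if o.get("smtpd_sasl_auth_enable") != "yes":
        problems.append("SASL auth not enabled on submission")
    if o.get("smtpd_tls_security_level") != "encrypt" and o.get("smtpd_enforce_tls") != "yes":
        problems.append("TLS not enforced before AUTH")
    if o.get("smtpd_client_restrictions") != "permit_sasl_authenticated,reject":
        problems.append("smtpd_client_restrictions not overridden to permit_sasl_authenticated,reject")
    for name in RESTRICTION_LISTS:        # lists not overridden here still come from main.cf,
        if name not in o:                 # including any reject_rbl_client they carry
            problems.append(f"{name} inherited from main.cf")
    return problems


if __name__ == "__main__":
    for line in audit_submission(parse_master_cf(SAMPLE_MASTER_CF)):
        print("posted master.cf:", line)
    print("fixed entry:", audit_submission(parse_master_cf(FIXED_SUBMISSION)) or "clean")
```

Run against the posted entries, the audit passes SASL, TLS and the client list
and reports smtpd_helo_restrictions, smtpd_recipient_restrictions and
smtpd_data_restrictions as inherited from main.cf; against FIXED_SUBMISSION it
reports nothing. On the real box, "postconf -M submission" (Postfix 2.11 and
later) prints the effective master.cf entry without any parsing of your own.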


Re: Using Sasl authentication and RBL

2010-04-21 Thread Oliver Schinagl
On 04/21/10 23:47, mouss wrote:
> Oliver Schinagl a écrit :
>> Hello all,
>>
>> I've been trying to figure out why a new server I setup using postfix
>> doesn't allow me to relay messages after I authenticate (using
>> cyrus-sasl). It appears that I can authenticate just fine, but when I
>> try to send a message, I get a RBL error. I obviously want my ADSL IP
>> not to be whitelisted from the sending end (as it's dhcp and just a
>> regular adsl ip) but I would have expected that after authentication the
>> RBL would be bypassed?
>>
> Show logs that prove your claims:
> 1- user was authenticated
> 2- relay was denied
>
> for (1), you should find a line like this:
> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
> sasl_username=mo...@ml.netoyen.net
>
Sorry for forgetting,

I can post 2; I'm having trouble finding 1, because I think that's
what's going wrong ;)

Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]

What does work, however, is if I telnet from my own host (which isn't in
the PBL, so it makes testing really hard for me (unless I could fake my
domain temporarily to be on the PBL?)) and AUTH LOGIN and send a message;
it does work, so sasl_auth must be working, right?

Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
sasl_username=theuser


Either Thunderbird isn't trying to auth at all (even though I told it
to) or it gets RBLed before it could even try to auth, which is what I'm
thinking.

My test box (a different server, basically), which is on the PBL normally, is
down for maintenance atm (broken NIC :S), so all I have is users
complaining that they are unable to send mail on the new server, and I can't figure
out what I have done wrong.
>> I thought I pretty much set it up the same way as my older server, which
>> accepts my mail just fine! Guess I was wrong, and I can't find the
>> differences.
>>
>> As I've set up my server, I tried to document it as well as possible over
>> at the gentoo-wiki;
>>
>> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>
>>
>> The entire postfix server seems to be running excellently as far as I
>> can tell, except for not being able to send from remote 'internet' IPs
>> that are on the PBL.
>>
>> Find below my postconf -n (having replaced the real hostname with
>> foo.example)
>> ===
>> postconf -n
>> biff = no
>> broken_sasl_auth_clients = no
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/lib64/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 1
>> disable_vrfy_command = yes
>> home_mailbox = .maildir/
>> html_directory = /usr/share/doc/postfix-2.6.5/html
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/share/man
>> message_size_limit = 2048
>> mydomain = example.com
>> myhostname = foo.example.com
>> mynetworks_style = host
>> newaliases_path = /usr/bin/newaliases
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>> recipient_delimiter = +
>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = postdrop
>> smtpd_banner = $myhostname NO UCE ESMTP
>> smtpd_client_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
>> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
>> bl.spamcop.net
>> smtpd_delay_reject = no
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = reject_invalid_hostname
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, permit_mx_backup, check_policy_service
>> inet:127.0.0.1:2525, reject_unauth_destination
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = no
>> smtpd_sasl_local_domain =
>> smtpd_sasl_security_options = noanonymous
>> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
>> smtpd_tls_auth_only = no
>> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
>> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
>> smtpd_tls_loglevel = 0
>> smtpd_tls_received_header = yes
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_use_tls = yes
>> soft_bounce = no
>> tls_random_source = dev:/dev/urandom
>> unknown_local_recipient_reject_code = 550
>> virtual_alias_maps = pgsql:/etc/postfix/pg

Re: mail from(Return-Path) when a mail relay via alias

2010-04-21 Thread mouss
Jeff Huang wrote:
> Hi All.
>  
> I found that when I send an email via an alias, the Return-Path is null.
>  
> For example, the alias:
>  
> i...@domain1.com:i...@domain2.com 

sorry, unparsable...
please copy-paste.
anyway, in alias_maps, there's no domain in the left hand side:
joe:j...@example.com

>  
> when I sent an email from i...@domain.com  to
> i...@domain1.com, I found I received it from
> i...@domain2.com  and found the Return-Path is null.
>  
> How can I set it to enable the return path?

the return-path is null in bounces or if your mailer generates it.
and in any case, alias rewriting has no influence on the return-path.

so you have another problem. please explain exactly what happens and
show examples and logs.



Re: Reject Notification

2010-04-21 Thread mouss
Carlos Mennens wrote:
> I was wondering if there is a simple way to have Postfix send all
> 'reject' messages regardless of the reason to a specific email like
> 'rej...@mydomain.tld' and then in my /etc/aliases file just route all
> mail to 'reject' to a known recipient? I was looking to see what the
> best suggestion would be for setting this up via Postfix? I just have
> 5 users on my server and from time to time I notice rarely there are
> some rejects but I would like to know about them rather than searching
> through logs. Anyone have any suggestions?
> 

what do you mean by "reject"? you'd like to get mail for things like:

Apr 21 00:02:31 imlil postmx/smtpd[41698]: NOQUEUE: reject: RCPT from
unknown[190.167.122.44]: 550 5.1.1 <43cd9398.3090...@netoyen.net>:
Recipient address rejected: User unknown;
from= to=<43cd9398.3090...@netoyen.net>
proto=ESMTP helo=

or this:

Apr 21 00:19:04 imlil postmx/smtpd[41856]: NOQUEUE: reject: RCPT from
226.4.54.77.rev.vodafone.pt[77.54.4.226]: 554 5.7.1 Service unavailable;
Client host [77.54.4.226] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=77.54.4.226;
from= to= proto=ESMTP
helo=

If it's so, then write a script that parses the logs and sends you mail
for each "NOQUEUE: reject:"

but do you really want that?


[OT] sql lower (WAS: OT: Cyrus-sasl + virtual_mailbox_maps query - lowercase username)

2010-04-21 Thread mouss
Charles Marcus wrote:
> Hi,
> 
> I know this isn't exactly a postfix question, but I'm hoping someone
> will have pity on me and answer anyway...
> 
> I have a server using postfix+courier-imap+cyrus-sasl. Currently the
> query in virtual_mailbox_maps is:
> 
> query = SELECT maildir FROM mailbox WHERE username='%s'
> 
> If I want to force the supplied username to lowercase, would I change it to:
> 
> query = SELECT maildir FROM mailbox WHERE username=LOWER('%s')
> 

yes. but, in mysql at least, the default is case insensitive. so you
don't need that.


Re: Using Sasl authentication and RBL

2010-04-21 Thread mouss
Oliver Schinagl wrote:
> Hello all,
> 
> I've been trying to figure out why a new server I set up using postfix
> doesn't allow me to relay messages after I authenticate (using
> cyrus-sasl). It appears that I can authenticate just fine, but when I
> try to send a message, I get an RBL error. I obviously want my ADSL IP
> not to be whitelisted from the sending end (as it's DHCP and just a
> regular ADSL IP), but I would have expected that after authentication the
> RBL would be bypassed?
> 

Show logs that prove your claims:
1- user was authenticated
2- relay was denied

for (1), you should find a line like this:
Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
sasl_username=mo...@ml.netoyen.net



> I thought I pretty much set it up the same way as my older server, which
> accepts my mail just fine! Guess I was wrong, and I can't find the
> differences.
> 
> As I've set up my server, I tried to document it as well as possible over
> at the gentoo-wiki;
> 
> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
> 
> 
> The entire postfix server seems to be running excellently as far as I
> can tell, except for not being able to send from remote 'internet' IPs
> that are on the PBL.
> 
> Find below my postconf -n (having replaced the real hostname with
> foo.example)
> ===
> postconf -n
> biff = no
> broken_sasl_auth_clients = no
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib64/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 1
> disable_vrfy_command = yes
> home_mailbox = .maildir/
> html_directory = /usr/share/doc/postfix-2.6.5/html
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 2048
> mydomain = example.com
> myhostname = foo.example.com
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.5/readme
> recipient_delimiter = +
> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_banner = $myhostname NO UCE ESMTP
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
> bl.spamcop.net
> smtpd_delay_reject = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_mx_backup, check_policy_service
> inet:127.0.0.1:2525, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
> virtual_mailbox_base = /var/vmail
> virtual_mailbox_domains =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
> virtual_mailbox_limit_maps =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
> virtual_mailbox_limit_override = yes
> virtual_mailbox_maps =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
> virtual_maildir_extended = yes
> virtual_maildir_limit_message = "Sorry, the recipients mailbox is
> currently full. Please try again later."
> virtual_overquota_bounce = no
> virtual_trash_count = no
> virtual_trash_name = ".Trash"
> virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
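The log-parsing script mouss suggests in the Reject Notification thread, and the two kinds of log line he asks for here (a sasl_username line proving authentication, a NOQUEUE: reject line showing the denial), as an added Python example that is not code from either thread. It parses smtpd log lines modelled on the ones quoted above, groups them per session and builds the notification message; the sample lines, host names and addresses are constructed.

```python
import re
from email.message import EmailMessage

# Constructed sample lines modelled on the smtpd log lines quoted in the
# threads; the IP addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Apr 19 14:30:36 example postfix/smtpd[26549]: connect from "
    "xx-xxx-xx-xx.ip.someisp.nl[203.0.113.7]",
    "Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT from "
    "xx-xxx-xx-xx.ip.someisp.nl[203.0.113.7]: 554 5.7.1 Service unavailable; "
    "Client host [203.0.113.7] blocked using zen.spamhaus.org; "
    "http://www.spamhaus.org/query/bl?ip=203.0.113.7; proto=SMTP",
    "Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from "
    "xx-xxx-xx-xx.ip.someisp.nl[203.0.113.7]",
    "Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: "
    "client=yyy-yy-ftth.myisp.nl[198.51.100.9], sasl_method=LOGIN, sasl_username=theuser",
    "Apr 21 00:02:31 imlil postfix/smtpd[41698]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.44]: 550 5.1.1 <nobody@example.net>: Recipient address "
    "rejected: User unknown; from=<sender@example.org> to=<nobody@example.net> "
    "proto=ESMTP helo=<mail.example.org>",
]

SMTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "NOQUEUE: reject: <STAGE> from name[ip]: <code> <reason>; from=... proto=..."
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: (?P<stage>[A-Z]+) from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?)(?:; (?:from|proto)=.*)?$")
# "<queue id>: client=name[ip], sasl_method=..., sasl_username=..."
SASL_RE = re.compile(
    r"^(?P<queue_id>[0-9A-Za-z]+): client=(?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r".*\bsasl_username=(?P<user>\S+)")


def parse_line(line):
    """Return a dict for an smtpd log line (kind: reject, auth or other), or None."""
    m = SMTPD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m["ts"], "pid": int(m["pid"]), "kind": "other"}
    rej = REJECT_RE.match(m["msg"])
    if rej:
        rec.update(kind="reject", **rej.groupdict())
        return rec
    auth = SASL_RE.match(m["msg"])
    if auth:
        rec.update(kind="auth", **auth.groupdict())
    return rec


def rejects(lines):
    return [r for r in map(parse_line, lines) if r and r["kind"] == "reject"]


def session_summary(lines):
    """Per (smtpd pid, client IP) session: the SASL user, if one was ever
    logged, and the stage of the first reject.  A reject at CONNECT is issued
    before the client can even send AUTH, so permit_sasl_authenticated cannot
    have matched there; an RBL check in smtpd_client_restrictions with
    smtpd_delay_reject = no is evaluated at exactly that point."""
    sessions = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["kind"] == "other":
            continue
        s = sessions.setdefault((rec["pid"], rec["ip"]),
                                {"user": None, "rejected_at": None, "reason": None})
        if rec["kind"] == "auth":
            s["user"] = rec["user"]
        elif s["rejected_at"] is None:
            s["rejected_at"], s["reason"] = rec["stage"], rec["reason"]
    return sessions


def reject_report(lines):
    """One line per reject: the body of the notification mail."""
    return "\n".join(f"{r['ts']} {r['stage']} {r['client']}[{r['ip']}] "
                     f"{r['code']} {r['reason']}" for r in rejects(lines))


def build_notification(lines, sender, recipient):
    """Wrap the report in a message; hand it to smtplib or sendmail(1) to send."""
    rej = rejects(lines)
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{len(rej)} Postfix reject(s)"
    msg.set_content(reject_report(lines) or "no rejects")
    return msg


if __name__ == "__main__":
    for key, s in session_summary(SAMPLE_LOG).items():
        print(key, s)
    print(build_notification(SAMPLE_LOG, "postfix@localhost", "reject@localhost"))
```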



Re: Reject Notification

2010-04-21 Thread Eduardo Júnior
Hi,


On Wed, Apr 21, 2010 at 8:16 PM, Carlos Mennens  wrote:
> I was wondering if there is a simple way to have Postfix send all
> 'reject' messages regardless of the reason to a specific email like
> 'rej...@mydomain.tld' and then in my /etc/aliases file just route all
> mail to 'reject' to a known recipient? I was looking to see what the
> best suggestion would be for setting this up via Postfix? I just have
> 5 users on my server and from time to time I notice rarely there are
> some rejects but I would like to know about them rather than searching
> through logs. Anyone have any suggestions?
>
> -Carlos


I think that only for bounced messages is a notification (delivery status
information) returned to the sender.


http://www.postfix.org/bounce.8.html


To achieve what you want, an option is to use a log analyzer according
to a specific schedule. Pflogsumm is a good choice:

http://jimsun.linxnet.com/postfix_contrib.html


[]`s

-- 
Eduardo Júnior
GNU/Linux user #423272

:wq


Re: Why was this message rejected by postfix

2010-04-21 Thread Noel Jones

On 4/21/2010 3:04 PM, Russell Horn wrote:

Hi,

I believed I had the whole facebook IP block covered by
/etc/postfix/access by adding the line:

69.63.176.0/20 OK

And recreating the hash file.


cidr: syntax is not supported in hash: files.  You can list 
the first three octets to simulate a /24 or you can list 
each IP individually.




paddington:~ # postconf -n
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
$virtual_mailbox_maps


$virtual_mailbox_maps should not be included in 
local_recipient_maps.  This implies you have a 
virtual_mailbox_domain listed in mydestination; don't do that.



maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org,
bl.spamcop.net, blackholes.easynet.nl


The easynet.nl blacklists have been retired for years.  Most 
people have moved from sbl.spamhaus.org to zen.spamhaus.org.

mail-abuse.org is a subscription-only service.

RBLs are not a set-and-forget item.

Anyway, maps_rbl_domains is a deprecated syntax.  You should 
be using "reject_rbl_client rbl.example.com" in your 
smtpd_*_restrictions instead.


[...]

You should probably set relay_domains empty if you're not 
using any relay_domains.


relay_domains =


smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl


Deprecated syntax. This should be
smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/access
  reject_rbl_client zen.spamhaus.org
  reject_rbl_client bl.spamcop.net


smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_client_access
hash:/etc/postfix/access, reject_unauth_destination


Open relay warning!  Any client listed with OK in your access 
file has relay access.


To fix this, move reject_unauth_destination BEFORE 
check_client_access.

http://www.postfix.org/SMTPD_ACCESS_README.html#danger


hash:/etc/postfix/block,


Using a hash: file without check_{something}_access statement 
is deprecated syntax.  Use:

   check_recipient_access hash:/etc/postfix/block


reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_invalid_hostname, reject_unknown_sender_domain,
reject_unknown_client, check_relay_domains


check_relay_domains is deprecated (and doesn't do any good 
here at the end of your restrictions).  Remove it.



  -- Noel Jones
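The open-relay ordering and the deprecated-syntax points Noel raises, as an added linter that is not part of the reply: it parses the smtpd_recipient_restrictions value quoted in this thread, lists the problems and produces the reordered list. The tokenising rules (comma or whitespace separators, a bare type:name table standing for check_recipient_access) are Postfix's; the finding texts are mine.

```python
# The smtpd_recipient_restrictions value quoted in this thread, as one string.
RECIPIENT_RESTRICTIONS = (
    "permit_mynetworks, permit_sasl_authenticated, check_client_access "
    "hash:/etc/postfix/access, reject_unauth_destination "
    "hash:/etc/postfix/block, reject_non_fqdn_hostname, reject_non_fqdn_sender, "
    "reject_non_fqdn_recipient, reject_invalid_hostname, "
    "reject_unknown_sender_domain, reject_unknown_client, check_relay_domains"
)

# The restrictions that stop mail for domains this server is not responsible for.
RELAY_GATES = {"reject_unauth_destination", "defer_unauth_destination"}
DEPRECATED = {
    "check_relay_domains": "remove it; reject_unauth_destination already covers this",
    "reject_maps_rbl": "use reject_rbl_client <rbl.example.com> per list instead",
}


def tokenize(value):
    """Split a restriction list into (restriction, table) pairs.  Postfix accepts
    commas or whitespace as separators; a bare type:name table with no
    check_*_access in front is kept as ("", table) so it can be flagged."""
    words = value.replace(",", " ").split()
    tokens, i = [], 0
    while i < len(words):
        w = words[i]
        if w.startswith("check_") and w.endswith("_access") and i + 1 < len(words):
            tokens.append((w, words[i + 1]))
            i += 2
        elif ":" in w:
            tokens.append(("", w))
            i += 1
        else:
            tokens.append((w, None))
            i += 1
    return tokens


def lint_recipient_restrictions(value):
    """Return human-readable findings; an empty list means nothing was found."""
    tokens = tokenize(value)
    findings = []
    gate = next((i for i, (r, _) in enumerate(tokens) if r in RELAY_GATES), None)
    if gate is None:
        findings.append("no reject_unauth_destination at all: open relay")
    for i, (r, table) in enumerate(tokens):
        # any access table consulted before the relay gate can return OK, and
        # OK ends the evaluation: every client listed there may relay
        if table is not None and (gate is None or i < gate):
            findings.append(f"{r or 'bare table'} {table} is consulted before "
                            "reject_unauth_destination: an OK entry there grants relay access")
        if r == "":
            findings.append(f"bare table {table}: write check_recipient_access {table}")
        if r in DEPRECATED:
            findings.append(f"{r} is deprecated: {DEPRECATED[r]}")
    return findings


def harden(value):
    """Rewrite the list: relay gate moved in front of the first access table,
    bare tables given an explicit check_recipient_access, check_relay_domains
    dropped.  permit_* entries ahead of the gate stay where they are, since
    they are what grants relay access to trusted clients on purpose."""
    tokens = [t for t in tokenize(value) if t[0] != "check_relay_domains"]
    gates = [t for t in tokens if t[0] in RELAY_GATES] or [("reject_unauth_destination", None)]
    rest = [t for t in tokens if t[0] not in RELAY_GATES]
    first_table = next((i for i, t in enumerate(rest) if t[1] is not None), len(rest))
    fixed = rest[:first_table] + gates + rest[first_table:]
    return ", ".join(f"{r or 'check_recipient_access'} {t}" if t else r for r, t in fixed)


if __name__ == "__main__":
    for finding in lint_recipient_restrictions(RECIPIENT_RESTRICTIONS):
        print("-", finding)
    print(harden(RECIPIENT_RESTRICTIONS))
```

Postfix 2.10 and later additionally evaluate smtpd_relay_restrictions, which carries reject_unauth_destination by default, so on current releases an ordering mistake in smtpd_recipient_restrictions alone no longer opens the relay.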


Re: Why was this message rejected by postfix

2010-04-21 Thread Victor Duchovni
On Wed, Apr 21, 2010 at 04:04:32PM -0400, Russell Horn wrote:

> Hi,
> 
> I believed I had the whole facebook IP block covered by
> /etc/postfix/access by adding the line:
> 
> 69.63.176.0/20 OK
> 
> And recreating the hash file.

cidr != hash

Choose one or the other.

cidr:
69.63.176.0/20  OK

hash:
69.63.176   OK
69.63.177   OK
69.63.178   OK
69.63.179   OK
69.63.180   OK
69.63.181   OK
69.63.182   OK
69.63.183   OK
69.63.184   OK
69.63.185   OK
69.63.186   OK
69.63.187   OK
69.63.188   OK
69.63.189   OK
69.63.190   OK
69.63.191   OK

-- 
Viktor.

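The hash: versus cidr: lookup difference above, as an added Python example that is not from the reply: it reproduces the octet-prefix lookup order Postfix uses for an IPv4 client in a hash: access table (access(5)), shows why a CIDR key never matches there, and generalises Victor's hand-written expansion to any IPv4 prefix. The tables are constructed; 69.63.178.177 is the rejected client from the original post.

```python
import ipaddress

# Constructed tables: the key exactly as written in the thread (a CIDR block
# in a hash: file) and, for comparison, the same block in a cidr: table.
BROKEN_HASH_ACCESS = {"69.63.176.0/20": "OK"}
CIDR_ACCESS = {"69.63.176.0/20": "OK"}


def hash_lookup_keys(ip):
    """Keys Postfix tries, in order, for an IPv4 client in a hash: access
    table: the full address, then the address with one, two and three
    trailing octets removed (so "69.63.178" stands for 69.63.178.0/24)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(octets[:n]) for n in (4, 3, 2, 1)]


def hash_table_action(table, ip):
    """The first key that exists wins; None means no entry matched."""
    for key in hash_lookup_keys(ip):
        if key in table:
            return table[key]
    return None


def cidr_table_action(table, ip):
    """cidr: lookup: the first network in file order containing the address
    wins.  Host bits beyond the prefix must be zero, as Postfix requires."""
    addr = ipaddress.IPv4Address(ip)
    for pattern, action in table.items():
        if addr in ipaddress.IPv4Network(pattern, strict=True):
            return action
    return None


def hash_entries_for_network(cidr, action="OK"):
    """Expand an IPv4 network into the octet-prefix lines a hash: table needs
    to cover it: one three-octet key per 256 addresses for a /17../24, one
    two-octet key per 65536 addresses for a /9../16, and so on."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 has no octet-prefix form; use a cidr: table")
    boundary = -(-net.prefixlen // 8) * 8          # next multiple of 8 >= prefixlen
    lines = []
    for sub in net.subnets(new_prefix=boundary):
        prefix = ".".join(str(sub.network_address).split(".")[: boundary // 8])
        lines.append(f"{prefix}\t{action}")
    return lines


if __name__ == "__main__":
    ip = "69.63.178.177"
    print("hash: with CIDR key  :", hash_table_action(BROKEN_HASH_ACCESS, ip))
    print("cidr: table          :", cidr_table_action(CIDR_ACCESS, ip))
    fixed = dict(line.split("\t") for line in hash_entries_for_network("69.63.176.0/20"))
    print("hash: with prefixes  :", hash_table_action(fixed, ip))
    print("\n".join(hash_entries_for_network("69.63.176.0/20")))
```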


Reject Notification

2010-04-21 Thread Carlos Mennens
I was wondering if there is a simple way to have Postfix send all
'reject' messages regardless of the reason to a specific email like
'rej...@mydomain.tld' and then in my /etc/aliases file just route all
mail to 'reject' to a known recipient? I was looking to see what the
best suggestion would be for setting this up via Postfix? I just have
5 users on my server and from time to time I notice rarely there are
some rejects but I would like to know about them rather than searching
through logs. Anyone have any suggestions?

-Carlos


Re: Fixing reverse DNS lookup for a virtual domain

2010-04-21 Thread Kārlis Repsons
On Tuesday 20 April 2010 20:50:08 Noel Jones wrote:
> Here's the problem, your IP has no hostname:
> # host 85.15.210.5
> Host 5.210.15.85.in-addr.arpa not found: 3(NXDOMAIN)
..
> Your HELO name and rDNS name should match, there should be an
> A record for the rDNS name that points back to the same IP.
Thanks...


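The three conditions quoted above (a PTR record for the IP, an A record for that name pointing back at the same IP, and a HELO name equal to it), as an added check that is not from the thread. The resolver is injected so the constructed records below run offline; live_ptr and live_a are the real-resolver versions for use on a running system.

```python
import socket

# Constructed DNS data standing in for real lookups so the check runs offline.
# 85.15.210.5 deliberately has no PTR, as in the thread; the other addresses
# are RFC 5737 documentation addresses.
PTR_RECORDS = {"203.0.113.10": "mail.example.com", "203.0.113.12": "mx.example.net"}
A_RECORDS = {"mail.example.com": ["203.0.113.10"], "mx.example.net": ["203.0.113.11"]}


def fcrdns_check(ip, helo, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS plus HELO consistency.
    Returns (ok, findings); findings is empty exactly when ok is True."""
    findings = []
    name = ptr_lookup(ip)
    if not name:
        findings.append(f"{ip} has no PTR record (NXDOMAIN)")
        return False, findings              # nothing further can be checked
    if ip not in a_lookup(name):
        findings.append(f"rDNS name {name} does not resolve back to {ip}")
    if helo.rstrip(".").lower() != name.rstrip(".").lower():
        findings.append(f"HELO {helo} differs from rDNS name {name}")
    return not findings, findings


def fake_ptr(ip):
    return PTR_RECORDS.get(ip)


def fake_a(name):
    return A_RECORDS.get(name, [])


def live_ptr(ip):
    """Real resolver (needs network access): the PTR name, or None on NXDOMAIN."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name):
    """Real resolver: all IPv4 addresses of name, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip, helo in [("85.15.210.5", "mail.example.net"),
                     ("203.0.113.10", "mail.example.com"),
                     ("203.0.113.12", "mx.example.net")]:
        print(ip, helo, fcrdns_check(ip, helo, fake_ptr, fake_a))
```

Postfix's reject_unknown_client_hostname restriction performs the first two checks itself on every connection; the HELO comparison is the part this script adds.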


Why was this message rejected by postfix

2010-04-21 Thread Russell Horn
Hi,

I believed I had the whole facebook IP block covered by
/etc/postfix/access by adding the line:

69.63.176.0/20 OK

And recreating the hash file.

However, a message from that block was rejected on account of its
listing by spamcop.

Apr 21 20:39:51 paddington postfix/smtpd[29991]: connect from
outmail018.snc1.tfbnw.net[69.63.178.177]
Apr 21 20:39:51 paddington postfix/smtpd[29991]: NOQUEUE: reject: RCPT
from outmail018.snc1.tfbnw.net[69.63.178.177]: 550 Service
unavailable; Client host [69.63.178.177] blocked using bl.spamcop.net;
Blocked - see http://www.spamcop.net/bl.shtml?69.63.178.177;
from= to=
proto=ESMTP helo=
Apr 21 20:39:56 paddington postfix/smtpd[29991]: disconnect from
outmail018.snc1.tfbnw.net[69.63.178.177]


Can anyone explain what I have wrong? Here's postconf -n


paddington:~ # postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases,
hash:/etc/php_email_aliases
body_checks = pcre:/etc/postfix/virus
bounce_size_limit = 1000
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 3
default_process_limit = 100
defer_transports =
disable_dns_lookups = no
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/headerchecks
html_directory = /usr/share/doc/packages/postfix/html
invalid_hostname_reject_code = 501
lmtp_sasl_security_options = noanonymous
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
$virtual_mailbox_maps
mail_name = Postfix ESMTP $myhostname
mail_spool_directory = /var/mail
mailbox_transport = lmtp:unix:/var/spool/postfix/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org,
bl.spamcop.net, blackholes.easynet.nl
maps_rbl_reject_code = 550
masquerade_domains = staff.example.org
masquerade_exceptions = root
message_size_limit = 4000
mime_header_checks = pcre:/etc/postfix/virus
mydestination = example.org mail.example.org
myhostname = mail.example.org
mynetworks = 87.82.228.xxx
myorigin = example.org
newaliases_path = /usr/bin/newaliases
owner_request_special = no
readme_directory = /usr/share/doc/packages/postfix/README_FILES
recipient_delimiter = +
reject_code = 550
relay_domains_reject_code = 550
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/certs/ssl.ca
smtp_tls_cert_file = /etc/postfix/certs/ssl.cert
smtp_tls_key_file = /etc/postfix/certs/ssl.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = sdbm:/etc/postfix/cache/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_client_access
hash:/etc/postfix/access, reject_unauth_destination
hash:/etc/postfix/block, reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_invalid_hostname, reject_unknown_sender_domain,
reject_unknown_client, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = paddington
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access, hash:/etc/postfix/spammers
smtpd_tls_CAfile = /etc/ssl/certs/commercial.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/www.example.org.wc.2010.crt
smtpd_tls_key_file = /etc/ssl/certs/www.example.org.imap.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = sdbm:/etc/postfix/cache/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport


Re: Major Bug!!

2010-04-21 Thread Wietse Venema
The Doctor:
> Found the problem, a filter was set to 120.0.0.1 instead of 127.0.0.1.
> 
> I thought it was fixed.
> 
> Even after 'fixing' this problem, postfix still insisted the filter
> was at 120.0.0.1.

See the "postsuper -r" option:

http://www.postfix.org/postsuper.1.html

This is also referenced from:

http://www.postfix.org/FILTER_README.html#advanced_turnoff

Which describes what to do when you change your mind about the
current content_filter setting.

Wietse


OT: Cyrus-sasl + virtual_mailbox_maps query - lowercase username

2010-04-21 Thread Charles Marcus
Hi,

I know this isn't exactly a postfix question, but I'm hoping someone
will have pity on me and answer anyway...

I have a server using postfix+courier-imap+cyrus-sasl. Currently the
query in virtual_mailbox_maps is:

query = SELECT maildir FROM mailbox WHERE username='%s'

If I want to force the supplied username to lowercase, would I change it to:

query = SELECT maildir FROM mailbox WHERE username=LOWER('%s')

?

Tia...

Charles


Re: Major Bug!!

2010-04-21 Thread Victor Duchovni
On Wed, Apr 21, 2010 at 11:20:11AM -0600, The Doctor wrote:

> Dear Wietse,
> 
> There is a bug in Postfix that should be looked at immediately.

Dear "Doctor", if you don't want to be ridiculed and summarily dismissed,
ask humbly for clarification of how things are expected to work and
whether what you are experiencing is expected behaviour before making
wild accusations and implying that someone owes you "immediate" support
for free software.

> http://groups.google.com/group/alt.comp.mail.postfix/browse_thread/thread/fa83dc31cec1194e#
> 
> In case you think I am being pompous, I am not.

I am afraid only others can refute this claim, you are not in a position
to do so.

> Found the problem, a filter was set to 120.0.0.1 instead of 127.0.0.1.
> I thought it was fixed.

The content filter of already accepted messages is a queue-file property.
As documented, files already in the queue need to be reprocessed with
new filter settings:

http://www.postfix.org/FILTER_README.html#advanced_turnoff

In your case you want to correct rather than disable the filter, but the
idea is the same.

> All right I do not mind the smtp_fallback_relay , but this indicates a bug
> somewhere in postfix.  
> 
> Even if told to change directions, it was still looking for the wrong server?
> 
> I tried both 2.7.0 and 2.8 experimental!
> 
> The debugging section helped and still we have a backup of e-mail.
> 
> PLEASE fix! 

This is the last time you get any help with that tone. Future violations
will lead to the termination of your list subscription.

-- 
Viktor.



Re: Major Bug!!

2010-04-21 Thread Matt Hayes
On 4/21/2010 1:20 PM, The Doctor wrote:
> Dear Wietse,
> 
> There is a bug in Postfix that should be looked at immediately.
> 
> From 
> 
> http://groups.google.com/group/alt.comp.mail.postfix/browse_thread/thread/fa83dc31cec1194e#
> 
> In case you think I am being pompous, I am not.
> 
> Found the problem, a filter was set to 120.0.0.1 instead of 127.0.0.1.
> 
> I thought it was fixed.
> 
> Even after 'fixing' this problem, postfix still insisted the filter
> was at 120.0.0.1.
> 
> All right I do not mind the smtp_fallback_relay , but this indicates a bug
> somewhere in postfix.  
> 
> Even if told to change directions, it was still looking for the wrong server?
> 
> I tried both 2.7.0 and 2.8 experimental!
> 
> The debugging section helped and still we have a backup of e-mail.
> 
> PLEASE fix! 
> 
> 


Have you by chance looked at: man postsuper and reference the -r parameter?

-Matt


Major Bug!!

2010-04-21 Thread The Doctor
Dear Wietse,

There is a bug in Postfix that should be looked at immediately.

From 

http://groups.google.com/group/alt.comp.mail.postfix/browse_thread/thread/fa83dc31cec1194e#

In case you think I am being pompous, I am not.

Found the problem, a filter was set to 120.0.0.1 instead of 127.0.0.1.

I thought it was fixed.

Even after 'fixing' this problem, postfix still insisted the filter
was at 120.0.0.1.

All right I do not mind the smtp_fallback_relay , but this indicates a bug
somewhere in postfix.  

Even if told to change directions, it was still looking for the wrong server?

I tried both 2.7.0 and 2.8 experimental!

The debugging section helped and still we have a backup of e-mail.

PLEASE fix! 


-- 
Member - Liberal International  This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist 
rising! 
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
UK Time for a Common Sense change vote Liberal Democrat / Alliance 


Re: Unknown senders and spam

2010-04-21 Thread Noel Jones

On 4/21/2010 9:31 AM, Alex wrote:

Hi,


You're still using warn_if_reject wrong; that's why you're getting an error.

If you post your "postconf -n" we can show you exactly what to change to use
warn_if_reject.


Thanks so much for your help. I've included it below. Ideally I'd like
to have support for smtpd_restriction_classes and
reject_unknown_reverse_client_hostname or related lesser strict
restrictions. You'll notice I have two instances set up, for use with
amavisd.


For new features you'll need to upgrade.  As a general rule, 
upgrading postfix is pretty easy if you read the RELEASE_NOTES.


That said, smtpd_restriction_classes is a fairly old feature, 
and likely supported by your version.  For the others, you'll 
need to upgrade.




relay_domains = $mydestination, mydomain.com, mkt.mydomain.com,
sales.mydomain.com


Unless these are really relay_domains (relayed to a different 
server for final delivery) they shouldn't be listed here.


relay_domains =



smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
permit_mynetworks,
check_client_access hash:/etc/postfix/client_checks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unauth_destination,
check_helo_access hash:/etc/postfix/helo_checks,
check_recipient_access pcre:/etc/postfix/recipient_checks,
check_recipient_access pcre:/etc/postfix/main_relay_recip_checks,
check_recipient_access pcre:/etc/postfix/sales_recip_map,
check_sender_access hash:/etc/postfix/sender_checks,
check_client_access hash:/etc/postfix/client_checks,
reject_maps_rbl


Change the above line to
warn_if_reject reject_maps_rbl



  -- Noel Jones


Re: Postfix & Exchange 2007

2010-04-21 Thread Victor Duchovni
On Wed, Apr 21, 2010 at 12:59:15PM +0200, Cyril Vieville wrote:

> I made some modifications in the Postfix configuration.
> 
>  
> 
> /etc/postfix/main.cf :
> mydestination = localhost, localhost.test.com, localhost.testing.com
> relay_domains = fr.design.test.com, test.com, testing.com

If your domain is local, by making it a relay_domain, you lose recipient
validation, unless you duplicate /etc/passwd and /etc/aliases into a
relay_recipient_maps table. Not doing recipient validation is bad for
the health of your queue and bad for your spam reputation (lots of
spam backscatter).

If the domain is formerly a local domain, use:

virtual(5)
aliases(5)
or
http://www.postfix.org/postconf.5.html#mailbox_transport_maps

to rewrite or reroute some local recipients to the MSFT Exchange server.

The last option requires that any users whose "local" system account is no
longer present in the servers passwd file be added to local_recipient_maps
by using $mailbox_transport_maps directly, or by building both
mailbox_transport_maps and a component of local_recipient_maps from a
common data source.

I strongly recommend virtual(5). Ideally the MSFT Exchange server is
configured with an internal domain for which it is fully authoritative,
and users are given proxyAddresses in that domain in addition to their
primary external address. The virtual(5) table then rewrites into the
internal domain, which is routed exclusively to Exchange.


> test.com   local
> testing.com local

This is generally not a good idea. Local domains should be listed in
mydestination.

> But I encounter the problem of authentication. It seems that I need to
> authenticate Postfix to Exchange 2007 for the migrated users to receive an
> email and 

This is an Exchange misconfiguration, and this is not the right place
to ask for help with that. Exchange should accept mail for its own
users without authentication, but you can limit the IP addresses from
which it will accept mail if you wish.

-- 
Viktor.

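The virtual(5) arrangement Victor recommends, written out as an added configuration example that is not from the thread: the domains are the ones from the original post, while the Exchange-only internal domain, its host name and the user are assumed. Only migrated users are rewritten; everyone else stays a local recipient and keeps the /etc/passwd and /etc/aliases validation that making test.com a relay_domain would lose.

```conf
# /etc/postfix/main.cf
# test.com and testing.com stay local: recipient validation keeps working
mydestination = localhost, localhost.test.com, test.com, testing.com
# the only relay domain is the internal one that exists solely on Exchange
relay_domains = exchange.test.internal
# validate mail addressed directly to the internal domain as well
relay_recipient_maps = hash:/etc/postfix/exchange_recipients
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/virtual -- migrated users only (assumed user "alice");
# each of them has the internal address as a proxyAddress on Exchange
alice@test.com              alice@exchange.test.internal

# /etc/postfix/transport -- the internal domain is routed only to Exchange;
# the brackets suppress the MX lookup (assumed host name)
exchange.test.internal      smtp:[exchange01.test.internal]

# /etc/postfix/exchange_recipients
alice@exchange.test.internal   OK
```

Run postmap on the three hash files and postfix reload afterwards; the "test.com local" transport entries from the original post are then no longer needed.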


RE: Email attachment parsing via mime4j

2010-04-21 Thread Sharma, Ashish
Wietse,

Accept my apologies.

But I thought Postfix mailing list subscribers might have good ideas about MIME 
parsing and such stuff.

Thanks for helping and replying patiently.

Ashish Sharma

-Original Message-
From: Wietse Venema [mailto:wie...@porcupine.org] 
Sent: Wednesday, April 21, 2010 9:03 PM
To: Sharma, Ashish
Cc: Postfix users
Subject: Re: Email attachment parsing via mime4j

Sharma, Ashish:
> But since there are lots of cases that I need to cater to that's
> why I am looking for a MIME processor that does this all catering
> to all of the possible cases (like text/html, text/plain,
> multipart/alternative, multipart/mixed, multipart/related etc) on
> the backend.
...
> Please suggest such a MIME processor (preferably in java or C#)
> that I can use as a custom library and lessen the complexity of
> parsing MIME by using javax mail api.

This mailing list is about the Postfix mail server.

Your question is about how to implement a MIME processor,
not about Postfix.

Wietse


Re: Email attachment parsing via mime4j

2010-04-21 Thread Wietse Venema
Sharma, Ashish:
> But since there are lots of cases that I need to cater to that's
> why I am looking for a MIME processor that does this all catering
> to all of the possible cases (like text/html, text/plain,
> multipart/alternative, multipart/mixed, multipart/related etc) on
> the backend.
...
> Please suggest such a MIME processor (preferably in java or C#)
> that I can use as a custom library and lessen the complexity of
> parsing MIME by using javax mail api.

This mailing list is about the Postfix mail server.

Your question is about how to implement a MIME processor,
not about Postfix.

Wietse


RE: Email attachment parsing via mime4j

2010-04-21 Thread Sharma, Ashish
Wietse,

I have an implementation wherein the SMTP 
library (http://code.google.com/p/subethasmtp/) is delivering the mail byte 
stream to my custom logic; here, by using the javax mail API, I am able to strip the 
attachments etc. out of the byte stream.

But since there are lots of cases that I need to cater to, that's why I am 
looking for a MIME processor that does all this, catering to all of the possible 
cases (like text/html, text/plain, multipart/alternative, multipart/mixed, 
multipart/related etc.) on the backend.

Currently, in the case of the javax mail API, I had to manually check the MIME types 
etc. and parse them by using API abstractions and related methods, which is 
proving to be quite involved and confusing.

Please suggest such a MIME processor (preferably in Java or C#) that I can use 
as a custom library and lessen the complexity of parsing MIME by using the javax 
mail API.

Thanks in advance

Ashish Sharma

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Wietse Venema
Sent: Wednesday, April 21, 2010 8:17 PM
To: Postfix users
Subject: Re: Email attachment parsing via mime4j

Sharma, Ashish:
> Hi,
> 
> I am using a small java smtp library
> (http://code.google.com/p/subethasmtp/), by this I need to parse
> the incoming emails in separate components viz body, attachments
> etc.
>
> I am trying to use mime4j , but the documentation suggests that
> mime4j can only give event notification or token notification and
> nothing else. For stripping out body and attachments etc I had to
> use my own custom logic inside the event handlers. Is my observation
> correct?
>
> If yes, then how can I use mime4j for my requirement? Please
> suggest.
>
> I need an approach that takes in the smtp data stream and returns
> me with an array of attachment references or streams in fully
> parsed out form in java. Please help.

There are two options.

1) Have an existing MTA deliver the mail to your program as a local
   file, or as a byte stream over a local IPC channel.

2) Have an existing MTA deliver the mail to your program over SMTP,
   in which case you need to combine the MIME processor with an
   SMTP engine (preferably one that already exists).

Wietse



Re: Relay between 2 Postfix : SASL authentication failure

2010-04-21 Thread Gregory BELLIER

Hi !

I managed to make it work. Finally ! Thank you Victor !

However, I've done dozens of tests and I found a weird behaviour when 
authenticating, and I can reproduce it every time.


This is a test sample I've done. Obviously to have a success, the 
login/password in sasl_passwd.db and the login/unix passwd on mta2 are a 
match.




MTA1 Unix passwd | MTA1 sasl_passwd.db | MTA2 Unix passwd | Result
popo             | arthur              | arthur           | success (normal)
popo             | laura               | arthur           | fail (normal)
arthur           | laura               | arthur           | fail (normal)
arthur           | laura               | michel           | fail (normal)
arthur           | michel              | michel           | success (normal)
popo             | popo                | popo             | success (normal)
alfred           | popo                | alfred           | success (*not* normal)

On MTA2, after decryption of the base64, I get username/popo as expected 
but the authentication succeeds.


After restarting (/etc/init.d/postfix restart) on both machines, it 
still validates.

If I reboot the machines, it fails as it is supposed to.

I'm not sure if the unix password on MTA1 is relevant here but I wrote 
it on my paper so maybe it could be a hint, I don't know...




Re: Problem using deliver as LDA

2010-04-21 Thread Bastien Semene
I tried to modify the files permissions and the uids in the conf file, 
but that changed nothing.


I can't find what "euid" and "egid" exactly are, so I can't understand 
what postfix is logging.

If someone can point me to some resources on this, it will be a great help!

Thanks,
Bastien Semene

On 21/04/2010 11:42, Bastien Semene wrote:

> Hi list,
>
> There's something I can't figure out with deliver as LDA configuration.
> I'm working with Postfix and Dovecot.
>
> I configured deliver as explained in the official doc and some
> directives I found in the conf file or while googling to resolve my
> issue:
>
> dovecot.conf:
> protocol lda {
> postmaster = em...@domain.com (actually working email)
> sendmail_path = /usr/sbin/sendmail
> auth_socket_path = /var/run/dovecot/auth-master
> }
>
> auth default {
> ...
>   socket listen {
>     master {
>       path = /var/run/dovecot/auth-master
>       mode = 0600
>       user = nobody
>     }
> ...
>   }
> }
>
> postfix/main.cf:
> virtual_transport = dovecot
>
> postfix/master.cf:
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=nobody argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
>
> But mail is not delivered, and produces the following log lines:
> Apr 21 11:21:43 mail dovecot: deliver(em...@domain.com): Fatal:
> setgid(125(postfix)) failed with euid=65534(nobody),
> gid=65534(nobody), egid=65534(nobody): Operation not permitted
> Apr 21 11:21:43 mail postfix/pipe[27550]: 21BBF9247DE:
> to=, relay=dovecot, delay=1179,
> delays=1178/0.07/0/0.07, dsn=4.3.0, status=deferred (temporary failure)
>
> I did a "ls" in case some permissions went wrong, but everything seems
> ok:
> [r...@mail] c# ls -hal /var/run/dovecot
> total 8
> drwxr-xr-x  3 root    wheel    512B Apr 21 11:11 .
> drwxr-xr-x  5 root    wheel    512B Apr 21 11:11 ..
> srw-------  1 nobody  wheel      0B Apr 21 11:11 auth-master
> srw-------  1 root    wheel      0B Apr 21 11:11 auth-worker.27424
> srwxrwxrwx  1 root    wheel      0B Apr 21 11:11 dict-server
> lrwx------  1 root    wheel     27B Apr 21 11:11 dovecot.conf -> /usr/local/etc/dovecot.conf
> drwxr-x---  2 root    dovecot  512B Apr 21 11:11 login
> -rw-------  1 root    wheel      6B Apr 21 11:11 master.pid
>
> Dovecot is using MySQL as the userdb backend, but I think the auth process
> must pass through this socket to authenticate through dovecot against
> the MySQL server.
>
> Everything works fine while using (postfix) virtual as LDA.
> I think the setgid(125(postfix)) can be the problem, but the mailboxes
> use this uid:
>
> virtual_uid_maps = static:125
> [r...@mail] # ls -hal /usr/local/mailboxes/domain.com
> total 6
> drwx------   3 postfix  postfix   512B Nov  2 15:40 .
> drwx------   3 postfix  postfix   512B Nov  2 15:40 ..
> drwx------  14 postfix  postfix   1.0K Apr 21 09:58 email
>
> [r...@mail] # cat /etc/passwd | grep 125
> postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
>
> Maybe the use of postfix as mail owner was a bad idea and the problem
> appears now that pipe(8) doesn't allow postfix as user.
>
> If I'm right, how can I solve this issue?
>
> --
> Network & Systems Administrator
>
> Cyanide Studio - FRANCE


Re: problem with postdrop: warning: mail_queue_enter: create file maildrop/631329.7980: Permission denied

2010-04-21 Thread Wietse Venema
peceka:
> Hi all!
> 
> I've created a jail on a FreeBSD system and put postfix into it.
> When I'm in the jail and want to send mail I've got many such errors:
> Apr 21 16:30:49 rt postfix/postdrop[7852]: warning: mail_queue_enter:
> create file maildrop/103703.7852: Permission denied

You broke the file permissions, or your file system does not support
setuid/setgid execution.

To correct the permissions execute the command:

# postfix set-permissions

(this requires Postfix 2.1 or later).

Wietse


Re: Email attachment parsing via mime4j

2010-04-21 Thread Wietse Venema
Sharma, Ashish:
> Hi,
> 
> I am using a small java smtp library
> (http://code.google.com/p/subethasmtp/), by this I need to parse
> the incoming emails in separate components viz body, attachments
> etc.
>
> I am trying to use mime4j , but the documentation suggests that
> mime4j can only give event notification or token notification and
> nothing else. For stripping out body and attachments etc I had to
> use my own custom logic inside the event handlers. Is my observation
> correct?
>
> If yes then how can I use mime4j to use for my requirement. Please
> suggest.
>
> I need an approach that takes in the SMTP data stream and returns
> an array of attachment references or streams in fully parsed form
> in Java. Please help.

There are two options.

1) Have an existing MTA deliver the mail to your program as a local
   file, or as a byte stream over a local IPC channel.

2) Have an existing MTA deliver the mail to your program over SMTP,
   in which case you need to combine the MIME processor with an
   SMTP engine (preferably one that already exists).

Wietse
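Option 1 above ends with the message arriving at the program as a local file or a byte stream, and Ashish's question is what to do with it from there. What follows is an added example, not code from the thread and not mime4j or javax.mail: Python's standard-library `email` package stands in for the Java MIME processor asked about. It parses a constructed message, picks the text body out of a multipart/alternative, and collects attachments with their transfer encoding undone. The attachment file name is the one field a sender fully controls, so the example treats it as untrusted before it could ever be used on a file system.

```python
"""Split a MIME message received as a byte stream into body text and
attachments: the shape of "option 1" above, with the MTA handing the message
to the program over a pipe or as a file.

Added example, standard library only, not code from the thread.
"""
import email
import email.policy
import os
import re
import sys

# Constructed sample: multipart/mixed wrapping a multipart/alternative body
# and one base64 attachment whose declared filename carries a directory part.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: rcpt@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Plain text body
--inner
Content-Type: text/html; charset="utf-8"

<p>HTML body</p>
--inner--
--outer
Content-Type: application/octet-stream; name="../report.bin"
Content-Disposition: attachment; filename="../report.bin"
Content-Transfer-Encoding: base64

AAECAw==
--outer--
"""


def safe_filename(name):
    """Reduce a sender-supplied attachment name to a bare file name.

    Drop any directory component (either slash style) and every character
    outside a conservative allow-list before the name touches a filesystem.
    """
    base = os.path.basename((name or "unnamed").replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "unnamed"


def split_message(raw):
    """Return {"body": str, "attachments": [dict, ...]} for a raw message.

    The body is the preferred text part (text/plain, else text/html), which
    get_body() finds by descending multipart/alternative and multipart/mixed.
    Attachments are collected from every nesting level by walk(), and
    get_content() undoes the transfer encoding (base64, quoted-printable).
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if not (part.is_attachment() or part.get_filename()):
            continue
        data = part.get_content()
        if isinstance(data, str):  # text/* attachment: store it as bytes too
            data = data.encode(part.get_content_charset() or "utf-8")
        attachments.append({
            "filename": safe_filename(part.get_filename()),
            "content_type": part.get_content_type(),
            "size": len(data),
            "data": data,
        })
    return {"body": body, "attachments": attachments}


if __name__ == "__main__":
    # Read the message from stdin when one is piped in, else use the sample.
    raw = SAMPLE_MESSAGE if sys.stdin.isatty() else sys.stdin.buffer.read()
    result = split_message(raw)
    print("body:", result["body"].strip())
    for att in result["attachments"]:
        print("attachment:", att["filename"], att["content_type"], att["size"])
```

Wired up as a pipe(8) transport in master.cf, the script receives exactly the byte stream option 1 describes on its standard input; `split_message()` never trusts the declared file name, and a nested multipart (a forwarded message carrying its own attachments) is handled by `walk()` rather than by the top-level-only `iter_attachments()`.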



problem with postdrop: warning: mail_queue_enter: create file maildrop/631329.7980: Permission denied

2010-04-21 Thread peceka
Hi all!

I've created a jail on a FreeBSD system and put postfix into it.
When I'm in the jail and want to send mail I've got many such errors:
Apr 21 16:30:49 rt postfix/postdrop[7852]: warning: mail_queue_enter:
create file maildrop/103703.7852: Permission denied
Apr 21 16:31:14 rt postfix/postdrop[7980]: warning: mail_queue_enter:
create file maildrop/619206.7980: Permission denied
Apr 21 16:31:24 rt postfix/postdrop[7980]: warning: mail_queue_enter:
create file maildrop/620043.7980: Permission denied
Apr 21 16:31:34 rt postfix/postdrop[7980]: warning: mail_queue_enter:
create file maildrop/624650.7980: Permission denied
Apr 21 16:31:44 rt postfix/postdrop[7980]: warning: mail_queue_enter:
create file maildrop/625766.7980: Permission denied

I've double checked that the permissions are correct (the directory structure
and permissions are made by postfix-script):

host# ls -l /var/jails/jail1/var/spool/postfix/
total 28
drwx------  2 postfix  wheel     512 Apr 21 13:51 active
drwx------  2 postfix  wheel     512 Apr 21 13:51 bounce
drwx------  2 postfix  wheel     512 Apr 21 13:03 corrupt
drwx------  2 postfix  wheel     512 Apr 21 13:03 defer
drwx------  2 postfix  wheel     512 Apr 21 13:03 deferred
drwx------  2 postfix  wheel     512 Apr 21 13:03 flush
drwx------  2 postfix  wheel     512 Apr 21 13:03 hold
drwx------  2 postfix  wheel     512 Apr 21 13:51 incoming
drwx-wx---  2 postfix  maildrop  512 Apr 21 13:51 maildrop
drwxr-xr-x  2 root     wheel     512 Apr 21 13:27 pid
drwx------  2 postfix  wheel     512 Apr 21 13:47 private
drwx--x---  2 postfix  maildrop  512 Apr 21 13:47 public
drwx------  2 postfix  wheel     512 Apr 21 13:03 saved
drwx------  2 postfix  wheel     512 Apr 21 13:03 trace
host#

When I do:
chmod o+wx /var/jails/jail1/var/spool/postfix/maildrop
the file is created but I get another error:
Apr 21 16:39:48 rt postfix/postdrop[8004]: warning: unable to look up
public/pickup: Permission denied
so when I do:
chmod o+gx /var/jails/jail1/var/spool/postfix/public
sending mails is working.

But when I test sending mails outside the jail everything is
working even when:
drwx-wx---  2 postfix  maildrop  512 Apr 21 13:51 maildrop
drwx--x---  2 postfix  maildrop  512 Apr 21 13:47 public

Can somebody help me to resolve this problem without changing the
default permissions?

TIA,
p.
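Wietse's answer earlier in this digest gives two causes for this maildrop error, broken permission bits or a file system that does not honour set-uid/set-gid execution, and the jail case above shows why the second one is easy to miss: the spool directories look right from the host, and the only thing that differs inside the jail is whether postdrop(1) really runs set-gid to the maildrop group. The check below is an added example, not from the thread: it reads the bits with stat(2) and the file system's nosuid flag with statvfs(2) and reports every reason the kernel would refuse to raise the group id. The path /usr/sbin/postdrop is an assumed default; the self-test builds its own throw-away file.

```python
"""Check whether a set-gid helper such as postdrop(1) can really run set-gid.

Added example, not from the thread. The two causes named in the answer,
wrong permission bits (fixed with "postfix set-permissions") and a file
system that ignores set-uid/set-gid, are both visible from one stat(2) plus
one statvfs(2) call, which is what this check does.
"""
import grp
import os
import stat
import sys
import tempfile


def setgid_problems(binary, fs_flags=None, expected_group=None):
    """Return the reasons why set-gid execution of `binary` would not work.

    An empty list means the set-gid bit is present, the file is executable
    by others, the group owner is the expected one (when given), and the
    file system does not ignore the bit. `fs_flags` overrides the statvfs
    f_flag value; self_test() uses that to simulate a nosuid mount.
    """
    st = os.stat(binary)
    if fs_flags is None:
        fs_flags = os.statvfs(binary).f_flag
    problems = []
    if not st.st_mode & stat.S_ISGID:
        problems.append("set-gid bit missing (run: postfix set-permissions)")
    if not st.st_mode & stat.S_IXOTH:
        problems.append("not executable by other users")
    if expected_group is not None:
        try:
            owner_group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            owner_group = str(st.st_gid)
        if owner_group != expected_group:
            problems.append("group owner is %s, expected %s"
                            % (owner_group, expected_group))
    if fs_flags & os.ST_NOSUID:
        problems.append("file system mounted nosuid: set-uid/set-gid ignored")
    return problems


def self_test():
    """Exercise the check on a throw-away file installed like postdrop.

    Returns a dict keyed by scenario so the outcomes can be inspected.
    """
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        fake = os.path.join(workdir, "postdrop")
        open(fake, "wb").close()
        os.chmod(fake, 0o2755)      # rwxr-sr-x, the mode set-permissions installs
        results["ok"] = setgid_problems(fake, fs_flags=0)
        results["nosuid"] = setgid_problems(fake, fs_flags=os.ST_NOSUID)
        results["wrong_group"] = setgid_problems(
            fake, fs_flags=0, expected_group="no-such-group-for-this-test")
        os.chmod(fake, 0o755)       # bit stripped, e.g. by a careless chmod
        results["no_bit"] = setgid_problems(fake, fs_flags=0)
    return results


if __name__ == "__main__":
    # Real use: point it at the postdrop binary, inside or outside the jail.
    # The spool listing above (maildrop owned postfix:maildrop, mode 730)
    # means the binary must be set-gid to the maildrop group on that host.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/postdrop"
    if os.path.exists(target):
        found = setgid_problems(target)
        print(target + ":", "; ".join(found) if found else "set-gid execution OK")
    else:
        print(target, "not found; self-test results:", self_test())
```

Run it once from the host against the jail's copy of postdrop and once from inside the jail: the two views agree on the bits, so a difference in the verdict isolates the file-system flag, which is the case Wietse's "does not support setuid/setgid execution" describes.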


Using Sasl authentication and RBL

2010-04-21 Thread Oliver Schinagl
Hello all,

I've been trying to figure out why a new server I set up using postfix
doesn't allow me to relay messages after I authenticate (using
cyrus-sasl). It appears that I can authenticate just fine, but when I
try to send a message, I get an RBL error. I obviously don't want my ADSL IP
to be whitelisted on the sending end (as it's DHCP and just a
regular ADSL IP), but I would have expected that after authentication the
RBL would be bypassed?

I thought I pretty much set it up the same way as my older server, which
accepts my mail just fine! Guess I was wrong, and I can't find the
differences.

As I've setup my server, I tried to document it as well as possible over
at the gentoo-wiki;

http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server


The entire postfix server seems to be running excellently as far as I
can tell, except for not being able to send from remote 'internet' IP's
that are on the PBL.

Find below my postconf -n (having replaced the real hostname with
foo.example)
===
postconf -n
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2048
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = "Sorry, the recipients mailbox is currently full. Please try again later."
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = ".Trash"
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
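One thing to check in the postconf output above, added here as an editor's note and not taken from the thread: with smtpd_delay_reject = no, Postfix evaluates smtpd_client_restrictions when the connection arrives, before EHLO and before any AUTH exchange, so permit_sasl_authenticated in that list has nothing to match and evaluation falls through to the reject_rbl_client entries for every connecting client. The Postfix default, smtpd_delay_reject = yes, postpones the client list to RCPT TO, where the authentication state is known. The fragment shows the posted setting beside the corrected one; parameter names and values are the ones in the post.

```conf
# As posted: with smtpd_delay_reject = no the client list is evaluated when
# the connection arrives, before EHLO and before any AUTH exchange, so
# permit_sasl_authenticated has nothing to match and evaluation reaches the
# reject_rbl_client entries for every connecting client.
smtpd_delay_reject = no
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit_mx_backup, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net

# Corrected: the Postfix default defers the client list to RCPT TO, where
# the AUTH result is known, so authenticated clients are permitted before
# the RBL lookups are reached.
smtpd_delay_reject = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit_mx_backup, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
```

Confirm the active value with `postconf smtpd_delay_reject` after the change. The usual layout goes one step further and gives authenticated submission its own smtpd service on port 587 whose client restrictions are just permit_sasl_authenticated,reject, so the port 25 RBL policy never applies to it.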


Re: Unknown senders and spam

2010-04-21 Thread Alex
Hi,

> You're still using warn_if_reject wrong; that's why you're getting an error.
>
> If you post your "postconf -n" we can show you exactly what to change to use
> warn_if_reject.

Thanks so much for your help. I've included it below. Ideally I'd like
to have support for smtpd_restriction_classes and
reject_unknown_reverse_client_hostname or related lesser strict
restrictions. You'll notice I have two instances set up, for use with
amavisd.

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
alternate_config_directories = /etc/postfix_f
always_bcc =
biff = no
body_checks = regexp:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
default_process_limit = 120
delay_warning_time = 0
disable_mime_input_processing = yes
disable_vrfy_command = yes
enabled = yes
fallback_relay =
header_checks = pcre:/etc/postfix/header_checks.pcre,
pcre:/etc/postfix/header_checks-jimsun.pcre
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 25600
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains = zen.spamhaus.org
maximal_queue_lifetime = 5d
message_size_limit = 13312000
mime_header_checks =
minimal_backoff_time = 800s
mydestination = $myhostname, localhost.$mydomain
myhostname = smtp01.mydomain.com
mynetworks = 127.0.0.0/8, 2XX.201.XXX.45/32
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /etc/postfix/README_FILES
relay_domains = $mydestination, mydomain.com, mkt.mydomain.com,
sales.mydomain.com
relayhost =
sample_directory = /etc/postfix/samples
sender_canonical_maps =
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
permit_mynetworks,
check_client_access hash:/etc/postfix/client_checks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unauth_destination,
check_helo_access hash:/etc/postfix/helo_checks,
check_recipient_access pcre:/etc/postfix/recipient_checks,
check_recipient_access pcre:/etc/postfix/main_relay_recip_checks,
check_recipient_access pcre:/etc/postfix/sales_recip_map,
check_sender_access hash:/etc/postfix/sender_checks,
check_client_access hash:/etc/postfix/client_checks,
reject_maps_rbl
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_maps = hash:/etc/postfix/virtual


Email attachment parsing via mime4j

2010-04-21 Thread Sharma, Ashish
Hi,

I am using a small java smtp library (http://code.google.com/p/subethasmtp/), 
by this I need to parse the incoming emails in separate components viz body, 
attachments etc.

I am trying to use mime4j , but the documentation suggests that mime4j can only 
give event notification or token notification and nothing else. For stripping 
out body and attachments etc I had to use my own custom logic inside the event 
handlers. Is my observation correct?

If yes then how can I use mime4j to use for my requirement. Please suggest.

I need an approach that takes in the SMTP data stream and returns an 
array of attachment references or streams in fully parsed form in Java. 
Please help.

Thanks in advance

Ashish Sharma


Re: Newbie question: difference config options

2010-04-21 Thread Noel Jones

On 4/21/2010 1:06 AM, M.S. Lucas wrote:
> Hello,
>
> I'm trying to migrate a qmail server to postfix and have a small question.
> At the bottom is a part of my main.cf file
>
> I'm missing what the real difference is between some options.
>
> In my words this is the difference but please correct me if I'm wrong.
> - alias_maps

contains the actual user -> user mapping.

> - alias_database

defines the databases that will be rebuilt with the "newaliases" command.

> - virtual_alias_domains

Defines the virtual domains, not the users.  The domain needs to be defined 
here so postfix knows what to do with the "reject_unauth_destination" 
restriction.

> - virtual_alias_maps

Defines u...@example1 -> us...@example2 mapping.  Any user can be rewritten, 
the domain need not be defined as a virtual_alias_domain.

> For domains which don't really exist on the server. But only store and
> forward or translate one domain to another.
> @domain1.nl @domain2.nl

This is a wildcard rewrite.  Don't use this as it turns your server into a 
backscatter source.

> - virtual_mailbox_domains

Defines domains used for virtual mailboxes.  Postfix needs to know this for 
"reject_unauth_destination" and to know which domains to search 
virtual_mailbox_maps for.

> - virtual_mailbox_maps

Defines u...@example -> mailbox mapping.

> For domains which are stored locally for e.g. pop3/imap
>
> Question:
> -
> What is the best way to do the following?
> u...@domain.nl  us...@domain.nl, us...@domain.nl
> For a domain which is in virtual_mailbox_domains.

Add that entry to virtual_alias_maps.
Do *not* list domain.nl in virtual_alias_domains.

  -- Noel Jones


Re: email Status in mail queue

2010-04-21 Thread Wietse Venema
Sharma, Ashish:
> Hi,
> 
> I just want to confirm my two observations that I read from Postfix 
> documentation:
> 
> 1. With a before-queue mail filter (milter) the email is not put in the
> postfix queue until it has been passed by the milters successfully; only
> after the email has passed the milters is it received fully from the
> foreign email server.

Conforming to the SMTP standard, the Postfix SMTP server replies
"250 OK" to end-of-data AFTER the message is committed to the mail
queue.

This is regardless of whether there is a filter between the
Postfix SMTP server and the queue.

> 2. With an after-queue content filter, the email is passed to the
> content filter from the postfix queue, and only if it is reinjected back
> into postfix does postfix keep a reference to it; otherwise the email is
> lost and no reference is maintained in the postfix mail queue.

Conforming to the SMTP standard, the Postfix SMTP client will remove
the recipient from the queue file after the Postfix SMTP client
receives "250 OK" in response to end-of-data (and the queue manager
removes queue files that have no left-over recipients).

This is regardless of whether the Postfix SMTP client delivers mail
to a content filter.

As documented in FILTER_README, it is the responsibility of the
content filter to discard the message, to quarantine the message,
to send the filtered mail back into the same Postfix instance, or
to send filtered mail into a different MTA instance (Postfix or
non-Postfix).

With Postfix 2.6 and later, using two Postfix instances makes
"after-queue" content inspection easier to manage.

Wietse


Re: Unknown senders and spam

2010-04-21 Thread Noel Jones

On 4/20/2010 10:47 PM, Alex wrote:
> Hi,
>
>>> $ postfix check
>>> postfix: fatal: /etc/postfix/main.cf, line 700: missing '=' after
>>> attribute name: "warn_if_reject reject_maps_rbl
>>> backscatter.spameatingmonkey.net"
>>> Apr 19 02:35:33 smtp01 postfix[13351]: fatal: /etc/postfix/main.cf,
>>> line 700: missing '=' after attribute name: "warn_if_reject
>>> reject_maps_rbl backscatter.spameatingmonkey.net"
>>
>> Duh. read the error message again and tell me what it has to do with
>> reject_rbl_client.
>
> Yes, sorry, I meant to use reject_rbl_client, but it doesn't work there either:
>
> Apr 20 23:43:02 smtp01 postfix[30380]: fatal: /etc/postfix/main.cf,
> line 609: missing '=' after attribute name: "warn_if_reject
> reject_rbl_client backscatter.spameatingmonkey.net"
>
> It appears that it's not supported in my version (postfix-20020613).
>
> As an interim solution, do you think I could get a later postfix
> working, say, postfix-1.1.13 without much difficulty, and benefit from
> some of these features to ease testing and migration to postfix-2.7
> later?
>
> Thanks,
> Alex

You're still using warn_if_reject wrong; that's why you're getting an error.

If you post your "postconf -n" we can show you exactly what to change to 
use warn_if_reject.


email Status in mail queue

2010-04-21 Thread Sharma, Ashish
Hi,

I just want to confirm my two observations that I read from Postfix 
documentation:

1. With a before-queue mail filter (milter) the email is not put in the postfix 
queue until it has been passed by the milters successfully; only after the email 
has passed the milters is it received fully from the foreign email server.

2. With an after-queue content filter, the email is passed to the content filter 
from the postfix queue, and only if it is reinjected back into postfix does 
postfix keep a reference to it; otherwise the email is lost and no reference is 
maintained in the postfix mail queue.

Am I correct?

Thanks in advance

Ashish Sharma


Re: Unknown senders and spam

2010-04-21 Thread Wietse Venema
Alex:
> Hi,
> 
> >> $ postfix check
> >> postfix: fatal: /etc/postfix/main.cf, line 700: missing '=' after
> >> attribute name: "warn_if_reject reject_maps_rbl
> >> backscatter.spameatingmonkey.net"
> >> Apr 19 02:35:33 smtp01 postfix[13351]: fatal: /etc/postfix/main.cf,
> >> line 700: missing '=' after attribute name: "warn_if_reject
> >> reject_maps_rbl backscatter.spameatingmonkey.net"

DO NOT USE warn_if_reject AT THE BEGINNING OF A RULE.

Wietse


Re: Postfix sending NDR instead of rejecting in SMTP session

2010-04-21 Thread Ansgar Wiechers
On 2010-04-21 Vegard Svanberg wrote:
> my mailserver usually rejects unknown recipients in the SMTP session.
> 
> However, when an account or domain is forwarded, Postfix does not
> reject, but accepts and sends an NDR when it discovers that the
> recipient does not exist.
> 
> Example 1: Domain @example.invalid is forwarded to domain
> @example2.invalid. There are no matching accounts or aliases on
> example2.invalid.
> 
> SMTP session:
> 
> rcpt to: 
> 250 2.1.5 Ok

If you have a mapping "@example.invalid @example2.invalid" in your
$virtual_alias_maps this is expected behavior. Postfix' checks aren't
transitive, i.e. it only checks the left-hand side of the map for
matches. Which makes @example.invalid a catch-all for that domain.

> Example 2: u...@example.invalid is forwarded to r...@example2.invalid.
> r...@example2.invalid does not exist; neither as an alias nor a mailbox.
> 
> SMTP dialog:
> 
> rcpt to: 
> 250 2.1.5 Ok

This is expected behavior as well. Postfix only checks the left-hand
side of $virtual_alias_maps. If it finds a match there, then it will
accept the mail for further delivery. It is your job as a mail server
admin to ensure that your MTA does not have invalid mappings.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
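Ansgar's "not transitive" point, and Noel's warning earlier in this digest that an "@domain1 @domain2" entry turns the server into a backscatter source, both come down to the virtual(5) table search order and to the fact that the SMTP server stops at the first matching key. The model below is an added example, not Postfix code: it implements the documented search order (user@domain, then the bare user for local domains, then @domain), shows the RCPT TO decision beside what happens after acceptance, and ends with the audit an admin can run over a table to find the entries that will produce NDRs. The tables, mailbox set and addresses are constructed.

```python
"""Model of the virtual(5) table search order used when the SMTP server
decides whether to accept a recipient, to show why an "@domain" entry is a
catch-all and why a matching left-hand side is accepted even when its
right-hand side goes nowhere.

Added example, not Postfix code. Search order as documented in virtual(5):
user@domain, then the bare user (only when domain is a local domain),
then @domain. The tables and mailboxes below are constructed.
"""

# Constructed data. The catch-all table is the "@domain1 @domain2" form
# warned about above; the per-user table is the alternative.
CATCH_ALL = {"@example.invalid": "@example2.invalid"}
PER_USER = {
    "user@example.invalid": "ghost@example2.invalid",   # target does not exist
    "info@example.invalid": "alice@example2.invalid",   # target exists
}
MAILBOXES = {"alice@example2.invalid"}                  # virtual_mailbox_maps
LOCAL_DOMAINS = {"localhost"}                           # $mydestination etc.


def virtual_lookup(address, table, local_domains=LOCAL_DOMAINS):
    """Return (matching key, right-hand side) or None, in virtual(5) order."""
    if "@" not in address:
        return None
    user, _, domain = address.rpartition("@")
    keys = [address]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def accept_at_rcpt(address, table, mailboxes, local_domains=LOCAL_DOMAINS):
    """The decision at RCPT TO: any alias key or a mailbox is enough. Nothing
    here checks where the alias leads, which is the non-transitive part."""
    return (virtual_lookup(address, table, local_domains) is not None
            or address in mailboxes)


def final_delivery(address, table, mailboxes, local_domains=LOCAL_DOMAINS,
                   max_hops=10):
    """Follow the alias chain the way the queue does after acceptance and
    say whether the end of it can be delivered or will bounce."""
    for _ in range(max_hops):
        hit = virtual_lookup(address, table, local_domains)
        if hit is None:
            break
        _key, target = hit
        if target.startswith("@"):        # wildcard target keeps the local part
            address = address.rpartition("@")[0] + target
        else:
            address = target
    else:
        return "alias loop"
    return "deliverable" if address in mailboxes else "bounce (NDR)"


def audit_table(table, mailboxes, local_domains=LOCAL_DOMAINS):
    """List the entries that will produce NDRs: catch-all keys, and keys
    whose final target is not a deliverable mailbox."""
    findings = []
    for key in table:
        if key.startswith("@"):
            findings.append((key, "catch-all: accepts every local part"))
            continue
        outcome = final_delivery(key, table, mailboxes, local_domains)
        if outcome != "deliverable":
            findings.append((key, outcome))
    return findings


if __name__ == "__main__":
    for name, table in (("catch-all", CATCH_ALL), ("per-user", PER_USER)):
        for rcpt in ("anyone@example.invalid", "user@example.invalid"):
            print(name, rcpt, "accepted" if accept_at_rcpt(rcpt, table, MAILBOXES)
                  else "rejected at RCPT", "->",
                  final_delivery(rcpt, table, MAILBOXES))
        print(name, "audit:", audit_table(table, MAILBOXES))
```

The two posted examples map onto the model directly: the domain forward is the `CATCH_ALL` case, accepted for any local part and bounced later; the user forward to a missing mailbox is the `PER_USER` entry for user@example.invalid, accepted because the left-hand side matched. `audit_table()` is the check that turns Ansgar's "it is your job to ensure your MTA does not have invalid mappings" into something that can run after every table change.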


Postfix & Exchange 2007

2010-04-21 Thread Cyril Vieville
Hi everybody,

I'm currently configuring our new mail server, Exchange 2007. It's a migration
from Postfix/Cyrus to Exchange 2007.

We plan to migrate a few users at a time and we need to keep Postfix as a
relay for the users who have been migrated, so Postfix is used as a relay for
the migrated users and as the main server for the others.

Emails will follow these paths:

From internet ---> Barracuda anti-spam appliance ---> Postfix. The server
will determine whether it's necessary to relay the email to the Exchange
server.

migrated users ---> Exchange 2007 ---> Internet

users ---> Postfix ---> Internet

users ---> Postfix ---> Exchange 2007 ---> migrated users

migrated users ---> Exchange 2007 --> Postfix --> users

I made some modifications in the Postfix configuration.

/etc/postfix/main.cf :

#mydestination = localhost, localhost.test.com, test.com, localhost.testing.com, testing.com
mydestination = localhost, localhost.test.com, localhost.testing.com
#relay_domains = fr.design.test.com
relay_domains = fr.design.test.com, test.com, testing.com

/etc/postfix/transport :

# MAILBOX MIGRATED
te...@test.com   smtp:srvexch.test.com
te...@test.com   smtp:srvexch.test.com

#MUST BE THE LAST LINE
test.com      local
testing.com   local

On the Exchange 2007 side, I created a receive connector with a specific IP
defined to receive mail from (the Postfix server), a send connector to send
emails to the Postfix users (address spaces *.test.com, *.testing.com & use of
the MX record to find the Postfix server) and a send connector to send emails
outside of the organization directly to the internet (address space *).

But I encounter the problem of authentication. It seems that I need to
authenticate Postfix to Exchange 2007 for the migrated users to receive an
email and I don't know what to do to make it run smoothly.

/etc/postfix # cat /var/log/mail | grep test1

Apr 21 12:02: 34 everest postfix/smtp[27036]: C33675832B:
to=, relay= srvexch.test.com [192.168.145.99], delay=48,
status=bounced (host srvexch.test.com [192.168.145.99] said: 530 5.7.1
Client was not authenticated (in reply to MAIL FROM command))

I guess I need to specify in Exchange 2007 the security mechanisms to use
in the receive connector and I want to use TLS.

First of all, do you think it's enough, as I don't want a sniffer to be able
to read emails?

And what should I configure in Postfix to use TLS and allow Postfix to
talk to Exchange?

I hope I was clear enough about what I'm trying to do.

Thank you for your help.
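The "530 5.7.1 Client was not authenticated" in the log above is Exchange refusing MAIL FROM from a client that has neither authenticated nor been granted anonymous relay. On the Postfix side that means client-side SASL and TLS towards that one next-hop; the fragment below is an editor's example, not from the thread, and assumes the credentials Exchange expects are kept in /etc/postfix/sasl_passwd, the TLS policy in /etc/postfix/tls_policy, and the CA that issued the Exchange certificate in /etc/postfix/exchange-ca.pem (all three names are assumptions). The parameters need Postfix 2.3 or later.

```conf
# /etc/postfix/main.cf  (Postfix SMTP client side, towards srvexch.test.com)
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Opportunistic TLS everywhere, but for the Exchange next-hop require TLS
# with certificate verification (policy map below), so the credentials and
# the mail never cross the wire in clear and a host impersonating
# srvexch.test.com is refused.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/postfix/exchange-ca.pem

# /etc/postfix/sasl_passwd   (chmod 600, then: postmap /etc/postfix/sasl_passwd)
# The lookup key is the next-hop from the transport entry "smtp:srvexch.test.com".
srvexch.test.com    relay-user@test.com:PLACEHOLDER_PASSWORD

# /etc/postfix/tls_policy    (postmap /etc/postfix/tls_policy)
srvexch.test.com    secure match=srvexch.test.com
```

With `encrypt` instead of `secure` the session would be encrypted but the peer not verified, which protects against the passive sniffer asked about but not against an active one; `secure` with a CA file covers both. On the Exchange side the receive connector has to offer an authentication mechanism Postfix's SASL client can use (Basic, which Exchange by default offers only after STARTTLS) and a permission group that allows the relay-user account to submit for the migrated mailboxes.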





Postfix sending NDR instead of rejecting in SMTP session

2010-04-21 Thread Vegard Svanberg
Hello,

my mailserver usually rejects unknown recipients in the SMTP session.

However, when an account or domain is forwarded, Postfix does not
reject, but accepts and sends an NDR when it discovers that the
recipient does not exist.

Example 1: Domain @example.invalid is forwarded to domain
@example2.invalid. There are no matching accounts or aliases on
example2.invalid.

SMTP session:

rcpt to: 
250 2.1.5 Ok

Example 2: u...@example.invalid is forwarded to r...@example2.invalid.
r...@example2.invalid does not exist; neither as an alias nor a mailbox.

SMTP dialog:

rcpt to: 
250 2.1.5 Ok

I'd be happy to post more info if needed. First I'd just like to know if
this is expected behavior, and if so, how we can stop these NDRs. 

This is Postfix 2.5.5-1.1 (from Debian). Info is stored in LDAP, and
virtual_alias_domains and virtual_alias_maps are used to retrieve the
info. 

Thanks!

-- 
Vegard Svanberg  [*tak...@irc (EFnet)]



Problem using deliver as LDA

2010-04-21 Thread Bastien Semene

Hi list,

There's something I can't figure out with deliver as LDA configuration.
I'm working with Postfix and Dovecot.

I configured deliver as explained in the official doc and some 
directives I found in the conf file or while googling to resolve my 
issue:


dovecot.conf :
protocol lda {
postmaster = em...@domain.com (actually working email)
sendmail_path = /usr/sbin/sendmail
auth_socket_path = /var/run/dovecot/auth-master
}

auth default {
...
  socket listen {
master {
  path = /var/run/dovecot/auth-master
  mode = 0600
  user = nobody
  }
...
  }
}

postfix/main.cf :
virtual_transport = dovecot

postfix/master.cf :
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=nobody argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}


But mail is not delivered, and produces the following log lines :
Apr 21 11:21:43 mail dovecot: deliver(em...@domain.com): Fatal: 
setgid(125(postfix)) failed with euid=65534(nobody), gid=65534(nobody), 
egid=65534(nobody): Operation not permitted
Apr 21 11:21:43 mail postfix/pipe[27550]: 21BBF9247DE: 
to=, relay=dovecot, delay=1179, 
delays=1178/0.07/0/0.07, dsn=4.3.0, status=deferred (temporary failure)


I did a "ls" in case some permissions went wrong, but everything seems ok:
[r...@mail] c# ls -hal /var/run/dovecot
total 8
drwxr-xr-x  3 root    wheel    512B Apr 21 11:11 .
drwxr-xr-x  5 root    wheel    512B Apr 21 11:11 ..
srw-------  1 nobody  wheel      0B Apr 21 11:11 auth-master
srw-------  1 root    wheel      0B Apr 21 11:11 auth-worker.27424
srwxrwxrwx  1 root    wheel      0B Apr 21 11:11 dict-server
lrwx------  1 root    wheel     27B Apr 21 11:11 dovecot.conf -> /usr/local/etc/dovecot.conf
drwxr-x---  2 root    dovecot  512B Apr 21 11:11 login
-rw-------  1 root    wheel      6B Apr 21 11:11 master.pid

Dovecot is using MySQL as the userdb backend, but I think auth process 
must pass through this socket to authenticate through dovecot against 
the MySQL server.

Everything works fine while using (postfix) virtual as LDA.
I think the setgid(125(postfix)) can be the problem, but the mailboxes 
use this uid:

virtual_uid_maps = static:125
# ls -hal /usr/local/mailboxes/domain.com 
   [r...@mail]

total 6
drwx--   3 postfix  postfix   512B Nov  2 15:40 .
drwx--   3 postfix  postfix   512B Nov  2 15:40 ..
drwx--  14 postfix  postfix   1.0K Apr 21 09:58 email

[r...@mail] # cat /etc/passwd | grep 125
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin

Maybe the use of postfix as mail owner was a bad idea and the problem 
appears now that pipe(8) doesn't allow postfix as user.

If I'm right, how can I solve this issue?


--
Bastien Semene
Network & Systems Administrator

Cyanide Studio - FRANCE



Wildcard certificate warning

2010-04-21 Thread Jordi Espasa Clofent

Hi all,

I've configured a TLS/SSL smtpd in a box as follows:

# postconf -n | grep -i tls
smtpd_tls_cert_file = /usr/local/home/example.com.crt
smtpd_tls_key_file = /usr/local/home/example.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

The cert is a wildcard certificate for *.example.com.

When the MUA (tested with Microsoft Outlook and Mozilla Thunderbird) tries 
to send email through this box, it shows a warning about the cert. It 
happens when it tries to connect using STARTTLS (port 25) and also TLS/SSL 
(port 465).


Why?

The box is named mai.example.com, so I understand a wildcard certificate 
(*.example.com) should be enough.


--
I must not fear. Fear is the mind-killer. Fear is the little-death that 
brings total obliteration. I will face my fear. I will permit it to pass 
over me and through me. And when it has gone past I will turn the inner 
eye to see its path. Where the fear has gone there will be nothing. Only 
I will remain.


Bene Gesserit Litany Against Fear.
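The warning comes from the MUA's own name check against the server certificate, so it helps to see exactly what that check does. The code below is an added example, not from the thread: it applies the RFC 6125 rules as MUAs and browsers do them (case-insensitive comparison, "*" honoured only as the whole left-most label and matching exactly one label, and the common client refusal of a bare "*.com"). The list of certificate names is a constructed stand-in for a real subjectAltName. By these rules *.example.com does cover mai.example.com; what the client compares, though, is the host name it was configured to connect to, not the box's idea of its own name, and the post does not say which name the MUAs were given. A certificate warning can also come from the issuer check rather than the name check, which this example does not model.

```python
"""The name check a mail client makes against the server certificate, for a
wildcard certificate like the one above.

Added example, not from the thread. The rules are those of RFC 6125
section 6.4.3 as MUAs and browsers apply them: the comparison is
case-insensitive, the name compared is the host name the client was
configured to connect to, and "*" counts only as the entire left-most label
and matches exactly one label. Refusing a wildcard on a bare top-level
pattern such as "*.com" is common client practice and is included too.
The certificate's names are given as a list of dNSName values; the list
below is a constructed stand-in for a real subjectAltName.
"""

WILDCARD_CERT = ["*.example.com"]   # constructed: what the box presents


def name_matches(pattern, hostname):
    """Match one certificate dNSName, possibly with a left-most wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole first label, appear nowhere else, and
    # leave at least two fixed labels behind it ("*.com" is refused).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # One label only: "*.example.com" does not cover "a.b.example.com",
    # and it never covers the bare "example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_matches(cert_names, hostname):
    """True if any name in the certificate covers the host name."""
    return any(name_matches(name, hostname) for name in cert_names)


def explain(cert_names, hostname):
    """Verdict in words, the detail a MUA's warning dialog usually hides."""
    names = ", ".join(cert_names)
    if certificate_matches(cert_names, hostname):
        return "%s is covered by %s" % (hostname, names)
    return "%s is NOT covered by %s (the client will warn)" % (hostname, names)


if __name__ == "__main__":
    for host in ("mai.example.com", "example.com", "a.b.example.com"):
        print(explain(WILDCARD_CERT, host))
```

The practical check is therefore to compare the server name typed into each MUA's account settings with `explain(WILDCARD_CERT, that_name)`: a configured name of example.com, of a deeper label such as smtp.mail.example.com, or of a different domain explains the warning even though the certificate is valid for mai.example.com.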