Re: how do I send all NDR reports to one email address?
Thanks Jeroen, adding bounce,2bounce to notify_classes did exactly what I was looking for.

On Sat, Dec 18, 2010 at 11:45, Jeroen Geilman jer...@adaptr.nl wrote:
> On 12/18/10 8:16 PM, John Brahy wrote:
>> Hello, I'm having a problem configuring what I thought would be a postmaster account alias but I'm not getting all my non-deliverable mail reports and host not found reports. How do I get all that mail to go to a specific email address?
>
> bounce_notice_recipient = defaults to postmaster
>
> You can choose which notices you want to receive with the notify_classes= option.
>
> I don't know what host not found reports are - when postfix cannot find a recipient mailhost, the recipient is rejected; generating bounces in this situation would not be the right thing to do.
>
> -- J.
Limiting delivery rate for a specific destination
Hello Postfix happy users !

I am trying to figure out if it is possible to limit the delivery concurrency for some destinations. For example :
- emails matching patterns @foo.com and @bar.com must be sent with a slow delivery concurrency
- other emails must be sent with (let's say) default concurrency

If I use options like (initial_destination_concurrency, default_destination_concurrency_limit) in main.cf, I will limit the delivery pace for all destinations. Any way to limit for some destinations only ?

If there is no way to implement what I describe using the configuration, my second option is to deliver all emails except @foo.com and @bar.com from my Postfix instance, and route @foo.com and @bar.com to another Postfix instance that will have lower delivery concurrency settings. Is this something possible ?

If you have a third option idea, do not hesitate to say it loud here :)

Thank you in advance,
Lionel
Re: MX2
On 20/12/2010 08:03, Ramesh wrote:
> Hi All, I am planning to configure backup MX for primary MX. I have few queries.. All email id's in primary MX need to be same in secondary MX?

yes. and all checks done on the primary should be done on the secondary as well. also, if the secondary passes mail to the primary, then the latter must not reject it (because that would generate backscatter). you thus need to deal with such mail.

finally, the secondary will attract a lot of spam (even if the primary is up). you've been warned...

> Is it possible to configure separate email clients to receive and send for both mail server's, in case primary MX is down?

you seem confused... an MX is for receiving mail from the Internet. this has nothing to do with mail clients of yours.

for your mail clients:
- for reading mail, refer to the documentation of your POP3 or IMAP server. postfix doesn't do any of these.
- for submitting mail, set up submission MTAs. but you need an external high availability solution because an email client will only try one MTA.

> Please send suggestion's or URL to know more about this. Thanks and Regards, Ramesh
Re: Limiting delivery rate for a specific destination
On 20/12/2010 10:39, Lionel TRESSENS wrote:
> Hello Postfix happy users ! I am trying to figure out if it is possible to limit the delivery concurrency for some destinations. For example :
> - emails matching patterns @foo.com and @bar.com must be sent with a slow delivery concurrency
> - other emails must be sent with (let's say) default concurrency
> If I use options like (initial_destination_concurrency, default_destination_concurrency_limit) in main.cf, I will limit the delivery pace for all destinations. Any way to limit for some destinations only ?

create a transport entry in master.cf by cloning smtp. something like

    slowsmtp unix - - n - - smtp

then you can use -o options in master.cf and/or slowsmtp_foo_bar = ... in your main.cf.

then use transport_maps to route selected domains or users via this slowsmtp transport:

    example.com        slowsmtp:
    .example.com       slowsmtp:
    j...@example.org   slowsmtp:

> If there is no way to implement what I describe using the configuration, my second option is to deliver all emails except @foo.com and @bar.com from my Postfix instance, and route @foo.com and @bar.com to another Postfix instance that will have lower delivery concurrency settings. Is this something possible ?
> If you have a third option idea, do not hesitate to say it loud here :)
> Thank you in advance, Lionel
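
Added example (not part of mouss's post and not shipped with Postfix): the three pieces described above, filled in for the foo.com and bar.com destinations from the question. The limit values and the /etc/postfix/transport path are assumptions; the slowsmtp_* names follow Postfix's per-transport override convention, and the initial-concurrency override needs Postfix 2.5 or later.

```conf
# --- /etc/postfix/master.cf -------------------------------------------
# Clone of the stock "smtp" delivery agent under a new service name.
# The maxproc column ("-" = default_process_limit) can be set to a small
# number to cap the total number of parallel slowsmtp deliveries as well.
# service   type  private unpriv  chroot  wakeup  maxproc command
slowsmtp    unix  -       -       n       -       -       smtp

# --- /etc/postfix/main.cf ---------------------------------------------
# Per-transport overrides are named <master.cf service>_<parameter>.
# They apply only to mail routed through "slowsmtp"; all other mail keeps
# default_destination_concurrency_limit and initial_destination_concurrency.
# Note: main.cf has no trailing comments, so comments get their own lines.
#
# At most 2 parallel deliveries per destination domain (assumed value).
slowsmtp_destination_concurrency_limit = 2
# Start each destination with a single connection (assumed value).
slowsmtp_initial_destination_concurrency = 1

transport_maps = hash:/etc/postfix/transport

# --- /etc/postfix/transport -------------------------------------------
# "slowsmtp:" with an empty next-hop delivers to the recipient domain's
# own MX hosts, only through the throttled transport.
# The ".domain" form covers subdomains when transport_maps is not listed
# in parent_domain_matches_subdomains (it is not by default).
foo.com      slowsmtp:
.foo.com     slowsmtp:
bar.com      slowsmtp:
.bar.com     slowsmtp:

# --- apply ------------------------------------------------------------
#   postmap /etc/postfix/transport
#   postfix reload
```

The concurrency limit is counted per destination, so foo.com and bar.com each get their own budget of two connections.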
Re: Limiting delivery rate for a specific destination
Oh thanks ! This is great ;)

Regards
Lionel

2010/12/20 mouss mo...@ml.netoyen.net
> On 20/12/2010 10:39, Lionel TRESSENS wrote:
>> Hello Postfix happy users ! I am trying to figure out if it is possible to limit the delivery concurrency for some destinations. For example :
>> - emails matching patterns @foo.com and @bar.com must be sent with a slow delivery concurrency
>> - other emails must be sent with (let's say) default concurrency
>> If I use options like (initial_destination_concurrency, default_destination_concurrency_limit) in main.cf, I will limit the delivery pace for all destinations. Any way to limit for some destinations only ?
>
> create a transport entry in master.cf by cloning smtp. something like
>
>     slowsmtp unix - - n - - smtp
>
> then you can use -o options in master.cf and/or slowsmtp_foo_bar = ... in your main.cf.
>
> then use transport_maps to route selected domains or users via this slowsmtp transport:
>
>     example.com        slowsmtp:
>     .example.com       slowsmtp:
>     j...@example.org   slowsmtp:
>
>> If there is no way to implement what I describe using the configuration, my second option is to deliver all emails except @foo.com and @bar.com from my Postfix instance, and route @foo.com and @bar.com to another Postfix instance that will have lower delivery concurrency settings. Is this something possible ?
>> If you have a third option idea, do not hesitate to say it loud here :)
>> Thank you in advance, Lionel

--
Lionel TRESSENS - Wikio Group
OverBlog Project Manager - Wikio Experts Project Manager
Tel : 06.61.34.01.42 - Skype : ltressens - Twitter : @ltr
disable delivery-status on expire messages
Hi how can I disable notifications for expire messages. DBA9ED01B53: from=, status=expired, returned to sender DBA9ED01B53: sender non-delivery notification: E737FD0192B I want to disable notification for expire messages but not for bounces.
Re: disable delivery-status on expire messages
* alex m...@deltaindigo.ro: Hi how can I disable notifications for expire messages. DBA9ED01B53: from=, status=expired, returned to sender DBA9ED01B53: sender non-delivery notification: E737FD0192B I want to disable notification for expire messages but not for bounces. You can't. It's a bounce in both cases! -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: disable delivery-status on expire messages
On 12/20/2010 12:44 PM, Ralf Hildebrandt wrote: * alexm...@deltaindigo.ro: Hi how can I disable notifications for expire messages. DBA9ED01B53: from=, status=expired, returned to sender DBA9ED01B53: sender non-delivery notification: E737FD0192B I want to disable notification for expire messages but not for bounces. You can't. It's a bounce in both cases! I know , but represent something else (ex yahoo temporary deferred - 421 versus 554 code - no such user ).
Re: MX2
On Mon, 2010-12-20 at 07:03 +, Ramesh wrote: HI All, I am planning to configure backup MX for primary MX. i have few queries.. All email id's in primary MX need to be same in secondary MX? Is it possible to configure separate email clients to receive and send for both mail server's, in case primary MX is down? What are the receivers currently using for their incoming mail server in their email clients ? Both your MX servers ( primary and secondary MX ) should deliver mails to the same mailbox. It would not be correct to have your recipients pull mails from both servers
automatic email reassembly at reception ?
Hello I'm searching for an automated solution that will split bigs emails in several parts ( as we do with mpack manually ) then reassemble them at reception. It would be transparent for the user that would receive only one big email. Any infos welcome Thanks
Re: automatic email reassembly at reception ?
On Monday 20 December 2010 13:11:16 Frank Bonnet wrote:
> Hello I'm searching for an automated solution that will split big emails in several parts ( as we do with mpack manually ) then reassemble them at reception. It would be transparent for the user that would receive only one big email. Any infos welcome Thanks

This would only work if you control both end-points. Otherwise, the other side would still need to do this manually.

Only way I can think of to do this would be to add a mail-filter in the same way as amavis is fitted in for mail-scanning that separates large emails into separate emails and then do the opposite for incoming emails. You would need to keep an archive locally until you receive all the separate parts though. They are not guaranteed to arrive in sync. Nor is there any guarantee that there will not be other emails delivered in between.

Maybe it would be easier to add something to the mail-client for this?

-- Joost
Re: automatic email reassembly at reception ?
Thanks for the reply My purpose is for internals emails use only ! so the control would be OK On 12/20/2010 01:17 PM, J. Roeleveld wrote: On Monday 20 December 2010 13:11:16 Frank Bonnet wrote: Hello I'm searching for an automated solution that will split bigs emails in several parts ( as we do with mpack manually ) then reassemble them at reception. It would be transparent for the user that would receive only one big email. Any infos welcome Thanks This would only work if you control both end-points. Otherwise, the other side would still need to do this manually. Only way I can think of to do this would be to add a mail-filter in the same way as amavis is fitted in for mail-scanning that seperates large emails into seperate emails and then do the opposite for incoming emails. You would need to keep an archive locally untill you receive all the seperate parts though. They are not guaranteed to arrive in sync. Nor is there any guarantee that there will not be other emails delivered in between. Maybe it would be easier to add something to the mail-client for this? -- Joost -- Frank BONNET 01.45.92.66.17 Service des Moyens Informatique Generaux ESIEE PARIS Cité Descartes / BP 99 93162 NOISY-LE-GRAND Cedex http://www.esiee.fr http://www.esiee.fr/
Re: MX2
On 2010-12-20 2:03 AM, Ramesh wrote: I am planning to configure backup MX for primary MX. i have few queries.. snip Please send suggestion's or URL to know more about this. Don't bother... backup MX's should only be implemented by those who have a very good reason for doing so, and are a total waste of time and resources for the vast majority of sites these days. Just let SMTP do its job (servers sending to you that get tempfails will retry soon enough)... -- Best regards, Charles
Re: automatic email reassembly at reception ?
On Monday 20 December 2010 13:22:25 Frank Bonnet wrote: Thanks for the reply My purpose is for internals emails use only ! so the control would be OK If it is for internal email only, why do you want to split up the emails? If it's because postfix rejects too large emails you can always increase the allowed size of these emails to match. -- Joost On 12/20/2010 01:17 PM, J. Roeleveld wrote: On Monday 20 December 2010 13:11:16 Frank Bonnet wrote: Hello I'm searching for an automated solution that will split bigs emails in several parts ( as we do with mpack manually ) then reassemble them at reception. It would be transparent for the user that would receive only one big email. Any infos welcome Thanks This would only work if you control both end-points. Otherwise, the other side would still need to do this manually. Only way I can think of to do this would be to add a mail-filter in the same way as amavis is fitted in for mail-scanning that seperates large emails into seperate emails and then do the opposite for incoming emails. You would need to keep an archive locally untill you receive all the seperate parts though. They are not guaranteed to arrive in sync. Nor is there any guarantee that there will not be other emails delivered in between. Maybe it would be easier to add something to the mail-client for this? -- Joost
Re: automatic email reassembly at reception ?
On 20/12/2010 13:11, Frank Bonnet wrote:
> Hello I'm searching for an automated solution that will split big emails in several parts ( as we do with mpack manually ) then reassemble them at reception. It would be transparent for the user that would receive only one big email.

Do you mean reassemble then deliver to mailbox? but then downloading large files over IMAP or POP is a pain. also, didn't test, but an anti-virus on the client box won't be happy (and these beasts know how to show when they're not happy;-p)

if the problem is at postfix side, simply increase the limit.

a better solution is to use a web application that allows users to upload files and choose recipients. the application then sends URLs to recipients... (of course, files must have expiry dates. lest you provide a free storage server!).

if asking users to upload to web server is too much (but really, it's better than sending the document via smtp. performances will help motivate users), then you could set up a content filter that extracts large attachments and replaces them with a URL. (be careful not to mess up with the MIME structure...).

or you might be happy if you have clients that support fragmented messages (these never really made it, in part because of the security risks).
PREPEND problems
Hi,

I am a little bit stuck with prepending one and exactly one additional header to outgoing mails that are sent from local users. In fact I want to add a VBR-Info:-header for outgoing mails.

Local users use a separate MSA port (own IP-socket in master.cf). The socket is configured with smtpd_proxy_filter off and using content_filter. So the whole mail gets queued before giving it to amavis (in my setup).

Inside the MSA part, I first defined a check_sender_access rule and thought that would do the job. But today I saw that for _each_ To: address a header is prepended. So if I write a mail with eight recipients, I see eight VBR-Info:-header lines in the result.

So I thought I need a different method and configured header_checks:

    # header_checks
    if !/^VBR-Info:.*roessner-net(work-solutions)?/
    /^From:@roessner-net\.com/ PREPEND VBR-Info: md=roessner-net.com; mv=dwl.spamhaus.org; mc=all
    /^From:@roessner-network-solutions\.com/ PREPEND VBR-Info: md=roessner-network-solutions.com; mv=dwl.spamhaus.org; mc=all
    endif
    # Any other checks for incoming and outgoing mail goes here

But this does not change anything. Same result. And I fear I understand why. It is the cleanup that does the checks for each outgoing mail. Is that right? Do you have any idea, how I could solve this?

Thanks in advance
Christian
avoiding externals spammesr that pretend to be in my domain
Hello

I receive periodically some spams that pretend to be from my domain. Looking in email headers I can see where the email comes from

Received: from 174.subnet222-124-154.static.astinet.telkom.net.id (unknown [222.124.154.172])

Of course the header has been rewritten but is there a possibility with postfix to refuse that kind of emails that comes from an explicitly outer IP address but pretend to be in my domain ?

Thanks
Re: avoiding externals spammesr that pretend to be in my domain
* Frank Bonnet f.bon...@esiee.fr: Hello I receive periodically some spams that pretend to be from my domain. Looking in emaila headers I can see where the email come from Received: from 174.subnet222-124-154.static.astinet.telkom.net.id (unknown [222.124.154.172]) http://www.spamhaus.org/query/bl?ip=222.124.154.172 use an DNSBL to filter out the crap -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: PREPEND problems
Hi again,

    # header_checks
    if !/^VBR-Info:.*roessner-net(work-solutions)?/
    /^From:@roessner-net\.com/ PREPEND VBR-Info: md=roessner-net.com; mv=dwl.spamhaus.org; mc=all
    /^From:@roessner-network-solutions\.com/ PREPEND VBR-Info: md=roessner-network-solutions.com; mv=dwl.spamhaus.org; mc=all
    endif
    # Any other checks for incoming and outgoing mail goes here

First I tried -o header_checks= in master.cf, but I need to add no_header_body_checks to the smtpd which receives from amavis.

Christian
hook for message delivery notification?
Hello, I would like to have a program called when a message is delivered in a mailbox. I'm currently trying this with a filter, which gives me a race condition between real delivery and the moment my hook/filter runs. I (partly) understand I can do this with a 'maildrop' program, but would like to do it without having to recreate the bugs others have made while building my own maildrop program. Is there an easy way to do this? Ronald,
Re: avoiding externals spammesr that pretend to be in my domain
On 12/20/10 3:49 PM, Frank Bonnet wrote:
> Hello I receive periodically some spams that pretend to be from my domain.

If this is in the From: header, there's not much you can do about that. The envelope sender you can trivially protect. After you have allowed submission, and have passed $mynetworks, use a check_sender_access map to REJECT anything in your domain.

> Looking in email headers I can see where the email comes from
> Received: from 174.subnet222-124-154.static.astinet.telkom.net.id (unknown [222.124.154.172])
> Of course the header has been rewritten but is there a possibility with postfix to refuse that kind of emails that comes from an explicitly outer IP address but pretend to be in my domain ? Thanks

-- J.
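
Added example (not part of Jeroen's post): the envelope-sender check he describes, written out. example.org stands in for the local domain, and the map path and reject text are assumptions.

```conf
# --- /etc/postfix/main.cf ---------------------------------------------
# Order matters. Clients in $mynetworks and authenticated submission are
# permitted first, so only unauthenticated outside clients ever reach
# the sender lookup on the last line.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/reject_own_domain

# --- /etc/postfix/reject_own_domain -----------------------------------
# Lookup key: the domain part of the envelope sender (MAIL FROM).
# With the default parent_domain_matches_subdomains setting, which lists
# smtpd_access_maps, this entry also matches senders in subdomains.
example.org    REJECT Mail from this domain must use authenticated submission

# --- apply ------------------------------------------------------------
#   postmap /etc/postfix/reject_own_domain
#   postfix reload

# Scope of the check:
#  - It tests MAIL FROM only. A forged From: header with an unrelated
#    envelope sender is not caught, as the post says.
#  - Outside systems that legitimately use your domain as envelope sender
#    (forwarding services, hosted applications) are rejected too, unless
#    they are added to $mynetworks or submit with authentication.
```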
Re: PREPEND problems
On 12/20/2010 8:37 AM, Christian Roessner wrote:
> Hi, I am a little bit stuck with prepending one and exactly one additional header to outgoing mails that are sent from local users. In fact I want to add a VBR-Info:-header for outgoing mails. Local users use a separate MSA port (own IP-socket in master.cf). The socket is configured with smtpd_proxy_filter off and using content_filter. So the whole mail gets queued before giving it to amavis (in my setup). Inside the MSA part, I first defined a check_sender_access rule and thought that would do the job. But today I saw that for _each_ To: address a header is prepended. So if I write a mail with eight recipients, I see eight VBR-Info:-header lines in the result.

Yes, that will work fine if you put your check_sender_access rule under smtpd_data_restrictions.

> So I thought I need a different method and configured header_checks:
>
>     # header_checks
>     if !/^VBR-Info:.*roessner-net(work-solutions)?/
>     /^From:@roessner-net\.com/ PREPEND VBR-Info: md=roessner-net.com; mv=dwl.spamhaus.org; mc=all
>     /^From:@roessner-network-solutions\.com/ PREPEND VBR-Info: md=roessner-network-solutions.com; mv=dwl.spamhaus.org; mc=all
>     endif

Headers are checked one at a time with no state kept, so the above will never work. Put your check_sender_access rule in smtpd_data_restrictions.

-- Noel Jones
Re: hook for message delivery notification?
On 12/20/10 4:29 PM, Ronald Klop wrote:
> Hello, I would like to have a program called when a message is delivered in a mailbox. I'm currently trying this with a filter, which gives me a race condition between real delivery and the moment my hook/filter runs.

That sounds wrong. Any of the available methods only deliver the message once, to the location you specify. There should be no race conditions unless you are doing something wrong.

> I (partly) understand I can do this with a 'maildrop' program, but would like to do it without having to recreate the bugs others have made while building my own maildrop program.

Um.. use a maildrop-like program. What bugs ?

> Is there an easy way to do this?

You can use any LDA that can perform processing during delivery (dovecot deliver, courier maildrop, postfix local(8) can all do this). Optionally, for greater flexibility but added complexity, you could set up a transport(5) map with a pipe(8) transport.

> Ronald,

-- J.
Precedence header
Hello postfix list!

I've recently checked the gmail bulk mail guidelines, and I've seen that they recommend this header in the email:

Precedence: bulk

The source is this URL: https://mail.google.com/support/bin/answer.py?answer=81126#format

We have designed our own mail server for clients alerts and updates, and I'd like to implement this, however, I've no idea how to make the server add that header in each mail that it sends. Googling for a while, but all I found is how to add the header in telnet or sendmail command line, and I'd like to add it when it hits the email server, or before sending the email. That would be awesome!

Do you have any links or tips? Don't have a clue how to do this.

Thanks! Cheers,
Martin
Re: Precedence header
On 12/20/2010 10:49 AM, Martin Spinassi wrote: Hello postfix list! I've recently checked the gmail bulk mail guidelines, and I've seen that they recommend this header in the email: Precedence: bulk The source is this URL: https://mail.google.com/support/bin/answer.py?answer=81126#format We have a designed our own mail server for clients alerts and updates, and I'd like to implement this, however, I've no idea how to make the server to add that header in each mail that it send. Googling fo a while, but all I found is how to add the header in telnet or sendmail command line, and I'd like to add it when it hits the email server, or before sending the email. That would be awesome! Do you have any links or tips? Don0t have a clue how to do this. Thanks! Cheers, Martin The Precedence header must be added by your mail generating software, not by postfix. -- Noel Jones
Re: PREPEND problems
On 12/20/2010 10:55 AM, Christian Roessner wrote:
>> Yes, that will work fine if you put your check_sender_access rule under smtpd_data_restrictions.
>
> I am unsure if that works. I thought that check_sender_access only uses the envelope-from tag. So where is the difference between putting it in smtpd_recipient_restrictions or waiting for the end of the DATA phase? Think, I don't understand :-)
>
> MAIL FROM:whate...@example.org
> 220 OK
> RCPT TO:-- Testing here, if in smtpd_recipient_restrictions
> 220 OK
> RCPT TO:-- and again, producing the duplicate??
> 220 OK
> DATA
> .CRLF -- Testing after this point, if in smtpd_data_restrictions.
> But does this behave differently than the above?

Of course it works. And BTW, smtpd_data_restrictions are run after the DATA command, not after the dot -- that's smtpd_end_of_data_restrictions.

With the default smtpd_delay_reject=yes, smtpd_{client, helo, sender, recipient}_restrictions are repeated for each recipient, but smtpd_data_restrictions are run only once.

You could also fix this particular problem by setting smtpd_delay_reject=no and putting your check in smtpd_sender_restrictions, but that causes other problems best avoided.

-- Noel Jones
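
Added example (not from Noel's post or from Christian's configuration): the per-recipient placement next to the once-per-message placement discussed above, for an MSA listener. The listener address, the map path and the msa_data_restrictions name are assumptions; the header values are the ones quoted in the thread.

```conf
# --- before: one header per recipient ---------------------------------
# With the default smtpd_delay_reject = yes this list is evaluated at
# every RCPT TO, so a PREPEND result fires once per recipient.
#
#   smtpd_recipient_restrictions =
#       check_sender_access hash:/etc/postfix/vbr_prepend, ...

# --- after: /etc/postfix/main.cf --------------------------------------
# Helper parameter (a name chosen for this example) so that the list can
# contain spaces and still be referenced from a master.cf -o override.
msa_data_restrictions =
    check_sender_access hash:/etc/postfix/vbr_prepend

# --- after: /etc/postfix/master.cf ------------------------------------
# The MSA listener only. 192.0.2.25:587 is a placeholder; the existing
# -o overrides of the entry (content_filter and so on) stay unchanged.
# smtpd_data_restrictions runs once, at the DATA command.
192.0.2.25:587 inet n - n - - smtpd
  -o smtpd_data_restrictions=$msa_data_restrictions

# --- /etc/postfix/vbr_prepend -----------------------------------------
# Lookup key: the domain part of the envelope sender (MAIL FROM), not the
# From: header. One matching entry gives one PREPEND per message.
roessner-net.com                PREPEND VBR-Info: md=roessner-net.com; mv=dwl.spamhaus.org; mc=all
roessner-network-solutions.com  PREPEND VBR-Info: md=roessner-network-solutions.com; mv=dwl.spamhaus.org; mc=all

# --- apply ------------------------------------------------------------
#   postmap /etc/postfix/vbr_prepend
#   postfix reload
#
# PREPEND has to run before the message content is received, so it cannot
# be moved further back into smtpd_end_of_data_restrictions.
```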
Re: PREPEND problems
>> DATA
>> .CRLF -- Testing after this point, if in smtpd_data_restrictions.
>> But does this behave differently than the above?
>
> Of course it works. And BTW, smtpd_data_restrictions are run after the DATA command, not after the dot -- that's smtpd_end_of_data_restrictions.

:-)

> With the default smtpd_delay_reject=yes, smtpd_{client, helo, sender, recipient}_restrictions are repeated for each recipient, but smtpd_data_restrictions are run only once.

That is really good to know and makes things much easier now. I give it a try.

> You could also fix this particular problem by setting smtpd_delay_reject=no and putting your check in smtpd_sender_restrictions, but that causes other problems best avoided.

Yes, I try to put everything under smtpd_recipient_restrictions.

Thanks for your help
Christian
Re: PREPEND problems
>> With the default smtpd_delay_reject=yes, smtpd_{client, helo, sender, recipient}_restrictions are repeated for each recipient, but smtpd_data_restrictions are run only once.
>
> That is really good to know and makes things much easier now. I give it a try.

Thanks :-) Works. It is frustrating, how complicated I sometimes think and how easy solutions can be.

Christian
Re: automatic email reassembly at reception ?
On Mon, Dec 20, 2010 at 01:11:16PM +0100, Frank Bonnet wrote: I'm searching for an automated solution that will split bigs emails in several parts ( as we do with mpack manually ) then reassemble them at reception. It would be transparent for the user that would receive only one big email. Historically, Outlook Express would generate and re-assemble large messages via message/partial MIME encapsulation. http://tools.ietf.org/html/rfc2046#section-5.2.2 This format is not directly supported by most MUAs and poses some issues for gateway A/V products, as the pieces don't necessarily arrive via the same gateway. -- Viktor.
Transport maps with LDAP.
I'm using Postfix 2.7.0. I use LDAP to manage/list domains that I relay for. My problem is, when mail arrives to a domain I make relay for, and this account has an alias to another domain I also relay for, the transport to the second e-mail is not found.

Suppose I relay for both domain1.org and domain2.org. Mail arrives to b...@domain1.org (and b...@domain1.org has an alias to bla...@domain2.org). The relay to domain1.org is returned according to the transport_map:

    transport_maps = ldap:/etc/postfix/ldap-mapa-transporte.cf

/etc/postfix/ldap-mapa-transporte.cf:

    version = 3
    server_host = ldap://1.2.3.4:389
    search_base=ou=mail,ou=services,dc=company,dc=org
    result_attribute=associatedDomain
    result_format=%s relay:[1.2.3.10]
    query_filter=((objectclass=domainRelatedObject)(associatedDomain=%s))
    scope = sub

The result is domain1.org relay:[1.2.3.10]. I would like the result to the query to be the domain I searched, AND the other domains, since, in the case I have an alias, domain2.org also needs to be listed as a domain I relay for.

What I get in my logs is:

    warning: connect to transport private/domain2.org relay: No such file or directory

I think when Postfix notices it also has to deliver to bla...@domain2.org, it does NOT make another search, and the only transport it knows about at that moment, is domain1.org relay:[1.2.3.10]. It seems Postfix doesn't know about the transport to domain2.org

thanks
Re: Transport maps with LDAP.
On Mon, Dec 20, 2010 at 04:17:08PM -0200, Lauro Costa G. Borges wrote: I'm using Postfix 2.7.0. Good, this is a reasonably recent release. You may want to consider updating to 2.7.2: 20100515 Bugfix (introduced Postfix 2.6): the Postfix SMTP client XFORWARD implementation did not skip unknown SMTP client attributes, causing a syntax error when sending a PORT attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c. 20100526 Cleanup: a unit-test driver (for stand-alone tests) was not updated after an internal API change. Vesa-Matti J Kari File: milter/milter.c. 20100529 Portability: OpenSSL 1.0.0 changes the priority of anonymous cyphers. Victor Duchovni. Files: postconf.proto, global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c, tls/tls_dh.c, tls/tls_server.c. Portability: Mac OS 10.6.3 requires arpa/nameser_compat.h instead of nameser8_compat.h. Files: makedefs, util/sys_defs.h, dns/dns.h. 20100531 Robustness: skip LDAP queries with non-ASCII search strings. The LDAP library requires well-formed UTF-8. Victor Duchovni. File: global/dict_ldap.c. 20100601 Safety: Postfix processes log a warning when a matchlist has a #comment at the end of a line (for example mynetworks or relay_domains). File: util/match_list.c. Portability: Berkeley DB 5.x has the same API as Berkeley DB 4.1 and later. File: util/dict_db.c. 20100610 Bugfix (introduced Postfix 2.2): Postfix no longer appends the system default CA certificates to the lists specified with *_tls_CAfile or with *_tls_CApath. This prevents third-party certificates from getting mail relay permission with the permit_tls_all_clientcerts feature. Unfortunately this may cause compatibility problems with configurations that rely on certificate verification for other purposes. To get the old behavior, specify tls_append_default_CA = yes. Files: tls/tls_certkey.c, tls/tls_misc.c, global/mail_params.h. proto/postconf.proto, mantools/postlink. 
20100714 Compatibility with Postfix 2.3: fix 20061207 was incomplete (undoing the change to bounce instead of defer after pipe-to-command delivery fails with a signal). Fix by Thomas Arnett. File: global/pipe_command.c.

20100727 Bugfix: the milter_header_checks parser provided only the actions that change the message flow (reject, filter, discard, redirect) but disabled the non-flow actions (warn, replace, prepend, ignore, dunno, ok). File: cleanup/cleanup_milter.c.

20100827 Performance: fix for poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1) connections. Problem reported by Mark Martinec. Files: smtpd/smtpd_proxy.c.

20101023 Cleanup: don't apply reject_rhsbl_helo to non-domain forms such as network addresses. This would cause false positives with dbl.spamhaus.org. File: smtpd/smtpd_check.c.

20101117 Bugfix: the 421 reply after Milter error was overruled by Postfix 1.1 code that replied with 503 for RFC 2821 compliance. We now make an exception for final replies, as permitted by RFC. Solution by Victor Duchovni. File: smtpd/smtpd.c.

> I use LDAP to manage/list domains that I relay for.

Make sure you have a robust, low-latency LDAP infrastructure. The trivial-rewrite service will query LDAP to determine the address class of each domain, and qmgr(8) uses trivial-rewrite to resolve every recipient, so LDAP becomes performance critical.

> Suppose I relay for both domain1.org and domain2.org. Mail arrives to b...@domain1.org (and b...@domain1.org has an alias to bla...@domain2.org).

What do you mean by has an alias?

> I would like the result to the query to be the domain I searched, AND the other domains, since, in the case I have an alias, domain2.org also needs to be listed as a domain I relay for.

You are confused. Transport lookups are single valued. The lookup result in relay_domains is entirely ignored, only the existence of the lookup key in the table is significant.
If you want to relay for a domain, make sure that a lookup for that domain returns a result when queried against the table that implements relay_domains. I think when Postfix notices it also has to deliver to bla...@domain2.org, it does NOT make another search, and the only transport it knows about at that moment, is domain1.org relay:[1.2.3.10]. It seems Postfix doesn't know about the transport to domain2.org This is completely wrong. First, you have to explain what you
Re: qmgr killed by signal 15
On 12/18/2010 11:03 PM, Victor Duchovni wrote:
>> postfix/master[20377]: warning: process /usr/libexec/postfix/qmgr pid 20380 killed by signal 15
>
> This is SIGTERM. Are you running postfix stop frequently?

No. In fact I'm not running it at all. In fact in the interest of troubleshooting this, I have re-installed my VPS from a clean CentOS 5.5 image, and done *nothing* but yum erase sendmail, yum install postfix, service postfix start. And I still get the same problem. And only on this one VPS with 123Systems, not on any of the dozens of other Postfix mail servers I am responsible for.

> Don't restart Postfix every 5 minutes.

I'm not. As I said, the master.cf has wakeup set to 300 seconds, but this is the default setting, not something I modified, and it is the same setting as all of my other servers (which do not exhibit this problem.) If it were not there, then I don't believe that qmgr would run at all, except when a connection comes in on port 25.

I haven't looked at the postfix source code, but it seems like postfix is smart enough to check for qmgr when a connection comes in, sees that it isn't running, and spawns it. Likewise, every 5 minutes it's trying to wake up qmgr, seeing that it's not running, and spawning it. In other words, postfix is trying its darndest to keep things running, but *something* is sending a SIGTERM to qmgr several seconds after it starts up. And as Wietse mentioned in a separate reply, we can rule out that it's Postfix which is sending the SIGTERM to qmgr, because if it were, it would not be logging the warning.

And not only am I running with a clean VPS image, I've even tried killing everything non-essential, to the point where basically all that's running on the VPS is init, postfix, and sshd, and yet the problem persists. There's no cron running, no scripts, no other daemons, nothing.

Interestingly, I also received one other off-list response to my email from someone else who is experiencing the exact same problem. Despite *hours* of Googling, he is the only other person I've managed to come across with this same issue, and here's the kicker... he's on a VPS with 123Systems as well. So there's the commonality.

I'm not one to believe in coincidences, so now I'm pretty much convinced that there must be something that 123Systems is doing which is causing this. Either they have some sort of monitoring running on the host which is somehow sending a SIGTERM to qmgr within the guest, or they have done something to their default CentOS image which is causing it (although for the life of me I can't imagine what, since even if I replace the Postfix config files with the config from my other, working VPS, I still get this same behavior.)

I have opened a ticket with 123Systems to see if they can shed any light on this. I'll post a follow-up here when I have anything new to report.

Thanks.
- Jeff
tagging instead of rejecting?
For some of the smtpd restrictions I would like to merely tag a message instead of outright reject it. It would be either delivered as usual with the tagging in place for the client or user agent to check for, or be used to deliver the mail to a special folder. If the tagging is done by adding +whatever to the recipient address, that would work for me. Or adding any new header can work. Or adding a string in some distinctive place would probably work. Does Postfix have any way to (be configured to) do this? -- sHiFt HaPpEnS!
Re: PREPEND problems
On 20/12/2010 17:55, Christian Roessner wrote:
Yes, that will work fine if you put your check_sender_access rule under smtpd_data_restrictions.
I am unsure if that works. I thought that check_sender_access only uses the envelope-from tag.
It is.
So where is the difference between putting it in smtpd_recipient_restrictions or waiting for the end of the DATA phase? Think, I don't understand :-)
smtpd_recipient_restrictions is called for _every_ recipient. so if mail is sent to 3 recipients, a check will append the header 3 times. end of data is unique in a transaction. moral of the story: do what Noel suggested.
MAIL FROM:whate...@example.org
220 OK
RCPT TO:-- Testing here, if in smtpd_recipient_restrictions
220 OK
RCPT TO:-- and again, producing the duplicate??
yep.
220 OK
DATA
.CRLF -- Testing after this point, if in smtpd_data_restrictions. But does this behave differently than the above?
of course. there is only one DATA command in a transaction. while there may be many recipients.
So I thought I need a different method and configured header_checks:
# header_checks
if !/^VBR-Info:.*roessner-net(work-solutions)?/
/^From:@roessner-net\.com/ PREPEND VBR-Info: md=roessner-net.com; mv=dwl.spamhaus.org; mc=all
/^From:@roessner-network-solutions\.com/ PREPEND VBR-Info: md=roessner-network-solutions.com; mv=dwl.spamhaus.org; mc=all
endif
Headers are checked one at a time with no state kept, so the above will never work. Put your check_sender_access rule in smtpd_data_restrictions. The rules shown above are for header_checks.
That seems to do the trick,
the if part is useless. what you are doing is: for each header: if this is not a ^VBR and if it is a ^From, then PREPEND ... which obviously is the same as if it is a ^From. in short, you can remove the if !/^VBR and accompanying endif. but your rule depends on the presence of a From header, which is the standard but is not necessarily true. and also, there may be multiple From headers (although this is bad). anyway, reading your prepend info tells us that you're trying to do something regarding spamhaus based on the From header. This is most probably wrong. if you tell us what you're trying to do, we will tell you why you are wrong ;-p
but I have to add no_header_body_checks to the receive_override_options in the return socket. Unfortunately this also disables header checking for incoming MTA connections. I would need a different return socket for amavis, but I do not know how to tell amavis in its policy_banks to use a different forward-/notify-method :-( So this is something I asked on the amavis-users list right now.
$interface_policy{'12345'} = 'BLAHBLAH';
$policy_bank{'BLAHBLAH'} = {
#forward_method = 'smtp:[127.0.0.1]:10024',
#bypass_spam_checks_maps = [ 1 ],
#bypass_banned_checks_maps = [ 1 ],
# };
Re: avoiding externals spammers that pretend to be in my domain
On 20/12/2010 15:49, Frank Bonnet wrote:
Hello I receive periodically some spams that pretend to be from my domain. Looking in email headers I can see where the email comes from
Received: from 174.subnet222-124-154.static.astinet.telkom.net.id (unknown [222.124.154.172])
Of course the header has been rewritten but is there a possibility with postfix to refuse that kind of emails that comes from an explicitly outer IP address but pretend to be in my domain ?
there are many many many things you can do.
- use one or more of
reject_rbl_client zen.spamhaus.org
reject_rbl_client bl.spamcop.net
reject_rbl_client psbl.surriel.com
- reject any mail from .astinet.telkom.net.id
- tell us if you're talking about envelope sender (mail from) or the from header.
...
Re: PREPEND problems
Hi all, really thanks for all info, but the problem already is fixed. It needed help here for the check_sender_access adding to smtpd_data_restrictions and the help of Mark Martinec for amavisd-new, to get header_checks working in a dual setup MSA/MTA. Many thanks for all your help. It works pretty fine now. Christian
Re: tagging instead of rejecting?
Phil Howard:
For some of the smtpd restrictions I would like to merely tag a message instead of outright reject it. It would be either delivered as usual with the tagging in place for the client or user agent to check for, or be used to deliver the mail to a special folder. If the tagging is done by adding +whatever to the recipient address, that would work for me. Or adding any new header can work. Or adding a string in some distinctive place would probably work. Does Postfix have any way to (be configured to) do this?
There is no primitive to change the recipient address depending on some condition, but it is possible to use the PREPEND action in an access map, a policy daemon response, or in a header check.
Wietse
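The policy daemon route mentioned in the reply above, combined with the advice from the PREPEND thread to act at the DATA stage so the header is added once per transaction, as an added example that is not code from the list or from Postfix. The header name X-Policy-Tag, the two tagging conditions and the sample requests are assumptions constructed for illustration.

```python
import sys

TAG_HEADER = "X-Policy-Tag"  # hypothetical header name, not from the thread

def parse_request(lines):
    """Read one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return an access(5) action: PREPEND a tag header, or DUNNO."""
    # Tag only at the DATA stage: it runs once per transaction, so the header
    # is added once however many RCPT TO commands preceded it. PREPEND must
    # run before the content arrives, so END-OF-MESSAGE is too late.
    if attrs.get("protocol_state") != "DATA":
        return "DUNNO"
    reasons = []
    if attrs.get("client_name", "unknown") == "unknown":
        reasons.append("unknown-client")
    if "." not in attrs.get("helo_name", ""):
        reasons.append("helo-not-fqdn")
    if not reasons:
        return "DUNNO"
    return "PREPEND %s: %s" % (TAG_HEADER, ",".join(reasons))

def serve(stdin, stdout):
    """Answer requests until EOF; each reply is action=... plus a blank line."""
    stream = iter(stdin)
    while True:
        attrs = parse_request(stream)
        if not attrs:
            break
        stdout.write("action=%s\n\n" % decide(attrs))
        stdout.flush()

# Constructed sample: one transaction, two RCPT-stage requests then DATA.
SAMPLE = "".join(
    "request=smtpd_access_policy\nprotocol_state=%s\n"
    "client_name=unknown\nhelo_name=mailhost\n\n" % state
    for state in ("RCPT", "RCPT", "DATA"))

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Postfix would reach such a handler through check_policy_service listed in smtpd_data_restrictions. The two conditions here only stand in for whichever restrictions would otherwise reject.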
Re: automatic email reassembly at reception ?
On Tuesday, December 21, 2010 04:59:16 am Victor Duchovni wrote: Historically, Outlook Express would generate and re-assemble large messages via message/partial MIME encapsulation. http://tools.ietf.org/html/rfc2046#section-5.2.2 This format is not directly supported by most MUAs and poses some issues for gateway A/V products, as the pieces don't necessarily arrive via the same gateway. Microsoft's current implementation guidance (e.g. [MS-OXCMAIL] specification Section 4.4) is not to support sending or receiving message/partial. Brad
Re: PREPEND problems
mouss wrote:
anyway, reading your prepend info tells us that you're trying to do something regarding spamhaus based on the From header. This is most probably wrong. if you tell us what you're trying to do, we will tell you why you are wrong ;-p
If we are talking about VBR-Info based on a DKIM signature (not SPF), then making it depend on a domain in From header field is likely the right thing to do, because the signing domain (the 'd' tag) is also likely to be derived from a domain in a From header field (making ADSP happy). Even if occasionally this isn't so (e.g. when VBR-Info is inserted but signature is not), it isn't too bad. Recipients take the VBR-Info just as a hint. If there is no valid DKIM signature in a message, the information in VBR-Info will be ignored - DNS whitelists like DWL should only be consulted if signature is valid (or spf passes).
Mark