update Postqueue error??

2010-12-31 Thread Jack Raats



Hi everyone,

Happy new year!

What's wrong with postqueue -f?

Jan  1 06:18:00 orac postfix/postqueue[71142]: fatal: usage: postqueue -f | postqueue -i queueid | postqueue -p | postqueue -s site




postqueue -f also doesn't flush the queue.

grtz.
Jack 



Postqueue error??

2010-12-31 Thread Jack Raats

Hi everyone,

Happy new year!

What's wrong with postqueue -f?

Jan  1 06:18:00 orac postfix/postqueue[71142]: fatal: usage: postqueue -f | postqueue -i queueid | postqueue -p | postqueue -s site


Output postconf -n:

orac# postconf -n
address_verify_map = btree:/var/db/postfix/verifymap
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 2h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = $double_bounce_sender
alias_database = $alias_maps
alias_maps = hash:/etc/aliases
body_checks = pcre:/postfix/tables/body_checks
bounce_size_limit = 1
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = scan:127.0.0.1:10025
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
header_checks = pcre:/postfix/tables/header_checks
html_directory = /usr/local/share/doc/postfix
inet_interfaces = 10.10.10.10
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail -a $EXTENSION
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 400s
maximal_queue_lifetime = 7d
message_size_limit = 4096
minimal_backoff_time = 100s
multi_recipient_bounce_reject_code = 550
mydestination = jarasoft.net
mydomain = jarasoft.net
myhostname = raats.xs4all.nl
mynetworks = 127.0.0.1, 10.10.10.10
myorigin = jarasoft.net
newaliases_path = /usr/local/bin/newaliases
notify_classes = resource, software
owner_request_special = no
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
queue_run_delay = 100s
readme_directory = /usr/local/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = $mydestination, hash:/postfix/tables/transport
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_generic_maps = hash:/postfix/tables/generic
smtp_tls_CAfile = /postfix/ssl/ca-root.crt
smtp_tls_cert_file = /postfix/ssl/server.pem
smtp_tls_key_file = /postfix/ssl/key.pem
smtp_tls_loglevel = 2
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_cache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ; The JaRaSoft.net mailserver
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,  permit
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_junk_command_limit = 50
smtpd_recipient_overshoot_limit = 500
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unknown_recipient_domain, permit_mynetworks,
    permit_sasl_authenticated,  reject_unauth_destination,
    check_helo_access   hash:/postfix/tables/helo_checks,
    check_sender_mx_accesscidr:/postfix/tables/bogus_mx,
    check_helo_access   pcre:/postfix/tables/tld_acl,   check_client_access
    pcre:/postfix/tables/tld_acl, check_sender_access
    pcre:/postfix/tables/tld_acl,   check_recipient_access
    hash:/postfix/tables/spamtrap,  check_recipient_access
    hash:/postfix/tables/uce_strong,  check_recipient_access
    hash:/postfix/tables/uce_strong1,   check_recipient_access
    hash:/postfix/tables/uce_strong2,   check_policy_service
    inet:127.0.0.1:10023,   permit
smtpd_restriction_classes = ucestrong, rhsblchecks, rblchecks, greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /postfix/ssl/ca-root.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /postfix/ssl/server.pem
smtpd_tls_key_file = /postfix/ssl/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/postfix/tables/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_domains = hash:/postfix/tables/virtual_alias_domains
virtual_alias_maps = hash:/postfix/tables/virtual_alias_maps
orac#


Thanks for your time!

Jack Raats 



Re: Postfix and Postgrey Part II

2010-12-31 Thread Victor Duchovni
On Fri, Dec 31, 2010 at 06:26:41PM -0400, jason hirsh wrote:

>> Where is the rest of this log entry, it too is truncated...  Where are
>> the other instances of this same client/sender/recipient triple being
>> rejected?
>
> Dec 31 00:03:02 tuna postfix/smtpd[8857]: NOQUEUE: reject: RCPT from 
> snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 : 
> Recipient address rejected: Greylisted, see 
> http://postgrey.schweikert.ch/help/kasdivi.com.html; 
> from= to= proto=ESMTP 
> helo=

This is better the client/sender triple appears constant for the
three log entries.

> Dec 31 00:11:02 tuna postfix/smtpd[9013]: NOQUEUE: reject: RCPT from 
> snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 : 
> Recipient address rejected: Greylisted, see 
> http://postgrey.schweikert.ch/help/kasdivi.com.html; 
> from= to= proto=ESMTP 
> helo=

This re-transmission is likely too soon, what is your minimum retry time
set to (in the postgrey configuration).

> Dec 31 00:15:02 tuna postfix/smtpd[9092]: NOQUEUE: reject: RCPT from 
> snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 : 
> Recipient address rejected: Greylisted, see 
> http://postgrey.schweikert.ch/help/kasdivi.com.html; 
> from= to= proto=ESMTP 
> helo=
>
> and so forth until i turned off postgrey

OK, Postfix is behaving normally, so the question is why Postgrey is not,
indeed the Postgrey logs and configuration are likely the right place
to look next.

-- 
Viktor.
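
Added example, not part of the thread: the comparison asked for above, lining up every greylist reject for one client/sender/recipient triple against the greylisting delay. The log lines are constructed, and `delay_seconds` stands for whatever minimum retry time the greylisting daemon is configured with.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the smtpd reject format quoted in the thread; hosts,
# addresses and the second client are made up for this example.
SAMPLE_LOG = """\
Dec 31 00:03:02 mx postfix/smtpd[8857]: NOQUEUE: reject: RCPT from out1.example.net[192.0.2.25]: 450 4.2.0 <bob@example.org>: Recipient address rejected: Greylisted; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<out1.example.net>
Dec 31 00:05:00 mx postfix/smtpd[8901]: NOQUEUE: reject: RCPT from relay.example.com[198.51.100.7]: 450 4.2.0 <bob@example.org>: Recipient address rejected: Greylisted; from=<carol@example.com> to=<bob@example.org> proto=ESMTP helo=<relay.example.com>
Dec 31 00:06:30 mx postfix/smtpd[8930]: NOQUEUE: reject: RCPT from relay.example.com[198.51.100.7]: 450 4.2.0 <bob@example.org>: Recipient address rejected: Greylisted; from=<carol@example.com> to=<bob@example.org> proto=ESMTP helo=<relay.example.com>
Dec 31 00:11:02 mx postfix/smtpd[9013]: NOQUEUE: reject: RCPT from out1.example.net[192.0.2.25]: 450 4.2.0 <bob@example.org>: Recipient address rejected: Greylisted; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<out1.example.net>
Dec 31 00:15:02 mx postfix/smtpd[9092]: NOQUEUE: reject: RCPT from out1.example.net[192.0.2.25]: 450 4.2.0 <bob@example.org>: Recipient address rejected: Greylisted; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<out1.example.net>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 450 .*Greylisted.*"
    r" from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text, year):
    """Yield (timestamp, (client_ip, sender, recipient)) per greylist reject."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # Classic syslog timestamps carry no year, so the caller supplies
            # it; a log that spans New Year needs the year bumped by the caller.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, (m["ip"], m["sender"], m["rcpt"])


def classify_retries(log_text, delay_seconds, year=2010):
    """Map each triple to [(seconds_since_first_attempt, verdict), ...]."""
    attempts = defaultdict(list)
    for ts, triple in parse_rejects(log_text, year):
        attempts[triple].append(ts)

    report = {}
    for triple, times in attempts.items():
        times.sort()
        rows = []
        for i, ts in enumerate(times):
            elapsed = int((ts - times[0]).total_seconds())
            if i == 0:
                verdict = "first_seen"            # expected: new triple is deferred
            elif elapsed < delay_seconds:
                verdict = "retry_before_delay"    # expected: sender came back too soon
            else:
                verdict = "rejected_after_delay"  # unexpected: should have passed
            rows.append((elapsed, verdict))
        report[triple] = rows
    return report


def stuck_triples(log_text, delay_seconds, year=2010):
    """Triples still being deferred after the greylisting delay has elapsed."""
    report = classify_retries(log_text, delay_seconds, year)
    return sorted(
        triple for triple, rows in report.items()
        if any(verdict == "rejected_after_delay" for _, verdict in rows)
    )


if __name__ == "__main__":
    for delay in (300, 600, 900):
        print(f"delay={delay}s stuck={stuck_triples(SAMPLE_LOG, delay)}")
    for triple, rows in classify_retries(SAMPLE_LOG, 300).items():
        print(triple, rows)
```

A `rejected_after_delay` row means Postfix relayed a deferral for a triple the policy service should already know, which is the entry to look up in the greylisting daemon's own log.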


Re: Postfix and Postgrey Part II

2010-12-31 Thread Jeroen Geilman

On 12/31/10 11:26 PM, jason hirsh wrote:


> Dec 31 00:03:02 tuna postfix/smtpd[8857]: NOQUEUE: reject: RCPT from
> snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0
> : Recipient address rejected: Greylisted, see
> http://postgrey.schweikert.ch/help/kasdivi.com.html;
> from= to= proto=ESMTP
> helo=
> Dec 31 00:11:02 tuna postfix/smtpd[9013]: NOQUEUE: reject: RCPT from
> snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0
> : Recipient address rejected: Greylisted, see
> http://postgrey.schweikert.ch/help/kasdivi.com.html;
> from= to= proto=ESMTP
> helo=
> Dec 31 00:15:02 tuna postfix/smtpd[9092]: NOQUEUE: reject: RCPT from
> snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0
> : Recipient address rejected: Greylisted, see
> http://postgrey.schweikert.ch/help/kasdivi.com.html;
> from= to= proto=ESMTP
> helo=

Postfix doesn't control greylisting; look in your postgrey logs for the 
reason it is not being passed.



--
J.



Re: Postfix and Postgrey Part II

2010-12-31 Thread jason hirsh


On Dec 31, 2010, at 5:48 PM, Victor Duchovni wrote:

> On Fri, Dec 31, 2010 at 05:38:17PM -0400, jason hirsh wrote:
>
>> On Dec 31, 2010, at 5:23 PM, Victor Duchovni wrote:
>>
>>> On Fri, Dec 31, 2010 at 05:13:24PM -0400, jason hirsh wrote:
>>>
>>>> I  get repeated  450 4.2.0 : Recipient address rejected:
>>>> Greylisted,
>>>
>>> This log entry is over-redacted. Show *all* log entries for this message
>>> being refused, IN FULL, including dates, client IPs, envelope sender
>>> address, ...
>>
>> Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: FAILURE
>> Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: DELAY
>
> Turn off verbose logging, it is rarely needed.

OK

>> Dec 31 15:24:21 tuna postgrey[1258]: action=greylist, reason=new,
>> client_name=asmtpout029.mac.com, client_address=17.148.16.104,
>> sender=kasd...@mac.com, recipien
>
> This log entry appears truncated. This said, I only asked for the
> Postfix reject log entries, i.e. the one below:
>
>> Dec 31 15:24:21 tuna postfix/smtpd[2514]: NOQUEUE: reject: RCPT from
>> asmtpout029.mac.com[17.148.16.104]: 450 4.2.0 :
>> Recipient address rejecte
>
> Where is the rest of this log entry, it too is truncated...  Where are
> the other instances of this same client/sender/recipient triple being
> rejected?

Dec 31 00:03:02 tuna postfix/smtpd[8857]: NOQUEUE: reject: RCPT from
snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/kasdivi.com.html
; from= to= proto=ESMTP
helo=
Dec 31 00:11:02 tuna postfix/smtpd[9013]: NOQUEUE: reject: RCPT from
snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/kasdivi.com.html
; from= to= proto=ESMTP
helo=
Dec 31 00:15:02 tuna postfix/smtpd[9092]: NOQUEUE: reject: RCPT from
snt0-omc1-s51.snt0.hotmail.com[65.54.61.88]: 450 4.2.0 >: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/kasdivi.com.html
; from= to= proto=ESMTP
helo=

and so forth until i turned off postgrey

> Do you have a backup MX host? Does the backup MX enforce greylisting?

No and therefore no

> --
> Viktor.




Re: Postfix and Postgrey Part II

2010-12-31 Thread Victor Duchovni
On Fri, Dec 31, 2010 at 05:38:17PM -0400, jason hirsh wrote:

>
> On Dec 31, 2010, at 5:23 PM, Victor Duchovni wrote:
>
>> On Fri, Dec 31, 2010 at 05:13:24PM -0400, jason hirsh wrote:
>>
>>> I  get repeated  450 4.2.0 : Recipient address 
>>> rejected:
>>> Greylisted,
>>
>> This log entry is over-redacted. Show *all* log entries for this message
>> being refused, IN FULL, including dates, client IPs, envelope sender
>> address, ...
>>
>
> Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: FAILURE
> Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: DELAY
> 

Turn off verbose logging, it is rarely needed.

> Dec 31 15:24:21 tuna postgrey[1258]: action=greylist, reason=new, 
> client_name=asmtpout029.mac.com, client_address=17.148.16.104, 
> sender=kasd...@mac.com, recipien

This log entry appears truncated. This said, I only asked for the
Postfix reject log entries, i.e. the one below:

> Dec 31 15:24:21 tuna postfix/smtpd[2514]: NOQUEUE: reject: RCPT from 
> asmtpout029.mac.com[17.148.16.104]: 450 4.2.0 : 
> Recipient address rejecte

Where is the rest of this log entry, it too is truncated...  Where are
the other instances of this same client/sender/recipient triple being
rejected?

Do you have a backup MX host? Does the backup MX enforce greylisting?

-- 
Viktor.


Re: Postfix and Postgrey Part II

2010-12-31 Thread jason hirsh


On Dec 31, 2010, at 5:23 PM, Victor Duchovni wrote:

> On Fri, Dec 31, 2010 at 05:13:24PM -0400, jason hirsh wrote:
>
>> I  get repeated  450 4.2.0 : Recipient address rejected:
>> Greylisted,
>
> This log entry is over-redacted. Show *all* log entries for this message
> being refused, IN FULL, including dates, client IPs, envelope sender
> address, ...

Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: FAILURE
Dec 31 15:24:21 tuna postfix/smtpd[2514]: name_mask: DELAY

Dec 31 15:24:21 tuna postgrey[1258]: action=greylist, reason=new,  
client_name=asmtpout029.mac.com, client_address=17.148.16.104, sender=kasd...@mac.com 
, recipien
Dec 31 15:24:21 tuna postfix/smtpd[2514]: 127.0.0.1:10023: wanted  
attribute: action

Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute name: action
Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute value:  
DEFER_IF_PERMIT 4.2.0 Greylisted, see http://postgrey.schweikert.ch/help/kasdivi.com.html
Dec 31 15:24:21 tuna postfix/smtpd[2514]: 127.0.0.1:10023: wanted  
attribute: (list terminator)

Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute name: (end)
Dec 31 15:24:21 tuna postfix/smtpd[2514]: check_table_result: inet: 
127.0.0.1:10023 DEFER_IF_PERMIT 4.2.0 Greylisted, see http://postgrey.schweikert.ch/help/kasdi
Dec 31 15:24:21 tuna postfix/smtpd[2514]: generic_checks:  
name=check_policy_service status=0
Dec 31 15:24:21 tuna postfix/smtpd[2514]: >>> END Recipient address  
RESTRICTIONS <<<
Dec 31 15:24:21 tuna postfix/smtpd[2514]: NOQUEUE: reject: RCPT from  
asmtpout029.mac.com[17.148.16.104]: 450 4.2.0 :  
Recipient address rejecte
Dec 31 15:24:21 tuna postfix/smtpd[2514]: >  
asmtpout029.mac.com[17.148.16.104]: 450 4.2.0 :  
Recipient address rejected: Greylisted, see http:/
Dec 31 15:24:21 tuna postfix/smtpd[2514]: <  
asmtpout029.mac.com[17.148.16.104]: DATA
Dec 31 15:24:21 tuna postfix/smtpd[2514]: >  
asmtpout029.mac.com[17.148.16.104]: 554 5.5.1 Error: no valid recipients
Dec 31 15:24:21 tuna postfix/smtpd[2514]: <  
asmtpout029.mac.com[17.148.16.104]: QUIT
Dec 31 15:24:21 tuna postfix/smtpd[2514]: >  
asmtpout029.mac.com[17.148.16.104]: 221 2.0.0 Bye
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostname:  
asmtpout029.mac.com ~? 127.0.0.0/8
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostaddr:  
17.148.16.104 ~? 127.0.0.0/8
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostname:  
asmtpout029.mac.com ~? 209.160.65.133
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostaddr:  
17.148.16.104 ~? 209.160.65.133
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostname:  
asmtpout029.mac.com ~? 209.160.68.112
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_hostaddr:  
17.148.16.104 ~? 209.160.68.112
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_list_match:  
asmtpout029.mac.com: no match
Dec 31 15:24:21 tuna postfix/smtpd[2514]: match_list_match:  
17.148.16.104: no match

Dec 31 15:24:21 tuna postfix/smtpd[2514]: send attr request = disconnect
Dec 31 15:24:21 tuna postfix/smtpd[2514]: send attr ident = smtp: 
17.148.16.104
Dec 31 15:24:21 tuna postfix/smtpd[2514]: private/anvil: wanted  
attribute: status

Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute name: status
Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute value: 0
Dec 31 15:24:21 tuna postfix/smtpd[2514]: private/anvil: wanted  
attribute: (list terminator)

Dec 31 15:24:21 tuna postfix/smtpd[2514]: input attribute name: (end)
Dec 31 15:24:21 tuna postfix/smtpd[2514]: disconnect from  
asmtpout029.mac.com[17.148.16.104]

Dec 31 15:24:21 tuna postfix/smtpd[2514]: master_notify: status 1
Dec 31 15:24:21 tuna postfix/smtpd[2514]: connection closed





Re: Postfix and Postgrey Part II

2010-12-31 Thread Victor Duchovni
On Fri, Dec 31, 2010 at 05:13:24PM -0400, jason hirsh wrote:

> I  get repeated  450 4.2.0 : Recipient address rejected: 
> Greylisted,

This log entry is over-redacted. Show *all* log entries for this message
being refused, IN FULL, including dates, client IPs, envelope sender
address, ...

-- 
Viktor.


Postfix and Postgrey Part II

2010-12-31 Thread jason hirsh
OK Everyone was such a help that I am back.. I got a new server and
thought things were going great

The issue is Postgrey keeps bouncing the same message. I have tried
to debug using my mac.com, comcast.net, hotmail.com;
in all instances it kept bouncing the mail until I entered the server
in the white

FreeBSD 8.0

Postgrey is running as follows:
postgrey  1258  0.0  1.0 12196 10144  ??  Ss    3:05PM   0:00.21 /usr/local/sbin/postgrey --pidfile=/var/run/postgrey.pid --inet=10023 -d --user=postgrey --group=postgrey --dbd

postconf -n

body_checks = regexp:/usr/local/etc/postfix/body_check
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
daemon_timeout = 36000s
data_directory = /var/db/postfix
delay_warning_time = 2h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
mail_spool_directory = /var/mail/vmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains = bl.spamcop.net
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8, 209.160.65.133, 209.160.68.112
newaliases_path = /usr/local/bin/newaliases
readme_directory = /usr/local/share/doc/postfix
receive_override_options = no_address_mappings
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner = Hi This is the Ocean Window - BV
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks,check_helo_access hash:/usr/local/etc/postfix/helo_access,reject_invalid_hostname,reject_unknown_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net,check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostnamebroken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /usr/local/etc/keys/root.crt
smtpd_tls_cert_file = /usr/local/etc/keys/server.cert
smtpd_tls_key_file = /usr/local/etc/keys/private.key
smtpd_tls_loglevel = 5
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:1003

Maillog shows postgrey is trying but not learning

I  get repeated  450 4.2.0 : Recipient address  
rejected: Greylisted,


any thoughts???









Re: 'include' contents of another file in mysql_*.cf (or other) maps?

2010-12-31 Thread Victor Duchovni
On Fri, Dec 31, 2010 at 03:03:03PM -0500, Charles Marcus wrote:

> On 2010-12-29 12:45 PM, Victor Duchovni wrote:
> > On Wed, Dec 29, 2010 at 08:29:18AM -0500, Charles Marcus wrote:
> >> I was wondering if it is possible to 'include' the contents of a file in
> >> the mysql*.cf map files (although I guess if you can with these you can
> >> with others)...
> 
> > Use make(1) (and/or if you miss Sendmail's .mc files, m4) to construct
> > the target file from multiple input files.
> > 
> > M4 = m4
> > mv = mv
> > .SUFFIXES: .cf .mc
> > .mc.cf:
> > ${RM} $...@.tmp
> > ${M4} $< > $...@.tmp
> > ${MV} $...@.tmp $@
> 
> I've been meaning to learn how to use make files to automate things like
> this, so maybe I'll have time after the holidays to do so...

If you do use my sample Makefile, its "mv = mv" macro needs to use
upper-case "MV = mv" for the variable name.

-- 
Viktor.


Re: 'include' contents of another file in mysql_*.cf (or other) maps?

2010-12-31 Thread Charles Marcus
On 2010-12-29 12:45 PM, Victor Duchovni wrote:
> On Wed, Dec 29, 2010 at 08:29:18AM -0500, Charles Marcus wrote:
>> I was wondering if it is possible to 'include' the contents of a file in
>> the mysql*.cf map files (although I guess if you can with these you can
>> with others)...

> Use make(1) (and/or if you miss Sendmail's .mc files, m4) to construct
> the target file from multiple input files.
> 
>   M4 = m4
>   mv = mv
>   .SUFFIXES: .cf .mc
>   .mc.cf:
>   ${RM} $...@.tmp
>   ${M4} $< > $...@.tmp
>   ${MV} $...@.tmp $@

>> The reason I ask is, it would be nice when changing auth databases
>> (which I'm doing now), to just edit one file that contains the db access
>> information (user, password, hosts, db_name), and have all of the other
>> maps immediately pick up the change(s).
>>
>> Yes, I know I can change the contents of all of the files with a simple
>> script, but I'm just curious if this can be done.

> Postfix does not implement any "include" mechanisms.

Thanks for the confirmation Victor (and mouss)...

I've been meaning to learn how to use make files to automate things like
this, so maybe I'll have time after the holidays to do so...

Thanks

-- 

Best regards,

Charles


Re: Postfix queue in Mysql ?

2010-12-31 Thread Charles Marcus
On 2010-12-29 10:14 AM, Joan Moreau wrote:
> But I have no " car to fix" . What is that story about ?

In your first post, you vaguely described a 'problem':


"the postfix queue manager (qmgr) is taking far too much resources when
the number of email pending is growing."

> Now, I did not rule out anything in any email.

Yes you did:

"(don't tell me "dbmail", I want to keep my dovecot imap/pop server)"

You also said:

"(yes, a file system is made for storing files, but it is not at all
made to execute queries on the file tree (hey, it is a tree! not a rdbms )"

which suggests that you feel a need to do lots of queries on the postfix
queue - which suggests that you have [a] problem[s] that need to be fixed.

> Can you just tell me how to put the mailing queue in a DB (mysql
> database in my case) ?

For the 5th or 6th time: IT IS NOT POSSIBLE.

Now, if you would like some help with fixing the actual *problem[s]*
(messages piling up in your queue[s]), please follow the instructions you
were given in the welcome message you received when you joined the list:

TO REPORT A PROBLEM see:
http://www.postfix.org/DEBUG_README.html#mail

This usually means postfix version, output of postconf -n and unedited
NON-verbose (unless verbose are specifically requested by someone
helping you) logs exhibiting the problem. Other details, like contents
of master.cf, and maybe even platform/OS details may be necessary for
certain issues.

-- 

Best regards,

Charles


Re: Relay restrictions

2010-12-31 Thread Victor Duchovni
On Fri, Dec 31, 2010 at 12:52:04PM -0600, michael.lar...@wellsfargo.com wrote:

> Thanks for your reply. How does this configuration determine if all
> mail from a client should be relayed, or only the mail allowed by the
> allowed-sender/allowed-recipient rules? There are some hosts I don't
> want subjected to those rules.

Clients that are listed in the CIDR table (above the 0.0.0.0/0 catchall
at the bottom of the file) with a "permit" action, can do as they please.

At your request, this configuration never rejects mail; if the sender
and recipient are both "special", mail is relayed from any client. Otherwise,
mail is discarded if it is not from a specifically authorized client.

> > In that case change the client restrictions to "OR", but keep sender
> > and recipient as "AND".
> > 
> > main.cf:
> > 
> > indexed = ${default_database_type}:${config_directory}/
> > cidr = cidr:${config_directory}/
> > 
> > smtpd_restriction_classes = discard_all
> > discard_all = static:discard
> > 
> > smtpd_sender_restrictions =
> > check_sender_access ${indexed}allowed-senders
> > check_client_access ${cidr}allowed-clients,
> > 
> > smtpd_recipient_restrictions =
> > check_recipient_access ${indexed}allowed-recipients,
> > check_client_access ${cidr}allowed-clients,
> > #
> > # Required to appease validation logic, in-practice,
> > # allowed-clients will permit all IPs, some to deliver
> > # and the rest to discard.
> > #
> > reject
> > 
> > allowed-clients:
> > 192.0.2.1   permit
> > 0.0.0.0/0   discard_all, permit
> 
> -- 
>   Viktor.
> 

-- 
Viktor.
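
Added example, not part of the thread: a simplified Python model of how the two restriction lists in the quoted main.cf combine into the behaviour described above (sender AND recipient allowed, OR a permitted client). The table contents and the `disposition` helper are constructed for illustration, and the model covers only the actions this configuration uses.

```python
import ipaddress

# Constructed table contents; only the structure follows the quoted main.cf.
ALLOWED_SENDERS = {"reports@example.com"}        # allowed-senders
ALLOWED_RECIPIENTS = {"ops@example.net"}         # allowed-recipients
ALLOWED_CLIENTS = [                              # allowed-clients, first match wins
    ("192.0.2.1/32", ["permit"]),
    ("0.0.0.0/0", ["discard_all", "permit"]),
]


def check_sender_access(msg):
    return ["OK"] if msg["sender"] in ALLOWED_SENDERS else []


def check_recipient_access(msg):
    return ["OK"] if msg["recipient"] in ALLOWED_RECIPIENTS else []


def check_client_access(msg):
    addr = ipaddress.ip_address(msg["client"])
    for cidr, actions in ALLOWED_CLIENTS:
        if addr in ipaddress.ip_network(cidr):
            return actions
    return []            # no match: move on to the next restriction


def reject(msg):
    return ["reject"]


SENDER_RESTRICTIONS = [check_sender_access, check_client_access]
RECIPIENT_RESTRICTIONS = [check_recipient_access, check_client_access, reject]


def run_list(restrictions, msg):
    """Evaluate one restriction list; return (verdict, discard_flag)."""
    discard = False
    for restriction in restrictions:
        for action in restriction(msg):
            if action == "discard_all":      # restriction class: static:discard
                discard = True               # message is marked for silent discard
            elif action in ("OK", "permit"):
                return "permit", discard     # first decisive answer ends the list
            elif action == "reject":
                return "reject", discard
    return "permit", discard                 # nothing matched: no objection


def disposition(client, sender, recipient):
    """Return 'relay', 'discard' or 'reject' for one envelope (model only)."""
    msg = {"client": client, "sender": sender, "recipient": recipient}
    discard = False
    for restrictions in (SENDER_RESTRICTIONS, RECIPIENT_RESTRICTIONS):
        verdict, flagged = run_list(restrictions, msg)
        if verdict == "reject":
            return "reject"
        discard = discard or flagged
    return "discard" if discard else "relay"


if __name__ == "__main__":
    cases = [
        ("192.0.2.1", "anyone@example.org", "anyone@example.org"),
        ("198.51.100.9", "reports@example.com", "ops@example.net"),
        ("198.51.100.9", "reports@example.com", "anyone@example.org"),
        ("198.51.100.9", "anyone@example.org", "ops@example.net"),
        # An IPv6 client matches neither CIDR line, so in this model the
        # recipient list runs through to its final "reject".
        ("2001:db8::1", "anyone@example.org", "anyone@example.org"),
    ]
    for case in cases:
        print(case, "->", disposition(*case))
```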


RE: Relay restrictions

2010-12-31 Thread Michael.Larsen
Thanks for your reply. How does this configuration determine if all mail from a 
client should be relayed, or only the mail allowed by the 
allowed-sender/allowed-recipient rules? There are some hosts I don't want 
subjected to those rules.


-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Victor Duchovni
Sent: Friday, December 31, 2010 12:43 PM
To: postfix-users@postfix.org
Subject: Re: Relay restrictions

On Fri, Dec 31, 2010 at 12:24:13PM -0600, michael.lar...@wellsfargo.com wrote:

> Thanks again for trying to help, Viktor, but I'm unable to ascertain
> how your suggested configuration fulfills my goal. It appears to me that
> your config discards mail from all clients unless they're listed in the
> allowed-clients table.

No, this is not the case, when the sender is allowed and the recipient
is allowed. Both conditions are checked first. Since both return "OK"
the client condition is not checked when both succeed.

> In that case change the client restrictions to "OR", but keep sender
> and recipient as "AND".
> 
> main.cf:
> 
>   indexed = ${default_database_type}:${config_directory}/
>   cidr = cidr:${config_directory}/
> 
>   smtpd_restriction_classes = discard_all
>   discard_all = static:discard
> 
>   smtpd_sender_restrictions =
>   check_sender_access ${indexed}allowed-senders
>   check_client_access ${cidr}allowed-clients,
> 
>   smtpd_recipient_restrictions =
>   check_recipient_access ${indexed}allowed-recipients,
>   check_client_access ${cidr}allowed-clients,
>   #
>   # Required to appease validation logic, in-practice,
>   # allowed-clients will permit all IPs, some to deliver
>   # and the rest to discard.
>   #
>   reject
> 
> allowed-clients:
>   192.0.2.1   permit
>   0.0.0.0/0   discard_all, permit

-- 
Viktor.


Re: Relay restrictions

2010-12-31 Thread Victor Duchovni
On Fri, Dec 31, 2010 at 12:24:13PM -0600, michael.lar...@wellsfargo.com wrote:

> Thanks again for trying to help, Viktor, but I'm unable to ascertain
> how your suggested configuration fulfills my goal. It appears to me that
> your config discards mail from all clients unless they're listed in the
> allowed-clients table.

No, this is not the case, when the sender is allowed and the recipient
is allowed. Both conditions are checked first. Since both return "OK"
the client condition is not checked when both succeed.

> In that case change the client restrictions to "OR", but keep sender
> and recipient as "AND".
> 
> main.cf:
> 
>   indexed = ${default_database_type}:${config_directory}/
>   cidr = cidr:${config_directory}/
> 
>   smtpd_restriction_classes = discard_all
>   discard_all = static:discard
> 
>   smtpd_sender_restrictions =
>   check_sender_access ${indexed}allowed-senders
>   check_client_access ${cidr}allowed-clients,
> 
>   smtpd_recipient_restrictions =
>   check_recipient_access ${indexed}allowed-recipients,
>   check_client_access ${cidr}allowed-clients,
>   #
>   # Required to appease validation logic, in-practice,
>   # allowed-clients will permit all IPs, some to deliver
>   # and the rest to discard.
>   #
>   reject
> 
> allowed-clients:
>   192.0.2.1   permit
>   0.0.0.0/0   discard_all, permit

-- 
Viktor.


RE: Relay restrictions

2010-12-31 Thread Michael.Larsen
Thanks again for trying to help, Viktor, but I'm unable to ascertain how your 
suggested configuration fulfills my goal. It appears to me that your config 
discards mail from all clients unless they're listed in the allowed-clients 
table. This isn't what I'm after. What I'm after is for all clients to be 
allowed to relay, but only certain ones be allowed to relay everything sent by 
them, and the rest be allowed to relay mail sent only by specific senders to 
specific recipients. I don't see where the "AND" part is for evaluation between 
allowed-senders and allowed-recipients. It appears to me that in this 
configuration, allowed-senders and allowed-recipients are evaluated 
independently. Can you explain what I'm missing?


-----Original Message-----
From: Victor Duchovni [mailto:victor.ducho...@morganstanley.com] 
Sent: Thursday, December 30, 2010 2:43 PM
To: Larsen, Michael W.
Cc: postfix-users@postfix.org
Subject: Re: Relay restrictions

On Thu, Dec 30, 2010 at 02:09:57PM -0600, michael.lar...@wellsfargo.com wrote:

> Perhaps I misunderstood, but you said:
> 
> > With this all mail is discarded unless *all* (my emphasis) the conditions 
> > below are met:
> > 
> > - From an allowed SMTP client (IP address CIDR table)
> > - From an allowed envelope sender (indexed via postmap lookup table)
> > - To an allowed envelope recipient (indexed via postmap lookup 
> > table)
> 
> Which isn't what I want. For hosts in client_access, I don't want any
> sender/recipient evaluation - I just want it to flow through - all of
> it. For hosts not in client_access, I want it assumed they're allowed,
> but the sender/recipient restrictions asserted.

In that case change the client restrictions to "OR", but keep sender
and recipient as "AND".

main.cf:

  indexed = ${default_database_type}:${config_directory}/
  cidr = cidr:${config_directory}/

  smtpd_restriction_classes = discard_all
  discard_all = static:discard

  smtpd_sender_restrictions =
      check_sender_access ${indexed}allowed-senders
      check_client_access ${cidr}allowed-clients,

  smtpd_recipient_restrictions =
      check_recipient_access ${indexed}allowed-recipients,
      check_client_access ${cidr}allowed-clients,
      #
      # Required to appease validation logic, in-practice,
      # allowed-clients will permit all IPs, some to deliver
      # and the rest to discard.
      #
      reject

allowed-clients:
  192.0.2.1   permit
  0.0.0.0/0   discard_all, permit

-- 
Viktor.


Re: Available: preliminary postscreen STARTTLS support

2010-12-31 Thread Wietse Venema
Wietse Venema:
> Wietse Venema:
> > I have built an event-driven TLS proxy for postscreen(8).  This
> > addresses the problem that postscreen(8) could not be used when
> > SMTP clients require STARTTLS support.
> > 
> > The new daemon is called starttlsd(8). When a non-whitelisted (*)
> > SMTP client sends a STARTTLS command, postscreen(8) will hand off
> > the connection to starttlsd(8) and read/write the plaintext to/from
> > starttlsd(8).
> > 
> > The challenge was that one starttlsd(8) must be able to handle the
> > TLS <=> plaintext translation for more than one SMTP client, but
> > thanks to careful planning, it worked out of the box.
> 
> This is uploaded as postfix-2.8-20101230-nonprod. The code has had
> limited testing, so keep an eye on things if you intend to expose
> it to the network.

Updated to postfix-2.8-20101231-nonprod, with minor fixes from
Victor and Christian, and with extra safety nets against deadlock
that will hopefully never be needed.

Wietse


Re: with sasl authentication the username in sent twice

2010-12-31 Thread Stan Hoeppner
Rob van Dam put forth on 12/30/2010 3:25 PM:

> Seems Centos 5.5 is shipping an old version of Postfix.

Debian Stable has a reputation of shipping with dinosaur packages.
CentOS ships with stuff that existed before the first DNA chains
appeared in the primordial soup. :)

Luckily for you Simon Mudd makes newer Postfix RPMs for RHEL/CentOS:

http://postfix.wl0.org/en/available-packages/

You'll want the Postfix 2.5 package for RHEL5.


-- 
Stan


Re: Available: preliminary postscreen STARTTLS support

2010-12-31 Thread Wietse Venema
Christian Roessner:
> Hi,
> 
> > This is uploaded as postfix-2.8-20101230-nonprod. The code has had
> > limited testing, so keep an eye on things if you intend to expose
> > it to the network.
> 
> Minor questions:
> 
> postfix/tlsproxy[30864]: CONNECT [2a01:4f8:120:31e2::165]51824

Right. This is the result from a late change while cleaning up
the internal protocols.

> It is just, because I saw it: Missing ":" between address and
> port. And by the way: For postscreen and dnsblog and ... are you
> planning on making these modules behave like $smtpd_client_port_logging
> (default: no) ?

This is not an option. postscreen(8) and tlsproxy(8) programs MUST
log the client port number, otherwise their logging becomes
incomprehensible. With smtpd(8), you can still distinguish between
different sessions from the same client by the smtpd(8) process ID.

> And one minor thing. When rebuilding Ubuntu packages for the
> 20101230-nonprod, I reviewed master.cf for the tlsproxy line. I
> added it with a comment sign, read from the POSTSCREEN_README. The
> current master.cf is missing it.

The POSTFIX post-install procedure adds the missing line. If UBUNTU
does not use the POSTFIX post-install procedure, then they deserve
the pain of having to duplicate its functionality. This includes
duplicating the code that adds lines that weren't present in
previously installed configuration files, and duplicating the code
that installs and sets permissions on files (e.g. executables or
manpages) that were not present in previous Postfix versions.

Wietse

> So far, hope you don't mind my little comments :-)
> 
> I wish you all a good change from old->new year.
> 
> Christian
> 
> ---
> Roessner-Network-Solutions
> Bachelor of Science Informatik
> Nahrungsberg 81, 35390 Gießen
> F: +49 641 5879091, M: +49 176 93118939
> USt-IdNr.: DE225643613
> http://www.roessner-network-solutions.com
> 
> 
> 



Re: Available: preliminary postscreen STARTTLS support

2010-12-31 Thread Christian Roessner
Hi,

> This is uploaded as postfix-2.8-20101230-nonprod. The code has had
> limited testing, so keep an eye on things if you intend to expose
> it to the network.

Minor questions:

postfix/tlsproxy[30864]: CONNECT [2a01:4f8:120:31e2::165]51824

It is just, because I saw it: Missing ":" between address and port. And by the 
way: For postscreen and dnsblog and ... are you planning on making these 
modules behave like $smtpd_client_port_logging (default: no) ?

And one minor thing. When rebuilding Ubuntu packages for the 20101230-nonprod, 
I reviewed master.cf for the tlsproxy line. I added it with a comment sign, 
read from the POSTSCREEN_README. The current master.cf is missing it.

So far, hope you don't mind my little comments :-)

I wish you all a good change from old->new year.

Christian

---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



Re: with sasl authentication the username in sent twice

2010-12-31 Thread Rob van Dam
Postfix works perfectly now. Thank you SkykingOH on the 
http://fonality.com/trixbox/forums/trixbox-ce-development-forum/general-development/postfix-sasl-related-problem#comment-182659 
forum for instructions how to update postfix on Centos.


And of course a big thanks here for helping me to find out what actually 
the problem was.


Rob


On 30-12-10 22:25, Rob van Dam wrote:

On 30-12-10 21:44, Victor Duchovni wrote:
> On Thu, Dec 30, 2010 at 09:32:48PM +0100, Rob van Dam wrote:
>
>>> What is the output from
>>>
>>>   postconf mail_version
>>>
>>> As documented this parameter was introduced with Postfix 2.4.4.
>>>
>>> Wietse
>>>
>> Hello Wietse,
>>
>> I just posted that my Postfix was too old, when I got this mail. I have
>> Postfix version 2.3.3. Is there a workaround for older versions?
> If you need this feature you need 2.4.4 or later.
>

Hello Viktor,

I will look if I can update Postfix on the Trixbox. Seems Centos 5.5 
is shipping an old version of Postfix.


Thanks for the help.

Rob