Re : Re : Re : Re : Re : Re : Re : slow transport, master.cf and maxproc value

[myrdhin bzh]

Hello,


> From: Stan Hoeppner
> 
> My spammer RADAR is beeping...

:)

No, it's not SPAM.

My client have a domain (for example clientDomain.tld) and a SMTP server. This 
server rewrite all email addresses from firstname.surn...@clientdomain.tld to 
firstname.surname-clientdomaine@zedomain.tld (zeDomain.tld is the 
problem...). My client have some internal lists too. When he send a mail to one 
of his internal list, for example servi...@clientdomain.tld, this mail is sent 
to fn1.n-clientdomaine@zedomain.tld, fn2.n-clientdomaine@zedomain.tld, 
etc. Sometime, the message :

smtp.zeDomain.tld[xxx.xxx.xxx.xxx] refused to talk to me: 421 mwinf5c20 ME Trop 
de connexions, veuillez verifier votre configuration. Too many connections, 
slow 

down. OFR004_104 [104]


In fact, zeDomain.tld is a french know domain : wanadoo.fr (and orange.fr). :( 
Wanadoo has changed his configuration last december 2010 and a lot of problem 
appears (cf in french 
http://entraide.orange.fr/assistance/messages/index/35320/messagerie-plus-aucun-email-ne-rentre-chez-107-000-utilisateurs-orange-fr.html?dub=2).



I'm not the only one who have this problem but orange/wanadoo not responding...
-- 
Myrdhin,

Looking for instructions on how to configure home server as a restricted relay host

[Reid Thompson]

What I would like to do:
Configure my home postfix server (ubuntu) to:
  send email from local user accounts
  accept external (through my cable modem) smtp requests/relay mail for 
only authorized senders
 I.E. when I'm using a public internet connection, i'd like to have 
my smtp requests go through my home server


Could someone point me to a website describing how to configure this?

thanks,
reid

Re: Pcre header checks

[mouss]

Le 07/03/2011 00:39, Erik de Castro Lopo a écrit :
> Hi all,
> 
> I'm running postfix version 2.8.1 from Debian.
> 
> I've got basic pcre header checks working as they should. I'm trying
> to reject mail that has a DKIM signature that says its from att.net
> but a Message-ID ending in 'yahoo.com'.
> 
> I've got this:
> 
> if /^DKIM-Signature: .*; d\=att.net;/i
> /^Message-ID: .*\.yahoo\.com>/i  REJECT
> endif
> 
> but it doesn't seem to work. Clues?
> 

Obviously, no header can simultaneously start with" DKIM-Signature" and
"Message-ID".

hint: header checks apply to headers, one at at a time.

if you want multi-header checks, then you need a content filter or a miler.

Re: Kernel Oops

[mouss]

Le 05/03/2011 16:32, Stan Hoeppner a écrit :
> mouss put forth on 3/5/2011 7:20 AM:
>> Le 05/03/2011 00:18, Stan Hoeppner a écrit :
> 
>>> /^.*\.(dyn|dhcp)\.embarqhsd\.net$/  REJECT Please use ISP relay
>>>
> 
>> you can simplify that:
>> /\.(dyn|dhcp)\.embarqhsd\.net$/  REJECT Please use ISP relay
>>
>> more generally /^.* is never needed.
> 
> Does this expression correctly match a longer string when used as:
> check_reverse_client_hostname_access pcre:/etc/postfix/foo.pcre
> 

/^.*foo/
means "it starts with something followed by foo". and this is the same
thing as "it contains foo", which is represented by
/foo/

more generally
/^.*whatever/
is the same as
/whatever/

and looking at the other side:
/foo.*$/
is the same as
/foo/

so whenever you see /^.*xyz/ or /xyz.*$/, you know something is useless...

> The actual FQrDNS strings in my example network will be of the form:
> fl-65-40-2-201.dyn.embarqhsd.net
> tx-67-232-101-101.dhcp.embarqhsd.net

well, you know I know these:) we all got spam from these...

> 
> I was of the impression that a preceding wild card is required if not
> using fully qualified expressions, but simply trying to match only a
> substring at the back end of the line.
> 
>> anyway, this example is too simple and can be replaced with 2 cdb entries:
>> .dyn.embarqshd.net   REJECT ...
>> .dhcp.embarqshd.net  REJECT ...
> 
> I just realized I erred in my original thought process leading to my
> example.  I started out thinking of banning blocks of IPs, and how using
> a PCRE matching rDNS patterns can shrink an equivalent IP subnet hash
> table or CIDR table dramatically. 

1) first use IP ranges.
2) then domains (hash/cdb)
for example:
.alshamil.net.aeREJECT blah blah
because there is no point to try to match something like
auh-b113917.alshamil.net.ae

3) then use regular expressions, but only when IPs and domains aren't
the way to go.



> I was strictly thinking of a hash
> table full of IP subnets.

no. IPs and domains are different things.

>  For some reason using host names in a hash
> table slipped my mind (hand to forehead).  One could just as easily do
> this with hash table.  So yes, this wasn't the greatest example.  A
> better example would have been an ISP that uses goofy multiple rDNS
> conventions, possibly due to mergers, etc, such as:
> 
> 10-1-2-3.dhcp.[state-abbr].isp.net
> 10-2-3-4.dyn.[city-name].isp.net
> 10-3-4-5.res.[state-abbr].isp.net
> 10-4-5-6-dynamic.[city-name].isp.net
> etc
> 
> A PCRE table would definitely have a smaller memory footprint (the
> current thread focus) in this example than an equivalent hash or cdb
> table. 

depends what we talk about. don't forget that the constant in O(N) may
be too large, that is O(N) applies when N is very very large (for
example 345*N is O(N) but is still less than N^2 for small N).

> And doing this with a CIDR would likely be smaller than hash or
> cdb as well, 

cidr is about IPs. hash/cdb/pcre is about names. these are different
things and you know that. use each as appropriate.

> given the number of cities and states that such as ISP
> would be operating in, which would kick the total number of rDNS
> patterns into the hundreds.


if the ISP makes it too much, then you should reduce it:
.embarqhsd.net  REJECT blah blah



> 
>> a "better" example would be
>> /(\W\d+){4}\..*\.embarqhsd\.net$/REJECT ...
> 
> "Better" in what way? 

in the sense that this can't be represented using hash or the like.

> Does this get processed using significantly less
> cycles or with significant memory footprint savings?  Your example is
> incomprehensible to non regex experts (myself included).  I had to hit
> my regex docs to understand this syntax choice.  Non experts at least
> have a fighting chance at deciphering my original example mouss. :)
> 

I believe

.embarqhsd.net  REJECT blah blah

is better.




> Thanks in advance for the anticipated forthcoming regex education.
> 

Re: Re : Re : Re : Re : Re : Re : slow transport, master.cf and maxproc value

[Stan Hoeppner]

myrdhin bzh put forth on 3/6/2011 5:33 PM:
> Really, thank you for your patience :) I have difficulty understanding 
> perfectly 
> English...
> 
> 
> 
>> No, the *process* limit of "3" is implemented in master(8), which spawns 
>> processes on demand, up to the process limit. The concurrency limit 
>> (parallel 
>> deliveries to a single destination domain) is enforced in the queue-manager. 
>> The 
>> queue manager concurrency limit is a maximum, the actual concurrency will be 
>> lower when the master(8) daemon process limit is reached, or mail arrival is 
>> not 
>> high enough to reach peak concurrency.
> 
> So in my conf :
> 
> + transport :
>   zedomain.tldslow:
> 
> + main.cf :
>   transport_maps = hash:/etc/postfix/transport
>   slow_destination_concurrency_limit = 2
> 
> + master.cf :
>   slowunix  -  -  n  -  3 smtp -o smtp_connection_cache_on_demand=no
> 
> 
> Can i replace the '3' with a '-' like this :
>   slowunix  -  -  n  -  - smtp -o smtp_connection_cache_on_demand=no
> 
> I'm really confused about this configuration... I can't find the right 
> optimized 
> configuration...
> 
> To know DNS informations  about zedomain.tld SMTP servers, I executed this 
> command : 
> 
>   user# dig smtp.zedomain.tld A
> 
> I have 10 responses (round robin) :
>   ;; ANSWER SECTION:
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x01
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x02
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x03
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x04
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x05
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x06
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x07
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x08
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x09
>   smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x10
> 
> I know (and i tested) each smtp.zedomain.tld servers can only accept 3 max 
> concurrency connections : 3 for the xxx.xxx.xxx.x01, 3 for xxx.xxx.xxx.x02, 
> etc. 
> So I could make up to 30 concurrency connections but i would like to force 3 
> per 
> servers.
> 
> If i configure like this :
>   + main.cf :  slow_destination_concurrency_limit = 30
>   + master.cf :  slowunix  -  -  n  -  - smtp -o 
> smtp_connection_cache_on_demand=no
> 
> is it good ? If i have 22 mails for zedomain.tld, 'smtp's should send mails 
> to 
> the smtp.zedomain.tld in this order (with the 
> smtp_connection_cache_on_demand=no 
> option):

My spammer RADAR is beeping...

myrdhin bzh, what is your motivation here?  It appears you are trying to
setup your single Postfix server to push the maximum amount of mail per
second into some number of undisclosed domains that have multiple MX
hosts, by getting around their per MX host restrictions.  This isn't
something white hat mail OPs typically do.

If you have a large volume of legit mail for a single domain, and that
domain is limiting your delivery rate, causing _problems_ for your
systems, you should contact the mail OPs at that domain(s) and _ask_
them how best to address your problem.  Attempting to circumvent their
countermeasures is a good way to get yourself permanently blacklisted by
them.

-- 
Stan

Re: posfix rejected from google server

[Peter Evans]

   Just out of curiosity, can you try to send mail directly to me?
   After you have removed yourself, it should take less than about an hour to 
clear from the CBL + PBL.

   Then mail should go through.

Received: from 108.234.broadband4.iol.cz (108.234.broadband4.iol.cz 
[85.71.234.108])

   appears to be you.

IP Address 85.71.234.108 is listed in the CBL. It appears to be infected with a 
spam sending trojan or proxy. It was last detected at 2011-03-01 07:00 GMT (+/- 
30 minutes), approximately 5 days, 16 hours, 59 minutes ago.


   It appears you have fixed that (or it was never you), so you should go ahead 
and

   click on the "remove me" stuff for the cbl
   At the same time, please go here and request removal from the PBL.
   http://www.spamhaus.org/pbl/query/PBL043205

   Once both of those are clear, many places will magically start accepting 
your mail.

   Some places may be using SBL data and not give out messages stating that.


Note: I prefer NAT/router mode of my ADSL modem against BRIDGE mode
(where I would need to do PPPoE itself in OS) for additional FW
security ring to protect my computer.

   I do not blame you in the slightest. I also use NAT and static maps on a 
yamaha RTX1100,
   one of the best routers available in Japan (until they came out with the 
ultra-sexy

   RTX1200 ^^!) There are maps to allow postfix to get in/out, ftp in, etc.

Current PPPoE session status is Connected.
Access Concentrator: brasds61nakano012
36 days 12 hours 16 minutes 22 seconds  connection.
Received: 28161587 packets [2399271052 octet]  Load: 0.0%
Transmitted: 23158809 packets [1334982653 octets]  Load: 0.0%


A pity that  cbl.abuseat.org,  as described in
http://cbl.abuseat.org/faq.html, do not explain criteria how
someones IP can get into their CBL list.

   By sending mail to one of their very large spamtrap domains. The reason they 
do not tell
   you how you get on is that if they did, spammers would be able to avoid them 
and thus

   reduce the efficacy thereof.

   Looking at the timestamp on the CBL, was that IP address your ADSL modem at 
that time? 

Re: Running a script, archiving, then forwarding.

[Wietse Venema]

Stan Hoeppner:
> /etc/postfix/recipient_bcc
> 
> @hisdomain.tldcomplia...@archive-mbox-server.his-domain.tld

Nope, that loses the original recipient information.

I already gave the correct answer in the first follow-up.

Wietse

Re: Pcre header checks

[Wietse Venema]

Erik de Castro Lopo:
> Hi all,
> 
> I'm running postfix version 2.8.1 from Debian.
> 
> I've got basic pcre header checks working as they should. I'm trying
> to reject mail that has a DKIM signature that says its from att.net
> but a Message-ID ending in 'yahoo.com'.
> 
> I've got this:
> 
> if /^DKIM-Signature: .*; d\=att.net;/i
> /^Message-ID: .*\.yahoo\.com>/i  REJECT
> endif
> 
> but it doesn't seem to work. Clues?

Yes, read the header_checks manpage.

Wietse

Re: Pcre header checks

[Noel Jones]

On 3/6/2011 5:47 PM, Jeroen Geilman wrote:

On 03/07/2011 12:39 AM, Erik de Castro Lopo wrote:

Hi all,

I'm running postfix version 2.8.1 from Debian.

I've got basic pcre header checks working as they should.
I'm trying
to reject mail that has a DKIM signature that says its from
att.net
but a Message-ID ending in 'yahoo.com'.

I've got this:

if /^DKIM-Signature: .*; d\=att.net;/i
/^Message-ID: .*\.yahoo\.com>/i REJECT
endif

but it doesn't seem to work. Clues?


Headers are inspected one by one, and there is NO relationship
between one header and any other.
You are saying "match DKIM headers AND reject them when they
contain a Message-ID"

This wil never happen.


Correct.




Read http://www.postfix.org/header_checks.5.html, section
"TABLE FORMAT"

If you must have this, a policy service seems the best course
of action.



A postfix policy service sees the envelope, not the message 
data.  The OP will need a milter or smtpd_proxy_filter.



  -- Noel Jones

Re: Kernel Oops

[Wietse Venema]

Wietse:
> However, if statfs/statvfs are broken, then there are likely to be
> more problems. 
> 
> I would recommend against using the file system for
> the email queue.

Instead, use a better file system.

Wietse

Re: Pcre header checks

[Noel Jones]

On 3/6/2011 5:39 PM, Erik de Castro Lopo wrote:

Hi all,

I'm running postfix version 2.8.1 from Debian.

I've got basic pcre header checks working as they should. I'm trying
to reject mail that has a DKIM signature that says its from att.net
but a Message-ID ending in 'yahoo.com'.

I've got this:

 if /^DKIM-Signature: .*; d\=att.net;/i
 /^Message-ID: .*\.yahoo\.com>/i  REJECT
 endif

but it doesn't seem to work. Clues?



Postfix evaluates headers one at a time, and doesn't save 
state from one header to the next.  Consequently, you can't 
compare two headers.


To compare reject mail based on two headers, you'll need to 
use a milter or smtpd_proxy_filter.



  -- Noel Jones

Re: Pcre header checks

[Jeroen Geilman]

On 03/07/2011 12:39 AM, Erik de Castro Lopo wrote:

Hi all,

I'm running postfix version 2.8.1 from Debian.

I've got basic pcre header checks working as they should. I'm trying
to reject mail that has a DKIM signature that says its from att.net
but a Message-ID ending in 'yahoo.com'.

I've got this:

 if /^DKIM-Signature: .*; d\=att.net;/i
 /^Message-ID: .*\.yahoo\.com>/i  REJECT
 endif

but it doesn't seem to work. Clues?
   


Headers are inspected one by one, and there is NO relationship between 
one header and any other.
You are saying "match DKIM headers AND reject them when they contain a 
Message-ID"


This wil never happen.

Read http://www.postfix.org/header_checks.5.html, section "TABLE FORMAT"

If you must have this, a policy service seems the best course of action.

--
J.

Re: Configuration of postfix 2.8.1 + ezmlm 1.2.17

[Wietse Venema]

Mark Alan:
> Hello list,
> 
> In order to have postfix 2.8.1 feeding email to a ezmlm 1.2.17 mailing
> list manager (under Debian/Ubuntu) we have a tentative setup that
> goes like described bellow.
> 
> I have 2 questions:
> 1. is there a way to do the same without (the rather expensive)
> regexp:/ lists?
> 2. in case of not being possible to do without regexp (or just in case
> the regexp happens to be the right solution) is this the right regex
> syntax to serve this setup?
> 
> # about the mailing list manager
> mailing list manager:
>   mlmmj  (which is a MTA agnostic ezmlm clone)
> list address:
>   lis...@example.org
> control commands:
>   list01+subscr...@example.org
>   list01+unsubscr...@example.org
>   list01+h...@example.org
> # VERP Return-Path:
>   list01+bounces-12-john.doe=domain@example.org
> 
> # the tentative configuration: 
>   virtual_alias_maps = cdb:/etc/postfix/virtual-alias-maps,
> regexp:/etc/postfix/mlmmj-virtual-alias-maps 
> /etc/postfix/mlmmj-virtual-alias-maps
>   /^(list01.*)@example\.com$/ ${1}
> 
>   mlmmj_destination_recipient_limit = 1
> 
>   transport_maps = regexp:/etc/postfix/mlmmj-transport
> /etc/postfix/mlmmj-transport
>   /^(list01).*$/mlmmj:$1
> 
> /etc/postfix/master.cf:
>   # transport for the mlmmj mailing list
>   mlmmj   unix   -   nn--   pipe flags=DORhu user=nobody
> argv=/usr/local/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop/
> 
>   postconf |grep default_privs  =>  default_privs = nobody

If you follow the mlmmj website's instructions, then it should
work.  I prefer not to review alternative variations.

By the way, the mlmmj setup can now be simplified, and no longer
needs the kludge with the mlmmj/pipe transport.  postfix-2.9-20110228
fixes a problem where the local delivery agent ignored the ownership
of regexp-based alias tables.

Why was this fixed 20110228? Because I recently stumbled upon this
problem when I visited the mlmmj/postfix webpage.

Wietse

Re: Running a script, archiving, then forwarding.

[Jeroen Geilman]

On 03/07/2011 12:07 AM, Stan Hoeppner wrote:

Victor Duchovni put forth on 3/6/2011 3:05 PM:
   

On Sun, Mar 06, 2011 at 03:48:34PM -0500, Charles Marcus wrote:

 

On 2011-03-05 9:29 PM, Stan Hoeppner wrote:
   

always_bcc is exactly what I would do
 

But isn't there a problem with the loss of all of the headers when using
always_bcc and if so, isn't that a problem with respect to most of the
laws mandating email archival?
   

Not headers, envelope. You lose the envelope recipient list. That's
why recipient_bcc_maps is better, since one can encode the original
recipients into the bcc recipient list.
 

I was unaware of this envelop loss issue with always_bcc.  Thanks
Viktor.  So in the OP's case, would he want to use something like

/etc/postfix/recipient_bcc

@hisdomain.tld  complia...@archive-mbox-server.his-domain.tld

to send a copy of every inbound mail, with envelop info, to his
downstream archiving host MTA?

   


No, that still does not preserve the envelope-to.
Wietse's solution earlier in this thread preserves the envelope-to as a 
recipient delimited user-domain@archive.



Also, probably of interest to the OP, is there a way around sending
bounces back to the sender?  I would think in the OP's scenario he
wouldn't want this.  It would be very confusing to the remote sender, as
the actual recipient probably did receive such mail, but a problem with
archive server caused the bcc copy to be bounced.


The archive server | instance | process should soft_bounce all mail.
This gives you 5 days to get it back up before anything is bounced.


   Thus the sender may
think the email didn't get through to the recipient.  There are probably
many others reasons one wouldn't want such bounced bcc mail going back
to original senders.
   


The mail should still be bounced back to the sender if it was legitimate.
However, you don't want the *copy* to generate extraneous bounce messages.

ISTR there is a direct setting for this but can't remember it off the 
top of my head.



--
J.

Pcre header checks

[Erik de Castro Lopo]

Hi all,

I'm running postfix version 2.8.1 from Debian.

I've got basic pcre header checks working as they should. I'm trying
to reject mail that has a DKIM signature that says its from att.net
but a Message-ID ending in 'yahoo.com'.

I've got this:

if /^DKIM-Signature: .*; d\=att.net;/i
/^Message-ID: .*\.yahoo\.com>/i  REJECT
endif

but it doesn't seem to work. Clues?

Cheers,
Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/

Configuration of postfix 2.8.1 + ezmlm 1.2.17

[Mark Alan]

Hello list,

In order to have postfix 2.8.1 feeding email to a ezmlm 1.2.17 mailing
list manager (under Debian/Ubuntu) we have a tentative setup that
goes like described bellow.

I have 2 questions:
1. is there a way to do the same without (the rather expensive)
regexp:/ lists?
2. in case of not being possible to do without regexp (or just in case
the regexp happens to be the right solution) is this the right regex
syntax to serve this setup?

# about the mailing list manager
mailing list manager:
  mlmmj  (which is a MTA agnostic ezmlm clone)
list address:
  lis...@example.org
control commands:
  list01+subscr...@example.org
  list01+unsubscr...@example.org
  list01+h...@example.org
# VERP Return-Path:
  list01+bounces-12-john.doe=domain@example.org

# the tentative configuration: 
  virtual_alias_maps = cdb:/etc/postfix/virtual-alias-maps,
regexp:/etc/postfix/mlmmj-virtual-alias-maps 
/etc/postfix/mlmmj-virtual-alias-maps
  /^(list01.*)@example\.com$/ ${1}

  mlmmj_destination_recipient_limit = 1

  transport_maps = regexp:/etc/postfix/mlmmj-transport
/etc/postfix/mlmmj-transport
  /^(list01).*$/mlmmj:$1

/etc/postfix/master.cf:
  # transport for the mlmmj mailing list
  mlmmj   unix   -   nn--   pipe flags=DORhu user=nobody
argv=/usr/local/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop/

  postconf |grep default_privs  =>  default_privs = nobody

Thanks,
M.

Re : Re : Re : Re : Re : Re : slow transport, master.cf and maxproc value

[myrdhin bzh]

Really, thank you for your patience :) I have difficulty understanding 
perfectly 
English...



> No, the *process* limit of "3" is implemented in master(8), which spawns 
>processes on demand, up to the process limit. The concurrency limit (parallel 
>deliveries to a single destination domain) is enforced in the queue-manager. 
>The 
>queue manager concurrency limit is a maximum, the actual concurrency will be 
>lower when the master(8) daemon process limit is reached, or mail arrival is 
>not 
>high enough to reach peak concurrency.

So in my conf :

+ transport :
  zedomain.tldslow:

+ main.cf :
  transport_maps = hash:/etc/postfix/transport
  slow_destination_concurrency_limit = 2

+ master.cf :
  slowunix  -  -  n  -  3 smtp -o smtp_connection_cache_on_demand=no


Can i replace the '3' with a '-' like this :
  slowunix  -  -  n  -  - smtp -o smtp_connection_cache_on_demand=no

I'm really confused about this configuration... I can't find the right 
optimized 
configuration...

To know DNS informations  about zedomain.tld SMTP servers, I executed this 
command : 

  user# dig smtp.zedomain.tld A

I have 10 responses (round robin) :
  ;; ANSWER SECTION:
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x01
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x02
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x03
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x04
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x05
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x06
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x07
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x08
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x09
  smtp.zedomain.tld.471 IN  A   xxx.xxx.xxx.x10

I know (and i tested) each smtp.zedomain.tld servers can only accept 3 max 
concurrency connections : 3 for the xxx.xxx.xxx.x01, 3 for xxx.xxx.xxx.x02, 
etc. 
So I could make up to 30 concurrency connections but i would like to force 3 
per 
servers.

If i configure like this :
  + main.cf :  slow_destination_concurrency_limit = 30
  + master.cf :  slowunix  -  -  n  -  - smtp -o 
smtp_connection_cache_on_demand=no

is it good ? If i have 22 mails for zedomain.tld, 'smtp's should send mails to 
the smtp.zedomain.tld in this order (with the 
smtp_connection_cache_on_demand=no 
option):
mail #01 -> xxx.xxx.xxx.x01
mail #02 -> xxx.xxx.xxx.x02
mail #03 -> xxx.xxx.xxx.x03
mail #04 -> xxx.xxx.xxx.x04
mail #05 -> xxx.xxx.xxx.x05
mail #06 -> xxx.xxx.xxx.x06
mail #07 -> xxx.xxx.xxx.x07
mail #08 -> xxx.xxx.xxx.x08
mail #09 -> xxx.xxx.xxx.x09
mail #10 -> xxx.xxx.xxx.x10

mail #11 -> xxx.xxx.xxx.x01
mail #12 -> xxx.xxx.xxx.x02
mail #13 -> xxx.xxx.xxx.x03
mail #14 -> xxx.xxx.xxx.x04
mail #15 -> xxx.xxx.xxx.x05
mail #16 -> xxx.xxx.xxx.x06
mail #17 -> xxx.xxx.xxx.x07
mail #18 -> xxx.xxx.xxx.x08
mail #19 -> xxx.xxx.xxx.x09
mail #20 -> xxx.xxx.xxx.x10

mail #21 -> xxx.xxx.xxx.x01
mail #22 -> xxx.xxx.xxx.x02

???
Thanks
-- 
Myrdhin,

Re: Kernel Oops

[Stan Hoeppner]

Wietse Venema put forth on 3/6/2011 3:29 PM:

> Postfix uses statfs/statvfs as part of a safety net. If you delete
> the call, then Postfix would waste more bandwidth receiving mail
> that it can't store.
> 
> However, if statfs/statvfs are broken, then there are likely to be
> more problems. 


> I would recommend against using the file system for
> the email queue.
^

What?!?!?  What?!  Seeing you state this Wietse prompts me to run for
the bomb shelter, for the world as we know it will soon end. :)

Would that not make his only other option, assuming he sticks with his
current kernel, a ramdisk?  In a scenario where the target machine has
only 64MB RAM?  And considering you've expended countless keystrokes
over the years telling OPs to _never_ _ever_ put the queue on a ramdisk?

Or, are you suggesting, in a creative Wietse'esque dead pan humorous
way, that he fix the problem with his current kernel, as I did far back
in this thread, and others have since?

-- 
Stan

Re: Running a script, archiving, then forwarding.

[Stan Hoeppner]

Victor Duchovni put forth on 3/6/2011 3:05 PM:
> On Sun, Mar 06, 2011 at 03:48:34PM -0500, Charles Marcus wrote:
> 
>> On 2011-03-05 9:29 PM, Stan Hoeppner wrote:
>>> always_bcc is exactly what I would do
>>
>> But isn't there a problem with the loss of all of the headers when using
>> always_bcc and if so, isn't that a problem with respect to most of the
>> laws mandating email archival?
> 
> Not headers, envelope. You lose the envelope recipient list. That's
> why recipient_bcc_maps is better, since one can encode the original
> recipients into the bcc recipient list.

I was unaware of this envelop loss issue with always_bcc.  Thanks
Viktor.  So in the OP's case, would he want to use something like

/etc/postfix/recipient_bcc

@hisdomain.tld  complia...@archive-mbox-server.his-domain.tld

to send a copy of every inbound mail, with envelop info, to his
downstream archiving host MTA?

Also, probably of interest to the OP, is there a way around sending
bounces back to the sender?  I would think in the OP's scenario he
wouldn't want this.  It would be very confusing to the remote sender, as
the actual recipient probably did receive such mail, but a problem with
archive server caused the bcc copy to be bounced.  Thus the sender may
think the email didn't get through to the recipient.  There are probably
many others reasons one wouldn't want such bounced bcc mail going back
to original senders.

-- 
Stan

Re: Re : Re : Re : Re : Re : slow transport, master.cf and maxproc value

[Victor Duchovni]

On Sun, Mar 06, 2011 at 10:43:54PM +, myrdhin bzh wrote:

> >   slow  unix  -   -   n   -   3   smtp -o 
> >smtp_connection_cache_on_demand=no -o smtp_destination_concurrency_limit=2
> 
> >> The second "-o ..." option is pointless and should be removed.
> 
> Ok.
> 
> >> Concurrency limits are enforced in the queue manager, individual delivery 
> >>agents just deliver one message at a time, it is the queue manager that 
> >>knows 
> >>about multiple deliveries in progress.
> 
> So, in my "slow" configuration, the queue manager can only max "create"
> 3 'smtp' delivery agents.

No, the *process* limit of "3" is implemented in master(8), which spawns
processes on demand, up to the process limit. The concurrency limit
(parallel deliveries to a single destination domain) is enforced in the
queue-manager. The queue manager concurrency limit is a maximum, the actual
concurrency will be lower when the master(8) daemon process limit is reached,
or mail arrival is not high enough to reach peak concurrency.

> But each can only deliver one message at a time and i have only 
> one domain in my transport table to the 'slow' deliver, so only 2 'smtp' 
> delivery agents can be created and deliver concurrency. The 3 in my master.cf 
> slow line is useless ?

No, the "-o smtp_destination_concurrency_limit=2" is useless.

-- 
Viktor.

Re : Re : Re : Re : Re : slow transport, master.cf and maxproc value

[myrdhin bzh]

Thanks Victor,


>> You really should be using 2.7.2 or later.


I would like to use this version now :) But i can't : it will be possible after 
servers migrating (waiting 1 month :( ...)


>   slow  unix  -   -   n   -   3   smtp -o 
>smtp_connection_cache_on_demand=no -o smtp_destination_concurrency_limit=2

>> The second "-o ..." option is pointless and should be removed.

Ok.


>> Concurrency limits are enforced in the queue manager, individual delivery 
>>agents just deliver one message at a time, it is the queue manager that knows 
>>about multiple deliveries in progress.

Excuse me, I have a little trouble understanding :-s

So, in my "slow" configuration, the queue manager can only max "create" 3 
'smtp' 
delivery agents. But each can only deliver one message at a time and i have 
only 
one domain in my transport table to the 'slow' deliver, so only 2 'smtp' 
delivery agents can be created and deliver concurrency. The 3 in my master.cf 
slow line is useless ?

Thank you for your help,
-- 
Myrdhin,

Re: header_checks - restrict to SMTP-AUTH only

[Victor Duchovni]

On Sun, Mar 06, 2011 at 10:49:41PM +0100, J4K wrote:

> It carries plenty of meaning. Your email client is Mutt,unless you
> rewrote the header.

Lets not get into epistemology. There is no standard meaning for
the header in the context of email messages. It should not be added
by MUAs and should not be removed by MTAs.

> If it makes it easier, the read my question again but with
> /User-Agent/MyOwnMysteryHeaderThatIsRFCCompliant/

Postfix header actions are explained in

http://www.postfix.org/header_checks.5.html

you can "IGNORE", "PREPEND", "REPLACE" or return various access(5)
results.

-- 
Viktor.

Re: header_checks - restrict to SMTP-AUTH only

[J4K]

It carries plenty of meaning. Your email client is Mutt,unless you rewrote the 
header.

If it makes it easier, the read my question again but with 
/User-Agent/MyOwnMysteryHeaderThatIsRFCCompliemt/



Victor Duchovni  wrote:

On Mon, Mar 07, 2011 at 08:04:54AM +1100, Brad Hards wrote: > On Mon, 7 Mar 
2011 07:47:01 am Victor Duchovni wrote: > > SMTP is not HTTP. There is no 
"User-Agent" header in RFC 822 messages. > > I don't think its in the spec, but 
there is in your email: > User-Agent: Mutt/1.5.16 (2007-06-09) Regardless, this 
is a non-standard header element and carries no meaning. It should be neither 
added by the MUA, nor removed by the MTA. --Viktor. 

Re: transport throttling issue

[Noel Jones]

On 3/5/2011 9:42 PM, Steve Jenkins wrote:

On Sat, Mar 5, 2011 at 12:04 PM,  wrote:

Yes, I'll try. I hope that the upstream will accept it, they have a very low 
(and weird) rate policy


This thread was helpful for me, too, since I'm trying to make sure our
Postfix settings are compliant with Yahoo!'s guidelines. Their
Postmaster site says:

"Yahoo! Mail accepts a maximum of 20 messages per SMTP connection. We
encourage you to cap the number of messages you send to Yahoo! Mail to
fall within this per-connection limit.
When this limit is reached, no further messages will be accepted for
delivery as our server automatically terminates the connection
(without giving an error code). If you are sending messages to a
significant number of Yahoo! Mail users, the suggestions below will
help ensure uninterrupted delivery for your messages."

So, since the default_destination_concurrency_limit = 20 on my system,


This is concurrency, or simultaneous parallel connections. 
This does not control messages per connection.




do I not need to worry about setting up a custom transport for Yahoo!?
Or have others on this list found that creating a transport for Yahoo!
with additional custom settings has been helpful when delivering to
them with Postfix?


This depends on your volume of mail to yahoo.

At fairly low volumes to yahoo, the default settings will work 
well enough -- some mail may be deferred, but it should all go 
through in a reasonable amount of time.


If you are sending enough mail that the default settings are 
not giving satisfactory performance, some a custom transport 
and signing up for their feedback loop may improve things. 
This has been discussed here frequently; check the archives if 
you need details.

Re: Domain rewriting

[Noel Jones]

On 3/5/2011 11:43 PM, Nasser Heidari wrote:

Hi,
I've two Mail servers , one local server running on MS-Exchange and the
other one is my external mail server that my MTA is postfix.
I have setup Postfix as relay agent on Exchange, so all outgoing Emails
is travels through Postfix.
There are also two domains , one on the Exchange(test.local) and the
other on Postfix(test.edu).
Now I want to rewrite All of my emails domain from test.local to
test.edu when they traveling to outside network.
I know I can create generic file and rewrite Emails per user, but I want
to know if I could do it easier.

Regards,
Nasser




The easiest solution is to use smtp_generic_maps with a single 
entry:


# main.cf
smtp_generic_maps = hash:/etc/postfix/generic


# /etc/postfix/generic
@example.local   @example.edu



  -- Noel Jones

Re: submission port : "Client host rejected: Access denied"

[Noel Jones]

On 3/6/2011 9:08 AM, DTNX/NGMX Postmaster wrote:

On 6 mrt 2011, at 15:08, David Touzeau wrote:


but it seems that postfix did not want to test the authentication
method and pass it's rules trough subnet rules to finally refuse the
connection with a "Client host rejected: Access denied"


[snip]


smtpd_delay_reject = no


http://www.postfix.org/postconf.5.html#smtpd_delay_reject

Here, most likely. Ran into something very similar last week, and this was the 
cause.


Yes.



I suspect that if you were to increase logging detail, you'd find that 
'permit_sasl_authenticated' evaluates to zero during the client restrictions 
stage because of a delay in getting back an answer from whatever SASL backend 
you have in use. Postfix evaluates the rest of the client restrictions, and 
denies you access.


No.  The SASL authentication happens after CONNECT and HELO, 
before MAIL FROM.  With "smtpd_delay_reject = no", and 
"smtpd_client_restrictions = permit_sasl_authenticated, 
reject" you're checking for sasl authentication before the 
authentication ever has a chance to take place.


This has nothing to do with what you're using for a sasl 
backend, because the backend is never consulted.


Just another good reason to not muck with the defaults.

  -- Noel Jones

Re: Kernel Oops

[Wietse Venema]

Victor Duchovni:
> > The "fsspace" function is a Postfix utility function, the underlying
> > system interface is either statfs() or statvfs(). You should find
> > out which is used on your system and test that...

Denis Shulyaka:
> I have tried both statfs() and statvfs() and it shows the similar behaivour.

Postfix uses statfs/statvfs as part of a safety net. If you delete
the call, then Postfix would waste more bandwidth receiving mail
that it can't store.

However, if statfs/statvfs are broken, then there are likely to be
more problems. I would recommend against using the file system for
the email queue.

Wietse

Re: Kernel Oops

[Denis Shulyaka]

Hi Viktor,

I have tried both statfs() and statvfs() and it shows the similar behaivour.

2011/3/6 Victor Duchovni :
> The "fsspace" function is a Postfix utility function, the underlying
> system interface is either statfs() or statvfs(). You should find
> out which is used on your system and test that...
>
> --
>        Viktor.
>

Re: header_checks - restrict to SMTP-AUTH only

[Victor Duchovni]

On Mon, Mar 07, 2011 at 08:04:54AM +1100, Brad Hards wrote:

> On Mon, 7 Mar 2011 07:47:01 am Victor Duchovni wrote:
> > SMTP is not HTTP. There is no "User-Agent" header in RFC 822 messages.
>
> I don't think its in the spec, but there is in your email:
> User-Agent: Mutt/1.5.16 (2007-06-09)

Regardless, this is a non-standard header element and carries no
meaning. It should be neither added by the MUA, nor removed by the MTA.

-- 
Viktor.

Re: Running a script, archiving, then forwarding.

[Victor Duchovni]

On Sun, Mar 06, 2011 at 03:48:34PM -0500, Charles Marcus wrote:

> On 2011-03-05 9:29 PM, Stan Hoeppner wrote:
> > always_bcc is exactly what I would do
> 
> But isn't there a problem with the loss of all of the headers when using
> always_bcc and if so, isn't that a problem with respect to most of the
> laws mandating email archival?

Not headers, envelope. You lose the envelope recipient list. That's
why recipient_bcc_maps is better, since one can encode the original
recipients into the bcc recipient list.

-- 
Viktor.

Re: header_checks - restrict to SMTP-AUTH only

[Brad Hards]

On Mon, 7 Mar 2011 07:47:01 am Victor Duchovni wrote:
> SMTP is not HTTP. There is no "User-Agent" header in RFC 822 messages.
I don't think its in the spec, but there is in your email:
User-Agent: Mutt/1.5.16 (2007-06-09)

Brad

Re: Running a script, archiving, then forwarding.

[Charles Marcus]

On 2011-03-06 3:48 PM, Charles Marcus wrote:
> On 2011-03-05 9:29 PM, Stan Hoeppner wrote:
>> always_bcc is exactly what I would do
> 
> But isn't there a problem with the loss of all of the headers

That didn't sound right... should have said... '...aren't some headers
lost...'...

-- 

Best regards,

Charles

Re: Running a script, archiving, then forwarding.

[Charles Marcus]

On 2011-03-05 9:29 PM, Stan Hoeppner wrote:
> always_bcc is exactly what I would do

But isn't there a problem with the loss of all of the headers when using
always_bcc and if so, isn't that a problem with respect to most of the
laws mandating email archival?

-- 

Best regards,

Charles

Re: header_checks - restrict to SMTP-AUTH only

[Victor Duchovni]

On Sun, Mar 06, 2011 at 09:36:16PM +0100, JKL wrote:

> Hallo everyone,
> 
> I'd like to write a header_check that'll replace (or delete) the
> User-Agent header, only if it comes from someone either sending on a
> particular port, or using SMTP-AUTH.

SMTP is not HTTP. There is no "User-Agent" header in RFC 822 messages.

-- 
Viktor.

header_checks - restrict to SMTP-AUTH only

[JKL]

Hallo everyone,

I'd like to write a header_check that'll replace (or delete) the
User-Agent header, only if it comes from someone either sending on a
particular port, or using SMTP-AUTH.  (The particular port is possible
since SMTP-AUTH is only allowed on one port only, and disallowed on port
25.).  Additionally, the check should only restrict on User-Agent as
there are SUbject and Date checks that ought to be applied to all Email
received.

The one I wrote has this, but it'll rewrite every email received by
postfix:-

 if /^User-Agent:/
 /^User-Agent: Mozilla\/5.0/ REPLACE User-Agent:Replaced
 endif


Is this possible?

Best wishes, s

Re: Postfix und SSL client problem.

[Victor Duchovni]

On Sat, Mar 05, 2011 at 06:48:05PM +0100, kapetr wrote:

> [ssmtp_client_iol]
> client = yes
> accept = 10465
> connect = smtp.iol.cz:465
> verify = 3
> CApath = /etc/ssl/certs

Don't use "verify = 3" until you have installed the appropriate
end-point certificate.

> The problem is, that I don't know:
> 
> 1.   How to get SSL certificate of smtp.iol.cz (and save it to
> file).

Use "openssl s_client -showcerts", the leaf server cert is the first
one reported:

$ openssl s_client -showcerts -connect smtp.iol.cz:465
CONNECTED(0003)
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=CZ/ST=Praha/L=Praha 4/O=Telefonica O2 Czech Republic, 
a.s./OU=Operations/CN=smtp.iol.cz
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
-BEGIN CERTIFICATE-
MIID7zCCAtegAwIBAgIQOfm+SOJhnmplSF/Fl34IvDANBgkqhkiG9w0BAQUFADA8
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U
aGF3dGUgU1NMIENBMB4XDTEwMDgwMzAwMDAwMFoXDTExMDgwMzIzNTk1OVowgYcx
CzAJBgNVBAYTAkNaMQ4wDAYDVQQIEwVQcmFoYTEQMA4GA1UEBxQHUHJhaGEgNDEr
MCkGA1UEChQiVGVsZWZvbmljYSBPMiBDemVjaCBSZXB1YmxpYywgYS5zLjETMBEG
A1UECxQKT3BlcmF0aW9uczEUMBIGA1UEAxQLc210cC5pb2wuY3owggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNPiSu2ngYDJj5L20njDN6UF9KlGOOdHfv
Po27ul9xYHTQ1YcOeIBKJlVgvBhFSUkRrfZZ1b+3EGQogkwQ5pmAyMPEeyNCypXc
etxQ4KSUkooeAWGjEaAtshoOfxmPAbuwI6HO59ttU/tbIOj5FK5z5zKsY7oawvFG
L/YvXHlmqjZ00DnoJ/sKppLXFTDFRFOA7ct9jjU3/5KvMXwxTdIcDijCpzkVb/Ec
Xe51HBWeANY5hmvegsnQtPJOTG5pVcQ21AQencweoMpgPRoPkKn+hXtuJZiLjMSa
p3eIyglhQnDUZUi0hFPxS852eslJH6i2hH8Cj4kM9Ouc3P3T09S3AgMBAAGjgaAw
gZ0wDAYDVR0TAQH/BAIwADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vc3ZyLW92
LWNybC50aGF3dGUuY29tL1RoYXd0ZU9WLmNybDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8v
b2NzcC50aGF3dGUuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQAa6h2Hf8WZZho9T0JT
9J2/wiwkSh+r6QKW9P/9v9ljfeqFbu9BgE7KpeRulAI14n3MNWfeXZESfUjqniHn
7bQxsCVSqWARGCBNHUblaIRxSUNFSbFl39GD7QZspl1Df/3osQ3W+l6XPh4suL5H
uy1qOhoLG1GjuPorvRvdbalupQWxyqc4sBF+f5qOXxW+axVXg24evVevhq0H6vUZ
ma8MI3D2jMEt8JAt129yNk2ioNTfTF4qI55EiBeODnG3K5I2Ff7F042WJtWPLEKs
/Hn23E/9mwsCcRSor4cEoO2qXcoOXqZ5DnuG/5wgFw3mtdloQeB3YLZoOoWufFRq
q1/9
-END CERTIFICATE-
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
-BEGIN CERTIFICATE-
MIIEbDCCA1SgAwIBAgIQTV8sNAiyTCDNbVB+JE3J7DANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjA4MDAwMDAwWhcNMjAw
MjA3MjM1OTU5WjA8MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu
MRYwFAYDVQQDEw1UaGF3dGUgU1NMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAmeSFW3ZJfS8F2MWsyMip09yY5tc0pi8M8iIm2KPJFEyPBaRF6BQM
WJAFGrfFwQalgK+7HUlrUjSIw1nn72vEJ0GMK2Yd0OCjl5gZNEtB1ZjVxwWtouTX
7QytT8G1sCH9PlBTssSQ0NQwZ2ya8Q50xMLciuiX/8mSrgGKVgqYMrAAI+yQGmDD
7bs6yw9jnw1EyVLhJZa/7VCViX9WFLG3YR0cB4w6LPf/gN45RdWvGtF42MdxaqMZ
pzJQIenyDqHGEwNESNFmqFJX1xG0k4vlmZ9d53hR5U32t1m0drUJN00GOBN6HAiY
XMRISstSoKn4sZ2Oe3mwIC88lqgRYke7EQIDAQABo4H7MIH4MDIGCCsGAQUFBwEB
BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3RlLmNvbTASBgNVHRMB
Af8ECDAGAQH/AgEAMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVQQ0EuY3JsMA4GA1UdDwEB/wQEAwIBBjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItOTAdBgNVHQ4EFgQUp6KDuzRFQD38
1TBPErk+oQGf9tswHwYDVR0jBBgwFoAUe1tFz6/Oy3r9MZIaarbzRutXSFAwDQYJ
KoZIhvcNAQEFBQADggEBAIAigOBsyJUW11cmh/NyNNvGclYnPtOW9i4lkaU+M5en
S+Uv+yV9Lwdh+m+DdExMU3IgpHrPUVFWgYiwbR82LMgrsYiZwf5Eq0hRfNjyRGQq
2HGn+xov+RmNNLIjv8RMVR2OROiqXZrdn/0Dx7okQ40tR0Tb9tiYyLL52u/tKVxp
EvrRI5YPv5wN8nlFUzeaVi/oVxBw9u6JDEmJmsEj9cIqzEHPIqtlbreUgm0vQF9Y
3uuVK6ZyaFIZkSqudZ1OkubK3lTqGKslPOZkpnkfJn1h7X3S5XFV2JMXfBQ4MDzf
huNMrUnjl1nOG5srztxl1Asoa06ERlFE9zMILViXIa4=
-END CERTIFICATE-
---
Server certificate
subject=/C=CZ/ST=Praha/L=Praha 4/O=Telefonica O2 Czech Republic, 
a.s./OU=Operations/CN=smtp.iol.cz
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2300 bytes and written 522 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: RC4-SHA
Session-ID: B7A6D13A9E0E987A2FD9AC49B3FC6A5B1AAD2388A89AE7C687CA2C11099486DC
Session-ID-ctx:
Master-Key: 
90E07474370EEE2749252A13E8CC97B61217E9D51AC843A986D3606A1966290141553179F968FAE76E5510AB14B04E00
Key-Arg   : None
PSK identity: None
PSK identity hint: None
Start Time: 1299442136
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
220 port3.iol.cz ESMTP
quit
221 port3.iol.cz
read:errno=0

> 2. Where to put this file

Re: Dovecot, Postfix and Dovecot LDA (LMTP) delivery

[Remy Zandwijk]

On 06.03.2011 19:25 , Wietse Venema wrote:

Nikolaos Milas:

I'm asking trying to learn:

Is there a benefit of using LMTP for local delivery when using Dovecot?
Why not use Dovecot LDA (without using LMTP)?

Better scalability, performance, and error handling than is possible
with the pipe-to-command interface.


In Postfix documentation, I've read about lmtp that "The advantage of
this setup is that one Postfix machine can feed multiple mailbox servers
over LMTP. The opposite is true as well: one mailbox server can be fed
over LMTP by multiple Postfix machines."

And I wonder:

1. Can't this be done also with Dovecot LDA?

Yes, if you limit yourself to one machine.

Wietse
Besides that, you need dovecot-lda to be setuid-root or call it with sudo 
(according to http://wiki2.dovecot.org/LDA) to get it to cooperate with 
Postfix. I think using LMTP is a much more cleaner solution.


-Remy

Re: Dovecot, Postfix and Dovecot LDA (LMTP) delivery

[Remy Zandwijk]

On 06.03.2011 17:21 , Jeroen Geilman wrote:

On 03/06/2011 04:57 PM, Wietse Venema wrote:

Remy Zandwijk:

Is there a way Postfix can be told to get rid of the domain part if mail is
sent through LMTP?

No. The LMTP protocol, like SMTP requires complete email addresses.

Wietse


Additionally, overriding local_transport means you won't be able to use the 
standard alias_maps setting to list valid local recipients - you have to 
customize these for dovecot LMTP.


Simply put, /etc/aliases no longer works; you'll have to set up 
virtual_alias_maps for all your local aliases.


This also means you can't alias or forward to commands anymore; any command 
execution you wish to do will have to be set up as a full-fledged pipe(8) 
transport.


Consider using mailbox_transport instead.


For a Postfix novice like me, that's very usefull information :-) Thank you.

-Remy

Re: Kernel Oops

[Victor Duchovni]

On Sun, Mar 06, 2011 at 10:32:11PM +0300, Denis Shulyaka wrote:

> Hi Viktor,
> 
> You are right, for some reason my system has some troubles with
> fsspace("/var/spool/postfix", &fsbuf). Possibly, Bastian is right
> about my kernel. But I just don't how to fix it.
> 
> Any way, Postfix code is OK, and the workaround with
> `fsspace("/overlay", &fsbuf)` satisfies me so far.

The "fsspace" function is a Postfix utility function, the underlying
system interface is either statfs() or statvfs(). You should find
out which is used on your system and test that...

-- 
Viktor.

Re: [Q] Warning: Connection rate limit reached (anvil), and "milter-reject: END-OF-MESSAGE"

[JKL]

Hi Reindl,

As far as I can tell, the anvil settings are running at the default
settings in my configuration:-

# postconf -n | grep anvil
# postconf -d | grep anvil
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s

However, the rate limit is set to 40 (default is 50)
# postconf -n | grep connection_rate_limit
smtpd_client_connection_rate_limit = 40

Now I think I know what is happening.  Thanks.  

I don't think that is really needs to be changed.  I could increase the
smtpd_client_connection_rate_limit and the anvil_rate_time_unit, but its
not a major problem.  So long as the server is not loosing Email and
being civil to Email server, then all is well.

It was a compromised user, or a test server:
Mar  5 03:21:46 srv4 postfix/anvil[5078]: statistics: max connection
rate 1733/60s for (smtp:62.198.48.73) at Mar  5 03:16:45

Cheers.
S.

On 03/06/2011 01:28 PM, Reindl Harald wrote:
> Sounds like you have set something like this in main.cf
>
> anvil_rate_time_unit   = 1800s
> smtpd_client_connection_rate_limit = 50
>
> this means "a maximum of 50 connection per half a hour from the same ip"
> my example 50/18000 is from our live configuration on postfix-servers
> as well our barracuda-spamfirewall and is really a good setting because
> sometimes over weeks nobody reaches this limit
>
> if it is reached there is surely a spammer delivering his crap
> and postfix will reject temporary connections from the ip
>
> a normal server will try later, a spammer will give up sooner or later
>
>
> Am 06.03.2011 13:15, schrieb JKL:
>> Dear all,
>>
>> ** QUESTION 1
>> I just noticed this message appearing the log files (mail.log). I
>> read a little on the page http://www.postfix.org/QSHAPE_README.html, but
>> did not quite understand where my postfix problem lied.  The queues are
>> very quiet presently.  This mail server does not have a lot of throughput.
>>
>> - Postfix Begin  
>>
>>  2105   *Warning: Connection rate limit reached (anvil) 
>> 4   Miscellaneous warnings  
>>  
>>   666.166K  Bytes accepted 682,154
>>   128.576K  Bytes sent via SMTP131,662
>>   634.608K  Bytes delivered649,839
>>     ==
>>  
>>55   Accepted20.15%
>>   218   Rejected79.85%
>>     --
>>   273   Total  100.00%
>>     ==
>>  
>> 1   5xx Reject relay denied  0.46%
>> 1   5xx Reject HELO/EHLO 0.46%
>>   100   5xx Reject unknown user 45.87%
>>   106   5xx Reject RBL  48.62%
>> 2   5xx Reject header0.92%
>> 8   5xx Reject milter3.67%
>>     --
>>   218   Total 5xx Rejects  100.00%
>>     ==
>>  
>> 7   4xx Reject milter  100.00%
>>     --
>> 7   Total 4xx Rejects  100.00%
>>     ==
>>  
>>  2406   Connections 
>>   158   Connections lost (inbound) 
>>  2406   Disconnections  
>>36   Removed from queue  
>>32   Delivered   
>>13   Sent via SMTP   
>>  
>> 5   Timeouts (inbound)  
>> 1   Illegal address syntax in SMTP command 
>>47   Hostname verification errors 
>>18   TLS connections (server) 
>> 6   SASL authenticated messages 
>>  
>>  
>>  -- Postfix End - 
>>
>>
>> ** QUESTION 2
>> On an additional note a milter is rejecting these messages (about 40 each 
>> day).  I am uncertain which milter is rejecting it from  the message.  Does 
>> anyone know how I can identify the milter:
>>
>> Mar  6 12:04:17 logout postfix/cleanup[18037]: D6861848C7: milter-reject: 
>> END-OF-MESSAGE from smtp143.junkemailfilter.com[69.50.231.143]: 4.7.1 
>> Service unavailable - try again later; from= 
>> to= proto=ESMTP helo=
>>
>>
>> Any one, any ideas?  Perhaps, which is likly there is some misconfiguration.
>>
>> Best regards, s.

Re: Re : Re : Re : Re : slow transport, master.cf and maxproc value

[Victor Duchovni]

On Sun, Mar 06, 2011 at 04:21:44PM +, myrdhin bzh wrote:

> > From : myrdhin
> > Thank you for your help. I'll try your solution.
> 
> Sorry, but i always have "Too many connections, slow down." in my 
> /var/log/mail.log.
> 
> My Postfix is old (mail_version = 2.1.5) butI am constrained to correct this 
> problem before doing the migration on another server (with a recent
> version of postfix...).

The scheduler features that you are new with Postfix 2.5 and required at
least Postfix 2.5.7. You really should be using 2.7.2 or later.

> Finally i do that :
> 
>   # in /etc/postfix/main.cf :
>   transport_maps = hash:/etc/postfix/transport
>   slow_destination_concurrency_limit = 2
> 
>   # in /etc/transport/transport :
>   zeDomain.tld slow:
> 
>   # in /etc/postfix/master.cf :
>   slow  unix  -   -   n   -   3   smtp -o 
> smtp_connection_cache_on_demand=no -o smtp_destination_concurrency_limit=2

The second "-o ..." option is pointless and should be removed. Concurrency
limits are enforced in the queue manager, individual delivery agents just
deliver one message at a time, it is the queue manager that knows about
multiple deliveries in progress.

-- 
Viktor.

Re: Kernel Oops

[Denis Shulyaka]

Hi Viktor,

You are right, for some reason my system has some troubles with
fsspace("/var/spool/postfix", &fsbuf). Possibly, Bastian is right
about my kernel. But I just don't how to fix it.

Any way, Postfix code is OK, and the workaround with
`fsspace("/overlay", &fsbuf)` satisfies me so far.


Best regards,
Denis Shulyaka

2011/3/6 Victor Duchovni :
> On Sat, Mar 05, 2011 at 06:24:57PM +0300, Denis Shulyaka wrote:
>
>> If I pass change `fsspace(".", &fsbuf);' to `fsspace("/", &fsbuf);' it
>> works, no oopses, and the messages are received without problems. I
>> will make some stress tests later.
>>
>> So the remaining question is what "." in smtpd context mean? Is it the
>> dir postfix has been started from?
>
> Services spawned from master.cf run with cwd == $queue_directory
> (typically /var/spool/postfix).
>
> --
>        Viktor.
>

Re: Kernel Oops

[Victor Duchovni]

On Sat, Mar 05, 2011 at 06:24:57PM +0300, Denis Shulyaka wrote:

> If I pass change `fsspace(".", &fsbuf);' to `fsspace("/", &fsbuf);' it
> works, no oopses, and the messages are received without problems. I
> will make some stress tests later.
> 
> So the remaining question is what "." in smtpd context mean? Is it the
> dir postfix has been started from?

Services spawned from master.cf run with cwd == $queue_directory
(typically /var/spool/postfix).

-- 
Viktor.

Re: Dovecot, Postfix and Dovecot LDA (LMTP) delivery

[Wietse Venema]

Nikolaos Milas:
> I'm asking trying to learn:
> 
> Is there a benefit of using LMTP for local delivery when using Dovecot? 
> Why not use Dovecot LDA (without using LMTP)?

Better scalability, performance, and error handling than is possible
with the pipe-to-command interface.

> In Postfix documentation, I've read about lmtp that "The advantage of 
> this setup is that one Postfix machine can feed multiple mailbox servers 
> over LMTP. The opposite is true as well: one mailbox server can be fed 
> over LMTP by multiple Postfix machines."
> 
> And I wonder:
> 
>1. Can't this be done also with Dovecot LDA?

Yes, if you limit yourself to one machine.

Wietse

Re: Dovecot, Postfix and Dovecot LDA (LMTP) delivery

[Nikolaos Milas]

I'm asking trying to learn:

Is there a benefit of using LMTP for local delivery when using Dovecot? 
Why not use Dovecot LDA (without using LMTP)?


In Postfix documentation, I've read about lmtp that "The advantage of 
this setup is that one Postfix machine can feed multiple mailbox servers 
over LMTP. The opposite is true as well: one mailbox server can be fed 
over LMTP by multiple Postfix machines."


And I wonder:

  1. Can't this be done also with Dovecot LDA?
  2. Apart from that ability, what else should we take into account
 when planning the use of LDA vs LMTP ? Could someone suggest when
 an administrator should prefer either solution, in terms of
 performance, scalability, functionality etc.?

I've tried to find such info, but I haven't been able to locate adequate 
details.


(My environment is virtual vs the one described in this thread which 
uses local accounts, but that may be a secondary matter.)


Thanks,
Nick


On 6/3/2011 4:16 μμ, Remy Zandwijk wrote:


Due to obvious reasons I want to switch to Dovecot LDA delivery, 
through LMTP.






smime.p7s
Description: S/MIME Cryptographic Signature

Re: Postfix and Mailman, error message Sender address rejected: User unknown in virtual mailbox table;

[Wietse Venema]

Werner Schalk:
> Dear all,
> 
> I am running Postfix and Mailman on my server with MySQL as backend. It 
> works like a charm (including mailman) but for one domain (customerA.com) 
> the following error message is generating when the admin user maintains a 
> list and an email is being generated (e.g. when adding/removing a member):
> 
> Mar  6 18:12:46 localhost postfix/smtpd[23391]: NOQUEUE: reject: RCPT from 
> localhost[127.0.0.1]: 550 5.1.0 : Sender 
> address rejected: User unknown in virtual mailbox table; 
> from= to= proto=ESMTP 
> helo=<[127.0.0.1]>

As described in (among others) VIRTUAL_README.html: 

1 - The sender address must exist in virtual_alias_maps.

2 - The virtual_alias_maps must rewrite this address into an address
in a different domain.

You need to find out which of the two requirements is not satisfied.

Wietse

Postfix and Mailman, error message Sender address rejected: User unknown in virtual mailbox table;

[Werner Schalk]

Dear all,

I am running Postfix and Mailman on my server with MySQL as backend. It 
works like a charm (including mailman) but for one domain (customerA.com) 
the following error message is generating when the admin user maintains a 
list and an email is being generated (e.g. when adding/removing a member):


Mar  6 18:12:46 localhost postfix/smtpd[23391]: NOQUEUE: reject: RCPT from 
localhost[127.0.0.1]: 550 5.1.0 : Sender 
address rejected: User unknown in virtual mailbox table; 
from= to= proto=ESMTP 
helo=<[127.0.0.1]>


It appears that for some reason the aliases for this domain were not 
created correctly. I have tried running "genaliases" again but that did not 
change anything. Here is my current Postfix configuration, Mailman config 
follows below:


alias_maps = 
hash:/var/lib/mailman/data/aliases,mysql:/etc/postfix/mysql_virtual_alias_maps.cf

append_dot_mydomain = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
default_privs = mailman
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.2.5/html
in_flow_delay = 1s
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mailbox_size_limit = 2504800
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 150480
mydestination = $myhostname,localhost
mydomain = mydomain.com
myhostname = myserver.mydomain.com
mynetworks = 1.2.3.4/32, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.5/readme
recipient_delimiter = +
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks,  reject_non_fqdn_sender, 
reject_non_fqdn_recipient,   permit_sasl_authenticated, 
reject_unauth_destination,  reject_unauth_pipelining, 
reject_invalid_hostname,  reject_unknown_sender_domain, 
check_sender_access hash:/etc/postfix/sender_access,  reject_rbl_client 
zen.spamhaus.org,  reject_rbl_client cbl.abuseat.org,  reject_rbl_client 
ix.dnsbl.manitu.net,  reject_rbl_client 
hostkarma.junkemailfilter.com=127.0.0.2,  reject_rbl_client 
sbl-xbl.spamhaus.org,  reject_rbl_client list.dsbl.org,  reject_rbl_client 
dul.dnsbl.sorbs.net,  reject_rbl_client bl.spamcop.net, 
check_policy_service inet:127.0.0.1:10030

smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.mydomain.com
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_tls_CAfile = /etc/postfix/GeoTrust_Global_CA.cer
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/postfix.crt
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = 
hash:/var/lib/mailman/data/virtual-mailman,mysql:/etc/postfix/mysql_virtual_alias_maps.cf

virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot

My Mailman config file is as follows:

from Defaults import *
MTA = 'Postfix'
DEFAULT_SERVER_LANGUAGE = 'de'
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
DEFAULT_EMAIL_HOST = 'webgui.mydomain.com'
DEFAULT_URL_HOST = 'webgui.mydomain.com'
POSTFIX_STYLE_VIRTUAL_DOMAINS = 
['myserver.mydomain.com','customerA.com','customerB.com','mydomain.com']

SMTP_MAX_RCPTS = 50
VIRTUAL_HOSTS.clear()
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
add_virtualhost('webgui.mydomain.com','mydomain.com')
add_virtualhost('webgui.mydomain.com','customerA.com')

In addition, running "postmap -q list 
hash:/var/lib/mailman/data/virtual-mailman" does not return anything 
although the file is not empty and contains the same entries for all of my 
mailing lists (and with the exception of this one for customerA.com is 
working fine). Any ideas what might be causing this problem?


Thanks a lot!

Kind regards,
Werner.

Re: Dovecot, Postfix and Dovecot LDA (LMTP) delivery

[Jeroen Geilman]

On 03/06/2011 04:57 PM, Wietse Venema wrote:

Remy Zandwijk:
   

Is there a way Postfix can be told to get rid of the domain part if mail is
sent through LMTP?
 

No. The LMTP protocol, like SMTP requires complete email addresses.

Wietse
   


Additionally, overriding local_transport means you won't be able to use 
the standard alias_maps setting to list valid local recipients - you 
have to customize these for dovecot LMTP.


Simply put, /etc/aliases no longer works; you'll have to set up 
virtual_alias_maps for all your local aliases.


This also means you can't alias or forward to commands anymore; any 
command execution you wish to do will have to be set up as a 
full-fledged pipe(8) transport.


Consider using mailbox_transport instead.

--
J.

Re : Re : Re : Re : slow transport, master.cf and maxproc value

[myrdhin bzh]

Hello :),

> From : myrdhin
> Thank you for your help. I'll try your solution.

Sorry, but i always have "Too many connections, slow down." in my 
/var/log/mail.log.

My Postfix is old (mail_version = 2.1.5) butI am constrained to correct this 
problem before doing the migration on another server (with a recent version of 
postfix...).

Finally i do that :

  # in /etc/postfix/main.cf :
  transport_maps = hash:/etc/postfix/transport
  slow_destination_concurrency_limit = 2

  # in /etc/transport/transport :
  zeDomain.tld slow:

  # in /etc/postfix/master.cf :
  slow  unix  -   -   n   -   3   smtp -o 
smtp_connection_cache_on_demand=no -o smtp_destination_concurrency_limit=2


It seems to work : no "Too many connections, slow down." messages in my log 
file 
since 2 days but i'm afraid about a mail delivery slowdown...

I understand the "smtp_connection_cache_on_demand=no" option but i don't know 
if 
the "*_destination_concurrency_limit" option is per process of smtp program.

With my master.cf, can i make 6 concurrency connections max on zeDomain.tld ? 
Or 
is it only 2 max ?

Thanks for your help,
-- 
Myrdhin,

Re: submission port : "Client host rejected: Access denied"

[David Touzeau]

Le dimanche 06 mars 2011 à 16:08 +0100, DTNX/NGMX Postmaster a écrit :
> Jona


Many thanks jona  

smtpd_delay_reject = yes
fix the issue

Re: Dovecot, Postfix and Dovecot LDA (LMTP) delivery

[Wietse Venema]

Remy Zandwijk:
> Is there a way Postfix can be told to get rid of the domain part if mail is 
> sent through LMTP?

No. The LMTP protocol, like SMTP requires complete email addresses.

Wietse

Re: submission port : "Client host rejected: Access denied"

[Patrick Ben Koetter]

* Jeroen Geilman :
> On 03/06/2011 01:18 PM, David Touzeau wrote:
> >dear
> >
> >i would like to use submission port for authenticate users from internet
> >allowing them to the postfix smtpd server
> >
> >For testing purpose, i have set a network different from the LAN to be
> >sure that postfix allow SASL connections
> >
> >but it seems that postfix did not want to test the authentication method
> >and pass it's rules trough subnet rules to finally refuse the connection
> >with a "Client host rejected: Access denied"
> >We can see that there an request to saslauthd
> >"xsasl_cyrus_server_create: SASL service=smtp, realm=(null)" but i did
> >not really understand what is means..
> >
> >
> >I'm using saslauthd trough LDAP to perform credentials checking and
> >postfix 2.8.0
> >
> >Where i'm wrong ??
> >
> >When using testssaslauthd
> >--
> >testsaslauthd  -u david.touzeau -p secret -f /var/run/saslauthd/mux -s
> >smtp
> >0: OK "Success."

You are testing as user root, right?

> >Content of /etc/postfix/sasl/smtpd.conf

Postfix runs as user postfix.

Blind guess: Your postfix user is not member of the sasl group. Check using
"id postfix". If it doesn't list postfix, then add postfix to group sasl and
restart postfix:

% adduser postfix sasl
% postfix reload

Second blind guess: /etc/default/saslauthd places the saslauthd socket outside
of Postfix chroot (you are running Postfix chrooted as your master.cf shows
below).

Enable/uncommend the line at the bottom of /etc/default/saslauthd:

# OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Then comment the OPTIONS line above and restart saslauthd.

p@rick

> >master.cf
> >--
> >smtp inetn   -   n   -   -   smtpd
> >submission   inetn   -   n   -   -   smtpd
> >  -o smtpd_etrn_restrictions=reject
> >  -o smtpd_enforce_tls=yes
> >  -o smtpd_sasl_auth_enable=yes
> >  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >  -o smtp_generic_maps=
> >  -o sender_canonical_maps=
> >
> >Here it is a piece of debug logs :
> >--
> 
> Debug logs should not be required to solve SASL issues.
> 
> Please include the output of postconf -n and the normal postfix logs
> for the observed behaviour, as described in:
> 
> http://www.postfix.org/DEBUG_README.html#mail
> 
> 
> -- 
> J.
> 

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):

Re: posfix rejected from google server

[kapetr]

Hello,

reply for: 

"Peter Evans"  and
Reindl Harald 

My ISP (without need of request it and pay for it :-) assign every
time (via PPPOE on ADSL) the same IP address for the same client
(DSLAM port). So my IP is from "dynamic" range, but in practice is
it static IP.

I'm sure about it and it is very simple to check my "outside" IP -
e.g. with mojeip.cz - or simply check my IP in my ADSL modem log.
In fact I am behind NAT - but this is NAT of my ADSL modem and I am
the only one computer in my LAN. The FW of modem and of Ubuntu are
closed for any connections from outside.

Note: I prefer NAT/router mode of my ADSL modem against BRIDGE mode
(where I would need to do PPPoE itself in OS) for additional FW
security ring to protect my computer.

So ... nobody except me can send "spam" from this IP address.
(This is not a confession! ;-)

Reindl wrote:
>seems you do not understand what a spamtrap is
>hint: your sender-address does not play in this game

Thanks for explanation.

Note: once again - I had understand and totally accept the fact,
that I can't send mail directly from my "dynamic range" IP, so I use
relayhost. 

I just try to understand, how I could get into spam list. In my
previous post I have explain, why I do not believe, that there is no
hidden spambot in my system. So when I now know, what is 
then it is quite impossible, that I have get into spam list this
way.

A pity that  cbl.abuseat.org,  as described in
http://cbl.abuseat.org/faq.html, do not explain criteria how
someones IP can get into their CBL list.


--kapetr

Re: submission port : "Client host rejected: Access denied"

[DTNX/NGMX Postmaster]

On 6 mrt 2011, at 15:08, David Touzeau wrote:

>>> but it seems that postfix did not want to test the authentication
>>> method and pass it's rules trough subnet rules to finally refuse the
>>> connection with a "Client host rejected: Access denied"

[snip]

> smtpd_delay_reject = no

http://www.postfix.org/postconf.5.html#smtpd_delay_reject

Here, most likely. Ran into something very similar last week, and this was the 
cause.

I suspect that if you were to increase logging detail, you'd find that 
'permit_sasl_authenticated' evaluates to zero during the client restrictions 
stage because of a delay in getting back an answer from whatever SASL backend 
you have in use. Postfix evaluates the rest of the client restrictions, and 
denies you access.

Try setting 'smtpd_delay_reject' to yes, which is the default, and consolidate 
all your restrictions under 'smtpd_recipient_restrictions' instead.

Cya,
Jona

Re: Dovecot, Postfix and Dovecot LDA (LMTP) delivery

[Remy Zandwijk]

I am running a Debian Lenny machine with Postfix 2.5.5 and Dovecot 2.0.8. Up 
until now I ran Postfix with the Procmail delivery agent succesfully. The 
machine has only local users; I am not using virtual mailboxes. Due to 
obvious reasons I want to switch to Dovecot LDA delivery, through LMTP.


I spend quite some time finding 'the' configuration for both Postfix and 
Dovecot, but without success. Find my current configuration below. Postfix 
receives the e-mail, but delivery through LMTP fails, resulting in Postfix 
sending an NDR.


I just cannot figure out what's wrong and I am not sure whether it's a 
Postfix or Dovecot problem either. Some log output from Postfix:


I finally figured out what's wrong. It appears that Dovecot in fact is 
checking the existance of user 'r...@hostname.domain.tld' in one of the 
configured user databases. Obviously, local users/usernames do not have the 
local domain added.


Adding

userdb {
driver = passwd-file
args = username_format=%n /etc/passwd
}

to the 'protocol lmtp { }' block solves the issue. The only thing is that 
Dovecot now logs this to it's logs:


Mar 06 15:04:57 auth: Error: passwd-file /etc/passwd: User root has invalid 
UID '0'


Can't hurt, but is polutes the logs.


Is there a way Postfix can be told to get rid of the domain part if mail is 
sent through LMTP?



Thanks,
Remy

Re: submission port : "Client host rejected: Access denied"

[David Touzeau]

Le dimanche 06 mars 2011 à 07:58 -0500, Jerry a écrit :
> On Sun, 06 Mar 2011 13:18:02 +0100
> David Touzeau  articulated:
> 
> > dear 
> > 
> > i would like to use submission port for authenticate users from
> > internet allowing them to the postfix smtpd server
> > 
> > For testing purpose, i have set a network different from the LAN to be
> > sure that postfix allow SASL connections
> > 
> > but it seems that postfix did not want to test the authentication
> > method and pass it's rules trough subnet rules to finally refuse the
> > connection with a "Client host rejected: Access denied"
> > We can see that there an request to saslauthd
> > "xsasl_cyrus_server_create: SASL service=smtp, realm=(null)" but i did
> > not really understand what is means..
> > 
> > 
> > I'm using saslauthd trough LDAP to perform credentials checking and
> > postfix 2.8.0
> > 
> > Where i'm wrong ??
> > 
> > When using testssaslauthd
> > --
> > testsaslauthd  -u david.touzeau -p secret -f /var/run/saslauthd/mux -s
> > smtp
> > 0: OK "Success."
> > 
> > Content of /etc/postfix/sasl/smtpd.conf
> > --
> > pwcheck_method: saslauthd
> > mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> > log_level: 5
> > 
> > master.cf
> > --
> > smtpinetn   -   n   -   -
> > smtpd submissioninetn   -
> > n   -   -   smtpd -o smtpd_etrn_restrictions=reject
> >  -o smtpd_enforce_tls=yes
> >  -o smtpd_sasl_auth_enable=yes
> >  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >  -o smtp_generic_maps=
> >  -o sender_canonical_maps=
> > 
> > Here it is a piece of debug logs :
> > --
> > 
> > 
> > Mar  6 13:48:20 bigfiles postfix/smtpd[17456]:
> > xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
> > Mar  6 13:48:20 bigfiles postfix/smtpd[17456]: name_mask: noanonymous
> > Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: start
> > interval Mar  6 13:45:02
> > Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: address
> > lookup hits=5 miss=2 success=71%
> > Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: max
> > simultaneous domains=0 addresses=1 connection=2
> > Mar  6 13:48:40 bigfiles postfix/postfix-script[22489]: stopping the
> > Postfix mail system
> > Mar  6 13:48:40 bigfiles postfix/master[2548]: terminating on signal
> > 15 Mar  6 13:48:40 bigfiles postfix/postfix-script[22571]: starting
> > the Postfix mail system
> > Mar  6 13:48:40 bigfiles postfix/master[22572]: daemon started --
> > version 2.8.0, configuration /etc/postfix
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: ipv4
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: inet_addr_local:
> > configured 3 IPv4 addresses
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: process generation: 3
> > (3) Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > mynetworks ~? debug_peer_list
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > mynetworks ~? fast_flush_domains
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > mynetworks ~? mynetworks
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > relay_domains ~? debug_peer_list
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > relay_domains ~? fast_flush_domains
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > relay_domains ~? mynetworks
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > relay_domains ~? permit_mx_backup_networks
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > relay_domains ~? qmqpd_authorized_clients
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > relay_domains ~? relay_domains
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against
> > Berkeley DB: 4.5.20?
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
> > Berkeley DB: 4.5.20?
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
> > hash:/etc/postfix/relay_domains
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > permit_mx_backup_networks ~? debug_peer_list
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > permit_mx_backup_networks ~? fast_flush_domains
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > permit_mx_backup_networks ~? mynetworks
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> > permit_mx_backup_networks ~? permit_mx_backup_networks
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against
> > Berkeley DB: 4.5.20?
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
> > Berkeley DB: 4.5.20?
> > Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
> > hash:/etc/postf

Re: submission port : "Client host rejected: Access denied"

[David Touzeau]

Le dimanche 06 mars 2011 à 13:58 +0100, Jeroen Geilman a écrit :
> On 03/06/2011 01:18 PM, David Touzeau wrote:
> > dear
> >
> > i would like to use submission port for authenticate users from internet
> > allowing them to the postfix smtpd server
> >
> > For testing purpose, i have set a network different from the LAN to be
> > sure that postfix allow SASL connections
> >
> > but it seems that postfix did not want to test the authentication method
> > and pass it's rules trough subnet rules to finally refuse the connection
> > with a "Client host rejected: Access denied"
> > We can see that there an request to saslauthd
> > "xsasl_cyrus_server_create: SASL service=smtp, realm=(null)" but i did
> > not really understand what is means..
> >
> >
> > I'm using saslauthd trough LDAP to perform credentials checking and
> > postfix 2.8.0
> >
> > Where i'm wrong ??
> >
> > When using testssaslauthd
> > --
> > testsaslauthd  -u david.touzeau -p secret -f /var/run/saslauthd/mux -s
> > smtp
> > 0: OK "Success."
> >
> > Content of /etc/postfix/sasl/smtpd.conf
> > --
> > pwcheck_method: saslauthd
> > mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> > log_level: 5
> >
> > master.cf
> > --
> > smtpinetn   -   n   -   -   smtpd
> > submission  inetn   -   n   -   -   smtpd
> >   -o smtpd_etrn_restrictions=reject
> >   -o smtpd_enforce_tls=yes
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >   -o smtp_generic_maps=
> >   -o sender_canonical_maps=
> >
> > Here it is a piece of debug logs :
> > --
> >
> 
> Debug logs should not be required to solve SASL issues.
> 
> Please include the output of postconf -n and the normal postfix logs for 
> the observed behaviour, as described in:
> 
> http://www.postfix.org/DEBUG_README.html#mail

Thanks Jeroen

Here it is information requested


postconf -n
--
2bounce_notice_recipient = postmaster
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
biff = no
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 5
bounce_template_file = /etc/postfix/bounce.template.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter = 
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 20
default_destination_recipient_limit = 50
default_process_limit = 100
delay_notice_recipient = david.touz...@touzeau.com
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
double_bounce_sender = double-bounce
empty_address_recipient = david.touz...@touzeau.com
enable_original_recipient = yes
error_notice_recipient = david.touz...@touzeau.com
header_address_token_limit = 10240
header_checks = 
html_directory = /usr/share/doc/packages/postfix-doc/html
ignore_mx_lookup_error = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
lmtp_sasl_auth_enable = no
local_destination_concurrency_limit = 2
local_recipient_maps = 
luser_relay = 
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 10240
mailbox_transport =
lmtp:unix:/var/spool/postfix/var/run/cyrus/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
master_service_disable = 
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_size_limit = 10240
message_strip_characters = \0
milter_command_timeout = 180
milter_connect_macros = j _ {daemon_name} {if_name} {if_addr}
{client_name} {client_addr} {client_resolve} {client_ptr}
milter_connect_timeout = 180
milter_content_timeout = 600
milter_default_action = accept
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject}
{cert_issuer}
milter_mail_macros = i {auth_type} {auth_authen} {auth_ssf}
{auth_author} {mail_mailer} {mail_host} {mail_addr} {client_addr}
{if_addr}
milter_protocol = 6
milter_rcpt_macros = {rcpt_mailer} {rcpt_host} {rcpt_addr} {client_addr}
{if_addr}
mime_header

Re: Kernel Oops

[Bastian Blank]

On Fri, Mar 04, 2011 at 03:43:11PM +0300, Denis Shulyaka wrote:
> Mar  4 14:46:29 shulyaka kern.alert kernel: CPU 0 Unable to handle
> kernel paging request at virtual address 0050, epc == 800fbdb4, ra
> == 800fbdf8

This kernel is broken bejond repair. Get a fixed one.

> Mar  4 14:46:29 shulyaka kern.warn kernel: Tainted: G  D

This is _not_ the first oops in the log.

Bastian

-- 
Emotions are alien to me.  I'm a scientist.
-- Spock, "This Side of Paradise", stardate 3417.3

Re: submission port : "Client host rejected: Access denied"

[Jerry]

On Sun, 06 Mar 2011 13:18:02 +0100
David Touzeau  articulated:

> dear 
> 
> i would like to use submission port for authenticate users from
> internet allowing them to the postfix smtpd server
> 
> For testing purpose, i have set a network different from the LAN to be
> sure that postfix allow SASL connections
> 
> but it seems that postfix did not want to test the authentication
> method and pass it's rules trough subnet rules to finally refuse the
> connection with a "Client host rejected: Access denied"
> We can see that there an request to saslauthd
> "xsasl_cyrus_server_create: SASL service=smtp, realm=(null)" but i did
> not really understand what is means..
> 
> 
> I'm using saslauthd trough LDAP to perform credentials checking and
> postfix 2.8.0
> 
> Where i'm wrong ??
> 
> When using testssaslauthd
> --
> testsaslauthd  -u david.touzeau -p secret -f /var/run/saslauthd/mux -s
> smtp
> 0: OK "Success."
> 
> Content of /etc/postfix/sasl/smtpd.conf
> --
> pwcheck_method: saslauthd
> mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> log_level: 5
> 
> master.cf
> --
> smtp  inetn   -   n   -   -
> smtpd submission  inetn   -
> n -   -   smtpd -o smtpd_etrn_restrictions=reject
>  -o smtpd_enforce_tls=yes
>  -o smtpd_sasl_auth_enable=yes
>  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>  -o smtp_generic_maps=
>  -o sender_canonical_maps=
> 
> Here it is a piece of debug logs :
> --
> 
> 
> Mar  6 13:48:20 bigfiles postfix/smtpd[17456]:
> xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
> Mar  6 13:48:20 bigfiles postfix/smtpd[17456]: name_mask: noanonymous
> Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: start
> interval Mar  6 13:45:02
> Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: address
> lookup hits=5 miss=2 success=71%
> Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: max
> simultaneous domains=0 addresses=1 connection=2
> Mar  6 13:48:40 bigfiles postfix/postfix-script[22489]: stopping the
> Postfix mail system
> Mar  6 13:48:40 bigfiles postfix/master[2548]: terminating on signal
> 15 Mar  6 13:48:40 bigfiles postfix/postfix-script[22571]: starting
> the Postfix mail system
> Mar  6 13:48:40 bigfiles postfix/master[22572]: daemon started --
> version 2.8.0, configuration /etc/postfix
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: ipv4
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: inet_addr_local:
> configured 3 IPv4 addresses
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: process generation: 3
> (3) Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> mynetworks ~? debug_peer_list
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> mynetworks ~? fast_flush_domains
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> mynetworks ~? mynetworks
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> relay_domains ~? debug_peer_list
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> relay_domains ~? fast_flush_domains
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> relay_domains ~? mynetworks
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> relay_domains ~? permit_mx_backup_networks
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> relay_domains ~? qmqpd_authorized_clients
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> relay_domains ~? relay_domains
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against
> Berkeley DB: 4.5.20?
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
> Berkeley DB: 4.5.20?
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
> hash:/etc/postfix/relay_domains
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> permit_mx_backup_networks ~? debug_peer_list
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> permit_mx_backup_networks ~? fast_flush_domains
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> permit_mx_backup_networks ~? mynetworks
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
> permit_mx_backup_networks ~? permit_mx_backup_networks
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against
> Berkeley DB: 4.5.20?
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
> Berkeley DB: 4.5.20?
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
> hash:/etc/postfix/canonical
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against
> Berkeley DB: 4.5.20?
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
> Berkeley DB: 4.5.20?
> Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
> hash:/etc/postfi

Re: submission port : "Client host rejected: Access denied"

[Jeroen Geilman]

On 03/06/2011 01:18 PM, David Touzeau wrote:

dear

i would like to use submission port for authenticate users from internet
allowing them to the postfix smtpd server

For testing purpose, i have set a network different from the LAN to be
sure that postfix allow SASL connections

but it seems that postfix did not want to test the authentication method
and pass it's rules trough subnet rules to finally refuse the connection
with a "Client host rejected: Access denied"
We can see that there an request to saslauthd
"xsasl_cyrus_server_create: SASL service=smtp, realm=(null)" but i did
not really understand what is means..


I'm using saslauthd trough LDAP to perform credentials checking and
postfix 2.8.0

Where i'm wrong ??

When using testssaslauthd
--
testsaslauthd  -u david.touzeau -p secret -f /var/run/saslauthd/mux -s
smtp
0: OK "Success."

Content of /etc/postfix/sasl/smtpd.conf
--
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
log_level: 5

master.cf
--
smtpinetn   -   n   -   -   smtpd
submission  inetn   -   n   -   -   smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtp_generic_maps=
  -o sender_canonical_maps=

Here it is a piece of debug logs :
--
   


Debug logs should not be required to solve SASL issues.

Please include the output of postconf -n and the normal postfix logs for 
the observed behaviour, as described in:


http://www.postfix.org/DEBUG_README.html#mail


--
J.

Dovecot, Postfix and Dovecot LDA (LMTP) delivery

[Remy Zandwijk]

Hi list,

I am running a Debian Lenny machine with Postfix 2.5.5 and Dovecot 2.0.8. Up 
until now I ran Postfix with the Procmail delivery agent succesfully. The 
machine has only local users; I am not using virtual mailboxes. Due to obvious 
reasons I want to switch to Dovecot LDA delivery, through LMTP.


I spend quite some time finding 'the' configuration for both Postfix and 
Dovecot, but without success. Find my current configuration below. Postfix 
receives the e-mail, but delivery through LMTP fails, resulting in Postfix 
sending an NDR.


I just cannot figure out what's wrong and I am not sure whether it's a Postfix 
or Dovecot problem either. Some log output from Postfix:


Mar  5 13:25:15 hostname postfix/smtpd[12442]: connect from 
otherhost.domain.tld[aa.bb.cc.dd]
Mar  5 13:25:16 hostname postfix/smtpd[12442]: CC47979071: 
client=otherhost.domain.tld[aa.bb.cc.dd]
Mar  5 13:25:16 hostname postfix/cleanup[12447]: CC47979071: 
message-id=
Mar  5 13:25:16 hostname postfix/qmgr[12372]: CC47979071: 
from=, size=1037, nrcpt=1 (queue active)
Mar  5 13:25:16 hostname postfix/smtpd[12442]: disconnect from 
otherhost.domain.tld[aa.bb.cc.dd]
Mar  5 13:25:16 hostname postfix/lmtp[12448]: CC47979071: 
to=, 
relay=hostname.domain.tld[private/dovecot-lmtp], delay=1.2, 
delays=1.2/0.01/0.01/0.05, dsn=5.1.1, status=bounced (host 
hostname.domain.tld[private/dovecot-lmtp] said: 550 5.1.1 
 User doesn't exist: r...@hostname.domain.tld (in 
reply to RCPT TO command))



The only lines that Dovecot logs are:

Mar 05 13:25:16 lmtp(12449): Info: Connect from local
Mar 05 13:25:16 lmtp(12449): Info: Disconnect from local: Client quit


Although LMTP should log to /tmp/dovecot-lmtp.log, the file remains empty.

Anyone amongst you who is running the same kind of setup and can help?

Thanks,
Remy


Postfix config (postfix -n output)

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_transport = smtp
inet_interfaces = all
local_transport = lmtp:unix:private/dovecot-lmtp
mailbox_command =
mailbox_size_limit = 0
message_size_limit = 31457280
mydestination = hostname.domain.tld, localhost.domain.tld, localhost
myhostname = hostname.domain.tld
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_transport = error
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, 
permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, 
reject_rbl_client dnsbl.sorbs.net,reject_unauth_pipelining

smtpd_helo_required = yes
smtpd_helo_restrictions = 
reject_invalid_helo_hostname,reject_non_fqdn_helo_hostname,reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_non_fqdn_recipient, reject_unauth_destination, 
reject_unknown_recipient_domain

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access, 
reject_non_fqdn_sender, reject_unknown_sender_domain

smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


Dovecot config (dovecot -n output)

# 2.0.8: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-amd64 x86_64 Debian 5.0.8
auth_master_user_separator = *
listen = *
log_path = /var/log/dovecot.log
mail_location = maildir:~/.maildir
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags 
copy include variables body enotify environment mailbox date

namespace {
  hidden = no
  inbox = yes
  list = yes
  location =
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
  }
}
ssl_cert = 

Re: [Q] Warning: Connection rate limit reached (anvil), and "milter-reject: END-OF-MESSAGE"

[Reindl Harald]

Sounds like you have set something like this in main.cf

anvil_rate_time_unit   = 1800s
smtpd_client_connection_rate_limit = 50

this means "a maximum of 50 connection per half a hour from the same ip"
my example 50/18000 is from our live configuration on postfix-servers
as well our barracuda-spamfirewall and is really a good setting because
sometimes over weeks nobody reaches this limit

if it is reached there is surely a spammer delivering his crap
and postfix will reject temporary connections from the ip

a normal server will try later, a spammer will give up sooner or later


Am 06.03.2011 13:15, schrieb JKL:
> 
> Dear all,
> 
> ** QUESTION 1
> I just noticed this message appearing the log files (mail.log). I
> read a little on the page http://www.postfix.org/QSHAPE_README.html, but
> did not quite understand where my postfix problem lied.  The queues are
> very quiet presently.  This mail server does not have a lot of throughput.
> 
> - Postfix Begin  
> 
>  2105   *Warning: Connection rate limit reached (anvil) 
> 4   Miscellaneous warnings  
>  
>   666.166K  Bytes accepted 682,154
>   128.576K  Bytes sent via SMTP131,662
>   634.608K  Bytes delivered649,839
>     ==
>  
>55   Accepted20.15%
>   218   Rejected79.85%
>     --
>   273   Total  100.00%
>     ==
>  
> 1   5xx Reject relay denied  0.46%
> 1   5xx Reject HELO/EHLO 0.46%
>   100   5xx Reject unknown user 45.87%
>   106   5xx Reject RBL  48.62%
> 2   5xx Reject header0.92%
> 8   5xx Reject milter3.67%
>     --
>   218   Total 5xx Rejects  100.00%
>     ==
>  
> 7   4xx Reject milter  100.00%
>     --
> 7   Total 4xx Rejects  100.00%
>     ==
>  
>  2406   Connections 
>   158   Connections lost (inbound) 
>  2406   Disconnections  
>36   Removed from queue  
>32   Delivered   
>13   Sent via SMTP   
>  
> 5   Timeouts (inbound)  
> 1   Illegal address syntax in SMTP command 
>47   Hostname verification errors 
>18   TLS connections (server) 
> 6   SASL authenticated messages 
>  
>  
>  -- Postfix End - 
> 
> 
> ** QUESTION 2
> On an additional note a milter is rejecting these messages (about 40 each 
> day).  I am uncertain which milter is rejecting it from  the message.  Does 
> anyone know how I can identify the milter:
> 
> Mar  6 12:04:17 logout postfix/cleanup[18037]: D6861848C7: milter-reject: 
> END-OF-MESSAGE from smtp143.junkemailfilter.com[69.50.231.143]: 4.7.1 Service 
> unavailable - try again later; from= 
> to= proto=ESMTP helo=
> 
> 
> Any one, any ideas?  Perhaps, which is likly there is some misconfiguration.
> 
> Best regards, s.

-- 

Mit besten Grüßen, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/



signature.asc
Description: OpenPGP digital signature

submission port : "Client host rejected: Access denied"

[David Touzeau]

dear 

i would like to use submission port for authenticate users from internet
allowing them to the postfix smtpd server

For testing purpose, i have set a network different from the LAN to be
sure that postfix allow SASL connections

but it seems that postfix did not want to test the authentication method
and pass it's rules trough subnet rules to finally refuse the connection
with a "Client host rejected: Access denied"
We can see that there an request to saslauthd
"xsasl_cyrus_server_create: SASL service=smtp, realm=(null)" but i did
not really understand what is means..


I'm using saslauthd trough LDAP to perform credentials checking and
postfix 2.8.0

Where i'm wrong ??

When using testssaslauthd
--
testsaslauthd  -u david.touzeau -p secret -f /var/run/saslauthd/mux -s
smtp
0: OK "Success."

Content of /etc/postfix/sasl/smtpd.conf
--
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
log_level: 5

master.cf
--
smtpinetn   -   n   -   -   smtpd
submission  inetn   -   n   -   -   smtpd 
 -o smtpd_etrn_restrictions=reject
 -o smtpd_enforce_tls=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtp_generic_maps=
 -o sender_canonical_maps=

Here it is a piece of debug logs :
--


Mar  6 13:48:20 bigfiles postfix/smtpd[17456]:
xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Mar  6 13:48:20 bigfiles postfix/smtpd[17456]: name_mask: noanonymous
Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: start
interval Mar  6 13:45:02
Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: address
lookup hits=5 miss=2 success=71%
Mar  6 13:48:22 bigfiles postfix/scache[19807]: statistics: max
simultaneous domains=0 addresses=1 connection=2
Mar  6 13:48:40 bigfiles postfix/postfix-script[22489]: stopping the
Postfix mail system
Mar  6 13:48:40 bigfiles postfix/master[2548]: terminating on signal 15
Mar  6 13:48:40 bigfiles postfix/postfix-script[22571]: starting the
Postfix mail system
Mar  6 13:48:40 bigfiles postfix/master[22572]: daemon started --
version 2.8.0, configuration /etc/postfix
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: ipv4
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: inet_addr_local:
configured 3 IPv4 addresses
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: process generation: 3 (3)
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks
~? debug_peer_list
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks
~? fast_flush_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks
~? mynetworks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? debug_peer_list
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? fast_flush_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? mynetworks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? permit_mx_backup_networks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? qmqpd_authorized_clients
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
relay_domains ~? relay_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley
DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
Berkeley DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
hash:/etc/postfix/relay_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
permit_mx_backup_networks ~? debug_peer_list
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
permit_mx_backup_networks ~? fast_flush_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
permit_mx_backup_networks ~? mynetworks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
permit_mx_backup_networks ~? permit_mx_backup_networks
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley
DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
Berkeley DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
hash:/etc/postfix/canonical
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley
DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against
Berkeley DB: 4.5.20?
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open:
hash:/etc/postfix/virtual
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
smtpd_access_maps ~? debug_peer_list
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:
smtpd_access_maps ~? fast_flush_domains
Mar  6 13:48:54 bigfiles postfix/smtpd[22708]: match_string:

[Q] Warning: Connection rate limit reached (anvil), and "milter-reject: END-OF-MESSAGE"

[JKL]

Dear all,

** QUESTION 1
I just noticed this message appearing the log files (mail.log). I
read a little on the page http://www.postfix.org/QSHAPE_README.html, but
did not quite understand where my postfix problem lied.  The queues are
very quiet presently.  This mail server does not have a lot of throughput.

- Postfix Begin  

 2105   *Warning: Connection rate limit reached (anvil) 
4   Miscellaneous warnings  
 
  666.166K  Bytes accepted 682,154
  128.576K  Bytes sent via SMTP131,662
  634.608K  Bytes delivered649,839
    ==
 
   55   Accepted20.15%
  218   Rejected79.85%
    --
  273   Total  100.00%
    ==
 
1   5xx Reject relay denied  0.46%
1   5xx Reject HELO/EHLO 0.46%
  100   5xx Reject unknown user 45.87%
  106   5xx Reject RBL  48.62%
2   5xx Reject header0.92%
8   5xx Reject milter3.67%
    --
  218   Total 5xx Rejects  100.00%
    ==
 
7   4xx Reject milter  100.00%
    --
7   Total 4xx Rejects  100.00%
    ==
 
 2406   Connections 
  158   Connections lost (inbound) 
 2406   Disconnections  
   36   Removed from queue  
   32   Delivered   
   13   Sent via SMTP   
 
5   Timeouts (inbound)  
1   Illegal address syntax in SMTP command 
   47   Hostname verification errors 
   18   TLS connections (server) 
6   SASL authenticated messages 
 
 
 -- Postfix End - 


** QUESTION 2
On an additional note a milter is rejecting these messages (about 40 each day). 
 I am uncertain which milter is rejecting it from  the message.  Does anyone 
know how I can identify the milter:

Mar  6 12:04:17 logout postfix/cleanup[18037]: D6861848C7: milter-reject: 
END-OF-MESSAGE from smtp143.junkemailfilter.com[69.50.231.143]: 4.7.1 Service 
unavailable - try again later; from= 
to= proto=ESMTP helo=


Any one, any ideas?  Perhaps, which is likly there is some misconfiguration.

Best regards, s.

Re: posfix rejected from google server

[Reindl Harald]

Am 06.03.2011 07:51, schrieb kapetr:

> My "from:" address used by these tests of fresh Postfix installation
> I have and use many years - so it fit not in yours definition of
> "spamtrap adress".

seems you do not understand waht a spamtrap is
hint: your sender-address does not play in this game

somebody places a hidden mail-link somewehere and does
never publish the address, if some idiot is fetching
addresses from websites and sending only one mail there
the sender-ip will be blocked

are you sure you have a ip-address for your own
which does not change? dynamic-address sounds not so!

somebody other had the ip-adresss before, had a bot on his
machine and sent spam, now you have exactly this address and
you are blocked because the poor man before you has another
address from this range and sending spam from this too sonner
or later the whole subnet is  blocked. And if this guy is sending
over a longer time uceprotect level 2 is blocking your whole
provider because he does nothing against spam

guy it is so easy: from your little home-ip-address you will never
send mails out there if you want that they are reaching their target

accept this and use a relayserver or take some money and
get a business account!







signature.asc
Description: OpenPGP digital signature

RE: Domain rewriting

[Nasser Heidari]

I've did it using canonical maps :
Main.cf :
sender_canonical_maps = hash:/etc/postfix/canonical

/etc/postfix/canonical:
@test.local @test.edu


Thanks
Nasser

 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On
> Behalf Of Luigi Rosa
> Sent: Sunday, March 06, 2011 10:49
> To: Postfix users
> Subject: Re: Domain rewriting
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Nasser Heidari said the following on 06/03/11 06:43:
> 
> > Now I want to rewrite All of my emails domain from test.local to
> > test.edu when they traveling to outside network.
> 
> I have many similar installations: Exchange (often on Windows SBS) inside and
> Postfix as border MTA.
> 
> My solution is this, giving the domain name example.com and the exchange
> hostname exchange.example.local
> 
> On the Exchange server you configure each user with _main_ SMTP address
> u...@example.com and another SMTP address u...@exchange.example.com (you
> can also add SMTP addresses for example.local, but could not be needed).
> 
> In the Exchange SMTP connector you tell Exchange to use Postfix MTA as smart 
> relay
> (you have to enclose Postfix IP in square brackets in the appropriate field 
> of SMTP
> connector).
> 
> In Postfix you create an alias table (using /etc/aliases, or a database of 
> your
> choice) like this:
> 
>u...@example.com:   u...@exchange.example.com
>us...@example.com:  us...@exchange.example.com
>us...@example.com:  us...@exchange.example.com
> 
> Of course you have to tell Postfix to deliver all the mail for 
> exchange.example.com to
> exchange server
> 
> 
> If you follow this procedure, or something linke this, your email from 
> Exchange will
> have u...@example.com because you have set it as the main email address
> 
> 
> 
> 
> Ciao,
> luigi
> 
> - --
> /
> +--[Luigi Rosa]--
> \
> 
> I have a bad feeling about this.
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk1zNWcACgkQ3kWu7Tfl6ZRRdgCgjYkV6hesQ05n/zI+11J4zRzi
> 1AoAn2vMyVG3vQxVI47S2pfiEcdMVMPy
> =Li4W
> -END PGP SIGNATURE-

VBoxAdm - Virtual Mailbox Admin

[Dominik Schulz]

Hi,

I'd like to draw your attentention on just another web based management
interface aimed at postfix mailservers. It is called VBoxAdm (Virtual
Mailbox Admin) and allows management of virtual domains, mailboxes,
aliases and alias domains. It is free software released under the terms of
the GNU GPL version 2.

Homepage w/ screenshots: http://www.vboxadm.net/

Git Repository: http://git.gauner.org/vboxadm.git/

VBoxAdm is written in Perl using CGI::Application and some other CPAN
modules.

A Debian package for easy setup is available. Migration scripts for
migrating from Postfix.Admin, Vexim and others are included.

The main goals of this project are security, maintainability and scalability.

Best Regards,

Dominik Schulz