Dead Destination configuration

2011-11-30 Thread DN Singh
Hello Group,

I am trying some extra configuration for postfix where it would mark some
destinations as undeliverable. I have found that there are some
destinations that start deferring the mails (maybe greylisting) for a
particular period of time (times ranging from 1min to 4hrs), and after the
time window is over, they accept mails properly. So, I would like to
configure a per-destination dead time limit, where Postfix would not attempt
any delivery at all to a destination for the mentioned time.

I tried configuring backoff-time, but it only comes into the picture after
the first attempt, which will get deferred during the time the destination is
deferring. Next, I found
"default_destination_concurrency_failed_cohort_limit", but I was unable to
find the time for which it will remain dead. I know this is transport
configurable, so I can configure different time limits for different
destinations. This is because I do not want any delivery attempts during
the time when a destination is marked dead.

Is this possible? If yes, then how?

Thanks.
DN Singh


Re: check_recipient_access with exceptions

2011-11-30 Thread Viktor Dukhovni
On Wed, Nov 30, 2011 at 08:38:13PM -0500, Vladimir Parkhaev wrote:

Augment this:

> smtpd_recipient_restrictions =
>   check_recipient_access hash:/usr/local/etc/postfix/access, 
>   reject_unauth_destination,
>   permit

As follows (and avoid using "access", name each table after its
specific role):

main.cf:
  cidr = cidr:${config_directory}/
  indexed = ${default_database_type}:${config_directory}/
  #
  smtpd_recipient_restrictions =
    check_client_access ${cidr}trusted-clients,
    check_recipient_access ${indexed}rcpt-whitelist,
    reject_unauth_destination,
    permit

/usr/local/etc/postfix/rcpt-whitelist: (postmap rcpt-whitelist when changed)
  us...@external.com  OK
  us...@faraway.com  OK

/usr/local/etc/postfix/trusted-clients: (no postmap for cidr tables)
  192.0.2.1 permit

-- 
Viktor.
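
A simplified model of how the restriction list in the reply above is evaluated, first definite answer wins. This is an added example, not part of the original post and not Postfix code; the addresses, the relay domain set and the reduced table lookup order are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-ins for the two tables in the reply above.
TRUSTED_CLIENTS = [("192.0.2.1/32", "permit")]      # cidr:trusted-clients
RCPT_WHITELIST = {                                   # indexed rcpt-whitelist
    "alice@external.example": "OK",
    "bob@faraway.example": "OK",
}
# Assumption: the only domain this relay is allowed to forward to.
RELAY_DOMAINS = {"mydomain.example"}


def check_client_access(client_ip, rcpt):
    """cidr table: patterns are tried in file order, first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for pattern, action in TRUSTED_CLIENTS:
        if addr in ipaddress.ip_network(pattern):
            return action
    return "DUNNO"


def check_recipient_access(client_ip, rcpt):
    """Indexed table: simplified here to full address, then bare domain."""
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[-1]
    return RCPT_WHITELIST.get(rcpt) or RCPT_WHITELIST.get(domain) or "DUNNO"


def reject_unauth_destination(client_ip, rcpt):
    """Reject recipients whose domain this relay does not forward to."""
    domain = rcpt.lower().rsplit("@", 1)[-1]
    return "DUNNO" if domain in RELAY_DOMAINS else "REJECT"


def permit(client_ip, rcpt):
    return "permit"


RESTRICTIONS = [check_client_access, check_recipient_access,
                reject_unauth_destination, permit]


def evaluate(client_ip, rcpt, restrictions=RESTRICTIONS):
    """Walk the list in order; the first definite answer ends evaluation."""
    for restriction in restrictions:
        result = restriction(client_ip, rcpt).upper()
        if result in ("OK", "PERMIT"):
            return ("permit", restriction.__name__)
        if result == "REJECT":
            return ("reject", restriction.__name__)
    return ("permit", "end of list")


if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.1", "anyone@elsewhere.example"),
                     ("198.51.100.7", "alice@external.example"),
                     ("198.51.100.7", "anyone@elsewhere.example"),
                     ("198.51.100.7", "user@mydomain.example")]:
        print(ip, rcpt, evaluate(ip, rcpt))
```

Only the trusted client address skips the recipient whitelist; every other client still falls through to reject_unauth_destination for non-whitelisted external recipients.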


check_recipient_access with exceptions

2011-11-30 Thread Vladimir Parkhaev
Hello,


I am running a mail relay that forwards all mail from some "management
network" to a corporate MTA. For security reasons, my gateway is configured to
relay mail only to internal destination addresses (us...@mydomain.com). There
are a few exceptions and all "external" addresses must be whitelisted.

Pretty basic setup -
smtpd_recipient_restrictions =
  check_recipient_access hash:/usr/local/etc/postfix/access,
  reject_unauth_destination,
  permit

/usr/local/etc/postfix/access:
us...@external.com  OK
us...@faraway.com  OK


It did what I needed so far. Now there is a new host ABC that would need
to send mail to a large number of external addresses, and whitelist management
becomes a pain.


I am looking for a way to create an exception for check_recipient_access,
ideally IP-based.
Basically, I would like to allow the IP of ABC to freely send mail outside and to
enforce check_recipient_access for all other hosts.

I checked some smtpd_restriction_classes examples, but did not find anything
similar.

Any ideas?

Thank you.
 


-- 
.signature: No such file or directory


Re: Delivery Status Notifications - What is required from the remote MTA?

2011-11-30 Thread Russell Jones

Thanks! Just got it working as intended =)

Nov 30 18:33:04 bigbertha postfix/smtp[22632]: discarding EHLO keywords: DSN



On 11/30/2011 6:33 PM, Wietse Venema wrote:
> Russell Jones:
>> Ah that makes sense!
>>
>> This problematic mail server does announce DSN when you telnet to it,
>> while Google, Yahoo etc do not announce DSN support.
>>
>> Thanks for your help. Final question (hopefully), is there a way to
>> ignore DSN announcements from remote servers and just treat them as if
>> they don't support DSN, that way I can get the relay/success emails I
>> need? I've read through the DSN readme
>> (http://www.postfix.org/DSN_README.html) and it doesn't appear to cover
>> that (if it's an option). I also searched for "dsn" on
>> (http://www.postfix.org/postconf.5.html) for main.cf options for doing
>> this with no luck.
>
> http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keyword_address_maps
>
> (that's smtp, not smtpd).
>
> Or, more radically,
> http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keywords
>
> Wietse



Re: Delivery Status Notifications - What is required from the remote MTA?

2011-11-30 Thread Wietse Venema
Russell Jones:
> Ah that makes sense!
> 
> This problematic mail server does announce DSN when you telnet to it, 
> while Google, Yahoo etc do not announce DSN support.
> 
> Thanks for your help. Final question (hopefully), is there a way to 
> ignore DSN announcements from remote servers and just treat them as if 
> they don't support DSN, that way I can get the relay/success emails I 
> need? I've read through the DSN readme 
> (http://www.postfix.org/DSN_README.html) and it doesn't appear to cover 
> that (if it's an option). I also searched for "dsn" on 
> (http://www.postfix.org/postconf.5.html) for main.cf options for doing 
> this with no luck.

http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keyword_address_maps

(that's smtp, not smtpd).

Or, more radically,
http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keywords

Wietse


Re: Delivery Status Notifications - What is required from the remote MTA?

2011-11-30 Thread Russell Jones

Ah that makes sense!

This problematic mail server does announce DSN when you telnet to it, 
while Google, Yahoo etc do not announce DSN support.


Thanks for your help. Final question (hopefully), is there a way to 
ignore DSN announcements from remote servers and just treat them as if 
they don't support DSN, that way I can get the relay/success emails I 
need? I've read through the DSN readme 
(http://www.postfix.org/DSN_README.html) and it doesn't appear to cover 
that (if it's an option). I also searched for "dsn" on 
(http://www.postfix.org/postconf.5.html) for main.cf options for doing 
this with no luck.



On 11/30/2011 6:00 PM, Wietse Venema wrote:
> Russell Jones:
>> Hi Wietse,
>>
>> Thanks! That's different from what I read in that article then...
>> according to that article the remote mail server needs to support DSN as
>> well for the reports to be generated.
>
> Per RFC 3461..3464, Postfix sends DSN "relayed" (not success) if
> the remote server does not announce DSN support. The RFCs are
> public documents, so you don't have to take my word for it.
>
> If the remote server announces DSN support, and you receive no
> "success" or "relayed" notification, then some remote system does
> not implement DSN correctly.
>
> Debugging remote SMTP servers is outside the scope of Postfix
> support.
>
> Wietse



Re: Delivery Status Notifications - What is required from the remote MTA?

2011-11-30 Thread Wietse Venema
Russell Jones:
> Hi Wietse,
> 
> Thanks! That's different from what I read in that article then... 
> according to that article the remote mail server needs to support DSN as 
> well for the reports to be generated.

Per RFC 3461..3464, Postfix sends DSN "relayed" (not success) if
the remote server does not announce DSN support. The RFCs are
public documents, so you don't have to take my word for it.

If the remote server announces DSN support, and you receive no
"success" or "relayed" notification, then some remote system does
not implement DSN correctly.

Debugging remote SMTP servers is outside the scope of Postfix
support.

Wietse


Re: Delivery Status Notifications - What is required from the remote MTA?

2011-11-30 Thread Russell Jones

Hi Wietse,

Thanks! That's different from what I read in that article then... 
according to that article the remote mail server needs to support DSN as 
well for the reports to be generated.


If what you are saying is correct, how can I go about diagnosing why I 
am not receiving DSN "success" notices when mail is sent to this one 
specific mail server I provided in my log output?



Russell

On 11/30/2011 5:50 PM, Wietse Venema wrote:
> Russell Jones:
>> Nevermind, I have finally found an article that explains DSN from
>> behind the scenes. It is quite different than just a standard "250
>> OK" status message of course. Article was written in 1997
>> apparently, but still helpful
>> (http://email.about.com/library/weekly/aa082597.htm)
>>
>> On to a different question, does Postfix have any features I am
>> unaware of that can still generate a "success" message if the remote
>> mail server responds with a "250"?
>
> Postfix will send DSN "success" notification when the remote server
> does NOT announce DSN support.
>
> If the server announces DSN support, then Postfix is no longer
> responsible for sending DSN "success" notification.
>
> Wietse



Re: Delivery Status Notifications - What is required from the remote MTA?

2011-11-30 Thread Wietse Venema
Russell Jones:
> Nevermind, I have finally found an article that explains DSN from
> behind the scenes. It is quite different than just a standard "250
> OK" status message of course. Article was written in 1997
> apparently, but still helpful
> (http://email.about.com/library/weekly/aa082597.htm)
> 
> On to a different question, does Postfix have any features I am
> unaware of that can still generate a "success" message if the remote
> mail server responds with a "250"?

Postfix will send DSN "success" notification when the remote server
does NOT announce DSN support. 

If the server announces DSN support, then Postfix is no longer
responsible for sending DSN "success" notification.

Wietse


Re: Delivery Status Notifications - What is required from the remote MTA?

2011-11-30 Thread Russell Jones

  
  
Nevermind, I have finally found an article that explains DSN from
behind the scenes. It is quite different than just a standard "250
OK" status message of course. Article was written in 1997
apparently, but still helpful
(http://email.about.com/library/weekly/aa082597.htm)

On to a different question, does Postfix have any features I am
unaware of that can still generate a "success" message if the remote
mail server responds with a "250"?



On 11/30/2011 5:01 PM, Russell Jones wrote:
> Hi *,
>
> My google-foo is failing me at this point, so I turn to you all. I
> am using a standard Postfix setup and am sending messages via
> Thunderbird. I am choosing under the Options menu "Delivery Status
> Notification". The results:
>
> - DSN's for email sent to gmail work fine
> - DSN's for email sent to yahoo work fine
> - DSN's for email sent to a local account on my mail server work fine
>
> There is one specific mail server though that I am not receiving
> "successful delivery" DSN's for, and I cannot figure out why.
> The following is the conversation log from my server to theirs:
>
> Nov 30 16:39:19 bigbertha postfix/cleanup[18162]: 78861CCFF: warning: header Subject: asasddsad from c-98-197-129-225.hsd1.tx.comcast.net[98.197.129.225]; from= to= proto=ESMTP helo=<[192.168.2.3]>
> Nov 30 16:39:19 bigbertha postfix/qmgr[16356]: 78861CCFF: from=, size=805, nrcpt=1 (queue active)
> Nov 30 16:39:19 bigbertha postfix/smtpd[18337]: disconnect from c-98-197-129-225.hsd1.tx.comcast.net[98.197.129.225]
> Nov 30 16:39:21 bigbertha postfix/smtp[18341]: 78861CCFF: to=, relay=redacted[redacted]:25, delay=2.5, delays=0.18/0/0.43/1.9, dsn=2.0.0, status=sent (250 +OK message queued for delivery.)
> Nov 30 16:39:21 bigbertha postfix/qmgr[16356]: 78861CCFF: removed
>
> Given that the remote mail server is returning a "250" status,
> why would I not get a successful DSN? The return code looks
> exactly the same as mail to a test yahoo account that I *did*
> get a successful DSN generated for:
>
> Nov 30 16:38:28 bigbertha postfix/cleanup[18162]: 17F73CCFF: warning: header Subject: test from c-98-197-129-225.hsd1.tx.comcast.net[98.197.129.225]; from= to= proto=ESMTP helo=<[192.168.2.3]>
> Nov 30 16:38:28 bigbertha postfix/qmgr[16356]: 17F73CCFF: from=, size=785, nrcpt=1 (queue active)
> Nov 30 16:38:30 bigbertha postfix/smtp[18341]: 17F73CCFF: to=, relay=mta5.am0.yahoodns.net[67.195.168.31]:25, delay=2.2, delays=0.16/0.01/0.28/1.7, dsn=2.0.0, status=sent (250 ok dirdel)
> Nov 30 16:38:30 bigbertha postfix/bounce[18342]: 17F73CCFF: sender delivery status notification: 3827D74091
> Nov 30 16:38:30 bigbertha postfix/qmgr[16356]: 17F73CCFF: removed
>
> I have a feeling I am misunderstanding what communication takes
> place behind the scenes when a DSN is requested. If someone
> could shed some light on it for me, that'd be awesome :)
  

  



Delivery Status Notifications - What is required from the remote MTA?

2011-11-30 Thread Russell Jones

  
  
Hi *,

My google-foo is failing me at this point, so I turn to you all. I
am using a standard Postfix setup and am sending messages via
Thunderbird. I am choosing under the Options menu "Delivery Status
Notification". The results:

- DSN's for email sent to gmail work fine
- DSN's for email sent to yahoo work fine
- DSN's for email sent to a local account on my mail server work fine

There is one specific mail server though that I am not receiving
"successful delivery" DSN's for, and I cannot figure out why. The
following is the conversation log from my server to theirs:

Nov 30 16:39:19 bigbertha postfix/cleanup[18162]: 78861CCFF: warning: header Subject: asasddsad from c-98-197-129-225.hsd1.tx.comcast.net[98.197.129.225]; from= to= proto=ESMTP helo=<[192.168.2.3]>
Nov 30 16:39:19 bigbertha postfix/qmgr[16356]: 78861CCFF: from=, size=805, nrcpt=1 (queue active)
Nov 30 16:39:19 bigbertha postfix/smtpd[18337]: disconnect from c-98-197-129-225.hsd1.tx.comcast.net[98.197.129.225]
Nov 30 16:39:21 bigbertha postfix/smtp[18341]: 78861CCFF: to=, relay=redacted[redacted]:25, delay=2.5, delays=0.18/0/0.43/1.9, dsn=2.0.0, status=sent (250 +OK message queued for delivery.)
Nov 30 16:39:21 bigbertha postfix/qmgr[16356]: 78861CCFF: removed

Given that the remote mail server is returning a "250" status,
why would I not get a successful DSN? The return code looks
exactly the same as mail to a test yahoo account that I *did* get
a successful DSN generated for:

Nov 30 16:38:28 bigbertha postfix/cleanup[18162]: 17F73CCFF: warning: header Subject: test from c-98-197-129-225.hsd1.tx.comcast.net[98.197.129.225]; from= to= proto=ESMTP helo=<[192.168.2.3]>
Nov 30 16:38:28 bigbertha postfix/qmgr[16356]: 17F73CCFF: from=, size=785, nrcpt=1 (queue active)
Nov 30 16:38:30 bigbertha postfix/smtp[18341]: 17F73CCFF: to=, relay=mta5.am0.yahoodns.net[67.195.168.31]:25, delay=2.2, delays=0.16/0.01/0.28/1.7, dsn=2.0.0, status=sent (250 ok dirdel)
Nov 30 16:38:30 bigbertha postfix/bounce[18342]: 17F73CCFF: sender delivery status notification: 3827D74091
Nov 30 16:38:30 bigbertha postfix/qmgr[16356]: 17F73CCFF: removed

I have a feeling I am misunderstanding what communication takes
place behind the scenes when a DSN is requested. If someone could
shed some light on it for me, that'd be awesome :)

  



Re: To be able to connect from outlook, do I have to configure saslauthd

2011-11-30 Thread Reindl Harald


On 30.11.2011 23:39, bilal ghayyad wrote:
> I am new to postfix.
> I am using Fedora and I installed it using yum, also I was able to send email
> by using the telnet method. I added one user in the linux using adduser
> command.
> But when I tried to use outlook to send email, it failed !
> First of all, I feel it is most probably related to the authentication,
> because actually I am trying from my laptop and I used the username and
> password that I built using adduser command.

new or not

without log-entries and any useful information first "postconf -n"
nobody and nowhere can help you, independent of postfix





To be able to connect from outlook, do I have to configure saslauthd

2011-11-30 Thread bilal ghayyad
Hi All;

I am new to postfix.

I am using Fedora and I installed it using yum, also I was able to send email
by using the telnet method. I added one user in the linux using adduser command.

But when I tried to use outlook to send email, it failed !

First of all, I feel it is most probably related to the authentication, because
actually I am trying from my laptop and I used the username and password that I
built using adduser command.

Do I have to install and configure saslauthd to be able to send email from my
outlook at my laptop? Or what could I be missing?

I did the needed configuration at the DNS and the MX record, and I routed it
for my mail server, also I added the mail server name in the main.cf file. And
I was able to send email using the telnet method as I said.

Any help?
Regards
Bilal


Re: Re: SMTP Auth question

2011-11-30 Thread Brian Evans - Postfix List
On 11/30/2011 1:13 PM, Peter Tselios wrote:
> Thank you Brian,
>
> Sorry, to bug you, but, do you have any link to read how to enable the SMTP
> Auth? My plan is to enable it (first for selected users and later for all
> users (in the openLDAP). All "how-tos" I have found so far are with Cyrus or
> Dovecot.
>
> P.

The Postfix documentation is quite extensive on this subject.
http://www.postfix.org/SASL_README.html#server_sasl

Brian

>
>
> - Original message -
> From: Brian Evans - Postfix List 
> To: postfix-users@postfix.org
> Cc: 
> Sent: 8:08 PM Wednesday, 30 November 2011
> Subject: Re: SMTP Auth question
>
> On 11/30/2011 12:55 PM, Peter Tselios wrote:
>> Hallo,
>>
>> I would like to enable SMTP authentication, as an optional feature for our
>> users, but I have some questions before doing so.
>> 1st: Is it possible to enable it without Cyrus or Dovecot? I do not want to
>> install Cyrus or Dovecot on my gateway.
> You need either Cyrus SASL or Dovecot for Postfix to enable SMTP AUTH.
>
> You do NOT need Cyrus IMAP or other services
>
>> 2nd: As far as I understand, there is an option to use SMTP auth for mail 
>> submission only. Right?
>>
> You choose how you want to use it.
> Many administrators enforce (require) SASL on the submission port (587)
> as well as options to use TLS.
>
> Brian
>



Re: SMTP Auth question

2011-11-30 Thread Peter Tselios
Thank you Brian,

Sorry, to bug you, but, do you have any link to read how to enable the SMTP 
Auth? My plan is to enable it (first for selected users and later for all users 
(in the openLDAP). All "how-tos" I have found so far are with Cyrus or Dovecot.

P.



- Original message -
From: Brian Evans - Postfix List 
To: postfix-users@postfix.org
Cc: 
Sent: 8:08 PM Wednesday, 30 November 2011
Subject: Re: SMTP Auth question

On 11/30/2011 12:55 PM, Peter Tselios wrote:
> Hallo,
>
> I would like to enable SMTP authentication, as an optional feature for our
> users, but I have some questions before doing so.
> 1st: Is it possible to enable it without Cyrus or Dovecot? I do not want to
> install Cyrus or Dovecot on my gateway.
You need either Cyrus SASL or Dovecot for Postfix to enable SMTP AUTH.

You do NOT need Cyrus IMAP or other services

> 2nd: As far as I understand, there is an option to use SMTP auth for mail 
> submission only. Right?
>

You choose how you want to use it.
Many administrators enforce (require) SASL on the submission port (587)
as well as options to use TLS.

Brian



Re: SMTP Auth question

2011-11-30 Thread Brian Evans - Postfix List
On 11/30/2011 12:55 PM, Peter Tselios wrote:
> Hallo,
>
> I would like to enable SMTP authentication, as an optional feature for our
> users, but I have some questions before doing so.
> 1st: Is it possible to enable it without Cyrus or Dovecot? I do not want to
> install Cyrus or Dovecot on my gateway.
You need either Cyrus SASL or Dovecot for Postfix to enable SMTP AUTH.

You do NOT need Cyrus IMAP or other services

> 2nd: As far as I understand, there is an option to use SMTP auth for mail 
> submission only. Right?
>

You choose how you want to use it.
Many administrators enforce (require) SASL on the submission port (587)
as well as options to use TLS.

Brian


SMTP Auth question

2011-11-30 Thread Peter Tselios
Hallo,

I would like to enable SMTP authentication, as an optional feature for our
users, but I have some questions before doing so.
1st: Is it possible to enable it without Cyrus or Dovecot? I do not want to
install Cyrus or Dovecot on my gateway.
2nd: As far as I understand, there is an option to use SMTP auth for mail 
submission only. Right?

Thanks,
Peter


Re: How to obtain the message.ID from postfix?

2011-11-30 Thread Simone Caruso
> 
> what about speaking english in a public mailing-list instead switch
> the language inside a running thread?
> 
Sorry, I forgot to remove the list from 'Cc'; anyway, I translated only Wietse's and
Viktor's emails without adding anything.

-- 
Simone Caruso
IT Consultant
+39 349 65 90 805


Re: How to obtain the message.ID from postfix?

2011-11-30 Thread Reindl Harald


On 30.11.2011 11:39, Simone Caruso wrote:
>> Correct, Viktor.
>> Once I'm said the queue ID is useful, then useless, then useful again.
>> Now I know.
> I'll explain it to you in Italian: Viktor says to assign an ID at the
> APPLICATION level that is unique and makes a message traceable for you.
> 
> If you want a VALID ID to be assigned by Postfix, you must send through
> port 25; by contrast, you cannot rely on the ID returned by sendmail
> because it is temporary.
> 
> In short... use smtp.
> I hope I have clarified the matter for you.

what about speaking english in a public mailing-list instead switch
the language inside a running thread?





Re: How to obtain the message.ID from postfix?

2011-11-30 Thread Simone Caruso
On 28/11/2011 20:16, Vincenzo Romano wrote:
> 2011/11/28 Viktor Dukhovni :
>> On Mon, Nov 28, 2011 at 06:17:30PM +0100, Vincenzo Romano wrote:
>>
>>> 2011/11/28 Wietse Venema :
>>>> Vincenzo Romano:
>>>>> The point is that postfix/smtp is not logging the Message-ID along
>>>>> with the other details it logs.
>>>>> Is there a way to ask postfix/smtp to log also the Message-ID?
>>>>
>>>> If you submit over port 25, then the SMTP server provides the queue
>>>> ID in the end-of-data reply.
>>>>
>>>> When you search the maillog file for this queue ID, then you will
>>>> find the Message-ID which is logged by the cleanup server.
>>>
>>> I'm using the sendmail tool.
>>
>> To track messages submitted via Sendmail, give each message a
>> globally unique application-assigned Message-Id. That message-id
>> is logged by cleanup(8) and the corresponding queue-id correlates
>> this log message with the other log entries for the same message.
>>
>> It seems this question has been re-asked and re-answered many times,
>> I think it is time to stop.
> 
> Correct, Viktor.
> Once I'm said the queue ID is useful, then useless, then useful again.
> Now I know.
I'll explain it to you in Italian: Viktor says to assign an ID at the
APPLICATION level that is unique and makes a message traceable for you.

If you want a VALID ID to be assigned by Postfix, you must send through
port 25; by contrast, you cannot rely on the ID returned by sendmail
because it is temporary.

In short... use smtp.

I hope I have clarified the matter for you.



-- 
Simone Caruso
IT Consultant
+39 349 65 90 805
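
The log correlation described in this thread (use the queue ID to find the Message-ID that cleanup(8) logged) and the comparison made in the DSN thread above (whether postfix/bounce logged a local "sender delivery status notification"), as an added example that is not part of the original posts. The sample log lines, hosts and addresses are constructed, and the parser assumes short hexadecimal queue IDs.

```python
import re
from collections import defaultdict

# Constructed sample maillog (hosts, addresses and IDs are made up).
SAMPLE_LOG = """\
Nov 30 16:38:28 mx postfix/cleanup[18162]: 17F73CCFF: message-id=<app-0001@sender.example>
Nov 30 16:38:28 mx postfix/qmgr[16356]: 17F73CCFF: from=<a@sender.example>, size=785, nrcpt=1 (queue active)
Nov 30 16:38:30 mx postfix/smtp[18341]: 17F73CCFF: to=<b@nodsn.example>, relay=mx.nodsn.example[192.0.2.31]:25, delay=2.2, dsn=2.0.0, status=sent (250 ok)
Nov 30 16:38:30 mx postfix/bounce[18342]: 17F73CCFF: sender delivery status notification: 3827D74091
Nov 30 16:38:30 mx postfix/qmgr[16356]: 17F73CCFF: removed
Nov 30 16:39:19 mx postfix/cleanup[18162]: 78861CCFF: message-id=<app-0002@sender.example>
Nov 30 16:39:19 mx postfix/qmgr[16356]: 78861CCFF: from=<a@sender.example>, size=805, nrcpt=1 (queue active)
Nov 30 16:39:21 mx postfix/smtp[18341]: 78861CCFF: to=<c@dsn.example>, relay=mx.dsn.example[192.0.2.44]:25, delay=2.5, dsn=2.0.0, status=sent (250 +OK message queued for delivery.)
Nov 30 16:39:21 mx postfix/qmgr[16356]: 78861CCFF: removed
"""

# Assumption: short (hexadecimal) queue IDs, so words like "warning" never match.
LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{5,}): (?P<rest>.*)$")
DELIVERY = re.compile(r"to=<(?P<to>[^>]*)>, .*?relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+)")
NOTICE = re.compile(r"sender delivery status notification: (?P<dsn_qid>[0-9A-F]+)")


def correlate(log_text):
    """Group log lines by queue ID and pull out the tracking fields."""
    records = defaultdict(
        lambda: {"message_id": None, "deliveries": [], "local_dsn": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec, rest = records[m["qid"]], m["rest"]
        if m["svc"] == "cleanup" and rest.startswith("message-id="):
            rec["message_id"] = rest[len("message-id="):]
        elif m["svc"] == "smtp":
            d = DELIVERY.search(rest)
            if d:
                rec["deliveries"].append((d["to"], d["relay"], d["status"]))
        elif m["svc"] == "bounce":
            n = NOTICE.search(rest)
            if n:
                rec["local_dsn"] = n["dsn_qid"]  # queue ID of the DSN itself
    return dict(records)


def queue_ids_for(records, message_id):
    """Queue IDs whose cleanup line carried the given Message-ID."""
    return sorted(q for q, r in records.items() if r["message_id"] == message_id)


def sent_without_local_dsn(records):
    """Delivered messages for which this host generated no success DSN."""
    return sorted(q for q, r in records.items()
                  if r["local_dsn"] is None
                  and any(status == "sent" for _, _, status in r["deliveries"]))


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    print(queue_ids_for(recs, "<app-0002@sender.example>"))
    print(sent_without_local_dsn(recs))
```

A queue ID listed by `sent_without_local_dsn` only points at a delegated notification when the sender actually requested a success DSN, which the log lines themselves do not show.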