Re: alias map size limit
On 2011-12-30 08:18, Goutam Baul wrote:

Dear List, Is there any performance related or other concerns if I try to send mail to a group containing thousands of users (say 8000) using the alias map? In case we want to use alias map for this, then which type of db we should use? With regards, Goutam

There will be no performance issues per se, apart from the fact that postfix will have to explode one message into 8000 at once.

If you're determined to do this, I would suggest at least 2 levels of alias, with the first expanding to a few dozen groups, and each group expanding to a few hundred addresses. You will have better control that way.

Also, I would use virtual_alias_maps instead of just the local aliases, since it is much more flexible.

However, a mailing list manager (MLM) is obviously the better choice for this.

-- J.
Re: hotmail rate limit
On Fri, Dec 30, 2011 at 12:40 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

* DN Singh dnsingh@gmail.com:

So Ralf, with a score of 99 with ReturnPath, what is the maximum delivery that you have got to hotmail in a single day?

on mail.python.org for the last week:

2554 28th
3764 27th
3445 26th
3011 25th
2263 24th
3557 23rd
4279 22nd

-- Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de

This kind of volume is not very high, and should cause no problem with Hotmail. Helder, what kind of, and how much volume are you sending, to cause problems?
ldap managed configurable mail forward solution for non-local users
Hi,

I have a mail store server which is not an open source software and I can't modify its internals (neither it supports the feature I have to implement). However there is the project now that every mail user can set forward address (or even addresses - it's possible to give more forward addresses) with or without the local copy option (which means: original rcpt will receive it too, without local copy means that original rcpt will not get the mail, only it's forwarded to the address/addresses specified by the mail forward setting(s)). Since the mail store server does not support this feature (and I can't just replace it) I want to do this on a postfix before it: all incoming/outbound mails are relayed through it anyway, so maybe it's a good place to do it. Mail users, all parameters etc are stored in LDAP.

How can I do this with postfix? I've tried to figure out myself, without too much success. As far as I understand, postfix's alias mechanism is about the local delivery which is not my case. Rcpt based bcc map seems to be OK, but still I can't really understand how I can configure the local copy / there is no local copy setting. I guess I can create a config to use rcpt based bcc map, and discard the original rcpt address if no local copy is wanted. However it seems to be a bit hackish for me. I can also imagine the usage of address rewriting. There are lots of possibilities (at least for me) so I can't really see what I should read further to learn more about the implementation details: what I should use at all.

Also, as far as I can see I can have difficulties with odd ideas of some users to forward mail to another user which is also forwarded ... Eh. Maybe this case can't be handled too well, and it's open to create ugly mail loops, but the other systems (where I want to migrate users from) have this feature as well, and it seems it's used by some users.

Can someone suggest a configuration for postfix to implement this?

Thanks in advance (and happy new year soon, btw).

- Gábor
Re: ldap managed configurable mail forward solution for non-local users
On Fri, 30 Dec 2011 14:01:52 +0100 Gábor Lénárt articulated:

I have a mail store server which is not an open source software and I can't modify its internals (neither it supports the feature I have to implement).

I cannot speak for others; however, I feel I could be of more assistance to you if I actually knew what this mail store server, version, etcetera actually was. I fail to see the reason or logic behind the secrecy.

-- Jerry ✌ postfix-u...@seibercom.net
Re: ldap managed configurable mail forward solution for non-local users
On Fri, Dec 30, 2011 at 08:12:59AM -0500, Jerry wrote:

On Fri, 30 Dec 2011 14:01:52 +0100 Gábor Lénárt articulated:

I have a mail store server which is not an open source software and I can't modify its internals (neither it supports the feature I have to implement).

I cannot speak for others; however, I feel I could be of more assistance to you if I actually knew what this mail store server, version, etcetera actually was. I fail to see the reason or logic behind the secrecy.

The key of my idea: I don't even bother mail store server even if I am able to. The reason: why I have to give load to the mail store server to pass mails there which will be forwarded then back, if I can do the forward step before it, and save an extra round? Anyway, mail store server is even have too much load, since it also had POP3, IMAP, webmail tasks. So I only want to pass mails there which is really stored then, mails to be forwarded is not the case.

There is no secrecy here :) actually it's CGP now, but planned to be replaced with PowerMail, as a mail store server does not need to do anything other just accept mails which can be stored locally then (as far as I know PowerMail does not even have queue, for example). No mail forwarding, etc. The reason I haven't mentioned the software for doing mail store server, since it's out of scope of the question as I want to resolve the forward issue before it, so it's not part of the topic too much. But I gave you more details anyway, since you thought it's a secret or so :)
Re: ldap managed configurable mail forward solution for non-local users
On 2011-12-30 14:52, Gábor Lénárt wrote:

On Fri, Dec 30, 2011 at 08:12:59AM -0500, Jerry wrote:

On Fri, 30 Dec 2011 14:01:52 +0100 Gábor Lénárt articulated:

I have a mail store server which is not an open source software and I can't modify its internals (neither it supports the feature I have to implement).

I cannot speak for others; however, I feel I could be of more assistance to you if I actually knew what this mail store server, version, etcetera actually was. I fail to see the reason or logic behind the secrecy.

The key of my idea: I don't even bother mail store server even if I am able to. The reason: why I have to give load to the mail store server to pass mails there which will be forwarded then back, if I can do the forward step before it, and save an extra round? Anyway, mail store server is even have too much load, since it also had POP3, IMAP, webmail tasks. So I only want to pass mails there which is really stored then, mails to be forwarded is not the case.

There is no secrecy here :) actually it's CGP now, but planned to be replaced with PowerMail, as a mail store server does not need to do anything other just accept mails which can be stored locally then (as far as I know PowerMail does not even have queue, for example).

If the mail store doesn't queue messages, then there is already a real SMTP server in front of it.

I am confused as to what your actual question is.

-- J.
Re: ldap managed configurable mail forward solution for non-local users
On Fri, Dec 30, 2011 at 03:01:03PM +0100, Jeroen Geilman wrote:

The key of my idea: I don't even bother mail store server even if I am able to. The reason: why I have to give load to the mail store server to pass mails there which will be forwarded then back, if I can do the forward step before it, and save an extra round? Anyway, mail store server is even have too much load, since it also had POP3, IMAP, webmail tasks. So I only want to pass mails there which is really stored then, mails to be forwarded is not the case.

There is no secrecy here :) actually it's CGP now, but planned to be replaced with PowerMail, as a mail store server does not need to do anything other just accept mails which can be stored locally then (as far as I know PowerMail does not even have queue, for example).

If the mail store doesn't queue messages, then there is already a real SMTP server in front of it.

Yes. That SMTP server is postfix, where I want to implement the forwarding as I told.

I am confused as to what your actual question is.

My question is about implementing mail forwarding with forward address/addresses set by LDAP also with an option to have copy at the original rcpt or no. I am only confused because aliases mechanism which would be OK for this purpose (I guess) can't be used since these users are not local to me: I still have to send it with SMTP to the mail store server. In the LDAP structure I have a transport maps so it's not a problem: I know which domains should be sent to the mail store server, and which ones to be delivered as is, based on DNS MX.
Re: ldap managed configurable mail forward solution for non-local users
Gábor Lénárt:

implement). However there is the project now that every mail user can set forward address (or even addresses - it's possible to give more forward addresses) with or without the local copy option (which means: original rcpt will receive it too, without local copy means that original rcpt will not get the mail, only it's forwarded to the address/addresses specified by the mail forward setting(s)). Since the mail store server does not support this feature (and I can't just replace it) I want to do this on a postfix before it: all incoming/outbound mails are relayed through it anyway, so maybe it's a good place to do it. Mail users, all parameters etc

This is easily done with Postfix virtual_alias_maps (NOT: virtual_alias_domains).

If the user wants a local copy:

    Search string       Lookup result
    u...@example.com  - u...@example.com, xxx@yyy.example

If the user wants no local copy:

    Search string       Lookup result
    u...@example.com  - xxx@yyy.example, yyy@zzz.example

In tests with the postmap command, Search string is what you give to the postmap -q option, and Lookup result is what you should see as postmap command output.

Wietse
Re: ldap managed configurable mail forward solution for non-local users
Wietse Venema:

Gábor Lénárt:

implement). However there is the project now that every mail user can set forward address (or even addresses - it's possible to give more forward addresses) with or without the local copy option (which means: original rcpt will receive it too, without local copy means that original rcpt will not get the mail, only it's forwarded to the address/addresses specified by the mail forward setting(s)). Since the mail store server does not support this feature (and I can't just replace it) I want to do this on a postfix before it: all incoming/outbound mails are relayed through it anyway, so maybe it's a good place to do it. Mail users, all parameters etc

This is easily done with Postfix virtual_alias_maps (NOT: virtual_alias_domains).

If the user wants a local copy:

    Search string       Lookup result
    u...@example.com  - u...@example.com, xxx@yyy.example

If the user wants no local copy:

    Search string       Lookup result
    u...@example.com  - xxx@yyy.example, yyy@zzz.example

In tests with the postmap command, Search string is what you give to the postmap -q option, and Lookup result is what you should see as postmap command output.

Note: this has no effect when one user on the mail store server can send mail directly (i.e. not through Postfix) to other users on the same mail store server.

Wietse
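[Added example, not part of the thread and not code from any poster or from Postfix: a sketch that turns per-user forward settings into the two kinds of virtual_alias_maps entries shown above and flags the user-to-user forwarding loops raised in the original question. The record fields ("mail", "forward", "local_copy") and all addresses are constructed assumptions; it does not query LDAP.]

```python
"""Added example: virtual_alias_maps entries with and without a local copy."""

# Constructed records standing in for LDAP entries. The field names
# ("mail", "forward", "local_copy") are assumptions, not a real schema.
SAMPLE_USERS = [
    {"mail": "alice@example.com", "forward": ["alice@elsewhere.example"], "local_copy": True},
    {"mail": "bob@example.com", "forward": ["carol@example.com"], "local_copy": False},
    {"mail": "carol@example.com", "forward": ["bob@example.com"], "local_copy": False},
    {"mail": "dave@example.com", "forward": [], "local_copy": True},
    {"mail": "erin@example.com", "forward": ["alice@example.com", "erin@other.example"],
     "local_copy": False},
]


def build_alias_map(users):
    """Return {search string: [lookup result addresses]}."""
    table = {}
    for user in users:
        addr = user["mail"].lower()
        # De-duplicate forward targets while keeping their order.
        targets = list(dict.fromkeys(t.lower() for t in user["forward"]))
        if not targets:
            continue  # no forward set: no entry, mail goes to the store as usual
        if user["local_copy"] and addr not in targets:
            targets.insert(0, addr)  # local copy: the address maps to itself too
        table[addr] = targets
    return table


def render(table):
    """Render the table as 'search string<TAB>lookup result' lines."""
    return "".join(f"{key}\t{', '.join(value)}\n" for key, value in sorted(table.items()))


def expand(addr, table):
    """Follow forwards recursively; return the addresses that finally receive mail."""
    finals, seen, stack = set(), set(), [addr]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        targets = table.get(current)
        if targets is None:
            finals.add(current)  # no entry: delivered as addressed
            continue
        for target in targets:
            if target == current:
                finals.add(current)  # self-reference is the local copy
            else:
                stack.append(target)
    return finals


def find_cycles(table):
    """Return forwarding loops between users (self-references are not loops)."""
    cycles, state = [], {}

    def visit(addr, path):
        state[addr] = "visiting"
        path.append(addr)
        for target in table.get(addr, []):
            if target == addr:
                continue
            if state.get(target) == "visiting":
                cycles.append(path[path.index(target):] + [target])
            elif target not in state:
                visit(target, path)
        path.pop()
        state[addr] = "done"

    for addr in sorted(table):
        if addr not in state:
            visit(addr, [])
    return cycles


if __name__ == "__main__":
    alias_table = build_alias_map(SAMPLE_USERS)
    print(render(alias_table), end="")
    for loop in find_cycles(alias_table):
        print("forwarding loop:", " -> ".join(loop))
    for key in sorted(alias_table):
        if not expand(key, alias_table):
            print("no final recipient for:", key)
```

[Each rendered line can be compared against what postmap -q returns for the same search string, as described in the message above.]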
sender delivery status notification not working
Hello,

* DSN (sender delivery status notification) does not work on my box running postfix.
* the version of postfix on the non working box is postfix-2.8.7-1
  In Mozilla Thunderbird write message -- options -- Delivery Status Notification
* Read this didn't help much http://www.postfix.org/DSN_README.html
* The qmgr should pass the message to bounce daemon to send the DSN to the sender but this does not happen.

Dec 28 08:39:49 outbound1 postfix/smtpd[30112]: 7287E8F10BE: client=unknown[], sasl_method=PLAIN, sasl_username=x...@.com
Dec 28 08:39:50 outbound1 postfix/smtpd[30112]: 7287E8F10BE: filter: END-OF-MESSAGE from unknown[]: x...@.com: Sender address triggers FILTER XX-:; from=x...@.com to= x...@gmail.com proto=ESMTP helo=[172.16.137.158]
Dec 28 08:39:50 outbound1 postfix/cleanup[11391]: 7287E8F10BE: message-id=4efb1cef.3090...@.com
Dec 28 08:39:50 outbound1 ct-milter[19914]: queueid=7287E8F10BE
Dec 28 08:39:50 outbound1 ct-milter[19914]: [ASVOD] IP: , Sender(Auth): .com(.com), Spam: Unknown, VOD: Unknown, RefID: str=0001.0A020208.4EFB1C26.0011,ss=1,re=0.000,fgs=0, Action: tag, QueueId: 7287E8F10BE
Dec 28 08:39:50 outbound1 postfix/qmgr[25269]: 7287E8F10BE: from=.com, size=669, nrcpt=1 (queue active)
Dec 28 08:39:50 outbound1 postfix-smtp4/smtp[16777]: 7287E8F10BE: to= x...@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.157.26]:25, delay=1.5, delays=0.96/0/0.09/0.45, dsn=2.0.0, status=sent (250 2.0.0 OK 1325079590 v46si4631651yhl.53)
Dec 28 08:39:50 outbound1 postfix/qmgr[25269]: 7287E8F10BE: removed

* postconf output

---snip---
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
---snip---

TIA,
Re: sender delivery status notification not working
pritam raote:

Hello,
* DSN (sender delivery status notification) does not work on my box running postfix.
* the version of postfix on the non working box is postfix-2.8.7-1

DSN works only if:

1 - The POSTFIX SMTP server sends the DSN announcement to the REMOTE SMTP client.

2 - The REMOTE SMTP client (Thunderbird) requests DSN support.

To find out if (1) and (2) happen, you need to report the SMTP commands and replies between the POSTFIX SMTP server and the REMOTE SMTP client (Thunderbird). You can anonymize the email address.

http://www.postfix.org/DEBUG_README.html#mail

Wietse
Re: ldap managed configurable mail forward solution for non-local users
On Fri, Dec 30, 2011 at 09:27:08AM -0500, Wietse Venema wrote:

This is easily done with Postfix virtual_alias_maps (NOT: virtual_alias_domains).

If the user wants a local copy:

    Search string       Lookup result
    u...@example.com  - u...@example.com, xxx@yyy.example

If the user wants no local copy:

    Search string       Lookup result
    u...@example.com  - xxx@yyy.example, yyy@zzz.example

In tests with the postmap command, Search string is what you give to the postmap -q option, and Lookup result is what you should see as postmap command output.

Note: this has no effect when one user on the mail store server can send mail directly (i.e. not through Postfix) to other users on the same mail store server.

Ok, thanks. Well no worries here, as mail store server really does not send anything, it just store, mail submission is done on another server (from outside it seems that all of the services are on a single IP, but behind the firewall this is not the case, and mail submission is done on another server, separated from mail store, which does only serve POP3/IMAP from the user's point of view).

Thanks again.
Re: I'm an open relay some how
On 12/30/2011 10:17 AM, Gary Smith wrote:

I've been administering the same postfix server for years so I'm a little confused as to how this happened. Granted postfix hasn't been updated in a year or so. This morning I came in to a mailq of over 93000 messages all destined to @yahoo.com.tw

For now I'm just blocking all email destined for this domain but I would really like to find out what happened.

I haven't changed my main.cf file for over a year. I can post it if needed.

Are you an open relay or did one of your user accounts get hacked. I'd check the envelope of one of the messages, cross that with where it originated and go from there. Just a shoot from the hip guess with little information.

I'm pretty sure. I'm watching the connections coming in and they are from external IP addresses. A who is shows them as being from south America and Europe.

-- Stephen Atkins
Information Systems
Resorts of the Canadian Rockies INC.
http://www.skircr.com
satk...@skircr.com
Voice: (403) 209-3367 Cell: (403) 510-8333 Fax: (403) 244-3774
Re: SSL/TLS suddenly stopped working for postfix
On 12/30/2011 10:53 AM, Mark wrote:

My apologies for the cross-posting but I believe it is relevant.

I have been running postfix for 8+ months without problems. Recently ( a week or two) I had a user complain that he could no longer send. It appears that postfix is no longer accepting SSL/TLS connections. STARTTLS is working on port 587 (and possibly 25, still testing) I am trying to figure out why the change.

If I try and open an openssl connection manually, this is what I get:

openssl s_client -connect mail.myServer.net:587
CONNECTED(0003)
44829:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:

Wrong command. Use:

openssl s_client -starttls smtp -connect host.example.com:587

If you need more help, please see http://www.postfix.org/DEBUG_README.html#mail and no more cross posting.

-- Noel Jones
Re: I'm an open relay some how
On 30.12.2011 18:19, Stephen Atkins wrote:

On 12/30/2011 10:17 AM, Gary Smith wrote:

I've been administering the same postfix server for years so I'm a little confused as to how this happened. Granted postfix hasn't been updated in a year or so. This morning I came in to a mailq of over 93000 messages all destined to @yahoo.com.tw

For now I'm just blocking all email destined for this domain but I would really like to find out what happened.

I haven't changed my main.cf file for over a year. I can post it if needed.

if you are really an open relay this is idiotic and the only solution is fix it or stop the service!

I'm pretty sure. I'm watching the connections coming in and they are from external IP addresses. A who is shows them as being from south America and Europe.

without providing logs nobody can help you
however pretty sure does mean nothing
you/we need a COMPLETE log-part of a message from connection to relay

* you do not show logs
* you do not provide postconf-n

you simply provide nothing
what help do you expect with no informations?
Re: I'm an open relay some how
On 12/30/2011 11:19 AM, Stephen Atkins wrote:

On 12/30/2011 10:17 AM, Gary Smith wrote:

I've been administering the same postfix server for years so I'm a little confused as to how this happened. Granted postfix hasn't been updated in a year or so. This morning I came in to a mailq of over 93000 messages all destined to @yahoo.com.tw

For now I'm just blocking all email destined for this domain but I would really like to find out what happened.

I haven't changed my main.cf file for over a year. I can post it if needed.

Are you an open relay or did one of your user accounts get hacked. I'd check the envelope of one of the messages, cross that with where it originated and go from there. Just a shoot from the hip guess with little information.

I'm pretty sure. I'm watching the connections coming in and they are from external IP addresses. A who is shows them as being from south America and Europe.

Show all the postfix logging for one of the suspect transactions. Show your postconf -n output.

http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones
Re: I'm an open relay some how
On 12/30/2011 10:19 AM, Stephen Atkins wrote:

On 12/30/2011 10:17 AM, Gary Smith wrote:

I've been administering the same postfix server for years so I'm a little confused as to how this happened. Granted postfix hasn't been updated in a year or so. This morning I came in to a mailq of over 93000 messages all destined to @yahoo.com.tw

For now I'm just blocking all email destined for this domain but I would really like to find out what happened.

I haven't changed my main.cf file for over a year. I can post it if needed.

Are you an open relay or did one of your user accounts get hacked. I'd check the envelope of one of the messages, cross that with where it originated and go from there. Just a shoot from the hip guess with little information.

I'm pretty sure. I'm watching the connections coming in and they are from external IP addresses. A who is shows them as being from south America and Europe.

Okay sorry now that I look a little more closely at the messages coming in, it seems they are using postmaster@ my domain to send from. So sorry for the inconvenience. Looks like I just have to fix that.

Here's the log of a couple:

Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from unknown[113.94.89.26]: 554 5.7.1 sglo...@yahoo.com.tw: Recipient address rejected: 521; from=postmas...@skircr.com to=sglo...@yahoo.com.tw proto=ESMTP helo=nsizfwnsj
Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from unknown[113.94.89.26]: 554 5.7.1 kiven9992...@yahoo.com.tw: Recipient address rejected: 521; from=postmas...@skircr.com to=kiven9992...@yahoo.com.tw proto=ESMTP helo=nsizfwnsj

-- Stephen Atkins
Re: I'm an open relay some how
On 12/30/2011 10:26 AM, Noel Jones wrote:

On 12/30/2011 11:19 AM, Stephen Atkins wrote:

On 12/30/2011 10:17 AM, Gary Smith wrote:

I've been administering the same postfix server for years so I'm a little confused as to how this happened. Granted postfix hasn't been updated in a year or so. This morning I came in to a mailq of over 93000 messages all destined to @yahoo.com.tw

For now I'm just blocking all email destined for this domain but I would really like to find out what happened.

I haven't changed my main.cf file for over a year. I can post it if needed.

Are you an open relay or did one of your user accounts get hacked. I'd check the envelope of one of the messages, cross that with where it originated and go from there. Just a shoot from the hip guess with little information.

I'm pretty sure. I'm watching the connections coming in and they are from external IP addresses. A who is shows them as being from south America and Europe.

Show all the postfix logging for one of the suspect transactions. Show your postconf -n output.

http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones

Here is the output of my postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases hash:/etc/postfix/majordomo/majoraliases
allow_untrusted_routing = no
bounce_queue_lifetime = 2h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
in_flow_delay = 5s
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 26214400
mydestination = localhost.localdomain, localhost, mta1.rcr.inc mta2.rcr.inc, ridelouise.com, canadiarockiessummer.com, rcr.west rcr.inc
mydomain = skircr.com
myhostname = smtp.skircr.com
mynetworks = 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 209.91.64.21, 127.0.0.0/8, 10.0.100.0/24, 10.0.6.0/24, 192.168.10.0/24, 192.168.80.0/23, 192.168.142.0/24, 216.133.52.45, 216.113.43.184, 192.168.143.0/24, 69.70.230.206, 207.96.243.24, 207.96.243.25, 24.37.1.234, 10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.0.11/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_name = skircr.com
smtpd_banner = $myhostname ESMTP $mail_name. We block/report all spam/spammers.
smtpd_client_restrictions = permit_mynetworks
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit
smtpd_recipient_restrictions = hash:/etc/postfix/access, check_client_access hash:/etc/postfix/client_checks, check_recipient_access hash:/etc/postfix/sender_checks, check_sender_access hash:/etc/postfix/sender_checks, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, check_client_access cidr:/etc/postfix/dnswl-header, check_client_access cidr:/etc/postfix/dnswl-permit, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client zen.spamhaus.org, reject_rbl_client combined.njabl.org, reject_rbl_client dbl.spamhaus.org, check_policy_service inet:127.0.0.1:6, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access, check_client_access hash:/etc/postfix/client_checks, check_sender_access hash:/etc/postfix/sender_checks, permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, permit
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:119
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 109
virtual_transport = virtual
virtual_uid_maps = static:109

-- Stephen Atkins Information Systems Resorts of
RE: I'm an open relay some how
Without knowing for sure I would say that one of your accounts has been compromised and is being used to send out spam. Look at your messages on the postfix queue, usually under /var/spool/postfix. Use the strings command to search through the queued email and look for common patterns like the same username, from address etc and determine the problem that way.

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Stephen Atkins
Sent: Friday, December 30, 2011 12:31 PM
To: postfix users
Cc: Noel Jones
Subject: Re: I'm an open relay some how

On 12/30/2011 10:26 AM, Noel Jones wrote:

On 12/30/2011 11:19 AM, Stephen Atkins wrote:

On 12/30/2011 10:17 AM, Gary Smith wrote:

I've been administering the same postfix server for years so I'm a little confused as to how this happened. Granted postfix hasn't been updated in a year or so. This morning I came in to a mailq of over 93000 messages all destined to @yahoo.com.tw

For now I'm just blocking all email destined for this domain but I would really like to find out what happened.

I haven't changed my main.cf file for over a year. I can post it if needed.

Are you an open relay or did one of your user accounts get hacked. I'd check the envelope of one of the messages, cross that with where it originated and go from there. Just a shoot from the hip guess with little information.

I'm pretty sure. I'm watching the connections coming in and they are from external IP addresses. A who is shows them as being from south America and Europe.

Show all the postfix logging for one of the suspect transactions. Show your postconf -n output.
Re: I'm an open relay some how
Stephen Atkins:

sorry for the inconvenience. Looks like I just have to fix that.

Here's the log of a couple:

Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from unknown[113.94.89.26]: 554 5.7.1 sglo...@yahoo.com.tw: Recipient address rejected: 521; from=postmas...@skircr.com to=sglo...@yahoo.com.tw proto=ESMTP helo=nsizfwnsj
Dec 30 10:29:02 mta5 postfix/smtpd[3679]: E6F13186001: reject: RCPT from unknown[113.94.89.26]: 554 5.7.1 kiven9992...@yahoo.com.tw: Recipient address rejected: 521; from=postmas...@skircr.com to=kiven9992...@yahoo.com.tw proto=ESMTP helo=nsizfwnsj

Show evidence that Postfix RELAYS the mail.

Wietse
[no subject]
I know I don't have a backscatter problem.
Error, Retry, Discard Required?
Hi, Couldn't find any clear answers to this question anywhere in the documentation. I'm not specifically referencing the error, retry or discard transports. Can I keep them commented out in master.cf? Are they used internally? Cheers, Sabahattin
Re: Error, Retry, Discard Required?
* Sabahattin Gucukoglu m...@sabahattin-gucukoglu.com:

Hi, Couldn't find any clear answers to this question anywhere in the documentation.

man 8 error

I'm not specifically referencing the error, retry or discard transports.

You're not? (typo?)

Can I keep them commented out in master.cf? Are they used internally?

You need the error and retry transports. The discard transport is only used when discarding mail, e.g. using transport_maps:

some@address discard:

-- Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: I'm an open relay some how
On Fri, Dec 30, 2011 at 12:51:27PM -0600, Noel Jones wrote:
> These are rejected and not useful to our discussion. Please show ALL the postfix logging of a suspect transaction that makes it to your queue. In particular, we want to see if there is a sasl_username= line logged for a suspicious QUEUEID.

Stephen, you say that you have a lot of mail in the queue. I suppose you use `mailq` to see that? You need to take the queue ID of a suspect mail from there, grep /var/log/maillog for that, and send us the output.

HTH
Re: I'm an open relay some how
On Friday 30 December 2011 14:46:46 Lorens Kockum wrote:
> On Fri, Dec 30, 2011 at 12:51:27PM -0600, Noel Jones wrote:
> > These are rejected and not useful to our discussion. Please show ALL the postfix logging of a suspect transaction that makes it to your queue. In particular, we want to see if there is a sasl_username= line logged for a suspicious QUEUEID.
>
> Stephen, you say that you have a lot of mail in the queue. I suppose you use `mailq` to see that? You need to take the queue ID of a suspect mail from there, grep /var/log/maillog for that, and send us the output.

Specifically, we would be most interested in how the message first entered the queue. Arrival via smtpd(8) means you (Stephen) have an access maps problem, or, as Noel surmised, exploited SASL user credentials. Arrival via pickup(8) means you have some other kind of exploit, such as a compromised HTTP-PHP script.

I'll also take this opportunity to nitpick in some ways that Noel spared you. :)

> smtpd_recipient_restrictions = hash:/etc/postfix/access,

access is a terrible name for an access lookup, believe it or not! And here you are using it as an implied check_recipient_access lookup, which as Noel pointed out, should not be done. What is this lookup doing? (Do you know?)

> check_client_access hash:/etc/postfix/client_checks,

This one is named appropriately, but possibly not *used* in a safe, reasonable manner. What is this one doing?

> check_recipient_access hash:/etc/postfix/sender_checks,
> check_sender_access hash:/etc/postfix/sender_checks,

Same file, named sender_checks, being used for both sender and recipient lookups? That might be reasonable, but sender_checks is not a good name in that case.

In general, check_sender_access is not a good tool. Sure, it does exactly what it claims to do, but most spam has forged sender addresses. Therefore check_sender_access is reasonable neither for whitelisting nor for blacklisting.

My bet is on this file; you have done something in sender_checks that you should not have done.

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
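
The triage asked for in the messages above (find how a queue ID first entered the queue, and whether a sasl_username was logged), as an added example that is not part of the original thread. The log lines are constructed in the usual Postfix syslog layout with short hexadecimal queue IDs; `SAMPLE_LOG` and `entry_points` are names chosen for this example.

```python
import re

# Constructed sample lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 30 10:29:02 mta5 postfix/smtpd[3679]: 7C8D9E0F1A: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <a@example.invalid>: Recipient address rejected
Dec 30 10:31:07 mta5 postfix/smtpd[3701]: 4A1B2C3D4E: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=jdoe
Dec 30 10:31:08 mta5 postfix/qmgr[2210]: 4A1B2C3D4E: from=<x@example.invalid>, size=2048, nrcpt=40 (queue active)
Dec 30 10:32:15 mta5 postfix/pickup[3650]: 5F6A7B8C9D: uid=33 from=<www-data>
Dec 30 10:33:40 mta5 postfix/smtpd[3710]: 6B7C8D9E0F: client=unknown[198.51.100.7]
"""

# Only smtpd(8) and pickup(8) records can be the point of entry.
LINE = re.compile(
    r"postfix/(?P<daemon>smtpd|pickup)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)"
)

def entry_points(log_text):
    """Map each queue ID to (daemon, description) for its first entry record."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["qid"] in seen:
            continue
        rest = m["rest"]
        if m["daemon"] == "pickup":
            # Local submission, e.g. a script calling sendmail(1).
            uid = re.search(r"uid=(\d+)", rest)
            seen[m["qid"]] = ("pickup", f"local submission, uid={uid[1] if uid else '?'}")
        elif rest.startswith("client="):
            client = re.match(r"client=([^,\s]+)", rest)[1]
            user = re.search(r"sasl_username=(\S+)", rest)
            if user:
                seen[m["qid"]] = ("smtpd", f"SASL user {user[1]} from {client}")
            else:
                seen[m["qid"]] = ("smtpd", f"unauthenticated client {client}")
        # "reject:" records are skipped: rejected mail never entered the queue.
    return seen

if __name__ == "__main__":
    for qid, (daemon, how) in entry_points(SAMPLE_LOG).items():
        print(qid, daemon, how)
```

An unauthenticated smtpd entry from outside mynetworks points at the access maps, a SASL entry at the named account, and a pickup entry at whatever local process runs under that uid.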
Re: Relay for many local systems, but restrict internet forwarding?
On 2011-12-30 20:33, Lee Roth wrote:
> Currently, we have a Postfix V2.4.5 server

That is quite old; consider upgrading to at least one of the current 2.8 branches.

> with no local accounts receiving email. We permit internal, local systems to freely use the system as a relay:
> smtpd_client_restrictions = permit_mynetworks, reject permit_mynetworks

Is this a typo/copy-o, or is this really in your main .cf ?

> mynetworks = 127.0.0.0/8, 295.283.0.0/16, 10.0.0.0/8
> (internal subnet obviously obfuscated)

Obviously not, since those are private IP ranges and hence they do not NEED obfuscation.

> In our transport_maps file:
> ourdomain.org: .ourdomain.org : * smtp:[firewall.ourdomain.org]
>
> Ok, now management has asked us to restrict the flow of outbound email (i.e. to the internet) to only selected systems, based on their IP addresses. I'm looking for a general suggestion of how I can implement this selective permit of only certain systems to have emails forwarded out to the internet, with the rest of the systems still able to send email internally via the Postfix-based mail gateway machine.

You want to selectively allow certain internal source IPs to be able to send mail to the outside world ?

smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/allow_out,
    reject_unauth_destination,
    permit

and in /etc/postfix/allow_out:

permitted.IP OK
other.permitted.IP OK
permitted.IP/range OK

The reject_unauth_destination check AFTER the client access check yielded no positive OK or REJECT means that any other internal or external clients can only send mail to authorized destinations, i.e., recipients/domains postfix controls mail for.

> BTW, there is a single network connection on the Postfix box - dual path isn't feasible at this time. Is *sender_dependent_relayhost_maps* my proper starting point for investigation experimentation?

Hell no, that's way too complicated. Why do you have transport_maps at all here ? if (.)ourdomain.org is in mydestination or virtual_mailbox_domains, it will never be sent over smtp to begin with.

--
J.
Re: Error, Retry, Discard Required?
Sabahattin Gucukoglu:
> Hi, Couldn't find any clear answers to this question anywhere in the documentation. I'm not specifically referencing the error, retry or discard transports. Can I keep them commented out in master.cf? Are they used internally?

Postfix uses error and retry when it can't deliver mail. discard is like /dev/null - you can try to remove it but someone (and that may be you a year from now) will hate you for it.

Wietse
Re:
On 30.12.2011 20:59, Al Zick wrote:
> I know I don't have a backscatter problem.

but you have many other problems sending such a phrase without context and subject to a mailing-list

what did you want to tell us?
Re: I'm an open relay some how
Stephen Atkins:
> So it turns out my replacement while I was on vacation modified my main.cf. I went back to a backup I have a few weeks ago and changed it back. Now I don't have that problem any more. What it came down to was check_relay_domains had been removed for some reason.

Use permit_mynetworks, reject_unauth_destination instead of check_relay_domains. I am about to remove check_relay_domains from Postfix.

Wietse
Re: I'm an open relay some how
On 12/30/2011 3:59 PM, Wietse Venema wrote:
> Stephen Atkins:
> > So it turns out my replacement while I was on vacation modified my main.cf. I went back to a backup I have a few weeks ago and changed it back. Now I don't have that problem any more. What it came down to was check_relay_domains had been removed for some reason.
>
> Use permit_mynetworks, reject_unauth_destination instead of check_relay_domains. I am about to remove check_relay_domains from Postfix.

Thanks. I see that in the log file now. I will remove it as reject_unauth_destination is also in there.

--
Stephen Atkins
Re: I'm an open relay some how
Stephen Atkins:
> On 12/30/2011 3:59 PM, Wietse Venema wrote:
> > Stephen Atkins:
> > > So it turns out my replacement while I was on vacation modified my main.cf. I went back to a backup I have a few weeks ago and changed it back. Now I don't have that problem any more. What it came down to was check_relay_domains had been removed for some reason.
> >
> > Use permit_mynetworks, reject_unauth_destination instead of check_relay_domains. I am about to remove check_relay_domains from Postfix.
>
> Thanks. I see that in the log file now. I will remove it as reject_unauth_destination is also in there.

No, you need to replace the check_relay_domains AT THE BEGINNING of smtpd_recipient_restrictions by permit_mynetworks, reject_unauth_destination AT THE BEGINNING of smtpd_recipient_restrictions otherwise you are at risk of becoming an open relay again.

Wietse
Re: I'm an open relay some how
On 12/30/2011 4:11 PM, Wietse Venema wrote:
> Stephen Atkins:
> > On 12/30/2011 3:59 PM, Wietse Venema wrote:
> > > Stephen Atkins:
> > > > So it turns out my replacement while I was on vacation modified my main.cf. I went back to a backup I have a few weeks ago and changed it back. Now I don't have that problem any more. What it came down to was check_relay_domains had been removed for some reason.
> > >
> > > Use permit_mynetworks, reject_unauth_destination instead of check_relay_domains. I am about to remove check_relay_domains from Postfix.
> >
> > Thanks. I see that in the log file now. I will remove it as reject_unauth_destination is also in there.
>
> No, you need to replace the check_relay_domains AT THE BEGINNING of smtpd_recipient_restrictions by permit_mynetworks, reject_unauth_destination AT THE BEGINNING of smtpd_recipient_restrictions otherwise you are at risk of becoming an open relay again.

So is this valid or bad?

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,

if not where should the permit_sasl_authenticated go?

--
Stephen Atkins
Information Systems
Resorts of the Canadian Rockies INC.
http://www.skircr.com
satk...@skircr.com
Voice: (403) 209-3367
Cell: (403) 510-8333
Fax: (403) 244-3774
Re: I'm an open relay some how
Stephen Atkins:
> So is this valid or bad?
>
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,

This is safe. When you put the access table lookups after these, then you can't become an open relay.

Wietse
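
The ordering rule from this thread, written as a check over a smtpd_recipient_restrictions value (an added example, not code from the thread or from Postfix). It assumes that any access-table lookup or bare permit reached before reject_unauth_destination is worth flagging, since an OK result there permits the recipient; the function names and the `<implied lookup>` label are this example's own.

```python
import re

# Restrictions whose next token is their argument (table, service or DNS zone).
ARG_PREFIXES = ("check_", "reject_rbl_client", "reject_rhsbl_")

# The list as posted earlier in the thread, up to the relay check.
POSTED = """hash:/etc/postfix/access,
 check_client_access hash:/etc/postfix/client_checks,
 check_recipient_access hash:/etc/postfix/sender_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient,
 reject_unknown_recipient_domain, reject_unauth_destination"""

# The order confirmed as safe in the thread, with one lookup placed after it.
SAFE = """permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
 check_client_access hash:/etc/postfix/client_checks"""

def parse_restrictions(value):
    """Split on commas and whitespace into (name, argument) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(ARG_PREFIXES) and i + 1 < len(tokens):
            out.append((tok, tokens[i + 1]))
            i += 2
            continue
        # A bare type:table entry is an implied access lookup for this list.
        out.append(("<implied lookup>", tok) if ":" in tok else (tok, None))
        i += 1
    return out

def relay_findings(value):
    """List entries that can permit a recipient before the relay check runs."""
    findings = []
    for name, arg in parse_restrictions(value):
        if name in ("reject_unauth_destination", "reject"):
            return findings  # everything after this point cannot open a relay
        if name.endswith("_access") or name == "<implied lookup>":
            findings.append(f"{name} {arg} precedes reject_unauth_destination")
        elif name == "permit":
            findings.append("permit is reached before reject_unauth_destination")
            return findings
    findings.append("reject_unauth_destination is missing")
    return findings

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("safe", SAFE)):
        print(label, relay_findings(value) or "no findings")
```

A finding is a prompt to read the table: a lookup that only ever returns REJECT is harmless in that position, but the check cannot tell that from main.cf alone.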