postfix duplicated dkim signature

2012-02-16 Thread Birta Levente

Hello

I use postfix 2.7.2 with amavisd-new, opendkim and dk-milter. My problem 
is that the DKIM signature appears 2 times in the mail header. Is that OK? How can I fix 
this?


thanks
Levi




Ldap queries optimization

2012-02-16 Thread Angel L. Mateo

Hello,

We are using ldap maps in a relay server. The ldap maps are for address 
validation (valid users and aliases) and a relocated map.


But now we are having problems with our ldap servers. The problems are not 
directly related to the postfix servers, but I've been investigating whether 
postfix could do things better.


My config is:

virtual_alias_maps = hash:/etc/postfix/alu-aliases, 
hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-sysaliases.cf


relay_recipient_maps = hash:/etc/postfix/relaydomains, 
hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, 
proxy:ldap:/etc/postfix/ldap-vmail.cf, 
proxy:ldap:/etc/postfix/ldap-sysaliases.cf


relocated_maps = proxy:ldap:/etc/postfix/ldap-relocated.cf

proxy_read_maps = $local_recipient_maps $mydestination 
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps 
$virtual_mailbox_domains $relay_recipient_maps $relay_domains 
$canonical_maps $sender_canonical_maps $recipient_canonical_maps 
$relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps


Ldap maps are:

* ldap-sysaliases.cf: This is a map for alias destinations. Although 
this is a relay server, I'm resolving alias because I relay internal 
mail by lmtp instead of smtp

* ldap-vmail.cf: This is the map for real users.
* ldap-relocated.cf: This a relocated map (for users who change their 
email address).


In my tests I have found that during an SMTP transaction the following 
searches are done:


* When the mail from: is received, if this mail from address is in an ldap 
domain, a search in the relocated map is done for this mail from address.
* When the rcpt to: is received, postfix makes 4 searches for the 
recipient address in this order:

  1. In the relocated map
  2. In the alias map
  3. In the vmail map
  4. In the alias map again
* When the data command is finished, then it makes the searches:
  1. In the relocated map for the mail from address.
  2. In the relocated map for the recipient address.
  3. In the alias map for the recipient address
  4. In the alias map again for the recipient address
  5. In the relocated map (again) for the recipient address

With a total of 10 searches. I repeated the test with the same from and 
recipient and almost all searches are done again. In fact, the only 
searches it hasn't repeated are searches 1 and 2 after the data command.


My questions are:

* Is this behaviour normal? I mean, are all these searches normal? 
Or do I have something wrong in my configuration?


* Is there any way to cache these queries? In a normal transaction I 
have only 4 different searches out of a total of 8 (or 10), and if I repeat 
the mail, all searches are done again. Is there any way to cache these 
results so that there is no need to search for all the information again?


I have attached the output of postconf -n, the ldap map config files and 
the logs at the ldap server for connections from the postfix server (I have 
replaced the final DN where I have the information and the sender and 
recipient address used).


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337
address_verify_map = btree:${data_directory}/verify
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
append_dot_mydomain = yes
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_size_limit = 10240
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_privs = nobody
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
lmtp_destination_concurrency_limit = 5
lmtp_destination_recipient_limit = 10
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2560
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
mydestination = $myhostname, localhost.\$mydomain, localhost
mydomain = um.es
myhostname = xenon11.um.es
mynetworks = 127.0.0.0/8, 155.54.0.0/16, 10.54.0.0/16, 10.56.0.0/16, 
10.64.0.0/28, 172.19.0.0/16, 155.54.212.160/28
myorigin = um.es
nested_header_checks = pcre:/etc/postfix/nested_header_checks.pcre
newaliases_path = /usr/bin/newaliases
notify_classes = resource, software
parent_domain_matches_subdomains = smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$smtpd_sender_login_maps
queue_directory = /var/spool/postfix
queue_minfree = 3840
rbl_reply_maps = 

Re: postfix duplicated dkim signature

2012-02-16 Thread Wietse Venema
Birta Levente:
 Hello
 
 I use postfix 2.7.2 with amavisd-new, opendkim and dk-milter. My problem 
 is that the DKIM signature appears 2 times in the mail header. Is that OK? How can I fix 
 this?

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.


Re: postfix duplicated dkim signature

2012-02-16 Thread li...@coffeehabit.net

On 16/02/12 09:46, Birta Levente wrote:

Hello

I use postfix 2.7.2 with amavisd-new, opendkim and dk-milter.


I'm curious to know why you're using opendkim and dk-milter instead of 
using the built-in DKIM signing/checking in amavisd-new?


 My problem

is that the DKIM signature appears 2 times in the mail header. Is that OK? How can I fix
this?


Are you not perhaps signing with both DKIM and domainkey signature?


Small question about header_checks

2012-02-16 Thread Franck MAHE
Is a restart of postfix mandatory in case of changes in the header_checks
regex table?

 

Thanks

 

 

Franck





How to block senders whose domain without a MX record

2012-02-16 Thread daniel zhou
Hi Group,

The documentation section about reject_unknown_sender_domain says that it will 
reject a domain without an A record or MX record. Does it mean that only domains 
with both A and MX records will be accepted? Or does it mean that domains with only 
an A record, domains with only an MX record, or with both will be accepted? Can anyone 
clarify? Thanks!

I just want to block senders whose domain has no MX record, even if it has 
an A record.

Thanks!

Daniel Zhou

Re: How to block senders whose domain without a MX record

2012-02-16 Thread Reindl Harald


On 16.02.2012 14:06, daniel zhou wrote:
 Hi Group,
 
 The documentation section about reject_unknown_sender_domain says that it will 
 reject a domain without an A record or
 MX record. Does it mean that only domains with both A and MX records will be 
 accepted? Or does it mean that domains with
 only an A record, domains with only an MX record, or with both will be accepted? Can 
 anyone clarify? Thanks!

both missing

 I just want to block senders whose domain has no MX record, even if it 
 has an A record.

You must not do this, because you will block normal
mail without any reason!

I have been there, verifying newsletter-list imports with a PHP application,
and had to change this because well-known contacts of our customers
were thrown out while they had active mail in both directions on
the normal server.







RE: How to block senders whose domain without a MX record

2012-02-16 Thread Franck MAHE
Hi,

 

It is only applicable to the domains that are not known, i.e. with no DNS
resolution. So based on your request, it could accept all the domains that
have DNS, even if they don't have an MX record.

 

 

Franck
---



From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of daniel zhou
Sent: Thursday, 16 February 2012 14:06
To: postfix-users@postfix.org
Subject: How to block senders whose domain without a MX record

 

Hi Group,

The documentation section about reject_unknown_sender_domain says that it
will reject a domain without an A record or MX record. Does it mean that only
domains with both A and MX records will be accepted? Or does it mean that domains
with only an A record, domains with only an MX record, or with both will be
accepted? Can anyone clarify? Thanks!

I just want to block senders whose domain has no MX record, even if it
has an A record.

Thanks!

Daniel Zhou










Re: How to block senders whose domain without a MX record

2012-02-16 Thread /dev/rob0
On Thu, Feb 16, 2012 at 05:06:22AM -0800, daniel zhou wrote:
 The documentation section about reject_unknown_sender_domain says 
 that it will reject a domain without an A record or MX record. Does 
 it mean that only domains with both A and MX records will be 
 accepted? Or does it mean that domains with only an A record, domains with 
 only an MX record, or with both will be accepted? Can anyone clarify? 
 Thanks!

An unknown sender domain means that the name did not resolve in a way 
such that mail could be delivered to it. An A record, even if it's 
0.0.0.0 or 127.x.x.x or any other address that might not be 
deliverable for some reason, qualifies as a known sender domain. 
Unless of course there is an MX, and that name does not resolve: then 
it is unknown. Also a malformed MX record is unknown.

IIRC these rules can be found in RFC 5321 and predecessors.

 I just want to block senders whose domain has no MX record, 
 even if it has an A record.

There is check_sender_mx_access, but I don't know if it strictly 
works the way you want. Also, I don't think your idea is a good one. 
You will block some real mail, I bet, while making little if any 
impact on spam.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
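To make the rule above concrete, here is an added example (not Postfix code) that classifies a sender domain the way rob0 describes, using a constructed zone table in place of live DNS: an A record alone makes the domain known whatever address it holds, a domain whose MX targets are malformed or do not resolve is unknown, and a domain with neither record is unknown. Treating a domain with several MX records as known when at least one target resolves is this example's assumption. The second function shows what the stricter "must have an MX" policy Daniel asked for would do to the A-only domain, which is exactly the legitimate mail the replies expect it to block.

```python
import re

# Constructed zone table (documentation-space names); stands in for live DNS.
ZONE = {
    "good.example":     {"MX": ["mx.good.example"]},
    "mx.good.example":  {"A": ["192.0.2.10"]},
    "aonly.example":    {"A": ["192.0.2.20"]},          # no MX, but an A record
    "loop.example":     {"A": ["127.0.0.1"]},           # undeliverable address, still "known"
    "deadmx.example":   {"MX": ["mx.deadmx.example"]},  # MX target has no address
    "badmx.example":    {"MX": ["not a hostname!"]},    # malformed MX target
    "ghost.example":    {},                             # no records at all
}

# Hostname syntax per RFC 1123: labels of alphanumerics and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def lookup(zone, name, rtype):
    """Records of one type for a name, or [] (case-insensitive, trailing dot ignored)."""
    return zone.get(name.lower().rstrip("."), {}).get(rtype, [])


def sender_domain_status(domain, zone=ZONE):
    """Classify as ("known", why) or ("unknown", why) following the rules in the thread.

    An A record alone is enough, whatever address it holds. A domain with MX
    records is known only if its MX targets are well-formed and at least one
    of them resolves (the several-MX case is this example's assumption)."""
    mx_targets = lookup(zone, domain, "MX")
    if mx_targets:
        bad = [t for t in mx_targets if not HOSTNAME_RE.match(t)]
        if bad:
            return ("unknown", f"malformed MX target {bad[0]!r}")
        live = [t for t in mx_targets if lookup(zone, t, "A")]
        if not live:
            return ("unknown", "MX present but no MX target resolves")
        return ("known", f"MX target {live[0]} resolves")
    if lookup(zone, domain, "A"):
        return ("known", "no MX, but the domain itself has an A record")
    return ("unknown", "neither MX nor A record")


def mx_only_policy_rejects(domain, zone=ZONE):
    """What the stricter 'sender domain must have an MX' policy would do."""
    return not lookup(zone, domain, "MX")


if __name__ == "__main__":
    for name in ZONE:
        if name.startswith("mx."):
            continue
        status, why = sender_domain_status(name)
        print(f"{name:16} {status:8} {why:45} mx-only policy rejects: {mx_only_policy_rejects(name)}")
```

Running it shows `aonly.example` as known under the documented rule but rejected by an MX-only policy, and `loop.example` as known despite its 127.0.0.1 address.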


Re: postfix duplicated dkim signature

2012-02-16 Thread Birta Levente

On 16/02/2012 15:02, li...@coffeehabit.net wrote:

On 16/02/12 09:46, Birta Levente wrote:

Hello

I use postfix 2.7.2 with amavisd-new, opendkim and dk-milter.


I'm curious to know why you're using opendkim and dk-milter instead of 
using the built-in DKIM signing/checking in amavisd-new?


I think it's easier to configure, and people say it keeps up to date more 
rapidly with changes to the DKIM standards.




 My problem

is that the DKIM signature appears 2 times in the mail header. Is that OK? How can I fix
this?


Are you not perhaps signing with both DKIM and domainkey signature?

No, all the mails are signed with DKIM and DomainKey.

main.cf:
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = $smtpd_milters
milter_protocol = 2
milter_default_action = accept


Maybe it is signed 2 times because amavisd-new reinjects the mail?


Here the related header:

Received-SPF: pass (google.com: domain of l...@gogogog.go designates 
88.88.88.88 as permitted sender) client-ip=88.88.88.88;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of 
l...@gogogog.go designates 88.88.88.88 as permitted sender) 
smtp.mail=l...@gogogog.go; dkim=pass header.i=gogogog...@gogogogo.og

Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.ogogog.go (Postfix) with ESMTP id 2C3D0117C61
for g...@gogogo.go; Thu, 16 Feb 2012 11:27:39 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gogogogo.og;
s=mail; t=1329384459; i=gogogog...@gogogogo.og;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
 Content-Transfer-Encoding;
b=bPG4XAQhXelbhfvaNR6qqjkD+QtYW3sKxwx76lExAxK9WsEJPygHYCmPHc1RDRuH/
 9kW3x8zPpGNL8bS0Ru5pfLCxh6oytkEuIC2tKcgmSK4km5AjZcepNBos2s7B3HtbgL
 R+PLIHvTe6DOxuqVsjKsSZTpGDcIgn4BRul/Np6M=
X-Virus-Scanned: amavisd-new at ogogog.go
Received: from mail.ogogog.go ([127.0.0.1])
by localhost (mail.ogogog.go [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id wy4yozd49FpF for g...@gogogo.go;
Thu, 16 Feb 2012 11:27:33 +0200 (EET)
Received: from [192.168.1.2] ( [192.168.1.2])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
(Authenticated sender: l...@gogogog.go)
by mail.ogogog.go (Postfix) with ESMTPSA id A6C0A117C5F
for g...@gogogo.go; Thu, 16 Feb 2012 11:27:33 +0200 (EET)
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 mail.ogogog.go A6C0A117C5F
DomainKey-Signature: a=rsa-sha1; s=mail; d=gogogogo.og; c=simple; q=dns;
b=NAoz38nesEe51iDiW6e3IUz6JI/A9T2HHXm9TEO3i3YhG4lo9jGKgAdzE694ROHK9
32dvbtPYAIeKV5XKdWiziWEWyQ0VgJl+Y/0ob220L41PgBJGySsYjER9oaTRDWnEA7q
5s7bAQv271d5uBY0zyug2h7niNGrfPaPc4MXnhY=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gogogogo.og;
s=mail; t=1329384453; i=gogogog...@gogogogo.og;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
 Content-Transfer-Encoding;
b=PYb3ucj83tuXJ3+s6jHAZ8aQ14RLqiyyQVtL1rZDRq4wIztFmATgiP2aPlyqat3Ny
 Yj33qdKuIxFAldM8Bu4KMgx8GKKq1QPQemfHc3QUP8mojQlddQ79k1uPrP/6tdUCtv
 9fbK1DodD+NQSbj0PMUC1sb+0arraV0IVfZkGT5A=


Re: Small question about header_checks

2012-02-16 Thread /dev/rob0
On Thu, Feb 16, 2012 at 02:05:37PM +0100, Franck MAHE wrote:
 Is a restart of postfix mandatory in case of changes in the 
 header_checks regex table?

No; header_checks tables are read by the cleanup(8) daemon which is 
short-lived. Your changes will be effective at the next restart of 
cleanup. postfix reload ensures that the changes are effective 
immediately. man 8 cleanup has the details.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Undefined MX record for a sender domain

2012-02-16 Thread Scappatura Rocco
Hello,

I have the following configuration for the recipient restriction:

permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unlisted_sender
reject_unlisted_recipient
reject_unknown_sender_domain
reject_invalid_hostname
reject_rbl_client zen.spamhaus.org
reject_rbl_client bl.spamcop.net
check_policy_service inet:127.0.0.1:2501

I would like sender domain names for which no MX record is configured not 
to be relayed by my MTA. I have tried to use the restriction 
'reject_unknown_sender_domain' but it does not seem to work, or maybe I have 
not understood the right place to put it. Moreover, I would like to 
reject immediately a message that has no MX defined for the sender domain.

I also saw the restriction 'reject_unverified_sender', which could be worthwhile. 
Could someone explain to me the difference between the two restrictions?

Thank you in advance!

rocsca


Re: Undefined MX record for a sender domain

2012-02-16 Thread Wietse Venema
Scappatura Rocco:
 I would like sender domain names for which no MX record is configured
 not to be relayed by my MTA. I have tried to use the

That would be a mistake. There is no RFC REQUIREMENT that a
domain has an MX record.

Wietse


Re: Undefined MX record for a sender domain

2012-02-16 Thread Mark Goodge

On 16/02/2012 14:35, Scappatura Rocco wrote:


I would like sender domain names for which no MX record is configured
not to be relayed by my MTA.


Why?

MX records are not required for receiving mail. Nor are they required 
for sending mail. So there is no reason to reject mail which lacks them.


Also, a lot of entirely legitimate messages will have the sender domain 
set to something like 'mail.example.com', but there will only be MX 
records for 'example.com'. Rejecting on lack of a sender MX will, 
therefore, cause you to lose all of these.



I saw also the restriction 'reject_unverified_sender' that it could
be worth. Could some one explain me better the difference between the
two restrictions?


'reject_unverified_sender' uses sender address verification (SAV) to 
attempt to check that the sending address will itself receive mail. This 
is not a reliable check, since some servers won't reject at RCPT TO time 
but instead defer rejection until the end of the DATA phase. Also, 
excessive use of SAV is itself considered abusive (since it's a form of 
backscatter), and will get your mail server blocked by many other mail 
servers (including Hotmail).


If you are considering using sender verification, you should read the 
online documentation and only use it if you fully understand what you 
are doing and the potential consequences:


http://www.postfix.org/ADDRESS_VERIFICATION_README.html and

Mark
--
 Sent from my Babbage Difference Engine 2
 http://mark.goodge.co.uk


RE: Undefined MX record for a sender domain

2012-02-16 Thread Scappatura Rocco
 Scappatura Rocco:
  I would like sender domain names for which no MX record is configured
  not to be relayed by my MTA. I have tried to use the
 
 That would be a mistake. There is no RFC REQUIREMENT that a
 domain has an MX record.
 

I have no doubt about the correctness of what you stated above, but whenever a 
customer of mine sends a message through my MTA, specifying a sender with a 
domain that does not have a valid sender (and, in particular, a sender domain with no 
MX defined) and the message for some reason is not delivered, I receive a DSN 
for the customer that remains in the deferred queue, just because it is destined to 
a recipient whose domain has no MX defined. :-(

What could the solution be?

Thanks in advance,

rocsca


Re: Ldap queries optimization

2012-02-16 Thread Viktor Dukhovni
On Thu, Feb 16, 2012 at 10:49:10AM +0100, Angel L. Mateo wrote:

   My config is:
 
 virtual_alias_maps = hash:/etc/postfix/alu-aliases,
   hash:/etc/postfix/dif-aliases,
   proxy:ldap:/etc/postfix/ldap-sysaliases.cf
 
 relay_recipient_maps = hash:/etc/postfix/relaydomains,
   hash:/etc/postfix/alu-aliases,
   hash:/etc/postfix/dif-aliases,
   proxy:ldap:/etc/postfix/ldap-vmail.cf,
   proxy:ldap:/etc/postfix/ldap-sysaliases.cf

There is no need to list virtual alias lookup tables in
relay_recipient_maps. Postfix performs that lookup automatically,
therefore, the relay_recipient_maps setting should be just:

relay_recipient_maps = hash:/etc/postfix/relaydomains,
proxy:ldap:/etc/postfix/ldap-vmail.cf

   In my tests I have found that during a smtp transaction the next
 searches are done:

If your LDAP tables contain no bare (just the local part) address
lookup keys, you may consider using %u@%d instead of %s in the
query definition. That could also avoid some unneeded lookups,
otherwise Postfix performs the lookups it needs to, and unless
you've failed to index your LDAP attributes appropriately, Postfix
is unlikely to be a significant burden on LDAP, nor is LDAP likely
to noticeably slow down Postfix.

 mydestination = $myhostname, localhost.\$mydomain, localhost

That \ is unlikely to be what you want.

 mynetworks = 127.0.0.0/8, 155.54.0.0/16, 10.54.0.0/16, 10.56.0.0/16, 
 10.64.0.0/28, 172.19.0.0/16, 155.54.212.160/28

With the entire class 155.54/16 listed, no need for the final /28.

 smtpd_banner = $myhostname NO UCE ESMTP

Don't, or at least make it $myhostname ESMTP NO UCE, that ESMTP is not
semantically valid unless it immediately follows the hostname.

 smtpd_client_restrictions =
   reject_rbl_client rbl.um.es,
   permit_sasl_authenticated,
   check_client_access hash:/etc/postfix/whitelist_um,
   reject_unknown_reverse_client_hostname,
   check_client_access cidr:/etc/postfix/client_checks.cidr,
 smtpd_data_restrictions = reject_unauth_pipelining, permit
 smtpd_end_of_data_restrictions = $(smtpdEndOfDataRestrictions)
 smtpd_helo_restrictions =
   permit_mynetworks,
   check_helo_access hash:/etc/postfix/helo_checks
 smtpd_recipient_restrictions =
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
   check_recipient_access hash:/etc/postfix/verified_recipient_checks,
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_recipient_maps,
   permit

You don't need these last two, they are implicit.

 smtpd_sender_restrictions = reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   check_sender_access pcre:/etc/postfix/sender_checks.pcre

Otherwise nothing else to do in Postfix, make sure your LDAP tables
are properly indexed.

-- 
Viktor.


Re: Undefined MX record for a sender domain

2012-02-16 Thread Viktor Dukhovni
On Thu, Feb 16, 2012 at 04:26:58PM +0100, Scappatura Rocco wrote:

  Scappatura Rocco:
   I would like sender domain names for which no MX record is configured
   not to be relayed by my MTA. I have tried to use the
  
  That would be a mistake. There is no RFC REQUIREMENT that a
  domain has an MX record.
 
 I have no doubt about the correctness of what you stated above, ...
 

However, if no MX record exists, an A record MUST exist (some
day an AAAA may also be sufficient, for now most MTAs don't do
IPv6).

-- 
Viktor.


Re: Undefined MX record for a sender domain

2012-02-16 Thread Mark Goodge

On 16/02/2012 15:26, Scappatura Rocco wrote:

Scappatura Rocco:

I would like sender domain names for which no MX record is
configured not to be relayed by my MTA. I have
tried to use the


That would be a mistake. There is no RFC REQUIREMENT that a domain
has an MX record.



I have no doubt about the correctness of what you stated above, but
whenever a customer of mine sends a message through my MTA,
specifying a sender with a domain that does not have a valid sender (and,
in particular, a sender domain with no MX defined) and the message for
some reason is not delivered, I receive a DSN for the customer that
remains in the deferred queue, just because it is destined to a recipient
whose domain has no MX defined. :-(


For that to happen, the sending domain must be missing not only MX 
records but also A records. In which case, 
'reject_unknown_sender_domain' will block it.


If you have reject_unknown_sender_domain already configured and that 
isn't blocking the mail, then missing MX records are not the reason why 
you are unable to deliver the DSN to your customer.


What do your logs say when your server tries to deliver the DSN?

Mark
--
 Sent from my Babbage Difference Engine 2
 http://mark.goodge.co.uk


MySQL table question

2012-02-16 Thread Gábor Lénárt
Hi All,

I'd like to use MySQL table to block some of the peer MTAs based on their IP
addresses by storing IP pools ('from' and 'to' addresses as unsigned integers,
using MySQL's INET_ATON() function) in MySQL as blocked IP ranges.

However I found a little problem in my solution:

As the access table readme states too, postfix with check_client_access will try
various information, including A, A.B, A.B.C and A.B.C.D for a given
A.B.C.D IPv4 address. However, it causes my query to produce false
blockings, as MySQL's INET_ATON() will happily convert an IP address like
192.168 to some numeric value which often triggers a totally different
banned IP pool (the peer's IP address is not even in that pool, and should
not be blocked - but I did block it).

Now I have this ugly work-around for the problem (it seems to work
now ...):

query = SELECT policy AS qres FROM banned_clients WHERE INET_ATON('%s')
BETWEEN ip_from AND ip_to AND
'%s' REGEXP '^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$'

With the last REGEXP condition I want to be sure that the lookup-key is a
normal IP address and not some other.

Can I tell postfix somehow that I am interested only in the client IP's
check in my SQL table rather than trying to look up with other methods as
well? It would also save some wasted SQL queries being sent to the MySQL
server, as lookups for A, A.B, A.B.C would never match with this query.

The relevant main.cf fragment:

smtpd_client_restrictions =
[...]
check_client_access mysql:/etc/postfix/banned_clients.sql,
[...]

I have something similar with the sender/rcpt check too; the situation is not so
serious there: my query would do the checking by itself for the whole
address and domain at once (with one query), so I don't
need postfix to try to look up different information (which is redundant for
me this way); I only need a single lookup from postfix with the full
address (but according to the docs, it tries user@domain, domain.tld,
.domain.tld, and @user in sequence).  Unlike the previous situation with the
client check it does not cause false blockings (at least I hope so) but
still it generates unneeded lookups I would never use anyway.

My try (for senders, the same for recipient):

query = SELECT policy AS qres FROM banned_senders WHERE sender
IN ('%s','%d')

Note: I am not even sure it works (I am busy with the client checks for
now), or what postfix will do with %s and %d specified in the same lookup.
Maybe it is a different issue by nature with lookups than the client check
problem of mine, above? If I am wrong with this one, please help me with
the client checks at least :) Thanks.

So in general: is it possible to inform postfix that I need only the
look-up key as-is with check_client_access, check_sender_access and
check_recipient_access, without trying to look up only part of the
information of the look-up key?

Thanks in advance,

- Gábor
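For reference, here is an added example (not Postfix or MySQL code) that emulates the key sequences behind both questions above and the dotted-quad guard the query carries. The orders follow access(5): for an IPv4 client the full address and then successively shorter prefixes (Postfix also tries the client hostname and its parent domains first, which is omitted here); for a sender address user@domain, the domain, its parent domains and finally the localpart key, which access(5) writes as user@. Parent domains carry a leading dot unless parent_domain_matches_subdomains lists smtpd_access_maps, as it does in the postconf output earlier in this digest. The banned ranges and policy strings are constructed.

```python
import re

FULL_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def client_address_keys(ip):
    """IPv4 keys in the order access(5) describes: A.B.C.D, A.B.C, A.B, A.
    (Postfix also tries the client hostname and its parent domains first; omitted here.)"""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def sender_address_keys(addr, parent_style=False):
    """user@domain, the domain, its parent domains, then user@ (access(5) EMAIL ADDRESS PATTERNS).
    Parent domains are keyed as ".parent" unless parent_domain_matches_subdomains
    lists smtpd_access_maps, in which case the leading dot is dropped."""
    user, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    if not parent_style:
        parents = ["." + p for p in parents]
    return [addr, domain, *parents, user + "@"]


def ipv4_to_int(key):
    """Unsigned 32-bit value of a full dotted quad; None for partial or invalid keys."""
    m = FULL_IPV4_RE.match(key)
    if not m or any(int(o) > 255 for o in m.groups()):
        return None
    return int.from_bytes(bytes(int(o) for o in m.groups()), "big")


# Constructed banned ranges: (first, last, policy), the shape of the banned_clients table above.
BANNED = [
    (ipv4_to_int("192.168.0.0"), ipv4_to_int("192.168.255.255"), "REJECT private range"),
    (ipv4_to_int("203.0.113.0"), ipv4_to_int("203.0.113.255"), "REJECT test-net-3"),
]


def policy_for_key(key, banned=BANNED):
    """The range query with its guard: only a full dotted quad is compared against the ranges,
    so the partial keys Postfix also tries can never fall into an unrelated pool."""
    n = ipv4_to_int(key)
    if n is None:
        return None
    return next((policy for lo, hi, policy in banned if lo <= n <= hi), None)


def check_client(ip, banned=BANNED):
    """Walk the keys the way Postfix does; return (matching key, policy) or None."""
    for key in client_address_keys(ip):
        policy = policy_for_key(key, banned)
        if policy is not None:
            return key, policy
    return None


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.1"):
        print(ip, "->", client_address_keys(ip), "=>", check_client(ip))
    print(sender_address_keys("bob@mail.example.com"))
    print(sender_address_keys("bob@mail.example.com", parent_style=True))
```

The guard does not stop Postfix from issuing the extra queries, it only makes them harmless; the lookup sequence itself is fixed by the access-table code, not by the table's query.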


always_bcc to a specific address list

2012-02-16 Thread Alfredo Saldanha

Hi guys,

My question is very simple.
Is it possible to configure Postfix to deliver a BCC message to a list of 
specific addresses?

Can I use the feature always_bcc to do this? How?

Thank you.

Alfredo


RE: Undefined MX record for a sender domain

2012-02-16 Thread Scappatura Rocco
 On 16/02/2012 15:26, Scappatura Rocco wrote:
  Scappatura Rocco:
  I would like sender domain names for which no MX record is
  configured not to be relayed by my MTA. I have
  tried to use the
 
  That would be a mistake. There is no RFC REQUIREMENT that a domain
  has an MX record.
 
 
  I have no doubt about the correctness of what you stated above, but
  whenever a customer of mine sends a message through my MTA,
  specifying a sender with a domain that does not have a valid sender (and,
  in particular, a sender domain with no MX defined) and the message for
  some reason is not delivered, I receive a DSN for the customer that
  remains in the deferred queue, just because it is destined to a recipient
  whose domain has no MX defined. :-(
 
 For that to happen, the sending domain must be missing not only MX
 records but also A records. In which case,
 'reject_unknown_sender_domain' will block it.

Ah ok..
 
 If you have reject_unknown_sender_domain already configured and that
 isn't blocking the mail, then missing MX records are not the reason why
 you are unable to deliver the DSN to your customer.
 
 What do your logs say when your server tries to deliver the DSN?

status=deferred (connect to domain.tld[xxx.yyy.uuu.vvv]:25: Connection timed 
out)

 Mark

rocsca


Re: Undefined MX record for a sender domain

2012-02-16 Thread Mark Goodge

On 16/02/2012 16:07, Scappatura Rocco wrote:



What do your logs say when your server tries to deliver the DSN?


status=deferred (connect to domain.tld[xxx.yyy.uuu.vvv]:25: Connection timed 
out)


Which proves that the problem is not lack of DNS, since your server is 
finding an IP address to deliver to.


Your customer has probably got some kind of misconfiguration, but that 
isn't really your problem.


Mark
--
 Sent from my Babbage Difference Engine 2
 http://mark.goodge.co.uk


Re: always_bcc to a specific address list

2012-02-16 Thread Alfredo Saldanha

Hi guys again,

Sorry, I've done it using sender_bcc_maps.
It is OK now.

Thank you.

On 02/16/2012 01:51 PM, Alfredo Saldanha wrote:

Hi guys,

My question is very simple.
Is it possible to configure Postfix to deliver a BCC message to a list 
of specific addresses?

Can I use the feature always_bcc to do this? How?

Thank you.

Alfredo





forcing MX lookups

2012-02-16 Thread Dipl.-Ing. Juergen Ladstaetter
Hi guys,

We're currently developing a project where customers can add their own
domains to our mail system. The biggest problem would be that a customer adds
a domain he doesn't own or that isn't represented by our mail cluster.
For example a customer adds ibm.com - a manual validation through one of our
employees isn't possible and an automated validation makes no sense since
the MX records could be changed at any time, which would force a re-check.

My thought was this: when sending the mail, configure postfix so that it does an
MX lookup and sends the mail to the IP given by the lookup. In this case the
customer could add ibm.com, but he wouldn't be able to grab the mails sent
from our cluster. I tried a few things but haven't come to a clean solution
yet. Is there any way to configure postfix to always make MX record DNS
lookups, or is the only way through a second postfix instance that has no
local domains specified?

Thanks in advance for your time,
Juergen
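The alternative the replies in this thread steer toward is to verify the domain in the application before it is added, and to re-check later, since MX records can change. As an added example, not Postfix code, this checks that every mail exchanger for the claimed domain is one of our own MTAs, by name or by the addresses it resolves to, using a constructed zone table instead of live DNS; the cluster host names and addresses are placeholders. Refusing the domain when even one exchanger is foreign is this example's choice: a split MX set means some of the domain's mail would still be delivered outside the cluster.

```python
# Constructed zone table; all names are documentation-space placeholders.
ZONE = {
    "customer.example":     {"MX": ["mx1.cluster.example", "mx2.cluster.example"]},
    "split.example":        {"MX": ["mx1.cluster.example", "mx.elsewhere.example"]},
    "implicit.example":     {"A": ["192.0.2.1"]},            # no MX: the A record is the exchanger
    "bigcorp.example":      {"MX": ["mx.bigcorp.example"]},  # a domain the customer does not own
    "mx1.cluster.example":  {"A": ["192.0.2.1"]},
    "mx2.cluster.example":  {"A": ["192.0.2.2"]},
    "mx.elsewhere.example": {"A": ["198.51.100.9"]},
    "mx.bigcorp.example":   {"A": ["198.51.100.20"]},
}
CLUSTER_HOSTS = {"mx1.cluster.example", "mx2.cluster.example"}  # placeholder: our MTAs
CLUSTER_ADDRS = {"192.0.2.1", "192.0.2.2"}                       # placeholder: their addresses


def lookup(zone, name, rtype):
    """Records of one type for a name, or [] (case-insensitive, trailing dot ignored)."""
    return zone.get(name.lower().rstrip("."), {}).get(rtype, [])


def mail_exchangers(domain, zone=ZONE):
    """MX targets; with no MX, RFC 5321 section 5.1 treats the domain itself as the exchanger."""
    return lookup(zone, domain, "MX") or [domain]


def foreign_exchangers(domain, zone=ZONE, hosts=CLUSTER_HOSTS, addrs=CLUSTER_ADDRS):
    """Exchangers for the domain that are not ours, neither by name nor by resolved address.
    An exchanger that does not resolve at all is reported as foreign too."""
    foreign = []
    for name in mail_exchangers(domain, zone):
        name = name.lower().rstrip(".")
        resolved = set(lookup(zone, name, "A"))
        if name not in hosts and not (resolved and resolved <= addrs):
            foreign.append(name)
    return foreign


def domain_served_by_cluster(domain, zone=ZONE, hosts=CLUSTER_HOSTS, addrs=CLUSTER_ADDRS):
    """True only when every mail exchanger for the domain is one of ours."""
    return not foreign_exchangers(domain, zone, hosts, addrs)


if __name__ == "__main__":
    for domain in ("customer.example", "split.example", "implicit.example", "bigcorp.example"):
        verdict = "accept" if domain_served_by_cluster(domain) else "refuse"
        print(f"{domain:18} {verdict:7} foreign exchangers: {foreign_exchangers(domain)}")
```

In a deployment the zone table would be replaced by real resolver calls, and the check would be repeated on a schedule so that a domain whose MX later moves away from the cluster is removed again.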



Re: forcing MX lookups

2012-02-16 Thread Reindl Harald

On 16.02.2012 18:13, Dipl.-Ing. Juergen Ladstaetter wrote:
 We're currently developing a project where customers can add their own
 domains to our mail system. The biggest problem would be that a customer adds
 a domain he doesn't own or that isn't represented by our mail cluster.
 For example a customer adds ibm.com - a manual validation through one of our
 employees isn't possible and an automated validation makes no sense since
 the MX records could be changed at any time, which would force a re-check.
 
 My thought was this: when sending the mail, configure postfix so that it does an
 MX lookup and sends the mail to the IP given by the lookup. In this case the
 customer could add ibm.com, but he wouldn't be able to grab the mails sent
 from our cluster. I tried a few things but haven't come to a clean solution
 yet. Is there any way to configure postfix to always make MX record DNS
 lookups, or is the only way through a second postfix instance that has no
 local domains specified?

Put your postfix configuration in MySQL tables and create
a limited user to query whether input is valid and allowed.

From the moment on you are dealing with websites AND configurations
you should have as much as possible of your config in databases.







Re: forcing MX lookups

2012-02-16 Thread Dipl.-Ing. Juergen Ladstaetter
The configuration for domains etc. is stored in mysql tables but that has
nothing to do with the initial problem described in my other email.


-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Reindl Harald
Sent: Thursday, February 16, 2012 12:20 PM
To: postfix-users@postfix.org
Subject: Re: forcing MX lookups


On 16.02.2012 18:13, Dipl.-Ing. Juergen Ladstaetter wrote:
 We're currently developing a project where customers can add their own 
 domains to our mail system. The biggest problem would be that a 
 customer adds a domain he doesn't own or that isn't represented by our mail
 cluster.
 For example a customer adds ibm.com - a manual validation through one 
 of our employees isn't possible and an automated validation makes no 
 sense since the MX records could be changed at any time, which would force
 a re-check.
 
 My thought was this: when sending the mail, configure postfix so that it 
 does an MX lookup and sends the mail to the IP given by the lookup. In 
 this case the customer could add ibm.com, but he wouldn't be able to 
 grab the mails sent from our cluster. I tried a few things but haven't 
 come to a clean solution yet. Is there any way to configure postfix to 
 always make MX record DNS lookups, or is the only way through a second 
 postfix instance that has no local domains specified?

put your postfix configuration in mysql tables and create a limited user to
query whether input is valid and allowed

from the moment you are dealing with websites AND configurations, you
should have as much of your config as possible in databases






Re: forcing MX lookups

2012-02-16 Thread Reindl Harald
what a strange day this is

you are the second one in a few hours who does not understand
that a domain does not need any MX record to be a valid
mail domain

your other things are also not the job of postfix

if you have an application where users can input
data, you are responsible for verifying the input
inside your application before proceeding

make DNS requests and whatever verifications in your
app and leave postfix in peace - postfix is an MTA
and should only be used as an MTA

On 16.02.2012 18:45, Dipl.-Ing. Juergen Ladstaetter wrote:
 The configuration for domains etc. is stored in mysql tables but that has
 nothing to do with the initial problem described in my other email.
 
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
 Sent: Thursday, February 16, 2012 12:20 PM
 To: postfix-users@postfix.org
 Subject: Re: forcing MX lookups
 
 
 On 16.02.2012 18:13, Dipl.-Ing. Juergen Ladstaetter wrote:
 We're currently developing a project where customers can add their own 
 domains to our mailsystem. The biggest problem would be that a 
 customer adds a domain he doesn't own or isn't represented by our mail
 cluster.
 For example a customer adds ibm.com - a manual validation through one 
 of our employees isn't possible and an automated validation makes no 
 sense since the MX records could be changed at any time, which would force
 a re-check.

 My thought was this: when sending the mail, configure postfix that he 
 does a MX lookup and sends the mail to the IP given by the lookup. In 
 this case the customer could add ibm.com, but he wouldn't be able to 
 grab the mails sent from our cluster. I tried a few things but haven't 
 come to a clean solution yet. Is there any way to configure postfix to 
 always make MX record DNS lookups, or is the only way through a second 
 postfix instance that has no localdomains specified?
 
 put your postfix configuration in mysql tables and create a limited user to
 query whether input is valid and allowed
 
 from the moment you are dealing with websites AND configurations, you
 should have as much of your config as possible in databases





Re: forcing MX lookups

2012-02-16 Thread Dipl.-Ing. Juergen Ladstaetter
I know that it doesn't need a MX record. I just want to know if there is
some way of configuring postfix to make DNS (A or MX) lookups for every mail
sent.
Since a two instance configuration would work, I just wanted to know if
there is a way to configure one instance to do this. No need to get
impolite...



-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
Sent: Thursday, February 16, 2012 12:54 PM
To: postfix-users@postfix.org
Subject: Re: forcing MX lookups

what a strange day this is

you are the second one in a few hours who does not understand that a domain does
not need any MX record to be a valid mail domain

your other things are also not the job of postfix

if you have an application where users can input data, you are responsible for
verifying the input inside your application before proceeding

make DNS requests and whatever verifications in your app and leave postfix
in peace - postfix is an MTA and should only be used as an MTA

On 16.02.2012 18:45, Dipl.-Ing. Juergen Ladstaetter wrote:
 The configuration for domains etc. is stored in mysql tables but that 
 has nothing to do with the initial problem described in my other email.
 
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
 Sent: Thursday, February 16, 2012 12:20 PM
 To: postfix-users@postfix.org
 Subject: Re: forcing MX lookups
 
 
 On 16.02.2012 18:13, Dipl.-Ing. Juergen Ladstaetter wrote:
 We're currently developing a project where customers can add their 
 own domains to our mailsystem. The biggest problem would be that a 
 customer adds a domain he doesn't own or isn't represented by our 
 mail
 cluster.
 For example a customer adds ibm.com - a manual validation through one 
 of our employees isn't possible and an automated validation makes no 
 sense since the MX records could be changed at any time, which would 
 force
 a re-check.

 My thought was this: when sending the mail, configure postfix that he 
 does a MX lookup and sends the mail to the IP given by the lookup. In 
 this case the customer could add ibm.com, but he wouldn't be able to 
 grab the mails sent from our cluster. I tried a few things but 
 haven't come to a clean solution yet. Is there any way to configure 
 postfix to always make MX record DNS lookups, or is the only way 
 through a second postfix instance that has no localdomains specified?
 
 put your postfix configuration in mysql tables and create a limited 
 user to query whether input is valid and allowed
 
 from the moment you are dealing with websites AND configurations, 
 you should have as much of your config as possible in databases




Re: forcing MX lookups

2012-02-16 Thread Reindl Harald
how should anybody imagine lookups for every mail

if you have a local domain it will not make a lookup;
if it did, the mail could not be delivered locally

so no, you cannot have, in one instance, local
inboxes for example.com and force postfix to
do any DNS lookups for example.com

why should it do this, and what should happen,
relay the message?
why, if it is configured as a local domain?

again: it is generally a complete misdesign to use
a mailserver with whatever tricks to do strange
things even if it would work - such solutions
are the root cause for most of our problems these
days

in other words: this all does not make any sense

On 16.02.2012 19:05, Dipl.-Ing. Juergen Ladstaetter wrote:
 I know that it doesn't need a MX record. I just want to know if there is
 some way of configuring postfix to make DNS (A or MX) lookups for every mail
 sent.
 Since a two instance configuration would work, I just wanted to know if
 there is a way to configure one instance to do this. No need to get
 impolite...
 
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
 Sent: Thursday, February 16, 2012 12:54 PM
 To: postfix-users@postfix.org
 Subject: Re: forcing MX lookups
 
 what a strange day this is
 
 you are the second one in a few hours who does not understand that a domain does
 not need any MX record to be a valid mail domain
 
 your other things are also not the job of postfix
 
 if you have an application where users can input data, you are responsible for
 verifying the input inside your application before proceeding
 
 make DNS requests and whatever verifications in your app and leave postfix
 in peace - postfix is an MTA and should only be used as an MTA
 
 On 16.02.2012 18:45, Dipl.-Ing. Juergen Ladstaetter wrote:
 The configuration for domains etc. is stored in mysql tables but that 
 has nothing to do with the initial problem described in my other email.

 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
 Sent: Thursday, February 16, 2012 12:20 PM
 To: postfix-users@postfix.org
 Subject: Re: forcing MX lookups


 On 16.02.2012 18:13, Dipl.-Ing. Juergen Ladstaetter wrote:
 We're currently developing a project where customers can add their 
 own domains to our mailsystem. The biggest problem would be that a 
 customer adds a domain he doesn't own or isn't represented by our 
 mail
 cluster.
 For example a customer adds ibm.com - a manual validation through one 
 of our employees isn't possible and an automated validation makes no 
 sense since the MX records could be changed at any time, which would 
 force
 a re-check.

 My thought was this: when sending the mail, configure postfix that he 
 does a MX lookup and sends the mail to the IP given by the lookup. In 
 this case the customer could add ibm.com, but he wouldn't be able to 
 grab the mails sent from our cluster. I tried a few things but 
 haven't come to a clean solution yet. Is there any way to configure 
 postfix to always make MX record DNS lookups, or is the only way 
 through a second postfix instance that has no localdomains specified?

 put your postfix configuration in mysql tables and create a limited 
 user to query whether input is valid and allowed
 
 from the moment you are dealing with websites AND configurations, 
 you should have as much of your config as possible in databases
 
 

-- 

With best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm





Re: forcing MX lookups

2012-02-16 Thread Dipl.-Ing. Juergen Ladstaetter
Alright then let me try to make it more clear for you:

 if you have a local domain it will not make a lookup; if it did, the mail
could not be delivered locally
That's the point. Even though it's configured as local-domain I would want
it to look up any records (MX, A) and try to send the mail to the underlying
mailserver.

 why should it do this, and what should happen, relay the message?
Why: because there is probably a configuration variable that allows me this
configuration. If not then I have to do it differently
What should happen: Email - lookup - connect - deliver
Normally with local-domains it would be Email - local deliver. I would want
to add 'lookup - connect' as it's done with non-local-domains

 why, if it is configured as a local domain?
To ensure that mails are delivered to the right server since a 100% dynamic
system sadly is open for fraudulent entries.

 again: it is generally a complete misdesign to use a mailserver with
whatever tricks to do strange things even if it would work - such solutions
are the root cause for most of our problems these days
Not really. Open relays cause problems. Non-standard designs that are well
maintained and secured don't.

 in other words: this all does not make any sense
Neither do parts of your email. I, and I think many others, would appreciate
it if you reply in a more polite way since we're only here to share
information and furthermore it would be amazing if you re-read your emails
before sending them since they are full of weird sentences, typos and wrong
grammar. Thanks

-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
Sent: Thursday, February 16, 2012 1:22 PM
To: postfix-users@postfix.org
Subject: Re: forcing MX lookups

how should anybody imagine lookups for every mail

if you have a local domain it will not make a lookup; if it did, the mail
could not be delivered locally

so no, you cannot have, in one instance, local inboxes for example.com and
force postfix to do any DNS lookups for example.com

why should it do this, and what should happen, relay the message?
why, if it is configured as a local domain?

again: it is generally a complete misdesign to use a mailserver with
whatever tricks to do strange things even if it would work - such solutions
are the root cause for most of our problems these days

in other words: this all does not make any sense

On 16.02.2012 19:05, Dipl.-Ing. Juergen Ladstaetter wrote:
 I know that it doesn't need a MX record. I just want to know if there 
 is some way of configuring postfix to make DNS (A or MX) lookups for 
 every mail sent.
 Since a two instance configuration would work, I just wanted to know 
 if there is a way to configure one instance to do this. No need to get 
 impolite...
 
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
 Sent: Thursday, February 16, 2012 12:54 PM
 To: postfix-users@postfix.org
 Subject: Re: forcing MX lookups
 
 what a strange day this is
 
 you are the second one in a few hours who does not understand that a domain 
 does not need any MX record to be a valid mail domain
 
 your other things are also not the job of postfix
 
 if you have an application where users can input data, you are 
 responsible for verifying the input inside your application before proceeding
 
 make DNS requests and whatever verifications in your app and leave 
 postfix in peace - postfix is an MTA and should only be used as an MTA
 
 On 16.02.2012 18:45, Dipl.-Ing. Juergen Ladstaetter wrote:
 The configuration for domains etc. is stored in mysql tables but that 
 has nothing to do with the initial problem described in my other email.

 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Reindl Harald
 Sent: Thursday, February 16, 2012 12:20 PM
 To: postfix-users@postfix.org
 Subject: Re: forcing MX lookups


 On 16.02.2012 18:13, Dipl.-Ing. Juergen Ladstaetter wrote:
 We're currently developing a project where customers can add their 
 own domains to our mailsystem. The biggest problem would be that a 
 customer adds a domain he doesn't own or isn't represented by our 
 mail
 cluster.
 For example a customer adds ibm.com - a manual validation through 
 one of our employees isn't possible and an automated validation 
 makes no sense since the MX records could be changed at any time, 
 which would force
 a re-check.

 My thought was this: when sending the mail, configure postfix that 
 he does a MX lookup and sends the mail to the IP given by the 
 lookup. In this case the customer could add ibm.com, but he wouldn't 
 be able to grab the mails sent from our cluster. I tried a few 
 things but haven't come to a clean solution yet. Is there any way to 
 configure postfix to always make MX record DNS lookups, or is the 
 only way through a second postfix instance 

virtual_

2012-02-16 Thread Toomas Vendelin
Hello list,

I have set up a home e-mail server with Postfix and Cyrus, and
everything seems to work. There is one matter I'd like to clarify,
though.
Is it so, that if I use non-Postfix virtual mail delivery (in my
case, to Cyrus accounts via unix socket using LMTP), I'm supposed to
use virtual_alias_maps, and to perform delivery to a Maildir or mbox
file directly (referred to as virtual MAILBOX: separate domains,
non-UNIX accounts), I should use virtual_mailbox_maps and
virtual_mailbox_base instead?

Based on the documentation, my initial impression was that a
virtual_mailbox_maps like
some.em...@example.com  imapuser

should do the job, but it didn't deliver some.em...@example.com to
imapuser. virtual_alias_maps did the job, though (see my configs
below). So, is it how it should be, or am I missing something
important here?

Thanks in advance.

pfx:~# postconf -n
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
local_recipient_maps =
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = localhost.$mydomain, localhost
mydomain = pfx.tere.com
myhostname = pfx.tere.com
mynetworks = 127.0.0.0/8 192.168.50.0/24
mynetworks_style = subnet
myorigin = tere.com
proxy_interfaces = 80.235.55.179, 192.168.50.1, 192.168.1.254
receive_override_options = no_address_mappings
recipient_delimiter = +
smtpd_helo_restrictions = warn_if_reject reject_invalid_helo_hostname
smtpd_recipient_restrictions =
reject_non_fqdn_sender reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks, reject_unauth_destination check_helo_access
pcre:/etc/postfix/helo_checks check_policy_service
inet:127.0.0.1:10023 permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
virtual_alias_maps = hash:/etc/postfix/valias_map
virtual_mailbox_domains = tere.com
virtual_transport = lmtp:unix:public/lmtp

pfx:~# cat /etc/postfix/valias_map
j...@example.com            jack
ja...@example.com           jack
jack.robin...@example.com   jack


Re: virtual_

2012-02-16 Thread Brian Evans - Postfix List
On 2/16/2012 2:15 PM, Toomas Vendelin wrote:
 Hello list,

 I have set up a home e-mail server with Postfix and Cyrus, and
 everything seems to work. There is one matter I'd like to clarify,
 though.
 Is it so, that if I use non-Postfix virtual mail delivery (in my
 case, to Cyrus accounts via unix socket using LMTP), I'm supposed to
 use virtual_alias_maps, and to perform delivery to a Maildir or mbox
 file directly (referred to as virtual MAILBOX: separate domains,
 non-UNIX accounts), I should use virtual_mailbox_maps and
 virtual_mailbox_base instead?

 Based on the documentation, my initial impression was that a
 virtual_mailbox_maps like
 some.em...@example.com  imapuser

 should do the job, but it didn't deliver some.em...@example.com to
 imapuser. virtual_alias_maps did the job, though (see my configs
 below). So, is it how it should be, or am I missing something
 important here?

Referring to the official manual:
http://www.postfix.org/VIRTUAL_README.html#in_virtual_other

The purpose of virtual_mailbox_domains is to route domains through the
virtual_transport
The purpose of virtual_mailbox_maps in a delivery agent other than
virtual(8) is for VERIFICATION that a user exists.  If it is left empty,
no verification is done. The result just has to be non-empty for
verification to occur.  This is a possible BACKSCATTER source when left
empty.
The purpose of virtual_alias_maps is to reroute email REGARDLESS of its
address class.

Brian


 Thanks in advance.

 pfx:~# postconf -n
 broken_sasl_auth_clients = yes
 config_directory = /etc/postfix
 content_filter = amavisfeed:[127.0.0.1]:10024
 local_destination_concurrency_limit = 5
 local_destination_recipient_limit = 300
 local_recipient_maps =
 mime_header_checks = pcre:/etc/postfix/mime_header_checks
 mydestination = localhost.$mydomain, localhost
 mydomain = pfx.tere.com
 myhostname = pfx.tere.com
 mynetworks = 127.0.0.0/8 192.168.50.0/24
 mynetworks_style = subnet
 myorigin = tere.com
 proxy_interfaces = 80.235.55.179, 192.168.50.1, 192.168.1.254
 receive_override_options = no_address_mappings
 recipient_delimiter = +
 smtpd_helo_restrictions = warn_if_reject reject_invalid_helo_hostname
 smtpd_recipient_restrictions =
 reject_non_fqdn_sender reject_non_fqdn_recipient
 permit_sasl_authenticated
 permit_mynetworks, reject_unauth_destination check_helo_access
 pcre:/etc/postfix/helo_checks check_policy_service
 inet:127.0.0.1:10023 permit
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 virtual_alias_maps = hash:/etc/postfix/valias_map
 virtual_mailbox_domains = tere.com
 virtual_transport = lmtp:unix:public/lmtp

 pfx:~# cat /etc/postfix/valias_map
 j...@example.com            jack
 ja...@example.com           jack
 jack.robin...@example.com   jack
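
The three settings Brian distinguishes, written out as a main.cf fragment. This is an added example, not configuration from the thread or from the Postfix documentation; the map file names /etc/postfix/vmailbox and /etc/postfix/valias_map and the entries in them are assumptions, tere.com and the LMTP socket are taken from the original postconf -n output.

```ini
# main.cf (added example; file names below are assumptions)

# Put tere.com in the virtual mailbox class and hand that class to
# Cyrus over LMTP instead of to the virtual(8) delivery agent
virtual_mailbox_domains = tere.com
virtual_transport = lmtp:unix:public/lmtp

# With a non-virtual(8) transport the right-hand side of this map is
# ignored; Postfix only asks "does this recipient exist?" so that unknown
# users are rejected at RCPT TO. Leaving the map empty accepts every
# recipient and turns each LMTP "user unknown" into a bounce, i.e.
# backscatter to a forged sender.
virtual_mailbox_maps = hash:/etc/postfix/vmailbox

# Address rewriting that runs before the address class is decided, so
# it applies to local, virtual and relay domains alike
virtual_alias_maps = hash:/etc/postfix/valias_map

# /etc/postfix/vmailbox  (run: postmap /etc/postfix/vmailbox)
#   jack@tere.com         OK
#   imapuser@tere.com     OK
#
# /etc/postfix/valias_map  (run: postmap /etc/postfix/valias_map)
#   jack.robinson@tere.com   jack@tere.com
```

With this layout an alias target still has to appear in vmailbox (or resolve to something that does), otherwise the alias is rewritten and then rejected as an unknown recipient.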



Re: forcing MX lookups

2012-02-16 Thread Reindl Harald


On 16.02.2012 19:32, Dipl.-Ing. Juergen Ladstaetter wrote:
 if you have a local-domain it will not make a lookup if it would the mail
 could not be delivered local
 That's the point. Even though it's configured as local-domain I would want
 it to look up any records (MX, A) and try to sent the mail to the underlying
 mailserver.

you want relay, so you do not need the domain locally configured
in other words you want a list of allowed domains

 why if it is as local domain configured?
 To ensure that mails are delivered to the right server since a 100% dynamic
 system sadly is open for fraudulent entries.

how will a local domain here help?

this is your friend and NOT local domains, mixed with
some other relay-params and mysql-lookup-tables it
should be easy to make a defacto catch-all@domain

http://www.postfix.org/postconf.5.html#relay_domains

 in other words: this all does not make any sense
 Neither do parts of your email. I, and I think many others, would appreciate
 it if you reply in a more polite way since we're only here to share
 information and furthermore it would be amazing if you re-read your emails
 before sending them since they are full of weird sentences, typos and wrong
 grammar. Thanks

maybe it would help next time to try to describe what you want
to do, instead of coming with a solution which is not one and trying
to find out how you can misuse it

P.S.: not all of us are native English speakers





Re: forcing MX lookups

2012-02-16 Thread Michael Orlitzky

On 02/16/2012 12:13 PM, Dipl.-Ing. Juergen Ladstaetter wrote:


yet. Is there any way to configure postfix to always make MX record DNS
lookups, or is the only way through a second postfix instance that has no
localdomains specified?


Even with two instances you could have problems.

For example, your users might have aliases that get expanded on the 
incoming instance, where the maps are controlled by customers. If one of 
your customers sets up example.com, and has u...@example.com aliased to 
u...@example.net hosted elsewhere, they could be open to another 
customer stealing the example.net mail.


One instance per customer is /probably/ safe, but I wouldn't swear to it 
without some more thought.


Re: forcing MX lookups

2012-02-16 Thread /dev/rob0
On Thu, Feb 16, 2012 at 03:20:30PM -0500, Michael Orlitzky wrote:
 On 02/16/2012 12:13 PM, Dipl.-Ing. Juergen Ladstaetter wrote:
 
 yet. Is there any way to configure postfix to always make MX 
 record DNS lookups, or is the only way through a second postfix 
 instance that has no localdomains specified?
 
 Even with two instances you could have problems.
 
 For example, your users might have aliases that get expanded on the 
 incoming instance, where the maps are controlled by customers. If 
 one of your customers sets up example.com, and has u...@example.com 
 aliased to u...@example.net hosted elsewhere, they could be open to 
 another customer stealing the example.net mail.

If there is a way to force all alias expansion to go through the 
clean instance, this might work. Only thing I can think of is to 
append a domain component to all such names as used in aliasing, 
stripping it off on the way out. Then if it's valid, the clean 
relayhost would pass it right back.

u...@example.com    u...@example.net.Juergen

Maybe either generic(5) maps on the dirty instance, or canonical(5) 
on the clean one, could strip this out and send it properly.

 One instance per customer is /probably/ safe, but I wouldn't swear
 to it without some more thought.

At least in that case they'd only have themselves to blame. :)

I would also consider periodic automated DNS checks which would 
disable any domain where DNS points elsewhere. (Or at least alert 
administrators to check on it.)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: forcing MX lookups

2012-02-16 Thread Dipl.-Ing. Juergen Ladstaetter
Thank you both very much. That input was very good and I might rethink the
strategy we're aiming at. Probably active DNS checks and periodic re-checks
are better to ensure some security. Thanks guys


-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of /dev/rob0
Sent: Thursday, February 16, 2012 3:38 PM
To: postfix-users@postfix.org
Subject: Re: forcing MX lookups

On Thu, Feb 16, 2012 at 03:20:30PM -0500, Michael Orlitzky wrote:
 On 02/16/2012 12:13 PM, Dipl.-Ing. Juergen Ladstaetter wrote:
 
 yet. Is there any way to configure postfix to always make MX record 
 DNS lookups, or is the only way through a second postfix instance 
 that has no localdomains specified?
 
 Even with two instances you could have problems.
 
 For example, your users might have aliases that get expanded on the 
 incoming instance, where the maps are controlled by customers. If one 
 of your customers sets up example.com, and has u...@example.com 
 aliased to u...@example.net hosted elsewhere, they could be open to 
 another customer stealing the example.net mail.

If there is a way to force all alias expansion to go through the clean
instance, this might work. Only thing I can think of is to append a domain
component to all such names as used in aliasing, stripping it off on the way
out. Then if it's valid, the clean 
relayhost would pass it right back.

u...@example.com    u...@example.net.Juergen

Maybe either generic(5) maps on the dirty instance, or canonical(5) on the
clean one, could strip this out and send it properly.

 One instance per customer is /probably/ safe, but I wouldn't swear to 
 it without some more thought.

At least in that case they'd only have themselves to blame. :)

I would also consider periodic automated DNS checks which would disable any
domain where DNS points elsewhere. (Or at least alert administrators to
check on it.)
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: Re: forcing MX lookups

2012-02-16 Thread Tom Hendrikx
On 16-02-12 23:52, Dipl.-Ing. Juergen Ladstaetter wrote:
 Thank you both very much. That input was very good and I might rethink the
 strategy we're aiming at. Probably active DNS checks and periodic re-checks
 are better to ensure some security. Thanks guys
 

Checking DNS at input time would still suffice.

You simply require that domains entered have their MXen pointing to a
predefined set of hosts (your cluster). They might change their own MX
records later on (which will only harm the customer), but ibm.com will
never point to your MXen to your cluster, so no customer can ever enter it.

As long as you don't allow changing the domain itself without a
re-check, no customer will ever be able to configure a domain that has
MX records not controlled by that same customer.

Shops that do hosted exchange etc (google, outlook.com) ask you to
(temporarily) add some unique key/identifier to your DNS zone on order
to prove that you actually own the zone (and the MX records). Same
principle, but a bit more work for the customer.

 
 -Original Message-
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of /dev/rob0
 Sent: Thursday, February 16, 2012 3:38 PM
 To: postfix-users@postfix.org
 Subject: Re: forcing MX lookups
 
 On Thu, Feb 16, 2012 at 03:20:30PM -0500, Michael Orlitzky wrote:
 On 02/16/2012 12:13 PM, Dipl.-Ing. Juergen Ladstaetter wrote:

 yet. Is there any way to configure postfix to always make MX record 
 DNS lookups, or is the only way through a second postfix instance 
 that has no localdomains specified?

 Even with two instances you could have problems.

 For example, your users might have aliases that get expanded on the 
 incoming instance, where the maps are controlled by customers. If one 
 of your customers sets up example.com, and has u...@example.com 
 aliased to u...@example.net hosted elsewhere, they could be open to 
 another customer stealing the example.net mail.
 
 If there is a way to force all alias expansion to go through the clean
 instance, this might work. Only thing I can think of is to append a domain
 component to all such names as used in aliasing, stripping it off on the way
 out. Then if it's valid, the clean 
 relayhost would pass it right back.
 
 u...@example.com    u...@example.net.Juergen
 
 Maybe either generic(5) maps on the dirty instance, or canonical(5) on the
 clean one, could strip this out and send it properly.
 
 One instance per customer is /probably/ safe, but I wouldn't swear to 
 it without some more thought.
 
 At least in that case they'd only have themselves to blame. :)
 
 I would also consider periodic automated DNS checks which would disable any
 domain where DNS points elsewhere. (Or at least alert administrators to
 check on it.)
 --
   http://rob0.nodns4.us/ -- system administration and consulting
   Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
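
Tom's input-time check, written out as an added example that is not code from the thread. It accepts a customer-submitted domain only if every MX target is one of the cluster's own hosts, with the "publish a unique token in your zone" proof as the alternative. It goes slightly beyond the thread in requiring all MX records, not just one, to point at the cluster, so a domain that merely lists the cluster as a low-priority backup MX cannot be claimed. The cluster hostnames, the token format, the resolve(name, rrtype) callable and the in-memory zone are all assumptions; in production the callable would wrap a real resolver (for instance dnspython's dns.resolver.resolve()), and the constructed zone below stands in for it so the module runs offline.

```python
"""Input-time validation of a customer-supplied mail domain (added example)."""
import secrets

# Hypothetical MX hostnames of "our cluster"; the thread never names them.
CLUSTER_MX = frozenset({"mx1.cluster.example.", "mx2.cluster.example."})


def mx_targets(resolve, domain):
    """Set of MX target hostnames for domain, lower-cased and absolute.

    resolve(name, "MX") is expected to return strings of the form
    "<preference> <host>". An empty set means the domain has no MX at
    all; that is still a valid mail domain (RFC 5321 falls back to the
    A record), just not one whose ownership the MX set can prove.
    """
    targets = set()
    for rr in resolve(domain, "MX"):
        _pref, host = rr.split(None, 1)
        host = host.strip().lower()
        if not host.endswith("."):
            host += "."
        targets.add(host)
    return targets


def mx_points_to_cluster(resolve, domain, cluster=CLUSTER_MX):
    """Tom's rule: the domain's MX set must be non-empty and entirely ours.

    Requiring every MX, not just one, stops a customer from adding our
    MX at a low preference while keeping their real MX, and stops anyone
    claiming a domain that only uses us as a backup MX.
    """
    targets = mx_targets(resolve, domain)
    return bool(targets) and targets <= cluster


def make_ownership_token():
    """Per-customer secret to be published as a TXT record (assumed format)."""
    return "mailhost-verify=" + secrets.token_hex(16)


def txt_token_present(resolve, domain, token):
    """Ownership proof: a TXT record at the apex must carry the token."""
    return any(token in rr for rr in resolve(domain, "TXT"))


def domain_acceptable(resolve, domain, token=None):
    """Accept the domain if its MX set is ours or the token is published.

    Re-run on a schedule: MX records can change after signup.
    """
    domain = domain.rstrip(".").lower()
    if mx_points_to_cluster(resolve, domain):
        return True
    return token is not None and txt_token_present(resolve, domain, token)


# Constructed zone data so the example runs offline; not real DNS.
# "ibm.com" stands in for the thread's example of a domain nobody on the
# platform owns; its MX value here is invented.
_FAKE_ZONE = {
    ("customer.example", "MX"): ["10 mx1.cluster.example.",
                                 "20 MX2.cluster.example"],
    ("backup-only.example", "MX"): ["10 mail.backup-only.example.",
                                    "50 mx1.cluster.example."],
    ("ibm.com", "MX"): ["10 mx.not-our-cluster.example."],
    ("nomx.example", "MX"): [],
    ("nomx.example", "TXT"): ["v=spf1 -all", "mailhost-verify=deadbeef"],
}


def fake_resolve(name, rrtype):
    """Stand-in for a real resolver; returns [] for anything unknown."""
    return list(_FAKE_ZONE.get((name.rstrip(".").lower(), rrtype), []))


if __name__ == "__main__":
    for d in ("customer.example", "backup-only.example", "ibm.com", "nomx.example"):
        print(d, domain_acceptable(fake_resolve, d, token="mailhost-verify=deadbeef"))
```

Run domain_acceptable() again periodically, as /dev/rob0 suggests, and disable or alert on domains whose MX set has drifted away from the cluster; the token path needs the issued token stored per customer so the re-check can use it.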
 



per sender relay and sasl not receiving username/password

2012-02-16 Thread Jake Stride
I am trying to set up my mail server to send email from a single email address 
via a relay and deliver all other email properly, however I am having problems 
with the TLS authentication and was hoping for some pointers please. The current 
configs are below (anonymised) and the error I am getting is:

*log*

Feb 16 23:53:37 my-server postfix/smtp[21955]: 406E2E4382: 
to=addr...@domain.com, relay=127.0.0.1[127.0.0.1]:1125, delay=1.1, 
delays=0.02/0.03/0.5/0.51, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] 
said: 554 Transaction failed: User name is missing: 'undisclosed-recipients:;'. 
(in reply to end of DATA command))

*sender_relay*

address-to-re...@somedomain.com   [127.0.0.1]:1125

*sasl_password*

[127.0.0.1]:1125    user:pass

*main.cf*

#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate delayed mail warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.mydomain.com, localhost, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# This allows us to specify our mail to go via other servers
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
# This allows us to pipe mail to a script
local_recipient_maps =
luser_relay = our_script
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
permit





Re: forcing MX lookups

2012-02-16 Thread Reindl Harald


On 17.02.2012 00:07, Tom Hendrikx wrote:
 On 16-02-12 23:52, Dipl.-Ing. Juergen Ladstaetter wrote:
 Thank you both very much. That input was very good and I might rethink the
 strategy we're aiming at. Probably active DNS checks and periodic re-checks
 are better to ensure some security. Thanks guys

 
 Checking DNS at input time would still suffice.
 
 You simply require that domains entered have their MXen pointing to a
 predefined set of hosts (your cluster). They might change their own MX
 records later on (which will only harm the customer), but ibm.com will
 never point to your MXen to your cluster, so no customer can ever enter it.
 
 As long as you don't allow changing the domain itself without a
 re-check, no customer will ever be able to configure a domain that has
 MX records not controlled by that same customer.
 
 Shops that do hosted exchange etc (google, outlook.com) ask you to
 (temporarily) add some unique key/identifier to your DNS zone in order
 to prove that you actually own the zone (and the MX records). Same
 principle, but a bit more work for the customer.

that is what I said from the first moment on
it must not go to postfix

it has to be verified and rejected at input time, and user input
MUST NEVER be processed without verification in any form, or
the app is broken by design

simple function in PHP written in 30 seconds

<?php
// Returns true when the domain part of $Address has MX records, or,
// failing that, at least an A record; each lookup is retried once.
function verify_mail_domain($Address)
{
 $split = explode('@', $Address);
 if(count($split) != 2 || $split[1] === '')
 {
  return false; // no domain part at all
 }
 $domain = $split[1];
 $mx_failed = 0;
 if(!getmxrr($domain, $mxhosts))
 {
  usleep(50); // short pause before the single retry
  if(!getmxrr($domain, $mxhosts))
  {
   $mx_failed = 1;
  }
 }
 if($mx_failed)
 {
  // No MX: fall back to the A record. gethostbyname() returns the
  // name unchanged when the lookup fails, hence the comparison.
  $host_ip = gethostbyname($domain);
  if(empty($host_ip) || $host_ip == $domain)
  {
   usleep(50);
   $host_ip = gethostbyname($domain);
   if(empty($host_ip) || $host_ip == $domain)
   {
    return false;
   }
  }
 }
 return true;
}





Re: per sender relay and sasl not receiving username/password

2012-02-16 Thread Patrick Ben Koetter
* Jake Stride j...@stride.me.uk:
 I am trying to setup my mail server to send email from a single email address 
 via a relay and deliver all other email properly, however I am having problems 
 with the TLS authentication and was hoping for some points please. The 
 current configs are below (anonymised) and the error I am getting is:
 
 *log*
 
 Feb 16 23:53:37 my-server postfix/smtp[21955]: 406E2E4382: 
 to=addr...@domain.com, relay=127.0.0.1[127.0.0.1]:1125, delay=1.1, 
 delays=0.02/0.03/0.5/0.51, dsn=5.0.0, status=bounced (host 
 127.0.0.1[127.0.0.1] said: 554 Transaction failed: User name is missing: 
 'undisclosed-recipients:;'. (in reply to end of DATA command))

I don't think this is a SASL related problem.

The receiving side seems to dislike the To:-header; specifically, it complains
that the To-header does not contain a FQDN mail address, i.e. localpart@domainpart.

 address-to-re...@somedomain.com   [127.0.0.1]:1125
 
 *sasl_password*
 
 [127.0.0.1]:1125 user:pass
 
 *main.cf*

Better use 'postconf -n' to create configuration output from main.cf.

p@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/


Re: How to block senders whose domain without a MX record

2012-02-16 Thread daniel zhou
Thanks all for the clarification.
 
You are right. That idea may block more real mail than the spam ones.
 


 From: /dev/rob0 r...@gmx.co.uk
To: postfix-users@postfix.org 
Sent: Thursday, February 16, 2012 9:28 PM
Subject: Re: How to block senders whose domain without a MX record
  
On Thu, Feb 16, 2012 at 05:06:22AM -0800, daniel zhou wrote:
 The document segment about the reject_unknown_sender_domain says 
 that it will reject the domain without A record or MX record. Does 
 it mean that only domains with both A and MX record will be 
 accepted? Or, it means any domains with only A record,domains with 
 only MX record or with both will be accepted. Can anyone clarify 
 it? Thanks!

An unknown sender domain means that the name did not resolve in a way 
such that mail could be delivered to it. An A record, even if it's 
0.0.0.0 or 127.x.x.x or any other address that might not be 
deliverable for some reason, qualifies as a known sender domain. 
Unless of course there is a MX, and that name does not resolve: then 
it is unknown. Also a malformed MX record is unknown.

IIRC these rules can be found in RFC 5321 and predecessors.

 I just want to block the senders whose domain without MX record, 
 even if it has an A record.

There is check_sender_mx_access, but I don't know if it strictly 
works the way you want. Also, I don't think your idea is a good one. 
You will block some real mail, I bet, while making little if any 
impact on spam.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
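The two DNS rules argued over in this digest, modelled offline as an added example (not code from any of the posts): the input-time check Tom Hendrikx and Reindl Harald describe (a customer's domain must have MX records, and for hosting sign-up they must point at a predefined cluster) and the known-sender-domain rule /dev/rob0 explains above. The zone data is constructed and the resolver is injectable, so nothing touches real DNS.

```python
"""Added example, not code from the thread: offline model of the MX checks
discussed here. FAKE_DNS is constructed data; pass your own resolver to use it
against real records."""
from typing import Callable, Dict, List

# Constructed zone data: name -> {"MX": [(preference, target), ...], "A": [ip, ...]}
FAKE_DNS: Dict[str, Dict[str, list]] = {
    "example.org":         {"MX": [(10, "mx1.cluster.example"), (20, "mx2.cluster.example")]},
    "mx1.cluster.example": {"A": ["192.0.2.10"]},
    "mx2.cluster.example": {"A": ["192.0.2.11"]},
    "a-only.example":      {"A": ["192.0.2.20"]},            # no MX, A record only
    "bigcorp.example":     {"MX": [(10, "mx.bigcorp.example")]},
    "mx.bigcorp.example":  {"A": ["192.0.2.30"]},
    "dangling.example":    {"MX": [(10, "gone.example")]},   # MX target never resolves
    "malformed.example":   {"MX": [(10, "")]},               # empty MX target
}

Resolver = Callable[[str, str], list]

def fake_lookup(name: str, rtype: str) -> list:
    """Stand-in for a DNS query: the records of one type for one name."""
    return list(FAKE_DNS.get(name.lower().rstrip("."), {}).get(rtype, []))

def mx_targets(domain: str, lookup: Resolver = fake_lookup) -> List[str]:
    """MX targets in preference order; empty when the domain has no MX."""
    return [target for _, target in sorted(lookup(domain, "MX"))]

def is_known_domain(domain: str, lookup: Resolver = fake_lookup) -> bool:
    """The rule as /dev/rob0 describes it: an A record alone is enough; when
    MX records exist, each target must be well-formed and must itself resolve."""
    targets = mx_targets(domain, lookup)
    if not targets:
        return bool(lookup(domain, "A"))
    return all(t and lookup(t, "A") for t in targets)

def mx_within_cluster(domain: str, cluster: set, lookup: Resolver = fake_lookup) -> bool:
    """Tom Hendrikx's sign-up check: accept a customer domain only when every
    MX record points at a host we operate. A domain without MX fails."""
    targets = mx_targets(domain, lookup)
    return bool(targets) and all(t.lower().rstrip(".") in cluster for t in targets)

if __name__ == "__main__":
    ours = {"mx1.cluster.example", "mx2.cluster.example"}
    for name in FAKE_DNS:
        print(name, "known=%s" % is_known_domain(name),
              "in_cluster=%s" % mx_within_cluster(name, ours))
```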

Re: per sender relay and sasl not receiving username/password

2012-02-16 Thread Jake Stride
Thanks - I was using sendmail -f addr...@domain.com to check it worked, using 
telnet the current config works.

Thanks for the help. 





Re: Ldap queries optimization

2012-02-16 Thread Angel L. Mateo

On 16/02/12 16:35, Viktor Dukhovni wrote:

On Thu, Feb 16, 2012 at 10:49:10AM +0100, Angel L. Mateo wrote:


My config is:

virtual_alias_maps = hash:/etc/postfix/alu-aliases,
hash:/etc/postfix/dif-aliases,
proxy:ldap:/etc/postfix/ldap-sysaliases.cf

relay_recipient_maps = hash:/etc/postfix/relaydomains,
hash:/etc/postfix/alu-aliases,
hash:/etc/postfix/dif-aliases,
proxy:ldap:/etc/postfix/ldap-vmail.cf,
proxy:ldap:/etc/postfix/ldap-sysaliases.cf


There is no need to list virtual alias lookup tables in
relay_recipient_maps. Postfix performs that lookup automatically,
therefore, the relay_recipient_maps setting should be just:

relay_recipient_maps = hash:/etc/postfix/relaydomains,
proxy:ldap:/etc/postfix/ldap-vmail.cf


In my tests I have found that during a smtp transaction the next
searches are done:


If your LDAP tables contain no bare (just the local part) address
lookup keys, you may consider using %u@%d instead of %s in the
query definition. That could also avoid some unneeded lookups,
otherwise Postfix performs the lookups it needs to, and unless
you've failed to index your LDAP attributes appropriately, Postfix
is unlikely to be a significant burden on LDAP, nor is LDAP likely
to noticeably slow down Postfix.


mydestination = $myhostname, localhost.\$mydomain, localhost


That \ is unlikely to be what you want.


mynetworks = 127.0.0.0/8, 155.54.0.0/16, 10.54.0.0/16, 10.56.0.0/16, 
10.64.0.0/28, 172.19.0.0/16, 155.54.212.160/28


With the entire class 155.54/16 listed, no need for the final /28.


smtpd_banner = $myhostname NO UCE ESMTP


Don't, or at least make it $myhostname ESMTP NO UCE, that ESMTP is not
semantically valid unless it immediately follows the hostname.


smtpd_client_restrictions =
reject_rbl_client rbl.um.es,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/whitelist_um,
reject_unknown_reverse_client_hostname,
check_client_access cidr:/etc/postfix/client_checks.cidr,
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_end_of_data_restrictions = $(smtpdEndOfDataRestrictions)
smtpd_helo_restrictions =
permit_mynetworks,
check_helo_access hash:/etc/postfix/helo_checks
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_recipient_access hash:/etc/postfix/verified_recipient_checks,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_recipient_maps,
permit


You don't need these last two, they are implicit.


smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
check_sender_access pcre:/etc/postfix/sender_checks.pcre


Otherwise nothing else to do in Postfix, make sure your LDAP tables
are properly indexed.

Although I could refine these configuration changes, the problem is not ldap 
indexes. I have all indexes created, and openldap is answering all the 
queries postfix makes. The problem I'm trying to fix is that postfix is 
making a lot of repeated queries. In the transactions I sent in my first 
email, one transaction makes 8 queries, 5 of them being the same query.


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
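Viktor's %u@%d suggestion, as an added example (not code from the thread or from Postfix itself): a small query_filter expander written here after the %s, %u and %d semantics documented in ldap_table(5), showing that a bare local-part key is never sent to LDAP when the filter uses %d. The templates, keys and the escaping helper are my own construction.

```python
"""Added example, not Postfix code: models the ldap_table(5) rule that %d
suppresses the lookup when the key has no domain part, which is why a
query_filter built from %u@%d sends fewer queries than one built from %s."""
from typing import Iterable, List, Optional

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping of the characters that are special inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def expand_query_filter(template: str, key: str) -> Optional[str]:
    """Expand %s / %u / %d as ldap_table(5) documents them:
    %s  the whole key
    %u  local part when key is user@domain, otherwise the whole key
    %d  domain part when key is user@domain, otherwise the lookup is
        suppressed (returned as None: no query is sent at all).
    Other expansions (%S, %U, %D, %1..%9) are not modelled here."""
    if "@" in key:
        user, _, domain = key.rpartition("@")   # Postfix splits at the last '@'
    else:
        user, domain = key, None
    out: List[str] = []
    i = 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            spec = template[i + 1]
            if spec == "s":
                out.append(ldap_filter_escape(key))
            elif spec == "u":
                out.append(ldap_filter_escape(user))
            elif spec == "d":
                if domain is None:
                    return None                  # suppressed, nothing sent to LDAP
                out.append(ldap_filter_escape(domain))
            elif spec == "%":
                out.append("%")
            else:
                raise ValueError("unsupported expansion %%%s" % spec)
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def queries_sent(template: str, keys: Iterable[str]) -> List[str]:
    """The subset of lookup keys for which an LDAP query would actually go out."""
    return [k for k in keys if expand_query_filter(template, k) is not None]

if __name__ == "__main__":
    keys = ["user@example.com", "user"]         # constructed lookup keys
    for tmpl in ("(mail=%s)", "(mail=%u@%d)"):
        print(tmpl, "->", queries_sent(tmpl, keys))
```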