RE: FW: Postfix delivery to openldap users

2012-03-29 Thread Priscilla V
It searches for mail=prisci...@domain.com and mail=Priscilla.
With the present ldap.cf it returns the username only for 
mail=prisci...@domain.com and does not return anything for mail=Priscilla.
This is the reason for the error "User unknown in local recipient table".
The following is the LDAP log written while sending email.

LDAP log 


Mar 30 09:53:21 intml slapd[3104]: conn=1060 fd=15 ACCEPT from IP=127.0.0.1:57799 (IP=0.0.0.0:389)
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=0 BIND dn="cn=Manager,o=domain.com" method=128
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=0 BIND dn="cn=Manager,o=domain.com" mech=SIMPLE ssf=0
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=0 RESULT tag=97 err=0 text=
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=1 SRCH base="o=domain.com" scope=2 deref=0 filter="(mail=prisci...@domain.com)"
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=1 SRCH attr=uid
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 30 09:53:21 intml slapd[3104]: conn=1061 fd=16 ACCEPT from IP=127.0.0.1:57800 (IP=0.0.0.0:389)
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=0 BIND dn="cn=Manager,o=domain.com" method=128
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=0 BIND dn="cn=Manager,o=domain.com" mech=SIMPLE ssf=0
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=0 RESULT tag=97 err=0 text=
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=1 SRCH base="o=domain.com" scope=2 deref=0 filter="(mail=priscilla)"
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=1 SRCH attr=uid
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=


END of LDAP log

Kindly suggest some change.

Regards
Priscilla


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Nikolaos Milas
Sent: Thursday, March 29, 2012 5:15 PM
To: 'Postfix users'
Subject: Re: FW: Postfix delivery to openldap users

On 29/3/2012 2:13 PM, Priscilla V wrote:

> Even after changing it to %u the postmap command is not returning any value.

You could run:

postmap -vvv -q ldapuser ldap:/etc/postfix/ldap.cf

and try to see where is the problem.

Also, try to run a simple ldapsearch on the same machine with the same 
parameters (search key, server, credentials, binddn, return attributes
etc.) and see if it works.

Nick
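
Added example, not part of the thread: a small correlator for slapd log lines in the format shown in the message above. It pairs every search filter with its result count and the identity that issued it, so lookups that return no entry, and simple binds made with ssf=0 (no TLS or SASL protection layer), stand out. The sample log is constructed (wrapped lines joined, placeholder user name), and the function names are this example's own.

```python
import re

# Constructed sample in the slapd log format from the message above.
# Wrapped lines are joined; "user" is a placeholder, not the poster's address.
SAMPLE_LOG = """\
Mar 30 09:53:21 intml slapd[3104]: conn=1060 fd=15 ACCEPT from IP=127.0.0.1:57799 (IP=0.0.0.0:389)
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=0 BIND dn="cn=Manager,o=domain.com" method=128
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=0 BIND dn="cn=Manager,o=domain.com" mech=SIMPLE ssf=0
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=0 RESULT tag=97 err=0 text=
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=1 SRCH base="o=domain.com" scope=2 deref=0 filter="(mail=user@domain.com)"
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=1 SRCH attr=uid
Mar 30 09:53:21 intml slapd[3104]: conn=1060 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 30 09:53:21 intml slapd[3104]: conn=1061 fd=16 ACCEPT from IP=127.0.0.1:57800 (IP=0.0.0.0:389)
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=0 BIND dn="cn=Manager,o=domain.com" method=128
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=0 BIND dn="cn=Manager,o=domain.com" mech=SIMPLE ssf=0
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=0 RESULT tag=97 err=0 text=
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=1 SRCH base="o=domain.com" scope=2 deref=0 filter="(mail=user)"
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=1 SRCH attr=uid
Mar 30 09:53:21 intml slapd[3104]: conn=1061 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# Everything after "conn=N [op=M]" is the operation-specific part.
LINE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")
BIND = re.compile(r'BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
SRCH = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=\d+ deref=\d+ filter="(?P<filter>.*)"$')
ATTR = re.compile(r"SRCH attr=(?P<attrs>.*)$")
DONE = re.compile(r"SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+)")


def correlate(log_text):
    """Return one record per search: filter, attributes, result, bind identity."""
    binds = {}     # conn -> (dn, mech, ssf)
    searches = {}  # (conn, op) -> record, kept in log order
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        key = (conn, op)
        if (b := BIND.match(rest)):
            binds[conn] = (b["dn"], b["mech"], int(b["ssf"]))
        elif (s := SRCH.match(rest)):
            searches[key] = {"conn": conn, "base": s["base"],
                             "filter": s["filter"], "attrs": [],
                             "err": None, "nentries": None}
        elif (a := ATTR.match(rest)) and key in searches:
            searches[key]["attrs"] = a["attrs"].split()
        elif (d := DONE.match(rest)) and key in searches:
            searches[key]["err"] = int(d["err"])
            searches[key]["nentries"] = int(d["n"])
    records = list(searches.values())
    for rec in records:
        rec["bind"] = binds.get(rec["conn"])
    return records


def empty_lookups(records):
    """Filters that completed without error but matched no entry."""
    return [r["filter"] for r in records
            if r["err"] == 0 and r["nentries"] == 0]


def unprotected_simple_binds(records):
    """DNs that searched after a SIMPLE bind with ssf=0 (password sent in clear)."""
    return sorted({r["bind"][0] for r in records
                   if r["bind"] and r["bind"][1] == "SIMPLE" and r["bind"][2] == 0})


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for r in recs:
        print(r["conn"], r["filter"], r["attrs"], "nentries=%s" % r["nentries"])
    print("no match:", empty_lookups(recs))
    print("simple bind, ssf=0:", unprotected_simple_binds(recs))
```
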



Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Sahil Tandon
On Thu, 2012-03-29 at 18:51:49 -0400, Wietse Venema wrote:

> ... 
> > That is clear. However, smtpd_reject_footer is part of the stable
> > release, so it cannot be changed.
> > 
> > Hence, my request for suggestions how we would document this. Maybe
> > we can use a name similar, but not identical, to "smtpd_reject_footer".
> 
> Another option is to extend smtpd_reject_footer's feature set,
> so that
> 
>   smtpd_reject_footer = \c Text to append
> 
> Will append the text without starting a new line. All other
> smtpd_reject_footer features would work as before.

Elegant.  +1 FWIW.

-- 
Sahil Tandon


Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Noel Jones
On 3/29/2012 5:51 PM, Wietse Venema wrote:
> Wietse Venema:
>> Ralf Hildebrandt:
>>> * Reindl Harald :
>>>> Hi
>>>>
>>>> i really love "smtpd_reject_footer" to put contact informations
>>>> and a hint that SMTP auth is needed in the response
>>>>
>>>> would it not make sense to add the content of "smtpd_reject_footer"
>>>> to the default-answer instead in a seperated line which can be
>>>> easily achieved by put \n at the begin
>>>>
>>>> i noticed that some software out there seems to handle it
>>>> wrong and display ONLY the reject footer at all or whatever
>>>> is the last response line
>>>
>>> Indeed. I received several error messages that had the
>>> smtpd_reject_footer reduced to what you observed.
>>
>> That is clear. However, smtpd_reject_footer is part of the stable
>> release, so it cannot be changed.
>>
>> Hence, my request for suggestions how we would document this. Maybe
>> we can use a name similar, but not identical, to "smtpd_reject_footer".
> 
> Another option is to extend smtpd_reject_footer's feature set,
> so that
> 
>   smtpd_reject_footer = \c Text to append
> 
> Will append the text without starting a new line. All other
> smtpd_reject_footer features would work as before.
> 
>   Wietse


I like this as the least disruptive change.

Docs could be something like:

Use the two character sequence \c at the beginning of the text to
signal a single-line response.  This is a compatibility aid for mail
clients that only present one line of the server response to the
user.   The \c feature is available with postfix 2.10 and later.

Example:

/etc/postfix/main.cf:
smtpd_reject_footer = \c For assistance, call 800-555-0101.

Server response:

550-5.5.1  Recipient address rejected: User
unknown; For assistance, call 800-555-0101.







Re: Debugging the transport table

2012-03-29 Thread N. Yaakov Ziskind
Noel Jones wrote (on Thu, Mar 29, 2012 at 06:39:34PM -0500):
> On 3/29/2012 4:49 PM, N. Yaakov Ziskind wrote:
> > (version 2.7.0; postconf -n upon request). I'm having trouble using the
> > transport table with a non-default server port. Specifically, I have
> > 
> ...
> > me...@crownkosher.net   :[pizza.ziskind.us]:2525
> 
>.NET
> 
> ...
> > but
> > Mar 29 17:39:28 chocolate postfix/smtp[18687]: 71E781E2981:
> > to=, relay=none, delay=119, delays=98/0.04/21/0, 
> > dsn=4.4.1, status=deferred (connect to pizza.ziskind.us[24.191.111.65]:25: 
> > Connection timed out)
> 
> 
>.COM
> 
> 
> Not so big a mystery after all.
> 
> 
> 
>   -- Noel Jones

:facepalm:
You're right, of course. /runs for more caffeine

Thanks!

-- 
_
Nachman Yaakov Ziskind, FSPA, LLM   aw...@ziskind.us
Attorney and Counselor-at-Law   http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants


Re: Debugging the transport table

2012-03-29 Thread N. Yaakov Ziskind
/dev/rob0 wrote (on Thu, Mar 29, 2012 at 05:14:04PM -0500):
> On Thu, Mar 29, 2012 at 05:49:20PM -0400, N. Yaakov Ziskind wrote:
> 
> > (version 2.7.0; postconf -n upon request). I'm having trouble
> > using  the transport table with a non-default server port.
> > Specifically, I have
> > 
> > sh...@ziskind.us:[pizza.ziskind.us]:2525
> > me...@crownkosher.net   :[pizza.ziskind.us]:2525
> > 
> > the last being newly added. Results: Mar 25 08:02:11 chocolate 
> > postfix/smtp[22965]: E0BDA1E201E: to=, 
> > relay=pizza.ziskind.us[24.191.111.65]:2525, delay=2.7, 
> > delays=0.87/0.05/0.35/ 1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: 
> > queued as 86C48A6034B)
> > 
> > but
> > Mar 29 17:39:28 chocolate postfix/smtp[18687]: 71E781E2981: 
> > to=, relay=none, delay=119, 
> > delays=98/0.04/21/0, dsn=4.4.1, status=deferred (connect to 
> > pizza.ziskind.us[24.191.111.65]:25: Connection timed out)
> > 
> > So, the port number is not being used. I recall, on adding the 
> > first line, having some issues but forgot what I did to actually 
> > get it going. How do I debug this?
> 
> Based on the information here, I would guess that you forgot to 
> postmap your transport_maps file. That's really all I can guess. But 
> that should have given you warnings in the logs, so it's strange you 
> didn't see those when you retrieved the above lines.

Alas, I wish:

# l -ltr
total 672
[snip]
-rwxr--r-- 1 root root  10111 2012-03-29 17:17 transport*
-rwxr--r-- 1 root root  12288 2012-03-29 17:17 transport.db*

-- 
_
Nachman Yaakov Ziskind, FSPA, LLM   aw...@ziskind.us
Attorney and Counselor-at-Law   http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants


Re: Debugging the transport table

2012-03-29 Thread Noel Jones
On 3/29/2012 4:49 PM, N. Yaakov Ziskind wrote:
> (version 2.7.0; postconf -n upon request). I'm having trouble using the
> transport table with a non-default server port. Specifically, I have
> 
...
> me...@crownkosher.net   :[pizza.ziskind.us]:2525

   .NET

...
> but
> Mar 29 17:39:28 chocolate postfix/smtp[18687]: 71E781E2981:
> to=, relay=none, delay=119, delays=98/0.04/21/0, 
> dsn=4.4.1, status=deferred (connect to pizza.ziskind.us[24.191.111.65]:25: 
> Connection timed out)


   .COM


Not so big a mystery after all.



  -- Noel Jones


Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Reindl Harald


On 30.03.2012 00:51, Wietse Venema wrote:
>>>> i noticed that some software out there seems to handle it
>>>> wrong and display ONLY the reject footer at all or whatever
>>>> is the last response line
>>>
>>> Indeed. I received several error messages that had the
>>> smtpd_reject_footer reduced to what you observed.
>>
>> That is clear. However, smtpd_reject_footer is part of the stable
>> release, so it cannot be changed.
>>
>> Hence, my request for suggestions how we would document this. Maybe
>> we can use a name similar, but not identical, to "smtpd_reject_footer".
> 
> Another option is to extend smtpd_reject_footer's feature set,
> so that
> 
>   smtpd_reject_footer = \c Text to append
> 
> Will append the text without starting a new line. All other
> smtpd_reject_footer features would work as before

this sounds really good and would not change existing behavior
(important for changes in minor releases) until one does it
intentionally while solving problems of confused outlook users

and finally (correct me if i am wrong) it should not be too hard
to implement in code and documentation





Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Wietse Venema
Wietse Venema:
> Ralf Hildebrandt:
> > * Reindl Harald :
> > > Hi
> > > 
> > > i really love "smtpd_reject_footer" to put contact informations
> > > and a hint that SMTP auth is needed in the response
> > > 
> > > would it not make sense to add the content of "smtpd_reject_footer"
> > > to the default-answer instead in a seperated line which can be
> > > easily achieved by put \n at the begin
> > > 
> > > i noticed that some software out there seems to handle it
> > > wrong and display ONLY the reject footer at all or whatever
> > > is the last response line
> > 
> > Indeed. I received several error messages that had the
> > smtpd_reject_footer reduced to what you observed.
> 
> That is clear. However, smtpd_reject_footer is part of the stable
> release, so it cannot be changed.
> 
> Hence, my request for suggestions how we would document this. Maybe
> we can use a name similar, but not identical, to "smtpd_reject_footer".

Another option is to extend smtpd_reject_footer's feature set,
so that

smtpd_reject_footer = \c Text to append

Will append the text without starting a new line. All other
smtpd_reject_footer features would work as before.

Wietse
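
Added example, not part of the thread and not Postfix code: a model of the two renderings discussed here, with a parser for multi-line SMTP replies, showing what a client that displays only the last reply line ends up showing. render_reject() and last_line_view() are hypothetical helpers; the recipient address is constructed, and the footer text is the sample used elsewhere in this thread.

```python
import re

# One SMTP reply line: 3-digit code, "-" (more lines follow) or " " (last
# line), then free text. Multi-line replies repeat the code on every line.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def render_reject(code, dsn, reason, footer=""):
    """Build the reject reply as the thread describes it.

    footer without prefix: sent as additional reply line(s); a literal
        two-character "\\n" inside the footer starts a further line.
    footer starting with the two characters "\\c": the proposed behaviour,
        the text after "\\c" is appended to the reason on the same line.
    """
    lines = [reason]
    if footer.startswith("\\c"):
        lines[-1] += footer[2:]
    elif footer:
        lines.extend(p.strip() for p in footer.split("\\n") if p.strip())
    out = []
    for i, text in enumerate(lines):
        sep = " " if i == len(lines) - 1 else "-"
        out.append(f"{code}{sep}{dsn} {text}")
    return "\r\n".join(out) + "\r\n"


def parse_reply(raw):
    """Parse a complete reply; return (code, [text of each line])."""
    parts = raw.split("\r\n")
    if parts[-1] != "" or len(parts) < 2:
        raise ValueError("reply must end with CRLF")
    parts = parts[:-1]
    code, texts = None, []
    for i, line in enumerate(parts):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code, sep, text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changes between lines")
        is_last = i == len(parts) - 1
        if (sep == " ") != is_last:
            raise ValueError("wrong continuation marker")
        texts.append(text)
    return code, texts


def last_line_view(raw):
    """What a client shows if it keeps only the final reply line."""
    return parse_reply(raw)[1][-1]


# Constructed inputs.
REASON = "<user@example.com>: Recipient address rejected: User unknown"
FOOTER = "For assistance, call 800-555-0101."

if __name__ == "__main__":
    for footer in (FOOTER, "\\c " + FOOTER):
        reply = render_reject("550", "5.1.1", REASON, footer)
        print(reply, end="")
        print("  last line only ->", last_line_view(reply))
```
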


Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Reindl Harald

On 29.03.2012 22:42, Wietse Venema wrote:
> Ralf Hildebrandt:
>> * Reindl Harald :
>>> would it not make sense to add the content of "smtpd_reject_footer"
>>> to the default-answer instead in a seperated line which can be
>>> easily achieved by put \n at the begin
>>>
>>> i noticed that some software out there seems to handle it
>>> wrong and display ONLY the reject footer at all or whatever
>>> is the last response line
>>
>> Indeed. I received several error messages that had the
>> smtpd_reject_footer reduced to what you observed.
> 
> That is clear. However, smtpd_reject_footer is part of the stable
> release, so it cannot be changed.

good argument, but on the other hand the handling of many clients
destroys the intention of the option and possibly introduces more
problems and it should solve intentionally

my quoted message generated by outlook was an uncommented
forwarding of a customer sending to a user in his own domain
with a typo and i had already written the reply "please
use smtp authentication in your mail-client.." because this
is often forgotten by users until i thought "wtf where is the
real reason in this pseudo-bounce" and observed the log

> Hence, my request for suggestions how we would document this. Maybe
> we can use a name similar, but not identical, to "smtpd_reject_footer"

what about a boolean option actively set to 1 for a changed
behavior to add the "smtpd_reject_footer" directly to the
builtin response? maybe easier to explain, but i am not good
in documentation at all





Re: Debugging the transport table

2012-03-29 Thread /dev/rob0
On Thu, Mar 29, 2012 at 05:49:20PM -0400, N. Yaakov Ziskind wrote:
> X-Mailer: Outlook stinks. Dump Outlook.

:)

> (version 2.7.0; postconf -n upon request). I'm having trouble
> using  the transport table with a non-default server port.
> Specifically, I have
> 
> sh...@ziskind.us:[pizza.ziskind.us]:2525
> me...@crownkosher.net   :[pizza.ziskind.us]:2525
> 
> the last being newly added. Results: Mar 25 08:02:11 chocolate 
> postfix/smtp[22965]: E0BDA1E201E: to=, 
> relay=pizza.ziskind.us[24.191.111.65]:2525, delay=2.7, 
> delays=0.87/0.05/0.35/ 1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: 
> queued as 86C48A6034B)
> 
> but
> Mar 29 17:39:28 chocolate postfix/smtp[18687]: 71E781E2981: 
> to=, relay=none, delay=119, 
> delays=98/0.04/21/0, dsn=4.4.1, status=deferred (connect to 
> pizza.ziskind.us[24.191.111.65]:25: Connection timed out)
> 
> So, the port number is not being used. I recall, on adding the 
> first line, having some issues but forgot what I did to actually 
> get it going. How do I debug this?

Based on the information here, I would guess that you forgot to 
postmap your transport_maps file. That's really all I can guess. But 
that should have given you warnings in the logs, so it's strange you 
didn't see those when you retrieved the above lines.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Debugging the transport table

2012-03-29 Thread N. Yaakov Ziskind
(version 2.7.0; postconf -n upon request). I'm having trouble using the
transport table with a non-default server port. Specifically, I have

sh...@ziskind.us:[pizza.ziskind.us]:2525
me...@crownkosher.net   :[pizza.ziskind.us]:2525

the last being newly added. Results:
Mar 25 08:02:11 chocolate postfix/smtp[22965]: E0BDA1E201E:
to=, relay=pizza.ziskind.us[24.191.111.65]:2525, delay=2.7,
delays=0.87/0.05/0.35/ 1.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 
86C48A6034B)

but
Mar 29 17:39:28 chocolate postfix/smtp[18687]: 71E781E2981:
to=, relay=none, delay=119, delays=98/0.04/21/0, 
dsn=4.4.1, status=deferred (connect to pizza.ziskind.us[24.191.111.65]:25: 
Connection timed out)

So, the port number is not being used. I recall, on adding the first
line, having some issues but forgot what I did to actually get it going.
How do I debug this?

Thanks!



Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Wietse Venema
Ralf Hildebrandt:
> * Reindl Harald :
> > Hi
> > 
> > i really love "smtpd_reject_footer" to put contact informations
> > and a hint that SMTP auth is needed in the response
> > 
> > would it not make sense to add the content of "smtpd_reject_footer"
> > to the default-answer instead in a seperated line which can be
> > easily achieved by put \n at the begin
> > 
> > i noticed that some software out there seems to handle it
> > wrong and display ONLY the reject footer at all or whatever
> > is the last response line
> 
> Indeed. I received several error messages that had the
> smtpd_reject_footer reduced to what you observed.

That is clear. However, smtpd_reject_footer is part of the stable
release, so it cannot be changed.

Hence, my request for suggestions how we would document this. Maybe
we can use a name similar, but not identical, to "smtpd_reject_footer".

Wietse


Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Ralf Hildebrandt
* Reindl Harald :
> Hi
> 
> i really love "smtpd_reject_footer" to put contact informations
> and a hint that SMTP auth is needed in the response
> 
> would it not make sense to add the content of "smtpd_reject_footer"
> to the default-answer instead in a seperated line which can be
> easily achieved by put \n at the begin
> 
> i noticed that some software out there seems to handle it
> wrong and display ONLY the reject footer at all or whatever
> is the last response line

Indeed. I received several error messages that had the
smtpd_reject_footer reduced to what you observed.


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Michael Tokarev
On 29.03.2012 23:29, Wietse Venema wrote:
> Michael Tokarev:
>> On 29.03.2012 22:23, Wietse Venema wrote:
>> []
>>> Perhaps you can suggest a way for makedefs to parse out the CPU
>>> type from "uname -whatever" and use that in the library search?
>>
>> This isn't about uname.  Uname may return one thing, yet postfix
>> may be building for entirely another -- that's the main motivation
>> behind multiarch.
> 
> The makedefs script assumes Postfix is built for the current
> architecture. It needs command-line overrides to cross-compile
> (at least that's the version I am working with).

It is possible to override $CC and $LD -- this should be
enough for cross-compilation already.

Note that the resulting binaries - even being foreign to the host
architecture - may actually work just fine, using some emulator
layer like qemu-user (www.qemu.org).  So even if the build system tries
to run executables it just built, the build process may complete
successfully.

Thanks,

/mjt


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Michael Tokarev
On 29.03.2012 23:32, Wietse Venema wrote:
> Michael Tokarev:
>> SEARCHDIRS=$(${CC-gcc} -print-search-dirs 2>/dev/null |
>> sed -n '/^libraries: =/s/libraries: =//p' |
>> sed -e 's/:/\n/g' | xargs -n1 readlink -f |
>> grep -v 'gcc\|/[0-9.]\+$' | sort -u)
>> if [ -z "$SEARCHDIRS" ]; then
>> SEARCHDIRS="/usr/lib64 /lib64 /usr/lib /lib"
>> fi
> 
> You won't find this in the makedefs files from postfix.org mirrors.
> I suppose this was added by a Linux distribution maintainer.

Most likely by the Debian maintainer, LaMont Jones.  Indeed, there's
no such code in official postfix.  But this snippet can be used
there just fine.

But I still think the best is to enable -lnsl -lresolv unconditionally,
as these libs are linked into postfix on linux for about 15 years
already anyway...

/mjt


Re: postfix REGEX bug ???

2012-03-29 Thread Noel Jones
On 3/29/2012 1:15 PM, Wietse Venema wrote:
> Noel Jones:
>> On 3/29/2012 5:48 AM, Wietse Venema wrote:
>>> You mean:
>>>
>>> /^google\.com$/
>>> /^mail\.ru$/
>>
>> The expression must also match subdomains.
>>
>> /[^.]google\.com$/
>> /[^.]mail\.ru$/
> 
> To match zero or more labels before the domain name:
> 
> /^([^.]+\.)*google\.com$/
> /^([^.]+\.)*mail\.ru$/
> 
> This cannot be simplified further.
> 
>   Wietse

Dang!  What I *meant* was
/(^|\.)google\.com$/

Which has the minor defect of leaking ".google.com"



  -- Noel Jones
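
Added example, not part of the thread: the four patterns quoted in this message run against a handful of constructed names, with the intended set (google.com itself or any subdomain with non-empty labels) as ground truth. Python's re module stands in here for the matcher behind a Postfix regexp table; matching is made case-insensitive because that is the regexp-table default. The labels and helper names are this example's own.

```python
import re

# Patterns exactly as posted, without the surrounding slashes.
PATTERNS = {
    "exact":       r"^google\.com$",
    "first_try":   r"[^.]google\.com$",
    "alternation": r"(^|\.)google\.com$",
    "labels":      r"^([^.]+\.)*google\.com$",
}

# Constructed test names: wanted matches, a look-alike, an empty leading
# label, and the domain used as a prefix of another name.
SAMPLES = [
    "google.com",
    "mail.google.com",
    "a.b.google.com",
    "GOOGLE.COM",
    "notgoogle.com",
    ".google.com",
    "google.com.example.net",
]


def matches(pattern, name):
    # search(), not match(): a table pattern is only anchored where it says
    # so. Python's "$" would also match before a trailing newline, which
    # POSIX regexes do not; the samples contain none.
    return re.search(pattern, name, re.IGNORECASE) is not None


def is_intended(name):
    """Ground truth: google.com or a subdomain, every label non-empty."""
    labels = name.lower().split(".")
    return labels[-2:] == ["google", "com"] and all(labels)


def audit():
    """Per pattern: names wrongly accepted and wanted names missed."""
    wanted = {n for n in SAMPLES if is_intended(n)}
    report = {}
    for label, pattern in PATTERNS.items():
        hits = {n for n in SAMPLES if matches(pattern, n)}
        report[label] = {
            "false_accepts": sorted(hits - wanted),
            "missed": sorted(wanted - hits),
        }
    return report


if __name__ == "__main__":
    for label, result in audit().items():
        print(f"{label:12} /{PATTERNS[label]}/")
        print("    false accepts:", result["false_accepts"] or "none")
        print("    missed:       ", result["missed"] or "none")
```
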


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Wietse Venema
Michael Tokarev:
> SEARCHDIRS=$(${CC-gcc} -print-search-dirs 2>/dev/null |
> sed -n '/^libraries: =/s/libraries: =//p' |
> sed -e 's/:/\n/g' | xargs -n1 readlink -f |
> grep -v 'gcc\|/[0-9.]\+$' | sort -u)
> if [ -z "$SEARCHDIRS" ]; then
> SEARCHDIRS="/usr/lib64 /lib64 /usr/lib /lib"
> fi

You won't find this in the makedefs files from postfix.org mirrors.
I suppose this was added by a Linux distribution maintainer.

Wietse


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Michael Tokarev
On 29.03.2012 23:23, John Peach wrote:

> My Ubuntu Precise box has the following in /etc/ld.so.conf which
> will pick up those directories:

You can install libraries for other architectures - sparc, mipsel,
etc - and the corresponding dirs will be added to the list.  Yes
even if you're on x86, you can still run sparc executables by means
of qemu for example - it will register as binfmt-misc handler which
is able to run foreign code, for which corresponding foreign libraries
are needed.

Note yet again: hardcoding various i686/i386/x86_64/etc paths is
wrong, the world is FAR from being x86-only.

/mjt


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Wietse Venema
Michael Tokarev:
> On 29.03.2012 22:23, Wietse Venema wrote:
> []
> > Perhaps you can suggest a way for makedefs to parse out the CPU
> > type from "uname -whatever" and use that in the library search?
> 
> This isn't about uname.  Uname may return one thing, yet postfix
> may be building for entirely another -- that's the main motivation
> behind multiarch.

The makedefs script assumes Postfix is built for the current
architecture. It needs command-line overrides to cross-compile
(at least that's the version I am working with).

> So the best fix for this stuff is - in my opinion anyway -
> just assume that -lnsl -lresolv is always there and add it
> unconditionally on linux2 or linux3.

That may well be the simplest solution.

> .  Here's the content of SEARCHDIRS variable from
> makedefs script on my 32bit system:

Hmm, I see no SEARCHDIRS in my makedefs files. What does yours
look like?

Wietse


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Michael Tokarev
On 29.03.2012 23:10, Quanah Gibson-Mount wrote:
> --On Thursday, March 29, 2012 10:56 PM +0400 Michael Tokarev 
>  wrote:
> 
>> Besides, gcc --print-search-dirs (as already used in makedefs)
>> includes all necessary multiarch directories already.  So
>> I'm not really sure why the OP have this problem to start
>> with.  Here's the content of SEARCHDIRS variable from
>> makedefs script on my 32bit system:
> 
> If postfix doesn't find nsl or resolv in the directories in that list, it 
> won't add them to the library list.  Thus the build fails.

Oh.  The code I was referring to has been removed in
postfix 2.9.  The fragment from postfix-2.8.7:

SEARCHDIRS=$(${CC-gcc} -print-search-dirs 2>/dev/null |
        sed -n '/^libraries: =/s/libraries: =//p' |
        sed -e 's/:/\n/g' | xargs -n1 readlink -f |
        grep -v 'gcc\|/[0-9.]\+$' | sort -u)
if [ -z "$SEARCHDIRS" ]; then
    SEARCHDIRS="/usr/lib64 /lib64 /usr/lib /lib"
fi
for name in nsl resolv $GDBM_LIBS
do
    for lib in $SEARCHDIRS
    do
        test -e $lib/lib$name.a -o -e $lib/lib$name.so && {
            SYSLIBS="$SYSLIBS -l$name"
            break
        }
    done
done

The same fragment from postfix-2.9.1:

for name in nsl resolv $GDBM_LIBS
do
    for lib in /usr/lib64 /lib64 /usr/lib /lib
    do
        test -e $lib/lib$name.a -o -e $lib/lib$name.so && {
            SYSLIBS="$SYSLIBS -l$name"
            break
        }
    done
done


I don't know why this has been changed in 2.9, seems to
be a regression.

But at any case, the whole test appears to be wrong for
a long time already.  -lnsl -lresolv should be used
unconditionally for linux2 and linux3.

Thanks,

/mjt


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread John Peach
On Thu, 29 Mar 2012 12:10:26 -0700
Quanah Gibson-Mount  wrote:

> --On Thursday, March 29, 2012 10:56 PM +0400 Michael Tokarev 
>  wrote:
> 
> > Besides, gcc --print-search-dirs (as already used in makedefs)
> > includes all necessary multiarch directories already.  So
> > I'm not really sure why the OP have this problem to start
> > with.  Here's the content of SEARCHDIRS variable from
> > makedefs script on my 32bit system:
> 
> If postfix doesn't find nsl or resolv in the directories in that
> list, it won't add them to the library list.  Thus the build fails.
> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> 
> Zimbra ::  the leader in open source messaging and collaboration


My Ubuntu Precise box has the following in /etc/ld.so.conf which
will pick up those directories:

cat /etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

cat /etc/ld.so.conf.d/*.conf
# Multiarch support
/lib/i386-linux-gnu
/usr/lib/i386-linux-gnu
/lib/i686-linux-gnu
/usr/lib/i686-linux-gnu
# libc default configuration
/usr/local/lib
/usr/lib/nvidia-settings
# Multiarch support
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
/usr/lib/nvidia-current
/usr/lib32/nvidia-current
# Legacy biarch compatibility support
/lib32
/usr/lib32


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Quanah Gibson-Mount
--On Thursday, March 29, 2012 10:56 PM +0400 Michael Tokarev 
 wrote:



> Besides, gcc --print-search-dirs (as already used in makedefs)
> includes all necessary multiarch directories already.  So
> I'm not really sure why the OP have this problem to start
> with.  Here's the content of SEARCHDIRS variable from
> makedefs script on my 32bit system:


If postfix doesn't find nsl or resolv in the directories in that list, it 
won't add them to the library list.  Thus the build fails.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Michael Tokarev
On 29.03.2012 22:23, Wietse Venema wrote:
[]
> Perhaps you can suggest a way for makedefs to parse out the CPU
> type from "uname -whatever" and use that in the library search?

This isn't about uname.  Uname may return one thing, yet postfix
may be building for entirely another -- that's the main motivation
behind multiarch.

There, the only reasonable thing to do is to try to link an
executable - _provided_ that we need to actually verify the
two libs in question.

But on any modern linux system - and I really mean this, since
stuff for libc5 (pre-glibc linux) isn't interesting anymore
except for some historical reasons, and other implementations
of libc on linux (uclibc, dietlibc) have -lnsl -lresolv.

So the best fix for this stuff is - in my opinion anyway -
just assume that -lnsl -lresolv is always there and add it
unconditionally on linux2 or linux3.

Note again that linux _kernel_ version has very little to
do with C library features present.

Besides, gcc --print-search-dirs (as already used in makedefs)
includes all necessary multiarch directories already.  So
I'm not really sure why the OP has this problem to start
with.  Here's the content of SEARCHDIRS variable from
makedefs script on my 32bit system:

 /lib /lib/i386-linux-gnu /usr/lib /usr/lib/i386-linux-gnu

and here's how it looks like when setting CC="gcc -m64" before
invoking makedefs:

 /lib /lib64 /lib/x86_64-linux-gnu /usr/lib /usr/lib64 /usr/lib/x86_64-linux-gnu

> The reason I ask this is that it makes little sense to hard-code
> all possible architecture names in this script.

That'd be wrong, because some of these libs won't work on current
arch directly anyway, and may be unrelated to the postfix build.

Thanks,

/mjt


Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Wietse Venema
Reindl Harald:
> >> i really love "smtpd_reject_footer" to put contact informations
> >> and a hint that SMTP auth is needed in the response
> >>
> >> would it not make sense to add the content of "smtpd_reject_footer"
> >> to the default-answer instead in a seperated line which can be
> >> easily achieved by put \n at the begin
> >>
> >> i noticed that some software out there seems to handle it
> >> wrong and display ONLY the reject footer at all or whatever
> >> is the last response line
> > 
> > Please suggest a postconf(5) manpage description
> 
> sorry, i did not get you

All Postfix features are documented. You are requesting a
feature update/change/whatever.

Please suggest NEW text for a postconf(5) manpage description.

Wietse


Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Reindl Harald


On 29.03.2012 20:18, Wietse Venema wrote:
> Reindl Harald:
>>
>> i really love "smtpd_reject_footer" to put contact informations
>> and a hint that SMTP auth is needed in the response
>>
>> would it not make sense to add the content of "smtpd_reject_footer"
>> to the default-answer instead in a seperated line which can be
>> easily achieved by put \n at the begin
>>
>> i noticed that some software out there seems to handle it
>> wrong and display ONLY the reject footer at all or whatever
>> is the last response line
> 
> Please suggest a postconf(5) manpage description

sorry, i did not get you

the manpage does not fix behavior of widely used
software and who knows which other only display
the last response line to the enduser






Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Wietse Venema
Quanah Gibson-Mount:
> I'm testing the ubuntu12 64-bit beta, and had to make the following change 
> to makedefs under the Linux.3 category.  Just FYI:
> 
> --- postfix-2.9.1.2z/makedefs.orig  2012-01-17 17:19:48.0 -0800
> +++ postfix-2.9.1.2z/makedefs   2012-03-28 16:43:26.154076634 -0700
> @@ -367,7 +373,7 @@
>  SYSLIBS="-ldb"
>  for name in nsl resolv
>  do
> -for lib in /usr/lib64 /lib64 /usr/lib /lib
> +for lib in /usr/lib64 /lib64 /usr/lib /lib 
> /usr/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu
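
Review bot: The replacement "for lib in" line has been wrapped in transit, so its tail ("/usr/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu") sits on a line of its own that carries neither a "+" nor the leading space of a context line, and patch(1) cannot apply the hunk in this form. Resend it as an attachment or with line wrapping disabled; the truncated ".0" fraction in the "makedefs.orig" timestamp suggests the header was reflowed as well.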

Perhaps you can suggest a way for makedefs to parse out the CPU
type from "uname -whatever" and use that in the library search?

The reason I ask this is that it makes little sense to hard-code
all possible architecture names in this script.

Wietse


Re: smtpd_reject_footer: possible improvement

2012-03-29 Thread Wietse Venema
Reindl Harald:
> 
> i really love "smtpd_reject_footer" to put contact informations
> and a hint that SMTP auth is needed in the response
> 
> would it not make sense to add the content of "smtpd_reject_footer"
> to the default-answer instead in a seperated line which can be
> easily achieved by put \n at the begin
> 
> i noticed that some software out there seems to handle it
> wrong and display ONLY the reject footer at all or whatever
> is the last response line

Please suggest a postconf(5) manpage description.

Wietse



Re: postfix REGEX bug ???

2012-03-29 Thread Wietse Venema
Noel Jones:
> On 3/29/2012 5:48 AM, Wietse Venema wrote:
> > You mean:
> > 
> > /^google\.com$/
> > /^mail\.ru$/
> 
> The expression must also match subdomains.
> 
> /[^.]google\.com$/
> /[^.]mail\.ru$/

To match zero or more labels before the domain name:

/^([^.]+\.)*google\.com$/
/^([^.]+\.)*mail\.ru$/

This cannot be simplified further.

Wietse


smtpd_reject_footer: possible improvement

2012-03-29 Thread Reindl Harald
Hi

i really love "smtpd_reject_footer" to put contact information
and a hint that SMTP auth is needed in the response

would it not make sense to add the content of "smtpd_reject_footer"
to the default-answer instead in a separated line which can be
easily achieved by putting \n at the beginning

i noticed that some software out there seems to handle it
wrong and display ONLY the reject footer at all or whatever
is the last response line

currently:

 * outlook, example of the "fake mail" outlook puts in the inbox
   yes, the mail-client is crap, but widely used
   only for the "fake-mail" instead not accept the message at all
   someone in redmond should become tar and feathers

 * barracuda spamfirewall gives only the reject_footer back
   to the delivering client, easily solvable by using a
   dedicated submit port with a stripped down configuration
   no reject_footer, no restrictions, no ssl..


Betreff: Unzustellbar: 

Ihre Nachricht hat einige oder alle Empfänger nicht erreicht.

  Betreff:  AW: **

  Gesendet am:  29.03.2012 15:43

Folgende(r) Empfänger kann/können nicht erreicht werden:

  'wolfgang.@' am 29.03.2012 15:43

550 5.1.1 as customer please use smtp-authentication, as admin make 
sure your server has a valid
reverse-lookup and HELO, time: Mar 29 15:42:36, client: *, server: 
mail.thelounge.net, contact:
 +4315953999





Re: Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Scott Kitterman


Quanah Gibson-Mount  wrote:

>I'm testing the ubuntu12 64-bit beta, and had to make the following
>change 
>to makedefs under the Linux.3 category.  Just FYI:
>
>--- postfix-2.9.1.2z/makedefs.orig  2012-01-17 17:19:48.0
>-0800
>+++ postfix-2.9.1.2z/makedefs   2012-03-28 16:43:26.154076634 -0700
>@@ -367,7 +373,7 @@
> SYSLIBS="-ldb"
> for name in nsl resolv
> do
>-for lib in /usr/lib64 /lib64 /usr/lib /lib
>+for lib in /usr/lib64 /lib64 /usr/lib /lib 
>/usr/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu
> do
>test -e $lib/lib$name.a -o -e $lib/lib$name.so && {
>SYSLIBS="$SYSLIBS -l$name"
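Review bot: the two directories added to the "for lib in" list hard-code the x86_64 multiarch triplet (/usr/lib/x86_64-linux-gnu, /lib/x86_64-linux-gnu), so the probe for libnsl and libresolv will still miss the libraries on any other Debian/Ubuntu multiarch architecture, where the directory carries a different triplet. Consider deriving the multiarch directory at build time, or matching a pattern such as /usr/lib/*-linux-gnu* and /lib/*-linux-gnu*, rather than listing one architecture by name.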
>
>
>
>Apparently, Ubuntu/Debian put some of the libraries in an architecture 
>specific directory now (x86_64-linux-gnu).  I hit this for libnsl.

wiki.debian.org/Multiarch

Scott K



Linux.3 in makedefs & Ubuntu12

2012-03-29 Thread Quanah Gibson-Mount
I'm testing the ubuntu12 64-bit beta, and had to make the following change 
to makedefs under the Linux.3 category.  Just FYI:


--- postfix-2.9.1.2z/makedefs.orig  2012-01-17 17:19:48.0 -0800
+++ postfix-2.9.1.2z/makedefs   2012-03-28 16:43:26.154076634 -0700
@@ -367,7 +373,7 @@
SYSLIBS="-ldb"
for name in nsl resolv
do
-for lib in /usr/lib64 /lib64 /usr/lib /lib
+for lib in /usr/lib64 /lib64 /usr/lib /lib 
/usr/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu

do
   test -e $lib/lib$name.a -o -e $lib/lib$name.so && {
   SYSLIBS="$SYSLIBS -l$name"
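Review bot: the hunk header reads -367,7 +373,7, so the patched makedefs already carries a net six extra lines above this point that are not part of this diff; please regenerate the patch against a pristine makedefs so every local change is visible. The added "for lib in" line has also been wrapped onto a second line by the mail client and the context lines have lost their indentation, so the hunk will not apply as posted; sending the patch as an attachment avoids both problems.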



Apparently, Ubuntu/Debian put some of the libraries in an architecture 
specific directory now (x86_64-linux-gnu).  I hit this for libnsl.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: postfix REGEX bug ???

2012-03-29 Thread Noel Jones
On 3/29/2012 5:48 AM, Wietse Venema wrote:
> You mean:
> 
> /^google\.com$/
> /^mail\.ru$/

The expression must also match subdomains.

/[^.]google\.com$/
/[^.]mail\.ru$/

pesky regexps...  always causing trouble.



  -- Noel Jones


Re: defer mail for unknown recipients for one domain only

2012-03-29 Thread /dev/rob0
On Thu, Mar 29, 2012 at 11:44:00AM -0500, I wrote:
> I have reviewed this with more lucidity and alertness, but I have 
> not found any mistake. It seems that the built-in rejection of 
> unknown users is bound only by the global soft_bounce and these 
> per-class settings, to wit:
> 
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 550
> unknown_virtual_alias_reject_code = 550
> unknown_virtual_mailbox_reject_code = 550
> 
> Therefore a *possible* hack (if relay_domains is not otherwise in 
> use) would be for the OP to put that domain in relay_domains, take it 
> out of the prior address class (virtual_whichever_domains), and set 
> an appropriate value for relay_recipient_maps and relay_transport.

Apparently I wasn't lucid enough to include the most important part 
of this hack:

unknown_relay_recipient_reject_code = 450

> That's an ugly hack, because it disables the use of relay_domains as 
> designed, but it would work for sites which don't need relay_domains. 
> This hack could be amended to coexist with real relay_domains, but 
> quite a few variables make it impractical to outline the various
> possibilities.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: OT-follow up - postfix REGEX bug ???

2012-03-29 Thread Helder Oliveira
http://rubular.com/


a good place to test and learn...


On Mar 29, 2012, at 5:42 PM, john wrote:

> Could somebody recommend a "good" tutorial on REGEX and/or PCRE?
> John A
> 
> On 29/03/2012 11:35 AM, Женя wrote:
>> That's it. Ashamed.
>> Tricky REGEX. Thanks everyone. And thank you for great mail server.
>> 
>>> :
>>>>  /google\.com/   OK
>>>>  /mail\.ru/ OK
>>> You mean:
>>> 
>>> /^google\.com$/
>>> /^mail\.ru$/
>>> 
>>> RTFM!
>>> 
>>> Wietse
>>> 
>>> 



OT-follow up - postfix REGEX bug ???

2012-03-29 Thread john

Could somebody recommend a "good" tutorial on REGEX and/or PCRE?
John A

On 29/03/2012 11:35 AM, Женя wrote:

That's it. Ashamed.
Tricky REGEX. Thanks everyone. And thank you for great mail server.


:

  /google\.com/   OK
  /mail\.ru/ OK

You mean:

 /^google\.com$/
 /^mail\.ru$/

RTFM!

Wietse




Re: defer mail for unknown recipients for one domain only

2012-03-29 Thread /dev/rob0
On Wed, Mar 28, 2012 at 12:26:47AM -0500, I wrote:
> On Tue, Mar 27, 2012 at 09:43:27PM -0400, Wietse Venema wrote:
> > Wietse Venema:
> > > /dev/rob0:
> > > > On Tue, Mar 27, 2012 at 04:10:59PM -0500, I wrote:
> > > > > On Tue, Mar 27, 2012 at 10:21:14PM +0200, Sebastian 
> > > > > Wiesinger wrote:
> > > > > > > I have a setup which handles a few virtual domains. For 
> > > > > > > one domain only I want mails not to be rejected with 
> > > > > > > a 5xx error code but be deferred with a 4xx error code.
> > > > > > Is that possible?
> > > > > 
> > > > > main.cf :
> > > > > smtpd_client_restrictions = check_recipient_access
> > > > > hash:/etc/postfix/deferred_recipient[, ... ]
> > > > > 
> > > > > deferred_recipient :
> > > > > 
> > > > > example.com   defer_if_reject
> > > > > [ ... ]
> > > > 
> > > > That of course turns any rejection which comes after this 
> > > > restriction into a deferral, and that's not quite what you 
> > > > said you want. There are ways to apply it only to unknown 
> > > > recipients. I would move any spam-blocking restriction to 
> > > > smtpd_client_restrictions, after any necessary permit_* 
> > > > restrictions and before check_recipient_access. Then the 
> > > > unknown recipient rejection, which happens in 
> > > > smtpd_recipient_restrictions, will be subject to 
> > > > defer_if_reject.
> > > 
> > > You will need to specify an explicit "reject_unknown_recipient"
> 
> (typo: "reject_unlisted_recipient")
> 
> > > at the end of smtpd_recipient_restrictions. 
> > 
> > It would be worthwhile if someone can check if this is needed.
> 
> This is interesting. In my preliminary tests, the defer_if_reject 
> does not work, neither with nor without reject_unlisted_recipient 
> specified. It seems that the explicit test is also not playing 
> along. Client restrictions find the defer_if_reject, and in 
> recipient restrictions, reject_unlisted_recipient calls >>> 
> CHECKING RECIPIENT MAPS <<<.
> 
> The address I tried was an unlisted virtual alias where the domain 
> was in virtual_alias_domains. The following verbose log excerpt 
> shows from smtpd_client_restrictions through the end of smtpd 
> connection, with defer_if_reject as above and 
> reject_unlisted_recipient in smtpd_recipient_restrictions.

I have reviewed this with more lucidity and alertness, but I have 
not found any mistake. It seems that the built-in rejection of 
unknown users is bound only by the global soft_bounce and these 
per-class settings, to wit:

unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550

Therefore a *possible* hack (if relay_domains is not otherwise in 
use) would be for the OP to put that domain in relay_domains, take it 
out of the prior address class (virtual_whichever_domains), and set 
an appropriate value for relay_recipient_maps and relay_transport.

That's an ugly hack, because it disables the use of relay_domains as 
designed, but it would work for sites which don't need relay_domains. 
This hack could be amended to coexist with real relay_domains, but 
quite a few variables make it impractical to outline the various
possibilities.

Other choices might include replacing the built-in unknown recipient 
checking with manual check_recipient_access lookups. But I can't say 
for sure whether or not that defer lookup result would override the 
built-in unknown recipient rejection. Without investing more time to 
test it, I would guess not, as per my understanding that 5xx trumps 
4xx in rejection logic.

TBH, I would have expected that defer_if_reject would convert the 
per-class unknown recipient settings into 4xx. Least surprising.

Sebastian, good luck, HTH. Wietse, sorry for the additional work. :)


> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: >>> START Client host 
> RESTRICTIONS <<<
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: generic_checks: 
> name=check_recipient_access
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: check_mail_access: 
> non...@example.com
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: ctable_locate: leave existing 
> entry key non...@example.com
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: check_access: 
> non...@example.com
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: check_domain_access: 
> example.com
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: check_table_result: 
> hash:/etc/postfix/defer_unknown defer_if_reject example.com
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: generic_checks: 
> name=check_recipient_access status=0
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: >>> END Client host 
> RESTRICTIONS <<<
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: >>> START Recipient address 
> RESTRICTIONS <<<
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: generic_checks: 
> name=permit_mynetworks
> Mar 27 23:53:05 chestnut postfix/smtpd[16757]: permit_mynetworks: localhost 
> 127.0.0.1
> Mar 27 23:53:05 chestn

Re: postfix REGEX bug ???

2012-03-29 Thread Женя
That's it. Ashamed.
Tricky REGEX. Thanks everyone. And thank you for great mail server.

> :
> >  /google\.com/   OK
> >  /mail\.ru/ OK
> 
> You mean:
> 
> /^google\.com$/
> /^mail\.ru$/
> 
> RTFM!
> 
>   Wietse
> 
>


RE: LoadShared Failover

2012-03-29 Thread Aaron Bennett


From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Michael Maymann
Sent: Thursday, March 29, 2012 4:01 AM
To: postfix-users@postfix.org
Subject: Re: LoadShared Failover

Hi List,


Only problem I see now is when one of the postfix servers dies. Clients will 
still try to send mails to it as they are DNS RR'ed, but would get no response 
of course if they hit the dead one.
(How) Do I handle this ? or will I just have to live with the time-loss, 
clients connecting to dead postfix server, gives me when it has to retry ?

[Aaron Bennett]
Or buy a commercial load balancer, or build one out of something like the 
linux-ha project (http://www.linux-ha.org/wiki/Main_Page).





Re: Enabled SMTP AUTH but mails from external networks still being rejected

2012-03-29 Thread Brian Evans - Postfix List
On 3/29/2012 6:56 AM, Phill Edwards wrote:
>
> > smtpd_recipient_restrictions = permit_sasl_authenticated,
> > permit_mynetworks, check_relay_domains
>
> You'll want a reject_unauth_destination after these.
>
>
> Sorry but I don't have any idea what that means. Could you please
> explain a little further what I'm supposed to do here.
>

You are using the deprecated 1.x syntax of check_relay_domains.
It is recommended to use reject_unauth_destination instead of
check_relay_domains.

Your mail log may even indicate this as a warning.

Brian


Re: First post, first question

2012-03-29 Thread Rodolphe Quiedeville

Stoyan Stoyanov wrote on 29/03/12 14:04:

Hi Rodolphe,

I have emailing company in eastern-europe, I personally like and use the
scenario where there is one 'main' postfix, which is configured to relay
mails to one address: balance.domain.com, where the balance.domain.com
is an bind9 records with 0 ttl which resolv on 20 postfixes, which is
actually used for the outgoing mail. I sent about 200-400K emails per
day, and the systems works really fine. I think it will be good for you
too.


[...]

Hi,

Thanks Jeffrey and Stoyan for your answer, I didn't think about that but 
it's a good idea.
Finally I used haproxy to load-balance between our outgoing servers. We 
already use haproxy to load-balance on webserver it's a well known software.


Regards


--
Rodolphe Quiédeville - rodolp...@pilotsystems.net
Pilot Systems - 9, rue Desargues - 75011 Paris
Tel : +33 1 44 53 05 55 - www.pilotsystems.net
Manage your contacts and newsletters: www.cockpit-mailing.com


Re: First post, first question

2012-03-29 Thread Stoyan Stoyanov

Hi Rodolphe,

 I have emailing company in eastern-europe, I personally like and use  
the scenario where there is one 'main' postfix, which is configured to  
relay mails to one address: balance.domain.com, where the  
balance.domain.com is an bind9 records with 0 ttl which resolv on 20  
postfixes, which is actually used for the outgoing mail. I sent about  
200-400K emails per day, and the systems works really fine. I think it  
will be good for you too.


ps.
of course there is dynamic dns updates, so keep the rates to big esps,  
a little more complicated configurations that make smtp connections to  
the 'main' machine, but in general I think you understand the scenario.


Regards,
Sto.

On Mar 29, 2012, at 2:55 PM, jeffrey j donovan wrote:



On Mar 29, 2012, at 3:43 AM, Rodolphe Quiedeville wrote:


Hi,

This is my first post on this list, I'm a french sys/admin using  
postfix now from more than 10 years ago, but always with small  
traffic and end-user needs. I'm working at pilotsystems.net a small  
french free software service company. We have a mailing solution  
called http://cockpit-mailing.com/ which will follow legal anti-spam  
french laws.
I subscribed after looking for an answer on the net but with no  
result.


I would like to split my outgoing mail to more than one host. By  
now I use this transport on my main outgoing server,  
out1.foobar.com is one of my postfix server.


domain.com :[out1.foobar.com]

Is it possible to do something like

domain.com: [out1.foobar.com,out2.foobar.com]

Which will result on first mail go through out1, second email on  
out2, third email on out1, and continue.
My goal is to split outgoing email, when I'll send 5000K emails to  
same domain, 2500K will be send out from out1 and 2500K will be  
send out from out2.


Regards


you could probably set it up in dns.

out.foobar.com  60 IN   A   10.10.1.5
out.foobar.com  60 IN   A   10.10.1.6
out.foobar.com  60 IN   A   10.10.1.7

out1.foobar.com IN  A 10.10.1.5
out2.foobar.com IN  A 10.10.1.5
out3.foobar.com IN  A 10.10.1.5


then transportmap it.

domain.com smtp:out.foobar.com

-j


Stoyan Stoyanov
Core System Administrator





Re: First post, first question

2012-03-29 Thread jeffrey j donovan

On Mar 29, 2012, at 3:43 AM, Rodolphe Quiedeville wrote:

> Hi,
> 
> This is my first post on this list, I'm a french sys/admin using postfix now 
> from more than 10 years ago, but always with small traffic and end-user 
> needs. I'm working at pilotsystems.net a small french free software service 
> company. We have a mailing solution called http://cockpit-mailing.com/ which 
> will follow legal anti-spam french laws.
> I subscribed after looking for an answer on the net but with no result.
> 
> I would like to split my outgoing mail to more than one host. By now I use 
> this transport on my main outgoing server, out1.foobar.com is one of my 
> postfix server.
> 
> domain.com :[out1.foobar.com]
> 
> Is it possible to do something like
> 
> domain.com: [out1.foobar.com,out2.foobar.com]
> 
> Which will result on first mail go through out1, second email on out2, third 
> email on out1, and continue.
> My goal is to split outgoing email, when I'll send 5000K emails to same 
> domain, 2500K will be send out from out1 and 2500K will be send out from out2.
> 
> Regards

you could probably set it up in dns.

out.foobar.com  60 IN   A   10.10.1.5
out.foobar.com  60 IN   A   10.10.1.6
out.foobar.com  60 IN   A   10.10.1.7

out1.foobar.com IN  A 10.10.1.5
out2.foobar.com IN  A 10.10.1.5
out3.foobar.com IN  A 10.10.1.5


then transportmap it.

domain.com smtp:out.foobar.com

-j

Re: Enabled SMTP AUTH but mails from external networks still being rejected

2012-03-29 Thread Phill Edwards
> if "permit_sasl_authenticated" is before restrictions the client can always
> authenticate, this is how the things are working
>

Thanks for the info.


>
>
> P.S.: please do not reply offlist!
>

Yes, I noticed that. I didn't mean to, but I find with this particular
mailing list when I click reply it replies to the sender rather than the
mailing list. I don't know why that is as I don't find the same problem
with other mailing lists.


Re: FW: Postfix delivery to openldap users

2012-03-29 Thread Nikolaos Milas

On 29/3/2012 2:13 μμ, Priscilla V wrote:


Even after changing it to %u the postmap command is not returning any value.


You could run:

   postmap -vvv -q ldapuser ldap:/etc/postfix/ldap.cf

and try to see where is the problem.

Also, try to run a simple ldapsearch on the same machine with the same 
parameters (search key, server, credentials, binddn, return attributes 
etc.) and see if it works.


Nick


Re: Encrypt attachments

2012-03-29 Thread Kai Szymanski

Hi Andreas,

That's why e-mail encryption (S/MIME, PGP) was invented for. Why 
reinvent the wheel?


You are right...and not ;)

Problem: If we use for example gpg the !other side! also have to use gpg 
and needs to have a key infrastructure implemented. Most of the 
"customer customers" don't have very much "computer skills" to realize 
that kind of things. They can use for example Winzip but nothing 
more... so i seek for "the middle course" between security <-> usability.


But maybe i am wrong ?

Thanks!

Best regards,
  Kai.

--
Kai Szymanski

Auf dem Peterswerder 17
28205 Bremen

EMail k...@codebiz.de / Web http://www.codebiz.de




RE: FW: Postfix delivery to openldap users

2012-03-29 Thread Priscilla V
Even after changing it to %u the postmap command is not returning any value.

Regards
Priscilla

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Nikolaos Milas
Sent: Thursday, March 29, 2012 1:47 PM
To: 'Postfix users'
Subject: Re: FW: Postfix delivery to openldap users

On 29/3/2012 9:03 πμ, Priscilla V wrote:

> Postmap -q  ldap:/etc/postfix/ldap.cf
>
> Is not giving any output.
> It returns silently.

Have you changed:

query_filter = (mail=%s)

to:

query_filter = (mail=%u)

as was suggested (if you are still using alias_maps)?

Ref: http://www.postfix.org/ldap_table.5.html

Alternatively, use virtual_alias_maps ***even if you don't have virtual 
domains*** (as was also suggested).

Nick



Re: LoadShared Failover

2012-03-29 Thread Wietse Venema
Michael Maymann:
> ; zone file fragment
> IN  MX  10  mail.example.com
> .
> 
> mailIN  A   10.10.10.100
> IN  A   10.10.20.100
> 
> 3. Clients will use mail.example.com as server.
> 
> Only problem I see now is when one of the postfix servers dies. Clients
> will still try to send mails to it as they are DNS RR'ed, but would get no
> response of course if they hit the dead one.

In that case the client should try the other IP address. 

Wietse


Re: Enabled SMTP AUTH but mails from external networks still being rejected

2012-03-29 Thread Phill Edwards
>
> > I have now set up SMTP AUTH and it's working when sending emails from PCs
> on
> > my LAN. But when I send emails from outside (eg from my mobile phone) I
> get
> > these errors:
>
> Hopefully it's as simple as fixing the smtpd restrictions:
>
> > smtpd_client_restrictions = permit_mynetworks, reject
>

> This is outright banning anybody outside mynetworks.
>

Thanks, I've removed this line altogether and it works now.


>
> > smtpd_recipient_restrictions = permit_sasl_authenticated,
> > permit_mynetworks, check_relay_domains
>
> You'll want a reject_unauth_destination after these.
>
>
Sorry but I don't have any idea what that means. Could you please explain a
little further what I'm supposed to do here.


Re: postfix REGEX bug ???

2012-03-29 Thread Wietse Venema
:
>  /google\.com/   OK
>  /mail\.ru/ OK

You mean:

/^google\.com$/
/^mail\.ru$/

RTFM!

Wietse


Re: postfix REGEX bug ???

2012-03-29 Thread Tom Hendrikx
On 29/03/12 10:51, Женя wrote:
> I'm using postfix (2.7.0 on Ubuntu Linux 10.04.3) as mail relay and
> antispam filter. It's set up and works perfectly except one small
> bug. I use smtpd_client_restrictions to filter SMTP clients as
> following:
> 
> smtpd_client_restrictions = permit_mynetworks, 
> reject_unknown_client_hostname, check_client_access
> regexp:/etc/postfix/client_access
> 
> And /etc/postfix/client_access with number of regex rules like:
> /google\.com/   OK
> /mail\.ru/ OK
> ..
> /schweiz029\.startdedicated\.com/   REJECT
> /rusguru/   REJECT
> /mail\.agere\.pt/   REJECT
> /relay\.tmsoft\-ltd\.com/   REJECT
> 
> 
> This setup works like designed, filtering all clients successfully
> except ONE (/rusguru/ expression):

> 
> As everyone can see postfix does not properly match regex expression.
> I've tried first full domain regex like /rusguru\.ru/, shortened to
> /rusguru/ only - no success.

Hi,

Your regexes aren't terminated, which means that /mail\.ru/ does also
match 'mail.rusguru.ru'. If you OK that as per your example, then that
is your issue: you let them in yourself...

--
Tom
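
The first-match behaviour described in this thread, as an added example that is not part of any post and is not Postfix code: it runs the four pattern styles quoted on this page (as posted, ^...$, [^.]...$ and ^([^.]+\.)*...$) against client names in table order. Python's re module stands in for the regexp: table engine, which is an assumption that holds for these simple patterns; apart from mail.rusguru.ru, the host names are constructed samples.

```python
import re


def compile_table(rules):
    """Compile (pattern, action) pairs in file order, as a lookup table is read."""
    # Postfix regexp: tables match case-insensitively by default.
    return [(re.compile(pat, re.IGNORECASE), action) for pat, action in rules]


def lookup(table, client_name):
    """Return the action of the FIRST matching rule, or None if nothing matches."""
    for rx, action in table:
        # search() is unanchored: the pattern may match anywhere in the name
        # unless the pattern itself contains ^ and $.
        if rx.search(client_name):
            return action
    return None  # in Postfix: no decision, the next restriction is evaluated


# REJECT rules from the original post, listed after the OK rules as posted.
REJECTS = [
    (r"schweiz029\.startdedicated\.com", "REJECT"),
    (r"rusguru", "REJECT"),
]

TABLES = {
    # As originally posted: no anchors at all.
    "unanchored": compile_table(
        [(r"google\.com", "OK"), (r"mail\.ru", "OK")] + REJECTS),
    # Anchored at both ends: exact host name only.
    "exact": compile_table(
        [(r"^google\.com$", "OK"), (r"^mail\.ru$", "OK")] + REJECTS),
    # One non-dot character required in front of the domain.
    "nondot": compile_table(
        [(r"[^.]google\.com$", "OK"), (r"[^.]mail\.ru$", "OK")] + REJECTS),
    # Zero or more complete labels in front of the domain.
    "labels": compile_table(
        [(r"^([^.]+\.)*google\.com$", "OK"),
         (r"^([^.]+\.)*mail\.ru$", "OK")] + REJECTS),
}

HOSTS = [
    "mail.rusguru.ru",         # the client from the original log
    "mail.ru",                 # constructed: the bare domain
    "mx1.mail.ru",             # constructed: a subdomain
    "notmail.ru",              # constructed: different domain, same suffix
    "google.com.example.net",  # constructed: allowed name used as a prefix
]


def evaluate():
    """Return {table_name: {host: action}} for every table and sample host."""
    return {name: {h: lookup(t, h) for h in HOSTS} for name, t in TABLES.items()}


if __name__ == "__main__":
    results = evaluate()
    for name in TABLES:
        print(name)
        for host in HOSTS:
            print("  %-24s %s" % (host, results[name][host]))
```

Only the last form accepts both the bare domain and its subdomains while leaving mail.rusguru.ru to the later REJECT rule.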



Re: Enabled SMTP AUTH but mails from external networks still being rejected

2012-03-29 Thread Reindl Harald


On 29.03.2012 12:08, Phill Edwards wrote:
> 
> On 28.03.2012 15:31, Phill Edwards wrote:
> > I have had a Postfix SMTP server on my LAN for a long time and it works 
> really well for delivering my email via
> > relayhost = smtp.example.com  
>  (replaced my actuals ISP's
> SMTP server here).
> >
> > I have now set up SMTP AUTH and it's working when sending emails from 
> PCs on my LAN. But when I send emails from
> > outside (eg from my mobile phone) I get these errors:
> >
> > Mar 29 00:04:32 zrf postfix/smtpd[624]: warning: xx.xxx.180.193: 
> hostname
> paxx-xxx-180-193.pa.nsw.optusnet.com.au 
> 
> >  verification failed: 
> Name or service not known
> > Mar 29 00:04:32 zrf postfix/smtpd[624]: connect from 
> unknown[xx.xxx.180.193]
> > Mar 29 00:04:33 zrf postfix/smtpd[624]: NOQUEUE: reject: RCPT from 
> unknown[xx.xxx.180.193]: 554 5.7.1
> > : Client host rejected: Access denied; 
> from=mailto:m...@example.com>
> >>
> > to=mailto:some...@example.com> 
>  >> proto=ESMTP 
> helo= 
> > >
> > Mar 29 00:04:33 zrf postfix/smtpd[624]: disconnect from 
> unknown[xx.xxx.180.193]
> 
> where do you see here any authentication try?
> connect -> reject
> 
> 
> I ran some tests on the LAN which showed up successful authentication 
> attempts. This is a log of what happens when
> a mobile phone tries to connect from outside the LAN. I'm assuming there are 
> no authentication tries because the
> client has been rejected due to network restrictions before even attempting 
> any credentials are processed.
> 
> let me guess - this is a iPhone?
>
> No, it's a Samsung Galaxy S II with K-9 Mail as the email client

if "permit_sasl_authenticated" is before restrictions the client can always
authenticate, this is how the things are working

but the client has to be configured for authentication
sadly it is not default in most clients while if
the MUA developers would be a little smarter they
would activate it and use the same credentials as
for incoming server which fits 99% of all setups

P.S.: please do not reply offlist!






Re: Encrypt attachments

2012-03-29 Thread lst_hoe02

Quoting Kai Szymanski:


Hi!

For a customer i have to implement "on the fly" encryption for  
attachments. Means:


1) Send Mail to Customer

- Postfix receive email by smtp from local sender

- Check if Recipient is in DB. If not => Forward message by smtp  
to customer


- If customer is in DB, detach Attachments, create a encrypted  
zip-Archiv (password comes from db), re-attach it to email and  
forward it by smtp to customer


Is there a place where i can find more informations about doing it  
or exists there a "ready" solution ?


Thanks a lot!

Best regards,
  Kai.


Hello

That's why e-mail encryption (S/MIME, PGP) was invented for. Why  
reinvent the wheel?


Regards

Andreas






Re: postfix REGEX bug ???

2012-03-29 Thread Ralf Hildebrandt
* Женя :
> I'm using postfix (2.7.0 on Ubuntu Linux 10.04.3) as mail relay and antispam 
> filter. It's set up and works perfectly except one small bug.
> I use smtpd_client_restrictions to filter SMTP clients as following:
> 
>  smtpd_client_restrictions =
>permit_mynetworks,
>reject_unknown_client_hostname,
>check_client_access regexp:/etc/postfix/client_access
> 
> And /etc/postfix/client_access with number of regex rules like:
>  /google\.com/   OK
>  /mail\.ru/ OK
>  ..
>  /schweiz029\.startdedicated\.com/   REJECT
>  /rusguru/   REJECT
>  /mail\.agere\.pt/   REJECT
>  /relay\.tmsoft\-ltd\.com/   REJECT

Show "postconf -n" output.

> Mar 27 06:12:15 mailrelay postfix/smtpd[14368]: connect from 
> mail.rusguru.ru[195.3.141.61]
195.3.141.61 might be in mynetworks

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



postfix REGEX bug ???

2012-03-29 Thread Женя
I'm using postfix (2.7.0 on Ubuntu Linux 10.04.3) as mail relay and antispam 
filter. It's set up and works perfectly except one small bug.
I use smtpd_client_restrictions to filter SMTP clients as following:

 smtpd_client_restrictions =
   permit_mynetworks,
   reject_unknown_client_hostname,
   check_client_access regexp:/etc/postfix/client_access

And /etc/postfix/client_access with number of regex rules like:
 /google\.com/   OK
 /mail\.ru/ OK
 ..
 /schweiz029\.startdedicated\.com/   REJECT
 /rusguru/   REJECT
 /mail\.agere\.pt/   REJECT
 /relay\.tmsoft\-ltd\.com/   REJECT


This setup works like designed, filtering all clients successfully except ONE 
(/rusguru/ expression): 

Mar 27 06:12:15 mailrelay postfix/smtpd[14368]: connect from 
mail.rusguru.ru[195.3.141.61]
Mar 27 06:12:18 mailrelay postfix/smtpd[14368]: 0A03961A61: 
client=mail.rusguru.ru[195.3.141.61]
Mar 27 06:12:18 mailrelay postfix/cleanup[14482]: 0A03961A61: 
message-id=<084C071CD1FD4B01A5E885AAD6A6C083@wks01>
Mar 27 06:12:19 mailrelay spamd[5700]: spamd: connection from localhost 
[127.0.0.1] at port 33079
Mar 27 06:12:19 mailrelay spamd[5700]: spamd: processing message 
<084C071CD1FD4B01A5E885AAD6A6C083@wks01> for spamd:1001
Mar 27 06:12:24 mailrelay spamd[5700]: spamd: identified spam (7.7/5.0) for 
spamd:1001 in 5.6 seconds, 27372 bytes.
Mar 27 06:12:24 mailrelay spamd[5700]: spamd: result: Y 7 - 
FUZZY_XPILL,HTML_MESSAGE,RU_CERTIFICATE_KOI8,RU_CLASSES_1_KOI8,RU_SPAM_KOI8,RU_SUSPECTED_SPAM_KOI8,RU_WEBSITE_KOI8,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY
 
scantime=5.6,size=27372,user=spamd,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=33079,mid=<084C071CD1FD4B01A5E885AAD6A6C083@wks01>,autolearn=disabled,shortcircuit=no
Mar 27 06:12:24 mailrelay postfix/cleanup[14482]: 0A03961A61: 
milter-header-hold: header X-Spam-Status: Yes, score=7.7 required=5.0 
tests=FUZZY_XPILL from mail.rusguru.ru[195.3.141.61]; from= 
to= proto=SMTP helo=: 
Mar 27 06:12:24 mailrelay postfix/smtpd[14368]: disconnect from 
mail.rusguru.ru[195.3.141.61]


As everyone can see postfix does not properly match regex expression. I've tried 
first full domain regex like /rusguru\.ru/, shortened to /rusguru/ only - no 
success. I believe, there is something to do with "ru" part repetition and, 
almost obvious, it is BUG in regex engine of postfix. I have no other 
explanations. Had no issues with other regex expressions. I do know it is not 
the latest version of postfix but before compiling latest one I want to be sure 
such bug is not present.
I don't know other way to reach postfix developers (no info on official web 
site) so post this in hope they visit this place or someone informs them.


Re: FW: Postfix delivery to openldap users

2012-03-29 Thread Nikolaos Milas

On 29/3/2012 9:03 πμ, Priscilla V wrote:


Postmap -q  ldap:/etc/postfix/ldap.cf

Is not giving any output.
It returns silently.


Have you changed:

   query_filter = (mail=%s)

to:

   query_filter = (mail=%u)

as was suggested (if you are still using alias_maps)?

Ref: http://www.postfix.org/ldap_table.5.html

Alternatively, use virtual_alias_maps ***even if you don't have virtual 
domains*** (as was also suggested).


Nick
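
What the %s and %u substitutions in query_filter produce for a given lookup key, as an added example that is not part of the original message and is not Postfix code: a simplified Python model of the %s/%u/%d expansion and value quoting documented in ldap_table(5). The function names and the sample keys are constructed for illustration.

```python
def rfc4515_escape(value):
    """Quote the characters that are special inside an LDAP filter value."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. "*" becomes "\2a"
        else:
            out.append(ch)
    return "".join(out)


def expand_query_filter(template, key):
    """Expand %s, %u, %d and %% in a query_filter template for one lookup key.

    Returns the LDAP filter string, or None when the lookup is suppressed
    (the template uses %d but the key has no domain part).
    """
    local, at, domain = key.rpartition("@")   # split at the last "@"
    has_domain = bool(at)
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%" or i + 1 == len(template):
            out.append(ch)
            i += 1
            continue
        spec = template[i + 1]
        i += 2
        if spec == "%":
            out.append("%")
        elif spec == "s":
            # %s: the whole lookup key
            out.append(rfc4515_escape(key))
        elif spec == "u":
            # %u: local part of user@domain, otherwise the whole key
            out.append(rfc4515_escape(local if has_domain else key))
        elif spec == "d":
            # %d: domain part; a key without a domain suppresses the query
            if not has_domain:
                return None
            out.append(rfc4515_escape(domain))
        else:
            raise ValueError("expansion %%%s is not modelled here" % spec)
    return "".join(out)


if __name__ == "__main__":
    # Constructed keys: a full address, and a bare local part such as a
    # lookup that passes only the user name would send.
    for key in ("user@example.com", "user", "us*er"):
        for template in ("(mail=%s)", "(mail=%u)", "(mail=%u@%d)"):
            print("%-18s %-14s -> %s" % (key, template,
                                         expand_query_filter(template, key)))
```

Comparing the printed filters with the filter= values that slapd logs for each lookup shows which key Postfix actually passed to the table.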


Re: LoadShared Failover

2012-03-29 Thread Michael Maymann
Hi List,

I have now looked all over the web to try and find best possible solution
for me... (redundant loadshared sending-only mailgw)... this is currently
what I think of doing...:
1. Setup 2 postfix servers in 2 physical different location with same
configuration (handles by our HostConfigurationManagementSystem).
2. DNS will be configured like:

; zone file fragment
IN  MX  10  mail.example.com
.

mailIN  A   10.10.10.100
IN  A   10.10.20.100

3. Clients will use mail.example.com as server.

Only problem I see now is when one of the postfix servers dies. Clients
will still try to send mails to it as they are DNS RR'ed, but would get no
response of course if they hit the dead one.
(How) Do I handle this ? or will I just have to live with the time-loss,
clients connecting to dead postfix server, gives me when it has to retry ?

I can compensate a bit by setting low DNS TTL (like 15 minutes) and remove
dead DNS entry manually when our monitoring system alerts about port not
responding - but would like to implement a real redundant system if at all
possible... How do I do this - any howto I might have missed... ?



Thanks in advance :) !
~maymann


2012/3/28 Michael Maymann 

> Hi List,
>
> I have now looked all over the web to try and find best possible solution
> for me... (redundant loadshared sending-only mailgw)... this is currently
> what I think of doing...:
> 1. Setup 2 postfix servers in 2 physical different location with same
> configuration (handles by our HostConfigurationManagementSystem).
> 2. DNS will be configured like:
>
> ; zone file fragment
> IN  MX  10  mail.example.com
> .
> 
> mailIN  A   10.10.10.100
> IN  A   10.10.20.100
>
> 3. Clients will use mail.example.com as server.
>
> Only problem I see now is when one of the postfix servers dies. Clients
> will still try to send mails to it as they are DNS RR'ed, but would get no
> response of course if they hit the dead one.
> (How) Do I handle this ? or will I just have to live with the time-loss,
> clients connecting to dead postfix server, gives me when it has to retry ?
>
> I can compensate a bit by setting low DNS TTL (like 15 minutes) and remove
> dead DNS entry manually when our monitoring system alerts about port not
> responding - but would like to implement a real redundant system if at all
> possible... How do I do this - any howto I might have missed... ?
>
>
>
> Thanks in advance :) !
> ~maymann
>
>
> 2012/3/13 Stan Hoeppner 
>
>> On 3/12/2012 1:29 PM, Michael Maymann wrote:
>> > Hi,
>> >
>> > Stan: thanks for your reply.
>> > I was talking about NIC bonding: http://www.howtoforge.com/nic_bonding
>> > But if that is not the way to go, then that won't matter anymore... and no
>> > need for RedHat support either...
>>
>> NIC bonding isn't applicable to your dual relay host scenario.
>>
>> > I'm a simple SMTP/PostFix beginner and just trying to learn as I go along -
>> > thought the mailinglist would be a good offset to get some initial answers
>> > so I can start looking in the right places - first things first... :) !
>>
>> You have it backwards.  The Postfix mailing list is a "last resort"
>> resource and is meant more for troubleshooting than "system design
>> assistance" or "education".  You are expected to read all applicable
>> Postfix and RFC/BCP documentation and troubleshoot issues until you are
>> sure you cannot resolve them on your own.  *Then* post a help query on
>> the Postfix list.  It is not a teaching resource.  Please don't treat it
>> as such.
>>
>> > If RR DNS is the way forward, then I guess I would need to configure:
>> >
>> > ; zone file fragment
>> >         IN  MX  10  mail.example.com.
>> >
>> > mail    IN  A   192.168.0.4
>> >         IN  A   192.168.0.5
>> >
>> >
>> > and point all my MUA's to mail.example.com
>> >
>> > Just to try and understand better how this communication would be working:
>> > 1. Does the MUAs then just retry if it doesn't get answer from one of the
>> > MTAs ?
>> > 2. If so, will this then always generate a new nslookup / will it use a
>> > cache / do I need to configure this on the MUA's ?
>> > 3. Is there a default number of retries (and does this differentiate from
>> > MUA to MUA) or are they just queued forever on the MUAs until properly
>> > delivered to a responsive MTA ?
>>
>> See the bind manual, or the manual of whichever DNS server daemon you
>> happen to be using, and other applicable guides to round robin DNS.
>>
>> --
>> Stan
>>
>
>


Encrypt attachments

2012-03-29 Thread Kai Szymanski

Hi!

For a customer I have to implement "on the fly" encryption for 
attachments. Means:


1) Send Mail to Customer

- Postfix receives email by smtp from local sender

- Check if Recipient is in DB. If not => Forward message by smtp to 
customer


- If customer is in DB, detach attachments, create an encrypted 
zip archive (password comes from db), re-attach it to email and forward 
it by smtp to customer


Is there a place where I can find more information about doing it, or 
is there a "ready" solution?


Thanks a lot!

Best regards,
  Kai.



First post, first question

2012-03-29 Thread Rodolphe Quiedeville

Hi,

This is my first post on this list, I'm a French sys/admin using postfix 
for more than 10 years now, but always with small traffic and 
end-user needs. I'm working at pilotsystems.net, a small French free 
software service company. We have a mailing solution called 
http://cockpit-mailing.com/ which will follow legal anti-spam French laws.

I subscribed after looking for an answer on the net but with no result.

I would like to split my outgoing mail to more than one host. By now I 
use this transport on my main outgoing server, out1.foobar.com is one 
of my postfix servers.


domain.com :[out1.foobar.com]

Is it possible to do something like

domain.com: [out1.foobar.com,out2.foobar.com]

Which will result in the first mail going through out1, second email through out2, 
third email through out1, and so on.
My goal is to split outgoing email: when I send 5000K emails to the same 
domain, 2500K will be sent out from out1 and 2500K will be sent out from 
out2.


Regards

--
Rodolphe Quiédeville - rodolp...@pilotsystems.net
Pilot Systems - 9, rue Desargues - 75011 Paris
Tel : +33 1 44 53 05 55 - www.pilotsystems.net
Manage your contacts and your newsletters: www.cockpit-mailing.com


Re: STARTTLS and mailservers who choke on it

2012-03-29 Thread Robert Schetterer
On 29.03.2012 09:35, Ralf Hildebrandt wrote:
> * Per Jessen :
>> I'm wondering how others handle this.  We offer TLS for all inbound
>> traffic, which works fine 99% of the time.  Every other day though I
>> notice one or two mailservers who simply cannot cope with it.  They try,
>> but they keep getting a timeout.  Something is clearly not working on
>> their side and the email will eventually not get delivered. (I'm pretty
>> certain they're all MSEX, but that's just a hunch).
>>
>> To prevent this I check our logs regularly and use 
>> smtpd_discard_ehlo_keyword_address_maps to disable starttls for those
>> servers that have a problem.  It's a bit of a hassle, so I was wondering 
>> how others handle it? 
> 
> I handle it exactly the same way. On a  related issue: There are
> systems which request DSN (delivery status notification), but once our
> system sends those, their server won't accept them.
> 

Yes, I noticed that too.

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: STARTTLS and mailservers who choke on it

2012-03-29 Thread Ralf Hildebrandt
* Per Jessen :
> I'm wondering how others handle this.  We offer TLS for all inbound
> traffic, which works fine 99% of the time.  Every other day though I
> notice one or two mailservers who simply cannot cope with it.  They try,
> but they keep getting a timeout.  Something is clearly not working on
> their side and the email will eventually not get delivered. (I'm pretty
> certain they're all MSEX, but that's just a hunch).
> 
> To prevent this I check our logs regularly and use 
> smtpd_discard_ehlo_keyword_address_maps to disable starttls for those
> servers that have a problem.  It's a bit of a hassle, so I was wondering 
> how others handle it? 

I handle it exactly the same way. On a  related issue: There are
systems which request DSN (delivery status notification), but once our
system sends those, their server won't accept them.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de
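
The regular log check described in this thread, scripted as an added example (not code from the thread or from Postfix): it emits lookup-table lines for smtpd_discard_ehlo_keyword_address_maps only for clients that fail repeatedly after STARTTLS and never complete a handshake, because every entry makes that client deliver in plaintext. The log message formats, the sample lines and the three-failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread). The message formats are an
# assumption modelled on Postfix smtpd logging with smtpd_tls_loglevel = 1.
SAMPLE_LOG = """\
Mar 29 09:06:10 mx postfix/smtpd[2101]: SSL_accept error from mail.example.net[192.0.2.10]: Connection timed out
Mar 29 09:06:10 mx postfix/smtpd[2101]: lost connection after STARTTLS from mail.example.net[192.0.2.10]
Mar 29 09:41:32 mx postfix/smtpd[2140]: timeout after STARTTLS from mail.example.net[192.0.2.10]
Mar 29 10:17:05 mx postfix/smtpd[2188]: SSL_accept error from mail.example.net[192.0.2.10]: Connection timed out
Mar 29 10:20:44 mx postfix/smtpd[2190]: SSL_accept error from mx.example.org[198.51.100.7]: -1
Mar 29 10:25:01 mx postfix/smtpd[2195]: Anonymous TLS connection established from mx.example.org[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 29 10:30:12 mx postfix/smtpd[2201]: lost connection after STARTTLS from unknown[203.0.113.5]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*?) from "
                  r"\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]")
FAIL_MSGS = {"SSL_accept error", "lost connection after STARTTLS",
             "timeout after STARTTLS"}


def tls_outcomes(log_text):
    """Return (failed, succeeded): per-client-IP sets of (timestamp, pid)."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        # One broken handshake can log two lines; same second + pid = one event.
        event = (line[:15], m.group("pid"))
        if m.group("msg") in FAIL_MSGS:
            failed[m.group("ip")].add(event)
        elif m.group("msg").endswith("TLS connection established"):
            succeeded[m.group("ip")].add(event)
    return failed, succeeded


def discard_map_entries(log_text, min_failures=3):
    """Lines for the smtpd_discard_ehlo_keyword_address_maps lookup table."""
    failed, succeeded = tls_outcomes(log_text)
    # Skip clients that completed TLS at least once: their failures are transient.
    return [f"{ip}\tstarttls" for ip in sorted(failed)
            if len(failed[ip]) >= min_failures and not succeeded.get(ip)]


if __name__ == "__main__":
    print("\n".join(discard_map_entries(SAMPLE_LOG)))
```

Review the output before adding it to the table, and drop entries again once the remote side is fixed.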