Re: postgrey outgoing mail whitelister
Quoting /dev/rob0:

> On Wed, Apr 18, 2012 at 04:33:31AM +0300, Henrik K wrote:
>> Still, is it too much to ask for looking at things from many angles or backing up claims with any kind of statistics or science instead of personal gut feelings?
>
> Where/how would one collect such data? My mail stream differs from yours, as does my spam problem. The best, meticulously gathered statistics from one site won't be applicable to another site. Unfortunately the gut is what we have.
>
> My gut feeling is that SPF lookups are the surest way to make this scheme work without causing some kind of problem. Yes, my MX is also the outbound relay, but at bigger sites this is less likely.
>
> Another gut feeling: greylisting is past its prime. I do it using postscreen, but I sometimes consider disabling the deep protocol tests. The DNSBL scoring system is what blocks most of my spam.

And that's how the "gut feelings" differ. On our site greylisting is by far the most effective spam-block. For a long time we had problems because the RBL listings for spam sources only appear after they have dropped their spam to us, so pure RBL/DNSBL is near useless for us. With greylisting a big share of the spam bots don't come back anyway and the ones that operate longer are finally listed in the RBLs at the time they would pass greylisting. Combined with a big automatic whitelist the negative impact from greylisting is near zero because all business partners and the like are whitelisted.

Regards

Andreas
redirect null sender
Hi all

I am building a system that will send mails to a list of users, but I need to stop receiving error emails or redirect them to another account or /dev/null. I know it is a bad idea, but the application I am using will handle bounce mails so I don't need error email to be sent to the end user.

Regards
Re: redirect null sender
* Amira Othman:
> Hi all
>
> I am building system that will send mails to list of users but I need to
> stop receiving error emails or redirect them to another account or
> /dev/null. I know it is bad idea but the application I am using will handle
> bounce mails so I don't need error email to be sent to the end user .

If your application is handling bounce mails, why not send those to the application then? Otherwise it cannot handle them, can it?

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
RE: redirect null sender
* Amira Othman:
> Hi all
>
> I am building system that will send mails to list of users but I need to
> stop receiving error emails or redirect them to another account or
> /dev/null. I know it is bad idea but the application I am using will handle
> bounce mails so I don't need error email to be sent to the end user .

If your application is handling bounce mails, why not send those to the application then? Otherwise it cannot handle them, can it?

I don't know how to redirect them because it's not in the format user@domain, it's the null sender. Where can I add this, if it's possible?
Re: redirect null sender
* Amira Othman:
> > * Amira Othman:
> > Hi all
> >
> > I am building system that will send mails to list of users but I need to
> > stop receiving error emails or redirect them to another account or
> > /dev/null. I know it is bad idea but the application I am using will handle
> > bounce mails so I don't need error email to be sent to the end user .
> >
> > If your application is handling bounce mails, why not send those
> > to the application then? Otherwise it cannot handle them, can it?
>
> I don't know how to redirect them to because it's not in the format
> user@domain it's null sender.

the SENDER is null
the recipient is ???

> where can I add this if it's possible?

The bounce goes back to the original sender. The usual way is this:

When sending mail to ralf.hildebra...@charite.de, one would set the sender to:

nameoflist-bounces+ralf.hildebrandt=charite...@sending.domain.com

So, if mail to "ralf.hildebra...@charite.de" bounces, it goes back to "nameoflist-bounces+ralf.hildebrandt=charite...@sending.domain.com", and by converting "nameoflist-bounces+ralf.hildebrandt=charite.de" back to "ralf.hildebra...@charite.de" the app knows which address bounced.

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: postgrey outgoing mail whitelister
On 2012-04-17 6:54 AM, Reindl Harald wrote:
> the hard facts are that EVERY site using a dedicated
> spamfilter (own appliance or external service) have
> different IP's for MX and outgoing mail

Not if they are using said spamfilter service for relaying their outbound mail *and* if the spamfilter service uses the same IP blocks for relaying.

-- 
Best regards,

Charles
Re: postgrey outgoing mail whitelister
On 18.04.2012 14:13, Charles Marcus wrote:
> On 2012-04-17 6:54 AM, Reindl Harald wrote:
>> the hard facts are that EVERY site using a dedicated
>> spamfilter (own appliance or external service) have
>> different IP's for MX and outgoing mail
>
> Not if they are using said spamfilter service for relaying their outbound mail
> *and* if the spamfilter service uses the same IP blocks for relaying.

"IP blocks" does not matter and if you whitelist BLOCKS you are making a major mistake - there are way too many single addresses with static IP and a mailserver where the other IPs in the address-block are totally different customers of the ISP owning the netblock

so you should only whitelist single addresses

a spamfilter usually does not relay

if you have a managed network outgoing mails are usually not spam

so the spamfilter-appliance is a dedicated IP and receives incoming mail from the internet, relays it after scan to the mailserver and the mailserver itself relays directly
RE: redirect null sender
-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ralf Hildebrandt
Sent: Wednesday, April 18, 2012 2:08 PM
To: postfix-users@postfix.org
Subject: Re: redirect null sender

* Amira Othman:
> > * Amira Othman:
> > Hi all
> >
> > I am building system that will send mails to list of users but I need to
> > stop receiving error emails or redirect them to another account or
> > /dev/null. I know it is bad idea but the application I am using will handle
> > bounce mails so I don't need error email to be sent to the end user .
> >
> > If your application is handling bounce mails, why not send those
> > to the application then? Otherwise it cannot handle them, can it?
>
> I don't know how to redirect them to because it's not in the format
> user@domain it's null sender.

the SENDER is null
the recipient is ???

> where can I add this if it's possible?

The bounce goes back to the original sender. The usual way is this:

When sending mail to ralf.hildebra...@charite.de, on would set the sender to:

nameoflist-bounces+ralf.hildebrandt=charite...@sending.domain.com

So, if mail to "ralf.hildebra...@charite.de" bounces, it goes back to "nameoflist-bounces+ralf.hildebrandt=charite...@sending.domain.com", and by converting "nameoflist-bounces+ralf.hildebrandt=charite.de" back to "ralf.hildebra...@charite.de" the app knows which address bounced.

But the original sender will not be a user on my mail server. It will be any client that sends mail through the application. I don't want the client to receive bounces. How can I do that?
Re: redirect null sender
> But the original sender will not be user on my mail server.

It doesn't have to be.

> it will be any client that sends mail through application.

No. A client is a client. The sender is specified by the application.

> I don't want client to receive bounces. How can I do that?

Frankly, I don't think you should be doing this.

Possible solutions:
===

1) Specify the null sender as sender, thus mails cannot bounce.
2) Specify a sender domain pointing to another server (e.g. bounces.example.com)

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: redirect null sender
On Apr 18, 2012, at 14:38, Amira Othman wrote:

>>> I am building system that will send mails to list of users but I need to
>>> stop receiving error emails or redirect them to another account or
>>> /dev/null. I know it is bad idea but the application I am using will handle
>>> bounce mails so I don't need error email to be sent to the end user .
>>
>> I don't know how to redirect them to because it's not in the format
>> user@domain it's null sender.
>
>> where can I add this if it's possible?
>
> But the original sender will not be user on my mail server .it will be any
> client that sends mail through application. I don't want client to receive
> bounces. How can I do that?

Read up on the difference between the envelope sender (MAIL FROM) and the sender specified in the 'From:' header. The former is what is used to handle bounces and errors, the latter is what the recipient sees in their mail application.

The bounces should return to your server where you can process them, based on the envelope sender. Use a domain here that you control, or have your clients delegate a subdomain. See Ralf's message for suggestions on how you can retrieve the original recipient from the bounce address.

And if you set the 'From:' and 'Reply-To:' headers right, the recipient will be able to reply to the messages your clients are sending. It will appear as if sent by them, without coming back to you.

Most importantly though, be sure that you know what you are getting yourself into. Research your options. Read the Postfix documentation. Read the relevant RFCs. Understand all of the above. Use existing functionality, in proven software. Avoid reinventing the wheel, basically :-) And don't discard errors lightly.

HTH,
Jona
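The scheme Ralf and Jona describe in this thread (a per-recipient envelope sender on a domain you control, with the client's address only in the 'From:' and 'Reply-To:' headers) can be sketched as follows. This is an added example, not code from any of the posters; `bounces.example.com` and the sample addresses are constructed placeholders, and the function names are hypothetical.

```python
from email.message import EmailMessage

LIST_NAME = "nameoflist"                # list name as in Ralf's example
BOUNCE_DOMAIN = "bounces.example.com"   # assumption: domain whose MX is your server

def verp_encode(recipient):
    """Per-recipient envelope sender (SMTP MAIL FROM)."""
    local, at, domain = recipient.rpartition("@")
    if not (at and local and domain):
        raise ValueError("not an address: %r" % recipient)
    return "%s-bounces+%s=%s@%s" % (LIST_NAME, local, domain, BOUNCE_DOMAIN)

def verp_decode(address):
    """Recipient encoded in one of our bounce addresses, else None."""
    local, at, domain = address.rpartition("@")
    prefix = LIST_NAME + "-bounces+"
    if not at or domain.lower() != BOUNCE_DOMAIN or not local.startswith(prefix):
        return None
    # Split on the last '=': a domain cannot contain '=', a local part can.
    user, eq, user_domain = local[len(prefix):].rpartition("=")
    if not (eq and user and user_domain):
        return None
    return user + "@" + user_domain

def build_mail(client_from, recipient, subject, body):
    """Return (envelope_sender, envelope_recipient, message)."""
    msg = EmailMessage()
    msg["From"] = client_from        # what the recipient sees
    msg["Reply-To"] = client_from    # replies go to the client, not to us
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # Hand over with smtplib.SMTP.send_message(msg, from_addr=..., to_addrs=[...])
    return verp_encode(recipient), recipient, msg

def handle_bounce(envelope_sender, envelope_recipient):
    """Bounces arrive with the null sender; anything else is not a bounce."""
    if envelope_sender not in ("", "<>"):
        return None
    return verp_decode(envelope_recipient)
```

Because the bounce is addressed to the envelope sender, the client named in 'From:' never receives it, and the application still learns which recipient failed.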
Virtual domain postfix configuration problem
Seems like this is a semi-common problem, but I just can't get my head around this. I've been struggling with this for over 5 days, and I could really use a fresh pair of eyes:

Trying to send an email from an outside domain (t...@pagestream.org in this case) to an email on my server which hosts several domains using virtualmin/webmin to configure everything. The emails never make it, but get refused. Doesn't make a difference where they come from. I've tried many different configurations, so it may well be worse now than when I started. In the current configuration, here is the "final word" from the log (complete log at the end):

Apr 18 22:33:43 lisn-mdv postfix/smtpd[8419]: NOQUEUE: reject: RCPT from a2s61.a2hosting.com[75.98.165.130]: 554 5.7.1 : Recipient address rejected: Access denied; from= to= proto=ESMTP helo=
Apr 18 22:33:43 lisn-mdv postfix/smtpd[8419]: generic_checks: name=reject status=2
Apr 18 22:33:43 lisn-mdv postfix/smtpd[8419]: > a2s61.a2hosting.com[75.98.165.130]: 554 5.7.1 : Recipient address rejected: Access denied

postmap -q t...@marksteiner.ag hash:/etc/postfix/virtual returns test.marksteiner.ag but I don't see trivial-rewrite making that substitution.

The other troublesome bit is that the fqdn is lisn-mdv.razercut.com, but a virtualmin user suggested it should be ns1.razercut.com. They both resolve to the same ip, so I'm not sure what that gains me and it's a non-trivial change.

So could someone give a crazed nut a hand?

Thanks!
Deron

--
Output from postfinger:

postfinger - postfix configuration on Wed Apr 18 22:40:56 EDT 2012
version: 1.30

--System Parameters--
mail_version = 2.8.5
hostname = lisn-mdv.razercut.com
uname = Linux lisn-mdv.razercut.com 2.6.38-11-generic #48-Ubuntu SMP Fri Jul 29 19:02:55 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.8.5-2~build0.11.04

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
debug_peer_level = 5
debug_peer_list = marksteiner.ag,75.98.165.130,faroutprojects.com,75.104.6.189
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mydestination = lisn-mdv.razercut.com, localhost.razercut.com, , localhost, marksteiner.ag, faroutprojects.com, whdt.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
smtp inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes -v
pickup fifo n - - 60 1 pickup -v
cleanup unix n - - - 0 cleanup -v
qmgr fifo n - n 300 1 qmgr -v
tlsmgr unix - - - 1000? 1 tlsmgr -v
rewrite unix - - - - - trivial-rewrite -v
bounce unix - - - - 0 bounce -v
defer unix - - - - 0 bounce -v
trace unix - - - - 0 bounce -v
verify unix - - - - 1 verify -v
flush unix n - - 1000? 0 flush -v
proxymap unix - - n - - proxymap -v
proxywrite unix - - n - 1 proxymap -v
smtp unix - - - - - smtp -v
relay unix - - - - - smtp -v -o smtp_fallback_relay=
showq unix n - - - - showq -v
error unix - - - - - error -v
retry unix - - - - - error -v
discard unix - - - - - discard -v
local unix - n n - - local -v
virtual unix - n n - - virtual -v
lmtp unix - - - - - lmtp -v
anvil unix - - - - 1 anvil -v
scache unix - - - - 1 scache -v
maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifma
postfix lmtp ssl failure
Greetings:

Having difficulty with communications between cyrus-imapd lmtpd (version 2.4.14) and postfix lmtp (version 2.9.1) using openssl (version 1.0.0-fips 29) on Centos (version 6) system. Selinux is in permissive mode.

lmtptest -t "" -p 24 localhost, works without difficulty

openssl s_client -connect 127.0.0.1:24 -starttls smtp works with known announced fault (ehlo instead of lhlo, session is still established)

Certificates seem to be good. channel_cache has been disabled.

However communication breaks down between postfix and cyrus. Using TCP (24) port for common link. It appears that the read for server cipher list is requested prior to the information being placed in buffer, cyrus-imapd replies with 454 4.3(.3) TLS not available, then lmtp reads this as reply cipher list and fails with SSLv3/v2 protocol not found. This causes the handshake to fail.

Please see log output below. Notice the first read returns a (-1) fault from buffer block.

Any suggestions appreciated.

http://old.nabble.com/file/p33705787/maillog.txt maillog.txt
Re: Virtual domain postfix configuration problem
On 4/18/2012 10:21 PM, Deron Kazmaier wrote:
> Seems like this is a semi-common problem, but I just can't get my
> head around this. I've been struggling with this for over 5 days,
> and I could really use a fresh pair of eyes:
>

First, TURN OFF ALL THE DEBUG AND VERBOSE LOGGING! Odds are overwhelming that normal logging contains everything you need to diagnose and fix the problem. Odds are also overwhelming that the thousands of extra debug lines make the important nuggets near impossible to separate from the noise.

> mydestination = lisn-mdv.razercut.com, localhost.razercut.com, , localhost,
> marksteiner.ag, faroutprojects.com, whdt.net

Are all these "local" non-virtual domains? Domains handled by postfix should not be listed in more than one address class.
http://www.postfix.org/ADDRESS_CLASS_README.html

> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated reject

On a general purpose MTA, this must be

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

The final "reject" is causing your current problem. Possibly other problems will show up after you fix this. If you get new errors, post the NON VERBOSE log entries and a fresh postfinger with the new configuration.

-- 
Noel Jones
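Why the final "reject" refuses all outside mail while reject_unauth_destination only refuses relay attempts can be seen in a simplified model of first-match restriction evaluation. This is an added example, not Postfix code and not from the posters: it models only the four restrictions named in this thread, treats mydestination as the complete set of domains the server is final destination for, and uses constructed recipient addresses.

```python
import ipaddress

# Values taken from the postfinger output quoted in this thread.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"lisn-mdv.razercut.com", "localhost.razercut.com", "localhost",
                 "marksteiner.ag", "faroutprojects.com", "whdt.net"}

BROKEN = "permit_mynetworks permit_sasl_authenticated reject"
FIXED = "permit_mynetworks permit_sasl_authenticated reject_unauth_destination"

def evaluate(restrictions, client_ip, sasl_authenticated, rcpt):
    """Return (action, deciding_restriction) for one RCPT TO.

    The first restriction that reaches a decision wins; if none does,
    the recipient is permitted (simplified model, see lead-in).
    """
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rpartition("@")[2].lower()
    for name in restrictions.split():
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return ("permit", name)
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("permit", name)
        elif name == "reject_unauth_destination":
            # Only mail we would have to relay elsewhere is refused.
            if domain not in MYDESTINATION:
                return ("reject", name)
        elif name == "reject":
            # Unconditional: every client that got this far is refused.
            return ("reject", name)
        else:
            raise ValueError("restriction not modelled: " + name)
    return ("permit", "end of list")

def compare(client_ip, sasl_authenticated, rcpt):
    """Outcome under the posted configuration and under the corrected one."""
    return (evaluate(BROKEN, client_ip, sasl_authenticated, rcpt),
            evaluate(FIXED, client_ip, sasl_authenticated, rcpt))
```

With the outside client from the log (75.98.165.130, unauthenticated), a recipient in marksteiner.ag is rejected under the posted list and accepted under the corrected one, while a recipient in a foreign domain is rejected under both, so the server does not become an open relay.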