Re: Receiving mail Relay Access Denied
On Fri, May 11, 2012 at 12:48:38PM +0800, Tseveendorj Ochirlantuu wrote:
> Hello,
>
> I'm new on postfix and I'm trying to configure send and receive mail on postfix with local system user.

Welcome to postfix and this list.

> [..]

Please do not send your main.cf but the output from postconf -n. For further reading about how to report problems see the mailing list welcome message and http://www.postfix.org/DEBUG_README.html#mail.

> mydestination = mail.domain.com

Here you define the domains your mailserver is final destination for. See http://www.postfix.org/postconf.5.html#mydestination.

Btw. domain.com is a valid and used (but surely not by you) domain name. For documentation and examples there is example.{com,net,org}.

> [..]
> but when I send mail from gmail but I got following error in my postfix log.
>
> May 11 12:46:53 univision postfix/smtpd[24500]: connect from mail-bk0-f50.google.com[209.85.214.50]
> May 11 12:46:55 univision postfix/smtpd[24500]: NOQUEUE: reject: RCPT from mail-bk0-f50.google.com[209.85.214.50]: 554 5.7.1 ad...@domain.com: Relay

domain.com does not match mail.domain.com so postfix does not feel responsible for this email.

For further reading have a look here:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/SOHO_README.html

Dennis
Exception in check_sender_access?
Hi,

In my config I have done so that every mail with a NULL sender gets checked at ips.backscatterer.org like this:

smtpd_restriction_classes = backscatter_rbl
backscatter_rbl = reject_rbl_client ips.backscatterer.org
smtpd_recipient_restrictions = . check_sender_access hash:/etc/postfix/check_backscatterer

/etc/postfix/check_backscatterer:
backscatter_rbl

However, is it possible to make an exception for a recipient in some way? If a mail with a NULL sender comes in to except...@domain.com it won't check the sender's IP at ips.backscatterer.org?

I'm using Postfix 2.7.1

Thanks,
-Patric
Re: Exception in check_sender_access?
On 11.05.2012 10:27, Patric Falinder wrote:
> Hi,
>
> In my config I have done so that every mail with a NULL sender gets checked at ips.backscatterer.org like this:
>
> smtpd_restriction_classes = backscatter_rbl
> backscatter_rbl = reject_rbl_client ips.backscatterer.org
> smtpd_recipient_restrictions = . check_sender_access hash:/etc/postfix/check_backscatterer
>
> /etc/postfix/check_backscatterer:
> backscatter_rbl
>
> However, is it possible to make an exception for a recipient in some way? If a mail with a NULL sender comes in to except...@domain.com it won't check the sender's IP at ips.backscatterer.org?
>
> I'm using Postfix 2.7.1
>
> Thanks,
> -Patric

I have removed ips.backscatterer.org, too many false positives, the exceptions went to endless some day

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: Exception in check_sender_access?
Robert Schetterer wrote 2012-05-11 10:32:
> On 11.05.2012 10:27, Patric Falinder wrote:
>> Hi,
>>
>> In my config I have done so that every mail with a NULL sender gets checked at ips.backscatterer.org like this:
>>
>> smtpd_restriction_classes = backscatter_rbl
>> backscatter_rbl = reject_rbl_client ips.backscatterer.org
>> smtpd_recipient_restrictions = . check_sender_access hash:/etc/postfix/check_backscatterer
>>
>> /etc/postfix/check_backscatterer:
>> backscatter_rbl
>>
>> However, is it possible to make an exception for a recipient in some way? If a mail with a NULL sender comes in to except...@domain.com it won't check the sender's IP at ips.backscatterer.org?
>>
>> I'm using Postfix 2.7.1
>>
>> Thanks,
>> -Patric
>
> I have removed ips.backscatterer.org, too many false positives, the exceptions went to endless some day

Is there any other backscatterer-list you can recommend? I haven't had that much problem with it except this time.
Re: Exception in check_sender_access?
On 11.05.2012 10:44, Patric Falinder wrote:
> Robert Schetterer wrote 2012-05-11 10:32:
>> On 11.05.2012 10:27, Patric Falinder wrote:
>>> Hi,
>>>
>>> In my config I have done so that every mail with a NULL sender gets checked at ips.backscatterer.org like this:
>>>
>>> smtpd_restriction_classes = backscatter_rbl
>>> backscatter_rbl = reject_rbl_client ips.backscatterer.org
>>> smtpd_recipient_restrictions = . check_sender_access hash:/etc/postfix/check_backscatterer
>>>
>>> /etc/postfix/check_backscatterer:
>>> backscatter_rbl
>>>
>>> However, is it possible to make an exception for a recipient in some way? If a mail with a NULL sender comes in to except...@domain.com it won't check the sender's IP at ips.backscatterer.org?
>>>
>>> I'm using Postfix 2.7.1
>>>
>>> Thanks,
>>> -Patric
>>
>> I have removed ips.backscatterer.org, too many false positives, the exceptions went to endless some day
>
> Is there any other backscatterer-list you can recommend? I haven't had that much problem with it except this time.

No, I haven't. It's simply not the right tech to avoid backscatter in general, I think. However, it may be OK for you, i.e. if you always have the same domains or servers which backscatter you, which means blacklisting with this RBL, not whitelisting exceptions.

Analyse your logs if use of this RBL is helpful at your site, then decide if you need it.

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: Exception in check_sender_access?
Robert Schetterer wrote 2012-05-11 10:50:
> On 11.05.2012 10:44, Patric Falinder wrote:
>> Robert Schetterer wrote 2012-05-11 10:32:
>>> On 11.05.2012 10:27, Patric Falinder wrote:
>>>> Hi,
>>>>
>>>> In my config I have done so that every mail with a NULL sender gets checked at ips.backscatterer.org like this:
>>>>
>>>> smtpd_restriction_classes = backscatter_rbl
>>>> backscatter_rbl = reject_rbl_client ips.backscatterer.org
>>>> smtpd_recipient_restrictions = . check_sender_access hash:/etc/postfix/check_backscatterer
>>>>
>>>> /etc/postfix/check_backscatterer:
>>>> backscatter_rbl
>>>>
>>>> However, is it possible to make an exception for a recipient in some way? If a mail with a NULL sender comes in to except...@domain.com it won't check the sender's IP at ips.backscatterer.org?
>>>>
>>>> I'm using Postfix 2.7.1
>>>>
>>>> Thanks,
>>>> -Patric
>>>
>>> I have removed ips.backscatterer.org, too many false positives, the exceptions went to endless some day
>>
>> Is there any other backscatterer-list you can recommend? I haven't had that much problem with it except this time.
>
> No, I haven't. It's simply not the right tech to avoid backscatter in general, I think. However, it may be OK for you, i.e. if you always have the same domains or servers which backscatter you, which means blacklisting with this RBL, not whitelisting exceptions.
>
> Analyse your logs if use of this RBL is helpful at your site, then decide if you need it.

Yeah, just noticed that it doesn't do much help after all. It blocked much more back when I started using it, now it's like 10-20 blocks per day so I'm going to run without it for a while and see how it goes.

Thanks for your help!
Postscreen not working
Hi Members,

I set up postscreen on one of my postfix-2.8.4 mail servers. Postscreen is not working and I am getting the following in the log file -

fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable
postfix/master[8783]: warning: process /usr/libexec/postfix/postscreen pid 14066 exit status 1
nav1 postfix/master[8783]: warning: /usr/libexec/postfix/postscreen: bad command startup -- throttling

-

Please guide how I can resolve this issue, and the number of processes configured for postscreen is only 1 in master.conf.

Thanks
Re: Postscreen not working
Hi Vishesh,

Can you share your postconf -n and master.cf file?

Regards,
Uma Shankar

On Fri, May 11, 2012 at 2:46 PM, vishesh kumar linuxtovish...@gmail.com wrote:
> Hi Members,
>
> I set up postscreen on one of my postfix-2.8.4 mail servers. Postscreen is not working and I am getting the following in the log file -
>
> fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable
> postfix/master[8783]: warning: process /usr/libexec/postfix/postscreen pid 14066 exit status 1
> nav1 postfix/master[8783]: warning: /usr/libexec/postfix/postscreen: bad command startup -- throttling
>
> -
>
> Please guide how I can resolve this issue, and the number of processes configured for postscreen is only 1 in master.conf.
>
> Thanks
Re: Postscreen not working
Hi Shankar,

My master.cf is as follows -

smtp      inet  n  -  n  -  1  postscreen soft_bounce=yes
smtpd     pass  -  -  n  -  -  smtpd
dnsblog   unix  -  -  n  -  0  dnsblog
tlsproxy  unix  -  -  n  -  0  tlsproxy

--

and postfix conf file is -

postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:/var/lib/postfix/postscreen_cache
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*2 b.barracudacentral.org*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
proxy_write_maps =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.8.4/README_FILES
sample_directory = /usr/share/doc/postfix-2.8.4/samples
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client nomail.rhsbl.sorbs.net
smtpd_milters = inet:localhost:12768
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110

---

Thanks

On Fri, May 11, 2012 at 3:00 PM, Uma Shankar rajarya...@gmail.com wrote:
> Hi Vishesh,
>
> Can you share your postconf -n and master.cf file?
>
> Regards,
> Uma Shankar
>
> On Fri, May 11, 2012 at 2:46 PM, vishesh kumar linuxtovish...@gmail.com wrote:
>> Hi Members,
>>
>> I set up postscreen on one of my postfix-2.8.4 mail servers. Postscreen is not working and I am getting the following in the log file -
>>
>> fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable
>> postfix/master[8783]: warning: process /usr/libexec/postfix/postscreen pid 14066 exit status 1
>> nav1 postfix/master[8783]: warning: /usr/libexec/postfix/postscreen: bad command startup -- throttling
>>
>> -
>>
>> Please guide how I can resolve this issue, and the number of processes configured for postscreen is only 1 in master.conf.
>>
>> Thanks

--
http://linuxmantra.com
Re: Postscreen not working
vishesh kumar:
> fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable

You can't share one /var/lib/postfix/postscreen_cache.db file with more than one postscreen process. How many main.cf/master.cf files are there on your system?

Instead of /var/lib/postfix, use $data_directory to avoid file sharing conflicts.

Wietse
Logging Help
Hello all,

I just wanted to ensure that I am not duplicating my logging procedures for Postfix. I have set up my mail server so that I am receiving messages for info, warn, err and log. Looking at these, I can see that some of the messages I receive are duplicated in other logs. Is there an optimal way to set up logging so that messages are duplicated?

Hopefully I'm making sense!

Cheers,
--
Tim Smith
Tel: 01423 564 078
Mob: 07984 398 299
Email: t...@titan21.co.uk
Web: www.titan21.co.uk
Re: SPF Policy Daemon: Sender vs. Recipient Rejected?
On Thu, 10 May 2012 23:23:43 +0200 Benny Pedersen m...@junc.org wrote:
> On 2012-05-10 14:40, James Seymour wrote:
>> Eh? Explain, please?
>
> check_policy_service must be after reject_unlisted_recipient
[snip]
> that makes sure greylist is not called for unlisted users that will be rejected as unknown users later
[snip]

That does not solve the problem at hand. (Besides: One might argue that generating a delay in a user does not exist response is a Good Thing. Slows the spammers down and really doesn't have all that much effect on legitimate senders.)

And, with that, I guess we're done with this discussion. Only solution is to move the SPF check to sender restrictions, and I don't care to engage in that complexity.

Thanks for the feedback, everybody.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at http://jimsun.LinxNet.com/contact/scform.php.
Re: Postscreen DNSBL weights
On Thu, May 10, 2012 at 11:38:07PM -0400, Sahil Tandon wrote:
> On Fri, 2012-05-04 at 11:29:01 -0400, Rod K wrote:
>> Was wondering if anyone would be willing to share what DNSBL and weights they are using with Postscreen.
>
> Mine are adapted from a previous post by /dev/rob0:

Mine is still very similar. I think I need to add a few more one-point sites.

> postscreen_dnsbl_threshold = 3
> postscreen_dnsbl_sites =
>     zen.spamhaus.org*3
>     b.barracudacentral.org*3

While I agree with this, I still keep BRBL score at 2. I call it as reject_rbl_client for most of my recipient domains, so in effect I'm doing the same. But BRBL requires at least one other DNSBL to cause postscreen rejection.

>     dnsbl.njabl.org*2
>     bl.spameatingmonkey.net*2
>     bl.spamcop.net
>     dnsbl.ahbl.org

Not very effective, but very accurate. I give AHBL 2 points.

>     spamtrap.trblspam.com
>     swl.spamhaus.org*-5
>     list.dnswl.org=127.[0..255].[0..255].0*-2
>     list.dnswl.org=127.[0..255].[0..255].1*-4
>     list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
>
> And FWIW, the below statistics correspond to a recent 24hr period; TOTAL is the number of IPs listed by a given zone, and UNIQ is the number of IPs listed *only* by that zone. Regarding overlap with whitelists, I've noticed that it's consistently highest for spamtrap.trblspam.com.
>
> UNIQ/TOTAL   DNSBL                     DNSWL
> 1022/17454   b.barracudacentral.org    17
> 54/6841      bl.spamcop.net            25
> 4/5502       bl.spameatingmonkey.net   0
> 5/96         dnsbl.ahbl.org            0
> 7/134        dnsbl.njabl.org           3
> 587/3842     spamtrap.trblspam.com     469
> 1609/18263   zen.spamhaus.org          5

Most of those DNSWL hits are list.dnswl.org=127.0.15.0, I bet. I toy with the idea of using that as a one-point DNSBL. :) I actually did configure a per-recipient-domain restriction class which does a reject_rbl_client for list.dnswl.org=127.0.15.0, but it's not used for any domains which receive significant mail from outside.

(This idea, of using dnswl.org as a DNSBL, has been discussed on SDLU.)

> UNIQ/TOTAL   DNSWL              DNSBL
> 2514/2520    list.dnswl.org     510
> 0/6          swl.spamhaus.org   0

SWL is so good that it's useless. :) They're being very careful with invitations such that the list is small, and as pure as the driven snow, but here in postscreen, you might as well not use SWL. No host on SWL has any significant DNSBL listing -- I bet if it did, it would come off of SWL pretty quick.

I'm sure SWL has its use in content filtering, however.

Excellent post, Sahil, thanks.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: Logging Help
Tim:
> Hello all,
>
> I just wanted to ensure that I am not duplicating my logging procedures for Postfix. I have set up my mail server so that I am receiving messages for info, warn, err and log. Looking at these, I can see that some of the messages I receive are duplicated in other logs. Is there an optimal way to set up logging so that messages are duplicated?
>
> Hopefully I'm making sense!

Postfix logs its activities at different levels of severity. The worst one can do is to split the Postfix event stream into different files for different levels, such that one file contains only normal activity, one file contains only warnings, etc. In such a setting, a warning/error/fatal/panic message loses much of its value (for you or people who can help on the postfix-users list) because it lacks the context of normal activity that immediately precedes or follows.

On the other hand, Postfix can produce a lot of logging on a busy server, therefore logging the same thing multiple times can be wasteful.

I use one logfile and rotate as often as needed; you may want to use one logfile that records all severity levels, and one logfile for warning/error/fatal/panic only.

Wietse
Re: Logging Help
Hi Wietse,

You're quite correct. My logs are rotated and destroyed on a regular basis so the suggestion of collating all logging in one file and using .err and .warn to flag specific errors seems sensible.

Thanks for the help.

Tim

On Fri, 2012-05-11 at 08:44 -0400, Wietse Venema wrote:
> Tim:
>> Hello all,
>>
>> I just wanted to ensure that I am not duplicating my logging procedures for Postfix. I have set up my mail server so that I am receiving messages for info, warn, err and log. Looking at these, I can see that some of the messages I receive are duplicated in other logs. Is there an optimal way to set up logging so that messages are duplicated?
>>
>> Hopefully I'm making sense!
>
> Postfix logs its activities at different levels of severity. The worst one can do is to split the Postfix event stream into different files for different levels, such that one file contains only normal activity, one file contains only warnings, etc. In such a setting, a warning/error/fatal/panic message loses much of its value (for you or people who can help on the postfix-users list) because it lacks the context of normal activity that immediately precedes or follows.
>
> On the other hand, Postfix can produce a lot of logging on a busy server, therefore logging the same thing multiple times can be wasteful.
>
> I use one logfile and rotate as often as needed; you may want to use one logfile that records all severity levels, and one logfile for warning/error/fatal/panic only.
>
> Wietse

--
Tim Smith
Tel: 01423 564 078
Mob: 07984 398 299
Email: t...@titan21.co.uk
Web: www.titan21.co.uk
Re: Postscreen DNSBL weights
Hello,

with your suggestions I modified my config:

postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.mailspike.net*3
    b.barracudacentral.org*2
    combined.njabl.org=127.0.0.[2;4;9]*2
    dnsbl.ahbl.org*2
    bl.spameatingmonkey.net
    bl.spamcop.net
    spamtrap.trblspam.com
    dnsbl.sorbs.net=127.0.0.[2;3;6;7;10]
    ix.dnsbl.manitu.net
    list.dnswl.org=127.0.[0..255].0*-1
    list.dnswl.org=127.0.[0..255].1*-2
    list.dnswl.org=127.0.[0..255].[2..3]*-3
    iadb.isipp.com=127.0.[0..255].[0..255]*-2
    iadb.isipp.com=127.3.100.[6..200]*-2
    wl.mailspike.net=127.0.0.[17;18]*-1
    wl.mailspike.net=127.0.0.[19;20]*-2

Thanks,
Andrea

On 11/05/2012 14:35, /dev/rob0 wrote:
> On Thu, May 10, 2012 at 11:38:07PM -0400, Sahil Tandon wrote:
>> On Fri, 2012-05-04 at 11:29:01 -0400, Rod K wrote:
>>> Was wondering if anyone would be willing to share what DNSBL and weights they are using with Postscreen.
>>
>> Mine are adapted from a previous post by /dev/rob0:
>
> Mine is still very similar. I think I need to add a few more one-point sites.
>
>> postscreen_dnsbl_threshold = 3
>> postscreen_dnsbl_sites =
>>     zen.spamhaus.org*3
>>     b.barracudacentral.org*3
>
> While I agree with this, I still keep BRBL score at 2. I call it as reject_rbl_client for most of my recipient domains, so in effect I'm doing the same. But BRBL requires at least one other DNSBL to cause postscreen rejection.
>
>>     dnsbl.njabl.org*2
>>     bl.spameatingmonkey.net*2
>>     bl.spamcop.net
>>     dnsbl.ahbl.org
>
> Not very effective, but very accurate. I give AHBL 2 points.
>
>>     spamtrap.trblspam.com
>>     swl.spamhaus.org*-5
>>     list.dnswl.org=127.[0..255].[0..255].0*-2
>>     list.dnswl.org=127.[0..255].[0..255].1*-4
>>     list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
>>
>> And FWIW, the below statistics correspond to a recent 24hr period; TOTAL is the number of IPs listed by a given zone, and UNIQ is the number of IPs listed *only* by that zone. Regarding overlap with whitelists, I've noticed that it's consistently highest for spamtrap.trblspam.com.
>>
>> UNIQ/TOTAL   DNSBL                     DNSWL
>> 1022/17454   b.barracudacentral.org    17
>> 54/6841      bl.spamcop.net            25
>> 4/5502       bl.spameatingmonkey.net   0
>> 5/96         dnsbl.ahbl.org            0
>> 7/134        dnsbl.njabl.org           3
>> 587/3842     spamtrap.trblspam.com     469
>> 1609/18263   zen.spamhaus.org          5
>
> Most of those DNSWL hits are list.dnswl.org=127.0.15.0, I bet. I toy with the idea of using that as a one-point DNSBL. :) I actually did configure a per-recipient-domain restriction class which does a reject_rbl_client for list.dnswl.org=127.0.15.0, but it's not used for any domains which receive significant mail from outside.
>
> (This idea, of using dnswl.org as a DNSBL, has been discussed on SDLU.)
>
>> UNIQ/TOTAL   DNSWL              DNSBL
>> 2514/2520    list.dnswl.org     510
>> 0/6          swl.spamhaus.org   0
>
> SWL is so good that it's useless. :) They're being very careful with invitations such that the list is small, and as pure as the driven snow, but here in postscreen, you might as well not use SWL. No host on SWL has any significant DNSBL listing -- I bet if it did, it would come off of SWL pretty quick.
>
> I'm sure SWL has its use in content filtering, however.
>
> Excellent post, Sahil, thanks.
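The weighted scoring discussed in this thread, worked through as an added example that is not part of any poster's message or of Postfix itself. It parses the postscreen_dnsbl_sites value posted above using the domain=filter*weight rules from postconf(5) (default weight 1, an entry counts at most once, a client is blocked when the score reaches the threshold). The function names are hypothetical and the DNS replies are constructed sample data.

```python
import re

# postscreen_dnsbl_sites and threshold as posted in the message above.
SITES = """
zen.spamhaus.org*3 bl.mailspike.net*3 b.barracudacentral.org*2
combined.njabl.org=127.0.0.[2;4;9]*2 dnsbl.ahbl.org*2
bl.spameatingmonkey.net bl.spamcop.net spamtrap.trblspam.com
dnsbl.sorbs.net=127.0.0.[2;3;6;7;10] ix.dnsbl.manitu.net
list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2
list.dnswl.org=127.0.[0..255].[2..3]*-3
iadb.isipp.com=127.0.[0..255].[0..255]*-2 iadb.isipp.com=127.3.100.[6..200]*-2
wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2
"""
THRESHOLD = 3  # postscreen_dnsbl_threshold
ENTRY = re.compile(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?")  # domain[=filter][*weight]

def parse_sites(value):
    """Split the setting into (domain, filter or None, weight) tuples."""
    sites = []
    for entry in re.split(r"[,\s]+", value.strip()):
        m = ENTRY.fullmatch(entry)
        if m is None:
            raise ValueError(f"unparseable entry: {entry!r}")
        domain, filt, weight = m.groups()
        sites.append((domain, filt, 1 if weight is None else int(weight)))
    return sites

def octet_matches(pattern, octet):
    """pattern is a number, or [...] holding ';'-separated numbers or a..b ranges."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        low, _, high = part.partition("..")
        if int(low) <= octet <= int(high or low):
            return True
    return False

def reply_matches(filt, reply):
    """True if one DNSBL A-record reply passes the entry's filter."""
    if filt is None:                      # no filter: any non-error reply counts
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == len(octets) == 4 and all(
        octet_matches(p, o) for p, o in zip(patterns, octets))

def dnsbl_score(sites, replies):
    """replies maps a DNSBL domain to the A records returned for one client."""
    # any() makes an entry's weight count at most once, however many records match
    return sum(weight for domain, filt, weight in sites
               if any(reply_matches(filt, r) for r in replies.get(domain, [])))

def blocked(score, threshold=THRESHOLD):
    return score >= threshold             # threshold is an inclusive lower bound

# Constructed replies for hypothetical clients; no real DNS lookups are made.
CLIENTS = {
    "brbl-only": {"b.barracudacentral.org": ["127.0.0.2"]},
    "brbl+spamcop": {"b.barracudacentral.org": ["127.0.0.2"],
                     "bl.spamcop.net": ["127.0.0.2"]},
    "zen+dnswl": {"zen.spamhaus.org": ["127.0.0.4"], "list.dnswl.org": ["127.0.5.3"]},
    "njabl-other-code": {"combined.njabl.org": ["127.0.0.3"]},
}

if __name__ == "__main__":
    for name, replies in CLIENTS.items():
        score = dnsbl_score(parse_sites(SITES), replies)
        print(f"{name:18} score={score:+d} blocked={blocked(score)}")
```

With these weights a host listed only on b.barracudacentral.org scores 2 and passes, one additional one-point listing pushes it to the threshold, and a zen.spamhaus.org hit is cancelled by a list.dnswl.org reply matching the -3 entry.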
Re: Postscreen not working
Hi Wietse,

I have only one main.cf and one master.cf. Also if I can't share /var/lib/postfix/postscreen_cache then what options do I have?

Thanks
Vishesh Kumar

On Fri, May 11, 2012 at 4:31 PM, Wietse Venema wie...@porcupine.org wrote:
> vishesh kumar:
>> fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable
>
> You can't share one /var/lib/postfix/postscreen_cache.db file with more than one postscreen process. How many main.cf/master.cf files are there on your system?
>
> Instead of /var/lib/postfix, use $data_directory to avoid file sharing conflicts.
>
> Wietse

--
http://linuxmantra.com
Re: Postscreen not working
vishesh kumar:
> fatal: btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable

Wietse:
> You can't share one /var/lib/postfix/postscreen_cache.db file with more than one postscreen process. How many main.cf/master.cf files are there on your system?
>
> Instead of /var/lib/postfix, use $data_directory to avoid file sharing conflicts.

vishesh kumar:
> I have only one main.cf and one master.cf . Also if i can't share /var/lib/postfix/postscreen_cache then what options i have ?

You can share it via the memcache protocol.

http://www.postfix.org/POSTSCREEN_README.html
http://www.postfix.org/DATABASE_README.html
http://www.postfix.org/memcache_table.html

Wietse