Re: BCP on throttling outbound mail

2012-07-23 Thread Stan Hoeppner
On 7/24/2012 12:44 AM, CSS wrote:
> 
> On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote:
> 
>> On 7/23/2012 4:16 PM, CSS wrote:
>>
>>> I'd like to take some measures to limit what an authenticated sender can do 
>>> but not limit legitimate use.
>>
>> See:
>> http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
>>
>> You would apply this to your submission service, eg:
>>
>> 587  inet  n   -   n   -   -   smtpd
>>  -o smtpd_enforce_tls=yes
>>  -o smtpd_sasl_auth_enable=yes
>>  -o smtpd_client_connection_rate_limit=1
>>
>> This limits spammers and legit users to 1 msg/min, 60 msgs per hour.
>> Postfix is not psychic.
>>
>> This may be a problem for roaming users who send batches of mails when
>> they get a connection--10 msgs takes 10 minutes.  Thus, as with
>> anything, some analysis and [re]tuning will be required.  If you trust
>> some users to never have their acct compromised, you can always create
>> multiple submission services on different ports and have different
>> limits for different sets of users, or even no limits for some.
>>
>> Not a perfect solution, but better than what you have now.

>  If I can cobble this thing together, the quota module offers things like 
> messages per day or per hour, which is a fairly reasonable way to restrict 
> customers.

Apparently you didn't read the docs I provided.
http://www.postfix.org/postconf.5.html#anvil_rate_time_unit

The time unit over which client connection rates and other rates are
calculated.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds)

> Are there any other specific policy daemons I've missed that deal explicitly 
> with rate-limiting?

Probably.  But I think you summarily discounted the inbuilt Postfix
equivalent too quickly, without even looking at it.  You can have it
running in less than 60 seconds.

> It seems like the internet as whole would certainly benefit from a 
> dead-simple policy daemon that could thwart the attempts of spammers using 
> hijacked credentials to spew their junk.

You'd think human beings would be smart enough to follow directions and
use strong passwords, AV software, etc, and not fall for phishing scams.
 Your adversary in this war isn't the spammers, it's not the technology,
but your users.

You should not be expending any more time/effort on the tech piece of
the solution beyond finding the most basic rate limiting tool and
enabling it to prevent spewage, right now.  This is the smallest battle
in this war.

The big battles are user education (AV software on their machines, safe
surfing habits, anti-phish education, etc), and wholesale forcing all
users to change to *enforced* strong passwords.

The user related stuff wins this war.  The tech portion merely decreases
the amount of damage per clueless user battle.

-- 
Stan



Re: BCP on throttling outbound mail

2012-07-23 Thread CSS

On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote:

> On 7/23/2012 4:16 PM, CSS wrote:
> 
>> I'd like to take some measures to limit what an authenticated sender can do 
>> but not limit legitimate use.
> 
> See:
> http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
> 
> You would apply this to your submission service, eg:
> 
> 587  inet  n   -   n   -   -   smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_connection_rate_limit=1
> 
> This limits spammers and legit users to 1 msg/min, 60 msgs per hour.
> Postfix is not psychic.
> 
> This may be a problem for roaming users who send batches of mails when
> they get a connection--10 msgs takes 10 minutes.  Thus, as with
> anything, some analysis and [re]tuning will be required.  If you trust
> some users to never have their acct compromised, you can always create
> multiple submission services on different ports and have different
> limits for different sets of users, or even no limits for some.
> 
> Not a perfect solution, but better than what you have now.

I'm looking at "policyd2/cluebringer" as well, but it's non-intuitive to say 
the least.  Install is easy, hooking in to postfix is easy, but there's a huge 
lack of howto docs on configuring the actual policies for specific use cases.  
The quota module looks great, but getting data into the config to delineate 
internal vs. external domains (and what about a sasl-authenticated user sending 
from another domain?) is quite challenging.  If I can cobble this thing 
together, the quota module offers things like messages per day or per hour, 
which is a fairly reasonable way to restrict customers.

Are there any other specific policy daemons I've missed that deal explicitly 
with rate-limiting?

It seems like the internet as whole would certainly benefit from a dead-simple 
policy daemon that could thwart the attempts of spammers using hijacked 
credentials to spew their junk.

Thanks,

Charles

> 
> -- 
> Stan
> 



Re: BCP on throttling outbound mail

2012-07-23 Thread Stan Hoeppner
On 7/23/2012 4:16 PM, CSS wrote:

> I'd like to take some measures to limit what an authenticated sender can do 
> but not limit legitimate use.

See:
http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit

You would apply this to your submission service, eg:

587  inet  n   -   n   -   -   smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_connection_rate_limit=1

This limits spammers and legit users to 1 msg/min, 60 msgs per hour.
Postfix is not psychic.

This may be a problem for roaming users who send batches of mails when
they get a connection--10 msgs takes 10 minutes.  Thus, as with
anything, some analysis and [re]tuning will be required.  If you trust
some users to never have their acct compromised, you can always create
multiple submission services on different ports and have different
limits for different sets of users, or even no limits for some.

Not a perfect solution, but better than what you have now.

-- 
Stan



Re: Suppressing *all* MX lookups on a transport

2012-07-23 Thread Noel Jones
On 7/23/2012 7:22 PM, Ori Bani wrote:
> On Mon, Jul 23, 2012 at 5:07 PM, Viktor Dukhovni
>  wrote:
>> What's wrong with MX lookups? If the records are absent, Postfix
>> will use A records,
> 
> Interesting, for me, postfix was throwing up its hands instead.

That's not normal behavior.  If possible, the list would like to see
the "postconf -n" and logging produced that constitutes throwing up
hands when there is no MX record.


  -- Noel Jones



Re: Suppressing *all* MX lookups on a transport

2012-07-23 Thread Ori Bani
On Mon, Jul 23, 2012 at 5:07 PM, Viktor Dukhovni
 wrote:
> On Mon, Jul 23, 2012 at 03:33:53PM -0700, Marty Beckler wrote:
>
>> Transport next hops can have MX lookups disabled by adding [] around
>> the next hop.
>>
>> Is it possible to define a transport that always has MX lookups
>> disabled without specifying the next hop?
>>
>> man 5 transport says that trivial-rewrite(8) doesn't allow
>> substitutions in pcre tables, otherwise, this is what I'd want:
>>
>> /(.+\.internal)/  internal_smtp:[$1]
>>
>> So is there any other way to disable MX lookups wholesale for a given 
>> transport?
>
> What's wrong with MX lookups? If the records are absent, Postfix
> will use A records,

Interesting, for me, postfix was throwing up its hands instead.

> so you generally don't need to suppress MX
> lookups unless you have wildcard MX records or incorrect MX records.
> Just make sure your MX records either don't exist or are sensible.
>
> Making up top level domains like ".internal" is not a good idea.
> If the TLD is not reserved by RFC and does not exist (yet) don't
> use it. With ICANN slated to register a few thousand new TLDs this
> year, you may find your fantasy TLD turning into someone else's
> reality.
>
> If your domain is "example.com", consider "internal.example.com"
> as a "root" for internal domains.

There are too many hosts we need to resolve so short of DNS tricks, just
disabling lookups in postfix is easiest. OK, thanks for your advice. I
appreciate it.


Re: Suppressing *all* MX lookups on a transport

2012-07-23 Thread Ori Bani
On Mon, Jul 23, 2012 at 4:27 PM, Wietse Venema  wrote:
> Marty Beckler:
>> Transport next hops can have MX lookups disabled by adding [] around
>> the next hop.
>>
>> Is it possible to define a transport that always has MX lookups
>> disabled without specifying the next hop?
>
> /etc/postfix/transport:
> example.com smtp-no-mx:
>
> /etc/postfix/master.cf:
> smtp-no-mx  unix  -   -   n   -   -   smtp
>   disable_dns_lookups=yes

I believe this needs a -o in front. Testing shows that it does what I
wanted. Thanks for your help and your great software. We are all
indebted to you.

> This will force A record lookups using getaddrinfo().
>
> No-one should do this on an Internet-facing SMTP client.

Roger!


Re: Suppressing *all* MX lookups on a transport

2012-07-23 Thread Viktor Dukhovni
On Mon, Jul 23, 2012 at 03:33:53PM -0700, Marty Beckler wrote:

> Transport next hops can have MX lookups disabled by adding [] around
> the next hop.
> 
> Is it possible to define a transport that always has MX lookups
> disabled without specifying the next hop?
> 
> man 5 transport says that trivial-rewrite(8) doesn't allow
> substitutions in pcre tables, otherwise, this is what I'd want:
> 
> /(.+\.internal)/  internal_smtp:[$1]
> 
> So is there any other way to disable MX lookups wholesale for a given 
> transport?

What's wrong with MX lookups? If the records are absent, Postfix
will use A records, so you generally don't need to suppress MX
lookups unless you have wildcard MX records or incorrect MX records.
Just make sure your MX records either don't exist or are sensible.

Making up top level domains like ".internal" is not a good idea.
If the TLD is not reserved by RFC and does not exist (yet) don't
use it. With ICANN slated to register a few thousand new TLDs this
year, you may find your fantasy TLD turning into someone else's
reality.

If your domain is "example.com", consider "internal.example.com"
as a "root" for internal domains.

-- 
Viktor.


Re: Suppressing *all* MX lookups on a transport

2012-07-23 Thread Viktor Dukhovni
On Mon, Jul 23, 2012 at 07:27:05PM -0400, Wietse Venema wrote:

> Marty Beckler:
> > Transport next hops can have MX lookups disabled by adding [] around
> > the next hop.
> > 
> > Is it possible to define a transport that always has MX lookups
> > disabled without specifying the next hop?
> 
> /etc/postfix/transport:
> example.com   smtp-no-mx:
> 
> /etc/postfix/master.cf:
> smtp-no-mx  unix  -   -   n   -   -   smtp
>   disable_dns_lookups=yes

That should of course have a "-o" flag:

/etc/postfix/master.cf:
smtp-no-mx  unix  -   -   n   -   -   smtp
  -o disable_dns_lookups=yes

This is generally a bad idea, non-mx destinations should be the
exception, not the rule. Since you're not likely to set

default_transport = smtp-no-mx

destinations that use it would be explicitly listed in the transport
table, and it is no harder to type:

example.com smtp:[gateway.example.com]

than:

example.com smtp-no-mx:gateway.example.com

Avoid "disable_dns_lookups=yes"; it is more likely to be misused than
used correctly.

-- 
Viktor.


Re: Suppressing *all* MX lookups on a transport

2012-07-23 Thread Wietse Venema
Marty Beckler:
> Transport next hops can have MX lookups disabled by adding [] around
> the next hop.
> 
> Is it possible to define a transport that always has MX lookups
> disabled without specifying the next hop?

/etc/postfix/transport:
example.com smtp-no-mx:

/etc/postfix/master.cf:
smtp-no-mx  unix  -   -   n   -   -   smtp
  disable_dns_lookups=yes

This will force A record lookups using getaddrinfo().

No-one should do this on an Internet-facing SMTP client.

Wietse


Suppressing *all* MX lookups on a transport

2012-07-23 Thread Marty Beckler
Transport next hops can have MX lookups disabled by adding [] around
the next hop.

Is it possible to define a transport that always has MX lookups
disabled without specifying the next hop?

man 5 transport says that trivial-rewrite(8) doesn't allow
substitutions in pcre tables, otherwise, this is what I'd want:

/(.+\.internal)/  internal_smtp:[$1]

So is there any other way to disable MX lookups wholesale for a given transport?

It'd be nice to do something like this:

.internal  internal_smtp:[]

Or a hack for trivial-rewrite that allows pcre substitutions in
transport tables (if some security issue arises, maybe the use of
substitutions can be restricted in some way?)


BCP on throttling outbound mail

2012-07-23 Thread CSS
Hello,

Sorry for the broad question, but is there any sort of best common practice 
these days regarding limiting outbound email?  We recently had a customer's 
account compromised (not sure if it was brute-forced or keylogged) and then the 
perp proceeded to use their credentials to smtp-auth themselves a huge load of 
viagra spam.

I'd like to take some measures to limit what an authenticated sender can do but 
not limit legitimate use.  I assume this is not an uncommon scenario, but 
pointers from those with more Postfix experience would be quite welcome.

I do have amavis available for outbound virus scanning, and could conceivably 
have it do the same with spam scanning but that feels not quite right (and 
probably fairly resource intensive if someone was trying to cram tens of 
thousands of messages through the system).

Thanks,

Charles

Re: Message content in Policy Delegation

2012-07-23 Thread Alfredo Saldanha
Ok, 


I'm asking this because I need to do these checks according to the user/group; I
cannot check globally.
I'll read more about Milters.


Thank you. 



- Original message -

From: "Viktor Dukhovni"
To: postfix-users@postfix.org
Sent: Monday, July 23, 2012 15:21:02
Subject: Re: Message content in Policy Delegation

On Mon, Jul 23, 2012 at 02:28:33PM -0300, Alfredo Saldanha wrote: 

> I'd like to know if it is possible to check some items using postfix
> policy delegation:
> 
> - file extensions 

No. Message content is not available to policy services. 

> - text in subject 

No. Message content is not available to policy services. 

> - some specific words 

No. Message content is not available to policy services. 

Content inspection is supported via: 

- Built-in header/body checks 
- Post-queue content filters 
- Pre-queue proxy filters 
- Milters 

-- 
Viktor. 



Re: Message content in Policy Delegation

2012-07-23 Thread Wietse Venema
Alfredo Saldanha:
> 
> Hi there, 
> 
> 
> I'd like to know if it is possible to check some items using postfix policy
> delegation:

Message content is not available via this interface. Consider using
the interfaces for deep content inspection: SMTP-based or Milter.

Wietse


Re: Message content in Policy Delegation

2012-07-23 Thread Viktor Dukhovni
On Mon, Jul 23, 2012 at 02:28:33PM -0300, Alfredo Saldanha wrote:

> I'd like to know if it is possible to check some items using postfix
> policy delegation:
>
> - file extensions 

No. Message content is not available to policy services.

> - text in subject 

No. Message content is not available to policy services.

> - some specific words 

No. Message content is not available to policy services.

Content inspection is supported via:

- Built-in header/body checks
- Post-queue content filters
- Pre-queue proxy filters
- Milters

-- 
Viktor.
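
Added example, not code from this thread or from the Postfix project: a minimal policy service of the kind the throttling thread asks for, capping RCPT TO attempts per sasl_username, which also shows that a policy request carries only session and envelope attributes and never message content. The limits, the port 10040 and the check_policy_service hookup in the comments are assumptions.

```python
import socketserver
import threading
import time
from collections import defaultdict, deque

# Constructed sample of what smtpd sends to a policy service at RCPT TO.
# Only session and envelope attributes appear: no headers, Subject or body.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "sasl_method=PLAIN\n"
    "sasl_username=alice@example.com\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.net\n"
    "\n"
)


def parse_request(text):
    """Parse name=value lines; an empty line ends the request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class SaslRateLimiter:
    """Sliding-window cap on RCPT TO attempts per authenticated user."""

    def __init__(self, max_rcpts=100, window=3600, clock=time.time):
        # 100 recipients per hour is an assumed limit, not a recommendation.
        self.max_rcpts = max_rcpts
        self.window = window
        self.clock = clock
        self.seen = defaultdict(deque)  # user -> timestamps of counted RCPTs
        self.lock = threading.Lock()

    def decide(self, attrs):
        """Return the access(5) action for one parsed request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        if attrs.get("protocol_state") != "RCPT":
            return "DUNNO"
        user = attrs.get("sasl_username", "").lower()
        if not user:
            return "DUNNO"  # not authenticated: leave it to other restrictions
        now = self.clock()
        with self.lock:
            stamps = self.seen[user]
            while stamps and stamps[0] <= now - self.window:
                stamps.popleft()  # forget attempts older than the window
            if len(stamps) >= self.max_rcpts:
                return "DEFER_IF_PERMIT Sending limit reached, try again later"
            stamps.append(now)
        return "DUNNO"


def respond(text, limiter):
    """Build the wire reply: one action line followed by an empty line."""
    return "action=%s\n\n" % limiter.decide(parse_request(text))


class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = SaslRateLimiter()  # shared by all connections

    def handle(self):
        # Postfix keeps the connection open and sends many requests on it.
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            self.wfile.write(respond("\n".join(lines), self.limiter).encode())
            lines = []


if __name__ == "__main__":
    # Assumed hookup: on the submission service, list
    #   check_policy_service inet:127.0.0.1:10040
    # in smtpd_recipient_restrictions before permit_sasl_authenticated.
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

The counter is keyed on the authenticated login rather than the client address, so it follows a hijacked account across IP addresses; state is held in memory and is lost on restart.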


Message content in Policy Delegation

2012-07-23 Thread Alfredo Saldanha

Hi there, 


I'd like to know if it is possible to check some items using postfix policy
delegation:
- file extensions (I could use mime_header_checks to check it globally, but I
need to accept for some groups and reject for other groups of users)
- text in subject (I could use header_checks to check it globally, but I need
to accept for some groups and reject for other groups of users)
- some specific words (I could use body_checks to check it globally, but I need
to accept for some groups and reject for other groups of users)


Thank you in advance. 



Re: Postfix Issue

2012-07-23 Thread Ansgar Wiechers
On 2012-07-23 Marius Lewies wrote:
> Referring to  Ansgar reply it seems that relay_domains.db is out of
> date.  Ansgar suggested " You need to run the command to convert the
> (plain text) map into the database file that Postfix uses"  How to do
> or else,  where can I find the instruction to do this.  This is the
> test I done.
> 
> root@mxgw:/etc/postfix#   postmap -q vegaspartnerlounge.dk
> hash:/etc/postfix/relay_domains
> postmap: warning: database /etc/postfix/relay_domains.db is older than
> source file /etc/postfix/relay_domains
> root@mxgw:/etc/postfix#

Please re-read my previous mail. Why is $relay_domains still a map in
your config? Change this

  relay_domains = hash:/etc/postfix/relay_domains

into this

  relay_domains = /etc/postfix/relay_domains

and run "/etc/init.d/postfix reload".

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Postfix Issue

2012-07-23 Thread Reindl Harald
would you please strip your quotes a little bit
and at least remove multiple header-blocks

this starts to become completely unreadable

thank you!

On 23.07.2012 16:39, Marius Lewies wrote:
> 
> -Original Message-
> From: James Day [mailto:james@ontraq.com] 
> Sent: Monday, July 23, 2012 4:15 PM
> To: Marius Lewies; Ansgar Wiechers; postfix-users@postfix.org
> Subject: RE: Postfix Issue
> 
> 
>> -Original Message-
>> From: Marius Lewies [mailto:mariu...@verpakt.com]
>> Sent: 23 July 2012 15:03
>> To: James Day; Ansgar Wiechers; postfix-users@postfix.org
>> Subject: RE: Postfix Issue
>>
>>
>>
>> -Original Message-
>> From: James Day [mailto:james@ontraq.com]
>> Sent: Monday, July 23, 2012 3:45 PM
>> To: Marius Lewies; Ansgar Wiechers; postfix-users@postfix.org
>> Subject: RE: Postfix Issue
>>
>>> -Original Message-
>>> From: owner-postfix-us...@postfix.org [mailto:owner-postfix- 
>>> us...@postfix.org] On Behalf Of Marius Lewies
>>> Sent: 23 July 2012 14:32
>>> To: Ansgar Wiechers; postfix-users@postfix.org
>>> Subject: RE: Postfix Issue
>>>
>>> -Original Message-
>>> From: owner-postfix-us...@postfix.org 
>>> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ansgar 
>>> Wiechers
>>> Sent: Monday, July 23, 2012 2:39 PM
>>> To: postfix-users@postfix.org
>>> Subject: Re: Postfix Issue






RE: Postfix Issue

2012-07-23 Thread Marius Lewies

-Original Message-
From: James Day [mailto:james@ontraq.com] 
Sent: Monday, July 23, 2012 4:15 PM
To: Marius Lewies; Ansgar Wiechers; postfix-users@postfix.org
Subject: RE: Postfix Issue


> -Original Message-
> From: Marius Lewies [mailto:mariu...@verpakt.com]
> Sent: 23 July 2012 15:03
> To: James Day; Ansgar Wiechers; postfix-users@postfix.org
> Subject: RE: Postfix Issue
> 
> 
> 
> -Original Message-
> From: James Day [mailto:james@ontraq.com]
> Sent: Monday, July 23, 2012 3:45 PM
> To: Marius Lewies; Ansgar Wiechers; postfix-users@postfix.org
> Subject: RE: Postfix Issue
> 
> > -Original Message-
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix- 
> > us...@postfix.org] On Behalf Of Marius Lewies
> > Sent: 23 July 2012 14:32
> > To: Ansgar Wiechers; postfix-users@postfix.org
> > Subject: RE: Postfix Issue
> >
> > Nor did I think I am.  This is the first time that I am using this 
> > forum.  Instead of replying to all  I mistakenly replied to
yourself.
> > If you are not prepared to assist or help and Yes I know you ALL do 
> > it
> 
> > on your own time and free will I will gladly remove myself from the
> list.
> >
> > -Original Message-
> > From: owner-postfix-us...@postfix.org 
> > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ansgar 
> > Wiechers
> > Sent: Monday, July 23, 2012 2:39 PM
> > To: postfix-users@postfix.org
> > Subject: Re: Postfix Issue
> >
> > Please keep this on-list. You're neither family, nor personal 
> > friend, nor paying customer, so you're not entitled to personal
support.
> >
> > On 2012-07-23 Marius Lewies wrote:
> > > Did you postmap all_ad_recipients after adding the recipient
> address?
> > > = Yes did run a ./getadusers and verified that address does
exist.
> >
> > That was not the question.
> >
> > I don't know what the command "getadusers" does, but I assume that 
> > it's a script querying users' mail addresses from AD and writing 
> > them to a file. Does the script run the postmap command on the file
> afterwards?
> > And how did you verify that the address exists.
> >
> > > Should I do something else with "postmap"  what is the meaning?
> >
> > You need to run the command to convert the (plain text) map into the

> > database file that Postfix uses. You can also use the command to 
> > check
> 
> > the map for existence of a particular key, e.g.:
> >
> >   postmap -q mariu...@vegaspartnerlounge.dk \
> >   hash:/etc/postfix/all_ad_recipients
> >
> > > And $relay_domains is a list, not a map, so the line in main.cf 
> > > should
> >
> > > be like this: = This used to work before new address was added.  
> > > All
> 
> > > other domains within the file is relaying.  What is the difference

> > > between a map and a list?
> >
> > A map is mapping one thing to another thing. Hence the name.
> >
> >   f...@example.com x
> >   b...@example.com x
> >   ...
> >
> > For some maps the right-hand value defines the action to be taken
> (e.g.
> > DUNNO, REJECT, OK). For $relay_recipient_maps, however, the 
> > right-hand
> 
> > value merely needs to exist, which will indicate a valid address.
> >
> > A list OTOH is just a list, i.e. a flat file with one item per line.
> >
> >   example.com
> >   example.org
> >   ...
> >
> > > relay_domains = /etc/postfix/relay_domains
> > >
> > > Postconf -n result
> > [...]
> > > relay_domains = hash:/etc/postfix/relay_domains
> >
> > Fix that.
> >
> > [...]
> > > smtpd_recipient_restrictions =
> > >   permit_mynetworks,
> > >   reject_non_fqdn_recipient,
> > >   reject_unauth_destination,
> >
> > This is barely safe. The reject_unauth_destination restriction is 
> > the one that prevents you from being an open relay. It should be the

> > first
> 
> > rule after those that allow relaying for selected clients (i.e.
> > permit_mynetworks and/or permit_sasl_authenticated).
> >
> > >   reject_unauth_pipelining,
> > >   reject_rbl_client zen.spamhaus.org,
> > >   reject_rbl_client bl.spamcop.net,
> > >   check_client_access regexp:/etc/postfix/blacklist_clients,
> >
> > RBL lookups are usually more expensive than lookups in local tables,

> > so reject_rbl_client should go after check_client_access.
> >
> > Regards
> > Ansgar Wiechers
> > --
> > "Abstractions save us time working, but they don't save us time
> learning."
> > --Joel Spolsky
> >
> > --
> > This message has been scanned for viruses and dangerous content by 
> > MailScanner, and is believed to be clean.
> >
> >
> > --
> > This message has been scanned for viruses and dangerous content by 
> > MailScanner, and is believed to be clean.
> 
> No need to get upset.
> 
> Mistakes do happen, I find myself automatically clicking the reply 
> button instead of reply to all so you're not alone.
> 
> The people on this list are willing to help you. You just need to help

> yourself a bit by reading the appropriate documentation. Postfix is 
> possibly the best documented piece of open source software and as such

> it 

Re: Question how do i keep incoming mails from causing an error message send back

2012-07-23 Thread Noel Jones
On 7/23/2012 7:24 AM, jan...@web.de wrote:
> Hello list,
> I'm new to this list hoping to receive some help. I posted my question on 
> June 20 on the Zarafa community page, but did not get a feedback since, so I 
> hope you tolerate my double posting. This is what I'm struggling with:
>  
> I'm quite proud to say that I have successfully managed to install zarafa on 
> Centos 6. Unfortunately as I haven't found any working tutorials I had to 
> collect my pieces on the way. I am now left with a problem, which I guess is 
> related to the missing communication between zarafa and postfix.
> 
> This is my postfix/master.cf added lines:
> zarafa unix - n n - 10 pipe
> flags= user=vmail argv=/usr/bin/zarafa-dagent ${user}
> and that's my postfix/main.cf:
> mailbox_command = /usr/bin/zarafa-dagent "$USER"
> local_recipient_maps =
> mailbox_transport = zarafa:
> zarafa_destination_recipient_limit = 1
> 
> # zarafa unix - n n - 10 pipe
> # flags= user=vmail argv=/usr/bin/zarafa-dagent ${user}
> 
> # fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
> myhostname = mail.example.de
> mydomain = mail.example.de
> 
> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
> 
> now if I do a telnet mail.example.de 110
> I get a 
> +OK Zarafa POP3 gateway ready

That's the POP server and has nothing to do with postfix.

> 
> now I try my user abcde
> and the pass secret
> and get a -ERR Wrong username or password
> 
> The login via zarafa webinterface works just fine.

again, nothing to do with postfix.

> Now if I send an email to my account the mail is delivered, but the sender 
> receives the following report:
> 
> Reporting-MTA: dns; mail.example.de
> X-Postfix-Queue-ID: 620C47D08589
> X-Postfix-Sender: rfc822; ab...@.de
> Arrival-Date: Wed, 20 Jun 2012 07:53:43 +0200 (CEST)
> 
> Final-Recipient: rfc822; ab...@mail.example.de[ab...@mail.example.de]
> Original-Recipient: rfc822;ab...@mail.example.de
> Action: failed
> Status: 5.3.0
> [...]
> Naturally I have replaced my domain with example, everything else is 
> unchanged.
> I figure it's an authorization issue between postfix and zarafa, but I don't 
> know how to solve it. Please take into account that I have somewhat limited 
> linux skills. I hope I have provided all information needed and somebody 
> could help me out here.


Check the postfix logs for more detailed information about why this
was marked failed.  Postfix intentionally does not provide failure
details in mail to strangers.
Start with this:
http://www.postfix.org/DEBUG_README.html#logging



If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones


RE: Postfix Issue

2012-07-23 Thread James Day

> -Original Message-
> From: Marius Lewies [mailto:mariu...@verpakt.com]
> Sent: 23 July 2012 15:03
> To: James Day; Ansgar Wiechers; postfix-users@postfix.org
> Subject: RE: Postfix Issue
> 
> 
> 
> -Original Message-
> From: James Day [mailto:james@ontraq.com]
> Sent: Monday, July 23, 2012 3:45 PM
> To: Marius Lewies; Ansgar Wiechers; postfix-users@postfix.org
> Subject: RE: Postfix Issue
> 
> > -Original Message-
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> > us...@postfix.org] On Behalf Of Marius Lewies
> > Sent: 23 July 2012 14:32
> > To: Ansgar Wiechers; postfix-users@postfix.org
> > Subject: RE: Postfix Issue
> >
> > Nor did I think I am.  This is the first time that I am using this
> > forum.  Instead of replying to all  I mistakenly replied to yourself.
> > If you are not prepared to assist or help and Yes I know you ALL do it
> 
> > on your own time and free will I will gladly remove myself from the
> list.
> >
> > -Original Message-
> > From: owner-postfix-us...@postfix.org
> > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ansgar Wiechers
> > Sent: Monday, July 23, 2012 2:39 PM
> > To: postfix-users@postfix.org
> > Subject: Re: Postfix Issue
> >
> > Please keep this on-list. You're neither family, nor personal friend,
> > nor paying customer, so you're not entitled to personal support.
> >
> > On 2012-07-23 Marius Lewies wrote:
> > > Did you postmap all_ad_recipients after adding the recipient
> address?
> > > = Yes did run a ./getadusers and verified that address does exist.
> >
> > That was not the question.
> >
> > I don't know what the command "getadusers" does, but I assume that
> > it's a script querying users' mail addresses from AD and writing them
> > to a file. Does the script run the postmap command on the file
> afterwards?
> > And how did you verify that the address exists.
> >
> > > Should I do something else with "postmap"  what is the meaning?
> >
> > You need to run the command to convert the (plain text) map into the
> > database file that Postfix uses. You can also use the command to check
> 
> > the map for existence of a particular key, e.g.:
> >
> >   postmap -q mariu...@vegaspartnerlounge.dk \
> >   hash:/etc/postfix/all_ad_recipients
> >
> > > And $relay_domains is a list, not a map, so the line in main.cf
> > > should
> >
> > > be like this: = This used to work before new address was added.  All
> 
> > > other domains within the file is relaying.  What is the difference
> > > between a map and a list?
> >
> > A map is mapping one thing to another thing. Hence the name.
> >
> >   f...@example.com x
> >   b...@example.com x
> >   ...
> >
> > For some maps the right-hand value defines the action to be taken
> (e.g.
> > DUNNO, REJECT, OK). For $relay_recipient_maps, however, the right-hand
> 
> > value merely needs to exist, which will indicate a valid address.
> >
> > A list OTOH is just a list, i.e. a flat file with one item per line.
> >
> >   example.com
> >   example.org
> >   ...
> >
> > > relay_domains = /etc/postfix/relay_domains
> > >
> > > Postconf -n result
> > [...]
> > > relay_domains = hash:/etc/postfix/relay_domains
> >
> > Fix that.
> >
> > [...]
> > > smtpd_recipient_restrictions =
> > >   permit_mynetworks,
> > >   reject_non_fqdn_recipient,
> > >   reject_unauth_destination,
> >
> > This is barely safe. The reject_unauth_destination restriction is the
> > one that prevents you from being an open relay. It should be the first
> 
> > rule after those that allow relaying for selected clients (i.e.
> > permit_mynetworks and/or permit_sasl_authenticated).
> >
> > >   reject_unauth_pipelining,
> > >   reject_rbl_client zen.spamhaus.org,
> > >   reject_rbl_client bl.spamcop.net,
> > >   check_client_access regexp:/etc/postfix/blacklist_clients,
> >
> > RBL lookups are usually more expensive than lookups in local tables,
> > so reject_rbl_client should go after check_client_access.
> >
> > Regards
> > Ansgar Wiechers
> > --
> > "Abstractions save us time working, but they don't save us time
> learning."
> > --Joel Spolsky
> >
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is believed to be clean.
> >
> >
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is believed to be clean.
> 
> No need to get upset.
> 
> Mistakes do happen, I find myself automatically clicking the reply button
> instead of reply to all so you're not alone.
> 
> The people on this list are willing to help you. You just need to help 
> yourself a
> bit by reading the appropriate documentation. Postfix is possibly the best
> documented piece of open source software and as such it is frustrating when
> people come to the list with issues that could be easily resolved by reading 
> it.
> 
> PS
> 
> Polite notice: Please don't top post on the list - it makes the conversations
> much harder to follow.
> 
> Kind regards,
> 
> Jam

Re: Postfix Issue

2012-07-23 Thread Reindl Harald


On 23.07.2012 16:03, Marius Lewies wrote:

please strip quoting a little bit!

> Referring to  Ansgar reply it seems that relay_domains.db is out of
> date.  Ansgar suggested " You need to run the command to convert the
> (plain text) map into the database file that Postfix uses"  How to do or
> else,  where can I find the instruction to do this.  This is the test I
> done.
> 
> root@mxgw:/etc/postfix#   postmap -q vegaspartnerlounge.dk
> hash:/etc/postfix/relay_domains
> postmap: warning: database /etc/postfix/relay_domains.db is older than
> source file /etc/postfix/relay_domains
> root@mxgw:/etc/postfix#

postmap /etc/postfix/relay_domains
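
The staleness that the postmap warning above reports can be checked for every compiled table in one pass. This is an added example, not part of the original thread or of Postfix: it scans `postconf -n` output for hash:, btree:, cdb: and lmdb: tables and compares each source file's modification time with that of its compiled file. The function names, the `root` parameter and the sample configuration are constructed for illustration.

```python
import os
import re
import tempfile

# Table types that postmap compiles from a text file, and the suffix of the
# compiled file that Postfix actually reads.
COMPILED_SUFFIX = {"hash": ".db", "btree": ".db", "cdb": ".cdb", "lmdb": ".lmdb"}

# Matches e.g. "hash:/etc/postfix/relay_domains", also after a "proxy:" prefix.
# Paths that do not start with "/" (such as ${data_directory}/...) are skipped.
TABLE_REF = re.compile(r"\b(hash|btree|cdb|lmdb):(/[^\s,]+)")

# Constructed sample in the style of `postconf -n` output.
SAMPLE_POSTCONF = """\
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/all_ad_recipients
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
"""


def compiled_tables(postconf_text):
    """Return sorted unique (type, source_path) pairs found in the config."""
    return sorted(set(TABLE_REF.findall(postconf_text)))


def stale_tables(postconf_text, root=""):
    """Return [(source_path, reason)] for tables that need a postmap run.

    root is prepended to every path so the check can run against a copy of
    the configuration tree (assumption made for this example).
    """
    findings = []
    for kind, path in compiled_tables(postconf_text):
        src = root + path
        compiled = src + COMPILED_SUFFIX[kind]
        if not os.path.exists(src):
            findings.append((path, "source missing"))
        elif not os.path.exists(compiled):
            findings.append((path, "never compiled"))
        elif os.path.getmtime(compiled) < os.path.getmtime(src):
            # Same condition that makes postmap -q print its warning.
            findings.append((path, "older than source"))
    return findings


def demo():
    """Build a constructed tree: relay_domains edited after its .db was made."""
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "etc/postfix")
        os.makedirs(conf_dir)
        layout = (("relay_domains", 2000, 1000), ("all_ad_recipients", 1000, 2000))
        for name, src_mtime, db_mtime in layout:
            for suffix, mtime in (("", src_mtime), (".db", db_mtime)):
                path = os.path.join(conf_dir, name + suffix)
                open(path, "w").close()
                os.utime(path, (mtime, mtime))
        return stale_tables(SAMPLE_POSTCONF, root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason} -> run: postmap {path}")
```

A script that regenerates a map, such as the getadusers script mentioned in the thread, can run this check as its last step so a forgotten postmap is caught before mail is rejected.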





RE: Postfix Issue

2012-07-23 Thread Marius Lewies


-Original Message-
From: James Day [mailto:james@ontraq.com] 
Sent: Monday, July 23, 2012 3:45 PM
To: Marius Lewies; Ansgar Wiechers; postfix-users@postfix.org
Subject: RE: Postfix Issue

> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix- 
> us...@postfix.org] On Behalf Of Marius Lewies
> Sent: 23 July 2012 14:32
> To: Ansgar Wiechers; postfix-users@postfix.org
> Subject: RE: Postfix Issue
> 
> Nor did I think I am.  This is the first time that I am using this 
> forum.  Instead of replying to all  I mistakenly replied to yourself.
> If you are not prepared to assist or help and Yes I know you ALL do it
> on your own time and free will I will gladly remove myself from the
> list.
> 
> -Original Message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ansgar Wiechers
> Sent: Monday, July 23, 2012 2:39 PM
> To: postfix-users@postfix.org
> Subject: Re: Postfix Issue
> 
> Please keep this on-list. You're neither family, nor personal friend, 
> nor paying customer, so you're not entitled to personal support.
> 
> On 2012-07-23 Marius Lewies wrote:
> > Did you postmap all_ad_recipients after adding the recipient address?
> > = Yes did run a ./getadusers and verified that address does exist.
>
> That was not the question.
>
> I don't know what the command "getadusers" does, but I assume that
> it's a script querying users' mail addresses from AD and writing them
> to a file. Does the script run the postmap command on the file afterwards?
> And how did you verify that the address exists.
>
> > Should I do something else with "postmap"  what is the meaning?
>
> You need to run the command to convert the (plain text) map into the
> database file that Postfix uses. You can also use the command to check
> the map for existence of a particular key, e.g.:
>
>   postmap -q mariu...@vegaspartnerlounge.dk \
>   hash:/etc/postfix/all_ad_recipients
>
> > And $relay_domains is a list, not a map, so the line in main.cf should
> > be like this: = This used to work before new address was added.  All
> > other domains within the file is relaying.  What is the difference
> > between a map and a list?
> 
> A map is mapping one thing to another thing. Hence the name.
> 
>   f...@example.com x
>   b...@example.com x
>   ...
> 
> For some maps the right-hand value defines the action to be taken (e.g.
> DUNNO, REJECT, OK). For $relay_recipient_maps, however, the right-hand
> value merely needs to exist, which will indicate a valid address.
> 
> A list OTOH is just a list, i.e. a flat file with one item per line.
> 
>   example.com
>   example.org
>   ...
> 
> > relay_domains = /etc/postfix/relay_domains
> >
> > Postconf -n result
> [...]
> > relay_domains = hash:/etc/postfix/relay_domains
> 
> Fix that.
> 
> [...]
> > smtpd_recipient_restrictions =
> >   permit_mynetworks,
> >   reject_non_fqdn_recipient,
> >   reject_unauth_destination,
> 
> This is barely safe. The reject_unauth_destination restriction is the
> one that prevents you from being an open relay. It should be the first
> rule after those that allow relaying for selected clients (i.e.
> permit_mynetworks and/or permit_sasl_authenticated).
> 
> >   reject_unauth_pipelining,
> >   reject_rbl_client zen.spamhaus.org,
> >   reject_rbl_client bl.spamcop.net,
> >   check_client_access regexp:/etc/postfix/blacklist_clients,
> 
> RBL lookups are usually more expensive than lookups in local tables, 
> so reject_rbl_client should go after check_client_access.
> 
> Regards
> Ansgar Wiechers
> --
> "Abstractions save us time working, but they don't save us time learning."
> --Joel Spolsky
> 

No need to get upset.

Mistakes do happen, I find myself automatically clicking the reply
button instead of reply to all so you're not alone.

The people on this list are willing to help you. You just need to help
yourself a bit by reading the appropriate documentation. Postfix is
possibly the best documented piece of open source software and as such
it is frustrating when people come to the list with issues that could be
easily resolved by reading it.

PS

Polite notice: Please don't top post on the list - it makes the
conversations much harder to follow.

Kind regards,

James Day



Hi,

Thank you for the reply James.

Referring to  Ansgar reply it seems that relay_domains.db is out of
date.  Ansgar suggested " You need to run the command to convert the
(plain text) map into the database file that Postfix uses"  How to do or
else,  where can I find the instruction to do this.  This is the test I
done.

root@m

RE: Postfix Issue

2012-07-23 Thread James Day
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Marius Lewies
> Sent: 23 July 2012 14:32
> To: Ansgar Wiechers; postfix-users@postfix.org
> Subject: RE: Postfix Issue
> 
> Nor did I think I am.  This is the first time that I am using this forum.
> Instead of replying to all  I mistakenly replied to yourself.
> If you are not prepared to assist or help and Yes I know you ALL do it on your
> own time and free will I will gladly remove myself from the list.
> 
> -Original Message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ansgar Wiechers
> Sent: Monday, July 23, 2012 2:39 PM
> To: postfix-users@postfix.org
> Subject: Re: Postfix Issue
> 
> Please keep this on-list. You're neither family, nor personal friend, nor
> paying customer, so you're not entitled to personal support.
> 
> On 2012-07-23 Marius Lewies wrote:
> > Did you postmap all_ad_recipients after adding the recipient address?
> > = Yes did run a ./getadusers and verified that address does exist.
> 
> That was not the question.
> 
> I don't know what the command "getadusers" does, but I assume that it's a
> script querying users' mail addresses from AD and writing them to a file. Does
> the script run the postmap command on the file afterwards?
> And how did you verify that the address exists.
> 
> > Should I do something else with "postmap"  what is the meaning?
> 
> You need to run the command to convert the (plain text) map into the
> database file that Postfix uses. You can also use the command to check the
> map for existence of a particular key, e.g.:
> 
>   postmap -q mariu...@vegaspartnerlounge.dk \
>   hash:/etc/postfix/all_ad_recipients
> 
> > And $relay_domains is a list, not a map, so the line in main.cf should
> > be like this: = This used to work before new address was added.  All
> > other domains within the file is relaying.  What is the difference
> > between a map and a list?
> 
> A map is mapping one thing to another thing. Hence the name.
> 
>   f...@example.com x
>   b...@example.com x
>   ...
> 
> For some maps the right-hand value defines the action to be taken (e.g.
> DUNNO, REJECT, OK). For $relay_recipient_maps, however, the right-hand
> value merely needs to exist, which will indicate a valid address.
> 
> A list OTOH is just a list, i.e. a flat file with one item per line.
> 
>   example.com
>   example.org
>   ...
> 
> > relay_domains = /etc/postfix/relay_domains
> >
> > Postconf -n result
> [...]
> > relay_domains = hash:/etc/postfix/relay_domains
> 
> Fix that.
> 
> [...]
> > smtpd_recipient_restrictions =
> >   permit_mynetworks,
> >   reject_non_fqdn_recipient,
> >   reject_unauth_destination,
> 
> This is barely safe. The reject_unauth_destination restriction is the one that
> prevents you from being an open relay. It should be the first rule after those
> that allow relaying for selected clients (i.e.
> permit_mynetworks and/or permit_sasl_authenticated).
> 
> >   reject_unauth_pipelining,
> >   reject_rbl_client zen.spamhaus.org,
> >   reject_rbl_client bl.spamcop.net,
> >   check_client_access regexp:/etc/postfix/blacklist_clients,
> 
> RBL lookups are usually more expensive than lookups in local tables, so
> reject_rbl_client should go after check_client_access.
> 
> Regards
> Ansgar Wiechers
> --
> "Abstractions save us time working, but they don't save us time learning."
> --Joel Spolsky
> 

No need to get upset.

Mistakes do happen, I find myself automatically clicking the reply button 
instead of reply to all so you're not alone.

The people on this list are willing to help you. You just need to help yourself 
a bit by reading the appropriate documentation. Postfix is possibly the best 
documented piece of open source software and as such it is frustrating when 
people come to the list with issues that could be easily resolved by reading it.

PS

Polite notice: Please don't top post on the list - it makes the conversations 
much harder to follow.

Kind regards,

James Day


RE: Postfix Issue

2012-07-23 Thread Marius Lewies
Nor did I think I am.  This is the first time that I am using this
forum.  Instead of replying to all  I mistakenly replied to yourself.
If you are not prepared to assist or help and Yes I know you ALL do it
on your own time and free will I will gladly remove myself from the
list.

-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Ansgar Wiechers
Sent: Monday, July 23, 2012 2:39 PM
To: postfix-users@postfix.org
Subject: Re: Postfix Issue

Please keep this on-list. You're neither family, nor personal friend,
nor paying customer, so you're not entitled to personal support.

On 2012-07-23 Marius Lewies wrote:
> Did you postmap all_ad_recipients after adding the recipient address?
> = Yes did run a ./getadusers and verified that address does exist.

That was not the question.

I don't know what the command "getadusers" does, but I assume that it's
a script querying users' mail addresses from AD and writing them to a
file. Does the script run the postmap command on the file afterwards?
And how did you verify that the address exists.

> Should I do something else with "postmap"  what is the meaning?

You need to run the command to convert the (plain text) map into the
database file that Postfix uses. You can also use the command to check
the map for existence of a particular key, e.g.:

  postmap -q mariu...@vegaspartnerlounge.dk \
  hash:/etc/postfix/all_ad_recipients

> And $relay_domains is a list, not a map, so the line in main.cf should
> be like this: = This used to work before new address was added.  All
> other domains within the file is relaying.  What is the difference 
> between a map and a list?

A map is mapping one thing to another thing. Hence the name.

  f...@example.com x
  b...@example.com x
  ...

For some maps the right-hand value defines the action to be taken (e.g.
DUNNO, REJECT, OK). For $relay_recipient_maps, however, the right-hand
value merely needs to exist, which will indicate a valid address.

A list OTOH is just a list, i.e. a flat file with one item per line.

  example.com
  example.org
  ...

> relay_domains = /etc/postfix/relay_domains
> 
> Postconf -n result
[...]
> relay_domains = hash:/etc/postfix/relay_domains

Fix that.

[...]
> smtpd_recipient_restrictions =
>   permit_mynetworks,
>   reject_non_fqdn_recipient,
>   reject_unauth_destination,

This is barely safe. The reject_unauth_destination restriction is the
one that prevents you from being an open relay. It should be the first
rule after those that allow relaying for selected clients (i.e.
permit_mynetworks and/or permit_sasl_authenticated).

>   reject_unauth_pipelining,
>   reject_rbl_client zen.spamhaus.org,
>   reject_rbl_client bl.spamcop.net,
>   check_client_access regexp:/etc/postfix/blacklist_clients,

RBL lookups are usually more expensive than lookups in local tables, so
reject_rbl_client should go after check_client_access.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time
learning."
--Joel Spolsky




Re: Postfix Issue

2012-07-23 Thread Ansgar Wiechers
Please keep this on-list. You're neither family, nor personal friend,
nor paying customer, so you're not entitled to personal support.

On 2012-07-23 Marius Lewies wrote:
> Did you postmap all_ad_recipients after adding the recipient address?
> = Yes did run a ./getadusers and verified that address does exist.

That was not the question.

I don't know what the command "getadusers" does, but I assume that it's
a script querying users' mail addresses from AD and writing them to a
file. Does the script run the postmap command on the file afterwards?
And how did you verify that the address exists.

> Should I do something else with "postmap"  what is the meaning?

You need to run the command to convert the (plain text) map into the
database file that Postfix uses. You can also use the command to check
the map for existence of a particular key, e.g.:

  postmap -q mariu...@vegaspartnerlounge.dk \
  hash:/etc/postfix/all_ad_recipients

> And $relay_domains is a list, not a map, so the line in main.cf should
> be like this: = This used to work before new address was added.  All
> other domains within the file is relaying.  What is the difference
> between a map and a list?

A map is mapping one thing to another thing. Hence the name.

  f...@example.com x
  b...@example.com x
  ...

For some maps the right-hand value defines the action to be taken (e.g.
DUNNO, REJECT, OK). For $relay_recipient_maps, however, the right-hand
value merely needs to exist, which will indicate a valid address.

A list OTOH is just a list, i.e. a flat file with one item per line.

  example.com
  example.org
  ...

> relay_domains = /etc/postfix/relay_domains
> 
> Postconf -n result
[...]
> relay_domains = hash:/etc/postfix/relay_domains

Fix that.

[...]
> smtpd_recipient_restrictions =
>   permit_mynetworks,
>   reject_non_fqdn_recipient,
>   reject_unauth_destination,

This is barely safe. The reject_unauth_destination restriction is the
one that prevents you from being an open relay. It should be the first
rule after those that allow relaying for selected clients (i.e.
permit_mynetworks and/or permit_sasl_authenticated).

>   reject_unauth_pipelining,
>   reject_rbl_client zen.spamhaus.org,
>   reject_rbl_client bl.spamcop.net,
>   check_client_access regexp:/etc/postfix/blacklist_clients,

RBL lookups are usually more expensive than lookups in local tables, so
reject_rbl_client should go after check_client_access.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
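
The two ordering rules given in the message above (reject_unauth_destination first after the relay permits, and reject_rbl_client after check_client_access) can be checked mechanically. This is an added example, not part of the original thread: a small checker run over the smtpd_recipient_restrictions list quoted in the message. The function names and finding labels are hypothetical, and REORDERED is a constructed rearrangement.

```python
import re

# Restrictions that may precede reject_unauth_destination, per the message.
RELAY_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}

# The list as quoted in the thread (elided parts left out).
AS_POSTED = """\
smtpd_recipient_restrictions =
  permit_mynetworks,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  check_client_access regexp:/etc/postfix/blacklist_clients,
"""

# Constructed rearrangement that follows both rules.
REORDERED = """\
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
  reject_non_fqdn_recipient, reject_unauth_pipelining,
  check_client_access regexp:/etc/postfix/blacklist_clients,
  reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
"""


def get_param(postconf_text, name):
    """Return one parameter's value, joining indented continuation lines."""
    value, collecting = [], False
    for line in postconf_text.splitlines():
        if collecting and line[:1] in (" ", "\t"):
            value.append(line.strip())
            continue
        collecting = False
        m = re.match(r"(\w+)\s*=\s*(.*)", line)
        if m and m.group(1) == name:
            value, collecting = [m.group(2).strip()], True
    return " ".join(value)


def parse_restrictions(value):
    """Split on commas/whitespace, keeping each argument with its restriction."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    rules, i = [], 0
    while i < len(tokens):
        has_arg = tokens[i].startswith(("check_", "reject_rbl_", "reject_rhsbl_"))
        if has_arg and i + 1 < len(tokens):
            rules.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            rules.append((tokens[i], ""))
            i += 1
    return rules


def audit(postconf_text):
    """Return [(label, detail)] for each violation of the two ordering rules."""
    rules = parse_restrictions(get_param(postconf_text, "smtpd_recipient_restrictions"))
    names = [name for name, _ in rules]
    findings = []
    if "reject_unauth_destination" not in names:
        findings.append(("no-relay-guard", "reject_unauth_destination is missing"))
    else:
        guard = names.index("reject_unauth_destination")
        for name, arg in rules[:guard]:
            if name not in RELAY_PERMITS:
                findings.append(("before-relay-guard", (name + " " + arg).strip()))
    local = [i for i, name in enumerate(names) if name == "check_client_access"]
    for i, (name, arg) in enumerate(rules):
        if name == "reject_rbl_client" and local and i < max(local):
            findings.append(("rbl-before-local-table", arg))
    return findings


if __name__ == "__main__":
    for label, detail in audit(AS_POSTED):
        print(f"{label}: {detail}")
```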


Question how do i keep incoming mails from causing an error message send back

2012-07-23 Thread janbro
Hello list,
I'm new to this list hoping to receive some help. I posted my question on June
20 on the Zarafa community page, but did not get a feedback since, so I hope
you tolerate my double posting. This is what I'm struggling with:

I'm quite proud to say that I have successfully managed to install zarafa on
Centos 6. Unfortunately as I haven't found any working tutorials I had to
collect my pieces on the way. I am now left with a problem, which I guess is
related to the missing communication between zarafa and postfix.

This is my postfix/master.cf added lines:
zarafa unix - n n - 10 pipe
  flags= user=vmail argv=/usr/bin/zarafa-dagent ${user}

and that's my postfix/main.cf:
mailbox_command = /usr/bin/zarafa-dagent "$USER"
local_recipient_maps =
mailbox_transport = zarafa:
zarafa_destination_recipient_limit = 1

# zarafa unix - n n - 10 pipe
# flags= user=vmail argv=/usr/bin/zarafa-dagent ${user}

# fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
myhostname = mail.example.de
mydomain = mail.example.de

mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost

now if I do a telnet mail.example.de 110
I get a 
+OK Zarafa POP3 gateway ready

now I try my user abcde
and the pass secret
and get a -ERR Wrong username or password

The login via zarafa webinterface works just fine.

Now if I send an email to my account the mail is delivered, but the sender 
receives the following report:

Reporting-MTA: dns; mail.example.de
X-Postfix-Queue-ID: 620C47D08589
X-Postfix-Sender: rfc822; ab...@.de
Arrival-Date: Wed, 20 Jun 2012 07:53:43 +0200 (CEST)

Final-Recipient: rfc822; ab...@mail.example.de[ab...@mail.example.de]
Original-Recipient: rfc822;ab...@mail.example.de
Action: failed
Status: 5.3.0
[...]
Naturally I have replaced my domain with example, everything else is unchanged.
I figure it's an authorization issue between postfix and zarafa, but I don't
know, how to solve it. Please take into account that I have somewhat limited
linux skills. I hope I have provided all information needed and somebody could
help me out here.

thx in advance
jan




Re: Postfix Issue

2012-07-23 Thread Jerry
On Mon, 23 Jul 2012 12:19:18 +0200
Marius Lewies articulated:

> I am new to Postfix and have taken over the admin thereof.
>  
> We have a situation where a certain email address get  the following
> error.  All other mail gets relayed. 
> SMTP error from remote mail server after RCPT
> TO:: host maila.vegaspartnerlounge.dk
> [196.14.16.67]: 554 5.7.1 : Relay
> access denied 
> Below is the main.cf file.  The email address is added to
> all_ad_recipients and the domain to relay_domains.  I have checked
> and we are not black listed What am I missing?

For starters you are missing the information listed in your welcome
letter to the group.

Start by reading , in
particular the "Reporting problems to postfix-users@postfix.org"
. Including your version
of Postfix, etcetera would be useful also. You could use the output
from the postfinger tool. This can be found at
.

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html


Re: Postfix Issue

2012-07-23 Thread Ansgar Wiechers
On 2012-07-23 Marius Lewies wrote:
> We have a situation where a certain email address get  the following
> error.  All other mail gets relayed.
> 
> SMTP error from remote mail server after RCPT
> TO::
> host maila.vegaspartnerlounge.dk [196.14.16.67]:
> 554 5.7.1 : Relay access denied
> 
> Below is the main.cf file.

As requested per the list's welcome message: do NOT post your main.cf,
but the output of "postconf -n". The latter is your active Postfix
configuration. Also post an excerpt from your mail log demonstrating the
problem.

> The email address is added to all_ad_recipients and the domain to
> relay_domains.  I have checked and we are not black listed
> 
> What am I missing?

Did you postmap all_ad_recipients after adding the recipient address?
And $relay_domains is a list, not a map, so the line in main.cf should
be like this:

  relay_domains = /etc/postfix/relay_domains

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Can't auth to postfix using a secondary server

2012-07-23 Thread Nicolás

Hi all!

I have a server with postfix with virtual users (using MySQL), it's 
working ok, let's call it A. I also have a secondary server, which I 
want to use to send mails even outside my local network, let's call it 
B. So I'm trying to configure B to relay through A to send e-mails. The 
problem is I have SMTP auth enabled on A and I'm missing something at 
the config of B because I get this error:


Jul 23 11:50:41 mail postfix/smtp[9912]: D7429100B65: 
to=, relay=mydomain.es[X.X.X.X.]:25, delay=0.39, 
delays=0.09/0/0.22/0.08, dsn=5.0.0, status=bounced (host 
mydomain.es[X.X.X.X.] said: 550-Please turn on SMTP Authentication in 
your mail client, or login to the 550-IMAP/POP3 server before sending 
your message. 550-85.155.X.X.X.X (mail.mydomain.es) [X.X.X.X]:60006 is 
550 not permitted to relay through this server without authentication. 
(in reply to RCPT TO command))


1) Relevant A main.cf config:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_identities.cf
proxy_read_maps = $local_recipient_maps $mydestination
  $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
  $virtual_mailbox_domains $relay_recipient_maps $relay_domains
  $canonical_maps $sender_canonical_maps $recipient_canonical_maps
  $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
  $smtpd_sender_login_maps

smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks

2) Whole B main.cf config:

config_directory = /etc/postfix
relayhost = 192.168.0.14
myhostname = socks.mydomain.es
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

Note: 192.168.0.14 is A.

3) Content of /etc/postfix/sasl/passwd:

192.168.0.14 b...@domain.es:password

I'm using mailx command to send mails, for example:

# echo "Bar" | mailx -s "Foo" postfix-...@gmail.com --tls=true

Could someone tell me what am I doing wrong? I thought using 
'smtp_sasl_auth_enable' at B would be enough to use SMTP authentication, 
but it's not happening.


Thank you so much!

Nicolás