Mail Queue Replication
Dear List,

We are running postfix-2.3.3-2 on RHEL 5.4 (32bit). The reason for running such an old version is the non-availability of the currently used security suite on newer versions of the OS, and these issues are likely to be addressed within a couple of weeks.

Our system is handling mails of big sizes and the queue size rises regularly up to 40GB. We need to find a good mechanism for replicating this queue to our disaster recovery site connected with 10Gbps OFC. Can anyone kindly point us to some good solution? We are open to commercial products as well.

With regards,
Goutam
setting up postscreen on a system with multiple external interfaces
Hello all,

Please help me with the following. I have here a postfix system that listens on multiple (external) interfaces, e.g. one of them receives e-mail from the internet, one of them receives more or less secure mail from associated institutions. E-mail received on the internet interface receives full processing, including amavis which calls spamassassin (by proxy filter), and it should offer "may" level TLS (no discussion about that please ;-)). The e-mail received on the secure interface receives limited processing, e.g. no amavis, and it doesn't need to offer TLS. Besides that there are also a few internal interfaces postfix listens on as well, with minimal processing, but with dkim signing. So there are actually multiple flows through the system, depending on the interface the mail was received on.

I want to start using postscreen. Of course I am not going to test in a production environment, so I made a comparable postfix installation, and with that installation I ran into a problem: the options (-o) that I specify on the various per-interface smtpd instances are NOT honoured anymore. I can check that quite easily because the hello string varies per interface and also TLS is no longer offered (disabled in the main.cf and enabled on a per-interface basis in the master.cf file). When I revert to non-postscreen operation, it works as expected.

Is this intentional? A known bug? Or something I should do another way? Anyone that has this configuration running, with postscreen? I must say the howto isn't very clear on this matter; it assumes you have only one external interface.

Thanks in advance.
Re: Mail Queue Replication
On Feb 21, 2013, at 10:16, Goutam Baul goutam.b...@rp-sg.in wrote:

> We are running postfix-2.3.3-2 on RHEL 5.4 (32bit). The reason for running such an old version is the non-availability of the currently used security suite on newer versions of the OS, and these issues are likely to be addressed within a couple of weeks. Our system is handling mails of big sizes and the queue size rises regularly up to 40GB. We need to find a good mechanism for replicating this queue to our disaster recovery site connected with 10Gbps OFC. Can anyone kindly point us to some good solution? We are open to commercial products as well.

I'd say DRBD; http://www.drbd.org/

Depending on your requirements and with the right setup, failover to the disaster recovery site could be completely automatic.

Cya,
Jona
Re: setting up postscreen on a system with multiple external interfaces
Erik Slagter:
> I want to start using postscreen. Of course I am not going to test in a production environment, so I made a comparable postfix installation and with that installation I ran into a problem: The options (-o) that I specify on the various per-interface smtpd instances are NOT honoured anymore. I can check that quite easily

If you have a problem you MUST show actual concrete evidence, so that it is clear whether YOU screwed up or I did.

http://www.postfix.org/DEBUG_README.html

Wietse
Re: setting up postscreen on a system with multiple external interfaces
On Feb 21, 2013, at 10:31, Erik Slagter e...@slagter.name wrote:

> Hello all,
>
> Please help me with the following. I have here a postfix system that listens on multiple (external) interfaces, e.g. one of them receives e-mail from the internet, one of them receives more or less secure mail from associated institutions. E-mail received on the internet interface receives full processing, including amavis which calls spamassassin (by proxy filter), and it should offer "may" level TLS (no discussion about that please ;-)). The e-mail received on the secure interface receives limited processing, e.g. no amavis, and it doesn't need to offer TLS. Besides that there are also a few internal interfaces postfix listens on as well, with minimal processing, but with dkim signing. So there are actually multiple flows through the system, depending on the interface the mail was received on.
>
> I want to start using postscreen. Of course I am not going to test in a production environment, so I made a comparable postfix installation, and with that installation I ran into a problem: the options (-o) that I specify on the various per-interface smtpd instances are NOT honoured anymore. I can check that quite easily because the hello string varies per interface and also TLS is no longer offered (disabled in the main.cf and enabled on a per-interface basis in the master.cf file). When I revert to non-postscreen operation, it works as expected.
>
> Is this intentional? A known bug? Or something I should do another way? Anyone that has this configuration running, with postscreen? I must say the howto isn't very clear on this matter; it assumes you have only one external interface.
>
> Thanks in advance.

http://www.postfix.org/POSTSCREEN_README.html

Have you followed those instructions?

AFAIK, you can bind 'postscreen' to a specific interface by specifying a hostname or an IP address in front of the port name or number in 'master.cf';

    192.0.2.1:smtp inet postscreen

And then have a regular Postfix instance on a separate address;

    192.0.2.2:smtp inet smtpd

If you cannot simplify your setup, you may need this;
http://www.postfix.org/MULTI_INSTANCE_README.html

Other than that, post proof that options are not honored anymore. The most likely cause is that you are trying to apply something to 'postscreen' that is only supported for 'smtpd'?

Cya,
Jona
Re: reject_listed_domain option?
On 2/20/2013 11:29 PM, Dennis Carr wrote:
> I'm basically looking for such an option - for all intents, if a domain is not, for some reason, in the RBLs, one could manually add the domain into such a list. In particular, I'm looking to do this to hostwinds.net and bluemountain14.com, as they do not seem to test positive in the RBLs. Or, maybe I'm doing it wrong. In any case, is there any way that exists to do this?
>
> -Dennis

Use a check_client_access blacklist file.
http://www.postfix.org/documentation.html

If you need more help, see
http://www.postfix.org/DEBUG_README.html#mail

--
Noel Jones
Re: setting up postscreen on a system with multiple external interfaces
On 21-02-13 13:04, DTNX Postmaster wrote:
>> Please help me with the following. I have here a postfix system that listens on multiple (external) interfaces, e.g. one of them receives e-mail from the internet, one of them receives more or less secure mail from associated institutions. E-mail received on the internet interface receives full processing, including amavis which calls spamassassin (by proxy filter), and it should offer "may" level TLS (no discussion about that please ;-)). The e-mail received on the secure interface receives limited processing, e.g. no amavis, and it doesn't need to offer TLS. Besides that there are also a few internal interfaces postfix listens on as well, with minimal processing, but with dkim signing. So there are actually multiple flows through the system, depending on the interface the mail was received on.
>>
>> I want to start using postscreen. Of course I am not going to test in a production environment, so I made a comparable postfix installation, and with that installation I ran into a problem: the options (-o) that I specify on the various per-interface smtpd instances are NOT honoured anymore. I can check that quite easily because the hello string varies per interface and also TLS is no longer offered (disabled in the main.cf and enabled on a per-interface basis in the master.cf file). When I revert to non-postscreen operation, it works as expected.
>>
>> Is this intentional? A known bug? Or something I should do another way? Anyone that has this configuration running, with postscreen? I must say the howto isn't very clear on this matter; it assumes you have only one external interface.
>>
>> Thanks in advance.
>
> http://www.postfix.org/POSTSCREEN_README.html
>
> Have you followed those instructions?

Yes I did (of course). The README does NOT give any information on the use of multiple interfaces. It says change ... into ... but my master file doesn't have these lines. It would be much better if it would explain HOW it works so you can do the adjustments yourself.

> AFAIK, you can bind 'postscreen' to a specific interface by specifying a hostname or an IP address in front of the port name or number in 'master.cf';
>
>     192.0.2.1:smtp inet postscreen
>
> And then have a regular Postfix instance on a separate address;
>
>     192.0.2.2:smtp inet smtpd

I tried another variant:

    192.168.0.1:smtp inet ... postscreen -o options...
    192.168.0.1:pass inet ... smtpd -o options...

This resembles the approach in the README most closely. Postfix does start, but it doesn't honour the options, on both instances. It's very simple to check, because I have postcheck report another welcome string on every interface. Now it shows the default welcome string; without postscreen, it gives the proper welcome string.

> If you cannot simplify your setup, you may need this;
> http://www.postfix.org/MULTI_INSTANCE_README.html

Read that too. It is not completely clear to me, but I suspect this gives me multiple queues too, which is not what I want; I want to route e-mail between all interfaces.

> Other than that, post proof that options are not honored anymore. The most likely cause is that you are trying to apply something to 'postscreen' that is only supported for 'smtpd'?

See above, SMTP welcome string. Which I added as an option to both the smtpd and the postscreen line... None of them were honoured.
Re: setting up postscreen on a system with multiple external interfaces
On 21/02/2013 15:32, Erik Slagter wrote:
> On 21-02-13 13:04, DTNX Postmaster wrote:
>>> Please help me with the following. I have here a postfix system that listens on multiple (external) interfaces, e.g. one of them receives e-mail from the internet, one of them receives more or less secure mail from associated institutions. E-mail received on the internet interface receives full processing, including amavis which calls spamassassin (by proxy filter), and it should offer "may" level TLS (no discussion about that please ;-)). The e-mail received on the secure interface receives limited processing, e.g. no amavis, and it doesn't need to offer TLS. Besides that there are also a few internal interfaces postfix listens on as well, with minimal processing, but with dkim signing. So there are actually multiple flows through the system, depending on the interface the mail was received on.
>>>
>>> I want to start using postscreen. Of course I am not going to test in a production environment, so I made a comparable postfix installation, and with that installation I ran into a problem: the options (-o) that I specify on the various per-interface smtpd instances are NOT honoured anymore. I can check that quite easily because the hello string varies per interface and also TLS is no longer offered (disabled in the main.cf and enabled on a per-interface basis in the master.cf file). When I revert to non-postscreen operation, it works as expected.
>>>
>>> Is this intentional? A known bug? Or something I should do another way? Anyone that has this configuration running, with postscreen? I must say the howto isn't very clear on this matter; it assumes you have only one external interface.
>>>
>>> Thanks in advance.
>>
>> http://www.postfix.org/POSTSCREEN_README.html
>>
>> Have you followed those instructions?
>
> Yes I did (of course). The README does NOT give any information on the use of multiple interfaces. It says change ... into ... but my master file doesn't have these lines. It would be much better if it would explain HOW it works so you can do the adjustments yourself.
>
>> AFAIK, you can bind 'postscreen' to a specific interface by specifying a hostname or an IP address in front of the port name or number in 'master.cf';
>>
>>     192.0.2.1:smtp inet postscreen
>>
>> And then have a regular Postfix instance on a separate address;
>>
>>     192.0.2.2:smtp inet smtpd
>
> I tried another variant:
>
>     192.168.0.1:smtp inet ... postscreen -o options...
>     192.168.0.1:pass inet ... smtpd -o options...
>
> This resembles the approach in the README most closely. Postfix does start, but it doesn't honour the options, on both instances. It's very simple to check, because I have postcheck report another welcome string on every interface. Now it shows the default welcome string; without postscreen, it gives the proper welcome string.

It's mine:

    postscreen_greet_banner = $smtpd_banner/Postscreen enabled

>> If you cannot simplify your setup, you may need this;
>> http://www.postfix.org/MULTI_INSTANCE_README.html
>
> Read that too. It is not completely clear to me, but I suspect this gives me multiple queues too, which is not what I want; I want to route e-mail between all interfaces.
>
>> Other than that, post proof that options are not honored anymore. The most likely cause is that you are trying to apply something to 'postscreen' that is only supported for 'smtpd'?
>
> See above, SMTP welcome string. Which I added as an option to both the smtpd and the postscreen line... None of them were honoured.
Re: setting up postscreen on a system with multiple external interfaces
On 21/02/2013 15:56, Erik Slagter wrote:
> On 21-02-13 14:41, Birta Levente wrote:
>>> Postfix does start, but it doesn't honour the options, on both instances. It's very simple to check, because I have postcheck report another welcome string on every interface. Now it shows the default welcome string; without postscreen, it gives the proper welcome string.
>>
>> It's mine:
>>
>>     postscreen_greet_banner = $smtpd_banner/Postscreen enabled
>
> I don't understand?

As I understand, you verify the new postscreen-enabled configuration with the welcome string, which as I understand is the SMTP banner. The postscreen-enabled SMTP banner is set by postscreen_greet_banner.

Levi
Re: setting up postscreen on a system with multiple external interfaces
On Feb 21, 2013, at 14:32, Erik Slagter e...@slagter.name wrote:
> On 21-02-13 13:04, DTNX Postmaster wrote:
>> http://www.postfix.org/POSTSCREEN_README.html
>>
>> Have you followed those instructions?
>
> Yes I did (of course). The README does NOT give any information on the use of multiple interfaces. It says change ... into ... but my master file doesn't have these lines. It would be much better if it would explain HOW it works so you can do the adjustments yourself.

[snip]

>> Other than that, post proof that options are not honored anymore. The most likely cause is that you are trying to apply something to 'postscreen' that is only supported for 'smtpd'?
>
> See above, SMTP welcome string. Which I added as an option to both the smtpd and the postscreen line... None of them were honoured.

Postscreen has its own set of options. Read the documentation;
http://www.postfix.org/postscreen.8.html

Also, avoid trying to 'optimize' for cosmetic reasons. Things like the welcome string are generally only seen by machines, have no impact on the operation of the mail server in general, and so on. But if you cannot resist doing so, this may be what you are looking for;
http://www.postfix.org/postconf.5.html#postscreen_greet_banner

Cya,
Jona
Re: Our postfix works fine, but it is very slow when we send newsletter
* Vince Wang vw...@nwp.org:
> Hello,
>
> We have a configured postfix email server that worked well when we had it on the public IP. After we moved it behind our firewall on an intranet with ip 192.168.xxx.xxx, we found it is very slow when we send newsletter.

Logs?

> As I just start learning about postfix so I tried to figure how it works. I sent a newsletter to 1100 members last week and monitored the queue in the webmin and mailq, and the postfix log. After I clicked the send button on our web page, I found that the messages are added into the queue for 15 minutes and then I saw messages are sent out from the log file for around 15 minutes.

It could be that the process injecting the mails into the queue is stalling the queue manager, thus sending out can only begin AFTER the injection period.

> Here is the main.cf:
>
> # amavis loop
> content_filter = smtp-amavis:[127.0.0.1]:10024

You're filtering the mail? I hope not.

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
Re: setting up postscreen on a system with multiple external interfaces
On 21-02-13 15:29, DTNX Postmaster wrote:
>> See above, SMTP welcome string. Which I added as an option to both the smtpd and the postscreen line... None of them were honoured.
>
> Postscreen has its own set of options. Read the documentation;
> http://www.postfix.org/postscreen.8.html

man postscreen. The postscreen (and fwiw tlsproxy) has its own set of options which are... by default... copied from the standard smtpd_* options! Also tried it with setting these options explicitly (with no success), but didn't want to flood information.

> Also, avoid trying to 'optimize' for cosmetic reasons. Things like the welcome string are generally only seen by machines, have no impact on the operation of the mail server in general, and so on. But if you cannot resist doing so, this may be what you are looking for;
> http://www.postfix.org/postconf.5.html#postscreen_greet_banner

The welcome string is very important for me, because, as may be obvious now, that's a very quick way to check if per-interface settings are honoured. This is completely NOT about the welcome string in itself, it's about per-interface options not being honoured, so I end up without TLS support on the outside interface, whilst if I disable postscreen, it simply works!

The only thing I need is an example of a master.cf file where postfix listens on various interfaces with different options, and then the same with postscreen enabled and still working (i.e. the per-interface smtpd options are honoured). Or a good explanation of the workflow of postscreen, a.o. what the two example lines in the README actually do, so I can adapt that to my situation.

Thx.
Re: setting up postscreen on a system with multiple external interfaces
Erik Slagter:
> I tried another variant:
>
>     192.168.0.1:smtp inet ... postscreen -o options...
>     192.168.0.1:pass inet ... smtpd -o options...

If you don't show the exact options and the exact logging then no-one can say what mistake YOU are making.

Wietse
Re: setting up postscreen on a system with multiple external interfaces
On 21-02-13 15:50, Wietse Venema wrote:
> Erik Slagter:
>> I tried another variant:
>>
>>     192.168.0.1:smtp inet ... postscreen -o options...
>>     192.168.0.1:pass inet ... smtpd -o options...
>
> If you don't show the exact options and the exact logging then no-one can say what mistake YOU are making.

Okay, I didn't post the complete master.cf because I thought it wouldn't be necessary, so here it comes. This is the plain version that works, without postscreen enabled. If somebody can explain to me how to transform this into something working with postscreen enabled AND TLS working on the outside interface (ppp0, ipv4 and ipv6), I'd be very grateful, but really I've tried various approaches without luck. Postscreen on itself is working fine, btw.

    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    #smtp      inet  n       -       n       -       1       smtpd
    #smtp      inet  n       -       n       -       1       postscreen
    #smtpd     pass  -       -       n       -       -       smtpd
    #dnsblog   unix  -       -       n       -       0       dnsblog
    #tlsproxy  unix  -       -       n       -       0       tlsproxy
    #
    # outside -> inside
    # postfix(25) -> amavis(10025)
    #
    mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
        -o myhostname=eriks.xs4all.nl
        -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
        -o smtpd_tls_security_level=may
        -o postscreen_tls_security_level=may
        -o tlsproxy_tls_security_level=may
        -o smtpd_proxy_filter=nemesis.ipv4:10025
        -o soft_bounce=no
        -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
    mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
        -o myhostname=mx1.ipv6.slagter.name
        -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
        -o smtpd_tls_security_level=may
        -o postscreen_tls_security_level=may
        -o tlsproxy_tls_security_level=may
        -o smtpd_proxy_filter=nemesis.ipv4:10025
        -o soft_bounce=no
        -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
    #
    # amavis(10025) -> postfix(10026)
    #
    nemesis.ipv4:10026 inet n - n - 2 smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-10026
        -o smtpd_client_restrictions=
        -o smtpd_authorized_xforward_hosts=10.1.1.1
    #
    # postfix(25) -> dkimproxy(11025)
    #
    nemesis.ipv4:smtp inet n - n - 2 smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv4-25
        -o mynetworks=127.0.0.0/8
        -o smtpd_proxy_filter=nemesis.ipv4:11025
    nemesis.ipv6:smtp inet n - n - 2 smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv6-25
        -o smtpd_proxy_filter=nemesis.ipv4:11025
    #
    # dkimproxy(11025) -> postfix(11026)
    #
    nemesis.ipv4:11026 inet n - n - 2 smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-11026
        -o smtpd_client_restrictions=
        -o smtpd_authorized_xforward_hosts=10.1.1.1
    #
    # locally generated
    #
    #localhost.ipv4:smtp inet n - n - - postscreen
    localhost.ipv4:smtp inet n - n - - smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o body_checks=
        -o header_checks=
        -o myhostname=nemesis.slagter.name
        -o smtp_helo_name=nemesis.slagter.name
        -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-25
        -o mynetworks=127.0.0.0/8
    #nemesis.ipv4:smtp inet n - n - - postscreen
    nemesis.ipv4:smtp inet n - n - - smtpd
        -o
Re: setting up postscreen on a system with multiple external interfaces
Erik Slagter:
> On 21-02-13 15:50, Wietse Venema wrote:
>> Erik Slagter:
>>> I tried another variant:
>>>
>>>     192.168.0.1:smtp inet ... postscreen -o options...
>>>     192.168.0.1:pass inet ... smtpd -o options...
>>
>> If you don't show the exact options and the exact logging then no-one can say what mistake YOU are making.
>
> Okay, I didn't post the complete master.cf because I thought it wouldn't be necessary, so here it comes. This is the plain version that works, without postscreen enabled. If somebody can explain to me how to

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.
Re: setting up postscreen on a system with multiple external interfaces
On 21-02-13 16:16, Wietse Venema wrote:
> Erik Slagter:
>
> TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
> TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
>
> Thank you for using Postfix.

And I always thought I could be blunt at moments ;-)

PROBLEM (apparently this is a problem)

* Summary

Setting up postscreen on a system with multiple external interfaces causes per-interface smtpd options not to be honoured

* Complete error messages

None.

* Postfix logging

None relevant (really! the logging is exactly the same for postscreen and non-postscreen operation, up to the point where the problem occurs).

* Postconf -n

    alias_database = hash:/etc/postfix/aliases
    alias_maps = hash:/etc/postfix/aliases
    allow_mail_to_commands = alias,forward
    allow_mail_to_files = alias,forward
    append_at_myorigin = yes
    append_dot_mydomain = yes
    command_time_limit = 300
    config_directory = /etc/postfix
    data_directory = /var/lib/postfix
    default_destination_concurrency_limit = 2
    default_privs = amavis
    default_transport = smtp-default
    delay_warning_time = 4
    fast_flush_domains = $mydomain
    inet_protocols = ipv6 ipv4
    local_destination_concurrency_limit = 2
    local_transport = local
    mail_owner = postfix
    mailbox_size_limit = 0
    masquerade_domains = $mydomain
    masquerade_exceptions = root
    maximal_backoff_time = 1h
    maximal_queue_lifetime = 21d
    message_size_limit = 1
    minimal_backoff_time = 2m
    mydestination = nemesis.slagter.name, eriks.xs4all.nl, $myhostname, localhost.$mydomain, localhost
    mydomain = slagter.name
    myhostname = nemesis.slagter.name
    mynetworks = 10.0.0.0/8, 127.0.0.0/8, [2001:980:5fef::]/48 [::1]/128 [fe80::]/10
    myorigin = $mydomain
    notify_classes = bounce,2bounce,data,delay,resource,software
    postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
    postscreen_bare_newline_action = enforce
    postscreen_bare_newline_enable = yes
    postscreen_blacklist_action = enforce
    postscreen_cache_retention_time = 30d
    postscreen_greet_action = enforce
    postscreen_greet_banner = $smtpd_banner postscreen
    postscreen_greet_ttl = 1h
    postscreen_greet_wait = 2s
    postscreen_non_smtp_command_action = enforce
    postscreen_non_smtp_command_enable = yes
    postscreen_pipelining_enable = yes
    queue_directory = /var/spool/postfix
    queue_minfree = 0
    queue_run_delay = 5m
    recipient_delimiter = +
    relay_domains = slagter.name, eriks...@xs4all.nl, eriks.xs4all.nl
    setgid_group = postdrop
    smtp_helo_name = eriks.xs4all.nl
    smtp_send_xforward_command = yes
    smtp_tls_block_early_mail_reply = yes
    smtp_tls_cert_file = /etc/postfix/mx1_slagter_name_all_crt.pem
    smtp_tls_key_file = /etc/postfix/mx1_slagter_name_key.pem
    smtp_tls_loglevel = 1
    smtp_tls_security_level = none
    smtpd_authorized_xforward_hosts = 127.0.0.0/8,10.1.0.0/16,10.0.0.0/16
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_restrictions = permit
    smtpd_delay_reject = no
    smtpd_etrn_restrictions = permit
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit
    smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unauth_destination check_recipient_access hash:/etc/postfix/local_users permit
    smtpd_sender_restrictions = permit
    smtpd_tls_ask_ccert = yes
    smtpd_tls_cert_file = /etc/postfix/mx1_slagter_name_all_crt.pem
    smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
    smtpd_tls_key_file = /etc/postfix/mx1_slagter_name_key.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_req_ccert = no
    smtpd_tls_security_level = none
    strict_rfc821_envelopes = no
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/etc/postfix/transport
    virtual_alias_maps = hash:/etc/postfix/virtual

* Postfinger

    postfinger - postfix configuration on do feb 21 16:32:28 CET 2013
    version: 1.30

    Warning: postfinger output may show private configuration information,
    such as ip addresses and/or domain names which you do not want to show
    to the public. If this is the case it is your responsibility to modify
    the output to hide this private information. [Remove this warning with
    the --nowarn option.]

    --System Parameters--
    mail_version = 2.9.4
    hostname = nemesis
    uname = Linux nemesis 3.5.3 #1 SMP Thu Aug 30 18:52:19 CEST 2012 x86_64 x86_64 x86_64 GNU/Linux

    --Packaging information--
    looks like this postfix comes from RPM package:
    postfix-2.9.4-2.fc17.x86_64

    --main.cf non-default parameters--
    alias_database = hash:/etc/postfix/aliases
    alias_maps = hash:/etc/postfix/aliases
    allow_mail_to_commands = alias,forward
    allow_mail_to_files = alias,forward
    command_time_limit = 300
    default_destination_concurrency_limit = 2
    default_privs = amavis
    default_transport = smtp-default
    delay_warning_time = 4
    fast_flush_domains = $mydomain
    inet_protocols = ipv6 ipv4
    local_transport = local
    mailbox_size_limit = 0
    masquerade_domains = $mydomain
    masquerade_exceptions = root
    maximal_backoff_time = 1h
    maximal_queue_lifetime = 21d
    message_size_limit = 1
    minimal_backoff_time = 2m
    mydestination = nemesis.slagter.name,
Re: setting up postscreen on a system with multiple external interfaces
On 21.02.2013 16:35, Erik Slagter wrote:
> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
>     -o myhostname=eriks.xs4all.nl
>     -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
>     -o smtpd_tls_security_level=may
>     -o postscreen_tls_security_level=may
>     -o tlsproxy_tls_security_level=may
>     -o smtpd_proxy_filter=nemesis.ipv4:10025
>     -o soft_bounce=no
>     -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

And how is this supposed to use postscreen, with smtpd instead of postscreen as the command?
Re: setting up postscreen on a system with multiple external interfaces
If I set up postscreen as closely as possible to the postscreen README document, I get this (diff to previous message) (I'm sorry, lots of it has been folded). The log says address already in use for 10.1.1.1; this is interesting because none of the changes involved 10.1.1.1.

--- a 2013-02-21 16:37:18.348109048 +0100 +++ b 2013-02-21 17:25:24.337265305 +0100 @@ -8,7 +8,7 @@ * Postfix logging -None relevant (really! the logging is exactly the same for postscreen and non-postscreen operation, up to the problem the problem occurs). +Feb 21 16:46:03 nemesis-vlan1 postfix/master[28268]: fatal: bind 10.1.1.1 port 25: Address already in use * Postconf -n @@ -93,7 +93,7 @@ * Postfinger -Postfinger - postfix configuration on do feb 21 16:32:28 CET 2013 +postfinger - postfix configuration on do feb 21 17:24:49 CET 2013 version: 1.30 Warning: postfinger output may show private configuration information, @@ -178,7 +178,10 @@ virtual_alias_maps = hash:/etc/postfix/virtual --master.cf-- -mx1.ipv4.slagter.name:smtp inetn - n - 2 smtpd +smtp inetn - n - 1 postscreen +dnsblogunix- - n - 0 dnsblog +tlsproxy unix- - n - 0 tlsproxy +mx1.ipv4.slagter.name:smtp passn - n - 2 smtpd -o myhostname=eriks.xs4all.nl -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25 -o smtpd_tls_security_level=may @@ -187,7 +190,7 @@ -o smtpd_proxy_filter=nemesis.ipv4:10025 -o soft_bounce=no -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4 -mx1.ipv6.slagter.name:smtp inetn - n - 2 smtpd +mx1.ipv6.slagter.name:smtp passn - n - 2 smtpd -o myhostname=mx1.ipv6.slagter.name -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25 -o smtpd_tls_security_level=may @@ -288,3 +291,6 @@ -- end of postfinger output --
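Review bot: the added `+smtp inetn - n - 1 postscreen` entry in the --master.cf-- hunk has no address in front of the port, so it listens on port 25 of every local address and collides with the address-bound port-25 listeners that the earlier master.cf still contains (the nemesis.ipv4:smtp, nemesis.ipv6:smtp and localhost.ipv4:smtp entries); that is what produces `fatal: bind 10.1.1.1 port 25: Address already in use` in the logging hunk even though no 10.1.1.1 entry was touched. Bind postscreen to the external address instead, as in `mx1.ipv4.slagter.name:smtp inet ... postscreen`. Separately, the hunk turns `mx1.ipv4.slagter.name:smtp` into a `pass` service carrying all the `-o smtpd_*` overrides, but the README template commented out in the earlier master.cf (`#smtpd pass - - n - - smtpd`) hands off to a pass service named `smtpd`, not to one named after the address, so those overrides are never reached by the connections postscreen passes on.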
Re: setting up postscreen on a system with multiple external interfaces
Another variation I tried (pass and postscreen the other way around). This works, but gives the original problem, the smtpd options are not honoured (especially banner and starttls=may), even though I set both: -o smtpd_tls_security_level=may -o postscreen_tls_security_level=may Output of postfinger, diff to first non-postscreen config: --- a 2013-02-21 17:35:41.568369098 +0100 +++ c 2013-02-21 17:38:58.274633686 +0100 @@ -1,4 +1,4 @@ -Postfinger - postfix configuration on do feb 21 16:32:28 CET 2013 +postfinger - postfix configuration on do feb 21 17:38:58 CET 2013 version: 1.30 Warning: postfinger output may show private configuration information, @@ -83,7 +83,10 @@ virtual_alias_maps = hash:/etc/postfix/virtual --master.cf-- -mx1.ipv4.slagter.name:smtp inetn - n - 2 smtpd +smtpd pass- - n - - smtpd +dnsblogunix- - n - 0 dnsblog +tlsproxy unix- - n - 0 tlsproxy +mx1.ipv4.slagter.name:smtp inetn - n - 2 postscreen -o myhostname=eriks.xs4all.nl -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25 -o smtpd_tls_security_level=may 
@@ -92,7 +95,7 @@ -o smtpd_proxy_filter=nemesis.ipv4:10025 -o soft_bounce=no -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4 -mx1.ipv6.slagter.name:smtp inetn - n - 2 smtpd +mx1.ipv6.slagter.name:smtp passn - n - 2 postscreen -o myhostname=mx1.ipv6.slagter.name -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25 -o smtpd_tls_security_level=may * Log output Feb 21 17:42:40 nemesis-vlan1 postfix/master[4547]: daemon started -- version 2.9.4, configuration /etc/postfix Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: CONNECT from [10.1.1.5]:49309 to [83.163.214.71]:25 Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: WHITELISTED [10.1.1.5]:49309 Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: cache btree:/var/lib/postfix/postscreen_cache-ipv4 full cleanup: retained=5 dropped=0 entries Feb 21 17:42:42 nemesis-vlan1 postfix/smtpd[4554]: connect from eos.ipv4.slagter.name[10.1.1.5] Feb 21 17:42:50 nemesis-vlan1 postfix/smtpd[4554]: disconnect from eos.ipv4.slagter.name[10.1.1.5] smime.p7s Description: S/MIME Cryptographic Signature
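Review bot: in the @@ -83 hunk `smtpd pass - - n - - smtpd` is a single shared pass service, so every postscreen listener hands its clients to the same smtpd, while the `-o myhostname`, `-o smtpd_banner` and `-o smtpd_tls_security_level=may` lines now sit under `mx1.ipv4.slagter.name:smtp inet n - n - 2 postscreen`, where postscreen reads the entry and ignores smtpd_* parameters; that is exactly why the per-interface banner and STARTTLS offer disappeared in this variant. Give each listener its own pass entry, selected with `-o smtpd_service_name=` on the postscreen line, and put the smtpd overrides on that pass entry.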
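Review bot: in the @@ -92 hunk `mx1.ipv6.slagter.name:smtp passn - n - 2 postscreen` turns postscreen into a pass-type service; postscreen has to own the inet socket (as the ipv4 entry in the previous hunk does) and hand off to a pass-type smtpd, not the reverse, so this listener cannot accept connections at all, and the log output that follows only ever shows the ipv4 path. The smtpd overrides beneath it are on the wrong service for the same reason as in the previous hunk.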
Re: setting up postscreen on a system with multiple external interfaces
On 21.02.2013 17:46, Erik Slagter wrote:
> Another variation I tried (pass and postscreen the other way around). This works, but gives the original problem, the smtpd options are not honoured (especially banner and starttls=may), even though I set both:

postscreen != smtpd, so why should it do so?

http://www.postfix.org/postscreen.8.html

    The Postfix postscreen(8) server provides additional protection against mail server overload. One postscreen(8) process handles multiple inbound SMTP connections, and decides which clients may talk to a Postfix SMTP server process.
Re: Problem with relay_domains lookups
On Wed, 20 Feb 2013, Wietse Venema wrote:
>> In ldap-domains.cf, I use %d as the key to look for. Should I be using %s
>
> That was the mistake. As documented in ldap_table(5):
>
>     %d  When the input key is an address of the form user@domain, %d is replaced by the (RFC 2253) quoted domain part of the address. Otherwise, the search is suppressed and returns no results.
>
> You probably want this:
>
>     %s  This is replaced by the input key. RFC 2253 quoting is used to make sure that the input key does not add unexpected metacharacters.

You're right. This was the problem. My initial mistake was taking a postgresql example of a relay_domains lookup which I assumed to be functional, and applying it to my situation. When using %d didn't work, I wrongly guessed that the lookup used the full address as key. I can see where I went wrong with this, as a static file will of course only have the domain.

It now appears to work as documented. Thanks everyone for your help.

Cheers,
Geoff.
Re: setting up postscreen on a system with multiple external interfaces
On 21-02-13 16:45, Reindl Harald wrote:
> On 21.02.2013 16:35, Erik Slagter wrote:
>> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
>> [ ... ]
>
> and how is this supposed to use postscreen, with smtpd instead of postscreen as the command?

Interesting how everybody is keen on telling me I am doing it wrong, which I sort of already had figured because it doesn't work... On the other hand nobody has given a hint on how to do it right then. Likewise people pointing me to the postscreen HOWTO, which I've been reading numerous times now and really does _not_ give an answer to this problem.

>> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
>> [ ... ]
>
> and how is this supposed to use postscreen, with smtpd instead of postscreen as the command?

Well don't ask me, I don't know, I am just trying everything because the documentation doesn't tell me how to do it?
Re: setting up postscreen on a system with multiple external interfaces
On Feb 21, 2013, at 18:28, Erik Slagter e...@slagter.name wrote:
> On 21-02-13 16:45, Reindl Harald wrote:
>> On 21.02.2013 16:35, Erik Slagter wrote:
>>> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
>>> [ ... ]
>>
>> and how is this supposed to use postscreen, with smtpd instead of postscreen as the command?
>
> Interesting how everybody is keen on telling me I am doing it wrong, which I sort of already had figured because it doesn't work... On the other hand nobody has given a hint on how to do it right then. Likewise people pointing me to the postscreen HOWTO, which I've been reading numerous times now and really does _not_ give an answer to this problem.
>
>>> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
>>> [ ... ]
>>
>> and how is this supposed to use postscreen, with smtpd instead of postscreen as the command?
>
> Well don't ask me, I don't know, I am just trying everything because the documentation doesn't tell me how to do it?

You keep blaming the documentation and the software, when the problem is most likely in your understanding of it.

Simplify your configuration. Don't assume that what goes for 'smtpd' goes for 'postscreen' as well. Pick sensible defaults for 'main.cf', and override only the options that are absolutely necessary.

If you have a legitimate reason (as in, contractual obligations or whatnot) to require separate hostnames, greetings, TLS settings and such, use the multi-instance features and separate them. Otherwise the KISS principle applies.

Cya,
Jona
Re: setting up postscreen on a system with multiple external interfaces
On 2/21/2013 10:46 AM, Erik Slagter wrote:
> Another variation I tried (pass and postscreen the other way around).

You've shared too much. By now no one has any idea what you're doing.

Overview:

Postscreen is a front-end listener for smtpd. It's not a proxy. Incoming connections are handled by postscreen until postscreen either decides it's clean and passes the connection endpoint to smtpd, or rejected. This is covered in more detail in the POSTSCREEN_README.

When postscreen decides to pass the connection to smtpd, postscreen is no longer involved, and smtpd has no knowledge of what transpired between postscreen and a client.

Solution:
[this is not a complete how-to, but will show you how to use multiple interfaces]

At some point you reported:
> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
>   -o myhostname=eriks.xs4all.nl
>   -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
>   -o smtpd_tls_security_level=may

Ok.

>   -o postscreen_tls_security_level=may
>   -o tlsproxy_tls_security_level=may

both these belong in main.cf, or better, set main.cf:
  smtpd_security_level = may
and leave these at their defaults.

>   -o smtpd_proxy_filter=nemesis.ipv4:10025
>   -o soft_bounce=no
>   -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

The cache map parameter belongs in main.cf. Probably a mistake to create separate caches.

Same comments as above for the smtpd listener below.

> mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
>   -o myhostname=mx1.ipv6.slagter.name
>   -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
>   -o smtpd_tls_security_level=may
>   -o postscreen_tls_security_level=may
>   -o tlsproxy_tls_security_level=may
>   -o smtpd_proxy_filter=nemesis.ipv4:10025
>   -o soft_bounce=no
>   -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6

For the TLS part, it will be much easier to turn TLS on in main.cf, then turn it off on the interfaces where you don't want to offer it with -o smtpd_tls_security_level=none.

  # main.cf
  smtpd_tls_security_level = may

For the greeting banners, set them as macros in main.cf and then refer to them by $name in master.cf

  # main.cf
  postscreen_greet_v4 = postscreen.v4.mx1 ESMTP greets you
  postscreen_greet_v6 = postscreen.v6.mx1 ESMTP greets you

Now tell postscreen which ports to listen on and to enable the banner:

  # master.cf
  mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
    -o postscreen_greet_banner=$postscreen_greet_v4
  mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
    -o postscreen_greet_banner=$postscreen_greet_v6

Next we tell smtpd to get its connections from postscreen. On your existing "smtp ... smtpd" entries where you want postscreen, change the "smtp inet n" part to "smtp pass -". This is described in detail in http://www.postfix.org/POSTSCREEN_README.html#config

so your existing entry:
  mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
would become:
  mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd

Good luck.

-- Noel Jones
Re: setting up postscreen on a system with multiple external interfaces
On 21-02-13 19:17, DTNX Postmaster wrote:
> You keep blaming the documentation and the software, when the problem is most likely in your understanding of it.

Yes I blame the documentation, but not the software. I've been using postfix for, well, something like ten years or more, I think it's the best thing since sliced bread, especially compared to sendmail, qmail and exchange. The way I've configured it now really suits the demands. I cannot remember any phrases in the documentation recommending not to do it this way (i.e. start multiple smtp listeners on different addresses with different options, in one master process). If it actually appears to be disrecommended, then that's clear to me, no problem.

> Simplify your configuration. Don't assume that what goes for 'smtpd' goes for 'postscreen' as well.

I'd like to, but where do I find what I CAN assume? The factual documentation of postscreen is so sparse, it's mostly HOWTO, monkey-see-monkey-do.

> Pick sensible defaults for 'main.cf', and override only the options that are absolutely necessary.

That's already done.

> If you have a legitimate reason (as in, contractual obligations or whatnot) to require separate hostnames, greetings, TLS settings and such, use the multi-instance features and separate them. Otherwise the KISS principle applies.

Actually this way is much more KISS to me than running multiple instances of master.

I'm starting to think that the reason this operation is not documented is because it's not possible. It looks like the postscreen layer literally sits between the remote client and the smtp process, and the information where the connection took place (interface/address) is not available at the point where the smtpd is invoked. If that's the case, postscreen is not the way to go for me. I assumed postscreen was implemented a bit like proxy-filter, where you can run any number of filters on any number of addresses.
Re: setting up postscreen on a system with multiple external interfaces
On 21-02-13 19:30, Noel Jones wrote:
> You've shared too much. By now no one has any idea what you're doing.

I'm just following the REPORT A PROBLEM procedure I was kindly pointed at...

> When postscreen decides to pass the connection to smtpd, postscreen is no longer involved, and smtpd has no knowledge of what transpired between postscreen and a client.

Yes, at this point the smtpd/master has no knowledge of the interface/address, that's exactly the thing I fear.

> At some point you reported:
> [ .. ]
>>   -o postscreen_tls_security_level=may
>>   -o tlsproxy_tls_security_level=may
>
> both these belong in main.cf, or better, set main.cf:
>   smtpd_security_level = may
> and leave these at their defaults.

Tried both, doesn't matter. The thing is that whichever way you set the smtpd options (in main.cf), you cannot override them with postscreen. So if you set the default value suitable for address a and b, they must be overridden for address c and d and vv. Yes, I have some internal addresses that need to have tls_security=none and yes, that works like a charm without postscreen enabled.

>>   -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
>
> The cache map parameter belongs in main.cf. Probably a mistake to create separate caches.

Nope, the cache map cannot be shared between two smtpd processes (see documentation ;-)). It's not a problem though, because one db holds ipv4 addresses and the other is ipv6 addresses.

> For the TLS part, it will be much easier to turn TLS on in main.cf, then turn it off on the interfaces where you don't want to offer it with -o smtpd_tls_security_level=none.

All relevant options for tls are actually set in main.cf. It's only that it's not enabled there, it's enabled on a per-address basis. Which works.

> For the greeting banners, set them as macros in main.cf and then refer to them by $name in master.cf

That's a possibility, but it's not necessary and doesn't solve the problem.

> Now tell postscreen which ports to listen on and to enable the banner:
>
>   # master.cf
>   mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
>     -o postscreen_greet_banner=$postscreen_greet_v4
>   mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
>     -o postscreen_greet_banner=$postscreen_greet_v6
>
> Next we tell smtpd to get its connections from postscreen. On your existing "smtp ... smtpd" entries where you want postscreen, change the "smtp inet n" part to "smtp pass -". This is described in detail in http://www.postfix.org/POSTSCREEN_README.html#config
>
> so your existing entry:
>   mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
> would become:
>   mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd

I get your drift, but IIRC I already tried this (multiple times, with slight variations) and also reported about the outcome of that: fatal: address already in use. Did I already mention I have followed all the steps from the README as closely as possible?
Re: setting up postscreen on a system with multiple external interfaces
On Thu, Feb 21, 2013 at 05:46:26PM +0100, Erik Slagter wrote:
> Another variation I tried (pass and postscreen the other way around). This works, but gives the original problem, the smtpd options are not honoured (especially banner and starttls=may), even though I set both:

Take a DEEP breath, relax and don't *try* implementing new configurations you don't yet understand. The shots in the dark will just get you more confused. It is time to try to *understand*.

1. A running Postfix instance is a collection of separate background services (daemons) launched by an inetd-like service supervisor known as master. These services run independently in separate processes and communicate with each other using unix-domain sockets. They are configured either via main.cf (best practice) or via master.cf -o parameter=$value overrides (when you must).

   The MOST important thing you need to understand about this is: Adding -o FOO=BAR to the master.cf entry for SERVICEA has NO EFFECT on the value of FOO in SERVICEB! Even when the MESSAGE is passed from SERVICEA to SERVICEB the parameter settings ARE NOT.

   Thus when you convert an existing smtpd entry to a postscreen entry, it is a grave mistake to leave the smtpd (-o options) that tune the functionality of smtpd attached to the postscreen service. It (postscreen) won't care and the destination smtpd to which the message is handed off will no longer know the parameters.

2. To provide multiple smtpd personalities, you need to implement multiple smtpd services each with their own settings. (As you do when smtpd listens directly on an inet socket).

3. To implement 2. with postscreen, each inet listening postscreen (with settings relevant for postscreen) must hand the message off to an smtpd appropriate for its listening IP address.

4. Therefore, you need multiple smtpd pass services for postscreen to hand the connection to.

The postscreen(8) manual page refers you to http://www.postfix.org/postconf.5.html#smtpd_service_name which must specify the service name of a pass entry in master.cf; you need one of these for each distinct postscreen instance.

    192.0.2.1:25   inet ... postscreen
        -o smtpd_service_name=25@192.0.2.1
        -o postscreen-related-settings ...
    25@192.0.2.1   pass ... smtpd
        -o smtpd-related-settings ...

Lather, rinse, repeat:

    192.0.2.1:587  inet ... postscreen
        -o smtpd_service_name=587@192.0.2.1
        -o postscreen-related-settings ...
    587@192.0.2.1  pass ... smtpd
        -o smtpd-related-settings ...

Lather, rinse, repeat:

    192.0.2.2:25   inet ... postscreen
        -o smtpd_service_name=25@192.0.2.2
        -o postscreen-related-settings ...
    25@192.0.2.2   pass ... smtpd
        -o smtpd-related-settings ...

Lather, rinse, repeat:

    192.0.2.3:25   inet ... postscreen
        -o smtpd_service_name=25@192.0.2.3
        -o postscreen-related-settings ...
    25@192.0.2.3   pass ... smtpd
        -o smtpd-related-settings ...

... but do stop eventually ... :-)

-- 
Viktor.
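The per-listener layout Viktor describes, and the two failure modes seen in Erik's earlier attempts (smtpd overrides attached to the postscreen entry, and an unqualified `smtp inet` listener colliding with an address-specific one), can be checked mechanically before reloading. The linter below is an added example written for this thread, not Postfix code or any poster's configuration; the two master.cf fragments it inspects are constructed with placeholder values, and inet_interfaces is passed in explicitly because the script does not read main.cf.

```python
# Added example, not Postfix code: lint a master.cf fragment for the postscreen mistakes
# in this thread. inet_interfaces is passed explicitly ("all" is not expanded).
import re

def parse_master_cf(text):
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                 # continuation line: "-o name=value"
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and entries:
                entries[-1]["opts"][m.group(1)] = m.group(2)
            continue
        f = line.split()                      # service type priv unpriv chroot wakeup maxproc cmd
        if len(f) >= 8:
            entries.append({"service": f[0], "type": f[1], "command": f[7], "opts": {}})
    return entries

def listen_addresses(service, inet_interfaces):
    # 'host:port' binds one address; a bare 'port' binds every inet_interfaces address
    if ":" in service:
        return {tuple(service.rsplit(":", 1))}
    return {(addr, service) for addr in inet_interfaces}

def lint_master_cf(text, inet_interfaces=("all",)):
    """Return findings as strings; an empty list means the fragment passes the checks."""
    entries, findings, bound = parse_master_cf(text), [], {}
    pass_targets = {e["service"] for e in entries if e["type"] == "pass" and e["command"] == "smtpd"}
    for e in entries:
        svc, opts = e["service"], e["opts"]
        if e["command"] == "postscreen":
            if e["type"] != "inet":
                findings.append(f"{svc}: postscreen must be an inet listener, not '{e['type']}'")
            target = opts.get("smtpd_service_name", "smtpd")   # Postfix default is 'smtpd'
            if target not in pass_targets:
                findings.append(f"{svc}: smtpd_service_name={target} has no 'pass ... smtpd' entry")
            for k in opts:
                if k.startswith("smtpd_") and k != "smtpd_service_name":
                    findings.append(f"{svc}: -o {k} is an smtpd setting; postscreen ignores it")
        elif e["command"] == "smtpd":
            for k in opts:
                if k.startswith("postscreen_"):
                    findings.append(f"{svc}: -o {k} is a postscreen setting; smtpd ignores it")
        if e["type"] == "inet":               # two listeners on one address:port -> "Address already in use"
            for addr, port in listen_addresses(svc, inet_interfaces):
                if (addr, port) in bound:
                    findings.append(f"{svc}: {addr}:{port} already bound by {bound[(addr, port)]}")
                bound[(addr, port)] = svc
    return findings

# Constructed fragments (placeholder values): the failing shape, then the per-listener layout.
BROKEN = """\
smtp inet n - n - 1 postscreen
  -o smtpd_banner=mx1-ESMTP
mx1.ipv4.slagter.name:smtp pass n - n - 2 smtpd
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
10.1.1.1:smtp inet n - n - - smtpd
"""
FIXED = """\
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o smtpd_service_name=25@mx1.ipv4
25@mx1.ipv4 pass - - n - 2 smtpd
  -o smtpd_banner=mx1-ESMTP
10.1.1.1:smtp inet n - n - - smtpd
"""
if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_master_cf(cfg, ("mx1.ipv4.slagter.name", "10.1.1.1")) or "ok")
```

Run against the broken fragment it reports the missing pass target, the two misplaced overrides and the double bind on 10.1.1.1:smtp; the fixed fragment produces no findings.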
Re: Our postfix works fine, but it is very slow when we send newsletter
On 02/20/2013 07:16 PM, Vince Wang wrote:
> Hello, We have a configured postfix email server worked well when we had it on the public IP. After we moved it behind our firewall on an intranet with ip 192.168.xxx.xxx, we found it is very slow when we send newsletter.

How is DNS set up in comparison with the previous server? Badly configured DNS can certainly slow things down, especially on outgoing mail. Any even moderately busy mailserver should have a local DNS cache.

> Server info: Ubuntu 10.4 32 bit running on 4cpus + 8GB memory VM ( VMware host )

A 32-bit OS with 8GB of memory? Only 3.5GB of that will be used, ever. Regardless, postfix hardly uses any memory, unless you are receiving hundreds of 10MB messages concurrently. What is much more relevant for mail performance is storage I/O - and you don't mention anything related to storage.

> As I just start learning about postfix so I tried to figure how it works. I sent a newsletter to 1100 members last week

How many *messages* did you send?

> and monitored the queue in the webmin and mailq, and the postfix log. After I clicked the send button on our web page, I found that the messages are added into the queue for 15 minutes and then I saw messages are sent out from the log file for around 15 minutes.

So you are seeing an average processing speed of 1.2 messages per second before queue, and another average 1.2 messages per second during delivery? Show logs that exhibit these delays; postfix logs detailed delay statistics for each message delivered.

> content_filter = smtp-amavis:[127.0.0.1]:10024

If you're submitting via smtpd(8) then all locally submitted mail will be scanned, which is patently useless in this case.

> smtpd_recipient_limit = 10

That is insane.

> qmgr_message_active_limit = 5
> line_length_limit = 204800
> maximal_queue_lifetime = 2d
> queue_run_delay = 4000s
> minimal_backoff_time = 4000s

Do not mess with these values unless you know exactly what they do.

No logs, so how do you expect us to deduce what is happening here?

-- J.
Re: Our postfix works fine, but it is very slow when we send newsletter
On 02/21/2013 03:34 PM, Ralf Hildebrandt wrote:
> It could be that the process injecting the mails into the queue is stalling the queuemanager, thus sending out can only begin AFTER the injection period.

... how? Either pickup(8) or smtpd(8) do the queueing; the qmgr only SENDS mail. There could be disk I/O contention, sure, but that would never translate into a scenario where no mail could be de-queued before all mail was finished queueing. These are wholly separate processes after all, and the only point of contact is the mail queue, which is concurrent read-write by design. By default, there may be many simultaneous processes accessing the queue (100 each of smtpd and smtp, for starters.)

Of course, it could be that he really is sending every single submitted message through amavisd and then re-injecting into postfix, thus effectively forcing every single message through the pipeline twice. This would be inane no matter what kind of IP address it has, but the cause of the delays would be the content_filter, nothing else. There are settings in amavisd-new that govern what to do when a message originates from a trusted or untrusted IP range, offering the option to pass it through without scanning. If this was impacted by the IP change, that could easily explain the delays - but they would still never be sequential.

Of course, you did ask for logs as well :)

-- J.