Re: can not telnet,can not send mail

2013-11-25 Thread Ansgar Wiechers
Please don't top-post.

On 2013-11-26 Feel Zhou wrote:
> 2013/11/26 Wijatmoko U. Prayitno 
>> On Tue, 26 Nov 2013 14:40:45 +0800 Feel Zhou  wrote:
>>> My postfix server can not telnet any other mail server, but other server
>>> can telnet my postfix server, so lots of mail in my queue,but I can not
>>> send it, what can I do now, thanks a lot.
>>
>> log ?
> 
> log is
> Nov 26 14:51:48 usa postfix/error[3310]: A1F4612806E: to=,
> relay=none, delay=0.02, delays=0.02/0/0/0.01, dsn=4.4.1, status=deferred
> (delivery temporarily suspended: connect to IP[IP]:25: Connection timed out)
> 
> command just like
> telnet mail.example.com  25
> Trying IP...

Looks to me like your provider is blocking outbound connections to port
25/tcp.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: can not telnet,can not send mail

2013-11-25 Thread Feel Zhou
It's already open in the firewall, I can send mail this morning (Chinese
time) before, and never change some setting


2013/11/26 Feel Zhou 

> It's already open in the firewall , I can send mail this morning (Chinese
> time) before.and never change  some setting
>
>
> 2013/11/26 Paul C 
>
>> check your firewall first, and also make sure your hosting company isn't
>> blocking port 25. Try to telnet to another port, like 22 or 80
>>
>>
>> On Tue, Nov 26, 2013 at 1:40 AM, Feel Zhou  wrote:
>>
>>> Hello, my friend
>>> This is Tom I'm sending my greeting from China
>>> My postfix server can not telnet any other mail server, but other server
>>> can telnet my postfix server, so lots of mail in my queue,but I can not
>>> send it, what can I do now, thanks a lot.
>>> TOM
>>>
>>
>>
>


Re: can not telnet,can not send mail

2013-11-25 Thread Feel Zhou
log is
Nov 26 14:51:48 usa postfix/error[3310]: A1F4612806E: to=,
relay=none, delay=0.02, delays=0.02/0/0/0.01, dsn=4.4.1, status=deferred
(delivery temporarily suspended: connect to IP[IP]:25: Connection timed out)

command just like
telnet mail.example.com  25
Trying IP...



2013/11/26 Wijatmoko U. Prayitno 

> On Tue, 26 Nov 2013 14:40:45 +0800
> Feel Zhou  wrote:
>
> > My postfix server can not telnet any other mail server, but other server
> > can telnet my postfix server, so lots of mail in my queue,but I can not
> > send it, what can I do now, thanks a lot.
> >
> log ?
>
> --
> WUP
>
>


can not telnet,can not send mail

2013-11-25 Thread Feel Zhou
Hello, my friend
This is Tom I'm sending my greeting from China
My postfix server can not telnet any other mail server, but other server
can telnet my postfix server, so lots of mail in my queue,but I can not
send it, what can I do now, thanks a lot.
TOM


Re: problem with Name service error for name=[domain name] type=AAAA

2013-11-25 Thread Wietse Venema
Wietse:
> Sorry. Postfix reports only the last lookup error. In theory it
> could be made configurable so it tries AAA first and A last. But
> that may have performance implications.

Victor Shchukin:
> Thanks for answer. I think we could implement that behaviour and
> check if there will be performance issues. Anyone else interested?

On second thought, there should be no performance impact. Postfix
does both A and AAAA lookups before it decides what address to
connect to, so the total amount of time spent in DNS should be the
same regardless of the lookup order.

Wietse


Re: problem with Name service error for name=[domain name] type=AAAA

2013-11-25 Thread Victor Shchukin
Thanks for answer. I think we could implement that behaviour and check if there 
will be performance issues. Anyone else interested?

--
Victor Shchukin
ignit...@yandex-team.ru




On Nov 25, 2013, at 17:21 , Wietse Venema  wrote:

> Wietse Venema:
>> Wietse Venema:
>>> Victor Shchukin:
>>>> Hi every one!
>>>>
>>>> We use postfix 2.10.2 and IPv6 & IPv4 mode, so when remote domain
>>>> doesn't has A record, postfix send's bounce, like "Name service
>>>> error for name=[domain name] type=AAAA: Host found but no data
>>>> record of requested type" this message a little bit confused our
>>>> users. Is it possible to send bounce for type=A only? or for A and
>>>> AAAA type?
>>> 
>>> Sorry. Postfix reports only the last lookup error. In theory it
>>> could be made configurable so it tries AAA first and A last. But
>>> that may have performance implications.
>> 
>> Your problem description did not say where the problem happens (in
>> the SMTP client?) but if that is the case, then "smtp_address_preference
>> = ipv6" will force IPv4 lookups to happen last, and your error messages
>> may look prettier.
> 
> Never mind. smtp_address_preference decides what host to connect to,
> not what DNS query to make.
> 
>   Wietse





Re: Rejecting emails based on domain blacklist

2013-11-25 Thread Wietse Venema
Dang. I forgot to append a dummy column to the textfile. Corrected
version is below.

Also added a note that "mv newdatabase realdatabase" is not needed
with cdb and lmdb.

Wietse

Mark Goodge:
> What would be the simplest method in Postfix of implementing an 
> equivalent to the exim ACL mentioned in this blog post:
> 
> http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/
> 
> That is, what's the simplest way of rejecting email from a list of 
> domains contained within a simple text file that can be updated 
> regularly without needing to restart Postfix.

No need to restart Postfix. Use an indexed file and let smtpd(8)
auto-detect that the file has changed.

Run this from cron:

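#!/bin/sh

# Configure smtpd(8) to query $TYPE:real-file

TYPE=hash
SUFF=db
URL=http://example.com/file.txt

test -f old-file || touch old-file
# Continue only when the download succeeded and is non-empty. The perl
# step appends a dummy value column so each line is a key/value pair.
wget -O new-file "$URL" && test -s new-file &&
perl -pi -e 's/$/ x/' new-file && {
    # Rebuild and publish the indexed file only when the list changed.
    cmp -s old-file new-file || {
        postmap $TYPE:new-file && mv new-file.$SUFF real-file.$SUFF
        mv new-file old-file
    }
}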

In particular, LMDB as of postfix-2.11-20131122 no longer restarts
a daemon and picks up changes immediately. With cdb and hash, the
changes are detected at the start of a new SMTP session and then
smtpd(8) restarts.

The "mv new-file.$SUFF real-file.$SUFF" step is not needed with cdb
or lmdb databases (cdb already renames the result file, and lmdb
uses copy-on-write internally, which for practical purposes works
like rename).

Wietse
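
The cron script above builds the lookup table from whatever the URL returns. As an added example (not part of Wietse's post), the filter below validates the downloaded list first and fails closed. It assumes the table is queried with check_sender_access, so it writes REJECT as the value instead of the dummy column; the function names and sample feed are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Names and sample data are constructed.

# Reads one domain per line on stdin and writes "domain REJECT" access(5)
# entries on stdout. Blank lines and "#" comments are skipped. Any other
# line that is not a plain hostname makes the function return 1, so the
# caller can keep the old table instead of publishing a damaged feed.
domains_to_access() {
    awk '
        { sub(/\r$/, "") }               # tolerate CRLF feeds
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        {
            d = tolower($0)
            # Dot-separated labels of letters, digits and hyphens, at least
            # two labels, no whitespace. A second column in the feed would
            # otherwise become the access(5) action, e.g. "OK".
            if (length(d) > 253 ||
                d !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) {
                printf "line %d rejected: %s\n", NR, $0 > "/dev/stderr"
                bad = 1
                next
            }
            if (!(d in seen)) { seen[d] = 1; print d " REJECT" }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample feed: a comment, two good entries, and one line that
# tries to carry its own action into the table.
sample_feed() {
    printf '%s\n' '# blocklist' 'Spam.Example' 'bulk.example.net' \
        'victim.example OK'
}

# In the cron script this would replace the perl step, for instance:
#   domains_to_access < download > new-file || exit 1
```
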



Re: Rejecting emails based on domain blacklist

2013-11-25 Thread Jeffrey 'jf' Lim
On Mon, Nov 25, 2013 at 9:51 PM, Wietse Venema  wrote:

> Mark Goodge:
> > What would be the simplest method in Postfix of implementing an
> > equivalent to the exim ACL mentioned in this blog post:
> >
> > http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/
> >
> > That is, what's the simplest way of rejecting email from a list of
> > domains contained within a simple text file that can be updated
> > regularly without needing to restart Postfix.
>
> No need to restart Postfix. Use an indexed file and let smtpd(8)
> auto-detect that the file has changed.
>
> Run this from cron:
>
> #!/bin/sh
>
> # Configure smtpd(8) to query $TYPE:real-file
>
> TYPE=cdb # or hash or lmdb
> SUFF=cdb # or db or lmdb
> URL=http://example.com/file.txt
>
> test -f old-file || touch old-file
> wget -O new-file $URL && test -s new-file && {
> cmp -s old-file new-file || {
> postmap $TYPE:new-file && mv new-file.$SUFF real-file.$SUFF
> mv new-file old-file
> }
> }
>


If I may chime in, I guess it's 'mv new-file.$SUFF real-file.$SUFF' that
triggers the actual change that is actually detected by postfix (or more
specifically, smtpd(8))?

-jf




>
> In particular, LMDB as of postfix-2.11-20131122 no longer restarts
> a daemon and picks up changes immediately. With cdb and hash, the
> changes are detected at the start of a new SMTP session and then
> smtpd(8) restarts.
>
> Wietse
>


Re: Rejecting emails based on domain blacklist

2013-11-25 Thread Mark Goodge

On 25/11/2013 13:51, Wietse Venema wrote:


> No need to restart Postfix. Use an indexed file and let smtpd(8)
> auto-detect that the file has changed.
>
> Run this from cron:
>
> #!/bin/sh
>
> # Configure smtpd(8) to query $TYPE:real-file
>
> TYPE=cdb # or hash or lmdb
> SUFF=cdb # or db or lmdb
> URL=http://example.com/file.txt
>
> test -f old-file || touch old-file
> wget -O new-file $URL && test -s new-file && {
>     cmp -s old-file new-file || {
>         postmap $TYPE:new-file && mv new-file.$SUFF real-file.$SUFF
>         mv new-file old-file
>     }
> }
>
> In particular, LMDB as of postfix-2.11-20131122 no longer restarts
> a daemon and picks up changes immediately. With cdb and hash, the
> changes are detected at the start of a new SMTP session and then
> smtpd(8) restarts.


Thanks. I'll have a play with that later.

Mark
--
My blog: http://mark.goodge.co.uk


Re: Rejecting emails based on domain blacklist

2013-11-25 Thread Wietse Venema
Mark Goodge:
> What would be the simplest method in Postfix of implementing an 
> equivalent to the exim ACL mentioned in this blog post:
> 
> http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/
> 
> That is, what's the simplest way of rejecting email from a list of 
> domains contained within a simple text file that can be updated 
> regularly without needing to restart Postfix.

No need to restart Postfix. Use an indexed file and let smtpd(8)
auto-detect that the file has changed.

Run this from cron:

#!/bin/sh

# Configure smtpd(8) to query $TYPE:real-file

TYPE=cdb # or hash or lmdb
SUFF=cdb # or db or lmdb
URL=http://example.com/file.txt

test -f old-file || touch old-file
wget -O new-file $URL && test -s new-file && {
    cmp -s old-file new-file || {
        postmap $TYPE:new-file && mv new-file.$SUFF real-file.$SUFF
        mv new-file old-file
    }
}

In particular, LMDB as of postfix-2.11-20131122 no longer restarts
a daemon and picks up changes immediately. With cdb and hash, the
changes are detected at the start of a new SMTP session and then
smtpd(8) restarts.

Wietse


Re: problem with Name service error for name=[domain name] type=AAAA

2013-11-25 Thread Wietse Venema
Wietse Venema:
> Wietse Venema:
> > Victor Shchukin:
> > > Hi every one!
> > > 
> > > We use postfix 2.10.2 and IPv6 & IPv4 mode, so when remote domain
> > > doesn't has A record, postfix send's bounce, like "Name service
> > > error for name=[domain name] type=AAAA: Host found but no data
> > > record of requested type" this message a little bit confused our
> > > users. Is it possible to send bounce for type=A only? or for A and
> > > AAAA type?
> > 
> > Sorry. Postfix reports only the last lookup error. In theory it
> > could be made configurable so it tries AAA first and A last. But
> > that may have performance implications.
> 
> Your problem description did not say where the problem happens (in
> the SMTP client?) but if that is the case, then "smtp_address_preference
> = ipv6" will force IPv4 lookups to happen last, and your error messages
> may look prettier.

Never mind. smtp_address_preference decides what host to connect to,
not what DNS query to make.

Wietse


Re: problem with Name service error for name=[domain name] type=AAAA

2013-11-25 Thread Wietse Venema
Wietse Venema:
> Victor Shchukin:
> > Hi every one!
> > 
> > We use postfix 2.10.2 and IPv6 & IPv4 mode, so when remote domain
> > doesn't has A record, postfix send's bounce, like "Name service
> > error for name=[domain name] type=AAAA: Host found but no data
> > record of requested type" this message a little bit confused our
> > users. Is it possible to send bounce for type=A only? or for A and
> > AAAA type?
> 
> Sorry. Postfix reports only the last lookup error. In theory it
> could be made configurable so it tries AAA first and A last. But
> that may have performance implications.

Your problem description did not say where the problem happens (in
the SMTP client?) but if that is the case, then "smtp_address_preference
= ipv6" will force IPv4 lookups to happen last, and your error messages
may look prettier.

Wietse


Re: Rejecting emails based on domain blacklist

2013-11-25 Thread Wietse Venema
Wietse Venema:
> Mark Goodge:
> > That is, what's the simplest way of rejecting email from a list of 
> > domains contained within a simple text file that can be updated 
> > regularly without needing to restart Postfix.
> 
> What do you mean with "regularly"? Postfix SMTP daemons check if a
> hash:  or btree: file has changed when a new client connects. 
> However they don't auto-detect changes to pcre/regexp/cidr files.
> 
> If Postfix daemons must see updates instantaneously, use the LMDB
> client of Postfix 2.11-20131122 ("postmap simple-text-file").  Or
> use *SQL. Or serve the "simple text file" with a socketmap: or
> tcp: daemon. Or use DNS (reject_rhsbl_client).

Alternatively, this could be as simple as implementing a variant
of texthash: tables that keeps the file open and re-reads it after
change.

Wietse


Re: Preventing mail from one address

2013-11-25 Thread Noel Jones
On 11/25/2013 3:39 AM, Rod Evans wrote:
> Hi
>  
> I've taken over a postfix mailserver which has the main.cf shown below
>  
> The server is sheltered behind a reasonably good commercial antispam
> service so the config is light on many of the usual things discussed
> on this list. The protection afforded by the antispam service seems
> to have been good enough over the last few years, but in the last
> few days the server has been compromised. Spam is being sent in
> volumes in the name of one user. Deleting the user from the service
> had no effect.
>  
> The log shows mail being sent consistently from one address
>  
> from= < u...@domain.com  >
>  
> and I have tried to stop this with an extra line in main.cf
>  
> smtpd_sender_restrictions=check_sender_access
> hash:/etc/postfix/sender_access
>  
> with u...@domain.com REJECT in the sender_access file
>
> This rejects mail when I try to send it as u...@domain.com
> but spam from u...@domain.com is still being sent with corresponding
> entries in the log.
>
> Can anyone advise:
>
> - what I can do to stop mail from u...@domain.com being sent?
>  
> - and what I should do generally to tighten up the config?

That sounds like an abused web form, submitting mail through the
sendmail(1) command.

As a temporary measure, you can add the web user to main.cf
authorized_submit_users
http://www.postfix.org/postconf.5.html#authorized_submit_users

# main.cf
authorized_submit_users = !www, static:all
where www is the abused user name.

Then, you must fix your web server.

If you need more help with postfix, please read:
http://www.postfix.org/DEBUG_README.html#mail


  -- Noel Jones



>  
> main.cf:
> ---
>  
> queue_directory = /var/spool/postfix
>  
> command_directory = /usr/sbin
>  
> daemon_directory = /usr/libexec/postfix
>  
> mail_owner = postfix
>  
> mydestination = $myhostname, localhost.$mydomain
> unknown_local_recipient_reject_code = 450
>  
> mynetworks_style = host
>  
> 
> debug_peer_level = 2
>  
> debugger_command =
>   PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>   ddd $daemon_directory/$process_name $process_id & sleep 5
>  
> sendmail_path = /usr/sbin/sendmail.postfix
>  
> newaliases_path = /usr/bin/newaliases.postfix
>  
> mailq_path = /usr/bin/mailq.postfix
>  
> setgid_group = postdrop
>  
> manpage_directory = /usr/share/man
>  
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
>  
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> alias_database = hash:/etc/postfix/aliases
>  
> virtual_maps = hash:/etc/postfix/virtual
> transport_maps = hash:/etc/postfix/transport
> virtual_mailbox_domains = $transport_maps
> local_destination_concurrency_limit=1
> maildrop_destination_concurrency_limit=1
> maildrop_destination_recipient_limit=1
> relay_domains=$mydestination
>  
> mynetworks = 127.0.0.1
>  
> smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
> smtpd_sasl_auth_enable=yes
> smtpd_sasl_security_options=noanonymous
>  
> Thanks
>  
> RE
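
Mail handed to sendmail(1) enters the queue through pickup(8) rather than smtpd(8), and is logged with the submitting uid instead of a client address. As an added example (not part of the thread; the log lines and function names are constructed), this tally of pickup entries per uid and sender shows which local account is submitting the mail.

```shell
#!/bin/sh
# Added example, not from the thread. Names and log lines are constructed.

# Reads a Postfix mail log on stdin and prints "count uid=N from=ADDRESS"
# for every local submission, most active submitter first. Only pickup(8)
# lines are counted; mail received over SMTP is logged by smtpd(8) with
# "client=" and is ignored here.
local_submitters() {
    awk '
        /postfix\/pickup\[[0-9]+\]: [0-9A-Za-z]+: uid=[0-9]+ from=</ {
            uid = ""; from = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^uid=/)
                    uid = substr($i, 5)
                if ($i ~ /^from=</)
                    from = substr($i, 7, length($i) - 7)  # strip from=< and >
            }
            n["uid=" uid " from=" from]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample: three messages submitted locally by uid 48 (a web
# server account on this hypothetical host), one by root, one SMTP delivery.
sample_maillog() {
    cat <<'EOF'
Nov 25 09:00:01 mx postfix/pickup[2101]: 1A2B3C4D5E: uid=48 from=<user@example.com>
Nov 25 09:00:02 mx postfix/pickup[2101]: 2B3C4D5E6F: uid=48 from=<user@example.com>
Nov 25 09:00:03 mx postfix/smtpd[2200]: 3C4D5E6F70: client=mail.example.net[192.0.2.10]
Nov 25 09:00:04 mx postfix/pickup[2101]: 4D5E6F7081: uid=48 from=<user@example.com>
Nov 25 09:00:05 mx postfix/pickup[2101]: 5E6F708192: uid=0 from=<root>
EOF
}

# Typical use on a live system (log path varies by distribution):
#   local_submitters < /var/log/maillog
```

The uid at the top of the list is the account name to exclude in authorized_submit_users.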



Re: problem with Name service error for name=[domain name] type=AAAA

2013-11-25 Thread Wietse Venema
Victor Shchukin:
> Hi every one!
> 
> We use postfix 2.10.2 and IPv6 & IPv4 mode, so when remote domain
> doesn't has A record, postfix send's bounce, like "Name service
> error for name=[domain name] type=AAAA: Host found but no data
> record of requested type" this message a little bit confused our
> users. Is it possible to send bounce for type=A only? or for A and
> AAAA type?

Sorry. Postfix reports only the last lookup error. In theory it
could be made configurable so it tries AAA first and A last. But
that may have performance implications.

Wietse


Re: Rejecting emails based on domain blacklist

2013-11-25 Thread Wietse Venema
Mark Goodge:
> That is, what's the simplest way of rejecting email from a list of 
> domains contained within a simple text file that can be updated 
> regularly without needing to restart Postfix.

What do you mean with "regularly"? Postfix SMTP daemons check if a
hash:  or btree: file has changed when a new client connects. 
However they don't auto-detect changes to pcre/regexp/cidr files.

If Postfix daemons must see updates instantaneously, use the LMDB
client of Postfix 2.11-20131122 ("postmap simple-text-file").  Or
use *SQL. Or serve the "simple text file" with a socketmap: or
tcp: daemon. Or use DNS (reject_rhsbl_client).

Wietse


Rejecting emails based on domain blacklist

2013-11-25 Thread Mark Goodge
What would be the simplest method in Postfix of implementing an 
equivalent to the exim ACL mentioned in this blog post:


http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/

That is, what's the simplest way of rejecting email from a list of 
domains contained within a simple text file that can be updated 
regularly without needing to restart Postfix.


Mark
--
My blog: http://mark.goodge.co.uk


problem with Name service error for name=[domain name] type=AAAA

2013-11-25 Thread Victor Shchukin
Hi every one!

We use postfix 2.10.2 and IPv6 & IPv4 mode, so when remote domain doesn't has A 
record, postfix send's bounce, like "Name service error for name=[domain name] 
type=AAAA: Host found but no data record of requested type" this message a 
little bit confused our users. Is it possible to send bounce for type=A only? 
or for A and AAAA type?
Thanks for advice

--
Victor Shchukin
ignit...@yandex-team.ru




Preventing mail from one address

2013-11-25 Thread Rod Evans
Hi

I've taken over a postfix mailserver which has the main.cf shown below

The server is sheltered behind a reasonably good commercial antispam service so 
the config is light on many of the usual things discussed on this list. The 
protection afforded by the antispam service seems to have been good enough over 
the last few years, but in the last few days the server has been compromised. 
Spam is being sent in volumes in the name of one user. Deleting the user from 
the service had no effect.

The log shows mail being sent consistently from one address

from= < u...@domain.com > 

and I have tried to stop this with an extra line in main.cf

smtpd_sender_restrictions=check_sender_access 
hash:/etc/postfix/sender_access 

with  u...@domain.com  REJECT in the sender_access file

This rejects mail when I try to send it as u...@domain.com but spam from 
u...@domain.com is still being sent with corresponding entries in the log.

Can anyone advise:

- what I can do to stop mail from u...@domain.com being sent?

- and what I should do generally to tighten up the config?

main.cf:
---

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

mail_owner = postfix

mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 450

mynetworks_style = host


debug_peer_level = 2

debugger_command =
  PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.3.3/samples

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
alias_database = hash:/etc/postfix/aliases

virtual_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
virtual_mailbox_domains = $transport_maps
local_destination_concurrency_limit=1
maildrop_destination_concurrency_limit=1
maildrop_destination_recipient_limit=1
relay_domains=$mydestination

mynetworks = 127.0.0.1

smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous

 
Thanks

RE