Re: 20-40+ second delays. Is this normal?

2014-03-12 Thread Sahil Tandon
Some guesses below; hopefully an expert will eventually chime in.

On Wed, 2014-03-12 at 06:18:37 -0700, jmct wrote:
> ...
> When I try sending a basic test e-mail through PowerShell using my Postfix
> box as the SMTP server - I'm seeing 20-40+ second delays in the
> /var/log/maillog per e-mail.
> 
> Here is what I see in the logs:
> 
> Mar 12 07:59:36 postfix/smtpd[21189]: connect from unknown[10.1.10.45]
> ...
> Mar 12 07:59:36 postfix/postdrop[21196]: warning: unable to look up
> public/pickup: Permission denied

A permission issue prevents postdrop(1) from notifying the pickup(8)
service of new mail arrival. Try running 'postfix set-permissions' to
fix this.

> Mar 12 07:59:36 postfix/pipe[21192]: 2E69C1E0203: to=,
> relay=spamfilter, delay=0.17, delays=0.02/0.02/0/0.13, dsn=2.0.0,
> status=sent (delivered via spamfilter service)
> Mar 12 07:59:36 postfix/qmgr[20944]: 2E69C1E0203: removed

Postfix delivers to the spamfilter relay in < 1s from initial connect,
and removes the message from the queue.

> Mar 12 *07:59:36* spamd[15542]: prefork: child states: II
> Mar 12 *08:00:06* postfix/pickup[20942]: 5B5A81E01ED: uid=5001
> from=

During its periodic scan of the "maildrop" queue, pickup(8) sees the new
mail and passes it to cleanup(8), as logged below.

> Mar 12 08:00:06 postfix/cleanup[21191]: 5B5A81E01ED:
> message-id=<20140312130006.5B5A81E01ED@localhost>
> Mar 12 08:00:06 postfix/qmgr[20944]: 5B5A81E01ED: from=,
> ... 

-- 
Sahil Tandon
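The delays=a/b/c/d breakdown that Sahil's reply walks through is where the missing 30 seconds show up (a = time before the queue manager, which includes waiting in the maildrop queue for pickup(8); b = time in the queue manager; c = connection setup; d = message transmission). As an added example that is not part of the thread, a small Python checker that parses such lines, names the dominant stage for any slow delivery, and flags the postdrop permission warning; the sample lines are constructed after the log in the thread and the recipient addresses are placeholders.

```python
import re

# Constructed sample lines modelled on the thread's maillog (addresses are placeholders).
SAMPLE_LOG = """\
Mar 12 07:59:36 postfix/postdrop[21196]: warning: unable to look up public/pickup: Permission denied
Mar 12 07:59:36 postfix/pipe[21192]: 2E69C1E0203: to=<user@example.test>, relay=spamfilter, delay=0.17, delays=0.02/0.02/0/0.13, dsn=2.0.0, status=sent (delivered via spamfilter service)
Mar 12 08:00:08 postfix/smtp[21200]: 5B5A81E01ED: to=<user@example.test>, relay=smtp.workdomain[10.10.106.10]:25, delay=32, delays=30/0.02/0.14/1.8, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

# Matches the delivery-agent summary line: queue id, relay, total delay and the a/b/c/d split.
DELAY_RE = re.compile(
    r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): .*?relay=(?P<relay>\S+?),"
    r" delay=(?P<delay>[\d.]+), delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)"
)

# Meaning of the four delays= fields, in order.
STAGES = (
    "before queue manager (maildrop wait for pickup, cleanup)",
    "in queue manager",
    "connection setup (DNS, HELO, TLS)",
    "message transmission",
)


def parse_delays(line):
    """Return the queue id, relay, total delay and the four stage delays, or None."""
    m = DELAY_RE.search(line)
    if not m:
        return None
    return {
        "qid": m["qid"],
        "relay": m["relay"],
        "delay": float(m["delay"]),
        "delays": tuple(float(m[k]) for k in "abcd"),
    }


def slowest_stage(rec):
    """Name the stage that contributed most to the total delay (first one on ties)."""
    idx = max(range(4), key=lambda i: rec["delays"][i])
    return STAGES[idx]


def analyze(log, threshold=5.0):
    """Flag deliveries slower than threshold seconds and the postdrop permission warning."""
    postdrop_denied = False
    slow = []
    for line in log.splitlines():
        if "postfix/postdrop" in line and "Permission denied" in line:
            postdrop_denied = True
        rec = parse_delays(line)
        if rec and rec["delay"] >= threshold:
            slow.append((rec["qid"], rec["relay"], rec["delay"], slowest_stage(rec)))
    return {"postdrop_permission_denied": postdrop_denied, "slow": slow}
```

Run against the sample, the only slow delivery is 5B5A81E01ED with 30 of its 32 seconds in the first stage, which is the pickup wait the reply describes.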


Re: Allow client hostname to relay mails.

2014-03-12 Thread Pete
On Wed, Mar 12, 2014 at 05:28:38PM +0530, tejas sarade wrote:
>> how should that be possible?
>> the hostname the client pretends?
>> how could you trust that?
>> how could you trust any hostname?
>> there is nothing else trustable than the connecting real IP
> 
>No. Not the hostname that client pretends, I am talking about valid DNS A
>record through DNS lookup.
>>
>> frankly you must not even make relay decisions based on a
>> static PTR because i can add any PTR i like in my own DNS
>> server which is authoritative for my in-addr.arpa zone
>I am not running my own DNS server.
>> the same way nobody can stop you from making a valid PTR record
>> you like to see on your side to grant relay permissions
> 
>I just want to create an access control system where I will provide the
>list of valid hostnames (FQDN).
>Postfix will look up the IP of that FQDN through public DNS and consider
>that IP as a trusted IP.

If you want to limit access to the box to certain FQDNs you're probably looking 
for iptables and custom rules that are rewritten every 30/60 seconds with 
something like ddclient.

This is only good for limiting maybe login attempts, or something like that but 
shouldn't be used for authentication to postfix and it would only work if you 
were planning on dropping all packets to that port that aren't on the list so 
it won't work on 25.  Probably best to figure out the auth methods for postfix.

-- 
Pete


20-40+ second delays. Is this normal?

2014-03-12 Thread jmct
Hello,

I have recently spun up a Postfix server that is currently in a testing
phase. It is currently not being used at the moment - so there is zero load
on this server.

I am actively using Postfix 2.11, SpamAssassin 3.3.1 and Dovecot 2.0.9 for
POP3.

When I try sending a basic test e-mail through PowerShell using my Postfix
box as the SMTP server - I'm seeing 20-40+ second delays in the
/var/log/maillog per e-mail.

Here is what I see in the logs:

Mar 12 07:59:36 postfix/smtpd[21189]: connect from unknown[10.1.10.45]
Mar 12 07:59:36 postfix/smtpd[21189]: 2E69C1E0203:
client=unknown[10.1.10.45]
Mar 12 07:59:36 postfix/cleanup[21191]: 2E69C1E0203: message-id=<>
Mar 12 07:59:36 postfix/qmgr[20944]: 2E69C1E0203: from=,
size=414, nrcpt=1 (queue active)
Mar 12 07:59:36 spamd[15544]: spamd: connection from localhost [127.0.0.1]
at port 56378
Mar 12 07:59:36 spamd[15544]: spamd: setuid to spamfilter succeeded
Mar 12 07:59:36 spamd[15544]: spamd: processing message (unknown) for
spamfilter:5001
Mar 12 07:59:36 spamd[15544]: spamd: clean message (-0.9/5.0) for
spamfilter:5001 in 0.1 seconds, 439 bytes.
Mar 12 07:59:36 spamd[15544]: spamd: result: . 0 - ALL_TRUSTED,MISSING_MID
scantime=0.1,size=439,user=spamfilter,uid=5001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56378,mid=(unknown),autolearn=no
Mar 12 07:59:36 postfix/postdrop[21196]: warning: unable to look up
public/pickup: Permission denied
Mar 12 07:59:36 postfix/pipe[21192]: 2E69C1E0203: to=,
relay=spamfilter, delay=0.17, delays=0.02/0.02/0/0.13, dsn=2.0.0,
status=sent (delivered via spamfilter service)
Mar 12 07:59:36 postfix/qmgr[20944]: 2E69C1E0203: removed
Mar 12 *07:59:36* spamd[15542]: prefork: child states: II
Mar 12 *08:00:06* postfix/pickup[20942]: 5B5A81E01ED: uid=5001
from=
Mar 12 08:00:06 postfix/cleanup[21191]: 5B5A81E01ED:
message-id=<20140312130006.5B5A81E01ED@localhost>
Mar 12 08:00:06 postfix/qmgr[20944]: 5B5A81E01ED: from=,
size=772, nrcpt=1 (queue active)
Mar 12 08:00:08 postfix/smtp[21200]: 5B5A81E01ED: to=,
relay=smtp.workdomain[10.10.106.10]:25, delay=32, delays=30/0.02/0.14/1.8,
dsn=2.6.0, status=sent (250 2.6.0 <20140312130006.5B5A81E01ED@localhost>
[InternalId=10592664] Queued mail for delivery)
Mar 12 08:00:08 postfix/qmgr[20944]: 5B5A81E01ED: removed

Mail originating from the Postfix server and being sent out are near
instantaneous - it's just the relay portion that appears to be taking some
time. Is the above normal? Or is there something I can tweak to have these
go out quicker? I'm completely open to suggestions.

Here is my Postfix configuration:

>>postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain
myhostname = localhost
mynetworks = 10.1.1.0/24, 127.0.0.0/24, 10.1.10.0/24
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource, software, bounce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.11.0/README_FILES
relay_domains = $mydomain
relayhost =
sample_directory = /usr/share/doc/postfix-2.11.0/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000

Any help is very much appreciated!

Thanks,

Joey





Re: Allow client hostname to relay mails.

2014-03-12 Thread Wietse Venema
tejas sarade:
> I just want to create an access control system where I will provide the
> list of valid hostnames (FQDN).
> Postfix will look up the IP of that FQDN through public DNS and consider
> that IP as a trusted IP.

Access control by hostname is not reliable if you rely on remote
DNS servers.
- Remote DNS lookups sometimes time out.
- Postfix will not give access based on PTR records; access based on
  the hostname requires that the PTR name resolves to the client IP
  address.

Instead, use access control based on the client IP address, SASL
authentication, client TLS certificate, or client TLS public-key
fingerprint.

Wietse
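One way to act on the last of these suggestions, as an added example that is not part of the thread: relay permission keyed to the client's TLS certificate fingerprint, which a dynamic IP address does not affect. The file paths, the fingerprint value and the hostname comment are placeholders.

```conf
# /etc/postfix/main.cf (added example, not from the thread; paths are placeholders)
smtpd_tls_cert_file = /etc/postfix/server-cert.pem
smtpd_tls_key_file = /etc/postfix/server-key.pem
smtpd_tls_security_level = may
# Ask the client for a certificate; it must chain to a CA in smtpd_tls_CAfile
# (for a self-signed client certificate, put that certificate itself in the file).
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/client-ca.pem
# Match on a SHA-256 fingerprint (the Postfix 2.11 default digest is md5).
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    permit_sasl_authenticated
    reject_unauth_destination

# /etc/postfix/relay_clientcerts (run "postmap /etc/postfix/relay_clientcerts" after editing)
# key: certificate fingerprint as printed by
#   openssl x509 -noout -fingerprint -sha256 -in client-cert.pem
# value: ignored by Postfix, so use it as a comment naming the client
AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99 dynamic-client.example.test
```

The fingerprint above is a placeholder; replace it with the value printed for the client's real certificate.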


Re: Allow client hostname to relay mails.

2014-03-12 Thread li...@rhsoft.net
Am 12.03.2014 12:58, schrieb tejas sarade:
>> how should that be possible?
>> the hostname the client pretends?
>> how could you trust that?
>> how could you trust any hostname?
>> there is nothing else trustable than the connecting real IP
> 
> No. Not the hostname that client pretends, I am talking 
> about valid DNS A record through DNS lookup.

how do you imagine that
please read how DNS works

in case of a connecting IP you have no A-Record
A = translate name to IP and not the other way
PTR = IP to name and controlled by the DNS responsible for the network range

>> frankly you must not even make relay decisions based on a
>> static PTR because i can add any PTR i like in my own DNS
>> server which is authoritative for my in-addr.arpa zone
> 
> I am not running my own DNS server

does not matter, I do, and if I know what hostname you
like to see I greet you with that in EHLO and set my
PTR to that name

>> the same way nobody can stop you from making a valid PTR record
>> you like to see on your side to grant relay permissions
> 
> I just want to create an access control system where I will 
> provide the list of valid hostnames (FQDN). Postfix will look up 
> the IP of that FQDN through public DNS and consider that 
> IP as a trusted IP

that does not work - postfix can only query the PTR and at best
then verify that the PTR of an IP matches the A-record, but that
also means if doing so you must *always* make sure that your
dynamic IP becomes the correct in-addr.arpa PTR

please understand that you must not make relay decisions based
on hostnames - the only harmless decisions are rejects based
on that but never for opening a spam door



Re: Allow client hostname to relay mails.

2014-03-12 Thread tejas sarade
> how should that be possible?
> the hostname the client pretends?
> how could you trust that?
> how could you trust any hostname?
> there is nothing else trustable than the connecting real IP

No. Not the hostname that client pretends, I am talking about valid DNS A
record through DNS lookup.

>
> frankly you must not even make relay decisions based on a
> static PTR because i can add any PTR i like in my own DNS
> server which is authoritative for my in-addr.arpa zone

I am not running my own DNS server.

> the same way nobody can stop you from making a valid PTR record
> you like to see on your side to grant relay permissions

I just want to create an access control system where I will provide the
list of valid hostnames (FQDN).
Postfix will look up the IP of that FQDN through public DNS and consider
that IP as a trusted IP.


Re: Allow client hostname to relay mails.

2014-03-12 Thread li...@rhsoft.net

Am 12.03.2014 12:06, schrieb tejas sarade:
> I want to allow a machine with dynamic IP address but static hostname through 
> DynDNS.
> I know that hostname in smtpd_client_restrictions works only through reverse 
> DNS lookup.
> Is there any way, I can allow the client based on hostname which has dynamic 
> IP?

how should that be possible?
the hostname the client pretends?
how could you trust that?
how could you trust any hostname?
there is nothing else trustable than the connecting real IP

frankly you must not even make relay decisions based on a
static PTR because i can add any PTR i like in my own DNS
server which is authoritative for my in-addr.arpa zone

the same way nobody can stop you from making a valid PTR record
you like to see on your side to grant relay permissions


Allow client hostname to relay mails.

2014-03-12 Thread tejas sarade
Hello,

I want to allow a machine with dynamic IP address but static hostname
through DynDNS.
I know that hostname in smtpd_client_restrictions works only through reverse
DNS lookup.
Is there any way, I can allow the client based on hostname which has
dynamic IP?


Re: Directing delivery diagnostics with owner-alias

2014-03-12 Thread Eino Tuominen
On 11.3.2014, at 23.42, Eino Tuominen  wrote:

>  The listdelivery instance then expands the list using virtual(8), and then 
> sends the message back to the main postfix instance via relayhost = 
> [127.0.0.1]:10026. 

Just found a flaw in my line of thought. This doesn't work as expected as 
virtual(8) resolves the list recursively and nested mail lists will end up 
being sent with the envelope sender of the umbrella list. Well, I might as well 
let the python program deliver straight to list members, that will save me the 
administrative burden of the second postfix instance.

— 
  Eino Tuominen

Re: How to redirect one specific sender to one specific non-existent recipient?

2014-03-12 Thread Matthias Egger
Hello All

Thank you for all your replies. I will put my solution below (just in
case someone else stumbles over it).

On 03/04/2014 04:32 PM, Noel Jones wrote:
> However, you can do this with either a smtpd restriction class or
> with a policy server such as postfwd.
> http://www.postfix.org/RESTRICTION_CLASS_README.html
> http://www.postfix.org/SMTPD_POLICY_README.html
> http://postfwd.org/
Thank you for the hint Noel. I don't use postfwd right now so I did my
solution with the restriction class. It works as follows:

* In the first rule of my "smtpd_recipient_restrictions" I check for
the recipient  and if it matches I trigger the
"after_account_redirects" restriction class.
* In this restriction class I do a check against the sender twice and
finally (if my specified sender has not sent this message) reject the
mail with a "reject_unlisted_recipient".
* The first sender check makes sure that the email will be redirected to
the new address.
* The second sender check makes sure we accept this email. Without this
permit the mail gets redirected AND the sender receives a bounce that
the email could not be sent to the user "secretary" (which in fact does
not exist anymore).

/etc/postfix/main.cf
   # If set to yes we always reject the mails because the user does not
   # exist. But now you have to make sure you have defined the
   # reject_unlisted_recipient access restriction somewhere.
   smtpd_reject_unlisted_recipient = no

   smtpd_restriction_classes =
  [...]
  after_account_redirects

   after_account_redirects =
  # Depending on the sender define the redirection address
  check_sender_access hash:/etc/postfix/aaredirect_redirects
  # Then check again for the sender and permit the redirection
  check_sender_access hash:/etc/postfix/aaredirect_permits
  # Sender was not found? Reject and tell the user does not exist.
  reject_unlisted_recipient

   smtpd_recipient_restrictions =
  # Here we define recipients which should trigger the restriction
  # class. This could be a hash table but we use it also for some
  # other tests so it is a pcre.
  check_recipient_access pcre:/etc/postfix/recipient_redirects
  [...]
  reject_unlisted_recipient

/etc/postfix/recipient_redirects
   /secret...@ee.ethz.ch/  after_account_redirects

/etc/postfix/aaredirect_redirects
   sa...@software.tld  REDIRECT otheracco...@ee.ethz.ch

/etc/postfix/aaredirect_permits
   sa...@software.tld  permit

It works as intended, but I don't like the two lookups I have to do for
the same address. Maybe someone sees how I could do that better?

Best regards
Matthias

-- 
Matthias Egger
ETH Zurich
Department of Information Technology  maeg...@ee.ethz.ch
and Electrical Engineering
IT Support Group (ISG.EE), ETL/F/24.1 Phone +41 (0)44 632 03 90
Physikstrasse 3, CH-8092 Zurich   Fax   +41 (0)44 632 11 95