Virtual Domain Hosting integrated with GNU Mailman

[Jeremy Bowen]

First up, please see the output from "postconf -n"  appended below.

I have just had to quickly rebuild a failed server and get it back into 
production. I have got basic
functionality up and running but I've had to reconstruct the configuration as 
backups were incomplete
(yeah I know!) It is now mostly working but there are some problems with my 
virtual domain config.

For example:
I am hosting the domains alpha.co.zz & bravo.co.zz on myhost.sierra.co.zz (not 
the real names)
I have the following email accounts:
al...@alpha.co.zz
b...@bravo.co.zz
s...@sierra.co.zz

I also have a Mailman mailing list - "myl...@mailman.co.zz"
I have Mailman setup to create /var/lib/mailman/data/virtual-mailman which is 
included in virtual_alias_maps
There are various Unix user accounts on the server also.

It is supposed to be configured as  per "Non-Postfix mailbox store: separate 
domains, non-UNIX accounts"
from the VIRTUAL_README documentation but I had some issues with Mailman 
integration which I think
resulted from virtual_mailbox_maps so it is not precisely as described.

In my /etc/postfix/virtual file I have:
s...@sierra.co.zzsam
al...@alpha.co.zzalice
b...@bravo.co.zzrobert

Local email delivery is handled by LMTP via Cyrus-Imapd using mailbox_transport 
and virtual_transport.
Email to b...@bravo.co.zz is delivered to the "robert" mailbox in 
/var/spool/imap/b/user/robert
Email to s...@sierra.co.zz is delivered to the "sam" mailbox in 
/var/spool/imap/s/user/sam  etc.

The problem is that email addressed to s...@alpha.co.zz is also delivered to 
Sam's mailbox.
Similarly al...@bravo.co.zz is delivered to Alice's mailbox regardless of the 
domain part.

The Mailman config is working OK in that  I can create new mailing lists, add 
subscribers etc. and mail
sent to the address gets processed correctly. However mail sent to 
myl...@sierra.co.zz is also processed
by Mailman.

Currently there are no collisions in the name part of the email address but 
this is obviously not what I
ultimately want. I've put this configuration together in a bit of a rush and 
the server is currently
processing mail.
There are no obvious error messages in the log.
I'm sure that in the stress of getting things back online I'm missing something 
simple, possibly related
to virtual_mailbox_maps, but I'm not sure what to set here so that Mailman 
updates things automatically.

Could you please take a look at my settings and suggest where to look.
Thanks in advance.


[/etc/postfix]# /usr/sbin/postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtp_tls_key_file = /etc/postfix/ssl/newkey.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_helo_restrictions = permit_mynetworks,reject_non_fqdn_helo_hostname,  
 
reject_invalid_helo_hostname,permit
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_pipelining,   
permit_sasl_authenticated,reject_unauth_destination,
reject_non_fqdn_sender,   
reject_non_fqdn_recipient,reject_unknown_sender_domain,   
reject_unknown_recipient_domain,reject_unverified_recipient,
check_sender_access
hash:/etc/postfix/sender_access,reject_rbl_client zen.spamhaus.org, 
   reject_rbl_client
bl.spamcop.net,permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,
reject_rhsbl_sender
dsn.rfc-ignorant.org,permit
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/newkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipie

Multiple results from same dnsbl

[Uffe Jakobsen]

Hi,

DNSBL zen.spamhaus.org used from postscreen are returning multiple 
results from one query (it is a combination of other spamhaus dnsbl lists)


With multiple results returned from a query (no result filter applied) 
the hit still counts as a one (1) positive hit (which gets multiplied by 
the weight).


Is this the intended behaviour ?

One could argue that multiple results from a query should count the 
number of hits


Kind regards Uffe

On DKIM and Content-Transfer-Encoding

[Mauricio Tavares]

  This email is mostly about understanding what is going on, how
the process works than whether my install of postfix is working
properly or the MUA is lying. In fact, I am using ssmtp to send the
email to postfix because I want to make my test as simple as possible
(avoid "helpful" MUAs adding stuff to the email). So, let's say I
create simple email:

raub@desktop:~$ cat 8bit_test
Subject: 8bit test
Content-Transfer-Encoding: 8bit

Text with umlauts here

raub@desktop:~$

It only has two headers (the From: header is added when I actually
send email) and a single line in the body, which has a few 8bit
characters. I am using ssmtp to send the above email to my postfix
server,

ssmtp -v r...@domain.com < 8bit_test

which is setup to do DKIM and announces that supports the following

250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

What I have noticed is that it will fail DKIM, and then will change
the Content-Transfer-Encoding: header to quoted-printable. Now, if I
submit the same email setting

Content-Transfer-Encoding: quoted-printable

it passes DKIM test. So, what is the 8bit encoding here anyway and how
it compared to quoted-printable? From
http://tools.ietf.org/html/rfc2045#page-14, it seems that
quoted-printable converts the body to something 7bit can deal with (or
at least the MTA will see that header and do the convertion). What
about 8bit? Is it not translated? Or, is it expected to be fed in some
kind of (mime) encoded format (hence the 8bitmime) so the MTA does not
touch it (hence the mime processing controls mentioned in
http://www.postfix.org/cleanup.8.html)?

Re: Multiple results from same dnsbl

[Wietse Venema]

Uffe Jakobsen:
> DNSBL zen.spamhaus.org used from postscreen are returning multiple 
> results from one query (it is a combination of other spamhaus dnsbl lists)
> 
> With multiple results returned from a query (no result filter applied) 
> the hit still counts as a one (1) positive hit (which gets multiplied by 
> the weight).
> 
> Is this the intended behaviour ?

Yes. Suppose that one DNSBL starts to send replies with twice as
many IP addresses after they change to finer-grained lists.  I don't
want them to get twice the weight just because they present the
same information in a different manner.

For me, a spambot on a compromised system (XBL) on a network not
listed in PBL is no better or worse than a spambot on compromised
system (XBL) on a residential network that is listed in PBL.

> One could argue that multiple results from a query should count the 
> number of hits

If you want to count each response, then you can configure an
explicit filter for each response.

Wietse

Re: On DKIM and Content-Transfer-Encoding

[Wietse Venema]

Mauricio Tavares:
>   This email is mostly about understanding what is going on, how
> the process works than whether my install of postfix is working
> properly or the MUA is lying. In fact, I am using ssmtp to send the
> email to postfix because I want to make my test as simple as possible
> (avoid "helpful" MUAs adding stuff to the email). So, let's say I
> create simple email:
> 
> raub@desktop:~$ cat 8bit_test
> Subject: 8bit test
> Content-Transfer-Encoding: 8bit
> 
> Text with umlauts here

This email requires a MIME-Version header. Otherwise it is
not valid MIME.

> raub@desktop:~$
> 
> It only has two headers (the From: header is added when I actually
> send email) and a single line in the body, which has a few 8bit
> characters. I am using ssmtp to send the above email to my postfix
> server,
> 
> ssmtp -v r...@domain.com < 8bit_test
> 
> which is setup to do DKIM and announces that supports the following
> 
> 250-PIPELINING
> 250-SIZE
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

If the client sends 8BITMIME, then it MUST issue the 8BITMIME keyword
on the MAIL FROM command line. Otherwise, behavior is undefined
(i.e. different systems may handle this in different ways).

> What I have noticed is that it will fail DKIM, and then will change
> the Content-Transfer-Encoding: header to quoted-printable. Now, if I

As required by the MIME RFCs, an MTA must either bounce mail or
convert it to quoted-printable when it needs to deliver 8BITMIME
mail to an SMTP server that does not announce 8BITMIME support.

DKIM signatures of 8BITMIME mail may break unless all SMTP servers
in the path implement and announce 8BITMIME support. Otherwise, it
is better to down-convert to quoted-printable before DKIM signing.

Wietse

postscreen_dnsbl_sites load list to memory from external file

[Uffe Jakobsen]

Hi,

Feature request:

It would be nice if the "postscreen_dnsbl_sites" list could be loaded 
into memory (once - upon start/reload) from an external file - that 
doesn't seem to be possible right now - or am I wrong ?


/Uffe

Re: postscreen_dnsbl_sites load list to memory from external file

[Viktor Dukhovni]

On Tue, Jun 24, 2014 at 05:55:47PM +0200, Uffe Jakobsen wrote:

> Feature request:
> 
> It would be nice if the "postscreen_dnsbl_sites" list could be loaded into
> memory (once - upon start/reload) from an external file - that doesn't seem
> to be possible right now - or am I wrong ?

# cd /etc/postfix; make; postfix reload

The make(1) command updates main.cf from an external file.

-- 
Viktor.

Re: postscreen_dnsbl_sites load list to memory from external file

[Uffe Jakobsen]

On 2014-06-24 18:06, Viktor Dukhovni wrote:

On Tue, Jun 24, 2014 at 05:55:47PM +0200, Uffe Jakobsen wrote:


Feature request:

It would be nice if the "postscreen_dnsbl_sites" list could be loaded into
memory (once - upon start/reload) from an external file - that doesn't seem
to be possible right now - or am I wrong ?


 # cd /etc/postfix; make; postfix reload

The make(1) command updates main.cf from an external file.



Your installation or platform must be differeent from mine (FreeBSD) - I 
have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/ 
config dir.


But it was not was I was looking for - because for various reasons the 
userid that writes the dnsbl sites file has no permissions to write 
main.cf nor realod postfix.


/Uffe

Re: postscreen_dnsbl_sites load list to memory from external file

[Wietse Venema]

Uffe Jakobsen:
> Your installation or platform must be differeent from mine (FreeBSD) - I 
> have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/ 
> config dir.

The idea is that you to create that Makefile.

> But it was not was I was looking for - because for various reasons the 
> userid that writes the dnsbl sites file has no permissions to write 
> main.cf nor realod postfix.

Including data from an non-root account into main.cf is not supported.
Anyone who can change main.cf can also elevate privileges to root.

Wietse

Re: postscreen_dnsbl_sites load list to memory from external file

[Viktor Dukhovni]

On Tue, Jun 24, 2014 at 12:35:15PM -0400, Wietse Venema wrote:
> Uffe Jakobsen:
> > Your installation or platform must be differeent from mine (FreeBSD) - I 
> > have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/ 
> > config dir.
> 
> The idea is that you to create that Makefile.

That Makefile can validate the safety of the externally sourced data,
and update main.cf.

> > But it was not was I was looking for - because for various reasons the 
> > userid that writes the dnsbl sites file has no permissions to write 
> > main.cf nor realod postfix.

But root (the account that actually performs the reload) can update
main.cf.

-- 
Viktor.

Re: postscreen_dnsbl_sites load list to memory from external file

[li...@rhsoft.net]

Am 24.06.2014 18:41, schrieb Viktor Dukhovni:
> On Tue, Jun 24, 2014 at 12:35:15PM -0400, Wietse Venema wrote:
>> Uffe Jakobsen:
>>> Your installation or platform must be differeent from mine (FreeBSD) - I 
>>> have no Makefile, GNUmakefile or BSDmakefile in /usr/local/etc/postfix/ 
>>> config dir.
>>
>> The idea is that you to create that Makefile.
> 
> That Makefile can validate the safety of the externally sourced data,
> and update main.cf.
> 
>>> But it was not was I was looking for - because for various reasons the 
>>> userid that writes the dnsbl sites file has no permissions to write 
>>> main.cf nor realod postfix.
> 
> But root (the account that actually performs the reload) can update
> main.cf.

IMHO all answers bypass the question which was not to list the
configured blacklists in an external file - some blacklists offer
to download / rsync the complete list data into a local file and
so no DNS requests needed

Re: postscreen_dnsbl_sites load list to memory from external file

[Uffe Jakobsen]

On 2014-06-24 18:35, Wietse Venema wrote:



But it was not was I was looking for - because for various reasons the
userid that writes the dnsbl sites file has no permissions to write
main.cf nor realod postfix.


Including data from an non-root account into main.cf is not supported.
Anyone who can change main.cf can also elevate privileges to root.



Agree - I did never mean to suggest to include any file (externally 
owned, potentially unsafe or not) into main.cf.


What I was suggesting was that main.cf should instruct postfix to fetch 
the dnsbl list from an external file - in my mind this is not the same 
as to include anothoer file into main.cf


Disclaimer - I have very little knowledge (read: ~0) of the inner 
working details of postfix and its configuration file and safety mechanisms.


/Uffe

Re: postscreen_dnsbl_sites load list to memory from external file

[Wietse Venema]

Uffe Jakobsen:
> 
> On 2014-06-24 18:35, Wietse Venema wrote:
> >
> >> But it was not was I was looking for - because for various reasons the
> >> userid that writes the dnsbl sites file has no permissions to write
> >> main.cf nor realod postfix.
> >
> > Including data from an non-root account into main.cf is not supported.
> > Anyone who can change main.cf can also elevate privileges to root.
> 
> Agree - I did never mean to suggest to include any file (externally 
> owned, potentially unsafe or not) into main.cf.
> 
> What I was suggesting was that main.cf should instruct postfix to fetch 
> the dnsbl list from an external file - in my mind this is not the same 
> as to include anothoer file into main.cf

The lists of DNSBL/DNSWL sites in postscreen_dsbl_sites is not
supposed to change all the time. It is supposed to be a limited
number of sites that you trust. Postscreen performance depends on
the slowest DNSBL service.

Wietse

maximal_queue_lifetime customized for 1 domain

[Douglas Mortensen]

Is there a way to set a maximal_queue_lifetime value customized/specific for 1 
recipient email domain?

I have 1 client who uses our spam filtering service & is constantly clogging up 
my queues because they frequently have users whose mailbox is full (reached 
quota). These produce a deferral and leave the messages in my queue until the 
maximal_queue_lifetime expires.

If I had a way to give their domain a shorter maximal_queue_lifetime, it would 
help me out, and possibly motivate them to fix this problem on their end.

Any help would be appreciated.

Sincerely,
-
Doug Mortensen
Network Consultant
Impala Networks Inc
CCNA, MCSA, Security+, A+
Linux+, Network+, Server+
A.A.S. Information Technology
.
www.impalanetworks.com
P: (505) 327-7300
F: (505) 327-7545

Re: maximal_queue_lifetime customized for 1 domain

[li...@rhsoft.net]

Am 24.06.2014 21:18, schrieb Douglas Mortensen:
> Is there a way to set a maximal_queue_lifetime value customized/specific for 
> 1 recipient email domain?
> 
> I have 1 client who uses our spam filtering service & is constantly clogging 
> up my queues because they frequently have users whose mailbox is full 
> (reached quota). These produce a deferral and leave the messages in my queue 
> until the maximal_queue_lifetime expires.
> 
> If I had a way to give their domain a shorter maximal_queue_lifetime, it 
> would help me out, and possibly motivate them to fix this problem on their end

you dig on the wrong side
if they defer in case of full quota they could fix that and reject

in case of dbmail you have "quota_failure = hard" to do that
so not your problem as delivering MTA, don't try to solve
problems you ar enot creating!

RE: maximal_queue_lifetime customized for 1 domain

[Douglas Mortensen]

I realize it's not my problem. And the fact is that I really don't have control 
over the end-users' email servers either. So there's nothing I can do about it 
from the end of the server that is causing the problem. However if there is a 
way that I can actually manipulate the behavior a bit on my end (my postfix 
spam filter/relay), then I'd like to.

Do you know of any way that we can modify the maximal_queue_lifetime just for 1 
recipient domain name?

Thanks,
-
Doug Mortensen
Network Consultant
Impala Networks
P: 505.327.7300

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of li...@rhsoft.net
Sent: Tuesday, June 24, 2014 1:27 PM
To: postfix-users@postfix.org
Subject: Re: maximal_queue_lifetime customized for 1 domain



Am 24.06.2014 21:18, schrieb Douglas Mortensen:
> Is there a way to set a maximal_queue_lifetime value customized/specific for 
> 1 recipient email domain?
> 
> I have 1 client who uses our spam filtering service & is constantly clogging 
> up my queues because they frequently have users whose mailbox is full 
> (reached quota). These produce a deferral and leave the messages in my queue 
> until the maximal_queue_lifetime expires.
> 
> If I had a way to give their domain a shorter maximal_queue_lifetime, 
> it would help me out, and possibly motivate them to fix this problem 
> on their end

you dig on the wrong side
if they defer in case of full quota they could fix that and reject

in case of dbmail you have "quota_failure = hard" to do that so not your 
problem as delivering MTA, don't try to solve problems you ar enot creating!

Re: maximal_queue_lifetime customized for 1 domain

[Viktor Dukhovni]

On Tue, Jun 24, 2014 at 01:18:43PM -0600, Douglas Mortensen wrote:

> Is there a way to set a maximal_queue_lifetime value customized/specific
> for 1 recipient email domain?

Only by routing mail for that domain to an intermediate queue
(separate Postfix instance) where the queue lifetime is different.

Queue lifetime is a message property, not a recipient property.
When the message expires, all remaining recipients are bounced
together.  This avoids a common path for bounce amplification.

-- 
Viktor.

RE: maximal_queue_lifetime customized for 1 domain

[Douglas Mortensen]

OK. So I could use my master.cf to create an instance with the -o flag to add 
the appropriate override configuration I want, correct? Then I could put that 
on a separate public IP address and have our client redirect their MX record to 
the new address. Does this sound like a correct way to do it?

Thanks,
-
Doug Mortensen
Network Consultant
Impala Networks
P: 505.327.7300

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Viktor Dukhovni
Sent: Tuesday, June 24, 2014 2:04 PM
To: postfix-users@postfix.org
Subject: Re: maximal_queue_lifetime customized for 1 domain

On Tue, Jun 24, 2014 at 01:18:43PM -0600, Douglas Mortensen wrote:

> Is there a way to set a maximal_queue_lifetime value 
> customized/specific for 1 recipient email domain?

Only by routing mail for that domain to an intermediate queue (separate Postfix 
instance) where the queue lifetime is different.

Queue lifetime is a message property, not a recipient property.
When the message expires, all remaining recipients are bounced together.  This 
avoids a common path for bounce amplification.

-- 
Viktor.

Re: maximal_queue_lifetime customized for 1 domain

[Viktor Dukhovni]

On Tue, Jun 24, 2014 at 02:21:30PM -0600, Douglas Mortensen wrote:

> OK. So I could use my master.cf to create an instance with the
> -o flag to add the appropriate override configuration I want,
> correct?

No, that's not a separate Postfix instance.

http://www.postfix.org/MULTI_INSTANCE_README.html

or route to a dedicated (virtual) machine.

> Then I could put that on a separate public IP address and
> have our client redirect their MX record to the new address. Does
> this sound like a correct way to do it?

No, that's not a separate instance.  A separate instance has its
main.cf and master.cf file, its own queue_directory, ...

-- 
Viktor.

logging when message_size_limit is exceeded

[btb]

hi-

when message_size_limit is exceeded, i see the following logs:

Jun 24 11:20:21 mta postfix/postscreen[5758]: CONNECT from 
[173.201.193.182]:45771 to [10.3.70.5]:25
Jun 24 11:20:21 mta postfix/postscreen[5758]: PASS OLD [173.201.193.182]:45771
Jun 24 11:20:21 mta postfix/smtpd[7066]: connect from 
p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]
Jun 24 11:20:21 mta postfix/smtpd[7066]: NOQUEUE: reject: MAIL from 
p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]: 552 5.3.4 Message 
size exceeds fixed limit; proto=ESMTP 
helo=
Jun 24 11:21:21 mta postfix/smtpd[7066]: disconnect from 
p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]

can this event be correlated with the envelope sender and recipient[s]?  it 
would be a helpful detail in the process of associating reports from end users 
with this event.

-ben

Limit number of deliveries for pipe delivery

[Julian Mehnle]

Hi all!

I have a transport "foo" defined in master.cf that delivers messages via a pipe 
command.  In an edge case Postfix is receiving messages with multiple 
recipients (multiple RCPT TO commands).  I'm looking for a way to have such 
messages delivered to the pipe command only once, period, not once per 
recipient.

At first I thought I could just set foo_destination_recipient_limit = 1 in 
main.cf (per 
),
 but it turns out this has no effect on pipe deliveries, as the pipe command 
seems to *always* be invoked once per recipient anyway.  Is this correct?

Is there a way to have a pipe command be invoked only once per message?

-Julian

Re: logging when message_size_limit is exceeded

[Wietse Venema]

btb:
> Jun 24 11:20:21 mta postfix/postscreen[5758]: CONNECT from 
> [173.201.193.182]:45771 to [10.3.70.5]:25
> Jun 24 11:20:21 mta postfix/postscreen[5758]: PASS OLD [173.201.193.182]:45771
> Jun 24 11:20:21 mta postfix/smtpd[7066]: connect from 
> p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]
> Jun 24 11:20:21 mta postfix/smtpd[7066]: NOQUEUE: reject: MAIL from 
> p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]: 552 5.3.4 
> Message size exceeds fixed limit; proto=ESMTP 
> helo=
> Jun 24 11:21:21 mta postfix/smtpd[7066]: disconnect from 
> p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]
> 
> can this event be correlated with the envelope sender and recipient[s]?
> it would be a helpful detail in the process of associating reports
> from end users with this event.

There is no sender and there is no recipient. Postfix rejects the
MAIL FROM command.

In fact, a smart client would have hung up before even sending the
MAIL FROM command. Postfix announces the SIZE limit in the EHLO
response. All you'd see in the logfile are a connect and disconnect.

Wietse

Re: Limit number of deliveries for pipe delivery

[Wietse Venema]

Julian Mehnle:
> Hi all!
> 
> I have a transport "foo" defined in master.cf that delivers messages
> via a pipe command.  In an edge case Postfix is receiving messages
> with multiple recipients (multiple RCPT TO commands).  I'm looking
> for a way to have such messages delivered to the pipe command only
> once, period, not once per recipient.

That is exactly what Postfix does by default, without any tweaking
of destination recipient settings.

Wietse

When milter (opendkim) is behind a proxy/relay, how to give it the original client IP?

[Thomas R.]

Hello,

OpenDKIM bases its decision whether mail can be signed on, among other 
things, the connecting IP.  However this only works if there has been no 
SMTP relay or proxy prior to the mail reaching the milter.  If there has 
been, OpenDKIM sees the IP address of the relay/proxy and treats it as 
"trusted".  This leads to it signing some incoming mail (if the From: 
has been forged to use my domain name).


My setup for incoming smtpd mail currently has proxsmtp acting as an 
SMTP proxy - this scans mail using bogofilter.


Setup:

Incoming mail -> postfix (25) -> proxsmtp (10025) -> postfix 
(10026) + opendkim milter -> cleanup, queue, etc.


XFORWARD is verified to be working through proxsmtp - this is confirmed 
in the log files which show Postfix giving the correct "orig_client" 
value right through to queuing.  I have verified that OpenDKIM is basing 
its decision to sign based on the client IP being 127.0.0.1 (it's coming 
from the proxy).


Questions:

1. When Postfix sends the {client_addr} macro to the milter, is that 
the originating client from XFORWARD?  Can it send that?


2. If not, is there any other way to provide a macro to the milter, 
that contains the originating client ID from XFORWARD?


3. Is there an alternative solution to my problem that does not involve 
removing the SMTP proxy, or using Amavisd-milter (I'm on low memory)?


Surely people who use secondary MX servers encounter this same issue, 
because the secondary MX relays to the first and OpenDKIM would see its 
IP address instead of the connecting client?

Re: logging when message_size_limit is exceeded

[btb]

On Jun 24, 2014, at 19.35, Wietse Venema  wrote:

> btb:
>> Jun 24 11:20:21 mta postfix/postscreen[5758]: CONNECT from 
>> [173.201.193.182]:45771 to [10.3.70.5]:25
>> Jun 24 11:20:21 mta postfix/postscreen[5758]: PASS OLD 
>> [173.201.193.182]:45771
>> Jun 24 11:20:21 mta postfix/smtpd[7066]: connect from 
>> p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]
>> Jun 24 11:20:21 mta postfix/smtpd[7066]: NOQUEUE: reject: MAIL from 
>> p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]: 552 5.3.4 
>> Message size exceeds fixed limit; proto=ESMTP 
>> helo=
>> Jun 24 11:21:21 mta postfix/smtpd[7066]: disconnect from 
>> p3plsmtp18-01-2.prod.phx3.secureserver.net[173.201.193.182]
>> 
>> can this event be correlated with the envelope sender and recipient[s]?
>> it would be a helpful detail in the process of associating reports
>> from end users with this event.
> 
> There is no sender and there is no recipient. Postfix rejects the
> MAIL FROM command.

thanks for this.  i wrongly assumed this event occurred after 
message_size_limit bytes had been transmitted.  i’ve read rfc 1870 and i think 
i better understand this now.  iiuc, given that the client supplies SIZE=N as a 
parameter to MAIL FROM, while rejected, is the attempted sender at least 
potentially known, and could perhaps be logged?  in that same vein, thinking 
about the spirit of smtpd_delay_reject - while i understand rejecting mail 
based on size is not an smtpd_*_restriction, could the same logic/rationale be 
applied - to allow postfix to log those additional details?

> In fact, a smart client would have hung up before even sending the
> MAIL FROM command. Postfix announces the SIZE limit in the EHLO
> response. All you'd see in the logfile are a connect and disconnect.

yes, it sadly seems uninterested in the announced SIZE limit.  it seems ironic 
now too, given that it’s using the MAIL FROM SIZE parameter.  i noticed the 60 
second delay before disconnecting, after it’s rejected, and wondered if the not 
so smart client is left confused when the rejection occurs prior to RCPT TO, 
and if honoring smtpd_delay_reject might be helpful in encouraging it to not 
sit idle, as the documentation alludes to.  of course, it could just be 
connection caching?  i can test some more and see if that client’s behavior 
differs when rejected after RCPT TO, which i guess would answer that question.

making some assumptions about the validity of my above comments, could i 
propose a setting to allow size rejections to wait until after RCPT TO?  i 
think the documentation might look like this:

smtpd_delay_size_reject (default: no)

Wait until the RCPT TO command before enforcing $message_size_limit.

This feature is turned off by default for backwards compatibility.

Like $smtpd_delay_reject turning on this setting has one major benefit: it 
allows Postfix to log recipient address information when rejecting a client 
name/address or sender address, so that it is possible to find out whose mail 
is being rejected.

-ben