FILTER and transport_maps
Hi,

Our outbound servers send out mails through different IPs and this is done as follows (postconf -n output: https://gist.github.com/clement1289/2dfeea7b7625aee4a637 ).

    smtpd_end_of_data_restrictions = check_sender_access pgsql:/etc/postfix/random-transports.cf
    # which will return FILTER outbound1:

and master.cf has each of the transports defined as below.

    outbound1 unix - - n - - smtp
        -o smtp_bind_address=1.2.3.4
        -o syslog_name=postfix-outbound1

One of the remote domains, domain.com, has 4 MX records with priority 5, 10, 15 and 20. The MX server with priority 10 has some configuration issues and wasn't accepting the mails. Though the MX with priority 5 is accepting mails normally, our mailq is full of deferred mails trying to connect to the MX server with priority 10.

We planned on adding a transport_maps entry

    domain.com smtp:[mx_with_priority_5.mydomain.com]

but since we use FILTER to send out mails through different IPs, the transport_maps wasn't considered during delivery.

Why was postfix trying MX with priority 10? Is there any way to specify transport_maps to clear the mails in queue?

Regards,
Clement
Re: FILTER and transport_maps
As documented, FILTER takes precedence over transport_maps.

Wietse
Re: FILTER and transport_maps
On 8/28/2014 3:24 AM, Clement Thomas wrote:
> Hi,
>
> Our outbound servers send out mails through different IPs and this is done as follows (postconf -n output: https://gist.github.com/clement1289/2dfeea7b7625aee4a637 ).
>
>     smtpd_end_of_data_restrictions = check_sender_access pgsql:/etc/postfix/random-transports.cf
>     # which will return FILTER outbound1:
>
> and master.cf has each of the transports defined as below.
>
>     outbound1 unix - - n - - smtp
>         -o smtp_bind_address=1.2.3.4
>         -o syslog_name=postfix-outbound1
>
> One of the remote domains, domain.com, has 4 MX records with priority 5, 10, 15 and 20. The MX server with priority 10 has some configuration issues and wasn't accepting the mails. Though the MX with priority 5 is accepting mails normally, our mailq is full of deferred mails trying to connect to the MX server with priority 10.

Only the LAST failure is noted in the mailq. To find errors connecting to lower numbered MX hosts, search the maillog for prior smtp connection warnings. Note the QUEUEID is not included on those warnings, you must search for the smtp process.

  -- Noel Jones

> We planned on adding a transport_maps entry
>
>     domain.com smtp:[mx_with_priority_5.mydomain.com]
>
> but since we use FILTER to send out mails through different IPs, the transport_maps wasn't considered during delivery.
>
> Why was postfix trying MX with priority 10? Is there any way to specify transport_maps to clear the mails in queue?
>
> Regards,
> Clement
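Added example, not part of the thread and not Postfix code: a Python script for the search Noel describes, collecting the connection failures that an smtp process logged without a queue ID before it recorded a deferred status for a message. The log lines are constructed, and the "connect to host[ip]:port: error" layout of the earlier lines is an assumption about the maillog format.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt: hosts, PIDs and queue IDs are made up.
SAMPLE_LOG = """\
Aug 28 03:10:01 out1 postfix-outbound1/smtp[4242]: connect to mx5.example.net[192.0.2.5]:25: Connection timed out
Aug 28 03:10:02 out1 postfix-outbound1/smtp[4250]: 7C1D2E0A11: to=<b@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 28 03:10:31 out1 postfix-outbound1/smtp[4242]: 5B0A41C0F3: to=<a@example.net>, relay=none, delay=3600, dsn=4.4.1, status=deferred (connect to mx10.example.net[192.0.2.10]:25: Connection refused)
"""

# "<syslog_name>/smtp[pid]: message"; smtpd is excluded by the literal "[".
PROC = re.compile(r"\s(?P<svc>\S+/smtp)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Connection failure, logged without a queue ID (assumed layout).
CONNECT = re.compile(r"connect to (?P<host>[^\[\s]+)\[[^\]]+\]:\d+: (?P<err>.+)$")
# Per-recipient delivery status line, which does carry the queue ID.
STATUS = re.compile(r"(?P<qid>[0-9A-Za-z]+): to=<[^>]*>.*?\bstatus=(?P<status>\w+)")


def earlier_connect_failures(lines):
    """Map queue ID -> [(host, error), ...] logged by the same smtp process
    before it recorded a deferred status for that message."""
    pending = defaultdict(list)   # (service, pid) -> failures awaiting a status line
    found = defaultdict(list)
    for line in lines:
        proc = PROC.search(line)
        if not proc:
            continue
        key = (proc["svc"], proc["pid"])
        conn = CONNECT.match(proc["msg"])
        if conn:
            pending[key].append((conn["host"], conn["err"]))
            continue
        stat = STATUS.match(proc["msg"])
        if stat:
            failures = pending.pop(key, [])   # reset for the next delivery
            if stat["status"] == "deferred":
                found[stat["qid"]].extend(failures)
    return dict(found)


if __name__ == "__main__":
    for qid, failures in earlier_connect_failures(SAMPLE_LOG.splitlines()).items():
        for host, err in failures:
            print(f"{qid}: earlier failure at {host}: {err}")
```

On the constructed sample, the deferred status line names only the priority-10 host, while the function also surfaces the earlier timeout at the priority-5 host.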
Relay loop
Hello.

I'm trying to enable SRS for external aliases, but not for intra-cluster communication (mailboxes are split on different hosts, and mails are forwarded to the right one if they come by another node).

I disabled virtual_alias_maps in the general smtpd, and I've added a map in transport_maps which matches to-be-rewritten mails that relay on 127.0.0.1:27

    transport_maps = ldap:/etc/postfix/ldap-relay-transport.cf,
        ldap:/etc/postfix/ldap-trash.cf,
        ldap:/etc/postfix/ldap-virtual-transport.cf,
        ldap:/etc/postfix/ldap-local-transport.cf

/etc/postfix/ldap-relay-transport.cf:

    query_filter = (&(|(mail=%s)(mailAlternateAddress=%s))(accountStatus=active)(deliveryMode=forwardonly))
    result_attribute = mailForwardingAddress
    result_format = lrelay:[127.0.0.1]:27

I defined a smtpd on :27 like this:

    27 inet n - - - - smtpd
        -o syslog_name=postfix/relay
        -o virtual_alias_maps=ldap:/etc/postfix/ldap-virtual-relay.cf
        -o transport_maps=fail:
        -o smtpd_milters=
        -o smtpd_client_restrictions=permit_inet_interfaces,reject
        -o sender_canonical_maps=tcp:127.0.0.1:10001

The ldap-virtual-relay.cf was working when it was in the general smtpd process:

    query_filter = (&(|(mail=%s)(mailAlternateAddress=%s))(accountStatus=active)(deliveryMode=forwardonly))
    result_attribute = mailForwardingAddress

Mails for an account that matches deliveryMode=forwardonly are sent to 127.0.0.1:27, but there they are not rewritten to their alias, but sent to 127.0.0.1:27 again. After a few loops they're discarded (too many hops).

I've got a complete log here: http://paste.ee/p/QbkZ8#ahdqK3ELR5wygvQIXkEUDznBQeAKR51K

Do you have hints for me to solve this?

Thanks,
--
Bastien
configuring autoreply on a relay?
Hello list-

Our Postfix instance is set up as a relay for our Exchange server. It utilizes anti-spam and anti-virus measures such as postscreen, clamav, and sanesecurity sigs.

We want to send out an autoreply for each incoming email addressed to a specific email address listed in the relay_recipient table. I've located an appropriate vacation.pl script at https://github.com/valkum/postfixadmin/blob/cdcccddbe2e1d6758cd63899e7b8973156f1412a/VIRTUAL_VACATION/vacation.pl which could be modified for our situation (no need to reinvent the wheel).

I'm looking for a trigger that will fire off an autoreply message when it has detected an incoming email that is addressed to a specific email address in the relay_recipient table.

Every autoreply posting I've seen on the Internet deals with local users using virtual addresses. But I am unable to find any information on how I can do this in a relay configuration. I looked at milters and unfortunately I cannot seem to identify one that would work in our case. PostfixAdmin seems to be overkill for a mail relay.

Does anyone know how this can be accomplished?

~Doug
Problem about STATTLS and TLS
Hi,

How do you do. I set up a mail system with centos-postfix-dovecot. I can send mail with STARTTLS in port 25, but SSL/TLS (port 993) doesn't work. This is the related configuration in main.cf:

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_tls_security_level = encrypt
    smtpd_tls_loglevel = 4
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/postfix/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/postfix/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining

    [root@centos postfix]# netstat -ln |more
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address   Foreign Address   State
    tcp        0      0 0.0.0.0:143     0.0.0.0:*         LISTEN
    tcp        0      0 0.0.0.0:25      0.0.0.0:*         LISTEN
    tcp        0      0 0.0.0.0:993     0.0.0.0:*         LISTEN
    tcp        0      0 :::25           :::*              LISTEN

Can anyone tell me what's wrong with my system? By the way, there is INPUT OUTPUT ACCEPT in iptables.

--
*Leon Wei*
Guangzhou, China
E-mail: leon...@mail.kingdest.com
Re: Problem about STATTLS and TLS
On 28.08.2014 at 21:16, Leon Wei wrote:
> I set up a mail system with centos-postfix-dovecot. I can send mail with STARTTLS in port 25, but SSL/TLS (port 993) doesn't work.

how is 993 related to SMTP or postfix?

993 is IMAP over SSL and your daemon listening on the port is most likely not a SMTP server

SMTP over SSL is 465 and needs to be enabled in *master.cf* with -o smtpd_tls_wrappermode=yes which *must* not be enabled for STARTTLS ports

    465 inet n - n - 60 smtpd
        -o smtpd_client_connection_count_limit=15
        -o smtpd_client_connection_rate_limit=80
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_delay_reject=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_relay_restrictions=
        -o smtpd_tls_wrappermode=yes
        -o max_idle=1800
        -o max_use=500
        -o syslog_name=postfix/smtps
Re: configuring autoreply on a relay?
Doug Sampson:
> Hello list-
>
> Our Postfix instance is set up as a relay for our Exchange server. It utilizes anti-spam and anti-virus measures such as postscreen, clamav, and sanesecurity sigs.
>
> We want to send out an autoreply for each incoming email addressed to a specific email address listed in the relay_recipient table. I've located an appropriate vacation.pl script at https://github.com/valkum/postfixadmin/blob/cdcccddbe2e1d6758cd63899e7b8973156f1412a/VIRTUAL_VACATION/vacation.pl which could be modified for our situation (no need to reinvent the wheel).
>
> I'm looking for a trigger that will fire off an autoreply message when it has detected an incoming email that is addressed to a specific email address in the relay_recipient table.
>
> Every autoreply posting I've seen on the Internet deals with local users using virtual addresses. But I am unable to find any information on how I can do this in a relay configuration. I looked at milters and unfortunately I cannot seem to identify one that would work in our case. PostfixAdmin seems to be overkill for a mail relay.

As described in vacation.pl's INSTALL.TXT file, set up a virtual_alias_maps (NOT: virtual_alias_domains) entry such that e.g. mail to bi...@goat.com will be delivered to

    bi...@goat.com
AND
    billy#goat@autoreply.goat.com

I.e. a virtual alias mapping

    bi...@goat.com - bi...@goat.com, billy#goat@autoreply.goat.com

and follow instructions to deliver billy#goat@autoreply.goat.com to the vacation.pl script.

Wietse
Re: Problem about STATTLS and TLS
On 2014/8/29 3:26, li...@rhsoft.net wrote:
> On 28.08.2014 at 21:16, Leon Wei wrote:
>> I set up a mail system with centos-postfix-dovecot. I can send mail with STARTTLS in port 25, but SSL/TLS (port 993) doesn't work.
>
> how is 993 related to SMTP or postfix?
>
> 993 is IMAP over SSL and your daemon listening on the port is most likely not a SMTP server

Sorry, I wrote a wrong port number, in fact the SSL/TLS port should be 465.

> SMTP over SSL is 465 and needs to be enabled in *master.cf* with -o smtpd_tls_wrappermode=yes which *must* not be enabled for STARTTLS ports
>
>     465 inet n - n - 60 smtpd
>         -o smtpd_client_connection_count_limit=15
>         -o smtpd_client_connection_rate_limit=80
>         -o smtpd_sasl_auth_enable=yes
>         -o smtpd_delay_reject=yes
>         -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>         -o smtpd_relay_restrictions=
>         -o smtpd_tls_wrappermode=yes
>         -o max_idle=1800
>         -o max_use=500
>         -o syslog_name=postfix/smtps

By your suggestion, I have fixed the problem. The SSL/TLS port is listening on 465 and working well now. Thanks for your help!

--
*Leon Wei*
Guangzhou, China
E-mail: leon...@mail.kingdest.com
Re: pflogsum don't count postscreen rejects
On Mon, 25 Aug 2014 16:12:12 +0200 li...@rhsoft.net li...@rhsoft.net wrote:
> Aug 25 14:55:15 mail-gw postfix/postscreen[29302]: NOQUEUE: reject: RCPT from [119.75.11.68]:53210: 550 5.7.1 Service unavailable; client [119.75.11.68] blocked using *; from=, to=mik...@outlook.it, proto=ESMTP, helo=jchzfsrgvu
>
> pflogsumm doesn't count postscreen RBL rejects
> already using pflogsumm-1.1.5.tar.gz Beta
> sadly mailgraph and logwatch also hide them :-(

Send me a log file snippet big enough to generate meaningful stats and I'll look at adding it. I haven't used postscreen, yet, so I haven't the data. (Nor, that being the case, have I seen the need.)

I've got some other things people have sent me I need to look to. I suppose it's about time pflogsumm got some attention.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at http://jimsun.LinxNet.com/contact/scform.php.
Re: Positive DSN if delay_warning_time is reached?
Florian Pritz:
> Hi,
>
> I've currently set delay_warning_time = 4h and maximal_queue_lifetime = 5d, which are nice values and all, but if I get a delay DSN I'd like to know sooner than after 5 days if the mail went through.
>
> I can't seem to find an option that sends me a positive DSN for delayed mail, is there one? If not, is this something you'd consider implementing?

I think that this can be implemented without a significant amount of code. Thus, it is likely to work correctly.

First, when the queue manager selects a message for delivery, it needs to find out that a delayed DSN was sent for that message. That is easy. Each Postfix queue file either contains no delay warning record, or it contains a delay warning record with a time value that says when to send a delayed warning. A zero time value means that the delayed warning was already sent.

Once the queue manager sees that the delayed DSN was already sent, it sets a new NOTIFY flag for all subsequent delivery attempts. That new flag is almost like the standard NOTIFY=SUCCESS flag, except that this flag is not sent to a remote SMTP server. Instead, the Postfix SMTP client reports a relayed status. Other Postfix delivery agents will treat this new flag as the standard NOTIFY=SUCCESS flag, and report a delivered status.

Wietse
Re: pflogsum don't count postscreen rejects
On 29.08.2014 at 01:57, Jim Seymour wrote:
> On Mon, 25 Aug 2014 16:12:12 +0200 li...@rhsoft.net li...@rhsoft.net wrote:
>> Aug 25 14:55:15 mail-gw postfix/postscreen[29302]: NOQUEUE: reject: RCPT from [119.75.11.68]:53210: 550 5.7.1 Service unavailable; client [119.75.11.68] blocked using *; from=, to=mik...@outlook.it, proto=ESMTP, helo=jchzfsrgvu
>>
>> pflogsumm doesn't count postscreen RBL rejects
>> already using pflogsumm-1.1.5.tar.gz Beta
>> sadly mailgraph and logwatch also hide them
>
> Send me a log file snippet big enough to generate meaningful stats and I'll look at adding it. I haven't used postscreen, yet, so I haven't the data. (Nor, that being the case, have I seen the need.)
>
> I've got some other things people have sent me I need to look to. I suppose it's about time pflogsumm got some attention

attached - IMHO it's only the processname

i have a perl script from 2006 producing those stats below which really surprised me

    dnsbl.thelounge.net      8
    dul.dnsbl.sorbs.net      7
    =
    Total DNSBL rejections: 15

Aug 27 11:29:04 mail-gw postfix/postscreen[10987]: NOQUEUE: reject: RCPT from [80.34.231.21]:56383: 550 5.7.1 Service unavailable; client [80.34.231.21] blocked using b.barracudacentral.org; from=har...@camping-pembrokeshire.co.uk, to=ha...@rhsoft.net, proto=ESMTP, helo=21.Red-80-34-231.staticIP.rima-tde.net
Aug 27 12:07:15 mail-gw postfix/postscreen[12188]: NOQUEUE: reject: RCPT from [24.245.39.231]:53536: 550 5.7.1 Service unavailable; client [24.245.39.231] blocked using dul.dnsbl.sorbs.net; from=harr...@comcast.net, to=ha...@rhsoft.net, proto=ESMTP, helo=c-24-245-39-231.hsd1.mn.comcast.net
Aug 27 12:41:35 mail-gw postfix/postscreen[12188]: NOQUEUE: reject: RCPT from [201.9.92.1]:50306: 550 5.7.1 Service unavailable; client [201.9.92.1] blocked using dul.dnsbl.sorbs.net; from=harry5...@veloxzone.com.br, to=ha...@rhsoft.net, proto=ESMTP, helo=201-9-92-1.user.veloxzone.com.br
Aug 27 13:12:26 mail-gw postfix/postscreen[12188]: NOQUEUE: reject: RCPT from [50.167.251.44]:4759: 550 5.7.1 Service unavailable; client [50.167.251.44] blocked using dnsbl.inps.de; from=harry9...@comcast.net, to=ha...@rhsoft.net, proto=ESMTP, helo=c-50-167-251-44.hsd1.ga.comcast.net
Aug 27 13:42:34 mail-gw postfix/postscreen[16261]: NOQUEUE: reject: RCPT from [190.217.149.212]:53304: 550 5.7.1 Service unavailable; client [190.217.149.212] blocked using dnsbl.inps.de; from=harry...@180atm.com, to=ha...@rhsoft.net, proto=ESMTP, helo=[190.217.149.212]
Aug 27 14:11:44 mail-gw postfix/postscreen[16261]: NOQUEUE: reject: RCPT from [187.6.120.163]:62488: 550 5.7.1 Service unavailable; client [187.6.120.163] blocked using b.barracudacentral.org; from=har...@pantherstabilizers.com, to=ha...@rhsoft.net, proto=ESMTP, helo=[187.6.120.163]
Aug 27 15:19:22 mail-gw postfix/postscreen[17394]: NOQUEUE: reject: RCPT from [89.216.29.231]:2506: 550 5.7.1 Service unavailable; client [89.216.29.231] blocked using b.barracudacentral.org; from=harry1...@static.sbb.rs, to=ha...@rhsoft.net, proto=ESMTP, helo=cable-89-216-29-231.static.sbb.rs
Aug 27 16:06:00 mail-gw postfix/postscreen[17394]: NOQUEUE: reject: RCPT from [85.255.174.115]:2623: 550 5.7.1 Service unavailable; client [85.255.174.115] blocked using b.barracudacentral.org; from=har...@thehomegrownfamily.com, to=ha...@rhsoft.net, proto=ESMTP, helo=[85.255.174.115]
Aug 27 16:40:31 mail-gw postfix/postscreen[19126]: NOQUEUE: reject: RCPT from [151.232.62.178]:63234: 550 5.7.1 Service unavailable; client [151.232.62.178] blocked using b.barracudacentral.org; from=harr...@groix-et-nature.com, to=ha...@rhsoft.net, proto=ESMTP, helo=[151.232.62.178]
Aug 27 17:09:45 mail-gw postfix/postscreen[19126]: NOQUEUE: reject: RCPT from [190.41.141.147]:28781: 550 5.7.1 Service unavailable; client [190.41.141.147] blocked using dnsbl.inps.de; from=harry...@intellispacesoftware.com, to=ha...@rhsoft.net, proto=ESMTP, helo=[190.41.141.147]
Aug 27 17:37:02 mail-gw postfix/postscreen[19126]: NOQUEUE: reject: RCPT from [91.136.144.208]:55992: 550 5.7.1 Service unavailable; client [91.136.144.208] blocked using dnsbl.inps.de; from=harry3...@ahw.ch, to=ha...@rhsoft.net, proto=ESMTP, helo=[91.136.144.208]
Aug 27 18:03:31 mail-gw postfix/postscreen[19126]: NOQUEUE: reject: RCPT from [31.10.31.106]:21141: 550 5.7.1 Service unavailable; client [31.10.31.106] blocked using b.barracudacentral.org; from=harry2...@priscovans.ca, to=ha...@rhsoft.net, proto=ESMTP, helo=[31.10.31.106]
Aug 27 18:29:35 mail-gw postfix/postscreen[19126]: NOQUEUE: reject: RCPT from [217.216.2.121]:61485: 550 5.7.1 Service unavailable; client [217.216.2.121] blocked using dul.dnsbl.sorbs.net; from=harr...@ono.com, to=ha...@rhsoft.net, proto=ESMTP, helo=217.216.2.121.dyn.user.ono.com
Aug 27 18:55:10 mail-gw postfix/postscreen[21435]: NOQUEUE: reject: RCPT from [209.252.182.194]:4102: 550 5.7.1 Service unavailable; client [209.252.182.194]
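Added example, not part of the thread and not pflogsumm code: a Python counter for DNSBL rejects that accepts the postscreen reject format quoted above as well as smtpd rejects, so blocks made at postscreen still appear in the totals. The sample lines are constructed (documentation addresses), and the smtpd line layout is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Aug 27 11:29:03 mail-gw postfix/postscreen[10987]: CONNECT from [192.0.2.21]:56383 to [198.51.100.1]:25
Aug 27 11:29:04 mail-gw postfix/postscreen[10987]: NOQUEUE: reject: RCPT from [192.0.2.21]:56383: 550 5.7.1 Service unavailable; client [192.0.2.21] blocked using b.barracudacentral.org; from=<a@example.com>, to=<x@example.org>, proto=ESMTP, helo=<h1.example.com>
Aug 27 12:07:15 mail-gw postfix/postscreen[12188]: NOQUEUE: reject: RCPT from [192.0.2.44]:53536: 550 5.7.1 Service unavailable; client [192.0.2.44] blocked using dul.dnsbl.sorbs.net; from=<b@example.com>, to=<x@example.org>, proto=ESMTP, helo=<h2.example.com>
Aug 27 12:41:35 mail-gw postfix/postscreen[12188]: NOQUEUE: reject: RCPT from [192.0.2.44]:50306: 550 5.7.1 Service unavailable; client [192.0.2.44] blocked using dul.dnsbl.sorbs.net; from=<c@example.com>, to=<x@example.org>, proto=ESMTP, helo=<h2.example.com>
Aug 27 13:02:10 mail-gw postfix/smtpd[13001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using b.barracudacentral.org; from=<d@example.com> to=<x@example.org> proto=ESMTP helo=<h3.example.com>
Aug 27 13:05:00 mail-gw postfix/smtpd[13001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.7.1 <h3.example.com>: Helo command rejected: Host not found; from=<d@example.com> to=<x@example.org> proto=ESMTP helo=<h3.example.com>
"""

# postscreen logs "[ip]:port", smtpd logs "name[ip]"; both end in "blocked using <list>;".
REJECT = re.compile(
    r"\s\S+/(?P<daemon>postscreen|smtpd)\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S*?\[(?P<client>[^\]]+)\](?::\d+)?: (?P<code>\d{3}) "
    r".*?blocked using (?P<dnsbl>[^;\s]+);"
)


def dnsbl_rejects(lines):
    """Return (per-DNSBL counts, per-daemon counts, distinct client IPs)."""
    per_list, per_daemon, clients = Counter(), Counter(), set()
    for line in lines:
        m = REJECT.search(line)
        if m is None:
            continue   # CONNECT lines, non-DNSBL rejects, other daemons
        per_list[m["dnsbl"]] += 1
        per_daemon[m["daemon"]] += 1
        clients.add(m["client"])
    return per_list, per_daemon, clients


def report(per_list):
    """Format the counts as a per-list summary with a total line."""
    rows = [f"{name:<28}{count:>5}" for name, count in per_list.most_common()]
    rows.append(f"Total DNSBL rejections: {sum(per_list.values())}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(dnsbl_rejects(SAMPLE_LOG.splitlines())[0]))
```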
Re: pflogsum don't count postscreen rejects
Jim Seymour:
> Send me a log file snippet big enough to generate meaningful stats and I'll look at adding it.

I have 3.5 years of maillog lying around. I'll try to dig up a sample of each postscreen logging record.

Wietse