File count mismatch in spool directories

2015-03-23 Thread Shawn Heisey
I installed a monitor for the postfix queue directories to catch queue
buildup problems before they become critical and cause mail delays of
several hours.  We've had problems with sudden email storms from
misconfigured internal systems ... when you suddenly get 2 new
messages in the queue, whether they are deliverable or not, all email
gets significantly delayed.

The monitor counts files in the spool directories.  I noticed today that
the number of files in the spool directory doesn't agree with the
tool-level view of the mail queue.

Last line of mailq output:

-- 1375 Kbytes in 162 Requests.

Number of files in a couple of spool directories:

root@nexus1:~# find /var/spool/postfix/defer -type f | wc -l
711
root@nexus1:~# find /var/spool/postfix/deferred -type f | wc -l
162

I *think* that what I can do is gather the queue ID numbers for each of
those 162 messages shown by mailq, and use that to filter the list in
the deferred directory, then delete all the other files in that directory.

I would like to sanity check that with you guys.  Does that sound
reasonable?  Will the problem clear up on its own if I do nothing?

Thanks,
Shawn


Re: File count mismatch in spool directories

2015-03-23 Thread Viktor Dukhovni
On Mon, Mar 23, 2015 at 08:41:04AM -0600, Shawn Heisey wrote:

 root@nexus1:~# find /var/spool/postfix/defer -type f | wc -l
 711
 root@nexus1:~# find /var/spool/postfix/deferred -type f | wc -l
 162
 
 I *think* that what I can do is gather the queue ID numbers for each of
 those 162 messages shown by mailq, and use that to filter the list in
 the deferred directory, then delete all the other files in that directory.

Not while Postfix is running.  Because queue ids might be re-used
there is not a race-condition free way to do that, and you might
be deleting bounce logs for newly arrived messages that were not
yet deferred when you constructed the deferred message list.

 I would like to sanity check that with you guys.  Does that sound
 reasonable?  Will the problem clear up on its own if I do nothing?

The extra files are not a problem.  Don't count files in defer.

If you're using long queue-ids, and your clock is not prone to
moving backwards, you can automate removal of defer files that
are older than some reasonable multiple of the maximal_queue_lifetime.

With a queue lifetime of 5 days, removing long queue-id defer
files older than 30 days is likely safe.  Otherwise, you have to
stop Postfix and run postsuper -s.

-- 
Viktor.
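An added illustration of the ageing rule Viktor describes (example code, not his script and not part of Postfix): it lists defer logs whose file name is a long queue ID and whose file has not been written for a multiple of maximal_queue_lifetime. The spool path, the 5-day lifetime and the 30-day threshold come from the thread; the sample entries are constructed, and the script only prints candidates rather than deleting anything.

```python
import os
import time

# Short queue IDs are uppercase hex and get recycled, so they are never
# aged out here; any name outside that alphabet is treated as a long ID.
SHORT_ID_CHARS = frozenset("0123456789ABCDEF")

# Constructed sample input: (queue_id, mtime) pairs and a fixed "now"
# (late March 2015), so the function can be exercised without a spool.
SAMPLE_NOW = 1427000000
SAMPLE_ENTRIES = [
    ("3kXyz1Ab2zQr", SAMPLE_NOW - 40 * 86400),   # long ID, 40 days idle
    ("3kXyz1Ab2zQs", SAMPLE_NOW - 10 * 86400),   # long ID, 10 days idle
    ("A1B2C3D4E5", SAMPLE_NOW - 60 * 86400),     # short ID, never aged
]


def is_long_queue_id(name):
    """True for long (enable_long_queue_ids = yes) queue file names."""
    return bool(name) and not frozenset(name) <= SHORT_ID_CHARS


def stale_defer_files(entries, now, queue_lifetime_days=5, multiple=6):
    """Return sorted queue IDs whose defer log is a removal candidate.

    entries: (queue_id, mtime) pairs for files under defer/.
    A defer log's mtime is roughly the last time the bounce daemon wrote
    to it; 6 x maximal_queue_lifetime (5 days -> 30 days) is the margin
    from the thread.  Assumes the clock never moved backwards.
    """
    cutoff = now - multiple * queue_lifetime_days * 86400
    return sorted(qid for qid, mtime in entries
                  if is_long_queue_id(qid) and mtime < cutoff)


def scan_defer_dir(spool="/var/spool/postfix"):
    """Yield (queue_id, mtime) for every file in the hashed defer/ tree."""
    for dirpath, _dirs, files in os.walk(os.path.join(spool, "defer")):
        for name in files:
            yield name, os.stat(os.path.join(dirpath, name)).st_mtime


if __name__ == "__main__":
    # Dry run only: print the candidates; removal is the operator's call.
    for qid in stale_defer_files(scan_defer_dir(), time.time()):
        print(qid)
```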


Problem with smtpd_sasl_local_domain

2015-03-23 Thread Chris Adams
I'm setting up Postfix+Dovecot on CentOS 7 (prefer to use the
OS-provided versions, Postfix 2.10.1 and Dovecot 2.2.10).  I need to
handle SMTP AUTH for a couple of different domains where the customer
doesn't want to make their users change from username to
usern...@example.com.

I have tried doing this with different listeners on different IPs in
master.cf, like:

10.1.1.2:25 inet n - n - 150 smtpd
-o mydomain=example.com
-o mynetworks=$mynet,cidr:/etc/postfix/mynetworks-example.com
-o smtpd_sasl_local_domain=example.com

That did not work, because Postfix doesn't appear to do anything with
the realm, verified both by process tracing and looking at the source
code.  The Postfix Cyrus SASL code passes the realm, but the Postfix
Dovecot SASL code only references it in a log entry (this appears to be
the case even with the latest Postfix 3.1 snapshot).

Am I missing something?  Is there another way to do this?
-- 
Chris Adams c...@cmadams.net


Re: Add header with original IP?

2015-03-23 Thread Sebastian Nielsen
Can it be done without a policy service or milter? E.g. with some header 
checks? Or maybe a configuration option?


-Original Message- 
From: Noel Jones

Sent: Monday, March 23, 2015 7:57 PM
To: postfix-users@postfix.org
Subject: Re: Add header with original IP?

On 3/23/2015 1:20 PM, Sebastian Nielsen wrote:

How can I in postfix add a header with the original client IP (like
“X-Original-IP”), such that it cannot be forged, e.g. any incoming mail
will have such headers stripped out, before Postfix adds its own.

The intention of this header is to use it at a later processing step
for separating phishing mail from legit mail (using SPF), but the
check must be done after a heavy processing step for technical
reasons, thus I have to “save” the client IP in the header, then
process the mail through the heavy step, and then use the client IP
in authentication. For this reason, any such headers must be
stripped off first, so a fraudulent user cannot add one or more of
such a header to “forge” the SPF check.

Or is there some way in a milter/macro to “read” off the XFORWARD
ip? I'm currently using {client_addr} but is there any other macro
that would “display” the XFORWARD ip?
I saw another suggestion to use XCLIENT, but postfix smtp doesn't
support XCLIENT in client mode.



The client IP is already in the top-most Received: header added by
postfix.  Any header below that may be forged, but the top-most
Received: header is added by your system and cannot be forged.

If you want to add some extra header with that same IP, you'll need
to use a policy service with the PREPEND action.
http://www.postfix.org/SMTPD_POLICY_README.html



 -- Noel Jones 





Re: Add header with original IP?

2015-03-23 Thread Noel Jones
Not possible with header_checks.  A milter /should/ be able to do
this, but you'll have to do some research to find one.  Maybe
milter_regex is a possibility.



  -- Noel Jones



On 3/23/2015 2:03 PM, Sebastian Nielsen wrote:
 Can it be done without a policy service or milter? E.g. with some
 header checks? Or maybe a configuration option?
 
 -Original Message- From: Noel Jones
 Sent: Monday, March 23, 2015 7:57 PM
 To: postfix-users@postfix.org
 Subject: Re: Add header with original IP?
 
 On 3/23/2015 1:20 PM, Sebastian Nielsen wrote:
 How can I in postfix add a header with the original client IP (like
 “X-Original-IP”), such that it cannot be forged, e.g. any incoming mail
 will have such headers stripped out, before Postfix adds its own.

 The intention of this header is to use it at a later processing step
 for separating phishing mail from legit mail (using SPF), but the
 check must be done after a heavy processing step for technical
 reasons, thus I have to “save” the client IP in the header, then
 process the mail through the heavy step, and then use the client IP
 in authentication. For this reason, any such headers must be
 stripped off first, so a fraudulent user cannot add one or more of
 such a header to “forge” the SPF check.

 Or is there some way in a milter/macro to “read” off the XFORWARD
 ip? I'm currently using {client_addr} but is there any other macro
 that would “display” the XFORWARD ip?
 I saw another suggestion to use XCLIENT, but postfix smtp doesn't
 support XCLIENT in client mode.
 
 
 The client IP is already in the top-most Received: header added by
 postfix.  Any header below that may be forged, but the top-most
 Received: header is added by your system and cannot be forged.
 
 If you want to add some extra header with that same IP, you'll need
 to use a policy service with the PREPEND action.
 http://www.postfix.org/SMTPD_POLICY_README.html
 
 
 
  -- Noel Jones



virtual domains and hosting

2015-03-23 Thread Rafał Michalak
Hello, I have this situation:
on one server I have many domains; normally Postfix delivers email
directly locally, but when a user changes email hosting, the system still sends
emails to the old server (it doesn't check MX and delivers locally).
I read something about running two Postfix instances, but when I set it up I
get the same error message: Recipient address rejected: User unknown
in virtual mailbox table; (the user created a new account on the new server but
not on the old server).

What must I change in Postfix so that it checks MX and delivers directly,
without local prioritization?

Thanks for help


Add header with original IP?

2015-03-23 Thread Sebastian Nielsen
How can I in postfix add a header with the original client IP (like 
“X-Original-IP”), such that it cannot be forged, e.g. any incoming mail will have 
such headers stripped out, before Postfix adds its own.

The intention of this header is to use it at a later processing step for 
separating phishing mail from legit mail (using SPF), but the check must be 
done after a heavy processing step for technical reasons, thus I have to “save” 
the client IP in the header, then process the mail through the heavy step, and 
then use the client IP in authentication. For this reason, any such headers 
must be stripped off first, so a fraudulent user cannot add one or more of such 
a header to “forge” the SPF check.

Or is there some way in a milter/macro to “read” off the XFORWARD ip? I'm 
currently using {client_addr} but is there any other macro that would “display” 
the XFORWARD ip?
I saw another suggestion to use XCLIENT, but postfix smtp doesn't support 
XCLIENT in client mode.



Re: Add header with original IP?

2015-03-23 Thread Noel Jones
On 3/23/2015 1:20 PM, Sebastian Nielsen wrote:
 How can I in postfix add a header with the original client IP (like
 “X-Original-IP”), such that it cannot be forged, e.g. any incoming mail
 will have such headers stripped out, before Postfix adds its own.
  
 The intention of this header is to use it at a later processing step
 for separating phishing mail from legit mail (using SPF), but the
 check must be done after a heavy processing step for technical
 reasons, thus I have to “save” the client IP in the header, then
 process the mail through the heavy step, and then use the client IP
 in authentication. For this reason, any such headers must be
 stripped off first, so a fraudulent user cannot add one or more of
 such a header to “forge” the SPF check.
  
 Or is there some way in a milter/macro to “read” off the XFORWARD
 ip? I'm currently using {client_addr} but is there any other macro
 that would “display” the XFORWARD ip?
 I saw another suggestion to use XCLIENT, but postfix smtp doesn't
 support XCLIENT in client mode.


The client IP is already in the top-most Received: header added by
postfix.  Any header below that may be forged, but the top-most
Received: header is added by your system and cannot be forged.

If you want to add some extra header with that same IP, you'll need
to use a policy service with the PREPEND action.
http://www.postfix.org/SMTPD_POLICY_README.html



  -- Noel Jones
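An added illustration of Noel's point (example code, not from the thread and not part of Postfix): only the top-most Received: header, the one your own smtpd wrote, says anything trustworthy about the client, while everything below it, including any X-Original-IP: the sender chose to include, arrived as client data. The hostnames, addresses and the queue-ID placeholder in the sample message are constructed; the function refuses to answer unless that top header names your own host after "by".

```python
import re
from email import message_from_string

# Constructed sample.  The first Received: line was prepended by our own
# Postfix (mx.example.org); everything below it arrived from the client,
# including the bogus X-Original-IP: and a forged second Received: line.
SAMPLE_MESSAGE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
 by mx.example.org (Postfix) with ESMTP id QUEUEID-PLACEHOLDER
 for <user@example.org>; Mon, 23 Mar 2015 13:20:00 -0500
X-Original-IP: 203.0.113.5
Received: from trusted.example.org (trusted.example.org [203.0.113.5])
 by mail.sender.example (Postfix) with ESMTP id FORGED
From: someone@example.com
Subject: test

body
"""

BY_HOST_RE = re.compile(r"\bby\s+([^\s;(]+)", re.IGNORECASE)
BRACKETED_ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")


def client_ip_from_topmost_received(raw_message, my_hostname):
    """Return the client address recorded by our own MTA, or None.

    Only the first Received: header is consulted.  It must name
    my_hostname after 'by'; otherwise the message did not pass through
    us first and nothing in it can be trusted to identify the client.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())   # unfold continuation lines
    by = BY_HOST_RE.search(top)
    if by is None or by.group(1).lower() != my_hostname.lower():
        return None
    addr = BRACKETED_ADDR_RE.search(top)
    return addr.group(1) if addr else None


def client_supplied_header(raw_message, name):
    """Headers such as X-Original-IP: that arrive with the message are
    client data, not evidence; return them so they can be compared."""
    return message_from_string(raw_message).get_all(name) or []
```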


Re: virtual domains and hosting

2015-03-23 Thread Wietse Venema
Rafał Michalak:
 Hello, I have this situation:
 on one server I have many domains; normally Postfix delivers email
 directly locally, but when a user changes email hosting, the system still sends
 emails to the old server (it doesn't check MX and delivers locally).
 I read something about running two Postfix instances, but when I set it up I
 get the same error message: Recipient address rejected: User unknown
 in virtual mailbox table; (the user created a new account on the new server but
 not on the old server).
 
 What must I change in Postfix so that it checks MX and delivers directly,
 without local prioritization?

We can suggest configuration changes, when provided with the 
present configuration. Otherwise, you will have to make
crystal balls available.

http://www.postfix.org/DEBUG_README.html#mail

Wietse


Re: Problem with smtpd_sasl_local_domain

2015-03-23 Thread Wietse Venema
Chris Adams:
 I'm setting up Postfix+Dovecot on CentOS 7 (prefer to use the
 OS-provided versions, Postfix 2.10.1 and Dovecot 2.2.10).  I need to
 handle SMTP AUTH for a couple of different domains where the customer
 doesn't want to make their users change from username to
 usern...@example.com.
 
 I have tried doing this with different listeners on different IPs in
 master.cf, like:
 
 10.1.1.2:25 inet n - n - 150 smtpd
 -o mydomain=example.com
 -o mynetworks=$mynet,cidr:/etc/postfix/mynetworks-example.com
 -o smtpd_sasl_local_domain=example.com
 
 That did not work, because Postfix doesn't appear to do anything with
 the realm, verified both by process tracing and looking at the source
 code.  The Postfix Cyrus SASL code passes the realm, but the Postfix
 Dovecot SASL code only references it in a log entry (this appears to be
 the case even with the latest Postfix 3.1 snapshot).

You mean: Dovecot SASL logs but otherwise ignores the realm? In
that case, the question is better asked on the Dovecot mailing list.

Wietse


Re: Add header with original IP?

2015-03-23 Thread Sebastian Nielsen
Thanks, works perfectly now. It now adds a header. I did a parsing check in 
my milter which takes the From: header and X-AntiPhishing-IP: header, 
feeds it into the SPF engine and off we go :-)
I also did an anti-forgery check, so if it detects duplicate or no 
X-AntiPhishing-IP headers, or a non-existent/invalid From: address, it will 
set the SPF engine to output an invalid-authentication-data header.
Thus I can reliably detect if someone is attempting to circumvent the SPF 
check, and thus I can mark the mail as a guaranteed forgery.


-Original Message- 
From: Wietse Venema

Sent: Tuesday, March 24, 2015 12:33 AM
To: Postfix users
Subject: Re: Add header with original IP?

Sebastian Nielsen:

Can it be done without a policy service or milter? E.g. with some header
checks? Or maybe a configuration option?


If it is not possible to use the address in Postfix's own Received:
header, you can copy the client IP address into a header with a
pcre or regexp table.

For example:

/etc/postfix/main.cf
   smtpd_client_restrictions = pcre:/etc/postfix/prepend-client.pcre

/etc/postfix/prepend-client.pcre:
   /^([0-9a-f:.]+)$/ prepend X-Client-Addr: $1

This syntax is also supported with regexp tables.

smtpd_client_restrictions uses the client IP address that is used
for SMTP server access control. It does not use the forwarded IP
address which is used for logging only.

Wietse 





Re: Add header with original IP?

2015-03-23 Thread Wietse Venema
Sebastian Nielsen:
 Can it be done without a policy service or milter? E.g. with some header 
 checks? Or maybe a configuration option?

If it is not possible to use the address in Postfix's own Received:
header, you can copy the client IP address into a header with a
pcre or regexp table.

For example:

/etc/postfix/main.cf
smtpd_client_restrictions = pcre:/etc/postfix/prepend-client.pcre

/etc/postfix/prepend-client.pcre:
/^([0-9a-f:.]+)$/   prepend X-Client-Addr: $1

This syntax is also supported with regexp tables.

smtpd_client_restrictions uses the client IP address that is used
for SMTP server access control. It does not use the forwarded IP
address which is used for logging only.

Wietse