Question about Postfix Stress

2015-08-05 Thread Michael Peter
Hi,

I have set on Postfix that the max process for SMTPD is 10 using master.cf

So once simultaneous concurrent connections reached 10, Postfix started
STRESS behaviour

so the SMTPD is using the command stress=yes

Now after the connections dropped from 10 to 5, Postfix still handles
new connections with stress=yes although the current connections is 5 and
did not yet reach 10 again

So I understand from this behaviour that once stress behaviour is
activated by Postfix, it remains for some time (even if the current
process connections have decreased below the max process connections
limit).

My question is how long the stress behaviour continues to be
activated after the current process connections have decreased below the max
process connections limit

I have read the documentation and searched a lot but I couldn't find an
answer...

Thank you.

Michael Peter



Re: check_policy_service not working - need a 4eye method or..

2015-08-05 Thread Istvan Prosinger

On 2015-08-03 16:16, Viktor Dukhovni wrote:

On Mon, Aug 03, 2015 at 09:48:35AM -0400, Postfix User wrote:


On Mon, 03 Aug 2015 14:52:33 +0200, Istvan Prosinger stated:

 Yeah when I took the server for audit, Postfix was dead and couldn't
 start - the config file was (and still is) in a mess.

 Nevertheless, accepting SMTP is not the issue at this moment.
 The issue is that it seems to be disregarding the policy check.
 I have even precompiled it from source yesterday, thinking that it might
 be damaged, but no effect...

I assume you have read everything at
http://www.postfix.org/DEBUG_README.html#mail

Might I suggest you provide output from the postfinger tool. This can
be found at http://ftp.wl0.org/SOURCES/postfinger.


Also post the output of:

ps -o pid,command -p $(pgrep -x master)

along with the output of:

strings $command | grep /postfix

where $command is the full pathname of the master executable
reported running by ps.  If you can examine the process environment
via /proc or by other means, also report the value of the MAIL_CONFIG
environment variable of the master process.



Here goes:

[root@top ~]# ./postfinger
postfinger - postfix configuration on Wed Aug  5 02:41:25 MDT 2015
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public.  If this is the case it is your responsibility to modify
the output to hide this private information.  [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 3.0.2
hostname = top.tesspot.com
uname = Linux top.tesspot.com 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


--Packaging information--
looks like this postfix comes from RPM package: postfix-2.10.1-6.el7.x86_64


--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id  sleep 5

home_mailbox = Maildir/
inet_protocols = ipv4
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, top.tesspot.com

myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
smtp       inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil unix  -  

virtualdomains recipient_delimiter and catch-all troubles

2015-08-05 Thread Palica

Hi list,

I have a postfix server with virtualdomains delivery only. I use sqlite 
as db backend to lookup virtual aliases, domains and mailboxes.


relay_domains = sqlite:/etc/postfix/sqlite_relay_domain_maps.cf
relay_recipient_maps = sqlite:/etc/postfix/sqlite_relay_recipient_maps.cf

virtual_alias_maps = sqlite:/etc/postfix/sqlite_virtual_alias_maps.cf
virtual_mailbox_domains = sqlite:/etc/postfix/sqlite_virtual_domain_maps.cf
virtual_mailbox_maps = sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf


So here is my problem. I wanted to enable a catchall address for a 
virtualdomain to gather some spam to train my dspam. I used an address 
with recipient_delimiter to receive the messages (something like 
someone+s...@domain.tld). I like to use the recipient_delimiter 
addresses for other purposes as well, but when a lookup is made for 
someone+someth...@domain.tld (some...@domain.tld exists in the db) it 
finds only the catchall domain alias because of my query:


query = SELECT alias FROM alias WHERE address='%s' AND active='1' UNION 
ALL SELECT alias FROM alias WHERE address='@%d' AND active='1' AND NOT 
EXISTS (SELECT alias FROM alias WHERE address='%s' AND active='1' UNION 
ALL SELECT username FROM mailbox WHERE username='%s' AND active='1')


Is there a better way of doing this? Or do I have to somehow manipulate 
%s to remove +part where it exists? I could use some hints.


Thank you very much.

Palica


Re: Question about Postfix Stress

2015-08-05 Thread Wietse Venema
Michael Peter:
 Hi,
 
 I have set on Postfix that the max process for SMTPD is 10 using master.cf
 
 So once simultaneous concurrent connections reached 10, Postfix started
 STRESS behaviour
 
 so the SMTPD is using the command stress=yes
 
 Now after the connections dropped from 10 to 5, Postfix still handles
 new connections with stress=yes although the current connections is 5 and
 did not yet reach 10 again

stress=yes persists for some time, perhaps 1000s, to prevent
Postfix from logging tons of warnings as load fluctuates. Why does
it matter what the precise time is? Address the problem (why is the
limit reached?), not the symptom (short timeouts etc.).

Wietse


Re: tls_policy

2015-08-05 Thread Brad Chandler

On 2015-08-04 5:59 pm, Viktor Dukhovni wrote:

On Tue, Aug 04, 2015 at 05:04:20PM -0500, Brad Chandler wrote:

I would like to enforce smtp tls for a domain and all of its subdomains
except one. For example my tls_policy file would look something like this:


.example.com  encrypt
test.example.com  may

Will this work?


Mostly.  However, note that as written foo.test.example.com will
be subject to the encrypt policy and example.com will not.
Perhaps you want:

example.com        encrypt
.example.com       encrypt
test.example.com   may
.test.example.com  may


Is there a particular order the records should be in?


No, Postfix database files built via postmap(1) are indexed.  Order
requirements depend on the database type, not content semantics.

pcre, regexp, cidr, ... are order dependent
hash, btree, cdb, ... are not



Thank you! That worked great.
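
Added example, not part of the original thread and not Postfix code: a small Python model of the lookup behaviour described in the reply above (full next-hop name first, then each parent domain as a ".parent" key), run against both tls_policy tables from the thread. The function names and the "may" fallback, which stands in for the global smtp_tls_security_level, are assumptions.

```python
# Added illustration, not Postfix source code. Function names are hypothetical.
# The two tables are the ones quoted in the thread.
ORIGINAL = """
.example.com  encrypt
test.example.com  may
"""
SUGGESTED = """
example.com        encrypt
.example.com       encrypt
test.example.com   may
.test.example.com  may
"""

def parse_policy(text):
    """Build an indexed table (like hash/btree): record order is irrelevant."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1]
    return table

def lookup_keys(nexthop):
    """Keys tried in order: the full name, then each parent as '.parent'."""
    name = nexthop.lower()
    if name.startswith("[") or ":" in name:
        return [name]  # bracketed or host:port next-hops get one exact lookup
    labels = name.split(".")
    return [name] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]

def effective_level(table, nexthop, default="may"):
    """Return (level, matching key). 'default' stands in for the global
    smtp_tls_security_level and is an assumed value."""
    for key in lookup_keys(nexthop):
        if key in table:
            return table[key], key
    return default, None

if __name__ == "__main__":
    for host in ("example.com", "mail.example.com",
                 "test.example.com", "foo.test.example.com"):
        before = effective_level(parse_policy(ORIGINAL), host)
        after = effective_level(parse_policy(SUGGESTED), host)
        print(f"{host:22} original={before} suggested={after}")
```

Running it shows the two gaps in the first table: example.com itself falls through to the global default, and foo.test.example.com is caught by the .example.com encrypt entry.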