SOLVED: Re: relay access denied by relayhost, but I have permit_mynetworks
Hello /dev/rob0,

Yup, this seems to have been it. Thanks very much for your eyes.

On 05/25/2016 03:34 PM, /dev/rob0 wrote:
> 50.250.218.164 is not in 50.250.218.0/28 ... not in $mynetworks

-- 
David Benfell, Ph.D.
benf...@parts-unknown.org

signature.asc
Description: OpenPGP digital signature
Re: relay access denied by relayhost, but I have permit_mynetworks
On Wed, May 25, 2016 at 02:43:09PM -0700, David Benfell wrote:
> I'm getting relay access denied when my main web server attempts to
> relay mail through my main mail server to outside domains. The web
> server also functions as a secondary MX (and this seems to work).
>
> Here is the main mail server configuration:
>
> [root@home ~]# postconf -nf

A lot of junk in there, but I won't comment on that stuff for now.

> mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16,
> 50.250.218.0/28, [2001:470:67:119::]/64
->^^^
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> defer_unauth_destination
>
> Here is the configuration on the web server:
>
> relayhost = mail.parts-unknown.org

(That means it does a MX lookup first for "mail.parts-unknown.org"
before falling back to A/.)

> smtp_bind_address = 50.250.218.164
>
> A sample log entry on the web server (with email address obscured):
>
> May 25 07:52:18 vegan postfix/smtp[33049]: 17457F040DA9:
> to=, relay=mail.parts-unknown.org[50.250.218.162]:25,
> delay=241020, delays=241020/0.04/0.59/0.02, dsn=4.7.1, status=deferred
> (host mail.parts-unknown.org[50.250.218.162] said: 454 4.7.1
> : Relay access denied (in reply to RCPT TO command))
>
> The corresponding entry on the mail server:
>
> May 25 07:52:18 home postfix/smtpd[55825]: NOQUEUE: reject: RCPT from
> unknown[50.250.218.164]: 454 4.7.1 : Relay access
> denied; from= to=
> proto=ESMTP helo=
>
> What other information do I need to supply? What is wrong?

50.250.218.164 is not in 50.250.218.0/28 ... not in $mynetworks
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
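The diagnosis above comes down to a CIDR membership test. This added example (not code from the thread) runs that test with the standard library against the mynetworks value from the mail server's postconf output; it handles only literal address/prefix entries, not hostnames or cidr:/hash: table references.

```python
import ipaddress

# mynetworks exactly as printed by postconf -nf on the mail server above.
MYNETWORKS = ("127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16, "
              "50.250.218.0/28, [2001:470:67:119::]/64")

def parse_mynetworks(value):
    """Turn a literal mynetworks list into ip_network objects.

    Postfix writes IPv6 networks as [addr]/prefix; the ipaddress module
    wants addr/prefix. Entries may be separated by commas and/or spaces.
    """
    nets = []
    for item in value.replace(",", " ").split():
        addr, _, prefix = item.partition("/")
        addr = addr.strip("[]")
        spec = addr + "/" + prefix if prefix else addr
        # strict=False tolerates host bits set in the network part.
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def matching_network(client_ip, value=MYNETWORKS):
    """First network in $mynetworks that contains client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for net in parse_mynetworks(value):
        if ip in net:
            return str(net)
    return None

def covering_network(client_ip, prefixlen):
    """The /prefixlen block that actually contains client_ip (for comparison)."""
    return str(ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False))

if __name__ == "__main__":
    # The client IP from the reject line, the mail server's own bind
    # address, and two hosts inside listed networks.
    for ip in ("50.250.218.164", "50.250.218.162", "10.8.0.1", "2001:470:67:119::4"):
        print(f"{ip:>20} -> {matching_network(ip)}")
    block = ipaddress.ip_network("50.250.218.0/28")
    print("50.250.218.0/28 covers", block.network_address, "to", block.broadcast_address)
    print("the /28 containing 50.250.218.164 is", covering_network("50.250.218.164", 28))
```

Note that the mail server's own bind address 50.250.218.162 falls outside that /28 as well.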
Re: ot: pre emptive throttling/limiting ?
On Wed, May 25, 2016 at 08:18:23PM +1000, Voytek wrote:
> I have a small server with several domains, always worry some dumb users'
> account will get hacked and start spamming (including this dumb user,
> like, my own forgotten test account got hacked)
>
> is it a good idea to put some limits or throttling 'just in case' ?

Yes, it is always a good idea to have message send limits 'just in case'.

I use policyd2 and give users the ability to send 200 messages per hour
and 500 messages per 24 hours. 99.9% of my users are okay with those
limits and I haven't been blacklisted since. The next 0.09% of users
are okay with me resetting their counters once or twice per year when
they send out class reunion mailings or some other rare legitimate mass
mailing.

My brother used his account from a hotspot once and got compromised. So
yes, I run the limits even on my personal mail server where I trust
everyone.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lamb...@lambertfam.org
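The limits described above (200/hour, 500/24h per login, with a manual reset) can be enforced by any check_policy_service server. This added example (not policyd2 and not from the thread) is a minimal in-memory version that reads the attribute=value request format of the Postfix SMTPD policy protocol; the sample request is constructed.

```python
import time
from collections import defaultdict, deque

# Per-user limits as described above: (window in seconds, max messages).
LIMITS = ((3600, 200), (86400, 500))

def parse_request(text):
    """Parse one SMTPD policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class SendQuota:
    """Sliding-window send counters keyed by SASL login name."""
    def __init__(self, limits=LIMITS, clock=time.time):
        self.limits = limits
        self.clock = clock                 # injectable for testing
        self.sent = defaultdict(deque)     # sasl_username -> send timestamps

    def reset(self, user):
        """Clear a user's counters (the manual reset for a legitimate mass mailing)."""
        self.sent.pop(user, None)

    def check(self, request):
        """Return the policy reply line for one parsed request (one per RCPT TO)."""
        user = request.get("sasl_username")
        # Only authenticated submissions at the RCPT stage are counted.
        if request.get("protocol_state") != "RCPT" or not user:
            return "action=DUNNO"
        now = self.clock()
        stamps = self.sent[user]
        while stamps and stamps[0] <= now - max(w for w, _ in self.limits):
            stamps.popleft()               # drop timestamps outside every window
        for window, cap in self.limits:
            if sum(1 for t in stamps if t > now - window) >= cap:
                return (f"action=DEFER_IF_PERMIT 4.7.1 Send limit reached for {user}: "
                        f"{cap} messages per {window // 3600} hour(s)")
        stamps.append(now)
        return "action=DUNNO"

# Constructed request, in the shape Postfix sends for check_policy_service.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "sasl_username=alice\nsender=alice@example.org\n"
                  "recipient=bob@example.net\n\n")

if __name__ == "__main__":
    quota, req = SendQuota(), parse_request(SAMPLE_REQUEST)
    replies = [quota.check(req) for _ in range(201)]
    print(replies[0], "...", replies[-1])
```

On the wire each reply line must be followed by an empty line, and a real server would persist the counters rather than keep them in memory.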
relay access denied by relayhost, but I have permit_mynetworks
Hi all,

I'm getting relay access denied when my main web server attempts to
relay mail through my main mail server to outside domains. The web
server also functions as a secondary MX (and this seems to work).

Here is the main mail server configuration:

[root@home ~]# postconf -nf
address_verify_map = btree:$data_directory/verify_cache
alias_database = $alias_maps
alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 >$config_directory/$process_name.$process_id.log & sleep 5
fast_flush_domains = $relay_domains
header_checks = pcre:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = 127.0.0.1, [::1], 10.8.0.1, 50.250.218.162, [2001:470:67:119::4]
inet_protocols = ipv4, ipv6
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
local_destination_concurrency_limit = 2
mail_owner = postfix
mailbox_command_maps = hash:/usr/local/etc/postfix/mailbox_commands
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = localhost, localhost.$mydomain, cybernude.org, mail.cybernude.org, munich.cybernude.org, vegan.cybernude.org, www.cybernude.org, disunitedstates.com, mail.disunitedstates.com, munich.disunitedstates.com, vegan.disunitedstates.com, www.disunitedstates.com, disunitedstates.org, mail.disunitedstates.org, munich.disunitedstates.org, vegan.disunitedstates.org, www.disunitedstates.org, greybeard95a.com, mail.greybeard95a.com, munich.greybeard95a.com, vegan.greybeard95a.com, www.greybeard95a.com, n4rky.me, mail.n4rky.me, munich.n4rky.me, vegan.n4rky.me, www.n4rky.me, parts-unknown.org, mail.parts-unknown.org, munich.parts-unknown.org, www.parts-unknown.org, vegan.parts-unknown.org, n4rky.parts-unknown.org, carolb.parts-unknown.org, home.parts-unknown.org, humansci.org, home.humansci.org, mail.humansci.org, vegan.humansci.org, www.humansci.org, humanscience.institute, home.humanscience.institute, mail.humanscience.institute, vegan.humanscience.institute, www.humanscience.institute, reykjavik.parts-unknown.org, reykjavik2.parts-unknown.org
mydomain = parts-unknown.org
myhostname = mail.parts-unknown.org
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16, 50.250.218.0/28, [2001:470:67:119::]/64
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = enforce
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
queue_run_delay = 200s
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 50.250.218.162
smtp_tls_ciphers = medium
smtp_tls_key_file = /var/www/ssl/home-2015-03-23/privateKey.key
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls = yes
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
smtpd_command_filter = pcre:/etc/postfix/append_verp.pcre
smtpd_peername_lookup = no
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_sender_access hash:/etc/postfix/sender_access,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net,check_policy_service unix:private/spf-policy
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_optio
Re: postfix / dovecot / virtual_mailbox_maps regex
On Wed, May 25, 2016 at 10:56:36PM +0200, Dirk wrote:

> > What kind of mappings happen in that regexp table? Sure you can have
> > the mail delivered to some maildir or other, but how are users able
> > to read the mail? Presumably dovecot still needs to know about
> > the mailboxes created by virtual(8) so it can grant access to them
> > to suitably authenticated users via IMAP.
>
> /.*\.d...@x.domain1.com/ x.domains1.com/dirk/
>
> This is kind of my own "spamgourmet.com" implementation where I can give
> email addresses on the fly to any "webpage".
> Everything is delivered to one maildir.
>
> > > But now I would like to use sieve with dovecot.
> >
> > For both domains? Or just one of them?
>
> Ideally both.
>
> >> Therefore I would have to enable
> >> #virtual_transport = lmtp:unix:private/dovecot-lmtp
> >
> > Fine, now the LMTP recipient needs to be a recipient name known to
> > dovecot, but that's not much different from the requirement that
> > dovecot be able to associate users with mailboxes for IMAP.
> >
> > So you've not explained your problem in sufficient detail.
>
> As to my knowledge dovecot can not handle "dynamically" created email
> addresses.

Give it addresses it knows.

> > Well dovecot does not know about that mailbox. Deliver to a mailbox
> > that dovecot does know about. You'd typically use virtual_alias_maps
> > for that.
>
> Not possible - there is no mapping until the mail arrives. The email
> address is dynamic.

Nonsense, essentially the same regexp table can be used in
virtual_alias_maps instead of virtual_mailbox_maps:

    /\.d...@x.domain1.com/ d...@x.domain1.com

-- 
	Viktor.
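To see why moving the regexp table to virtual_alias_maps satisfies Dovecot's LMTP server, this added example (not the poster's configuration) simulates Postfix's lookup order for one dynamic recipient with and without the alias rewriting. The tables are constructed, "owner" stands in for the local part the archive obscures, and the patterns are anchored as regexp_table(5) recommends.

```python
import re

# Constructed tables standing in for the thread's hash:vmaps and regexp:vmaps-regex.
ALIAS_REGEXP = [(r"^.*\.owner@x\.domain1\.com$", "owner@x.domain1.com")]
MAILBOX_MAPS = {"owner@x.domain1.com": "x.domain1.com/owner/"}
MAILBOX_REGEXP = [(r"^.*\.owner@x\.domain1\.com$", "x.domain1.com/owner/")]
DOVECOT_USERS = set(MAILBOX_MAPS)   # the only logins the LMTP server accepts

def regexp_lookup(table, key):
    """regexp_table(5) semantics: first match wins, case-insensitive, $1 substitution."""
    for pattern, result in table:
        m = re.search(pattern, key, re.IGNORECASE)
        if m:
            # Postfix writes $1 for back-references; re.expand wants \1.
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", result))
    return None

def deliver(recipient, use_alias_map):
    """Return (address handed to the LMTP transport, reply) for one RCPT TO."""
    # 1. virtual_alias_maps rewriting happens in cleanup(8), before delivery.
    if use_alias_map:
        recipient = regexp_lookup(ALIAS_REGEXP, recipient) or recipient
    # 2. virtual_mailbox_maps decides whether Postfix accepts the recipient at all.
    if recipient not in MAILBOX_MAPS and not regexp_lookup(MAILBOX_REGEXP, recipient):
        return recipient, "550 5.1.1 Recipient address rejected: User unknown"
    # 3. virtual_transport = lmtp:unix:private/dovecot-lmtp hands it to Dovecot,
    #    which only knows the users it has been configured with.
    if recipient in DOVECOT_USERS:
        return recipient, "250 2.0.0 Ok (delivered via LMTP, sieve applies)"
    return recipient, "550 5.1.1 User doesn't exist: " + recipient

if __name__ == "__main__":
    for flag in (False, True):
        label = "with virtual_alias_maps" if flag else "virtual_mailbox_maps only"
        print(label, "->", deliver("test.owner@x.domain1.com", flag))
```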
Re: postfix / dovecot / virtual_mailbox_maps regex
Hi Viktor,

thanks for your reply.

On 25.05.2016 22:27, Viktor Dukhovni wrote:
> On Wed, May 25, 2016 at 10:00:55PM +0200, Dirk wrote:
>
>> Which user to what maildir is defined in.
>> virtual_mailbox_maps = hash:/etc/postfix/vmaps
>>
>> The second (sub)domain has no fixed user assignment. The users must
>> match a regex defined as well in
>> virtual_mailbox_maps = regexp:/etc/postfix/vmaps-regex
> Presumably, you have:
>
> virtual_mailbox_maps =
> hash:/etc/postfix/vmaps,
> regexp:/etc/postfix/vmaps-regex
>
> to accomplish both. Right?
Yes you are right.

> What kind of mappings happen in that regexp table? Sure you can have
> the mail delivered to some maildir or other, but how are users able
> to read the mail? Presumably dovecot still needs to know about
> the mailboxes created by virtual(8) so it can grant access to them
> to suitably authenticated users via IMAP.
/.*\.d...@x.domain1.com/ x.domains1.com/dirk/

This is kind of my own "spamgourmet.com" implementation where I can give
email addresses on the fly to any "webpage".
Everything is delivered to one maildir.

>> But now I would like to use sieve with dovecot.
> For both domains? Or just one of them?
Ideally both.

>> Therefore I would have to enable
>> #virtual_transport = lmtp:unix:private/dovecot-lmtp
> Fine, now the LMTP recipient needs to be a recipient name known to
> dovecot, but that's not much different from the requirement that
> dovecot be able to associate users with mailboxes for IMAP.
>
> So you've not explained your problem in sufficient detail.
As to my knowledge dovecot can not handle "dynamically" created email
addresses.

>> [private/dovecot-lmtp] said: 550 5.1.1 User
>> doesn't exist: test.d...@x.domain1.com (in reply to RCPT TO command)
> Well dovecot does not know about that mailbox. Deliver to a mailbox
> that dovecot does know about. You'd typically use virtual_alias_maps
> for that.
Not possible - there is no mapping until the mail arrives. The email
address is dynamic.

>> It would maybe solve my problem if I could enable the virtual_transport
>> only for domain1.com not x.domain1.com.
> You can certainly use the transport(5) table to direct either domain
> to a different transport, but it is not clear that this is the right
> approach.
>
> http://www.postfix.org/ADDRESS_REWRITING_README.html
> http://www.postfix.org/ADDRESS_CLASS_README.html
> http://www.postfix.org/virtual.5.html
> http://www.postfix.org/postconf.5.html#virtual_alias_maps
> http://www.postfix.org/postconf.5.html#transport_maps
>
I read through virtual and transport_maps several times - no luck till now.
Re: postfix / dovecot / virtual_mailbox_maps regex
On Wed, May 25, 2016 at 10:00:55PM +0200, Dirk wrote:

> Which user to what maildir is defined in.
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
>
> The second (sub)domain has no fixed user assignment. The users must
> match a regex defined as well in
> virtual_mailbox_maps = regexp:/etc/postfix/vmaps-regex

Presumably, you have:

    virtual_mailbox_maps =
        hash:/etc/postfix/vmaps,
        regexp:/etc/postfix/vmaps-regex

to accomplish both. Right?

What kind of mappings happen in that regexp table? Sure you can have
the mail delivered to some maildir or other, but how are users able
to read the mail? Presumably dovecot still needs to know about the
mailboxes created by virtual(8) so it can grant access to them to
suitably authenticated users via IMAP.

> But now I would like to use sieve with dovecot.

For both domains? Or just one of them?

> Therefore I would have to enable
> #virtual_transport = lmtp:unix:private/dovecot-lmtp

Fine, now the LMTP recipient needs to be a recipient name known to
dovecot, but that's not much different from the requirement that
dovecot be able to associate users with mailboxes for IMAP.

So you've not explained your problem in sufficient detail.

> [private/dovecot-lmtp] said: 550 5.1.1 User doesn't
> exist: test.d...@x.domain1.com (in reply to RCPT TO command)

Well dovecot does not know about that mailbox. Deliver to a mailbox
that dovecot does know about. You'd typically use virtual_alias_maps
for that.

> It would maybe solve my problem if I could enable the virtual_transport
> only for domain1.com not x.domain1.com.

You can certainly use the transport(5) table to direct either domain
to a different transport, but it is not clear that this is the right
approach.

http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/virtual.5.html
http://www.postfix.org/postconf.5.html#virtual_alias_maps
http://www.postfix.org/postconf.5.html#transport_maps

-- 
	Viktor.
postfix / dovecot / virtual_mailbox_maps regex
I'm going in circles with a problem I have with postfix/dovecot.

I have a setup for two virtual_mailbox_domains on my postfix.

domain1.com
x.domain1.com

both domains are delivered by postfix to users maildir which is accessed
via dovecot

Which user to what maildir is defined in.
virtual_mailbox_maps = hash:/etc/postfix/vmaps

The second (sub)domain has no fixed user assignment. The users must
match a regex defined as well in
virtual_mailbox_maps = regexp:/etc/postfix/vmaps-regex

This works quite fine.

But now I would like to use sieve with dovecot. Therefore I would have to
enable
#virtual_transport = lmtp:unix:private/dovecot-lmtp

If I do so - the mails for the sub domain x.domain1.com which has
"dynamic users" based on a pattern are rejected by dovecot

[private/dovecot-lmtp] said: 550 5.1.1 User doesn't exist:
test.d...@x.domain1.com (in reply to RCPT TO command)

The question is now - how can I set this up that I can define dovecot-lmtp
to enable sieve and stick to my dynamic users.

It would maybe solve my problem if I could enable the virtual_transport
only for domain1.com not x.domain1.com. But this configuration I did in
transports fails.

Can someone give me a hint how to get this fixed ?

best regards
Dirk
Re: Send mail to /dev/null without other filtering
On Wed, May 25, 2016 at 11:46:45AM -0600, Richard B. Pyne wrote:
> Is there a simple way to discard email coming to a specific address, such as
> nore...@domain.com without it having to go through all the other spam
> filtering I have in place and clogging my mail queue?

See the "DISCARD" action in the access(5) manpage. Obviously use with
great caution.

-- 
	Viktor.
Send mail to /dev/null without other filtering
Is there a simple way to discard email coming to a specific address, such as
nore...@domain.com without it having to go through all the other spam
filtering I have in place and clogging my mail queue?

Thanks.

--Richard
ot: pre emptive throttling/limiting ?
I have a small server with several domains, always worry some dumb users'
account will get hacked and start spamming (including this dumb user,
like, my own forgotten test account got hacked)

is it a good idea to put some limits or throttling 'just in case' ?

Postfix 2.11, average server usage is like:

Per-Day Traffic Summary
    date          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    May 23 2016       1422       1794         21          0         3399
    May 24 2016       1683       2239         10          0         4509
    May 25 2016       1583       2031         11          1         5402
    May 15 2016        576        633         15          1         5343
    May 16 2016       1438       2007         18          6         8497
    May 17 2016       1579       2128         11          1         7738
    May 18 2016       1598       1912          8          2         5889
    May 19 2016       1604       2044         13          6         4947
    May 20 2016       1196       1292          9          2         5100
    May 21 2016        723        788          9          1         4349
    May 22 2016         84         89          0          0          450
    May  8 2016       1753       1823          8       1222         2498
    May  9 2016       2894       3286         10       1440         3365
    May 10 2016       3064       3401         26       1440         2413
    May 11 2016       3004       3428         20       1440         3255