Re: (Semi OT) RBL shakedown
On 24 Oct 2016, at 16:54, li...@lazygranch.com wrote:

> So you block all of AS14061 because there supposedly is a spammer in the block?

The relevant TXT record in that DNSBL asserts 276 "abusers" on AS14061 in the past week. Eyeballing the visible routes for AS14061, that seems to be something like 0.2% of the advertised addresses.

> I grumblingly agreed when Wietse said it was proper to block a specific IP when only one user was spamming, but this seems excessive.

It is, which is why UCEPROTECT and especially their "Level 3" list are not widely trusted as a basis for absolute banning. I don't recall seeing evidence that *any* of their lists are used as outright banning criteria by any sites with a significant number of users outside of German-speaking Europe.
Re: OT: "X-PHP-Script" header
On 24 Oct 2016, at 12:29, Allen Coates wrote:

> Over the weekend I had three spam messages get through to my in-box. Two contained an "X-PHP-Script" header
>
> one was
> X-PHP-Script: folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php for 110.83.63.152
>
> and the other
> X-PHP-Script: 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php for 110.83.62.203
>
> I suppose I could block them using header_checks, but first, does anybody know what they (are supposed to) do? I have not encountered them before.

They are added by the PHP mail() function (if the active PHP config has them turned on) as a weak but surprisingly useful way for web server admins to identify exactly where some spam-sending malware has been deployed. This is a weak tool in theory because a script can effectively clobber the pathname component, but apparently the folks writing that class of malware include examples of "any moron can write working PHP" because I still see these with apparently real values (as above) in spam at a substantial rate despite this feature existing for over a decade.

I wouldn't advise using the existence of a X-PHP-Script header as an absolute reason to block mail. In my personal archives I have 30 entirely legitimate, desired messages with that header and 173 spam. In a workplace account which gets essentially no spam I have no spam with it in the past 8 years, during which I've received dozens (maybe hundreds) of absolutely non-spam messages with X-PHP-Script headers generated by various tools that use PHP (e.g. MediaWiki page change notices) and from external sources.

The content of a X-PHP-Script header can be useful in more complex filtering systems (e.g. SpamAssassin) because the spamware scripts often hide themselves in odd directories like /tmp, /images, and frequently claim to be triggered from IPs that bear no relationship to the source host (like the above: consumer broadband IPs in Fuqing, Fujian, China.)

You can't do that sort of analysis in Postfix itself.
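The kind of content analysis the message above describes (script directory, and the claimed client IP compared with the relaying host), as an added example that is not part of the original post. The point weights, the /24 test for a "related" address and the sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Value format seen in the thread: "<host>/<script path> for <client IP>"
XPS_RE = re.compile(r"^(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<client>\S+)$")
BRACKETED_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
# Directories the message names as odd hiding places; extend from local data.
ODD_DIRS = ("/tmp/", "/images/")


def to_ip(text):
    """Return an ip_address object, or None when text is not an address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_x_php_script(value):
    """Split a header value into host, script path and claimed client IP."""
    m = XPS_RE.match(" ".join(value.split()))  # undo header folding
    if not m:
        return None
    return {"host": m["host"], "path": m["path"], "client": to_ip(m["client"])}


def relay_networks(msg, prefix=24):
    """IPv4 networks around every bracketed address in the Received headers."""
    nets = set()
    for header in msg.get_all("Received", []):
        for text in BRACKETED_IP_RE.findall(header):
            ip = to_ip(text)
            if ip is not None and ip.version == 4:
                nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return nets


def score_message(raw, odd_dir_points=2.0, unrelated_ip_points=1.0):
    """Return (score, reasons); meant to feed a total, not to block alone."""
    msg = message_from_string(raw)
    value = msg.get("X-PHP-Script")
    if value is None:
        return 0.0, []
    info = parse_x_php_script(value)
    if info is None:
        return 0.0, ["unparseable X-PHP-Script value"]
    score, reasons = 0.0, []
    if any(d in info["path"] for d in ODD_DIRS):
        score += odd_dir_points
        reasons.append("script in odd directory: " + info["path"])
    nets = relay_networks(msg)
    client = info["client"]
    if client is not None and nets and not any(client in n for n in nets):
        score += unrelated_ip_points
        reasons.append(f"claimed client {client} unrelated to relay")
    return score, reasons


# Constructed sample messages (documentation addresses and domains).
SPAM = (
    "Received: from web7.hosting.example (web7.hosting.example [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP; Mon, 24 Oct 2016 10:00:00 +0000\n"
    "X-PHP-Script: shop.example/images/.cache/mailer.php\n"
    " for 198.51.100.77\n"
    "Subject: constructed spam sample\n\nbody\n"
)
WIKI = (
    "Received: from wiki.example (wiki.example [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP; Mon, 24 Oct 2016 10:05:00 +0000\n"
    "X-PHP-Script: wiki.example/w/index.php for 192.0.2.55\n"
    "Subject: constructed page change notice\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("wiki", WIKI)):
        print(name, score_message(raw))
```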
incoming queue question: 'not found'
I monitor Postfix queue with Cacti, normally see warning on deferred queue, charts in red, sends threshold warning, when there is some issues today, first time ever saw that, I see incoming queue in Cacti growing, up to 14/16, (charts blue) never observed that before...? mailq gives nothing, pfqueue has like(1); how to better assess what's going on?

    Queue: 'incoming', 7 messages, 0 tagged, unsorted
    ATCSB ID          From         To
          E29D64CBC2  *Not found*  *Not found*
          1B8654CBC1  *Not found*  *Not found*
          93E464CBBB  *Not found*  *Not found*
          080504CBB8  *Not found*  *Not found*
          D2B494CB7F  *Not found*  *Not found*
          172154CBCA  *Not found*  *Not found*
          24A8F4CBAF  *Not found*  *Not found*
Re: (Semi OT) RBL shakedown
li...@lazygranch.com [2016-10-24 14:52 -0700] :

> Oh, I didn't mean YOU as in you personally. Sorry about that.
> Maybe it is an American way of speaking.

No offenSe taken. ;-)

> The reply from Digital Ocean is just to change my IP. I'm
> shocked they don't want to defend their IP space. I suppose if
> I actually get blocked, I will go through the hassle of changing
> the IP. (Not trivial).

Have you checked your logs whether you already got rejected because of level 3?

Niklaas
Re: (Semi OT) RBL shakedown
Oh, I didn't mean YOU as in you personally. Sorry about that. Maybe it is an American way of speaking.

The reply from Digital Ocean is just to change my IP. I'm shocked they don't want to defend their IP space. I suppose if I actually get blocked, I will go through the hassle of changing the IP. (Not trivial).

-----Original Message-----
From: Niklaas Baudet von Gersdorff
Sent: Monday, October 24, 2016 2:33 PM
To: postfix-users@postfix.org
Reply To: st...@niklaas.eu
Subject: Re: (Semi OT) RBL shakedown

li...@lazygranch.com [2016-10-24 13:54 -0700] :

> So you block all of AS14061 because there supposedly is
> a spammer in the block? I grumblingly agreed when Wietse said
> it was proper to block a specific IP when only one user was
> spamming, but this seems excessive.

No, I personally don't. And I don't think anyone should. I only wanted to mention that (and I guess this is in line with what you wrote), next to mismanaging DNSBL's, you can misuse them.

Niklaas
Re: (Semi OT) RBL shakedown
li...@lazygranch.com [2016-10-24 13:54 -0700] :

> So you block all of AS14061 because there supposedly is
> a spammer in the block? I grumblingly agreed when Wietse said
> it was proper to block a specific IP when only one user was
> spamming, but this seems excessive.

No, I personally don't. And I don't think anyone should. I only wanted to mention that (and I guess this is in line with what you wrote), next to mismanaging DNSBL's, you can misuse them.

Niklaas
Re: (Semi OT) RBL shakedown
So you block all of AS14061 because there supposedly is a spammer in the block? I grumblingly agreed when Wietse said it was proper to block a specific IP when only one user was spamming, but this seems excessive.

One of the reasons I went VPS is not to be lumped in with spammers nor the occasional DDOS because some fool annoyed another fool. I guess I was delusional that a personal IP would solve that problem.

Grumble. I've said enough.

On a positive note, freebsd ports had a postfix update yesterday and as usual, no problem.

-----Original Message-----
From: Niklaas Baudet von Gersdorff
Sent: Monday, October 24, 2016 1:41 PM
To: postfix-users@postfix.org
Reply To: st...@niklaas.eu
Subject: Re: (Semi OT) RBL shakedown

li...@lazygranch.com [2016-10-24 13:20 -0700] :

> If you use the uceprotect RBL, note that they are involved in a
> shakedown to solicit money to be removed from their list. Much like
> spamrl, I'd suggest not using them since they have an obvious false
> positive problem.
>
> http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
> Their own system shows my domain is not the same as the spammers domain.

You're only listed on Level 3, aren't you? They (kind of) recommend not to use that list:

    We believe that a professional service provider or carrier should be able to act promptly before listings are escalating up to Level 3, therefore by using Level 3 the chances are that you will mostly block “learning-resistant” service providers or carriers and their customers.

    NOTE: By using Level 3 for blocking, be prepared to lose some required mails too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!

    The recommended use of Level 3 is incorporating it into a scoring system, to give e.g. 2 points on a ‘match’ where 5 or more points trigger a spam tag.

    Use of Level 3 for blocking is recommended only if you are a HARDLINER and you want to cause service providers and carriers that have spammer / abusive clients to be quickly and effectively blocked and it does not matter to you when required email is also rejected. This can bring a lot of pressure on service providers and carriers to get their act in order and resolve the issues within their responsibility.

    http://www.uceprotect.net/en/index.php?m=3=5

So, normally -- in case postmasters read uceprotect's advice, which we cannot be sure of -- your server shouldn't be blocked by serious mail servers. As far as I understand their policy, probably you're listed because your network has quite some spammers.

> Plenty of good RBLs out there. No uses feeding the criminals
> (uceprotect) or the incompetent (spamrl).

Niklaas
Re: (Semi OT) RBL shakedown
li...@lazygranch.com [2016-10-24 13:20 -0700] :

> If you use the uceprotect RBL, note that they are involved in a
> shakedown to solicit money to be removed from their list. Much like
> spamrl, I'd suggest not using them since they have an obvious false
> positive problem.
>
> http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
> Their own system shows my domain is not the same as the spammers domain.

You're only listed on Level 3, aren't you? They (kind of) recommend not to use that list:

    We believe that a professional service provider or carrier should be able to act promptly before listings are escalating up to Level 3, therefore by using Level 3 the chances are that you will mostly block “learning-resistant” service providers or carriers and their customers.

    NOTE: By using Level 3 for blocking, be prepared to lose some required mails too. DO NOT BLAME US, YOU HAVE BEEN FOREWARNED!

    The recommended use of Level 3 is incorporating it into a scoring system, to give e.g. 2 points on a ‘match’ where 5 or more points trigger a spam tag.

    Use of Level 3 for blocking is recommended only if you are a HARDLINER and you want to cause service providers and carriers that have spammer / abusive clients to be quickly and effectively blocked and it does not matter to you when required email is also rejected. This can bring a lot of pressure on service providers and carriers to get their act in order and resolve the issues within their responsibility.

    http://www.uceprotect.net/en/index.php?m=3=5

So, normally -- in case postmasters read uceprotect's advice, which we cannot be sure of -- your server shouldn't be blocked by serious mail servers. As far as I understand their policy, probably you're listed because your network has quite some spammers.

> Plenty of good RBLs out there. No uses feeding the criminals
> (uceprotect) or the incompetent (spamrl).

Niklaas
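The scoring use quoted above (2 points on a match, 5 or more points trigger a tag) set beside outright blocking, as an added example that is not from the thread or from UCEPROTECT. The zone names, the weight of the per-IP list and the listings are constructed; `fake_resolve` stands in for a DNS lookup so the block runs offline.

```python
import ipaddress
import socket

# Constructed zone names and weights; substitute the lists you actually query.
WEIGHTS = {
    "per-ip.dnsbl.example": 5,    # lists individual sending addresses
    "asn-wide.dnsbl.example": 2,  # lists whole provider networks, like Level 3
}
TAG_THRESHOLD = 5  # "5 or more points trigger a spam tag"


def dnsbl_query_name(ip, zone):
    """IPv4 DNSBL convention: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolve(name):
    """Live lookup: a listed address resolves, an unlisted one does not."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def listed_zones(ip, resolve=dns_resolve):
    return [zone for zone in WEIGHTS if resolve(dnsbl_query_name(ip, zone))]


def hard_block(ip, resolve=dns_resolve):
    """Policy A: reject when any configured list answers."""
    return bool(listed_zones(ip, resolve))


def scored(ip, resolve=dns_resolve):
    """Policy B: sum the weights and tag only at the threshold."""
    score = sum(WEIGHTS[zone] for zone in listed_zones(ip, resolve))
    return score, score >= TAG_THRESHOLD


# Constructed listings standing in for DNS answers.
LISTINGS = {
    "10.2.0.192.asn-wide.dnsbl.example",    # clean host, provider-wide listing only
    "77.100.51.198.asn-wide.dnsbl.example",
    "77.100.51.198.per-ip.dnsbl.example",   # host listed in its own right
}


def fake_resolve(name):
    return name in LISTINGS


def compare(ips, resolve=fake_resolve):
    """Map each IP to (rejected under policy A, (score, tagged) under B)."""
    return {ip: (hard_block(ip, resolve), scored(ip, resolve)) for ip in ips}


if __name__ == "__main__":
    for ip, verdicts in compare(["192.0.2.10", "198.51.100.77", "203.0.113.5"]).items():
        print(ip, verdicts)
```

The host listed only on the provider-wide zone is rejected under the first policy but stays below the tag threshold under the second.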
SV: (Semi OT) RBL shakedown
Agreed, they even list AS23456, which is a reserved AS used for BGP32 routers to announce themselves to BGP16 routers. (the BGP32 ASN is then embedded in the payload of the BGP16 packet, which result that when this BGP16 router then further announce themselves to a BGP32 router, the real 32 bit ASN will unfold itself).

UCEprotect then list this reserved ASN, instead of unfolding the packet and looking at the real payload, causing every BGP32 network which announce BGP16 compatibility, to be listed in UCEPROTECT L3.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of li...@lazygranch.com
Sent: 24 October 2016 22:20
To: postfix-users@postfix.org
Subject: (Semi OT) RBL shakedown

If you use the uceprotect RBL, note that they are involved in a shakedown to solicit money to be removed from their list. Much like spamrl, I'd suggest not using them since they have an obvious false positive problem.

http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
Their own system shows my domain is not the same as the spammers domain.

Plenty of good RBLs out there. No uses feeding the criminals (uceprotect) or the incompetent (spamrl).
(Semi OT) RBL shakedown
If you use the uceprotect RBL, note that they are involved in a shakedown to solicit money to be removed from their list. Much like spamrl, I'd suggest not using them since they have an obvious false positive problem.

http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
Their own system shows my domain is not the same as the spammers domain.

Plenty of good RBLs out there. No uses feeding the criminals (uceprotect) or the incompetent (spamrl).
Re: Blacklisting googlegroups
On 24/10/2016 6:46 PM, Noel Jones wrote:

> header_checks can't be used there. Use a second check_sender_access instead.

Thank you Noel,

Your suggestion worked fine! The only change I did was to escape the + sign:

    /^oursuperclub-members\+bnc(.*)@googlegroups\.com$/ REJECT

All the best,
Nick
Re: OT: "X-PHP-Script" header
On 24/10/16 17:37, Jan Ceuleers wrote:
> On 24/10/16 18:29, Allen Coates wrote:
>> Over the weekend I had three spam messages get through to my in-box. Two
>> contained an "X-PHP-Script" header
>>
>> one was
>> X-PHP-Script:
>> folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
>> for 110.83.63.152
>>
>> and the other
>> X-PHP-Script:
>> 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
>> for 110.83.62.203
>>
>> I suppose I could block them using header_checks, but first, does
>> anybody know what they (are supposed to) do? I have not encountered
>> them before.
> First Google hit?

How to insert / remove / munge them, but not what they do. Or their value as a spam indicator.
Re: OT: "X-PHP-Script" header
On 24/10/16 18:29, Allen Coates wrote:
>
> Over the weekend I had three spam messages get through to my in-box. Two
> contained an "X-PHP-Script" header
>
> one was
> X-PHP-Script:
> folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
> for 110.83.63.152
>
> and the other
> X-PHP-Script:
> 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
> for 110.83.62.203
>
> I suppose I could block them using header_checks, but first, does
> anybody know what they (are supposed to) do? I have not encountered
> them before.

First Google hit?
OT: "X-PHP-Script" header
Over the weekend I had three spam messages get through to my in-box. Two contained an "X-PHP-Script" header

one was
X-PHP-Script: folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php for 110.83.63.152

and the other
X-PHP-Script: 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php for 110.83.62.203

I suppose I could block them using header_checks, but first, does anybody know what they (are supposed to) do? I have not encountered them before.

Allen C
Re: How to limite incoming email with defined mail sender?
On 10/24/2016 8:02 AM, vod vos wrote:
> Hi guys,
>
> I want to set up only the defined mail sender from outside can send
> mail to defined user on my server, and reject the undefined sender,
>
> how to do it?
>
> thanks.
>

perhaps you're looking for the smtpd_reject_unlisted_sender parameter.
http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

-- Noel Jones
Re: chrooting cleanup process ?
On 10/24/2016 3:58 AM, Mickaël DEQUIDT wrote:
> Hello all,
>
> I have been trying to build a canonical address mapping through
> ldap, in order to replace login names by better-looking addresses,
> as stated in the ADDRESS_REWRITING_README, and I stumbled upon a
> weird behaviour : with the canonical_maps on, every time a mail is
> sent to my server, Postfix refuses to treat it and the logs state
> the following :
>
> Oct 20 13:57:13 server postfix/master[pid]: warning:
> /usr/lib/postfix/cleanup: bad command startup -- throttling
> Oct 20 13:58:13 server postfix/master[pid]: warning: process
> /usr/lib/postfix/cleanup pid 18924 killed by signal 11

Look for a prior warning or error.

The cleanup service should run fine chroot, and config files are loaded before the chroot. Perhaps some system library is missing from your chroot directory.

That said, non-chroot is the default shipping configuration. Enabling chroot is an advanced configuration and may require additional setup.

-- Noel Jones
Re: How to limite incoming email with defined mail sender?
For example;

only allow receiving sender j...@example.com from example.com to send mail to my server foo.com, and user only alex can receive it. a...@foo.com

how to configure postfix/main.cf ?

Thanks.

On Monday, 24 October 2016 06:02:32 -0700 vod vos vod...@zoho.com wrote

> Hi guys,
>
> I want to set up only the defined mail sender from outside can send mail to defined user on my server, and reject the undefined sender,
>
> how to do it?
>
> thanks.
Strange behavior on virtual_alias
Hi,

my problem is this: I have in my postfix (ver. 2.11.3 installed on a debian stable box) installation placed in front of a dovecot server a virtual_alias_map like this

    local_recipient_maps = $virtual_alias_maps
    virtual_mailbox_domains = mail.cgilfe.it, cgilfe.it
    virtual_alias_maps = mysql:/etc/postfix/mysql-valias.cf

if I query the "map" with below command

    postmap -q @mail.cgilfe.it mysql:/etc/postfix/mysql-alias.cf

I receive the correct composition of the virtual-alias, but in some cases dovecot pass the alias to the lmtp service installed on dovecot (in this case delivery fails with 5.5.0 error); in other cases with virtual_alias retrieved from map all go smoothly.

I don't know why this happens only for some aliases and not for all.

Thanks in advance for helping me.
RE: Blacklisting googlegroups
Personally I have a test postfix server, so I try all my configs to confirm they do what I want. Use telnet to send an email to trigger the rule is my advice.

Also my REGEX example may not be the best solution. I got the idea from this line in my server, it's part of the virtual_alias_maps= setting.

    regexp:/etc/postfix/maps/subaddressing

which is this

    /^(.*)\+(.*)@(.*).mydomain.dom/ ${1}@${3}.mydomain.com

-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG-Linux/ M
860-486-9075

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Nikolaos Milas
Sent: Monday, October 24, 2016 10:25 AM
To: postfix users
Subject: Re: Blacklisting googlegroups

On 24/10/2016 5:15 PM, Fazzina, Angelo wrote:

> Can't you use REGEX to write a rule to catch them, and then decide what you
> want to do with those emails ?

Would the following be valid?

    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/blacklisted_senders
        header_checks pcre:/etc/postfix/blacklisted_maillists
        ...

    /etc/postfix/blacklisted_maillists
    /^Return-Path: / REJECT

Nick
Re: Blacklisting googlegroups
On 24/10/2016 5:15 PM, Fazzina, Angelo wrote:

> Can't you use REGEX to write a rule to catch them, and then decide what you want to do with those emails ?

Would the following be valid?

    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/blacklisted_senders
        header_checks pcre:/etc/postfix/blacklisted_maillists
        ...

    /etc/postfix/blacklisted_maillists
    /^Return-Path:/ REJECT

Nick
Re: Blacklisting googlegroups
* Nikolaos Milas:
> On 24/10/2016 5:15 PM, Fazzina, Angelo wrote:
>
> > Can't you use REGEX to write a rule to catch them, and then decide what you
> > want to do with those emails ?
>
> Would the following be valid?
>
> smtpd_recipient_restrictions =
> ...
> check_sender_access hash:/etc/postfix/blacklisted_senders
> header_checks pcre:/etc/postfix/blacklisted_maillists
> ...

No. header_checks cannot be listed in smtpd_recipient_restrictions

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
RE: Blacklisting googlegroups
Hi,

Can't you use REGEX to write a rule to catch them, and then decide what you want to do with those emails ?

Maybe: /etc/postfix/catch_spammer file has this:

    /^oursuperclub-members(.*)@googlegroups.com ${1}@spammer.google.bad

Not sure where you add the file to do the rejection, maybe mynetworks line in main.cf ??

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG-Linux/ M
860-486-9075

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Nikolaos Milas
Sent: Monday, October 24, 2016 10:06 AM
To: postfix users
Subject: Blacklisting googlegroups

Hello,

I am using:

    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/blacklisted_senders
        ...

to blacklist certain senders in blacklisted_senders file.

I would like to block a certain spam googlegroups mailing list but sender is not constant; it's like:

    oursuperclub-members+bncbcg7bjnotikrbewdwpaakgqeabvw...@googlegroups.com

and the part is constantly changing.

Which would be the best way to block this?

Please advise.

Thanks,
Nick
Blacklisting googlegroups
Hello,

I am using:

    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/blacklisted_senders
        ...

to blacklist certain senders in blacklisted_senders file.

I would like to block a certain spam googlegroups mailing list but sender is not constant; it's like:

    oursuperclub-members+bncbcg7bjnotikrbewdwpaakgqeabvw...@googlegroups.com

and the part is constantly changing.

Which would be the best way to block this?

Please advise.

Thanks,
Nick
How to limite incoming email with defined mail sender?
Hi guys, I want to set up only the defined mail sender from outside can send mail to defined user on my server, and reject the undefined sender, how to do it? thanks.
RE: Open relay, found it
Hai Paul,

I saw you got it fixed, compromised pass as I suspected. ;-)

I saw also this in your log.

    from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206]

This should never be allowed. ( from 127.0.0.1 ) ( on the external ip ) That's impossible imo.

To fix that you can use something like below. Just make sure every known hostname and ipnumber of the server is listed here.

Beware with these 3, these can give false positives.

    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,

(pcre:/etc/postfix/helo.pcre)

    ## Namebase
    /^ip6-localhost$/                        554 Don't use my own hostname
    /^localhost$/                            554 Don't use my own hostname
    /^localhost\.localdomain$/               554 Don't use my own hostname
    /^localhost\.yourdomain\.tld$/           554 Don't use my own hostname
    /^localhost\.subdom\.yourdomain\.tld$/   554 Don't use my own hostname
    /^yourdomain\.tld$/                      554 Don't use my own domainname
    /^hostname\.yourdomain\.tld$/            554 Don't use my own hostname
    /^hostname\.subdom\.yourdomain\.tld$/    554 Don't use my own hostname
    ## IP Based
    /^127\.0\.0\.1$/                         554 Don't use my own IP address
    /^\[127\.0\.0\.1\]$/                     554 Don't use my own IP address
    /^\:\:1$/                                554 Don't use my own IP address
    /^\[\:\:1\]$/                            554 Don't use my own IP address
    /^1\.2\.3\.4$/                           554 Don't use my own IP address
    /^\[1\.2\.3\.4]$/                        554 Don't use my own IP address
    # and add ipv6 ip if you use it.
    ## Optional, but can give false blocks.
    #/^[0-9.]+$/ 554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
    #/^[0-9]+(\.[0-9]+){3}$/ 554 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
    # /^[0-9.-]+$/ 550 Your software is not RFC 2821 compliant: EHLO/HELO must be a hostname.domain.tld or an address-literal (IP enclosed in brackets)
    # /^[0-9]+(\.[0-9]+){3}$/ REJECT Invalid hostname

    # added in main.cf
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_mynetworks,
        check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map
        check_helo_access pcre:/etc/postfix/pcre/helo.pcre,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        reject_unauth_destination,
        reject_unauth_pipelining

Greetz,
Louis

> -----Original Message-----
> From: p...@vandervlis.nl [mailto:owner-postfix-us...@postfix.org] On Behalf Of
> Paul van der Vlis
> Sent: Sunday 23 October 2016 13:51
> To: postfix-users@postfix.org
> Subject: Re: Open relay, found it
>
> On 23-10-16 at 13:32 Ansgar Wiechers wrote:
> > On 2016-10-23 Paul van der Vlis wrote:
> >> On 22-10-16 at 18:23 /dev/rob0 wrote:
> >>> The only actual conclusion is that you have failed to put forth the
> >>> necessary information, as Bill [I think] pointed you to the
> >>> http://www.postfix.org/DEBUG_README.html#mail link.
> >>
> >> The problem is that somebody did send spam using port 587 with a not
> >> existing username, and I am interested how that is possible.
> >>
> >> sigmund:/var/log# postconf -Mf
> >
> > So you finally decided to show the output of "postconf -Mf" and
> > "saslfinger -s". Good. Now you just need to provide the rest of the
> > information Bill Cole asked of you 2 days ago:
> >
> > - Full output of "postconf -nf".
> > - Full headers of a sample message (you may obfuscate personal
> >   information about the recipient).
> > - All log lines associated with that particular message. At the very
> >   least the output of "grep /var/log/mail.log".
>
> I am sorry when I did not give the right information. I did read the
> link, and did what was asked there.
>
> > In case you don't know how to find the queue ID in a log message, it's
> > this part of the log line:
> >
> > postfix/smtpd[]: 2758BBF4062: ...
> > ^^^
> > And did you already investigate why the authentication backend considers
> > "p...@puk.nl" a valid user, as Noel Jones asked? What did you find out?
>
> Yes, and I found out that when the username is "p...@puk.nl" SASL
> actually checks on "piet":
> --
> saslauthd[19855] :do_auth : auth success: [user=piet]
> [service=smtp] [realm=puk.nl] [mech=pam]
> --
>
> I did some more tests, and it seems to be that the spammer actually did
> know the password. After changing the password, the logging changed:
> --
> saslauthd[20161] :do_auth : auth failure: [user=piet]
> [service=smtp] [realm=puk.nl] [mech=pam]
> -
>
> With regards,
> Paul van der Vlis.
>
> --
> Paul van der Vlis Linux system administration Groningen
> https://www.vandervlis.nl/
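An added sketch, not from the thread, that approximates how a Postfix pcre access table is evaluated (first matching line wins, case-insensitive by default), so HELO rules like the ones above and the escaped `+` sender pattern from the googlegroups thread can be checked before deployment. It uses Python's `re` in place of PCRE, and the tables and lookup keys are constructed samples.

```python
import re

# /pattern/flags result  (an escaped \/ may appear inside the pattern)
LINE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>[A-Za-z]*)\s+(?P<result>.+)$"
)


def load_table(text):
    """Parse table text into compiled rules; return (rules, errors)."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            errors.append((lineno, "not a /pattern/ result line"))
            continue
        # Postfix pcre tables match case-insensitively unless the i flag
        # toggles that off; other flags are ignored in this sketch.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        try:
            rules.append((re.compile(m["pat"], flags), m["result"]))
        except re.error as exc:
            errors.append((lineno, str(exc)))
    return rules, errors


def lookup(rules, key):
    """Return the result of the first matching rule, or None (no decision)."""
    for pattern, result in rules:
        if pattern.search(key):
            return result
    return None


# Constructed HELO table. Line 4 has a stray backslash that turns the
# leading "1" into a backreference, so the pattern cannot compile.
HELO_TABLE = r"""# constructed sample in the style of a helo.pcre table
/^localhost$/            554 Don't use my own hostname
/^\[127\.0\.0\.1\]$/     554 Don't use my own IP address
/^\1\.2\.3\.4$/          554 Don't use my own IP address
/^[0-9]+(\.[0-9]+){3}$/  REJECT Invalid hostname
"""

# Constructed sender rules: the same pattern with and without the escaped "+".
SENDER_UNESCAPED = r"/^oursuperclub-members+bnc(.*)@googlegroups\.com$/ REJECT"
SENDER_ESCAPED = r"/^oursuperclub-members\+bnc(.*)@googlegroups\.com$/ REJECT"
SAMPLE_SENDER = "oursuperclub-members+bncCONSTRUCTED123@googlegroups.com"


def check_sender(table_text, sender=SAMPLE_SENDER):
    rules, _ = load_table(table_text)
    return lookup(rules, sender)


if __name__ == "__main__":
    rules, errors = load_table(HELO_TABLE)
    for helo in ("LOCALHOST", "[127.0.0.1]", "192.0.2.10", "mail.example.org"):
        print(helo, "->", lookup(rules, helo))
    print("rejected lines:", errors)
    print("unescaped +:", check_sender(SENDER_UNESCAPED))
    print("escaped +:  ", check_sender(SENDER_ESCAPED))
```

On a live system, `postmap -q` against the real table remains the authoritative check.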
chrooting cleanup process ?
Hello all,

I have been trying to build a canonical address mapping through ldap, in order to replace login names by better-looking addresses, as stated in the ADDRESS_REWRITING_README, and I stumbled upon a weird behaviour : with the canonical_maps on, every time a mail is sent to my server, Postfix refuses to treat it and the logs state the following :

    Oct 20 13:57:13 server postfix/master[pid]: warning: /usr/lib/postfix/cleanup: bad command startup -- throttling
    Oct 20 13:58:13 server postfix/master[pid]: warning: process /usr/lib/postfix/cleanup pid 18924 killed by signal 11

I understood that it came from the fact that my cleanup process was chrooted - which means, I suppose, that the files I was using to store the ldap config for postfix were out of its permission area. When I un-chroot the process, everything works fine.

Now, my question would be : obviously chroot isn't necessary for cleanup to work, but is it not a bit dangerous to let it run outside of the cage ? Could you tell me what are the risks of such a configuration ?

Thanks,

--
Mickaël DEQUIDT
IFREMER - Service IMN/IDM/RIC
Centre Ifremer Bretagne - ZI de la pointe du diable
CS 10070 - 29280 Plouzané
Tel : +33 (0)2 98 22 46 04 - Fax : +33 (0)2 98 22 46 47
Re: Problem with ldap failover
Yes, these three are FreeIPA DS servers. Ldap in Dovecot running on the same server works fine.

Regards,
Michal.

On 21 October 2016 23:46:46 CEST, "A. Schulze" wrote:
>
>
>On 21.10.2016 at 13:49 MichalZ wrote:
>> server_host = ldaps://ldap3.img.local:636
>> ldaps://ldap2.img.local:636
>> ldaps://ldap.img.local:636
>
>did you check that every single server work without the others?
>
>try1: server_host = ldaps://ldap3.img.local:636
>try2: server_host = ldaps://ldap2.img.local:636
>try3: server_host = ldaps://ldap.img.local:636