Re: NOQUEUE: reject: ... 451 4.3.5 Server configuration error

2017-03-18 Thread lestraw
*Problem solved*

It turns out that in *smtpd_client_restrictions =*

I was missing the *permit_sasl_authenticated sentence*


Thanks for everything 



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/NOQUEUE-reject-451-4-3-5-Server-configuration-error-tp89530p89536.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: NOQUEUE: reject: ... 451 4.3.5 Server configuration error

2017-03-18 Thread lestraw
I put the result of postconf -n

I will put it back, I will also place the most detailed result of the
postfix log

*Postfix LOG:*

Mar 18 21:03:27 server postfix/smtpd[28381]: warning: unknown[DD.D.D.DD]:
SASL LOGIN authentication failed: AAA
Mar 18 21:03:27 server postfix/smtpd[26211]: warning: unknown smtpd
restriction: "combined.rbl.msrbl.net"
*Mar 18 21:03:27 server postfix/smtpd[26211]: NOQUEUE: reject: RCPT from
unknown[DDD.D.DDD.DDD]: 451 4.3.5 Server configuration error;
from= to=<...@a.com> proto=ESMTP
helo=<[DD.D.D.DD]>*
Mar 18 21:03:27 server postfix/smtpd[28381]: lost connection after AUTH from
unknown[DD.D.D.DD]
Mar 18 21:03:27 server postfix/smtpd[28381]: disconnect from
unknown[DD.D.D.DD]
Mar 18 21:03:28 server postfix/cleanup[30157]: C1077620DF6:
message-id=<20170319010328.c1077620...@a.com>



*Postconf - N: *

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
bounce_queue_lifetime = 30m
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 776
default_destination_recipient_limit = 776
default_process_limit = 776
delay_warning_time = 2h
fast_flush_purge_time = 30m
fast_flush_refresh_time = 15m
home_mailbox = Maildir/
html_directory = no
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 1000s
maximal_queue_lifetime = 2h
message_size_limit = 0
minimal_backoff_time = 300s
mydestination = /etc/postfix/mydestination
mydomain = .AAA
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
qmgr_message_active_limit = 4
qmgr_message_recipient_limit = 4
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = $mydestination, bonofull.com, maillion.net, unityfull.com
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connection_cache_on_demand = no
smtp_destination_concurrency_limit = 400
smtp_mx_session_limit = 776
smtp_use_tls = yes
smtpd_banner = $mydomain
smtpd_client_connection_count_limit = 400
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
permit_tls_all_clientcerts reject_rbl_client reject_rbl_client
reject_rbl_client reject_rbl_client reject_rbl_client reject_rbl_client
reject_rbl_client psbl.surriel.com reject_rhsbl_client bl.spamcop.net
combined.rbl.msrbl.net reject_rbl_client reject_rhsbl_client
reject_rbl_client reject_rhsbl_client bl.spamcannibal.org
smtpd_peername_lookup = no
smtpd_recipient_limit = 776
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
permit_inet_interfaces check_relay_domains reject_sender_login_mismatch
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks = !DDD.DD.DD.D, DDD.DDD.D.D/DD
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_tls_CAfile = /home/maillion/ssl.ca
smtpd_tls_cert_file = /home//ssl.cert
smtpd_tls_key_file = /home//ssl.key
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual


Please, help me





Re: NOQUEUE: reject: ... 451 4.3.5 Server configuration error

2017-03-18 Thread Wietse Venema
lestraw:
> Hi postfix family,
> 
> I'm using thunderbird as an email client, and when sending an email is giving
> me the following error on /var/log/maillog:
> 
> Mar 18 19:54:39 server postfix/smtpd[21712]: NOQUEUE: reject: RCPT from
> unknown[DDD.D.DDD.DDD]: 451 4.3.5 Server configuration error;
> from= to=<...@a.com> proto=ESMTP
> helo=<[DD.D.D.DD]>

That text is sent to the remote client, and therefore it has no
configuration details.

Instead, Postfix logs internal details BEFORE replying to the client.

Wietse
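
The point made in the reply above, as an added example that is not part of the original thread: the 451 line only repeats what the client was told, so the cause has to be read from the warning the same smtpd process logged just before it. The sample log is constructed (modelled on the excerpt posted in this thread, with documentation addresses), and the function name and the five-line window are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample: same shape as the excerpt posted in this thread,
# lines unwrapped, addresses replaced with documentation ranges.
SAMPLE_LOG = """\
Mar 18 21:03:27 server postfix/smtpd[28381]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: AAA
Mar 18 21:03:27 server postfix/smtpd[26211]: warning: unknown smtpd restriction: "combined.rbl.msrbl.net"
Mar 18 21:03:27 server postfix/smtpd[26211]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 451 4.3.5 Server configuration error; from=<user@a.example> to=<rcpt@b.example> proto=ESMTP helo=<[198.51.100.7]>
Mar 18 21:03:27 server postfix/smtpd[28381]: lost connection after AUTH from unknown[198.51.100.7]
Mar 18 21:03:27 server postfix/smtpd[28381]: disconnect from unknown[198.51.100.7]
"""

# Syslog prefix of an smtpd line: timestamp, host, postfix/smtpd[PID]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"postfix\S*/smtpd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
DIAG_RE = re.compile(r"^(warning|error|fatal|panic): ")
CONFIG_ERROR = "451 4.3.5 Server configuration error"


def explain_config_errors(lines, keep=5):
    """Pair each 451 4.3.5 reject with the diagnostics that the same
    smtpd process logged earlier in the same session."""
    recent = defaultdict(lambda: deque(maxlen=keep))  # pid -> last diagnostics
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if DIAG_RE.match(msg):
            recent[pid].append(msg)
        elif CONFIG_ERROR in msg:
            findings.append({
                "time": m["ts"],
                "pid": pid,
                "reject": msg,
                "causes": list(recent[pid]),  # empty if nothing was logged
            })
            recent[pid].clear()
        elif msg.startswith("disconnect from"):
            # An smtpd process serves many sessions one after another;
            # do not carry warnings over into the next session.
            recent.pop(pid, None)
    return findings


if __name__ == "__main__":
    for f in explain_config_errors(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} smtpd[{f['pid']}] sent a 451 4.3.5 reply")
        for cause in f["causes"] or ["(no diagnostic found; look further back)"]:
            print("    logged before the reply:", cause)
```

Matching on the PID keeps the unrelated SASL warning from process 28381 out of the result.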


Re: NOQUEUE: reject: ... 451 4.3.5 Server configuration error

2017-03-18 Thread lestraw
Hi postfix family,

I'm using thunderbird as an email client, and when sending an email is giving
me the following error on /var/log/maillog:

Mar 18 19:54:39 server postfix/smtpd[21712]: NOQUEUE: reject: RCPT from
unknown[DDD.D.DDD.DDD]: 451 4.3.5 Server configuration error;
from= to=<...@a.com> proto=ESMTP
helo=<[DD.D.D.DD]>

Postconf - n shows the following:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
bounce_queue_lifetime = 30m
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 776
default_destination_recipient_limit = 776
default_process_limit = 776
delay_warning_time = 2h
fast_flush_purge_time = 30m
fast_flush_refresh_time = 15m
home_mailbox = Maildir/
html_directory = no
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 1000s
maximal_queue_lifetime = 2h
message_size_limit = 0
minimal_backoff_time = 300s
mydestination = /etc/postfix/mydestination
mydomain = .AAA
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
qmgr_message_active_limit = 4
qmgr_message_recipient_limit = 4
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = $mydestination, bonofull.com, maillion.net, unityfull.com
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connection_cache_on_demand = no
smtp_destination_concurrency_limit = 400
smtp_mx_session_limit = 776
smtp_use_tls = yes
smtpd_banner = $mydomain
smtpd_client_connection_count_limit = 400
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
permit_tls_all_clientcerts reject_rbl_client reject_rbl_client
reject_rbl_client reject_rbl_client reject_rbl_client reject_rbl_client
reject_rbl_client psbl.surriel.com reject_rhsbl_client bl.spamcop.net
combined.rbl.msrbl.net reject_rbl_client reject_rhsbl_client
reject_rbl_client reject_rhsbl_client bl.spamcannibal.org
smtpd_peername_lookup = no
smtpd_recipient_limit = 776
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
permit_inet_interfaces check_relay_domains reject_sender_login_mismatch
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks = !DDD.DD.DD.D, DDD.DDD.D.D/DD
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_tls_CAfile = /home/maillion/ssl.ca
smtpd_tls_cert_file = /home//ssl.cert
smtpd_tls_key_file = /home//ssl.key
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual


*What is wrong with this configuration?*





Re: NOQUEUE: reject: ... 451 4.3.5 Server configuration error

2017-03-18 Thread Wietse Venema
lestraw:
> Hello Postfix Family,
> 
> I have configured it according to the postfix manuals a Postfix SASL e-mail
> server with Dovecot. And I'm having the following error, when I'm going to
> send an email from a client
> 
> *451 4.3.5 Server configuration error *
> 
> Postfix version 2.6.6 + Dovecot Version 2.0.9 
> 
> 
> ### ~> Postfix main.cf CENTOS6_X64
> command_directory = /usr/sbin
> daemon_directory = /usr/libexec/postfix
> 
> mydomain = domain.example
> myorigin = $mydomain
> unknown_local_recipient_reject_code = 550
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> home_mailbox = Maildir/
> smtpd_banner = $mydomain
> debug_peer_level = 2
> debugger_command =
>PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>xxgdb $daemon_directory/$process_name $process_id & sleep 5
> sendmail_path = /usr/sbin/sendmail.postfix
> newaliases_path = /usr/bin/newaliases.postfix
> mailq_path = /usr/bin/mailq.postfix
> setgid_group = postdrop
> html_directory = no
> manpage_directory = /usr/share/man
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> 
> #sasl autentication start
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_local_domain = $myhostname
> broken_sasl_auth_clients = yes
> relay_domains = $mydestination, second.example, domain.example
> smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
> permit_inet_interfaces check_relay_domains reject_sender_login_mismatch 
> #sasl autentication end
> 
> delay_warning_time = 2h
> fast_flush_refresh_time = 15m
> fast_flush_purge_time = 30m
> smtpd_recipient_limit = 776
> bounce_queue_lifetime = 30m
> maximal_queue_lifetime = 2h
> mailbox_size_limit = 0
> message_size_limit = 0
> smtp_connection_cache_on_demand = no
> smtpd_peername_lookup = no
> default_process_limit = 776
> qmgr_message_active_limit = 4
> qmgr_message_recipient_limit = 4
> default_destination_concurrency_limit = 776
> default_destination_recipient_limit = 776
> smtp_mx_session_limit = 776
> smtpd_client_connection_count_limit = 400
> smtp_destination_concurrency_limit = 400
> maximal_backoff_time = 1000s
> minimal_backoff_time = 300s
> virtual_alias_maps = hash:/etc/postfix/virtual
> sender_bcc_maps = hash:/etc/postfix/bcc
> mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
> mydestination = /etc/postfix/mydestination
> allow_percent_hack = no
> recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
> 
> # TLS parameters start
> smtpd_tls_key_file = /home/maillion/ssl.key
> smtpd_tls_CAfile = /home/maillion/ssl.ca
> smtpd_tls_cert_file = /home/maillion/ssl.cert
> smtp_use_tls = yes
> smtpd_tls_security_level = may
> # TLS parameters end
> 
> smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
> permit_tls_all_clientcerts reject_rbl_client reject_rbl_client
> reject_rbl_client reject_rbl_client reject_rbl_client reject_rbl_client
> reject_rbl_client psbl.surriel.com reject_rhsbl_client bl.spamcop.net
> combined.rbl.msrbl.net reject_rbl_client reject_rhsbl_client
> reject_rbl_client reject_rhsbl_client bl.spamcannibal.org
> mynetworks = 127.0.0.0/8
> 
> 
> *Is there any error?*
> 
> Please help me!!

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.


Re: How to setup a no-answer email properly

2017-03-18 Thread Wietse Venema
Dirk Stöcker:
> On Sat, 18 Mar 2017, Richard Damon wrote:
> 
> >>  - On your side, don't reject RCPT TO for the no-reply address.
> >>
> >>  - On your side, add a telepathic policy service that can distinguish
> >>  between RCPT TO to verify an address, and RCPT to deliver mail.
> >>
> >>  smtpd_recipient_restrictions =
> >>   
> >>   reject_unauth_destination
> >>   check_policy_service unix:/some/where/telepathic-service
> >>   check_recipient_access inline:{
> >>   { t...@email.tld = reject this address does not receive email }
> >>   }
> >>
> >>   Wietse
> >> 
> > Couldn't you do something where you accept at the RCPT TO, and then reject 
> > at 
> > End of Data having it just reject everything as spam?

Rejecting mail for a do-not-reply address at DATA or end-of-data?
That might work, but keep in mind that this rejects mail for all
recipients of the message, not just the do-not-reply address.

Wietse


NOQUEUE: reject: ... 451 4.3.5 Server configuration error

2017-03-18 Thread lestraw
Hello Postfix Family,

I have configured it according to the postfix manuals a Postfix SASL e-mail
server with Dovecot. And I'm having the following error, when I'm going to
send an email from a client

*451 4.3.5 Server configuration error *

Postfix version 2.6.6 + Dovecot Version 2.0.9 


### ~> Postfix main.cf CENTOS6_X64
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix

mydomain = domain.example
myorigin = $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
smtpd_banner = $mydomain
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

#sasl autentication start
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
relay_domains = $mydestination, second.example, domain.example
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
permit_inet_interfaces check_relay_domains reject_sender_login_mismatch 
#sasl autentication end

delay_warning_time = 2h
fast_flush_refresh_time = 15m
fast_flush_purge_time = 30m
smtpd_recipient_limit = 776
bounce_queue_lifetime = 30m
maximal_queue_lifetime = 2h
mailbox_size_limit = 0
message_size_limit = 0
smtp_connection_cache_on_demand = no
smtpd_peername_lookup = no
default_process_limit = 776
qmgr_message_active_limit = 4
qmgr_message_recipient_limit = 4
default_destination_concurrency_limit = 776
default_destination_recipient_limit = 776
smtp_mx_session_limit = 776
smtpd_client_connection_count_limit = 400
smtp_destination_concurrency_limit = 400
maximal_backoff_time = 1000s
minimal_backoff_time = 300s
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mydestination = /etc/postfix/mydestination
allow_percent_hack = no
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

# TLS parameters start
smtpd_tls_key_file = /home/maillion/ssl.key
smtpd_tls_CAfile = /home/maillion/ssl.ca
smtpd_tls_cert_file = /home/maillion/ssl.cert
smtp_use_tls = yes
smtpd_tls_security_level = may
# TLS parameters end

smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
permit_tls_all_clientcerts reject_rbl_client reject_rbl_client
reject_rbl_client reject_rbl_client reject_rbl_client reject_rbl_client
reject_rbl_client psbl.surriel.com reject_rhsbl_client bl.spamcop.net
combined.rbl.msrbl.net reject_rbl_client reject_rhsbl_client
reject_rbl_client reject_rhsbl_client bl.spamcannibal.org
mynetworks = 127.0.0.0/8


*Is there any error?*

Please help me!!






Re: How to setup a no-answer email properly

2017-03-18 Thread Dirk Stöcker

On Sat, 18 Mar 2017, Richard Damon wrote:


 - On your side, don't reject RCPT TO for the no-reply address.

 - On your side, add a telepathic policy service that can distinguish
 between RCPT TO to verify an address, and RCPT to deliver mail.

 smtpd_recipient_restrictions =
  
  reject_unauth_destination
  check_policy_service unix:/some/where/telepathic-service
  check_recipient_access inline:{
  { t...@email.tld = reject this address does not receive email }
  }

  Wietse

Couldn't you do something where you accept at the RCPT TO, and then reject at 
End of Data having it just reject everything as spam?


http://www.postfix.org/SMTPD_PROXY_README.html

When it's even possible to check spam without generating a bounce message, 
why do I need telepathy to reject a mail for a known situation in a later 
stage of mail delivery?


It is a bit of overkill to write a filter for that. I hoped there would be 
an easier way.


Could it work to "Configure the Postfix SMTP pass-through proxy feature" 
with the after filter SMTP server being directly the target (i.e. omitting 
the filter) and putting the recipient reject on this one instead of the 
initial connect?


Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: [SPAM?] Re: How to setup a no-answer email properly

2017-03-18 Thread Richard Damon

On 3/18/17 11:39 AM, Wietse Venema wrote:

Dirk Stöcker:

: host mail.remotemail.tld[X.X.X.X] said:
  550-Verification failed for  550-Called:
  Y.Y.Y.Y 550-Sent: RCPT TO:
  550-Response: 554 5.7.1 : Recipient address
  rejected: THis trac does not have an e-mail input functionality. 550 
Sender
  verify failed (in reply to RCPT TO command)

Options:

- On your side, don't reject RCPT TO for the no-reply address.

- On your side, add a telepathic policy service that can distinguish
between RCPT TO to verify an address, and RCPT to deliver mail.

smtpd_recipient_restrictions =
 
 reject_unauth_destination
 check_policy_service unix:/some/where/telepathic-service
 check_recipient_access inline:{
 { t...@email.tld = reject this address does not receive email }
 }

Wietse

Couldn't you do something where you accept at the RCPT TO, and then 
reject at End of Data having it just reject everything as spam?



--
Richard Damon



Re: How to setup a no-answer email properly

2017-03-18 Thread Wietse Venema
Dirk Stöcker:
> : host mail.remotemail.tld[X.X.X.X] said:
>  550-Verification failed for  550-Called:
>  Y.Y.Y.Y 550-Sent: RCPT TO:
>  550-Response: 554 5.7.1 : Recipient address
>  rejected: THis trac does not have an e-mail input functionality. 550 
> Sender
>  verify failed (in reply to RCPT TO command)

Options:

- On your side, don't reject RCPT TO for the no-reply address.

- On your side, add a telepathic policy service that can distinguish
between RCPT TO to verify an address, and RCPT to deliver mail.

smtpd_recipient_restrictions =

reject_unauth_destination
check_policy_service unix:/some/where/telepathic-service
check_recipient_access inline:{
{ t...@email.tld = reject this address does not receive email }
}

Wietse


Re: How to setup a no-answer email properly

2017-03-18 Thread Dirk Stöcker

On Sat, 18 Mar 2017, Wietse Venema wrote:


I'm operating a bug tracker which sends out emails to participants
notifying of ticket changes. For new submitters it often happened, that
they simply did reply by mail which won't work with this instance.

Now I changed our setup a bit

In postfix main.cf:
smtpd_recipient_restrictions = ...check_recipient_access 
hash:/etc/postfix/recipient_access...

and
recipient_access:
t...@mail.tld reject This trac does not have an e-mail input functionality.

This works like a charm, but then today something new did pop up. Sender
verify. It seems there are mail servers outside which connect back to the
original server and check for errors:

 550-Verification failed for  550-Previous
 (cached) callout verification failure 550 Sender verify failed (in reply to
 RCPT TO command)

This prevents to notify them completely, as their servers won't accept any
mail from the ticket system. Turning off that feature I'd need to manually
inform mail senders again which I want to prevent.

Is there any solution to satisfy the "no-reply" mail address feature and
these sender verifiers. They don't actually send a mail, so maybe my
reject can come a bit later in the mail receiving process?


Whitelist the address up-stream:

   
   reject_unauth_destination
   check_recipient_access inline:{t...@mail.tld=permit}
   reject_unverified_recipient
   

or the equivalent idiom for a non-Postfix system that makes the callout.


You mean on the receivers side? I don't have control over their systems. 
I can change only the sending server. Maybe I've been unclear? The error 
message is an excerpt from the local postfix for an email I sent - Here's 
the full text:


: host mail.remotemail.tld[X.X.X.X] said:
550-Verification failed for  550-Called:
Y.Y.Y.Y 550-Sent: RCPT TO:
550-Response: 554 5.7.1 : Recipient address
rejected: THis trac does not have an e-mail input functionality. 550 Sender
verify failed (in reply to RCPT TO command)

or in a second mail

: host mail.remotemail.org[X.X.X.X] said:
550-Verification failed for  550-Previous
(cached) callout verification failure 550 Sender verify failed (in reply to
RCPT TO command)

I got two rejects, because I did not properly handle mail rejects for this 
address (all the others had an owner-xxx, except this one :-(. That should 
be fixed now.


Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: How to setup a no-answer email properly

2017-03-18 Thread Wietse Venema
Dirk Stöcker:
> Hello,
> 
> I'm operating a bug tracker which sends out emails to participants 
> notifying of ticket changes. For new submitters it often happened, that 
> they simply did reply by mail which won't work with this instance.
> 
> Now I changed our setup a bit
> 
> In postfix main.cf:
> smtpd_recipient_restrictions = ...check_recipient_access 
> hash:/etc/postfix/recipient_access...
> 
> and
> recipient_access:
> t...@mail.tld reject This trac does not have an e-mail input functionality.
> 
> This works like a charm, but then today something new did pop up. Sender 
> verify. It seems there are mail servers outside which connect back to the 
> original server and check for errors:
> 
>  550-Verification failed for  550-Previous
>  (cached) callout verification failure 550 Sender verify failed (in reply 
> to
>  RCPT TO command)
> 
> This prevents to notify them completely, as their servers won't accept any 
> mail from the ticket system. Turning off that feature I'd need to manually 
> inform mail senders again which I want to prevent.
> 
> Is there any solution to satisfy the "no-reply" mail address feature and 
> these sender verifiers. They don't actually send a mail, so maybe my 
> reject can come a bit later in the mail receiving process?

Whitelist the address up-stream:

 
reject_unauth_destination 
check_recipient_access inline:{t...@mail.tld=permit}
reject_unverified_recipient


or the equivalent idiom for a non-Postfix system that makes the callout.

Wietse


How to setup a no-answer email properly

2017-03-18 Thread Dirk Stöcker

Hello,

I'm operating a bug tracker which sends out emails to participants 
notifying of ticket changes. For new submitters it often happened, that 
they simply did reply by mail which won't work with this instance.


Now I changed our setup a bit

In postfix main.cf:
smtpd_recipient_restrictions = ...check_recipient_access 
hash:/etc/postfix/recipient_access...

and
recipient_access:
t...@mail.tld reject This trac does not have an e-mail input functionality.

This works like a charm, but then today something new did pop up. Sender 
verify. It seems there are mail servers outside which connect back to the 
original server and check for errors:


550-Verification failed for  550-Previous
(cached) callout verification failure 550 Sender verify failed (in reply to
RCPT TO command)

This prevents to notify them completely, as their servers won't accept any 
mail from the ticket system. Turning off that feature I'd need to manually 
inform mail senders again which I want to prevent.


Is there any solution to satisfy the "no-reply" mail address feature and 
these sender verifiers. They don't actually send a mail, so maybe my 
reject can come a bit later in the mail receiving process?


Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: policyd-spf and temperrors

2017-03-18 Thread Scott Kitterman


On March 18, 2017 6:13:15 AM EDT, Alex JOST  wrote:
>On 17.03.2017 at 22:38, James B. Byrne wrote:
>> The host system runs under CentOS-6.  Other than Postfix itself all
>> the packages on this system are either from CentOS or EPEL.  Python
>> was last updated in September 2016.  pypolicd-spf was last updated
>> January 2017.  These problems only evidenced themselves very
>recently:
>
>> Moving to the most recent version of pypolicyd-spf requires upgrading
>> python.  Since the YUM package manager on CentOS-6 requires python
>2.6
>> this is a non-starter.
>
>AFAIK Red Hat provides a newer version of python via Software 
>Collections. That should make it easy to run both versions side by
>side.

The new version needs python3, FYI.

Scott K


Re: Monitoring Postfix Mail queue with SNMP

2017-03-18 Thread Wietse Venema
Geert Stappers:
> On Fri, Mar 17, 2017 at 01:25:45PM -0400, Viktor Dukhovni wrote:
> > > On Mar 17, 2017, at 1:06 PM, Sean Son  
> > > wrote:
> > > 
> > > Hello all
> > > 
> > > We would like to monitor Postfix mail queues using SNMP so we
> > > can receive alerts whenever the mail queue reaches a certain
> > > threshold. What OID and MIB would we have to use to be able to
> > > monitor Postfix mail queues?
> > 
> > I don't recall a specific MIB that covers mail queues, however
> > I recommend against monitoring the queue's message count, too
> > many false alarms from spikes in traffic.  What is more useful
> > to monitor is average time from queue entry to queue exit, and
> > also average age in the active queue.
> > 
> > See QSHAPE_README and also monitor the "c+d" delay sum from
> > the "delays=a/b/c/d" log entries (de-duping for multi-recipient
> > deliveries of a single message).  At prior employer, we computed
> > a slowly exponentially decaying moving average of the "c+d" times
> > as indicators of current congestion, and queue age as indicators
> > of "stuck" messages.
> > 
> > Just counting messages is not terribly useful IMHO.
> > 
> 
> Is the delay information available in /var/spool/postfix/public/showq ?

Viktor is talking about files that are no longer in the queue.

There is a fundamental difference between queue (current state)
and logging (history).

Wietse
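
The log-based measurement described in the quoted advice, as an added example that is not part of the original thread: take the "c+d" sum from each "delays=a/b/c/d" entry, count a multi-recipient delivery once, and feed the values into an exponentially decaying moving average. The sample log is constructed; the smoothing factor of 0.2 and de-duplication on queue ID plus identical delays values are assumptions.

```python
import re

# Constructed sample delivery log. The first two lines are one SMTP
# transaction with two recipients, so they carry the same delays= value.
SAMPLE_LOG = """\
Mar 18 21:03:30 server postfix/smtp[30160]: C1077620DF6: to=<a@one.example>, relay=mx.one.example[192.0.2.10]:25, delay=1.7, delays=0.2/0.01/0.9/0.59, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Mar 18 21:03:30 server postfix/smtp[30160]: C1077620DF6: to=<b@one.example>, relay=mx.one.example[192.0.2.10]:25, delay=1.7, delays=0.2/0.01/0.9/0.59, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Mar 18 21:03:41 server postfix/smtp[30161]: 5A2B1620E01: to=<c@two.example>, relay=mx.two.example[198.51.100.20]:25, delay=12, delays=0.1/0.02/4/8.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Mar 18 21:04:02 server postfix/local[30170]: 9F00C620E22: to=<root@a.example>, relay=local, delay=0.05, delays=0.03/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Mar 18 21:04:10 server postfix/smtp[30162]: 77D3E620E40: to=<d@three.example>, relay=none, delay=30, delays=0.1/0.01/30/0, dsn=4.4.1, status=deferred (connect timed out)
"""

# delays=a/b/c/d: a = before the queue manager, b = in the queue manager,
# c = connection setup, d = message transmission.
DELIVERY_RE = re.compile(
    r"postfix\S*/\w+\[\d+\]:\s(?P<qid>[0-9A-Za-z]+):\s.*?"
    r"\bdelays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)"
)


def cd_samples(lines):
    """Return [(queue_id, c + d)] with one entry per delivery attempt.

    Recipients delivered in the same transaction log identical delays,
    so (queue ID, delays) is used as the de-duplication key (assumption).
    """
    seen = set()
    samples = []
    for line in lines:
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        key = (m["qid"], m["a"], m["b"], m["c"], m["d"])
        if key in seen:
            continue
        seen.add(key)
        samples.append((m["qid"], float(m["c"]) + float(m["d"])))
    return samples


def ewma(values, alpha=0.2):
    """Exponentially weighted moving average; a smaller alpha decays more
    slowly. Returns None when there are no samples."""
    avg = None
    for v in values:
        avg = v if avg is None else alpha * v + (1 - alpha) * avg
    return avg


def congestion(lines, alpha=0.2):
    """Current c+d moving average over a log, in seconds."""
    return ewma((cd for _, cd in cd_samples(lines)), alpha)


if __name__ == "__main__":
    for qid, cd in cd_samples(SAMPLE_LOG.splitlines()):
        print(f"{qid}  c+d = {cd:.2f}s")
    print(f"moving average: {congestion(SAMPLE_LOG.splitlines()):.3f}s")
```

Because it reads delivery records, this measures messages that have already left the queue, which is the history side of the queue/logging distinction drawn in the reply.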


Re: gmail servers on blacklists?

2017-03-18 Thread Christian Kivalo

On 2017-03-17 22:47, David Mehler wrote:

Hello,

Thank you.

Hi

Please reply to the list


I have postwhite running, not sure if it's updating?

Do you run postwhite and if so do you have an update procedure so you
always have the updated postwhite?
I use it but doing updates manually. Doing it automatically is on a todo 
list ;)

Thanks.
Dave.

On 3/17/17, Christian Kivalo  wrote:



On 2017-03-17 22:12, David Mehler wrote:

Hello,

I'm starting to see blocks on my messages to my mail server. For some
reason postscreen is not letting any gmail servers send mail, it's
blocking them.

Has anyone got an idea or have you seen this?

You could use postwhite https://github.com/stevejenkins/postwhite to
whitelist gmail.
The map is created by postwhite from gmails spf records.

--
  Christian Kivalo



--
 Christian Kivalo


Re: policyd-spf and temperrors

2017-03-18 Thread Alex JOST

On 17.03.2017 at 22:38, James B. Byrne wrote:

The host system runs under CentOS-6.  Other than Postfix itself all
the packages on this system are either from CentOS or EPEL.  Python
was last updated in September 2016.  pypolicd-spf was last updated
January 2017.  These problems only evidenced themselves very recently:



Moving to the most recent version of pypolicyd-spf requires upgrading
python.  Since the YUM package manager on CentOS-6 requires python 2.6
this is a non-starter.


AFAIK Red Hat provides a newer version of python via Software 
Collections. That should make it easy to run both versions side by side.


--
Alex JOST


Re: Monitoring Postfix Mail queue with SNMP

2017-03-18 Thread Geert Stappers
On Fri, Mar 17, 2017 at 01:25:45PM -0400, Viktor Dukhovni wrote:
> > On Mar 17, 2017, at 1:06 PM, Sean Son  
> > wrote:
> > 
> > Hello all
> > 
> > We would like to monitor Postfix mail queues using SNMP so we
> > can receive alerts whenever the mail queue reaches a certain
> > threshold. What OID and MIB would we have to use to be able to
> > monitor Postfix mail queues?
> 
> I don't recall a specific MIB that covers mail queues, however
> I recommend against monitoring the queue's message count, too
> many false alarms from spikes in traffic.  What is more useful
> to monitor is average time from queue entry to queue exit, and
> also average age in the active queue.
> 
> See QSHAPE_README and also monitor the "c+d" delay sum from
> the "delays=a/b/c/d" log entries (de-duping for multi-recipient
> deliveries of a single message).  At prior employer, we computed
> a slowly exponentially decaying moving average of the "c+d" times
> as indicators of current congestion, and queue age as indicators
> of "stuck" messages.
> 
> Just counting messages is not terribly useful IMHO.
> 

Is the delay information available in /var/spool/postfix/public/showq ?

So could the info be used by https://github.com/kumina/postfix_exporter ?



Regards
Geert Stappers
-- 
Live and let live