Re: abusive language by Reindl

2013-01-14 Thread Ansgar Wiechers
On 2013-01-14 Reindl Harald wrote:
 On 13.01.2013 23:18, Matthias Andree wrote:
 Sorry for the noise, and apologies for confusing two persons.
 One has apparently learned their lesson, the other jumped to defend
 the trespasser and has now resorted to insults rather than limiting
 himself to pointing out the misaddressing.
 
 maybe the next time you should consider not reply offlist and explain
 somebody that he making himself to a monkey in the public and that he
 should configure his thunderbird or make a new thunderbird profile and
 RTFM as long you are not able to recognize who is who in a thread and
 do not understand what he tried to explain
 
 especially you should at least stop reply offlist after the one
 explained you that you are talking to the wrong person but you still
 continue your b***t

This conversation is extremely off-topic, so kindly stop dragging it
back on-list.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Simplest approach to full-adress aliases?

2012-11-17 Thread Ansgar Wiechers
On 2012-11-17 Jan Johansson wrote:
 Having mostly used Exim I am trying to sort out a few things with a
 postfix (2.8.5-2~build0.11.04  on Ubuntu)  install.
 
 Basically, I want a forwarding mechanism that can map
 us...@domainalpha.com to
 anotheru...@anotherdomain.com
 So, whats the easiest way to set this up? Manually handling flat files
 would be sufficient.

That's what $virtual_alias_maps [1] is for.

Add the following line to main.cf:

virtual_alias_maps = hash:/etc/postfix/virtual

Create a file /etc/postfix/virtual with the mappings you need:

us...@domainalpha.com  anotheru...@anotherdomain.com

Run postmap /etc/postfix/virtual to create the hash database.

For further information see the VIRTUAL_README [2].

[1] http://www.postfix.org/postconf.5.html#virtual_alias_maps
[2] http://www.postfix.org/VIRTUAL_README.html

Regards
Ansgar Wiechers
-- 
All vulnerabilities deserve a public fear period prior to patches
becoming available.
--Jason Coombs on Bugtraq


Re: status=bounced (user unknown)

2012-08-28 Thread Ansgar Wiechers
On 2012-08-28 Thufir wrote:
 http://askubuntu.com/a/155676/45156 says to remove $mydomain from
 
 mydestination = $mydomain, localhost.$mydomain, localhost
 
 but why?

As the answer says you should only do that when the host is not supposed
to be the final destination for $mydomain.

 Just as anything to @localhost should get spooled to /var/mail/,
 shouldn't $mydomain similarly get spooled exactly as localhost?  Isn't
 that rather the point, to spool only what's in mydestination, anything
 else gets bounced or sent on?

$mydestination defines those domains that the server is the final
destination for. Under the circumstances outlined in the post you
mentioned, you don't want the server to be the final destination for
$mydomain, thus you remove it from $mydestination.

[...]
 Aug 28 02:42:35 dur postfix/pipe[22396]: 14C6E182CA7:
 to=thu...@dur.bounceme.net, relay=mailman, delay=38,
 delays=38/0.03/0/0.41, dsn=5.1.1, status=bounced (user unknown)
[...]
 This sorta kinda works, in that at least the message is accepted,
 although it's later bounced.  Why is the user unknown?  To my mind,
 the user should be known.

We wouldn't know unless you decide to provide some more information.
Apparently your server is configured to relay mail for the domain
dur.bounceme.net to mailman, which doesn't seem to be configured to
accept the recipient thu...@dur.bounceme.net.

Please post the output of postconf -n.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Secondary mail serveur for non local adress

2012-08-28 Thread Ansgar Wiechers
On 2012-08-28 VALOIS, Pascal wrote:
 I want to set up a postfix server which receives mails for the domain
 @test.fr, with a fallback for unknown addresses, where unknown addresses
 @devinci.fr will be sent to a secondary server.
 
 i added to my main.cf
 
 fallback_transport_maps = hash:/etc/mail/transport
 
 my transport map containing:
 
 .test.fr SMTP:fallback.devinci.fr
 test.fr SMTP:fallback.devinci.fr
 
 but when I send a mail to bobisnotth...@devinci.fr, postfix replies
 that the user is unknown in the virtual alias table instead of sending
 it to the fallback.
 
 any idea ?

I doubt that what you're trying to achieve is possible. A server cannot
at the same time be the final destination and not the final destination
for a given domain.

What is the actual problem you're trying to solve with a setup like
this?

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: status=bounced (user unknown)

2012-08-28 Thread Ansgar Wiechers
On 2012-08-28 Thufir wrote:
 relay_domains = lists.dur.bounceme.net

You configured lists.dur.bounceme.net as the domain for your mailing
lists, but ...

 Aug 28 04:28:36 dur postfix/smtp[5985]: E0507184319:
 to=b...@dur.bounceme.net, relay=none, delay=58,
 delays=58/0.02/0.06/0, dsn=4.4.1, status=deferred (connect to
 dur.bounceme.net[70.71.113.158]:25: Connection refused)

... then you use dur.bounceme.net (without the lists subdomain) as the
recipient domain, i.e. you're not sending anything to a list address in
the first place. Also, you don't seem to have a host that is the final
destination for dur.bounceme.net (dur.bounceme.net is $myhostname, but
not listed in $mydestination).

What happens is most likely this:

1. You submit a message to b...@dur.bounceme.net from 127.0.0.1.

2. 127.0.0.1 is listed in $mynetworks and thus allowed to relay by the
   permit_mynetworks restriction in $smtpd_recipient_restrictions.

3. $relay_transport is set to relay (which is the default anyway), and
   neither $relay_transport, nor $sender_dependent_relayhost_maps, nor
   $relayhost are set, so the recipient domain (dur.bounceme.net)
   becomes the nexthop destination (see the relay_transport entry in
   man 5 postconf).

4. Postfix on dur.bounceme.net is not listening on the external
   interface ($inet_interfaces = loopback-only), so the connection to
   70.71.113.158:25 fails.

If you want your server to accept mail for dur.bounceme.net, you must
either make it the final destination for that domain, or you have to
make the server accept mail to that domain for relaying.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: error when using procmail to forward message

2012-08-07 Thread Ansgar Wiechers
On 2012-08-07 Al Zick wrote:
 I set up procmail. I have a system-wide config:
 
 LOGFILE=/var/log/procmail.log
 VERBOSE=on
 
 :0B:
 * (://[A-Za-z0-9.-]+\.ru)
 /dev/null
 
 :0:
 * ^Subject: (Rolex)
 /dev/null
 
 :0
 * ^Subject: (anoncvs)
 ! m...@server1.com some...@server2.com
 
 I checked the log and it is putting spam in /dev/null, but there are
 errors in procmail.log whenever it tries to forward the emails:
 
 sendmail: warning: the Postfix sendmail command has set-uid root file
 permissions
 sendmail: warning: or the command is run from a set-uid root process
 sendmail: warning: the Postfix sendmail command must be installed
 without set-uid root file permissions

These are warnings, not errors.

 Is there a way to fix this?

chmod u-s /usr/sbin/sendmail

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Best way to protect backup-mx?

2012-08-07 Thread Ansgar Wiechers
On 2012-08-07 tobi wrote:
 I'm currently doing some brainstorming on how to protect backup-mx
 servers from being directly contacted by clients.

That kinda defeats the purpose of having a backup MX in the first place.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Best way to protect backup-mx?

2012-08-07 Thread Ansgar Wiechers
On 2012-08-07 tobi wrote:
 On 07.08.2012 20:04, Stan Hoeppner wrote:
 The first thing you need to do is define for us what protect
 backup-mx servers means.  What, exactly, do you want to protect
 them from?
 
 Sorry if my intention was only clear to myself ;-)
 I want to prevent clients from connecting to my backup-mx as long as the
 main-mx is up and running. Spammers sometimes try this by connecting
 directly to a backup-mx instead of trying the main-mx first.

Why do you consider this a problem? Your backup MX should neither accept
nor allow anything the primary MX wouldn't.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Piping mail to script

2012-08-03 Thread Ansgar Wiechers
On 2012-08-03 DN Singh wrote:
 I have a setup to receive mails for a subdomain, which is also the
 hostname of the server. I want to use system users as mailboxes. This
 used to work fine until I implemented catch-all address. I added an
 entry @domain.tld u...@domain.tld in virtual map. But, all mails
 went to that user.

Umm... yes. This is expected behavior. Not to mention that a catch-all
is a Really Bad Idea(tm) to begin with. What problem are you trying to
solve by doing this?

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky
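The $virtual_alias_maps setup described in the "Simplest approach to full-adress aliases?" reply and the catch-all surprise in the "Piping mail to script" thread both come down to the order in which Postfix consults the virtual alias table. The following Python model is an added example, not code from the list or from the Postfix project; the table contents, the domain domain.tld and the helper names are constructed for illustration, and the lookup order (user@domain, then the bare user for the server's own domains, then @domain, with recursive expansion) is the one documented in virtual(5), simplified to a single table.

```python
"""Model of how Postfix consults virtual_alias_maps (added example, not code
from the list posts). The table below is constructed. Lookup order follows
virtual(5): user@domain, then the bare user (only when the domain is one of
the server's own domains), then @domain; each result is looked up again until
an address maps to itself or to nothing, bounded by a recursion limit."""

RECURSION_LIMIT = 1000  # mirrors Postfix's default virtual_alias_recursion_limit


def parse_table(text):
    """Parse a postmap-style text table: 'key value[, value...]' per line."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return table


def lookup_once(table, address, local_domains):
    """One virtual(5) lookup; returns the list of results or None."""
    user, _, domain = address.lower().partition("@")
    candidates = [address.lower()]
    if domain in local_domains:
        candidates.append(user)          # bare user only for our own domains
    candidates.append("@" + domain)      # domain-wide catch-all comes last
    for key in candidates:
        if key in table:
            return table[key]
    return None


def expand(table, address, local_domains):
    """Expand one recipient into the final list of delivery addresses."""
    final, work, steps = [], [address], 0
    while work:
        addr = work.pop(0)
        result = lookup_once(table, addr, local_domains)
        if result is None:
            final.append(addr)
            continue
        steps += 1
        if steps > RECURSION_LIMIT:
            raise RuntimeError(f"virtual alias loop while expanding {address}")
        pending = []
        for target in result:
            if target.lower() == addr.lower():
                final.append(target)     # identity mapping: stop expanding
            else:
                pending.append(target)
        work = pending + work
    return final


def hijacked_by_catch_all(table, addresses, local_domains):
    """Addresses whose mail would no longer reach their own mailbox."""
    return [a for a in addresses if expand(table, a, local_domains) != [a]]


# Constructed example: a catch-all plus an identity entry exempting one user.
TABLE = parse_table("""
# virtual_alias_maps source file (constructed)
@domain.tld        helpdesk@domain.tld
bob@domain.tld     bob@domain.tld
sales@domain.tld   alice@domain.tld, bob@domain.tld
""")
LOCAL_DOMAINS = {"domain.tld"}

if __name__ == "__main__":
    for rcpt in ("carol@domain.tld", "bob@domain.tld", "sales@domain.tld"):
        print(rcpt, "->", expand(TABLE, rcpt, LOCAL_DOMAINS))
    print("lost to catch-all:", hijacked_by_catch_all(
        TABLE, ["bob@domain.tld", "carol@domain.tld"], LOCAL_DOMAINS))
```

Running it shows why the catch-all swallowed the system users' mail: carol@domain.tld has no entry of her own, so the @domain.tld row wins and her mail goes to helpdesk, and even the alias target alice@domain.tld is redirected the same way. Only bob, who has an explicit identity row, keeps his mailbox; every address that should be exempt from a catch-all needs such a row.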


Re: Recipient delimiter

2012-07-28 Thread Ansgar Wiechers
On 2012-07-28 Andrea Gozzi wrote:
 I currently have a postfix setup with virtual users on a mysql database
 and dovecot as lda.
 I wanted to implement the + separator to route specific messages to a
 custom destination folder (within the account).
 
 Can I do that directly in postfix or should I create ad-hoc rules in
 dovecot (eg sieve) to do it?
 Moreover, I have recipient_bcc_maps on and the user requiring the
 delimiter is listed there. Will the separator have any impact on that?

Postfix delivers to mailboxes. It doesn't know or care about the inner
workings of a mailbox. For placing a message in a particular folder
inside a mailbox you have to use sieve.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: BCP on throttling outbound mail

2012-07-25 Thread Ansgar Wiechers
On 2012-07-25 mouss wrote:
 On 24/07/2012 08:37, Stan Hoeppner wrote:
 You'd think humans beings would be smart enough to follow directions
 and use strong passwords, AV software, etc, and not fall for phishing
 scams. Your adversary in this war isn't the spammers, it's not the
 technology, but your users.
 
 oh come on! the users excuse is way too old. if your software accepts
 weak passwords, then the problem is with the software, not the user.

I'd have to disagree on this one. How do you measure strength or
weakness of a password?

Length? Is aa strong?

Complexity? Is Passw0rd strong?

A combination of the above? Is JosephAverage4/1/1999 strong?

Frequent password changes? Is simplepassword## strong? (## being a
sequential number)

How do you effectively protect your infrastructure against users or
(worse) customers writing their passwords on PostIts and leaving them
around? How do you effectively protect your infrastructure against
customers getting their own systems compromised?

If you happen to have a solution for this problem, I'm honestly
interested in learning about it, because I don't see any.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: BCP on throttling outbound mail

2012-07-25 Thread Ansgar Wiechers
Mark,

On 2012-07-25 Mark Blackman wrote:
 On 25 Jul 2012, at 08:20, Ansgar Wiechers wrote:
 On 2012-07-25 mouss wrote:
 oh come on! the users excuse is way too old. if your software accepts
 weak passwords, then the problem is with the software, not the user.
 
 I'd have to disagree on this one. How do you measure strength or
 weakness of a password?
 
 Length? Is aa strong?
 
 Complexity? Is Passw0rd strong?
 
 A combination of the above? Is JosephAverage4/1/1999 strong?
 
 Frequent password changes? Is simplepassword## strong? (## being a
 sequential number)
 
 How do you effectively protect your infrastructure against users or
 (worse) customers writing their passwords on PostIts and leaving them
 around? How do you effectively protect your infrastructure against
 customers getting their own systems compromised?
 
 If you happen to have a solution for this problem, I'm honestly
 interested in learning about it, because I don't see any.
 
 Isn't the conventional wisdom that a long password consisting of 3 or 4
 common but longer words is sufficient and memorable, along the lines
 of the famous XKCD panel? 

Please re-read what I wrote, particularly the second half of it. Is
Joseph Zebediah Average 4/1/1999 really a strong password? If not: how
do you prevent users/customers from using a password like that? And how
do you prevent a customer's system from being compromised with, say, a
keylogger?

 Obviously there's more to it than that, but I didn't think there was
 much disagreement about the ideal form of a memorable and strong
 password. It's a given that your attacker will have an idea what form
 of password to test for, if not the actual password.

Indeed there isn't much disagreement on what forms a strong password (in
principle). I do fail to see how this could be enforced on a technical
level, though.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: BCP on throttling outbound mail

2012-07-25 Thread Ansgar Wiechers
On 2012-07-25 Mark Blackman wrote:
 On 25 Jul 2012, at 10:09, Ansgar Wiechers wrote:
 Please re-read what I wrote, particularly the second half of it. Is
 Joseph Zebediah Average 4/1/1999 really a strong password?
 
 It is a strong password, unless you believe attackers would regard
 that format as a promising format to exploit. I think that's unlikely
 to be a promising format to exploit at the moment.

I would regard any combination of personal name and birth date as a
pretty darn promising format to exploit at any time.

 If not: how do you prevent users/customers from using a password like
 that?
 
 Well, if you really believe that format is likely, you test for it.

How would you test for likely combinations of users' (or customers')
personal information? And how do you account for the reduction in key
space these checks would introduce?

 And how do you prevent a customer's system from being compromised
 with, say, a keylogger?
 
 Keyloggers are a completely separate question from passwords and
 operate on a different level.

I beg to differ. Keyloggers are a rather prominent means for obtaining
passwords.

 Obviously there's more to it than that, but I didn't think there was
 much disagreement about the ideal form of a memorable and strong
 password. It's a given that your attacker will have an idea what
 form of password to test for, if not the actual password.
 
 Indeed there isn't much disagreement on what forms a strong password
 (in principle). I do fail to see how this could be enforced on a
 technical level, though.
 
 You can readily enforce minimum length of say 12-16 characters which
 is a great place to start and of course that says nothing about
 keyloggers or other infiltrations.

Length is just that: a good start. It's nothing more. Particularly it's
not a silver bullet. I can easily name you passwords or phrases of 20
characters length, which would require very, VERY little effort to
break.  being the simplest of examples.

 If you're assuming that keyloggers are omnipresent, then you've
 already given up on security.

No. That doesn't change anything about keyloggers being an apparent
threat, though. Omnipresence is not required.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Postfix Issue

2012-07-23 Thread Ansgar Wiechers
On 2012-07-23 Marius Lewies wrote:
 We have a situation where a certain email address gets the following
 error.  All other mail gets relayed.
 
 SMTP error from remote mail server after RCPT
 TO:mariu...@vegaspartnerlounge.dk:
 host maila.vegaspartnerlounge.dk [196.14.16.67]:
 554 5.7.1 mariu...@vegaspartnerlounge.dk: Relay access denied
 
 Below is the main.cf file.

As requested per the list's welcome message: do NOT post your main.cf,
but the output of postconf -n. The latter is your active Postfix
configuration. Also post an excerpt from your mail log demonstrating the
problem.

 The email address is added to all_ad_recipients and the domain to
 relay_domains.  I have checked and we are not blacklisted.
 
 What am I missing?

Did you postmap all_ad_recipients after adding the recipient address?
And $relay_domains is a list, not a map, so the line in main.cf should
be like this:

  relay_domains = /etc/postfix/relay_domains

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Postfix Issue

2012-07-23 Thread Ansgar Wiechers
Please keep this on-list. You're neither family, nor personal friend,
nor paying customer, so you're not entitled to personal support.

On 2012-07-23 Marius Lewies wrote:
 Did you postmap all_ad_recipients after adding the recipient address?
 = Yes, did run a ./getadusers and verified that the address does exist.

That was not the question.

I don't know what the command getadusers does, but I assume that it's
a script querying users' mail addresses from AD and writing them to a
file. Does the script run the postmap command on the file afterwards?
And how did you verify that the address exists?

 Should I do something else with postmap? What is the meaning?

You need to run the command to convert the (plain text) map into the
database file that Postfix uses. You can also use the command to check
the map for existence of a particular key, e.g.:

  postmap -q mariu...@vegaspartnerlounge.dk \
  hash:/etc/postfix/all_ad_recipients

 And $relay_domains is a list, not a map, so the line in main.cf should
 be like this: = This used to work before the new address was added.  All
 other domains within the file are relaying.  What is the difference
 between a map and a list?

A map is mapping one thing to another thing. Hence the name.

  f...@example.com x
  b...@example.com x
  ...

For some maps the right-hand value defines the action to be taken (e.g.
DUNNO, REJECT, OK). For $relay_recipient_maps, however, the right-hand
value merely needs to exist, which will indicate a valid address.

A list OTOH is just a list, i.e. a flat file with one item per line.

  example.com
  example.org
  ...

 relay_domains = /etc/postfix/relay_domains
 
 Postconf -n result
[...]
 relay_domains = hash:/etc/postfix/relay_domains

Fix that.

[...]
 smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_non_fqdn_recipient,
   reject_unauth_destination,

This is barely safe. The reject_unauth_destination restriction is the
one that prevents you from being an open relay. It should be the first
rule after those that allow relaying for selected clients (i.e.
permit_mynetworks and/or permit_sasl_authenticated).

   reject_unauth_pipelining,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   check_client_access regexp:/etc/postfix/blacklist_clients,

RBL lookups are usually more expensive than lookups in local tables, so
reject_rbl_client should go after check_client_access.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky
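The two review points above, that reject_unauth_destination must come before anything that can permit an untrusted client and that cheap local table lookups belong before RBL queries, are easy to see with a small evaluator for a restriction list. The Python below is an added example written for this thread, not code from the list or from Postfix: the networks, domains, client names and the stand-in RBL and access table are constructed, and each restriction is a simplified model of the Postfix restriction of the same name.

```python
"""Model of smtpd_recipient_restrictions evaluation (added example; all
configuration values below are constructed, not the poster's)."""
import ipaddress
import re

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MYDESTINATION = {"mx.example.net", "localhost"}
RELAY_DOMAINS = {"example.com"}             # relay_domains is a list of domains
RBL_LISTED = {"198.51.100.7"}                # stand-in for a DNSBL's answers
CLIENT_ACCESS = [                            # regexp: access table, first match wins
    (re.compile(r"\.spammer\.example$"), "REJECT"),
    (re.compile(r"^partner-mx\.example\.org$"), "OK"),
]
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}


class Session:
    """State of one RCPT TO, including how many RBL queries it cost."""
    def __init__(self, ip, hostname, rcpt):
        self.ip = ipaddress.ip_address(ip)
        self.hostname = hostname
        self.rcpt = rcpt
        self.rbl_lookups = 0


# Every restriction returns OK, REJECT or DUNNO (no opinion, continue).
def permit_mynetworks(s):
    return "OK" if any(s.ip in net for net in MYNETWORKS) else "DUNNO"


def reject_non_fqdn_recipient(s):
    return "DUNNO" if "." in s.rcpt.rpartition("@")[2] else "REJECT"


def reject_unauth_destination(s):
    domain = s.rcpt.rpartition("@")[2].lower()
    return "DUNNO" if domain in MYDESTINATION or domain in RELAY_DOMAINS else "REJECT"


def reject_rbl_client(s):
    s.rbl_lookups += 1                       # a DNS round trip in real life
    return "REJECT" if str(s.ip) in RBL_LISTED else "DUNNO"


def check_client_access(s):
    for pattern, action in CLIENT_ACCESS:
        if pattern.search(s.hostname):
            return action
    return "DUNNO"


def evaluate(restrictions, session):
    """First OK/REJECT wins; an exhausted list permits, as in Postfix."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "OK", "end-of-list"


def relay_guard_ok(restrictions):
    """True if nothing but trusted permits and reject_* rules precede the
    relay guard, i.e. no access table can whitelist a client into relaying."""
    names = [r.__name__ for r in restrictions]
    if "reject_unauth_destination" not in names:
        return False
    before = names[: names.index("reject_unauth_destination")]
    return all(n in TRUSTED_PERMITS or n.startswith("reject_") for n in before)


AS_POSTED = [permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination,
             reject_rbl_client, check_client_access]
RECOMMENDED = [permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination,
               check_client_access, reject_rbl_client]
OPEN_RELAY = [permit_mynetworks, check_client_access, reject_unauth_destination]

if __name__ == "__main__":
    s = Session("198.51.100.7", "host.spammer.example", "user@example.com")
    print(evaluate(AS_POSTED, s), "RBL lookups:", s.rbl_lookups)
    s = Session("198.51.100.7", "host.spammer.example", "user@example.com")
    print(evaluate(RECOMMENDED, s), "RBL lookups:", s.rbl_lookups)
    print("relay guard intact:", relay_guard_ok(OPEN_RELAY))
```

With the posted order a blacklisted client still costs one RBL query before the local table rejects it; with the local table first it costs none. The OPEN_RELAY list shows the failure mode the reply warns about: an access table answering OK before reject_unauth_destination lets that client relay to any destination, and relay_guard_ok flags exactly that ordering.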


Re: Postfix Issue

2012-07-23 Thread Ansgar Wiechers
On 2012-07-23 Marius Lewies wrote:
 Referring to Ansgar's reply it seems that relay_domains.db is out of
 date.  Ansgar suggested "You need to run the command to convert the
 (plain text) map into the database file that Postfix uses". How do I do
 this, or else, where can I find the instructions to do this?  This is
 the test I did.
 
 root@mxgw:/etc/postfix#   postmap -q vegaspartnerlounge.dk
 hash:/etc/postfix/relay_domains
 postmap: warning: database /etc/postfix/relay_domains.db is older than
 source file /etc/postfix/relay_domains
 root@mxgw:/etc/postfix#

Please re-read my previous mail. Why is $relay_domains still a map in
your config? Change this

  relay_domains = hash:/etc/postfix/relay_domains

into this

  relay_domains = /etc/postfix/relay_domains

and run /etc/init.d/postfix reload.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: [OT] anyone with hmailserver ?

2012-07-10 Thread Ansgar Wiechers
On 2012-07-10 J. Bakshi wrote:
 I generally configure postfix on Linux (Ubuntu) boxes, where users
 can send email from their local boxes to the internet (our own email
 system) for testing email forms, online forms etc. during
 development.
 
 For the Windows boxes, is there anything similar to postfix?

Windows servers come with an SMTP service that should be able to do
that. Or do you want an SMTP service on every developer client? Why
would you want to do that instead of running an infrastructure server
providing this service for the developer clients?

 I have found hmailserver as an easy alternative, but I have not yet
 succeeded in doing the same as I could with postfix on Linux.
 hmailserver always throws the error "destination is not allowed for
 delivery". Could anyone by any chance have any clue / fix?

Define "the same". What are your requirements? Without knowing them, the
only thing we could tell you is that hMailServer most likely does not
have the exact same functionality as Postfix.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: /usr/local/sbin/amavisd debug How to

2012-07-03 Thread Ansgar Wiechers
On 2012-07-03 Feel Zhou wrote:
 I got some messages when I installed the amavis software. Can you do me
 a favor?
 
 fetch_modules: error loading optional module MIME/Decoder/BinHex.pm:
   Can't locate Convert/BinHex.pm in @INC (@INC contains:
 /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
 /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at
 /usr/local/share/perl5/MIME/Decoder/BinHex.pm line 45.
   BEGIN failed--compilation aborted at
 /usr/local/share/perl5/MIME/Decoder/BinHex.pm line 45.
   Compilation failed in require at /usr/local/sbin/amavisd line 205.
 Jul  3 16:42:53.683 ym.iopkl.com /usr/local/sbin/amavisd[2242]: logging
 initialized, log level 0, syslog: amavis.mail
 Jul  3 16:42:53.683 ym.iopkl.com /usr/local/sbin/amavisd[2242]: PID file
 /var/amavis/amavisd.pid is inaccessible: Permission denied
 PID file /var/amavis/amavisd.pid is inaccessible: Permission denied

It appears that you don't have the Convert::BinHex package installed,
and the account running the amavisd process does not have permission to
access the PID file. Install the missing package (however that's done
for whatever operating system you're using), and make sure that the
account used for running amavisd has proper permissions to access the
PID file (may be incorrect permissions on the file itself or on the
containing directory).

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: /usr/local/sbin/amavisd debug How to

2012-07-03 Thread Ansgar Wiechers
On 2012-07-03 Feel Zhou wrote:
 My PC is Windows 7; I installed VMware on it.
 I set up CentOS 6.2/64bit in VMware for the test.
 Maybe this is the problem?

Hardly. CentOS running on VMware shouldn't behave any differently than
CentOS running on physical hardware in this respect. I just came across
this post [1], which may or may not help. If it doesn't, I'd suggest to
consult a more appropriate list, as this isn't a Postfix issue.

[1] http://lists.mailscanner.info/pipermail/mailscanner/2006-April/060174.html

Regards
Ansgar Wiechers
-- 
All vulnerabilities deserve a public fear period prior to patches
becoming available.
--Jason Coombs on Bugtraq


Re: How to fix alias goof

2012-06-30 Thread Ansgar Wiechers
On 2012-06-30 Richard B. Pyne wrote:
 We forward email for a few customers we host using virtual alias maps
 through postfixadmin. As I always do with making major changes to
 postfix, I set it for soft_bounce. I recently move a mail system to a
 new server and created a problem by mistyping an alias. I now have
 over 300 emails stuck in the queue with the wrong address.
 
 How can I fix the address on these emails? I fixed the alias and
 re-queued everything, but it did not rewrite the address to correct
 the mistake.

I'd try adding a temporary alias mapping the mis-typed address to the
correct address and re-queue the mail. Then remove the temporary alias
after all mail was delivered.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: What wrong with my postfix

2012-06-29 Thread Ansgar Wiechers
On 2012-06-29 Kshitij mali wrote:
 Please delete this thread from the archive of the gmane.org or atleast
 hide the ipaddress and email address from the logs from the below
 archive.
 
 http://comments.gmane.org/gmane.mail.postfix.user/227441

What in the blue blazes would lead you to believe that anything you
write to the POSTFIX MAILING LIST would cause the person running the
GMANE.ORG WEBSITE to take any kind of action? Please get a clue and stop
bothering this list with your misplaced requests. Thank you.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Larning about relays

2012-06-29 Thread Ansgar Wiechers
On 2012-06-28 email builder wrote:
 Do not accept mail that you know you can't deliver. Either use
 $relay_recipient_maps (building the list and pushing it to the
 frontend server can be implemented with a simple script), use LDAP
 lookups (in case your recipients are listed in an LDAP directory),
 or use the reject_unverified_recipient restriction [1].
 
 So either way, the relay server ends up with a list of valid
 destination addresses right?  Looks like there's just no other
 correct way to do it.  Right?
 
 There may be other ways, but I'm not aware of any.
 
 OK.  To be clear, if one were to keep the recipient list out of the
 hands of the relay server, the only reasonable thing to do in that
 scenario is to silently discard all bounces from the internal MTA,
 right?

The reasonable thing to do in a situation like that would be to
re-evaluate the reasoning that led to the decision to not have the relay
know about valid recipients.

 This avoids backscatter but no one would get the helpful bounces in
 the case of address typos, user being over quota, etc.  

Yes.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Larning about relays

2012-06-28 Thread Ansgar Wiechers
On 2012-06-28 email builder wrote:
 Specific questions I had were if I can use the standard DNS load
 balancing (multiple MX records, same priority, possibly multiple IPs
 resolving to one A record) setup *behind* a relay server (those MTAs
 behind the relay only being available via the relay and never
 directly).
 
 Well, it looks like I could do
 
 relay_domains = example.com
 
 transport table: example.com   relay:other.com
 
 I have to use other.com in the transport because I need to use
 DNS-based load balancing of multiple SMTP servers on the backend,
 but the relay is listed as the primary MX for example.com (my
 understanding is that I can't do this:
 
 example.com   relay:internal.smtp.example.com
 
 because mail would loop, right?  So will using another (essentially
 junk) domain work for this?

As long as internal.smtp.example.com IS the final destination for
example.com and the relaying server is NOT the final destination for
example.com, the mail should not loop.

 Also need to make sure I know how address verification works when
 ideally the relay doesn't have access to the list of (virtual) users.
 
 It looks like with relay_recipient_maps empty, all mail just gets sent
 through the relay to the main SMTP server, which is fine.

No, that ain't fine, because ...

 But when the main SMTP server gets mail to invalid recipients, how
 does it reject it?

It doesn't reject it. Instead it generates bounces, which - in case of
spam - will hit innocent bystanders whose addresses were spoofed.

Do not accept mail that you know you can't deliver. Either use
$relay_recipient_maps (building the list and pushing it to the frontend
server can be implemented with a simple script), use LDAP lookups (in
case your recipients are listed in an LDAP directory), or use the
reject_unverified_recipient restriction [1].

 Am I correct to assume that because the relay server already did the
 SMTP conversation with the client, the main SMTP server can't do any
 real time address checks?  This seems less than ideal.

The main server will do real time address checks. For the transaction
between frontend and backend, that is. However, since SMTP defines a
store-and-forward architecture, mail transactions aren't end-to-end, but
hop-to-hop.

 Also, it looks like any bounces or anything else that the main SMTP
 server needs to send back go through the relay if I specify it in
 either the relayhost setting or if I put it in the transport table
 with:
 
 *  smtp:relay.example.com
 
 Is there a difference between that and relayhost?  Which is better? 
 Do both methods force postfix to send anything outgoing (bounces OR
 outgoing user email OR anything else) through that given host?    

If I understand man 5 transport correctly, both settings should do the
same. I would prefer $relayhost for better readability, though.

 And assuming I can run postscreen on the relay and not need to do
 much connection, client and RBL filtering on the main MTAs (except
 address related since the relay won't have access to local
 addresses).
 
 I still need to learn about this more, I don't know how much of my
 recipient/client/helo (etc.) restrictions I can put on the relay and
 how the main SMTP server will handle those restrictions that the relay
 can't handle when it is being relayed to indirectly.

All of your restrictions should be implemented on the frontend server,
and the backend server should accept mail only from trusted locations.

[1] http://www.postfix.org/postconf.5.html#reject_unverified_recipient

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Larning about relays

2012-06-28 Thread Ansgar Wiechers
On 2012-06-28 email builder wrote:
 Well, it looks like I could do
 
 relay_domains = example.com
 
 transport table: example.com   relay:other.com
 
 I have to use other.com in the transport because I need to use
 DNS-based load balancing of multiple SMTP servers on the backend,
 but the relay is listed as the primary MX for example.com (my
 understanding is that I can't do this:
 
 example.com   relay:internal.smtp.example.com
 
 because mail would loop, right?  So will using another (essentially
 junk) domain work for this?
 
 As long as internal.smtp.example.com IS the final destination for
 example.com and the relaying server is NOT the final destination for
 example.com, the mail should not loop.
 
 I'm not sure whether or not you understood me or if we are in
 agreement.

There is a third option.

 smtp.example.com is will be the relay server, which is the primary
 MX.  However, multiple SMTP servers behind it need to be DNS-load
 balanced.  So if I do this, mail should loop because the current
 (relay) server is, as far as DNS MX records are concerned, the correct
 destination server:
 
 example.com relay:internal.smtp.example.com

You're confusing DNS and MTA configuration. MX records tell the world
where to send mail for example.com. However, the MX record does NOT
magically make an MTA running on that host the final destination for
example.com SMTP-wise.

An MTA becomes the final destination for example.com when the domain is
configured in either $mydestination, $virtual_alias_domains or
$virtual_mailbox_domains. It is NOT the final destination for any domain
configured in $relay_domains.

There's also nothing wrong with suppressing MX lookups. You don't need
MX records for load-balancing mail sent to backend servers. Example:

8<
$ORIGIN example.com
@ IN  MX  10 external1
@ IN  MX  10 external2

external1 IN  A   10.42.23.11
external2 IN  A   10.42.23.12

internal  IN  A   10.42.23.101
internal  IN  A   10.42.23.102
8<

The above snippet defines two MX records external1.example.com and
external2.example.com. These are the hosts that the world should send
mail for example.com to. Since both records are defined with the same
preference, inbound mail will be (DNS-)load-balanced over the two
servers.

Both servers run Postfix with

  $relay_domains = example.com

and a transport map

  example.com   relay:[internal.example.com]

This will cause the two frontend servers to relay all mail for
example.com to internal.example.com. No MX lookup is required for this,
because you already know (and control) the destination host. And
resolution of the A record internal.example.com will automatically
load-balance the delivery, because the A record is configured with more
than one address (round-robin DNS).

Finally, the two backend servers 10.42.23.101 and 10.42.23.102 also run
Postfix, but with a configuration like

  $mydestination = example.com
  $relay_domains =

or

  $virtual_mailbox_domains = example.com
  $relay_domains =

making them the final destination for SMTP delivery.

 I can't use brackets [] to disable MX lookups since I need the DNS
 load balancing.  Thus I thought to use a different junk domain name
 
 example.com relay:other.tld

As explained above: you don't need MX lookups for DNS load-balancing in
the backend.

[...]
 But when the main SMTP server gets mail to invalid recipients, how
 does it reject it?
 
 It doesn't reject it. Instead it generates bounces, which - in case
 of spam - will hit innocent bystanders whose addresses were spoofed.
 
 Do not accept mail that you know you can't deliver. Either use
 $relay_recipient_maps (building the list and pushing it to the
 frontend server can be implemented with a simple script), use LDAP
 lookups (in case your recipients are listed in an LDAP directory), or
 use the reject_unverified_recipient restriction [1].
 
 So either way, the relay server ends up with a list of valid
 destination addresses right?  Looks like there's just no other correct
 way to do it.  Right?

There may be other ways, but I'm not aware of any.

Regards
Ansgar Wiechers


Re: How to move msgs from deferred to HOLD?

2012-06-23 Thread Ansgar Wiechers
On 2012-06-23 Len Conrad wrote:
 Releasing from HOLD to deliverable is clear (and used often)
 
 but how to move deferred to HOLD?

man postsuper | grep -A 11 -- '-h'
   -h queue_id
  Put  mail  on  hold  so that no attempt is made to deliver it.
  Move one message with the named queue ID  from  the  named  mail
  queue(s)  (default:  incoming,  active and deferred) to the hold
  queue.

  If a queue_id of - is specified, the  program  reads  queue  IDs
  from standard input.

  Specify  "-h ALL" to hold all messages; for example, specify "-h
  ALL deferred" to hold all mail in  the  deferred  queue.   As  a
  safety measure, the word ALL must be specified in upper case.

Regards
Ansgar Wiechers


Re: Forwarding without a relay-map?

2012-06-22 Thread Ansgar Wiechers
On 2012-06-22 James B. Byrne wrote:
 host2 (PF) -- host3 (PF)
 
 host3 (PF)
 (has no local domains)
 (has no relay_domains)
 (has no virtual aliases for example.com)
 (has transport entry) example.com  relay:[host4.local.tld]
 
 host3 (PF) -- host4 (SM)
 
 host4 (SM) is the usual final delivery host for example.com but is not
 listed as an MX for example.com.  Host4 does not accept connections
 from outside its local network segment (IP:a.b.c.0/192).  Host2 and
 host3 are both on the same segment as host4.
 
 On host3, both etc/postfix/virtual_aliases_regexp and
 /etc/postfix/virtual_aliases are empty files as is
 /etc/postfix/virtual_domains. None of the aliases files contain any
 reference to example.com.
 
 Given what I have read, with this configuration I expect that host3
 should reject mail for example.com relayed from host2.  But it does
 not, it accepts it and forwards it on to host4.  The forwarding from
 host3 to host4 I expect given that message was accepted by host3. 
 What I do not understand is why it was accepted by host3 to begin
 with.

Check the output of the following commands on host3:

postconf -d mynetworks
postconf -d | grep 'smtpd_.*_restrictions'

Regards
Ansgar Wiechers


Re: Forwarding without a relay-map?

2012-06-22 Thread Ansgar Wiechers
On 2012-06-22 James B. Byrne wrote:
 So, I take it that this is what is happening?
 
 # TRUST AND RELAY CONTROL
 
 # The mynetworks parameter specifies the list of trusted SMTP
 # clients that have more privileges than strangers.
 #
 # In particular, trusted SMTP clients are allowed to relay mail
 # through Postfix.

Yes.

Regards
Ansgar Wiechers


Re: High Availability Solution for Postfix SMTP Server

2012-06-18 Thread Ansgar Wiechers
On 2012-06-18 Kaushal Shriyan wrote:
 Are there any High Availability Solutions for Postfix SMTP Server, meaning
 primary and secondary nodes in Active/Active or Active/Passive clustering
 mode?

Please describe the problem you're trying to solve instead of what you
perceive as the solution.

Regards
Ansgar Wiechers


Re: Relay some domain users to foreign domain, deliver others to virtual mailboxes

2012-06-17 Thread Ansgar Wiechers
On 2012-06-17 Chris Richards wrote:
 I'm sure this can't be the first time this has come up, but my
 google-foo just isn't strong enough to find what I'm looking for.
 Here's the scenario:
 
 Postfix is final destination for domain1.tld, and is implemented as
 virtual mailboxes (no local unix accounts), with mysql lookups.  So
 far so good, and that's easy to setup.  u...@domain1.tld either gets
 delivered to the local mailbox, or rejected.
 
 Now the wrinkle: if u...@domain1.tld doesn't exist, RELAY to
 u...@domain2.tld (same user in a different domain).  domain2.tld
 exists on another server and the databases are NOT shared.
 
 I've setup an entry in virtual-alias-domains so that @domain1.tld
 returns @domain2.tld.

$virtual_alias_domains is a list of virtual domains your server accepts
mail for. It doesn't take any input nor does it return any output. I
suppose you mean $virtual_alias_maps.

 It's my understanding that should cause u...@domain1.tld to be mapped
 to u...@domain2.tld according to the virtual(5) readme.  That didn't
 seem to be working, so I thought well maybe it's because I'm not a
 relay for domain2.tld, so I setup a relay-domains entry that says I'm
 a relay for domain2.tld (again, all of this is driven by a mysql
 database).

Virtual domains are domains that your server is the final destination
for. Relay domains are domains that your server is NOT the final
destination for. Do not confuse the two.

Since your mail server is only responsible for domain1.tld, not for
domain2.tld, the latter belongs in $relay_domains. Use either

- $relay_recipient_maps (if you can obtain a list of valid recipients of
  domain2.tld)
- LDAP lookups (if you have access to an LDAP server listing the valid
  recipients of domain2.tld)
- reject_unverified_recipient [1]

to avoid bounces.

 Whenever I send mail to u...@domain1.tld (where a mailbox actually
 exists), the mail gets delivered exactly like I'd expect.  Whenever I
 send mail to us...@domain2.tld, it bounces with:
 
 'Recipient address rejected: User unknown in virtual mailbox table'

Who bounces the message? Your server, or the upstream server? If it's
your server generating the bounce, then your server apparently considers
domain2.tld to be one of its virtual MAILBOX domains (which is something
entirely different from virtual ALIAS domains).

Please post the output of postconf -n (as requested per the list's
welcome message), and the relevant content of $virtual_alias_domains,
$virtual_alias_maps, $virtual_mailbox_domains, $virtual_mailbox_maps,
and $relay_domains.

 Is what I'm attempting to do even possible?  Also, I really don't want
 to become a backscatter source.  Can I turn on address probes for this
 one domain, or is it pretty much on for everyone?

By putting a wildcard mapping (@domain1.tld @domain2.tld) into your
$virtual_alias_maps, you do become a backscatter source, because virtual
aliases are not resolved recursively. A left-hand value of @domain1.tld
means accept all mail to domain1.tld and send it to whatever is the
right-hand value.

Dynamic routing like "if us...@domain1.tld doesn't exist, then forward
the mail to us...@domain2.tld" is not possible in Postfix (at least not
that I'm aware of).

[1] http://www.postfix.org/postconf.5.html#reject_unverified_recipient

Regards
Ansgar Wiechers


Re: Postmaster info reset password

2012-06-14 Thread Ansgar Wiechers
Harald

On 2012-06-14 Reindl Harald wrote:
 sadly to say but this all sounds that you have no plan what are you
 doing at all - please consult the admin for the mailsystem (hopefully
 one exists)

If you don't want to provide help, it'd be better to not respond at all.
Snide remarks will not help anyone.

Regards
Ansgar Wiechers


Re: Postmaster info reset password

2012-06-14 Thread Ansgar Wiechers
On 2012-06-14 Giuseppe Perna wrote:
 I allow relaying only to the hosts declared in main.cf file and users
 are in the file /etc/passwd. postmaster is the user in this file. I
 can confidently change the password or disable the user postmaster?
 I'm not going to cause damage to the Postfix configuration?

The postmaster address is a role address (see RFC 2142) and should not
be a mailbox (and thus not have a login) in the first place. It's common
practice to alias that address to one or more user mailboxes.

Changing the IMAP password to a postmaster mailbox will not change
anything about mail routing in Postfix. Postfix is not an IMAP server
and will thus not be affected by changes to your IMAP configuration.

It's also unwise to make all local user accounts valid mail recipients.
Better set

  local_recipient_maps = $alias_maps

in main.cf and explicitly specify which local account has a mailbox
associated with it.

 these doors open.
 
 22/tcp  open  ssh
 25/tcp  open  smtp
 37/tcp  open  time
 80/tcp  open  http
 110/tcp open  pop3
 113/tcp open  auth
 125/tcp open  locus-map
 143/tcp open  imap
 443/tcp open  https

The open ports of your server are unlikely to help with identifying the
problem.

[...]
 this is my configuration:
 #postconf -n
[...]
 mydestination = $mydomain,esempio.it (local domain)

I may be wrong, but I don't believe $mydestination should contain
something like  (local domain).

[...]
 relay_domains = $mydestination

This is wrong. $relay_domains MUST NOT contain $mydestination. See
http://www.postfix.org/ADDRESS_CLASS_README.html for more details.

Also, your postconf output didn't show $smtpd_*_restrictions, so your
server is running on default values in this respect:

  smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

This means that your Postfix doesn't allow user authentication in the
first place, so it accepts mail only from pickup and $mynetworks.

That said, your log excerpt does not provide sufficient information to
determine how exactly the suspected spam entered your server. Find the
queue ID of such an e-mail (e.g. 23094B81BD7) and run the command

  grep QUEUE_ID /var/log/mail.log

replacing QUEUE_ID with the actual queue ID (and /var/log/mail.log with
the path to your actual mail log). Also make sure that the lines are not
truncated like they were in the log snippet from your first mail.

Regards
Ansgar Wiechers
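
The address class rules from the "Larning about relays" reply above and the $relay_domains/$mydestination overlap pointed out here, as an added Python checker (not Postfix code and not from the list). The configuration samples are constructed, the transport(5) parsing is simplified to flat `domain transport:nexthop` lines, and the loop heuristic (a relay transport pointing back at $myhostname for a domain this host is not final for) is this example's own.

```python
"""Added example, not Postfix code: model the address class rules from
ADDRESS_CLASS_README as stated in the replies above.  A domain is a final
destination only via $mydestination, $virtual_alias_domains or
$virtual_mailbox_domains; $relay_domains never makes it one; and a domain
belongs in at most one of those parameters.  The transport(5) parsing and
the loop heuristic are this example's own simplifications."""
import re

FINAL_PARAMS = ("mydestination", "virtual_alias_domains",
                "virtual_mailbox_domains")
CLASS_PARAMS = FINAL_PARAMS + ("relay_domains",)


def parse_main_cf(text):
    """Parse `postconf -n` style `name = value` lines into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name / ${name} references the way main.cf values are expanded."""
    if depth > 10:
        raise ValueError("too deeply nested parameter reference")
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)


def domain_list(params, name):
    """Domains listed in parameter `name` after expansion, lower-cased."""
    raw = expand(params.get(name, ""), params)
    return [d.lower() for d in re.split(r"[,\s]+", raw) if d]


def is_final_destination(params, domain):
    """True if this server is the final destination for `domain`."""
    return any(domain.lower() in domain_list(params, p) for p in FINAL_PARAMS)


def parse_transport(text):
    """Parse a flat transport(5) table into {domain: (transport, host)}.
    Brackets (which suppress MX lookups) and an optional :port are dropped."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        transport, _, nexthop = parts[1].partition(":")
        host = re.match(r"\[?([^\]:]*)", nexthop).group(1).lower()
        table[parts[0].lower()] = (transport, host)
    return table


def check(params, transport=None):
    """Return a list of configuration problems (empty list means clean)."""
    problems = []
    classes = {}
    for p in CLASS_PARAMS:
        for dom in domain_list(params, p):
            classes.setdefault(dom, set()).add(p)
    for dom, names in sorted(classes.items()):
        if len(names) > 1:
            problems.append(f"{dom}: listed in BOTH {' and '.join(sorted(names))}")
    myhostname = params.get("myhostname", "").lower()
    for dom, (tr, host) in sorted((transport or {}).items()):
        # relay_domains entry whose transport points back at this very host
        if tr == "relay" and host == myhostname and not is_final_destination(params, dom):
            problems.append(f"{dom}: relayed to {host}, which is this host but "
                            "not the final destination (mail loop)")
    return problems


# Constructed samples: the frontend/backend pair described in the relay
# thread, the overlapping configuration from the postmaster thread, and a
# transport entry that would loop.
FRONTEND = "myhostname = external1.example.com\nrelay_domains = example.com\n"
FRONTEND_TRANSPORT = "example.com   relay:[internal.example.com]"
LOOPING_TRANSPORT = "example.com   relay:[external1.example.com]"
BACKEND = "myhostname = internal.example.com\nmydestination = example.com\nrelay_domains =\n"
OVERLAP = "mydomain = esempio.it\nmydestination = $mydomain, localhost\nrelay_domains = $mydestination\n"

if __name__ == "__main__":
    for label, cf, tr in (("frontend", FRONTEND, FRONTEND_TRANSPORT),
                          ("backend", BACKEND, ""),
                          ("overlap", OVERLAP, ""),
                          ("loop", FRONTEND, LOOPING_TRANSPORT)):
        print(label, check(parse_main_cf(cf), parse_transport(tr)) or "OK")
```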


Re: newsreader and subscription

2012-05-29 Thread Ansgar Wiechers
On 2012-05-29 Georg Schönweger wrote:
 Am 29.05.2012 09:37, schrieb Stan Hoeppner:
 On 5/29/2012 2:10 AM, Georg Schönweger wrote:
 How can i activate no mail mode?
 
 Your list options are here:
 http://www.postfix.org/lists.html#lists
 
 Browsing those, it appears there is no method to accomplish what you
 desire.  Thus, I'd suggest you simply create an access list and discard
 all mail from this list, something like:
[...]
 If you use the 'everything-under-smtpd_recipient_restrictions' style of
 main.cf, simply add the check_sender_access there.
 
 Good idea, but unfortunately I do not host our domain on our own server
 (at least not yet).

Unsubscribe from the newsgroup. Problem solved.

Regards
Ansgar Wiechers


Re: conditional body_checks

2012-05-23 Thread Ansgar Wiechers
On 2012-05-23 Loïc Latreille wrote:
 I would check if a string is present in the message body only if the
 To field is equal to j...@example.org.
 I tried to use IF...ENDIF but it doesn't work because the pattern
 between IF and ENDIF doesn't match the same input string that the IF
 pattern.
 
 A part of the body :
 ...
 To: JDOE j...@example.org
 From: t...@otherexample.org t...@otherexample.org
 X-Email-Type-Id: TT123MM
 ...
 
 My pcre table for the body_checks :
 IF /To: JDOE jdoe@example\.org/
 /X-Email-Type-Id: TT123MM/ REDIRECT m...@example.org
 ENDIF

AFAICS these are headers and thus not processed by body_checks. Also, as
documented, checks are processed one line at a time, meaning that nested
matches can only operate on the same line.

Regards
Ansgar Wiechers


Re: Odd behavior?

2012-05-16 Thread Ansgar Wiechers
On 2012-05-16 James Lay wrote:
 Thanks Ben and Brian.  I haven't found too much information on
 implementing this...

Postfix is well-documented. I suggest you start here:

http://www.postfix.org/documentation.html

 I'm guessing it's just adding:
 
 transport_maps = regexp:/etc/postfix/reject-users
 
 ?

No.

 Does my transport_maps file contain domains or can it contain email
 addresses?

The answer to that question can be found in man 5 transport. However,
you don't want to mess around with a reject-users table in the first
place (particularly not as a transport map). Instead just change your
smtpd_recipient_restrictions like this:

smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  reject_unlisted_recipient
  ...

As Brian already explained, it's the default to reject undefined
recipients, so you wouldn't need to do anything (unless you have
configured a catch-all somewhere, which you shouldn't). However, I
consider it good practice to reject mail for invalid recipients early
on (before doing more expensive checks), which is what the
reject_unlisted_recipient restriction is for.

Regards
Ansgar Wiechers


Re: my server generates spam

2012-05-09 Thread Ansgar Wiechers
On 2012-05-09 Giuseppe Perna wrote:
 but analysis of the log does not show any indication.
 in /var/log/maillog there are no indications of IP and user that
 generates emails with sender freelo...@hotmail.it

 this is the resulter to grep

Please post the full output of grep BE80AB81E65 /var/log/maillog. Do
not make assumptions about what is or isn't relevant in that output.

 I would like to increase the debug log, how do I?

You don't, unless someone specifically asks you to. Please follow the
advice in http://www.postfix.org/DEBUG_README.html#mail. Particularly
post the output of postconf -n.

 May  9 05:06:02 neruda postfix/smtp[20559]: BE80AB81E65:
 to=goverl...@mn.rr.com, relay=smart-relay.pippo.xxt.it[210.85.7.10],
 delay=74841, status=deferred (host
 smart-smart-relay.pippo.xxt.it[210.85.7.10]said: 451 DNS temporary
 error. (in reply to RCPT TO command))

smart-relay.pippo.xxt.it does not have the IP address 210.85.7.10. Do
not fake or obfuscate log excerpts.

Regards
Ansgar Wiechers


Re: Spoofing the From address

2012-05-09 Thread Ansgar Wiechers
On 2012-05-09 Dennis Putnam wrote:
 I have recently migrated from Mandriva to CentOS and am having the
 return of an old problem. My ISP requires that I go through their
 relay to send mail. That is all working with the exception of the
 generated from address. They require that I have a valid FQDN in the
 from response. This was all working with my Mandriva main.cf but
 CentOS apparently has a newer version of Postfix (6.2.2) and the
 config files are not 100% compatible. I had to manually create the
 equivalent settings based on the old main.cf. That seemed
 straightforward enough however, the from response is being rejected
 by my ISP because the domain on the from response is being picked up
 from /etc/hosts (which is a fake local domain) rather than the
 'myorigin' parameter in main.cf. I cannot find how I fixed this on
 the old OS but obviously I am missing some parameter somewhere that
 sets the from FQDN to what my ISP requires.
 
 Can someone point me in the right direction? Thanks.

As requested per http://www.postfix.org/DEBUG_README.html#mail, please
post the output of postconf -n and a log excerpt demonstrating the
problem.

Regards
Ansgar Wiechers


Re: A major fuckup on part of spamhaus:

2012-05-04 Thread Ansgar Wiechers
On 2012-05-04 Steve wrote:
 1) Should not happen but it did. No one is perfect.
 2) I hope you guys don't just blindly trust one RBL provider?
 Postscreen allows perfectly to craft weighted BL.

policyd-weight does weighted checks, too.

Regards
Ansgar Wiechers


Re: Can I improve the efficiency of my dnsbl reject configuration?

2012-04-27 Thread Ansgar Wiechers
On 2012-04-27 kar...@mailcan.com wrote:
 On Fri, Apr 27, 2012, at 06:43 PM, Bastian Blank wrote:
 On Fri, Apr 27, 2012 at 08:55:15AM -0700, kar...@mailcan.com wrote:
 reject_non_fqdn_recipient
 
 Why?
 
 Because countless documentation examples suggest it, including in The
 Postfix Book.

For my personal mail server I use this rule, too. However, you need to
be aware that it might reject some legit mail (e.g. from mail servers
configured by stupid, but valid, customers), hence the rule may be
inappropriate in situations where you handle business mail or mail for
third parties.

 permit_sasl_authenticated
 permit_mynetworks
 reject_unauth_destination
 reject_unlisted_recipient
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_rbl_client zen.spamhaus.org
 reject_rbl_client b.barracudacentral.org
 permit
 
  Remove, it does nothing anyway.
 
 Remove what, specifically? All of those?  What does nothing?

Bastian probably meant just the trailing permit, because that's the
default anyway.

Regards
Ansgar Wiechers


Re: message in etc/var/mail

2012-04-26 Thread Ansgar Wiechers
On 2012-04-26 Jon Miller wrote:
 I'm experiencing a problem in my mail logs that keeps showing the
 following message:
 Apr 26 11:33:41 mmtlnx postfix/qmgr[2798]: warning: connect to
 transport smtp-amavis: Connection refused
 
 I've gone through every file in /etc/postfix and cannot find any
 reference of this message, I've checked chkconfig to make sure that
 amavis is turned off and it was, I'm at a lost atm.

Instead of saying what you don't have, please provide the information
that you have. Particularly the contents of your master.cf and the
output of postconf -n.

Regards
Ansgar Wiechers


Re: Using Header_checks to stop specific incoming mails

2012-04-13 Thread Ansgar Wiechers
On 2012-04-13 Kizito Thomas wrote:
 I have been trying to block some incoming mails using header_checks but
 I am failing to block them, they are still going through.
 I have read and used info from
 http://www.postfix.org/header_checks.5.html and specifically followed
 the  synopsis of: header_checks = regexp:/etc/postfix/header_checks.
 I am using regexp because under Table Format regexp support is more
 widely available and it is also the look up table for my installation. 
 I have also followed
 http://www.techiepark.com/wp-content/uploads/2009/09/header_checks.txt
 while designing my /etc/postfix/header_checks file, which looks like
 below:
 # more /etc/postfix/header_checks 
 /^From:t...@mayengo.or.ug/ REJECT
 ##
 For this I am still testing with one email address to make sure the
 implementation is safe.
 I have also edited the /etc/postfix/main.cf to have a line: 
 header_checks = regexp:/etc/postfix/header_checks
 I have restarted postfix but the mails from t...@mayengo.or.ug are still
 going through.
 I don't know what I am doing wrong, maybe people from here can help me.

cobalt@iridium:~ $ man header_checks | grep "added by the cleanup" -A2
   Message headers added by the cleanup(8) daemon itself are excluded from
   inspection.  Examples  of such message headers are From:, To:, Message-
   ID:, Date:.

Regards
Ansgar Wiechers


Re: how to fix forwarding loop

2012-04-13 Thread Ansgar Wiechers
On 2012-04-08 Rich wrote:
 I am still getting the loop.  I am getting the message back at my
 mail.domain.com.  could it be something to do with dns or my mx for my
 domain?

As already requested twice by mouss: provide details about the issue.
That includes at least the output of postconf -n and a log excerpt
demonstrating the problem.

Regards
Ansgar Wiechers


Re: Postfix and LDAP lookups

2012-04-10 Thread Ansgar Wiechers
On 2012-04-10 Igmar Palsenberg wrote:
 Anyone with a suggestion on how to start debugging this ?

You received the following link with the welcome message when you
subscribed to this list:

http://www.postfix.org/DEBUG_README.html#mail

Regards
Ansgar Wiechers


Re: how to fix forwarding loop

2012-04-08 Thread Ansgar Wiechers
On 2012-04-08 Rich wrote:
 My domain is domain.com
 my email server is mail.domain.com and the main.cf settings are:
 mydomain is domain.com
 myhostname is mail.domain.com
 I have a sender_bcc file that says
 
 user  u...@archive.domain.com
 
 the archive server is archive.domain.com the main.cf settings are:
 mydomain = domain.com
 myhostname is archive.domain.com
 mydestination = archive.domain.com
 
 When I send mail from mail.domain.com it forwards the mail to
 archive.domain.com.
 I get the following error on the archive server.
 mail forwarding loop for u...@archive.domain.com
 
 Where am I making mistake in the main.cf of the archive server?

u...@archive.domain.com has a localpart "user" too, causing mail that
was bcc'd to u...@archive.domain.com to loop back to archive.domain.com.

Change the line

  user  u...@archive.domain.com

into

  u...@domain.com   u...@archive.domain.com
  u...@mail.domain.com  u...@archive.domain.com

Regards
Ansgar Wiechers


Re: mail delivery system message

2012-04-07 Thread Ansgar Wiechers
On 2012-04-07 Jon Miller wrote:
 Yes I'm the postmaster of the mail server, just trying to stop the
 amount of spamming and now it's not accepting or sending mail.
 This is the content of the master.cf file 

Noel referred you to the list's welcome message, which specifically
mentions http://www.postfix.org/DEBUG_README.html#mail. Please help us
help you by following the directions given there.

Regards
Ansgar Wiechers


Re: Mail delivery for local mailbox

2012-03-28 Thread Ansgar Wiechers
On 2012-03-28 Andrea Cappelli wrote:
 I have a Postfix (2.7.1) with local mailboxes delivered through
 Dovecot agent (which is also used as pop3/imap server)
 
 The same server is also used to send mail for SASL authenticated users,
 without relay on any external server
 
 When a user sends a mail to another local mailbox, the mail gets
 delivered without checking the MX of the domain, so if I put the
 gmail.com domain as local I will never be able to send mail to Gmail
 users anymore.

Well, don't make gmail.com a local domain when it isn't a local domain.
Problem solved.

Regards
Ansgar Wiechers


Re: virtual user rejected

2012-03-22 Thread Ansgar Wiechers
On 2012-03-22 Tim Dunphy wrote:
 after adding a new virtual user called request to the virtual conf
 file user is rejected:
[...]
 [sysmail01:/data/home/dunphy] root% grep virtual /etc/postfix/main.cf
 virtual_maps = dbm:/etc/postfix/virtual

Apparently you have $virtual_maps in main.cf ...

 [sysmail01:/data/home/dunphy] root% postconf -n
 anvil_rate_time_unit = 60s
[...]
 smtpd_milters = unix:/var/run/clamav/clamav-milter
 unknown_local_recipient_reject_code = 550

... but not in your active configuration. Is your Postfix chrooted
(causing it to use a different main.cf)?

Regards
Ansgar Wiechers


Re: How do I handle mails for only one user of a certain domain?

2012-03-20 Thread Ansgar Wiechers
On 2012-03-19 Luca Pacor wrote:
 On 19 Mar 2012, at 20:04, Ansgar Wiechers li...@planetcobalt.net wrote:
 On 2012-03-19 Luca Pacor wrote:
 If that.domain is in mydestination everything @ that.domain is
 delivered locally (wrong), if it's in transport everything will be
 delivered to that.domain, including myuser (wrong)

 A domain can be either local or not. It cannot be both at the same
 time. Perhaps you could use a virtual alias to send mail for
 myuser@that.domain myuser@exchangeserver.local?
 
 ... and how?...
 I forgot to mention that I do have an entry in the alias table:
 myuser.   myuser@that.domain

From my understanding of your objective, the $virtual_alias_maps entry
should look like this:

myuser@that.domain  myuser@exchangeserver.local

However, I didn't test it, so I'm not entirely sure it will work that
way, since that.domain would be a relay domain in your scenario. Perhaps
one of the more experienced contributors to this list can provide a
little more insight.

Regards
Ansgar Wiechers


Re: How do I handle mails for only one user of a certain domain?

2012-03-19 Thread Ansgar Wiechers
On 2012-03-19 Luca Pacor wrote:
 On Sun, Mar 04, 2012 at 11:58:26AM +, Luca Pacor wrote:
 Now postfix delivers everything @ that.domain to their mailer, also
 for the user I manage locally:

 Mar 4 12:24:07 server6 postfix/trivial-rewrite[7155]: warning:
 do not list domain that.domain in BOTH mydestination and
 virtual_alias_domains

 That is a plain-language warning which should have told you at least
 one thing that you have done wrong. Apparently your munged domain
 name is listed in BOTH mydestination and virtual_alias_domains. Pick
 one or the other, no more than one address class per domain.
 
 If that.domain is in mydestination everything @ that.domain is delivered
 locally (wrong), if it's in transport everything will be delivered to
 that.domain, including myuser (wrong)

A domain can be either local or not. It cannot be both at the same time.
Perhaps you could use a virtual alias to send mail for myuser@that.domain
myuser@exchangeserver.local?

Regards
Ansgar Wiechers


Re: sender_canonical_maps and from= address\

2012-03-05 Thread Ansgar Wiechers
On 2012-03-05 santosh malavade wrote:
 smtpd_recipient_restrictions =
   check_sender_access hash:/etc/postfix/sender_access,
   check_recipient_access hash:/etc/postfix/sender_access
   reject

Rob already said all there is to say about this. Fix it.

 mynetworks = 127.0.0.1/8 , 192.168.40.0/24 ,172.25.10.94/32

Why do you define additional $mynetworks when you don't accept mail from
there (permit_mynetworks)?

 canonical_maps = hash:/etc/postfix/canonical
 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
 relocated_maps = hash:/etc/postfix/relocated
 sender_canonical_maps = hash:/etc/postfix/sender_canonical
 transport_maps = hash:/etc/postfix/transport
 virtual_maps = hash:/etc/postfix/virtual

What is the reason behind all these maps? You don't define any domain
aside from $myhostname and localhost.localdomain. What is the actual
purpose of your MTA?

 debug_peer_list = 173.225.251.221

Also, do not enable debug logging unless you have specific reasons to do
so. Postfix' default logging is sufficient for any normal amount of
troubleshooting.


Regards
Ansgar Wiechers


Re: Virtual mailboxes only

2012-03-02 Thread Ansgar Wiechers
On 2012-03-02 Karol Babioch wrote:
 I've got a server, which can be found at the domain example.com
 (including a PTR record for reverse DNS lookups).
 
 Now I want to run a mailserver for example.com, but I don't want to
 create local users, but instead use virtual mailboxing.
 
 Furthermore I've got the domain example.net which I want to be a
 mail host for - once again using virtual mailboxing.
 
 Emails to i...@example.com should be stored (using dovecot) in
 /var/spool/mail/example.com/info. The emails for the example.net
 domain should be treated the same way (e.g.
 /var/spool/mail/example.net/info).
 
 Now what would be the best way to deal with these kind of problem?
 From my understanding the documentation seems to assume that virtual
 mailboxing is only used for additional domains, but not for the
 main one.

True, and the recommended way of handling things. However, the main
domain of the server can be the server itself, and you can restrict the
valid local mailboxes via $local_recipient_maps:

8<
mydestination = $myhostname
local_recipient_maps = $alias_maps
8<

I'd suggest to have $alias_maps look somewhat like this:

8<
mailer-daemon: postmaster

postmaster: root
hostmaster: root
abuse: root

root: mailad...@example.com
8<

For the virtual mailbox domain setup follow the examples in the Virtual
Domain Hosting Howto [1].

[1] http://www.postfix.org/VIRTUAL_README.html

Regards
Ansgar Wiechers
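
The $alias_maps and local_recipient_maps = $alias_maps advice given here and in the "Postmaster info reset password" reply above, as an added Python example (not Postfix code and not from the list). It expands the suggested alias table the way local(8) would, detects alias loops, and shows which local parts smtpd would still accept; the alias table is constructed, and :include:, |command and re-resolution of fully qualified targets are deliberately left out.

```python
"""Added example, not Postfix code: resolve aliases(5) entries recursively
with loop detection, and model the rule that with
    local_recipient_maps = $alias_maps
only names present in the alias table are valid local recipients.
Real local(8) also handles :include: and |command targets and re-resolves
fully qualified targets in local domains; both are left out here."""

# Constructed sample, following the $alias_maps suggested in the reply above.
SAMPLE_ALIASES = """
# role addresses (RFC 2142) are aliases, never mailboxes
mailer-daemon: postmaster
postmaster: root
hostmaster: root
abuse: root
root: mailadmin@example.com
"""


def parse_aliases(text):
    """Parse `name: target[, target ...]` lines into {name: [targets]}."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, targets = line.partition(":")
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",")
                                         if t.strip()]
    return aliases


def resolve(aliases, name, _chain=()):
    """Expand a local name into its final recipients.
    Raises ValueError when the alias chain loops back on itself."""
    name = name.lower()
    if name in _chain:
        raise ValueError("alias loop: " + " -> ".join(_chain + (name,)))
    if name not in aliases:           # plain mailbox name, nothing to expand
        return [name]
    out = []
    for target in aliases[name]:
        if "@" in target:             # fully qualified address leaves the table
            out.append(target)
        else:
            out.extend(resolve(aliases, target, _chain + (name,)))
    return out


def accepted_local_recipients(aliases):
    """Local parts smtpd accepts when local_recipient_maps = $alias_maps."""
    return set(aliases)


def is_accepted(aliases, localpart):
    """Would smtpd accept mail for localpart@$mydestination?"""
    return localpart.lower() in accepted_local_recipients(aliases)


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for name in ("mailer-daemon", "abuse", "nobody"):
        print(name, "accepted" if is_accepted(table, name) else "rejected",
              "->", resolve(table, name))
```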


Re: sender_canonical_maps and from= address

2012-02-28 Thread Ansgar Wiechers
On 2012-02-28 santosh malavade wrote:
 I am trying to change the envelope sender appearing in Non Delivery
 Reports as from= using sender_canonical_maps hash file

This is likely to cause mail loops, so don't do it. The null sender is
the established and perfectly valid sender address for NDRs.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: sender_canonical_maps and from= address\

2012-02-28 Thread Ansgar Wiechers
On 2012-02-28 santosh malavade wrote:
 In my mail server, i have enabled sender access using the following
 parameter.
 
 smtpd_recipient_restrictions = check_sender_access
 hash:/etc/postfix/sender_access, check_recipient_access
 hash:/etc/postfix/sender_access reject
 
 This was rejecting the mail with the 554 Recipient address rejected:
 Access denied

That's because you added an explicit reject at the end of
smtpd_recipient_restrictions. Remove it and the problem will go away.

 Now, I have enabled null sender using  in file
 /etc/postfix/sender_access, based on the information available in
 http://www.postfix.org/access.5.html   ( refer Note: in section EMAIL
 ADDRESS PATTERNS )

That is unnecessary. Postfix' default configuration is safe. The default
implicit permit in smtpd_recipient_restrictions does not make your
server an open relay. It just means that it will accept mail for its
$mydestination domains.

 Now, my concern is my mail server should not be an OPEN RELAY.
 
 I tried checking it on http://www.checkor.com/   Although, the results
 are negative, the site has the following disclaimer.
 
 * We do our best to check to see if you mailserver is an open relay.
 Even if your mail server tests negative on this site, it may still not
 be 100% secure
 
 Pls. suggest.

Please post the output of postconf -n.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: spam issues

2012-01-17 Thread Ansgar Wiechers
On 2012-01-15 Al Zick wrote:
 Here is where I am at: I had about 10 of RBLs at one time (including
 some of the ones you mentioned), but I slowly removed them. What do
 you do when people that you need to be in contact with everyday are
 being blocked? I guess that you can use them if you don't mind having
 an ever growing whitelist. Can they be weighted somehow?

policyd-weight does a weighted check on several RBLs. And even without
that you can always add a whitelist before an RBL check.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: CIDR

2011-12-17 Thread Ansgar Wiechers
On 2011-12-17 Tolga wrote:
 I've been getting a lot of Chinese spam. I've googled and come across
 a guide that advises to use a cidr file and tell postfix to use it. I
 got the file, edited it, and told postfix to use it. However, it
 doesn't seem to be working (I tested it by putting in my own IP
 address). How can I fix it? Below is my postconf -n:
 
 [root@bilgisayarciniz ~]# postconf -n
[...]
 smtpd_client_restrictions = check_client_access
 cidr:/etc/postfix/sinokorea.cidr

Move the check_client_access restriction to $smtpd_recipient_restrictions.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: change of relayhost for queued messages

2011-09-17 Thread Ansgar Wiechers
On 2011-09-17 Reindl Harald wrote:
 for whatever reason after upgrade to VMware Workstation 8 the
 address for the host in a nat-network has to be changed from
 192.168.196.2 to 192.168.196.1 and was also changed for relayhost
 of a VM in main.cf
 
 but independent how often i restart the VM, postfix or even call
 postqueue -f some system-mails from before the change are hanging
 around
 
 what am i missing to tell postfix to recognize the change and deliver
 the messages?
 _
 
 postfix-2.8.5-7.fc15.rh.20110917.x86_64
 
 [root@testserver:~]$ cat /etc/postfix/main.cf
 relayhost = 192.168.196.1
 
 Sep 17 20:34:37 testserver postfix/smtp[15421]: AF3EB42A95: 
 to=rhs...@test.rh, relay=none, delay=14926, delays=14926/0.42/0.03/0, 
 dsn=4.4.1, status=deferred (connect to 192.168.196.2[192.168.196.2]:25: 
 Connection refused)

You're long enough on this list to know that the contents of main.cf are
far less relevant than the output of postconf -n. 

Did you restart Postfix after changing the config?
Did you try to re-queue the mail (postsuper -r ALL) instead of flushing
the queue?

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Postfix talking smtp through stdio command?

2011-09-06 Thread Ansgar Wiechers
On 2011-09-06 Matthias Andree wrote:
 I am in a situation where I would like to achieve either of these
 solutions:
 
 Alternative A:
 
 - have Postfix's smtp client talk through a command via stdin/stdout
 (instead of a TCP stream).
 
 That command would be ssh -W mailhub:25, with a user-specified
 password and possibly some sort of credentials cache (like ssh-agent).
 
 - Ideally, I would be able to pass relevant environment variables such
 as SSH_AUTH_SOCK to the SMTP client somehow, and Postfix's smtp client
 would run under my own unprivileged user ID if possible (else I need
 to find a proxy for ssh-agent, too, because it checks the peer user
 ID).
 
 - What I can do, but dislike because it's unreliable and consequently
 insecure, is: set up a regular ssh tunnel (with local listening TCP
 stream socket) with -L local forwarding and redirect Postfix there.

What makes you believe that an SSH tunnel were any less reliable than
ssh -W?

Regards
Ansgar Wiechers
-- 
All vulnerabilities deserve a public fear period prior to patches
becoming available.
--Jason Coombs on Bugtraq


Re: Request For Port 587

2011-08-18 Thread Ansgar Wiechers
On 2011-08-18 Jeroen Geilman wrote:
 On 2011-08-18 14:59, Reindl Harald wrote:
 587 is AUTHENTICATED submission
 
 Says who ?

Chapter 4.3 of RFC 4409, unless I'm misunderstanding something.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: sender_bcc - patterns questions

2011-08-10 Thread Ansgar Wiechers
On 2011-08-10 Jeroen Geilman wrote:
 On 2011-08-10 09:20, Troy Piggins wrote:
 2.  Can you recommend a better or more elegant solution to the second
 part of the table with the /us...@mydomain.com/ etc?  I tried using
 something like this:

 /(user1)@mydomain.com/   \1_s...@mydomain.com

 but it occurred to me that the variable \1 to the right is probably
 not recognised outside the actual pattern within the //.  Correct?
 
 It is not a variable expansion. Use this instead:
 
   /(user1)@mydomain.com/  $1_s...@mydomain.com
 
 Read http://www.postfix.org/pcre_table.5.html, section Text
 Substitution for details.
 
 Note that this offers zero advantage over an exact match.

Unless you're using wildcards/alternatives in the group, that is.

  /(user1|user2|user3)@mydomain.com/ $1_s...@mydomain.com
  /(foobar-.+)@mydomain.com/ $1_s...@mydomain.com

I'd also suggest anchoring the expression on both sides, and escaping
the dot in the domain name:

  /^(.+)@mydomain\.com$/ $1_s...@mydomain.com

Otherwise the expression might inadvertently match other addresses as
well (like f...@mydomain1com.net). Yes, not very likely in this context,
I know, but I prefer to keep regular expressions as exact as possible.
It helps avoiding problems where you least expect them.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky
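To make the anchoring point concrete, here is an added example (not code from the thread or from Postfix) that models the relevant part of a pcre: table lookup in Python and runs the loose and the anchored pattern against a few constructed probe addresses; the "$1_sent@mydomain.com" result is a constructed stand-in for the rewritten address.

```python
import re

# Constructed pcre-table entries in Postfix style: (pattern, result).
# The "$1_sent@mydomain.com" result is a constructed stand-in for the
# rewritten address discussed in the thread.
LOOSE_TABLE = [
    (r"(user1|user2|user3)@mydomain.com", "$1_sent@mydomain.com"),
    (r"(foobar-.+)@mydomain.com", "$1_sent@mydomain.com"),
]

# Same entries, anchored on both ends and with the dot escaped.
STRICT_TABLE = [
    (r"^(user1|user2|user3)@mydomain\.com$", "$1_sent@mydomain.com"),
    (r"^(foobar-.+)@mydomain\.com$", "$1_sent@mydomain.com"),
]


def lookup(table, address):
    """Return the table result for `address`, or None if no entry matches.

    Models the parts of a Postfix pcre: lookup that matter here: entries
    are tried in order and the first match wins; the pattern is searched
    in the key rather than anchored to it (so a pattern without ^ and $
    can hit in the middle of a longer address); matching is
    case-insensitive by default; and $N in the result is replaced by
    capture group N.
    """
    for pattern, result in table:
        m = re.search(pattern, address, re.IGNORECASE)
        if m is None:
            continue
        return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), result)
    return None


def compare(addresses):
    """Map each address to (loose result, strict result) for side-by-side review."""
    return {a: (lookup(LOOSE_TABLE, a), lookup(STRICT_TABLE, a)) for a in addresses}


if __name__ == "__main__":
    # Constructed probe addresses: the first is the intended case, the
    # rest exercise the three holes in the loose pattern (unescaped dot,
    # missing ^, missing $).
    probes = [
        "user1@mydomain.com",
        "user1@mydomain1com.net",
        "notuser1@mydomain.com",
        "foobar-x@mydomain.com.elsewhere.example",
    ]
    for addr, (loose, strict) in compare(probes).items():
        print(f"{addr:42} loose={str(loose):28} strict={strict}")
```

Only the first probe should be rewritten; the loose table rewrites all four, the strict table rewrites just that one.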


Re: using smtpd_sender_restrictions to block mail from a domain

2011-08-08 Thread Ansgar Wiechers
On 2011-08-08 Christopher Adams wrote:
 I have attempted to block a domain from sending through my mail
 system. The result of my efforts is that this domain can still send
 mail. Here is what I have done.
 
 Created a sender_access file in /etc/postfix. The content:
 
 zeusmail.org REJECT
 apotmail.org REJECT
 
 postmap /etc/postfix/sender_access
 
 I added this to main.cf:
 smtpd_sender_restrictions = check_sender_access 
 hash:/etc/postfix/sender_access
 
 I restarted Postfix.
 
 As I said above, mail from the apotmail.org domain continues to come
 through. What have I missed?

To show evidence. Please post

a) output of postconf -n
b) output of postmap -q apotmail.org hash:/etc/postfix/sender_access
c) a log excerpt demonstrating the issue (from submission to delivery of
   the mail in question)

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Postfix , aliases : send messages failed

2011-08-03 Thread Ansgar Wiechers
On 2011-08-03 Baptiste Bauer wrote:
 On 2011-08-03 Baptiste Bauer wrote:
 I phoned yesterday my provider, it propose me a relay with necessary
 opening port.
 But securities system problems could exist , what is the critical
 level ?

 To be clear :

 It is IMPOSSIBLE to  transport, forward , alias a mail from an
 unknown domain  to an outdoordomain ( like @blackberry),

 WITH

 A closed Relay?
 No hint ? no ticks ?

Sorry, but this isn't clear at all. Please rephrase, because I have no
idea what you're asking here.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time
learning.
--Joel Spolsky


Re: Postfix , aliases : send messages failed

2011-08-03 Thread Ansgar Wiechers
On 2011-08-03 Baptiste Bauer wrote:
 From: Ansgar Wiechers [mailto:li...@planetcobalt.net] Sent: Wednesday 
 Sorry, but this isn't clear at all. Please rephrase, because I have no 
 idea what you're asking here.
 
 I draw something, it could be easy to explain : 
 http://img827.imageshack.us/img827/5074/shemax.jpg
 
 you must know my relay is close. 
 And my Boss forbids me to open it !

Umm... I would certainly hope so. You probably won't get any help from
anyone on this list for configuring an open relay. We're getting enough
spam as it is, thank you.

 So,
 Is it possible for a mail from foreigner@otherland to be forward  : 
 
 nam...@domaine.com -- Alias @world

The sender address (From:) isn't relevant for relaying. The recipient
address (To:) is.

So, at which point does the message delivery fail? Please show a full
transaction from the point where a mail from foreig...@otherland.fr
enters your Postfix to the point where the delivery fails. Try to grep a
specific queue-ID from your mail.log. Example with the queue-ID from the
log-line you posted earlier:

  grep 87CA012C922 /var/log/mail.log

If the delivery fails because your relayhost refuses to relay the
message, then - like I said before - the problem lies with the relayhost
and must be fixed by the postmaster of the relayhost.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Postfix , aliases : send messages failed

2011-08-02 Thread Ansgar Wiechers
On 2011-08-02 Baptiste Bauer wrote:
 What can i do ? i am the host . 
 I am not a veteran user of postfix configuration.
 
 
 Where can I find the configuration of the relay ? 

Please post the output of postconf -n and an excerpt from your mail
log demonstrating the problem.

Also please don't top-post.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Postfix , aliases : send messages failed

2011-08-02 Thread Ansgar Wiechers
On 2011-08-02 Baptiste Bauer wrote:
 A mail from local domain : 
 
 Aug  2 10:41:01 linux postfix/local[9724]: 51F1712C828:
 to=xxx@epsmd-aisne.fr, relay=local, delay=0.92, delays=0.87/0/0/0.05,
 dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)

That's a mail delivery TO your local domain.

 A mail from Extra : 
 
 Aug  2 13:03:36 linux postfix/smtp[21004]: 87CA012C922:
 to=xxx@blackberry.orange.fr, orig_to=xxx@gmail.fr,
 relay=mail.option-service.fr[62.244.112.128]:25, delay=0.47,
 delays=0.15/0/0.04/0.27, dsn=5.7.1, status=bounced (host
 mail.option-service.fr[62.244.112.128] said: 530 5.7.1 relay
 restricted (in reply to RCPT TO command))

You need to contact the postmaster of mail.option-service.fr and ask him
to allow relaying from your server. If he refuses, the only thing you
can do is find a different relayhost.

 Sorry for the top-post , how don't ?

You configure your mail client to start your reply BELOW the quote. Or
you do it manually.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Anyone solely using SMTP Auth for outbound mail?

2011-07-23 Thread Ansgar Wiechers
On 2011-07-22 mouss wrote:
 On 20/07/2011 22:15, Peter Tselios wrote:
 Well, since I plan to move into the Postfix wagon, from scratch, I
 want to learn more about the 587 port submission and the blockage of
 port 25 for that. What are the best practices on the matter? Are
 there any documents on that? Soren how do you implement it?
 
 The new standard recommends using port 587 (now called submission)
 for mail submission, instead of overloading port 25.
 
 it is recommended that submission access requires authentication.

Authentication is mandatory for mail submission, according to RFC4409.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Iptables stopping smtp_bind_address from working properly

2011-07-08 Thread Ansgar Wiechers
On 2011-07-08 Jeffrey Starin wrote:
 When I turn off the firewall (which I am loath to do) to my VPS I am
 able to use the command smtp_bind_address just fine.
 
 Otherwise, with firewall turned on, I am getting these time out
 errors in my maillog files:
 
 Jul  7 13:00:04 who postfix/pickup[36846]: 1F3274160009: uid=10003
 from=blabla...@mydomain.com
 Jul  7 13:00:04 who postfix/cleanup[38864]: 1F3274160009:
 message-id=20110707170002.38758.1650417736.sw...@www.mydomain.com
 Jul  7 13:00:04 who postfix/qmgr[36847]: 1F3274160009:
 from=blablabla@mydomain, size=996, nrcpt=1 (queue active)
 Jul  7 13:00:34 who postfix/smtp[40187]: connect to
 127.0.0.1[127.0.0.1]: Connection timed out (port 10027)
 Jul  7 13:00:34 who postfix/smtp[40187]: 1F3274160009:
 to=blublu...@gmail.com, relay=none, delay=32, delays=1.9/0.01/30/0,
 dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:
 Connection timed out)
 
 I cannot find in the following list of rules (which is the default
 iptables policy for the hosting company I use) what is causing the
 connection timed out issue.  If someone sees something please advise
 what needs to be done.  I am at my wits end with this problem.  Thank
 you.
 
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination
 ACCEPT icmp --  anywhere anywhereicmp

Almost 400 rules with tons of duplicates in them? You gotta be kidding.
Nobody's gonna bother checking these (unless they have A LOT of free
time on their hands).

Seriously, clean your ruleset (or rather: rebuild it from scratch)
before you try anything else.

As Harald already pointed out: for connections to localhost something
like

  iptables -A INPUT -i lo -j ACCEPT

is perfectly fine. And unless you have rather strict security
requirements (in which case your ruleset would allow far less protocols
to begin with), you can simply accept everything in the OUTPUT chain:

  iptables -P OUTPUT ACCEPT

Also, when posting your tables somewhere, use iptables -nL rather than
just iptables -L.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: smtp_tls or smtpd_tls

2011-07-05 Thread Ansgar Wiechers
On 2011-07-05 gaby wrote:
 I confuse smtp_tls. parameters settings (i.e. smtp_tls_CAfile=...)
 with smtpd_tls_ parameters settings.
 For postfix with TLS which settings are used, smtpd_tls.. or smtp_tls...?

Depends.

Do you want encrypted connections from somewhere TO Postfix? That is
achieved by smtpd_tls_* (Postfix is the server).
Or do you want encrypted connections FROM Postfix to somewhere else?
That is achieved by smtp_tls_* (Postfix is the client).

   What port is good for sent email via outlook express with postfix
 TLS 25 with requires a secure connections (SSL) or port 465 ?

Neither, nor. Use submission (port 587/tcp) for this purpose.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: unverified_recipient_tempfail_action = permit

2011-06-14 Thread Ansgar Wiechers
On 2011-06-12 Wiebe Cazemier wrote:
 From: Reindl Harald h.rei...@thelounge.net
 Am 11.06.2011 16:55, schrieb Wiebe Cazemier:
 That's not what I meant. I meant that 99% of the time, the primary
 server will be up and recipient address verification will work to
 reject (spam) messages to unknown users. Those two scenario's you
 mentioned are when the primary is down or otherwise deferring. And
 those cases happen 1% of the time (figure meant to be illustrative).
 
 so you do not need any backup-MX because if your primary is not
 available the deferring happens on the sender
 
 this is the way smtp works
 
 Default defer time for most SMTP servers is only 3 to 5 days, that is
 not long enough for me.

With all due respect, if you cannot get your primary MX up and running
again within three days, you should not be providing professional e-mail
services.

The correct solution to your problem is not a modification to some
backup MX, but fixing your response times.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Spam problem

2011-06-14 Thread Ansgar Wiechers
On 2011-06-14 Harry Lachanas ( via Freemail ) wrote:
 Just by looking at the headers Return-Path, From: and  To:
 one can sense that the following is spam ...
 
 ---
 Return-Path:access...@ms29.hinet.net
 X-Original-To: postmas...@example.com
 Delivered-To: postmas...@example.com
 Received: from localhost (unknown [127.0.0.1])
 by mail.example.gr (Postfix) with ESMTP id D17E557547EC
 forpostmas...@example.com; Tue, 14 Jun 2011 00:39:48 +0300 (EEST)
 X-Virus-Scanned: Debian amavisd-new at mail.example.gr
 Received: from mail.example.gr ([127.0.0.1])
 by localhost (mail.example.gr [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id yHroNA2goYHC forpostmas...@example.com;
 Tue, 14 Jun 2011 00:39:40 +0300 (EEST)
 Received: from [186.194.3.66] (unknown [186.194.3.66])
 by mail.example.gr (Postfix) with ESMTP id 7567357547E2
 forpostmas...@example.com; Tue, 14 Jun 2011 00:39:39 +0300 (EEST)
 Received: from [95.53.111.119] (helo=uvthdjg.mnghdffxosiys.net)
 by  with esmtpa (Exim 4.69)
 (envelope-from )
 id 1MMI1H-7816uo-2U
 for postmas...@example.com; Mon, 13 Jun 2011 18:39:39 -0300
 From:postmas...@example.com
 To:postmas...@example.com
 Subject: Re: CV 54
 ---
 a) helo host uvthdjg.mnghdffxosiys.net  does not have an ip

http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname

 b) rdns for 95.53.111.119 gives
pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru

This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:

http://www.hardwarefreak.com/fqrdns.pcre

 c) Envelope sender ie return path is different that From: header

That is not a valid indicator for spam. Take a look at arbitrary
messages you received from this list.

 d) from: and to: headers are pretending to be postmaster @ my domain.

You could use a milter to check if From: == To: and the address is from
your domain(s), but AFAIK Postfix does not have a built-in check for
this.

I would, however, blacklist any client who sends spam to a postmaster
address.

HTH

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Spam problem

2011-06-14 Thread Ansgar Wiechers
On 2011-06-14 Rich Wales wrote:
 b) rdns for 95.53.111.119 gives
pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru
 
 This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:
 http://www.hardwarefreak.com/fqrdns.pcre
 
 Additionally, a reliable DNSBL (block list) could be used to detect and
 block IP addresses which are known spam sources and/or are dynamically
 assigned.

Personally I prefer policyd-weight (to avoid rejecting valid mails
because of false positives on a single RBL), but yes.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Spam problem

2011-06-14 Thread Ansgar Wiechers
On 2011-06-14 mouss wrote:
 On 14/06/2011 20:35, Ansgar Wiechers wrote:
 On 2011-06-14 Rich Wales wrote:
 b) rdns for 95.53.111.119 gives
pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru

 This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:
 http://www.hardwarefreak.com/fqrdns.pcre

 Additionally, a reliable DNSBL (block list) could be used to detect
 and block IP addresses which are known spam sources and/or are
 dynamically assigned.
 
 Personally I prefer policyd-weight (to avoid rejecting valid mails
 because of false positives on a single RBL), but yes.
 
 non sense.

IBTD.

 just because they are a lot doesn't mean they are right. a single zen
 hit is more reliable than thousands of hits from arbitrary DNSBLs.

You may want to take an actual look at the DNSBLs policyd-weight uses.

 policyd-weight is nice. use it if you think it is the right tool for
 you. but for the sake of whatever you like: keep that for yourself
 unless you have real (mathematical) arguments.

My rationale is that no matter how reliable a single source is, they can
still be wrong at times. Getting a second opinion helps mitigating these
cases. The false negative rate is probably somewhat higher with this
setup, but I consider a limited amount of false negatives far more
tolerable than a single false positive. If you think there's something
wrong with this rationale: please elaborate.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Spam problem

2011-06-14 Thread Ansgar Wiechers
On 2011-06-14 Benny Pedersen wrote:
 On Tue, 14 Jun 2011 12:34:10 +0300, Harry Lachanas ( via Freemail ) wrote:
 Is there an rfc compliant way to reject this ???
 
 reject if sender is postmaster@ your domain
 
 and not sasl authed
 
 make this email a mailbox so sasl works

The sender isn't the postmaster address of his domain, so how is this
suggestion supposed to help?

 reject all .hinet.net email senders based on evelope sender

That would be throwing out the baby with the bath water.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Spam problem

2011-06-14 Thread Ansgar Wiechers
On 2011-06-15 mouss wrote:
 On 14/06/2011 23:21, Ansgar Wiechers wrote:
 My rationale is that no matter how reliable a single source is, they
 can still be wrong at times. Getting a second opinion helps
 mitigating these cases. 
[...]
 now consider:
 P1 = listed on zen
 P2 = listed on spamcops
 
 do you really think that
   P1 && P2
 is any better than
   P1 OR P2
 ?
 
 explain why?

Because (P1 || P2) >= (P1 && P2) for all P1, P2.

I'm trying to reduce my FRR. I am aware that this does increase my FAR.

 do you believe P1 and P2 are independent?

Yes, I do. Because P1 and P2 are maintained by independent entities (at
least AFAIK), and I'm concerned about false positives, i.e. entries that
were added by mistake. I do assume that two independent entities won't
make the same mistake at the same time.

[...]
 not convinced yet? now replace P2 with korea.services and try to
 argue. then try with P2 = sorbs. etc etc.

Why? I'm talking about policyd-weight, not an arbitrary list of RBLs.
There seems to be some misunderstanding on your part about what policyd-
weight actually does.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky
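The trade-off argued above, written out as an added note (not part of the original exchange) in the thread's own terms: $f_i$ is the probability that list $i$ wrongly lists a legitimate client, $d_i$ the probability that it lists an actual spam source, and the two lists are assumed independent.

```latex
\text{Reject on } P_1 \land P_2:\quad
  \mathrm{FRR}_{\land} = f_1 f_2 \le \min(f_1, f_2),\qquad
  \mathrm{FAR}_{\land} = 1 - d_1 d_2

\text{Reject on } P_1 \lor P_2:\quad
  \mathrm{FRR}_{\lor} = f_1 + f_2 - f_1 f_2 \ge \max(f_1, f_2),\qquad
  \mathrm{FAR}_{\lor} = (1 - d_1)(1 - d_2)

\text{Hence } \mathrm{FRR}_{\land} \le \mathrm{FRR}_{\lor}
  \text{ and } \mathrm{FAR}_{\land} \ge \mathrm{FAR}_{\lor}
  \text{ for all } f_i, d_i \in [0,1].

\text{Example: } f_1 = f_2 = 0.01,\ d_1 = d_2 = 0.9 \;\Rightarrow\;
  \mathrm{FRR}_{\land} = 10^{-4},\ \mathrm{FRR}_{\lor} \approx 0.0199,\quad
  \mathrm{FAR}_{\land} = 0.19,\ \mathrm{FAR}_{\lor} = 0.01.

\text{Caveat (fully dependent lists, } P_2 = P_1\text{): }
  \mathrm{FRR}_{\land} = f_1 \text{, so nothing is gained.}
```

The reduction in false rejections therefore depends entirely on the independence assumption; a weighted score with a threshold, as policyd-weight uses, sits between the two pure cases.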


Re: relay all mails through my postfix mail server

2011-06-10 Thread Ansgar Wiechers
On 2011-06-10 Suresh Kumar Prajapati wrote:
 I want to relay all mails through my postfix email server
 like   anytho...@nohting.com
 I'm getting relay access denied for this in maillogs.

EINSUFFICIENTDATA

Please elaborate on what you're trying to do. Relay what from where to
where? Then show a log excerpt demonstrating the problem.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: unverified_recipient_tempfail_action = permit

2011-06-09 Thread Ansgar Wiechers
On 2011-06-09 Wiebe Cazemier wrote:
 I was setting up a fallback MX server with Postfix and was struggling
 with preventing backscatter mail. I thought I found a good solution,
 but it turned out to be an illegal option. 
 
 Postfix has the ability to do recipient address verification. When
 postfix acts as a relay server, this prevents backscatter mail
 (bounces of messages because the server that is relayed to doesn't
 accept the user). Backscatter is usually caused by spam of course,
 because spam is sent to all kinds of users @example.com. 
 
 I had in mind to use recipient address verification to avoid that and
 then set unverified_recipient_tempfail_action = permit. The idea
 behind this was: 
 
 - Prevent backscatter mail when the primary host is up because every
   address is verified first.
 - Accept all mail when the primary host is down, so that incoming
   messages aren't deferred. 

Why? What issue in particular do you see with simply doing recipient
verification (and rejection of messages to invalid recipients) on both
MXs?

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: unverified_recipient_tempfail_action = permit

2011-06-09 Thread Ansgar Wiechers
On 2011-06-10 Wiebe Cazemier wrote:
 Ansgar Wiechers li...@planetcobalt.net wrote:
 On 2011-06-09 Wiebe Cazemier wrote:
 I was setting up a fallback MX server with Postfix and was struggling
 with preventing backscatter mail. I thought I found a good solution,
 but it turned out to be an illegal option. 
 
 Postfix has the ability to do recipient address verification. When
 postfix acts as a relay server, this prevents backscatter mail
 (bounces of messages because the server that is relayed to doesn't
 accept the user). Backscatter is usually caused by spam of course,
 because spam is sent to all kinds of users @example.com. 
 
 I had in mind to use recipient address verification to avoid that and
 then set unverified_recipient_tempfail_action = permit. The idea
 behind this was: 
 
 - Prevent backscatter mail when the primary host is up because every
   address is verified first.
 - Accept all mail when the primary host is down, so that incoming
   messages aren't deferred. 
 
 Why? What issue in particular do you see with simply doing recipient
 verification (and rejection of messages to invalid recipients) on both
 MXs?
 
 Well, when the primary is down, all incoming messages on the fallback
 are deferred, because it can't do the verification. This means the
 result is the same as having no fallback at all.

There's more than one way to do recipient verification. Use
$relay_recipient_maps on the backup MX. And don't top-post.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Verifying relay recipients for upstream Exchange backend

2011-06-02 Thread Ansgar Wiechers
On 2011-06-01 Len Conrad wrote:
 At 04:48 PM 6/1/2011, you wrote:
 On 2011-06-01 Shawn Heisey wrote:
 I do the first option by running a script on the exchange server every
 15 minutes, then grabbing the result five minutes later from the mail
 relays.  It does some sanity checks before replacing relay_recipients
 and postmapping it.
 
 The Windows side (Exchange 2010 on 2008R2) of the process consists of
 VBScript to grab the info from AD, which then runs a perl script to
 clean up the file.
 
 What for? You can easily do all the cleaning with VBScript.
 
 I've been using this one for a couple years:
 
 http://www-personal.umich.edu/~malth/gaptuning/postfix/getadsmtp.pl
 
 awk to format it to a two-field ; delimited file, and then mysqlimport 

I'm aware that this can be done in Perl. I just don't see any point in
using VBScript to extract the data, and then switching to Perl for
further processing.

I also don't see any point in using awk to transform the output of a
Perl script, BTW.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Verifying relay recipients for upstream Exchange backend

2011-06-01 Thread Ansgar Wiechers
Hello list

I'm aware of two ways to verify recipients when relaying mail to
upstream Exchange servers:

- Export recipient addresses from AD and use that list as
  $relay_recipient_maps.
- Use an LDAP query in $relay_recipient_maps.

I seem to recall that there was a third option where Postfix would probe
the nexthop before accepting the mail, but was unable to find it in the
list archive. Can someone refresh my memory? Or did I mis-remember that?

TIA

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Verifying relay recipients for upstream Exchange backend

2011-06-01 Thread Ansgar Wiechers
On 2011-06-01 lst_ho...@kwsoft.de wrote:
 Quoting Ansgar Wiechers li...@planetcobalt.net:
 I'm aware of two ways to verify recipients when relaying mail to
 upstream Exchange servers:
 
 - Export recipient addresses from AD and use that list as
   $relay_recipient_maps.
 - Use an LDAP query in $relay_recipient_maps.
 
 I seem to recall that there was a third option where Postfix would probe
 the nexthop before accepting the mail, but was unable to find it in the
 list archive. Can someone refresh my memory? Or did I mis-remember that?
 
 As always the really fine documentation is of help:
 
 http://www.postfix.org/postconf.5.html#reject_unverified_recipient

Ah, yes, that seems to be it. Thank you.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Verifying relay recipients for upstream Exchange backend

2011-06-01 Thread Ansgar Wiechers
On 2011-06-01 Shawn Heisey wrote:
 On 6/1/2011 12:57 PM, Ansgar Wiechers wrote:
 I'm aware of two ways to verify recipients when relaying mail to
 upstream Exchange servers:
 
 - Export recipient addresses from AD and use that list as
   $relay_recipient_maps.
 - Use an LDAP query in $relay_recipient_maps.
 
 I seem to recall that there was a third option where Postfix would
 probe the nexthop before accepting the mail, but was unable to find
 it in the list archive. Can someone refresh my memory? Or did I mis-
 remember that?
 
 I do the first option by running a script on the exchange server every
 15 minutes, then grabbing the result five minutes later from the mail
 relays.  It does some sanity checks before replacing relay_recipients
 and postmapping it.
 
 The Windows side (Exchange 2010 on 2008R2) of the process consists of
 VBScript to grab the info from AD, which then runs a perl script to
 clean up the file.

What for? You can easily do all the cleaning with VBScript.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky
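For the export-based approach described in this thread (AD export feeding $relay_recipient_maps, with sanity checks before postmap), here is an added example of the cleaning and safety step; it is not Shawn's script, not Ansgar's, and not Postfix code, and the export sample, the relay domain and the shrink threshold are constructed.

```python
import re

# Constructed sample of an address export as a script on the Exchange
# side might hand it over: one SMTP address per line, including the kinds
# of noise a raw export can carry (case differences, duplicates, stray
# whitespace and CRLF, a line that is not an address, a foreign domain).
SAMPLE_EXPORT = (
    "alice@example.com\n"
    "Bob@Example.com\n"
    "alice@example.com\n"
    "carol@example.org\n"
    " dave@example.com \r\n"
    "not-an-address\n"
    "eve@elsewhere.example\n"
)

# The domains this relay accepts mail for ($relay_domains); constructed.
RELAY_DOMAINS = {"example.com"}

# Deliberately simple syntax check; enough to catch export junk.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def clean_export(text, relay_domains):
    """Split an export into (accepted, rejected).

    accepted: lower-cased, de-duplicated addresses whose domain is one we
              relay for, in first-seen order.
    rejected: the raw lines that were dropped, so the run can be audited.
    """
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADDR_RE.match(line)
        if m is None or m.group(1).lower() not in relay_domains:
            rejected.append(line)
            continue
        addr = line.lower()
        if addr not in seen:
            seen.add(addr)
            accepted.append(addr)
    return accepted, rejected


def render_map(addresses):
    """Render the hash: table source for relay_recipient_maps (postmap input)."""
    return "".join(f"{addr} OK\n" for addr in sorted(addresses))


def safe_to_replace(new_count, old_count, max_shrink=0.5):
    """Decide whether the freshly built table may replace the current one.

    An empty export, or one that lost more than max_shrink of the entries
    in the current table, most likely means the export itself failed; if
    it were installed anyway the relay would start rejecting valid
    recipients (the inverse of the backscatter problem the table prevents).
    """
    if new_count == 0:
        return False
    if old_count == 0:
        return True
    return new_count >= old_count * (1 - max_shrink)


if __name__ == "__main__":
    accepted, rejected = clean_export(SAMPLE_EXPORT, RELAY_DOMAINS)
    print(render_map(accepted), end="")
    print("rejected:", rejected)
    print("replace current 3-entry table:", safe_to_replace(len(accepted), 3))
```

Only after safe_to_replace() agrees would the rendered text be written to the table source and postmap run on it.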


Re: Bad recipient address syntax

2011-05-26 Thread Ansgar Wiechers
On 2011-05-26 İhsan Doğan wrote:
 I've got the issue, that the - character in an e-mail address is
 not accepted by Postfix.
[...]
 What is the reason, that Postfix is not accepting - as the first
 character in an e-mail address?

http://www.postfix.org/postconf.5.html#allow_min_user

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: filter incoming bounce messages for one email account

2011-05-10 Thread Ansgar Wiechers
On 2011-05-10 Eero Volotinen wrote:
 Is there nice way to disable incoming bounces for one email account?
 This account is used for reporting and I want disable incoming bounce
 messages for it.

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

Section Back-Scatter To Non-Sending (Role) Addresses.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: SMTP AUTH

2011-05-04 Thread Ansgar Wiechers
On 2011-05-04 Benny Pedersen wrote:
 On Wed, 4 May 2011 22:47:41 +0530, punit jain wrote:
 When I send a mail from a local user to local domain user hosted on
 my server I want to make sure it still asks for auth request. 
 
 How do I achieve it ?
 
 remove any content of permit_mynetworks
 
 and replace it with permit_* of other choices

Wouldn't it be better to leave permit_mynetworks in place and restrict
$mynetworks to 127.0.0.0/8 instead?

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: SMTP AUTH

2011-05-04 Thread Ansgar Wiechers
Please keep this conversation on-list.

On 2011-05-05 punit jain wrote:
 Wouldn't it be better to leave permit_mynetworks in place and restrict
 $mynetworks to 127.0.0.0/8 instead?
 
 Exactly what I pointed out for webmail users.
 
 But that does not solve the issue of Auth enable for all users as SMTP
 AUTH does not apply when mail is sent locally.
 
 How do I enforce that ?

Don't give your users login rights on your mail server.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Spoofing problem

2011-05-02 Thread Ansgar Wiechers
On 2011-05-02 R F wrote:
 I thought I had this one fixed a while back but apparently not. I want
 to reject emails like this that are sent from one person but claim to
 be another. Ideas? Notice the first line and the last line:
[...]
 Thanks for any ideas.

Quoting from the headers of your own mail to this list:

8<--------
Return-Path: owner-postfix-us...@postfix.org
[...]
From: R F mountain2cl...@gmail.com
8<--------

Rejecting based on difference between from and envelope-from may not be
as good an idea as you think.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: smptd_client_restriction

2011-04-12 Thread Ansgar Wiechers
On 2011-04-12 mejaz wrote:
 Sorry, maybe some lines were not copied properly in my previous Email. Here is
 the output of postconf -n and you will find mynetworks in second last line. 
[...]
 transport_maps = hash:/etc/postfix/transport
 unknown_local_recipient_reject_code = 550

In the second last line I find transport_maps [1], which is an entirely
different beast than mynetworks [2].

[1] http://www.postfix.org/postconf.5.html#transport_maps
[2] http://www.postfix.org/postconf.5.html#mynetworks

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: [PATCH] inet_interfaces = none

2011-04-05 Thread Ansgar Wiechers
On 2011-04-05 Christoph Moench-Tegeder wrote:
 ## Wietse Venema (wie...@porcupine.org):
 Well, postfix still doesn't relay mail to hosts with its own host
 name in the server greeting (host ... greeted me with my own
 hostname ... and host ... replied to HELO/EHLO with my own
 hostname ...), so it's not that easy to shoot one's own foot.
 
 Loops can happen between Postfix MTAs and non-Postfix MTAs.  It's a
 mistake to assume that all non-Postfix MTAs will implement all the
 Postfix safety mechanisms.
 
 That's why I wrote not that easy, not impossible. Admittedly,
 linux distributors and their users were not included in my threat
 model, I simply disabled smtpd.
 
 To make the patch safe, it should add code to the SMTP server that
 refuses to receive mail when inet_interfaces is turned off.
 
 Thanks for the suggestion, I'll look into that (but probably not
 today).
 
 The beauty of open source. We solve a problem by removing a safety
 mechanism.
 
 It would be a shame if we spend more time on the discussion of the
 short-sightedness of my patch than I'd have to spend on fixing my
 patch - just to have a better patch documented for those trapped with
 broken setups like mine. Don't panic, I'll come up with that one
 later.

Perhaps I'm missing something, but wouldn't it be a better solution for
your problem to set inet_interfaces = loopback-only in main.cf and
something like 2025 inet n - n - - smtpd in master.cf?

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Configuring TLS with sender login maps

2011-04-04 Thread Ansgar Wiechers
On 2011-04-02 Reindl Harald wrote:
 Am 02.04.2011 23:17, schrieb Jeroen Geilman:
 I see Mr Reindl is butting his big mouth in again
 
 is your toilet broken or why is your neck so big?

You've repeatedly shown an attitude on this list that I consider
objectionable, to say the least. Would you mind keeping it to yourself?
Thank you.

 I should do nothing.
 
 YOU can do what you want, but do not recommend others wrong things

He didn't.

[...]
 Because the primary value of TLS on a mail client is to be able to
 send encrypted login information, and prevent sniffing on local LAN
 networks
 
 *lol*
 
 you know about cram-md5 / digest-md5
 this is for login-information

You do realize that these have other disadvantages, don't you? Like the
requirement to store the user's unencrypted password on the server.

[...]
 I can only repeat that your preposterous SHOULD demands are silly.
 Guaranteed end-to-end encryption is not a job for the MTA.
 Use PGP or GPG to achieve message confidentiality.
 
 you were the who spoke about the majority?
 the majority is not using GPG!

Which doesn't change anything about the fact that PGP/GPG is suited for
ensuring end-to-end confidentiality, while TLS is not. TLS only ever
guarantees encrypted transmission to the next HOP. Period. Live with it.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: virtual_alias_maps and recipient_delimiter

2011-03-30 Thread Ansgar Wiechers
On 2011-03-30 Corey Quinn wrote:
 On Mar 30, 2011, at 12:46 PM, Noel Jones wrote:
 # main.cf
 smtp_generic_maps =
  regexp:/etc/postfix/generic.regexp
 
 # generic.regexp
 IF /+.*@example\.com$/
 /^(.*)+/  $1...@example.com
 ENDIF
 
 Threw this verbatim into my generic.regexp:
 
 [root@mx1 postfix]# postmap -q user+t...@example.com regexp:generic.regexp 
 postmap: warning: regexp map generic.regexp, line 1: Invalid preceding 
 regular expression
 postmap: warning: regexp map generic.regexp, line 4: ignoring ENDIF without 
 matching IF
 user+t...@example.com@example.com
 
 On the plus side, I figured out how to do something interesting by
 reading through the regexp documentation-- this solved another
 challenge I'd been facing.

'+' has a special meaning in regular expressions (one or more times the
preceding term), so you need to escape it to match a literal '+':

if /\+.*@example\.com$/
/^(.*)\+/ $1...@example.com
endif

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: bcc: header

2011-03-23 Thread Ansgar Wiechers
On 2011-03-23 Reindl Harald wrote:
 Am 23.03.2011 20:55, schrieb Jeroen van Aart:
 I tried the following in telnet session, but for some reason the
 email is only sent to the rcpt to: address. None of the Bcc'ed
 addresses receive a copy. Am I missing something obvious?

Yes. Mail servers deliver mail only by envelope, not by the headers of
the mail. Your mail client initially takes the addresses that you
entered into the TO, CC and BCC fields and puts them onto the envelope
for you (i.e. uses them in the RCPT TO command). This works almost
exactly like snail mail. The postmen just look at the address you wrote
on the envelope. They don't go opening the envelope to check what
address you wrote on the letter inside it.

 rcpt to: n...@example.com
 250 2.1.5 Ok
 data
 354 End data with CRLF.CRLF
 bcc: somen...@example.net, anothern...@example.org
 
 testing
 
 BCC is a header so why you put it in the mail-body?

Everything that isn't part of the envelope comes after the DATA command.
This includes not only the body, but also the headers of the e-mail.
Normally a Bcc: header wouldn't be included, though, because otherwise
the B(lind) would be rather pointless and one could have just as well
put the addresses into the Cc: header.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky
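What the explanation above amounts to in code, as an added example that is not part of the list post: a mail client collects every To:, Cc: and Bcc: address into the envelope (one RCPT TO each) and strips the Bcc: header from what it sends after DATA, so the MTA never needs to look inside. The draft message and all addresses are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed draft as a mail client would hold it before submission; the
# addresses are placeholders under RFC 2606 reserved domains.
DRAFT = """\
From: Sender <sender@example.com>
To: name@example.com
Cc: someone@example.net
Bcc: hidden@example.org, Another <another@example.org>
Subject: testing

testing
"""


def envelope_from_headers(raw):
    """Return (envelope recipients, message text to send after DATA).

    The envelope is built from every address in To:, Cc: and Bcc:, which is
    the only thing the MTA delivers by; the Bcc: header itself is removed so
    the blind recipients do not leak to the others."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    rcpts, seen = [], set()
    for _name, addr in getaddresses(headers):
        if addr and addr.lower() not in seen:   # same address once on the envelope
            seen.add(addr.lower())
            rcpts.append(addr)
    del msg["Bcc"]          # removes every Bcc: header, case-insensitively
    return rcpts, msg.as_string()


def smtp_envelope(raw):
    """Client-side SMTP envelope commands for the draft, in order; the
    envelope sender is taken from the From: header here."""
    msg = message_from_string(raw)
    sender = getaddresses(msg.get_all("From", []))[0][1]
    rcpts, _data = envelope_from_headers(raw)
    return [f"MAIL FROM:<{sender}>", *[f"RCPT TO:<{r}>" for r in rcpts], "DATA"]
```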


Re: Kernel Oops

2011-03-07 Thread Ansgar Wiechers
On 2011-03-07 Stan Hoeppner wrote:
 mouss put forth on 3/6/2011 7:03 PM:
 /^.*foo/
 means it starts with something followed by foo. and this is the same
 thing as it contains foo, which is represented by
 /foo/
 
 I was taught to always start my expressions with /^ and end them
 with $/.  Why did Steven teach me to do this if it's not necessary?

I wouldn't know what his rationale was, but Noel and mouss are certainly
right. Anchoring something between wildcard matches is utterly
pointless.

As mouss explained above, /^.*foo/, /.*foo/ and /foo/ produce the same
results. That is, unless your regexp processor implicitly anchors an
expression at the beginning of the string, in which case you'd need the
leading .*, but still won't need to explicitly anchor it with a ^.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky
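A simplified emulation of Postfix regexp table lookups in Python, added here as an example that is not from any of the posts; it serves both the virtual_alias_maps thread above (why the unescaped "+" fails to compile, and how the escaped table rewrites user+test@example.com) and the anchoring question in this thread. The two tables are reconstructed from that thread, the rewrite target "$1@example.com" is an assumption (the archive masks the original), and the emulator assumes Python's re semantics rather than POSIX ERE.

```python
import re

# Constructed copies of the two generic.regexp tables from the thread (the
# rewrite target "$1@example.com" is an assumption; the archive masks it).
TABLE_BROKEN = "IF /+.*@example\\.com$/\n/^(.*)+/  $1@example.com\nENDIF\n"
TABLE_FIXED = "if /\\+.*@example\\.com$/\n/^(.*)\\+/ $1@example.com\nendif\n"

# one table line: optional "if", /pattern/, optional result
_LINE = re.compile(r"^(if\s+)?/(.*)/\s*(\S.*)?$", re.IGNORECASE)


def parse_table(text):
    """Compile a table into (rules, warnings).  Like postmap, a line whose
    pattern does not compile is dropped with a warning; a broken IF therefore
    opens no block, which is why its ENDIF is reported as orphaned."""
    rules, warnings, depth = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower() == "endif":
            if depth == 0:
                warnings.append(f"line {lineno}: ignoring ENDIF without matching IF")
            else:
                depth -= 1
                rules.append(("endif", None, None))
            continue
        m = _LINE.match(line)
        if m is None:
            warnings.append(f"line {lineno}: ignoring unrecognised line")
            continue
        try:  # Postfix patterns are case-insensitive unless flagged otherwise
            rx = re.compile(m.group(2), re.IGNORECASE)
        except re.error as err:  # e.g. a leading '+' with nothing to repeat
            warnings.append(f"line {lineno}: {err}")
            continue
        if m.group(1):
            depth += 1
            rules.append(("if", rx, None))
        else:
            rules.append(("rule", rx, m.group(3) or ""))
    return rules, warnings


def lookup(rules, key):
    """Unanchored search, first matching rule wins, $N expands to group N."""
    skip = 0  # nesting depth inside an IF block whose condition failed
    for kind, rx, result in rules:
        if kind == "endif":
            skip = max(skip - 1, 0)
        elif skip:
            skip += kind == "if"
        elif kind == "if":
            skip = 0 if rx.search(key) else 1
        elif (m := rx.search(key)):
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", result)
    return None


PATTERNS = (r"^.*foo", r".*foo", r"foo")

def anchoring_variants(text):
    """Results for /^.*foo/, /.*foo/, /foo/ under unanchored search (what the
    tables do: all agree) and under an implicitly anchored matcher (re.match),
    where a leading .* is needed but ^ still is not."""
    return (tuple(bool(re.search(p, text)) for p in PATTERNS),
            tuple(bool(re.match(p, text)) for p in PATTERNS))
```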


Re: reverse dns problem

2011-03-01 Thread Ansgar Wiechers
On 2011-03-01 Matteo Cazzador wrote:
 Ok thanks  but if my server will be a virtual mail server?
 with same ip to serve different domain?

Then that other domain should use mail.brunosrl.net as its MX. Problem
solved.

And please don't top-post.

Regards
Ansgar Wiechers
-- 
All vulnerabilities deserve a public fear period prior to patches
becoming available.
--Jason Coombs on Bugtraq


Re: Spam Backscatter

2011-02-01 Thread Ansgar Wiechers
On 2011-02-02 Simon wrote:
 We are receiving what appears to be backscatter from spam that is
 using a valid address in the Return Path. I have included an example
 of the header info from one of the spam messages below. The "From" and
 "To" addresses just seem to be random and are not related to us in any
 way. Does anyone know how to block this sort of backscatter?

I wrote a backscatter filter based on smtpprox to handle this.

http://www.planetcobalt.net/sdb/backscatter.shtml

WFM, but AFAIK not tested outside low traffic environments.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: why is messaging relaying happening

2011-01-22 Thread Ansgar Wiechers
On 2011-01-22 Jerrale G wrote:
 you didn't include your entire postfix main.cf

Posting main.cf is discouraged. It's better to post the output of
postconf -n as that will show the current configuration.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: About website www.postfix.org

2011-01-16 Thread Ansgar Wiechers
On 2011-01-17 ?? ?? wrote:
 Each time I want to read some documentation on www.postfix.org I type
 postfix.org in an address line and see an error, and each time I
 think, that main postfix site is down. Could site administrators
 finally configure main postfix site in the correct way, as for now -
 it's something shameful. Add redirect, alias or something else, but
 postfix.org without www ought to show something intelligible, not an
 error about non-existent site.

You lack basic understanding of DNS. Fix that. The requirement you seem
to presume doesn't exist.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: another stupid question about exporting valid users from windows 2008 domain to postfix valid users map

2011-01-10 Thread Ansgar Wiechers
On 2011-01-08 Patrick Ben Koetter wrote:
 * Eero Volotinen eero.voloti...@iki.fi:
 Does this still work for windows 2008 ad? :
 http://postfix.state-of-mind.de/patrick.koetter/mailrelay/#d0e149
 
 or is there better way to do it?
 
 The script is old. You are probably better off, if you use ldifde.exe
 to query the AD and get LDIF as export format. The rest is sed awk
 magic.

That is one option. The VBScript below should work too.

8<--------
Const OutputFile = "virtual.txt"

Set rootDSE = GetObject("LDAP://RootDSE")

' open ADO connection
Set adoConn = CreateObject("ADODB.Connection")
adoConn.Provider = "ADsDSOObject"
adoConn.Open "Active Directory Provider"

' query all user objects below the domain root for their proxy addresses
Set adoCmd = CreateObject("ADODB.Command")
adoCmd.ActiveConnection = adoConn
adoCmd.CommandText = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">;" _
  & "(&(objectCategory=person)(objectClass=user));" _
  & "distinguishedName,proxyAddresses;subtree"
adoCmd.Properties("Page Size") = 100
adoCmd.Properties("Timeout") = 30
adoCmd.Properties("Cache Results") = False

Set addresses = CreateObject("Scripting.Dictionary")
addresses.CompareMode = vbTextCompare   ' addresses differing only in case are duplicates

' enumerate all users from AD, store all smtp addresses in a dictionary
' (keyed by the bare address to avoid duplicates)
Set adoRS = adoCmd.Execute
Do Until adoRS.EOF
  If Not IsNull(adoRS.Fields("proxyAddresses").Value) Then
    For Each addr In adoRS.Fields("proxyAddresses").Value
      If Left(LCase(addr), 5) = "smtp:" Then
        mailAddr = Mid(addr, 6)
        If Not addresses.Exists(mailAddr) Then addresses.Add mailAddr, True
      End If
    Next
  End If
  adoRS.MoveNext
Loop
adoRS.Close

adoConn.Close

' create output file with Unix line breaks, one "address  OK" line per entry
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(OutputFile, 2, True)
For Each mailAddr In addresses.Keys
  f.Write mailAddr & "  OK" & vbLf
Next
f.Close

WScript.Echo "Finished."
8<--------

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: another stupid question about exporting valid users from windows 2008 domain to postfix valid users map

2011-01-09 Thread Ansgar Wiechers
On 2011-01-09 lst_ho...@kwsoft.de wrote:
 Zitat von Eero Volotinen eero.voloti...@iki.fi:
 Does this still work for windows 2008 ad? :
 http://postfix.state-of-mind.de/patrick.koetter/mailrelay/#d0e149

 or is there better way to do it?

 In most cases it would be best to query Windows AD by LDAP without the  
 need for script magic and without synchronisation delays.

No, it wouldn't. The reason for this is explained in the section MAPS
built from LDAP queries on the same page.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Reject unencrypted messages

2011-01-06 Thread Ansgar Wiechers
On 2011-01-06 IT geek 31 wrote:
 My accountant and I both have digital certificates and most of the
 time encrypt our mails.  But he often forgets, meaning sensitive
 information is sent in plaintext.
 
 Is there any way to instruct Postfix to reject his mail unless it is
 encrypted?
 
 I know I can setup TLS, but that is something I don't want to do just
 yet.
 
 Any ideas?

I'm going to assume that you're talking about encrypting the mail
content for either outbound or internal mail. TLS won't help you there,
because it encrypts only the connection to the next HOP, not end-to-end.

What technology are you using? GPG/PGP or S/MIME? For GPG a friend of
mine and myself wrote a simple encrypting proxy [1] (I suppose it could
be adapted for S/MIME). The Proxy will drop all recipients for whom no
encryption key exists from the mail. It will drop the mail altogether,
if none of the recipients have an encryption key. Are you positive that
your accountant will never have to send unencrypted mail?

[1] http://www.planetcobalt.net/download/crypter.pl

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Postfix queue in Mysql ?

2010-12-29 Thread Ansgar Wiechers
On 2010-12-29 Joan Moreau wrote:
 Well, I am surprised by the tone of those emails. 

I, on the other hand, am very surprised how you consistently avoid
giving this list any details about your configuration or your actual
problem.

Please either supply the information you've been asked for (several
times), or stop wasting everyone's time.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Alias problem

2010-12-17 Thread Ansgar Wiechers
On 2010-12-17 Boštjan Müller wrote:
 I have a problem with aliases, and would like to make it work.
 I have the following situation: I have two servers, one Postfix v 2.0.18
 and on the other (new one) v 2.6.5.
 The problem is that I have migrated some users to the new server and
 set up transport maps for them on the old server. The users are also
 referred to in /etc/aliases file. Still somehow these specific users
 do not receive mail when sent to the alias they are in. And also there
 is no message in the logs that would explain the situation.


 aliases are grouped:
 aliasmaster: alias1, alias2, alias3, ...
 alias1: user1, user2, user3
 alias2: user4, user5, user6
 ...

 So the mail is always sent to aliasmas...@domain.tld

 I have also tried adding usern...@newmailserverfqdn to the aliases
 file, but it seems to behave exactly the same as before - the users
 are just being ignored.
 I did run postalias (many times...).

 Can someone enlighten me on what I am doing wrong and how to fix it?
 I would really appreciate your help since right now I have run out of
 ideas.

Please post the output of postconf -n as well as a log excerpt
demonstrating the problem.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Adding a reply-to header when none is present

2010-12-11 Thread Ansgar Wiechers
On 2010-12-10 thussvm wrote:
 Because of a domain move we're doing, we're trying to add a reply-to
 header in postfix when no reply-to header is already present. The rule
 we're using is:
 
 !/^Reply-To/ prepend Reply-To: Support supp...@ourdomain.org
 
 However, since the check is being applied to each header line we get a
 bunch of reply-to's prepended instead of just one. Is there a regex we
 can use to say:
 
 If no reply-to header exists anywhere in the headers
then prepend one reply-to header

As others have already said: header_checks inspects one header at a time,
not all headers as a whole.

If your mail goes through Postfix only once, you could try prepending
some unique header (e.g. Subject or Message-ID) with the Reply-To
header:

  if /^message-id:/
/^message-id:/ PREPEND Reply-To: Support supp...@example.org
  endif

However, that's merely a workaround (and an ugly one at that), not a
real solution.

And please use RFC 2606 domain names instead of some made-up fake domain
that may actually be a real domain belonging to someone else. That's why
the domains in RFC 2606 are reserved after all.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky

