Re: relay_domains vs virtual_mailbox_domains
On Wed, 2009-09-09 at 07:16 +0100, Steve Heaven wrote:
> On Wed, 2009-09-09 at 00:27 +0200, mouss wrote:
> > Steve Heaven wrote:
> > the old: try to pass to next, until final server accepts or rejects is no more acceptable. recipients must be checked at the edge. postfix provides reject_unverified_recipient to help you for that (assuming the next relay really validates the recipient).
>
> That's the problem. Most of our clients that we relay mail for run Microsoft SBS Exchange which doesn't verify probes. It accepts mail for any user and sends an undeliverable report back to the sender.

Are you saying that it is not possible to configure it to reject users that don't exist at the SMTP level? Are you *sure*? So if you telnet in to it and send mail for anyoldrubb...@domain.co.uk it accepts it? I would be gobsmacked. Surely this is a simple configuration issue?

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.
Re: relay_domains vs virtual_mailbox_domains
From: Clunk Werclick mailbacku...@googlemail.com
Reply-to: mailbacku...@googlemail.com
Cc: postfix-users@postfix.org
Subject: Re: relay_domains vs virtual_mailbox_domains
Date: Tue, 08 Sep 2009 09:28:36 +0100
Mailer: Evolution 2.24.3

On Tue, 2009-09-08 at 08:52 +0100, Steve Heaven wrote:
> On Mon, 2009-09-07 at 11:50 -0400, Sahil Tandon wrote:
> > You should not accept mail for invalid recipients. Use existing functionality to build a cache/database of valid recipients on the fly. See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> We have no way of knowing if the recipient address is valid or not as we are only acting as a relay for the final destination. We cannot build a database of recipients on the fly as that information is held on the various servers of our clients, to which we do not have access.

Please forgive the bluntness - and drifting off a bit as I've not seen all of this;

If you are acting as a relay and not able to verify the final recipients exist - you will quickly run into serious problems and side effects. Postfix provides a probing/discovery mechanism that spares you the need to build maps - it's not ideal when compared to the sheer speed of SQL, MAPS or LDAP, but it exists - so there is no excuse to accept mail for invalid recipients with Postfix. The link given tells you how this 'probing' works.

Failing to verify final recipients means you will probably accept mail that is sequentially refused, leaving you holding the baby and having to bounce it. (Old Chinese Proverb say, man who gives 250 OK to SMTP, take ownership and responsibility). With invalid recipients, the sender is usually forged and as your relay has nothing left to do but bounce the message, your IP(s) are going to become really unpopular *fast*, and probably have it blacklisted in no time at all.

This is, of course, not only limited to invalid recipients. Accepting any kind of mail for a destination that cannot be delivered gives the same problem. Perhaps the recipient is valid, but the destination refused the message because of the content/spam. You end up holding the baby again.

If you really need the ability to catch all without bounce then the final destination needs to absolutely white list everything you throw at it - regardless of recipient or content. That is most certainly *not* ideal without some serious UCE measures on the relay itself.

In commercial solutions I have seen, RELAYS have held the message and not given a 250 until the final destination has taken it -or- (less ideal) taken the message and put it into an 'outbound' Postfixen where it is retried for 48-72 hours. This gives the Relay admin time to see it and liaise with the final destination host admin. This would be a real headache if you wind up with thousands of messages in the queue for invalid recipients, bringing us full circle to the topic once more.

Good luck with what it is you are doing.

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
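The question running through this thread is whether the next hop rejects unknown recipients during the SMTP dialogue, because reject_unverified_recipient only helps if it does. The following is an added example, not code from any poster: it probes one known and one random address over a single session and classifies the next hop. The function names, the DemoSession stand-in and the example addresses are assumptions made for illustration.

```python
import secrets
import smtplib
import sys


def reply_kind(code):
    """Map an SMTP reply code to accepted / deferred / rejected."""
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "deferred"
    return "rejected"


def probe_recipient(session, probe_sender, rcpt):
    """MAIL FROM + RCPT TO for one address, then RSET: no message is sent."""
    session.rset()
    code, _ = session.mail(probe_sender)
    if reply_kind(code) != "accepted":
        return reply_kind(code)  # the probe sender itself was refused
    code, _ = session.rcpt(rcpt)
    session.rset()
    return reply_kind(code)


def check_next_hop(session, domain, known_rcpt, probe_sender=""):
    """Classify a next-hop server as 'validates', 'catch-all' or 'inconclusive'.

    session is a connected smtplib.SMTP (or an object with the same
    ehlo/mail/rcpt/rset methods). An empty probe_sender sends MAIL FROM:<>.
    """
    session.ehlo()
    # A random local part that cannot collide with a real mailbox.
    bogus = "no-such-user-%s@%s" % (secrets.token_hex(8), domain)
    known = probe_recipient(session, probe_sender, known_rcpt)
    unknown = probe_recipient(session, probe_sender, bogus)
    if unknown == "accepted":
        # Every probe succeeds, so the relay still accepts mail that the
        # next hop bounces later: the backscatter case described above.
        return "catch-all"
    if unknown == "rejected" and known == "accepted":
        return "validates"
    # Greylisting, a blocked probe sender, or a wrong "known" address.
    return "inconclusive"


class DemoSession:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self, mailboxes=None):
        self.mailboxes = mailboxes  # None means: accept any recipient

    def ehlo(self):
        return (250, b"demo")

    def rset(self):
        return (250, b"2.0.0 Ok")

    def mail(self, sender):
        return (250, b"2.1.0 Ok")

    def rcpt(self, rcpt):
        if self.mailboxes is None or rcpt in self.mailboxes:
            return (250, b"2.1.5 Ok")
        return (550, b"5.1.1 User unknown")


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: script NEXT_HOP_HOST DOMAIN KNOWN_ADDRESS (your own next hop)
        host, domain, known = sys.argv[1:4]
        with smtplib.SMTP(host, 25, timeout=15) as smtp:
            print(check_next_hop(smtp, domain, known))
    else:
        print(check_next_hop(DemoSession(), "example.net", "bob@example.net"))
        print(check_next_hop(DemoSession({"bob@example.net"}),
                             "example.net", "bob@example.net"))
```

A "catch-all" result means recipient validation has to be enabled on the next hop, or a recipient map maintained on the relay, before address verification can protect the relay.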
Re: [Bounce Handling] Searching information
On Tue, 2009-09-08 at 13:27 +0200, no_s...@cardiff.fr wrote:
> Hello postfix users
>
> We have approx 150 customers that wish to do marketing email with their customers, and we have had these customers knowing former spam listing, because they / we did not cope feedback loops, list retrieval and all the ‘quality service’ recommendations.

So they *are* spammers then?

> Where am I wrong, and what is necessary to setup bounce handling knowing that :
> 1- Bounces return addresses are constructed dynamically, and there is no real user account corresponding to bounce.--x...@bounces.f.net

If you are sending mail to valid users who have opted in, it won't bounce. Will it :-)

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
RE: [Bounce Handling] Searching information
On Tue, 2009-09-08 at 14:02 +0200, no_s...@cardiff.fr wrote:
> [Humour on]Wooow

{snip}

The answer is you check your logs, write a script to check your logs and update your databases - or use one of the many mailing list manager programs that exist. Postfix is simply the MTA. In fact I guess this very mailing list is using something similar to what you need.

Forgive the bluntness of my response.

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: How to block spammers appearing as local users?
On Wed, 2009-09-02 at 18:22 +0200, Benny Pedersen wrote:
> On ons 02 sep 2009 18:07:27 CEST, LuKreme wrote
> > > who says this ip is dynamic, just because the hostname look like it is ?
> >
> > Erm don't be naive. If they can't be bothered to have a better rDNS then I can't be bothered to get their spam.
>
> who is naive now ?, i have seen dynamic ip with a static looking hostname, should you just accept it ?

1. ppp = point to point protocol? Tends to smell a bit of dsl/dialup
2. The IP is in the PBL because it is dynamic.

Forgive Benny, he is just a bit odd.

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
report to consolidate allowed messages
Hello,

I have been toying with the best way to produce a report of 'allowed' messages that have made it all the way through my Postfix. I love the Postfix logs, they give such detail on failures and refusals and parsing this is quite straightforward.

The entertainment commences when I try to figure out how to produce a report of 'allowed' messages. This needs to contain just a few pieces of key information;

date/time
from
to
subject
client IP

At first, I thought 'this will be easy' but upon closer examination this is not as simple as it looks. Where Postfix is multi-process, the bits of information are in different places and consolidating this has some challenges. In particular matching up (by script) the interaction for a transaction between;

postfix/smtpd
postfix/cleanup
postfix/virtual
postfix/qmgr

Perhaps there is an easy way to get the five metrics I would like in a report? I am starting to think I may need to plug something in to 'scan' the headers of a message after Postfix is done with it or pipe the messages through a script?

To keep things lean and for learning, I am interested to achieve this with some Perl - so my interest is really in finding the 'key' to link the information together from what is already produced - or - to work out how to get messages to pipe through a script as 'virtual' delivers them. Unless Virtual can give me all the information I need (logging options)

Perhaps some of the very clever gurus here have some useful suggestion?

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: Reverse DNS requirement
On Wed, 2009-08-05 at 09:44 +0200, Robert Schetterer wrote:
> LuKreme wrote:
> > On Aug 4, 2009, at 3:42, Thomas Gelf tho...@gelf.net wrote:
> > > the person who did not correctly set up the network is to be blamed, if you have equipment acting as MTA it should be configured the right way, otherwise use a relay server
> >
> > SHOULD be blamed? Yes. But the blame will fall on the mail admin. The mail was sent, YOU caused the server to reject it.
>
> this is the postfix mail list, the option make_world_a_better_place wasn't implemented yet *g

It is in my version! You must have old version:

postconf -n
header_checks = regexp:/etc/postfix/header_checks
mail_name = cupoftea
make_world_a_better_place = regex:/destroy/M$/exchange

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: too many postfix smtp active internet connections
On Tue, 2009-08-04 at 08:12 +0200, Patrick Ben Koetter wrote:
> You need the milter capabilities from Postfix 2.6. Use the batv-milter. That's all I know at the moment.

I am confused? batv-milter? Is it not pvrs? I see this: http://sourceforge.net/projects/batv-milter/

The idea looks very credible, and I have seen mails with pvrs= in the 'from' field. I think there is milter support in 2.5.5 (not just 2.6) as I have a clam milter running myself - but I am not so sure that this 'batv' milter would require something special to 2.6?

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: New Antispam settings
On Tue, 2009-08-04 at 04:17 -0400, Dave wrote:
> Hello,
> I'm trying to adjust my current antispam measures as they are no longer working. I'm running postfix 2.3 on a rel5 machine. I've got the below, which is a postconf -n output of my current configuration. To it i'd like to add spf, and postgrey support in smtpd_recipient_restrictions after the rbl checks, and dkim-milter last in the file. I'd appreciate any feedback on these settings and suggested improvements if any.
> Thanks.
> Dave.
>
> address_verify_map = btree:/var/spool/postfix/verified_senders
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> biff = no
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> disable_vrfy_command = yes
> empty_address_recipient = MAILER-DAEMON
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = 127.0.0.1, External IP
> invalid_hostname_reject_code = 554
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> mail_owner = postfix
> mail_spool_directory = /var/spool/mail
> mailbox_size_limit = 104857600
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 20971520
> multi_recipient_bounce_reject_code = 554
> mydomain = example.com
> myhostname = mail.example.com
> mynetworks = 127.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> non_fqdn_reject_code = 554
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> recipient_delimiter = +
> relay_domains_reject_code = 554
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> show_user_unknown_table_name = no
> smtp_helo_timeout = 60s
> smtpd_banner = $myhostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_error_sleep_time = 5s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_recipient_restrictions =
>     reject_invalid_hostname,
>     reject_non_fqdn_hostname,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_unverified_sender
>     reject_unverified_recipient
>     reject_multi_recipient_bounce,
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination,
>     check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>     check_helo_access hash:/etc/postfix/helo_checks,
>     check_sender_access hash:/etc/postfix/sender_checks,
>     check_sender_mx_access cidr:/etc/postfix/bogus_mx
>     check_recipient_access hash:/etc/postfix/recipient_access
>     check_client_access hash:/etc/postfix/client_checks,
>     check_client_access pcre:/etc/postfix/client_checks.pcre,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client black.uribl.com,
>     reject_rbl_client combined.rbl.msrbl.net,
>     reject_rhsbl_sender dsn.rfc-ignorant.org
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_soft_error_limit = 10
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.crt
> smtpd_tls_CAfile = /etc/postfix/ssl/ca-cert.pem
> smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
> smtpd_tls_session_cache_timeout = 3600s
> strict_rfc821_envelopes = yes
> tls_random_source = dev:/dev/urandom
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 554
> unknown_virtual_alias_reject_code = 554
> unknown_virtual_mailbox_reject_code = 554
> unverified_recipient_reject_code = 554
> unverified_sender_reject_code = 554
> virtual_alias_maps = hash:/etc/postfix/virtual_alias
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_domains = /etc/postfix/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
> virtual_minimum_uid = 1000
> virtual_uid_maps = static:5000

Postgrey is a reasonable suggestion, but I don't tend to like allowing repeat connections myself. I like to do a simple 'yes or no' and not beat the bush around.

If I may comment about your usage of DKIM SPF. Many many people, even legitimate senders, don't have DKIM or SPF. So implementation would almost certainly be carnage for lots of your HAM if you decide to block on this criteria. SPF DKIM are really only useful for white listing IMHO.

What kind of spam is failing to get caught? Perhaps get Postfix to work with Spamassassin or put in some basic header/body checks to catch obvious spams?

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: Black magic rejecting header Subjects
On Tue, 2009-08-04 at 11:44 +0200, Robin Smidsrød wrote:
> Lukas Ruf wrote:
> > Please find attached the header_checks file currently in use:
> >
> > When I comment the line in main.cf
> > header_checks = pcre:/etc/postfix/header_checks.pcre
> > everything works for me as expected. Thus, I strongly assume there must be a bug somewhere in the definitions
>
> > /^X-Mailer: MIME\:\:Lite/ REJECT
>
> I use this one in my Perl mail applications. It's a legitimate CPAN module (see http://search.cpan.org/perldoc?MIME::Lite) that is quite popular. Blocking it will probably reject a lot of email from scripts (of various nature, some probably spam, some not).
>
> -- Robin

I too use it, but I changed the X-Mailer so it does not say 'MIME::Lite'. I am sure that spammers may think of that also? The people who write bots and spam scripts are very skilled - it would only be a child or rank amateur who would leave that silly header as it is.

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: Spam Prevention
On Sun, 2009-08-02 at 17:04 -0400, Jon wrote:
> Clunk Werclick wrote:
> > PRE DNSBL       321
> > NO PTR          201
> > SPOOFING        120
> > RELAY ATTEMPTS  0
> > BLOCKED OTHER   0
> > WHITELISTED     4
> > BLOCKED DNSBL   287
>
> What tools are you using to generate your counts and get your output presented this way?

A dirty little Perl script + cron.

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: [OT] Spam Prevention
On Mon, 2009-08-03 at 08:29 +0200, Willy De la Court wrote:
> On Sun, 02 Aug 2009 17:04:17 -0400, Jon jo...@iotk.net wrote:
> > Clunk Werclick wrote:
> > > PRE DNSBL       321
> > > NO PTR          201
> > > SPOOFING        120
> > > RELAY ATTEMPTS  0
> > > BLOCKED OTHER   0
> > > WHITELISTED     4
> > > BLOCKED DNSBL   287
> >
> > What tools are you using to generate your counts and get your output presented this way?
>
> The logwatch package can do something similar. See example below. I stripped out some sections with sensitive information but you get the idea.
>
> - Postfix Begin (detail=5)
>
> ** Summary *
>
>   28.893M  Bytes accepted           30,296,112
>    4.471M  Bytes sent via SMTP       4,687,715
>   25.310M  Bytes delivered          26,538,982
>
>       370  Accepted                      1.79%
>     20326  Rejected                     98.21%
>     20696  Total                       100.00%
>
>       124  5xx Reject relay denied       0.61%
>      5423  5xx Reject HELO/EHLO         26.68%
>       154  5xx Reject unknown user       0.76%
>     14625  5xx Reject RBL               71.95%
>     20326  Total 5xx Rejects           100.00%
>
>        20  4xx Reject HELO/EHLO          2.11%
>         2  4xx Reject unknown user       0.21%
>       102  4xx Reject recipient address 10.75%
>       648  4xx Reject sender address    68.28%
>       158  4xx Reject unknown reverse client host  16.65%
>        19  4xx Reject RBL                2.00%
>       949  Total 4xx Rejects           100.00%
>
>     14952  Connections made
>      5149  Connections lost (inbound)
>     14947  Disconnections
>       368  Removed from queue
>       334  Delivered
>       127  Sent via SMTP
>        10  Resent
>
>         2  Deferred
>         2  Deferrals
>         2  Bounced (remote)
>         2  Notifications sent
>
>        45  Timeout (inbound)
>        23  Illegal address syntax in SMTP command
>        56  Numeric hostname
>         7  SMTP dialog error
>       106  Excessive errors in SMTP dialog
>      3071  Hostname verification errors
>         1  Hostname validation errors
>
> ** Detail **
>
>       124  5xx Reject relay denied -
>        20     81.192.186.79    adsl-79-186-192-81.adsl.iam.net.ma
>        20     85.181.161.97    e181161097.adsl.alicedsl.de
>        20     95.110.96.169    g95-110-96-169.broadband.bashtel.ru
>        20     190.48.158.110   unknown
>        20     201.80.36.14     unknown
>        20     202.142.223.169  unknown
>         2     83.36.234.113    113.red-83-36-234.dynamicip.rima-tde.net
>         2     90.176.249.58    58.249.broadband9.iol.cz
>
>      5423  5xx Reject HELO/EHLO
>      5423     Need fully-qualified hostname
>
>       154  5xx Reject unknown user -
>       154     Virtual mailbox table
>
>     14625  5xx Reject RBL --
>      7959     bl.spamcop.net
>               zen.spamhaus.org
>
>        20  4xx Reject HELO/EHLO
>        20     Need fully-qualified hostname
>
>         2  4xx Reject unknown user -
>         2     Virtual mailbox table
>
>       102  4xx Reject recipient address
>
>       648  4xx Reject sender address ---
>       648     Domain not found
>
>      5149  Connections lost (inbound) --
>      3274     After DATA
>      1532     After RCPT
>       261
Re: [OT] Spam Prevention
On Mon, 2009-08-03 at 16:52 +1000, Thomas wrote:
> Hey,
>
> [..]
> > Yes, I use that too - but I like a quick summary on demand.
>
> See: http://www.mikecappella.com/logwatch/
>
> You can use the scripts _without_ logwatch and get an instant summary of your mail.log.
>
> Cheers,
> Thomas

Indeed it does and that is interesting, thank you. My long term goal is to get my Perl to log, in single line;

DATE/TIME INBOUND/OUTBOUND TO FROM SUBJECT SPAM SCORE IP

That is what I really would like to be able to do - but so far I do not find a way that is easy or straightforward to bring all of this information together in a single 'delivered' log. Rejected or dropped mail is straightforward, but delivered mail seems to be harder to cobble something together to give it, how do you say, 'the inside leg measurements' ?

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
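Both this message and the earlier "report to consolidate allowed messages" post ask how to join the smtpd, cleanup, qmgr and virtual log lines into one record per delivered message. The following is an added example, not code from the thread, and it is written in Python rather than the Perl the poster mentions: it joins the lines on the Postfix queue ID. The sample log is constructed, and the Subject line assumes a header_checks rule of the form `/^Subject:/ WARN`, since Postfix does not log subjects otherwise.

```python
import re

# Constructed sample log, not taken from the thread. The "header Subject:"
# line exists only because of an assumed header_checks rule: /^Subject:/ WARN
SAMPLE_LOG = """\
Sep 19 07:16:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <x@example.com>: Relay access denied; from=<s@example.org> to=<x@example.com> proto=SMTP helo=<foo>
Sep 19 07:16:02 mx postfix/smtpd[2102]: 4F1A02C0DE: client=mail.example.org[192.0.2.10]
Sep 19 07:16:02 mx postfix/cleanup[2105]: 4F1A02C0DE: warning: header Subject: Invoice from accounts from mail.example.org[192.0.2.10]; from=<alice@example.org> to=<bob@example.net> proto=ESMTP helo=<mail.example.org>
Sep 19 07:16:02 mx postfix/cleanup[2105]: 4F1A02C0DE: message-id=<1@example.org>
Sep 19 07:16:03 mx postfix/qmgr[1900]: 4F1A02C0DE: from=<alice@example.org>, size=1834, nrcpt=2 (queue active)
Sep 19 07:16:03 mx postfix/virtual[2110]: 4F1A02C0DE: to=<bob@example.net>, relay=virtual, delay=0.4, delays=0.3/0/0/0.1, dsn=2.0.0, status=sent (delivered to maildir)
Sep 19 07:16:03 mx postfix/virtual[2110]: 4F1A02C0DE: to=<carol@example.net>, relay=virtual, delay=0.4, delays=0.3/0/0/0.1, dsn=5.1.1, status=bounced (unknown user: carol@example.net)
Sep 19 07:16:03 mx postfix/qmgr[1900]: 4F1A02C0DE: removed
Sep 19 07:20:10 mx postfix/smtpd[2120]: 4F1A02C0DE: client=unknown[198.51.100.7]
Sep 19 07:20:10 mx postfix/cleanup[2121]: 4F1A02C0DE: message-id=<2@example.com>
Sep 19 07:20:10 mx postfix/qmgr[1900]: 4F1A02C0DE: from=<dave@example.com>, size=900, nrcpt=1 (queue active)
Sep 19 07:20:11 mx postfix/virtual[2122]: 4F1A02C0DE: to=<bob@example.net>, relay=virtual, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (delivered to maildir)
Sep 19 07:20:11 mx postfix/qmgr[1900]: 4F1A02C0DE: removed
"""

# Syslog prefix, daemon name, queue ID (default short hex form), rest of line.
# NOQUEUE rejects and lines without a queue ID do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/(?P<daemon>\w+)\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]{6,}):\s(?P<msg>.*)$")
CLIENT_RE = re.compile(r"^client=\S+\[(?P<ip>[^\]]+)\]")            # smtpd
SENDER_RE = re.compile(r"^from=<(?P<sender>[^>]*)>, size=\d+")       # qmgr
RCPT_RE = re.compile(r"^to=<(?P<rcpt>[^>]*)>,.*\bstatus=(?P<status>\w+)")
# Greedy match: a subject may itself contain " from "; the host[ip] tail
# that cleanup appends is the last one on the line.
SUBJECT_RE = re.compile(
    r"^warning: header Subject: (?P<subject>.*) from [^\s\[]+\[[^\]]+\]; from=<")


def delivered_report(lines):
    """Return (time, sender, recipient, subject, client_ip) tuples, one per
    recipient whose delivery ended with status=sent."""
    pending = {}  # queue ID -> facts collected for the message now in the queue
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        if msg == "removed":
            # Queue IDs are reused, so the state must be dropped here or the
            # next message with this ID inherits the old client and subject.
            info = pending.pop(qid, None)
            if info is not None:
                for rcpt in info["delivered"]:
                    rows.append((info["ts"], info["sender"], rcpt,
                                 info["subject"], info["client_ip"]))
            continue
        info = pending.setdefault(qid, {"ts": m.group("ts"), "sender": "",
                                        "subject": "", "client_ip": "",
                                        "delivered": []})
        hit = CLIENT_RE.match(msg)
        if hit:
            info["client_ip"] = hit.group("ip")
            continue
        hit = SUBJECT_RE.match(msg)
        if hit:
            # Sender-controlled text: treat as data when rendering the report.
            info["subject"] = hit.group("subject")
            continue
        hit = SENDER_RE.match(msg)
        if hit:
            info["sender"] = hit.group("sender")
            continue
        hit = RCPT_RE.match(msg)
        if hit and hit.group("status") == "sent":
            info["delivered"].append(hit.group("rcpt"))
    return rows


if __name__ == "__main__":
    for row in delivered_report(SAMPLE_LOG.splitlines()):
        print(" | ".join(row))
```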
Re: too many postfix smtp active internet connections
On Mon, 2009-08-03 at 16:08 -0400, Wietse Venema wrote:
> Get rid of the backscatter:
> http://www.postfix.org/BACKSCATTER_README.html
>
> Wietse

Has anybody implemented something like this with Postfix?

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Any observations or advice?

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: Spam Prevention
On Sun, 2009-08-02 at 11:56 +0200, Willy De la Court wrote:
> Hi all,
>
> Just a question about spam prevention and resource optimalisation. What is the best way to go. I have this as spam prevention at the moment.
>
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_non_fqdn_hostname,
>     reject_invalid_hostname,
>     permit
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     reject_invalid_hostname,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_unlisted_recipient,
>     check_policy_service inet:127.0.0.1:6,
>     permit
>
> This means that there are a number of tests before the actual recipient address is tested, would it not be better to place the reject_unlisted_recipient very early in the chain? Or am I wrong here. In placing the reject_unlisted_recipient earlier in the chain would I not make it easier for dictionary attacks to succeed?
>
> The check_policy_server is the postgrey implementation of http://postgrey.schweikert.ch/ I added the reject_unlisted_recipient before the postgrey policy test because I noticed unknown recipients being passed to the postgrey policy test.
>
> Any comments would be welcome.

Hello Willy,

It depends on how aggressive you wish to be. Looking at the last half an hour in my logs, the statistics show my blocking going on. The big fishy is 'No PTR' (in words of another no reverse DNS at all) then followed by spoof attempts (b...@example.com to b...@example.com). I block both of these types before passing to a big list of dnsbl's - but they may not be entirely suitable in production and it depends upon your BOFH mentality/level -v- your users complaining;

PRE DNSBL       321
NO PTR          201
SPOOFING        120
RELAY ATTEMPTS  0
BLOCKED OTHER   0
WHITELISTED     4
BLOCKED DNSBL   287

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_reverse_client_hostname
    check_sender_access hash:/etc/postfix/nospoof
    reject_rbl_client no-more-funn.moensted.dk
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl-1.uceprotect.net
    reject_rbl_client dnsbl-2.uceprotect.net
    reject_rbl_client dnsbl-3.uceprotect.net
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client bl.spamcannibal.org
    reject_rbl_client spam.dnsbl.sorbs.net
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org
    permit

This; /etc/postfix/nospoof is just a postmapped flat file of our domains that looks like this;

/etc/postfix/nospoof
...
example.com REJECT spoofing go away
example.net REJECT spoofing go away
example.org REJECT spoofing go away
...

Have much fun and remember some spam is nice. Especially in a baguette with some 'daddies' sauce

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
OT Configuration Questions/Help {LDAP}
On Thu, 2009-07-30 at 22:45 -0500, Noel Jones wrote:
> Jeff Grossman wrote:
> > have seen articles about exporting the Exchange users via LDAP and putting them in an access map file on the Postfix server, but I am not a big fan of that. I would prefer to just query the Exchange server directly for valid addresses.
>
> OK, your choice.

Ehlo and sorry to hijack a little here {hence subjective change}, but some thing has crossed my mind along these lines with multiple exchange servers using active directory.

Perhaps someone has, say, 10 different domains and uses Postfix as a common incoming gateway. From a look cursory I see there exists a ldap map system. Would this allow each domain to define a different LDAP server to query? Perhaps to be clear;

DOMAIN.ONE - LDAP{1.2.3.4}
DOMAIN.TWO - LDAP{1.2.3.5}
DOMAIN.THREE - LDAP{1.2.3.6}
... repeat to fade ...

Can this be achieved and is there some further reading I can do this weekend whilst I sip champagne in the sun ?

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: No such file or directory
On Fri, 2009-07-31 at 09:16 +0200, Ruud v.d Burg wrote:
> Hi,
>
> I followed this guide for setting up postfix with virtual users.
> http://www.howtoforge.com/virtual-users-and-domains-postfix-courier-mysql-centos5.1
>
> After I finished I got several errors that I fixed but I'm stuck on this:
>
> Jul 31 05:09:49 localhost pop3d: chdir advies4you.nl/admin/: No such file or directory
>
> I'm trying to log in with an account named ad...@advies4you.nl and this is what I get when I look at the /var/log/maillog
>
> Also, where does postfix store its data/email for the users?

Good morning Ruud,

First of all the log line 'pop3d' is not Postfix saying that to you. It is a pop/imap server which I guess is courier.

That to one side, this will almost certainly be the wrong leading path set somewhere *or* chrooting. I am sure that directory advies4you.nl/admin/ does not exist, but /home/advies4you.nl/admin/ may do - so the leading directory is missing somewhere.

Postfix for example defines the top directory in main.cf like this;

queue_directory = /path/to/queue/directory/ {don't change this... just for example}

Dovecot Pop/Imap has:

mail_location = maildir:/path/to/mailbox/%h/

I'm not familiar with courier imap/pop server but you will probably find a similar directive in the configuration file that needs to be set to point to the directory where advies4you.nl/admin/ can be found.

There is also an outside chance that there is some chroot issue going on here, but I would forget this until you prove that your popd is looking in the right top directory.

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: No such file or directory
On Fri, 2009-07-31 at 11:40 +0200, Ruud v.d Burg wrote:
> Clunk Werclick wrote:
> > On Fri, 2009-07-31 at 09:16 +0200, Ruud v.d Burg wrote:
> > > Hi,
> > >
> > > I followed this guide for setting up postfix with virtual users.
> > > http://www.howtoforge.com/virtual-users-and-domains-postfix-courier-mysql-centos5.1
> > >
> > > After I finished I got several errors that I fixed but I'm stuck on this:
> > >
> > > Jul 31 05:09:49 localhost pop3d: chdir advies4you.nl/admin/: No such file or directory
> > >
> > > I'm trying to log in with an account named ad...@advies4you.nl and this is what I get when I look at the /var/log/maillog
> > >
> > > Also, where does postfix store its data/email for the users?
> >
> > Good morning Ruud,
> >
> > First of all the log line 'pop3d' is not Postfix saying that to you. It is a pop/imap server which I guess is courier.
> >
> > That to one side, this will almost certainly be the wrong leading path set somewhere *or* chrooting. I am sure that directory advies4you.nl/admin/ does not exist, but /home/advies4you.nl/admin/ may do - so the leading directory is missing somewhere.
> >
> > Postfix for example defines the top directory in main.cf like this;
> >
> > queue_directory = /path/to/queue/directory/ {don't change this... just for example}
> >
> > Dovecot Pop/Imap has:
> >
> > mail_location = maildir:/path/to/mailbox/%h/
> >
> > I'm not familiar with courier imap/pop server but you will probably find a similar directive in the configuration file that needs to be set to point to the directory where advies4you.nl/admin/ can be found.
> >
> > There is also an outside chance that there is some chroot issue going on here, but I would forget this until you prove that your popd is looking in the right top directory.
>
> Good morning!
>
> I only added the user in the mysql db. Is there any web admin panel for postfix that adds the user with mailx and in the mysql or something? My company currently has qmailrocks and here we use the web admin panel to add users. Is there something similar for postfix?

There may be, but I am not a user so I could not recommend one. Some people speak of webmin but personally I have command line scripts to manage my setup.

> main.cf points to
> queue_directory = /var/spool/postfix
>
> But I can't find the config for the pop3 thing. I also manually created the advies4you/admin thing in the home/vmail folder (the home/vmail did exist) but that did not fix the problem.

I do not use that pop3 - I use dovecot so I cannot really help you. However, a look at:

http://www.courier-mta.org/pop3d.html

refers to a config file: /etc/courier/pop3d

Further use of google took me here which has some information I would find useful if I were using that server:

http://www.linuxfromscratch.org/hints/downloads/files/OLD/courier.txt

> I can't recall I edited any config that has mail_location either, or at least I can't find it.
>
> Best regards,
> Ruud

Cutting to the chase here and not confusing yourself, the log error you have specifically points to pop3d not being able to find your directory. This is either because it does not exist or it is looking in the wrong place. It is no more complex than that so do not confuse yourself.

You may be best to ask on a courier mail list. If after solving your directory issues you have other Postfix issues be sure to check back here for help.

--
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.
Re: OT Configuration Questions/Help {LDAP}
On Fri, 2009-07-31 at 09:50 -0500, Noel Jones wrote: Clunk Werclick wrote: On Thu, 2009-07-30 at 22:45 -0500, Noel Jones wrote: Jeff Grossman wrote: have seen articles about exporting the Exchange users via LDAP and putting them in an access map file on the Postfix server, but I am not a big fan of that. I would prefer to just query the Exchange server directly for valid addresses. OK, your choice. Ehlo and sorry to high jack a little here {hence subjective change}, but some thing has crossed my mind along these lines with multiple exchange servers using active directory. Perhaps someone has, say, 10 different domains and uses Postfix as a common incoming gateway. From a look cursory I see there exists a ldap map system. Would this allow each domain to define a different LDAP server to query? Perhaps to be clear; DOMAIN.ONE - LDAP{1.2.3.4} DOMAIN.TWO - LDAP{1.2.3.5} DOMAIN.THREE - LDAP{1.2.3.6} ... repeat to fade ... Can this be achieved and is there some further reading I can do this weekend whilst I sip champagne in the sun ? http://www.postfix.org/postconf.5.html#relay_recipient_maps Notice maps is plural; list as many maps as necessary. Separate multiple map definitions with a comma and/or space. There is no limit built into postfix concerning how many maps you can define, but each map definition consumes system resources (memory, file handles, etc). At some point too many maps will impact system performance. Many admins find it easier and cleaner to create a single map by dumping related data together under the control of a Makefile. -- Noel Jones Thank you Noel. I will sip some champagne for you this weekend whilst I consider the options :-) -- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot. This e-mail and its attachments is intended only to be used as an e-mail and an attachment. 
Re: Directory Harvest
On Thu, 2009-07-30 at 08:59 +0200, Ralf Hildebrandt wrote: * Evan Platt e...@espphotography.com: At 03:59 PM 7/29/2009, you wrote: It looks like somebody is trying to figure out my internal users as evidenced by log excerpts below. Is there something I could do to, if not prevent this, reduce it? If you're seeing a lot of attempts, I say just block them in your firewall... # whois 93.85.224.123 OrgName:RIPE Network Coordination Centre OrgID: RIPE Address:P.O. Box 10096 City: Amsterdam StateProv: PostalCode: 1001EB Country:NL ReferralServer: whois://whois.ripe.net:43 NetRange: 93.0.0.0 - 93.255.255.255 CIDR: 93.0.0.0/8 Your whois is broken: inetnum:93.85.224.0 - 93.85.231.255 netname:BELPAK descr: Republican Unitary Enterprise BELTELECOM descr: MINSK branch descr: Republic of Belarus country:BY admin-c:DG1612-RIPE tech-c: OB1713-RIPE status: ASSIGNED PA mnt-by: AS6697-MNT source: RIPE # Filtered person: Dmitry Gorbukov address: Belarus address: 220088, Minsk address: ul. Zaharova, 57 address: UC MINSKOBLTELECOM phone:+375 17 5001131 fax-no: +375 17 5001193 e-mail: d...@minsktelecom.by nic-hdl: DG1612-RIPE mnt-by: AS6697-MNT source: RIPE # Filtered person: Oleg Bylina address:Belarus address:220088, Minsk address:ul. Zaharova, 57 address:UC MINSKOBLTELECOM phone: +375 17 5001383 fax-no: +375 17 5001193 e-mail: o...@minsktelecom.by nic-hdl:OB1713-RIPE mnt-by: AS6697-MNT source: RIPE # Filtered Apart from the IPTables a more autonomous fix could be done with the (improper ?) use of Anvil. Any more than X connections in a couple of minutes and goodnight sweetheart. This combined with max errors perhaps? -- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot. This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.
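Added example (not part of the original messages): one way to spot the directory-harvest pattern discussed above from the Postfix log before deciding on a firewall block or Anvil limits. It counts distinct unknown recipients rejected per client IP inside a sliding window, in the spirit of "more than X in a couple of minutes". The thread's own log excerpts are not reproduced on this page, so the sample lines, addresses, thresholds and the function name `harvest_suspects` are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the usual Postfix smtpd reject line for an unknown recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"550 \S+ <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def harvest_suspects(lines, window_seconds=120, threshold=5, year=2009):
    """Return {client_ip: peak distinct unknown recipients within the window}
    for clients at or above the threshold.

    Assumes lines are in chronological order; syslog timestamps carry no
    year, so one is supplied by the caller.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> (timestamp, recipient) in window
    worst = defaultdict(int)      # ip -> peak distinct recipients seen
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue              # not an unknown-recipient reject
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events = recent[m["ip"]]
        events.append((ts, m["rcpt"].lower()))
        while ts - events[0][0] > window:
            events.popleft()      # drop rejects that fell out of the window
        distinct = len({rcpt for _, rcpt in events})
        worst[m["ip"]] = max(worst[m["ip"]], distinct)
    return {ip: n for ip, n in worst.items() if n >= threshold}


# Constructed sample log (documentation IP ranges, made-up recipients).
LINE_FMT = (
    "Jul 29 15:58:{sec:02d} mx postfix/smtpd[2101]: NOQUEUE: reject: "
    "RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
    "rejected: User unknown in virtual mailbox table; "
    "from=<x@example.net> to=<{rcpt}> proto=SMTP helo=<h>"
)
SAMPLE_LOG = [
    LINE_FMT.format(sec=i * 5, ip="192.0.2.55", rcpt=f"{name}@example.com")
    for i, name in enumerate(["adam", "alice", "bob", "carol", "dave", "info"])
]
# A single mistyped address from another client must not be flagged.
SAMPLE_LOG.append(
    LINE_FMT.format(sec=40, ip="198.51.100.7", rcpt="jhon@example.com")
)
# Unrelated log line, ignored by the parser.
SAMPLE_LOG.append(
    "Jul 29 15:58:45 mx postfix/smtpd[2101]: connect from unknown[203.0.113.9]"
)

if __name__ == "__main__":
    for ip, count in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct unknown recipients within 120s")
```

Counting distinct recipients rather than raw rejects keeps a client that retries one mistyped address from being flagged.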
Re: Stop spammers sending us spam from users in our domain...
On Wed, 2009-07-29 at 22:22 +0930, Nick Sharp wrote: Hi all, I am new to this list, so forgive me if I am not up with your current level of etiquette, I do tune in pretty quickly.. so starting with a long email.. Been trying to stop people sending email to us setting FROM as a user in our domains. Seems basic enough spam limitation. It seems if I configure reject_unauthenticated_sender_login_mismatch in smtp_sender_restrictions all email gets rejected (with my config below) (even to $virtual_mailbox_domains) _if_ not in $mynetworks (no auth needed - seems ok) or if the client is not sasl auth'd (smtp ok again in this situation) So email to somevalidu...@ourdomain.com from someotheru...@anotherdomain.com.au (external domain) not sasl auth'd gets rejected with 'not logged in' - now I know that we shouldn't use $mydestination with virtual domains, so should it be looking at virtual_mailbox_domains? (which appears to be mysql mapped ok) I would presume the default is to always accept email to our domains and the reject_unauthenticated_sender_login part just says if FROM matches our domain maps, then you must be authenticated to send it? (this is mainly what I want to confirm) Or am I missing something obvious? (its not unknown :) #some conf stuff.. 
mydestination =
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
smtpd_sender_login_maps=mysql:/etc/postfix/mysql_sender_login_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauthenticated_sender_login_mismatch, reject_non_fqdn_sender, reject_unauth_pipelining, permit

/etc/postfix/mysql_sender_login_maps.cf
User/Pass/DB/host/table stuff removed
select_field=id #which is the email address in full
where_field='%s'
additional_conditions = and enabled = 1

/etc/postfix/mysql_domains.cf
removed connection stuff
select_field=domain
where_field=domain
additional_conditions = and enabled = 1

Let me know if you want some more config/info to help you help me? TIA Nick

This is how I block those pesky spoof mail spams;

EDIT main.cf
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_sender_access hash:/etc/postfix/spoofprotection

CREATE /etc/postfix/spoofprotection
#spoof protection
domain1.com REJECT we dont mail ourselves
domain2.com REJECT we dont mail ourselves

BUILD MAP TO IT
postmap /etc/postfix/spoofprotection

RELOAD
postfix reload

Caveats; Breaks forwarding (where this is relevant) Other caveats may exist too and someone else may point out a better way or other issues. This has worked for me and I am very happy with it.

-- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
RE: Stop spammers sending us spam from users in our domain...
On Wed, 2009-07-29 at 23:26 +0930, Nick Sharp wrote:

This is how I block those pesky spoof mail spams;

EDIT main.cf
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_sender_access hash:/etc/postfix/spoofprotection

CREATE /etc/postfix/spoofprotection
#spoof protection
domain1.com REJECT we dont mail ourselves
domain2.com REJECT we dont mail ourselves

BUILD MAP TO IT
postmap /etc/postfix/spoofprotection

RELOAD
postfix reload

Caveats; Breaks forwarding (where this is relevant) Other caveats may exist too and someone else may point out a better way or other issues. This has worked for me and I am very happy with it.

Thanks Clunk, This looks like the way to go, both Brian and yourselves concur.. Just about to test this, but wanted to confirm your 'breaks forwarding' caveat, I do have some transports configured, and internal filters (amavis and procmail) but it sounds like these should be ok, can you elaborate a little? (the mail server is stupid busy at around 15000 mails a day - that's delivered mail!! So want to be sure.. 1 min of problems means a lot of mail to find/verify :) Thanks Again. Nick

My apologies for the terse caveat. As I understand it, there are some external mail services that roaming users may use that forward mail into your Postfix claiming to be from your domain. Myself I do not use this. Relations in England talk of this with Blackberry and O2 when using IPhone but these are far too modern for me to understand. Please hope an expert comes along and soon with a fuller answer, but I think you will be mostly safe with that. If there should be a problem your sender will know right away in most cases.

-- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
Re: Many SQL Lookups on outbounding mails
On Thu, 2009-07-23 at 13:50 +1000, Barney Desmond wrote: You need to ask yourself if this is a real problem, or something you're just imagining. Mysql generally works fine, 50,000 messages a day at 12 queries each, equates to several queries per second. This is an easy load. That is a comfort to know. My main concern was this hammering was not optimal, but it is welcome to make as many queries as it likes if it does not crash the database server. Perhaps Postgresql would be a bit more manly ? but slower ? If you're concerned, then disable the parent domain searching as mentioned before. Forgive my sincere stupidness, but I did not see where it said 'do this to disable parent domain searching'. I would like to do this and see if it makes a difference. What do I need to take out/add to do this ? If you're worried about mysql's stability then you probably shouldn't be using it. Using a database as a table backend carries its own share of risks and failure cases. It is not ideal to use it but it makes it easy to write web front ends for management. I could script the generation of index postmaps from the database but will this scale well? How big can the postmaps be before it gets a little crazy? 100 lines? 1000 lines? 10,000 lines? 100,000 lines? I cannot find any figures to say at which point it is best to cross over ? This would be very useful and help me make an informed choice. I notice in your postconf output that you're not using proxymap with mysql. This is generally recommended: http://www.postfix.org/MYSQL_README.html (notes on client connections) Thank you. I have looked at this and taken your notes on board. http://www.postfix.org/proxymap.8.html (specific proxy:mysql example) And this also. I don't think there is any major benefit being sold to me here for using a proxy map and I am wondering if this will introduce a small amount of latency perhaps? But I wont kick the gifted horse and I will try this today - thank you Sir. 
-- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot. This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.
Re: Many SQL Lookups on outbounding mails
On Thu, 2009-07-23 at 18:47 +1000, Barney Desmond wrote: From: Barney Desmond barneydesm...@gmail.com To: postfix users list postfix-users@postfix.org Subject: Re: Many SQL Lookups on outbounding mails Date: Thu, 23 Jul 2009 18:47:54 +1000 (09:47 BST) 2009/7/23 Clunk Werclick clunk.wercl...@wibblywobblyteapot.co.uk: That is a comfort to know. My main concern was this hammering was not optimal, but it is welcome to make as many queries as it likes if it does not crash the database server. Perhaps Postgresql would be a bit more manly ? but slower ? Realistically you shouldn't notice a difference, but every system will be different, and between those two it'll depend somewhat on tuning as well. to disable parent domain searching'. I would like to do this and see if it makes a difference. What do I need to take out/add to do this ? You can do this in main.cf, I believe you just set an empty value. http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains Something like: parent_domain_matches_subdomains = OK, done and reload but I'm still finding this (see below). What is weird is the lookups it does based on the mail_from command. It's recursing those in the database for a reason I am not sure I fully understand? I understand why it do this for rcpt_to, makes full sense to me, but for the sender also? Anecdotally, hash-based tables are very fast. CDB tables are said to perform well at least up to a million entries. http://www.postfix.org/DATABASE_README.html#types That scales well and I will re-engineer what I am doing to take advantage of that. There seems little useful point to use SQL for anything other than as a holding container that is used to generate maps if these figures are correct. {in my context at least} {trim} a little while ago, but the outcome was that the potential performance gain of not using proxymap when it's not needed was low, so you might as well always use it. This is in my to be doing list and I thank you Sir. 
After making single change suggested and reload

A single test message by telnet where;

mail from: user...@yahoo.co.uk
rcpt to: t...@destination.co.uk

generated a lot of lookups for the 'mail from' command ?

803 Connect postfi...@localhost on mndb
803 Query SELECT transport FROM transport WHERE destination='*'
803 Query SELECT transport FROM transport WHERE destination='*'
804 Connect postfi...@localhost on mndb
804 Query SELECT virtual_user_email FROM recipients WHERE alias='yahoo.co.uk'
805 Connect postfi...@localhost on mndb
805 Query SELECT domain FROM domains WHERE domain='yahoo.co.uk' AND local=1
806 Connect postfi...@localhost on mndb
806 Query SELECT domain FROM domains WHERE domain='yahoo.co.uk' AND local=0
806 Query SELECT domain FROM domains WHERE domain='.co.uk' AND local=0
806 Query SELECT domain FROM domains WHERE domain='.uk' AND local=0
803 Query SELECT transport FROM transport WHERE destination='user...@yahoo.co.uk'
803 Query SELECT transport FROM transport WHERE destination='yahoo.co.uk'
803 Query SELECT transport FROM transport WHERE destination='.co.uk'
803 Query SELECT transport FROM transport WHERE destination='.uk'
090723 10:18:07 804 Query SELECT virtual_user_email FROM recipients WHERE alias='destination.co.uk'
805 Query SELECT domain FROM domains WHERE domain='destination.co.uk' AND local=1
806 Query SELECT domain FROM domains WHERE domain='destination.co.uk' AND local=0
803 Query SELECT transport FROM transport WHERE destination='t...@destination.co.uk'
803 Query SELECT transport FROM transport WHERE destination='destination.co.uk'
807 Connect postfi...@localhost on mndb
807 Query SELECT virtual_user_email FROM recipients WHERE alias='t...@destination.co.uk'
807 Query SELECT virtual_user_email FROM recipients WHERE alias='@destination.co.uk'
808 Connect postfi...@localhost on mndb
808 Query SELECT virtual_user_email FROM recipients WHERE alias='t...@destination.co.uk'
808 Query SELECT virtual_user_email FROM recipients WHERE alias='@destination.co.uk'
808 Query SELECT virtual_user_email FROM recipients WHERE alias='postmas...@destination.co.uk'
808 Query SELECT virtual_user_email FROM recipients WHERE alias='@destination.co.uk'
090723 10:18:21 804 Query SELECT virtual_user_email FROM recipients WHERE alias='destination.co.uk'
805 Query SELECT domain FROM domains WHERE domain='destination.co.uk' AND local=1
806 Query SELECT domain FROM domains WHERE domain='destination.co.uk' AND local=0
803 Query SELECT transport FROM transport WHERE destination='postmas...@destination.co.uk'
803 Query SELECT transport FROM transport WHERE destination='destination.co.uk'
I
Re: Many SQL Lookups on outbounding mails
On Thu, 2009-07-23 at 11:24 +0200, Thomas Gelf wrote: Clunk Werclick wrote: On Thu, 2009-07-23 at 13:50 +1000, Barney Desmond wrote: You need to ask yourself if this is a real problem, or something you're just imagining. Mysql generally works fine, 50,000 messages a day at 12 queries each, equates to several queries per second. This is an easy load. That is a comfort to know. My main concern was this hammering was not optimal, but it is welcome to make as many queries as it likes if it does not crash the database server. Perhaps Postgresql would be a bit more manly ? but slower ? You'll probably not note a difference. I guess MySQL will allow you to connect() faster if using a local socket. However you should always use proxy_read_maps - so connect()-times are not so relevant. I gave a quick look at the server statistics of our MySQL instance providing Postfix and Amavis config (not used as Amavis storage etc, its only purpose is providing configuration): DB uptime 250 days with an average of 300 queries per second (our reports are showing peaks of slightly more than 6 million delivery attempts a day). That is very reassuring Thomas, thank you. Now I don't know if I should stay with SQL or drop to maps ? It is easier to configure with SQL from a web based front end - but to get SQL to dump to flat files and Postmap is also only a few Perl lines. What is a fool to do ? :-# We are using multiple servers, but that's mostly as of disaster recovery and failover reasons - you could handle similar traffic also on a single host (using recent server hardware). A certain percentage of queries could of course be avoided if Postfix were optimized for DB usage. As we know it isn't - this design choice however keeps it flexible and simple. Best regards, Thomas Gelf -- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
Re: Many SQL Lookups on outbounding mails
On Thu, 2009-07-23 at 11:57 +0200, Thomas Gelf wrote: Clunk Werclick wrote: That is very reassuring Thomas, thank you. Now I don't know if I should stay with SQL or drop to maps ? It is easier to configure with SQL from a web based front end - but to get SQL to dump to flat files and Postmap is also only a few Perl lines. What is a fool to do ? :-# If you're comfortable with SQL: stay with SQL. Load should absolutely not be an issue with your estimated traffic - and even if I could tell some scary anecdotes regarding MySQL: it is pretty stable. Please also note that all my Postfix instances are using TCP, not local sockets. And it still performs very well! Dump to flat files is an option, but I don't see any reason why you should do so: it just adds one more layer of complexity to your system. If you're writing an SQL frontend you have all config right there in realtime, are not forced to reflect about possible locking issues (what happens if you run your recreate-flat-files-script simultaneously more than once etc) - and if you add another Postfix host in the future all you need to do is providing it some credentials to connect to your DB. Regards, Thomas Thank you Thomas. I stick with Mysql and worry if I ever have to set up a server so big it fails. If that happens I have lots of £$£ and pay someone else to do it whilst I sit on beach sipping wine. I have now got proxy working on the maps too, so that is off my to be do list. Now I fight the recipient verification process for many many domains hosted on one Postfix - but that is a new adventure. -- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot. This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.
Re: Many SQL Lookups on outbounding mails
On Tue, 2009-07-21 at 12:34 -0500, Noel Jones wrote: Clunk Werclick wrote: On Tue, 2009-07-21 at 10:39 -0500, Noel Jones wrote: Clunk Werclick wrote: Hello. Postfix is new to me and I have spent many hours of reading and testing. I do not have much experience to look at things and say they are normal or not. ... Please may I ask someone to reassure me this is doing the thing that is right. It seems lots of lookups per message and I'm not sure that mysql will not crash like this Yes, normal. Please see http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains :: parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps Not making sense to me ? When the table type is listed in parent_domain_matches_subdomains, postfix looks up each subdomain to see if it's listed. See the documented Search Order in the man page for the specific feature; access, transport, etc. So for example u...@some.foo.example.com would trigger the following with a check_sender_access table: u...@some.foo.example.com some.foo.example.com foo.example.com example.com com -- Noel Jones What I am not understanding is this is my list: debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps I don't understand which 'table type' is in charge of virtual and relay. It is perhaps not very clear? -- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot. This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.
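Added example (not part of the original messages, and not Postfix's own code): a simplified model of the lookup-key order described above and visible in the thread's MySQL query log, showing why an address that is not in the table costs the most queries and why listing or unlisting a feature in parent_domain_matches_subdomains changes the form of the keys but not their number. The addresses, the table row and the function names are constructed assumptions.

```python
# Simplified model, constructed for illustration. Key order follows the
# sequences shown in the thread: full address first, then the domain, then
# each parent domain.


def domain_keys(domain, parent_style):
    """Keys tried for a domain, most specific first.

    parent_style=True  -> bare parent domains (the feature is listed in
                          parent_domain_matches_subdomains)
    parent_style=False -> ".parent" keys (the feature is not listed)
    """
    labels = domain.lower().split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_style else "." + parent)
    return keys


def address_keys(address, parent_style):
    """Full address, then the domain keys."""
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not a user@domain address: {address!r}")
    return [address.lower()] + domain_keys(domain, parent_style)


class CountingTable:
    """Dict-backed stand-in for a mysql: map that records every query."""

    def __init__(self, rows):
        self.rows = dict(rows)
        self.queries = []

    def get(self, key):
        self.queries.append(key)
        return self.rows.get(key)


def lookup(table, keys):
    """Query keys in order and stop at the first hit."""
    for key in keys:
        value = table.get(key)
        if value is not None:
            return value
    return None


def trace(address, rows, parent_style=False):
    """Return (result, list of keys actually queried) for one address."""
    table = CountingTable(rows)
    result = lookup(table, address_keys(address, parent_style))
    return result, table.queries


# Constructed transport table: one hosted domain, nothing for outside domains.
TRANSPORT_ROWS = {"destination.co.uk": "relay:[192.0.2.10]"}

if __name__ == "__main__":
    for addr in ("someone@yahoo.co.uk", "rcpt@destination.co.uk"):
        result, queries = trace(addr, TRANSPORT_ROWS)
        print(f"{addr}: {len(queries)} queries, result={result}")
        for q in queries:
            print(f"    WHERE destination='{q}'")
```

The miss walks every key down to the top-level domain, while the hosted domain stops at the second key, which matches the shape of the query log posted in this thread.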
Re: Many SQL Lookups on outbounding mails
On Wed, 2009-07-22 at 20:31 +1000, Barney Desmond wrote: 2009/7/22 Clunk Werclick clunk.wercl...@wibblywobblyteapot.co.uk: What I am not understanding is this is my list: debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps I don't understand which 'table type' is in charge of virtual and relay. It is perhaps not very clear? It just means that when one of these features is used, it will test parent domains. Seeing as you haven't shown us the output of `postconf -n`, we can only guess. I'm going to guess that it's most likely using mynetworks and smtpd_access_maps. Please may I ask someone to reassure me this is doing the thing that is right. As Noel said, you should rest assured that postfix is doing exactly the checks it needs to implement the functionality as documented. It seems lots of lookups per message and I'm not sure that mysql will not crash like this Who's to say what a lot of lookups are? Why do you think mysql will Just Crash? You're far better off looking at the general load and responsiveness of your server than checking how many queries mysql is doing. I think perhaps 4-12 queries per message is not optimal? If server handle 50,000 a day X 12 that is quite a lot? I don't think it is going to get many fields returned for .co.uk .uk in my database? I stress much that this is not Postfix, it is my silly configuration of Postfix.

Am learning as I go along so plenty of things wrong probably: This is output;

postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
anvil_rate_time_unit = 60s
body_checks = regexp:/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/maps/header_checks
mail_name = testbox
milter_default_action = accept
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks
mydestination = testbox localhost
mydomain = wibblywobblyteapot.co.uk
myhostname = testbox.wibblywobblyteapot.co.uk
mynetworks = 127.0.0.0/8
myorigin = $mydomain
queue_directory = /home/mail/email
rbl_reply_maps = hash:/etc/postfix/maps/rbl_reply
relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf
smtpd_banner = $myhostname ESMTP Hello Dolly
smtpd_client_connection_count_limit = 3
smtpd_client_connection_rate_limit = 3
smtpd_client_event_limit_exceptions = 212.202.241.232
smtpd_delay_reject = yes
smtpd_error_sleep_time = 3s
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit
smtpd_junk_command_limit = 2
smtpd_milters = unix:/home/mail/email/private/clamav-milter, unix:/home/mail/email/private/samilter
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_recipient_access hash:/etc/postfix/maps/recipient_checks reject_unknown_reverse_client_hostname check_sender_access hash:/etc/postfix/maps/no_from_us reject_rbl_client zen.spamhaus.org permit
smtpd_restriction_classes = LOG
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_soft_error_limit = 5
smtpd_timeout = 30
transport_maps = mysql:/etc/postfix/mysql/transport.cf
unknown_client_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/mail/mailbox
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_recipients.cf
virtual_uid_maps = static:5000

-- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
Re: Many SQL Lookups on outbounding mails
On Wed, 2009-07-22 at 11:04 -0500, Noel Jones wrote: Clunk Werclick wrote: I think perhaps 4-12 queries per message is not optimal? If server handle 50,000 a day X 12 that is quite a lot? I don't think it is going to get may fields returned for .co.uk .uk in my database? Postfix does the lookups required to route your mail properly. It is a bit silly to do this for .co.uk then .uk yes? I stress much that this is not Postfix, it is my silly configuration of Postfix. Am learning as I go along so plenty of things wrong probably: This is output; postconf -n relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf Unless relay_domains changes frequently, better to keep it in a hash table. Or just set it explicitly empty if you don't have any relay_domains. They change frequently that is why I have a database back end. transport_maps = mysql:/etc/postfix/mysql/transport.cf better to keep transport_maps in a hash: table unless it changes frequently. virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains.cf better to keep virtual_mailbox_domains in a hash table unless it changes frequently. They change frequently that is why I have a database back end. For the tables that I suggest you keep in a hash, if you want to still store the data in mysql you can automate a daily dump to a hash file for postfix to use. This seems to be a bit silly, that is what the database is for, but thank you for your advice. I may have to do this to stop this DoS type of hammering for silly lookups. Thank you anyhow. -- Noel Jones -- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot. This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.
Re: blocking supp...@...
On Wed, 2009-07-22 at 10:31 -0600, Robert Lopez wrote: We get a lot of spam from a marketing company that uses hundreds of ip addresses and hundreds of domain names but it always comes from support at which ever names they are using that day. My supervisor wants me to block all email coming from supp...@*. I have concerns about blocking legitimate email. Which postfix list would be best used for such a block? Could it be sender_access?

Perhaps try making this file; /etc/postfix/header_checks

#start of file
/^From:.*support\@/ REJECT Your mail was rejected - call us on 1-800 xxx xxx to unblock
#end of file

Then add this to the foot of your main.cf

header_checks = regexp:/etc/postfix/header_checks

This will block any header with from support in it, including legitimate ones and is very aggressive. Perhaps better to add this to your smtpd_recipient_restrictions in main.cf and see if this stops it.

smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org

-- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
Many SQL Lookups on outbounding mails
Hello. Postfix is new to me and I have spent many hours of reading and testing. I do not have much experience to look at things and say they are normal or not. My Postfix hosts some virtual domains locally, and it also relays some others to another Postfix. It looks up virtual domains, relay domains and transport information from mysql. It is working well, thank you. One thing I notice in my SQL logs. When I send a mail to an outside domain - yahoo for example - It makes lots of lookups and they are confusing me.

First it checks to see if the domain I am sending mail to is hosted locally;

SELECT domain FROM virtual_domains WHERE domain='yahoo.co.uk'

That I understand and it makes sense. Next it checks to see if the domain I am sending to is a relay domain;

SELECT domain FROM virtual_domains WHERE domain='yahoo.co.uk' AND local=0

That I understand and it makes sense. Then I get very confused as it seems to break the TLD apart and ask if it is a relay domain for each part;

SELECT domain FROM virtual_domains WHERE domain='.co.uk' AND local=0

and again;

SELECT domain FROM virtual_domains WHERE domain='.uk' AND local=0

This is confusing me and I would like to ask if this is normal? I think it may be, but it did not do this when it checked locally hosted domains. Next it checks a transport map, which I can understand

SELECT transport FROM virtual_domains WHERE domain='n...@yahoo.co.uk'

But again it breaks each part down.

SELECT transport FROM virtual_domains WHERE domain='yahoo.co.uk'
SELECT transport FROM virtual_domains WHERE domain='.co.uk'
SELECT transport FROM virtual_domains WHERE domain='.uk'

Please may I ask someone to reassure me this is doing the thing that is right. It seems lots of lookups per message and I'm not sure that mysql will not crash like this

\\\ /// {.} {.} .. O -- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
Re: Many SQL Lookups on outbounding mails
On Tue, 2009-07-21 at 10:39 -0500, Noel Jones wrote: Clunk Werclick wrote: Hello. Postfix is new to me and I have spent many hours of reading and testing. I do not have much experience to look at things and say they are normal or not. ... Please may I ask someone to reassure me this is doing the thing that is right. It seems lots of lookups per message and I'm not sure that mysql will not crash like this Yes, normal. Please see http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains :: parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps Not making sense to me ? Also see: http://www.postfix.org/proxymap.8.html -- Noel Jones To do - thank you. -- --- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot. This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.
Re: Transport Maps
On Tue, 2009-07-21 at 12:05 -0400, Linux Addict wrote:

On Tue, Jul 21, 2009 at 12:00 PM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

* Ralf Hildebrandt ralf.hildebra...@charite.de:

In simple, When I send a mail to @example.com, postfix must send the mail to the MX records of smtp.example.com.

example.com smtp.example.com

OK, not too sure if Postfix will perform an MX lookup for the RHS (smtp.example.com in this example). Please try

-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de

I just tried, It's NOT using MX records of smtp.example.com. I can manipulate it thru DNS, but will be more comfortable if we can do it through Postfix.

What about plain old: smtp: and nothing else. I was trying today to do the opposite but it kept looking up the mx for the destination domain when I did not have a transport map.

-- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
Re: Transport Maps
On Tue, 2009-07-21 at 17:10 +0100, Clunk Werclick wrote:

On Tue, 2009-07-21 at 12:05 -0400, Linux Addict wrote:

On Tue, Jul 21, 2009 at 12:00 PM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

* Ralf Hildebrandt ralf.hildebra...@charite.de:

In simple, When I send a mail to @example.com, postfix must send the mail to the MX records of smtp.example.com.

example.com smtp.example.com

OK, not too sure if Postfix will perform an MX lookup for the RHS (smtp.example.com in this example). Please try

-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de

I just tried, It's NOT using MX records of smtp.example.com. I can manipulate it thru DNS, but will be more comfortable if we can do it through Postfix.

What about plain old: smtp: and nothing else. I was trying today to do the opposite but it kept looking up the mx for the destination domain when I did not have a transport map.

Don't listen to me - I am an idiot. I have now read your request fully and I am garbage spouting. Sorry.

-- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
Re: Transport Maps
On Tue, 2009-07-21 at 12:21 -0400, Linux Addict wrote:

I tried digging, I get the MX servers on the ANSWER section. I manage DNS as well, so I know it's resolving correctly.

Just one thing Sir and a shot in the water. Restart Postfix (not reload). I was having a problem where it kept looking up against the wrong name server. There seems to be some caching of name servers and results. After many hours it gave me such joy for a simplest fix.

-- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
Re: Complex canonical rewrite with ldap and regexp
On Wed, 2009-07-22 at 12:27 +0700, Olivier Nicole wrote:

Hi,

I want to know if the following canonical rewrite is possible with Postfix, and how?

In my LDAP directory, for each user, I have a givenName and a familyName attributes. The canonical name should be givenName.familyName or familyName.givenName, the order is depending on a third attribute (certain countries put the family name before the given name...)

Then the string should be rewritten to replace all non alphanumerical characters by a hyphen.

Is that possible with a combination of ldap: and regexp:, and how?

On the other hand, if I receive an email addressed to some canonical name, how/where is the correspondence made with the uid?

Best regards,
Olivier

Perhaps view the problem a different way? Why not make your LDAP query lookup against the email address and any alias fields in the LDAP? That is, fix the LDAP to have the data the mail server can work with, rather than make the mail server guess what a mailbox should be.

Probably possible to script something to run around the houses playing lookup guessing games but seems to be making lots of work that is hard.

-- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
user local domain remote
Helo,

Is somebody able to guide me? I have Postfix as gateway machine. It is mixed and has some local virtual mailboxes for domains, and for others it acts as an incoming relay forwarding to an internal Postfix. The working is very good but now I have a tiny hitch.

Until now I have been able to cope with the simple set up as local domains on the gateway are not the same as the domains on the internal server. Now I have a need to keep a couple of email addresses on the gateway for one of the domains that is on the internal Postfix server. Perhaps a diagram will help?

Current

    INET - GATEWAY       - INTERNAL
           example.com     nothing.com
           box.com         eggs.com

Trying to configure

    INET - GATEWAY       - INTERNAL
           example.com     nothing.com
           box.com         eggs.com
           b...@eggs.com

Perhaps is possible somehow to have recipient on gateway Postfix and rest of domain relayed to internal Postfix box?

--- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.
RE: smtp time outs and delays
I get a very quick banner response when I telnet to port 25 and port 587 I do get different banners for port 25 I get:

220 *

Cisco Pix running SMTP 'Fixup' ?