Re: relay_domains vs virtual_mailbox_domains

2009-09-09 Thread Clunk Werclick
On Wed, 2009-09-09 at 07:16 +0100, Steve Heaven wrote:
> On Wed, 2009-09-09 at 00:27 +0200, mouss wrote:
> > Steve Heaven a écrit :
> > >
> > 
> > 
> > the old: "try to pass to next, until final server accepts or rejects"
> > is no more acceptable. recipients must be checked at the "edge".
> > 
> > postfix provides reject_unverified_recipient to help you for that
> > (assuming the next relay really validates the recipient).
> 
> That's the problem. Most of our clients that we relay mail for run
> Microsoft SBS Exchange which doesn't verify probes. It accepts mail for
> any user and sends an undeliverable report back to the sender.

Are you saying that it is not possible to configure it to reject users
that don't exist at the SMTP level? Are you *sure*? So if you telnet in
to it and send mail for anyoldrubb...@domain.co.uk it accepts it?

I would be gobsmacked. Surely this is a simple configuration issue?
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 





RE: [Bounce Handling] Searching information

2009-09-08 Thread Clunk Werclick
On Tue, 2009-09-08 at 14:02 +0200, no_s...@cardiff.fr wrote:
> [Humour on]Wooow
{snip}

The answer is you check your logs, write a script to check your logs and
update your databases - or use one of the many mailing list manager
programs that exist. Postfix is simply the MTA. In fact I guess this
very mailing list is using something similar to what you need.

Forgive the bluntness of my response. 

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: [Bounce Handling] Searching information

2009-09-08 Thread Clunk Werclick
On Tue, 2009-09-08 at 13:27 +0200, no_s...@cardiff.fr wrote:
> Hello postfix users
> We have approx 150 customers that wish to do marketing email with their
> customers, and we have had these customers knowing former spam listing,
> because they / we did not cope feedback loops, list retrieval and all the
> ‘quality service’ recommendations.
So they *are* spammers then?

> Where am I wrong, and what is necessary to setup bounce handling knowing
> that : 
> 1- Bounces return addresses are constructed dynamically, and there is no
> real user account corresponding to bounce.--x...@bounces.f.net
If you are sending mail to valid users who have opted in, it won't
bounce. Will it :-)
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: relay_domains vs virtual_mailbox_domains

2009-09-08 Thread Clunk Werclick

From: Clunk Werclick
Reply-to: mailbacku...@googlemail.com
Cc: postfix-users@postfix.org
Subject: Re: relay_domains vs virtual_mailbox_domains
Date: Tue, 08 Sep 2009 09:28:36 +0100
Mailer: Evolution 2.24.3


On Tue, 2009-09-08 at 08:52 +0100, Steve Heaven wrote:
> On Mon, 2009-09-07 at 11:50 -0400, Sahil Tandon wrote:
> 
> > 
> > You should not accept mail for invalid recipients.  Use existing
> > functionality to build a cache/database of valid recipients "on the fly".
> > See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
> 
> We have no way of knowing if the recipient address is valid or not as
> we are only acting as a relay for the final destination.
> We cannot build a database of recipients on the fly as that
> information is held on the various servers of our clients, to which we
> do not have access.
> 
Please forgive the bluntness - and drifting off a bit as I've not seen
all of this; If you are acting as a relay and not able to verify the
final recipients exist - you will quickly run into serious problems and
side effects.

Postfix provides a probing/discovery mechanism that spares you the need
to build maps - it's not ideal when compared to the sheer speed of SQL,
MAPS or LDAP, but it exists - so there is no excuse to accept mail for
invalid recipients with Postfix. The link given tells you how this
'probing' works.

Failing to verify final recipients means you will probably accept mail
that is sequentially refused, leaving you holding the baby and having to
bounce it. (Old Chinese Proverb say, man who gives 250 OK to SMTP, take
ownership and responsibility). With invalid recipients, the sender is
usually forged and as your relay has nothing left to do but bounce the
message, your IP(s) are going to become really unpopular *fast*, and
probably have it blacklisted in no time at all.

This is, of course, not only limited to invalid recipients. Accepting
any kind of mail for a destination that cannot be delivered gives the
same problem. Perhaps the recipient is valid, but the destination
refused the message because of the content/spam. You end up holding the
baby again.

If you really need the ability to catch all without bounce then the
final destination needs to absolutely white list everything you throw
at it - regardless of recipient or content. That is most certainly *not*
ideal without some serious UCE measures on the relay itself.

In commercial solutions I have seen, RELAYS have held the message and
not given a 250 until the final destination has taken it -or- (less
ideal) taken the message and put it into an 'outbound' Postfixen where
it is retried for 48-72 hours. This gives the Relay admin time to see it
and liaise with the final destination host admin. This would be a real
headache if you wind up with thousands of messages in the queue for
invalid recipients, bringing us full circle to the topic once more.

Good luck with what it is you are doing.


-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: How to block spammers appearing as local users?

2009-09-02 Thread Clunk Werclick
On Wed, 2009-09-02 at 18:22 +0200, Benny Pedersen wrote:
> On ons 02 sep 2009 18:07:27 CEST, LuKreme wrote
> >> who says this ip is dynamic, just because the hostname looks like
> >> it is ?
> > Erm don't be naive. If they can't be bothered to have a better  
> > rDNS then I can't be bothered to get their spam.
> 
> who is naive now ?, i have seen dynamic ip with a static looking  
> hostname, should you just accept it ?
1. ppp = point to point protocol? Tends to smell a bit of dsl/dialup
2. The IP is in the PBL because it is dynamic. 
Forgive Benny, he is just a bit odd.
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






report to consolidate allowed messages

2009-08-08 Thread Clunk Werclick
Hello,

I have been toying with the best way to produce a report of 'allowed'
messages that have made it all the way through my Postfix. I love the
Postfix logs, they give such detail on failures and refusals and parsing
this is quite straightforward. 

The entertainment commences when I try to figure out how to produce a
report of 'allowed' messages. This needs to contain just a few pieces of
key information;

date/time   from   to   subject   client IP

At first, I thought 'this will be easy' but upon closer examination this
is not as simple as it looks. Where Postfix is multi-process, the bits
of information are in different places and consolidating this has some
challenges. In particular matching up (by script) the interaction for a
transaction between;

postfix/smtpd
postfix/cleanup
postfix/virtual
postfix/qmgr

Perhaps there is an easy way to get the five metrics I would like in a
report?

I am starting to think I may need to plug something in to 'scan' the
headers of a message after Postfix is done with it or pipe the messages
through a script?

To keep things lean and for learning, I am interested to achieve this
with some Perl - so my interest is really in finding the 'key' to link
the information together from what is already produced - or - to work
out how to get messages to pipe through a script as 'virtual' delivers
them. Unless Virtual can give me all the information I need (logging
options)

Perhaps some of the very clever gurus here have some useful suggestion?


-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 
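
An added example (not part of the original post, and written in Python rather than the Perl the poster mentions): the key that links the smtpd, cleanup, qmgr and virtual lines of one message is the queue ID logged right after the daemon name. The code below joins on it and emits one row per delivered recipient; the sample log is constructed, queue IDs are assumed to be the short hexadecimal form, and the Subject column assumes a `/^Subject:/ WARN` rule in header_checks so that cleanup logs the header.

```python
import re

# Constructed sample log (not from the original post). The "warning: header
# Subject:" line only exists if header_checks has a rule like
#     /^Subject:/ WARN
# which this example assumes.
SAMPLE_LOG = """\
Aug  8 10:15:01 mx postfix/smtpd[2101]: connect from mail.example.net[192.0.2.10]
Aug  8 10:15:01 mx postfix/smtpd[2101]: 4F1A2C0012: client=mail.example.net[192.0.2.10]
Aug  8 10:15:01 mx postfix/cleanup[2105]: 4F1A2C0012: warning: header Subject: Invoice from accounts from mail.example.net[192.0.2.10]; from=<alice@example.net> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Aug  8 10:15:01 mx postfix/cleanup[2105]: 4F1A2C0012: message-id=<1@example.net>
Aug  8 10:15:01 mx postfix/qmgr[1890]: 4F1A2C0012: from=<alice@example.net>, size=2314, nrcpt=2 (queue active)
Aug  8 10:15:02 mx postfix/virtual[2107]: 4F1A2C0012: to=<bob@example.com>, relay=virtual, delay=0.31, delays=0.2/0.01/0/0.1, dsn=2.0.0, status=sent (delivered to maildir)
Aug  8 10:15:02 mx postfix/virtual[2107]: 4F1A2C0012: to=<amy@example.com>, relay=virtual, delay=0.33, delays=0.2/0.01/0/0.12, dsn=2.0.0, status=sent (delivered to maildir)
Aug  8 10:15:02 mx postfix/qmgr[1890]: 4F1A2C0012: removed
Aug  8 10:16:40 mx postfix/smtpd[2110]: 7B33DC0013: client=unknown[198.51.100.7]
Aug  8 10:16:40 mx postfix/qmgr[1890]: 7B33DC0013: from=<x@sender.invalid>, size=900, nrcpt=1 (queue active)
Aug  8 10:16:41 mx postfix/virtual[2107]: 7B33DC0013: to=<nobody@example.com>, relay=virtual, delay=0.2, delays=0.1/0/0/0.1, dsn=5.1.1, status=bounced (unknown user: "nobody@example.com")
Aug  8 10:16:41 mx postfix/qmgr[1890]: 7B33DC0013: removed
"""

# timestamp, host, daemon[pid], queue ID, remainder of the line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<daemon>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"^client=[^\[]*\[(?P<ip>[^\]]+)\]")
# Greedy .* so a Subject that itself contains " from " is kept whole.
# The Subject is sender-controlled text: treat it as untrusted in any report.
SUBJECT_RE = re.compile(
    r"^warning: header Subject: (?P<subject>.*) from \S+\[[^\]]+\]; from=<"
)
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>, size=")
DELIVERY_RE = re.compile(r"^to=<(?P<rcpt>[^>]*)>, .*\bstatus=(?P<status>\w+)")

# Delivery agents whose status=sent lines count as "allowed" mail here.
DELIVERY_DAEMONS = ("virtual", "local")


def delivered_report(log_text):
    """Return (time, from, to, subject, client_ip) per delivered recipient."""
    pending = {}  # queue ID -> fields collected so far
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect, NOQUEUE rejects, other daemons
        qid, daemon, rest = m["qid"], m["daemon"], m["rest"]
        rec = pending.setdefault(
            qid, {"client_ip": None, "from": None, "subject": None}
        )
        if daemon == "smtpd":
            c = CLIENT_RE.match(rest)
            if c:
                rec["client_ip"] = c["ip"]
        elif daemon == "cleanup":
            s = SUBJECT_RE.match(rest)
            if s:
                rec["subject"] = s["subject"]
        elif daemon == "qmgr":
            f = FROM_RE.match(rest)
            if f:
                rec["from"] = f["sender"]
            elif rest == "removed":
                # Queue IDs are reused, so forget the record once it is done.
                pending.pop(qid, None)
        elif daemon in DELIVERY_DAEMONS:
            d = DELIVERY_RE.match(rest)
            if d and d["status"] == "sent":
                rows.append(
                    (m["ts"], rec["from"], d["rcpt"], rec["subject"], rec["client_ip"])
                )
    return rows


if __name__ == "__main__":
    for row in delivered_report(SAMPLE_LOG):
        print("\t".join(str(field) for field in row))
```
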





Re: Reverse DNS requirement

2009-08-05 Thread Clunk Werclick
On Wed, 2009-08-05 at 09:44 +0200, Robert Schetterer wrote:
> LuKreme schrieb:
> > On Aug 4, 2009, at 3:42, Thomas Gelf  wrote:
> > 
> >> the person who did not correctly set up the network is to be blamed,
> >>   if you have equipment acting as MTA it should be configured the right
> >>   way, otherwise use a relay server
> > 
> > SHOULD be blamed? Yes. But the blame will fall on the mail admin.
> > 
> > "The mail was sent, YOU caused the server to reject it."
> > 
> 
> this is the postfix mail list,
> the option make_world_a_better_place wasn't implemented yet *g

It is in my version! You must have old version:
postconf -n
header_checks = regexp:/etc/postfix/header_checks
mail_name = cupoftea
make_world_a_better_place = regex:/destroy/M$/exchange


-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Black magic rejecting header Subjects

2009-08-04 Thread Clunk Werclick
On Tue, 2009-08-04 at 11:44 +0200, Robin Smidsrød wrote:
> Lukas Ruf wrote:
> > Please find attached the header_checks file currently in use:
> > 
> > When I comment the line in main.cf
> > header_checks   = pcre:/etc/postfix/header_checks.pcre
> > everything works for me as expected.  Thus, I strongly assume there
> > must be a bug somewhere in the definitions
> 
> /^X-Mailer: MIME\:\:Lite/ REJECT
> 
> I use this one in my Perl mail applications. It's a legitimate CPAN
> module (see http://search.cpan.org/perldoc?MIME::Lite) that is quite
> popular. Blocking it will probably reject a lot of email from scripts
> (of various nature, some probably spam, some not).
> 
> -- Robin
I too use it, but I changed the X-Mailer so it does not say
'MIME::Lite'. I am sure that spammers may think of that also? The people
who write bots and spam scripts are very skilled - it would only be a
child or rank amateur who would leave that silly header as it is.

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: New Antispam settings

2009-08-04 Thread Clunk Werclick
On Tue, 2009-08-04 at 04:17 -0400, Dave wrote:
> Hello,
>   I'm trying to adjust my current antispam measures as they are no
> longer working. I'm running postfix 2.3 on a rel5 machine. I've got the
> below, which is a postconf -n output of my current configuration. To it I'd
> like to add spf, and postgrey support in smtpd_recipient_restrictions after
> the rbl checks, and dkim-milter last in the file. I'd appreciate any
> feedback on these settings and suggested improvements if any.
> Thanks.
> Dave.
> 
> address_verify_map = btree:/var/spool/postfix/verified_senders
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> biff = no
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> disable_vrfy_command = yes
> empty_address_recipient = MAILER-DAEMON
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = 127.0.0.1, 
> invalid_hostname_reject_code = 554
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> mail_owner = postfix
> mail_spool_directory = /var/spool/mail
> mailbox_size_limit = 104857600
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 20971520
> multi_recipient_bounce_reject_code = 554
> mydomain = example.com
> myhostname = mail.example.com
> mynetworks = 127.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> non_fqdn_reject_code = 554
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> recipient_delimiter = +
> relay_domains_reject_code = 554
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> show_user_unknown_table_name = no
> smtp_helo_timeout = 60s
> smtpd_banner = $myhostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_error_sleep_time = 5s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = reject_invalid_hostname,
> reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> reject_unverified_sender reject_unverified_recipient
> reject_multi_recipient_bounce, permit_sasl_authenticated, permit_mynetworks,
> reject_unauth_destination,check_recipient_access
> pcre:/etc/postfix/recipient_checks.pcre,  check_helo_access
> hash:/etc/postfix/helo_checks,check_sender_access
> hash:/etc/postfix/sender_checks, check_sender_mx_access
> cidr:/etc/postfix/bogus_mx check_recipient_access
> hash:/etc/postfix/recipient_access check_client_access
> hash:/etc/postfix/client_checks,  check_client_access
> pcre:/etc/postfix/client_checks.pcre, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client black.uribl.com, reject_rbl_client
> combined.rbl.msrbl.net, reject_rhsbl_sender dsn.rfc-ignorant.org
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = 
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_soft_error_limit = 10
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.crt
> smtpd_tls_CAfile = /etc/postfix/ssl/ca-cert.pem
> smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
> smtpd_tls_session_cache_timeout = 3600s
> strict_rfc821_envelopes = yes
> tls_random_source = dev:/dev/urandom
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 554
> unknown_virtual_alias_reject_code = 554
> unknown_virtual_mailbox_reject_code = 554
> unverified_recipient_reject_code = 554
> unverified_sender_reject_code = 554
> virtual_alias_maps = hash:/etc/postfix/virtual_alias
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_domains = /etc/postfix/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
> virtual_minimum_uid = 1000
> virtual_uid_maps = static:5000

Postgrey is a reasonable suggestion, but I don't tend to like allowing
repeat connections myself. I like to do a simple 'yes or no' and not
beat the bush around.

If I may comment about your usage of DKIM & SPF.
Many many people, even legitimate senders, don't have DKIM or SPF. So
implementation would almost certainly be carnage for lots of your HAM if
you decide to block on this criteria. SPF & DKIM are really only useful
for white listing IMHO.

What kind of spam is failing to get caught? Perhaps get Postfix to work
with Spamassassin or put in some basic header/body checks to catch
obvious spams?


-- 
--

Re: too many postfix smtp active internet connections

2009-08-03 Thread Clunk Werclick
On Tue, 2009-08-04 at 08:12 +0200, Patrick Ben Koetter wrote:
> 
> You need the milter capabilities from Postfix 2.6. Use the
> batv-milter.
> 
> That's all I know at the moment.

I am confused? batv-milter? Is it not pvrs? I see this:

http://sourceforge.net/projects/batv-milter/

The idea looks very credible, and I have seen mails with pvrs= in the
'from' field. I think there is milter support in 2.5.5 (not just 2.6) as
I have a clam milter running myself - but I am not so sure that this
'batv' milter would require something special to 2.6?

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: too many postfix smtp active internet connections

2009-08-03 Thread Clunk Werclick
On Mon, 2009-08-03 at 16:08 -0400, Wietse Venema wrote:
> Get rid of the backscatter:
> http://www.postfix.org/BACKSCATTER_README.html
> 
>   Wietse

Has anybody implemented something like this with Postfix?

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Any observations or advice?

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: too many postfix smtp active internet connections

2009-08-03 Thread Clunk Werclick
On Mon, 2009-08-03 at 16:08 -0400, Wietse Venema wrote:

> Get rid of the backscatter:
> http://www.postfix.org/BACKSCATTER_README.html

Has anybody implemented something like this with Postfix yet?



-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: [OT] Spam Prevention

2009-08-03 Thread Clunk Werclick
On Mon, 2009-08-03 at 16:52 +1000, Thomas wrote:
> Hey,
> 
> [..]
> > Yes, I use that too - but I like a quick summary on demand.
> See: 
> You can use the scripts _without_ logwatch and get an instant summary of 
> your mail.log.
> 
> Cheers,
> Thomas
Indeed it does and that is interesting, thank you. My long term goal is
to get my Perl to log, in single line;

DATE/TIME INBOUND/OUTBOUND TO FROM SUBJECT SPAM SCORE IP

That is what I really would like to be able to do - but so far I do not
find a way that is easy or straightforward to bring all of this
information together in a single 'delivered' log. Rejected or dropped
mail is straightforward, but delivered mail seems to be harder to cobble
something together to give it, how do you say, 'the inside leg
measurements' ? 

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: [OT] Spam Prevention

2009-08-02 Thread Clunk Werclick


On Mon, 2009-08-03 at 08:29 +0200, Willy De la Court wrote:
> On Sun, 02 Aug 2009 17:04:17 -0400, Jon  wrote:
> > Clunk Werclick wrote:
> >> 
> >> 
> >>      PRE DNSBL  321
> >>
> >>         NO PTR  201
> >>       SPOOFING  120
> >> RELAY ATTEMPTS    0
> >>  BLOCKED OTHER    0
> >>    WHITELISTED    4
> >>
> >>  BLOCKED DNSBL  287
> >> 
> >> 
> > 
> > What tools are you using to generate your counts and get your output 
> > presented this way?
> 
> The logwatch package can do something similar.
> 
> See example below. I stripped out some sections with sensitive information
> but you get the idea.
> 
>  --- Postfix Begin (detail=5) ---
> 
>  ** Summary **
> 
>   28.893M   Bytes accepted                          30,296,112
>    4.471M   Bytes sent via SMTP                      4,687,715
>   25.310M   Bytes delivered                         26,538,982
> 
>       370   Accepted                                     1.79%
>     20326   Rejected                                    98.21%
>     20696   Total                                      100.00%
> 
>       124   5xx Reject relay denied                      0.61%
>      5423   5xx Reject HELO/EHLO                        26.68%
>       154   5xx Reject unknown user                      0.76%
>     14625   5xx Reject RBL                              71.95%
>     20326   Total 5xx Rejects                          100.00%
> 
>        20   4xx Reject HELO/EHLO                         2.11%
>         2   4xx Reject unknown user                      0.21%
>       102   4xx Reject recipient address                10.75%
>       648   4xx Reject sender address                   68.28%
>       158   4xx Reject unknown reverse client host      16.65%
>        19   4xx Reject RBL                               2.00%
>       949   Total 4xx Rejects                          100.00%
> 
>     14952   Connections made
>      5149   Connections lost (inbound)
>     14947   Disconnections
>       368   Removed from queue
>       334   Delivered
>       127   Sent via SMTP
>        10   Resent
>         2   Deferred
>         2   Deferrals
>         2   Bounced (remote)
>         2   Notifications sent
> 
>        45   Timeout (inbound)
>        23   Illegal address syntax in SMTP command
>        56   Numeric hostname
>         7   SMTP dialog error
>       106   Excessive errors in SMTP dialog
>      3071   Hostname verification errors
>         1   Hostname validation errors
> 
>  ** Detail **
> 
>       124   5xx Reject relay denied
>        20      81.192.186.79     adsl-79-186-192-81.adsl.iam.net.ma
>        20      85.181.161.97     e181161097.adsl.alicedsl.de
>        20      95.110.96.169     g95-110-96-169.broadband.bashtel.ru
>        20      190.48.158.110    unknown
>        20      201.80.36.14      unknown
>        20      202.142.223.169   unknown
>         2      83.36.234.113     113.red-83-36-234.dynamicip.rima-tde.net
>         2      90.176.249.58     58.249.broadband9.iol.cz
> 
>      5423   5xx Reject HELO/EHLO
>      5423      Need fully-qualified hostname
> 
>       154   5xx Reject unknown user
>       154      Virtual mailbox table
> 
>     14625   5xx Reject RBL
>      7959      bl.spamcop.net
>                zen.spamhaus.org
> 
>        20   4xx Reject HELO/EHLO
>        20      Need fully-qualified hostname
>  
> 

Re: Spam Prevention

2009-08-02 Thread Clunk Werclick
On Sun, 2009-08-02 at 17:04 -0400, Jon wrote:
> Clunk Werclick wrote:
> > 
> > 
> >      PRE DNSBL  321
> >
> >         NO PTR  201
> >       SPOOFING  120
> > RELAY ATTEMPTS    0
> >  BLOCKED OTHER    0
> >    WHITELISTED    4
> >
> >  BLOCKED DNSBL  287
> > 
> > 
> 
> What tools are you using to generate your counts and get your output 
> presented this way?
A dirty little Perl script + cron.
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Spam Prevention

2009-08-02 Thread Clunk Werclick
On Sun, 2009-08-02 at 11:56 +0200, Willy De la Court wrote:
> Hi all,
> 
> Just a question about spam prevention and resource optimalisation.
> 
> What is the best way to go. I have this as spam prevention at the moment.
> 
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_non_fqdn_hostname,
>     reject_invalid_hostname,
>     permit
> 
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit
> 
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     reject_invalid_hostname,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_unlisted_recipient,
>     check_policy_service inet:127.0.0.1:6,
>     permit
> 
> This means that there are a number of tests before the actual recipient
> address is tested, would it not be better to place the
> reject_unlisted_recipient very early in the chain? Or am I wrong here. In
> placing the reject_unlisted_recipient earlier in the chain would I not make
> it easier for dictionary attacks to succeed? The check_policy_server is the
> postgrey implementation of http://postgrey.schweikert.ch/
> 
> I added the reject_unlisted_recipient before the postgrey policy test
> because I noticed unknown recipients being passed to the postgrey policy
> test.
> 
> Any comments would be welcome.
Hello Willy,

It depends on how aggressive you wish to be. Looking at the last half an
hour in my logs, the statistics show my blocking going on. The big fishy
is 'No PTR' (in words of another no reverse DNS at all) then followed by
spoof attempts (b...@example.com to b...@example.com).

I block both of these types before passing to a big list of dnsbl's -
but they may not be entirely suitable in production and it depends upon
your BOFH mentality/level -v- your users complaining;



     PRE DNSBL  321

        NO PTR  201
      SPOOFING  120
RELAY ATTEMPTS    0
 BLOCKED OTHER    0
   WHITELISTED    4

 BLOCKED DNSBL  287



smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_reverse_client_hostname
    check_sender_access hash:/etc/postfix/nospoof
    reject_rbl_client no-more-funn.moensted.dk
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl-1.uceprotect.net
    reject_rbl_client dnsbl-2.uceprotect.net
    reject_rbl_client dnsbl-3.uceprotect.net
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client bl.spamcannibal.org
    reject_rbl_client spam.dnsbl.sorbs.net
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org
    permit


This;
/etc/postfix/nospoof

is just a postmapped flat file of our domains that looks like this;

/etc/postfix/nospoof
...
example.com REJECT spoofing go away 
example.net REJECT spoofing go away
example.org REJECT spoofing go away
...
Have much fun and remember some spam is nice. Especially in a baguette
with some 'daddies' sauce
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 
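
An added example (not the poster's Perl script, which is not shown in the thread): one way to produce counts in the categories of the table above from smtpd reject lines, written in Python. The sample log is constructed; the SPOOFING match assumes the "spoofing go away" text from the nospoof map in the post, PRE DNSBL is assumed to be the sum of all non-DNSBL rejects (as the figures in the table suggest), and WHITELISTED is left out because the post does not say how it is derived.

```python
import re
from collections import Counter

# Constructed smtpd log lines (not from the original post).
SAMPLE_LOG = """\
Aug  2 11:30:01 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<a@sender.invalid> to=<bob@example.com> proto=SMTP helo=<pc>
Aug  2 11:30:09 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from host.isp.invalid[203.0.113.9]: 554 5.7.1 <bob@example.com>: Sender address rejected: spoofing go away; from=<bob@example.com> to=<bob@example.com> proto=ESMTP helo=<host.isp.invalid>
Aug  2 11:30:15 mx postfix/smtpd[4103]: NOQUEUE: reject: RCPT from mail.bulk.invalid[192.0.2.44]: 554 5.7.1 Service unavailable; Client host [192.0.2.44] blocked using zen.spamhaus.org; listed; from=<x@bulk.invalid> to=<bob@example.com> proto=ESMTP helo=<mail.bulk.invalid>
Aug  2 11:30:20 mx postfix/smtpd[4104]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.8]; from=<c@d.invalid> to=<amy@example.net> proto=SMTP helo=<x>
Aug  2 11:30:31 mx postfix/smtpd[4105]: NOQUEUE: reject: RCPT from mail.other.invalid[192.0.2.60]: 554 5.7.1 Service unavailable; Client host [192.0.2.60] blocked using bl.spamcop.net; Blocked; from=<y@other.invalid> to=<amy@example.net> proto=ESMTP helo=<mail.other.invalid>
Aug  2 11:30:40 mx postfix/smtpd[4106]: NOQUEUE: reject: RCPT from relay.try.invalid[192.0.2.77]: 554 5.7.1 <v@elsewhere.invalid>: Relay access denied; from=<s@try.invalid> to=<v@elsewhere.invalid> proto=ESMTP helo=<relay.try.invalid>
Aug  2 11:30:50 mx postfix/smtpd[4108]: NOQUEUE: reject: RCPT from dsl.host.invalid[192.0.2.91]: 504 5.5.2 <pc>: Helo command rejected: need fully-qualified hostname; from=<z@q.invalid> to=<bob@example.com> proto=SMTP helo=<pc>
Aug  2 11:30:55 mx postfix/smtpd[4109]: connect from good.example.org[192.0.2.200]
"""

CATEGORIES = ("NO PTR", "SPOOFING", "RELAY ATTEMPTS", "BLOCKED OTHER", "BLOCKED DNSBL")

# Reject text runs from the SMTP reply code up to the first "; from=<".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<text>.*?); from=<"
)
DNSBL_RE = re.compile(r"blocked using (?P<zone>[\w.-]+)")


def classify(text):
    """Map the reject text of one smtpd log line to a report category."""
    if "cannot find your reverse hostname" in text:
        return "NO PTR"          # reject_unknown_reverse_client_hostname
    if "Sender address rejected: spoofing go away" in text:
        return "SPOOFING"        # check_sender_access hit on the nospoof map
    if "Relay access denied" in text:
        return "RELAY ATTEMPTS"  # reject_unauth_destination
    if DNSBL_RE.search(text):
        return "BLOCKED DNSBL"   # reject_rbl_client
    return "BLOCKED OTHER"


def summarize(log_text):
    """Return (category counts, per-DNSBL-zone counts) for a log excerpt."""
    counts = dict.fromkeys(CATEGORIES, 0)
    zones = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        category = classify(m["text"])
        counts[category] += 1
        if category == "BLOCKED DNSBL":
            zones[DNSBL_RE.search(m["text"])["zone"]] += 1
    # Assumption: PRE DNSBL is everything rejected before the DNSBL lookups.
    pre_dnsbl = sum(n for c, n in counts.items() if c != "BLOCKED DNSBL")
    return {"PRE DNSBL": pre_dnsbl, **counts}, dict(zones)


if __name__ == "__main__":
    totals, by_zone = summarize(SAMPLE_LOG)
    for name, value in totals.items():
        print(f"{name:>15}  {value}")
    for zone, value in sorted(by_zone.items()):
        print(f"{zone:>15}  {value}")
```
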





Re: OT Configuration Questions/Help {LDAP}

2009-07-31 Thread Clunk Werclick
On Fri, 2009-07-31 at 09:50 -0500, Noel Jones wrote:
> Clunk Werclick wrote:
> > On Thu, 2009-07-30 at 22:45 -0500, Noel Jones wrote:
> >> Jeff Grossman wrote:
> > 
> >>> have seen articles about exporting the Exchange users via LDAP and putting
> >>> them in an access map file on the Postfix server, but I am not a big fan 
> >>> of
> >>> that.  I would prefer to just query the Exchange server directly for valid
> >>> addresses.
> >> OK, your choice.
> > 
> > Ehlo and sorry to hijack a little here {hence subjective change}, but
> > some thing has crossed my mind along these lines with multiple exchange
> > servers using active directory.
> > 
> > Perhaps someone has, say, 10 different domains and uses Postfix as a
> > common incoming gateway. From a look cursory I see there exists a ldap
> > map system.
> > 
> > Would this allow each domain to define a different LDAP server to query?
> > Perhaps to be clear;
> > 
> > DOMAIN.ONE   -> LDAP{1.2.3.4}
> > DOMAIN.TWO   -> LDAP{1.2.3.5}
> > DOMAIN.THREE -> LDAP{1.2.3.6}
> > ... repeat to fade ...
> > 
> > Can this be achieved and is there some further reading I can do this
> > weekend whilst I sip champagne in the sun ?
> 
> http://www.postfix.org/postconf.5.html#relay_recipient_maps
> Notice "maps" is plural; list as many maps as necessary. 
> Separate multiple map definitions with a comma and/or space.
> 
> There is no limit built into postfix concerning how many maps 
> you can define, but each map definition consumes system 
> resources (memory, file handles, etc).  At some point too many 
> maps will impact system performance.
> 
> Many admins find it easier and cleaner to create a single map 
> by dumping related data together under the control of a Makefile.
> 
>-- Noel Jones
Thank you Noel. I will sip some champagne for you this weekend whilst I
consider the options :-)


-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: No such file or directory

2009-07-31 Thread Clunk Werclick
On Fri, 2009-07-31 at 11:40 +0200, Ruud v.d Burg wrote:
> Clunk Werclick schreef:
> > On Fri, 2009-07-31 at 09:16 +0200, Ruud v.d Burg wrote:
> >   
> >> Hi,
> >>
> >> I followed this guide for setting up postfix with virtual users.
> >> http://www.howtoforge.com/virtual-users-and-domains-postfix-courier-mysql-centos5.1
> >>
> >> After I finished I got several errors that I fixed but I'm stuck on this:
> >> Jul 31 05:09:49 localhost pop3d: chdir advies4you.nl/admin/: No such 
> >> file or directory
> >>
> >> I'm trying to log in with an account named ad...@advies4you.nl and this is 
> >> what I get when I look at the /var/log/maillog
> >>
> >> Also, where does postfix store its data/email for the users?
> >> 
> > Good morning Ruud,
> >
> > First of all the log line 'pop3d' is not Postfix saying that to you. It
> > is a pop/imap server which I guess is courier.
> >
> > That to one side, this will almost certainly be the wrong leading path
> > set somewhere *or* chrooting.
> >
> > I am sure that directory advies4you.nl/admin/ does not exist, but
> > /home/advies4you.nl/admin/ may do - so the leading directory is missing
> > somewhere. 
> >
> > Postfix for example defines the top directory in main.cf like this;
> > queue_directory = /path/to/queue/directory/ {don't change this... just
> > for example}
> >
> > Dovecot Pop/Imap has:
> > mail_location = maildir:/path/to/mailbox/%h/ 
> >
> > I'm not familiar with courier imap/pop server but you will probably find
> > a similar directive in the configuration file that needs to be set to
> > point to the directory where advies4you.nl/admin/ can be found.
> >
> > There is also an outside chance that there is some chroot issue going on
> > here, but I would forget this until you prove that your popd is looking
> > in the right top directory.
> >
> >   
> Good morning!
> 
> I only added the user in the mysql db. Is there any web admin panel for 
> postfix that adds the user with mailx and in the mysql or something? My 
> company currently has qmailrocks and here we use the web admin panel to 
> add users. Is there something similar for postfix?
There may be, but I am not a user so I could not recommend one. Some
people speak of webmin but personally I have command line scripts to
manage my setup. 

> 
> main.cf points to queue_directory = /var/spool/postfix
> But i cant find the config for the pop3 thing. I also manually created 
> the advies4you/admin thing in the home/vmail folder (the home/vmail did 
> exist) but that did not fix the problem.
I do not use that pop3 - I use dovecot so I cannot really help you.
However, a look at: http://www.courier-mta.org/pop3d.html refers to a
config file: /etc/courier/pop3d

Further use of google took me here which has some information I would
find useful if I were using that server:

http://www.linuxfromscratch.org/hints/downloads/files/OLD/courier.txt

> I cant recall i edited any config that has mail_location either, or 
> atleast i cant find it.
> 
> Best regards,
> 
> Ruud
Cutting to the chase here and not confusing yourself, the log error you
have specifically points to pop3d not being able to find your directory.
This is either because it does not exist or it is looking in the wrong
place. It is no more complex than that so do not confuse yourself. You
may be best to ask on a courier mail list.

If after solving your directory issues you have other Postfix issues be
sure to check back here for help.
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: No such file or directory

2009-07-31 Thread Clunk Werclick
On Fri, 2009-07-31 at 09:16 +0200, Ruud v.d Burg wrote:
> Hi,
> 
> i followed this guide for setting up postfix with virtual users.
> http://www.howtoforge.com/virtual-users-and-domains-postfix-courier-mysql-centos5.1
> 
> After I finished I got several errors that I fixed but I'm stuck on this:
> Jul 31 05:09:49 localhost pop3d: chdir advies4you.nl/admin/: No such 
> file or directory
> 
> I'm trying to log in with an account named ad...@advies4you.nl and this is 
> what I get when I look at the /var/log/maillog
> 
> Also, where does postfix store its data/email for the users?
Good morning Ruud,

First of all the log line 'pop3d' is not Postfix saying that to you. It
is a pop/imap server which I guess is courier.

That to one side, this will almost certainly be the wrong leading path
set somewhere *or* chrooting.

I am sure that directory advies4you.nl/admin/ does not exist, but
/home/advies4you.nl/admin/ may do - so the leading directory is missing
somewhere. 

Postfix for example defines the top directory in main.cf like this;
queue_directory = /path/to/queue/directory/ {don't change this... just
for example}

Dovecot Pop/Imap has:
mail_location = maildir:/path/to/mailbox/%h/ 

I'm not familiar with courier imap/pop server but you will probably find
a similar directive in the configuration file that needs to be set to
point to the directory where advies4you.nl/admin/ can be found.

There is also an outside chance that there is some chroot issue going on
here, but I would forget this until you prove that your popd is looking
in the right top directory.

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






OT Configuration Questions/Help {LDAP}

2009-07-30 Thread Clunk Werclick
On Thu, 2009-07-30 at 22:45 -0500, Noel Jones wrote:
> Jeff Grossman wrote:

> 
> > have seen articles about exporting the Exchange users via LDAP and putting
> > them in an access map file on the Postfix server, but I am not a big fan of
> > that.  I would prefer to just query the Exchange server directly for valid
> > addresses.
> 
> OK, your choice.

Ehlo and sorry to hijack a little here {hence subject change}, but
something has crossed my mind along these lines with multiple exchange
servers using active directory.

Perhaps someone has, say, 10 different domains and uses Postfix as a
common incoming gateway. From a cursory look I see there exists an LDAP
map system.

Would this allow each domain to define a different LDAP server to query?
Perhaps to be clear;

DOMAIN.ONE   -> LDAP{1.2.3.4}
DOMAIN.TWO   -> LDAP{1.2.3.5}
DOMAIN.THREE -> LDAP{1.2.3.6}
... repeat to fade ...

Can this be achieved and is there some further reading I can do this
weekend whilst I sip champagne in the sun ?
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Directory Harvest

2009-07-30 Thread Clunk Werclick
On Thu, 2009-07-30 at 08:59 +0200, Ralf Hildebrandt wrote:
> * Evan Platt :
> > At 03:59 PM 7/29/2009, you wrote:
> > >It looks like somebody is trying to figure out my internal users as
> > >evidenced by log excerpts below.  Is there something I could do to, if
> > >not prevent this, reduce it?
> > 
> > If  you're seeing a lot of attempts, I say just block them in your 
> > firewall...
> > 
> > # whois 93.85.224.123
> > 
> > OrgName:RIPE Network Coordination Centre
> > OrgID:  RIPE
> > Address:P.O. Box 10096
> > City:   Amsterdam
> > StateProv:
> > PostalCode: 1001EB
> > Country:NL
> > 
> > ReferralServer: whois://whois.ripe.net:43
> > 
> > NetRange:   93.0.0.0 - 93.255.255.255
> > CIDR:   93.0.0.0/8
> 
> Your whois is broken:
> inetnum:93.85.224.0 - 93.85.231.255
> netname:BELPAK
> descr:  Republican Unitary Enterprise BELTELECOM
> descr:  MINSK branch
> descr:  Republic of Belarus
> country:BY
> admin-c:DG1612-RIPE
> tech-c: OB1713-RIPE
> status: ASSIGNED PA
> mnt-by: AS6697-MNT
> source: RIPE # Filtered
> 
> person:   Dmitry Gorbukov
> address:  Belarus
> address:  220088, Minsk
> address:  ul. Zaharova, 57
> address:  UC MINSKOBLTELECOM
> phone:+375 17 5001131
> fax-no:   +375 17 5001193
> e-mail:   d...@minsktelecom.by
> nic-hdl:  DG1612-RIPE
> mnt-by:   AS6697-MNT
> source:   RIPE # Filtered
> 
> person: Oleg Bylina
> address:Belarus
> address:220088, Minsk
> address:ul. Zaharova, 57
> address:UC MINSKOBLTELECOM
> phone:  +375 17 5001383
> fax-no: +375 17 5001193
> e-mail: o...@minsktelecom.by
> nic-hdl:OB1713-RIPE
> mnt-by: AS6697-MNT
> source: RIPE # Filtered
> 
Apart from the IPTables a more autonomous fix could be done with the
(improper ?) use of Anvil. Any more than X connections in a couple of
minutes and goodnight sweetheart. 

This combined with max errors perhaps?
-- 
---

C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.


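Before choosing between a firewall block and anvil or error limits, it helps to measure which clients are actually probing. The following is an added example, not part of the original thread: it scans Postfix smtpd reject lines and flags clients that hit many distinct unknown recipients inside a short window. The log lines are constructed samples using documentation address ranges, and the threshold and window values are assumptions to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the smtpd "User unknown" rejection and captures time, client IP, recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: 5\d\d \S+ "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

# Constructed sample data (not taken from the thread).
_REJECT = (
    "Jul 29 15:58:{sec:02d} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
    "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
    "User unknown in virtual mailbox table; from=<probe@example.net> "
    "to=<{rcpt}> proto=SMTP helo=<mail.example.net>"
)
SAMPLE_LOG = [
    # One client walking a name list: six distinct unknown users in 50 seconds.
    _REJECT.format(sec=i * 10, ip="203.0.113.7", rcpt=f"{name}@example.com")
    for i, name in enumerate(["adam", "alice", "bob", "carol", "dave", "eve"])
] + [
    # A single mistyped address from another client: should not be flagged.
    _REJECT.format(sec=30, ip="198.51.100.20", rcpt="jon.smiht@example.com"),
    # Unrelated line: ignored by the parser.
    "Jul 29 15:58:41 mx postfix/smtpd[2102]: connect from mail.example.org[192.0.2.25]",
]


def find_harvesters(lines, threshold=5, window=timedelta(minutes=2), year=2009):
    """Return {client_ip: sorted recipients probed} for clients that were refused
    at least `threshold` distinct unknown recipients within any `window`."""
    events = defaultdict(list)
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((when, m["rcpt"].lower()))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {rcpt for _, rcpt in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted({rcpt for _, rcpt in hits})
                break
    return flagged


if __name__ == "__main__":
    for ip, rcpts in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} unknown recipients probed: {', '.join(rcpts)}")
```

Counting distinct recipients rather than raw rejections keeps a retrying legitimate sender with one mistyped address out of the result.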




RE: Stop spammers sending us spam from users in our domain...

2009-07-29 Thread Clunk Werclick
On Wed, 2009-07-29 at 23:26 +0930, Nick Sharp wrote:
> > >
> > This is how I block those pesky spoof mail spams;
> >
> > EDIT main.cf
> > smtpd_recipient_restrictions =
> > permit_mynetworks
> > permit_sasl_authenticated
> > reject_unauth_destination
> > 
> > check_sender_access hash:/etc/postfix/spoofprotection
> >
> >
> > CREATE /etc/postfix/spoofprotection
> > #spoof protection
> > domain1.com REJECT we dont mail ourselves
> > domain2.com REJECT we dont mail ourselves
> >
> > BUILD MAP TO IT
> > postmap /etc/postfix/spoofprotection
> >
> > RELOAD
> > postfix reload
> >
> > Caveats;
> > Breaks forwarding (where this is relevant)
> > Other caveats may exist too and someone else may point out a better way
> > or other issues. This has worked for me and I am very happy with it.
> >
> 
> Thanks Clunk,
> This looks like the way to go, both Brian and yourselves concur..
> 
> Just about to test this, but wanted to confirm your 'breaks forwarding'
> caveat, I do have some transports configured, and internal filters (amavis
> and procmail) but it sounds like these should be ok, can you elaborate a
> little? (the mail server is stupid busy at around 15000 mails a day - that's
> delivered mail!! So want to be sure.. 1 min of problems means a lot of mail
> to find/verify :)
> 
> Thanks Again.
> Nick
> 
> 
My apologies for the terse caveat. As I understand it, there are some
external mail services that roaming users may use that forward mail into
your Postfix claiming to be from your domain. Myself I do not use this.
Relations in England talk of this with Blackberry and O2 when using
iPhone but these are far too modern for me to understand.

Please hope an expert comes along and soon with a fuller answer, but I
think you will be mostly safe with that. If there should be a problem
your sender will know right away in most cases.
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Stop spammers sending us spam from users in our domain...

2009-07-29 Thread Clunk Werclick
On Wed, 2009-07-29 at 22:22 +0930, Nick Sharp wrote:
> Hi all,
> 
> I am new to this list, so forgive me if I am not up with your current level
> of etiquette, I do tune in pretty quickly.. so starting with a long email..
> 
> Been trying to stop people sending email to us setting FROM as a user in our
> domains. Seems basic enough spam limitation.
> 
> It seems if I configure reject_unauthenticated_sender_login_mismatch in
> smtp_sender_restrictions all email gets rejected (with my config below)
> (even to $virtual_mailbox_domains) _if_ not in $mynetworks (no auth needed -
> seems ok) or if the client is not sasl auth'd (smtp ok again in this
> situation)
> 
> So email to somevalidu...@ourdomain.com from
> someotheru...@anotherdomain.com.au (external domain) not sasl auth'd gets
> rejected with 'not logged in' - now I know that we shouldn't use
> $mydestination with virtual domains, so should it be looking at
> virtual_mailbox_domains? (which appears to be mysql mapped ok)
> 
> I would presume the default is to always accept email to our domains and the
> reject_unauthenticated_sender_login part just says if FROM matches our
> domain maps, then you must be authenticated to send it? (this is mainly what
> I want to confirm)
> 
> Or am I missing something obvious? (its not unknown :)
> 
> 
> #some conf stuff..
> mydestination =
> relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
> smtpd_sender_login_maps=mysql:/etc/postfix/mysql_sender_login_maps.cf
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
> smtpd_sender_restrictions = permit_sasl_authenticated,
>   permit_mynetworks, reject_unauthenticated_sender_login_mismatch,
>   reject_non_fqdn_sender,
>   reject_unauth_pipelining, permit
> 
> 
> /etc/postfix/mysql_sender_login_maps.cf
> 
> select_field=id  #which is the email address in full
> where_field='%s'
> additional_conditions = and enabled = 1
> 
> /etc/postfix/mysql_domains.cf
> 
> select_field=domain
> where_field=domain
> additional_conditions = and enabled = 1
> 
> Let me know if you want some more config/info to help you help me?
> 
> TIA
> 
> Nick
> 
This is how I block those pesky spoof mail spams;

EDIT main.cf
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

    check_sender_access hash:/etc/postfix/spoofprotection


CREATE /etc/postfix/spoofprotection
#spoof protection
domain1.com REJECT we dont mail ourselves 
domain2.com REJECT we dont mail ourselves

BUILD MAP TO IT
postmap /etc/postfix/spoofprotection

RELOAD
postfix reload

Caveats;
Breaks forwarding (where this is relevant)
Other caveats may exist too and someone else may point out a better way
or other issues. This has worked for me and I am very happy with it.

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.


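The restriction list in the message above depends on evaluation order, and the "breaks forwarding" caveat discussed in the follow-up falls out of the same logic. This added example (not code from the thread or from Postfix) is a simplified model of first-match evaluation; the sessions, addresses and the reordered list are constructed, and domain matching is exact rather than Postfix's full search order.

```python
import ipaddress

# Assumed site values for the model; domain1.com/domain2.com are the thread's placeholders.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
OUR_DOMAINS = {"domain1.com", "domain2.com"}
SPOOF_TABLE = {d: "REJECT we dont mail ourselves" for d in OUR_DOMAINS}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


# Each restriction returns a verdict string, or None to fall through to the next one.
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(s):
    return "PERMIT" if s.get("sasl_user") else None


def reject_unauth_destination(s):
    return None if _domain(s["rcpt"]) in OUR_DOMAINS else "REJECT Relay access denied"


def check_sender_access(s):
    # A miss in the table gives no verdict, so evaluation continues.
    return SPOOF_TABLE.get(_domain(s["sender"]))


AS_POSTED = [permit_mynetworks, permit_sasl_authenticated,
             reject_unauth_destination, check_sender_access]
# Hypothetical misordering: the sender check runs before the permits.
SPOOF_CHECK_FIRST = [check_sender_access] + AS_POSTED[:3]


def evaluate(session, restrictions=AS_POSTED):
    """Return (deciding restriction, verdict); the first verdict wins."""
    for rule in restrictions:
        verdict = rule(session)
        if verdict is not None:
            return rule.__name__, verdict
    return "end of list", "PERMIT"


# Constructed sessions.
SESSIONS = {
    "local application": {"client": "127.0.0.1", "sasl_user": None,
                          "sender": "web@domain1.com", "rcpt": "staff@domain1.com"},
    "roaming user, authenticated": {"client": "198.51.100.9", "sasl_user": "alice",
                                    "sender": "alice@domain1.com", "rcpt": "friend@example.org"},
    "ordinary outside sender": {"client": "192.0.2.25", "sasl_user": None,
                                "sender": "bob@example.org", "rcpt": "staff@domain1.com"},
    "spoofed own-domain sender": {"client": "203.0.113.50", "sasl_user": None,
                                  "sender": "ceo@domain1.com", "rcpt": "staff@domain1.com"},
    # The caveat: a third-party service hands mail back in with our user's
    # address as sender, unauthenticated. It is indistinguishable from a spoof.
    "external service forwarding as our user": {"client": "192.0.2.80", "sasl_user": None,
                                                "sender": "alice@domain1.com",
                                                "rcpt": "staff@domain2.com"},
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(f"{name:42s} {evaluate(session)}")
    print("misordered list, local application:",
          evaluate(SESSIONS["local application"], SPOOF_CHECK_FIRST))
```

The last line of output shows why the sender check belongs after permit_mynetworks and permit_sasl_authenticated: placed first, it rejects the site's own clients as well.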




Re: Many SQL Lookups on outbounding mails

2009-07-23 Thread Clunk Werclick
On Thu, 2009-07-23 at 11:57 +0200, Thomas Gelf wrote:
> Clunk Werclick wrote:
> > That is very reassuring Thomas, thank you. 
> > 
> > Now I don't know if I should stay with SQL or drop to maps ? It is
> > easier to configure with SQL from a web based front end - but to get SQL
> > to dump to flat files and Postmap is also only a few Perl lines. What is
> > a fool to do ? :-#
> 
> If you're comfortable with SQL: stay with SQL. Load should absolutely
> not be an issue with your estimated traffic - and even if I could tell
> some scary anecdotes regarding MySQL: it is pretty stable. Please also
> note that all my Postfix instances are using TCP, not local sockets. And
> it still performs very well!
> 
> "Dump to flat files" is an option, but I don't see any reason why you
> should do so: it just adds one more layer of complexity to your system.
> If you're writing an SQL frontend you have all config right there in
> realtime, are not forced to reflect about possible locking issues (what
> happens if you run your "recreate-flat-files"-script simultaneously more
> than once etc) - and if you add another Postfix host in the future all
> you need to do is providing it some credentials to connect to your DB.
> 
> Regards,
> Thomas
Thank you Thomas. I stick with MySQL and worry if I ever have to set up
a server so big it fails. If that happens I have lots of £$£ and pay
someone else to do it whilst I sit on beach sipping wine.

I have now got proxy working on the maps too, so that is off my to-do
list.

Now I fight the recipient verification process for many many domains
hosted on one Postfix - but that is a new adventure.
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Many SQL Lookups on outbounding mails

2009-07-23 Thread Clunk Werclick
On Thu, 2009-07-23 at 11:24 +0200, Thomas Gelf wrote:
> Clunk Werclick wrote:
> > On Thu, 2009-07-23 at 13:50 +1000, Barney Desmond wrote:
> >> You need to ask yourself if this is a real problem, or something
> >> you're just imagining. Mysql generally works fine, 50,000 messages a
> >> day at 12 queries each, equates to several queries per second. This is
> >> an "easy" load. 
> > That is a comfort to know. My main concern was this hammering was not
> > optimal, but it is welcome to make as many queries as it likes if it
> > does not crash the database server. Perhaps Postgresql would be a bit
> > more manly ? but slower ?
> 
> You'll probably not note a difference. I guess MySQL will allow you to
> connect() faster if using a local socket. However you should always use
> proxy_read_maps - so connect()-times are not so relevant.
> 
> I gave a quick look at the server statistics of our MySQL instance
> providing Postfix and Amavis config (not used as Amavis storage etc, its
> only purpose is providing "configuration"): DB uptime 250 days with an
> average of 300 queries per second (our reports are showing peaks of
> slightly more than 6 million delivery attempts a day).
> 
That is very reassuring Thomas, thank you. 

Now I don't know if I should stay with SQL or drop to maps ? It is
easier to configure with SQL from a web based front end - but to get SQL
to dump to flat files and Postmap is also only a few Perl lines. What is
a fool to do ? :-#

> We are using multiple servers, but that's mostly as of disaster recovery
> and failover reasons - you could handle similar traffic also on a single
> host (using recent server hardware).
> 
> A certain percentage of queries could of course be avoided if Postfix
> were optimized for DB usage. As we know it isn't - this design choice
> however keeps it flexible and simple.
> 
> Best regards,
> Thomas Gelf

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Many SQL Lookups on outbounding mails

2009-07-23 Thread Clunk Werclick
On Thu, 2009-07-23 at 18:47 +1000, Barney Desmond wrote:
> From: Barney Desmond
> To: postfix users list
> Subject: Re: Many SQL Lookups on outbounding mails
> Date: Thu, 23 Jul 2009 18:47:54 +1000 (09:47 BST)
> 
> 2009/7/23 Clunk Werclick :
> > That is a comfort to know. My main concern was this hammering was not
> > optimal, but it is welcome to make as many queries as it likes if it
> > does not crash the database server. Perhaps Postgresql would be a bit
> > more manly ? but slower ?
> 
> Realistically you shouldn't notice a difference, but every system will
> be different, and between those two it'll depend somewhat on tuning as
> well.
> 
> > to disable parent domain searching'. I would like to do this and see if
> > it makes a difference. What do I need to take out/add to do this ?
> 
> You can do this in main.cf, I believe you just set an empty value.
> http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
> 
> Something like:
> 
> parent_domain_matches_subdomains =
OK, done and reload but I'm still finding this (see below). What is
weird is the lookups it does based on the mail_from command. It's
recursing those in the database for a reason I am not sure I fully
understand? I understand why it does this for rcpt_to, makes full sense to
me, but for the sender also?
> 
> 
> Anecdotally, hash-based tables are "very fast". CDB tables are said to
> perform well at least up to a million entries.
> http://www.postfix.org/DATABASE_README.html#types
That scales well and I will re-engineer what I am doing to take
advantage of that. There seems little useful point to use SQL for
anything other than as a holding container that is used to generate maps
if these figures are correct. {in my context at least}
> 
{trim} 
> a little while ago, but the outcome was that the potential performance
> gain of not using proxymap when it's not needed was low, so you might
> as well always use it.
This is in my to-do list and I thank you Sir.

After making single change suggested and reload
A single test message by telnet where;

mail from: user...@yahoo.co.uk
rcpt to: t...@destination.co.uk

generated a lot of lookups for the 'mail from' command ?
803 Connect postfi...@localhost on mndb
803 Query   SELECT transport FROM transport WHERE destination='*'
803 Query   SELECT transport FROM transport WHERE destination='*'

804 Connect postfi...@localhost on mndb
804 Query   SELECT virtual_user_email FROM recipients WHERE alias='yahoo.co.uk'
805 Connect postfi...@localhost on mndb
805 Query   SELECT domain FROM domains WHERE domain='yahoo.co.uk' AND local=1
806 Connect postfi...@localhost on mndb
806 Query   SELECT domain FROM domains WHERE domain='yahoo.co.uk' AND local=0
806 Query   SELECT domain FROM domains WHERE domain='.co.uk' AND local=0
806 Query   SELECT domain FROM domains WHERE domain='.uk' AND local=0
803 Query   SELECT transport FROM transport WHERE destination='user...@yahoo.co.uk'
803 Query   SELECT transport FROM transport WHERE destination='yahoo.co.uk'
803 Query   SELECT transport FROM transport WHERE destination='.co.uk'
803 Query   SELECT transport FROM transport WHERE destination='.uk'

090723 10:18:07 804 Query   SELECT virtual_user_email FROM recipients WHERE alias='destination.co.uk'
805 Query   SELECT domain FROM domains WHERE domain='destination.co.uk' AND local=1
806 Query   SELECT domain FROM domains WHERE domain='destination.co.uk' AND local=0
803 Query   SELECT transport FROM transport WHERE destination='t...@destination.co.uk'
803 Query   SELECT transport FROM transport WHERE destination='destination.co.uk'

807 Connect postfi...@localhost on mndb
807 Query   SELECT virtual_user_email FROM recipients WHERE alias='t...@destination.co.uk'
807 Query   SELECT virtual_user_email FROM recipients WHERE alias='@destination.co.uk'

808 Connect postfi...@localhost on mndb
808 Query   SELECT virtual_user_email FROM recipients WHERE alias='t...@destination.co.uk'
808 Query   SELECT virtual_user_email FROM recipients WHERE alias='@destination.co.uk'
808 Query   SELECT virtual_user_email FROM recipients WHERE alias='postmas...@destination.co.uk'
808 Query   SELECT virtual_user_email FROM recipients WHERE alias='@destination.co.uk'
090723 10:18:21 804 Query   SELECT virtual_user_email FROM recipients WHERE al

Re: Many SQL Lookups on outbounding mails

2009-07-22 Thread Clunk Werclick
On Thu, 2009-07-23 at 13:50 +1000, Barney Desmond wrote:
> You need to ask yourself if this is a real problem, or something
> you're just imagining. Mysql generally works fine, 50,000 messages a
> day at 12 queries each, equates to several queries per second. This is
> an "easy" load. 
That is a comfort to know. My main concern was this hammering was not
optimal, but it is welcome to make as many queries as it likes if it
does not crash the database server. Perhaps Postgresql would be a bit
more manly ? but slower ?
> If you're concerned, then disable the parent domain
> searching as mentioned before.
Forgive my sincere stupidness, but I did not see where it said 'do this
to disable parent domain searching'. I would like to do this and see if
it makes a difference. What do I need to take out/add to do this ?
>  If you're worried about mysql's
> stability then you probably shouldn't be using it. Using a database as
> a table backend carries its own share of risks and failure cases.
It is not ideal to use it but it makes it easy to write web front ends
for management. I could script the generation of index postmaps from the
database but will this scale well? How big can the postmaps be before it
gets a little crazy? 100 lines? 1000 lines? 10,000 lines? 100,000 lines?
I cannot find any figures to say at which point it is best to cross
over ? This would be very useful and help me make an informed choice.
>  I
> notice in your postconf output that you're not using proxymap with
> mysql. This is generally recommended:
> http://www.postfix.org/MYSQL_README.html (notes on client connections)
Thank you. I have looked at this and taken your notes on board.
> http://www.postfix.org/proxymap.8.html (specific proxy:mysql example)
And this also. I don't think there is any major benefit being sold to me
here for using a proxy map and I am wondering if this will introduce a
small amount of latency perhaps? But I won't kick the gifted horse and I
will try this today - thank you Sir.
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: blocking "supp...@..."

2009-07-22 Thread Clunk Werclick
On Wed, 2009-07-22 at 10:31 -0600, Robert Lopez wrote:
> We get a lot of spam from a marketing company that uses hundreds of ip
> addresses and hundreds of domain names but it always comes from
> "support" at which ever names they are using that day.
> 
> My supervisor wants me to block all email coming from "supp...@*".
> 
> I have concerns about blocking legitimate email.
> 
> Which postfix list would be best used for such a block?  Could it be
> sender_access?
> 
Perhaps try making this file;
/etc/postfix/header_checks
#start of file
/^From:.*support\@/ REJECT Your mail was rejected - call us on 1-800 xxx xxx to unblock
#end of file

Then add this to the foot of your main.cf

header_checks = regexp:/etc/postfix/header_checks

This will block any header with from support in it, including legitimate
ones and is very aggressive.

Perhaps better to add this to your smtpd_recipient_restrictions in
main.cf and see if this stops it.


smtpd_recipient_restrictions =
  
reject_rbl_client zen.spamhaus.org
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Many SQL Lookups on outbounding mails

2009-07-22 Thread Clunk Werclick
On Wed, 2009-07-22 at 11:04 -0500, Noel Jones wrote:
> Clunk Werclick wrote:
> > I think perhaps 4-12 queries per message is not optimal?
> > If the server handles 50,000 a day X 12 that is quite a lot? I don't think
> > it is going to get many fields returned for .co.uk .uk in my database?
> > 
> 
> Postfix does the lookups required to route your mail properly.
It is a bit silly to do this for .co.uk then .uk yes?
> 
> > I stress much that this is not Postfix, it is my silly configuration of
> > Postfix. Am learning as I go along so plenty of things wrong probably:
> > 
> > This is output;
> > 
> > postconf -n
> > relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf
> 
> Unless relay_domains changes frequently, better to keep it in 
> a hash table.  Or just set it explicitly empty if you don't 
> have any relay_domains.

They change frequently that is why I have a database back end.

> > transport_maps = mysql:/etc/postfix/mysql/transport.cf
> 
> better to keep transport_maps in a hash: table unless it 
> changes frequently.
> 
> > virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains.cf
> 
> better to keep virtual_mailbox_domains in a hash table unless 
> it changes frequently.

They change frequently that is why I have a database back end. 
> 
> For the tables that I suggest you keep in a hash, if you want 
> to still store the data in mysql you can automate a daily dump 
> to a hash file for postfix to use.

This seems to be a bit silly, that is what the database is for, but
thank you for your advice. I may have to do this to stop this DoS type
of hammering for silly lookups. Thank you anyhow.

> 
> 
>-- Noel Jones
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Many SQL Lookups on outbounding mails

2009-07-22 Thread Clunk Werclick
On Wed, 2009-07-22 at 20:31 +1000, Barney Desmond wrote:
> 2009/7/22 Clunk Werclick :
> > What I am not understanding is this is my list:
> >
> > debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
> >
> > I don't understand which 'table type' is in charge of virtual and relay.
> > It is perhaps not very clear?
> 
> It just means that when one of these features is used, it will test
> parent domains. Seeing as you haven't shown us the output of `postconf
> -n`, we can only guess. I'm going to guess that it's most likely using
> mynetworks and smtpd_access_maps.
> 
> >> >>> Please may I ask someone to reassure me this is doing the thing that 
> >> >>> is right.
> 
> As Noel said, you should rest assured that postfix is doing exactly
> the checks it needs to implement the functionality as documented.
> 
> >> >>> It seems lots of lookups per message and I'm not sure that mysql will 
> >> >>> not crash like this
> 
> Who's to say what "a lot" of lookups are? Why do you think mysql will
> Just Crash? You're far better off looking at the general load and
> responsiveness of your server than checking how many queries mysql is
> doing.
I think perhaps 4-12 queries per message is not optimal?
If the server handles 50,000 a day X 12 that is quite a lot? I don't think
it is going to get many fields returned for .co.uk .uk in my database?

I stress much that this is not Postfix, it is my silly configuration of
Postfix. Am learning as I go along so plenty of things wrong probably:

This is output;

postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
anvil_rate_time_unit = 60s
body_checks = regexp:/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/maps/header_checks
mail_name = testbox
milter_default_action = accept
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks
mydestination = testbox localhost
mydomain = wibblywobblyteapot.co.uk
myhostname = testbox.wibblywobblyteapot.co.uk
mynetworks = 127.0.0.0/8
myorigin = $mydomain
queue_directory = /home/mail/email
rbl_reply_maps = hash:/etc/postfix/maps/rbl_reply
relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf
smtpd_banner = $myhostname ESMTP Hello Dolly
smtpd_client_connection_count_limit = 3
smtpd_client_connection_rate_limit = 3
smtpd_client_event_limit_exceptions = 212.202.241.232
smtpd_delay_reject = yes
smtpd_error_sleep_time = 3s
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit
smtpd_junk_command_limit = 2
smtpd_milters = unix:/home/mail/email/private/clamav-milter,
    unix:/home/mail/email/private/samilter
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/maps/recipient_checks
    reject_unknown_reverse_client_hostname
    check_sender_access hash:/etc/postfix/maps/no_from_us
    reject_rbl_client zen.spamhaus.org
    permit
smtpd_restriction_classes = LOG
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks
    permit_sasl_authenticated
smtpd_soft_error_limit = 5
smtpd_timeout = 30
transport_maps = mysql:/etc/postfix/mysql/transport.cf
unknown_client_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/mail/mailbox
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains.cf
virtual_mailbox_maps =
    mysql:/etc/postfix/mysql/virtual_mailbox_recipients.cf
virtual_uid_maps = static:5000

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.






Re: Many SQL Lookups on outbounding mails

2009-07-21 Thread Clunk Werclick
On Tue, 2009-07-21 at 12:34 -0500, Noel Jones wrote:
> Clunk Werclick wrote:
> > On Tue, 2009-07-21 at 10:39 -0500, Noel Jones wrote:
> >> Clunk Werclick wrote:
> >>> Hello.
> >>>
> >>> Postfix is new to me and I have spent many hours of reading and testing.
> >>> I do not have much experience to look at things and say they are normal 
> >>> or not.
> >>> ...
> >>> Please may I ask someone to reassure me this is doing the thing that is 
> >>> right.
> >>> It seems lots of lookups per message and I'm not sure that mysql will not 
> >>> crash like this 
> >> Yes, normal.  Please see
> >> http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
> > :: parent_domain_matches_subdomains =
> > debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
> > 
> > Not making sense to me ?
> 
> When the table type is listed in 
> parent_domain_matches_subdomains, postfix looks up each 
> subdomain to see if it's listed.  See the documented "Search 
> Order" in the man page for the specific feature; access, 
> transport, etc.
> 
> So for example u...@some.foo.example.com would trigger the 
> following with a check_sender_access table:
> u...@some.foo.example.com
> some.foo.example.com
> foo.example.com
> example.com
> com
> 
>-- Noel Jones
What I am not understanding is this is my list:

debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

I don't understand which 'table type' is in charge of virtual and relay.
It is perhaps not very clear?

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 





Re: Complex canonical rewrite with ldap and regexp

2009-07-21 Thread Clunk Werclick
On Wed, 2009-07-22 at 12:27 +0700, Olivier Nicole wrote:
> Hi,
> 
> I want to know if the following canonical rewrite is possible with
> Postfix, and how?
> 
> In my LDAP directory, for each user, I have a givenName and a
> familyName attributes. 
> 
> The canonical name should be givenName.familyName or
> familyName.givenName, the order is depending on a third attribute
> (certain countries put the family name before the given name...)
> 
> Then the string should be rewritten to replace all non alphanumerical
> characters by a hyphen.
> 
> Is that possible with a combination of ldap: and regexp:, and how?
> 
> On the other hand, if I receive an email addressed to some canonical
> name, how/where is the correspondence made with the uid?
> 
> Best regards,
> 
> Olivier
Perhaps view the problem a different way?

Why not make your LDAP query lookup against the email address and any
alias fields in the LDAP? That is, fix the LDAP to have the data the
mail server can work with, rather than make the mail server guess what a
mailbox should be.

Probably possible to script something to run around the houses playing
lookup guessing games but seems to be making lots of work that is hard.

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 





Re: Transport Maps

2009-07-21 Thread Clunk Werclick
On Tue, 2009-07-21 at 12:21 -0400, Linux Addict wrote:
> I tried digging, I get the MX servers on the ANSWER section. I manage
> DNS as well, so I know its resolving correctly.

Just one thing Sir and a shot in the water. Restart Postfix (not
reload). I was having a problem where it kept looking up against the
wrong name server. There seems to be some caching of name servers and
results.

After many hours it gave me such joy for a simplest fix.

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 





Re: Transport Maps

2009-07-21 Thread Clunk Werclick
On Tue, 2009-07-21 at 17:10 +0100, Clunk Werclick wrote:
> On Tue, 2009-07-21 at 12:05 -0400, Linux Addict wrote:
> > 
> > 
> > On Tue, Jul 21, 2009 at 12:00 PM, Ralf Hildebrandt
> >  wrote:
> > * Ralf Hildebrandt :
> > 
> > > > In simple, When I send a mail to @example.com,  postfix
> > must send the mail
> > > > to the MX records of smtp.example.com.
> > 
> > 
> > > example.com  smtp.example.com
> > 
> > 
> > OK, not too sure if Postfix will perform an MX lookup for the
> > RHS
> > (smtp.example.com in this example). Please try
> > 
> > 
> > --
> > Ralf Hildebrandt
> >  Geschäftsbereich IT | Abteilung Netzwerk
> >  Charité - Universitätsmedizin Berlin
> >  Campus Benjamin Franklin
> >  Hindenburgdamm 30 | D-12203 Berlin
> >  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
> >  ralf.hildebra...@charite.de | http://www.charite.de
> > 
> > 
> > 
> > I just tried, it's NOT using MX records of smtp.example.com. I can
> > manipulate it thru DNS, but will be more comfortable if we can do it
> > through Postfix.
> > 
> > 
> > 
> What about plain old:
> 
> smtp:
> 
> and nothing else. I was trying today to do the opposite but it kept
> looking up the mx for the destination domain when I did not have a
> transport map. 
Don't listen to me - I am an idiot. I have now read your request fully
and I am garbage spouting. Sorry.
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 





Re: Transport Maps

2009-07-21 Thread Clunk Werclick
On Tue, 2009-07-21 at 12:05 -0400, Linux Addict wrote:
> 
> 
> On Tue, Jul 21, 2009 at 12:00 PM, Ralf Hildebrandt
>  wrote:
> * Ralf Hildebrandt :
> 
> > > In simple, When I send a mail to @example.com,  postfix
> must send the mail
> > > to the MX records of smtp.example.com.
> 
> 
> > example.com  smtp.example.com
> 
> 
> OK, not too sure if Postfix will perform an MX lookup for the
> RHS
> (smtp.example.com in this example). Please try
> 
> 
> --
> Ralf Hildebrandt
>  Geschäftsbereich IT | Abteilung Netzwerk
>  Charité - Universitätsmedizin Berlin
>  Campus Benjamin Franklin
>  Hindenburgdamm 30 | D-12203 Berlin
>  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
>  ralf.hildebra...@charite.de | http://www.charite.de
> 
> 
> 
> I just tried, it's NOT using MX records of smtp.example.com. I can
> manipulate it thru DNS, but will be more comfortable if we can do it
> through Postfix.
> 
> 
> 
What about plain old:

smtp:

and nothing else. I was trying today to do the opposite but it kept
looking up the mx for the destination domain when I did not have a
transport map. 

-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 





Re: Many SQL Lookups on outbounding mails

2009-07-21 Thread Clunk Werclick
On Tue, 2009-07-21 at 10:39 -0500, Noel Jones wrote:
> Clunk Werclick wrote:
> > Hello.
> > 
> > Postfix is new to me and I have spent many hours of reading and testing.
> > I do not have much experience to look at things and say they are normal or 
> > not.
> > ...
> > Please may I ask someone to reassure me this is doing the thing that is 
> > right.
> > It seems lots of lookups per message and I'm not sure that mysql will not 
> > crash like this 
> 
> Yes, normal.  Please see
> http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
:: parent_domain_matches_subdomains =
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

Not making sense to me ?
> 
> Also see:
> http://www.postfix.org/proxymap.8.html
> 
>-- Noel Jones
> 
To do - thank you.
-- 
---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 





Many SQL Lookups on outbounding mails

2009-07-21 Thread Clunk Werclick
Hello.

Postfix is new to me and I have spent many hours of reading and testing.
I do not have much experience to look at things and say they are normal or not.

My Postfix hosts some virtual domains locally, and it also relays some
others to another Postfix. It looks up virtual domains, relay domains
and transport information from mysql. It is working well, thank you.

One thing I notice in my SQL logs. When I send a mail to an outside
domain - yahoo for example - It makes lots of lookups and they are
confusing me. 

First it checks to see if the domain I am sending mail to is hosted locally;
SELECT domain FROM virtual_domains WHERE domain='yahoo.co.uk'
That I understand and it makes sense.

Next it checks to see if the domain I am sending to is a relay domain;
SELECT domain FROM virtual_domains WHERE domain='yahoo.co.uk' AND local=0
That I understand and it makes sense.

Then I get very confused as it seems to break the TLD apart and ask if it is a 
relay domain for each part;
SELECT domain FROM virtual_domains WHERE domain='.co.uk' AND local=0
and again;
SELECT domain FROM virtual_domains WHERE domain='.uk' AND local=0
This is confusing me and I would like to ask if this is normal? I think it may 
be, but it did not do this when it checked locally hosted domains.

Next it checks a transport map, which I can understand
SELECT transport FROM virtual_domains WHERE domain='n...@yahoo.co.uk'

But again it breaks each part down.
SELECT transport FROM virtual_domains WHERE domain='yahoo.co.uk'
SELECT transport FROM virtual_domains WHERE domain='.co.uk'
SELECT transport FROM virtual_domains WHERE domain='.uk'

Please may I ask someone to reassure me this is doing the thing that is right.
It seems lots of lookups per message and I'm not sure that mysql will not crash 
like this 
\\\   ///
 {.} {.}
..
 O

-- 
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment. 
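
The lookup sequence logged in the post above, and the search order Noel Jones describes in the replies earlier on this page, modelled as an added example (not part of the original messages and not Postfix code). The per-table flags are assumptions inferred from the SQL log in the post, and nobody@yahoo.co.uk is a constructed address.

```python
# Added illustration: models the per-recipient lookup keys described in this
# thread. It is not Postfix source code.

def parent_keys(domain, listed):
    """Keys tried after the exact domain.

    listed=True  -> table is named in parent_domain_matches_subdomains,
                    parents are tried as bare names (foo.example.com, ..., com)
    listed=False -> parents are tried with a leading dot (.co.uk, .uk)
    """
    labels = domain.lower().split(".")
    prefix = "" if listed else "."
    return [prefix + ".".join(labels[i:]) for i in range(1, len(labels))]


def lookup_keys(address, listed, full_address=True, parents=True):
    """Ordered keys for one recipient against one table."""
    domain = address.rsplit("@", 1)[-1].lower()
    keys = [address.lower()] if full_address and "@" in address else []
    keys.append(domain)
    if parents:
        keys += parent_keys(domain, listed)
    return keys


# Constructed profile of the three tables in the original post. The flags are
# assumptions read off the SQL log shown there.
TABLES = {
    "virtual_mailbox_domains": dict(listed=False, full_address=False, parents=False),
    "relay_domains": dict(listed=False, full_address=False, parents=True),
    "transport_maps": dict(listed=False, full_address=True, parents=True),
}


def queries_for(address):
    """Every (table, key) pair issued for one outbound recipient."""
    return [(name, key) for name, opts in TABLES.items()
            for key in lookup_keys(address, **opts)]


if __name__ == "__main__":
    for table, key in queries_for("nobody@yahoo.co.uk"):
        print(f"{table:24} {key}")
    # The check_sender_access example from the reply (table type is listed):
    print(lookup_keys("user@some.foo.example.com", listed=True))
```

For the sample address this yields eight keys, one per SELECT in the post, and the count grows with the number of labels in the recipient domain.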



RE: smtp time outs and delays

2009-07-20 Thread Clunk Werclick

> 
> 
> I get a very quick banner response when I telnet to port 25 and port
> 587   I do get different banners
> for port 25  I get:
> 220 *
> 
Cisco Pix running SMTP 'Fixup' ?




user local domain remote

2009-07-20 Thread Clunk Werclick
Helo,

Is somebody able to guide me?

I have Postfix as gateway machine. It is mixed and has some
local virtual mailboxes for domains, and for others it acts as an incoming 
relay forwarding to an internal Postfix.

The working is very good but now I have a tiny hitch. Until now I have been 
able to cope with the simple set up as local domains on the gateway are not the 
same as the domains on the internal server. Now I have a need to keep a couple 
of email addresses on the gateway for one of the domains that is on the 
internal Postfix server.

Perhaps a diagram will help?

Current
INET -> GATEWAY       -> INTERNAL
        example.com      nothing.com
        box.com          eggs.com

Trying to configure
INET -> GATEWAY       -> INTERNAL
        example.com      nothing.com
        box.com          eggs.com
        b...@eggs.com

Perhaps is possible somehow to have recipient on gateway Postfix
and rest of domain relayed to internal Postfix box?

---
C Werclick .Lot
Technical incompetent
Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail
and an attachment. Any use of it for other purposes other than as an
e-mail and an attachment will not be covered by any warranty that may or
may not form part of this e-mail and attachment.