Reject bounces

2017-09-15 Thread George
Hi,

I have a mail server running postfix that sends a lot of emails and gets
back a lot of bounces. These bounces are filling up my server and causing
additional load.

Is there any way on a postfix level to reject/not accept any type of bounce
that gets sent to the mail server?

Please let me know.


Postfix gateway with per relayed host outgoing IP

2020-05-29 Thread George
Hi,

I have an anti spam postfix gateway running on an Ubuntu server. Currently
I use relayhost on multiple web servers for sending mail through the
gateway.

On the postfix gateway I have multiple secondary IPs. What I want to do is
to configure the gateway so mail sent from a particular web server through
the gateway to go out from a particular secondary IP from the gateway
server like below:
webserver1 -> gateway -> secondaryIP1
webserver2 -> gateway -> secondaryIP2

I tried to use sender_dependent_default_transport_maps but had no luck so
far.

Can someone please advise on how I can go with implementing this?
Thanks in advance.


Re: Postfix gateway with per relayed host outgoing IP

2020-05-29 Thread George
> how?
>
> if you define different smtp transports with different smtp_bind_address
> defined in master.cf, the sender_dependent_default_transport_maps should
> do
> what you want.
>
>
Hi,

Thanks for your response. My problem is that I do not know what to use in
the file where sender_dependent_default_transport_maps is defined.

Do I set it like this:
@domain1_from_webserver1.com mastercf_transport1:
@domain2_from_webserver1.com mastercf_transport1:
@domain1_from_webserver2.com mastercf_transport2:
@domain1_from_webserver2.com mastercf_transport2:

Or is there any way for me to define the incoming webserver IP in
sender_dependent_default_transport_maps?

Please let me know
Thanks in advance


Re: Postfix gateway with per relayed host outgoing IP

2020-05-29 Thread George
Hi,

Wow! Your solution worked like a charm from first attempt. This is genius.

Thanks a lot for the help everyone.

> It is possible to use the 'filter' command for this.
>
> /etc/postfix/main.cf
>     smtpd_client_restrictions =
>         check_client_access hash:/etc/postfix/client_access
>
> /etc/postfix/client_access:
>     1.2.3.4 filter smtp-for-4:
>     1.2.3.5 filter smtp-for-5:
>
> /etc/postfix/master.cf:
>     smtp-for-4 .. .. .. .. .. .. smtp
>         -o smtp_bind_address=x.x.x.x
>     smtp-for-5 .. .. .. .. .. .. smtp
>         -o smtp_bind_address=y.y.y.y
>
> This is supported as of Postfix 2.7.
>
> The 'filter' feature can also be used for rate limits > 1/s by using
> parallel deliveries, for IP address reputations (see below) and more.


separate IP per domain

2009-02-06 Thread George
Hi,

I am running latest postfix on CentOS with virtual user/domain in mysql db.

I host multiple domains. Is it possible for me to make each domain
send using a separate IP from the server? How can this be done?

Please help

Thanks


forward to an external command

2009-03-06 Thread George
Hi,

I have postfix with postfixadmin and everything stored in a mysql database.

How do I forward emails sent to a mail account to an external command?

Please help

Thanks


Re: forward to an external command

2009-03-06 Thread George
Hi,

Thanks for your reply

I am sorry but I am not very technical.
I am the type of guy that can follow howtos

Can you please be more detailed?

What is "my_custom_transport.example.com" ? A subdomain?
What is "my_custom_transport:"? The command to which the email is
forwarded? Is "| /path/to/some/php/file:" what it needs to be? Is ":"
required in the end?

Thanks

On Fri, Mar 6, 2009 at 7:20 PM, J.P. Trosclair
 wrote:
> George wrote:
>>
>> I have postfix with postfixadmin and everything stored in a mysql
>> database.
>>
>> How do I forward emails sent to a mail account to an external command?
>
> Since you are using virtual aliases (postfixadmin w/mysql assumes so) you'll
> need to setup a pipe transport in master.cf and proper settings in
> /etc/postfix/transports. See the man pages of pipe and transport for more
> details than what you'll find in this email.
>
> virtual alias:
> foo...@exampe.com foo...@my_custom_transport.example.com
>
> add to /etc/postfix/transports:
> my_custom_transport.example.com         my_custom_transport:
>
> add to /etc/postfix/main.cf:
> transport_maps = hash:/etc/postfix/transports
>
> add to /etc/postfix/master.cf:
> my_custom_transport unix - n n - - pipe
>  flags=flags_from_pipe_manual
>  user=some_user:some_group
>  argv=/path/to/my_custom_script vars_from_pipe_manual
>
> This may be incomplete. It is a rough (very rough?) example of the
> configuration. I strongly recommend having a look at the pipe and transport
> manuals before attempting to implement any of this.
>


Re: forward to an external command

2009-03-06 Thread George
Hi,

Thanks all for your help.

If anyone needs this in future, here's how I did it:
1. Added the following line to /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport

2. create a subdomain like(postfixadmin does not allow to add an alias
to a not existing domain):
command1.domain.org

2. go to postfixadmin and create the alias like this:
Alias: recipi...@domain.org
To: anyth...@command1.domain.org

3. edit /etc/postfix/transport and add like this:
anyth...@command1.domain.org some_name:

4. run: postmap /etc/postfix/transport

5. edit /etc/postfix/master.cf and add like this:
some_name unix - n n - - pipe
  user=SOMEUSER argv=/path/to/php/script

6. run: postfix reload

On Fri, Mar 6, 2009 at 9:42 PM, J.P. Trosclair
 wrote:
>>> What is "my_custom_transport.example.com" ? A subdomain?
>>>
>>
>> Yes.  In addition, this list uses example.com as a basis quite frequently.
>> You didn't provide your own domain, so J.P. used this as an example.
>>
>
> As a side note, it doesn't have to be a real sub-domain. When the mail is
> handed off to postfix my_custom_transport.example.com will be found in the
> transport_maps table since you defined it there (or will soon enough) along
> with my_custom_transport. From there postfix will try to deliver the mail
> using the definition of my_custom_transport in master.cf. I'm sure some
> folks can get into more details than I can on what really happens, but in a
> nutshell this is how things will flow.
>
> When you create your pseudo domain for use in this setup, it's probably best
> to use a non existent sub-domain or some variant of your real domain just to
> help avoid confusion or complications down the road. This is not guaranteed
> to prevent problems, but in my opinion it's a good first step to avoiding
> them. I haven't personally seen a best practices guide for these sorts of
> situations. Just don't call your pseudo domain (gmail|yahoo|hotmail).com or
> some other real domain that accepts mail.
>
>
>
>


email/postfix guru help needed, will compensate

2010-06-04 Thread George
Clearly we are no good with email servers, so we come to the experts.

Centos 5.3, dbmail, postfix, pgsql. All up and running.

1. Outgoing mail works fine.
2. Incoming we get the 
Recipient address rejected: User unknown in local recipient table

virtual
queries return the 1 and empty per dbmail wiki instructions. Sounds like we
are missing something obvious but we have ran out of time.

Is anyone available to help us out get this server going?, we will be more than 
happy to compensate for time spent. - george



  

Re: email/postfix guru help needed, will compensate

2010-06-04 Thread George
Thank you to all who replied with offers to help.
postfix does indeed work great out of the box with minimal configuration. Our 
dns related issue was fixed after a 45 minute investigation with one of you, 
thanks again - george

--- On Fri, 6/4/10, George  wrote:
From: George 
Subject: email/postfix guru help needed, will compensate
To: postfix-users@postfix.org
Date: Friday, June 4, 2010, 10:23 PM

Clearly we are no good with email servers, so we come to the experts.

Centos 5.3, dbmail, postfix, pgsql. All up and running.

1. Outgoing mail works fine.
2. Incoming we get the 
Recipient address rejected: User unknown in local recipient table

virtual
queries return the 1 and empty per dbmail wiki instructions. Sounds like we
are missing something obvious but we have ran out of time.

Is anyone available to help us out get this server going?, we will be more than 
happy to compensate for time spent. - george



  


  

Rewrite header - Postfix and mailman

2010-08-02 Thread George

Hi,

I'm trying to set Mailman 2.1.9 to handle multiple domains.

I have applied the patch from http://nxsy.org/139.html and this way I have 
a list called mydomain.com-list. The issue is that if I'm posting to 
mydomain.com-l...@mydomain.com everything seems to work fine. However, 
when posting to l...@mydomain.com the mail is set to quarantine.


I have tried to rewrite the address on postfix (using alias) to match 
mydomain.com-list, but it still doesn't work. I have also tried with 
canonical and smtp_generic_maps setting them as:

l...@mydomain.com  mydomain.com-l...@mydomain.com

However mailman is still complaining with "Message has implicit 
destination" and the mail arrives at mailman with the l...@mydomain.com. 
I want to make any mail with this address arriving at mailman as 
mydomain.com-l...@mydomain.com?


Any idea how can I make it working?

I'm using postfix with virtual domains, mysql and mailman with 
postfix-to-mailman.py


Any help is more than appreciated!!
TA
Jorge

P.S.: If you require further info, just tell me. I'm really desperate.


Restrict Senders for some recipient addresses

2021-04-26 Thread George Papas

Hi list,

what the title says actually, I have an alias for all current users of an SMTP server but
I want to restrict sending to this alias address to some specific senders only (the actual
users of the domain plus a small group of external senders).

What am I looking for in the documentation? Sender/Recipient Restrictions
or something different?


Thanks in advance

George Papas



Re: Restrict Senders for some recipient addresses

2021-04-26 Thread George Papas
Yeap, thanks a lot, seems to be configurable cause I also want some external users also,
but that's it I guess.


Thanks again


On 4/26/21 2:46 PM, Tobi wrote:

something like this?
http://www.postfix.org/RESTRICTION_CLASS_README.html#internal

On 4/26/21 10:11 AM, George Papas wrote:

Hi  list,


what the title says actually,   I have an alias  for all current users
of an SMTP server but

I want to restrict sending to this alias address to some specific
senders only (the actual

users of the domain plus a small group of external senders ).

What I'm I looking for in the documentation ? Sender/Recipient
Restrictions

or something different?


Thanks in advance

George Papas


Re: Alias expansion in a milter service?

2022-08-11 Thread Dominik George
Hi,

[ please excuse me if this kind of progress reports for learning ]
[ and feedback are discouraged on this list  ]

On Thu, Aug 11, 2022 at 10:31:00AM +, Claus Assmann wrote:
> On Thu, Aug 11, 2022, Dominik George wrote:
> 
> > only that these have a very limited set of tables available, and
> 
> Have you taken a look at socketmap_table(5)?
> Maybe that can be used to solve your problem.

Here's how it's going, in case anyone needs to write such a lookup
service in the future:

  https://pkg.go.dev/codeberg.org/bergblau/postfix-socketmap-table

Cheers,
Nik




Cannot resolve support@ alias

2022-10-25 Thread Dominik George
Hi,

I am facing a strange issue here, where I cannot resolve a virtual
alias with the local part support@.

I have a domain example.com in $virtual_mailbox_domains. The virtual
transport sends mail on to Dovecot. For virtual aliases, I use a basic
hash table, containing:

  i...@example.com      n...@example.com
  supp...@example.com   n...@example.com
  suppo...@example.com  n...@example.com

The strange thing is that only the first and third aliases work. The
support@ alias is not resolved, Postfix just sends it on to Dovecot
with supp...@example.com as final recipient.

Is there some special-casing for a support@ local part of some kind?
I am really lost here…

Cheers,
Nik




Re: Cannot resolve support@ alias

2022-10-25 Thread Dominik George
Hi,


> I suspect a subtle typo is at work. Try:
>  postmap -q supp...@example.com hash:/path/to/your/virtual_alias_map

I of course tested such things before asking...

The alias resolves using postmap.

Also, the support2 alias was deliberately created using copy&paste to avoid 
typos. Adding the 2 makes the alias work.

I also copy&pasted the alias from the map file when writing the test e-mail to 
rule out typos.

-nik


Re: Cannot resolve support@ alias

2022-10-26 Thread Dominik George
Hi,

eh…

OK, that's getting stranger. At least it works now – but I don't know
why. Postfix started accepting the mail and correctly resolving the
alias some time in the night  between 24th and 25th of October. I had
a script sitting here sending test mails every hour (because all of
this was supposed to become a test/benchmark framework for a support
hotline system), and I see the log switching from reject to accept
at 0:29 in that night for no obvious reason.

Cheers,
Nik




Bypass REDIRECT rule in header_checks for specific sender ?

2023-01-10 Thread George Papas

Happy new year everybody,


I have a filter in my header_checks file that redirects messages sent to undisclosed recipients
to a mailbox to monitor and fw to intended users if of any value, like this:

/(^To:\ undisclosed-recipients\:\;)|(To:\ undisclosed-recipients\:\ ;)/ REDIRECT s...@email.add

Unfortunately there are some valid recipients that use this technique to send messages and
I tried to bypass this by adding their address before the redirect rule with a FILTER action but discovered
(after reading the manual page) that:

    Note: this action overrides the FILTER action, and affects all
    recipients of the message. If multiple REDIRECT actions fire,
    only the last one is executed.

Is there any other way to stop the check on the first hit (the sender address) and not fire the
REDIRECT action?


Thanks in advance for any info

GP


Postfix backscatter HELP !!!

2021-02-02 Thread George Papas

Hi

I have a small SMTP server for around 35 users in the company I work.

The last 3-4 days I'm being bombed with backscatter mails from all over the world.

I have found out the abusing IP who sends the messages as one of my accounts but
I can't find out how to stop bombing my server with backscatter mails from all over.


I tried to implement body_checks using the following :


my main.cf :

header_checks = regexp:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks


body_checks :

# Do not indent the patterns between "if" and "endif".
if /^[> ]*Received:/
/^[> ]*Received: +from +ip53\.ip-139-99-176\.net /
reject forged sender name in Received: header: $1
endif


and I get this in the logs but the messages bounce back:

warning: body_checks lookup of Received: from ip53.ip-139-99-176.net (ip53.ip-139-99-176.net [139.99.176.53]) returns an empty string result
Feb  2 02:59:13 postfix/cleanup[25450]: warning: body_checks should return NO RESULT in case of NOT FOUND



Can somebody help me? I'm getting over a thousand reports per hour in my postmaster mailbox



thanks in advance

GP



Re: Postfix backscatter HELP !!!

2021-02-02 Thread George Papas

Thanks guys, in the mean time I found the way to do it by trial and error
and works OK now

On 2/2/21 8:12 PM, Viktor Dukhovni wrote:

On Tue, Feb 02, 2021 at 12:27:40PM +0200, George Papas wrote:


# Do not indent the patterns between "if" and "endif".
if /^[> ]*Received:/
/^[> ]*Received: +from +ip53\.ip-139-99-176\.net /
reject forged sender name in Received: header: $1
endif

The above syntax is wrong.  The "reject ..." action needs to be on the
same line as the pattern:

 if /^[> ]*Received:/
 /^[> ]*Received: +from +ip53\.ip-139-99-176\.net / reject forged sender name in Received: header: $1
 endif



I had a hard time understanding this pattern: [> ]


Anyway thanks a lot !!  I learned some new things by doing this.

GP
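
The mistake corrected in this thread (an action placed on its own line, which leaves the pattern line with an empty result) can be caught before the table is loaded. The lint below is an added example, not code from the thread or from Postfix; `lint`, `split_rule` and `logical_lines` are hypothetical names, and it assumes the table layout shown in the thread: `#` comments, `if`/`endif` blocks, continuation lines that start with whitespace, and a non-alphanumeric pattern delimiter.

```python
"""Lint a Postfix regexp:/pcre: table such as header_checks or body_checks."""

# The table posted in the thread (action on its own line) and the corrected one.
BROKEN = r"""# Do not indent the patterns between "if" and "endif".
if /^[> ]*Received:/
/^[> ]*Received: +from +ip53\.ip-139-99-176\.net /
reject forged sender name in Received: header: $1
endif
"""

FIXED = r"""if /^[> ]*Received:/
/^[> ]*Received: +from +ip53\.ip-139-99-176\.net / reject forged sender name in Received: header: $1
endif
"""


def logical_lines(text):
    """Yield (first_line_number, logical_line). Blank lines and # comments are
    skipped; a line that starts with whitespace continues the previous one."""
    current, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield start, current
        current, start = raw.strip(), no
    if current is not None:
        yield start, current


def split_rule(rule):
    """Split '[!]/pattern/flags action' into (pattern, flags, action).
    Returns None when the text does not start with a delimited pattern."""
    body = rule.lstrip("!").lstrip()
    if not body or body[0].isalnum():
        return None
    delim, i = body[0], 1
    while i < len(body) and body[i] != delim:
        i += 2 if body[i] == "\\" else 1      # skip backslash-escaped characters
    if i >= len(body):
        return None                           # closing delimiter never found
    rest = body[i + 1:]
    flags = rest.split(None, 1)[0] if rest and not rest[0].isspace() else ""
    action = rest[len(flags):].strip()
    return body[1:i], flags, action


def _keyword(line, word):
    """True when the logical line starts with the keyword (case-insensitive)."""
    return line[:len(word)].lower() == word and not line[len(word):len(word) + 1].isalnum()


def lint(text):
    """Return a list of (line_number, message) findings for the table text."""
    findings, open_ifs = [], []
    for no, line in logical_lines(text):
        if _keyword(line, "endif"):
            if open_ifs:
                open_ifs.pop()
            else:
                findings.append((no, "endif without a matching if"))
            continue
        is_if = _keyword(line, "if")
        rule = line[2:].lstrip() if is_if else line
        if is_if:
            open_ifs.append(no)
        parsed = split_rule(rule)
        if parsed is None:
            findings.append((no, "no delimited pattern at start of line "
                                 "(an action that belongs on the previous line?)"))
        elif is_if and parsed[2]:
            findings.append((no, "unexpected text after the if pattern"))
        elif not is_if and not parsed[2]:
            findings.append((no, "pattern has no action on the same logical line"))
    findings += [(no, "if without a matching endif") for no in open_ifs]
    return findings


if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(table) or "clean")
```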



Address rewrite while relaying

2008-11-24 Thread George Vilches
The question: Is it possible to have a domain do address rewriting and  
relaying in some combination?


The network structure is as follows:

All mail goes to a single border gateway server, which is the one that  
all of the following will talk about.  From this gateway, mail then  
passes to a spam filtering server, with particular requirements.   
Then, mail is passed to one of the internal servers.


The requirements of the spam filtering server:

1) The e-mail address arriving must be a real user (i.e. all address  
resolution must already be done)
2) The e-mail address of the envelope must be the real user's e-mail  
address.  i.e. [EMAIL PROTECTED], not [EMAIL PROTECTED]


Given that, here's what our current virtual tables look like (the last  
entry was changed for illustrating the point):


example.net         Domain
@example.net        @example.org

example.info        Domain
[EMAIL PROTECTED]   [EMAIL PROTECTED]

example.org         Domain
[EMAIL PROTECTED]   [EMAIL PROTECTED]
[EMAIL PROTECTED]   bob  <--  ILLUSTRATION ONLY!  To point out a real user.


What this indicates is that bob is the only real user in the entire
system, and hence the only user that mail should ever be passed
through from the border gateway server to the spam server.  All other
users need their addresses resolved (or bounces need to occur) to
[EMAIL PROTECTED] before being passed on to the spam server.  Naturally
this is a simplification, but if I can get it working for one user on one
domain, more should be straightforward.


Examples:

1) [EMAIL PROTECTED] arrives at border gateway, gets rewritten to [EMAIL PROTECTED], gets relayed to spam filtering service with new envelope sender)
2) [EMAIL PROTECTED] arrives at border gateway, gets rewritten to [EMAIL PROTECTED], gets relayed to spam filtering service with new envelope sender)
3) [EMAIL PROTECTED] arrives at border gateway, gets rewritten to [EMAIL PROTECTED], cannot be rewritten further, cannot be found, bounces.


I've tried putting [EMAIL PROTECTED] in the transport table with a
transport of smtp:[www.xxx.yyy.zzz] which causes a relay denied
error.  I've tried setting it up as a relay_domain which gets this
warning: "warning: do not list domain example.org in BOTH
virtual_alias_domains and relay_domains" and doesn't seem to give the
expected behavior anyway.  I've changed the virtual alias line for
[EMAIL PROTECTED] to have a value of [EMAIL PROTECTED] as well, with no
change in results.


So, what do I need to do to make this work as described?  Postfix's  
address resolution is spectacular for our needs, which is why we don't  
want to deal with some external rewriting mechanism, but we have not  
been able to get both address resolution and relaying within the  
domains listed.


Thanks,
George



Re: Address rewrite while relaying

2008-11-24 Thread George Vilches


On Nov 24, 2008, at 1:32 PM, Noel Jones wrote:


This document should be helpful:
http://www.postfix.org/SOHO_README.html


I reviewed this document carefully, but it didn't seem to quite cover  
my use case.


Given that, here's what our current virtual tables look like (the  
last entry was changed for illustrating the point):

example.net         Domain
@example.net        @example.org


Don't use "@domain @domain" wildcard mappings.  These defeat  
recipient validation and turn you into a backscatter source.
Rather use an explicit list of all valid user mappings.  Use your  
scripting skills to generate the list rather than keeping it by hand.


Okay, I've updated my example to consider this, although the outcome  
is the same.


cat /etc/postfix/virtual.cf:

[EMAIL PROTECTED]   [EMAIL PROTECTED]
[EMAIL PROTECTED]   [EMAIL PROTECTED]
[EMAIL PROTECTED]   [EMAIL PROTECTED]
[EMAIL PROTECTED]   [EMAIL PROTECTED]

cat transport.cf:

example.net relay:[www.xxx.yyy.23]
example.org relay:[www.xxx.yyy.23]

cat relay_recipients.cf:

[EMAIL PROTECTED]   ok
[EMAIL PROTECTED]   ok

And the relevant lines from main.cf:

relay_domains = example.org, example.net, example.info
relay_recipient_maps = hash:/etc/postfix/hashmaps/relay_recipients.cf
transport_maps = hash:/etc/postfix/hashmaps/transport.cf
virtual_alias_maps = hash:/etc/postfix/hashmaps/virtual.cf

So the example has been clarified to indicate users that are  
"legitimate".  This means that messages to them should be forwarded on  
to the spam gateway.  Everyone else should be bounced.  There is *no*  
local delivery on this box.


The legitimate users are [EMAIL PROTECTED] and [EMAIL PROTECTED]  [EMAIL PROTECTED]
is a forward to an address that is in the list of valid virtual
users on our local servers, and [EMAIL PROTECTED] is a forward to an
address that is not in the list of valid virtual users on our local
servers.


Sounds as if you need to decide what address class your domain  
belongs to.  Please see:

http://www.postfix.org/ADDRESS_CLASS_README.html


I reviewed all the entries from both your e-mail and Victor  
Duchovni's, and I haven't found any description that quite covers my  
case entirely.  I can't find an explanation of what happens to a  
message that gets virtual aliased and *then* relayed.


[EMAIL PROTECTED] = relays internally, fine
[EMAIL PROTECTED] = relays internally, fine
[EMAIL PROTECTED] = relays internally, fine (to [EMAIL PROTECTED], as  
expected)
[EMAIL PROTECTED] = Fails, and does so right in the SMTP session:  
550 5.1.1 <[EMAIL PROTECTED]>: Recipient address rejected: User  
unknown in relay recipient table


So far, so good.  Now, we try:

[EMAIL PROTECTED] = relays internally like the others above.

How can I prevent this from happening?  [EMAIL PROTECTED]/org does not  
have a valid virtual resolution, and does not exist in  
relay_recipient_maps, and yet it's still happily forwarding along  
internally.


I only want legitimate users to forward, and the one place I thought I  
might be able to filter the list down, relay_recipient_maps, isn't  
doing anything to stop him, even though I have a user from each domain  
listed, which from what I read in the Postfix docs means it's  
inclusive, and only should allow those users to relay, and everyone  
else gets a bounce.



Thanks,
George


Re: Address rewrite while relaying

2008-11-24 Thread George Vilches


On Nov 24, 2008, at 7:50 PM, mouss wrote:

*snip*


So far, so good.  Now, we try:

[EMAIL PROTECTED] = relays internally like the others above.

How can I prevent this from happening?  [EMAIL PROTECTED]/org does not
have a valid virtual resolution, and does not exist in
relay_recipient_maps, and yet it's still happily forwarding along
internally.


but you have a mapping for joe in your virtual:

[EMAIL PROTECTED] [EMAIL PROTECTED]

so [EMAIL PROTECTED] is accepted.



I only want legitimate users to forward, and the one place I  
thought I
might be able to filter the list down, relay_recipient_maps, isn't  
doing
anything to stop him, even though I have a user from each domain  
listed,

which from what I read in the Postfix docs means it's inclusive, and
only should allow those users to relay, and everyone else gets a  
bounce.


addresses found in virtual_alias_maps are accepted during the smtp
transaction. they may result in a later bounce if they cannot be  
delivered.


This is useful if this is the case.  Unfortunately, all the resolution  
MUST happen at this server, as the spam gateway requires that I only  
send it real users, not users that have any translations left to apply  
to their user account or do not exist.  This requirement is  
unfortunately hard and fast due to the functionality and licensing  
requirements of the gateway.


Is there something else in Postfix I can do that could force the  
address resolution to be fully resolved before relaying?  If the  
virtual tables were left to their own devices and not tied to  
relaying, this would work fine, because the virtual would attempt to  
resolve [EMAIL PROTECTED] -> [EMAIL PROTECTED] -> FAIL, and bounce the  
message.  That's the behavior I want here, I just want all valid ones  
to move to another server instead of delivering locally.


Thanks,
George



Re: Address rewrite while relaying

2008-11-24 Thread George Vilches


On Nov 24, 2008, at 8:24 PM, Wietse Venema wrote:


George Vilches:

Is there something else in Postfix I can do that could force the
address resolution to be fully resolved before relaying?


Yes. Do not use wild-card rewriting rules (@xxx -> @yyy) and list
all valid recipients in appropriate tables.


What do I do if I need wildcard rewriting rules?  I have several users
that have domains that use @domain.com -> [EMAIL PROTECTED]
Yes, I know about the issues related to spam and the other
resolution-based issues.  However, if I host anotherdomain.com and they enter a
forward address that doesn't exist, the message gets passed on
anyway.  I really, really want to prevent this from happening.



- List recipients in virtual_alias_maps for [EMAIL PROTECTED] -> [EMAIL PROTECTED],
  with domains listed in virtual_alias_domains.


And when [EMAIL PROTECTED] doesn't exist, but I am still a valid domain for  
yyy?  Right now, the messages relay.  I need them to bounce, like they  
would do if this was a local delivery instead of a relay.  This is  
separate from the previous problem.



- List recipients in relay_recipient_maps for addresses that don't
 rewrite, with domains listed in relay_domains.


This works just fine in the other cases I have used this, and the  
online docs are very well written in this regard.



Postfix is really simple to configure.


I wholeheartedly agree, I've been using it for over 6 years now quite  
happily in a variety of complicated situations.  There's always a way  
with Postfix. :)


Thanks,
George
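
The advice repeated in this thread is to drop `@domain -> @domain` wildcard mappings and generate an explicit list in which every alias already resolves to a real recipient. One way to script that is sketched below as an added example, not code from the thread or from Postfix. The addresses are constructed, because the archive shows only `[EMAIL PROTECTED]`, and `resolve`, `build_tables` and `render_postmap` are hypothetical names.

```python
"""Generate an explicit virtual alias table with no @domain wildcards."""

# Constructed sample data (the addresses in the thread are redacted).
REAL = {"bob@example.org"}                    # mailboxes that really exist
ALIASES = {                                   # explicit alias -> target
    "robert@example.org": "bob@example.org",
    "sales@example.info": "robert@example.net",
    "joe@example.org": "ghost@example.org",   # target does not exist anywhere
}
WILDCARDS = {"example.net": "example.org"}    # stands for @example.net -> @example.org


def resolve(addr, real, aliases, wildcards):
    """Follow aliases and domain mappings until a real mailbox is reached.
    Returns the final address, or None for a dead end or an alias loop."""
    seen = set()
    while addr not in real:
        if addr in seen:
            return None                        # alias loop
        seen.add(addr)
        local, _, domain = addr.rpartition("@")
        if addr in aliases:                    # explicit entry wins over the domain rule
            addr = aliases[addr]
        elif domain in wildcards:
            addr = f"{local}@{wildcards[domain]}"
        else:
            return None                        # nothing left to rewrite, not a mailbox
    return addr


def build_tables(real, aliases, wildcards):
    """Return (table, dropped): table maps each alias to its final real mailbox,
    dropped lists the aliases that never reach one and so must not be published."""
    real = {a.lower() for a in real}
    aliases = {k.lower(): v.lower() for k, v in aliases.items()}
    wildcards = {k.lower(): v.lower() for k, v in wildcards.items()}

    # Expand each domain mapping into one candidate per known local part on the
    # destination domain; repeat until nothing new appears (chained mappings).
    candidates = set(aliases)
    changed = True
    while changed:
        changed = False
        for src, dst in wildcards.items():
            for addr in list(real | candidates):
                local, _, domain = addr.rpartition("@")
                mirrored = f"{local}@{src}"
                if domain == dst and mirrored not in candidates | real:
                    candidates.add(mirrored)
                    changed = True

    table, dropped = {}, []
    for addr in sorted(candidates):
        final = resolve(addr, real, aliases, wildcards)
        if final is None:
            dropped.append(addr)
        else:
            table[addr] = final
    return table, dropped


def render_postmap(table):
    """Format the table as 'address<TAB>target' lines, the input format for postmap."""
    return "\n".join(f"{addr}\t{target}" for addr, target in table.items())


if __name__ == "__main__":
    table, dropped = build_tables(REAL, ALIASES, WILDCARDS)
    print(render_postmap(table))
    print("not published (no real recipient):", ", ".join(dropped))
```

Because each right-hand side is already a real mailbox, the generated table never hands the downstream server an address that still needs rewriting, and the dropped list shows which forwards point nowhere.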


[no subject]

2008-12-04 Thread George Forman

Hi,

I have compiled 2.5.1 and installed postfix on my dev box. Everything is working as expected.
Red Hat Enterprise Linux Server release 5.1 (Tikanga)
Linux devserver 2.6.18-53.1.14.el5xen #1 SMP Tue Feb 19 07:33:17 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

I installed the same version on a second box (and go through the same configuration/setup procedures).
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Linux serverA 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

When I enable TLS, I get the following error.

Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: tls_prng_dev_open: opened entropy device /dev/urandom
Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: set_eugid: euid 89 egid 89
Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: fatal: tls_prng_exch_open: cannot open PRNG exchange file /opt/zimbra/postfix-2.5.1/data/prng_exch: Permission denied
Dec  3 15:56:24 serverA postfix/master[4704]: warning: process /opt/zimbra/postfix-2.5.1/libexec/tlsmgr pid 4776 exit status 1
Dec  3 15:56:24 serverA postfix/master[4704]: warning: /opt/zimbra/postfix-2.5.1/libexec/tlsmgr: bad command startup -- throttling

I've read where SELinux has been an issue. However, serverA system's SELinux is disabled.

cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

I have confirmed that /opt/zimbra/postfix-2.5.1/data directory ownership and permissions are the same on both boxes.
drwx--2 postfix  root 4096 Dec  3 15:15 data

Any help is greatly appreciated!!

tlsmgr fails

2008-12-05 Thread George Forman




Hi,

I have compiled 2.5.1 and installed postfix on my dev box. Everything is working as expected.
Red Hat Enterprise Linux Server release 5.1 (Tikanga)
Linux devserver 2.6.18-53.1.14.el5xen #1 SMP Tue Feb 19 07:33:17 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

I installed the same version on a second box (and go through the same configuration/setup procedures).
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Linux serverA 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

When I enable TLS, I get the following error.

Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: tls_prng_dev_open: opened entropy device /dev/urandom
Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: set_eugid: euid 89 egid 89
Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: fatal: tls_prng_exch_open: cannot open PRNG exchange file /opt/zimbra/postfix-2.5.1/data/prng_exch: Permission denied
Dec  3 15:56:24 serverA postfix/master[4704]: warning: process /opt/zimbra/postfix-2.5.1/libexec/tlsmgr pid 4776 exit status 1
Dec  3 15:56:24 serverA postfix/master[4704]: warning: /opt/zimbra/postfix-2.5.1/libexec/tlsmgr: bad command startup -- throttling

I've read where SELinux has been an issue. However, serverA system's SELinux is disabled.

cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

I have confirmed that /opt/zimbra/postfix-2.5.1/data directory ownership and permissions are the same on both boxes.
drwx--2 postfix  root 4096 Dec  3 15:15 data

Any help is greatly appreciated!!

RE: tlsmgr fails - Resolved

2008-12-05 Thread George Forman



> Date: Fri, 5 Dec 2008 10:33:49 -0500
> From: [EMAIL PROTECTED]
> To: postfix-users@postfix.org
> Subject: Re: tlsmgr fails
> 
> George Forman wrote:
> > Hi,
> >
> > I have compiled 2.5.1 and installed postfix on my dev box. Everything
> > is working as expected.
> > Red Hat Enterprise Linux Server release 5.1 (Tikanga)
> > Linux devserver 2.6.18-53.1.14.el5xen #1 SMP Tue Feb 19 07:33:17 EST
> > 2008 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> > I installed the same version on a second box (and go through the same
> > configuration/setup procedures).
> > Red Hat Enterprise Linux Server release 5.2 (Tikanga)
> > Linux serverA 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008
> > x86_64 x86_64 x86_64 GNU/Linux
> >
> > When I enable TLS, I get the following error.
> >
> > Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: tls_prng_dev_open:
> > opened entropy device /dev/urandom
> > Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: set_eugid: euid 89 egid 89
> > Dec  3 15:56:23 serverA postfix/tlsmgr[4776]: fatal:
> > tls_prng_exch_open: cannot open PRNG exchange file
> > /opt/zimbra/postfix-2.5.1/data/prng_exch: Permission denied
> > Dec  3 15:56:24 serverA postfix/master[4704]: warning: process
> > /opt/zimbra/postfix-2.5.1/libexec/tlsmgr pid 4776 exit status 1
> > Dec  3 15:56:24 serverA postfix/master[4704]: warning:
> > /opt/zimbra/postfix-2.5.1/libexec/tlsmgr: bad command startup --
> > throttling
> >
> > I have confirmed that /opt/zimbra/postfix-2.5.1/data directory
> > ownership and permissions
> > are the same on both boxes.
> > drwx--2 postfix  root 4096 Dec  3 15:15 data
> >
> > Any help is greatly appreciated!!
> 
> What are the permissions for /opt, /opt/zimbra and
> /opt/zimbra/postfix-2.5.1?
> Remember that permissions are hierarchical.
> 
> Brian


Thank you for the help, /opt/zimbra was a link which didn't have the correct 
ownership.




multiple virtual ip's bind to outgoing mails

2008-12-09 Thread Agnello George
Hi

I am searching for a solution where we can install postfix in a multi-IP
environment.

By following this tutorial I am able to install two instances of
postfix:

http://souptonuts.sourceforge.net/postfix_sbr.html

smtpd is listening on eth0 192.168.1.200 port 25

but I need to send mail out using a pool of IP addresses (192.168.1.201 to
192.168.1.206)

and I have got virtual interfaces on the same server

( eth0:1 = 192.168.1.201

eth0:2,  = 192.168.1.202

eth0:3 =  192.168.1.203 )

Taking the first instance only, in my main.cf I have

inet_interfaces = 192.168.1.200,

smtp_bind_address = 192.168.1.201

With the above parameter I tell postfix to send mails out using
only one IP (192.168.1.201).

How do I tell postfix to send mail out using multiple IPs (192.168.1.201 to
192.168.1.206)? Is there a way to tell postfix to rotate the use of these
IPs when sending out mails?



-- 
Regards
Agnello D'souza


Re: multiple virtual ip's bind to outgoing mails

2008-12-09 Thread Agnello George
On Tue, Dec 9, 2008 at 5:58 PM, Wietse Venema <[EMAIL PROTECTED]> wrote:

> Agnello George:
> > how do i tell postfix  to send mail out using multiple ips (
> 192.168.1.201to
> > 192.168.1.206 )... is there a way to tell postfix to rotate the use of
> these
> > ip's. in sending out mails .
>
> No. If you want multiple IP addresses, Postfix lets the kernel choose.
>
>Wietse
>
ok, but

how do I mention multiple IP addresses in the "smtp_bind_addresses" parameter?


-- 
Regards
Agnello D'souza


Re: multiple virtual ip's bind to outgoing mails

2008-12-09 Thread Agnello George
On Tue, Dec 9, 2008 at 6:09 PM, Agnello George <[EMAIL PROTECTED]>wrote:

>
>
> On Tue, Dec 9, 2008 at 5:58 PM, Wietse Venema <[EMAIL PROTECTED]>wrote:
>
>> Agnello George:
>> > how do i tell postfix  to send mail out using multiple ips (
>> 192.168.1.201to
>> > 192.168.1.206 )... is there a way to tell postfix to rotate the use of
>> these
>> > ip's. in sending out mails .
>>
>> No. If you want multiple IP addresses, Postfix lets the kernel choose.
>>
>>Wietse
>>
> ok , but
>
> how do i  mention in "smtp_bind_addresses"  parameter  multiple ipaddress
> .
>
> if there is any alternate way could your'll suggest  thanks a million
!!

-- 
Regards
Agnello D'souza


Limiting mail relay only to users who have an account on the system

2009-01-31 Thread Siju George
Hi,

I have configured Postfix on my system to accept mails for my users.
Now I want to configure Postfix so that users can send mails using the
server.
But I do not want to open the server so that anyone can connect and send
mail.
How will I limit mail relay so that only users who have an account on the
system can use it to send mails?

Thanks

Siju


Re: Limiting mail relay only to users who have an account on the system

2009-01-31 Thread Siju George
On Sat, Jan 31, 2009 at 2:09 PM, Magnus Bäck  wrote:
>
> On Saturday, January 31, 2009 at 09:28 CET,
> Siju George  wrote:
>
> > How will I limit mail relay so that only users who have an account on
> > the system can use it to send mails.
>
> http://www.postfix.org/SASL_README.html
>

Thank you so much Magnus for the Link.

--Siju


Re: Yahoo and spams

2009-02-13 Thread Agnello George
On Fri, Feb 13, 2009 at 9:34 PM, ddaas  wrote:

> Hello everybody !
>
> We have a lot of clients that have yahoo e-mails.
> Yahoo accept e-mail from our server but by default sort them as spams.
> What could it be? Does anyone know what does yahoo like or dislike?
> They don't have words related to spams, they are not advertisment etc.
> Related the keywords I think no system could sort the emails as spams. There
> should be something else.
>
> I post the header from such a e-mail (from yahoo):
>
> From Myname Fri Feb 13 07:53:19 2009
> Return-Path:  
> Authentication-Results: mta301.mail.mud.yahoo.com  from=mydomain.ro;
> domainkeys=neutral (no sig)
> Received: from 80.96.x.x  (EHLO mail.mydomain.ro) (80.96.x.x)
>   by mta301.mail.mud.yahoo.com with SMTP; Fri, 13 Feb 2009 07:53:21 -0800
> Received: from [192.168.0.2] (unknown [95.76.x.x])
> by mail.mydomain.ro (Postfix) with ESMTPA id 5779CAEBB3
> for  ; Fri, 13 Feb 2009 17:53:00
> +0200 (EET)
> Message-ID: <4995976f.5000...@mydomain.ro> <4995976f.5000...@mydomain.ro>
> Date: Fri, 13 Feb 2009 17:53:19 +0200
> From: Myname  
> User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
> MIME-Version: 1.0
> To: em...@yahoo.com
> Subject: test
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
> Content-Length: 1735
>
>
> Thanks
> Dan
>



Are you getting a bounce-back for all mail you are sending to yahoo or is
it a random bounce back?
Is it specific to yahoo.com or are mails being rejected to yahoo.co.in,
yahoo.co.uk also?


-- 
Regards
Agnello D'souza


Using relative paths in main.cf

2009-02-13 Thread George Forman

Hi,

I have created a main.cf.auth and linked it to main.cf in the
/opt/zimbra/pf.auth/conf directory.
I am using alternate_config_directories to specify a parent directory path,
such as:

alternate_config_directories = /opt/zimbra/pf.auth/conf
queue_directory = $alternate_config_directories/../spool
bounce_template_file = $alternate_config_directories/bounce.cf

When postfix starts, it removes the linked file and replaces it with a new
main.cf file.
All the relative paths have been changed to:

queue_directory = /opt/zimbra/pf.auth/conf/../spool
bounce_template_file = /opt/zimbra/pf.auth/conf/bounce.cf

How can I preserve the original main.cf soft link and have postfix use the
relative paths?

George

Re: Yahoo and spams

2009-02-14 Thread Agnello George
On Sat, Feb 14, 2009 at 1:42 PM, ddaas  wrote:

> Hi, thanks.
> One more  question: I have  virtual hosting on my server. This means that
> the reverse dns of the server ip is ns1.mydomain.com and the EHLO hostname
> is mail.maindomain.com
> Could this be a problem? I mean the server tries to reverse the ip and it
> doesn't get what's in EHLO.
>
>
> Yes it is not a postfix issue. I wrote here because I use postfix as the
> e-mail server and any configuration or misconfiguration that yahoo.com doesn't
> like is server related.
> Sorry, I will not go further with this thread.
>
>
> Thank you
>

If you feel that your server's IP is being blacklisted by Yahoo, here is
what you can do: send them a mail informing them that you are a genuine
user and not a spammer and that you have SPF and DomainKeys set up (if
you do), give them the IP that your postfix server uses and also the
error logs if you have access to them. Also send them the mail server
hostname and the company domain name from which you send mails to Yahoo
clients. Send the mail to mail-abuse-bulkATcc.yahoo-inc.com with
this content; they should send you a reply in a few hours saying that they
have delisted your IP from their SpamGuard Technology.

Let us know if it works

Agnello .


using reject_rbl_client with rbldnsd daemon

2009-02-17 Thread George Forman

Hi,

I am attempting to setup and run my own dnsbl service.
I am using rbldnsd: Small Daemon for DNSBLs from 
http://www.corpit.ru/mjt/rbldnsd.html
I have setup the dnsbl daemon to run on server3.com (same server postfix is 
running on).
I have verified using dig that the A record is found:

dig @server3.com  -p 53 47.85.81.1.server3.com

; <<>> DiG 9.3.3rc2 <<>> @server3.com -p 53 47.85.81.1.server3.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 719
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;47.85.81.1.server3.com. IN A

;; ANSWER SECTION:
47.85.81.1.server3.com. 2100 IN A 127.0.0.2

;; Query time: 1 msec
;; SERVER: 1.81.85.97#53(1.81.85.97)
;; WHEN: Tue Feb 17 13:24:33 2009
;; MSG SIZE  rcvd: 70

I then started an smtp session from server2 (1.81.85.47). I am expecting 
postfix to refuse the connection,
however, it fails to find the A record and allows the mail to be sent.
Below is a snippet of the logs:

dict_lookup: smtpd_client_restrictions = reject_unauth_pipelining 
reject_rbl_client server3.com
mac_parse: reject_unauth_pipelining reject_rbl_client server3.com
dict_eval: const  reject_unauth_pipelining reject_rbl_client server3.com
connect from server2.com[1.81.85.47]
>>> START Client host RESTRICTIONS <<<
generic_checks: name=reject_unauth_pipelining
reject_unauth_pipelining: CONNECT
generic_checks: name=reject_unauth_pipelining status=0
generic_checks: name=reject_rbl_client
reject_rbl: Client host 1.81.85.47
dns_query: 47.85.81.1.server3.com (A): Host not found
ctable_locate: install entry key 47.85.81.1.server3.com
generic_checks: name=reject_rbl_client status=0
>>> END Client host RESTRICTIONS <<<
> server2.com[1.81.85.47]: 220 server3.com ESMTP Internet Inbound
watchdog_pat: 0x13641ed0
vstream_fflush_some: fd 13 flush 51
vstream_buf_get_ready: fd 13 got 28
< server2.com[1.81.85.47]: ehlo server2.com
>>> START Helo command RESTRICTIONS <<<


Has anyone used this rbldnsd daemon service with postfix?

Thanks - George



RE: using reject_rbl_client with rbldnsd daemon RESOLVED

2009-02-18 Thread George Forman

Noel,

Thanks for pointing out the obvious!!!
I had my head in the weeds. I'm in the process of setting up a valid DNS
entry for the authoritative query and it should then connect to my rbldnsd
server.

Charles

> Date: Tue, 17 Feb 2009 13:39:15 -0600
> From: njo...@megan.vbhcs.org
> To: georgeforma...@hotmail.com; postfix-users@postfix.org
> Subject: Re: using reject_rbl_client  with rbldnsd daemon
> 
> George Forman wrote:
> > Hi,
> > 
> > I am attempting to setup and run my own dnsbl service.
> > I am using rbldnsd: Small Daemon for DNSBLs from 
> > http://www.corpit.ru/mjt/rbldnsd.html
> > I have setup the dnsbl daemon to run on server3.com (same server postfix 
> > is running on).
> > I have verified using dig that the A record is found:
> > 
> > dig @server3.com  -p 53 47.85.81.1.server3.com
> 
> You must test with
> dig 47.85.81.1.server3.com.
> 
> Additionally, if you are running postfix with the chroot flag 
> in master.cf, you need to test as the postfix user from within 
> the chroot jail.
> 
> 
>-- Noel Jones
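
An added example, not part of the original thread and not Postfix code: a small C program that builds the DNSBL query name seen in the smtpd log above (client octets reversed, then the zone) and looks it up through the host's configured resolver instead of a named server, which is the difference between the two dig commands. It assumes IPv4 only and uses getaddrinfo() as a stand-in for the resolver calls Postfix makes; the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/*
 * Build the DNSBL query name for an IPv4 client address:
 * 1.81.85.47 under zone server3.com becomes 47.85.81.1.server3.com.
 * Returns 0 on success, -1 on a malformed address or a short buffer.
 */
static int dnsbl_query_name(const char *client_ip, const char *zone,
                            char *out, size_t outlen)
{
    struct in_addr addr;
    const unsigned char *o;
    int n;

    if (inet_pton(AF_INET, client_ip, &addr) != 1)
        return -1;
    o = (const unsigned char *) &addr.s_addr;   /* network byte order */
    n = snprintf(out, outlen, "%u.%u.%u.%u.%s", o[3], o[2], o[1], o[0], zone);
    return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
}

/*
 * Resolve the query name with the system resolver (no explicit server),
 * so the result reflects what a daemon on this host can actually see.
 * Returns 1 if any A record exists, 0 if the name does not exist,
 * -1 on bad input or a resolver failure.
 */
static int dnsbl_listed(const char *client_ip, const char *zone)
{
    char name[256];
    struct addrinfo hints, *res = NULL;
    int rc;

    if (dnsbl_query_name(client_ip, zone, name, sizeof(name)) != 0)
        return -1;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;          /* A records only */
    hints.ai_socktype = SOCK_STREAM;
    rc = getaddrinfo(name, NULL, &hints, &res);
    if (rc == EAI_NONAME)
        return 0;                       /* "Host not found", as in the log */
    if (rc != 0)
        return -1;
    freeaddrinfo(res);
    return 1;
}

int main(void)
{
    /* Client address and zone taken from the thread above. */
    const char *client = "1.81.85.47", *zone = "server3.com";
    char name[256];

    if (dnsbl_query_name(client, zone, name, sizeof(name)) != 0)
        return 1;
    printf("query name: %s\n", name);
    printf("listed via system resolver: %d\n", dnsbl_listed(client, zone));
    return 0;
}
```

If this reports 0 while dig with an explicit @server returns an A record, the zone is not reachable through normal resolution and reject_rbl_client will not see the listing either.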


Rerouting bounce messages

2009-03-12 Thread George Forman

All,

If I am a secondary server hosting part of a domain,
I must route all bounce messages back to the primary service
for delivery.

Does Postfix have this capability?

George


RE: Rerouting bounce messages

2009-03-13 Thread George Forman



> Date: Fri, 13 Mar 2009 00:37:08 +0100
> From: mo...@ml.netoyen.net
> To: postfix-users@postfix.org
> Subject: Re: Rerouting bounce messages
> 
> George Forman a écrit :
>> All,
>> 
>> If I am a secondary server hosting part of a domain.
>> I must route all bounce messages back to the primary service
>> for delivery.
>> 
>> Does Postfix have this capability?
>> 
> 
> this is unclear. which bounce messages? please clarify (explicit
> examples). also explain what you mean by "secondary server". there is no
> such thing as a "secondary server" in smtp.


The DNS record is hosted by primary A. Primary A determines if the account is
to be sent to secondary B (a Postfix MTA). When secondary B tries to deliver
the mail via lmtp and lmtp rejects depositing the mail message, a bounce message
is generated. This bounce message must be sent back to the primary A server.
Primary A service must deliver the bounce mail message. It cannot appear to come
from the secondary B service.

If I use relayhost to forward all mail not hosted on secondary B, it becomes an
open relay. This behavior works for forwarding the bounce messages but doesn't
allow secondary B to reject unknown addresses.

account migration

2009-05-04 Thread George Forman

Postfix gurus,

I am a primary for system X where the mail accounts and messages are split
between two separate complexes. In order for an account to be migrated, I must
stop accepting the mail temporarily until it has been migrated to the other
system.

I am using an ldap back-end that contains transport information to
distinguish between the two systems. I would like to create a new ldap
attribute (ie inMigration) that causes postfix to return 4XX on the rcpt
to until the account is migrated.

Does anyone have a suggestion on how this can be accomplished?

Thanks in advance,
George

customised smtpd_sasl_authenticated_header

2010-04-30 Thread Agnello George
We use smtp login maps to authenticate our clients and the parameter
"smtpd_sasl_authenticated_header = yes" to add the authenticated user to
the header ...

Received: from somedom.domain,com ([124.254.23.13]) by
f38.Bay0.hotmail.comwith Microsoft SMTPSVC(6.0.3790.3959);
  Tue, 27 Apr 2010 06:11:30 -0700
Received: from exampledomain.com (unknown [124.152.35.201])
 (Authenticated sender: re...@olvy.com)
 by somedom.domain,com(Postfix) with ESMTPA id 9686C5D870E
 for ; Tue, 27 Apr 2010 18:41:25 +0530 (IST)
From: Full of Life
To: marialo...@hotmail.com
=---
Is there a way to customize the authenticated header? For example, instead of
" (Authenticated sender: re...@olvy.com)"
we require  -->   " ( mm-Authenticated-User: re...@olvy.com) "
I heard it is possible via header checks, but apart from that is it
possible?
This will help in our parser script.
Thanks
-- 
Regards
Agnello D'souza


header information error while relaying mail via gmail server from localserver using cert

2010-11-13 Thread Agnello George
Hi

Since my server does not relay directly to the internet, I have
tried to relay mails via gmail using tls and was quite successful.

my main.cf details is as follows :

myhostname = mail.server.com
relayhost = smtp.gmail.com:587
# auth
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# tls
smtp_tls_security_level = may
smtp_tls_CApath = /etc/postfix/cert
smtp_tls_session_cache_timeout = 3600s
smtp_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
smtp_use_tls = yes

my /etc/postfix/sasl_passwd file contains the following :

smtp.gmail.com  agnello.dso...@gmail.com:mypassword123


my /etc/postfix/cert/  contains

ll /etc/postfix/cert/
total 8
lrwxrwxrwx 1 root root   31 2010-11-14 04:39 709afd2b.0 -> Thawte
Personal Freemail CA.pem
-rw-r--r-- 1 root root 1202 2010-11-14 03:26 Thawte Personal Freemail CA.pem


I am trying to send a mail from agne...@example.com to
agnello.dso...@gmail.com and have success

[r...@localhost cert]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.server.com ESMTP Postfix
ehlo data
250-mail.server.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: agne...@example.com
250 2.1.0 Ok
rcpt to: agnello.dso...@gmail.com
250 2.1.5 Ok
data
354 End data with .
test data
.
250 2.0.0 Ok: queued as EB595430B
quit
221 2.0.0 Bye
Connection closed by foreign host.


In /var/log/maillog it shows it was sent successfully

Nov 14 04:43:22 localhost postfix/smtpd[16035]: EB595430B:
client=localhost.localdomain[127.0.0.1]
Nov 14 04:43:37 localhost postfix/cleanup[16047]: EB595430B:
message-id=<20101113231322.eb5954...@mail.server.com>
Nov 14 04:43:37 localhost postfix/qmgr[15997]: EB595430B:
from=, size=355, nrcpt=1 (queue active)
Nov 14 04:43:38 localhost postfix/smtp[16050]: setting up TLS
connection to smtp.gmail.com[74.125.155.109]:587
Nov 14 04:43:39 localhost postfix/smtp[16050]: Trusted TLS connection
established to smtp.gmail.com[74.125.155.109]:587: TLSv1 with cipher
RC4-MD5 (128/128 bits)
Nov 14 04:43:39 localhost postfix/smtpd[16035]: disconnect from
localhost.localdomain[127.0.0.1]
Nov 14 04:43:42 localhost postfix/smtp[16050]: EB595430B:
to=,
relay=smtp.gmail.com[74.125.155.109]:587, delay=37,
delays=32/0.04/3/1.9, dsn=2.0.0, status=sent (2502.0.0 OK 1289682852
w22sm6055097wfd.7)
Nov 14 04:43:42 localhost postfix/qmgr[15997]: EB595430B: removed



however when i receive mail on my gmail-login my header information is
as follows ;


 -
from        agnello.dso...@gmail.com
to
date        Sun, Nov 14, 2010 at 4:43 AM
mailed-by   gmail.com

test data


The "from address" shows the same email id mentioned in the sasl_passwd
file (agnello.dso...@gmail.com) instead of agne...@example.com,
and the "to address" shows empty.


the "show original headers" of this mail in gmail is as follows

-
Return-Path: 
Received: from mail.server.com (triband-mum-59.184.162.117.mtnl.net.in
[59.184.162.117])
by mx.google.com with ESMTPS id w22sm6055097wfd.7.2010.11.13.13.14.10
(version=TLSv1/SSLv3 cipher=RC4-MD5);
Sat, 13 Nov 2010 13:14:11 -0800 (PST)
Received: from data (localhost.localdomain [127.0.0.1])
by mail.server.com (Postfix) with ESMTP id EB595430B
for ; Sun, 14 Nov 2010 04:43:05 +0530 (IST)
Message-Id: <20101113231322.eb5954...@mail.server.com>
Date: Sun, 14 Nov 2010 04:43:05 +0530 (IST)
From: agnello.dso...@gmail.com
To: undisclosed-recipients:;

test data
-

Could someone please help me as to why gmail will change the header
information from what I originally sent?

Thanks a million

--
Regards
Agnello D'souza


Invalid response code: 503 5.7.0 Error: access denied

2010-11-17 Thread George Forman

All,

We are experiencing a problem where Postfix (Using 2.6.2) continuously returns 
a 503 5.7.0 Error: access denied response.

The scenario is as follows (see log snippet below for sequence details):
   The client MTA attempts to send a message. On the DOT command, Postfix 
returns: '451 4.3.0 Error: queue file write error'
   The client MTA sends a RSET command. Postfix responds with '503 5.7.0 Error: 
access denied'
   The client MTA ignores the RSET response (based on RFC2821).
   The client MTA sends MAIL FROM command. Postfix responds with '503 5.7.0 
Error: access denied'
   The client MTA bounces the message.
   The client MTA repeats sequence (RSET, MAIL FROM and bounces the message) 
until Postfix hard error limit has been exceeded (ours is set to 75).
   Postfix closes the connection.
   

My analysis has shown the Postfix's milter interface fails when waiting for a 
response.
I am still actively investigating specifically the vstream event that triggers 
CLEANUP_STAT_WRITE to be returned. 

My QUICK FIX was to modify the 503 to a 521 error code in smtpd.c (smtpd_proto 
function).
This prevented the problem from continuing.

I am looking for suggestions on a longer term solution.
I have made a change in smtpd_proto function:

    /* XXX We use the real client for connect access control. */
    if (state->access_denied && cmdp->action != quit_cmd) {
        smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
                         state->namaddr);    /* RFC 2821 Sec 3.1 */
        state->error_count++;
        continue;
    }

New code:
    /* XXX We use the real client for connect access control. */
    if (state->access_denied &&
        (! (cmdp->action == quit_cmd || cmdp->action == rset_cmd))) {
        smtpd_chat_reply(state, "%s", state->access_denied);
        state->error_count++;
        continue;
    }


The only side effect (I have found) is the following case where access to the
host response is changed on any commands.

New code: On connect this is returned:
554 5.7.1 : Client host rejected: Access denied
New code: Any commands would return:
554 5.7.1 : Client host rejected: Access denied

Old code: On connect this is returned:
554 5.7.1 : Client host rejected: Access denied
Old code: Any commands would return:
503 5.7.0 Error: access denied for remote.mta.clent[xxx.xx.xxx.xxx]


I don't know if my solution breaks RFC2821 Sec 3.1.
Any help is greatly appreciated.

George


Log snippet:

Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type N len 0 data  
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type N len 45 data 
--=_Ne
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type N len 0 data  
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type X len 0 data
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type E len 0 data
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 24 
flush 1079
==> added debugging log messages
Nov 11 14:03:24 mtain-mb02 postfix/smtpd-log[26639]: vstream_buf_get_ready: 
read_fn flags indicate VSTREAM_FLAG_TIMEOUT
Nov 11 14:03:24 mtain-mb02 postfix/smtpd-log[26639]: attr_scan0: EOF Check
Nov 11 14:03:24 mtain-mb02 postfix/smtpd-log[26639]: mail_stream_finish_ipc: 
attr_scan failed != 2 - CLEANUP_STAT_WRITE
===> end of added debugging log messages
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.clent[xx.xx.xx.xx]: 451 4.3.0 Error: queue file write error
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: abort all milters
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: milter8_abort: abort milter 
inet:localhost:12345
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 20 
flush 41
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: vstream_buf_get_ready: fd 20 
got 6
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: < 
remote.mta.clent[xx.xx.xx.xx]: RSET
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.clent[xx.xx.xx.xx]: 503 5.7.0 Error: access denied for 
remote.mta.clent[xx.xx.xx.xx]
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 20 
flush 88
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: vstream_buf_get_ready: fd 20 
got 84
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: < 
remote.mta.clent[xx.xx.xx.xx]: MAIL FROM:
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.clent[xx.xx.xx.xx]: 503 5.7.0 Error: access denied for 
remote.mta.clent[xx.xx.xx.xx]
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 

RE: Invalid response code: 503 5.7.0 Error: access denied

2010-11-17 Thread George Forman

> Date: Wed, 17 Nov 2010 13:01:05 -0500
> From: victor.ducho...@morganstanley.com
> To: postfix-users@postfix.org
> Subject: Re: Invalid response code: 503 5.7.0 Error: access denied
> 
> On Wed, Nov 17, 2010 at 05:24:12PM +, George Forman wrote:
> 
> > 
> > The scenario is as follows (see log snippet below for sequence details):
> >The client MTA attempts to send a message. On the DOT command, Postfix 
> > returns: '451 4.3.0 Error: queue file write error'
> 
> This happens when a milter malfunctions. Check your logs, they contain
> lots of relevant details.

Yes - The milter is failing to respond in this case.

> 
> >The client MTA sends a RSET command. Postfix responds with '503 5.7.0 
> > Error: access denied'
> 
> Postfix is intended to disconnect with a:
> 
> 421 4.3.0 Mail system error
> 
> The code in question:
> 
> if (smtpd_milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0)
> state->access_denied = mystrdup("421 4.3.0 Mail system error");
> 
> does not have the intended effect.
> 
> >The client MTA ignores the RSET response (based on RFC2821).
> 
> It should not ignore a 5XX return code from RSET. It should disconnect.
> 

I agree. The MTA client is not honoring the response code sent by Postfix.
This is the crux of our problem. We cannot get the remote MTA to fix their 
client
and we're forced to make changes.

> >The client MTA sends MAIL FROM command. Postfix responds with '503 5.7.0 
> > Error: access denied'
> 
> The client is wrong to keep re-using a session after a 5XX error on RSET.
> 
> > My analysis has shown the Postfix's milter interface fails when waiting
> > for a response.
> 
> More likely, the milter, not the interface, but this is what I
> expected before getting this far in your post.
> 
> > I am still actively investigating specifically the vstream event that
> > triggers CLEANUP_STAT_WRITE to be returned.
> 
> Most likely a milter failed. Look in the logs!

Yes it is the milter service that is failing in this situation. I should have 
made that clear
from the beginning.

> 
> > My QUICK FIX was to modify the 503 to a 521 error code in smtpd.c
> > (smtpd_proto function).
> 
> > I am looking for suggestions on a longer term solution.
> > I have made a change in smtpd_proto function:
> > 
> > New code:
> > /* XXX We use the real client for connect access control. */
> > if (state->access_denied &&
> >(! (cmdp->action == quit_cmd || cmdp->action == rset_cmd))) {
> > smtpd_chat_reply(state, "%s", state->access_denied);
> > state->error_count++;
> > continue;
> > }
> 
> No, RFC 2821/5321 notwithstanding, Postfix must reject RSET, to give
> clients a chance to disconnect before real mail is rejected.
> So DO NOT exempt "rset_cmd". Otherwise, the change makes sense. Postfix
> gives the intended response after "." (Queue file write error) and
> the next command if any (say RSET) triggers a "421" disconnect.
> 
> -- 
>   Viktor.

Thanks for the feedback.  I have tested the changes. The sequence is now:
.
451 4.3.0 Error: queue file write error
RSET
421 4.3.0 Mail system error


This change does violate RFC2821/5321 for RSET:
An SMTP server MUST NOT close the connection as the 
result of receiving a RSET; that action is reserved
for QUIT (see Section 4.1.1.10).



By excluding rset_cmd as in the code snippet,
the RSET response is 250 OK.
The next command's response is '421 4.3.0 Mail System Error'.

Thoughts?
George
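
An added example, not Postfix source and not code posted in this thread: a simplified C model of the access_denied gate in the smtpd command loop, comparing the original check, the variant that exempts RSET, and the variant that does not, against a client that ignores error replies. The session struct, function names, the sample client label and the rule that a 421 reply ends the session are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

enum cmd { CMD_RSET, CMD_MAIL, CMD_QUIT };
enum policy {
    GATE_ORIGINAL,      /* fixed 503 text for every command except QUIT */
    GATE_EXEMPT_RSET,   /* reply with access_denied text, RSET passes */
    GATE_REJECT_RSET    /* reply with access_denied text, RSET included */
};

struct session {
    const char *access_denied;  /* NULL until a failure is recorded */
    int error_count;
    int closed;
    char reply[128];
};

#define CLIENT "client.example[192.0.2.1]"  /* constructed sample peer */

/* Record the milter write failure, as the smtpd code quoted above does. */
static void milter_write_error(struct session *s)
{
    s->access_denied = "421 4.3.0 Mail system error";
}

/* Process one command and return the reply line the client would see. */
static const char *smtp_command(struct session *s, enum policy p, enum cmd c)
{
    int gated = (s->access_denied != NULL && c != CMD_QUIT);

    if (gated && p == GATE_EXEMPT_RSET && c == CMD_RSET)
        gated = 0;
    if (gated) {
        if (p == GATE_ORIGINAL)
            snprintf(s->reply, sizeof(s->reply),
                     "503 5.7.0 Error: access denied for %s", CLIENT);
        else
            snprintf(s->reply, sizeof(s->reply), "%s", s->access_denied);
        s->error_count++;
    } else if (c == CMD_QUIT) {
        snprintf(s->reply, sizeof(s->reply), "221 2.0.0 Bye");
        s->closed = 1;
    } else {
        snprintf(s->reply, sizeof(s->reply), "250 2.0.0 Ok");
    }
    /* Model assumption: a 421 reply ends the session. */
    if (strncmp(s->reply, "421", 3) == 0)
        s->closed = 1;
    return s->reply;
}

/*
 * A client that ignores error replies alternates RSET and MAIL FROM after
 * the failed "." command. Count how many commands it sends before the
 * session closes or error_count reaches the hard error limit.
 */
static int commands_before_close(enum policy p, int hard_error_limit)
{
    struct session s = {0};
    int sent = 0;

    milter_write_error(&s);
    while (!s.closed && s.error_count < hard_error_limit) {
        smtp_command(&s, p, (sent % 2 == 0) ? CMD_RSET : CMD_MAIL);
        sent++;
    }
    return sent;
}

int main(void)
{
    static const char *names[] = { "original", "exempt RSET", "reject RSET" };
    int p;

    for (p = GATE_ORIGINAL; p <= GATE_REJECT_RSET; p++)
        printf("%-12s: %d command(s) before close (limit 75)\n",
               names[p], commands_before_close((enum policy) p, 75));
    return 0;
}
```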
  

RE: Invalid response code: 503 5.7.0 Error: access denied

2010-11-19 Thread George Forman



> Date: Thu, 18 Nov 2010 00:55:44 -0500
> From: victor.ducho...@morganstanley.com
> To: postfix-users@postfix.org
> Subject: Re: Invalid response code: 503 5.7.0 Error: access denied
> 
> On Wed, Nov 17, 2010 at 03:27:20PM -0500, Wietse Venema wrote:
> 
> > I had a similar patch that I was going to post 30 mins ago when
> > someone walked into my room:
> 
> OK, we are on the same page then.
> 
> > > On a somewhat related note, should the documentation explicitly warn that
> > > with smtpd_delay_reject=no, clients can keep going even when rejected by
> > > helo restrictions, if "smtpd_helo_required = no"? Of course the client
> > > could just not send "helo/ehlo", and avoid the helo restrictions that way.
> > > This may not be clear to those tempted to put substantive checks in
> > > the HELO branch, without enforcing the use of "HELO".
> > 
> > Um, people who put restrictions on HELO commands need
> > smtpd_helo_required=yes, regardless of smtpd_delay_reject settings.
> 
> Yes, my point was that they may not think this through, and
> perhaps we should more explicitly explain this in the docs for
> smtpd_helo_restrictions, smtpd_delay_reject and in SMTP_ACCESS_README.
> 
> -- 
>   Viktor.

I've made the change to my local code base. Will this change make it into a 
2.7.x release or 2.8?

  

RE: Invalid response code: 503 5.7.0 Error: access denied

2010-11-19 Thread George Forman



> Date: Fri, 19 Nov 2010 12:12:43 -0500
> From: victor.ducho...@morganstanley.com
> To: postfix-users@postfix.org
> Subject: Re: Invalid response code: 503 5.7.0 Error: access denied
> 
> On Fri, Nov 19, 2010 at 10:08:19AM -0500, Wietse Venema wrote:
> 
> > Wietse:
> > > I had a similar patch that I was going to post 30 mins ago when
> > > someone walked into my room:
> > 
> > Victor:
> > > OK, we are on the same page then.
> > 
> > George Forman:
> > > I've made the change to my local code base. Will this change make
> > > it into a 2.7.x release or 2.8?
> > 
> > It is in Postfix 2.8.  I haven't decided if this will be back-ported.
> > If I back-port every fix to every supported release then I would
> > not get work done.
> > 
> > This fix is needed for a buggy client that fails to disconnect
> > after Postfix replies to RSET with an error status.  It is unlikely
> > that OS distributions will pick it up even if I go through the
> > effort of back-porting and testing.
> 
> That said, if you were feeling very generous, we've had a 2.7.2-RC2 in
> the wings for a while. The change to not send 503, when we really mean
> "421" is fairly safe. I would not object to inclusion in 2.7.2, (I don't
> think we need to go back to 2.4, 2.5 or 2.6).
> 
> -- 
>   Viktor.

As long as I know the fix is in 2.8 I know I don't need to carry my patch
forward indefinitely.  Having it in a 2.7.x release just makes my life easier
but I do understand Wietse's point about back-porting and I'm sure there are
other higher priority issues.

Thanks for the quick response.
George

Slowly drain the active queue

2009-06-24 Thread George Forman

Hi,

I'm trying to understand how I can control the postfix active queue. We ran
into a problem where our back end LMTP deposit service had failures. Therefore,
the queues grew quite large. We had trouble stabilizing the LMTP back end
because the postfix active queue was trying to deliver very quickly to the
LMTP service.

How can I control or slowly drain the active queue so it doesn't slam LMTP?

I was reading and found the following information but I'm not sure it
applies. Can I change default_destination_rate_delay to limit the delivery
rate? I also see queue_run_delay and minimal/maximal_backoff_times but it seems
this applies to the defer queue, correct?

George

Oldest message in the queue

2009-06-24 Thread George Forman


Hi,
It appears we would need to write a script to parse all the messages.
What is an efficient way to get the age of the oldest message in the queue?

George

customize bounce behavior

2009-06-25 Thread George Forman

Hi,



I apologize if this has already been covered but I can't seem to find any 
information.
I need to customize the bounce behavior for the following:
1. If a bounce message is created because it can't deliver to a specified
   list of email addresses we don't want a bounce returned.
2. If a bounce message is created, we need to use the recipient's domain
   for the mailer-daemon domain instead of myorigin parameter.

Is there some type of check policy feature I can add to support this behavior?


George


RE: customize bounce behavior

2009-06-25 Thread George Forman

> Date: Thu, 25 Jun 2009 23:56:34 +0200
> From: mo...@ml.netoyen.net
> To: postfix-users@postfix.org
> Subject: Re: customize bounce behavior
> 
> George Forman wrote:
> > Hi,
> > 
> > 
> > I apologize if this has already been covered but I can't seem to find
> > any information.
> > I need to customize the bounce behavior for the following:
> > 1. If a bounce message is created because it can't deliver to a specified
> >list of email addresses we don't want a bounce returned.
> 
> can you explain a little? what exactly do you mean by a "list"? and why
> it wouldn't be delivered? (the reason is important).
We have several mail accounts (ie list) that have automated mail generated and
sent to these accounts for security reasons. Under normal conditions, the
mailbox for these few accounts should accept mail. However, there have been
situations in the past where the process on these boxes accepting the mail has
problems and the mail can't be delivered. Typically they resolve the problems
and SMTP retries. However for extended period outages or there is a bug in their
code, the process rejects the mail, postfix will generate a bounce message. In
these cases, we don't want to have a bounce message generated.
> 
> > 2. If a bounce message is created, we need to use the recipient's domain
> >for the mailer-daemon domain instead of myorigin parameter.
> 
> to use * domain for what? the bounce sender is "<>". no domain there.
> This is mandated by the standard.
My apologies, I wasn't clear. In the bounce message's RFC822 From header, the
mailer-daemon must contain the appropriate domain.
> 
> > 
> > Is the some type of check policy feature I can add to support this behavior?
> > 
> > 
> > George
> > 
> > 
> 


RE: customize bounce behavior

2009-07-15 Thread George Forman



From: georgeforma...@hotmail.com
To: mouss+nob...@netoyen.net; postfix-users@postfix.org
Subject: RE: customize bounce behavior
Date: Fri, 26 Jun 2009 02:00:58 +








> Date: Thu, 25 Jun 2009 23:56:34 +0200
> From: mo...@ml.netoyen.net
> To: postfix-users@postfix.org
> Subject: Re: customize bounce behavior
> 
> George Forman wrote:
> > Hi,
> > 
> > 
> > I apologize if this has already been covered but I can't seem to find
> > any information.
> > I need to customize the bounce behavior for the following:
> > 1. If a bounce message is created because it can't deliver to a specified
> >list of email addresses we don't want a bounce returned.
> 
> can you explain a little? what exactly do you mean by a "list"? and why
> it wouldn't be delivered? (the reason is important).
> We have several mail accounts (ie list) that have automated mail
> generated and sent to these accounts for security reasons.
> Under normal conditions, the mailbox for these few accounts
> should accept mail. However, there have been situations in the past where
> the process on these boxes accepting the mail has problems and the mail
> can't be delivered. Typically they resolve the problems and SMTP retries.
> However for extended period outages or there is a bug in their code,
> the process rejects the mail, postfix will generate a bounce message.
> In these cases, we don't want to have a bounce message generated.

Does anyone have an answer to my problem?
Thanks,
George






enable selective features based on IP

2009-09-12 Thread George Forman

All,
I want to set up a postfix server which only takes traffic from
'mynetworks'. For N out of M IP addresses, the postfix server must
reject_unauth_destination. Pretty simple so far...
However, for a select few IP addresses in the list, I want the postfix server to
behave differently. I want to enforce smtpd_sender_restrictions and allow the
users to send to the internet.
I have been reading http://www.postfix.org/SMTPD_ACCESS_README.html trying to
figure out if it is possible to support this without running two separate
postfix servers.
Any help is greatly appreciated,
George

Invitation to connect on LinkedIn

2009-10-26 Thread Siju George
I'd like to add you to my professional network on LinkedIn.

- Siju



Invalid recipients for a known domain

2009-11-19 Thread George Forman

Hi,

I am having problems understanding how I can configure my outbound server
to send mail to both locally hosted users for a given list of domains and users on
unknown domains (such as msn.com, yahoo.com, aol.com, etc).

Currently, I can send to both locally hosted users and non-hosted domains.
However, I can't seem to solve a problem where locally hosted domains,
if I send to unknown_u...@locallyhosteddomain, I don't get a 550 error code.
I don't see postfix calling the virtual_mailbox_domain ldap query to check if
the domain is local.


Any suggestion on how I can modify the configuration to solve my problem? 
- George


alias_maps = 
bounce_queue_lifetime = 1d
bounce_size_limit = 1
bounce_template_file = $config_directory/bounce.cf
command_directory = /opt/zimbra/pf.out/sbin
config_directory = /opt/zimbra/pf.out/conf
daemon_directory = /opt/zimbra/pf.out/libexec
data_directory = /opt/zimbra/pf.out/data
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
mail_name = MUA Thirdparty client Interface
mail_owner = postfix
mailq_path = /opt/zimbra/pf.out/sbin/mailq
manpage_directory = /opt/zimbra/pf.out/man
maximal_queue_lifetime = 1d
message_size_limit = 2300
milter_connect_macros = j {daemon_name} v {client_name} {client_ptr}
milter_header_checks = regexp:$config_directory/oms_header_check
mydestination = 
mynetworks = $config_directory/mynetworks
myorigin = example.com
newaliases_path = /opt/zimbra/pf.out/sbin/newaliases
notify_classes = 
queue_directory = /opt/zimbra/pf.out/spool
readme_directory = no
recipient_canonical_maps = hash:$config_directory/domain_name_maps
sample_directory = /opt/zimbra/pf.out/conf
sendmail_path = /opt/zimbra/pf.out/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = 
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = 
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks,
reject_sender_login_mismatch, permit_sasl_authenticated,  
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = ldap:$config_directory/ldap-auth.cf
smtpd_sender_restrictions = reject_non_fqdn_sender,  
reject_unlisted_sender,  check_sender_access 
ldap:$config_directory/ldap-sender.cf,  reject_sender_login_mismatch,  
reject
smtpd_timeout = 1m
smtpd_tls_CAfile = $config_directory/intermediate.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = $config_directory/smtp.crt
smtpd_tls_key_file = $config_directory/smtp.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = ldap:$config_directory/ldap--transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:$config_directory/ldap-vam.cf
virtual_mailbox_domains = hash:$config_directory/hash-vmd   
   ldap:$config_directory/ldap-vmd.cf



  

queue manager delaying delivery of message

2009-12-14 Thread George Forman

Hi,

I am running into a problem where (it seems) queue manager
doesn't pick up the queued message for delivery.  SMTPD returns
a 250 OK at  16:26:39. However, oqmgr doesn't pick it up until 16:35:41.
There is no post queue processing on the message.  I turned up logging
on cleanup, qmgr and oqmgr (see below). I could not find any clues
as to why there would be a delay. Any help is greatly appreciated.
- George

Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: open incoming/883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: cleanup_open: open 
incoming/883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: send attr queue_id = 
883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/smtpd[28280]: input attribute value: 
883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/smtpd[28280]: 883D938000CBB: 
client=mx2.todaysdailypromotion.net[11.111.111.111]
Dec 14 16:26:39 mtain-da12 postfix/smtpd[28280]: milter_macro_lookup: result 
"883D938000CBB"
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: cleanup_header_callback: 
'Received: from mx2.todaysdailypromotion.net (mx2.todaysdailypromotion.net 
[66.248.158.200])??by mtain-da12.example.com (Internet Inbound) with SMTP id 
883D938000CBB??for ; Mon, 1'
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: 883D938000CBB: 
message-id=<200912034113.35o400924...@77uiw6y396c3.vb_unknown.unknown>
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: milter_macro_lookup: result 
"883D938000CBB"
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: milter_macro_lookup: result 
"883D938000CBB"
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_HEADER; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_EOH; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_BODY; macros: 
i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: event: SMFIC_BODYEOB; 
macros: i=883D938000CBB
Dec 14 16:26:39 mtain-da12 postfix/smtpd[28280]: > 
mx2.todaysdailypromotion.net[11.111.111.111]: 250 2.0.0 Ok: queued as 
883D938000CBB
Dec 14 16:35:41 mtain-da12 postfix/oqmgr[32135]: 883D938000CBB: 
from=, size=2598, nrcpt=1 (queue active)
Dec 14 16:35:41 mtain-da12 postfix/smtp[32446]: 883D938000CBB: 
to=, relay=relay.example.com[111.11.111.11]:25, delay=542, 
delays=542/0.03/0/0.15, dsn=2.0.0, status=sent (250 OK)
Dec 14 16:35:41 mtain-da12 postfix/oqmgr[32135]: 883D938000CBB: removed





postconf -n below:

2bounce_notice_recipient = /dev/null
bounce_notice_recipient = /dev/null
bounce_queue_lifetime = 4h
bounce_size_limit = 1
bounce_template_file = $config_directory/bounce.cf
command_directory = /opt/postfix/sbin
config_directory = /opt/postfix/conf
daemon_directory = /opt/postfix/libexec
data_directory = /opt/postfix/data
debug_peer_level = 2
default_destination_concurrency_limit = 500
default_rbl_reply = $rbl_code : (RLY:B1) 
http://postmaster.example.com/errors/554rlyb1.html
delay_notice_recipient = /dev/null
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
error_notice_recipient = /dev/null
html_directory = no
lmtp_destination_concurrency_limit = 1200
local_recipient_maps = proxy:ldap:$config_directory/ldap-vam.cf
mail_name = Internet Inbound
mail_owner = postfix
mailq_path = /opt/postfix/sbin/mailq
manpage_directory = /opt/postfix/man
maximal_queue_lifetime = 1d
message_size_limit = 2300
milter_connect_macros = j {daemon_name} v {client_name} {client_ptr}
milter_protocol = 2
mydestination = 
mynetworks = $config_directory/mynetworks
myorigin = example.com
newaliases_path = /opt/postfix/sbin/newaliases
notify_classes = 
qmgr_message_active_limit = 10
qmgr_message_recipient_limit = 10
queue_directory = /postfix/mqueues/spool
rbl_reply_maps = hash:$config_directory/rbl_reply_maps
readme_directory = no
recipient_canonical_maps = hash:$config_directory/recipient_canonical_maps
relay_domains = $config_directory/relay_domains
relay_recipient_maps = h

RE: queue manager delaying delivery of message

2009-12-14 Thread George Forman

> Subject: Re: queue manager delaying delivery of message
> To: georgeforma...@hotmail.com; postfix-users@postfix.org
> Date: Mon, 14 Dec 2009 19:31:44 -0500
> From: wie...@porcupine.org
> 
> The queue manager will leave a file in the incoming queue when:
> 
> 1) Some "security" software does not allow the cleanup daemon
> to write to the qmgr FIFO. Try without SeLinux, AppArmor, etc.
> 
> 2) The queue file system is not on a local disk, and either file
> server's clock and the Postfix machine's clock are out of whack.
> 
> 3) Mailscanner or other non-Postfix software directly manipulates
> Postfix queue files.
> 
> 4) The file system does weird things with the "execute" file
> permission bit. Postfix sets this bit when a queue file is ready
> for delivery.
> 
> 5) The queue manager is blocked for other reasons. Some vendors
> make changes to Postfix source code and thereby break things.
> 
> To investigate, does the delay happen with local submission
> (the Postfix sendmail command)? 
> 
We are trying to replace our inbound MTA.  Because of the
problems encountered, we brought down the server.
I will try this tomorrow and report back with the results.

> You wrote that you made the queue manager verbose, but there is
> no verbose queue manager logging in your report.

Unfortunately, I don't know how to associate the queue manager's
output with respect to the email message queue id. The log file is
huge, I will see if I can find the log entries and include them.

Thanks for the information,
George


  

RE: queue manager delaying delivery of message

2009-12-16 Thread George Forman


> Subject: Re: queue manager delaying delivery of message
> To: postfix-users@postfix.org
> Date: Mon, 14 Dec 2009 20:08:41 -0500
> From: wie...@porcupine.org
> 
> George Forman:
> > 
> > > Subject: Re: queue manager delaying delivery of message
> > > To: georgeforma...@hotmail.com; postfix-users@postfix.org
> > > Date: Mon, 14 Dec 2009 19:31:44 -0500
> > > From: wie...@porcupine.org
> > > 
> > > The queue manager will leave a file in the incoming queue when:
> > > 
> > > 1) Some "security" software does not allow the cleanup daemon
> > > to write to the qmgr FIFO. Try without SeLinux, AppArmor, etc.
> > > 
> > > 2) The queue file system is not on a local disk, and either file
> > > server's clock and the Postfix machine's clock are out of whack.
> > > 
> > > 3) Mailscanner or other non-Postfix software directly manipulates
> > > Postfix queue files.
> > > 
> > > 4) The file system does weird things with the "execute" file
> > > permission bit. Postfix sets this bit when a queue file is ready
> > > for delivery.
> > > 
> > > 5) The queue manager is blocked for other reasons. Some vendors
> > > make changes to Postfix source code and thereby break things.
> > > 
> > > To investigate, does the delay happen with local submission
> > > (the Postfix sendmail command)? 
> > > 
> > We are trying to replace our inbound MTA.  Because of the
> > problems encountered, we brought down the server.
> > I will try this tomorrow and report back with the results.
> > 
> > > You wrote that you made the queue manager verbose, but there is
> > > no verbose queue manager logging in your report.
> > 
> > Unfortunately, I don't know how to associate the queue manager's
> > output with respect to the email message queue id. The log file is
> > huge, I will see if I can find the logs entries and included them.
> 
> Don't bother, you have no idea what records are triggered
> by cleanup server activity.
> 
> The queue manager handles other deliveries while it is ignoring
> this file? The cleanup server attempts to write to the qmgr FIFO,
> and the queue manager will log that it receives a request.
> 
> Dec 14 20:04:13 tail postfix/qmgr[2053]: trigger_server_accept_fifo: trigger 
> arrived
> 
> If there is no such logging then the cleanup-to-qmgr notification
> is broken, and delivery is delayed until the queue manager does
> the routine queue_run_delay=300s queue scan.
> 
>   Wietse

I am seeing trigger_server_accept_fifo log entries; unfortunately I
cannot associate the trigger to a specific message. I did notice the number of
qmgr trigger log entries are 60% the number of message processed log entries. I
know postfix logs a single line per recipient and that could account for some
but not a 40% difference.
I completely left out one observation. The messages are accepted, they are
sitting in the incoming queue. There is little or no mail in the defer queue.
The active queue has a few hundred messages. I am not seeing any significant
number of errors for milter nor ldap queries.



  
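An added example, not part of the original thread or of Postfix: one way to tie log entries to a queue ID and measure how long each message waited between intake (smtpd/cleanup/pickup) and the queue manager's "(queue active)" entry, while also counting the trigger_server_accept_fifo entries mentioned above. The sample log is constructed from the format of the lines quoted in the thread; the function names, the year parameter and the second queue ID are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the log excerpt in the thread. Host names and
# addresses use documentation ranges; 9A41C38000CC1 is an invented queue ID.
SAMPLE_LOG = """\
Dec 14 16:26:39 mtain-da12 postfix/smtpd[28280]: 883D938000CBB: client=mx.example.net[192.0.2.10]
Dec 14 16:26:39 mtain-da12 postfix/cleanup[28236]: 883D938000CBB: message-id=<constructed-1@example.net>
Dec 14 16:26:41 mtain-da12 postfix/smtpd[28281]: 9A41C38000CC1: client=mx.example.net[192.0.2.10]
Dec 14 16:26:41 mtain-da12 postfix/cleanup[28236]: 9A41C38000CC1: message-id=<constructed-2@example.net>
Dec 14 16:26:41 mtain-da12 postfix/oqmgr[32135]: trigger_server_accept_fifo: trigger arrived
Dec 14 16:26:41 mtain-da12 postfix/oqmgr[32135]: 9A41C38000CC1: from=<a@example.net>, size=1820, nrcpt=1 (queue active)
Dec 14 16:26:42 mtain-da12 postfix/smtp[32440]: 9A41C38000CC1: to=<u@example.com>, relay=relay.example.com[192.0.2.25]:25, delay=1.2, delays=0.9/0.03/0/0.27, dsn=2.0.0, status=sent (250 OK)
Dec 14 16:35:41 mtain-da12 postfix/oqmgr[32135]: 883D938000CBB: from=<b@example.net>, size=2598, nrcpt=1 (queue active)
Dec 14 16:35:41 mtain-da12 postfix/smtp[32446]: 883D938000CBB: to=<v@example.com>, relay=relay.example.com[192.0.2.25]:25, delay=542, delays=542/0.03/0/0.15, dsn=2.0.0, status=sent (250 OK)
Dec 14 16:35:41 mtain-da12 postfix/oqmgr[32135]: 883D938000CBB: removed
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(\w+)\[\d+\]: (.*)$")
QID_RE = re.compile(r"^([0-9A-F]{6,}): (.*)$")  # short (hexadecimal) queue IDs
DELAYS_RE = re.compile(r"\bdelays=([\d.]+)/[\d.]+/[\d.]+/[\d.]+")
TRIGGER = "trigger_server_accept_fifo: trigger arrived"
INTAKE = {"smtpd", "cleanup", "pickup"}   # services that create queue files
QMGR = {"qmgr", "oqmgr"}


def correlate(log_text, year=2009):
    """Group log lines by queue ID.

    Returns (records, triggers). Each record holds the first intake timestamp,
    the first '(queue active)' timestamp, and the first field of delays=a/b/c/d
    (time before the queue manager, as reported by the delivery agent).
    Syslog timestamps carry no year, so the caller supplies one.
    """
    records, triggers = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, service, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if service in QMGR and TRIGGER in msg:
            triggers += 1
            continue
        q = QID_RE.match(msg)
        if not q:
            continue
        qid, rest = q.groups()
        rec = records.setdefault(
            qid, {"first_seen": None, "active": None, "before_qmgr": None})
        if service in INTAKE and rec["first_seen"] is None:
            rec["first_seen"] = when
        # Only the first activation counts; deferred mail is activated again.
        if service in QMGR and rest.endswith("(queue active)") and rec["active"] is None:
            rec["active"] = when
        d = DELAYS_RE.search(rest)
        if d and rec["before_qmgr"] is None:
            rec["before_qmgr"] = float(d.group(1))
    return records, triggers


def slow_pickups(records, threshold_seconds):
    """Return (queue_id, gap_seconds) for messages that waited at least
    threshold_seconds between intake and activation, slowest first.
    Messages whose intake or activation line is missing are skipped."""
    gaps = []
    for qid, rec in records.items():
        if rec["first_seen"] is None or rec["active"] is None:
            continue
        gap = int((rec["active"] - rec["first_seen"]).total_seconds())
        if gap >= threshold_seconds:
            gaps.append((qid, gap))
    return sorted(gaps, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    recs, trig = correlate(SAMPLE_LOG)
    print("qmgr triggers seen:", trig)
    for qid, gap in slow_pickups(recs, 60):
        print(qid, "waited", gap, "s; delays= reports", recs[qid]["before_qmgr"])
```

A gap close to a multiple of queue_run_delay, together with fewer trigger entries than accepted messages, points at the missing cleanup-to-qmgr notification described in the quoted reply.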

how to use specific version of tls/ssl in postfix

2012-05-07 Thread Agnello George
Hi

I have heard of the vulnerability that exists in SSL 3.0 and TLS 1.0 that
could allow information disclosure if an attacker intercepts encrypted
traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher
suites that do not use CBC mode are not affected.

How do I use specific versions of TLS in postfix?

Thanks!!

-- 
Regards
Agnello D'souza


postfix mailling list test .

2012-05-08 Thread Agnello George
I am not able to post in the group. Please help. Neither am I
receiving mails from the group.

-- 
Regards
Agnello D'souza


Re: local_header_rewrite_clients behaving weird

2012-10-22 Thread Dominik George

> But as a matter of fact, both test clients are covered by 
> permit_inet_interfaces, the default for local_header_rewrite_clients. Plus, 
> rewrites stopped working without changing Postfix version or config.

OK, can it. I got it.


http://www.postfix.org/postconf.5.html#local_header_rewrite_clients

permit_inet_interfaces
Append the domain name in $myorigin or $mydomain when the client IP 
   address matches $inet_interfaces. This is enabled by default.


This says everything. However, what happened to that system is a complete 
mystery to me. The problem began to show within the last two weeks and we 
sure as hell weren't using Postfix <2.2 before that.

Oh well, never mind.

-nik


Re: Block ip address on ratelimit

2012-12-12 Thread Dominik George
Hi,

look at postfwd.

Cheers,
Nik



Ram wrote:

>Our client's postfix servers are being frequently getting attacks using
>
>compromised accounts
>In most cases it seems the spammer simply uses a phished 
>username/password , sends a whole lot of 419ers until we manually
>change 
>the password , but the damage is already done
>
>
>Implementing ratelimits is not really helping because ultimately the 
>mail will go through after the anvil time.
>Since the legitimate users are extremely low email users , I can safely
>
>block "anyone" permanently who sends more than 1 mail in 10s with zero
>FP's
>
>
>
>How can I do this ?
>
>
>Thanks
>Ram



Re: abusive language by Reindl (was: generally use of mailing-lists)

2013-01-13 Thread Dominik George

Yeah, shitstorm!

Now *that's* real distributed Postfix load-testing :)!

SCNR.

-nik

-- 
* mirabilos is handling my post-1990 smartphone *
 Aaah, it vibrates! Wherefor art thou, daemonic device??

PGP fingerprint: 2086 9A4B E67D 1DCD FFF6  F6C1 59FC 8E1D 6F2A 8001


Re: block email on number of recipients and on message size

2013-01-23 Thread Dominik George
Hi,

as always, postfwd might be the answer.

-nik



Antonio Tommasi wrote:

>Hi to all
>i need to block email if the number of recipients is greater than a
>specific number and message size exceeds fixed limit.
>In main.cf i can configure message_size_limit and
>smtpd_recipient_limit, but i want to reject email only 
>if (message_size > message_size_limit) and (smtpd_recipient_number >
>smtpd_recipient_limit)
>
>Hope in your support
>
>Thanks
>Antonio Tommasi

-- 
This message was sent from my Android mobile phone with K-9 Mail.


Re: Restrict some users to local recipients only?

2013-02-12 Thread Dominik George
Hi Patrick,

> I have a customer who would like to configure the Postfix server he uses
> such that certain users can only send to local users. I'm wondering if
> there are any built-in facilities for restricting which delivery agents can
> be used by particular users? (Or some other clever way of achieving the
> same end result.) I realize security measures would also need to be taken
> to lock down the machine from which the mail is being sent, but that's not
> my problem ;)

Does "users" for you mean

 a) clients
 b) envelope senders
 c) SASL authenticated users?

-nik

-- 
* mirabilos is handling my post-1990 smartphone *
 Aaah, it vibrates! Wherefore art thou, demonic device??

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Secure alternative to smtp_sasl_password_maps?

2013-03-18 Thread Dominik George
Hi,

imho, the best approach to getting a road-warrior (laptop) authenticated
as a satellite system using your central MTA as a relayhost is to have it in
mynetworks. As in, connect it to the MTA through a VPN tunnel.

Then, there is nothing that limits you to use PAM for
authentication. You can additionally add a static passdb to Dovecot that
serves an account that you can use for relay.

-nik

-- 
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
 That means, D-BUS is a tool that makes software look better
than it actually is.

2013-05-19 - 05-21  Geocaching-Tour        Hamburg (2 beds free)
2013-06-28 - 06-30  http://project-eck.de  Koblenz
2013-08-01 - 08-04  http://berlin-mega.de  Berlin (2 beds free)
2013-08-28 - 09-02  http://prora2013.de    Rügen
2013-12-27 - 12-31  30c3                   Hamburg (2 beds free)

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: 250-AUTH LOGIN PLAIN & 250-AUTH=LOGIN PLAIN

2013-06-20 Thread Dominik George
Hi,

> But i don't see two following lines in above:
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN

have you upgraded Postfix to 2.10 recently?

In this case, you might have missed the smtpd_relay_restrictions change
pointed out in the release notes [1]:

> [Feature 20121007] This version introduces the smtpd_relay_restrictions
> feature for mail relay control. The new built-in default settings
> are:
> 
> smtpd_relay_restrictions = 
>   permit_mynetworks 
>   reject_unauth_destination
> 
> smtpd_recipient_restrictions =
>   ( optional spam blocking rules would go here )

Cheers,
Nik

[1] http://de.postfix.org/ftpmirror/official/postfix-2.10.0.RELEASE_NOTES

-- 
 Which server is that on now…?
 If it doesn't arrive over the network, at Hetzner; if it isn't
read, at STRATO; if it works, at manitu.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Sending a lot of emails

2013-07-19 Thread Dominik George
Hi,

the key is that by sendmail, we mean the sendmail command. Postfix has a 
sendmail-compatible frontend.

You can just use the mail command like so:

$ mail -a "From: Your Name " -s "Your Subject" 
recpm...@example.com < wrote:

>I received this database from a government organization because I
>joined a
>export  support program held by polish gov organizations . Those
>companies
>I have mails to had to apply for this also because afaik it is also a
>project supported by EU.
>
>Because sendmail and postfix cannot run simultaneously and I am using
>my
>email. Also my postfix is configured with ssl certs and it would look
>much
>more trusted than simple sendmail i think? Correct me if i am wrong.
>
>
>2013/7/19 Charles Marcus 
>
>> On 2013-07-19 1:23 PM, Krzysztof Szarlej 
>wrote:
>>
>>> I have a database with 5000 mails and I want to send to each address
>a
>>> mail with my company offer(not a spam just offer to companies with
>the same
>>> profile that my company have)
>>>
>>
>> Do you have their explicit permission to send them this offer?
>>
>> If not, IT IS SPAM.
>>
>>

-- 
This message was sent from my Android mobile phone with K-9 Mail.

Re: Sending a lot of emails

2013-07-19 Thread Dominik George
Hi,

what is wrong with the sendmail program and a simple shell script?

What is wrong with sending all mails in a batch?

Last but not least, what aspect of your plan does NOT match plain spamming?

Cheers,
Nik



Krzysztof Szarlej wrote:

>Hey guys i have finally set my mail server with dovecot and postfix. I
>configured also a tls and sasl authentication. I have revdns and txt
>record
>also.
>
>I have a database with 5000 mails and I want to send to each address a
>mail
>with my company offer(not a spam just offer to companies with the same
>profile that my company have) How to achieve this? Do I need to use for
>example PHP? I was thinking of a cron script that would each 30 minutes
>send
>i.e 200mails. but i don't know whether it is possible to send those mails
>only by cron, or i need a for example php script that would be execed
>each
>20 minutes?
>
>Afaik it is not possible to use apache with postfix? Only with default
>linux sendmail program?
>
>Thank you for your suggestions

-- 
This message was sent from my Android mobile phone with K-9 Mail.

Re: SMTP auth without mailbox

2013-08-12 Thread Dominik George
Hi,

you can run saslauthd as a standalone auth process.

-nik



massi wrote:
>Hi there,
>I need to activate SMTP authentication on a Postfix server that has no
>mailbox on board (it relays email for Google Apps service and certified
>emails). All the mailbox are stored on a remote server, they asked me
>to
>activate only the SMTP auth service.
>
>Can you please give me some suggestions?
>
>Thanks in advance.
>Massi 

-- 
This message was sent from my Android mobile phone with K-9 Mail.

Re: How to send more than 1 email per sec per domain?

2013-08-13 Thread Dominik George
Hi,

postfwd allows for fine tuning of such limitation.

-nik



Philippe Bloix wrote:
>Hi!
>
>
>I would like to set a limit rate per domain. I know i can use
>« destination_rate_delay » and it works ! The problem is that the
>minimum
>period is 1s. It permits to send 1 email per domain per second .
>
>If i want to send for example 5 emails per domain per second, how is it
>possible by using postfix?
>
>
>
>Thanks
>
>
>
>PB

-- 
This message was sent from my Android mobile phone with K-9 Mail.

sasl problem on osx server

2015-01-08 Thread George Johnson
I'm hoping someone here may have encountered this problem and can suggest a
solution. I'm running postfix 2.5.14 on Snow Leopard for use as a personal mail
server. My server is configured for SMTP relaying (using the MailServe gui) and
to use the Mac user accounts (plaintext passwords) for authentication. Every 10
minutes, give or take a few seconds, the same eight lines appear in my mail log
(with fresh process numbers for the smtp demon):

postfix/smtpd[18872]: disconnect from sanacacio.net[65.19.28.60]
postfix/smtpd[18872]: warning: sanacacio.net[65.19.28.60]: SASL PLAIN authentication failed
postfix/smtpd[18872]: error: CF: Credentials could not be verified username or password is invalid.
postfix/smtpd[18872]: connect from sanacacio.net[65.19.28.60]
postfix/smtpd[18865]: disconnect from sanacacio.net[65.19.28.60]
sanacacio postfix/smtpd[18865]: warning: sanacacio.net[65.19.28.60]: SASL PLAIN authentication failed
sanacacio postfix/smtpd[18865]: error: CF: Credentials could not be verified username or password is invalid.
sanacacio postfix/smtpd[18865]: connect from sanacacio.net[65.19.28.60]

My domain is sanacacio.net.

In addition, whenever I send an email I get an error like this:

sanacacio postfix/local[19315]: od[getpwnam_ext]: no attribute
dsAttrTypeStandard:MailAttribute in record for user . . .

Can anyone suggest how I can fix this? As a workaround I've set up the server so
it doesn't require SSL for smtp relay. But I want to be sure it is secure as
possible.

Thanks in advance. Here are more details:

Postconf -a cyrus dovecot:

saslauthd -v saslauthd 2.1.22 authentication mechanisms: getpwent kerberos5
rimap

Postconf |grep sasl:

broken_sasl_auth_clients = yes
cyrus_sasl_config_path =
lmtp_sasl_auth_cache_name =
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
send_cyrus_sasl_authzid = no
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/usr/local/cutedge/postfix/etc/access
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus




Re: sasl problem on osx server

2015-01-08 Thread George Johnson
> http://www.postfix.org/SASL_README.html


Thank you. I have read that along with "The missing Cyrus SASL man pages." And
I have been scouring the Internet for answers. But there is some point that
still eludes me. I’d be grateful if someone could point me in the right
direction.


> On Jan 8, 2015, at 6:39 PM, Edgar Pettijohn  wrote:
> 
> 
> On 01/08/15 19:29, George Johnson wrote:
>> I'm hoping someone here may have encountered this problem and can suggest a
>> solution. I'm running postfix 2.5.14 on Snow Leopard for use as a personal mail
>> server. My server is configured for SMTP relaying (using the MailServe gui) and
>> to use the Mac user accounts (plaintext passwords) for authentication. Every 10
>> minutes, give or take a few seconds, the same eight lines appear in my mail log
>> (with fresh process numbers for the smtp demon):
>> 
>> postfix/smtpd[18872]: disconnect from sanacacio.net[65.19.28.60]
>> postfix/smtpd[18872]: warning: sanacacio.net[65.19.28.60]: SASL PLAIN
>> authentication failed postfix/smtpd[18872]: error: CF: Credentials could not be
>> verified username or password is invalid. postfix/smtpd[18872]: connect from
>> sanacacio.net[65.19.28.60] postfix/smtpd[18865]: disconnect from
>> sanacacio.net[65.19.28.60] sanacacio postfix/smtpd[18865]: warning:
>> sanacacio.net[65.19.28.60]: SASL PLAIN authentication failed sanacacio
> http://www.postfix.org/SASL_README.html
> 
>> postfix/smtpd[18865]: error: CF: Credentials could not be verified username or
>> password is invalid. sanacacio postfix/smtpd[18865]: connect from
>> sanacacio.net[65.19.28.60]
>> 
>> My domain is sanacacio.net.
>> 
>> In addition, whenever I send an email I get an error like this:
>> 
>> sanacacio postfix/local[19315]: od[getpwnam_ext]: no attribute
>> dsAttrTypeStandard:MailAttribute in record for user . . .
>> 
>> Can anyone suggest how I can fix this? As a workaround I've set up the server so
>> it doesn't require SSL for smtp relay. But I want to be sure it is as secure as
>> possible.
>> 
>> Thanks in advance. Here are more details:
>> 
>> Postconf -a cyrus dovecot:
>> 
>> saslauthd -v saslauthd 2.1.22 authentication mechanisms: getpwent kerberos5
>> rimap
>> 
>> Postconf |grep sasl:
>> 
>> broken_sasl_auth_clients = yes
>> cyrus_sasl_config_path =
>> lmtp_sasl_auth_cache_name =
>> lmtp_sasl_auth_cache_time = 90d
>> lmtp_sasl_auth_enable = no
>> lmtp_sasl_auth_soft_bounce = yes
>> lmtp_sasl_mechanism_filter =
>> lmtp_sasl_password_maps =
>> lmtp_sasl_path =
>> lmtp_sasl_security_options = noplaintext, noanonymous
>> lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
>> lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
>> lmtp_sasl_type = cyrus
>> proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
>> send_cyrus_sasl_authzid = no
>> smtp_sasl_auth_cache_name =
>> smtp_sasl_auth_cache_time = 90d
>> smtp_sasl_auth_enable = no
>> smtp_sasl_auth_soft_bounce = yes
>> smtp_sasl_mechanism_filter =
>> smtp_sasl_password_maps =
>> smtp_sasl_path =
>> smtp_sasl_security_options = noanonymous
>> smtp_sasl_tls_security_options = $smtp_sasl_security_options
>> smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
>> smtp_sasl_type = cyrus
>> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/usr/local/cutedge/postfix/etc/access
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = no
>> smtpd_sasl_exceptions_networks =
>> smtpd_sasl_local_domain = $mydomain
>> smtpd_sasl_path = smtpd
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> smtpd_sasl_type = cyrus
>> 
>> 
> 



Primary vs Backup MX?

2015-01-16 Thread George Ficzeri
Hello.

I hope these aren't silly questions: How does Postfix (2.9.6) determine
whether the local mail system is backup or primary MX when
permit_mx_backup is specified in main.cf?  Is it just MX record
priorities in DNS?

http://www.postfix.org/postconf.5.html#permit_mx_backup
* permit_mx_backup
Permit the request when the local mail system is backup MX for the RCPT
TO domain, ...

*Safety: as of Postfix version 2.3, permit_mx_backup no longer accepts
the address when the local mail system is primary MX for the recipient
domain.

Does this mean a MX record pointing to a mail host w/ permit_mx_backup
all that's needed to relay to it?


Re: Postfix not trying to authenticate to SMTP relay.

2015-03-05 Thread Dominik George
Hi,

> I am having an issue where Postfix does not attempt to authenticate to
> the relay I am using, even though the settings appear to be correct.
> When I look in the maillog, I see *"530 Authentication is required
> before sending"*, and when I run a packet trace, I don't see Postfix
> ever using AUTH PLAIN. Are there any other tools I can run to give me
> an idea of why Postfix is not Here is the output of postconf -n. Relay
> name and domain are sanitized for Privacy. Note that I have been able to
> successfully authenticate manually with the username/password stored in
> /etc/postfix/sasl/passwd, and that it is trying to send to the correct
> relay that is in that file.

Did you postmap the saslpasswd file?

What are its contents, minus the password?

Cheers,
Nik





Re: How to allow each user on an Ubuntu server use his/her google email and password to send the email via google smtp?

2015-03-18 Thread Dominik George
Hi,

> But the problem is that all users on the same ubuntu server will be
> able to use the same google account to send emails. Is there a way to
> configure postfix so that each Ubuntu user will use his/her own google
> account to send emails? Thanks.

You could always build transport maps dependent on sender addresses and
put something together that makes Postfix use the correct saslpass for them.

But, if you feel the need to map all your system users to Google
accounts for sending system mail, you are doing something seriously wrong.

-nik





RE: OpenDKIM

2015-11-09 Thread George Kasica
Steve & others:

I see references to RPM installs in Fedora and CentOS. Anything out there for 
the Ubuntu 14.x product?

George


From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Steve Jenkins
Sent: Friday, November 06, 2015 13:16
To: John Allen ; postfix users 
Subject: Re: OpenDKIM


On Fri, Nov 6, 2015 at 10:13 AM, John Allen <j...@klam.ca> wrote:
Is OpenDKIM worth while?
I use amavis and it says it signs and verifies DKIM so do I need anything else?

Disclaimer: as the OpenDKIM package maintainer for Fedora/EPEL, and a 
contributor to the upstream project, I'm a bit biased. :)

I'm not sure how flexible amavis' DKIM signing and verification is, but if 
you're wanting to sign for multiple domains and/or sign with different keys 
depending on the sender, OpenDKIM is an easy way to go. Very easy to use as a 
Postfix milter. OpenDKIM is still a very actively maintained project (2.11 
Alpha just came out) and focuses 100% on DKIM. I tend to like tools that focus 
on doing their "one main thing" well. And OpenDKIM is literally a 5 minute 
install.

SteveJ


Re: ldap-attribute-based routing question

2013-08-14 Thread Dominik George
Hi,

> there is no mailHost attribute in ldap (or *any* attribute that is the
> "next hop" dns name).  I need to map an attribute in ldap to something that
> *isn't* in ldap.

You could define transports with the names from LDAP as SMTP transports
in master.cf and then use these names from within your transport map.

But mailHost in LDAP would be a lot cleaner.

-nik

-- 
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
 That means, D-BUS is a tool that makes software look better
than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Google rejecting IPv6 mails

2013-09-30 Thread Dominik George

>Needless to say, that if I use IPv4 Google accepts every mail.
>
>Dis this happened to anyone else?

Yes, I also face that issue and have forced IPv4 on known Google domains. 
Google have been ignoring my support tickets about that for several weeks now.

I somehow consider Google not fit for anything a mail server should do, for a 
ton of reasons, and am thinking about blocking them in both directions (along 
with Yahoo!), if it weren't for quite some important users switching to Google 
Apps.

I am trying to get a valuable customer of Google to complain that they do not 
receive my mail, we will see how that works.

-nik
-- 
This message was sent from my Android mobile phone with K-9 Mail.



Re: Google rejecting IPv6 mails

2013-10-07 Thread Dominik George
Hi,

> > I somehow consider Google not fit for anything a mail server should
> > do, for a ton of reasons, and am thinking about blocking them in
> > both directions (along with Yahoo!), if it weren't for quite some
> > important users switching to Google Apps.
> >
> 
> I would love to know the rest of your reasons for blocking Google. A
> few months ago I moved our company's email to Gmail and users are
> extremely happy. Maybe there are some things that we are ignorant of.

Just read . My mate
got it summed up quite well.

-nik

-- 
 One Jabber account to find them all; to drive them into darkness
and bind them forever; in NaturalNet, where the shadows loom ;)!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Google rejecting IPv6 mails

2013-10-07 Thread Dominik George
> > SMTP from an address with no reverse DNS is a fairly good indicator
> > of a spam source. YMMV.
> 
> Agreed.

As a matter of fact, I *do* have working PTR, SPF, and all that stuff,
for both IPv4 and IPv6, and it doesn't help. I should note that I did
have that all the time, not just after Google decided to blacklist me. I
have tested my setup against some very restrictive mail servers, to make
sure it is sane, and a friend and I have worked together closely to
create waterproof and well-functioning mail systems. I am PMed in
various chat rooms when Postfix questions come up. The reason for Google
rejecting IPv6 mail is *not* only broken client setups. Period.

Google started rejecting IPv6 mail from my n...@naturalnet.de address to
their servers, even legitimate mail to us...@jitsi.org (why an open
source project uses Google services and *then* relay mail to their own
mail server is a mystery to me), which is an address tuple that by all
means should be known to Google as being legitimate.

Jesus, I have worked around a lot of misconfigurations by other
providers to allow me and my users to send mail there, the most
prominent one being United Internet's failure to accept 8bit MIME
messages (they were advertising 8bitmime in EHLO, then when being hit
by a real 8bit MIME message, they accepted it and cast it away in an
awful attempt to prevent backscatter because some of their internal
systems could not handle 8bit MIME). I am just tired of big companies
that sell their services not being up to the task while virtually every
little person out here in the community is.

Paying Google customers, please help us get our mails through!

Google users in general, please move away there!

-nik

-- 
* mirabilos is handling my post-1990 smartphone *
 Aaah, it vibrates! Wherefore art thou, demonic device??

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: restricting few users from sending mails outside domain (mymailsystem.com)

2013-10-08 Thread Dominik George

Hi,

>smtpd_recipient_restrictions = check_sender_access

Are you using Postfix >=2.10? If so, have you tried smtpd_relay_access?

Cheers,
Nik



Re: restricting few users from sending mails outside domain (mymailsystem.com)

2013-10-08 Thread Dominik George



Dominik George wrote:
>Hi,
>
>>smtpd_recipient_restrictions = check_sender_access
>
>Are you using Postfix >=2.10? If so, have you tried smtpd_relay_access?

smtpd_relay_restrictions, anyway.
-- 
This message was sent from my Android mobile phone with K-9 Mail.



Re: Clarification on smtp_client config settings

2013-10-08 Thread Dominik George



wie...@porcupine.org wrote:
>Thomas Moretto:
>>Can someone add some clarification to this setting:
>>
>> smtpd_client_message_rate_limit The number of
>> messages an advisor would be able to send in a 5 minute period
>> Does the counter count each unique postfix id assigned to a message
>> or does it count to each recipient?
>
>As documented this counts the number of message delivery requests.
>One message delivery request, well, requests the delivery of one
>message.
>
>   Wietse
>
>> For example, if I submit one message with the id of 09AE3ZBX
>addressed 100 different recipients does postfix count that as 1 message
>submitted or 100?
>>
>>
>
>

I think that latter part was the real question.

-nik
-- 
This message was sent from my Android mobile phone with K-9 Mail.



RE: Clarification on smtp_client config settings

2013-10-08 Thread Dominik George

On a side note: Stop the threadjacking.

Thanks!



Postfix DNS resolver blindly relying on cached Additional section?

2013-10-09 Thread Dominik George
Hi,

while debugging the Google/IPv6 issue, we discovered something strange.
Our uplink provider operates caching DNS servers, and they reply with a
rather detailed Additional section when asked for MX records, but only
with cached results.

For example, if example.com has an MX record pointing to mx.example.com,
and mx.example.com has one A and one  record, then the caching DNS
server will return as many of those records as it has cached in memory.
As most systems using the cache seem to only ask for A records, A
records appear to be cached more often than  records, but that is
irrelevant.

Most tools, mainly libc's resolver, seem to ignore the Additional
section and resolve relevant names on their own, explicitly asking for
the RR types they are interested in, and that's what seems to be
appropriate. Postfix, however, seems to rely on the Additional section
(if it has at least one RR for the MX host?), missing out on any records
that might be there but not cached by the uplink DNS server.

We do not quite see a situation where this might break badly, because
normally one MX result is to be considered as good as any other, but I
still wanted to ask whether this behaviour is intentional and the
limitations are known.

Cheers,
Nik

-- 
 So which server is that on now…?
 If it doesn't come through over the network, at Hetzner; if it isn't
read, at STRATO; if it works, at manitu.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Postfix DNS resolver blindly relying on cached Additional section?

2013-10-09 Thread Dominik George
> Confirmed, Postfix looks at the answer section only. Claims to
> the contrary are based on false speculation.

Hmm, that leads us to the original question:

Why does postfix sometimes not find the  record for any given MX?

-nik

-- 
# apt-assassinate --help
Usage: apt-assassinate [upstream|maintainer] 

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Postfix DNS resolver blindly relying on cached Additional section?

2013-10-09 Thread Dominik George
> The correct description is:
> 
> When both IPv4 and IPv6 support are enabled, the Postfix SMTP
> client, for Postfix versions prior to 2.8, will attempt to
> connect via IPv6 before attempting to use IPv4.  Starting
> with 2.8 protocol preference is controlled via the new
> smtp_address_preference parameter.

That's not the case on two independent systems here. Whether IPv4 or
IPv6 is used is completely random. This:

 for i in $(seq 1 30); do
  echo bar$i | mail -s foo$i some...@example.com
 done

has led to ~10 mails being sent with IPv6 and ~20 mails being sent with
IPv4 in our tests.

-nik

-- 
 One Jabber account to find them all; to drive them into darkness
and bind them forever; in NaturalNet, where the shadows loom ;)!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Google rejecting IPv6 mails

2013-10-13 Thread Dominik George
> > Just read . My mate
> > got it summed up quite well.
> >
> 
> Thanks, but I don't have access to your ~/.pine directory!
> 
> I'll dig through the thread, though, I'm sure that I'll find the post. Thanks!

It was posted to the list, so you will have received it, and any
reasonable MUA can search for it. Giving public message IDs is a
perfectly valid way of pointing to a message on a list.

-nik

-- 
* mirabilos is handling my post-1990 smartphone *
 Aaah, it vibrates! Wherefore art thou, demonic device??

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Google rejecting IPv6 mails

2013-10-13 Thread Dominik George
> > It was posted to the list, so you will have received it, and any
> > reasonable MUA can search for it. Giving public message IDs is a
> > perfectly valid way of pointing to a message on a list.
> 
> The string 'Pine.BSM.4.64L.1310010843490.20824' does not appear in my
> postfix-users@postfix.org folder, nor does that string appear in
> my postfix-users@postfix.org bounces folder. 

Yes. I asked the author, and it was bounced by your mailman because the
author is not a list member. Apparently, you haven't moderated it.

-nik

-- 
 So which server is that on now…?
 If it doesn't come through over the network, at Hetzner; if it isn't
read, at STRATO; if it works, at manitu.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Google rejecting IPv6 mails

2013-10-13 Thread Dominik George
On Sun, Oct 13, 2013 at 01:09:52PM -0500, Stan Hoeppner wrote:
> On 10/13/2013 8:35 AM, Dominik George wrote:
> >>> It was posted to the list, so you will have received it, and any
> >>> reasonable MUA can search for it. Giving public message IDs is a
> >>> perfectly valid way of pointing to a message on a list.
> >>
> >> The string 'Pine.BSM.4.64L.1310010843490.20824' does not appear in my
> >> postfix-users@postfix.org folder, nor does that string appear in
> >> my postfix-users@postfix.org bounces folder. 
> > 
> > Yes. I asked the author, and it was bounced by your mailman because the
> > author is not a list member. Apparently, you haven't moderated it.
> 
> If it has salient content, post the HTTP URL.

http://blog.gmane.org/gmane.os.miros.general/month=20131001

-- 
# apt-assassinate --help
Usage: apt-assassinate [upstream|maintainer] 

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Google rejecting IPv6 mails

2013-10-13 Thread Dominik George
> > http://blog.gmane.org/gmane.os.miros.general/month=20131001
> 
> WRT the first point in the blog post, Thorsten is incorrect.  Google
> does publish lists of their outbound IPs via their SPF records.
> 
> ~$ dig txt _netblocks.google.com _netblocks2.google.com

Sure, but how would you reliably whitelist them? We got information
directly from a Google lackey that this list may change at any time
because of their way to deploy servers, and I have not heard of a way to
dynamically whitelist all SPF-allowed MXs in, let's say, postgrey. You
can whitelist sender, recipients or client - now, whitelisting a sender
domain is not helpful because any domain might be Google hosted. There
is, in fact, no reliable list of *all* mail hosts that will ever (as in,
for a long time in the future) be the sending MTAs of Google-hosted
domains.

-nik

-- 
 One Jabber account to find them all; to drive them into darkness
and bind them forever; in NaturalNet, where the shadows loom ;)!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296
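
The SPF records mentioned in this exchange can be expanded into client networks, but only as a snapshot that has to be regenerated on a schedule, since, as the post notes, the published list may change. As an added example (not part of the original thread), this Python script follows `include:` and `redirect=` terms, collects the `ip4:`/`ip6:` networks and emits Postfix cidr table lines. The record names and addresses are constructed, `TXT_RECORDS.get` stands in for a real DNS TXT lookup, and the function names and the `OK` result are assumptions.

```python
import ipaddress

# Constructed TXT records: hypothetical names, documentation address ranges.
TXT_RECORDS = {
    "_spf.mailhost.example":
        "v=spf1 include:_netblocks.mailhost.example "
        "include:_netblocks2.mailhost.example ~all",
    "_netblocks.mailhost.example":
        "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 ip4:198.51.100.0/24 ~all",
    "_netblocks2.mailhost.example":
        "v=spf1 ip6:2001:db8:4000::/36 -ip4:203.0.113.0/24 mx ~all",
}


def collapse(networks):
    """Merge adjacent/overlapping networks, IPv4 first, then IPv6."""
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(
            n for n in networks if n.version == version))
    return merged


def expand_spf(domain, lookup, max_lookups=10):
    """Return (networks, unresolved) for the SPF record tree under `domain`.

    `lookup(name)` returns the SPF TXT string or None. Only include/redirect
    are followed and counted against the lookup cap; a, mx, ptr and exists
    need further DNS queries and are reported in `unresolved` instead.
    """
    networks, unresolved, seen = set(), [], set()
    remaining = max_lookups

    def walk(name):
        nonlocal remaining
        if name in seen:                      # guard against include loops
            return
        seen.add(name)
        record = lookup(name)
        if not record or not record.lower().startswith("v=spf1"):
            unresolved.append(f"{name}: no SPF record")
            return
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            body = term.lstrip("+-~?")
            lowered = body.lower()
            if lowered.startswith(("ip4:", "ip6:")):
                if qualifier != "+":          # keep only "pass" addresses
                    continue
                try:
                    networks.add(ipaddress.ip_network(body[4:], strict=False))
                except ValueError:
                    unresolved.append(f"{name}: {term}")
            elif lowered.startswith(("include:", "redirect=")):
                if qualifier != "+":
                    continue
                if remaining == 0:
                    raise RuntimeError("SPF lookup limit exceeded")
                remaining -= 1
                walk(body[8:] if lowered.startswith("include:") else body[9:])
            elif lowered.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
                unresolved.append(f"{name}: {term}")

    walk(domain)
    return collapse(networks), unresolved


def cidr_table(networks):
    """Render networks as 'pattern result' lines for a Postfix cidr table."""
    return [f"{network} OK" for network in networks]


def is_listed(address, networks):
    """True if `address` falls inside any of the expanded networks."""
    ip = ipaddress.ip_address(address)
    return any(n.version == ip.version and ip in n for n in networks)


if __name__ == "__main__":
    nets, skipped = expand_spf("_spf.mailhost.example", TXT_RECORDS.get)
    print("\n".join(cidr_table(nets)))
    print("needs manual review:", skipped)
```

Terms listed as unresolved are not covered by the generated table, so a client that is authorised only through an `mx` or `a` mechanism would still be missing from it.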




Re: Google rejecting IPv6 mails

2013-10-13 Thread Dominik George
> There is, in fact, no reliable list of *all* mail hosts that will ever
> (as in, for a long time in the future) be the sending MTAs of
> Google-hosted domains.

Apart from that, I am tired of implementing exceptions for each and
every big proprietary mail provider out there. If a company desires to
take part in federated e-mail communication, I expect them to set up
their stuff the way others expect it. If their setup is too huge to
manage it without awkward tricks, like Google dynamically assigning
roles to servers and not even reliably using subnets, whatever, for
certain roles, then they are by definition not up to the task of
operating it, be it for conceptional or personnel limitations. If we go
ahead and teach all _other_ mail systems to fit their needs, we
effectively do the work their customers pay them for.

I am close to deciding not to opt-in to that and simply not accepting
their mail if I can't using standard configurations.

-nik

-- 
# apt-assassinate --help
Usage: apt-assassinate [upstream|maintainer] 

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: disable ipv6 when sending to gmail ?

2013-10-17 Thread Dominik George
Hi,

that all sounds cool, but ...

> Anyways, my users are happy. Their mail gets delivered. See my  blog
> post
> 
> about my fix.

could you please fix that to point to something more helpful than an
empty, albeit nicely decorated, page so I can test it ☺?

Cheers,
Nik

-- 
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
 That means, D-BUS is a tool that makes software look better
than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Re: Restriction classes and ldap groups

2013-10-17 Thread Dominik George

Viktor Dukhovni wrote:
>On Thu, Oct 17, 2013 at 10:16:27AM -0400, Carlos R Laguna wrote:
>LDAP is not SQL, and inverse relations (groups of user, rather than
>users of group) are very difficult to express.

Whereas, if the LDAP users are system users, abusing nss to find this relation 
might work.

-nik
.



Re: Restriction classes and ldap groups

2013-10-17 Thread Dominik George

Carlos R Laguna wrote:
>Dominik George you mind to explain yourself a little more further.


If your LDAP users are regular system users, i.e., have the posixAccount class,
and your mail server uses them for local authentication, then obviously, the
groups command gives you a list of groups for any user.

You could reuse that in Postfix one way or another.

-nik



Re: Restriction classes and ldap groups

2013-10-17 Thread Dominik George

>> Viktor Dukhovni wrote:
>> > On Thu, Oct 17, 2013 at 10:16:27AM -0400, Carlos R Laguna wrote:
>> > LDAP is not SQL, and inverse relations (groups of user, rather than
>> > users of group) are very difficult to express.

On second thought, Viktor, I wonder what's wrong with

query_filter = (memberUid=%s)
result_attribute = cn

?

-nik



Re: Restriction classes and ldap groups

2013-10-17 Thread Dominik George

Dominik George wrote:
>>> Viktor Dukhovni wrote:
>>> > On Thu, Oct 17, 2013 at 10:16:27AM -0400, Carlos R Laguna wrote:
>>> > LDAP is not SQL, and inverse relations (groups of user, rather
>than
>>> > users of group) are very difficult to express.
>
>On second thought, Viktor, I wonder what's wrong with
>
>query_filter = (memberUid=%s)
>result_attribute = cn
>
>?
>
>-nik

Forget that. Just read my last mail ;).

-nik



Re: smtpd does not use the content_filter

2013-10-18 Thread Dominik George

Hi,

Rainer Stransky wrote:
>Although I have a content_filter configuration (master.cf):
>
>smtp  inet  n   -   n   -   - smtpd
>-o content_filter = filter:dummy

vs.

>- maillog --
>
>Oct 18 14:42:13 ahorn postfix/pickup[4623]: BA6F76370C: uid=328
>from=


You have configured the content_filter for the smtp port, but your test mail 
entered postfix through the pickup service from a local command.

This very same issue was discussed on the list a few days ago.

-nik



Re: Fwd: Question on postfix set up: stopping new connections from outside on smtp server

2013-10-18 Thread Dominik George

Viktor Dukhovni wrote:
>On Fri, Oct 18, 2013 at 04:32:54PM +0200, Benny Pedersen wrote:
>> francis picabia wrote on 2013-10-18 16:04:
>>
>> >># smtp      inet  n       -       n       -       60      smtpd
>> >
>> >If I turn off smtp there, then smtp service can't accept LAN
>> >connections on port 25.
>>
>> 127.0.0.1:smtp      inet  n       -       n       -       60      smtpd
>>
>> just not listen on wan ip
>
>No, that also turns off SMTP for "LAN" clients.

Then.. Put your LAN IP there :D.

About your firewall failing, either your firewall admin lies (have you tested 
yourself?) or the connections come in on your other ports. Your logs tell 
nothing about that; just because you have SASL enabled doesn't mean it's tried 
and logged. If you really want to know, use iptables logging.

-nik

-nik



Re: disable ipv6 when sending to gmail ?

2013-10-18 Thread Dominik George

Mark Martinec wrote:
>IMO, instead of working on workarounds, people's efforts would be
>better spent
>on setting up their DKIM and/or SPF, reverse DNS mapping, and making
>sure that
>postfix only binds to an intentionally configured IPv6 address (not on
>SLAAC
>or 'privacy extensions' random address).


I took care of all of this, and I do have working SPF, DKIM and DNS for IPv6
and did so forever.  Yet it does not make Google accept my mail.

-nik


