Re: virus_scan_failed
Oscar m Cruz wrote:

> F003D25C001 2057 Fri Aug 21 16:10:58 u...@domain.com
> (host 127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing, id=08510-11, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x816e564) Too many retries to talk to 127.0.0.1:3310 (Can't connect to INET socket 127.0.0.1:3310: Connection refused) at (eval 69) line 310. at (eval 69) line 511.; Avira AntiVir av-scanner FAILED: /usr/sbin/antivir unexpected exit 200, output=error (not enough memory available): 451-4.5.0 451-4.5.0 AntiVir / Linux Version 2.1.10-15 451-4.5.0 Copyright (c) 2007 by Avira GmbH. 451-4.5.0 All rights reserved. 451 4.5.0 at (eval 69) line 511.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan run_command (open pipe): Can't fork at /usr/lib/perl5/5.8.8/i586-linux-thread-multi/IO/File.pm line 192. at /usr/sbin/amavisd line 2565. at (eval 69) line 511. (in reply to end of DATA command))
> u...@domain.com

Notice the out of memory error above:

    error (not enough memory available)

I've seen this happen on our server before when people send us emails with large attachments. Check your mailq (postqueue -p) output, look at the size column. You may have a message in there that's so large it's crashing amavisd while it attempts to scan it. If this is indeed the problem you may want to extract or delete it (postsuper, postcat) from the mail spool and look at setting a lower message_size_limit in your main.cf file.
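The size-column check suggested in the reply above, as an added example (not part of the original post): it parses `postqueue -p` output and lists queued messages larger than a limit, together with the deferral reason. The sample queue listing is constructed, the function names are hypothetical, and 10240000 is Postfix's default message_size_limit.

```python
import re

# Postfix's built-in default for message_size_limit, in bytes.
DEFAULT_MESSAGE_SIZE_LIMIT = 10240000

# Constructed sample of `postqueue -p` output (addresses and IDs are made up).
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
F003D25C001     2057 Fri Aug 21 16:10:58  sender@example.com
(host 127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing, virus_scan FAILED (in reply to end of DATA command))
                                         rcpt@example.net

A1B2C3D4E5F* 48234496 Fri Aug 21 16:02:11  bigsender@example.org
                                         rcpt@example.net

-- 47106 Kbytes in 2 Requests.
"""

# First line of a queue entry: ID, optional status flag
# ('*' = being delivered, '!' = on hold), size in bytes, arrival time, sender.
ENTRY = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)\s*$"
)


def parse_mailq(text):
    """Return one dict per queued message found in `postqueue -p` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({
                "qid": m.group("qid"),
                "active": m.group("flag") == "*",
                "held": m.group("flag") == "!",
                "size": int(m.group("size")),
                "arrival": m.group("arrival"),
                "sender": m.group("sender"),
                "reason": None,
            })
        elif entries and line.strip().startswith("("):
            # Deferral reason printed under the entry it belongs to.
            entries[-1]["reason"] = line.strip()
    return entries


def oversized(entries, limit_bytes):
    """Messages above limit_bytes, largest first."""
    big = [e for e in entries if e["size"] > limit_bytes]
    return sorted(big, key=lambda e: e["size"], reverse=True)


if __name__ == "__main__":
    for e in oversized(parse_mailq(SAMPLE_MAILQ), DEFAULT_MESSAGE_SIZE_LIMIT):
        print(f'{e["qid"]}  {e["size"]:>12} bytes  from {e["sender"]}')
```

On a live system the input would come from `postqueue -p`; a queue ID reported here is what `postcat -q` and `postsuper -d` take.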
Re: How to forward emails to specific IP address
Peter Macko wrote:

> How can I forward emails to a specific mailserver ip address? I do not want postfix to make DNS lookup for actual mailserver ip address. I am using /etc/aliases
>
>     u...@domain1.com: u...@domain2.com
>
> I would like to specify mailserver's ip address for @domain2.com in some configuration file. Is that possible?

Try:

/etc/postfix/transport:

    domain2.com smtp:[x.x.x.x]

/etc/postfix/main.cf:

    transport_maps = hash:/etc/postfix/transport

    $ postmap /etc/postfix/transport

More detailed info: http://www.postfix.org/transport.5.html
Re: Tip: Restricting mail reception using a remote service's SPF records
Ville Walveranta wrote:

> It works except that the Postfix refresh message (postfix/postfix-script: refreshing the Postfix mail system) is displayed despite the attempt to redirect it to /dev/null? Any idea how I could hide it?

It's probably writing to stderr,

    postfix reload 2>/dev/null        # stderr only
    postfix reload >/dev/null 2>&1    # stdout and stderr

Though if it writes an error to the screen, you'll miss it.

J.P.
Re: spammers masquerading as me
Stuart Matthews wrote:

> I have already tried editing /usr/local/etc/postfix/access, adding:
>
>     eff.org REJECT you can't send mail as me!
>
> And of course I ran postmap after this. I have also tried using the setting that rejects mail that says HELO eff.org.

You say check_sender_access didn't work, did you use it with smtpd_recipient_restrictions? A similar setup to the following works for us (this is a modified version of your output from postconf -n):

    smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        check_sender_access hash:$config_directory/access # Look Here
        reject_non_fqdn_recipient
        reject_multi_recipient_bounce
        reject_unknown_recipient_domain
        reject_unauth_destination
        reject_unlisted_recipient
        permit_mx_backup
        permit

$config_directory/access:

    t...@eff.org REJECT

This is just a guess and a proposed solution, you probably need to supply supporting log entries for cases it didn't work to get to the bottom of what's really wrong.
keep recipient_bcc_maps from picking up aliases in virtual_alias_maps
Is it possible to avoid recipient_bcc_maps picking up aliases in the virtual_alias_maps table? I have a pcre recipient_bcc_map entry that catches an entire domain and forwards it in such a way that the transports table hands it to my archivemail transport:

    # cat recipient_bcc
    /(.*)@judelawfirm.com$/ $...@judelawfirm.com.archive

    # cat transports
    s...@spam-catcher.spam spam-mail:
    h...@ham-catcher.ham ham-mail:
    .archive archivemail:
    .vacation vacation:

The problem is the recipient_bcc_map catches virtual aliases too and tries to hand them over to my archivemail transport which doesn't like it because the virtual alias isn't a real mail box. I suppose I could tweak my archivemail service in such a way that it checked if the account was a real mail box or not and discard it accordingly... just wondering if there is possibly another way around it.

    # postconf -n
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    inet_interfaces = all
    mailbox_size_limit = 0
    maximal_backoff_time = 1h
    message_size_limit = 0
    minimal_backoff_time = 10m
    mydestination = vmail1.judelawfirm.com, vmail1.jude
    myhostname = vmail1.judelawfirm.com
    mynetworks = 127.0.0.0/8 192.168.1.0/24
    myorigin = vmail1.judelawfirm.com
    queue_run_delay = 120s
    readme_directory = no
    recipient_bcc_maps = pcre:/etc/postfix/recipient_bcc
    recipient_delimiter = +
    sender_bcc_maps = pcre:/etc/postfix/recipient_bcc
    smtp_enforce_tls = no
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_restrictions = check_client_access hash:/etc/postfix/white_list check_client_access pcre:/etc/postfix/black_list_client_country check_client_access hash:/etc/postfix/black_list
    smtpd_data_restrictions = reject_unauth_pipelining permit_mynetworks permit_sasl_authenticated
    smtpd_enforce_tls = no
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_hostname reject_non_fqdn_hostname check_helo_access hash:/etc/postfix/white_list check_helo_access pcre:/etc/postfix/black_list_helo_country check_helo_access hash:/etc/postfix/black_list
    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:/etc/postfix/white_list check_sender_access hash:/etc/postfix/black_list check_sender_access pcre:/etc/postfix/black_list_sender_country reject_unlisted_recipient reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    transport_maps = hash:/etc/postfix/transports
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:1000
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_minimum_uid = 1000
    virtual_transport = dovecot
    virtual_uid_maps = static:1000
Re: reverse lookups
Yes it does:

    # host adsl-99-29-103-142.dsl.hstntx.sbcglobal.net
    adsl-99-29-103-142.dsl.hstntx.sbcglobal.net has address 99.29.103.142

SBC Global's ns1.swbell.net does answer with the appropriate IP address, but neither our company's name servers nor my local dns on my home network can resolve adsl-99-29-103-142.dsl.hstntx.sbcglobal.net. I restarted named on my local network (cleared its cache) and now it resolves. This behavior can be expected when dealing with dynamic dns updates, in other words, the updates do not propagate across the internet instantly.
Re: reverse lookups
ghe wrote:

> Oh, dear! I'm not sure what, if anything, I can do about this, but thanks to you all for the response(s). Maybe a non-caching name server might help.

I don't think there's anything you can do about it. The settings for how long a cached record stays alive and when an update is attempted for said record are set in the zone's SOA record which is controlled by the DNS administrator(s) at SBC Global in this case.
Re: [maybe OT] postfix HA
mouss wrote:

> I am trying to collect methods to setup postfix in an HA configuration, for outbound relay (no MUA involved). a use case is using multiple postfix boxes to relay mail out for one or more exchange servers. there are many possibilities. which one is good/recommended/easy/blahblah?
>
> This is somewhat off topic since the problem is mostly on the client (exchange or other) side rather than postfix. but I think this is a real need. and if I get enough infos, I can aggregate them and submit that as a howto/readme.

OpenBSD has a protocol called CARP (Common Address Redundancy Protocol) that in a nutshell allows a virtual IP address to be shared among many systems. It can do load balancing and fail-overs and is pretty easy to work with from my experience. I've only used it in testing, so I can't speak for how it stands up to real world scenarios. It was developed to be an improvement over VRRP (previously mentioned in another email to this thread) and because of licensing issues with VRRP. CARP appears to be supported on FreeBSD and NetBSD also. There is a project for Linux called uCARP that implements a user-space daemon of this protocol.

Here's some links for some more info:

http://www.openbsd.org/faq/faq6.html#CARP
http://www.freebsd.org/doc/en/books/handbook/carp.html
http://www.netbsd.org/docs/guide/en/chap-carp.html
http://www.ucarp.org/project/ucarp
http://www.countersiege.com/doc/pfsync-carp/
RE: Outbound mail routing
On Tue, 10 Mar 2009 09:12:43 -0400, Zachary Fortna zfor...@cxtec.com wrote:

> Is it possible to do this on the domain level as opposed to the user level? That way everything from example.com goes to gateway 1 and everything from example.net goes to gateway 2?

Have a look at: http://www.postfix.org/postconf.5.html#transport_maps

And: http://www.postfix.org/transport.5.html
RE: Outbound mail routing
On Tue, 10 Mar 2009 09:12:43 -0400, Zachary Fortna zfor...@cxtec.com wrote:

> Is it possible to do this on the domain level as opposed to the user level? That way everything from example.com goes to gateway 1 and everything from example.net goes to gateway 2?

I may have goofed, I'm not sure what I suggested is good for outbound mail. Probably worth having a look anyway.
Re: forward to an external command
George wrote:

> I have postfix with postfixadmin and everything stored in a mysql database. How do I forward emails sent to a mail account to an external command?

Since you are using virtual aliases (postfixadmin w/mysql assumes so) you'll need to set up a pipe transport in master.cf and proper settings in /etc/postfix/transports. See the man pages of pipe and transport for more details than what you'll find in this email.

virtual alias:

    foo...@example.com foo...@my_custom_transport.example.com

add to /etc/postfix/transports:

    my_custom_transport.example.com my_custom_transport:

add to /etc/postfix/main.cf:

    transport_maps = hash:/etc/postfix/transports

add to /etc/postfix/master.cf:

    my_custom_transport unix - n n - - pipe
      flags=flags_from_pipe_manual user=some_user:some_group argv=/path/to/my_custom_script vars_from_pipe_manual

This may be incomplete. It is a rough (very rough?) example of the configuration. I strongly recommend having a look at the pipe and transport manuals before attempting to implement any of this.
Re: forward to an external command
> > What is my_custom_transport.example.com ? A subdomain?
>
> Yes. In addition, this list uses example.com as a basis quite frequently. You didn't provide your own domain, so J.P. used this as an example.

As a side note, it doesn't have to be a real sub-domain. When the mail is handed off to postfix my_custom_transport.example.com will be found in the transport_maps table since you defined it there (or will soon enough) along with my_custom_transport. From there postfix will try to deliver the mail using the definition of my_custom_transport in master.cf. I'm sure some folks can get into more details than I can on what really happens, but in a nutshell this is how things will flow.

When you create your pseudo domain for use in this setup, it's probably best to use a non existent sub-domain or some variant of your real domain just to help avoid confusion or complications down the road. This is not guaranteed to prevent problems, but in my opinion it's a good first step to avoiding them. I haven't personally seen a best practices guide for these sorts of situations. Just don't call your pseudo domain (gmail|yahoo|hotmail).com or some other real domain that accepts mail.
Re: Postfix tarball uninstall
Paul wrote:

> That will only list the files which are installed, but it also configures FreeBSD to use it as its MTA, that will not be uninstalled by just removing the files I guess.

That should be easy to deal with. These settings are changed in a file called mailer.conf. Here's the documentation from FreeBSD on the topic: http://www.freebsd.org/doc/en/books/handbook/mail-changingmta.html
submission port requiring starttls even when set not to
I'm trying to implement a white list with check_sender_access in smtpd_recipient_restrictions. The problem I'm running into is that the submission port is requiring TLS even when I have set smtpd_enforce_tls=no and smtp_enforce_tls=no in main.cf and specified them as options for the submission entry master.cf. The details are, I'm trying to change the transport for white listed domains so that the spam filters and what not are bypassed. The mail delivery attempt via the submission port fails every time with Must issue a STARTTLS command first. I feel confident that I'm overlooking something obvious but I've given all the various config settings I can think of an attempt with the same outcome.

This is all dev stuff, none of it is set in stone. If anyone has a better suggestion on how to bypass the spam filters and what not for certain domains, I'm ready to listen.

From here on is my postconf -n, white_list file for check_sender_access, submission entry from master.cf and the relevant log entries.

postconf -n:

    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    inet_interfaces = all
    mailbox_size_limit = 0
    maximal_backoff_time = 300s
    message_size_limit = 0
    minimal_backoff_time = 120s
    mydestination = maildev.judelawfirm.com
    myhostname = maildev.judelawfirm.com
    mynetworks = 127.0.0.0/8 192.168.1.0/24
    myorigin = maildev.judelawfirm.com
    queue_run_delay = 120s
    readme_directory = no
    recipient_bcc_maps = pcre:/etc/postfix/recipient_bcc
    recipient_delimiter = +
    sender_bcc_maps = pcre:/etc/postfix/recipient_bcc
    smtp_enforce_tls = no
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_data_restrictions = reject_unauth_pipelining permit_mynetworks permit_sasl_authenticated
    smtpd_enforce_tls = no
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_hostname reject_non_fqdn_hostname
    smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:/etc/postfix/black_list check_sender_access hash:/etc/postfix/white_list reject_unlisted_recipient reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    transport_maps = hash:/etc/postfix/transports
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:1000
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_minimum_uid = 1000
    virtual_transport = dovecot
    virtual_uid_maps = static:1000

/etc/postfix/white_list:

    gmail.com FILTER smtp:[127.0.0.1]:submission

submission entry from /etc/postfix/master.cf:

    submission inet n - - - - smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_enforce_tls=no
      -o smtp_enforce_tls=no
      -o mynetworks=127.0.0.0/8
      -o smtpd_client_restrictions=permit_my_networks,permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      -o content_filter=

log entries:

    Mar 4 13:48:10 mail1 postfix/smtpd[15692]: connect from qw-out-2122.google.com[74.125.92.26]
    Mar 4 13:48:11 mail1 postfix/smtpd[15692]: NOQUEUE: filter: RCPT from qw-out-2122.google.com[74.125.92.26]: jptroscl...@gmail.com: Sender address triggers FILTER smtp:[127.0.0.1]:submission; from=jptroscl...@gmail.com to=jptroscl...@itdevel.net proto=ESMTP helo=qw-out-2122.google.com
    Mar 4 13:48:11 mail1 postfix/smtpd[15692]: 35B9C19C717: client=qw-out-2122.google.com[74.125.92.26]
    Mar 4 13:48:11 mail1 postfix/cleanup[15697]: 35B9C19C717: message-id=49aedb33.1020...@gmail.com
    Mar 4 13:48:11 mail1 postfix/qmgr[15691]: 35B9C19C717: from=jptroscl...@gmail.com, size=1989, nrcpt=2 (queue active)
    Mar 4 13:48:11 mail1 postfix/smtpd[15699]: connect from localhost[127.0.0.1]
    Mar 4 13:48:11 mail1 postfix/smtp[15698]: 35B9C19C717: to=jptroscl...@itdevel.net, relay=127.0.0.1[127.0.0.1]:587, delay=0.34, delays=0.31/0.01/0.02/0, dsn=5.7.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
    Mar 4 13:48:11 mail1 postfix/smtp[15698]: 35B9C19C717: to=jptroscl...@itdevel.net.archive,
Re: submission port requiring starttls even when set not to (Resolved)
LuKreme wrote:

> On 4-Mar-2009, at 13:08, J.P. Trosclair wrote:
>
> > submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt
>
> Why?

I didn't explicitly add it. It was a left over from the default master.cf for the postfix package on debian 5.0. It's gone and everything is good, for now.
Re: submission port requiring starttls even when set not to (Resolved)
Jorey Bump wrote:

> Put it back. smtpd_enforce_tls is deprecated since Postfix 2.3 and smtpd_tls_security_level should be used instead.

I'll research the smtpd_tls_security_level option further. It didn't present a problem until I started working on this specific feature with the white lists. I have created another smtpd instance to forward white listed domains to rather than trying to utilize the submission port. I felt like I was over-complicating (because of archiving with *_bcc_maps and duplicate mails) the functionality of the submission service and thus headed down a bumpy road, maybe I'm wrong about this though. At the same time the submission service seems like the ideal place to hand this mail over to for final delivery since it's intended (for us) to allow trusted clients to bypass filtering and spam checks.
comcast mx's -- bad ssl certs?
Some of Comcast's MX servers (mx1.comcast.net, mx2.comcast.net are the ones I've verified so far) appear to be handing out test SSL certificates, at least that's the best guess I can make from the research I've done so far. I reserve the right to be absolutely wrong. I've been battling over this for 2 days now. I've seen other references to this problem and even some (one from this list back in January) suggesting that comcast says they're going to fix the problem, but it doesn't seem that they have. None of the references to the bad SSL certificate that I've seen have indicated delivery failures such as the ones I'm about to describe.

The problems this is causing us are connections dropping and connections timing out while trying to deliver mail to comcast (I don't understand why just yet). It doesn't happen all the time, but it happens enough that we're getting complaints about it. For now I've disabled smtp_tls_* which gets the comcast destined mail out of the queue and on to their servers. I'm not really happy about these changes and I don't understand how the bad SSL certs are related to the connection drops and timeouts, but to the best I can tell they are related because turning off TLS in the smtp client pushes the mail out just fine. Maybe it's just coincidence but every single time this has happened, turning off TLS in the smtp client was the only way I could get the mail to change hands with comcast without a connection drop or timeout in the middle.

I've included logs, postconf -n as well as openssl s_client tests at the end of this email in that order.

J.P.

    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net: num=19:self signed certificate in certificate chain
    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net: num=24:invalid CA certificate
    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net: num=26:unsupported certificate purpose
    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net: num=10:certificate has expired
    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net:certificate has expired
    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net:certificate has expired
    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net: num=10:certificate has expired
    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net:certificate has expired
    Feb 12 10:37:45 mail1 postfix/smtp[15974]: certificate verification failed for mx1.comcast.net:certificate has expired
    Feb 12 10:38:21 mail1 postfix/smtp[15974]: 1D48E6A011B: lost connection with mx1.comcast.net[76.96.62.116] while sending message body
    Feb 12 10:39:15 mail1 postfix/smtp[15974]: 1D48E6A011B: to=omittedforpriva...@comcast.net, relay=mx2.comcast.net[76.96.30.116]:25, delay=108, delays=3.5/0.01/64/41, dsn=4.4.2, status=deferred (lost connection with mx2.comcast.net[76.96.30.116] while sending message body)
    Feb 12 10:41:39 mail1 postfix/qmgr[30562]: 1D48E6A011B: from=omittedforpriv...@judelawfirm.com, size=5299467, nrcpt=2 (queue active)
    Feb 12 10:50:41 mail1 postfix/error[16632]: 1D48E6A011B: to=omittedforpriva...@comcast.net, relay=none, delay=793, delays=252/542/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: conversation with mx2.comcast.net[76.96.30.116] timed out while sending message body)

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    disable_vrfy_command = yes
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    maximal_backoff_time = 300s
    message_size_limit = 0
    minimal_backoff_time = 120s
    mydestination = judelawfirm.com, mail1.judelawfirm.com, mail1.jude, localhost, localhost.localdomain, localhost.judelawfirm.com
    mydomain = judelawfirm.com
    myhostname = mail1.judelawfirm.com
    mynetworks = 127.0.0.0/8, 192.168.1.0/24
    myorigin = mail1.judelawfirm.com
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    queue_run_delay = 120s
    readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
    sample_directory = /usr/share/doc/postfix-2.4.5/samples
    sender_bcc_maps = hash:/etc/aliases_bcc
    sender_canonical_classes = header_sender
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_banner = $myhostname ESMTP
    smtpd_data_restrictions = reject_unauth_pipelining permit_mynetworks permit_sasl_authenticated
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
Re: Mail Received But Not Delivered
Rich Shepard wrote:

> On Wed, 11 Feb 2009, Terry Carmen wrote:
>
> > What do you get with: grep E4041AAE /var/log/maillog
>
> Terry,
>
>     Feb 9 11:43:58 salmo postfix/smtpd[17963]: E4041AAE: client=vms173007pub.verizon.net[206.46.173.7]
>     Feb 9 11:43:59 salmo postfix/cleanup[17966]: E4041AAE: message-id=88ba18204f8d4137a8f4a4b0601d2...@mrdsoffice
>     Feb 9 11:43:59 salmo postfix/qmgr[32715]: E4041AAE: from=usern...@gte.net, size=4572, nrcpt=1 (queue active)
>     Feb 9 11:44:01 salmo postfix/local[17967]: E4041AAE: to=rshep...@appl-ecosys.com, relay=local, delay=4, delays=1.4/0/0/2.6, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
>     Feb 9 11:44:01 salmo postfix/qmgr[32715]: E4041AAE: removed

Might be worth turning on logging procmail. I don't see any problem from postfix, looks like the mail was delivered and whatever procmail did with it will probably be revealed via procmail's log for future messages.

In procmailrc:

    LOGFILE=/path/to/procmail.log

J.P.
Re: Duplicate messages
Gabriel Hahmann wrote:

> Ok J.P
>
> In fact the log entries looks like normal, like normal message sent. When I sent a mail to the global alias (which is my alias to all users), in the mail.log appear a message from me to the global alias and then a message from me to each user listed in the alias. The problem is that this message, after sent to all users, appear again, like if I sent them again. So the logs looks normal.
>
> The alias is as follows:
>
>     MAILER-DAEMON: postmaster
>     postmaster: root
>     webmaster: root
>     daemon: root
>     clamav: root
>     # Well-known aliases.
>     manager: root
>     abuse: root
>     root: super
>     nilton: super
>     ead: super,rosangelaalemmos
>     limpezaesperia: cris
>     manutencao: rosanaveraldi
>     limpezafund: rosanaveraldi
>     portaria: ceciliapougy
>     odilon: rosanaveraldi
>     transpescolar: ceciliapougy
>     cantina: ceciliapougy
>     portariainf: soniaregina
>     manutencaoinf: sueliyatabe
>     limpezainf: syeliyatabe
>     eadadmin: super,rosangelaalemmos
>     giselebourdon: giselebordon
>     rrlucas: rosangelaalemmos
>     # Temporary alias
>     regiane: regianefernandes
>     global: adelina,adrianacampioni,adrianarogatto,anapaula,andreacordeiro,andreakleiber,andrearodrigues,associacaodepais,beatriz,bete,bia_marquezi,biblioteca,camilla,ceciliapougy,clicie,cris,crisciencias,cristiane,cristianeserra,cristina,danielacamargo,daniele,daniella,deboranaso,deborarana,elaine,elainemartins,elaineoliveira,elaineponce,elenice,erica,evandro,fabia,fabiana,fabianabargieri,fanny,fernanda,filipe,giselebordon,heloisa,ismenia,jamaika,jessica,jo,joycenunes,joycecarolina,julianacodognato,julianashimizu,katarina,kell,ledacruz,leticia,lilian,luciane,luizgreco,malu,marcia,marciateixeira,margafurginele,margarethdacquarica,margarethtieppo,mariadocarmo,mariaeugenia,mariaines,marialucia,mariana,marianasilva,miriam,miriammello,monicafarias,monicapadroni,monicasouza,nanci,nilvarosa,nycollebriz,patriciaferraz,projetovida,recepcao,regianefernandes,renatarodrigues,rita,ritapalma,rosanaabranches,rosanaveraldi,rosangelabrito,roseliorsolon,sandra,shirley,silviacristina,silviaelayne,solanger,soniagodoy,soniaregina,sueliyatabe,suzanamesquita,suzanarodrigues,valeria,valeriabenelli,webmaster,ymeit,kamila,camila,carolferigolli,alessandra,neide,jaircapoeira,fernandojudo,joaoteatro,annathereza,clarice,fabiofutsal,magda,mariacarmoalmeida,marialuiza,max,raquel,tathiana,tereza,verlucia,danielly,eduardo,marina,viviane,julianabonito,deboraballet,marcosjudo,renataballet,leofutsal,gugacirco,katarinasilva,juliana,soniafavaretto,marciatubone,cassiaviana,paula,nayana,geisa,meire,andreamalvar,comissao9ano,fernandapaes,renatapetri,julia,tatiana,geraldo,pauloteatro,lorilisa,carlarizzo,andreamiguel,eriana,renata,monicateixeira,rosangelaalemmos,thaina,juliana,filomena,julianacristina,andreaabrantes,giseleanselmo,carolina,yara,nathaliagomes,netecardoso,nete,fernandavaladares,fabio,mariatereza,thiago,mariapaula,valeriafederici,mayra,francine,suzane,janaina,daniele.henriques,ritadecassia,danielehenriques,ritafreitas,mariangela,julianaprezia,rosangelacremaschi,adrianacoan,affonsoneto,mariangela,super
>
> Any help will be appreciated.
>
> Thanks, Gabriel.
>
> On Wed, Jan 28, 2009 at 4:15 PM, J.P. Trosclair jptroscl...@judelawfirm.com wrote:
>
> > Gabriel Hahmann wrote:
> >
> > > When somebody sends an email to that alias, all users from my organization keep receiving this message 10, 20, 30, 40 times, 40 times the same message that was sent only once.
> >
> > Relevant log entries and a copy of the alias would also help while trying to figure out what's wrong. Most answers are a shot in the dark without them.

Is it possible the messages are being passed through a filter that is causing some sort of loop? I know you say the logs are fine, but it's really a shot in the dark without seeing them. The logs will reveal where the messages are originating from each time they pass through the system. This will help to indicate if some sort of loop is occurring internally.

For example, if the messages arrive from localhost the second, third and fourth time they get sent out to everyone then the cause is almost definitely internal and we know to look harder at what's going on internally. The logs are where the clues will be.

Also, for your benefit, please CC the list when replying. There are people on this list that know postfix far better than myself. The more eyes the better if you want your problem resolved as quickly as possible.
Re: Duplicate messages
Gabriel Hahmann wrote:

> When somebody sends an email to that alias, all users from my organization keep receiving this message 10, 20, 30, 40 times, 40 times the same message that was sent only once.

Relevant log entries and a copy of the alias would also help while trying to figure out what's wrong. Most answers are a shot in the dark without them.
postfix / maildir / nfs -- and good nfs implementations
I've got a couple of questions about using maildir on top of nfs in a HA setup.

1. What are the chances of duplicate file names when running multiple instances of postfix delivering in maildir format to the same location?

2. That said, Postfix will in many cases work very well on NFS, because Postfix implements a number of workarounds (see below). Good NFS implementations seldom if ever give problems with Postfix, so Wietse recommends that you spend your money wisely.

   Could someone provide information on success utilizing particular NFS implementations in their setups? I've used NFS more than once but I honestly have no idea if the systems I've used it on would be good candidates alongside postfix.

Thanks
null local-part addresses
I found this old thread suggesting that postfix doesn't allow null local-part addresses but it doesn't say which version this policy went into effect: http://archives.neohapsis.com/archives/postfix/2006-08/0445.html

I'm using postfix 2.4.5 and experiencing this problem. From what I can tell this version was released in 2007 but the thread dates back to 2006. I'd just like to confirm that this is a version affected and not a configuration issue before I run out and upgrade.

grep 906B36A009B /var/log/maillog:

    Jan 21 07:46:07 mail1 postfix/smtpd[27871]: 906B36A009B: client=unknown[201.255.125.23]
    Jan 21 07:46:08 mail1 postfix/cleanup[27881]: 906B36A009B: message-id=20090121134607.906b36a0...@mail1.judelawfirm.com
    -- here --
    Jan 21 07:46:08 mail1 postfix/qmgr[4724]: 906B36A009B: from=@judelawfirm.com, size=2093, nrcpt=1 (queue active)
    --
    Jan 21 07:46:09 mail1 amavis[26797]: (26797-20) Blocked SPAMMY, [201.255.125.23] [201.255.125.23] @judelawfirm.com - @judelawfirm.com, Message-ID: 20090121134607.906b36a0...@mail1.judelawfirm.com, mail_id: O5s6kr+zG+UF, Hits: 20.129, 1024 ms
    Jan 21 13:46:09 mail1 postfix/smtp[27876]: 906B36A009B: to=@judelawfirm.com, relay=127.0.0.1[127.0.0.1]:10024, delay=2.7, delays=1.7/0/0/1, dsn=5.5.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 501 5.5.0 Rejected by MTA([127.0.0.1]:10025): 501 5.1.7 Bad sender address syntax, id=26797-20 (in reply to end of DATA command))
    Jan 21 07:46:10 mail1 postfix/bounce[28005]: 906B36A009B: sender non-delivery notification: F40CE6A011B
    Jan 21 07:46:10 mail1 postfix/qmgr[4724]: 906B36A009B: removed

postconf -n:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    disable_vrfy_command = yes
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = judelawfirm.com, mail1.judelawfirm.com, mail1.jude, localhost, localhost.localdomain, localhost.judelawfirm.com
    mydomain = judelawfirm.com
    myhostname = mail1.judelawfirm.com
    mynetworks = 127.0.0.0/8, 192.168.1.0/24
    myorigin = mail1.judelawfirm.com
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
    sample_directory = /usr/share/doc/postfix-2.4.5/samples
    sender_bcc_maps = hash:/etc/aliases_bcc
    sender_canonical_classes = header_sender
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP
    smtpd_data_restrictions = reject_unauth_pipelining permit_mynetworks permit_sasl_authenticated
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_hostname
    smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_unlisted_recipient check_sender_access hash:/etc/postfix/sender_access reject_non_fqdn_recipient
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
Re: understanding postfix log
William Kisman wrote:
What are the possibilities that the spammer could use my mail server to spam ?

First check if your server is an open relay using this service:

http://www.abuse.net/relay.html

Also if you think that a sasl user/pass has been compromised, change the password. You can look through the mail log for an instance where a spam passed through and get the id:

Jan 2 07:05:04 mail1 postfix/smtp[26253]: 0B2DC6A009B: -- This is the id

Once you get the id, you can grep that specific id to get all of the log entries related to it at which point you can see where the connection came from and if it was authenticated:

Jan 2 01:05:03 mail1 postfix/smtpd[25860]: 0B2DC6A009B: client=mail1.xxx.com[x.x.x.x], sasl_method=LOGIN, sasl_username=johndoe

If the connection was authenticated and you know it should not have been and the message should have been rejected, then a password has possibly been compromised.

J.P.
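The queue-ID lookup described in the post above, generalized into a small script that groups every log line by queue ID and reports the client and SASL login behind each message. This is an added example, not part of the original post; the log lines, hosts and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the Postfix syslog format quoted in the post
# (hosts, addresses and queue IDs are made up for this example).
SAMPLE_LOG = """\
Jan  2 01:05:03 mail1 postfix/smtpd[25860]: 0B2DC6A009B: client=host1.example.net[203.0.113.7], sasl_method=LOGIN, sasl_username=johndoe
Jan  2 01:05:03 mail1 postfix/cleanup[25871]: 0B2DC6A009B: message-id=<20090102070503.0B2DC6A009B@mail1.example.com>
Jan  2 01:05:03 mail1 postfix/qmgr[4724]: 0B2DC6A009B: from=<johndoe@example.com>, size=2093, nrcpt=1 (queue active)
Jan  2 01:05:04 mail1 postfix/smtp[26253]: 0B2DC6A009B: to=<someone@example.org>, relay=mx.example.org[198.51.100.25]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jan  2 01:05:04 mail1 postfix/qmgr[4724]: 0B2DC6A009B: removed
Jan  2 01:07:10 mail1 postfix/smtpd[25902]: connect from unknown[198.51.100.99]
Jan  2 01:07:10 mail1 postfix/smtpd[25902]: 3F1A26A00AC: client=unknown[198.51.100.99]
Jan  2 01:07:11 mail1 postfix/qmgr[4724]: 3F1A26A00AC: from=<a@example.net>, size=900, nrcpt=1 (queue active)
Jan  2 01:07:12 mail1 postfix/local[25910]: 3F1A26A00AC: to=<bob@example.com>, relay=local, delay=0.3, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# "postfix/<daemon>[pid]: <QUEUEID>: <rest>". Lines without a queue ID
# (connect/disconnect, NOQUEUE rejects) do not match and are skipped.
LINE_RE = re.compile(r"postfix/([\w-]+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
# key=value pairs; a value is either <bracketed> or runs to a comma/space.
PAIR_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")


def trace(log_text):
    """Group log lines by queue ID and keep the fields that answer
    'where did it come from, and was the session authenticated?'."""
    records = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        daemon, qid, rest = match.groups()
        rec = records.setdefault(qid, {
            "client": None, "sasl_username": None,
            "sender": None, "deliveries": [],
        })
        fields = {}
        for key, value in PAIR_RE.findall(rest):
            # Keep the first occurrence so text quoted inside a bounce
            # reason cannot overwrite the real field.
            fields.setdefault(key, value.strip("<>"))
        if daemon == "smtpd" and "client" in fields:
            rec["client"] = fields["client"]
            rec["sasl_username"] = fields.get("sasl_username")
        elif daemon == "qmgr" and "from" in fields:
            rec["sender"] = fields["from"]
        elif "to" in fields and "status" in fields:
            rec["deliveries"].append(
                (fields["to"], fields.get("relay"), fields["status"]))
    return records


def messages_per_sasl_user(records):
    """Count queued messages per SASL login. A login that suddenly owns
    most of the outbound traffic is the first password to reset."""
    return Counter(r["sasl_username"] for r in records.values()
                   if r["sasl_username"])


def describe(qid, rec):
    auth = (f"authenticated as {rec['sasl_username']}"
            if rec["sasl_username"] else "not authenticated")
    return f"{qid}: client={rec['client']} ({auth}) from=<{rec['sender']}>"


if __name__ == "__main__":
    traced = trace(SAMPLE_LOG)
    for queue_id, record in traced.items():
        print(describe(queue_id, record))
        for rcpt, relay, status in record["deliveries"]:
            print(f"    to=<{rcpt}> relay={relay} status={status}")
    print(dict(messages_per_sasl_user(traced)))
```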
Re: howto setup outgoing port to 587 ?
sean darcy wrote:
I have an asterisk voip server that receives faxes and converts them to pdf. What I then want to do is email the pdf's to my two mailboxes - one on 1and1.com, the other on gmail. My ISP, ATT blocks port 25. I think if I just send the email to port 587 ( which is how I've configured Thunderbird ) this should work. I'm using Fedora 9, which comes with sendmail as the default MTA. I've spent a lot of time avoiding learning how to use or configure an MTA. Looking at the sendmail docs, it's clear postfix is a _lot_ easier to configure. So, I'm switching. But I still haven't figured out how to just set the outgoing port to 587. Any help appreciated.
sean

You can look at using transport_maps in main.cf, here's an example:

/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transports

/etc/postfix/transports:
gmail.com smtp:[smtp.gmail.com]:587
1and1.com smtp:[smtp.1and1.com]:587

After you make these changes you'll need to postmap the transports file and reload postfix's configuration.

J.P.
Re: howto setup outgoing port to 587 ?
sean darcy wrote:
postmap the transports file? as in postmap /etc/postfix/transports ??

Yes

and reload postfix's configuration. service postfix restart ??

Sure, or 'postfix reload', unless stated otherwise.

How do I set up postfix to provide SASL authentication?

Check this link out:

http://www.postfix.org/SASL_README.html#client_sasl

Also might want to have a look at the transport man(ual) page.

J.P.
Re: mail forward based on user to specific filter then to another address
On Dec 10, 2008, at 9:31 PM, MacShane, Tracy wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J.P. Trosclair
Sent: Thursday, 11 December 2008 10:32 AM
To: postfix-users@postfix.org
Subject: mail forward based on user to specific filter then to another address

Hi, I've got a user that wants their mail forwarded to their blackberry account. No big deal. The catch is they want attachments stripped first. I've found this tool called renattach that does just that. I set this up in main.cf:

This is not solving the question you asked, but what is wrong with the user not selecting the option on his/her Blackberry to download the attachments? Attachments are not delivered to the device until such time as you specifically prompt to download them. The attachment pointer is just that, a *pointer*.

We allow attachments larger than what the blackberry smtp servers allow and this generates a bounce message to the sender when the limit is reached or exceeded. The bounce is to be avoided. It has nothing to do with the user downloading the attachment on to their blackberry. This is the setup requested by the user, I'm looking for a way to deliver on it. It should be noted that the user's blackberry email is provided by their cellular carrier, not us. As a last resort I'll ask the user to reconfigure their blackberry accounts to check our server for mail rather than have it forwarded, but for now forwarding is what they want and what I'm trying to make happen.

So I setup a filter for stripping the attachments. I want to route mail based on [EMAIL PROTECTED] through this filter before it is passed on to domain's MX address. I think it's possible by using transport_maps and some tricks in master.cf, at least that's what I was told in a dream last night. I haven't tried it yet but will in a little while.
Re: mail forward based on user to specific filter then to another address
J.P. Trosclair wrote:
So I setup a filter for stripping the attachments. I want to route mail based on [EMAIL PROTECTED] through this filter before it is passed on to domain's MX address. I think it's possible by using transport_maps and some tricks in master.cf, at least that's what I was told in a dream last night. I haven't tried it yet but will in a little while.

I've been messing with this idea of using transport_maps without much success because it seems a loop is unavoidable since transport_maps can't be overridden (I've googled and confirmed it from posts in the past). Any suggestions would be appreciated. Here's what I've tested which I've deemed unusable based on transport_maps being a global setting (besides that, the whole thing is a big hack):

Entries added in master.cf:

renattach unix - n n - - pipe
  flags=q user=nobody argv=/mailtools/bin/renattach -dal -p /mailtools/bin/mini_sendmail -v -s127.0.0.1 -p10001 -f${sender} ${recipient}
127.0.0.1:1 inet n - n - - smtpd
  -o content_filter=renattach
  -o mynetworks=127.0.0.0/8
  -o smtpd_enforce_tls=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
127.0.0.1:10001 inet n - n - - smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_enforce_tls=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o transport_maps=
  -o receive_override_options=no_milters,no_address_mappings

Entry added to main.cf:

transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:

[EMAIL PROTECTED] smtp:[127.0.0.1]:1

J.P.
Re: Postfix on Solaris 10
Bailo, John wrote: Is Postfix available for or part of Sun's Solaris 10 OS as a compiled package? Check blastwave and sun freeware, afaik there is no official release from sun. There are some guides on building SMF scripts for postfix on solaris 10.
mail forward based on user to specific filter then to another address
Hi, I've got a user that wants their mail forwarded to their blackberry account. No big deal. The catch is they want attachments stripped first. I've found this tool called renattach that does just that. I set this up in main.cf:

renattach unix - n n - - pipe
  flags=q user=postfix argv=/mailtools/bin/renattach -dal -p /usr/sbin/sendmail -i -f ${sender} -- ${recipient}

What I would like to do is when mail arrives for [EMAIL PROTECTED], deliver the mail to their local mailbox as normal and then send the same mail to [EMAIL PROTECTED] with the mail first being run through the renattach filter I have setup above. I'm not sure how to accomplish this. I'm guessing I will need to setup a special submission for this filter as the next step that uses content_filter=renattach but I'm not sure how to make sure the forward gets pushed through the renattach filter before it goes out to the user's blackberry address.

J.P.
Re: 554 5.7.1 some IP: Client host rejected. Access denied.
Miguel Angel Cañedo wrote:
Hi I have set up my postfix server: Every SMTP connection from evolution works. Every SMTP connection from Outlook fails (smtp authentication is marked) they get 554 5.7.1 some IP: Client host rejected. Access denied. This is driving me nuts, any help will be great, thanks in advance

Here are my files:

main.cf ***

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate delayed mail warnings
delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, localhost.localdomain, localhost
relayhost =
#mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 172.16.0.0/16
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_local_domain =
#mcanedo noanonymous
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client dnsbl.sorbs.net,check_policy_service inet:127.0.0.1:6
#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
#smtpd_reject_unlisted_recipient = no
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
content_filter = smtp-amavis:[127.0.0.1]:10024
# Tell it to look up the chosen transport (like smtproutes in qmail)
#transport_maps = hash:/etc/postfix/transport
# everything via no-ip
default_transport=smtp:smtp-auth.no-ip.com:3325
# File with password for relay servers (e.g. no-ip)
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
local_recipient_maps =

*** master.cf ***

# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
#mcanedo: Added for amavis antivirus and spam FILTERS
smtp-amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o
Re: Relay access denied
Tolga wrote:
On Mon, Dec 08, 2008 at 02:29:51PM -0600, J.P. Trosclair wrote:
Tolga wrote:
Hi, When I try to send mail, I get 5.7.1 Relay access denied. Although I don't get this when I send mail with mutt, I am wondering if this is a Postfix issue. If not, can you redirect me? Regards, mto

Sounds like a postfix configuration issue. Are you using mutt on the same server postfix is running on or on a machine located in a network covered by postfix's mynetworks setting? Please include the output of postconf -n in your reply.

Mutt is on the same server with postfix. Below is my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = ozses.net, localhost.net, , localhost
myhostname = ozses.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128

Here (mynetworks) you will either want to add your local network or setup SMTP authentication (depends on your requirements) so that users not originating from localhost can relay mail through your server. Quick example:

mynetworks = 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, etc

myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_reverse_client_hostname, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org

I see you have permit_sasl_authenticated but I don't see any smtp auth specific settings other than this one.

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Regards, mto

J.P.

After you get done modifying these settings to suit your needs I suggest you go here and make sure you haven't opened up relaying to spammers and what not (just a safety measure):

http://www.abuse.net/relay.html

J.P.
Re: Sender = Receiver?
Christian Desrochers wrote:
Hi all, We have a spam problem. We get a lot of emails, where the sender (MAIL FROM) address is equal to the receiver (RCPT TO) address. When I look at the Received: header field, the IP address of the server it's coming from, is not our mail server. I would like to know if there is a way to block (or tag as spam) those emails, either with Postfix, SpamAssassin or Procmail, if they don't come from our mail server? Thanks, Chris

This has been the popular topic for the past few days. You can block it with postfix using something like this:

smtpd_recipient_restrictions =
  permit_sasl_authenticated
  permit_mynetworks
  reject_unauth_destination
  reject_unlisted_recipient
  check_sender_access hash:/etc/postfix/sender_access # Look Here
  reject_non_fqdn_recipient

/etc/postfix/sender_access:

.my_domain.ext REJECT Rejection reason here
[EMAIL PROTECTED] REJECT Not authenticated

There are pitfalls to using this approach. Forwarded mail from another server will be rejected, for example. Thus, there are cases where you get false positives. It's up to you to make the decision of what's acceptable and what not. You can implement it on a per-user basis as well which is what I'm really doing. I chose to inform the users of the change and let them opt-in after knowing the potential risks. I can't help you with solving the problem from spamassassin or procmail.

J.P.
Re: Avoiding (trivial) spoofed mail from
LuKreme wrote:
On 2-Dec-2008, at 20:21, DJ Lucas wrote:
I can find absolutely no reason to inadvertently mislead, or worse, intentionally deceive the recipient by forging the envelope sender's address. In fact, the only reason I can see, is to intentionally deceive the recipient. Is there any other reason?

Sure there is. First off, the envelope from is not FOR the user, it's for the mailserver. This address should always be where the 'physical' delivery of the message is originating. The From header is the PERSON that initiated the message. These are often the same, but not always. A perfect example is my mom sends out electronic cards from Jacquie Lawson[1] which arrive with headers like this:

Return-Path: [EMAIL PROTECTED]
Received: from iport3.jacquielawson.com (iport3.jacquielawson.com [64.14.122.52]) by mail.covisp.net (Postfix) with ESMTP id D4AD9118B83F for [EMAIL PROTECTED]; Thu, 27 Nov 2008 02:27:05 -0700 (MST)
Date: Thu, 27 Nov 2008 04:27:02 -0500
X-AG-MIPS: ag867
Sender: [EMAIL PROTECTED]
From: **my mom**

I don't see how this particular case would be affected. The only forged part was in the header that I can see from your example, not the actual MAIL FROM during the initial part of the SMTP conversation. Currently I have our configuration set to reject mail claiming a MAIL FROM that originates in our domain if the session has not been authenticated or coming from the local network.

Example where MAIL FROM is not forged, but From part of header is:

$ telnet mail1.omitted_for_privacy.com 25
Trying x.x.x.x...
Connected to mail1.omitted_for_privacy.com.
Escape character is '^]'.
220 mail1.omitted_for_privacy.com ESMTP
EHLO omitted_for_privacy.com
250-mail1.omitted_for_privacy.com
250-PIPELINING
250-SIZE 2147483647
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:[EMAIL PROTECTED]
250 2.1.0 Ok
RCPT TO:[EMAIL PROTECTED]
250 2.1.5 Ok
DATA
354 End data with CRLF.CRLF
From: [EMAIL PROTECTED]
Subject: proof that only the mail from portion is rejected

This email should be accepted by our mail server
.
250 2.0.0 Ok: queued as 241056A006F
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

Example where MAIL FROM is forged:

$ telnet mail1.omitted_for_privacy.com 25
Trying 12.48.244.4...
Connected to mail1.omitted_for_privacy.com.
Escape character is '^]'.
220 mail1.omitted_for_privacy.com ESMTP
EHLO judelawfirm.com
250-mail1.omitted_for_privacy.com
250-PIPELINING
250-SIZE 2147483647
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:[EMAIL PROTECTED]
250 2.1.0 Ok
RCPT TO:[EMAIL PROTECTED]
554 5.7.1 [EMAIL PROTECTED]: Sender address rejected: Not authenticated
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

This is perfectly OK. In fact, this is exactly how this should be handled.

I agree completely, I do not think it's OK to forge the MAIL FROM portion of the SMTP conversation though. I think this is what DJ Lucas was getting at.

This method is also used when someone is sending, for example, a petition request where they've 'signed' and want to let others know to sign also. Many pages (particularly political ones) have these sorts of tell your friends links and they too will use the person's email/name as the from and their own server info for the envelope. I would be far more likely to take a look at the FROM_ and compare it to the Received header than with the From: header, as I think that is far more likely to spot spam.

Extending this to a physical letter situation it would be like Barack Obama's campaign sending me a letter that was signed by, say, my mom. She wrote the letter and signed it, but the campaign office mailed it in their own envelope. Seems fine to me.

If they don't like my policy, they can find another place to put their mail. Others may not be lucky enough to be able to enforce such a policy, as the counter argument would be to find a less rigid admin. ;-)

What is 'acceptable' has to be determined on a site by site basis. If it works for this site...great! If it doesn't, then get rid of it.

Just so you know that there are common and legitimate uses for this, and that you will lose valid emails that, presumably, your users actually want. And if you are rejecting them, do your users know they are missing those emails? I mean, are they informed enough that they can make a real choice about getting MOST of their email from you or getting ALL of their email from someone else?

[1] I have no connection with Jacquie Lawson. I'm not even a customer, I am merely a recipient. I do like the cards though.

At this point I think there is some confusion about what is being stated is acceptable and what is not.
Re: Avoiding (trivial) spoofed mail from
Roman Medina-Heigl Hernandez wrote:
DJ Lucas wrote:

Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
...
Received: from gangotri.ubuntu.com (localhost.localdomain [127.0.0.1]) by gangotri.ubuntu.com (Postfix) with ESMTP id 0C222318376 for [EMAIL PROTECTED]; Fri, 28 Jul 2006 04:10:09 +0100 (BST)
From: RoMaNSoFt [EMAIL PROTECTED]

Maybe I'm incorrect, but I believe there was a subtle misunderstanding in the above conversation. The From: header is not the same as MAIL FROM: command in smtp transaction. MAIL FROM for this message was [EMAIL PROTECTED] Feel free to find that message in your logs and

Thank you for the correction, you are right: my example is wrong but that doesn't change the fact we were discussing since Noel and I were always referring to the mail from (i.e. the sender). If some silly ticket system spoofs the From header, there is a good chance that it spoofs the mail from too...

verify. Anyway, the Postfix directive you are looking for is reject_unauthenticated_sender_login_mismatch.

http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch

Yes, I think that's the directive I was looking for.

That said, cheap web scripts often do use the recipient's address in the transaction. Latest complaint I had was from some star rewards thing for frequent visits to a restaurant (for which I promptly replied: choose a different restaurant ;-) ).

I have been working on a similar if not the exact same problem from what I've seen in this thread. The problem being from = to address and how to stop spam that does this. My idea for a solution to this problem was to require any mail claiming to be from a local account to authenticate first when arriving from outside of the network and heading to a local mailbox. As it has already been pointed out, there are cases where you have false positives, in fact I found one yesterday with a user's blackberry setup shortly after I set it up. I'm thinking that utilizing check_client_access before check_sender_access under smtpd_recipient_restrictions and adding exceptions for these few cases is a sound solution. It's obviously not perfect because of the administration overhead of having to watch for these special circumstances. I have yet to test this. Any thoughts on this approach?
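A simplified model of how Postfix walks smtpd_recipient_restrictions (the first PERMIT or REJECT decides, anything else falls through), covering the check_sender_access policy from this thread, its forwarded-mail false positive, and the check_client_access exception proposed above. This is an added example, not Postfix code and not taken from the posts; the tables, addresses and function names are constructed, and only a subset of each restriction's real behaviour is modelled.

```python
import ipaddress

# Constructed stand-ins for main.cf settings and lookup tables.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
LOCAL_DOMAINS = {"example.com"}                       # mydestination
LOCAL_RECIPIENTS = {"alice@example.com", "bob@example.com"}
# sender_access: per-user opt-in, as described in the thread.
SENDER_ACCESS = {"alice@example.com": "REJECT Not authenticated"}
# client_access: hypothetical exception for one known forwarding host.
CLIENT_ACCESS = {"203.0.113.10": "OK"}


def permit_sasl_authenticated(s):
    return "PERMIT" if s["sasl_user"] else "DUNNO"


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(s):
    domain = s["recipient"].rpartition("@")[2].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT Relay access denied"


def reject_unlisted_recipient(s):
    known = s["recipient"].lower() in LOCAL_RECIPIENTS
    return "DUNNO" if known else "REJECT User unknown"


def _lookup(table, keys):
    """Access-table lookup: the first matching key decides; OK permits."""
    for key in keys:
        action = table.get(key)
        if action:
            return "PERMIT" if action == "OK" else action
    return "DUNNO"


def check_client_access(s):
    return _lookup(CLIENT_ACCESS, [s["client_ip"]])


def check_sender_access(s):
    sender = s["sender"].lower()
    # Full address first, then the bare domain.
    return _lookup(SENDER_ACCESS, [sender, sender.rpartition("@")[2]])


def evaluate(restrictions, session):
    """Return (decision, deciding restriction); DUNNO falls through."""
    for restriction in restrictions:
        decision = restriction(session)
        if decision != "DUNNO":
            return decision, restriction.__name__
    return "PERMIT", "end of list"


BASELINE = [permit_sasl_authenticated, permit_mynetworks,
            reject_unauth_destination, reject_unlisted_recipient]
WITH_SENDER_CHECK = BASELINE + [check_sender_access]
# The exception sits after reject_unauth_destination, so an OK from it
# cannot make the listed client a relay for foreign domains.
WITH_EXCEPTION = BASELINE + [check_client_access, check_sender_access]

# Constructed sessions: outside host claiming a local sender, the same
# user authenticated, and a forwarder relaying mail with a local sender.
SPOOFED = {"client_ip": "198.51.100.99", "sasl_user": None,
           "sender": "alice@example.com", "recipient": "alice@example.com"}
ROAMING = dict(SPOOFED, sasl_user="alice")
FORWARDED = {"client_ip": "203.0.113.10", "sasl_user": None,
             "sender": "alice@example.com", "recipient": "bob@example.com"}

if __name__ == "__main__":
    lists = [("baseline", BASELINE), ("sender check", WITH_SENDER_CHECK),
             ("with exception", WITH_EXCEPTION)]
    sessions = [("spoofed", SPOOFED), ("roaming", ROAMING),
                ("forwarded", FORWARDED)]
    for list_name, rules in lists:
        for label, session in sessions:
            decision, by = evaluate(rules, session)
            print(f"{list_name:15} {label:10} {decision} ({by})")
```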
Re: stop accepting mail and clear mailq
J.P. Trosclair wrote:
Is there a way to put postfix in state so that it stops accepting mail so that I can clear the queue of all undelivered mail?

Rundown of what and why: We are a small company, we have two mail servers (mail1, mail2). Mail1 is our primary server, mail2 pretty much just sits there to be used for special tasks like the one I'm planning or as a replacement if mail1 takes a total meltdown. I'm planning to bring mail1 down this weekend to create backup images of the entire disk. Before I create the images I want to flush the mail queue and temporarily move the user's mailboxes to a storage location so they are not included in the imaging process. I also want to have the mail queue on mail1 clean before I bring it completely down.

My plan to do this is to reconfigure mail2 to accept mail for our domain and queue it to be forwarded to mail1 once it comes back online (I think this should be transparent with minimal impact for mail being undeliverable if I change the routing in our network for our MX host to go to mail2, comments or suggestions on this are appreciated). At some point mail1 will be online still accepting mail and mail2 will be online receiving and accepting mail for the same domain as well as attempting to forward it to mail1 and queuing it if mail1 doesn't answer. I want to force mail1 not to accept the mail and flush any remaining mail to the user's mailboxes for the reasons I mentioned in the paragraph above.

J.P.

This is the configuration I'm planning on using to catch the mail while mail1 is down. I would like to test it but I'm not sure of a good way to do it without messing with our live mail services. If someone has a suggestion please pass it on. Also if someone could take a look and point out anything they think I might be missing I'd appreciate it too. Again, the point of this config is to catch mail for [EMAIL PROTECTED] and queue it until mail1.mydomain.com comes back online. The primary MX host will be routed directly to this postfix server running this configuration while our main server is down for maintenance:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 1h
maximal_queue_lifetime = 10d
minimal_backoff_time = 30m
mydestination = mail2.judelawfirm.com
mydomain = judelawfirm.com
myhostname = mail2.judelawfirm.com
mynetworks = 127.0.0.0/8
myorigin = mail2.judelawfirm.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = /usr/share/doc/postfix-2.5.4/README_FILES
relay_domains = mail1.judelawfirm.com judelawfirm.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.5.4/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_unlisted_recipient reject_non_fqdn_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
Re: stop accepting mail and clear mailq
J.P. Trosclair wrote:
J.P. Trosclair wrote:
Is there a way to put postfix in state so that it stops accepting mail so that I can clear the queue of all undelivered mail?

Rundown of what and why: We are a small company, we have two mail servers (mail1, mail2). Mail1 is our primary server, mail2 pretty much just sits there to be used for special tasks like the one I'm planning or as a replacement if mail1 takes a total meltdown. I'm planning to bring mail1 down this weekend to create backup images of the entire disk. Before I create the images I want to flush the mail queue and temporarily move the user's mailboxes to a storage location so they are not included in the imaging process. I also want to have the mail queue on mail1 clean before I bring it completely down.

My plan to do this is to reconfigure mail2 to accept mail for our domain and queue it to be forwarded to mail1 once it comes back online (I think this should be transparent with minimal impact for mail being undeliverable if I change the routing in our network for our MX host to go to mail2, comments or suggestions on this are appreciated). At some point mail1 will be online still accepting mail and mail2 will be online receiving and accepting mail for the same domain as well as attempting to forward it to mail1 and queuing it if mail1 doesn't answer. I want to force mail1 not to accept the mail and flush any remaining mail to the user's mailboxes for the reasons I mentioned in the paragraph above.

J.P.

This is the configuration I'm planning on using to catch the mail while mail1 is down. I would like to test it but I'm not sure of a good way to do it without messing with our live mail services. If someone has a suggestion please pass it on. Also if someone could take a look and point out anything they think I might be missing I'd appreciate it too. Again, the point of this config is to catch mail for [EMAIL PROTECTED] and queue it until mail1.mydomain.com comes back online. The primary MX host will be routed directly to this postfix server running this configuration while our main server is down for maintenance:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 1h
maximal_queue_lifetime = 10d
minimal_backoff_time = 30m
mydestination = mail2.judelawfirm.com
mydomain = judelawfirm.com
myhostname = mail2.judelawfirm.com
mynetworks = 127.0.0.0/8
myorigin = mail2.judelawfirm.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = /usr/share/doc/postfix-2.5.4/README_FILES
relay_domains = mail1.judelawfirm.com judelawfirm.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.5.4/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_unlisted_recipient reject_non_fqdn_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

I realized shortly after sending this that changing the routing and not the IP address our MX host resolves to would cause a loop back to mail2 so I added the transport_maps option and for our domain I used the local network IP address which from my testing should address that problem in case anyone reading this thread picked up on it.

/etc/postfix/transport:

mydomain.com smtp:[x.x.x.x]

J.P.
stop accepting mail and clear mailq
Is there a way to put postfix in a state so that it stops accepting mail, so that I can clear the queue of all undelivered mail?

Rundown of what and why: We are a small company, we have two mail servers (mail1, mail2). Mail1 is our primary server, mail2 pretty much just sits there to be used for special tasks like the one I'm planning, or as a replacement if mail1 takes a total meltdown.

I'm planning to bring mail1 down this weekend to create backup images of the entire disk. Before I create the images I want to flush the mail queue and temporarily move the users' mailboxes to a storage location so they are not included in the imaging process. I also want to have the mail queue on mail1 clean before I bring it completely down.

My plan to do this is to reconfigure mail2 to accept mail for our domain and queue it to be forwarded to mail1 once it comes back online (I think this should be transparent, with minimal impact for mail being undeliverable, if I change the routing in our network for our MX host to go to mail2; comments or suggestions on this are appreciated).

At some point mail1 will be online still accepting mail, and mail2 will be online receiving and accepting mail for the same domain as well as attempting to forward it to mail1 and queuing it if mail1 doesn't answer. I want to force mail1 not to accept the mail and flush any remaining mail to the users' mailboxes for the reasons I mentioned in the paragraph above.

J.P.
Re: stop accepting mail and clear mailq
On Nov 19, 2008, at 6:06 PM, Wietse Venema wrote:

To stop receiving mail from the network, comment out the network facing smtpd entry in master.cf, do postfix reload, and look for warnings in the maillog file. You can get a lot fancier and set up an access rule that replies with 421 Service unavailable for migration.

Wietse

Thanks for the info, I'll look into taking this approach.

J.P.
Re: Save output mail
[EMAIL PROTECTED] wrote:

Hi, I have Postfix and I want to save the emails that are sent. If possible, I want to save not the email of all users but only of some users. How can I do this?

Have a look at this: http://www.postfix.org/postconf.5.html#sender_bcc_maps
Re: Best anti-spam
Tuesday, October 21, 2008, 5:29:59 PM, Jim Balo ([EMAIL PROTECTED]) wrote:

Hi, I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam. I have trained the Bayesian Classifier with over 2,000 ham and 2,000 spam, but I am still getting quite a bit of spam. I am about to install a new mail server and I wonder if there is something better than SpamAssassin that works well with Postfix? The whole combination of Amavis, Pyzor, DCC, etc. seems a bit complex and it also uses quite a bit of system resources. I saw someone recommend policy-weightd, but that is no longer developed since February 2008. I also came across ASSP, but I do not know much about it yet. Could someone recommend a really good open source or affordable commercial anti-spam solution?

Thanks, JB

P.S. Maybe it is just that I need to tweak SpamAssassin better? Some good links on this would be helpful as well.

I haven't done gray listing personally, but I've seen good remarks made about it here on the list and in other places. From what I've read it seems to be very effective in stopping spam by itself (without spamassassin, et al.). I've contemplated implementing it here, but the idea of any sort of delay in mail being delivered doesn't sit well with the people who ultimately make the call in what I can and can't do for reducing spam, so we're stuck with spamassassin. There are some good sites out there that cover gray listing and the ins and outs of it. I suggest you do some reading about it beforehand so you can make an informed decision on going that route.

J.P.
proxymap signal 11
Postfix's proxymap is segfaulting, or at least that's what I think the signal 11 means.

Some background info first: This is a fedora mail server (core 6) that I've upgraded to postfix 2.5.4. I used the rpm spec file from the last release of postfix on fc6 to build an rpm to upgrade with and also to make sure I keep the file system layout as close as possible to fedora's postfix packages. Anyhow, I had to make some heavy modifications to the spec file to get everything to mesh. It seemed to work out okay, but ultimately I think that I have caused this problem by doing so.

Tonight I noticed that proxymap is segfaulting. I'm not sure what proxymap does exactly, but it hasn't affected normal operation of the server I'm testing on, to the best I can tell. All the same I'd like to address the problem.

According to the debug readme, I changed master.cf:

    proxymap unix - - n - - proxymap -D

I added this line to main.cf, which isn't showing up in postconf -n's output for some reason even after postfix reload:

    debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        (strace -p $process_id 2>&1 | tee /var/log/postfix_debug.log | logger -p mail.info) & sleep 5

As you've probably noticed, I changed the debug command slightly from what was in the debug readme to have the output written to syslog and a custom log file.

So instead of the segfault, now I'm seeing this and getting nothing else in mail.info or my custom log file about proxymap, and I'm wondering if I've done something wrong:

    Oct 9 21:51:34 mail2 postfix/proxymap[27643]: running: PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin?(strace -p 27643 2>&1 | logger -p mail.error) & sleep 5

Log entries:

    Oct 6 03:38:11 mail2 postfix/master[2256]: warning: process /usr/libexec/postfix/proxymap pid 7311 killed by signal 11
    Oct 6 03:38:11 mail2 postfix/master[2256]: warning: /usr/libexec/postfix/proxymap: bad command startup -- throttling
    Oct 8 07:40:02 mail2 postfix/master[2256]: warning: process /usr/libexec/postfix/proxymap pid 3323 killed by signal 11
    Oct 8 07:40:02 mail2 postfix/master[2256]: warning: /usr/libexec/postfix/proxymap: bad command startup -- throttling

postconf -n

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    disable_vrfy_command = yes
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailbox_command = /usr/libexec/dovecot/deliver
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    maximal_queue_lifetime = 60d
    message_size_limit = 1
    mydestination = mydomain.com, mail2.mydomain.com, mail2
    mydomain = mydomain.com
    myhostname = mail2.mydomain.com
    mynetworks = 127.0.0.0/8, 192.168.1.0/24
    myorigin = mail2.mydomain.com
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.5.4/README_FILES
    sample_directory = /usr/share/doc/postfix-2.5.4/samples
    sender_bcc_maps = hash:/etc/aliases_bcc
    sender_canonical_classes = header_sender
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP
    smtpd_helo_required = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
Re: Mail Archiving
We use something similar. We are a small company, so what suits us may not be usable for you; either way I'll give you the rundown so you can decide.

We use an alias to forward mail to the regular mailbox that is accessed via imap/pop and then to a custom program that stores the mail in mbox format. The only reason we use a custom program (a script of sorts would probably do, however ours is written in C) is to sort the mail by month. To archive sent mail we use the same technique via sender_bcc_maps to the same program that dates the mailboxes by month. A quick example of the end product is:

    joeuser-recv-MM-
    joeuser-sent-MM-

This technique has worked very well for us. You can use the mbox style files with thunderbird or mutt if you need to extract mail from them. The only downside is the complexity of setting up an email account. You need to remember to add the proper aliases and whatnot. I've automated the process with scripts to make it less likely that we miss something.

Chris St Denis wrote:

James wrote:

I was wondering if anyone here knew of a good way to duplicate emails for archival purposes. What I want to do is use a gateway machine that will deliver mail to two machines, one being an active imap/pop3 system and the other being a mail archival system. I was thinking that there might be something like editing the transport file to do that, but that only allows a single destination per domain as far as I know. Any help is appreciated. Thanks

Try recipient_bcc_maps http://www.postfix.org/postconf.5.html#recipient_bcc_maps
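A sketch of the per-month mbox archiver described in the reply above, as an added example that is not the poster's C program: it is meant to be run from an alias pipe with the message on stdin. The archive directory, the `MM-YYYY` file suffix, the `.mbox` extension and the function names are assumptions of this example; the month comes from delivery time, because the `Date:` header is sender-controlled.

```python
import mailbox
import os
import re
import sys
from datetime import datetime

ARCHIVE_DIR = "/var/mail-archive"   # assumed location, not from the thread
# The user name arrives as a command-line argument; restrict it so it can
# never contain a path separator or "..".
SAFE_USER = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")

def archive_name(user, direction, when):
    """Build e.g. joeuser-sent-09-2008.mbox (suffix format is assumed)."""
    if not SAFE_USER.match(user):
        raise ValueError("unsafe user name: %r" % (user,))
    if direction not in ("recv", "sent"):
        raise ValueError("direction must be 'recv' or 'sent'")
    return "%s-%s-%s.mbox" % (user, direction, when.strftime("%m-%Y"))

def archive_message(raw, user, direction, archive_dir=ARCHIVE_DIR, when=None):
    """Append one raw RFC 5322 message (bytes) to the monthly mbox."""
    when = when or datetime.now()          # delivery time, not the Date: header
    path = os.path.join(archive_dir, archive_name(user, direction, when))
    old_umask = os.umask(0o077)            # new archive files are 0600
    try:
        box = mailbox.mbox(path, create=True)
        try:
            box.lock()                     # fcntl + dot lock against concurrent deliveries
            try:
                box.add(raw)               # mbox writer escapes body lines starting "From "
                box.flush()
            finally:
                box.unlock()
        finally:
            box.close()
    finally:
        os.umask(old_umask)
    return path

if __name__ == "__main__":
    # Usage from a pipe: archive.py <user> <recv|sent> < message
    archive_message(sys.stdin.buffer.read(), sys.argv[1], sys.argv[2])
```
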
Re: Postfix setup with no true domain just a no-ip/dyndns address?
I would not point the MX record for your dynamic domain name (or any other domain name) at your ISP's server. The mail will almost certainly be rejected.

Adam McCarthy wrote:

So would I just tell no-ip.org (separate from DynDNS as far as I know, but they also have MX records.), to just put in my address or would I just throw in my ISP's SMTP server?

On Fri, Sep 19, 2008 at 4:12 PM, J.P. Trosclair [EMAIL PROTECTED] wrote:

I think DynDNS.com (the folks who have no-ip.org right?) have an option to set up an MX record for dynamic host names. You'll more than likely want to enable this unless you have a reason not to.

Basic setup for accepting and sending mail with your ddns hostname:

    mydomain = mymachine.no-ip.org
    myhostname = $mydomain
    myorigin = $mydomain
    mydestination = $mydomain

Problems to consider:

1. Your ISP may block smtp traffic from you to any other server except their very own smtp servers. This is pretty common from what I've seen.
2. Some servers may reject your mail if you do not have a valid PTR record for your IP address. By default your ISP will probably have one, but it won't resolve to mymachine.no-ip.org, which may cause the delivery problem mentioned before.

J.P.

Adam McCarthy wrote:

I have looked for a guide on the Internet on how to do this but I have never found one. I am wishing to run a request tracker (RT) and need postfix. Now I already have the email coming in, sent to RT by fetch mail of a gmail account. Now how can I make it so that postfix sends replies and other stuff back to the users that will work with me having either just an IP for my postfix or my DNS. I guess to sum it all up, how can I use postfix with just an IP or a DNS that just translates to my IP though I can't do stuff like add on to the DNS like mail.mymachine.no-ip.org.

-- J.P. Trosclair Systems Administrator Jude Jude, PLLC Phone: (601) 579-8411 Fax: (601) 579-8461
Re: Postfix setup with no true domain just a no-ip/dyndns address?
Send us the output of postconf -n from your smtp server. If your logs didn't indicate the mail was rejected, it could have been silently discarded by spam filters or something of the like.

Adam McCarthy wrote:

Well as far as I know SMTP is not blocked. I wanted to go through my ISP's server to begin with, because places such as GMail didn't like me. Yet everyone seems to love my ISP's server. I had relayhost set to my ISP, but I musta had something wrong, because some people would get replies, while other people wouldn't.

On Fri, Sep 19, 2008 at 6:36 PM, Adam McCarthy [EMAIL PROTECTED] wrote:

So would I just tell no-ip.org (separate from DynDNS as far as I know, but they also have MX records.), to just put in my address or would I just throw in my ISP's SMTP server?

On Fri, Sep 19, 2008 at 4:12 PM, J.P. Trosclair [EMAIL PROTECTED] wrote:

I think DynDNS.com (the folks who have no-ip.org right?) have an option to set up an MX record for dynamic host names. You'll more than likely want to enable this unless you have a reason not to.

Basic setup for accepting and sending mail with your ddns hostname:

    mydomain = mymachine.no-ip.org
    myhostname = $mydomain
    myorigin = $mydomain
    mydestination = $mydomain

Problems to consider:

1. Your ISP may block smtp traffic from you to any other server except their very own smtp servers. This is pretty common from what I've seen.
2. Some servers may reject your mail if you do not have a valid PTR record for your IP address. By default your ISP will probably have one, but it won't resolve to mymachine.no-ip.org, which may cause the delivery problem mentioned before.

J.P.

Adam McCarthy wrote:

I have looked for a guide on the Internet on how to do this but I have never found one. I am wishing to run a request tracker (RT) and need postfix. Now I already have the email coming in, sent to RT by fetch mail of a gmail account. Now how can I make it so that postfix sends replies and other stuff back to the users that will work with me having either just an IP for my postfix or my DNS. I guess to sum it all up, how can I use postfix with just an IP or a DNS that just translates to my IP though I can't do stuff like add on to the DNS like mail.mymachine.no-ip.org.

-- J.P. Trosclair Systems Administrator Jude Jude, PLLC Phone: (601) 579-8411 Fax: (601) 579-8461
Re: Postfix setup with no true domain just a no-ip/dyndns address?
Also, have a look here: http://www.postfix.org/DEBUG_README.html

Adam McCarthy wrote:

Well as far as I know SMTP is not blocked. I wanted to go through my ISP's server to begin with, because places such as GMail didn't like me. Yet everyone seems to love my ISP's server. I had relayhost set to my ISP, but I musta had something wrong, because some people would get replies, while other people wouldn't.

On Fri, Sep 19, 2008 at 6:36 PM, Adam McCarthy [EMAIL PROTECTED] wrote:

So would I just tell no-ip.org (separate from DynDNS as far as I know, but they also have MX records.), to just put in my address or would I just throw in my ISP's SMTP server?

On Fri, Sep 19, 2008 at 4:12 PM, J.P. Trosclair [EMAIL PROTECTED] wrote:

I think DynDNS.com (the folks who have no-ip.org right?) have an option to set up an MX record for dynamic host names. You'll more than likely want to enable this unless you have a reason not to.

Basic setup for accepting and sending mail with your ddns hostname:

    mydomain = mymachine.no-ip.org
    myhostname = $mydomain
    myorigin = $mydomain
    mydestination = $mydomain

Problems to consider:

1. Your ISP may block smtp traffic from you to any other server except their very own smtp servers. This is pretty common from what I've seen.
2. Some servers may reject your mail if you do not have a valid PTR record for your IP address. By default your ISP will probably have one, but it won't resolve to mymachine.no-ip.org, which may cause the delivery problem mentioned before.

J.P.

Adam McCarthy wrote:

I have looked for a guide on the Internet on how to do this but I have never found one. I am wishing to run a request tracker (RT) and need postfix. Now I already have the email coming in, sent to RT by fetch mail of a gmail account. Now how can I make it so that postfix sends replies and other stuff back to the users that will work with me having either just an IP for my postfix or my DNS. I guess to sum it all up, how can I use postfix with just an IP or a DNS that just translates to my IP though I can't do stuff like add on to the DNS like mail.mymachine.no-ip.org.

-- J.P. Trosclair Systems Administrator Jude Jude, PLLC Phone: (601) 579-8411 Fax: (601) 579-8461
Re: Fixing a SASL AUTH Problem
Hi, this is my first post on the list so if I do something out of the ordinary please forgive me.

The reason your mail is working locally is probably because postfix is configured to accept mail from the local network or localhost without any sort of authentication, but not when the mail is coming from an untrusted network:

    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

As for the sasl errors, have you referred to this page to double check your setup: http://www.postfix.org/SASL_README.html#server_cyrus

From the link:

IMPORTANT: saslauthd usually establishes a UNIX domain socket in /var/run/saslauthd and waits for authentication requests. The Postfix SMTP server must have read+execute permission to this directory or authentication attempts will fail.

So with that said, make sure postfix can read that directory and the files under it.

J.P.

Rich Shepard wrote:

On Fri, 29 Aug 2008, mouss wrote:

smtpd_* parameters are used by 'smtpd', the thing that listens for smtp connections. This is what you contact when you telnet or when Thunderbird sends mail.

mouss, Mea culpa! I cut this from the README file and pasted it into main.cf without paying close attention.

dovecot is easier to set up. You can use cyrus-sasl if you want, but you must configure it correctly. The error you have is that postfix cannot contact saslauthd because of a permission denied. That's the thing to fix.

I installed cyrus-sasl a couple of postfix versions back, so I should learn how to properly configure it. I followed the SASL_README to set it up. Having changed perms to 777 on /var/spool/postfix/var and its subdirectories, I have no idea what other permissions are preventing this from working. I work on the server box as that's my main workstation, too. I've had no problems with mail in or out. The saslauthd permission affects only my wife's attempts to send mail from a different network host.

Rich
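One way to run the directory check quoted from SASL_README above, as an added example that is not part of the original posts: it walks every directory down to the saslauthd socket directory, reports where the given account lacks search or read+execute access, and also reports world-writable directories such as the 777 ones mentioned in the quoted message. The function names are this example's own, and the decision is computed from the mode bits only (ACLs, root override and chroot remapping are not considered).

```python
import os
import stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx triplet (0-7) that applies to a non-root uid/gids.

    The kernel picks exactly one class: owner, then group, then other.
    """
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit_path(path, uid, gids, below="/"):
    """Check each directory under `below` (exclusive) down to `path`.

    Ancestors need search (x); the final directory needs read+execute (r-x).
    Returns a list of (directory, problem, octal mode) tuples.
    """
    path, below = os.path.realpath(path), os.path.realpath(below)
    rel = os.path.relpath(path, below)
    if rel == "." or rel.startswith(".."):
        raise ValueError("path must be located under 'below'")
    findings, current = [], below
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        st = os.stat(current)
        mode = oct(stat.S_IMODE(st.st_mode))
        need = 5 if current == path else 1          # r-x on target, --x above it
        if class_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids) & need != need:
            findings.append((current, "no-access", mode))
        # World-writable without the sticky bit lets any local user replace
        # entries in the directory, including the socket itself.
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append((current, "world-writable", mode))
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    pw = pwd.getpwnam("postfix")                    # mail_owner on this page
    groups = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/run/saslauthd"
    for finding in audit_path(target, pw.pw_uid, groups):
        print(*finding)
```

An empty result means the account can reach the directory and nothing on the way is world-writable; group membership for the account is usually a narrower fix than opening the directories to everyone.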