Re: Newsletter server setup questions

2010-05-06 Thread John Adams

1. All Postfix mail logs must be checkable via some kind of web
interface, where one will be able to see the MessageID, Subject, To,
Date, Time and status of sent message; something similar can be seen on the
following URL:

http://www.kyapanel.com/images/rsgallery/original/kp8.png (although not
necessarily using this software)

The purpose of this requirement is for somebody to be able to find out
if any of the emails sent out was not delivered, and if not,
what was the reason.


I use syslog-ng to feed logs to a mysql db which can be easily looked at 
via web interface.




2. The scripts will send 'important' and 'less important' emails. If
script is programmed to send 'important' ones, the copy of email
must be sent to a separate account that will archive all sent emails
(automatically BCC or something similar).
If script will send 'less important' email, there is no need to keep a
copy of sent email.
The purpose of this request is for somebody to be able to find out the
same copy of email if a recipient confirms that he has not
received that very same email.


?


3. Some emails will have kind of 'no-r...@domain.com' email address in
'From' field. If recipient of this email by accident or so
does send a reply back to 'no-re...@domain.com', he should receive an
error email ('User does not exist' or similar error) and
also certain local user at 'domain.com' should be alerted that an attempt
of email delivery to 'no-re...@domain.com' has occurred.


check_recipient_access main.cf config parameter pointing to a file that 
contains:

no-re...@domain.com REJECT no such user






Re: Disable NDR

2010-05-24 Thread John Adams

On 24.05.2010 20:05, Linux Addict wrote:

Hello, One of my postfix servers is sending thousands of messages to
non-existent mail box in another internal server. The internal
application sends mail as mailb...@domain.net thru postfix. The TO
addresses are invalid.
I need to reject messages from those domains not resolved.



to=<dmr0613420524125827...@dsaperftest.edu>, relay=none,
delay=0.05, delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or
domain name not found. Name service error for name=dsaperftest.edu
type=A: Host not found)

thank you
LA



Well, if it's one of your hosts doing the spamming, turn off the 
application that is causing it. Or blacklist the sender host's IP 
address on the first receiving smtp server. Or do some sender address 
verification on your mail gateway (or however your email architecture 
looks like - I have no idea).


Re: Address Rewriting for relayed emails

2010-11-29 Thread John Adams

On 29.11.2010 16:24, michael.h.gr...@googlemail.com wrote:

Dear all,

Is it possible to configure postfix for the following scenario?
Our ERP-System wants to send emails over a dedicated account to its
users. As it tries to send the email as the current user, using the
user's address, the e-mail gets rejected by our provider (who is running
Exchange).
As the provider's security policy doesn't allow me to grant the Exchange
"Send as" permission to the ERP-Account I want to do the following:

Configure an internal postfix installation to accept these "faked" emails
Forward them to the Exchange server
replacing the faked sender's address with the valid address of the
account dedicated to the ERP-System.

Is this possible?
I guess I have to use the Address Rewriting capabilities in Postfix. But
where to start?

Kind regards and many thanks in advance
Michael


man generic
  u...@domain address
  Replace u...@domain by address. This form has the highest Precedence.

HTH
John


mysql based blacklist

2010-12-06 Thread John Adams

Hi

I host several domains on my mail system. The various domains all have 
their own dedicated spamassassin blacklist. Because spamassassin's 
blacklist implementation is not waterproof (if message size > spamc -s 
$size, let mail pass unchecked), I want to run the blacklist via 
smtpd_sender_restrictions check_sender_access. Because I must use 
spamassassin's blacklist_from syntax, the sql query looks like this:


query = SELECT 'REJECT sender blacklisted' as action FROM sa_prefs WHERE 
preference='blacklist_from' AND (value='%...@%d' OR value like '%%%d')


This works in the global system context. Unfortunately this does not 
respect that a blacklist entry always belongs to a recipient domain and 
therefore should not be valid for all recipient domains.


In http://www.postfix.org/mysql_table.5.html I could not find a hint 
that would enable the sql query to utilize a parameter that would 
reflect the recipient domain, like shown below:


query = SELECT 'REJECT sender blacklisted' as action FROM sa_prefs WHERE 
preference='blacklist_from' AND (value='%...@%d' OR value like '%%%d') AND 
recipientdomain='%r'


where %r would stand for the recipient's domain.

I hope I managed to write down understandably what I want. Would be nice 
if any of you knew an answer.


Thanks
John


postfix policy daemon accepting custom mysql queries

2010-12-10 Thread John Adams

Hi

Do you know of any postfix policy daemon that allows for custom mysql 
queries?


I would like to reject a sender if that sender matches the recipient or 
recipient domain who blacklisted the sender (following the suggestion 
from thread "mysql based blacklist" some days ago).


Thanks,
John


Re: postfix policy daemon accepting custom mysql queries

2010-12-10 Thread John Adams

On 10.12.2010 21:54, mouss wrote:

On 10/12/2010 13:10, John Adams wrote:

Hi

Do you know of any postfix policy daemon that allows for custom mysql
queries?

I would like to reject a sender if that sender matches the recipient


check postfwd if it does what you want. otherwise, you can write your own.


Thanks for the advice.
I try to avoid the latter piece of advice, if somehow possible.




or
recipient domain who blacklisted the sender (following the suggestion
from thread "mysql based blacklist" some days ago).

Thanks,
John
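The per-recipient-domain blacklist asked about in the "mysql based blacklist" post and in this thread, sketched as a small Postfix policy delegation service. This is an added example, not code from any of the posters: sqlite3 stands in for the MySQL `sa_prefs` table, the `recipientdomain` column is the hypothetical one from the query above, and the sample rows, listener address and function names are assumptions.

```python
import re
import socketserver
import sqlite3
import threading


def open_prefs():
    """Constructed sample data; sqlite3 stands in for the MySQL sa_prefs table."""
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute(
        "CREATE TABLE sa_prefs (recipientdomain TEXT, preference TEXT, value TEXT)")
    conn.executemany("INSERT INTO sa_prefs VALUES (?, ?, ?)", [
        ("example.org", "blacklist_from", "*@spam.example"),
        ("example.org", "blacklist_from", "bulk@news.example"),
        ("example.net", "blacklist_from", "*@ads.example"),
        ("example.net", "whitelist_from", "*@spam.example"),
    ])
    return conn


def parse_request(text):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def glob_matches(pattern, address):
    """blacklist_from globs: '*' is any run of characters, '?' exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern.lower())
    return re.fullmatch(regex, address.lower()) is not None


def decide(conn, attrs):
    """Return the policy action for one request (without the 'action=' prefix)."""
    # The recipient is only known at RCPT TO, so other stages are passed on.
    if (attrs.get("request") != "smtpd_access_policy"
            or attrs.get("protocol_state") != "RCPT"):
        return "DUNNO"
    sender = attrs.get("sender", "")
    recipient = attrs.get("recipient", "")
    if not sender or "@" not in recipient:
        return "DUNNO"  # null sender (bounces) or unqualified recipient
    domain = recipient.rpartition("@")[2].lower()
    # Parameterised query: the addresses come straight from the SMTP client.
    rows = conn.execute(
        "SELECT value FROM sa_prefs "
        "WHERE preference = 'blacklist_from' AND recipientdomain = ?", (domain,))
    for (pattern,) in rows.fetchall():
        if glob_matches(pattern, sender):
            return "REJECT sender blacklisted"
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix keeps the connection open and sends one request after another."""

    def handle(self):
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            with self.server.lock:  # one shared sqlite connection
                action = decide(self.server.prefs, parse_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []


if __name__ == "__main__":
    # main.cf side (address is an assumption), inside smtpd_recipient_restrictions:
    #   check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.prefs = open_prefs()
        srv.lock = threading.Lock()
        srv.serve_forever()
```
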






Re: MYSql Issues

2010-12-11 Thread John Adams

On 11.12.2010 19:18, Jonathan Tripathy wrote:

Hi Everyone,

This is maybe a little off-topic, but is anyone having any problems with
their mysql servers today? I have 3 separate mysql servers (running in 3
different VMs). One of them is used to do my Postfix SASL
authentication. Auth is failing today (possibly timing out). Also, the 2
other mysql servers are used for web services and both of them are
really slow today. All servers are running near idle.

Any ideas, at least on the postfix issue? I see this when my WHMCS (PHP
billing system) tried to connect to the postfix server:

warning: unknown[10.87.14.2]: SASL LOGIN authentication failed:
VXNlcm5hbWU6

This setup has been working for months without issue. Just today it's
playing up..

Thanks


Hard to say without further info.
Can you please follow the instructions here

http://www.postfix.org/DEBUG_README.html#mail

before you post debugging requests?
This could help isolate the problem.



Re: postfix queue tuning

2010-12-22 Thread John Adams
On 23.12.2010 04:59, Yaoxing wrote:
> Hi all,
> I'm looking for some help of postfix server configuration. hope this is
> the right place to ask.
> I have a mail server running iRedMail (which is based on postfix). It
> sends mails to our subscribers every 4s. I think this doesn't seem to be
> a very heavy load. however, there're likely 140,000 mails congesting
> after several days' running. So I tried qshape to analyse the queue, and
> found that almost all mails are congesting in incoming queue, while
> active queue reaches its limit of 20,000 mails. Mails rarely went to
> deferred queue. I think this means something reaches its limitation. So
> I checked the following features, and this is the result:
> 1. CPU is not busy at all
> 2. Almost 3GB memory left
> 3. 3.2MB/s disk IO write, 0.01MB/s read.
> 4. Less than 20 postfix processes (while limitation is explicitly set to 100)
> There seems to be nothing wrong (or did I miss anything?). Can anybody
> provide some more information on locating the problem?
> Any help is appreciated.
> 

Does your postfix check whether the recipients exist on your side?




Re: Change error messages returned by Postfix

2011-01-03 Thread John Adams

On 03.01.2011 19:44, Ralf Hildebrandt wrote:

* Wietse Venema:


 421-4.4.2 host.example.com Error: timeout exceeded
 421 4.4.2 For assistance, contact the helpdesk at 800-555-0101

I wonder how many calls you would actually get for that.


Almost none, because users cannot read.



well, actually they can. They just don't read the automated gibberish 
that comes from us admins.


Re: Change error messages returned by Postfix

2011-01-03 Thread John Adams

On 03.01.2011 20:00, Victor Duchovni wrote:

On Mon, Jan 03, 2011 at 07:44:51PM +0100, Ralf Hildebrandt wrote:


* Wietse Venema:


 421-4.4.2 host.example.com Error: timeout exceeded
 421 4.4.2 For assistance, contact the helpdesk at 800-555-0101

I wonder how many calls you would actually get for that.


Almost none, because users cannot read [bounce messages].


hmmm.


They understand that the message did not arrive:

 http://funstoo.blogspot.com/2010/12/what-we-say-to-dogs-what-they-hear.html



:)


This said, in a B2B context, a less experienced postmaster of a
remote domain may in some cases benefit from a link to a more detailed
explanation of an SMTP reject message. A fixed suffix for SMTP error
responses is probably the right cost/benefit trade-off.


That's when you get calls from the remote site admin where he wants you 
to remove him from your postgrey greylist because his users cannot send 
mails to site x of customer x where postgrey runs. Real reason for 
failure: site x runs an ancient version of postgrey and the calling 
admin's mail server does not handle 451 correctly. Sometimes it really 
takes time to make them understand that postgrey IS NOT a dns based 
(black|grey)list or whatever.


Re: Change error messages returned by Postfix

2011-01-04 Thread John Adams

On 04.01.2011 12:59, Wietse Venema wrote:

Wietse Venema:

Instead of making every response configurable, a more practical
solution is to configure ONE response that gets appended to ALL
the SMTP server's reject messages. Effectively, this turns the
one-line reject into a two-line response, one chosen by Postfix
and one chosen by the system adminstrator.


I have added this yesterday to Postfix 2.8. This provides a fixed
text that is added as an extra line to server responses.

Wietse

smtpd_reject_contact_information (default: empty)
Optional contact information that is appended after  each  SMTP  server
4XX or 5XX response.

Example:

/etc/postfix/main.cf:
smtpd_reject_contact_information = For assistance, call 800-555-0101

Server response:

550-5.5.1

Cool. Thanks.
Can this be configured in a multi-domain environment e.g. via 
restriction  classes in a way where every domain admin can supply his 
own contact details?


Re: Change error messages returned by Postfix

2011-01-04 Thread John Adams

On 04.01.2011 14:59, Victor Duchovni wrote:

On Tue, Jan 04, 2011 at 01:24:51PM +0100, John Adams wrote:


 550-5.5.1

Cool. Thanks.
Can this be configured in a multi-domain environment e.g. via restriction
classes in a way where every domain admin can supply his own contact
details?


If you want multiple Postfix personalities, use multiple Postfix instances:

http://www.postfix.org/MULTI_INSTANCE_README.html


That is very interesting. Thanks for the link.



If you have light-weight instances via master.cf smtpd/inet services
bound to secondary IPs, you can configure each instance with a different
response via "-o" overrides.

Otherwise, the feature is correctly designed to append optional contact
information for the *system administrator* or a troubleshooting help URL
for senders having trouble delivering email via the *system* in question.



Yes, I understand that. But that is not how I experienced the world. 
Usually, if person X from domain X could not mail to person Z from 
domain Z for a reject reason given by mail provider M, then X would call 
Z (I cannot send you mails) and Z would call M (X cannot send us mails). 
Does this sound reasonable to you?





Re: Question about Postfix Installation

2011-01-10 Thread John Adams

On 10.01.2011 10:06, Buzai Andras wrote:

Hi,

I want to install Postfix 2.7.2 by compiling it from sources.
In the INSTALL file I saw the following statement:

 "In the instructions below, a command written as "#
command" should be executed as the superuser.
  A command written as "% command" should be executed as an
unprivileged user."

My question is:
The user used to configure/compile the sources is used in any way in
Postfix later?


No.


Is there any security risk if I configure/compile all the sources
as the superuser? (I am referring only to the build/installation
process)


For installing, take a look at the software packaging procedure of your 
distro/OS. This is much cleaner than just running 'make install'.





Thank you,

Buzai




Re: Question about Postfix Installation

2011-01-10 Thread John Adams

On 10.01.2011 13:37, Reindl Harald wrote:



On 10.01.2011 11:33, Buzai Andras wrote:

Hi,

I use Ubuntu 10.04 and the package repository does not contain the
latest Postfix release.
Also I prefer installing packages from source. This way I think I can
always learn something new.


nobody said anything against

"software packaging procedure of your distro/OS" is NOT apt-get
it was meant to build an rpm/deb-package instead a dump install
with "make install" your system will get dirty after some updates
because old files are not removed, a package does this clean

To your question about superuser:
NEVER EVER build sources as superuser because
if there are bugs in the build-process you can
damage your system which is impossible with
restricted permissions.


As it may take some time to build up a software packaging facility, I 
suggest you make a clean install on a vmware (or whatever you use) 
server and use this virtual host as a software building facility. There, 
you can revert to snapshot if something goes wrong during the scripted 
packaging procedure.
I do use root permissions to build, but I do it on a build host. More 
than that I do preliminary checks of the Makefile's capabilities - if 
there is a Makefile - before I am building. These tests perhaps do not 
apply on you because I don't use Ubuntu or Debian.
Before I deploy a package, I usually test it. Are the permissions right? 
Does it install the files into the right directories? Does it create the 
needed links, devices, ...? When I configure the software and start it, 
does it start up? And then, finally, when I am sure, I deploy it to a 
productive server and always have a way back to the old version if the 
new still does not work.



rpmbuild as example should EVER called with explicit user and
if there is a bug in the build-process which wants to touch files
outside the build-folder it fails and nothing happens - do this
as root overwrites files on your build-system, maybe fails later
and you have an undefined state of your system


To summarize:
* If avoidable, don't use root for software building
* put your software packaging facility away from your productive servers
* before deploying to production, test your new built package

This may sound like overkill. But it's worth the trouble.




Re: Question about Postfix Installation

2011-01-10 Thread John Adams

On 10.01.2011 14:23, Reindl Harald wrote:



On 10.01.2011 14:11, John Adams wrote:


As it may take some time to build up software packaging facility


where is the problem to take the source-package and
try to replace the programsource for a rebuild?

On RHEL/Fedora you take the srpm, install it as builduser, put
the newer tarball under SOURCES, edit the SPECFILE and do
a "rpmbuild -bb postfix.spec", i do this since a long time
because i rebuild all our core-services with optimized
gcc-flags


I use Slackware. There's no deb, no rpm, no spec, no dependency 
checking, no whatever you may have in ubuntu debian centos rhel sles 
etc..., it's not there :)
Just plain old tgz. Great, isn't it? No tight corset, it gives you all 
the freedom you may ever require.



To learn building/rebuilding packages for your distro
is good knowhow because it affects other packages too
and later you can deploy your version with a own repo
on thousands of machines if needed, dependencies are
resolved and so on


I suggest you make a clean install on a vmware


Jep the builduser, environment etc. should be a VM
Here too, one for i386 and one for x86_64 :-)


I do use root permissions to build, but I do it on a build host


bad practice is everywhere bad practice


A bad practice that works for me.


some source packages disallowing this as long you do not
modify the sources,


Well, if you use the tar ball, you can always use root. Slackware.

ok a snapshot can revert back

but it is nicer prevent damage instead repair and


Exactly. That's why I usually check the Makefile for a very specific 
capability before running 'make install DESTDIR=/installation/path'.



be sure if this happens your latest snapshot is old enough
that revert hurts :-)


My build scripts are svn-ized :) I would just lose the time to delete 
the checkout and type svn up. 2 minutes with a cup of coffee in between?





Re: Question about Postfix Installation

2011-01-10 Thread John Adams



I use Slackware.


And he is using Ubuntu


the basics still apply.


with other words: a system from the 1990's


... which is very up-to-date with its software, much more than centos 
or debian. And because I like KISS :)



you are not packaging because you do not want, you can not :-)


Nono, packaging is involved there, too. The mechanism is just quite 
simple. Primitive, so to say.
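
The pre-deployment checks named in this thread (permissions, install locations, links, devices), sketched as an audit of a `make install DESTDIR=...` staging tree. This is an added example, not code from any poster: the function name, the finding labels and the allowlist paths are assumptions (Postfix installs `postdrop` and `postqueue` set-gid, so a packager would expect those two and nothing else).

```python
import os
import stat
import sys


def audit_stage(root, allowed_setid=()):
    """Return sorted (relative path, problem) findings for a staged install tree."""
    root = os.path.realpath(root)
    findings = []
    # followlinks is False by default, so the walk never leaves the stage.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode

            if stat.S_ISLNK(mode):
                target = os.readlink(path)
                if os.path.isabs(target):
                    # An absolute link into the stage means the build path
                    # leaked into the package and will dangle once installed.
                    if target == root or target.startswith(root + os.sep):
                        findings.append((rel, "symlink embeds build path"))
                else:
                    resolved = os.path.normpath(os.path.join(dirpath, target))
                    if os.path.commonpath([root, resolved]) != root:
                        findings.append((rel, "symlink escapes stage"))
                continue

            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append((rel, "device node"))
            # World-writable is tolerated only on sticky directories.
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "world-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID) and rel not in allowed_setid:
                findings.append((rel, "setuid/setgid not in allowlist"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_stage.py /installation/path
    expected = ("usr/sbin/postdrop", "usr/sbin/postqueue")  # assumed layout
    problems = audit_stage(sys.argv[1], allowed_setid=expected)
    for rel, problem in problems:
        print(f"{problem}: {rel}")
    sys.exit(1 if problems else 0)
```
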


Re: Network Ideas

2011-01-11 Thread John Adams

On 10.01.2011 23:21, Jonathan Tripathy wrote:

Hi Everyone,

Not really an issue directly related to postfix, however I'm sure I can
get some good ideas here.

I wish to host managed email servers for some customers. Each customer
will have their own email server which will be an all-in-one virtual
machine running postfix, dovecot and some webmail suite.

Even though each customer will have their own server,


Will your maintenance costs explode?
cost for n customers =(( n virtual servers + 1/n host machine) x 2), 
because you perhaps require HA for mail applications? + 1/n per proxy



I do not wish to
give each email server its own public facing IP. I wish to avail the
use of proxy servers so all customers use the same public IP. As for the
"smtp-in" from the public internet, this isn't a problem as I can set up
many mx servers (using postfix of course) which will store-and-forward
the mail to the correct server (using transport maps). As for the IMAP
access from the customer, I was thinking of using perdition which is an
IMAP proxy - I believe that this will suit my needs.

I am confused however on what to use for the "smtp-out" proxy. The
customers will have to authenticate with their respective email server,
however they will have to go via a proxy of some sort as they won't have
direct access to their server instance.


Do they require direct access to their server instance? As far as I can 
tell from your description your proxies seem to solve all problems of 
that kind.



It probably can't be a
store-and-forward proxy either.

Does anyone have any idea on what I could use here?

Many Thanks




Re: Network Ideas

2011-01-11 Thread John Adams

On 11.01.2011 11:30, Jonathan Tripathy wrote:

On 10.01.2011 23:21, Jonathan Tripathy wrote:

Hi Everyone,

Not really an issue directly related to postfix, however I'm sure I can
get some good ideas here.

I wish to host managed email servers for some customers. Each customer
will have their own email server which will be an all-in-one virtual
machine running postfix, dovecot and some webmail suite.

Even though each customer will have their own server,


Will your maintenance costs explode?
cost for n customers =(( n virtual servers + 1/n host machine) x 2),
because you perhaps require HA for mail applications? + 1/n per proxy

These are virtual servers, so no costs to deploy HA or one per customer


What do you do if your virtual hosts hosting server dies? All customers 
down?



Do they require direct access to their server instance? As far as I
can tell from your description your proxies seem to solve all problems
of that kind.

Just for authentication when sending emails


Dovecot or cyrus sasl can be used for SASL/smtp auth. Take a look at 
Postfix' SASL config parameters.





Re: Network Ideas

2011-01-11 Thread John Adams

On 11.01.2011 13:27, Jonathan Tripathy wrote:

On Tue 11 Jan 2011 11:52:12 CET, Jonathan Tripathy wrote


I guess another way to do this would be to have the "front end
smtp-out" server do the sending itself and ask a customer's
respective dovecot server for authentication. How can I do this where
on a domain-by-domain basis? (i.e. each domain is authenticated by a
different dovecot server)


one dovecot auth server to more then one postfix, and lda/pop3/imap,
and admin is then just postfixadmin, i cant see the problem here

ask help on dovecot maillist since its not really a postfix problem


Other way round, which is a postfix issue :)

I'm trying to use a single postfix server for many dovecot auth servers


make sasl auth against a DB (ldap or sql) via dovecot.
Postfix -> dovecot sasl -> user db.

This way you can use as many proxies as you want.


Re: Network Ideas

2011-01-11 Thread John Adams

On 11.01.2011 13:47, Jonathan Tripathy wrote:

On 11.01.2011 13:27, Jonathan Tripathy wrote:

On Tue 11 Jan 2011 11:52:12 CET, Jonathan Tripathy wrote


I guess another way to do this would be to have the "front end
smtp-out" server do the sending itself and ask a customer's
respective dovecot server for authentication. How can I do this where
on a domain-by-domain basis? (i.e. each domain is authenticated by a
different dovecot server)


one dovecot auth server to more then one postfix, and lda/pop3/imap,
and admin is then just postfixadmin, i cant see the problem here

ask help on dovecot maillist since its not really a postfix problem


Other way round, which is a postfix issue :)

I'm trying to use a single postfix server for many dovecot auth servers


make sasl auth against a DB (ldap or sql) via dovecot.
Postfix -> dovecot sasl -> user db.

This way you can use as many proxies as you want.

Yes, this is how it's done normally. But when a request comes into
postfix, how will postfix know which dovecot server to authenticate
against?


Postfix doesn't care. Dovecot does.


Re: Network Ideas

2011-01-11 Thread John Adams

On 11.01.2011 13:56, Jonathan Tripathy wrote:

On 11.01.2011 13:47, Jonathan Tripathy wrote:

On 11.01.2011 13:27, Jonathan Tripathy wrote:

On Tue 11 Jan 2011 11:52:12 CET, Jonathan Tripathy wrote


I guess another way to do this would be to have the "front end
smtp-out" server do the sending itself and ask a customer's
respective dovecot server for authentication. How can I do this
where
on a domain-by-domain basis? (i.e. each domain is authenticated by a
different dovecot server)


one dovecot auth server to more then one postfix, and lda/pop3/imap,
and admin is then just postfixadmin, i cant see the problem here

ask help on dovecot maillist since its not really a postfix problem


Other way round, which is a postfix issue :)

I'm trying to use a single postfix server for many dovecot auth
servers


make sasl auth against a DB (ldap or sql) via dovecot.
Postfix -> dovecot sasl -> user db.

This way you can use as many proxies as you want.

Yes, this is how it's done normally. But when a request comes into
postfix, how will postfix know which dovecot server to authenticate
against?


Postfix doesn't care. Dovecot does.

I don't follow, sorry


Postfix is only required to know the result of the query that dovecot does.
Dovecot asks the userdb (via e.g. sql): select 'whatever' as result from 
MyUserDB where user='unixusername' and password='password';
Dovecot returns the result to postfix. Postfix allows or does not allow 
the auth'ed or not auth'ed user to relay.


This is a dovecot question. RTFM dovecot (their online help is really 
good - got it from there, too) or ask their list.


Re: Network Ideas

2011-01-11 Thread John Adams

On 11.01.2011 14:10, Jonathan Tripathy wrote:

On 11.01.2011 13:56, Jonathan Tripathy wrote:

On 11.01.2011 13:47, Jonathan Tripathy wrote:

On 11.01.2011 13:27, Jonathan Tripathy wrote:

On Tue 11 Jan 2011 11:52:12 CET, Jonathan Tripathy wrote


I guess another way to do this would be to have the "front end
smtp-out" server do the sending itself and ask a customer's
respective dovecot server for authentication. How can I do this
where
on a domain-by-domain basis? (i.e. each domain is authenticated
by a
different dovecot server)


one dovecot auth server to more then one postfix, and
lda/pop3/imap,
and admin is then just postfixadmin, i cant see the problem here

ask help on dovecot maillist since its not really a postfix problem


Other way round, which is a postfix issue :)

I'm trying to use a single postfix server for many dovecot auth
servers


make sasl auth against a DB (ldap or sql) via dovecot.
Postfix -> dovecot sasl -> user db.

This way you can use as many proxies as you want.

Yes, this is how it's done normally. But when a request comes into
postfix, how will postfix know which dovecot server to authenticate
against?


Postfix doesn't care. Dovecot does.

I don't follow, sorry


Postfix is only required to know the result of the query that dovecot
does.
Dovecot asks the userdb (via e.g. sql): select 'whatever' as result
from MyUserDB where user='unixusername' and password='password';
Dovecot returns the result to postfix. Postfix allows or does not
allow the auth'ed or not auth'ed user to relay.

This is a dovecot question. RTFM dovecot (their online help is really
good - got it from there, too) or ask their list.

Ah! So you're saying that I should run Dovecot on the "Front End"
servers, and get dovecot to authenticate directly with the customer
database running on the customer servers?

So there must be a way for dovecot to ask different databases depending
on domain..


That depends on how you design your userdb. There's really a fine 
documentation about exactly this topic on the dovecot web page. Look it up.


Re: Success story: smtpd_reject_footer

2011-01-11 Thread John Adams

On 11.01.2011 21:46, Ralf Hildebrandt wrote:

smtpd_reject_footer = Contact postmaster at charite.de for assistance
caused a SIGNIFICANT increase in postmaster tickets :|

So users do read.



drop the technical gibberish and suddenly people understand you :)


Re: Success story: smtpd_reject_footer

2011-01-11 Thread John Adams

On 11.01.2011 21:50, Ralf Hildebrandt wrote:

* John Adams:


drop the technical gibberish and suddenly people understand you :)


Hey, I didn't drop that, I just added one line :)



Now, if you replace the technical gibberish by something people 
understand you will get less tickets :)
The line you added just suggests that. They call you because they don't 
understand our language.


Re: Network Ideas

2011-01-12 Thread John Adams

On 12.01.2011 12:03, Jonathan Tripathy wrote:


On 12/01/11 10:45, John Doe wrote:

From: Jonathan Tripathy

> While your idea would work in HA mode, would that cause any problems
if both
postfix servers were used at the same time? (i.e. load balanced)

In fact I may be able to answer my own question by saying yes, it
would cause
a problem as you're not supposed to write to a DRBD secondary...

I saw some active-active DRBD howtos; but they used filesystems
like OCFS2 or GFS
and such...
http://www.sourceware.org/cluster/wiki/DRBD_Cookbook
But I am no expert...

JD


If I used a nfs cluster, I could use both postfix server at the same
time, couldn't i?


these questions you should really ask in the heartbeat/drbd mailinglist(s).
Just one hint: think about complexity in an active-active cluster 
running ocfs2 and mail. Think about file locking.
Building this is one thing. Managing the unexpected afterwards is 
another thing.





Re: Network Ideas

2011-01-12 Thread John Adams

On 12.01.2011 14:36, Steve wrote:


Original Message

Date: Wed, 12 Jan 2011 13:47:00 +0100
From: John Adams
To: postfix-users@postfix.org
Subject: Re: Network Ideas



On 12.01.2011 12:03, Jonathan Tripathy wrote:


On 12/01/11 10:45, John Doe wrote:

From: Jonathan Tripathy


While your idea would work in HA mode, would that cause any problems

if both
postfix servers were used at the same time? (i.e. load balanced)

In fact I may be able to answer my own question by saying yes, it
would cause
a problem as you're not supposed to write to a DRBD secondary...

I saw some active-active DRBD howtos; but they used filesystems
like OCFS2 or GFS
and such...
http://www.sourceware.org/cluster/wiki/DRBD_Cookbook
But I am no expert...

JD


If I used an NFS cluster, I could use both postfix servers at the same
time, couldn't I?


These questions you should really ask on the heartbeat/drbd
mailing list(s).
Just one hint: think about complexity in an active-active cluster
running ocfs2 and mail. Think about file locking.
Building this is one thing. Managing the unexpected afterwards is
another thing.


I run a two node mail server using GlusterFS with replication. It is ultra easy 
to set up. File locking in mail environments is no big issue. Mostly mail 
arrives on one of the mx nodes, gets processed and then passed to the delivery 
agent, the delivery agent then saves the mail (in my case maildir format) into 
the final destination. In the whole processing there is almost no locking 
involved since the mail saved in the maildir has a unique number and that 
alone mostly avoids the need for locking. The POP/IMAP server then does the 
indexing and this is the place where locking is/can be involved. But a good 
IMAP/POP server can handle that (dovecot can).

The whole storage part works so well that I often forget that it is clustered. 
The good thing about GlusterFS is that I can add as many active nodes as I like.

The only part where you have to take care with clustered mail servers or an 
n-node mail server setup is the other things that you glue into the mail 
server. Things like greylisting, antispam, mailing list software, etc... This 
kind of stuff needs to be cluster aware. The storage is the lesser problem 
IMHO.


This is exactly what I mean. You have to be aware of all these little 
things that can turn out to be very nasty one day. Thanks for your input.
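The Maildir delivery pattern described in the quoted post, as an added example that is not part of the thread: the message is written under tmp/ with a name built from time, process id, a counter and the node's hostname, then linked into new/, so two cluster nodes never need a lock to avoid each other. The function names and the hostnames mx1/mx2.example.org are assumptions made for this sketch.

```python
import itertools
import os
import socket
import tempfile
import time

_seq = itertools.count()  # per-process delivery counter

def unique_name(hostname=None):
    """<time>.P<pid>Q<counter>.<host>: unique per node, process and delivery."""
    host = hostname or socket.gethostname()
    # "/" and ":" must not appear in a Maildir file name; encode them as octal escapes
    host = host.replace("/", "\\057").replace(":", "\\072")
    return "%d.P%dQ%d.%s" % (time.time(), os.getpid(), next(_seq), host)

def deliver(maildir, message, hostname=None):
    """Store one message (bytes) and return its final path under new/."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(maildir, sub), mode=0o700, exist_ok=True)
    name = unique_name(hostname)
    tmp_path = os.path.join(maildir, "tmp", name)
    new_path = os.path.join(maildir, "new", name)
    # O_EXCL: creation fails instead of overwriting if the name is already taken
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(message)
            fh.flush()
            os.fsync(fh.fileno())  # data is on disk before the message becomes visible
        # link() is atomic and refuses to replace an existing file in new/
        os.link(tmp_path, new_path)
    finally:
        os.unlink(tmp_path)
    return new_path

def demo():
    """Constructed demo: two cluster nodes deliver into one shared Maildir."""
    with tempfile.TemporaryDirectory() as box:
        a = deliver(box, b"Subject: one\n\nfrom node A\n", hostname="mx1.example.org")
        b = deliver(box, b"Subject: two\n\nfrom node B\n", hostname="mx2.example.org")
        new_files = sorted(os.listdir(os.path.join(box, "new")))
        tmp_files = os.listdir(os.path.join(box, "tmp"))
        return a != b, new_files, tmp_files
```

Readers only ever look in new/ and cur/, so a half-written file in tmp/ is never served; the index files kept by the IMAP server are the part that still needs locking.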


Re: Create a custom autoresponder for postfix

2011-01-17 Thread John Adams

On 17.01.2011 10:38, roby65 wrote:


Hi guys,

I'm using goldfish as autoresponder for now, but here comes the problem:
I looked at the source and I understood it, but I need that when an email
arrives, an autoresponse is sent also if the email is read by the receiver
(the goldfish script checks the "new" folder for emails, but the emails are
removed from there if they are read so it doesn't work if the receiver reads
the mail before the script is executed).

Is there a workaround or a way to do what I need without installing anything
more on my server?

Roby


Hi

If the solution does not have to be in Postfix, you can use sieve within 
imap for individual auto responders. Works quite nicely with 
dovecot+managesieve.


John


Re: Postfix autoresponder and transport problem

2011-01-18 Thread John Adams

On 18.01.2011 17:37, roby65 wrote:


Hi guys,
I finally made it in the intent of adding an autoresponder to my postfix
server, and it works, but it creates problems with dovecot!

This is what I've done:

master.cf:
vacation  unix  -       n       n       -       -       pipe
  flags=DRhu user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} ${recipient}

transport:
myu...@mydomain.com vacation

Here is the problem:
when I send a message to this account, I get the autoreply (this is ok) but
the receiving account doesn't receive the mail I send (I think because the
autoresponder plugin gets it and dovecot doesn't get the email).

How to fix it?


As I suggested yesterday. Use dovecot+sieve. All your problems will 
vanish. It's really worth the "trouble".


John



Re: Postfix autoresponder and transport problem

2011-01-19 Thread John Adams

On 19.01.2011 09:16, roby65 wrote:


OK, the aliases thing is not possible for me and creates a lot of
trouble for me...
Can you link me to a tutorial for configuring sieve?

Thanks,
Roby


John Adams-19 wrote:


On 18.01.2011 17:37, roby65 wrote:


Hi guys,
I finally made it in the intent of adding an autoresponder to my postfix
server, and it works, but it creates problems with dovecot!

This is what I've done:

master.cf:
vacation  unix  -       n       n       -       -       pipe
  flags=DRhu user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} ${recipient}

transport:
myu...@mydomain.com vacation

Here is the problem:
when I send a message to this account, I get the autoreply (this is ok) but
the receiving account doesn't receive the mail I send (I think because the
autoresponder plugin gets it and dovecot doesn't get the email).

How to fix it?


As I suggested yesterday. Use dovecot+sieve. All your problems will
vanish. It's really worth the "trouble".

John







I RTFM'ed this documentation:
http://wiki.dovecot.org/LDA/Sieve/Dovecot

Making sieve work requires patching the dovecot sources and recompiling. 
It's all in the link above.
Then, set up a webmail that supports sieve scripts. I use Squirrelmail 
with the sieve plugin. I think roundcube has also somewhere hidden 
somebody who wrote a sieve supporting add-on. Horde/IMP do as well 
support sieve in quite a user friendly way.
There is a thunderbird sieve extension. I found it to be a good start 
but I could not expect normal users to write sieve scripts.


John




Re: Postfix autoresponder and transport problem

2011-01-19 Thread John Adams

On 19.01.2011 09:32, John Adams wrote:

On 19.01.2011 09:16, roby65 wrote:


OK, the aliases thing is not possible for me and creates a lot of
trouble for me...
Can you link me to a tutorial for configuring sieve?

Thanks,
Roby


John Adams-19 wrote:


On 18.01.2011 17:37, roby65 wrote:


Hi guys,
I finally made it in the intent of adding an autoresponder to my postfix
server, and it works, but it creates problems with dovecot!

This is what I've done:

master.cf:
vacation  unix  -       n       n       -       -       pipe
  flags=DRhu user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} ${recipient}

transport:
myu...@mydomain.com vacation

Here is the problem:
when I send a message to this account, I get the autoreply (this is ok) but
the receiving account doesn't receive the mail I send (I think because the
autoresponder plugin gets it and dovecot doesn't get the email).

How to fix it?


As I suggested yesterday. Use dovecot+sieve. All your problems will
vanish. It's really worth the "trouble".

John







I RTFM'ed this documentation:
http://wiki.dovecot.org/LDA/Sieve/Dovecot

Making sieve work requires patching the dovecot sources and recompiling.
It's all in the link above.
Then, set up a webmail that supports sieve scripts. I use Squirrelmail
with the sieve plugin. I think roundcube has also somewhere hidden
somebody who wrote a sieve supporting add-on. Horde/IMP do as well
support sieve in quite a user friendly way.
There is a thunderbird sieve extension. I found it to be a good start
but I could not expect normal users to write sieve scripts.

John


I forgot to say that I run dovecot 1.2.x, not 2.0.x. I don't know 
whether 2.0 still needs to be recompiled with sieve support.


Re: Reliably distinguishing authorized vs unauthorized users

2011-01-19 Thread John Adams

On 19.01.2011 21:03, Ron Garret wrote:

I am working on a spam filter.  I want both incoming and outgoing messages to go through 
the filter, not because the outgoing messages need to be filtered, but because I want the 
filter to know who my authorized users have sent messages to because that is a very 
reliable indicator of non-spam. My setup requires users to authenticate, so postfix knows 
who they are.  My question is: is there a reliable way to pass this information to a 
filter?  I can't find anything about this in the documentation.  Reverse engineering 
indicates that postfix puts an "Authenticated sender" note in the received-from 
header, but that can be forged.  Is there a reliable way for a filter to tell if a 
message is from an authenticated user?

Thanks,
rg



Yes, spamassassin+amavisd-new.
spamassassin recognizes the authentication header put there by postfix.
There's plenty of documentation around how to do this kind of setup.

John
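A sketch of the check a filter can make on that header, added here as an example and not code from the thread, from Postfix or from SpamAssassin. It assumes smtpd_sasl_authenticated_header = yes, that the filter sees the message with the receiving server's own Received header on top, and that Postfix writes the note directly before its "by" clause; the hostnames, addresses and sample messages are constructed.

```python
import email
import re

# The note only counts when it is the last thing before the server's "by" clause
AUTH_NOTE = re.compile(r"\(Authenticated sender: ([^()\s]+)\)$")

def authenticated_sender(raw_message, my_hostname):
    """Return the SASL login recorded by our own MTA, or None.

    Only the first Received header is examined: every hop prepends its own,
    so anything the client supplied sits below the one our server wrote.
    """
    msg = email.message_from_bytes(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())  # unfold continuation lines
    # Anchor on the last "by" clause and require it to name this server
    before, sep, after = top.rpartition(" by ")
    if not sep or after.split(" ", 1)[0].lower() != my_hostname.lower():
        return None
    match = AUTH_NOTE.search(before)
    return match.group(1) if match else None

# Constructed sample: authenticated submission as recorded by mail.example.org
GENUINE = (
    b"Received: from laptop.example.net (unknown [192.0.2.10])\n"
    b"\t(Authenticated sender: alice)\n"
    b"\tby mail.example.org (Postfix) with ESMTPSA id 4F1A2C0123\n"
    b"\tfor <bob@example.com>; Wed, 19 Jan 2011 21:03:00 +0100 (CET)\n"
    b"From: alice@example.org\nTo: bob@example.com\nSubject: hi\n\nbody\n"
)

# Constructed sample: unauthenticated session whose message body of headers
# carries a client-supplied Received line imitating the note
FORGED = (
    b"Received: from host.example.net (unknown [203.0.113.5])\n"
    b"\tby mail.example.org (Postfix) with ESMTP id 9B2D4E0456\n"
    b"\tfor <bob@example.com>; Wed, 19 Jan 2011 21:04:00 +0100 (CET)\n"
    b"Received: from inside (unknown [10.0.0.1])\n"
    b"\t(Authenticated sender: admin)\n"
    b"\tby mail.example.org (Postfix) with ESMTPSA id 0000000000;\n"
    b"\tWed, 19 Jan 2011 21:00:00 +0100 (CET)\n"
    b"From: admin@example.org\nTo: bob@example.com\nSubject: hi\n\nbody\n"
)
```

The decision rests on the header's position, not its text: a lower Received line with the same wording is ignored because the server did not write it.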




Re: filter emails not only by domain

2011-01-20 Thread John Adams

On 20.01.2011 17:34, Andrea Scarso wrote:

Hi,
I need to make a configuration to send mails as below:

u...@domain.com >  IP1
user.to...@domain.com >  IP2

So i added on transport_maps:
domain.com smtp:[IP1]

and on header_checks:
/^to:.*\.town1@domain\.com/   FILTER smtp:[IP2]

It's ugly, but it works... obviously EXCEPT for mails sent to both addresses.
In fact if I send to us...@domain.com and in copy to
user2.to...@domain.com, the FILTER sends the mail to IP2 only.

Is there a way to make postfix send one mail to us...@domain.com via
IP1, and one mail to user2.to...@domain.com via IP2?

I know a third level domain should be used, but I'm not the admin of
the domain.com servers.

Thanks!
Andrea


Hi Andrea,

If I get you right you want filtering (or no filtering) per domain.
Try restriction classes.
http://www.postfix.org/RESTRICTION_CLASS_README.html

John


Re: smtpd: warning: network_biopair_interop: error writing 53 bytes to the network: Broken pipe AND spamass-milter config & disable SMTP-AUTH on port 25

2011-01-25 Thread John Adams

On 25.01.2011 15:33, Wietse Venema wrote:


With Postfix 2.8 I removed the network_biopair_interop
layer, so it won't report network_biopair_interop errors anymore.


Thanks, Wietse.




Re: Vacation with maildir format ?

2011-02-03 Thread John Adams

On 03.02.2011 10:24, Frank Bonnet wrote:

Hello

I'm migrating my mailhub.

On the fly I'm converting the mailboxes format from MBOX to Maildir
and I wonder how to use the vacation program (or equivalent) with
Maildir format?

Thanks for any info, links ... etc.




Hi

Take a look at dovecot and sieve.
I think that is the most appropriate way to do vacation.
http://wiki.dovecot.org/LDA/Sieve

John


Re: How to configure postfix to reject every incoming mail with a temporary error?

2011-02-20 Thread John Adams

http://people.ee.ethz.ch/~maegger/ieee/bad_smtp_connection.jpg


You get a lot of duplicates. This could indicate a network problem.