Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread John Peach

On 9/16/19 8:47 AM, Paul van der Vlis wrote:

Hello,

How can I refuse mail from hosts who don't have an open port 25?

What do you think of such a check?



DO NOT DO THIS!

A significant number of installations will use different servers for 
inbound and outbound email. What is worth checking, is that the sender 
has MX records.




Is there more needed?  E.g. a list of exceptions for some big providers?

Background:
I've investigated why somebody did not receive mail from a virtual
machine, and I found out her provider (reviced.nl) refuses all mail from
a host that does not have port 25 open. I have many problems with spam
and I would like to reduce it.








--
John
PGP Public Key: 412934AC


Re: GEO IP based restrictions?

2019-05-14 Thread John Peach

On 5/14/19 1:41 PM, @lbutlr wrote:

Has anyone implemented geo based restrictions for postfix login connections, or 
is this something that needs to be done in dovecot?

I was thinking some way to add most of Asia and Eastern Europe to postscreen 
checks would be useful?



You can always use access_client and reject based on TLD. I ban most of 
the new TLDs that are used for nothing but spam and Eastern Europe.


I use the geo-ip extension to iptables for restricting IMAP access.



--
John
PGP Public Key: 412934AC


Re: spam from own email address

2019-04-23 Thread John Peach

On 4/23/19 11:54 AM, Ralph Seichter wrote:

* John Peach:


/^From:.*\@example\.com/ REJECT


This header check will not catch the envelope sender, so I suggest
adding "check_sender_access pcre:/path/to/sender_access" to the mix
(file content according to your needs, of course).


It is not meant to catch the envelope sender. That should be in your 
normal checks. This is specifically for the data From:, which is what 
these are using.





-Ralph






--
John
PGP Public Key: 412934AC


Re: spam from own email address

2019-04-23 Thread John Peach

On 4/23/19 11:39 AM, Paul wrote:

Yes I agree with Kevin here, the best solution to this problem is an spf record 
set to reject mail from any ip that’s not in your allowed list of ips for your 
domain. Forging a from address is very easy and is one of the main purposes of 
why spf was created.


There is no need to go to those lengths - assuming that all your own 
email is being submitted over port 587, include -o 
receive_override_options=no_header_body_checks in the master.cf entry 
for submission and use a PCRE header checks file for port 25.


/^From:.*\@example\.com/ REJECT



Sent from my iPhone


On Apr 23, 2019, at 11:26 AM, Kevin A. McGrail  wrote:


On 4/23/2019 10:02 AM, Ian Jones wrote:
I am getting emails like the one below, in which the header from is my
own address.


Ian, are you using Apache SpamAssassin or something in the mix?  I've
published a lot of rules for these sexploitation scams in KAM.cf and
with an SPF record, you really shouldn't get these in your inbox.


Regards,

KAM






--
John
PGP Public Key: 412934AC


Re: Discard subject UTF8

2019-02-28 Thread John Peach

On 2/28/19 8:51 AM, Emanuel wrote:

it's not what I need thanks.

El 28/2/19 a las 10:45, Bastian Blank escribió:

ou block the users sending them.


It probably is - legitimate Amazon email comes from servers in 
amazonses.com - block email purporting to be from Amazon if the server 
is not in that domain.




--
John
PGP Public Key: 412934AC


Re: Open Relay on local lan

2018-07-25 Thread John Peach

On 07/25/2018 01:36 PM, @lbutlr wrote:


On 24 Jul 2018, at 11:31, Software Information  
wrote:

Recently though, auditors made a deal that the server is an open relay.


Based on the rest of this thread, it sounds very much like the auditors are 
incompetent. I mean, not knowing what an open relay is is concerning.


I still remember trying to explain to auditors why I did not have AV on 
a Solaris server and, having won that battle, having to prove it really 
was Solaris.











--
John
PGP Public Key: 412934AC


Re: Question regarding use of amavisd-new

2017-12-13 Thread John Peach

On 12/13/2017 10:52 AM, L.P.H. van Belle wrote:

Hai,


mailscanner runs fine here for about 5-6 years now, with postfix.
Mailscanner + postfix (postscreen) rules here :-)


You *think* it's been running fine. When the author of postfix 
specifically warns against using it, it would be foolhardy to ignore him.




But if you want a quicky to test.
https://efa-project.org/  = Mailscanner + mailwatch +... Lots of extra's.


Greetz,

Louis




-Oorspronkelijk bericht-
Van: postfixlists-070...@billmail.scconsult.com
[mailto:owner-postfix-us...@postfix.org] Namens Bill Cole
Verzonden: woensdag 13 december 2017 16:46
Aan: Postfix users
Onderwerp: Re: Question regarding use of amavisd-new

On 13 Dec 2017, at 4:45 (-0500), Maarten wrote:


According to  their documentation using MailScanner with

postfix works

too.

https://www.mailscanner.info/postfix/


Yes, and there's a link at the bottom of that page to the postfix.org
add-on page which specifically warns against MailScanner.


What would be the advantage to switching to something like
amavisd-new?


The advantage to something that uses the SMTP Proxy interface or the
Milter interface is that you can trust that it won't be
broken without
warning or documentation in a future Postfix release. Apart from the
risk that it relies on Postfix not changing queue structures and
behaviors which are explicitly unsupported and subject to change,
MailScanner works directly with the Postfix queue in a way
that Wietse
has been saying for years is already not safe. I haven't analyzed the
Postfix queue-handling code (life is too short...) but I trust his
judgment of safety in working with the Postfix queue over
that of anyone
who didn't write that code. The MailScanner argument
(essentially that
what they do doesn't break enough to notice) is entirely unpersuasive.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole









--
John
PGP Public Key: 412934AC


Re: regexp for allowing helo host

2016-11-15 Thread John Peach
On 11/15/16 13:43, Eric Abrahamsen wrote:
> I'm trying to successfully receive emails from my state's health care
> service, which is apparently broken in the way it sends emails. These
> are the errors:
> 
> ericabrahamsen.net/smtpd[24193]: warning: hostname\
>  mail-relay.secure-24.net does not resolve to address 199.71.239.178


You could just whitelist 199.71.236.0/22

> 
> ericabrahamsen.net/smtpd[24193]: NOQUEUE: reject: RCPT from\
>  unknown[199.71.239.178]: 550 5.7.1\
>  : Helo command rejected: Host\
>  not found; from=\
>  to= proto=ESMTP\
>  helo=
> 
> The helo host seems to change every time; at least there are a lot of
> them.
> 
> I just want to check here: is it safe to change my check_helo_access
> from a hash to a regexp, and do:
> 
> /msp.secure-24.net/ OK
> 
> Is that likely to cause me any problems?
> 
> Thanks!
> Eric
> 




-- 
John
PGP Public Key: 412934AC
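
The two options in this thread side by side, as an added example that is not part of the original posts: the regexp line as proposed, a stricter variant, and the /22 client whitelist, evaluated with a small emulation of first-match regexp-table lookup. The HELO names and the stricter pattern are constructed assumptions, since the thread does not show the real names.

```python
import ipaddress
import re

# Table lines in Postfix regexp-table form: /pattern/ action
POSTED_TABLE = "/msp.secure-24.net/ OK\n"   # as proposed in the thread
# Assumption: legitimate HELO names are one label under msp.secure-24.net.
STRICT_TABLE = r"/^[a-z0-9-]+\.msp\.secure-24\.net$/ OK" + "\n"

# Constructed HELO names; none of them comes from the thread.
SAMPLE_HELOS = [
    "out7.msp.secure-24.net",            # the kind of name the rule is meant for
    "msp.secure-24.net.mail.example",    # pattern appears as a prefix only
    "mspxsecure-24ynet.example",         # unescaped dots match any character
    "mail.example.org",                  # unrelated host
]


def parse_regexp_table(text):
    """Return [(compiled_pattern, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.+)/\s+(\S.*)$", line)
        if m is None:
            raise ValueError("not a /pattern/ action line: %r" % line)
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup(rules, key):
    """First matching pattern wins; None means no rule matched."""
    for pattern, action in rules:
        if pattern.search(key):
            return action
    return None


def client_whitelisted(addr, network="199.71.236.0/22"):
    """The alternative from the reply: decide on the client address instead."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network)


def compare(helos):
    """Map each HELO name to (result of posted rule, result of strict rule)."""
    posted = parse_regexp_table(POSTED_TABLE)
    strict = parse_regexp_table(STRICT_TABLE)
    return {h: (lookup(posted, h), lookup(strict, h)) for h in helos}


if __name__ == "__main__":
    for helo, (loose, tight) in compare(SAMPLE_HELOS).items():
        print("%-34s posted=%-5s strict=%s" % (helo, loose, tight))
    print("199.71.239.178 in 199.71.236.0/22:",
          client_whitelisted("199.71.239.178"))
```

The HELO name is chosen by the sending side, so an unanchored `OK` rule accepts any name that merely contains the pattern; the client address range is not under the sender's control in the same way.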


Re: Postfix + relayhost via riseup.net = Problems?

2014-03-22 Thread John Peach
On Sat, 22 Mar 2014 19:45:08 +0200
Anonymous12 anonymou...@riseup.net wrote:

[snip]
  show your /etc/postfix/sasl_passwd with passwords replaced and the rest 
  untouched
  
  OS: Ubuntu 12.04 LTS
  I'll not show what packages I have installed as I see no reason to
  
  well then help yourself, nobody asked for all installed packages
  only the relevant sasl ones
  
  if i type yum remove cyrus-sasl-md5 cyrus-sasl-plain i get also
  no mechanism available for very clear reasons, thats all
  
 
 root@vps44713:~# apt-get install cyrus-sasl-md5 cyrus-sasl-plain
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 E: Unable to locate package cyrus-sasl-md5
 E: Unable to locate package cyrus-sasl-plain
 
 OS is debian based.
 
 250-AUTH LOGIN PLAIN
 250-AUTH=LOGIN PLAIN
 
 What package do I need installed?
 
 
 
Oh dear, are you sure you should be managing a linux system, let alone
a mailserver?

apt-cache search sasl

suggests that libsasl2-2 may be what you need.


-- 
John
PGP Public Key: 412934AC




Re: SMTP sender accepted when from a different domain

2013-08-30 Thread John Peach
On Fri, 30 Aug 2013 15:52:22 -0400
Jean-Sébastien Nicaise jsnica...@gmail.com wrote:

 On Fri, Aug 30, 2013 at 3:48 PM, John Peach post...@johnpeach.com wrote:
 
  On Fri, 30 Aug 2013 15:43:01 -0400
  Jean-Sébastien Nicaise jsnica...@gmail.com wrote:
 
  [snip]
  
   I'm hoping for something simple like: user sends an email. Postfix looks
  at
   MAIL FROM. Is the email address part of $mydomain? if so, relay mail. If
   not, don't relay mail.
 
  You really, really do NOT want that. Anyone can then spoof your address
  and you are an open relay.
 
 
 
 
  --
  John
  PGP Public Key: 412934AC
 
 
 How would restricting local users make me an open relay?

You are not restricting to local users, but to anyone claiming to be a
local user. $mynetworks is the way to restrict to local users, or use
authentication.



-- 
John
PGP Public Key: 412934AC
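
The difference argued in this thread, as an added example that is not part of the original posts: a relay decision keyed on the MAIL FROM domain next to one keyed on client identity (the logic of `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`). The domain, networks and sessions are constructed, and the functions are a simplified model, not Postfix code.

```python
import ipaddress

MYDOMAIN = "example.com"  # constructed local domain
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.2.0/24")]

# Constructed SMTP sessions: who connected, what they claimed, where mail goes.
SESSIONS = {
    "lan client": dict(client_ip="192.168.2.10", sasl_user=None,
                       mail_from="alice@example.com", rcpt_to="bob@other.example"),
    "outside, claims local sender": dict(client_ip="203.0.113.50", sasl_user=None,
                       mail_from="alice@example.com", rcpt_to="someone@other.example"),
    "outside, authenticated": dict(client_ip="203.0.113.77", sasl_user="alice",
                       mail_from="alice@example.com", rcpt_to="bob@other.example"),
    "inbound mail": dict(client_ip="198.51.100.9", sasl_user=None,
                       mail_from="carol@remote.example", rcpt_to="alice@example.com"),
}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MYNETWORKS)


def sender_domain_policy(s):
    """The rule asked for in the thread: believe whatever MAIL FROM says."""
    if domain_of(s["rcpt_to"]) == MYDOMAIN:
        return "deliver"
    if domain_of(s["mail_from"]) == MYDOMAIN:
        return "relay"          # the claim is unauthenticated
    return "reject"


def client_identity_policy(s):
    """Relay only for clients identified by network address or SASL login."""
    if in_mynetworks(s["client_ip"]) or s["sasl_user"]:
        return "relay"
    if domain_of(s["rcpt_to"]) == MYDOMAIN:
        return "deliver"        # final destination is ours
    return "reject"             # reject_unauth_destination


def evaluate(sessions=SESSIONS):
    """Map session name to (sender-domain verdict, client-identity verdict)."""
    return {name: (sender_domain_policy(s), client_identity_policy(s))
            for name, s in sessions.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print("%-30s sender-domain=%-8s client-identity=%s" % ((name,) + verdicts))
```

Only the second session differs between the two policies, and it is the case the reply warns about.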




Re: Does Postfix understand MX 0 . ?

2013-06-25 Thread John Peach
On Tue, 25 Jun 2013 18:22:22 +0100
Jim Reid j...@rfc1035.com wrote:

 On 25 Jun 2013, at 18:01, John Levine jo...@iecc.com wrote:
 
  There is a somewhat popular convention that if a domain publishes an
  MX like this:
  
   whatever.example MX 0 .
  
  it means the domain does not receive mail.
 
 Well yes. But it only works as long as there are no A or  records for . 
 in the root zone. If that was ever to change, anyone who adopted this Bad 
 Idea will be in for a nasty surprise.

It's useful for rejecting email that purports to be from that domain

[snip]

-- 
John
GPG Public Key: 412934AC


Re: Too much traffic

2013-04-02 Thread John Peach
On Tue, 2 Apr 2013 11:25:09 -0300
Fernando Maior fernando.souto.ma...@gmail.com wrote:

 Hi,
 
 I am not a specialist in Postfix, just a common admin. Yet, I can
 see two things from your message:
 
1. You sure have a DNS resolution problem. No external server
 should be resolved to 192.168.x.x, that is an internal network. Also,
 the last two octets (255.255) are almost allways used for
 broadcasting packets in the network. The IP address for mx1.likya.com
 should never be 192.168.255.255;
2. Because of the DNS resolution problem, postfix is just trying to
connect to 192.168.255.255 to deliver the message to
 za...@likya.com, but could not, of course.
 
 I issued three commands:
 # dig likya.com ns
 # dig likya.com mx
 # host mx1.likya.com
 
 The first two seems that likya.com is configured correctly, instead
 the last command resolved to the IP address 192.168.255.255, that is
 wrong. So, problem with DNS resolution is with the admins of
 likya.com, not you. Best thing to do? I would just remove all entries
 in postfix queue that are for the wrong configured server (likya.com).
 
 Probably, someone at likya.com just made a wrong config. May be - in
 the interests of your users - you should try the likya.com site and
 look for a way to talk to them and tell them about the problem. Else
 you should keep an eye on the postfix queue and keep removing any
 messages for that domain, if they continue to pop.


in main.cf

check_sender_mx_access cidr:/etc/postfix/mx_access.cidr

and in mx_access.cidr:

192.168.0.0/16  REJECT MX in bogon address space



 
 Cheers,
 ---
 Fernando Maciel Souto Maior
 
 On Mon, Apr 1, 2013 at 3:25 AM, Ceyhun Ganioglu
 ceyhunganio...@gmail.com wrote:
 
  Hi everybody,
 
 
  I was using Postfix without any problems but last two months time
  the traffic usage of the server is increased too much. When I
  checked the mail queue I see emails for an account za...@likya.com
  which does not exist on my server. Below is an example how the mail
  queue looks like. I checked for open relay both manually and some
  online sites. There’s no open relay. Is this a kind of spam method?
  If yes, does anyone give me an idea how to fix it.
 
 
  Kindest Regards
 
  Ceyhun 
 
 
  Email queue:
 
 
  AC5A615038A  635 Mon Apr  1 03:47:47  za...@likya.com
 
   (connect to mx1.likya.com[192.168.255.255]: Connection
  timed out)
 
   za...@likya.com
 
 
  A05E7150098  635 Sat Mar 30 13:33:46  za...@likya.com
 
  (delivery temporarily suspended: connect to
  mx1.likya.com[192.168.255.255]: Connection timed out)
 
   za...@likya.com
 
 
  ABDC81500CB  641 Sun Mar 31 05:28:05  za...@likya.com
 
  (delivery temporarily suspended: connect to
  mx1.likya.com[192.168.255.255]: Connection timed out)
 
   za...@likya.com
 
 
  A333F150086 2786 Sat Mar 30 09:55:01  MAILER-DAEMON
 
  (delivery temporarily suspended: connect to
  mx1.likya.com[192.168.255.255]: Connection timed out)
 
   za...@likya.com
 
 
  A594015008E  629 Sat Mar 30 12:03:53  za...@likya.com
 
  (delivery temporarily suspended: connect to
  mx1.likya.com[192.168.255.255]: Connection timed out)
 
   za...@likya.com
 
 
  A122F150381  631 Mon Apr  1 00:34:18  za...@likya.com
 
  (delivery temporarily suspended: connect to
  mx1.likya.com[192.168.255.255]: Connection timed out)
 
   za...@likya.com
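
The sender-MX checks from the two threads above (the `MX 0 .` convention and `check_sender_mx_access` with a cidr table), as an added example that is not part of the original posts: a first-match cidr lookup applied to a domain's MX addresses. The DNS answers, the MX preference for likya.com and every table row after the first are constructed assumptions.

```python
import ipaddress

# First row is the one from the post; the other rows are added assumptions
# that extend the same idea to the remaining private and loopback ranges.
MX_ACCESS_CIDR = """\
192.168.0.0/16  REJECT MX in bogon address space
10.0.0.0/8      REJECT MX in bogon address space
172.16.0.0/12   REJECT MX in bogon address space
127.0.0.0/8     REJECT MX in loopback address space
"""

# Constructed DNS answers, so the example runs offline.
DNS = {
    "mx": {
        "likya.com": [(10, "mx1.likya.com.")],
        "whatever.example": [(0, ".")],          # "does not receive mail"
        "good.example": [(10, "mail.good.example.")],
        "nomx.example": [],
    },
    "a": {
        "mx1.likya.com.": ["192.168.255.255"],
        "mail.good.example.": ["198.51.100.25"],
    },
}


def parse_cidr_table(text):
    """Parse 'network action' lines into [(ip_network, action)] in file order."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, action = line.split(None, 1)
        table.append((ipaddress.ip_network(net), action))
    return table


def cidr_lookup(table, addr):
    """Return the action of the first network containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for net, action in table:
        if ip.version == net.version and ip in net:
            return action
    return None


def check_sender_mx(domain, dns=DNS, table=None):
    """Classify a sender domain by its MX records and their addresses."""
    table = table if table is not None else parse_cidr_table(MX_ACCESS_CIDR)
    mx = dns["mx"].get(domain, [])
    if not mx:
        return "NO_MX"
    # A single 'MX 0 .' record; later standardised as the null MX (RFC 7505).
    if len(mx) == 1 and mx[0] == (0, "."):
        return "NULL_MX"
    for _pref, host in sorted(mx):
        for addr in dns["a"].get(host, []):
            action = cidr_lookup(table, addr)
            if action is not None:
                return action
    return "OK"


if __name__ == "__main__":
    for d in DNS["mx"]:
        print("%-18s %s" % (d, check_sender_mx(d)))
```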
 


Re: Does this IP have reverse DNS?

2013-03-04 Thread John Peach
On Mon, 04 Mar 2013 12:06:20 -0600
Blake Hudson bl...@ispn.net wrote:

 Just hoping to get a consensus on this. Postfix is stating that a
 host (in fact several hosts from the same ISP) does not have rDNS,
 because our DNS (Bind 9.8) returns SERVFAIL when looking up a PTR
 record for it. The IP in question is 63.171.0.212. From my
 perspective, this IP does not have a PTR record and as such does not
 have proper rDNS. Other tools (including older versions of bind)
 might say otherwise; What do you say?

dig  +trace 212.0.171.63.in-addr.arpa

;  DiG 9.8.1-P1  +trace 212.0.171.63.in-addr.arpa
;; global options: +cmd
.   107196  IN  NS  c.root-servers.net.
.   107196  IN  NS  j.root-servers.net.
.   107196  IN  NS  h.root-servers.net.
.   107196  IN  NS  b.root-servers.net.
.   107196  IN  NS  e.root-servers.net.
.   107196  IN  NS  d.root-servers.net.
.   107196  IN  NS  a.root-servers.net.
.   107196  IN  NS  k.root-servers.net.
.   107196  IN  NS  f.root-servers.net.
.   107196  IN  NS  m.root-servers.net.
.   107196  IN  NS  l.root-servers.net.
.   107196  IN  NS  g.root-servers.net.
.   107196  IN  NS  i.root-servers.net.
;; Received 436 bytes from 192.168.1.2#53(192.168.1.2) in 29 ms

in-addr.arpa.   172800  IN  NS  e.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  a.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  b.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  f.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  c.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  d.in-addr-servers.arpa.
;; Received 419 bytes from 192.228.79.201#53(192.228.79.201) in 94 ms

63.in-addr.arpa.        86400   IN  NS  t.arin.net.
63.in-addr.arpa.        86400   IN  NS  z.arin.net.
63.in-addr.arpa.        86400   IN  NS  u.arin.net.
63.in-addr.arpa.        86400   IN  NS  w.arin.net.
63.in-addr.arpa.        86400   IN  NS  r.arin.net.
63.in-addr.arpa.        86400   IN  NS  y.arin.net.
63.in-addr.arpa.        86400   IN  NS  x.arin.net.
63.in-addr.arpa.        86400   IN  NS  v.arin.net.
;; Received 179 bytes from 199.212.0.73#53(199.212.0.73) in 20 ms

171.63.in-addr.arpa.    86400   IN  NS  NS3-AUTH.SPRINTLINK.NET.
171.63.in-addr.arpa.    86400   IN  NS  NS2-AUTH.SPRINTLINK.NET.
171.63.in-addr.arpa.    86400   IN  NS  NS1-AUTH.SPRINTLINK.NET.
;; Received 126 bytes from 199.212.0.63#53(199.212.0.63) in 18 ms

212.0.171.63.in-addr.arpa. 86400 IN CNAME 63.171.0.212.cust.lkq.sprintlink.net.
171.63.in-addr.arpa.    86400   IN  NS  ns1-auth.sprintlink.net.
171.63.in-addr.arpa.    86400   IN  NS  ns2-auth.sprintlink.net.
171.63.in-addr.arpa.    86400   IN  NS  ns3-auth.sprintlink.net.
;; Received 162 bytes from 144.228.255.10#53(144.228.255.10) in 35 ms

 
 --Blake*
 
 
 
 
 *


Re: Public free (libre) mailbox hosting service for everybody!

2013-02-28 Thread John Peach
On Thu, 28 Feb 2013 12:00:58 -0500
James Seymour jseym...@linxnet.com wrote:

 On Thu, 28 Feb 2013 18:51:15 +0200
 אנטולי קרסנר  tomback...@gmail.com wrote:
 
  No, the mailing list is a legitimate way to connect with all postfix
  users ...
 
 The mailing list I thought was supposed to be about Postfix, or at
 least vaguely Postfix-related, issues. By your logic: If I want to
 interact with all Postfix users on the subject of motorcycle repair,
 then it would be on-topic, because it's only Postfix users with whom I
 wish to discuss motorcycle repair?

+1




Re: destination_rate_delay and connection_reuse_time_limit

2013-01-09 Thread John Peach
On Wed, 9 Jan 2013 13:29:06 -0200
Rafael Azevedo - IAGENTE raf...@iagente.com.br wrote:

 I was watching my log files now looking for deferred errors, and for
 my surprise, we got temporary blocked by Yahoo on some SMTPs (ips),
 as shown:
 
 Jan  9 13:20:52 mxcluster yahoo/smtp[8593]: 6731A13A2D956: host
 mta5.am0.yahoodns.net[98.136.216.25] refused to talk to me: 421 4.7.0
 [TS02] Messages from X.X.X.X temporarily deferred - 4.16.56.1; see
 http://postmaster.yahoo.com/errors/421-ts02.html
 
 So guess what, I still have another 44k messages on active queue (a
 lot of them are probably to yahoo) and postfix is wasting its time
 and cpu trying to deliver to Yahoo when there's an active block.
 
 Yahoo suggests to try delivering in few hours, but we'll never get
 rid from the block if we keep trying while the block is active.
 
 This doesn't happens only with bulk senders. Many people use their
 hosting company to send few hundreds emails together with many other
 users sending legitimate mails from their mail clients… Eventually,
 one user will compromise all infrastructure and many people may have
 problem delivering their messages.
 
 There's gotta be a solution for this.

There is - you need to register your mailserver(s) with yahoo.

 
 - Rafael


Re: Why i cann't email to majord...@openssl.org

2012-09-15 Thread John Peach
On Sun, 16 Sep 2012 01:08:58 +0800
LEON l...@kingdest.com wrote:

 
 How to avoid receive the mail that i post to this mail list?

Stop posting to the list.

 
 
 On 09/16/2012 01:00 AM, Ralf Hildebrandt wrote:
 * LEON l...@kingdest.com:
 What command to get this information?
 
 host -t ns 54.107.218.in-addr.arpa
 


-- 
John


Re: Bulk Mailing Performance

2012-09-02 Thread John Peach
On Sun, 2 Sep 2012 22:46:10 +0200
Lorens Kockum postfix-users-4...@tagged.lorens.org wrote:

 The exact same question was sent by someone calling himself
 Ron White to the exim mailing list at almost exactly the same
 time. Peddling one's services by soliciting comparisons with
 competitors is so passé . . .

I find it rather useful; lets me know what I should be blocking
 


-- 
John


Re: amavisd debug:Permission denied

2012-07-12 Thread John Peach
On Fri, 13 Jul 2012 02:09:45 +0800
Feel Zhou feelz...@gmail.com wrote:

 Thank you very much
 My system is Centos6.2/64bit
 do not have the command sealert
 Maybe not install
 So I set setenforce 0, make selinux permissive
 And it has no change for debug log

Whichever system account you're running amavisd under does not have
permissions to write to that directory

[snip]


Re: Ubuntu Precise packaged 2.9.1 SSL 1.0.1

2012-06-26 Thread John Peach
On Tue, 26 Jun 2012 11:04:16 -0700
Daniel L. Miller dmil...@amfes.com wrote:

 After a recent Ubuntu server upgrade, the packaged versions of Postfix - 
 using Ubuntu's Precise version, as well as the security, updates, 
 and backports repositories - Postfix's TLS is broken with the known 
 SSL version issue:
 
 warning: TLS library problem: 4425:error:1408F10B:SSL 
 routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
 
 I've tried a couple different main.cf settings, including:
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 
 but the only option that has given me temporary functionality is:
 smtpd_tls_security_level=none
 
 Is there a way I can restore TLS functionality via configuration? Or is 
 an updated Postfix, possibly a self-compiled version, my only option?

I've not seen this at all, but I've always used:

smtpd_tls_security_level = may

This gives me TLS when the client wants to use it.


-- 
John


Re: problem with postfix configuration - Relay Access Denied

2012-06-19 Thread John Peach
On Tue, 19 Jun 2012 19:44:31 +0800
JonL jonl...@hotmail.com wrote:

 I'm getting the following in my mail logs for a new postfix system.
 OS = SuSE Linux Enterprise v10
 
 Thanks
 
 mail log error
 Jun 18 15:20:24 linux-srv postfix/smtpd[6509]: NOQUEUE: reject: RCPT from 
 emessenger.cisco.com[192.86.51.17]: 554 jlmil...@mmtnetworks.com.au: Relay 
 access denied; from=emsg-1474-18cf-repl...@emessenger.cisco.com 
 to=jlmil...@mmtnetworks.com.au proto=ESMTP helo=emessenger.cisco.com
 Jun 18 15:20:24 linux-srv postfix/smtpd[6509]: disconnect from 
 emessenger.cisco.com[192.86.51.17]
 Jun 18 15:20:29 linux-srv postfix/smtpd[6509]: connect from 
 ccm24.constantcontact.com[208.75.123.132]
 Jun 18 15:20:30 linux-srv postfix/smtpd[6509]: NOQUEUE: reject: RCPT from 
 ccm24.constantcontact.com[208.75.123.132]: 554 jlmil...@jlorenzo.com.au: 
 Relay access denied; 
 from=esc1110217818469_1110190421834_12336_...@in.constantcontact.com 
 to=jlmil...@jlorenzo.com.au proto=ESMTP helo=ccm24.constantcontact.com
 
 
 
 
 postconf

should be postconf -n

[snip]
 mydestination = $myhostname, localhost.$mydomain
 mydomain = mmtnetworks.com.au
 myhostname = linux-srv.mmtnetworks.com.au

jlorenzo.com.au is not there.


[snip]


-- 
john


Re: problem with postfix configuration - Relay Access Denied

2012-06-19 Thread John Peach
On Tue, 19 Jun 2012 20:08:33 +0800
Looks like you should read up on the basics.

Never try and postmap main.cf; it is not a map.

mydomain is just that - one domain. If you are accepting mail for
multiple domains use mydestination.

JonL jonl...@hotmail.com wrote:

 Sorry
 When I put in the 2nd domain this is what shows up in the mail log or when I 
 try to type a postmap command
 postmap: warning: valid_hostname: invalid character 44(decimal): 
 mmtnetworks.com.au,   jlorenzo.com.au
 postmap: fatal: file /etc/postfix/main.cf: parameter mydomain: bad parameter 
 value: mmtnetworks.com.au,   jlorenzo.com.au
 
 Jun 19 18:33:42 linux-srv postfix/master[1756]: reload configuration 
 /etc/postfix
 Jun 19 18:33:42 linux-srv postfix/master[1756]: warning: valid_hostname: 
 invalid character 44(decimal): mmtnetworks.com.au, jlorenzo.com.au
 Jun 19 18:33:42 linux-srv postfix/master[1756]: fatal: file 
 /etc/postfix/main.cf: parameter mydomain: bad parameter value: 
 mmtnetworks.com.au, jlorenzo.com.au
 Jun 19 18:33:42 linux-srv postfix[2103]: warning: valid_hostname: invalid 
 character 44(decimal): mmtnetworks.com.au, jlorenzo.com.au
 Jun 19 18:33:42 linux-srv postfix[2103]: fatal: file /etc/postfix/main.cf: 
 parameter mydomain: bad parameter value: mmtnetworks.com.au, jlorenzo.com.au
 
 
 postconf -n
 alias_maps = hash:/etc/aliases
 biff = no
 canonical_maps = hash:/etc/postfix/canonical
 command_directory = /usr/sbin
 config_directory = /etc/postfix
 daemon_directory = /usr/lib/postfix
 debug_peer_level = 2
 defer_transports =
 disable_dns_lookups = no
 disable_mime_output_conversion = no
 html_directory = /usr/share/doc/packages/postfix/html
 inet_interfaces = all
 inet_protocols = all
 mail_owner = postfix
 mail_spool_directory = /var/mail
 mailbox_command =
 mailbox_size_limit = 0
 mailbox_transport =
 mailq_path = /usr/bin/mailq
 manpage_directory = /usr/share/man
 masquerade_classes = envelope_sender, header_sender, header_recipient
 masquerade_domains =
 masquerade_exceptions = root
 message_size_limit = 1024
 mydestination = $myhostname, localhost.$mydomain
 mydomain = mmtnetworks.com.au, jlorenzo.com.au
 myhostname = linux-srv.mmtnetworks.com.au
 mynetworks = 192.168.2.0/24, 127.0.0.0/8
 mynetworks_style = subnet
 newaliases_path = /usr/bin/newaliases
 queue_directory = /var/spool/postfix
 readme_directory = /usr/share/doc/packages/postfix/README_FILES
 relayhost =
 relocated_maps = hash:/etc/postfix/relocated
 sample_directory = /usr/share/doc/packages/postfix/samples
 sender_canonical_maps = hash:/etc/postfix/sender_canonical
 sendmail_path = /usr/sbin/sendmail
 setgid_group = maildrop
 smtp_sasl_auth_enable = no
 smtp_use_tls = no
 smtpd_client_restrictions =
 smtpd_helo_required = no
 smtpd_helo_restrictions =
 smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
 smtpd_sasl_auth_enable = no
 smtpd_sender_restrictions = hash:/etc/postfix/access
 smtpd_use_tls = no
 strict_8bitmime = no
 strict_rfc821_envelopes = no
 transport_maps = hash:/etc/postfix/transport
 unknown_local_recipient_reject_code = 550
 virtual_alias_domains = hash:/etc/postfix/virtual
 virtual_alias_maps = hash:/etc/postfix/virtual
 It's not delivering to the mmtnetworks.com.au domain also.
 
 
 regards
 
 Jon
 --
 From: John Peach post...@johnpeach.com
 Sent: Tuesday, June 19, 2012 7:51 PM
 To: postfix-users@postfix.org
 Subject: Re: problem with postfix configuration - Relay Access Denied
 
  On Tue, 19 Jun 2012 19:44:31 +0800
  JonL jonl...@hotmail.com wrote:
 
  I'm getting the following in my mail logs for a new postfix system.
  OS = SuSE Linux Enterprise v10
 
  Thanks
 
  mail log error
  Jun 18 15:20:24 linux-srv postfix/smtpd[6509]: NOQUEUE: reject: RCPT from 
  emessenger.cisco.com[192.86.51.17]: 554 jlmil...@mmtnetworks.com.au: 
  Relay access denied; from=emsg-1474-18cf-repl...@emessenger.cisco.com 
  to=jlmil...@mmtnetworks.com.au proto=ESMTP helo=emessenger.cisco.com
  Jun 18 15:20:24 linux-srv postfix/smtpd[6509]: disconnect from 
  emessenger.cisco.com[192.86.51.17]
  Jun 18 15:20:29 linux-srv postfix/smtpd[6509]: connect from 
  ccm24.constantcontact.com[208.75.123.132]
  Jun 18 15:20:30 linux-srv postfix/smtpd[6509]: NOQUEUE: reject: RCPT from 
  ccm24.constantcontact.com[208.75.123.132]: 554 
  jlmil...@jlorenzo.com.au: Relay access denied; 
  from=esc1110217818469_1110190421834_12336_...@in.constantcontact.com 
  to=jlmil...@jlorenzo.com.au proto=ESMTP 
  helo=ccm24.constantcontact.com
 
 
 
 
  postconf
 
  should be postconf -n
 
  [snip]
  mydestination = $myhostname, localhost.$mydomain
  mydomain = mmtnetworks.com.au
  myhostname = linux-srv.mmtnetworks.com.au
 
  jlorenzo.com.au is not there.
 
 
  [snip]
 
 
  -- 
  john
  



-- 
john


Re: Flexible formatting of Postfix log entries?

2012-04-28 Thread John Peach
On Sat, 28 Apr 2012 08:30:54 -0700
kar...@mailcan.com wrote:

 
 I've been writing scripts for my loganalysis chores.  A typical log
 entry for a mail transaction looks like,
[snip]

 Since it's Postfix doing the writing to the logs in the 1st place, is it 
 possible to config Postfix to (free)format those

It's not postfix - it's syslog.

[snip]

-- 
John


Re: Linux.3 in makedefs Ubuntu12

2012-03-29 Thread John Peach
On Thu, 29 Mar 2012 12:10:26 -0700
Quanah Gibson-Mount qua...@zimbra.com wrote:

 --On Thursday, March 29, 2012 10:56 PM +0400 Michael Tokarev 
 m...@tls.msk.ru wrote:
 
  Besides, gcc --print-search-dirs (as already used in makedefs)
  includes all necessary multiarch directories already.  So
  I'm not really sure why the OP have this problem to start
  with.  Here's the content of SEARCHDIRS variable from
  makedefs script on my 32bit system:
 
 If postfix doesn't find nsl or resolv in the directories in that
 list, it won't add them to the library list.  Thus the build fails.
 
 --Quanah
 
 --
 
 Quanah Gibson-Mount
 Sr. Member of Technical Staff
 Zimbra, Inc
 A Division of VMware, Inc.
 
 Zimbra ::  the leader in open source messaging and collaboration


My Ubuntu Precise box has the following in /etc/ld.so.conf which
will pick up those directories:

cat /etc/ld.so.conf
include /etc/ld.so.conf.d/*.conf

cat /etc/ld.so.conf.d/*.conf
# Multiarch support
/lib/i386-linux-gnu
/usr/lib/i386-linux-gnu
/lib/i686-linux-gnu
/usr/lib/i686-linux-gnu
# libc default configuration
/usr/local/lib
/usr/lib/nvidia-settings
# Multiarch support
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu
/usr/lib/nvidia-current
/usr/lib32/nvidia-current
# Legacy biarch compatibility support
/lib32
/usr/lib32


Re: Problem delivering through one barracuda gateway from postfix

2012-03-23 Thread John Peach
On Fri, 23 Mar 2012 13:19:14 -0300
francis picabia fpica...@gmail.com wrote:

 On Fri, Mar 23, 2012 at 12:43 PM, Giles Coochey gi...@coochey.net
 wrote:
  On 23/03/2012 15:37, francis picabia wrote:
 
  On Fri, Mar 23, 2012 at 11:33 AM, francis
  picabiafpica...@gmail.com wrote:
 
  We have a difficulty delivering to a site running a barracuda
  appliance. I can email them from a gmail account, or via a telnet
  session, but not via postfix on our SMTP gateway. I've contacted
  the remote site from my gmail to discuss it but no progress so
  far.
 
  I have the default pix conf settings and we are running postfix
  2.8.6
 
  In the logs we see it times out.
 
  Mar 21 15:01:30 thabit postfix-internal/smtpd[9296]: 6E7211F44DD:
  client=localhost[127.0.0.1]
  Mar 21 15:01:30 thabit postfix-internal/cleanup[9274]:
  6E7211F44DD: message-id=moodlepost153...@acorn.mydomain.ca
  Mar 21 15:01:30 thabit postfix-internal/qmgr[28954]: 6E7211F44DD:
  from=lms.ad...@mydomain.ca, size=6449, nrcpt=1 (queue active)
  Mar 21 15:01:30 thabit postfix-internal/lmtp[9288]: 2A0561F44EE:
  to=usern...@theirdomain.ca, relay=127.0.0.1[127.0.0.1]:10026,
  delay=189085, delays=189084/0.03/0.01/0.3, dsn=2.0.0, status=sent
  (250 2.0.0 Ok, id=09101-06, from MTA([127.0.0.1]:10027): 250
  2.0.0 Ok: queued as 6E7211F44DD)
  Mar 21 15:01:30 thabit postfix-internal/smtp[9198]: 6E7211F44DD:
  enabling PIX workarounds: disable_esmtp delay_dotcrlf for
  barracuda1.theirdomain.ca[24.224.X.Y]:25
  Mar 21 15:11:30 thabit postfix-internal/smtp[9198]: 6E7211F44DD:
  conversation with barracuda1.theirdomain.ca[24.224.X.Y] timed out
  while sending end of data -- message may be sent more than once
 
  I saw an older article about delivering to a barracuda gateway and
  tried the solution with
 
  smtp_discard_ehlo_keyword_address_maps =
  hash:/etc/postfix-internal/smtp_discard_ehlo
 
  and that file containing:
 
  24.224.X.Y      pipelining
 
  This setting made no difference in the result and error.
 
  I wonder if the pix settings are not the right fit for this case?
 
  Is there a method to not use the pix workarounds for a single
  destination?
 
  I read another old thread about Cisco firewalls associated with the
  pix workaround.
 
  When I telnet to the remote site, the response shows:
 
  220 
 
  Is this a sign of the Cisco firewall or could it be something else
  masked?
 
  Should I look at suppressing dkim headers?
 
  It is a sign of the PIX firewall removing data.
 
  To disable:
 
  1. Logon to firewall command line
  2. type enable
  3. enter enable password or secret
  4. type configure terminal
  5. use 'no fixup protocol smtp 25' to disable SMTP protocol mangling
  6. type 'write memory' to save config to device
  7. restart or reload the PIX firewall
 
 
 Thanks, but this issue is on the remote site.  Given they can receive
 email from gmail and other sites, I'm not sure I can convince
 them to make these changes on their firewall.  There must
 be another solution so that I'm sending email to them
 they can digest.

http://blog.arschkrebs.de/blog/working-around-broken-cisco-pix-or-asa-installations/



Re: spamcop abusing mail systems worldwide

2011-11-17 Thread John Peach
On Thu, 17 Nov 2011 08:08:13 -0600 (CST)
Dan The Man d...@sunsaturn.com wrote:

 
 
 I agree completely, but I don't think a student failing a course
 because he only has a yahoo/shaw etc address and got a legitimate
 email bounced would agree very much :)
 
 I think my solution should stand, we got all the other rbl's, 
 and spamassassin etc, there really no need to have anything
 legitimate dropped till they fix their issues.

Spamcop recommend you use it for scoring, not blocking

[snip]


Re: Is there a RHSBL for parked domains?

2011-10-15 Thread John Peach
On Thu, 13 Oct 2011 15:33:48 +0530
Ram r...@netcore.co.in wrote:

 
 
 On 10/13/2011 02:37 AM, Ralf Hildebrandt wrote:
  * Noel Jones njo...@megan.vbhcs.org:
 
  You might be able to do something with check_recipient_mx_access.
  Mostly, these domains have no MX, but only an A record. But yes, I
  haven't yet checked if they all resolve to but a few IPs
 
 Since all the non existing domains are now being typo-squatted with A 
 records and MX records too
 What I saw that most of these domains use common MX or NS records
 
 I use  check_recipient_mx_access   and reject these mails at SMTPD
 I typically reject all mails where MX points to mx.fakemx.net , or 
 mxs1.tradenames.com  .. among others

check_recipient_ns_access would make more sense I think. sedoparking,
at least, uses ns1.sedoparking.com, ns2.sedoparking.com.

-- 
John


Re: Issue integrating with Cyrus-SASL

2011-09-16 Thread John Peach
On Fri, 16 Sep 2011 14:17:13 -0400 (EDT)
Wietse Venema wie...@porcupine.org wrote:

 Crazedfred:
  ? Crazedfred crazedf...@yahoo.com:
What is the result of: find / -name smtpd.conf
   
   sudo find / -name smtpd.conf
   /usr/lib/sasl2/smtpd.conf
 
  read the debian documentation!
 
 Could you elaborate?
 Am I looking for the wrong file?
 
 I have seen several hints on this mailing list that Debian Postfix
 wants to read /etc/postfix/sasl/smtpd.conf.

That's exactly where it is on mine.



Re: postscreen dnsbl services down ß

2011-08-31 Thread John Peach

On Wed, 31 Aug 2011 12:10:29 +0200
Michael Weissenbacher m...@dermichi.com wrote:

 On Wed Aug 31 2011 12:01:20 GMT+0200 (CET), we...@zackbummfertig.de
 wrote:
  Hello,
  
  anyone can acknowledge that following dnsbl services are not
  reachable?
  
  zen.spamhaus.org*2 DOWN
  b.barracudacentral.org DOWN
  bl.spamcop.net*2
  combined.rbl.msrbl.net*2
  ix.dnsbl.manitu.net*2 DOWN
  dnsrbl.swinog.ch*2
  dnsbl.njabl.org*2
  no-more-funn.moensted.dk
  db.wpbl.info DOWN
  psbl.surriel.com
  
  i get a lot of 550 service not available entries in log
  and sender gets error messages.
  
 They all work fine here, i'd say check for routing problems.

...or you've been blocked for too many requests.


 
 cheers,
 Michael


Re: selective greylisting with a long delay

2011-04-11 Thread John Peach
On Mon, 11 Apr 2011 17:39:43 -0400
Jerry postfix-u...@seibercom.net wrote:

 On Mon, 11 Apr 2011 15:43:09 -0500
 Stan Hoeppner s...@hardwarefreak.com articulated:
 
  pf at alt-ctrl-del.org put forth on 4/10/2011 10:33 PM:
  
   My thought on auto combating this is to use a CIDR list to kick
   these networks (and only these networks) over to a greylist policy
   that delays these emails for 4+ hours. By then, most of the bad IPs
   would be listed in one or more RBL and be blocked.
   
   So, has anyone else already done something like this?
  
  Why bother with this complex greylisting setup?  Simply hammer the big
  blocks with a CIDR entry and whitelist individual IPs in the range
  from which you need legit mail.  If such IPs are used to send both
  snowshoe spam and ham, that's a human shield tactic, and deserves
  permanent blocking, FOREVER.  If anyone complains, lay the full
  skinny on them as to why.  I.e. lay the blame at the proper feet, and
  direct complaints at the guilty.
  
  Life is too short to waste _your_ valuable time playing whack-a-mole
  with spammers, isn't it?  We don't live in a totally collateral
  damage free world.  People must get used to this.
 
 Unless of course you get hit with a law suit.

My server, my rules.
 



Re: Question about: postfix/smtpd[ ]: connect from unknown[unknown]

2011-02-03 Thread John Peach
On Thu, 03 Feb 2011 10:44:13 +0100
J4K ju...@klunky.co.uk wrote:

 On 02/02/2011 11:54 PM, Steve Jenkins wrote:
  On Wed, Feb 2, 2011 at 2:33 PM, Stan Hoeppner s...@hardwarefreak.com wrote:
  In the mean time, maybe give this a go.  1600+ expressions matching rDNS
  patterns of many millions of broadband IPs worldwide that shouldn't be
  sending direct SMTP.  Catches quite a bit that PBL/CBL/SORBS-DYNA/etc
  don't and with less delay, reduced load on dnsbl servers and your own
  network.  Potential FPs will be SOHO and Linux weenie MTAs on consumer
  IPs.  Usage instructions are comments at the top of the file.  Insert the
  restriction above/before any greylisting daemons in main.cf, obviously.
  Some on this list and many on the Dovecot list can testify to its
  effectiveness.
 
  http://www.hardwarefreak.com/fqrdns.pcre
  I can attest to the awesomeness of Stan's pcre file. I run it on all 5
  of our Postfix servers, and it catches a LOT of stuff. From my logs,
  what it seems to do best is block zombie mailers on dynamic IPs.
 
  And I updated to your latest version today, Stan. Thanks :)
 
  SteveJ
 It's a good idea, but this would limit a user from using a server on his
 residential ADSL from being an Email server, and force them to use their
 ISPs relay.  Else they might have to upgrade to a business package or
 spend more money for a static IP address that they can amend the reverse
 lookup record for.  Pros and cons.
 

No cons that I can see.



Re: Text Substitution with pcre:

2011-01-29 Thread John Peach
On Sat, 29 Jan 2011 12:30:35 +0100
Bastian Blank bastian+postfix-users=postfix@waldi.eu.org wrote:

 On Fri, Jan 28, 2011 at 03:49:55PM -0500, Jerrale G wrote:
  from *mail.sheltoncomputers.com (mail [127.0.0.1]) *   by
  mail.sheltoncomputers.com (SC Mail Server) with ESMTP id
  182431B60017for jerr...@sheltoncomputers.com; Fri, 28 Jan 2011
  15:44:05 -0500 (EST)
  
  The correct address, for mail.sheltoncomputers.com is 173.50.101.12.
  I am actually doing this to make the headers correct, due to the bug
  of Centos.
 
 No. 127.0.0.1 is always _the_ valid address for the system.

127.0.0.1 is localhost or, possibly, localhost.localdomain. I would
take great exception to anything trying to redefine it.

 
 Bastian
 


-- 
John


Re: my server being used for spam

2010-12-22 Thread John Peach
On Wed, 22 Dec 2010 19:52:03 +0200
Razvan Chitu c...@topedge.ro wrote:

 Hello again,
  This time the question is simple: my server is being maliciously 
 used to send spam, and this has to stop. Here are the log entries in 
 question (latest ones):
[snip]
 Also, I'm having a lot of these kind of entries lately (*Dec 22
 19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: from=, size=3425,
 nrcpt=1 (queue active)*) with unknown sender. Unfortunately these
 bounces are what put my server on several backscatter lists. Is there 
 any way to reject these kind of senders  from start 
 (reject_unknown_sender?). Is there any way to insert longer and
 longer delays for unauthorized connections such as the ones from 
 88.166.185.164 with each connection attempt? Something like proftpd's 
 throttle module.
 
 Thank you and be kind. Point me to the right manual :))

Stop accepting mail for non-existent users.

 
 Kind regards,
 


-- 
John


Re: my server being used for spam

2010-12-22 Thread John Peach
On Wed, 22 Dec 2010 20:23:51 +0200
Razvan Chitu c...@topedge.ro wrote:

 *For* non-existent or *From *non-existent?
 I never knew that Postfix had a reject_unknown_sender. Does it have
 any caveats that I should watch over?

I wrote for, which is what I meant and is why you get on backscatter
lists.

 
 Thanks,
 C.R.
 
 On 12/22/2010 7:53 PM, John Peach wrote:
  On Wed, 22 Dec 2010 19:52:03 +0200
  Razvan Chitu c...@topedge.ro wrote:
 
 
  Hello again,
This time the question is simple: my server is being
  maliciously used to send spam, and this has to stop. Here are the
  log entries in question (latest ones):
   
  [snip]
 
  Also, I'm having a lot of these kind of entries lately (*Dec 22
  19:03:18 raptor postfix/qmgr[23830]: 42B741BC5C9: from=,
  size=3425, nrcpt=1 (queue active)*) with unknown sender.
  Unfortunately these bounces are what put my server on several
  backscatter lists. Is there any way to reject these kind of
  senders  from start (reject_unknown_sender?). Is there any way
  to insert longer and longer delays for unauthorized connections
  such as the ones from 88.166.185.164 with each connection attempt?
  Something like proftpd's throttle module.
 
  Thank you and be kind. Point me to the right manual :))
   
  Stop accepting mail for non-existent users.
 
 
  Kind regards,
 
   
 
 
 


-- 
John


Re: fqrdns.pcre

2010-12-08 Thread John Peach
On Tue, 07 Dec 2010 17:10:45 -0500
Paul Cartwright deb...@pcartwright.com wrote:

 On 12/07/2010 04:48 PM, Steffan A. Cline wrote:
  CIDR blocking all of China with an auto whitelist for those that
  you email directly?
 I don't know anyone in China, I know someone who travels there, but he
 has a Bellsouth address..
 so how do you implement CIDR blocking?? well I see where you can add a
 hash file, but all I see are IP ranges, not *.cn .

I also block both sender and client addresses in the cn TLD

 
 


-- 
John


Re: Posfix: deliver to spam folder analog of reject_rbl_client

2010-10-28 Thread John Peach
On Thu, 28 Oct 2010 14:28:42 +1000
Noel Butler noel.but...@ausics.net wrote:

 On Wed, 2010-10-27 at 22:15 -0400, John Peach wrote:
 
  On Thu, 28 Oct 2010 11:17:00 +1000
  Noel Butler noel.but...@ausics.net wrote:
  
   On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:
   
   
   
sorbs.net is very aggressive, many ISPs get blocked for several
years and are not willing to delist b/c sorbs doesn't offer
free delist for them.

   
   
   That is complete FUD, yes, I know what their website says, but
   knowing the people behind them I can assure you it has never been
   demanded, it is a deterrent, a request to their ticketing system
   is all it takes to get out, please don't fall for the mistruths
   by those who have been in SORBS, in fact, better to ask yourself
   why they were in there in the first place.
   
  
  ... because we have so-called educated professionals who fall for
  phishing scams on a regular basis, despite regular warnings about
  the same.
 
 
 
 Right, so, how is THAT a false positive, it is a justifiable listing
 if they became part of the problem.
 
I never said it was a false positive. Just that it's a waste of time
trying to get delisted; we gave up with that years ago.


-- 
John


Re: Posfix: deliver to spam folder analog of reject_rbl_client

2010-10-27 Thread John Peach
On Thu, 28 Oct 2010 11:17:00 +1000
Noel Butler noel.but...@ausics.net wrote:

 On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:
 
 
 
  sorbs.net is very aggressive, many ISPs get blocked for several years and
  are not willing to delist b/c sorbs doesn't offer free delist for them.
  
 
 
 That is complete FUD, yes, I know what their website says, but knowing
 the people behind them I can assure you it has never been demanded, it
 is a deterrent, a request to their ticketing system is all it takes to
 get out, please don't fall for the mistruths by those who have been in
 SORBS, in fact, better to ask yourself why they were in there in the
 first place.
 

... because we have so-called educated professionals who fall for
phishing scams on a regular basis, despite regular warnings about the
same.
We have given up trying to do anything with SORBS - caveat emptor.


[snip]

-- 
John


Re: ..::Spoofing Issues::..

2010-10-05 Thread John Peach
On Wed, 6 Oct 2010 12:13:25 +1100
James Gray ja...@gray.net.au wrote:

 
 On 06/10/2010, at 9:37 AM, Noel Butler wrote:
 
  On Tue, 2010-10-05 at 23:46 +0200, mouss wrote:
  Le 04/10/2010 23:03, Terry Gilsenan a écrit : 
  Configure postfix to use SPF, and setup an SPF record in DNS for that 
  domain.
  
  
  then what? you reject mail because of spf fail? that would lead to false 
  positives...
  
  
  
  We've used it for years, had very little complaints, maybe half a dozen in 
  all that time. 
  SPF is a must use IMHO, and by use of  -all ...  providing you 
  configure your DNS correctly.
 
 ...and then a user puts in a .forward file (or equivalent) to send mail to 
 another address.  Now SPF is broken on the forwarded account as your mail 
 server very likely doesn't have an SPF record for the original sender.  Ooops 
 - SPF is broken in these situations and therefore can't be used to 
 arbitrarily reject messages on SPF failures.  The best it can do is be added 
 as a heuristic to an overall message evaluation (spamassassin et al).

We neither publish nor use SPF records; broken by design.

 
 Cheers,
 
 James

-- 
John


Re: unknow user 450 to 550 reject code

2010-06-05 Thread John Peach
On Sat, 05 Jun 2010 23:26:46 +0200
Jeroen Geilman jer...@adaptr.nl wrote:

  Ciao
 
  Somebody have any idea how can i change User unknown in virtual 
  mailbox table reject code from 450 to 550 (don't send again)
 
 
 The unknown_virtual_mailbox_reject_code response defaults to 550.
 If it is not 550 on your system, somebody altered it from the default.
 (I don't see how an undeliverable address could be anything but a 
 permanent error)

soft_bounce is set to yes by default (so that you can correct your
config before putting it into production).




-- 
John


Re: unknow user 450 to 550 reject code

2010-06-05 Thread John Peach
On Sat, 05 Jun 2010 23:33:04 +0200
Jeroen Geilman jer...@adaptr.nl wrote:

 
  On Sat, 05 Jun 2010 23:26:46 +0200
  Jeroen Geilman jer...@adaptr.nl wrote:
 
 
  Ciao
 
  Somebody have any idea how can i change User unknown in virtual
  mailbox table reject code from 450 to 550 (don't send again)
 
 
  The unknown_virtual_mailbox_reject_code response defaults to 550.
  If it is not 550 on your system, somebody altered it from the default.
  (I don't see how an undeliverable address could be anything but a
  permanent error)
   
  soft_bounce is set to yes by default (so that you can correct your
  config before putting it into production).
 
 
 
 A REJECT isn't a bounce, is it ? Unless this is documented as such, I 
 don't see the connection.

As with all of postfix, it is clearly documented:

http://www.postfix.org/SMTPD_ACCESS_README.html


-- 
John


Re: Sender address rejected: Domain not found

2010-06-02 Thread John Peach
On Wed, 02 Jun 2010 08:50:53 -0400
Robert Fitzpatrick li...@webtent.net wrote:

 I am getting a lot of these for various domains...
 
 Jun  2 07:21:08 esmtp postfix/smtpd[55535]: NOQUEUE: reject: RCPT
 from mail.cypresspartners.com[72.242.211.227]: 450 4.1.8 
 onlinebanking.ela...@onlinealert.bankofamerica.com: Sender address 
 rejected: Domain not found; 
 from=onlinebanking.ela...@onlinealert.bankofamerica.com 
 to=de...@plasticert.com proto=ESMTP helo=mail.cypresspartners.com
 
 I assume these are legitimate rejects since the helo domain is 
 cypresspartners.com and I did not find an A record for that domain.
 Is that correct?
 
 Just want to confirm since I have a user not receiving an auto-email 
 from BOA. But not this user above.

Phishing scam:

** server can't find onlinealert.bankofamerica.com: NXDOMAIN

besides which, BoA is not likely to send anything through
cypresspartners.com.


 
 Thanks, Robert


-- 
John


Re: Mail discarded with http

2010-05-21 Thread John Peach
On Fri, 21 May 2010 15:03:22 +0200
Sasa s...@shoponweb.it wrote:

 Hi, I have a problem with some mails that are discarded when in body
 message there is a web link with http prefix, i.e. with:
 
 http://www.example.com/example
 
 with this link the mail is discarded and in log file I have:
 
 [r...@mail ~]# grep 707F026A302 /var/log/maillog
 May 20 10:52:16 mail postfix/smtpd[12804]: 707F026A302: 
 client=unknown[192.168.1.88], sasl_method=LOGIN, 
 sasl_username=u...@mydomain.com
 May 20 10:52:16 mail postfix/cleanup[13001]: 707F026A302: 
 message-id=000d01caf7f9$c95308e0$5bf91a...@com
 May 20 10:52:20 mail postfix/qmgr[12573]: 707F026A302: 
 from=u...@mydomain.com, size=3075, nrcpt=2 (queue active)
 May 20 10:52:39 mail postfix/smtp[13776]: 707F026A302: 
 to=dvd...@domain.it, relay=127.0.0.1[127.0.0.1]:10024,delay=23, 
   ^^^
 delays=4.2/0/0.01/19, dsn=2.7.1, status=sent (250 2.7.1 Ok,
 discarded, UBE, id=13116-02)

Discarded by amavisd-new (presumably spamassassin).



[snip]


-- 
John


Re: which port to use for SSL/TLS?

2010-05-21 Thread John Peach
On Fri, 21 May 2010 15:35:55 -0400
Phil Howard ttip...@gmail.com wrote:

 On Fri, May 21, 2010 at 15:29, John Peach post...@johnpeach.com
 wrote:
 
  465 is for SMTP over SSL, which is deprecated.
 
 
 What is deprecated?  Using port 465?  Or doing SMTP over SSL?

SMTP over SSL

 Unfortunately, I need to do the latter because of some network
 security and access issues (and for like reason am doing IMAP over
 SSL on port 993 and POP over SSL on port 995).
 
 I could go ahead and do SMTP over SSL on port 465.  Are you sure it
 won't conflict with anything?

Just use port 465 if you want, but the submission port would make more
sense (587)

 
 I'm doing optional STARTTLS (e.g. smtpd_tls_security_level=may and
 smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination)
 on port 25.
 
 What should I be doing on port 587?

Why not use smtpd_tls_security_level  = encrypt on port 587?

http://www.postfix.org/TLS_README.html


-- 
John


Re: ISP bounces email

2010-05-16 Thread John Peach
On Sun, 16 May 2010 20:52:54 +0100
Frank Shute boysh...@googlemail.com wrote:

 Hi,
 
 My ISP suddenly started bouncing my mail.
 
 I phoned them up and they started saying In profiles do I
 pointed out at that point that I used
 Unix and the tech took fright and said that he'd get somebody to ring me
 back; nobody ever did.

Maybe you should have listened to what he had to say; it's trivial to
extrapolate the necessities once you know the windoze setup.

 
 I assume that they've added some sort of authentication scheme on
 their mail server in addition
 to IP based. Beforehand I could push mail to their server without any
 special setup.
 
 They run Sendmail on Linux IIRC.
 
 I tried setting up cyrus-sasl with my Postfix running on FreeBSD-8-STABLE.
 
 This is what I did:
 
 added the lines:
 
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd

I also have:

smtp_sasl_security_options =

 
 to main.cf
 
 put this in /usr/local/etc/postfix/sasl_passwd
 
 [mail.zetnet.co.uk]  esperance.zetnet.co.uk:X
 
 since I've got a pop3 email address of: fr...@.

I would have expected the login to be fr...@esperance.zetnet.co.uk not
just esperance.zetnet.co.uk

However, you really need to ask your ISP what mechanism they are using.


[snip]


-- 
John


Re: Postfix logging to syslog

2010-04-28 Thread John Peach
On Wed, 28 Apr 2010 00:47:08 -0400
Sahil Tandon sa...@freebsd.org wrote:

 On Wed, 28 Apr 2010, N. Yaakov Ziskind wrote:
 
  Sahil Tandon wrote (on Wed, Apr 28, 2010 at 12:02:34AM -0400):
   On Tue, 27 Apr 2010, N. Yaakov Ziskind wrote:
   
Sahil Tandon wrote (on Tue, Apr 27, 2010 at 11:23:22PM -0400):
 Assuming you did not make any mistakes while editing
 syslog.conf, did you restart syslogd(8) after making the
 changes? Postfix simply logs to the mail facility; how
 syslogd(8) handles this is not a Postfix issue.

yes, with /etc/init.d/sysklogd restart; I also HUPed the only
process, 'rsyslogd -c4', to come out of 'ps ax|grep log'.
   
   You are aware that rsyslogd != sys(k)logd, right?
  
  In the interest of clarity, system is running Ubuntu Lucid, and
  there is no syslogd on the system (except /etc/default/syslogd),
  only sysklogd, which seems to be its replacement.
 
 And yet your ps(1) output indicates that only rsyslogd is running?
 I'm not an Ubuntu user, so perhaps someone else can chime with a
 hint. Since this does not appear to be a Postfix issue, you might
 also wish to pursue this on a more appropriate mailing list.

syslogd has been replaced by rsyslogd.

man rsyslogd

hint: /etc/rsyslogd.conf

 


-- 
John


Re: DNS RBL error

2010-04-19 Thread John Peach
On Mon, 19 Apr 2010 08:53:03 -0400
donovan jeffrey j dono...@beth.k12.pa.us wrote:

 
 On Apr 19, 2010, at 8:41 AM, Ralf Hildebrandt wrote:
 
  * donovan jeffrey j dono...@beth.k12.pa.us:
  Greetings
  
  i have been seeing tons of errors coming from spamhaus, it seems
  it's not resolving. at least for me. is anyone else having any
  problems ?
  
  You might have been blocked because you exceeded the limits for free
  usage.
 
 i did not know there was such a thing. I may be having some type of
 dns issue with zen. My local dns server does not resolve zen, but
 google public dns does. i found this
 

http://www.spamhaus.org/organization/dnsblusage.html

-- 
John


Re: DNS RBL error

2010-04-19 Thread John Peach
On Mon, 19 Apr 2010 09:09:38 -0400
donovan jeffrey j dono...@beth.k12.pa.us wrote:

 
 On Apr 19, 2010, at 9:03 AM, Ralf Hildebrandt wrote:
 
  * donovan jeffrey j dono...@beth.k12.pa.us:
  
  this system in question picks up mail ( primary MX ) for about
  2000 users.
  
  This should well be within the limits. We're exceeding the limit at
  about 30k users. Maybe you're using your ISPs DNS forwarder?
 
 I'm not sure I understand. I know my isp pulls zone files from me, and
 runs a secondary dns server. -j

Your nslookup shows you using 207.172.3.20 as a nameserver:

20.3.172.207.in-addr.arpa   name = auth1.dns.rcn.net

Your ISP's nameserver. You need to run your own, so that you query
spamhaus directly. They are counting all the hits from RCN.


 


-- 
John
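
The resolver point made in this thread, and the "blocked for too many requests" reply in the postscreen thread above, as an added example that is not part of the original posts. It builds the DNSBL query name, separates "listed" answers from "query refused" answers, and reports which resolver in resolv.conf the queries would be attributed to. The refusal codes are taken from Spamhaus's published documentation, not from the thread, and the resolv.conf contents are constructed around the nameserver address quoted above.

```python
"""Added example: DNSBL lookups and the resolver they travel through."""
import ipaddress

ZONE = "zen.spamhaus.org"
# Listing answers for this zone live in 127.0.0.0/24.
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")

# Answers that mean "your query was refused", not "this IP is listed"
# (from Spamhaus's published documentation, not from the thread).
ERROR_CODES = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query arrived via a public or shared resolver",
    "127.255.255.255": "excessive number of queries",
}

# Constructed resolv.conf contents; 207.172.3.20 is the ISP nameserver
# quoted in the thread, 127.0.0.1 stands for a resolver run on the MTA host.
ISP_RESOLV_CONF = "# constructed sample\nnameserver 207.172.3.20\n"
OWN_RESOLV_CONF = "# constructed sample\nnameserver 127.0.0.1\n"


def dnsbl_query_name(client_ip, zone=ZONE):
    """IPv4 only: reverse the octets and append the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(a_records):
    """a_records: list of A-record strings; [] stands for NXDOMAIN."""
    if not a_records:
        return "not_listed", None
    refused = [ERROR_CODES[r] for r in a_records if r in ERROR_CODES]
    if refused:
        return "query_refused", refused[0]
    if all(ipaddress.ip_address(r) in LISTING_NET for r in a_records):
        return "listed", ",".join(sorted(a_records))
    return "unexpected", ",".join(a_records)


def should_reject(a_records):
    """Reject only on a real listing, never on a refusal code."""
    return classify_answer(a_records)[0] == "listed"


def resolver_report(resolv_conf_text):
    """Return [(nameserver, kind)] for each nameserver line.

    local    : resolver on this host, queries carry this host's address
    site     : private address, check that it does not forward upstream
    external : queries are counted against that resolver, shared with
               every other customer using it
    """
    report = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.strip().split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        addr = ipaddress.ip_address(fields[1].split("%")[0])
        if addr.is_loopback:
            kind = "local"
        elif addr.is_private:
            kind = "site"
        else:
            kind = "external"
        report.append((str(addr), kind))
    return report


if __name__ == "__main__":
    print(dnsbl_query_name("127.0.0.2"))  # conventional DNSBL test entry
    for label, conf in (("ISP", ISP_RESOLV_CONF), ("own", OWN_RESOLV_CONF)):
        print(label, resolver_report(conf))
    for answer in ([], ["127.0.0.2", "127.0.0.4"], ["127.255.255.254"]):
        print(answer, classify_answer(answer), "reject:", should_reject(answer))
```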


Re: Changes in PCRE handling postfix etch vs lenny?

2010-01-19 Thread John Peach
On Tue, 19 Jan 2010 17:15:59 -0600
Stan Hoeppner s...@hardwarefreak.com wrote:

 
 Well, there's one positive side to this thread Noel.  Your reply to
 undisclosed recipients instead of the list address broke my postfix-users
 sort filter.  I just spent 20 minutes trying to figure it out.  I tried
 received and return-path and all kinds of header checks in the T-Bird
 message filter, and none of them work on this message.  They clearly should.
 
 So now I get to file a bug report on T-Bird as it's clearly not processing
 the headers correctly or obeying custom headers I plug in.  Hell, it won't
 even filter on Sender: owner-postfix-us...@postfix.org for Pete's sake and
 Sender is built into the filter, not custom, IIRC.
 
 Regardless of the T-Bird issue, could we all please reply to the list address
 instead of burying it in a BCC?  That's just plain silly.

I only accept mail to post...@johnpeach.com from cloud9.net and I do
the same thing for other mailing lists to which I subscribe - that
should get rid of your bcc problems..

-- 
John


Re: Does Postfix cache resolv.conf?

2010-01-10 Thread John Peach
On Sun, 10 Jan 2010 11:32:34 +0100
Dr. Lars Hanke l...@lhanke.de wrote:

 I had a quite strange issue. About a week ago my bind9 broke down and I 
 could not get it running again on the same machine. So moved it to 
 another machine and changed the /etc/resolv.conf of my machines to try 
 both IP. Apparently everything worked fine.
 
 Today I was puzzled that the corresponding bug-report to the Debian list 
 was somehow missing. I resent it watching the postfix logs and found 
 that postfix was missing the MX entry of my relay host and refused to 
 send. Since the host itself actually does not have a MX entry, I was 
 sidetracked assuming postfix was not smart enough to strip the host name 
 from the domain. During this trouble shooting I had postfix reload its 
 configuration a couple of times. After setting the name in [] postfix 
 reported that the A entry was missing, which definitely was wrong.
 
 I restarted postfix and voilà it continued working like it did all the 
 years before. Now I know that it is smart enough to strip the relay host 
 name from the domain to lookup MX. ;)
 
 Apparently postfix missed the switching of nameservers and did not learn 
 of the new DNS until restart. Is this a bug or a feature?

This is true of most services, not just postfix. They will
read /etc/resolv.conf at startup and not again unless told to do so


-- 
John


Re: smtpd_helo_required compliance with the RFC

2009-12-27 Thread John Peach
On Sun, 27 Dec 2009 18:10:53 +0100
Philippe Cerfon philc...@googlemail.com wrote:

 On Sun, Dec 27, 2009 at 2:11 AM, Wietse Venema wie...@porcupine.org wrote:
  With smtpd_helo_required = yes, the Postfix SMTP server requires
  HELO (or EHLO) before the MAIL, ETRN and AUTH commands (*).
 I've just tried it for ETRN, and as far as I understand the RFC it
 should not be necessary for ETRN (as well as AUTH and STARTTLS which
 you named) to require HELO/EHLO.
 
 
  If you disagree, then you MUST show the evidence that Postfix
  behaves otherwise.
 Well,.. I do not claim that the RFC is superior in all points. I've
 just read that HELO/EHLO should be only necessary for mail
 transactions (= MAIL)... q.e.d. ;-)
 
 
 I don't wanna be nit-picking,.. but as I read through rfc 5321 right
 now, I found some other places where postfix might be not strictly
 speaking compliant... or where the check/restriction keywords forbid
 more than the rfc forbids.
 Should this be brought to the attention of the developers? (-devel list or so?)
No it should not - they know. The RFCs were written way before the
problems we have now. Feel free to update the RFCs if you so wish.

-- 
John


Re: smtpd_helo_required compliance with the RFC

2009-12-27 Thread John Peach
On Sun, 27 Dec 2009 20:22:33 +0100
Ansgar Wiechers li...@planetcobalt.net wrote:

 On 2009-12-26 Stan Hoeppner wrote:
  Len Conrad put forth on 12/26/2009 3:49 PM:
  Requiring HELO is hardly an RFC-abusive setting.  I expect almost no
  legit, nor illegit, SMTP servers send EXPN or VRFY before helo, 
  
  I'll add that just about everyone disables VRFY these days to prevent
  valid address harvesting,
 
 Which, of course, is utterly pointless.
 
 HELO example.org
 MAIL FROM:pr...@example.org
 RCPT TO:address_to_be_verif...@example.net
 QUIT
 

wrong.

there is a world of difference between;

502 5.5.1 VRFY command is disabled

and

250 2.1.5 Ok

or

550 5.1.1 redacted Recipient address rejected




-- 
John


Re: smtpd_helo_required compliance with the RFC

2009-12-27 Thread John Peach
On Sun, 27 Dec 2009 23:34:47 +0100
Ansgar Wiechers li...@planetcobalt.net wrote:

 On 2009-12-27 John Peach wrote:
  On Sun, 27 Dec 2009 20:22:33 +0100 Ansgar Wiechers wrote:
  On 2009-12-26 Stan Hoeppner wrote:
  I'll add that just about everyone disables VRFY these days to
  prevent valid address harvesting,
  
  Which, of course, is utterly pointless.
  
  HELO example.org
  MAIL FROM:pr...@example.org
  RCPT TO:address_to_be_verif...@example.net
  QUIT
  
  wrong.
  
  there is a world of difference between;
  
  502 5.5.1 VRFY command is disabled
  
  and
  
  250 2.1.5 Ok
  
  or
  
  550 5.1.1 redacted Recipient address rejected
 
 Perhaps I'm missing something, but I fail to see the big difference when
 it comes to address verification. Regardless of whether you use VRFY or
 MAIL FROM/RCPT TO/QUIT, if the address is invalid the response will be
 
   550 5.1.1 address_to_be_verif...@example.net: Recipient address rejected
 
 If it isn't, the address can be considered verified. Unless, of course,
 the server produces backscatter. Which it shouldn't.
No it is not.

502 5.5.1 VRFY command is disabled

just tells you that VRFY has been disabled; not the validity of the
address.

-- 
John


Re: always get 450 for non-existent domain

2009-12-19 Thread John Peach
On Sat, 19 Dec 2009 04:40:02 -0400
D G Teed donald.t...@gmail.com wrote:

[snip]


 
 Due to the hardwired default of 450, all sent mail becomes sluggish
 on the Exchange queue as hundreds of messages are retried
 every few minutes (one mistyped domain in a mail list triggers this
 behaviour in MS Exchange).

Fix the problem, then.

Hint - the problem is exchange, not postfix.

 
 --Donald


-- 
John


Re: [OT?] blocking replies (WAS: whitelisting problem)

2009-12-09 Thread John Peach
On Wed, 09 Dec 2009 03:58:28 -0600
Stan Hoeppner s...@hardwarefreak.com wrote:

[snip]
 Two words:  LIST MAIL.  When you reply directly to senders, all kinds
 of unpleasant things can happen.  Keep replies on list only and you
 can avoid seeing some of the draconian things folks do.
 
setting the reply-to header helps that enormously
 


-- 
John


Re: OT: need some advice as to distro

2009-12-01 Thread John Peach
On Tue, 01 Dec 2009 16:30:36 +0200
Eero Volotinen eero.voloti...@iki.fi wrote:

 
  Centos 5.4 - while it looks like a good choice, there has been some
  political infighting going on recently which makes us a little
  nervous about its future. In addition we have found that a number
  of the core packages we wish to use are out of date (postfix,
  dovecot, amavisd-new among them).
 
 Centos 5.x is my selection. You can also use packages from epel and 
 dag's rpm repositories.

It suffers from Red Hat's liking for sendmail. The postfix package is
aeons old. I would go with Ubuntu (probably 9.04 which is a long-term
support version).


-- 
John


Re: sender check

2009-11-26 Thread John Peach
On Thu, 26 Nov 2009 18:29:00 +0100
Marco Giardini m...@tecnogi.com wrote:

 * Wietse Venema wie...@porcupine.org [2009-11-26 12:20:19 -0500]:
 
  Marco Giardini:
   I have a barracuda server that receives mails, filters them and forwards
   to a linux system running postfix.
   
   Both machines have a public IP (static).
   
   The linux system is configured to be used as SMTP for sasl authenticated
   users as well, besides to be used as SMTP for the people on $mynetworks
   (permit_mynetworks in the smtpd_recipient_restrictions).
   
   Unfortunately, some spammers have found it and use it to spam local
   recipients using the linux machine, so avoiding being filtered through
   the barracuda system.
   
   I'm wondering if there is a way to allow ONLY local users or users
   belonging to the domains hosted by the linux server to use SMTP.
  
  To permit only local systems (incl. barracuda box), or users that
  have a relationship with your server:
  
  smtpd_recipient_restrictions = 
  permit_mynetworks permit_sasl_authenticated reject
  
  Wietse
 
 i do use:
 smtpd_recipient_restrictions =
 permit_mynetworks
 permit_sasl_authenticated
 reject_unauth_destination
 
 but it seems from the log that spammer still send me and to other
 local users spam mails.
 Humm...strange

Not at all; try reading what Wietse wrote.

reject, NOT reject_unauth_destination.

 
 mg
 
 
 


-- 
John
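
The difference between the two restriction lists in this thread, as an added example that is not part of the original posts. It is a simplified model of how smtpd_recipient_restrictions is walked (first restriction that returns a decision wins, and reaching the end of the list permits); the networks, domains and sessions are constructed sample values.

```python
"""Added example: why reject_unauth_destination does not stop outside hosts
from mailing local recipients directly, while a final "reject" does."""
import ipaddress
from collections import namedtuple

# Constructed sample values, not taken from the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.10/32")]
HOSTED_DOMAINS = {"example.com"}  # stands in for mydestination, virtual and relay domains

Rcpt = namedtuple("Rcpt", "client_ip sasl_authenticated recipient")


def permit_mynetworks(r):
    ip = ipaddress.ip_address(r.client_ip)
    return "permit" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(r):
    return "permit" if r.sasl_authenticated else None


def reject_unauth_destination(r):
    # Rejects only relaying to foreign domains. For a recipient in a domain
    # this server hosts it gives no decision, so evaluation continues.
    domain = r.recipient.rsplit("@", 1)[-1].lower()
    return None if domain in HOSTED_DOMAINS else "reject"


def reject(r):
    return "reject"


CHECKS = {f.__name__: f for f in (permit_mynetworks, permit_sasl_authenticated,
                                  reject_unauth_destination, reject)}


def evaluate(restrictions, rcpt):
    """Return (verdict, name of the restriction that decided)."""
    for name in restrictions:
        verdict = CHECKS[name](rcpt)
        if verdict is not None:
            return verdict, name
    return "permit", "end of list"


POSTED = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
SUGGESTED = ["permit_mynetworks", "permit_sasl_authenticated", "reject"]

SAMPLES = {
    "filter gateway": Rcpt("192.0.2.10", False, "user@example.com"),
    "authenticated user": Rcpt("198.51.100.7", True, "friend@example.net"),
    "direct-to-host sender": Rcpt("203.0.113.50", False, "user@example.com"),
    "relay attempt": Rcpt("203.0.113.50", False, "victim@example.net"),
}


def compare():
    """Map each sample to (verdict with POSTED, verdict with SUGGESTED)."""
    return {label: (evaluate(POSTED, r)[0], evaluate(SUGGESTED, r)[0])
            for label, r in SAMPLES.items()}


if __name__ == "__main__":
    for label, (posted, suggested) in compare().items():
        print(f"{label:22} posted={posted:7} suggested={suggested}")
```

Only the "direct-to-host sender" row changes between the two lists: the gateway and authenticated users are permitted either way, and relay attempts are rejected either way.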


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread John Peach
On Mon, 16 Nov 2009 13:00:26 -0700
Jim Lang post...@guscreek.com wrote:

 Wietse Venema wrote:
  Jim Lang:

  OK here is the scenario.   
 
  Spammer sends mail to: u...@myclientsdomain.com from forged
  address vic...@randomdomain.com
 
  If u...@myclientsdomain.com is delivered locally, not a problem,
  if the address is invalid, postfix rejects the mail during the smtp
  connection.
 
  But if u...@myclientsdomain.com is an alias to
  mycli...@otherserver.com, postfix accepts the mail as deliverable
  and forwards it to hotmail.com.  
 
  But if mycli...@otherserver.com  can for whatever reason not be 
  delivered, otherserver.com does what it is supposed to do and
  rejects the mail during the smtp connection, which causes postfix
  to send out a non-delivery  report to vic...@randomdomain.com  --
  backscatter.
 
  Is there a way to stop this? 
  
 
  Yes. Don't forward SPAM.
 
  Wietse

 And how do I do that in this scenario?

You use recipient verification.

 
 


-- 
John


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread John Peach
On Mon, 16 Nov 2009 13:07:05 -0700
Jim Lang post...@guscreek.com wrote:

 John Peach wrote:
  On Mon, 16 Nov 2009 13:00:26 -0700
  Jim Lang post...@guscreek.com wrote:
 

  Wietse Venema wrote:
  
  Jim Lang:


  OK here is the scenario.   
 
  Spammer sends mail to: u...@myclientsdomain.com from forged
  address vic...@randomdomain.com
 
  If u...@myclientsdomain.com is delivered locally, not a problem,
  if the address is invalid, postfix rejects the mail during the
  smtp connection.
 
  But if u...@myclientsdomain.com is an alias to
  mycli...@otherserver.com, postfix accepts the mail as deliverable
  and forwards it to hotmail.com.  
 
  But if mycli...@otherserver.com  can for whatever reason not be 
  delivered, otherserver.com does what it is supposed to do and
  rejects the mail during the smtp connection, which causes postfix
  to send out a non-delivery  report to vic...@randomdomain.com  --
  backscatter.
 
  Is there a way to stop this? 
  
  
  Yes. Don't forward SPAM.
 
Wietse


  And how do I do that in this scenario?
  
 
  You use recipient verification.
 

 I must have been really inarticulate when I wrote out the scenario.
 I do use recipient verification on my server.  How is it that that is
 not clear? Do I need to rewrite this post?
 
Clearly, you are *NOT* doing recipient verification, or
myotherserver.com would not be rejecting it. Never accept mail which
cannot be delivered.




-- 
John


Re: Adding headers in Postfix mails

2009-10-28 Thread John Peach
On Wed, 28 Oct 2009 08:43:34 +
Sharma, Ashish ashish.shar...@hp.com wrote:

 Hello,
 
 I am unable to see the following headers in e-mails received on my
 Postfix e-mail receiving server:
 
 
 1.   Return-Path
 
 2.   Received: from
 
 Similar to header on gmail
 
 Received: from dev16 ([123.123.123.123])
 
 by mx.google.com with SMTP id ;
 
 Tue, 27 Oct 2009 05:52:56 -0700 (PDT)
 
 3.   Return-To:
 
 Please suggest me what should I do to add these headers in the
 received e-mails.
 
 Thanks in advance.

Configure your MUA to show them.


-- 
John


Re: Adding headers in Postfix mails

2009-10-28 Thread John Peach
On Wed, 28 Oct 2009 12:22:43 +
Sharma, Ashish ashish.shar...@hp.com wrote:

 John
 
 Thanks for the reply.
 
 But please post some reference link or samples as I am unable to
 understand your answer.

It is not a function of postfix; you need to configure whatever
mail-reading program you use to show them.

[snip]

-- 
John


Re: smtp client and aliased addresses

2009-09-29 Thread John Peach
On Wed, 30 Sep 2009 01:03:36 +1000
Barney Desmond barneydesm...@gmail.com wrote:

 2009/9/30 Postfix User post...@linuxnet.ca:
 
  I've since implemented an iptables SNAT rule as a temporary
  workaround as I really needed this working this morning. I doubt
  this will interfere with the verbose logging output. What exactly
  is it I should be looking for?
 
 Can you show us some proof that it's not working? Eg. send mail via
 that machine and show the headers that appear on the receiving end.
 
 If you really want to use iptables, I'd use it for logging first. Just
 some trivial rules.
 
 iptables -I OUTPUT -s 142.22.75.146 -p tcp --dport smtp -m state --state NEW
 iptables -I OUTPUT -s 142.22.75.147 -p tcp --dport smtp -m state --state NEW
 
 Send some mail and check your packet counters with `iptables -L
 OUTPUT -vn`
 
 I don't doubt that you're seeing some sort of problem, but we need
 more evidence to believe there's actually something broken/wrong with
 postfix. I wouldn't bother turning on verbose logging just yet; I'm
 not sure it'll show the source address, and it's a lot of information
 to wade through (and no one here will read through it unless they're
 sure there's a problem that needs it).

Why would you think there's a problem? Postfix does not determine what
interface is used for outbound email. The OS routing tables do that, so
iptables will do what he wants.



-- 
John


Re: relayhost and authentication

2009-09-15 Thread John Peach
On Tue, 15 Sep 2009 16:06:54 +0200
K bharathan kbhara...@gmail.com wrote:

 if the relay host has got a username and password how can i specify
 these in the main.cf
 a google on this showed me the following:
 
 relayhost = smtp.example.com:25
   smtp_sasl_auth_enable=yes
   smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
   smtp_sasl_security_options=
 
 /etc/postfix/sasl_passwd:
 smtp.example.com userid:password
 
 is it the proper way of doing it? guidance appreciated
 
 bharathan

relayhost = [smtp.example.com]

[smtp.example.com] userid:password





-- 
John


Re: postfix mx check

2009-08-03 Thread John Peach
On Mon, 3 Aug 2009 22:11:49 +0800
sosogh sos...@126.com wrote:

 
 2009-08-03 21:02:01 Udo Mueller wrote:
 
 My question: Is it possible to disable the domain check and let
 postfix send these emails to me.vodafone.com
 
 Yes. You can use transport_maps
 http://www.postfix.org/transport.5.html
 
 debian:/etc/postfix# postconf -e 'transport_maps = hash:/etc/postfix/transport_maps.txt'
 
 add this line into file /etc/postfix/transport_maps.txt
 vf.uk.vodafone.com   smtp:vodafone.com
 
 debian:/etc/postfix# postmap /etc/postfix/transport_maps.txt
 debian:/etc/postfix# /etc/init.d/postfix reload
 

...and you would really expect vodafone to accept those emails?


-- 
John


Re: temporary errors for DNS

2009-07-13 Thread John Peach



On Mon, 13 Jul 2009 14:25:01 +0200
Keld Jørn Simonsen k...@dkuug.dk wrote:

 On Mon, Jul 13, 2009 at 07:07:01AM -0400, Charles Marcus wrote:
  On 7/13/2009, Keld Jørn Simonsen (k...@dkuug.dk) wrote:
   I am getting it via fetchmail
  
  snip
  
  If you are getting it through fetchmail, then the message has
  already been delivered... so you MUST NOT reject it later,
  *especially* if it is spam - unless of course you really *want* to
  end up blacklisted...
 
 OK, I want to DISCARD it then. Is that possible?
 
 And why would I end up being blacklisted for rejecting spam, already
 received at one of my mailboxes?

http://lmgtfy.com/?q=backscatter


-- 
John


Re: temporary errors for DNS

2009-07-13 Thread John Peach
On Mon, 13 Jul 2009 15:24:04 +0200
Keld Jørn Simonsen k...@dkuug.dk wrote:

[snip]
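 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
 smtp      inet  n       -       y       -       -       smtpd -v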
   

It is chrooted.

-- 
John
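
The chroot column that the reply above reads off the quoted entry can be checked mechanically. Added example, not from the original post: a small Python parser for master.cf that reports which services run chrooted. The sample file is constructed around the quoted smtp line, and `default_chroot` is a parameter name chosen here.

```python
# Constructed master.cf excerpt; the smtp line matches the one quoted above.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd -v
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
pickup    unix  n       -       n       60      1       pickup
local     unix  -       n       n       -       -       local
"""


def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def chroot_report(text, default_chroot):
    """Return {(service, type): (chrooted?, command)} for every entry.

    default_chroot is what "-" means in the chroot column: True for the
    "(yes)" default shown in the quoted header, False for the documented
    default from Postfix 3.0 on.
    """
    report = {}
    for line in logical_lines(text):
        fields = line.split(None, 7)
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf entry: {line!r}")
        service, kind, _private, _unpriv, chroot, _wakeup, _maxproc, command = fields
        if chroot not in ("y", "n", "-"):
            raise ValueError(f"bad chroot field {chroot!r} in: {line!r}")
        chrooted = default_chroot if chroot == "-" else chroot == "y"
        report[(service, kind)] = (chrooted, command)
    return report


if __name__ == "__main__":
    for (service, kind), (chrooted, command) in chroot_report(SAMPLE_MASTER_CF, True).items():
        print(f"{service}/{kind:5} chroot={'yes' if chrooted else 'no':3} {command}")
```

A chrooted smtpd resolves names through the copies of the resolver files under the Postfix queue directory, so a stale or missing copy there is one thing to check when DNS lookups fail only inside Postfix.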


Re: backscatter

2009-07-04 Thread John Peach
On Sat, 4 Jul 2009 20:46:16 -0600
LuKreme krem...@kreme.com wrote:

 On 3-Jul-2009, at 20:35, Andrew Thompson wrote:
  what is the hate for backscatter founded in?
 
 
 Wait until you get hundreds of thousands of backscatter where
 someone has sent out spams with your user name as the From: address
 and helpful mail systems bounce them 'back' to you since your address
 is in the From: header. This is known as a 'joe-job' and it sucks.
 
 Besides that, a lot of spammers sent mail out with forged from  
 addresses so that if the spam isn't delivered to the To: it might
 be delivered by some retarded mailserver to the forged From.

http://www.backscatterer.org/?target=usage

well worth looking at
 


-- 
John


Re: nobody is going to write a new MTA

2009-05-28 Thread John Peach
On Thu, 28 May 2009 11:56:38 +0200
Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

 Turns out Wietse was wrong:
 http://lwn.net/SubscriberLink/334866/fffe7b1a0716c0e4/
 

All political; no real rational reasoning for it


-- 
John


Re: Consistent Entry Stuck in Queue

2009-05-22 Thread John Peach
On Fri, 22 May 2009 19:23:33 +0200
mouss mo...@ml.netoyen.net wrote:

 Carlos Williams wrote:
  [snip]
  Content-filter at server.us wrote:
  
  A message from jthras...@server.us to: - jthras...@server.us
  was considered unsolicited bulk e-mail (UBE). Our internal reference
  code for your message is 16433-01/qNJBp5TNkzDa The message carried
  your return address, so it was either a genuine mail from you, or a
  sender address was faked and your e-mail address abused by third
  party, in which case we apologize for undesired notification. We do
  try to minimize backscatter for more prominent cases of UBE and for
  infected mail, but for less obvious cases of UBE some balance
  between losing genuine mail and sending undesired backscatter is
  sought, and there can be some collateral damage on both sides.
  First upstream SMTP client IP address: [88.255.159.190] unknown
  According to a 'Received:' trace, the message originated at:
  [88.255.159.190], [88.255.159.190] unknown [88.255.159.190]
  Return-Path: jthras...@server.us Message-ID:
  173702817170361.uflfwryznisq...@[88.255.159.190] Subject: Come to
  my place Delivery of the email was stopped!
  
  **
  
 
 so some filter (at server.us?)  is bouncing mail it considers
 possibly spam. This is a bad idea. once mail has been accepted by
 postfix, subsequent relays/filters/whatever should no more bounce.
 
 if spam is bounced to an innocent who never sent anything, you'll get
 in trouble... and even if not, you know it is bad to hit innocents
 whose email address was forged.
 
  [snip]
Looks worse than that:

host -t mx server.us   
server.us mail is handled by 10 cm1.dnsmadeeasy.com.

So they're not the primary MX and they're bouncing it.


-- 
John


Re: What makes a postfix server behave this way?

2009-03-24 Thread John Peach
On Tue, 24 Mar 2009 15:05:52 +0100
suomi post...@ayni.com wrote:

[snip]
 
 In the postfix log, where the php-pear-Mail-Mime client sends all mails, 
 for the mail in question I find the following:
 
 Mar 20 09:00:01 smtphost postfix/smtpd[3990]: connect from 
 senderhost.mydomain.com[xxx.xxx.xxx.163]
 Mar 20 09:00:01 smtphost postfix/smtpd[3990]: disconnect from 
 senderhost.mydomain.com[xxx.xxx.xxx.163]
 
 
 and no more.
 I am sure that the above log entry corresponds to the failed mail, 
 because in the application log I can see that the person sent the 
 message exactly at 09:00:01. postfix on the smtphost is not busy, the 
 last message before the failed was processed at 08:56:15 and the next 
 message after the failed was processed at 09:38:29.
 
 I also checked to see that no empty mail addresses had been sent in the 
 recipient list.
 
 Tests with this application are very delicate, because I cannot send 
 interminable test-mail to the entire mail-list.
 
 Where could I try to find the error in this case?
 Thank you very much in advance.

On the client side; it connected and disconnected without doing
anything.
 


Re: DNS lookups not working?

2009-02-10 Thread John Peach


On Tue, 10 Feb 2009 21:50:26 +0800
jan gestre ipcopper...@gmail.com wrote:

[snip]
 I have this same problem that I was not able to solve for almost a
 week now. I posted too on various mailing lists including this (mail
 from gmail and yahoo are blocked), some suggested to install a caching
 nameserver but obviously in your case it doesn't work too. Replaced
 OpenDNS with other DNS server to no avail, still the same result. If
 rbl is enabled all incoming emails were blocked so I have no recourse
 but to turn it off, caveat is I've got lots of SPAM. Also I don't have
 Postfix in chroot environment.
 
 Here's my log:
 
 Feb 10 21:34:46 kartero postfix/smtpd[14176]: NOQUEUE: reject: RCPT
 from wf-out-1314.google.com[209.85.200.172]: 554 5.7.1 Service
 unavailable; Client host [209.85.200.172] blocked using
 bl.spamcop.net; from=ipcopper...@gmail.com
 to=jan.ges...@ddb.com.ph proto=ESMTP helo=wf-out-1314.google.com

It's working exactly as you configured it. If you want that mail,
remove bl.spamcop.net from your checks...


Re: No reason not to use reject_unverified sender (was Re: reject_unverified_sender vs greylisting)

2009-02-10 Thread John Peach


On Tue, 10 Feb 2009 18:49:05 +
João Miguel Neves joao.ne...@intraneia.com wrote:

 Charles Marcus wrote:
  Here's a link informing why indiscriminate use of SAV is bad, and what
  it should be used for:
 
  http://www.backscatterer.org/?target=sendercallouts
 OK, I've finished reading and analyzing that text. My conclusion is that 
 there's no reason not to use reject_unverified sender.
 
 In this answer I'm assuming 1) the postfix implementation of SAV and 
 that any implementation and 2) that MTAs implement the RFCs (so they 
 have a configuration that matches, for instance, the Book of Postfix).
 
[snip]
 Have I missed anything?
 
Yes; your domain so that I can block it.


Re: TLS and Avast anti-virus

2008-11-18 Thread John Peach
On Mon, 17 Nov 2008 16:32:32 -0500
brian [EMAIL PROTECTED] wrote:

 A client who uses Windows/Thunderbird is reporting the following error 
 when attempting to connect to her INBOX:
 
 TLS not supported by avast mail scanner.
 
She needs to disable mail-scanning in Avast.


Re: Spammers abusing my postfix box

2008-11-11 Thread John Peach
On Tue, 11 Nov 2008 09:39:32 -0300
Jaap Westerbeek [EMAIL PROTECTED] wrote:

 Ok the (or some) spammer came back.
 
 For some reason everything seems to originate from localhost, which isn't
 telling me much.
 Where to look , what to do ?
 
[snip]
You need the log entries for the email BEFORE it gets fed into
amavisd-new.


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread John Peach
On Fri, 31 Oct 2008 18:09:37 + (UTC)
Duane Hill [EMAIL PROTECTED] wrote:

 Responding to the original message...
 
 On Fri, 31 Oct 2008, Asai wrote:
 
[snip]
They may be having issues or you may be on their private blacklist.
 
 worldswidedomainnames.com isn't even a registered domain name.

worldwidedomainnames.com *is* and I would want to blackhole them




Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread John Peach
On Fri, 31 Oct 2008 11:29:04 -0700
Asai [EMAIL PROTECTED] wrote:

 John Peach wrote:
  On Fri, 31 Oct 2008 18:09:37 + (UTC)
  Duane Hill [EMAIL PROTECTED] wrote:
 

  Responding to the original message...
 
  On Fri, 31 Oct 2008, Asai wrote:
 
  
  [snip]

 They may be having issues or you may be on their private blacklist.
 
  worldswidedomainnames.com isn't even a registered domain name.
  
 
  worldwidedomainnames.com *is* and I would want to blackhole them
 
 

 Ok, thanks guys.  John, when you say blackhole them what do you mean?  
 I've been looking for a way to blacklist conveniently using MySQL.  Do 
 you know of a way?

Not with my*sql, per se, but you can reject them based on all sorts of
criteria.

host -t mx worldwidedomainnames.com
worldwidedomainnames.com mail is handled by 0 dev.null.

That would block them at a lot of sites...

check_sender_mx_access hash:/etc/postfix/mx_access

dev.null                    REJECT

host -t ns worldwidedomainnames.com
worldwidedomainnames.com name server this-domain-for-sale.com.
worldwidedomainnames.com name server ns.buydomains.com.

check_sender_ns_access hash:/etc/postfix/ns_access

this-domain-for-sale.com    REJECT
buydomains.com  REJECT

etc...
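
How the two tables above catch this sender, as an added example that is not part of the original message: a Python model that parses the `host` output as posted and applies the posted table entries with host-name and parent-domain matching. The sender address in the usage is constructed, and the model leaves out the IP address and network lookups that Postfix also performs.

```python
# `host` output and access-table entries as posted above.
HOST_OUTPUT = """\
worldwidedomainnames.com mail is handled by 0 dev.null.
worldwidedomainnames.com name server this-domain-for-sale.com.
worldwidedomainnames.com name server ns.buydomains.com.
"""
MX_ACCESS = {"dev.null": "REJECT"}
NS_ACCESS = {"this-domain-for-sale.com": "REJECT", "buydomains.com": "REJECT"}


def parse_host_output(text):
    """Return {domain: {"mx": [...], "ns": [...]}} from `host -t mx/ns` lines."""
    records = {}
    for line in text.splitlines():
        words = line.split()
        if " mail is handled by " in line:
            kind = "mx"
        elif " name server " in line:
            kind = "ns"
        else:
            continue
        entry = records.setdefault(words[0].lower(), {"mx": [], "ns": []})
        entry[kind].append(words[-1].rstrip(".").lower())
    return records


def table_lookup(table, hostname):
    """Try the host name, then each parent domain; return (key, action) or None.

    Parent-domain matching is the default behaviour for smtpd access maps."""
    name = hostname
    while name:
        if name in table:
            return name, table[name]
        name = name.partition(".")[2]  # strip the leftmost label
    return None


def check_sender(sender, records):
    """Return (restriction, dns host, matching key, action) for the first hit, else None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    found = records.get(domain, {"mx": [], "ns": []})
    for restriction, kind, table in (("check_sender_mx_access", "mx", MX_ACCESS),
                                     ("check_sender_ns_access", "ns", NS_ACCESS)):
        for host in found[kind]:
            hit = table_lookup(table, host)
            if hit:
                return (restriction, host) + hit
    return None
```

The `buydomains.com` key matches the name server `ns.buydomains.com` through the parent-domain step, so one entry covers every name server under that domain.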
  


 


Re: valid_hostname chokes on trailing dot

2008-10-01 Thread John Peach


On Wed, 01 Oct 2008 12:40:57 -0400
Chad Whitacre [EMAIL PROTECTED] wrote:

   Please cite the relevant section of the relevant RFC.
   Happy to if you point me to it. I'm not an expert.
 
 Is this the right place?
 
https://tools.ietf.org/html/rfc5321#section-2.3.5
 

If it is, it does not back up your assertion that a trailing dot is
part of the FQDN.


-- 
John