Re: DISCORD from a user to noreply

2020-02-13 Thread Linux Addict
Well, I should have checked, but I assumed the action statements are similar
whether it's transport or access. Obviously that does not seem to be the
case.

"Mail is either accepted or rejected (the sender is told which)" - this
is why I wished for, or made up, "silently" with reject. I don't want the
sender to know about the rejects.

I guess I am going to go with the below, which will silently drop the email
and won't notify the sender.

check_recipient_access inline:{{nore...@example.com = discard}}

On Thu, Feb 13, 2020 at 3:43 PM Viktor Dukhovni wrote:

> On Thu, Feb 13, 2020 at 03:33:42PM -0500, Linux Addict wrote:
>
> > I have no reason to use DISCARD. I also don't want the sender to receive
> > anything back. Is "reject silently" an option?
> >
> > /^From:.?(no|No)(reply|-reply)@.*/ REJECT:silently
>
> First of all, as you've already been told, header checks are entirely
> the wrong tool for this.  You need to use either access(5) restrictions
> or else rewriting to an address which is dropped on delivery.
>
> You're also randomly making up syntax.  The "discard:silently" example
> was a transport table example and only makes sense in that context.
>
> Lastly, and sadly, you may need better command of English to get help on
> this list.  There's no such thing as a silent "REJECT", that's a
> contradiction.  Mail is either accepted or rejected (the sender is
> told which), delivered or discarded (after the message is accepted).
>
> --
> Viktor.
>
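
The configuration this thread converges on, as an added example that is not
from the original posts. Wietse's check_recipient_access map discards mail to
one recipient address; Viktor's point is that making that conditional on the
sender needs a restriction class, and that running it from
smtpd_data_restrictions is what keeps a multi-recipient message from being
discarded whole, because recipient-based restrictions at DATA time are skipped
when a message has more than one recipient. The class name discard_to_noreply,
the pcre file path, and the sender address support@example.net (standing in
for the obfuscated address in the thread) are assumptions for illustration.

```text
# /etc/postfix/main.cf  (added example; names are assumptions)

# A restriction class is a named restriction list that may be returned
# as the RESULT of an access-map lookup.  It must be declared here
# before any map can return it.
smtpd_restriction_classes = discard_to_noreply

# The class: DISCARD when the envelope recipient is noreply@ or
# no-reply@ at any domain.  Postfix pcre tables match case-insensitively
# by default.
discard_to_noreply =
    check_recipient_access pcre:/etc/postfix/noreply_rcpt.pcre

# Sender-conditional dispatch.  Only mail whose envelope sender matches
# is handed to the class.  It sits in smtpd_data_restrictions on purpose:
# at DATA time a recipient-based restriction is skipped for a message
# with more than one recipient, so a message addressed to noreply@ AND a
# real person is delivered rather than discarded whole.
smtpd_data_restrictions =
    check_sender_access inline:{{support@example.net = discard_to_noreply}}

# Relay control stays in the recipient restrictions (Postfix 2.10 and
# later can carry reject_unauth_destination in smtpd_relay_restrictions
# instead).
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# /etc/postfix/noreply_rcpt.pcre
#
# DISCARD tells the client the message was accepted (250), logs it, and
# then drops it instead of delivering.  That is the only "silent" drop
# Postfix has: a REJECT is by definition reported to the sender.
/^no-?reply@/    DISCARD
```

Check it with "postmap -q no-reply@anything.example pcre:/etc/postfix/noreply_rcpt.pcre", which should print DISCARD, then send a test message and look for the discard entry in the mail log; a message from any other sender, or one with two recipients, passes through untouched.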


Re: DISCORD from a user to noreply

2020-02-13 Thread Linux Addict
I have no reason to use DISCARD. I also don't want the sender to receive
anything back. Is "reject silently" an option?

/^From:.?(no|No)(reply|-reply)@.*/ REJECT:silently

On Thu, Feb 13, 2020 at 3:12 PM Viktor Dukhovni wrote:

> On Thu, Feb 13, 2020 at 03:06:37PM -0500, Linux Addict wrote:
>
> > Sorry.. yeah discard.
> >
> > But is it possible to discard noreply email for just one sender? I am
> > clear on how to discard when everything is sent to
> > noreply@.*.
>
> Nothing built into Postfix will discard just the one recipient
> in a multi-recipient mail based on the sender.
>
> In a single-recipient message (unsafe assumption), discarding
> the whole message is possible via restriction classes.
>
> Now it turns out that "recipient_restrictions" configured via:
>
> smtpd_data_restrictions = ...
>
> only run on single-recipient messages, if the message had two or more
> recipients, the restriction is skipped.  Thus it would be safe to
> use a sender-based rule that resolves to a restriction class that
> processes the recipient, and run that sender rule in the data
> restrictions, and be sure to discard just single-recipient mail.
>
> --
> Viktor.
>


Re: DISCORD from a user to noreply

2020-02-13 Thread Linux Addict
Sorry, yeah, discard.

Though there are header checks already on this system, I can do a recipient
check for this one. But is it possible to discard noreply email for just one
sender? I am clear on how to discard when everything is sent to
noreply@.*.

 check_recipient_access inline:{{nore...@example.com = discard}}


On Thu, Feb 13, 2020 at 2:57 PM Wietse Venema wrote:

> Linux Addict:
> > Folks, I am trying to configure discord when supp...@company.com sends
> > to noreply@ / no-reply@.
>
> Did you mean "discard"?
>
> > The SMTP recipient/header checks seem to parse line by line, so I can
> > discord to noreply, but how do I add a condition? I looked at if..endif,
> > but I am unsure how to get this done with From and To lines in one regex.
>
> Headers are not a good way to determine where email is being sent
> to. The recipient is part of the envelope. It is sent with the RCPT
> TO command.
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
> ...
> reject_unauth_destination
> check_recipient_access inline:{{nore...@example.com = discard}}
> ...
>
> Wietse
>


DISCORD from a user to noreply

2020-02-13 Thread Linux Addict
Folks, I am trying to configure discord when supp...@company.com sends to
noreply@ / no-reply@.

The SMTP recipient/header checks seem to parse line by line, so I can
discord to noreply, but how do I add a condition? I looked at if..endif, but
I am unsure how to get this done with From and To lines in one regex.

any help would be appreciated.


Re: Is it time for 2.x.y - x.y?

2013-06-01 Thread Linux Addict
After 2.9, it should have been 3, not 2.10 ;)



Sent from my iPhone

On Jun 1, 2013, at 8:33 AM, Len Conrad lcon...@go2france.com wrote:

 At 07:18 AM 6/1/2013, you wrote:
 Am 31.05.2013 22:56, schrieb Wietse Venema:
 After the confusion that Postfix 2.10 is not Postfix 2.1, maybe it
 is time to change the release numbering scheme.
 
 don't dumb postfix down.  keep the current numbering style.
 
 Len
 
 
 


Re: Upgrade 2.5.4

2010-11-03 Thread Linux Addict
On Wed, Nov 3, 2010 at 4:48 AM, Terry Kemp tk...@klc.net.nz wrote:

 On 11/3/10, Linux Addict linuxaddi...@gmail.com wrote:
  On Tue, Nov 2, 2010 at 1:31 PM, Wietse Venema wie...@porcupine.org
 wrote:
 
  Linux Addict:
 If the package is not well constructed:

   Read the RELEASE_NOTES file for 2.6 and 2.7, then:

   # postfix stop

   # mkdir -p /etc/postfix/cfsavedir
   # cp /etc/postfix/main.cf /etc/postfix/master.cf \
   /etc/postfix/cfsavedir/

   #
 some-command-to-install-updated-poorly-constructed-package

   # cp /etc/postfix/cfsavedir/main.cf/etc/postfix/cfsavedir/
master.cf \
   /etc/postfix/
   # postfix set-permissions upgrade-configuration

   # postfix start

 A package is not well constructed if it fails to preserve and
  upgrade
 your existing main.cf and master.cf files.

   
   
   Thanks Victor. Reading the 2.6 release notes, it looks like Postfix
   changed how multiple instances are handled. I am going to test on a
   sandbox.

   Sorry about beating the dead horse, but I just came to know that there
   are a few 2.2 Postfix instances which need to be upgraded to 2.7 as
   well. Does the upgrade hold true for 2.2 to 2.7, or will installing a
   clean 2.7 and just porting the postconf -n suffice?
 
  No. The config files need to be upgraded, not overwritten.
 
  If you install clean 2.7, then follow instructions above as with
  not well constructed package, i.e. save the config files, install
  Postfix, restore the config files and do postfix set-permissions
  upgrade-configuration.
 
 Wietse
 
 
 
   Awesome, thank you. Testing the upgrade from 2.2 to 2.7.
 

 --
 Sent from my mobile device


Victor, I see these messages after the upgrade, and in fact it's RHEL4
w/ openssl-0.9.7a-43.17.el4_6.1

Nov  3 12:02:11 MXHOST postfix/smtp[6209]: certificate verification failed
for MXHOST-1[10.46.200.23]:25: untrusted issuer /C=US/O=The Go Daddy Group,
Inc./OU=Go Daddy Class 2 Certification Authority
Nov  3 12:02:11 MXHOST postfix/smtp[6209]: warning: tls_text_name:
MXHOST-1[10.46.200.23]:25: error decoding peer subject CN of ASN.1 type=12
Nov  3 12:02:11 MXHOST postfix/smtp[6209]: warning: TLS library problem:
6209:error:0D07A0A0:asn1 encoding routines:ASN1_mbstring_copy:unknown
format:a_mbstr.c:142:

I see your patch "coded_CN_buf = vstring_alloc(strlen(CN) + 1);" on
http://www.mailinglistarchive.com/postfix-users@postfix.org/msg35241.html,
which is already in place for 2.7.1.

I know it's not a Postfix issue, because I was getting the cert error even
before the upgrade, but the TLS library problem is an additional error after
the upgrade.

Cheers.


Re: Upgrade 2.5.4

2010-11-02 Thread Linux Addict
On Wed, Oct 20, 2010 at 3:21 PM, Linux Addict linuxaddi...@gmail.comwrote:


 On Tue, Oct 19, 2010 at 3:37 PM, fake...@fakessh.eu fake...@fakessh.euwrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Le 19.10.2010 19:42, Victor Duchovni a écrit :
  On Tue, Oct 19, 2010 at 12:17:23PM -0400, Linux Addict wrote:
 
   Hello, I am running Postfix 2.5.4 and would like to upgrade it to the
   latest stable 2.7.0. What is the best way to upgrade? Do a clean install
   and port the settings to the newer version? Any help is appreciated.
 
  No. Do an upgrade. If installing from source:
 
Read the RELEASE_NOTES file for 2.6 and 2.7, then:
 
% make
% su root
# postfix stop
# make upgrade
# postfix start
 
  If installing from a well constructed package:
 
Read the RELEASE_NOTES file for 2.6 and 2.7, then:
 
# postfix stop
# some-command-to-install-updated-package
# postfix start
 
  In either case, save the updated main.cf and master.cf files that
  are automatically upgraded as part of the install process.
 
  If the package is not well constructed:
 
Read the RELEASE_NOTES file for 2.6 and 2.7, then:
 
# postfix stop
 
# mkdir -p /etc/postfix/cfsavedir
# cp /etc/postfix/main.cf /etc/postfix/master.cf \
/etc/postfix/cfsavedir/
 
# some-command-to-install-updated-poorly-constructed-package
 
# cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/
 master.cf \
/etc/postfix/
# postfix set-permissions upgrade-configuration
 
# postfix start
 
   A package is not well constructed if it fails to preserve and upgrade
  your existing main.cf and master.cf files.
 


  Thanks Victor. Reading the 2.6 release notes, it looks like Postfix
  changed how multiple instances are handled. I am going to test on a sandbox.





Sorry about beating the dead horse, but I just came to know that there are a
few 2.2 Postfix instances which need to be upgraded to 2.7 as well. Does the
upgrade hold true for 2.2 to 2.7, or will installing a clean 2.7 and just
porting the postconf -n suffice?

thanks again.


Re: Upgrade 2.5.4

2010-11-02 Thread Linux Addict
On Tue, Nov 2, 2010 at 1:31 PM, Wietse Venema wie...@porcupine.org wrote:

 Linux Addict:
If the package is not well constructed:
   
  Read the RELEASE_NOTES file for 2.6 and 2.7, then:
   
  # postfix stop
   
  # mkdir -p /etc/postfix/cfsavedir
  # cp /etc/postfix/main.cf /etc/postfix/master.cf \
  /etc/postfix/cfsavedir/
   
  # some-command-to-install-updated-poorly-constructed-package
   
  # cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/
   master.cf \
  /etc/postfix/
  # postfix set-permissions upgrade-configuration
   
  # postfix start
   
 A package is not well constructed if it fails to preserve and
 upgrade
your existing main.cf and master.cf files.
   
  
  
   Thanks Victor. Reading the 2.6 release notes, it looks like Postfix
   changed how multiple instances are handled. I am going to test on a
   sandbox.
 
  Sorry about beating the dead horse, but I just came to know that there are
  a few 2.2 Postfix instances which need to be upgraded to 2.7 as well. Does
  the upgrade hold true for 2.2 to 2.7, or will installing a clean 2.7 and
  just porting the postconf -n suffice?

 No. The config files need to be upgraded, not overwritten.

 If you install clean 2.7, then follow instructions above as with
 not well constructed package, i.e. save the config files, install
 Postfix, restore the config files and do postfix set-permissions
 upgrade-configuration.

Wietse



Awesome, thank you. Testing the upgrade from 2.2 to 2.7.


Re: Upgrade 2.5.4

2010-10-20 Thread Linux Addict
On Tue, Oct 19, 2010 at 3:37 PM, fake...@fakessh.eu fake...@fakessh.euwrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Le 19.10.2010 19:42, Victor Duchovni a écrit :
  On Tue, Oct 19, 2010 at 12:17:23PM -0400, Linux Addict wrote:
 
   Hello, I am running Postfix 2.5.4 and would like to upgrade it to the
   latest stable 2.7.0. What is the best way to upgrade? Do a clean install
   and port the settings to the newer version? Any help is appreciated.
 
  No. Do an upgrade. If installing from source:
 
Read the RELEASE_NOTES file for 2.6 and 2.7, then:
 
% make
% su root
# postfix stop
# make upgrade
# postfix start
 
  If installing from a well constructed package:
 
Read the RELEASE_NOTES file for 2.6 and 2.7, then:
 
# postfix stop
# some-command-to-install-updated-package
# postfix start
 
  In either case, save the updated main.cf and master.cf files that
  are automatically upgraded as part of the install process.
 
  If the package is not well constructed:
 
Read the RELEASE_NOTES file for 2.6 and 2.7, then:
 
# postfix stop
 
# mkdir -p /etc/postfix/cfsavedir
# cp /etc/postfix/main.cf /etc/postfix/master.cf \
/etc/postfix/cfsavedir/
 
# some-command-to-install-updated-poorly-constructed-package
 
# cp /etc/postfix/cfsavedir/main.cf /etc/postfix/cfsavedir/
 master.cf \
/etc/postfix/
# postfix set-permissions upgrade-configuration
 
# postfix start
 
   A package is not well constructed if it fails to preserve and upgrade
  your existing main.cf and master.cf files.
 


Thanks Victor. Reading the 2.6 release notes, it looks like Postfix
changed how multiple instances are handled. I am going to test on a sandbox.


Upgrade 2.5.4

2010-10-19 Thread Linux Addict
Hello, I am running Postfix 2.5.4 and would like to upgrade it to the latest
stable 2.7.0. What is the best way to upgrade? Do a clean install and port
the settings to the newer version? Any help is appreciated.

~LA


Disable NDR

2010-05-24 Thread Linux Addict
Hello, one of my Postfix servers is sending thousands of messages to a
non-existent mailbox on another internal server. The internal application
sends mail as mailb...@domain.net through Postfix. The TO addresses are
invalid. I need to reject messages from those domains that are not resolved.



to=dmr0613420524125827...@dsaperftest.edu, relay=none, delay=0.05,
delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not
found. Name service error for name=dsaperftest.edu type=A: Host not found)

thank you
LA


Re: Disable NDR

2010-05-24 Thread Linux Addict
On Mon, May 24, 2010 at 2:25 PM, John Adams mailingli...@belfin.ch wrote:

 On 24.05.2010 20:05, Linux Addict wrote:

 Hello, one of my Postfix servers is sending thousands of messages to a
 non-existent mailbox on another internal server. The internal application
 sends mail as mailb...@domain.net through Postfix. The TO addresses are
 invalid.

 I need to reject messages from those domains that are not resolved.

 to=dmr0613420524125827...@dsaperftest.edu, relay=none, delay=0.05,
 delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not
 found. Name service error for name=dsaperftest.edu type=A: Host not found)

 thank you
 LA



 Well, if it's one of your hosts doing the spamming, turn off the application
 that is causing it. Or blacklist the sender host's IP address on the first
 receiving SMTP server. Or do some sender address verification on your mail
 gateway (or whatever your email architecture looks like - I have no idea).



The Postfix MXes are behind a load balancer, so they don't show the actual IP.
I stopped Postfix, then did postcat on one of the queued messages and found
the spam host. Thanks for your help.
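
The rejection the original post asks for, as an added example that is not
from the thread. The log line above shows Postfix accepting the message and
bouncing it afterwards (dsn=5.4.4, status=bounced); reject_unknown_recipient_domain
refuses such a recipient at RCPT TO instead, so nothing is queued and no NDR
is ever generated. The restriction order is the important part and is
commented; the rest of the list is a generic placeholder, not the poster's
configuration.

```text
# /etc/postfix/main.cf  (added example)

# Refuse a recipient whose domain has no MX and no A record, at RCPT TO
# time.  The submitting application gets the SMTP reply straight away;
# nothing is queued, so Postfix never generates a bounce for it.
#
# Ordering matters: the sending application is in $mynetworks, so the
# check must come BEFORE permit_mynetworks or it is never reached for
# those clients.  It applies only to domains Postfix is not final
# destination for; local and virtual domains are checked against their
# own recipient tables.
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination

# Reply code for an unresolvable recipient domain.  The default 450 is
# deliberate: a DNS failure may be a transient resolver problem, and a
# temporary reply makes a well-behaved client retry rather than give
# up.  Change to 550 only if a hard failure is what you want the
# application to see.
unknown_address_reject_code = 450
```

The same list is where the spam host found with postcat belongs once its
address is known: a check_client_access entry placed before permit_mynetworks
rejects it during the SMTP session instead of after the message has been
queued.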


Re: NMAP information about postfix

2010-04-20 Thread Linux Addict
On Mon, Apr 19, 2010 at 11:37 AM, Wietse Venema wie...@porcupine.orgwrote:

 Gaby L:
  Hi
   I scanned my Postfix server with Nmap from another location.
  The Nmap report shows the SMTP port open (that is OK), but it also shows
  Postfix smtpd and other information about the MTA program.
  I don't want any information about my MTA server to appear.

 To disclose no information, close the SMTP port.

 Seriously.

 Even when you change the smtpd_banner value to say $myhostname
 ESMTP Sendmail (this text MUST start with the hostname), the
 server's replies (especially error messages) still reveal that it's
 really Postfix.

Wietse



Disclaimer: it may violate some RFCs and possibly break the SMTP system
itself.

[r...@stick ~]# grep ^smtpd_banner /etc/postfix/main.cf
smtpd_banner = unknown

[r...@stick ~]# telnet 0 25
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 unknown


Re: NMAP information about postfix

2010-04-20 Thread Linux Addict
On Tue, Apr 20, 2010 at 1:33 PM, Brian Evans - Postfix List 
grkni...@scent-team.com wrote:

 On 4/20/2010 1:23 PM, Linux Addict wrote:
 
 
  On Mon, Apr 19, 2010 at 11:37 AM, Wietse Venema wie...@porcupine.org
  mailto:wie...@porcupine.org wrote:
 
  Gaby L:
   Hi
    I scanned my Postfix server with Nmap from another location.
   The Nmap report shows the SMTP port open (that is OK), but it also shows
   Postfix smtpd and other information about the MTA program.
   I don't want any information about my MTA server to appear.
 
  To disclose no information, close the SMTP port.
 
  Seriously.
 
  Even when you change the smtpd_banner value to say $myhostname
  ESMTP Sendmail (this text MUST start with the hostname), the
  server's replies (especially error messages) still reveal that it's
  really Postfix.
 
 Wietse
 
 
 
  Disclaimer: it may violate some RFCs and possibly break the SMTP
  system itself.
 
  [r...@stick ~]# grep ^smtpd_banner /etc/postfix/main.cf
  smtpd_banner = unknown
 
  [r...@stick ~]# telnet 0 25
  Trying 0.0.0.0...
  Connected to 0.
  Escape character is '^]'.
  220 unknown
 
 

 As Wietse mentioned, the above has no effect on determining the server
 type.

 Just because the banner doesn't say Postfix, doesn't mean a
 script/person couldn't figure it out from the response/error messages.


True. It seems Nmap doesn't even check the banner; it does an EHLO and picks
the MTA from the response code.

25/tcp   open  smtpPostfix smtpd
postfix/smtpd[21190]: lost connection after EHLO from stick[127.0.0.1]


Re: [Postfix] Wrong Time

2009-10-27 Thread Linux Addict
On Tue, Oct 27, 2009 at 10:51 AM, Dan Schaefer d...@performanceadmin.comwrote:

 Wietse Venema wrote:

 Try without SeLinux, AppArmor, and other security add-ons.
 They are not covered by the Postfix warranty.

Wietse


 Postfix has a warranty? :) It's a free product...

 --
 Dan Schaefer
 Web Developer/Systems Analyst
 Performance Administration Corp.



This issue (-0600) is usually caused by an application/script that sends mail
without setting the time offset.


Transport Maps

2009-07-21 Thread Linux Addict
I have a Postfix MTA server running. I was asked to set up relaying of mail
to a specific domain through an MX record.
Domain - example.com
An A record - smtp.example.com
MX records - smtp.example.com -> smtp1.example.com and smtp2.example.com.

In simple terms, when I send a mail to @example.com, Postfix must send the
mail to the MX records of smtp.example.com.

I tried using transport maps, "example.com :[smtp1.example.com]" and
"example.com smtp:[smtp1.example.com]", but neither of them used
smtp.example.com.


Please help me set this one up.


~LA


Re: Transport Maps

2009-07-21 Thread Linux Addict
On Tue, Jul 21, 2009 at 12:00 PM, Ralf Hildebrandt 
ralf.hildebra...@charite.de wrote:

 * Ralf Hildebrandt ralf.hildebra...@charite.de:

   In simple, When I send a mail to @example.com,  postfix must send the
 mail
   to the MX records of smtp.example.com.

  example.com  smtp.example.com

 OK, not too sure if Postfix will perform an MX lookup for the RHS
 (smtp.example.com in this example). Please try

 --
 Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de


I just tried. It's NOT using the MX records of smtp.example.com. I can
manipulate it through DNS, but I will be more comfortable if we can do it
through Postfix.


Re: Transport Maps

2009-07-21 Thread Linux Addict
On Tue, Jul 21, 2009 at 12:03 PM, Simon Waters sim...@zynet.net wrote:

 On Tuesday 21 July 2009 16:53:52 Linux Addict wrote:
 
   I tried using transport maps, "example.com :[smtp1.example.com]"
   and "example.com smtp:[smtp1.example.com]", but neither of them used
   smtp.example.com.

 Not clear what you mean here.

 Documentation of transport (man transport) suggests you don't want the
 []
 if you want MX lookup.

 So I think you want:

 example.com smtp:smtp.example.com


Simon, I already tried that. It's not doing an MX lookup, I guess.


Re: Transport Maps

2009-07-21 Thread Linux Addict
I tried dig; I get the MX servers in the ANSWER section. I manage DNS as
well, so I know it's resolving correctly.

On Tue, Jul 21, 2009 at 12:20 PM, Jaroslaw Grzabel ja...@meil.me wrote:

 Linux Addict wrote:


  Simon, I already tried that. It's not doing an MX lookup, I guess.

  Maybe it works but you're using your local DNS which doesn't know MX
 record for that remote domain you want to relay your messages through. Try
 locally run dig domainname.com MX and see the result. If it's empty it
 means that it's something wrong with that domain name and there is nothing
 to do with postfix in this case because postfix will not cast a spell for
 you and charm MX record.

 syntax as:
 domainname.com smtp:server.domain.com
 should work for you

 Regards,
 Jarek

 P.S. Sorry I posted that to your priv as well... reply to the list please.



Re: Transport Maps

2009-07-21 Thread Linux Addict
On Tue, Jul 21, 2009 at 12:24 PM, Jaroslaw Grzabel ja...@meil.me wrote:

 Linux Addict wrote:

  I tried dig; I get the MX servers in the ANSWER section. I manage DNS
  as well, so I know it's resolving correctly.

 What is in the log files then when you're trying to relay your messages ?

 Regards,
 Jarek


Good question. It is using the MX records of example.com, but we need
Postfix to use the MX records of smtp.example.com.


Re: Transport Maps

2009-07-21 Thread Linux Addict
On Tue, Jul 21, 2009 at 12:37 PM, Linux Addict linuxaddi...@gmail.comwrote:



 On Tue, Jul 21, 2009 at 12:24 PM, Jaroslaw Grzabel ja...@meil.me wrote:

 Linux Addict wrote:

  I tried dig; I get the MX servers in the ANSWER section. I manage DNS
  as well, so I know it's resolving correctly.

 What is in the log files then when you're trying to relay your messages ?

 Regards,
 Jarek


  Good question. It is using the MX records of example.com, but we need
  Postfix to use the MX records of smtp.example.com.



Thanks all. I just worked around it by adding an internal CNAME pointing to
the 2 MX servers. I will come back later and check.
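
What the transport(5) nexthop syntax does with MX records, as an added
example that is not from the thread: a nexthop without square brackets is
looked up for MX records, while brackets suppress the MX lookup and use the
host's A record directly, which is why the bracketed entries tried above went
straight to smtp1.example.com. The domain names follow the thread; the map
file path is the conventional one.

```text
# /etc/postfix/main.cf  (added example)
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport  (rebuild with "postmap /etc/postfix/transport"
# after every edit; Postfix reads the .db file, not this one)
#
# Nexthop WITHOUT brackets: the Postfix SMTP client looks up the MX
# records of smtp.example.com (smtp1/smtp2 in the thread) and tries them
# in preference order.  This is the form the thread is after.
example.com      smtp:smtp.example.com

# Nexthop WITH brackets: MX lookup is suppressed and the A record of the
# named host is used directly.
# example.com    smtp:[smtp1.example.com]

# With the default parent_domain_matches_subdomains setting (Postfix 2.0
# and later), the example.com entry does not cover foo.example.com; the
# leading-dot form does.
.example.com     smtp:smtp.example.com
```

Two checks before blaming DNS: "postmap -q example.com hash:/etc/postfix/transport"
prints the nexthop Postfix will actually use (nothing printed means the entry
is not matching and Postfix falls back to the MX records of example.com
itself), and transport_maps only chooses the route; whether Postfix accepts
mail for example.com from a given client is still decided by relay_domains
and the smtpd restrictions.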


Re: tls_random_source and OSX

2009-07-21 Thread Linux Addict
On Tue, Jul 21, 2009 at 5:13 PM, Quanah Gibson-Mount qua...@zimbra.comwrote:

 I noticed that on my OSX builds, there is no default tls_random_source
 defined, yet /dev/urandom exists on those systems:

 OSX 10.4:

 build24:~ build$ ls -l /dev/urandom
 crw-rw-rw-   1 root  wheel8,   1 Jun 18 13:38 /dev/urandom
 build24:~ build$ uname -a
 Darwin build24.lab.zimbra.com 8.11.1 Darwin Kernel Version 8.11.1: Wed Oct
 10 18:23:28 PDT 2007; root:xnu-792.25.20~1/RELEASE_I386 i386 i386

 OSX 10.5:
 build09:~ build$ ls -l /dev/urandom
 crw-rw-rw-  1 root  wheel8,   1 Jun 23 12:42 /dev/urandom
 build09:~ build$ uname -a
 Darwin build09.lab.zimbra.com 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar
 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386


 Is there a particular reason for this?

 --Quanah

 --

 Quanah Gibson-Mount
 Principal Software Engineer
 Zimbra, Inc
 
 Zimbra ::  the leader in open source messaging and collaboration




Was Postfix compiled with TLS enabled? If yes, what does "postconf -d | grep
tls_random_source" show?


Log file for Second Instance.

2009-07-20 Thread Linux Addict
Greetings, I have two instances of Postfix running, but all the logs are
going to /var/log/maillog. Could someone please point me to how to create a
separate log file for the 2nd instance?
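
One way to separate the two instances' logs, as an added example that is not
from the original post: give the second instance its own syslog_name and
route on it in the syslog daemon. The instance directory /etc/postfix-2, the
name postfix-2, the rsyslog syntax and the destination file are assumptions;
the post does not say which syslog daemon is in use, the filter below is
rsyslog's, and classic sysklogd cannot filter on program name at all.

```text
# /etc/postfix-2/main.cf  (second instance; added example, names assumed)
#
# Every Postfix daemon logs under the tag "$syslog_name/<daemon>", e.g.
# postfix-2/smtpd[1234].  The default is "postfix", so two instances
# left at the default are indistinguishable in the log.  On Postfix 2.6
# and later an instance created by postmulti defaults syslog_name to
# its multi_instance_name, so this line is only needed for instances
# set up by hand.
syslog_name = postfix-2

# /etc/rsyslog.d/postfix-2.conf  (added example, rsyslog assumed)
#
# programname is the tag up to the first "/", "[" or ":", so it is
# "postfix-2" for every daemon of the second instance.  The "& ~" line
# discards the message after writing it, so it does not also land in
# /var/log/maillog ("& stop" on rsyslog 7 and later).
:programname, startswith, "postfix-2"    /var/log/maillog-2
& ~
```

Reload the second instance with "postfix -c /etc/postfix-2 reload" after the
change. Because the default tag "postfix" is a prefix of "postfix-2", a rule
for the first instance should match on the exact value rather than with
startswith, or it will swallow the second instance's lines first.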


Re: Verisign Cert

2009-07-16 Thread Linux Addict
On Wed, Jul 15, 2009 at 3:07 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

 On Wed, Jul 15, 2009 at 02:33:46PM -0400, Linux Addict wrote:

  I ran the openssl test command that you provided, and it doesn't look like
  my cert config is good.
 
 
  [r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
  CONNECTED(0003)
  ---
  Certificate chain
   0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
 i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 1595 bytes and written 350 bytes
  ---
  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
  Server public key is 1024 bit
  ---
  220 XXX ESMTP

 This is exactly what you would expect. Everything is working fine.

 --
 Viktor.

 Disclaimer: off-list followups get on-list replies or get ignored.
 Please do not ignore the Reply-To header.

 To unsubscribe from the postfix-users list, visit
 http://www.postfix.org/lists.html or click the link below:
 mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

 If my response solves your problem, the best way to thank me is to not
 send an "it worked, thanks" follow-up. If you must respond, please put
 "It worked, thanks" in the Subject so I can delete these quickly.


I am reading the TLS page on Postfix and here:
http://www.state-of-mind.de/assets/postfix_tls.pdf.

I have one last question. What I am trying to set up is: I have a set of
hosts in the LAN which use Postfix relay servers in the DMZ to send (secure)
mails to one of our external clients. The external client insists on using a
Verisign cert. In this scenario my Postfix server will send mails to the
external client's server, so should I configure the client certificate on my
Postfix?

Thank you,


Re: Verisign Cert

2009-07-16 Thread Linux Addict
On Thu, Jul 16, 2009 at 12:03 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

 On Thu, Jul 16, 2009 at 09:33:24AM -0400, Linux Addict wrote:

  I am reading the TLS page on Postfix and here
  http://www.state-of-mind.de/assets/postfix_tls.pdf.
 
  I have one last question. What I am trying to set up is: I have a set of
  hosts in the LAN which use Postfix relay servers in the DMZ to send (secure)
  mails to one of our external clients. The external client insists on using
  a Verisign cert.

 This is not sufficiently precise, what does using mean? Printing it
 on a piece of paper and using it as bathroom wallpaper? :-)


:-) Honestly I haven't spoken to them directly; I'm just working based on a
piece of mail I got.




 You need to understand what role the private key and associated (Verisign
 or
 other CA) certificate is to play in your communications with this party.

  In this scenario my Postfix server will send mails to the external
  client's server, so should I configure the client certificate on my
  Postfix?

 If they restrict access to their server, and allow only (certain) TLS
 authenticated clients to connect, then indeed you may need to configure
 a client certificate. This is never true for MX hosts, but if this is
 a dedicated gateway used only by specially configured clients, it may
 be one of the exceptions where SMTP client certs are useful.



Being secure, I think they allow only specific clients to connect.

The Postfix TLS doc says the key should be in .pem format, but I see many
howtos using .key or .crt as well. I used the openssl command to generate
keys, and both the .pem and the .key seem to be just RSA encryption with
BEGIN and END. I assume the extension can be .pem or .crt or can be
anything. Is that right?


Verisign Cert

2009-07-15 Thread Linux Addict
Hello Gurus, currently my Postfix server runs with a self-signed cert, but
now I was asked to implement a Verisign cert for some of the outgoing mails.
My question is: when the Verisign cert is installed, will all the outgoing
mails, such as to yahoo.com, gmail.com, be encrypted? Do the clients need any
certificate information? I am not very clear. Please throw some light..
~LA


Re: Verisign Cert

2009-07-15 Thread Linux Addict
On Wed, Jul 15, 2009 at 12:52 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

 On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:

  Hello Gurus, currently my Postfix server runs with a self-signed cert, but
  now I was asked to implement a Verisign cert for some of the outgoing mails.

 You are mightily confused. X.509 certificates with SMTP STARTTLS are for
 *incoming* mail, so that *senders* can authenticate your server:

http://www.postfix.org/TLS_README.html#client_tls_secure

 The *server installs* a certificate signed by a trusted CA, and the
 *client verifies* it.

  My question is: when the Verisign cert is installed, will all the
  outgoing mails, such as to yahoo.com, gmail.com, be encrypted? Do the
  clients need any certificate information? I am not very clear. Please
  throw some light..

 Your client certificate plays no role in the delivery of email to other
 domains, and will almost never be used, because the vast majority of
 MX hosts that support STARTTLS do not request client certificates.

 The recommended configuration for TLS enabled Postfix servers is:

# SMTP Server TLS (cert + key):
smtpd_tls_cert_file = /etc/postfix/your-cert.pem
smtpd_tls_key_file = /etc/postfix/your-key.pem

# SMTP Client TLS (no cert or key):
smtp_tls_cert_file =
smtp_tls_key_file =

 --
Viktor.

 Disclaimer: off-list followups get on-list replies or get ignored.
 Please do not ignore the Reply-To header.

 To unsubscribe from the postfix-users list, visit
 http://www.postfix.org/lists.html or click the link below:
 mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

 If my response solves your problem, the best way to thank me is to not
 send an "it worked, thanks" follow-up. If you must respond, please put
 "It worked, thanks" in the Subject so I can delete these quickly.





On Wed, Jul 15, 2009 at 10:46 AM, Thomas Gelf tho...@gelf.net wrote:

 I assume you're using this certificate for TLS, so the answer is NO, no
 single mails will be encrypted - TLS is only there to allow MTA's to
 encrypt their transport layer. If no restrictions are configured this
 happens automagically if both endpoints support TLS.

 Best regards,
 Thomas Gelf


 Linux Addict wrote:
  Hello Gurus, currently my Postfix server runs with a self-signed cert, but
  now I was asked to implement a Verisign cert for some of the outgoing
  mails.  My question is: when the Verisign cert is installed, will all the
  outgoing mails, such as to yahoo.com, gmail.com, be encrypted? Do the
  clients need any certificate information? I am not very clear. Please
  throw some light..
 
  ~LA



Thank you. Looks like I need to stand up another Postfix instance, since the
outgoing mail domain will be different from the one in $mydomain.

On the current instance (self-signed), when I telnet to port 25, I get the
below.

250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-AUTH=PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The postconf output is below

smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom


I read in one of the docs,
http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1,
that for a successful TLS setup the last line should be
"220 Ready to start TLS".

I don't see any errors in the logs; does my current setup really have TLS
enabled?


thanks
LA


Re: Verisign Cert

2009-07-15 Thread Linux Addict
On Wed, Jul 15, 2009 at 1:58 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

 On Wed, Jul 15, 2009 at 01:49:24PM -0400, Linux Addict wrote:

  smtp_tls_note_starttls_offer = yes
  smtp_use_tls = yes
  smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem

 Make that:

smtp_tls_CAfile = ...

 you don't need an smtpd_tls_CAfile, unless your cert file is missing
 the intermediate CA issuing certificates that are found in this file.
 The right solution is to include your trust chain in the cert.pem file
 (in the right order, subject cert before issuer cert, leaf to root).

  smtpd_tls_session_cache_timeout = 3600s

 No need if you don't also specify a btree cache database.

  smtpd_use_tls = yes

 Make that:

smtpd_tls_security_level = may

  I read on one of the doc,
 
 http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1
 ,
  for a successfull TLS setup, the last line should be
  220 Ready to start TLS.

 No, this is not the case. To test:

openssl s_client -starttls smtp -connect 192.0.2.1:25

 where 192.0.2.1 is replaced by the IP address of your SMTP server.

 --
 Viktor.

 Disclaimer: off-list followups get on-list replies or get ignored.
 Please do not ignore the Reply-To header.

 To unsubscribe from the postfix-users list, visit
 http://www.postfix.org/lists.html or click the link below:
 mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

 If my response solves your problem, the best way to thank me is to not
 send an it worked, thanks follow-up. If you must respond, please put
 It worked, thanks in the Subject so I can delete these quickly.


I think I lack knowledge on this.. I gotta do some reading.

I ran the openssl test command that you provided and it doesn't look like my
cert config is good.


[r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
CONNECTED(0003)
depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
   i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
issuer=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
---
No client certificate CA names sent
---
SSL handshake has read 1595 bytes and written 350 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID:
E73EFFA5B6E8331A2571E2B15E43189D1F585D4B9D64128E6C09CE67190E2B64
Session-ID-ctx:
Master-Key:
BD77CCB997AFCD42BDFDC750763FD56FD82237E09686F6E596A9E885AD5B46C5FD99E9C5B45A7BBDE25A183F8BAA05D5
Key-Arg   : None
Krb5 Principal: None
Start Time: 1247682108
Timeout   : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 XXX ESMTP

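The check Viktor describes above is the certificate chain, not the 220 banner. Below is an added example (mine, not code from this thread or from Postfix) that parses the saved output of `openssl s_client -starttls smtp -connect host:25` and pulls out the facts that decide whether the STARTTLS setup is trustworthy: whether the chain verified, whether the certificate is self-signed, the key size and the protocol. Both outputs are constructed: the first mirrors the self-signed run quoted above, the second shows what a CA-issued certificate with its intermediate looks like; the hostnames are placeholders.

```python
import re

# Constructed sample, shaped like the self-signed run quoted in the thread
# (certificate body left out, XXX placeholders kept).
SELF_SIGNED_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=mx01.example.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=mx01.example.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=mx01.example.net
   i:/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=mx01.example.net
---
Server certificate
subject=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=mx01.example.net
issuer=/C=US/ST=NY/L=NY/O=XXX/OU=XXX/CN=mx01.example.net
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
220 mx01.example.net ESMTP
"""

# Constructed sample of a CA-issued certificate sent with its intermediate.
CA_SIGNED_OUTPUT = """\
CONNECTED(00000003)
depth=2 C = US, O = Example Root CA
verify return:1
depth=1 C = US, O = Example Intermediate CA
verify return:1
depth=0 CN = mx01.example.net
verify return:1
---
Certificate chain
 0 s:CN = mx01.example.net
   i:C = US, O = Example Intermediate CA
 1 s:C = US, O = Example Intermediate CA
   i:C = US, O = Example Root CA
---
Server certificate
subject=CN = mx01.example.net
issuer=C = US, O = Example Intermediate CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---
220 mx01.example.net ESMTP
"""


def audit_s_client(output):
    """Extract the facts from s_client output that decide whether a remote
    peer verifying this server would trust it, and list any findings."""
    def grab(pattern, default=None):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else default

    info = {
        "subject": grab(r"^subject=(.*)$"),
        "issuer": grab(r"^issuer=(.*)$"),
        "key_bits": int(grab(r"^Server public key is (\d+) bit$", "0")),
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)$"),
        "verify_code": int(grab(r"^\s*Verify return code: (\d+)", "-1")),
        # one " N s:" line per certificate the server sent
        "chain_length": len(re.findall(r"^\s*\d+ s:", output, re.MULTILINE)),
    }
    findings = []
    if info["verify_code"] != 0:
        findings.append(f"chain does not verify (code {info['verify_code']})")
    if info["subject"] == info["issuer"]:
        findings.append("self-signed certificate: subject equals issuer")
    elif info["chain_length"] < 2:
        findings.append("server sent no intermediate certificates")
    if info["key_bits"] and info["key_bits"] < 2048:
        findings.append(f"weak {info['key_bits']}-bit server key")
    if info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol {info['protocol']} negotiated")
    info["findings"] = findings
    return info


if __name__ == "__main__":
    for name, out in (("self-signed", SELF_SIGNED_OUTPUT), ("CA-signed", CA_SIGNED_OUTPUT)):
        print(name, audit_s_client(out)["findings"])
```

Run s_client with -CAfile pointing at the CA bundle the remote side would use; "Verify return code: 0 (ok)" is what a verifying peer needs to see. A self-signed certificate, as in the run above, still gives opportunistic encryption under smtpd_tls_security_level = may, but it authenticates nothing, which is exactly what the two verify errors are reporting.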

Re: Header Time

2009-06-26 Thread Linux Addict
On Thu, Jun 25, 2009 at 10:18 PM, Linux Addict linuxaddi...@gmail.com wrote:



 On Thu, Jun 25, 2009 at 5:11 PM, Blake Hudson bl...@ispn.net wrote:


  Original Message  
 Subject: Re: Header Time
 From: Linux Addict linuxaddi...@gmail.com


 I don't think this is something to do with Outlook as I tested with Yahoo
 and Gmail as well. I see the same pattern.
 Looks to me like the message leaves postfix with an updated time stamp. Is there any
 verbose mode that can be enabled in postfix to see what it's doing, to check the time change
 process?


  The only problem I see is that your appliance sends the date as Date:
 Wed, 24 Jun 2009 17:11:41 when it should send as Date: Wed, 24 Jun 2009
 17:11:41 -0400. Since no time zone is provided, most mail clients likely
 interpret this as UTC time and display accordingly. If your device sends
 email for the correct time zone, set the clock as UTC on the device.

 -Blake



 A RHEL host (mailx) was able to send correctly, but I didn't compare the headers
 of both. I will do it next morning and will confirm.



Thank you everyone, I am all set. The appliance can set the time, but has no option
to set up the timezone.


Header Time

2009-06-25 Thread Linux Addict
Hi, I am sure someone can clarify it for me.
A device uses a postfix relay to send mails out. When I receive them in
Outlook, they are 4 hrs behind. When I looked at the header, postfix seems
to be doing -0400 (EDT).

by postfixmta.domain.net (Postfix) with SMTP id 62B1257AB5
for myu...@mydomain.net; Thu, 25 Jun 2009 12:16:12 -0400 (EDT)

But when I looked at /var/log/messages, it shows the right time there.

Did I configure anything wrong, or how do I fix this?

Thank you very much!!


~LA


Re: Header Time

2009-06-25 Thread Linux Addict
On Thu, Jun 25, 2009 at 1:41 PM, ghe g...@slsware.com wrote:

 On 6/25/09 9:50 AM, Linux Addict wrote:

  A device uses a postfix relay to send mails out. When I receive them in
 Outlook, they are 4 hrs behind. When I looked at the header, postfix seems
 to be doing -0400 (EDT).


 Hmmm. 4 hours. Are you using greylisting?

 --
 Glenn English
 g...@slsware.com


We are, but these aren't even going out. There is a transport map which
directs it to internal Exchange servers.

I am curious where it's getting the -0400 (EDT) from.


Re: Header Time

2009-06-25 Thread Linux Addict
On Thu, Jun 25, 2009 at 2:22 PM, Sahil Tandon sa...@tandon.net wrote:

 On Jun 25, 2009, at 2:06 PM, Linux Addict linuxaddi...@gmail.com wrote:


 On Thu, Jun 25, 2009 at 1:41 PM, ghe g...@slsware.com wrote:

 On 6/25/09 9:50 AM, Linux Addict wrote:

  A device uses a postfix relay to send mails out. When I receive them in
 Outlook, they are 4 hrs behind. When I looked at the header, postfix
 seems
 to be doing -0400 (EDT).


 Hmmm. 4 hours. Are you using greylisting?

 --
 Glenn English
  g...@slsware.com


 We are, but these aren't even going out. There is a transport map which
 directs it to internal Exchange servers.

 I am curious where it's getting the -0400 (EDT) from.


 No Outlook help here but what exactly is the Postfix problem?  Or is the
 GMT - EDT terminology confusing you?  EDT = Eastern Daylight Time = GMT -
 4:00.




Not looking for any Outlook help. See below for the complete header. The BOLD text is
where the message enters postfix and the time seems adjusted.

On my mail client, the sent time is showing as Wed 6/24/2009 *1:12 PM*
instead of *5:12 PM*, i.e. -4 hours.
I believe that was caused by the -0400 (EDT) modified by postfix.


Microsoft Mail Internet Headers Version 2.0
Received: from NYCEX20.MYDOMAIN.NET ([XX.XX.XX.XX]) by
NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959);
 Wed, 24 Jun 2009 17:13:42 -0400
Received: from POSTFIXMTA.MYDOMAIN.NET ([XX.XX.XX.XX]) by
NYCEX20.MYDOMAIN.NET with Microsoft SMTPSVC(6.0.3790.3959);
 Wed, 24 Jun 2009 17:13:42 -0400
Received: from LCM (unknown [XX.XX.XX.XX])
by POSTFIXMTA.MYDOMAIN.NET (Postfix) with SMTP id A21103A006F
for backups-al...@mydomain.net; *Wed, 24 Jun 2009 17:13:39 -0400 (EDT)*
From: bac...@mydomain.net
To: backups-al...@mydomain.net
Subject: T120 Test Mail
Date: *Wed, 24 Jun 2009 17:11:41*
Message-Id: 20090624211340.a21103a0...@postfix.mydomain.net
Return-Path: bac...@mydomain.net
X-OriginalArrivalTime: 24 Jun 2009 21:13:42.0727 (UTC)
FILETIME=[A7067570:01C9F510]


Re: Header Time

2009-06-25 Thread Linux Addict
On Thu, Jun 25, 2009 at 4:17 PM, ghe g...@slsware.com wrote:

 I can't say much because I know next to nothing about Outlook and friends,
 but MS keeps time in local time (I hear), and *nix goes on GMT, and there's
 a 4 hour time correction for your local time, and you're seeing a 4 hour
 time change in your headers in mail being passed between *nix and MS. Betcha
 it's in there somewhere...


 --
 Glenn English
 g...@slsware.com


I don't think this is something to do with Outlook as I tested with Yahoo and
Gmail as well. I see the same pattern.
Looks to me like the message leaves postfix with an updated time stamp. Is there any
verbose mode that can be enabled in postfix to see what it's doing, to check the time change
process?


Re: Header Time

2009-06-25 Thread Linux Addict
On Thu, Jun 25, 2009 at 5:11 PM, Blake Hudson bl...@ispn.net wrote:


  Original Message  
 Subject: Re: Header Time
 From: Linux Addict linuxaddi...@gmail.com


 I don't think this is something to do with Outlook as I tested with Yahoo
 and Gmail as well. I see the same pattern.
 Looks to me like the message leaves postfix with an updated time stamp. Is there any
 verbose mode that can be enabled in postfix to see what it's doing, to check the time change
 process?


  The only problem I see is that your appliance sends the date as Date:
 Wed, 24 Jun 2009 17:11:41 when it should send as Date: Wed, 24 Jun 2009
 17:11:41 -0400. Since no time zone is provided, most mail clients likely
 interpret this as UTC time and display accordingly. If your device sends
 email for the correct time zone, set the clock as UTC on the device.

 -Blake



A RHEL host (mailx) was able to send correctly, but I didn't compare the headers
of both. I will do it next morning and will confirm.

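Blake's diagnosis above (a Date: header with no zone gets read as UTC) can be checked directly. The following is an added example, not code from this thread, using Python's email.utils on sample header values modelled on the ones quoted in this thread. It shows what a client displays for each form of the Date: header and how far the Postfix Received: stamp sits from the Date: header, which is the symptom that gives a zone-less device away in a log review.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample values, modelled on the headers quoted in this thread.
APPLIANCE_DATE = "Wed, 24 Jun 2009 17:11:41"             # zone missing: not valid RFC 5322
CORRECT_DATE = "Wed, 24 Jun 2009 17:11:41 -0400"         # what the device should have sent
POSTFIX_STAMP = "Wed, 24 Jun 2009 17:13:39 -0400 (EDT)"  # the stamp Postfix put in Received:

EDT = timezone(timedelta(hours=-4))


def parse_date(value):
    """Parse a Date:/Received: timestamp. Returns (datetime, has_zone).
    email.utils hands back a naive datetime when the zone is missing or -0000."""
    dt = parsedate_to_datetime(value)
    return dt, dt.tzinfo is not None


def display_time(value, viewer_tz):
    """The wall-clock time a client shows for this header in viewer_tz,
    assuming UTC for a zone-less date (the usual client behaviour)."""
    dt, has_zone = parse_date(value)
    if not has_zone:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(viewer_tz)


def delivery_skew(date_value, received_value):
    """Distance between the Received: stamp and the Date: header (UTC assumed
    if the Date: has no zone). Whole hours of skew point at a zone-less Date:."""
    return (display_time(received_value, timezone.utc)
            - display_time(date_value, timezone.utc))


def check_date_header(value):
    """Findings a mail admin would flag on a Date: header."""
    try:
        _, has_zone = parse_date(value)
    except (ValueError, TypeError):
        return ["Date header is unparseable"]
    if not has_zone:
        return ["Date header carries no zone (RFC 5322 requires one); "
                "clients will guess, usually UTC, and show the wrong local time"]
    return []


if __name__ == "__main__":
    for hdr in (APPLIANCE_DATE, CORRECT_DATE):
        print(hdr, "->", display_time(hdr, EDT).strftime("%I:%M %p"),
              "skew", delivery_skew(hdr, POSTFIX_STAMP), check_date_header(hdr))
```

With the appliance's header the client shows 1:11 PM in EDT and the Received: stamp is four hours and two minutes later than the Date:; with the zone appended, the client shows 5:11 PM and the skew collapses to the two minutes the message actually took. Postfix did not change anything here; it stamped its own correct local time.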

smtpd_recipient_restrictions Check

2009-03-10 Thread Linux Addict
Dear Group, I am modifying my recipient restrictions to those displayed below. I
referred to many documents to compile the options. I want you experts to
verify it for me once.

smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_invalid_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit

Thank you
~LA


Re: smtpd_recipient_restrictions Check

2009-03-10 Thread Linux Addict
On Tue, Mar 10, 2009 at 12:24 PM, Victor Duchovni 
victor.ducho...@morganstanley.com wrote:

 On Tue, Mar 10, 2009 at 12:17:29PM -0400, Matt Hayes wrote:

  Linux Addict wrote:
   Dear Group, I am modifying my recipient restrictions to displayed
 below.
   I referred many documents to compile the options. I want you experts to
   once verify it for me.
  
   smtpd_recipient_restrictions =
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   reject_unlisted_recipient,
   reject_invalid_hostname,
   reject_invalid_helo_hostname
   reject_non_fqdn_helo_hostname
   reject_unauth_pipelining,
   reject_unknown_reverse_client_hostname
   reject_rbl_client zen.spamhaus.org http://zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net http://bl.spamcop.net,
   permit
  
   Thank you
   ~LA
 
 
  I would suggest moving permit_sasl_authenticated to the top of that
  list.  Either that or using the submission service for SASL
  authenticated users

 There is not much point in accepting invalid sender and recipient addresses
 from MUAs. The restriction is fine where it is.

 --
Viktor.



The reason I moved it below is that there seem to be some rogue hosts/users (mostly
things like Refer a Link) misusing the priority and injecting spam.


Re: smtpd_recipient_restrictions Check

2009-03-10 Thread Linux Addict
On Tue, Mar 10, 2009 at 12:22 PM, Victor Duchovni 
victor.ducho...@morganstanley.com wrote:

 On Tue, Mar 10, 2009 at 11:59:22AM -0400, Linux Addict wrote:

  Dear Group, I am modifying my recipient restrictions to displayed below.
 I
  referred many documents to compile the options. I want you experts to
 once
  verify it for me.
 
  smtpd_recipient_restrictions =
   reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,

 This mostly for hosts that handle submission from MUAs. Often best to
 move submission to port 587 and apply only there. You'll reject bogus
 domains from untrusted senders anyway.

  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_unlisted_recipient,
  reject_invalid_hostname,
  reject_invalid_helo_hostname

 The two above are the same.

  reject_non_fqdn_helo_hostname

 Why so much emphasis on HELO names, they are not a very effective
 spam sign.

  reject_unauth_pipelining,

 Currently best in smtpd_data_restrictions, where it is effective after
 EHLO, as during RCPT TO, additional RCPT TO commands or the DATA
 command can be legitimately PIPELINED in the same packet.

  reject_unknown_reverse_client_hostname
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  permit

 Fairly sensible overall.


Is it better to place rbl rejections under smtpd_client_restrictions?





 --
Viktor.



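To see why the order of the list above matters, here is an added example (not part of the thread, and a simplified model of Postfix rather than its code) of how an smtpd restriction list is evaluated: each restriction answers OK, REJECT or DUNNO, the first OK or REJECT decides, and running off the end is an implicit permit. Networks, domains and DNSBL answers are constructed stand-ins for $mynetworks, $mydestination, DNS and the zen.spamhaus.org query; the HELO and pipelining checks Viktor commented on are left out of the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site data (not real networks, DNS or DNSBL results): stands in
# for $mynetworks, $mydestination, the resolver and the DNSBL answers.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"mydomain.net"}
RELAY_DOMAINS = set()
RESOLVABLE_DOMAINS = {"mydomain.net", "example.org", "gmail.com"}   # have MX or A records
DNSBL_LISTINGS = {"zen.spamhaus.org": {"203.0.113.7"}}             # listed client IPs


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    sender: str
    recipient: str


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_fqdn(domain):
    return "." in domain and not domain.endswith(".")


# Each restriction returns OK, REJECT or DUNNO ("no opinion, ask the next one").
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s):
    return "OK" if s.sasl_authenticated else "DUNNO"

def reject_unauth_destination(s):
    dom = domain_of(s.recipient)
    return "DUNNO" if dom in MYDESTINATION or dom in RELAY_DOMAINS else "REJECT"

def reject_non_fqdn_sender(s):
    return "DUNNO" if is_fqdn(domain_of(s.sender)) else "REJECT"

def reject_non_fqdn_recipient(s):
    return "DUNNO" if is_fqdn(domain_of(s.recipient)) else "REJECT"

def reject_unknown_sender_domain(s):
    return "DUNNO" if domain_of(s.sender) in RESOLVABLE_DOMAINS else "REJECT"

def reject_unknown_recipient_domain(s):
    return "DUNNO" if domain_of(s.recipient) in RESOLVABLE_DOMAINS else "REJECT"

def reject_rbl_client(zone):
    def check(s):
        return "REJECT" if s.client_ip in DNSBL_LISTINGS.get(zone, set()) else "DUNNO"
    return check

def permit(s):
    return "OK"


def evaluate(restrictions, session):
    """Walk the list in order: the first OK or REJECT wins, DUNNO moves on.
    Reaching the end of the list without a decision is an implicit permit."""
    for name, check in restrictions:
        verdict = check(session)
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "(end of list)"


# The order posted in the thread, minus the HELO/pipelining checks.
POSTED_LIST = [
    ("reject_non_fqdn_sender", reject_non_fqdn_sender),
    ("reject_non_fqdn_recipient", reject_non_fqdn_recipient),
    ("reject_unknown_sender_domain", reject_unknown_sender_domain),
    ("reject_unknown_recipient_domain", reject_unknown_recipient_domain),
    ("permit_mynetworks", permit_mynetworks),
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("reject_unauth_destination", reject_unauth_destination),
    ("reject_rbl_client zen.spamhaus.org", reject_rbl_client("zen.spamhaus.org")),
    ("permit", permit),
]

# A list with no reject_unauth_destination: an open relay.
OPEN_RELAY = [("permit_mynetworks", permit_mynetworks), ("permit", permit)]

# Constructed sessions (TEST-NET addresses, made-up mailboxes).
RELAY_ATTEMPT = Session("198.51.100.9", False, "someone@example.org", "victim@gmail.com")
BOGUS_SENDER = Session("198.51.100.9", True, "me@bogus.invalid", "friend@gmail.com")
LISTED_CLIENT = Session("203.0.113.7", False, "someone@gmail.com", "user@mydomain.net")
INTERNAL_APP = Session("192.0.2.5", False, "app@mydomain.net", "user@gmail.com")

if __name__ == "__main__":
    for label, sess in (("relay attempt", RELAY_ATTEMPT), ("bogus sender", BOGUS_SENDER),
                        ("listed client", LISTED_CLIENT), ("internal app", INTERNAL_APP)):
        print(f"{label:14} posted list: {evaluate(POSTED_LIST, sess)}")
    print(f"{'relay attempt':14} open relay:  {evaluate(OPEN_RELAY, RELAY_ATTEMPT)}")
```

The relay attempt is stopped by reject_unauth_destination only because it comes after the two permits and before the final permit; drop it and the same session is accepted. The bogus-domain session is rejected even though it is SASL-authenticated, which is the effect Viktor defends: the sender checks sitting above permit_sasl_authenticated apply to your own MUAs too.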

Re: rbl clients.

2009-02-16 Thread Linux Addict
Thank you everyone!! Lots of information.
On Fri, Feb 13, 2009 at 4:44 PM, Res r...@ausics.net wrote:

 On Thu, 12 Feb 2009, Linux Addict wrote:

  reject_rbl_client blackholes.easynet.nl,reject_rbl_client
 cbl.abuseat.org,reject_rbl_client proxies.blackholes.wirehub.net,
 reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org,
 reject_rbl_client dnsbl.njabl.org,reject_rbl_client list.dsbl.org,
 reject_rbl_client multihop.dsbl.org,permit


 As others have mentioned, some of these have been dead for a long time, and
 with others, you are doing twice the work, since some RBLs interact with
 each other.

 We find the following work great. Some recommend using spamhaus first; on
 my private mail server I use it last, to keep under their 'hits per day'.
 I don't use spamhaus on employers because of the 'hits per day', and I can't
 justify the rates they want. I find even at home I only get one or two hits
 in a blue moon from spamhaus because SORBS and spamcop end up stopping
 pretty much all of it.

 Privately I use:
 reject_rbl_client dnsbl.njabl.org
 reject_rbl_client dnsbl.sorbs.net
 reject_rbl_client bl.spamcop.net
 reject_rbl_client b.barracudacentral.org (you need to register, but it's
 free)
 reject_rbl_client zen.spamhaus.org

 commercially we use:
 reject_rbl_client dnsbl.sorbs.net
 reject_rbl_client bl.spamcop.net
 reject_rbl_client b.barracudacentral.org

 and along with things like

reject_unknown_client_hostname
reject_unknown_helo_hostname
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient

 we also use sendmail's milter-regex; with all these combined, it's rare that
 spam gets through to MailScanner to deal with.

 (milter regex rules used: http://kb.ausics.net/sendmail/milter-regex.conf)

 --
 Res

 All we need, is just a little patience  -- William Bruce (Axl) Rose



Re: Bounces.

2009-01-27 Thread Linux Addict

Magnus Bäck wrote:

On Monday, January 26, 2009 at 23:39 CET,
 Linux Addict linuxaddi...@gmail.com wrote:

  

I am seeing multiple messages in the Postfix maillog. The mx server can't
reach the host in question and it's timing out. We monitor the mailq
size and because of 100 of messages like this, we are bombarded with
pages.  What is the best practice to handle these messages? Any help
or link to documentation is greatly appreciated.

A414CD52788 3706 Fri Jan 23 02:36:41  bounce.7d54cafd@example.net
 (connect to a34-mta03.direcpc.com[66.82.4.104]:25: Connection 
timed out)

movieaho...@direcway.com



Where do these messages come from? Check the logs and inspect the
messages with postcat(1). Are any of these domains hosted by you?
If not, why are they being relayed in the first place?

100 deferred messages in the queue is nothing.

  
Typo. It's 100s of messages; currently it's more than 1600.  We are 
sending these from one of our internal applications. What I would like to 
do is, if a destination host does not have an MX record, then I would 
like to drop the message; I don't want to bounce it.


Re: Bounces.

2009-01-27 Thread Linux Addict

Wietse Venema wrote:

Linux Addict:
  

What I would like to do is, if a destination host does not have
an MX record, then I would like to drop the message, don't want
to bounce it.



The Internet email RFCs do not require MX records. They specify
that the MTA must deliver by A records when MX records don't exist.

Wietse

  
I don't know if it's convincing to send mail to a host where no SMTP is 
running (hence no MX record), but is there any way at all in Postfix to 
check for an MX record before the qmgr accepts the mail?


I know Postfix is compliant with all RFCs, but I am just wondering whether anything 
customizable exists.


~LA



Re: Reject/Discard mails to a Receipient

2008-12-29 Thread Linux Addict

Wietse Venema wrote:

Linux Addict:
  

Sahil Tandon wrote:


Linux Addict wrote:

  
  
Hello, I have clients sending mails to a non-existent email  
address/domain, emailerm...@exchange.example.net. I want to discard any  
mail sent to this address. I looked at smtpd_recipient_restrictions, but  
can't figure out how to get this done. Please help me!!



Why not simply reject such messages?  What is the reason you want to
accept but silently discard messages to that non-existent user?  It is
your choice to do so, but please offer some rationale for the archives.

  
  
Sorry, I wasn't checking my mail for some time. I am open to rejecting 
those mails as well.


Well, the mails are sent by a legacy app which has hard-coded 
the email address. The email domain has been decommissioned recently. 
Engineering will update this email address in their next release. 
But until that time, I don't want postfix to spend energy on these mails.


So how will I reject mails to the email in question? Will transport do?



Transport rules such as:

u...@example.com  error:5.1.1 user unknown
example.com   error:5.1.2 domain unknown

will do the job.

Wietse

  

thank you!


Re: Reject/Discard mails to a Receipient

2008-12-26 Thread Linux Addict

Sahil Tandon wrote:

Linux Addict wrote:

  
Hello, I have clients sending mails to a non-existent email  
address/domain, emailerm...@exchange.example.net. I want to discard any  
mail sent to this address. I looked at smtpd_recipient_restrictions, but  
can't figure out how to get this done. Please help me!!



Why not simply reject such messages?  What is the reason you want to
accept but silently discard messages to that non-existent user?  It is
your choice to do so, but please offer some rationale for the archives.

  
Sorry, I wasn't checking my mail for some time. I am open to rejecting 
those mails as well.


Well, the mails are sent by a legacy app which has hard-coded 
the email address. The email domain has been decommissioned recently. 
Engineering will update this email address in their next release. 
But until that time, I don't want postfix to spend energy on these mails.


So how will I reject mails to the email in question? Will transport do?

Cheers
LA


Reject/Discard mails to a Receipient

2008-12-23 Thread Linux Addict
Hello, I have clients sending mails to a non-existent email 
address/domain, emailerm...@exchange.example.net. I want to discard any 
mail sent to this address. I looked at smtpd_recipient_restrictions, but 
can't figure out how to get this done. Please help me!!


~LA


Re: DKIMproxy Information.

2008-11-12 Thread Linux Addict
On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus
[EMAIL PROTECTED] wrote:

 On 11/11/2008 4:49 PM, Charles Marcus wrote:
  Common administrative practices include submission on 587 for
  trusted clients only and should not be permitted on the internet.
  This port should be firewalled outside of your network.

  Excuse me?!?!? Thats ridiculous... in fact, just the OPPOSITE is
  true.

 Well... correction...

 Port 587 is designed to provide smtp_auth services to trusted clients
 VIA an UNtrusted network (like the internet)...

 So, no WAY should it be firewalled - just limit it to sasl_auth based
 sessions - and hopefully you enforce strong password policies too...

 --

 Best regards,

 Charles



My reason for configuring domain keys is to have Yahoo not filter my mails as
spam. I don't want to go back and change more than 1000 clients' port from 25
to 587.


So is there any way we can achieve domainkeys authentication on port 25?

Thanks,
LA


Re: DKIMproxy Information.

2008-11-12 Thread Linux Addict
On Wed, Nov 12, 2008 at 12:44 PM, mouss [EMAIL PROTECTED] wrote:

 Linux Addict wrote:

 On Tue, Nov 11, 2008 at 4:53 PM, Charles Marcus
 [EMAIL PROTECTED] wrote:

  On 11/11/2008 4:49 PM, Charles Marcus wrote:

 Common administrative practices include submission on 587 for
 trusted clients only and should not be permitted on the internet.
 This port should be firewalled outside of your network.

 Excuse me?!?!? Thats ridiculous... in fact, just the OPPOSITE is
 true.

 Well... correction...

 Port 587 is designed to provide smtp_auth services to trusted clients
 VIA an UNtrusted network (like the internet)...

 So, no WAY should it be firewalled - just limit it to sasl_auth based
 sessions - and hopefully you enforce strong password policies too...

 --

 Best regards,

 Charles



  My reason for configuring domain keys is to have Yahoo not filter my mails as
 spam.


 because you think once you sign your mail they will deliver it to Inbox?


:-)  I know they may or may not. As an admin, we are trying our best.





   I don't want to go back and change more than 1000 clients' port from 25
 to 587.

  if they come from specific networks, you can use a NAT implementation to
 redirect them to port 587. otherwise, see below.


  So is there any way we can achieve domainkeys authentication on port 25?


 smtpd_client_restrictions =
check_client_access pcre:/etc/postfix/filter_outbound
permit_mynetworks
permit_sasl_authenticated
check_client_access pcre:/etc/postfix/filter_inbound

 == filter_outbound
 # pass to outbound filter
 /./ FILTER scan:[127.0.0.1]:10586

 == filter_inbound
 # pass to inbound filter
 /./ FILTER scan:[127.0.0.1]:10024

 if you wonder what that does:
 - if mail comes from mynetworks or is sasl authenticated, then it is passed
 to port 10586
 - otherwise, it is passed to port 10024






Re: DKIMproxy Information.

2008-11-11 Thread Linux Addict
On Mon, Nov 10, 2008 at 5:19 PM, Noel Jones [EMAIL PROTECTED] wrote:

 Linux Addict wrote:

 Hi, Please excuse me if it is not relevant on this forum.

 I am planning to use domain keys and dkim for our domain just to send
 mails outside.

 Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new
 DKIM?

  thank you.

 ~LA


 dkimproxy supports both DKIM and DomainKeys.
 http://dkimproxy.sourceforge.net/

 --
 Noel Jones



While I read through this, I understand that to use domain keys, the client
has to send mails through submission port 587. Does that sound right? Just
to use domainkeys, all clients have to send mails to port 587 instead of
port 25? Please clarify. Thank you

~LA


DKIMproxy Information.

2008-11-10 Thread Linux Addict
Hi, Please excuse me if it is not relevant on this forum.
I am planning to use domain keys and dkim for our domain just to send mails
outside.

Is DKIMproxy good enough to cover both older Yahoo Domainkeys and new DKIM?

thank you.

~LA


Re: Spam on deck!!

2008-11-10 Thread Linux Addict
On Sat, Nov 8, 2008 at 12:06 AM, Sahil Tandon [EMAIL PROTECTED] wrote:

 Terry Carmen [EMAIL PROTECTED] wrote:

  Sahil Tandon wrote:
  Linux Addict [EMAIL PROTECTED] wrote:
 
 
  Steven King wrote:
 
  Postfix is very cautious about system resource usage. It keeps an eye
 on
  RAM usage, disk space, and CPU usage.
 
  I battered my postfix server with 200K mails once. Just for a stress
  test. The load on the server went up sharply and was a bit sluggish
 but
  postfix chugged along through it with very little impact to other
  services running on the system.
 
  Linux Addict wrote:
 
  We have a java mailer application which was hung and queued more than
  100k mails. People are working to fix it. I am worried that all 100k
  mails may hit postfix server and cause some damage.
 
  Anyway I can prepare for it?
 
  ~LA
 
 
  Thanks! I am not just worried about the system performance, but
 possible
  blacklisting as it may send flurry of mails to external domains.
 
 
  If you're really worried, you can parse the queue for large amounts of
  messages heading to the same external domain and release the associated
  QUEUE IDs slowly.  Bit of a crude option, but one you might consider.
 
 
  I'm not sure that would be helpful. One of my IPs got throttled at Yahoo
  for sending exactly two messages that looked spammy (but actually
 weren't).
 
  The OP will probably have to take his lumps and fix it later.

 Yahoo! is especially atrocious in this regard and considers almost any
 frequent sender as spammer unless the server is whitelisted.  I only
 have anecdotal evidence to back that up, so I am sure some will
 disagree.

 The advice was disclaimed as crude for a reason. :-)  It's no panacea,
 but it should help on the margin.

 --
 Sahil Tandon [EMAIL PROTECTED]



Well... I worked with Yahoo in the past to whitelist an IP and they asked for tons
of information, but they literally think they're always right in blacklisting.

I am planning to sign domain keys and dkim. I hope yahoo doesn't block me.

thank you.
~LA

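Sahil's suggestion above, to look at which destination domains dominate the queue before a remote site throttles you, can be scripted against the postqueue -p listing in the form quoted in the Bounces thread. Below is an added example (my code, not from this thread or from Postfix) that parses a constructed listing, separates deferred from active messages, and counts deferred recipients per destination domain; addresses, hosts and queue IDs are made up.

```python
import re
from collections import Counter

# Constructed postqueue -p / mailq listing in the format quoted in the
# Bounces thread (addresses, hosts and queue IDs are invented).
QUEUE_LISTING = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A414CD52788     3706 Fri Jan 23 02:36:41  bounce.7d54cafd@example.net
(connect to a34-mta03.direcpc.example[192.0.2.4]:25: Connection timed out)
                                         user1@direcway.example

B52A1D52799     3710 Fri Jan 23 02:37:02  bounce.1a2b3c4d@example.net
(connect to a34-mta03.direcpc.example[192.0.2.4]:25: Connection timed out)
                                         user2@direcway.example

C7C1ED527A0*    2048 Fri Jan 23 02:40:11  app@example.net
                                         someone@example.org

D9F0ED527B1     5120 Fri Jan 23 02:41:55  app@example.net
(host gateway.bellsouth.example[203.0.113.9] refused to talk to me: 450 too frequent connects, please try again later.)
                                         user3@bellsouth.example

-- 14 Kbytes in 4 Requests.
"""

# Queue ID, optional status mark (* active, ! hold), size, arrival, sender.
HEADER_RE = re.compile(
    r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)$")
REASON_RE = re.compile(r"^\((.*)\)$")        # deferral reason, in parentheses
RCPT_RE = re.compile(r"^\s+(\S+@\S+)$")      # indented recipient line
STATUS = {"": "deferred", "*": "active", "!": "hold"}


def parse_queue(listing):
    """Turn a postqueue -p listing into a list of message dicts."""
    messages = []
    for line in listing.splitlines():
        m = HEADER_RE.match(line)
        if m:
            qid, mark, size, arrival, sender = m.groups()
            messages.append({"id": qid, "status": STATUS[mark], "size": int(size),
                             "arrival": arrival, "sender": sender,
                             "reason": None, "recipients": []})
            continue
        if not messages or line.startswith("--"):
            continue  # column header before the first entry, or the trailer
        m = REASON_RE.match(line)
        if m:
            messages[-1]["reason"] = m.group(1)
            continue
        m = RCPT_RE.match(line)
        if m:
            messages[-1]["recipients"].append(m.group(1).lower())
    return messages


def deferred_by_domain(messages):
    """Count deferred recipients per destination domain."""
    counts = Counter()
    for msg in messages:
        if msg["status"] != "deferred":
            continue
        for rcpt in msg["recipients"]:
            counts[rcpt.rpartition("@")[2]] += 1
    return counts


def hot_domains(messages, threshold):
    """Domains with at least `threshold` deferred recipients, busiest first:
    the candidates for a rate limit or a hold before the remote site blocks you."""
    counts = deferred_by_domain(messages)
    return [dom for dom, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    msgs = parse_queue(QUEUE_LISTING)
    print(deferred_by_domain(msgs))
    print("hot:", hot_domains(msgs, 2))
```

On a live system feed it `postqueue -p` output instead of the constructed listing; the same parse also gives you the deferral reasons, so an alert on the queue size can say which remote host is timing out rather than just that the count went up.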

Re: Spam on deck!!

2008-11-07 Thread Linux Addict

Linux Addict wrote:

Steven King wrote:

Postfix is very cautious about system resource usage. It keeps an eye on
RAM usage, disk space, and CPU usage.

I battered my postfix server with 200K mails once. Just for a stress
test. The load on the server went up sharply and was a bit sluggish but
postfix chugged along through it with very little impact to other
services running on the system.

Linux Addict wrote:
  

We have a java mailer application which was hung and queued more than
100k mails. People are working to fix it. I am worried that all 100k
mails may hit postfix server and cause some damage.

Anyway I can prepare for it?

~LA



  
Thanks! I am not just worried about the system performance, but 
possible blacklisting as it may send a flurry of mails to external domains.


~LA
I am reading the TUNING_README and it looks like anvil seems to be 
taking care of most things.


Re: Likely Spam.

2008-10-23 Thread Linux Addict
On Thu, Oct 23, 2008 at 5:15 PM, Noel Jones [EMAIL PROTECTED] wrote:

 Linux Addict wrote:



  On Tue, Oct 21, 2008 at 7:33 AM, Noel Jones [EMAIL PROTECTED] wrote:

Linux Addict wrote:


Nevermind.. I did strings on one of the messages on deferred
and got the information.


use
postcat -q QUEUEID | more
to view the contents of a queued messsage.

--Noel Jones



  I got the culprit. It was one of the internal hosts. Now how do I reject
 any mail from that particular email address? I tried with sender_access, but
 it's not working. Any ideas?

 Thanks, LA




 Use a check_client_access table to reject that host's IP.

 sample config:

 #main.cf
 smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/client_blacklist


 # /etc/postfix/client_blacklist
 192.168.1.33  REJECT your computer has a virus.

 then run:
 # postmap client_blacklist

 # postfix reload

 If you don't have a smtpd_client_restrictions section in your main.cf yet,
 the above example should work fine as is.

 --
 Noel Jones


Unfortunately that host also sends some legitimate mails. I just want to
block those two mail ids for now.

smtpd_sender_restrictions = hash:/etc/postfix/sender_access

sender_access has the following entries, but it's not working.

[EMAIL PROTECTED]   REJECT
[EMAIL PROTECTED]  REJECT


Anything wrong here?


Re: Likely Spam.

2008-10-23 Thread Linux Addict
On Thu, Oct 23, 2008 at 5:49 PM, mouss [EMAIL PROTECTED] wrote:

 Linux Addict a écrit :
   Unfortunately that host also sends some legitimate mails. I just want to
   block those two mail ids for now.

 unfortunately for you, if the host is owned, it will find other sender
 addresses...

 
  smtpd_sender_restrictions = hash:/etc/postfix/sender_access
 

 put the name of the check explicitly:

 smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access

 don't forget to postmap the hash map.

  sender_access has following entries, but not working.
 
  [EMAIL PROTECTED]   REJECT
  [EMAIL PROTECTED]  REJECT
 
 
  Anything wrong here?
 

 it's ok, but see note above (a sender address is easily forged unless
 you use reject_sender_login_mismatch).






Thank you guys!! It worked.

We have escalated to the DEV to fix the problem. Actually, spammers are
exploiting the Email a Friend option on our webpage, inserting a spam note, but
there are also legitimate referrals. It's a bit of politics as well, as DEV is
downplaying the issue.

Thank you again.

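mouss's point above is about naming the check and running postmap; the other half of debugging an access map is knowing which keys Postfix tries. The following is an added example (not from the thread; a model of the lookup order documented in access(5), not Postfix's own code) with constructed tables: an address is looked up as user@domain, then the domain, its parent domains, then user@ alone, and an IPv4 client as the full address followed by progressively shorter octet prefixes. The REJECT text is from Noel's sample above; the other entries are made up.

```python
import ipaddress

# Constructed access(5) tables. On disk these would be text files compiled
# with postmap; the dict stands in for the resulting hash: map.
CLIENT_ACCESS = {
    "192.168.1.33": "REJECT your computer has a virus.",
    "10.0.0": "OK",                      # matches all of 10.0.0.0/24 by octet stripping
}
SENDER_ACCESS = {
    "refer-a-link@mydomain.net": "REJECT",
    "marketing@": "DISCARD",             # any domain: matched by the user@ form
    "example.com": "REJECT",             # the domain and, by default, its subdomains
}


def email_lookup_keys(address):
    """Keys Postfix tries, in order, for an address in an access map:
    user@domain, the domain, each parent domain, then user@ alone.
    Parent domains match because parent_domain_matches_subdomains includes
    smtpd_access_maps by default."""
    local, _, domain = address.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}"]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{local}@")
    return keys


def ipv4_lookup_keys(ip):
    """Keys for an IPv4 client: the address, then the networks obtained by
    stripping least-significant octets (IPv6 follows different rules)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def lookup(table, keys):
    """The first key with an entry wins; (None, None) means the map has no
    opinion and the next restriction in the list is consulted."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    for addr in ("refer-a-link@mydomain.net", "Joe@Sub.Example.com", "marketing@partner.org"):
        print(addr, "->", lookup(SENDER_ACCESS, email_lookup_keys(addr)))
    for ip in ("192.168.1.33", "10.0.0.77", "198.51.100.1"):
        print(ip, "->", lookup(CLIENT_ACCESS, ipv4_lookup_keys(ip)))
```

Two things this makes visible: a bare domain key also catches every subdomain, so a REJECT on example.com is wider than it looks, and DISCARD accepts the message and then drops it while REJECT tells the sending host; the first is the right choice only when you have decided the sender should not learn the address is blocked. Whatever you change, run postmap on the file afterwards or the hash: map will not reflect it.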

Re: Likely Spam.

2008-10-21 Thread Linux Addict
On Tue, Oct 21, 2008 at 3:29 AM, mouss [EMAIL PROTECTED] wrote:

 Linux Addict a écrit :

  [snip]
  local_recipient_maps = proxy:unix:passwd.byname $virtual_alias_maps
  $alias_maps

 remove $virtual_alias_maps from local_recipient_maps.

  [snip]
  mynetworks_style = class

 remove mynetworks_style (mynetworks is enough).

  [snip] relay_domains = $mydestination

 set
 relay_domains =

 The $mydestination setting is for compatibility reasons, and given your
 mydestination setting, you don't need it (you don't want mail to
 [EMAIL PROTECTED]).

  [snip]
  smtpd_recipient_restrictions = permit_mynetworks,
   permit_sasl_authenticated,reject_unauth_destination,
   reject_invalid_hostname,reject_unauth_pipelining,

 reject_unauth_pipelining is useless here.

   reject_non_fqdn_sender,reject_unknown_sender_domain,
   reject_non_fqdn_recipient,reject_unknown_recipient_domain,

 reject_unknown_recipient_domain is useless here. it only checks your own
 domains.

   reject_rbl_client blackholes.easynet.nl,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client proxies.blackholes.wirehub.net,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client sbl.spamhaus.org,
 reject_rbl_client dnsbl.njabl.org,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client multihop.dsbl.org,
 permit


 you should check that the DNSBLs you use are active. You can start with
http://spamlinks.net/filter-dnsbl-dead.htm
 In particular, blackholes.easynet.nl and *.dsbl.org are gone.

 and I don't think blackholes.wirehub.net does anything (it once (2003)
 became blackholes.easynet.nl, which is dead now).

 and instead of using cbl and sbl, use xbl-sbl.spamhaus.org. Or better
 yet, use zen.spamhaus.org.

  [snip]


 Regarding your problem, do what Noel said. check how the message entered
 your system by finding all message



Could someone please point me in the direction of documents for tracking a Queue
ID?


Re: Likely Spam.

2008-10-20 Thread Linux Addict
On Mon, Oct 20, 2008 at 6:33 PM, Neil [EMAIL PROTECTED] wrote:

 On 20 Oct 2008, at 18:24, Linux Addict wrote:

 Hi, it looks like our MX servers are being hit hard by a specific email address
 which is sending frequent mails trying to use our relay; effectively, many
 mail servers seem to be blacklisting.

 Oct 20 18:20:05 mx01 postfix/qmgr[6512]: DBB784BE68E: from=
 [EMAIL PROTECTED], size=3309, nrcpt=1 (queue active)
 Oct 20 18:20:05 mx0  postfix/error[9345]: DA960E73E11: to=
 [EMAIL PROTECTED], relay=none, delay=77080,
 delays=76950/130/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily
 suspended: connect to exchange.net Connection timed out)

 Please help me stop this. Thank you!

 ~LA


 Unless I'm mistaken (and I'm not the most knowledgeable person on this
 list), I think your server thinks it's okay to accept mail for the domain 
 exchange.net (and I'm assuming exchange.net isn't yours).  So to fix
 this, you need to tell postfix only to accept mail for your domains.  I
 think you should check my_destination, relay_domains, etc.

 Post the output of postconf -n.

 -N.



Thanks for your reply.


mydestination = $myhostname
relay_domains = $mydestination

Actually it's not just exchange.net; most of the mails are being sent to
bellsouth.net.

Oct 20 18:37:27 mx01 postfix/qmgr[6597]: 5CE74D08FE1: from=
[EMAIL PROTECTED], size=3237, nrcpt=1 (queue active)
Oct 20 18:37:27 mx01 postfix/error[6838]: 57AD01031088: to=
[EMAIL PROTECTED], relay=none, delay=14928, delays=14928/0.05/0/0,
dsn=4.0.0, status=deferred (delivery temporarily suspended: host
gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 450 too
frequent connects from 63.240.86.13, please try again later.)


Thanks
LA