Outbound rate throttling

2008-08-12 Thread MacShane, Tracy
I realise this has been covered before, but I'm having a problem with
getting outbound mail to a destination domain. The ISP in question has
an interesting policy of refusing messages sent to a single email
address in excess of 30/min. Their servers also go on and offline at
random intervals, due to telecoms issues. We have an application that
sends messages to a single recipient on the destination domain, usually
in excess of 200 a day. If a server has gone offline for a while,
naturally we have a backlog of mail waiting to deliver when the server
is up again, and we quickly exceed the 30/min limit.
 
I've upgraded a server to Postfix 2.5.2 (from 2.2) and tried
implementing a slow transport for this purpose:
 
master.cf
---
# transport for touchy domains
slow      unix  -       -       n       -       1       smtp

main.cf
-
slow_destination_concurrency_limit = 1
slow_destination_rate_delay = 2

transport
---
solomon.com.sb  slow:
 
However, at the next retry interval, the entire queue is trying to empty
itself concurrently:
 
Aug 13 15:59:14 smtptest postfix/error[4456]: 4569E15E00F9:
to=<[EMAIL PROTECTED]>, relay=none, delay=3283,
delays=3282/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery
temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25:
Connection refused)
Aug 13 15:59:14 smtptest postfix/error[4468]: F40FE15E00BD:
to=<[EMAIL PROTECTED]>, relay=none, delay=4906,
delays=4906/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery
temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25:
Connection refused)
Aug 13 15:59:14 smtptest postfix/error[4476]: 6023715E009D:
to=<[EMAIL PROTECTED]>, relay=none, delay=4905,
delays=4905/0.08/0/0, dsn=4.4.1, status=deferred (delivery temporarily
suspended: connect to mx.telekom.net.sb[202.1.161.20]:25: Connection
refused)
Aug 13 15:59:14 smtptest postfix/error[4460]: 4061815E00C0:
to=<[EMAIL PROTECTED]>, relay=none, delay=4906,
delays=4905/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery
temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25:
Connection refused)
[... 75 messages in the queue]

I expect the messages to try filtering themselves out at a rate of one
every two seconds to this destination, not all of them in the same
second. Could someone please clarify what I've omitted or misunderstood
here?
 
Thanks.


RE: Outbound rate throttling

2008-08-13 Thread MacShane, Tracy

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Noel Jones
> Sent: Wednesday, 13 August 2008 10:53 PM
> To: MacShane, Tracy
> Cc: postfix-users@postfix.org
> Subject: Re: Outbound rate throttling
> 
>
> >  
> > I've upgraded a server to Postfix 2.5.2 (from 2.2) and tried 
> > implementing a slow transport for this purpose:
> >  
> > master.cf
> > ---
> > # transport for touchy domains
> > slow      unix  -       -       n       -       1       smtp
> 
> You can add
>-o syslog_name=postfix-slow
> to the above to differentiate it in the logs so you know it's 
> being used.

Great, that's showing up beautifully now. 

> > 15:59:14 smtptest postfix/error[4460]: 4061815E00C0:
> > to=<[EMAIL PROTECTED]>,
> > relay=none, delay=4906, delays=4905/0.08/0/0.01, dsn=4.4.1, 
> > status=deferred (delivery temporarily suspended: connect to
> > mx.telekom.net.sb[202.1.161.20]:25: Connection refused) [
> 
> These are not delivery attempts.  Delivery attempts are 
> logged by postfix/smtp.
> These are all from the error: service notifying you that the 
> destination has been throttled because of multiple previous 
> "connection refused" error.

Ahah! Clear as day, once you see the difference between postfix/smtp and
postfix/error. It looks like it's working perfectly, then - postfix-slow
is trying a connection every few minutes at present, and the rest are
the errors/backoffs.

So it should be fine, once they start accepting my mail again. 
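
An added example, not part of the thread above: a small Python script that does by hand what Noel's reply points out, separating error(8) deferral notices (no connection is ever made) from real smtp(8) delivery attempts logged under the slow transport's syslog_name, and counting attempts per minute against the ISP's 30/min limit. The log lines are constructed for the example, modelled on the formats quoted in the thread with a made-up recipient app@solomon.com.sb; the function names are mine, not anything in Postfix.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post), modelled on the
# two formats seen in this thread: the error(8) service announcing that a
# throttled destination was skipped, and an smtp(8) transport started with
# "-o syslog_name=postfix-slow" making real connection attempts.
SAMPLE_LOG = """\
Aug 13 15:59:14 smtptest postfix/error[4456]: 4569E15E00F9: to=<app@solomon.com.sb>, relay=none, delay=3283, delays=3282/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25: Connection refused)
Aug 13 15:59:14 smtptest postfix/error[4468]: F40FE15E00BD: to=<app@solomon.com.sb>, relay=none, delay=4906, delays=4906/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25: Connection refused)
Aug 13 16:04:10 smtptest postfix-slow/smtp[4501]: 6023715E009D: to=<app@solomon.com.sb>, relay=none, delay=5201, delays=5200/0.1/0.5/0, dsn=4.4.1, status=deferred (connect to mx.telekom.net.sb[202.1.161.20]:25: Connection refused)
Aug 13 16:09:12 smtptest postfix-slow/smtp[4510]: 4061815E00C0: to=<app@solomon.com.sb>, relay=mx.telekom.net.sb[202.1.161.20]:25, delay=5503, delays=5500/0.2/1.1/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Aug 13 16:09:14 smtptest postfix-slow/smtp[4510]: 4569E15E00F9: to=<app@solomon.com.sb>, relay=mx.telekom.net.sb[202.1.161.20]:25, delay=3883, delays=3880/0.2/1.0/1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[\w.-]+/[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one per-recipient delivery log line; return None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    relay = re.search(r"relay=(\S+?),", rec["rest"])
    status = re.search(r"status=(\w+)", rec["rest"])
    rec["relay"] = relay.group(1) if relay else None
    rec["status"] = status.group(1) if status else None
    # Only smtp(8) lines are delivery attempts. The error(8) service never
    # opens a connection; it just defers mail for a destination that the
    # queue manager has suspended after repeated "Connection refused".
    rec["is_attempt"] = rec["program"].endswith("/smtp")
    return rec


def summarize(log_text):
    """Count lines per syslog program, real attempts per minute, and outcomes."""
    per_program = Counter()
    attempts_per_minute = Counter()
    outcomes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_program[rec["program"]] += 1
        if rec["is_attempt"]:
            attempts_per_minute[rec["ts"][:-3]] += 1  # drop the seconds
            outcomes[rec["status"]] += 1
    return {
        "per_program": dict(per_program),
        "attempts_per_minute": dict(attempts_per_minute),
        "outcomes": dict(outcomes),
    }


def over_limit(summary, limit=30):
    """Minutes in which real attempts to the destination exceeded the ISP's limit."""
    return sorted(m for m, n in summary["attempts_per_minute"].items() if n > limit)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for program, n in sorted(s["per_program"].items()):
        print(f"{program:20s} {n}")
    print("attempts per minute:", s["attempts_per_minute"])
    print("minutes over 30/min:", over_limit(s))
```

Run it against a real maillog with `summarize(open("/var/log/maillog").read())`; if the slow transport is working, the postfix-slow/smtp lines are the only ones that ever show a relay other than "none", and no minute should exceed the limit.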


RE: [SPAM?] Re: First Time Configuration assistance

2008-09-07 Thread MacShane, Tracy
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
> Sent: Friday, 5 September 2008 11:56 PM
> To: postfix-users@postfix.org
> Subject: RE: [SPAM?] Re: First Time Configuration assistance
> 
> With an ever changing list of over 600 e-mail addresses, 
> manually maintaining relay_recepient_maps doesn't strike me 
> as appealing, or practical.
> 
> Unsurprisingly we have an AD back-end, is there any way for 
> the two to communicate? I see this as being the only 
> practical way to check valid recipients, though let me know 
> if there is a better way.
> 
> Thanks for all the advice.
> 
> Paul Cocker
> 

And for where you are using Postfix as a "bridgehead" server and
relaying to multiple Exchange hosts, I have a solution that builds on a
script that grabs all the valid email recipients from the AD:
http://postfixnotes.wiki.zoho.com/HomePage.html. I also prefer not to be
doing constant AD lookups for mail from servers in the DMZ - it's a wee
bit better for performance to have the map files sitting on the Postfix
servers.


RE: my networks exclusions not working?

2008-09-08 Thread MacShane, Tracy
 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris St Denis
> Sent: Tuesday, 9 September 2008 10:41 AM
> To: postfix-users@postfix.org
> Subject: my networks exclusions not working?
> 
> I have the following mynetworks defined
> 
> Dispite having "69.31.160.0/20" defined and "!69.31.174.220" 
> defined, I can still relay mail from 69.31.174.220 without 
> smtp authentication. Why is this?
> 
> Does order matter or is there another problem with my syntax?
> 
> mynetworks = 69.31.160.0/20,
>  [...]
>  !69.31.174.220,

Table lookups generally return the first match encountered, and since
it's a trivial change, try putting the exclusion before the broader
inclusion to see if that makes the difference.

But I'm sure someone can give us the official word if that's not quite
right.
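
An added example, not part of the thread: a Python model of the first-match rule the reply above describes, applied to Chris's mynetworks value with the "!" entry placed after and then before the /20. The 69.31.160.0/20 and !69.31.174.220 patterns come from the post; the 127.0.0.0/8 entry stands in for the elided "[...]" and is an assumption, as are the function names. Only address and CIDR patterns are modelled; hostnames and hash:/cidr: table references are out of scope here.

```python
import ipaddress


def parse_mynetworks(value):
    """Split a mynetworks value into (negated, network) pairs, keeping order.

    Only address/CIDR patterns are handled here; hostnames and table
    references (hash:, cidr:) are outside this illustration.
    """
    patterns = []
    for item in value.replace(",", " ").split():
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        patterns.append((negated, net))
    return patterns


def in_mynetworks(client_ip, patterns):
    """Model of Postfix list matching: patterns are tried in the order given,
    the first one that contains the address decides, and a '!' pattern
    decides 'no'. An address that matches nothing is not in mynetworks."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in patterns:
        if addr in net:
            return not negated
    return False


def explain(client_ip, value):
    """Say which pattern made the decision, for reading alongside the log."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if addr in net:
            verdict = "excluded" if negated else "trusted"
            return f"{client_ip}: {verdict} by {'!' if negated else ''}{net}"
    return f"{client_ip}: no match, not trusted"


if __name__ == "__main__":
    # Order as posted: the /20 is listed first, so it wins for 69.31.174.220
    # and the later "!" entry is never consulted.
    as_posted = "69.31.160.0/20, 127.0.0.0/8, !69.31.174.220"
    # Exclusion first, as suggested in the reply.
    reordered = "!69.31.174.220, 69.31.160.0/20, 127.0.0.0/8"
    for value in (as_posted, reordered):
        print(value)
        for ip in ("69.31.174.220", "69.31.160.5", "10.0.0.1"):
            print("  ", explain(ip, value))
```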

 


FW: Proposing postfix to mgmt as an Exchange replacement

2008-09-09 Thread MacShane, Tracy
 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Adam Tauno 
> > Williams
> > Sent: Wednesday, 10 September 2008 12:13 PM
> > To: postfix-users@postfix.org
> > Subject: Re: Proposing postfix to mgmt as an Exchange replacement
> > 
> > The below isn't meant to shoot down your idea, but I'm an 
> Open Source 
> > groupware developer and am very familiar with the Exchange-vs-XYZ 
> > equation.
> > 
> > > As per the subject, I am about to pitch the idea of 
> dumping Exchange 
> > > and moving to Postfix.
> > ...
> > 
> > Is that true? "Everything we use exchange for" needs to be
> > *very* carefully researched.  
> >  
> > > I hate trying to sell this kind of thing when my impulse 
> is to wave 
> > > my arms around yelling "IT'S OBVIOUS!" :)
> > 
> > But it isn't.
> 
> I totally agree with these remarks, not least the confusion 
> between the roles that Postfix and Exchange carry out. I'd be 
> extremely surprised to find any organisation that has more 
> than 6 users on Exchange that doesn't use 
> calendaring/scheduling, just as one example. How are you 
> judging the use of that functionality organisation-wide?
> 
> Really, if you hate Exchange that much - and I actually think 
> it's fairly robust (these days) and good at doing what it 
> does (if we don't talk too much about TLS) - you need to 
> research something like Zimbra, which uses Postfix as the 
> MTA, but incorporates IMAP mailboxes and calendaring via 
> Webdav (I think).
> 
> Of course, my primary role is that of an Exchange admin, so 
> you can take my opinion FWIW.


FW: how to specify any/catch_all domain/email in HASH access map?

2008-10-07 Thread MacShane, Tracy
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, 8 October 2008 2:12 PM
> To: postfix-users@postfix.org
> Subject: how to specify any/catch_all domain/email in HASH access map?
> 
> For example in this hash I wanna OK for all domains except mail.ru and
> yandex.ru:
> hash:/etc/postfix/maps/check_sender:
>   mail.ru  REJECT
>   yandex.ru  REJECT
>    OK
> 
> So what I must write instead of ? Maybe . (single point)?
> Thanks.
> 
> 

Are you *sure* you want to explicitly pass all mail from every
other domain in the Internet other than those two - that
means all mail originating from other domains will skip the
rest of any checks you may have. 

You don't need to specify anything for all other domains if
you are just intending to block the two domains you list -
the default action for any message that's traversing the
header checks is DUNNO (which will then pass the message onto
the next header check, if you have one, or the message is
accepted for delivery).
 
 


RE: [SPAM?] Re: My first config - unable to telnet to port 25, virtual.db missing

2008-10-08 Thread MacShane, Tracy
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
> Sent: Wednesday, 8 October 2008 6:00 PM
> To: postfix-users@postfix.org
> Subject: RE: [SPAM?] Re: My first config - unable to telnet 
> to port 25, virtual.db missing
> 
> The primary passes to an internal mail server, but performs 
> recipient validation before doing so. This is why I don't 
> believe it's worth doing on the secondary because it means 
> genuine recipients will be checked with the internal server 
> twice (should they be received by the secondary, not primary MX).
> 
> Apologies if my terminology is off here. I always think of MX 
> servers as gateways, though I realise in some companies the 
> gateway server and the internal mail server will be one and the same.
> 
> From reading further into your response, perhaps I 
> misunderstanding MX records. So far as I know, if the 
> secondary MX server receives the e-mail, it shouldn't pass it 
> inside but rather should pass it to the primary MX server, 
> which should be the single point of contact with the internal 
> mail server. Is this incorrect?
> 
> Paul Cocker
> 
> 

As has been mentioned a number of times, please don't top post.

MX records do not work in the way you think. Any MX server - unless
configured to do otherwise - will relay mail directly to the recipients.
The MX priorities are so that you can direct the bulk of mail (which
should look at the lowest-numbered MX, although spammers don't care
about such niceties) to your most specced-up server or best Internet
link, or whatever, while your secondary MX might have a lesser hardware
configuration or be sitting on a smaller pipe. But they still can accept
mail (and will).

We have a primary and secondary Postfix MX on our DMZ, with the primary
sitting next to our fattest Internet pipe. Both servers will deliver
mail to the Exchange servers on the internal network; both servers do AD
lookups using a perl script to build valid relay_recipient and transport
tables every hour. We have no problem permitting a service account a
one-way lookup through the firewall to the LDAP port for the domain
controllers.

Plenty of people use MXes at the same priority level as a load-balancing
mechanism. It doesn't matter - even the primary/secondary model should
validate all mail coming through as rigorously on each server. The whole
point of the redundancy and using MX records is that if one server dies,
you don't need to do *anything* for mail services to keep running.


RE: LDAP_STRONG_AUTH_REQUIRED

2008-10-08 Thread MacShane, Tracy
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
> Sent: Thursday, 9 October 2008 12:38 AM
> To: postfix-users@postfix.org
> Subject: LDAP_STRONG_AUTH_REQUIRED
> 
> The postfix HOWTO links to
> http://www-personal.umich.edu/~malth/gaptuning/postfix/ which 
> has a script for contacting Active Directory and grabbing an 
> up to date list of e-mail addresses. Very handy.
> 
> Alas, upon attempting to use it I receive the error 
> LDAP_STRONG_AUTH_REQUIRED, due to Active Directory at our 
> site being setup to require LDAP signing. Changing the script 
> is outside my abilities, so I'm hoping someone else might 
> have followed the same process and hit this stumbling block first.
> 
> Any advice beyond reducing LDAP signing to 'Negotiate' is welcome.
> 
> Paul Cocker
> 

It might be easier to do it the other way round (exporting from the
Windows domain to Postfix) with that configuration. But I'll put some
info here in case anyone is bored one day.

Net::LDAP actually does have a SASL authentication mechanism built in. I
can't be bothered seeing how to plug it into the script, but the
connection string could be changed to something similar to what follows:

use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;

# Plain LDAP on 389, protocol version 3; the SASL bind below replaces the
# simple bind that AD refuses with LDAP_STRONG_AUTH_REQUIRED.
my $ldap = Net::LDAP->new("ldap.example.com", port => 389, version => 3)
    or die "LDAP connect failed: $@";

my $sasl = Authen::SASL->new(
    mechanism => "DIGEST-MD5",
    callback  => {
        pass => "secret",
        user => "[EMAIL PROTECTED]",
    },
);

my $res = $ldap->bind(sasl => $sasl);
die "SASL bind failed: " . $res->error if $res->code;


DIGEST-MD5 only works on 2003 and up AD domains. If you have a 2000
domain, you can try running ldapsearch to verify the auth methods:

ldapsearch -h  -s base -b "" supportedSASLMechanisms



RE: cannot find reverse hostname for ip with enormous result

2008-10-12 Thread MacShane, Tracy
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Wolfe
> Sent: Saturday, 11 October 2008 5:58 AM
> To: postfix-users@postfix.org
> Subject: cannot find reverse hostname for ip with enormous result
> 
> Hello,
> 
> We use reject_unknown_client to fail messages from hosts with no rDNS.
>  We have a situation with the host 216.163.249.229, which 
> give the following results:
> 
> 
> NOQUEUE: reject: RCPT from unknown[216.163.249.229]: 450 
> 4.7.1 Client host rejected: cannot find your reverse 
> hostname, [216.163.249.229];
> 
> There actually is reverse DNS for this address... 239 PTR records!
> using 'host' returns them all, with a warning:
> 
> ;; Truncated, retrying in TCP mode.
>  .. and then all the results
> 
> So I guess the result is so large that UDP cannot contain it, 
> and within postfix the TCP method either isn't being tried or 
> isn't working.  Is this a problem with my resolver or 
> something I can fix in postfix?  The lookup does work on this 
> machine using 'host' with the above error.
> 
> -Aaron
> 

While there may be problems with the fact that some of the PTRs are
unresolvable, I also suggest checking what might be thought of as the
obvious, namely, that your firewall is not blocking *UDP* DNS lookup. 

I had this same problem a few months back, and didn't initially think to
ask the question. It turned out that our external firewall (maintained
by a separate group) was only permitting TCP queries. The problem didn't
emerge until we tried resolving hosts with many multiple PTRs (36 for
one particular host); the 10s of thousands of other DNS queries were
working perfectly. Enabling UDP over port 53 fixed things for that one
host as if by magic.


RE: Postfix listening on 25, unable to telnet to 25 - my first config

2008-10-13 Thread MacShane, Tracy
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
> Sent: Monday, 13 October 2008 8:58 PM
> To: postfix-users@postfix.org
> Subject: Postfix listening on 25, unable to telnet to 25 - my 
> first config
> 
> Okay, so last week I posted an issue about the above with 
> lots of errors
> and it turns out I hadn't generated the relevant .db files, 
> along with a
> couple of other problems. So, I sorted all that out and fired up
> postfix, checked that the server was listening on port 25 and 
> then tried
> to telnet:
> 
> Connecting To 10.100.1.1...Could not open connection to the host, on
> port 25: Connect failed
> 
> 
> Then tried to send a test message using blat from another machine:
> 
> Blat v2.6.2 w/GSS encryption (build : Feb 25 2007 12:06:19)
> 
> unexpected error 10065 from winsock
> Error: Can't connect to server (timed out if winsock.dll error 10060)
> 
> 
> I checked /var/log/secure and found no record of the connection being
> dumped; messages contained nothing, nor did maillog tell me anything
> useful.
> 
> Oct 13 09:56:17 server postfix/postfix-script: starting the 
> Postfix mail
> system
> Oct 13 09:56:17 server postfix/master[30342]: daemon started 
> -- version
> 2.3.3, configuration /etc/postfix
> 

As well as telnetting to localhost/25, can you telnet to the FQDN
hostname from the host itself? If you're on the server "mail", what
happens if you telnet mail.example.com 25?


RE: Best anti-spam

2008-10-22 Thread MacShane, Tracy

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Stroller
> Sent: Thursday, 23 October 2008 12:53 AM
> To: Postfix
> Subject: Re: Best anti-spam
> 
> 
> On 22 Oct 2008, at 12:56, Richard Foley wrote:
> >> ...
> >> spam_ip_regex file:
> >>
> >> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear  
> >> to be
> >
> > This looks fairly useful.  Does anyone else have any experience with

> > this approach, who might be able to offer insight into whether it's 
> > valid or not?
> 
> 
> My experience is on the butt-end of such filters - they're a 
> sure fire way to annoy me if I'm sending you mail.
> 
> I run a Postfix server on my home ADSL connection and it is 
> extremely frustrating to have mail rejected because of that. 
> The common response of admins to complaints about this is 
> "you should use your ISP's mail server", but really it is 
> just nice to have a proper "receipt" for emails one has sent.
> 
> If a message appears undelivered (it may have been 
> incorrectly have been classified  as spam by the recipient's 
> filter) then, using Postfix & connecting directly, I can say 
> "the mailserver listed in your domain's MX records 
> acknowledged receipt for this message at $time on $date; 
> here's the log entry". If I use my ISP's relay then the blame 
> is uncertain.
> 
> I have to admit that I can't say I've ever had to use this 
> "proof of delivery" - perhaps if I reported a missing mail 
> (through their
> servers) to my ISP they would help track it down, but I am 
> not very optimistic. It is quite aggravating, however, to be 
> treated like a second-class citizen when I am following RFC. 
> Some major ISPs do not, and yet they get away with it just 
> because one can't simply ignore their whole huge customer base.
> 
> Stroller.
> 
> 

I implement those checks as a helo check. If you can't be bothered
having a proper DNS entry for your mail server (ie. not a dynamic
consumer one provided by your ISP), I tend to think it's a bot or at
least a mickey-mouse outfit, and I really don't have to worry too much
about accepting mail from them. However, due to the fact it seems that a
number of actual businesses can't be bothered getting proper (r)DNS for
their mail servers, I've had to relax that attitude a bit, and
fortunately I've found that virtually all can configure a proper HELO
hostname (except for the idiots who install Microsoft Small Business
Server who don't realise you should configure a different hostname to
.local). I still reject over 30% of mail from that check alone, and
with no false-positives (I had a couple right at the start).

To get around the problem that some people have pointed out with servers
having domains with strings like "/dial/" inside them, I do a few
/^mail.*/ /^smtp.*/ and so on DUNNO entries at the top of the helo
access map. Those actually don't get triggered very often.

Of course, I'm running a corporate network, not an ISP, and I feel quite
strongly that such brute-force measures should not be used by ISPs. But
I also feel that ISPs should force authentication for mail sending...
speed the day.

I also feel that the zen RBL is an excellent tool, and if I can get my
employers to pay for it, I'll be ditching the brute-force checks (at
present, using them allows us to be below the threshold for free lookups
against zen). Fail2ban is also great. I have 15 minutes on the primary
MX and 30 minutes on the secondary MX as lockout times.


OT: Email courtesy

2008-10-29 Thread MacShane, Tracy
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Vince LaMonica
> Sent: Tuesday, 28 October 2008 4:11 AM
> To: Patrick Ben Koetter
> Cc: postfix-users@postfix.org
> Subject: Re: problems authenticating
> 
> [snip]
> 
> TIA once again,
> 
> /vjl/
> 

Could you please remove the annoying header that tells me I should use
Pine instead of Outlook if "I'm worried about Outlook viruses"? I have
the courtesy not to tell you that Pine doesn't have the functionality I
(and my corporate environment) require in each and every one of my
emails, so please have the courtesy not to give unsolicited opinions by
default. Especially when they're based on misleading information (what
"Outlook" viruses? Also, many of the vulnerabilities in older versions
of Outlook have been fixed).


RE: Spam: IP not authorized

2008-10-29 Thread MacShane, Tracy
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Yarusso
> Sent: Thursday, 30 October 2008 3:03 PM
> To: Postfix users
> Subject: Spam: IP not authorized
> 
> We're having no end of trouble setting up a new server here, 
> so I'm hoping someone can explain what's going on.  
> Basically, we have a new server that of course will generate 
> messages from cron jobs, PHP mailers, and that sort of thing, 
> and we want them to be able to make it out to people.  To do 
> so we wanted to use GMail as our SMTP server to relay 
> through.  We seem to have gotten all of the TLS stuff taken 
> care of okay, but now are getting the error described on 
> http://mail.google.com/support/bin/answer.py?answer=10336.  
> It appears that this comes up on the _Receiving_ end of 
> things, with any address that belongs to Google (either 
> through standard GMail or Google Apps).
>  We've tried sending out through GMail, no-ip's alternate 
> port SMTP, and Comcast's SMTP.  Other errors occur with 
> different providers, which I suspect are from the same root reason.
> 
> My theory is that it has something to do with the 
> A/MX/PTR/SPF records for the domain.
> The domain is flamtap.com
> The IP address is currently 76.113.154.202, but is dynamic 
> (through no-ip.com) That address also goes by 
> c-76-113-154-202.hsd1.mn.comcast.net
> 
> Any ideas of what we need to do to appear legitimate and not 
> get caught by anti-spam measures?
> 
> --
> Tony Yarusso
> http://tonyyarusso.com/
> 

Please provide examples of your logs that show the errors you mention,
and the output of your postconf -n. Assuming you're a Comcast customer,
and you have everything set up to their specification, I imagine you
should be able to relay via their servers, so perhaps figuring out that
particular issue should be the priority.

Since the sender domain is "flamtap.com" and your sending server's rDNS
is "...comcast.net", I imagine that's what Gmail is objecting to.


RE: Authenticating aginst ActiveDirectory?

2008-11-13 Thread MacShane, Tracy
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ville Walveranta
> Sent: Friday, 14 November 2008 3:27 PM
> To: Postfix users
> Subject: Authenticating aginst ActiveDirectory?
> 
> There is very little on the topic on the web and on the 
> Postfix Users archives. The little I find seems to imply it's 
> very difficult to extract password information from AD (say, 
> to sync to OpenLDAP).
> 
> Since the last thread about this topic in this group is from 
> last year, I'm asking whether a solution exists at this 
> point. There is a product called PowerADvantage that would 
> seem to do the job, but the fact that they don't post their 
> prices on their website probably suggests that the cost is 
> likely in four figures which exceeds the available budget 
> (I'm checking with them anyway). The environment where I'd 
> need this solution is small, with a dozen or so AD logins, 
> and so I may just have to maintain the domain passwords 
> separately from the mail passwords. AD will be kept around to 
> facilitate resource sharing on the Windows LAN but the mail 
> is moving from Exchange 2003 to Postfix as soon as possible.
> 
> An OpenSource solution would be preferable, though on 
> Windows/AD side a utility worth few hundred dollars might 
> skirt the budget.
> 
> Many thanks again for any advice!
> 

I'm sorry, why do you need to sync passwords to relay mail to your
Exchange servers? To do relay recipient validation, you just need to do
a simple LDAP lookup to the AD to verify valid email addresses. Since
you only have a single Exchange server, you don't even need to do
anything out of the ordinary with LDAP queries to specify the
destination relay server for your recipients.

If you want AD users to logon to *nix boxes (which is nothing to do with
mail services), enable Services for Unix on the AD, and setup LDAP
authentication for the specified users in PAM.


RE: Authenticating aginst ActiveDirectory?

2008-11-13 Thread MacShane, Tracy
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ville Walveranta
> Sent: Friday, 14 November 2008 4:29 PM
> To: Postfix users
> Subject: Re: Authenticating aginst ActiveDirectory?
> 
> On Thu, Nov 13, 2008 at 10:32 PM, MacShane, Tracy 
> <[EMAIL PROTECTED]> wrote:
> > I'm sorry, why do you need to sync passwords to relay mail to your 
> > Exchange servers? 
> 
> Actually there won't be an Exchange server any more; I'm 
> replacing it with Postfix. It's a small environment and there 
> isn't a dedicated server for Exchange available; it's been 
> sharing a server with AD which is a bad idea in the first 
> place. ...

Ahah, light dawns. 

> 
> > If you want AD users to logon to *nix boxes (which is nothing to do 
> > with mail services), enable Services for Unix on the AD, and setup 
> > LDAP authentication for the specified users in PAM.
> 
> Perhaps this mechanism could be used for the mail 
> authentication as well in the above scenario. Postfix/Dovecot 
> should be able to do LDAP authentication via PAM 
> (http://www.dovecot.org/list/dovecot/2006-April/012454.html,
> http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam).
> 
> Ville
> 

Yes, I certainly haven't had any problem with Unix services when
enabling regular logons to a *nix server via AD authentication (I
haven't tried Postfix/Dovecot authentication myself, but there's plenty
of info for that, as you have found). It should certainly make your
solution a lot simpler to implement.


Body checks and warning log

2008-11-13 Thread MacShane, Tracy
I'm trying to create a very simple body check for a limited time to get
an indicative idea of how many users may be sending credit card numbers
via email. I have a simple pcre body_check map that is logging a warning
when it encounters a match. Unfortunately, the entire message line that
triggers the warning is added to the mail log, naturally with the
potential credit card number in plain text.
 
cat /etc/postfix/body_checks.pcre
/\b(?:\d[ -]*){13,16}\b/ WARN Credit card number

Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning:
body text 1243 1211 1232 1232 blah blah from
localhost.localdomain[127.0.0.1]; from=<[EMAIL PROTECTED]>
to=<test.user@domain.example.com> proto=SMTP helo=: Credit card number

Our security people are having wibbles about this logging regime, so I
was wondering if there was some way to ensure the WARN action doesn't
log the matched line (I can obviously append a truncated version of the
apparent number with the optional text), or if there might be a better
way to do this auditing task.


RE: Body checks and warning log

2008-11-16 Thread MacShane, Tracy
> 
> - Original Message 
> > From: mouss <[EMAIL PROTECTED]>
> > To: Postfix users 
> > Sent: Friday, November 14, 2008 7:58:45 AM
> > Subject: Re: Body checks and warning log
> > 
> > MacShane, Tracy wrote:
> > > I'm trying to create a very simple body check for a limited time to
> > > get an indicative idea of how many users may be sending credit card
> > > numbers via email. ...
> > > Our security people are having wibbles about this logging regime, so
> > > I was wondering if there was some way to ensure the WARN action
> > > doesn't log the matched line (I can obviously append a truncated
> > > version of the apparent number with the optional text), or if there
> > > might be a better way to do this auditing task.
> > > 
> > 
> > 
> > you can use HOLD, then have a cron job to check the message and release it.
> > 
> > Alternatively, you can use FILTER to pass the message to another smtpd. example:
> > 
> > 
> > == body_checks:
> > //FILTER filter:[127.0.0.1]:25666
> > 
> > == master.cf
> > 127.0.0.1:25666 inet  n  -  n  -  -  smtpd
> >   -o syslog_name=postwatch
> >   -o receive_override_options=no_address_mappings
> >   -o mynetworks=127.0.0.1
> >   -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
> >   ...
> > 
> > == main.cf
> > smtpd666_recipient_restrictions=
> >   check_client_access pcre:/etc/postfix/logcard
> >   permit_mynetworks
> >   reject
> > 
> > == logcard
> > /./ WARN credit card blah blah
> > 
> > 
> > note that this will override your content filter setting. if you had
> > one, then make sure it is used in the :25666 smtpd (either explicit
> > -o content_filter=... in master.cf, or a content_filter=... in main.cf
> > will do).
> > 
> > PS. if you use clamav, check its Data Loss Protection feature.
> 
> Do you have American Express cards covered and other store 
> based credit cards?  Also do you account for the expiration 
> date and 3 digit security code?
> 
> 
> 

Thanks for the great suggestions, mouss. We use Trend Micro IMSS, which
is very similar to amavisd. I'm sure we can work around it.

Daniel, I'm not too concerned about absolute accuracy at this stage,
since I just want to assess whether we need to take firmer measures. The
regexp I have should trap Amex numbers, although there may be a number
of false positives. I'll be reviewing them manually in any case. I'm not
worried about the expiration date or security code (with the latter, I
know of at least one example of a "pay-by-email" form that didn't
require that number at all) - I'm not planning to *use* the cards, heh.
Also, I believe crooks can use a credit card number to generate both an
expiry date and security code using some algorithm.
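
An added example, not from either post in this thread: a Python version of the body_checks pattern from the first post that, instead of logging the matched line, reports only a masked number (last four digits) together with a Luhn checksum so that digit runs which cannot be card numbers (invoice references, phone numbers) can be discounted when reviewing the hits. The Luhn filter goes beyond what the thread discusses; the sample message text is constructed and the function names are mine. Because a body_checks WARN always logs the matched text, this would run as a queue-side review job over HELD messages, along the lines mouss suggests, rather than inside cleanup(8).

```python
import re

# The body_checks pattern from the first post, used unchanged as a Python regex.
CARD_RE = re.compile(r"\b(?:\d[ -]*){13,16}\b")

# Constructed message text for the example; the first number is the
# well-known Visa test PAN, the second is a digit run that is not a card.
SAMPLE_BODY = (
    "Please charge 4111 1111 1111 1111 exp 12/10 for invoice "
    "1234-5678-9012-3456; call 0412345678 with questions."
)


def luhn_ok(digits):
    """Luhn mod-10 checksum: every real card number passes it, while most
    invoice, phone and serial-number digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits, which is all the log needs to carry."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cards(text):
    """Yield (digits, luhn_valid) for every run the pattern matches; the
    separators the pattern allows (space, hyphen) are stripped first."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        yield digits, luhn_ok(digits)


def audit_line(text):
    """Log-safe summary of one body line: masked number, length, Luhn result.
    Nothing returned here reveals more than the last four digits."""
    return [
        {"masked": mask(digits), "length": len(digits), "luhn": valid}
        for digits, valid in find_cards(text)
    ]


if __name__ == "__main__":
    for hit in audit_line(SAMPLE_BODY):
        print(hit)
```

Amex numbers (15 digits) fall inside the 13-16 range the pattern already covers; counting only hits with luhn=True gives a much cleaner indicative figure than the raw WARN count.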


RE: suggestions with transport and virtual

2008-11-26 Thread MacShane, Tracy
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Erick Perez
> Sent: Thursday, 27 November 2008 9:39 AM
> To: postfix-users@postfix.org
> Subject: suggestions with transport and virtual
> 
> And correctly delivers the emails to both servers. This is all good.
> However when the user (using ms outlook express) sees the 
> email, the email has "undisclosed recipients" as the To:
> 
> Here are the headers:
> 
> #Return-Path: <[EMAIL PROTECTED]>
> #Received: from postfix1.oj.gob.pa ([192.168.10.10])
> #   by sendmail1.oj.gob.pa (8.10.2/8.10.2) with ESMTP id 
> mAQKhEq28642
> #   for <[EMAIL PROTECTED]>; Wed, 26 Nov 2008 15:43:14 -0500
> #Received: from erick (localhost.localdomain [127.0.0.1])
> #   by postfix1.oj.gob.pa (Postfix) with SMTP id 3098F77003D
> #   for <[EMAIL PROTECTED]>; Wed, 26 Nov 2008 23:49:57 -0500 (EST)
> #Subject: Testing
> #Message-Id: <[EMAIL PROTECTED]>
> #Date: Wed, 26 Nov 2008 23:49:57 -0500 (EST)
> #From: [EMAIL PROTECTED]
> #To: undisclosed-recipients:;
> 
> Both for sendmail and for postfix recipients, then TO: 
> arrived "undisclosed recipients". Is this normal postfix 
> behavior? How can i "fix" this so [EMAIL PROTECTED] is 
> correctly displayed in the TO field?
> 
> BTW if you have a better way to do what i am doing, please 
> share ;)
> 
> thanks.
> 


The email _body_ doesn't have a "To:" field - while some mail software
(such as Exchange) will add the envelope recipient to the "To" field in
the email body, Postfix doesn't, and you get that "undisclosed
recipients".

The simplest solution is to ensure that the message body is formatted
with the standard "From:", "To:" and "Subject:" fields (in addition to
the message headers).
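To make the envelope/header distinction concrete, here is an added Python example (not code from the original post, and not from Postfix). It flags messages whose header block names no recipient, which is exactly the case that ends up displayed as "undisclosed-recipients:;", and shows the fix the reply describes: the application puts the envelope recipient in the To: header as well. All addresses are constructed.

```python
"""Envelope recipient versus the message's own To: header.

Added example, not code from the original post or from Postfix. Postfix
delivers to the envelope recipient (SMTP RCPT TO) and leaves the message
body alone, so a message submitted with no To:/Cc:/Bcc: header is shown by
the client as "undisclosed-recipients:;". recipient_headers_missing() flags
such a message before an application submits it; build_message() shows the
fix: the envelope recipient goes into the To: header too.
"""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

RECIPIENT_HEADERS = ("To", "Cc", "Bcc")


def recipient_headers_missing(raw_message: str) -> bool:
    """True when no To:/Cc:/Bcc: header carries a real address.

    An empty group such as "undisclosed-recipients:;" parses to zero
    addresses, so it counts as missing as well.
    """
    msg = message_from_string(raw_message, policy=default)
    for name in RECIPIENT_HEADERS:
        header = msg.get(name)
        if header is not None and header.addresses:
            return False
    return True


def build_message(envelope_sender: str, envelope_recipient: str,
                  subject: str, body: str) -> tuple:
    """Return (mail_from, rcpt_to, message_text).

    The same address is used as the envelope recipient and in the To:
    header, so the mail client displays it.
    """
    msg = EmailMessage()
    msg["From"] = envelope_sender
    msg["To"] = envelope_recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return envelope_sender, envelope_recipient, msg.as_string()


# Constructed samples modelled on the headers quoted in the post
# (constructed addresses, not the real ones).
SAMPLE_NO_TO = (
    "Subject: Testing\r\n"
    "From: app@example.org\r\n"
    "Date: Wed, 26 Nov 2008 23:49:57 -0500 (EST)\r\n"
    "\r\n"
    "body text\r\n"
)
SAMPLE_UNDISCLOSED = "To: undisclosed-recipients:;\r\n" + SAMPLE_NO_TO

if __name__ == "__main__":
    print(recipient_headers_missing(SAMPLE_NO_TO))        # True
    print(recipient_headers_missing(SAMPLE_UNDISCLOSED))  # True
    _, rcpt, text = build_message("app@example.org", "user@example.org",
                                  "Testing", "body text")
    print(recipient_headers_missing(text))                # False
```

Running the check against the output of the application that submits the mail is a quicker diagnosis than inspecting delivered messages in Outlook Express.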


RE: SuSE repository - old postfix ?

2008-12-08 Thread MacShane, Tracy
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Grüner
> Sent: Monday, 8 December 2008 7:16 PM
> To: postfix-users@postfix.org
> Subject: SuSE repository - old postfix ?
> 
> Hello,
> 
> I am installing a new server with SuSE Linux Enterprise SP2 
> and want to use the SuSE mail repository.
> 
> http://download.opensuse.org/repositories/server:/mail/SLE_10/
> x86_64/?C=M;O=D
> 
> They offer a postfix24-2.4.5-1.1.x86_64.rpm which seems to be 
> quite old from August 2007 and even unsecure (?).
> 
> http://download.opensuse.org/repositories/server:/mail/SLE_10/
> repodata/repoview/postfix24-0-2.4.5-1.1.html
> 
> Is there a better rpm source available ? (Yes, I might compile it by
> myself...) Or is this the right release for a productive environment ?
> 
> Sorry if this is slightly OT, but I have not found an answer, yet.
> 
> Regards,
> Alexander
> 
> 
> 

Open SUSE includes more recent postfix rpms (but in the "factory", not the 
repos): 
http://download.opensuse.org/factory/repo/oss/suse/x86_64/postfix-2.5.5-6.6.x86_64.rpm
http://download.opensuse.org/factory/repo/oss/suse/i586/postfix-2.5.5-6.5.i586.rpm

Obviously, there may be dependencies you need to meet. There are also SRC rpms 
available.


RE: Stopping backscatter with before-queue

2008-12-08 Thread MacShane, Tracy
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris Turan
> Sent: Tuesday, 9 December 2008 7:39 AM
> To: Terry Carmen
> Cc: postfix-users@postfix.org
> Subject: Re: Stopping backscatter with before-queue
> 
> Terry Carmen wrote:
> > To eliminate *sending* backscatter, all you need to do is not accept
> > mail you won't be able to deliver:
> 
> I am rejecting unknown recipients but the bounces are coming from 
> messages with a spamassassin score above 12.
> 
> 
> Hmmm.  I did get a suggestion about checking the headers against RBL's
> using builtin postfix content filters.  After that, it can be passed 
> onto the real scanners.
> 
> I get 10K emails per day, so its still fairly small.  Do you have a 
> before-queue scanner installed?  There are warnings all over 
> amavisd-new's documentation saying not to use it as a before queue 
> scanner and rightly so.
> 
> > Back to your actual problem, if you can post the output 
> from postconf 
> > -n, someone can probably tell you what's wrong.
> 
> [EMAIL PROTECTED] /]# postconf -n
> alias_maps = hash:/etc/aliases
> bounce_queue_lifetime = 4h
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> local_recipient_maps =
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> maximal_queue_lifetime = 1d
> message_size_limit = 20971520
> mynetworks = a.a.a.a/32, b.b.b.b/32, c.c.c.c/32, d.d.d.d/32, 
> e.e.e.e/32
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
> receive_override_options = no_address_mappings
> relay_domains = hash:/etc/postfix/relay_domains
> relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps
> sample_directory = /usr/share/doc/postfix-2.4.5/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_tls_CAfile = /etc/postfix/certs/gd_intermediate_bundle.crt
> smtpd_tls_CApath = /etc/postfix/certs
> smtpd_tls_cert_file = /etc/postfix/certs/.crt
> smtpd_tls_key_file = /etc/postfix/certs/.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_use_tls = yes
> transport_maps = hash:/etc/postfix/transport_maps
> unknown_local_recipient_reject_code = 550

I don't see the smtpd_*_restrictions. Sensible ones there cut down on
acres of spam and take load off the content scanner, without much in the
way of false positives (in fact, I have none). I suggest (after
permit_mynetworks, for each set):

smtpd_helo_restrictions =
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname, (this one traps the most from bots)
smtpd_client_restrictions =
  reject_non_fqdn_hostname,
  reject_unknown_reverse_client_hostname OR
  reject_unknown_client_hostname (this one tends to cause more false
positives, due to idiots configuring their DNS)
smtpd_sender_restrictions = 
  reject_non_fqdn_sender,
  reject_unknown_sender_domain 
smtpd_recipient_restrictions =
  reject_unauth_destination
  reject_non_fqdn_recipient,
  reject_rbl_client zen.spamhaus.org,
smtpd_data_restrictions =
  reject_unauth_pipelining

Also set strict_rfc821_envelopes = yes (unless you have ancient mail
clients you need to support)

All my senders are in mynetworks (or I'd be using auth, in any case), so
I can have a sender access map (after permit_mynetworks) that basically
consists of "@mydomain.com  REJECT". You can have helo access maps
that reject servers purporting to be your own.


RE: mail forward based on user to specific filter then to another address

2008-12-10 Thread MacShane, Tracy
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of J.P. Trosclair
> Sent: Thursday, 11 December 2008 10:32 AM
> To: postfix-users@postfix.org
> Subject: mail forward based on user to specific filter then 
> to another address
> 
> Hi,
> 
> I've got a user that wants their mail forwarded to their 
> blackberry account. No big deal. The catch is they want 
> attachments stripped first. 
> I've found this tool called renattach that does just that. I 
> set this up in main.cf:
> 

This is not solving the question you asked, but what is wrong with the
user not selecting the option on his/her Blackberry to download the
attachments? Attachments are not delivered to the device until such time
as you specifically prompt to download them. The attachment pointer is
just that, a *pointer*.  


OT: RE: Postfix does not dot the i's when client sends gibberish

2008-12-11 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Larry Stone
> Sent: Friday, 12 December 2008 3:53 PM
> To: postfix-users@postfix.org
> Subject: Re: Postfix does not dot the i's when client sends gibberish
> 
> On 12/11/08 9:41 PM, Victor Duchovni at 
> victor.ducho...@morganstanley.com
> wrote:
> 
> > On Fri, Dec 12, 2008 at 12:59:41AM +0100, klondike wrote:
> > 
> >> According to section 4.2.4 on the RFC 282, the SMTP server should 
> >> return
> >> 502 only when a command is recognised but not implemented, 
> and 500 if 
> >> it isn't recognised.
> > 
> > This is not a bug, but it is admittedly an unnecessary deviation from
> > SHOULD normative language in the RFC when the client is in flagrant 
> > violation by sending garbage.
> 
> At the risk of moving away from Postfix technical issues, RFC 
> 2821 is poorly written. SHOULD, despite much misuse in 
> commonly used English, is the past tense of SHALL. Something 
> that SHALL be done is mandatory yet in common but incorrect 
> use, SHOULD is often used to mean present tense MAY (as in 
> you can do so but it is not mandatory). As a formal document, 
> the RFC ought to say either SHALL (mandatory) or MAY 
> (optional) with SHOULD, being in the past tense, completely 
> incorrect in the context of that paragraph. Unfortunately, 
> given the incorrect use of SHOULD, it is unclear to me what 
> the RFC really means.
> 
> --
> Larry Stone
> lston...@stonejongleux.com
> http://www.stonejongleux.com/
> 

I don't know when it happened (I don't have the OED to hand), but for
quite some time (at least decades), "should" has not *solely* been the
past tense of "shall". As an _auxiliary_ verb, it has the following
accepted senses:

1. ought (to be or do something); Indicates that the subject of the
sentence has some obligation to execute the sentence predicate. 
You should go to the doctor if you have a severe fever. 
2. will likely (become or do something) Indicates that the subject of
the sentence is likely to execute the sentence predicate. 
You should be fine soon if he treats you with an anti-pyretic. 
3. If; in case of; Indicates that its subordinate clause refers to a
hypothetical condition for the event expressed by the main clause. 
Should you need to contact the doctor right away, you will need to use
the after-hours number.

To insist you don't understand a common and accepted modern usage of
"should" is disingenuous in the extreme. I do think "ought" is often
better in formal documentation, though. But as long as the use of a term
is clearly defined in a document - as it is in the RFCs - it actually
doesn't matter what might be "correct". Technical, scientific and
academic English can be quite different to Standard English.


RE: helo being rejected

2008-12-15 Thread MacShane, Tracy
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Joey
Sent: Tuesday, 16 December 2008 1:05 PM
To: postfix-users@postfix.org
Subject: helo being rejected



Hello All,

I have a client whose email server is getting a lot of helo
rejects from it (windows box).  The client has a .NET domain for their
servers ( hardware ) and a .COM for their email address.

I manually had a conversation with my postfix server that has
these settings:

reject_invalid_helo_hostname,
check_helo_access hash:/etc/postfix/helo_access,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,

 
I verified reverse DNS, all domains exist etc.

Here are my results:

220 receivingserver.net ESMTP Postfix

EHLO sendingserver.net
250-receivingserver.net
250-PIPELINING
250-SIZE 2400
250-ETRN
250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5
250-AUTH=DIGEST-MD5 PLAIN LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

MAIL From: <m...@sendingserver.com>
250 2.1.0 O

RCPT To:
554 5.7.1 <sendingserver.net>: Helo command rejected: Helo Chec

 
Any ideas appreciated!

 

Thanks!

=
 

That error message is not coming from the *_helo_hostname checks, it
must be coming from your helo_access map. Show the transaction logging
from the maillog and the contents of your helo_access.


RE: helo being rejected

2008-12-16 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Joey
> Sent: Wednesday, 17 December 2008 12:06 AM
> To: postfix-users@postfix.org
> Subject: RE: helo being rejected
> 
> > -Original Message-
> > From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org]
> > On Behalf Of MacShane, Tracy
> > Sent: Monday, December 15, 2008 9:18 PM
> > To: postfix-users@postfix.org
> > Subject: RE: helo being rejected
> > 
> > From: owner-postfix-us...@postfix.org
> > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Joey
> > Sent: Tuesday, 16 December 2008 1:05 PM
> > To: postfix-users@postfix.org
> > Subject: helo being rejected
> > 
> > 
> > 
> > Hello All,
> > 
> > I have a client whose email server is getting a lot of helo rejects
> > from it (windows box).  The client has a .NET domain for their servers
> > ( hardware ) and a .COM for their email address.
> > 
> > I manually had a conversation with my postfix server that has these
> > settings:
> > 
> > reject_invalid_helo_hostname,
> > check_helo_access hash:/etc/postfix/helo_access,
> > reject_invalid_helo_hostname,
> > reject_non_fqdn_helo_hostname,
> > 
> > [...]
> > =
> > 
> > 
> > That error message is not coming from the *_helo_hostname checks, it
> > must be coming from your helo_access map. Show the transaction logging
> > from the maillog and the contents of your helo_access.
> 
> I see what you are saying... I have this in helo_access ...
> 
> sendingserver.net REJECT Helo Check
> sendingserver.com REJECT Helo Check
> 
> Whoever set this up was trying from what I can tell to reject 
> spoofers from those domains... and had a rule to bypass their 
> own servers in mynetworks.
> This basically brute force stopped it right?
> 
> Thanks!
> 
> 

Yep, it's common (and often explicitly recommended) to have a helo check
that rejects external hosts that announce themselves with your own
domain. 

I would suggest putting a more meaningful reject message - "REJECT
External host spoofing internal HELO" or whatever, while ensuring that
all the appropriate servers are in mynetworks, and that you have
permit_mynetworks occurring before the helo check.
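The two helo threads above, and the restriction list suggested in the backscatter reply earlier on this page, all turn on the same mechanics: a helo_access map that matches a domain and its subdomains, evaluated after permit_mynetworks so your own servers bypass it, followed by the syntax and FQDN checks. Here is an added Python model of that evaluation (my example, not code from the posts or from Postfix). The networks and the map contents are constructed; the sendingserver.net/.com names are the placeholders from the thread, and the "parent domain matches subdomains" behaviour is the Postfix default for smtpd access maps.

```python
"""HELO checks as an smtpd restriction list, evaluated in the order the
thread recommends: permit_mynetworks first, then the helo_access map, then
the syntax checks.

Added example, not code from the original posts or from Postfix. It models
check_helo_access (an access map with parent-domain matching, which is what
the Postfix default parent_domain_matches_subdomains gives for smtpd access
maps), reject_invalid_helo_hostname (malformed syntax) and
reject_non_fqdn_helo_hostname (neither a dotted name nor an address
literal). Networks and map contents below are constructed.
"""
import ipaddress
import re

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_address_literal(helo: str) -> bool:
    """RFC 5321 address literal such as [192.0.2.1]."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    try:
        ipaddress.ip_address(helo[1:-1])
        return True
    except ValueError:
        return False


def is_valid_hostname(helo: str) -> bool:
    """Syntax test in the spirit of reject_invalid_helo_hostname."""
    if is_address_literal(helo):
        return True
    if not helo or len(helo) > 255:
        return False
    return all(LABEL.match(label) for label in helo.rstrip(".").split("."))


def is_fqdn(helo: str) -> bool:
    """Test in the spirit of reject_non_fqdn_helo_hostname: an address
    literal, or a name of at least two labels whose last label is not all
    digits (so a bare IP address without brackets fails)."""
    if is_address_literal(helo):
        return True
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and not labels[-1].isdigit()


def access_lookup(table: dict, name: str):
    """access(5) hostname lookup: the full name, then each parent domain."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def evaluate_helo(client_ip: str, helo: str, mynetworks, helo_access):
    """Return (action, reason) for one HELO/EHLO from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in mynetworks):
        return ("PERMIT", "permit_mynetworks")     # own servers skip the map
    verdict = access_lookup(helo_access, helo)
    if verdict is not None:
        action, _, text = verdict.partition(" ")
        if action.upper() == "REJECT":
            return ("REJECT", text or "Access denied")
        if action.upper() == "OK":
            return ("PERMIT", "check_helo_access OK")
    if not is_valid_hostname(helo):
        return ("REJECT", "reject_invalid_helo_hostname")
    if not is_fqdn(helo):
        return ("REJECT", "reject_non_fqdn_helo_hostname")
    return ("DUNNO", "no HELO restriction matched")


# Constructed settings: our networks, and the helo_access map from the
# thread with the more meaningful reject text the reply suggests.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
HELO_ACCESS = {
    "sendingserver.net": "REJECT External host spoofing internal HELO",
    "sendingserver.com": "REJECT External host spoofing internal HELO",
}


def check(client_ip: str, helo: str):
    """Evaluate one session against the constructed settings above."""
    return evaluate_helo(client_ip, helo, MYNETWORKS, HELO_ACCESS)


if __name__ == "__main__":
    for ip, helo in [("198.51.100.7", "sendingserver.net"),
                     ("192.0.2.10", "sendingserver.net"),
                     ("198.51.100.7", "localhost")]:
        print(ip, helo, check(ip, helo))
```

The same access_lookup() is what makes a client_access entry like "res.rr.com REJECT ..." catch every host under that domain, which is the other place on this page where parent-domain matching does the work.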


RE: Using Postfix for business continuity

2009-01-06 Thread MacShane, Tracy


From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Kenneth Kalmer
Sent: Tuesday, 6 January 2009 11:49 PM
To: Postfix users
Subject: Re: Using Postfix for business continuity


On Mon, Jan 5, 2009 at 3:25 PM, Wietse Venema
 wrote:


Kenneth Kalmer:

> Hi all
>
> Just got asked by one of our sales guys if we could implement a Postfix
> business continuity service, by his definition it means that Postfix acts as
> a normal backup MX but gives the users access to their email via webmail of
> sorts.
>
> I understand the issues of user authentication, validating users, etc.
>
> I'd just like to find out if anyone has implemented something similar, or
> have any pointers for implementing something like this.




The way we envisioned it, it would be an offsite server acting as
a normal backup MX, giving the users access to their email through a web
interface. This would involve reading through the spool files, which for
high volumes would be horribly slow.

Most of our potential clients would be running MS Exchange (I
see this as the continuity issue) and we'll be far removed from them.
 



Exchange 2007 has pretty good clustering and cross-site replication
(using log-shipping) these days. Of course, any replication partner
would need to be in the same domain, but it might be possible to host
several instances on one box using a virtual server solution. Naturally,
if a business has multiple sites, they'd be much better off doing any
replication internally anyway.

Otherwise, Victor's suggestion about BCCing everything and hosting an
IMAP server is the best other option (given all the account
co-ordination hassles).


RE: Re: smtp_helo_name ignored

2009-01-11 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Sahil Tandon
> Sent: Monday, 12 January 2009 3:20 PM
> To: postfix-users@postfix.org
> Subject: Spam: Re: smtp_helo_name ignored
> 
> On Mon, 12 Jan 2009, David Cottle wrote:
> 
> > So I should be using smtpd_helo_name to set the server helo name?
> 
> ...
> 
> For the umpteenth time, please stop top-posting.
> 


Unfortunately, in a similar way to Blackberries, iPhones do not permit
bottom posting or in-line comments in reply to a message. I for one wish
they would fix it on a Blackberry, which is supposed to be a *business*
tool.


OT: iPhone replies

2009-01-11 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of MacShane, Tracy
> Sent: Monday, 12 January 2009 3:34 PM
> To: postfix-users@postfix.org
> Subject: RE: Re: smtp_helo_name ignored
> 
> Unfortunately, in a similar way to Blackberries, iPhones do 
> not permit bottom posting or in-line comments in reply to a 
> message. I for one wish they would fix it on a Blackberry, 
> which is supposed to be a *business* tool.
> 

Well, it turns out I'm talking through a hole in my head with regard to
iPhones. Apologies for the confusion!


RE: relay_domain = * safe configuration?

2009-01-26 Thread MacShane, Tracy

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of James Robertson
> Sent: Monday, 26 January 2009 1:50 AM
> To: postfix-users@postfix.org
> Subject: Re: relay_domain = * safe configuration?
> 
> On Sun, 25 Jan 2009 23:58:36 mouss wrote:
> > James Robertson wrote:
> > > Hi,
> > >
> > >
> > > Can I safely set:
> > >
> > > relay_domains = *
> >
> > do you mean
> > relay_domains = static:all
> > ?
> >
> > why would you do that? I mean what is the (real, business) problem you 
> > are trying to solve?
> >
> > since you update the list of recipients, you can also update the list 
> > of relay domains, with something like:
> >
> > sed 's/^[^@]*@/@/' relay_recipients |sort|uniq > relay_domains
> 
> Sorry for the bad initial question.  *cringes*
> 
> I am using the getadsmtp.pl script to pull addresses from an 
> exchange server to a box that does spam filtering on the 
> inbound mail (no mail is delivered locally to the antispam 
> box).  When we have to add domains to the Exchange Server we 
> have also been adding them to relay_domains and transport in 
> postfix on the antispam box.
> 
> We just run the getadsmtp.pl script every hour on the hour to 
> grab any addresses that may have been added or removed from 
> the domain/s.
> 
> the main issue is that we have quite a few of these postfix 
> antispam boxes installed at clients sites now and not alot of 
> Linux/Postfix able technicians to make changes to them, so if 
> a domain is added and a Windows tech forgets to advise us or 
> no-one is available to configure it, mail won't deliver to the domain.


Well, when that happens, it suddenly becomes in the interest of the Windows 
admin to advise you that they have configured a new domain. I don't understand 
why you're interested in cleaning up someone else's mess. Of course, this 
assumes that you have a clearly-documented process about adding new domains, 
which stipulates that you must be advised if they expect mail to be delivered.

You also might consider pulling your antispam process back a layer - don't 
install Postfix boxes at each crappy little site. Have a couple of big boxes 
that act as MXes for the customer domains, and which then relay to their 
Exchange servers. Of course, that would assume you don't quarantine spam emails 
on the Postfix servers, but tag-and-deliver. 

It won't solve the problem of the Windows admins advising you when they've 
configured a new domain, but perhaps that should be done as soon as the 
customer "signs up". You get a new customer, they are going to manage 
blah.domain, you configure the relay stuff then, even before they get their 
Exchange server up.


RE: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-26 Thread MacShane, Tracy


From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Dave
Sent: Tuesday, 27 January 2009 9:34 AM
To: mouss+nob...@netoyen.net
Cc: postfix-users@postfix.org
Subject: Re: I thought I had a send-only Postfix server, but I see someone 
connected to it!

On Mon, Jan 26, 2009 at 4:00 PM, mouss  wrote:

Dave wrote:

> On Mon, Jan 26, 2009 at 12:58 PM, Bjørn Ruberg 
 > wrote:
>
> [snip]
>
> An even easier alternative is to let Postfix listen to localhost

> OK, I did this too. (In addition to setting inet_interfaces = 127.0.0.1
> in main.cf .)


This may cause problems because the IP will also be used for
smtp_bind_address, which means smtp will use it as the source 
IP when
talking to other mail servers.

better not play with inet_interfaces and edit master.cf instead.



Thanks for the tip. As far as I know, however, my Postfix only needs to 
talk to my gmail-provided smtp server. I just tested, and I can indeed still 
send email (which is relayed via gmail) even with the above change in place. 

I don't want anyone connecting to my Postfix server and I don't want it 
to send any email from any other machine and I only want it to relay email via 
gmail smtp. Given all that, is there any reason to undo the inet_interfaces 
change I made? 
  
===


Personally, I wonder why you're using Postfix at all if you're just sending and 
receiving mail via Gmail. Postfix is a full-blown MTA, so it seems like a lot 
of overkill for mail you could collect via IMAP/POP using the mail client of 
your preference.


RE: I thought I had a send-only Postfix server, but I see someoneconnected to it!

2009-01-26 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of MountainX
> Sent: Tuesday, 27 January 2009 1:42 PM
> To: postfix-users@postfix.org
> Subject: RE: I thought I had a send-only Postfix server, but 
> I see someoneconnected to it!
> 
> MacShane, Tracy wrote:
> > 
> > 
> > 
> > Personally, I wonder why you're using Postfix at all if you're just 
> > sending and receiving mail via Gmail. Postfix is a 
> full-blown MTA, so 
> > it seems like a lot of overkill for mail you could collect via 
> > IMAP/POP using the mail client of your preference.

> 
> Well, now that Postfix is almost working the way I want, it 
> would require more time to switch to something else. But you 
> have aroused my curiosity.
> What is a simple solution that will allow my Linux server to 
> send all notifications (such as those generated by system 
> events or otherwise and addressed to root @localhost or any 
> other user account) to me at my gmail account without using Postfix?

There's no reason to take it all so personally. This list is extremely
helpful if you just do a bit of preliminary research, and don't just go
off one third-party document. It also wasn't clear why you wanted to
relay via Gmail servers. There's a doco on SOHO configurations in the
Postfix READMEs or on postfix.org:
http://www.postfix.org/SOHO_README.html

And it's often easier to just send via your ISP than directly through
Google's SMTP servers.

But a doco here has sending via Mutt using msmtp as the MTA (Postfix
works fine instead): http://www.andrews-corner.org/mutt.html

Provide logs if the SOHO document doesn't help you.


RE: postfix blocking yahoo and gmail

2009-02-05 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of jan gestre
> Sent: Friday, 6 February 2009 12:16 PM
> To: postfix users list
> Subject: postfix blocking yahoo and gmail
> 
> Hi Guys,
> 
> Why is it that whenever I send emails using yahoo/gmail from a
> connection that uses dynamic ip address to the company's smtp server,
> postfix blocks them and say it comes from a dynamic ip address using
> sbl-xbl, and whenever I send emails using the same yahoo/gmail account
> in the office that has a public static ip address, the mail is
> received.
> 
> TIA
> 
> Jan
> 
> Here's my postconf -n:
> 
> reject_rbl_client sbl-xbl.spamhaus.org
> reject_rbl_client zen.spamhaus.org 
> reject_rhsbl_sender dsn.rfc-ignorant.org
> reject_rbl_client bl.spamcop.net 

Because the dynamic address you're relaying from is on the Spamhaus
list, and the static address is not?

You should also not have *both* zen.spamhaus.org AND
sbl-xbl.spamhaus.org - the Zen list includes sbl-xbl.

You can query the zen list for your dynamic host by running "dig
rev.erse.IP.addr.zen.spamhaus.org" and seeing if there are any entries. 

Show some logs for your rejected emails, if that doesn't seem to be the
problem.
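The dig command above is the manual form of what reject_rbl_client does on every connection. As an added Python example (mine, not from the post or from Postfix), the block below builds the reversed-octet query name, interprets the 127.0.0.x answer Spamhaus Zen returns for a listed address, and flags RBL zones that are redundant next to Zen (sbl-xbl among them). The resolver is a parameter so the sample runs offline against a constructed answer table; pass socket.gethostbyname to query real DNS. The IP addresses are documentation ranges, not real listings.

```python
"""DNSBL lookup the way reject_rbl_client performs it.

Added example, not from the original post or from Postfix. It builds the
reversed-octet query name shown in the post ("dig
rev.erse.IP.addr.zen.spamhaus.org"), interprets the 127.0.0.x answer that
Spamhaus Zen returns, and lists rbl zones that Zen already covers. The
resolver is injectable so the constructed answer table below works offline.
"""
import ipaddress
import socket

# Spamhaus Zen answer codes (which sublist the address is on).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# Zones whose data is already included in zen.spamhaus.org.
COVERED_BY_ZEN = {"sbl.spamhaus.org", "xbl.spamhaus.org", "pbl.spamhaus.org",
                  "sbl-xbl.spamhaus.org"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 203.0.113.45 -> 45.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # IPv4 only, as in the post
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip: str, zone: str = "zen.spamhaus.org",
                 resolve=socket.gethostbyname):
    """Return a description of the listing, or None when the name does not
    resolve (NXDOMAIN means the address is not listed)."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    return ZEN_CODES.get(answer, f"listed, code {answer}")


def redundant_rbl_zones(zones):
    """Zones in a reject_rbl_client list that add nothing once Zen is queried."""
    zones = [z.lower() for z in zones]
    if "zen.spamhaus.org" not in zones:
        return []
    return [z for z in zones if z in COVERED_BY_ZEN]


# Constructed answer table standing in for DNS: one listed dynamic address
# (documentation range 203.0.113.0/24, PBL-style answer).
FAKE_DNS = {"45.113.0.203.zen.spamhaus.org": "127.0.0.11"}


def fake_resolve(name: str) -> str:
    """Offline stand-in for socket.gethostbyname."""
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.45", "zen.spamhaus.org"))
    print(dnsbl_lookup("203.0.113.45", resolve=fake_resolve))   # PBL listing
    print(dnsbl_lookup("203.0.113.46", resolve=fake_resolve))   # None
    print(redundant_rbl_zones(["sbl-xbl.spamhaus.org",
                               "zen.spamhaus.org", "bl.spamcop.net"]))
```

A PBL answer for the dynamic address is exactly the "dynamic ip address" rejection Jan describes; the office's static address simply is not on that list.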



RE: Sender-Recipient forged mail

2009-02-05 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of itsramesh_s
> Sent: Friday, 6 February 2009 4:25 PM
> To: postfix-users@postfix.org
> Subject: Sender-Recipient forged mail
> 
> 
> Hi,
> 
> I have configured postfix postfix-2.4.5-2.fc8. All mail users are
> getting forged mails where the sender and recipient are the same. We have a
> secondary MX; I am sending both postconf outputs.
> 
> Please help me to stop forged mail.
> 
> Postconf -n of primary MTA   
> 
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_pipelining,
> reject_unknown_recipient_domain, reject_non_fqdn_sender,
> reject_unauth_destination

You could do with a whole lot more smtpd restrictions, such as
reject_non_fqdn_recipient, reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,  reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname (or
reject_unknown_client_hostname, but this tends to give a lot of false
positives due to admins who can't configure DNS properly,
unfortunately).

If all your senders are sending from hosts in mynetworks, then the
easiest method is to do  "check_sender_access
hash:/etc/postfix/sender_access" after reject_unauth_destination (and
permit_mynetworks, of course), where /etc/postfix/sender_access is as
follows:

mydomain.com    REJECT Mail from our senders must come from our hosts


RE: whitelisting not working

2009-02-08 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of 
> webmas...@aus-city.com
> Sent: Monday, 9 February 2009 3:21 PM
> To: postfix-users@postfix.org; Sahil Tandon
> Cc: postfix-users@postfix.org
> Subject: Re: whitelisting not working
> >
> 
> Sorry I forgot to ask another question...
> 
> The whitelist (assuming it's the silly timestamp mismatch 
> causing the issue), can you whitelist actual email addresses 
> as well as the SMTP servers?
> 
> For instance if I have a friend like myfri...@hisdomain.com  
> can you put target email addresses in the whitelist and they pass?
> 

http://www.postfix.org/postconf.5.html#check_sender_access - check the
examples at the end of this section


It is not recommended that you do that globally, since everyone can
forge an envelope sender address. You're better off OKing a specific
client.



RE: reject_unverified_sender vs greylisting

2009-02-09 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of mouss
> Sent: Tuesday, 10 February 2009 8:39 AM
> To: postfix-users@postfix.org
> Subject: Re: reject_unverified_sender vs greylisting
> 
> João Miguel Neves wrote:
>
> > Yes, I was. Thanks for the heads up. I don't have high traffic, but 
> > I'm limiting the effect of SAV.
> 
> and how do you limit it? 71.66.121.221 is listed on 
> zen.spamhaus.org (via cbl) and spamcop (as well as Barracuda 
> BRBL, SORBS, ... etc). it is also a residential IP as can be 
> seen from the rDNS (.res.rr.com).
> 

My simple solution to this is have a line in a client_access map of "res.rr.com 
REJECT Please relay mail via your ISP". I've more recently added biz.rr.com as 
well (and plenty of others). There is just a set of (mainly consumer) domains 
I'm not going to accept mail from. Also, Spamhaus Zen catches these.


RE: mysql lookup errors

2009-03-02 Thread MacShane, Tracy
 
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of /dev/rob0
> Sent: Tuesday, 3 March 2009 7:31 AM
> To: postfix-users@postfix.org
> Subject: Re: mysql lookup errors
> 
> On Mon March 2 2009 12:51:23 kj wrote:
> > I'm seeing this in the logs:
> >
> > Mar  2 18:18:05 web postfix/cleanup[27207]: warning: mysql query
> > failed: MySQL server has gone away
> snip
> > Mar  2 18:18:30 web postfix/pickup[26468]: E381E7102B3: uid=48 
> > from=
> snip
> > RHEL5, with the stock Red Hat rpm recompiled with mysql support.
> 
> That RPM is probably chroot'ed by the distributor. My first 
> guess is that you're seeing a chroot problem. My second 
> guess, SELinux. In either case, seek support from your vendor 
> for these problems.
> 

RedHat does not have Postfix chrooting enabled in the distro by default
- it seems to be more the Debian-based distros that have that problem.
Also, I've never had any problems with SELinux and Postfix in stock RH
installs (although I haven't used it with MySQL).


RE: Spam attacks

2009-03-03 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Pawel Lesniak
> Sent: Wednesday, 4 March 2009 4:19 AM
> To: postfix users list
> Subject: Re: Spam attacks
> 
> On 2009-03-03 17:46, Noel Jones wrote:
> > Some people reject their own domain from outside, unauthenticated 
> > clients, but this will certainly reject some amount of legit mail.
> 
> Could you write a little bit how is it possible to reject 
> legit mail by rejecting unauthenticated clients when all 
> users do use SASL authentication or are in my_networks?
> 
> 
> Pawel Lesniak
> 
> 

We have a very clear policy that users are only permitted to relay mail
from our networks. If they are sending from home, they use webmail.
We've had one or two instances where external organisations have used
some kind of auto-reply mechanism which purports to send from our users,
but we simply tell them to fix the sender address. We use a sender
access map to reject the spurious senders that aren't coming from
my_networks. You can use warn_if_reject to test the impact of this
measure for a few days or weeks.

main.cf
==
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_non_fqdn_sender,
  check_sender_access hash:/etc/postfix/sender_access


# cat /etc/postfix/sender_access
ourdomain.com   REJECT
ourdomain.gov.au  REJECT
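This configuration, and the sender_access suggestion in the "Sender-Recipient forged mail" reply earlier on this page, depend on ordering: permit_mynetworks and permit_sasl_authenticated must come before the map or your own users get rejected. Here is an added Python model of that evaluation (my example, not code from the post or from Postfix) run over a batch of constructed SMTP sessions, including the warn_if_reject trial mode the post recommends. The domains are the post's placeholders; the networks and sessions are constructed.

```python
"""Rejecting our own domain as envelope sender from outside mynetworks.

Added example, not code from the original posts or from Postfix. It walks
the smtpd_recipient_restrictions list from the post in order for a batch of
constructed SMTP sessions, applies the sender_access map (with the
parent-domain matching access(5) uses), and models the warn_if_reject trial
mode: would-be rejections are counted instead of enforced.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    sender: str       # envelope sender (MAIL FROM), "" for the null sender
    recipient: str    # envelope recipient (RCPT TO)


OUR_DOMAINS = {"ourdomain.com", "ourdomain.gov.au"}      # domains we accept mail for
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]        # constructed
# Contents of /etc/postfix/sender_access from the post.
SENDER_ACCESS = {"ourdomain.com": "REJECT", "ourdomain.gov.au": "REJECT"}


def sender_access_lookup(sender: str):
    """access(5) order for an address: full address, domain and its
    parent domains, then the user@ form."""
    local, _, domain = sender.lower().partition("@")
    if sender and sender.lower() in SENDER_ACCESS:
        return SENDER_ACCESS[sender.lower()]
    labels = domain.split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return SENDER_ACCESS.get(local + "@")


def evaluate(s: Session, warn_if_reject: bool = False):
    """Return (action, restriction), walking the list in the post's order."""
    ip = ipaddress.ip_address(s.client_ip)
    if any(ip in net for net in MYNETWORKS):
        return ("permit", "permit_mynetworks")
    if s.sasl_authenticated:
        return ("permit", "permit_sasl_authenticated")
    # reject_unauth_destination: strangers may only send to our own domains.
    if s.recipient.partition("@")[2].lower() not in OUR_DOMAINS:
        return ("reject", "reject_unauth_destination")
    # reject_non_fqdn_sender: the null sender (bounces) is exempt.
    sender_domain = s.sender.partition("@")[2]
    if s.sender and "." not in sender_domain:
        return ("reject", "reject_non_fqdn_sender")
    verdict = sender_access_lookup(s.sender)
    if verdict and verdict.split()[0].upper() == "REJECT":
        # warn_if_reject turns the REJECT into a log warning only.
        return ("warn" if warn_if_reject else "reject", "check_sender_access")
    return ("dunno", "end of list")


def trial_report(sessions, warn_if_reject: bool = True):
    """Count what the sender_access check would reject during a trial."""
    counts = {}
    for s in sessions:
        action, name = evaluate(s, warn_if_reject)
        if action == "warn":
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sessions: internal submission, authenticated roaming user,
# two spoofed "own domain" senders from outside, a normal inbound message,
# a relay attempt, and a bounce with the null sender.
SESSIONS = [
    Session("192.0.2.25", False, "alice@ourdomain.com", "bob@ourdomain.com"),
    Session("198.51.100.9", True, "alice@ourdomain.com", "friend@example.net"),
    Session("198.51.100.9", False, "alice@ourdomain.com", "bob@ourdomain.com"),
    Session("198.51.100.9", False, "news@lists.ourdomain.gov.au", "bob@ourdomain.com"),
    Session("198.51.100.9", False, "someone@example.org", "bob@ourdomain.gov.au"),
    Session("198.51.100.9", False, "someone@example.org", "victim@example.net"),
    Session("198.51.100.9", False, "", "bob@ourdomain.com"),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.client_ip, s.sender or "<>", "->", s.recipient, evaluate(s))
    print(trial_report(SESSIONS))   # {'check_sender_access': 2}
```

Swapping the order so check_sender_access came before permit_mynetworks would make the first session a rejection too, which is the failure mode the thread keeps coming back to; the trial count is what you would read off the "reject_warning" lines in the maillog before turning enforcement on.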


RE: Spam attacks

2009-03-04 Thread MacShane, Tracy

From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Pawel Lesniak
Sent: Wednesday, 4 March 2009 7:32 PM
To: postfix users list
Subject: Re: Spam attacks


On 2009-03-03 23:34, MacShane, Tracy wrote: 


> We have a very clear policy that users are only permitted to relay mail
> from our networks.

So you too advocate (if I clearly understand you) my point of
view, where those "legit mails", which Noel was talking about, are just
misconfigurations of others' servers.  
I believe that we share the opinion that restricting own users to
sending from my_networks and/or authenticated clients works perfectly to
stop getting spam from u...@example.com to u...@example.com.

Pawel Lesniak

=

Actually, no, I wouldn't go that far. I'm fortunate in that I can
dictate such a policy, because it's existed since we've had email in
this organisation (well before my time), and we don't generally have
users subscribing to mailers that use this technique to get the mail
through. I do think it's a silly practice, but it's not technically a
"misconfiguration", nor is it necessarily spam, if a user signed up to
such a service.

For my organisation, it works perfectly as far as it goes, but that's
because of the established history and _clear policy_. We may one day
encounter a situation where we need to create an exemption for a
specific purpose. We only catch a couple of hundred or so messages a day
using this measure at present (it was higher when the botnets were more
active, and before we implemented Fail2ban), but that's a couple of
hundred lookups to Zen we don't have to do each day (not even 0.5% of
the total, though).





RE: Too strict?

2009-03-16 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Alberto Lepe
> Sent: Monday, 16 March 2009 4:18 PM
> To: postfix-users@postfix.org
> Subject: Too strict?
> 
> Hello, and thank you in advance for your time!
> 
> I have been setting up a mail server since more than a week 
> and after reading several posts/articles and some pages of 
> the Postfix manual, I'm a little confused about how to setup 
> the security.
> The mail server is outside my LAN and it will be used to 
> serve some domains, with maybe 10 users per domain.
> 
> This is my main.cf (restrictions):
> 
> smtpd_data_restrictions = reject_unauth_pipelining 
> smtpd_recipient_restrictions =
>  reject_non_fqdn_sender,
>  reject_non_fqdn_recipient,
>  permit_mynetworks,
>  permit_sasl_authenticated,
> # reject_unknown_sender_domain,
> # reject_unknown_recipient_domain,
>  reject_unauth_destination,
>  reject_invalid_helo_hostname,
>  reject_unlisted_recipient,
>  reject_unlisted_sender,
>  reject_invalid_hostname,
> #   reject_non_fqdn_hostname,
> #   reject_unknown_client_hostname,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client bl.spamcop.net,
> permit
> 

Leaving aside the other comments people have made, I have
reject_unknown_sender_domain (AFTER reject_unauth_destination) and
reject_non_fqdn_hostname configured. The latter check in particular
rejects thousands of connections a day so I don't have to keep hitting
the Zen lookups. No FPs that I've ever been made aware of.
reject_unlisted_recipient is redundant, since it's "yes" by default (but
no harm leaving it in).


RE: Dropping rejected mail from a transport server

2009-03-17 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Terry Carmen
> Sent: Wednesday, 18 March 2009 6:14 AM
> Cc: postfix-users@postfix.org
> Subject: Re: Dropping rejected mail from a transport server
> 
> Chris Cameron wrote:
> > I have a Postfix server that sits in front of Exchange. Exchange has
> > anti-spam software running that will reject what it deems as spam.
> > This is creating a problem for Postfix, which accepts a message, and
> > tries to send it to Exchange, who then rejects it. That leaves Postfix
> > with an email it has to try to bounce to a (usually) non-legitimate
> > sender.
> 
> My suggestion would be to:
> 
> * Do the spam processing on or before the postfix box and 
> turn it off on exchange, or
> * Configure Exchange to deliver spammy mail and just mark it as spam.
> 
> Any solution that accepts mail and then bounces it later will 
> make you a bounce-back spam source and get your servers 
> blacklisted. Any solution that accepts mail and deletes it 
> will have the users at your door with pitchforks and torches.
> 
> Terry
> 

We do both of these. Spam scanning occurs on the Postfix front-end
(using Trend Micro IMSS, ick, but we're migrating to PureMessage), and
we have a tag-and-deliver or quarantine mechanism (in addition, we
discard messages with executables rather than rejecting them).
Rejections only occur during the initial SMTP transaction on the Postfix
server.


RE: [maybe OT] postfix HA

2009-03-25 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of J.P. Trosclair
> Sent: Thursday, 26 March 2009 11:05 AM
> To: mouss+nob...@netoyen.net
> Cc: postfix-users@postfix.org
> Subject: Re: [maybe OT] postfix HA
> 
> mouss wrote:
> > I am trying to "collect" methods to set up postfix in an HA
> > configuration, for "outbound" relay (no MUA involved). a use case is
> > using multiple postfix boxes to relay mail out for one or more
> > exchange servers. there are many possibilities. which one is
> > "good/recommended/easy/blahblah"? This is somewhat off topic since the
> > problem is mostly on the client (exchange or other) side rather than
> > postfix. but I think this is a real need. and if I get enough info,
> > I can aggregate them and submit that as a howto/readme.


We have an Exchange infrastructure (9 servers) with two Postfix servers
as the sole outbound MUAs in geographically-diverse sites. All we use is
simply a DNS round-robin alias that points to both Postfix servers,
which the external SMTP connector for the Exchange org (and all the
servers inside it) is configured to use. Fairly standard setup - some
round-robin implementations can also do some smarts to determine which
hosts are actually up before returning the IP to the enquirer.

Since these are real SMTP connections, if the first host that is
resolved via the round-robin is unavailable, the Exchange server will
simply retry until it gets a host that replies.

If you want to direct outbound traffic via a specific Postfix
server/round robin alias for specific Exchange servers, and perhaps
another group of Exchange servers via a different outbound route, there
is no problem with setting up more than one SMTP connector in the
Exchange org, and adding the appropriate servers/round-robin alias to
that specific SMTP connector.


RE: Postfix - Yahoo parameters settings

2009-03-29 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Andrew Long
> Sent: Monday, 30 March 2009 9:58 AM
> To: Jacky Chan
> Cc: postfix-users@postfix.org
> Subject: Re: Postfix - Yahoo parameters settings
> 
> > In short, the principle of the setting is to delay the delivery from
> > your Postfix to yahoo, at a rate which yahoo can accept.
> >
> > Basically, you may take the following steps as reference:
> > 1. Create a separate mail queue for the destination yahoo; let's name it
> > the 'slow' queue
> > (You may search in this mailing list too, someone has asked before)
> 
> Jumping in here because I am interested in the same solution 
> but not quite clear how to bind the new transport to the 
> destination (yahoo.com). I did the googling and afraid I'm no closer.
> 
> - Andrew
> 

(my slow transport is VERY slow, due to one domain we send to that only
accepts one message every 30 seconds)

master.cf
-

# transport for delicate domains
slow      unix  -       -       n       -       1       smtp
    -o syslog_name=postfix-slow


transport
--

yahoo.com   slow:



RE: Logging Postfix Activity

2009-03-30 Thread MacShane, Tracy
 

From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Marky Yehezkiel
(SNC)
Sent: Tuesday, 31 March 2009 12:53 PM
To: postfix-users@postfix.org
Subject: Logging Postfix Activity



Dear All,

Is there any way to log/record POP3 and IMAP activity when
users delete email via IMAP and POP3 (Outlook deletes the email when
it downloads it from the server)?

 

I have a problem: my customer lost his email on my server. He
said he didn't delete his email; he set his Outlook to 'leave copy on
server' without setting when it would be removed from the server, but his
old email was gone.

 

Anyone can help? Thank you 


-

Postfix does not do POP or IMAP. You need to look at the configuration
and logs for whatever is running those services, e.g.
Dovecot/Cyrus/Courier/whatever you're using.

 

 



RE: How to set catchall mailbox to /dev/null or remove at once?

2009-04-07 Thread MacShane, Tracy

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of wen.yongzheng
> Sent: Wednesday, 8 April 2009 1:04 PM
> To: postfix-users@postfix.org
> Subject: How to set catchall mailbox to /dev/null or remove at once?
> 
> Hello everybody:
> 
> I can set catchall mailbox in virtual_mailbox_map like this:
> @domain.name domain.name/catchall/
> 
> But I really do not want to check or read the catchall mails, 
> The only thing I want to do is to remove all mails in 
> catchall maildir. I wonder if I can set my catchall mailbox 
> directly to /dev/null or remove at once.
> 
> Can anybody help me ? Thanks.
> 

The usual requirement for a catch-all address is to "train" an antispam
engine, or similar tasks. If you don't require a catch-all, then remove
it. It also means you're not accepting mail for invalid addresses, which
means that you should be able to employ some useful
smtpd_recipient_restrictions and reduce your spam burden in general.


RE: A better backscatter killer?

2009-04-13 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Dennis Carr
> Sent: Tuesday, 14 April 2009 12:15 PM
> To: postfix-users@postfix.org
> Subject: A better backscatter killer?
> 
> Looking at options here for eliminating backscatter.  
> 
> 
> One thing I've been looking at doing is basically checking 
> headers, and if the From: header is null, then reject it immediately.
> 

Then you won't receive some genuine messages, both bounce and
non-bounce.

Try the ips.backscatterer.org RBL; it works well for us.

http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57402.html



RE: A better backscatter killer?

2009-04-14 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of mouss
> Sent: Wednesday, 15 April 2009 7:11 AM
> To: postfix-users@postfix.org
> Subject: Re: A better backscatter killer?
> 
> Ralf Hildebrandt a écrit :
> > * MacShane, Tracy :
> > 
> >> Then you won't receive some genuine messages, both bounce and 
> >> non-bounce.
> >>
> >> Try the ips.backscatterer.org RBL; it works well for us.
> >>
> >> http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57402.html
> > 
> > They are retarded. mail.charite.de is listed in it.
> > 
> 
> and I guess postfix members would be bothered to block:
>   camomile.cloud9.net[168.100.1.3]
>   english-breakfast.cloud9.net[168.100.1.7]
> 
> $ host 3.1.100.168.ips.backscatterer.org
> 3.1.100.168.ips.backscatterer.org has address 127.0.0.2
> $ host 7.1.100.168.ips.backscatterer.org
> 7.1.100.168.ips.backscatterer.org has address 127.0.0.2
> 
> so if one uses this list, then
> - use a whitelist (dnswl and possibly local WL)
> - use it in smtpd_data_restrictions to avoid blocking SAV 
> sources. while you may hate SAV, it's different than backscatter.
> 
> 

I do whitelist one of our backscatterers, since it's our Defence department. As 
it happens, it seems all of the backscatter I've trapped from them *is* 
backscatter, because they're bounces to non-existent addresses or evident spam 
messages. But I accept it all from them just in case. And yes, my restriction 
is in smtpd_data_restrictions, as shown in the original message I linked to.

Frankly, I'm not that fussed about blocking potential bounces from list mail. 
Also, if I were running an ISP rather than a corporate email system, I probably 
wouldn't use this RBL. I do wish there were a slightly less problematic one - 
ie. one that would respond promptly to requests for removal without gouging 50 
euro, and which didn't care so much about SAV - but I don't think it's *that* 
problematic. 

Our main source of spam that was getting through our header checks was from 
backscatter, and since I've instituted the RBL, it has entirely gone. Only a 
couple of hundred or so messages a day currently, but it makes a difference to 
our end-users, some of whom were disproportionately affected by the problem (we 
have a tag-and-forward content scanner, and some of these individuals were 
having to review and discard hundreds of messages a week).


RE: How to change the log location

2009-04-23 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Scott Haneda
> Sent: Friday, 24 April 2009 11:54 AM
> To: postfix-users@postfix.org
> Subject: How to change the log location
> 
> I think I have traveled from one end of the internet to the 
> other on this one :)  How do you change the log location for postfix?
> 
> Currently, the log is sent to /var/log/mail.log on Mac OS X.  
> I would like to move it to 
> /opt/local/var/log/postfix/mail.log since that is where postfix is.
> 
> OS X has a log roller built in, that rolls things out, I need 
> to keep my logs longer.  If I edit the OS X log roller to 
> exclude the mail.log, every system update seems to put it back.
> 
> I did not see any log path in the configure options for 
> building it out, or in any of the cf files.
> 
> Thanks
> --
> Scott * If you contact me off list replace talklists@ with scott@ *
> 


http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/syslog.conf.5.html#//apple_ref/doc/man/5/syslog.conf

http://developer.apple.com/documentation/Darwin/Reference/Manpages/man5/newsyslog.conf.5.html#//apple_ref/doc/man/5/newsyslog.conf


RE: Strange Bounce

2009-04-23 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Vince Sabio
> Sent: Friday, 24 April 2009 1:06 PM
> To: postfix-users@postfix.org
> Subject: Strange Bounce
> 
> One of my users sent me the attached bounce (note: I've made 
> some purely cosmetic changes to the bounce message, to remove 
> the user's e-mail address and change FQDNs so that the server 
> doesn't start getting spammed as a result of this posting -- 
> but the content of the bounce has not been materially 
> changed). It does not make sense to me ... the spool file no 
> longer exists, but I cannot conceive of a reason why it would 
> have two hard links (per the bounce message). 
> None of the other spool files have multiple hard links. Is 
> this a Postfix error? A known bug? An unknown bug?
> 
> I am running Postfix v2.0.18 on FreeBSD v7.0. Any 
> help/pointers greatly appreciated.
> 
> Thanks,
> Vince
> 

While someone might have some immediate ideas, it'd be more helpful to
post the relevant entries from the Postfix log, and the output of your
postconf -n, as specified in the list welcome message.

I'd also grep the postfix log for warning messages that might be related
to the spool file. This all assumes you manage the
"hermes.mailbounce.net" server.


RE: Postfix-2.6.0 RPM

2009-05-13 Thread MacShane, Tracy
 
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
> Sent: Thursday, 14 May 2009 9:04 AM
> To: postfix-users@postfix.org
> Subject: Re: Postfix-2.6.0 RPM
> 
> On Wed, May 13, 2009 at 04:07:39PM -0600, Just E. Mail wrote:
> 
> > I noticed that Postfix V#2.6.0 is now out. Does anybody know where to
> > get RPM files? GOOGLE did not help.
> 
> If the purpose of using RPM files is to facilitate binary 
> updates from distribution servers, wait until *your 
> distribution* upgrades to a newer supported version of Postfix.
> 
> If you incorporate your own Postfix into your O/S, why 
> download some random stranger's binary RPM?
> 
> Is there a real use case for binary RPMs not maintained by 
> the distribution release engineering teams? What's wrong with 
> the Postfix source, which is typically less likely to have 
> ill-advised patches dropped into it?
> 

Yes, there is unfortunately such a need, because RHEL5 is only up to
Postfix 2.3, and we require functionality from Postfix 2.5 and up
(destination_rate_delay). The OS administrators do not permit GCC and
devel libraries on the SMTP servers I maintain (and fair enough). Also,
installing non-RPM packages can obviously cause clashes when installing
other RH updates (at least RPM is clever enough not to try installing
Postfix 2.3 patches when it finds 2.5 already installed).

It would certainly be useful if an approved distributor provided
reliable and up-to-date RPM and DEB packages with a sensible set of
options compiled in.


RE: Postfix with PostgreSQL

2009-05-19 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Just E. Mail
> Sent: Wednesday, 20 May 2009 10:10 AM
> To: postfix-users@postfix.org
> Subject: Re: Postfix with PostgreSQL
> 
> In my first post, I mentioned that I plan to use a PostgreSQL 
> server at the backend to store emails.
> 
> Now my question: How to  build  Postfix  with   PostgreSQL support?
> 
> I noticed that http://www.postfix.org has example of  
> "Postfix PostgreSQL Howto" but it is for Postfix installed 
> source (tar.gz?). Is there a similar procedure when Postfix 
> is installed from RPMs.
> 
> PS: English is my 2nd language!
> 

Straight from "The Book of Postfix":

Execute:

$ ldd `/usr/sbin/postconf -h daemon_directory`/smtpd

On my RHEL system, I get the following, which is perfect since I didn't
add any PostgreSQL support to my build.

libldap-2.2.so.7 => /usr/lib64/libldap-2.2.so.7 (0x0035f9c0)
liblber-2.2.so.7 => /usr/lib64/liblber-2.2.so.7 (0x0035f9e0)
libpcre.so.0 => /lib64/libpcre.so.0 (0x0035f9a0)
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0035f7f0)
libssl.so.4 => /lib64/libssl.so.4 (0x0035f910)
libcrypto.so.4 => /lib64/libcrypto.so.4 (0x0035f930)
libz.so.1 => /usr/lib64/libz.so.1 (0x0035f830)
libdb-4.2.so => /lib64/tls/libdb-4.2.so (0x0035f8d0)
libnsl.so.1 => /lib64/libnsl.so.1 (0x0035f890)
libresolv.so.2 => /lib64/libresolv.so.2 (0x0035f8b0)
libc.so.6 => /lib64/tls/libc.so.6 (0x0035f7a0)
libdl.so.2 => /lib64/libdl.so.2 (0x0035f7d0)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0035f850)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x0035f8f0)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x0035f960)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0035f870)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x0035f980)
libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x0035f810)
/lib64/ld-linux-x86-64.so.2 (0x0035f780)


Query re logs

2009-05-19 Thread MacShane, Tracy
We've been having an intermittent problem with mail originating from a
specific domain, which may or may not be related to a specific host or
message type. It seems that the sending host is timing out before it
finishes the message transmission. I enabled debug logging (and bumped
up the smtp timeout back to 300s) for this domain.

Just to be sure I'm not barking up the wrong tree, would I expect to see
a log entry for the EOM in the verbose log from the sending server if it
existed? Here're some snipped logs:

May 20 10:22:22 smtp3 postfix/smtpd[17136]: connect from dfw-mailout1.example.com[199.xxx.xxx.xx]
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 220 smtp3.ourdomain.example.net ESMTP Postfix
May 20 10:22:22 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[199.xxx.xxx.xx]: EHLO dfw-mailout1.example.com
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-smtp3.ourdomain.example.net
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-PIPELINING
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-SIZE 10485760
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-ETRN
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-ENHANCEDSTATUSCODES
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250-8BITMIME
May 20 10:22:22 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250 DSN
May 20 10:22:23 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[199.xxx.xxx.xx]: MAIL From: SIZE=486707
May 20 10:22:23 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250 2.1.0 Ok
May 20 10:22:23 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[199.xxx.xxx.xx]: RCPT To:
May 20 10:22:24 smtp3 postfix/smtpd[17136]: 3697B2080A4: client=dfw-mailout1.example.com[199.xxx.xxx.xx]
May 20 10:22:24 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 250 2.1.5 Ok
May 20 10:22:24 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[199.xxx.xxx.xx]: DATA
May 20 10:22:24 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 354 End data with .
May 20 10:27:25 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[199.xxx.xxx.xx]: 421 4.4.2 smtp3.ourdomain.example.net Error: timeout exceeded


It seems pretty clear to me that we didn't receive an EOM (especially
since the timeout-exceeded caused the disconnection), but since I'm
going to be telling them it's a problem at their end, I'd like to be
sure I'm not telling them a pile of rubbish. 

I'm also going to try some tcpdump logging to see what I can find - any
recommendations for what I should be looking for?

Thanks.
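One way to answer the question above from the verbose log itself, as an added example that is not part of the original post: it walks postfix/smtpd verbose lines of the shape shown above and flags sessions where a 354 reply was never followed by any server reply other than the 421 timeout. The log lines in SAMPLE_LOG, the host names and the IP addresses are constructed.

```python
"""Find smtpd sessions that timed out while waiting for end-of-data.

A session whose next server reply after "354" is "421 ... timeout exceeded"
never delivered the final ".", whereas one whose next reply is
"250 ... queued as" (or a 5xx rejection) did.  Constructed sample data.
"""
import re
from datetime import datetime

# syslog timestamp, host, "postfix/smtpd[pid]: ", rest of line
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# verbose-mode server reply: "> client[ip]: NNN text" ("NNN-text" in EHLO replies)
REPLY_RE = re.compile(r"^> (?P<client>\S+): (?P<code>\d{3})[ -](?P<text>.*)$")

# Constructed log: pid 17136 never sends end-of-data; pid 17140 delivers a
# message and only then idles until the server's timeout closes it.
SAMPLE_LOG = """\
May 20 10:22:22 smtp3 postfix/smtpd[17136]: connect from dfw-mailout1.example.com[198.51.100.10]
May 20 10:22:24 smtp3 postfix/smtpd[17136]: < dfw-mailout1.example.com[198.51.100.10]: DATA
May 20 10:22:24 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[198.51.100.10]: 354 End data with <CR><LF>.<CR><LF>
May 20 10:27:25 smtp3 postfix/smtpd[17136]: > dfw-mailout1.example.com[198.51.100.10]: 421 4.4.2 smtp3.ourdomain.example.net Error: timeout exceeded
May 20 10:27:25 smtp3 postfix/smtpd[17136]: disconnect from dfw-mailout1.example.com[198.51.100.10]
May 20 10:30:00 smtp3 postfix/smtpd[17140]: connect from mx.example.org[203.0.113.5]
May 20 10:30:01 smtp3 postfix/smtpd[17140]: < mx.example.org[203.0.113.5]: DATA
May 20 10:30:01 smtp3 postfix/smtpd[17140]: > mx.example.org[203.0.113.5]: 354 End data with <CR><LF>.<CR><LF>
May 20 10:30:02 smtp3 postfix/smtpd[17140]: > mx.example.org[203.0.113.5]: 250 2.0.0 Ok: queued as QUEUEID0001
May 20 10:35:03 smtp3 postfix/smtpd[17140]: > mx.example.org[203.0.113.5]: 421 4.4.2 smtp3.ourdomain.example.net Error: timeout exceeded
"""


def _parse_ts(ts):
    # syslog timestamps carry no year; differences within one day are unaffected
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_data_timeouts(log_text):
    """Return one record per session closed with a 421 timeout while the
    server was still waiting for end-of-data."""
    waiting = {}       # pid -> {"client", "data_at"} once a 354 has been sent
    incidents = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, rest = m["pid"], m["rest"]
        if rest.startswith(("connect from ", "disconnect from ")):
            waiting.pop(pid, None)        # session boundary: drop any DATA state
            continue
        r = REPLY_RE.match(rest)
        if not r:
            continue                      # client command, queue-id line, etc.
        if r["code"] == "354":
            waiting[pid] = {"client": r["client"], "data_at": _parse_ts(m["ts"])}
        elif pid in waiting:
            state = waiting.pop(pid)
            if r["code"] == "421" and "timeout exceeded" in r["text"]:
                waited = (_parse_ts(m["ts"]) - state["data_at"]).total_seconds()
                incidents.append({"pid": pid, "client": state["client"],
                                  "waited_s": waited})
            # any other reply (250 queued, 5xx rejection) proves the "." arrived
    return incidents


if __name__ == "__main__":
    for hit in find_data_timeouts(SAMPLE_LOG):
        print("pid %(pid)s: %(client)s sent DATA but no end-of-data; "
              "timed out after %(waited_s).0fs" % hit)
```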


RE: Query re logs

2009-05-20 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
> Sent: Wednesday, 20 May 2009 6:19 PM
> To: postfix-users@postfix.org
> Subject: Re: Query re logs
> 
> On Wed, May 20, 2009 at 02:44:57PM +1000, MacShane, Tracy wrote:
> 
> > May 20 10:27:25 smtp3 postfix/smtpd[17136]: >
> > dfw-mailout1.example.com[199.xxx.xxx.xx]: 421 4.4.2 
> > smtp3.ourdomain.example.net Error: timeout exceeded
> 
> What I see for the same host is just overly-aggressive 
> connection caching, they hold idle connections open for 120s 
> after ".":
> ...
> The evidence that the problem is on their end is not yet in 
> hand. Either side could have path MTU issues, window-scaling 
> issues, ... with some insufficiently robust or slightly 
> misconfigured firewall.
> ...

Great, thanks very much for the investigation, illumination re
connection caching and timeout after EOM, and the suggestions for
further analysis. I did have a notion that there could be some strange
firewall problem going on at either or both ends (as you say, Sendmail
should be reliable), so I didn't want to jump to any conclusions that we
were exempt from any issues.

I'll get them to directly send me some test emails tomorrow and I'll go
through tcpdump to see what eventuates. We certainly have no problem
receiving messages *without* attachments from them or ~400KB messages
with or without Word attachments from elsewhere. I also want to exclude
whether message format (they may be sending "rich text") might be having
some kind of synergistic effect as well.


RE: rejecting non-local senders

2009-05-20 Thread MacShane, Tracy
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Matt Hersant
Sent: Thursday, 21 May 2009 7:42 AM
To: postfix-users@postfix.org
Subject: 


I'm having problems with spam for users who forge the sender to
appear as one of my domains.  The spam is coming from an external mail
server.  Is there anything I can add to my main.cf to combat this?  Any
suggestions are appreciated.

smtpd_recipient_restrictions =
    # allow password auth
    permit_sasl_authenticated,
    # allow local mail
    permit_mynetworks,
    # ease load on greylisting: drop wrong domains...
    reject_unauth_destination,
    # reject forged senders
    reject_non_fqdn_sender,
    # reject fake local senders
    #check_sender_access /etc/postfix/local_host_names
    ...
    # check RBL
    reject_rbl_client sbl-xbl.spamhaus.org,



You might as well use zen.spamhaus.org instead of just sbl-xbl

If you're happy to block all email from external hosts that's purporting
to be from your senders, you can do a check_sender_access, which comes
after reject_unauth_destination. I'd put it after
reject_non_fqdn_sender, just to save the lookup. I see you have a
check_sender_access commented out already - perhaps your hash file was
wrong?

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/reject_fake_senders

Contents of reject_fake_senders:
#
yourdomain.example.com  REJECT You are not sending from our network
yourdomain.example.gov.au   REJECT


This won't work if you have senders relaying mail from external hosts
without authenticating, and it will break those subscription things that
use your recipient addresses as sender addresses (such as some online
"greeting cards" or newspaper notifications and the like). In our
domain, we don't care about rejecting such mail.
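The restriction order in the reply above, walked through by a small simulator; this is an added example, not the poster's configuration. The mynetworks and mydestination values, the client addresses, the extra partner.example.net OK entry and the sessions are constructed, and only the five restrictions used in the post are modelled (relay_domains and the rest of smtpd's logic are left out). It also shows why the access map has to sit after reject_unauth_destination: an OK entry placed before it turns the server into an open relay.

```python
"""Simulate smtpd_recipient_restrictions for a check_sender_access setup.
Constructed values and sessions; models only the five restrictions used
in the post, with access(5) parent-domain matching for sender addresses."""
import ipaddress

# Constructed stand-ins for main.cf values (not from the post).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MYDESTINATION = {"yourdomain.example.com", "yourdomain.example.gov.au"}
# Access map in the shape of the posted reject_fake_senders file, plus one
# constructed OK entry that shows why map placement matters.
REJECT_FAKE_SENDERS = {
    "yourdomain.example.com": "REJECT You are not sending from our network",
    "yourdomain.example.gov.au": "REJECT",
    "partner.example.net": "OK",
}
POSTED_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
                "reject_unauth_destination", "reject_non_fqdn_sender",
                "check_sender_access hash:/etc/postfix/reject_fake_senders"]
# Same restrictions with the access map moved ahead of reject_unauth_destination.
MISORDERED = POSTED_ORDER[:2] + POSTED_ORDER[4:] + POSTED_ORDER[2:4]


def access_lookup(sender, table):
    """access(5) lookup order for an address: user@domain, the domain and each
    parent domain (smtpd_access_maps is in parent_domain_matches_subdomains by
    default), then user@.  Returns the action text, or None for no match."""
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender, domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def evaluate(client_ip, sasl, sender, rcpt, restrictions):
    """First restriction that decides wins; an exhausted list means permit."""
    client = ipaddress.ip_address(client_ip)
    sender_domain, rcpt_domain = sender.rpartition("@")[2], rcpt.rpartition("@")[2]
    for r in restrictions:
        if r == "permit_sasl_authenticated" and sasl:
            return "PERMIT (permit_sasl_authenticated)"
        if r == "permit_mynetworks" and any(client in net for net in MYNETWORKS):
            return "PERMIT (permit_mynetworks)"
        if r == "reject_unauth_destination" and rcpt_domain not in MYDESTINATION:
            return "REJECT 554 5.7.1 Relay access denied"
        if r == "reject_non_fqdn_sender" and sender and "." not in sender_domain:
            return "REJECT 504 5.5.2 Sender address rejected: need fully-qualified address"
        if r.startswith("check_sender_access "):
            action = access_lookup(sender, REJECT_FAKE_SENDERS)
            if action is None:
                continue              # DUNNO: try the next restriction
            if action.startswith("OK"):
                return "PERMIT (check_sender_access OK)"
            return "REJECT 554 5.7.1 " + (action[len("REJECT "):] or "Access denied")
    return "PERMIT (end of list)"


# Constructed sessions: (client IP, SASL-authenticated?, envelope sender, recipient).
SESSIONS = {
    "forged local sender from outside":
        ("203.0.113.7", False, "ceo@yourdomain.example.com", "staff@yourdomain.example.com"),
    "forged subdomain sender from outside":
        ("203.0.113.7", False, "x@mail.yourdomain.example.gov.au", "staff@yourdomain.example.com"),
    "own user, SASL-authenticated from outside":
        ("203.0.113.7", True, "ceo@yourdomain.example.com", "friend@example.org"),
    "own user from mynetworks":
        ("192.0.2.10", False, "ceo@yourdomain.example.com", "friend@example.org"),
    "ordinary external mail":
        ("203.0.113.7", False, "bob@example.org", "staff@yourdomain.example.com"),
    "relay attempt matching the OK entry":
        ("203.0.113.7", False, "x@partner.example.net", "victim@example.org"),
}


def decide_all(restrictions):
    return {name: evaluate(*s, restrictions) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for label, order in (("posted order", POSTED_ORDER), ("misordered", MISORDERED)):
        for name, verdict in decide_all(order).items():
            print("%-12s %-42s %s" % (label, name, verdict))
```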




RE: BackScatter Problem

2009-05-27 Thread MacShane, Tracy
 

> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of jan gestre
> Sent: Wednesday, 27 May 2009 5:00 PM
> To: postfix-users@postfix.org
> Subject: Re: BackScatter Problem
> 
> > If it's backscatter, it should be coming from <>, not a
> > "valid company address".  Please show your logs during delivery of the
> > alleged backscatter.
> >
> 
> I don't have anymore the logs from Postfix and I'm not sure 
> if it really is a backscatter problem, all I have right now is the
> following:
> 
> --
> -Original Message-
> From: Judy Aguilar [mailto:judyagui...@example.com]
> Sent: Tuesday, May 26, 2009 4:41 PM
> To: Sheila Villanueva
> Subject: Fw: No branding needed!
> 
> Pls see "VIAGRA.Official Site's email address -- creati...@example.com
> 
> Fyi.
> 
> - Original Message - From: "Biba Cabuquit" 
> 
> To: "VIAGRA . Official Site" 
> Sent: Tuesday, May 26, 2009 3:16 PM
> Subject: No branding needed!
> 
> --- end-
> 
> The creati...@example.com is a valid email address and yet it 
> has the name VIAGRA Official site; is the mail server 
> causing the issue, or is there a worm on the user's PC that's 
> causing this?
> 
> 
> >> My /etc/postfix/header_checks contain only the following:
> >>
> >> /^Received:/ HOLD
> >
> > Very odd that you want to hold ALL email with this check.  Does
> > MailScanner examine messages in the hold queue and then
> > release them?
> >
> 
> MailScanner really examines messages in the HOLD queue 
> because all emails incoming/outgoing are tagged by 
> MailScanner as having been scanned, or am I totally wrong?
> 


While others might have better luck trying to divine why you're getting the 
spam, it's very difficult to do so with a couple of message snips (you haven't 
even included the full headers). However, as a guess, someone is spoofing the 
"creati...@example.com" to send spam, and now you're getting the backscatter. 
It could be any machine on the internet spoofing that address.

As for Mailscanner, perhaps it's better to ask over on their support site. If 
you look at the Addons page on the postfix.org site, it says "* mailscanner 
system, works with Postfix and other MTAs. WARNING: This software uses 
unsupported methods to manipulate Postfix queue files directly. This will 
result in corruption or loss of mail. The mailscanner authors have sofar 
refused to discuss a proper access API or protocol."