[pfx] Re: Cant join postfix users mailing list

2024-08-06 Thread Marek Podmaka via Postfix-users
On Tue, 30 Jul 2024 at 09:51, Phil Biggs via Postfix-users
 wrote:
> I only use list.dnswl.org (for good ones) and zen.spamhaus.org (bad) in
> postscreen.  Very effective but I did, just once, see an IP simultaneously
> listed in both.

DNSWL is not for the good ones. It is for well-known mailservers.
Useful for example to avoid greylisting them as you are certain they
will retry later. So it is possible that a mailserver will be
temporarily listed in a blacklist like ZEN if it also sends spam.

BTW has there been any recent study on the effectiveness of
greylisting? Is it still useful for some part of spam? Because I still
see delayed incoming emails due to greylisting when the sender uses a
bunch of different IPs for each delivery retry.


-- 
  bye, Marki
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: webmail with multi-domains supported

2024-07-20 Thread Marek Podmaka via Postfix-users
On Sat, 20 Jul 2024 at 06:28, timothy via Postfix-users <
postfix-users@postfix.org> wrote:

>
> When I open webmail, it always displays a dropdown menu for me to select
> an IMAP host. This is so frustrating. How to disable this drop-down menu and
> automatically match email addresses to imap hosts?
>
>
You need to use a few lines of PHP code - just create a plugin, which will
set the imap_host variable based on the email address given by the user.
Plugin is a PHP class, in its own folder under plugins/dir with filename
same as dir name. Then just add the plugin into active plugins in your
config. See examples to see other options you can change.

Something like this (simplified, as I actually take the IMAP host from
database):

<?php
class multi_imap extends rcube_plugin {
    // Load this plugin only for the login task
    public $task = 'login';

    public function init() {
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    // Choose the IMAP host from the domain part of the login name
    public function authenticate($args) {
        if (preg_match('~@free\.fr$~', $args['user'])) {
            $args['host'] = 'imap.free.fr';
        }
        return $args;
    }
}


[pfx] Re: managesieve filter not working

2024-06-04 Thread Marek Podmaka via Postfix-users
On Tue, 4 Jun 2024 at 11:19, Celal.Dikici via Postfix-users <
postfix-users@postfix.org> wrote:

> Hello,
> For the e-mail infrastructure we use roundcube 1.6.6 postfix 3.7.10,
> dovecot 2.3.19.1 installed on debian 12.05.  We use the larry theme as the
> interface. We use managesieve plugin for filtering. I have extracted some
> configurations below. Although the services are working properly, the
> filtering rules are not working. Although I have activated the Sieve logs,
> no negative logs are being sent. It is as if postfix/dovecot is not talking
> to managesieve. I wonder where I am doing wrong?
> Thank you for your help.
>
> *dovecot -n*
> protocol lmtp {
>
> mail_plugins = sieve
>
> }
>
> protocol lda {
>
> mail_plugins = sieve
>
> }
>
> *postconf -n*
> virtual_transport = lmtp:unix:private/dovecot
>

You seem to have enabled sieve in both lmtp and lda in dovecot (have you
restarted dovecot since then?).

Logs would help. Is postfix really delivering mail via dovecot? I see you
have virtual_transport defined, but don't see virtual users/domains. Are
you really using virtual users? Paste here log from postfix for delivering
email which should be filtered via sieve, something like this:

kenny postfix/pipe[22010]: 2431C: to=, orig_to=,
relay=dovecot, delay=1.8, delays=1.7/0/0/0.06, dsn=2.0.0, status=sent
(delivered via dovecot service)

LMTP/LDA should log info about sieve processing to the same log destination
as rest of dovecot, for example:

kenny dovecot: lda(marki@xxx)<26865>: sieve:
msgid=<20240603221836.xxx@xxx>: stored mail into mailbox 'INBOX'




-- 
  bye, Marki


[pfx] Re: duplicate deliveries

2024-04-14 Thread Marek Podmaka via Postfix-users
On Sun, 14 Apr 2024 at 01:15, Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> If there is a difference in deduplication, then you have introduced
> a difference up-stream of the delivery agents. You need to find
> that difference.
>

Unfortunately I don't remember in which cases there were issues with
duplicate emails. However they also use some forwarding in sieve filters
(which caused message loops sometimes), so maybe this is the reason? I know
that when forwarding from sieve filter (as opposed to using aliases), it is
a completely new message (with new queue id) for postfix.

The differences between the servers are not large, the newer one is based
on the older, with some settings changed to be more "how it should be
currently done". On the old server (original config maybe 15 years old,
with debian/postfix upgrades but minimal config changes), I prefer the
"don't touch running system" approach, as modifying working parameters to
be better (but with same functionality) could cause unpredicted issues.
Both servers use the same underlying database structure.

I'm not sure if I can use LMTP instead of LDA. My notes say that for sieve
to have information about the original recipient I should add the "O" flag
for the dovecot pipe entry in master.cf. And it also has "D" (from dovecot
documentation example). And both these flags require
destination_recipient_limit=1 to work. Do these features/flags work with
LMTP implicitly and without the requirement of the recipient limit being 1?

Here is postconf -n from the newer system:
mysql-virtual.cf returns email-->destination mapping
mysqlvirtual-maps.cf returns mailbox location for an existing virtual user
mysql-transport.cf returns "virtual:" for our domains

afterproxy_sender_restrictions = check_recipient_mx_access
hash:/etc/postfix/checks/access_sender
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 300s
anvil_status_update_time = 1800s
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 2d
bounce_size_limit = 1
compatibility_level = 2
dovecot_destination_recipient_limit = 1
enable_original_recipient = yes
header_checks = pcre:/etc/postfix/checks/header_hold.pcre
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_recipient_maps = $alias_maps, $virtual_mailbox_maps,
unix:passwd.byname
mailbox_size_limit = 0
maximal_queue_lifetime = 2d
message_size_limit = 57671680
mua_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject
mydestination = $myhostname, mail.xx.sk, baru, localhost.localdomain,
localhost
myhostname = mail.xx.sk
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
sender_bcc_maps = hash:/etc/postfix/checks/bcc_sender
smtp_address_preference = ipv4
smtp_connect_timeout = 15s
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 300
smtpd_client_event_limit_exceptions = 127.0.0.1 37.9.172.161
smtpd_client_message_rate_limit = 700
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_restrictions =
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_proxy_filter = 127.0.0.1:27
smtpd_proxy_options = speed_adjust
smtpd_proxy_timeout = 180
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions = hash:/etc/postfix/checks/access_dest,
check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination, permit_dnswl_client
list.dnswl.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client
virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:10023,
smtpd_relay_restrictions =
smtpd_restriction_classes =
mua_recipient_restrictions,afterproxy_sender_restrictions
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = hash:/etc/postfix/checks/access_sender,
check_sender_access hash:/etc/postfix/checks/check_backscatterer,
reject_unknown_sender_domain, warn_if_reject, reject_non_fqdn_sender
smtpd_timeout = ${stress?10}${stress:60}s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.xx.sk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.xx.sk/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
syslog_facility = local1
transport_maps = hash:/etc/postfix/checks/transport
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virt_alias,
proxy:mysql:/etc/postfix/mysql/mysql-virtual.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/mysql-transport.cf
virtual_mailbox_limit = 62914560
virtual_mailbox_maps = proxy:mysql:/etc/post

[pfx] duplicate deliveries

2024-04-13 Thread Marek Podmaka via Postfix-users
Hi,

When/how does postfix prevent duplicate deliveries when delivering to an
alias and explicitly also to the alias result? For example all@domain + Cc
to one of the members of that alias. I have found parameters
"duplicate_filter_limit" and "enable_original_recipient" that mention it,
but I don't understand how exactly it works.

I have an older mailserver where this works (no duplicate deliveries,
otherwise someone would complain). I am using virtual users with default
virtual delivery.

I also have another mail server also with the same type of virtual users
(same database schema), but which was set up with Dovecot LDA as delivery
agent. And there the deduplication doesn't work, I had to use
dovecot-sieve's "duplicate" extension, which discards the duplicated email.
Is it because for LDA I have destination_recipient_limit=1? Or maybe just
because of using sender_bcc_maps and not related to LDA?

I have set up a sieve rule in the past according to
https://serverfault.com/questions/112958/postfix-aliases-and-duplicate-e-mails-how-to-fix
which mentions old faq.html on postfix web and some broken links to old
mail list archives claiming the deduplication is not implemented. So what
are the prerequisites for it to work?
I am now planning to migrate the old server from courier to dovecot + lda
and want to know if I will need the sieve solution again or not...

-- 
  bye, Marki


[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Marek Podmaka via Postfix-users
On Wed, 10 Jan 2024 at 16:45, Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

>
> Keeping in mind
> that of course in smtpd(8) there's no scoring, so the whitelists with
> negative scores aren't available.  If you absolutely want to ensure
> that the whitelists are honoured, then you need to stick to just
> postscreen.
>
>
He can use permit_dnswl_client in smtpd_*_restrictions to use whitelists
without postscreen.

-- 
  bye, Marki


[pfx] Re: implementing recipient rate limits

2024-01-02 Thread Marek Podmaka via Postfix-users
On Tue, 2 Jan 2024 at 13:13, Matus UHLAR - fantomas via Postfix-users <
postfix-users@postfix.org> wrote:

> Hello,
>
> http://www.postfwd.org/ratelimits.html
>
> Of course, if there is any other tool that can do that, I'll look.
>
>
> However, I need to find the limits to set.  Guessing is quite hard as some
> clients post too many mails, I'd like to have limits safe and not limiting.
>
>
I am using limits per sasl_sender set via postfix-cluebringer. I have a
per-hour and per-day limit set.
To avoid customer complaints, email which is over the limit is not rejected,
just put into the HOLD queue for manual inspection and release, and an alert in
the monitoring system is triggered when there is any email waiting in the HOLD
queue. I know it's not very scalable, but with reasonable limits it's
working fine.
I have 3 policy groups - normal, higher limits and spam. I put users which
send many emails in the second group and senders which send from 5
different countries in 24 hours into the spam group, which has limit only 1
per day (so basically all emails go to HOLD queue). I might need another
group, which would be just for bulk senders (for example 150 pay slips at
the beginning of month and then nothing for the rest of the month).


-- 
  bye, Marki


[pfx] Re: queue_lifetime clarification

2023-12-14 Thread Marek Podmaka via Postfix-users
On Thu, 14 Dec 2023 at 12:14, anant--- via Postfix-users <
postfix-users@postfix.org> wrote:

>
> and used header_checks to hold the mails in queue.
>
> Now, as no decision is made, I want to continue to hold for another 13
> days more.
>
>
> Will this change, hold the queue for another 13 days more? Or it
> remembers the earlier lifetime of 7 days for those in hold queue?
>
>
IMHO messages will stay in hold queue forever.
Man page for "postsuper" mentions that if you want to release a message
from hold queue, which has been there for a long time, you should use
"postfix -r", so it gets a new queue id and its lifetime starts from 0.


[pfx] Re: No Postfix novice, but need novice-like advice (was Postfix or Dovecot cracked?!)

2023-06-09 Thread Marek Podmaka via Postfix-users
Hello,

On Fri, 9 Jun 2023 at 02:40, Richard Troy via Postfix-users <
postfix-users@postfix.org> wrote:

>
> Given all the work I did on Postfix to stop relaying from unauthorized
> parties, and how after a mountain of work the "open-mail-relaying" was
> only coming from a couple of spammers in Russia, it's my view they somehow
> cracked things, even though we changed 100% of ALL user passwords to VERY,
> and I mean completely impractical to crack values (30 chars plus). And so
> I want to blame Dovecot for letting through the relaying. They say no,
> it's Postfix!
>

What exactly happens? Do unauthenticated users send spam through your
server? Or do the spammers somehow login with a valid SASL
username/password? If the second, it's not the fault of postfix nor
dovecot. We run a postfix server for your clients and at least once a month
we get spam through "hacked" email accounts. And even if the customer
changes the password, the spam continues, because guess what - they have a
virus on their Windows machine which reads the saved password directly from
Outlook or other email clients. So you can keep changing the password
forever...


> A new feature that would make a HUGE difference to sites like mine: Give
> me a white-list of the ONLY accounts (usernames) that can relay; NOTHING
> ELSE can relay. ... THAT would do it! But no! Neither in Postfix nor
> Dovecot is there such a thing! ...Such a thing CANNOT be that hard to
> implement and obviously useful to many; is there a good reason NOT to do
> this? Or am I wrong and it HAS been done?
>

It is possible to limit accepted email to have the same envelope sender as
the SASL username directly in postfix. Using milters, you can also limit
other headers before accepting that email.



> Combine that with a greylist type function (similar to the postgrey
> package I have installed now) where the usual IP addresses for particular
> relay users were let through, and new ones delayed, THAT would be awesome,
> too! And this isn't even all that hard to do - I could do it if I didn't
> already have a thousand obligations in life!
>

We have policyd which limits the number of emails per SASL username per
hour and per day. Excessive emails go into the postfix HOLD queue and are
inspected manually before releasing them. That limits the spam to
reasonable numbers to prevent our IP being blacklisted immediately.

Also I have a script which does a GEO-IP lookup on all SASL logins from the
postfix logs. If a user logs in from more than 3 countries in 24 hours, I
get an alert + the user is put into a bucket where the limit is 1 email per
hour.


> As a small digression on some of the above: I think I don't know enough
> about how Postfix's use of port 587 is properly secured - the "submission
> port". OK, STARTTLS we're told, but is it Postfix or Dovecot doing the
> authentication? Does Postfix EVER read a password file? I think it does
> not, and so I say it has to be Dovecot, but some clearing up of that would
> be nice... And, now that I think of it could this be a way to prove which
> is guilty of letting the spammers in?
>

You must know which authentication provider you are using for your SASL
logins in postfix. It can be Dovecot, but can also be something else.



-- 
  bye, Marki
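
Added example, not part of the original post and not the author's script: a sketch of the check described above (and in the 2024-01-02 rate-limit message), flagging SASL users whose logins come from more than 3 countries within 24 hours. The ISO 8601 log timestamps, the inline GeoIP table and all names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP database (documentation address ranges).
GEO_TABLE = [(ipaddress.ip_network(n), cc) for n, cc in (
    ("192.0.2.0/25", "SK"), ("192.0.2.128/25", "DE"), ("198.51.100.0/24", "US"),
    ("203.0.113.0/24", "BR"), ("2001:db8::/32", "VN"))]

# Constructed log lines; ISO 8601 syslog timestamps are an assumption.
SAMPLE_LOG = """\
2023-06-08T08:00:01+02:00 mail postfix/submission/smtpd[2101]: 4A1B2C3D4E: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
2023-06-08T09:00:00+02:00 mail postfix/submission/smtpd[2102]: 4A1B2C3D50: client=unknown[192.0.2.11], sasl_method=PLAIN, sasl_username=bob@example.com
2023-06-08T10:00:00+02:00 mail postfix/submission/smtpd[2103]: 4A1B2C3D51: client=unknown[192.0.2.201], sasl_method=LOGIN, sasl_username=bob@example.com
2023-06-08T11:30:12+02:00 mail postfix/submission/smtpd[2104]: 4A1B2C3D52: client=unknown[192.0.2.200], sasl_method=PLAIN, sasl_username=alice@example.com
2023-06-08T12:00:00+02:00 mail postfix/smtpd[2150]: connect from unknown[203.0.113.50]
2023-06-08T19:45:40+02:00 mail postfix/submission/smtpd[2105]: 4A1B2C3D53: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
2023-06-09T02:10:05+02:00 mail postfix/submission/smtpd[2106]: 4A1B2C3D54: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@example.com
2023-06-09T08:00:00+02:00 mail postfix/submission/smtpd[2107]: 4A1B2C3D55: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=bob@example.com
2023-06-09T09:30:00+02:00 mail postfix/submission/smtpd[2108]: 4A1B2C3D56: client=unknown[2001:db8::25], sasl_method=PLAIN, sasl_username=bob@example.com
"""

# Matches the smtpd line that carries both client=...[ip] and sasl_username=...
SASL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/(?:\w+/)?smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[0-9A-Fa-f.:]+)\], .*sasl_username=(?P<user>\S+)")

def country_of(ip):
    """Country code for ip from GEO_TABLE, or None if unknown or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((cc for net, cc in GEO_TABLE
                 if net.version == addr.version and addr in net), None)

def flag_roaming_logins(lines, max_countries=3, window=timedelta(hours=24)):
    """Return {user: sorted countries} for users over the limit in one window."""
    events = []
    for line in lines:
        m = SASL_RE.match(line)
        cc = country_of(m["ip"]) if m else None
        if cc:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], cc))
    events.sort(key=lambda e: e[0])
    recent, flagged = defaultdict(deque), {}
    for ts, user, cc in events:
        q = recent[user]
        q.append((ts, cc))
        while ts - q[0][0] > window:  # drop logins older than the window
            q.popleft()
        seen = {c for _, c in q}
        if len(seen) > max_countries and user not in flagged:
            flagged[user] = sorted(seen)
    return flagged

if __name__ == "__main__":
    print(flag_roaming_logins(SAMPLE_LOG.splitlines()))
```

In the sample, bob also logs in from four countries, but not within any single 24-hour window, so only alice is flagged.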


[pfx] Re: Contradicting Postfix documentation

2023-05-02 Thread Marek Podmaka via Postfix-users
On Tue, 2 May 2023 at 15:54, Kolusion K via Postfix-users <
postfix-users@postfix.org> wrote:

> Greetings
>
>
> I have found some contradicting Postfix documentation and I feel that it
> is my duty to make a revelation of it.
>
> https://www.postfix.org/postconf.5.html
>
> The inet_interface parameter is described as for receiving connections;
>
> The smtp_bind_address parameter is described as for making connections,
> and note 1 describes the inet_interface parameter as for making
> connections, contradicting the inet_interface parameter description.
>
> My experience with the inet_interface parameter is that it has no effect
> on making connections.
>

Have you read the note 1 completely? It says it will use the addr from
inet_interfaces by default. But the whole smtp_bind_address is just for
IPv4. There is a separate smtp_bind_address6 for IPv6. And your issue was
with IPv6.

The only thing that is not entirely clear in the Note1 is if the value from
inet_interface is used only when smtp_bind_address is not set, or it always
overrides its value.


[pfx] Re: Error when telnet testing, 1st cmd always fails

2023-04-25 Thread Marek Podmaka via Postfix-users
It is a feature. Putty has an option to use "Telnet" protocol or "Raw"
protocol.

On Tue, 25 Apr 2023 at 16:43, Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> Use netcat (nc) instead of putty.
>
> I suspect that putty is sending telnet protocol options, even when
> it connects to a server on a non-telnet port. That would be a putty
> bug.
>
> Wietse