Re: Password mismatch. Might the md5usm be wrong?

2013-07-07 Thread Mark Alan
On Sun, 7 Jul 2013 11:29:55 +0300, Dotan Cohen dotanco...@gmail.com
wrote:
 On an Ubuntu Server 12.04 system with Dovecot 2.0.19 I am having some

 $ /usr/bin/doveadm pw -u u...@somedomain.com -s DIGEST-MD5
 Enter new password: # Here I have typed 12345
 {DIGEST-MD5}f4e442b0dec5009eaa8b9b4104923edc
 $ printf 12345 | md5sum
 827ccb0eea8a706c4c34a16891f84e7b  -
 
 Shouldn't that password match the md5sum check? Also, might I have the
 file formats wrong?

The best place for this question is the Dovecot mailing list.

That said, as a hint you should look at:
http://wiki2.dovecot.org/Tools/Doveadm/Pw

While at that page, if you go to the part about '-u user' it clearly reads:
  'When the DIGEST-MD5 scheme is used, also the user name must be
  given, because the user name is a part of the generated hash.'

Where in 'printf 12345 | md5sum', is that (required) user name?

M.
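A way to check a stored {DIGEST-MD5} value by hand, as an added example that is not part of the thread: Dovecot's DIGEST-MD5 scheme is MD5 over the string user:realm:password, with the realm taken from the domain part of the login name, which is why doveadm pw insists on the user name and why a plain md5sum of the password alone cannot match. The login user@example.com is constructed for the example; the only values taken from the thread are the password 12345 and its bare MD5. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: recompute Dovecot's {DIGEST-MD5}
# scheme so a stored hash can be verified offline. Dovecot hashes the
# string "user:realm:password", where realm is the domain part of the
# login name; "user" and "example.com" below are constructed values.

# MD5 of a string as 32 hex characters. printf '%s' avoids both the
# trailing newline that echo would add and format-string interpretation.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Plain MD5 of the password alone, i.e. what `printf 12345 | md5sum` gives.
plain_md5() {
    md5_hex "$1"
}

# Dovecot DIGEST-MD5: MD5("user:realm:password"), realm = part after '@'.
# A login without an '@' hashes with an empty realm ("user::password").
dovecot_digest_md5() {
    login=$1
    pass=$2
    user=${login%%@*}
    case $login in
        *@*) realm=${login#*@} ;;
        *)   realm= ;;
    esac
    md5_hex "${user}:${realm}:${pass}"
}

# Compare a stored "{DIGEST-MD5}<hex>" value against a candidate password
# for a given login. Returns 0 on match, 1 otherwise.
verify_digest_md5() {
    stored=$1
    login=$2
    pass=$3
    hex=$(printf '%s' "$stored" | sed 's/^{DIGEST-MD5}//')
    [ "$hex" = "$(dovecot_digest_md5 "$login" "$pass")" ]
}

# Demonstration with the constructed login and the thread's password.
login='user@example.com'
pass='12345'
stored="{DIGEST-MD5}$(dovecot_digest_md5 "$login" "$pass")"
echo "md5sum of the bare password : $(plain_md5 "$pass")"
echo "doveadm-style DIGEST-MD5    : $stored"
verify_digest_md5 "$stored" "$login" "$pass" && echo "same user, same password: match"
verify_digest_md5 "$stored" 'other@example.com' "$pass" || echo "other user, same password: no match"
```

To check a real entry, call verify_digest_md5 with the exact login the hash was generated for (user and domain) and the {DIGEST-MD5} string from the passwd file; a different realm or a missing domain part gives a different hash even for the right password.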


Re: Forwarding from a particular email address

2013-04-11 Thread Mark Alan
On Thu, 11 Apr 2013 03:01:58 +0300, Indiana Jones
indian...@inbox.lv wrote:
 # for single address
  printf "us...@example1.com us...@example2.com\n" >> /etc/postfix/virtual
  # for multiple addresses
  printf "us...@example1.com us...@example2.com\nus...@example3.com us...@example4.com\n" >> /etc/postfix/virtual
 
 Thank you very much! 
 I edited main.cf and created the file /postfix/virtual and followed
 all these steps, but this way Postfix does not leave copies of the
 forwarded messages on the server. 
 I need postfix to leave a copy of the forwarded message so that it
 can also be collected locally by the recipient! i.e. the recipient
 wants to receive his incoming mail on the two different addresses
 simultaneously! 
 
 Could you possibly explain how to do that?

Try to also map each address to itself:

us...@example1.com us...@example1.com
us...@example1.com us...@example2.com
us...@example3.com us...@example3.com
us...@example3.com us...@example4.com
 

M.


Re: Forwarding from a particular email address

2013-04-11 Thread Mark Alan
On Thu, 11 Apr 2013 06:56:13 -0400 (EDT), Wietse Venema
wie...@porcupine.org wrote:

 That should be:
 
 us...@example1.com us...@example1.com us...@example2.com
 us...@example3.com us...@example3.com us...@example4.com

Makes sense and perhaps it seems obvious to the postfix developers, but
I do not remember seeing such a usage case (a /etc/postfix/virtual
file with user1 -> user1 user2) in the postfix documentation, namely,
neither at:
http://www.postfix.org/ADDRESS_REWRITING_README.html
nor at:
http://www.postfix.org/VIRTUAL_README.html.

M.


Re: Forwarding from a particular email address

2013-04-10 Thread Mark Alan
On Wed, 10 Apr 2013 15:32:14 +0300, Indiana Jones
indian...@inbox.lv wrote:
 Thank you, but I don't have file /postfix/virtual
 What should I do?

Create one?

Use any text editor and create it.

Or, you can try something like this:

# for single address
printf "us...@example1.com us...@example2.com\n" >> /etc/postfix/virtual

# for multiple addresses
printf "us...@example1.com us...@example2.com\nus...@example3.com us...@example4.com\n" >> /etc/postfix/virtual


M.


Re: Could you help me with Postfix + MimeDefang?

2013-02-05 Thread Mark Alan
On Mon, 04 Feb 2013 22:13:14 -0500, Bill Cole
postfixlists-070...@billmail.scconsult.com wrote:

 alternative to hooking the MD milter into your main smtpd would be to
 define a transport in master.cf running smtpd with MD as a milter,
 and use postfix's transport map to route just the one address there.
 This would also allow you to avoid the ugly problem of envelope
 recipient splitting inside MD.

Well, that was also my gut feeling, that was why I posted here to try
to find some (solid) evidence.

So, assuming MD SPOOLDIR='/var/spool/postfix/mimedefang' and
SOCKET='/var/spool/postfix/mimedefang/mimedefang.sock', would the
following do the job?

postconf -e 'virtual_alias_maps = /etc/postfix/virtual-alias-maps'
# /etc/postfix/virtual-alias-maps
   mailing_lis...@example.com mailing_list_1@localhost.mlmmj
   ...
postconf -e 'transport_maps = /etc/postfix/virtual-transport'
# /etc/postfix/virtual-transport
   mailing_list_1@localhost.mlmmj filteredmlmmj:mailing_list_1
   ...
# /etc/postfix/master.cf
   # transport for the mlmmj mailing lists
mlmmj   unix  -   n   n   -   -   pipe
  flags=ORhu user=mlmmj argv=/usr/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop
   # filtered transport for the mlmmj mailing list manager
filteredmlmmj   unix  -   -   -   -   - mlmmj
  -o smtpd_milters=unix:mimedefang/mimedefang.sock

Please note, in this last statement, 'unix', 'mlmmj' and '-o
smtpd_milters' and the 5 dashes.

 You can probably get a more complete answer on the MD mailing list.

Not at all. The stated problem is an old problem. I have researched
extensively a lot of discussions about this subject both in MD list and
in the postfix list (and a lot of useless 'recipes' too). People tend
to see this issue as some sort of magically solved hit or miss issue.
And the people that develop MD seem to be more in the business of
selling canned solutions (pun intended), than into producing good
and clear documentation.

 Also note that configuring MD means
 writing a collection of Perl functions with predefined interfaces to
 implement the message filtering. If you are not comfortable writing
 Perl,

No problem with the needed Perl functions.

 MD may not be the right tool for you.

MD is certainly resource hungry. But I do not know any other app
that meets the specs:
  convert html-text,
  remove unsafe attachments (offenders with known ext's),
  remove+webserve file attachments larger than 500KB

Right now we are piping email into altermime --input=- --removeall,
but altermime is orphaned/abandonware and it does not do that file
attachment remove+webserve job.

Thank you,

Mark.


Could you help me with Postfix + MimeDefang?

2013-02-04 Thread Mark Alan
Hello list,

I would like to use MimeDefang to sanitize the emails that arrive
at one of our 3 mailing lists, i.e., to convert html-text, remove
unsafe attachments, and remove+webserve file attachments
larger than 500KB.

There are few tutorials on this subject and most, like Mickey Hill's
http://www.mickeyhill.com/mimedefang-howto , ask for the installation
of sendmail and present a config tightly coupled with sendmail
internals (the real sendmail, not postfix's sendmail).

Could you please provide (or point to) a couple of working examples on
how to setup mimedefang with postfix (would it be better done as a
transport+filter, or as milter?) and, if possible, throw some light
on the advantages/disadvantages of each alternative?

Thank you,

Mark
PS: My current setup uses postfix 2.9.3 + mlmmj 1.2.18 + ubuntu
12.04, to manage 2 low volume mailing lists (< 300 subscribers and
less than 50 emails/month), as follows:

MAILING_LIST_1 mailing_lis...@example.com
MAILING_LIST_2 mailing_lis...@example.com

postconf -e 'virtual_alias_maps = /etc/postfix/virtual-alias-maps'
# /etc/postfix/virtual-alias-maps
mailing_lis...@example.com mailing_list_1@localhost.mlmmj
mailing_lis...@example.com mailing_list_2@localhost.mlmmj

postconf -e 'transport_maps = /etc/postfix/virtual-transport'
# /etc/postfix/virtual-transport
mailing_list_1@localhost.mlmmj mlmmj:mailing_list_1
mailing_list_2@localhost.mlmmj mlmmj:mailing_list_2

# /etc/postfix/master.cf
# transport for the mlmmj mailing list manager
mlmmj   unix  -   n   n   -   -   pipe
  flags=ORhu user=mlmmj argv=/usr/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop


Re: Could you help me with Postfix + MimeDefang?

2013-02-04 Thread Mark Alan
On Mon, 04 Feb 2013 09:40:41 -0600, Noel Jones njo...@megan.vbhcs.org
wrote:
 On 2/4/2013 4:14 AM, Mark Alan wrote:

  I would like to use MimeDefang to sanitize the emails that arrive
  at one of our 3 mailing lists, i.e., to convert html-text, remove
  unsafe attachments, and remove+webserve file attachments
  larger than 500KB.
  
  There are few tutorials on this subject and most, like Mickey Hill's
  http://www.mickeyhill.com/mimedefang-howto , ask for the
  installation of sendmail and present a config tightly coupled with
  sendmail internals (the real sendmail, not postfix's sendmail).
  
  Could you please provide (or point to) a couple of working examples
  on how to setup mimedefang with postfix (would it be better done as
  a transport+filter, or as milter?) and, if possible, throw some
  light on the advantages/disadvantages of each alternative?
  
  Thank you,
  
  Mark
 
 
 mimedefang works as a milter, so that's how you must interface it
 with postfix.
 .../...
 the config details you will mostly be interested in:
 http://www.postfix.org/MILTER_README.html#config

First, thank you Noel for sharing your experience and spending your time
at trying to help.

Regarding mimedefang, and its ability to work as a milter, and the
general setup of a milter under postfix, well... I have been there and
done that (in due time, I even described in this list, the config that
we use to run opendkim as a milter, communicating by a unix socket with
a chrooted postfix).

But the question here was entirely different: "... to use MimeDefang
to sanitize the emails that arrive at ONE of our 3 mailing lists"

The problem was not to apply mimedefang to all incoming mail (like a
milter base config usually does).
The problem is how to do it in order to process a SINGLE target
email address (the address of a given mailing list), without consuming
unnecessary machine resources, i.e., without miltering all the email
that arrives at the postfix server.
That was why I also attached the main.cf/master.cf filter+transport
config that we use to pipe the emails addressed to mailing lists into
the mailing list management software.

Thank you,

Mark
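One way to get what this thread is after (MimeDefang attached only to mail for a single list address, with nothing else passing through the milter), as an added example that is not from the thread nor from the Postfix or MimeDefang documentation. It follows the pattern Bill Cole suggests in the 2013-02-05 message: a second smtpd, reachable only from localhost, carries smtpd_milters, and the primary smtpd hands it only the messages it selects. Selection uses the access(5) FILTER action on the recipient rather than transport_maps, because transport_maps cannot be switched off for one smtpd instance and the re-injected message would otherwise loop back into the filter. The list address, the socket path, port 10026, the service name mdscan and the access-map file name are assumptions; the mlmmj pipe transport and the virtual_alias_maps/transport_maps entries are the ones already posted above and stay as they are.

```text
# /etc/postfix/main.cf (Postfix 2.9 style; on 2.10+ reject_unauth_destination
# may live in smtpd_relay_restrictions instead). Only the last line is new:
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/filter_by_recipient

# /etc/postfix/filter_by_recipient  (then: postmap /etc/postfix/filter_by_recipient)
# The key is the public list address as given in RCPT TO, i.e. before
# virtual_alias_maps rewrites it to mailing_list_1@localhost.mlmmj.
# Every other recipient is untouched and never sees the milter.
mailing_list_1@example.com   FILTER mdscan:[127.0.0.1]:10026

# /etc/postfix/master.cf
# 1. delivery leg: the queued message is sent to the listener on port 10026
mdscan    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o disable_mime_output_conversion=yes

# 2. re-injection smtpd: the only smtpd with MimeDefang attached
127.0.0.1:10026 inet n  -       n       -       10      smtpd
    -o syslog_name=postfix-mdscan
    -o smtpd_milters=unix:mimedefang/mimedefang.sock
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

# 3. final delivery is unchanged: the existing transport_maps entry still
#    routes mailing_list_1@localhost.mlmmj to the mlmmj pipe transport.
```

The re-injection smtpd does not consult the access map (its recipient restrictions are just permit_mynetworks,reject), so the filtered message is queued without a content filter and goes to mlmmj through the normal transport_maps lookup instead of looping. Two caveats a practitioner would want: FILTER selects per message, not per recipient, so one SMTP transaction carrying the list address together with other recipients sends the whole message through mdscan, which is the "envelope recipient splitting" problem mentioned above; and with milter_default_action left at its default (tempfail), an unreachable MimeDefang socket defers list mail rather than letting it through unfiltered. After editing, run postmap on the access map and reload Postfix.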


Re: Bounces back to myself

2012-12-04 Thread Mark Alan
On Tue, 04 Dec 2012 10:10:05 +0200, Muzaffer Tolga Özses
to...@ozses.net wrote:

 ...
 append_dot_mydomain = no
 biff = no
 inet_interfaces = all
 recipient_delimiter = +
 relayhost =

You don't need to be re-declaring the postfix default settings again.
Try whether the following helps to simplify your main.cf:

(postconf -d;postconf -n)|sort|uniq -d

 smtpd_sasl_auth_enable = yes
 smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot
 ...

We also have setup our postfix+dovecot using:

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot

But we opt for:

mailbox_command =
smtpd_sasl_local_domain =
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

And, for insurance, we leave mailbox_size_limit at its default value (the
safe and very reasonable 5120).

We use cdb instead of mysql so I am afraid that I cannot help you
with the mysql part. The last time we checked for postfix+dovecot+mysql
we settled for something based on this:
http://library.linode.com/email/postfix/dovecot-mysql-ubuntu-10.04-lucid

I hope this helps you.

Mark


Re: Is postscreen really this good? [how to configure postscreen]

2012-10-11 Thread Mark Alan
On Wed, 10 Oct 2012 10:43:47 -0500, Paul Schmehl g...@stovebolt.com
wrote:

 readme files, but some of this stuff is above my pay grade.  I get
 confused and am not sure what to do.

In order to benefit from postscreen you need to change both master.cf
and main.cf.
Assuming that you are starting with a fresh Postfix install:

I. To change master.cf:
  a) comment out the line that starts with "smtp" and ends with "smtpd"
  b) uncomment the lines that start with "smtpd" and end in "pass", or the
  lines that have the following terms in them: 'postscreen', 'dnsblog',
  'tlsproxy'
 In a Debian/Ubuntu Linux you would only need to execute the following
 single line command as root:
 sed -i 's,^smtp .*smtpd$,#,;/\(smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)/s/^#//' /etc/postfix/master.cf

II. To change main.cf (maybe it will be safer for you to use the
postconf -e '' construct, instead of editing main.cf directly).
  You could start with the following:
  a) to enforce tests & log attempts
postconf -e 'postscreen_blacklist_action = enforce'
postconf -e 'postscreen_dnsbl_action = enforce'
postconf -e 'postscreen_greet_action = enforce'
  b) to benefit from RBL lists
  # ( do check options at: http://www.sdsc.edu/~jeff/spam/cbc.html )
postconf -e 'postscreen_dnsbl_sites = bl.spamcop.net,
zen.spamhaus.org, dnsbl.sorbs.net'
postconf -e 'postscreen_dnsbl_threshold = 1'
  c) to enable (more expansive) tests after the 220 SMTP greeting
postconf -e 'postscreen_pipelining_enable = yes'
postconf -e 'postscreen_non_smtp_command_enable = yes'
postconf -e 'postscreen_bare_newline_action = enforce'
postconf -e 'postscreen_bare_newline_enable = yes'

All other postscreen related settings will work rather well at their
default values. Probably you will not need to explicitly set them.

Finally, remember that changes to master.cf need a Postfix restart (a simple
'reload' won't be enough). So, after executing the above commands, run as root:
   /etc/init.d/postfix restart


Regards,

Mark


Re: [SOLVED] Postfix 2.9.x vs iptables 1.4.x interaction issues under Debian/Ubuntu

2012-07-29 Thread Mark Alan
On Sun, 29 Jul 2012 00:33:49 +0200, Reindl Harald
h.rei...@thelounge.net wrote:

 Am 28.07.2012 20:03, schrieb Mark Alan:
  The solution is to exempt traffic sent from the machine from the
  rate controls.
  
  In 2012, in a server facing the net and running other services
  besides mail, I would not call it a safe bet. In the event (that
  must be accounted for) of an intrusion, one should consider that a
  syn flood DOS isn't an exclusive of the INPUT stream
 
 if you do not trust your OUTGOING traffic the only valid
 reason is that you doubt your machine is compromised

[The problem, as said in another email, is (mostly) solved]

- I do not trust anything connected 24h to the Internet.
- I do not trust anything in a Xen VPS that sits in a datacenter
owned / managed / maintained by I do not know exactly who.
- I do not trust any software, open source or otherwise, that has a
  level of complexity high enough to not be fully understood by the
  installer, maintainer, user, etc.
  [ Just google for OpenSSH FBI backdoor.  Its IPSEC stack was a
  relatively small but nevertheless highly sensitive piece of software.
  Look how it managed to elude, for so many years, so many security
  conscious people, including most of the more security conscious
  developers around: the developers of the OpenBSD - the Ultra-Secure
  Operating System. ]

This 'thing' just became so complex and with so many variables, that
it became impossible to know them all and to account for them all.
We can only reduce the size of the target and make it a little more
difficult to break in.
And that is why we keep an eye on syslog and cousins and ask for help
here on this list when we start to see firewall drop outs related with
Postfix.

 and NO a synflood will never come in the OUTPUT stream
 except your machine is compromised, but if so shut it down

I am afraid that time will show you otherwise.
These systems are not 'simple', not even 'complicated', they are real 'complex 
systems'.
And, worse, with so many knowledgeable people with time and resources to
invest into breaking these systems, these are now real 'complex adaptive
systems'.


Thank you,
M.


Re: Postfix 2.9.x vs iptables 1.4.x interaction issues under Debian/Ubuntu

2012-07-28 Thread Mark Alan
On Fri, 27 Jul 2012 19:43:59 +0100, Mark Alan
va...@e-healthexpert.org wrote:

 after upgrading to Postfix 2.9.x, using 
 I am now finding a lot of syslog entries like these:
/var/log/syslog:Jul 27 12:00:32 mx kernel: [485xxx.x] FW
DROP-OUT IN= OUT=eth0 SRC=xx.xxx.xxx.xx DST=xxx.xx.xxx.xx LEN=77
TOS=0x00 PREC=0x00 TTL=64 ID=x DF PROTO=TCP SPT=x DPT=25
WINDOW=26280 RES=0x00 ACK PSH URGP=0

A more thorough check revealed that this only happens when
requesting VERP style delivery to process a mailing list.

Has anything changed in Postfix 2.9.x VERP processing?


My VERP settings include:
postconf -n | grep 'verp\|recipient_delimiter'
   recipient_delimiter = +
   smtpd_authorized_verp_clients = $mynetworks

The mailing list is managed by mlmmj (which is a ezmlm clone that works
with Postfix under Linux).

mlmmj adds "XVERP=-=" to the MAIL FROM: line.
mlmmj needs to set "=-=" to be able to process owner-listname internally.
mlmmj sets verp recipients to 100.

grep 'foo:' /etc/aliases  # foo is a mailing list >= 1000 subscribers
   foo: "|/usr/bin/mlmmj-receive -L /var/spool/mlmmj/foo/"

Any other thoughts ?

Thank you,
M.


Re: Postfix 2.9.x vs iptables 1.4.x interaction issues under Debian/Ubuntu

2012-07-28 Thread Mark Alan
On Sat, 28 Jul 2012 13:48:55 +0200, Benny Pedersen m...@junc.org wrote:
 Den 2012-07-27 20:43, Mark Alan skrev:
 
  While using Postfix 2.9.3, iptables 1.4.12, under Ubuntu 12.04 LTS,
  after upgrading to Postfix 2.9.x, using
 
 suggest here apt-get install shorewall

I am afraid that shorewall is just a front end to iptables.
Using that exact same iptables configuration with qmail (instead of
Postfix 2.9.x) does not raise any firewall drop-outs.

Thank you,

M.


[SOLVED] Postfix 2.9.x vs iptables 1.4.x interaction issues under Debian/Ubuntu

2012-07-28 Thread Mark Alan
On Sat, 28 Jul 2012 14:42:59 +, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:

 On Sat, Jul 28, 2012 at 09:10:34AM -0400, Wietse Venema wrote:
 
  Thus, VERP increases the number of parallel connections.  This may
  result in overflow of state tables in under-powered stateful
  routers, causing them to drop packets that don't match any existing
  state.
 
 Or perhaps the state tables don't overflow, but rate limits apply
 regardless of connection state. In fact that would be correct
 behaviour I think. Rate enforcement has little to do with whether
 the connection table is full or not...

[SOLVED]  It was rate limiting kicking in.
As it should.
I was unaware that Postfix could be so fast while VERP'ing.

This postfix setup resides in a fairly modest Xen VPS server.
Due to strict policies that we must comply with, it has fairly
conservative --limit and --limit-burst settings. And, as expected, when
those limits are topped, those extra packets get logged and trapped by
the final '-A OUTPUT -j DROP'.

 I would guess that the OP's iptables configuration unwisely fails
 to discriminate between incoming and outgoing traffic.

Not in this case. All streams (and not only INPUT and OUTPUT) are fully
discrete, have their own needs and their own policies.

 The solution is to exempt traffic sent from the machine from the rate
 controls.

In 2012, in a server facing the net and running other services besides
mail, I would not call it a safe bet. In the event (that must be
accounted for) of an intrusion, one should consider that a syn flood
DOS isn't an exclusive of the INPUT stream.

Thank you all,

M.
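What the FW DROP-OUT lines quoted earlier in this thread look like when a list send trips the OUTPUT rate limit, and how to tell that burst apart from outbound traffic an MX should not be producing at all: an added example, not from the thread, that runs two awk passes over a constructed syslog excerpt in the same format. Addresses are from documentation ranges; the DPT=6667 line is constructed to show how a non-SMTP outbound drop stands out in the same report. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage the "FW DROP-OUT" lines that
# an OUTPUT-chain rate limit logs, so a VERP burst (many outbound SMTP
# connections, all to port 25) can be told apart from outbound traffic an
# MX has no business generating. The log excerpt is constructed in the
# format quoted in the thread; addresses are documentation ranges.

write_sample_log() {
    cat > "$1" <<'EOF'
Jul 27 12:00:32 mx kernel: [485001.1] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0
Jul 27 12:00:32 mx kernel: [485001.2] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.21 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0
Jul 27 12:00:32 mx kernel: [485001.3] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0
Jul 27 12:00:33 mx kernel: [485002.0] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=6667 WINDOW=14600 RES=0x00 SYN URGP=0
Jul 27 12:00:33 mx kernel: [485002.1] FW DROP-IN IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=5 DF PROTO=TCP SPT=5555 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Jul 27 12:00:34 mx postfix/smtp[1234]: 3A1B2C3D4E: to=<user@example.net>, relay=mail.example.net[198.51.100.20]:25, delay=0.4, status=sent (250 Ok)
EOF
}

# Dropped outbound packets per destination host:port (FW DROP-OUT only).
# Output: "count dst:dport", most frequent first. A VERP fan-out shows up
# as many distinct DST entries, all with port 25.
drop_out_by_dest() {
    awk '
        /FW DROP-OUT/ {
            dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dst != "" && dpt != "") n[dst ":" dpt]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Outbound drops to anything other than TCP/25. An MX being rate-limited
# while VERPing a list produces DPT=25 only; anything else in this list
# is what the "if so shut it down" exchange above is about.
drop_out_non_smtp() {
    awk '
        /FW DROP-OUT/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (!(proto == "TCP" && dpt == "25")) print
        }
    ' "$1"
}

# Demonstration on the constructed excerpt; on a real box point the
# functions at /var/log/syslog (or the kernel log) instead.
log=$(mktemp)
write_sample_log "$log"
echo "outbound drops per destination:"
drop_out_by_dest "$log"
echo "outbound drops that are not SMTP:"
drop_out_non_smtp "$log"
rm -f "$log"
```

The first report is what to look at right after a list send: if the only thing the OUTPUT limit caught is port-25 traffic to a spread of destinations, the limit is doing what it was set up to do and the remaining question is whether --limit-burst fits the list size. The second report is the one to keep empty.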


Re: STARTTLS problems

2012-04-25 Thread Mark Alan
On Tue, 24 Apr 2012 19:42:20 -0400 (EDT), Wietse Venema
wie...@porcupine.org wrote:

 So, TLSv1.2 is giving trouble.
 ...
 Works with OpenSSL 1.0.1a with smtp_tls_protocols = !TLSv1.2:
 ...
 So it is a good thing that I put out those updates today.
 ...
 Which leaves me wondering how other MTAs deal with this. Given the
 way OpenSSL works, there is no way for a program to specify what
 TLS protocols it wants to use. Instead, a program can only specify
 what TLS protocols it does not want. This means that new code needs
 to be added whenever a new protocol is added to OpenSSL, otherwise
 that protocol can't be turned off.

While the postfix updates do not get into each distribution's
repositories, should we use the following?

postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'


M.


Re: STARTTLS problems

2012-04-25 Thread Mark Alan
On Wed, 25 Apr 2012 10:07:19 +0100, Mark Alan
va...@e-healthexpert.org wrote:

 While the postfix updates do not get into each distribution's
 repositories, should we use the following?
 
 postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
 postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'

Never mind. I have seen the answer elsewhere in this mailing list.

M.


Re: Behavior of postscreen_access_list = static:retry

2012-01-31 Thread Mark Alan
On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:
 Mark Alan:
Would the following be an acceptable way to do it?
  postconf -e 'postscreen_access_list = reject'
  postconf -e 'soft_bounce = yes'
   
   Only if this is documented. The soft_bounce parameter is listed on
   the postscreen(8) manpage, this is perhaps a sufficient promise to
   match user expectations and so I would expect it to work.
  
  Sadly it does not.
  Although postscreen marks it as BLACKLISTED, then tlsproxy kicks in
  and lets the email pass:
  
 
 Only because you failed to configure postscreen_blacklist_action =
 drop.
 
   Wietse

Not exactly a failure, as doing so would instruct postscreen to simply
DISCONNECT (i.e., drop the connection immediately). In which case a
single 'master_service_disable = inet' would be more elegant and
similarly effective.

My question should have been:
 Using only the frugal postscreen resources is there a way to achieve
something like 'postscreen_blacklist_action = defer' , i.e., to
configure it to immediately NOQUEUE all connections with a 450 SMTP
reply?

Thank you,

M.


Re: Behavior of postscreen_access_list = static:retry

2012-01-31 Thread Mark Alan
On Tue, 31 Jan 2012 06:17:39 -0600, Noel Jones njo...@megan.vbhcs.org
wrote:

 You need to set both postscreen_blacklist_action = drop and
 soft_bounce = yes.  The soft_bounce changes the 521 hangup into a
 421 hangup.

Thank you Noel,

If we wanted a mere 4.x.x hangup, it would be more elegant to set a
single 'master_service_disable = inet' as Viktor Dukhovni pointed out.

 Alternately, you can use postscreen_blacklist_action = enforce
 with soft_bounce = yes.  This delays the 450 reject until the
 client sends recipient information.

Neither is the intention to delay until some other event.

The intention is to simply have postscreen immediately answer '450
Service currently unavailable' to all connections (friend or foe) that
are presented to it.

So, ideally:
  a) postscreen must answer. It is not enough to simply drop the
connection as 421 does;
  b) it must answer as it does at every first encounter with a new
IP, i.e., with a '450 Service currently unavailable'.

I did not imagine that it would be so difficult to configure
postscreen/postfix to achieve such a simple specification.

Thank you,
M.


Re: Behavior of postscreen_access_list = static:retry

2012-01-30 Thread Mark Alan
On Mon, 30 Jan 2012 21:50:52 +, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:

 On Mon, Jan 30, 2012 at 09:26:42PM +, Mark Alan wrote:
 
Is there any other way to make the postscreen/postfix
combination temporarily defer all incoming emails with '450
4.3.2 Service currently unavailable' (in order to give us some
time to migrate the postfix server to some other IP) ?
 
 Just turn off the SMTP listener. This functionally identical to a
 4.X.X reject and saves resources on both client and server.

Thank you Viktor,

In this particular setup I really need to have the server
answering:
Don't worry, I am alive but right now I am not able to accept your
email, i.e., 450 Service currently unavailable

   The documentation for the postscreen_access_list parameter.
  
  Would the following be an acceptable way to do it?
postconf -e 'postscreen_access_list = reject'
postconf -e 'soft_bounce = yes'
 
 Only if this is documented. The soft_bounce parameter is listed on
 the postscreen(8) manpage, this is perhaps a sufficient promise to
 match user expectations and so I would expect it to work.

Sadly it does not.
Although postscreen marks it as BLACKLISTED, then tlsproxy kicks in and lets
the email pass:

Jan 30 23:12:36 mx postfix/postscreen[11975]: CONNECT from [74.125.82.181]:61868
Jan 30 23:12:36 mx postfix/postscreen[11975]: BLACKLISTED [74.125.82.181]:61868
Jan 30 23:12:42 mx postfix/tlsproxy[11978]: CONNECT from [74.125.82.181]:61868
Jan 30 23:12:42 mx postfix/tlsproxy[11978]: setting up TLS connection from [74.125.82.181]:61868
Jan 30 23:12:42 mx postfix/tlsproxy[11978]: Anonymous TLS connection established from [74.125.82.181]:61868: TLSv1 with cipher RC4-SHA (128/128 bits)

 This said, it is far simpler to turn off SMTP service.
   # postconf -e 'master_service_disable = inet'
   # postfix reload

That is true. I too prefer to keep setups simpler (and near to the
default configuration).
But in this particular setup it does not help at making my server send, to
every connection attempt, a '450 Service currently unavailable'.

Again, thank you Viktor for your time.

M.


Re: SSL3_GET_CLIENT_HELLO:wrong version number

2012-01-23 Thread Mark Alan
On Sun, 22 Jan 2012 20:03:09 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:
 Mark Alan:
  /var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]:
  warning: TLS library problem:2797:error:1408A10B:SSL
  routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:771:

 Does your SMTP server accept SSLv3 connections?

It seems that it should renegotiate (to TLSv1) a connection from:
openssl s_client -crlf -starttls smtp -connect mail.example.com:587

But it does not. It fails with "Secure Renegotiation IS NOT supported".

Although it is capable of a perfectly good TLSv1 connection from:
openssl s_client -crlf -starttls smtp -connect mail.example.com:587 -tls1

# grep -A 9 'submission' /etc/postfix/master.cf
submission inet n   -   -   -   -   smtpd
  -o syslog_name=postfix-submission
  -o tls_preempt_cipherlist=yes
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_mandatory_protocols=TLSv1
  -o smtpd_tls_exclude_ciphers=AES128,DES,3DES,CAMELLIA128,MD5,aNULL
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

 Should your SMTP server accept such connections?

It should renegotiate and accept an openssl s_client TLS connection.

In 'man s_client' we can find:
By default the initial handshake uses a method which should be
compatible with all servers and permit them to use SSL v3, SSL v2 or
TLS as appropriate.
Unfortunately there are a lot of ancient and broken servers in use
which cannot handle this technique and will fail to connect.


Mark


Re: Postfix 2.8 + and Berkeley DB 4.7

2012-01-22 Thread Mark Alan
On Sat, 21 Jan 2012 18:38:48 -0700, The Doctor
doc...@doctor.nl2k.ab.ca wrote:
 Any issues with Berkeley DB > 4.7 with current Postfix ?

With:
libdb4.8 4.8.30
postfix 2.8.5

Every 4 hours we get a lot of:
(...) postfix/postscreen[]: close
database /var/lib/postfix/postscreen_cache.db: No such file or
directory (possible Berkeley DB bug)

M.


SSL3_GET_CLIENT_HELLO:wrong version number

2012-01-22 Thread Mark Alan
While using
  Ubuntu 10.10
  postfix 2.8.5-2~build0.10.10
  openssl 0.9.8o

We are getting a few of these:

/var/log/mail.log:Jan 22 19:09:28 mx postfix-submission/smtpd[2797]:
connect from mail.example.com[xx.xx.xx.xx.xx]

/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]:
setting up TLS connection from mail.example.com[xx.xx.xx.xx.xx]

/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]:
SSL_accept error from mail.example.com[xx.xx.xx.xx.xx]: -1

/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]:
warning: TLS library problem:2797:error:1408A10B:SSL
routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:771:

/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]:
lost connection after STARTTLS from
mail.example.com[xx.xx.xx.xx.xx]

/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]:
disconnect from mail.example.com[xx.xx.xx.xx.xx]


Should we worry?
Is it a known glitch?


Regards,

M.


Re: Declaring options for submission port daemon

2012-01-21 Thread Mark Alan
On Thu, 19 Jan 2012 17:10:00 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:

 I found these with: postconf | grep '[A-Z][A-Z][A-Z]:' :-)

postconf | grep '[A-Z][A-Z][A-Z]:' :-)  results in:
  bash: syntax error near unexpected token `)'

... and on my system, man grep refuses to show what that
last :-) switch stands for.

M.


Re: postscreen supersedes fqrdns.pcre table

2012-01-15 Thread Mark Alan
On Sun, 15 Jan 2012 11:04:21 -0500, Charles Marcus
cmar...@media-brokers.com wrote:

 But I'd still be interested in seeing some example postscreen configs 
 actually in use right now, by you and anyone else willing to share...

This works pretty well:

as root:

## configure Postfix to use postscreen
sed -i 's/^smtp .*smtpd$/#/' /etc/postfix/master.cf
sed -i '/\(smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)/s/^#//' /etc/postfix/master.cf
grep '\(smtp .*smtpd$\|smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)' /etc/postfix/master.cf

## enable tests before the 220 SMTP server greeting
postconf -e 'postscreen_blacklist_action = enforce'
postconf -e 'postscreen_dnsbl_action = enforce'
# about RBL lists http://www.sdsc.edu/~jeff/spam/cbc.html
postconf -e 'postscreen_dnsbl_sites = zen.spamhaus.org*2, dnsbl-1.uceprotect.net*1, b.barracudacentral.org*1'
postconf -e 'postscreen_dnsbl_threshold = 2'
postconf -e 'postscreen_greet_action = enforce'
## enable tests after the 220 SMTP server greeting
postconf -e 'postscreen_pipelining_enable = yes'
#postconf -e 'postscreen_pipelining_action = enforce'
postconf -e 'postscreen_non_smtp_command_enable = yes'
#postconf -e 'postscreen_non_smtp_command_action = drop'
postconf -e 'postscreen_bare_newline_enable = yes'
postconf -e 'postscreen_bare_newline_action = enforce'

/etc/init.d/postfix restart # pick /etc/postfix/master.cf changes


M.
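The master.cf part of the postscreen recipe, both in the 2012-10-11 message earlier on this page (comment out the smtp/smtpd line, uncomment postscreen, dnsblog, tlsproxy and smtpd pass) and in the one just above, is a one-shot sed over the live file with no check afterwards. The following added example, not from the thread, applies the same change to a scratch copy of a constructed master.cf excerpt (modelled on the stock Debian/Ubuntu file) and then verifies the outcome: no plain smtpd left on the smtp service, exactly one postscreen listener, and all three helper services active. It keeps the old smtpd line as a comment rather than replacing it with a bare '#', so the change can be reverted. The names write_sample_master_cf, enable_postscreen and check_postscreen are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): turn on postscreen in a copy of
# master.cf and verify the result before touching the live file.

# Constructed excerpt modelled on the stock Debian/Ubuntu master.cf,
# written to the path given as $1.
write_sample_master_cf() {
    cat > "$1" <<'EOF'
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
EOF
}

# Comment out the plain "smtp inet ... smtpd" listener (keeping the line)
# and uncomment the postscreen listener plus the smtpd pass, dnsblog and
# tlsproxy services it needs. The file named in $1 is rewritten through a
# temporary copy, so a failing sed leaves the original untouched.
# "submission inet ... smtpd" is not touched: the pattern needs "smtp"
# followed by whitespace.
enable_postscreen() {
    sed -E \
        -e 's/^(smtp[[:space:]]+inet.*[[:space:]]smtpd)[[:space:]]*$/#\1/' \
        -e '/^#(smtp[[:space:]]+inet.*[[:space:]]postscreen|smtpd[[:space:]]+pass|dnsblog[[:space:]]+unix|tlsproxy[[:space:]]+unix)/s/^#//' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Post-change check. Prints a verdict; returns 0 only if no plain smtpd
# listens on the smtp service, exactly one postscreen listener does, and
# all three helper services are active.
check_postscreen() {
    f=$1
    smtpd_listeners=$(grep -cE '^smtp[[:space:]]+inet.*[[:space:]]smtpd[[:space:]]*$' "$f" || true)
    postscreen_listeners=$(grep -cE '^smtp[[:space:]]+inet.*[[:space:]]postscreen[[:space:]]*$' "$f" || true)
    helpers=$(grep -cE '^(smtpd[[:space:]]+pass|dnsblog[[:space:]]+unix|tlsproxy[[:space:]]+unix)' "$f" || true)
    if [ "$smtpd_listeners" -eq 0 ] && [ "$postscreen_listeners" -eq 1 ] && [ "$helpers" -eq 3 ]; then
        echo "ok: postscreen owns the smtp service; smtpd pass, dnsblog, tlsproxy active"
        return 0
    fi
    echo "FAIL: smtpd listeners=$smtpd_listeners postscreen listeners=$postscreen_listeners helpers=$helpers/3"
    return 1
}

# Demonstration on a scratch file. For the real thing run it on a copy of
# /etc/postfix/master.cf, check it, install it, then restart (not just
# reload) Postfix, as the thread says.
scratch=$(mktemp)
write_sample_master_cf "$scratch"
echo "before:"; check_postscreen "$scratch" || true
enable_postscreen "$scratch"
echo "after:";  check_postscreen "$scratch"
grep -E '^#?(smtp|smtpd|dnsblog|tlsproxy)[[:space:]]' "$scratch"
rm -f "$scratch"
```

Running enable_postscreen a second time changes nothing, so it is safe to rerun after a package upgrade has rewritten master.cf. The check is deliberately stricter than "it restarted": a master.cf with both smtpd and postscreen on the smtp service fails to start, but one with neither starts fine and simply stops accepting mail.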


Re: Stan's List [was: free antivirus scanner ?]

2012-01-11 Thread Mark Alan
On Wed, 11 Jan 2012 10:19:36 -0600, Noel Jones njo...@megan.vbhcs.org
wrote:

 I would classify it as low risk of false positives, and fairly safe.
 (but not 100% safe; few rules are.  YMMV and such.)  I've had a
 couple of FP's from idiots that run their business mail servers on a
 cablemodem with a dynamic rDNS name (their IP is static, but the
 rDNS incorrectly says dynamic), so I added their IP to a local
 whitelist.  You may or may not run into the same easily-fixed problem.
 
 Use it like:
 smtpd_client_restrictions =
   permit_mynetworks
 # uncomment next line if using SASL
 # permit_sasl_authenticated
   check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

It would also be interesting to be able to use a similar mechanism
earlier, from the postscreen_access_list (after permit_mynetworks
but before going outside to fetch the postscreen_dnsbl_* stuff):

postscreen_access_list = permit_mynetworks,
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

But http://www.postfix.org/postconf.5.html#postscreen_access_list
states:
To discourage the use of hash, btree, etc. tables, there is no
support for substring matching like smtpd(8). Use CIDR tables instead.


M.


Re: Problem with DNS lookup when chrooted

2011-08-11 Thread Mark Alan
On Thu, 11 Aug 2011 12:33:44 -0500, Stan Hoeppner
s...@hardwarefreak.com wrote:

  Trivial fix: modify the init script to invoke postfix start etc.
  instead of directly invoking the master daemon.
 
 I don't believe the current init script directly invokes the master
 daemon,


Debian/Ubuntu's current /etc/init.d/postfix script does not invoke
master.

That script sets:  DAEMON=/usr/sbin/postfix

NOTE: file /usr/sbin/postfix being: /usr/sbin/postfix: ELF 32-bit LSB
shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses
shared libs), for GNU/Linux 2.6.15, stripped

and then uses $DAEMON in start), stop), restart), etc.

start) uses:
awk '/^[0-9a-z]/ && ($5 ~ "[-yY]")' /etc/postfix/master.cf
to check if anything is to be chrooted.
If anything chrooted, the relevant files are copied to the chroot and
after that /usr/sbin/postfix is started as a daemon with:
start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start

stop)
stop uses: ${DAEMON} quiet-stop

reload)
reload uses: ${DAEMON} quiet-reload



Regards,
M.



I am attaching the Debian/Ubuntu current /etc/init.d/postfix script:

##
#!/bin/sh -e

# Start or stop Postfix
#
# LaMont Jones lam...@debian.org
# based on sendmail's init.d script

### BEGIN INIT INFO
# Provides:          postfix mail-transport-agent
# Required-Start:    $local_fs $remote_fs $syslog $named $network $time
# Required-Stop:     $local_fs $remote_fs $syslog $named $network
# Should-Start:      postgresql mysql clamav-daemon postgrey spamassassin saslauthd dovecot
# Should-Stop:       postgresql mysql clamav-daemon postgrey spamassassin saslauthd dovecot
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start and stop the Postfix Mail Transport Agent
# Description:       postfix is a Mail Transport agent
### END INIT INFO

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/postfix
NAME=Postfix
TZ=
unset TZ

# Defaults - don't touch, edit /etc/default/postfix
SYNC_CHROOT="y"

test -f /etc/default/postfix && . /etc/default/postfix

test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0

. /lib/lsb/init-functions
#DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)

running() {
    queue=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
    if [ -f ${queue}/pid/master.pid ]; then
        pid=$(sed 's/ //g' ${queue}/pid/master.pid)
        # what directory does the executable live in.  stupid prelink systems.
        dir=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* -> //; s/\/[^\/]*$//')
        if [ "X$dir" = "X/usr/lib/postfix" ]; then
            echo y
        fi
    fi
}

case "$1" in
    start)
        log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
        RUNNING=$(running)
        if [ -n "$RUNNING" ]; then
            log_end_msg 0
        else
            # if you set myorigin to 'ubuntu.com' or 'debian.org', it's wrong, and annoys the admins of
            # those domains.  See also sender_canonical_maps.

            MYORIGIN=$(postconf -h myorigin | tr 'A-Z' 'a-z')
            if [ "X${MYORIGIN#/}" != "X${MYORIGIN}" ]; then
                MYORIGIN=$(tr 'A-Z' 'a-z' < $MYORIGIN)
            fi
            if [ "X$MYORIGIN" = Xubuntu.com ] || [ "X$MYORIGIN" = Xdebian.org ]; then
                log_failure_msg "Invalid \$myorigin ($MYORIGIN), refusing to start"
                log_end_msg 1
                exit 1
            fi

            # see if anything is running chrooted.
            NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)

            if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
                # Make sure that the chroot environment is set up correctly.
                oldumask=$(umask)
                umask 022
                queue_dir=$(postconf -h queue_directory)
                cd $queue_dir

                # copy the CA path if specified
                ca_path=$(postconf -h smtp_tls_CApath)
                case "$ca_path" in
                    '') :;; # no ca_path
                    $queue_dir/*) :;;  # skip stuff already in chroot
                    *)
                        if test -d "$ca_path"; then
                            dest_dir="$queue_dir/${ca_path#/}"
                            new=0
                            if test -d "$dest_dir"
                            # write to a new directory ...
                            then dest_dir="$dest_dir.NEW" && new=1
                            else mkdir --parent ${dest_dir%/*}
                            fi
                            # handle files in subdirectories
                            find "$ca_path" -print0 | cpio -0pdL "$dest_dir"
                            if [ "$new" = 1 ]; then
                                # and replace the old directory
                                rm -r ${dest_dir%.NEW}
                                mv "$dest_dir" ${dest_dir%.NEW}
                            fi
                        fi
                        ;;
                esac

                # if there is 

Re: mailq full but nothing in active/deferred/incoming

2011-06-06 Thread Mark Alan
On Mon, 06 Jun 2011 19:45:17 +0200, Stéphane MERLE
stephane.me...@distrigame.com wrote:

  (I am using ubuntu 10.04LTS).
 I am a little surprised by the fact that I would be using sendmail

 #dpkg --get-selections | grep -i sendmail
 I got no package installed for sendmail ...

Postfix installs a pseudo-sendmail.

In Ubuntu you can see that it is there with:
  sudo which sendmail
And confirm that it is a child of Postfix with:
  dpkg -S sendmail | grep bin


M


Re: Unable to enforce the usage of the stronger tls ssl ciphers by Postfix

2011-05-23 Thread Mark Alan
On Sun, 22 May 2011 22:00:49 -0500, Noel Jones njo...@megan.vbhcs.org
wrote:

 Is postfix also the client?  What are the settings on that 
 machine?

Client machines use Claws Mail as MUA (configured to use SMTP at 587)
and those machines have Postfix as the MTA, configured like this:
$ sudo postconf -n | grep -v '^smtpd_' | grep 'tls\|sasl\|master\|^my'
master_service_disable = inet
mydestination = localhost.localdomain, localhost
myhostname = desk.localhost.localdomain
myorigin = $mydomain
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

 Are you certain you're connecting to the submission port? 
 adding -o syslog_name=postfix-submission or similar to the 
 master.cf submission entry is helpful.

After adding -o syslog_name=postfix-submission I get the same result
as previously reported:
May 23 09:37:36 mx postfix-submission/smtpd[29693]: connect from unknown[192.168.1.60]
May 23 09:37:37 mx postfix-submission/smtpd[29693]: setting up TLS connection from unknown[192.168.1.60]
May 23 09:37:38 mx postfix-submission/smtpd[29693]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
May 23 09:37:44 mx postfix-submission/smtpd[29693]: A95E1816B: client=unknown[192.168.1.60], sasl_method=LOGIN, sasl_username=test...@example.org
May 23 09:37:45 mx postfix/cleanup[29712]: A95E1816B: message-id=
May 23 09:37:45 mx postfix/qmgr[29480]: A95E1816B: from=test...@example.org, size=507, nrcpt=1 (queue active)
May 23 09:37:46 mx postfix-submission/smtpd[29693]: disconnect from unknown[192.168.1.60]

 Remove your *_exclude_ciphers entries and let openssl figure it 
 out itself.  It usually does a better job of finding the best 
 common cipher than you can by hand.

Removing smtpd_tls_mandatory_exclude_ciphers and reloading in the
receiving server did not help.
Doing the same with the smtp_tls_mandatory_exclude_ciphers at the
sender machines did not help either.

In any case, setting 'smtpd_tls_mandatory_exclude_ciphers = AES128, DES,
MD5, aNULL' should not interfere with Postfix's ability to choose from
the strongest to the weakest of the remaining ciphers (as shown by
openssl ciphers -v 'ALL:@STRENGTH') 

Is it a postfix bug? If so, I wonder what other configs can trigger
the selection of weaker ciphers by postfix?


Thank you for your time Noel.

Best regards,

M.


Unable to enforce the usage of the stronger tls ssl ciphers by Postfix

2011-05-22 Thread Mark Alan
Hello list,


While using ubuntu 10.10, postfix 2.8.1, dovecot 2.0.12, openssl
0.9.8o, and trying to connect to the mail server via postfix
'submission' the best cipher that I am able to get is
DHE-RSA-AES128-SHA (128/128 bits)

As it is only the 11th entry in the list shown by
openssl ciphers -v 'ALL:@STRENGTH'
and given that openssl on both the mail server and the client
machines shows that better ciphers are supported, is there a way to
enforce higher ciphers?

logs follow:

The (anonymized) session log goes like this:
May 22 09:25:27 mx postfix/smtpd[7984]: connect from
unknown[192.168.1.60]
May 22 09:25:27 mx postfix/smtpd[7984]: setting up TLS connection from
unknown[192.168.1.60]
May 22 09:25:28 mx postfix/smtpd[7984]: Anonymous TLS connection
established from unknown[192.168.1.60]: TLSv1 with cipher
DHE-RSA-AES128-SHA (128/128 bits)
May 22 09:25:35 mx postfix/smtpd[7984]: 299CD8192:
client=unknown[192.168.1.60], sasl_method=LOGIN,
sasl_username=test...@example.org
May 22 09:25:36 mx postfix/cleanup[8004]: 299CD8192: message-id=
May 22 09:25:36 mx postfix/qmgr[7946]: 299CD8192:
from=test...@example.org, size=506, nrcpt=1 (queue active)
May 22 09:25:36 mx postfix/smtpd[7984]: disconnect from
unknown[192.168.1.60]

$ grep -A 4 'submission' /etc/postfix/master.cf
submission inet n   -   -   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   -   -   -   smtpd

Both client MUA and server MTA machines show:
$ openssl ciphers -v 'ALL:@STRENGTH' | head -n 11
ADH-AES256-SHA  SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA  SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHASSLv3 Kx=DH   Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHASSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHASSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHASSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5 
ADH-AES128-SHA  SSLv3 Kx=DH   Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA  SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1

$ sudo postconf -n | grep -v '^smtp_' | grep 'tls\|sasl'
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unauth_pipelining, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,
reject_unlisted_sender, reject_unknown_sender_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/example.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/example.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtpd_tls_protocols = !SSLv2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


Thank you,

Mark
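To make the cipher question in this post (and in the follow-up reply to Noel further up the page) concrete, here is an added Python example, not code from the thread or from Postfix: it parses the `openssl ciphers -v` table posted above, drops the suites named by the `AES128, DES, MD5, aNULL` exclude list, and then checks the posted smtpd log line against what is left. The mapping of those four keywords onto the table columns is a simplification assumed for the example; OpenSSL's own cipher-string parser is the authority on what they mean.

```python
import re

# The first 11 lines of "openssl ciphers -v 'ALL:@STRENGTH'" as posted
# (columns re-spaced), used here as constructed sample input.
OPENSSL_CIPHERS_V = """\
ADH-AES256-SHA          SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH   Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
ADH-AES128-SHA          SSLv3 Kx=DH   Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# Log lines from the post, used as sample input for the audit.
SAMPLE_LOG = [
    "May 22 09:25:27 mx postfix/smtpd[7984]: connect from unknown[192.168.1.60]",
    "May 22 09:25:28 mx postfix/smtpd[7984]: Anonymous TLS connection established "
    "from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)",
    "May 22 09:25:36 mx postfix/smtpd[7984]: disconnect from unknown[192.168.1.60]",
]

CIPHER_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\w+)\((\d+)\)\s+Mac=(\S+)")


def parse_cipher_table(text):
    """Turn 'openssl ciphers -v' output into one dict per suite, keyed by column."""
    suites = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            name, proto, kx, au, enc, bits, mac = m.groups()
            suites.append({"name": name, "proto": proto, "kx": kx, "au": au,
                           "enc": enc, "bits": int(bits), "mac": mac})
    return suites


# The four keywords in the post's *_exclude_ciphers setting, mapped onto the
# columns they describe. A deliberately small subset of OpenSSL's cipher-string
# vocabulary, assumed for this example.
EXCLUDE_KEYWORDS = {
    "AES128": lambda s: s["enc"] == "AES" and s["bits"] == 128,
    "DES":    lambda s: s["enc"] == "DES",     # single DES only; triple DES is "3DES"
    "MD5":    lambda s: s["mac"] == "MD5",
    "aNULL":  lambda s: s["au"] == "None",     # anonymous key exchange, no peer auth
}


def apply_exclude_list(suites, exclude_setting):
    """Return the suite names that survive a Postfix-style exclude list such as
    'AES128, DES, MD5, aNULL', preserving the table's strength order."""
    keywords = [k.strip() for k in exclude_setting.split(",") if k.strip()]
    unknown = [k for k in keywords if k not in EXCLUDE_KEYWORDS]
    if unknown:
        raise ValueError(f"keyword(s) not modelled by this example: {unknown}")
    return [s["name"] for s in suites
            if not any(EXCLUDE_KEYWORDS[k](s) for k in keywords)]


TLS_ESTABLISHED = re.compile(
    r"TLS connection established from (\S+): (\S+) with cipher (\S+) \((\d+)/\d+ bits\)")


def audit_tls_sessions(log_lines, allowed_names):
    """Detection side: report every negotiated cipher that lies outside the set
    the exclude list was meant to leave available."""
    findings = []
    for line in log_lines:
        m = TLS_ESTABLISHED.search(line)
        if not m:
            continue
        client, proto, cipher, bits = m.groups()
        if cipher not in allowed_names:
            findings.append({"client": client, "proto": proto,
                             "cipher": cipher, "bits": int(bits)})
    return findings


if __name__ == "__main__":
    allowed = apply_exclude_list(parse_cipher_table(OPENSSL_CIPHERS_V),
                                 "AES128, DES, MD5, aNULL")
    print("suites left after the exclude list:", ", ".join(allowed))
    for finding in audit_tls_sessions(SAMPLE_LOG, allowed):
        print("session outside the intended set:", finding)
```

Run as is, it shows that the negotiated DHE-RSA-AES128-SHA is one of the suites the exclude list names, which is the discrepancy the post asks about. The audit function is the reusable half for defenders: feed it real smtpd log lines and the list of suites you believe are enabled, and it lists every session that was negotiated with something else.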


Re: Adjust smtp to limitations of a host

2011-04-03 Thread Mark Alan
On Sat, 2 Apr 2011 18:03:29 -0400 (EDT), Wietse Venema
wie...@porcupine.org wrote:

  slow  unix  -   -   -   -   -   smtp
-o syslog_name=postfix-slow
-o default_destination_rate_delay=1s
-o default_destination_recipient_limit=20
-o smtp_connection_cache_on_demand=no
 THAT DOES NOT WORK.
 Please follow the instructions.
 As documented, the following parameters:
   xxx_destination_rate_delay
   xxx_destination_recipient_limit
 are implemented by the QUEUE MANAGER not SMTP CLIENT.

I keep forgetting the inner workings of the multiple inner postfix
modules.

So here is the revised setting:

/etc/postfix/master.cf
slow  unix  -   -   -   -   -   smtp
  -o syslog_name=postfix-slow
  -o smtp_connection_cache_on_demand=no

/etc/postfix/main.cf
slow_destination_rate_delay = 1s
postconf -e 'slow_destination_recipient_limit = 20


I will be reporting the results.

Thank you very much for your guidance.

M.


Re: Adjust smtp to limitations of a host (REPOST without postconf)

2011-04-03 Thread Mark Alan
On Sat, 2 Apr 2011 18:03:29 -0400 (EDT), Wietse Venema
wie...@porcupine.org wrote:
  slow  unix  -   -   -   -   -   smtp
-o syslog_name=postfix-slow
-o default_destination_rate_delay=1s
-o default_destination_recipient_limit=20
-o smtp_connection_cache_on_demand=no  
 THAT DOES NOT WORK.
 Please follow the instructions.
 As documented, the following parameters:
   xxx_destination_rate_delay
   xxx_destination_recipient_limit
 are implemented by the QUEUE MANAGER not SMTP CLIENT.  

I keep forgetting the inner workings of the multiple inner postfix
modules.

So here is the revised setting:

/etc/postfix/master.cf
slow  unix  -   -   -   -   -   smtp
  -o syslog_name=postfix-slow
  -o smtp_connection_cache_on_demand=no

/etc/postfix/main.cf
slow_destination_rate_delay = 1s
slow_destination_recipient_limit = 20


I will be reporting the results.

Thank you very much for your guidance.

M.


Re: Adjust smtp to limitations of a host

2011-04-02 Thread Mark Alan
On Thu, 31 Mar 2011 14:53:11 -0400, Victor Duchovni
victor.ducho...@morganstanley.com wrote:

  /etc/postfix/master.cf
  slow  unix  -   -   -   -   -   smtp
-o syslog_name=postfix-slow
-o smtp_connection_reuse_time_limit=30s
  EOT
  
  /etc/postfix/main.cf
  slow_initial_destination_concurrency = 2
  slow_destination_concurrency_limit = 15
  slow_destination_concurrency_failed_cohort_limit = 5
  slow_destination_concurrency_positive_feedback = 1/5
  slow_destination_concurrency_negative_feedback = 1/8


 (...) You can certainly try, and report your findings.

Tried the above setup. It does not help.
We have much more 421 with this approach than we had with our former
setup.

We will now try the following transport settings (based on a
recent Wietse suggestion):

slow  unix  -   -   -   -   -   smtp
  -o syslog_name=postfix-slow
  -o default_destination_rate_delay=1s
  -o default_destination_recipient_limit=20
  -o smtp_connection_cache_on_demand=no

As usual we will be reporting here the results.


Thank you for your time and good will.


M.


Re: Adjust smtp to limitations of a host

2011-03-31 Thread Mark Alan
On Thu, 31 Mar 2011 12:39:20 -0400, Victor Duchovni
victor.ducho...@morganstanley.com wrote:

 The receiving sites policies are stupid if they don't implement
 them sensibly by just returning 4XX responses without penalizing
 subsequent transactions.

I am sorry to hijack this thread but we have what seems to be the
same problem.

While using the default Postfix settings (v.2.8.1 on Ubuntu 10.10), we
do have trouble to connect with several MTA's (usually
smtp1.min-saude.pt and smtp2.min-saude.pt, but sometimes others
at .min-saude.pt).
The server at smtp3.min-saude.pt never complains, nor do any of
the other email MTA at .min-saude.pt whose name do not start with
smtpNN.

When they refuse our connections, they seem to start shutting down at
25 to 30 RCPT commands, with:
...mx postfix-slow/smtp[4907]: 36BB7818B: to=some_subscri...@subdomain.min-saude.pt, relay=smtp1.min-saude.pt[194.65.151.38]:25, delay=415, delays=414/0.25/0.41/0, dsn=4.0.0, status=deferred (host smtp1.min-saude.pt[194.65.151.38] refused to talk to me: 421 #4.4.5 Too many connections from your host.) 

To deal with this we are currently using:

/etc/postfix/transport
.min-saude.pt slow:

/etc/postfix/master.cf
slow  unix  -   -   -   -   -   smtp
  -o syslog_name=postfix-slow
  -o smtp_connection_cache_on_demand=no
EOT

/etc/postfix/main.cf
# we give up after getting three 421
slow_destination_concurrency_failed_cohort_limit = 3
# keep it below 25
slow_destination_recipient_limit = 20
# do not know if we really need this
slow_destination_rate_delay = 1

 Have you considered the less aggressive
 concurrency feedback controls in Postfix 2.5?

Do you think that the following would be a more elegant approach than
the above described setting?

/etc/postfix/master.cf
slow  unix  -   -   -   -   -   smtp
  -o syslog_name=postfix-slow
  -o smtp_connection_reuse_time_limit=30s
EOT

/etc/postfix/main.cf
slow_initial_destination_concurrency = 2
slow_destination_concurrency_limit = 15
slow_destination_concurrency_failed_cohort_limit = 5
slow_destination_concurrency_positive_feedback = 1/5
slow_destination_concurrency_negative_feedback = 1/8

Thank you,

M.


Re: Adjust smtp to limitations of a host

2011-03-31 Thread Mark Alan
On Thu, 31 Mar 2011 14:53:11 -0400, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
 Why would this be a response to too many recipient commands, a
 single message with many recipients is sent over a single connection,
 unless you have set an ill-advised destination recipient limit.

All _recipient_limit parameters are all at their defaults. With the
exception of things related to ciphers and TLS, we try hard to keep the
default Postfix settings.

  /etc/postfix/main.cf
  slow_destination_concurrency_failed_cohort_limit = 3 # we give up
  after getting three 421
  slow_destination_recipient_limit = 20 # keep it below 25
 
 This increases the number of connections, which is unlikely what you
 want, provided of course you have messages with a large recipient
 count.

It was not obvious to us. The idea was simply to put a limit on each
burst of messages sent to the slow transport MTA's.

These messages are related to a low traffic (2-3 messages a month), low
volume (280 subscribers) mailing list, managed with mlmmj and using
VERP tagging.
We have exactly 142 subscribers from subdomains at .min-saude.pt.
Hardly huge numbers.

  slow_destination_rate_delay = 1 # do not know if we really need this
 This limits you to one connection at-a-time.

The idea was to have a 1s delay between each message delivered. But, of
course not knowing if this helped or not.

  /etc/postfix/master.cf
  slow  unix  -   -   -   -   -   smtp
-o syslog_name=postfix-slow
-o smtp_connection_reuse_time_limit=30s

Should we use only those 2 lines, or should we also add
  -o smtp_connection_cache_on_demand=no

  /etc/postfix/main.cf
  slow_initial_destination_concurrency = 2
  slow_destination_concurrency_limit = 15
  slow_destination_concurrency_failed_cohort_limit = 5
  slow_destination_concurrency_positive_feedback = 1/5
  slow_destination_concurrency_negative_feedback = 1/8
 
 That depends on how determined the remote site is to damage the
 SMTP eco-system by imposing counter-productive punitive mechanisms
 on legitimate senders.

Being it the health ministry bureaucracy, I am pretty sure that they
have the time and resources to be creative at it.
We know for sure that up until now they did not answer any emails
regarding their strange mail server policies.

 You can certainly try, and report your

We will wait for your opinion on the above
-o smtp_connection_cache... parameter before trying those new settings.


Thank you,

M.


Error: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)

2011-03-10 Thread Mark Alan
While using Postfix 2.8.1 + Ubuntu 10.10, after enabling postscreen the
system seems to be working well (sends and receives email without any
apparent problems) but has sporadic errors as shown below (without
any other errors or warnings).

sudo grep 'postscreen_cache.db' /var/log/syslog

Mar 10 11:02:24 mx postfix/postscreen[9697]: cache /var/lib/postfix/postscreen_cache.db full cleanup: retained=0 dropped=0 entries
Mar 10 11:04:26 mx postfix/postscreen[9697]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)
Mar 10 11:12:08 mx postfix/postscreen[10135]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)
Mar 10 11:49:58 mx postfix/postscreen[12596]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)

# /var/lib/postfix/postscreen_cache.db exists and postfix
seems to be accessing it, as shown by the changing date/times in:

ls -l /var/lib/postfix/
total 32
-rw--- 1 postfix postfix   17 2011-03-10 11:06 master.lock
-rw--- 1 postfix postfix 8192 2011-03-10 11:10 postscreen_cache.db
-rw--- 1 postfix postfix 1024 2011-03-10 11:07 prng_exch
-rw--- 1 postfix postfix 8192 2011-03-10 11:07 smtpd_scache.db
-rw--- 1 postfix postfix 8192 2011-03-10 11:07 smtp_scache.db

# the berkeley modules are there too (the so.2's are links to the .so's)
ls -1 /var/spool/postfix/lib/
libnss_compat-2.12.1.so
libnss_compat.so.2
libnss_dns-2.12.1.so
libnss_dns.so.2
libnss_files-2.12.1.so
libnss_files.so.2
libnss_hesiod-2.12.1.so
libnss_hesiod.so.2
libnss_nis-2.12.1.so
libnss_nisplus-2.12.1.so
libnss_nisplus.so.2
libnss_nis.so.2

sudo postconf -n  # some sasl/tls entries were edited out
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
fast_flush_domains = 
mail_name = ESMTPserver
mydestination = localhost.localdomain, localhost
mydomain = example.org
myhostname = mx.example.org
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2, dnsbl-1.uceprotect.net*1,
b.barracudacentral.org*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
readme_directory = no
recipient_delimiter = +
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP
smtpd_discard_ehlo_keywords = silent-discard, etrn
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unauth_pipelining, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,
reject_unlisted_sender, reject_unknown_sender_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = yes
virtual_alias_maps = hash:/etc/postfix/virtual-alias-maps
virtual_mailbox_domains = example.org
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-maps
virtual_transport = dovecot


Any ideas?

r.

M.


Re: Configuration of postfix 2.8.1 + ezmlm 1.2.17

2011-03-07 Thread Mark Alan
On Sun, 6 Mar 2011 18:46:44 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:

  In order to have postfix 2.8.1 feeding email to a ezmlm 1.2.17
 If you follow the mlmmj website's instructions, then it should
 work.

Do you mean the README.Postfix at
http://mlmmj.org/archive/mlmmj/att-0511/README.postfix ?

 I prefer not to review alternative variations.

I can understand that.
But in this case, as this is rather generic regarding MLM proper
interfacing with Postfix, it sure would be welcome to have your
view about the proper way to setup a generic interface between Postfix
and a generic MLM.

 By the way, the mlmmj setup can now be simplified, and no longer
 needs the kludge with the mlmmj/pipe transport.

I know that it also consumes time but... could you give a tiny
example/usage case?

  postfix-2.9-20110228
 fixes a problem where the local delivery agent ignored the ownership
 of regexp-based alias tables.

Will this bug fix be backported into 2.8.x ?

 Why was this fixed 20110228? Because I recently stumbled upon this
 problem when I visited the mlmmj/postfix webpage.

That page is marked Nov 12th 2005 but in fact, as it is clear from the
change log, it just appeared in the latest (1.2.17.1, Nov 2010) release.


M.


Re: Configuration of postfix 2.8.1 + ezmlm 1.2.17

2011-03-07 Thread Mark Alan
On Mon, 7 Mar 2011 09:43:40 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:

 The basic idea is that with a local aliases
 file, file ownership determines the execution privileges for
 |command and /file/name destinations, and the envelope sender
 address for non-delivery notifications.

Meaning that (keeping with the example lis...@example.org mailing list)
the following would simply work as expected:

/etc/postfix/virtual-alias-maps
  lis...@example.org list01@localhost

/etc/aliases
  list01: |/usr/bin/mlmmj-receive -L /var/spool/mlmmj/list01/

 In other words, alias ownership of regexp/pcre files now works as
 documented.

If not for anything else, at least this was good to fix that bug.

... and, by the way, the subject of this thread should have been
Configuration of postfix 2.8.1 + mlmmj 1.2.17, not ezmlm... but it
seems that old habits don't die easily.

Thank you Wietse and keep up this great work

M.


Configuration of postfix 2.8.1 + ezmlm 1.2.17

2011-03-06 Thread Mark Alan
Hello list,

In order to have postfix 2.8.1 feeding email to a ezmlm 1.2.17 mailing
list manager (under Debian/Ubuntu) we have a tentative setup that
goes like described below.

I have 2 questions:
1. is there a way to do the same without (the rather expensive)
regexp:/ lists?
2. in case of not being possible to do without regexp (or just in case
the regexp happens to be the right solution) is this the right regex
syntax to serve this setup?

# about the mailing list manager
mailing list manager:
  mlmmj  (which is a MTA agnostic ezmlm clone)
list address:
  lis...@example.org
control commands:
  list01+subscr...@example.org
  list01+unsubscr...@example.org
  list01+h...@example.org
# VERP Return-Path:
  list01+bounces-12-john.doe=domain@example.org

# the tentative configuration: 
  virtual_alias_maps = cdb:/etc/postfix/virtual-alias-maps,
regexp:/etc/postfix/mlmmj-virtual-alias-maps 
/etc/postfix/mlmmj-virtual-alias-maps
  /^(list01.*)@example\.com$/ ${1}

  mlmmj_destination_recipient_limit = 1

  transport_maps = regexp:/etc/postfix/mlmmj-transport
/etc/postfix/mlmmj-transport
  /^(list01).*$/  mlmmj:$1

/etc/postfix/master.cf:
  # transport for the mlmmj mailing list
  mlmmj   unix  -       n       n       -       -       pipe flags=DORhu user=nobody
    argv=/usr/local/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop/

  $ postconf | grep default_privs
  default_privs = nobody

Thanks,
M.
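A small emulation of the regexp: lookups in this setup, added here as an example and not taken from the post or from Postfix: it parses the two table lines above, applies first-match-wins with `$1`/`${1}` expansion, and runs constructed addresses through the virtual alias rewrite and then the transport lookup. Postfix's own address rewriting between those two steps (appending `$myorigin` to a bare local part, for instance) is skipped, and the addresses and the example.com domain are constructed to fit the pattern as written.

```python
import re

# Emulation of Postfix regexp: table semantics for this example (not Postfix
# code): "/pattern/flags result", first match wins, $1 and ${1} expand to
# capture groups. Only the default case-insensitive match is modelled
# (Postfix's "i" flag is on by default).
TABLE_LINE = re.compile(r"^/((?:\\.|[^/])*)/(i?)\s+(\S.*)$")


def parse_regexp_table(text):
    """Parse table lines into (compiled pattern, result) pairs, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable regexp table line: {line!r}")
        pattern, _flags, result = m.groups()
        rules.append((re.compile(pattern, re.I), result))
    return rules


def lookup(rules, key):
    """First matching rule wins; $N / ${N} in the result become capture groups."""
    for pattern, result in rules:
        m = pattern.search(key)
        if m:
            return re.sub(r"\$\{?(\d+)\}?",
                          lambda g, m=m: m.group(int(g.group(1))) or "", result)
    return None


# The two tables from the post, reproduced as table text.
VIRTUAL_ALIAS_MAPS = r"/^(list01.*)@example\.com$/ ${1}"
TRANSPORT_MAPS = r"/^(list01).*$/ mlmmj:$1"

virtual_rules = parse_regexp_table(VIRTUAL_ALIAS_MAPS)
transport_rules = parse_regexp_table(TRANSPORT_MAPS)


def route(address):
    """Apply the virtual alias rewrite and then the transport lookup to one
    recipient. Returns (rewritten address, transport name, nexthop); the
    nexthop is what the pipe(8) entry sees as $nexthop."""
    rewritten = lookup(virtual_rules, address)
    if rewritten is None:
        rewritten = address
    transport = lookup(transport_rules, rewritten)
    if transport is None:
        return rewritten, None, None
    name, _, nexthop = transport.partition(":")
    return rewritten, name, nexthop


if __name__ == "__main__":
    # Constructed recipients: list traffic, a control command, an unrelated user.
    for addr in ["list01@example.com", "list01+subscribe@example.com",
                 "alice@example.com", "list01@example.org"]:
        print(f"{addr:30} -> {route(addr)}")
```

Two things the run makes visible that the config alone does not: the transport pattern `/^(list01).*$/` is anchored only on the local part, so any address beginning with `list01`, at whatever domain reaches transport_maps, is handed to the mlmmj transport; and the alias pattern only rewrites addresses at the domain literally spelled in it, so that domain has to be the list's real one (the post's list address is shown at example.org while the pattern says example\.com).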


Re: postqueue

2011-02-16 Thread Mark Alan
On Wed, 16 Feb 2011 13:03:37 +0300, Ejaz me...@cyberia.net.sa wrote:

 Postqueue -p command taking so long time to execute, start and
 stopping the postfix also the same,  in the meanwhile I checked
 server performance is quite normal, no load

Is your /etc/hosts sane?

M.


Re: How to parameterize postscreen to act like openbsd spamd

2011-02-10 Thread Mark Alan
On Wed, 9 Feb 2011 15:18:39 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:

 postscreen currently does not implement greylisting - smtpd(8)
 currently can do that with policy daemons.

Yes but they do it very late in the process
smtpd_recipient_restrictions =
 ...
 reject_unauth_destination, 
 check_policy_service inet:127.0.0.1:1
 ...

If possible, expensive tests like check_policy_service should be  in
postscreen, i.e., outside any real smtpd and processed even before
postscreen's first 451.

 As for the other features, perhaps you can translate them into
 plain language, and then we can see if there is an equivalent.

If it is not planned to enable postscreen to do greylisting,
then the purpose of my question is greatly reduced.

I know that any attempt at doing greylisting needs either some kind of
db, or probabilistic data structures like, for instance, Bloom filters
(the Gross Postfix greylister does just this), but if I am not wrong 2.8
already includes hooks for SQLite.

How would one configure postscreen's parameters to act like the
  spamd defaults, i.e., passtime = 25 m, greyexp to 4h, and whiteexp
  to 864h ?

It is all (and in better English than mine) at spamd's man page
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html



M.


How to parameterize postscreen to act like openbsd spamd

2011-02-09 Thread Mark Alan
Hello list,

The things that I miss from OpenBSD are spamd and pf (iptables are
almost there).

It seems that postscreen has the potential to, finally, replace spamd.

So, my question is:

  How would one configure postscreen's parameters to act like the spamd
  defaults, i.e., passtime = 25 m, greyexp to 4h, and whiteexp to 864h ?
  As may be seen in 'man spamd' http://goo.gl/ofTKj


Regards,

M.
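The spamd timers asked about in this post and in the follow-up above (passtime 25 minutes, greyexp 4 hours, whiteexp 864 hours), carried through in an added Python example of a tuple greylister; this is not postscreen, spamd or Gross code. The database is two in-memory dicts, the clock is passed in so the whole timeline runs instantly, and the SMTP reply strings, the sample addresses and the assumption that a whitelisted client's expiry is refreshed on each accepted connection are the example's own.

```python
# spamd's documented defaults as quoted in the posts, in seconds:
# passtime 25 min, greyexp 4 h, whiteexp 864 h (36 days).
PASSTIME = 25 * 60
GREYEXP = 4 * 3600
WHITEEXP = 864 * 3600

TEMPFAIL = "451 4.7.1 greylisted, try again later"   # constructed reply text
ACCEPT = "DUNNO"                                     # let later checks decide


class Greylister:
    """Tuple greylister with spamd-style timers. Two dicts stand in for the
    database (the post mentions SQLite or Bloom filters for the real thing);
    `now` is supplied by the caller so the behaviour is testable without
    waiting 25 minutes. Assumption: a whitelisted client's expiry is refreshed
    on every accepted connection."""

    def __init__(self):
        self.grey = {}    # (client_ip, sender, recipient) -> first_seen
        self.white = {}   # client_ip -> last_seen

    def expire(self, now):
        """Drop grey entries older than greyexp and white entries older than whiteexp."""
        self.grey = {k: t for k, t in self.grey.items() if now - t < GREYEXP}
        self.white = {ip: t for ip, t in self.white.items() if now - t < WHITEEXP}

    def check(self, now, client_ip, sender, recipient):
        self.expire(now)
        if client_ip in self.white:
            self.white[client_ip] = now
            return ACCEPT
        key = (client_ip, sender, recipient)
        first_seen = self.grey.get(key)
        if first_seen is None:
            self.grey[key] = now           # first contact: defer and remember it
            return TEMPFAIL
        if now - first_seen < PASSTIME:
            return TEMPFAIL                # retried too soon: keep deferring
        del self.grey[key]                 # retried after passtime, inside greyexp
        self.white[client_ip] = now        # the client behaves like a real MTA
        return ACCEPT


def simulate():
    """Constructed timeline; returns the decision for each attempt in order."""
    g = Greylister()
    t0 = 1_000_000
    ip1, ip2 = "198.51.100.20", "198.51.100.21"
    snd, rcpt = "alice@example.test", "bob@example.org"
    return [
        g.check(t0, ip1, snd, rcpt),                      # first contact: deferred
        g.check(t0, ip2, snd, rcpt),                      # another client, first contact
        g.check(t0 + 600, ip1, snd, rcpt),                # retry after 10 min: still deferred
        g.check(t0 + PASSTIME, ip1, snd, rcpt),           # retry at passtime: accepted, IP whitelisted
        g.check(t0 + PASSTIME + 60, ip1, "carol@example.test", rcpt),  # same IP, new sender: whitelisted
        g.check(t0 + GREYEXP + 1, ip2, snd, rcpt),        # grey entry expired: starts over
        g.check(t0 + PASSTIME + 60 + WHITEEXP, ip1, snd, rcpt),  # whitelist expired: deferred again
    ]


if __name__ == "__main__":
    for step, decision in enumerate(simulate(), 1):
        print(f"attempt {step}: {decision}")
```

The timeline is the part worth reading: a sender that retries too early stays deferred, one that retries between passtime and greyexp earns a whitelist entry for its IP that covers other senders too, and a sender that only comes back after greyexp is treated as brand new. Whatever implements this in front of a real smtpd needs those three windows persisted across restarts, which is what the database question in the post is really about.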


Re: Ubuntu/Debian Postfix 2.8.x repository

2011-02-07 Thread Mark Alan
On Mon, 7 Feb 2011 00:40:16 -0500, Victor Duchovni
victor.ducho...@morganstanley.com wrote:

 Debian Postfix has significant integration enhancements, dynamic
 loading of table drivers, Debian-specific SASL configuration
 directory, hostname setting in external file, ... Debian users should
 probably not build directly from unpatched Postfix source, unless
 they've not relied on any of the integrated features in the past, and
 do not plan to use them going forward.

Wise words indeed.


M.


Re: Ubuntu/Debian Postfix 2.8.x repository

2011-02-07 Thread Mark Alan
On Sun, 6 Feb 2011 22:22:52 +0100, Patrick Ben Koetter
p...@state-of-mind.de wrote:

 If there are significant differences that are not Debian related
 Stefan certainly has had reasons to add them.

That's certainly a way to view things and I respect your opinion.

But it is hard to see the rationale in, for instance:

diff -u tmp/postfix-2.8.0/conf/master.cf
lixo/postfix-2.8.0~cite/conf/master.cf ---
tmp/postfix-2.8.0/conf/master.cf2011-02-07 10:18:11.0
+ +++ lixo/postfix-2.8.0~cite/conf/master.cf2010-12-31
14:14:51.0 + @@ -8,49 +8,49 @@ # service type  private
unpriv  chroot  wakeup  maxproc command + args #   (yes)
(yes)   (yes)   (never) (100) #
==
-smtp  inet  n   -   -   -   -   smtpd
-#smtp  inet  n   -   -   -   1   postscreen
-#smtpd pass  -   -   -   -   -   smtpd
-#dnsblog   unix  -   -   -   -   0   dnsblog
-#tlsproxy  unix  -   -   -   -   0   tlsproxy
-#submission inet n   -   -   -   -   smtpd
+smtp  inet  n   -   n   -   -   smtpd
+#smtp  inet  n   -   n   -   1   postscreen
+#smtpd pass  -   -   n   -   -   smtpd
+#dnsblog   unix  -   -   n   -   0   dnsblog
+#tlsproxy  unix  -   -   n   -   0   tlsproxy
+#submission inet n   -   n   -   -   smtpd
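Review bot: the chroot column for smtp, postscreen, smtpd, dnsblog, tlsproxy and submission goes from `-` to `n` with no explanation, while the column header kept in the same hunk still shows that column's default as `(yes)`; so `-` meant "run chrooted" here and `n` switches every network-facing service out of its jail, a behaviour change that should be stated next to the entries (for example a `# chroot disabled for these services` comment line above `+smtp  inet  n  -  n  -  -  smtpd`) and in the package changelog, rather than left for a reader of the diff to infer from the header.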


M.


Re: Ubuntu/Debian Postfix 2.8.x repository [SOLVED]

2011-02-07 Thread Mark Alan
On Mon, 7 Feb 2011 17:49:38 +0100, Stefan Foerster
cite+postfix-us...@incertum.net wrote:

 [chroot disabled]
 ... and the mysql client libraries
 will then try to use the unix socket. This socket is, of course, not
 present in the chroot. 
 Now I know there are better ways around this - use proxymap(8), e.g.,
 but frankly, I don't ever want to be responsible for any person
 entering #postfix and asking why his mysql maps don't work.

The repository is yours. As such you are free to diverge from Debian
common practice of chrooting Postfix's smtpd.
Apparently you did so just to cope with the novice user that does
not know how to use MySQL with Postfix chrooted services.

As a matter of fact Postfix's original master.cf also disables chroot.

 Besides, I never understood why the Debian default installation
 chroots smtpd.

That would start another (off-topic) discussion: should apps facing the
net be chrooted? Does chroot improve security?
Personally I tend to think that chroot (as a security measure) is
greatly overrated.
But that is how Debian does it and we have to cope with these little
idiosyncrasies in order to be able to periodically do an 'apt-get
dist-upgrade' and just have everything upgraded, with all dependencies
taken care of and 'just working'.

A quick google search shows that, for years, Wietse has been answering
questions related with users trying to use chrooted parts of Postfix.

But, I wonder, in his machines does he use chroot or not?

 P.S: One last remark: My packages are tagged as experimental,
 meaning that apt(itude|-get) won't install them without further
 encouragement. I chose to do this for a reason.

Well, yes, there are many more differences that will be
shown by a simple diff -r postfix-2.8.0 postfix-2.8.0~cite.


Best regards,

M.


Re: Ubuntu/Debian Postfix 2.8.x repository -- general chroot question

2011-02-07 Thread Mark Alan
On Mon, 7 Feb 2011 14:21:39 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:

 Except for all those beginners that get into trouble because they
 use someone elses cookbook instructions instead of their own
 expertise.

And instead of being continuously consumed by same beginner questions,
wouldn't it be easier to have the most frequent usage cases (and the
related cookbooks) well documented in some kind of user continuously
improved wiki like dovecot or nginx are doing?

My background is qmail, not postfix. As such I tend to think much along
the lines set out in DJB's seminal paper "Some thoughts on security after
ten years of qmail 1.0": http://cr.yp.to/qmail/qmailsec-20071101.pdf

Having migrated from Debian to Ubuntu (which, unlike Debian, early on saw
Postfix and not Exim as the way to go) and due to growing spam-fighting
needs, I am a newcomer to Postfix.

From the outside, the way I see the Postfix project is:
  - has much of qmail's modular and paranoid distrust of code;
  - takes standards compliance very seriously;
  - very well documented; hélas, scientifically documented!;
  meaning that it will be possible to find a terse and clean
  description of almost any aspect of postfix (not so well in the
  matters related to security: encryption, ciphers & protocols).
  Unfortunately, if you aren't a scientist in this field and/or an
  expert in Postfix coding you will have a hard time understanding it.
  [Clear usage cases and (God forbid!) official cookbooks would be an
  added value.]
  - has a supportive and vibrant community: knowledgeable, friendly
  and usually with good humor.


And yes, I will continue to bother you with questions, bug reports,
patches (if I am ever up to such a difficult job), and all kinds of
disruptive ideas.


Please excuse my English as it is not my mother tongue.

Regards,

M.


Ubuntu/Debian Postfix 2.8.x repository

2011-02-06 Thread Mark Alan
Hello,


Do you know any reliable Debian/Ubuntu repositories for the
newest Postfix 2.8?

Regards,

M.


Gross greylist app. while we wait for Postfix 2.8 and its postscreen processor

2011-02-04 Thread Mark Alan
While we do not have Postfix 2.8 (in Debian/Ubuntu) and its postscreen
processor:

Is there someone on this list with experience of using the
Gross greylist app. with Postfix?
Is it stable?
Is it less resource hungry than greyfix or postgrey?
Does it have major problems?


Regards,

M.


Re: spammers getting better? help with filtering this one

2011-02-03 Thread Mark Alan
On Thu, 03 Feb 2011 04:36:26 -0500, Daniel Bromberg
dan...@basezen.com wrote:
 Those who can block this, how did you do it? I hope whatever
 technique(s) also help block many more like it.

Blocked here with bogofilter (bayesian header+body filter).


M.


Re: Looking for a maillist manager

2011-01-30 Thread Mark Alan
On Sun, 30 Jan 2011 07:19:48 +0200, Jaques Cochet
jcochet.li...@gmail.com wrote:

 I'm currently using qmail with the ezmlm maillist manager. I intend to
 move to postfix, and I'm looking for a mail list manager that stores
 maillist subscribers in a mysql database, includes posting permissions,
 and can handle several hundred mail lists. Any suggestions?

In terms of mail listing, postfix + mlmmj (http://mlmmj.org/) is roughly
equivalent to qmail + ezmlm.

But it will do its stuff using only plain text files, just like ezmlm.
I.e., 'touched' files to signal options, email addresses or header and
footer customization inside plain files.
On the other hand, just like ezmlm, there will be no daemons running and
no security problems associated with .cgi web interfaces, and most of
the admin stuff will be done by simple email messages sent by the
owners, admins, moderators, etc.


M.


Re: Order of policies?

2011-01-11 Thread Mark Alan
On Mon, 10 Jan 2011 23:04:31 +0100, mouss mo...@ml.netoyen.net wrote:
 On 10/01/2011 10:33, Mark Alan wrote:
  Well then, would the following order make sense?
  
  smtpd_recipient_restrictions = sleep 1,
  reject_unlisted_recipient, reject_unauth_pipelining,
  reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
  reject_non_fqdn_sender, reject_non_fqdn_recipient,
  reject_unknown_sender_domain, reject_unknown_recipient_domain,
  permit_sasl_authenticated, permit_mynetworks,
  reject_unauth_destination, check_policy_service inet:127.0.0.1:10031
  
 
 make that
 
 
 smtpd_recipient_restrictions =
   reject_non_fqdn_sender
   reject_non_fqdn_recipient
   permit_sasl_authenticated
   permit_mynetworks
   reject_unauth_destination
   sleep 1
   reject_unlisted_recipient
   reject_unlisted_sender
   reject_invalid_helo_hostname
   reject_non_fqdn_helo_hostname
   #reject_unknown_sender_domain
   #reject_rbl_client zen.spamhaus.org
   check_policy_service ${policy_service}
 
 details:
 
 - I am assuming that: you should queue errors for your own users (so
 permit_* comes soon)

Thank you for your time mouss.

I do not fully understand that. Let's see if I am able to follow you:
 Only after reject_unauth_destination, we start to analyze strangers
that were already checked to have a proper fqdn'ized mail to our domain:
  reject_unlisted_recipient: reject unknown recipient addresses
  reject_unlisted_sender: reject unknown sender addresses
  reject_invalid_helo_hostname: reject invalid (HE\|EH)LO host syntax
  reject_non_fqdn_helo_hostname: reject if (HE\|EH)LO not RFC fqdn

 - reject_unknown_recipient_domain is only useful in an MSA. and even
 then... (you want to bounce not reject. because MUAs are bad

I see your point and I deleted it.

Regarding 'reject_unlisted_sender', I am not able to see your point.

 - reject_unauth_pipelining is useless here. check the pipelining
 specs. (RCPT TO is an async command...)

I use 'smtpd_delay_reject = yes'

man 5 postconf | less +/per-session\ flag
shows this:
  'With Postfix 2.6 and later, the SMTP server sets a per-session flag
  whenever it detects illegal pipelining, including pipelined EHLO or
  HELO commands. The reject_unauth_pipelining feature simply tests
  whether the flag was set at any point in time during the session.'

I thought that this would ensure that reject_unauth_pipelining would
also do its work inside smtpd_recipient_restrictions.

 - experience here shows that reject_unknown_sender_domain only
 rejects legit mail.

This I do not understand, because also from man 5 postconf:
'when Postfix is not final destination for the sender address, and the
MAIL FROM address has no DNS A or MX record, or when it has a malformed
MX record'

If our server is not the final destination AND it may happen that 
there is no A and, at the same time, MX has problems.


Best regards,

M.


Re: Order of policies?

2011-01-10 Thread Mark Alan
On Sun, 9 Jan 2011 10:17:57 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:

 Jan Johansson:
  I have the following config:
  
  smtpd_recipient_restrictions = permit_mynetworks
  reject_unauth_destination check_policy_service inet:127.0.0.1:10031
 
 For that, specify reject_unlisted_recipient before permit_mynetworks.

Well then, would the following order make sense?

smtpd_recipient_restrictions = sleep 1,
reject_unlisted_recipient, reject_unauth_pipelining,
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, check_policy_service inet:127.0.0.1:10031

Regards,

M.
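The two "Order of policies?" messages above turn on one mechanism: Postfix walks a restriction list left to right and stops at the first restriction that answers PERMIT or REJECT, so the same restrictions in a different order give different results and different delays. The following is an added model of that walk, written for this archive and not Postfix's own code. It runs the three orders that appear in the thread (the original proposal with 'sleep 1' first, Wietse's minimal list, and mouss's reordering) over constructed sessions. Assumptions: check_policy_service is treated as a policy daemon that answers DUNNO, the implicit smtpd_reject_unlisted_recipient check and every other main.cf default are ignored, and only the explicit list is modelled.

```python
"""Model of how Postfix walks an smtpd_recipient_restrictions list.
Added example, not Postfix code.  Only the explicit list is modelled; the
policy daemon is assumed to answer DUNNO and every session is constructed."""
from dataclasses import dataclass, field

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


@dataclass
class Session:
    """One SMTP session as seen at RCPT TO (all values constructed)."""
    client_in_mynetworks: bool = False
    sasl_authenticated: bool = False
    recipient_is_local: bool = True      # domain in mydestination/relay_domains
    recipient_listed: bool = True        # address exists in local tables
    sender_is_local: bool = False
    sender_listed: bool = True
    sender_fqdn: bool = True
    recipient_fqdn: bool = True
    helo_valid: bool = True
    helo_fqdn: bool = True
    sender_domain_resolves: bool = True
    recipient_domain_resolves: bool = True
    pipelining_seen: bool = False        # Postfix's per-session pipelining flag
    delays: list = field(default_factory=list)


def _reject_if(cond):
    return REJECT if cond else DUNNO


# Restriction name -> decision; only the order of the list given to
# evaluate() matters, not the order of this table.
RESTRICTIONS = {
    "permit_mynetworks": lambda s: PERMIT if s.client_in_mynetworks else DUNNO,
    "permit_sasl_authenticated": lambda s: PERMIT if s.sasl_authenticated else DUNNO,
    "reject_unauth_destination": lambda s: _reject_if(not s.recipient_is_local),
    "reject_unlisted_recipient": lambda s: _reject_if(s.recipient_is_local and not s.recipient_listed),
    "reject_unlisted_sender": lambda s: _reject_if(s.sender_is_local and not s.sender_listed),
    "reject_non_fqdn_sender": lambda s: _reject_if(not s.sender_fqdn),
    "reject_non_fqdn_recipient": lambda s: _reject_if(not s.recipient_fqdn),
    "reject_invalid_helo_hostname": lambda s: _reject_if(not s.helo_valid),
    "reject_non_fqdn_helo_hostname": lambda s: _reject_if(not s.helo_fqdn),
    "reject_unknown_sender_domain": lambda s: _reject_if(not s.sender_domain_resolves),
    "reject_unknown_recipient_domain": lambda s: _reject_if(not s.recipient_domain_resolves),
    "reject_unauth_pipelining": lambda s: _reject_if(s.pipelining_seen),
}


def evaluate(restrictions, session):
    """Walk the list; return (verdict, restriction that decided).
    'sleep N' records a delay and continues; check_policy_service is assumed
    to answer DUNNO; an exhausted list falls through to Postfix's default permit."""
    for item in restrictions:
        if item.startswith("sleep "):
            session.delays.append(int(item.split()[1]))
            continue
        if item.startswith("check_policy_service"):
            continue
        verdict = RESTRICTIONS[item](session)
        if verdict != DUNNO:
            return verdict, item
    return PERMIT, "end of list (default permit)"


# The three orders discussed in the thread (commented-out entries omitted).
ORDER_OP = ["sleep 1", "reject_unlisted_recipient", "reject_unauth_pipelining",
            "reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname",
            "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
            "reject_unknown_sender_domain", "reject_unknown_recipient_domain",
            "permit_sasl_authenticated", "permit_mynetworks",
            "reject_unauth_destination", "check_policy_service inet:127.0.0.1:10031"]
ORDER_WIETSE = ["reject_unlisted_recipient", "permit_mynetworks",
                "reject_unauth_destination", "check_policy_service inet:127.0.0.1:10031"]
ORDER_MOUSS = ["reject_non_fqdn_sender", "reject_non_fqdn_recipient",
               "permit_sasl_authenticated", "permit_mynetworks",
               "reject_unauth_destination", "sleep 1",
               "reject_unlisted_recipient", "reject_unlisted_sender",
               "reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname",
               "check_policy_service inet:127.0.0.1:10031"]
ORDERS = {"op": ORDER_OP, "wietse": ORDER_WIETSE, "mouss": ORDER_MOUSS}


def compare(**session_fields):
    """Run one constructed session through every order.
    Returns {order_name: (verdict, decider, seconds_slept)}."""
    out = {}
    for name, order in ORDERS.items():
        s = Session(**session_fields)
        verdict, decider = evaluate(order, s)
        out[name] = (verdict, decider, sum(s.delays))
    return out


if __name__ == "__main__":
    cases = {"own client -> unknown local user": dict(client_in_mynetworks=True, recipient_listed=False),
             "stranger -> relay attempt": dict(recipient_is_local=False),
             "stranger, non-FQDN sender": dict(sender_fqdn=False),
             "stranger, clean session": {}}
    for label, fields in cases.items():
        print(label)
        for order, (verdict, decider, slept) in compare(**fields).items():
            print(f"  {order:7s} {verdict:6s} by {decider} (slept {slept}s)")
```

Two things the model makes visible that the thread only states: with 'sleep 1' at the head of the list every client, including your own relay clients and every relay attempt, pays the delay before any cheap syntax check runs, whereas in mouss's order the permit_* entries and reject_unauth_destination decide first and only strangers who survive the FQDN checks are slowed down; and for an own client sending to an unknown local address, Wietse's order rejects at RCPT while mouss's order accepts the message (so the error is queued and bounced to your own user), which is exactly the "queue errors for your own users" trade-off mouss describes.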


Is there a way to make Postfix 2.7.x stop announcing ETRN?

2011-01-09 Thread Mark Alan
While using Postfix 2.7.1 on an Ubuntu 10.10 server:

We disabled ETRN as stated in the 'Configuring the Postfix fast ETRN service'
section of ETRN_README.html

(...)
  smtpd_delay_reject = yes
  fast_flush_domains =
  mydestination = localhost.localdomain, localhost
  mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
  relay_domains = $mydestination
  smtpd_etrn_restrictions = 
(...)

The problem is that Postfix is still announcing 250-ETRN, and we are
being hit by very persistent machines that keep issuing:
  etrn some.domain.tld
just to get:
  459 some.domain.tld: service unavailable


Regards,

M.


Re: Is there a way to make Postfix 2.7.x stop announcing ETRN?

2011-01-09 Thread Mark Alan
On Sun, 09 Jan 2011 14:49:11 -0600, Noel Jones njo...@megan.vbhcs.org
wrote:

 http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keywords
 
 # main.cf
 smtpd_discard_ehlo_keywords = silent-discard, etrn

That works. Problem solved.

Thank you very much Noel.


M.
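A way to confirm the fix from the two ETRN messages above, as an added example that is not part of the thread: the EHLO reply is the only thing a remote client sees, so parsing it and checking whether ETRN is still among the announced keywords verifies the smtpd_discard_ehlo_keywords change. parse_ehlo() takes the raw reply text (pasted from a manual session or captured by smtplib); live_features() does the same against a running server and is not exercised by the test. The two replies embedded below are constructed for the example, not captured from any real server, and the host name in them is a placeholder.

```python
"""Check which ESMTP keywords a server announces in its EHLO reply.
Added example, not part of the original thread; BEFORE/AFTER are constructed."""
import smtplib


def parse_ehlo(reply: str) -> dict:
    """Return {KEYWORD: parameters} from a multi-line 250 EHLO reply.
    Lines look like '250-SIZE 10240000' (continuation) or '250 DSN' (last);
    the first line is the server's greeting and carries no keyword."""
    features = {}
    lines = [ln.rstrip("\r") for ln in reply.strip().splitlines()]
    for ln in lines[1:]:
        if len(ln) < 4 or not ln.startswith("250") or ln[3] not in "- ":
            raise ValueError(f"not an EHLO reply line: {ln!r}")
        body = ln[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params
    return features


def announces(reply: str, keyword: str) -> bool:
    """True if the reply advertises the given keyword (case-insensitive)."""
    return keyword.upper() in parse_ehlo(reply)


def live_features(host: str, port: int = 25, helo: str = "check.example") -> dict:
    """Same check against a running server (needs network; not run by the test).
    smtplib stores the announced keywords, lowercased, in esmtp_features."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, _ = smtp.ehlo(helo)
        if code != 250:
            raise RuntimeError(f"EHLO failed with {code}")
        return {k.upper(): v for k, v in smtp.esmtp_features.items()}


# Constructed replies: before and after
#   smtpd_discard_ehlo_keywords = silent-discard, etrn
BEFORE = """250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
AFTER = """250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

if __name__ == "__main__":
    for label, reply in (("before", BEFORE), ("after", AFTER)):
        print(label, "announces ETRN:", announces(reply, "etrn"))
```

Because the parser validates the '250-' / '250 ' prefix of every line, a reply pasted with a stray banner line or a truncated capture raises ValueError instead of silently reporting that a keyword is absent.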