Re: Password mismatch. Might the md5usm be wrong?
On Sun, 7 Jul 2013 11:29:55 +0300, Dotan Cohen dotanco...@gmail.com wrote:

> On an Ubuntu Server 12.04 system with Dovecot 2.0.19 I am having some
>
> $ /usr/bin/doveadm pw -u u...@somedomain.com -s DIGEST-MD5
> Enter new password:   # Here I have typed 12345
> {DIGEST-MD5}f4e442b0dec5009eaa8b9b4104923edc
>
> $ printf 12345 | md5sum
> 827ccb0eea8a706c4c34a16891f84e7b  -
>
> Shouldn't that password match the md5sum check? Also, might I have the file formats wrong?

The best place for this question is the Dovecot mailing list. That said, as a hint you should look at:
http://wiki2.dovecot.org/Tools/Doveadm/Pw

While at that page, if you go to the part about '-u user' it clearly reads: 'When the DIGEST-MD5 scheme is used, also the user name must be given, because the user name is a part of the generated hash.'

Where in 'printf 12345 | md5sum' is that (required) user name?

M.
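The point made above, that the DIGEST-MD5 scheme folds the user name into the hash, can be checked from the same shell the original poster used. The script below is an added example and is not code from the thread or from the Dovecot project. It assumes what the Dovecot password-scheme documentation describes for DIGEST-MD5: a hex MD5 over the string user:realm:password, with the realm being the domain part of the login name (empty when the login has no '@'). The login names are constructed; compare the output against doveadm pw -s DIGEST-MD5 -u on a real system before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce Dovecot's DIGEST-MD5
# password scheme from the shell and compare it with a plain MD5 of the
# password alone. Assumption: hash = hex(MD5("user:realm:password")),
# realm = domain part of the login name, empty if there is no '@'.

# Hex MD5 of a string. printf '%s' feeds no trailing newline to md5sum,
# which is what the original `printf 12345 | md5sum` did as well.
md5_hex() {
    printf '%s' "$1" | md5sum | awk '{ print $1 }'
}

# Plain MD5 of the password only (what `printf 12345 | md5sum` yields).
plain_md5() {
    md5_hex "$1"
}

# Dovecot-style DIGEST-MD5 hash for LOGIN and PASSWORD, printed with the
# {DIGEST-MD5} prefix that `doveadm pw -s DIGEST-MD5` prepends.
dovecot_digest_md5() {
    login=$1
    password=$2
    case $login in
        *@*) user=${login%%@*}; realm=${login#*@} ;;
        *)   user=$login;       realm= ;;
    esac
    printf '{DIGEST-MD5}%s\n' "$(md5_hex "$user:$realm:$password")"
}

# Verify a candidate password against a stored {DIGEST-MD5} string.
# Exit status 0 when it matches, 1 otherwise, so it works inside `if`.
check_digest_md5() {
    login=$1
    candidate=$2
    stored=$3
    [ "$(dovecot_digest_md5 "$login" "$candidate")" = "$stored" ]
}

# Demo with constructed logins; 12345 is the password typed in the thread.
demo() {
    echo "plain md5(12345):                 $(plain_md5 12345)"
    echo "DIGEST-MD5 alice@example.com:     $(dovecot_digest_md5 alice@example.com 12345)"
    echo "DIGEST-MD5 alice@other.org:       $(dovecot_digest_md5 alice@other.org 12345)"
    if check_digest_md5 alice@example.com 12345 \
         "$(dovecot_digest_md5 alice@example.com 12345)"; then
        echo "verify alice@example.com / 12345: match"
    fi
}

demo
```

The three printed hashes differ from each other: the user name and the realm are both inputs, so the same password yields a different stored value for every login, and a bare md5sum of the password can never match.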
Re: Forwarding from a particular email address
On Thu, 11 Apr 2013 03:01:58 +0300, Indiana Jones indian...@inbox.lv wrote:

> > # for single address
> > printf "us...@example1.com us...@example2.com\n" >> /etc/postfix/virtual
> > # for multiple addresses
> > printf "us...@example1.com us...@example2.com\nus...@example3.com us...@example4.com\n" >> /etc/postfix/virtual
>
> Thank you very much! I edited main.cf and created the file /postfix/virtual and followed all these steps, but this way Postfix does not leave copies of the forwarded messages on the server. I need postfix to leave a copy of the forwarded message so that it can also be collected locally by the recipient! i.e. the recipient wants to receive his incoming mail on the two different addresses simultaneously! Could you possibly explain how to do that?

Try to also map each address to itself:

us...@example1.com us...@example1.com
us...@example1.com us...@example2.com
us...@example3.com us...@example3.com
us...@example3.com us...@example4.com

M.
Re: Forwarding from a particular email address
On Thu, 11 Apr 2013 06:56:13 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:

> That should be:
>
> us...@example1.com us...@example1.com us...@example2.com
> us...@example3.com us...@example3.com us...@example4.com

Makes sense, and perhaps it seems obvious to the postfix developers, but I do not remember seeing such a use case (a /etc/postfix/virtual file with "user1 -> user1 user2") in the postfix documentation, namely neither at:
http://www.postfix.org/ADDRESS_REWRITING_README.html
nor at:
http://www.postfix.org/VIRTUAL_README.html

M.
Re: Forwarding from a particular email address
On Wed, 10 Apr 2013 15:32:14 +0300, Indiana Jones indian...@inbox.lv wrote:

> Thank you, but I don't have file /postfix/virtual
> What should I do? Create one?

Use any text editor and create it. Or, you can try something like this:

# for single address
printf "us...@example1.com us...@example2.com\n" >> /etc/postfix/virtual

# for multiple addresses
printf "us...@example1.com us...@example2.com\nus...@example3.com us...@example4.com\n" >> /etc/postfix/virtual

M.
Re: Could you help me with Postfix + MimeDefang?
On Mon, 04 Feb 2013 22:13:14 -0500, Bill Cole postfixlists-070...@billmail.scconsult.com wrote:

> alternative to hooking the MD milter into your main smtpd would be to define a transport in master.cf running smtpd with MD as a milter, and use postfix's transport map to route just the one address there. This would also allow you to avoid the ugly problem of envelope recipient splitting inside MD.

Well, that was also my gut feeling; that was why I posted here, to try to find some (solid) evidence.

So, assuming MD SPOOLDIR='/var/spool/postfix/mimedefang' and SOCKET='/var/spool/postfix/mimedefang/mimedefang.sock', would the following do the job?

postconf -e 'virtual_alias_maps = /etc/postfix/virtual-alias-maps'

# /etc/postfix/virtual-alias-maps
mailing_lis...@example.com mailing_list_1@localhost.mlmmj
...

postconf -e 'transport_maps = /etc/postfix/virtual-transport'

# /etc/postfix/virtual-transport
mailing_list_1@localhost.mlmmj filteredmlmmj:mailing_list_1
...

# /etc/postfix/master.cf
# transport for the mlmmj mailing lists
mlmmj unix - n n - - pipe
  flags=ORhu user=mlmmj argv=/usr/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop
# filtered transport for the mlmmj mailing list manager
filteredmlmmj unix - - - - - mlmmj
  -o smtpd_milters = unix:mimedefang/mimedefang.sock

Please note, in this last statement, 'unix', 'mlmmj' and '-o smtpd_milters' and the 5 dashes.

> You can probably get a more complete answer on the MD mailing list.

Not at all. The stated problem is an old problem. I have researched extensively a lot of discussions about this subject both in the MD list and in the postfix list (and a lot of useless 'recipes' too). People tend to see this issue as some sort of magically solved hit-or-miss issue. And the people that develop MD seem to be more in the business of selling canned solutions (pun intended) than into producing good and clear documentation.

> Also note that configuring MD means writing a collection of Perl functions with predefined interfaces to implement the message filtering. If you are not comfortable writing Perl,

No problem with the needed Perl functions.

> MD may not be the right tool for you.

MD is certainly resource hungry. But I do not know any other app that meets the specs: convert html-text, remove unsafe attachments (offenders with known ext's), remove+webserve file attachments larger than 500KB.

Right now we are piping email into altermime --input=- --removeall, but altermime is orphaned/abandonware and it does not do that file attachment remove+webserve job.

Thank you,
Mark.
Could you help me with Postfix + MimeDefang?
Hello list,

I would like to use MimeDefang to sanitize the emails that arrive at one of our 3 mailing lists, i.e., to convert html-text, remove unsafe attachments, and remove+webserve file attachments larger than 500KB.

There are few tutorials on this subject and most, like Mickey Hill's http://www.mickeyhill.com/mimedefang-howto , ask for the installation of sendmail and present a config tightly coupled with sendmail internals (the real sendmail, not postfix's sendmail).

Could you please provide (or point to) a couple of working examples on how to set up mimedefang with postfix (would it be better done as a transport+filter, or as a milter?) and, if possible, throw some light on the advantages/disadvantages of each alternative?

Thank you,
Mark

PS: My current setup uses postfix 2.9.3 + mlmmj 1.2.18 + ubuntu 12.04, to manage 2 low volume mailing lists (< 300 subscribers and less than 50 emails/month), as follows:

MAILING_LIST_1 mailing_lis...@example.com
MAILING_LIST_2 mailing_lis...@example.com

postconf -e 'virtual_alias_maps = /etc/postfix/virtual-alias-maps'

# /etc/postfix/virtual-alias-maps
mailing_lis...@example.com mailing_list_1@localhost.mlmmj
mailing_lis...@example.com mailing_list_2@localhost.mlmmj

postconf -e 'transport_maps = /etc/postfix/virtual-transport'

# /etc/postfix/virtual-transport
mailing_list_1@localhost.mlmmj mlmmj:mailing_list_1
mailing_list_2@localhost.mlmmj mlmmj:mailing_list_2

# /etc/postfix/master.cf
# transport for the mlmmj mailing list manager
mlmmj unix - n n - - pipe
  flags=ORhu user=mlmmj argv=/usr/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop
Re: Could you help me with Postfix + MimeDefang?
On Mon, 04 Feb 2013 09:40:41 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> On 2/4/2013 4:14 AM, Mark Alan wrote:
> > I would like to use MimeDefang to sanitize the emails that arrive at one of our 3 mailing lists, i.e., to convert html-text, remove unsafe attachments, and remove+webserve file attachments larger than 500KB.
> > There are few tutorials on this subject and most, like Mickey Hill's http://www.mickeyhill.com/mimedefang-howto , ask for the installation of sendmail and present a config tightly coupled with sendmail internals (the real sendmail, not postfix's sendmail).
> > Could you please provide (or point to) a couple of working examples on how to set up mimedefang with postfix (would it be better done as a transport+filter, or as a milter?) and, if possible, throw some light on the advantages/disadvantages of each alternative?
> > Thank you, Mark
>
> mimedefang works as a milter, so that's how you must interface it with postfix.
> .../...
> the config details you will mostly be interested in:
> http://www.postfix.org/MILTER_README.html#config

First, thank you Noel for sharing your experience and spending your time trying to help.

Regarding mimedefang, and its ability to work as a milter, and the general setup of a milter under postfix, well... I have been there and done that (in due time, I even described in this list the config that we use to run opendkim as a milter, communicating by a unix socket with a chrooted postfix).

But the question here was entirely different:

... to use MimeDefang to sanitize the emails that arrive at ONE of our 3 mailing lists

The problem was not to apply mimedefang to all incoming mail (like a milter base config usually does). The problem is how to do it in order to process a SINGLE target email address (the address of a given mailing list), without consuming unnecessary machine resources, i.e., without miltering all the email that arrives at the postfix server.

That was why I also attached the main.cf/master.cf filter+transport config that we use to pipe the emails addressed to mailing lists into the mailing list management software.

Thank you,
Mark
Re: Bounces back to myself
On Tue, 04 Dec 2012 10:10:05 +0200, Muzaffer Tolga Özses to...@ozses.net wrote:

> ...
> append_dot_mydomain = no
> biff = no
> inet_interfaces = all
> recipient_delimiter = +
> relayhost =

You don't need to be re-declaring the postfix default settings again. Try whether the following helps simplify your main.cf:

(postconf -d;postconf -n)|sort|uniq -d

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> ...

We also have set up our postfix+dovecot using:

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot

But we opt for:

mailbox_command =
smtpd_sasl_local_domain =
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

And, for insurance, we leave mailbox_size_limit at its default value (the safe and very reasonable 5120).

We use cdb instead of mysql so I am afraid that I cannot help you with the mysql part. The last time we checked for postfix+dovecot+mysql we settled for something based on this:
http://library.linode.com/email/postfix/dovecot-mysql-ubuntu-10.04-lucid

I hope this helps you.

Mark
Re: Is postscreen really this good? [how to configure postscreen]
On Wed, 10 Oct 2012 10:43:47 -0500, Paul Schmehl g...@stovebolt.com wrote:

> readme files, but some of this stuff is above my pay grade. I get confused and am not sure what to do.

In order to benefit from postscreen you need to change both master.cf and main.cf. Assuming that you are starting with a fresh Postfix install:

I. To change master.cf:
a) comment out the line that starts with smtp and ends with smtpd
b) uncomment the lines that start with smtpd and end in pass, or the lines that have the following terms in them: 'postscreen', 'dnsblog', 'tlsproxy'

In a debian/ubuntu linux you would only need to execute the following single line command as root:

sed -i 's,^smtp .*smtpd$,#,;/\(smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)/s/^#//' /etc/postfix/master.cf

II. To change main.cf (maybe it will be safer for you to use the postconf -e '' construct, instead of editing main.cf directly). You could start with the following:

a) to enforce tests and log attempts
postconf -e 'postscreen_blacklist_action = enforce'
postconf -e 'postscreen_dnsbl_action = enforce'
postconf -e 'postscreen_greet_action = enforce'

b) to benefit from RBL lists
# ( do check options at: http://www.sdsc.edu/~jeff/spam/cbc.html )
postconf -e 'postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, dnsbl.sorbs.net'
postconf -e 'postscreen_dnsbl_threshold = 1'

c) to enable (more expensive) tests after the 220 SMTP greeting
postconf -e 'postscreen_pipelining_enable = yes'
postconf -e 'postscreen_non_smtp_command_enable = yes'
postconf -e 'postscreen_bare_newline_action = enforce'
postconf -e 'postscreen_bare_newline_enable = yes'

All other postscreen related settings will work rather well at their default values. Probably you will not need to explicitly set them.

Finally, remember that changes at master.cf need a Postfix restart (a simple 'reload' won't be enough). So, after executing the above commands, run as root:

/etc/init.d/postfix restart

Regards,
Mark
Re: [SOLVED] Postfix 2.9.x vs iptables 1.4.x interaction issues under Debian/Ubuntu
On Sun, 29 Jul 2012 00:33:49 +0200, Reindl Harald h.rei...@thelounge.net wrote:

> On 28.07.2012 20:03, Mark Alan wrote:
> > > The solution is to exempt traffic sent from the machine from the rate controls.
> >
> > In 2012, in a server facing the net and running other services besides mail, I would not call it a safe bet. In the event (that must be accounted for) of an intrusion, one should consider that a syn flood DOS isn't an exclusive of the INPUT stream
>
> if you do not trust your OUTGOING traffic the only valid reason is that you doubt your machine is compromised

[The problem, as said in another email, is (mostly) solved]

- I do not trust anything connected 24h to the Internet.
- I do not trust anything in a Xen VPS that sits in a datacenter owned / managed / maintained by I do not know exactly who.
- I do not trust any software, open source or otherwise, that has a level of complexity high enough to not be fully understood by the installer, maintainer, user, etc.

[ Just google for OpenSSH FBI backdoor. Its IPSEC stack was a relatively small but nevertheless highly sensitive piece of software. Look how it managed to elude, for so many years, so many security conscious people, including most of the more security conscious developers around: the developers of OpenBSD - the Ultra-Secure Operating System. ]

This 'thing' just became so complex and with so many variables that it became impossible to know them all and to account for them all. We can only reduce the size of the target and make it a little more difficult to break in. And that is why we keep an eye on syslog and cousins and ask for help here on this list when we start to see firewall drop-outs related with Postfix.

> and NO a synflood will never come in the OUTPUT stream except your machine is compromised, but if so shut it down

I am afraid that time will show you otherwise. These systems are not 'simple', not even 'complicated', they are real 'complex systems'. And, worse, with so many knowledgeable people with time and resources to invest into breaking these systems, these are now real 'complex adaptive systems'.

Thank you,
M.
Re: Postfix 2.9.x vs iptables 1.4.x interaction issues under Debian/Ubuntu
On Fri, 27 Jul 2012 19:43:59 +0100, Mark Alan va...@e-healthexpert.org wrote:

> after upgrading to Postfix 2.9.x, using I am now finding a lot of syslog entries like these:
> /var/log/syslog:Jul 27 12:00:32 mx kernel: [485xxx.x] FW DROP-OUT IN= OUT=eth0 SRC=xx.xxx.xxx.xx DST=xxx.xx.xxx.xx LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=x DF PROTO=TCP SPT=x DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0

A more thorough check revealed that this only happens when requesting VERP style delivery to process a mailing list.

Has anything changed in Postfix 2.9.x VERP processing?

My VERP settings include:

postconf -n | grep 'verp\|recipient_delimiter'
recipient_delimiter = +
smtpd_authorized_verp_clients = $mynetworks

The mailing list is managed by mlmmj (which is an ezmlm clone that works with Postfix under Linux).
mlmmj adds XVERP=-= to the MAIL FROM: line.
mlmmj needs to set =-= to be able to process owner-listname internally.
mlmmj sets verp recipients to 100.

grep 'foo:' /etc/aliases   # foo is a mailing list = 1000 subscribers
foo: "|/usr/bin/mlmmj-receive -L /var/spool/mlmmj/foo/"

Any other thoughts?

Thank you,
M.
Re: Postfix 2.9.x vs iptables 1.4.x interaction issues under Debian/Ubuntu
On Sat, 28 Jul 2012 13:48:55 +0200, Benny Pedersen m...@junc.org wrote:

> On 2012-07-27 20:43, Mark Alan wrote:
> > While using Postfix 2.9.3, iptables 1.4.12, under Ubuntu 12.04 LTS, after upgrading to Postfix 2.9.x, using
>
> suggest here apt-get install shorewall

I am afraid that shorewall is just a front end to iptables. Using that exact same iptables configuration with qmail (instead of Postfix 2.9.x) does not raise any firewall drop-outs.

Thank you,
M.
[SOLVED] Postfix 2.9.x vs iptables 1.4.x interaction issues under Debian/Ubuntu
On Sat, 28 Jul 2012 14:42:59 +, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Sat, Jul 28, 2012 at 09:10:34AM -0400, Wietse Venema wrote:
> > Thus, VERP increases the number of parallel connections. This may result in overflow of state tables in under-powered stateful routers, causing them to drop packets that don't match any existing state.
>
> Or perhaps the state tables don't overflow, but rate limits apply regardless of connection state. In fact that would be correct behaviour I think. Rate enforcement has little to do with whether the connection table is full or not...

[SOLVED] It was rate limiting kicking in. As it should.

I was unaware that Postfix could be so fast while VERP'ing. This postfix setup resides in a fairly modest Xen VPS server. Due to strict policies that we must comply with, it has fairly conservative --limit and --limit-burst settings. And, as expected, when those limits are topped, those extra packets get logged and trapped by the final -A OUTPUT -j DROP.

> I would guess that the OP's iptables configuration unwisely fails to discriminate between incoming and outgoing traffic.

Not in this case. All streams (and not only INPUT and OUTPUT) are fully discrete, have their own needs and their own policies.

> The solution is to exempt traffic sent from the machine from the rate controls.

In 2012, in a server facing the net and running other services besides mail, I would not call it a safe bet. In the event (that must be accounted for) of an intrusion, one should consider that a syn flood DOS isn't an exclusive of the INPUT stream.

Thank you all,
M.
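The log line quoted in the 27 Jul message and this [SOLVED] follow-up point at the same diagnostic: count how many outbound packets to port 25 the firewall dropped per second and set that against the --limit/--limit-burst values of the OUTPUT chain. The script below is an added example, not code from the thread. Its log lines are constructed (RFC 5737 documentation addresses, and the "FW DROP-OUT" log prefix taken from the thread), and the per-second peak it reports is an approximation of the burst size the rule saw, not a reading of the rule's own token bucket.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables "FW DROP-OUT"
# kernel log lines so that bursts of dropped outbound SMTP packets
# (DPT=25) can be compared with --limit/--limit-burst on OUTPUT.
# The sample lines are constructed; addresses are documentation ranges.

sample_log() {
    cat <<'EOF'
Jul 27 12:00:32 mx kernel: [485001.1] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0
Jul 27 12:00:32 mx kernel: [485001.2] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0
Jul 27 12:00:32 mx kernel: [485001.3] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0
Jul 27 12:00:32 mx kernel: [485001.4] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=443 WINDOW=26280 RES=0x00 SYN URGP=0
Jul 27 12:00:33 mx kernel: [485002.1] FW DROP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=25 WINDOW=26280 RES=0x00 ACK PSH URGP=0
Jul 27 12:00:33 mx kernel: [485002.2] FW DROP-IN IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

# Dropped outbound packets to PORT (default 25) per second, read from
# stdin; prints one "HH:MM:SS count" line per second, sorted by time.
# Field $3 of a syslog kernel line is the HH:MM:SS timestamp.
drop_out_per_second() {
    port=${1:-25}
    awk -v port="$port" '
        /FW DROP-OUT/ {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == ("DPT=" port)) hit = 1
            if (hit) count[$3]++
        }
        END { for (t in count) print t, count[t] }' | sort
}

# Largest number of drops in any single second: the figure to set
# against --limit-burst when judging whether the rate rule fired.
peak_drop_out_per_second() {
    drop_out_per_second "$1" |
        awk '{ if ($2 + 0 > max + 0) max = $2 + 0 } END { print max + 0 }'
}

# Number of distinct destination hosts among the drops to PORT: a rough
# count of how many parallel (VERP) deliveries were in flight.
drop_out_destinations() {
    port=${1:-25}
    awk -v port="$port" '
        /FW DROP-OUT/ {
            dst = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i == ("DPT=" port)) hit = 1
            }
            if (hit && dst != "") seen[dst] = 1
        }
        END { n = 0; for (d in seen) n++; print n }'
}

sample_log | drop_out_per_second 25
echo "peak drops/second to port 25: $(sample_log | peak_drop_out_per_second 25)"
echo "distinct destinations:        $(sample_log | drop_out_destinations 25)"
```

On a real host, replace sample_log with grep 'FW DROP-OUT' /var/log/syslog; inbound drops ("FW DROP-IN" here) and other ports are ignored, so the counts isolate the OUTPUT-chain SMTP case the thread is about.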
Re: STARTTLS problems
On Tue, 24 Apr 2012 19:42:20 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:

> So, TLSv1.2 is giving trouble.
> ...
> Works with OpenSSL 1.0.1a with smtp_tls_protocols = !TLSv1.2:
> ...
> So it is a good thing that I put out those updates today.
> ...
> Which leaves me wondering how other MTAs deal with this. Given the way OpenSSL works, there is no way for a program to specify what TLS protocols it wants to use. Instead, a program can only specify what TLS protocols it does not want. This means that new code needs to be added whenever a new protocol is added to OpenSSL, otherwise that protocol can't be turned off.

While the postfix updates do not get into each distribution's repositories, should we use the following?

postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'

M.
Re: STARTTLS problems
On Wed, 25 Apr 2012 10:07:19 +0100, Mark Alan va...@e-healthexpert.org wrote:

> While the postfix updates do not get into each distribution's repositories, should we use the following?
> postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
> postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'

Never mind. I have seen the answer elsewhere in this mailing list.

M.
Re: Behavior of postscreen_access_list = static:retry
On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema wie...@porcupine.org wrote:

> Mark Alan:
> > Would the following be an acceptable way to do it?
> > postconf -e 'postscreen_access_list = reject'
> > postconf -e 'soft_bounce = yes'
> >
> > > Only if this is documented.
> >
> > The soft_bounce parameter is listed on the postscreen(8) manpage; this is perhaps a sufficient promise to match user expectations and so I would expect it to work. Sadly it does not. Although postscreen marks it as BLACKLISTED, then tlsproxy kicks in and lets the email pass:
>
> Only because you failed to configure postscreen_blacklist_action = drop.
>
> Wietse

Not exactly a failure, as doing so would instruct postscreen to simply DISCONNECT (i.e., drop the connection immediately). In which case a single 'master_service_disable = inet' would be more elegant and similarly effective.

My question should have been: using only the frugal postscreen resources, is there a way to achieve something like 'postscreen_blacklist_action = defer', i.e., to configure it to immediately NOQUEUE all connections with a 450 SMTP reply?

Thank you,
M.
Re: Behavior of postscreen_access_list = static:retry
On Tue, 31 Jan 2012 06:17:39 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> You need to set both postscreen_blacklist_action = drop and soft_bounce = yes. The soft_bounce changes the 521 hangup into a 421 hangup.

Thank you Noel,

If we wanted a mere 4.x.x hangup, it would be more elegant to set a single 'master_service_disable = inet', as Viktor Dukhovni pointed out.

> Alternately, you can use postscreen_blacklist_action = enforce with soft_bounce = yes. This delays the 450 reject until the client sends recipient information.

The intention is not to delay until some other event, either. The intention is to simply have postscreen immediately answer '450 Service currently unavailable' to all connections (friend or foe) that are presented to it.

So, ideally:
a) postscreen must answer. It is not enough to simply drop the connection as 421 does;
b) it must answer as it does at every first encounter with a new IP, i.e., with a '450 Service currently unavailable'.

I did not imagine that it would be so difficult to configure postscreen/postfix to achieve such a simple specification.

Thank you,
M.
Re: Behavior of postscreen_access_list = static:retry
On Mon, 30 Jan 2012 21:50:52 +, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Mon, Jan 30, 2012 at 09:26:42PM +, Mark Alan wrote:
> > Is there any other way to make the postscreen/postfix combination temporarily defer all incoming emails with '450 4.3.2 Service currently unavailable' (in order to give us some time to migrate the postfix server to some other IP)?
>
> Just turn off the SMTP listener. This is functionally identical to a 4.X.X reject and saves resources on both client and server.

Thank you Viktor,

In this particular setup I really need to have the server answering: "Don't worry, I am alive but right now I am not able to accept your email", i.e., 450 Service currently unavailable.

> > The documentation for the postscreen_access_list parameter.
> > Would the following be an acceptable way to do it?
> > postconf -e 'postscreen_access_list = reject'
> > postconf -e 'soft_bounce = yes'
>
> Only if this is documented.

The soft_bounce parameter is listed on the postscreen(8) manpage; this is perhaps a sufficient promise to match user expectations and so I would expect it to work. Sadly it does not. Although postscreen marks it as BLACKLISTED, then tlsproxy kicks in and lets the email pass:

Jan 30 23:12:36 mx postfix/postscreen[11975]: CONNECT from [74.125.82.181]:61868
Jan 30 23:12:36 mx postfix/postscreen[11975]: BLACKLISTED [74.125.82.181]:61868
Jan 30 23:12:42 mx postfix/tlsproxy[11978]: CONNECT from [74.125.82.181]:61868
Jan 30 23:12:42 mx postfix/tlsproxy[11978]: setting up TLS connection from [74.125.82.181]:61868
Jan 30 23:12:42 mx postfix/tlsproxy[11978]: Anonymous TLS connection established from [74.125.82.181]:61868: TLSv1 with cipher RC4-SHA (128/128 bits)

> This said, it is far simpler to turn off SMTP service.
>
> # postconf -e 'master_service_disable = inet'
> # postfix reload

That is true. I too prefer to keep setups simpler (and near to the default configuration). But in this particular setup it does not help at making my server send, to every connection attempt, a 450 Service currently unavailable.

Again, thank you Viktor for your time.

M.
Re: SSL3_GET_CLIENT_HELLO:wrong version number
On Sun, 22 Jan 2012 20:03:09 -0500 (EST), Wietse Venema wie...@porcupine.org wrote:

> Mark Alan:
> > /var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]: warning: TLS library problem:2797:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:771:
>
> Does your SMTP server accept SSLv3 connections?

It seems that it should renegotiate (to TLSv1) a connection from:

openssl s_client -crlf -starttls smtp -connect mail.example.com:587

But it does not. It fails with a "Secure Renegotiation IS NOT supported".

Although it is capable of a perfectly good TLSv1 connection from:

openssl s_client -crlf -starttls smtp -connect mail.example.com:587 -tls1

# grep -A 9 'submission' /etc/postfix/master.cf
submission inet n - - - - smtpd
  -o syslog_name=postfix-submission
  -o tls_preempt_cipherlist=yes
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_mandatory_protocols=TLSv1
  -o smtpd_tls_exclude_ciphers=AES128,DES,3DES,CAMELLIA128,MD5,aNULL
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

> Should your SMTP server accept such connections?

It should renegotiate and accept an openssl s_client TLS connection. In 'man s_client' we can find:

"By default the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. Unfortunately there are a lot of ancient and broken servers in use which cannot handle this technique and will fail to connect."

Mark
Re: Postfix 2.8 + and Berkeley DB 4.7
On Sat, 21 Jan 2012 18:38:48 -0700, The Doctor doc...@doctor.nl2k.ab.ca wrote:

> Any issues with Berkeley DB 4.7 with current Postfix ?

With:
libdb4.8 4.8.30
postfix 2.8.5

Every 4 hours we get a lot of:

(...) postfix/postscreen[]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)

M.
SSL3_GET_CLIENT_HELLO:wrong version number
While using Ubuntu 10.10, postfix 2.8.5-2, openssl 0.9.8o:

Socket Layer (SSL) binary and related cryptographic tools
ii  postfix  2.8.5-2~build0.10.10  High-performance

We are getting a few of these:

/var/log/mail.log:Jan 22 19:09:28 mx postfix-submission/smtpd[2797]: connect from mail.example.com[xx.xx.xx.xx.xx]
/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]: setting up TLS connection from mail.example.com[xx.xx.xx.xx.xx]
/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]: SSL_accept error from mail.example.com[xx.xx.xx.xx.xx]: -1
/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]: warning: TLS library problem:2797:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:771:
/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]: lost connection after STARTTLS from mail.example.com[xx.xx.xx.xx.xx]
/var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]: disconnect from mail.example.com[xx.xx.xx.xx.xx]

Should we worry? Is it any known glitch?

Regards,
M.
Re: Declaring options for submission port daemon
On Thu, 19 Jan 2012 17:10:00 -0500 (EST), Wietse Venema wie...@porcupine.org wrote:

> I found these with:
> postconf | grep '[A-Z][A-Z][A-Z]:' :-)

postconf | grep '[A-Z][A-Z][A-Z]:' :-) results in:

bash: syntax error near unexpected token `)'

... and at my system man grep refuses to show what that last :-) switch stands for.

M.
Re: postscreen supersedes fqrdns.pcre table
On Sun, 15 Jan 2012 11:04:21 -0500, Charles Marcus cmar...@media-brokers.com wrote:

> But I'd still be interested in seeing some example postscreen configs actually in use right now, by you and anyone else willing to share...

This works pretty well, as root:

## configure Postfix to use postscreen
sed -i 's/^smtp .*smtpd$/#/' /etc/postfix/master.cf
sed -i '/\(smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)/s/^#//' /etc/postfix/master.cf
grep '\(smtp .*smtpd$\|smtpd .*pass\|postscreen\|dnsblog\|tlsproxy\)' /etc/postfix/master.cf

## enable tests before the 220 SMTP server greeting
postconf -e 'postscreen_blacklist_action = enforce'
postconf -e 'postscreen_dnsbl_action = enforce'
# about RBL lists http://www.sdsc.edu/~jeff/spam/cbc.html
postconf -e 'postscreen_dnsbl_sites = zen.spamhaus.org*2, dnsbl-1.uceprotect.net*1, b.barracudacentral.org*1'
postconf -e 'postscreen_dnsbl_threshold = 2'
postconf -e 'postscreen_greet_action = enforce'

## enable tests after the 220 SMTP server greeting
postconf -e 'postscreen_pipelining_enable = yes'
#postconf -e 'postscreen_pipelining_action = enforce'
postconf -e 'postscreen_non_smtp_command_enable = yes'
#postconf -e 'postscreen_non_smtp_command_action = drop'
postconf -e 'postscreen_bare_newline_enable = yes'
postconf -e 'postscreen_bare_newline_action = enforce'

/etc/init.d/postfix restart   # pick up /etc/postfix/master.cf changes

M.
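The master.cf edit that both this message and the earlier "Is postscreen really this good?" reply perform with sed can be tried on a copy of the file first and then checked. The script below is an added example, not code from the thread or from the Postfix project. It works on a constructed excerpt of the stock Postfix 2.8+ master.cf service lines, and it differs from the one-liners above in two ways: the "smtp inet ... smtpd" line is kept as a comment instead of being replaced by a bare "#", and only the four service lines are uncommented, so a comment line that merely mentions "postscreen" is left alone. The main.cf postconf settings and the final postfix restart from the message are unchanged and not repeated here.

```shell
#!/bin/sh
# Added example (not from the thread): switch a master.cf from a plain
# smtpd listener to postscreen + "smtpd pass", on a constructed copy of
# the relevant stock lines, and verify the result before touching the
# real /etc/postfix/master.cf.

# Constructed master.cf excerpt: the stock service lines plus one comment
# line containing the word "postscreen" that a loose /postscreen/ pattern
# would wrongly uncomment.
write_sample_master_cf() {
    cat > "$1" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
# uncomment postscreen below to enable it (constructed comment line)
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
EOF
}

# Comment out "smtp inet ... smtpd" (keeping the line), uncomment exactly
# the four postscreen-related service lines. Idempotent: running it
# twice leaves the file unchanged. Uses a temp file instead of sed -i so
# it behaves the same with GNU and BSD sed.
enable_postscreen() {
    f=$1
    sed -E \
        -e 's/^(smtp[[:space:]]+inet[[:space:]].*[[:space:]]smtpd[[:space:]]*)$/#\1/' \
        -e 's/^#(smtp[[:space:]]+inet[[:space:]].*[[:space:]]postscreen[[:space:]]*)$/\1/' \
        -e 's/^#(smtpd[[:space:]]+pass[[:space:]].*[[:space:]]smtpd[[:space:]]*)$/\1/' \
        -e 's/^#(dnsblog[[:space:]]+unix[[:space:]].*)$/\1/' \
        -e 's/^#(tlsproxy[[:space:]]+unix[[:space:]].*)$/\1/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Names of the services that are active (uncommented) in FILE, in order.
active_services() {
    awk '/^[a-z]/ { print $1 }' "$1"
}

# Demo on a temporary copy.
demo() {
    tmp=$(mktemp)
    write_sample_master_cf "$tmp"
    enable_postscreen "$tmp"
    echo "active services after the edit:"
    active_services "$tmp"
    echo "resulting file:"
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

After the edit the active services are smtp (now the postscreen listener), smtpd (the pass service), dnsblog, tlsproxy and submission; the original smtpd listener line survives as a comment for a quick rollback.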
Re: Stan's List [was: free antivirus scanner ?]
On Wed, 11 Jan 2012 10:19:36 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> I would classify it as low risk of false positives, and fairly safe. (but not 100% safe; few rules are. YMMV and such.)
> I've had a couple of FP's from idiots that run their business mail servers on a cablemodem with a dynamic rDNS name (their IP is static, but the rDNS incorrectly says dynamic), so I added their IP to a local whitelist. You may or may not run into the same easily-fixed problem.
>
> Use it like:
> smtpd_client_restrictions =
>     permit_mynetworks
>     # uncomment next line if using SASL
>     # permit_sasl_authenticated
>     check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

It would also be interesting to be able to use a similar mechanism earlier, from the postscreen_access_list (after permit_mynetworks but before going outside to fetch the postscreen_dnsbl_* stuff):

postscreen_access_list =
    permit_mynetworks,
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

But http://www.postfix.org/postconf.5.html#postscreen_access_list states: "To discourage the use of hash, btree, etc. tables, there is no support for substring matching like smtpd(8). Use CIDR tables instead."

M.
Re: Problem with DNS lookup when chrooted
On Thu, 11 Aug 2011 12:33:44 -0500, Stan Hoeppner s...@hardwarefreak.com wrote:

> > Trivial fix: modify the init script to invoke "postfix start" etc. instead of directly invoking the master daemon.
>
> I don't believe the current init script directly invokes the master daemon,

Debian/Ubuntu's current /etc/init.d/postfix script does not invoke master.

That script sets:

DAEMON=/usr/sbin/postfix

NOTE: file /usr/sbin/postfix being:
/usr/sbin/postfix: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped

and then uses $DAEMON in start), stop), restart), etc.

start) uses:
awk '/^[0-9a-z]/ && ($5 ~ "[-yY]")' /etc/postfix/master.cf
to check if anything is to be chrooted. If anything is chrooted, the relevant files are copied to the chroot and after that /usr/sbin/postfix is started as a daemon with:
start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start

stop) uses:
${DAEMON} quiet-stop

reload) uses:
${DAEMON} quiet-reload

Regards,
M.

I am attaching the Debian/Ubuntu current /etc/init.d/postfix script:
##
#!/bin/sh -e

# Start or stop Postfix
#
# LaMont Jones lam...@debian.org
# based on sendmail's init.d script

### BEGIN INIT INFO
# Provides:          postfix mail-transport-agent
# Required-Start:    $local_fs $remote_fs $syslog $named $network $time
# Required-Stop:     $local_fs $remote_fs $syslog $named $network
# Should-Start:      postgresql mysql clamav-daemon postgrey spamassassin saslauthd dovecot
# Should-Stop:       postgresql mysql clamav-daemon postgrey spamassassin saslauthd dovecot
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start and stop the Postfix Mail Transport Agent
# Description:       postfix is a Mail Transport agent
### END INIT INFO

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/postfix
NAME=Postfix
TZ=
unset TZ

# Defaults - don't touch, edit /etc/default/postfix
SYNC_CHROOT="y"

test -f /etc/default/postfix && . /etc/default/postfix

test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0

. /lib/lsb/init-functions
#DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)

running() {
    queue=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
    if [ -f ${queue}/pid/master.pid ]; then
        pid=$(sed 's/ //g' ${queue}/pid/master.pid)
        # what directory does the executable live in.  stupid prelink systems.
        dir=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* -> //; s/\/[^\/]*$//')
        if [ "X$dir" = "X/usr/lib/postfix" ]; then
            echo y
        fi
    fi
}

case "$1" in
    start)
        log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
        RUNNING=$(running)
        if [ -n "$RUNNING" ]; then
            log_end_msg 0
        else
            # if you set myorigin to 'ubuntu.com' or 'debian.org', it's wrong, and annoys the admins of
            # those domains.  See also sender_canonical_maps.
            MYORIGIN=$(postconf -h myorigin | tr 'A-Z' 'a-z')
            if [ "X${MYORIGIN#/}" != "X${MYORIGIN}" ]; then
                MYORIGIN=$(tr 'A-Z' 'a-z' < $MYORIGIN)
            fi
            if [ "X$MYORIGIN" = "Xubuntu.com" ] || [ "X$MYORIGIN" = "Xdebian.org" ]; then
                log_failure_msg "Invalid \$myorigin ($MYORIGIN), refusing to start"
                log_end_msg 1
                exit 1
            fi
            # see if anything is running chrooted.
            NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
            if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
                # Make sure that the chroot environment is set up correctly.
                oldumask=$(umask)
                umask 022
                queue_dir=$(postconf -h queue_directory)
                cd $queue_dir

                # copy the CA path if specified
                ca_path=$(postconf -h smtp_tls_CApath)
                case "$ca_path" in
                    '') :;;                # no ca_path
                    $queue_dir/*) :;;      # skip stuff already in chroot
                    *)
                        if test -d "$ca_path"; then
                            dest_dir="$queue_dir/${ca_path#/}"
                            new=0
                            if test -d "$dest_dir"; then
                                # write to a new directory ...
                                dest_dir="$dest_dir.NEW"
                                new=1
                            else
                                mkdir --parent ${dest_dir%/*}
                            fi
                            # handle files in subdirectories
                            find "$ca_path" -print0 | cpio -0pdL "$dest_dir"
                            if [ $new = 1 ]; then
                                # and replace the old directory
                                rm -r ${dest_dir%.NEW}
                                mv "$dest_dir" ${dest_dir%.NEW}
                            fi
                        fi
                        ;;
                esac
                # if there is
Re: mailq full but nothing in active/deferred/incoming
On Mon, 06 Jun 2011 19:45:17 +0200, Stéphane MERLE stephane.me...@distrigame.com wrote:

> (I am using ubuntu 10.04LTS). I am a little surprised by the fact that
> I would be using sendmail
> #dpkg --get-selections | grep -i sendmail
> I got no package installed for sendmail ...

Postfix installs a pseudo-sendmail. In Ubuntu you can see that it is there with:
sudo which sendmail

And confirm that it is a child of Postfix with:
dpkg -S sendmail | grep bin

M
Re: Unable to enforce the usage of the stronger tls ssl ciphers by Postfix
On Sun, 22 May 2011 22:00:49 -0500, Noel Jones njo...@megan.vbhcs.org wrote:

> Is postfix also the client? What are the settings on that machine?

Client machines use Claws Mail as MUA (configured to use SMTP at 587) and those machines have Postfix as the MTA, configured like this:

$ sudo postconf -n | grep -v '^smtpd_' | grep 'tls\|sasl\|master\|^my'
master_service_disable = inet
mydestination = localhost.localdomain, localhost
myhostname = desk.localhost.localdomain
myorigin = $mydomain
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

> Are you certain you're connecting to the submission port? adding
> -o syslog_name=postfix-submission
> or similar to the master.cf submission entry is helpful.

After adding -o syslog_name=postfix-submission I get the same result as previously reported:

May 23 09:37:36 mx postfix-submission/smtpd[29693]: connect from unknown[192.168.1.60]
May 23 09:37:37 mx postfix-submission/smtpd[29693]: setting up TLS connection from unknown[192.168.1.60]
May 23 09:37:38 mx postfix-submission/smtpd[29693]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
May 23 09:37:44 mx postfix-submission/smtpd[29693]: A95E1816B: client=unknown[192.168.1.60], sasl_method=LOGIN, sasl_username=test...@example.org
May 23 09:37:45 mx postfix/cleanup[29712]: A95E1816B: message-id=
May 23 09:37:45 mx postfix/qmgr[29480]: A95E1816B: from=test...@example.org, size=507, nrcpt=1 (queue active)
May 23 09:37:46 mx postfix-submission/smtpd[29693]: disconnect from unknown[192.168.1.60]

> Remove your *_exclude_ciphers entries and let openssl figure it out
> itself. It usually does a better job of finding the best common cipher
> than you can by hand.

Removing smtpd_tls_mandatory_exclude_ciphers and reloading in the receiving server did not help.

Doing the same with the smtp_tls_mandatory_exclude_ciphers at the sender machines did not help either.

In any case, setting 'smtpd_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL' should not interfere with Postfix's ability to choose from the strongest to the weakest of the remaining ciphers (as shown by openssl ciphers -v 'ALL:@STRENGTH').

Is it a postfix bug? If so, I wonder what other configs can trigger the selection of weaker ciphers by postfix?

Thank you for your time Noel.

Best regards,

M.
Unable to enforce the usage of the stronger tls ssl ciphers by Postfix
Hello list,

While using ubuntu 10.10, postfix 2.8.1, dovecot 2.0.12, openssl 0.9.8o, and trying to connect to the mail server via postfix 'submission', the best cipher that I am able to get is DHE-RSA-AES128-SHA (128/128 bits).

As it is only the 11th entry in the list shown by openssl ciphers -v 'ALL:@STRENGTH', and given that openssl in both mail server and client machines shows that better ciphers are supported, is there a way to enforce higher ciphers?

Logs follow. The (anonymized) session log goes like this:

May 22 09:25:27 mx postfix/smtpd[7984]: connect from unknown[192.168.1.60]
May 22 09:25:27 mx postfix/smtpd[7984]: setting up TLS connection from unknown[192.168.1.60]
May 22 09:25:28 mx postfix/smtpd[7984]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
May 22 09:25:35 mx postfix/smtpd[7984]: 299CD8192: client=unknown[192.168.1.60], sasl_method=LOGIN, sasl_username=test...@example.org
May 22 09:25:36 mx postfix/cleanup[8004]: 299CD8192: message-id=
May 22 09:25:36 mx postfix/qmgr[7946]: 299CD8192: from=test...@example.org, size=506, nrcpt=1 (queue active)
May 22 09:25:36 mx postfix/smtpd[7984]: disconnect from unknown[192.168.1.60]

$ grep -A 4 'submission' /etc/postfix/master.cf
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd

Both client MUA and server MTA machines show:

$ openssl ciphers -v 'ALL:@STRENGTH' | head -n 11
ADH-AES256-SHA          SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH   Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
ADH-AES128-SHA          SSLv3 Kx=DH   Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1

$ sudo postconf -n | grep -v '^smtp_' | grep 'tls\|sasl'
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unlisted_sender, reject_unknown_sender_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/example.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/example.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtpd_tls_protocols = !SSLv2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Thank you,

Mark
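The two posts above rely on reading smtpd's "TLS connection established" lines by eye to see which cipher was negotiated. Two things are easy to misread there: "Anonymous" in that line means the client presented no certificate, not that an anonymous (aNULL) cipher was used, and with Postfix 2.8's tls_preempt_cipherlist at its default of "no" the client's preference order, not the server's, picks among whatever ciphers the server still allows. What follows is an added example, not code from the posts or from Postfix: a small audit that parses such lines and reports every session whose cipher a smtpd_tls_mandatory_exclude_ciphers list such as "AES128, DES, MD5, aNULL" should have kept out, or whose key is shorter than a chosen minimum, so an exclusion that did not take effect shows up in the log rather than in a guess. The sample log lines are constructed in the format the posts show, and the token matching approximates OpenSSL's cipher-string semantics as noted in the comments.

```python
"""Audit the cipher suites Postfix smtpd actually negotiated.

Added example, not code from the thread or from Postfix. It parses the
"TLS connection established" lines smtpd writes at smtpd_tls_loglevel = 1
and flags sessions whose cipher a smtpd_tls_mandatory_exclude_ciphers list
such as "AES128, DES, MD5, aNULL" was supposed to keep out, or whose key is
shorter than a chosen minimum. The log lines below are constructed in the
format shown in the posts; the exclusion-token matching is an approximation
of OpenSSL's cipher-string semantics, noted inline.
"""
import re

# e.g. "May 23 09:37:38 mx postfix-submission/smtpd[29693]: Anonymous TLS connection
#       established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)"
TLS_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[\w-]+)/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<kind>Anonymous|Untrusted|Trusted|Verified) TLS connection established from "
    r"(?P<client>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)$"
)

def parse_tls_line(line):
    """Fields of one smtpd TLS session line, or None for any other log line."""
    m = TLS_LINE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["bits"], d["algbits"] = int(d["bits"]), int(d["algbits"])
    return d

def violates_policy(entry, excluded=("AES128", "DES", "MD5", "aNULL"), min_bits=256):
    """Reasons (possibly none) why this session is weaker than the policy."""
    reasons = []
    parts = entry["cipher"].upper().split("-")
    for tok in excluded:
        t = tok.upper()
        if t == "ANULL":
            # anonymous key exchange (no server authentication); not Postfix's
            # "Anonymous TLS connection", which only means no peer certificate
            hit = parts[0] in ("ADH", "AECDH")
        elif t == "DES":
            hit = "DES" in parts and "CBC3" not in parts   # single DES; 3DES is DES-CBC3-*
        else:
            hit = t in parts                               # AES128, MD5, RC4, ... by name
        if hit:
            reasons.append("excluded cipher component %s" % tok)
    if entry["bits"] < min_bits:
        reasons.append("%d-bit key below %d" % (entry["bits"], min_bits))
    return reasons

def audit(lines, **policy):
    """[(pid, client, cipher, reasons)] for every session that violates the policy."""
    out = []
    for line in lines:
        e = parse_tls_line(line)
        if e is not None:
            reasons = violates_policy(e, **policy)
            if reasons:
                out.append((e["pid"], e["client"], e["cipher"], reasons))
    return out

# Constructed sample: the session from the thread plus two others for contrast.
SAMPLE_LOG = """\
May 23 09:37:36 mx postfix-submission/smtpd[29693]: connect from unknown[192.168.1.60]
May 23 09:37:38 mx postfix-submission/smtpd[29693]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
May 23 09:40:02 mx postfix-submission/smtpd[29801]: Anonymous TLS connection established from unknown[192.168.1.61]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 23 09:41:10 mx postfix/smtpd[29850]: Anonymous TLS connection established from unknown[192.168.1.62]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
May 23 09:41:11 mx postfix-submission/smtpd[29693]: disconnect from unknown[192.168.1.60]
""".splitlines()

if __name__ == "__main__":
    for pid, client, cipher, reasons in audit(SAMPLE_LOG):
        print("smtpd[%s] %s %s: %s" % (pid, client, cipher, "; ".join(reasons)))
```

Run it over `grep 'TLS connection established' /var/log/mail.log` after a reload: if AES128 sessions still appear on the submission service, the exclusion is not being applied to that service, which is a configuration question, not an OpenSSL negotiation question.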
Re: Adjust smtp to limitations of a host
On Sat, 2 Apr 2011 18:03:29 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:

> > slow unix - - - - - smtp
> >   -o syslog_name=postfix-slow
> >   -o default_destination_rate_delay=1s
> >   -o default_destination_recipient_limit=20
> >   -o smtp_connection_cache_on_demand=no
>
> THAT DOES NOT WORK. Please follow the instructions.
>
> As documented, the following parameters:
>
> xxx_destination_rate_delay
> xxx_destination_recipient_limit
>
> are implemented by the QUEUE MANAGER not SMTP CLIENT.

I keep forgetting the inner workings of the multiple inner postfix modules. So here is the revised setting:

/etc/postfix/master.cf
slow unix - - - - - smtp
  -o syslog_name=postfix-slow
  -o smtp_connection_cache_on_demand=no

/etc/postfix/main.cf
slow_destination_rate_delay = 1s
postconf -e 'slow_destination_recipient_limit = 20

I will be reporting the results.

Thank you very much for your guidance.

M.
Re: Adjust smtp to limitations of a host (REPOST without postconf)
On Sat, 2 Apr 2011 18:03:29 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote:

> > slow unix - - - - - smtp
> >   -o syslog_name=postfix-slow
> >   -o default_destination_rate_delay=1s
> >   -o default_destination_recipient_limit=20
> >   -o smtp_connection_cache_on_demand=no
>
> THAT DOES NOT WORK. Please follow the instructions.
>
> As documented, the following parameters:
>
> xxx_destination_rate_delay
> xxx_destination_recipient_limit
>
> are implemented by the QUEUE MANAGER not SMTP CLIENT.

I keep forgetting the inner workings of the multiple inner postfix modules. So here is the revised setting:

/etc/postfix/master.cf
slow unix - - - - - smtp
  -o syslog_name=postfix-slow
  -o smtp_connection_cache_on_demand=no

/etc/postfix/main.cf
slow_destination_rate_delay = 1s
slow_destination_recipient_limit = 20

I will be reporting the results.

Thank you very much for your guidance.

M.
Re: Adjust smtp to limitations of a host
On Thu, 31 Mar 2011 14:53:11 -0400, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> > /etc/postfix/master.cf
> > slow unix - - - - - smtp
> >   -o syslog_name=postfix-slow
> >   -o smtp_connection_reuse_time_limit=30s
> > EOT
> >
> > /etc/postfix/main.cf
> > slow_initial_destination_concurrency = 2
> > slow_destination_concurrency_limit = 15
> > slow_destination_concurrency_failed_cohort_limit = 5
> > slow_destination_concurrency_positive_feedback = 1/5
> > slow_destination_concurrency_negative_feedback = 1/8
>
> (...)
>
> You can certainly try, and report your findings.

Tried the above setup. It does not help. We have many more 421s with this approach than we had with our former setup.

We will now try the following transport settings (based on a recent Wietse suggestion):

slow unix - - - - - smtp
  -o syslog_name=postfix-slow
  -o default_destination_rate_delay=1s
  -o default_destination_recipient_limit=20
  -o smtp_connection_cache_on_demand=no

As usual we will be reporting here the results.

Thank you for your time and good will.

M.
Re: Adjust smtp to limitations of a host
On Thu, 31 Mar 2011 12:39:20 -0400, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> The receiving sites' policies are stupid if they don't implement them
> sensibly by just returning 4XX responses without penalizing subsequent
> transactions.

I am sorry to hijack this thread but we have what seems to be the same problem.

While using the default Postfix settings (v.2.8.1 on Ubuntu 10.10), we have trouble connecting with several MTAs (usually smtp1.min-saude.pt and smtp2.min-saude.pt, but sometimes others at .min-saude.pt). The server at smtp3.min-saude.pt never complains, nor does any other MTA at .min-saude.pt whose name does not start with smtpNN.

When they refuse our connections, they seem to start shutting down at 25 to 30 RCPT commands, with:

...mx postfix-slow/smtp[4907]: 36BB7818B: to=some_subscri...@subdomain.min-saude.pt, relay=smtp1.min-saude.pt[194.65.151.38]:25, delay=415, delays=414/0.25/0.41/0, dsn=4.0.0, status=deferred (host smtp1.min-saude.pt[194.65.151.38] refused to talk to me: 421 #4.4.5 Too many connections from your host.)

To deal with this we are currently using:

/etc/postfix/transport
.min-saude.pt slow:

/etc/postfix/master.cf
slow unix - - - - - smtp
  -o syslog_name=postfix-slow
  -o smtp_connection_cache_on_demand=no
EOT

/etc/postfix/main.cf
slow_destination_concurrency_failed_cohort_limit = 3 # we give up after getting three 421
slow_destination_recipient_limit = 20 # keep it below 25
slow_destination_rate_delay = 1 # do not know if we really need this

> Have you considered the less aggressive concurrency feedback controls in
> Postfix 2.5?

Do you think that the following would be a more elegant approach than the above described setting?

/etc/postfix/master.cf
slow unix - - - - - smtp
  -o syslog_name=postfix-slow
  -o smtp_connection_reuse_time_limit=30s
EOT

/etc/postfix/main.cf
slow_initial_destination_concurrency = 2
slow_destination_concurrency_limit = 15
slow_destination_concurrency_failed_cohort_limit = 5
slow_destination_concurrency_positive_feedback = 1/5
slow_destination_concurrency_negative_feedback = 1/8

Thank you,

M.
Re: Adjust smtp to limitations of a host
On Thu, 31 Mar 2011 14:53:11 -0400, Victor Duchovni victor.ducho...@morganstanley.com wrote:

> Why would this be a response to too many recipient commands, a single
> message with many recipients is sent over a single connection, unless
> you have set an ill-advised destination recipient limit.

All _recipient_limit parameters are at their defaults. With the exception of things related to ciphers and TLS, we try hard to keep the default Postfix settings.

> > /etc/postfix/main.cf
> > slow_destination_concurrency_failed_cohort_limit = 3 # we give up after getting three 421
> > slow_destination_recipient_limit = 20 # keep it below 25
>
> This increases the number of connections, which is unlikely what you
> want, provided of course you have messages with a large recipient
> count.

It was not obvious to us. The idea was simply to put a limit on each burst of messages sent to the slow transport MTAs. These messages are related to a low traffic (2-3 messages a month), low volume (280 subscribers) mailing list, managed with mlmmj and using VERP tagging. We have exactly 142 subscribers from subdomains at .min-saude.pt. Hardly huge numbers.

> > slow_destination_rate_delay = 1 # do not know if we really need this
>
> This limits you to one connection at-a-time.

The idea was to have a 1s delay between each message delivered. But, of course, not knowing if this helped or not.

> > /etc/postfix/master.cf
> > slow unix - - - - - smtp
> >   -o syslog_name=postfix-slow
> >   -o smtp_connection_reuse_time_limit=30s

Should we use only those 2 lines, or should we also add
-o smtp_connection_cache_on_demand=no

> > /etc/postfix/main.cf
> > slow_initial_destination_concurrency = 2
> > slow_destination_concurrency_limit = 15
> > slow_destination_concurrency_failed_cohort_limit = 5
> > slow_destination_concurrency_positive_feedback = 1/5
> > slow_destination_concurrency_negative_feedback = 1/8
>
> That depends on how determined the remote site is to damage the SMTP
> eco-system by imposing counter-productive punitive mechanisms on
> legitimate senders.

It being the health ministry bureaucracy, I am pretty sure that they have the time and resources to be creative at it. We know for sure that up until now they did not answer any emails regarding their strange mail server policies.

> You can certainly try, and report your

We will wait for your opinion on the above -o smtp_connection_cache... parameter before trying those new settings.

Thank you,

M.
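Every reply in this thread ends with a promise to "report the results", and the only evidence that matters is whether the 421 rate against smtp1/smtp2.min-saude.pt actually drops once the slow transport is in place. The following is an added example, not code from the thread or from Postfix: it reads the smtp(8) delivery records (the same shape as the deferred line quoted above), keys them by syslog_name and relay host, and separates successful deliveries from deferrals caused by a remote 421 and from other deferrals, so the postfix-slow transport can be compared with the default one on real numbers. The log lines are constructed, with the recipients and queue ids made up.

```python
"""Measure how a slow transport fares against a rate-limiting relay.

Added example (not from the thread or from Postfix). Parses Postfix smtp
client delivery log lines and counts, per syslog_name (the "postfix-slow"
transport versus the default "postfix") and per relay host, how many
deliveries were sent and how many were deferred with a remote 421 reply.
The log lines at the bottom are constructed in the format shown in the
thread.
"""
import re
from collections import Counter

DELIVERY = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>[\w-]+)/smtp\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<?(?P<rcpt>[^>,\s]+)>?, relay=(?P<relay>\S+), delay=[\d.]+, "
    r"delays=[\d./]+, dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<text>.*)\)$"
)

def parse_delivery(line):
    """Fields of one smtp(8) delivery record, or None for other log lines."""
    m = DELIVERY.match(line.strip())
    return m.groupdict() if m else None

def remote_reply_code(text):
    """The remote server's SMTP reply code quoted in the status text, if any.
    Only a code at the start of the text or after ': ' counts, so digits
    inside an IP address or hostname are not mistaken for one."""
    m = re.search(r"(?:^|: )([245]\d\d)\b", text)
    return m.group(1) if m else None

def summarize(lines):
    """{(syslog_name, relay_host): Counter(sent / deferred_421 / deferred_other)}"""
    stats = {}
    for line in lines:
        d = parse_delivery(line)
        if d is None:
            continue
        relay_host = d["relay"].split("[", 1)[0]      # strip "[ip]:port"
        c = stats.setdefault((d["prog"], relay_host), Counter())
        if d["status"] == "sent":
            c["sent"] += 1
        elif remote_reply_code(d["text"]) == "421":
            c["deferred_421"] += 1
        else:
            c["deferred_other"] += 1
    return stats

def deferral_rate(stats, prog, relay_host):
    """Fraction of attempts to relay_host via transport prog that got a 421."""
    c = stats.get((prog, relay_host), Counter())
    total = sum(c.values())
    return c["deferred_421"] / float(total) if total else 0.0

# Constructed sample log: two 421s and one success through postfix-slow,
# one success and one unrelated timeout through the default transport.
SAMPLE_LOG = """\
Mar 31 10:00:01 mx postfix-slow/smtp[4907]: 36BB7818B: to=<user1@subdomain.min-saude.pt>, relay=smtp1.min-saude.pt[194.65.151.38]:25, delay=415, delays=414/0.25/0.41/0, dsn=4.0.0, status=deferred (host smtp1.min-saude.pt[194.65.151.38] refused to talk to me: 421 #4.4.5 Too many connections from your host.)
Mar 31 10:00:02 mx postfix-slow/smtp[4908]: 36BB7818C: to=<user2@subdomain.min-saude.pt>, relay=smtp1.min-saude.pt[194.65.151.38]:25, delay=1.2, delays=0.1/0.2/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C)
Mar 31 10:00:03 mx postfix-slow/smtp[4909]: 36BB7818D: to=<user3@subdomain.min-saude.pt>, relay=smtp1.min-saude.pt[194.65.151.38]:25, delay=420, delays=419/0.3/0.4/0, dsn=4.0.0, status=deferred (host smtp1.min-saude.pt[194.65.151.38] refused to talk to me: 421 #4.4.5 Too many connections from your host.)
Mar 31 10:00:04 mx postfix/smtp[4910]: 36BB7818E: to=<user4@other.min-saude.pt>, relay=smtp3.min-saude.pt[194.65.151.40]:25, delay=1.0, delays=0.1/0.2/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D)
Mar 31 10:00:05 mx postfix/smtp[4911]: 36BB7818F: to=<user5@example.net>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[203.0.113.5]:25: Connection timed out)
Mar 31 10:00:06 mx postfix/qmgr[4000]: 36BB7818F: from=<list01@example.org>, size=1234, nrcpt=1 (queue active)
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for (prog, relay), c in sorted(stats.items()):
        print("%-14s %-22s %s  421-rate=%.2f" % (prog, relay, dict(c), deferral_rate(stats, prog, relay)))
```

Feed it one log file from before the transport change and one from after; the per-relay 421 rate under postfix-slow versus postfix is the number worth posting back to the list.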
Error: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)
While using Postfix 2.8.1 + Ubuntu 10.10, after enabling postscreen the system seems to be working well (sends and receives email without any apparent problems) but has sporadic errors as shown below (without any other errors or warnings).

sudo grep 'postscreen_cache.db' /var/log/syslog
Mar 10 11:02:24 mx postfix/postscreen[9697]: cache /var/lib/postfix/postscreen_cache.db full cleanup: retained=0 dropped=0 entries
Mar 10 11:04:26 mx postfix/postscreen[9697]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)
Mar 10 11:12:08 mx postfix/postscreen[10135]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)
Mar 10 11:49:58 mx postfix/postscreen[12596]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)

# /var/lib/postfix/postscreen_cache.db exists and postfix seems to be accessing it, as shown by the changing date/times in:
ls -l /var/lib/postfix/
total 32
-rw------- 1 postfix postfix   17 2011-03-10 11:06 master.lock
-rw------- 1 postfix postfix 8192 2011-03-10 11:10 postscreen_cache.db
-rw------- 1 postfix postfix 1024 2011-03-10 11:07 prng_exch
-rw------- 1 postfix postfix 8192 2011-03-10 11:07 smtpd_scache.db
-rw------- 1 postfix postfix 8192 2011-03-10 11:07 smtp_scache.db

# the berkeley modules are there too (the so.2's are links to the .so's)
ls -1 /var/spool/postfix/lib/
libnss_compat-2.12.1.so
libnss_compat.so.2
libnss_dns-2.12.1.so
libnss_dns.so.2
libnss_files-2.12.1.so
libnss_files.so.2
libnss_hesiod-2.12.1.so
libnss_hesiod.so.2
libnss_nis-2.12.1.so
libnss_nisplus-2.12.1.so
libnss_nisplus.so.2
libnss_nis.so.2

sudo postconf -n
# some sasl/tls entries were edited out
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
fast_flush_domains =
mail_name = ESMTPserver
mydestination = localhost.localdomain, localhost
mydomain = example.org
myhostname = mx.example.org
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2, dnsbl-1.uceprotect.net*1, b.barracudacentral.org*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
readme_directory = no
recipient_delimiter = +
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP
smtpd_discard_ehlo_keywords = silent-discard, etrn
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unlisted_sender, reject_unknown_sender_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = yes
virtual_alias_maps = hash:/etc/postfix/virtual-alias-maps
virtual_mailbox_domains = example.org
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-maps
virtual_transport = dovecot

Any ideas?

r.
M.
Re: Configuration of postfix 2.8.1 + ezmlm 1.2.17
On Sun, 6 Mar 2011 18:46:44 -0500 (EST), Wietse Venema wie...@porcupine.org wrote:

> > In order to have postfix 2.8.1 feeding email to a ezmlm 1.2.17
>
> If you follow the mlmmj website's instructions, then it should work.

Do you mean the README.Postfix at http://mlmmj.org/archive/mlmmj/att-0511/README.postfix ?

> I prefer not to review alternative variations.

I can understand that. But in this case, as this is rather generic regarding proper MLM interfacing with Postfix, it sure would be welcome to have your view about the proper way to set up a generic interface between Postfix and a generic MLM.

> By the way, the mlmmj setup can now be simplified, and no longer needs
> the kludge with the mlmmj/pipe transport.

I know that it also consumes time but... could you give a tiny example/usage case?

> postfix-2.9-20110228 fixes a problem where the local delivery agent
> ignored the ownership of regexp-based alias tables.

Will this bug fix be backported into 2.8.x ?

Why was this fixed 20110228? Because I recently stumbled upon this problem when I visited the mlmmj/postfix webpage. That page is marked Nov 12th 2005 but in fact, as it is clear from the change log, it just appeared in the latest (1.2.17.1, Nov 2010) release.

M.
Re: Configuration of postfix 2.8.1 + ezmlm 1.2.17
On Mon, 7 Mar 2011 09:43:40 -0500 (EST), Wietse Venema wie...@porcupine.org wrote:

> The basic idea is that with a local aliases file, file ownership
> determines the execution privileges for |command and /file/name
> destinations, and the envelope sender address for non-delivery
> notifications.

Meaning that (keeping with the example lis...@example.org mailing list) the following would simply work as expected:

/etc/postfix/virtual-alias-maps
lis...@example.org list01@localhost

/etc/aliases
list01: "|/usr/bin/mlmmj-receive -L /var/spool/mlmmj/list01/"

> In other words, alias ownership of regexp/pcre files now works as
> documented.

If not for anything else, at least it was good to fix that bug.

... and, by the way, the subject of this thread should have been "Configuration of postfix 2.8.1 + mlmmj 1.2.17", not ezmlm... but it seems that old habits don't die easily.

Thank you Wietse and keep up this great work

M.
Configuration of postfix 2.8.1 + ezmlm 1.2.17
Hello list,

In order to have postfix 2.8.1 feeding email to an ezmlm 1.2.17 mailing list manager (under Debian/Ubuntu) we have a tentative setup that goes as described below.

I have 2 questions:
1. is there a way to do the same without (the rather expensive) regexp:/ lists?
2. in case it is not possible to do without regexp (or just in case the regexp happens to be the right solution) is this the right regex syntax to serve this setup?

# about the mailing list manager
mailing list manager: mlmmj (which is a MTA agnostic ezmlm clone)
list address: lis...@example.org
control commands:
list01+subscr...@example.org
list01+unsubscr...@example.org
list01+h...@example.org
# VERP Return-Path:
list01+bounces-12-john.doe=domain@example.org

# the tentative configuration:

virtual_alias_maps = cdb:/etc/postfix/virtual-alias-maps, regexp:/etc/postfix/mlmmj-virtual-alias-maps

/etc/postfix/mlmmj-virtual-alias-maps
/^(list01.*)@example\.com$/ ${1}

mlmmj_destination_recipient_limit = 1

transport_maps = regexp:/etc/postfix/mlmmj-transport

/etc/postfix/mlmmj-transport
/^(list01).*$/ mlmmj:$1

/etc/postfix/master.cf:
# transport for the mlmmj mailing list
mlmmj unix - n n - - pipe
  flags=DORhu user=nobody argv=/usr/local/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop/

postconf | grep default_privs
default_privs = nobody

Thanks,

M.
Re: postqueue
On Wed, 16 Feb 2011 13:03:37 +0300, Ejaz me...@cyberia.net.sa wrote: Postqueue -p command taking so long time to execute, start and stopping the postfix also the same, in the meanwhile I checked server performance is quite normal, no load Is yours /etc/hosts sane? M.
Re: How to parameterize postscreen to act like openbsd spamd
On Wed, 9 Feb 2011 15:18:39 -0500 (EST), Wietse Venema wie...@porcupine.org wrote:

> postscreen currently does not implement greylisting - smtpd(8)
> currently can do that with policy daemons.

Yes but they do it very late in the process:

smtpd_recipient_restrictions =
  ...
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:1
  ...

If possible, expensive tests like check_policy_service should be in postscreen, i.e., outside any real smtpd and processed even before postscreen's first 451.

> As for the other features, perhaps you can translate them into plain
> language, and then we can see if there is an equivalent.

If it is not planned to enable postscreen to do greylisting, then the purpose of my question is greatly reduced.

I know that any attempt at doing greylisting needs either some kind of db, or probabilistic data structures like, for instance, Bloom filters (the Gross Postfix greylister does just this), but if I am not wrong 2.8 already includes hooks for SQLite.

How would one configure postscreen's parameters to act like the spamd defaults, i.e., passtime = 25 m, greyexp to 4h, and whiteexp to 864h ?

It is all (and in better English than mine) at spamd's man page
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

M.
How to parameterize postscreen to act like openbsd spamd
Hello list, The things that I miss from OpenBSD are spamd and pf (iptables are almost there). It seems that postscreen has the potential to, finally, replace spamd. So, my question is: How would one configure postscreen's parameters to act like the spamd defaults, i.e., passtime = 25 m, greyexp to 4h, and whiteexp to 864h ? As may be seen in 'man spamd' http://goo.gl/ofTKj Regards, M.
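The two posts above ask for spamd's greylisting semantics (passtime, greyexp, whiteexp) on a Postfix box, and Wietse's answer is that postscreen does not greylist but smtpd(8) can via a policy daemon. The following is an added example, not code from the thread, from Postfix or from spamd, showing what such a daemon's core looks like with exactly those three timers: the triplet (client IP, sender, recipient) is deferred on first sight and on any retry sooner than passtime, a retry after passtime whitelists the client IP, grey entries not retried within greyexp are forgotten, and a whitelisted IP that stays idle for whiteexp is dropped. The request/response framing is Postfix's policy delegation protocol as documented in SMTPD_POLICY_README; the request text and timestamps are constructed, and the in-memory dicts stand in for the database a real daemon would persist.

```python
"""Greylisting with OpenBSD spamd's default timings, as a Postfix policy service.

Added example; it is not code from the thread, from Postfix or from spamd.
postscreen has no greylist, so the check goes where Wietse points: a
check_policy_service daemon behind smtpd(8). The timings are the spamd(8)
defaults the question asks about (passtime 25 min, greyexp 4 h, whiteexp
864 h), and the request/response framing is Postfix's policy delegation
protocol: "name=value" lines ended by an empty line, answered by "action=..."
and an empty line. Storage is an in-memory dict standing in for the
database a real daemon would need.
"""
from datetime import datetime, timedelta

PASSTIME = timedelta(minutes=25)   # retries sooner than this stay grey
GREYEXP = timedelta(hours=4)       # grey entries not retried by then are forgotten
WHITEEXP = timedelta(hours=864)    # whitelisted IPs idle this long are dropped

class Greylister:
    def __init__(self, passtime=PASSTIME, greyexp=GREYEXP, whiteexp=WHITEEXP):
        self.passtime, self.greyexp, self.whiteexp = passtime, greyexp, whiteexp
        self.grey = {}    # (client_ip, sender, recipient) -> first seen
        self.white = {}   # client_ip -> last seen

    def _expire(self, now):
        self.grey = {k: t for k, t in self.grey.items() if now - t < self.greyexp}
        self.white = {k: t for k, t in self.white.items() if now - t < self.whiteexp}

    def check(self, client_ip, sender, recipient, now):
        """Policy action for one RCPT TO from client_ip."""
        self._expire(now)
        if client_ip in self.white:
            self.white[client_ip] = now          # like spamd: every connection refreshes whiteexp
            return "dunno"
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.grey.get(key)
        if first is None:
            self.grey[key] = now                 # first sighting of this triplet
            return "defer_if_permit Greylisted, try again later"
        if now - first < self.passtime:
            return "defer_if_permit Greylisted, try again later"
        del self.grey[key]                       # a patient retry: whitelist the client IP
        self.white[client_ip] = now
        return "dunno"

def parse_request(text):
    """Attributes of one policy request ("name=value" lines, blank line terminates)."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def handle(gl, request_text, now):
    """Raw request in, raw response out, as the daemon would write it to smtpd."""
    a = parse_request(request_text)
    action = gl.check(a["client_address"], a["sender"], a["recipient"], now)
    return "action=%s\n\n" % action

# Constructed request in the policy protocol format.
REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
           "client_address=203.0.113.7\nsender=someone@example.net\n"
           "recipient=user@example.org\n\n")
T0 = datetime(2011, 2, 10, 12, 0, 0)

def later(**delta):
    """T0 shifted by the given timedelta arguments (minutes=..., hours=...)."""
    return T0 + timedelta(**delta)

if __name__ == "__main__":
    gl = Greylister()
    for when in (T0, later(minutes=10), later(minutes=30)):
        print(when.time(), handle(gl, REQUEST, when).strip())
```

Wired into smtpd_recipient_restrictions after reject_unauth_destination (as in the restriction list quoted in the reply above), the defer_if_permit action becomes a 450 for strangers and is ignored for clients an earlier permit_* already accepted, which is what spamd's whitelist-by-IP behaviour amounts to on the Postfix side.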
Re: Ubuntu/Debian Postfix 2.8.x repository
On Mon, 7 Feb 2011 00:40:16 -0500, Victor Duchovni victor.ducho...@morganstanley.com wrote: Debian Postfix has significant integration enhancements, dynamic loading of table drivers, Debian-specific SASL configuration directory, hostname setting in external file, ... Debian users should probably not build directly from unpatched Postfix source, unless they've not relied on any of the integrated features in the past, and do not plan to use them going forward. Wise words indeed. M.
Re: Ubuntu/Debian Postfix 2.8.x repository
On Sun, 6 Feb 2011 22:22:52 +0100, Patrick Ben Koetter p...@state-of-mind.de wrote: If there are significant differences that are not Debian related Stefan certainly has had reasons to add them. That's certainly a way to view things and I respect your opinion. But it is hard to see the rationale in, for instance: diff -u tmp/postfix-2.8.0/conf/master.cf lixo/postfix-2.8.0~cite/conf/master.cf --- tmp/postfix-2.8.0/conf/master.cf2011-02-07 10:18:11.0 + +++ lixo/postfix-2.8.0~cite/conf/master.cf2010-12-31 14:14:51.0 + @@ -8,49 +8,49 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # == -smtp inet n - - - - smtpd -#smtp inet n - - - 1 postscreen -#smtpd pass - - - - - smtpd -#dnsblog unix - - - - 0 dnsblog -#tlsproxy unix - - - - 0 tlsproxy -#submission inet n - - - - smtpd +smtp inet n - n - - smtpd +#smtp inet n - n - 1 postscreen +#smtpd pass - - n - - smtpd +#dnsblog unix - - n - 0 dnsblog +#tlsproxy unix - - n - 0 tlsproxy +#submission inet n - n - - smtpd M.
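Review bot: the chroot column changes from `-` (use master(5)'s built-in default, which on Postfix 2.8 is `y`) to `n` on the active smtp entry and on the commented postscreen, smtpd, dnsblog, tlsproxy and submission entries, but nothing in the hunk records why; a one-line comment above the service table, or a README.Debian note, should state that these packages diverge from both upstream's and Debian's chrooted default, since the Debian init script's `$5 ~ "[-yY]"` chroot sync and the many chroot cookbooks assume the opposite. The hunk header reports 49 lines on each side while only the first six service lines are shown in this post, so the remaining changed entries, if any, cannot be reviewed from here.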
Re: Ubuntu/Debian Postfix 2.8.x repository [SOLVED]
On Mon, 7 Feb 2011 17:49:38 +0100, Stefan Foerster cite+postfix-us...@incertum.net wrote:

> [chroot disabled]
> ... and the mysql client libraries will then try to use the unix
> socket. This socket is, of course, not present in the chroot. Now I
> know there are better ways around this - use proxymap(8), e.g., but
> frankly, I don't ever want to be responsible for any person entering
> #postfix and asking why his mysql maps don't work.

The repository is yours. As such you are free to diverge from Debian's common practice of chrooting Postfix's smtpd. Apparently you did so just to cope with the novice user that does not know how to use MySQL with Postfix chrooted services. As a matter of fact Postfix's original master.cf also disables chroot.

Besides, I never understood why the Debian default installation chroots smtpd. That would start another (off-topic) discussion: should apps facing the net be chrooted? Does chroot improve security? Personally I tend to think that chroot (as a security measure) is greatly overrated. But that is how Debian does it and we have to cope with these little idiosyncrasies in order to be able to periodically do an 'apt-get dist-upgrade' and just have everything upgraded, with all dependencies taken care of and 'just working'.

A quick google search shows that, for years, Wietse has been answering questions related to users trying to use chrooted parts of Postfix. But, I wonder, on his machines does he use chroot or not?

> P.S: One last remark: My packages are tagged as experimental, meaning
> that apt(itude|-get) won't install them without further encouragement.
> I chose to do this for a reason.

Well, yes, there are many more differences that will be shown by a simple diff -r postfix-2.8.0 postfix-2.8.0~cite.

Best regards,

M.
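The disagreement in this thread, and the chroot check in the Debian init script attached in the "modify the init script" post further up, both come down to how the fifth column of master.cf is read: `-` means "use the built-in default", and on Postfix 2.x that default is `y`, so upstream's `smtp inet n - - - - smtpd` is chrooted while the ~cite package's `smtp inet n - n - - smtpd` is not. The following is an added example, not code from the thread, from Debian or from the ~cite packages: a master.cf reader that applies the same rule as the init script's `awk '/^[0-9a-z]/ && ($5 ~ "[-yY]")'` (comment lines and the indented `-o` continuation lines are skipped, `-` is resolved to the default) and lists which services would run chrooted. The two master.cf fragments are constructed from the diff quoted above; `default_chroot="n"` models a site where `-` means no chroot, which is what later Postfix releases do once compatibility_level is raised.

```python
"""Which master.cf services run chrooted?

Added example; not code from the thread, from Debian, or from the ~cite
packages. It does in Python what the Debian init script does with
awk '/^[0-9a-z]/ && ($5 ~ "[-yY]")': reads master.cf, skips comments and the
indented "-o" continuation lines, and treats "-" in the chroot column as the
built-in default, which is "y" on Postfix 2.x (pass default_chroot="n" to
model the "-" means no chroot default of later releases). The two
master.cf fragments are constructed from the diff quoted in the thread.
"""
FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")
DEFAULT_CHROOT = "y"   # what "-" in the chroot column means on Postfix 2.x

def parse_master_cf(text, default_chroot=DEFAULT_CHROOT):
    """One dict per service entry, with its command line and a 'chrooted' flag."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank or comment
        if raw[0] in " \t":                           # continuation of the previous command
            if entries:
                entries[-1]["command"] += " " + raw.strip()
            continue
        parts = raw.split(None, len(FIELDS))
        if len(parts) < len(FIELDS) + 1:
            raise ValueError("malformed master.cf line: %r" % raw)
        entry = dict(zip(FIELDS, parts[:len(FIELDS)]))
        entry["command"] = parts[len(FIELDS)]
        chroot = entry["chroot"] if entry["chroot"] != "-" else default_chroot
        entry["chrooted"] = chroot.lower() == "y"
        entries.append(entry)
    return entries

def chrooted_services(text, default_chroot=DEFAULT_CHROOT):
    """Service names the init script would have to sync a chroot for."""
    return [e["service"] for e in parse_master_cf(text, default_chroot) if e["chrooted"]]

# Constructed from the two sides of the quoted diff: upstream leaves the
# chroot column at "-", the ~cite package writes "n".
UPSTREAM = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
pickup    fifo  n       -       n       60      1       pickup
"""
CITE = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
pickup    fifo  n       -       n       60      1       pickup
"""

if __name__ == "__main__":
    print("upstream chrooted:", chrooted_services(UPSTREAM))
    print("cite chrooted:    ", chrooted_services(CITE))
```

Pointed at a live /etc/postfix/master.cf this answers the practical question behind the thread: a service that this reports as chrooted needs its resolver files, NSS libraries and any MySQL socket inside the queue directory, or it needs proxymap(8) in front of the table, before `postfix start` will behave.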
Re: Ubuntu/Debian Postfix 2.8.x repository -- general chroot question
On Mon, 7 Feb 2011 14:21:39 -0500 (EST), Wietse Venema wie...@porcupine.org wrote:

> Except for all those beginners that get into trouble because they use
> someone else's cookbook instructions instead of their own expertise.

And instead of being continuously consumed by the same beginner questions, wouldn't it be easier to have the most frequent usage cases (and the related cookbooks) well documented in some kind of continuously user-improved wiki, like dovecot or nginx are doing?

My background is qmail not postfix. As such I tend to think much along the lines exposed in DJB's seminal paper "Some thoughts on security after ten years of qmail 1.0" http://cr.yp.to/qmail/qmailsec-20071101.pdf

Having migrated from Debian to Ubuntu (which unlike Debian early saw Postfix and not Exim as the way to go) and due to growing spam fighting needs I am a newcomer to Postfix.

From the outside the way I see the Postfix project is:
- has much of the modular and paranoid untrustworthiness in code of qmail
- takes standards compliance very seriously;
- very well documented; hélas, scientifically documented!; meaning that it will be possible to find a terse and clean description of almost any aspect of postfix (not so well in the matters related with security, encryption, ciphers, protocols). Unfortunately, if you aren't a scientist in this field and/or an expert in Postfix coding you will have a hard time understanding it. [Clear usage cases and (God forbid!) official cookbooks would be an added value.]
- has a supportive and vibrant community: knowledgeable, friendly and usually with good humor.

And yes I will continue to bother you with questions, bug reports, patches (if I ever will be up to such a difficult job), and all kinds of disruptive ideas.

Please excuse my English as it is not my mother tongue.

Regards,

M.
Ubuntu/Debian Postfix 2.8.x repository
Hello, Do you know any reliable Debian/Ubuntu repositories for the newest Postfix 2.8? Regards, M.
Gross greylist app. while we wait for Postfix 2.8 and its postscreen processor
While we do not have Postfix 2.8 (in Debian/Ubuntu) and its postscreen processor, Is there someone in this list with experience of using the Gross greylist app. with Postfix? Is it stable? Is it less resource hungry than greyfix or postgrey? Has it major problems? Regards, M.
Re: spammers getting better? help with filtering this one
On Thu, 03 Feb 2011 04:36:26 -0500, Daniel Bromberg dan...@basezen.com wrote: Those who can block this, how did you do it? I hope whatever technique(s) also help block many more like it. Blocked here with bogofilter (bayesian header+body filter). M.
Re: Looking for a maillist manager
On Sun, 30 Jan 2011 07:19:48 +0200, Jaques Cochet jcochet.li...@gmail.com wrote:

> I'm currently using qmail with ezmlm maillist manager. I intend to move
> to postfix, and i'm looking for a mail list manager that stores maillist
> subscribers in a mysql database, includes posting permissions, and can
> handle several hundreds of mail lists. Any suggestions?

In terms of mail listing, postfix + mlmmj (http://mlmmj.org/) is roughly equivalent to qmail + ezmlm. But it will do its stuff using only plain text files, just like ezmlm. I.e., 'touched' files to signal options, email addresses or header and footer customization inside plain files.

On the other hand, just like ezmlm, there will be no daemons running and no security problems associated with .cgi web interfaces, and most of the admin stuff will be done by simple email messages sent by the owners, admins, moderators, etc.

M.
Re: Order of policies?
On Mon, 10 Jan 2011 23:04:31 +0100, mouss mo...@ml.netoyen.net wrote:

> On 10/01/2011 10:33, Mark Alan wrote:
>> Well then, would the following order make sense?
>>
>> smtpd_recipient_restrictions =
>>   sleep 1,
>>   reject_unlisted_recipient,
>>   reject_unauth_pipelining,
>>   reject_invalid_helo_hostname,
>>   reject_non_fqdn_helo_hostname,
>>   reject_non_fqdn_sender,
>>   reject_non_fqdn_recipient,
>>   reject_unknown_sender_domain,
>>   reject_unknown_recipient_domain,
>>   permit_sasl_authenticated,
>>   permit_mynetworks,
>>   reject_unauth_destination,
>>   check_policy_service inet:127.0.0.1:10031
>
> make that
>
> smtpd_recipient_restrictions =
>   reject_non_fqdn_sender
>   reject_non_fqdn_recipient
>   permit_sasl_authenticated
>   permit_mynetworks
>   reject_unauth_destination
>   sleep 1
>   reject_unlisted_recipient
>   reject_unlisted_sender
>   reject_invalid_helo_hostname
>   reject_non_fqdn_helo_hostname
>   #reject_unknown_sender_domain
>   #reject_rbl_client zen.spamhaus.org
>   check_policy_service ${policy_service}
>
> details:
>
> - I am assuming that: you should queue errors for your own users (so permit_* comes soon)

Thank you for your time mouss. I do not fully understand that. Let's see if I am able to follow you:

Only after reject_unauth_destination, we start to analyze strangers that were already checked to have a proper fqdn'ized mail to our domain:

reject_unlisted_recipient: reject unknown recipient addresses
reject_unlisted_sender: reject unknown sender addresses
reject_invalid_helo_hostname: reject invalid (HE|EH)LO host syntax
reject_non_fqdn_helo_hostname: reject if (HE|EH)LO not RFC fqdn

> - reject_unknown_recipient_domain is only useful in an MSA. and even then... (you want to bounce not reject. because MUAs are bad

I see your point and I deleted it.

Regarding 'reject_unlisted_sender', I am not able to see your point.

> - reject_unauth_pipelining is useless here. check the pipelining specs. (RCPT TO is an async command...)

I use 'smtpd_delay_reject = yes'

man 5 postconf | less +/per-session\ flag

shows this:

'With Postfix 2.6 and later, the SMTP server sets a per-session flag whenever it detects illegal pipelining, including pipelined EHLO or HELO commands. The reject_unauth_pipelining feature simply tests whether the flag was set at any point in time during the session.'

I thought that this would assure that reject_unauth_pipelining would also do its work inside smtpd_recipient_restrictions.

> - experience here shows that reject_unknown_sender_domain only rejects legit mail.

This I do not understand, because also from man 5 postconf:

'when Postfix is not final destination for the sender address, and the MAIL FROM address has no DNS A or MX record, or when it has a malformed MX record'

If our server is not the final destination AND it may happen that there is no A and, at the same time, MX has problems.

Best regards,

M.
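The thread turns on where two entries sit in the list: reject_unauth_destination relative to check_policy_service (the open-relay guard has to be evaluated before anything that can answer OK), and reject_unlisted_recipient relative to permit_mynetworks (Wietse's advice to Jan, which mouss deliberately does not follow because he prefers to queue his own users' errors). The script below is an added example, not code from the list, from mouss or from Postfix: it parses a main.cf restriction list the way a reader would and reports both points. The four sample lists are the ones quoted in this thread plus one constructed bad order; the tokenizer's list of argument-taking restrictions is this example's own assumption and covers only the ones it needs.

```python
"""Order checks for a Postfix smtpd_recipient_restrictions value.

Added example (not Postfix code): parses the main.cf value and reports
the two ordering points raised in the thread.
"""
import re

# Restrictions that consume the next token as an argument.  This set is
# an assumption of the example and lists only what it needs.
ONE_ARG = {
    "sleep", "check_policy_service", "reject_rbl_client",
    "check_client_access", "check_helo_access",
    "check_sender_access", "check_recipient_access",
}


def parse_restrictions(value):
    """Return [(name, arg_or_None), ...] for a restriction list.

    Postfix accepts commas and/or whitespace as separators and lets a
    value continue over indented lines.  A line whose first non-blank
    character is '#' is skipped here, matching how mouss's example
    marks disabled entries.
    """
    tokens = []
    for line in value.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens.extend(t for t in re.split(r"[\s,]+", line) if t)
    out, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if name in ONE_ARG and i + 1 < len(tokens):
            out.append((name, tokens[i + 1]))
            i += 2
        else:
            out.append((name, None))
            i += 1
    return out


def _index(names, wanted):
    return names.index(wanted) if wanted in names else None


def relay_check_precedes_policy(value):
    """True when reject_unauth_destination is present and listed before
    every check_policy_service.  A policy daemon that answers OK for a
    client would otherwise permit relaying for that client."""
    names = [n for n, _ in parse_restrictions(value)]
    relay = _index(names, "reject_unauth_destination")
    if relay is None:
        return False
    return all(i > relay for i, n in enumerate(names)
               if n == "check_policy_service")


def unlisted_recipient_covers_mynetworks(value):
    """True when reject_unlisted_recipient comes before permit_mynetworks
    (Wietse's advice to Jan): unknown local recipients are refused at
    RCPT TO even from trusted clients.  mouss's order returns False on
    purpose; he lets his own users' typos be queued and bounced."""
    names = [n for n, _ in parse_restrictions(value)]
    unlisted = _index(names, "reject_unlisted_recipient")
    trusted = _index(names, "permit_mynetworks")
    if unlisted is None:
        return False
    return trusted is None or unlisted < trusted


def lint(value):
    """Return short findings; an empty list means nothing was flagged."""
    findings = []
    if not relay_check_precedes_policy(value):
        findings.append("reject_unauth_destination missing or listed "
                        "after check_policy_service")
    if not unlisted_recipient_covers_mynetworks(value):
        findings.append("reject_unlisted_recipient does not apply to "
                        "permit_mynetworks clients")
    return findings


# Jan Johansson's list, as quoted by Wietse.
JAN = "permit_mynetworks reject_unauth_destination check_policy_service inet:127.0.0.1:10031"

# Mark's proposed order.
MARK = """sleep 1, reject_unlisted_recipient, reject_unauth_pipelining,
  reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
  reject_non_fqdn_sender, reject_non_fqdn_recipient,
  reject_unknown_sender_domain, reject_unknown_recipient_domain,
  permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
  check_policy_service inet:127.0.0.1:10031"""

# mouss's reply, with his commented-out entries.
MOUSS = """
  reject_non_fqdn_sender
  reject_non_fqdn_recipient
  permit_sasl_authenticated
  permit_mynetworks
  reject_unauth_destination
  sleep 1
  reject_unlisted_recipient
  reject_unlisted_sender
  reject_invalid_helo_hostname
  reject_non_fqdn_helo_hostname
  #reject_unknown_sender_domain
  #reject_rbl_client zen.spamhaus.org
  check_policy_service ${policy_service}
"""

# Constructed bad order: the policy daemon is consulted before the relay check.
BAD = "permit_mynetworks check_policy_service inet:127.0.0.1:10031 reject_unauth_destination"

if __name__ == "__main__":
    for label, value in ("jan", JAN), ("mark", MARK), ("mouss", MOUSS), ("bad", BAD):
        print(label, lint(value) or "ok")
```

Run it as-is and each of the four lists is graded; feed your own value with `postconf -h smtpd_recipient_restrictions` piped into `parse_restrictions` if you want to check a live server.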
Re: Order of policies?
On Sun, 9 Jan 2011 10:17:57 -0500 (EST), Wietse Venema wie...@porcupine.org wrote:

> Jan Johansson:
>> I have the following config:
>>
>> smtpd_recipient_restrictions =
>>   permit_mynetworks
>>   reject_unauth_destination
>>   check_policy_service inet:127.0.0.1:10031
>
> For that, specify reject_unlisted_recipient before permit_mynetworks.

Well then, would the following order make sense?

smtpd_recipient_restrictions =
  sleep 1,
  reject_unlisted_recipient,
  reject_unauth_pipelining,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:10031

Regards,

M.
Is there a way to make Postfix 2.7.x stop announcing ETRN?
While using Postfix 2.7.1 at an Ubuntu 10.10 server:

We disabled ETRN as stated in the 'Configuring the Postfix fast ETRN service' section of the ETRN_README.html

(...)
smtpd_delay_reject = yes
fast_flush_domains =
mydestination = localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
relay_domains = $mydestination
smtpd_etrn_restrictions =
(...)

The problem is that Postfix is still announcing 250-ETRN, and we are being hit by very persistent machines that keep issuing:

etrn some.domain.tld

just to get:

459 some.domain.tld: service unavailable

Regards,

M.
Re: Is there a way to make Postfix 2.7.x stop announcing ETRN?
On Sun, 09 Jan 2011 14:49:11 -0600, Noel Jones njo...@megan.vbhcs.org wrote:

> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keywords
>
> # main.cf
> smtpd_discard_ehlo_keywords = silent-discard, etrn

That works. Problem solved. Thank you very much Noel.

M.
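Noel's setting only changes what the EHLO reply advertises, so the way to confirm it took effect is to read that reply. The script below is an added example, not code from Noel, from the list or from Postfix: it parses a captured multi-line 250 reply into the keyword list, says whether ETRN is among them, and can ask a live server over smtplib. The two sample replies and the host name mail.example.test are constructed to show the state before and after `smtpd_discard_ehlo_keywords = silent-discard, etrn`.

```python
"""List the ESMTP keywords a server advertises in its EHLO reply.

Added example, not from the thread or from Postfix.  Parses a captured
reply; live_ehlo_keywords() asks a real server and needs network access.
"""
import smtplib

# Constructed sample: the multi-line 250 reply Postfix sends to EHLO,
# first with ETRN advertised, then with the keyword discarded.
BEFORE = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-ETRN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)
AFTER = BEFORE.replace("250-ETRN\r\n", "")


def ehlo_keywords(reply):
    """Return the advertised keywords (upper-cased, parameters dropped)
    from a raw multi-line 250 reply.  The first line carries the server
    name, not a keyword, so it is skipped."""
    lines = [l for l in reply.replace("\r", "").split("\n") if l]
    keywords = []
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("not a 250 reply line: %r" % line)
        # "250-KEYWORD params" on continuation lines, "250 KEYWORD" on the last
        body = line[4:].strip()
        if body:
            keywords.append(body.split()[0].upper())
    return keywords


def advertises_etrn(reply):
    """True when ETRN is still offered, i.e. the discard setting is not in effect."""
    return "ETRN" in ehlo_keywords(reply)


def live_ehlo_keywords(host, port=25, timeout=10):
    """Query a running server.  smtplib stores the keywords it parsed,
    lower-cased, in esmtp_features; normalise them to match ehlo_keywords()."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, _ = s.ehlo()
        if code != 250:
            raise RuntimeError("EHLO rejected with %d" % code)
        return sorted(k.upper() for k in s.esmtp_features)


if __name__ == "__main__":
    print("before:", ehlo_keywords(BEFORE), "ETRN advertised:", advertises_etrn(BEFORE))
    print("after: ", ehlo_keywords(AFTER), "ETRN advertised:", advertises_etrn(AFTER))
```

Because silent-discard suppresses only the announcement, clients that issue ETRN anyway still get the 459 reply shown earlier in the thread; the parser tells you whether well-behaved clients will stop trying, which is what the setting is for.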