mailbox_transport and mail start looping
Hi,

We have an issue with integrating a spam filter into postfix. When a mail enters the mail system a loop starts between postfix and dspam. And I don't know why the loop starts because when the mail returns to postfix (localhost:10026) we override mailbox_transport and the mail should be delivered with the mailbox_command option (dovecot). What am I doing wrong?

Thanks,
Martijn

part of the logs:

Jan 7 13:57:02 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] connect from localhost[127.0.0.1]
Jan 7 13:57:02 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] 5C8C420A79: client=localhost[127.0.0.1]
Jan 7 13:57:02 chuck postfix-dspam/cleanup[8665]: [ID 197553 mail.info] 5C8C420A79: message-id=aanlkti=gvq95v3vp6z4jdmdjmb_q_nehotu_ro+rf...@mail.gmail.com
Jan 7 13:57:02 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1]
Jan 7 13:57:02 chuck postfix-dspam/qmgr[8581]: [ID 197553 mail.info] 5C8C420A79: from=martijndemun...@gmail.com, size=19021, nrcpt=1 (queue active)
Jan 7 13:57:02 chuck postfix-dspam/pipe[8681]: [ID 197553 mail.info] 9A97E20A6F: to=martijn_dspam.redknot...@chuck.redknot.nl, orig_to=martijn_dspam.redknot.nl, relay=dspam, delay=0.79, delays=0.04/0/0/0.75, dsn=2.0.0, status=sent (delivered via dspam service)
Jan 7 13:57:02 chuck postfix-dspam/qmgr[8581]: [ID 197553 mail.info] 9A97E20A6F: removed
Jan 7 13:57:03 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] connect from localhost[127.0.0.1]
Jan 7 13:57:03 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] 120E220A7E: client=localhost[127.0.0.1]
Jan 7 13:57:03 chuck postfix-dspam/cleanup[8665]: [ID 197553 mail.info] 120E220A7E: message-id=aanlkti=gvq95v3vp6z4jdmdjmb_q_nehotu_ro+rf...@mail.gmail.com
Jan 7 13:57:03 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1]
Jan 7 13:57:03 chuck postfix-dspam/qmgr[8581]: [ID 197553 mail.info] 120E220A7E: from=martijndemun...@gmail.com, size=19430, nrcpt=1 (queue active)
Jan 7 13:57:03 chuck postfix-dspam/pipe[8667]: [ID 197553 mail.info] 5C8C420A79: to=martijn_dspam.redknot...@chuck.redknot.nl, orig_to=martijn_dspam.redknot.nl, relay=dspam, delay=0.74, delays=0.03/0.02/0/0.69, dsn=2.0.0, status=sent (delivered via dspam service)
Jan 7 13:57:03 chuck postfix-dspam/qmgr[8581]: [ID 197553 mail.info] 5C8C420A79: removed
Jan 7 13:57:03 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] connect from localhost[127.0.0.1]
Jan 7 13:57:03 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] DE3F120A83: client=localhost[127.0.0.1]
Jan 7 13:57:03 chuck postfix-dspam/cleanup[8665]: [ID 197553 mail.info] DE3F120A83: message-id=aanlkti=gvq95v3vp6z4jdmdjmb_q_nehotu_ro+rf...@mail.gmail.com
Jan 7 13:57:03 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1]
Jan 7 13:57:03 chuck postfix-dspam/qmgr[8581]: [ID 197553 mail.info] DE3F120A83: from=martijndemun...@gmail.com, size=19839, nrcpt=1 (queue active)
Jan 7 13:57:03 chuck postfix-dspam/pipe[8681]: [ID 197553 mail.info] 120E220A7E: to=martijn_dspam.redknot...@chuck.redknot.nl, orig_to=martijn_dspam.redknot.nl, relay=dspam, delay=0.87, delays=0.03/0.01/0/0.83, dsn=2.0.0, status=sent (delivered via dspam service)
Jan 7 13:57:03 chuck postfix-dspam/qmgr[8581]: [ID 197553 mail.info] 120E220A7E: removed
Jan 7 13:57:04 chuck postfix-dspam/smtpd[8660]: [ID 197553 mail.info] disconnect from mail-gx0-f179.google.com[209.85.161.179]
Jan 7 13:57:04 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] connect from localhost[127.0.0.1]
Jan 7 13:57:04 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] B553F20A88: client=localhost[127.0.0.1]
Jan 7 13:57:04 chuck postfix-dspam/cleanup[8665]: [ID 197553 mail.info] B553F20A88: message-id=aanlkti=gvq95v3vp6z4jdmdjmb_q_nehotu_ro+rf...@mail.gmail.com
Jan 7 13:57:04 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1]
Jan 7 13:57:04 chuck postfix-dspam/qmgr[8581]: [ID 197553 mail.info] B553F20A88: from=martijndemun...@gmail.com, size=20247, nrcpt=1 (queue active)
Jan 7 13:57:04 chuck postfix-dspam/pipe[8667]: [ID 197553 mail.info] DE3F120A83: to=martijn_dspam.redknot...@chuck.redknot.nl, orig_to=martijn_dspam.redknot.nl, relay=dspam, delay=0.97, delays=0.06/0/0/0.91, dsn=2.0.0, status=sent (delivered via dspam service)
Jan 7 13:57:04 chuck postfix-dspam/qmgr[8581]: [ID 197553 mail.info] DE3F120A83: removed
Jan 7 13:57:05 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] connect from localhost[127.0.0.1]
Jan 7 13:57:05 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] 8B60C20A8E: client=localhost[127.0.0.1]
Jan 7 13:57:05 chuck postfix-dspam/smtpd[8673]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1]
Jan 7 13:57:05 chuck postfix-dspam/pipe[8681]: [ID 197553 mail.info] B553F20A88: to=martijn_dspam.redknot...@chuck.redknot.nl,
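A log check for the kind of loop visible in the log above, as an added example that is not part of the original post: it groups queue entries by message-id and flags a message that is queued again and again from localhost while its size grows on every pass (19021, 19430, 19839, 20247 in the post). The function names and the sample lines are constructed for illustration; the queue IDs and sizes of the looping message are taken from the post.

```python
import re
from collections import defaultdict

# Matches e.g. "postfix-dspam/qmgr[8581]: [ID 197553 mail.info] 5C8C420A79: from=..., size=19021"
# The "[ID ...]" tag is Solaris syslog decoration and is treated as optional.
LINE_RE = re.compile(
    r"postfix[^/\s]*/(?P<daemon>[\w-]+)\[\d+\]:\s+(?:\[ID \d+ [\w.]+\]\s+)?"
    r"(?P<qid>[0-9A-F]{6,}):\s+(?P<rest>.*)$"
)
MSGID_RE = re.compile(r"\bmessage-id=<?([^>\s,]+)")   # angle brackets optional
SIZE_RE = re.compile(r"\bsize=(\d+)")
CLIENT_RE = re.compile(r"\bclient=\S*\[([0-9A-Fa-f.:]+)\]")
LOOPBACK = {"127.0.0.1", "::1"}


def queue_entries(lines):
    """Collect message-id, size and client IP per queue ID, in first-seen order."""
    entries = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        e = entries.setdefault(
            m["qid"], {"qid": m["qid"], "msgid": None, "size": None, "client": None}
        )
        rest = m["rest"]
        if (x := MSGID_RE.search(rest)):
            e["msgid"] = x[1]
        if (x := SIZE_RE.search(rest)):
            e["size"] = int(x[1])
        if (x := CLIENT_RE.search(rest)) and e["client"] is None:
            e["client"] = x[1]
    return list(entries.values())


def find_loops(lines, min_passes=3, loopback_only=True):
    """Flag message-ids queued min_passes or more times with the size growing each time.

    Growth on every pass is what separates a loop (each trip through the filter
    and back adds headers) from a filter re-injecting one copy per recipient.
    """
    by_msgid = defaultdict(list)
    for e in queue_entries(lines):
        if e["msgid"] is None or e["size"] is None:
            continue
        if loopback_only and e["client"] not in LOOPBACK:
            continue
        by_msgid[e["msgid"]].append(e)

    findings = []
    for msgid, passes in by_msgid.items():
        sizes = [p["size"] for p in passes]
        growing = all(b > a for a, b in zip(sizes, sizes[1:]))
        if len(passes) >= min_passes and growing:
            findings.append({
                "message_id": msgid,
                "queue_ids": [p["qid"] for p in passes],
                "sizes": sizes,
                "bytes_added_per_pass": [b - a for a, b in zip(sizes, sizes[1:])],
            })
    return findings


def _queued(ts, qid, msgid, size, client="localhost[127.0.0.1]"):
    """Build the smtpd/cleanup/qmgr lines for one queue entry (constructed sample data)."""
    pre = f"Jan  7 {ts} mx postfix-dspam"
    tag = "[ID 197553 mail.info]"
    return [
        f"{pre}/smtpd[8673]: {tag} {qid}: client={client}",
        f"{pre}/cleanup[8665]: {tag} {qid}: message-id=<{msgid}>",
        f"{pre}/qmgr[8581]: {tag} {qid}: from=<sender@example.com>, "
        f"size={size}, nrcpt=1 (queue active)",
    ]


# Constructed sample log in the format shown in the post.
SAMPLE_LOG = (
    # One message going round the filter four times.
    _queued("13:57:02", "5C8C420A79", "looping@example.com", 19021)
    + _queued("13:57:03", "120E220A7E", "looping@example.com", 19430)
    + _queued("13:57:03", "DE3F120A83", "looping@example.com", 19839)
    + _queued("13:57:04", "B553F20A88", "looping@example.com", 20247)
    # Control: a filter re-injecting one copy per recipient, size unchanged.
    + _queued("13:58:10", "A1B2C3D4E5", "fanout@example.com", 5120)
    + _queued("13:58:10", "A1B2C3D4E6", "fanout@example.com", 5120)
    + _queued("13:58:10", "A1B2C3D4E7", "fanout@example.com", 5120)
    # Control: a single delivery from a remote client.
    + _queued("13:59:00", "0F0F0F0F0F", "single@example.com", 2401,
              "mail.example.net[192.0.2.10]")
)

if __name__ == "__main__":
    for f in find_loops(SAMPLE_LOG):
        print(f["message_id"], f["queue_ids"], f["bytes_added_per_pass"])
```

If the re-injection listener accepts XFORWARD, the logged client is the original remote host rather than localhost; in that case call `find_loops(..., loopback_only=False)` and rely on the repeated message-id and the size growth.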
Re: integrate dspam into postfix
Is there a way to use virtual_tranport with virtual_alias for this case? On Sep 3, 2010, at 1:35 AM, Martijn de Munnik wrote: Hi list, I'm trying to integrate dspam filtering into my postfix system. The way I have it now works for local users but when a user has an alias to an external domain the mail bounces. This server is for receiving mail only, so no submission is needed. --- This is the mail system at host chuck.redknot.nl. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system martijndemun...@chuck.redknot.nl (expanded from martijndemunnik): unknown user: martijndemunnik Reporting-MTA: dns; chuck.redknot.nl X-Postfix-Queue-ID: 1C455D2A2 X-Postfix-Sender: rfc822; mart...@youngguns.nl Arrival-Date: Thu, 2 Sep 2010 21:58:12 +0200 (CEST) Final-Recipient: rfc822; martijndemun...@chuck.redknot.nl Original-Recipient: rfc822;martijndemunnik Action: failed Status: 5.1.1 Diagnostic-Code: X-Postfix; unknown user: martijndemunnik --- The virtual file contains: just...@suezkade.nl martijndemun...@gmail.com I'm sure this is because I pass --user ${mailbox} to the dspam command, but I'm not sure how to solve this. I want dspam to learn what is spam for my local user, so I guess dspam should be as close as possible to final delivery. There is also another problem. Dspam calls clamav to scan the message for viruses. When A virus is found dspam dies because the shell can't handle a negative error return code. The dspam list told me to use the server part of dspam to fix this and let postfix talk to dspam with lmtp. I'm not sure how to do this. virtual_transport doesn't seem to have any effect because I'm not using virtual_domains? Any ideas? 
Thanks, Martijn Output of postconf -n: address_verify_map = btree:${data_directory}/verify alias_maps = dbm:/etc/opt/redknot/postfix/aliases config_directory = /etc/opt/redknot/postfix content_filter = dspam:dpsam disable_vrfy_command = yes home_mailbox = Maildir/ mailbox_command = /opt/redknot/libexec/dovecot/deliver -a $RECIPIENT -m $EXTENSION -s mydestination = $myhostname, localhost.$mydomain, localhost mydomain = chuck.redknot.nl myhostname = chuck.redknot.nl recipient_delimiter = + relay_domains = $mydestination, atdstramproy.nl smtpd_banner = $myhostname ESMTP smtpd_data_restrictions = reject_unauth_pipelining, permit smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_proxy_filter = 127.0.0.1:10027 smtpd_proxy_options = speed_adjust smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:localhost:10031, check_policy_service inet:localhost:10030, check_policy_service inet:localhost:10029, permit smtpd_tls_cert_file = /etc/opt/redknot/ssl/chuck.redknot.nl.cer smtpd_tls_key_file = /etc/opt/redknot/ssl/chuck.redknot.nl.key smtpd_use_tls = yes soft_bounce = yes strict_rfc821_envelopes = yes transport_maps = dbm:/etc/opt/redknot/postfix/transport unknown_address_reject_code = 550 unknown_hostname_reject_code = 550 unknown_local_recipient_reject_code = 550 unverified_recipient_reject_code = 550 virtual_alias_maps = dbm:/etc/opt/redknot/postfix/virtual and my master.cf # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: man 5 master). # # Do not forget to execute postfix reload after editing this file. 
# # = = = = == # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # = = = = == smtp inet n - n - - smtpd #submission inet n - n - - smtpd # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING pickupfifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgrunix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial
Re: integrate dspam into postfix
Hi List,

I'm still struggling with dspam integration with postfix. Now I have:

--
address_verify_map = btree:${data_directory}/verify
alias_maps = dbm:/etc/opt/redknot/postfix/aliases
config_directory = /etc/opt/redknot/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
mailbox_command = /opt/redknot/libexec/dovecot/deliver -a $RECIPIENT -m $EXTENSION -s
mailbox_transport = dspam-lmtp:[127.0.0.1]:10025
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = chuck.redknot.nl
myhostname = chuck.redknot.nl
recipient_delimiter = +
relay_domains = $mydestination, atdstramproy.nl
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_proxy_filter = 127.0.0.1:10027
smtpd_proxy_options = speed_adjust
smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:localhost:10031, check_policy_service inet:localhost:10030, check_policy_service inet:localhost:10029, permit
smtpd_tls_cert_file = /etc/opt/redknot/ssl/chuck.redknot.nl.cer
smtpd_tls_key_file = /etc/opt/redknot/ssl/chuck.redknot.nl.key
smtpd_use_tls = yes
soft_bounce = yes
strict_rfc821_envelopes = yes
transport_maps = dbm:/etc/opt/redknot/postfix/transport
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = dbm:/etc/opt/redknot/postfix/virtual
--

So I'm using a mailbox_transport to call dspam. Unfortunately the mail doesn't show up in the logs after the lmtp part (I have lmtp -v in master.cf) and the mail isn't delivered. When I remove the mailbox_transport and restart postfix the mails get delivered.
Why does the LMTP conversation stop in the last three lines, I expect to see the actual message? Sep 8 16:38:32 chuck postfix/smtpd[24691]: [ID 197553 mail.info] connect from mail-yw0-f44.google.com[209.85.213.44] Sep 8 16:38:38 chuck policyd-spf[24698]: [ID 702911 mail.info] None; identity=helo; client-ip=209.85.213.44; helo=mail-yw0-f44.google.com; envelope-from=martijndemun...@gmail.com ; receiver=mart...@redknot.nl Sep 8 16:38:38 chuck policyd-spf[24698]: [ID 702911 mail.info] Pass; identity=mailfrom; client-ip=209.85.213.44; helo=mail-yw0- f44.google.com; envelope-from=martijndemun...@gmail.com; receiver=mart...@redknot.nl Sep 8 16:38:38 chuck postfix/smtpd[24691]: [ID 197553 mail.info] NOQUEUE: client=mail-yw0-f44.google.com[209.85.213.44] Sep 8 16:38:39 chuck postfix/smtpd[24686]: [ID 197553 mail.info] connect from localhost[127.0.0.1] Sep 8 16:38:39 chuck postfix/smtpd[24686]: [ID 197553 mail.info] 167E810897: client=mail-yw0-f44.google.com[209.85.213.44] Sep 8 16:38:39 chuck postfix/cleanup[24687]: [ID 197553 mail.info] 167E810897: message-id=aanlkti=5jghf56pzvnfr0qqhvxqwk_zvxndx18eox...@mail.gmail.com Sep 8 16:38:39 chuck postfix/qmgr[24585]: [ID 197553 mail.info] 167E810897: from=martijndemun...@gmail.com, size=2401, nrcpt=1 (queue active) Sep 8 16:38:39 chuck postfix/smtpd[24691]: [ID 197553 mail.info] proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 167E810897; from=martijndemun...@gmail.com to=mart...@redknot.nl proto=ESMTP helo=mail-yw0-f44.google.com Sep 8 16:38:39 chuck postfix/smtpd[24686]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1] Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: const mail Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: const ipv4 Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: const Sep 8 16:38:39 chuck last message repeated 2 times Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] name_mask: ipv4 Sep 8 16:38:39 
chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: const chuck.redknot.nl Sep 8 16:38:39 chuck last message repeated 1 time Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: const Postfix Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: expand ${multi_instance_name:postfix}${multi_instance_name? $multi_instance_name} - postfix Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: const postfix Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: const postdrop Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: expand $myhostname, localhost.$mydomain, localhost - chuck.redknot.nl, localhost.chuck.redknot.nl, localhost Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: expand $myhostname - chuck.redknot.nl Sep 8 16:38:39 chuck postfix/lmtp[24700]: [ID 197553 mail.info] dict_eval: const Sep 8
Re: integrate dspam into postfix
On Sep 8, 2010, at 5:34 PM, Wietse Venema wrote:

Martijn de Munnik:

So I'm using a mailbox_transport to call dspam. Unfortunately the mail doesn't show up in the logs after the lmtp part (I have lmtp -v in master.cf) and the mail isn't delivered. When I remove the

The mailbox_transport delivers the mail to dspam, therefore the mail no longer exists in the Postfix mail queue.

But the mails are still listed when I issue a mailq and when I remove the mailbox_transport line from main.cf and restart postfix the mails are delivered immediately. DSPAM should reinsert the message into the postfix queue after processing. This works when I use a content_filter and call dspam using a pipe.

I suggest that you have a look at the Postfix FILTER_README documentation.

Will do.

Wietse
integrate dspam into postfix
Hi list,

I'm trying to integrate dspam filtering into my postfix system. The way I have it now works for local users but when a user has an alias to an external domain the mail bounces. This server is for receiving mail only, so no submission is needed.

---
This is the mail system at host chuck.redknot.nl.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

martijndemun...@chuck.redknot.nl (expanded from martijndemunnik): unknown user: martijndemunnik

Reporting-MTA: dns; chuck.redknot.nl
X-Postfix-Queue-ID: 1C455D2A2
X-Postfix-Sender: rfc822; mart...@youngguns.nl
Arrival-Date: Thu, 2 Sep 2010 21:58:12 +0200 (CEST)

Final-Recipient: rfc822; martijndemun...@chuck.redknot.nl
Original-Recipient: rfc822;martijndemunnik
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Postfix; unknown user: martijndemunnik
---

The virtual file contains:

just...@suezkade.nl martijndemun...@gmail.com

I'm sure this is because I pass --user ${mailbox} to the dspam command, but I'm not sure how to solve this. I want dspam to learn what is spam for my local user, so I guess dspam should be as close as possible to final delivery.

There is also another problem. Dspam calls clamav to scan the message for viruses. When a virus is found dspam dies because the shell can't handle a negative error return code. The dspam list told me to use the server part of dspam to fix this and let postfix talk to dspam with lmtp. I'm not sure how to do this. virtual_transport doesn't seem to have any effect because I'm not using virtual_domains?

Any ideas?
Thanks, Martijn Output of postconf -n: address_verify_map = btree:${data_directory}/verify alias_maps = dbm:/etc/opt/redknot/postfix/aliases config_directory = /etc/opt/redknot/postfix content_filter = dspam:dpsam disable_vrfy_command = yes home_mailbox = Maildir/ mailbox_command = /opt/redknot/libexec/dovecot/deliver -a $RECIPIENT -m $EXTENSION -s mydestination = $myhostname, localhost.$mydomain, localhost mydomain = chuck.redknot.nl myhostname = chuck.redknot.nl recipient_delimiter = + relay_domains = $mydestination, atdstramproy.nl smtpd_banner = $myhostname ESMTP smtpd_data_restrictions = reject_unauth_pipelining, permit smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_proxy_filter = 127.0.0.1:10027 smtpd_proxy_options = speed_adjust smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:localhost:10031, check_policy_service inet:localhost:10030, check_policy_service inet:localhost:10029, permit smtpd_tls_cert_file = /etc/opt/redknot/ssl/chuck.redknot.nl.cer smtpd_tls_key_file = /etc/opt/redknot/ssl/chuck.redknot.nl.key smtpd_use_tls = yes soft_bounce = yes strict_rfc821_envelopes = yes transport_maps = dbm:/etc/opt/redknot/postfix/transport unknown_address_reject_code = 550 unknown_hostname_reject_code = 550 unknown_local_recipient_reject_code = 550 unverified_recipient_reject_code = 550 virtual_alias_maps = dbm:/etc/opt/redknot/postfix/virtual and my master.cf # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: man 5 master). # # Do not forget to execute postfix reload after editing this file. 
# # = = # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # = = smtp inet n - n - - smtpd #submission inet n - n - - smtpd # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING pickupfifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgrunix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounceunix - - n - 0 bounce defer unix - - n - 0 bounce trace
Re: How to reject bad hosts
On Mon, 09 Aug 2010 16:29:21 +0200, Nicolas Michel nicolas.mic...@lemail.be wrote:

Hello,

I want to know if there is a way to reject connections from hosts not listed in the MX records of the domain they claim to be. For example: a host with IP WWW.XXX.YYY.ZZZ tries to send a mail to my domain (we'll call it mydomain.be) and claims that the sender is u...@otherdomain.com. If WWW.XXX.YYY.ZZZ is not a MX server of otherdomain.com my mail server will reject the connection.

This is not exactly what you want but it comes close http://www.rfc-ignorant.org/policy-bogusmx.php

If it is possible, will it cause some troubles? Will I lose some legitimate mails? Because of misconfiguration or another reason?

Thank you.

nm
dspam breaks return-path and to address/address extension
(stevie.youngguns.nl [127.0.0.1]) (amavisd-new, port 10024) with LMTP id m1J1acFpU+zk for munnik+t...@chuck.redknot.nl; Thu, 17 Jun 2010 22:37:41 +0200 (CEST) Received: from Unknown-00-17-f2-4d-f7-35.lan (a80-101-149-154.adsl.xs4all.nl [80.101.149.154]) (Authenticated sender: mart...@youngguns.nl) by stevie.youngguns.nl (Postfix) with ESMTPSA id 0EABA3B5BA for munnik+t...@chuck.redknot.nl; Thu, 17 Jun 2010 22:37:40 +0200 (CEST) Message-Id: 859284ee-dd63-4b7c-8cde-53b8baa90...@youngguns.nl From: Martijn de Munnik mart...@youngguns.nl To: munnik+t...@chuck.redknot.nl Content-Type: text/plain Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v936) Subject: Date: Thu, 17 Jun 2010 22:37:37 +0200 X-Mailer: Apple Mail (2.936) X-DCC-EATSERVER-Metrics: chuck 1166; Body=0 X-DSPAM-Result: Innocent X-DSPAM-Processed: Thu Jun 17 22:37:54 2010 X-DSPAM-Confidence: 0.9899 X-DSPAM-Improbability: 1 in 9809 chance of being spam X-DSPAM-Probability: 0. X-DSPAM-Signature: 4c1a87a117261438818001 Thanks, Martijn
Re: User unknown in virtual alias table
# /opt/csw/sbin/postmap -q mart...@youngguns.nl hash:/opt/csw/etc/postfix/maps/virtual martijn-youngguns.nl so that seems to work? On Wed, May 19, 2010 at 12:48 PM, Martijn de Munnik martijndemun...@gmail.com wrote: Hi, Since this morning I get these error messages in maillog. This happens for all our users: May 19 12:43:08 stevie.youngguns.nl postfix/error[23550]: [ID 197553 mail.info] EFEAC1C176: to=mart...@youngguns.nl, relay=none, delay=5511, delays=5509/1.6/0/0.04, dsn=4.0.0, status=SOFTBOUNCE (User unknown in virtual alias table) This user is in the virtual alias table: # grep mart...@youngguns.nl /opt/csw/etc/postfix/maps/virtual mart...@youngguns.nl martijn-youngguns.nl mart...@redknot.nl mart...@youngguns.nl We let virtualmin handle the creation of users and aliases. I've removed a faulty alias in the virtual file and recreated the .db file with postmap. Postmap doesn't complain about errors but I keep getting the 'User unknown' errors in the logs. # /opt/csw/sbin/postconf -n address_verify_map = btree:${data_directory}/verify alias_maps = hash:/opt/csw/etc/postfix/maps/aliases,hash:/opt/youngguns/mailman/data/aliases body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks broken_sasl_auth_clients = yes command_directory = /opt/csw/sbin config_directory = /etc/postfix daemon_directory = /opt/csw/libexec/postfix data_directory = /opt/csw/var/lib/postfix default_database_type = hash delay_warning_time = 4h disable_vrfy_command = yes header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks home_mailbox = Maildir/ html_directory = /opt/csw/share/doc/postfix/html inet_interfaces = all mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME mailbox_size_limit = 0 mailq_path = /opt/csw/bin/mailq manpage_directory = /opt/csw/share/man maximal_backoff_time = 8000s maximal_queue_lifetime = 7d message_size_limit = 52428800 mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks minimal_backoff_time = 1000s mydestination = 
$myhostname, localhost.$mydomain myhostname = stevie.youngguns.nl mynetworks_style = host myorigin = $myhostname newaliases_path = /opt/csw/bin/newaliases readme_directory = /opt/csw/share/doc/postfix/README_FILES receive_override_options = no_address_mappings recipient_delimiter = + relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl, vanherpt.biz, rodersana.nl relayhost = sample_directory = /opt/csw/share/doc/postfix/samples sendmail_path = /opt/csw/sbin/sendmail smtp_bind_address = 213.207.90.2 smtp_fallback_relay = mx2.youngguns.nl smtp_helo_timeout = 60s smtp_pix_workaround_delay_time = 10s smtp_send_xforward_command = yes smtp_skip_quit_response = yes smtp_tls_loglevel = 1 smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP smtpd_client_connection_count_limit = 10 smtpd_data_restrictions = reject_unauth_pipelining smtpd_delay_reject = yes smtpd_hard_error_limit = 12 smtpd_helo_required = yes smtpd_recipient_limit = 1000 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/opt/csw/etc/postfix/maps/relay_access, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_sender_mx_access cidr:/opt/csw/etc/postfix/maps/bogon_networks, check_client_access cidr:/opt/csw/etc/postfix/maps/drop, check_sender_mx_access cidr:/opt/csw/etc/postfix/maps/drop, check_sender_ns_access cidr:/opt/csw/etc/postfix/maps/drop, reject_unverified_recipient, check_client_access cidr:/opt/csw/etc/postfix/maps/dnswl_header, check_client_access cidr:/opt/csw/etc/postfix/maps/dnswl_permit, check_policy_service 
inet:127.0.0.1:10023 smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_soft_error_limit = 3 smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key smtpd_tls_loglevel = 1 smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache soft_bounce = yes strict_rfc821_envelopes = yes tls_random_source = dev:/dev/urandom transport_maps = hash:/opt/csw/etc/postfix/maps/transport unknown_address_reject_code = 550 unknown_hostname_reject_code = 550 unknown_local_recipient_reject_code = 550 unverified_recipient_reject_code = 550 virtual_alias_maps = hash:/opt/csw/etc/postfix/maps/virtual
Re: User unknown in virtual alias table
smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o local_header_rewrite_clients= On Wed, May 19, 2010 at 1:09 PM, Martijn de Munnik martijndemun...@gmail.com wrote: # /opt/csw/sbin/postmap -q mart...@youngguns.nl hash:/opt/csw/etc/postfix/maps/virtual martijn-youngguns.nl so that seems to work? On Wed, May 19, 2010 at 12:48 PM, Martijn de Munnik martijndemun...@gmail.com wrote: Hi, Since this morning I get these error messages in maillog. This happens for all our users: May 19 12:43:08 stevie.youngguns.nl postfix/error[23550]: [ID 197553 mail.info] EFEAC1C176: to=mart...@youngguns.nl, relay=none, delay=5511, delays=5509/1.6/0/0.04, dsn=4.0.0, status=SOFTBOUNCE (User unknown in virtual alias table) This user is in the virtual alias table: # grep mart...@youngguns.nl /opt/csw/etc/postfix/maps/virtual mart...@youngguns.nl martijn-youngguns.nl mart...@redknot.nl mart...@youngguns.nl We let virtualmin handle the creation of users and aliases. I've removed a faulty alias in the virtual file and recreated the .db file with postmap. Postmap doesn't complain about errors but I keep getting the 'User unknown' errors in the logs. 
# /opt/csw/sbin/postconf -n address_verify_map = btree:${data_directory}/verify alias_maps = hash:/opt/csw/etc/postfix/maps/aliases,hash:/opt/youngguns/mailman/data/aliases body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks broken_sasl_auth_clients = yes command_directory = /opt/csw/sbin config_directory = /etc/postfix daemon_directory = /opt/csw/libexec/postfix data_directory = /opt/csw/var/lib/postfix default_database_type = hash delay_warning_time = 4h disable_vrfy_command = yes header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks home_mailbox = Maildir/ html_directory = /opt/csw/share/doc/postfix/html inet_interfaces = all mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME mailbox_size_limit = 0 mailq_path = /opt/csw/bin/mailq manpage_directory = /opt/csw/share/man maximal_backoff_time = 8000s maximal_queue_lifetime = 7d message_size_limit = 52428800 mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks minimal_backoff_time = 1000s mydestination = $myhostname, localhost.$mydomain myhostname = stevie.youngguns.nl mynetworks_style = host myorigin = $myhostname newaliases_path = /opt/csw/bin/newaliases readme_directory = /opt/csw/share/doc/postfix/README_FILES receive_override_options = no_address_mappings recipient_delimiter = + relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl, vanherpt.biz, rodersana.nl relayhost = sample_directory = /opt/csw/share/doc/postfix/samples sendmail_path = /opt/csw/sbin/sendmail smtp_bind_address = 213.207.90.2 smtp_fallback_relay = mx2.youngguns.nl smtp_helo_timeout = 60s smtp_pix_workaround_delay_time = 10s smtp_send_xforward_command = yes smtp_skip_quit_response = yes smtp_tls_loglevel = 1 smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache 
smtpd_banner = $myhostname ESMTP smtpd_client_connection_count_limit = 10 smtpd_data_restrictions = reject_unauth_pipelining smtpd_delay_reject = yes smtpd_hard_error_limit = 12 smtpd_helo_required = yes smtpd_recipient_limit = 1000 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/opt/csw/etc/postfix/maps/relay_access, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_sender_mx_access cidr:/opt/csw/etc/postfix/maps/bogon_networks, check_client_access cidr:/opt/csw/etc/postfix/maps/drop, check_sender_mx_access cidr:/opt/csw/etc/postfix/maps/drop, check_sender_ns_access cidr:/opt/csw/etc/postfix/maps/drop, reject_unverified_recipient, check_client_access cidr:/opt/csw/etc/postfix/maps/dnswl_header, check_client_access cidr:/opt/csw/etc/postfix/maps/dnswl_permit, check_policy_service inet:127.0.0.1:10023 smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_soft_error_limit = 3 smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem smtpd_tls_key_file = /home
RE: Postfix Logfile Statistics
On Wed, 14 Apr 2010 11:17:51 +0200, Kammen van, Marco, Springer SBM NL marco.vankam...@springer.com wrote:

Patric Falinder

Kammen van, Marco, Springer SBM NL wrote 2010-04-14 10:50:

Hi All,

Searched on the web for this but couldn't find anything close to what I'm looking for. Any of you know a tool that generates web based (graph) statistics based on information in the postfix logfile. I'm looking for things like amount of messages sent/received daily weekly monthly etc ...

Thanks in advance for any suggestions!

Try mailgraph http://mailgraph.schweikert.ch/

Mailgraph in action: http://www.stat.ee.ethz.ch/mailgraph.cgi

Thanks for your very fast reply. One thing I'm missing (or at least my management is), they want to be able to see how many messages were sent/received on specific days. So instead of a total amount of messages sent/received the current day or in the entire week/month/year, they want to see how many messages were sent/received on January 1st, or June 16th... etc etc

I could make a script and put this stuff in a separate MySQL database, but if something like that exists already why do it twice!

http://jimsun.linxnet.com/postfix_contrib.html

This will send an e-mail with a log summary each day. Now you only have to store that info in a database and make it available via a frontend.

Martijn
Relayhost dependend on destination MX
Hi, Our smtp server has some issues when talking to some remote mx's. This results in a timeout and the message not being delivered (this was discussed on this mailing list but there doesn't seem to be a real solution available now). When we relay the message through another server the remote mx happily accepts the message. I only want to relay messages through the other server when a timeout occurs. I was thinking of using fail2ban for this. I want to watch the maillog with fail2ban and when timeouts appear I want fail2ban to write a line to the transport??? map. How do I redirect messages with a certain destination mx to another mail server (one of our relays)? Example: mail to i...@goofyandtheregulars.com will be delivered to mx-cluster-b1.one.com or mx-cluster-b2.one.com. But will give a timeout when talking to that machine. So I want to redirect messages to mx-cluster-b1.one.com and mx-cluster-b2.one.com to mx2.youngguns.nl. thanks, Martijn
Re: Relayhost dependend on destination MX
On Wed, 24 Mar 2010 09:45:55 -0400 (EDT), Wietse Venema wie...@porcupine.org wrote: Martijn de Munnik: Hi, Our smtp server has some issues when talking to some remote mx's. This results in a timeout and the message not being delivered (this was discussed on this mailing list but there doesn't seem to be a real solution available now). When we relay the message through another server the remote mx happily accepts the message. I only want to relay messages through the other server when a timeout occurs. I was thinking of using fail2ban for this. I want to watch the maillog with fail2ban and when timeouts appear I want fail2ban to write a line to the transport??? map. How do I redirect messages with a certain destination mx to another mail server (one of our relays)? See: http://www.postfix.org/postconf.5.html#smtp_fallback_relay Thank you ;) That was so much easier than my idea with fail2ban! Martijn Wietse Example: mail to i...@goofyandtheregulars.com will be delivered to mx-cluster-b1.one.com or mx-cluster-b2.one.com. But will give a timeout when talking to that machine. So I want to redirect messages to mx-cluster-b1.one.com and mx-cluster-b2.one.com to mx2.youngguns.nl. thanks, Martijn
Re: Mails bounced 550 5.7.1
On Fri, 19 Mar 2010 15:31:18 +0100, Sam Przyswa s...@arial-concept.com wrote: The problem occurs when we send mail to this domain, we had no problems before we changed our IP mail server and MX record for our domain. Your mailserver seems to be listed on several blacklists, please fix those problems first. Backscatter.org SORBS-SPAM UCEPROTECTL2 maybe others... Sam. Martijn de Munnik - Postfix List wrote: On Fri, 19 Mar 2010 15:06:42 +0100, Sam Przyswa s...@arial-concept.com wrote: Hi, On last Postfix install on new server some mails are refused with error 550 5.7.1 see the report: Are these mails entering your system or are these mails leaving your system? If the mails are leaving your system then the remote site has decided not to accept your e-mail. c.tra...@aflo.be: host gw.aflo.be[87.66.26.108] said: 550 5.7.1 Your email messages have been blocked by the recipient OR by Trend Micro Email Reputation Service. Contact the recipient or his/her administrator using alternate means to resolve the issue. (in reply to RCPT TO command) How to fix? Thanks for your help. Sam.
Re: looking for solution
On Mon, 2010-03-01 at 15:47 +0100, Ilja Beeskow wrote: Hello @ll I have a little problem with postfix 2.5, trendmicro viruswall and an old exchange 2k behind it. Perhaps somebody could give me a hint because I'm really confused after some days of trying different things. For incoming mail everything is clear: relay_domains and transport_maps, tmvw as a content_filter do the job! Internet DMZ Intranet - -- tmvw (as cf) 10025 ^ | | v 10026 smtp (25)- pf (25)- exchange2k outgoing mail should be handled a little different: Internet DMZ Intranet - -- tmvw (as cf) (10025) | (10025) | (10026)| ^ | not possible! v | | MX -(25) pf pf-sec -(25) ex2k Because of the fact the ex2k was migrated from 5.5 we actually have the problem that ex2k is not configurable to use any other port than 25. This breaks the design of tmvw. My idea is a second smtp-process (I have two IPs) like this master.cf 192.168.1.3:25 inet n - n - - smtpd 192.168.1.4:25 inet n - n - - smtpd What I want is a forwarding process getting its mail on port 25 and forwarding it to port 10025 of tmvw. tmvw should reinject on port 10026 of the first (outbound) smtpd process. I think it is easier to use a transparent proxy which redirects incoming connections to port 25 to localhost port 10025. Check your firewall documentation for your platform. Ipchains or ipfilter or ... What I think to know is that my second process has to have set this 192.168.1.4:25 inet n - n - - smtpd -o myhostname=gw.mydomain.local -o relayhost=smtp:[127.0.0.1]:10025 -o content_filter= -o smtpd_use_tls=no -o mynetworks=192.168.0.0/24 -o mydestination= -o relay_transport= Is this possible and why does it not forward to port 10025? Do you have a source for me dealing with a similar problem? with kind regards Ilja Beeskow
Re: timeout after CONNECT
On Thu, 2010-02-25 at 15:43 +0100, Zoltan Balogh wrote: Hi List, I have an old postfix install where I am getting timeout after CONNECT from error messages upon e-mails being sent from one particular host. The user is complaining that he is not able to send out any e-mail. Other users from the same system are sending mail happily without errors. User claims to use MS Outlook client. He was trying to send an e-mail with about 500 recipients in one mail (no comment) but he says before it was processed without problems. Now he claims to have only one outgoing email in his Outbox (others including one with 500 recipients were removed). I do not really understand why Outlook makes so many SMTP connections to send out a single mail. Of course I recommended to check for viruses or spambots on his computer - client computer seems to be clean. I am guessing this is a client problem, but maybe there is something I am missing in my postfix config. If you have any idea, please let me know. Stop all Outlook instances on the client computer and check if the computer is still making SMTP connections. If so then a virus or a spambot is likely to be installed.
Here is a snip from /var/log/mail/info:
Feb 25 14:07:53 ns postfix/smtpd[1642]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:08:09 ns postfix/smtpd[1649]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:08:10 ns postfix/smtpd[1695]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:09:15 ns postfix/smtpd[1924]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:09:15 ns postfix/smtpd[1925]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:10:16 ns postfix/smtpd[3172]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:10:16 ns postfix/smtpd[1667]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:07 ns postfix/smtpd[32530]: timeout after CONNECT from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:07 ns postfix/smtpd[32530]: disconnect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:07 ns postfix/smtpd[17571]: timeout after CONNECT from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:07 ns postfix/smtpd[17571]: disconnect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:07 ns postfix/smtpd[16099]: timeout after CONNECT from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:07 ns postfix/smtpd[16099]: disconnect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:19 ns postfix/smtpd[32530]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:19 ns postfix/smtpd[16099]: connect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:21 ns postfix/smtpd[15515]: timeout after CONNECT from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:21 ns postfix/smtpd[15515]: disconnect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:21 ns postfix/smtpd[15816]: timeout after CONNECT from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
Feb 25 14:11:21 ns postfix/smtpd[15816]: disconnect from adsl-d128.84-47-53.t-com.sk[84.47.53.128]
..
such log messages are appearing constantly for the past 2 days. Of course regularly I get the following:
Feb 25 14:13:40 ns postfix/anvil[21586]: statistics: max connection rate 9/60s for (smtp:84.47.53.128) at Feb 25 14:07:07
Feb 25 14:13:40 ns postfix/anvil[21586]: statistics: max connection count 19 for (smtp:84.47.53.128) at Feb 25 14:10:16
There are always 5 to 15 SMTP connects hanging from the same IP.
# netstat -ap
tcp 0 0 *:smtp *:* LISTEN 1519/smtpd
tcp 0 24 ns.myhost.sk:smtp adsl-d128.84-47-5:23729 ESTABLISHED 16165/smtpd
tcp 0 24 ns.myhost.sk:smtp adsl-d128.84-47-5:23732 ESTABLISHED 1519/smtpd
tcp 0 24 ns.myhost.sk:smtp adsl-d128.84-47-5:23682 ESTABLISHED 1667/smtpd
tcp 0 24 ns.myhost.sk:smtp adsl-d128.84-47-5:23681 ESTABLISHED 3172/smtpd
tcp 0 24 ns.myhost.sk:smtp adsl-d128.84-47-5:23710 ESTABLISHED 32530/smtpd
tcp 0 24 ns.myhost.sk:smtp adsl-d128.84-47-5:23711 ESTABLISHED 16099/smtpd
tcp 0 24 ns.myhost.sk:smtp adsl-d128.84-47-5:23662 ESTABLISHED 1925/smtpd
tcp 0 24 ns.myhost.sk:smtp adsl-d128.84-47-5:23661 ESTABLISHED 1924/smtpd
In the following my server host domain is forged to myhost.sk:
# postconf -n
alias_database = hash:/usr/local/postfix/conf/aliases
alias_maps = hash:/usr/local/postfix/conf/aliases
body_checks = regexp:/usr/local/postfix/conf/body_checks
command_directory = /usr/local/postfix-2.2.3/bin
config_directory = /usr/local/postfix-2.2.3/conf
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/postfix-2.2.3/libexec
debug_peer_level = 2
delay_notice_recipient = i...@myhost.sk
disable_vrfy_command = yes
error_notice_recipient =
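An added example, not part of the thread: a Python pass over smtpd log lines that separates a client behaving like the one above (many connects ending in `timeout after CONNECT`, several sessions open at once) from ordinary senders. The log lines, hostnames and addresses are constructed, and the thresholds in `flag_idle_clients` are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format shown in the thread.
# Addresses come from documentation ranges; this is not real traffic.
SAMPLE_LOG = """\
Feb 25 14:07:53 ns postfix/smtpd[1642]: connect from host-a.example.net[192.0.2.10]
Feb 25 14:08:09 ns postfix/smtpd[1649]: connect from host-a.example.net[192.0.2.10]
Feb 25 14:08:10 ns postfix/smtpd[1695]: connect from host-a.example.net[192.0.2.10]
Feb 25 14:08:30 ns postfix/smtpd[1700]: connect from mail.example.org[198.51.100.7]
Feb 25 14:08:31 ns postfix/smtpd[1700]: 4F2A11C0DE: client=mail.example.org[198.51.100.7]
Feb 25 14:08:32 ns postfix/smtpd[1700]: disconnect from mail.example.org[198.51.100.7]
Feb 25 14:09:15 ns postfix/smtpd[1924]: connect from host-a.example.net[192.0.2.10]
Feb 25 14:12:53 ns postfix/smtpd[1642]: timeout after CONNECT from host-a.example.net[192.0.2.10]
Feb 25 14:12:53 ns postfix/smtpd[1642]: disconnect from host-a.example.net[192.0.2.10]
Feb 25 14:13:09 ns postfix/smtpd[1649]: timeout after CONNECT from host-a.example.net[192.0.2.10]
Feb 25 14:13:09 ns postfix/smtpd[1649]: disconnect from host-a.example.net[192.0.2.10]
Feb 25 14:13:10 ns postfix/smtpd[1695]: timeout after CONNECT from host-a.example.net[192.0.2.10]
Feb 25 14:13:10 ns postfix/smtpd[1695]: disconnect from host-a.example.net[192.0.2.10]
Feb 25 14:13:19 ns postfix/smtpd[1642]: connect from host-a.example.net[192.0.2.10]
"""

EVENT_RE = re.compile(
    r"postfix(?:-[\w.]+)?/smtpd\[(?P<pid>\d+)\]: "
    r"(?:\[ID [^\]]*\] )?"  # Solaris-style syslog tag, if present
    r"(?P<event>connect|disconnect|timeout after|lost connection after)"
    r"(?: (?P<stage>[A-Z-]+))? from "
    r"\S*?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def summarize(log_text):
    """Return per-client counters built from smtpd session events."""
    stats = defaultdict(
        lambda: {"connects": 0, "idle_timeouts": 0, "peak_open": 0}
    )
    # One smtpd process serves one connection at a time, so the pid
    # identifies the session between its connect and disconnect lines.
    open_by_pid = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # queue-id lines, other daemons, and so on
        pid, ip = m["pid"], m["ip"]
        s = stats[ip]
        if m["event"] == "connect":
            s["connects"] += 1
            open_by_pid[pid] = ip
            now_open = sum(1 for v in open_by_pid.values() if v == ip)
            s["peak_open"] = max(s["peak_open"], now_open)
        elif m["event"] == "disconnect":
            open_by_pid.pop(pid, None)
        elif m["stage"] == "CONNECT":
            # The client connected and then sent nothing at all.
            s["idle_timeouts"] += 1
    for ip, s in stats.items():
        s["open_at_end"] = sum(1 for v in open_by_pid.values() if v == ip)
    return dict(stats)


def flag_idle_clients(stats, min_timeouts=3, min_ratio=0.5):
    """Clients where most sessions die idle (thresholds are assumptions)."""
    flagged = []
    for ip, s in stats.items():
        # A log that starts mid-session can show timeouts with no connects.
        ratio = s["idle_timeouts"] / max(s["connects"], 1)
        if s["idle_timeouts"] >= min_timeouts and ratio >= min_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip in flag_idle_clients(result):
        print(ip, result[ip])
```

A client flagged here is also visible to Postfix's anvil service; `smtpd_client_connection_count_limit`, which appears in the configurations posted elsewhere on this page, caps how many sessions one address may hold open.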
Re: copy all e-mails to a new domain
On Tue, 2010-02-23 at 13:23 +0200, Razvan Cosma wrote: Hello, While moving the IMAP services to a new host, I'd need to copy all messages addressed to anyu...@example.com to the old inbox, and to the new at anyu...@tempsubdomain.example.com Virtual maps allows this, but needs the full list in the form us...@example.com: user1 us...@tempdomain.example.com us...@example.com: user2 us...@tempdomain.example.com ... Is there some shortcut to write replace the domain part for any user of example.com and copy to the new address? Thank you. Please have a look at http://freshmeat.net/projects/imapsync/ I think that is what your really need. -- Martijn
Re: Timeout of SMTP servers
On Jan 23, 2010, at 4:24 PM, Sahil Tandon wrote: On Fri, 22 Jan 2010, Martijn de Munnik wrote: RFC2821 section 4.5.3.2 Timeouts reads An SMTP server SHOULD have a timeout of at least 5 minutes while it is awaiting the next command from the sender. The key word is SHOULD, as opposed to MUST. SHOULD equals MUST unless you have a really good reason. I'm trying to figure out if somebody on the list knows a really good reason. When I try to connect to an one.com mx (mx-cluster1.one.com or mx-cluster2.one.com) I notice they will close the connection after about 3 seconds. Why do they do this? Is anybody else using such short timeouts? That timeout does seem foolishly short, but they might have legitimate reasons that are best explained by ... them! Try pinging their postmaster. -- Sahil Tandon sa...@tandon.net
Re: mail for mx2.youngguns.nl loops back to myself
On Thu, 21 Jan 2010 19:35:25 -0500 (EST), wie...@porcupine.org (Wietse Venema) wrote: Martijn de Munnik: Jan 21 17:02:30 marcus postfix/qmgr[16421]: 523FD1C11A: from=mart...@youngguns.nl, size=650750, nrcpt=1 (queue active) Jan 21 17:02:30 marcus postfix/smtp[16449]: 523FD1C11A: host mx-cluster1.one.com[91.198.169.10] said: 450 4.7.1 r...@musicscool.nl: Recipient address rejected: Greylisted for 5 minutes (in reply to RCPT TO command) Jan 21 17:02:30 marcus postfix/smtp[16449]: 523FD1C11A: to=r...@musicscool.nl, relay=mx-cluster2.one.com[91.198.169.11]:25, delay=32, delays=32/0.01/0.57/0.13, dsn=4.7.1, status=deferred (host mx-cluster2.one.com[91.198.169.11] said: 450 4.7.1 r...@musicscool.nl: Recipient address rejected: Greylisted for 5 minutes (in reply to RCPT TO command)) Above, musicscool.nl is delivered directly to its MX hosts: musicscool.nl mail is handled by 10 mx-cluster1.one.com. musicscool.nl mail is handled by 10 mx-cluster2.one.com. Jan 21 17:23:02 marcus postfix/qmgr[16900]: 523FD1C11A: from=mart...@youngguns.nl, size=650750, nrcpt=1 (queue active) Jan 21 17:23:02 marcus postfix/smtp[17064]: 523FD1C11A: to=r...@musicscool.nl, relay=none, delay=1264, delays=1264/0.01/0/0, dsn=5.4.6, status=bounced (mail for mx2.youngguns.nl loops back to myself) Jan 21 17:23:02 marcus postfix/bounce[17065]: 523FD1C11A: sender non-delivery notification: B15A81C76E Jan 21 17:23:02 marcus postfix/qmgr[16900]: 523FD1C11A: removed Above, the queue manager was restarted (pid changes from 16421 to 16900), presumably because some Postfix setting was changed. Ahh my mistake, the transport map is automatically copied between the hosts using a cron job. I forgot about that... I solved it using two separate transport maps. Now, musicscool.nl is NOT delivered directly to its MX hosts. Try undoing the change in Postfix setting. Wietse -- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Timeout of SMTP servers
Hi List, RFC2821 section 4.5.3.2 Timeouts reads An SMTP server SHOULD have a timeout of at least 5 minutes while it is awaiting the next command from the sender. When I try to connect to an one.com mx (mx-cluster1.one.com or mx-cluster2.one.com) I notice they will close the connection after about 3 seconds. Why do they do this? Is anybody else using such short timeouts? Thanks, Martijn -- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Error: timeout exceeded (in reply to end of DATA command)
On Thu, 21 Jan 2010 10:30:54 -0500 (EST), wie...@porcupine.org (Wietse Venema) wrote:

It's nice for a change to work with someone who provides actual information, instead of that dork from last week who was just venting his opinions and not giving people a chance to help.

I don't know how one can help me if I don't supply info ;)

In this case it looks like a Solaris TCP bug when sending data over a connection that suffers from heavy packet loss. Apparently, Solaris 10 stops retransmitting, and therefore the other side times out.

Ok, this is useful help. I did reroute the message via a linux postfix server and now it is successfully delivered. I try to find out if I can solve the Solaris bug but at least our customer is happy now!

I'm not wrapping the packets this time, so you will have to widen your window to read this message comfortably.

With your explanation I'm able to read the tcp dump, one day I will fully understand it...

Wietse

The three-way TCP handshake shows no wscale options, so we don't have to worry about borked firewalls mis-handling this:

09:16:40.786945 IP 213.207.90.2.59301 > 145.222.14.10.25: S 2466228028:2466228028(0) win 49640 <mss 1460,nop,nop,sackOK>
09:16:40.789806 IP 145.222.14.10.25 > 213.207.90.2.59301: S 3886146351:3886146351(0) ack 2466228029 win 5840 <mss 1380>
09:16:40.789829 IP 213.207.90.2.59301 > 145.222.14.10.25: . ack 1 win 49680

The handshake shows a round-trip time of 2.9ms. The receiver's MTU is smaller than 1460, which suggests that his packets are encapsulated in some other protocol. It does not matter for the problem at hand.

Next is a segment from the middle of transmission. The sender has sent a full window up to byte 22233, but apparently there was major packet loss after byte 5673.

09:16:51.869847 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.869861 IP 213.207.90.2.59301 > 145.222.14.10.25: P 20853:22233(1380) ack 137 win 49680
09:16:51.869874 IP 213.207.90.2.59301 > 145.222.14.10.25: . 5673:7053(1380) ack 137 win 49680
09:16:51.869976 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.869977 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.869978 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.870110 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.870111 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.870376 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:56.216513 IP 213.207.90.2.59301 > 145.222.14.10.25: . 5673:7053(1380) ack 137 win 49680
09:16:56.260383 IP 145.222.14.10.25 > 213.207.90.2.59301: . ack 7053 win 19320
09:16:56.260414 IP 213.207.90.2.59301 > 145.222.14.10.25: . 7053:8433(1380) ack 137 win 49680
09:16:56.260421 IP 213.207.90.2.59301 > 145.222.14.10.25: . 8433:9813(1380) ack 137 win 49680
09:16:56.263577 IP 145.222.14.10.25 > 213.207.90.2.59301: . ack 8433 win 22080
09:16:56.263588 IP 213.207.90.2.59301 > 145.222.14.10.25: . 9813:11193(1380) ack 137 win 49680
09:16:56.263610 IP 213.207.90.2.59301 > 145.222.14.10.25: . 11193:12573(1380) ack 137 win 49680
09:16:56.263844 IP 145.222.14.10.25 > 213.207.90.2.59301: . ack 9813 win 24840
09:16:56.263855 IP 213.207.90.2.59301 > 145.222.14.10.25: . 12573:13953(1380) ack 137 win 49680
09:16:56.263865 IP 213.207.90.2.59301 > 145.222.14.10.25: . 13953:15333(1380) ack 137 win 49680
09:16:56.266641 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 9813 win 24840
09:16:56.266776 IP 145.222.14.10.25 > 213.207.90.2.59301: . ack 11193 win 28980
09:16:56.266777 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 11193 win 28980
09:16:56.266800 IP 213.207.90.2.59301 > 145.222.14.10.25: . 15333:16713(1380) ack 137 win 49680

Sequences like this repeat through the entire session. This network connection is so bad that your machine can send only 107656 bytes in 85 seconds or 1.27 kbyte/s.

I notice there are many sequences like this:

09:16:51.869844 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.869845 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.869846 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.869847 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560

and this:

09:16:51.869976 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.869977 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560
09:16:51.869978 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 5673 win 16560

and this:

09:17:20.597737 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 40173 win 32767
09:17:20.597738 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 40173 win 32767
09:17:20.597739 IP 145.222.14.10.25 > 213.207.90.2.59301: P ack 40173 win 32767

And many more.

This is consistent with network congestion. These identical ACKs would have been sent several ms separated from each other
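An added example, not part of the thread: the reading of the trace above (runs of identical ACKs from the receiver, then a late retransmission of the same segment) automated in Python for tcpdump text output in this format. The sample trace and its addresses are constructed; `analyze` and its field names belong to this example only.

```python
import re
from collections import defaultdict

# Constructed trace modelled on the pattern discussed in the thread.
# Addresses come from documentation ranges.
SENDER = "192.0.2.1.59301"
SAMPLE_TRACE = """\
09:16:51.869800 IP 192.0.2.1.59301 > 198.51.100.9.25: . 4293:5673(1380) ack 137 win 49680
09:16:51.869861 IP 192.0.2.1.59301 > 198.51.100.9.25: . 5673:7053(1380) ack 137 win 49680
09:16:51.869870 IP 192.0.2.1.59301 > 198.51.100.9.25: . 7053:8433(1380) ack 137 win 49680
09:16:51.872000 IP 198.51.100.9.25 > 192.0.2.1.59301: . ack 5673 win 16560
09:16:51.872100 IP 198.51.100.9.25 > 192.0.2.1.59301: . ack 5673 win 16560
09:16:51.872200 IP 198.51.100.9.25 > 192.0.2.1.59301: . ack 5673 win 16560
09:16:51.872300 IP 198.51.100.9.25 > 192.0.2.1.59301: . ack 5673 win 16560
09:16:56.216513 IP 192.0.2.1.59301 > 198.51.100.9.25: . 5673:7053(1380) ack 137 win 49680
09:16:56.260383 IP 198.51.100.9.25 > 192.0.2.1.59301: . ack 8433 win 19320
"""

SEG_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)


def parse(trace_text):
    """Yield one dict per recognised tcpdump line."""
    for line in trace_text.splitlines():
        m = SEG_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"]),
            "src": m["src"],
            "start": int(m["start"]) if m["start"] else None,
            "len": int(m["len"]) if m["len"] else 0,
            "ack": int(m["ack"]) if m["ack"] else None,
            "win": int(m["win"]) if m["win"] else None,
        }


def analyze(trace_text, sender):
    """Count duplicate ACKs and time the sender's retransmissions.

    sender is the 'ip.port' string exactly as tcpdump prints it.
    """
    last_ack = last_win = None
    dup_run = 0
    dup_acks = defaultdict(int)  # ack number -> duplicates seen
    third_dup_at = {}            # ack number -> time of 3rd duplicate
    first_sent = {}              # segment start -> first transmit time
    retransmits = []             # (start, secs since first send, secs since 3rd dup)
    for p in parse(trace_text):
        if p["src"] == sender:
            if p["len"] == 0:
                continue  # the sender's own bare ACKs carry no data
            seq = p["start"]
            if seq in first_sent:
                since_dup = None
                if seq in third_dup_at:
                    since_dup = p["ts"] - third_dup_at[seq]
                retransmits.append((seq, p["ts"] - first_sent[seq], since_dup))
            else:
                first_sent[seq] = p["ts"]
        elif p["ack"] is not None and p["len"] == 0:
            # Duplicate ACK: no data, same ack number, same window as before.
            if p["ack"] == last_ack and p["win"] == last_win:
                dup_run += 1
                dup_acks[p["ack"]] += 1
                if dup_run == 3:
                    third_dup_at[p["ack"]] = p["ts"]
            else:
                last_ack, last_win, dup_run = p["ack"], p["win"], 0
    return {"dup_acks": dict(dup_acks), "retransmits": retransmits}


if __name__ == "__main__":
    report = analyze(SAMPLE_TRACE, SENDER)
    print("duplicate ACKs:", report["dup_acks"])
    for seq, since_first, since_dup in report["retransmits"]:
        print(f"segment {seq} resent after {since_first:.3f}s "
              f"({since_dup:.3f}s after the third duplicate ACK)")
```

A retransmission that follows the third duplicate ACK by seconds rather than milliseconds means the sender waited for its retransmission timer instead of reacting to the duplicates, which is the kind of stall that lets the receiving server's DATA timeout expire.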
mail for mx2.youngguns.nl loops back to myself
Hi list, I had a problem with my primary mailserver which was not able to deliver mail to some remote mx's. One of the mx's that we couldn't deliver to was mx-cluster[1-2].one.com. After I modified the transport maps on mx1.youngguns.nl (stevie.youngguns.nl) the message now is delivered to mx2.youngguns.nl (marcus.youngguns.nl). This is as I expected. Then mx2.youngguns.nl tries to deliver the message but it is greylisted by both one.com servers. Then after about 20 minutes the message is bounced and I don't understand why? I searched the log file for the queueid and I found these log entries:

Jan 21 17:01:58 marcus postfix/smtpd[16434]: 523FD1C11A: client=stevie.youngguns.nl[213.207.90.2]
Jan 21 17:01:58 marcus postfix/cleanup[16431]: 523FD1C11A: message-id=ef40a21d-0444-487c-a6dd-1128c2e2b...@youngguns.nl
Jan 21 17:02:30 marcus postfix/qmgr[16421]: 523FD1C11A: from=mart...@youngguns.nl, size=650750, nrcpt=1 (queue active)
Jan 21 17:02:30 marcus postfix/smtp[16449]: 523FD1C11A: host mx-cluster1.one.com[91.198.169.10] said: 450 4.7.1 r...@musicscool.nl: Recipient address rejected: Greylisted for 5 minutes (in reply to RCPT TO command)
Jan 21 17:02:30 marcus postfix/smtp[16449]: 523FD1C11A: to=r...@musicscool.nl, relay=mx-cluster2.one.com[91.198.169.11]:25, delay=32, delays=32/0.01/0.57/0.13, dsn=4.7.1, status=deferred (host mx-cluster2.one.com[91.198.169.11] said: 450 4.7.1 r...@musicscool.nl: Recipient address rejected: Greylisted for 5 minutes (in reply to RCPT TO command))
Jan 21 17:23:02 marcus postfix/qmgr[16900]: 523FD1C11A: from=mart...@youngguns.nl, size=650750, nrcpt=1 (queue active)
Jan 21 17:23:02 marcus postfix/smtp[17064]: 523FD1C11A: to=r...@musicscool.nl, relay=none, delay=1264, delays=1264/0.01/0/0, dsn=5.4.6, status=bounced (mail for mx2.youngguns.nl loops back to myself)
Jan 21 17:23:02 marcus postfix/bounce[17065]: 523FD1C11A: sender non-delivery notification: B15A81C76E
Jan 21 17:23:02 marcus postfix/qmgr[16900]: 523FD1C11A: removed

thanks, Martijn -- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Error: timeout exceeded (in reply to end of DATA command)
Hi list, I have a problem with delivering mail to a host and get this error: host mx2.amsterdam.nl[145.222.14.10] said: 421 enepmx02.amsterdam.nl Error: timeout exceeded (in reply to end of DATA command) This error only seems to occur with 'large' mails. Currently I have a mail of ~600KB and ~8MB stuck in the queue. I don't think this is a postfix issue on our site but an issue with the mailserver on the other site. What can cause such issues? Thanks, Martijn -- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Error: timeout exceeded (in reply to end of DATA command)
On Wed, 20 Jan 2010 10:56:39 +0100, Martijn de Munnik mart...@youngguns.nl wrote: Hi list, I have a problem with delivering mail to a host and get this error: host mx2.amsterdam.nl[145.222.14.10] said: 421 enepmx02.amsterdam.nl Error: timeout exceeded (in reply to end of DATA command) This error only seems to occur with 'large' mails. Currently I have a mail of ~600KB and ~8MB stuck in the queue. I don't think this is a postfix issue on our site but an issue with the mailserver on the other site. What can cause such issues?

I tried the http://ftp.nluug.nl/mail/postfix/faq.html#timeouts Cisco PIX workaround but that doesn't make any difference? I think the remote site is running PIX:

Connected to mx2.amsterdam.nl (145.222.14.10).
Escape character is '^]'.
220 **

postconf -n
address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/maps/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 52428800
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl, vanherpt.biz, rodersana.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_pix_workaround_delay_time = 10s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/opt/csw/etc/postfix/maps/relay_access, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_sender_mx_access cidr:/opt/csw/etc/postfix/maps/bogon_networks, check_client_access cidr:/opt/csw/etc/postfix/maps/drop, check_sender_mx_access cidr:/opt/csw/etc/postfix/maps/drop, check_sender_ns_access cidr:/opt/csw/etc/postfix/maps/drop, reject_unverified_recipient, check_client_access cidr:/opt/csw/etc/postfix/maps/dnswl_header, check_client_access cidr:/opt/csw/etc/postfix/maps/dnswl_permit, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/maps/transport
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/maps/virtual

Thanks, Martijn -- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Error: timeout exceeded (in reply to end of DATA command)
On Wed, 20 Jan 2010 11:10:50 +0100, Martijn de Munnik mart...@youngguns.nl wrote: On Wed, 20 Jan 2010 10:56:39 +0100, Martijn de Munnik mart...@youngguns.nl wrote: Hi list, I have a problem with delivering mail to a host and get this error: host mx2.amsterdam.nl[145.222.14.10] said: 421 enepmx02.amsterdam.nl Error: timeout exceeded (in reply to end of DATA command)

I also found a mail in the queue to mx-cluster1.one.com with exactly the same problem, this mail is also ~600kb.

This error only seems to occur with 'large' mails. Currently I have a mail of ~600KB and ~8MB stuck in the queue. I don't think this is a postfix issue on our site but an issue with the mailserver on the other site. What can cause such issues? I tried the http://ftp.nluug.nl/mail/postfix/faq.html#timeouts Cisco PIX workaround but that doesn't make any difference? I think the remote site is running PIX:

Connected to mx2.amsterdam.nl (145.222.14.10).
Escape character is '^]'.
220 **

postconf -n
address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/maps/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 52428800
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl, vanherpt.biz, rodersana.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_pix_workaround_delay_time = 10s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/opt/csw/etc/postfix/maps/relay_access, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_sender_mx_access cidr:/opt/csw/etc/postfix/maps/bogon_networks, check_client_access cidr:/opt/csw/etc/postfix/maps/drop, check_sender_mx_access cidr:/opt/csw/etc/postfix/maps/drop, check_sender_ns_access cidr:/opt/csw/etc/postfix/maps/drop, reject_unverified_recipient, check_client_access cidr:/opt/csw/etc/postfix/maps/dnswl_header, check_client_access cidr:/opt/csw/etc/postfix/maps/dnswl_permit, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/maps/transport
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/maps/virtual

Thanks
Re: Error: timeout exceeded (in reply to end of DATA command)
On Wed, 20 Jan 2010 07:20:01 -0500 (EST), wie...@porcupine.org (Wietse Venema) wrote: Martijn de Munnik: Hi list, I have a problem with delivering mail to a host and get this error: host mx2.amsterdam.nl[145.222.14.10] said: 421 enepmx02.amsterdam.nl Error: timeout exceeded (in reply to end of DATA command) This error only seems to occur with 'large' mails. Currently I have a mail of ~600KB and ~8MB stuck in the queue. I don't think this is a postfix issue on our site but an issue with the mailserver on the other site. What can cause such issues? Record a tcpdump trace. The way the session fails will indicate the kind of problem (MTU, Window scaling, and so on). http://www.postfix.org/DEBUG_README.html Wietse Ok, I tried that and I'm not really sure where to look for. I opened the tcpdump file in wireshark and there are a lot of warnings and notes in the file. -- Notes: Duplicate ACK(#1) [145.222.14.10 - 213.207.90.2] Duplicate ACK(#2) [145.222.14.10 - 213.207.90.2] Duplicate ACK(#3) [145.222.14.10 - 213.207.90.2] Duplicate ACK(#4) [145.222.14.10 - 213.207.90.2] . . . Duplicate ACK(#44) [145.222.14.10 - 213.207.90.2] Retransmission (suspected) [213.207.90.2 - 145.222.14.10] Warnings: Fast retransmission (suspected) [213.207.90.2 - 145.222.14.10] Out-Of-Order segment [213.207.90.2 - 145.222.14.10] -- This is abracadabra for me ;) Martijn -- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Error: timeout exceeded (in reply to end of DATA command)
On Jan 20, 2010, at 9:28 PM, Victor Duchovni wrote:

On Wed, Jan 20, 2010 at 03:22:56PM -0500, Wietse Venema wrote:

The broken router then throws away the bytes with higher sequence numbers than 14233. Workaround: turn off window scaling support on the sender's kernel.

This problem is sufficiently common, that on Linux MTAs I always add:

net.ipv4.tcp_window_scaling = 0

I'm running Solaris 10 x86 and I did

sudo ndd -set /dev/tcp tcp_wscale_always 0

before I did this the value was 1. After I did this I flushed the queue but the messages stay stuck in the queue with the same problem. I'm not sure this is the right kernel parameter for Solaris? /etc/system has no specific setting for tcp, so everything is default Solaris 10.

Wietse, the broken router you mentioned, could that be a Cisco PIX on the receivers site?

Jan 20 22:58:43 stevie.youngguns.nl postfix/smtp[18765]: [ID 197553 mail.info] 8A5553BA0C: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx2.amsterdam.nl[145.222.14.10]:25

Thanks, Martijn

to sysctl.conf. Adjust for other systems as necessary. This hurts long-haul throughput, but email tolerates latency, provided most of your outbound traffic is not a high-bandwidth channel to Mars (but then you would not be using TCP anyway...)

-- Viktor.
OT: How do mail clients discover submission and imap servers
Hi List, This is not a real postfix related question… We offer e-mail services to our customers and some of our customers have a hard time configuring their mail client. I noticed that most mail clients try to 'find' the correct settings when an account is configured. So the mail client (at least the ones I've tried) only ask for a friendly username, mail address and password and then they try to find the servers. First I thought this was done by requesting the appropriate SRV records in DNS so I set them up for our domain (youngguns.nl) and tried to configure an account in Thunderbird with no success. So mail clients don't seem to use SRV records. Does anybody know what technique is behind the auto-discovery? thanks, Martijn
Re: OT: How do mail clients discover submission and imap servers
On Jan 10, 2010, at 9:24 PM, Eero Volotinen wrote:

On 1/10/10 10:17 PM, Martijn de Munnik wrote:

Hi List, This is not a real postfix related question… We offer e-mail services to our customers and some of our customers have a hard time configuring their mail client. I noticed that most mail clients try to 'find' the correct settings when an account is configured. So the mail client (at least the ones I've tried) only ask for a friendly username, mail address and password and then they try to find the servers. First I thought this was done by requesting the appropriate SRV records in DNS so I set them up for our domain (youngguns.nl) and tried to configure an account in Thunderbird with no success. So mail clients don't seem to use SRV records. Does anybody know what technique is behind the auto-discovery?

Well, it looks like fuzzy logic: some dns lookups + common ports on mail, mx, smtp -prefixed hostnames?

I was hoping that was not the answer ;) We try to let our customers use the submission port and imaps port. We have an SSL certificate for secure.youngguns.nl but it seems most mail clients are just trying mail.example.com on smtp and imap ports if the mail address is custo...@example.com

-- Eero
Re: Rejecting invalid email addresses with SMTP relay/forward
On Wed, 2009-12-30 at 22:09 +1300, Michael wrote: I have a couple of mail servers that act only as SMTP relay, and SMTP backup servers. How can I reject invalid recipient addresses at these servers? I have investigated the manual on local_recipient_maps, however it appears that this is only useful for email where the machine involved is the final destination. In this case these 2 machines operate in a load-balanced manner, forwarding email onto the final server, or in a few instances acting as an MX20 backup. I can make available to these servers (via SQL replication) a list of 'valid' email addresses from the destination mail server(s), how can the valid/invalid address accept/deny be deployed? Look for relay_domains and relay_recipient_maps, that will solve your problem. -- Martijn de Munnik mart...@youngguns.nl YoungGuns
Re: General mail delivery question
On Dec 26, 2009, at 9:08 PM, Edwin Minneboo wrote:

Hi all, I wonder how and why mail is delivered in the following case: I own a domain, let’s say example.com. In this domain mail for user w...@example.com is delivered to e...@example.com. Now I find mail for

To: wilma.vivi...@nwu.ac.za
Delivered-To: e...@example.com

As I don’t understand the routing of this mail, and where the w...@example.com come from I ask you to shine a led on this. I do understand it is obvious spam, and so rated right with DSPAM, but I really wonder why it is actually delivered.

Your message to this list uses the same idea, its To address is postfix-users@postfix.org but it is delivered to my mailbox and many others.

Thanks in advance for time and energy to answer.

Grtz Ed

Header:
Return-Path: steffyco...@hotmail.com
X-Original-To: w...@example.com
Delivered-To: e...@example.com
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.example.com (Postfix) with SMTP id E89E9191456D for w...@example.com ; Sat, 26 Dec 2009 17:23:17 +0100 (CET)
X-Greylist: delayed 62 seconds by postgrey-1.27 at mail; Sat, 26 Dec 2009 17:23:13 CET
Received: from bay0-omc3-s3.bay0.hotmail.com (bay0-omc3-s3.bay0.hotmail.com [65.54.190.141]) by mail.example.com (Postfix) with ESMTP id 8567D1914020 for w...@example.com ; Sat, 26 Dec 2009 17:23:13 +0100 (CET)
Received: from BAY109-W21 ([65.54.190.189]) by bay0-omc3-s3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Sat, 26 Dec 2009 08:22:10 -0800
Message-ID: bay109-w21b89328217ae7849b4f80af...@phx.gbl
Content-Type: multipart/alternative; boundary=_a85800fe-3835-4c5f-8133-23fd6e45da9b_
X-Originating-IP: [123.53.119.183]
From: steff copin steffyco...@hotmail.com
To: wilma.vivi...@nwu.ac.za
Subject: |-| HiSECOND
Date: Sat, 26 Dec 2009 17:22:09 +0100
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 26 Dec 2009 16:22:10.0247 (UTC) FILETIME=[931D9570:01CA8647]
X-DSPAM-Result: Spam
X-DSPAM-Processed: Sat Dec 26 17:23:17 2009
X-DSPAM-Confidence: 0.6521
X-DSPAM-Probability: 1.
X-DSPAM-Signature: 1,4b363875263351744829672
X-DSPAM-Factors: 15, notre, 0.99000, Received*for+wilma, 0.97554, Received*wil, 0.97554, Received*wil+example.com , 0.97541, Windows+7, 0.97107, are+interested, 0.97073, www, 0.03312, international, 0.95316, to+order, 0.95145, brand+new, 0.93921, Date*Sat+26, 0.06236, our+website, 0.93752, brand, 0.93720, Best+regards, 0.08001, comnbsp, 0.90646
Re: postfix architecture
On Dec 20, 2009, at 9:37 PM, Houssam El Hallak wrote:

Hello, this is my first post here, so if any mistake with this post please let me know.

Question 1: is this a good postfix architecture? I have 2 postfix servers: DMZ_postfix which has basic protection (192.168.0.1) and forward emails to LAN_postfix

What do you mean with 'basic protection'? The way I read it this could cause backscatter and thus is not a good idea.

LAN_postfix which has the users accounts, amavis_new, spamassassin and clamav

Why do you want to use 2 postfix machines?

is it good to install the antispam and the antivirus on the lan server, or I had to do it on the DMZ server?

Depends, I think most antispam/antivirus should be on the DMZ postfix server and only the user dependent antispam should be on the LAN postfix server.

Question 2: Lan_postfix server consider my DMZ_postfix as local, is it normal?

If it is in your local network then probably yes, please provide 'postconf -n'

I have something like this in the log:

Passed Clean LOCAL 192.168.0.1 , 217.17.80.8

I understand that emails sent from my server are considered LOCAL, but not emails coming from outside. In fact amavis consider all my emails as LOCAL.

Thank you in advance for your help
Re: store and forward and reject_unverified_recipient
On Mon, 2009-12-14 at 13:32 +, Jaroslaw Grzabel wrote: Hi, I've just had a hard nut to crack, as I've got SMTP server which stores and forwards or I only hoped so. Why ? As I checked now if the remote server is down, and I use reject_unverified_recipient it gives me an error like: 450 4.1.1 em...@domain.com: Recipient address rejected: unverified address: connect to mail.domain.com[1.1.1.1]: Connection timed out Where it should accept it and store the things are not obvious for me as when I will disable reject_unverified_recipient then if message goes to anyth...@domain.com which doesn't exist on the remote server that message will bounce back to the sender and I will have to take a risk of block. Is there any easy way to store and forward with keeping reject_unverified_recipient option ? http://www.postfix.org/ADDRESS_VERIFICATION_README.html#caching Regards, Jarek
Re: store and forward and reject_unverified_recipient
On Mon, 2009-12-14 at 14:24 +, Jaroslaw Grzabel wrote: Martijn de Munnik wrote: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#caching Hi Martin, Thank you for your reply. The only problem with that database is that if customer add some users into his machine then database will always reject that email... let's say for example: somebody is spamming address like j...@domain.com Obviously jon doesn't exist. But after a week company hire Jon and creates an email for him. What postfix does ? Reject all messages until I will not be notified and remove the database and let postfix to recreate it again. That doesn't satisfy me. That is a problem, you can define different values for cache time for positive and negative hits. When you keep the negative cache time low that will not be much of an issue. Regards, Jarek
Re: Does postfix avoid logs flooding?
On Dec 12, 2009, at 6:28 PM, Kārlis Repsons wrote:

After seeing these:

postfix/smtpd[14497]: warning: 118.71.107.14: hostname adsl-dynamic-pool-xxx.fpt.vn verification failed: Name or service not known
postfix/smtpd[14497]: connect from unknown[118.71.107.14]
postfix/smtpd[14497]: NOQUEUE: reject: RCPT from unknown[118.71.107.14]: 550 5.1.1 d...@dd.lv: Recipient address rejected: User unknown in virtual mailbox table; from=d...@dd.lv to=d...@dd.lv proto=SMTP helo=adsl-dynamic-pool-xxx.fpt.vn

in my logfiles, I got curious: what would happen, if anyone keeps on spamming at full speed to nonexistent address all day long? Would logfiles get flooded or some quota would get exhausted?

Yes and no. You could use something like fail2ban to block hosts which try to spam you too much. I use fail2ban and block hosts for 10 minutes that produce too many 550 rejects.

-- Martijn
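The blocking rule described in the reply above, as an added example (not code from the thread and not fail2ban's own): it counts 550 rejects per client IP in smtpd log lines and reports a 10-minute ban once a client crosses a threshold. The threshold of 5 rejects within 60 seconds, the syslog timestamp prefix, the year, and the sample log lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# smtpd reject line as quoted in the post, preceded by a syslog timestamp and
# host name; the optional "[ID ... mail.info]" tag covers Solaris syslog.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix(?:-[\w.]+)?/smtpd\[\d+\]: (?:\[ID \d+ \S+\] )?"
    r"NOQUEUE: reject: \w+ from (?P<host>\S*)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) "
)


def find_bans(lines, max_rejects=5, window=timedelta(seconds=60),
              ban_time=timedelta(minutes=10), year=2009):
    """Return (ip, ban_start, ban_end) for clients with too many 550 rejects.

    Only permanent 550 rejects count; 4xx deferrals (greylisting, failed
    address probes) are ignored so that legitimate retries are not banned.
    Syslog lines carry no year, so one is supplied by the caller.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent 550 rejects
    banned_until = {}             # ip -> end of the current ban
    bans = []
    for line in lines:
        m = REJECT_RE.match(line)
        if not m or m["code"] != "550":
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already blocked; do not extend the ban
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()        # forget rejects outside the sliding window
        if len(hits) >= max_rejects:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            hits.clear()
    return bans


def _line(clock, ip, code):
    """Build one constructed smtpd reject line for the sample log."""
    return (f"Dec 12 {clock} mail postfix/smtpd[14497]: NOQUEUE: reject: RCPT "
            f"from unknown[{ip}]: {code} {code[0]}.1.1 <nobody@example.com>: "
            "Recipient address rejected: User unknown in virtual mailbox table; "
            "from=<a@example.net> to=<nobody@example.com> proto=SMTP "
            "helo=<client.example.net>")


# Constructed sample: one noisy client, one single reject, one client that
# only receives temporary 450 errors, and the noisy client returning later.
SAMPLE_LOG = (
    ["Dec 12 18:27:50 mail postfix/smtpd[14497]: connect from unknown[192.0.2.10]"]
    + [_line(f"18:28:{s:02d}", "192.0.2.10", "550") for s in range(1, 7)]
    + [_line("18:28:10", "198.51.100.7", "550")]
    + [_line(f"18:29:{s:02d}", "203.0.113.5", "450") for s in range(1, 6)]
    + [_line("18:40:00", "192.0.2.10", "550")]
)

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

Counting only 5xx rejects matters on a relay that uses reject_unverified_recipient: a client that merely hits temporary 450 answers during an outage of the downstream server is not treated as abusive.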
Re: Should Anyone Be Able To Send Telnet Email
On Dec 4, 2009, at 8:08 PM, Carlos Williams wrote: I was just thinking today that if anyone knew a valid email address on my Postfix mail server, anyone could simply telnet to it (assuming they're on a trusted network / mynetworks) and send mail posed as that valid email address. I know this is not a huge security deal since it's come from a client listed in the mynetworks parameter but sometimes we have not so nice people we are forced to trust. Does this sound correct to anyone here? Normally on any mail client you need a username / password to send / receive email for a specific user but in the case of Telnet or just sending, it appears this is not required. Is there something I over looked? If sending e-mail via telnet without a username/password is possible it is also possible with a client.
Re: What Is Causing This Failure
On Tue, 2009-12-01 at 10:03 -0500, Carlos Williams wrote:

I am getting a report from someone on my network that they are getting delivery failures when attempting to send an email from my Postfix server to the remote mail server. I see the message stuck on my Postfix servers queue:

CB87E778055 1337 Mon Nov 30 08:59:15 tprem...@iamghost.com
(connect to a.mx.premore.net[198.186.193.20]: No route to host)
b...@premore.net

This is a network issue and not a postfix issue. Try connecting to a.mx.premore.net using telnet on port 25. Check your routing tables to find out why a network connection to that host is not possible.

I am guessing that this is a problem with the remote mail server 'a.mx.premore.net' since my server is sending and receiving email just fine to every other destination. I then decided to do a MX lookup for this domain premore.net see if there is anything wrong:

;; QUESTION SECTION:
;premore.net. IN MX

;; ANSWER SECTION:
premore.net. 3093 IN MX 0 a.mx.premore.net.

;; ADDITIONAL SECTION:
a.mx.premore.net. 3093 IN A 198.186.193.20

However my mail server won't send to this destination address and I have no idea why. Can someone tell me how I can better examine this situation to understand where the fault lies. Thank you!

-- Martijn de Munnik mart...@youngguns.nl YoungGuns
Re: What Is Causing This Failure
On Tue, 2009-12-01 at 16:27 +, Frog wrote:

Perhaps your mail server is on a DNSBL? Regards Frog

Nope, this is a problem at the ip level, routing. This is not a postfix or mail/smtp issue.

- Original Message -
From: Carlos Williams carlosw...@gmail.com
To: postfix-users@postfix.org
Sent: Tuesday, 1 December, 2009 4:05:25 PM
Subject: Re: What Is Causing This Failure

On Tue, Dec 1, 2009 at 10:43 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

What is the output of traceroute 198.186.193.20 ?

I get no results from my mail server:

traceroute to 198.186.193.20 (198.186.193.20), 30 hops max, 40 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
. . .
29 * * *
30 * * *

Strange...
Test e-mailservice
Hi,

Last night we had an issue with our mail server which went unnoticed till this morning. Our spam filter crashed and postfix couldn't feed mails for check to localhost:10024. The mails stayed in the queue till we noticed that we didn't receive any mail this morning. I restarted the spam filter and now the queue is being processed. Of course I don't want this to happen again in the future.

How do people test their mail server periodically? So far we use webmin which tries to connect to port 25, 110 and 143 and checks if the greeting is correct. If one of these connections fails we get a phone call. I can't check services which are only running on localhost because webmin is checking from a remote host.

Does anybody use a check which checks the complete mail loop? I was thinking of sending a mail from a remote host (with webmin) to a test mail account and see if I can download the mail with imap and then with pop which removes the mail. The test mail account should also send a reply to the original sender (maybe explaining it's a test address) and the test server should also check for this reply. Does anybody have such a test setup?

Thanks, Martijn

-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
RE: Test e-mailservice
Hi Peter,

On Wed, 11 Nov 2009 10:08:34 +0100, Peter Sørensen mas...@sdu.dk wrote:

Hi, We have a server outside Our network which will send a mail every 5 minutes to a specific mailbox on Our exchange system. This has a limit on 0 which means that it will bounce the mail back to the sender. We use this to document a baseline. When sending we generate a unique Message-id - save this in a Database (MySql) along with the timestamp. When the bounced mail gets back we grab the Message-id and timeinfo and all this is saved in the DB.

Could you make this script public, it sounds very helpful to me. I would like to test it and maybe extend it with pop and imap checks too.

You could use this info to test if mailloop is too long.

Best regards Peter Sørensen Phone.6550 2858 Fax 6550 2860 mail mas...@sdu.dk Web http://intern.sdu.dk/it-service/ansatte/ps-238/ Adr.Campusvej 55, 5230 Odense M University of Southern Denmark ___ Campusvej 55 * 5230 * Odense M * Tlf. 6550 1000 * www.sdu.dk
RE: Test e-mailservice
On Wed, 11 Nov 2009 12:17:01 +0100, Peter Sørensen mas...@sdu.dk wrote:

Hi Martin, I will do that. I probably have to do a little bit of cleanup/docs before I send it. Will do that in the next couple of days. Hope this is OK for you.

Sure that's fine with me. Thank you very much!

Best regards Peter
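The probe-and-bounce loop check described in this thread, as an added example (not Peter's script, which does not appear on this page): each probe gets a unique Message-ID stored with its send time, a returned bounce or reply is matched on that ID, and probes that never come back are reported. It uses an in-memory SQLite table in place of the MySQL database mentioned above; the addresses, the 300-second limit and the constructed bounce are assumptions.

```python
import sqlite3
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid


def _clean(value):
    return str(value).strip() if value else None


def original_message_id(raw):
    """Return the Message-ID of the probe that a bounce or reply refers to."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # bounce carrying the whole probe
            return _clean(part.get_payload(0)["Message-ID"])
        if ctype == "text/rfc822-headers":   # bounce carrying only its headers
            inner = message_from_string(part.get_content(), policy=policy.default)
            return _clean(inner["Message-ID"])
    return _clean(msg["In-Reply-To"])        # auto-reply from a test mailbox


class LoopMonitor:
    """Track probes by Message-ID and measure how long the mail loop takes."""

    def __init__(self, max_loop_seconds=300):
        self.max_loop = max_loop_seconds
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE probe (msgid TEXT PRIMARY KEY, sent REAL, returned REAL)")

    def new_probe(self, sender, rcpt, now):
        """Create a probe message and record when it was handed to the MTA."""
        msgid = make_msgid(domain=sender.split("@", 1)[1])
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, rcpt
        msg["Subject"] = "mail loop probe"
        msg["Message-ID"] = msgid
        msg["Date"] = formatdate(now)
        msg.set_content("Automated probe, please ignore.")
        self.db.execute("INSERT INTO probe VALUES (?, ?, NULL)", (msgid, now))
        return msg

    def record_return(self, raw, now):
        """Match a returned message to an open probe; False if none matches."""
        cur = self.db.execute(
            "UPDATE probe SET returned = ? WHERE msgid = ? AND returned IS NULL",
            (now, original_message_id(raw)))
        return cur.rowcount == 1

    def latency(self, msgid):
        """Seconds between send and return, or None while still outstanding."""
        row = self.db.execute(
            "SELECT returned - sent FROM probe WHERE msgid = ?", (msgid,)).fetchone()
        return row[0] if row else None

    def overdue(self, now):
        """Message-IDs of probes that have not come back within the limit."""
        rows = self.db.execute(
            "SELECT msgid FROM probe WHERE returned IS NULL AND ? - sent > ? "
            "ORDER BY sent", (now, self.max_loop))
        return [r[0] for r in rows]


def constructed_bounce(probe):
    """Build a sample bounce (constructed for this example) attaching the probe."""
    dsn = EmailMessage()
    dsn["From"] = "MAILER-DAEMON@mx.example.org"
    dsn["To"] = str(probe["From"])
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.set_content("The mailbox quota is 0; returning the message.")
    dsn.add_attachment(probe)                # attached as message/rfc822
    return dsn.as_bytes()


if __name__ == "__main__":
    mon = LoopMonitor()
    first = mon.new_probe("probe@monitor.example", "looptest@example.org", now=1000.0)
    second = mon.new_probe("probe@monitor.example", "looptest@example.org", now=1300.0)
    mon.record_return(constructed_bounce(first), now=1012.5)
    print("loop time:", mon.latency(str(first["Message-ID"])), "s")
    print("overdue at t=1700:", mon.overdue(now=1700.0))
```

A stalled content filter like the one in the original post shows up here as probes piling up in `overdue()`, which a port-25 greeting check cannot detect.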
Re: How to override an MX value for a particular domain only?
On Nov 4, 2009, at 10:52 PM, Eric B. wrote:

Hi, I'm running postfix on an internal network with an internal DNS. My internal DNS is configured for my particular domain (ie: mydomain.com). I have an MX pointer that points to my postfix machine so any email being generated for mydomain.com from the internal network ends up at the postfix machine. All that setup works fine.

My problem is the following. The email received by Postfix for mydomain.com actually needs to be resent out into the internet destined for the actual mydomain.com email server located in a geographically different location. At the moment, Postfix will do an MX query for mydomain.com, realize that it is itself, and understandably not forward the email to the appropriate place.

How can I instruct Postfix on that server to ignore the MX record being served by the internal DNS and actually query an external DNS server for the MX pointer instead? I looked through the main.cf config file, but can't seem to find anything. Can I configure Postfix to use a different DNS server as opposed to the internal one specified by my resolve.conf file? Any help or suggestions would be appreciated.

http://www.postfix.org/postconf.5.html#transport_maps

mydomain.com smtp:[realmx.mydomain.com]

Thanks, Eric
Verify address before delivery, spam run
Hi List,

Some of our customers use our mailservers as antispam/antivirus gateway. So our server accepts mail, does some spam and virus checking and delivers the mail to a remote server. Of course I don't want to accept mail for non existing users so our mailserver verifies the recipient. So far so good. But when a spam run is started and our server receives over 100 messages per minute the final server wouldn't handle the verifies anymore and is responding:

[ID 197553 mail.info] NOQUEUE: reject: RCPT from smtp.zonder.com[64.244.96.100]: 450 4.1.1 rerer...@example.com: Recipient address rejected: unverified address: host xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] refused to talk to me: 421 too many connections; from= to=rerer...@example.com proto=ESMTP helo=pluto.vrocorp.com

Our server's response to the spammer is 450. This response seems to stimulate spammers to do even more tries. Are there things I could do to stop this problem? Currently I'm blocking connections for 10 minutes with ipf that gave too many errors. But this still doesn't stop the spammers.

=== postconf -n:
address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl, vanherpt.biz
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_unverified_recipient, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_client_access cidr:/opt/csw/etc/postfix/dnswl_header, check_client_access cidr:/opt/csw/etc/postfix/dnswl_permit, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual
Re: Verify address before delivery, spam run
On Thu, 2009-10-22 at 13:03 +0200, Martijn de Munnik wrote:

On Thu, 2009-10-22 at 06:35 -0400, Wietse Venema wrote:

Martijn de Munnik:

Hi List, Some of our customers use our mailservers as antispam/antivirus gateway. So our server accepts mail, does some spam and virus checking and delivers the mail to a remote server. Of course I don't want to accept mail for non existing users so our mailserver verifies the recipient. So far so good. But when a spam run is started and our server receives over 100 messages per minute the final server wouldn't handle the verifies anymore and is responding:

[ID 197553 mail.info] NOQUEUE: reject: RCPT from smtp.zonder.com[64.244.96.100]: 450 4.1.1 rerer...@example.com: Recipient address rejected: unverified address: host xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] refused to talk to me: 421 too many connections; from= to=rerer...@example.com proto=ESMTP

To make fewer connections to the downstream machine, see:

http://www.postfix.org/master.5.html
http://www.postfix.org/postconf.5.html#transport_destination_concurrency_limit

These parameters limit the number of simultaneous address verify connections? But my master.cf already has:

verify unix - - n - 1 verify

So it is already limited to 1 connection per ...? I guess I don't completely understand how this works? Or should I also limit the relay transport?

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#probe_routing

Wietse
Re: outgoing spam
On Mon, 2009-10-19 at 13:50 +0200, Martin Schiøtz wrote:

Hi

I'm configuring a simple postfix smtp-server that is only used for outgoing emails for lots of users. I want to do some simple spam checking with postfix. I was thinking of:

rbl
spf

RBL and SPF are techniques only used for incoming mail.

Any other suggestions? I'm not sure where to configure rbl and spf for outgoing emails in main.cf?

postconf -n
-
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2100
message_strip_characters = \0
mynetworks = 127.0.0.0/8, 10 etc.
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/ssl/blackpete.cirque.dk.pem
smtpd_tls_cert_file = /etc/ssl/blackpete.cirque.dk.pem
smtpd_tls_key_file = /etc/ssl/blackpete.cirque.dk.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
-

Best regards, Martin
content_filter and relay_domains/transport_maps
Hi,

It seems that e-mails which are relayed to other servers (using relay_domains and transport_maps) don't go through content_filter. How can I make sure that all mails go through the content_filter?

thanks, Martijn

address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_unverified_recipient, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_client_access cidr:/opt/csw/etc/postfix/dnswl_header, check_client_access cidr:/opt/csw/etc/postfix/dnswl_permit, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual
Re: Rejecting Reverse Hostname in Logs
Hi Carlos,

On Thu, 2009-09-24 at 09:08 -0400, Carlos Williams wrote:

I have someone telling me that they can't send email to my mail server. I checked the logs and it appears that Postfix is not happy with the way their client or server is sending the message to me. I want to understand what is causing this. I would like to know if anyone can please help me understand what is at fault here. I am guessing that this is being caused by:

smtpd_sender_restrictions = reject_unknown_reverse_client_hostname

I think this is not too restrictive and the sending mailserver should fix their rdns, YMMV. We use a policy server (policyd-weight) which gives scores for things like no rdns, dialup ip, ip in dnsbl etc.

Can someone please help me understand? Should I have the noted above restriction in my main.cf or is this being too restrictive? Is that even the correct parameter that is causing the delivery failure? I removed the senders user name and my recipients full email address for privacy.

Sep 22 18:11:55 mail postfix/smtpd[6052]: NOQUEUE: reject: RCPT from unknown[204.117.196.2]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [204.117.196.2]; from=***...@pmcatt-ppss.com to=**...@***.com proto=ESMTP helo=mail.pmcatt-ppss.com

Postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, check_policy_service unix:postgrey/socket, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, permit
smtpd_tls_CAfile = /etc/ssl/intermediate.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail.crt
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Rejecting Reverse Hostname in Logs
On Thu, 2009-09-24 at 15:48 +0200, Martijn de Munnik wrote:

On Thu, 2009-09-24 at 09:41 -0400, Carlos Williams wrote:

On Thu, Sep 24, 2009 at 9:16 AM, Martijn de Munnik mart...@youngguns.nl wrote:

I think this is not too restrictive and the sending mailserver should fix their rdns, YMMV. We use a policy server (policyd-weight) which gives scores for things like no rdns, dialup ip, ip in dnsbl etc.

So the problem then is that the server's reverse DNS is not resolving to their sending IP, correct? When I do a RDNS on the server, I get the following:

204.117.196.2 resolves to mail.pmcatt-ppss.com
Top Level Domain: pmcatt-ppss.com
204.117.196.2 has a reverse dns entry:
2.196.117.204.in-addr.arpa domain name pointer mail.pmcatt-ppss.com.

So the problem is on your postfix box. Postfix replied a 450 temporary failure, the sending mailserver should try again later. Check if you can resolve the ip on your postfix box.

Is that not correct? I am still confused as to trying to simply understand why the message was rejected.

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: postfix logging feature
On Mon, 2009-09-21 at 15:55 +0200, Slezak Roman wrote:

Hi, Is it possible to add in postfix logging the "client's local IP address"? Public IP is logged, but if it is possible, in my condition it will be best to know his local IP.

I assume that what you mean with the local IP of a client is the private IP of a client which is behind a NAT? There is no way for postfix to know that IP of the client so it can't be logged (it's a private IP).

Thanks, Roman

Sep 21 15:44:47 mail postfix/smtpd[21591]: connect from my.company.sk [pu.bl.ic.ip]
Sep 21 15:44:47 mail postfix/smtpd[21591]: 5BA29411BEE2: client= my.company.sk [pu.bl.ic.ip] [senders local IP address]
Sep 21 15:44:47 mail postfix/cleanup[28274]: 5BA29411BEE2: message-id=001a01ca3ac1$ae42c130$0ac843...@sk

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: headerchecks
On Wed, 16 Sep 2009 12:00:15 +0100, Laurence Moughan laurence.moug...@aerlingus.com wrote:

Hi All, Would someone just please give me a heads-up on the format for reg exp headerchecks files? I'm not sure how to format for searching for a string within an email address, e.g. to reject all mail with the word boarding, e.g. for the from address boarding...@domain.com and newboarding_pc...@domain.com

I have

/^From:(.*)boarding_...@domain\.com/ REJECT junk
/^From:(*)boarding(*)\...@adomain\.com/ REJECT junk
/^From: *boardin...@domain\.com/ REJECT junk
/^From: (.*)boarding(.)*...@domain\.com/ REJECT junk
/^From: .*boarding...@domain\.com$/ REJECT junk

this is working now - which one is right? I'm a bit confused

Thanks
Laurence

-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: From Altered After Mail Accepted
On Tue, 15 Sep 2009 10:59:20 -0400, wiskbr...@hotmail.com wrote: I am seeing a few spams coming through with a from address (seen on my postfix logs) that does not match the From address shown on my users Outlook. In fact my users are seeing a From address as their own, something that my postfix server currently does not allow using mynetworks and permitting this using smtpd_recipient_restrictions. The rcpt from at the smtp level and the from in the mail header can be different. Has anyone else recently encountered this problem? Thanks, .vp
Re: Blocking mail from me to me (was: Country IP block list)
On Mon, 2009-08-24 at 10:28 -0400, Daniel L'Hommedieu wrote: On Aug 24, 2009, at 10:10, Mikael Bak wrote: Daniel L'Hommedieu wrote: The spam I see pretty much all originates in China Brazil, with some originating in Korea US. It also pretty much all originates on dynamic IP addresses, so if there's a way to block email from dynamic address ranges, I would very much be interested in that. Not exactly what you ask for, but it'll stop most of them: http://www.spamhaus.org/zen/ Mikael, Thanks - I saw that in a previous comment or thread, so I instituted the rules that guy was using. The one bit of spam I'd like to stop, and I seem to remember seeing talk of it at some point (but I've been unable to find it again) is the spam appears to be from me to me. That is, the spammers who use my email address as the from address. Those emails get past the relay and auth checks because the mail is not being relayed. If I could stop that spam, it would probably kill 100% of my spam. Can anyone point me in the right direction for that one? Most of this spam is also blocked using spamhaus. Also you could add SPF to your own domain so no other servers could send mail using your domain. http://www.openspf.org/Introduction Daniel
Re: Blocking mail from me to me (was: Country IP block list)
Most of this spam is also blocked using spamhaus. Also you could add SPF to your own domain so no other servers could send mail using your domain. http://www.openspf.org/Introduction

Of course your server should check the SPF records for incoming mail.
log check_client_access
Hi, How can I write a message to syslog when a check_client_access rule matches? thanks, Martijn
Re: log check_client_access
On Aug 24, 2009, at 7:57 PM, /dev/rob0 wrote: On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote: How can I write a message to syslog when a check_client_access rule matches? See the WARN result. If you mean that you want to log and to trigger some other action, do note that REJECT and DEFER results are logged anyway. If you're wanting to log an accept action, you could make a multiple result using a restriction class: http://www.postfix.org/RESTRICTION_CLASS_README.html http://www.postfix.org/postconf.5.html#smtpd_restriction_classes Could someone please provide an example, this is a little bit too technical for me ;) smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_client_access cidr:/opt/csw/etc/postfix/postfix-dnswl-permit, check_policy_service inet:127.0.0.1:10023 (Technically I think restriction classes are not necessary for this; similar results could be had from simply defining a restriction as a variable in main.cf.) -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: log check_client_access
On Aug 24, 2009, at 8:31 PM, Martijn de Munnik wrote: On Aug 24, 2009, at 7:57 PM, /dev/rob0 wrote: On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote: How can I write a message to syslog when a check_client_access rule matches? See the WARN result. If you mean that you want to log and to trigger some other action, do note that REJECT and DEFER results are logged anyway. If you're wanting to log an accept action, you could make a multiple result using a restriction class: http://www.postfix.org/RESTRICTION_CLASS_README.html http://www.postfix.org/postconf.5.html#smtpd_restriction_classes Could someone please provide an example, this is a little bit too technical for me ;) smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_client_access cidr:/opt/csw/etc/postfix/postfix-dnswl-permit, check_policy_service inet:127.0.0.1:10023 I want to log the accept action from the check_client_access rule so I can use the whitelist hits in stats. (Technically I think restriction classes are not necessary for this; similar results could be had from simply defining a restriction as a variable in main.cf.) -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: deflecting attacks
On Aug 22, 2009, at 7:53 PM, AMP Admin wrote:

Does anyone use iptables or something to defend against attacks? Like if x amount of requests per x amount of time send away. If so I would love some examples. Thanks!

Hi, I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx errors or sends too much spam it is banned in the firewall.

failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
ban time 1h

failregex = Passed SPAM, \[<HOST>\]
ban time 10m

When a host is banned multiple short times it gets banned for 1 day. It should be easy to get this working with iptables.

-- Martijn
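The two filters from the post above, replayed over constructed log lines, as an added example that is not part of the original message. The retry threshold, the find window, the escalation rule and the helper names are assumptions; only the two regexes and the 1h / 10m / 1 day ban times come from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stands in for fail2ban's host tag inside the failregex (IPv4 only here).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# (jail name, failregex from the post, ban time from the post)
FILTERS = [
    ("postfix-5xx", r"reject: RCPT from (.*)\[<HOST>\]: 5\d\d", timedelta(hours=1)),
    ("passed-spam", r"Passed SPAM, \[<HOST>\]", timedelta(minutes=10)),
]

# Assumed thresholds, not stated in the post.
MAXRETRY = 3                          # matches needed inside FINDTIME
FINDTIME = timedelta(minutes=10)
ESCALATE_AFTER = 3                    # short bans inside ESCALATE_WINDOW
ESCALATE_WINDOW = timedelta(days=1)
LONG_BAN = timedelta(days=1)          # "banned for 1 day"


def _reject(clock, ip, code):
    """Constructed postfix/smtpd reject line (documentation addresses)."""
    return (f"Aug 22 {clock} mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: {code} <u@example.org>: rejected; proto=ESMTP helo=<pc>")


def _spam(clock, ip):
    """Constructed content-filter line containing 'Passed SPAM, [ip]'."""
    return (f"Aug 22 {clock} mail amavis[900]: (00900-01) Passed SPAM, [{ip}] "
            f"<s@example.net> -> <u@example.org>")


_events = [_reject(f"{hm}:{s}", "192.0.2.10", 550)
           for hm in ("19:00", "20:05", "21:10") for s in ("00", "20", "40")]
_events.append(_reject("19:30:00", "192.0.2.10", 554))      # arrives while banned
_events += [_reject(f"19:0{m}:30", "203.0.113.5", 450) for m in range(6)]  # 4xx only
_events += [_spam(t, "198.51.100.7") for t in ("19:20:00", "19:22:00", "19:24:00")]
SAMPLE_LOG = "\n".join(sorted(_events))   # same date, so a text sort is chronological


def simulate(log_text, year=2009):
    """Return the bans as a list of (time, host, jail, duration)."""
    filters = [(n, re.compile(rx.replace("<HOST>", HOST_RE)), b) for n, rx, b in FILTERS]
    hits = defaultdict(deque)         # (jail, host) -> recent match times
    short_bans = defaultdict(deque)   # host -> times at which bans were issued
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        try:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue                  # not a syslog line
        for jail, rx, bantime in filters:
            m = rx.search(line)
            if not m:
                continue
            host = m.group("host")
            if banned_until.get(host, ts) > ts:
                break                 # the firewall would already drop this host
            window = hits[(jail, host)]
            window.append(ts)
            while ts - window[0] > FINDTIME:
                window.popleft()
            if len(window) >= MAXRETRY:
                window.clear()
                recent = short_bans[host]
                recent.append(ts)
                while ts - recent[0] > ESCALATE_WINDOW:
                    recent.popleft()
                duration = LONG_BAN if len(recent) >= ESCALATE_AFTER else bantime
                banned_until[host] = ts + duration
                bans.append((ts, host, jail, duration))
            break
    return bans


if __name__ == "__main__":
    for ts, host, jail, duration in simulate(SAMPLE_LOG):
        print(ts.time(), host, jail, duration)
```

The host that only collects 450 rejections is never banned, because the first regex requires a 5xx code.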
Re: deflecting attacks
On Aug 22, 2009, at 8:16 PM, AMP Admin wrote:

Does anyone use iptables or something to defend against attacks? Like if x amount of requests per x amount of time send away. If so I would love some examples. Thanks!

Thanks for the tips guys. How does that do with search engine bots? It doesn’t block them, right?

Not sure what you mean? I only block port 25 (smtp).
mailbox_size_limit and Maildir
Hi list, What is the use of mailbox_size_limit when mail is delivered to Maildirs? I have mailbox_size_limit message_size_limit but I think I can safely change it to 0? -- Martijn de Munnik -- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
address_verify_map and relay_domains
Hi list,

We are using address_verify_map to cache and limit the number of checks on remote smtp servers. This is done because we act as a spam/virus filter for some domains that have their own mail server. Now it seems the address_verify_map is also used for local domains. One of our clients created a mail address after a mail was sent to that mail address. So that mail was rejected, but after the mail address was created mail is still being rejected. I suspect this is because of the address_verify_map (I don't know how to check the btree file?). How can I enable the address_verify_map only for the relay_domains?

postconf -n

address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_address_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual
Re: address_verify_map and relay_domains
On Wed, 2009-08-19 at 09:10 -0400, Brian Evans - Postfix List wrote:

Martijn de Munnik wrote:

Hi list, How can I enable the address_verify_map only for the relay_domains?

postconf -n

smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl

This is rather redundant since you also specify it in recipient restrictions and delay reject is yes. Best to remove this line to avoid confusion and limit DNS queries to destinations you control.

Thank you for the tip!

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_rbl_client virbl.dnsbl.bit.nl check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:1002

To answer the query: Replace reject_unverified_recipient with check_recipient_access hash:/path/to/file

/path/to/file:
slagenlandwonen.nl reject_unverified_recipient
wfcommunicatie.nl reject_unverified_recipient
#add rest after
#Note: add periods before each in another entry if you want to cover sub-domains as well
#Current default behavior will allow them without the period, but may change in the future
#or if you change parent_domain_matches_subdomains setting

Okay!

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: address_verify_map and relay_domains
On Wed, 2009-08-19 at 09:10 -0400, Brian Evans - Postfix List wrote:

Martijn de Munnik wrote:

Hi list, How can I enable the address_verify_map only for the relay_domains?

To answer the query: Replace reject_unverified_recipient with check_recipient_access hash:/path/to/file

/path/to/file:
slagenlandwonen.nl reject_unverified_recipient
wfcommunicatie.nl reject_unverified_recipient

All the domains where this should be applied to are listed in relay_domains. Can I apply the reject_unverified_recipient rule to those domains without a separate file? I want a single place to manage the relay_domains.
450 temp error when 550 perm error is possible
Hi all,

Sometimes our mail server is 'under attack' and we get a lot of these entries in our log file:

Aug 17 11:08:19 stevie.youngguns.nl postfix/smtpd[14890]: [ID 197553 mail.info] NOQUEUE: reject: RCPT from unknown[212.22.199.165]: 450 4.1.8 indispensabl...@homepc: Sender address rejected: Domain not found; from=indispensabl...@homepc to=banquetastrophys...@rpc-design.nl proto=ESMTP helo=homepc

Normally we reject about 15 msgs/min but when such an attack happens it peaks to about 700 msgs/min. The error returned to the sending mail (spam) server is 450 domain not found. Because a domain lookup could also be a temporary failure, a temporary error is returned. The 450 error triggers the spammer to retry sending the mail. The to address is an unknown user on my system so postfix could return a 550 error. How can I do this? I've attached postconf -n output in main.cf.

-- Martijn de Munnik

address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 209715200
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = $mydestination, slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,warn_if_reject reject_non_fqdn_hostname,reject_invalid_hostname, permit
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unauth_destination, reject_unlisted_recipient, reject_unknown_recipient_domain,reject_unverified_recipient, reject_invalid_hostname,reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual
Re: 450 temp error when 550 perm error is possible
On Mon, 2009-08-17 at 11:28 +0200, Ralf Hildebrandt wrote:

* Martijn de Munnik mart...@youngguns.nl:

Hi all, Sometimes our mail server is 'under attack' and we get a lot of these entries in our log file:

Aug 17 11:08:19 stevie.youngguns.nl postfix/smtpd[14890]: [ID 197553 mail.info] NOQUEUE: reject: RCPT from unknown[212.22.199.165]: 450 4.1.8 indispensabl...@homepc: Sender address rejected: Domain not found; from=indispensabl...@homepc to=banquetastrophys...@rpc-design.nl proto=ESMTP helo=homepc

Normally we reject about 15 msgs/min but when such an attack happens it peaks to about 700 msgs/min. The error returned to the sending mail (spam) server is 450 domain not found. Because a domain lookup could also be a temporary failure, a temporary error is returned. The 450 error triggers the spammer to retry sending the mail.

Do you have a caching DNS server?

Yes, but still things can go wrong and I don't want a failing DNS lookup to be fatal.

The to address is an unknown user on my system so postfix could return a 550 error. How can I do this?

Reorder the checks

relay_domains = $mydestination, slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl

mydestination, is not a relay domain!

Okay thanks, stupid mistake.

smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org, permit

Does this one still work?

As far as I know it does. But I see it is also included in xbl.spamhaus.org.

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unauth_destination, reject_unlisted_recipient, reject_unknown_recipient_domain, reject_unverified_recipient, reject_invalid_hostname, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023, permit

Your problem is that you distributed the checks all over smtpd_sender_restrictions, smtpd_recipient_restrictions and smtpd_client_restrictions

smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, permit

Mmm, I think I need to read the manual to really understand where all those rejects/permits belong.

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: 450 temp error when 550 perm error is possible
On Mon, 2009-08-17 at 12:46 +0200, Ralf Hildebrandt wrote:

* Martijn de Munnik mart...@youngguns.nl:

Do you have a caching DNS server?

Yes, but still things can go wrong and I don't want a failing DNS lookup to be fatal.

Postfix always returns a 4xx in case of such failures

As far as I know it does. But I see it is also included in xbl.spamhaus.org.

Rather use zen.spamhaus.borg

I was referring to xbl because I use policyd-weight. policyd-weight includes the spamhaus zones (http://www.policyd-weight.org/)

Mmm, I think I need to read the manual to really understand where all those rejects/permits belong.

I'd put them all into smtpd_recipient_restrictions #:)

http://www.postfix.org/SMTPD_ACCESS_README.html#danger
Re: 450 temp error when 550 perm error is possible
On Mon, 2009-08-17 at 12:46 +0200, Ralf Hildebrandt wrote:

* Martijn de Munnik mart...@youngguns.nl:

Do you have a caching DNS server?

Yes, but still things can go wrong and I don't want a failing DNS lookup to be fatal.

Postfix always returns a 4xx in case of such failures

As far as I know it does. But I see it is also included in xbl.spamhaus.org.

Rather use zen.spamhaus.org

Mmm, I think I need to read the manual to really understand where all those rejects/permits belong.

I'd put them all into smtpd_recipient_restrictions #:)

I did some updates in my main.cf. I've attached the updated file. I kept the restrictions with the different smtpd_*_restrictions, I find it a little easier to understand.

thanks,
Martijn

address_verify_map = btree:${data_directory}/verify
alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 209715200
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client virbl.dnsbl.bit.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_unverified_recipient,reject_unauth_destination, check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_address_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual
Re: Catchall account and lots of spam in a short period
On Mon, 2009-07-27 at 19:56 +0200, Martijn de Munnik wrote:

I guess I need to prohibit the catch all account and offer the solution with the delimiter instead. That way all spam to bogus email addresses gets rejected because the address does not exist. But still I wonder if there is a way to stop the spam attack. The catchall account did exist for a long time but was under attack only for a short period (couple of hours). Is there a way to limit the effect of such attacks? The user normally only receives about 10 messages per hour. So hundreds of messages per hour is a clear sign that a spam attack is happening.

I have another almost similar issue with domains we relay mail for. Our mail servers are in the MX records for that domain and we receive their mail, but it is forwarded (using the transport file) to the final mail server (mostly MS Exchange servers in the customers' office). We act as spam filter, their mail server only needs to accept mail from our mail servers. Of course we don't know which email addresses are valid so all mail for the domain is accepted on our servers. Is there a way to check for a valid email before accepting the mail?

I was thinking about greylisting the mail. In the greylist period our server could check the validity of the email address on the final server using a short SMTP session (helo, mail from, rcpt to and check for 250 ok). This info can be stored in a db or file so after the greylist period a decision to accept the mail can be made? Of course the decision needs to expire so our customers can add and remove email addresses on their server. Has this been done before? Is this a good idea?

Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Catchall account and lots of spam in a short period
On Thu, 2009-07-30 at 07:06 -0400, Charles Marcus wrote:
On 7/30/2009, Martijn de Munnik (mart...@youngguns.nl) wrote:

Of course we don't know which email addresses are valid so all mail for the domain is accepted on our servers.

That is your problem to be fixed. Maybe this helps: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

That's what I was looking for, thanks! One more question: I assume it is better to put the reject_unknown_recipient_domain and reject_unverified_recipient controls after the RBLs and policy services. This way only address verification is needed when the mail passes the RBLs and policies?

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Catchall account and lots of spam in a short period
On Jul 30, 2009, at 2:48 PM, Charles Marcus wrote:
On 7/30/2009 8:26 AM, Martijn de Munnik wrote:

I assume it is better to put the reject_unknown_recipient_domain and reject_unverified_recipient controls after the RBLs and policy services. This way only address verification is needed when the mail passes the RBLs and policies?

Actually, I think it should be the other way around... You want to put the least expensive checks first... reject_unverified_recipient is, I believe, much cheaper than RBL lookups... but maybe I'm wrong?

Mmmm, I'm using transport maps to forward mail to the final mail server. So the verify should contact the remote server and I think that is almost as expensive as an RBL check. Also I want to use the address_verify_map cache and want it to be as small as possible.

-- Best regards, Charles
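The probe-and-cache idea discussed in this thread (an SMTP session up to RCPT TO against the final server, with results that expire) is what Postfix's reject_unverified_recipient and address_verify_map provide natively. The sketch below is an added example, not code from the thread or from Postfix; the class name, lifetimes, sender and host names are assumptions, and the backend in `demo()` is constructed.

```python
import smtplib
import time

POSITIVE_TTL = 31 * 24 * 3600   # example lifetime for "address exists"
NEGATIVE_TTL = 3 * 24 * 3600    # example lifetime for "address rejected"


def smtp_probe(rcpt, relay_host, helo_name, probe_sender, port=25, timeout=10):
    """HELO, MAIL FROM, RCPT TO, then QUIT without DATA; returns the RCPT code."""
    with smtplib.SMTP(relay_host, port, timeout=timeout) as conn:
        conn.helo(helo_name)
        conn.mail(probe_sender)
        code, _ = conn.rcpt(rcpt)
        return code


class VerifyCache:
    """Caches probe results so the final server is asked once per address."""

    def __init__(self, probe, clock=time.time):
        self.probe = probe      # callable(rcpt) -> SMTP reply code
        self.clock = clock
        self.entries = {}       # address -> (decision, expires_at)

    def check(self, rcpt):
        key = rcpt.lower()
        now = self.clock()
        hit = self.entries.get(key)
        if hit and now < hit[1]:
            return hit[0]
        try:
            code = self.probe(rcpt)
        except (OSError, smtplib.SMTPException):
            code = 451          # final server unreachable: treat as temporary
        if 200 <= code < 300:
            self.entries[key] = ("accept", now + POSITIVE_TTL)
            return "accept"
        if 500 <= code < 600:
            self.entries[key] = ("reject", now + NEGATIVE_TTL)
            return "reject"
        # 4xx or a failed probe is never cached: answer 4xx ourselves so the
        # sender retries, instead of turning an outage into a hard reject.
        self.entries.pop(key, None)
        return "defer"


def demo():
    """Constructed backend: one valid mailbox, a second one created later."""
    valid = {"info@customer.example"}
    calls = []
    now = [0.0]

    def fake_probe(rcpt):
        calls.append(rcpt)
        return 250 if rcpt.lower() in valid else 550

    cache = VerifyCache(fake_probe, clock=lambda: now[0])
    results = [cache.check("info@customer.example"),
               cache.check("bogus@customer.example"),
               cache.check("bogus@customer.example")]   # served from cache
    valid.add("bogus@customer.example")                 # customer adds mailbox
    now[0] += NEGATIVE_TTL + 1                          # negative entry expires
    results.append(cache.check("bogus@customer.example"))
    return results, len(calls)


if __name__ == "__main__":
    print(demo())
```

To probe a real server, pass `functools.partial(smtp_probe, relay_host=..., helo_name=..., probe_sender=...)` as the `probe` argument.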
request to update ... in non-postfix directory
What do these log entries mean and how can I fix this problem:

Jul 29 02:19:39 stevie.youngguns.nl postfix/postfix-script[24806]: [ID 197553 mail.info] starting the Postfix mail system
Jul 29 02:19:41 stevie.youngguns.nl postfix/master[24807]: [ID 197553 mail.info] daemon started -- version 2.7-20090607, configuration /etc/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 mail.warning] warning: request to update table btree:/var/spool/postfix/smtpd_scache in non-postfix directory /var/spool/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 mail.warning] warning: redirecting the request to postfix-owned data_directory /opt/csw/var/lib/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 mail.warning] warning: request to update table btree:/var/spool/postfix/smtp_scache in non-postfix directory /var/spool/postfix
Jul 29 02:19:41 stevie.youngguns.nl postfix/tlsmgr[24813]: [ID 947731 mail.warning] warning: redirecting the request to postfix-owned data_directory /opt/csw/var/lib/postfix

postconf -n

alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mail_spool_directory = /opt/csw/var/lib/postfix
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 209715200
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = $mydestination, slagenlandwonen.nl, wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl, fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de, printcontrol.nl, dankers-schilderwerken.nl, promonta.nl, interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname,permit
smtpd_recipient_limit = 25
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_invalid_hostname, reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client virbl.dnsbl.bit.nl, check_policy_service inet:127.0.0.1:12525, check_policy_service inet:127.0.0.1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual
Catchall account and lots of spam in a short period
/csw/etc/postfix/virtual Kind regards, Martijn de Munnik -- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Catchall account and lots of spam in a short period
On Mon, 2009-07-27 at 11:40 +0200, Martijn de Munnik wrote:

Hi, I'm using a couple of anti-spam techniques which successfully reject (5xx) or ban (ipfilter firewall rule) most spam before even getting in the queue. A couple of days ago about 2600 spam messages were delivered to a user with a catch-all account. These messages were classified as SPAM or SPAMMY by spamassassin and were indeed spam. I wonder why these messages got through at all? I use greylisting, blacklists, ban hosts that send one spam message for 10 minutes (ipfilter) and ban hosts that send three spam messages for one day (ipfilter). Are there ways to block these spam attacks? I don't see any pattern in IPs. Maybe increase the greylist period for the domain under attack (I don't know how to do that without affecting the other domains).

https://secure.youngguns.nl/mailgraph.cgi#G1

See the attack on Friday, 2994 spam messages in that week. On a normal day we receive about 100 spam messages.

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Catchall account and lots of spam in a short period
On Mon, 2009-07-27 at 10:55 +0100, Simon Waters wrote:
On Monday 27 July 2009 10:40:34 Martijn de Munnik wrote:

I'm using a couple of anti-spam techniques which successfully reject (5xx) or ban (ipfilter firewall rule) most spam before even getting in the queue.

You use a LOT of blacklists, which probably results in more false positives than needed. I'd suggest if you want to use more than one or two blacklists you use something like policyd-weight, although it is a little fiddly to get set-up just so in my experience once running it is pretty good. http://www.policyd-weight.org/

OK, I'm going to check that!

A couple of days ago about 2600 spam messages were delivered to a user with a catch-all account. These messages were classified as SPAM or SPAMMY by spamassassin and were indeed spam. I wonder why these messages got through at all?

Without knowing the content of the email, or details of the senders, it is going to be hard for folks to comment.

It seems most of those messages are DSNs.

Here the usual catchall problem is bounces, which defeat greylisting and block lists because they come from servers we'd (plausibly at least) want to accept email from. I'd suggest losing the catch-alls, it is simple, effective, and has a low false positive rate as not many genuine correspondents make up email addresses to try.

Losing catchall seems to be the best solution but some of my customers want to create an email address for every website they register on. m...@desjors.nl pay...@desjors.nl deb...@desjors.nl etc. Then they use their mail client to filter the messages and put them in folders. Of course they can create aliases on the admin panel but customers are lazy ;)

Simon

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Catchall account and lots of spam in a short period
On Jul 27, 2009, at 7:18 PM, /dev/rob0 wrote:
On Monday 27 July 2009 05:47:29 Simon Waters wrote:
On Monday 27 July 2009 11:13:34 Martijn de Munnik wrote:

Losing catchall seems to be the best solution but some of my customers want to create an email address for every website they register on. m...@desjors.nl pay...@desjors.nl deb...@desjors.nl

They could use the recipient_delimiter for this.

$postconf -n | grep recipient_delimiter
recipient_delimiter = +

simon+pay...@example.com
simon+...@example.com

Of course the spammers might figure that one out eventually, but most fall into the stupid category. Besides if the spammers figure it out I'll just change my email to s+i+m+...@example.com and refuse email to lesser parts of the address.

Unfortunately, I have found that many Web programmers don't bother to read RFCs and find out what characters are allowed in email addresses. Many sites will not accept a + in your username. I think the old default qmail delimiter, -, is a better choice for those just now switching to recipient_delimiter use. Another good one would be .. To name one, I tried to get automobile insurance with GEICO, a large insurer in the USA. If I had access to my old virtual_alias_maps I could find many more who rejected the +.

-- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header

I guess I need to prohibit the catch all account and offer the solution with the delimiter instead. That way all spam to bogus email addresses gets rejected because the address does not exist. But still I wonder if there is a way to stop the spam attack. The catchall account did exist for a long time but was under attack only for a short period (couple of hours). Is there a way to limit the effect of such attacks? The user normally only receives about 10 messages per hour. So hundreds of messages per hour is a clear sign that a spam attack is happening.
Backup mx config
Hi List,

A script just screwed my main.cf of a backup mx. Unfortunately I don't have a backup of the main.cf. I restored the main.cf but one thing is still not working as before. The relay*_for_stevie files contain the domains and email addresses which accept mail on stevie.youngguns.nl. When I test the backup mx with an invalid domain I get a 5** error, but if I test the backup mx with an invalid address but valid domain I see the message is greylisted. Of course this should also be denied 5**. What is wrong in this config?

BTW I just configured bacula to also include the postfix config ;)

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
maximal_backoff_time = 8000s
maximal_queue_lifetime = 15d
minimal_backoff_time = 1000s
mydestination = marcus.youngguns.nl, localhost.youngguns.nl, localhost
myhostname = marcus.youngguns.nl
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relaydomains_for_stevie
relay_recipient_maps = hash:/etc/postfix/relayaddresses_for_stevie
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtpd_banner = Welkom bij $myhostname, stuur ook eens een kaartje!
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org, reject_rbl_client blackholes.easynet.nl,reject_unauth_pipelining, reject_unknown_client, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname,permit
smtpd_recipient_limit = 25
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_invalid_hostname, reject_unknown_recipient_domain,reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com, check_policy_service inet:127.0.0.1:2525permit
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
soft_bounce = no
unknown_local_recipient_reject_code = 450

Kind regards,
Martijn de Munnik
-- YoungGuns Kasteleinenkampweg 7b 5222 AX 's-Hertogenbosch T. 073 623 56 40 F. 073 623 56 39 www.youngguns.nl KvK 18076568
Re: Backup mx config
Hi Noel, List,

Thanks for your reply! I changed things according to your settings but I guess I overlooked a thing? Still the backup mail server relays everything for *...@validdomain.org. Invalid domains are not relayed.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
maximal_backoff_time = 8000s
maximal_queue_lifetime = 15d
minimal_backoff_time = 1000s
mydestination = marcus.youngguns.nl, localhost.youngguns.nl, localhost
myhostname = marcus.youngguns.nl
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relaydomains_for_stevie
relay_recipient_maps = hash:/etc/postfix/relayaddresses_for_stevie
smtp_helo_timeout = 60s
smtp_skip_quit_response = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com, reject_unauth_destination, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:2525 permit
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 3
soft_bounce = yes
unknown_local_recipient_reject_code = 450

On Jul 13, 2009, at 7:57 PM, Noel Jones wrote:
Martijn de Munnik wrote:

Hi List, A script just screwed my main.cf of a backup mx. Unfortunately I don't have a backup of the main.cf. I restored the main.cf but one thing is still not working as before. The relay*_for_stevie files contain the domains and email addresses which accept mail on stevie.youngguns.nl. When I test the backup mx with an invalid domain I get a 5** error, but if I test the backup mx with an invalid address but valid domain I see the message is greylisted. Of course this should also be denied 5**. What is wrong in this config?

Comments below...

receive_override_options = no_address_mappings
Not recommended unless you also have content_filter set.

relay_domains = hash:/etc/postfix/relaydomains_for_stevie
OK.

relay_recipient_maps = hash:/etc/postfix/relayaddresses_for_stevie
Good, you appear to have a list of valid recipients for your relay_domains.

smtp_send_xforward_command = yes
This is usually set in specific master.cf services, not main.cf. You don't usually want to send XFORWARD information to the whole world.

smtpd_banner = Welkom bij $myhostname, stuur ook eens een kaartje!
This should be = $myhostname ESMTP your text here

smtpd_client_connection_count_limit = 10
WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate legitimate mail traffic.

smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org, reject_rbl_client blackholes.easynet.nl,reject_unauth_pipelining, reject_unknown_client, permit
The easynet blacklist has been dead for years. reject_unknown_client is a very strict check and is known to reject legit mail. reject_unauth_pipelining probably doesn't do any good here, but it won't hurt anything.

smtpd_data_restrictions = reject_unauth_pipelining
OK.

smtpd_delay_reject = yes
yes is the default. Don't change it.

smtpd_helo_restrictions = permit_mynetworks,warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
OK.

smtpd_recipient_limit = 25
only if you have 25 or fewer users.

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
add here: reject_unlisted_recipient
reject_unauth_pipelining, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_invalid_hostname, reject_unknown_recipient_domain,reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com, check_policy_service inet:127.0.0.1:2525permit
reject_unauth_pipelining is not effective here.

smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
reject_unauth_pipelining is not effective here.

I notice you have several duplicated restrictions. No need to list things such as reject_non_fqdn_sender more than once.

smtpd_soft_error_limit = 3
soft_bounce = no
unknown_local_recipient_reject_code = 450
Change this to 550 once postfix correctly recognizes valid recipients.

-- Noel
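Why the position of reject_unlisted_recipient decides whether an unknown address in a valid relay domain first sees a greylisting 450 or an immediate 5xx, and how soft_bounce = yes changes the reply: an added example, a toy model that is neither Postfix code nor taken from the thread. The domain, addresses, reply texts and function names are constructed, and the end-of-list recipient check is a modelled assumption about the smtpd_reject_unlisted_recipient default.

```python
import ipaddress

# Constructed stand-ins for relay_domains and relay_recipient_maps.
RELAY_DOMAINS = {"validdomain.example"}
RELAY_RECIPIENTS = {"info@validdomain.example"}
MYNETWORKS = ipaddress.ip_network("127.0.0.0/8")

# A restriction returns (code, text) to end evaluation, or None (DUNNO) to
# hand the decision to the next restriction in the list.


def permit_mynetworks(rcpt, client):
    return (250, "Ok") if ipaddress.ip_address(client) in MYNETWORKS else None


def reject_unauth_destination(rcpt, client):
    if rcpt.rsplit("@", 1)[1] not in RELAY_DOMAINS:
        return (554, "Relay access denied")
    return None


def reject_unlisted_recipient(rcpt, client):
    domain = rcpt.rsplit("@", 1)[1]
    if domain in RELAY_DOMAINS and rcpt not in RELAY_RECIPIENTS:
        return (550, "User unknown in relay recipient table")
    return None


def make_greylist_policy():
    """Stand-in for check_policy_service: defer the first attempt of a pair."""
    seen = set()

    def check_policy_service(rcpt, client):
        if (client, rcpt) in seen:
            return None
        seen.add((client, rcpt))
        return (450, "Greylisted, try again later")

    return check_policy_service


def permit(rcpt, client):
    return (250, "Ok")


def evaluate(restrictions, rcpt, client, soft_bounce=False):
    """Walk the list; the first restriction that returns a verdict wins."""
    verdict = None
    for restriction in restrictions:
        verdict = restriction(rcpt, client)
        if verdict is not None:
            break
    # Modelled assumption: the implicit unknown-recipient check runs after
    # the list, but only when the list did not already reject or defer.
    if verdict is None or verdict[0] < 300:
        verdict = reject_unlisted_recipient(rcpt, client) or verdict or (250, "Ok")
    code, text = verdict
    if soft_bounce and code >= 500:
        code -= 100  # soft_bounce = yes: every 5xx reply goes out as 4xx
    return code, text


def original_order():
    # Policy service reached before any recipient validation.
    return [permit_mynetworks, reject_unauth_destination,
            make_greylist_policy(), permit]


def corrected_order():
    # reject_unlisted_recipient placed ahead of the policy service.
    return [permit_mynetworks, reject_unauth_destination,
            reject_unlisted_recipient, make_greylist_policy(), permit]


if __name__ == "__main__":
    bogus, outside = "bogus@validdomain.example", "192.0.2.10"
    print("original :", evaluate(original_order(), bogus, outside))
    print("corrected:", evaluate(corrected_order(), bogus, outside))
    print("soft     :", evaluate(corrected_order(), bogus, outside, soft_bounce=True))
```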
Re: Backup mx config
On Jul 13, 2009, at 10:59 PM, Noel Jones wrote:
Martijn de Munnik wrote:

Hi Noel, List, Thanks for your reply! I changed things according to your settings but I guess I overlooked a thing? Still the backup mail server relays everything for *...@validdomain.org. Invalid domains are not relayed.

Please don't top-post. Valid recipients for relay_domains should be listed in relay_recipient_maps, check that file.
http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_CLASS_README.html

Hi, I'm sure that file is correct, it used to work before I broke the main.cf. The relay*_for_stevie files haven't been touched since then. So I guess it must be something in my main.cf, that's the only changed file.

Recipient validation can also be thwarted by a catch-all in virtual_alias_maps or *canonical_maps, but you don't seem to be using either of those (unless you've defined them in master.cf - don't do that).

Hmm, the backward-compatible default value of virtual_alias_maps is the deprecated parameter $virtual_maps, so that won't show in postconf output. If you have virtual_maps defined in your main.cf, make sure there aren't any catch-all mappings.

-- Noel Jones
Re: Backup mx config
On Jul 13, 2009, at 11:12 PM, Martijn de Munnik wrote:
On Jul 13, 2009, at 10:59 PM, Noel Jones wrote:
Martijn de Munnik wrote:

Hi Noel, List, Thanks for your reply! I changed things according to your settings but I guess I overlooked a thing? Still the backup mail server relays everything for *...@validdomain.org. Invalid domains are not relayed.

Please don't top-post. Valid recipients for relay_domains should be listed in relay_recipient_maps, check that file.
http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_CLASS_README.html

Hi, I'm sure that file is correct, it used to work before I broke the main.cf. The relay*_for_stevie files haven't been touched since then. So I guess it must be something in my main.cf, that's the only changed file.

Mmm I guess this was always wrong in my config, I need to fix the file...

Recipient validation can also be thwarted by a catch-all in virtual_alias_maps or *canonical_maps, but you don't seem to be using either of those (unless you've defined them in master.cf - don't do that).

Hmm, the backward-compatible default value of virtual_alias_maps is the deprecated parameter $virtual_maps, so that won't show in postconf output. If you have virtual_maps defined in your main.cf, make sure there aren't any catch-all mappings.

-- Noel Jones
Re: Backup mx config
Hi,

On Jul 13, 2009, at 7:57 PM, Noel Jones wrote:
Martijn de Munnik wrote:

smtpd_recipient_limit = 25

only if you have 25 or fewer users.

I thought this means a user can send an e-mail to 25 users max at once?