Re: Case sensitive local user accounts

2013-01-09 Thread Randy Ramsdell
On 01/07/2013 07:17 PM, Wietse Venema wrote:
> Randy Ramsdell:
>> What is the configuration that forces postfix to honor what is found in
>> virtual_alias_maps ?
>>
>> e.g.
>>
>> support@$domain.com LocalAccount
> 
> It does.
> 
> However, the local(8) delivery agent case-folds recipient names.
> 
>   Wietse

Okay. So added these domains to mydestination and removing the virtual
configuration altogether.

A pointer to how to not fold the local accounts?

thanks



Case sensitive local user accounts

2013-01-07 Thread Randy Ramsdell
What is the configuration that forces postfix to honor what is found in
virtual_alias_maps ?

e.g.

support@$domain.com LocalAccount

Thanks.



Re: Many to one address rewriting, exceptions exist.

2011-09-27 Thread Randy Ramsdell

On 09/27/11 09:33, Noel Jones wrote:

On 9/27/2011 8:03 AM, Randy Ramsdell wrote:

/etc/postfix/virtual:
#f...@example.com  stays itself.
f...@example.com  f...@example.com

#b...@example.com  goes elsewhere.
b...@example.com  other@elsewhere

/etc/postfix/virtual.pcre:
# Everything else goes to the mailsink.
/./  mails...@example.net

?

Plus the portion of my example that you left out, and that lists
the PCRE file last in the virtual_alias_maps settings.

 Wietse

virtual_alias_maps =
 hash:/etc/postfix/virtual pcre:/etc/postfix/virtual.pcre

Has been this way since I started with your example.




When you have a /./ catchall, you need an identity mapping in the
hash file for every user to keep the catchall from grabbing it.

In your example above, you would add
other@elsewhere   other@elsewhere
to your hash file.

Wietse's examples started out with just aliasing @example.com and
not the whole world.  In the case of aliasing only @example.com, no
identity mapping would be needed for @elsewhere as it wouldn't match
the domain wildcard.  But you're using a global wildcard, not just a
domain wildcard.


   -- Noel Jones
Okay. Tried so many iterations of this; also had another person try,
without success.


CONFIGS:

r...@mail1-test.dfb.qa.vn:/etc/postfix # cat virtual
r...@mail1.dfb.qa.vn  rramsdell@elsewhere

r...@mail1-test.dfb.qa.vn:/etc/postfix # cat virtual.pcre
/rramsdell\@elsewhere/  rramsdell@elsewhere
/./ itstaff

r...@mail1-test.dfb.qa.vn:/etc/postfix # cat main.cf | grep virtual.pcre
virtual_alias_maps = hash:/etc/postfix/virtual pcre:/etc/postfix/virtual.pcre


TESTING

r...@mail1-test.dfb.qa.vn:/etc/postfix # telnet 192.168.21.31 25
Trying 192.168.21.31...
Connected to 192.168.21.31.
Escape character is '^]'.
220 mail1.dfb.qa.vn ESMTP Postfix
helo rramsdell
250 mail1.dfb.qa.vn
mail from: rramsd...@elsewhere.com
250 2.1.0 Ok
rcpt to: r...@mail1.dfb.qa.vn
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
.
250 2.0.0 Ok: queued as 6252A17A809


RESULT

Sep 27 12:25:38 mail1-test postfix/smtpd[16575]: 6252A17A809: 
client=mail1-test.dfb.qa.vn[192.168.21.31]
Sep 27 12:25:42 mail1-test postfix/cleanup[16592]: 6252A17A809: 
message-id=<20110927162538.6252a17a...@mail1.dfb.qa.vn>
Sep 27 12:25:42 mail1-test postfix/qmgr[16563]: 6252A17A809: 
from=, size=352, nrcpt=1 (queue active)
Sep 27 12:25:42 mail1-test postfix/error[16593]: 6252A17A809: 
to=, orig_to=, relay=none, 
delay=25, delays=25/0/0/0.03, dsn=5.0.0, status=bounced (User unknown in 
virtual alias table)
Sep 27 12:25:42 mail1-test postfix/cleanup[16592]: A556C17A810: 
message-id=<20110927162542.a556c17a...@mail1.dfb.qa.vn>
Sep 27 12:25:42 mail1-test postfix/qmgr[16563]: A556C17A810: from=<>, 
size=2208, nrcpt=1 (queue active)
Sep 27 12:25:42 mail1-test postfix/bounce[16594]: 6252A17A809: sender 
non-delivery notification: A556C17A810

Sep 27 12:25:42 mail1-test postfix/qmgr[16563]: 6252A17A809: removed
Sep 27 12:25:42 mail1-test postfix/error[16593]: A556C17A810: 
to=, relay=none, delay=0.06, delays=0.03/0/0/0.03, 
dsn=5.0.0, status=bounced (User unknown in virtual alias table)

Sep 27 12:25:42 mail1-test postfix/qmgr[16563]: A556C17A810: removed

POSTCONF

r...@mail1-test.dfb.qa.vn:/etc/postfix # postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
home_mailbox = Maildir/
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain
myhostname = mail1.dfb.qa.vn
mynetworks = 192.168.21.0/24 127.0.0.0/8
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
t

Re: Many to one address rewriting, exceptions exist.

2011-09-27 Thread Randy Ramsdell

On 09/26/11 16:12, Wietse Venema wrote:

Randy Ramsdell:

On 09/26/11 14:36, Noel Jones wrote:

On 9/26/2011 1:31 PM, Randy Ramsdell wrote:

On 09/26/11 14:18, Noel Jones wrote:

On 9/26/2011 1:00 PM, Randy Ramsdell wrote:

On 09/22/11 13:45, Randy Ramsdell wrote:

I cannot find the way to grab all "to's" rewritten to go to a
single "to:". We need to send all mail coming out of our QA
environment and send that to a single, probably, local address.
The list of senders will be in the thousands and so using a
catchall for these has to be configured.

We will also select a few "to's" where we send these off as normal.

No external to our network mail we need to be routed.

So far I read about transport maps and the address rewriting but
don't see a way or the best way to accomplish this.

Advice appreciated,
Randy Ramsdell

When virtual_alias_maps using two maps as suggested.

virtual_alias_maps =
   hash:/etc/postfix/virtual pcre:/etc/postfix/virtual.pcre

This has order correct? i.e. as in the maps are checked sequentially?



The maps are checked sequentially and recursively. Recursion stops
when the result is the same as the input key or "not found".

For this application, you would need 1-1 "identity" mappings in the
hash file, and a catchall in the pcre.


 -- Noel Jones

r...@mail1-test.dfb.qa.vn:/etc/postfix # cat virtual
real@madeupdomain rramsdell@nonlocaldomain

need to add an identity mapping to the hash file:

rramsdell@nonlocaldomain   rramsdell@nonlocaldomain






r...@mail1-test.dfb.qa.vn:/etc/postfix # cat virtual.pcre
/./ itstaff


This per Wietse.

Debug :

Sep 26 13:54:43 mail1-test postfix/smtpd[6842]: maps_find:
virtual_alias_maps: hash:/etc/postfix/virtual(0,lock|fold_fix):
real@madeupdomain = rramsdell@nonlocaldomain

. . .

Sep 26 13:54:53 mail1-test postfix/local[6848]: C311517A7BF:
to=, orig_to=,
relay=local, delay=19, delays=19/0/0/0.05, dsn=2.0.0, status=sent
(delivered to maildir)

This looks like it matches virtual and then applies the pcre virtual.



Yes, that's what recursion does.




-- Noel Jones

/etc/postfix/virtual:
   #f...@example.com  stays itself.
   f...@example.com f...@example.com

   #b...@example.com  goes elsewhere.
   b...@example.com other@elsewhere

/etc/postfix/virtual.pcre:
   # Everything else goes to the mailsink.
   /./  mails...@example.net

?

Plus the portion of my example that you left out, and that lists
the PCRE file last in the virtual_alias_maps settings.

Wietse

virtual_alias_maps =
hash:/etc/postfix/virtual pcre:/etc/postfix/virtual.pcre

Has been this way since I started with your example.
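
The lookup behaviour discussed in this thread (maps searched in order, recursion until the result equals the key or nothing is found) can be modelled in a few lines. This is an added example, not code from the thread or from Postfix; it is a simplified model that ignores Postfix's extra hash lookups (`@domain`, bare `user`) and case folding, and all addresses are constructed sample values.

```python
import re

# Simplified model of virtual_alias_maps resolution, for illustration only.
# Table contents and addresses below are constructed sample values.


def make_hash(table):
    """Exact-match table, standing in for hash:/etc/postfix/virtual."""
    return lambda addr: table.get(addr)


def make_pcre(rules):
    """Ordered regex table, standing in for pcre:/etc/postfix/virtual.pcre."""
    compiled = [(re.compile(pattern), result) for pattern, result in rules]

    def lookup(addr):
        for pattern, result in compiled:
            if pattern.search(addr):
                return result          # first matching rule wins
        return None

    return lookup


def resolve(addr, maps, limit=50):
    """Rewrite addr until identity or 'not found'; return (final, trace)."""
    trace = [addr]
    for _ in range(limit):
        result = None
        for lookup in maps:            # maps are searched in listed order
            result = lookup(addr)
            if result is not None:
                break
        if result is None or result == addr:
            return addr, trace         # recursion stops here
        addr = result                  # otherwise look up the result again
        trace.append(addr)
    raise RuntimeError("alias expansion did not terminate")


CATCHALL = make_pcre([(r".", "sink@example.net")])

# Exceptions only: bob's target has no identity mapping of its own.
WITHOUT_IDENTITY = [
    make_hash({
        "alice@example.com": "alice@example.com",
        "bob@example.com": "other@elsewhere.example",
    }),
    CATCHALL,
]

# Same table plus an identity mapping for the rewritten target.
WITH_IDENTITY = [
    make_hash({
        "alice@example.com": "alice@example.com",
        "bob@example.com": "other@elsewhere.example",
        "other@elsewhere.example": "other@elsewhere.example",
    }),
    CATCHALL,
]

if __name__ == "__main__":
    for label, maps in (("without", WITHOUT_IDENTITY), ("with", WITH_IDENTITY)):
        for rcpt in ("alice@example.com", "bob@example.com", "carol@example.org"):
            final, trace = resolve(rcpt, maps)
            print(f"{label:8} identity: {' -> '.join(trace)}")
```

Without the identity entry, the second pass over `other@elsewhere.example` misses the hash table and is caught by `/./`, so the exception ends up in the sink as well.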




Re: Many to one address rewriting, exceptions exist.

2011-09-26 Thread Randy Ramsdell

On 09/26/11 14:36, Noel Jones wrote:

On 9/26/2011 1:31 PM, Randy Ramsdell wrote:

On 09/26/11 14:18, Noel Jones wrote:

On 9/26/2011 1:00 PM, Randy Ramsdell wrote:

On 09/22/11 13:45, Randy Ramsdell wrote:

I cannot find the way to grab all "to's" rewritten to go to a
single "to:". We need to send all mail coming out of our QA
environment and send that to a single, probably, local address.
The list of senders will be in the thousands and so using a
catchall for these has to be configured.

We will also select a few "to's" where we send these off as normal.

No external to our network mail we need to be routed.

So far I read about transport maps and the address rewriting but
don't see a way or the best way to accomplish this.

Advice appreciated,
Randy Ramsdell

When virtual_alias_maps using two maps as suggested.

virtual_alias_maps =
  hash:/etc/postfix/virtual pcre:/etc/postfix/virtual.pcre

This has order correct? i.e. as in the maps are checked sequentially?



The maps are checked sequentially and recursively. Recursion stops
when the result is the same as the input key or "not found".

For this application, you would need 1-1 "identity" mappings in the
hash file, and a catchall in the pcre.


-- Noel Jones

r...@mail1-test.dfb.qa.vn:/etc/postfix # cat virtual
real@madeupdomain rramsdell@nonlocaldomain

need to add an identity mapping to the hash file:

rramsdell@nonlocaldomain   rramsdell@nonlocaldomain







r...@mail1-test.dfb.qa.vn:/etc/postfix # cat virtual.pcre
/./ itstaff


This per Wietse.

Debug :

Sep 26 13:54:43 mail1-test postfix/smtpd[6842]: maps_find:
virtual_alias_maps: hash:/etc/postfix/virtual(0,lock|fold_fix):
real@madeupdomain = rramsdell@nonlocaldomain

. . .

Sep 26 13:54:53 mail1-test postfix/local[6848]: C311517A7BF:
to=, orig_to=,
relay=local, delay=19, delays=19/0/0/0.05, dsn=2.0.0, status=sent
(delivered to maildir)

This looks like it matches virtual and then applies the pcre virtual.



Yes, that's what recursion does.




   -- Noel Jones


/etc/postfix/virtual:
 #f...@example.com  stays itself.
 f...@example.com   f...@example.com

 #b...@example.com  goes elsewhere.
 b...@example.com   other@elsewhere

/etc/postfix/virtual.pcre:
 # Everything else goes to the mailsink.
 /./  mails...@example.net

?



Re: Many to one address rewriting, exceptions exist.

2011-09-26 Thread Randy Ramsdell

On 09/26/11 14:18, Noel Jones wrote:

On 9/26/2011 1:00 PM, Randy Ramsdell wrote:

On 09/22/11 13:45, Randy Ramsdell wrote:

I cannot find the way to grab all "to's" rewritten to go to a
single "to:". We need to send all mail coming out of our QA
environment and send that to a single, probably, local address.
The list of senders will be in the thousands and so using a
catchall for these has to be configured.

We will also select a few "to's" where we send these off as normal.

No external to our network mail we need to be routed.

So far I read about transport maps and the address rewriting but
don't see a way or the best way to accomplish this.

Advice appreciated,
Randy Ramsdell

When virtual_alias_maps using two maps as suggested.

virtual_alias_maps =
 hash:/etc/postfix/virtual pcre:/etc/postfix/virtual.pcre

This has order correct? i.e. as in the maps are checked sequentially?




The maps are checked sequentially and recursively. Recursion stops
when the result is the same as the input key or "not found".

For this application, you would need 1-1 "identity" mappings in the
hash file, and a catchall in the pcre.


   -- Noel Jones


r...@mail1-test.dfb.qa.vn:/etc/postfix # cat virtual
real@madeupdomain rramsdell@nonlocaldomain


r...@mail1-test.dfb.qa.vn:/etc/postfix # cat virtual.pcre
/./ itstaff


This per Wietse.

Debug :

Sep 26 13:54:43 mail1-test postfix/smtpd[6842]: maps_find: 
virtual_alias_maps: hash:/etc/postfix/virtual(0,lock|fold_fix): 
real@madeupdomain = rramsdell@nonlocaldomain


. . .

Sep 26 13:54:53 mail1-test postfix/local[6848]: C311517A7BF: 
to=, orig_to=, relay=local, 
delay=19, delays=19/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)


This looks like it matches virtual and then applies the pcre virtual.




Re: Many to one address rewriting, exceptions exist.

2011-09-26 Thread Randy Ramsdell

On 09/22/11 13:45, Randy Ramsdell wrote:
I cannot find the way to grab all "to's" rewritten to go to a
single "to:". We need to send all mail coming out of our QA 
environment and send that to a single, probably, local address. The 
list of senders will be in the thousands and so using a catchall for 
these has to be configured.


We will also select a few "to's" where we send these off as normal.

No external to our network mail we need to be routed.

So far I read about transport maps and the address rewriting but don't 
see a way or the best way to accomplish this.


Advice appreciated,
Randy Ramsdell


When virtual_alias_maps using two maps as suggested.

virtual_alias_maps =
hash:/etc/postfix/virtual pcre:/etc/postfix/virtual.pcre

This has order correct? i.e. as in the maps are checked sequentially?




Re: Many to one address rewriting, exceptions exist.

2011-09-23 Thread Randy Ramsdell

On 09/23/11 13:35, Randy Ramsdell wrote:


Please disregard. Typo but I doubt you've seen the last issue regarding 
this configuration. :)


Re: Many to one address rewriting, exceptions exist.

2011-09-23 Thread Randy Ramsdell

On 09/22/11 16:33, Wietse Venema wrote:

Randy Ramsdell:

/etc/postfix/main.cf:
  virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:
  # All example.com users become mails...@example.net.
  @example.com  mails...@example.net

  # Except for f...@example.com, which stays itself.
  f...@example.com  f...@example.com

  # And except for b...@example.com, which goes elsewhere.
  b...@example.com  other@elsewhere

See http://www.postfix.org/DATABASE_README.html for tips to translate
this into other database formats.

Wietse

ahh however we need :

@singleuser@domain.

I tried this but does not work.

No surprise. The form "@" is not documented anywhere.

If you really must rewrite any domain, use regular expressions instead.

/etc/postfix/main.cf:
 virtual_alias_maps =
hash:/etc/postfix/virtual pcre:/etc/postfix/virtual.pcre

/etc/postfix/virtual:
 # f...@example.com stays itself.
 f...@example.com   f...@example.com

 # b...@example.com goes elsewhere.
 b...@example.com   other@elsewhere

/etc/postfix/virtual.pcre:
 # Everything else goes to the mailsink.
 /./  mails...@example.net

Wietse
Well this worked and somehow I broke it or really not sure. We only want 
to accept mail from the app servers.


hostname -f
mail1-test.dfb.qa.vn

Relevant logs:

Sep 23 13:28:20 mail1-test postfix/error[18015]: 2760D17A7F6: 
to=, orig_to=, relay=none, 
delay=0.07, delays=0.04/0/0/0.03, dsn=5.0.0, status=bounced (User 
unknown in virtual alias table)



postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain,*.com
myhostname = mail1-test.dfb.qa.vn
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pcre:/etc/postfix/virtual.pcre



Re: Many to one address rewriting, exceptions exist.

2011-09-22 Thread Randy Ramsdell

On 09/22/11 15:51, Wietse Venema wrote:

Randy Ramsdell:

I cannot find the way to grab all "to's" rewritten to go to a single
"to:". We need to send all mail coming out of our QA environment and
send that to a single, probably, local address. The list of senders will
be in the thousands and so using a catchall for these has to be configured.

We will also select a few "to's" where we send these off as normal.

No external to our network mail we need to be routed.

So far I read about transport maps and the address rewriting but don't
see a way or the best way to accomplish this.

The Berkeley DB version:

/etc/postfix/main.cf:
 virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:
 # All example.com users become mails...@example.net.
 @example.com   mails...@example.net

 # Except for f...@example.com, which stays itself.
 f...@example.com   f...@example.com

 # And except for b...@example.com, which goes elsewhere.
 b...@example.com   other@elsewhere

See http://www.postfix.org/DATABASE_README.html for tips to translate
this into other database formats.

Wietse

ahh however we need :

@singleuser@domain.

I tried this but does not work.

Thanks,
RCR





Many to one address rewriting, exceptions exist.

2011-09-22 Thread Randy Ramsdell
I cannot find the way to grab all "to's" rewritten to go to a single
"to:". We need to send all mail coming out of our QA environment and 
send that to a single, probably, local address. The list of senders will 
be in the thousands and so using a catchall for these has to be configured.


We will also select a few "to's" where we send these off as normal.

No external to our network mail we need to be routed.

So far I read about transport maps and the address rewriting but don't 
see a way or the best way to accomplish this.


Advice appreciated,
Randy Ramsdell


Re: E-mail file location

2011-06-29 Thread Randy Ramsdell

Wietse Venema wrote:

Randy Ramsdell:
Looking through our logs, I see a java process connecting to a bulk-mail 
server but cannot find any mail it is sending.


How do you know that it is sending email? Postfix logs
all email transactions, including rejects and deliveries.

Wietse



I do not know. It is "supposed" to be sending our alert e-mails but all 
I see is connects, disconnects and nothing else. It is like the alert 
application server is sending nothing which is what I suspect.


IIRC, the first queue would be the active queue and if email files are 
not found there, then something is broken on  this alert application server.


Trying to find the document on the flow of email through postfix as I 
write this.



The logs are as follows and this continues for a long time.

Jun 29 10:36:43 dfbbl05 postfix/smtpd[2905]: disconnect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:43 dfbbl05 postfix/smtpd[2907]: connect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:43 dfbbl05 postfix/smtpd[2907]: disconnect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2904]: connect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2904]: disconnect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2906]: connect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2906]: disconnect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2905]: connect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]


dfbbl9 is one of our alert application servers. I cannot find where any
of this mail is being stored until sent. I checked all the queues in 
"var/spool/postfix/*" and do not find a single email.


Where would I look for this mail?









E-mail file location

2011-06-29 Thread Randy Ramsdell
Looking through our logs, I see a java process connecting to a bulk-mail 
server but cannot find any mail it is sending.


The logs are as follows and this continues for a long time.

Jun 29 10:36:43 dfbbl05 postfix/smtpd[2905]: disconnect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:43 dfbbl05 postfix/smtpd[2907]: connect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:43 dfbbl05 postfix/smtpd[2907]: disconnect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2904]: connect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2904]: disconnect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2906]: connect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2906]: disconnect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]
Jun 29 10:36:44 dfbbl05 postfix/smtpd[2905]: connect from 
dfbbl9.shared.activedatatech.net[192.168.22.109]


dfbbl9 is one of our alert application servers. I cannot find where any
of this mail is being stored until sent. I checked all the queues in 
"var/spool/postfix/*" and do not find a single email.


Where would I look for this mail?



Re: Sending Bulk Mails

2011-06-06 Thread Randy Ramsdell

Wietse Venema wrote:

Stan Hoeppner:

On 6/4/2011 6:25 AM, /dev/rob0 wrote:

My recommendation to the OP is to consider outsourcing this. It will 
not cost that much, and a reputable email service provider can be 
well worth what they charge.


Conversely to do it inhouse I would recommend tearing it all down and 
starting over with a recent and well-supported OS. It might look 
cheaper on the short-term bottom line to beg on the Internet for help 
in keeping the old install running, but when things go wrong, as they 
surely will, the costs will skyrocket in ways not yet imagined.

+1

Outsource the sending of these shareholder notifications to a reputable
bulk mailer.  Stating you are running an EOL OS and EOL Postfix tells us
you are not up to the task of successfully pulling this operation off.


Sorry, you can tell people they run old code, but there is no need
to say they are an idiot. The platform may lack some features, but
it is technically good for a 15k mail sending operation. The
recommendation to outsource has nothing to do with the software.

Wietse
Hah, go to the postfix IRC and they most certainly are more rude than
this. It is nothing for them to tell you you are lazy and don't know
what you're talking about. In fact, calling people an idiot may be the
norm there. I never go there anymore, but it is good that the mailing
list, at least, has people trying to be more polite.


Re: Selective "RCPT TO" restrictions.

2011-05-03 Thread Randy Ramsdell

Randy Ramsdell wrote:

Randy Ramsdell wrote:
I am trying to configure a very selective list on who can send to
certain local accounts ( could be many and currently contains maybe 30 ).



Currently, this is covered by:

smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_lists,permit_mynetworks,permit_sasl_authenticated 
 etc...


In this protected list we have this:

us...@localdomain.com permit_mynetworks,permit_sasl_authenticated,reject
.
.
.
user...@localdomain.com


I need to add an allow for specific cases for each 
user{1-100+}@NONlocaldomain.com to send to user{1-100+}@localdomain.com.


Sort of stuck here since the protected_lists only allow the form 
permit_mynetworks,permit_sasl_authenticated,reject and not include 
$allow_some_specific_non_local_user


Help with this would be greatly appreciated.

Thanks,
RCR


I removed the address from protected_lists until I come up with a setup
which would include these lists and the lists using these lists.


I decided to use the following solution. Yes, I am responding to myself, 
but maybe someone else would find this useful. An issue that was
confusing was wrapping my head around the fact that I would have to 
create N lists of N members where N could be 1000.


Given:
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_lists,etc...


&&
smtpd_restriction_classes = list1, ... listN


In main.cf :

list1 = check_sender_access hash:/etc/postfix/list1_members,reject
.
.
.
listN = check_sender_access hash:/etc/postfix/listN_members,reject

In list1_members:
user1@extdomain1 OK
user2@extdomain2 OK

In listN_members:
userN@extdomainN OK

In protected_lists :
protecteduser1@locdomain1 list1
.
.
.
protecteduserN@locdomainN listN

Seems like a kludge, but works. The problem I see is if N == 1000. Maybe
then a DB would be best suited.


Thanks,
RCR
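
The per-recipient restriction-class layout in the message above can be generated from one table rather than maintained by hand. The following is an added example, not the poster's or the Postfix project's code: it renders the `main.cf` fragment and lookup tables from a constructed policy and models the resulting decision. The policy contents, the `render` and `decide` names and the `/etc/postfix` default are assumptions.

```python
# Constructed sample policy: protected recipient -> external senders allowed.
ACL = {
    "staff-list@local.example": ["partner@ext1.example"],
    "alerts@local.example": ["monitor@ext2.example", "ops@ext3.example"],
}


def render(acl, map_dir="/etc/postfix"):
    """Return {file name: text} for the main.cf fragment and lookup tables.

    One restriction class (list1..listN) is emitted per protected recipient.
    The tables still need to be compiled with postmap after being written.
    """
    files = {}
    names, class_lines, protected = [], [], []
    for i, rcpt in enumerate(sorted(acl), start=1):
        name = f"list{i}"
        names.append(name)
        class_lines.append(
            f"{name} = check_sender_access hash:{map_dir}/{name}_members, reject"
        )
        # In protected_lists the right-hand side is the class name.
        protected.append(f"{rcpt} {name}")
        files[f"{name}_members"] = "".join(
            f"{sender} OK\n" for sender in sorted(acl[rcpt])
        )
    files["protected_lists"] = "\n".join(protected) + "\n"
    files["main.cf.fragment"] = (
        "smtpd_restriction_classes = " + ", ".join(names) + "\n"
        + "\n".join(class_lines) + "\n"
    )
    return files


def decide(acl, sender, rcpt):
    """Model of the check for one MAIL FROM / RCPT TO pair.

    'OK'     listed sender for a protected recipient
    'REJECT' any other sender for a protected recipient
    'DUNNO'  recipient not protected; later restrictions decide
    """
    folded = {r.lower(): {s.lower() for s in senders} for r, senders in acl.items()}
    allowed = folded.get(rcpt.lower())
    if allowed is None:
        return "DUNNO"
    return "OK" if sender.lower() in allowed else "REJECT"


if __name__ == "__main__":
    for name, text in render(ACL).items():
        print(f"--- {name}\n{text}", end="")
    print(decide(ACL, "ops@ext3.example", "alerts@local.example"))
    print(decide(ACL, "stranger@ext9.example", "alerts@local.example"))
```

The check keys on the envelope sender, which the client supplies and nothing here authenticates, so this limits accidental posting rather than proving who sent the mail.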


Re: Selective "RCPT TO" restrictions.

2011-05-03 Thread Randy Ramsdell

Randy Ramsdell wrote:
I am trying to configure a very selective list on who can send to a 
certain local accounts ( could be many and currently contains maybe 30 ).



Currently, this is covered by:

smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_lists,permit_mynetworks,permit_sasl_authenticated 
 etc...


In this protected list we have this:

us...@localdomain.com permit_mynetworks,permit_sasl_authenticated,reject
.
.
.
user...@localdomain.com


I need to add an allow for specific cases for each 
user{1-100+}@NONlocaldomain.com to send to user{1-100+}@localdomain.com.


Sort of stuck here since the protected_lists only allow the form 
permit_mynetworks,permit_sasl_authenticated,reject and not include 
$allow_some_specific_non_local_user


Help with this would be greatly appreciated.

Thanks,
RCR


I removed the address from protected_lists until I come up with a setup
which would include these lists and the lists using these lists.


Selective "RCPT TO" restrictions.

2011-05-02 Thread Randy Ramsdell
I am trying to configure a very selective list on who can send to a 
certain local accounts ( could be many and currently contains maybe 30 ).



Currently, this is covered by:

smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_lists,permit_mynetworks,permit_sasl_authenticated 
 etc...


In this protected list we have this:

us...@localdomain.com permit_mynetworks,permit_sasl_authenticated,reject
.
.
.
user...@localdomain.com


I need to add an allow for specific cases for each 
user{1-100+}@NONlocaldomain.com to send to user{1-100+}@localdomain.com.


Sort of stuck here since the protected_lists only allow the form 
permit_mynetworks,permit_sasl_authenticated,reject and not include 
$allow_some_specific_non_local_user


Help with this would be greatly appreciated.

Thanks,
RCR


Re: how to flush frozen email from queue

2011-04-21 Thread Randy Ramsdell

/dev/rob0 wrote:


As you can see, sendmail does not appear ... How can I fix it?


This could be ugly. Installation from source, even correctly done, 
interferes with OS features like this "alternatives" thing. It is 
well worth your while to spend some time learning how properly to 
manage your OS before undertaking mail admin.


With Redhat-based systems, I suggest using Simon Mudd's SRPMs for a
recent Postfix release.

As to how to repair the damage, that would be a matter for your 
CentOS documentation and forums. Good luck.


Using source is fine and necessary at times when you can't wait for 
certain vendors to fix things on their time frame. We run source for 
several things. You just need to manage it accordingly.


In fact, I have found more than one borked rpm with wrong install 
dependencies, incorrect configurations that break things or overwrite 
prod configurations or incorrect remove dependencies.


Does postfix compile without sendmail by default?

You could recompile if you feel comfortable. Fairly I would do just that 
but I feel comfortable with this.


Re: Am I sending backscatter?

2011-04-15 Thread Randy Ramsdell

Steve Jenkins wrote:

I saw this in my maillog just now:

Apr 15 09:03:00 carbonfiber postfix/qmgr[28665]: 53D87104259C:
from=, size=16858, nrcpt=1 (queue
active)
Apr 15 09:03:01 carbonfiber amavis[28076]: (28076-20) Blocked
BAD-HEADER, [50.22.180.134] [50.22.180.134]
 -> , Message-ID:
<3297072511617582...@ibu134.olepykorin.info>, mail_id: mlACmT6BzNRX,
Hits: -, size: 17055,
dkim_id=shoppers_cent...@olepykorin.info,shoppers_cent...@olepykorin.info,
181 ms
Apr 15 09:03:04 carbonfiber postfix/smtp[31065]: 17795104259D:
to=,
relay=ibu134.olepykorin.info[50.22.180.134]:25, delay=3.5,
delays=0.05/0/3.5/0, dsn=4.0.0, status=deferred (host
ibu134.olepykorin.info[50.22.180.134] refused to talk to me: 421
ibu134.olepykorin.info out of connection slots)
Apr 15 09:12:50 carbonfiber postfix/smtp[31179]: 17795104259D:
to=,
relay=ibu134.olepykorin.info[50.22.180.134]:25, delay=590,
delays=586/0.01/3.7/0, dsn=4.0.0, status=deferred (host
ibu134.olepykorin.info[50.22.180.134] refused to talk to me: 421
ibu134.olepykorin.info out of connection slots)
Apr 15 09:22:51 carbonfiber postfix/smtp[31320]: 17795104259D:
to=,
relay=ibu134.olepykorin.info[50.22.180.134]:25, delay=1190,
delays=1186/0.01/3.6/0, dsn=4.0.0, status=deferred (host
ibu134.olepykorin.info[50.22.180.134] refused to talk to me: 421
ibu134.olepykorin.info out of connection slots)
Apr 15 09:42:53 carbonfiber postfix/smtp[6303]: 17795104259D:
to=,
relay=ibu134.olepykorin.info[50.22.180.134]:25, delay=2392,
delays=2386/0.01/3.6/2.5, dsn=2.6.0, status=sent (250 2.6.0 message
received)

Is that first "postfix/smtp" line sending a reject message to olepykorin.info?

Thanks,

SteveJ


As long as you accept mail for "your edit" u...@example.com, then
you are bouncing the message not rejecting it.


Re: Reject /Discard outbound domain?

2011-04-12 Thread Randy Ramsdell

Noel Jones wrote:

On 4/12/2011 10:41 AM, Randy Ramsdell wrote:

Noel Jones wrote:
Sorry, this is simply related to file format it appears.


Ah! A question!


Well, not really.





main.cf
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/protected_lists

protected_lists
@someinvaliddomainname.com reject


This won't work.


I only used this because nothing else worked.



and I have used:
someinvaliddomainname.com reject


This will work.




Holy crap! This was the first configuration I did and I think multiple 
times because I could not believe it wasn't working. I hope that I did 
not forget to postmap it EVERY time, but it appears that is where the 
problem was. This should have taken 5 minutes!!!


I could have easily used access I suppose, but that is only set for 
smtpd_sender_restrictions and protected_lists is there so.


Thanks,
RCR


Re: acquire Postfix statistics

2011-04-12 Thread Randy Ramsdell

Zhou, Yan wrote:
Hi There, 


How do you gather statistics for messages delivered and processed via
Postfix (both inbound and outbound)? For instance, to show on a daily
basis, how many messages we have received from each domain, how many
messages we have delivered to each domain, etc.

I have seen some options relying on passing the maillog file, I wonder
if there is any other option?

Thanks,
Yan







You have to write a script or download something.


external : grep on "relay=" and sent excluding local domains.
internal : grep on "relay=local" or wherever the mail store is.

cut, sort and uniq work well for this in Bash.
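The grep/sort/uniq approach suggested in this reply, as an added example that is not part of the original post: it counts successful deliveries per recipient domain, split into remote relays and relay=local. The function names are hypothetical and the log lines are constructed samples in the usual Postfix delivery-log layout.

```shell
#!/bin/sh
# Added illustration: per-domain delivery counts from Postfix log lines.

# Constructed sample log lines (not taken from the thread).
sample_log() {
cat <<'EOF'
Apr 12 09:00:01 mx postfix/smtp[2101]: 4F1A2B0001: to=<alice@example.org>, relay=mx1.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 12 09:00:05 mx postfix/smtp[2101]: 4F1A2B0002: to=<bob@example.org>, relay=mx1.example.org[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 12 09:01:10 mx postfix/smtp[2102]: 4F1A2B0003: to=<carol@Example.NET>, relay=mail.example.net[198.51.100.7]:25, delay=2.0, delays=0.1/0/1/0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 12 09:02:00 mx postfix/smtp[2102]: 4F1A2B0004: to=<dave@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[203.0.113.5]:25: Connection timed out)
Apr 12 09:03:00 mx postfix/local[2110]: 4F1A2B0005: to=<root@mx.example.test>, orig_to=<postmaster@mx.example.test>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 12 09:04:00 mx postfix/smtp[2103]: 4F1A2B0006: to=<erin@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
EOF
}

# sent_by_domain external|internal  (log on stdin)
#   external: status=sent deliveries whose relay is anything but "local"
#   internal: status=sent deliveries with relay=local
# Output: "<count> <recipient-domain>", highest count first.
sent_by_domain() {
    mode=$1
    awk -v mode="$mode" '
        /status=sent/ {
            to = ""; relay = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^to=</)   to = $i        # orig_to= is deliberately skipped
                if ($i ~ /^relay=/) relay = $i
            }
            if (to == "" || relay == "") next
            sub(/^relay=/, "", relay); sub(/,$/, "", relay)
            sub(/^to=</, "", to);      sub(/>,?$/, "", to)
            at = index(to, "@")
            if (at == 0) next
            is_local = (relay == "local")
            if ((mode == "internal") != is_local) next
            print tolower(substr(to, at + 1))      # domains compare case-insensitively
        }' | LC_ALL=C sort | uniq -c | awk '{ print $1 " " $2 }' \
           | LC_ALL=C sort -k1,1nr -k2,2
}

sample_log | sent_by_domain external
sample_log | sent_by_domain internal
```

On a host that passes mail to a content filter over SMTP or LMTP, that hand-off is also logged as a sent delivery with a loopback relay, so exclude those relays before counting.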




Re: Reject /Discard outbound domain?

2011-04-12 Thread Randy Ramsdell

Noel Jones wrote:

On 4/12/2011 10:12 AM, Randy Ramsdell wrote:

Noel Jones wrote:

On 4/12/2011 8:28 AM, Randy Ramsdell wrote:

Hi,

I am trying to block all mail going to a certain domain. We
use
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/protected_lists

and its counterpart:

smtpd_restriction_classes = list_blocks
list_blocks = check_sender_access
hash:/etc/postfix/list_members,reject

The user@host is not found in list_members.

I added the domain in protected_lists in this form.

$domain.com reject

When sending to his domain, the message bounces with a "Host
or domain name not found"

The domain does not exist but until the code can be reviewed and
changed, I have to block these messages.

Any suggestions as to why this does not work?


You've not given enough evidence for anyone to say where the
error is.



I use the protected_lists to block certain groups, people etc
from sending to internal lists. There really is no error
thrown by postfix. It is a configuration problem in general.

An example:
$USER@ permit_mynetworks,permit_sasl_authenticated,reject


The proper configuration can be found here:
http://www.postfix.org/RESTRICTION_CLASS_README.html

You don't give us enough details to point out your error.





Or how do I
configure postfix to not check DNS and simply reject/discard?


I think the easiest way to ban a domain is to add it to the
transport_maps with an entry something like
bad.example.com error:invalid domain


-- Noel Jones


I added this to transports and postmapped it:

.someinvaliddomainname.com error:Mail for
*.someinvaliddomainname.com not delivered.

I can still receive the bounce which is what I am trying to
stop. I do not want to bounce for DNS issues. I want to simply
reject or better yet, discard.



That does reject the mail.

If you want postfix to discard the mail, use discard: instead of error:

It's hard to help when you issue evidence and requirements a bit at a time.


  -- Noel Jones


Sorry, this is simply related to file format it appears.

main.cf
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_lists


protected_lists
@someinvaliddomainname.com  reject

and I have used:
someinvaliddomainname.com  reject

I can use this form in protected_lists which works as expected:
d...@someinvaliddomainname.com  reject


There really isn't any more information to give. The problem is I have 
not found out how to wild card the domain.


I am going to spend some time understanding the file format because that 
is where this fails.







Re: Reject /Discard outbound domain?

2011-04-12 Thread Randy Ramsdell

Noel Jones wrote:

On 4/12/2011 8:28 AM, Randy Ramsdell wrote:

Hi,

I am trying to block all mail going to a certain domain. We use
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/protected_lists

and its counterpart:

smtpd_restriction_classes = list_blocks
list_blocks = check_sender_access
hash:/etc/postfix/list_members,reject

The user@host is not found in list_members.

I added the domain in protected_lists in this form.

$domain.com reject

When sending to his domain, the message bounces with a "Host
or domain name not found"

The domain does not exist but until the code can be reviewed and
changed, I have to block these messages.

Any suggestions as to why this does not work?


You've not given enough evidence for anyone to say where the error is.



I use the protected_lists to block certain groups, people etc from 
sending to internal lists. There really is no error thrown by postfix. 
It is a configuration problem in general.


An example:
$USER@   permit_mynetworks,permit_sasl_authenticated,reject


Or how do I
configure postfix to not check DNS and simply reject/discard?


I think the easiest way to ban a domain is to add it to the 
transport_maps with an entry something like

bad.example.com  error:invalid domain


  -- Noel Jones


I added this to transports and postmapped it:

.someinvaliddomainname.com error:Mail for 
*.someinvaliddomainname.com not delivered.


I can still receive the bounce which is what I am trying to stop. I do 
not want to bounce for DNS issues. I want to simply reject or better 
yet, discard.




Reject /Discard outbound domain?

2011-04-12 Thread Randy Ramsdell

Hi,

I am trying to block all mail going to a certain domain. We use
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_lists


and its counterpart:

smtpd_restriction_classes = list_blocks
list_blocks = check_sender_access hash:/etc/postfix/list_members,reject

The user@host is not found in list_members.

I added the domain in protected_lists in this form.

$domain.com   reject

When sending to his domain, the message bounces with a "Host or domain 
name not found"


The domain does not exist but until the code can be reviewed and changed, I 
have to block these messages.


Any suggestions as to why this does not work? Or how do I configure 
postfix to not check DNS and simply reject/discard?







Re: qmgr warning

2011-04-11 Thread Randy Ramsdell

Dennis Guhl wrote:

On Mon, Apr 11, 2011 at 01:04:46PM -0400, Randy Ramsdell wrote:

[..]


What is the "postfix-files" that list say postmap.1 vs.


If you take a peek at postfix.1 you will see a section FILES. There
you can find the files referenced in this man page, including the
postfix-files:

 $daemon_directory/postfix-files, file/directory permissions

With

 # postconf daemon_directory

you can find the path for $daemon_directory.


postmap.1.gz? Are you conveying that the postfix set-permissions
uses some file that lists what man pages to look for?


Dennis

[..]


Okay thanks for the glue. Odd though 
https://bugzilla.novell.com/show_bug.cgi?id=684302 shows that 
postfix-files is not part of the distribution yet is referenced. Maybe 
Matthias Andree's second comment regarding 11.4 does not need to include 
postfix-files since it is referenced using postfix set-permissions with 
Version: 2.7.2-12.3.





Re: qmgr warning

2011-04-11 Thread Randy Ramsdell

Victor Duchovni wrote:

On Mon, Apr 11, 2011 at 12:43:38PM -0400, Randy Ramsdell wrote:


Victor Duchovni wrote:

On Mon, Apr 11, 2011 at 11:49:00AM -0400, Randy Ramsdell wrote:
Okay every single man page, and there are MANY, is also causing an error. 
These are all related to opensuse's postfix-docs rpm which does not create 
sym links to the gzipped page.

If they change the names of the installed files, they MUST change the
contents of the "postfix-files" included with the package. Failure to
do so is a broken package, complain loudly to the package maintainers.

Correction: The man pages are from the postfix rpm.

They did not change the man page names. It is common to use $manpage.1.gz. 


Yes, but if they ship manpage.gz files, then the "postfix-files" file
MUST list those and not files they don't ship. If you change the list
of delivered files, change the package manifest. It does not get much
easier...



What is the "postfix-files" that list say postmap.1 vs. postmap.1.gz? 
Are you conveying that the postfix set-permissions uses some file that 
lists what man pages to look for?


They simply compress the man page. I had to create links like postmap.1 
---> postmap.1.gz. Every manpage for every piece of software is in the form 
$manpage.1.gz. Agreed that the package maintainer could have created these 
links.


Or updated "postfix-files", if the links are not needed for the "man"
command to work.


Of course the link is not needed.




Your binary package is borked, don't use it.
Given it is an Opensuse problem, I still don't see why the postfix 
set-permissions cannot use postmap.1* vs postmap.1 .


That would be wrong. The manifest is supposed to be correct. Changing
the permissions of some random file is a really bad idea.



What manifest are you referring to? Is this an official file that I 
should look into or something you reference simply as a reference? I 
agree that the exact name is preferable, but postmap.1 vs. postmap.1.gz
? In fact every manpage on this server is of the form 
$manpage.$number.gz and strace shows "man" loading zlib libraries. So it 
is a builtin.


Re: qmgr warning

2011-04-11 Thread Randy Ramsdell

Victor Duchovni wrote:

On Mon, Apr 11, 2011 at 11:49:00AM -0400, Randy Ramsdell wrote:

Okay every single man page, and there are MANY, is also causing an error. 
These are all related to opensuse's postfix-docs rpm which does not create 
sym links to the gzipped page.


If they change the names of the installed files, they MUST change the
contents of the "postfix-files" included with the package. Failure to
do so is a broken package, complain loudly to the package maintainers.



Correction: The man pages are from the postfix rpm.

They did not change the man page names. It is common to use 
$manpage.1.gz. They simply compress the man page. I had to create links 
like postmap.1 ---> postmap.1.gz. Every manpage for every piece of 
software is in the form $manpage.1.gz. Agreed that the package maintainer 
could have created these links.


Why not wildcard the man page search? If the script sees anvil.8.gz, 
wouldn't that be enough confirmation that a reasonable assumption could be 
made that this is in fact the manpage for anvil.8?


Reinstalling will not fix the man page thing of course.


Your binary package is borked, don't use it.


What binary? I cannot maintain my own postfix rpms from opensuse. We 
need the security notification and patches. I suppose I could create our 
specific postfix rpms, but who has time.


Given it is an Opensuse problem, I still don't see why the postfix 
set-permissions cannot use postmap.1* vs postmap.1 .




Re: qmgr warning

2011-04-11 Thread Randy Ramsdell

Randy Ramsdell wrote:

Victor Duchovni wrote:

On Mon, Apr 11, 2011 at 10:54:57AM -0400, Randy Ramsdell wrote:

Now I am on dict_mysql.so. So I installed postfix-mysql, now exiting 
for pgsql.


Is there a way to edit a configuration so the program skips certain 
features?


No, you need to fix all the problems. It seems that Postfix you are
installing is very different from the previously installed version,
I don't know whether Debian supports the upgrade path you have chosen,
and whether they upgrade the configuration files in the process or not.
In any case you're on the bleeding edge. It may be simplest to re-install
Postfix, then apply your customizations.



It really is only related to the README, now pgsql ( opensuse has a 
separate rpm for pgsql ) and mysql ( opensuse has a separate package for 
mysql ). It is all logical, but I don't want to install these rpm's 
because we don't use them. I will install postfix-pgsql and see if that 
is the last issue.


Okay every single man page, and there are MANY, is also causing an 
error. These are all related to opensuse's postfix-docs rpm which does 
not create sym links to the gzipped page.
The script looks for EX. postcat.1 which is postcat.1.gz . I also had to 
fix the man page location in main.cf. So far I am creating sym links to 
all these. argh. what a pita. I don't blame Postfix maintainers but 
rather the rpm creator. This isn't the first time opensuse rpm's are 
written poorly, but I am also not sure why the postfix upgrade command 
does not consider a gzipped file.


Why not wildcard the man page search? If the script sees anvil.8.gz, 
wouldn't that be enough confirmation that a reasonable assumption could 
be made that this is in fact the manpage for anvil.8?


Reinstalling will not fix the man page thing of course.



Re: qmgr warning

2011-04-11 Thread Randy Ramsdell

Victor Duchovni wrote:

On Mon, Apr 11, 2011 at 10:54:57AM -0400, Randy Ramsdell wrote:

Now I am on dict_mysql.so. So I installed postfix-mysql, now exiting for 
pgsql.


Is there a way to edit a configuration so the program skips certain 
features?


No, you need to fix all the problems. It seems that Postfix you are
installing is very different from the previously installed version,
I don't know whether Debian supports the upgrade path you have chosen,
and whether they upgrade the configuration files in the process or not.
In any case you're on the bleeding edge. It may be simplest to re-install
Postfix, then apply your customizations.



It really is only related to the README, now pgsql ( opensuse has a 
separate rpm for pgsql ) and mysql ( opensuse has a separate package for 
mysql ). It is all logical, but I don't want to install these rpm's 
because we don't use them. I will install postfix-pgsql and see if that 
is the last issue.


Re: qmgr warning

2011-04-11 Thread Randy Ramsdell

Victor Duchovni wrote:

On Mon, Apr 11, 2011 at 10:02:47AM -0400, Randy Ramsdell wrote:

Argh, I ran postfix upgrade-configuration but not set-permissions. When I 
do add the set-permissions argument, there is an error for README_FILES.


postfix upgrade-configuration set-permissions
chown: cannot access `/usr/share/doc/packages/postfix/README_FILES': No 
such file or directory


locate README_FILES
/usr/share/doc/packages/postfix-doc/README_FILES/
...

rpm -qvf /usr/share/doc/packages/postfix-doc/README_FILES/
postfix-doc-2.7.2-12.3.noarch

Opensuse postfix-doc rpm writes the files to 
/usr/share/doc/packages/postfix-doc/README_FILES/. So the rpm 
maintainer broke postfix a little. I suppose I could ln to 
/usr/share/doc/packages/postfix/README_FILES.


No, just change "readme_directory" in /etc/postfix/main.cf. Also
update any other "installation parameters" that moved.



Okay this exits on each error.  I mean, it is functional however, each 
run continues to add additional problems. I fix one, the script exits 
for another problem, I fix the next, the script exits for another 
problem, etc...


Now I am on dict_mysql.so. So I installed postfix-mysql, now exiting for 
pgsql.


Is there a way to edit a configuration so the program skips certain 
features? An argument maybe?


RCR


Re: qmgr warning

2011-04-11 Thread Randy Ramsdell

Wietse Venema wrote:

Randy Ramsdell:

Ralf Hildebrandt wrote:

* Ralf Hildebrandt :

* Randy Ramsdell :

Apr  8 10:10:30 atlbl6 postfix/qmgr[11959]: warning: connect to transport 
private/retry: Connection refused

grep retry /etc/postfix/master.cf

what do you see?

# grep retry /etc/postfix/master.cf
retry unix  -   -   -   -   -   error
should be the result

Thanks. That was it. It appears the upgrade dealing with the config 
files was not complete.


I recommend that you use  "postfix upgrade-configuration set-permissions"
just to be sure that there are no more surprises later.

Wietse


Argh, I ran postfix upgrade-configuration but not set-permissions. When 
I do add the set-permissions argument, there is an error for README_FILES.


postfix upgrade-configuration set-permissions
chown: cannot access `/usr/share/doc/packages/postfix/README_FILES': No 
such file or directory


locate README_FILES
/usr/share/doc/packages/postfix-doc/README_FILES/
...

rpm -qvf /usr/share/doc/packages/postfix-doc/README_FILES/
postfix-doc-2.7.2-12.3.noarch

Opensuse postfix-doc rpm writes the files to 
/usr/share/doc/packages/postfix-doc/README_FILES/. So the rpm 
maintainer broke postfix a little. I suppose I could ln to 
/usr/share/doc/packages/postfix/README_FILES.


Does the command stop if it has errors or continue so that I can trust 
that this is the only permissions that were not changed?


Thanks,
RCR








Re: qmgr warning

2011-04-08 Thread Randy Ramsdell

Ralf Hildebrandt wrote:

* Ralf Hildebrandt :

* Randy Ramsdell :

Apr  8 10:10:30 atlbl6 postfix/qmgr[11959]: warning: connect to transport 
private/retry: Connection refused

grep retry /etc/postfix/master.cf

what do you see?


# grep retry /etc/postfix/master.cf
retry unix  -   -   -   -   -   error
should be the result



Thanks. That was it. It appears the upgrade dealing with the config 
files was not complete.





qmgr warning

2011-04-08 Thread Randy Ramsdell
Apr  8 10:10:30 atlbl6 postfix/qmgr[11959]: warning: connect to 
transport private/retry: Connection refused


 This is a new postfix server Version: 2.7.2-12.3 opensuse 11.4

Where would I begin to troubleshoot this?

RCR


Re: Windows Live problems

2011-03-18 Thread Randy Ramsdell

Mark Moellering wrote:
I am new to postfix.  I have set it up with dovecot on a unix box : 
postfix 2.8 on freebsd 8.1


While it tests fine under Thunderbird (and kde-mail), I currently can't 
send mail via Windows Live, although I can receive it.


I have been looking at the log files.  This is the error I am seeing:

Mar 18 11:50:53 mail postfix/smtpd[8376]: NOQUEUE: reject: RCPT from 
c-10-0-0-0.hsd1.mi.comcast.net[10-0-0-0]: 554 5.7.1 : 
Relay access denied; from= to= 
proto=ESMTP helo=




m...@msen.com


Re: ..::Smtp Attacks::..

2011-03-14 Thread Randy Ramsdell

mouss wrote:

Le 13/03/2011 17:57, Alfonso Alejandro Reyes Jimenez a écrit :

Hi everyone.

I'm sending this email because I'm looking for a reference regarding smtp 
attacks, this is because I'm working to create some smtp signatures for the 
snort solution.

It's not directly with snort, I'm willing to contribute with the bleeding snort 
project.

I can't find any information regarding the smtp attacks only the relay test and 
that kind of stuff.

The question is:

Is there any book related with smtp attacks, exploits or any other type of 
attack related with the smtp protocol?

I will highly appreciate any recommendation, these signatures will help 
everyone.




This is the wrong place. if we find attacks on postfix, we would report
them and they will be fixed.

anyway, that signature approach is say what...? it's helpful to find
software that's not maintained. but do we need signatures for that?


It is useful. There are many vendors that are not patching the STARTTLS 
bug right away and many still showing unknown.


Re: message id is a unique number?

2011-03-09 Thread Randy Ramsdell

Victor Duchovni wrote:

On Wed, Mar 09, 2011 at 04:05:18PM -0500, Wietse Venema wrote:


Postfix uses the inode number in the name, because the name needs
to be unique across the incoming, active, and deferred directories.

Postfix could lengthen the time before reuse, by including more
time information (four hex digits for ~1 day, six hex digits for
~0.5 year, eight hex digits for ~100 years). Seven hex digits should
be sufficient to silence any complaints. Tighter packing is possible,
but we're restricted to letters and digits (i.e. base 62 math).


Couldn't one also freely use "_" and "+" for a complete base64 "alphabet"?
Certainly log parsers would have to adapt, but is there another reason?



time since EPOCH?


Re: Postix Newbie: Send all outbound mail to another postfix server

2011-03-09 Thread Randy Ramsdell

Stan Hoeppner wrote:

Randy Ramsdell put forth on 3/8/2011 3:57 PM:

Stan Hoeppner wrote:



FYI, the PBL isn't limited to dynamic listings.  Many corporations add
their unused IP space to the PBL, along with other IPs within their
netblocks that shouldn't be sending direct mail.  They do this as part
of a multi-layered approach to network security, in addition to egress
filtering at the edge firewalls.  One errant mouse click by an
apprentice/junior SA can accidentally disable an egress filter, as can a
botched firmware update on a firewall or router, etc, etc.  If, when
such a thing occurs, you already have an internal spambot outbreak that
the firewalls/routers were containing...

I would have never considered this until one day the chief of network
security at Nortel informed me they do precisely what I described above.

Dorothy, you're not in Kansas anymore.


If the firewall is blocking an outbreak of spam bots from sending mail
to the outside, why did they not know and fix this? I mean is it so bad
that the whole network team can't contain it? And then someone botched
the firewall which allowed the spam to be sent? Nortel hmmm.


Randy, you misread what I posted.  Or maybe I didn't state things
clearly.  There were two separate things here.  My 1st paragraph above
describes why companies list some of their IP space in the PBL, and
describes one hypothetical scenario which makes doing so useful.  I
didn't understand the scenario.  That "..." means you, the reader, are
supposed to imagine the rest of the outcome.  I think my prose threw you
off, and caused you to reverse cause and effect.

The 2nd paragraph simply states that I first learned of this use of the
PBL by the chief of network security at Nortel, and that Nortel lists
some of their netspace on the PBL.  The hypothetical scenario did _not_
occur at Nortel.



Ahhh, I see. I can see that listing non-mail sending ips you use on PBL 
as useful.


Re: Postix Newbie: Send all outbound mail to another postfix server

2011-03-08 Thread Randy Ramsdell

Stan Hoeppner wrote:

Dennis Guhl put forth on 3/8/2011 11:52 AM:


If you are blocked because of Spamhaus' PBL you are on an consumer
dial up (http://www.spamhaus.org/pbl/) 


FYI, the PBL isn't limited to dynamic listings.  Many corporations add
their unused IP space to the PBL, along with other IPs within their
netblocks that shouldn't be sending direct mail.  They do this as part
of a multi-layered approach to network security, in addition to egress
filtering at the edge firewalls.  One errant mouse click by an
apprentice/junior SA can accidentally disable an egress filter, as can a
botched firmware update on a firewall or router, etc, etc.  If, when
such a thing occurs, you already have an internal spambot outbreak that
the firewalls/routers were containing...

I would have never considered this until one day the chief of network
security at Nortel informed me they do precisely what I described above.

Dorothy, you're not in Kansas anymore.



If the firewall is blocking an outbreak of spam bots from sending mail 
to the outside, why did they not know and fix this? I mean is it so bad 
that the whole network team can't contain it? And then someone botched 
the firewall which allowed the spam to be sent? Nortel hmmm.


Re: Question on how to setup amavisd with dovecot

2011-03-03 Thread Randy Ramsdell

Islam, Towhid wrote:
I am trying to set up a mail system with postfix being the core (smtp) 
and dovecot for imap/pop3 for end-user mail delivery/retrieval.  While I 
have configured spam and virus scanning for my postfix based mail relay 
hosts, I’m not sure how to incorporate amavisd (for clamav and 
spamassassin) in this new system.  My question is how does it work in 
theory and where to put the necessary configuration parameters in 
main.cf and/or master.cf in postfix?  The way it should work, as I  
believe it should, would be: mail is received by postfix then sent to 
amavisd for virus/spam checking then it is returned to postfix when 
postfix sends it to dovecot.  Am I correct?
 
Thanks.
 


yes




Re: mysql GPL/postfix IPL incompatibility

2011-03-03 Thread Randy Ramsdell

mouss wrote:

Le 01/03/2011 11:25, Matthias Andree a écrit :

Am 28.02.2011 23:57, schrieb Quanah Gibson-Mount:


The main issue I see at the moment really is the inability to legally
link Postfix to MySQL, removing a valuable piece of Postfix functionality.

Not a loss.  If MySQL and Postfix turn out to be incompatible
license-wise, this prevents one particular SQL *implementation* from
being used - but not the functionality (SQL lookups) per se.

If you cannot or do not want to use MySQL due to licensing, use
PostgreSQL.  It not only removes the license worries [1], but also
worries around table storage engines, transactional modes, and ACID
compliance.

[1] 


fully agreed. I started moving out of mysql after oracle acquisition. and
I'm pushing for the same move at $dayjob and "beyond".


Looks like what Oracle wanted is working.


Re: Work-in-progress: trickle attack defense

2011-01-27 Thread Randy Ramsdell

Randy Ramsdell wrote:

Wietse Venema wrote:

I added the following entry to the wip.html file on the Postfix website.

Wietse

Trickle attack defense

The postscreen daemon, available with Postfix 2.8 and later, already
implements time limits to receive one complete SMTP command line.
Postscreen uses a default time limit of 300s for RFC compliance,
but it will switch to a 10s limit under overload conditions.
Postscreen never receives mail, so this is a complete solution.




The rest of Postfix still uses per-read time limits, instead of
per-line time limits. Support for per-line time limits is currently
tested in Postfix 2.9. This solves most of the problem; it limits
the time to receive one complete SMTP command line, but it does
not yet limit the total amount of time to receive the content of
an email message. Instead, use the existing spam blocking mechanisms
to reject mail before the SMTP "DATA" command.


300s for each line as in: mail from: blah ---> 300s?


What I am getting at here is that the attack will still succeed if using 
it for DOS. I am not trying to trivialize this work, but understand how 
this will stop an attack vs. increase the time before the system is 
fully hosed.


rcr


Re: Work-in-progress: trickle attack defense

2011-01-27 Thread Randy Ramsdell

Wietse Venema wrote:

I added the following entry to the wip.html file on the Postfix website.

Wietse

Trickle attack defense

The postscreen daemon, available with Postfix 2.8 and later, already
implements time limits to receive one complete SMTP command line.
Postscreen uses a default time limit of 300s for RFC compliance,
but it will switch to a 10s limit under overload conditions.
Postscreen never receives mail, so this is a complete solution.




The rest of Postfix still uses per-read time limits, instead of
per-line time limits. Support for per-line time limits is currently
tested in Postfix 2.9. This solves most of the problem; it limits
the time to receive one complete SMTP command line, but it does
not yet limit the total amount of time to receive the content of
an email message. Instead, use the existing spam blocking mechanisms
to reject mail before the SMTP "DATA" command.


300s for each line as in: mail from: blah ---> 300s?


Re: Relay config assistance

2011-01-20 Thread Randy Ramsdell

Cameron Smith wrote:

Hello,

I have a VPS with postfix as my MTA.
vps.sweetwise.com 

My MX is handled by another remote server and mail accounts for my 
domain are configured there.


sweetwise.com. 3600 IN MX 0 smtp.secureserver.net.
sweetwise.com. 3600 IN MX 10 mailstore1.secureserver.net.



My VPS needs to send mail to people outside my domain and to accounts on 
my domain.


I set the virtual_alias_domains and virtual_alias_maps entries in 
main.cf  and populated the /etc/postfix/virtual file 
with this style entries:


jo...@sweetwise.com  johng
sweetwise.com  sweetwise.com 
postmas...@sweetwise.com  
jo...@sweetwise.com 


emails to domains other than this one are sending fine.
Emails to my domain have the following entry in maillog but do not 
arrive at the remote mailserver.


Jan 20 09:39:10 vps postfix/local[13436]: BE37CA6D1B16: 
to=mailto:jo...@vps.sweetwise.com>>, 
relay=local, delay=0.47, delays=0.03/0.01/0/0.43, dsn=2.0.0, status=sent 
(delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME


What have I missed or mis configured?

mydestination = $myhostname, localhost.$mydomain, localhost, 
vps.sweetwise.com 


Your server handles mail for vps.sweetwise.com.

rcr


Re: Network Ideas

2011-01-11 Thread Randy Ramsdell

Jonathan Tripathy wrote:


On 11/01/11 16:34, Aaron C. de Bruyn wrote:

On 2011-01-11 at 16:25:38 +, Jonathan Tripathy wrote:

So have my entire email system run on 2 boxes alone? What if the
postfix box were to go down? What if the Dovecot box were to go
down? In my solution, if a box (or VM in my case) were to go down,
at least some parts of the system would still function.

I worked for an ISP that handled mail for about 25,000 mailboxes
and over 500,000 messages per day.  We had two identical boxes
with Postfix and Dovecot serving our customers.  If one went down
our load balancer directed all traffic to the other one.

You could do the same thing with virtual machines if necessary.

The part that seems wrong to me is setting up an entire VM for
each customer.  If your VM host goes down, you have lots of little
VMs to recover instead of a few VMs or a few physical servers.

Just food for thought.
You know your network and setup better than I do.  I just know
what you've passed on to the list.

-A


I really do appreciate where you are coming from.

However, our current infrastructure is VM based. We don't really have 
the rackspace to set up physical boxes (yet anyway).


While I have outlined my setup on this list, I haven’t mentioned this yet:

I intend to setup multiple instances of each component (except the 
customer servers) spread out on different VM hosts, and use our 
load-balancer to distribute the traffic. I could also set up some 
central storage for the customer servers and set up multiple instances 
of those as well


VM's can do precisely what he suggested. Why would a VM environment 
preclude you from setting these up the same as a strictly hardware based 
server setup?


Re: mycingular listed on xbl

2010-12-21 Thread Randy Ramsdell

Victor Duchovni wrote:

On Tue, Dec 21, 2010 at 01:01:25PM -0500, Randy Ramsdell wrote:


Yes, they should be listed.

Why should they? They have mail servers too. I just don't get this.


The individual phones sending directly to your MX host should be
black-listed. The ISP's outbound SMTP servers should not. Which traffic
are you rejecting?

Actually I did not think of this and now I see I overlooked the 
possibility that the phone itself can do a direct connection to our mail 
server which SHOULD be blocked. I simply was thinking their mail server 
was listed and it appears I flew off half cocked.


Re: mycingular listed on xbl

2010-12-21 Thread Randy Ramsdell

Victor Duchovni wrote:

On Tue, Dec 21, 2010 at 12:37:24PM -0500, Randy Ramsdell wrote:

It appears mycingular ( iphone ) ips are listed on spamhaus ( XBL and PBL ) 
for 8 days. I have reject at the smtpd level if found. So my users are 
complaining and I am stuck on the phone with ATT to get them to fix this.


Which listing? Please post the SpamHaus listing URL...



XBL/PBL
http://www.spamhaus.org/query/bl?ip=166.137.11.72

Checked against 70,71,73,74 --- PBL

In any case. The problem is resolved by making sure they use the correct 
mail server ( ours and set to default when sending )


Re: mycingular listed on xbl

2010-12-21 Thread Randy Ramsdell

Noel Jones wrote:

On 12/21/2010 11:37 AM, Randy Ramsdell wrote:

It appears mycingular ( iphone ) ips are listed on spamhaus (
XBL and PBL ) for 8 days.


Yes, they should be listed.


Why should they? They have mail servers too. I just don't get this.




I have reject at the smtpd level if
found.


Yes, you should reject listed IPs **if they don't authenticate**.



That is for PBL correct? I don't reject for PBL.


So my users are complaining and I am stuck on the phone
with ATT to get them to fix this.


Nothing for ATT to fix, stop bothering them.

And I don't get this either. They should always police their servers and 
what is going on.


btw, I did not want to, but I don't make up my daily tasks.


Any suggestions ( other than disable the checks ) to work
around this?


Allow authenticated connections.   Put permit_sasl_authenticated, 
permit_mynetworks before any reject_rbl_*.




  -- Noel Jones


Actually I re-thunk this and did the obvious. No work around needed. but 
thanks.
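
Added example, not part of the original thread: a simplified Python model of the first-match evaluation that Noel Jones's ordering advice relies on. The addresses are constructed, and the static sets standing in for the DNSBL and for mynetworks are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (documentation address ranges, not real listings).
DNSBL_LISTED = {"198.51.100.72"}   # stands in for an address with an XBL/PBL hit
MYNETWORKS = {"192.0.2.10"}        # stands in for a trusted LAN client


@dataclass(frozen=True)
class Client:
    ip: str
    sasl_authenticated: bool


# Each check returns "PERMIT", "REJECT", or None (no opinion, keep going).
def permit_mynetworks(c: Client) -> Optional[str]:
    return "PERMIT" if c.ip in MYNETWORKS else None


def permit_sasl_authenticated(c: Client) -> Optional[str]:
    return "PERMIT" if c.sasl_authenticated else None


def reject_rbl_client(c: Client) -> Optional[str]:
    # The real restriction takes a DNSBL zone argument and does a DNS lookup;
    # here a static set plays the role of the list.
    return "REJECT" if c.ip in DNSBL_LISTED else None


CHECKS = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject_rbl_client": reject_rbl_client,
}


def evaluate(restrictions, client):
    """Walk the list left to right; the first PERMIT or REJECT wins."""
    for name in restrictions:
        verdict = CHECKS[name](client)
        if verdict is not None:
            return verdict, name
    # Nothing matched: Postfix moves on to the next restriction list.
    return "DUNNO", None


RBL_FIRST = ["reject_rbl_client", "permit_mynetworks", "permit_sasl_authenticated"]
AUTH_FIRST = ["permit_mynetworks", "permit_sasl_authenticated", "reject_rbl_client"]

if __name__ == "__main__":
    phone_via_own_server = Client("198.51.100.72", sasl_authenticated=True)
    phone_direct_to_mx = Client("198.51.100.72", sasl_authenticated=False)
    for label, order in (("RBL first", RBL_FIRST), ("auth first", AUTH_FIRST)):
        for who, c in (("authenticated", phone_via_own_server),
                       ("unauthenticated", phone_direct_to_mx)):
            print(f"{label:10} {who:15} -> {evaluate(order, c)}")
```

With the permits first, the authenticated phone is accepted while the same listed address connecting without authentication is still rejected.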


mycingular listed on xbl

2010-12-21 Thread Randy Ramsdell
It appears mycingular ( iphone ) ips are listed on spamhaus ( XBL and 
PBL ) for 8 days. I have reject at the smtpd level if found. So my users 
are complaining and I am stuck on the phone with ATT to get them to fix 
this.


Any suggestions ( other than disable the checks ) to work around this?

Thanks,
Randy Ramsdell


Re: CC all messages relayed through postfix

2010-12-14 Thread Randy Ramsdell

Jeroen Geilman wrote:

On 12/14/10 4:04 PM, Randy Ramsdell wrote:

Matt Hayes wrote:





BCC'ing all of your user's email is unethical IMHO.  Scan outgoing and
incoming email for spam; done.  That way you aren't compromising your
users' private information nor possible security to your clients.

-Matt


Not unethical or compromising private data. If the information can be 
sniffed unencrypted on the wire it is already compromised. Most email 
administrators already have access to mail stores where the same data 
is stored unencrypted. A company's mail server and storage is not for 
personal use and anyone sending e-mail they want to be private should 
not use public/unencrypted methods.

That is an unwarranted assumption. If the OP provides email hosting, 
then he is certainly bound by fairly strict privacy laws.

Nothing in the above suggests this is solely for professional use.



You are correct and should have kept my point more narrow in purpose. 
But I meant to express something similar to... BCC'ing is not unethical 
unless you read all the mail. I could easily BCC all the users mail and 
simply maintain a copy. It is the same as having root access to the mail 
store which I think the OP does.


Re: CC all messages relayed through postfix

2010-12-14 Thread Randy Ramsdell

Matt Hayes wrote:

On 12/13/2010 9:31 PM, Jerrale G wrote:

How would you store a CC of all mailings relayed through postfix, sent
by our users. We have plenty of logs but they don't tell us if someone
sends spam and how much, so that we may reprimand the user early before
ending up on spam lists. We could even use other third party software to
track and collect the mailings stored within the folders. We do require
everyone to store messages in their sent items but we do NOT traverse
the users' mail folders for privacy and they could also delete the spam
messages, from the sent folder, after sending.

The idea is to keep a copy ourselves for reference and only be able to
reference the mailing by the queue id in the mail log; we don't want
other admins to be able to search for a specific user's mailings, 
within the CC folder, by the originating user's email address or such,
which means we will have to obfuscate certain headers before storing in
the CC folder; for privacy and security, the only way any admin should
be able to track sent mail is by the queue id reported by the receiving
smtpd postmaster. If another remote postmaster says they are receiving
mail from our system, they may or may not include a copy as long as they
tell us the queue id(s), for privacy of their end user.

Happy Holidays,

Jerrale Gayle
SC Senior Admin




BCC'ing all of your user's email is unethical IMHO.  Scan outgoing and
incoming email for spam; done.  That way you aren't compromising your
users' private information nor possible security to your clients.

-Matt


Not unethical or compromising private data. If the information can be 
sniffed unencrypted on the wire it is already compromised. Most email 
administrators already have access to mail stores where the same data is 
stored unencrypted. A company's mail server and storage is not for 
personal use and anyone sending e-mail they want to be private should 
not use public/unencrypted methods.


Re: Empty From when generating bounce

2010-12-07 Thread Randy Ramsdell

Trigve Siver wrote:

From: Michael Tokarev
To: Trigve Siver
Cc: postfix-users@postfix.org
Sent: Tue, December 7, 2010 10:08:04 AM
Subject: Re: Empty From when generating bounce

07.12.2010 11:21, Trigve Siver wrote:
[]
yes I know but I'm not in charge of relayhost and they (who are in charge)
told me that they don't accept empty From. Could I somehow change From to some
kind of "black hole" which will discard all the mails?

Postfix tries hard to conform to existing standards.
Breaking standards is not done in Postfix, sorry.
And it is a wrong target anyway - the right target
is to fix the piece that actually violates the
standard.


Thanks for reply.

Could someone post the excerpt from the standard where this is defined, to be 
able to argue with the relayhost provider, please?


Thank you
 

/mjt



Trigve



Beating a dead horse, but I would use a relay where the admins do not 
know the standards. The admins of that server should delegate duties to 
someone else.





Re: Getting connection timed out error

2010-12-07 Thread Randy Ramsdell

Avinash Pawar wrote:

Hello,

I am getting the following error whenever try to send email to gmail :

connect to alt4.gmail-smtp-in.l.google.com[74.125.79.27]: Connection timed out (port 25)


And for rediff :

connect to mx.rediffmail.rediff.akadns.net[202.137.235.10]: Connection timed out


Can you suggest why this is happened?

Thanks & Regards,
Avinash


Outage?


Re: Drop the rejects from a forwarded alias

2010-11-29 Thread Randy Ramsdell

Victor Duchovni wrote:

On Mon, Nov 29, 2010 at 03:01:45PM -0500, Randy Ramsdell wrote:

So to rephrase, what would be the best practices way given I have to 
forward this email and am powerless to change the design other than our 
setup which may only include trying to mitigate backscatter?


If list expansion happens on your server, you can implement standard
list management methods (an envelope sender address that is a list
bounce-parser that uses VERP).


If you are simply forwarding mail to an already expanded list, there
is not much you can do. The list management problem is upstream, and
needs to be handled there.



We simply alias

$user  $u...@$othermailserver

The $users we forward to are known by our mail server and no mail will 
forward otherwise. I cannot think of a scenario which rejected mail from 
$othermailserver would be anything other than UCE in this case. The 
fringe issues would be a borked config which reject because of 
misconfiguration on their end which would result in lost mail if we drop 
all rejects from $othermailserver.


What scenarios could occur which would make dropping these rejects a bad 
idea?




Re: Drop the rejects from a forwarded alias

2010-11-29 Thread Randy Ramsdell

lst_ho...@kwsoft.de wrote:

Quoting Randy Ramsdell:


Hi,

I am going to have to implement something that drops rejected mail 
from one of our aliases.


The scenario is that we forward to an external server and cannot match 
its spam/UCE rules so our server backscatters mail.


One way would be to drop all rejects. I think this will work because 
our server handles the $users and only forwards known.


Or what would be the best practices way?



Best practice is to not forward mail to destinations which don't accept 
it. If the destination has no feature of "whitelist" your server, disable 
forwarding to that destination. All other options lead to potential mail 
blackholes which are worse than spam.


Regards

Andreas





I understand this. However, I cannot tell the President of our company 
that he can't use his exchange server and it is beyond my control to 
change the hosted exchange server configuration. I have to forward this 
mail no matter what I think should be done.


So to rephrase, what would be the best practices way given I have to 
forward this email and am powerless to change the design other than our 
setup which may only include trying to mitigate backscatter?


Drop the rejects from a forwarded alias

2010-11-29 Thread Randy Ramsdell

Hi,

I am going to have to implement something that drops rejected mail from 
one of our aliases.


The scenario is that we forward to an external server and cannot match 
its spam/UCE rules so our server backscatters mail.


One way would be to drop all rejects. I think this will work because our 
server handles the $users and only forwards known.


Or what would be the best practices way?

Thanks,
RCR


Re: Postfix Optimization

2010-11-19 Thread Randy Ramsdell

Victor Duchovni wrote:

On Fri, Nov 19, 2010 at 06:05:12PM +0530, Avinash Pawar // Viva wrote:


I also noticed the number of TCP connections by *ss -s *command

Whenever it goes beyond 900 then mail sending speed is 5-6 mails per second.

When the connections are below 900 then the mail sending speed is 100-200.


You are confusing cause and effect. When delivery latency is low, the
concurrency is low. When latency is high, concurrency is high too.

You've said nothing about where the mail is going, whether the recipients
want it or whether it is spam, have provided no quantitative analysis
of the "delays=..." entries in your logs.

Bulk mail delivery is often slow, because receiving systems (Yahoo,
Gmail, Hotmail, ...) rate limit sending systems not in their whitelists.



Yahoo will rate limit even if you are on their whitelist and feedback loop.


Re: postfix won't start, no messages anywhere

2010-11-19 Thread Randy Ramsdell

Len Conrad wrote:

Len Conrad:

At 09:12 AM 11/19/2010, you wrote:

Len Conrad:

The scan dir ownership was fixed by running postfix-install.  not
sure how another guy detected that scan was bad ownership, since
that finding was not logged after I moved the scan/* msgs out.

I've moved the 2176 msgs back to scan and set them to postfix:wheel,
but there they sit.  What now?

Do:

   # script
   # strace /some/where/master -dv; exit

and see what happens.

I stopped postfix and ran the above.

Um, you already had it running? 


I did say "fixed by running postfix-install", wasn't clear that postfix-install 
fixed postfix fail-to-run problem.

fsck or whatever Linux RH does to fix filesystems apparently converted "private/scan=" 
socket to "private/scan" dir, into which we got 2176 Maildir files as orphans.

no suggestions how to deliver these orphan Maildir msgs?

Len





So the filesystem has been repaired and you have these odd files lying 
around. I have not heard of fsck changing things as you mentioned and mostly 
look in lost+found to recover files and I do not have the scan socket on 
my system.


Why not read those files and resend them? However you want to do that is 
up to you but I would script it if possible. I am curious as to what the 
file contents are exactly. If they are emails such as you would find in 
Maildir directories, then the solution would be easy.


Re: A question about myorigin, myhostname, etc.

2010-11-16 Thread Randy Ramsdell

Chris G wrote:

I have a small SoHo network of machines and I have postfix installed on
most of them for sending mail.   The machines sit behind a NAT router
which connects them to the internet, the domain name (as seen from the
outside world) is zbmc.eu.  All the machines are running xubuntu 10.04
and have postfix 2.7.0.

Within the LAN behind the router the machines have names like
chris.zbmc.eu, mws.zbmc.eu, dps.zbmc.eu and so on.

Most things are working OK, I can send and receive mail on my desktop
machine OK via my ISP's smarthost and I get local messages OK.

My problem has arisen on one of the machines which is a headless server,
it's dps.zbmc.eu.  I want E-Mail from that machine to be sent out via
the mailhub machine on the network which is mws.zbmc.eu.  The problem is
that, whatever I try, the mailhub machine sees mail sent from dps.zbmc.eu
as coming from zbmc.eu (well, its IP) and rejects it with a 'relaying
denied' message.

The bottom of /etc/postfix/main.cf on dps.zbmc.eu is:-

myhostname = dps.zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = dps.zbmc.eu, localhost.zbmc.eu, localhost
relayhost = mws.zbmc.eu
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = ipv4

What I see in /var/log/mail.log is:-
Nov 16 16:04:20 mws postfix/smtpd[31242]: connect from unknown[84.45.228.40]
Nov 16 16:04:20 mws postfix/smtpd[31242]: NOQUEUE: reject: RCPT from unknown[84.45.228.40]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Nov 16 16:04:20 mws postfix/smtpd[31242]: disconnect from unknown[84.45.228.40]

So why does postfix see the connection as if it comes from 84.45.228.40?
It's as if it thinks the connection is from zbmc.eu as opposed to
dps.zbmc.eu but everything is set to say I'm sending from dps.zbmc.eu.
The command 'host dps.zbmc.eu' returns 'dps.zbmc.eu has address
192.168.1.2' on both dps.zbmc.eu and on mws.zbmc.eu.  (Oh, /etc/mailname
contains dps.zbmc.eu too)



It connects from 84.45.228.40. Either fix that or add that to 
mynetworks on mws.zbmc.eu.
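
Added example, not part of the original thread: a Python check that pulls the client address out of "Relay access denied" rejects and tests it against a mynetworks value, which shows why the hub refused the NATed connection. The log lines are constructed from the excerpt above with placeholder addresses, and the hub's mynetworks value is an assumption because the thread does not show it.

```python
import ipaddress
import re

# Constructed log lines modelled on the excerpt quoted above. The client IP is
# the one from the thread; sender, recipient and HELO values are placeholders.
SAMPLE_LOG = """\
Nov 16 16:04:20 mws postfix/smtpd[31242]: connect from unknown[84.45.228.40]
Nov 16 16:04:20 mws postfix/smtpd[31242]: NOQUEUE: reject: RCPT from unknown[84.45.228.40]: 554 5.7.1 <user@example.org>: Relay access denied; from=<root@dps.zbmc.eu> to=<user@example.org> proto=ESMTP helo=<dps.zbmc.eu>
Nov 16 16:04:20 mws postfix/smtpd[31242]: disconnect from unknown[84.45.228.40]
"""

# Assumption: a typical LAN-only mynetworks value for the hub. The thread does
# not show the real setting on mws.zbmc.eu.
ASSUMED_MYNETWORKS = "127.0.0.0/8 192.168.1.0/24 [::1]/128"

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"554 .*?Relay access denied"
)


def relay_denied_clients(log_text):
    """Return (hostname, ip) for every 'Relay access denied' reject."""
    return [(m.group("host"), m.group("ip")) for m in REJECT_RE.finditer(log_text)]


def parse_mynetworks(value):
    """Parse a plain list of addresses/CIDR blocks (no files, no '!' exclusions)."""
    nets = []
    for item in re.split(r"[,\s]+", value.strip()):
        if item:
            # Postfix writes IPv6 networks as [addr]/len; drop the brackets.
            cleaned = item.replace("[", "").replace("]", "")
            nets.append(ipaddress.ip_network(cleaned, strict=False))
    return nets


def in_mynetworks(ip, value):
    """True if ip falls inside any network listed in the mynetworks value."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_mynetworks(value))


def diagnose(log_text, mynetworks):
    """Map each rejected client IP to whether mynetworks would have trusted it."""
    return {ip: in_mynetworks(ip, mynetworks)
            for _host, ip in relay_denied_clients(log_text)}


if __name__ == "__main__":
    for ip, trusted in diagnose(SAMPLE_LOG, ASSUMED_MYNETWORKS).items():
        print(f"{ip}: {'inside' if trusted else 'outside'} mynetworks")
```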


Re: Forwarding pending emails

2010-11-08 Thread Randy Ramsdell

Victor Duchovni wrote:

On Mon, Nov 08, 2010 at 09:32:00PM +0100, Ralf Hildebrandt wrote:

When all links are down, you have a loop 


1-2-3-4-5-2-3-4-5

going at local network speeds.

But at least this will end really quickly :)


Mail should queue, not loop and bounce.



But what timings are used in a remote server overloaded, temp downed or 
anything like this? By timings, I mean what settings could be used to 
have any one of the relays retry before sending it to the next relay? I 
also am curious if when relayed to one in the rotor, is the message 
immediately retried, are deferrals sent to the relay rotor?


Re: Forwarding pending emails

2010-11-08 Thread Randy Ramsdell

Victor Duchovni wrote:

On Mon, Nov 08, 2010 at 08:43:07PM +0100, Ralf Hildebrandt wrote:


The fallback relays MUST be loop-free. Thus machine4 must NOT forward
back to machine1.

I was assuming that at least one machine CAN send mail :)


Your assumption is unwarranted, and fails to take into account the
possibility of remote failures, that result in mail looping between the
backup machines, while a remote destination is down.



If the receiving server is temp down, the message will continue to relay 
to each defined relay as fast as the servers are able to process the 
message and then the last queues it? Would this be an issue for bulk 
mailers, etc...? I could not find more granular documentation which 
states that a message may be retried or where options could be configured.


Re: SPF enforcement opinions?

2010-11-04 Thread Randy Ramsdell

Robert Fitzpatrick wrote:
I have SPF setup and Postfix is rejecting mail from explicitly 
unauthorized servers. If a customer wants me to customize the 
configuration so that they can receive mail from that server, is that 
wrong? Their current SPF TXT record contains a hard fail as ...


"v=spf1 a mx ptr -all"

--Robert


I say, the customer gets what they want.


Re: problem sending outside of local machine

2010-07-30 Thread Randy Ramsdell

Wietse Venema wrote:

Christopher Adams:
  

Hello,

I have a new Postfix install running under Centos 5.3. I am able to send
mail from the command line, but anything sent from another machine is not
sent, nor is it logged. I have read the debugging information and hopefully,
I am sending some useful information. I am including the log file from a
command line message that was sent, the Postfinger output, and the postconf
-n output. I noticed in the maillog that it refers to localhost, as opposed
to the actual host name. I have verified the hostname through all the
typical Linux methods. I appreciate any help.



Try:

$ telnet your.host.name smtp

from a different machine. You may need to update a firewall rule
before Postfix can receive mail from outside.

Wietse
  

Is it even bound to an ip other than 127.0.0.1?

Randy Ramsdell


Re: postfix as forwarder and backscatterer problem

2010-07-22 Thread Randy Ramsdell

Vasya Pupkin wrote:

Hello.

First, I have spent two days reading articles and searching web for
solution but failed there. I am using postfix as an mx for my domains,
it accepts mail for different addresses within my domains which is
then forwarded to other external domains, i.e. google.com and other
mail services. Mail for unknown users is rejected, many other check
are performed, but still sometimes my system acts as a backscatterer
when something like this happens:

1. Incoming mail passes all tests, it's coming to one of the addresses
within my domain, i.e. existing-u...@mydomain.tld
2. Postfix then forwards mail to external domain, i.e. myem...@mailservice.tld
3. For some reason mailservice.tld rejects this mail, i.e. it doesn't
like its content or size.
4. Postfix then bounces mail to sender, which can be forged, and thus,
becoming a backscatterer.

Is there any way to prevent postfix from sending bounces anywhere?
  
I am dealing with the same thing. I have to forward to non-local mail 
servers and I try to mimic some of those settings but we still get a few 
that pass local mail to external mail which is then rejected.
Maybe a script that checks for the rejects and discards would work? I 
will think through that approach for use here actually.


RCR
Linux System Administrator



Re: Best Practise

2010-07-21 Thread Randy Ramsdell

mouss wrote:

Simone Caruso wrote:
  

On 19/07/2010 22:04, Jonathan Tripathy wrote:


On 19/07/10 18:07, Angelo Amoruso wrote:
  

On 16/07/2010 10.10, Jonathan Tripathy wrote:


Hi Everyone,
I have set up a mail server (on a VM) as per this article:
http://workaround.org/ispmail/lenny
I wish to host this server for a customer. However, I don't think
it's "best practise" to simply place the whole VM in a DMZ and port
forward to it. My question is, what should I do and what should I
"split up"? The networks I have available to me are:
  


If using BSD or Linux, you can also enable the "local" packet filter (pf
under BSD, netfilter/iptables under Linux) to only allow explicitly
authorized traffic. if you are familiar with these tools, then you don't
even need a firewall (pf and netfilter/iptables are firewalls, so you
get a self protected box. but this is only true if "you are familiar..." ).
  
But a host based firewall which controls traffic is subject to 
compromise itself. If you compromise the DMZ'd mail server, then you 
could then change the firewall rules.