Re: Reject email

2013-05-10 Thread Reindl Harald

On 10.05.2013 08:26, Stan Hoeppner wrote:
>> nobody expects that if he makes mistakes in his DNS configs and is too
>> lazy to verify what he configured, others will configure their servers
>> to help him
> 
> Again you miss the point. The reason for a 4xx here is so the mail gets
> queued and can simply be flushed after the DNS or other error is
> corrected. Thus the message isn't needlessly returned to the sender.
> Most of such errors are found and corrected pretty quickly. Using a 4xx
> in this case keeps things more transparent to users, whether mine,
> yours, or the guy at the remote SMTP site.

most of these errors are corrected after someone complains, and with
a 4xx it takes up to 5 days until this happens

a wrong configuration is a wrong configuration
period

>> with this attitude you would need to reject everything with 4xx because
>> someone could have made a mistake - this is a bad attitude in the
>> context of e-mail
> 
> No, Reindl, this is called courtesy to fellow network operators. The
> only bad attitude here is yours. You display it both here and on the
> Dovecot list regularly.  Being brash and arrogant is one thing.  Most
> people dislike that but tolerate it. But the constant cursing and
> berating anyone who disagrees with you crosses the line.

disagreeing is one thing, but disagreeing on clear technical facts is another

> Frankly I'm surprised that Wietse and Victor have let you get away with
> this behavior for so long. I guess they're leaving it up to members to
> add you to local kill files...

frankly i am surprised that you don't attack Wietse sometimes after
he refers to some documentation followed by "to unsubscribe."



signature.asc
Description: OpenPGP digital signature


Re: Reject email

2013-05-10 Thread Reindl Harald

On 10.05.2013 08:26, Stan Hoeppner wrote:
> On 5/9/2013 9:55 AM, Reindl Harald wrote:
>>
>> On 09.05.2013 16:44, Stan Hoeppner wrote:
>>> Normally I'd avoid arguing with you, Reindl, as it simply
>>> clutters the list
>>
>> keep this bullshit to yourself
> 
> Nice etiquette...

and what was your quoted line, clown?

>>> On 5/9/2013 7:26 AM, Reindl Harald wrote:
>>>
>>>> if you have an A record for "example.com" and your incoming
>>>> mail server is on this IP you do not need any MX record
>>>> and postfix will happily use the A record to deliver mail
>>>
>>> When did you last come across a domain configured strictly for fallback
>>> to A?  While RFC may require it
>>
>> NOT SO LONG AGO
>>
>> a few years ago i was so naive and stupid as to implement
>> a DNS check in the verify function of my php framework
>> to prevent import / subscription to newsletter lists with
>> undeliverable domains
>>
>> i had to learn the hard way that RFCs are
>> not only for fun
> 
> You missed the point entirely.  I think this is because you are
> predisposed to argue with anyone who disagrees with you, even when they
> are correct and you are incorrect.  Hence the preface in my previous reply

but your problem is that you are not correct






Re: Reject email

2013-05-09 Thread Reindl Harald

On 09.05.2013 16:44, Stan Hoeppner wrote:
> Normally I'd avoid arguing with you, Reindl, as it simply
> clutters the list

keep this bullshit to yourself

> On 5/9/2013 7:26 AM, Reindl Harald wrote:
> 
>> if you have an A record for "example.com" and your incoming
>> mail server is on this IP you do not need any MX record
>> and postfix will happily use the A record to deliver mail
> 
> When did you last come across a domain configured strictly for fallback
> to A?  While RFC may require it

NOT SO LONG AGO

a few years ago i was so naive and stupid as to implement
a DNS check in the verify function of my php framework
to prevent import / subscription to newsletter lists with
undeliverable domains

i had to learn the hard way that RFCs are
not only for fun

>> another story is if there is an MX record but the listed
>> hostname does not resolve, and at least for me the intention
>> of "if the MX does not exist" is not clear enough as to whether it means
>>
>> a) no MX record for the domain
>> b) an MX record with a non-resolving hostname
>>
>> rejecting b) would be fine
> 
> Only if the response is 4xx. People fat finger records all the time

that's their problem
after fixing this the next mails would go through

nobody expects that if he makes mistakes in his DNS configs and is too
lazy to verify what he configured, others will configure their servers
to help him

with this attitude you would need to reject everything with 4xx because
someone could have made a mistake - this is a bad attitude in the
context of e-mail





Re: Reject email

2013-05-09 Thread Reindl Harald


On 09.05.2013 14:14, Stan Hoeppner wrote:
> On 5/9/2013 5:28 AM, Reindl Harald wrote:
>>
>> On 09.05.2013 12:24, Héctor Moreno Blanco wrote:
>>> I would like to reject an email if the MX does not exist. We have enabled
>>> the settings reject_unknown_sender_domain
>>> and reject_unknown_recipient_domain. However, if the domain has DNS and
>>> resolves it, the message is sent, and we
>>> don't want that
>>
>> this is a completely broken idea
> 
> Not completely broken.  It's not really "no MX" that Hector is after,
> but undeliverable sender addresses in snowshoe spam.  "No MX" would fall
> under this umbrella

if you have an A record for "example.com" and your incoming
mail server is on this IP you do not need any MX record
and postfix will happily use the A record to deliver mail

another story is if there is an MX record but the listed
hostname does not resolve, and at least for me the intention
of "if the MX does not exist" is not clear enough as to whether it means

a) no MX record for the domain
b) an MX record with a non-resolving hostname

rejecting b) would be fine
rejecting a) would be stupid






Re: Reject email

2013-05-09 Thread Reindl Harald


On 09.05.2013 12:24, Héctor Moreno Blanco wrote:
> I would like to reject an email if the MX does not exist. We have enabled the
> settings reject_unknown_sender_domain
> and reject_unknown_recipient_domain. However, if the domain has DNS and
> resolves it, the message is sent, and we
> don't want that

this is a completely broken idea

no RFC in this world says that a domain must have an MX record and many
do not - your idea would result in dropping a lot of legit email



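The MX-then-A fallback that the posts in this thread argue about, as an added example that is not part of the thread or of Postfix. The resolver is a constructed in-memory table (the example.* names and addresses are made up), so it runs offline; classify() follows the RFC 5321 rule of trying MX hosts first and falling back to the domain's A record only when no MX exists, which separates case a) (no MX, still deliverable) from case b) (MX present, listed host does not resolve). reject_unknown_sender_domain() mirrors the documented Postfix condition (reject only when the domain has neither an MX nor an A record; AAAA is left out here), and require_mx() is the stricter check the original poster asked for:

```python
"""MX-then-A routing classification for a mail domain (RFC 5321 section 5).

Added example, not code from the thread or from Postfix.  DNS data is a
constructed in-memory table so the script runs offline; all names and
addresses are hypothetical.
"""
from enum import Enum


class Route(Enum):
    MX = "deliverable via MX"
    A_FALLBACK = "deliverable via A record (no MX: RFC 5321 implicit MX)"
    MX_BROKEN = "MX present but no listed host resolves"
    NO_RECORDS = "no MX and no A record"


# Constructed zone data: name -> {rtype: [values]}
DNS = {
    "good.example":       {"MX": [(10, "mx1.good.example")]},
    "mx1.good.example":   {"A": ["192.0.2.10"]},
    "afallback.example":  {"A": ["192.0.2.20"]},                   # case a)
    "broken.example":     {"MX": [(10, "nowhere.broken.example")]},  # case b)
    "nomail.example":     {"TXT": ["v=spf1 -all"]},                # neither
}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def classify(domain):
    """Decide how an RFC 5321 client (Postfix included) would route mail."""
    mx = lookup(domain, "MX")
    if mx:
        # Lowest preference first; skip MX hosts whose name does not resolve.
        for _pref, host in sorted(mx):
            if lookup(host, "A"):
                return Route.MX
        return Route.MX_BROKEN
    if lookup(domain, "A"):
        return Route.A_FALLBACK
    return Route.NO_RECORDS


def reject_unknown_sender_domain(domain):
    """Documented Postfix condition: reject only when the domain has neither
    an MX nor an A record.  Case b) is NOT caught by this restriction."""
    return classify(domain) == Route.NO_RECORDS


def require_mx(domain):
    """The stricter check the original poster asked for: no MX, no mail.
    The A-fallback case shows the legitimate mail this would drop."""
    return not lookup(domain, "MX")


if __name__ == "__main__":
    for d in DNS:
        if "." in d and d.count(".") == 1:  # domains only, not MX hostnames
            print(f"{d:20} {classify(d).value:55} "
                  f"unknown_sender_domain={reject_unknown_sender_domain(d)} "
                  f"require_mx={require_mx(d)}")
```

Running it shows why the original idea drops legitimate mail: afallback.example is refused by require_mx() although Postfix would deliver to it, while broken.example passes reject_unknown_sender_domain() because that restriction looks at record existence, not at whether the MX host resolves. Catching case b) is the job of address verification (reject_unverified_sender), which actually probes the MX.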


Re: reject_unknown_reverse_client_hostname safe?

2013-05-07 Thread Reindl Harald


On 08.05.2013 02:09, Vincent Lefevre wrote:
> While I agree that a PTR should be set, this is different. A MTA
> sending legitimate mail (not spam) but without a PTR doesn't cause
> any damage

and because machines do not guess and smell whether it is legitimate
there are rules which are enforced, and anybody these days who
thinks he needs to maintain his own MTA has to read manuals
and best practices before plugging the machine into the internet





Re: reject_unknown_reverse_client_hostname safe?

2013-05-07 Thread Reindl Harald

On 08.05.2013 01:58, Vincent Lefevre wrote:
> BTW, if I understand correctly what has been said earlier, DEFER would
> be better than REJECT as the reverse_client_name==unknown error may be
> temporary

RTFM

http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
The reply is always 450 in case the address->name lookup failed due to a 
temporary problem



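The reply-code rule quoted from the postconf text above, as an added example (not Postfix code): a constructed resolver table distinguishes a permanent lookup failure (NXDOMAIN) from a temporary one (SERVFAIL or timeout), and the two functions model reject_unknown_reverse_client_hostname (a PTR must exist) and the stricter reject_unknown_client_hostname (the PTR name must also resolve back to the client IP, the FCrDNS check mentioned elsewhere in the thread). unknown_client_reject_code is the real Postfix parameter that chooses the permanent-failure code; everything else (names, addresses, the DUNNO/DEFER/REJECT tuples) is an assumption made for the illustration.

```python
"""Reply-code logic of Postfix's reverse-DNS client restrictions.

Added example with a constructed in-memory resolver; not Postfix code.
Only `unknown_client_reject_code` is a real Postfix parameter name; the
resolver data and function return values are assumptions for illustration.
"""
NXDOMAIN = "NXDOMAIN"    # permanent: the name really does not exist
SERVFAIL = "SERVFAIL"    # temporary: resolver timeout, lame delegation, ...

# Constructed PTR data (address -> name, or a failure marker).
PTR = {
    "192.0.2.10": "mail.good.example",   # forward-confirmed
    "192.0.2.20": "mail.liar.example",   # PTR exists, forward does not match
    "192.0.2.30": NXDOMAIN,              # no PTR at all
    "192.0.2.40": SERVFAIL,              # DNS broken right now
}
# Constructed A data (name -> addresses).
A = {
    "mail.good.example": ["192.0.2.10"],
    "mail.liar.example": ["198.51.100.7"],
}


def reverse_lookup(ip):
    return PTR.get(ip, NXDOMAIN)


def forward_lookup(name):
    return A.get(name, [])


def reject_unknown_reverse_client_hostname(ip, unknown_client_reject_code=450):
    """Only the address->name mapping must exist.

    Returns (action, code).  A temporary lookup failure is always answered
    with 450, whatever unknown_client_reject_code says; a permanent failure
    gets the configured code (Postfix default 450, commonly raised to 550).
    """
    name = reverse_lookup(ip)
    if name == SERVFAIL:
        return ("DEFER", 450)
    if name == NXDOMAIN:
        return ("REJECT", unknown_client_reject_code)
    return ("DUNNO", None)   # restriction does not apply; next one decides


def reject_unknown_client_hostname(ip, unknown_client_reject_code=450):
    """Stricter FCrDNS variant: the PTR name must resolve back to the IP."""
    name = reverse_lookup(ip)
    if name == SERVFAIL:
        return ("DEFER", 450)
    if name == NXDOMAIN or ip not in forward_lookup(name):
        return ("REJECT", unknown_client_reject_code)
    return ("DUNNO", None)


if __name__ == "__main__":
    for ip in PTR:
        print(ip,
              "reverse:", reject_unknown_reverse_client_hostname(ip, 550),
              "fcrdns:", reject_unknown_client_hostname(ip, 550))
```

The practical consequence: a site that sets unknown_client_reject_code = 550 still hands out 450 for the broken-resolver case, so a sender with a working PTR but a temporarily lame DNS is queued and retried rather than bounced, which is the case the DEFER-vs-REJECT question above was worried about.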


Re: reject_unknown_reverse_client_hostname safe?

2013-05-07 Thread Reindl Harald


On 08.05.2013 01:47, Vincent Lefevre wrote:
> On 2013-05-07 14:19:40 +0200, Reindl Harald wrote:
>> On 07.05.2013 14:02, Vincent Lefevre wrote:
>>> depending on the recipient or other factors. And it seems that
>>> some users forget to set up a PTR for all their IPv6 addresses.
>>> This apparently includes Debian's mailing-list server.
>>
>> that's their problem
> 
> Not just the sender's problem, but also the recipients

no - if someone lacks the basics of how to fulfil the requirements
for an MTA it is his problem, and i am not a recipient

>> and because of this attitude they are not forced to fix their
>> setups - if every MTA rejected the mails the problem would
>> not have existed for years, because even the dumbest admin would
>> realize it if every outgoing message failed
> 
> My server is just for me and partly for a few members of my family.
> My attitude won't change anything in practice

and because everybody seeks a different excuse not to enforce
mail policies we have had the same discussions for decades





Re: reject_unknown_reverse_client_hostname safe?

2013-05-07 Thread Reindl Harald

On 08.05.2013 01:41, Vincent Lefevre wrote:
> On 2013-05-07 17:36:49 -0500, /dev/rob0 wrote:
>> I'm going to take this chance to pipe into this thread that I am 
>> confused about Vincent's issue. He says that the client which lacked 
>> PTR (the one run by a Debianista) was not a mail exchanger, or not
>> exchanging mail.
>>
>> Why, then, would reject_unknown_reverse_client_hostname be an issue? 
>> Obviously one must never apply this against one's own submitting 
>> users. Or was Vincent confused about the distinction between mail 
>> exchanging clients and submission clients?
> 
> I'm not sure about your terminology. When I hear "mail exchanger",
> I think about "MX" and a machine pointed to by a MX record. At
> least this is what I get when searching for "mail exchanger" on
> Google

yes, MX is irrelevant in the case of a sending MTA

but as explained you need a PTR on an MTA which wants to
deliver mail to another server or you have to expect
that your mail is rejected

it is perfectly safe to call anybody who wants to deliver
mails to you without having a valid PTR on his machine
a fool and reject his message, and if he complains simply
recommend him to let someone else with more
qualification do the job

period





Re: grep maillog by date

2013-05-07 Thread Reindl Harald


On 07.05.2013 16:20, Martin Schütte wrote:
> On 05/07/2013 04:03 PM, Reindl Harald wrote:
>> exactly the format like below from /var/log/maillog and yesterday?
> 
> With GNU date:
> fgrep -e "`date -d yesterday +'%b %e'`" /var/log/mail.log | fgrep NOQUEUE

perfect - thank you very much!





Re: grep maillog by date

2013-05-07 Thread Reindl Harald
the main question is

a) dynamically
b) ! yesterday ! from the time the script runs

this is intended for a cron-job

On 07.05.2013 16:09, Newton Pasqualini Filho wrote:
> Use AWK
> 
> Like this:
> 
> cat /var/log/maillog | awk '{ if ($1=="May" && $2=="7") print $0 }' | grep 
> NOQUEUE
> 
> 
> On 07/05/2013, at 11:03, Reindl Harald wrote:
> 
>> Hi
>>
>> i would like a grep of all records from the previous
>> day with "NOQUEUE" in a bash script - how do i get
>> exactly the format like below from /var/log/maillog
>> and yesterday?
>>
>> May  7 12:29:39 mail postfix/smtpd[29696]: NOQUEUE
>>
>> final goal:
>> add the output at the bottom of my daily logwatch





grep maillog by date

2013-05-07 Thread Reindl Harald
Hi

i would like a grep of all records from the previous
day with "NOQUEUE" in a bash script - how do i get
exactly the format like below from /var/log/maillog
and yesterday?

May  7 12:29:39 mail postfix/smtpd[29696]: NOQUEUE

final goal:
add the output at the bottom of my daily logwatch



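The cron-job filter asked for above, as an added example in Python rather than the fgrep / `date -d yesterday +'%b %e'` one-liner given in the reply; it is not part of the thread. The date prefix is padded to two characters the way syslog writes it ("May  7" with two spaces, "May 10"), which is what %e does in the shell version; the sample log is constructed, and the hostnames and addresses in it are made up.

```python
"""Yesterday's NOQUEUE records from a syslog-style Postfix maillog.

Added example, not from the thread.  It mirrors the shell one-liner
    fgrep -e "`date -d yesterday +'%b %e'`" /var/log/maillog | fgrep NOQUEUE
with the day padded exactly as syslog pads it.  SAMPLE_LOG is constructed;
the hosts and addresses in it are hypothetical.
"""
import datetime as dt


def yesterday_prefix(today=None):
    """Syslog timestamp prefix for the day before `today`.

    `today` may be a date, an ISO string ("2013-05-08") or None (= now).
    """
    if today is None:
        today = dt.date.today()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)
    y = today - dt.timedelta(days=1)
    # Same text as strftime('%b %e') in the C locale, without relying on %e,
    # which is not available on every platform.  %b is locale dependent.
    return f"{y:%b} {y.day:2d}"


def noqueue_lines(lines, prefix):
    """Records from the day `prefix` that contain a NOQUEUE entry."""
    return [ln for ln in lines
            if ln.startswith(prefix + " ") and " NOQUEUE" in ln]


# Constructed sample log mixing days and record types.
SAMPLE_LOG = """\
May  6 23:59:58 mail postfix/smtpd[29100]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.9]
May  7 12:29:39 mail postfix/smtpd[29696]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <victim@example.net>: Relay access denied
May  7 12:30:01 mail postfix/smtpd[29696]: connect from mx.example.net[192.0.2.11]
May  7 18:02:11 mail postfix/smtpd[29812]: NOQUEUE: reject: RCPT from dyn-3.example.org[192.0.2.12]: 550 5.7.1 Service unavailable
May  8 00:00:03 mail postfix/smtpd[30001]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 554 5.7.1 <victim@example.net>: Relay access denied
""".splitlines()


if __name__ == "__main__":
    # In the real cron job: read /var/log/maillog and use yesterday_prefix().
    prefix = yesterday_prefix("2013-05-08")   # pretend the job runs on May 8
    for line in noqueue_lines(SAMPLE_LOG, prefix):
        print(line)
```

Two caveats apply to the shell version as well: %b is locale dependent, so run the job under the C/POSIX locale syslog writes in; and syslog timestamps carry no year, so a log that is never rotated will also match last year's "May  7" lines.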


Re: reject_unknown_reverse_client_hostname safe?

2013-05-07 Thread Reindl Harald


On 07.05.2013 14:02, Vincent Lefevre wrote:
> On 2013-05-07 10:54:06 +0200, Reindl Harald wrote:
>> it is common practice to not accept mails from hosts without a
>> valid PTR
> 
> A PTR is not associated with a host, but with an IP address. That's
> important because mail may be sent from different IP addresses

and any IP address has an A record and a PTR
period

> depending on the recipient or other factors. And it seems that
> some users forget to set up a PTR for all their IPv6 addresses.
> This apparently includes Debian's mailing-list server.

that's their problem

>> and you can ignore this but you also need to understand the the
>> rules from which machines i and many others accept mail are not up
>> to you
> 
> I agree, but I repeat that I cannot change the config of other
> users. From what I can see in my mail archive, it is *not* safe
> to blindly reject mail from IPs without a valid PTR. At least
> currently

and because of this attitude they are not forced to fix their
setups - if every MTA rejected the mails the problem would
not have existed for years, because even the dumbest admin would
realize it if every outgoing message failed





Re: reject_unknown_reverse_client_hostname safe?

2013-05-07 Thread Reindl Harald

On 07.05.2013 10:40, Vincent Lefevre wrote:
> On 2013-05-07 10:18:21 +0200, Reindl Harald wrote:
>> On 07.05.2013 03:05, Vincent Lefevre wrote:
>>> There's no mail exchanger here. The machine in question
>>> (carotte.tilapin.org) just sends the mail.
>>
>> and in this case it needs a valid PTR
> 
> Perhaps (any quote from the RFC's?). But anyway I can't do anything
> about it. I receive important mail from users whose IP doesn't have
> a reverse hostname. Not one user, several ones

the world does not revolve around you

it is common practice to not accept mails from hosts without a
valid PTR and you can ignore this but you also need to understand
that the rules for which machines i and many others accept mail
from are not up to you

it is also common practice to not accept mail from dynamic IPs,
hence if you are coming with a PTR starting with "dyndsl-23..."
you have good chances of also getting blocked

* it is common practice
* it is widely accepted
* everybody who has the knowledge to maintain a mailserver knows this
* a valid PTR is not rocket science

and so if you want a reliable mail service accept it or
continue whining, but not here







Re: reject_unknown_reverse_client_hostname safe?

2013-05-07 Thread Reindl Harald
On 07.05.2013 03:05, Vincent Lefevre wrote:
> There's no mail exchanger here. The machine in question
> (carotte.tilapin.org) just sends the mail.

and in this case it needs a valid PTR

>> Don't try to run a mail exchanger on a dynamic IP address or one 
>> lacking FCrDNS. It's definitely his fault for doing so.
> 
> Except that the machine is just the client, not a mail exchanger.

what does that have to do with the topic?

>>>   * one can lose rather important mail (e.g. related to work).
>>
>> Yes. Reread Noel's post upthread. I was the one who originally said 
>> reject_unknown_reverse_client_hostname is safe, and Noel explained 
>> why: the mail you reject is also being rejected by most major 
>> receivers.
> 
> I don't think this is really true. This may depend on the country
> and the people one communicates with. If users still send mail from
> an IP without rDNS, there may be a reason...

it is true

face it or live with mails from you being rejected





Re: reject_unknown_reverse_client_hostname safe?

2013-05-06 Thread Reindl Harald


On 06.05.2013 23:13, Vincent Lefevre wrote:
>> Being a Debian developer carries zero weight here.
> 
> I just meant that
>   * his mail config is probably sane (the fact that the IP doesn't
> have a rDNS is not his fault, but the ISP's)

no, it's clearly his fault

how should the ISP smell which PTR he needs?
anybody who sets up a mailserver where A record and PTR do not
match is a fool and if your ISP does not provide a way to
get a matching PTR you simply can't have a mailserver
on this IP





Re: Probleme with bounce

2013-05-03 Thread Reindl Harald


On 03.05.2013 17:51, Phibee Network Operation Center wrote:
> we installed Postfix today and we have a small problem with bounces.
> 
> All email generated by Postfix, for example for "Mailbox Unknown", has a blank from:
> 
> May  3 15:01:27 smtp-1 postfix/qmgr[9482]: EDA7D281D2: from=<>, size=5511, 
> nrcpt=1 (queue active)
> 
> where can i specify the email address of the basic from?

you can't, and you should read manuals and RFCs

the bounce sender MUST BE empty to prevent loops with autoresponders
or in case the target of the bounce itself bounces again





Re: sender-based-routing challenge

2013-05-02 Thread Reindl Harald


On 03.05.2013 00:40, Noel Jones wrote:
> Postfix transport features are global to each instance, and are
> non-conditional. If you're using sender dependent transports, you're
> going to have a hard time without multiple instances

not if you are proficient with mysql tables and queries

sender/sender-domain dependent relay hosts are no problem,
even combined with different auth users






Re: attachments on bounce messages generated by postfix

2013-05-02 Thread Reindl Harald


On 02.05.2013 21:30, Charles Marcus wrote:
> On 2013-05-02 3:24 PM, Reindl Harald  wrote:
>> On 02.05.2013 21:16, Charles Marcus wrote:
>>> Unsupported according to the postfix site..
> 
>> says who?
> 
> Wietse?
> 
> ftp://ftp.porcupine.org/mirrors/postfix-release/index.html
> Scroll down, genius. The 'no longer supported stable releases' start with 2.6

that's all true and fine

but who are you, creeping out of your hole 12 hours after
one of the postfix maintainers had a simple solution with
a one-liner, to tell the world what is supported or not?





Re: attachments on bounce messages generated by postfix

2013-05-02 Thread Reindl Harald


On 02.05.2013 21:16, Charles Marcus wrote:
> On 2013-05-02 9:15 AM, Reindl Harald  wrote:
>> On 02.05.2013 14:08, Charles Marcus wrote:
>>> On 2013-05-01 6:31 PM, Ben WIlliams  wrote:
>>>> The version is postfix 2.3.3.
>>> Really? 7 yrs old, unsupported since the last patch (2.3.19) in 2009...
>> stone-old yes, but unsupported not really
> 
> Unsupported according to the postfix site...

says who?

>> [root@vmware-recovery:~]$ rpm -qa | grep postfix
>> postfix-2.3.3-6.el5
>>
>> rpm -q --changelog postfix
>> * Tue Jul 03 2012 Jaroslav Škarvada  - 2:2.3.3-6
> 
> So he should have asked on the redhat list...

you genius, did you realize that the question was answered before your post?
so why did you need to post 12 hours after the solution?

-------- Original Message --------
Subject: Re: attachments on bounce messages generated by postfix
Date:    Thu, 2 May 2013 12:13:45 +1200
From:    Ben WIlliams 
To:      postfix-users@postfix.org

Thanks that fixed it.

On Thu, May 2, 2013 at 11:56 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

On Thu, May 02, 2013 at 10:31:43AM +1200, Ben WIlliams wrote:

> Please can someone help me understand how to configure what is attached to
> bounce messages.
>
> The version is postfix 2.3.3. Originally it only attached the message
> headers of the failed email with Content-Description: Undelivered Message
> Headers
>
> Now it attaches the entire failed email with Content-Description:
> Undelivered Message
>
> I would like to revert to the previous behaviour where only the headers are
> attached to the bounce.

This depends on the message size and the bounce size limit.

http://www.postfix.org/postconf.5.html#bounce_size_limit

If you set

bounce_size_limit = 1

bounces will only include headers (no rfc822 message fits in a
single byte). Postfix does not permit setting the limit to zero or less.





Re: attachments on bounce messages generated by postfix

2013-05-02 Thread Reindl Harald


On 02.05.2013 14:08, Charles Marcus wrote:
> On 2013-05-01 6:31 PM, Ben WIlliams  wrote:
>> The version is postfix 2.3.3.
> 
> Really? 7 yrs old, unsupported since the last patch (2.3.19) in 2009...

stone-old yes, but unsupported not really

[root@vmware-recovery:~]$ rpm -qa | grep postfix
postfix-2.3.3-6.el5

rpm -q --changelog postfix
* Tue Jul 03 2012 Jaroslav Škarvada  - 2:2.3.3-6
- Fixed FD leak in biff
  Resolves: rhbz#766499
- Removed exec mode from documentation files

* Wed Jun 27 2012 Jaroslav Škarvada  - 2:2.3.3-5
- Packaged example scripts
  Resolves: rhbz#251677
- Fixed recipient duplicate elimination
  Resolves: rhbz#474541
- Compiled with mysql support
  Resolves: rhbz#502412
- Clarified documentation about reject_invalid_helo_hostname
  Resolves: rhbz#514948
- Fixed milter communication if single header is larger than 64k
  Resolves: rhbz#617069
- Improved init script to check for PID
  Resolves: rhbz#645348
- Fixed mailq, newaliases, sendmail, aliases man pages display
  Resolves: rhbz#664627





Re: Make install or upgrade for new install location

2013-04-30 Thread Reindl Harald
On 30.04.2013 21:20, Larry Stone wrote:
> FWIW, I consider Lion (10.7) to be the last version of OS X for which the 
> Apple provided Postfix is usable. For
> Mountain Lion (10.8), they changed a lot of the default directories but also 
> removed amavisd-new (compatability
> through OS upgrades apparently is not something Apple thinks has value)

and that is why nobody seriously uses Apple OS X for production servers

been there, seen that crap over years
never ever will i use any Apple hardware / software for servers

long ago they buried their only server hardware, the Xserve, to
give a clear public statement that "Apple Inc.", formerly
known as "Apple Computer Inc.", is no longer interested
in any professional user and has switched to the customer
bullshit market





Re: enable_long_queue_ids and pickup

2013-04-30 Thread Reindl Harald


On 30.04.2013 16:33, Pau Amma wrote:
> On Tue, April 30, 2013 2:17 pm, Reindl Harald wrote:
>> On 30.04.2013 16:02, Viktor Dukhovni wrote:
>>> On Tue, Apr 30, 2013 at 11:33:25AM +0200, Reindl Harald wrote:
>>>> Apr 29 02:33:03 localhost postfix/cleanup[8012]: 36CA45F1B2:
>>>> message-id=<20120429003303.36CA45F1B2@localhost>
>>
>> damned - where did you notice it is from 2012?
> 
> Guessing, from the 2012 in the message-id?

ah - that explains everything
my bad eyes :-(





Re: enable_long_queue_ids and pickup

2013-04-30 Thread Reindl Harald
On 30.04.2013 16:02, Viktor Dukhovni wrote:
> On Tue, Apr 30, 2013 at 11:33:25AM +0200, Reindl Harald wrote:
> 
>> i have "enable_long_queue_ids = yes" on all machines and one of them is
>> producing the old queue-ids daily via pickup, as seen in logwatch, and the
>> interesting thing is that there exists a 1:1 clone (put one of the RAID1
>> disks into the same hardware and change only the machine name) without
>> this behavior
>>
>> [root@localhost:~]$ postconf -n | grep long
>> enable_long_queue_ids = yes
>>
>> Apr 29 02:33:03 localhost postfix/qmgr[1202]: 36CA45F1B2: removed
>> Apr 29 02:33:03 localhost postfix/pickup[7570]: 36CA45F1B2: uid=0 from=
>> Apr 29 02:33:03 localhost postfix/smtp[8033]: 36CA45F1B2: to=, 
>> relay=**.**.**.**[**.**.**.**]:587,
>> delay=0.96, delays=0.54/0.02/0.34/0.06, dsn=2.0.0, status=sent (250 2.0.0 
>> Ok: queued as 9B5798F)
>> Apr 29 02:33:03 localhost postfix/cleanup[8012]: 36CA45F1B2: 
>> message-id=<20120429003303.36CA45F1B2@localhost>
>> Apr 29 02:33:03 localhost postfix/qmgr[1202]: 36CA45F1B2: from=, 
>> size=3774, nrcpt=1 (queue active)
> 
> This log entry is from one year ago

damned - where did you notice it is from 2012?
thank you!

> how are you searching your logs? 

this is from daily logwatch

> When you create a clone, do you wipe the logs?  

yes - i thought so
but when cloning i forgot the logrotate config: on this router
it should also rotate /var/log/maillog daily, which on
mailservers is in an extra config only active monthly

> You should also consider naming your machines something a 
> tad less generic than "localhost"

my machines have perfect configurations, this was a replacement for
the list because the hostname does not matter





enable_long_queue_ids and pickup

2013-04-30 Thread Reindl Harald
Hi

i have "enable_long_queue_ids = yes" on all machines and one of them is
producing the old queue-ids daily via pickup, as seen in logwatch, and the
interesting thing is that there exists a 1:1 clone (put one of the RAID1
disks into the same hardware and change only the machine name) without
this behavior

[root@localhost:~]$ postconf -n | grep long
enable_long_queue_ids = yes

Apr 29 02:33:03 localhost postfix/qmgr[1202]: 36CA45F1B2: removed
Apr 29 02:33:03 localhost postfix/pickup[7570]: 36CA45F1B2: uid=0 from=
Apr 29 02:33:03 localhost postfix/smtp[8033]: 36CA45F1B2: to=, relay=**.**.**.**[**.**.**.**]:587, delay=0.96, delays=0.54/0.02/0.34/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B5798F)
Apr 29 02:33:03 localhost postfix/cleanup[8012]: 36CA45F1B2: message-id=<20120429003303.36CA45F1B2@localhost>
Apr 29 02:33:03 localhost postfix/qmgr[1202]: 36CA45F1B2: from=, size=3774, nrcpt=1 (queue active)


postconf -n
address_verify_sender = postmas...@localhost.net
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks_size_limit = 1024
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
double_bounce_sender = double-bou...@localhost.net
empty_address_recipient = postmas...@localhost.net
enable_long_queue_ids = yes
html_directory = no
in_flow_delay = 0
inet_protocols = ipv4
mail_name = THELOUNGE MTA
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_backoff_time = 3600
message_size_limit = 10485760
minimal_backoff_time = 900
mydestination =
mydomain = esx1.localhost.net
myhostname = internal.localhost.net
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 300
readme_directory = /usr/share/doc/postfix-2.10.0/README_FILES
relayhost = [91.118.73.15]:587
sample_directory = /usr/share/doc/postfix-2.10.0/samples
sender_canonical_maps = hash:/etc/postfix/canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
smtp_tls_key_file = /etc/postfix/certs/localhost.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_discard_ehlo_keywords = silent-discard, etrn, dsn, vrfy, enhancedstatuscodes
smtpd_recipient_limit = 500
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
unknown_address_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550





Re: 454 instead 5xx status for "Relay access denied"

2013-04-29 Thread Reindl Harald


On 29.04.2013 06:10, Stan Hoeppner wrote:
> On 4/28/2013 7:33 PM, Viktor Dukhovni wrote:
>> There is an important difference, which is why the defer variant
>> is used as a safety net, and the use-case is precisely when the
>> client is an MTA.
> 
> Apparently I didn't make my point clear, which is that a hard fail isn't
> necessary here, and that a temp fail is preferable to cover all client
> types.  I think Reindl was advocating a hard fail.  I was countering his
> argument

uhm, as i said:

* the machine is not MX for any single domain
* the machine must not accept any unauthenticated message
* and so any error is NOT temporary until smtp auth is used





Re: 454 instead 5xx status for "Relay access denied"

2013-04-29 Thread Reindl Harald

On 29.04.2013 01:52, Stan Hoeppner wrote:
> On 4/28/2013 9:52 AM, Reindl Harald wrote:
>> On 28.04.2013 14:41, Wietse Venema wrote:
>>> Reindl Harald:
>>>> 454: smtpd_relay_restrictions = permit_mynetworks, 
>>>> permit_sasl_authenticated, defer_unauth_destination
>>>> 554: smtpd_relay_restrictions = permit_mynetworks, 
>>>> permit_sasl_authenticated, reject_unauth_destination
>>>>
>>>> was the default changed from 2.10-devel to 2.10 final?
>>>
>>> defer_unauth_destination etc.. is the default safety net for
>>> sites that haven't set smtpd_relay_restrictions
>>
>> ah, i remembered correct it was set by "postfix upgrade-configuration"
>> at the bottom of "main.cf", maybe the "safety net" should be the
>> same as "postconf -d" which is "reject_unauth_destination"?
> 
> What practical difference do you see between these two reject codes?
> The client in this transaction is almost certainly not an MTA.  It's
> most likely rat/malware, which typically either:

that one is a temporary and the other a permanent error?
that i can hardly complain that Apple Inc. is an idiotic company
for trying again and again to send mails from iPhones without
SMTP-Auth even after a hard error, when i randomly answer
with a soft error?

> And BTW, reject_unknown_reverse_client_hostname would have rejected much
> earlier.  This IP returns NXDOMAIN.  Why aren't you using
> reject_unknown_reverse_client_hostname?

because it does not matter on a machine which is not MX for any single domain





Re: 454 instead 5xx status for "Relay access denied"

2013-04-28 Thread Reindl Harald

On 28.04.2013 14:41, Wietse Venema wrote:
> Reindl Harald:
>> 454: smtpd_relay_restrictions = permit_mynetworks, 
>> permit_sasl_authenticated, defer_unauth_destination
>> 554: smtpd_relay_restrictions = permit_mynetworks, 
>> permit_sasl_authenticated, reject_unauth_destination
>>
>> was the default changed from 2.10-devel to 2.10 final?
> 
> defer_unauth_destination etc.. is the default safety net for
> sites that haven't set smtpd_relay_restrictions

ah, i remembered correctly it was set by "postfix upgrade-configuration"
at the bottom of "main.cf", maybe the "safety net" should be the
same as "postconf -d" which is "reject_unauth_destination"?





Re: 454 instead 5xx status for "Relay access denied"

2013-04-28 Thread Reindl Harald

On 28.04.2013 11:47, Reindl Harald wrote:
> should this not be a permanent error instead of a temporary one?
> in fact some spammer tried for open relay
> 
> Apr 28 00:32:49 mail postfix/smtpd[25333]: NOQUEUE: reject: RCPT from unknown[221.5.24.12]: 454 4.7.1
> : Relay access denied; from= to=
> proto=ESMTP helo=
> 
> FYI: the "permit_sasl_authenticated reject" followed by more restrictions
> in "smtpd_recipient_restrictions" is intentional and this "reject"
> would be removed if the machine has to play MX again

ouch - fixed

454: smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination
554: smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination

was the default changed from 2.10-devel to 2.10 final?
i am pretty sure the "defer_unauth_destination" was not invented by me






454 instead 5xx status for "Relay access denied"

2013-04-28 Thread Reindl Harald
Hi

should this not be a permanent error instead of a temporary one?
in fact some spammer tried for an open relay

Apr 28 00:32:49 mail postfix/smtpd[25333]: NOQUEUE: reject: RCPT from unknown[221.5.24.12]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo=

FYI: the "permit_sasl_authenticated reject" followed by more restrictions
in "smtpd_recipient_restrictions" is intentional and this "reject"
would be removed if the machine has to play MX again
___

postconf -n | grep code
unknown_address_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
___

postconf -n | grep smtpd | grep -v tls
barracuda_smtpd_recipient_restrictions = permit_mynetworks, reject
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_rate_limit = 50
smtpd_client_recipient_rate_limit = 400
smtpd_discard_ehlo_keywords = silent-discard, etrn, dsn, vrfy
smtpd_error_sleep_time = ${stress?1}${stress:2}s
smtpd_hard_error_limit = ${stress?5}${stress:10}
smtpd_helo_required = yes
smtpd_peername_lookup = yes
smtpd_proxy_options = speed_adjust
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks reject_non_fqdn_recipient
    reject_non_fqdn_sender reject_unlisted_sender
    reject_authenticated_sender_login_mismatch permit_sasl_authenticated reject
    reject_unauth_destination reject_unknown_sender_domain
    reject_unknown_recipient_domain reject_invalid_hostname
    reject_unknown_reverse_client_hostname reject_unauth_pipelining
    reject_rbl_client dnsbl-1.uceprotect.net
    check_policy_service unix:/var/spool/postfix/postgrey/socket
    check_recipient_access proxy:mysql:/etc/postfix/mysql-spamfilter.cf
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-senderaccess.cf
smtpd_soft_error_limit = ${stress?2}${stress:5}
___
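An added example, not part of the original posts and not Postfix code: a small Python classifier for smtpd reject lines like the one above. It separates 4xx replies (defer_unauth_destination: the client is told to queue and retry) from 5xx replies (reject_unauth_destination: final) and flags "Relay access denied" answers given to clients without reverse DNS, which is the open-relay probe described in the post. The log lines inside it are constructed; host names, IPs and addresses are placeholders.

```python
"""Classify Postfix smtpd reject lines by SMTP status class.

Added example for this thread; it is not code from the post or from
Postfix. The log lines in SAMPLE_LOG are constructed: hosts, IPs and
addresses are placeholders (the archived line above had its addresses
stripped).
"""
import re
from collections import Counter

# Fixed part of an smtpd "NOQUEUE: reject: RCPT" line. The free text
# after the enhanced status code differs per restriction, so it is
# captured whole and only inspected for the "Relay access denied" case.
REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>[245]\d\d) (?P<enhanced>\d\.\d+\.\d+) "
    r"(?P<text>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

SAMPLE_LOG = """\
Apr 28 00:32:49 mail postfix/smtpd[25333]: NOQUEUE: reject: RCPT from unknown[198.51.100.12]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net> proto=ESMTP helo=<example.org>
Apr 28 00:33:10 mail postfix/smtpd[25333]: NOQUEUE: reject: RCPT from unknown[198.51.100.12]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net> proto=ESMTP helo=<example.org>
Apr 28 00:35:02 mail postfix/smtpd[25340]: NOQUEUE: reject: RCPT from mx.example.com[203.0.113.5]: 450 4.1.8 <bob@nxdomain.invalid>: Sender address rejected: Domain not found; from=<bob@nxdomain.invalid> to=<alice@example.net> proto=ESMTP helo=<mx.example.com>
Apr 28 00:36:15 mail postfix/smtpd[25340]: NOQUEUE: reject: RCPT from mx.example.com[203.0.113.5]: 550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown; from=<bob@example.com> to=<nobody@example.net> proto=ESMTP helo=<mx.example.com>
Apr 28 00:36:20 mail postfix/qmgr[25301]: 6B34360BAA: removed
"""


def parse_reject(line):
    """Return a dict describing an smtpd reject line, or None otherwise."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["code"] = int(rec["code"])
    # A 4xx reply tells the client to queue the message and retry later
    # (defer_unauth_destination); a 5xx reply is final
    # (reject_unauth_destination) and a well-behaved client bounces it.
    rec["outcome"] = "deferred" if rec["code"] // 100 == 4 else "rejected"
    # A relay denial for a client without reverse DNS is the typical
    # open-relay probe the post describes.
    rec["relay_probe"] = (
        rec["text"].endswith("Relay access denied") and rec["rdns"] == "unknown"
    )
    return rec


def summarize(log_text):
    """Count rejects per (outcome, code) and list relay probes as (ip, code)."""
    counts = Counter()
    probes = []
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec is None:
            continue
        counts[(rec["outcome"], rec["code"])] += 1
        if rec["relay_probe"]:
            probes.append((rec["ip"], rec["code"]))
    return counts, probes


if __name__ == "__main__":
    counts, probes = summarize(SAMPLE_LOG)
    for (outcome, code), n in sorted(counts.items()):
        print(f"{code} ({outcome}): {n}")
    for ip, code in probes:
        print(f"relay probe from {ip}, answered with {code}")
```

Run it as-is to see the breakdown of the constructed sample; point summarize() at a real maillog to see how much of the "deferred" column is relay probes that will simply come back, which is the practical difference between the two smtpd_relay_restrictions settings above.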






Re: OT - mail archive

2013-04-27 Thread Reindl Harald

On 27.04.2013 23:03, grarpamp wrote:
>>> specified out there that applications could utilize...
>>> where n is your split width... tmp/n, new/n, cur/n.
> 
>> it is what you want
> 
> No, actually right up there is what I was surveying.
> But you failed to grok that in your search for more pfft.
> I'm sure it's a nice day, go outside :)

maybe you should learn how to use a mail client and quote
before you post to a mail-server list - your answer above
makes no sense at all in the context of the thread





Re: OT - mail archive

2013-04-27 Thread Reindl Harald


On 27.04.2013 04:32, grarpamp wrote:
>>> specified out there that applications could utilize...
>>> where n is your split width... tmp/n, new/n, cur/n.
> 
>> pff and you realized that the "not a file per message" is
>> exactly the solution for problems with tens thousands of
> 
> It is *a* solution, not *the* solution, and obviously not one
> of the type I describes. And a fine pff to you my friend.

boy, you replied to "Faster disks don't solve algorithmic problems
(problems related to the number of files per directory)" with
"And mdbox does not support one message per file"

no, it is not *the* solution, but "does not support one message
per file" is pure bullshit in this context because it is what
you want





Re: OT - mail archive

2013-04-26 Thread Reindl Harald


On 26.04.2013 21:24, grarpamp wrote:
> specified out there that applications could utilize...
> where n is your split width... tmp/n, new/n, cur/n.
> 
>> alternate you may use mdbox
>> http://wiki2.dovecot.org/MailboxFormat/dbox
> 
> Both of these hold all messages in a single directory.
> So sdbox would be no advantage there.
> And mdbox does not support one message per file

pff, and you realized that "not a file per message" is
exactly the solution for problems with tens of thousands of
files in a folder?





Re: Message_size_limit issue with postfix v 2.8.8-1 on RHEL 6

2013-04-24 Thread Reindl Harald


On 24.04.2013 19:45, Nicolas HAHN wrote:
> The "archietcture" is not a good excuse for me, I'm sorry. As a coder

well, that's the difference between "coder" and "developer"

a "coder" writes something which works for now, and every
few years all is thrown away because the architecture
and software design does not fit growing needs

look back at how many years postfix has been perfectly maintained
AND documented like no other software, with nearly zero
breakage of existing setups, while being as scalable
as possible for nearly any environment

sorry, but after following the thread you are not qualified
enough to judge the design patterns of software you do not
understand enough





Re: Message_size_limit issue with postfix v 2.8.8-1 on RHEL 6

2013-04-24 Thread Reindl Harald


On 24.04.2013 15:22, Nicolas HAHN wrote:
> As you wrote, here below is a set of log lines during the issue. The emails 
> staying in the growing active queue are
> the bounce messages (we intercept them to send a copy to postmaster):
> 
> [root@iccpfxor04 postfix]# grep 6B34360BAA /var/log/maillog
> 2013-04-24T12:32:01.439701+00:00 iccpfxor04 postfix/cleanup[24423]: 
> 6B34360BAA:
> message-id=<20130424123201.6b34360...@iccpfxor04.svc.unicc.org>
> 2013-04-24T12:32:01.442962+00:00 iccpfxor04 postfix/qmgr[24391]: 6B34360BAA:
> from=, size=8389, nrcpt=1 (queue 
> active)
> 2013-04-24T12:32:01.442970+00:00 iccpfxor04 postfix/bounce[26517]: 
> D4B8460078: postmaster non-delivery
> notification: 6B34360BAA
> 2013-04-24T12:36:09.981198+00:00 iccpfxor04 postfix/qmgr[27126]: 6B34360BAA:
> from=, size=8389, nrcpt=1 (queue 
> active)
> 2013-04-24T12:40:44.391001+00:00 iccpfxor04 postfix/qmgr[27707]: 6B34360BAA:
> from=, size=8389, nrcpt=1 (queue 
> active)
> 
> As you can see in the logs above, it seems to be blocked in the qmgr process, 
> sending the same
> "from=



Re: Message_size_limit issue with postfix v 2.8.8-1 on RHEL 6

2013-04-24 Thread Reindl Harald


On 24.04.2013 14:58, Nicolas HAHN wrote:
> Does somebody knows what is happening? 

no, because you failed to send any log information
maybe too little memory to process messages of 150 MB





Re: Add a log line in postfix logs

2013-04-23 Thread Reindl Harald

On 23.04.2013 16:40, Abhijeet Rastogi wrote:
> How flexible is postfix-2.8.7 to add one more log line in logs.
> 
> My requirement is to have a line which will contain the "queueid", "from",
> "to" & "subject" header in the same log line

the problem is that the specific lines are from different processes
and stages of the mail-flow
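An added example (not from the post and not Postfix code) of what that implies in practice: because smtpd, cleanup, qmgr and the delivery agent each log their own line, the single line asked for has to be assembled afterwards by joining on the queue id. The Python below does that over constructed log lines; the Subject line it consumes is the one cleanup(8) logs when header_checks carries a "/^Subject:/ WARN" rule, and all hosts, queue ids and addresses are placeholders.

```python
"""Join the Postfix log lines of one message into a single summary line.

Added example for this thread; it is not code from the post or from
Postfix. The lines in SAMPLE_LOG are constructed; hosts, queue ids and
addresses are placeholders. The Subject line is what cleanup(8) logs
when header_checks contains a "/^Subject:/ WARN" rule.
"""
import re
from collections import defaultdict

# Common prefix: timestamp, host, daemon name, then the queue id that
# ties the lines from smtpd, cleanup, qmgr and the delivery agent together.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Z]{6,}): (?P<msg>.*)$"
)
FROM_RE = re.compile(r"^from=<(?P<from>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
TO_RE = re.compile(r"^to=<(?P<to>[^>]*)>,.*?\bstatus=(?P<status>\w+)")
MSGID_RE = re.compile(r"^message-id=<(?P<mid>[^>]*)>")
SUBJECT_RE = re.compile(r"^warning: header Subject: (?P<subject>.*?) from \S+\[[^\]]*\];")

SAMPLE_LOG = """\
Apr 23 16:40:01 mail postfix/smtpd[1001]: 3A1B2C3D4E: client=mx.example.com[203.0.113.5]
Apr 23 16:40:01 mail postfix/cleanup[1002]: 3A1B2C3D4E: warning: header Subject: quarterly numbers from mx.example.com[203.0.113.5]; from=<bob@example.com> to=<alice@example.net> proto=ESMTP helo=<mx.example.com>
Apr 23 16:40:01 mail postfix/smtpd[1004]: 5E6F7A8B9C: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=carol
Apr 23 16:40:01 mail postfix/cleanup[1002]: 3A1B2C3D4E: message-id=<20130423164001.ABC@example.com>
Apr 23 16:40:01 mail postfix/qmgr[1000]: 3A1B2C3D4E: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)
Apr 23 16:40:01 mail postfix/cleanup[1005]: 5E6F7A8B9C: warning: header Subject: lunch? from localhost[127.0.0.1]; from=<carol@example.net> to=<dave@example.net> proto=ESMTP helo=<laptop>
Apr 23 16:40:02 mail postfix/smtp[1003]: 3A1B2C3D4E: to=<alice@example.net>, relay=mail.example.net[198.51.100.9]:25, delay=0.8, delays=0.2/0.01/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F00)
Apr 23 16:40:02 mail postfix/qmgr[1000]: 3A1B2C3D4E: removed
Apr 23 16:40:02 mail postfix/qmgr[1000]: 5E6F7A8B9C: from=<carol@example.net>, size=512, nrcpt=1 (queue active)
Apr 23 16:40:03 mail postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[198.51.100.12]: 554 5.7.1 <x@example.net>: Relay access denied; from=<a@b.test> to=<x@example.net> proto=ESMTP helo=<b.test>
"""


def correlate(log_text):
    """Fold the per-daemon lines of each queue id into one record.

    Returns (completed, pending): records whose qmgr "removed" line was
    seen, in log order, and the still-open ones keyed by queue id.
    """
    records = defaultdict(lambda: {"to": []})
    completed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["qid"] == "NOQUEUE":
            continue  # rejected before a queue id existed: nothing to join
        qid, prog, msg = m["qid"], m["prog"], m["msg"]
        rec = records[qid]
        rec["qid"] = qid
        if prog == "qmgr":
            if msg == "removed":
                completed.append(records.pop(qid))
                continue
            fm = FROM_RE.match(msg)
            if fm:
                rec["from"], rec["size"] = fm["from"], int(fm["size"])
        elif prog == "cleanup":
            sm = SUBJECT_RE.match(msg)
            mm = MSGID_RE.match(msg)
            if sm:
                rec["subject"] = sm["subject"]
            elif mm:
                rec["message_id"] = mm["mid"]
        else:
            # smtp, local, virtual, pipe ... all log "to=<...> ... status=..."
            tm = TO_RE.match(msg)
            if tm:
                rec["to"].append((tm["to"], tm["status"]))
    return completed, dict(records)


def summary_line(rec):
    """The single line the poster asked for: queue id, from, to, subject."""
    to = ",".join(f"{addr}({status})" for addr, status in rec["to"])
    return (f'{rec["qid"]} from=<{rec.get("from", "")}> to=<{to}> '
            f'subject="{rec.get("subject", "")}"')


if __name__ == "__main__":
    done, open_ = correlate(SAMPLE_LOG)
    for rec in done:
        print(summary_line(rec))
    print("still in queue:", ", ".join(sorted(open_)))
```

The record for a message is only complete once qmgr logs "removed", so anything that emits the summary earlier (a syslog filter, for instance) will miss recipients or the delivery status; that is the reason the single line cannot come from any one Postfix process.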






Re: sender_dependent_relayhost_maps Syntax

2013-04-19 Thread Reindl Harald


On 19.04.2013 14:25, awingnut wrote:
> I have a series of user names that need to be relayed through a server
> other than the default. It is not clear from the documentation if wild
> cards are allowed but it appears they are not

no, and wildcards in the case of mail are generally a bad idea

> If that is true then I need to list each one individually. 
> However, I am also using generic mapping and again it is not 
> explained in the documentation which address needs to be in the 
> relay maps file, the local address vs. the translated
> address. Can some please clarify? Thanks.

what additional mapping?

we are using "sender_dependent_relayhost_maps" to allow specific
senders which are not hosted on our server and relay them to
the customer's MTA with the user's login/password without
rewriting anything





Re: Multiple owners in smtpd_sender_login_maps

2013-04-19 Thread Reindl Harald


On 19.04.2013 10:44, Ram wrote:
> I have a requirement of 2 different users  using the same sender email address
> 
> I found a very old patch for doing this in postfix.
> http://permalink.gmane.org/gmane.mail.postfix.devel/4
> 
> Is this patch still the only way of doing multiple owners

why does this need a patch?

we have been doing this for years with a mysql table, and the query returns
a list of allowed login names
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-senderaccess.cf

http://www.postfix.org/postconf.5.html
In all cases the result of table lookup must be either "not found" or a
list of SASL login names separated by comma and/or whitespace
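An added example, not code from the post and not Postfix source, of the decision reject_sender_login_mismatch makes from such a lookup result. The dictionary SENDER_LOGIN_TABLE stands in for the MySQL query; all addresses and logins in it are constructed, and the full-address-then-@domain lookup order and the case-insensitive login comparison are assumptions of this example.

```python
"""Simulate the reject_sender_login_mismatch decision Postfix makes.

Added example for this thread; it is not the poster's code and not
Postfix source. SENDER_LOGIN_TABLE stands in for the MySQL lookup
behind smtpd_sender_login_maps in the post; every address and login
in it is constructed.
"""
import re

# postconf(5): the lookup result is "not found" or a list of SASL login
# names separated by comma and/or whitespace. "sales@" has two owners,
# which is the "multiple owners" case the thread is about.
SENDER_LOGIN_TABLE = {
    "sales@example.com": "alice, bob",
    "alice@example.com": "alice",
    # Domain-wide entry; see the lookup-order assumption in lookup_owners().
    "@example.org": "carol mallory",
}

_LIST_SEP = re.compile(r"[,\s]+")


def lookup_owners(sender):
    """Return the set of logins owning `sender`, or None when not found.

    Assumption for this example: the full address is tried first, then
    "@domain". Real Postfix uses its normal address lookup order, which
    depends on the table type and related settings.
    """
    key = sender.lower()
    domain = key.rpartition("@")[2]
    for candidate in (key, "@" + domain):
        value = SENDER_LOGIN_TABLE.get(candidate)
        if value is not None:
            return {name.lower() for name in _LIST_SEP.split(value.strip()) if name}
    return None


def sender_login_mismatch(sender, login=None):
    """Return (rejected, reason) for a MAIL FROM address and SASL login.

    Mirrors reject_sender_login_mismatch as described in postconf(5):
    reject when the client is logged in but the login does not own the
    address (the half that reject_authenticated_sender_login_mismatch
    enforces on its own), or when the address has an owner and the client
    is not logged in at all. Login names are compared case-insensitively
    here; that is an assumption of this example.
    """
    owners = lookup_owners(sender)
    if login is not None:
        if owners is None or login.lower() not in owners:
            return True, f"<{sender}>: Sender address rejected: not owned by user {login}"
        return False, f"<{sender}> is owned by {login}"
    if owners is not None:
        return True, f"<{sender}>: Sender address rejected: not logged in"
    return False, f"<{sender}> has no owner; rule does not apply"


if __name__ == "__main__":
    for sender, login in [("sales@example.com", "bob"),
                          ("sales@example.com", "mallory"),
                          ("nobody@example.com", "alice"),
                          ("sales@example.com", None)]:
        print(sender, login, sender_login_mismatch(sender, login))
```

The two-owner entry is the whole point: nothing in the rule needs a patch, because the lookup result is already defined as a list and the check is "is this login in that list".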





Re: How bounce mail with error

2013-04-17 Thread Reindl Harald


On 17.04.2013 14:46, Pol Hallen wrote:
> Almost configured postfix on my LAN, I can't discover how to bounce mail
> when the size of the attachments is too big for the destination server.
> 
> i.e. I send an email with 30Mb attachments to @yahoo.it, @tiscali.it
> 
> by mailq I see the error: destination server can't accept that mail
> because the attachments are too big.
> 
> I need postfix to bounce that mail to the sender of the mail. Otherwise, my
> users can't know if the email was sent correctly.
> 
> any idea?

it DOES bounce if it can not be delivered
how do you come to the conclusion that it does not?
why did you not post specific log records?





Re: Case sensivity: Strict rfc5321 or reality compliance

2013-04-15 Thread Reindl Harald


On 15.04.2013 14:24, Jan P. Kessler wrote:
> Hi,
> 
> sorry, I know this is not directly related to postfix but I know that
> there are several very experienced people reading this list. My question
> is how you (the people that use and administer mailservers) handle the
> localpart case sensitivity according to rfc5321:
> 
> "The local-part of a mailbox MUST BE treated as case sensitive."

nobody

i see all the time users having their address in mixed uppercase and lowercase
in incoming mails, and i would call it quite dumb if "m...@dydomain.tld"
and "m...@dydomain.tld" were received from different people





Re: SMTPS 465

2013-04-15 Thread Reindl Harald
On 15.04.2013 14:14, DTNX Postmaster wrote:
> Besides, aren't the odd kernel versions such as 3.5.x, 3.7.x etc. development 
> kernels?

why should they be?

since kernel 2.6, released around 10 years ago, the versioning no longer works this way,
and 3.0.x is only a renumbering of 2.6.40

https://www.kernel.org/
stable: 3.8.7
stable: 3.7.10 [EOL]





Re: SMTPS 465

2013-04-15 Thread Reindl Harald


On 15.04.2013 13:57, Joan Moreau wrote:
> On 15/04/2013 10:24, Charles Marcus wrote:
> Roll back to the previous kernel.
> 
> Seriously. If you updated the kernel but didn't keep the last known
> good/working one, then hopefully you have learned why doing this is such
> a good idea and will do so in the future.
> 
> Reverted to 3.7.10. Recompiled openssl + cyrus + posfix . Same errors. Where 
> does the inconsistency reside ?
> 
> 2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS 
> library problem: 3308:error:1411C146:SSL
> routines:tls1_prf:unsupported digest type:t1_enc.c:276:
> 2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS 
> library problem: 3308:error:140D308A:SSL
> routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597

for me this sounds like you are doing "configure && make && make install"
well, this does not clean up all garbage; doing so repeatedly lets,
for example, mysql fail to compile at all

this is why things like "rpmbuild" were invented: they work in a
predictable and clean buildroot, and with the resulting binaries you
can predictably downgrade/upgrade packages, and since dependencies
for libraries and APIs are automatically injected into the RPM packages
you normally recognize a binary-incompatible update because RPM
refuses to install the package

additionally NOBODY builds his binaries on the production machine
and fires "make install", NOBODY - this has to be done on a test machine,
and if the binary package works there you minimize the risk

i know that this does not help you very much now

but that should be what you learned the hard way by bricking a production
environment without taking care to make sure updates are working

however, this is not a postfix problem, this is the revenge of bad practice





Re: SMTPS 465

2013-04-14 Thread Reindl Harald


On 15.04.2013 00:30, Joan Moreau wrote:
> On 14/04/2013 22:24, Viktor Dukhovni wrote:
> 
>> On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:
>>
>> However, how can postfix NOT use the only openssl library ? or fail to have 
>> SHA2 when loading the .so ?
>>
>> Find a less broken operating system. This works on every system
>> I've ever used, and finding out what's wrong with yours is not a
>> good use of your time or mine.
> 
> 
> Well, this server has worked since ever, supporting plenty of web operations 
> (so I can not really 'delete and
> re-install'  and broke only after updating the kernel

well, the operating systems i use have package managers like yum,
and updates can be predictably reverted by "yum downgrade" because
there is no single file which is not covered by a package





Re: SMTPS 465

2013-04-14 Thread Reindl Harald


On 14.04.2013 19:24, Viktor Dukhovni wrote:
> On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote:
> 
>>> -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 
>>> 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl
>>> -lcrypto -lz -lm -lpcre -lsasl2'
>>
>> i am missing here the path to openssl
>> below the ARGS from my fedora-rpm-SPEC
>>
>> -DUSE_TLS -I/usr/include/openssl
> 
> This is not a good idea. The OpenSSL header files are accessed by Postfix
> via:
> 
>   #include 
> 
> Unless you have /usr/include/openssl/opennssl/ssl.h you should NOT do this

Fedora has (i guess openssl/opennssl was a typo)

[root@buildserver:~]$ rpm -q --file /usr/include/openssl/ssl.h
openssl-devel-1.0.0k-1.fc17.20130221.rh.x86_64





Re: SMTPS 465

2013-04-14 Thread Reindl Harald


On 14.04.2013 17:57, Joan Moreau wrote:
> On 14/04/2013 15:25, Viktor Dukhovni wrote:
> 
>> On Sun, Apr 14, 2013 at 01:30:53PM +, Joan Moreau wrote:
>>
>> [ You're using a mail client, whose plain-text response does not properly
>> "quote" material you're replying to. When posting to this list please
>> use a non-HTML client that gets the plain-text message right. ]
>>
>> Ok, I tried 1 - to re-install openssl 1.0.1 then recompile postfix
>>
>> Done right, this is sufficient. Your compiler settings must
>> be wrong. Post the exact command you use the create the
>> Postfix "makefiles".
> 
> 
> make -f Makefile.init makefiles 'CCARGS=-DHAS_PCRE -DHAS_MYSQL 
> -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -UHAS_LDAP
> -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 
> 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl
> -lcrypto -lz -lm -lpcre -lsasl2'

i am missing here the path to openssl
below the ARGS from my fedora-rpm-SPEC

-DUSE_TLS -I/usr/include/openssl

CCARGS="-fPIC -DHAS_PCRE -I%{_includedir}/pcre -DHAS_MYSQL -I%{_includedir}/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I%{_includedir}/sasl -DUSE_TLS -I/usr/include/openssl -DDEF_CONFIG_DIR=\\\"%{postfix_config_dir}\\\""
AUXLIBS="-lpcre -L%{_libdir}/mysql -lmysqlclient -lm -L%{_libdir}/sasl2 -lsasl2 -lssl -lcrypto -pie -Wl,-z,relro"






Re: Another sanity check request

2013-04-13 Thread Reindl Harald


On 13.04.2013 22:36, b...@bitrate.net wrote:
>> fine - in the real life you start not from scratch
> 
> in the real world, both [and more] things happen.

and "another" in the subject is a clear sign

>> have fun calling hundreds and thousands of users, especially with broken
>> clients like an iPhone, and explaining to them what to do to change the port
> 
> perhaps, perhaps not.
> 
>> in a perfect world i would even close port 25 from the WAN because
>> the MX is a dedicated spam-firewall, but as said above this world
>> exists mostly only if you are a startup with no existing customers
> 
> huh?

you forgot you mentioned removing SASL from port 25?

>>> i really just discourage use of permit_mynetworks altogether
>>
>> if you are not stupid enough to add a /24 network there it is pretty fine
>> you do not want to pass every internal server sending a system-message to
>> check_recipient_access which may be a spam-filter
> 
> sorry, i have no idea what you're talking about

that your "discourage use of permit_mynetworks" is far from reality, as
is "do not use SASL and submission on port 25", if someone
asks for ANOTHER sanity check after upgrading to a new version?





Re: Another sanity check request

2013-04-13 Thread Reindl Harald

On 13.04.2013 21:42, b...@bitrate.net wrote:
> 
> On Apr 13, 2013, at 15.33, Russell Jones  wrote:
> 
>> Hi all,
>>
>> Upgrading mail server from Postfix 2.9 to 2.10. Could I get a quick sanity 
>> check to ensure my (fairly simple) setup is sane with the new 
>> smtpd_relay_restrictions? Thanks :-)
>>
>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
>> reject_unauth_destination
>> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated 
>> check_client_access hash:/etc/postfix/rbl_override reject_rbl_client 
>> zen.spamhaus.org
> 
> really, neither of permit_mynetworks nor permit_sasl_authenticated belong in 
> any global restrictions.  
> smtp auth [e.g sasl] is for submission clients, which should be using 
> submission/587, and these days, 

fine - in real life you do not start from scratch

have fun calling hundreds and thousands of users, especially with broken
clients like an iPhone, and explaining to them what to do to change the port

in a perfect world i would even close port 25 from the WAN because
the MX is a dedicated spam firewall, but as said above this world
exists mostly only if you are a startup with no existing customers

> i really just discourage use of permit_mynetworks altogether

if you are not stupid enough to add a /24 network there it is pretty fine
you do not want to pass every internal server sending a system-message to
check_recipient_access which may be a spam-filter









Re: Another sanity check request

2013-04-13 Thread Reindl Harald


On 13.04.2013 21:33, Russell Jones wrote:
> Hi all,
> 
> Upgrading mail server from Postfix 2.9 to 2.10. Could I get a quick sanity 
> check to ensure my (fairly simple) setup
> is sane with the new smtpd_relay_restrictions? Thanks :-)

if your setup was safe before, it is now too, and with the new default a little
more in doubt

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
> reject_unauth_destination

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
works fine in combination with "smtpd_recipient_restrictions"

> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated 
> check_client_access
> hash:/etc/postfix/rbl_override reject_rbl_client zen.spamhaus.org

i would ALWAYS include "reject_unauth_destination" BEFORE "check_client_access" 
here








Re: SMTPS 465

2013-04-13 Thread Reindl Harald

On 13.04.2013 12:43, Joan Moreau wrote:
> This lead to a error 404.
> Maybe can you rather explain how "toppost" would solve the SSL problem?

you should post your reply BELOW the quote to make a thread
readable by people who may come to it later; they may
ignore it if it is unreadable for them because answers are
randomly at the top and bottom of quotes


to your problem:

you said "after kernel update"

well, did you try to boot with the previous kernel?
any unix i personally know supports booting from the
last kernel if a newer one makes trouble, and if this
solves the problem it is no longer a postfix issue





Re: [feature request] Subzero postscreen/dnsblog score to bypass after-220 tests?

2013-04-12 Thread Reindl Harald


On 12.04.2013 16:52, /dev/rob0 wrote:
> I believe that DNS-based whitelisting will grow in importance, 
> especially in the IPv6 world. I expect to move into IPv6 with a 
> default-deny policy, where non-whitelisted hosts are rejected

how do you imagine this working?

in this case it would be better to stay on ipv4 entirely instead of
answering AAAA dns requests, which may be preferred by dual-stack
machines trying to deliver to your customer

it does not work that anybody who wants to send you e-mail
must prove that he is no spammer, really this does not work





Re: postfix and Berkeley DB

2013-04-11 Thread Reindl Harald


Am 12.04.2013 02:00, schrieb LuKreme:
> Reindl Harald opined on Thursday 11-Apr-2013@17:03:50
>>
>>
>> On 12.04.2013 00:35, LuKreme wrote:
>>> # ldd /usr/local/libexec/postfix/smtpd  
>>> /usr/local/libexec/postfix/smtpd:
>>>libmysqlclient.so.16 => /usr/local/lib/mysql/libmysqlclient.so.16 
>>> (0x280cf000)
>>>libz.so.3 => /lib/libz.so.3 (0x28139000)
>>>libm.so.4 => /lib/libm.so.4 (0x2814a000)
>>>libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2816)
>>>libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x281ad000)
>>>libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x2830a000)
>>>libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x28321000)
>>>libc.so.6 => /lib/libc.so.6 (0x28354000)
>>>libcrypt.so.3 => /lib/libcrypt.so.3 (0x2843b000)
>>> # file /etc/postfix/virtual.db 
>>> /etc/postfix/virtual.db: Berkeley DB 1.85 (Hash, version 2, native 
>>> byte-order)
>>> So, postfix appears to be using Berkeley DB but is not linked against it?
>>
>> unlikely to have been generated with the build from the ldd output
> 
> I don’t understand what you mean. That is the output of my mailserver running 
> postfix 2.8

i cannot imagine that this file was created by the postfix
of which you posted the ldd output, because it is not linked
against it

>> libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)
>>
>> rpm -q --file /lib64/libdb-5.3.so
>> libdb-5.3.21-3.fc18.x86_64
> 
> Well, I do have libdb.so:
> 
> # locate libdb.so
> /usr/local/lib/db42/libdb.so
> /usr/local/lib/db44/libdb.so
> /usr/local/lib/db48/libdb.so

which does not matter because it depends on how postfix was compiled

>> libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)
> 
> And I was expecting a line like that, only "libdb.so => 
> /usr/local/lib/db48/libdv.so", only it is not there. 
> Postfix seems to be using it anyway

postconf -m
btree (berkeley)
cidr
environ
fail
hash (berkeley)
internal
memcache
mysql

nis

pcre
proxy
regexp
socketmap
static
tcp
texthash
unix

http://www.postfix.org/DB_README.html

> though I am not sure which version of libdb corresponds to Berkeley DB 1.85. 
> I’m pretty sure it is not 4.8

the 1.85 is not the libdb version, the file command is generic





Re: postfix and Berkeley DB

2013-04-11 Thread Reindl Harald


On 12.04.2013 00:35, LuKreme wrote:
> # ldd /usr/local/libexec/postfix/smtpd  
> /usr/local/libexec/postfix/smtpd:
> libmysqlclient.so.16 => /usr/local/lib/mysql/libmysqlclient.so.16 
> (0x280cf000)
> libz.so.3 => /lib/libz.so.3 (0x28139000)
> libm.so.4 => /lib/libm.so.4 (0x2814a000)
> libssl.so.7 => /usr/local/lib/libssl.so.7 (0x2816)
> libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x281ad000)
> libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x2830a000)
> libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x28321000)
> libc.so.6 => /lib/libc.so.6 (0x28354000)
> libcrypt.so.3 => /lib/libcrypt.so.3 (0x2843b000)
> # file /etc/postfix/virtual.db 
> /etc/postfix/virtual.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
> So, postfix appears to be using Berkeley DB but is not linked against it?

unlikely to have been generated with the build from the ldd output

libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)

rpm -q --file /lib64/libdb-5.3.so
libdb-5.3.21-3.fc18.x86_64

Name: libdb
Arch: x86_64
Version : 5.3.21
Release : 3.fc18
Size: 1.7 M
Repo: installed
Summary : The Berkeley DB database library for C
URL : http://www.oracle.com/database/berkeley-db/
License : BSD

ldd /usr/libexec/postfix/smtpd
linux-vdso.so.1 =>  (0x7fff8478)
libpcre.so.1 => /lib64/libpcre.so.1 (0x7f28257d2000)
libmysqlclient.so.18 => /usr/lib64/mysql/libmysqlclient.so.18 
(0x7f28252db000)
libm.so.6 => /lib64/libm.so.6 (0x7f2824fd9000)
libsasl2.so.2 => /lib64/libsasl2.so.2 (0x7f2824dbe000)
libssl.so.10 => /lib64/libssl.so.10 (0x7f2824b55000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x7f2824779000)
libdb-5.3.so => /lib64/libdb-5.3.so (0x7f28243c5000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x7f28241ac000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7f2823f92000)
libgomp.so.1 => /lib64/libgomp.so.1 (0x7f2823d83000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7f2823b67000)
libc.so.6 => /lib64/libc.so.6 (0x7f28237ae000)

libz.so.1 => /lib64/libz.so.1 (0x7f2823596000)
libdl.so.2 => /lib64/libdl.so.2 (0x7f2823392000)
librt.so.1 => /lib64/librt.so.1 (0x7f2823189000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x7f2822e86000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x7f2822c4f000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x7f2822a0b000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x7f2822726000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x7f2822522000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x7f28222f6000)
/lib64/ld-linux-x86-64.so.2 (0x7f2825cde000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x7f28220e)
libfreebl3.so => /lib64/libfreebl3.so (0x7f2821e73000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x7f2821c68000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x7f2821a64000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x7f2821841000)





Re: Setting up secure submission for remote users

2013-04-11 Thread Reindl Harald


On 12.04.2013 00:04, LuKreme wrote:
> On Apr 8, 2013, at 13:26, Jeroen Geilman  wrote:
> 
>> The clue is that there should be no permit_ rules before /or/ after 
>> permit_sasl_authenticated, and the last rule should be an explicit "reject".
> 
> Quick question on this, not ever a permit mynetworks?
> 
> (I mean, I can't think of a reason mynetworks would need to use submission, 
> but is there any reason not to allow it?)

mynetworks may be OK in most cases, but

* without authentication use port 25 and mynetworks
* if a client is using submission it is good practice to have a user in the logs

mynetworks should generally be used with care and only for specific
addresses instead of whole networks with, sooner or later, potentially
infected clients, which can be banned if using auth even if the
malware leaks auth data and abuses it from outside





Re: Stripping Received: headers

2013-04-11 Thread Reindl Harald


On 11.04.2013 19:20, Reindl Harald wrote:
> 
> 
> On 11.04.2013 18:55, Benny Pedersen wrote:
>>> smtp_header_checks are performed on outgoing mail during smtp(5)
>>> delivery.
>>
>> is submission not using smtp_header_checks?
> 
> has your submission service smtp or smtpd in master.cf?
> mine has smtpd as all other working ones out there

to make it clear:

submission is nothing other than smtpd on port 587,
and if you do not want to rely on /etc/services you would
even write 587 instead of submission

the only difference between port 25 and 587 is
usually that you require authentication on 587

[harry@srv-rhsoft:~]$ cat /etc/services | grep submission
submission  587/tcp msa # mail message submission
submission  587/udp msa # mail message submission





Re: Stripping Received: headers

2013-04-11 Thread Reindl Harald


On 11.04.2013 18:55, Benny Pedersen wrote:
>> smtp_header_checks are performed on outgoing mail during smtp(5)
>> delivery.
> 
> is submission not using smtp_header_checks?

has your submission service smtp or smtpd in master.cf?
mine has smtpd, like all other working ones out there





Re: Forwarding from a particular email address

2013-04-10 Thread Reindl Harald
do NOT top-post please!

On 10.04.2013 14:32, Indiana Jones wrote:
> Thank you, but I don't have file /postfix/virtual
> What should I do?

so what - create it?

> Quoting *Wietse Venema  *:
> 
> Indiana Jones:
> >How can I forward all e-mail messages sent to a particular address
> >on my domain to another address on another domain?
> 
> /etc/postfix/main.cf:
> virtual_alias_maps = hash:/etc/postfix/virtual
> 
> /etc/postfix/virtual:
> us...@example1.com us...@example2.com
> 
> Execute "postmap /etc/postfix/virtual" after editing the file





Re: Scheduling policies for outgoing smtp server

2013-04-08 Thread Reindl Harald


On 08.04.2013 21:08, Stan Hoeppner wrote:
> Isn't this a class of problem that can be fairly easily solved using
> virtual machines?  Dedicate a VM and Postfix per customer, without
> needing to hack up the MTA.  If the issue is "queue fairness" then one
> virtual machine per customer should address this.  Disk space is so
> cheap today that dedicating a few GB to a queue for each customer isn't
> a limiting factor.  With a sufficiently stripped down custom Linux or
> FreeBSD image the OS memory footprint should be small enough to pack
> many VMs/customers onto one machine.  In the case of Linux one may be
> able to use KVM/KSM to consolidate all the like in memory binary images,
> cutting down the total memory footprint even further.  The same can be
> done with VMWare ESXi, probably more easily in the latter case, but this
> freebie version probably limits the number of virtual machines to a
> value lower than what you'd need

have fun with a growing number of customers up to some hundreds
http://www.postfix.org/MULTI_INSTANCE_README.html









Re: misunderstanding INSTALL "vs" compile-time config ? (and MacOSX patch)

2013-04-06 Thread Reindl Harald


On 06.04.2013 21:22, Viktor Dukhovni wrote:
> Since the OP is installing into /usr/local, a non-packaged version
> is fine.  I would go further and install into:
> 
>   /usr/local/postfix/${version}/{etc,sbin,libexec,man,html}/
> 
> with "sendmail", "mailq" and "newaliases" in
> 
>   /usr/local/postfix/${version}/sbin/
> 
> and symlinks from /usr/sbin, /usr/bin to the right version.  This
> makes it easy to switch between versions and delete stale files.
> For example to build with TLS support

and exactly that DOES NOT WORK because the package manager ignores
the stuff in /usr/local and you hardly can remove MTA dependencies
at all, which means every OS update may randomly overwrite your
/usr/sbin/sendmail symlink

been there, done that, stopped mangling things this way by learning






Re: misunderstanding INSTALL "vs" compile-time config ? (and MacOSX patch)

2013-04-06 Thread Reindl Harald


On 06.04.2013 21:22, Viktor Dukhovni wrote:
> On Sat, Apr 06, 2013 at 08:38:41PM +0200, Reindl Harald wrote:
> 
>>> (1) I'm no longer interested in someone's 'downstream idea' of what
>>> version and how I should configure, build & use postfix
>>
>> what exactly did you not understand in "based on"?
> 
> No need to hammer your point in.  There's more than one way to skin
> this cat.  The OP will use whatever is most comfortable for him

that's right

but "I'm no longer interested in someone's downstream idea" in the
context of "build your OWN package" is in fact the wrong answer





Re: misunderstanding INSTALL "vs" compile-time config ? (and MacOSX patch)

2013-04-06 Thread Reindl Harald


On 06.04.2013 20:25, ixlo...@sent.at wrote:
> On Sat, Apr 6, 2013, at 10:59 AM, Reindl Harald wrote:
>> and why do you not build a package based on your distros one?
> 
> Because
> 
> (1) I'm no longer interested in someone's 'downstream idea' of what
> version and how I should configure, build & use postfix

what exactly did you not understand in "based on"?

> (2) I've had enough of being told "go talk to the distro" by the broader
> Postfix community, and the #irc folks specifically.

you missed COMPLETELY what I said

> If I build it cleanly, from upstream, and according to the Postfix docs,
> and ONLY the Postfix docs, then I can minimize, if not avoid, both
> problems

and what do you believe does my own build?

the point is that it is a very dirty style to use a system
with a package manager and blindly make && make install away
from package management

your whole problems with uid/gid would not be present if
you did not refuse to learn how this all is done in
your distribution, and this does NOT mean mangling anything
in postfix at all





Re: misunderstanding INSTALL "vs" compile-time config ? (and MacOSX patch)

2013-04-06 Thread Reindl Harald
x_command_dir}/postalias
%attr(0755, root, root) %{postfix_command_dir}/postcat
%attr(0755, root, root) %{postfix_command_dir}/postconf
%attr(0755, root, root) %{postfix_command_dir}/postfix
%attr(0755, root, root) %{postfix_command_dir}/postkick
%attr(0755, root, root) %{postfix_command_dir}/postlock
%attr(0755, root, root) %{postfix_command_dir}/postlog
%attr(0755, root, root) %{postfix_command_dir}/postmap
%attr(0755, root, root) %{postfix_command_dir}/postmulti
%attr(0755, root, root) %{postfix_command_dir}/postsuper
%attr(0755, root, root) %{postfix_command_dir}/qshape
%attr(0755, root, root) %{postfix_command_dir}/pflogsumm
%attr(0644, root, root) %config(noreplace) %{postfix_config_dir}/access
%attr(0644, root, root) %config(noreplace) %{postfix_config_dir}/canonical
%attr(0644, root, root) %config(noreplace) %{postfix_config_dir}/generic
%attr(0644, root, root) %config(noreplace) %{postfix_config_dir}/header_checks
%attr(0644, root, root) %config(noreplace) %{postfix_config_dir}/relocated
%attr(0644, root, root) %config(noreplace) %{postfix_config_dir}/transport
%attr(0644, root, root) %config(noreplace) %{postfix_config_dir}/virtual
%attr(0755, root, root) %{postfix_daemon_dir}/[^mp]*
%attr(0644, root, root) %{postfix_daemon_dir}/main.cf
%attr(0644, root, root) %{postfix_daemon_dir}/master.cf
%attr(0755, root, root) %{postfix_daemon_dir}/master
%attr(0755, root, root) %{postfix_daemon_dir}/pickup
%attr(0755, root, root) %{postfix_daemon_dir}/pipe
%attr(0755, root, root) %{postfix_daemon_dir}/post-install
%attr(0644, root, root) %{postfix_daemon_dir}/postfix-files
%attr(0755, root, root) %{postfix_daemon_dir}/postfix-script
%attr(0755, root, root) %{postfix_daemon_dir}/postfix-wrapper
%attr(0755, root, root) %{postfix_daemon_dir}/postmulti-script
%attr(0755, root, root) %{postfix_daemon_dir}/postscreen
%attr(0755, root, root) %{postfix_daemon_dir}/proxymap
%attr(0755, root, root) %{_bindir}/mailq
%attr(0755, root, root) %{_bindir}/newaliases
%attr(0755, root, root) %{_bindir}/rmail
%config(noreplace) %{_sysconfdir}/pam.d/smtp.postfix

%files manpages
%defattr(-, root, root)
%{postfix_doc_dir}
%attr(0644, root, root) %{_mandir}/man1/*
%attr(0644, root, root) %{_mandir}/man5/*
%attr(0644, root, root) %{_mandir}/man8/*

%changelog
* Fri Feb 1 2013 Reindl Harald 
- remove all the "alternatives" crap - we only use postfix

* Mon Jan 28 2013 Reindl Harald 
- remove distribution configs from package

* Thu Jan 24 2013 Reindl Harald 
- combine postfix and pflogsum in one package
- split out all manpages in a sub-package





Re: StartTLS frustrations

2013-04-05 Thread Reindl Harald


On 05.04.2013 17:23, Peter L. Berghold wrote:
> On Fri, Apr 05, 2013 at 05:19:36PM +0200, Reindl Harald wrote:
>>
>>
>> well, and this remains from your ACTIVE config
>> do you notice the "smtpd_use_tls = no"?
> 
> Yes.  I turned it off for now while I seek out advice as to why it is not 
> working for now.  It will be turned back on when I have some idea as to 
> why *else* it isn't working

what about fixing the path?
you ignored this response!

> smtpd_tls_certfile=/etc/postfix/ssl/server.crt
The correct parameter is smtpd_tls_cert_file

and that is why you should always start to debug
with "postconf -n" and "grep" to see if you have
fantasy names aka typos in your config, which may
even be overlooked by people trying to help



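The check described in this reply, done mechanically, as an added example that is not code from the thread or from Postfix: a small Python linter over "postconf -n" (or main.cf) output. It flags parameter names Postfix does not know (the smtpd_tls_certfile typo), "$variable" references to parameters that do not exist (the quoted smtp_tls_CApath = $smtpd_tls_CAPath names a parameter whose case differs from smtpd_tls_CApath, and parameter lookups are case-sensitive), and a TLS side that is switched off because neither *_use_tls = yes nor a *_tls_security_level is set, which makes the cert and key lines dead weight. KNOWN_PARAMS is a constructed subset of what "postconf -d" prints; SAMPLE and FIXED are constructed from the config quoted in this thread.

```python
"""Lint "postconf -n" (or main.cf) output for typo'd parameter names, dangling
$variable references and TLS that is silently switched off.

Added example, not code from the thread or from Postfix.  KNOWN_PARAMS is a
constructed subset of what "postconf -d" prints; SAMPLE is constructed from
the config quoted in the thread, typo and "smtpd_use_tls = no" included.
"""
import re

# Constructed subset: on a real host build it with
#   postconf -d | cut -d' ' -f1
KNOWN_PARAMS = {
    "smtpd_use_tls", "smtp_use_tls",
    "smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_tls_CAfile", "smtpd_tls_CApath",
    "smtp_tls_cert_file", "smtp_tls_key_file", "smtp_tls_CAfile", "smtp_tls_CApath",
    "smtpd_tls_security_level", "smtp_tls_security_level", "smtpd_tls_loglevel",
    "smtp_tls_note_starttls_offer", "smtpd_tls_received_header",
    "smtpd_tls_session_cache_timeout", "tls_random_source",
}

VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

SAMPLE = """\
smtpd_use_tls = no
smtp_use_tls = no
smtpd_tls_certfile = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtpd_tls_CApath = /etc/postfix/ssl
smtp_tls_CApath = $smtpd_tls_CAPath
"""

FIXED = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtp_tls_CAfile = $smtpd_tls_CAfile
"""

def parse_postconf(text):
    """'name = value' lines into a dict; comments and blank lines skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params

def lint(params, known=KNOWN_PARAMS):
    """Return (severity, message) findings; an empty list means nothing found."""
    findings = []
    for name, value in params.items():
        if name not in known:
            findings.append(("error", f"unknown parameter {name!r}: typo? Postfix ignores it"))
        for ref in VAR_RE.findall(value):
            # Lookups are case-sensitive: $smtpd_tls_CAPath is not smtpd_tls_CApath
            if ref not in known and ref not in params:
                findings.append(("error", f"{name} references undefined ${ref}"))
    for side in ("smtpd", "smtp"):
        # Either the old boolean or the newer *_tls_security_level must turn TLS on
        use = params.get(f"{side}_use_tls", "no").lower()
        level = params.get(f"{side}_tls_security_level", "none")
        if use != "yes" and level in ("", "none"):
            findings.append(("warn", f"{side}: TLS is off, cert/key settings are dead weight"))
    if any(n.startswith("smtpd_tls") for n in params) and not params.get("smtpd_tls_cert_file"):
        findings.append(("error", "no smtpd_tls_cert_file: smtpd logs 'No server certs available'"))
    return findings

def lint_text(text):
    """Convenience wrapper: lint raw postconf -n / main.cf text."""
    return lint(parse_postconf(text))

if __name__ == "__main__":
    for severity, msg in lint_text(SAMPLE):
        print(f"{severity}: {msg}")
```

Run it as "postconf -n | python3 lint.py" style by feeding the real output to lint_text with KNOWN_PARAMS built from "postconf -d"; the constructed subset here only covers the parameters the thread touches, so a full config will report names missing from that subset until it is built from the real default list.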


Re: StartTLS frustrations

2013-04-05 Thread Reindl Harald


On 05.04.2013 17:13, Peter L. Berghold wrote:
> On Fri, Apr 05, 2013 at 04:58:14PM +0200, Reindl Harald wrote:
>>
>> we don't know because you refused to provide output of
>> "postconf -n" 
> 
> as you wish:

well, and this remains from your ACTIVE config
do you notice the "smtpd_use_tls = no"?

[harry@srv-rhsoft:~/Desktop]$ cat postconf | grep tls | grep smtpd
smtp_tls_CApath = $smtpd_tls_CAPath
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtpd_tls_CApath = /etc/postfix/ssl
smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
smtpd_tls_loglevel = 4
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = no

> # postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = scan:127.0.0.1:10025
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_concurrency_limit = 30
> disable_vrfy_command = yes
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = mydomain.net,$myhostname,www.$mydomain, localhost.$mydomain, 
> localhost
> myhostname = smtp.mydomain.net
> mynetworks = 
> 98.158.185.135/32,127.0.0.1/32,68.38.202.165/32,206.217.196.75/32,216.119.148.53/32,137.236.241.122/32
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> receive_override_options = no_address_mappings
> relay_domains = mydomain.net,localhost
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
> smtp_tls_CApath = $smtpd_tls_CAPath
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = no
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_unknown_helo_hostname
> smtpd_recipient_restrictions = reject_sender_login_mismatch,
> permit_sasl_authenticated,permit_mynetworks,check_sender_access 
> hash:/etc/postfix/access,reject_invalid_hostname, 
> reject_non_fqdn_sender, reject_non_fqdn_recipient, 
> reject_unknown_sender_domain, reject_unknown_recipient_domain, 
> reject_unauth_pipelining, permit_mynetworks, 
> reject_unauth_destination, reject_rbl_client bl.spamcop.net permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
> smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
> smtpd_tls_CApath = /etc/postfix/ssl
> smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
> smtpd_tls_loglevel = 4
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = no
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
> 
> 
> 
> 

-- 

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm





Re: StartTLS frustrations

2013-04-05 Thread Reindl Harald


On 05.04.2013 16:46, Peter L. Berghold wrote:
> Getting very frustrated with trying to set up TLS using a StartSSL (StartCom)
> cert. 
> 
> Here are the applicable lines (sanitized of course) I used to set this 
> up:
> smtpd_use_tls = yes
> smtp_use_tls = yes
> smtp_tls_note_starttls_offer = yes
> smtpd_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
> smtp_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
> smtpd_tls_CApath=/etc/postfix/ssl
> smtp_tls_CApath=$smtpd_tls_CAPath
> smtpd_tls_certfile=/etc/postfix/ssl/server.crt
> smtpd_tls_key_file=/etc/postfix/ssl/mydomain.key
> smtpd_tls_loglevel=4
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> 
> This is aping everything I've read on the topic on a variety of sites.
> 
> The error I'm seeing in the maillog is:
> Apr  5 10:43:36 myhostname  postfix/smtpd[14839]: warning: No server certs 
> available. TLS won't be enabled
> 
> I've double checked the files (especially the cert file) and they are all 
> where
> I expect them to be.  What in the world am I missing?

we don't know because you refused to provide the output of
"postconf -n" as stated in the welcome message as well
as in the documentation

random snippets of a config file are worthless because
often enough people overwrite settings somewhere later
and only "postconf -n" shows the REALLY active config
_

this is a config that works for sure, for both incoming and outgoing

[root@srv-rhsoft:~]$ postconf -n | grep smtpd_tls
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

[root@srv-rhsoft:~]$ postconf -n | grep smtp_tls
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
smtp_tls_exclude_ciphers = DES-CBC3-SHA
smtp_tls_key_file = /etc/postfix/certs/localhost.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s







Re: Delivery to command in aliases ignored ?

2013-04-04 Thread Reindl Harald


On 04.04.2013 20:35, Charles Marcus wrote:
> On 2013-04-01 10:21 AM, Kajetan Dolinar  wrote:
>> By a detailed and systematic search into my main.cf , I have 
>> found out that I had a stale
>> alias_maps setting somewhere in the bushes amidst the comments and other 
>> settings. The first setting in the file
>> was the correct setting (doing the mailman job) and the second one was the 
>> stale one, which remained valid in the
>> runtime of the local process. I apologize for the confusion.
> 
> This is *precisely* why you should always use postconf -n output (both for 
> your *own* troubleshooting efforts, as
> well as for when asking for help here).
> 
> Using postconf -n would have shown you immediately (before you even got to 
> the point of asking for help here) your
> problem.
> 
> Incidentally, this is why I always leave the original main.cf as is and 
> append *all* of my custom settings to the
> very end of the file...

or if you want a REALLY clean "main.cf" copy the shipped one somewhere into
a docs folder and write a COMPLETE one of your own which is EXPLICIT

see below an example which is clear and does not need any comment line; well,
this is a setup which does not provide smtp on the network, but any other of
my machines looks identical with a smtpd block after the smtp ones

why should I want any random line in a server's config which was not
explicitly written by myself, which implies I understand it, independent of
whether we speak about postfix, dovecot, mysql or apache?

myhostname  = 
mydomain= 
myorigin= $mydomain
mynetworks  = 127.0.0.0/8
smtpd_banner= $myhostname ESMTP
mail_name   = MTA

relayhost   = [my-relayhost]:587
smtp_sasl_auth_enable   = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_use_tls= yes
smtp_tls_loglevel   = 1
smtp_tls_cert_file  = /etc/postfix/certs/localhost.pem
smtp_tls_key_file   = /etc/postfix/certs/localhost.pem
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer= yes
smtp_tls_session_cache_timeout  = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

enable_long_queue_ids   = yes
smtpd_discard_ehlo_keywords = silent-discard, etrn, dsn, vrfy, enhancedstatuscodes
smtpd_relay_restrictions= permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_limit   = 500
disable_vrfy_command= yes

mydestination   =
alias_maps  = hash:/etc/aliases
alias_database  = hash:/etc/aliases
sender_canonical_maps   = hash:/etc/postfix/canonical

double_bounce_sender= double-bounce@
address_verify_sender   = postmaster@
empty_address_recipient = postmaster@
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code= 550
unknown_hostname_reject_code= 501
unknown_address_reject_code = 550
bounce_template_file= /etc/postfix/bounce.cf
message_size_limit  = 10485760

body_checks_size_limit  = 1024
in_flow_delay   = 0
queue_run_delay = 300
minimal_backoff_time= 900
maximal_backoff_time= 3600
inet_protocols  = ipv4

readme_directory = /usr/share/doc/postfix-2.10.0/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.0/samples
sendmail_path = /usr/sbin/sendmail
html_directory = no
setgid_group = postdrop
manpage_directory = /usr/share/man
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix





Re: need advice

2013-04-01 Thread Reindl Harald


On 01.04.2013 16:59, Muhammad Yousuf Khan wrote:
> i have been working on Postfix dovecot etc for a couple of months and suddenly 
> my management asks the question that
> they want to sync mobile device calendar along with imap. i am sure about 
> IMAP i can implement this with no issues
> but calendar sync is something that i am looking for.
>  so the criteria is to sync all calendar items on android and iphone and 
> outlook etc.
> so what you please have to suggest.
> and obviously no option of third party like google calendar etc.
> we are looking for some centralized solution

what you are searching for is groupware and has nothing to do with IMAP
and least of all with postfix, which is a MTA and only a MTA





Re: smtp_sender_dependent_authentication hanging

2013-03-30 Thread Reindl Harald


On 31.03.2013 00:13, Dennis Putnam wrote:
> On 3/30/2013 6:48 PM, Reindl Harald wrote:
>>> sasl_passwd
>>>
>>> [in.mailjet.com]   
>>> 21a8f6casdasdasdadad850539efca7:ea330afe99asdasdasdasdasdfbbd3fd69
>>>
>>> sender_relay
>>>
>>> myu...@mydomain.com[in.mailjet.com]:587
>>>
>>> P.S. There is not a socket connection problem. telnet to port 587 works
>>> fine as does authentication and commands to send a test email
>> so in "sasl_passwd" you do not use the port
>>
>> well, and if you would have provided this info at begin the
>> problem would be solved with ONE reply at all
>>
>> [in.mailjet.com] is for port 25 as long as you don't specify 
>> [in.mailjet.com]:587
>>
> First, my ISP blocks port 25 that is why 587 is needed. Second, I tried
> specifying the port in the passwd file and that did not work either. You
> must have woke up on the wrong side of the bed this morning to be so
> unnecessarily rude and ornery. Never mind. I'll find another source for
> help

do so

if you change configurations, provide out-of-context ones and are not
able to provide the requested info multiple times, I am sure there are
enough manpages and howtos to learn from on your own

> you must have woke up on the wrong side of the bed this morning

no, if someone has a question he has to provide the requested information
or simply shut up in my world, and this world works well






Re: smtp_sender_dependent_authentication hanging

2013-03-30 Thread Reindl Harald


On 30.03.2013 23:30, Dennis Putnam wrote:
>> so come back with the output of "postconf -n" and both config
>> files for "smtp_sender_dependent_authentication" with only
>> the username and password replaced, or read manuals and solve your
>> troubles on your own
>>
> Sorry but I wanted to try to figure this out on my own first

so leave us in peace until you are done with this

> That is the way I learn

and waste others' time uselessly

> That is also why all my questions were asking how to
> debug this rather than ask for a solution

the world does not work this way

first you need to understand what you are doing and then
you can debug, and you can not learn if you ask questions
without providing information

> I did not mean to come across as uncooperative or ungrateful but my 
> mind was just in a different solving mode than yours

no problem if your mind works alone

> sasl_passwd
> 
> [in.mailjet.com]   
> 21a8f6casdasdasdadad850539efca7:ea330afe99asdasdasdasdasdfbbd3fd69
> 
> sender_relay
> 
> myu...@mydomain.com[in.mailjet.com]:587
> 
> P.S. There is not a socket connection problem. telnet to port 587 works
> fine as does authentication and commands to send a test email

so in "sasl_passwd" you do not use the port

well, and if you would have provided this info at begin the
problem would be solved with ONE reply at all

[in.mailjet.com] is for port 25 as long as you don't specify [in.mailjet.com]:587



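The mismatch diagnosed in this reply, checked mechanically, as an added example that is not code from the thread or from Postfix: the script parses the two maps, verifies that every next-hop in sender_relay (and the default relayhost, if any) has a matching key in sasl_passwd, and checks that the file holding the plaintext passwords is mode 0600 and has a postmap'd .db next to it that is not older than the source. The lookup order it assumes (sender address first when smtp_sender_dependent_authentication = yes, then the next-hop string exactly as written, [] and :port included) is my reading of SASL_README; the map contents are constructed from this thread with a made-up credential.

```python
"""Cross-check the maps behind sender-dependent relaying: every next-hop in
sender_dependent_relayhost_maps (and relayhost) must have an entry in
smtp_sasl_password_maps, and the password file must be private and postmap'd.

Added example, not code from the thread or from Postfix.  The lookup order
(sender address first when smtp_sender_dependent_authentication = yes, then
the next-hop exactly as written including [] and :port) is my reading of
SASL_README.  The maps below are constructed from the thread; the credential
is fake.
"""
import os

SENDER_RELAY = "myuser@mydomain.com    [in.mailjet.com]:587\n"
# What the thread shows: the key lacks the :587 that sender_relay uses
SASL_PASSWD_BROKEN = "[in.mailjet.com]    apikey:apisecret\n"
# Keyed by sender address, which is what sender-dependent auth looks up first
SASL_PASSWD_FIXED = "myuser@mydomain.com    apikey:apisecret\n"

def parse_map(text):
    """Postfix text map: 'key value' per line, '#' comments and blanks ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1]
    return entries

def check_relays(sender_relay, sasl_passwd, relayhost="", sender_dependent=True):
    """Return problems as strings; an empty list means every target has credentials."""
    problems = []
    targets = list(sender_relay.items())
    if relayhost:
        targets.append((None, relayhost))
    for sender, nexthop in targets:
        keys = [nexthop]
        if sender_dependent and sender is not None:
            keys.insert(0, sender)
        if not any(k in sasl_passwd for k in keys):
            # The usual trap: sasl_passwd says [host], sender_relay says [host]:587
            host = nexthop.split("]")[0]
            near = [k for k in sasl_passwd if k.split("]")[0] == host]
            hint = f" (found {near[0]!r}: keys must match exactly, port included)" if near else ""
            problems.append(f"no credentials for {sender or 'relayhost'} -> {nexthop}{hint}")
    for key, cred in sasl_passwd.items():
        if ":" not in cred:
            problems.append(f"{key}: credential is not user:password")
    return problems

def check_perms(path):
    """The plaintext password file: mode 0600 and a postmap'd .db newer than it."""
    problems = []
    st = os.stat(path)
    if st.st_mode & 0o077:
        problems.append(f"{path}: mode {oct(st.st_mode & 0o777)}, should be 0600")
    db = path + ".db"
    if not os.path.exists(db):
        problems.append(f"{db} missing: run postmap {path}")
    elif os.stat(db).st_mtime < st.st_mtime:
        problems.append(f"{db} older than {path}: run postmap again")
    return problems

if __name__ == "__main__":
    for p in check_relays(parse_map(SENDER_RELAY), parse_map(SASL_PASSWD_BROKEN)):
        print(p)
```

The hint in the first finding is the whole point: Postfix does not normalise the key, so "[in.mailjet.com]" and "[in.mailjet.com]:587" are different entries, and a relay that answers on 587 but never receives AUTH produces exactly the "relay access denied" the thread started with.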


Re: smtp_sender_dependent_authentication hanging

2013-03-30 Thread Reindl Harald


On 30.03.2013 19:28, Dennis Putnam wrote:
> On 3/30/2013 2:07 PM, Gerald Vogt wrote:
>> Sorry, but maybe you should not try to configure a mail server/relay for
>> the internet if you have trouble understanding this simple error
>> message. It seems a very bad idea to run an internet server if you have
>> so many difficulties with the absolute basics (like providing the
>> information requested multiple times by now...) There are already too
>> many open relays in the internet...
>> As the error message says, it times out while receiving the initial
>> server greeting. There is no dialog. It doesn't even start. There is not
>> even the initial greeting. So figure what could be the problem for
>> that... Should be pretty straight forward to understand...

+1

> I know very well what the error message means. It is the underlying
> events that I don't understand. How am I supposed to know if this is a
> timeout trying to open a port as opposed to making a successful socket
> connection and then not receiving a response to the HELO command?

by "telnet in.mailjet.com 25", as everybody does to see if a tcp connection
itself is successful

> E7B1E1FA81: conversation with in.mailjet.com[46.105.158.233] timed out
> while receiving the initial server greeting

but since we do NOT see here a different port than 25 and you refuse MULTIPLE
times to post your damned config I guess again that you do not try to
configure your server to submit authenticated messages to port 587
and are coming from an IP which is not allowed to submit via port 25 for
whatever reason on the destination - but what do I know, because you
refuse to help others helping you all the time

so come back with the output of "postconf -n" and both config
files for "smtp_sender_dependent_authentication" with only
the username and password replaced, or read manuals and solve your
troubles on your own





Re: smtp_sender_dependent_authentication help

2013-03-30 Thread Reindl Harald
On 30.03.2013 17:03, Dennis Putnam wrote:
> Here's 2 (the ones I use the most) where bottom posting gets complaints.
> 
> rusht...@csdco.com
> cufsalumni-l...@bellsouth.com

refer these idiots to some examples like:
http://fedoraproject.org/wiki/Mailing_list_guidelines#Proper_posting_style
http://ffmpeg.org/contact.html

and look at this message to understand the problem

* you write a message
* you get an answer at the bottom
* you answer on top

how do you imagine that anybody can follow the thread?

> On 3/30/2013 11:59 AM, Reindl Harald wrote:
>>
>> On 30.03.2013 16:54, Dennis Putnam wrote:
>>> On 3/30/2013 11:46 AM, Reindl Harald wrote:
>>>>>> please try to understand that nobody can answer your questions
>>>>>> without any useful information!
>>>>>>
>>>>>> * why should "debug_level" indicate an authentication failure?
>>>>>> * what sort of typo
>>>>>>
>>>>>> provide a valid example
>>>>>>
>>>>> Sorry. Habit. I get the opposite complaint from all my other lists
>>>> impossible
>>>>
>>>> you only get the opposite complaint if you post complete logfiles
>>>> and complete, unspecific and large configuration files instead
>>>> of posting specific parts
>>>>
>>>> with the information you posted in this thread you get a complaint
>>>> on ANY mailing list or no answer at all because our crystal balls
>>>> are broken and so we need info about what someone is talking about
>>>> to give answers
>>> Are we talking about the same thing? Top posting rather than bottom posting?
>> no - but the same:
>> show me ONE list where you get no complaint for top-posting





Re: smtp_sender_dependent_authentication hanging

2013-03-30 Thread Reindl Harald

On 30.03.2013 16:52, Dennis Putnam wrote:
> I think I have everything set up correctly now but when I send a message
> from the sender in question, something is hanging and there is no debug
> output in the log. Here are the running processes:
> 
> root  6353  0.0  0.2  12488  2444 ?Ss   07:16   0:00
> /usr/libexec/postfix/master
> postfix   8242  0.0  0.2  13524  2564 ?S11:36   0:00 qmgr -l
> -t fifo -u
> postfix   8243  0.0  0.2  12564  2396 ?S11:36   0:00 pickup
> -l -t fifo -u
> postfix   8274  0.0  0.4  13496  4176 ?S11:40   0:00 smtp -t
> unix -u
> postfix   8275  0.0  0.2  12560  2488 ?S11:40   0:00 tlsmgr
> -l -t unix -u
> 
> I am not familiar enough with postfix to figure out which process is
> hanging but based on 'top' none are using any resources. I can only
> guess that there is something going on with authentication (tlsmgr?) but
> I don't know how to get any debug out of it. Can someone suggest a way
> to debug this? Perhaps this symptom is common to initial setup and
> someone can suggest a cause.

ok now it is enough

* read the welcome message of the list
* provide output of "postconf -n"
* provide content of "master.cf" if you changed it
* provide the part of /var/log/maillog from connection to your "hang"
* BEFORE posting maillog parts DISABLE debug as you can read in the debug howto
* read http://www.postfix.org/DEBUG_README.html





Re: smtp_sender_dependent_authentication help

2013-03-30 Thread Reindl Harald


On 30.03.2013 16:54, Dennis Putnam wrote:
> On 3/30/2013 11:46 AM, Reindl Harald wrote:
>>>> please try to understand that nobody can answer your questions
>>>> without any useful information!
>>>>
>>>> * why should "debug_level" indicate an authentication failure?
>>>> * what sort of typo
>>>>
>>>> provide a valid example
>>>>
>>> Sorry. Habit. I get the opposite complaint from all my other lists
>> impossible
>>
>> you only get the opposite complaint if you post complete logfiles
>> and complete, unspecific and large configuration files instead
>> of posting specific parts
>>
>> with the information you posted in this thread you get a complaint
>> on ANY mailing list or no answer at all because our crystal balls
>> are broken and so we need info about what someone is talking about
>> to give answers
>
> Are we talking about the same thing? Top posting rather than bottom posting?

no - but the same:
show me ONE list where you get no complaint for top-posting





Re: smtp_sender_dependent_authentication help

2013-03-30 Thread Reindl Harald


On 30.03.2013 16:42, Dennis Putnam wrote:
> On 3/30/2013 11:39 AM, Reindl Harald wrote:
>> do NOT top-post
>>
>> On 30.03.2013 16:34, Dennis Putnam wrote:
>>> On 3/30/2013 7:16 AM, Reindl Harald wrote:
>>>> On 30.03.2013 12:10, Dennis Putnam wrote:
>>>>> I'm trying to set up  smtp_sender_dependent_authentication and am having
>>>>> trouble. Here are the relevant main.cf directives:
>>>>>
>>>>> smtp_sasl_auth_enable = yes
>>>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>>>> smtp_sasl_security_options =
>>>>> smtp_generic_maps = hash:/etc/postfix/generic
>>>>> alias_database = hash:/etc/postfix/aliases
>>>>> smtp_sender_dependent_authentication = yes
>>>>> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
>>>>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>>>>>
>>>>> When I set peer level debugging = 2, there is no attempt to authenticate
>>>>> to the relay host. It simply tries to send mail which is rejected with a
>>>>> relay access denied error. What am I missing?
>>>> without details of "/etc/postfix/sasl_passwd" and 
>>>> "/etc/postfix/sender_relay"
>>>> as well as a specific log entry nobody can say anything
>>>>
>>>> did you postmap both files?
>>> Thanks for the reply. I found the problem but the debug was no help. I
>>> had a typo in the password file. Why did debug level 2 not indicate an
>>> authentication failure?
>> please try to understand that nobody can answer your questions
>> without any useful information!
>>
>> * why should "debug_level" indicate an authentication failure?
>> * what sort of typo
>>
>> provide a valid example
>>
> Sorry. Habit. I get the opposite complaint from all my other lists

impossible

you only get the opposite complaint if you post complete logfiles
and complete, unspecific and large configuration files instead
of posting specific parts

with the information you posted in this thread you get a complaint
on ANY mailing list or no answer at all because our crystal balls
are broken and so we need info about what someone is talking about
to give answers





Re: smtp_sender_dependent_authentication help

2013-03-30 Thread Reindl Harald
do NOT top-post

On 30.03.2013 16:34, Dennis Putnam wrote:
> On 3/30/2013 7:16 AM, Reindl Harald wrote:
>>
>> On 30.03.2013 12:10, Dennis Putnam wrote:
>>> I'm trying to set up  smtp_sender_dependent_authentication and am having
>>> trouble. Here are the relevant main.cf directives:
>>>
>>> smtp_sasl_auth_enable = yes
>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>> smtp_sasl_security_options =
>>> smtp_generic_maps = hash:/etc/postfix/generic
>>> alias_database = hash:/etc/postfix/aliases
>>> smtp_sender_dependent_authentication = yes
>>> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
>>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>>>
>>> When I set peer level debugging = 2, there is no attempt to authenticate
>>> to the relay host. It simply tries to send mail which is rejected with a
>>> relay access denied error. What am I missing?
>> without details of "/etc/postfix/sasl_passwd" and "/etc/postfix/sender_relay"
>> as well as a specific log entry nobody can say anything
>>
>> did you postmap both files?
>
> Thanks for the reply. I found the problem but the debug was no help. I
> had a typo in the password file. Why did debug level 2 not indicate an
> authentication failure?

please try to understand that nobody can answer your questions
without any useful information!

* why should "debug_level" indicate an authentication failure?
* what sort of typo

provide a valid example





Re: smtp_sender_dependent_authentication help

2013-03-30 Thread Reindl Harald


On 30.03.2013 12:10, Dennis Putnam wrote:
> I'm trying to set up  smtp_sender_dependent_authentication and am having
> trouble. Here are the relevant main.cf directives:
> 
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
> smtp_generic_maps = hash:/etc/postfix/generic
> alias_database = hash:/etc/postfix/aliases
> smtp_sender_dependent_authentication = yes
> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> 
> When I set peer level debugging = 2, there is no attempt to authenticate
> to the relay host. It simply tries to send mail which is rejected with a
> relay access denied error. What am I missing?

without details of "/etc/postfix/sasl_passwd" and "/etc/postfix/sender_relay"
as well as a specific log entry nobody can say anything

did you postmap both files?





Re: Postfix SSL client config

2013-03-29 Thread Reindl Harald

On 29.03.2013 13:16, sulli...@indra.com wrote:
> I'm trying to set up a simple email relay host, with my home
> linux box sending to smtp.indra.com.
> I'm running Postfix 2.9.6-1~12.1 on Xubuntu 3.5.0.26,
> and I need to use SSL to talk to indra.
> 
> I think SSL works on port 465 because I can use openssl to connect

yes, but not for the postfix-client as you have even quoted

> Mar 28 14:22:02 helix postfix/smtp[10392]: CLIENT wrappermode (port
> smtps/465) is unimplemented
> Mar 28 14:22:02 helix postfix/smtp[10392]: instead, send to (port
> submission/587) with STARTTLS

so use port 587 instead of 465





Re: Vaction for Virtual Domains?

2013-03-26 Thread Reindl Harald


On 27.03.2013 00:03, craig.post...@noboost.org wrote:
> Product: 
> postfix-2.6.6-2.2.el6_1.x86_64
> 
> 
> We used to use the old vacation package for ages
> http://sourceforge.net/projects/vacation/. However since moving to
> virtual domains, I've had to move away from this product (as virtual
> domains don't support .forward files).
> 
> Has anyone else found a solution? 

sieve on dovecot-lmtp / dbmail-lmtp
vacation is not really the job of the MTA





Re: dictionary-attack

2013-03-26 Thread Reindl Harald


On 26.03.2013 19:36, Lima Union wrote:
> On Tue, Mar 26, 2013 at 3:21 PM, Wietse Venema  wrote:
>> A common mistake is to turn on chroot operation in the master.cf
>> file without going through all the necessary steps to set up a
>> chroot environment. This causes Postfix daemon processes to fail
>> due to all kinds of missing files.
>>
>> The example below shows an SMTP server that is configured with
>> chroot turned off:
>>
>> /etc/postfix/master.cf:
>> # =
>> # service type  private unpriv  chroot  wakeup  maxproc command
>> #   (yes)   (yes)   (yes)   (never) (100)
>> # =
>> smtp  inet  n   -   n   -   -   smtpd
>>
>> Inspect master.cf for any processes that have chroot operation not
>> turned off. If you find any, save a copy of the master.cf file, and
>> edit the entries in question. After executing the command "postfix
>> reload", see if the problem has gone away.
>>
> Wietse, ok, I'll disable the fqrdns check for now and check the chroot
> configuration after I return from holidays

this is ONE char in the master.cf and if i were you i
would not go on holiday as long as a production server is
known to be misconfigured



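Wietse's instruction above is to inspect master.cf for services whose chroot column is not turned off. The following is an added example, not code from the thread or from Postfix, that performs that inspection on a constructed master.cf sample using the column layout he quoted; the sample content, the `chroot_default` parameter and the treatment of "-" as "use the default" are this example's assumptions.

```python
"""Flag master.cf services that will run chrooted.

Added example for the thread above (not Wietse's or Reindl's code): it reads
the same column layout Wietse quoted and reports every service whose chroot
column is "y", or "-" when the documented default is yes.
"""

# Constructed sample (not any real system's master.cf). Three cases:
# explicit "n", explicit "y", and "-" (use the default).
SAMPLE_MASTER_CF = """\
# =
# service type  private unpriv  chroot  wakeup  maxproc command
#   (yes)   (yes)   (yes)   (never) (100)
# =
smtp       inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
submission inet  n       -       y       -       -       smtpd
pickup     unix  n       -       -       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
"""


def parse_master_cf(text, chroot_default="y"):
    """Return [(service, type, effective_chroot_flag), ...].

    Comment lines and indented "-o" continuation lines are skipped. A "-" in
    the chroot column means "use the default"; the master.cf header quoted in
    the thread documents that default as (yes), hence chroot_default="y".
    Assumption for newer installs: Postfix 3.0 changed that default to no,
    so pass chroot_default="n" there (check the header of your own file).
    """
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            continue  # "-o name=value" override belonging to the previous service
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry; postconf -M will complain
        service, stype, chroot = fields[0], fields[1], fields[4]
        if chroot == "-":
            chroot = chroot_default
        services.append((service, stype, chroot))
    return services


def chrooted_services(text, chroot_default="y"):
    """Names of the services that will run inside the chroot jail.

    These are the entries to review (or flip to "n", the one-character fix
    Reindl refers to) when daemons fail on missing files.
    """
    return [name for name, _, flag in parse_master_cf(text, chroot_default)
            if flag == "y"]


if __name__ == "__main__":
    for name in chrooted_services(SAMPLE_MASTER_CF):
        print(f"{name}: runs chrooted")
```

On Postfix 2.9 and later, `postconf -M` prints the same entries already expanded, so the parser is only needed when reviewing a copy of the file offline; the character Reindl refers to is the chroot column of the failing service.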


Re: TLS Question, untrusted connection

2013-03-26 Thread Reindl Harald


On 26.03.2013 10:53, Marko Weber|ZBF wrote:
> 
> 
> On 2013-03-26 10:30, Reindl Harald wrote:
>> On 26.03.2013 09:44, Marko Weber|ZBF wrote:
>>> Mar 25 14:04:35 mail postfix/smtpd[31103]: Untrusted TLS connection 
>>> established from
>>> loninmrp15.uk.db.com[160.83.44.131]: TLSv1 with cipher DHE-RSA-AES256-SHA 
>>> (256/256 bits)
>>>
>>> why is on incoming mails the TLS connection untrusted?
>>
>> http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57760.html
> 

did you read the link?

> u seen that "outgoing" mails do "verified TLS connection?"

the server on the other side has a verified cert

> i ask myself why the connection is "UNTRUSTED" when this client sends to me
> the connection is not "trusted" ?

does the client have a verified cert?
no it does not!





Re: TLS Question, untrusted connection

2013-03-26 Thread Reindl Harald


On 26.03.2013 09:44, Marko Weber|ZBF wrote:
> Mar 25 14:04:35 mail postfix/smtpd[31103]: Untrusted TLS connection 
> established from
> loninmrp15.uk.db.com[160.83.44.131]: TLSv1 with cipher DHE-RSA-AES256-SHA 
> (256/256 bits)
> 
> why is on incoming mails the TLS connection untrusted?

http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57760.html





Re: limit for messages per connection?

2013-03-20 Thread Reindl Harald


On 20.03.2013 17:33, Wietse Venema wrote:
> Reindl Harald:
>> smtpd_recipient_limit = 100
>> anvil_rate_time_unit = 1800s
>> smtpd_client_connection_rate_limit = 80
>
> Have you considered:
> smtpd_client_message_rate_limit
> smtpd_client_recipient_rate_limit

thank you - no i have not because i was still in the middle
of the documentation searching for "limit" :-)

i have exactly 1418 messages between
Mar 20 16:08:06
Mar 20 16:24:09

normally we have not more than 1000 messages outgoing on this
machine a day because real mass-mailing is prohibited but i
am unsure about the impact of the anvil / limit calculation
to not make troubles for legitimate mail in case someone sends
for example 5 mails to 20 RCPTs in a few minutes which may
happen from time to time

would you consider this as safe?
smtpd_client_message_rate_limit = 500
smtpd_client_recipient_rate_limit = 500





Re: block remote clients

2013-03-20 Thread Reindl Harald


On 20.03.2013 17:17, Ron Rondis wrote:
> I'm trying to configure Postfix in a way that it will block post from remote 
> clients to local (system) users of the
> mail server.
> 
> In my current configuration I set "local_transport = error:local delivery is 
> disabled" but I don't like it. Is
> there another
> way to configure Postfix so it will reject post to system users from remote 
> clients and at the same time will
> accept posts from $myorigin?

smtpd_recipient_restrictions = permit_mynetworks
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 permit_sasl_authenticated

i would wonder how a system user passes the fqdn check
and placed before "permit_sasl_authenticated" it will also
reject mistakes from authenticated users



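The restriction list in Reindl's reply decides by the first entry that returns PERMIT or REJECT; entries that do not apply return DUNNO and the walk continues. As an added example (not Postfix's code and not from the thread), here is a small Python model of that evaluation for the four restrictions he lists, which shows why an authenticated user with a non-FQDN recipient is still rejected. The `$mynetworks` ranges, the client addresses and the simplified FQDN test are this example's assumptions; it models nothing beyond those four restrictions.

```python
"""Order-dependence of smtpd_recipient_restrictions, modelled in Python.

Added example for the four-entry list Reindl posted (not Postfix's own
code). Postfix walks a restriction list from left to right and the first
entry that returns PERMIT or REJECT decides; entries that do not apply
return DUNNO. Only the four restrictions in the thread are modelled, in a
simplified form; there is no reject_unauth_destination and no access map
handling here.
"""
import ipaddress

# Constructed $mynetworks for the example (not from the thread).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]

# The list exactly as posted in the reply above.
REINDL_LIST = ["permit_mynetworks", "reject_non_fqdn_recipient",
               "reject_non_fqdn_sender", "permit_sasl_authenticated"]


def is_fqdn(address):
    """Simplified reject_non_fqdn_* test: needs an @ and a domain with at
    least two non-empty labels ("root" and "root@localhost" both fail)."""
    if "@" not in address:
        return False
    labels = address.rsplit("@", 1)[1].split(".")
    return len(labels) >= 2 and all(labels)


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_non_fqdn_recipient(s):
    return "DUNNO" if is_fqdn(s["recipient"]) else "REJECT"


def reject_non_fqdn_sender(s):
    if s["sender"] == "":
        return "DUNNO"  # the null sender of bounces is exempt
    return "DUNNO" if is_fqdn(s["sender"]) else "REJECT"


def permit_sasl_authenticated(s):
    return "PERMIT" if s["sasl_authenticated"] else "DUNNO"


RULES = {f.__name__: f for f in (permit_mynetworks, reject_non_fqdn_recipient,
                                  reject_non_fqdn_sender,
                                  permit_sasl_authenticated)}


def evaluate(restrictions, session):
    """Return (action, restriction_that_decided). ("DUNNO", None) means the
    list reached its end without a decision; Postfix's remaining checks
    (e.g. the relay restrictions) would then apply."""
    for name in restrictions:
        action = RULES[name](session)
        if action != "DUNNO":
            return action, name
    return "DUNNO", None


def decide(client_ip, sender, recipient, sasl_authenticated=False,
           restrictions=REINDL_LIST):
    """Convenience wrapper: one SMTP session described by its four facts."""
    return evaluate(restrictions, {"client_ip": client_ip, "sender": sender,
                                   "recipient": recipient,
                                   "sasl_authenticated": sasl_authenticated})


if __name__ == "__main__":
    # An authenticated user who typos the recipient is rejected too, because
    # reject_non_fqdn_recipient sits before permit_sasl_authenticated.
    print(decide("203.0.113.7", "user@example.net", "root",
                 sasl_authenticated=True))
```

Swapping the last two entries in `REINDL_LIST` changes the outcome for the authenticated client: the same typo would then be permitted, which is the order effect Reindl points out.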


limit for messages per connection?

2013-03-20 Thread Reindl Harald
Hi


smtpd_recipient_limit = 100
anvil_rate_time_unit = 1800s
smtpd_client_connection_rate_limit = 80

some minutes ago a user sent out 1500 messages
i see more than one SASL auth per second, none
of the settings above are stopping this and so i
assume that outlook is using the same connection
but always sending a single mail to get around the
"smtpd_recipient_limit" and also not get blocked
by the "smtpd_client_connection_rate_limit"

is there a way to prevent such idiots from
working around limits this way?





Re: Migration from Microsoft Exchange Server

2013-03-20 Thread Reindl Harald


On 20.03.2013 12:12, Ashok Kumar J wrote:
> I want to migrate from Microsoft Exchange Server to Postfix mail server. 
> please give your valuable suggestion.

http://www.postfix.org/documentation.html

and postfix is only an MTA
so you need dovecot or whatever for IMAP/POP3 too

sorry, a mailing-list is not the place to start!





Re: What does Postfix do with a 554 on connection?

2013-03-19 Thread Reindl Harald


On 20.03.2013 00:54, Wietse Venema wrote:
> Reindl Harald:
>>> I don't think that Postfix has ever distinguished between 5xx codes
>>> at this protocol stage. The documentation says:
>>>
>>>    smtp_skip_5xx_greeting (default: yes)
>>>
>>>    Skip remote SMTP servers that greet with a 5XX status code
>>>    (go away, do not try again later).
>>>
>>>    By default, the Postfix SMTP client moves on to the next mail
>>>    exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix
>>>    should bounce the mail immediately. The default setting is
>>>    incorrect, but it is what a lot of people expect to happen
>>
>> now i am more confused than before
>>
>> what the documentation above and the description says is not to
>> bounce it, the RFC seems to indicate this too, so i do not get
>> "The default setting is incorrect" in my picture
> 
> As I wrote, I will update the documentation which predates the
> time that 554 was a defined greeting code

sorry if i sound stupid this time

should it be bounced and unsubscribed or left in the newsletter-list?
from a users point of view "greeting code" is vague





Re: What does Postfix do with a 554 on connection?

2013-03-19 Thread Reindl Harald


On 20.03.2013 00:26, Wietse Venema wrote:
> John Levine:
>> RFC 5321 says that if a mail server gives an initial banner with a 554
>> status code, that means "no mail server here", so the client should do
>> whatever it normally does on a connection failure, looking for another
>> MX at equal or lower priority.
> 
> I don't think that Postfix has ever distinguished between 5xx codes
> at this protocol stage. The documentation says:
> 
>    smtp_skip_5xx_greeting (default: yes)
> 
>    Skip remote SMTP servers that greet with a 5XX status code
>    (go away, do not try again later).
> 
>    By default, the Postfix SMTP client moves on to the next mail
>    exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix
>    should bounce the mail immediately. The default setting is
>    incorrect, but it is what a lot of people expect to happen

now i am more confused than before

what the documentation above and the description says is not to
bounce it, the RFC seems to indicate this too, so i do not get
"The default setting is incorrect" in my picture

until now i had 554 in my bounce-management to implicitly unsubscribe
from newsletters, removed it after the initial post and am not sure
what is the best thing to do





Re: SMTP authentication

2013-03-19 Thread Reindl Harald


On 19.03.2013 18:47, Matteo Marescotti wrote:
> 250 DSN
> mail from:
> 250 2.1.0 Ok
> rcpt to:
> 554 5.7.1 : Client host rejected: Access denied
> 
> because user authentication is now required. I simply wondered why the client 
> is rejected after "rcpt to" and not
> just after "mail from". Maybe there is no configuration which allows for 
> rejecting an unauthenticated client after
> the first command. I asked because you are certainly more familiar than me 
> with Postfix configuration options.
> Thank you anyway

because it is a really stupid idea to reject too soon and
then miss information in the logfiles which can
be helpful if your user calls you for support or you
want to actively provide the user with support

iPhones as an example are regularly the clients here losing
the auth-settings for whatever reason and trying for weeks
and months to submit the same message

in such cases it is helpful to provide the user a log entry
with MAIL FROM and MAIL TO because he thinks the
message was sent



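Two things discussed in the threads above are visible in the smtpd log: the per-client message rate that smtpd_client_message_rate_limit counts (the "limit for messages per connection?" exchange with Wietse) and the MAIL FROM / MAIL TO pair that a RCPT-stage reject leaves behind for support (this thread). The following is an added example, not from the list or from Postfix, that extracts both from constructed log lines written in Postfix's logging format. The usernames and addresses are invented, the year supplied to the syslog timestamps is an assumption, and the sliding-window counting is an approximation of anvil's accounting (anvil counts per fixed anvil_rate_time_unit; a sliding window is stricter), not anvil's code.

```python
"""Two log-side checks for the threads above.

Added example (not from the mailing list or from Postfix): find an
authenticated user who pushes many messages in one anvil time unit, and
recover the MAIL FROM / RCPT TO pair from RCPT-stage rejects. The log lines
below are constructed in Postfix's format, not taken from a real server.
"""
import re
from collections import defaultdict
from datetime import datetime

ANVIL_RATE_TIME_UNIT = 1800  # seconds, as in Reindl's main.cf
PROPOSED_MESSAGE_RATE_LIMIT = 500  # the smtpd_client_message_rate_limit he proposed

# Constructed sample log: "bob" submits five messages in five seconds over
# separate authenticated sessions, "alice" sends two more than a half-hour
# apart, and one remote client is rejected at RCPT TO for a non-FQDN recipient.
SAMPLE_LOG = """\
Mar 20 16:08:06 mail postfix/smtpd[10392]: 3A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 20 16:08:07 mail postfix/smtpd[10393]: 3A1B2C3D4F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 20 16:08:08 mail postfix/smtpd[10394]: 3A1B2C3D50: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 20 16:08:09 mail postfix/smtpd[10395]: 3A1B2C3D51: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 20 16:08:10 mail postfix/smtpd[10396]: 3A1B2C3D52: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 20 16:10:00 mail postfix/smtpd[10397]: 3A1B2C3D53: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 20 16:12:00 mail postfix/smtpd[10398]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 504 5.5.2 <root>: Recipient address rejected: need fully-qualified address; from=<user@example.net> to=<root> proto=ESMTP helo=<mail.example.net>
Mar 20 16:12:00 mail postfix/smtpd[10398]: disconnect from unknown[203.0.113.77]
Mar 20 16:40:01 mail postfix/smtpd[10399]: 3A1B2C3D54: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=alice@example.com
""".splitlines()

# One "client=... sasl_username=..." line is logged per accepted submission.
CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=(?P<client>\S+), sasl_method=\S+, sasl_username=(?P<user>\S+)$")
# A reject after RCPT TO carries both envelope addresses, which is the
# evidence Reindl wants to keep for support calls.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3} \S+) .*?; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>")


def _syslog_time(ts, year=2013):
    # syslog timestamps carry no year; 2013 is assumed to match the thread
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def messages_per_user(lines):
    """Map sasl_username -> sorted list of submission times."""
    per_user = defaultdict(list)
    for line in lines:
        m = CLIENT_RE.match(line)
        if m:
            per_user[m["user"]].append(_syslog_time(m["ts"]))
    return {user: sorted(times) for user, times in per_user.items()}


def rate_limit_hits(lines, limit, window=ANVIL_RATE_TIME_UNIT):
    """Return {user: peak_count} for users whose submissions within any
    `window` seconds exceed `limit` (sliding-window approximation of what
    smtpd_client_message_rate_limit enforces per anvil_rate_time_unit)."""
    hits = {}
    for user, times in messages_per_user(lines).items():
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() >= window:
                start += 1  # drop submissions that fell out of the window
            count = end - start + 1
            if count > limit:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def rejected_rcpts(lines):
    """(sender, recipient, status) for every RCPT-stage reject."""
    return [(m["sender"], m["rcpt"], m["code"])
            for m in map(REJECT_RE.search, lines) if m]


if __name__ == "__main__":
    # limit=3 shows the mechanism on the tiny sample; production would use 500
    print(rate_limit_hits(SAMPLE_LOG, limit=3))
    print(rejected_rcpts(SAMPLE_LOG))
```

With the proposed limit of 500 the sample produces no hit, which is the "is it safe for legitimate mail" question in the thread turned into something you can run over a day of real log before changing main.cf.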


Re: postfix / dkim: no signature for emails submitted through ssh tunnel

2013-03-16 Thread Reindl Harald


On 16.03.2013 20:51, patrick.proniew...@free.fr wrote:
> main.cf reads: 
> 
> smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock 
> inet:127.0.0.1:8891 
> non_smtpd_milters = inet:127.0.0.1:8891

that is only a snippet and, as stated in the welcome
message, post the output of "postconf -n"





Re: Spam milters

2013-03-14 Thread Reindl Harald


On 14.03.2013 21:47, The Doctor wrote:
> I want to avoid perl-ware like amavisd and MailScanner
> Any recommendations for a milter that would drop high spam?

i would filter spam ALWAYS with a dedicated spam-firewall
appliance in front of the postfix server acting as MX







Re: LDA understanding

2013-03-14 Thread Reindl Harald


On 14.03.2013 21:31, Kris Deugau wrote:
> Reindl Harald wrote:
>> usually sieve comes AFTER SpamAssassin because it is a broken
>> setup using a POST queue filter because it results in becoming
>> a backscatter source and you are usually not permitted by law
>> to accept a message with "250 OK" and drop it silently
> 
> Laws vary by region.  So far as my personal mail handling goes, I also
> want to divert eg mailing lists like this one to a mail folder *before*
> calling an expensive content filter on a message that isn't spam

forget the law

if you were my mailadmin and killed messages with SpamAssassin
without rejecting them properly so a sane sender would get a bounce
from its own mailserver i would kill you





Re: LDA understanding

2013-03-14 Thread Reindl Harald


On 14.03.2013 21:04, Ansgar Wiechers wrote:
> On 2013-03-14 Reindl Harald wrote:
>> On 14.03.2013 17:07, Kris Deugau wrote:
>>> Jerry wrote:
>>>> Personally, I have no idea why anyone uses "procmail". For
>>>> relatively fine grain sorting of mail upon delivery, I use Dovecot
>>>> and Sieve. From what I can ascertain, procmail hasn't even been
>>>> maintained in over a decade.
>>>
>>> Sieve can't call outside programs (eg SpamAssassin) by design.  IMO
>>> the inability to call any external filtering programs (even from a
>>> restricted whitelist) makes overall mail filtering significantly
>>> harder
>>
>> usually sieve comes AFTER SpamAssassin because it is a broken setup
>> using a pre queue filter because it results in becoming a backscatter
>> source and you are usually not permitted by law to accept a message
>> with "250 OK" and drop it silently
> 
> That would be a post-queue filter. A pre-queue filter rejects, so you
> don't become a backscatter source

sorry, yes, i reverted the terminology

however, in the order of Sieve it would be way too late to
call SpamAssassin because you CAN NOT reject at this time
and spam has to be REJECTED long before LDA / Sieve





Re: LDA understanding

2013-03-14 Thread Reindl Harald


On 14.03.2013 17:07, Kris Deugau wrote:
> Jerry wrote:
>> Personally, I have no idea why anyone uses "procmail". For relatively
>> fine grain sorting of mail upon delivery, I use Dovecot and Sieve. From
>> what I can ascertain, procmail hasn't even been maintained in over a
>> decade.
> 
> Sieve can't call outside programs (eg SpamAssassin) by design.  IMO the
> inability to call any external filtering programs (even from a
> restricted whitelist) makes overall mail filtering significantly harder

usually sieve comes AFTER SpamAssassin because it is a broken
setup using a pre queue filter because it results in becoming
a backscatter source and you are usually not permitted by law
to accept a message with "250 OK" and drop it silently





Re: Limiting email relays to non-existent users

2013-03-14 Thread Reindl Harald


On 14.03.2013 12:47, Elaconta.com Webmaster wrote:
> Also for more clarification: We require authentication for all of our email 
> users, and have hourly email sending
> quotas in place.
> But there's nothing stopping auth'ed users from sending emails to lots of 
> non-existent users, and that affects the
> email server's reputation negatively.
> 
> Hence our trying to reduce to amount of emails send to non-existent emails

if you are sending mass-email you need a working BOUNCE-MANAGEMENT
and remove non-existent users from any lists, if you are not
able to do this avoid mass e-mails or try to educate your
users not to ignore bounces







Re: Postfix being an ass: Relay access denied when rcpt to: is issued

2013-03-13 Thread Reindl Harald


On 13.03.2013 20:45, Archangel wrote:
> here's the output of the grep command on mail.log:
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: error: open database 
> /etc/postfix/filtered_domains.db: No such
> file or directory
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: connect from 
> ip68-227-115-116.ok.ok.cox.net
> [68.227.115.116]
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: warning: 
> hash:/etc/postfix/filtered_domains is unavailable. open
> database /etc/postfix/filtered_domains.db: No such file or directory
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: warning: 
> hash:/etc/postfix/filtered_domains: table lookup problem
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: NOQUEUE: reject: RCPT from 
> ip68-227-115-116.ok.ok.cox.net
> [68.227.115.116]: 451 4.3.5 
>  >: Recipient address rejected: Server 
> configuration error;
> from= > to= > proto=ESMTP helo= >
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: disconnect from 
> ip68-227-115-116.ok.ok.cox.net
> [68.227.115.116]

and you do not think it would be a good idea to fix
the errors?

"/etc/postfix/filtered_domains" what is with that?
does it exist at all?
did you postmap it?





Re: [Postfix] request

2013-03-12 Thread Reindl Harald


On 12.03.2013 15:16, Jerry wrote:
> On Tue, 12 Mar 2013 09:46:14 -0400 (EDT)
> Wietse Venema articulated:
> 
>> andr...@cymail.eu:
>>> I would like to make a suggestion regarding the Postfix lists to
>>> adopt a labelling for each message subject such that the subject
>>> begins with the fingerprint
>>> [Postfix].
>>
>> Use a mail filter. If you receive all your mail in the same inbox,
>> then you are working too hard.
> 
> You should be able to filter on one of the List-{mumble} entries.
> Personally, I use "List-Id:" for all of my lists except Postfix, since
> there isn't one to filter on although RFC 2919 seems to support it

the To-Header is enough
all messages are going to "postfix-users@postfix.org"
both sieve and thunderbird are happy to filter





Re: quiet or broken

2013-03-12 Thread Reindl Harald


On 12.03.2013 08:21, Erwan David wrote:
> On Tue, Mar 12, 2013 at 01:33:43AM CET, Viktor Dukhovni 
>  said:
>> On Mon, Mar 11, 2013 at 08:28:11PM -0400, Wietse Venema wrote:
>>
>>> Either it has become very quiet here, or something has broken.
>>
>> Nah, it's just that the 2.10.0 release is perfect and nobody has
>> any questions anymore. :-)
> 
> Even those using a distribution which did not set the 
> smtpd_relay_restrictions?

well, they have no working mailserver until they fix it and so
after they fixed it they have no longer questions :-)





Re: quiet or broken

2013-03-11 Thread Reindl Harald


On 12.03.2013 01:33, Viktor Dukhovni wrote:
> On Mon, Mar 11, 2013 at 08:28:11PM -0400, Wietse Venema wrote:
> 
>> Either it has become very quiet here, or something has broken.
> 
> Nah, it's just that the 2.10.0 release is perfect and nobody has
> any questions anymore. :-)

runs absolutely fine here, yes

> Next year we'll turn it up to 11

as long as the updates/upgrades are as smooth as in all
the last years with postfix, call the version number
whatever you like :-)





Re: check_recipient_access and transport maps question

2013-03-09 Thread Reindl Harald


On 09.03.2013 23:41, Alex wrote:
> Hi,
> 
> I have a postfix-2.9.5 install on fc16 which manages mail for a few
> domains. The server just relays mail for a few domains and doesn't
> deliver any mail locally.
> 
> The question I have is regarding precedence. Is the
> smtpd_recipient_restrictions consulted before transport_maps?
> 
> I have a few check_recipient_access, listing each user that exists on
> the remote system, so as to reject any mail for non-existent users.
> However, I've noticed that one of my check_recipient_access maps is
> missing, yet there doesn't appear to be any mail bouncing. Does this
> mean it is all being forwarded to the remote system?
> 
> The transport map looks like this:
> 
> mail01.myserver.com       local:
> example.com               smtp:[206.111.222.20]
> cs.example.com            smtp:[206.111.222.20]
> .cs.example.com           smtp:[206.111.222.20]
> mail1.prop.example.com    smtp:[66.123.218.101]
> prop.example.com          smtp:[66.123.218.100]
> .prop.example.com         smtp:[66.123.218.100]
> 
> Is it possible to even specify just mail for the
> mail1.prop.example.com host to be forwarded to a separate host when
> I've also specified the entire domain be forwarded to a different
> host?

be specific in your configuration
avoid .domain.tld

mail1.prop.example.com    smtp:[66.123.218.101]
prop.example.com          smtp:[66.123.218.100]

works, for postfix these are two completely different domains

.prop.example.com         smtp:[66.123.218.100]

is additionally too much




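To see which entry of Alex's table each recipient actually hits, here is an added example (not Postfix's code, and not from the thread) of the transport(5) search order as it applies when transport_maps is not listed in parent_domain_matches_subdomains, which is the default: user@domain, then the domain itself, then each ".parent" pattern from most to least specific, then "*". The table is Alex's as posted; the recipient addresses used to exercise it are constructed, and address extensions (user+ext@domain) are left out of the model.

```python
"""transport_maps lookup order, modelled on transport(5).

Added example for Alex's table and Reindl's reply above (not Postfix's own
code). With transport_maps absent from parent_domain_matches_subdomains
(the default), Postfix tries user@domain, then the domain itself, then the
".parent" patterns from most to least specific, then "*". A "domain" entry
therefore does not match its subdomains, and a ".domain" entry does not
match the bare domain, so the key present decides which host gets the mail.
"""

# Alex's transport table from the thread (hosts and addresses as posted).
TRANSPORT_TABLE = {
    "mail01.myserver.com": "local:",
    "example.com": "smtp:[206.111.222.20]",
    "cs.example.com": "smtp:[206.111.222.20]",
    ".cs.example.com": "smtp:[206.111.222.20]",
    "mail1.prop.example.com": "smtp:[66.123.218.101]",
    "prop.example.com": "smtp:[66.123.218.100]",
    ".prop.example.com": "smtp:[66.123.218.100]",
}


def lookup_keys(address):
    """Keys in the order Postfix consults them (simplified: no +extension)."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    keys = [address, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))  # .parent, .grandparent, ...
    keys.append("*")  # the catch-all pattern is consulted last
    return keys


def lookup_transport(table, address):
    """Return (matched_key, transport:nexthop), or (None, None) when no
    entry applies and Postfix would fall back to its default transport."""
    for key in lookup_keys(address):
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    # Constructed recipients (not from the thread) to exercise each path.
    for rcpt in ("user@mail1.prop.example.com", "user@prop.example.com",
                 "user@other.prop.example.com", "user@example.org"):
        print(rcpt, "->", lookup_transport(TRANSPORT_TABLE, rcpt))
```

The exact host entry wins for mail1.prop.example.com because it is consulted before any ".prop.example.com" pattern; the dotted entry is only reached for other subdomains, which is the distinction Reindl's "two completely different domains" remark is about.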


Re: Transport maps in MySQL

2013-03-07 Thread Reindl Harald
DO NOT POST HTML-MESSAGES

On 07.03.2013 21:17, Alfredo Saldanha wrote:
> In line...
> On 3/7/2013 1:37 PM, Alfredo Saldanha wrote:
>>> Hi people,
>>>
>>> Simple question:
>>>
>>> Is safe use mysql to get the transport maps information? if the
>>> connection with database drops ? is there cache?
>>>
>>> BR,
>>>
>>> Junix
>>> 
> 
>> The transport table is a critical table used by pretty much every
>> part of postfix (by way of the trivial_rewrite service).  If the
>> mysql database is unavailable, no mail will flow.  If the lookups
>> are slow, all postfix performance will suffer.
> 
> In case of mysql connection drop, Postfix doesn't use the last transport 
> information ?
> And another stuffs that use MySQL, like virtual aliases, users, etc. the 
> message will be rejected ?
> 
>> While it is certainly possible to successfully use mysql with
>> transport, it will require some care and feeding -- especially for a
>> high-volume server.
> 
> OK.
> 
>> Transport tables don't usually change frequently, and it's better to
>> keep that information in a local hash: or cdb: table for both
>> performance and availability.  If you want to keep everything in
>> mysql, consider creating a process to periodically dump the data to
>> a local hash: or cdb: table.

in short: if you use mysql for your config your mysqld MUST NOT
be unreachable, ever at all, if your setup is OK this will never
happen - i am saying this after 5 years of dbmail where EVERYTHING
is in an innodb-database, not only postfix-config

never ever shut down mysql alone, make sure you always stop any
mail-service before, make sure any mailservice is stopped before
mysqld at reboot/shutdown, make sure your mysqld is highly available
with replication and you are fine




