[pfx] SASL_README correction

2024-06-19 Thread Rob Sterenborg (Lists) via Postfix-users

Hi,

I was reading the SASL_README, "The ldapdb plugin" at:

https://www.postfix.org/SASL_README.html#auxprop_ldapdb

[quote]
Tip: [...snip...] Instead, you can use "saslauthd -a ldap" to query the 
LDAP database directly, with appropriate configuration in 
saslauthd.conf, as described here. [...snip...]

[/quote]

The link for "as described here" points to:

http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD

Which returns a "No page found" message.

I guess it is currently hosted at:


https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD


--
Rob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: 25 years today

2023-12-14 Thread Rob Sterenborg (Lists) via Postfix-users

On 14-12-2023 14:20, Wietse Venema via Postfix-users wrote:

> As a few on this list may recall, it is 25 years ago today that the
> "IBM secure mailer" had its public beta release. This was accompanied
> by a nice article in the New York Times business section.
>
> ...
>
> That was a long time ago. Postfix has evolved as the Internet has
> changed. I am continuing the overhaul of this software, motivated
> by people like you on this mailing list.
>
> Wietse


Back in 2001 or so, I needed an MTA at the place I worked, and I wasn't 
too experienced. So I tried Sendmail because it was the default, didn't 
understand it, so that didn't work out. Next I somehow found Qmail (it's 
too long ago to remember how that happened), and found it even worse to 
handle. Then I found Postfix, and immediately got it to work for what I 
needed it to do. Since then, I've been using Postfix for all mail 
servers I've ever built, never looked back.


A big thank you for this excellent piece of software and all the support 
we're still getting!



--
Rob



Re: blocking compromised sasl users ?

2015-10-08 Thread Rob Sterenborg (Lists)

On 10/07/2015 05:35 PM, Viktor Dukhovni wrote:

> If your smtpd is not chrooted, you might have better luck with CDB,
> than Berkeley DB, though I am not sure whether tinycdb (like DJB's
> original implementation) detects table file changes and automatically
> reopens the table on the fly.


It seems it does:

postfix/smtpd[20438]: table cdb:/path/to/recipients(0,lock|fold_fix|utf8_request) has changed -- restarting



--
Rob



Re: blocking compromised sasl users ?

2015-10-08 Thread Rob Sterenborg (Lists)

On 10/08/2015 05:01 PM, Viktor Dukhovni wrote:

> On Thu, Oct 08, 2015 at 04:54:08PM +0200, Rob Sterenborg (Lists) wrote:
>
>> On 10/07/2015 05:35 PM, Viktor Dukhovni wrote:
>>
>>> If your smtpd is not chrooted, you might have better luck with CDB,
>>> than Berkeley DB, though I am not sure whether tinycdb (like DJB's
>>> original implementation) detects table file changes and automatically
>>> reopens the table on the fly.
>>
>> It seems it does:
>>
>> postfix/smtpd[20438]: table cdb:/path/to/recipients(0,lock|fold_fix|utf8_request) has changed -- restarting
>
> That's not sufficient.  It would have to see the new data without
> restarting.  With DJB's CDB, I think the underlying mmaped file is
> reopened transparently if it changes.  With tinycdb, it might not
> be.  At the very least, that can't happen if Postfix is chrooted,
> or the table can only be opened by root.


As the filename implies it contains recipients. When the file is 
updated, I see the above line and after that Postfix knows about any 
change in the file.


There's one thing though that I overlooked when posting and what you're 
referring to: we're not running Postfix chrooted so we wouldn't be 
running into that.



Wietse Venema wrote:
> Yes, but the check happens at the beginning of an SMTP session, not
> in the middle. A Postfix process does not reopen files mid-flight
> because it may not have sufficient privileges to do so (in addition,
> cdb files are renamed, not overwritten, so the lookup result does
> not change during the lifetime of the SMTP daemon process; if you
> need instant visibility, use LMDB, LDAP or *SQL).

I see. Except for recipients we already have most lookup tables in SQL. 
So far having recipients in a regularly updated cdb hasn't been a 
problem for us, but it seems it could be in the future so I think I'll 
change that to SQL too.



--
Rob
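
What Wietse describes in the quoted reply, shown with plain POSIX file semantics in an added example (not part of the original message and not Postfix code): a process that keeps a table open goes on reading the old file after a rebuilt copy is renamed into place, while a stat() on the path reveals the change. A text file stands in for the cdb file, and the stat comparison is an assumed stand-in for the daemon's change check.

```python
import os
import tempfile

# Constructed sample table contents; a plain text file stands in for a cdb file.
OLD_TABLE = b"alice@example.com OK\n"
NEW_TABLE = b"alice@example.com REJECT account compromised\n"


def read_via_fd(fd):
    """Read the whole file through an already-open descriptor."""
    os.lseek(fd, 0, os.SEEK_SET)
    return os.read(fd, 4096)


def file_identity(st):
    """Fields that differ once the path points at a rebuilt file."""
    return (st.st_dev, st.st_ino, st.st_mtime_ns, st.st_size)


def rebuild_by_rename(path, data):
    """Write the new table next to the old one, then rename it into place."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)  # atomic on POSIX; the old inode stays alive


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "recipients")
        with open(path, "wb") as f:
            f.write(OLD_TABLE)

        # A long-running daemon opens the table once and keeps the descriptor.
        fd = os.open(path, os.O_RDONLY)
        opened = file_identity(os.fstat(fd))

        rebuild_by_rename(path, NEW_TABLE)

        # Lookups through the old descriptor still return the old data ...
        stale = read_via_fd(fd)
        # ... while a stat() on the path shows that the table was replaced.
        changed = file_identity(os.stat(path)) != opened
        os.close(fd)

        # Only a fresh open (a restarted process) sees the new entry.
        fd = os.open(path, os.O_RDONLY)
        fresh = read_via_fd(fd)
        os.close(fd)
        return stale, changed, fresh


if __name__ == "__main__":
    print(demo())
```

For a table used to block an account, the gap between the rebuild and the next fresh open is the window in which the old entry still applies.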



Re: Smtp balancer: banner mismatch

2015-09-15 Thread Rob Sterenborg (Lists)

On 09/15/2015 10:46 AM, Giuseppe Civitella wrote:

> Hi all,
>
> I'm setting up an Haproxy load balancer for multiple Postfix instances.
> The balancer forwards smtp traffic to a dedicated postscreen service on
> every instance.
> Every instance has its own $myhostname and exposes it on the smtp banner
> so it happens that the FQDN and PTR of the balancer do not match the
> hostname presented in the SMTP banner.
> Online tools like MXtoolbox complain about the mismatch while checking
> the mailserver. I thought to configure every Postfix instance with the
> same hostname of the balancer. This gets rid of the mismatch
> complaints but keeping a different hostname per instance would help in
> case of troubleshooting, so I ask if there is a better way of doing this.


http://www.postfix.org/postconf.5.html#postscreen_greet_banner
http://www.postfix.org/postconf.5.html#smtpd_banner


--
Rob



unknown macro name in expansion request

2015-08-07 Thread Rob Sterenborg (Lists)

Hi,

This is Postfix 3.0.2.

I see this in maillog:

Aug 7 09:43:12 pfxp001 postfix/smtpd[18610]: warning: unknown macro name myhostname_ext in expansion request
Aug  7 09:43:34 pfxp001 postfix/postscreen[12699]: warning: unknown macro name myhostname_ext in expansion request



However:

# postconf mydomain_ext
mydomain_ext = our_ext_domain_name.nl
# postconf myhostname_ext
myhostname_ext = mx2.$mydomain_ext


I'm also having mydomain_int and myhostname_int, but it's not 
complaining about that.


What is it I'm overlooking?


# postconf -n | grep myhostname_ext
myhostname_ext = mx2.$mydomain_ext
smtp_helo_name = $myhostname_ext
smtpd_banner = $myhostname_ext
smtpd_reject_footer = For assistance, call +31 our_phone_no. Please 
provide the following information: time ($localtime), client 
($client_address) and sending server ($myhostname_ext).


# postconf -n | grep myhostname_int
myhostname = $myhostname_int
myhostname_int = pfxp001.$mydomain_int
myorigin = $myhostname_int


==
Rob


Re: Is it time for 2.x.y - x.y?

2013-06-01 Thread Rob Sterenborg (lists)
On 01-06-13 04:15, Mike. wrote:
 On 5/31/2013 at 4:56 PM wie...@porcupine.org wrote:
 
 |After the confusion that Postfix 2.10 is not Postfix 2.1, 
  =
 
 
 In 20/20 hindsight, perhaps Postfix 2.1 should have been Postfix 2.01,
 allowing 100 minor versions before the major version was forced to
 change.  

Wherever I went to school, I cannot remember I was ever taught that 1
equals 10: not decimal, binary, hexadecimal, ... So, personally I find
it strange why anyone would think so.

A version 'number' is not a decimal; it's a numerical code that tells
the user what version of the software (s)he is using. Every number
between the dots stands on its own, having just this relationship:
- they are read from left to right,
- increments go from the individual right to left numbers (first
patchlevel, then minor version, then major version increments),
- the individual numbers always increment, never decrement.

To me it seems quite easy to figure out what the latest version is.

+1 for keeping the current version scheme intact.


--
Rob



RE: Postscreen Error: /usr/libexec/postfix/postscreen: No such file or directory

2012-09-11 Thread Rob Sterenborg
 -----Original Message-----
 From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
 us...@postfix.org] On Behalf Of Ove JK. Evensen
 Sent: Tuesday, September 11, 2012 10:09 AM
 To: postfix-users@postfix.org
 Subject: RE: Postscreen Error: /usr/libexec/postfix/postscreen: No
 such file or directory
 
 OK, last question:
 I am looking here: http://www.postfix.org/packages.html and then -
 here for centos http://ramix.jp/~ramsy/postfix.html
 
 And it says the last version is a 2.6 so clearly that is the reason
 why I get this in centos:
 
 Setting up Install Process
 Package 2:postfix-2.6.6-2.2.el6_1.x86_64 already installed and
 latest version
 Nothing to do
 
 So guess I need to find a repository with a newer version of
 postfix.
 
 Anyone have a link on how to and a good repository?

Simon J. Mudd creates RHEL RPM packages:

http://ftp.wl0.org/official/2.9/


--
Rob



Re: status=bounced (user unknown)

2012-08-29 Thread Rob Sterenborg (lists)
On Tue, 2012-08-28 at 04:37 -0700, Thufir wrote:
 On 08/28/2012 04:16 AM, Ralf Hildebrandt wrote:
  * Thufir <hawat.thu...@gmail.com>:
Aug 28 02:40:57 dur postfix/smtpd[22388]: error: open database
/var/lib/mailman/data/aliases.db: No such file or directory
  postalias /var/lib/mailman/data/aliases
 
 
 Aha!
 
 root@dur:~#
 root@dur:~# ll /var/lib/mailman/data/
 total 32
 drwxrwsr-x 2 root list  4096 Aug 28 04:35 ./
 drwxrwsr-x 8 root list  4096 Aug 27 19:58 ../
 -rw-r----- 1 root list    41 Aug 27 21:04 creator.pw
 -rw-rw-r-- 1 root list    10 Aug 27 19:58 last_mailman_version
 -rw-r--r-- 1 root list 14100 Oct 19  2011 sitelist.cfg
 root@dur:~#
 root@dur:~# postalias /var/lib/mailman/data/aliases
 postalias: fatal: open /var/lib/mailman/data/aliases: No such file or 
 directory
 root@dur:~#
 root@dur:~# touch /var/lib/mailman/data/aliases
 root@dur:~#
 root@dur:~# postalias /var/lib/mailman/data/aliases
 root@dur:~#
 root@dur:~# ll /var/lib/mailman/data/
 total 44
 drwxrwsr-x 2 root list  4096 Aug 28 04:36 ./
 drwxrwsr-x 8 root list  4096 Aug 27 19:58 ../
 -rw-r--r-- 1 root list     0 Aug 28 04:36 aliases
 -rw-r--r-- 1 root list 12288 Aug 28 04:36 aliases.db
 -rw-r----- 1 root list    41 Aug 27 21:04 creator.pw
 -rw-rw-r-- 1 root list    10 Aug 27 19:58 last_mailman_version
 -rw-r--r-- 1 root list 14100 Oct 19  2011 sitelist.cfg
 root@dur:~#
 
 
 Like that?  Not sure how to see what's in aliases.db, but that seems right.

Usually you don't, as you can use the plain-text aliases file for that.
When aliases is updated, you use postalias to update the aliases.db
file.

The file didn't exist, you just touched it, creating an empty aliases
file, and then created the aliases.db file from it. There won't be any
information in aliases.db.

man 5 aliases


--
Rob




Re: /usr/local/sbin/amavisd debug How to

2012-07-03 Thread Rob Sterenborg (lists)
On Tue, 2012-07-03 at 19:53 +0800, Feel Zhou wrote:
 Thanks for Ansgar Wiechers
 
 Every time I install the packages about Convert::BinHex, It will
 give me the same message

[snip]

 t/comp2bin.t .. Can't locate package Exporter for @Checker::ISA at
 t/comp2bin.t line 3.

It seems you're missing Exporter too. Install it before installing
Convert::BinHex, and do the same for any other package Perl reports
missing. After that you should be able to install Convert::BinHex.


--
Rob




Re: /usr/local/sbin/amavisd debug How to

2012-07-03 Thread Rob Sterenborg (lists)
On Tue, 2012-07-03 at 22:25 +0800, Feel Zhou wrote:
 Thank you for Rob
 Install the Exporter, still can't install Convert::BinHex
 So long messages
 
 cpan[3] install Exporter
 Exporter is up to date (5.66).
 
 cpan[4] install Convert::BinHex
 Running install for module 'Convert::BinHex'

[snip]

 Running make test
 PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e
 test_harness(0, 'blib/lib', 'blib/arch') t/*.t
 t/comp2bin.t .. Can't locate package Exporter for @Checker::ISA at
 t/comp2bin.t line 3.
 Undefined subroutine main::check called at t/comp2bin.t line 75.
 t/comp2bin.t .. Dubious, test returned 255 (wstat 65280, 0xff00)

Interestingly Perl says that Exporter is installed, but can't be found
when some package (Convert::BinHex in this case) is tested before
install while 'make' says 'OK'.

I don't know enough about Perl why this would happen, so I can't help
you here.
(You can of course try to 'force install Convert::BinHex' but IMO that's
not a real solution, so I'm not sure if that's such a great idea and if
it will actually work.)


--
Rob




RE: Stress docs update

2012-05-03 Thread Rob Sterenborg
 -----Original Message-----
 From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
 us...@postfix.org] On Behalf Of DTNX Postmaster
 Sent: Thursday, May 03, 2012 10:43 AM
 To: postfix users
 Subject: Re: Stress docs update
 
 Please let me know if this isn't the right format, style and such;
 
 $ diff -u STRESS_README.html STRESS_README-postscreen.html
 --- STRESS_README.html2012-05-03 10:20:36.0 +0200
 +++ STRESS_README-postscreen.html 2012-05-03 10:26:27.0
 +0200
 @@ -520,11 +520,12 @@
  server. Other clients are tarpitted, and will never get a chance
  to affect mail server performance. /p
 
 -p At some point in the future, Postfix may come with a simple
 -front-end daemon that does basic greylisting and pipelining detection
 -to keep zombies and other ratware away from Postfix itself. This
 -would use the pass service type which has been available in
 -stable Postfix releases since Postfix 2.5. /p
 +p Since version 2.8, Postfix ships with a front-end daemon called
 +a href=postscreen.8.htmlpostscreen(8)/a that does basic
 +greylisting and pipelining detection to keep zombies and other
 ratware
 +away from Postfix itself. For further information and implementation
 +details, see a href=POSTSCREEN_README.htmlPOSTSCREEN_README/a.
 +/p
 
  h2a name=credits Credits /a/h2
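
Review bot: The added paragraph says postscreen(8) "does basic greylisting and pipelining detection", wording carried over unchanged from the removed paragraph, which only speculated about a future daemon; since the same paragraph sends readers to POSTSCREEN_README, the description of what postscreen does should be checked against that document rather than reused. Separately, the word "ratware" sits on its own line without a leading "+" in the middle of the added lines, and the "+0200" of the second file header has also wrapped onto its own line, so the patch as mailed has been line-wrapped and should be resent as an attachment or with wrapping disabled.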

According to the POSTSCREEN_README, postscreen doesn't do greylisting at
all: postscreen and greylisting are different things. The below is your
patch adapted with a partial copy-paste from the POSTSCREEN_README.


--
Rob


--- STRESS_README.html  2012-05-03 10:54:00.624335965 +0200
+++ STRESS_README-postscreen.html 2012-05-03 10:58:40.638712109 +0200
@@ -503,11 +503,14 @@
 server. Other clients are tarpitted, and will never get a chance
 to affect mail server performance. /p
 
-p At some point in the future, Postfix may come with a simple
-front-end daemon that does basic greylisting and pipelining detection
-to keep zombies and other ratware away from Postfix itself. This
-would use the pass service type which has been available in
-stable Postfix releases since Postfix 2.5. /p
+p Since version 2.8, Postfix ships with a front-end daemon called
+a href=postscreen.8.htmlpostscreen(8)/a that performs triage
+on multiple inbound SMTP connections at the same time. While a single
+postscreen(8) process keeps zombies away from Postfix SMTP server
+processes, more Postfix SMTP server processes remain available for
+legitimate clients. For further information and implementation
+details, see a href=POSTSCREEN_README.htmlPOSTSCREEN_README/a.
+/p
 
 h2a name=credits Credits /a/h2
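
Review bot: The replacement paragraph drops two things the removed text mentioned, pipelining detection and the "pass" service type available since Postfix 2.5, without saying where they went; if both are covered in POSTSCREEN_README the link is enough, otherwise keep a short mention so STRESS_README still tells readers what the front end relies on. The second "postscreen(8)" in the added lines is also not wrapped in the postscreen.8.html link that the first mention has, which is worth making consistent.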



Re: OT: Question on max message size

2011-08-08 Thread Rob Sterenborg (Lists)
On Mon, 2011-08-08 at 07:58 -0500, Stan Hoeppner wrote:
 On 8/6/2011 1:26 AM, Rob Sterenborg (Lists) wrote:
  On Sat, 2011-08-06 at 01:04 -0500, Stan Hoeppner wrote:
  Or do the smart thing:  use a file transfer protocol for transferring
  files instead of an email protocol.  HTTP and FTP are readily available
  good examples.
  
  We don't know why the OP wants this so it may not be that simple.
  
  Recently I had to allow for emails up to 100MB because a customer uses a
  scanner that sends emails containing the scan, apparently in hires. When
  I at first refused and asked for another solution (like FTP) I was told
  that sending the email was the only solution the scanner offers and the
  recipient supports. Go figure.

Ok, this is really getting OT for both the subject and the list.. But
here it goes.

 Trust, but verify.
--President Ronald Reagan
 
 I assume you asked for and received the brand and model# of this
 scanner, then verified the email only claim with the manufacturer's
 data sheet?

Yes, I asked and please, hold your pants: no one could answer my
question (which translates to 'no one wanted to').

 I'd bet that device supports all kinds of methods to transfer the image
 files.  I'd also bet that the people using it simply didn't have the
 technical chops, nor wanted to spend time figuring the thing out.

The people actually using it are regular users and no, you don't expect
that from them (I don't). Regular users usually don't know the first
thing about implementing any system.
However, you'd expect that from the party that wants its data
delivered, since they have to implement the receiving system.
Apparently, IMO, they didn't do that well enough, if they did. Or the
wrong people thought about it, or someone met someone else at the golf
club and you know what happens next, or [...].

It's not that I actually suspect the scanner of not having another way of
delivering the scans (I just don't believe that until proven), but
because of the receiving party that's redundant here: I cannot tell our
brand-new customer to take their administration business elsewhere.

 So they took a dump on you.  Either you let them do so, or your superiors
 forced you to allow it.

The first I don't know (although I don't believe it, it could be true),
the latter for sure.

 The instant the email only claim was made, I'd have said our email
 systems can't accept files that large. 

So did I. And I was talking the truth because of the configuration. :-)

 They'd have countered with Other email servers do.  We don't believe
 you.  Prove it.  I'd have countered, Prove your claim WRT the scanner.

Yes, well, if the board of directors (or whatever it's called in
English, I must be close) tells you to do something, you might have to
do things you don't actually want to.

I tried to minimize the damage by making sure that *only* the scanner
can send 100MB emails to the *specified recipient* only. Although I do
agree that this puts the door half open, it's the best I could do at the
time.

 Only if they could have proven that claim would I have allowed what they
 were requesting.  But, that's me, BOFH that I am. :)

To keep the system as it IMO should be, I usually am too. And because of
that there are people that sometimes do not like me very much. But there
are times that I'm afraid it doesn't work. :-/

--
Rob




Re: Question on max message size

2011-08-06 Thread Rob Sterenborg (Lists)
On Sat, 2011-08-06 at 01:04 -0500, Stan Hoeppner wrote:
 Or do the smart thing:  use a file transfer protocol for transferring
 files instead of an email protocol.  HTTP and FTP are readily available
 good examples.

We don't know why the OP wants this so it may not be that simple.

Recently I had to allow for emails up to 100MB because a customer uses a
scanner that sends emails containing the scan, apparently in hires. When
I at first refused and asked for another solution (like FTP) I was told
that sending the email was the only solution the scanner offers and the
recipient supports. Go figure.
This meant creating a solution specifically for this purpose because I
don't want to offer this 'service' to all clients/users.


--
Rob




RE: Mail in Inbox

2010-02-10 Thread Rob Sterenborg
On 2010-02-11, Dhiraj Chatpar wrote:
 Received: from mr.google.com http://mr.google.com/ ([10.141.106.5])

If mr.google.com resolves within Google's LAN, it doesn't have to resolve on 
the internet (and indeed it doesn't), especially if it's in 10/8, 172.16/12 or 
192.168/16.
If mr.google.com would resolve, I'm quite sure it wouldn't resolve to an IP 
address in 10/8.


--
Rob

  Received: from mr.google.com ([10.141.106.5])
 
  Doesn't even exist. Did you try checking what this IP or the host is?

 Which part of private IP addresses did you fail to understand?
 
 
 Regards
 Ansgar Wiechers



RE: suitable webmail

2010-02-09 Thread Rob Sterenborg
On 2010-02-09, Thijssen wrote:
 On Tue, Feb 9, 2010 at 11:43, K bharathan <kbhara...@gmail.com> wrote:
 yes i've used and know it's too good; but all those for small number of
 users; i want to use it at an ISP level; at ISP level i require some
 addons like quota/autorespond etc..i'll give a try to squirrelmail
 
 XS4ALL, the largest Dutch ISP, uses Squirrelmail code for their webmail
 (https://webmail.xs4all.nl/). You can access and use the existing Quota
 and Autorespond systems that are out there using squirrelmail.

However, their new (but perhaps still experimental) webmail server uses
roundcube:
https://roundcube.xs4all.nl/



RE: virtual_alias_maps mysql

2010-01-29 Thread Rob Sterenborg
  I have but was hoping for something simpler like I do with
  dovecot deliver where you create a script that calls deliver
  after you do what you want for logging and then name your
  script in something like deliver_exec = script.
 
  Might be wrong with the names but that's more or less what takes
  place.
 
  I'd prefer to keep as much of this type of thing in the config
  files. It seems to be easier to quickly see what's up when
  there is a problem.
 
  I'll try the stored procedure if nothing more attractive turns
  up.

 Well, possibly you could edit your transport to use a script and
 pass all the relevant variables to it, it can then also do an
 insert on your database.

Or write a simple policy daemon. All necessary information is sent to a
policy daemon which in turn can put data in a table. (I wrote something
in PHP using pcntl because I don't know how to write it in C or Perl. It
writes data to a MYSQL table taken from the details sent by Postfix. Our
mailflow is not as big as some here, but so far it's proven to be quite
stable and it fulfills our needs.)


--
Rob
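
A minimal version of the policy-daemon idea from this message, as an added example (not Rob's PHP daemon and not code from the Postfix project): it parses the policy delegation request Postfix sends, logs selected attributes with bound SQL parameters, and answers DUNNO so the decision stays with Postfix. SQLite stands in for MySQL; the table name, port 10040 and database file name are assumptions.

```python
import socketserver
import sqlite3

# Attributes copied into the log table; all are standard policy request names.
FIELDS = ("protocol_state", "client_address", "sasl_username", "sender", "recipient")

# Constructed sample request, in the name=value format Postfix sends.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sasl_username=\n"
    "sender=alice@example.com\n"
    "recipient=o'brien@example.net\n"
    "\n"
)


def parse_request(text):
    """Parse one request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def open_log(path=":memory:"):
    """Open the log database; table and column names are assumptions."""
    db = sqlite3.connect(path)
    cols = ", ".join(f"{f} TEXT" for f in FIELDS)
    db.execute("CREATE TABLE IF NOT EXISTS policy_log "
               f"(ts TEXT DEFAULT CURRENT_TIMESTAMP, {cols})")
    return db


def handle_request(db, text):
    """Log the request and return a reply that leaves the decision to Postfix."""
    attrs = parse_request(text)
    if attrs.get("request") == "smtpd_access_policy":
        marks = ", ".join("?" * len(FIELDS))
        # Sender and recipient are chosen by the remote client: bind, never interpolate.
        db.execute(f"INSERT INTO policy_log ({', '.join(FIELDS)}) VALUES ({marks})",
                   [attrs.get(f, "") for f in FIELDS])
        db.commit()
    return "action=DUNNO\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        db = open_log(self.server.db_path)
        lines = []
        for raw in self.rfile:  # one connection may carry many requests
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line)
            if not line:  # an empty line ends the request
                self.wfile.write(handle_request(db, "\n".join(lines)).encode())
                lines = []
        db.close()


if __name__ == "__main__":
    # Assumed hookup: check_policy_service inet:127.0.0.1:10040 in main.cf.
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler)
    server.db_path = "policy_log.sqlite"  # hypothetical file name
    server.serve_forever()
```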



RE: Exchange -- Postfix

2009-08-04 Thread Rob Sterenborg
 2. I know that communication between Exchange and Outlook is
 with MAPI protocol. Does Postfix use the MAPI protocol?
 3. If 2 is no, Is Postfix POP or IMAP server? I would like to
 use POP or IMAP protocol instead MAPI.
 4. Is this possible that Postfix has an Outlook calendar
 feature and other Outlook like feature.
 5. Does Postfix support TLS, SSL?
 6. Does Postfix support access via http to mail box?

You may want to look at Zarafa combined with Postfix and MySQL. It provides a 
client to use with Outlook (in a way just like Exchange does), it provides 
webaccess that looks like OWA/Outlook with working context menus (also in FF), 
POP, IMAP, etc.

http://www.zarafa.com/
There's also a whitepaper about LDAP/AD integration in the website's 
documentation section.

It's NOT free, but I guess it's certainly cheaper than Exchange (I just use the 
free community version that's limited to 5 users; you could use that to check 
out if Zarafa suits your needs).


--
Rob



RE: Blocking Phishing emails

2009-01-23 Thread Rob Sterenborg
 Is anyone using ClamAV with Postfix with the phishing filters?
 Are they effective?
 
 Does anyone know of any other service offering Phishing
 signatures that one can employ?

SaneSecurity (they're back) is providing ClamAV signatures for spam,
phishing, etc. Rsync scripts are available to download the signatures to
your server and install them automatically. You can give them a try:
http://www.sanesecurity.com/


Rob