Re: Mail Statistics (OFF TOPIC)
Carlos Mennens wrote: Guys I apologize if this doesn't belong here but I did a 'Google' search and I decided it would be best to ask the community who uses Postfix from an 'administrative' perspective. I am looking for a statistics utility for mail. I don't really have any specific requirements but anything that can give me an overview of what my mail server is doing in bulk. Obviously viewing '/var/log/mail.log' is not practical unless I am searching for something specific. If you guys have any utilities and or programs you recommend for Linux / Postfix, please let me know. I deeply apologize if this is not the proper place to ask such a question. pflogsumm.pl Since it is written in Perl you can use your distribution's package manager to install it. For CentOS 5.x it is postfix-pflogsumm-2.3.3-2.1.el5_2 \\||/ Rod --
Re: Postfix 2.7 for RHEL 5?
On 07/03/2010 01:27 PM, /dev/rob0 wrote: On Sat, Jul 03, 2010 at 02:53:44PM -0500, Stan Hoeppner wrote: Morten P.D. Stevens put forth on 7/3/2010 2:40 PM: Does anyone know backported Postfix 2.6.x or 2.7.x RPM packages for RHEL5? This binary rpm is for x86-64 only: http://ftp.wl0.org/official/2.7/RPMS-rhel5-x86_64/postfix-2.7.1-1.rhel5.x86_64.rpm You'll have to google more than I did to find an i386 binary rpm for 2.6.x or 2.7.x. I would suggest using a SRPM: http://ftp.wl0.org/official/2.7/SRPMS/postfix-2.7.1-1.src.rpm which can be configured and built as desired. Love to -- plus I'm dealing with not-64 bit machines -- but I can't find a RPM for tinycdb I feel comfortable with. All were circa 2002. Is this OK? What are others using? \\||/ Rod --
Re: Postfix 2.7 for RHEL 5?
On 07/06/2010 09:07 AM, Bas Mevissen wrote: On Tue, 06 Jul 2010 09:01:53 -0700, Roderick A. Anderson Love to -- plus I'm dealing with not-64 bit machines -- but I can't find a RPM for tinycdb I feel comfortable with. All were circa 2002. Is this OK? What are others using? \\||/ Rod http://www.corpit.ru/mjt/tinycdb.html Latest version is 0.77, released 31 Jan 2009, and can be found here. It can be built on systems using RedHat Package Manager (rpm) with -tb option to create installable .rpm package. On a Debian GNU/Linux system, the preferred way to install it is to use standard apt repository. For other versions of the package and pre-built rpms look here. Guess you will manage now :-) Thanks. That was the ticket. Rod --
Re: postscreen questions
Andy Dills wrote: On Thu, 27 May 2010, Wietse Venema wrote: Andy Dills: I've been investigating postscreen, as we've been address probed/bombed for years, as we have a few domains that are very old (well, early 90s) that had a lot of users back in the dialup days. Our approach was to just throw hardware at the problem, and we've had a whole cluster of servers just sending out 550s all day long for years now. We don't do any RBL checks at the postfix level; we have amavisd-new handle all of that via spamassassin. I'm hesitant to allow a single blacklist to determine the fate of mail acceptance, especially when we have a very low false negative rate with amavisd/SA. Essentially, we'd rather throw hardware at the problem than potentially reject legit mail. My primary question is, would we see significant improvement by using postscreen if we don't use RBLs? In my experience, the pregreet check kills off 50% of the zombies. Of course malware will improve and I expect to add deeper protocol checks (command pipelining, greylist) in anticipation. That seems worth investigating, thank you. I appreciate how you're evolving postfix to address this (and the improvements to handle content filtering pre-queue, we will be moving to that once amavisd-new is more mature with regards to that). Also, would postscreen_cache_map work with a mysql backend? postscreen needs very low latency (I put in explicit tests for this). Also, postscreen requires read, write, iterate support which is implemented only for file-based databases. If table access requires 10ms, then postscreen can handle only 100 connection requests per second. You would be better off not using postscreen and instead turning up the number of smtpd processes. That makes sense. I was just looking for a way to provide some shared knowledge among the servers in the cluster. Run a cron job that checks for changes in the RDBMS and then rebuilds the postscreen_cache_map files if needed. 
\\||/ Rod -- Thanks, Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
Re: postscreen questions
Wietse Venema wrote: Roderick A. Anderson: Also, would postscreen_cache_map work with a mysql backend? postscreen needs very low latency (I put in explicit tests for this). Also, postscreen requires read, write, iterate support which is implemented only for file-based databases. If table access requires 10ms, then postscreen can handle only 100 connection requests per second. You would be better off not using postscreen and instead turning up the number of smtpd processes. That makes sense. I was just looking for a way to provide some shared knowledge among the servers in the cluster. Run a cron job that checks for changes in the RDBMS and then rebuilds the postscreen_cache_map files if needed. That implies shared access to the postscreen_cache_map _file_, and is not supported. My bad. I was thinking how I keep the relay and transport maps up to date on MX servers. The data is in an MSSQL table and each spool rebuilds its (hashed) maps when told to. \\||/ Rod --
Re: Consolidating Virtual Domain Delivery
Daniel L'Hommedieu wrote: On Mar 28, 2010, at 15:23, Wietse Venema wrote: BTW, Postfix 2.3 is no longer maintained. It is almost four years old. Wietse, After seeing this comment, I decided to see what versions of postfix I have installed. The RPM available for both CentOS 5 and RHEL5 is postfix-2.3.3-2.1.el5_2. It's interesting that both of these Linux versions offer a version of postfix that is so old... Maybe I need to look into maintaining postfix manually... Please see the thread starting on 23-Mar-2010 Should I update Postfix? which discusses this. \\||/ Rod -- Daniel
Re: Return-Path, Envelope From, etc.
Roderick A. Anderson wrote: My understanding, from following several threads here and some research, is the return-path is transmitted out-of-band in the SMTP MAIL request and placed in the message by the LDA. How would a proxy determine the value(s) that will be used to create the Return-Path? Sahil, Victor; Thank you for your quick responses. Your explanations make my understanding more concise. A little more reading about AMIL FROM on the Postfix site and I think I'm on my way towards building the proxy I need. Again thanks, Rod --
Re: Return-Path, Envelope From, etc.
Roderick A. Anderson wrote: Roderick A. Anderson wrote: My understanding, from following several threads here and some research, is the return-path is transmitted out-of-band in the SMTP MAIL request and placed in the message by the LDA. How would a proxy determine the value(s) that will be used to create the Return-Path? Sahil, Victor; Thank you for your quick responses. Your explanations make my understanding more concise. A little more reading about AMIL FROM on the Postfix site and I think I'm on my way towards building the proxy I need. Besides the typo above (MAIL FROM) I forgot to ask is there an example of how a message is formatted on its way into the proxy? I only need to look at the MAIL FROM, the message Subject header, and possibly another message header. Content isn't needed. Again thanks, Rod -- Again thanks, Rod
Re: Bounce queue times
Neil Smith wrote: I run Postfix to handle my personal mail. I also act as a backup MX host for a friend. To give him time to return from holiday and fix a broken Postfix installation, I want to keep messages for the backup domains for up to 21 days. However, I want undeliverable messages for other domains to be returned to the sender after 3 days.

This will probably cause a serious amount of flames but how about just doing a HOLD action from header_checks for anything to the domain(s)? When he returns remove the statement and release the messages.

\\||/ Rod --

I've tried this setup of /etc/postfix/main.cf, but it doesn't do what I want. If a message can't be delivered to, say some...@example.com, Postfix will keep trying for 21 days before giving up, and that's a bit long.

    smtpd_recipient_restrictions = permit_mynetworks permit_mx_backup \
        reject_unauth_destination
    permit_mx_backup_networks = other.com other.org
    maximal_queue_lifetime = 21d
    bounce_queue_lifetime = 3d

Any suggestions? (It's Postfix 2.5.1) Thanks, Neil.
Re: Country IP block list
ghe wrote: On Aug 22, 2009, at 9:56 AM, Security Admin (NetSec) wrote: Could someone provide links to sites where IP addresses are grouped by country? ASNs would work too but would prefer IP lists that I could put in a file that my postfix mail gateway could read. Obvious countries like China and Brazil I would like to block wholesale. Thanks in advance! I haven't done anything but Asia yet, and I've implemented that with a perl / shell script that downloads the assignments from Apnic, filters on country code, and builds a shell script to block the nets in a Linux packet filter chain. It never gets to Postfix. If you're interested in that approach, I'd be happy to share the code... Thanks. I would (coming in late to this thread) be interested. \\||/ Rod --
Re: deflecting attacks
AMP Admin wrote: Does anyone use iptables or something to defend against attacks? Like if x amount of requests per x amount of time send away. If so I would love some examples. Thanks!

Probably based on Glenn English's work (in another email) I found this during a brute force search with Google. It blocks the ssh script-kiddies really well. You may be able to modify for your purposes. I have used denyhosts and fail2ban but found this did the most good with the least effort. I'm thinking of modifying it to use TARPIT instead of DROP to make the script-kiddies pay more for even trying.

    -N SSH_WHITELIST
    # Pretend this is my workstation's IP. You can add similar lines for
    # more IPs
    -A SSH_WHITELIST -s 10.10.3.21 -m recent --remove --name SSH -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
Re: deflecting attacks
Jorey Bump wrote: Martijn de Munnik wrote, at 08/22/2009 02:06 PM: I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx errors or sends too much spam it is banned in the firewall.

    failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
    ban time 1h
    failregex = Passed SPAM, \[<HOST>\]
    ban time 10m

When a host is banned multiple short times it gets banned for 1 day. It should be easy to get this working with iptables. While fail2ban is an excellent tool (as is the recent module in iptables), don't go overboard. For example, keep in mind that SMTP is a very different animal than SSH or HTTP when determining sane amounts of time to block a host. It's relatively safe to block repeat offenders from SSH/HTTP because they usually represent connections from individual clients (although you might catch a proxy or network behind a NAT). But legitimate SMTP connections tend to come from a shared resource, such as an MTA representing thousands of clients. Don't set yourself up for a DoS by allowing someone to easily block Gmail, AOL, etc. at your site simply by sending a few spam messages. Good point. I didn't think of it in this context. Rod --
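As an added example (not code from the thread), the first failregex from Martijn's post run over a few constructed Postfix log lines in Python, with fail2ban-style maxretry/findtime counting and the safeguard Jorey argues for: networks of shared MTAs are reported but never banned. The hostnames, RFC 5737 addresses and thresholds are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# The thread's fail2ban pattern "reject: RCPT from (.*)\[<HOST>\]: 5\d\d",
# with <HOST> spelled out as the IP literal Postfix logs in brackets and the
# syslog timestamp captured so hits can be counted inside a time window.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r".*?reject: RCPT from (?P<rdns>\S*)\[(?P<host>[0-9a-fA-F.:]+)\]: 5\d\d"
)

# Constructed log lines: one client hammering unknown recipients, one shared
# outbound MTA doing the same, one client whose rejects are spread out in
# time, plus a 450 greylisting line and a non-reject line that must not count.
LOG = """\
May  5 09:30:00 mx postfix/smtpd[2099]: NOQUEUE: reject: RCPT from host.isp.test[203.0.113.7]: 554 5.7.1 <z@example.com>: Relay access denied; from=<v@isp.test> to=<z@example.com> proto=ESMTP helo=<host.isp.test>
May  5 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <a@example.com>: Relay access denied; from=<x@spam.test> to=<a@example.com> proto=ESMTP helo=<pc>
May  5 10:00:20 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <b@example.com>: Recipient address rejected: User unknown; from=<x@spam.test> to=<b@example.com> proto=ESMTP helo=<pc>
May  5 10:00:30 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.2.0 <c@example.com>: Recipient address rejected: Greylisted; from=<x@spam.test> to=<c@example.com> proto=ESMTP helo=<pc>
May  5 10:00:41 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <d@example.com>: Recipient address rejected: User unknown; from=<x@spam.test> to=<d@example.com> proto=ESMTP helo=<pc>
May  5 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <e@example.com>: Recipient address rejected: User unknown; from=<x@spam.test> to=<e@example.com> proto=ESMTP helo=<pc>
May  5 10:01:30 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from out1.bigmail.test[198.51.100.5]: 550 5.1.1 <f@example.com>: Recipient address rejected: User unknown; from=<u1@bigmail.test> to=<f@example.com> proto=ESMTP helo=<out1.bigmail.test>
May  5 10:01:35 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from out1.bigmail.test[198.51.100.5]: 550 5.1.1 <g@example.com>: Recipient address rejected: User unknown; from=<u2@bigmail.test> to=<g@example.com> proto=ESMTP helo=<out1.bigmail.test>
May  5 10:01:40 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from out1.bigmail.test[198.51.100.5]: 550 5.1.1 <h@example.com>: Recipient address rejected: User unknown; from=<u3@bigmail.test> to=<h@example.com> proto=ESMTP helo=<out1.bigmail.test>
May  5 10:01:45 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from out1.bigmail.test[198.51.100.5]: 550 5.1.1 <i@example.com>: Recipient address rejected: User unknown; from=<u4@bigmail.test> to=<i@example.com> proto=ESMTP helo=<out1.bigmail.test>
May  5 10:02:00 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from host.isp.test[203.0.113.7]: 554 5.7.1 <j@example.com>: Relay access denied; from=<v@isp.test> to=<j@example.com> proto=ESMTP helo=<host.isp.test>
May  5 10:02:30 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from host.isp.test[203.0.113.7]: 554 5.7.1 <k@example.com>: Relay access denied; from=<v@isp.test> to=<k@example.com> proto=ESMTP helo=<host.isp.test>
May  5 10:03:00 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from host.isp.test[203.0.113.7]: 554 5.7.1 <l@example.com>: Relay access denied; from=<v@isp.test> to=<l@example.com> proto=ESMTP helo=<host.isp.test>
May  5 10:03:05 mx postfix/smtpd[2103]: 7B1C2A0F3: client=host.isp.test[203.0.113.7]
"""


def parse_ts(stamp: str) -> datetime:
    # Syslog stamps carry no year; strptime defaults to 1900, which is fine
    # for the time differences computed below.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def find_offenders(lines, maxretry=4, findtime=600, ignore_nets=()):
    """Sliding-window count of 5xx RCPT rejects per client IP.

    Returns (banned, spared): hosts with >= maxretry rejects inside some
    findtime-second window, and hosts that crossed the threshold but sit in
    ignore_nets (shared MTAs, e.g. a big provider's outbound pool, that you
    would rather never firewall off).
    """
    nets = [ip_network(n) for n in ignore_nets]
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned, spared = set(), set()
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        q = hits[host]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            if any(ip_address(host) in n for n in nets):
                spared.add(host)
            else:
                banned.add(host)
    return banned, spared


if __name__ == "__main__":
    b, s = find_offenders(LOG.splitlines(), ignore_nets=["198.51.100.0/24"])
    print("ban:", sorted(b))                 # ['192.0.2.10']
    print("spared shared MTAs:", sorted(s))  # ['198.51.100.5']
```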
Postfix as outbound relay
And that is as vague as it gets! :-) I've been looking and searching but just can't seem to find what I'm looking for. I need to configure Postfix (and sasl?) so a select group of users from multiple domains can send email. Originally it was to allow some users/domains to send email from (DSL,cable,etc.) providers that block port 25. They are not local users on the mail server. I've found several HOWTOs including Patrick Koetter's smtpauth pages but I'm feeling really thick so just don't seem to get how to fit all the pieces together. Are there any other HOWTOs on setting up Postfix to do smtpauth? Ones for the mail challenged would be best. :-) Of course an example main.cf and its supporting cast of files with the minimum stanzas needed would be perfect. \\||/ Rod --
Multiple PTR entries
With all the traffic recently on DNS and friends I got overloaded and stopped reading. :-( But now I've run into a situation that I don't remember seeing addressed. How will Postfix deal with a machine that has two different names for the same IP and multiple PTR records? \\||/ Rod --
Re: Multiple PTR entries
Victor Duchovni wrote: On Thu, Jul 16, 2009 at 09:18:07AM -0700, Roderick A. Anderson wrote: With all the traffic recently on DNS and friends I got overloaded and stopped reading. :-( But now I've run into a situation that I don't remember seeing addressed. How will Postfix deal with a machine that has two different names for the same IP and multiple PTR records? Postfix will use the first (typically randomly selected) PTR record, the rest will be ignored. People publishing multiple PTR records are IMHO misguided. I agree! But sometimes it takes other input to convince the powers that be. \\||/ Rod --
Re: Multiple PTR entries
Wietse Venema wrote: Roderick A. Anderson: With all the traffic recently on DNS and friends I got overloaded and stopped reading. :-( But now I've run into a situation that I don't remember seeing addressed. How will Postfix deal with a machine that has two different names for Thanks. More ammo for my battle, which may not be. I just have to come up with a workable solution that they can understand. I do the DNS also. But knowing how Postfix will react will help with them configuring their MTA (probably Exchange) so it plays well with the rest of the world. \\||/ Rod -- Wietse
Re: Tip: Restricting mail reception using a remote service's SPF records
Ville Walveranta wrote: Here's the completed script (the IP/CIDR extract worked perfectly -- thanks Barney!):

    #!/bin/sh
    ORIGINAL=/usr/local/etc/postfix/tables/client_access_maps.cidr
    NEW=/tmp/postfix_clients.tmp
    # Pull the ip4: networks out of the sender's SPF record and turn each into a cidr table entry
    dig +short senderdomain.net TXT | grep 'v=spf1' | egrep -o 'ip4:[0-9./]+' | sed 's/^ip4://' | sed 's/$/ OK/' > $NEW
    ORIGINAL_CK=`cksum $ORIGINAL | awk '{print $1}'`
    NEW_CK=`cksum $NEW | awk '{print $1}'`
    # Only install the new table (and reload Postfix) if it is non-empty and actually changed
    if [ -s $NEW ] ; then
      if [ $ORIGINAL_CK != $NEW_CK ] ; then
        cp -f $NEW $ORIGINAL
        postfix reload > /dev/null
      fi
    fi
    rm $NEW
    exit 0

It works except that the Postfix refresh message (postfix/postfix-script: refreshing the Postfix mail system) is displayed despite the attempt to redirect it to /dev/null? Any idea how I could hide it?

    postfix reload > /dev/null 2>&1

Rod --
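As an added example, not Ville's script, the same SPF-to-cidr_table conversion done offline in Python on constructed TXT records. It goes a little beyond the shell pipeline: it handles ip6: as well as ip4:, drops ranges that carry a fail/softfail/neutral qualifier, refuses junk that would otherwise be written into the access map, and reports the mechanisms (include:, a, mx, redirect=) that the grep/sed approach silently ignores, so the operator knows the allowlist does not mirror the sender's whole policy. Domain names and addresses are placeholders.

```python
from ipaddress import ip_network

# Constructed "dig +short <domain> TXT" output: two TXT records, only one of
# which is the SPF policy (RFC 7208 says a domain has at most one).
TXT_RECORDS = [
    '"google-site-verification=constructed-placeholder"',
    '"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ip6:2001:db8::/32 '
    '-ip4:203.0.113.0/24 include:_spf.example.net mx a/24 ~all"',
]


def spf_to_cidr_map(txt_records):
    """Turn a domain's SPF TXT record into Postfix cidr_table lines.

    Returns (entries, unresolved): entries are "<network> OK" lines for the
    ip4:/ip6: mechanisms with a pass qualifier; unresolved lists mechanisms
    that need further DNS lookups (include:, a, mx, ptr, exists:, redirect=)
    and therefore are NOT represented in the table.
    """
    spf = [r.strip('"') for r in txt_records
           if r.strip('"').lower().startswith("v=spf1")]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    entries, unresolved = [], []
    for term in spf[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            if qual != "+":
                continue  # fail/softfail/neutral ranges are never allowlisted
            # strict=False tolerates host bits set in the record (ip4:192.0.2.1/24);
            # anything that is not an address at all raises ValueError here.
            net = ip_network(arg, strict=False)
            if net.version != int(mech[-1]):
                raise ValueError(f"{mech} mechanism with wrong address family: {arg}")
            entries.append(f"{net} OK")
        elif mech == "all":
            continue
        else:
            unresolved.append(term)
    return entries, unresolved


def render_table(entries):
    # The text that would be written to client_access_maps.cidr; the
    # trailing newline keeps the cksum comparison stable between runs.
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    ok, todo = spf_to_cidr_map(TXT_RECORDS)
    print(render_table(ok), end="")
    print("not covered by the table:", todo)
```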
Re: Postfix-2.6.0 RPM
Ralf Hildebrandt wrote: * Brian Collins lis...@newnanutilities.org: I noticed that Postfix V#2.6.0 is now out. Does anybody know where to get RPM files? GOOGLE did not help. Simon Mudd picks up the releases and makes good source and binary RPMs from them with lots of options. However, he's a busy man and does not always get to them right after release. A kindly-worded email to him might yield you an estimate of when he'll get to 2.6. He's a bit busy right now due to family issues. Sorry to hear that but in the mean time you can grab .src.rpm for a prior release, the tarball for the current release and modify the .spec file to reflect this. As mentioned in an earlier message Simon's RPMs are built as simply as possible so can be handled this way. \\||/ Rod --
Re: Relay problem: NOQUEUE: reject: RCPT from unknown[::1]:
Wade Williams wrote: I'm having a problem where an installation of Mantis bug tracking software cannot send mail to external addresses. It sends mail to me (w...@dogwatchsw.com) fine. However, it will not send to external email addresses. I've done a lot of google searching, but not come up with a fix. All other mail operations including email to/from my mail client via courier-imap work fine.

    Apr 23 10:27:43 anagram postfix/smtpd[21916]: connect from unknown[::1]
    Apr 23 10:27:43 anagram postfix/smtpd[21916]: NOQUEUE: reject: RCPT from unknown[::1]: 554 5.7.1 <wwill...@cisco.com>: Relay access denied; from=<w...@dogwatchsw.com> to=<wwill...@cisco.com> proto=ESMTP helo=<www.dogwatchsw.com>

Maybe I can get to you before the others do. Relevant portions of main.cf: Think Ghostbusters: There are no 'Relevant portions of main.cf' there is only 'postconf -n'.

\\||/ Rod --

    myhostname = anagram.dogwatchsw.com
    #mydomain = domain.tld
    myorigin = $mydomain
    proxy_interfaces = 10.1.1.2
    mydestination = /etc/postfix/local-host-names
    #local_recipient_maps
    #mynetworks_style
    mynetworks = 10.0.0.0/24, 10.1.1.0/24,127.0.0.0/8
    relay_domains = $mydestination
    relayhost = [smtp.comcast.net]
    #relay_recipient_maps = hash:/etc/postfix/relay_recipients

Contents of /etc/postfix/local-host-names:

    localhost
    localhost.dogwatchsw.com
    anagram
    anagram.dogwatchsw.com
    dogwatchsw.com
    www.dogwatchsw.com

One google search suggested that the problem might be IPv6 host names in /etc/hosts, so I removed those and rebooted with no effect. Contents of /etc/hosts:

    127.0.0.1 localhost.dogwatchsw.com localhost
    10.1.1.2 anagram.dogwatchsw.com anagram

Any thoughts? Wade
Re: Fedora10 RPM build from src fails.
James A R Brown wrote: Hi Alan, Looks like its not the paths. I edited /usr/lib/rpm/macros :-

    #Path to top of build area.
    #%_topdir %(echo $HOME)/rpmbuild
    %_topdir /usr/src/redhat

Then I tried again from fresh. You can see below same error, but new path is being used. James

    [r...@jblaptop SPECS]# rpmbuild -bb postfix.spec
    Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.GAhWtR
    + umask 022
    + cd /usr/src/redhat/BUILD
    + umask 022
    + '[' 0 '!=' 0 ']'
    +++ rpm --eval /usr/src/redhat/SOURCES
    ++ sh /usr/src/redhat/SOURCES/postfix-get-distribution
    + distribution=fedora-10.0
    + '[' fedora-10.0 '!=' fedora-10.0 ']'
    + cd /usr/src/redhat/BUILD
    + rm -rf postfix-2.5.6
    + /usr/bin/gzip -dc /usr/src/redhat/SOURCES/postfix-2.5.6.tar.gz
    + /bin/tar -xf -
    + STATUS=0
    + '[' 0 -ne 0 ']'
    + cd postfix-2.5.6
    + /bin/chmod -Rf a+rX,u+w,g-w,o-w .
    + echo 'Patch #3 (postfix-files.patch):'
    Patch #3 (postfix-files.patch):
    + /bin/cat /usr/src/redhat/SOURCES/postfix-files.patch
    + /usr/bin/patch -s -p1 -b --suffix .alternatives --fuzz=0
    1 out of 2 hunks FAILED -- saving rejects to file conf/postfix-files.rej

Try looking in conf/postfix-files.rej to find out why the patch is failing. Then maybe look in the file /usr/src/redhat/SOURCES/postfix-files.patch. I don't have a build system available right now (and I run CentOS 5.x systems) but it could be a bleeding-edge-Fedora problem.

\\||/ Rod --

    error: Bad exit status from /var/tmp/rpm-tmp.GAhWtR (%prep)
    RPM build errors: Bad exit status from /var/tmp/rpm-tmp.GAhWtR (%prep)

James I'm seeing the same problem with Simon's sources. He is aware of this as I've been in contact with him about this for a little while. The cause looks like it is due to the change of the default location for the build tree in Fedora 10. In previous versions it has been under /usr/src/redhat/ while it now appears to be under ~/ Alan
Re: The flow of messages through Postfix (Ref: Sensible config?)
Wietse Venema wrote: Roderick A. Anderson: I keep seeing and having questions on valid parameters and valid values for them. The Postfix.org site and manual have great listings and this list has provided excellent info on them. Still I stay a bit confused as I started with an older version (could have been in the 1.x series) and got much of my main.cf from non-authoritative sources. :-) And as I upgraded I never changed main.cf much unless I found a problem. So here I am now wanting to optimize the installations I support but feel I can't do it right. Why? Because I don't know how a message flows through the settings in Postfix. It's documented. http://www.postfix.org/OVERVIEW.html Totally missed this. I think I might have skipped it because so many OVERVIEWs are ... lame. To try and bring this to the subject line; is there a flow chart or a way to create one of how a message would/should/could be processed? Plus I have questions like: Does the order of the parameters in main.cf make a difference? Can I specify *_client_* after *_recipient_*, which parameter values are standalone parameters now, etc. It's documented. http://www.postfix.org/postconf.5.html Been there, done that but forgot about the non-ordered portion. Now I come to what I was trying to ask. In a main.cf I have:

    smtpd_helo_restrictions = ...
    smtpd_data_restrictions = ...
    smtpd_recipient_restrictions = ...
    header_checks = ...

I'm assuming smtpd_* means the first three are handled by smtpd but in what order? I'm leaning towards helo, recipient, then data; but there are others. Where do they fall in the processing order? And who handles header_checks and when? Sorry to be a pain but I was hoping to not have to dive into the code. I sometimes need to justify/explain settings to others with less experience than me. Plus if they are in main.cf grouped and ordered it makes the logic clearer. \\||/ Rod --
Re: The flow of messages through Postfix (Ref: Sensible config?)
Victor Duchovni wrote: On Tue, Mar 10, 2009 at 09:05:28AM -0700, Roderick A. Anderson wrote: [snip] Well, the only opportunity to respond to an SMTP command is in response to *that* command, so originally these took place at the time of the corresponding SMTP command.

    connect:    client restrictions
    EHLO:       helo restrictions
    MAIL FROM:  sender restrictions
    RCPT TO:    recipient restrictions
    DATA:       data restrictions
    .:          end of data restrictions (added recently)

Later it was recognized that there are good reasons to delay processing of and error responses in connect, EHLO and MAIL until RCPT, hence: http://www.postfix.org/postconf.5.html#smtpd_delay_reject this does not change the order, just the timing, but the earlier restrictions are now evaluated once for each recipient, rather than once per message, and can make use of the (current) recipient address. And who handles header_checks and when? http://www.postfix.org/header_checks.5.html I've read this before but missed/forgot this portion, though it is in the first paragraph of the Description. Sorry to be a pain but I was hoping to not have to dive into the code. You could try the documentation instead. http://www.postfix.org/documentation.html http://www.postfix.org/postfix-manuals.html Oh I have but find myself getting lost as I follow links that lead to other links that lead to more links. Pretty soon I forgot what I started out looking for. :-( Old age? :-) You know I think I better go back to lurking and reading. \\||/ Rod --
Re: New Pflogsumm Maintainer Needed
Jim Seymour wrote: Hi All, I'm simplifying my life. Amongst other things, that means I'm dropping my business class DSL circuit and all of my involvement in projects, documentation, anti-spam efforts, etc. If somebody *qualified* wants to officially take over maintenance of Pflogsumm, please speak up. Jim, Did you get any takers? Rod -- Qualified means at least as knowledgeable as I about Perl (not too-difficult a hurdle) and not the type to bloat a utility beyond all reason by bowing to every piddling little feature request everybody asks for in a bid to retain the popularity of your project. If somebody has a recommendation for another individual, that, too, is welcome. I hope those of you that have used it have found pflogsumm useful, and I'll take this opportunity to again thank the various contributors, over the years. Regards, Jim
virtual_mailbox_domains as a hash file
Everything I'm reading in The Book of Postfix and from the web site seems to indicate that virtual_mailbox_domains has to be a list of values in main.cf. Is this correct? Any way to put them in a file instead? TIA, Rod --
Re: Problems with Postfix / Round-Robin
Pablo Scheri wrote:

    dig mx trendargentina.com.ar.

    ; <<>> DiG 9.3.3rc2 <<>> mx trendargentina.com.ar.
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27701
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;trendargentina.com.ar.            IN      MX

    ;; ANSWER SECTION:
    trendargentina.com.ar.      0      IN      MX      10 mx.trendargentina.com.ar.

    ;; AUTHORITY SECTION:
    trendargentina.com.ar.      0      IN      NS      imsva.trendargentina.com.ar.

    ;; ADDITIONAL SECTION:
    mx.trendargentina.com.ar.   0      IN      A       10.0.0.208
    mx.trendargentina.com.ar.   0      IN      A       10.0.0.207

What this says to me is every time Postfix requests the MX for trendargentina.com.ar the name server software will look it up and come back with _either_ 10.0.0.208 or 10.0.0.207 and depending on how many other DNS requests are made it might be the same over and over. If your zone file had

    trendargentina.com.ar.      0      IN      MX      10 mx1.trendargentina.com.ar.
    trendargentina.com.ar.      0      IN      MX      10 mx2.trendargentina.com.ar.
    ...
    mx1.trendargentina.com.ar.  0      IN      A       10.0.0.208
    mx2.trendargentina.com.ar.  0      IN      A       10.0.0.207

Then when Postfix asked for the MX record for trendargentina.com.ar the DNS server would send back the two IP addresses and Postfix would round-robin/randomize them. I got the DNS info from readings in Pro DNS and bind and the Postfix from this list and the online documentation. Your implementation has DNS doing the round-robin with the results depending on how busy the name server is. Mine lets Postfix do it with a single query to the name server. As always YMMV. ;-)

Rod --

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu Jan 22 16:10:05 2009
    ;; MSG SIZE  rcvd: 110

    dig a mx.trendargentina.com.ar.

    ; <<>> DiG 9.3.3rc2 <<>> a mx.trendargentina.com.ar.
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4096
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mx.trendargentina.com.ar.         IN      A

    ;; ANSWER SECTION:
    mx.trendargentina.com.ar.   0      IN      A       10.0.0.207
    mx.trendargentina.com.ar.   0      IN      A       10.0.0.208

    ;; AUTHORITY SECTION:
    trendargentina.com.ar.      0      IN      NS      imsva.trendargentina.com.ar.

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu Jan 22 16:10:13 2009
    ;; MSG SIZE  rcvd: 94

    postconf | grep dns
    disable_dns_lookups = no
    lmtp_host_lookup = dns
    smtp_host_lookup = dns

    grep '10\.0\.0\.20..:25' /var/log/maillog | grep -v status=

No result. Thanks! Pablo.-

Subject: Re: Problems with Postfix / Round-Robin
To: postfix-users@postfix.org
Date: Fri, 6 Feb 2009 09:46:43 -0500
From: wie...@porcupine.org

The DNS looks good. Can you give output for:

    $ dig mx trendargentina.com.ar.
    $ dig a mx.trendargentina.com.ar.
    $ postconf | grep dns

The records that result in some kind of error while delivering to the mx.trendargentina.com.ar machines. Something like:

    $ grep '10\.0\.0\.20..:25' /var/log/maillog | grep -v status=

That's two dots before the :. Wietse
Re: Problems with Postfix / Round-Robin
Victor Duchovni wrote: On Fri, Feb 06, 2009 at 09:11:43AM -0800, Roderick A. Anderson wrote:

    mx.trendargentina.com.ar.   0      IN      A       10.0.0.208
    mx.trendargentina.com.ar.   0      IN      A       10.0.0.207

What this says to me is every time Postfix requests the MX for trendargentina.com.ar the name server software will look it up and come back with _either_ 10.0.0.208 or 10.0.0.207 and depending on how many other DNS requests are made it might be the same over and over. No, this is wrong. Postfix shuffles MX host A records of equal priority. OK. Obviously we're talking Postfix and after looking at the initial post again I'm assuming the Exchange servers are on the local network (10.0.0.x) so this makes sense. Out in the wild with non-postfix/exim/sendmail mail servers requesting MX records (because I wear several other hats including DNS admin) I'll stick with equal priority/weight MX records. Thanks, Rod -- If your zone file had

    trendargentina.com.ar.      0      IN      MX      10 mx1.trendargentina.com.ar.
    trendargentina.com.ar.      0      IN      MX      10 mx2.trendargentina.com.ar.
    ...
    mx1.trendargentina.com.ar.  0      IN      A       10.0.0.208
    mx2.trendargentina.com.ar.  0      IN      A       10.0.0.207

Then when Postfix asked for the MX record for trendargentina.com.ar the DNS server would send back the two IP addresses and Postfix would round-robin/randomize them. This is wrong, see above. I got the DNS info from readings in Pro DNS and bind and the Postfix from this list and the online documentation. Your implementation has DNS doing the round-robin with the results depending on how busy the name server is. Mine lets Postfix do it with a single query to the name server. Postfix does not rely on DNS servers shuffling the MX or A RRsets.
Suggest another server?
Not too clear from the subject and probably a lame idea. Situation: We have a system (MX1) that is having hardware problems. Currently they are irritations but we want to rebuild the system before it really crashes. There are actually two systems so there is back up (MX2) in case there is a failure. We created another system (MX3) and added it to the DNS records with a priority the same as MX2 and gave MX1 a really low priority hoping to slowly reduce traffic to it. It is going too slowly! So I was thinking instead of just shutting it down it would be nice to tell the connecting systems to go to the other system then refuse to accept the mail. After a day or so shut it down. Is this possible? If so what is it called? (I'm completely at loss here for terms to search with.) Thanks, Rod --
Re: Suggest another server?
Roderick A. Anderson wrote: Not too clear from the subject and probably a lame idea. Situation: We have a system (MX1) that is having hardware problems. Currently they are irritations but we want to rebuild the system before it really crashes. There are actually two systems so there is back up (MX2) in case there is a failure. We created another system (MX3) and added it to the DNS records with a priority the same as MX2 and gave MX1 a really low priority hoping to slowly reduce traffic to it. It is going too slowly! So I was thinking instead of just shutting it down it would be nice to tell the connecting systems to go to the other system then refuse to accept the mail. After a day or so shut it down. Is this possible? If so what is it called? (I'm completely at loss here for terms to search with.) Thanks to you all for the replies. I was thinking it was as simple as you said and Wietse's suggestion to just shut off the SMTP port is neat. My queue is not loaded much of the time but I could catch it wrong if I just shut Postfix down. Turning port 25 off at the fire wall is neat too. Yes it's Postfix. I stopped using Sendmail several years ago when I found how simple it was to set up and use for most of the servers and systems I support. The rest are a little more difficult to deal with but Postfix is the answer there too, just not as simply done. Again thanks, Rod -- Thanks, Rod
Re: Testing SASL HOWTO using telnet/Postfix/dovecot?
Magnus Bäck wrote: On Wednesday, December 03, 2008 at 23:06 CET, Roderick A. Anderson wrote: Magnus Bäck wrote: [...] You can choose any username you like as long as it matches whatever is in your credential database. So far we don't know anything about that. MySQL, sasldb, LDAP, what? smtpd_sasl_type = dovecot Yes, but how does Dovecot store the credentials? But never mind, let's see some logs from the failed authentication attempt. Thanks for the help. I'm going to have to back-burner this for a bit. Until I get the server set up the way it should be instead of my kludged setup. Rod Why do you insist on testing this with telnet? You will introduce another possible error source (incorrect encoding of the credentials) and it's a use case that you're supposedly not really interested in. Because I can do it one step at a time and see the results that Postfix sends back. I hadn't thought of telnet possibly munging base64 encoded values. They looked like ASCII-only to me. Telnet won't munge your encoded credentials (they are indeed pure ASCII), but you may do the encoding incorrectly or mess up in some other way. We've seen that on the list quite a few times, so I'd recommend using a real MUA for this testing. Postfix will log everything that's relevant anyway. But it's a good instinct you've got -- generally it's of course good to introduce complexity gradually and module test things separately before you put them together. Useless since local_transport != local. Thanks. This was built by looking at _many_ HOWTOs and documentation pages and based on a working non-virtual main.cf file. Sadly many how to documents are written by people who aren't that very knowledgeable. [...]
Testing SASL HOWTO using telnet/Postfix/dovecot?
I'm trying to test my Postfix/Dovecot setup to determine why (what I'm doing wrong) a Perl script using Mail::Sender is failing. Errors say connection failed -- rather ambiguous I'd say! :-)

This is for a system with multiple (virtual?) domains. I'm using telnet to test but am having a problem figuring out what I should use for the actual username before it is base64 encoded.

I'm having no problems using the system and Thunderbird seems to have done the right thing when I created the SMTP server settings for each of the domains. I did not find any examples, via Google or on either the Postfix or Dovecot sites, of using telnet to test with virtual domains.

This is on a CentOS 5 guest (Linux-Vserver).

    postfix-2.3.3-2.1.el5_2
    postgrey-1.31-1.el5.rf
    dovecot-1.1.3-0_80.el5
    dovecot-sieve-1.1.5-8.el5

The output of postconf -n is attached.

Pointers/suggestions?

TIA
Rod
--

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
default_destination_concurrency_limit = 10
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
inet_interfaces = nnn.nn.nnn.nnn, 127.0.0.1
local_recipient_maps =
local_transport = virtual
message_size_limit = 20971520
mydestination = localhost
mydomain = domain.tld
myhostname = mx0.domain2.tld
mynetworks = 127.0.0.0/8
recipient_delimiter = +
smtp_bind_address = nnn.nn.nnn.nnn
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_hostname reject_non_fqdn_hostname
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    reject_unlisted_recipient, reject_invalid_helo_hostname,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org, check_policy_service unix:postgrey/socket,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.pem
smtpd_tls_security_level = may
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = $mydomain, domain1.tld, domain2.tld
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:5000
Re: Testing SASL HOWTO using telnet/Postfix/dovecot?
Magnus Bäck wrote:
> On Wednesday, December 03, 2008 at 19:52 CET, Roderick A. Anderson [EMAIL PROTECTED] wrote:
>> I'm trying to test my Postfix/Dovecot setup to determine why (what I'm doing wrong) a Perl script using Mail::Sender is failing. Errors say connection failed -- rather ambiguous I'd say! :-)
>
> Please post full logs instead of anecdotes. Right now it's not even obvious that it's Postfix that's complaining. For SASL debugging help output from saslfinger is often useful (or perhaps not that useful with Dovecot).

Sorry.

>> This is for a system with multiple (virtual?) domains. I'm using telnet to test but am having a problem figuring out what I should use for the actual username before it is base64 encoded.
>
> You can choose any username you like as long as it matches whatever is in your credential database. So far we don't know anything about that. MySQL, sasldb, LDAP, what?

smtpd_sasl_type = dovecot

>> I'm having no problems using the system and Thunderbird seems to have done the right thing when I created the SMTP server settings for each of the domains. I did not find any examples, via Google or on either the Postfix or Dovecot sites, of using telnet to test with virtual domains.
>
> Why do you insist on testing this with telnet? You will introduce another possible error source (incorrect encoding of the credentials) and it's a use case that you're supposedly not really interested in.

Because I can do it one step at a time and see the results that Postfix sends back. I hadn't thought of telnet possibly munging base64 encoded values. They looked like ASCII-only to me.

> [...]
>> alias_database = hash:/etc/postfix/aliases
>> alias_maps = hash:/etc/postfix/aliases
>
> Useless since local_transport != local.

Thanks. This was built by looking at _many_ HOWTOs and documentation pages and based on a working non-virtual main.cf file.

> [...]
>> local_recipient_maps =
>> local_transport = virtual
>
> Why fight the system? If a domain is a virtual mailbox domain, list the domain in virtual_mailbox_domains and leave local_transport alone.

Again thanks. I'll study up on this but, as above, it came from far too many sources of information. I got it working, for the most part, and then let it ride. I think it might have been done this way because I'm using Dovecot's deliver and dovecot-sieve. Could have been because I'm putting mail in /var/mail/vhosts/%d/%u/ and have per-domain password files. Who knows; someday I too might learn to think and speak SMTP like a native and get it all correct.

Rod
--
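Both of Magnus's replies above come back to the same failure mode: hand-encoding the credentials for a telnet test. Here is an added example (mine, not from the thread, Postfix or Dovecot) showing how the AUTH PLAIN and AUTH LOGIN strings are built from a username and password, and how to decode a PLAIN string back to see exactly which authcid was sent, which is the "what username do I use" question on a virtual-domain server where the passdb usually holds the full user@domain form. The "tim" / "tanstaaftanstaaf" vector is the one from RFC 4616; rod@domain.tld and its password are made up.

```python
"""Build and read back the base64 strings used by SMTP AUTH PLAIN and AUTH LOGIN.

Added example, not code from the thread, Postfix or Dovecot. PLAIN is one
base64 string of "authzid NUL authcid NUL password" (RFC 4616); LOGIN sends
the username and the password as two separate base64 strings. The username
must be exactly what the Dovecot passdb holds, so the decoder lets you check
what was actually sent. The "tim" test vector is RFC 4616's; other names here
are made up.
"""
import base64


def encode_plain(username, password, authzid=""):
    """RFC 4616 PLAIN initial response: base64(authzid NUL authcid NUL passwd)."""
    raw = (authzid.encode("utf-8") + b"\0"
           + username.encode("utf-8") + b"\0"
           + password.encode("utf-8"))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token):
    """Split a PLAIN token into (authzid, authcid, password); ValueError if malformed."""
    raw = base64.b64decode(token, validate=True)  # rejects stray characters
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def is_valid_plain(token):
    """True if the token decodes to a well-formed PLAIN triple."""
    try:
        decode_plain(token)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def encode_login(username, password):
    """AUTH LOGIN: two separate base64 lines, sent after the server's prompts."""
    return _b64(username), _b64(password)


def auth_dialogue(username, password):
    """The client lines to type for each mechanism, after EHLO and STARTTLS."""
    user_b64, pass_b64 = encode_login(username, password)
    return {
        "PLAIN": [f"AUTH PLAIN {encode_plain(username, password)}"],
        # the server answers AUTH LOGIN with base64 "Username:" and "Password:" prompts
        "LOGIN": ["AUTH LOGIN", user_b64, pass_b64],
    }


def username_for_check(token):
    """Return the authcid from a PLAIN token, to compare with the passdb entry
    (e.g. confirm it is user@domain.tld rather than a bare user name)."""
    return decode_plain(token)[1]


if __name__ == "__main__":
    for mech, lines in auth_dialogue("rod@domain.tld", "not-a-real-password").items():
        print(mech)
        for line in lines:
            print("   ", line)
    print("authcid sent:", username_for_check(encode_plain("rod@domain.tld", "x")))
```

With `smtpd_tls_security_level = may`, as in the posted config, STARTTLS is offered but not required, so the base64 string can travel in the clear; `smtpd_tls_auth_only = yes` makes Postfix announce AUTH only after STARTTLS, which is the setting worth confirming once the credentials themselves have been shown to be encoded correctly.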
Re: [Q] when to call greylisting?
Wietse Venema wrote:
> Roderick A. Anderson:
>> I'm implementing greylisting on CentOS 5 systems. These are spools for the actual mailserver/mailbox systems. Currently we have:
>>
>> smtpd_recipient_restrictions =
>>     reject_unauth_pipelining,                  cheap
>>     reject_non_fqdn_sender,                    cheap
>>     reject_non_fqdn_recipient,                 cheap
>>     reject_unknown_recipient_domain,           expensive
>>     reject_unknown_sender_domain,              expensive
>>     reject_unlisted_recipient,                 medium
>>     permit_mynetworks,                         cheap
>>     reject_unauth_destination,                 cheap
>>     reject_invalid_hostname,                   cheap
>>     reject_non_fqdn_hostname,                  cheap
>>     reject_rbl_client zombie.dnsbl.sorbs.net,  expensive
>>     reject_rbl_client cbl.abuseat.org,         expensive
>>     permit
>
> Generally, put expensive checks after cheap ones (policy server lookup is cheap to medium, depending on what it does).
>
> If a policy server can return ok, then never put it before reject_unauth_destination, otherwise you could become an open relay.

Aren't there other order-sensitive issues? I'd like to make sure I have the safest and most optimal settings.

Rod
--

> Wietse
Re: [Q] when to call greylisting?
mouss wrote:
> Roderick A. Anderson wrote:
>> I'm implementing greylisting on CentOS 5 systems. These are spools for the actual mailserver/mailbox systems. Currently we have:
>>
>> smtpd_recipient_restrictions =
>>     reject_unauth_pipelining,
>
> useless.
>
>>     reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient,
>>     reject_unknown_recipient_domain,
>>     reject_unknown_sender_domain,
>>     reject_unlisted_recipient,
>>     permit_mynetworks,
>>     reject_unauth_destination,
>>     reject_invalid_hostname,
>>     reject_non_fqdn_hostname,
>>     reject_rbl_client zombie.dnsbl.sorbs.net,
>>     reject_rbl_client cbl.abuseat.org,
>>     permit
>>
>> All the install documents I've found say to put the check_policy_service after reject_unauth_destination but looking at this I wonder if it should go further down on the list. Possibly after reject_invalid_hostname or reject_non_fqdn_hostname.
>
> if it returns defer_if_permit, put it at last (after reject_rbl_client ...).
> if it returns defer, put it just before the first reject_rbl_client.
> if in doubt, put it at last.
>
> PS. when I say put it at last, I mean before the (useless) permit.
>
>> In fact how does the above listing look? It has been working for years but maybe there is a better order or some additional checks that could be done.
>
> depends on what you want. the following is somewhat similar to your setup:
>
>     smtpd_recipient_restrictions =
>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient
>         permit_mynetworks
>         #permit_sasl_authenticated
>         reject_unauth_destination
>         reject_unlisted_recipient
>         reject_invalid_helo_hostname
>         reject_non_fqdn_helo_hostname
>         reject_unknown_sender_domain
>         reject_rbl_client zen.spamhaus.org
>         #check_policy_service ...
>
> the differences with your setup are left as an exercise ;-p

Thanks ... I think! Well actually it was a good exercise. We started upgrading all the systems' OS, which gave us a /more/ current version of Postfix, and just copied main.cf over and everything seemed to work fine.

Two questions -- the second sort-of a double question.

1) Why would we want/need permit_sasl_authenticated? This is an inbound spool/relay. It should only forward to those domains in transport maps and mail for accounts in relay_recipient maps.

2) Why only the one rbl_client? (I see it is a commercial service.) And the second part is where do I find a list of valid/good RBL services/providers. My search using Google didn't seem quite right.

?) One last one to sneak in. Does it make sense to have a bunch of reject_rbl_client entries? I saw one article that had 10. I know it will cost more to do more so are there any indications that it is worth the expense?

Rod
--

>> But mostly I'm wondering where I should place the check_policy_service line.
>>
>> TIA,
>> Rod
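To make the ordering rules from Wietse's and mouss's replies checkable rather than remembered, here is an added example (mine, not from the thread, Postfix or postgrey) that parses a smtpd_recipient_restrictions value out of main.cf text, flags a check_policy_service that runs before reject_unauth_destination (the open-relay case Wietse warns about), lists cheap checks that sit behind expensive DNS-based ones, and inserts check_policy_service where mouss's rule puts it for a policy server that answers DEFER versus DEFER_IF_PERMIT. The cost table is Wietse's annotation of Rod's list; ROD_MAIN_CF is a constructed copy of that list.

```python
"""Audit the order of a Postfix smtpd_recipient_restrictions list.

Added example, not code from the thread, Postfix or postgrey. It encodes the
ordering rules given in the thread: cheap checks before expensive ones, a
policy service that may answer OK never before reject_unauth_destination, and
check_policy_service placed according to what the policy server returns.
The cost labels are Wietse's annotations; ROD_MAIN_CF is a constructed copy
of the list Rod posted.
"""
import re

# 1 = cheap, 2 = medium, 3 = expensive (DNS lookups); unlisted names count as medium
COST = {
    "reject_unauth_pipelining": 1, "reject_non_fqdn_sender": 1,
    "reject_non_fqdn_recipient": 1, "permit_mynetworks": 1,
    "permit_sasl_authenticated": 1, "reject_unauth_destination": 1,
    "reject_invalid_hostname": 1, "reject_non_fqdn_hostname": 1,
    "reject_invalid_helo_hostname": 1, "reject_non_fqdn_helo_hostname": 1,
    "reject_unlisted_recipient": 2, "check_policy_service": 2,
    "reject_unknown_recipient_domain": 3, "reject_unknown_sender_domain": 3,
    "reject_rbl_client": 3,
}

ROD_MAIN_CF = """\
smtpd_recipient_restrictions = reject_unauth_pipelining,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unknown_sender_domain,
    reject_unlisted_recipient, permit_mynetworks, reject_unauth_destination,
    reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org,
    permit
"""


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value'; a line starting with whitespace continues the value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
        else:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def takes_argument(name):
    """Restrictions that consume the next token (an RBL domain, a socket, a lookup table)."""
    return name.startswith(("check_", "reject_rbl_", "reject_rhsbl_"))


def split_restrictions(value):
    """Split a restriction list into items, keeping each argument with its restriction."""
    items = []
    for tok in re.split(r"[\s,]+", value.strip()):
        if not tok:
            continue
        if items and takes_argument(items[-1]) and " " not in items[-1]:
            items[-1] += " " + tok
        else:
            items.append(tok)
    return items


def audit(items, policy_may_return_ok=True):
    """Return (severity, message) findings about the order of the list."""
    names = [it.split()[0] for it in items]
    guards = [i for i, n in enumerate(names)
              if n in ("reject_unauth_destination", "defer_unauth_destination")]
    if not guards:
        return [("critical", "no reject_unauth_destination: nothing stops relaying")]
    findings = []
    for i, (name, item) in enumerate(zip(names, items)):
        if name == "check_policy_service" and i < guards[0] and policy_may_return_ok:
            findings.append(("critical", f"'{item}' runs before reject_unauth_destination; "
                                         "an OK from the policy server would open the relay"))
        elif name == "permit" and i < len(names) - 1:
            findings.append(("critical", "'permit' is not last; later restrictions never run"))
        elif name == "permit":
            findings.append(("info", "trailing 'permit' is redundant: the default action is already permit"))
    first_expensive = None
    for name in names:
        cost = COST.get(name, 2)
        if cost == 3 and first_expensive is None:
            first_expensive = name
        elif cost == 1 and first_expensive and name != "permit":
            findings.append(("info", f"cheap {name} runs after expensive {first_expensive}; move it earlier"))
    return findings


def place_policy_service(items, socket, policy_action="defer_if_permit"):
    """mouss's rule: defer_if_permit -> last (before a trailing permit);
    defer -> just before the first reject_rbl_client; anything else -> last."""
    items = [it for it in items if not it.startswith("check_policy_service")]
    entry = f"check_policy_service {socket}"
    if policy_action == "defer":
        rbl = [i for i, it in enumerate(items) if it.startswith("reject_rbl_client")]
        if rbl:
            items.insert(rbl[0], entry)
            return items
    if items and items[-1] == "permit":
        items.insert(len(items) - 1, entry)
    else:
        items.append(entry)
    return items


if __name__ == "__main__":
    rod = split_restrictions(parse_main_cf(ROD_MAIN_CF)["smtpd_recipient_restrictions"])
    for severity, message in audit(rod):
        print(f"[{severity}] {message}")
    # postgrey answers DEFER_IF_PERMIT by default, so it goes last, before the permit
    print(place_policy_service(rod, "unix:postgrey/socket", "defer_if_permit"))
```

Run against Rod's list the audit reports nothing critical and a handful of cost-order notes (permit_mynetworks and reject_unauth_destination behind the two reject_unknown_*_domain lookups, which is exactly the difference mouss left as an exercise). Feed it the real main.cf with `open("/etc/postfix/main.cf").read()` and pass `policy_may_return_ok=False` only for a policy server you know never answers OK.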
Re: Handle messages where From (Envelope Sender) matches To:
mouss wrote:
> Roderick A. Anderson wrote:
>> [snip]
>>> If your problem is that From: equals To:, then Postfix can help only with an external content filter.
>>>
>>> If your problem is that MAIL FROM equals RCPT TO, then Postfix can help only with an external policy daemon or external content filter.
>>
>> In the case of the above headers I'm going to say both! 8-( But I haven't seen the messages the others are having problems with. Tomorrow I'll be on site and will check if it is the same for them. But either way I'm guessing I'll have some research and experimenting to do.
>>
>> Damn I was hoping for a one-liner in main.cf or master.cf.
>
> not possible in postfix. but it's also a bad idea to block such mail. I've seen many Bcc mail using this method (instead of To: undisclosed...). spamassassin is more appropriate for such mail.

Thanks mouss. Besides my personal domain server(s), Postfix is being used on several other systems (I support/admin) as a spool (relay) to the actual mail servers (running proprietary software). We try to keep the spools lightly loaded so I have to get permission/consensus to run spamassassin on them. Mostly we were hoping to tag them as probable spam, based on the MAIL FROM/RCPT TO -- From:/To:, and let the users deal with it in their spam folders. There is SPAM software on the actual mail servers but not all users or domains are using it. I'll suggest that if they don't use the SPAM filtering the SPAM is not /our/ problem. Maybe we would turn up greylisting. That might help them.

Again thanks,
Rod
--
Handle messages where From (Envelope Sender) matches To:
I'm starting to get a lot of SPAM where the Sender matches the To:. I hear the same from several others. There was the thread recently on something similar but dealing with lists so it seems to not apply.

I'm at a complete loss after being six pages into a search using Google.com with "postfix from matches to:" as the search criteria.

If doable, what terms or concepts should I search for to see how to do this using Postfix?

TIA,
Rod
--
Re: Handle messages where From (Envelope Sender) matches To:
Wietse Venema wrote:
> Roderick A. Anderson:
>> I'm starting to get a lot of SPAM where the Sender matches the To:.
>
> You mean, the From: and To: headers, or the MAIL FROM and the RCPT TO address in SMTP commands?

One of these days I'll start thinking in the correct terms. Probably about a week before I retire or die! :-)

> Note that From: and To: headers can be completely different from the MAIL FROM and the RCPT TO address in SMTP commands.

This is probably a bad example as the [EMAIL PROTECTED] is a forwarding address to the actual [EMAIL PROTECTED] but here are the headers from one of the messages I get.

    Return-Path: [EMAIL PROTECTED]
    X-Original-To: [EMAIL PROTECTED]
    Delivered-To: [EMAIL PROTECTED]
    Received: from acm26-4.acm.org (acm26-4.acm.org [63.118.7.109])
        by mail.cyber-office.net (Postfix) with ESMTP id 4CA8F80077
        for [EMAIL PROTECTED]; Mon, 10 Nov 2008 16:31:26 -0800 (PST)
    Received: from psmtp.com ([64.18.14.107])
        by acm26-4.acm.org (ACM Email Forwarding Service) with SMTP id RLQ42223
        for [EMAIL PROTECTED]; Mon, 10 Nov 2008 19:31:23 -0500
    Received: from source ([216.183.146.13]) by chip3mx111.postini.com ([64.18.6.10])
        with SMTP; Mon, 10 Nov 2008 19:31:23 EST
    To: [EMAIL PROTECTED]
    Subject: Even presidents use it
    From: [EMAIL PROTECTED]
    MIME-Version: 1.0
    Importance: High
    Content-Type: text/html
    Message-Id: [EMAIL PROTECTED]
    Date: Mon, 10 Nov 2008 16:31:26 -0800 (PST)

A reverse lookup of the IP address (dig -x 216.183.146.13) gives me this snipped-out section.

    ;; ANSWER SECTION:
    13.146.183.216.in-addr.arpa. 10800 IN PTR cheetah-tiv-ppp265.bmts.com.

> See, for example, this message that reaches you via mailing lists.
>
> Header:
>     From: me
>     To: postfix-users@postfix.org
>
> SMTP envelope:
>     MAIL FROM: [EMAIL PROTECTED]
>     RCPT TO: you
>
> If your problem is that From: equals To:, then Postfix can help only with an external content filter.
>
> If your problem is that MAIL FROM equals RCPT TO, then Postfix can help only with an external policy daemon or external content filter.

In the case of the above headers I'm going to say both! 8-( But I haven't seen the messages the others are having problems with. Tomorrow I'll be on site and will check if it is the same for them. But either way I'm guessing I'll have some research and experimenting to do.

Damn I was hoping for a one-liner in main.cf or master.cf. Oh well, off to the books.

Thanks,
Rod
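Wietse's answer above is that a MAIL FROM equals RCPT TO match needs an external policy daemon. As an added example (mine, not from the thread or from Postfix), here is a minimal one speaking the smtpd policy protocol: Postfix sends `name=value` lines ended by an empty line, the server answers `action=...` followed by an empty line, and one connection carries many such requests. It follows mouss's advice in the thread and tags rather than rejects: an envelope match gets a PREPEND action with a marker header for the downstream spam filter or the user's own rules, everything else gets DUNNO, and a null sender (bounces) never matches. The marker header name, the listening port 10040 and the sample request are all assumptions I made up for the example.

```python
"""Postfix policy daemon that tags (not rejects) mail whose MAIL FROM equals RCPT TO.

Added example, not code from the thread or from Postfix. It speaks the smtpd
policy protocol: Postfix sends 'name=value' lines ending with an empty line,
the server replies 'action=...' plus an empty line, many requests per
connection. A match answers PREPEND with a marker header; everything else
answers DUNNO. Header name, port and sample request are assumptions.
"""
import socketserver

MARKER_HEADER = "X-Envelope-Sender-Equals-Recipient"  # hypothetical header name
LISTEN = ("127.0.0.1", 10040)                         # assumed port


def parse_request(text):
    """Parse one policy request block into a dict with lowercased attribute names."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break  # empty line ends the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs


def normalize(addr):
    """Compare addresses case-insensitively. Domains are case-insensitive by
    definition; treating local parts that way too is a design choice that
    matches how nearly every mail system behaves, not an RFC requirement."""
    return addr.strip().lower()


def decide(attrs):
    """Return the policy action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender, recipient = attrs.get("sender", ""), attrs.get("recipient", "")
    if sender and normalize(sender) == normalize(recipient):  # null sender never matches
        return f"PREPEND {MARKER_HEADER}: yes"
    return "DUNNO"


def respond(text):
    """Full wire response for one request block."""
    return f"action={decide(parse_request(text))}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve request blocks until Postfix closes the connection."""

    def handle(self):
        block = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                block.append(line)
                continue
            if block:  # empty line: the request is complete
                self.wfile.write(respond("\n".join(block) + "\n\n").encode("ascii"))
                self.wfile.flush()
                block = []


# Constructed sample request, as Postfix sends it at the RCPT stage.
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=ESMTP
client_address=192.0.2.10
client_name=host.example.invalid
sender=someone@example.net
recipient=Someone@example.net

"""

if __name__ == "__main__":
    print(respond(SAMPLE_REQUEST), end="")  # demo on the sample, then serve for real
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as srv:
        srv.serve_forever()
```

Hook it in with `check_policy_service inet:127.0.0.1:10040` in smtpd_recipient_restrictions, after reject_unauth_destination (this daemon never answers OK, but keeping the relay guard first costs nothing). Because the comparison is on the envelope, the From:/To: header case in Rod's sample headers is not covered; that is the content-filter case Wietse names.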