Re: cannot find your hostname
On Sep 2, 2009, at 4:07 PM, Sahil Tandon wrote: As clearly documented in postconf(5),

How exactly does one get to that man page?

man postconf
That of course works.

man postconf(5)
-bash: syntax error near unexpected token `('

man postconf5
No manual entry for postconf5

Does this imply there are version 1, 2, 3, and 4 as well? How do I find out?

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Email server health check?
On Aug 12, 2009, at 10:33 PM, email builder wrote: I am wondering if anyone has advice on where there are any email health checks online. I used to use dnsstuff.com but they have since gone commercial.

You have been given links and other suggestions for this that are sound, I would follow those suggestions.

It's frustrating to have your users' emails land in Yahoo or Gmail spam folders, but not be able to understand why. DNS checks out fine as far as I can tell (tried out intodns.com and did my own DIGging) and all the rest as far as I am able to check. Checked the big name RBLs and got nothing there, either.

At that point, you sound like you are doing ok.

Where do people turn to try to get feedback on their outgoing emails? Even a spamassassin score checker would be nice, but alas (and specific issues with Yahoo/Gmail are of course nearly hopeless because those companies could care less about us little people).

I have around 10 servers that have had issues with yahoo or hotmail or aol, ranging from ending up in the spam folder, to bounces, to eating the messages silently and not providing any data. I have been able to resolve all cases.

Aol: http://postmaster.aol.com/ Start there, you need to get into their feedback loop, this will alert you any time someone reports your emails as spam. They make it hard by only giving a message id, which I find can be tough to track down on a BCC/CC delivery with a lot of aol.com addresses in it. Apply for their whitelist, follow the feedback loop reports, and act on them, and you will be fine. Email their support system. While it will take 10-20 frustrating emails (which would be unnecessary had they just read the first email in full), you will get unblocked.

* Different providers like different things, some like DKIM, others SPF, and others something more proprietary, you just have to work with them, and you can get in their good graces.
yahoo and hotmail http://help.yahoo.com/l/us/yahoo/mail/postmaster/ http://postmaster.msn.com/

Their general policy is to send to the spam folder, and ask questions later. If they do not do that, and you have a new IP they have never seen, they may accept the message, not deliver it, and not notify anyone about it. It is all about IP history, if you have none, you are considered a bad guy.

With both providers, you will need to email their support system. You will fill out a form, asking for attention. They will reply, asking you to fill out the same form again. They will reply, asking for clarification that you already provided in forms 1 and 2. Those will then be replied to asking for specifics that you answered in form 3. This will go on for a while. I generally see it takes 15 emails back and forth to get resolution. At some point, you will get a survey, to rate their performance on the issue. This is when you know they have unblocked you. By filling out the survey, at least with yahoo, that closes the ticket, so unless you have tested you are done, do not fill the survey out until you are sure you are deliverable.

They may get you to a real human, who asks you to do telnet tests, and other things they should be doing on their end by looking at their logs. Just go through the motions, be polite, or they will drop the email communication and ignore. The email address of ticket-id-x...@silly-big-provider.example.com will expire and you get to start it all over.

Many of the questions will ask how you manage your mailing lists, which most of the time for me, are not applicable. Others ask questions about a setup that would not be applicable to an outbound only smtp host for formmail type things. You sort of just have to logically fill in the blanks. The up front forms you are filling out are just a process to get you to a real human who will look into your issues. Be diligent, I have never walked away with emails that could not hit an inbox.
I have not run into this issue with google, though with a close personal friend in their gmail department, I would cheat on that issue. If you do not have that ability, I do not know how to deal with google, they seem rather vague about their systems.

During all this, you will be curious to know why the blocks are happening, and how they determine them. Do not waste your time asking, they consider it proprietary, and part of their anti-spam strengths.

Hope that helps. It is a pain, but it can be done.

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: how to forbid the bounced mail?
On Aug 4, 2009, at 9:00 PM, Chookiex wrote: Hi All, I want to do a test with postfix. For example, I will relay many mails to postfix and postfix delivers mails to the mda. But you know, the mda may not be stable enough, so the mda would not work occasionally. At this time, postfix would bounce mails, I can not hope to see it. So, how to forbid the bounced mail?

It is generally not in your control. The sending server should know to retry again later, for at the least, a few hours. I retry 12 hours by default, many others use a much greater time.

A second line of protection would be a secondary MX, which will accept all emails and hold them until your primary comes back online. I have decided that due to spammers the secondary MX is not worth it for me. Spammers like to target a secondary MX directly, and I was unable to keep the secondary and primary in sync with regard to anti spam measures and configs. I figured, most retry intervals are long enough that I should be able to get some form of limited receiving server back online within that time window.

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: How to setup postfix to have port 25 for receive only
I don't think that's a terribly good idea, but anyway:

main.cf:
smtpd_client_restrictions = check_client_access pcre:/path/to/file

/path/to/file:
/(ppp|dialup|adsl)/ REJECT

You can move the check_client_access restriction to any other smtpd_xxx_restrictions if you want. You probably want to implement a stricter regexp to avoid collateral damage. Stricter expressions have been posted here in the past. Finally, this assumes that your Postfix has PCRE support. If not, replace `pcre' with `regexp'.

Magnus, I can see why he would want to do that - 99% of the spam I get is from US-based cable modem- and DSL-hosted systems. My host - earthlink - recently reconfigured their routers to disallow outbound email that doesn't go through their servers, and I wish all ISPs would do that. Thanks for telling us how to do this - I'm going to configure it and try it out.

Wouldn't using a Dial-up and Dynamic Black List catch these, and do so with greater accuracy since most of them delist those that were listed in error? Add in score based analytics on the BL's and it seems you could be more aggressive, with a lot less risk. I personally find greylisting catches the lion's share of the dialup and dynamic ranges at this time, though I am not sure how much longer that tactic is going to work so well.

-- Scott * If you contact me off list replace talklists@ with scott@ *
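The "collateral damage" Magnus warns about is easy to measure before a pattern goes into production. The following is an added example, not part of the thread: it runs a list of constructed client hostnames through the loose pattern quoted above and through a stricter, anchored pattern of my own (it is an assumption, not one of the expressions previously posted to the list), and reports the hosts that only the loose pattern would reject. Postfix feeds the client's hostname (and address) to a check_client_access pcre: table in the same way, so the REJECT/DUNNO results mirror what the table would return.

```python
import re

# Loose pattern quoted in the thread, and a stricter one that is my own assumption:
# the token must start a label (or follow a hyphen) and be followed by a digit, dot
# or hyphen, which is how dynamic-pool reverse DNS is usually laid out.
LOOSE = re.compile(r"(ppp|dialup|adsl)", re.I)
STRICT = re.compile(r"(^|[.-])(ppp|dialup|adsl|dyn(amic)?)([.-]|\d)", re.I)

# Constructed client hostnames, as Postfix would present them to check_client_access.
SAMPLE_CLIENTS = [
    "ppp-123-45-67-89.dialup.example.net",   # obvious dial-up pool
    "adsl-5-6-7-8.example.org",              # obvious ADSL pool
    "dyn123.example.net",                    # dynamic pool
    "mail.happydialup.example.com",          # a legitimate MTA whose name contains 'dialup'
    "mx.adslingers.example.com",             # 'adsl' as a substring of an ordinary word
    "smtp.example.com",
]


def classify(hostname, pattern):
    """Return the action the pcre: table would yield: REJECT on match, DUNNO otherwise."""
    return "REJECT" if pattern.search(hostname) else "DUNNO"


def rejected(hostnames, pattern):
    """Hosts the given pattern would reject, in input order."""
    return [h for h in hostnames if classify(h, pattern) == "REJECT"]


def collateral_damage(hostnames):
    """Hosts the loose pattern rejects but the strict one lets through."""
    return sorted(set(rejected(hostnames, LOOSE)) - set(rejected(hostnames, STRICT)))


def pcre_map_line(pattern):
    """Render a compiled pattern as one line of a Postfix pcre: table (case-insensitive)."""
    return f"/{pattern.pattern}/i REJECT dynamic or dial-up client"


if __name__ == "__main__":
    print(pcre_map_line(STRICT))
    for host in SAMPLE_CLIENTS:
        print(f"{host:40} loose={classify(host, LOOSE):6} strict={classify(host, STRICT)}")
    print("only the loose pattern rejects:", collateral_damage(SAMPLE_CLIENTS))
```

Run it against your own recent client hostnames (the client= field in the smtpd log lines) before enabling the table, and note that clients with no reverse DNS show up as "unknown" and are a separate decision (reject_unknown_client_hostname), not a regex match.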
Re: OT: Why are my servers strong passwords compromised
On Jul 18, 2009, at 4:38 AM, Damian Myerscough wrote: Hello, Just out of curiosity how do you let your users change their passwords?

Adding to this, do you have a forgot password feature that perhaps gives them passwords to a master control panel of some form? Did you distribute their passwords to them via an email at some point in time? If a password exists in email, some worm will find it and reveal it to someone else at some point in time.

I suspect the problem you are having has nothing to do with the strength of your password policy. You could have users with passwords of a very simple nature, and that would probably not change your troubles. Even the most well thought out password will be compromised if there are ways to do so outside of a dictionary attack.

In your case, I think you need to determine what the details are of your users who are being compromised. What is their platform, what email client do they use, etc. I would bet that Linux and Mac are not in that mix, if they are not, you can start to look into what virus/worm/trojan does this sort of malicious act, and provide a simple tool to remove it for your users.

If it is phishing attacks, there is little you can do, as you will simply not be able to educate your users. You may consider sending them off to openDNS, or implementing such features yourself, as they have built in phishing url detection. Using something like Firefox or Safari that has phishing url detection built in will help as well.

At this point, I would find the cause, so you can work to solve it, I strongly suspect it has nothing to do with password quality. Have you looked at the IP space of the AUTHs that come in on a compromised account? You may find they all come from the same place, if you have no users in that space, blackhole that IP space from authing.

-- Scott * If you contact me off list replace talklists@ with scott@ *
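The last suggestion above, looking at where the AUTHs for a compromised account come from, is a log query worth scripting. This added example (not part of the thread) parses Postfix smtpd lines of the form "client=host[ip], sasl_method=..., sasl_username=..." from a few constructed log lines, groups the client addresses by username, flags accounts that authenticate from more addresses than a real user would or from outside the networks where your users live, and collapses the offending addresses into /24 blocks as a starting point for a table that refuses AUTH from that space. The expected networks, thresholds and sample lines are all assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines in Postfix smtpd format (not taken from the original post).
SAMPLE_LOG = """\
Jul 18 04:38:01 mx1 postfix/smtpd[4101]: 8F2A1C3B: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul 18 04:38:05 mx1 postfix/smtpd[4102]: 9A3B2D4C: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul 18 04:39:17 mx1 postfix/smtpd[4103]: 1B4C3E5D: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=bob
Jul 18 04:40:02 mx1 postfix/smtpd[4104]: 2C5D4F6E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob
Jul 18 04:40:09 mx1 postfix/smtpd[4105]: 3D6E5A7F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob
Jul 18 04:41:30 mx1 postfix/smtpd[4106]: 4E7F6B8A: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=carol
"""

AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: client=(?P<host>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\],"
    r" sasl_method=\w+, sasl_username=(?P<user>\S+)"
)


def auth_ips_by_user(log_text):
    """Map each SASL username to the set of client IPs it authenticated from."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            result[m.group("user")].add(m.group("ip"))
    return dict(result)


def suspicious_users(log_text, expected_networks, max_ips=2):
    """Usernames that authenticated from more than max_ips distinct addresses, or from
    any address outside the networks where legitimate users are expected to be."""
    nets = [ip_network(n) for n in expected_networks]
    flagged = {}
    for user, ips in auth_ips_by_user(log_text).items():
        outside = sorted(ip for ip in ips if not any(ip_address(ip) in n for n in nets))
        if len(ips) > max_ips or outside:
            flagged[user] = {"ips": sorted(ips), "outside": outside}
    return flagged


def blackhole_networks(flagged, prefixlen=24):
    """Collapse the outside addresses of flagged accounts into /prefixlen blocks; each
    line of the result is ready for a cidr: access table entry such as '<net> REJECT'."""
    nets = set()
    for info in flagged.values():
        for ip in info["outside"]:
            nets.add(str(ip_network(f"{ip}/{prefixlen}", strict=False)))
    return sorted(nets)


if __name__ == "__main__":
    # Assumed: users are only expected from these two (documentation) networks.
    flagged = suspicious_users(SAMPLE_LOG, ["192.0.2.0/24", "198.51.100.0/24"])
    for user, info in flagged.items():
        print(f"{user}: {len(info['ips'])} addresses, outside expected space: {info['outside']}")
    for net in blackhole_networks(flagged):
        print(f"{net} REJECT")
```

Feed it the smtpd lines for the day an account was reported (grep for sasl_username= in the mail log); a user whose "outside" list is non-empty while all other logins come from your own ranges is the pattern Scott describes.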
Best practices for port setup
Hello. I am looking for clarification on RFC 5068 3.2 or any related/updated/replaced RFCs. Outside of those, general best practice ideas for moving forward would be appreciated.

In regards to AUTH on ports 25 and 587, I was under the impression we should be trying to migrate all clients to 587 for AUTH when in submission. Does this also mean best practice would be to close AUTH on 25 in order to more aggressively pursue this? What administrative pluses are there by doing so, if any. I would think at the least, being able to disable 25 when under attack but still allow users to submit would be one reason. Are there other benefits? Is there another RFC that addresses this? I'm being told that disabling AUTH on 25 would be in violation of the above RFC, though that is not how I read it.

In regards to opportunistic TLS, a quick telnet to 10 random MXs shows STARTTLS after ehlo in about 50% of the cases. Disabled AUTH was in 90%. Is there an RFC for opportunistic TLS? I'm running it now, but wonder what your experiences are. It's certainly nice to see a 50% use rate, but I worry I may have delivery problems. Is there general high reliability to this? Is there a way to disable opportunistic TLS coming from specific senders if I do run into problems?

I am looking to do the right thing moving forward, and want to be sure I am not implementing bad internal policy as a result of misunderstanding RFC and best practices for moving forward. Thank you postfixers.

-- Scott Iphone says hello.
Re: Should MX record name be same as hostname?
On Jul 14, 2009, at 12:06 PM, Tim Legg wrote: ;; ANSWER SECTION: timothylegg.com.9220IN MX 10 mail.timothylegg.com. My hostname is genex.timothylegg.com on my machine and my MX record points to mail.timothylegg.com I was wondering if the MX record should point to the same name as my hostname. Obviously, this isn't too big of a problem, since my mail works after all. I don't know if this something that I should have corrected or if is it standard as it is? The MX should point to an A record that resolves to the IP address that postfix listens on. I believe that is the only requirement. My postfix server will use the hostname of the ehlo/helo in a transaction, which is not the same as my MX, and has never caused me any trouble. I believe your setup is perfectly reasonable, and should work fine. -- Scott * If you contact me off list replace talklists@ with scott@ *
Re: TLS library problems
On Jul 10, 2009, at 4:42 PM, Sahil Tandon wrote: On Fri, 10 Jul 2009, Scott Haneda wrote: system.log:Jul 10 00:07:57 trex postfix/smtpd[45598]: warning: TLS library problem: 45598:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:571: Debug the proxy. What is it? Not Postfix, I'd guess. The proxy is ASSP. Not many people are doing TLS with this, I suspect it will be a challenge for me to pin down, since I know very little about crypto stuff with regard to TLS. -- Scott * If you contact me off list replace talklists@ with scott@ *
Re: TLS library problems
On Jul 11, 2009, at 6:40 PM, Barney Desmond wrote: 2009/7/11 Wietse Venema wie...@porcupine.org: system.log:Jul 10 00:07:57 trex postfix/smtpd[45598]: warning: TLS library problem: 45598:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:571: This is openssl's way of saying that the client sent garbage. To expand on that, I imagine it means the client tried to talk plaintext when Postfix was expecting crypto. Thanks for the estimation. Comparing a working transaction with one that does not work, shows no difference. The one part I need even more debug log data, only states start tls and then failure. I somehow need to get to the data that happens between those two log lines. It is good to finally know this is more than likely the proxy though. Can you clarify exactly how this is meant to work? You said you want MTA-to-MTA crypto, I assume in this particular case you mean Proxy-Postfix crypto. Depending on how much control you have over the configuration, you could use a dumb method like an stunnel pipe, or something smarter like STARTTLS in-band. I am trying to avoid stunnel, because this is supposed to be built into the proxy, and I have invested a lot of time into a package for the proxy. I have invested about as much time into testing and trying to debug this issue. My basic setup is Internet - proxy - postfix Where postfix is a working MTA that has worked for months on end as a rock solid MTA. The basics are, an email comes in on port 25, from anywhere, it could be the local machine or inbound from any host. Connect to port 25 on the proxy, which is then connected up to the remote postfix machine. STARTTLS is issued, and a secured connection from the proxy to postfix is made. The majority of the time, emails do make it, and are secured. Some times they do not. I have found some hosts that simply never make it, others that will make it in many hours time. 
I have found in 99% of the cases, a machine on the local subnet to the proxy, will fail, but can eventually deliver a few hours later. They just sit in that local machine's postfix queue and are tried later. This is a convenient way for me to test. For what it is worth, turning off STARTTLS on port 25 in postfix, and I am back to 100% reliability.

It sounds like you're trying to do the latter,

Correct.

but you say STARTTLS is issued. At that point, the proxy will either make the crypto connection, and deliver the mail off to postfix, or, it will drop the connection..

Dropped connection. What is more odd, is telnet proxy.example.com 25 then the ehlo, mail from, rcpt to, data dance works. Where it fails, is when I use `mail u...@example.com` on the command line. openssl client to the remote postfix, and the proxy, connect up fine as well. But maybe I just am not testing it enough to hit a failure.

Why should the proxy drop the connection? In any case, I think the proxy needs debugging.

I agree.

You might also try adding the proxy as a verbose peer in Postfix, it might make the client's mistakes quickly evident.

Doing a search on that turns up this very thread :) Can you point me to docs on verbose peer, as well as any other suggestion you may have now that you know a little more.

If there is a kind soul out there that knows this stuff well, and could ever allow me to point an MX at them, and add an account, so I could point the proxy to them, allowing a little help with debugging this, I would be most appreciative. Thanks Barney for the suggestions.

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: TLS library problems
On Jul 12, 2009, at 1:07 PM, Wietse Venema wrote: Scott Haneda: Thanks for the estimation. Comparing a working transaction with one that does not work, shows no difference. The one part I need even more debug log data, only states start tls and then failure. I somehow need to get to the data that happens between those two log lines.

OpenSSL does not like what the proxy sends. To find out where the proxy errs, you will need to go beyond logfiles, and look at the data that is actually sent over the wire. As Tsutomu once said, tcpdump is your friend (*).

Where is the best place to run tcpdump from, the proxy machine, or the postfix machine? Could you suggest a tcpdump command that would help me with this? I imagine, as long as tcpdump is instructed to send out something that is human readable, I can compare a packet dump of a working case, and a failing case, and look for the differences.

For example one mistake is to send STARTTLS in a network packet that also contains the first portion of the TLS handshake. The proxy should send STARTTLS, wait for a positive server reply, and then it should send the TLS handshake.

Thanks. Can you make any estimations as to why some sending servers have no issue, and others fail?

If you can't figure out what OpenSSL does not like about what the proxy sends, then you will have to find someone to do it for you. I won't.

Thanks for your help, I will not continue this thread since I now know that it has nothing to do with postfix. I will look to debug the proxy.

-- Scott * If you contact me off list replace talklists@ with scott@ *
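Wietse's description of the mistake (STARTTLS and the first TLS handshake bytes in the same packet, or generally anything that is not a TLS ClientHello arriving after the server's 220) is checkable once you have the wire data. The capture belongs on the Postfix machine, since that is where OpenSSL complains; something like `tcpdump -i any -s 0 -w smtp-proxy.pcap host PROXY_IP and port 25` (PROXY_IP is a placeholder) records the full payloads, and a tool such as Wireshark's "Follow TCP Stream" gives you each side's bytes in order. The following is an added example, not part of the thread or of any proxy's code: it takes that ordered sequence of client and server payloads and reports whether the client broke the STARTTLS rule, using three constructed conversations as input.

```python
TLS_HANDSHAKE = 0x16  # TLS record content type "handshake"; a ClientHello starts with it


def split_starttls(payload):
    """Split a client TCP payload at the STARTTLS command line.
    Returns (command_bytes_or_None, bytes_that_followed_in_the_same_segment)."""
    marker = b"STARTTLS\r\n"
    idx = payload.upper().find(marker)
    if idx < 0:
        return None, payload
    end = idx + len(marker)
    return payload[idx:end], payload[end:]


def looks_like_client_hello(data):
    """TLS record header: type 0x16 (handshake) followed by a 3.x protocol version."""
    return len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03


def check_starttls_sequence(segments):
    """segments: list of (direction, payload), direction 'C' (client->server) or
    'S' (server->client), in wire order. Returns a list of findings; an empty list
    means the client did it right: STARTTLS, wait for 220, then the handshake in a
    later segment."""
    findings = []
    state = "plain"
    for who, data in segments:
        if state == "plain" and who == "C":
            cmd, rest = split_starttls(data)
            if cmd is None:
                if looks_like_client_hello(data):
                    findings.append("TLS handshake sent before STARTTLS")
                continue
            state = "await-220"
            if rest:
                kind = "TLS handshake" if looks_like_client_hello(rest) else "plaintext"
                findings.append(f"{kind} pipelined in the same segment as STARTTLS")
        elif state == "await-220":
            if who == "S":
                if data.startswith(b"220"):
                    state = "tls"
                else:
                    findings.append("server declined STARTTLS: " + data.decode("ascii", "replace").strip())
                    state = "plain"
            else:
                findings.append("client sent data before the server's 220 reply")
        elif state == "tls" and who == "C":
            if not looks_like_client_hello(data):
                findings.append("non-TLS bytes sent after 220; OpenSSL reports 'unknown protocol'")
            break  # everything after this point is inside TLS
    return findings


# Constructed conversations (not real captures). HELLO is a minimal TLS 1.0 record header
# followed by padding, enough to be recognised as a ClientHello by the check above.
HELLO = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x01" + b"\x00" * 38
GOOD = [
    ("C", b"EHLO proxy.example.net\r\n"),
    ("S", b"250-mx.example.com\r\n250 STARTTLS\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 2.0.0 Ready to start TLS\r\n"),
    ("C", HELLO),
]
PIPELINED = [
    ("C", b"STARTTLS\r\n" + HELLO),           # the mistake Wietse describes
    ("S", b"220 2.0.0 Ready to start TLS\r\n"),
]
PLAINTEXT_AFTER = [
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 2.0.0 Ready to start TLS\r\n"),
    ("C", b"EHLO proxy.example.net\r\n"),    # talks SMTP where TLS is expected
]

if __name__ == "__main__":
    for name, conv in (("good", GOOD), ("pipelined", PIPELINED), ("plaintext-after-220", PLAINTEXT_AFTER)):
        print(name, "->", check_starttls_sequence(conv) or "ok")
```

Run it on a failing and a working stream side by side; a first client segment whose bytes after STARTTLS start with 0x16 0x03, or a plain EHLO after the 220, pins the problem on the proxy rather than on Postfix.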
Re: Allow a group of unauthenticated senders
On Jul 10, 2009, at 10:49 PM, priscilla prisci...@bheltry.co.in wrote: In domain x.com i want to authenticate all users who need to send mail. For some users alone (i will specify them in a separate text file) i don't want to authenticate the sender. For example a...@x.com should provide a password for sending mail. Whereas b...@x.com need not provide a password for sending mail.

Unless b...@x.com is restricted by some means, this could be dangerous. If the restriction is for example that they be allowed to send with no pass and/or auth, but must be within the local subnet, it becomes more safe. Restriction by ip address would be another. Though both are dangerous in my opinion. With no restrictions I believe each address will be a ticking time bomb, eventually to be discovered by spammers and their scanning and attacking tools.

I'm curious what your reasons are for wanting to do this.

-- Scott Iphone says hello.
TLS library problems
Hello, I am seeing a lot of these in my syslog logs. I am not sure what they mean, google did not yield a lot other than people calling out an incorrectly named cert/key

system.log:Jul 10 00:07:57 trex postfix/smtpd[45598]: warning: TLS library problem: 45598:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:571:

The reason I am looking, is I am having trouble with a proxy that will sit in front of postfix. The basic workflow for the one domain I am testing the proxy in:

Internet - Proxy - Postfix

Proxy is geographically separate from postfix, not same subnet. I would like MTA to MTA crypto. Sometimes it works, and mail is delivered, and other times it is not. An email will hit the proxy on port 25, which will talk to postfix also on port 25. STARTTLS is issued. At that point, the proxy will either make the crypto connection, and deliver the mail off to postfix, or, it will drop the connection.

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Strategies to Prevent Abuse in Bulk-Mailing?
On Jul 8, 2009, at 10:00 PM, ram wrote: On Wed, 2009-07-08 at 19:10 +0200, Ignacio Garcia wrote: Hi guys. I've been googling around looking for info on this without much success. Here we are: Some of my customers insist on sending bulk-email from their web php sites (you know, bulletins and such). My worst nightmare would be having our servers listed in any RBL list because of this. How do you guys deal with customers sending bulk-mail? Are there any rules in postfix to prevent it, maybe even delaying them in the queue? Thanks,

This may be OT here. Outgoing spam scanning is a very good option. Unlike incoming, here you don't have to catch all the spam. Just one spam caught, and you know who is the culprit. What I do is to reduce the scanning: I only scan messages sent to russia, china, taiwan etc. (based on domain tlds). Since legitimate traffic from my servers to these are much smaller they usually catch a lot of spam, with very little penalty of scanning. This works for me because most outbreaks are due to weak passwords or some virus. Of course YMMV. One more thing you must do is monitor abuse complaints. Create Feedback loops with aol, yahoo etc. (Unfortunately gmail doesn't seem to have one). Anyway you really don't have to worry too much. No one blacklists you because of just one or two spams inadvertently relayed thru your network. You just have to bother about customers who deliberately spam, we have had very bad experiences and since then we have been insisting on getting a bullet-proof TOS signed.

You nailed it. You will get on a BL, nothing you can do about it. But if you are on the feedback loops, and most all BL's send you an email, so make sure you can get mail to abuse@ and postmaster@, and check those. As long as you follow through with the email reports, you will be able to give your customer one warning, and on the second time, you kick them off your server.
-- Scott * If you contact me off list replace talklists@ with scott@ *
Postfix and AUTH
Hello, I have been looking into this for the better part of today. I am using a proxy in front of postfix. In order to be able to AUTH a user through the proxy, the proxy needs the 250-AUTH credentials to show up. I discovered that mynetworks disables this for those hosts listed in mynetworks. I can of course, remove my local range from the mynetworks, but then local machines need to AUTH to send email through. Not all the systems have this ability. I have tested this with telnet, and the 250-AUTH will show up if I remove my range from mynetworks. Is there any way to get postfix to always show 250-AUTH? Am I approaching this entirely wrong? I could dedicate an IP to the proxy, and then enter in all the other IP's into mynetworks, which of course would work and solve this, but I thought I would ask the preferred method here. Thanks. -- Scott * If you contact me off list replace talklists@ with scott@ *
Version 2.5.5
I have a test server about ready to become a live server, version 2.5.5. Is it correct that prior to the 2.6 release, that 2.5.7 would be the latest I want to run? I see http://www.postfix.org/announcements/postfix-2.5.7.html shows what I would call minor issues for the 2.5.7 release set. I can not find out what happened between 2.5.5 and 2.5.7.

If the advice is there are no security issues, I may be inclined to stick with my working 2.5.5, if there are security issues, I would rather go through the trouble of updating now, before I am live and have to enable a staging server to test builds. What would postfix users recommend in this case? Thanks everyone

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Version 2.5.5
On May 23, 2009, at 5:10 PM, Wietse Venema wrote: Scott Haneda: I have a test server about ready to become a live server, version 2.5.5. Is it correct that prior to the 2.6 release, that 2.5.7 would be the latest I want to run?

Unlike other products, you are not expected to stop using Postfix version X when Postfix version X+1 is released. Postfix 2.5.7 has defect fixes back-ported from Postfix 2.6.0. Postfix 2.6.0 introduces new features, new incompatibilities, and opportunities for new defects. Use Postfix 2.6 if you need the new features, otherwise use Postfix 2.5. The same applies for the earlier releases for which fixes are still being released: Postfix 2.3 and Postfix 2.4. Of course it will be harder to answer questions about older versions.

Thank you Wietse. One point of clarification please. If 2.5.7 has defect back ports from 2.6, then that equates to new features brought into 2.5.7? I am not looking to gain any new features, I am very happy with my current feature set, excellent results so far. I only want to make sure that comparing 2.2.5 to 2.5.7 has no security implications. Feature wise, I am more than happy. Thank you

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Sent Mail Shows FQDN in Email Address
On May 18, 2009, at 8:08 PM, LuKreme wrote: On 17-May-2009, at 19:44, Carlos Williams wrote: u...@mail.myserver.com myserver.com is a real domain name. Is it YOUR domain name? Somehow I doubt it.

Thank you for pointing this out. I feel bad for anyone at domain, company, foo, bar, foobar .com etc at least once a day.

Use example.com, example.net, example.org, etc. Or use an impossible name like mydomain.tld, foobar.tld, etc. when obfuscating. Oh, and obfuscating on this list is generally a waste of time and makes it harder for people to help you.

Glad you brought this up, often times I am using example.com and then ns.example.com and imap.example.com and want to refer to something else outside of example.com. I am pretty sure there is even an RFC that states to use example.com. However, when you want to show a two sided problem, you need another, using second.tld is a nice way to do that, so thanks. It would be interesting to see some data on 208.77.188.166 (example.com A record) to see just what type of traffic they do get.

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Sent Mail Shows FQDN in Email Address
On May 18, 2009, at 9:15 PM, LuKreme wrote: On 18-May-2009, at 21:47, Scott Haneda wrote: Glad you brought this up, often times I am using example.com and then ns.example.com and imap.example.com and want to refer to something else outside of example.com. At least example.net and example.org in addition to example.com, so you can easily show a three domain interaction. Yes, thanks again. I just read 2606, I was not aware .org and .net were also available and treated the same way. -- Scott * If you contact me off list replace talklists@ with scott@ *
Options for immediate email address activation in postfix.
A client of mine has a web service where a simple web page can be made via a browser to create an identity for them online. Build a page with web tools, toggle a setting to add DNS records, update the registrar to point to the NS's, and they have a live webpage in short order.

They want to be able to allow an info@ email address that will only forward to some other account. There is no need for pop/imap login, i...@example.com will simply forward to users-des...@theiremail.com

Any suggestions on the simplest way to approach this. I was thinking postfix with MySql backed data store. Today I read that RHEL is behind on postfix, and I think does not have MySql support in their rpm's. I have zero access to a staging server.

If this turns into a high volume site, would file based aliases fall apart after a certain amount? I also see maintaining an alias mapping via a file managed by a web service to be prone to error. If anything I would store the mappings in a database, and write them out clean on schedule. What are the upper limits of how many forwards I should feel comfortable maintaining as a local file? Any other suggestions on methodology?

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Options for immediate email address activation in postfix.
On May 14, 2009, at 6:07 PM, Barney Desmond wrote: If this turns into a high volume site, would file based aliases fall apart after a certain amount? I also see maintaining an alias mapping via a file managed by a web service to be prone to error. If anything I would store the mappings in a database, and write them out clean on schedule. What are the upper limits of how many forwards I should feel comfortable maintaining as a local file?

With enough sanity checks you can manage an alias file with scripts (run via web frontend), but it's not much fun. I believe (redhat) default hash-maps perform and scale quite nicely. CDB maps are said to scale even better, and I think numbers quoted on this list previously say... 1 million is no problem for CDB?

Thank you very much, I do not think a million will be hit for some time. Is there any penalty when you run postmap to read in the changes to the virtual_alias_maps file? I know it is not a server restart, and can happen without interruption of service, though I wonder what happens when you issue a postmap on a million line file. Thanks.

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Relocated Users
On May 13, 2009, at 10:40 AM, Fabio Viero wrote: I need to do something like this: Someone sends an e-mail to u...@domain.com Someone gets a reply from postfix saying User has moved to newu...@newdomain.com I need postfix to STILL deliver the message to u...@domain.com (which doesn't happen) I tried using relocated with virtual aliases, transport with virtual aliases but neither worked (or were not correctly configured). I can send the reply informing that the user has moved, but cannot make postfix still deliver the original message. I want this because the users had not actually moved yet, it's going to be a gradual process.

I may be totally wrong on this, but how about an auto-reply? You would have u...@domain.com auto reply for the time being with the message you desire. http://www.postfix.org/VIRTUAL_README.html#autoreplies This will allow email to deliver as usual to u...@domain.com. I would also configure u...@domain.com to pass messages off from that account to the newu...@newdomain.com account. This is how I would approach it, though I am not sure how to configure it, the docs at the link above seem a good starting point.

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Relocated Users
On May 13, 2009, at 1:08 PM, Randy wrote: You can still do an auto-reply using scripts. Hand off the user's message, then send it to the new location. I used smtpd_recipient_restrictions and created a list. I then passed this on to the autoresponder once a user/input validation script did a few checks. After this, the script sends it on its merry way.

While we are on the subject of autoreplies, there is not a lot of data here: http://www.postfix.org/VIRTUAL_README.html#autoreplies I did some brief searching, perhaps I am not using the correct terminology...

With auto-reply, what is the preferred method most are using for allowing end user configuration of the enabling, disabling, and message. Are there any solutions that give end user control over the time window in which it is active? What are my options in regards to not replying to the same address more than once during the time window in which the auto reply message has been set? Thanks for any info or links to other docs I am missing.

-- Scott * If you contact me off list replace talklists@ with scott@ *
Re: Relocated Users
On May 13, 2009, at 2:14 PM, mouss wrote: Thanks for any info or links to other docs I am missing.

There are problems with auto-responders: - first, there is the backscatter problem (sending the reply to a forged address...). - second, most auto-responders are broken, in so many ways. so at this time, the answer is: don't use a responder unless you are willing to invest in setting up a good one.

some basic rules:
- filter spam and only respond if spamicity is reasonably low (for example, with a correctly configured spamassassin setup, don't respond if spam level is >= 3 [this is an example: 3 is arbitrary here]). the idea is to detect as much spam as you can, so that responses to spam are rare.
- never respond to addresses found in headers. if a response is to be sent, send it to the original envelope sender. This is unfortunately often missed.
- do not respond to automatically submitted or resent mail. This includes mail from mailing-lists.
- the auto-response should contain enough info (reason for the auto-response, original headers). it is a good idea to include a short English text if you use another language.
- unless you know why, the auto-response shouldn't contain the original body. the rationale is to avoid resending spam. I often see auto-replies containing viruses. This is irresponsible.

See RFC 3834 for more info.

Thanks. I have to have them, my users will demand them. If I want to keep the users, there needs to be auto reply in place. I am glad you brought up RFC 3834, specifically I need to support section 2 in its entirety. Ideally, I want to support all the MUST aspects of that rfc, and any of the parts that are of may and lead to a better system, I want to support those as well. So If I am getting this correct, auto-reply is not something native to postfix other than in a very basic form, and I should look to 3rd party solutions that have matured? Thank you

-- Scott * If you contact me off list replace talklists@ with scott@ *
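mouss's rules and the once-per-window question from the earlier message boil down to a small decision function plus a reply builder. The following is an added example written for this thread, not code from Postfix or from any existing autoresponder: it refuses to reply to a null envelope sender, to anything carrying an Auto-Submitted value other than "no" (the RFC 3834 section 2 requirement), to list, bulk or resent mail, to messages whose spam score is at or above the arbitrary threshold of 3, and to a sender it already answered within the window; the reply goes only to the envelope sender, is itself marked Auto-Submitted: auto-replied, carries the original headers but never the original body, and is handed back with an empty envelope sender so a bouncing reply cannot start a loop. The header names for the spam score, the window length and the sample messages are assumptions.

```python
from email import message_from_string
from email.message import EmailMessage

SPAM_THRESHOLD = 3.0             # arbitrary, as in the thread
RESPONSE_WINDOW = 7 * 24 * 3600  # reply to a given sender at most once per week (assumed)


def spam_score(msg):
    """SpamAssassin-style 'X-Spam-Score:' header (assumed name); absent or unparsable counts as 0."""
    raw = msg.get("X-Spam-Score")
    try:
        return float(raw) if raw is not None else 0.0
    except ValueError:
        return 0.0


def should_autoreply(envelope_sender, msg, replied_at, now):
    """Decide whether to send an auto-reply. envelope_sender is the SMTP MAIL FROM
    address (never a header address); replied_at maps lowercased senders to the
    time of the last reply; now is a unix timestamp. Returns (decision, reason)."""
    if envelope_sender.strip("<>") == "":
        return False, "null envelope sender (bounce or other automatic mail)"
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in ("list", "bulk", "junk"):
        return False, f"Precedence: {precedence}"
    for header in ("List-Id", "List-Unsubscribe", "Resent-From"):
        if msg.get(header):
            return False, f"{header} present (mailing-list or resent mail)"
    if spam_score(msg) >= SPAM_THRESHOLD:
        return False, f"spam score {spam_score(msg)} >= {SPAM_THRESHOLD}"
    last = replied_at.get(envelope_sender.lower())
    if last is not None and now - last < RESPONSE_WINDOW:
        return False, "already replied to this sender within the window"
    return True, "ok"


def build_autoreply(envelope_sender, original, my_address, text):
    """Build the response: addressed to the envelope sender, marked as automatic,
    quoting the original headers but never the original body. Returns
    (envelope_from, message); the empty envelope_from keeps a bouncing reply
    from starting a loop."""
    reply = EmailMessage()
    reply["From"] = my_address
    reply["To"] = envelope_sender
    reply["Subject"] = "Auto: " + (original.get("Subject") or "(no subject)")
    reply["Auto-Submitted"] = "auto-replied"
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
    headers = "\n".join(f"{k}: {v}" for k, v in original.items())
    reply.set_content(f"{text}\n\n-- headers of the message this replies to --\n{headers}")
    return "", reply


# Constructed sample messages (not from the original thread).
NORMAL = message_from_string(
    "From: Alice <alice@example.net>\nTo: user@example.com\nSubject: lunch?\n"
    "Message-ID: <1@example.net>\nX-Spam-Score: 0.4\n\nAre you in?\n")
LISTMAIL = message_from_string(
    "From: list-bounces@example.org\nTo: user@example.com\nPrecedence: list\n"
    "List-Id: <talk.example.org>\nSubject: [talk] digest\n\n...\n")
SPAMMY = message_from_string(
    "From: Alice <alice@example.net>\nTo: user@example.com\nSubject: win\n"
    "X-Spam-Score: 7.9\n\nclick here\n")

if __name__ == "__main__":
    replied_at = {}
    for label, sender, msg in (("normal", "alice@example.net", NORMAL),
                               ("list", "list-bounces@example.org", LISTMAIL),
                               ("spammy", "alice@example.net", SPAMMY),
                               ("bounce", "<>", NORMAL)):
        print(label, should_autoreply(sender, msg, replied_at, now=1000))
    env_from, reply = build_autoreply("alice@example.net", NORMAL, "user@example.com", "Away until Monday.")
    print(repr(env_from), reply["To"], reply["Auto-Submitted"])
```

Whatever delivers the reply must be given the envelope sender from the SMTP transaction (for a pipe-based responder Postfix passes it through the ${sender} expansion in master.cf), not the From: header, or the backscatter rule is lost before the code runs.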
Re: Newb question about too many sent mail
On May 6, 2009, at 12:10 AM, Philippe Le Gal wrote:

> I'm a newbie to Postfix. My Postfix server is functional but the stats (mailgraph) show a lot of sent messages. Example for yesterday:
> Received messages: 2818
> Sent messages: 2766
> I don't think that the users of the mail server sent so many mails yesterday... I suppose that I have a problem with the configuration, and that Postfix sends too many notifications for rejected mail.

You need to check your mail logs for that date range, and see how many messages really were sent. Once you know that number, you can look to see if it is in mailgraph, rrdtool, or perhaps your users did in fact send that many emails.
--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: question on permit_sasl_authenticated and check_sender_access
On May 5, 2009, at 12:57 AM, Gaël Lams wrote:

> What seems to happen is that some providers transparently send emails through their own SMTP server instead of allowing our users to use the configured SMTP server. The check_sender_access check is after permit_sasl_authenticated with the idea that the request would be permitted when the client is successfully authenticated, thinking that it would do the trick (after all, the user submits a username and a password which are correct) but still the email is blocked by the check_sender_access control.

I believe you need to move your users to the alternate submission port. The normal widely used port for this is 587. Some people will lock down port 587 to only allow authenticated and encrypted connections. Others will allow no crypto, but mandate authentication.

You cannot trust any connection your road warriors or even desktop users are on. Most ISPs I have had to deal with block port 25; many hotels and hotspots will blindly intercept port 25 and route it through their machines. You have no idea what they do with that traffic; they could relay it on, or they could be storing and relaying, or flat out intercepting for nefarious means.

Switch your users to port 587, assuming you have set up the submission port in master.cf, and you should be good to go. I suggest enabling TLS as well.
--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: Postfix Setup
On May 5, 2009, at 12:58 PM, Aaron Wolfe wrote:

> I fully believe that the experts on this list have good intentions and I appreciate the time they spend helping us. However, this scenario has happened quite a few times.. A new user asks questions that are vague or easily answered by the docs, etc and then (justified or not) gets offended by the responses. Is there any interest in creating a postfix-noobs (or postfix-lusers :) list where all questions, especially these types, are allowed and those who care to offer assistance can do so? A kinder, gentler list of sorts that the real experts here can simply ignore?

I would not go the road of list fragmentation for a beginners list. You end up with a list that beginners go to, but the only way for them to get answers is if experts are in that list. With a list of that nature, questions of "How do I set up postfix" will be far too many.

I myself have only recently come to this list. I am a beginner, and I came with some trepidation. I learned I need not have, but there is a certain way to do things. Every list is a little different; if you have not posted to a list before, you *must* lurk a while, and get a feel. At the very least, you *must* read some of the archives. Put your question into search, see what comes up.

The help I got was on the order of what I would consider better than any paid-for consulting support I have received, and I got it for no cost. I am massively grateful for this, and if I have to do a little due diligence to get that, I take no issue with that at all.

The issue the OP had, and I saw it the second I read the OP's first post, is that my assumption was that the question was not possible to answer. In order for it to be answered, the list people would have to ask questions, just to get to a point where they could answer questions. Mailing lists are for getting answers; list users are not apt to coax questions out of posters.

If a question comes up and a link to the docs is given, that is a gentle suggestion to dive in, start setting things up, and report back with your first stumbling block. Then your reply will not be a link to the docs, but to a specific *section* within the docs. Solve that issue, move on to the next, rinse and repeat until you are done. I have been given links to sub sections of docs; I give it a shot, if it makes sense, I move on, if not, I re-read the section multiple times, hit up Google, and do all I can to make sure I cannot find alternate ways to answer the question on my own. If I can, I try to come back and report success and where I got stuck, so perhaps some other person reading the archives will be helped later on.

Email servers in general are a complicated thing; postfix is one part of the puzzle, you still need a POP/IMAP server, spam filtering, filter rules, greylisting setup, and the list goes on and on. I can certainly see why.

> I wish to use my Postfix system (v2.1.5) to accept mail for, and relay mail to another MTA. How do I go about doing this?

Pointing the user to:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
in reality is about as good as it is going to get. The guidelines state to post postconf -n output; that alone is helpful. The OP's question lacked far too many details; any answer had a high chance of being a waste of the list members' time. We need to know current config, current workflow, why the OP wants to do this, perhaps a config change would render the need moot, etc.

I always look at mailing lists as if I am asking someone to help me move because they have a truck. To a degree, I am burdening them, and try my best to make it as simple on them as possible. I apply that same line of thought to mailing lists. New mailing list users need to read the guidelines/FAQ, lurk a while, and see how things work.

My two cents.
--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: Suggestions on submission port config
On May 1, 2009, at 7:19 AM, Jorey Bump wrote:

> Scott Haneda wrote, at 04/30/2009 10:11 PM:
>
>> What happens is, under heavy MTA load on port 25, I will run out of connection slots on port 25.
>
> Have you investigated the nature of this problem?

Thoroughly. My current email server lacks control; it is only recently we have even been given greylisting. Moving users to port 587 largely solved it, but issues still remain. It is just time for me to move on. I am at the whim of the developer; this is not a config file driven email server. Even mention of SPF on his mail list gets you told to not talk about it. It is not an option, and while I personally do not intend to use SPF, I want options, which postfix has in abundance.

To be honest, I have received more education and support from you and a few other people on this list in a few days than in the 10 years of using something else. I do thank you all again, as well as those who make postfix what it is.

>> By moving users to 587, I do not care about port 25 connection slots. MTAs will try again later if busy.
>
> You might be chasing a red herring. If your server is overloaded, there is a reason why, and there may be more effective remediation techniques available. Improving your submission service is good, but it might not deliver the performance payoff you're expecting.

You nailed it, there are indeed many more techniques for dealing with my issues. Manually scanning logs and putting IP ranges into a local DNS blacklist and manually creating rules that are not flexible in how they can match patterns is what hinders me for the most part.

>> What do you guys think? My end goal here is to get this all working, and then change these ports to, for example, 25 - 2525 and 587 - 587587 unless there is some other convention. I am going to put an anti spam proxy in front of all this.
>
> If you still have a heavy load, consider separating your MX entirely from submission, using separate instances/machines. It's generally easier to move the MX, since MUA configurations don't care about it.

I have had this as an option from the beginning of setup. I was given a large enough IP allocation that I tend to give up an IP for each service, and create DNS records pointing to each IP. If I ever need to, for example, move SMTP 587 to its own machine, it is as simple as just setting up the software, removing the old IP from the old machine, and putting it into the new machine. I will use this when I migrate as well; not having to fiddle with DNS TTLs and some other ISPs that seem to cache DNS and not honor TTLs then becomes a non issue.

>> I just do not want to add too much to my learning curve, so first, get postfix to where I understand it, then toggle the ports and put the proxy in. It should blindly pass the traffic, I assume in much the same way stunnel does. I am open to any and all advice on this matter to make this work best.
>>
>> I have a feeling later on down the road I will need to learn exactly what things to disable in postfix, as it should not do any bouncing at all, anything that will lead to backscatter, since I am putting a proxy ahead of it.
>
> FWIW, a poorly implemented proxy can do more harm than good. A lot of sites just toss them in, and don't pay attention to finer details like DNS settings and recipient validation.

I have spent the past few years looking at them and reading about them, starting with the hardware driven devices like Barracuda. My main reason for not deploying as of yet was that the only way to get user validation on my server was LDAP, which I could not ever get to work reliably. Maintaining a text file of users was an option, but at minutes to dump a list of users via AppleScript from the email server, I did not like that option. I am settling in on ASSP, which seems to solve my needs, and provide everything I need. If it turns out I do not like it, the nice thing about a proxy is, you just turn it off, a quick change of port listeners in postfix, and I should be back up and running.

>>> # server TLS parameters
>>> smtpd_tls_key_file = /etc/ssl/yoshino.meidokon.net_key
>>> smtpd_tls_cert_file = /etc/ssl/yoshino.meidokon.net_crt
>>> smtpd_tls_auth_only = yes -- as mentioned, user can only auth on a secure connection
>>> smtpd_tls_loglevel = 1
>>> smtpd_tls_received_header = yes
>>
>> You have the two cert, ahhh, smtp*d*. Ok, I think I get it, that is for MUA traffic, and you present them a cert authorization when they are auth'ing. So I can even use the current certs I have in place now?
>
> These are for all client connections that use STARTTLS, not just MUAs. The difference is that MTAs typically don't quit if they can't verify the cert (check it against a root certificate store), so using a self-signed cert is adequate. It is increasingly harder to support MUAs with noncommercial certs, however. You can get basic ones fairly cheaply, so I recommend it to avoid annoying
Re: Suggestions on submission port config
Barney (and Jorey), thanks so much for your help in understanding this; moving to postfix is something I have needed to do for some time, glad to finally get down to it. I had to step away for a few days and get some other work done, but made some good progress last night. I have some more clarifications though, if you do not mind.

On Apr 24, 2009, at 9:35 PM, Barney Desmond wrote:

> 2009/4/25 Scott Haneda <talkli...@newgeo.com>:
>
>> If you do not like a lack of TLS enforcement on the submission port what do
>
> [snip... on SSL/TLS methods]
>
>> think most are on 587 as a result of most ISP's filtering 25.
>
> There's a few distinct concepts here:
>
> [snip... Explanation of SSL/TLS]

I am hesitant to detract and add more to this, but here goes. My current email server does not support SSL/TLS. I have

250-AUTH CRAM-MD5 DIGEST-MD5 NTLM PLAIN LOGIN

(Does the order of my methods matter?) I do have some auth methods in regards to the user/pass, but from what I understand, the data is always in the clear. My current setup is *mostly* MTA to MTA on port 25; there are a handful of users whose ISPs have not filtered 25, so those users are still on port 25. I can force auth on 25, but with no way of testing that before toggling the setting, I am not anxious to do so. tcpdump would be the only way, and a little too much of a pain to deal with.

The reason I want to force all users to 587, and allow auth and crypto on 587, and not mandate crypto exclusively, is that is how 99% of my users are set now: 587 using MD5 challenge-response. This has been done at the suggestion of the developer of my current server. What happens is, under heavy MTA load on port 25, I will run out of connection slots on port 25. By moving users to 587, I do not care about port 25 connection slots. MTAs will try again later if busy. What I do not want is MUA users getting a server busy response on port 25 just because mail volume is high that day.

The general suggested idea from the developer of my mail server is to move all users to port 587, and only have MTA mail on port 25. Hopefully this issue of running out of connections is not much of an issue in postfix.

I also have a setting of limit x connections from same host. If I have an office of users, logging in over a LAN, where their public IP is a fixed IP, and they all have private IPs, my current mail server sees them all as many connections from the same IP, and they get too many simultaneous connections errors. (How does postfix deal with this?) Because of this, I cannot limit connections from same host on port 25 to a reasonable number to slow dictionary attacks and the like, as the office of 100 employees is going to hit a wall really soon. By moving them to 587, I have more control.

Maybe I am just jaded in how my old email server forced me down a path, and I should not worry about this, and allow 25 and 587 to behave identically, with one exception in that 587 would explicitly disallow any non authenticated connections. I think I can force auth and crypto on 587 and not hassle my MUA users one bit; then allow auth no crypto on 25, and also open it to non auth non crypto for MTA chatting. Not sure if that is possible, to allow non auth MTA mail on 25, but also tell MUA clients they must, at minimum, auth.

What do you guys think? My end goal here is to get this all working, and then change these ports to, for example, 25 - 2525 and 587 - 587587 unless there is some other convention. I am going to put an anti spam proxy in front of all this. I just do not want to add too much to my learning curve, so first, get postfix to where I understand it, then toggle the ports and put the proxy in. It should blindly pass the traffic, I assume in much the same way stunnel does. I am open to any and all advice on this matter to make this work best.

I have a feeling later on down the road I will need to learn exactly what things to disable in postfix, as it should not do any bouncing at all, anything that will lead to backscatter, since I am putting a proxy ahead of it.

> 2. The alternative is to wrap everything in a crypto pipe - this is SSL or TLS. Once the whole session is encrypted we don't care how authentication happens, as confidentiality is provided externally.
>
> It's obvious that there's a 2x2 matrix of auth+crypto options here. If you're trying to be very flexible then you're probably interested in stopping the one possibility that could leak passwords - no-crypto while using insecure auth.

Correct. I was actually not aware that something like password, md5-* etc was even a legitimate way of protecting yourself. I understand the data channel is plain text, but with the user and pass being hashed in some way, I had assumed it would be trivial to crack, something akin to base64. Good to know it is a lot more than that.

> I'm happy for mail clients to select
Re: Suggestions on submission port config
Jorey, thanks for your email also. Sorry for the delay, but you and Barney have been hugely instrumental in getting me on track with this.

On Apr 24, 2009, at 9:43 PM, Jorey Bump wrote:

> Scott Haneda wrote, at 04/24/2009 07:41 PM:
>
>> Thanks for this, this is getting me on track, comments interspersed below...
>>
>> On Apr 24, 2009, at 6:51 AM, Jorey Bump wrote:
>>
>>> Scott Haneda wrote, at 04/24/2009 07:58 AM:
>>>
>>>> For port 587 submission, I want to offer SSL, TLS, and non encrypted to cover the users who will not want to change their settings.
>>>
>>> Use:
>>>   -o smtpd_tls_security_level=may
>>>   -o smtpd_tls_auth_only=no
>>>
>>> I think it's normally a bad idea not to enforce TLS on the submission port, but if you're using a secure mechanism and want to prevent weaker ones, add:
>>>   -o smtpd_sasl_security_options=noanonymous,noplaintext
>>>   -o smtpd_sasl_tls_security_options=noanonymous
>>
>> If you do not like a lack of TLS enforcement on the submission port, what do you suggest for users who just do not care enough to use any TLS?
>
> I suggest they use it if they want to send mail. :)
>
> Since one of the purposes of the submission port is to support road warriors, I feel it should be as secure as possible and the entire communication should be encrypted.

I am in a bad spot in this regard, because of some of the faults of my current email server. It is pushed a bit to move users to 587, but the server does not support SSL/TLS. It would be very hard for me to get them all to change their settings to use SSL/TLS. I would love to make 587 the default secure port; I just do not think I can put my users in that situation. If postfix can log in a way that I can tell what is going on, then over time I can make a call a day, and convert people over to TLS, and eventually I will flip this switch.

>> You let them work on port 25?
>
> In some cases, I allow the use of a secure mechanism without TLS on port 25. This protects the login, but not the message contents. I don't allow unencrypted plaintext logins.

I am leaning back on this idea again. I have to hash that out from the standpoint of a proxy. I just do not know if I gain anything by putting all user MUA traffic on a non port 25 port. I know the proxy tries to learn from users sending emails, and whitelist the recipients; I do not know if that learning is port bound or not.

>> Glad you brought up webmail. I am going to use Roundcube, on the same machine, worst case, on a close machine, in the same subnet. Since I have the mynetworks setting set to allow mail, all should be ok? I do not want to deal with AUTH for SMTP in webmail, it is going to be local to local, I see no point in securing that part. Is that correct?
>
> It's up to you. I use SMTP AUTH for webmail, partly because it provides better logging for troubleshooting.

Good point. What webmail are you using? Does it globally SMTP AUTH via a config file and an SMTP account, or is each user login its own SMTP AUTH case, which is where you are picking up the logging data specific to the sender under that specific account?

>> I am confused about your comments about 465. Reading it makes me think that 465 is sort of a last resort option. I am not understanding the difference between SSL and TLS. If I was setting up an email client, and could use TLS versus SSL, my logic would be to use SSL, it seems the better option, but I do not know why. Are you saying SSL email is the lesser of the options, and I should use TLS when I can?
>
> I'm saying that smtps (wrapper mode on port 465) is deprecated in favor of STARTTLS on ports 25 or 587.

Good to know. For some reason, SSL sounds the better way to go in my head, and in the heads of a lot of people I talk to. Strange, because when I think about it, how it sends out a STARTTLS, and moves on from there, that seems a better policy, less prone to problems as well.

>> Do you know how this relates to Apple Mail? There is no setting in the SMTP section to opt for SSL versus TLS? Use SSL is the only checkbox there is. I take it if you do not select that, it will use TLS if it can, but do so in an invisible way?
>
> Default autoconfiguration appears to use ports 25, 465, 587 and SSL if detected. The server I tested supports all of these and the mechanism list is PLAIN LOGIN CRAM-MD5 DIGEST-MD5. After autoconfiguration, Apple Mail used STARTTLS and the PLAIN mechanism on port 25 to send a message.

Are there good reasons to support PLAIN and LOGIN and PASSWORD? I have told all our users to use MD5 Challenge Response. Maybe I would aid Apple Mail in figuring out which to pick; it seems to always fall back on PASSWORD iirc. Perhaps other desktop clients do not support md5 mechanisms.

> I assume it follows an algorithm to determine a fallback strategy for trying the other ports if its first choice is not available. Although I would have preferred it start with port 587, the choice it made
Re: delivery temporarily suspended !
On Apr 29, 2009, at 1:31 AM, Nasser Heidari wrote:

> Hi, This is Nasser. I'm running postfix-2.5.5,1 on FreeBSD 7.1-STABLE. Today I took a look at my graphs and saw there are about 1500 emails in the queue. Then I ran mailq on the server and saw lots of messages like this:
>
> (delivery temporarily suspended: lost connection with mail.xyz.ab[1.2.3.4] while receiving the initial server greeting)
>
> What does "lost connection with ... while receiving the initial server greeting" mean? Is it related to my configuration?

I think it is nearly impossible to tell unless we know the hostname/IP. It could be the remote server is down, and will come up soon; it could be an odd router in between, or it could be your config, or your DNS. It could be any number of things. You do not have to give up the email address, just the host you are trying to talk to, which is public in nature, at least in most cases.
--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: how to detect spam attacks
I'm not sure if you can on your hardware, but some of my most effective countermeasures are ehlo/helo checking for a hostname that does not contain a "." (this can cause a very small amount of false positives, so please do check your logs first). Second is greylisting. Third is checking if the ehlo/helo IP is in my range of IPs.

Sorry about the top post, I'm on a mobile that does not give a lot of flexibility in that regard.
--
Scott
iPhone says hello.

On Apr 26, 2009, at 3:19 PM, deconya <elmailperso...@gmail.com> wrote:

> Hi list
>
> I'm with the next problem: I have an old server and I'm in the process of migrating to a better machine, but actually I'm having spam attacks on the server that saturate it. Because of the age of the server, and because in two weeks it is replaced, I can't install any program like spamity or similar to help detect spam attacks, but I need to understand the mail.log to deduce the IPs where the attacks come from and stop them. Can anyone help me with what clues can help me deduce these IPs? Actually I'm using blacklists but they don't detect these attacks. Any other option to create statistics using external programs?
>
> Thanks
> Best regards
private/anvil errors
Still working on getting postfix and dovecot playing nice; the current issue I am trying to understand and solve is this error:

Apr 24 02:14:58 catalyst postfix/smtpd[358]: private/anvil: wanted attribute: status

I have 123 log lines of that; they vary somewhat:

wanted attribute: count
wanted attribute: rate
wanted attribute: (list terminator)
wanted attribute: status

Those seem to be the bulk of the log lines. What is this error in regards to, and any ideas on how to solve it? This is a PPC Dual 2.0GHz machine, running Mac OS X 10.5.

$ postconf -n
alias_maps = hash:/opt/local/etc/postfix/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /opt/local/sbin
config_directory = /opt/local/etc/postfix
daemon_directory = /opt/local/libexec/postfix
data_directory = /opt/local/var/lib/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
default_privs = nobody
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
invalid_hostname_reject_code = 450
mail_owner = _postfix
mailq_path = /opt/local/bin/mailq
manpage_directory = /opt/local/share/man
maps_rbl_reject_code = 450
message_size_limit = 0
mydestination = localhost
myhostname = catalyst.hostwizard.com
mynetworks = 64.84.37.0/26
newaliases_path = /opt/local/bin/newaliases
non_fqdn_reject_code = 450
queue_directory = /opt/local/var/spool/postfix
readme_directory = /opt/local/share/postfix/readme
sample_directory = /opt/local/share/postfix/sample
sendmail_path = /opt/local/sbin/sendmail
setgid_group = _postdrop
smtp_tls_cert_file = /opt/local/etc/ssl/certs/dovecot.pem
smtp_tls_key_file = /opt/local/etc/ssl/private/dovecot.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /opt/local/etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /opt/local/etc/ssl/private/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/opt/local/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/opt/local/etc/postfix/mysql-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /opt/local/var/vmail
virtual_mailbox_domains = mysql:/opt/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/opt/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = static:5000
virtual_transport = dovecot
virtual_uid_maps = static:5000
--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: private/anvil errors
On Apr 24, 2009, at 6:15 AM, Wietse Venema wrote:

> Scott Haneda:
>> Those seem to be the bulk of the log lines. What is this error in regards to, and any ideas on how to solve it?
>
> Don't turn on VERBOSE LOGGING.

Ahh, thanks. In the log, how does one tell the difference between notice, error, and normal messages? To me, that appeared as a bad thing; I had no idea it was just informational.

> Don't turn on verbose logging unless asked to do so.

It was the only way I could solve some other issues I was having. It was helpful for me to be able to pin down errors that were being shown in a non verbose case. I could not have figured out what was happening were it not for verbose logging.

> Errors are ALWAYS logged in NON-VERBOSE mode.

Good to know, thanks. It was not clear to me, and some post I read suggested turning it on. I have commented it out now, and the logs are clean; thanks for the help.
--
Scott
* If you contact me off list replace talklists@ with scott@ *
Re: Suggestions on submission port config
Thanks for this, this is getting me on track, comments interspersed below...

On Apr 24, 2009, at 6:51 AM, Jorey Bump wrote:

> Scott Haneda wrote, at 04/24/2009 07:58 AM:
>
>> I am a little confused about main.cf and master.cf. Is there overlap in some of the settings? Do some settings exist in both files, or at least are interchangeable? If this is the case, under what conditions do you decide to do so?
>
> From master(5) [http://www.postfix.org/master.5.html]:
>
>   -o name=value
>     Override the named main.cf configuration parameter. The parameter value can refer to other parameters as $name etc., just like in main.cf. See postconf(5) for syntax.
>
> As implied, it's useful when you need to override the settings in main.cf to get different behaviour appropriate to the service you're setting up in master.cf (submission, reinjection from proxy/filter, etc.).

I have a little affliction against man type pages; they never seem to make a lot of sense to me :) This section does though. Just to be clear, this is a full blown override, in that deleting the corresponding value from main.cf would do nothing to the server, so long as it exists in master.cf?

[snip...]

>> I am willing to disallow user connection to port 25. How do I do this? In main.cf or master.cf? Right now, I believe I only have this:
>>
>> [snip... master.cf]
>> smtp inet n - n - - smtpd
>>
>> I believe I need to add a restriction in there to stop clients from connecting?
>
> There was a recent thread on this subject, worth reading:
> http://www.mail-archive.com/postfix-users@postfix.org/msg06230.html

Nice, thanks again, that was very telling. I will use that as a reference on how to best set this up. I think I still have some general questions below, as a result of my never having dealt with SSL/TLS other than on FTP servers and SSL in the HTTP space.

>> For port 587 submission, I want to offer SSL, TLS, and non encrypted to cover the users who will not want to change their settings. I cannot seem to get this to work; it is either no encryption, or forced encryption.
>>
>> [snip... master.cf]
>> submission inet n - n - - smtpd
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated
>>   -o milter_macro_daemon_name=ORIGINATING
>
> Use:
>   -o smtpd_tls_security_level=may
>   -o smtpd_tls_auth_only=no
>
> I think it's normally a bad idea not to enforce TLS on the submission port, but if you're using a secure mechanism and want to prevent weaker ones, add:
>   -o smtpd_sasl_security_options=noanonymous,noplaintext
>   -o smtpd_sasl_tls_security_options=noanonymous

If you do not like a lack of TLS enforcement on the submission port, what do you suggest for users who just do not care enough to use any TLS? You let them work on port 25? I could go that route, but I am really trying to find a way to do traffic isolation. If I know no client connections are made on 25, from a troubleshooting perspective alone, it seems to make things simpler on me.

My mailserver has a setting where I can disable auth on port 25. Maybe I will do this pre-migration, which would allow me to force all my users to change to port 25. The hobbly little server I am using now does not offer any way for me to look and see what users are connecting on 25 still. I think most are on 587 as a result of most ISPs filtering 25. Maybe a little tcpdump would get me those numbers.

>> * Do I even need the milter line?
>
> Good question. It may depend on whether or not you use milters. I don't, but I leave it in because I don't want issues later if I decide to deploy a milter.

Quick research seems to lead me to believe milter is for mail filtering, hence the name. Since I plan to have a proxy sit in front of my system, it should be safe to never use milter at all? I may want to auto file IMAP email to a junk mail folder, but I believe that would be done in dovecot, not postfix.

>> Port 465, I believe will be reserved exclusively for SSL? Port 587 does the TLS, is that correct? Or is the SSL just wrapping around the TLS?
>>
>> [snip... master.cf]
>> 465 inet n - n - - smtpd
>>   -o smtpd_tls_wrappermode=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>
> This is for legacy support. I suggest you don't activate it until you're sure you need it. Wrapper mode is different from offering STARTTLS. Nearly all modern clients support STARTTLS. If someone absolutely needs port 465, that could be a red flag that the user needs an upgrade. However, some webmail programs might have poor support for STARTTLS, forcing you to enable smtps if you require an encrypted connection.

Glad you brought up webmail. I am going to use Roundcube, on the same machine, worst case, on a close
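Scott's worry in this thread is that he cannot see, before flipping a setting, what a port actually offers. This added check (not from the thread, not Postfix code) does what the tcpdump he mentions would show: it reads the EHLO capabilities of a cleartext session and again after STARTTLS, and reports whether AUTH, and which mechanisms, is offered without TLS, which is what Jorey's smtpd_tls_auth_only and smtpd_sasl_security_options=noplaintext lines above control. The host name in probe() and the sample EHLO replies are constructed.

```python
import smtplib
import ssl
from typing import Dict, List, Optional

# Mechanisms that hand over the password itself (base64 is not protection);
# these are what smtpd_sasl_security_options=noplaintext removes from a
# cleartext session.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: bytes) -> Dict[str, List[str]]:
    """Map the keywords of an EHLO reply (as smtplib returns it: server name
    on the first line, one capability per line after it) to their parameters."""
    caps: Dict[str, List[str]] = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if not parts:
            continue
        keyword, params = parts[0].upper(), [p.upper() for p in parts[1:]]
        if keyword.startswith("AUTH="):   # legacy form, sent when broken_sasl_auth_clients=yes
            params.insert(0, keyword[5:])
            keyword = "AUTH"
        caps.setdefault(keyword, []).extend(params)
    return caps


def assess(before: Dict[str, List[str]],
           after: Optional[Dict[str, List[str]]]) -> dict:
    """Summarise what a client could do on the cleartext leg versus after TLS."""
    mechs_before = set(before.get("AUTH", []))
    mechs_after = set(after.get("AUTH", [])) if after is not None else set()
    return {
        "starttls_offered": "STARTTLS" in before,
        "auth_before_tls": sorted(mechs_before),
        "plaintext_auth_before_tls": sorted(mechs_before & PLAINTEXT_MECHS),
        "auth_after_tls": sorted(mechs_after),
    }


def probe(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Run the two EHLOs against a live server you administer. The default
    SSL context verifies the certificate, so a self-signed one (as discussed
    in the thread) fails loudly instead of being silently accepted."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        _, reply = conn.ehlo()
        before = parse_ehlo(reply)
        after = None
        if "STARTTLS" in before:
            conn.starttls(context=ssl.create_default_context())
            _, reply = conn.ehlo()        # capabilities must be re-read after TLS
            after = parse_ehlo(reply)
    return assess(before, after)


# Constructed EHLO replies, not captured from any real server.
# Port 25 offering AUTH in the clear (the state Scott describes):
PORT25_CLEAR = b"\n".join([b"mail.example.test", b"PIPELINING", b"SIZE 10240000",
                           b"STARTTLS", b"AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5",
                           b"AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5", b"8BITMIME"])
# Submission with smtpd_tls_auth_only=yes: no AUTH until the session is encrypted.
SUBMISSION_CLEAR = b"\n".join([b"mail.example.test", b"PIPELINING", b"STARTTLS",
                               b"8BITMIME"])
SUBMISSION_TLS = b"\n".join([b"mail.example.test", b"PIPELINING",
                             b"AUTH PLAIN LOGIN CRAM-MD5", b"8BITMIME"])

if __name__ == "__main__":
    print("port 25 :", assess(parse_ehlo(PORT25_CLEAR), None))
    print("port 587:", assess(parse_ehlo(SUBMISSION_CLEAR), parse_ehlo(SUBMISSION_TLS)))
    # print(probe("mail.example.test", 587))   # hypothetical host; run against your own server
```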
Working with the postfix log files
As a test, I have disabled authenticated SMTP on port 25. I just fired up Thunderbird, set the SMTP port to 25, and enabled SSL. Sending a test email, I get an error back from Thunderbird. Thunderbird chewed on this for a long time. My concern is what was in the logs. If a customer of mine is on the phone with me, and I tell them to make a connection, and the server is rather busy, I am not seeing anything I am going to be able to use from the logs to help them out:

Apr 24 18:13:17 catalyst postfix/smtpd[831]: connect from c-76-102-xx1-xx.hsd1.ca.comcast.net[76.102.xx1.xx]
Apr 24 18:14:21 catalyst postfix/smtpd[831]: lost connection after UNKNOWN from c-76-102-xx1-xx.hsd1.ca.comcast.net[76.102.xx1.xx]
Apr 24 18:14:21 catalyst postfix/smtpd[831]: disconnect from c-76-102-xx1-xx.hsd1.ca.comcast.net[76.102.xx1.xx]

I think I would have to ask them to locate their IP, then I could help them out. Suggestions?
--
Scott
* If you contact me off list replace talklists@ with scott@ *
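As an added example (not from the thread), a small Python reducer over smtpd log lines that answers both log questions on this page: which client IPs keep ending sessions in rejects or dropped connections (the mail.log question in the "how to detect spam attacks" thread above, including the helo-hostname rejects Scott describes there), and what one caller's IP did, for the customer-on-the-phone case. The sample log lines are constructed in the shape of the lines quoted above; hosts and addresses use documentation ranges.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log (not from any real server; RFC 5737 addresses).
SAMPLE_LOG = """\
Apr 24 18:13:17 catalyst postfix/smtpd[831]: connect from c-192-0-2-10.example.test[192.0.2.10]
Apr 24 18:14:21 catalyst postfix/smtpd[831]: lost connection after UNKNOWN from c-192-0-2-10.example.test[192.0.2.10]
Apr 24 18:14:21 catalyst postfix/smtpd[831]: disconnect from c-192-0-2-10.example.test[192.0.2.10]
Apr 24 18:15:02 catalyst postfix/smtpd[840]: connect from unknown[198.51.100.7]
Apr 24 18:15:02 catalyst postfix/smtpd[840]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 <mailserver>: Helo command rejected: need fully-qualified hostname; from=<a@example.test> to=<b@example.test> proto=SMTP helo=<mailserver>
Apr 24 18:15:03 catalyst postfix/smtpd[840]: disconnect from unknown[198.51.100.7]
Apr 24 18:15:09 catalyst postfix/smtpd[841]: connect from unknown[198.51.100.7]
Apr 24 18:15:09 catalyst postfix/smtpd[841]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 <mailserver>: Helo command rejected: need fully-qualified hostname; from=<c@example.test> to=<d@example.test> proto=SMTP helo=<mailserver>
Apr 24 18:15:10 catalyst postfix/smtpd[841]: disconnect from unknown[198.51.100.7]
Apr 24 18:16:40 catalyst postfix/smtpd[845]: connect from mail.example.test[203.0.113.5]
Apr 24 18:16:41 catalyst postfix/smtpd[845]: 3F2A1B0C9D: client=mail.example.test[203.0.113.5]
Apr 24 18:16:42 catalyst postfix/smtpd[845]: disconnect from mail.example.test[203.0.113.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"from (?P<name>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
HELO_RE = re.compile(r"helo=<(?P<helo>[^>]*)>")
AFTER_RE = re.compile(r"(?:lost connection|timeout) after (?P<cmd>\S+) from ")
EVENT_KINDS = ("connect", "disconnect", "lost", "timeout", "reject")


def parse_line(line: str) -> Optional[dict]:
    """Reduce one smtpd line to a connection-level event for a client, or
    None for lines that are not one (queue-id lines, other daemons)."""
    m = LINE_RE.match(line)
    if not m or m.group("prog") != "smtpd":
        return None
    msg = m.group("msg")
    client = CLIENT_RE.search(msg)
    if client is None:
        return None
    if msg.startswith("connect from"):
        kind = "connect"
    elif msg.startswith("disconnect from"):
        kind = "disconnect"
    elif msg.startswith("lost connection"):
        kind = "lost"        # "after UNKNOWN" right after connect is often a client speaking TLS to a cleartext port
    elif msg.startswith("timeout"):
        kind = "timeout"
    elif "reject:" in msg:
        kind = "reject"
    else:
        return None
    after = AFTER_RE.search(msg)
    helo = HELO_RE.search(msg)
    return {"ts": m.group("ts"), "kind": kind, "ip": client.group("ip"),
            "name": client.group("name"),
            "after": after.group("cmd") if after else None,
            "helo": helo.group("helo") if helo else None}


def summarize(log_text: str):
    """Per-client counters plus the ordered event list."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"name": "", "helos": set(), **{k: 0 for k in EVENT_KINDS}})
    events: List[dict] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        events.append(ev)
        s = stats[ev["ip"]]
        s["name"] = ev["name"]
        s[ev["kind"]] += 1
        if ev["helo"]:
            s["helos"].add(ev["helo"])
    return dict(stats), events


def noisy_clients(stats: Dict[str, dict]) -> List[tuple]:
    """(ip, bad sessions, connects), worst first: rejects, drops and
    timeouts are where to look for a source of attack traffic."""
    ranked = [(ip, s["reject"] + s["lost"] + s["timeout"], s["connect"])
              for ip, s in stats.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def client_timeline(events: List[dict], ip: str) -> List[str]:
    """What one caller's IP did, in order."""
    out = []
    for ev in events:
        if ev["ip"] == ip:
            detail = " after %s" % ev["after"] if ev["after"] else ""
            out.append("%s %s%s" % (ev["ts"], ev["kind"], detail))
    return out


if __name__ == "__main__":
    stats, events = summarize(SAMPLE_LOG)
    for ip, bad, conns in noisy_clients(stats):
        print("%-15s bad=%d connects=%d helo=%s" % (ip, bad, conns, sorted(stats[ip]["helos"])))
    print("\n".join(client_timeline(events, "192.0.2.10")))
```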
Postfix get_service_attr, dovecot, mysql, OS X
Hello, this is a new install of postfix with dovecot and mysql as an auth db for me. I have built everything in /opt/local/. Currently, I have pop, smtp, imap working, auth'ing against mysql. I can pop login, smtp login, and imap login. When I make a telnet connection to port 25, I am allowed in, I set mail from, rcpt to, send the data, and am given back a queue id. Looking at the log, I hit an error:

Apr 23 16:28:02 postfix/qmgr[49216]: 0B073225D0D: from=sc...@scotttest.com, size=410, nrcpt=1 (queue active)
Apr 23 16:28:02 postfix/qmgr[49216]: 11803227FEE: from=sc...@scotttest.com, size=419, nrcpt=1 (queue active)
Apr 23 16:28:02 postfix/pipe[49289]: fatal: get_service_attr: unknown username: vmail
Apr 23 16:28:02 postfix/pipe[49290]: fatal: get_service_attr: unknown username: vmail
Apr 23 16:28:03 postfix/qmgr[49216]: warning: private/dovecot socket: malformed response
Apr 23 16:28:03 postfix/qmgr[49216]: warning: transport dovecot failure -- see a previous warning/fatal/panic logfile record for the problem description
Apr 23 16:28:03 postfix/master[43394]: warning: process /opt/local/libexec/postfix/pipe pid 49289 exit status 1
Apr 23 16:28:03 postfix/master[43394]: warning: /opt/local/libexec/postfix/pipe: bad command startup -- throttling
Apr 23 16:28:03 postfix/qmgr[49216]: warning: private/dovecot socket: malformed response
Apr 23 16:28:03 postfix/qmgr[49216]: warning: transport dovecot failure -- see a previous warning/fatal/panic logfile record for the problem description
Apr 23 16:28:03 postfix/master[43394]: warning: process /opt/local/libexec/postfix/pipe pid 49290 exit status 1

I am pretty new to this on OS X, and I am fairly certain few people have gotten this setup on OS X. You will see reference to user vmail above; I have set up that user, and as far as I know, it is correct. OS X uses a slightly different mechanism than Linux to add users and groups. I was new to this, but I am able to set user and group on a file or directory.
I am not sure what data is needed to help me, other than the log snips above; just in case, here is the output of postconf -n. I can also put up any cf files if they are needed. I just saw 'debug_peer_level' below, I am going to bump that up and see if it gives me any clues.

$ postconf -n
command_directory = /opt/local/sbin
config_directory = /opt/local/etc/postfix
daemon_directory = /opt/local/libexec/postfix
data_directory = /opt/local/var/lib/postfix
debug_peer_level = 2
default_privs = nobody
html_directory = no
mail_owner = _postfix
mailq_path = /opt/local/bin/mailq
manpage_directory = /opt/local/share/man
newaliases_path = /opt/local/bin/newaliases
queue_directory = /opt/local/var/spool/postfix
readme_directory = /opt/local/share/postfix/readme
sample_directory = /opt/local/share/postfix/sample
sendmail_path = /opt/local/sbin/sendmail
setgid_group = _postdrop
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/opt/local/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/opt/local/etc/postfix/mysql-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/opt/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/opt/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

-- Scott
* If you contact me off list replace talklists@ with scott@ *
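Both of the master.cf problems in this digest come down to reading the service entries carefully: the submission/465 exchange earlier (does a listener offer password authentication before TLS, and does its client restriction list actually end in a reject), and the "fatal: get_service_attr: unknown username: vmail" above, which is pipe(8) failing to resolve the `user=` attribute of the dovecot transport through the system's password database at process start, before any mail is handled. The audit below is an added example, not code from the thread or from Postfix: it parses a master.cf, classifies each smtpd listener, and repeats the same `user=` lookup Postfix makes (getpwnam), so you can test whether the account is visible to Postfix the way it was created. The sample master.cf is constructed from the entries quoted in the thread; the dovecot transport line and its deliver path are assumed, since the thread shows only the failure, and `-o syslog_name=...` is added to the sample as a standard option the quoted entries did not have.

```python
"""Audit a Postfix master.cf for two things discussed in this thread:
the TLS/SASL posture of each smtpd service (ports 25/587/465) and whether
the user= of each pipe transport names an account the system can resolve,
which is the lookup pipe(8)'s get_service_attr fails with "unknown username".
Example code added to the thread, not the original poster's configuration."""
import pwd
import shlex

# Constructed sample modelled on the entries quoted in this thread. The
# dovecot transport line, including the deliver path, is assumed: the thread
# only shows its failure, not the entry itself.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated
465        inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
dovecot    unix  -  n  n  -  -  pipe
  flags=DRhu user=vmail:vmail argv=/opt/local/libexec/dovecot/deliver -d ${recipient}
"""


def parse_master_cf(text):
    """Return one dict per service: name, type, command, args and the -o
    overrides as a dict. Continuation lines start with whitespace."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if services:
                services[-1]["args"].extend(shlex.split(raw))
            continue
        fields = shlex.split(raw)
        if len(fields) >= 8:
            services.append({"name": fields[0], "type": fields[1],
                             "command": fields[7], "args": fields[8:]})
    for svc in services:
        args, opts = svc["args"], {}
        for i, a in enumerate(args[:-1]):
            if a == "-o" and "=" in args[i + 1]:
                k, v = args[i + 1].split("=", 1)
                opts[k] = v
        svc["opts"] = opts
    return services


def smtpd_posture(svc, main_cf=None):
    """Classify an smtpd service as (tls, sasl_enabled, findings).
    main_cf supplies the main.cf values the -o overrides fall back to."""
    o = {**(main_cf or {}), **svc["opts"]}
    if o.get("smtpd_tls_wrappermode") == "yes":
        tls = "wrapper"
    else:
        tls = o.get("smtpd_tls_security_level", "none")
    sasl = o.get("smtpd_sasl_auth_enable", "no") == "yes"
    findings = []
    if sasl and tls != "wrapper":
        # Password mechanisms are reachable over the unencrypted channel
        # unless TLS is mandatory, auth is TLS-only, or noplaintext is set
        # in the pre-TLS SASL options (smtpd_sasl_security_options).
        pre_tls_opts = o.get("smtpd_sasl_security_options", "noanonymous")
        if (tls != "encrypt" and o.get("smtpd_tls_auth_only", "no") != "yes"
                and "noplaintext" not in pre_tls_opts):
            findings.append("plaintext SASL mechanisms offered before TLS")
    restrictions = o.get("smtpd_client_restrictions", "").replace(",", " ").split()
    if sasl and "reject" not in restrictions:
        findings.append("smtpd_client_restrictions ends in implicit permit; "
                        "unauthenticated clients reach the later restrictions")
    return tls, sasl, findings


def pipe_user_check(svc, resolve=pwd.getpwnam):
    """What pipe(8) does at startup: user= is required and must resolve."""
    attr = next((a for a in svc["args"] if a.startswith("user=")), None)
    if attr is None:
        return None, None, "fatal: pipe transport without user= attribute"
    user = attr[len("user="):].split(":", 1)[0]
    try:
        return user, resolve(user).pw_uid, "ok"
    except KeyError:
        return user, None, "fatal: get_service_attr: unknown username: " + user


def audit(text, resolve=pwd.getpwnam, main_cf=None):
    """Run both checks over every service in a master.cf text."""
    report = {}
    for svc in parse_master_cf(text):
        if svc["command"] == "smtpd":
            report[svc["name"]] = smtpd_posture(svc, main_cf)
        elif svc["command"] == "pipe":
            report[svc["name"]] = pipe_user_check(svc, resolve)
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE_MASTER_CF).items():
        print(f"{name:12} {result}")
```

Run on the box with the real /opt/local/etc/postfix/master.cf, the dovecot line either returns the uid the account resolves to (worth comparing with the `static:5000` in virtual_uid_maps above) or the same "unknown username" string pipe(8) logged, in which case the account is not visible through getpwnam however it was created. On the submission side, the audit reports the `smtpd_tls_security_level=may` entry as offering plaintext mechanisms before TLS until `noplaintext` is in smtpd_sasl_security_options (passed here as a main.cf value), which is the mitigation suggested earlier in the thread.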
How to change the log location
I think I have traveled from one end of the internet to the other on this one :) How do you change the log location for postfix? Currently, the log is sent to /var/log/mail.log on Mac OS X. I would like to move it to /opt/local/var/log/postfix/mail.log since that is where postfix is. OS X has a log roller built in, that rolls things out, I need to keep my logs longer. If I edit the OS X log roller to exclude the mail.log, every system update seems to put it back. I did not see any log path in the configure options for building it out, or in any of the cf files. Thanks -- Scott * If you contact me off list replace talklists@ with scott@ *