attempt to open lmdb:postscreen_cache with both "open" lock and "access" lock
Hello World, I'm running Postfix 3.6.4 in a container on Alpine 3.15 main. After a bit of time, I'm starting to get error messages like that: #v+ Mar 17 13:24:40 servername postfix/postscreen[164]: CONNECT from [167.248.133.120]:52756 to [172.17.13.3]:25 Mar 17 13:24:40 servername postfix/proxymap[166]: panic: dict_open: attempt to open lmdb:/var/lib/postfix/postscreen_cache with both "open" lock and "access" lock Mar 17 13:24:41 servername postfix/master[1]: warning: process /usr/libexec/postfix/proxymap pid 166 killed by signal 6 Mar 17 13:24:41 servername postfix/master[1]: warning: /usr/libexec/postfix/proxymap: bad command startup -- throttling Mar 17 13:24:48 servername postfix/postscreen[164]: fatal: watchdog timeout #v- I verified that these are the first messages since container startup that indicate a problem by using: #v+ journalctl CONTAINER_NAME=postfix_postfix_1 -o cat | egrep '(warning|error|fatal|panic):' #v- Output of postconf -n is below - I'll happily provide further details. I'm not running any of the postfix programs in a chroot, so I guess I can simply drop the access by proxy. I also believe that I might be fine without persistence for the postscreen cache. However, if there is another fix, I'd be glad to hear about that. Thanks, Stefan address_verify_map = proxy:lmdb:${data_directory}/verify_cache alias_database = lmdb:/etc/postfix/maps/aliases alias_maps = lmdb:/etc/postfix/maps/aliases allow_percent_hack = no biff = no compatibility_level = 3.6 confirm_delay_cleared = yes delay_warning_time = 1h general_smtpd_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_sender, reject_unlisted_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, check_recipient_access lmdb:${maps_dir}/verify_recipients, check_sender_access lmdb:${maps_dir}/verify_senders, check_policy_service inet:dovecot:25001 header_checks = pcre:${maps_dir}/header_checks.pcre inet_interfaces = all maillog_file = /dev/stdout maps_dir = /etc/postfix/maps maximal_queue_lifetime = 14d message_size_limit = 26214400 milter_default_action = accept milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} milter_protocol = 6 myhostname = servername.example.com parent_domain_matches_subdomains = postscreen_access_list = permit_mynetworks, cidr:${maps_dir}/relay_clients.cidr postscreen_cache_map = proxy:lmdb:$data_directory/postscreen_cache postscreen_greet_action = enforce proxy_interfaces = 65.108.140.253, [2a01:4f9:1a:90c5::2] recipient_delimiter = + relayhost = smtp_address_preference = ipv6 smtp_dns_support_level = dnssec smtp_generic_maps = regexp:${maps_dir}/smtp_generic.regexp smtp_sasl_tls_security_options = noanonymous smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_loglevel = 1 smtp_tls_security_level = dane smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP smtpd_client_connection_count_limit = 20 smtpd_client_restrictions = ${stress?reject_unknown_client_hostname} smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining smtpd_discard_ehlo_keywords = silent-discard, dsn smtpd_helo_required = yes smtpd_milters = inet:rspamd:11332 smtpd_recipient_restrictions = check_client_access cidr:${maps_dir}/hard_blacklist.cidr, check_recipient_access lmdb:${maps_dir}/recipient_access, $general_smtpd_restrictions smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access cidr:${maps_dir}/relay_clients.cidr, reject_unauth_destination smtpd_sasl_path = inet:dovecot:12345 smtpd_sasl_type = dovecot smtpd_tls_auth_only = yes smtpd_tls_cert_file = /srv/ssl/live/servername.example.com-rsa/fullchain.pem smtpd_tls_dh1024_param_file = /srv/dh/dh_4096.pem smtpd_tls_dh512_param_file = /srv/dh/dh_512.pem smtpd_tls_eccert_file = /srv/ssl/live/servername.example.com-ecdsa/fullchain.pem smtpd_tls_eckey_file = /srv/ssl/live/servername.example.com-ecdsa/privkey.pem smtpd_tls_key_file = /srv/ssl/live/servername.example.com-rsa/privkey.pem smtpd_tls_loglevel = 1 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtputf8_enable = yes submission_hostname = mail.example.com submission_smtpd_recipient_restrictions = check_sasl_access lmdb:${maps_dir}/sasl_access, $general_smtpd_restrictions submission_tls_preempt_cipherlist = yes swap_bangpath = no unverified_recipient_reject_code = 550 unverified_sender_reject_code = 550 virtual_alias_domains = example.net virtual_alias_maps = lmdb:${maps_dir}/virtual_aliases virtual_mailbox_domains = lmdb:${maps_dir}/virtual_mailbox_domains virtual_transport = lmtp:inet:dovecot:10025
Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS
* Dirk Stöcker : On Mon, 28 May 2018, Viktor Dukhovni wrote: It might be useful, but probably not, to have a version of postconf -n that showed the default value along sinde the changed value: join <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/') Do you maybe also have a command to show only changed parameters? Something like postconf -n, but dropping everything identical to default. You can get changed parameters that are at their default value with: comm -1 -2 <(postconf -n) <(postconf -d)
Re: difference between /var/spool/postfix/etc/hosts and /etc/hosts
* Paul Martin: on debian , i am running postfix. I changed my IP ldap server in /etc/hosts but /var/spool/postfix/etc/hosts is different. What shoud I do to make postfix using the new IP ldap? This Debian-specific issue can be solved by restarting the Postfix service (e.g. "service postfix restart") or calling the configuration script for each instance, e.g.: /usr/lib/postfix/configure-instance.sh /etc/postfix HTH, Stefan
Re: Code burn-in: postscreen/verify cache cleanup
* Victor Duchovni victor.ducho...@morganstanley.com: On Wed, Dec 30, 2009 at 08:26:45AM +0100, Stefan F??rster wrote: I've noticed a vast deterioration of the databases's performance, though. 20091209 only emitted some timing warnings for updates from time to time (database rotated every Saturday as per your recommendation). With the new code, lookup timing warnings are emitted frequently for approximately 30 minutes after every cache cleanup. Guess I need a better database library. What database type are you using? Berkeley DB 4.6.21-11 from libdb4.6_4.6.21-11_amd64.deb. Stefan
Re: Code burn-in: postscreen/verify cache cleanup
* Wietse Venema wie...@porcupine.org: I'm burning in some new code that I wrote over the past week to periodically remove old entries from postscreen(8) and verify(8) caches. This is not a sexy topic, but it helps to keep database sizes in check, it speeds up database access, and it was time. If you're courageous you can try postfix-2.7-20091227-nonprod. If I had some problems integrating the Debian patches which support dynamic loading of map types (worse, I don't even understand why), so I went for a traditional compile and install. It's working as expected, I didn't see any adverse side effects so far. OTOH, the servers where I deployed the code have almost no real workload at this time between the years, possibly rendering my observations flawed. What kind of data could we provide to help you with this? Stefan you have used postscreen(8) or verify(8) before, you will notice that they weed out lots and lots of expired entries from the databases while reporting their progress along the way. The cache cleaning code runs while a postscreen(8) or verify(8) process is waiting for real work. Cache cleaning suspends when the process does no real work for $max_idle seconds, and resumes when there is a request for postscreen(8) or verify(8) service. After a cache cleanup run is completed, no cleanup happens for 12 hours. Right now, cache cleaning cannot be disabled, so the postscreen(8) or verify(8) cache databases MUST support the delete and sequence operations. For backwards compatibility sake I may add a non-cleaning option but it won't be the default setting. Wietse
Re: Code burn-in: postscreen/verify cache cleanup
* Ralf Hildebrandt ralf.hildebra...@charite.de: * Wietse Venema wie...@porcupine.org: Dec 29 04:20:17 spike postfix/postscreen[44900]: cache /var/lib/postfix/ps_cache.db full cleanup: retained=134 dropped=19 entries Dec 29 06:19:33 spike postfix/verify[46072]: cache /var/lib/postfix/verify.db full cleanup: retained=1726 dropped=28 entries The initial cleanup: Dec 29 10:16:35 mail postfix/postscreen[12078]: cache /var/lib/postfix/ps_cache.db full cleanup: retained=8460 dropped=274056 entries Dec 29 10:17:13 mail postfix/verify[12105]: cache /var/lib/postfix/verify.db full cleanup: retained=109892 dropped=648105 entries Not using verify here, for postscreen, the number of entries retained settled itself between 2500 and 2900, the number of dropped entries varies around 300 and 500. I've noticed a vast deterioration of the databases's performance, though. 20091209 only emitted some timing warnings for updates from time to time (database rotated every Saturday as per your recommendation). With the new code, lookup timing warnings are emitted frequently for approximately 30 minutes after every cache cleanup. Guess I need a better database library. Stefan
ps_dict_put: /var/lib/postfix/ps_cache.db update took X ms
While I certainly like the fact that Postfix becomes more and more admin friendly in that it now also logs warnings about performance issues, I'd like to know how many milliseconds a single request to update the temporary whitelist may take before a warning is emitted. Is it 100ms? I got exactly 882 messages like postscreen[5486]: warning: ps_dict_put: /var/lib/postfix/ps_cache.db update took 108 ms with values ranging from 101 to 147 within the last 24 hours on a moderately busy system. Probably unrelated: When does postscreen(8) clean up it's database? Periodically? Every X connections? Never? What database sizes are to be expected? Stefan
Re: PATCH: smtpd_proxy logging
* Mark Martinec mark.martinec+post...@ijs.si: On Sunday 06 December 2009 13:11:16 Stefan Foerster wrote: 2. The number of SMTP proxy processes busy talking to Postfix went down from 16.44 to 8.73 (5s resolution) - that's a completely unexpected result, possibly flawed by the small data sample. I'll verify this again once I got a full month's data. A drop in the number of necessary content filtering processes is to be expected, and is in fact the main reason for the smtpd_proxy_options=speed_adjust feature. Very useful / indispensable in the pre-queue filtering setup. Of course - but not by this magnitude. As I said, I'll verify mid-December (or perhaps around Christmas). Stefan
Re: whitelisting problem
* Stan Hoeppner s...@hardwarefreak.com: smtpd_helo_required = yes smtpd_helo_restrictions = check_recipient_access hash:/etc/postfix/access Did you mean check_helo_access? Stefan reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_unknown_helo_hostname smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unlisted_recipient check_recipient_access hash:/etc/postfix/access reject_rbl_client zen.spamhaus.org check_policy_service inet:127.0.0.1:6 /etc/postfix/access ... 66.135.197 OK 168.100.1 OK 204.238.179 OK spam-l-boun...@spam-l.com OK owner-postfix-us...@cloud9.net OK majordomo-ow...@cloud9.net OK owner-postfix-us...@postfix.org OK ... Dec 4 13:39:15 greer postfix/smtpd[7124]: NOQUEUE: reject: RCPT from unknown[204.238.179.8]: 450 4.7.1 mx1.mfn.org: Helo command rejected: Host not found; from=spam-l-boun...@spam-l.com to=s...@hardwarefreak.com proto=ESMTP helo=mx1.mfn.org Any clues as to what's wrong? -- Stan
Re: whitelisting problem
Hallo Stan, * Stan Hoeppner s...@hardwarefreak.com: Stefan Förster put forth on 12/5/2009 5:46 AM: * Stan Hoeppner s...@hardwarefreak.com: smtpd_helo_required = yes smtpd_helo_restrictions = check_recipient_access hash:/etc/postfix/access Did you mean check_helo_access? What does this have to do with the question I asked? How would this cause the problem I'm inquiring about? Why have two members now completely missed the problem? Rejection message: | Dec 4 13:39:15 greer postfix/smtpd[7124]: NOQUEUE: reject: RCPT from | unknown[204.238.179.8]: 450 4.7.1 mx1.mfn.org: Helo command rejected: | Host not found; from=spam-l-boun...@spam-l.com | to=s...@hardwarefreak.com proto=ESMTP helo=mx1.mfn.org Obviously triggered by the reject_unknown_helo_hostname in: |smtpd_helo_restrictions = |check_recipient_access hash:/etc/postfix/access |reject_non_fqdn_helo_hostname |reject_invalid_helo_hostname |reject_unknown_helo_hostname Whitelist doesn't trigger because you are performing a check for the value of the RCPT TO parameter, not the HELO or EHLO. If this isn't what you were looking for I don't have any idea what your question is. Stefan
Re: whitelisting problem
* Stefan Förster cite+postfix-us...@incertum.net: Rejection message: | Dec 4 13:39:15 greer postfix/smtpd[7124]: NOQUEUE: reject: RCPT from | unknown[204.238.179.8]: 450 4.7.1 mx1.mfn.org: Helo command rejected: | Host not found; from=spam-l-boun...@spam-l.com | to=s...@hardwarefreak.com proto=ESMTP helo=mx1.mfn.org Obviously triggered by the reject_unknown_helo_hostname in: |smtpd_helo_restrictions = |check_recipient_access hash:/etc/postfix/access |reject_non_fqdn_helo_hostname |reject_invalid_helo_hostname |reject_unknown_helo_hostname Whitelist doesn't trigger because you are performing a check for the value of the RCPT TO parameter, not the HELO or EHLO. Addendum: You can use check_client_access here. Stefan
Re: whitelisting problem
* Stan Hoeppner s...@hardwarefreak.com: Two classes before smtpd_helo_restrictions should have triggered accepting the email. The message should have never made it to the HELO checks. It should have been accepted in smtpd_client_restrictions or smtpd_sender_restrictions. Both classes come before smtpd_helo_restrictions in my main.cf. The order in which checks are evaluated is the one in which the criterion to be checkd is made available to Postfix: 1. client IP address 2. HELO hostname 3. MAIL FROM aka sender 4. RCPT TO, aka recipient(s) 5. DATA 6. . How is everyone missing this? You're fixated on the darn error message. We all know what caused the error, a DNS lookup failure. That's not rocket science and has nothing to do with the problem. The problem is that the restriction processing order isn't being followed for some reason. Why isn't it? _THAT_ is the problem I'm asking for help with. That was clear in my first email, was it not? Postfix behaves according to the documentation. The documentation doesn't say that an OK from a check_client_access results in an OK for the HELO restrictions. And no, it was not clear from your first posting that you had a serious misunderstanding of how Postfix access control works. Your first posting simply suggested that you worked a whole night, couldn't barely keep your eyes open (5:46am) and therefore mixed check_recipient_access with check_client_access in your smtpd_helo_restrictions. Stefan
Snapshot 20091109, queue disk partition sizing
If I understood the release notes correctly, with smtpd_proxy_options = speed_adjust, each smtpd process will keep the message it's currently receiving in a temporary file. That seems to imply that there could be (number of smtpd processes) * message_size_limit bytes of queue space allocated in temporary files. I _think_ that this is not different from a setup without a content filter which would mean I don't have to increase the disk partition keeping the queue - is that assumption correct? Stefan
Re: Snapshot 20091109, queue disk partition sizing
* Wietse Venema wie...@porcupine.org: Stefan Förster: (number of smtpd processes) * message_size_limit bytes of queue space allocated in temporary files. By default, the Postfix requires 1.5*message_size_limit of free space before it accepts mail. Right now, the before-proxy scratch files are put in the incoming queue, but that may still chnage. I didn't change the formula (to 2.5*message_size_limit) for that reason. Thank you for that clarification. Now, about logging - I'd be really grateful if the existing logging functionality could be extended in a way so that the pre-queue content filter's response is logged. I know that it is actually the content filter's job to log what it did during an ESMTP transaction, but I think if Postfix logged the filter's response, correlating logs would be much easier. Stefan
Re: Configuring Two Postfix mail servers behind HA Proxy load balancer.
* Manoj Burande manoj.bura...@artificialmachines.com: I am trying to setup a Postfix Mail Server on Fedora10. I am trying to learn the basic process of setting up and manage a Postfix Mail Server. Trying to learn Postfix by implementing a HA solution is not really a suitable way, IMHO. In case nobody else is going to post those links: http://www.postfix.org/BASIC_CONFIGURATION_README.html http://www.postfix.org/STANDARD_CONFIGURATION_README.html Perhaps you might want to set up a standard Postfix mailserver before you work on an HA setup. Also trying to build a High-Available Postfix Mail Server set. I have already configured HA Proxy load balancer servers. I just wanted to place my two postfix mail server behind it. Is there ANYBODY help me to accomplish the same. Or please provide me online stuff to set up mail servers behind load balancer. The way the SMTP protocl is designe, load balancers are almost always unnecessary - even HA loadbalancers might reduce availability (if your only MX entry points to the LB and the receiving Postfix server dies mid-transaction). What you want to look at when talking about a HA setup is the availability to continuously process a mail queue even if one node dies. You should have a very good reason to invest in such a setup, for example, sending out large newsletters. If your mailservers typically run with very small queues and a loss/delay of a single mail is not a big deal, simply configure two mail servers (and make your IMAP server/$WHATEVER clustered). If you absolutely need to make sure that queued mails will be processed even if the node that owned the queue dies, then - and only then - try to setup a cluster. So, a quick list of things you should get accomplished: 1. Get a HA storage solution. If e.g. it is some SAN/iSCSI stuff, get it connected to you two nodes and configure a cluster filesystem (someone might comment on why a queue on NFS is not a good idea). Whatever you do, make sure both nodes can access the same filesystem. 2. Get a clustering software working and installed on your nodes. Pacemaker/Corosync should do the job. 3. Configure two Postfix instances, each with it's own queue directory. If you don't want to store it's binaries/configuration files on the clustered filesystem, figure out a way to keep them in sync on both nodes. 4. Write yourself a resource agent which is capable of stopping and starting an instance. 5. In your clustering software, configure a mailserver resource using the resource agents from the previous step, and add other cluster resources (stonith devices, virtual IP addresses) as needed. Once you are finished, when one of your nodes dies, the Postfix instance will be started on the remaining node. Since the queue directory will still be available (clustered filesystem, you remember?), processing of the queue will continue. All of this of course doesn't guarantee your users will have access to your mails - you'll basically need to repeat the above steps for your IMAP/POP3 server. Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 Tapferkeit ist ein Anfall, der bei den meisten Menschen schnell vorübergeht.
rbl_reply_maps - specify OK/ACCEPT/220?
rbl_reply_maps overrides default_rbl_reply for blacklist/response code pairs listed in the referenced lookup tables. Is it possible to specify a numeric code which is NOT a reject code, thereby realizing a DNS whitelist? Stefan
Re: rbl_reply_maps - specify OK/ACCEPT/220?
Hallo postfix-users, * Stefan Förster cite+postfix-us...@incertum.net: * Stefan Förster cite+postfix-us...@incertum.net: rbl_reply_maps overrides default_rbl_reply for blacklist/response code pairs listed in the referenced lookup tables. Is it possible to specify a numeric code which is NOT a reject code, thereby realizing a DNS whitelist? Clarifying: I know I cannot return accept, defer_if_permit or something like that - but what about 250 2.1.5 Ok? Doesn't work: postfix/smtpd[1100]: warning: rbl response code configuration error: 250 2.1.5 Ok - in dsbl.org Stefan
Are queue IDs unique within a sinlge instance?
Given no external interference, are queue IDs unique within a single instance for the whole span a message stays within qmgr's control, or can a mail in e.g. the deferred queue, share an ID with a message in the active queue? Cheers Stefan
Re: Reverse DNS fails with cannot find your hostname when forward IP is wrong
* Michael Monnerie michael.monne...@is.it-management.at: I've just had a very strange bug which cost me an hour to find. mailserver: postfix-2.5.1-28.5 On the mailserver, I should receive mail from 212.69.162.205. # dig -x 212.69.162.205 showed me a correct, existing PTR: 205.192-28.162.69.212.in-addr.arpa. 3600 IN PTR protegate5.zmi.at. Just the forward request doesn't fit the IP: # dig +short protegate5.zmi.at 212.69.164.56 and postfix refused to take the e-mail with this message: 450 4.7.1 Client host rejected: cannot find your hostname, [212.69.162.205] As documented in http://www.postfix.org/postconf.5.html#smtpd_client_restrictions reject_unknown_client_hostname is triggered if 1) the client IP address-name mapping fails[, or] 2) the name-address mapping fails, or 3) the name-address mapping does not match the client IP address This is often reffered to as forward confirmed reverse DNS: http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS The log text is not correct, it should say your PTR 212.69.162.205 doesn't fit the forward IP of protegate5.zmi.at. The log text ist correct. A host with an IP resolved to protegate5.zmi.at connected, but the host with that name has a different IP. So Postfix was not able to find a host name that resolved to that IP address. I changed the PTR to now be 205.192-28.162.69.212.in-addr.arpa. 3600 IN PTR protegate5old.zmi.at. and this fits the forward: # dig +short protegate5old.zmi.at 212.69.162.205 and then the e-mail passes through. I don't know if that has already been fixed, but it really should as the log messages suggests that we had a DNS issue while it really only was the misfit of forward/reverse lookups. This kind of misfit is commonly referred to as a DNS issue when postmasters talk to each other ;-) Cheers Stefan I also looked at http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname but found no mentioning of the message that's logged. But a cannot find your hostname is really not a good answer here. mfg zmi -- // Michael Monnerie, Ing.BSc- http://it-management.at // Tel: 0660 / 415 65 31 .network.your.ideas. // PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import // Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4 // Keyserver: wwwkeys.eu.pgp.net Key-ID: 1C1209B4
Re: warning: SASL authentication failure: No worthy mechs found
* Dan Winchester 2...@dan.co.uk: I am new to Postfix. I am trying to get Postfix to relay via mail.authsmtp.com. I have added the following lines to main.cf relayhost = [mail.authsmtp.com] smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous I get the following errors: warning: SASL authentication failure: No worthy mechs found SASL authentication failed; cannot authenticate to server mail.authsmtp.com[62.13.128.189]: no mechanism available I have run saslfinger -c (as advised in a previous post to this list), and have copied the output below this email. Any help would be gratefully received! Cheers Dan # saslfinger -c saslfinger - postfix Cyrus sasl configuration Thu Aug 27 06:23:33 EDT 2009 version: 1.0.2 mode: client-side SMTP AUTH -- basics -- Postfix: 2.3.3 System: CentOS release 5.3 (Final) -- smtp is linked to -- libsasl2.so.2 = /usr/lib64/libsasl2.so.2 (0x7fd1b846e000) -- active SMTP AUTH and TLS parameters for smtp -- relayhost = [mail.authsmtp.com] smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous -- listing of /usr/lib64/sasl2 -- total 2712 drwxr-xr-x 2 root root 4096 Aug 5 05:55 . drwxr-xr-x 39 root root 20480 Aug 6 04:02 .. -rwxr-xr-x 1 root root890 Jan 7 2007 libanonymous.la -rwxr-xr-x 1 root root 15880 Jan 7 2007 libanonymous.so -rwxr-xr-x 1 root root 15880 Jan 7 2007 libanonymous.so.2 -rwxr-xr-x 1 root root 15880 Jan 7 2007 libanonymous.so.2.0.22 -rwxr-xr-x 1 root root936 Jan 7 2007 libsasldb.la -rwxr-xr-x 1 root root 892920 Jan 7 2007 libsasldb.so -rwxr-xr-x 1 root root 892920 Jan 7 2007 libsasldb.so.2 -rwxr-xr-x 1 root root 892920 Jan 7 2007 libsasldb.so.2.0.22 -rw-r--r-- 1 root root 26 Aug 14 2008 smtpd.conf -- listing of /usr/lib/sasl2 -- total 68 drwxr-xr-x 2 root root 4096 Aug 3 06:16 . drwxr-xr-x 22 root root 12288 Aug 5 05:55 .. -rwxr-xr-x 1 root root 884 Jan 7 2007 libanonymous.la -rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so -rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so.2 -rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so.2.0.22 I don't see any SASl modules for AUTH PLAIN or AUTH LOGIN here. You should use yum to search for packages like cyrus-sasl, sasl-modules and similar. Cheers Stefan -- listing of /etc/sasl2 -- total 8 drwxr-xr-x 2 root root 4096 Jan 7 2007 . drwxr-xr-x 58 root root 4096 Aug 27 04:02 .. -- permissions for /etc/postfix/sasl_passwd -- -rw--- 1 root root 37 Aug 18 08:08 /etc/postfix/sasl_passwd -- permissions for /etc/postfix/sasl_passwd.db -- -rw--- 1 root root 12288 Aug 18 08:10 /etc/postfix/sasl_passwd.db /etc/postfix/sasl_passwd.db is up to date. -- active services in /etc/postfix/master.cf -- # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) smtp inet n - n - - smtpd pickupfifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgrunix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounceunix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verifyunix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - n - - smtp relay unix - - n - - smtp -o fallback_relay= showq unix n - n - - showq error unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scacheunix - - n - 1 scache maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} old-cyrus unix - n n - - pipe flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} cyrus unix - n n - - pipe user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} uucp unix - n n -
Re: warning: SASL authentication failure: No worthy mechs found
* Dan Winchester 2...@dan.co.uk: I don't see any SASl modules for AUTH PLAIN or AUTH LOGIN here. You should use yum to search for packages like cyrus-sasl, sasl-modules and similar. I have a number of cyrus-sasl packages installed: # yum list installed | grep sasl cyrus-sasl.x86_642.1.22-4 installed cyrus-sasl-lib.i386 2.1.22-4 installed cyrus-sasl-lib.x86_642.1.22-4 installed Are these sufficient for AUTH PLAIN or AUTH LOGIN? Obviously, they are not, are they? I think you might want to install cyrus-sasl-plain.x86_64. Cheers Stefan
Re: rbl checks, best place
* /dev/rob0 r...@gmx.co.uk: On Friday 21 August 2009 00:23:07 Olivier Nicole wrote: This is a difficult question. I disagree. Just that because you disagree makes the question not simple :) Perhaps you didn't understand. I tried to explain why the choice of pre-DATA reject_rbl_client lookups should be preferred to doing them through content filters. Yes, I made the exception of untrustworthy lists. If you look back, you'll possibly see that I was proposing responsible, informed use of DNSBLs. I have to disagree here. For me it would simply be unacceptable to reject a mail based on only _one_ criterion. As you said, if e.g. gmail get's listed on any DNSBL, this might not be a false positive, but OTOH, it's highly undesireable to block the dozillions of other legitimate customer mail originating from gmail. Nowadays, I'd always favour computing a score for every incoming email as soon as we know the HELO/EHLO, (r)DNS data and MAIL FROM. With Postfix's smtpd_delay_reject, this is easily realized by calling a policy service at an appropriate place in smtpd_recipient_restrictions. While I know that the original reason to introduce the delayed rejects was not to make more data available, rejection at the rcpt to stage allows for making much more comprehensive decisions about the fate of an email. You could, for example, make it easier to contact postmaster - because that's where third parties will seek help if they are blocked by your system. It's only logical to extend this conception when it comes to other, sender/sending host specific criteria: Instead of evaluating one criterion at a time, basing a rejection decision on the one currently being examined, you should use _all_ the data you have about an incoming message to decide on that message's fate. I think blind reliance on content filtering is ill-advised, based on poor logic and lack of understanding of the nature of spam. SA and other content filters will be checking the same DNSBL as I am, with addition of some that I'd consider less trustworthy. Furthermore, by virtue of having accepted the DATA, a MTA assumes responsibility for these few messages amidst all the spam garbage. Actually (that's for the archives only, I know you are well aware of that), my server only accepted a message after giving a 2xx to the DATA-DOT. I'm not opposed to content filtering; on the contrary, I know it's an important third or fourth line of defense for many sites. Those sites which are using it as the first line get what they deserve. I have to disagree here, again. From your description, I think that when you are talking about content filtering, you are referring to a post queue filter setup. There are a million sites out there using a post queue setup, and IMNSHO, they should all die in a fire for torturing their users with ancient technology like that. About 14 months ago, I switched to a pre queue setup. The main reason for this was that even with Nazi style rejection rules (that's one Godwin for me, please!) at the SMTP level, there were still mailboxes for which our content_filter quarantined (rerouted to plus'd addresses, $WHATEVER) about 30 messages per day - while killing another 50 ones silently. And no, there wasn't any chance we could have set the kill level even lower. C'mon. We are living in the 21st century. Why on earth should anyone have to look through a folder/quarantine with 30 messages per day? We are humans, not machines. I know that there are many concerns regarding the use of smtpd_proxy_filter - many of them having to do with the lack of scalability. So what? Buy more hardware. Or buy better hardware. If you are worried about rejecting mailing list mails, learn how to use your filter framework. But, for God's sake, step into the 21st century, finally! Postfix could easily help this if it supported the same kind of routing it does with a content_filter (where you can specify content_filter = smtp-foo:filter.domain.com:10024 and it will lookup the MX records for filter.domain.com) to faciliate load balancing and increase robustness, but we probably won't see that too soon. Cheers Stefan
Re: openldap-2.3.39 crash
Hello 承磊, * 承磊 cheng...@east.net wrote: I have been using postfix since a few weeks. The setup is currently: Redhat As4.4 (Linux 2.6.9-42 SMP), Postfix 2.3.39, openldap-2.3.39, BerkeleyDB 4.5. 20 , courier-authlib-0.56. Now, the ldap service crashes frequently once the ldap connection raises about 300(the database engine is bdb). you can try whether using the proxymap(8) service to access you LDAP lookup tables (with an appropriate process limit defined in master.cf) solves your problem: http://www.postfix.org/proxymap.8.html Cheers Stefan
Re: Postfix queue problem?
Hallo Junior, * Junior Tux junior.pe...@gmail.com: Dear all , i have a big problem with postfx queue. I'm using postfix amavis spamassain. But queue has 5 mails. it's sending very slow. What Can i do ? Thanks. There are various ways to debug this problem and improve performance. A first stop should be http://www.postfix.org/QSHAPE_README.html which describes not only how the various queues work together, but does also give valuable hints on solving some of the problems which one might encounter. General hints on performance tuning can be found at http://www.postfix.org/TUNING_README.html - those documents together should provide you with a reasonable start. smtp-amavis unix - - n - 40 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes Can your server really handle 40 content filter processes (assuming that $max_servers in amavisd is set to 40, too)? You might want to look at your servers memory ressources and see if it startet swapping. You should also provide logging output of messages which are processed slowly - please note that you will need to track two queue IDs, one before it enters the content_filter and one after the reinjection. Cheers Stefan
Re: Postfix queue problem?
On second thought, * Junior Tux junior.pe...@gmail.com: qmgr_clog_warn_time = 0 you might want to leave that at the default value to get helpful information. smtpd_milters = inet:localhost:10026 This milter could be a problem if it is slow. soft_bounce = yes On a prodcution machine, this will increase the load in most cases (senders retrying instead of giving up). virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf If your database is slow or overloaded with connections, this might could slow down mail delivery. Postfix logs lookup problems, so you can verify that quite easily. Cheers Stefan
Re: Looking for opinions on FreeBSD OS for Postfix
* Guy wyldf...@gmail.com: I'm considering FreeBSD as an alternative, but I was wondering what people think of FreeBSD as a platform for Postfix. It's obviously not as easy to maintain as Ubuntu, but it does have a reputation for stability. Any thoughts, recommendations or experiences would be appreciated. The documentation at http://www.postfix.org/INSTALL.html#4 mentions that earlier versions of Postfix were supported on FreeBSD 2.x to 5.x. I think it's very likely that you can run recent Postfix versions on newer FreeBSD releases, too. Cheers Stefan
Improper command pipelining after QUIT
Dear members of postfix-users, can anyone of you please explain to me what the following log entry means: postfix/smtpd[8558]: improper command pipelining after QUIT from unknown[64.8.20.35] I do know what command PIPELINING is, that it is offered in response to an EHLO and that Postfix 2.6 keeps track of improper pipelining on a per session basis (see release notes, feature 20090228). But I am not sure how a client can transmit additional commands after it sent a QUIT to the server. Is that some kind of timing issue, my hardware perhaps being too slow? FWIW, the only restriction I have that mentions pipelining is: smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining I will happily provide all of postconf -n and any lookup tables as per DEBUG_README if that should be necessary. Cheers Stefan
Re: Improper command pipelining after QUIT
* Wietse Venema wie...@porcupine.org: Stefan Förster: Dear members of postfix-users, can anyone of you please explain to me what the following log entry means: postfix/smtpd[8558]: improper command pipelining after QUIT from unknown[64.8.20.35] This means that the client sent QUITCRLF followed by something else; a sign of poor software at work. I see, so that additional text was received before the QUIT statement was actually evaluated and acted upon. Thank you. Perhaps Postfix should log pipelining violations with a fragment of the bits that were sent in error. I don't think this could do much harm. Thanks again Stefan
Re: Understanding rate limiting with anvil.
* Jaroslaw Grzabel ja...@meil.me: I had a problem with rate limiting in postfix in last week, and I had to disable it. I don't know why but I set up rate limiting per IP and it looks like it didn't count rates correctly. Let me shed a lit a bit for my problem. My company decided to limit a number of messages per day per IP. That's why we run anvil and limit 1000msg/24h/IP, so I put into main.cf: smtpd_client_event_limit_exceptions = /etc/postfix/ratelimiting Clients that are excluded from connection count, connection rate, or... excluded. !aaa.bbb.ccc.ddd/29 This means: Don't exclude aaa.bbb.ccc.ddd/29 from rate limiting, i.e. enforce rate limiting for aaa.bbb.ccc.ddd/29. 0.0.0.0/0 This means: Exclude the whole world from rate limiting. I presume syntax in exclude list is incorrect or I don't understand how anvil works at all. I think you need Postfix 2.4 or later to work with that bang-style notation. Cheers Stefan
Re: Delivery failure for one recipient results in re-delivery for all
* Karl-Johan Karlsson creideiki+postfix-us...@ferretporn.se: On Tuesday 04 August 2009, Ralf Hildebrandt wrote: Thanks! That (or, rather, owner-root: somebody) gives the result I want. I only wonder... why? I can't find much documentation on the owner--aliases, and none of it manages to explain this behaviour. http://www.postfix.org/aliases.5.html In addition, when an alias exists for owner-name, delivery diagnostics are directed to that address, instead of to the originator of the message. This is typically used to direct delivery errors to the maintainer of a mailing list, who is in a better position to deal with mailing list delivery problems than the originator of the undeliv- ered mail. Yes, I've seen that, and it makes no sense to me, since no delivery diagnostic mails are ever produced, neither with nor without the owner-root alias. I know that if a owner- alias is present, alias expansion isn't done on every delivery attempt but instead the alias is expanded and the result of that expansion is saved, at least according to this thread: http://archives.neohapsis.com/archives/postfix/2009-06/0396.html I could be terribly wrong, though. Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 FdI #147: Fortran - Makrosprache für ein I/O-Verhinderungssystem (Arno Eigenwillig)
Received: headers and mail forwarding loops
When I submit a mail to my Postfix server (using SASL auth over a TLS connection), Postfix adds the following received header: Received: from aletheia.cite.lan (33.33.33.333.dynamic.cablesurf.de [33.33.33.333]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.incertum.net (Postfix) with ESMTPSA for c...@example.net; Fri, 31 Jul 2009 23:42:33 +0200 (CEST) This is working as expected. If I create a new mail and forcibly insert the above header before I submit it, I get a NDR saying that there is a mail forwarding loop for c...@example.net - which is exactly what I expected, but I'm not 100% sure how this mechanism works. So my question is: Does Postfix compare both the sending host _and_ the recipient address in Received: headers? If not, with regard to Received: headers, which (if any) information is compared to detect a mail forwarding loop? Cheers Stefan
Re: Received: headers and mail forwarding loops
* Wietse Venema wie...@porcupine.org wrote: Stefan Förster: This is working as expected. If I create a new mail and forcibly insert the above header before I submit it, I get a NDR saying that there is a mail forwarding loop for c...@example.net - which is As documented, Postfix uses Delivered-To: headers for loop detection. I am very sorry - I had indeed pasted too many lines into my test email. Cheers Stefan
Re: sieve instead procmail?
* Michael Monnerie michael.monne...@is.it-management.at wrote: I currently have postfix - procmail - zarafa, and would like to have postfix - sieve - zarafa. Is that possible via a milter maybe? The sieve implementation would need to be able to call an external program to deliver mail, but the rest is standard. Since you mentioned procmail, my buest guess is that your Postfix/Zarafa integration is similar to the wiki page at http://zarafa.com/wiki/index.php/MTA_integration This leaves me slightly puzzled, because I can't imagine where you'd want to plug in a Sieve filter: The setup describe above looks like the program zarafa-agent is doing the final delivery (as far as Postfix is concerned), which means that ultimately, the decisions on things like the destination mailbox are made by Zarafa, and not any intermediate MDA (mail delivery agent). What excatly are you trying to do with Sieve filtering? Cheers Stefan
Re: sieve instead procmail?
* Michael Monnerie michael.monne...@is.it-management.at wrote: On Mittwoch 22 Juli 2009 Stefan Förster wrote: What excatly are you trying to do with Sieve filtering? Yes, zarafa-dagent delivers, but you can tell it where: See http://forums.zarafa.com/viewtopic.php?f=11t=2759 Example procmail: :0w * ^X-Original-To: spam-t...@otherdomain.example | /usr/bin/zarafa-dagent $USER -CF Inbox\\SPAM_trapped EXITCODE=$? Maybe I can do the same with dovecot-deliver as Ralf suggested. I'll try this tonight. You should be aware of http://wiki.dovecot.org/LDA/Sieve. Quote: Note that Sieve doesn't support running external programs. Cheers Stefan
Re: postfix strip æø å (highbit chars)
* Benny Pedersen m...@junc.org wrote: On Wed, July 22, 2009 17:50, Noel Jones wrote: You could configure postfix to reject such mail, but then you'll lose otherwise legit mail. yes legit problem also This is probably a stupid question, but are those characters really allowed in email headers? Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 I'm not evil, I'm ... differently motivated!
Re: How do I deliver to a program using a wild card
* Rob Tanner rtan...@linfield.edu wrote: I get email forwarded to me from a FAX server that I need to process and then forward to a different server. The ³to² email address is always in the form of FAXnumber@send.fax. The FAX number could be the phone number for any FAX machine in the country and only the �...@send.fax² is a constant. Right now, I¹ve set up an alias that looks like ³*.send.fax ³/opt/local/adm/aliasFilters/FAX.filter faxfilter² which seems like it should work. When I point alias_maps to that file, and include the send.fax domain in mydestination, the message bounces because it doesn¹t recognize the user (which is simply one of an infinite possible phone numbers). When I move the send.fax domain to relay_domains and point virtual_alias_maps to the alias file, Postfix happily forward the message on to the regilar mail server, substituting the file path for the ³to² address. In no case does the message ever get delivered to the program. Can someone please tell me what I need to do to get this to work right? I¹m running this in a separate instance of Postfix, so no matter what I do, I won¹t screw up the main mail system. Set up fax.send in virtual_alias_domains. In a PCRE map referenced by virtual_alias_maps, add an entry like: /(.*)@fax.send/ local...@my.domain,${1}final.mailserver This will redirect the message to faxnumber@final.mailserver and to the alias localfax (given that you substitue my.domain with a domain which is part of mydestination). In /etc/aliases, add localfax: |/path/to/program and issue newaliases. Cheers Stefan
Re: How do I deliver to a program using a wild card
* Stefan Förster cite+postfix-us...@incertum.net wrote: /(.*)@fax.send/ local...@my.domain,${1}final.mailserver /(.*)@fax.send/ local...@my.domain,$...@final.mailserver The @ was missing.
Re: LDAP Email Recipients Query Script - Feedback Appreciated
* James Robertson j...@mesrobertson.com wrote: I decided to write a bash script for extracting recipients from Windows Active Directory for a Postfix box in front of Exchange. [...] $LDAPSEARCH -x -h $LDAPHOST -D $LDAPUSER -w $LDAPPASS -b $LDAPBASE \ '(proxyAddresses=*)' 2$ERRORLOG | $GREP -f $RELAYDOMAINS | $GREP -Fi While this will almost certainly work for smaller networks, you are in serious trouble if you have more than 1000 recipients. To work around this issue from the Linux side, consider using -E pr=100/(no)prompt. As for the Exchange side, I really don't know, but I know for sure that there is a LDAP protocol settings dialogue in the Exchange server administration GUI. Perhaps someone else can shed some light on this one. Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 FdI #54: Jetzt mit neuem, umfangreichem Softwarepaket. - Treiber liegt bei. (Kristian Köhntopp)
Re: Virtual accounts.
Hallo Gerard, * Gerard postfix.u...@yahoo.com wrote: Running postfix 2.6 I have mail accounts at 'hotmail' and 'yahoo'. I would like to use fetchmail to retrieve mail from those accounts and relay it to postfix. Now, I was thinking that I could use 'virtual' for that. You can do this with fetchmail. user foo there with password bar is baz here. virtual_alias_domains = hotmail.com yahoo.com Don't do that. It basically tells your Postfix to lookup all mails for hotmail/yahoo in this table, and if the receiver is not found, the mail is rejected/bounced. Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 Someone had to put all that chaos there!
Re: Impossible to send mail using SSL for SMTP connection.
* Patrick Ben Koetter p...@state-of-mind.de wrote: * mouss mouss+nob...@netoyen.net: and please remove the smtpd_banner = The eMail Service because it is invalid. The banner must contain the hostname... etc. and it must contain ESMTP or the client will not know the server can speak EXTENDED SMTP, which includes the capability STARTTLS, which is the startpoint for TLS ... Now, maybe I'm blind, but I don't see that requirement in RFC 2821 or 5321. And Postfix's SMTP client's default behaviour is: $ postconf -d smtp_always_send_ehlo mail_version smtp_always_send_ehlo = yes mail_version = 2.5.5 I think an initial greeting of 220 fully.qualified.hostname is pretty common this days - especially with so called anti spam, anti malware appliances. Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 UNIX *is* user-friendly; it's just picky about its friends.
Re: TLS Logging
Hello Mark, please take the following with a grain of salt, it's 4am here, so I might be seriously wrong: * Mark Watts [EMAIL PROTECTED] wrote: I'm in the process of setting up TLS on a number of servers. I have two servers, both running Postfix, one an smtp client and the other an smtpd server, using a self-signed SSL certificate. Sending messages, I get the following in the log on the sender: Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to mail.linux-corner.info Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits) ADH-AES256-SHA is a certificate less cipher. Without a certificate, teher is nothing to verify. However, the same server sending to another TLS-enabled server (I believe its qmail), I get this: Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to burn.qinetiq.com Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification failed for burn.qinetiq.com: num=18:self signed certificate Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified: subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits) I don't know what exactly AES256-SHA is, but obviously, it is not a null cipher, so there is a certificate to verify, and verification fails. Cheers Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 FdI #266: Allradantrieb - Allradantrieb bedeutet, dass man dort stecken bleibt, wo der Abschleppwagen nicht hinkommt.
Re: [OT] postmaster@ for customers' domains?
* Martin Strand [EMAIL PROTECTED] wrote: Now one of these customers wants to create a [EMAIL PROTECTED] account and use it for his personal email... I just want to ask what you guys think about this policy, am I just being silly when reserving these addresses in the customer's own domain? Should I drop that restriction and leave their domains alone? Apart from the workarounds and valid concers which were already pointed out, for me, the main reason to avoid using the postmaster localpart for personal mail is the special treatment it receives at many sites: I've made it a habit for systems I set up to drastically lower the amount of filtering, both in terms of smtpd_mumble_restrictions and content filtering, that postmaster and abuse addresses receive. After all, postmaster is the address that other admins will use to contact you if they have problems receiving mail from or sending it to your system, so you don't want that address to receive your usual filtering. This has never been a problem for me because the amount of junk email sent to postmaster and abuse is absolutely negligible. I don't want to know what happens, though, if that address was used every day... Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 FdI #181: Internet - Das Internet ist durch die preußische Landordnung vorhergesagt worden. (BMJ-Mitarbeiter Dr. Matthias Korte interpretiert Bundesverwaltungsrichter Prof. Dr. Dr. Jörg Berkemann)
Re: [OT] postmaster@ for customers' domains?
* Neil [EMAIL PROTECTED] wrote: On 8 Nov 2008, at 03:46, Stefan Förster wrote: This has never been a problem for me because the amount of junk email sent to postmaster and abuse is absolutely negligible. I don't want to know what happens, though, if that address was used every day... I've noticed the same in the past, and it always puzzled me a little... I suppose spamming the abuse/postmaster is a somewhat faster way to find oneself blacklisted; but on the other hand, I don't really understand why spammers would take the effort to avoid those addresses...afterall, it's easier to guess postmaster and abuse than the random letter/number strings I'm seeing in my mail logs. I think that most of the poeple out there sending UBE/UCE want to make money, but the folks reading postmaster@ and abuse@ are in general not the ones who buy anything from spammers or get easily fooled by some Nigerian scam. From a spammers point of view, there is nothing to gain by sending UBE/UCE to abuse@ and [EMAIL PROTECTED] Cheers Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 25 Zeichen, daß Du erwachsen bist, Nummer 24: Du trinkst nicht mehr zu Hause, um Geld zu sparen, bevor Du ausgehst.
Re: How to run patch file making correction
* Stephen Liu [EMAIL PROTECTED] wrote: I'm following this howto; POSTFIX http://www.postfixvirtual.net/postfixvirtual.html#postfix CYRUS_SASL http://www.postfixvirtual.net/postfixvirtual.html#cyrussasl building the mail server. All packages were compiled from sources. Version; postfix-2.5.5.tar.gz I have tried building Postfix Virtual by following other 3 howtos before, all packages download on Debian repo. After finish all servers can't work properly. This is my 4th round. There is no reason to build your own packages when using Debian/stable. Backports include Postfix 2.5.5. To use them, simply add to your /etc/apt/sources.list: deb http://www.backports.org/debian etch-backports main contrib non-free Run aptitude update, then aptitude -t etch-backports install postfix You might want to include more packages in the command line above, like for example postfix-pcre, postfix-mysql or postfix-cdb, depending on your need. Make sure you carefully read (and understand) http://www.backports.org/dokuwiki/doku.php?id=instructions Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 One World, one Web, one Program - Microsoft promotional ad Ein Volk, ein Reich, ein Fuhrer - Adolf Hitler
Re: authentication failed
* Rocco Scappatura [EMAIL PROTECTED] wrote: After connection, in mail log, I get: postfix/smtpd[19545]: warning: unknown[xxx.yyy.www.zzz]: SASL LOGIN authentication failed: authentication failure I do get those all the time. Users mistyping their passwords, usernames, client's getting AUTH all wrong and so on. then postfix/smtpd[19545]: lost connection after AUTH from unknown[xxx.yyy.www.zzz] The client disconnects. Add that particular client to debug_peer_list to see what's going on, but this is not a Postfix problem, it's the client which disconnects after authentication doesn't succeed. But I think that - being authentication failure a warning, the smtp dialog shoulnt be broken. Seen from an smtpd's point of view, failure to authenticate is not fatal, so it is logged as a warning. Then I ask why the connection with the client is lost? Go ask the client's programmers ;-) Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 FdI #132: Plug and Play - Kondome. (Rolf Siebrecht)
Re: Remote delivery concurrency
* Samy Ascha, Xel Media B.V. [EMAIL PROTECTED] wrote: Do you guyz have any smart ideas on how to treat mail for this domain a little different from other mail, so I don't have to change our mail- setup globally? The document available at http://www.postfix.org/QSHAPE_README.html#backlog shows how to define a dedicated transport for one specific destination, how to play around with concurrency and the number of smtp delivery agents available, makes remarks about the use of static connection caching and so on. You cannot copy/paste the example given there, but it should show you how you can approach this problem. What's also baking my noodle, is whether the remote party might have an issue with connections hanging around.. For all I know, I'm making only one connection, but they are screwing something up on their side by not closing them down. The problems started few days ago and, although they have not confirmed this, I must conclude that they only recently made this cripled MTA cluster. Postfix supports the smtp_data_done_timeout, though this might not exactly be what you are lokking for: Postfix will try to deliver at least once, not exactly one. If you do not receive a server response on a hanging connection and smtp_data_done_timeout kicks in, the mail might be delivered multiple times. Cheers Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9
Re: Remote delivery concurrency
* Samy Ascha, Xel Media B.V. [EMAIL PROTECTED] wrote: I added a [chello.nl - chello:] mapping to the SQL back-end and a [EMAIL PROTECTED] - @chello.nl] virtual mapping to fix the unknown local user (550) error. I don't understand exactly. What you need is a transport_maps entry (i.e. an entry in one of the maps specified by transport_maps) pointing to the newly created transport - I assume that's the first part of your statement above. I don't know, though, why you went through the trouble of adding a virtual user mapping like above: Wildcard mapping like you presented it will likely result in a broken recipient validation. Furthermore, when relaying a mail to a remote destination, you should never get a 550 User unknown referring to a local destination. After a 'postsuper -r ALL deferred' I still don't see any evidence in the logs of the transport being used. I feel there is a solutino here, but postfix just isn't using it ;) If you issue the command postmap -q chello.nl map (replace map with the actual transport map!), does it say chello:? At this point, I'm almost about to ask you for output of postconf -n and the content of any relevant maps involved in the relay attempt and the relevant log entries, because I suspect a mis-use of the different Postfix address classes (see: http://www.postfix.org/ADDRESS_CLASS_README.html). Please do obfuscate any logs you post here as needed to protect your user's privacy. Cheers Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9
Re: Which FileSystem do you use on your postfix server?
* Simone Felici [EMAIL PROTECTED] wrote: I know, there is enough written on the net and on the mailinglist too, but have found only old results, maybe the meanwhile something is different, also I would ask you... Which filesystem do you use on your mailserver? I'm going to migrate a mailserver with EXT3 (and qmail) to a new postfix mailserver (virtual domains on mysql, ...). I would create the system on EXT3 (RHES) and the following partitions on rieserfs: /var/spool/postfix AND the partition that will contain all mails in MailDir format. Postfix works perfectly with it's spool on an ext3 filesystem - or rather, the list of Linux specific issues at http://www.postfix.org/LINUX_README.html does not mention ext3. Given this and the fact that a lot of people are running Postfix with it's spool on an ext3 filesystem suggests that there are no fundamental problems with this setup (well, there is one gotcha: At least on i386, ext3 can only handle 32k inodes per directory). Since some point during development of the 2.4 kernel, ext3 got the ability to use htree hashing for direcotry indexing. I don't know whether the Orlov allocator ever made it to the official kernel, but nevertheless, an ext3 filesystem initialized for storing a lot of small files (inode_ratio = 4096) and htree inidces (-O dir_index) is perfectly capable of dealing with the requirements that mail handling imposes. That said, although I personally never had any issues with ReiserFS, there are really tons of problem reports out there on the net - so I'd never use ReiserFS for any data I care for - though it might be perfectly fine for things like a proxy cache. Besides, I never saw any real performance gains (see below). At the moment the server has ~100.000 mailboxes and more or less 120.000 mails stored per day (already filtered trought spam filters from frontend servers). If directory access times really become an issue, you can always work around that: The configuration parameter virtual_mailbox_maps allows you to store incoming mail in a directory structure of several levels instead of a flat hierarchy. For example: [EMAIL PROTECTED] - $virtual_mailbox_base/incertum.invalid/cite could also become [EMAIL PROTECTED] - $virtual_mailbox_base/i/incertum.net/c/cite We cannot give you any advice on a possible way to organize your mail storage without knowing some real data on the number of domains and localparts per domain involved. Any suggestions? Any test results on both FS to compare with mine I'll create? Back in 2004, during my time at university, me and some friends performed some quick tests, which you can find at: http://tinyurl.com/6bb3q4 It's in German, but perhaps you can find an online service to translate it - though I seriously doubt it's worth the trouble: Old kernel and we didn't really put that much effort into the tests we performed. There are a number of performance related docs in the Postfix website: http://www.postfix.org/TUNING_README.html http://www.postfix.org/QSHAPE_README.html As a last remark: IMAP servers typically impose a greater I/O load on a system than the MTA itself. There are massive performance differences betweens Cyrus, Courier, uw-imapd and Dovecot, so perhaps you might want to search for a benchmark on those programs. Conclusion: Don't put valuable data on ReiserFS. Don't do premature optimization. You can always change filesystems if your tests show performance gains and you run into performance shortages. Cheers Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9
Re: System stressed
* Joey [EMAIL PROTECTED] wrote: I see several of these when watching top. smtpd -n smtp -t inet -u -o stress If Postfix was operating in stress mode, you would see -o stress=yes. Ciao Stefan -- Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9 25 Zeichen, daß Du erwachsen bist, Nummer 17: Essen gehen und Kino ist die ganze Verabredung, nicht erst der Anfang.