bounces to reply-to or return-path?

2008-08-24 Thread Stefan Palme
Hi all,

this is a question not exactly postfix related: When a mail server
is about to send a bounce message to the original sender of an
undeliverable mail - which address will this bounce be sent to?

The Return-Path? The address from the "From" header? 
Or even to the "Reply-To" address?

Thanks 
Best regards
-stefan-




Re: bounces to reply-to or return-path?

2008-08-25 Thread Stefan Palme

> > this is a question not exactly postfix related: When a mail server
> > is about to send a bounce message to the original sender of an
> > undeliverable mail - which address will this bounce be sent to?
> >
> > The Return-Path? The address from the "From" header?
> > Or even to the "Reply-To" address?
> 
> Bounces are always sent to the envelope sender address. That address is
> also added as the Return-Path header by the MTA upon final delivery (i.e.
> you won't find the Return-Path header on the wire and you can't use that
> header to affect where bounces go).

Thanks for your answer. It's absolutely perfect :-)

I don't want to use the Return-Path for changing any behaviour,
I only want to make sure, that normal replies to an email go to
another recipient (using the Reply-To-Header) than bounce messages...

Regards
-stefan-




best way for website sending emails

2008-08-25 Thread Stefan Palme
Hello,

a little bit off topic - but maybe someone can comment this...

We are running a website where users can register themselves, use
features like "send this page to a friend" etc. Those features
make the web application send an email to a user. The from
addresses (envelope FROM and header From:) are set to an
existing email address (like [EMAIL PROTECTED]).

It happens very very often that users enter an invalid email
address or just senseless texts. So the webmaster-address
receives all the backscatter from undeliverable mail.

Now I want to change the envelope FROM (and the header From)
address to a non-existing address (like [EMAIL PROTECTED]),
and set the Reply-To-Header to [EMAIL PROTECTED]

The idea behind this: the backscatter caused by undeliverable
mail will go to /dev/null, while all regular replies to one
of those auto-generated emails will reach the webmaster.

Is this the "state-of-the-art" way to solve this? Or are there
any other, better solutions? 
[Using captchas or similar does not really solve the problem, 
because even really existing human beings often enter senseless 
stuff like "[EMAIL PROTECTED]" ;-)]

Thanks
Best regards
-stefan-







Re: best way for website sending emails

2008-08-25 Thread Stefan Palme
Hi,

> > It happens very very often that users enter an invalid email
> > address or just senseless texts. So the webmaster-address
> > receives all the backscatter from undeliverable mail.
> 
> This is not backscatter. this is a legitimate bounce.

Ok, sorry, I've used the wrong term - I'm talking about
exactly those legitimate bounce messages.

> > Now I want to change the envelope FROM (and the header From)
> > address to a non-existing address (like [EMAIL PROTECTED]),
> > and set the Reply-To-Header to [EMAIL PROTECTED]
> > 
> 
> Instead of playing bad games, set the envelope sender to a specific 
> address.
> 
> > The idea behind this: the backscatter caused by undeliverable
> > mail will go to /dev/null, while all regular replies to one
> > of those auto-generated emails will reach the webmaster.
> > 
> 
> and what if I want to complain by replying to the From or Reply-to? what 
> if as a new admin, I want you to cease sending to an old address? ... etc.

Hmmm. Maybe I did not understand you, or you me... ;-)

I want the From address to be set to something like [EMAIL PROTECTED]
A mail sent to this address will cause no error, but nobody will
read those emails.

The Reply-To-address will become a really existing address which is read
by someone, so that replying to an email works as expected.


So all those "legitimate bounces", which go to the envelope FROM address
(= address in From: header, caused by our email sending tool) will be
received by our server, but never read by someone; and all legitimate
replies, which go to the Reply-To address, will be received and read
normally.

Because bounces go to the envelope FROM, and I don't want to receive
bounces, I have to set the envelope FROM to a "dummy" mail address. 
The address in the From: header could be "my" email address, but because
of limitations in the used email sending tool the From: header address
and the envelope FROM are always equal.
Maybe the weak point here is the From: header address being always the
same as the envelope FROM ?


> don't think this will be a simple project: it is not. make sure to get
> it right. every time you send a message, you will be judged. and if
> you are judged wrong, you won't have any chance to fix things (once you
> are in our private ACLs, you will never be able to get out. and once 
> hotmail/yahoo/ have computed your "reputation", you'll have a hard 
> time changing it).

This part I don't understand. When our web application sends the
following mail:

  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]

using [EMAIL PROTECTED] in the "MAIL FROM" during SMTP communication,
and there is no "somebody" at Yahoo, a bounce message to
[EMAIL PROTECTED] could be the result. This address is a valid
address, but all emails sent to this address will be thrown away
as soon as received. How would Yahoo detect this and blame me for this?


Ahm - maybe we misunderstood in this point: all references to
"example.com" in my postings should be replaced by my REAL domain
name - of course I do not want to send mails with "[EMAIL PROTECTED]"
as sender address - I've used it just as a placeholder... :)


Regards
-stefan-





Re: best way for website sending emails

2008-08-25 Thread Stefan Palme

> > I want the From address to be set to something like [EMAIL PROTECTED]
> > A mail sent to this address will cause no error, but nobody will
> > read those emails.
> 
> That is a very very bad idea and the best way to have your server added to
> many RBLs.
> 
> You want to look at and process all bounce messages and then identify the
> clients that are causing the problem and deal with them. 

On this special server the one and only client is the web application,
where anonymous users can use a web form to ask for an account. They
have to fill in their email address. The web application sends a
mail to this address with a dynamically generated link the user has
to follow to really make the web app create the account.

In this scenario the "bad client" is "all the bored kids and bots" 
that fill web forms with senseless content, so the only way to fight
this is using some kind of captchas, isn't it? 

I did not know that it's "no good reputation" for a sending mail
server when this server often tries to send to non-existing email
addresses... 
(So in theory, a "bad employee" could blame his company's outgoing 
mail server by generating thousands of mails to non-existing email
addresses?)

Regards
-stefan-




Re: best way for website sending emails

2008-08-25 Thread Stefan Palme
Thanks for all your answers. My first approach to just throw
away all bounces caused by senseless data entered into a web
form is obviously too naive ;-)

I guess I will go the way to collect bounces by a script and
establish an smtpd_recipient_restrictions based on this list
of bouncing addresses.

The only thing I cannot handle with this approach are bots using
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] etc. as
destination email addresses - all those addresses will bounce
and be collected, but never tried again by the bot. An IP-based
rate limiting (and all other sorts of rate limiting based on client
information) on postfix side will not work, because the client's
IP address is always 127.0.0.1 (the web application, used via a
remote browser).

So an IP-based rate limiting in the web applications logic
will be necessary - and this is really expensive, because there
are a LOT of web applications using web forms running on this
server...

Maybe there is a way to solve this on postfix side, too?
Each web application could add an additional Header "X-Sender-IP: "
(and maybe other client information) to the generated mails - this
is not too expensive to implement.

Is it possible to use postfix to define "for each value of
X-Sender-IP there are only 5 messages per day allowed" ? This would
not prevent a bot from filling the web form thousand times a day,
but postfix will not even accept 995 of these messages to be sent out...

I guess I will have to write my own policy daemon for this,
or is this possible with pure postfix configuration?

Thanks and regards
-stefan-




Re: best way for website sending emails

2008-08-25 Thread Stefan Palme

> Instead of adding an ever-increasing list of features to Postfix
> (or throwing in a Turing-complete scripting language) I decided
> around 2000 to allow people to plug stuff into Postfix: content
> filters, policy daemons, and Milter applications.

This is absolutely ok - I've just asked to be sure to not
code something that already exists natively in postfix :-)

Regards
-stefan-




Re: [OT] Using [EMAIL PROTECTED] [was: best way for website sending emails]

2008-08-26 Thread Stefan Palme
On Tue, 2008-08-26 at 10:51 +0200, Robert Schetterer wrote:
> Jeff schrieb:
> > On Mon, Aug 25, 2008 at 9:46 AM, Tony Holmes <[EMAIL PROTECTED]> wrote:
> >>> I want the From address to be set to something like [EMAIL PROTECTED]
> >>> A mail sent to this address will cause no error, but nobody will
> >>> read those emails.
> >> That is a very very bad idea and the best way to have your server added to
> >> many RBLs.
> >>
> > 
> > 
> > I'm afraid I don't see how sending mail with an unmonitored return
> > address (i.e., accepted and delivered locally to /dev/null) will get
> > you on an RBL. I get mail of that type from big companies all the
> > time. They usually have something in the message that explains that
> > you should not reply and that replies will not be read. Could someone
> > expand on the RBL comment?
> > 
> > We have reason to do this for messages that provide automated
> > information but are not intended to start a dialogue with the
> > customer. Why is this wrong? It seems to be a rather common practice.
> > 
> 
> in rare cases, recipients may use sender verify (which they shouldn't 
> do these days, i.e. it makes a lot of unneeded smtp traffic, backscatter 
> and doesn't work with greylisting in most cases) so if you use a
> not working/valid noreply@ mail address, mail will not reach
> the recipient (never use non-existing domains with noreply@ cause this 
> will not work with most antispam solutions, never use domains you do not 
> own cause this leads to losing mail traffic to others), so use a smtp 
> working noreply@ with your domains as sender address
> but simply don't answer to mails going there, you may silently discard them

This is exactly the point of question me and Jeff are talking about:
It has been said by other posters, that using a sender address, that
is SMTP-valid (i.e. you can send emails to this address without error),
but silently discarded by the receiving server, is NOT a good practice
and will cause "bad reputation". Why?

-stefan-




Re: [OT] Using [EMAIL PROTECTED] [was: best way for website sending emails]

2008-08-26 Thread Stefan Palme
Hi Robert,

> there is nothing you can do against people
> writing/reply mails to addresses what ever, so i think
> this problem is not really total solvable by
> tec stuff , also there is less what you can do about
> what people think about your reputation, so you better don't care

It's not MY reputation I have to care about. We are talking about
"reputation" in sense of being blacklisted - see the original
thread for the full discussion, and especially the postings of mouss.

Thanks

Best regards
-stefan-




bounce delivery report

2008-08-26 Thread Stefan Palme
Hi all,

when postfix creates a bounce message, a "Delivery report" will be
attached describing the problem.

Is it possible to modify the format of this delivery report, 
e.g. adding a line to it?

Regards
-stefan-




Re: bounce delivery report

2008-08-27 Thread Stefan Palme

> > Is it possible to modify the format of this delivery report, 
> > e.g. adding a line to it?
> 
> 

Great, thanks!

-stefan-




canonical_classes per sender?

2008-08-27 Thread Stefan Palme
Hi,

I want to apply canonical_maps to different canonical_classes, depending
on the sender. E.g. I have the following sender_canonical_maps file:

  [EMAIL PROTECTED]  [EMAIL PROTECTED]
  [EMAIL PROTECTED]  [EMAIL PROTECTED]


I want the first rule be applied only to the envelope_sender,
while the second rule should be applied to both envelope_sender
and header_sender. 
So I would need a per-sender sender_canonical_classes 
configuration directive...

Is this possible?

Thanks and regards
-stefan-




Re: Erroneous Legal bounces... query

2008-08-27 Thread Stefan Palme
> At one of our domains we get a lot of SPAM, that's relatively easily 
> handled with all the filters and software
> available today, but one thing we are plagued with is bounces from spam 
> sent to other domains using our
> domains users as faked senders... these will not be caught in our spam 
> engines and are really erroneous since
> none of our accounts was really sending these emails... but we sure 
> do get the bounces...
> 
> How do you people sort these out?
> We are really not interested in bounces and rejects because of mail WE 
> did not send.

Probably this helps:
http://www.postfix.org/BACKSCATTER_README.html


> Johan A
> Beginning postix admin

The first rule to be a good postfix admin: don't misspell postfix ;-)

-stefan-




where to send auto-replies?

2008-08-28 Thread Stefan Palme
Hi all,

I've reconfigured our website email system, so auto-generated emails
now have a valid From: and Reply-To: header ([EMAIL PROTECTED]) and use
an alternate envelope-FROM ([EMAIL PROTECTED]).

Now I have seen a lot of auto-reply mails (aka "I am on holidays and
back in september"). These mails are being sent to the info-bounces
address, i.e. the original envelope FROM.

Is this the expected behaviour for this kind of auto replies? 

More general: is there a written rule, when to send emails to the
Return-Path, when to "Reply-To:" and when to "Errors-To" ?

Thanks and regards
-stefan-




rbl / rhsbl services?

2008-08-28 Thread Stefan Palme
Hi again,

where do I get information about current well known 
services to be used for

  reject_rbl_client
  reject_rhsbl_sender
  reject_rhsbl_recipient 

Thanks and regards
-stefan-




caching information about bouncing recipients?

2008-08-28 Thread Stefan Palme
Hi,

is there a builtin way to make postfix remember bouncing recipient
addresses, so that further attempts to send mails to those addresses
can be rejected?

I do NOT want to use active recipient address verification. I only want
to save when a real mail delivery attempt fails - so this seems to be
kind of "passive address verification during mail delivery". 

Thanks and regards
-stefan-




append_at_myorigin for envelope addresses?

2008-08-29 Thread Stefan Palme
Hi,

the following SMTP session works:

--
> telnet localhost 25
...
EHLO localhost
...
MAIL FROM: root
250 2.1.0 Ok
RCPT TO: root
250 2.1.5 Ok
DATA 
354 End data with <CR><LF>.<CR><LF>
To: root
From: root
Subject: test

.
250 2.0.0 Ok: queued as 1FE944A4078
--

I receive the email in the correct mailbox. My main.cf contains

  append_at_myorigin = yes
  append_dot_mydomain = yes
  local_header_rewrite_clients = 

In the received mail the From: and To: headers are indeed only
"root" (and not "[EMAIL PROTECTED]").

But what makes postfix accept the non-fully-qualified envelope 
sender and recipient addresses? I don't want to allow this,
I want to enforce "MAIL FROM: [EMAIL PROTECTED]" etc...

Thanks and regards
-stefan-




Re: append_at_myorigin for envelope addresses?

2008-08-29 Thread Stefan Palme

> But what makes postfix accept the non-fully-qualified envelope 
> sender and recipient addresses? I don't want to allow this,
> I want to enforce "MAIL FROM: [EMAIL PROTECTED]" etc...

Ah sorry, found the problem in my smtpd_recipient_restrictions:

smtpd_recipient_restrictions = 
  permit_mynetworks, permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  ...

After putting the reject_non_fqdn_recipient in the first 
place everything works as expected.

Regards
-stefan-




Re: envelope recipient in mail headers?

2008-08-29 Thread Stefan Palme

> > Is there a way to enforce postfix to always insert a "from ..." part
> > on its Received: header? 

Of course I meant "for..." part...


> No, that would violate the privacy of BCC recipients.

Why? The normal recipient (e.g. [EMAIL PROTECTED]) would get a mail with

  Received: from ... by mail.example.com for [EMAIL PROTECTED]


while a BCC recipient (e.g. [EMAIL PROTECTED]) would get a mail with 

  Received: from ... by mail.hell.net for [EMAIL PROTECTED]


I don't see any privacy violation. What exactly do you mean
with "privacy of the BCC recipients" ?

Regards
-stefan-




Re: envelope recipient in mail headers?

2008-08-29 Thread Stefan Palme

urx, Friday syndrome...

More correct example:

Why? The normal recipient (e.g. [EMAIL PROTECTED]) would get a mail with
 
  Received: from ... by mail.example.com for [EMAIL PROTECTED]
 
while a BCC recipient (e.g. [EMAIL PROTECTED]) would get a mail with 

  Received: from ... by mail.example.com for [EMAIL PROTECTED]

 
-stefan-


-- 
---
Dipl. Inf. (FH) Stefan Palme
 
email: [EMAIL PROTECTED]
www:   http://hbci4java.kapott.org
   http://converter-db.de
   http://myamavis.kapott.org
icq:   36376278
 
key fingerprint: 1BA7 D217 36A1 534C A5AD  F18A E2D1 488A E904 F9EC
---



envelope recipient in mail headers?

2008-08-29 Thread Stefan Palme
Hi all,

Today seems to be postfix day, so sorry for the bulk of questions ;-)

When I receive a mail with only ONE envelope recipient, postfix
inserts a mail header of the form

Received: from localhost (localhost [127.0.0.1]) by
mail.mydomain.com (Postfix) with ESMTP id F335A4A4084 for
<[EMAIL PROTECTED]>; Fri, 29 Aug 2008 12:23:23 +0200 (CEST)


Which is nice, because this way I see the original envelope recipient
even when the To: header is forged.


During mail delivery with multiple envelope recipients the generated
Received: header looks like this:

Received: from localhost (localhost [127.0.0.1]) by
mail.mydomain.com (Postfix) with ESMTP id 2FAE74A406F; Fri, 29 Aug
2008 12:20:13 +0200 (CEST)

Of course there is no "for ..." part because there are multiple
recipients. 

Is there a way to enforce postfix to always insert a "from ..." part
on its Received: header? 
Maybe by specifying default_destination_recipient_limit = 1 ?

If yes, has default_destination_recipient_limit=1 any bad side effects?

Thanks and regards
-stefan-




Re: Creating a dummy filter

2008-08-30 Thread Stefan Palme
On Fri, 2008-08-29 at 09:39 -1000, Camron W. Fox wrote:
> Noel Jones wrote:
> > Camron W. Fox wrote:
> >> Alle,
> >>
> >> We would like to filter all internal email so that it bypasses 
> >> SpamAssassin. We have set up per_client_filters using:
> >>
> >> smtpd_client_restrictions =
> >> check_client_access cidr:/etc/postfix/per_client_filter
> >>
> >> == per_client_filter:
> >> 0.0.0.0/0     FILTER spamassassin:
> >> 10.0.0.0/8    FILTER dummy:
> >> ...
> >>
> > 
> > Note that order matters in a cidr: table.  First match wins; everything 
> > matches 0.0.0.0/0.  Put the catchall last, more specific entries earlier.
> > http://www.postfix.org/cidr_table.5.html
> > 
> >> The spamassasin filter works fine, but how do we create a dummy 
> >> filter that just does a bypass of all the internal emails?
> >>
> > 
> > Why send them through a filter at all if you don't want them filtered?  
> > Use DUNNO as the table result.
> > 
> > 10.0.0.0/8  DUNNO
> > 0.0.0.0/0  FILTER...
> > 
> Noel,
> 
>   So this will accomplish what we want?
> 
> 10.0.0.0/0    DUNNO
> 0.0.0.0/0     FILTER  spamassassin:


Maybe not exactly. We have a similar setup. The problem here is,
that mails handed out to spamassassin (in our case it's amavisd-new)
are reinjected by amavisd-new to postfix via localhost:10025. All
mails bypassing amavisd-new must be "manually" reinjected to port
10025 to accomplish address rewriting etc. (all the stuff that is
done AFTER content filtering).

So your setup would look like this:

10.0.0.0/8 FILTER smtp:[127.0.0.1]:10025
0.0.0.0/0  FILTER spamassassin:

Regards
-stefan-




when will smtpd_milters be applied

2008-09-01 Thread Stefan Palme
Hi all,

will an incoming message be sent through the specified smtpd_milters
BEFORE or AFTER smtpd_recipient_restrictions tests are applied?

I did not find any hint regarding this in the docs.

Thanks
-stefan-




bounce processing

2008-09-04 Thread Stefan Palme
Hi all,

Our mail server is configured to use special envelope sender addresses
for some outgoing mail so that bounces can be processed automatically.

The "bounce processor" is a self-made script. Are there any hints what
to look for in a bounced mail to be sure, that it really is a bounce
caused by "undeliverable mail" (and not only a vacation message), and
how to clearly detect the email address that bounced? My goal is to
collect invalid email addresses, but not email addresses that only send
a vacation message or other auto-reply-stuff.

I guess I have to look which formats of bounce messages I receive and
make my bounce processor detect the various formats and extract the
relevant information from it. Maybe there is a more general approach?

Thanks and regards
-stefan-




Re: bounce processing

2008-09-05 Thread Stefan Palme
On Fri, 2008-09-05 at 06:52 -0400, Wietse Venema wrote:
> Stefan Palme:
> > Hi all,
> > 
> > Our mail server is configured to use special envelope sender addresses
> > for some outgoing mail so that bounces can be processed automatically.
> > 
> > The "bounce processor" is a self-made script. Are there any hints what
> > to look for in a bounced mail to be sure, that it really is a bounce
> > caused by "undeliverable mail" (and not only a vacation message), and
> > how to clearly detect the email address that bounced? My goal is to
> > collect invalid email addresses, but not email addresses that only send
> > a vacation message or other auto-reply-stuff.
> 
> Use an envelope sender address that does not appear in From: or reply-To:.

I do. But not only "real bounces" are sent back to the envelope sender
address, but vacation-auto-replies too. See thread with subject 
"where to send auto-replies?".

Regards
-stefan-
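
Added example, not part of the original posts: one way a bounce-processing script can tell an RFC 3464 delivery status notification apart from a vacation auto-reply (RFC 3834 `Auto-Submitted` header) and turn permanent failures into access(5) entries. The sample messages, the function names and the REJECT text are constructed for illustration.

```python
import email

# Constructed sample messages (not taken from the thread).
HARD_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
To: info-bounces@example.com
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

The address below could not be reached.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; Nobody@Example.net
Action: failed
Status: 5.1.1

--BOUND--
"""
# Same report, but a temporary problem: the address must not be collected.
DELAYED = HARD_BOUNCE.replace("Action: failed", "Action: delayed").replace(
    "Status: 5.1.1", "Status: 4.4.1")
VACATION = """\
From: someone@example.net
To: info-bounces@example.com
Subject: Out of office
Auto-Submitted: auto-replied

I am on holiday and back in September.
"""
PLAIN = """\
From: someone@example.net
To: info-bounces@example.com
Subject: hello

A human wrote this.
"""


def dsn_recipients(msg):
    """Yield (address, action, status) for each per-recipient DSN block."""
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()
        if not isinstance(blocks, list):
            continue  # malformed report, nothing reliable to extract
        # The email package parses this part into header blocks: the first
        # is per-message, every later one describes a single recipient.
        for block in blocks[1:]:
            recipient = block.get("Final-Recipient") or block.get("Original-Recipient")
            if not recipient:
                continue
            # "rfc822; user@domain" -> "user@domain", lower-cased as lookup key
            address = recipient.split(";", 1)[-1].strip().lower()
            yield (address,
                   block.get("Action", "").strip().lower(),
                   block.get("Status", "").strip())


def classify(raw):
    """Return (kind, addresses); kind is hard-bounce, soft-bounce, auto-reply or unknown."""
    msg = email.message_from_string(raw)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    # Test for a DSN first: a bounce may carry Auto-Submitted as well.
    if is_dsn:
        failed = sorted({addr for addr, action, status in dsn_recipients(msg)
                         if action == "failed" and status.startswith("5.")})
        return ("hard-bounce", failed) if failed else ("soft-bounce", [])
    # RFC 3834: automatic responders label their mail with Auto-Submitted.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return ("auto-reply", [])
    return ("unknown", [])  # non-standard bounce or human mail: review by hand


def access_entries(raw_messages, text="address bounced"):
    """Build access(5) table lines for addresses that failed permanently."""
    bad = set()
    for raw in raw_messages:
        kind, addresses = classify(raw)
        if kind == "hard-bounce":
            bad.update(addresses)
    return [f"{addr}\tREJECT {text}" for addr in sorted(bad)]


if __name__ == "__main__":
    for name, raw in [("bounce", HARD_BOUNCE), ("delayed", DELAYED),
                      ("vacation", VACATION), ("plain", PLAIN)]:
        print(name, classify(raw))
    print("\n".join(access_entries([HARD_BOUNCE, DELAYED, VACATION])))
```

Bounces that do not use the multipart/report format, and auto-responders that omit `Auto-Submitted`, end up as "unknown" here and need format-specific handling.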




RE: [SPAM?] Re: First Time Configuration assistance

2008-09-05 Thread Stefan Palme
> With an ever changing list of over 600 e-mail addresses, manually
> maintaining relay_recepient_maps doesn't strike me as appealing, or
> practical.
> 
> Unsurprisingly we have an AD back-end, is there any way for the two to
> communicate? I see this as being the only practical way to check valid
> recipients, though let me know if there is a better way.

We have a similar setup, where a "frontend mailserver" is relaying
incoming mail to an intranet Domino mail server. Because it's very
ugly to automatically extract a list of valid email addresses from
the Domino server we are currently switching to recipient address
verification on the frontend mail server (postfix), so that postfix
always "asks" the Domino server "is this a valid address?"

Regards
-stefan-




Re: per-user recipient_restrictions?

2008-11-12 Thread Stefan Palme
On Wed, 2008-11-12 at 09:22 -0500, Wietse Venema wrote:
> Stefan Palme:
> > Hi all,
> > 
> > I have something like this in my main.cf:
> > 
> > smtpd_recipient_restrictions = 
> > reject_non_fqdn_sender,
> > reject_non_fqdn_recipient,
> > reject_unknown_sender_domain,
> > reject_unknown_recipient_domain,
> > permit_mynetworks,
> > permit_sasl_authenticated,
> > reject
> > 
> > This is a mail server used only as outgoing SMTP server,
> > either for local hosts (which is only 127.0.0.1) and
> > a list of authenticated users.
> > 
> > Now I want a special authenticated user to be allowed to send
> > mails with an "unknown recipient domain". Is this possible?
> 
> The simple approach is to put permit_mynetworks BEFORE the other
> restrictions.
> 
> The ugly approach is to replace the above by:
> 
> /etc/postfix/main.cf:
> smtpd_client_restrictions =
>   check_client_access pcre:/etc/postfix/client_access
> 
> smtpd_recipient_restrictions =
>   permit_mynetworks
>   permit_sasl_authenticated
>   reject
> 
> /etc/postfix/client_access:
> /^1\.2\.3\.4$/ dunno
> /./  reject_non_fqdn_sender, .., 
> reject_unknown_recipient_domain
> 

Thanks to all of you.

@Wietse: the main point is, that I don't want a certain CLIENT (=IP
address) to be allowed to send to invalid domains, but a certain USER
(identified by SASL-auth). 
For all "normal" users the domain check should be enabled, only one
special user will be allowed to try to send to "invalid domains"...

Regards
-stefan-




per-user recipient_restrictions?

2008-11-12 Thread Stefan Palme
Hi all,

I have something like this in my main.cf:

smtpd_recipient_restrictions = 
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject

This is a mail server used only as outgoing SMTP server,
either for local hosts (which is only 127.0.0.1) and
a list of authenticated users.

Now I want a special authenticated user to be allowed to send
mails with an "unknown recipient domain". Is this possible?

(The reason for this strange requirement is, that this "user"
is a software product. This software delivers its mails via 
the local SMTP server. When it tries to send emails to an invalid
domain, postfix should not reject this email during the internal
SMTP communication. Instead I want it to accept it and create
a bounce message to the original sender).

Any hints how to solve this?

Thanks and regards
-stefan-





skipping single restrictions

2010-02-10 Thread Stefan Palme
Hi all,

I have smtpd_recipient_restrictions like this:

smtpd_recipient_restrictions = 
...
permit_sasl_authenticated, permit_mynetworks, 
reject_unauth_destination,
check_policy_service unix:private/postgrey,
reject_rbl_client zen.spamhaus.org,
permit

For testing purposes, I want to skip the policy service for some
recipient addresses, for other recipients I want to skip the spamhaus
check, and for a third class of recipients I want to skip both checks.

So the idea is something like this:

smtpd_recipient_restrictions = 
...
permit_sasl_authenticated, permit_mynetworks, 
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/skip_postgrey,
check_policy_service unix:private/postgrey,
check_recipient_access hash:/etc/postfix/skip_spamhaus,
reject_rbl_client zen.spamhaus.org,
permit

/etc/postfix/skip_postgrey could contain something like:

  do.not.want.postg...@example.com    SKIP_NEXT_RESTRICTION

Similar for /etc/postfix/skip_spamhaus...

Of course, "SKIP_NEXT_RULE" is not a possible action in access tables.
But I guess you see what I want. Any ideas how to solve this?

Thanks and regards
-stefan-




Re: skipping single restrictions

2010-02-12 Thread Stefan Palme
On Wed, 2010-02-10 at 15:26 -0500, Wietse Venema wrote:
> Stefan Palme:
> > ...
> > For testing purposes, I want to skip the policy service for some
> > recipient addresses, for other recipients I want to skip the spamhaus
> > check, and for a third class of recipients I want to skip both checks.
> 
> See RESTRICTION_CLASS_README for recipient-dependent restrictions.

Thanks to all for their answers, restriction classes solved the issue!

Best regards
-stefan-




how to specify a "default key" in access(5)

2010-02-14 Thread Stefan Palme
Hi,

I guess I'm just temporarily blind, but I can't find a solution.
I have a smtpd_recipient_restriction like this:

  ..., check_recipient_access hash:/etc/postfix/recipients, permit

with /etc/postfix/recipients:
us...@example.com REJECT don't use this!
us...@example.net DEFER some other reason
. REJECT rejected for testing purposes

(This is just for some tests, so don't mind about how useful
this may be ;-)

The last entry in this file seems not to work - all recipient
addresses (except us...@example.com and us...@example.net) fall
through this test, so that the next rule in recipient_restrictions
("permit") applies to them.

Is there a way to define a kind of "fallback lookup pattern"?

[Some background information: this "recipients" file will later
be converted into an LDAP lookup. For this reason, the following
will NOT be a solution for me:

  smtpd_recipient_restrictions = 
...,
check_recipient_access ldap:/etc/postfix/recipients.cf,
reject rejected for testing purposes,

Because the person with access to the LDAP tree containing the
recipients information must also be able to define the default
behaviour for all the not explicitly specified recipient addresses].

Regards
-stefan-



Re: how to specify a "default key" in access(5)

2010-02-14 Thread Stefan Palme

> check_recipient_access hash:/etc/postfix/recipients
> check_recipient_access pcre:/etc/postfix/recipients_default
> 
> //  REJECT rejected for testing purposes

Thanks for the hint. But the content of "recipients_default" must
also be stored in LDAP (because some admin with LDAP access privileges
will define the default behaviour), so I can not use regular expression
lookups, but only the lookups as defined by the access(5) syntax.

-stefan-



content_filter .vs. transport_maps

2010-02-14 Thread Stefan Palme
Hi,

Is the effect of 

  content_filter = smtp:[127.0.0.1]:10025

the same as

  transport_maps = hash:/etc/postfix/transports

/etc/postfix/transports:
  *    smtp:[127.0.0.1]:10025

?

Thanks and regards
-stefan-




Re: content_filter .vs. transport_maps

2010-02-14 Thread Stefan Palme
On Sun, 2010-02-14 at 14:21 -0500, Wietse Venema wrote:
> content_filter and FILTER have precedence over all routing mechanisms
> in Postfix including transport_maps, relayhost, address classes, etc.

Ok, but if I have a very simple setup without any per-whatever
transport_maps, relayhost, etc. it does not really make any
difference if I use a simple transport_map or the content_filter
declaration?

Regards
-stefan-




Re: how to specify a "default key" in access(5)

2010-02-14 Thread Stefan Palme
On Sun, 2010-02-14 at 23:44 +0100, mouss wrote:
> Stefan Palme a écrit :
> >> check_recipient_access hash:/etc/postfix/recipients
> >> check_recipient_access pcre:/etc/postfix/recipients_default
> >>
> >> //  REJECT rejected for testing purposes
> > 
> > Thanks for the hint. But the content of "recipients_default" must
> > also be stored in LDAP (because some admin with LDAP access privileges
> > will define the default behaviour), so I can not use regular expression
> > lookups, but only the lookups as defined by the access(5) syntax.
> > 
> 
> if it's in ldap, then do it in ldap instead of pcre. make your ldap
> query return the "default behaviour" whatever the key is.

Something like this?

  check_recipient_access ldap:/etc/postfix/recipients.cf
  check_recipient_access ldap:/etc/postfix/recipients_default.cf

with /etc/postfix/recipients_default.cf:
  search_base = ou=postfix,dc=example,dc=com
  query_filter = (&(objectClass=postfixConfiguration)(cn=DEFAULT_BEHAVIOUR))

Nice idea... Have to take a look at this.

Thanks a lot!
-stefan-




Re: Blocklist with multiple SELECT-fields

2010-02-24 Thread Stefan Palme
On Wed, 2010-02-24 at 09:16 +0100, Jørn Skjerven wrote:
> I have tried the following query:
> 
> query = SELECT action,text FROM blocked_accounts WHERE address = '%s'

Try 
  query = SELECT concat(action,' ',text) FROM blocked_accounts ...

(don't know the correct Syntax in MySQL to concatenate strings) - as
a result, you should get ONE field for the "right hand side" of the 
access map...

-stefan-




temporarily putting ON HOLD

2010-04-06 Thread Stefan Palme
Hi,

I have a postfix configuration with virtual aliases like this:

  u...@example.com u...@imap.server, u...@relay.other.server

There are transport maps like this:

  imap.server   lmtp:unix:/var/imap/socket/lmtp
  relay.other.server    smtp:[ip.address.of.other.server]

With this I store incoming mails in the local IMAP server
and additionally send them to another SMTP server (which is
an obsolete domino server, mails have to be stored there for
internal reasons).

Currently the "other server" will be down (for a long time - at
least more than the default "maximal_queue_lifetime"). Because
of this, I want all mails that would normally go to relay.other.server
to be put ON HOLD.

But I have no idea how to do this. AFAIK there is no way to define
a transport rule for this, like

  relay.other.server   HOLD relay down

Adding a check_recipient_access to smtpd_recipient_restrictions also
does not work (because the original recipient's address is
@example.com).

Any ideas?

Thanks and regards!
-stefan-




strange mail protocol

2009-05-29 Thread Stefan Palme
Hi,

I've just found the following in my postfix log:

> grep C5E7710205CD: /var/log/mail/current 
May 29 13:21:01 [postfix/pickup] C5E7710205CD: uid=65534 from=
May 29 13:21:01 [postfix/cleanup] C5E7710205CD: message-id=<20090529112101.11351.11039.stra...@strato1>
May 29 13:21:01 [postfix/qmgr] C5E7710205CD: from=, size=1355, nrcpt=1 (queue active)
May 29 13:21:03 [postfix/smtp] C5E7710205CD: host f.mx.mail.yahoo.com[68.142.202.247] said: 451 Message temporarily deferred - [170] (in reply to end of DATA command)
May 29 13:21:04 [postfix/smtp] C5E7710205CD: to=, relay=f.mx.mail.yahoo.com[98.137.54.237]:25, delay=3.2, delays=0.29/0.01/1.7/1.2, dsn=2.0.0, status=sent (250 ok dirdel)
May 29 13:21:04 [postfix/qmgr] C5E7710205CD: removed

So the question: what has happened with that mail? 

I am confused about the line "451 Message temporarily deferred" 
immediately followed by "status=sent (250 ok)".

Thanks and regards
-stefan-




Re: strange mail protocol

2009-05-29 Thread Stefan Palme

> > I am confused about the line "451 Message temporarily deferred"
> > immediately followed by "status=sent (250 ok)".
> 
> 4xx are temporary Errors and Postfix tries the next MX.
> 
> 68.142.202.247 != 98.137.54.237

Args, obviously you are right. Sorry for the noise...

Thanks
-stefan-
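
The exchange above, as an added example that is not part of the original posts: a small Python trace of one queue ID that separates per-host 4xx replies (the client moves on to the next MX) from the final per-recipient status. The log lines, queue ID, host names and IP addresses are constructed placeholders in the same log format, and trace_delivery is a hypothetical helper name.

```python
import re

# Constructed sample in the log format quoted above; addresses and IPs are
# documentation placeholders, not values from the original post.
SAMPLE_LOG = """\
May 29 13:21:01 [postfix/qmgr] ABC123DEF456: from=<sender@example.org>, size=1355, nrcpt=1 (queue active)
May 29 13:21:03 [postfix/smtp] ABC123DEF456: host mx1.example.net[192.0.2.10] said: 451 Message temporarily deferred (in reply to end of DATA command)
May 29 13:21:04 [postfix/smtp] ABC123DEF456: to=<rcpt@example.net>, relay=mx2.example.net[198.51.100.20]:25, delay=3.2, dsn=2.0.0, status=sent (250 ok dirdel)
May 29 13:21:04 [postfix/qmgr] ABC123DEF456: removed
"""

LINE = re.compile(r"\[postfix/(?P<daemon>[\w-]+)\] (?P<qid>[0-9A-F]+): (?P<msg>.*)")
HOST_SAID = re.compile(r"host (?P<host>\S+)\[(?P<ip>[^\]]+)\] said: (?P<code>\d{3}) ")
FINAL = re.compile(r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
BRACKET_IP = re.compile(r"\[([^\]]+)\]")


def trace_delivery(log_text, queue_id):
    """Return (attempts, results) for one queue ID.

    attempts: (ip, code) for each "host ... said:" line, i.e. a reply from one
              MX host that did not end the delivery attempt.
    results:  (recipient, relay_ip, status) for each final disposition line.
    """
    attempts, results = [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["qid"] != queue_id or m["daemon"] != "smtp":
            continue
        said = HOST_SAID.match(m["msg"])
        if said:
            attempts.append((said["ip"], int(said["code"])))
            continue
        final = FINAL.match(m["msg"])
        if final:
            # relay= may carry no bracketed IP (e.g. "none"), so allow a miss
            ip = BRACKET_IP.search(final["relay"])
            results.append((final["rcpt"], ip.group(1) if ip else None, final["status"]))
    return attempts, results


if __name__ == "__main__":
    print(trace_delivery(SAMPLE_LOG, "ABC123DEF456"))
```

Comparing the IP in the attempts list with the relay IP in the results shows at a glance whether a 4xx and a later "sent" came from the same host.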




order of local_recipient_maps, smtpd_recipient_restrictions

2009-06-11 Thread Stefan Palme
Hi all,

local_recipient_maps .vs. smtpd_recipient_restrictions - can 
anybody tell me which test happens first on incoming emails?

Thanks and regards
-stefan-




Re: order of local_recipient_maps, smtpd_recipient_restrictions

2009-06-11 Thread Stefan Palme
On Thu, 2009-06-11 at 13:54 +0200, Magnus Bäck wrote:
> On Thu, June 11, 2009 1:03 pm, Stefan Palme said:
> 
> > local_recipient_maps .vs. smtpd_recipient_restrictions - can
> > anybody tell me which test happens first on incoming emails?
> 
> You're comparing apples and oranges, but I understand what you mean.
> local_recipient_maps specifies lookup tables that Postfix will consult if
> the recipient address domain is local (i.e. listed in mydestination). This
> check takes place at the end of smtpd_recipient_restrictions, unless you
> explicitly place a reject_unlisted_recipient restriction somewhere else.

Thanks to you and Wietse.

What happens if my smtpd_recipient_restrictions do NOT contain
reject_unlisted_recipients, but contain something like this:

  check_recipient_access pcre:/etc/postfix/filter_incoming

with /etc/postfix/filter_incoming:

  /.*/  FILTER amavis:[127.0.0.1]:10024


Will the local_recipient_maps-test happen BEFORE the mail will be
handed over to the filter? I guess the answer is YES, because there
is no AFTER the filter, because the mail will be reinjected by the
filter as a new mail... - I just want to be sure.

Regards
-stefan-




howto HOLD all mails for a specific user?

2009-06-12 Thread Stefan Palme
Hi all,

As far as I have understood, check_recipient_access in 
smtpd_recipient_restrictions uses the original RCPT TO addresses for
lookup (and not the results after resolving (virtual) aliases).

I want all mails received for a certain user to be put on HOLD
for a while (because I am repairing her IMAP mailbox).

This user receives mail for a lot of (virtual) email addresses, e.g.
i...@example1.com, webmas...@example2.net, etc.

Do I really have to write my check_recipient_access map in the form

  i...@example1.com   HOLD
  webmas...@example2.net  HOLD
  ...

or is there a shorter way to do this, because all these mail addresses
are in the end aliased to the same "local" user account?

Some of those email addresses are even aliased to more than one user. 
So the bad side effect of the map as shown above would be, that NOBODY
receives mails targeted at e.g. i...@example1.com - but I only want to
prevent one special mailbox from receiving any mail...

Thanks and regards
-stefan-




Re: howto HOLD all mails for a specific user?

2009-06-12 Thread Stefan Palme
On Fri, 2009-06-12 at 09:47 +0200, Magnus Bäck wrote:
> The only solution I can think of that isn't overcomplicated would be to
> clone the virtual or local transport in master.cf (depends on the address
> class of the domain) and use the transport table to redirect the final
> address to that transport. Then, use defer_transports to defer deliveries
> to the cloned transport.

Sounds like a good solution, and the effort to realize this is
independent of the number of aliases of that user, so I guess I
will try it.


> Perhaps there are other solutions than suspending deliveries to the user's
> account? Why does the IMAP mailbox need to be "repaired"?  How do you
> repair it and why does that operation require exclusive access to the
> mailbox?

The user by accident deleted all mails (>20.000) from her IMAP account.
I have to recover them from backup (and merge them with the mails 
meanwhile). After that, I have to reconstruct the mailbox database (I 
use cyrus imap server). I don't want any new mails to come in during
this recovery phase because I have bad experience with this...

Thanks and regards
-stefan-




logging stuff: NOQUEUE

2009-06-12 Thread Stefan Palme
Hi all,

I am currently working on a new logfile analyzer for postfix.
Regarding this I will probably have some questions. Here is the
first one:

When an incoming mail is rejected because of one of the rules
defined by smtpd_{sender,recipient,data,helo}_restrictions, this
rejection is logged with queue-id="NOQUEUE":


Jun 12 19:11:30 [postfix/smtpd] NOQUEUE: reject: 
  RCPT from 217-68-166-69.dynamic.primacom.net[217.68.166.69]: 
  450 4.1.2 : Recipient address rejected: Domain not found;
  from= to= 
  proto=ESMTP helo=<[192.168.1.144]>


Can I be sure that postfix creates a queue-id only AFTER
all smtpd_*_restrictions have been passed successfully?

If not - what is the general rule when I have to expect a NOQUEUE
and when to expect a concrete queue ID?

Thanks for any hints
Regards
-stefan-




Re: logging stuff: NOQUEUE

2009-06-12 Thread Stefan Palme
On Fri, 2009-06-12 at 12:41 -0500, Noel Jones wrote:
> A QUEUEID is created when the number of accepted recipients 
> for a message is greater than zero.
> 
> In the case of a multi-recipient message where some recipients 
> are accepted and some rejected, recipients before the first 
> accepted recipient will have NOQUEUEID, after that a QUEUEID 
> will be listed.
> 
> A message may be rejected by smtpd_{data, 
> end-of-data}_restrictions, in which case a QUEUEID will have 
> already been created.

Ok, to be sure, if I have understood all this correctly: 
whenever the smtpd server sees a "RCPT TO" in the SMTP 
protocol, all the smtpd_recipient_restrictions will be 
applied. After the first "valid" recipient a QUEUEID is
created (which will be used in the logs for this and all
subsequent valid and invalid "RCPT TO" recipients).

Because a "DATA" command is only allowed when there has
been at least one valid recipient, all log messages
regarding invalid DATA / END-OF-DATA restrictions will 
contain a QUEUEID (!="NOQUEUE").

Ok?

Thanks and regards
-stefan-
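
For the log analyzer discussed in this thread, an added example (not code from the original posts): smtpd reject lines are collected per queue ID when one exists and per client IP when the line carries NOQUEUE, since a reject logged before the first accepted recipient cannot be tied to a message. The log lines, queue ID and addresses are constructed placeholders in the same log format, collect_rejects is a hypothetical helper name, and short hexadecimal queue IDs are assumed.

```python
import re
from collections import defaultdict

# Constructed sample: one SMTP session where the first recipient is rejected
# (no queue ID yet), a later recipient is rejected after one was accepted,
# and the DATA command is rejected. All names and IPs are placeholders.
SAMPLE_LOG = """\
Jun 12 19:11:30 [postfix/smtpd] NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 450 4.1.2 <a@nxdomain.invalid>: Recipient address rejected: Domain not found; from=<s@example.org> to=<a@nxdomain.invalid> proto=ESMTP helo=<client.example.org>
Jun 12 19:11:31 [postfix/smtpd] 4F2A1B3C5D: client=unknown[192.0.2.44]
Jun 12 19:11:31 [postfix/smtpd] 4F2A1B3C5D: reject: RCPT from unknown[192.0.2.44]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<s@example.org> to=<nobody@example.com> proto=ESMTP helo=<client.example.org>
Jun 12 19:11:32 [postfix/smtpd] 4F2A1B3C5D: reject: DATA from unknown[192.0.2.44]: 503 5.5.0 <DATA>: Data command rejected: Improper use of SMTP command pipelining; from=<s@example.org> to=<ok@example.com> proto=ESMTP helo=<client.example.org>
"""

# Assumption: short hexadecimal queue IDs, as in the log lines on this page.
REJECT = re.compile(
    r"\[postfix/smtpd\] (?P<qid>NOQUEUE|[0-9A-F]+): reject: (?P<stage>[A-Z-]+) "
    r"from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
)


def collect_rejects(log_text):
    """Return (by_queue, noqueue_by_client).

    by_queue:          queue ID  -> [(stage, code), ...] for rejects logged
                       after a queue ID existed.
    noqueue_by_client: client IP -> [(stage, code), ...] for rejects logged
                       with NOQUEUE, which can only be keyed by client.
    """
    by_queue = defaultdict(list)
    noqueue_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not an smtpd reject line (e.g. the client= line)
        event = (m["stage"], int(m["code"]))
        if m["qid"] == "NOQUEUE":
            noqueue_by_client[m["ip"]].append(event)
        else:
            by_queue[m["qid"]].append(event)
    return dict(by_queue), dict(noqueue_by_client)


if __name__ == "__main__":
    print(collect_rejects(SAMPLE_LOG))
```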




Re: postscreen logging question

2009-06-16 Thread Stefan Palme

On Tue, 2009-06-16 at 16:43 +0200, Ralf Hildebrandt wrote:
> I'm trying out postscreen. No unexpected explosions so far.
> ...

May I ask what exactly "postscreen" is? I've never heard about it 
and can not find any references in the web...

Thanks and regards
-stefan-




avoid aliasing

2009-08-26 Thread Stefan Palme
Hi list,

I have a (probably simple) alias configuration problem, 
but currently have no idea how to solve it.

Have a postfix server which has "mydestination=example.com".
There is a valid email address u...@example.com

For certain reasons I want to duplicate mails sent to u...@example.com
to another mail-account, so I have added an alias:

  user: user, otheru...@otherdomain.com

This works as expected.


Now I want to be able to send mails to this user that should NOT
be duplicated. For example, when sending mails to
user+noduplic...@example.com, the mail should be stored only in
the local mailbox, but NOT duplicated to otheru...@otherdomain.com

I've tried these aliases:

  user+noduplicate: user+noduplicate
  user: user, otheru...@otherdomain.com

but this does not work (when sending to user+noduplic...@example.com
the mail still gets duplicated to otheru...@otherdomain.com)

Any ideas how to solve this issue?

Thanks and regards
-stefan-




Re: avoid aliasing

2009-08-26 Thread Stefan Palme
On Wed, 2009-08-26 at 18:12 -0600, LuKreme wrote:
> On 26-Aug-2009, at 03:14, Stefan Palme wrote:
> >  user+noduplicate: user+noduplicate
> >  user: user, otheru...@otherdomain.com
> 
> Seems to me this would be an ideal use of procmail.

Thanks for the tip, but procmail is no option here. The reason:
The local mailbox_transport is lmtp:/var/imap/socket/lmtp, which
means mail is stored in an IMAP server in the end.

Regards
-stefan-




Re: avoid aliasing

2009-08-27 Thread Stefan Palme
On Thu, 2009-08-27 at 06:59 -0600, LuKreme wrote:
> On 27-Aug-2009, at 00:16, Stefan Palme wrote:
> > On Wed, 2009-08-26 at 18:12 -0600, LuKreme wrote:
> >> On 26-Aug-2009, at 03:14, Stefan Palme wrote:
> >>> user+noduplicate: user+noduplicate
> >>> user: user, otheru...@otherdomain.com
> >>
> >> Seems to me this would be an ideal use of procmail.
> >
> > Thanks for the tip, but procmail is no option here. The reason:
> > The local mailbox_transport is lmtp:/var/imap/socket/lmtp, which
> > means mail is stored in an IMAP server in the end
> 
> IMAP has nothing to do with it. I use procmail to store to IMAP. It's  
> not an issue.

But does procmail not require a local user account for the recipient
in question? In this machine there are NO normal user accounts.

However, I have solved the issue in another way by using
virtualaliases and some modified transports...

Thanks for help!

Regards
-stefan-




Re: avoid aliasing

2009-08-27 Thread Stefan Palme

> My procmail delivers to mysql users just fine. The initial setup takes  
> some extra steps, but that's all.

Ok, maybe I will take a look at this solution, too :-)

Thanks and regards
-stefan-




Re: reject_unknown_sender_domain and DNS SERVFAIL result

2012-10-03 Thread Stefan Palme
On Wed, 2012-10-03 at 16:00 -0400, Bill Cole wrote:

> lazarus:~# dig dfleur.com mx
> 
> ; <<>> DiG 9.9.1-P3 <<>> dfleur.com mx
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41183

...

> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Oct  3 15:07:35 2012


Your locally installed DNS server does not work as you expect.

-stefan-


Re: Documentation Bug

2011-10-13 Thread Stefan Palme
On Thu, 2011-10-13 at 17:11 +0200, Reindl Harald wrote:

> ... depending on the attachment the overhead can be very different


Base64 always encodes 3 original bytes into 4 base64-bytes, so the
factor to calculate the effective size for an attachment in an email is
always 4/3*original_size.

Of course, if an attachment is not base64-encoded, the effective size of
an attachment may differ...

-stefan-