Re: unknown mail transport error

2010-12-09 Thread donovan jeffrey j

On Dec 9, 2010, at 7:22 AM, Sufian Hameed wrote:

> Dec  9 14:18:18 esprimo postfix/qmgr[8828]: warning: transport smtp failure 
> -- see a previous warning/fatal/panic logfile record for the problem 
> description

what does this log entry say ?



Re: smtpd_sender_login_maps with aliases?

2010-11-03 Thread donovan jeffrey j

On Nov 3, 2010, at 11:14 AM, Edward Carraro wrote:

> I would like to set up SMTP, allowing the user to authenticate as their main 
> address, but still continue to send mail using their alias (without disabling 
> reject_sender_login_mismatch, as discussed here 
> http://serverfault.com/questions/61351/)
> 
> I'm just not sure what my ldap mapping config should look like... when I add 
> the LDAP attribute mailAlternateAddress to the query_filter, it allows me to 
> authenticate using both the main address and the alias but it won't allow me 
> to send from an address owned by that user other than what was used for 
> authentication.
> 
> master.cf
>   -o smtpd_sender_login_maps=ldap:/etc/postfix/virtual
>   -o smtpd_sender_restrictions=reject_sender_login_mismatch
> 
> /etc/postfix/virtual
> server_host = ldap://ldapserver:389
> server_port = 389
> search_base =
> #query_filter = (mail=%s)
> query_filter = (&(|(mail=%s)(mailAlternateAddress=%s)))
> result_attribute = uid
> version = 3
> start_tls = no
> bind = yes
> bind_dn = xxx
> bind_pw = xxx
> timeout = 30
> 
> Thanks!
> 

postconf -m

was your postfix compiled with ldap support ?

you're getting your Auth users from your local recipients map.
-j

Re: How can i test my local_recipient_maps

2010-10-26 Thread donovan jeffrey j

On Oct 26, 2010, at 8:47 PM, Wietse Venema wrote:

> jeffrey j donovan:
>> greetings
>> 
>> How can I test my local recipient map. Im looking for something similar to a 
>> " postmap -q us...@example.com  hash:/etc/postfix/myfile "
>> 
>> here is my map statement.
>> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
>> 
>> this doesn't work
>> postmap -q dva...@example.com proxy:unix:passwd.byname
> 
> It does not work, because the local delivery agent does not
> use the domain.
> 
>   Wietse

Thank you sir

postmap -q dvader proxy:unix:passwd.byname

worked like a champ.
-j

Re: Aliases LDAP maps from the MX ?

2010-10-08 Thread donovan jeffrey j

On Oct 8, 2010, at 8:11 AM, Frank Bonnet wrote:

> Hello
> 
> I would like to use LDAP ( OpenLDAP ) aliases from our MX server
> in order to forward emails to the internal mailhub.
> 
> The MX use the transport utility to forward emails to the mailhub
> and does not perform local deliveries.
> 
> Thanks for any infos

use ldap lookup for local user

local_recipient_maps = ldap:/etc/postfix/ldaplocal $alias_maps

#/etc/postfix/ldaplocal
server_host = 127.0.0.1
search_base = dc=my,dc=ldap,dc=server,dc=com
query_filter = (mail=%s)
result_attribute = mail
#result_filter = uid
bind = no


Re: Routing emails through multiple postfix servers

2010-10-06 Thread donovan jeffrey j

On Oct 6, 2010, at 3:42 PM, Jeroen Geilman wrote:

> On 10/05/2010 12:04 PM, Avinash Pawar // Viva wrote:
>> Hi,
>> 
>> Please suggest me solution on following requirements :
>> 
>> User will send emails on one postfix server then this server will route 
>> email traffic to multiple postfix servers.
> 
> For what purpose ?
> 
> Any useful advice hinges on why you want to do this.
> That will inform us on how you want this to function - and thereby includes 
> most of the answer.

http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.porcupine.org/postfix-mirror/transport.5.html

you will find what you need in these two docs.
-j

Re: Routing emails through multiple postfix servers

2010-10-05 Thread donovan jeffrey j

On Oct 5, 2010, at 6:04 AM, Avinash Pawar // Viva wrote:

> Hi,
> 
> Please suggest me solution on following requirements :
> 
> User will send emails on one postfix server then this server will route email 
> traffic to multiple postfix servers.
> 
> How we can implement this feature ?
> 
> Should we use any Load Balancer?

greetings you can use transport maps on the one smtp server to send to 
different destinations 
http://www.porcupine.org/postfix-mirror/transport.5.html

snip
#user+extens...@domain transport:nexthop
#   Deliver  mail  for  user+extens...@domain   through
#   transport to nexthop.
# 
#u...@domain transport:nexthop
#   Deliver  mail  for u...@domain through transport to
#   nexthop.
# 
#domain transport:nexthop
#   Deliver mail for domain through transport to nexthop.
# 
#.domain transport:nexthop
#   Deliver mail for any subdomain of domain through
#   transport to nexthop. This applies only when the
#   string transport_maps is not listed in the
#   parent_domain_matches_subdomains configuration setting.
#   Otherwise, a domain name matches itself and
#   its subdomains.

Re: Scanning Mails Relayed via Postfix Server/Spamassassin

2010-09-30 Thread donovan jeffrey j

On Sep 30, 2010, at 8:16 AM, Cimoni Enwis Ogwujiakwu wrote:

> Hello,
> I have setup a postfix server for scanning mails for spam relayed through it 
> and I have redirected all port 25 traffic through it from my firewall but 
> when I try sending mails through
> telnet for example smtp.gmail.com 25
>  I still get through without seeing any transaction on the postfix server and 
> no scanning by the spam assassin.
> What I am getting wrong here.
>  
> 

postconf -n 

SA doesn't run on port 25 usually. in main.cf you should have a content_filter 
statement. 

eg;
content_filter = smtp-amavis:[127.0.0.1]:10024



Re: :Re: emails stuck in queue

2010-09-28 Thread donovan jeffrey j

On Sep 28, 2010, at 9:42 PM, Troy Campbell wrote:

> The first two lines were commented out but when I looked at the server that 
> used to host mail it was uncommented so I uncommented it on this new machine 
> and recreated the hash i.e., postmap hash:/etc/postfix/transport
> 

this did not look good

Sep 28 19:15:39 request2 postfix/local[5078]: fatal: open database 
/etc/mailman/aliases.db: No such file or directory

also

> 
> Sep 28 19:10:00 request2 postfix/smtp[2147]: connect to 
> srsda01.rmdc.fdx.com[188.82.167.110]: Connection timed out (port 25)

can't speak to " srsda01 "

> Sep 28 19:10:00 request2 postfix/smtp[2147]: 27E14164EEB: 
> to=, relay=none, delay=456127, 
> delays=456097/0.01/30/0, dsn=4.4.1, status=deferred (connect to 
> srsda01.rmdc.fdx.com[188.82.167.110]: Connection timed out)
> Sep 28 19:10:02 request2 postfix/smtpd[2148]: connect from 
> efmtst05.rmdc.fdx.com[188.82.152.16]

relay = none

Re: Ldap multiple server_host config

2010-09-28 Thread donovan jeffrey j

On Sep 28, 2010, at 8:38 PM, Jeroen Geilman wrote:

> On 09/29/2010 02:35 AM, donovan jeffrey j wrote:
>> 
>> greetings
>> 
>> I was reading http://linux.die.net/man/5/ldap_table  and was trying to get a 
>> clear picture of what the config would look like, and is postmap required?
> 
> server_host (default: localhost)
> The name of the host running the LDAP server, e.g.
> server_host = ldap.example.com
> Depending on the LDAP client library you're using, it should be possible to 
> specify multiple servers here, with the library trying them in order should 
> the first one fail. It should also be possible to give each server in the 
> list a different port (overriding server_port below), by naming them like 
> server_host = ldap.example.com:1444
> 
> With OpenLDAP, a (list of) LDAP URLs can be used to specify both the 
> hostname(s) and the port(s): server_host = ldap://ldap.example.com:1444
> 
> 
> What about this is unclear ?

what's unclear to me* is, do I have to assign the port number or can i just go 
default when using multiples.

see below
> would this work ?
> 
> server_host = 127.0.0.1
> server_host = 192.168.1.1
> server_host = 192.168.1.2
> search_base = dc=my,dc=example,dc=com
> query_filter = (mail=%s)
> result_attribute = mailHost
> result_filter = smtp:[%s]
> bind = no
> 
> 
> or would I have to go with
> 
> server_host = 127.0.0.1:389
> server_host = 192.168.1.1:1444
> server_host = 192.168.1.2:1445
> search_base = dc=my,dc=example,dc=com
> query_filter = (mail=%s)
> result_attribute = mailHost
> result_filter = smtp:[%s]
> bind = no
> 
> 
> where each ldap server runs on a different port, does it matter ?
> -j



> --
> J.
> 



Ldap multiple server_host config

2010-09-28 Thread donovan jeffrey j
greetings

I was reading http://linux.die.net/man/5/ldap_table  and was trying to get a 
clear picture of what the config would look like, and is postmap required?
would this work

server_host = 127.0.0.1
server_host = 192.168.1.1
server_host = 192.168.1.2
search_base = dc=my,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mailHost
result_filter = smtp:[%s]
bind = no


or would I have to go with

server_host = 127.0.0.1:389
server_host = 192.168.1.1:1444
server_host = 192.168.1.2:1445
search_base = dc=my,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mailHost
result_filter = smtp:[%s]
bind = no


where each ldap server runs on a different port, does it matter ?
-j

Re: emails stuck in queue

2010-09-27 Thread donovan jeffrey j

On Sep 27, 2010, at 6:57 PM, Troy Campbell wrote:

> Sorry, this is probably a newbie question but I’m having an issue where I see 
> a bunch of emails with an “*” next to them when I run postqueue –p but not 
> being delivered to the local machine.  What does the “*” mean.  I also 
> noticed “!” next to held jobs.  Is there somewhere these special characters 
> and/or what queue these messages are on?
>  
> Regards,
> Troy

Hi troy,
postqueue -p will show you what is in your queue see " man mailq "
postqueue -f will flush the queue

the asterisk to summarize means postfix knows about it and is waiting to send 
it.
delivery to the local machine ? check local recipient maps or mail transport. 
Alias maps should also be checked.

postconf -d | grep local
postconf -d | grep mail_transport

post the results back to list.
-j

Re: warning: bogus file name: maildrop/.turd_postfix

2010-09-13 Thread donovan jeffrey j

On Sep 11, 2010, at 9:04 AM, Wietse Venema wrote:

> donovan jeffrey j:
>> 
>> On Sep 10, 2010, at 10:49 PM, donovan jeffrey j wrote:
>> 
>>> 
>>> On Sep 10, 2010, at 10:30 PM, Wietse Venema wrote:
>>> 
>>>> donovan jeffrey j:
>>>>> greetings
>>>>> 
>>>>> i just upgraded postfix to 2.7.1 on a OSX 10.6.4 machine. From what I 
>>>>> have read in the archives it may be an incorrect user or permission but 
>>>>> it's not harmful. How do i clear the warning ?
>>>>> 
>>>>> I used macports 
>>>>> 
>>>>> Sep 10 22:00:22 mx1 postfix/master[191]: daemon started -- version 2.7.1, 
>>>>> configuration /opt/local/etc/postfix
>>>>> Sep 10 22:01:35 mx1 postfix/postsuper[374]: warning: bogus file name: 
>>>>> maildrop/.turd_postfix
>>>>> 
>>>>> any insight would be helpful.
>>>> 
>>>> That is not supposed to be there. Remove it.
>>>> 
>>>>Wietse
>>> 
>>> im not sure how ?
>> 
>> beside that,.. after going through the macports, i decided i didn't like it. 
>> the whole /opt/directory switch they do just added another layer that could 
>> go wrong.
>> So
>> 
>> can i just move the binaries to their normal directory since they 
>> compiled correctly ? im not worried about OS updates.
> 
> Moving files by hand is not supported, so I can't answer that question.
> 
>   Wietse
> 

okay I appreciate your input.
here is my dilemma. OSX 10.6 comes stock with postfix 2.6 without LDAP support. 
I really like the ability to do ldap queries for local info and transport info 
(great feature). So what is the best way to upgrade?
several people had mentioned " just use macports/darwinports/fink " but now I 
have two full instances of postfix on the system. not really what i wanted. 
Should I just compile from source and hope for the best.
has anyone updated postfix with ldap support on osx ?
sorry for obvious redundant questions.

-j



Re: warning: bogus file name: maildrop/.turd_postfix

2010-09-10 Thread donovan jeffrey j

On Sep 10, 2010, at 10:49 PM, donovan jeffrey j wrote:

> 
> On Sep 10, 2010, at 10:30 PM, Wietse Venema wrote:
> 
>> donovan jeffrey j:
>>> greetings
>>> 
>>> i just upgraded postfix to 2.7.1 on a OSX 10.6.4 machine. From what I have 
>>> read in the archives it may be an incorrect user or permission but it's not 
>>> harmful. How do i clear the warning ?
>>> 
>>> I used macports 
>>> 
>>> Sep 10 22:00:22 mx1 postfix/master[191]: daemon started -- version 2.7.1, 
>>> configuration /opt/local/etc/postfix
>>> Sep 10 22:01:35 mx1 postfix/postsuper[374]: warning: bogus file name: 
>>> maildrop/.turd_postfix
>>> 
>>> any insight would be helpful.
>> 
>> That is not supposed to be there. Remove it.
>> 
>>  Wietse
> 
> im not sure how ?

beside that,.. after going through the macports, i decided i didn't like it. 
the whole /opt/directory switch they do just added another layer that could go 
wrong.
So

can i just move the binaries to their normal directory since they compiled 
correctly ? im not worried about OS updates.
-j

Re: warning: bogus file name: maildrop/.turd_postfix

2010-09-10 Thread donovan jeffrey j

On Sep 10, 2010, at 10:30 PM, Wietse Venema wrote:

> donovan jeffrey j:
>> greetings
>> 
>> i just upgraded postfix to 2.7.1 on a OSX 10.6.4 machine. From what I have 
>> read in the archives it may be an incorrect user or permission but it's not 
>> harmful. How do i clear the warning ?
>> 
>> I used macports 
>> 
>> Sep 10 22:00:22 mx1 postfix/master[191]: daemon started -- version 2.7.1, 
>> configuration /opt/local/etc/postfix
>> Sep 10 22:01:35 mx1 postfix/postsuper[374]: warning: bogus file name: 
>> maildrop/.turd_postfix
>> 
>> any insight would be helpful.
> 
> That is not supposed to be there. Remove it.
> 
>   Wietse

im not sure how ?

Re: warning: bogus file name: maildrop/.turd_postfix

2010-09-10 Thread donovan jeffrey j

On Sep 10, 2010, at 10:05 PM, donovan jeffrey j wrote:

> greetings
> 
> i just upgraded postfix to 2.7.1 on a OSX 10.6.4 machine. From what I have 
> read in the archives it may be an incorrect user or permission but it's not 
> harmful. How do i clear the warning ?
> 
> I used macports 
> 
> Sep 10 22:00:22 mx1 postfix/master[191]: daemon started -- version 2.7.1, 
> configuration /opt/local/etc/postfix
> Sep 10 22:01:35 mx1 postfix/postsuper[374]: warning: bogus file name: 
> maildrop/.turd_postfix
> 
> any insight would be helpful.
> -j

woops check that OS version it's 10.5.8 not sure if that makes a difference.
-j

warning: bogus file name: maildrop/.turd_postfix

2010-09-10 Thread donovan jeffrey j
greetings

i just upgraded postfix to 2.7.1 on a OSX 10.6.4 machine. From what I have read 
in the archives it may be an incorrect user or permission but it's not harmful. 
How do i clear the warning ?

I used macports 

Sep 10 22:00:22 mx1 postfix/master[191]: daemon started -- version 2.7.1, 
configuration /opt/local/etc/postfix
Sep 10 22:01:35 mx1 postfix/postsuper[374]: warning: bogus file name: 
maildrop/.turd_postfix

any insight would be helpful.
-j

Re: How common is reverse DNS checking?

2010-08-23 Thread donovan jeffrey j

On Aug 23, 2010, at 11:32 AM, LuKreme wrote:

> On 19-Aug-2010, at 13:08, D G Teed wrote:
>> 
>> The only place I've seen which publicly talks about
>> the reverse DNS requirement is AOL.
> 
> Craigslist requires that the reverse DNS match EXACTLY the mail server name. 
> So, if your mailserver doubles 
> as a dns server and your primary rDNS point to ns1.mydomain.tld and you send 
> mail from mail.mydomain.tld, craigslist will reject it.

why
mail from is from your host name. your host name should say mail.mydomain.tld = 
ipaddress , ip address should = mail.mydomain.tld
we are talking about sending mail right ?
receiving for the domain, thats a different record.

> 
> They also never answer admin mail, so I've just told people using my 
> mailservers to use gmail for craigslist since I don't have spare IPs lying 
> around.
> 
> I used reject_unknown_reverse_client_hostname and I tried 
> reject_unknown_client_hostname but that was very bad. Don't go there.

i would love to implement reject_unknown_client_hostname. the world would be a 
better place.
i can see many reasons why having a fully qualified name is appropriate. A mail 
server for one should be able to say yes to ip = name and name = ip.





Re: warn_if_reject reject_unknown_client

2010-08-12 Thread donovan jeffrey j

On Aug 12, 2010, at 2:55 PM, Noel Jones wrote:

> On 8/12/2010 1:37 PM, donovan jeffrey j wrote:
>> 
>> On Aug 12, 2010, at 2:24 PM, Noel Jones wrote:
>> 
>>> On 8/12/2010 1:07 PM, donovan jeffrey j wrote:
>>>> greetings
>>>> 
>>>> all day long I see  tons of reject warnings from different ips sample
>>>> reject_warning: RCPT from unknown[65.60.20.157]: 450 Client host rejected: 
>>>> cannot find your hostname, [65.60.20.157];
>>>> 
>>>> when I do an nslookup or host that IP it returns a 
>>>> 157.20.60.65.in-addr.arpa domain name pointer sh4.amazingfireman.info
>>>> 
>>>> but dig returns nothing so postfix returns a reject warning.
>>>> Much of this mail is unwanted , i want to block the majority of these 
>>>> however I do not want to block users that use a colocation site or legit 
>>>> users;
>>>> 
>>>> example; i know these people are legit but have no control over their 
>>>> mailserver
>>>> reject_warning: RCPT from unknown[209.131.70.106]: 450 Client host 
>>>> rejected: cannot find your hostname, [209.131.70.106]; from=
>>>> 
>>>> Non-authoritative answer:
>>>> 106.70.131.209.in-addr.arpa name = ip70-106-tcpbbs.net.
>>>> 
>>>> dig shows nothing for that ip but they do have an mx record under their 
>>>> domain name dhuy.com
>>>> 
>>>> ;; ANSWER SECTION:
>>>> dhuy.com.  1595  IN  MX  10 mail.dhuy.com.
>>>> 
>>>> Name:  mail.dhuy.com
>>>> Address: 209.131.70.106
>>>> 
>>>> nc1-100:~ drfoo$ host 209.131.70.106
>>>> 106.70.131.209.in-addr.arpa domain name pointer ip70-106-tcpbbs.net
>>>> 
>>>> it goes in a circle.
>>>> 
>>>> So in hopes that i can allow them to pass i have added the IP  to my 
>>>> smtpd_client_restrictions = permit_mynetworks check_client_access 
>>>> hash:/etc/postfix/access
>>>> is that the right approach ?
>>> 
>>> I hope you mean you added the IP to your access table, not mynetworks.  
>>> Other than that, this is the right general idea.
>> 
>> hehe yeah yeah not my network, i added to access.
>>> 
>>> Whether this is the right place to add the access table depends on where 
>>> your reject_unknown_client is.  The whitelist and reject_unknown_client 
>>> must be in the same section.
>> 
>> is it okay to have the warn_if_reject reject_unknown_client in 
>> smtpd_recipient_restrictions, I had read somewhere it was better to reject 
>> after client and helo because the client would just hang up and try again.
>> right now I have the restriction in recipient. and I also have a 
>> check_recipient_access hash:/etc/postfix/recipient_access. So i must place 
>> it in there.
>> -j
> 
> In that case remove your smtpd_{client, helo, sender}_restrictions and put 
> everything under smtpd_recipient_restrictions.

so no reject_unknown_client in any line ?
sorry if i seem confused. I have not worked with this config in many years and 
I'm trying to update all of these systems.
 so i should then,
smtpd_client_restrictions =
smtpd_sender_restrictions =

smtpd_recipient_restrictions = permit_mynetworks
reject_unauth_destination
check_recipient_access hash:/etc/postfix/recipient_white_access
check_recipient_access hash:/etc/postfix/recipient_black_access
reject_invalid_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unlisted_recipient
reject_unknown_recipient_domain
reject_rbl_client zen.spamhaus.org
reject_rbl_client cbl.abuseat.org, permit

I added a few because they were already in my config. along with warn_if_reject 
reject_unknown_client

thanks for your help.

> 
> General order should be like so:
> smtpd_recipient_restrictions =
> # clients that can relay
>  permit_mynetworks
> # no one below here can relay
>  reject_unauth_destination
> # local whitelist of IPs and client names goes here
>  check_client_access hash:/etc/postfix/client_whitelist
> # maybe a local blacklist.  It's possible to combine
> # the whitelist & blacklist, but cleaner to separate
>  check_client_access hash:/etc/postfix/client_blacklist
> # other local reject_* antispam checks
>  ...
> # generally put RBLs last since they require a DNS lookup.
>  reject_rbl_client zen.spamhaus.org
> # anything that gets this far is delivered.
> 
> 
> 
>  -- Noel Jones
> 
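The ordering Noel Jones outlines above (relay permits, then reject_unauth_destination, then local tables) and his rule that the whitelist and reject_unknown_client share a section can be checked mechanically. The script below is an added example, not code from the thread or from Postfix: lint_restrictions and its rules are a simplification made for this example, POSTED_RECIPIENT is the smtpd_recipient_restrictions value from the 2010-08-08 post on this page, and NOEL_ORDER is constructed from his outline.

```python
import re

# Restrictions followed by one argument (a lookup table or a DNSBL zone).
TAKES_ARG = re.compile(r"^(check_\w+_access|reject_rbl_client|reject_rhsbl_\w+)$")
# Permits that are meant to sit ahead of the relay check.
RELAY_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
RELAY_CHECKS = {"reject_unauth_destination", "defer_unauth_destination"}
UNKNOWN_CLIENT = {"reject_unknown_client", "reject_unknown_client_hostname"}


def parse_restrictions(value):
    """Split a restriction list into (name, argument, warn_only) tuples."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, warn_only, i = [], False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "warn_if_reject":  # modifies the next restriction only
            warn_only = True
            i += 1
            continue
        arg = None
        if TAKES_ARG.match(tok) and i + 1 < len(tokens):
            arg = tokens[i + 1]
            i += 1
        items.append((tok, arg, warn_only))
        warn_only = False
        i += 1
    return items


def can_permit(name):
    """True for entries whose result may be OK: access tables and permit_*."""
    return (name.startswith("check_") or ":" in name
            or (name.startswith("permit") and name not in RELAY_PERMITS))


def lint_restrictions(section, value):
    """Return a list of ordering findings for one restriction list."""
    items = parse_restrictions(value)
    names = [n for n, _, _ in items]
    findings = []
    relay_at = next((i for i, n in enumerate(names) if n in RELAY_CHECKS), None)
    if section == "smtpd_recipient_restrictions":
        if relay_at is None:
            findings.append("no reject_unauth_destination in the list")
        else:
            # An OK result here ends evaluation before the relay check runs.
            for name, arg, _ in items[:relay_at]:
                if can_permit(name):
                    entry = f"{name} {arg or ''}".strip()
                    findings.append(f"{entry} is evaluated before the relay check")
    seen_whitelist = False
    for name, _, warn_only in items:
        if name == "check_client_access":
            seen_whitelist = True
        elif name in UNKNOWN_CLIENT and not seen_whitelist:
            mode = "warn only" if warn_only else "rejecting"
            findings.append(
                f"{name} ({mode}) has no check_client_access ahead of it in {section}")
    return findings


# Value copied from the 2010-08-08 post on this page.
POSTED_RECIPIENT = (
    "check_recipient_access hash:/etc/postfix/recipient_access "
    "check_sender_mx_access cidr:/etc/postfix/reject_private_mx.cidr "
    "warn_if_reject reject_unknown_client, reject_non_fqdn_sender, "
    "reject_unknown_sender_domain, reject_unlisted_sender, permit_mynetworks, "
    "reject_non_fqdn_recipient, reject_invalid_hostname, "
    "reject_unknown_recipient_domain, reject_unauth_destination, "
    "reject_unlisted_recipient, reject_unauth_pipelining, "
    "reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, permit"
)

# Constructed from the general order in the reply above.
NOEL_ORDER = (
    "permit_mynetworks reject_unauth_destination "
    "check_client_access hash:/etc/postfix/client_whitelist "
    "check_client_access hash:/etc/postfix/client_blacklist "
    "warn_if_reject reject_unknown_client "
    "reject_rbl_client zen.spamhaus.org"
)

if __name__ == "__main__":
    for finding in lint_restrictions("smtpd_recipient_restrictions", POSTED_RECIPIENT):
        print("posted:", finding)
    print("outline:", lint_restrictions("smtpd_recipient_restrictions", NOEL_ORDER))
```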



Re: warn_if_reject reject_unknown_client

2010-08-12 Thread donovan jeffrey j

On Aug 12, 2010, at 2:24 PM, Noel Jones wrote:

> On 8/12/2010 1:07 PM, donovan jeffrey j wrote:
>> greetings
>> 
>> all day long I see  tons of reject warnings from different ips sample
>> reject_warning: RCPT from unknown[65.60.20.157]: 450 Client host rejected: 
>> cannot find your hostname, [65.60.20.157];
>> 
>> when I do an nslookup or host that IP it returns a 157.20.60.65.in-addr.arpa 
>> domain name pointer sh4.amazingfireman.info
>> 
>> but dig returns nothing so postfix returns a reject warning.
>> Much of this mail is unwanted , i want to block the majority of these 
>> however I do not want to block users that use a colocation site or legit 
>> users;
>> 
>> example; i know these people are legit but have no control over their 
>> mailserver
>> reject_warning: RCPT from unknown[209.131.70.106]: 450 Client host rejected: 
>> cannot find your hostname, [209.131.70.106]; from=
>> 
>> Non-authoritative answer:
>> 106.70.131.209.in-addr.arpa  name = ip70-106-tcpbbs.net.
>> 
>> dig shows nothing for that ip but they do have an mx record under their 
>> domain name dhuy.com
>> 
>> ;; ANSWER SECTION:
>> dhuy.com.  1595  IN  MX  10 mail.dhuy.com.
>> 
>> Name:    mail.dhuy.com
>> Address: 209.131.70.106
>> 
>> nc1-100:~ drfoo$ host 209.131.70.106
>> 106.70.131.209.in-addr.arpa domain name pointer ip70-106-tcpbbs.net
>> 
>> it goes in a circle.
>> 
>> So in hopes that i can allow them to pass i have added the IP  to my 
>> smtpd_client_restrictions = permit_mynetworks check_client_access 
>> hash:/etc/postfix/access
>> is that the right approach ?
> 
> I hope you mean you added the IP to your access table, not mynetworks.  Other 
> than that, this is the right general idea.

hehe yeah yeah not my network, i added to access.
> 
> Whether this is the right place to add the access table depends on where your 
> reject_unknown_client is.  The whitelist and reject_unknown_client must be in 
> the same section.

is it okay to have the warn_if_reject reject_unknown_client in 
smtpd_recipient_restrictions, I had read somewhere it was better to reject 
after client and helo because the client would just hang up and try again.
right now I have the restriction in recipient. and I also have a 
check_recipient_access hash:/etc/postfix/recipient_access. So i must place it 
in there. 
-j

> 
> 
>  -- Noel Jones
> 



warn_if_reject reject_unknown_client

2010-08-12 Thread donovan jeffrey j
greetings

all day long I see  tons of reject warnings from different ips sample
reject_warning: RCPT from unknown[65.60.20.157]: 450 Client host rejected: 
cannot find your hostname, [65.60.20.157];

when I do an nslookup or host that IP it returns a 157.20.60.65.in-addr.arpa 
domain name pointer sh4.amazingfireman.info

but dig returns nothing so postfix returns a reject warning. 
Much of this mail is unwanted , i want to block the majority of these however I 
do not want to block users that use a colocation site or legit users;

example; i know these people are legit but have no control over their mailserver
reject_warning: RCPT from unknown[209.131.70.106]: 450 Client host rejected: 
cannot find your hostname, [209.131.70.106]; from= 

Non-authoritative answer:
106.70.131.209.in-addr.arpa name = ip70-106-tcpbbs.net.

dig shows nothing for that ip but they do have an mx record under their domain 
name dhuy.com

;; ANSWER SECTION:
dhuy.com.   1595    IN  MX  10 mail.dhuy.com.

Name:   mail.dhuy.com
Address: 209.131.70.106

nc1-100:~ drfoo$ host 209.131.70.106
106.70.131.209.in-addr.arpa domain name pointer ip70-106-tcpbbs.net

it goes in a circle. 

So in hopes that i can allow them to pass i have added the IP  to my 
smtpd_client_restrictions = permit_mynetworks check_client_access 
hash:/etc/postfix/access
is that the right approach ?

insight and flames welcome
-j
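
The "ip = name and name = ip" test from the reverse-DNS post above, applied to the lookups reported in this post, as an added example (not code from the thread or from Postfix). classify_client, verdicts and the lookup tables are constructed for illustration: the two addresses from the post carry only what the post reports (a PTR name with no forward answer), the 192.0.2.x and 198.51.100.x entries are documentation addresses, and using only the first PTR name is an assumption of this sketch.

```python
import socket


def system_ptr(ip):
    """PTR lookup through the system resolver; [] when there is no name."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def system_addrs(name):
    """Forward lookup through the system resolver; [] when it fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def classify_client(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return 'no_ptr', 'forward_missing', 'forward_mismatch' or 'confirmed'."""
    names = ptr_lookup(ip)
    if not names:
        return "no_ptr"                      # address has no name at all
    name = names[0].rstrip(".").lower()      # assumption: first PTR name only
    addrs = addr_lookup(name)
    if not addrs:
        return "forward_missing"             # name exists but does not resolve
    if ip not in addrs:
        return "forward_mismatch"            # name resolves to someone else
    return "confirmed"                       # ip -> name -> same ip


def verdicts(status):
    """Which restriction would fire for a given classification."""
    return {
        # Needs only an address-to-name mapping.
        "reject_unknown_reverse_client_hostname": status == "no_ptr",
        # Needs the full round trip (named reject_unknown_client before 2.3).
        "reject_unknown_client_hostname": status != "confirmed",
    }


# Constructed tables. The first two PTR entries mirror the post; the forward
# table has no entry for either PTR name, matching "dig shows nothing".
SAMPLE_PTR = {
    "65.60.20.157": ["sh4.amazingfireman.info."],
    "209.131.70.106": ["ip70-106-tcpbbs.net."],
    "192.0.2.10": ["mail.example.com."],
    "192.0.2.20": ["ns1.example.com."],
}
SAMPLE_A = {
    "mail.dhuy.com": ["209.131.70.106"],
    "mail.example.com": ["192.0.2.10"],
    "ns1.example.com": ["192.0.2.21"],
}


def sample_classify(ip):
    """classify_client against the constructed tables, no network needed."""
    return classify_client(ip,
                           lambda addr: SAMPLE_PTR.get(addr, []),
                           lambda name: SAMPLE_A.get(name, []))


if __name__ == "__main__":
    for ip in list(SAMPLE_PTR) + ["198.51.100.7"]:
        status = sample_classify(ip)
        fired = [k for k, v in verdicts(status).items() if v]
        print(f"{ip:16} {status:17} {', '.join(fired) or 'passes both'}")
```

The MX record for dhuy.com pointing at mail.dhuy.com plays no part in this check; only the PTR name of the connecting address is followed back.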




Re: need help with forged To and From

2010-08-08 Thread donovan jeffrey j

On Aug 8, 2010, at 2:16 PM,  
 wrote:

> http://www.openspf.org/
> 

thanks for the reply,
since this is not postfix related. I have to go off list. but before I go

i get a little confused when reading the SPF docs. It seems too easy.
from what i understand I can add a TXT line in my dns config,
@   IN  TXT "v=spf1 a:example.com -all"

or 

example.com.    10800   IN  TXT "v=spf1 a:host.example.com -all"


do i apply this for the whole domain or just what hosts I authorize to send 
mail.
Do i need to apply a record for my MX server ?

The only systems that should be sending mail with my domain are two SMTP 
relays.; smtp1 and smtp2 respectively.
-j

need help with forged To and From

2010-08-08 Thread donovan jeffrey j
greetings

this weekend I have been hit with a ton of forged spam messages.
here is a sample header


From:       realu...@beth.k12.pa.us
Subject:    realu...@beth.k12.pa.us 62% OFF on Pfizer!
Date:       August 8, 2010 9:41:57 AM EDT
To:         realu...@beth.k12.pa.us
Return-Path:
Received:   from murder ([unix socket]) by bragg.beth.k12.pa.us (Cyrus 
v2.2.12-OS X 10.4.8) with LMTPA; Sun, 08 Aug 2010 09:43:46 -0400
Received:   from smtp3.beth.k12.pa.us (smtp3.beth.k12.pa.us [10.135.1.13]) 
by bragg.beth.k12.pa.us (Postfix) with ESMTP id A327A3D8EE95 for 
; Sun,  8 Aug 2010 09:43:46 -0400 (EDT)
Received:   from localhost (mx2.beth.k12.pa.us [10.135.1.23]) by 
smtp3.beth.k12.pa.us (Postfix) with ESMTP id 2D14229B0822 for 
; Sun,  8 Aug 2010 09:41:49 -0400 (EDT)
Received:   from mx2.beth.k12.pa.us ([127.0.0.1]) by localhost 
(mx2.beth.k12.pa.us [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 
k3Z44V0jwgqW for ; Sun,  8 Aug 2010 09:41:48 -0400 
(EDT)
Received:   from mail2.beth.k12.pa.us (mail2.beth.k12.pa.us [192.227.0.10]) 
by mx2.beth.k12.pa.us (Postfix) with ESMTP id AB7AD1F60ED for 
; Sun,  8 Aug 2010 09:41:48 -0400 (EDT)
Received:   from 21-182-134-95.pool.ukrtel.net 
(21-182-134-95.pool.ukrtel.net [95.134.182.21]) by mail2.beth.k12.pa.us 
(Postfix) with ESMTP id BFDF110E19A4 for ; Sun,  8 Aug 
2010 09:41:57 -0400 (EDT)
X-Sieve:    CMU Sieve 2.2
X-Virus-Scanned:    amavisd-new at beth.k12.pa.us
Mime-Version:   1.0
Content-Type:   text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding:  7bit
Message-Id: <20100808134157.bfdf110e1...@mail2.beth.k12.pa.us>


it seems that each of my users has received one of these. I have so many 
restrictions in place that I'm not sure where to look at this point.

here are my restrictions on my mx;
smtpd_client_restrictions = permit_mynetworks, check_client_access 
hash:/etc/postfix/access, hash:/etc/postfix/smtpdreject  reject_rbl_client 
zen.spamhaus.org reject_rbl_client cbl.abuseat.org  reject_rbl_client 
bl.spamcop.net permit
smtpd_data_restrictions = check_sender_access hash:/etc/postfix/backscatter
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access 
hash:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/recipient_access check_sender_mx_access 
cidr:/etc/postfix/reject_private_mx.cidr warn_if_reject reject_unknown_client, 
reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_unlisted_sender, permit_mynetworks, 
reject_non_fqdn_recipient, reject_invalid_hostname, 
reject_unknown_recipient_domain, reject_unauth_destination, 
reject_unlisted_recipient, reject_unauth_pipelining,
reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, permit
smtpd_restriction_classes = reject_ndn
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = 
reject_non_fqdn_sender,reject_unknown_sender_domain, check_recipient_access 
hash:/etc/postfix/backscatter_recipient


I do have header checks that should thwart this I thought;

#   HEADER_CHECKS(5)
/^Received:.*by beth.k12.pa.us/ REJECT Forged hostname in Received header
if /^Received:/
/^Received: +from +(beth\.k12\.pa\.us) +/   reject forged client name in 
Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)/   
reject forged client name in Received: header: $1
/^Received:.* +by +(beth\.k12\.pa\.us)[[:>:]]/  reject forged mail server name 
in Received: header: $1
endif

did I miss something ?
-j



Re: starttls testing

2010-07-31 Thread donovan jeffrey j

On Jul 31, 2010, at 11:11 AM, Magnus Bäck wrote:

> On Friday, July 30, 2010 at 19:47 CEST,
> donovan jeffrey j  wrote:
> 
> [...]
> 
>> There is no smtpd.conf that defines what SASL should do for Postfix.
>> SMTP AUTH can't work!
> 
> This is bad.
> 
> http://www.postfix.org/SASL_README.html#server_sasl
> 
> Apple has patched Postfix so you may need to read the Apple
> documentation.
> 
>> smtp2:/usr/local/saslfinger-1.0.3 root# ./saslfinger -c
>> saslfinger - postfix Cyrus sasl configuration Fri Jul 30 13:46:42 EDT 2010
>> version: 1.0.2
>> mode: client-side SMTP AUTH
> 
> I assume the previous output was for server-side SASL (which is what
> you're after). Never mind client-side SASL for now.

thanks for the reply

this is an older 10.4 machine. I just tested it with a 10.4.11 I just enabled 
their gui for smtpd Auth
the result matched my config but i received the same test results;

client side starttls it just sits and waits.
10.4.11
imap2:~ root# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 imap2.beth.k12.pa.us ESMTP Postfix
EHLO imap2.beth.k12.pa.us
250-imap2.beth.k12.pa.us
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME




then I tested it with 10.5.8 and 10.6
map3:postfix root# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 imap3.beth.k12.pa.us ESMTP Postfix
EHLO imap3.beth.k12.pa.us
250-imap3.beth.k12.pa.us
250-PIPELINING
250-SIZE 15728640
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN CRAM-MD5
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


server side.

is it bad to have some clients initiate the Starttls ?
-j
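
The two telnet captures above can be read mechanically: a reply line with a hyphen after the code continues, a space after the code ends the reply, and every keyword listed was offered before any TLS handshake. The script below is an added example, not code from the thread; parse_ehlo and audit_plaintext_ehlo are hypothetical names, and the sample replies are copied from the 10.4.11 and 10.5.8 sessions in this post.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
# SASL mechanisms that send the password itself (base64 is not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(lines):
    """Parse one multi-line SMTP reply into (code, complete, extensions)."""
    code, complete, extensions = None, False, {}
    for n, raw in enumerate(lines):
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if m is None:
            raise ValueError(f"not an SMTP reply line: {raw!r}")
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changed inside one reply")
        if n > 0:  # line 0 carries the server's name, not a keyword
            # "AUTH=LOGIN PLAIN" is a legacy spelling of "AUTH LOGIN PLAIN".
            words = m.group(3).replace("=", " ").split()
            if words:
                extensions.setdefault(words[0].upper(), []).extend(
                    w.upper() for w in words[1:])
        if m.group(2) == " ":  # space after the code: last line of the reply
            complete = True
            break
    return code, complete, extensions


def audit_plaintext_ehlo(lines):
    """Summarise what a server offers on a connection that is not yet encrypted."""
    code, complete, ext = parse_ehlo(lines)
    mechs = ext.get("AUTH", [])
    return {
        "ok": code == "250",
        "complete": complete,  # False means the client must keep reading
        "starttls": "STARTTLS" in ext,
        "auth_mechs": mechs,
        "cleartext_auth_before_tls": sorted(set(mechs) & CLEARTEXT_MECHS),
    }


# Copied from the 10.4.11 session above.
EHLO_10_4_11 = [
    "250-imap2.beth.k12.pa.us",
    "250-PIPELINING",
    "250-SIZE 20971520",
    "250-VRFY",
    "250-ETRN",
    "250-STARTTLS",
    "250 8BITMIME",
]

# Copied from the 10.5.8 session above.
EHLO_10_5_8 = [
    "250-imap3.beth.k12.pa.us",
    "250-PIPELINING",
    "250-SIZE 15728640",
    "250-VRFY",
    "250-ETRN",
    "250-AUTH LOGIN PLAIN CRAM-MD5",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]

if __name__ == "__main__":
    for label, reply in (("10.4.11", EHLO_10_4_11), ("10.5.8", EHLO_10_5_8)):
        print(label, audit_plaintext_ehlo(reply))
```

Postfix's smtpd_tls_auth_only = yes keeps AUTH out of the pre-TLS EHLO reply, so the mechanisms should then appear only in a second EHLO sent after STARTTLS.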

Re: starttls testing

2010-07-30 Thread donovan jeffrey j

On Jul 30, 2010, at 11:50 AM, Magnus Bäck wrote:

> On Friday, July 30, 2010 at 17:33 CEST,
> donovan jeffrey j  wrote:
> 
>> I have an older relay system accept ssl on port 25, it seems to be
>> working, but when i test it, STARTTLS shows up but then the session
>> stalls like it's waiting for me to do something. -probably i do.
>> 
>> smtp2:/etc/postfix root# telnet 127.0.0.1 25
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 smtp2.beth.k12.pa.us ESMTP Postfix
>> EHLO beth.k12.pa.us
>> 250-smtp2.beth.k12.pa.us
>> 250-PIPELINING
>> 250-SIZE 26214400
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250 8BITMIME
> 
> As indicated by the lacking hyphen between 250 and 8BITMIME on the final
> line, that's the final line of the server's response. It's then the
> client's turn to send the next command. There is no AUTH line in the
> EHLO response so for some reason Postfix doesn't accept authentication.
> 
>> what comes next ? i would expect AUTH types. Do I have to initiate an
>> auth sequence ?
>> 
>> postconf
>> 
>> smtpd_enforce_tls = yes
>> smtpd_pw_server_security_options = login,cram-md5,plain,gssapi
>> smtpd_recipient_restrictions = 
>> permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
>> smtpd_sasl_auth_enable = yes
>> smtpd_tls_cert_file = /etc/certificates/Default.crt
>> smtpd_tls_key_file = /etc/certificates/Default.key
>> smtpd_use_pw_server = yes
>> smtpd_use_tls = yes
> 

alias_maps = hash:/etc/aliases,ldap:/etc/postfix/ldaplocal
always_bcc = basdarch...@beth.k12.pa.us
bounce_queue_lifetime = 5m
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
local_recipient_maps = ldap:/etc/postfix/ldaplocal $alias_maps
luser_relay = lukeskywalker
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 26214400
mydestination = $myhostname,localhost.$mydomain,localhost,smtp,smtp2
mydomain = beth.k12.pa.us
mydomain_fallback = beth.k12.pa.us
myhostname = smtp2.beth.k12.pa.us
mynetworks = 127.0.0.1/32,etc..
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_enforce_tls = yes
smtpd_pw_server_security_options = login,cram-md5,plain,gssapi
smtpd_recipient_restrictions = 
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/certificates/Default.crt
smtpd_tls_key_file = /etc/certificates/Default.key
smtpd_use_pw_server = yes
smtpd_use_tls = yes
soft_bounce = no
transport_maps = ldap:/etc/postfix/ldaptransport
unknown_local_recipient_reject_code = 550


> Please post at least full "postconf -n" output, or even better
> saslfinger output (Google it).
-- basics --
Postfix: 2.1.5
System: Welcome to Darwin!

-- smtpd is linked to --
./saslfinger: line 1: ldd: command not found
./saslfinger: line 1: ldd: command not found

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/certificates/Default.crt
smtpd_tls_key_file = /etc/certificates/Default.key
smtpd_use_tls = yes


-- listing of /usr/lib/sasl2 --
total 2416
drwxr-xr-x40 root  wheel1360 Nov 20  2008 .
drwxr-xr-x   282 root  wheel9588 Dec  8  2009 ..
-rw-r--r-- 1 root  wheel 631 Mar 20  2005 apop.la
-r-xr-xr-x 1 root  wheel   17496 Mar 20  2005 apop.so
-rwxr-xr-x 1 root  wheel 629 Mar 20  2005 dhx.la
-r-xr-xr-x 1 root  wheel  598600 Jan 30  2006 dhx.so
-rw-r--r-- 1 root  wheel 653 Mar 20  2005 digestmd5WebDAV.la
-r-xr-xr-x 1 root  wheel   43132 Mar 20  2005 digestmd5WebDAV.so
drwxr-xr-x 9 root  wheel 306 Nov 20  2008 disabled
-r-xr-xr-x 1 root  wheel   17660 Mar 20  2005 libanonymous.2.so
-rw-r--r-- 1 root  wheel 694 Mar 20  2005 libanonymous.la
-r-xr-xr-x 1 root  wheel   17740 Mar 20  2005 libcrammd5.2.so
-rw-r--r-- 1 root  wheel 682 Mar 20  2005 libcrammd5.la
-r-xr-xr-x 1 root  wheel   47228 Jan 19  2007 libdigestmd5.2.so
-rw-r--r-- 1 root  wheel 703 Mar 20  2005 libdigestmd5.la
-r-xr-xr-x 1 root  wheel   22688 Jan 19  2007 libgssapiv2.2.0.18.so
-r-xr-xr-x 1 root  wheel   22688 Jan 19  2007 libgssapiv2.2.so
-rw-r--r-- 1 root  wheel 739 Mar 20  2005 libgssapiv2.la
-r-xr-xr-x 1 root  wheel   22504 Mar 

starttls testing

2010-07-30 Thread donovan jeffrey j
Greetings

I have an older relay system accept ssl on port 25, it seems to be working, but 
when i test it, STARTTLS shows up but then the session stalls like it's waiting 
for me to do something. -probably i do.

smtp2:/etc/postfix root# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp2.beth.k12.pa.us ESMTP Postfix
EHLO beth.k12.pa.us
250-smtp2.beth.k12.pa.us
250-PIPELINING
250-SIZE 26214400
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME

what comes next ? i would expect AUTH types. Do I have to initiate an auth 
sequence ?

postconf

smtpd_enforce_tls = yes
smtpd_pw_server_security_options = login,cram-md5,plain,gssapi
smtpd_recipient_restrictions = 
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/certificates/Default.crt
smtpd_tls_key_file = /etc/certificates/Default.key
smtpd_use_pw_server = yes
smtpd_use_tls = yes


-j
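The point made in the reply about the final `250 ` line (a space instead of a hyphen) and the missing AUTH keyword can be checked mechanically. The sketch below is an added example, not code from any poster in this thread: it parses the two EHLO replies shown in these messages and reports whether password-carrying AUTH mechanisms are offered before STARTTLS. The function names and finding codes are made up for illustration.

```python
"""Parse SMTP EHLO replies and report how AUTH is exposed relative to STARTTLS."""

# EHLO replies copied from the telnet transcripts in this thread.
SMTP2_REPLY = [
    "250-smtp2.beth.k12.pa.us",
    "250-PIPELINING",
    "250-SIZE 26214400",
    "250-VRFY",
    "250-ETRN",
    "250-STARTTLS",
    "250 8BITMIME",
]
IMAP3_REPLY = [
    "250-imap3.beth.k12.pa.us",
    "250-PIPELINING",
    "250-SIZE 15728640",
    "250-VRFY",
    "250-ETRN",
    "250-AUTH LOGIN PLAIN CRAM-MD5",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]

# Mechanisms that send the password itself (base64 is an encoding, not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply_lines):
    """Return (hostname, {KEYWORD: [params]}) for one complete EHLO reply.

    Every line but the last starts with "250-"; the last starts with "250 ",
    which is how the client knows the server has finished and it is its turn.
    """
    hostname, caps, done = None, {}, False
    for raw in reply_lines:
        line = raw.rstrip("\r\n")
        if done:
            raise ValueError("line after the final '250 ' line: %r" % line)
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("not a 250 reply line: %r" % line)
        words = line[4:].split()
        if not words:
            raise ValueError("empty reply line: %r" % line)
        if hostname is None:
            hostname = words[0]          # first line carries the server name
        else:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
        done = line[3] == " "
    if not done:
        raise ValueError("reply incomplete: no final '250 ' line seen")
    return hostname, caps


def audit(caps):
    """Return (code, detail) findings for a capability set seen before TLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append(("no-starttls", "session cannot be upgraded to TLS"))
    if "AUTH" in caps:
        exposed = sorted(CLEARTEXT_MECHS & set(caps["AUTH"]))
        if exposed:
            findings.append(("cleartext-auth-before-tls", " ".join(exposed)))
    else:
        # The capability list can differ after STARTTLS, so a second EHLO
        # inside the TLS session is needed before concluding AUTH is off.
        findings.append(("auth-not-announced-pre-tls",
                         "send STARTTLS, then EHLO again and re-check"))
    return findings


if __name__ == "__main__":
    for reply in (SMTP2_REPLY, IMAP3_REPLY):
        host, caps = parse_ehlo(reply)
        print(host, audit(caps))
```

To see the capability list a server announces inside TLS, `openssl s_client -starttls smtp -connect 127.0.0.1:25` followed by a second EHLO gives the reply to feed to the same parser.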

Re: too much config version 2.5.5,

2010-07-29 Thread donovan jeffrey j

On Jul 29, 2010, at 9:33 AM, Wietse Venema wrote:

> donovan jeffrey j:
>> 
>> On Jul 29, 2010, at 7:16 AM, Wietse Venema wrote:
>> 
>>> The simplest way to upgrade an existing configuration is:
>>> 
>>> - Back up the new main.cf, master.cf, postfix-files, postfix-script
>>> and post-install files.
>>> 
>>> - Install the old main.cf and old master.cf and any files that
>>> you have added to the old Postfix setup. 
>>> 
>>> - DO NOT INSTALL THE OLD POSTFIX-FILES, POSTFIX-SCRIPT AND POST-INSTALL
>>> FILES.  You must use the new versions of those files.
>>> 
>>> - Execute (as root): "postfix upgrade-configuration". This will
>>> update the old main.cf and old master.cf files and add missing 
>>> entries that Postfix needs.
>>> 
>>> This procedure assumes that your vendor did not break "postfix
>>> upgrade-configuration" or any of the files that it depends on.
>>> 
>>> Wietse
>> 
>> thanks Wietse
>> 
>> these two systems have different mailbox_transports
>> mailbox_transport = dovecot
>> mailbox_transport = cyrus
>> 
>> is it as simple as switching these two ? or are there any other 
>> considerations.
> 
> You'll also need to configure the receiving end (dovecot or cyrus).

for right now, there are no users on this server. there will only be a 
junkmail/nojunkmail folder.
all mailboxes are on other servers i have an external relay at 
server.mydomain:2525 picking up and delivering this system i want dedicated to 
filtering content.

> 
>> i have also needed to change the user and group info
>> 
>> mail_owner = postfix to mail_owner = _postfix
>> setgid_group = postdrop to setgid_group = _postdrop
> 
> My procedure above is for upgrading an existing setup when there
> are no other changes.
> 
> If the new system has different usernames or pathnames etc.  then
> you'll need to put that into the new Postfix configuration.
> 
>   Wietse


thanks for the reply, i did the update and have no errors on postfix check.

i have setup a test on my mx server to transport mail for 
lukeskywal...@beth.k12.pa.us to mx2.beth.k12.pa.us ( my new 10.6 filter )

so far my mail2 primary mx can send to the filter (mx2). Mx2 ;postfix  picks up 
and sends to amavis. then I get some 554 error,.. I'm not sure who is 
complaining.

Jul 29 10:20:08 mx2 postfix/smtpd[63722]: connect from 
mail2.beth.k12.pa.us[192.227.0.10]
Jul 29 10:20:08 mx2 postfix/smtpd[63722]: 15B7551C06DA: 
client=mail2.beth.k12.pa.us[192.227.0.10]
Jul 29 10:20:08 mx2 postfix/cleanup[63726]: 15B7551C06DA: 
message-id=<0d766f25-ec81-452b-9f77-f4c2a0ce2...@gmail.com>
Jul 29 10:20:08 mx2 postfix/qmgr[63217]: 15B7551C06DA: 
from=, size=2231, nrcpt=1 (queue active)
Jul 29 10:20:11 mx2 postfix/smtp[63727]: 15B7551C06DA: 
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=3.4, 
delays=0.01/0.01/0.01/3.3, dsn=5.1.0, status=bounced (host 127.0.0.1[127.0.0.1] 
said: 554 5.1.0 Failed, id=63219-01, from MTA([smtp.beth.k12.pa.us]:2525): 554 
: Client host rejected: Access denied (in 
reply to end of DATA command))

so amavis picks it up then someone says access denied. my next relay is sitting 
at " smtp.beth.k12.pa.us:2525 " so it looks like that MTA is complaining about 
MX2 sending to it. maybe because it says its hostname is localhost ???

this below is another issue where the bounce can't leave the building.

Jul 29 10:20:11 mx2 postfix/cleanup[63726]: 6C64951C06E7: 
message-id=<20100729142011.6c64951c0...@mx1.beth.k12.pa.us>
Jul 29 10:20:11 mx2 postfix/bounce[63731]: 15B7551C06DA: sender non-delivery 
notification: 6C64951C06E7
Jul 29 10:20:11 mx2 postfix/qmgr[63217]: 6C64951C06E7: from=<>, size=4388, 
nrcpt=1 (queue active)
Jul 29 10:20:11 mx2 postfix/qmgr[63217]: 15B7551C06DA: removed
Jul 29 10:20:11 mx2 postfix/smtp[63732]: connect to 
gmail-smtp-in.l.google.com[74.125.91.27]:25: Connection refused
Jul 29 10:20:11 mx2 postfix/smtp[63732]: connect to 
alt1.gmail-smtp-in.l.google.com[74.125.77.27]:25: Connection refused
Jul 29 10:20:11 mx2 postfix/smtp[63732]: connect to 
alt2.gmail-smtp-in.l.google.com[74.125.43.27]:25: Connection refused
Jul 29 10:20:11 mx2 postfix/smtp[63732]: connect to 
alt3.gmail-smtp-in.l.google.com[74.125.155.27]:25: Connection refused
Jul 29 10:20:11 mx2 postfix/smtp[63732]: connect to 
alt4.gmail-smtp-in.l.google.com[74.125.157.27]:25: Connection refused
Jul 29 10:20:11 mx2 postfix/smtp[63732]: 6C64951C06E7: to=, 
relay=none, delay=0.03, delays=0/0.01/0.01/0, dsn=4.4.1, status=deferred 
(connect to alt4.gmail-smtp-in.l.google.com[74.125.157.27]:25: Connection 
refused)



postconf from MX2
command_directory = /usr/sbin
config_directory = /etc/postfix
content_

Re: too much config version 2.5.5,

2010-07-29 Thread donovan jeffrey j

On Jul 29, 2010, at 7:16 AM, Wietse Venema wrote:

> The simplest way to upgrade an existing configuration is:
> 
> - Back up the new main.cf, master.cf, postfix-files, postfix-script
> and post-install files.
> 
> - Install the old main.cf and old master.cf and any files that
> you have added to the old Postfix setup. 
> 
> - DO NOT INSTALL THE OLD POSTFIX-FILES, POSTFIX-SCRIPT AND POST-INSTALL
> FILES.  You must use the new versions of those files.
> 
> - Execute (as root): "postfix upgrade-configuration". This will
> update the old main.cf and old master.cf files and add missing 
> entries that Postfix needs.
> 
> This procedure assumes that your vendor did not break "postfix
> upgrade-configuration" or any of the files that it depends on.
> 
>   Wietse

thanks Wietse

these two systems have different mailbox_transports
mailbox_transport = dovecot
mailbox_transport = cyrus

is it as simple as switching these two ? or are there any other considerations.
i have also needed to change the user and group info

mail_owner = postfix to mail_owner = _postfix
setgid_group = postdrop to setgid_group = _postdrop

-j



too much config version 2.5.5,

2010-07-28 Thread donovan jeffrey j
version 2.5.5,

greetings
I'm upgrading a couple of xserves to 10.6 from 10.4. the main.cf used to be 
pretty straightforward. The default main.cf on 10.6 snow leopard server has 
overwhelmed my old eyeballs. many new lines, most i understand, but they pretty 
much list every option known to man. anyhoo. 

I want to use this system to pickup with postfix, send it to amavis and have 
either postfix or amavis relay to another server.

from what i can remember in main.cf

content_filter = smtp-amavis:[127.0.0.1]:10024
this should send to amavis right ?



then in amavisd.conf
$forward_method = 'smtp:smtp.beth.k12.pa.us:2525';

after scanning relay to another system on port 2525

I just want to make sure i have that config down, I don't want the mail to stop 
and stay on this server. Do I have to add a transport or edit the master to 
make sure mail hits the content filter?
-j

Re: regular expression in header_check question

2010-05-04 Thread donovan jeffrey j

On May 4, 2010, at 3:23 AM, Ansgar Wiechers wrote:

> On 2010-05-03 donovan jeffrey j wrote:
>> I'm working on a header check to filter out anything that says Viagra
>> in the From: line. My question,.. is how do I handle the quotes ?
>> 
>> here is a sample header
>> 
>> From: "Viagra US supplier" 
>> From: "Viagra US dealer" 
>> 
>> 
>> here is what i want to use , is this the correct syntax or do I need to 
>> double quote those quotes somehow.
>> 
>> /^From: "Viagra US supplier"/   DISCARD viagra foo
>> /^From: "Viagra US dealer"/  DISCARD viagra foo
> 
> /^From: .*viagra/  DISCARD viagra foo
> 

what does the dot asterisk do ?
will that cover the ( "  " ) quotes?
-j

regular expression in header_check question

2010-05-03 Thread donovan jeffrey j
Greetings

I'm working on a header check to filter out anything that says Viagra in the 
From: line. My question,.. is how do I handle the quotes ?

here is a sample header

From: "Viagra US supplier" 
From: "Viagra US dealer" 


here is what i want to use , is this the correct syntax or do I need to double 
quote those quotes somehow.

/^From: "Viagra US supplier"/   DISCARD viagra foo
/^From: "Viagra US dealer"/ DISCARD viagra foo

-j

Re: DNS RBL error

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 9:22 PM, Steve wrote:

> You can run that caching DNS where ever you want as long as you secure that 
> DNS. If you use BIND and are using forwarders to your ISP name servers then 
> that caching will not necessarily help much if your ISP's NS are the problem.
> 
thanks for the reply.
this is where i get upside down.

if I'm caching only on localhost 127.0.0.1, and I point my OS to use local dns, 
it will query root servers correct ?
but sitting on the inside behind a NATed ip , how then does it resolve internal 
hosts if I'm resolving from root servers ? i guess i could pull secondary from 
internal dns server, but I do not want addresses to bleed over.- sorry i know " 
not a postfix thread issue. just trying to make sure my requests are coming out 
correctly.
-j

> If this would be the case then instruct your BIND to forward queries for 
> spamhaus.org directly to their name servers instead going over your ISP's 
> name servers. Something like that here below might be helpful to you:
> --
> zone "spamhaus.org" in {
>     type forward;
>     allow-query { 127.0.0.1; };
>     forwarders {
>         82.94.216.239;   // ns8.spamhaus.org
>         194.82.174.6;    // ns20.ja.net
>         149.20.58.65;    // ns.dns-oarc.net
>         194.109.9.101;   // ns3.xs4all.nl
>         207.241.224.5;   // ns2.spamhaus.org
>         192.150.94.200;  // ns3.spamhaus.org
>         195.169.124.71;  // ns3.surfnet.nl
>     };
> };
> --
> 

i will keep this handy. i could have used this snippet this morning. :)

> Keep in mind that the NS list for spamhaus.org could change in the future. If 
> that happens then you need to update that forwarders list from above.
> 
as in most things these days. thanks.
> Keep in mind that if you put out that server on the net that you update the 
> list of IPs allowed to query that zone by updating allow-query. Most likely 
> you will not need to do anything because you are not authoritative for that 
> domain/zone but god only knows what else you will add to your named.conf so 
> limiting additionally inside the zone will not do any harm.



Re: DNS RBL error

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
> 
> Rather test with:
> 2.0.0.127.zen.spamhaus.org
> 
> which should return:
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10

yes this is working now.

question on my setup. my primary MX server sits inside my network, with a NATed 
IP. my postfix config references only the inside network.
should i move this MX server outside and use it's public address in the config 
? inbound mail gets checked and relayed to a content filter on another server.

mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16

or am i fine leaving it behind the NAT ?
to help fix the dns problem i want to run a cache only dns on the primary mx. 
Not sure i wanted that inside or outside. i'm leaning to outside.
tips flames welcome

-j

Re: DNS RBL error ::solved::

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 12:58 PM, Wietse Venema wrote:

> donovan jeffrey j:
>> by the time i typed this email. i got an authoritative answer; 
>> 
>> dns:~ root# nslookup 2.0.0.127.zen.spamhaus.org
>> Server: 209.96.96.2
>> Address:209.96.96.2#53
> 
> You should do such tests as a non-root user. Postfix does not query
> the DNS as root.
> 
>   Wietse

thank you,

rbl seems to be working again. dns seemed to be stuck some where.
blocked using zen.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=24.15.115.211;

a little time and a few kicks here and there. and voilà.

:~ foo# nslookup 2.0.0.127.zen.spamhaus.org
Server: 209.96.96.2
Address:209.96.96.2#53

Non-authoritative answer:
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.10
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.2
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.4

i don't think I did anything other than stop lookups for a bit.
thanks for your assistance.
-j





Re: DNS RBL error

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 12:36 PM, /dev/rob0 wrote:

> On Mon, Apr 19, 2010 at 08:31:19AM -0400, donovan jeffrey j wrote:
>> abuseat.org is working fine. I'm only having trouble with zen.
>> Apr 19 08:29:12 mail2 postfix/smtpd[21642]: NOQUEUE: reject: RCPT 
>> from unknown[117.201.68.108]: 554 Service unavailable; Client host 
>> [117.201.68.108] blocked using cbl.abuseat.org; Blocked - see 
>> http://cbl.abuseat.org/lookup.cgi?ip=117.201.68.108; 
>> from= to= proto=ESMTP 
> 
> Whilst it appears that the DNS problem has been sorted, I'm going to 
> suggest a different approach to this one.
> 
>> helo=<[117.201.69.50]>
>> 
>> any ideas ?
> 
> The bracketed IP address is a valid HELO, commonly seen from your 
> authenticating clients. There is no reason why a real MTA should be 
> using such a HELO. I block these with a pcre: map.
> 
> !/[[:alpha:]]/  502 5.5.4
>    We find that all-numeric EHLO/HELO greetings are usually
>    spam. If not, please ask your postmaster to correct the
>    server's EHLO/HELO greeting.
> !/\./   502 5.5.4
>    We find that non-qualified EHLO/HELO greetings are usually
>    spam. If not, please ask your postmaster to correct the
>    server's EHLO/HELO greeting.
> 
> This would fall under the first condition, "a helo which contains no 
> alpha characters." The second condition is my own reimplementation of 
> Postfix's built-in reject_non_fqdn_helo_hostname restriction.
> 
> Obviously these MUST NOT be applied to authenticating users, same as 
> with Zen. Precede this lookup with your permit_* restrictions for 
> relaying users (and move submission off of port 25, if applicable.)
> -- 
>Offlist mail to this address is discarded unless
>"/dev/rob0" or "not-spam" is in Subject: header
> 

thanks rob, I will chew on this for weeks I'm sure. right now I'm trying to 
figure out why my dns server won't speak to spamhaus.
-- oh wait.,


by the time i typed this email. i got an authoritative answer; 

dns:~ root# nslookup 2.0.0.127.zen.spamhaus.org
Server: 209.96.96.2
Address:209.96.96.2#53

Non-authoritative answer:
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.2
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.4
Name:   2.0.0.127.zen.spamhaus.org
Address: 127.0.0.10


i removed the rbl from main.cf and kicked postfix. now dns can at least 
query. I don't know what was up with that.
do i dare put it back now? some strange foo.
-j
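Both the header_checks rules discussed earlier on this page and the HELO map quoted in this message are Postfix regexp/pcre-style tables: `[!]/pattern/flags result`, first match wins, matching is case-insensitive unless the `i` flag toggles it, and indented lines continue the previous rule. The evaluator below is an added example, not Postfix code and not from any poster; it handles only the `i` flag, translates POSIX classes such as `[:alpha:]` to Python equivalents as an approximation, and uses constructed `example.invalid` addresses in the sample headers.

```python
import re

# Python's re has no POSIX classes; translate the ones needed here (approximation).
POSIX_CLASSES = {"[:alpha:]": "a-zA-Z", "[:digit:]": "0-9", "[:alnum:]": "a-zA-Z0-9"}


def logical_lines(text):
    """Join continuation lines (leading whitespace); drop blanks and # comments."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def parse_rule(line):
    """Split '[!]/pattern/flags result' into (negate, compiled regex, result)."""
    negate = line.startswith("!")
    body = line[1:] if negate else line
    if not body.startswith("/"):
        raise ValueError("rule must start with /pattern/: %r" % line)
    end = 1
    while end < len(body) and body[end] != "/":
        end += 2 if body[end] == "\\" else 1      # skip escaped characters
    if end >= len(body):
        raise ValueError("unterminated pattern: %r" % line)
    pattern = body[1:end]
    m = re.match(r"([A-Za-z]*)\s+(\S.*)$", body[end + 1:])
    if not m:
        raise ValueError("missing whitespace or result after pattern: %r" % line)
    flags, result = m.groups()
    if flags.strip("i"):
        raise ValueError("only the i flag is handled in this sketch: %r" % flags)
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    # Case-insensitive by default; each "i" toggles that.
    ignore_case = flags.count("i") % 2 == 0
    return negate, re.compile(pattern, re.I if ignore_case else 0), result


def load_table(text):
    return [parse_rule(line) for line in logical_lines(text)]


def lookup(table, key):
    """Return the result of the first rule that fires for key, else None."""
    for negate, regex, result in table:
        # A "!" rule fires when the pattern is NOT found in the key.
        if bool(regex.search(key)) != negate:
            return result
    return None


# Rules as posted in this thread.
LITERAL_RULES = load_table('''
/^From: "Viagra US supplier"/   DISCARD viagra foo
/^From: "Viagra US dealer"/     DISCARD viagra foo
''')
WILDCARD_RULES = load_table("/^From: .*viagra/  DISCARD viagra foo\n")
HELO_RULES = load_table(r'''
!/[[:alpha:]]/  502 5.5.4
   We find that all-numeric EHLO/HELO greetings are usually
   spam. If not, please ask your postmaster to correct the
   server's EHLO/HELO greeting.
!/\./   502 5.5.4
   We find that non-qualified EHLO/HELO greetings are usually
   spam. If not, please ask your postmaster to correct the
   server's EHLO/HELO greeting.
''')

if __name__ == "__main__":
    # Constructed headers; the addresses are placeholders.
    for header in ('From: "Viagra US supplier" <a@example.invalid>',
                   'From: "Cheap VIAGRA outlet" <b@example.invalid>',
                   'From: "Re: your viagra question" <nurse@example.invalid>'):
        print(header, "|", lookup(LITERAL_RULES, header), "|",
              lookup(WILDCARD_RULES, header))
    for helo in ("[117.201.69.50]", "localhost", "mail2.beth.k12.pa.us"):
        print(helo, "->", lookup(HELO_RULES, helo))
```

The quotes need no escaping inside the pattern, and `.*` matches any run of characters between `From: ` and `viagra`, so the wildcard rule also fires on the third header; with DISCARD that message disappears silently, which is worth weighing before using a broad pattern.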



Re: DNS RBL error

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 9:15 AM, Ralf Hildebrandt wrote:

> * donovan jeffrey j :
>> 
>> On Apr 19, 2010, at 9:03 AM, Ralf Hildebrandt wrote:
>> 
>>> * donovan jeffrey j :
>>> 
>>>> this system in question picks up mail ( primary MX ) for about 2000 users.
>>> 
>>> This should well be within the limits. We're exceeding the limit at
>>> about 30k users. Maybe you're using your ISPs DNS forwarder?
>> 
>> I'm not sure i understand. I know my isp pulls zone files from me, and runs a 
>> secondary dns server.
> 
> Show your /etc/resolv.conf

ins2:~ root# cat /etc/resolv.conf
search beth.k12.pa.us
nameserver 10.135.1.2
nameserver 209.96.96.2
nameserver 207.172.3.20

ins2:~ root# nslookup zen.spamhaus.org
Server: 207.172.3.20
Address:207.172.3.20#53

** server can't find zen.spamhaus.org: REFUSED


okay,.. I'll have to check this. to make sure my queries to zen are directly 
from my mail system does that sound right ?
-j

Re: DNS RBL error

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 9:03 AM, Ralf Hildebrandt wrote:

> * donovan jeffrey j :
> 
>> this system in question picks up mail ( primary MX ) for about 2000 users.
> 
> This should well be within the limits. We're exceeding the limit at
> about 30k users. Maybe you're using your ISPs DNS forwarder?

I'm not sure i understand. I know my isp pulls zone files from me, and runs a 
secondary dns server.
-j



Re: DNS RBL error

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 8:58 AM, John Peach wrote:

> On Mon, 19 Apr 2010 08:53:03 -0400
> donovan jeffrey j  wrote:
> 
>> 
>> On Apr 19, 2010, at 8:41 AM, Ralf Hildebrandt wrote:
>> 
>>> * donovan jeffrey j :
>>>> Greetings
>>>> 
>>>> i have been seeing tons of errors coming from spamhaus, it seems
>>>> it's not resolving. at least for me. is anyone else having any
>>>> problems ?
>>> 
>>> You might have been blocked because you exceeded the limits for free
>>> usage.
>> 
>> i did not know there was such a thing. I may be having some type of
>> dns issue with zen. My local dns server does not resolve zen, but
>> google public dns does. i found this
>> 
> 
> http://www.spamhaus.org/organization/dnsblusage.html
> 
> -- 
> John
> 

thanks John,
okay,.. 100,000 smtp a day or 300,000 queries,... i have no idea if i reach 
either of these.sigh:: I've been running this for years.
-j

Re: DNS RBL error

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 8:54 AM, Ralf Hildebrandt wrote:

> * donovan jeffrey j :
> 
>> I certainly do not want to exceed any limits, how do i avoid that ?
> 
> Well, how big is your server?

oh it's about this high " - - - "
j/k

this system in question picks up mail ( primary MX ) for about 2000 users.
-j


Re: DNS RBL error

2010-04-19 Thread donovan jeffrey j

On Apr 19, 2010, at 8:41 AM, Ralf Hildebrandt wrote:

> * donovan jeffrey j :
>> Greetings
>> 
>> i have been seeing tons of errors coming from spamhaus, it seems it's not 
>> resolving. at least for me. is anyone else having any problems ?
> 
> You might have been blocked because you exceeded the limits for free
> usage.

i did not know there was such a thing. I may be having some type of dns issue 
with zen. My local dns server does not resolve zen, but google public dns does.
i found this

ins2:~ root# nslookup zen.spamhaus.org
Server: 207.172.3.20
Address:207.172.3.20#53

** server can't find zen.spamhaus.org: REFUSED

ins2:~ root# nslookup zen.spamhaus.com
Server: 10.135.1.2
Address:10.135.1.2#53

Non-authoritative answer:
Name:   zen.spamhaus.com
Address: 208.87.33.151

I certainly do not want to exceed any limits, how do i avoid that ?

-jeff



DNS RBL error

2010-04-19 Thread donovan jeffrey j
Greetings

i have been seeing tons of errors coming from spamhaus, it seems it's not 
resolving. at least for me. is anyone else having any problems ?

Apr 19 08:21:48 mail2 postfix/smtpd[21485]: warning: 
130.60.141.41.zen.spamhaus.org: RBL lookup error: Host or domain name not 
found. Name service error for name=130.60.141.41.zen.spamhaus.org type=A: Host 
not found, try again
Apr 19 08:21:49 mail2 postfix/smtpd[21433]: warning: 
70.195.122.178.zen.spamhaus.org: RBL lookup error: Host or domain name not 
found. Name service error for name=70.195.122.178.zen.spamhaus.org type=A: Host 
not found, try again
Apr 19 08:21:50 mail2 postfix/smtpd[21427]: warning: 
26.125.83.80.zen.spamhaus.org: RBL lookup error: Host or domain name not found. 
Name service error for name=26.125.83.80.zen.spamhaus.org type=A: Host not 
found, try again
Apr 19 08:21:50 mail2 postfix/smtpd[21324]: warning: 
163.152.43.91.zen.spamhaus.org: RBL lookup error: Host or domain name not 
found. Name service error for name=163.152.43.91.zen.spamhaus.org type=A: Host 
not found, try again
Apr 19 08:21:51 mail2 postfix/smtpd[21397]: warning: 
23.118.201.117.zen.spamhaus.org: RBL lookup error: Host or domain name not 
found. Name service error for name=23.118.201.117.zen.spamhaus.org type=A: Host 
not found, try again

postconf -n | grep zen
maps_rbl_domains = zen.spamhaus.org,bl.spamcop.net
smtpd_client_restrictions = permit_mynetworks, check_client_access 
hash:/etc/postfix/access, hash:/etc/postfix/smtpdreject  reject_rbl_client   
zen.spamhaus.org reject_rbl_client cbl.abuseat.org  reject_rbl_client   
bl.spamcop.net permit
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access 
hash:/etc/postfix/recipient_access check_sender_mx_access 
cidr:/etc/postfix/reject_private_mx.cidr warn_if_reject reject_unknown_client, 
reject_non_fqdn_sender, reject_non_fqdn_recipient, 
reject_invalid_hostname,reject_unknown_sender_domain, 
reject_unknown_recipient_domain, reject_unauth_destination, 
reject_unlisted_recipient, reject_unlisted_sender, reject_unauth_pipelining, 
reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, permit


abuseat.org is working fine. I'm only having trouble with zen.
Apr 19 08:29:12 mail2 postfix/smtpd[21642]: NOQUEUE: reject: RCPT from 
unknown[117.201.68.108]: 554 Service unavailable; Client host [117.201.68.108] 
blocked using cbl.abuseat.org; Blocked - see 
http://cbl.abuseat.org/lookup.cgi?ip=117.201.68.108; 
from= to= proto=ESMTP 
helo=<[117.201.69.50]>


any ideas ?

-jeff
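The log excerpt in this post shows the two outcomes a DNSBL check can leave behind: a `warning: ... RBL lookup error` when the list cannot be resolved, and a `NOQUEUE: reject ... blocked using` line when it answers. The script below is an added example, not from the original post: it rebuilds the client address from the reversed-octet query name and flags any list that produced only lookup errors, using log lines from this thread with the mail client's wrapping undone. Function names are made up for illustration and only IPv4 is handled.

```python
"""Count DNSBL lookup failures versus DNSBL rejects in Postfix smtpd logs."""
import ipaddress
import re
from collections import defaultdict

# Log lines from this thread, with the mail client's line wrapping undone.
SAMPLE_LOG = [
    "Apr 19 08:21:48 mail2 postfix/smtpd[21485]: warning: "
    "130.60.141.41.zen.spamhaus.org: RBL lookup error: Host or domain name not "
    "found. Name service error for name=130.60.141.41.zen.spamhaus.org type=A: "
    "Host not found, try again",
    "Apr 19 08:21:49 mail2 postfix/smtpd[21433]: warning: "
    "70.195.122.178.zen.spamhaus.org: RBL lookup error: Host or domain name not "
    "found. Name service error for name=70.195.122.178.zen.spamhaus.org type=A: "
    "Host not found, try again",
    "Apr 19 08:21:50 mail2 postfix/smtpd[21427]: warning: "
    "26.125.83.80.zen.spamhaus.org: RBL lookup error: Host or domain name not "
    "found. Name service error for name=26.125.83.80.zen.spamhaus.org type=A: "
    "Host not found, try again",
    "Apr 19 08:29:12 mail2 postfix/smtpd[21642]: NOQUEUE: reject: RCPT from "
    "unknown[117.201.68.108]: 554 Service unavailable; Client host "
    "[117.201.68.108] blocked using cbl.abuseat.org; Blocked - see "
    "http://cbl.abuseat.org/lookup.cgi?ip=117.201.68.108; "
    "from= to= proto=ESMTP helo=<[117.201.69.50]>",
]

LOOKUP_ERROR = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (\d+\.\d+\.\d+\.\d+)\.(\S+): RBL lookup error: ")
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \S+ from \S+\[([0-9.]+)\]: "
    r".*? blocked using ([^;\s]+);")


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def client_ip(reversed_ip):
    """Recover the client address from the reversed-octet part of a query name."""
    return str(ipaddress.IPv4Address(".".join(reversed(reversed_ip.split(".")))))


def summarize(lines):
    """Return {zone: {"lookup_errors": [client ips], "rejects": [client ips]}}."""
    summary = defaultdict(lambda: {"lookup_errors": [], "rejects": []})
    for line in lines:
        m = LOOKUP_ERROR.search(line)
        if m:
            summary[m.group(2)]["lookup_errors"].append(client_ip(m.group(1)))
            continue
        m = REJECT.search(line)
        if m:
            summary[m.group(2)]["rejects"].append(m.group(1))
    return dict(summary)


def zones_without_verdicts(summary):
    """Zones with lookup errors and no rejects: configured, but not answering."""
    return sorted(zone for zone, seen in summary.items()
                  if seen["lookup_errors"] and not seen["rejects"])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for zone, seen in sorted(report.items()):
        print(zone, "errors:", len(seen["lookup_errors"]),
              "rejects:", len(seen["rejects"]))
    print("no verdicts from:", zones_without_verdicts(report))
    # The test address used later in the thread maps to this query name.
    print(dnsbl_name("127.0.0.2", "zen.spamhaus.org"))
```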

Re: Configuration Backup Script

2010-04-09 Thread donovan jeffrey j

On Apr 9, 2010, at 9:06 AM, Ansgar Wiechers wrote:

> On 2010-04-08 donovan jeffrey j wrote:
>> On Apr 8, 2010, at 9:57 PM, osmcr...@gmail.com wrote:
>>> I'm running Suse 10.3 Server and looking for a script like this that

DOH!
my bad,.. I saw 10.3 Server with one eye, thought he was speaking mac.
no mailbfr fo you  

>>> will backup all the system config files and any others that I would
>>> want, this is a db and mailbox users backup for my mail server ?..
>>> But I plan migrating to a new server, using the same distro that's
>>> why I'm preparing it for restore again in case of emergency
>>> 
>>> Any comments are welcome
>> 
>> check out mailbfr for mail related configurations.
>> 
>> http://osx.topicdesk.com/content/view/41/57/
> 
> mailbfr was developed for Mac OS X, not for SuSE Linux. IIRC it's a
> Python script, so it should be possible to modify it to be usable on
> Linux as well. However, right now mailbfr is distributed as a .pkg, so
> one would have to go to some lengths to even extract the actual script
> from the package.
> 
> Regards
> Ansgar Wiechers


thanks for the catch.
-j



Re: Configuration Backup Script

2010-04-08 Thread donovan jeffrey j

On Apr 8, 2010, at 9:57 PM, osmcr...@gmail.com wrote:

> I’m running Suse 10.3 Server and looking for a script like this that will 
> backup all the system config files and any others that I would want, this is 
> a db and mailbox users backup for my mail server …..  But I plan migrating to 
> a new server, using the same distro that’s why I’m preparing it for restore 
> again in case of emergency
>  
> Any comments are welcome
>  
> Bye
> 
> ……
>  
> echo "yay"

greetings

check out mailbfr for mail related configurations.

http://osx.topicdesk.com/content/view/41/57/

-j

Re: Out: 452 Insufficient system storage

2010-03-03 Thread donovan jeffrey j


On Mar 3, 2010, at 12:09 AM, Wietse Venema wrote:


> donovan jeffrey j:
>>   5468961666%
>> 13235578  6836202   66%   /
> 
> And that's 26 GBytes as well.
> 
> It would be interesting to see what Postfix smtpd logs.  You can
> turn it on selectively
> 
>    postconf -e debug_peer_list=127.0.0.1
>    postfix reload
> 
> Then do "telnet 127.0.0.1 25", and "grep smtpd_check_queue
> /the/maillog/file".
> 
> You can kill the logging with
> 
>    postconf -e debug_peer_list=
> 
>   Wietse



i just tried this, i wasn't sure i was reading logs correctly. maillog  
is also being used by amavis, but i greped out postfix messages to a  
file, then tailed that file.
in the short time I ran this I did not see the smtpd_check_queue . I  
am out of my maintenance window so I will try it later and let it run  
longer.


Mar  3 09:49:59 mx1 postfix/smtp[1054]: name_mask: resource
Mar  3 09:49:59 mx1 postfix/smtp[1054]: name_mask: software
Mar  3 09:49:59 mx1 postfix/qmgr[603]: 0529299C4604: removed
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 220  
[127.0.0.1] ESMTP amavisd-new service ready
Mar  3 09:49:59 mx1 postfix/smtp[1054]: > 127.0.0.1[127.0.0.1]: EHLO  
mx1.beth.k12.pa.us
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250- 
[127.0.0.1]
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250- 
PIPELINING

Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250-SIZE
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]:  
250-8BITMIME
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250- 
ENHANCEDSTATUSCODES
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250  
XFORWARD NAME ADDR PROTO HELO

Mar  3 09:49:59 mx1 postfix/smtp[1054]: server features: 0x78f size 0
Mar  3 09:49:59 mx1 postfix/smtp[1054]: Using ESMTP PIPELINING, TCP  
send buffer size is 4096
Mar  3 09:49:59 mx1 postfix/smtp[1054]: > 127.0.0.1[127.0.0.1]:  
XFORWARD NAME=mx2.beth.k12.pa.us ADDR=192.168.1.10
Mar  3 09:49:59 mx1 postfix/smtp[1054]: > 127.0.0.1[127.0.0.1]:  
XFORWARD PROTO=ESMTP HELO=mx2.beth.k12.pa.us
Mar  3 09:49:59 mx1 postfix/smtp[1054]: > 127.0.0.1[127.0.0.1]: MAIL  
FROM: SIZE=3652 BODY=8BITMIME
Mar  3 09:49:59 mx1 postfix/smtp[1054]: > 127.0.0.1[127.0.0.1]: RCPT  
TO:

Mar  3 09:49:59 mx1 postfix/smtp[1054]: > 127.0.0.1[127.0.0.1]: DATA
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250  
2.5.0 Ok
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250  
2.5.0 Ok
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250  
2.1.0 Sender owner-macsc...@listserv.dartmouth.edu OK
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 250  
2.1.5 Recipient jdono...@beth.k12.pa.us OK
Mar  3 09:49:59 mx1 postfix/smtp[1054]: < 127.0.0.1[127.0.0.1]: 354  
End data with .

Mar  3 09:49:59 mx1 postfix/smtp[1054]: > 127.0.0.1[127.0.0.1]: .
Mar  3 09:49:59 mx1 postfix/smtp[1054]: > 127.0.0.1[127.0.0.1]: QUIT
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 250 2.6.0 Ok, id=01261-05, from MTA: 250 Ok: queued as 4DDF323BA248
Mar  3 09:49:59 mx1 postfix/smtp[1066]: E1AEF99C4624: to=>, relay=127.0.0.1[127.0.0.1], delay=3, status=sent (250 2.6.0 Ok, id=01261-05, from MTA: 250 Ok: queued as 4DDF323BA248)
Mar  3 09:49:59 mx1 postfix/smtp[1066]: name_mask: resource
Mar  3 09:49:59 mx1 postfix/smtp[1066]: name_mask: software
Mar  3 09:49:59 mx1 postfix/qmgr[603]: E1AEF99C4624: removed
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 220 [127.0.0.1] ESMTP amavisd-new service ready
Mar  3 09:49:59 mx1 postfix/smtp[1066]: > 127.0.0.1[127.0.0.1]: EHLO mx1.beth.k12.pa.us
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 250-[127.0.0.1]
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 250-PIPELINING
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 250-SIZE
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 250-8BITMIME
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 250-ENHANCEDSTATUSCODES
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 250 XFORWARD NAME ADDR PROTO HELO
Mar  3 09:49:59 mx1 postfix/smtp[1066]: server features: 0x78f size 0
Mar  3 09:49:59 mx1 postfix/smtp[1066]: Using ESMTP PIPELINING, TCP send buffer size is 4096
Mar  3 09:49:59 mx1 postfix/smtp[1066]: > 127.0.0.1[127.0.0.1]: XFORWARD NAME=mx2.beth.k12.pa.us ADDR=192.168.1.10
Mar  3 09:49:59 mx1 postfix/smtp[1066]: > 127.0.0.1[127.0.0.1]: XFORWARD PROTO=ESMTP HELO=mail2.beth.k12.pa.us
Mar  3 09:49:59 mx1 postfix/smtp[1066]: > 127.0.0.1[127.0.0.1]: MAIL FROM: SIZE=6185
Mar  3 09:49:59 mx1 postfix/smtp[1066]: > 127.0.0.1[127.0.0.1]: RCPT TO:
Mar  3 09:49:59 mx1 postfix/smtp[1066]: > 127.0.0.1[127.0.0.1]: DATA
Mar  3 09:49:59 mx1 postfix/smtp[1066]: < 127.0.0.1[127.0.0.1]: 250 2.5.0 Ok
Ma

Re: Out: 452 Insufficient system storage

2010-03-02 Thread donovan jeffrey j


On Mar 2, 2010, at 9:03 PM, Wietse Venema wrote:


It may be worthwhile to run the Postfix fsspace test program.

- Download any Postfix source code that compiles on your system.

- cd into the source tree, then execute the following commands:

   make makefiles
   cd src/util
   make fsspace
   ./fsspace /var/spool/postfix

and report if the numbers look wrong.

Postfix uses the fsspace routine to determine the amount of
free space in the queue file system.

Wietse


mx1:/usr/local/postfix-2.7.0/src/util root# ./fsspace /var/spool/postfix
/var/spool/postfix: block size 4096, blocks free 6836216
mx1:/usr/local/postfix-2.7.0/src/util root# df -i
Filesystem              512-blocks      Used     Avail Capacity    iused    ifree %iused  Mounted on
/dev/disk0s3             160574256 105372640  54689616    66%   13235578  6836202   66%   /
devfs                          198       198         0   100%        590        0  100%   /dev
fdesc                            2         2         0   100%          4      253    2%   /dev
                              1024      1024         0   100%          0        0  100%   /.vol
/dev/disk1s3             489972528  46944240 443028288    10%    5868028 55378536   10%   /Volumes/SSHD2
automount -nsl [212]             0         0         0   100%          0        0  100%   /Network
automount -fstab [223]           0         0         0   100%          0        0  100%   /automount/Servers
automount -static [223]          0         0         0   100%          0        0  100%   /automount/static
/dev/disk2s3             489972528 105210640 384761888    21%   13151328 48095236   21%   /Volumes/MX1




I was sitting on a memory upgrade, and I threw some in, possibly
some Virtual memory foo in the OS. i also did a block level clone to
another larger drive /dev/disk2s3 as a backup. did a reboot. nothing
yet. I'll have to wait and see if maybe the reboot makes this vanish.
still running on original drive. maybe the drive isn't so S.M.A.R.T


stay tuned. :)

-j


Re: Out: 452 Insufficient system storage

2010-03-02 Thread donovan jeffrey j


On Mar 2, 2010, at 7:31 PM, Daniel V. Reinhardt wrote:


this is default on all my systems.




MX1
/dev/disk1s3    77G    51G    26G    66%    /

MX2
/dev/disk0s3   234G    46G   187G    20%    /




Can you show the partitioning of these systems?

Thanks



that's all i have,.. no partitions.




MX1


Filesystem                Size   Used  Avail Capacity  Mounted on
/dev/disk1s3               77G    51G    26G    66%    /
devfs                      97K    97K     0B   100%    /dev
fdesc                     1.0K   1.0K     0B   100%    /dev
                          512K   512K     0B   100%    /.vol
automount -nsl [227]        0B     0B     0B   100%    /Network
automount -fstab [233]      0B     0B     0B   100%    /automount/Servers
automount -static [233]     0B     0B     0B   100%    /automount/static
/dev/disk0s3              234G    22G   211G    10%    /Volumes/SSHD2



MX2


Filesystem                Size   Used  Avail Capacity  Mounted on
/dev/disk0s3              234G    46G   187G    20%    /
devfs                     104K   104K     0B   100%    /dev
fdesc                     1.0K   1.0K     0B   100%    /dev
                          512K   512K     0B   100%    /.vol
/dev/disk1s3              172G   431M   172G     0%    /Volumes/mailHD
/dev/disk2s10             172G    46G   127G    26%    /Volumes/backup2
automount -nsl [213]        0B     0B     0B   100%    /Network
automount -fstab [226]      0B     0B     0B   100%    /automount/Servers
automount -static [226]     0B     0B     0B   100%    /automount/static


Re: Out: 452 Insufficient system storage

2010-03-02 Thread donovan jeffrey j


On Mar 1, 2010, at 10:56 AM, lst_ho...@kwsoft.de wrote:


Quoting donovan jeffrey j:


Greetings

I had several of these on my primary MX this weekend and one just   
popped up. Can someone explain where this Insufficient system  
storage  is ?
both mail queues are empty, and DF shows < 20% on the reporting  
system.


Out: 220 mx2.beth.k12.pa.us ESMTP Postfix
In:  EHLO mx1.beth.k12.pa.us
Out: 250-mx2.beth.k12.pa.us
Out: 250-PIPELINING
Out: 250-SIZE 1024
Out: 250-ETRN
Out: 250 8BITMIME
In:  MAIL FROM: SIZE=11687 BODY=8BITMIME
Out: 452 Insufficient system storage
In:  RCPT TO:
Out: 503 Error: need MAIL command
In:  DATA
Out: 503 Error: need RCPT command
In:  RSET
Out: 250 Ok
In:  QUIT
Out: 221 Bye


Have a look for "queue_minfree" parameter in main.cf. The default  
for Postfix 2.1 and later is 1,5*message_size_limit which can be  
more than your 20% free if the filesystem the queues reside is  
rather small.


Regards

Andreas




greetings

thanks for the reply

queue_minfree = 0

this is default on all my systems.

MX1
/dev/disk1s3    77G    51G    26G    66%    /

MX2
/dev/disk0s3   234G    46G   187G    20%    /


here is another example;

Transcript of session follows.

Out: 220 mx1.beth.k12.pa.us ESMTP Postfix
In:  EHLO MX2.beth.k12.pa.us
Out: 250-mx1.beth.k12.pa.us
Out: 250-PIPELINING
Out: 250-SIZE 1024
Out: 250-ETRN
Out: 250 8BITMIME
In:  MAIL FROM: SIZE=2878 BODY=8BITMIME
Out: 452 Insufficient system storage
In:  RCPT TO:
Out: 503 Error: need MAIL command
In:  DATA
Out: 503 Error: need RCPT command
In:  RSET
Out: 250 Ok
In:  QUIT
Out: 221 Bye

mx2 picks up and sends it to  mx1 for AV scan. i can see MX1 has a  
smaller drive, but it's just amavis scanning and relay. No real big  
space required. System seems to be fine, but these errors are eluding  
me.

any insight would be helpful.
postconf available if need be,.

-j




Out: 452 Insufficient system storage

2010-03-01 Thread donovan jeffrey j

Greetings

I had several of these on my primary MX this weekend and one just  
popped up. Can someone explain where this Insufficient system storage  
is ?

both mail queues are empty, and DF shows < 20% on the reporting system.

Out: 220 mx2.beth.k12.pa.us ESMTP Postfix
In:  EHLO mx1.beth.k12.pa.us
Out: 250-mx2.beth.k12.pa.us
Out: 250-PIPELINING
Out: 250-SIZE 1024
Out: 250-ETRN
Out: 250 8BITMIME
In:  MAIL FROM: SIZE=11687 BODY=8BITMIME
Out: 452 Insufficient system storage
In:  RCPT TO:
Out: 503 Error: need MAIL command
In:  DATA
Out: 503 Error: need RCPT command
In:  RSET
Out: 250 Ok
In:  QUIT
Out: 221 Bye
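
Added example, not part of the original thread: a small Python triage helper for session transcripts in the "In:/Out:" format quoted above. It pairs each command with its full reply and separates the first failing command (here the 452 on MAIL FROM) from the 503 replies that are only fallout from it. The host names, addresses and function names are assumptions made for the illustration.

```python
import re

# Constructed sample in the transcript format quoted in this thread (placeholder names).
SAMPLE = """\
Out: 220 mx2.example.org ESMTP Postfix
In:  EHLO mx1.example.org
Out: 250-mx2.example.org
Out: 250 PIPELINING
In:  MAIL FROM:<sender@example.org> SIZE=11687 BODY=8BITMIME
Out: 452 Insufficient system storage
In:  RCPT TO:<rcpt@example.org>
Out: 503 Error: need MAIL command
In:  DATA
Out: 503 Error: need RCPT command
In:  RSET
Out: 250 Ok
"""

LINE = re.compile(r"^(In|Out):\s+(\S.*)$")
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def pair_commands(transcript):
    """Pair each client command with the server's complete reply."""
    pairs, command, parts = [], "(connect)", []
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        r = REPLY.match(m.group(2)) if m and m.group(1) == "Out" else None
        if m and m.group(1) == "In":
            command = m.group(2)
        elif r:
            parts.append(r.group(3))
            if r.group(2) == " ":      # "250 " ends a reply, "250-" continues it
                pairs.append((command, int(r.group(1)), "; ".join(parts)))
                parts = []
    return pairs

def triage(pairs):
    """Return the first failing command plus the 503s that followed it."""
    root = None
    for command, code, text in pairs:
        verb = command.split()[0].upper()
        if root is None and code >= 400:
            root = {"verb": verb, "code": code, "text": text,
                    "transient": code < 500, "cascaded": []}
        elif root and code == 503:
            root["cascaded"].append(verb)   # bad-sequence fallout, not a new fault
        elif root and verb == "RSET":
            break                           # transaction reset; stop collecting
    return root
```

`triage(pair_commands(SAMPLE))` reports MAIL as the failing verb with a transient 452, and lists RCPT and DATA as cascaded.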

Re: load balancing among mail servers

2010-02-16 Thread donovan jeffrey j


On Feb 16, 2010, at 10:39 AM, Massimo Nuvoli wrote:


donovan jeffrey j wrote:


On Feb 16, 2010, at 8:09 AM, aa wrote:


Someone advised me to insert in the DNS zone a list of MX records
defined with the same level of priority so the DNS server will choose
one of them without invoking always the same mail server
It could be an idea, in my opinion, but I'd prefer a "less  random"
solution and a more scientific one

very easy for smtp relays.
smtp1
smtp2
create a dns name smtp, and your system will round robin query for the
next available server.


DNS round robin is bad, it works but is defective for real load
balancing. The client chooses the IP to use, this is "random", and
after can use the same ip for a while... this is not random.

The real solution is lvs or keepalived, the choice of the node is done
by the load balancer...

Bye.



I wouldn't  say it's bad, it's just cheap. Of course a load balancing  
switch can be purchased $

-j


Re: load balancing among mail servers

2010-02-16 Thread donovan jeffrey j


On Feb 16, 2010, at 8:09 AM, aa wrote:

Someone advised me to insert in the DNS zone a list of MX records  
defined with the same level of priority so the DNS server will  
choose one of them without invoking always the same mail server
It could be an idea, in my opinion, but I'd prefer a "less  random"  
solution and a more scientific one


very easy for smtp relays.

smtp1
smtp2


create a dns name smtp, and your system will round robin query for the  
next available server.


Re: Pflogsumm Status

2010-01-14 Thread donovan jeffrey j


On Jan 13, 2010, at 10:23 PM, Jim Seymour wrote:


Hi All,

As many of you may be aware, about a year ago I emailed the list
asking if anybody would be interested in taking over maintenance
of Pflogsumm.  Several people volunteered.  In the mean-time,
after un-loading a bit (basically taking a hiatus from anything
that resembled computer "work" in my spare time) and reflecting on
it, I decided to keep the project.  At the time I was considering
giving it, and my other projects up, I was going through a pretty
rough patch, life-wise, job-wise, etc..  I've gotten things
straightened-out and back on an even keel.  (Well, as even a keel
as things can get, these days :).)

I'm working on a new release even now.  More information to
follow in a day or two.

Regards,
Jim


excellent!

love that little tool.
5 0 * * *   /usr/local/bin/pflogsumm.pl -d yesterday /var/log/mail.log | mail -s " mail2 Today log sum $date" jdono...@beth.k12.pa.us


couldn't wake up in the morning without reading.
if you ever need a tester.

-j


Re: Accept null HELO/EHLO

2009-10-22 Thread donovan jeffrey j


On Oct 22, 2009, at 6:50 AM, ram wrote:



On Wed, 2009-10-21 at 09:07 -0400, Wietse Venema wrote:

ram:
A lotus notes server of our clients is hugely misconfigured to send just
an empty HELO. And we are supposed to relay mails for this client.

I know getting the lotus admin to set his MTA is the right thing, but
for now I want to accept the null HELO

how do I do this ? I already have smtpd_helo_required = no


This requires one of the following:

1) A baseball bat, and a strong WHACK over the idiot's head.

Got the message. We sent one of our guys over ( not with a baseball bat
though .. we rather play cricket here in India ).

Finally we convinced the client to let us configure their Lotus and set
a proper hostname. Talk of wasting human resources ..


while you're sending people out can you stop by a few other countries
for us ?

:)


Re: Not receive mail error

2009-10-09 Thread donovan jeffrey j


On Oct 9, 2009, at 10:33 AM, Mark Johnson wrote:


All,
We have an application server to generate mail and use postfix as  
relay mail server for outgoing mail. We ran the test and postfix did  
catch the error. However, it didn't report back to application server.
We used sendmail as relay mail server and it did report back to  
application server.


Any suggestion is appreciated?

Here is the mail log:
Oct  9 10:17:34 smtpmailer postfix/smtp[27126]: 47E79249AA4: to=>, relay=none, delay=20, delays=0.07/0/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=varsitygold.com type=MX: Host not found, try again)
Oct  9 10:17:34 smtpmailer postfix/smtp[27128]: 5813B249AA6: to=>, relay=none, delay=20, delays=0.07/0.01/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=varsitygold.com type=MX: Host not found, try again)



Thanks.

M.J.



the message may still be in the queue waiting, it will try again until  
it times out, then a bounce will be sent back.


-j


checking local_recipient_maps

2009-08-01 Thread donovan jeffrey j

greetings,

how can I test  local_recipient_maps ?

I am using an ldap local map, and I would like to insert a backup or  
failover map. here is what I am using.


local_recipient_maps = ldap:/etc/postfix/ldaplocal $alias_maps

#ldaplocal
server_host = 10.10.1.12
search_base = dc=ldap,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = mail
bind = no

can I add a secondary to this query ?
i use ldap search all the time for testing but i would like to see how  
postfix queries and replies.


-j


Re: SMTP connectivity problem

2009-07-08 Thread donovan jeffrey j


On Jul 8, 2009, at 2:16 PM, New Old Stk wrote:

Looks like I spoke too early about tricky Cisco router. Just had our
modem/router equipment replaced, hoping it would fix the problem but
to no avail! I give up.


in the cisco box , did you remove any "  fixup smtp "protocols / ports ?



On Wed, Jul 8, 2009 at 6:03 PM, New Old Stk wrote:
Guys thanks a lot for helping out with my problem. I just tried
sending mail from friend's mail server (SBS 2003) and same problem
occurred. Looks like Cisco box in our office messing up.


Appreciate all the input and many many thanks!

George

On Wed, Jul 8, 2009 at 4:34 PM, Victor Duchovni wrote:

On Wed, Jul 08, 2009 at 04:25:43PM +0100, New Old Stk wrote:

> Noel, connecting to server remotely didn't work. I wonder what's the reason
> as no ports seem to be blocked.
>
>
> g2$ openssl s_client -starttls smtp -crlf -connect one.mailexpeditor.com:25
> CONNECTED(0003)
> 157:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:601:

This server supports "starttls" (sorry have not released smtp-finger yet...)


   smtp-finger: Connected to one.mailexpeditor.com[92.60.109.90]:25
   smtp-finger: < 220 one.mailexpeditor.com ESMTP Postfix
   smtp-finger: > EHLO hqmtaext01.ms.com
   smtp-finger: < 250-one.mailexpeditor.com
   smtp-finger: < 250-PIPELINING
   smtp-finger: < 250-SIZE 1024
   smtp-finger: < 250-VRFY
   smtp-finger: < 250-ETRN
   smtp-finger: < 250-STARTTLS
   smtp-finger: < 250-ENHANCEDSTATUSCODES
   smtp-finger: < 250-8BITMIME
   smtp-finger: < 250 DSN
   smtp-finger: > STARTTLS
   smtp-finger: < 220 2.0.0 Ready to start TLS
   smtp-finger: Untrusted TLS connection established to one.mailexpeditor.com[92.60.109.90]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
   smtp-finger: Server is anonymous

Also works with s_client:

   $ openssl s_client -starttls smtp -connect one.mailexpeditor.com:25
   CONNECTED(0003)
   depth=1 /C=GB/ST=Buckinghamshire/O=Mail Expeditor/CN=one.mailexpeditor.com/emailaddress=a1l6e...@mailexpeditor.com
   verify error:num=19:self signed certificate in certificate chain
   verify return:0
   ---
   Certificate chain
    0 s:/C=GB/ST=Buckinghamshire/L=Milton Keynes/O=Mail Expeditor/CN=one.mailexpeditor.com/emailaddress=a1l6e...@mailexpeditor.com
      i:/C=GB/ST=Buckinghamshire/O=Mail Expeditor/CN=one.mailexpeditor.com/emailaddress=a1l6e...@mailexpeditor.com
    1 s:/C=GB/ST=Buckinghamshire/O=Mail Expeditor/CN=one.mailexpeditor.com/emailaddress=a1l6e...@mailexpeditor.com
      i:/C=GB/ST=Buckinghamshire/O=Mail Expeditor/CN=one.mailexpeditor.com/emailaddress=a1l6e...@mailexpeditor.com
   ---
   Server certificate
   -BEGIN CERTIFICATE-
   ...
   -END CERTIFICATE-
   subject=/C=GB/ST=Buckinghamshire/L=Milton Keynes/O=Mail Expeditor/CN=one.mailexpeditor.com/emailaddress=a1l6e...@mailexpeditor.com
   issuer=/C=GB/ST=Buckinghamshire/O=Mail Expeditor/CN=one.mailexpeditor.com/emailaddress=a1l6e...@mailexpeditor.com
   ---
   No client certificate CA names sent
   ---
   SSL handshake has read 2505 bytes and written 351 bytes
   ---
   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
   Server public key is 1024 bit
   Compression: NONE
   Expansion: NONE
   SSL-Session:
   Protocol  : TLSv1
   Cipher: DHE-RSA-AES256-SHA
   ...
   Verify return code: 19 (self signed certificate in certificate chain)

   ---
   250 DSN
   quit
   221 2.0.0 Bye

--
   Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.



If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.