Re: Another sanity check request
On 13/04/2013 21:33, Russell Jones wrote:
> Hi all,
>
> Upgrading mail server from Postfix 2.9 to 2.10. Could I get a quick sanity check to ensure my (fairly simple) setup is sane with the new smtpd_relay_restrictions? Thanks :-)
>
> smtpd_relay_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access hash:/etc/postfix/rbl_override
>     reject_rbl_client zen.spamhaus.org
>
> Also, just as a sanity check on my own understanding of this option being split into two now: the relay_restrictions section is pretty self-explanatory, however in the docs it recommends also keeping permit_mynetworks and permit_sasl_authenticated in the recipient_restrictions section to exclude those clients from RBL lookups. This would only come into play when a user of the server is sending mail to another local user on the box, correct?

this would come into play for mail sent from mynetworks or by an authenticated user.

if you have completely separate services for MX and submission, then you can remove these two permits from your smtpd_restrictions and from your smtpd_relay_restrictions.

In the case where the same postfix instance is used for MX and submission, make sure to specify the restrictions that will be used for submission.
something along the lines of:

submission inet  n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o syslog_name=${submission_syslog_name}
    -o cleanup_service_name=cleanmsa
    -o myhostname=${submission_myhostname}
    -o smtpd_tls_security_level=${submission_tls_security_level}
    -o smtpd_client_restrictions=${submission_client_restrictions}
    -o smtpd_helo_restrictions=${submission_helo_restrictions}
    -o smtpd_sender_restrictions=${submission_sender_restrictions}
    -o smtpd_recipient_restrictions=${submission_recipient_restrictions}
    -o smtpd_relay_restrictions=${submission_relay_restrictions}
    -o content_filter=${submission_content_filter}
    -o receive_override_options=no_address_mappings

cleanmsa   unix  n       -       n       -       0       cleanup
    -o syslog_name=${submission_syslog_name}
    -o header_checks=${submission_header_checks}
    -o mime_header_checks=${submission_mime_header_checks}

then each submission_mumble is defined in main.cf.
Re: Sending mail with specific address in own domain to relay.
On 13/04/2013 18:11, Peter Welzien wrote:
> Hi.
>
> The situation is as follows: I get all my mail to my domain to the web hotel where I've registered the domain. I fetch my mail using Fetchmail and deliver it to my server running Dovecot + Postfix. Outgoing mail is relayed to my ISP.
>
> The problem is that my wife has an email account at my web hotel, within the same domain as me. Her mail is not fetched with Fetchmail. When I try to send her an email, Postfix thinks it's a local account and fails with the error "User unknown in virtual mailbox table". I've tried adding her email address to /etc/postfix/transport (and running postmap), but it doesn't work.

saying "it doesn't work" and nothing else is sure to encourage people to ignore your post (or to reply "it doesn't work" on holidays :)

do not forget to run 'postfix reload'. if it still doesn't work, follow the list recommendation: http://www.postfix.org/DEBUG_README.html#mail

> How can I make Postfix relay any mail with her address as recipient to my ISP?

transport_maps should work. otherwise, a combination of virtual_alias_maps and smtp_generic_maps also works (and is recommended for those who have a lot of traffic, but this does not look to be your case):

1) use a virtual alias to map:
    yourw...@example.com    yourwife@nothere.example

2) use smtp_generic_maps to write the address back:
    yourwife@nothere.example    yourw...@example.com

yes, this works because generic comes after transport.
Re: Setting up secure submission for remote users
On 12/04/2013 02:11, LuKreme wrote:
> Reindl Harald opined on Thursday 11-Apr-2013@16:58:28
>> mynetworks should be generally used with care and only for specific addresses instead of whole networks with sooner or later potentially infected clients, which can be banned if using auth even if the malware leaks auth data and abuses it from outside
>
> Mynetworks currently contains the mail server, the webmail server, and my home fixed IP since I do not have secure submission working as of now.
>
> I'm reading up on dovecot-1.2.17 and dovecot-2.1.16 and trying to decide if I can switch to either of those without breaking everything. One item of concern was reading a comment that "postfix hands the mail off to dovecot for local delivery" which makes me think I will lose procmail as my LDA. That would be bad.
>
> I'm also wondering if I can set dovecot up to only work with port 587 and keep cyrus-sasl for port 993, at least for now. I know it seems redundant, and it would be a stepping stone to ensure that current users are able to connect as they do now. (IMAP-SSL with "Password" for either local users or mysql users).

yes, you can install dovecot and disable pop+imap in its configuration (otherwise, it will conflict with your courier setup) and configure postfix to use dovecot-auth (that's actually the default). do not configure postfix to deliver mail to dovecot. it should also be possible to use your current user-password database with dovecot.

later, you may be able to replace courier with dovecot (to avoid having to manage two solutions. I have nothing against courier!). and over time, you may move more and more procmail rules to postfix, sieve, ... or /dev/null (if they're no more useful).
Re: IP in headers and spam detection
On 14/04/2013 20:08, Julian Pilfold-Bagwell wrote:
> Hi List,
>
> I have a question regarding running Postfix in a DMZ. I have a UTM with a single IP address on its red interface but our ISP provides a range of 15 IPs for hosting websites, mail, etc. I have an external IP allocated and forwarded to the mail server, but when remote servers perform a reverse lookup, the headers contain the red interface IP. I tried setting proxy_interfaces = and smtp_bind_address = to the external IP but it still came out as the red interface. Is there a way of pushing Postfix into using the external IP or do I have to mess with DNS?

I guess your UTM performs NAT. if so, it is the piece to configure so that traffic out of postfix gets the right IP.
Re: SMTPS 465
On 12/04/2013 23:05, Joan Moreau wrote:
>> Please don't top-post.
> I do not understand
>> smtpd_tls_loglevel = 1 is sufficient for debugging.
> ok
>
> 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
>
>> This suggests your TLS library is broken.
> The TLS library being which one? I am using openSSL and all https web sites are working fine. Is there another library involved?

most probably, the compiled/configured version of openssl does not match what postfix expects. you said that you upgraded the kernel. did this cause an upgrade of openssl? if so, try rebuilding postfix.

Is your openssl library stripped to only include selected algorithms? if so, you need to make sure that this matches the algos configured in postfix:

$ postconf |grep medium
lmtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH

you can try:

openssl ciphers -v 'aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH'

(single quotes to avoid the shell barfing because of the '!' char).
Re: Trouble configuring backup MX to reject unauth destination
On 23/03/2013 00:02, Titanus Eramius wrote:
> [snip]
> The goal is a virtual only mailserver, so the domains are stored in MySQL and fetched through virtual_mailbox_domains. Besides virtual_mailbox_domains, I use virtual_mailbox_maps and virtual_alias_maps.
>
> The documentation is among the best documentation I have seen, but I can't seem to find the solution, even though I have read most of what I could find in relation to virtual handling.
>
> One more clue is the error messages when sending to non-existent users. When sending to aptget.dk Postfix responds with "550 5.1.1 non_exist...@aptget.dk: Recipient address rejected: User unknown in virtual mailbox table". When sending to cogky.dk the response is only "non_exist...@cogky.dk: user unknown".

one possible reason is that you configured a wildcard alias: @cogky.dk == @aptget.dk (that is, anything to cogky maps to the same address in aptget.dk). if so, that's your problem. you need to configure mappings only for existing users. since you use mysql, this should be easy to do.
Re: autoresponder mail sent twice
On 13/03/2013 15:01, Arnaud Jayet wrote:
> Hello,
>
> I have installed an autoresponder using a perl script and special transport (autoreply) in master.cf

does your autoresponder obey http://tools.ietf.org/html/rfc3834 ? if not, get it out.

> my problem is that postfix sends the email to the perl script twice

Then you made an error.

> so the perl script sends two mails to the recipient instead of one as i wish.

get yourself a better program that doesn't resend borkmail. old programs maintain a cache and do not send mail all over again.

> when a user has set up his responder, i want the incoming mails for him to still be delivered to his maildir but i also want the responder to send a mail to the sender advising that the user (recipient) is absent
>
> my main.cf :
> ...
> ...
> virtual_alias_maps = proxy:mysql:/etc/postfix/vir_alias_repondeur.cf,
>
> my master.cf :
> ...
> ...
> autoreply  unix  -       n       n       -       5       pipe
>     flags=Oqu user=nobody argv=/usr/local/bin/repondeur.pl $sender $recipient
>
> transport map :
> ...
> ...
> autoreply.univ-lille3.fr    autoreply:
>
> vir_alias_repondeur.cf :
> query = SELECT autoreply FROM mail_vacation WHERE email='%s' AND active='1' AND (CURRENT_DATE() BETWEEN dstart AND dstop);
>
> the 'autoreply' field from the mail_vacation mysql table returns something like this for email='u...@univ-lille3.fr' == u...@univ-lille3.fr,u...@autoreply.univ-lille3.fr
>
> it seems there is some recursion with the alias expansion (u...@univ-lille3.fr is on the right side of the alias for mail delivering) explaining why the email is sent twice.

it seems you forgot to follow the recommendations in the list welcome message.
- logs to show what you say
- output of postconf -n
- in your case, content of master.cf

crystal ball says:
- you have a content filter but you forgot to disable address mapping in the before-the-filter service
...

> when i replace the field value 'u...@univ-lille3.fr,u...@autoreply.univ-lille3.fr' by only 'u...@autoreply.univ-lille3.fr', the responder email is sent only once but the original message is not delivered to the user maildir (it's not what i want)
>
> Thank you for your help to solve my problem.
>
> Arnaud
Re: Null sender address in NDR's
On 14/02/2013 16:03, James Day wrote:
> Hello List,
>
> I'll have to start by breaking the golden rule of this list and not posting postconf -n output as my question relates to a server over which I have no control.
>
> A customer of mine is using a smart host provided by their ISP through which all outbound mail is delivered, smtp.enta.net (which is running postfix). This server holds a list of valid domains from which this customer is allowed to send. A sensible precaution to prevent a compromised machine from sending spam using spoofed sender addresses on other domains.
>
> The problem is that when the client's mail server sends a NDR the sender address is <> (ie NULL). The null sender address causes the message to be rejected with:
>
> 554 5.7.1 <>: Sender address rejected: Access denied
>
> Is there a sensible way to configure postfix to allow these messages with null sender addresses to be relayed without opening the smart host up to exploitation?

null sender should be accepted. as of today, null sender is not (yet?) abused by spammers. and even if someday spammers decide to abuse it, we will setup simple content filtering rules (NDR is not supposed to use a normal From: address, etc etc). so I'd say: just allow the null sender for now.

> Or alternatively - and this is off topic for this list - is there a way to configure Microsoft exchange 2003 to send NDR's with a different sender address?

dunno. but if you can put a postfix in front of exchange, you could replace the null sender with a specific address (of course, if you do so, make sure to discard mail to this address to avoid loops). of course, you should try to only do that for that specific ISP.

> And before anyone comments, yes I know this isn't best practice as NDR's should have null sender addresses to stop loops (bouncing bounce-backs!).

yeah. but as long as you take care of auto-replies, you can replace the null sender with any specific address of yours (such as n...@example.com) for which you never send bounces.

not trivial, but you can do that.
Re: OT: Mail forwarding services
On 30/01/2013 13:13, Fernando Maior wrote:
> Hello All,
>
> In the area where my office is, internet providers cannot offer us links with fixed ip, only dhcp. I wonder if someone in the list knows about a mail forwarder server that can receive emails from my server and forward them to the internet on our behalf.

well, it really depends on way too many things! how much mail do you send? are you ready to pay or are you looking for a free service (free also means no contractual guarantee)? ... etc.

for a free service, you can try google or other. if you want something else, many of us here (including $self) can set that up for you. the richer you are, the more we will make you pay :) If it's for a charity org or the like, I'll do that for free (with the usual things: no mass mail, no stupid sender).
Re: Rewrite delivery address if spam
On 15/01/2013 01:23, Robert Moskowitz wrote:
> For some users I would like to redirect spam to special addresses. For example, if I were to get spam (like 500/day) I would like it to go to rgm-s...@htt-consult.com. My search fu is weak, and I have not found any guidance on this.
>
> To further the complexity, I would have a mysql table for those users to have spam redirected, where the table has the source email address and the redirect email address. Then Dovecot would drop the spam into this redirect account.
>
> I have learned that spamassassin can only tag the message as spam by changing the subject. I searched messages both on their list and here for any discussion on this, and the postfix documentation, and did not find any help. It would seem that postfix, not dovecot, is the proper place to do the address rewriting.
>
> thank you.
>
> Oh, my wife is regularly insulted by the spam she gets. It would really bring some peace in the house if she no longer saw ANY spam, and I did the checking once a week of a different mail account if there was something she should see...

here's what's done here...

- first of all, real time checks block mail from bad clients (postscreen, rbl, ...).
- then content filters (amavisd with clamav and spamassassin) check mail. the results are put into headers. if X-Spam-Flag is YES, then the message goes to the +spam extension. the lda then puts such mail in the Junk folder of the recipient. this folder has 3 subfolders:
  - Innocent: this is to report false positives
  - Spam: this is to confirm spam
  - Kill: this is to escape filter training for mail that you don't want but that shouldn't be passed for training

spam that gets past the filter is manually checked. if it can be fixed, good. if it can't, the source (depending on the situation: ip, ip/24 or domain) is blocked. A date is set but no guarantee is given to unblock the sucking sender.

oh, and spam sent to children results in total boycott (ie: it's not just about mail).
Re: Naming a master.cf attribute (RFC: postconf user interface)
On 11/01/2013 21:47, Wietse Venema wrote:
> Viktor Dukhovni:
>> The only part that is tricky is the command + args column, where users arguably may want to add/delete -o flags, but in general the various -o flags one may want to add are not necessarily orthogonal, and it is not always safe to add such a setting while unaware of its context. So perhaps when changing the command, one should be forced to use -Me, but this is not completely obvious.
>
> Editing individual words in master.cf with a command-line tool is too much like editing a text document on a hard-copy terminal. I'll aim for a limited interface:
>
>     postconf -Mu attribute=value... service-spec...
>
> Or in mouss style, which makes -e redundant:
>
>     postconf -M type.service.attribute=value...

note that the delimiter may be a dot as in sysctl or an underscore as in main.cf, BSD rc.conf, ... (underscore is more shell friendly).

I like the MIB approach because it is generic enough. it can be easily implemented in a UI, in a DB, ... etc. I can use the same syntax for postfix as well as for other stuff. and given that postfix is often integrated with other stuff (network config, pop/imap, mailing-list, anti-spam, fetchmail/getmail/.., ...), having a generic syntax is a good thing IMHO.

as for uncommenting out services, I personally prefer to distinguish: defining a service (specifying its attributes) and enabling/disabling that service.

> For each matching service, update the named attributes with the specified values.
>
> It remains to be seen how robust the latter form can be made, considering that '.' already appears in service names as part of an IP address. Also, we would have to forbid the use of '=' in a service name, which I hope is uncommon.
>
> The attribute name is service, type, private, unprivileged, chroot, wakeup, process_limit or command. The command attribute includes both the name and arguments; the attribute value would typically be specified in the shell as a quoted string with embedded whitespace.
>
> If there is a command to set the value of a specific attribute, that suggests there needs to be a corresponding command to query its value. I'm sure that mouss would want to see something like type.service.attribute = value here. Asking for an attribute's value by its name is not necessarily useful for humans but it would allow for a more robust postfix upgrade-configuration implementation.
>
> If the concerns with '=' and '.' in service names can be overcome, then the mouss syntax would simplify the user interface to query or update a master.cf attribute.
>
> Wietse
Re: Understanding master.cf pickup daemon parameters
On 09/01/2013 14:34, Robert Moskowitz wrote:
> I have read the man page and http://www.postfix.org/BUILTIN_FILTER_README.html, but don't think I got the why of all of it yet.
>
> A couple of howtos I have been using as guidance have the following content for master.cf
>
> pickup    fifo  n       -       n       60      1       pickup
>     -o content_filter=
>     -o receive_override_options=no_header_body_checks
>
> I will be using Amavisd-new, ClamAV, and SpamAssassin for content filtering. There are lots of other lines scattered around that are specific to these filtering tools. I think I am adding these lines to limit what pickup is doing as there will be other tools that will do more? Is that correct?
>
> Thank you.

the pickup service is used when you use the sendmail command to submit mail (instead of using smtp). many system programs (cron, logwatch ...) use the sendmail command to send mail to root and other accounts. and here:

1) such programs assume a "no error" sendmail. in short, they won't accept a "421 try later" etc. so unless the world gets on fire, the sendmail command is supposed to take responsibility for the message and do whatever to get it delivered. the submitter won't manage a queue or retry etc. that's what the pickup service is for. it'll retry if it can't pass the message to another party. and if delivery is not possible, it'll try to send an error message (a bounce).

2) some programs will send spam reports (think of a log parser...) which do contain spammy words etc. you wouldn't want these to be blocked by a content filter.

3) after all, this is outbound mail. so standard spam filters aren't good at this game. you cannot use RBLs, and other reputation things. on the other hand, if you see junk you can take action. so why care about content filtering...
Re: RFC: postconf user interface
On 08/01/2013 22:00, Wietse Venema wrote:
> This note discusses some user-interface issues with upcoming postconf(1) features that will be used to manage the content of master.cf files.
>
> User-interface consistency is important, especially for people who work a lot with Postfix: fewer things to remember means fewer mistakes to make (it's also important for implementors, because it leads to similar code for similar operations and opportunities to use code that already exists, meaning fewer mistakes to make).
>
> In particular, it would be desirable that postconf(1) uses similar command syntax for similar operations on main.cf and master.cf.
>
> First I will review a few commands that already exist, and then I'll introduce some commands that are likely to be implemented.
>
> The first two examples are already implemented:
>
>     postconf -M inet
>         Show all TCP services in master.cf
>
>     postconf -M inet.submission
>         Show the submission-over-TCP service in master.cf
>
> Next, a few examples that are likely to be implemented:
>
>     postconf -M# service-type ...
>     postconf -M# service-type.service-name ...
>     postconf -MX service-type ...
>     postconf -MX service-type.service-name ...
>         Delete (or comment out) the specified services.
>
> These commands are analogous to postconf -# parameter(s) (comment out main.cf parameter settings) and postconf -X parameter(s) (remove main.cf parameter settings). Therefore they should have similar syntax. I don't expect that these commands will be used much, but they will make the postconf command more consistent.
>
> I am contemplating a new class of master.cf operations that operate column-wise. These currently have no main.cf equivalent.
>
>     postconf -Mu chroot=n inet unix fifo pass

I like the mib syntax of main.cf. so I'd prefer something like

    postconf -e service.submission.chroot=n (or false|no|whatever)

and then, I would love to have that in main.cf.

more precisely, it would be nice to control master.cf things from main.cf:

    service.submission.disable = (true|false)

so I could disable a service without removing it (the old pattern: active vs undefined)

    service.submission.chroot = false

and then a

    service.all.chroot = false

would disable all chrooting, which would be helpful when we suspect that a problem is due to a chroot.

    service.submission.class = smtpd
    service.submission.address = 0.0.0.0
    service.submission.port = 587
    service.submission.name = submission

with this, we would have

    submission_recipient_restrictions = mumble dee

    service.submission.logname = postmumble/submission
    service.submission.options = joe=jim foo=bar ...

this would add -o joe=jim etc. for all but well known options.

if you go that road, then at one time, master.cf would become a service definition file.

>         Update the chroot column to n for all services.
>
>     postconf -Mu type=unix fifo
>         Update all fifo services so that they use UNIX-domain sockets. This is more laptop-friendly as it avoids MTIME updates.
>
> Obviously, this command is powerful but it can also inflict a great deal of damage.
>
> And finally, a more complicated example:
>
>     postconf -Me 'text of complete master.cf entry'
>         Replace the specified master.cf service or add a new service.
>
> Each postconf(1) command-line argument contains the text of a complete master.cf entry. The new entry is line-wrapped as with postconf -Mf.
>
> This command syntax is consistent with existing postconf -e commands, where each postconf(1) command-line argument contains the text of a complete main.cf entry. However, the syntax differs from postconf -M commands that can target multiple services, such as postconf -M inet or postconf -Mu chroot=n inet. There, a service is better specified as service-type or service-type.service-name.
>
> Considering the difference between specifying the complete content of a master.cf entry versus a pattern that can select multiple master.cf entries, it makes sense to have this difference in command syntax.
>
> Wietse
Re: RFC: postconf user interface
On 08/01/2013 23:06, Wietse Venema wrote:
> Patrick Ben Koetter:
>> [snip]
>> Should postconf be able/offer to make backup copies before it acts a request out? Should it with main.cf? Should we encourage the use of version control?

given that people use different version control systems, I wouldn't make that part of postfix.

also, I am working on a web UI, where the whole conf would be in a db (dumped to config files of course!). in which case, the version control part amounts to a few columns (who did what when...) and a rollback is not a lot more than an sql query. (I actually can do all that for me, but I find it hard to support all the possible configurations that postfix supports).

>>> And finally, a more complicated example:
>>>
>>>     postconf -Me 'text of complete master.cf entry'
>>>         Replace the specified master.cf service or add a new service.
>>>
>>> Each postconf(1) command-line argument contains the text of a complete master.cf entry. The new entry is line-wrapped as with postconf -Mf.
>>>
>>> This command syntax is consistent with existing postconf -e commands, where each postconf(1) command-line argument contains the text of a complete main.cf entry.
>>
>> In postconf(1) you wrote
>>     -e  Edit the main.cf configuration file, and update parameter settings ...
>
> The text is too vague and needs to be updated. What happens in reality is "replace or add main.cf entry, using the complete entry given on the postconf command line".
>
> If there is a command to implement THAT FUNCTION for master.cf (add or replace entry, using the complete entry given on the postconf command line) then it should use the same -e option.
>
>> I haven't thought this through - you probably have: Wouldn't it be more consistent to use only 'e' (as already for main.cf) instead of 'u' and 'e' as proposed for master.cf?
>
> u replaces a field in master.cf. It has no main.cf equivalent (replace a word in the middle of a line?) therefore should not use an option letter that is used for main.cf.
>
> Wietse
Re: Integration of content filter in master.cf
On 08/01/2013 21:48, Titanus Eramius wrote:
> On Tue, 08 Jan 2013 12:39:58 -0600, Noel Jones njo...@megan.vbhcs.org wrote:
>> On 1/8/2013 10:47 AM, Titanus Eramius wrote:
>>> I'm a little unsure about best practice here, hence the question.
>>>
>>> Running /usr/sbin/spamd from the SpamAssassin package to scan mail, I've integrated it into /etc/postfix/master.cf with the following lines
>>> ---
>>> smtp      inet  n       -       n       -       -       smtpd
>>>     -o content_filter=spamassassin
>>> ...
>>> spamassassin unix -     n       n       -       -       pipe
>>>     flags=Rq user=spamd argv=/usr/bin/spamc -u ${user}@${domain} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
>>> ---
>>> And then in /etc/postfix/main.cf there's added the line
>>> ---
>>> spamassassin_destination_recipient_limit = 1
>>> ---
>>> However, this scans both incoming and outgoing mail, but for outgoing I plan on using rate-limiting to avoid spamming the net (too much), in case an account gets hacked. So I searched the web, and constructed this alternative to use in master.cf
>>> ---
>>> 26        inet  n       -       n       -       -       smtpd
>>>     -o content_filter=spamassassin
>>> smtp      inet  n       -       n       -       -       smtpd
>>> ---
>>> Using iptables, all incoming connections to port 25 could then be directed to port 26. The server only has one ip-address.
>>>
>>> The question then is, is this a practical solution, or can it be done smarter, for example with less work and without using iptables, or maybe some other way entirely?
>>
>> Using iptables to separate traffic is a reasonable solution. Probably a good idea to add a comment to master.cf documenting what you've done.
>>
>> The more typical way to do this is for local mail to use the submission port 587. Sometimes folks redirect port 25 on the local network to 587 as a migration aid.
>>
>> -- Noel Jones
>
> OK, but using submission more or less removes the problem with SpamAssassin. Thank you for the pointer, I'll be sure to use 587 for relaying from the users.
>
> This raises the question (or at least I think it does), if it's possible to force the users onto 587 by denying relay access to 25?

fix the problem at the source: force the client to do the work: use different services for different uses:

[MX service]
port: 25
example DNS name: mx01.example.com
= no relay
virus and spam filtering...

[submission service]
example DNS name: smtp01.example.com
port 587. if this is hard, port 25 with a specific IP is ok.
SASL auth. when not desirable, IP based access control (though this may be implemented outside of postfix, such as on a firewall)
virus filtering
rate limit and custom checks as needed.

[reverse MX]
example DNS name: mailrelay01.example.com
in small setups, this could be the same service as the submission one. in larger setups, make this dedicated. it'll take the complexity of mail routing and caching (retry).
...
Re: RoundCube vs squirrelmail (pros and cons)
On 27/12/2012 07:38, Muhammad Yousuf Khan wrote:
> i want a web interface for our email access. To me roundcube seems more attractive/better than squirrel-mail (look wise) however i don't want to overlook better options/features if there are any in squirrelmail. so my question to all the users who have experience with both UIs: would you please suggest which one to pick and which one is good/better/stable to use?
>
> Thanks,

both are reasonable choices. I personally prefer RoundCube. The real problem with webmail is password theft, and this is independent of which solution you use.
Re: Postscreen and exceptions
On 27/12/2012 04:05, Stan Hoeppner wrote:
> On 12/26/2012 6:19 PM, Noel Jones wrote:
>> On 12/26/2012 4:52 PM, Stan Hoeppner wrote:
>>> On 12/24/2012 4:57 PM, Noel Jones wrote:
>>>> Opinions differ on psbl.surriel and barracudacentral, but they are frequently used in scoring rather than outright. A site listed on two of these three is likely spam, a site listed on only one of them is questionable.
>>>
>>> Nonsense. The mere fact that a listing on one DNSBL is absent on others
>>
>> Glad it works for you at your sites, I use them too. As with all third-party blacklists (and whitelists!) each sysop should make their own decision about who to hand the keys to. When giving advice to others knowing next to nothing about their local policy, it would be foolish to be anything but conservative.
>
> Yes, conservative. Note my last response in this thread which contained this instruction with my scoring recommendation: "test first"

unfortunately, testing isn't enough. things keep changing:
- DNSBL listings change.
- sites situation changes
- new sites appear
...

when I first tested BRBL, I found it safe for outright rejection. but this didn't last. I also added local rules, which worked for a long time, but many of these rules proved unsafe.
Re: RoundCube vs squirrelmail (pros and cons)
On 27/12/2012 17:38, Titanus Eramius wrote:
> On Thu, 27 Dec 2012 11:00:34 -0500, Robert Moskowitz r...@htt-consult.com wrote:
>> On 12/27/2012 01:38 AM, Muhammad Yousuf Khan wrote:
>>> i want a web interface for our email access. To me roundcube seems more attractive/better than squirrel-mail (look wise) however i don't want to overlook better options/features if there are any in squirrelmail. so my question to all the users who have experience with both UIs: would you please suggest which one to pick and which one is good/better/stable to use?
>>
>> There was a recent thread on this over on the Centos list, and Roundcube was strongly preferred.
>
> It seems that my search fu is low today, could I please trouble you for a link?

you didn't pay your web search subscription :)

the thread can be found on http://www.spinics.net/lists/centos/msg131997.html

you can also search for "roundcube vs squirrelmail". and you can also read the wikipedia article http://en.wikipedia.org/wiki/Roundcube

PS. Please remember that all this is off topic here (so, no webmail war please!)
Re: checking script doesn't work - Re: How to change modified cf files to postconf commands
On 23/12/2012 15:28, Robert Moskowitz wrote:
> On 12/23/2012 09:20 AM, Noel Jones wrote:
>> On 12/23/2012 7:17 AM, Robert Moskowitz wrote:
>>>> You can chase these with something like:
>>>>
>>>> postconf -n | while read parameter equal value; do
>>>>     # -h prints the default value alone (no "name = "), so it is
>>>>     # comparable with $value; 2>&1 catches the warning for unknown names
>>>>     default_value=`postconf -dh "$parameter" 2>&1`
>>>>     if [ "$value" = "$default_value" ]; then
>>>>         echo "NOTICE: Useless setting: $parameter = $value"
>>>>     fi
>>>> done
>>>
>>> I have been running this against the base Centos 6 install that has a main.cf with lots of comments and a few parameter lines. postconf -n shows about 20 parameters, and when I compare these against postconf -d only 9 of them are different.
>>
>> That sounds about right. A basic postfix install needs only a few non-default settings.
>>
>>> parameters like mailq_path is now /usr/bin/mailq.postfix and the default is /usr/bin/mailq
>>
>> sounds reasonable.
>>
>>> I look at the script and I am not able to tell what is wrong; can you help me get it right? I think this is a really useful tool.
>>
>> It's unclear what problem you are having. Please explain.
>
> When I run the script shown above, there is no output. Yet I know there are lines in the main.cf that differ from the defaults. That is, there are 9 lines shown in the -n option that are different from those shown in the -d option. I would think that the above script should have printed those lines.

No. the only output of the script is the one in the 'echo' line: it only prints anything if the value is the same in main.cf and in `postconf -d`.

To see local settings, use 'postconf -n'. that's its job.

If you really insist, here is a modified version of the script:

postconf -n | while read parameter equal value; do
    default_value=`postconf -dh "$parameter" 2>&1`
    if [ "$value" = "$default_value" ]; then
        echo "NOTICE: Useless setting: $parameter = $value"
    else
        echo "$parameter = $value"
    fi
done

but this is too complex for the task.

> I ran the script both as me and as root.
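As an added example (not code from the thread), the same "useless setting" check written as functions over two saved dumps, so it can be tried offline on constructed data and tells apart a setting that repeats the default, a real local override, and a parameter name postconf does not know; the file names, the sample dump contents and the LOCAL/UNKNOWN labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: the "useless setting" check from the
# posted script, as functions over two saved dumps so it runs offline on
# constructed data. On a real server, produce the dumps with:
#   postconf -n > current.txt; postconf -d > defaults.txt

# Print the default value of one parameter (value only, like `postconf -dh`).
# Prints nothing when the parameter is not in the defaults file.
default_of() {
    # $1: parameter name, $2: file holding `postconf -d` output
    sed -n "s/^$1 = *//p" "$2" | head -n 1
}

# Classify every line of a `postconf -n` dump against the defaults dump:
#   NOTICE  - the value merely repeats the built-in default
#   LOCAL   - a real local override
#   UNKNOWN - no such built-in parameter (here `postconf -d` would print a
#             warning on stderr, which the 2>&1 in the posted one-liner catches)
compare_postconf() {
    # $1: file holding `postconf -n` output, $2: file holding `postconf -d` output
    while read -r parameter equal value; do
        [ "$equal" = "=" ] || continue      # skip blank or malformed lines
        if ! grep -q "^$parameter =" "$2"; then
            echo "UNKNOWN: $parameter = $value"
            continue
        fi
        default_value=$(default_of "$parameter" "$2")
        if [ "$value" = "$default_value" ]; then
            echo "NOTICE: Useless setting: $parameter = $value"
        else
            echo "LOCAL: $parameter = $value"
        fi
    done < "$1"
}

# Count the settings in a dump that merely repeat the default.
count_useless() {
    compare_postconf "$1" "$2" | grep -c '^NOTICE'
}

# Constructed sample dumps in the shape of postconf output (not from a real
# host): mailq_path and mydestination are overridden, inet_interfaces and the
# empty relayhost repeat their defaults, and foo_bar is a misspelt parameter.
write_sample_files() {
    # $1: directory to write current.txt and defaults.txt into
    cat > "$1/current.txt" <<'EOF'
mailq_path = /usr/bin/mailq.postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
relayhost =
foo_bar = yes
EOF
    cat > "$1/defaults.txt" <<'EOF'
inet_interfaces = all
mailq_path = /usr/bin/mailq
mydestination = $myhostname, localhost.$mydomain
newaliases_path = /usr/bin/newaliases
relayhost =
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_files "$dir"
    compare_postconf "$dir/current.txt" "$dir/defaults.txt"
    rm -r "$dir"
}

main
```

Run it as-is to see the five classified lines for the constructed dumps; point compare_postconf at real current.txt and defaults.txt files to audit a live main.cf.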
Re: BCC Transport Map
Le 23/12/2012 05:21, Joey J a écrit : Hello All, I have done this previously, but can't find any of my own documentation that I make. I want to configure a transport map, that delivers mail to my server ( postfix acting as a gateway ) but also deliver every message to a mailbox. this is how we get mail if the server crashes. no need for a transport. use http://www.postfix.org/ADDRESS_REWRITING_README.html#auto_bcc recipient_bcc_maps = pcre:/etc/postfix/recipient_bcc recipient_delimiter = + == recipient_bcc: /(.*)@example\.com$/archive+$1...@example.net this will copy mail for foo...@example.com to archive+foo...@example.net the extension allows you to retrieve the original recipient. if you have multiple domains, you use something like: /(.*)@(example\.com)$/archive+$1=$2...@example.net so as to retrieve the original recipient domain as well.
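The recipient_bcc_maps rule above, as an added example in Python (not code from the thread or from Postfix): the multi-domain pcre rule is written as a Python regex, where \1 and \2 stand for Postfix's $1 and $2, and the archive mailbox archive@example.net is assumed. The second function shows the point made in the reply, that with recipient_delimiter = + the original recipient, domain included, can be recovered from the address extension of the archived copy.

```python
import re

# Constructed rule modelled on the thread's pcre: table (domains example.com and
# example.org, archive mailbox archive@example.net are assumptions for the example).
BCC_RULE = (re.compile(r"(.*)@(example\.com|example\.org)$"),
            r"archive+\1=\2@example.net")
DELIMITER = "+"   # recipient_delimiter = + in main.cf


def bcc_for(recipient: str):
    """Return the archive copy address for recipient, or None if no rule matches."""
    pat, repl = BCC_RULE
    m = pat.search(recipient)
    return m.expand(repl) if m else None


def original_recipient(archive_addr: str):
    """Undo the rewrite: split the localpart at the first delimiter (as Postfix does)
    and parse the 'user=domain' extension back into the original recipient."""
    localpart, _, _domain = archive_addr.rpartition("@")
    base, sep, extension = localpart.partition(DELIMITER)
    if not sep or base != "archive":
        return None
    user, eq, domain = extension.rpartition("=")
    return f"{user}@{domain}" if eq else None


if __name__ == "__main__":
    for rcpt in ("foo@example.com", "foo+tag@example.org", "bar@other.net"):
        copy = bcc_for(rcpt)
        print(rcpt, "->", copy, "->", original_recipient(copy) if copy else None)
```

A recipient whose own localpart already contains the delimiter (foo+tag) survives the round trip because Postfix, and the code above, split at the first delimiter only, so the whole "foo+tag=example.org" string ends up in the extension.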
Re: Problem: Recipient address rejected: User unknown in virtual mailbox table
Le 15/12/2012 00:03, Valone, Toren W.@DMV a écrit : I actually did not feed the full path, when doing that I got no error, This doesn't tell us what command was run and whether it returned a result or not. You're not being very helpful here. Please help us to help you. For that, we need complete/full/unaltered information. Feel free to redact private information (such as email addresses) but do so consistently (use a one-to-one mapping). so let's start again! Please show: 1) the log line that contains user unknown. Please notice: I say line, not part, snippet,... etc = we are used to reading postfix logs and can spot things you may miss. 2) the command I asked you to run and the results. (copy-paste what you see on the screen, starting from the command itself until the next prompt, so we see it when the result is empty) as a reminder, the command is: postmap -q user@domain mysql:/etc/postfix/mysql-virtual_mailboxes.cf we need to see the command itself as well as the results (up to the next prompt). = we need to check that you ran the right command (no typos, no misunderstanding, ...) for the right user (the one that appears in the logs). 3) evidence that the user is in your mysql table. show the table definition (the columns), show the line containing the user address that we're looking at. 4) the contents of mysql-virtual_mailboxes.cf good luck... [snip]
Re: Send mails use the same source IP across multiple servers
Le 15/12/2012 14:43, Ram a écrit : Hi I have a slightly OT question If I have to use a single IP for a sender domain to the internet, but yet the mails may get sent from different servers What is the best way for doing it The requirement is because the volumes are too large for a single machine to handle but the client still wants to send the mails using a dedicated IP if the servers perform heavy tasks such as malware and spam filtering, then dedicate one box to mail routing and use it as a gateway from which all mail will get out. if even mail routing is too heavy, then as said, NAT may help (whether on a hard box or on a server with BSD+pf or Linux+iptables), provided one box can route as much traffic! Note1. with 1 IP, you get less than 2^16 ports, which gives a hard upper limit on the number of simultaneous TCP connections. Note2. if you need a lot of bandwidth, then the box that sends mail as well as all other nodes in the path need to be able to handle this.
Re: How to change modified cf files to postconf commands
Le 14/12/2012 01:55, Robert Moskowitz a écrit : On 12/13/2012 05:47 PM, Noel Jones wrote: On 12/13/2012 4:17 PM, Robert Moskowitz wrote: In the tutorial: http://www.campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer There are modified postfix .cf files. I don't want to just use a modified postfix file, I want to use postconf to do the modifications. And I am not experienced using things like diff to work out what changes were made from the base install files. Can anyone lend some expertise in identifying the mods so I can work this up as postconf commands? Why? If you're just going to paste in changes it doesn't matter too much if you paste in a pre-made .cf file or if you run a bunch of postconf commands. For the past 3 years I have been running with a setup based on: http://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-fedora-14-x86_64 Here the postfix changes are done via postconf, so I CAN tell what changes are made and understand what is going on. # postconf -d shows default settings (builtin defaults). # postconf -n shows local settings. that said, some local settings may use the same value as the default config, which is mostly useless. on the url you posted, an example is inet_interfaces = all, since this is the default: # postconf -d inet_interfaces inet_interfaces = all so the setting is useless and can be removed from main.cf. same for mydestination, alias_maps... You can chase these with something like:
# postconf -n | while read parameter equal value; do default_value=$(postconf -dh "$parameter" 2>&1); if [ "$value" = "$default_value" ]; then echo "NOTICE: Useless setting: $parameter = $value"; fi; done
Such settings can be removed from main.cf. (the 2>&1 will avoid false positives when a parameter is unknown to 'postconf -d'...). Better to learn why each line is there, and why. And most important, if *you* need it. Kind of my point.
What changes is the author of the tutorial really making so I can understand why. http://www.postfix.org/documentation.html http://www.postfix.org/STANDARD_CONFIGURATION_README.html http://www.postfix.org/VIRTUAL_README.html main.cf parameters and their defaults are documented here: http://www.postfix.org/postconf.5.html Generally, only parameters that differ from their default should be included in your main.cf. Again, what I want to get to. Understand what changes the author made to the defaults. Looks like I will first have to learn how to understand the output of diff. do not blindly follow howtos/tutorials/etc. better learn from the official documentation. see Noel's post for a few URLs. more on postfix site. you can also consider getting a copy of the book of postfix.
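The "useless setting" check discussed in this thread and in the follow-up thread above ("checking script doesnt work"), as an added Python example that is not code from the list: it parses the "name = value" lines that postconf -n and postconf -d print, flags local settings equal to the built-in default, keeps the ones that actually differ, and reports names that postconf -d does not know about separately (the false-positive case the 2>&1 redirection guards against). The two sample outputs are constructed for the example; live_report() runs the real commands and only works on a host with Postfix installed.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `postconf -n` output (local settings); not from a real host.
LOCAL_SAMPLE = """\
alias_maps = hash:/etc/aliases
inet_interfaces = all
mailq_path = /usr/bin/mailq.postfix
mydestination = $myhostname, localhost.$mydomain, localhost
relay_restrictions_typo = permit_mynetworks
"""

# Constructed sample of `postconf -d` output (built-in defaults) for the same names.
# A name that postconf -d does not know is simply absent here, as the real command
# prints a warning on stderr and no "name = value" line for it.
DEFAULT_SAMPLE = """\
alias_maps = hash:/etc/aliases
inet_interfaces = all
mailq_path = /usr/bin/mailq
mydestination = $myhostname, localhost.$mydomain, localhost
"""

_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines as printed by postconf -n / postconf -d."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def classify(local: Dict[str, str],
             defaults: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Split local settings into: redundant (same value as the default), effective
    (differs from the default) and unknown (not a parameter postconf -d knows)."""
    redundant, effective, unknown = [], [], []
    for name, value in sorted(local.items()):
        if name not in defaults:
            unknown.append(name)
        elif value == defaults[name]:
            redundant.append(name)
        else:
            effective.append(name)
    return redundant, effective, unknown


def live_report() -> Tuple[List[str], List[str], List[str]]:
    """Same check against the running system; requires the postconf binary."""
    local = parse_postconf(
        subprocess.run(["postconf", "-n"], capture_output=True, text=True).stdout)
    defaults = parse_postconf(
        subprocess.run(["postconf", "-d"], capture_output=True, text=True).stdout)
    return classify(local, defaults)


if __name__ == "__main__":
    redundant, effective, unknown = classify(parse_postconf(LOCAL_SAMPLE),
                                             parse_postconf(DEFAULT_SAMPLE))
    for name in redundant:
        print("NOTICE: Useless setting:", name)
    for name in effective:
        print("local override:", name)
    for name in unknown:
        print("WARNING: unknown parameter (typo?):", name)
```

Treating unknown names as their own category matters in practice: a misspelled parameter in main.cf is silently ignored by Postfix, so it neither takes effect nor shows up as "different from the default".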
Re: Directive mynetwork and mynetwork_style
Le 14/12/2012 11:28, Muhammad Yousuf Khan a écrit : Thanks :) and it is recommended to use mynetworks. This is because mynetwork_style may open a hole in some situations (when your netmask is wide but you only own few boxes in the same network. this is generally the case for residential networks). you can generally start with mynetworks = 127.0.0.1 and then add the minimum subnets or IPs that need to relay via this postfix without SASL authentication. [snip]
Re: Problem: Recipient address rejected: User unknown in virtual mailbox table
Le 14/12/2012 22:49, Reindl Harald a écrit : Am 14.12.2012 22:36, schrieb Valone: I have Postfix/DoveCot/SASL with mysql setup up running on Ubuntu Server 10.04. I believe that when the mail comes in, something in the settings is not allowing the data to be parsed correctly resulting in the User unknown error. --main.cf non-default parameters-- do NOT post in HTML on mailing list post output of postconf -n and not main.cf contents he actually did it. postfinger shows 'postconf -n' output.
Re: Problem: Recipient address rejected: User unknown in virtual mailbox table
Le 14/12/2012 22:36, Valone, Toren W.@DMV a écrit : I have Postfix/DoveCot/SASL with mysql setup up running on Ubuntu Server 10.04. I believe that when the mail comes in, something in the settings is not allowing the data to be parsed correctly resulting in the User unknown error. you can debug your maps with postmap. for example: # postmap -q user@domain mysql:/etc/postfix/mysql-virtual_mailboxes.cf this should return something. [snip]
Re: Limit an account to 1 email address
Le 09/12/2012 11:28, Reindl Harald a écrit : Am 09.12.2012 03:16, schrieb Grant: Each of my systems sends alerts to my mail server for delivery to my email address through a special user account on my mail server with no shell account which is only used for this purpose. Can I limit all mail sent by authenticating through this user account so that it can only be delivered to my email address? The user's password is stored in plain text in ssmtp.conf on each of my systems but I figure that doesn't matter if it can only be used to send mail to my address. do you mean a catch-all address? sorry but the description of your goal is weird maybe OP is trying to say: this sender can only send to a specific email address. if so, restriction classes can help: http://www.postfix.org/RESTRICTION_CLASS_README.html if not, OP is invited to state his goal with an example.
Re: connect from unknown
Le 09/12/2012 06:33, Cameron Smith a écrit : Having trouble getting postfix configured correctly to relay to Google Apps some of the time. I am seeing the following error in /var/log/mail.log Dec 8 21:15:08 vps postfix/master[3924]: daemon started -- version 2.9.3, configuration /etc/postfix Dec 8 21:16:05 vps postfix/smtpd[3930]: warning: hostname vps.abw.co does not resolve to address 199.101.51.160 postfix found that 199.101.51.160 resolves to vps.abw.co but not the opposite. many possibilities: - transient dns error. - dns misconfiguration (postfix points to a dns server that doesn't give the right answer). - postfix is chrooted and /etc/resolv.conf is not copied to the chroot cage. to see whether postfix is chrooted, run
egrep -i '^[0-9a-z].*smtpd' /etc/postfix/master.cf | awk '{print $5}'
this command should show only 'n'. if you see 'y' or '-', then at least one smtpd is chrooted. Dec 8 21:16:05 vps postfix/smtpd[3930]: connect from unknown[199.101.51.160] Dec 8 21:16:05 vps postfix/smtpd[3930]: lost connection after RSET from unknown[199.101.51.160] For some reason, the client (or an intermediary router/firewall) dropped the connection. = postfix did not reject the client. Dec 8 21:16:05 vps postfix/smtpd[3930]: disconnect from unknown[199.101.51.160] If I use a sendmail command from the CLI I am able to send with a 250 response code. it is unclear whether your phpmail runs on the same machine as your postfix server or whether they run on different boxen. and whether you run sendmail on the postfix server or another box. etc. I only see the other error when using php and phpmailer. Since that makes it probably a phpmailer issue what things could be set incorrectly there that would cause postfix to log the errors listed above whatever is connecting to your postfix server drops the connection. I have tried removing vps.abw.co from my destination with the same result.
199.101.51.160 is my server IP vps.abw.co is my server hostname RDNS is set correctly: host 199.101.51.160 160.51.101.199.in-addr.arpa domain name pointer vps.abw.co for the future (and for the archive), this alone is not enough to say rDNS is set correctly. You must test the forward query as well. yes, it works from here (now). $ host vps.abw.co vps.abw.co has address 199.101.51.160 [snip]
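The chroot check from the reply above (column 5 of every smtpd service line in master.cf), as an added Python example rather than the egrep/awk one-liner from the list: it skips comments and "-o" continuation lines, reads the chroot column and treats "-" as the compiled-in default, which is "y" on the Postfix 2.x releases discussed in this thread (it became "n" in Postfix 3.0). The master.cf excerpt is constructed for the example.

```python
from typing import Iterator, List, Tuple

# Constructed master.cf excerpt (not from any real host).
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       y       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
"""


def service_entries(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (name, type, chroot_flag, command) for each master.cf service line.
    Comment lines and indented continuation lines (the '-o ...' options) are skipped."""
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) < 8:          # malformed line; master(5) needs 8 columns
            continue
        yield cols[0], cols[1], cols[4], cols[7]


def chrooted_smtpd(text: str, default_chroot: str = "y") -> List[str]:
    """Names of smtpd services that run chrooted. '-' in the chroot column means
    the built-in default: 'y' before Postfix 3.0, 'n' from 3.0 on."""
    found = []
    for name, _type, chroot, command in service_entries(text):
        if command != "smtpd":
            continue
        flag = default_chroot if chroot == "-" else chroot
        if flag == "y":
            found.append(name)
    return found


if __name__ == "__main__":
    names = chrooted_smtpd(MASTER_CF)
    if names:
        print("chrooted smtpd services:", ", ".join(names),
              "- make sure /etc/resolv.conf exists inside the chroot")
    else:
        print("no chrooted smtpd service")
```

A chrooted smtpd that cannot read resolv.conf fails name resolution, which is why the hostname warning shows up in the log even when DNS itself is fine; running the check against the real file is just chrooted_smtpd(open("/etc/postfix/master.cf").read()).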
Re: SASL auth and (local) relaying through telnet
Le 07/12/2012 18:22, Titanus Eramius a écrit : [snip] titanus@asrock:~$ telnet 94.247.168.138 25 Trying 94.247.168.138... Connected to 94.247.168.138. Escape character is '^]'. 220 ntdata.nt-data.dk ESMTP Postfix EHLO fake 250-ntdata.nt-data.dk 250-PIPELINING 250-SIZE 1024 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN MAIL FROM:s...@veryfakeaddress548562.tld 250 2.1.0 Ok RCPT TO:m...@nt-data.dk 250 2.1.5 Ok DATA 354 End data with CRLF.CRLF content here . 250 2.0.0 Ok: queued as EDB151746A80 quit 221 2.0.0 Bye Connection closed by foreign host. The maillog on the server looks like this: titanus@ntdata:~$ sudo cat /var/log/mail.log | grep EDB151746A80 humour mew :) you like cats too? or is it the pipe that you like? $ sudo grep /var/log/mail.log saves a few keystrokes /humour keep reading. answer below. Dec 7 17:51:38 ntdata postfix/smtpd[26112]: EDB151746A80: client=unknown[92.243.255.38] Dec 7 17:51:51 ntdata postfix/cleanup[26118]: EDB151746A80: message-id= Dec 7 17:51:51 ntdata postfix/qmgr[3981]: EDB151746A80: from=SRS0=QfAL=KB=veryfakeaddress548562.tld=s...@nt-data.dk, size=396, nrcpt=1 (queue active) Dec 7 17:51:51 ntdata postfix/pipe[26119]: EDB151746A80: to=m...@nt-data.dk, relay=dovecot, delay=36, delays=36/0.01/0/0.17, dsn=2.0.0, status=sent (delivered via dovecot service) Dec 7 17:51:51 ntdata postfix/qmgr[3981]: EDB151746A80: removed If at all possible, I would like the system not to accept the mail. why not? because you sent it using the telnet client program? there is no fundamental difference between mail sent using a standard MUA (thunderbird, outlook, ...) or a program such as telnet, netcat, ... or a script using perl, python, php, ... and no, spammers do not use the telnet program. that would be too slow! they (generally) use spam bots, which can send mass mail in a short time.
trying to detect such bots is the subject of anti-spam measures such as postscreen, greylisting, spam filters (that look for specific headers or other).
Re: connect from unknown
Le 09/12/2012 16:31, /dev/rob0 a écrit : [snip] The client might see something in your EHLO response which makes it unable or unwilling to try to send mail. indeed. if the client is configured to use AUTH and/or STARTTLS and doesn't see it in the EHLO response, then that might explain the problem. [snip]
Re: How to stop smtp servers to send us emails
Le 06/12/2012 06:22, Pierre-Gilles RAYNAUD a écrit : Hi Everyone, On 01/12/12 18:19, Noel Jones wrote: On 12/1/2012 11:11 AM, PGR wrote: Hi Everyone, I would like to know how to stop/forbid this server to send us their emails The content of received email is Received: from web-groupsolweb1.aquaray.com (unknown [95.128.42.80]) by mail.domain.tld (Postfix) with ESMTP for i...@sdomain.tld; Fri, 30 Nov 2012 00:56:49 +0100 (CET) Received: from PC-de-thib (2.147.3.109.rev.sfr.net [109.3.147.2]) by web-groupsolweb1.aquaray.com (Postfix) with SMTP id E4515974A2C for i...@domain.tld; Tue, 27 Nov 2012 03:59:06 +0100 (CET) The content of mail.log Nov 30 00:56:49 serv001 postfix/smtpd[21866]: warning: 95.128.42.80: address not listed for hostname web-groupsolweb1.aquaray.com Nov 30 00:56:49 serv001 postfix/smtpd[21866]: connect from unknown[95.128.42.80] Add a check_client_access map to reject them. Something like: # main.cf smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_blacklist # client_blacklist 95.128.42.80 REJECT listed in client blacklist Both have been done /etc/postfix$ grep iglobe.be * client-blacklist:.iglobe.be REJECT 555 Spam not tolerated by default, parent_domain_matches_subdomains contains smtpd_access_maps. this implies that you should use iglobe.be without a dot. my recommendation is: use two entries, one with a leading dot and one without:
.iglobe.be REJECT
iglobe.be REJECT
... This way, the domain is blocked whatever the value of parent_domain_matches_subdomains is: http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains note that this check depends on DNS. you can add checks based on the IP address. check_client_access cidr:/etc/postfix/client-bl.cidr and in that file:
#reject 62.182.56.160 - 62.182.56.175
62.182.56.160/28 REJECT ...
# this doesn't include the IPs 62.182.56.176 - 62.182.56.187
# but that makes many cidr blocks.
# if you feel a little angry, extend the block up to 62.182.56.191.
#62.182.56.160/27 REJECT
# if you are very angry, just block the /24.
/etc/postfix$ grep client-blacklist * main.cf:smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client-blacklist, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,reject_unknown_reverse_client_hostname and I'm still getting unwanted email (from iglobe.be in this example) Received: from paganini.iglobe.be (diegem.iglobe.be [62.182.56.170]) by mail.domain.tld (Postfix) with ESMTP for u...@domain.tld; Wed, 5 Dec 2012 12:51:37 +0100 (CET) Received: from pluto.be-housing.be (unknown [192.168.137.94]) by paganini.iglobe.be (Postfix) with ESMTP id 69C6688B77 for u...@domain.tld; Wed, 5 Dec 2012 12:51:39 +0100 (CET) Received: from 84.194.91.122 (localhost [127.0.0.1]) by pluto.be-housing.be (Postfix) with SMTP id 01744158023 for u...@domain.tld; Wed, 5 Dec 2012 12:51:36 +0100 (CET) Any suggestions on what is going on my configuration? Cheers -- PGR
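Why the reply recommends listing the domain both with and without the leading dot, and how the cidr: block relates to the addresses in the Received headers, as an added Python example (not code from the list or from Postfix). It reproduces the lookup-key rules of access(5): when parent_domain_matches_subdomains contains smtpd_access_maps (the default), a client hostname is looked up as itself and then as each parent domain without a dot; otherwise the parent domains are looked up with a leading dot. The hostname and CIDR entries are the ones from the thread; the tables themselves are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Constructed tables modelled on the thread's files.
HASH_TABLE: Dict[str, str] = {".iglobe.be": "REJECT", "iglobe.be": "REJECT"}
CIDR_TABLE: Sequence[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("62.182.56.160/28"), "REJECT"),   # .160 - .175
]


def hostname_lookup_keys(hostname: str, parent_matches_subdomains: bool = True) -> List[str]:
    """Keys Postfix tries, in order, for a client hostname in a hash: access map.
    Default style (smtpd_access_maps listed in parent_domain_matches_subdomains):
    parents without a leading dot. Otherwise: parents with a leading dot."""
    labels = hostname.split(".")
    keys = [hostname]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def check_client(hostname: str, ip: str, parent_matches_subdomains: bool = True,
                 hash_table: Dict[str, str] = HASH_TABLE,
                 cidr_table=CIDR_TABLE) -> str:
    """Emulate 'check_client_access hash:..., check_client_access cidr:...':
    the first entry that matches decides; 'DUNNO' means nothing matched."""
    for key in hostname_lookup_keys(hostname, parent_matches_subdomains):
        if key in hash_table:
            return hash_table[key]
    addr = ipaddress.ip_address(ip)
    for net, action in cidr_table:
        if addr in net:
            return action
    return "DUNNO"


if __name__ == "__main__":
    for style in (True, False):
        print("parent-matching style:", style,
              hostname_lookup_keys("paganini.iglobe.be", style))
    # Only the dotless entry, as in the original poster's file:
    only_dotless = {"iglobe.be": "REJECT"}
    print("dotless entry, default style:",
          check_client("paganini.iglobe.be", "192.0.2.1", True, only_dotless))
    print("dotless entry, dotted style:",
          check_client("paganini.iglobe.be", "192.0.2.1", False, only_dotless))
    print("IP in the /28:", check_client("unknown", "62.182.56.170"))
    print("IP outside the /28:", check_client("unknown", "62.182.56.180"))
```

With only the dotless entry, the lookup still succeeds under the default style, so the poster's remaining deliveries from iglobe.be were not caused by the dot; the IP check is the one that does not depend on DNS, and 62.182.56.180 shows the gap a /28 leaves compared with the /27 mentioned in the reply.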
Re: Bounces back to myself
Le 06/12/2012 14:58, Muzaffer Tolga Özses a écrit : On 12/05/2012 03:57 PM, Benny Pedersen wrote: Muzaffer Tolga Özses skrev den 04-12-2012 09:10: mydestination = localhost try using it as default, comment it in main.cf if it still loops then recipient domain is missing in mysql virtual_mailbox_domains virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf try postmap -q example.org mysql:/etc/postfix/mysql_virtual_domains_maps.cf no output ?, then example.org is missing in sql data, make sure mydestination domains exists here, if you want to change it to just localhost in main.cf test with your own domain to make sure it works mail.bilgisayarciniz.org are missing ? drupalizm.com works in postmap Hi again, I've resolved all but one of these bouncing issues. How do I silently discard e-mails sent to an unknown user, because they also bounce? do not accept mail unless you deliver it. now, if you have queued mail to remove, you can use # postsuper -d $queueid
Re: avoiding overload on port 587
Le 03/12/2012 09:30, Tomas Macek a écrit : OK, so I spent some time reading config params in doc and topics in various forums and decided to setup my submission port 587 like this: submission inet n - n - - smtpd -o smtpd_etrn_restrictions=reject -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject I decided not to use the smtpd_sasl_exceptions_networks = $mynetworks, because I experienced, that Opera M2 mail client sends the auth credentials even if none auth is offered by the mail server... don't know why, but maybe there is still some other mail client with this strange behaviour... there are two things I don't understand in what you say: 1) you say that opera sends credentials even if it's not asked. I doubt this. please show evidence. 2) why would you setup a submission service that doesn't require auth from MUAs? Do you agree with this setup? Any further recommendations? if you setup submission, require authentication. otherwise, use port 25.
Re: avoiding overload on port 587
Le 03/12/2012 10:07, Stan Hoeppner a écrit : You might want to look into these as well: -o content_filter= ahem? submission or not, it must go through a malware filter. -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o receive_override_options=no_unknown_recipient_checks,\ no_address_mappings,no_header_body_checks These disable restrictions configured elsewhere in the system that target public client MTAs. This is a submission service, so you probably want to disable many of the existing restrictions, such as DNSBL lookups, SpamAssassin, etc, which will cause rejections, or users' outbound mail possibly being marked as spam. And obviously server processing load increases due to more mail going through SA if you don't disable SA for this service. # cat master.cf submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o syslog_name=${submission_syslog_name} -o cleanup_service_name=cleanmsa -o myhostname=${submission_myhostname} -o smtpd_tls_security_level=${submission_tls_security_level} -o smtpd_client_restrictions=${submission_client_restrictions} -o smtpd_helo_restrictions=${submission_helo_restrictions} -o smtpd_sender_restrictions=${submission_sender_restrictions} -o smtpd_recipient_restrictions=${submission_recipient_restrictions} -o smtpd_relay_restrictions=${submission_relay_restrictions} -o content_filter=${submission_content_filter} -o receive_override_options=no_address_mappings and in main.cf, adjust all these vars. but don't let a message go without control.
Re: spaces when using -o in master.cf
Le 03/12/2012 14:59, Tomas Macek a écrit : On Mon, 3 Dec 2012, Reindl Harald wrote: Am 03.12.2012 14:42, schrieb Tomas Macek: I have line like this smtpd_client_restrictions = check_policy_service inet:127.0.0.1:24575, ... in my main.cf I would like the $smtpd_client_restrictions to override in master.cf, something like: submission inet n - n - - smtpd -o smtpd_client_restrictions=check_policy_service inet:127.0.0.1:24575 but the space between check_policy_service and inet is a problem. How can I write this (if it's possible generally)? I know, that the doc says, the spaces are not allowed but maybe there is a way... main.cf whatever_smtpd_client_restrictions = check_policy_service inet:127.0.0.1:24575 master.cf: -o smtpd_client_restrictions=$whatever_smtpd_client_restrictions Thanks, this seems to be also the solution. it's not also. it's the. But according to the http://marc.info/?l=postfix-usersm=108075412814545 (found after really long time) the , (comma) did the job: -o smtpd_client_restrictions=check_policy_service,inet:127.0.0.1:24575 How this can work?? :-o ',' is a separator. so that works, but it is obscure. avoid it.
Re: Postfix multiple instances + Dovecot
Le 01/12/2012 11:15, WebprodsPT a écrit : Hello, I have a multiple instance Postfix setup. The first (original) one was configured with dovecot with the property: smtpd_sasl_path = private/auth-client This path represents a socket where dovecot listens to postfix connections (pardon me if this description is not 100% accurate). Now the other postfix instances doesn't have this special socket file in their spool directory, so I receive the following error in other Postfix instances: [snip] create a socket for each postfix instance. With dovecot 1.x, that would look like client { path = /var/spool/postfix/private/dovecot-auth mode = 0660 user = postfix group = postfix } client { path = /d/spool/postfix2/private/dovecot-auth mode = 0660 user = postfix group = postfix } ... With dovecot 2.x, something like unix_listener /var/spool/postfix/private/dovecot-auth { mode = 0666 user = postfix group = postfix } unix_listener /var/spool/postfix2/private/dovecot-auth { mode = 0666 user = postfix group = postfix } ... ...
Re: alias_maps are not being read correctly
Le 30/11/2012 18:36, l...@airstreamcomm.net a écrit : [snip] Thanks for the clarification Noel, from your explanation it appears my relay is virtual so the alias_maps are not going to be recognized for the domains that are hosted virtually. I just created a mysql table with a source and destination column like so: massmailaddr - destaddr1 massmailaddr - destaddr2 ... it is recommended to use fully qualified addresses (put the domain in the addresses). otherwise, if you change myorigin, you'll have a surprise... Added virtual_alias_map = mysql:/etc/postfix/massmail.cf: hosts = x.x.x.x, y.y.y.y user = user password = password dbname = massmail query = SELECT destination FROM entries WHERE source = '%s' postmap -q massmailaddr mysql:/etc/postfix/massmail.cf: destaddr1, destaddr2, ... And had success. I also had to update the value for virtual_alias_expansion_limit as my customer needed to deliver to more than the default 1000 addresses. For mass mail, it is recommended to use a mailing list manager, such as mailman and sympa. these tools have been designed for that task (and they do many things that you'll have a hard time implementing with a stock MTA).
Re: CSI Cloudmark configuration
Le 22/11/2012 13:22, Nico Angenon a écrit : Hello, My goal is not to send mass mail, i'm looking for a solution because my server serves about 1500 Users sending normal mails 10 hours a day, how many users sending is irrelevant. what counts is how many messages get out of your system. and this trouble causes delay on delivery that my users don't accept anymore... When orange tells us to slow down, it's impossible to send them some mail during a few minutes, so, even with 10 mails in queue, it can take several minutes to be delivered...
Re: master.cf Pipe delivery to virtual
Le 20/11/2012 10:28, r...@tntwrk.info a écrit : Hello all, I'm using postfix together with LDAP from where I take information about user addresses and their home dirs, where I want to store emails. I have everything configured correctly, it's working for all users except for users that don't have a created homedir yet. I want to implement a script that will get the message, create homedir + maildir for the user if they don't exist already, and then pass the whole message transparently to virtual, which will do the delivery as usual. Over the Internet I've found such scripts for maildrop delivery, but with implementing the same logic I had no success applying that knowledge in my scenario. My configuration is in master.cf:
---
homedir unix - n n - - pipe user=nobody:nobody argv=/usr/libexec/postfix/home -d ${user}@${nexthop} -f ${sender}
---
Content of /usr/libexec/postfix/home is:
---
#!/bin/bash
INSPECT_DIR=/var/spool/filter
# Exit codes from sysexits.h
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15
cd $INSPECT_DIR || { echo "$INSPECT_DIR does not exist"; exit $EX_TEMPFAIL; }
# Save the message from stdin to a temporary file.
cat >in.$$ || { echo "Cannot save mail to file"; exit $EX_TEMPFAIL; }
# Hand the saved message to virtual with the same arguments we received.
/usr/libexec/postfix/virtual "$@" <in.$$
exit $?
---
Now when I send email to the machine, I see the following in the log:
---
Nov 19 15:29:01 localhost postfix/postfix-script[4343]: starting the Postfix mail system Nov 19 15:29:01 localhost postfix/master[4344]: daemon started -- version 2.9.4, configuration /etc/postfix Nov 19 15:29:05 localhost postfix/smtpd[4349]: connect from unknown[192.168.255.201] Nov 19 15:29:05 localhost postfix/smtpd[4349]: F117F43F2D: client=unknown[192.168.255.201] Nov 19 15:29:06 localhost postfix/cleanup[4353]: F117F43F2D: message-id= Nov 19 15:29:07 localhost postfix/qmgr[4348]: F117F43F2D: from=r...@b.zn, size=421, nrcpt=1 (queue active) Nov 19 15:29:07 localhost postfix/smtpd[4349]: disconnect from unknown[192.168.255.201] Nov 19 15:29:07 localhost postfix/virtual[4357]: fatal: no transport type specified Nov 19 15:29:08 localhost postfix/pipe[4354]: F117F43F2D: to=lukas@A.Z, relay=homedir, delay=2.3, delays=1.2/0.01/0/1.2, dsn=5.3.0, status=bounced (Command died with status 1: /usr/libexec/postfix/home)
---
What I believe is wrong is the way I pass the email to virtual at the end of the script. Unfortunately when I try to run /usr/libexec/postfix/virtual with parameters such as --help or -h I don't get any help, and also I didn't find any documentation saying if virtual needs to get any command line arguments or something special to STDIN. so the question is how can I specify all required inputs to virtual; in the log it's asking for transport specification, but I'm not sure it will be the only information virtual needs. Thank you in advance. the easy answer is: when you create an email account, do create the mailbox. what's so complicated about this? why do you want the mailbox to be created at inbound mail reception? optimise for the common case. the common case for a mailbox is receiving email, not creating the mailbox. from a security perspective, it is debatable to let a network connected daemon create arbitrary directories on your system.
Re: CSI Cloudmark configuration
Le 20/11/2012 09:46, Nico Angenon a écrit : Hello, Some of the biggest french provider are using CSI “cloudmark sender intelligence” : the big problem with CSI cloudmark is that they don’t accept many simultaneous connexions. i always get a log like “too many connexion, slow down” so i made the following configuration : In /etc/postfix.transport wanadoo.com slow: wanadoo.fr slow: In /etc/postfix/master.cf slow unix - - n - 5 smtp -o syslog_name=postfix-slow -o smtp_destination_concurrency_limit=3 -o slow_destination_rate_delay=1 In /etc/postfix/main.cf transport_maps = /etc/postfix/transport slow_destination_recipient_limit = 20 slow_destination_concurrency_limit = 2 but i keep having some trouble in my logs... In the CSI advice, they say : if you have 100 Messages to deliver to this server, the better way is to open 1 connection and send 100 messages instead of opening 100 connexions delivering 1 message each... do i have to change the slow_destination_recipient_limit parameter to follow this advice ? Thanks in advance Nico Angenon if your goal is to send mass mail, then you should ask to be whitelisted. (of course, it is necessary that you follow good practices. unfortunately, this is not sufficient!).
Re: System watcher to check if Postfix is running
Le 20/11/2012 21:44, Rosenbaum, Larry M. a écrit : We have some scripts that run to check that important processes like Postfix are running. The Postfix check does a 'ps ax' and looks for '/postfix/master', 'qmgr', 'pickup', and 'tlsmgr'. Should we be checking for all 4 of these or are there normal circumstances where some of these may be missing? if the goal is to monitor the mail system, then setup a monitoring address, send mail to it and have a process to read that mail (pop or whatever).
Re: Simplest approach to full-adress aliases?
Le 17/11/2012 15:24, Jeroen Geilman a écrit : [snip] NOTE that domainALPHA.com must be in an address class you control: relay, local, or virtual_*. No. virtual_alias_maps apply to all mail that goes through your postfix, whatever the domain class is. The presence of the alias alone does not mean mail for the domain is accepted. and mail may be accepted even if the domain is not in an address class you control the obvious example is submitted mail. a less obvious one is a domain not declared in relay_domains, but accepted via a check_recipient_access (yeah, that's ugly, but still possible). in short, the three things: - mail rewrite - mail address classes - mail acceptance are 3 different concepts.
Re: mixing mbox and maildirs for local users
Le 10/11/2012 23:26, maillis...@gmail.com a écrit : Postfix does respect set guid, that's my bad. I still don't see how to share a Maildir, though. what is share a Maildir? to create a shared mailstore, look at what your imap server can do.
Re: FROM: Address re-writing using regexp:/etc/postfix/sender_canonical for particular emails.
Le 12/11/2012 14:21, Prashanth P.Nair a écrit : great.. will this also be possible in regexp?..change both domain and user part of email address ? From:mys...@thisdomain.com to yourself@thatdomain. 1...@thatdomain.com looks like your gmail posting pollutes your message. anyway, /^myself@example\.com$/ some...@example.net works. but you probably want smtp_generic_maps instead of canonical_* http://www.postfix.org/ADDRESS_REWRITING_README.html#generic http://www.postfix.org/postconf.5.html#smtp_generic_maps On Mon, Nov 12, 2012 at 6:29 PM, Ralf Hildebrandt r...@sys4.de wrote: * Prashanth P.Nair prashanth...@gmail.com: How to re-write From: My Self mys...@thisdomain.com to From: My Self mys...@thatdomain.com using regexp . I know the sender_canonical_maps changes both the envelope sender address and header sender address according to the sender_canonical_classes. Below regexp is converting all the emails from @thisdomain.com to @thatdomain.com. But i need only for specific email address. Any way to achieve using regexp? /^(.*@)thisdomain.com$/ ${1}thatdomain.com /^(myself|somebodyelse)@thisdomain.com$/ ${1}@thatdomain.com -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Joerg Heidrich
Re: ot: iPhone smtp setup
Le 25/10/2012 22:39, li...@sbt.net.au a écrit : [snip] the error message didn't say, I've screenshotted it, not sure if iPhone has some other log access one can see ? or it tried to connect to the smtps port, and this one is not open/enabled. As Jeroen told you, make sure you configured the account to use TLS and not SSL. [snip] but, my understanding of mail header above, it was submitted to ISP's mail server, not postfix server, yet, the only enabled smtp I saw on iphone was my postfix server (unless iPhone user fiddled the iPhone..?) maybe the ISP is silently redirecting traffic. good ISPs should not redirect submission (port 587) but some do. or the iphone is not configured to use 587.
Re: Postfix 5.4.0 Error: too many hops
On 23/10/2012 18:07, Viktor Dukhovni wrote:
> On Tue, Oct 23, 2012 at 08:53:19AM -0700, marintech wrote:
>> I'm having a heck of a time trying to get inbound mail to work from my new spam filtering provider. The problem I see is that when my mail server gets the mail from Spam Soap there is something in the header that it thinks made too many hops.
> You've likely created a routing loop between your server and the spam filtering service. Don't forward already filtered mail back to the filtering service. Or you have a content filter loop on the local machine, with mail that passes a content filter re-injected right back into that local filter.

or there is a Delivered-To header issue. if your foo-provider adds a Delivered-To: j...@example.com, and your postfix tries to deliver to j...@example.com, then it's a loop and postfix will barf. so make sure your foo-provider does not add such a header. try header_checks like these:

/^(Delivered\-To:.*)/ REPLACE X-$1
/^(X\-Delivered\-To:.*)/ REPLACE X-$1
/^X\-X\-Delivered\-To:/ REJECT the universe collapsed

of course, you must remove these once you know what the problem is.
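As an added illustration (this is not code from the post or from Postfix), here is a small Python model of what the three header_checks rules above do when the same message keeps coming back through the same cleanup service. Postfix tries the rules in order against each header line and the first match wins; REPLACE rewrites the line, REJECT bounces the message. The rule table is transcribed from the reply, the headers and recipient are constructed, and "the provider prepends a Delivered-To: on every pass" is the assumed loop.

```python
import re
from typing import List, Tuple

# The three header_checks rules from the reply above, transcribed as Python regexes.
# Postfix pcre tables match case-insensitively by default and apply the FIRST matching
# rule to each header line; REPLACE rewrites the whole line, REJECT bounces the message.
HEADER_CHECKS = [
    (re.compile(r"^(Delivered-To:.*)", re.I), "REPLACE", r"X-\1"),
    (re.compile(r"^(X-Delivered-To:.*)", re.I), "REPLACE", r"X-\1"),
    (re.compile(r"^X-X-Delivered-To:", re.I), "REJECT", "the universe collapsed"),
]


def apply_header_checks(headers: List[str]) -> Tuple[str, List[str]]:
    """Run the rules over one message's headers (one pass through cleanup(8)).

    Returns ("REJECT", [reason]) as soon as a line hits a REJECT rule, otherwise
    ("OK", rewritten_headers)."""
    out = []
    for line in headers:
        for pattern, action, arg in HEADER_CHECKS:
            m = pattern.search(line)
            if m is None:
                continue
            if action == "REJECT":
                return "REJECT", [arg]
            line = m.expand(arg)   # REPLACE: the line becomes the expanded replacement text
            break                  # first matching rule decides; later rules are not tried
        out.append(line)
    return "OK", out


def deliver_with_loop(headers: List[str], recipient: str, passes: int) -> Tuple[int, str]:
    """Simulate the loop described above: on each pass the filtering provider (or a local
    delivery) prepends a fresh Delivered-To: for the recipient and hands the message back
    to the same cleanup service. Returns (pass on which it was rejected, verdict), with
    0 meaning it was never rejected. The caller supplies constructed sample headers."""
    current = list(headers)
    for n in range(1, passes + 1):
        current = [f"Delivered-To: {recipient}"] + current
        verdict, current = apply_header_checks(current)
        if verdict == "REJECT":
            return n, verdict
    return 0, "OK"
```

A message that goes through once or twice is only renamed (Delivered-To becomes X-Delivered-To, then X-X-Delivered-To), so Postfix's own Delivered-To loop check never fires and the mail is delivered; a message that comes back a third time is rejected by the last rule, which is exactly the breadcrumb the reply wants for diagnosing who is re-injecting the mail.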
Re: Block sending from non-US IPs
On 17/10/2012 22:41, Thomas E Lackey wrote:
> I am looking into a system where one of the [virtual] mail accounts was compromised. Apparently the account, once compromised, was used to send spam from overseas hosts. Since the company has no overseas users, they asked if it were possible to block outbound/relaying activity from all non-US IP addresses, even from authenticated accounts, while still allowing inbound SMTP from non-US IPs. And, of course, they would like to retain sending from US IPs from authenticated accounts. I am pretty familiar with Postfix, but this combination has me scratching my head. Is it doable?

well, there is no reliable list of "this is here" IPs. you can try http://countries.nerd.dk/more.html
you can also try GeoIP. these will give you lists of IPs that you could add to your firewall rules. however, both are best-effort things.

and really, you should only look at this once you have analyzed the situation for more neutral approaches, such as: mail submission should require authentication. this does not solve all problems, but if your authentication is compromised, then you have other problems...
Re: recipient bcc - SOLVED
On 04/10/2012 15:02, Jason Hirsh wrote:
> dovecot on the server
>> i also don't see these commands;
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> mailbox_command
>> local_recipient_maps
> I was not using those in postfix
>> take some time and read what they do. you should at least specify system root and postmaster and abuse.
> i handled that in virtual_mailbox
>> cat /etc/amavisd.conf | grep forward
> that did not show any active commands
>> your path may be different, depending on your OS. here is a sample typical linux location /etc/amavis/conf.d/
> what i meant was that all associated lines were commented out. as I understand it I am running amavisd set to default in this section
> virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
>> what do these say?
> virtual is empty
>> okay, take some time and read up on what virtual alias maps do for you. http://www.postfix.org/VIRTUAL_README.html basically it looks like your system is delivering into amavis back to postfix. but at that point it has no clue what to do. for debug purposes I would comment out the content filter and watch your postfix logs, typical location /var/log/mail.log.
>> #content_filter = smtp-amavis:[127.0.0.1]:10024
> OK, as it turns out I found one possible error. I did not define the type of database (no hash) in my declaration of virtual_mailbox_domains. since the domains worked i think that was not a major concern. speaks well of the strength of postfix. what I did find is that I was essentially disabling the re-addressing by having the following in main.cf:
> receive_override_options = no_address_mappings
> took that out and it works fine

but do enable that before the filter.
Re: recipient bcc
On 28/09/2012 02:29, Jason Hirsh wrote:
> I am trying to have email coming into postfix be delivered to two mail accounts. From what I understand the subject command can do that. here is my postconf -n
> [snip]
> receive_override_options = no_address_mappings

did you remember to disable this after the filter in master.cf? http://www.postfix.org/FILTER_README.html#advanced_filter

> [snip]
Re: Apply policy service for inbound mail only.
On 20/09/2012 05:05, Brock Henry wrote:
> I still can't quite get my head around it. I am fairly new to Postfix. If a user connects via SASL, they get permitted too early, and miss out on the check_policy_service.
> smtpd_recipient_restrictions = ... permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/checkfull, ...
> I can't work out the combination of rules that will give me what I want. What I want:
> 1) non sasl, incoming mail permitted, and seen by checkfull.
> 2) non sasl, outgoing mail (from inside) permitted, not seen by checkfull.
> 3) non sasl, outgoing mail (from outside) rejected (not be an open relay, obviously)
> 4) sasl, outgoing permitted, not seen by checkfull
> 5) sasl, incoming permitted, seen by checkfull
> Restriction classes may do what I want, but I'm not sure. I will investigate that option.

it is easier to rephrase your needs. if I understand, you want to implement this:
1- you allow the usual stuff (from mynetworks, from sasl, to your domains); and
2- for mail to your domains, you check policy except if it's from mynetworks

then implement the first under smtpd_recipient_restrictions as usual and the second using restriction classes. for safety, use another smtpd_mumble_restrictions for this (an error could make you an open relay). I am assuming smtpd_delay_reject=yes.

smtpd_restriction_classes = ... policy_checkfull
smtpd_sender_restrictions =
    permit_mynetworks
    check_recipient_access hash:/etc/postfix/mydomains_checkfull
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ...
policy_checkfull = check_policy_service unix:private/checkfull

=== cat mydomains_checkfull.hash:
joe@mydomain1.example   DUNNO
mydomain1.example       policy_checkfull
.mydomain1.example      policy_checkfull
mydomain2.example       policy_checkfull
.mydomain2.example      policy_checkfull
mydomain3.example       policy_checkfull
.mydomain3.example      policy_checkfull

Note 1. if you don't mind the call to checkfull, then better let it manage the complexity. See Joel's post.
Note 2. I voluntarily ignored the goal of your policy service. quota checking is not a simple problem (multi-recipient mail, multiple mails coming at the same time, ...).

> Thanks, Brock
> PS: Thanks for the tip about _data_ treatment of recipients.
Re: Error: reject_sender_login_mismatch
On 20/09/2012 05:41, Leon wrote:
> Hi, I have a server running postfix-mysql+dovecot+postfixadmin. in main.cf:
> smtpd_sender_login_maps = mysql:/etc/postfix/mysql_mailbox_maps.cf, mysql:/etc/postfix/mysql_alias_maps.cf
> smtpd_sender_restrictions = reject_non_fqdn_sender, reject_sender_login_mismatch
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox_maps.cf
>   user = mail
>   password = password
>   hosts = 127.0.0.1
>   dbname = mail
>   query = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username = '%s' AND active = 1
> virtual_alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
>   user = mail
>   password = password
>   hosts = 127.0.0.1
>   dbname = mail
>   query = SELECT goto FROM alias WHERE address = '%s' AND active = 1
> When sending a mail, I get an error message: An error occurred while sending mail. The mail server responded: 4.3.0 l...@kingdest.com: Temporary lookup failure. Please check the message recipient postfix-users@postfix.org and try again.
> On google, much of the advice is to create another sender map, but it is so difficult and not automatic when creating a new user in postfixadmin to do that with thousands of mail users. I think there must be a better way to set smtpd_sender_login_maps = mysql:***.

what do you mean? what exactly do you want to implement? if the login must match the full email address for whatever domain, then SELECT %s could do. (but then do not create logins without the domain part). note that the above can be implemented with pcre/regex:
/(.*)/ $1

if you want to do some logic/transformations, then find out the sql statement that implements what you need. start from something like

SELECT username FROM mailbox WHERE username = '%s' AND active = 1

then adjust as needed.
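To make the reject_sender_login_mismatch check concrete, here is an added Python example (it is not from the post and not Postfix code). It builds an in-memory sqlite3 copy of postfixadmin-style mailbox and alias tables with constructed rows (the domain kingdest.com is the one in the post; the users are invented), answers the sender-login lookup with one query along the lines suggested above (the mailbox owner, plus the targets of an alias with that address), and then applies the rule the way postconf(5) describes it. It only models the full-address lookup; Postfix also tries other address forms, and the UNION query is an assumption about what "adjust as needed" might end up as.

```python
import sqlite3
from typing import List, Optional


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the postfixadmin mailbox and alias tables used
    in the post. Logins are full addresses (username = user@domain), as postfixadmin does."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailbox (username TEXT PRIMARY KEY, domain TEXT, maildir TEXT, active INTEGER);
        CREATE TABLE alias   (address TEXT PRIMARY KEY, goto TEXT, active INTEGER);
        INSERT INTO mailbox VALUES ('leon@kingdest.com',  'kingdest.com', 'leon/',  1);
        INSERT INTO mailbox VALUES ('alice@kingdest.com', 'kingdest.com', 'alice/', 1);
        INSERT INTO mailbox VALUES ('old@kingdest.com',   'kingdest.com', 'old/',   0);
        -- sales@ is an alias delivered to leon and alice, so both may send as sales@
        INSERT INTO alias VALUES ('sales@kingdest.com', 'leon@kingdest.com,alice@kingdest.com', 1);
    """)
    return db


# One query for smtpd_sender_login_maps (hypothetical, not from the post): the mailbox owner
# of the sender address, plus the targets of an alias with that address. Postfix accepts a
# comma-separated list of logins as the lookup result, which is what alias.goto already is.
SENDER_LOGIN_QUERY = """
    SELECT username FROM mailbox WHERE username = ? AND active = 1
    UNION
    SELECT goto FROM alias WHERE address = ? AND active = 1
"""

DB = build_db()


def sender_login_lookup(sender: str, db: sqlite3.Connection = DB) -> List[str]:
    """Return the SASL logins that own `sender`. Only the full-address lookup is modelled."""
    owners: List[str] = []
    for (value,) in db.execute(SENDER_LOGIN_QUERY, (sender, sender)):
        owners.extend(v.strip() for v in value.split(",") if v.strip())
    return owners


def reject_sender_login_mismatch(sender: str, sasl_login: Optional[str],
                                 db: sqlite3.Connection = DB) -> str:
    """The rule as postconf(5) describes it: an authenticated client must be one of the
    owners of the MAIL FROM address; an unauthenticated client may not use an address
    that has an owner at all. DUNNO means "no decision here, try the next restriction"."""
    owners = sender_login_lookup(sender, db)
    if sasl_login is None:
        return "REJECT" if owners else "DUNNO"
    return "DUNNO" if sasl_login in owners else "REJECT"
```

Two consequences worth noticing before copying this into a mysql: map: a deactivated mailbox (active = 0) stops owning its address, so an authenticated user can no longer send as it but an unauthenticated stranger can, and an address that is neither a mailbox nor an alias has no owner, so it is rejected for every logged-in user; add a domain-level rule if you want the second case handled differently.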
Re: virtual_alias_domains not working
On 17/09/2012 05:14, Neil Aggarwal wrote:
> Noel:
>> # main.cf
>> mydestination = localhost localhost.example.com
>> virtual_alias_domains = virtual.example.com
>>
>> # virtual_alias
>> # NOTE: best to use fully-qualified domain names here
>> us...@virtual.example.com us...@localhost.example.com
> OK, this is what I was missing.

look in the docs for the meaning of myorigin. in smtp, addresses have domains. postfix will fix incomplete addresses. if you say joe, postfix will make that joe@$myorigin. (this is configurable but you should keep it like that). and by the way, it is recommended that you define myhostname, mydomain and myorigin explicitly, instead of relying on default values. the old minimum surprise principle...

> Thank you for the clarification. I updated my files and everything seems to be working great now.
Re: block ip ranges before sasl
On 17/09/2012 23:26, l...@airstreamcomm.net wrote:
> On 9/17/12 4:15 PM, /dev/rob0 wrote:
>> On Mon, Sep 17, 2012 at 03:51:03PM -0500, l...@airstreamcomm.net wrote:
>>> We would like to block a couple of ranges of ips before a sasl login is able to happen. smtpd_recipient_restrictions looks like this:
>>> smtpd_recipient_restrictions = permit_mynetworks, check_client_access cidr:/etc/postfix/restricted
>> If the blocked IP address is in the cidr:/etc/postfix/restricted map with a reject result, it might do what you want.
>>> permit_sasl_authenticated, check_client_access mysql:/etc/postfix/authb4smtp.cf,
>> If it is returned by the mysql:/etc/postfix/authb4smtp.cf query, it will not do anything useful, because you already passed permit_sasl_authenticated.
>>> reject_unauth_destination
>>> Just want to confirm this configuration will reject connections before sasl is allowed.
>> I'm thinking you want to reject mail from a user which will be authenticated. But what you SAY here is reject *connections* before sasl is allowed. If you mean what I think you mean, see above. If you mean exactly what you say, see the other posts in the thread (I think I'd go for the firewall blocking, personally.)
>>> Also would it make more sense to put the check_client_access cidr:/etc/postfix/restricted in smtpd_client_restrictions instead?
>> Maybe. See http://www.postfix.org/SMTPD_ACCESS_README.html
> Thanks for the reply. Essentially we would like to be able to reject mail from ip ranges and log the rejected mail so we can tell where it was coming from, hence the idea to set a cidr range to reject in /etc/postfix/restricted. We disable authentication per username based on the query for auth in dovecot, so that is handled in the permit_sasl_authenticated phase. Just to clarify, if the IP is rejected in the check_client_access /etc/postfix/restricted, none of the following rules in smtpd_recipient_restrictions should apply to that message, correct?

yes. but as Wietse said, this doesn't prevent the user from trying to auth.

by default smtpd_{client,helo,sender,recipient}_restrictions are applied at RCPT (recipient) time. don't change this behaviour unless you know what you do.
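The ordering point in this thread, and the restriction-class layout in the "Apply policy service for inbound mail only" reply above, are both about how smtpd walks its restriction lists, so here is one added Python model that covers both (it is not Postfix code). It follows the documented semantics: within a list the first OK or REJECT decides and DUNNO falls through; an access-table result that names a restriction class evaluates that class in place; with smtpd_delay_reject=yes the client, helo, sender and recipient lists all run at RCPT TO, and an OK only ends the list it appears in, so a permit in smtpd_sender_restrictions cannot bypass reject_unauth_destination in the recipient list. The maps, networks (RFC 5737 ranges) and the policy service are constructed stand-ins, and the access-table lookup order is simplified to full address, domain, then parent domains with a leading dot.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

# Constructed stand-ins for the maps in the two threads above (RFC 5737 documentation ranges).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MY_DOMAINS = {"mydomain1.example", "mydomain2.example", "mydomain3.example"}
RESTRICTED = [(ipaddress.ip_network("198.51.100.0/24"), "REJECT")]  # cidr:/etc/postfix/restricted
AUTHB4SMTP = [(ipaddress.ip_network("203.0.113.0/24"), "REJECT")]   # what mysql:/etc/postfix/authb4smtp.cf would return
MYDOMAINS_CHECKFULL = {"joe@mydomain1.example": "DUNNO"}            # hash:/etc/postfix/mydomains_checkfull
for _d in MY_DOMAINS:
    MYDOMAINS_CHECKFULL[_d] = MYDOMAINS_CHECKFULL["." + _d] = "policy_checkfull"


class Session:
    """What smtpd knows about the client at RCPT TO time."""
    def __init__(self, client_ip: str, sasl_login, recipient: str):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.sasl_login = sasl_login
        self.recipient = recipient
        self.domain = recipient.rpartition("@")[2]
        self.policy_calls = 0   # how many times the policy service was consulted

    def is_local_domain(self) -> bool:
        return any(self.domain == d or self.domain.endswith("." + d) for d in MY_DOMAINS)


def checkfull(s: Session) -> str:
    """Stand-in policy service: 'full@' mailboxes are over quota, everything else passes."""
    s.policy_calls += 1
    return "REJECT" if s.recipient.startswith("full@") else "DUNNO"


def lookup_recipient(table: Dict[str, str], rcpt: str) -> str:
    """Simplified access(5) order: full address, domain, then parent domains with a leading dot."""
    if rcpt in table:
        return table[rcpt]
    domain = rcpt.rpartition("@")[2]
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return "DUNNO"


def lookup_client(table, ip) -> str:
    return next((res for net, res in table if ip in net), "DUNNO")


Restriction = Union[str, Tuple[str, object]]


def run_list(restrictions: List[Restriction], s: Session, classes: Dict[str, list]) -> str:
    """Walk one restriction list: the first OK/REJECT decides, DUNNO falls through, and an
    access-table result that names a restriction class evaluates that class in place."""
    for r in restrictions:
        if r == "permit_mynetworks":
            res = "OK" if any(s.client_ip in n for n in MYNETWORKS) else "DUNNO"
        elif r == "permit_sasl_authenticated":
            res = "OK" if s.sasl_login else "DUNNO"
        elif r == "reject_unauth_destination":
            res = "DUNNO" if s.is_local_domain() else "REJECT"
        elif isinstance(r, tuple) and r[0] == "check_client_access":
            res = lookup_client(r[1], s.client_ip)
        elif isinstance(r, tuple) and r[0] == "check_recipient_access":
            res = lookup_recipient(r[1], s.recipient)
        elif isinstance(r, tuple) and r[0] == "check_policy_service":
            res = r[1](s)
        else:
            raise ValueError(f"unknown restriction {r!r}")
        if res in classes:                     # e.g. "policy_checkfull" from the access table
            res = run_list(classes[res], s, classes)
        if res in ("OK", "REJECT"):
            return res
    return "DUNNO"                             # list exhausted without a decision


def rcpt_decision(lists: List[List[Restriction]], s: Session, classes=None) -> str:
    """smtpd_delay_reject=yes: every list runs at RCPT TO. An OK only ends the list it is
    in; later lists still run, so only a REJECT anywhere refuses the recipient."""
    for restrictions in lists:
        if run_list(restrictions, s, classes or {}) == "REJECT":
            return "REJECT"
    return "OK"


# Layout from the "Apply policy service for inbound mail only" reply.
CLASSES = {"policy_checkfull": [("check_policy_service", checkfull)]}
SENDER_RESTRICTIONS = ["permit_mynetworks", ("check_recipient_access", MYDOMAINS_CHECKFULL)]
RECIPIENT_RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]


def checkfull_layout(client_ip, sasl_login, recipient) -> Tuple[str, int]:
    s = Session(client_ip, sasl_login, recipient)
    return rcpt_decision([SENDER_RESTRICTIONS, RECIPIENT_RESTRICTIONS], s, CLASSES), s.policy_calls


# Layout from the "block ip ranges before sasl" thread: the second check_client_access is
# dead for authenticated clients because permit_sasl_authenticated precedes it.
BLOCK_LAYOUT = ["permit_mynetworks", ("check_client_access", RESTRICTED), "permit_sasl_authenticated",
                ("check_client_access", AUTHB4SMTP), "reject_unauth_destination"]


def block_layout(client_ip, sasl_login, recipient) -> str:
    return rcpt_decision([BLOCK_LAYOUT], Session(client_ip, sasl_login, recipient))
```

Running Brock's five cases through checkfull_layout gives exactly what he asked for (external mail to a local domain is the only thing that reaches the policy service, joe@ excepted; mynetworks and SASL clients relay out without it; strangers relaying out are rejected), and block_layout shows why the cidr table placed before permit_sasl_authenticated works while the mysql table placed after it never fires for an authenticated client.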
Re: virtual_alias_domains not working
On 16/09/2012 18:42, Neil Aggarwal wrote:
> Hello: I am trying to set up virtual domain hosting following the guide on this page: http://www.postfix.org/VIRTUAL_README.html According to that page, I list the domain in virtual_alias_domains and NOT in mydestination. I then listed all my user accounts in /etc/postfix/virtual and compiled that into a binary map file. When I start postfix, all email to the users on the domain gets rejected. I searched the internet and several people suggested moving the domain from virtual_alias_domains to mydestination. When I did that, everything seems to be working, but I get this warning: warning: do not list domain in BOTH mydestination and virtual_alias_domains. Any idea why virtual_alias_domains is not working?

it looks like you want http://www.postfix.org/VIRTUAL_README.html#virtual_mailbox but you tried http://www.postfix.org/VIRTUAL_README.html#virtual_alias

anyway, if you want help, you'll need to follow the directions in http://www.postfix.org/DEBUG_README.html#mail
in your particular case, we need to see
- output of 'postconf -n'
- logs showing a reject
- for these logs, entries from /etc/postfix/virtual for the rejected user.

maybe you're confusing this with virtual_mailbox_domains?
Re: BCP on throttling outbound mail
On 24/07/2012 08:37, Stan Hoeppner wrote:
> On 7/24/2012 12:44 AM, CSS wrote:
>> On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote:
>>> On 7/23/2012 4:16 PM, CSS wrote:
>>>> I'd like to take some measures to limit what an authenticated sender can do but not limit legitimate use.
>>> See: http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
>>> You would apply this to your submission service, eg:
>>> 587 inet n - n - - smtpd
>>>   -o smtpd_enforce_tls=yes
>>>   -o smtpd_sasl_auth_enable=yes
>>>   -o smtpd_client_connection_rate_limit=1
>>> This limits spammers and legit users to 1 msg/min, 60 msgs per hour. Postfix is not psychic. This may be a problem for roaming users who send batches of mails when they get a connection--10 msgs takes 10 minutes. Thus, as with anything, some analysis and [re]tuning will be required. If you trust some users to never have their acct compromised, you can always create multiple submission services on different ports and have different limits for different sets of users, or even no limits for some. Not a perfect solution, but better than what you have now.
>> If I can cobble this thing together, the quota module offers things like messages per day or per hour, which is a fairly reasonable way to restrict customers.
> Apparently you didn't read the docs I provided. http://www.postfix.org/postconf.5.html#anvil_rate_time_unit

anvil is not an anti-spam solution. it's a measure against clients gone crazy. fighting outbound spam is a serious challenge.

> [skip]
> You'd think human beings would be smart enough to follow directions and use strong passwords, AV software, etc, and not fall for phishing scams. Your adversary in this war isn't the spammers, it's not the technology, but your users.

oh come on! the "users" excuse is way too old. if your software accepts weak passwords, then the problem is with the software, not the user. AV? oh no, I don't want any on my unix boxen. phishing? well, it's far from being a simple thing. when OS, PKI and browser vendors ignore their business for the happiness of the universe, things might get better, in an Alice in Wonderland world. do you really believe it?

> You should not be expending any more time/effort on the tech piece of the solution beyond finding the most basic rate limiting tool and enabling it to prevent spewage, right now. This is the smallest battle in this war. The big battles are user education (AV software on their machines, safe surfing habits, anti-phish education, etc), and wholesale forcing all users to change to *enforced* strong passwords.

I disagree. those who put the responsibility for their failure on others (call them users or whatever) should get another job.

> The user related stuff wins this war. The tech portion merely decreases the amount of damage per clueless user battle.
Re: Minimal permissions on /etc/postfix
On 24/07/2012 18:09, Michael Orlitzky wrote:
> We store our virtual_foo_maps in /etc/postfix/maps/virtual_foo_maps.pgsql and so the (read-only) database credentials are visible in that file. I'd like to tighten this up if possible, but I don't want to do anything stupid. If I'm not going about this all wrong, what can I do to prevent e.g. SSH users from reading the DB credentials? Ideally, I'd also like to prevent them from reading the rest of the maps, which contain lists of addresses, clients, etc.

map_directory = /var/db/postmap
cidr = cidr:${map_directory}/cidr
db = ${db_type}:${map_directory}/${db_type}
regex = ${regex_type}:${map_directory}/${regex_type}
sql = ${sql_type}:${map_directory}/${sql_type}
...

ls -l /var/db/
...
drwxr-x---  9 root  postfix  512 Feb 10  2011 postmap/
...

note that I prefer /somedir/pgsql/foo_map over /somedir/foo_map.pgsql. this is because I can do
db_type=mysql
foo_map=${db_type}:/somedir/${db_type}/foo_map
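As an added practitioner's check (not from the post), here is a Python audit for a map directory laid out the way the reply describes: the directory itself must not be world-accessible, no map inside it may be world-readable, and files carrying SQL credentials (a "password =" line) are called out separately. Group access is expected (root:postfix, as in the ls output above) and is not flagged; chown needs root and is left to the administrator. The demo() function builds a constructed sample tree in a temporary directory, runs the audit, applies the 0750/0640 modes and audits again. The file names and contents are invented.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Postfix sql/ldap client files carry the DB credentials in plain text, e.g. "password = ...".
CREDENTIAL_RE = re.compile(r"^\s*(password|bind_pw)\s*=", re.I | re.M)


def audit_map_dir(directory: str) -> List[Tuple[str, str]]:
    """List (path, problem) for a Postfix map directory laid out like the reply's
    /var/db/postmap: the directory must not be world-accessible and nothing inside it
    may be world-readable, least of all a file with credentials. Group access is the
    intended way for the postfix daemons to read the maps and is not flagged."""
    findings = []
    if os.stat(directory).st_mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append((directory, "directory is world-accessible"))
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            mode = os.stat(path).st_mode
            with open(path, encoding="utf-8", errors="replace") as fh:
                secret = CREDENTIAL_RE.search(fh.read()) is not None
            if mode & stat.S_IROTH:
                findings.append((path, "world-readable credential file" if secret else "world-readable map"))
    return sorted(findings)


def harden_map_dir(directory: str) -> int:
    """Apply the reply's layout: directories 0750, files 0640. Ownership (root:postfix)
    is assumed to be set separately since chown needs root. Returns the number of files
    whose mode was changed."""
    changed = 0
    os.chmod(directory, 0o750)
    for root, dirs, files in os.walk(directory):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o750)
        for name in files:
            path = os.path.join(root, name)
            if stat.S_IMODE(os.stat(path).st_mode) != 0o640:
                os.chmod(path, 0o640)
                changed += 1
    return changed


def demo() -> Dict[str, object]:
    """Build a constructed sample tree, audit it, harden it, audit again."""
    base = tempfile.mkdtemp(prefix="postmap-")
    os.makedirs(os.path.join(base, "pgsql"))
    samples = {   # constructed: (content, mode) per file, relative to base
        "pgsql/virtual_alias_maps": ("hosts = 127.0.0.1\nuser = postfix\npassword = s3cret\n", 0o644),
        "cidr": ("192.0.2.0/24 REJECT\n", 0o644),
        "regex": ("/^.*@example\\.com$/ OK\n", 0o640),
    }
    os.chmod(base, 0o755)
    for rel, (content, mode) in samples.items():
        path = os.path.join(base, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    before = audit_map_dir(base)
    changed = harden_map_dir(base)
    after = audit_map_dir(base)
    return {
        "base": base,
        "before": [(os.path.relpath(p, base), why) for p, why in before],
        "changed": changed,
        "after": after,
    }
```

On a real server point audit_map_dir at the directory named in map_directory; a clean run returns an empty list. The credential regex only covers the Postfix sql/ldap client-file syntax, so an LDAP map using a different key name would need it extended.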
Re: how to relay mails from outbound instance ?
On 21/07/2012 14:32, Naval saini wrote:
> I have changed it to smtp_bind_address = y.y.y.y. now i want to know how i can check it by sending a mail, or should i configure a null client also?

postfix comes with a sendmail command.

$ sendmail -f sender@yoursystem recipient@someotherplace
Subject: test

test
.

then check the headers of the received message.

PS. please:
- do not top post. put your reply after the text you reply to. Google for "top posting" to see why etc.
- keep the discussion on the list. this will give you more chances to get an answer from the so many members.

> On Sat, Jul 21, 2012 at 3:56 PM, mouss mo...@ml.netoyen.net wrote:
>> On 20/07/2012 14:52, Naval saini wrote:
>>> I have created a postfix-out1 instance on a centos 6.3 server which has 3 different IP addresses and 3 different hostnames. now both the default postfix and the postfix-out1 instance are running. Hostname=r09.example.com has IP=x.x.x.x and i want the postfix-out1 instance to send all mails from Hostname=r09a.example.com which has IP=y.y.y.y. my server currently shows hostname=r09.example.com with IP=x.x.x.x
>>> In /etc/postfix-out1/main.cf
>>> hostname=r09a.example.com
>>> domainname=example.com
>>> inet_interfaces = y.y.y.y
>>> relay_domains = example.com
>>> multi_instance_group = mta
>>> multi_instance_name = postfix-out1
>>> multi_instance_enable = no
>>> master_service_disable =
>>> authorized_submit_users = root
>>> smtpd_authorized_xforward_hosts = $mynetworks
>>> smtpd_client_connection_count_limit = 0
>>> smtpd_client_event_limit_exceptions = $mynetworks
>>> smtp_bind_address = 0.0.0.0
>>> local_header_rewrite_clients =
>>> alias_maps =
>>> alias_database =
>>> local_recipient_maps =
>>> local_transport = error:5.1.1 Mailbox unavailable
>>> recipient_delimiter = +
>>> smtpd_recipient_restrictions = permit_mynetworks
>>> smtpd_timeout = 1200s
>>> smtpd_client_port_logging = no
>>> /etc/postfix-out1/master.cf
>>> 127.0.0.1:10026 inet n - n - - smtpd
>>> Now please tell me what configuration i have to make to send mails from r09a.example.com with IP=y.y.y.y ?
>> remove smtp_bind_address. or set it to y.y.y.y. if it is set to 0.0.0.0, then it is your kernel which selects the source IP (based on the destination IP).
Re: prevent archiving SPAM mails
On 19/07/2012 10:23, Nalinda Herath wrote:
> In my current setup, the server will not discard any mail even though it is tagged as SPAM. all the spam mails are routed to the junk folders of each user. According to our policy, we cannot discard any mail, and users are allowed to check whether any mail has been accidentally tagged as SPAM. We simply BCC the emails which are received by the server by setting always_bcc = email address

how do you deliver the archived mail? if it's via an LDA such as dovecot or maildrop or procmail, you can create a rule to discard mail which has a header that says it's spam (X-Spam-Flag: YES). if you want that in postfix, then you need to do some work.

[multiple instances of postfix]
if you accept to run multiple instances (run postfix multiple times, with different configurations etc), then make use of a specific domain for the archive (for example: archive.example.com), then use transport maps to direct such mail to its own instance. and in this instance, use header_checks to discard mail tagged as spam.

[in a single instance]
with a single instance, you can't use routing (transport_maps) because transport_maps is global to an instance, and you don't want to create a loop. but you can create a dedicated smtpd listener. here is an example:

1- use a different domain for mail archiving. but instead of always_bcc, I'll recommend using recipient_bcc_maps:
recipient_bcc_maps = pcre:/etc/postfix/recipient_bcc.pcre
then in recipient_bcc.pcre, something like
/(.*)@example\.com$/ bcc+$1...@archive.example.com
add an expression for any domain you want to archive mail for. side benefit: you have the original recipient in the bcc address! (this assumes you have recipient_delimiter = +).

2- In your after-the-filter smtpd (assuming you are using a filter such as amavisd-new), add a check_recipient_access to pass such mail to a specific smtpd (that you need to add):
...
check_recipient_access hash:/etc/postfix/filter_bcc.hash
...
and in filter_bcc.hash:
archive.example.com     FILTER filter:[127.0.0.1]:10624
.archive.example.com    FILTER filter:[127.0.0.1]:10624
(here, I assume you start an smtpd on 10624 for such mail, and I assume you defined a filter named "filter". this may be the same one you use to pass your mail to your standard filter).

3- for the smtpd on 10624, create a cleanup service that uses header_checks to do
/^X\-Spam\-Flag: YES/ DISCARD

PS. instead of discarding such spam, better deliver it to a special account which is purged more often. this gives you a chance to re-archive a message if someone says it was a false positive... etc. (and it gives you the content if someone claims it is a false positive but you don't agree. of course, reading other people's mail requires their consent and/or support by your local policy. but you almost always can run a script to parse the Received headers and show that the message passed via bad networks, without ever touching the body...). debating this is however off-topic here. I only wanted you to know that this is a possibility...

> I need some workaround to prevent archiving mails tagged as spam by Spamassassin.
> Regards, Nalinda
>
> On Wed, Jul 18, 2012 at 10:22 PM, Noel Jones njo...@megan.vbhcs.org wrote:
>> On 7/18/2012 11:22 AM, Nalinda Herath wrote:
>>> Hi all, Recently I have integrated spamassassin into my existing postfix system. But now I need to tune my archiving settings in postfix to prevent archiving mails tagged as spam. It will be really helpful if someone can help me on this. Thanks.
>>> Regards, Nalinda
>> General procedure -- apply anti-spam and anti-virus before the archiving procedure. One way to do this is to run spamassassin in a pre-queue smtpd_proxy_filter or milter so only clean mail enters postfix. Or with a traditional postfix after-queue content_filter, do your archiving in the after-filter postfix instance.
>> If you need a more specific answer, you'll need to share full details of your postfix setup, your archiving procedure, and how you've integrated spamassassin. http://www.postfix.org/DEBUG_README.html#mail
>> -- Noel Jones
Re: RV: problems again
On 19/07/2012 12:36, Tomas Garijo (Click) wrote:
> Hi to all, thank you Tom. I know where the problem is. I have Colt Telecom as Internet provider; since two weeks ago, we have packet loss with any site in Italy. Colt does not know why it occurs but they know where the problem is; they opened a ticket with Internet Italy, but they have no response from them. My DNS is inside the range of addresses that is blocked and the smtp cannot consult my DNS and rejects my mail, but only the smtp servers that do this check. I have configured my DNS outside my company.

as Viktor said, you still have a DNS issue. see
http://www.intodns.com/e-surland.com
http://www.dnssy.com/report.php?q=e-surland.com
etc.
Re: how to relay mails from outbound instance ?
On 20/07/2012 14:52, Naval saini wrote:
> I have created a postfix-out1 instance on a centos 6.3 server which has 3 different IP addresses and 3 different hostnames. now both the default postfix and the postfix-out1 instance are running. Hostname=r09.example.com has IP=x.x.x.x and i want the postfix-out1 instance to send all mails from Hostname=r09a.example.com which has IP=y.y.y.y. my server currently shows hostname=r09.example.com with IP=x.x.x.x
> In /etc/postfix-out1/main.cf
> hostname=r09a.example.com
> domainname=example.com
> inet_interfaces = y.y.y.y
> relay_domains = example.com
> multi_instance_group = mta
> multi_instance_name = postfix-out1
> multi_instance_enable = no
> master_service_disable =
> authorized_submit_users = root
> smtpd_authorized_xforward_hosts = $mynetworks
> smtpd_client_connection_count_limit = 0
> smtpd_client_event_limit_exceptions = $mynetworks
> smtp_bind_address = 0.0.0.0
> local_header_rewrite_clients =
> alias_maps =
> alias_database =
> local_recipient_maps =
> local_transport = error:5.1.1 Mailbox unavailable
> recipient_delimiter = +
> smtpd_recipient_restrictions = permit_mynetworks
> smtpd_timeout = 1200s
> smtpd_client_port_logging = no
> /etc/postfix-out1/master.cf
> 127.0.0.1:10026 inet n - n - - smtpd
> Now please tell me what configuration i have to make to send mails from r09a.example.com with IP=y.y.y.y ?

remove smtp_bind_address. or set it to y.y.y.y. if it is set to 0.0.0.0, then it is your kernel which selects the source IP (based on the destination IP).
Re: postfix/virtual can't deliver to virtual mailbox
On 04/06/2012 11:48, Alvin Wong wrote:
> Thanks, it's really the SELinux problem. The labels of some files in `/var/spool/postfix/pid` have the wrong label set. Running `/sbin/restorecon -rv /var/spool/postfix/pid/*` fixed the problem. So my problem is now solved. But I have no idea why the labels changed by themselves, though. Will it be possible that after I enabled virtual mailboxes I re-started postfix manually, so the files were created with the wrong label? I see that if I start postfix manually, the process isn't running in the expected SELinux context. Will this possibly be a bug?

No. that's expected behaviour. anyway, this is not a postfix related question.
Re: newsreader and subscription
On 28/05/2012 09:53, Georg Schönweger wrote:
> Hi, i'm using a newsreader to read this list (via news.gname.org). But afaik i have to be subscribed to write to this list. And if i'm subscribed i will receive every post via email too, so i receive it twice. Is there a way to be subscribed without receiving posts to my mail address?

no. almost all mailing lists work this way (posters = members = recipients). believe it or not, many of us have considered this problem, but it's not a simple one (open lists such as debian lists currently get more abuse...). I personally worked on a much much simpler problem: N persons in a company are subscribed to a single list: the company gets N copies of the same messages. would there be a way to get only one copy, yet allow each person to post individually? my answer so far is: live with that (not even pruning N-1 messages, because it's harder than it looks...). keep it simple...

to fix your problem, get yourself an address that you don't consult, such as gschoewgere.posto...@gmail.com. it's sub-optimal, but it's so simple.
Re: newsreader and subscription
On 30/05/2012 00:06, Simon Brereton wrote:
> On May 29, 2012 6:03 PM, mouss mo...@ml.netoyen.net wrote:
>> On 28/05/2012 09:53, Georg Schönweger wrote:
>>> Hi, i'm using a newsreader to read this list (via news.gname.org). But afaik i have to be subscribed to write to this list. And if i'm subscribed i will receive every post via email too, so i receive it twice. Is there a way to be subscribed without receiving posts to my mail address?
>> no. almost all mailing lists work this way (posters = members = recipients). believe it or not, many of us have considered this problem, but it's not a simple one (open lists such as debian lists currently get more abuse...). I personally worked on a much much simpler problem: N persons in a company are subscribed to a single list: the company gets N copies of the same messages. would there be a way to get only one copy, yet allow each person to post individually? my answer so far is: live with that (not even pruning N-1 messages, because it's harder than it looks...). keep it simple...
>> to fix your problem, get yourself an address that you don't consult, such as gschoewgere.posto...@gmail.com. it's sub-optimal, but it's so simple.
> By default gmail doesn't show you your own post. Some mailing software doesn't either..

looks like you misread the OP (I did at first). the issue isn't with one's own messages being resent. he gets the message both on his email address via the list re-post and on his news reader. (and gmail behaviour is subject to debate, some like it, some don't. but this is not the right list for such debates).
Re: how to act with abuse to yahoo.com
On 23/05/2012 20:13, Reindl Harald wrote:
> WTF? they are violating RFCs and their website is nonsense

spam-l is probably a better place for this.

>> Every major email provider has a system for reporting spam or junk mail, and information about spammers is shared across providers. As a result, if a Gmail user marks a message from a Yahoo! user as spam in a Gmail account, the report will be sent to us, and we can take appropriate action when necessary according to our Terms of Service.
> aha - and what should i do as MY OWN provider?
>
> Original message
> Subject: Re: ABUSE: Spam from ptr...@yahoo.com
> Date: Wed, 23 May 2012 10:48:16 -0700 (PDT)
> From: no-re...@cc.yahoo-inc.com
> To: h.rei...@thelounge.net
>
> This is an automated response; please do not reply to this email as replies will not be answered. To report spam, security, or abuse-related issues involving Yahoo!'s services, please go to http://abuse.yahoo.com. Thank you, Yahoo! Customer Care
>
> Original message
> Subject: ABUSE: Spam from ptr...@yahoo.com
> Date: Wed, 23 May 2012 19:47:34 +0200
> From: Reindl Harald h.rei...@thelounge.net
> Organisation: the lounge interactive design
> To: ptr...@yahoo.com, ab...@yahoo.com
> CC: ffmpeg-u...@ffmpeg.org
>
> good day. would you PLEASE kill the address ptr...@yahoo.com. this guy has been sending SPAM multiple times to several technical mailing lists over the last days. i contacted this idiot yesterday off-list telling him he should stop this, but he is not interested.
>
> __
> From: Peter Tap ptr...@yahoo.com
> To: ffmpeg-u...@ffmpeg.org, fm-discuss-ow...@opensolaris.org, gba...@videolan.org, develo...@lists.illumos.org, j...@videolan.org, robert.mor...@thestreet.com, pavel.bu...@oracle.com
> Received: from [41.131.254.170] by web125401.mail.ne1.yahoo.com via HTTP; Wed, 23 May 2012 10:36:27 PDT
> X-Mailer: YahooMailWebService/0.8.118.349524
> Message-ID: 1337794587.24719.yahoomail...@web125401.mail.ne1.yahoo.com
> Date: Wed, 23 May 2012 10:36:27 -0700 (PDT)
> From: Peter Tap ptr...@yahoo.com
> __
> From: Peter Tap ptr...@yahoo.com
> To: productsupp...@gfi.com, ptr...@yahoo.com, rafa...@rafaelc.net, us...@jersey.java.net, vlc-de...@videolan.org, x264-de...@videolan.org
> Received: from albiero.videolan.org ([127.0.0.1]) by localhost (albiero.videolan.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THpZ-gqdJ1ym; Wed, 23 May 2012 19:36:33 +0200 (CEST)
> Received: from albiero.videolan.org (localhost [127.0.0.1]) by albiero.videolan.org (Postfix) with ESMTP id 9624F14ABB1; Wed, 23 May 2012 19:36:33 +0200 (CEST)
> X-Original-To: x264-de...@videolan.org
> Delivered-To: x264-de...@albiero.videolan.org
> Received: from localhost (localhost [127.0.0.1]) by albiero.videolan.org (Postfix) with ESMTP id DE7A8146E38 for x264-de...@videolan.org; Wed, 23 May 2012 19:36:31 +0200 (CEST)
> Received: from albiero.videolan.org ([127.0.0.1]) by localhost (albiero.videolan.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jDAINL4vpZl1 for x264-de...@videolan.org; Wed, 23 May 2012 19:36:31 +0200 (CEST)
> Received: from nm13.bullet.mail.ne1.yahoo.com (nm13.bullet.mail.ne1.yahoo.com [98.138.90.76]) by albiero.videolan.org (Postfix) with SMTP id 47D4114ABAA for x264-de...@videolan.org; Wed, 23 May 2012 19:36:31 +0200 (CEST)
> Received: from [98.138.90.54] by nm13.bullet.mail.ne1.yahoo.com with NNFMP; 23 May 2012 17:36:30 -0000
> Received: from [98.138.89.234] by tm7.bullet.mail.ne1.yahoo.com with NNFMP; 23 May 2012 17:36:30 -0000
> Received: from [127.0.0.1] by omp1049.mail.ne1.yahoo.com with NNFMP; 23 May 2012 17:36:30 -0000
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-Newman-Id: 312507.91749...@omp1049.mail.ne1.yahoo.com
> Received: (qmail 32386 invoked by uid 60001); 23 May 2012 17:36:30 -0000
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1337794590; bh=uh7O3LzCeu5ojluCkOtRF5qEGcwxOj1zNXVOC3/BLAk=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type; b=Z087mA5aXBBFBY/iURKrLgf+dsWhytn5CVio/9UocybawMZhlkEwevvUueKiDry1mHdGV5J7cIpm/Vc0Xm7QjbTUEat0TpDWdG0pT8jBcXr5UYBW2G6uzOe/r5+zWPrXpsg/zE1pCKKDTZ2h4mlUPBgmc4K1G61gQxH3P/I8z1s=
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type; b=fNxJtBEL3f3EF7CjJ5ZuhyyRn7MtWJEVh1tPA2sQfwWUgmu5FKm/tFqlHRLkg+GzfvOjkddge/Ak7daf7lFW0TiWgkZB9FCx0buCnUXyBnrZUU2FYdskE+852DjfCJRs0jdUsi0orst9eQCRgGWPsNbAgiZIkETROM8cSJ7VO2o=;
> X-YMail-OSG: fPRYIVIVM1mr5u6zkj.a7vrqZCwaLSbiLhdjwIDyC719b8L KKtx3YyRWoIMw.83qwQyZoNYIJrq5EHCvBZcftvNFqpw7a5.AZQsy4mTPAhi nPtvBpIqcQ1H2NWsKMFAUkBUQWzco4My17rKAz__uqPxblG6lJYaiVqlkoWz xpn7hs1lp9zT_TovMgWFOCaLqNVDNwlBxgTUZYkH.Bf8EYpCy39GNbPUd3A7 bVTKWg8DFDHUb3fwPd2j1oBpylC458knaTjj5VMeDV1kMpiG2YSwEtIQZWCA
Re: Missing attachments - BAD HEADER SECTION, MIME error: error: part did not end with expected boundary
On 16/05/2012 15:35, Alex Dyas wrote:
Hello, Thanks for your reply. My initial theory was that the attachment was being stripped out of the message before it got to Amavis,

well, that's probable, but where was it stripped out? most probably at the client side, by Exchange or Zimbra or whatever... what I can say from the posted headers:
- no User-Agent header
- empty X-MS-TNEF-Correlator header
- X-Copyrighted-Material header

hence asking here on the Postfix list. I will ask on the Amavis list in that case. Cheers, Alex.

On 05/15/2012 08:21 PM, Jeroen Geilman wrote:
On 05/15/2012 06:11 PM, Alex Dyas wrote:
Hello,
Environment:
- Ubuntu 10.04.3 LTS
- Postfix 2.7.0-1ubuntu0.2
- Amavis 1:2.6.4-1ubuntu5
- SpamAssassin 3.3.1-1
- ClamAV 0.96.5+dfsg-1ubuntu1.10.04.3
Symptoms:
- A couple of emails per day come through the system with empty attachments. They have the following line in their header:
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with expected boundary

This is the postfix users mailing list; perhaps you should ask this on an amavisd-new related list.

- I have not been able to reproduce the problem myself
- Problematic mails re-sent often come through without problem, i.e. with the attachment
- The offending mails generate ClamAV quarantine files, but even these don't contain the attachments
- If I receive the same emails at a different account on an unrelated system I see the attachment perfectly well
- We see the same issue from a number of unrelated senders

Please see the welcome message you received when joining this list on how to receive help: http://www.postfix.org/DEBUG_README.html#mail

Sample header (anonymised):

We'd need to see the output of postconf -n, and a relevant section of the mail log, at minimum.
Re: mailbox_coomand
On 19/05/2012 04:01, john wrote:
I recently upgraded my server to Debian 6. One of the things that seems to have been changed in the Postfix-Dovecot setup is the configuration of the mailbox_command. In my old setup the command was
mailbox_command = /usr/lib/dovecot/dovecot-lda -f ${sender} *-d ${recipient}* -m ${extension}
in the new setup the command is
mailbox_command = /usr/lib/dovecot/dovecot-lda -f ${sender} *-d ${user}@${nexthop}* -m ${extension}
Similarly master.cf has also changed
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} *-d ${recipient}* -m ${extension}
new setup
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} *-d ${user}@${nexthop}* -m ${extension}
Which is better and why?

For precise info on the meaning and expansion of these variables, see http://www.postfix.org/pipe.8.html

it really depends on your LDA and on what you want to achieve, but in general, I'd say the order of preference is:
1- ${user}@${domain} (but this is only available for postfix >= 2.5)
2- ${user}@${nexthop}
3- ${recipient}

to see why, think about delivering an address with an extension: joe+extensi...@example.com (assuming recipient_delimiter = +). you generally want mail for this address to be delivered to the mailbox of j...@example.com (possibly in an extension1 folder). of course, if your LDA can parse addresses, then this handling may be delegated to the LDA. but since postfix functionality comes for free...
Re: Why is after-queue content filter executing before-queue?
On 19/05/2012 15:18, Chris wrote:
[snip]
Log:
May 15 18:30:25 s1 postfix/smtpd[19422]: connect from mail-pb0-f46.google.com[209.85.160.46]
May 15 18:30:25 s1 postfix/smtpd[19422]: NOQUEUE: filter: RCPT from mail-pb0-f46.google.com[209.85.160.46]: mail-pb0-f46.google.com[
Plus: postfix-users Postfix rejecting e-mail without providing reason... Wed Oct 31, 2007 http://tech.groups.yahoo.com/group/postfix-users/message/229132
Wietse Venema says NOQUEUE means that either Postfix has not yet created a queue file, or that it is giving the mail to a before-queue content filter. When I came across this post I assumed (given what I saw in the log) that the second half of Wietse's and/or statement was what was happening. But if it's the first half then well I have created my own little storm in my own little teacup - sorry to involve you and others.

smtpd logs the FILTER rule match when it sees it (smtpd restrictions, header/body checks), and that's before mail is queued. you can see for yourself by stopping dspam. you will see that mail is queued.
[snip]
Re: Logging Rejection in Cleanup Daemon
On 17/05/2012 00:51, Masegaloeh wrote:
Hi, Postfix List
I would like to build a script which analyzes maillog and produces a report of every email delivery. My server currently acts as relay server between internal mail server and Internet. My final purpose: when I query a sender and/or recipient, I will know if the rejection occurs or not.
As far as I know, the rejection would be triggered in smtpd and cleanup. When analyzing rejection on smtpd, we have no problem because postfix will record sender and every recipient. But when header_checks and body_checks kick in via the cleanup daemon, the log just shows queue id, sender and *last recipient*. So if the message contains multiple recipients, I will not be able to track every rejected recipient.
To help understanding my problem, here is the demo

SMTP TRANSACTION:
# telnet mx 25
Trying 192.168.117.135...
Connected to mx.domain.org.
Escape character is '^]'.
220 ESMTP
MAIL FROM:<f...@server.domain.org>
250 2.1.0 Ok
RCPT TO:<us...@mx.domain.org>
250 2.1.5 Ok
RCPT TO:<us...@mx.domain.org>
250 2.1.5 Ok
RCPT TO:<us...@mx.domain.org>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
x-header: momomo
test data
.
550 5.7.1 GET OUT

MAILLOG in postfix server
May 16 17:30:14 mx postfix/smtpd[1308]: connect from server.domain.org[192.168.117.143]
May 16 17:30:40 mx postfix/smtpd[1308]: 30EBB38A: client=server.domain.org[192.168.117.143]
May 16 17:31:21 mx postfix/cleanup[1312]: 30EBB38A: reject: header x-header: momomo from server.domain.org[192.168.117.143]; from=<f...@server.domain.org> to=<us...@mx.domain.org> proto=SMTP: 5.7.1 GET OUT
May 16 17:34:59 mx postfix/smtpd[1308]: disconnect from server.domain.org[192.168.117.143]

So, I expected that postfix keeps logging that 3 recipients (user1, user2, user3) were rejected, not just user3. Can I achieve that? Or is there another way? Thanks a lot for your answer

you can add a WARN rule in smtpd restrictions to log the full info. you can then correlate all the stuff.
here is an example (assuming a recent postfix. otherwise, adjust to your version)

pcre = pcre:/etc/postfix/maps/pcre
smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    ...
    check_reverse_client_hostname_access ${pcre}/action_log.pcre

$ cat /etc/postfix/maps/pcre/action_log.pcre
/(.*)/ WARN Transaction logged: PTR=$1

then you would see logs like:
... postfix/smtpd[65432]: NOQUEUE: warn: RCPT from unknown[192.0.2.25]:59012: Transaction logged: PTR=host.example.com; from=<j...@example.com> to=<j...@example.net> proto=ESMTP helo=<host.example.com>

(the reason I use check_reverse_client_hostname_access is in case the hostname is unknown but the IP has a PTR, as in this made-up example).

then your parser should check the pid (65432 in the example) and the client IP (192.0.2.25 in the example). then get the queue id from the log line that contains
... postfix/smtpd[65432]: 30EBB38A: client=unknown[192.0.2.25]
this gives you the queue id (30EBB38A in this example).

PS. if your postfix is recent, consider using enable_long_queue_ids = yes
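As an added example (not code from the thread), here is a parser in Python that does the correlation described in the reply: it parks the recipients seen on NOQUEUE warn lines under (smtpd pid, client), binds them to the queue ID when the same smtpd process logs its "client=" line, and attaches the cleanup reject so that every recipient of a rejected message is reported rather than only the last one. The log lines it runs on are constructed here to follow the shapes shown above; the assumption that Postfix logs the queue ID instead of NOQUEUE once the queue file exists is mine, so the parser accepts either prefix on a warn line.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original thread). Hosts, addresses
# and times are made up; the line shapes follow the WARN rule and the
# cleanup reject described above.
SAMPLE_LOG = """\
May 16 17:30:14 mx postfix/smtpd[1308]: connect from server.domain.org[192.168.117.143]
May 16 17:30:20 mx postfix/smtpd[1308]: NOQUEUE: warn: RCPT from server.domain.org[192.168.117.143]:51234: Transaction logged: PTR=server.domain.org; from=<foo@server.domain.org> to=<user1@mx.domain.org> proto=SMTP helo=<server>
May 16 17:30:40 mx postfix/smtpd[1308]: 30EBB38A: client=server.domain.org[192.168.117.143]
May 16 17:30:45 mx postfix/smtpd[1308]: 30EBB38A: warn: RCPT from server.domain.org[192.168.117.143]:51234: Transaction logged: PTR=server.domain.org; from=<foo@server.domain.org> to=<user2@mx.domain.org> proto=SMTP helo=<server>
May 16 17:30:50 mx postfix/smtpd[1308]: 30EBB38A: warn: RCPT from server.domain.org[192.168.117.143]:51234: Transaction logged: PTR=server.domain.org; from=<foo@server.domain.org> to=<user3@mx.domain.org> proto=SMTP helo=<server>
May 16 17:31:21 mx postfix/cleanup[1312]: 30EBB38A: reject: header x-header: momomo from server.domain.org[192.168.117.143]; from=<foo@server.domain.org> to=<user3@mx.domain.org> proto=SMTP: 5.7.1 GET OUT
May 16 17:34:59 mx postfix/smtpd[1308]: disconnect from server.domain.org[192.168.117.143]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# client = "host[ip]" with an optional ":port" suffix (smtpd_client_port_logging)
WARN_RE = re.compile(
    r"^(?P<qid>\w+): warn: RCPT from (?P<client>\S+?\])(?::\d+)?: .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
CLIENT_RE = re.compile(r"^(?P<qid>\w+): client=(?P<client>[^,\s]+)")
DISCONNECT_RE = re.compile(r"^disconnect from (?P<client>\S+)")
CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>\w+): reject: (?P<reason>.*?); "
    r"from=<[^>]*> to=<[^>]*> proto=\S+: (?P<status>.*)$"
)


def correlate(log_text):
    """Map each queue ID to its sender, all recipients, and any cleanup reject.

    Recipients logged before a queue file exists (NOQUEUE) are parked under
    (smtpd pid, client) until that smtpd process logs the "client=" line
    that first shows the queue ID.
    """
    pending = defaultdict(list)   # (pid, client) -> [(sender, rcpt), ...]
    messages = {}                 # queue id -> record

    def record(qid):
        return messages.setdefault(
            qid, {"client": None, "sender": None, "recipients": [], "reject": None})

    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            pid, rest = m.group("pid"), m.group("rest")
            w = WARN_RE.match(rest)
            if w:
                if w.group("qid") == "NOQUEUE":
                    pending[(pid, w.group("client"))].append((w.group("sender"), w.group("rcpt")))
                else:  # queue file already open: the line carries the queue ID
                    rec = record(w.group("qid"))
                    rec["sender"] = w.group("sender")
                    rec["recipients"].append(w.group("rcpt"))
                continue
            c = CLIENT_RE.match(rest)
            if c:
                rec = record(c.group("qid"))
                rec["client"] = c.group("client")
                for sender, rcpt in pending.pop((pid, c.group("client")), []):
                    rec["sender"] = sender
                    rec["recipients"].append(rcpt)
                continue
            d = DISCONNECT_RE.match(rest)
            if d:
                # session ended without a queue file: every RCPT was rejected
                # by smtpd itself and is already logged individually
                pending.pop((pid, d.group("client")), None)
            continue
        r = CLEANUP_RE.search(line)
        if r:
            record(r.group("qid"))["reject"] = (r.group("reason"), r.group("status"))
    return messages


def rejected_recipients(log_text):
    """Queue IDs rejected by cleanup, each with its full recipient list."""
    return {qid: rec["recipients"]
            for qid, rec in correlate(log_text).items() if rec["reject"]}


if __name__ == "__main__":
    for qid, rcpts in rejected_recipients(SAMPLE_LOG).items():
        print(qid, "rejected for:", ", ".join(rcpts))
```

Keyed on (pid, client) rather than pid alone, the parser stays correct when one smtpd process serves several sessions in sequence; with enable_long_queue_ids the \w+ queue-ID pattern still matches.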
Re: mailbox_coomand
On 19/05/2012 16:50, john wrote:
[snip] Thanks for the pointer to the pipe document, I had Googled, but I got a mass of not very useful hits.

the official documentation of postfix can be found on http://www.postfix.org/documentation.html
for the man pages, click on All Postfix manual pages, which leads you to http://www.postfix.org/postfix-manuals.html
and for all postfix parameters, click on All main.cf parameters, which leads you to http://www.postfix.org/postconf.5.html

OK, so if I got this right, were I to continue using ${recipient} then I am passing joe+extens...@example.com to the LDA which may not be good. I assume that ${domain} is extracted from the recipient address and therefore might possibly be blank (null),

the domain is never empty. (unless you configure postfix not to append @myorigin, which is highly discouraged).

but in the case above should result in example.com. Therefore ${user}@${domain} could give me joe (assuming an address of just joe) or j...@example.com (assuming the example above). Whereas, it appears that ${nexthop} either equals ${domain} if the address is as above or ${mydomain}, again assuming the recipient address is just joe, right?

${nexthop} can be set by you in a transport entry.

If I am right, big if, then it would appear to be better to use ${domain} rather than ${nexthop}.

if using postfix 2.5 or higher (the variable didn't exist before).

However, rereading the Dovecot LDA docs I might be better using ${recipient} as it appears that Dovecot parses the arguments anyway.

well, the risk is if you change the extension delimiter in postfix but dovecot keeps using '+'. I prefer to handle the extension in postfix and pass it via -m to dovecot.

Oh well, back to the docs. Thanks for the help, but I think I am going to do a lot more reading! JohnA
Re: ..::Maildir question::..
On 18/05/2012 18:11, Alfonso Alejandro Reyes Jimenez wrote:
I'm sorry you are right, I totally forgot that information.

Please do not top post. google for top posting if this isn't clear. keep reading.

[snip]
mail_spool_directory = /var/spool/mail

according to this, mail should be delivered in /var/spool/mail/user, which is not what you seem to have. please post logs that show email being delivered. also, post your master.cf to see if it overrides your main.cf configuration. note that if you are delivering your mail using dovecot LDA, then you will need to configure dovecot lda, not postfix.

mailbox_size_limit = 524288000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = mydomain.com
message_size_limit = 5242880
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = mydomain.com
myhostname = mydomain.com
mynetworks = 127.0.0.0/8, 10.1.8.27/32, 10.1.8.23/32, 172.16.18.101/32
myorigin = ibossmonitor.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_host_lookup = native,dns
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname Microsoft ESMTP MAIL Service ready (decoy :) )
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = inet:127.0.0.1:12345
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = pcre:/etc/postfix/sender_login.pcre
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,check_client_access hash:/etc/postfix/client_access
smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Thanks.

On 5/18/12 10:35 AM, Ralf Hildebrandt wrote:
* Alfonso Alejandro Reyes Jimenez are...@ibossmonitor.com:
Hi Everyone. I have a question. We have a postfix server, it works great. All the users on that postfix are added without home directory, we need to change the mbox default to maildir in order to have dovecot working with IMAP. We just changed the home_mailbox = Mailbox command to home_mailbox = Maildir/. The problem is that postfix is trying to use the home directory of those users to store the mail directory. The question is: Is there some way to change the mail directory of every user to /var/spool/mail/user/ ?? If so how can we do that?

Sure, but since you forgot to post postconf -n output it's hard to know how you configured things!
Re: Simple content filter
On 18/05/2012 07:22, Stan Hoeppner wrote:
On 5/17/2012 11:44 PM, /dev/rob0 wrote:
[snip]
Note that you must disable restrictions on the reinjection from content_filter. You do NOT want to reject at that point, because it is risking backscatter.

Of course. But this is mostly a concern only when using SMTP for reinjection. I'm currently looking at using the sendmail command for reinjection.

but make sure you don't enable a global content filter. set a -o content_filter= under the pickup service.

So I should only possibly need to disable header_checks in the master.cf service definition, though after a quick look they won't pose a problem if left enabled (but for tiny CPU burn). I've historically been opposed to using content filters for various reasons, as some here may recall me stating, probably mostly on other lists. That said, I've recently been toying with the idea of taking SA for a test drive, using spamc/spamd and sendmail reinjection, the easy method so some state.

currently, the best option is to use amavisd-new. this will avoid forking a child for every message (amavisd-new embeds SA code, so it loads it once).

A little OT, but I'd like to ask, as I've not been able to find real information via Google. What's the memory consumption of a single spamd process using the default SA configuration? Maybe a better question is how much real RAM is SA eating on systems folks here have in production?

it indeed depends on the configuration. I've found that you can remove/disable many checks. but I never measured how much each config eats.
Re: ..::Maildir question::..
On 18/05/2012 19:25, Alfonso Alejandro Reyes Jimenez wrote:
Mouss. Here's the updated configuration, I didn't attach the correct one.

ah. so you have
home_mailbox = Maildir/
as http://www.postfix.org/postconf.5.html#home_mailbox says, Optional pathname of a mailbox file relative to a local(8) user's home directory. the user home directory must exist. but that's not what you want. it seems you want something like
mail_spool_directory = /var/spool/maildirs/
(with a trailing slash), but you must create users' directories in advance:
mkdir /var/spool/maildirs/joe
chown joe /var/spool/maildirs/joe
For more info, see
http://www.postfix.org/postconf.5.html#mail_spool_directory
http://www.postfix.org/local.8.html
alternatively, use dovecot LDA to deliver mail. in this case, you will only need to configure dovecot (and this will help reduce the opportunity of mismatch between postfix and dovecot configurations).
http://wiki2.dovecot.org/LDA/Postfix

[root@mail postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 524288000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = ibossmonitor.com
message_size_limit = 5242880
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = ibossmonitor.com
myhostname = ibossmonitor.com
mynetworks = 127.0.0.0/8, 10.1.8.27/32, 10.1.8.23/32, 172.16.18.101/32
myorigin = ibossmonitor.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_host_lookup = native,dns
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname Microsoft ESMTP MAIL Service ready
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = inet:127.0.0.1:12345
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = pcre:/etc/postfix/sender_login.pcre
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,check_client_access hash:/etc/postfix/client_access
smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

We are just using dovecot to get those emails, the delivery is made directly to postfix. That's why we would like to use maildir on postfix, to make the configuration on dovecot easier.

Here's the master.cf configuration:
[root@mail postfix]# cat master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: man 5 master).
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify
Re: Why is after-queue content filter executing before-queue?
On 18/05/2012 20:06, Chris wrote:
Hi Noel, The email from gmail.com in my example log comes in on port 25 - the 1st line in master.cf. If I leave the -o content_filter=lmtp:unix:/tmp/dspam.sock in instead of removing it, then authenticating users who choose to use port 25 in their email clients will also go through dspam as well as non-authenticating users. That is why I need to have this:
main.cf -
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, ... check_client_access pcre:/etc/postfix/dspam_filter_access
so that authenticating clients bypass the content filter (regardless of whether they use port 25 or 587) and non-authenticating clients get caught by the check_client_access line at the end, which puts them through dspam, but _unfortunately_ before queue.

no, it's still after queue. the TRIGGER line in your logs is informative. it doesn't mean mail is passed to dspam. mail can still get rejected (in subsequent smtpd checks, in header/body checks.., or for other reasons). stop dspam and see by yourself.
Re: my server generates spam
On 10/05/2012 19:09, john wrote:
Off topic, but related to this thread. I/we use Squirrelmail and while we have not had any problems with it I wonder (and as this list seems to be the home of email gurus) if there are any recommendations as to a better solution, particularly one that would work in a postfix/dovecot environment.

(please don't top post. put your replies after the text you reply to. google for top posting if this isn't clear).

- enforce ssl (https). don't allow plain http:// urls. => don't configure automated redirects. your real users must know where it is (rationale: given the number of sites available via plain http, miscreants don't seem to have enough incentive to attack ssl based ones).
- you can use geo controls: in general, posts from Nigeria or the like are suspicious and can be quarantined or passed to a strict filter... here, you can have a whitelist, a blacklist, a greylist, etc... (for travelling users, you can set up special procedures...).
- ensure traceability: you should be able to find which account was used to post which message.
- if using passwords, establish a password policy. (I am not recommending anything here: just define what you accept and know it! the idea is that your password policy will indicate what you should check etc). => with phishing, password strength isn't enough...
- at MTA level, detect anomalies (too much mail from an account, too much rejected mail, ...) and block webmail if bad things happen (i.e. fail on the safe side).
- don't use common urls such as http[s]://vhost/squirrelmail/ http[s]://vhost/roundcube/ http[s]://vhost/rc/ ... (rationale: avoid noise and get rid of blind robots)
... etc.
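An added example, not from the thread, of the MTA-level anomaly check suggested in the bullets above: it runs over constructed Postfix log lines (made-up accounts, hosts and queue IDs), attributes each queued message to the SASL account named on its "client=" line, and flags accounts that exceed a recipient count inside a sliding time window or that submit from more distinct client IPs than a normal user would. The thresholds are illustrative assumptions; the output is what you would feed into the "block webmail for this account" step.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the original thread). "alice" behaves
# normally; "bob" suddenly sends to many recipients from several unrelated
# client IPs, which is what a stolen webmail/SASL password looks like in
# the MTA log. The unauthenticated MX delivery from example.org is ignored.
SAMPLE_LOG = """\
May 10 18:00:01 mx postfix/submission/smtpd[2001]: 1A2B3C4D01: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 10 18:00:02 mx postfix/qmgr[1999]: 1A2B3C4D01: from=<alice@example.com>, size=2048, nrcpt=3 (queue active)
May 10 18:05:10 mx postfix/submission/smtpd[2002]: 1A2B3C4D02: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
May 10 18:05:11 mx postfix/qmgr[1999]: 1A2B3C4D02: from=<alice@example.com>, size=1500, nrcpt=2 (queue active)
May 10 18:10:00 mx postfix/smtpd[2003]: 1A2B3C4D03: client=mail.example.org[198.51.100.7]
May 10 18:10:01 mx postfix/qmgr[1999]: 1A2B3C4D03: from=<news@example.org>, size=90000, nrcpt=80 (queue active)
May 10 18:20:00 mx postfix/submission/smtpd[2004]: 1A2B3C4D04: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob
May 10 18:20:01 mx postfix/qmgr[1999]: 1A2B3C4D04: from=<bob@example.com>, size=4000, nrcpt=20 (queue active)
May 10 18:21:00 mx postfix/submission/smtpd[2005]: 1A2B3C4D05: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=bob
May 10 18:21:01 mx postfix/qmgr[1999]: 1A2B3C4D05: from=<bob@example.com>, size=4000, nrcpt=20 (queue active)
May 10 18:22:00 mx postfix/submission/smtpd[2006]: 1A2B3C4D06: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=bob
May 10 18:22:01 mx postfix/qmgr[1999]: 1A2B3C4D06: from=<bob@example.com>, size=4000, nrcpt=20 (queue active)
May 10 18:23:00 mx postfix/submission/smtpd[2007]: 1A2B3C4D07: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=bob
May 10 18:23:01 mx postfix/qmgr[1999]: 1A2B3C4D07: from=<bob@example.com>, size=4000, nrcpt=20 (queue active)
"""

TS_RE = r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
# "postfix/submission/smtpd" appears when master.cf sets syslog_name per service
CLIENT_RE = re.compile(TS_RE + r"postfix/(?:\S+/)?smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(TS_RE + r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def parse_ts(text):
    # syslog stamps carry no year; the sample stays within one month
    return datetime.strptime(text, "%b %d %H:%M:%S")


def submissions(log_text):
    """Yield (sasl user, timestamp, nrcpt, client) for each authenticated message."""
    auth = {}  # queue id -> (sasl user, client) until qmgr reports nrcpt
    for line in log_text.splitlines():
        c = CLIENT_RE.match(line)
        if c:
            s = SASL_RE.search(line)
            if s:  # no sasl_username: inbound MX traffic, not an account
                auth[c.group("qid")] = (s.group("user"), c.group("client"))
            continue
        q = QMGR_RE.match(line)
        if q and q.group("qid") in auth:
            user, client = auth.pop(q.group("qid"))
            yield user, parse_ts(q.group("ts")), int(q.group("nrcpt")), client


def find_abusive_accounts(log_text, max_rcpt=50, window_seconds=600, max_client_ips=3):
    """Return {sasl user: set of alert names} for accounts over the thresholds."""
    per_user = defaultdict(list)
    for user, ts, nrcpt, client in submissions(log_text):
        per_user[user].append((ts, nrcpt, client))

    alerts = defaultdict(set)
    for user, events in per_user.items():
        events.sort()
        window, total = deque(), 0
        for ts, nrcpt, _client in events:
            window.append((ts, nrcpt))
            total += nrcpt
            # slide the window: forget submissions older than window_seconds
            while (ts - window[0][0]).total_seconds() > window_seconds:
                total -= window.popleft()[1]
            if total > max_rcpt:
                alerts[user].add("recipient_rate")
        if len({c for _, _, c in events}) > max_client_ips:
            alerts[user].add("many_client_ips")
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in find_abusive_accounts(SAMPLE_LOG).items():
        print(user, sorted(reasons))
```

Counting nrcpt from the qmgr line rather than messages from the smtpd line is deliberate: one message to 500 recipients is the usual compromised-account pattern, and a per-message count would miss it.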
Re: my server generates spam
On 08/05/2012 23:10, Giuseppe Perna wrote:
hi, I have an old version of postfix. I have this problem: from my server with sender freelo...@hotmail.com leave hundreds of spam messages to the Internet. I analyzed the file /var/log/maillog and I see this:
BE80AB81E65 3272 Tue May 8 08:18:41 freelo...@hotmail.com (host smart-relay.mail.pippo.it[210.91.5.137] said: 451 DNS temporary error. (in reply to RCPT TO command)) g...@m2.lvlfe.com gogrant...@mn.rr.com gore...@mn.rr.com goverl...@mn.rr.com gpinv...@mstarmetro.net
how can I check who is the real user who generates this spam?

thank you for contacting us. please read the fine directions described in http://www.postfix.org/DEBUG_README.html#mail
there is no chance that we understand what happens in your platform unless you explain it clearly. and stating "my server generates spam" won't make it urgent for us.
Re: How to find out where an e-mail address delivers
On 06/05/2012 13:58, Marc SCHAEFER wrote:
Hi, I have two scenarios where I would like to know how an e-mail address delivers. One of those scenarios is: I extract e-mail addresses from various databases for the various services of our system (ranging from the USENET news server to fax to e-mail gateway) then create a (Mailman) mailing-list with it. Unfortunately, some of the users (including me) receive quite a bit of duplicates. It could be handy to be able to remove duplicates from that list, e.g. by knowing what e-mail address it ultimately delivers to. For example, on my big list I have:
ad...@some-domain.ch
admi...@alphanet.ch
www...@alphanet.ch
fax...@alphanet.ch
pbxad...@alphanet.ch
they all get ultimately (through /etc/aliases, vmailbox, .forward) to \schaefer.
sendmail -bv helps. However, it is not easily usable in a script AFAIK.
shakotay:/home/schaefer# sendmail -bv pbxad...@alphanet.ch
Mail Delivery Status Report will be mailed to root.
which then gives (among others):
schae...@alphanet.ch (expanded from pbxad...@alphanet.ch): delivery via local: delivers to file: /home/schaefer/Mail/mail.received
That schae...@alphanet.ch is the info I need. Is there any way to do that, either through an installed shell command (Version: 2.7.1-1+squeeze1 or even a later version), or through an API? Or does the multi-threaded very confined approach of Postfix make this impossible? In that case I could resort to heuristics, parsing /etc/aliases, /etc/postfix/* myself.

AFAICT, there's no easy way. you could try looping over postmap -q but that's not simple (you'll need to do everything postfix does! this includes recursive lookups, removing the domain part for /etc/aliases and .forward, trying multiple forms for virtual aliases - according to the search order in the man pages. you also may need to handle '+' addresses if they are enabled etc...). And if you do that in memory, then you must ensure that this expansion results in a large number of addresses.

maybe it's easier to prune duplicates at delivery time (based on the Message-ID when the message is from one of your lists). you can do this with maildrop for instance. check the maildropex documentation until you see something like this:
# Avoid messages with duplicate Message-IDs
`/usr/bin/reformail -D 8000 duplicate.cache`
if ( $RETURNCODE == 0 )
    exit
(the above applies to all mail. you may want to restrict this to your lists' mail).

Thank you for any input!
Re: header_checks rule that doesn't work
On 05/05/2012 05:47, /dev/rob0 wrote:
On Fri, May 04, 2012 at 10:03:35PM -0400, Wietse Venema wrote:
Vincent Lefevre: I've received a mail having:
From: =?GB2312?B?tfXBoyy2/rrP0ru19cGjLMj9us/Su7X1waMsy8S6z9K7tfXBoyy3/srOtfXB?=
I wanted to reject such mail with
/^.*=\?GB2312\?B\?/ REJECT GB2312 in headers

The OP showed that on two lines, but if it is, there would be leading whitespace. You want to match a whole logical header, not only a continued line. The expression should be:
/^From:.*=\?GB2312\?B\?/ REJECT GB2312 in headers
Or, remove the anchor:
/=\?GB2312\?B\?/ REJECT GB2312 in headers

in header_checks.pcre, but this didn't work. I don't understand because
postmap -q - pcre:/etc/postfix/header_checks.pcre < the_message
says that the rule applies on this line.

Try: postmap -h -q - pcre:/etc/postfix/header_checks.pcre < the_message
This way you enforce that it looks at headers only.

One thing the header_checks(5) manual is not clear about is how to match the line end and leading whitespace. Is it matched by a single space in the expression,

No: with the following header:
Received: from localhost (localhost [127.0.0.1])
        by russian-caravan.cloud9.net (Postfix) with ESMTP
$ cat test.pcre
/^Received:.*\) by/ WARN match single space
/^Received:.*\)  by/ WARN match two spaces
/^Received:.*\)\s+by/ WARN match \s+
$ postmap -h -q - pcre:test.pcre < test.hdr
WARN match \s+

or would we have to replace spaces with something like this: [[:blank:]]+ ?

with pcre, you can use \s+
/Received:\s*from\s+\S+\s+\(\S+\s+\[\S+\]\)\s+by\s+\S+/
that looks a bit cryptic, doesn't it? :)
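The test above can be reproduced outside Postfix. The following is an added example, not code from the thread: it groups physical header lines into logical headers the way header_checks(5) sees them, keeping the line break and the leading whitespace of continuation lines (the behaviour the \s+ result above demonstrates), and applies pcre-style rules in table order. It assumes that Postfix's pcre tables let the . pattern cross a line break (pcre_table(5)'s /s flag), so rules are compiled with re.DOTALL by default; pass dotall=False to see what changes when they do not. The header block is constructed, and the second encoded word in the From: header is a placeholder rather than real GB2312 data.

```python
import re

# Constructed header block (not from the original thread). The From: header is
# folded over two physical lines; the second encoded word is a made-up
# placeholder. The Received: header is folded like rob0's test.hdr above.
SAMPLE_HEADERS = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby russian-caravan.cloud9.net (Postfix) with ESMTP\n"
    "From: =?GB2312?B?tfXBoyy2/rrP0ru19cGjLMj9us/Su7X1waMsy8S6z9K7tfXBoyy3/srOtfXB?=\n"
    " =?GB2312?B?AAAA?=\n"
    "Subject: hello\n"
)

# Same idea, but the encoded word sits only on the continuation line.
FOLDED_ONLY = "From: Someone\n =?GB2312?B?AAAA?=\nSubject: hello\n"

REJECT = "REJECT GB2312 in headers"
ANCHORED = [(r"^.*=\?GB2312\?B\?", REJECT)]          # the OP's rule
BY_NAME = [(r"^From:.*=\?GB2312\?B\?", REJECT)]      # anchored on the header name
UNANCHORED = [(r"=\?GB2312\?B\?", REJECT)]           # no anchor at all
RECEIVED = [
    (r"^Received:.*\) by", "WARN match single space"),
    (r"^Received:.*\)  by", "WARN match two spaces"),
    (r"^Received:.*\)\s+by", "WARN match whitespace run"),
]


def logical_headers(raw):
    """Group physical lines into logical headers. The line break and the leading
    whitespace of a continuation line are kept, which is why a single space
    fails and a whitespace run succeeds in the Received: test."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        elif line:
            headers.append(line)
    return headers


def header_checks(raw, rules, dotall=True):
    """Apply (pattern, action) rules in table order to each logical header and
    return (header name, action) for the first rule that fires, as a pcre:
    header_checks table would. dotall=True is the assumed pcre_table(5)
    default (/s on): '.' may cross the fold."""
    flags = re.DOTALL if dotall else 0
    hits = []
    for header in logical_headers(raw):
        for pattern, action in rules:
            if re.search(pattern, header, flags):
                hits.append((header.split(":", 1)[0], action))
                break
    return hits


if __name__ == "__main__":
    for name, rules in [("anchored", ANCHORED), ("by name", BY_NAME),
                        ("unanchored", UNANCHORED), ("received", RECEIVED)]:
        print(name, header_checks(SAMPLE_HEADERS, rules))
    print("folded only, dotall off:", header_checks(FOLDED_ONLY, BY_NAME, dotall=False))
```

The FOLDED_ONLY case is the one to keep in mind: an anchored rule with .* reaches an encoded word on the continuation line only if . can cross the fold, while the unanchored form works either way.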
Re: how to fix forwarding loop
On 11/04/2012 04:40, Rich wrote:
It is postfix. It is being sent back to mail. It seems to be sent back to the mx mail server from archive.

time for http://www.postfix.org/DEBUG_README.html
PS. please, do not top post: http://en.wikipedia.org/wiki/Posting_style

On Tuesday, April 10, 2012, mouss wrote:
On 08/04/2012 20:13, Rich wrote:
I am trying to build an archive server for all email. Here is my setup. My domain is domain.com, my email server is mail.domain.com and the main.cf settings are: mydomain is domain.com, myhostname is mail.domain.com. I have a sender_bcc file that says user u...@archive.domain.com. The archive server is archive.domain.com; the main.cf settings are: mydomain = domain.com, myhostname is archive.domain.com, mydestination = archive.domain.com. When I send mail from mail.domain.com it forwards the mail to archive.domain.com. I get the following error on the archive server: mail forwarding loop for u...@archive.domain.com. Where am I making a mistake in the main.cf of the archive server?

try sending a fresh new mail to u...@archive.domain.com and see if you still have a loop. if you have no loop for new mail, then you were probably resubmitting mail that was already delivered on archive.domain.com (which thus contains a Delivered-To header etc etc). if it happens even for new mail, then something on archive.* is retransmitting mail to mail.*. show the config and _logs_ of archive.mail.domain (we're assuming this is a postfix. if it ain't, we can't help much). forget about the relay/mx and focus on the archive server. See http://www.postfix.org/DEBUG_README.html#mail for the fine directions.
Re: how to fix forwarding loop
On 08/04/2012 20:13, Rich wrote:
I am trying to build an archive server for all email. Here is my setup. My domain is domain.com, my email server is mail.domain.com and the main.cf settings are: mydomain is domain.com, myhostname is mail.domain.com. I have a sender_bcc file that says user u...@archive.domain.com. The archive server is archive.domain.com; the main.cf settings are: mydomain = domain.com, myhostname is archive.domain.com, mydestination = archive.domain.com. When I send mail from mail.domain.com it forwards the mail to archive.domain.com. I get the following error on the archive server: mail forwarding loop for u...@archive.domain.com. Where am I making a mistake in the main.cf of the archive server?

try sending a fresh new mail to u...@archive.domain.com and see if you still have a loop. if you have no loop for new mail, then you were probably resubmitting mail that was already delivered on archive.domain.com (which thus contains a Delivered-To header etc etc). if it happens even for new mail, then something on archive.* is retransmitting mail to mail.*. show the config and _logs_ of archive.mail.domain (we're assuming this is a postfix. if it ain't, we can't help much). forget about the relay/mx and focus on the archive server. See http://www.postfix.org/DEBUG_README.html#mail for the fine directions.
Re: relocation of virtual_transport settings to master.cf service
On 14/03/2012 03:53, b...@bitrate.net wrote:
On Mar 13, 2012, at 17.01, mouss wrote:
On 13/03/2012 19:07, b...@bitrate.net wrote:
i've been experimenting with delivery for the virtual domain class to dovecot via lmtp - e.g.
postconf virtual_transport
virtual_transport = lmtp:[localhost]:lmtp-deliver
this works fine. out of curiosity, i wondered if the particulars could be somehow moved into a service definition in master.cf - e.g. virtual_transport = dovecot

yes, you can define a transport in master.cf and use it in main.cf. so you can define
joerunsfast ... smtp -o var=val ...
and use that in main.cf:
foo_transport = joerunsfast
you can even define parameters for that transport:
joerunsfast_variable = value
in your main.cf, as far as variable applies to a transport (transports inherit from: smtp, lmtp, pipe, ...)

$ cat master.cf
...
# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=_mailbox argv=/usr/local/libexec/dovecot/deliver -d ${user}@${domain} -n -m ${extension}
...
$ grep dovecot main.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
deliver_command = /usr/local/libexec/dovecot/deliver
…

yes, this part i think i understand - the difficulty i'm having is with determining which parameters i can pass to lmtp to accomplish this. i'm effectively looking for what i would consider the equivalent to virtual_transport=lmtp:[localhost]:lmtp-deliver - but reading through the smtp/lmtp and other man pages and experimenting a bit, i've not been able to figure out what parameter might provide for this.

and then somehow in master.cf a parameter to the lmtp service named dovecot, specifying [localhost]:lmtp-deliver

not that way :) it's transport:[nexthop], not [nexthop]:transport... man smtp, lmtp, pipe, …

sorry, i probably should have been more literal here, given the context. [localhost] is the nexthop, and lmtp-deliver is the port [10026 in this case, by way of the system's services database]. i omitted the leading transport here [lmtp] in an attempt to illustrate that the data would be a parameter passed to lmtp. so far, given the various portions of the documentation i've referenced and the iterations i've tried, the answer appears to be no, but i wondered if i might be missing something.

I won't debate this now, but it seems to me that all this is documented. anyway, postfix supports custom transports, and they are used in many places. examples:
- spam filtering: things like: amavis ... smtp -o blah=blah ...
- delivery: things like dovecot ... pipe -o blah=blah

therein lies my fundamental question, i guess. having read the documentation for lmtp(8), transport(5), master(5) and probably a few others i'm forgetting - if i'm being blind to the relevant lmtp parameters, i'm hopeful i might glean some enlightenment, or if not, just a confirmation that this particular exercise isn't possible.

as per http://www.postfix.org/lmtp.8.html you can specify lmtp_port (default is 24). so you could do -o lmtp_port=10026

now, you'd better explain what real problem you are trying to solve. describe it in the problem domain, not in the solution domain (ideally, describe it in a postfix independent manner).
Re: problem with rejecting helo
Le 16/03/2012 18:22, Jack a écrit :
> Hello All,
> I'm having a problem where I am rejecting messages from one of our servers, but I'm not clear as to why. We are using:
>
> check_helo_access hash:/etc/postfix/helo_access
>
> We have in helo_access the following:
>
> ourdomain.com    REJECT Helo Check helo_access
> ourdomain.net    REJECT Helo Check helo_access
> x.x.x.x          REJECT Helo Check helo_access
> localhost        REJECT Helo Check helo_access
>
> I thought this would reject messages from someone saying they are our IP, saying they are localhost, or saying they are ourdomain.com and ourdomain.net, however it looks like we are rejecting the messages coming from server.ourdomain.net
>
> Exact error:
> 554 5.7.1 server7.ourdomain.net : Helo command rejected: Helo Check helo_access;
>
> Do I need to specify the subdomain otherwise it will consider this to be *.ourdomain.net?

# postconf -e parent_domain_matches_subdomains=

http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

> Is this rule not beneficiary ?

from a purist viewpoint, helo should be ignored. helo checks are useful to block stupid ratware. but then, it is more efficient to block the offending IPs. from another viewpoint, well, do whatever you think is good for you...

> I know SPF can handle this as well and we do use it.

No comments. spf debates are forbidden on this list (please don't ask why. google is your friend).
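As an added illustration (not from the thread and not Postfix code), a constructed model of the lookup order behind mouss's answer: whether "smtpd_access_maps" is listed in parent_domain_matches_subdomains decides if a plain ourdomain.net entry also catches server7.ourdomain.net, or if a .ourdomain.net entry is needed for that. The table mirrors the helo_access posted above (minus the IP entry) and the default value of the parameter is the one documented in postconf(5).

```python
"""Model of how Postfix access(5) matches a HELO host name against a table,
with and without "smtpd_access_maps" in parent_domain_matches_subdomains.
Constructed illustration for the thread above, not Postfix code."""
from typing import Dict, Iterable, Optional, Set, Tuple

# The posted helo_access table (IP entry omitted: address patterns are
# matched differently and are not the question here).
HELO_ACCESS: Dict[str, str] = {
    "ourdomain.com": "REJECT Helo Check helo_access",
    "ourdomain.net": "REJECT Helo Check helo_access",
    "localhost": "REJECT Helo Check helo_access",
}
# The same policy written for a setup where parent-domain matching is off:
# subdomains then need an explicit ".domain" entry (see access(5)).
HELO_ACCESS_DOTTED: Dict[str, str] = dict(HELO_ACCESS, **{
    ".ourdomain.com": "REJECT Helo Check helo_access",
    ".ourdomain.net": "REJECT Helo Check helo_access",
})
# Default value per postconf(5); this is the list that
# "postconf -e parent_domain_matches_subdomains=" empties out.
PDMS_DEFAULT = ("debug_peer_list, fast_flush_domains, mynetworks, "
                "permit_mx_backup_networks, qmqpd_authorized_clients, "
                "relay_domains, smtpd_access_maps")


def parse_pdms(value: str) -> Set[str]:
    """Parse a parent_domain_matches_subdomains value (comma/space separated)."""
    return set(value.replace(",", " ").split())


def lookup_hostname(table: Dict[str, str], helo: str,
                    pdms: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (matching key, action) for a host-name pattern lookup.
    Order: the full name first, then each parent domain. Whether a parent
    matches as "parent" or only as ".parent" depends on the setting."""
    name = helo.lower().rstrip(".")
    if name in table:
        return name, table[name]
    labels = name.split(".")
    implied = "smtpd_access_maps" in pdms
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        key = parent if implied else "." + parent
        if key in table:
            return key, table[key]
    return None


def matched_helos(table: Dict[str, str], helos: Iterable[str],
                  pdms: Set[str]) -> Dict[str, bool]:
    """Which of the given HELO names the table has an entry for."""
    return {h: lookup_hostname(table, h, pdms) is not None for h in helos}


if __name__ == "__main__":
    probes = ["ourdomain.net", "server7.ourdomain.net", "localhost",
              "mail.example.org"]
    print("default setting:", matched_helos(HELO_ACCESS, probes, parse_pdms(PDMS_DEFAULT)))
    print("emptied setting:", matched_helos(HELO_ACCESS, probes, parse_pdms("")))
    print("emptied, dotted table:",
          matched_helos(HELO_ACCESS_DOTTED, probes, parse_pdms("")))
```

Emptying the parameter as shown affects every table named in its default, so mynetworks and relay_domains also stop matching subdomains implicitly; listing everything except smtpd_access_maps keeps those unchanged.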
Re: using header_checks for custom transport
Le 16/03/2012 15:06, Pim Zandbergen a écrit :
> On 16-3-2012 14:18, Viktor Dukhovni wrote:
>>> /^X-Mailing-List:/ REDIRECT some@address
>>
>> DO NOT do this. If a particular recipient wants his list traffic left in a local mailbox, and the rest forwarded, that's up to the user's LDA, say procmail(1), or similar. This must not be done at the message level by the MTA which processes mail for multiple recipients.
>
> I agree, the other SMTP server that receives all the other mail, a popular commercial groupware product, should handle the mailing list mail as well. But it does so in an unsatisfying way. So I need to intercept this mail before it gets handed over to this other server. Here, local processing means submitting to Cyrus IMAP, and further filtering by Cyrus' sieve which works much more satisfyingly than the other servers' filtering mechanisms.

As Viktor said, don't route mail based on headers. use the recipient address. your ML has a recipient address, no? simply use virtual_alias_maps:

joel...@example.org joelist+example.org@localhost

of course, you can also use a transport entry:

joel...@example.org local:
Re: relocation of virtual_transport settings to master.cf service
Le 13/03/2012 19:07, b...@bitrate.net a écrit :
> i've been experimenting with delivery for the virtual domain class to dovecot via lmtp - e.g.
>
> postconf virtual_transport
> virtual_transport = lmtp:[localhost]:lmtp-deliver
>
> this works fine. out of curiosity, i wondered if the particulars could be somehow moved into a service definition in master.cf - e.g.
>
> virtual_transport = dovecot

yes, you can define a transport in master.cf and use it in main.cf. so you can define

joerunsfast ... smtp -o var=val ...

and use that in main.cf:

foo_transport = joerunsfast

you can even define parameters for that transport:

joerunsfast_variable = value

in your main.cf, as far as variable applies to a transport (transports inherit from: smtp, lmtp, pipe, ...)

$ cat master.cf
...
# Dovecot LDA
dovecot unix - n n - - pipe
  flags=DRhu user=_mailbox argv=/usr/local/libexec/dovecot/deliver -d ${user}@${domain} -n -m ${extension}
...
$ grep dovecot main.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
deliver_command = /usr/local/libexec/dovecot/deliver
...

> and then somehow in master.cf a parameter to the lmtp service named dovecot, specifying [localhost]:lmtp-deliver

not that way:) it's transport:[nexthop], not [nexthop]:transport... man smtp, lmtp, pipe, ...

> so far, given the various portions of the documentation i've referenced and the iterations i've tried, the answer appears to be no, but i wondered if i might be missing something.

I won't debate this now, but it seems to me that all this is documented. anyway, postfix supports custom transports, and they are used in many places. examples:
- spam filtering: things like: amavis . smtp -o blah=blah ...
- delivery: things like dovecot ... pipe -o blah=blah

> thanks
> -ben
Re: New default settings for submission service?
Le 13/03/2012 00:25, Patrick Ben Koetter a écrit :
> Wietse et al.
>
> With the arrival of postscreen, but also before I find myself repeatedly changing the defaults for the 'submission' service in master.cf. I believe the changes I apply are not rooted in my local mail policies, but of general nature. Now that submission has become more popular I'd like to discuss if the current settings should be modified to work better with an MTA that runs different policies for port 25 and 587, which I believe has become the standard use case for 'a mailserver'.
>
> [snip]
>
> I would add the following filters to reject messages that are not in conformance in order to gain basic transportability and better deliverability:
>
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain

while I like such checks in order to detect virus/trojan attacks, we're not there yet. more efforts are needed to educate hosters as well as application developers

> I'd also add header fields if the authenticated client failed to:
>
> always_add_missing_headers=yes
>
> And finally I'd change the current settings for smtpd_tls_security_level and smtpd_delay_reject regarding the submission service:
>
> smtpd_tls_security_level
> I would not enforce TLS as the submission RFC only says SHOULD on TLS and therefore would only set 'may' as preconfigured setting. I'd leave it to the postmaster to set a stricter policy. I personally keep changing this all the time since I configure and test SASL first and once that works as expected turn to TLS. Opportunistic TLS as default would make this easier without breaking RFCs.
>
> smtpd_delay_reject
> For convenience reasons I'd add this setting and set it to 'yes'. Ever since postscreen has been around I've been switching to smtpd_delay_reject=no and more aggressive filtering on port 25. I believe many have done so. Unfortunately setting it to 'no' breaks the assigned smtpd_client_restrictions for the submission service - the client will be rejected before it was able to authenticate.
>
> All in all I think these changes would make a submission service more useful out of the box. What do you think?
>
> p@rick
Re: Blocking mail from one user to another
Le 03/03/2012 18:11, /dev/rob0 a écrit :
> On Sat, Mar 03, 2012 at 12:14:41PM +0200, Nikolaos Milas wrote:
>> [snip]
>> You mean that an error entry in the maps might be such that it would allow - under certain circumstances - an undesired ACCEPT which would bypass reject_unauth_destination (due to the resulting stop in the evaluation of the rest of the statements in the smtpd_recipient_restrictions directive)?

yes. you write this in your map:

joedomain.example REJECT we get too much spam from you

then years later, a new admin comes in and wants to accept mail from friend@joedomain.example. he then adds

friend@joedomain.example OK

(instead of the correct

friend@joedomain.example DUNNO

) with the OK there, friend is given a free ticket... This is just an example. things may get worse. The impact of errors is not proportional to the number of lines ;-p

> [snip]
> Sometimes it is easier to offload a few restrictions to another stage. There is no clear-cut, always right (nor always wrong) way.

For some (many?) years, my rule of thumb has been:
- anti-spam measures go after reject_unauth_destination under smtpd_recipient_restrictions.
- use other restrictions for special controls that are not really spam oriented, such as this address is local-only, that address is write-only and shouldn't get mail etc.

> Just be aware of who you are allowing to relay and why. Best practice: use a separate submission service and ONLY allow relay through that, not on port 25 at all.

fully agreed. divide and conquer!
Re: Virtual mailboxes only
Le 02/03/2012 04:24, Karol Babioch a écrit :
> Hi,
>
> I'm pretty sure that this was asked for already, but I couldn't find anything useful with the keywords I was using. I've tried to play with some configurations, but couldn't find a reliable solution so far. I will explain what I'm trying to do with two example domains:
>
> I've got a server, which can be found at the domain example.com (including a PTR record for reverse DNS lookups). Now I want to run a mailserver for example.com, but I don't want to create local users, but instead use virtual mailboxing. Furthermore I've got the domain example.net which I want to be a mail host for - once again using virtual mailboxing. Emails to i...@example.com should be stored (using dovecot) in /var/spool/mail/example.com/info. The emails for the example.net domain should be treated the same way (e.g. /var/spool/mail/example.net/info).
>
> Now what would be the best way to deal with this kind of problem? From my understanding the documentation seems to assume that virtual mailboxing is only used for additional domains, but not for the main one.

no. you can use virtual mailbox domains for whatever domain you like. there's no concept of additional domains.

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

shows an example with relay_domains. you can do the same with virtual_mailbox_domains. or you can do

mydestination = localhost
virtual_mailbox_domains = ...

and use localhost (via virtual_alias_maps) when you need to execute scripts or use the include feature (because virtual does not allow you to do that).

> So my question, I guess, comes down to this: What would be the best way to have a single main domain virtual mailboxed, so that I don't have to create system users for each account? Is this even possible in a clean way?
>
> Best regards,
> Karol Babioch
Re: Enabling SSL on SMTP Communications
Le 24/02/2012 17:28, Kaleb Hosie a écrit :
> I'm trying to enable postfix to use an SSL certificate for sending email but when I enable SMTP on my outlook client, I get this message:
>
> Send test e-mail message: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.
>
> If I use TLS as an encryption method rather than SSL, it works.

there are two ways to implement ssl/tls in smtp:
- the non-standard way: smtp over ssl (smtps). in postfix, this is called wrapper mode tls. this is what old versions of outluck support. you can use this by enabling smtps in your master.cf. your client needs to use the smtps port instead of the smtp port.
- the standard is STARTTLS. this uses the standard smtp port (25).

mail user agents may have different names for these modes. sometimes they use ssl for the first and tls for the second. this is a MUA UI choice. you'll need to figure out what your MUA is trying to say. if you can't, ask your vendor.

> Here is the configuration in my main.cf:
>
> smtpd_use_tls = yes
> smtpd_tls_security_level = may
> smtpd_tls_cert_file = /etc/pki/tls/certs/stopspam.nicanada.com.crt
> smtpd_tls_key_file = /etc/pki/tls/certs/stopspam.nicanada.com.key
>
> I have also added the following in my master.cf file as well:
>
> smtps inet n - n - - smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> Any ideas why it is not working?
Re: Blocking mail from one user to another
Le 20/02/2012 11:40, Nikolaos Milas a écrit :
> Hi,
>
> We would like to block ONLY user somebad...@example.net so that he can't send mail to myu...@example.com. Does the following look sane?
>
> smtpd_restriction_classes = controlled_senders, otherclass1, otherclass2
> controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
>     check_recipient_access hash:/etc/postfix/protected_users,
>     check_recipient_access hash:/etc/postfix/protected_destinations,
>     ...other directives...

it is safer to use smtpd_sender/helo/client_restrictions instead of smtpd_recipient_restrictions:

smtpd_sender_restrictions =
    check_recipient_access hash:/etc/postfix/protected_users,
    ...

this way, errors in your checks or maps won't break the functionality of reject_unauth_destination, which is there to protect you (and us) from being an open relay.

> /etc/postfix/protected_users:
> myu...@example.com controlled_senders
>
> /etc/postfix/blocked_senders:
> somebad...@example.net REJECT No Access
>
> Thanks in advance,
> Nick
Re: reject_non_fqdn_helo_hostname usefulness, safety
Le 11/11/2011 00:45, Steve Fatula a écrit :
> This check says that the RFC requires a fully qualified hostname for HELO. Most internet searches show this to be a safe check that shouldn't really kill any real mail. Lately, noticed no ebay mail was coming through, looked through the logs and see entries like:
>
> Nov 9 20:30:58 host2 postfix/smtpd[16167]: NOQUEUE: reject: RCPT from mxpool19.ebay.com[66.135.197.25]: 504 5.5.2 mx88: Helo command rejected: need fully-qualified hostname; from=e...@ebay.com to=m...@hiddendomain.com proto=ESMTP helo=mx88
>
> mx88 is of course not a FQDN. So, it was correctly rejected per the setting. Obviously, I can try and whitelist all the ebay servers, but, it's a slight pain. Could be a moving target, etc. This would allow me to keep the setting, but since this did block mail from a rather well known common mailer, I am starting to wonder how safe this check really is. Perhaps it's not so safe. Yes, that is a configuration error on ebay's part, but, I don't think you really want to block ebay mail. Are you finding this is not as safe a check as it should be, since presumably the RFC requires it, still, people make mistakes? Is it really of much use these days anyway for blocking spam?

AFAICT, the check is safe. wait for some time and see if they don't fix their setup. A lot of "write a web app that sends mail" sites get into such problems when they upgrade their web apps. (yep, the solution is easy: use an outbound relay that detects issues and either rejects or fixes the problems. unfortunately, many sites send directly or they configure their outbound relay too lazily...). if they get many errors, they notice the problem and fix it. so keep rejecting them. (if they don't notice or fix the problem quickly, that's a different matter. post here and/or on spam-l so that someone gets a contact there...).
Re: A Problem No One Has Solved According To Googling
Le 25/10/2011 21:06, Jack Fredrikson a écrit :
> Here is a problem that many postfix users have had that has apparently never been resolved! I appeal to you for your help.

Welcome to the postfix mailing list... If you have a problem, please follow the directions you received when you subscribed. In particular, read

http://www.postfix.org/DEBUG_README.html#mail

do not try to help us. describe YOUR problem. and show FULL logs. and do not show logs of other people.

Believe it or not, the only "apparently never been resolved" thing is that which my mother told me not to talk about. (for those who understand french, I am ref'ing the fabulous Brassens song ;-)

> I have been googling this for a very long time now. Here is my problem
>
> Oct 25 10:49:18 myserver postfix/pipe[3712]: 0423257901AB: to=f...@bar.com, relay=dovecot, delay=109318, delays=109318/0.14/0/0.1, dsn=4.3.0, status=deferred (temporary failure
>
> Look at this comment I found while googling:
> http://blog.absolutedisaster.co.uk/osticket-plesk-9-postfix-pipe-mail-to-a-progr
>
> From the maillog:
> 1. Oct 1 14:10:39 serverXXX-XX pipe[9594]: fatal: pipe_command: execvp /var/www/vhosts/{domain}.com/subdomains/support/httpdocs/api/pipe.php: Permission denied
> 2. Oct 1 14:10:39 serverXXX-XX postfix/pipe[9088]: EF2541117B5: to=support@{domain}.com, relay=pipeSupportEmails, delay=3.5, delays=3.4/0/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /var/www/vhosts/{domain}.com/subdomains/support/httpdocs/api/pipe.php: Permission denied )
>
> This is not an uncommon error, but none of the suggested solutions I have found online yet resolve it. I will update when I have more idea. It would seem (perhaps obviously) to just be a matter of setting the permissions correctly, but I've clearly not worked out just how they should be set.
>
> So, you see, it's a major problem that nobody has bothered to fix!! Please help me fix this now!! It's been a week that I've been working day and night to get this fixed. I forgot to add this information:
>
> [root]# doveconf -n
> auth_mechanisms = plain login
> first_valid_gid = 12
> first_valid_uid = 86
> mail_location = maildir:/var/vmail/%d/%u
> passdb {
>   args = /usr/local/etc/dovecot/sql.conf
>   driver = sql
> }
> plugin {
>   quota = maildir:storage=10240:messages=1000
>   trash = /usr/local/etc/dovecot/trash.conf
> }
> protocols = imap pop3
> service auth {
>   unix_listener auth-userdb {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   user = root
> }
> ssl_cert = /etc/pki/tls/certs/mail.myserver.com.cert
> ssl_cipher_list = ALL:!LOW:!SSLv2
> ssl_key = /etc/pki/tls/private/mail.myserver.com.key
> ssl_key_password = passwd
> userdb {
>   args = /usr/local/etc/dovecot/sql.conf
>   driver = sql
> }
> protocol imap {
>   mail_plugins = quota imap_quota
> }
> protocol pop3 {
>   mail_plugins = quota
>   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
> }
> protocol lda {
>   hostname = myserver.com
>   info_log_path = /var/log/dovecot-deliver.log
>   log_path = /var/log/dovecot-deliver.log
>   mail_plugins = quota
>   postmaster_address = postmas...@creative.vi
>   sendmail_path = /usr/sbin/sendmail.postfix
> }
>
> [root]# vi main.cf
> queue_directory = /var/spool/postfix
> myorigin = $mydomain
> command_directory = /usr/sbin
> daemon_directory = /usr/libexec/postfix
> mail_owner = postfix
> inet_interfaces = all
> unknown_local_recipient_reject_code = 550
> debug_peer_list =
> sendmail_path = /usr/sbin/sendmail.postfix
> newaliases_path = /usr/bin/newaliases
> mailq_path = /usr/bin/mailq
> setgid_group = postdrop
> html_directory = no
> manpage_directory = /usr/local/man
> sample_directory = /etc/postfix
> readme_directory = no
> mydomain = myserver.com
> mydestination = $mydomain, $myhostname, localhost.$mydomain
> mail_spool_directory = /var/spool/mail
> home_mailbox = Mailbox
> disable_vrfy_command = yes
> show_user_unknown_table_name = no
> data_directory = /var/lib/postfix
> # --- local settings --
> myhostname = myserver.com
> inet_interfaces = localhost, $myhostname
> mynetworks = $config_directory/mynetworks
> #mydestination = localhost.$mydomain, localhost, $myhostname
> #uncomment if you need relay_domains... do not list domains in both relay and virtual
> relay_domains = proxy:mysql:$config_directory/mysql_relay_domains_maps.cf
> # -- VIRTUAL DOMAINS START --
> virtual_mailbox_base = /var/vmail
> virtual_mailbox_domains = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
> virtual_mailbox_maps = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
> virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
> virtual_mailbox_limit_maps =
Re: A question about mynetworks
Le 25/10/2011 18:49, Aniruddha a écrit :
> I've added my local ip address range to allow computers in my lan to send e-mails through my local postfix server. Is this the correct setting to achieve this?

That's a start. you can possibly improve the situation:
- for hosts owned by users, you can require authentication (TLS+SASL)
- for servers: only allow the hosts that are supposed to send email

> And am I correct that with the current mynetworks configuration only clients in my lan can use the smtp server? According to mxtoolbox I don't have an open relay. Are there other security measures I should take?

I guess you mean postfix related measures. if so, postfix is
- safe by default,
- it tries to protect against shoot your foot (well, unless you're not reasonable)
so thanks to Wietse and other postfix developers...

> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.1.0/24
Re: Messages successfully sent through MX relay still deferred
Le 14/10/2011 21:25, Jeroen van Vianen a écrit :
> Hi,
>
> I have the following problem: I have two postfix mail servers, one for my own domain on my home server and another one running on an external server that's sending mail to my own domainname.tld. My ISP blocks incoming port 25 and I therefore have to use a mail relay:
>
> DNS:
> mydomain.tld. 86400 IN MX 50 mail.mydomain.tld.
> mydomain.tld. 86400 IN MX 100 mailrelay.myprovider.tld.
>
> If I now send mail from this external server to myself I do receive the mail through the mailrelay. However, after a while I see the following in the deferred queue:
>
> (delivery temporarily suspended: connect to mail.mydomain.tld[x.x.x.x]: No route to host)
>
> Of course this is due to the fact that my ISP blocks port 25. To get rid of these errors I tried the following on the external server:
>
> main.cf:
> transport_maps = hash:/etc/postfix/transport
>
> transport:
> mydomain.tld: smtp:mailrelay.myprovider.tld
> .mydomain.tld: smtp:mailrelay.myprovider.tld
>
> (of course I did a postmap transport and restart of postfix). But it doesn't work. The deferred queue is still filling up with these errors.

if the errors occur with previously queued mail, then use the postsuper command.

> Is there anything else I can do to fix these errors?
>
> Thanks and regards,
> Jeroen
Re: How to restrict noreply user not to receive email ?
Le 12/10/2011 12:01, J. Bakshi a écrit :
> [snip]
> set the restriction before permit i.e
>
> smtpd_recipient_restrictions =
>     check_recipient_access hash:/etc/postfix/restrictioinincoming,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>
> Thanks, already solved it :-)

that's a bad idea. an error in the map will make you an open relay. for this reason, the general advice is to avoid using check_*_access before reject_unauth_destination in smtpd_recipient_restrictions.

assuming the default value of smtpd_delay_reject, you can simply move that check_recipient_access to another restriction, for example:

smtpd_helo_restrictions = check_recipient_access hash:/etc/postfix/restrictioinincoming

an alternative (that will also work for mail submitted via the sendmail command) is to use transport_maps:

nore...@example.com error:...

Note that if you don't want to receive errors for such mail, then you should use a null sender (MAIL FROM:<>). also, be sure to include information for users to contact you if they really need to (complain, unsubscribe, ... etc).
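The failure mode mouss describes here and in the two "Blocking mail from one user to another" threads above (an access map consulted before reject_unauth_destination, where one stray OK entry hands out relay rights) as an added, constructed model of smtpd restriction-list evaluation. It is not Postfix code; the map contents, restriction values and table name are made up, and the model only implements the handful of restrictions needed to show the point.

```python
"""Why an access map consulted before reject_unauth_destination is risky.
Constructed model of smtpd restriction-list evaluation (not Postfix code):
the first restriction that yields OK or REJECT ends the list, so a stray OK
in a map checked before reject_unauth_destination grants relay access."""
import re
from typing import Dict, List, Optional, Tuple

# Restriction names that consume one argument (a table or a DNSBL domain).
_TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_")
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_restrictions(value: str) -> List[Tuple[str, Optional[str]]]:
    """Split a main.cf restriction value into (name, argument) pairs."""
    words = [w for w in re.split(r"[,\s]+", value.strip()) if w]
    pairs, i = [], 0
    while i < len(words):
        name = words[i]
        if name.startswith(_TAKES_ARG) and i + 1 < len(words):
            pairs.append((name, words[i + 1]))
            i += 2
        else:
            pairs.append((name, None))
            i += 1
    return pairs


def lint_relay_order(value: str) -> List[str]:
    """Flag check_*_access entries that run before the relay guard in an
    smtpd_recipient_restrictions value, and a missing guard."""
    warnings, guard_seen = [], False
    for name, arg in parse_restrictions(value):
        if name in RELAY_GUARDS:
            guard_seen = True
        elif name.startswith("check_") and name.endswith("_access") and not guard_seen:
            warnings.append(f"{name} {arg} is evaluated before "
                            "reject_unauth_destination: an OK in that map allows relaying")
    if not guard_seen:
        warnings.append("no reject_unauth_destination in the list")
    return warnings


def access_lookup(table: Dict[str, str], address: str) -> Optional[str]:
    """Simplified access(5) lookup for an address: user@domain, then the
    domain, then user@ (parent-domain matching left out of this model)."""
    local, _, domain = address.lower().partition("@")
    for key in (address.lower(), domain, local + "@"):
        if key in table:
            return table[key]
    return None


def evaluate(value: str, tables: Dict[str, Dict[str, str]], ctx: dict) -> str:
    """Walk the list as smtpd does: OK/REJECT stop, DUNNO (or no match)
    moves on. ctx keys: sender, recipient, in_mynetworks, sasl, my_domains."""
    for name, arg in parse_restrictions(value):
        result = None
        if name == "permit_mynetworks" and ctx["in_mynetworks"]:
            result = "OK"
        elif name == "permit_sasl_authenticated" and ctx["sasl"]:
            result = "OK"
        elif name == "check_sender_access":
            result = access_lookup(tables[arg], ctx["sender"])
        elif name == "check_recipient_access":
            result = access_lookup(tables[arg], ctx["recipient"])
        elif name in RELAY_GUARDS:
            if ctx["recipient"].rpartition("@")[2] not in ctx["my_domains"]:
                result = "REJECT Relay access denied"
        if result is None or result.upper().startswith("DUNNO"):
            continue          # no opinion here, try the next restriction
        return result         # OK or REJECT ends the evaluation
    return "OK"               # end of list without a REJECT: accepted


# Constructed scenario from the thread: a sender map with the wrong OK entry.
SENDERS = "hash:/etc/postfix/senders"
BAD_MAP = {"joedomain.example": "REJECT we get too much spam from you",
           "friend@joedomain.example": "OK"}
GOOD_MAP = dict(BAD_MAP, **{"friend@joedomain.example": "DUNNO"})
RISKY = (f"check_sender_access {SENDERS}, permit_mynetworks, "
         "permit_sasl_authenticated, reject_unauth_destination")
SAFE = ("permit_mynetworks, permit_sasl_authenticated, "
        f"reject_unauth_destination, check_sender_access {SENDERS}")
# An outside, unauthenticated client sending to a domain we do not host.
STRANGER = {"sender": "friend@joedomain.example",
            "recipient": "victim@elsewhere.example",
            "in_mynetworks": False, "sasl": False, "my_domains": {"example.com"}}


def relay_outcomes() -> Dict[str, str]:
    """Result for the outside client under each list/map combination."""
    return {"risky_bad_map": evaluate(RISKY, {SENDERS: BAD_MAP}, STRANGER),
            "risky_good_map": evaluate(RISKY, {SENDERS: GOOD_MAP}, STRANGER),
            "safe_bad_map": evaluate(SAFE, {SENDERS: BAD_MAP}, STRANGER)}


if __name__ == "__main__":
    for warning in lint_relay_order(RISKY):
        print("WARNING:", warning)
    print(relay_outcomes())
```

With the map error present, only the list that puts reject_unauth_destination first still refuses the foreign recipient; the same lint applied to a value with no relay guard at all reports that too.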
Re: Header, body checks are they useful when using Amavis-new+Spamassassin?
Le 20/09/2011 00:06, john a écrit :
> I am running Ubuntu 11.04 as a SOHO server with postfix/dovecot/Amavis-new/Spamassassin/Clamav setup as my email service.
>
> I currently use header and body checks in postfix as part of my anti-spam measures. How useful and/or how effective are these measures? Are they still worthwhile if I am using the Amavis-new/Spamassassin/Clamav setup for anti-spam? The check files were originally from a third party (Jeff Posluns ?) and are fairly old, I have added some of my own checks but the basic files are originals. If these checks are still worthwhile are there more up to date files, and if so where might they be found?
>
> TIA
> John A
> --
> First they came for the Communists, but I was not a Communist so I did not speak out. Then they came for the Socialists and the Trade Unionists, but I was neither, so I did not speak out. Then they came for the Jews, but I was not a Jew so I did not speak out. And when they came for me, there was no one left to speak out for me.
> Dietrich Bonhoeffer - 1906-1945

the issue is: will you maintain this? if you can maintain it, then it's ok. but if you think you'd better let the spamassassin team work on that, then remove your own checks and rely on SA updates.

in fact, the hard part is spam that other users get. and harder is the FPs you create (when your users miss a legit mail because of one of your rules). so if I have a recommendation, then it'll be: don't try to stop all spam. try to keep the spam users receive to a manageable limit. don't over react. don't try to stop every spam.
Re: Any way to minimize Postscreen logging?
Le 21/09/2011 16:02, Steve Jenkins a écrit :
> I couldn't find anything in the docs, but is there an option to minimize Postscreen's log output? For troubleshooting I'd turn logging back to full, but perhaps an option to only show the NOQUEUE output in the maillog? Assuming this doesn't exist, I think that might be a nice feature for future versions.

so you'd like to have

if (shouldlog(feature)) { logit(...) }

all around the code?

the fact that postfix provides incremental logs is not without reason. you may be happy to see Apache log a line per request, and unhappy to see that postfix gives you many lines for a single transaction. but for those of us who care about security, postfix logging is the way: if the system is compromised in the middle of a transaction, we get some information to work with. of course, most of the time, this is useless, but when you need it, it's there.
Re: Off Topic: Auto-whitelisting from sent mail?
Le 20/09/2011 15:16, Stan Hoeppner a écrit :
> On 9/19/2011 5:38 PM, john wrote:
>> I think this is off topic. I am running Ubuntu 11.04 as a SOHO server with postfix/dovecot/Amavis-new/Spamassassin/Clamav setup as my email service. Does anybody know of a program... that can white list inbound email based upon the addresses of emails that have been sent?
>
> This simple 7 line bash script does the trick superbly on Debian.

just nitpicking: replace bash with sh. I know linux people swear by bash. but you should favour portable shell. when you can't, then it's time for perl and python.
Re: Blacklists for you MTA
Le 19/09/2011 19:07, Marek Salwerowicz a écrit :
> Hi all,
>
> I am new to Postfix-users mailing list so would like to say hello to everyone ;)
>
> I am wondering what rbl's are you using to prevent your MTAs against spam? My current config is as follows:
>
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client t1.dnsbl.net.au,
> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client psbl.surriel.com,
> reject_rbl_client bl.spamcop.net,
>
> Since one month I have been receiving more spam so I started thinking about adding other (if there are any) rbl's - what do you suggest?

if you show examples of spam you get, we might help you fight it. if you're looking for general advice, you'll get general spam. if you're looking for a miracle, I have one for you: stop using email and you will never get email spam. if you want to use email and hate the spam you get, show us the spam you get and your config, and we might see if you get less...
Re: Problems with hash map file reloading
Le 19/09/2011 19:54, Paul Enlund a écrit :
> Hello
>
> I am having problems with the reloading of hash: map files. The text files are generated on a master server then rsync'd to the secondary MX server. There seems to be a variable delay on the secondary MX before it picks up that the .db files have changed. It appears it can take as long as 5 minutes before the .db file changes take effect on the operation of the secondary address restrictions when receiving mail. Is this time period fixed or can it be set in configuration?

if you want to force reload, force it: postfix reload. but you'll have to think about this: are you reconfiguring the system every 5 minutes? if so, why? if not, why care about when it reloads?
Re: Tony's Quick Guide to CSA
Le 19/09/2011 03:40, Benny Pedersen a écrit :
> was reading something about client smtp auth :=)
>
> http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/antiforgery/csa.html
>
> hope it will be supported in postfix
>
> Thanks Tony for making the guide

if you like 3/4 letter combinations (csa), you might like:

SPF: http://www.openspf.org/
DMP: http://www.pan-am.ca/dmp/
RMX: http://www.danisch.de/work/security/antispam.html
DRIP: http://www.sherzer.net/draft-brand-drip-02.txt
CSV: http://mipassoc.org/csv/
DKIM: http://spamlinks.net/prevent-research.htm#verify-tech-dkim
BATV: http://mipassoc.org/batv/
SRA: http://www.tuffmail.com/backscatter.php
DMTP: http://www.ee.hawaii.edu/%7Edong/papers/DiffMail_UH.htm

if you have time, you'll see more on http://spamlinks.net

one thing is: all that stuff has been known for some time. and spam is still around...
Re: Configuring null-mail machine
Le 17/09/2011 17:18, tmac a écrit :
> I Have RHEL6 and am trying to use postfix for the first time.
>
> My host is server1.lab.my.org
> The mail server is mailserver.my.org
>
> I also have an alias file being passed around via NIS. This is used with sendmail to re-write usernames from u...@lab.my.org or just user to u...@my.org
>
> I would like to have this single host (server1) running postfix send/forward all mail to the mailserver (mailserver.my.org). I would also like it to re-write the user names with the NIS aliases file. If the user does not exist in NIS, append my.org to the email address.
>
> I have a setup working now, as long as I specify u...@my.org. Anything else does not work (i.e. user or u...@lab.my.org)

looks like you want to rewrite addresses. if so,

http://www.postfix.org/ADDRESS_REWRITING_README.html

try generic...