[pfx] Re: spf

2024-07-19 Thread natan via Postfix-users

On 15.07.2024 at 12:06, Matus UHLAR - fantomas via Postfix-users wrote:

On 08.07.24 11:42, natan via Postfix-users wrote:

What do you propose to use?


Maybe instead of not accepting such mail it would be better to change the score 
in SA?


This is a policy issue. You can choose your policy to be rejecting 
mail with spf=fail, both spf=fail and spf=softfail, or rejecting any mail 
where SPF is not pass or DKIM is not valid, as Google has done since the new year.


so far I have used failsafe options to use SPF at SA level:

HELO_reject = False
Mail_From_reject = False
PermError_reject = False
TempError_Defer = True

but I'm switching to SPF enforcement:

HELO_reject = Null

Can you give me an example of a reject with Null?

Mail_From_reject = Fail
PermError_reject = True
TempError_Defer = True

Another option is to reject DMARC failures, in addition to SPF or as 
its replacement.



On 8.07.2024 at 11:36, natan via Postfix-users wrote:

What value do you use in postfix-policyd-spf in PermError_reject ?

HELO_reject = Fail
Mail_From_reject = Fail

#update 20240706
#PermError_reject = False
PermError_reject = True
TempError_Defer = False

I don't know if that PermError_reject is maybe too restrictive.
But on the other hand, the sender should have correctly configured 
SPF for his domain.




--
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: spf and Permerror

2024-07-08 Thread natan via Postfix-users

Hi
I have another Permerror but I don't know why


Jul  8 14:28:29 MX postfix/smtpd[48372]: NOQUEUE: reject: RCPT from 
s10b.cyber-folks.pl[193.17.184.42]: 550 5.7.24 : Recipient 
address rejected: Message rejected due to: SPF Permanent Error: No valid 
SPF record for included domain: _spf.cyberfolks.pl: 
include:_spf.cyberfolks.pl. Please see 
http://www.openspf.net/Why?s=mfrom;id=x...@wrap-zone.pl;ip=193.17.184.42;r=; 
from= to= proto=ESMTP 
helo=



On 27.06.2024 at 16:21, Carlos Velasco via Postfix-users wrote:


natan via Postfix-users wrote on 27/06/2024 at 15:48:

On 27.06.2024 at 15:39, Scott Kitterman via Postfix-users wrote:
Hi Scott
Jun 27 15:39:06 MX policyd-spf[3729]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=200.28.23.150;
helo=200-28-23-150.baf.movistar.cl; envelope-from=c...@bozon.pl;
receiver=

Jun 27 15:39:10 MX policyd-spf[3715]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=158.220.89.240;
helo=server.creatimercado.pl; envelope-from=bou...@creatimercado.pl;
receiver=

Jun 27 15:40:19 MX policyd-spf[3623]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=54.37.233.219;
helo=vps-91050aa8.vps.ovh.net; envelope-from=c...@wowpromo.pl;
receiver=

Jun 27 15:41:19 MX policyd-spf[3772]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=40.107.222.136;
helo=ind01-max-obe.outbound.protection.outlook.com;
envelope-from=c...@b2bexportsllc.com; receiver=

Jun 27 15:41:36 MX policyd-spf[5165]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=209.85.208.47;
helo=mail-ed1-f47.google.com; envelope-from=cc...@lexgedania.pl;
receiver=

Jun 27 15:23:05 MX policyd-spf[51357]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=209.85.221.54;
helo=mail-wr1-f54.google.com; envelope-from=cc...@p1fuels.com;
receiver=

Jun 27 15:33:06 MX policyd-spf[2191]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=209.85.166.74;
helo=mail-io1-f74.google.com; envelope-from=c...@bombilloamarillo.com;
receiver=

Jun 27 15:34:45 MX policyd-spf[2455]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=209.85.167.52;
helo=mail-lf1-f52.google.com; envelope-from=cc...@inis.pl;
receiver=

Jun 27 15:41:36 MX policyd-spf[5165]: prepend Received-SPF: Permerror
(mailfrom) identity=mailfrom; client-ip=209.85.208.47;
helo=mail-ed1-f47.google.com; envelope-from=c...@lexgedania.pl;
receiver=

I changed it to @ from the original


bozon.pl - Reason: multiple SPF records. This is not allowed.
;; ANSWER SECTION:
bozon.pl.   3151    IN  TXT "v=spf1 a mx ptr 
ip4:86.111.240.0/21 -all"

bozon.pl.   3151    IN  TXT "v=spf1 mx a ~all"

bozon.pl - Reason: multiple SPF records. This is not allowed.
;; ANSWER SECTION:
creatimercado.pl.   28521   IN  TXT "v=spf1 a mx 
include:spf6.aftermarket.hosting -all"
creatimercado.pl.   28521   IN  TXT "v=spf1 a 
ip4:158.220.89.240 ~all"


wowpromo.pl - Reason: Syntax error, address 2001:41d0:601:1100::35ee 
is not an IPv4 address.

;; ANSWER SECTION:
wowpromo.pl.    3600    IN  TXT "v=spf1 a mx 
ip4:2001:41d0:601:1100::35ee -all"


b2bexportsllc.com - Reason: multiple SPF records. This is not allowed.
;; ANSWER SECTION:
b2bexportsllc.com.  3600    IN  TXT "v=spf1 
include:sender.zohobooks.com"
b2bexportsllc.com.  3600    IN  TXT "v=spf1 
include:dc-aa8e722993._spfm.b2bexportsllc.com ~all 
include:spf.protection.outlook.com -all include:_spf.salesforce.com 
~all include:sender.zohobooks.com ~all"


lexgedania.pl - Reason: multiple SPF records. This is not allowed.
;; ANSWER SECTION:
lexgedania.pl.  3600    IN  TXT "v=spf1 
include:_spf.google.com ~all"

lexgedania.pl.  3600    IN  TXT "v=spf1 mx a ptr ~all"

p1fuels.com - Reason: multiple SPF records. This is not allowed.
;; ANSWER SECTION:
p1fuels.com.    300 IN  TXT "v=spf1 
include:mailgun.org ~all"
p1fuels.com.    300 IN  TXT "v=spf1 
include:_spf.mlsend.com include:_spf.google.com ~all"


bombilloamarillo.com - Reason: not sure about this, but my SPF test 
bailed out with "too many DNS requests". Recursive DNS includes...

;; ANSWER SECTION:
bombilloamarillo.com.   14400   IN  TXT "v=spf1 a mx ptr 
include:bluehost.com ?all"


inis.pl - Reason: not sure about this, but my SPF test bailed out with 
"too many DNS requests". Recursive DNS includes...

;; ANSWER SECTION:
inis.pl.    60  IN  TXT "v=spf1 a mx 
ip4:89.25.206.16/29 ip4:147.135.210.113 ip4:213.189.58.137 
ip4:185.54.185.228 ip4:185.36.169.40 ip4:147.135.196.44 
ip4:185.54.185.227 include:_spf.mail-source.net 
include:new.ecampaign.pl include:_spf.g
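The PermError causes quoted in this thread, checked offline: two v=spf1 records on one name, an IPv6 address under ip4:, an include of a domain that publishes no SPF record, and the 10-DNS-lookup limit of RFC 7208 section 4.6.4 (hit here by a record that includes itself). This is an added example, not policyd-spf or pyspf code; the TXT data is a constructed stand-in for DNS modelled on the records quoted above, and the entries for spf.protection.outlook.com, spf-de.emailsignatures365.com, wrap-zone.pl and good.example are hypothetical.

```python
"""Offline triage of the SPF PermError causes seen in this thread: two
v=spf1 records on one name, an IPv6 address under ip4:, an include of a
domain that publishes no SPF record, and the 10-DNS-lookup limit of
RFC 7208 section 4.6.4 (here hit by a record that includes itself)."""
import ipaddress

MAX_LOOKUPS = 10                                   # RFC 7208 section 4.6.4
LOOKUP_MECHS = ("a", "mx", "ptr", "exists", "include")

# Constructed stand-in for DNS TXT answers, modelled on the records quoted in
# the thread. The records for spf.protection.outlook.com,
# spf-de.emailsignatures365.com, wrap-zone.pl and good.example are hypothetical.
TXT = {
    "bozon.pl": ["v=spf1 a mx ptr ip4:86.111.240.0/21 -all",
                 "v=spf1 mx a ~all"],
    "wowpromo.pl": ["v=spf1 a mx ip4:2001:41d0:601:1100::35ee -all"],
    "schneider-transporte.net": [
        "v=spf1 include:spf.protection.outlook.com "
        "include:spf-de.emailsignatures365.com "
        "include:schneider-transporte.net -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "spf-de.emailsignatures365.com": ["v=spf1 ip6:2001:db8::/32 -all"],
    "wrap-zone.pl": ["v=spf1 include:_spf.cyberfolks.pl -all"],
    "good.example": ["v=spf1 a mx ip4:198.51.100.0/24 ~all"],
}


class PermError(Exception):
    """Anything RFC 7208 classifies as a permanent error."""


def spf_records(domain, txt):
    """Only TXT strings whose first token is exactly v=spf1 count as SPF."""
    return [r for r in txt.get(domain, [])
            if r.split(" ", 1)[0].lower() == "v=spf1"]


def check_spf(domain, txt=TXT):
    """Return (result, reason); result is 'ok', 'none' or 'permerror'."""
    lookups = 0

    def walk(dom, included):
        nonlocal lookups
        recs = spf_records(dom, txt)
        if not recs:
            if included:                           # RFC 7208 section 5.2
                raise PermError(
                    f"no valid SPF record for included domain: {dom}")
            return False                           # top level: result none
        if len(recs) > 1:                          # RFC 7208 section 4.5
            raise PermError(f"{dom}: multiple SPF records")
        for term in recs[0].split()[1:]:
            term = term.lstrip("+-~?")             # drop the qualifier
            if term.lower().startswith("redirect="):
                name, arg = "redirect", term[len("redirect="):]
            else:
                name, _, arg = term.partition(":")
                name = name.split("/")[0].lower()  # "mx/24" -> "mx"
            if name == "ip4":
                try:
                    ipaddress.IPv4Network(arg, strict=False)
                except ValueError:
                    raise PermError(
                        f"{dom}: {arg} is not an IPv4 address") from None
            elif name == "ip6":
                try:
                    ipaddress.IPv6Network(arg, strict=False)
                except ValueError:
                    raise PermError(
                        f"{dom}: {arg} is not an IPv6 address") from None
            if name in LOOKUP_MECHS or name == "redirect":
                lookups += 1
                if lookups > MAX_LOOKUPS:
                    raise PermError(
                        f"{dom}: more than {MAX_LOOKUPS} DNS lookups")
            if name in ("include", "redirect"):
                walk(arg, included=True)
        return True

    try:
        if not walk(domain, included=False):
            return "none", f"{domain} publishes no SPF record"
    except PermError as err:
        return "permerror", str(err)
    return "ok", f"{lookups} DNS lookups used"


if __name__ == "__main__":
    for name in ("bozon.pl", "wowpromo.pl", "schneider-transporte.net",
                 "wrap-zone.pl", "good.example"):
        print(name, *check_spf(name))
```

With PermError_reject = True each of these senders is refused at RCPT; with PermError_reject = False they are treated like a domain with no SPF record, which is the choice the thread is about.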

[pfx] Re: spf

2024-07-08 Thread natan via Postfix-users

Hi
What do you propose to use?

Maybe instead of not accepting such mail it would be better to change the score in SA?


On 8.07.2024 at 11:36, natan via Postfix-users wrote:

Hi
What value do you use in postfix-policyd-spf in PermError_reject ?

HELO_reject = Fail
Mail_From_reject = Fail

#update 20240706
#PermError_reject = False
PermError_reject = True
TempError_Defer = False

I don't know if that PermError_reject is maybe too restrictive.
But on the other hand, the sender should have correctly configured SPF 
for his domain.






[pfx] spf

2024-07-08 Thread natan via Postfix-users

Hi
What value do you use in postfix-policyd-spf in PermError_reject ?

HELO_reject = Fail
Mail_From_reject = Fail

#update 20240706
#PermError_reject = False
PermError_reject = True
TempError_Defer = False

I don't know if that PermError_reject is maybe too restrictive.
But on the other hand, the sender should have correctly configured SPF 
for his domain.



[pfx] Re: spf and Permerror

2024-06-27 Thread natan via Postfix-users

On 27.06.2024 at 15:48, natan via Postfix-users wrote:

On 27.06.2024 at 15:39, Scott Kitterman via Postfix-users wrote:

On June 27, 2024 1:30:37 PM UTC, natan via 
Postfix-users  wrote:

Hi
I have a strange problem with SPF and I honestly don't know what to pay 
attention to

What is a Permerror in SPF?
In the log I get:

Jun 27 15:09:11 MX policyd-spf[57158]: prepend Received-SPF: Permerror (mailfrom) 
identity=mailfrom; client-ip=84.205.190.72; 
helo=h2.3hosting.pl;envelope-from=gp.szkole...@domain.pl; receiver=

Jun 27 15:09:13 MX policyd-spf[1628]: prepend Received-SPF: Permerror (mailfrom) 
identity=mailfrom; client-ip=40.107.222.124; 
helo=ind01-max-obe.outbound.protection.outlook.com;envelope-from=et...@domain2.com; 
receiver=

postfix-3.4.23
postfix-policyd-spf-python-2.9.2-0

cut /etc/postfix-policyd-spf-python/policyd-spf.conf
...
debugLevel = 1
TestOnly = 1

HELO_reject = False
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,:::127.0.0.0/104,::1,
...
Permerror:
  False - Treat PermError the same as no SPF record at all. This is consistent with the 
pre-RFC usage (the pre-RFC name for this error was "Unknown").

What could be the reason for this? DNS error/no response? Wrong SPF record? 
What else?

What do you propose to set in PermError_reject?

If you are not going to tell us the domains involved, there's no way to answer 
your question intelligently.

Scott K

Hi Scott
Jun 27 15:39:06 MX policyd-spf[3729]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=200.28.23.150; 
helo=200-28-23-150.baf.movistar.cl; envelope-from=c...@bozon.pl; 
receiver=


Jun 27 15:39:10 MX policyd-spf[3715]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=158.220.89.240; 
helo=server.creatimercado.pl; envelope-from=bou...@creatimercado.pl; 
receiver=


Jun 27 15:40:19 MX policyd-spf[3623]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=54.37.233.219; 
helo=vps-91050aa8.vps.ovh.net; envelope-from=c...@wowpromo.pl; 
receiver=


Jun 27 15:41:19 MX policyd-spf[3772]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=40.107.222.136; 
helo=ind01-max-obe.outbound.protection.outlook.com; 
envelope-from=c...@b2bexportsllc.com; receiver=


Jun 27 15:41:36 MX policyd-spf[5165]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.208.47; 
helo=mail-ed1-f47.google.com; envelope-from=cc...@lexgedania.pl; 
receiver=


Jun 27 15:23:05 MX policyd-spf[51357]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.221.54; 
helo=mail-wr1-f54.google.com; envelope-from=cc...@p1fuels.com; 
receiver=


Jun 27 15:33:06 MX policyd-spf[2191]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.166.74; 
helo=mail-io1-f74.google.com; envelope-from=c...@bombilloamarillo.com; 
receiver=


Jun 27 15:34:45 MX policyd-spf[2455]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.167.52; 
helo=mail-lf1-f52.google.com; envelope-from=cc...@inis.pl; 
receiver=


Jun 27 15:41:36 MX policyd-spf[5165]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.208.47; 
helo=mail-ed1-f47.google.com; envelope-from=c...@lexgedania.pl; 
receiver=


I changed it to @ from the original


Or another example:

Jun 27 15:49:22 MX policyd-spf[12108]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=52.101.171.91; 
helo=fr6p281cu001.outbound.protection.outlook.com; 
envelope-from=ccc...@schneider-transporte.net; receiver=


host -t txt schneider-transporte.net
schneider-transporte.net descriptive text "v=spf1 
include:spf.protection.outlook.com include:spf-de.emailsignatures365.com 
include:schneider-transporte.net -all"











[pfx] Re: spf and Permerror

2024-06-27 Thread natan via Postfix-users

On 27.06.2024 at 15:39, Scott Kitterman via Postfix-users wrote:


On June 27, 2024 1:30:37 PM UTC, natan via 
Postfix-users  wrote:

Hi
I have a strange problem with SPF and I honestly don't know what to pay 
attention to

What is a Permerror in SPF?
In the log I get:

Jun 27 15:09:11 MX policyd-spf[57158]: prepend Received-SPF: Permerror (mailfrom) 
identity=mailfrom; client-ip=84.205.190.72; 
helo=h2.3hosting.pl;envelope-from=gp.szkole...@domain.pl; receiver=

Jun 27 15:09:13 MX policyd-spf[1628]: prepend Received-SPF: Permerror (mailfrom) 
identity=mailfrom; client-ip=40.107.222.124; 
helo=ind01-max-obe.outbound.protection.outlook.com;envelope-from=et...@domain2.com; 
receiver=

postfix-3.4.23
postfix-policyd-spf-python-2.9.2-0

cut /etc/postfix-policyd-spf-python/policyd-spf.conf
...
debugLevel = 1
TestOnly = 1

HELO_reject = False
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,:::127.0.0.0/104,::1,
...
Permerror:
  False - Treat PermError the same as no SPF record at all. This is consistent with the 
pre-RFC usage (the pre-RFC name for this error was "Unknown").

What could be the reason for this? DNS error/no response? Wrong SPF record? 
What else?

What do you propose to set in PermError_reject?

If you are not going to tell us the domains involved, there's no way to answer 
your question intelligently.

Scott K

Hi Scott
Jun 27 15:39:06 MX policyd-spf[3729]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=200.28.23.150; 
helo=200-28-23-150.baf.movistar.cl; envelope-from=c...@bozon.pl; 
receiver=


Jun 27 15:39:10 MX policyd-spf[3715]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=158.220.89.240; 
helo=server.creatimercado.pl; envelope-from=bou...@creatimercado.pl; 
receiver=


Jun 27 15:40:19 MX policyd-spf[3623]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=54.37.233.219; 
helo=vps-91050aa8.vps.ovh.net; envelope-from=c...@wowpromo.pl; 
receiver=


Jun 27 15:41:19 MX policyd-spf[3772]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=40.107.222.136; 
helo=ind01-max-obe.outbound.protection.outlook.com; 
envelope-from=c...@b2bexportsllc.com; receiver=


Jun 27 15:41:36 MX policyd-spf[5165]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.208.47; 
helo=mail-ed1-f47.google.com; envelope-from=cc...@lexgedania.pl; 
receiver=


Jun 27 15:23:05 MX policyd-spf[51357]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.221.54; 
helo=mail-wr1-f54.google.com; envelope-from=cc...@p1fuels.com; 
receiver=


Jun 27 15:33:06 MX policyd-spf[2191]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.166.74; 
helo=mail-io1-f74.google.com; envelope-from=c...@bombilloamarillo.com; 
receiver=


Jun 27 15:34:45 MX policyd-spf[2455]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.167.52; 
helo=mail-lf1-f52.google.com; envelope-from=cc...@inis.pl; 
receiver=


Jun 27 15:41:36 MX policyd-spf[5165]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=209.85.208.47; 
helo=mail-ed1-f47.google.com; envelope-from=c...@lexgedania.pl; 
receiver=


I changed it to @ from the original





[pfx] spf and Permerror

2024-06-27 Thread natan via Postfix-users

Hi
I have a strange problem with SPF and I honestly don't know what to pay 
attention to


What is a Permerror in SPF?
In the log I get:

Jun 27 15:09:11 MX policyd-spf[57158]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=84.205.190.72; 
helo=h2.3hosting.pl; envelope-from=gp.szkole...@domain.pl; 
receiver=


Jun 27 15:09:13 MX policyd-spf[1628]: prepend Received-SPF: Permerror 
(mailfrom) identity=mailfrom; client-ip=40.107.222.124; 
helo=ind01-max-obe.outbound.protection.outlook.com; 
envelope-from=et...@domain2.com; receiver=


postfix-3.4.23
postfix-policyd-spf-python-2.9.2-0

cut /etc/postfix-policyd-spf-python/policyd-spf.conf
...
debugLevel = 1
TestOnly = 1

HELO_reject = False
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,:::127.0.0.0/104,::1,
...
Permerror:
 False - Treat PermError the same as no SPF record at all. This is 
consistent with the pre-RFC usage (the pre-RFC name for this error was 
"Unknown").


What could be the reason for this? DNS error/no response? Wrong SPF 
record? What else?


What do you propose to set in PermError_reject?




[pfx] header_checks.pcre

2024-04-10 Thread natan via Postfix-users

Hi
I try to block all of bc.googleusercontent.com but allow some addresses

Does this make sense?

cat /etc/postfix/header_checks.pcre

#allow
/^Received:.from.mg.gitlab.com.*bc.googleusercontent.com/ DUNNO
#reject
/^Received:.from.*bc.googleusercontent.com/ REJECT spam/scam/419 detected



I blocked it because I get many, many spam messages from *.bc.googleusercontent.com

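How Postfix applies the two pcre rules above, emulated: patterns are tried in file order and the first match decides, so the DUNNO rule for mg.gitlab.com has to come before the catch-all REJECT. This is an added example, not Postfix code; the Received: lines are constructed, and RULES_ESCAPED is a variant of the same rules with the dots escaped so that "." no longer matches any character.

```python
"""Emulation of Postfix header_checks evaluation for the two pcre rules
posted above: first matching pattern wins, and DUNNO stops processing
for that header line just like any other action."""
import re

# The two rules from header_checks.pcre above, in file order. Postfix pcre
# tables match case-insensitively by default, so re.IGNORECASE is used.
RULES = [
    (r"^Received:.from.mg.gitlab.com.*bc.googleusercontent.com", "DUNNO"),
    (r"^Received:.from.*bc.googleusercontent.com", "REJECT spam/scam/419 detected"),
]

# Same intent with the dots escaped: "mg.gitlab.com" now means that host only.
RULES_ESCAPED = [
    (r"^Received: from mg\.gitlab\.com.*bc\.googleusercontent\.com", "DUNNO"),
    (r"^Received: from .*bc\.googleusercontent\.com", "REJECT spam/scam/419 detected"),
]


def header_check(header_line, rules=RULES):
    """Return the action of the first rule that matches, or DUNNO if none does."""
    for pattern, action in rules:
        if re.search(pattern, header_line, re.IGNORECASE):
            return action
    return "DUNNO"


# Constructed Received: lines in the usual "from HELO (rdns [ip])" shape.
GITLAB = ("Received: from mg.gitlab.com (ec2-203-0-113-5.bc.googleusercontent.com "
          "[203.0.113.5]) by mx.example.net")
OTHER = ("Received: from host.example.org (ec2-203-0-113-6.bc.googleusercontent.com "
         "[203.0.113.6]) by mx.example.net")
# With unescaped dots the allow rule also matches this, because "." matches "X".
LOOKALIKE = GITLAB.replace("mg.gitlab.com", "mgXgitlabXcom")

if __name__ == "__main__":
    for line in (GITLAB, OTHER, LOOKALIKE):
        print(header_check(line), "|", header_check(line, RULES_ESCAPED))
```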


[pfx] Re: postfix and from

2024-03-19 Thread natan via Postfix-users

Hi
The problem is that 1 works and 2 doesn't:

1.
FROM is encoded as "FRIENDLY_NAME " == encoding ==> "base64"
2.
FROM is encoded as "FRIENDLY_NAME " == encoding ==> 
"base64 "


This means that if the entire FROM content is encoded, the "author's ticket 
app" cannot read it. He probably doesn't even try to decode From; he 
just looks for an e-mail address, and if he doesn't find it, it "hangs" 
and the programmer says "the problem is in postfix".


And I would like to prove to him that it is better to improve the 
application than to play around with postfix, because you can cause a big 
problem.


I don't want to kick with the horse...

On 19.03.2024 at 11:43, Erwan David via Postfix-users wrote:

On 19/03/2024 at 11:39, natan via Postfix-users wrote:

Hi
I have one question regarding the RFC of the FROM field: in the 
message header.


Is there any restriction that will force the FROM field to be correct 
according to the RFC?
I'm asking because one client "parses e-mails strangely" and his 
application hangs and instead of correcting it, he sends me to block 
such e-mails using Postfix.


Allowed (by the RFCs) syntaxes for addresses being very diverse, there 
is much chance that his application refuses a perfectly valid address, 
much more than postfix allowing an illegal syntax.





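Why the second From: form described above defeats a parser that only scans for an address, and how a decode-first parser reads both forms. This is an added example, not the ticket application's or Postfix's code; the display name and address are constructed.

```python
"""Two ways to read From: when the display name is RFC 2047 encoded.
Form 1 encodes only the display name; form 2 wraps the whole mailbox in
one encoded-word, so nothing outside the base64 contains '@' or '<'."""
import base64
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

NAME, ADDR = "Zażółć Gęślą", "user@example.com"      # constructed values


def encoded_word(text):
    """Build an RFC 2047 'B' (base64) encoded-word for UTF-8 text."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return f"=?UTF-8?B?{b64}?="


# Form 1: encoded display name, plain addr-spec (the form that works).
FROM_1 = f"{encoded_word(NAME)} <{ADDR}>"
# Form 2: the whole "Name <addr>" inside one encoded-word (the form that
# hangs the ticket app). RFC 2047 section 5 does not allow an encoded-word
# to cover any part of an addr-spec, so strict parsers may refuse it.
FROM_2 = encoded_word(f"{NAME} <{ADDR}>")


def naive_extract(raw):
    """Scan the raw header for something that looks like an address
    without decoding it first: the behaviour the thread suspects."""
    m = re.search(r'[^\s<>"]+@[^\s<>"]+', raw)
    return m.group(0) if m else ""


def decode_then_parse(raw):
    """Decode encoded-words first (RFC 2047), then parse the mailbox
    (RFC 5322); returns the addr-spec, or '' if none is present."""
    decoded = str(make_header(decode_header(raw)))
    return parseaddr(decoded)[1]


if __name__ == "__main__":
    for label, value in (("form 1", FROM_1), ("form 2", FROM_2)):
        print(label, repr(naive_extract(value)), repr(decode_then_parse(value)))
```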


[pfx] postfix and from

2024-03-19 Thread natan via Postfix-users

Hi
I have one question regarding the RFC of the FROM field: in the message 
header.


Is there any restriction that will force the FROM field to be correct 
according to the RFC?
I'm asking because one client "parses e-mails strangely" and his 
application hangs and instead of correcting it, he sends me to block 
such e-mails using Postfix.



[pfx] Re: postfix and smtpd_proxy_timeout

2024-02-28 Thread natan via Postfix-users

On 28.02.2024 at 16:14, Wietse Venema via Postfix-users wrote:

natan via Postfix-users:

for"us...@domain.ltd"
Feb 27 16:02:28 smtp1v postfix/cleanup[23476]: warning:
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error
for"us...@domain.ltd"
Feb 27 16:02:29 smtp1v postfix/cleanup[23476]: warning:
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error
for"us...@domain.ltd"
Feb 27 16:02:30 smtp1v postfix/cleanup[23476]: warning:
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error
for"us...@domain.ltd"

thanks

Clearly, this is edited evidence. I will reach out to you off-list.

Wietse




[pfx] Re: postfix and smtpd_proxy_timeout

2024-02-28 Thread natan via Postfix-users

Hi
In the log I get:
Feb 27 15:57:28 smtp1v postfix/cleanup[23476]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:02:28 smtp1v postfix/cleanup[23476]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:02:29 smtp1v postfix/cleanup[23476]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:02:30 smtp1v postfix/cleanup[23476]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:05:28 smtp1v postfix/cleanup[24084]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:05:29 smtp1v postfix/cleanup[24084]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:05:30 smtp1v postfix/cleanup[24084]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:06:28 smtp1v postfix/cleanup[26225]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:11:28 smtp1v postfix/cleanup[26383]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:11:29 smtp1v postfix/cleanup[26383]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:13:28 smtp1v postfix/cleanup[26225]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:13:29 smtp1v postfix/cleanup[26225]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:13:30 smtp1v postfix/cleanup[26395]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"


The problem connecting to the database was at ~15:56.
Some users got that warning;
some users at that time sent normally, as if postfix cached "proxy_map" 
connections.


After restoring the connection to the database, the new connections were 
correct, but the old ones still received information that it was 
impossible to connect to the database.

After restarting postfix all was OK.

Another setup example:
The same happens as in the above case when, for example, the 
database cluster transfers the VIP IP (keepalived) from one SQL node to 
another (keepalived moves the IP).


All new connections work ok, but the old ones get an error connecting to 
the database.


On 27.02.2024 at 17:44, Wietse Venema via Postfix-users wrote:

natan via Postfix-users:

If I set smtpd_proxy_timeout=60s, will I be "terminating" (timing out) all old
connections that get
"warning: proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new
lookup error foru...@test.lt"
after 60s?

smtpd_proxy_timeout is a time limit for Postfix to talk to an
smtpd_proxy_filter.

It is NOT a time limit for talking to proxymap server.

As for the lookup error for an existing proxymap connection, the
proxymap client is supposed to retry the query forever, sleeping
one second between attempts.

Your logging examples do not match Postfix code, perhaps you can
provide more accurate examples. Details matter.

Wietse




[pfx] postfix and smtpd_proxy_timeout

2024-02-27 Thread natan via Postfix-users

Hi
I have questions about "high availability" in postfix

For example setup
1) postfix + external mysql (cluster) like

main.cf:
...
smtpd_sender_login_maps = 
proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf

smtpd_proxy_timeout=60s
...

For example I have a mysql maps - mysql_sender_login_maps.cf:

user = sql_postfix
password = 
hosts = 127.0.0.1:3307
dbname = vmail
query =


In this map I connect to the local haproxy at 127.0.0.1:3307

haproxy.cfg
...
local haproxy have:
bind 127.0.0.1:3307
default_backend mysql-backend

backend mysql-backend
mode tcp
 server galera1 192.168.0.1:3306 check inter 12000 rise 3 fall 3
 server galera2 192.168.0.2:3306 check inter 12000 rise 3 fall 3
 server galera3 192.168.0.3:3306 check inter 12000 rise 3 fall 3
 ...

All works fine... but
if galera3 goes away (like a reboot, or a network connection), haproxy turns 
galera3 off from the cluster (check inter 12000 rise 3 fall 3)

but postfix tries to connect (established connections, "old connections") and I get
warning: proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new 
lookup error for u...@test.lt

that's OK because that's how proxy:mysql works

New connections are correct

My questions:
If I set smtpd_proxy_timeout=60s, will I be "terminating" (timing out) all old 
connections that get
"warning: proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new 
lookup error for u...@test.lt"

after 60s?

I understand that this may be a stupid question and I am aware of that - 
but I am looking for a solution




[pfx] Re: I don't understand the problem with DMARC and postfix

2024-02-09 Thread natan via Postfix-users

On 9.02.2024 at 15:13, Juri Haberland via Postfix-users wrote:

On 09.02.24 14:58, natan via Postfix-users wrote:

Hi
I have set up postfix+SPF+DKIM+DMARC and I'm confused

Sometimes I get fails in the logs like:
Feb  2 09:02:46 mail134 opendmarc[29379]: AE3D53B0062: allegromail.pl fail
Feb  2 09:02:45 mail134 opendmarc[29379]: 888B43B0063 ignoring
Authentication-Results at 12 from mail134.xxx.xxx.pl

^^^


opendmarc.conf:
AuthservID mail143.xxx.xxx.pl

-^^^

A typo in your config or just a copy and paste error?

A paste error ...



Cheers,
   Juri




[pfx] I don't understand the problem with DMARC and postfix

2024-02-09 Thread natan via Postfix-users

Hi
I have set up postfix+SPF+DKIM+DMARC and I'm confused

Sometimes I get fails in the logs like:

Feb  2 09:02:31 mail134 opendmarc[29379]: 5AB633B005D: gmail.com none
Feb  2 09:02:39 mail134 opendmarc[29379]: D02333B005D: patronite.email pass
Feb  2 09:02:44 mail134 opendmarc[29379]: 363153B005D: indeka.pl none
Feb  2 09:02:45 mail134 opendmarc[29379]: 888B43B0063: allegromail.pl fail
Feb  2 09:02:46 mail134 opendmarc[29379]: AE3D53B0062: allegromail.pl fail

I check via ID
Feb  2 09:02:45 mail134 opendkim[27903]: 888B43B0063: 
smtpfarm4.allegro.pl [91.207.xxx.xxx] not internal

Feb  2 09:02:45 mail134 opendkim[27903]: 888B43B0063: not authenticated
Feb  2 09:02:45 mail134 opendkim[27903]: 888B43B0063: DKIM verification 
successful
Feb  2 09:02:45 mail134 opendkim[27903]: 888B43B0063: s=smtp 
d=allegromail.pl SSL
Feb  2 09:02:45 mail134 opendmarc[29379]: 888B43B0063 ignoring 
Authentication-Results at 0 from mail134.xxx.xxx.pl
Feb  2 09:02:45 mail134 opendmarc[29379]: 888B43B0063 ignoring 
Authentication-Results at 12 from mail134.xxx.xxx.pl

Feb  2 09:02:45 mail134 opendmarc[29379]: 888B43B0063: allegromail.pl fail
Feb  2 09:02:46 mail134 postfix/qmgr[26002]: 888B43B0063: 
from=<@allegromail.pl>, size=3733, nrcpt=1 (queue active)


Why do I get a fail for a domain like allegromail.pl, for example?
SPF is correct
DKIM verification successful
DMARC host -t txt _dmarc.allegromail.pl
_dmarc.allegromail.pl descriptive text "v=DMARC1; p=quarantine; adkim=r; 
aspf=r; rf=afrf;"


opendmarc.conf:
AuthservID mail143.xxx.xxx.pl
PidFile /var/run/opendmarc.pid
RejectFailures false
Syslog true
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
SyslogFacility mail
UMask 0002
UserID opendmarc:opendmarc
HistoryFile /var/tmp/opendmarc.dat

And I have no idea. And I don't know what to pay attention to; the email 
itself has the correct structure.



[pfx] postfix repo

2024-01-11 Thread natan via Postfix-users
Hi Wietse, have you thought about a postfix repo for Debian, just like 
dovecot has for its releases?


I'm asking by the way


[pfx] Not a very important problem - smtpd_sender_login_maps

2024-01-11 Thread natan via Postfix-users

Hi
I know it may seem quite strange, but I need it for my MX ...

I need a mapping of every single email to the same one in pcre for 
sender_login_maps.cf, for

reject_sender_login_mismatch
...
smtpd_sender_login_maps = pcre:/etc/postfix/sender_login_maps.cf
...

Yes, I can use an existing map; I have such a map for outgoing e-mails.
But I need this "wildcard" for my MX that only works for incoming mail,
something like .*@.* -> *.@.*

I just don't want stupid bots to try to play...


[pfx] Re: SMTP Smuggling with long-term fix

2024-01-08 Thread natan via Postfix-users

Hi
Yes, this is the e-mail body from the test, only when the sender domain has SPF 
set to ~all or SPF does not exist


On 8.01.2024 at 15:08, Damian via Postfix-users wrote:

SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!
Are those really standalone emails with subject "SMUGGLED EMAIL ..."? 
If they are, I cannot reproduce that even with disabled short-term 
workarounds.






[pfx] Re: SMTP Smuggling with long-term fix

2024-01-08 Thread natan via Postfix-users

On 8.01.2024 at 13:35, Damian via Postfix-users wrote:
I created a test VPS (outside my infrastructure) and installed everything for 
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain 
gmail.com piot...@mydomain.ltd


Don't use a sender-domain you don't have control over. The default 
should be good enough for basic smuggling tests.



yes I will remember



Sorry, is it correct for "Short-term workarounds"?
You should have received various emails with subject "CHECK EMAIL 
...". If you have not received additional emails with subject 
"SMUGGLED EMAIL ..." then your short-term workarounds are doing their job.

I get some

SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!







[pfx] Re: SMTP Smuggling with long-term fix

2024-01-08 Thread natan via Postfix-users

Hi
Sorry for the stupid question, but I don't really understand.

I created a test VPS (outside my infrastructure) and installed everything for 
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain gmail.com piot...@mydomain.ltd

[*] Getting MX record for domain: xx
[*] Running SMTP smuggling check!
[+] Sent smuggling e-mail for end-of-data sequence '\n.\n'! Check your 
inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\n.\r'! Check your 
inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\r.\n'! Check your 
inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\r.\r'! Check your 
inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\n.\r\n'! Check your 
inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\r.\r\n'! Check your 
inbox!
[+] Sent smuggling e-mail for end-of-data sequence '\r\n\x00.\r\n'! 
Check your inbox!



In my MX I use postfix-3.4.x and main.cf like:

...
smtpd_data_restrictions =
#postfwd
    check_policy_service  { inet:127.0.0.1:10040 timeout=2s, 
default_action=DUNNO }

    reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit
smtpd_discard_ehlo_keywords = chunking, silent-discard
...


And all of them were allowed through (delivered) except two tests:
\\n.\\n
\\n.\\r\\n

Jan  8 13:03:29 maitest postfix/smtpd[21417]: improper command 
pipelining after DATA from ipxxx.ip-87-98-xxx.eu[87.98.xxx.xxx]: From: 
smugg...@gmail.com\r\nTo: piot...@domain.ltd \r\nSubject: SMUGGLED EMAIL 
('\\n.\\n')\r\nDate: Mo
Jan  8 13:03:29 mailtest postfix/smtpd[21417]: 4T7t4d2GKnz3mhqr: reject: 
DATA from ipxxx.ip-87-98-xxx.eu[87.98.xxx.xxx]: 503 5.5.0 : Data 
command rejected: Improper use of SMTP command pipelining; 
from= to= proto=ESMTP 
helo=


Jan  8 13:03:51 mailtest postfix/smtpd[21416]: improper command 
pipelining after DATA from ipxxx.ip-87-98-xxx.eu[87.98.xxx.xxx]: From: 
smugg...@gmail.com\r\nTo: piot...@domain.ltd\r\nSubject: SMUGGLED EMAIL 
('\\n.\\r\\n')\r\nDate:


Jan  8 13:03:51 mailtest postfix/smtpd[21416]: 4T7t530077z3mhqs: reject: 
DATA from ipxxx.ip-87-98-xxx.eu[87.98.xxx.xxx]: 503 5.5.0 : Data 
command rejected: Improper use of SMTP command pipelining; 
from= to= proto=ESMTP 
helo=



Sorry, is this correct for "Short-term workarounds"?


When I use a domain with hard SPF reject, all were rejected (rejected at 
the SPF level).





[1] https://github.com/The-Login/SMTP-Smuggling-Tools.git


--


[pfx] Re: implementing recipient rate limits

2024-01-02 Thread natan via Postfix-users

Hi
I was in the same place some time ago and I use postfwd + others for 
600K users and analyze via sawmill (probably 6.x).

And my conclusion:
...
The first rate is for 1 minute:
id=sasl_msg_1min ;  sasl_username=~$$sender ; action=rate(sasl_username/40/60/421 4.7.1: $$sasl_username: Sorry, sending too fast - code EC:40x60)

The second rate is for 5 minutes:
id=sasl_msg_5min ;  sasl_username=~$$sender ; action=rate(sasl_username/100/300/421 4.7.1: $$sasl_username: Sorry, sending too fast - code EC:100x300)


and the last bastion via lpolicyd:
500 for 1h and 5000 for 24h. Additionally, restrictions from outside the EU.

These limitations are only for outgoing mail.


On 2.01.2024 at 13:12, Matus UHLAR - fantomas via Postfix-users wrote:

Hello,

due to spam issue I'm trying to implement rate limits for outgoing mail.

I looked at postfwd and its rate limit looks promising, supporting 
different limits per IP/sasl_user for internal network, webmail:


http://www.postfwd.org/ratelimits.html

Of course, if there is any other tool that can do that, I'll look.


However, I need to find the limits to set.  Guessing is quite hard as 
some clients post too many mails, I'd like to have limits safe and not 
limiting.


Processing past postfix logs to see how many mails to how many 
recipients were sent by clients in the long run could help much.


Do you have any or know about tool that processes log files to produce 
statistics usable for limiting?


Thanks.



--
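Matus asked for a tool that turns past logs into statistics a limit can be chosen from, and natan posted the two postfwd rate() rules he settled on. The Python below is an added example written for this archive, not code from postfwd or Postfix. It parses the smtpd "client=" lines that carry sasl_username (a constructed sample log with made-up hosts, users and queue IDs is embedded), reports each user's peak number of messages inside any sliding 60 s and 300 s window, and then replays the same events through a simplified fixed-window model of rate(item/max/time/action): a per-user counter starts at the first message, is reset once the window has passed, and every message beyond max inside the window gets the 421 reply. The reply texts are constructed after natan's rules.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd "client=" line for an authenticated submission: the only log line
# that carries sasl_username. The sample below is constructed (hosts, users, queue IDs).
CLIENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

# The two postfwd limits from this thread, modelled as (max, window_seconds, reply).
LIMITS = [
    (40, 60, "421 4.7.1 Sorry, sending too fast - code EC:40x60"),
    (100, 300, "421 4.7.1 Sorry, sending too fast - code EC:100x300"),
]


def parse_submissions(lines, year=2024):
    """(timestamp, sasl_username) for every authenticated submission, in time order.
    Syslog lines carry no year, so one is assumed."""
    events = []
    for line in lines:
        m = CLIENT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"]))
    events.sort()
    return events


def peak_per_window(events, window_seconds):
    """Per user, the largest number of messages inside any sliding window: a limit
    has to stay above this to be 'safe and not limiting' for historical traffic."""
    by_user = defaultdict(list)
    for ts, user in events:
        by_user[user].append(ts)
    peaks = {}
    for user, times in by_user.items():
        window, peak = deque(), 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() >= window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        peaks[user] = peak
    return peaks


def apply_rate_limits(events, limits):
    """Simplified model of postfwd's rate(item/max/time/action): a per-user counter
    starts at the first message, is reset once `window` seconds have elapsed, and each
    message beyond `limit` inside the window gets `action`. Returns the deferred ones."""
    counters = {}
    deferred = []
    for ts, user in events:
        reply = None
        for limit, window, action in limits:
            start, count = counters.get((user, window), (ts, 0))
            if (ts - start).total_seconds() >= window:
                start, count = ts, 0
            count += 1
            counters[(user, window)] = (start, count)
            if count > limit and reply is None:
                reply = action
        if reply:
            deferred.append((ts, user, reply))
    return deferred


def sample_log():
    """Constructed log: alice bursts 45 messages in 45 seconds, bob sends 5 in 40 minutes."""
    t0 = datetime(2024, 1, 2, 12, 0, 0)
    template = ("Jan  2 {ts:%H:%M:%S} mx1 postfix/submission/smtpd[2345]: 4ABC{n:03X}: "
                "client=unknown[10.0.1.5], sasl_method=PLAIN, sasl_username={user}")
    lines = [template.format(ts=t0 + timedelta(seconds=i), n=i, user="alice@example.org")
             for i in range(45)]
    lines += [template.format(ts=t0 + timedelta(minutes=10 * i), n=100 + i, user="bob@example.org")
              for i in range(5)]
    return lines


if __name__ == "__main__":
    events = parse_submissions(sample_log())
    for w in (60, 300):
        print(f"peak per {w}s window:", peak_per_window(events, w))
    for ts, user, reply in apply_rate_limits(events, LIMITS):
        print(f"{ts:%H:%M:%S} {user}: {reply}")
```

Run against real logs (postfix/submission/smtpd lines from the outgoing relay), the peak table tells you how far above normal traffic a limit like 40/60 sits; the replay then shows which historical senders would have been deferred by it, which is the answer to "safe and not limiting" before the rule goes live.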


[pfx] Re: [pfx-ann] SMTP Smuggling, workarounds and fix

2023-12-29 Thread natan via Postfix-users

Hi
A good idea in my opinion; additionally add 
reject_sender_login_mismatch with maps (u...@domain.ltd user@domainltd)


smtpd_sender_restrictions =
    ...
    reject_sender_login_mismatch,
    ...
    reject_unauth_pipelining,


Rather than only reject_unauth_pipelining:
smtpd_data_restrictions = reject_unauth_pipelining

in postfix 3.4.x?
--


[pfx] Re: SMTP Smuggling, workarounds and fix // Clarification on BDAT

2023-12-29 Thread natan via Postfix-users

Hi
In postfix-3.4.23 (debian) I set

(I use always)
smtpd_data_restrictions = reject_unauth_pipelining

And today I put
smtpd_discard_ehlo_keywords = chunking


And I get many many logs like:
...
Dec 29 10:10:13 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:16 msmtp postfix/submission/smtpd[11063]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:16 msmtp postfix/submission/smtpd[11063]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:18 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:18 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:18 msmtp postfix/submission/smtpd[11062]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:18 msmtp postfix/submission/smtpd[11062]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:18 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:18 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:19 msmtp postfix/submission/smtpd[11063]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:19 msmtp postfix/submission/smtpd[11063]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:19 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:19 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:19 msmtp postfix/submission/smtpd[11062]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:19 msmtp postfix/submission/smtpd[11062]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:19 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:19 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:20 msmtp postfix/submission/smtpd[11063]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:20 msmtp postfix/submission/smtpd[11063]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:20 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:20 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:20 msmtp postfix/submission/smtpd[11062]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:20 msmtp postfix/submission/smtpd[11062]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:20 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:20 msmtp postfix/submission/smtpd[11064]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:21 msmtp postfix/submission/smtpd[11063]: discarding EHLO keywords: CHUNKING
Dec 29 10:10:21 msmtp postfix/submission/smtpd[11063]: discarding EHLO keywords: CHUNKING

...

And I don't know what to think about it, because they are probably 
outgoing, probably some newsletters or mailings.

And I don't know what I should tell those clients.

On 28.12.2023 at 02:22, Wietse Venema via Postfix-users wrote:

Damian via Postfix-users:

It really does not matter much, but leaving BDAT enabled can help in
some cases.  It is not necessary to go this deep down the rabbit hole.

So what could be smuggled into a Postfix that defines
"reject_unauth_pipelining" but does not define
"smtpd_discard_ehlo_keywords = chunking"?

It depends on whether you are talking about the BDAT or DATA
commands that are used to deliver the message with the smuggled
commands and text, or about the smuggled BDAT or DATA commands.

The smuggling attack won't work when the sending MTA and receiving
MTA support BDAT, and the sending MTA prefers using BDAT over DATA.

When the sending MTA chooses to use DATA, the smuggled commands can
still use BDAT or DATA. This time, the choice is made by the attacker,
and it depends only on the receiving MTA capabilities.

With a smuggled DATA command, the attack can trigger a command
pipelining violation, because the sending MTA will not wait between
sending the smuggled DATA command and the smuggled text (but see
notes below).

With a smuggled BDAT command, there is no pipelining violation.
This is why the current short-term fix recommends to not announce
CHUNKING support.

Note 1: an attacker can use their own custom MTA that waits after
sending the smuggled DATA command, but then they can no longer send
the attack from an IP address that passes SPF-based DMARC checks
for the sender that they wish to impersonate.

Note 2: an attacker can place the smuggled DATA\r\n at the end of
a network packet, and cause network congestion in the hope that
there will be some delay between receiving the smuggled DATA command
and the smuggled text. But that is a blind attack. The sending MTA
ignores any error responses that the receiving MTA sends after the
"ok" response to the fake end-of-message.

Wietse


--
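The scanner output earlier in this thread lists the end-of-data sequences it tries, and Wietse's reply explains why a smuggled DATA trips reject_unauth_pipelining: it is the receiving MTA's willingness to accept something other than CRLF.CRLF as end-of-data that splits one relayed message into two. The Python below is an added example written for this archive; it is not code from Postfix or from the SMTP-Smuggling-Tools repository. The DATA stream, addresses and hostnames are constructed. receiver_view() models what a receiver accepting only CRLF.CRLF sees versus one that also accepts the bare-CR/LF variants, and nonstandard_eod() lists the look-alike sequences a strict receiver should refuse instead of acting on.

```python
import re

# Constructed SMTP DATA stream (not a real capture): what a client sends between the
# DATA command and the end-of-data. The outer message is for alice; the attacker has
# embedded a "fake" end-of-data followed by their own envelope, DATA and message.
SMUGGLING_PAYLOAD = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: CHECK EMAIL\r\n"
    b"\r\n"
    b"harmless body"
    b"\n.\n"                                # fake end-of-data: bare LF around the dot
    b"MAIL FROM:<ceo@example.org>\r\n"      # smuggled commands ...
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.org\r\n"            # ... and the smuggled second message
    b"Subject: SMUGGLED EMAIL\r\n"
    b"\r\n"
    b"wire the money"
    b"\r\n.\r\n"                            # the genuine CRLF.CRLF end-of-data
)

STRICT_EOD = (b"\r\n.\r\n",)
# The standard sequence plus every variant the scanner in this thread tries.
LENIENT_EOD = STRICT_EOD + (b"\n.\n", b"\n.\r\n", b"\r.\r\n", b"\r.\r", b"\r.\n", b"\n.\r")


def eod_regex(sequences):
    """Alternation of the accepted end-of-data sequences, longest first so that
    CRLF.CRLF is never mis-read as one of its shorter substrings such as LF.CRLF."""
    ordered = sorted(sequences, key=len, reverse=True)
    return re.compile(b"|".join(re.escape(s) for s in ordered))


def receiver_view(raw, accepted_eod):
    """What an SMTP server that accepts `accepted_eod` as end-of-data makes of the
    stream. Returns (messages, smuggled_commands): after each end-of-data the server
    parses commands until it sees DATA, then collects the next message."""
    parts = eod_regex(accepted_eod).split(raw)
    messages = [parts[0]]
    commands = []
    for part in parts[1:]:
        if not part:                        # remainder after the genuine end-of-data
            continue
        head, sep, body = part.partition(b"DATA\r\n")
        commands.extend(line for line in re.split(rb"\r\n|\r|\n", head) if line)
        if sep:
            messages.append(body)
    return messages, commands


def nonstandard_eod(raw):
    """End-of-data look-alikes in the stream that are not CRLF.CRLF: exactly what a
    strict receiver should refuse (or normalize) instead of treating as end-of-data."""
    return [m.group(0) for m in eod_regex(LENIENT_EOD).finditer(raw)
            if m.group(0) != b"\r\n.\r\n"]


if __name__ == "__main__":
    for label, eod in (("strict", STRICT_EOD), ("lenient", LENIENT_EOD)):
        msgs, cmds = receiver_view(SMUGGLING_PAYLOAD, eod)
        print(f"{label}: {len(msgs)} message(s), smuggled commands: {cmds}")
    print("non-standard end-of-data sequences:", nonstandard_eod(SMUGGLING_PAYLOAD))
```

Run it and the strict view delivers one message while the lenient view delivers two, with the smuggled MAIL FROM and RCPT TO executed in between from a connection that passed SPF for the outer sender. This is the behaviour Postfix's long-term fix targets: smtpd_forbid_bare_newline (added in Postfix 3.8.4 and the matching 3.5 to 3.7 patch releases), when set to reject or normalize, stops a bare newline before the dot from ever being read as end-of-data.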

[pfx] Re: postfix and smuggling spoofing

2023-12-21 Thread natan via Postfix-users

Hi
Why am I asking? Because I use:


.
smtpd_end_of_data_restrictions =
    check_policy_service  { inet:127.0.0.1:10040 timeout=4s, default_action=DUNNO }

    permit_mynetworks,
    lpolicyd

smtpd_data_restrictions = reject_unauth_pipelining
.

On 21.12.2023 at 19:41, Wietse Venema via Postfix-users wrote:

natan:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Wietse:

See:https://www.postfix.org/smtp-smuggling.html

natan:

reject_unauth_pipelining in: smtpd_data_restrictions
or maybe only in smtpd_end_of_data_restrictions ?

Then, Postfix will have to receive the entire message before
disconnecting the client.

Wietse


--


[pfx] Re: postfix and smuggling spoofing

2023-12-21 Thread natan via Postfix-users

Hi
Thanks for the info, Wietse.

reject_unauth_pipelining in: smtpd_data_restrictions
or maybe only in smtpd_end_of_data_restrictions ?



On 21.12.2023 at 19:11, Wietse Venema via Postfix-users wrote:

natan via Postfix-users:

Hi
I found today

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

See:https://www.postfix.org/smtp-smuggling.html


--


[pfx] postfix and smuggling spoofing

2023-12-21 Thread natan via Postfix-users

Hi
I found today

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
--


[pfx] Re: can't read SMFIC_OPTNEG

2023-10-17 Thread natan via Postfix-users

Hi
Thanks, problem solved. The problem was trivial (an existing process on port 
10028).

On 17.10.2023 at 17:37, Wietse Venema via Postfix-users wrote:

natan via Postfix-users:

Hi
I have some problem with the setup
opendkim+opendmarc+amavisd-milter


 main.cf---
smtpd_milters =
inet:localhost:10028,inet:localhost:10027,inet:localhost:10029


When I try a local telnet to port 25, I get many, many logs like:
..
Oct 17 13:59:01 mail2 postfix/10028/smtpd[6]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60001]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60002]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60003]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60004]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60005]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60006]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60007]: connect from localhost[127.0.0.1]
...

When you make ONE telnet connection, MULTIPLE Postfix SMTP server
processes log a "connect from" event? How many?

You appear to have a broken accept(2) system call, such that ONE
SMTP connection from one client to Postfix is accepted in MULTIPLE
Postfix server processes.

Does this also happen with SELinux, AppArmor, etc., turned off?


When I send mail locally I get many logs like:
...
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57064]: connect from localhost[127.0.0.1]
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: warning: milter inet:localhost:10028: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: warning: milter inet:localhost:10028: read error in initial handshake
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: warning: milter inet:localhost:10027: unexpected reply "[" in initial handshake
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: lost connection after CONNECT from localhost[127.0.0.1]
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: disconnect from localhost[127.0.0.1] commands=0/0

Maybe the Milter process also has to accept multiple connections
when one Postfix SMTP process makes one connection to the Milter
process.

That would be two connection explosions for one SMTP client connection.

If that is the case, then the Milter process will quickly run into
a per-process limit on the number of file handles, and that could
result in Milter protocol timeouts.

Wietse


--


[pfx] can't read SMFIC_OPTNEG

2023-10-17 Thread natan via Postfix-users

Hi
I have some problem with the setup
opendkim+opendmarc+amavisd-milter


 main.cf---
smtpd_milters = 
inet:localhost:10028,inet:localhost:10027,inet:localhost:10029



When I try a local telnet to port 25, I get many, many logs like:
..
Oct 17 13:59:01 mail2 postfix/10028/smtpd[6]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60001]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60002]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60003]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60004]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60005]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60006]: connect from localhost[127.0.0.1]
Oct 17 13:59:01 mail2 postfix/10028/smtpd[60007]: connect from localhost[127.0.0.1]

...

When I send mail locally I get many logs like:
...
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57064]: connect from localhost[127.0.0.1]
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: warning: milter inet:localhost:10028: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: warning: milter inet:localhost:10028: read error in initial handshake
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: warning: milter inet:localhost:10027: unexpected reply "[" in initial handshake
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: lost connection after CONNECT from localhost[127.0.0.1]
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: disconnect from localhost[127.0.0.1] commands=0/0
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57065]: connect from localhost[127.0.0.1]
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57062]: warning: milter inet:localhost:10028: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57062]: warning: milter inet:localhost:10028: read error in initial handshake
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57062]: warning: milter inet:localhost:10027: unexpected reply "[" in initial handshake
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57062]: lost connection after CONNECT from localhost[127.0.0.1]
Oct 17 13:52:41 mail2 postfix/10028/smtpd[57062]: disconnect from localhost[127.0.0.1] commands=0/0



/etc/default/opendkim:
SOCKET="inet:10028@localhost"

/etc/opendkim.conf:
Canonicalization    relaxed/simple
Mode    v
OversignHeaders From
AuthservID  HOSTNAME
UserID  opendkim
UMask   007
Socket  inet:10028@localhost
PidFile /run/opendkim/opendkim.pid
TrustAnchorFile /usr/share/dns/root.key

I use amavis to sign DKIM, but validate with opendkim+opendmarc in postfix via milter.

When I disable opendkim via milter it works fine, but this is not the 
solution.


any idea ?

Server: Ubuntu 22.04.3 LTS
postfix: 3.6.4
--


[pfx] Re: postfix and ssl problem

2023-05-08 Thread natan via Postfix-users

Hi
Exactly as you're saying. Problem solved: the CA could not be loaded by the applications.

On 8.05.2023 at 15:31, Viktor Dukhovni via Postfix-users wrote:

On Mon, May 08, 2023 at 01:29:55PM +0200, natan via Postfix-users wrote:


I have some problem with a cert for users who connect via 465

postfix/smtps/smtpd[6901]: warning: TLS library problem:
  error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:
  ../ssl/record/rec_layer_s3.c:1544:SSL alert number 48:

The cert is new (renewed), openssl x509 -in ... and the key are OK.
The server and client do not connect via SSL3.

The client cannot validate your server's certificate chain.
Perhaps you've deployed just the leaf certificate, rather
than a "chain" with the leaf certificate plus intermediate
issuing CA?

 https://datatracker.ietf.org/doc/html/rfc8446#page-89

unknown_ca:  A valid certificate chain or partial chain was received,
   but the certificate was not accepted because the CA certificate
   could not be located or could not be matched with a known trust
   anchor.



--



[pfx] Re: postfix and ssl problem

2023-05-08 Thread natan via Postfix-users

Hi
The problem is only via web applications (php).

On 8.05.2023 at 13:29, natan via Postfix-users wrote:

Hi
I have some problem with a cert for users who connect via 465

postfix/smtps/smtpd[6901]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1544:SSL alert number 48:


Debian10

The cert is new (renewed), openssl x509 -in ... and the key are OK.
The server and client do not connect via SSL3.

Any idea ?

--



--



[pfx] postfix and ssl problem

2023-05-08 Thread natan via Postfix-users

Hi
I have some problem with a cert for users who connect via 465

postfix/smtps/smtpd[6901]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1544:SSL alert number 48:


Debian10

The cert is new (renewed), openssl x509 -in ... and the key are OK.
The server and client do not connect via SSL3.

Any idea ?

--



[pfx] Re: postconf -M foo/unix='foo unix ...' get segfault if multiple entries exist in master.cf

2023-04-27 Thread natan via Postfix-users

Hi
In the old version 3.4.x the problem does not exist.

On 27.04.2023 at 14:50, Wietse Venema via Postfix-users wrote:

SATOH Fumiyasu (TSUCHIDA Fumiyasu) via Postfix-users:

I see the following problems.

1. `postconf -M bar/unix='foo unix ...'` will duplicates entries
in master.cf.

Nice find: postconf should reject this request, because the key
(bar/unix) does not match the content (foo unix ...).


2. `postconf -M foo/unix='foo unix ...' get segfault if multiple
entries exist in master.cf.

postconf has not been tested on all possible forms
of broken master.cf file.

Wietse


--



[pfx] Re: postconf -M foo/unix='foo unix ...' get segfault if multiple entries exist in master.cf

2023-04-27 Thread natan via Postfix-users

Hi
In CentOS 7:

root@node2-klone:~# postconf mail_version
mail_version = 3.4.23
root@node2-klone:~# postconf -M bar/unix='foo unix - n n - - pipe argv=/bin/false'
root@node2-klone:~# postconf -M bar/unix='foo unix - n n - - pipe argv=/bin/false'
root@node2-klone:~# postconf -M bar/unix='foo unix - n n - - pipe argv=/bin/false'
root@node2-klone:~# postconf -M bar/unix='foo unix - n n - - pipe argv=/bin/false'
root@node2-klone:~# postconf -M bar/unix='foo unix - n n - - pipe argv=/bin/false'

root@node2-klone:~# tail /etc/postfix/master.cf
...
policy-spf  unix  -   n   n   -   -   spawn
 user=nobody argv=/usr/bin/policyd-spf

#policy  unix  -  n   n   -   -   spawn
#    user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl /etc/postfix-policyd-spf-python/policyd-spf.conf
foo    unix  -   n   n   -   -   pipe argv=/bin/false
foo    unix  -   n   n   -   -   pipe argv=/bin/false
foo    unix  -   n   n   -   -   pipe argv=/bin/false
foo    unix  -   n   n   -   -   pipe argv=/bin/false
foo    unix  -   n   n   -   -   pipe argv=/bin/false




On 27.04.2023 at 01:48, SATOH Fumiyasu (TSUCHIDA Fumiyasu) via 
Postfix-users wrote:

I see the following problems.

1. `postconf -M bar/unix='foo unix ...'` will duplicates entries in master.cf.
2. `postconf -M foo/unix='foo unix ...' get segfault if multiple entries exist 
in master.cf.

```
# postconf mail_version
mail_version = 3.7.4
# postconf -M foo/unix='foo unix - n n - - pipe argv=/bin/false'
# tail /etc/postfix/master.cf
...
foounix  -   n   n   -   -   pipe argv=/bin/false
# postconf -M bar/unix='foo unix - n n - - pipe argv=/bin/false'
# tail /etc/postfix/master.cf
...
foounix  -   n   n   -   -   pipe argv=/bin/false
foounix  -   n   n   -   -   pipe argv=/bin/false
# postconf -M foo/unix='foo unix - n n - - pipe argv=/bin/false'
Segmentation fault
```



--



[pfx] smtpcheck

2023-04-20 Thread natan via Postfix-users

Hi
I use keepalived and a simple check like:

vrrp_script chk_myscript {
    script "/usr/bin/postfix-check.sh"
    interval    4
    fall    2
    weight  10
    user root
}

...
#!/bin/bash
echo "ehlo localhost" | /bin/nc -w 1 "127.0.0.1" 25 |grep -q "250"
...

It's not very pretty but do you have any similar solutions?
--

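The nc|grep one-liner above has three soft spots a practitioner would want closed: grep -q "250" is satisfied by "250" anywhere in the output (inside a 4xx/5xx reply text or a hostname, for instance), it never waits for a complete multi-line EHLO reply, and it drops the connection without QUIT, which Postfix logs as a lost connection. The Python below is an added example written for this thread, not code from keepalived or Postfix; the host, port and HELO name are assumptions, and the "421 ... mx250" reply used to show the false positive is constructed. It parses SMTP replies the way RFC 5321 section 4.2 defines them (continuation lines "250-", final line "250 "), requires a 220 banner and a 250 EHLO reply, sends QUIT, and exits non-zero on any failure or timeout so keepalived can run it as the vrrp_script.

```python
import socket
import sys


class IncompleteReply(ValueError):
    """A multi-line reply whose final '<code><SP>' line has not arrived yet."""


def parse_reply(data):
    """Parse one SMTP reply, single- or multi-line (RFC 5321 section 4.2):
    continuation lines are '250-text', the final line is '250 text' (or bare '250').
    Returns (code, [text lines]); raises ValueError on malformed input and
    IncompleteReply when more lines are still expected."""
    lines = data.decode("ascii", "replace").split("\r\n")
    if lines[-1] == "":
        lines.pop()                         # the empty piece after the last CRLF
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for index, line in enumerate(lines):
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed inside a multi-line reply")
        separator = line[3:4]
        texts.append(line[4:])
        if separator in ("", " "):          # final line of the reply
            if index != len(lines) - 1:
                raise ValueError("data after the final reply line")
            return code, texts
        if separator != "-":
            raise ValueError(f"malformed reply line: {line!r}")
    raise IncompleteReply("multi-line reply not finished")


def naive_check(data):
    """What `grep -q 250` does: '250' anywhere in the output counts as success."""
    return b"250" in data


def ehlo_ok(data):
    """Strict version: the reply must parse and its code must be 250."""
    try:
        code, _ = parse_reply(data)
    except ValueError:
        return False
    return code == 250


def read_reply(sock):
    """Read until one complete reply has arrived; multi-line replies may span recv()s."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before a complete reply")
        buf += chunk
        if buf.endswith(b"\r\n"):
            try:
                return parse_reply(buf)
            except IncompleteReply:
                continue


def check_smtp(host="127.0.0.1", port=25, helo="localhost", timeout=2.0):
    """Banner must be 220, EHLO must get 250, then QUIT. False on any failure or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if read_reply(sock)[0] != 220:
                return False
            sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
            ok = read_reply(sock)[0] == 250
            sock.sendall(b"QUIT\r\n")      # clean close: no "lost connection" in the log
            return ok
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    sys.exit(0 if check_smtp() else 1)
```

Point the vrrp_script at this file instead of the shell snippet; the exit code is what keepalived acts on. The constructed 421 reply shows the difference: naive_check() accepts it because "mx250" contains "250", ehlo_ok() does not.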


[pfx] Re: *_error_limit and exclude

2023-04-20 Thread natan via Postfix-users

On 19.04.2023 at 17:23, Wietse Venema via Postfix-users wrote:

natan via Postfix-users:

Hi
I have question about *_error_limit and postfix

I have separated services like
smtp incoming and smtp outgoing and webmail

I have roundcube which is used by several thousand users

On smtp outgoing in main.cf:
...
smtpd_client_connection_count_limit = 900
smtpd_hard_error_limit = 5
smtpd_soft_error_limit = 2

First: your limits are much smaller than the default, and second:
what kinds of errors are causing Postfix to reject commands?


I'd like to exclude all "too many errors *" for a specific IP.
I would like to avoid that in case of any "too many errors" problems 
with sending mails from roundcube.

Of course, when I find errors, I try to remove them - it's obvious.
But in the meantime I need a solution to whitelist that IP.


Sometimes I get "too many errors after NOOP from zabbix".
In the following case, for example, zabbix has a problem with sending 
once in a while.

The local zabbix admins say they won't do anything about it.

zabbix sends 3 times per 1 min.

Additionally, smtpd_junk_command_limit = ${stress?{1}:{100}} is set, 
but the problem with too many errors after NOOP from zabbix still 
sometimes shows up.





Wietse


--



[pfx] *_error_limit and exclude

2023-04-19 Thread natan via Postfix-users

Hi
I have question about *_error_limit and postfix

I have separated services like
smtp incoming and smtp outgoing and webmail

I have roundcube which is used by several thousand users

On smtp outgoing in main.cf:
...
smtpd_client_connection_count_limit = 900
smtpd_hard_error_limit = 5
smtpd_soft_error_limit = 2
smtpd_recipient_limit = 100
default_destination_recipient_limit = 100
...

I am afraid that roundcube may at times run into
"too many errors after RCPT" or "too many errors after MAIL".

Is it possible to separate (exclude) the IP of this RC so that it does 
not get caught by *_error_limit?

roundcube is in a local network like 10.0.1.0/24


For the moment I added the RC IP to mynetworks in
smtpd_client_restrictions =
    permit_mynetworks,
...
smtpd_sender_restrictions =
    permit_mynetworks,
...

Problem solved, but this is not very good.
--



[pfx] Re: Blocked Sender

2023-03-27 Thread natan via Postfix-users

Hi
Yes, my pasting error

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
    reject_unknown_sender_domain
    ...

cat /etc/postfix/sender_checks.pcre
/@domain\.ltd/ OK

Of course, if required, use $ at the end

For me pcre/regexp is better, but I use hash too.

On 27.03.2023 at 14:16, Matus UHLAR - fantomas via Postfix-users wrote:

On 27.03.23 12:39, natan via Postfix-users wrote:

/etc/postfix/sender_checks.pcre
/@scripkabox\.com/

  

/etc/postfix/recipient_checks.pcre

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
    reject_unknown_sender_domain
    ...

cat /etc/postfix/sender_checks.pcre
/@domain\.ltd/ OK

  

which one is it then?

In any case I recommend using hash tables, or putting '$' at the end 
of RE, so it doesn't match e.g. "scripkabox.communicate.with.me"




On 26.03.2023 at 21:52, Doug Hardie via Postfix-users wrote:
I have a specific email sender that is getting the error "Sender 
addresses rejected: Domain not found".  Sure enough DNS provides no 
response for that domain.  If I drop off the first part of the 
domain name, then DNS returns a response.  However, the organization 
is using the complete name which means the emails are dropped.  I 
know the proper solution is to have the originator fix their DNS, 
but that is not going to happen in the near term.  I have tried 
various ways for a temporary fix, but none have worked so far.  I 
don't want to remove the "reject_unknown_sender_domain" function as 
it gets used properly a lot.  Is there some way I can get postfix to 
accept these for local delivery?




--



[pfx] Re: destination based rate limiting

2023-03-27 Thread natan via Postfix-users

Hi
Try postfwd for postfix

http://postfwd.org/ratelimits.html

On 27.03.2023 at 13:21, Gino Ferguson via Postfix-users wrote:

Hi,


How can one set up outbound rate limiting for a certain mail service provider?

Can postfix 'recognise' that recipientdomainA, recipientdomainB and 
recipientdomainC are hosted at the same mail service provider 
(bigmxprovider.com) so this limiting must be applied automatically?

The destination is not immediately obvious by the recipient domain's name and 
it would be enormous work to maintain such a list manually.


Thank you,
Gino


--



[pfx] Re: Blocked Sender

2023-03-27 Thread natan via Postfix-users

Hi
Maybe this helps you:

/etc/postfix/sender_checks.pcre
/@scripkabox\.com/
/etc/postfix/recipient_checks.pcre

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
    reject_unknown_sender_domain
    ...

cat /etc/postfix/sender_checks.pcre
/@domain\.ltd/ OK

On 26.03.2023 at 21:52, Doug Hardie via Postfix-users wrote:
I have a specific email sender that is getting the error "Sender 
addresses rejected: Domain not found".  Sure enough DNS provides no 
response for that domain.  If I drop off the first part of the domain 
name, then DNS returns a response.  However, the organization is using 
the complete name which means the emails are dropped.  I know the 
proper solution is to have the originator fix their DNS, but that is 
not going to happen in the near term.  I have tried various ways for a 
temporary fix, but none have worked so far.  I don't want to remove 
the "reject_unknown_sender_domain" function as it gets used properly a 
lot.  Is there some way I can get postfix to accept these for local 
delivery?


-- Doug




--



[pfx] Re: uceprotect.wtf (was: Send email to one @domain.com via authenticated relay?)

2023-03-23 Thread natan via Postfix-users

Hi
Today uceprotect added a /24 class to the blacklist ... One user (dedicated 
server) probably sent spam, but the user claims that he did not send spam, 
only 6 e-mails in 1h. And uceprotect blocked the whole class ...


On other RBLs every IP in that /24 class was clean.

Any idea? I'm not going to pay the clowns.

On 6.12.2022 at 14:10, Jaroslaw Rafa wrote:

On 6.12.2022 at 10:27:36, Joachim Lindenberg wrote:

Of course I looked at the page, and my understanding is, it describes very
good, what UCEPROTECT does. Thus if it is a parody, then it is a good
one. Do you have insights on that question?

Under "In the news" section on uceprotect.wtf page, there is a link to
article "UCEPROTECT Extortion Service: All Your Mails Are Belong To Us!"
( https://www.aaroncake.net/misc/showthought.asp?thought=57 ). One of the
comments under that article (dated March 23, 2021) is from a person who
stated that he/she has just created the uceprotect.wtf page.


--



Question about rfc

2023-02-28 Thread natan

Hi
Is there any RFC about having to use, or regarding the need to use, 
"sender login mismatch"?


This is just a loose question
I know that everything depends on the administrator and you don't have 
to impose anything

--



Re: double extensions

2023-02-27 Thread natan

Hi
In the file I have:

/^Content-(Type|Disposition):.*(file)?name=.*(\.|=2E)(exe|ade|adp|bas|bat|chm|cmd|cpl|hlp|hta|inf|ins|isp|img|js|jse|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh|mim|b64|bhx|hqx|xxe|uu|uue)"/
    REJECT Sorry, we do not accept .${4} file type.

/^Content-(Type|Disposition):.*(file)?name=.*\.([a-z]+\.exe)"/
    REJECT Sorry, we do not accept double extension .${3} file type.

/^Content-(Type|Disposition):.*(file)?name=.*\.([a-z]+\.img)"/
    WARN Sorry, we do not accept double extension file type img.



On 27.02.2023 at 15:56, Wietse Venema wrote:

natan:

Hi
I get many, many e-mails with viruses and double extensions like:
*.jpg.img
*.pdf.img
*.*.img

I tried in header_checks.pcre


[broken regexp omitted]

and it is not working

The following blocks a 'bad' extension before a 'good' one such
as 'name.exe.pdf'.

1) Take the example from the header_checks manpage

2) Insert ((\.|=2E)[a-z]+)?  between vxd|ws[cfh]) and )(\?=)?"?\s*(;|$)/x

3) Replace $4 with $4$5

A much simpler rule would block all double extensions (such as
'name.pdf.jpg'), but I don't know if that would also block legitimate
mail.

Wietse


--
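Wietse's three steps above, carried out and exercised in Python as an added example (this is not code from the thread, from Postfix, or from the header_checks(5) manpage itself; Python's re engine stands in for PCRE, and the extension list is my recollection of the manpage example, so treat it as an assumption and compare it with your own manpage). The check behaves as the resulting Postfix rule does: a 'bad' extension is caught even when a 'good' one follows it, the `=2E` quoted-printable spelling of the dot is handled, and the rejection text carries `$4$5`; it also shows that a harmless double extension such as `.pdf.jpg` is not blocked by this rule, which is the trade-off Wietse mentions:

```python
import re
from typing import Optional

# Extension alternation from the header_checks(5) manpage example, written from
# memory (assumption: verify against your own manpage before relying on it).
MANPAGE_EXTENSIONS = (
    "ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|ht[at]|inf|ins|isp|"
    "js|jse|lnk|mdb|mde|mse|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|"
    "vb[es]?|vxd|ws[cfh]"
)


def build_pattern(extensions: str = MANPAGE_EXTENSIONS) -> "re.Pattern[str]":
    """The manpage rule with Wietse's step 2 applied.

    Capture groups, numbered as Postfix numbers $1..$n:
      1  Disposition|Type
      2  the whole attachment name (the rule's REJECT text prints it)
      3  the dot, or its quoted-printable spelling =2E, before the bad extension
      4  the bad extension
      5  Wietse's insertion: an optional trailing (.|=2E)[a-z]+ such as ".pdf"
      6  the dot inside group 5
      7  optional "?=" closing an RFC 2047 encoded word
      8  ";" or end of line
    """
    return re.compile(
        r'^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)('
        + extensions
        + r')((\.|=2E)[a-z]+)?)(\?=)?"?\s*(;|$)',
        re.IGNORECASE,  # Postfix pcre tables match case-insensitively by default
    )


DEFAULT_PATTERN = build_pattern()


def check_attachment_header(header: str, pattern=None) -> Optional[str]:
    """Return the REJECT text the rule would log, or None if the header passes.

    `header` is one unfolded Content-Type or Content-Disposition header line.
    """
    m = (pattern if pattern is not None else DEFAULT_PATTERN).match(header)
    if m is None:
        return None
    name, bad_ext, trailer = m.group(2), m.group(4), m.group(5) or ""
    # Step 3: "$4$5" so the log names the whole offending suffix, e.g. ".exe.pdf"
    return f'Attachment name "{name}" may not end with ".{bad_ext}{trailer}"'


# Constructed sample headers (not from the thread), one unfolded header each.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="report.exe.pdf"',   # bad before good
    'Content-Type: application/octet-stream; name="setup=2Eexe"',  # QP-encoded dot
    'Content-Disposition: attachment; filename="scan.pdf.jpg"',    # double, not caught
    'Content-Type: application/pdf; name="invoice.pdf"',            # plain good file
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{check_attachment_header(h) or 'OK'}  <-  {h}")
```

To cover natan's `.img` case, pass `build_pattern(MANPAGE_EXTENSIONS + "|img")` as `pattern`; in Postfix that is simply one more alternative in the list. Remember that in Postfix the rule must live in `mime_header_checks` (or `header_checks` with `mime_header_checks = $header_checks`, as natan has), because attachment headers sit inside MIME parts, not in the top-level header.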



Re: double extensions

2023-02-27 Thread natan

Hi
But in the config I have:

postconf |grep "mime_header_checks"
mime_header_checks = $header_checks


On 27.02.2023 at 15:47, Matus UHLAR - fantomas wrote:

On 27.02.23 12:38, natan wrote:

I get many, many e-mails with viruses and double extensions like:
*.jpg.img
*.pdf.img
*.*.img

I tried in header_checks.pcre

^Content-(Type|Disposition):.*(file)?name=.*(\.|=2E)(exe|ade|adp|bas|bat|chm|cmd|cpl|hlp|hta|inf|ins|isp|img|js|jse|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh|mim|b64|bhx|hqx|xxe|uu|uue)"/
    REJECT


you must use mime_header_checks

http://www.postfix.org/postconf.5.html#mime_header_checks

but I recommend an antivirus and/or antispam plugin to check these.
They can do much more than just scan MIME headers.



--



Re: Outgoing content-filter

2023-02-27 Thread natan

Hi
An auto-added footer is very bad, but on one of my servers I have:

smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=stopka


stopka    unix  -       n       n       -       -       pipe
    flags=Rq user=filter argv=/home/filter/add_filter.sh -f ${sender} -- ${recipient}



#!/bin/sh
INSPECT_DIR=/home/filter/filter
# -G: gateway (relay) submission, -i: do not treat a lone "." as end of input
SENDMAIL="/usr/sbin/sendmail -G -i"

EX_TEMPFAIL=75
EX_UNAVAILABLE=69

# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15

# Start processing.
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit
$EX_TEMPFAIL; }

cat >in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

# altermime rewrites in.$$ in place; a failure must be a tempfail so the
# message is retried instead of bounced.
/usr/bin/altermime --input=in.$$ \
   --disclaimer=/home/filter/stopka.txt \
   --disclaimer-html=/home/filter/stopka.html ||
   { echo Cannot add footer; exit $EX_TEMPFAIL; }

# Reinject with the -f sender and the recipients that master.cf passed in.
$SENDMAIL "$@" <in.$$

exit $?
Hi there,

I was doing a research about how to implement an outgoing email filter.

For every sent message we want to add a footer with a counter.

I've tried to add the "content_filter" tag as shown:

smtp      inet  n       -       n       -       50       smtpd
    -o content_filter=footer


footer unix - n n - - pipe
  flags=Rq user=myuser argv=/home/postfix/tag.sh ${sender}
${recipient}

But the messages don't seem to be filtered.

$ postconf | grep content_filter
content_filter = (empty)


Is this supposed to work? Is there a workaround for this?

Huge thanks.

R



--


double extensions

2023-02-27 Thread natan

Hi
I get many, many e-mails with viruses and double extensions like:
*.jpg.img
*.pdf.img
*.*.img

I tried in header_checks.pcre

^Content-(Type|Disposition):.*(file)?name=.*(\.|=2E)(exe|ade|adp|bas|bat|chm|cmd|cpl|hlp|hta|inf|ins|isp|img|js|jse|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh|mim|b64|bhx|hqx|xxe|uu|uue)"/
    REJECT


and it is not working

--



disable Undelivered

2023-02-09 Thread natan

Hi
One of my clients has two servers

1) for outgoing - smtp.domain.ltd
2) for incoming - mx.domain.ltd

and he sends e-mail from n...@domain.ltd

bounce -> smtp.domain.ltd sends to mx.domain.ltd

how do I disable bounces and non-delivery / sender notifications for mail 
that was sent to smtp.domain.ltd?


I try in header_checks
/^Subject:.*Undelivered Mail Returned/ DISCARD
/^From:.*smtp1.domain.ltd/ DISCARD

and

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/access.recipients

n...@domain.lt REJECT Too many

--



Re: Blocking TLDs

2023-02-08 Thread natan

Hi
Before adding sender-access, did it work fine?

Can you send the output of postconf -m?

On 8.02.2023 at 14:15, James Pifer wrote:

On 2/8/2023 4:14 AM, Viktor Dukhovni wrote:

On Wed, Feb 08, 2023 at 10:00:14AM +0200, mailm...@ionos.gr wrote:


/\.top$/ REJECT
/\.xyz$/ REJECT
/\.cam$/ REJECT
/\.fun$/ REJECT
/\.buzz$/ REJECT
/\.club$/ REJECT
/\.link$/ REJECT
/\.hinet\.net$/ REJECT

Why everyone feels they need regular expressions for this is a mystery.

 /etc/postfix/sender-access:
 top REJECT I employ crude anti-spam measures
 .top    REJECT I employ crude anti-spam measures
 cam REJECT I employ crude anti-spam measures
 .cam    REJECT I employ crude anti-spam measures
 ...

 main.cf:
 texthash = texthash:${config_directory}/
 smtpd_sender_restrictions =
 check_sender_access ${texthash}sender-access

or directly in main.cf:

 main.cf:
 smtpd_sender_restrictions =
 check_sender_access inline:{
   { top   = REJECT I employ crude anti-spam measures }
   { .top  = REJECT I employ crude anti-spam measures }
   { cam   = REJECT I employ crude anti-spam measures }
   { .cam  = REJECT I employ crude anti-spam measures } }

or an indexed table (with same sender-access file, after "postmap"):

 main.cf:
 # "cdb" is better when available
 default_database_type = hash
 indexed = ${default_database_type}:${config_directory}/
 smtpd_sender_restrictions =
 check_sender_access ${indexed}sender-access

Whatever you choose, regular expressions should be last on your list, or
not at all.  A very small fraction of mortals are capable of using
regular expressions correctly.



Thanks for everyone who has responded. This (directly in main.cf) 
appears to be the answer that works for me and is much simpler.


I tried the suggested regexp before this one and still got the same 
error.


The error was:
Feb  8 07:38:11 mailserver postfix/smtpd[446839]: NOQUEUE: reject: 
RCPT from mail-qt1-f179.google.com[209.85.160.179]: 451 4.3.5 Server 
configuration error; from= 
to= proto=ESMTP helo=


--
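Why Viktor's table carries both `top` and `.top` for every TLD: which of the two forms Postfix looks up depends on whether `smtpd_access_maps` is listed in `parent_domain_matches_subdomains`. The model below is an added example (not code from the thread or from Postfix) of the key order described in access(5), which I take as an assumption: full sender address, the sender's domain, each parent domain (bare when the parameter lists `smtpd_access_maps`, otherwise with a leading dot), then `user@`. It shows that a table with only the dotted form silently stops matching when that parameter is set, which is why listing both forms is the safe choice:

```python
from typing import Dict, List, Optional, Tuple

REJECT_TEXT = "REJECT I employ crude anti-spam measures"

# Viktor's table from the thread: both the bare and the dotted form of each TLD.
VIKTOR_TABLE: Dict[str, str] = {
    "top": REJECT_TEXT, ".top": REJECT_TEXT,
    "cam": REJECT_TEXT, ".cam": REJECT_TEXT,
}


def lookup_keys(sender: str, parent_matches_subdomains: bool) -> List[str]:
    """Keys check_sender_access tries, in order, for one envelope sender.

    Assumed from access(5): full address, the domain, each parent domain, then
    "user@". Parent domains are looked up bare ("example.top", "top") when
    smtpd_access_maps is listed in parent_domain_matches_subdomains, and with a
    leading dot (".example.top", ".top") when it is not.
    """
    sender = sender.lower()  # lookup keys are case-insensitive (tables are lower-cased)
    local, _, domain = sender.partition("@")
    keys = [sender, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")
    return keys


def sender_access_lookup(sender: str, table: Dict[str, str],
                         parent_matches_subdomains: bool = False
                         ) -> Optional[Tuple[str, str]]:
    """First (key, action) hit for the sender, or None when nothing matches."""
    for key in lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    # Constructed sender addresses, not from the thread.
    for sender in ("alice@promo.example.top", "bob@example.org", "carol@top"):
        for setting in (False, True):
            hit = sender_access_lookup(sender, VIKTOR_TABLE, setting)
            print(f"{sender:28} parent_matches_subdomains={setting!s:5} -> {hit}")
```

The last assertion in the test is the interesting one: a table that only has `.top` finds nothing for `alice@example.top` once `smtpd_access_maps` is in `parent_domain_matches_subdomains`, because only `example.top` and `top` are tried. On a real system confirm the behaviour with `postmap -q alice@example.top hash:/etc/postfix/sender-access` and `postconf parent_domain_matches_subdomains`.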



Re: Blocking TLDs

2023-02-08 Thread natan

Hi
Please send info like:

postconf -m

Probably you don't have pcre.

try postmap -q your_ask pcre:/etc/postfix/reject_domains

On 7.02.2023 at 22:49, James Pifer wrote:
Hello all. I'm trying to block some TLDs and with everything I try I'm 
getting:  451 4.3.5 : Sender address rejected: Server 
configuration error;


Obviously this is a configuration issue. I've tried following these 
sites among others:

https://forum.centos-webpanel.com/index.php?topic=10649.0
https://www.davidmartinwhite.com/2016/10/25/fighting-spam-block-entire-ttld-with-postfix/ 


https://www.ericmichaelstone.com/how-to-block-an-entire-tld-in-postfix/

Hoping there's an easy fix in my configuration. Sorry, not a postfix 
expert. If you see any issues in my config I would appreciate 
suggestions.


Thanks


My /etc/postfix/reject_domains looks like:

/\.(pro)$/ REJECT We reject all .pro domains
/\.(date)$/ REJECT We reject all .date domains
/\.(science)$/ REJECT We reject all .science domains
/\.(top)$/ REJECT We reject all .top domains
/\.(download)$/ REJECT We reject all .download domains
/\.(work)$/ REJECT We reject all .work domains
/\.(click)$/ REJECT We reject all .click domains
/\.(link)$/ REJECT We reject all .link domains
/\.(diet)$/ REJECT We reject all .diet domains
/\.(review)$/ REJECT We reject all .review domains
/\.(party)$/ REJECT We reject all .party domains
/\.(zip)$/ REJECT We reject all .zip domains
/\.(xyz)$/ REJECT We reject all .xyz domains
/\.(stream)$/ REJECT We reject all .stream domains
/\.(bid)$/ REJECT We reject all .bid domains
/\.(store)$/ REJECT We reject all .store domains



My /etc/postfix/main.cf

virtual_alias_maps = hash:/etc/postfix/virtual
relay_domains = mydomain.com
relayhost = 192.168.1.188:25
mynetworks = 192.168.188.0/24
recipient_delimiter = +
#debug_peer_list = 0.0.0.0

smtpd_restriction_classes = sender_white_list
sender_white_list = check_client_access 
hash:/etc/postfix/check_client_access


### AS SOON AS I UNCOMMENT THESE TWO LINES I GET THE ERROR ON ALL 
EMAILS##

#smtpd_recipient_restrictions =
#    check_sender_access pcre:/etc/postfix/reject_domains

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
#    reject_unknown_helo_hostname   ## Commented out 01/30/2023 
##

#    reject_rhsbl_helo dbl.spamhaus.org,
#    reject_rhsbl_reverse_client dbl.spamhaus.org,
#    reject_rhsbl_sender dbl.spamhaus.org,
#    reject_rbl_client zen.spamhaus.org

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    #...the rest of them,
    permit


--



Re: backop-transport maps

2023-01-24 Thread natan

On 24.01.2023 at 13:03, Wietse Venema wrote:

natan:

On 24.01.2023 at 12:05, Wietse Venema wrote:

natan:

Hi
For testing I am running a Galera cluster + haproxy

haproxy:
.
listen galera-test
bind 10.10.10.10:3307
balance leastconn
mode tcp
option tcplog
option tcpka
option httpchk

server sql1 10.10.10.11:3306 check port 9200 inter 12000 rise 2 fall 2
server sql2 10.10.10.12:3306 check port 9200 inter 12000 rise 2 fall 2
server sql3 10.10.10.13:3306 check port 9200 inter 12000 rise 2 fall 2
server sql4 10.10.10.14:3306 check port 9200 inter 12000 rise 2 fall 2

works fine (galera+haproxy+keepalive)

but ...
I had a problem once, like this scenario:

And that problem is now solved with the load balancer?

No
Old (existing) processes can't connect to mysql - newer connections didn't
have this problem, and in the logs I get many:
warning: proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf lookup
error for "u...@domain.lt"

You have proxy:mysql lookup errors AFTER ADDING a load balancer for the mysql 
server?

From the beginning of such a solution

machine1 machine2 machine3,4,5,6
[postfix]--[-haproxy--galera]---sqlX


I'm thinking about it, but it doesn't make sense:
1) postfix+haproxy local
In the local haproxy (on the same machine where postfix is)
- server EXTERNAL 10.10.10.1:3306 check port 9200 inter 12000 rise 2 fall 2
- server local 127.0.0.1:3307 check backup



Wietse

Wietse


--



Re: backop-transport maps

2023-01-24 Thread natan

On 24.01.2023 at 12:05, Wietse Venema wrote:

natan:

Hi
For testing I am running a Galera cluster + haproxy

haproxy:
.
listen galera-test
bind 10.10.10.10:3307
balance leastconn
mode tcp
option tcplog
option tcpka
option httpchk

server sql1 10.10.10.11:3306 check port 9200 inter 12000 rise 2 fall 2
server sql2 10.10.10.12:3306 check port 9200 inter 12000 rise 2 fall 2
server sql3 10.10.10.13:3306 check port 9200 inter 12000 rise 2 fall 2
server sql4 10.10.10.14:3306 check port 9200 inter 12000 rise 2 fall 2

works fine (galera+haproxy+keepalive)

but ...
I had a problem once, like this scenario:

And that problem is now solved with the load balancer?

No
Old (existing) processes can't connect to mysql - newer connections didn't 
have this problem, and in the logs I get many:
warning: proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf lookup 
error for "u...@domain.lt"


It is as if postfix does not close those connections - is this probably 
because I use proxy:mysql:/etc/postfix/maps?

Of course, if I restart postfix, the problem will not occur

Maybe I must tune some timeouts/cache on postfix?


Wietse


--



Re: backop-transport maps

2023-01-24 Thread natan

Hi
For testing I am running a Galera cluster + haproxy

haproxy:
.
listen galera-test
bind 10.10.10.10:3307
balance leastconn
mode tcp
option tcplog
option tcpka
option httpchk

server sql1 10.10.10.11:3306 check port 9200 inter 12000 rise 2 fall 2
server sql2 10.10.10.12:3306 check port 9200 inter 12000 rise 2 fall 2
server sql3 10.10.10.13:3306 check port 9200 inter 12000 rise 2 fall 2
server sql4 10.10.10.14:3306 check port 9200 inter 12000 rise 2 fall 2

works fine (galera+haproxy+keepalive)

but ...
I had a problem once, like this scenario:


1) There was a problem with the network connection to the database sql2
2) Haproxy flagged "server sql2" as an error and did not let new traffic to 
node sql2

3) Some connections from postfix to haproxy -> sql2 were hanging,
   as if haproxy didn't send RST
4) old processes can't connect to mysql - newer connections didn't have this 
problem, and in the logs I get many:
warning: proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf lookup 
error for "u...@domain.lt"

5) the problem with sql2 was fixed
6) some old processes still can't connect to mysql - newer connections 
didn't have this problem


As if postfix wouldn't reconnect itself - after some time all works fine

And I would like to eliminate it, and I have no idea where I must look for the 
"problem"



I use proxy:mysql:/etc/postfix/mysql_maps everywhere.

On 20.01.2023 at 18:43, Wietse Venema wrote:

natan:

On 20.01.2023 at 15:04, Wietse Venema wrote:

natan:

Hi
I try to run "backup" transport maps like:

smtpd_sender_login_maps =
#first-main database
  proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
#second-backup
  proxy:mysql:/etc/postfix/mysql_sender_login_maps-backup.cf

Both databases are the same because they are synchronized (Galera
cluster) but the first is on other machines and the second is local
(database ~150MB)

I am thinking of such a solution as if there was a problem with the
connection to the main database.

does this solution make sense?

Postfix does not know that the two databases are identical, and
therefore it must assume that the databases can return different
results. When databases can produce different results, skipping
a database can produce an incorrect result.

For correctness reasons, Postfix must stop when a database fails
to produce a result, and it must not skip to the next database.

Right. That would make a double query like
1)cannot find user in first go to second

Yes. The first database produces a reply (not found).


2)cannot connect first go to second

No. Here the database produces no reply, and Postfix cannot know
that the two databases are identical, therefore it must not skip
the non-responding database.

That is the difference with a load balancer. A load balancer knows
that its backends provide an identical service. If you need fast
fail over from one database mirror to another, use a load balancer.
I don't think that it would be a good idea to build a database load
balancer into Postfix.

Wietse


--



sender_login_mismatch

2023-01-23 Thread natan

Hi
I need to set reject_sender_login_mismatch on one server to warn only in 
logs and let the message through?


Is it possible ?

I know it's not supposed to do this but it needs a couple of hours.
--



Re: backop-transport maps

2023-01-20 Thread natan

On 20.01.2023 at 15:04, Wietse Venema wrote:

natan:

Hi
I try to run "backup" transport maps like:

smtpd_sender_login_maps =
#first-main database
 proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
#second-backup
 proxy:mysql:/etc/postfix/mysql_sender_login_maps-backup.cf

Both databases are the same because they are synchronized (Galera
cluster) but the first is on other machines and the second is local
(database ~150MB)

I am thinking of such a solution as if there was a problem with the
connection to the main database.

does this solution make sense?

Postfix does not know that the two databases are identical, and
therefore it must assume that the databases can return different
results. When databases can produce different results, skipping
a database can produce an incorrect result.

For correctness reasons, Postfix must stop when a database fails
to produce a result, and it must not skip to the next database.

Right. That would make a double query like
1)cannot find user in first go to second
2)cannot connect first go to second

If found in first database go back
This would all be fine if the database was synchronized (mysql galera 
watches over it) but sometimes double query.





Or maybe use local haproxy?

Yes, if you have haproxy tests that validate the database response,
i.e. the database produces the expected answer for a specific query.
Merely making a TCP connection is not sufficient.

Thinking about
server galera01 10.10.10.10:3306
server galera02 127.0.0.1:3306 backup

and special check database


Wietse

Why I ask. Because I had a problem once like scenario:

1) There was a problem with the network connection to the database 
(problem with the switch)

2) Postfix cannot connect to mysql - that is obvious
3) the problem with the switch was fixed (1m)
4) some old processes can't connect to mysql - newer connections didn't have 
this problem

As if postfix wouldn't reconnect itself - after some time all works fine

And I would like to eliminate it

I use proxy:mysql:/etc/postfix/mysql_maps everywhere.

--
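Wietse's point that the haproxy check must validate the database answer rather than just the TCP connect: an added example (not code from the thread, Postfix, haproxy or Galera) of a small HTTP health responder for the `option httpchk` / `check port 9200` lines in natan's haproxy config. It reports 200 only when the node says it is a synced Galera member (`wsrep_local_state` = 4, the Galera status variable) and when a probe query that mirrors one of the real Postfix map queries returns the expected row; any error, including a timeout, yields 503 so haproxy takes the node out of rotation. Assumptions: the mysql client finds its credentials in ~/.my.cnf, and `PROBE_SQL` with its sentinel row is a placeholder to be replaced by one of your own mysql_*.cf queries.

```python
import http.server
import subprocess
from typing import Callable, Sequence, Tuple

WSREP_SYNCED = "4"  # wsrep_local_state value a Galera node reports when Synced

# Assumption: a probe that mirrors one of the real Postfix map queries against a
# fixed sentinel row; table and column names are placeholders for your schema.
PROBE_SQL = "SELECT 1 FROM mailbox WHERE username = 'haproxy-probe@example.invalid'"
PROBE_EXPECT: Tuple[Tuple[str, ...], ...] = (("1",),)

QueryFn = Callable[[str], Sequence[Sequence[str]]]


def node_is_usable(run_query: QueryFn, probe_sql: str = PROBE_SQL,
                   probe_expect=PROBE_EXPECT) -> Tuple[bool, str]:
    """Decide whether haproxy may route Postfix lookups to this node.

    A successful TCP connect is not enough: the node has to be a synced
    cluster member AND return the expected rows for a real lookup query.
    Any exception (refused, timeout, auth failure) counts as "down".
    """
    try:
        status = dict(run_query("SHOW STATUS LIKE 'wsrep_local_state'"))
        probe = tuple(tuple(row) for row in run_query(probe_sql))
    except Exception as exc:
        return False, f"query failed: {exc}"
    state = status.get("wsrep_local_state")
    if state != WSREP_SYNCED:
        return False, f"wsrep_local_state={state!r}, want {WSREP_SYNCED}"
    if probe != tuple(probe_expect):
        return False, f"probe returned {probe!r}, want {tuple(probe_expect)!r}"
    return True, "synced and probe query answered as expected"


def mysql_cli_query(sql: str) -> Sequence[Sequence[str]]:
    """Run SQL through the mysql client (credentials from ~/.my.cnf).

    -N drops the column-name header line, -B gives tab-separated batch output.
    """
    result = subprocess.run(["mysql", "-N", "-B", "-e", sql], check=True,
                            capture_output=True, text=True, timeout=5)
    return [tuple(line.split("\t")) for line in result.stdout.splitlines()]


def health_response(run_query: QueryFn) -> Tuple[int, str]:
    """HTTP status and body for haproxy: 200 = usable, 503 = out of rotation."""
    ok, reason = node_is_usable(run_query)
    return (200 if ok else 503), reason


class CheckHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        code, reason = health_response(mysql_cli_query)
        body = reason.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_OPTIONS = do_GET  # "option httpchk" with no arguments sends OPTIONS /

    def log_message(self, *args) -> None:  # keep the frequent probes out of the log
        pass


if __name__ == "__main__":
    # Matches "option httpchk" + "check port 9200" in the haproxy config above.
    http.server.HTTPServer(("0.0.0.0", 9200), CheckHandler).serve_forever()
```

Run one instance per database node (not on the Postfix host) so that `server sql2 ... check port 9200` asks sql2 about itself; a node that is a donor or joiner, or one whose map table is missing the sentinel row, then drops out before Postfix sees lookup errors.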



backop-transport maps

2023-01-20 Thread natan

Hi
I try to run "backup" transport maps like:

smtpd_sender_login_maps =
#first-main database
   proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
#second-backup
   proxy:mysql:/etc/postfix/mysql_sender_login_maps-backup.cf

Both databases are the same because they are synchronized (Galera 
cluster) but the first is on other machines and the second is local 
(database ~150MB)


I am thinking of such a solution as if there was a problem with the 
connection to the main database.


does this solution make sense?

Or maybe use local haproxy?
--



Re: block domain

2023-01-16 Thread natan

Hi
I mean

/etc/postfix/sender_checks.pcre
...
/emailll\.org/  DISCARD Too many fake spam2
/surdeu\.de/  DISCARD Too many fake spam
...

On 16.01.2023 at 11:03, natan wrote:

Hi
Is there any chance to reject a domain (incoming) via postscreen?

I get many e-mails from one domain (from different IPs)

NOQUEUE: discard: RCPT from 
vc-gp-n-105-244-68-222.umts.vodacom.co.za[105.244.68.222]: 
: Sender address Too many fake spam; 
from= to= proto=ESMTP 
helo=


I reject in

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
.

/etc/postfix/sender_checks.pcre
...
/emailll\.org/  DISCARD Too many fake spam2
...

Is there a faster method? I'm thinking about postscreen.
--



--



block domain

2023-01-16 Thread natan

Hi
Is there any chance to reject a domain (incoming) via postscreen?

I get many e-mails from one domain (from different IPs)

NOQUEUE: discard: RCPT from 
vc-gp-n-105-244-68-222.umts.vodacom.co.za[105.244.68.222]: 
: Sender address Too many fake spam; 
from= to= proto=ESMTP 
helo=


I reject in

smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access pcre:/etc/postfix/sender_checks.pcre
.

/etc/postfix/sender_checks.pcre
...
/emailll\.org/  DISCARD Too many fake spam2
...

Is there a faster method? I'm thinking about postscreen.
--



postfix+tansport relay

2022-11-21 Thread natan

Hi
I have a postfix (for outgoing) and I have many vusers and vdomains (in 
mysql)


It works fine, but one of my clients has an external spam filter (like 
barracuda/sophos/others) and I need to filter all his outgoing e-mail 
(only one client vdomain or two vdomains)


I'm thinking:

cat /etc/postfix/senders.pcre
/vdomain1.com/ relay:[smtp.private.fileter.barracuda]
/cdomain2.com/ relay:[smtp2.private.fileter.sophos]

main.cf
transport_maps = regexp:/etc/postfix/senders.pcre

Is this correct?

Or maybe hash is better?
--



error_limit

2022-09-02 Thread natan

Hi
I have one specific question

In main.cf I have:
...
smtpd_hard_error_limit = 5
smtpd_soft_error_limit = 2
...

Is it possible to change the *_error_limit numbers for one IP?


--



Re: master_wakeup_timer_event problem

2022-06-23 Thread natan

On 23.06.2022 at 15:00, Wietse Venema wrote:

natan:

On 23.06.2022 at 13:37, Wietse Venema wrote:

natan:

Hi
I found in logs:

Jun 23 10:08:54 mx4 postfix/master[4540]: warning:
master_wakeup_timer_event: service qmgr(public/qmgr): Resource
temporarily unavailable

Your operating system kernel is running out of resources. You need
a better computer.

Why a better computer? This is a PowerEdge R630, 256 RAM and 55 x 2.40GHz
with load ~0,86

Because your operating system kernel returns a "Resource temporarily
unavailable" error.

It is also possible that it returns "Resource temporarily unavailable"
because Postfix has used up all the available sockets.

In that case, reduce Postfix process limits (main.cf:default_process_limit
and in master.cf) by 2x and do "postfix reload" until the error goes away.

Wietse

I get one time and change:
main.cf - default_process_limit
master.cf - smtpd maxproc
--



Re: master_wakeup_timer_event problem

2022-06-23 Thread natan

On 23.06.2022 at 13:37, Wietse Venema wrote:

natan:

Hi
I found in logs:

Jun 23 10:08:54 mx4 postfix/master[4540]: warning:
master_wakeup_timer_event: service qmgr(public/qmgr): Resource
temporarily unavailable

Your operating system kernel is running out of resources. You need
a better computer.
Why a better computer? This is a PowerEdge R630, 256 RAM and 55 x 2.40GHz 
with load ~0,86


20462 ?    Ss 0:31 /usr/lib/postfix/sbin/master

cat /proc/20462/limits
Limit Soft Limit   Hard Limit Units
Max cpu time  unlimited    unlimited seconds
Max file size unlimited    unlimited bytes
Max data size unlimited    unlimited bytes
Max stack size    8388608  unlimited bytes
Max core file size    0    unlimited bytes
Max resident set  unlimited    unlimited bytes
Max processes 515277   515277 processes
Max open files    12000    12000 files
Max locked memory 65536    65536 bytes
Max address space unlimited    unlimited bytes
Max file locks    unlimited    unlimited locks
Max pending signals   515277   515277 signals
Max msgqueue size 819200   819200 bytes
Max nice priority 0    0
Max realtime priority 0    0
Max realtime timeout  unlimited    unlimited us

debian9



But I don't know what this problem is caused by

master.cf
...
qmgr  unix  n   -   n   300 1   qmgr
...

I found in net to change:

...

qmgr fifo n - n 1 1 qmgr

But I don't know if it makes sense

That just made the problem 300 times worse.

My bad I mean:

qmgr  fifo  n   -   n   300 1   qmgr


Wietse


--



master_wakeup_timer_event problem

2022-06-23 Thread natan

Hi
I found in logs:

Jun 23 10:08:54 mx4 postfix/master[4540]: warning: 
master_wakeup_timer_event: service qmgr(public/qmgr): Resource 
temporarily unavailable


But I don't know what this problem is caused by

master.cf
smtp  inet  n   -   -   -   1   postscreen
smtpd pass  -   -   -   -   900   smtpd -o 
receive_override_options=no_address_mappings

dnsblog   unix  -   -   -   -   0   dnsblog
tlsproxy  unix  -   -   -   -   0   tlsproxy
...
pickup unix  n   -   y   60  1   pickup
qmgr  unix  n   -   n   300 1   qmgr
...

I found in net to change:

pickup fifo n - n 60 1 pickup
qmgr fifo n - n 1 1 qmgr

But I don't know if it makes sense


--



Re: limit recipients

2022-05-31 Thread natan

On 31.05.2022 at 17:17, Viktor Dukhovni wrote:

On Tue, May 31, 2022 at 04:52:58PM +0200, natan wrote:


lmtp_destination_concurrency_limit = 100
lmtp_destination_recipient_limit = 1
virtual_transport = lmtp:inet:10.xxx.xxx.5:24

Why do you have "lmtp_destination_recipient_limit = 1", that's a really
bad idea.  Set it to 100 or even 1000 (if Dovecot won't object), and all
will be well.

I do not remember exactly, but some time ago I changed from the default to 1 
because I had some problems with the queue and delivery time, and that 
solved the problems


I have postfix+dovecot cluster+external amavis
--



Re: limit recipients

2022-05-31 Thread natan

On 31.05.2022 at 16:41, Viktor Dukhovni wrote:

On Tue, May 31, 2022 at 03:28:30PM +0200, natan wrote:


I have separate servers for outgoing and incoming e-mail, like

One user who has many alias groups like:

1)alias...@domain1.ltd - 500 recipients
2)alias...@domain1.ltd - 500 recipients
3)alias...@domain1.ltd - 500 recipients
4)alias...@domain1.ltd - 500 recipients

(all recipients are in domain domain1.ltd)

and the user sends 1 email with 4 x To:
alias...@domain.ltd
alias...@domain.ltd
alias...@domain.ltd
alias...@domain.ltd

The question to ask is how you've configured delivery to Dovecot.
With LMTP you should be able to deliver many recipients in one
go, with just a small number of processes need to complete all
the deliveries.

Please post the details of the address class for the recipient
domain, and what transports are used to perform delivery.

Full (unmunged, with line folds preserved) "postconf -nf" and
"postconf -Mf" would be very useful.




smtp   inet  n   -   -   -   1   postscreen
smtpd  pass  -   -   -   -   850 smtpd
    -o receive_override_options=no_address_mappings
dnsblog    unix  -   -   -   -   0   dnsblog
tlsproxy   unix  -   -   -   -   0   tlsproxy
pickup unix  n   -   y   60  1   pickup
cleanup    unix  n   -   y   -   0   cleanup
qmgr   unix  n   -   n   300 1   qmgr
tlsmgr unix  -   -   y   1000?   1   tlsmgr
rewrite    unix  -   -   y   -   - trivial-rewrite
bounce unix  -   -   y   -   0   bounce
defer  unix  -   -   y   -   0   bounce
trace  unix  -   -   y   -   0   bounce
verify unix  -   -   y   -   1   verify
flush  unix  n   -   y   1000?   0   flush
proxymap   unix  -   -   n   -   -   proxymap
proxywrite unix  -   -   n   -   1   proxymap
smtp   unix  -   -   y   -   -   smtp
relay  unix  -   -   y   -   -   smtp
showq  unix  n   -   y   -   -   showq
error  unix  -   -   y   -   -   error
retry  unix  -   -   y   -   -   error
discard    unix  -   -   y   -   -   discard
local  unix  -   n   n   -   -   local
virtual    unix  -   n   n   -   -   virtual
lmtp   unix  -   -   y   -   -   lmtp
anvil  unix  -   -   y   -   1   anvil
scache unix  -   -   y   -   1   scache
maildrop   unix  -   n   n   -   -   pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp   unix  -   n   n   -   -   pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix  -   n   n   -   -   pipe flags=F 
user=ftn

    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp  unix  -   n   n   -   -   pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n   n   -   2   pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -   n   n   -   -   pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}

smtp-amavis unix -   -   -   -   165 smtp
    -o smtp_data_done_timeout=900s
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=155
10.xxx.xxx.5:10025 inet n  -   n   -   -   smtpd
    -o content_filter=
    -o recipient_delimiter=+
    -o mynetworks_style=host
    -o mynetworks=10.xxx.xxx.0/24
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o 
receive_override_options=no_header_body_checks,no_unknown_recipient_checks


xxx.xxx.xxx.199:10027 inet n -    n   -   450 smtpd
    -o smtpd_proxy_timeout=900s
    -o content_filter=
    -o mynetworks_style=host
    -o mynetworks=10.xxx.xxx.0/24
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o str

Re: limit recipients

2022-05-31 Thread natan

On 31.05.2022 at 15:44, Wietse Venema wrote:

natan:

Hi
I have separate servers for outgoing and incoming e-mail, like

One user who has many alias groups like:

1)alias...@domain1.ltd - 500 recipients
2)alias...@domain1.ltd - 500 recipients
3)alias...@domain1.ltd - 500 recipients
4)alias...@domain1.ltd - 500 recipients

(all recipients are in domain domain1.ltd)

and the user sends 1 email with 4 x To:
alias...@domain.ltd
alias...@domain.ltd
alias...@domain.ltd
alias...@domain.ltd


Yes, I know it is too many, but the web panel allows 500 recipients (sic)

Is there any method to slow down that delivery or limit that user?
I'm thinking about postfwd - but I don't know what restrictions to create

Any idea ?

May 31 14:06:39 MX4 dovecot: master: Warning: service(lmtp):
process_limit (800) reached, client connections are being dropped
May 31 14:06:40 MX4 dovecot: master: Warning: service(lmtp):
process_limit (800) reached, client connections are being dropped

In master.cf reduce the number of Postfix processes that deliver to
Dovecot, and do "postfix reload"; or increase the process limits
in Dovecot, if your hardware can handle that.

Wietse
Increasing the process limits in the dovecot cluster is a workaround (temporary) 
solution

I'm thinking about restrictions like:

If in one e-mail there is alias1g1 and alias2g2 then REJECT "not welcome"
--



limit recipients

2022-05-31 Thread natan

Hi
I have separate servers for outgoing and incoming e-mail, like

One user who has many alias groups like:

1)alias...@domain1.ltd - 500 recipients
2)alias...@domain1.ltd - 500 recipients
3)alias...@domain1.ltd - 500 recipients
4)alias...@domain1.ltd - 500 recipients

(all recipients are in domain domain1.ltd)

and the user sends 1 email with 4 x To:
alias...@domain.ltd
alias...@domain.ltd
alias...@domain.ltd
alias...@domain.ltd


Yes, I know it is too many, but the web panel allows 500 recipients (sic)

Is there any method to slow down that delivery or limit that user?
I'm thinking about postfwd - but I don't know what restrictions to create

Any idea ?

May 31 14:06:39 MX4 dovecot: master: Warning: service(lmtp): 
process_limit (800) reached, client connections are being dropped
May 31 14:06:40 MX4 dovecot: master: Warning: service(lmtp): 
process_limit (800) reached, client connections are being dropped



--



Re: First world problem ...

2022-05-16 Thread natan

On 16.05.2022 at 15:51, Matus UHLAR - fantomas wrote:

On 16.05.2022 at 15:14, Matus UHLAR - fantomas wrote:

Any idea to whitelist?


On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas 
 wrote:
perhaps the null address at outgoing server, so you don't reject 
your own bounces



On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the 
outbound MTA.


On 16.05.22 14:52, natan wrote:
Maybe a smart loop, if-then? But I do not know if it is not 
overcomplicated and what it would look like


please explain more deeply what do your inbound and outbound 
mailservers exactly do.


perhaps explain, how did e-mail 4L1w1y6WBVz1DDmK enter your mailserver
- if you could block it the way in, you wouldn't have to generate 
bounce.


I guessed your incoming server is used as MX, and outgoing server 
for outbound e-mail from your clients.


On 16.05.22 15:33, natan wrote:

1) I send email from my outgoing server smtp xxx.xxx.xxx.220



Log from server smtp xxx.xxx.xxx.220:


May 16 12:08:38 smtp1 postfix/submission/smtpd[18768]: 
4L1w1y5FpXz6c1M: client=unknown[xxx.xxx.xxx.60], sasl_method=LOGIN, 
sasl_username=na...@domain.ltd
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: 
warning: header Subject: alakot from unknown[xxx.xxx.xxx.60]; 
from= to= proto=ESMTP helo=
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: 
message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: 
from=, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: 
to=, relay=delay=0.18, delays=0.11/0/0.04/0.03, dsn=5.7.1, status=bounced (host 
mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in 
reply to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender 
non-delivery notification: 4L1w1y6Yk6z6c0l

May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: removed


so, it's as Viktor said - your outgoing server accepted mail from you 
to you, and your incoming server first refused to accept mail from 
your incoming server, then it refused to accept the bounce, both 
for the same reason.


You can filter such mail on your outgoing server, so you don't accept 
something you can't deliver.



Or, you can whitelist mail from your outgoing server with null 
envelope on your incoming server, so you know what was refused.
... this should be safe if you don't accept or forward such mail to 
outside hosts.


Are you aware that body_checks is very lightweight compared to e.g. spam 
and virus filtering?



Yes, I know, I understand it, but it is more complicated.

example:
1) I get "targeted spam" where the body contains a "fake link"
2) I block this in body_checks - works perfectly (fastest)
3) Before I blocked it, some emails passed
4) My user sends me "a spam sample" and I don't get it

maybe a really good idea is to block that on the outgoing server with REJECT bla bla
--



Re: First world problem ...

2022-05-16 Thread natan

On 16.05.2022 at 15:14, Matus UHLAR - fantomas wrote:

Any idea to whitelist?


On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:
perhaps the null address at outgoing server, so you don't reject 
your own bounces



On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the 
outbound MTA.


On 16.05.22 14:52, natan wrote:
Maybe a smart 'if then' loop? But I do not know if it is not 
overcomplicated, and what it would look like.


please explain more deeply what your inbound and outbound 
mailservers exactly do.


perhaps explain how e-mail 4L1w1y6WBVz1DDmK entered your mailserver;
if you could block it on the way in, you wouldn't have to generate a bounce.

I guessed your incoming server is used as MX, and outgoing server for 
outbound e-mail from your clients.




1) I send email from my outgoing server smtp xxx.xxx.xxx.220
2) the e-mail was delivered to my MX-node1 (external server)

Log from server MX xxx.xxx.xxx.4:
May 16 12:08:38 MX-node1 postfix/smtpd[56703]: 4L1w1y6WBVz1DDmK: 
client=smtp [xxx.xxx.xxx.220]
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
warning: header Subject: alakot from smtp[xxx.xxx.xxx.220]; 
from= to= proto=ESMTP helo=
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
reject: body alakot from smtp[xxx.xxx.xxx.220]; from= 
to= proto=ESMTP helo=: 5.7.1 spam2bok bla bla


Log from server smtp xxx.xxx.xxx.220:
May 16 12:08:38 smtp1 postfix/submission/smtpd[18768]: 4L1w1y5FpXz6c1M: 
client=unknown[xxx.xxx.xxx.60], sasl_method=LOGIN, 
sasl_username=na...@domain.ltd
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: warning: 
header Subject: alakot from unknown[xxx.xxx.xxx.60]; 
from= to= proto=ESMTP helo=
May 16 12:08:38 smtp1 postfix/cleanup[4182]: 4L1w1y5FpXz6c1M: 
message-id=<6eb63dcd4d1732c33ca530cbae194...@domain.ltd>
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: 
from=, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: 
to=, relay=delay=0.18, delays=0.11/0/0.04/0.03, dsn=5.7.1, status=bounced (host 
mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in reply 
to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender 
non-delivery notification: 4L1w1y6Yk6z6c0l

May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: removed


May 16 12:08:38 smtp1 postfix/cleanup[43380]: 4L1w1y6Yk6z6c0l: 
message-id=<4L1w1y6Yk6z6c0l@smtp>
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender 
non-delivery notification: 4L1w1y6Yk6z6c0l
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: from=<>, 
size=3342, nrcpt=1 (queue active)
May 16 12:08:39 smtp1 postfix/smtp/smtp[36560]: 4L1w1y6Yk6z6c0l: 
to=, relay=mx.domain.ltd[xxx.xxx.xxx.4]:25, 
delay=0.22, delays=0/0/0.05/0.17, dsn=5.7.1, status=bounced (host 
mx.domain.ltd[xxx.xxx.xxx.4] said: 550 5.7.1 spam2bok bla bla (in reply 
to end of DATA command))

May 16 12:08:39 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: removed
--
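
The chain Matus describes above (the MX rejects the original, then rejects the DSN for it for the same reason, so the sender never sees a Mailer-Daemon message) can be spotted in the outgoing server's log by following the "sender non-delivery notification" line from the original queue ID to the bounce's queue ID. The script below is an added example, not code from the thread; the log it parses is a constructed sample modelled on the smtp1 log above, with placeholder addresses and relay hosts, and made-up queue IDs for a second, normally accepted bounce.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the smtp1 (outgoing server) log in this thread.
# The first chain reuses the thread's queue IDs; addresses, relay hosts and the
# second chain (a DSN that is accepted normally) are made up.
SAMPLE_LOG = """\
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: from=<natan@domain.ltd>, size=1270, nrcpt=1 (queue active)
May 16 12:08:38 smtp1 postfix/smtp/smtp[36552]: 4L1w1y5FpXz6c1M: to=<natan@domain.ltd>, relay=mx.domain.ltd[192.0.2.4]:25, delay=0.18, delays=0.11/0/0.04/0.03, dsn=5.7.1, status=bounced (host mx.domain.ltd[192.0.2.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:08:38 smtp1 postfix/bounce[3725]: 4L1w1y5FpXz6c1M: sender non-delivery notification: 4L1w1y6Yk6z6c0l
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y5FpXz6c1M: removed
May 16 12:08:38 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: from=<>, size=3342, nrcpt=1 (queue active)
May 16 12:08:39 smtp1 postfix/smtp/smtp[36560]: 4L1w1y6Yk6z6c0l: to=<natan@domain.ltd>, relay=mx.domain.ltd[192.0.2.4]:25, delay=0.22, delays=0/0/0.05/0.17, dsn=5.7.1, status=bounced (host mx.domain.ltd[192.0.2.4] said: 550 5.7.1 spam2bok bla bla (in reply to end of DATA command))
May 16 12:08:39 smtp1 postfix/qmgr[33961]: 4L1w1y6Yk6z6c0l: removed
May 16 12:10:02 smtp1 postfix/qmgr[33961]: 4L1w2Z3bcdz6c1N: from=<natan@domain.ltd>, size=900, nrcpt=1 (queue active)
May 16 12:10:02 smtp1 postfix/smtp/smtp[36552]: 4L1w2Z3bcdz6c1N: to=<nobody@example.net>, relay=mx.example.net[203.0.113.7]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=5.1.1, status=bounced (host mx.example.net[203.0.113.7] said: 550 5.1.1 user unknown (in reply to RCPT TO command))
May 16 12:10:02 smtp1 postfix/bounce[3725]: 4L1w2Z3bcdz6c1N: sender non-delivery notification: 4L1w2Z4fghz6c0m
May 16 12:10:03 smtp1 postfix/qmgr[33961]: 4L1w2Z4fghz6c0m: from=<>, size=2000, nrcpt=1 (queue active)
May 16 12:10:03 smtp1 postfix/smtp/smtp[36560]: 4L1w2Z4fghz6c0m: to=<natan@domain.ltd>, relay=mx.domain.ltd[192.0.2.4]:25, delay=0.2, delays=0/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4L1w2Z5jklz1DDmQ)
"""

QID = r"(?P<qid>[0-9A-Za-z]+)"
RE_FROM = re.compile(rf"postfix/qmgr\[\d+\]: {QID}: from=<(?P<sender>[^>]*)>")
RE_DSN = re.compile(rf"postfix/bounce\[\d+\]: {QID}: sender non-delivery notification: (?P<bounce_qid>[0-9A-Za-z]+)")
RE_DELIVERY = re.compile(
    rf"postfix/\S+\[\d+\]: {QID}: to=<(?P<rcpt>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$"
)


@dataclass
class Message:
    qid: str
    sender: str | None = None        # envelope sender; "" is the null sender <>
    bounce_qid: str | None = None    # queue ID of the DSN Postfix generated for this message
    deliveries: list[tuple] = field(default_factory=list)  # (rcpt, dsn, status, detail)


def parse_log(text: str) -> dict[str, Message]:
    """Index the log by queue ID: sender, delivery attempts, and the link from an
    original message to the non-delivery notification it caused."""
    messages: dict[str, Message] = {}

    def msg(qid: str) -> Message:
        return messages.setdefault(qid, Message(qid))

    for line in text.splitlines():
        if m := RE_FROM.search(line):
            msg(m["qid"]).sender = m["sender"]
        elif m := RE_DSN.search(line):
            msg(m["qid"]).bounce_qid = m["bounce_qid"]
        elif m := RE_DELIVERY.search(line):
            msg(m["qid"]).deliveries.append((m["rcpt"], m["dsn"], m["status"], m["detail"]))
    return messages


def find_lost_bounces(messages: dict[str, Message]) -> list[dict]:
    """Find DSNs (null sender) that the destination rejected. Postfix does not send
    a bounce for a failed bounce back to the null sender, so the original sender
    never receives a Mailer-Daemon message. same_reason is True when the DSN failed
    with the same enhanced status code as the original, the signature of a body
    check matching the original message quoted inside the DSN."""
    lost = []
    for original in messages.values():
        bounce = messages.get(original.bounce_qid or "")
        if bounce is None or bounce.sender != "":
            continue
        orig_fail = [d for d in original.deliveries if d[2] == "bounced"]
        bounce_fail = [d for d in bounce.deliveries if d[2] == "bounced"]
        if orig_fail and bounce_fail:
            lost.append({
                "original": original.qid,
                "bounce": bounce.qid,
                "bounce_rejected_with": bounce_fail[0][3],
                "same_reason": orig_fail[0][1] == bounce_fail[0][1],
            })
    return lost


if __name__ == "__main__":
    for hit in find_lost_bounces(parse_log(SAMPLE_LOG)):
        reason = "same reason" if hit["same_reason"] else "other reason"
        print(f"{hit['original']}: DSN {hit['bounce']} rejected ({reason}): "
              f"{hit['bounce_rejected_with']}")
```

Run against a real mail.log (`parse_log(open("/var/log/mail.log").read())`), every hit is a sender who was silently left without a non-delivery notice.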



Re: First world problem ...

2022-05-16 Thread natan

On 16.05.2022 at 14:46, Viktor Dukhovni wrote:

On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote:


Any idea to whitelist?

perhaps the null address at outgoing server, so you don't reject your own 
bounces

No.  Better to apply the reject rule only on the inbound side, where
it should only lead to bounces on remote systems.

The OP's own systems should be sending outbound mail via the outbound MTA.

Maybe a smart 'if then' loop? But I do not know if it is not 
overcomplicated, and what it would look like.

--



Re: First world problem ...

2022-05-16 Thread natan

On 16.05.2022 at 13:10, Wietse Venema wrote:

natan:

Hi
I have a probably trivial problem, but I cannot resolve it

I have two servers
1) for outgoing
2) for incoming (typical MX)

For a test I created body_checks.pcre on the incoming server:
/alakot/ REJECT spam2bok bla bla

If I send e-mail from an external provider (Gmail, Yahoo) I get info from
Mailer-Daemon about the REJECT - works fine,
but if I send from my domain I don't get a Mailer-Daemon message:

May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK:
reject: body alakot from smtp[xxx.xxx.xxx.xxx];
from= to= proto=ESMTP
helo=: 5.7.1 spam2bok bla bla
May 16 12:08:39 Mx1-node1 postfix/cleanup[45282]: 4L1w1z0zmpz1DDmn:
reject: body alakot from smtp[xxx.xxx.xxx.]; from=<>
to= proto=ESMTP helo=: 5.7.1 spam2bok
bla bla

Is this correct because body_checks checks a "second time" when the incoming mail returns?

Any idea to whitelist?

You included no "postconf -n" settings, so I will waste some bandwidth
with random text.

Wietse

internal_mail_filter_classes (default: empty)
What  categories  of Postfix-generated mail are subject to before-queue
content inspection by non_smtpd_milters, HEADER_CHECKS and body_checks.
Specify  zero  or  more  of  the  following, separated by whitespace or
comma.

bounce Inspect the content of delivery status notifications.

notify Inspect the content of postmaster notifications by  the  smtp(8)
   and smtpd(8) processes.

NOTE: It's generally not safe to enable content inspection of
Postfix-generated email messages. The user is warned.

This feature is available in Postfix 2.3 and later.


sorry

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 5h
broken_sasl_auth_clients = yes
compatibility_level = 2
default_destination_concurrency_limit = 100
default_destination_recipient_limit = 100
default_process_limit = 850
delay_warning_time = 0h
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_concurrency_limit = 100
lmtp_destination_recipient_limit = 1
lpolicyd = check_policy_service { unix:private/policyd-lemat3, 
timeout=4s, default_action=DUNNO }

mailbox_size_limit = 0
max_idle = 1200s
max_use = 150
maximal_queue_lifetime = 24h
message_size_limit = 146800640
myhostname = mx-node1.domain.ltd
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32
myorigin = /etc/mailname
policy-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks 
cidr:/etc/postfix/postscreen_access.cidr 
cidr:/etc/postfix/postscreen_spf_whitelist.cidr

postscreen_blacklist_action = ignore
proxy_read_maps = $canonical_maps $lmtp_generic_maps 
$local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps 
$recipient_canonical_maps $relay_domains $relay_recipient_maps 
$relocated_maps $sender_bcc_maps $sender_canonical_maps 
$smtp_generic_maps $smtpd_sender_login_maps $transport_maps 
$virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains 
$virtual_mailbox_maps $smtpd_sender_restrictions 
$sender_dependent_relayhost_maps 
proxy:mysql:/etc/postfix/mysql_whitelist_recipient.cf

readme_directory = no
recipient_delimiter = +
smtp-amavis_destination_recipient_limit = 1
smtp_connection_reuse_time_limit = 400s
smtp_data_done_timeout = 1600s
smtp_rcpt_timeout = 900s
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 200
smtpd_client_restrictions = check_client_access 
cidr:/etc/postfix/client_checks, check_client_access 
cidr:/etc/postfix/amavis_bypass, reject_unauth_pipelining, permit
smtpd_data_restrictions = check_policy_service { inet:127.0.0.1:10040 
timeout=2s, default_action=DUNNO } reject_unauth_pipelining, 
reject_multi_recipient_bounce, permit

smtpd_enforce_tls = no
smtpd_hard_error_limit = 50
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access 
pcre:/etc/postfix/helo_access.pcre reject_unauth_pipelining, 
reject_invalid_helo_hostname reject_non_fqdn_helo_hostname 
reject_unknown_helo_hostname

smtpd_proxy_timeout = 240s
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/bad_recipients, reject_unauth_pipelining, 
reject_non_fqdn_recipient, reject_unknown_sender_domain, 
reject_unknown_recipient_domain, permit_mynetworks, 
permit_sasl_authenticated, check_client_access 
hash:/etc/postfix/whitelista, reject_unauth_destination, lpolicyd, 
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, 
check_recipient_access mysql:/etc/postfix/mysql_whitelist_recipient.cf

First world problem ...

2022-05-16 Thread natan

Hi
I have a probably trivial problem, but I cannot resolve it

I have two servers
1) for outgoing
2) for incoming (typical MX)

For a test I created body_checks.pcre on the incoming server:
/alakot/ REJECT spam2bok bla bla

If I send e-mail from an external provider (Gmail, Yahoo) I get info from 
Mailer-Daemon about the REJECT - works fine,

but if I send from my domain I don't get a Mailer-Daemon message:

May 16 12:08:38 MX-node1 postfix/cleanup[45210]: 4L1w1y6WBVz1DDmK: 
reject: body alakot from smtp[xxx.xxx.xxx.xxx]; 
from= to= proto=ESMTP 
helo=: 5.7.1 spam2bok bla bla
May 16 12:08:39 Mx1-node1 postfix/cleanup[45282]: 4L1w1z0zmpz1DDmn: 
reject: body alakot from smtp[xxx.xxx.xxx.]; from=<> 
to= proto=ESMTP helo=: 5.7.1 spam2bok 
bla bla


Is this correct because body_checks checks a "second time" when the incoming mail returns?

Any idea to whitelist?

--



Re: sending amount settings

2022-04-29 Thread natan

Hi
Postfix can't limit per user/domain - try workaround solutions for 
limiting sender/incoming/others:


postfwd - https://postfwd.org/ratelimits.html
policyd-lemat - https://pp.siedziba.pl/tmp/policyd/policyd.pl
lpolicyd - https://wiki.policyd.org/

On 29.04.2022 at 15:06, al...@coakmail.com wrote:

Hello,

Where can I set the limit for sending amount for a given period? For
instance, a user can send max 200 messages per 24 hours.

Thank you
alice.



--



Re: AW: password security

2022-04-25 Thread natan

Hi
Or use allow_nets (geoip) for dovecot-auth (in mysql) and fail2ban

or
ipset + hashlimit + geoip

or 2FA - it's a bit of fun in the configuration

On 25.04.2022 at 12:44, Ludi Cree wrote:

Hi,


Even if fail2ban is “whack a mole”, you could also feed the data on auth 
spammers to an abuse-compaint script, and do your part to make the internet a 
little cleaner.

And we all know how fabulously well abuse reports have worked with preventing 
spam, don't we !!
As I said. Fail2ban is a waste of time whack-a-mole.  Sure your logs might be 
quieter, but quieter logs do not equal better security!

On a busy gateway fail2ban can easily make the difference between totally 
unusable logs and constant high load from brute-forcers - or very well usable 
logs and low load from brute-forcers.

It must not be mistaken for a security solution. Fail2ban is a measure to 
significantly reduce the noise.

Abuse reports are a different topic. They are useless if brute-forcers use 
facilities friendly to criminals.
Even Gmail does not honor abuse reports, making it the #1 Nigeria spam hosting 
company.

Greets,
Ludi



--



Re: password security

2022-04-25 Thread natan

Hi
Probably fail2ban resolves your problem with brute-force auth

On 25.04.2022 at 09:07, Laura Smith wrote:

--- Original Message ---
On Monday, April 25th, 2022 at 05:26, ミユナ wrote:


Do you know how to stop passwords from being brute-forced for a
mailserver? Do you have any practical guide?


Simple. You've got two options:

a) Use strong passwords (and if you run an automated password changing system, 
enforce strong passwords)

b) Use client-certificate authentication

Stuff like fail2ban is for the lazy. You should be focusing on solving the 
underlying cause of the problem, i.e. using one of the two options above.

The problem with stuff like fail2ban is that you are basically playing 
whack-a-mole.  IP address blocking simply does not work in 2022; attackers have 
too many options (i.e. they can hop between cloud providers, they can use IPv6 
to give them massive ranges to play with, etc.).


--



postfix+amavis

2022-03-30 Thread natan

Hi
It is probably not for this group, but... Maybe someone has such a 
solution and can suggest something?


I have vusers and vdomains, and my working environment (general scheme):
postfix+haproxy (external 2 x amavis) ...

SpamAssassin works fine with individual scores (in mysql), but Amavis will 
overwrite the score with the value it has in amavisd.conf


Is there any method to prevent Amavis from doing this (maybe an alternative 
to Amavis)?


--



Re: master_wakeup_timer_event

2022-01-18 Thread natan
On 18.01.2022 at 16:53, natan wrote:
> On 18.01.2022 at 16:17, Wietse Venema wrote:
>> natan:
>>> Hi
>>> My happiness did not last long
>>>
>>> Jan 18 13:33:22 postfix/master[3581]: warning:
>>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>>> temporarily unavailable
>>>
>>> I'm so confused because I cannot resolve that problem and I don't know
>>> where the problem really is
>> Repeat:
>> Reduce the process limits for "smtp pass" by half.
>> Reduce the default_process_limit by half
>>  (this is used by postscreen to size its connection queues).
>> Execute "postfix reload".
>> Wait for a few hours.
>> Until Postfix stops logging "Resource temporarily unavailable".
>>
>>  Wietse
>>
> master.cf
> smtpd pass  -   -   -   -   150   smtpd -o
> receive_override_options=no_address_mappings
>
> main.cf
> default_process_limit = 200
> --
>
sorry:

master.cf
smtpd pass  -   -   -   -   200   smtpd -o
receive_override_options=no_address_mappings

main.cf
default_process_limit = 200




--



Re: master_wakeup_timer_event

2022-01-18 Thread natan
On 18.01.2022 at 16:17, Wietse Venema wrote:
> natan:
>> Hi
>> My happiness did not last long
>>
>> Jan 18 13:33:22 postfix/master[3581]: warning:
>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>> temporarily unavailable
>>
>> I'm so confused because I cannot resolve that problem and I don't know
>> where the problem really is
> Repeat:
> Reduce the process limits for "smtp pass" by half.
> Reduce the default_process_limit by half
>   (this is used by postscreen to size its connection queues).
> Execute "postfix reload".
> Wait for a few hours.
> Until Postfix stops logging "Resource temporarily unavailable".
>
>   Wietse
>
master.cf
smtpd pass  -   -   -   -   150   smtpd -o
receive_override_options=no_address_mappings

main.cf
default_process_limit = 200
--



Re: master_wakeup_timer_event

2022-01-18 Thread natan
Hi
My happiness did not last long

Jan 18 13:33:22  postfix/master[3581]: warning:
master_wakeup_timer_event: service qmgr(public/qmgr): Resource
temporarily unavailable

I'm so confused because I cannot resolve that problem and I don't know
where the problem really is




On 18.01.2022 at 10:34, natan wrote:
> Hi
> Thanks all :) for a test I changed default_process_limit to 300 and
> changed 190 to 300
>
>
>
> Sent from my Mi MIX 2
> Wietse Venema wrote on 17 Jan 2022 at 18:34:
>
> natan:
> > On 17.01.2022 at 15:58, Wietse Venema wrote:
> > > natan:
> > >> On 14.01.2022 at 22:18, Wietse Venema wrote:
> > >>> natan:
> > >>> Wietse:
> > >>>> Do you know if the problem is a kernel limit or a per-process limit?
> > >>>> Does master have 4096 open files (including network sockets: ip,
> > >>>> unix-domain, etc.).
> > >>> Wietse:
> > >>>> BTW that last one was a trick question: you need a huge number of
> > >>>> services in master.cf to exceed the 4096 limit. The master needs
> > >>>> three sockets for each service with type 'unix' in master.cf;
> > >>>> services with type 'inet' require two sockets plus one socket per
> > >>>> address in inet_interfaces.
> > >>> natan:
> > >>>> "Do you know if the problem is a kernel limit or a per-process limit?"
> > >>>>
> > >>>> I really don't know where the problem is, and how to diagnose this
> > >>>>
> > >>>> I have long thought about a kernel limit, but ... I have no idea
> > > Wietse:
> > >> Were you the person who has a Postfix process limit in the thousands?
> > >> If that is the case, then I suggest that you reduce the Postfix
> > >> process limit to half the number, do "postfix reload", wait for a
> > >> while, and keep reducing the limit to half its value until the
> > >> "resource temporarily unavailable" warnings go away. Also, make
> > >> arrangements for more (and more powerful) servers.
> > > natan:
> > >> I don't know if I am that man with limit thousands
> > >> 
> > >> # postconf -nf
> > > ...
> > >> default_process_limit = 1200
> > >>
> > >> from log:
> > >> Jan 17 10:10:50 thebe4b postfix/postscreen[7103]: warning: cannot
> > >> connect to service private/smtpd: Resource temporarily unavailable
> > > postscreen maintains queues with connections that still need to be
> > > 'tested' (postscreen_pre_queue_limit) and that need to be given to
> > > an smtpd process (postscreen_post_queue_limit).
> > >
> > > Each postscreen queue size is $default_process_limit. Both queues
> > > together add up to 2400 network sockets.
> > >
> > > If you make this amount the same as your internet-facing smtpd
> > > process limits, then postscreen might leave more resources for the
> > > rest of Postfix.
> > >
> > > And then, reduce process limits by half and do "postfix reload",
> > > until the 'Resource temporarily unavailable' message goes away.
> > >
> > >> This is a strong machine where load average: 0,95, 1,19, 2,08
> > > Obviously, it doesn't use much CPU power when it can't create a
> > > UNIX-domain socket.
> > >
> > > Wietse
>
> > #for no scan amavis:
> > 10.0.100.24/32 FILTER smtp:10.0.100.5:10025
> > xxx.xxx.xxx.25/32 FILTER smtp:10.0.100.5:10025
> > #go to amavis cluster
> > 0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628
> > ##
>
> OK, you're switching between after-queue content filters,
> and there is no smtpd_proxy_filter.
>
>
> That leaves the possibility that postscreen is hogging too many
> network sockets.
>
> Reduce the default_process_limit to the same number as your "smtpd
> pass" service (currently, 190). Then do "postfix reload", and wait
> for some time.
>
> While Postfix logs "resource temporarily unavailable":
>     Halve the process limit for the "smtpd pass" SMTP service.
>     Halve the default_process_limit.
>     Do "postfix reload".
>     Wait for some time.
>
> Wietse
>


--


Re: master_wakeup_timer_event

2022-01-18 Thread natan
Hi
Thanks all :) for a test I changed default_process_limit to 300 and changed 190 to 300



Sent from my Mi MIX 2

Wietse Venema wrote on 17 Jan 2022 at 18:34:

natan:
> On 17.01.2022 at 15:58, Wietse Venema wrote:
> > natan:
> >> On 14.01.2022 at 22:18, Wietse Venema wrote:
> >>> natan:
> >>> Wietse:
> >>>> Do you know if the problem is a kernel limit or a per-process limit?
> >>>> Does master have 4096 open files (including network sockets: ip,
> >>>> unix-domain, etc.).
> >>> Wietse:
> >>>> BTW that last one was a trick question: you need a huge number of
> >>>> services in master.cf to exceed the 4096 limit. The master needs
> >>>> three sockets for each service with type 'unix' in master.cf;
> >>>> services with type 'inet' require two sockets plus one socket per
> >>>> address in inet_interfaces.
> >>> natan:
> >>>> "Do you know if the problem is a kernel limit or a per-process limit?"
> >>>>
> >>>> I really don't know where the problem is, and how to diagnose this
> >>>>
> >>>> I have long thought about a kernel limit, but ... I have no idea
> > Wietse:
> >> Were you the person who has a Postfix process limit in the thousands?
> >> If that is the case, then I suggest that you reduce the Postfix
> >> process limit to half the number, do "postfix reload", wait for a
> >> while, and keep reducing the limit to half its value until the
> >> "resource temporarily unavailable" warnings go away. Also, make
> >> arrangements for more (and more powerful) servers.
> > natan:
> >> I don't know if I am that man with limit thousands
> >>  
> >> # postconf -nf
> > ...
> >> default_process_limit = 1200
> >>
> >> from log:
> >> Jan 17 10:10:50 thebe4b postfix/postscreen[7103]: warning: cannot
> >> connect to service private/smtpd: Resource temporarily unavailable
> > postscreen maintains queues with connections that still need to be
> > 'tested' (postscreen_pre_queue_limit) and that need to be given to
> > an smtpd process (postscreen_post_queue_limit).  
> >
> > Each postscreen queue size is $default_process_limit. Both queues
> > together add up to 2400 network sockets.
> >
> > If you make this amount the same as your internet-facing smtpd
> > process limits, then postscreen might leave more resources for the
> > rest of Postfix.
> >
> > And then, reduce process limits by half and do "postfix reload",
> > until the 'Resource temporarily unavailable' message goes away.
> >
> >> This is a strong machine where load average: 0,95, 1,19, 2,08
> > Obviously, it doesn't use much CPU power when it can't create a
> > UNIX-domain socket.
> >
> > 	Wietse

> #for no scan amavis:
> 10.0.100.24/32 FILTER smtp:10.0.100.5:10025
> xxx.xxx.xxx.25/32 FILTER smtp:10.0.100.5:10025
> #go to amavis cluster
> 0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628
> ##

OK, you're switching between after-queue content filters,
and there is no smtpd_proxy_filter.


That leaves the possibility that postscreen is hogging too many
network sockets.

Reduce the default_process_limit to the same number as your "smtpd
pass" service (currently, 190). Then do "postfix reload", and wait
for some time.

While Postfix logs "resource temporarily unavailable":
    Halve the process limit for the "smtpd pass" SMTP service.
    Halve the default_process_limit.
    Do "postfix reload".
    Wait for some time.

	Wietse




Re: master_wakeup_timer_event

2022-01-17 Thread natan
On 17.01.2022 at 15:58, Wietse Venema wrote:
> natan:
>> On 14.01.2022 at 22:18, Wietse Venema wrote:
>>> natan:
>>> Wietse:
>>>> Do you know if the problem is a kernel limit or a per-process limit?
>>>> Does master have 4096 open files (including network sockets: ip,
>>>> unix-domain, etc.).
>>> Wietse:
>>>> BTW that last one was a trick question: you need a huge number of
>>>> services in master.cf to exceed the 4096 limit. The master needs
>>>> three sockets for each service with type 'unix' in master.cf;
>>>> services with type 'inet' require two sockets plus one socket per
>>>> address in inet_interfaces.
>>> natan:
>>>> "Do you know if the problem is a kernel limit or a per-process limit?"
>>>>
>>>> I really don't know where the problem is, and how to diagnose this
>>>>
>>>> I have long thought about a kernel limit, but ... I have no idea
> Wietse:
>> Were you the person who has a Postfix process limit in the thousands?
>> If that is the case, then I suggest that you reduce the Postfix
>> process limit to half the number, do "postfix reload", wait for a
>> while, and keep reducing the limit to half its value until the
>> "resource temporarily unavailable" warnings go away. Also, make
>> arrangements for more (and more powerful) servers.
> natan:
>> I don't know if I am that man with limit thousands
>>  
>> # postconf -nf
> ...
>> default_process_limit = 1200
>>
> I don't see any settings that turn on content_filter or smtpd_proxy_filter,
> but you do have after-filter smtpd processes in master.cf. If your
> after-filter smtpd process limits are too low, then your system
> would die from congestion.
>
>> # postconf -Mf
> ...
>> smtpd  pass  -   -   -   -   190 smtpd
>> -o receive_override_options=no_address_mappings
> ...
>> smtp-amavis unix -   -   -   -   160 smtp
>> -o smtp_data_done_timeout=900s
>> -o smtp_send_xforward_command=yes
>> -o disable_dns_lookups=yes
>>
>> #without amavis
>> 10.0.100.5:10025 inet n  -   n   -   -   smtpd
>> -o content_filter=
> ...
>> #from external amavis
>> xxx.xxx.xxx.199:10027 inet n -n   -   400 smtpd
>> -o smtpd_proxy_timeout=900s
>> -o content_filter=
> ...
>> from log:
>> Jan 17 14:05:05 mailserver postfix/master[55510]: warning:
>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>> temporarily unavailable
>>
>>
>> 14:05:01 CET
>> ps -e |grep smtpd |wc -l
>> 267
>>
>> 14:06:01 CET
>> ps -e |grep smtpd |wc -l
>> 266
>>
>>
>> # cat /var/log/mail.log |grep "Jan 17 10:10:54" |grep postscreen |grep
>> CONN |wc -l
>> 27
>> # cat /var/log/mail.log |grep "Jan 17 14:05:04" |grep postscreen |grep
>> CONN |wc -l
>> 21
>> # cat /var/log/mail.log |grep "Jan 17 14:05:05" |grep postscreen |grep
>> CONN |wc -l
>> 31
>> # cat /var/log/mail.log |grep "Jan 17 14:05:06" |grep postscreen |grep
>> CONN |wc -l
>> 22
>>
>>
>>
>> from log:
>> Jan 17 10:10:50 thebe4b postfix/postscreen[7103]: warning: cannot
>> connect to service private/smtpd: Resource temporarily unavailable
> postscreen maintains queues with connections that still need to be
> 'tested' (postscreen_pre_queue_limit) and that need to be given to
> an smtpd process (postscreen_post_queue_limit).  
>
> Each postscreen queue size is $default_process_limit. Both queues
> together add up to 2400 network sockets.
>
> If you make this amount the same as your internet-facing smtpd
> process limits, then postscreen might leave more resources for the
> rest of Postfix.
>
> And then, reduce process limits by half and do "postfix reload",
> until the 'Resource temporarily unavailable' message goes away.
>
>> This is a strong machine where load average: 0,95, 1,19, 2,08
> Obviously, it doesn't use much CPU power when it can't create a
> UNIX-domain socket.
>
>   Wietse
Hmmm full

postconf -nf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 5h
broken_sasl_auth_clients = yes
compatibility_level = 2
default_destination_concurrency_limit = 100
default_destination_recipient_limit = 100
default_process_limit = 1200
delay_warning_time = 0h
disable_vrfy_command = ye

Re: master_wakeup_timer_event

2022-01-17 Thread natan
On 14.01.2022 at 22:18, Wietse Venema wrote:
> natan:
> Wietse:
>> Do you know if the problem is a kernel limit or a per-process limit?
>> Does master have 4096 open files (including network sockets: ip,
>> unix-domain, etc.).
> Wietse:
>> BTW that last one was a trick question: you need a huge number of
>> services in master.cf to exceed the 4096 limit. The master needs
>> three sockets for each service with type 'unix' in master.cf;
>> services with type 'inet' require two sockets plus one socket per
>> address in inet_interfaces.
> natan:
>> "Do you know if the problem is a kernel limit or a per-process limit?"
>>
>> I really don't know where the problem is, and how to diagnose this
>>
>> I have long thought about a kernel limit, but ... I have no idea
> Were you the person who has a Postfix process limit in the thousands?
> If that is the case, then I suggest that you reduce the Postfix
> process limit to half the number, do "postfix reload", wait for a
> while, and keep reducing the limit to half its value until the
> "resource temporarily unavailable" warnings go away. Also, make
> arrangements for more (and more powerful) servers.
>
>   Wietse

I don't know if I am that man with the limit in the thousands

# postconf -nf

default_destination_concurrency_limit = 100
default_destination_recipient_limit = 100
default_process_limit = 1200
delay_warning_time = 0h
disable_vrfy_command = yes
enable_long_queue_ids = yes
lmtp_destination_concurrency_limit = 100
lmtp_destination_recipient_limit = 1
max_idle = 1200s
max_use = 150
policy-spf_time_limit = 3600
smtp_connection_reuse_time_limit = 400s
smtp_data_done_timeout = 1600s
smtp_rcpt_timeout = 900s
smtpd_client_connection_count_limit = 200
smtpd_proxy_timeout = 240s
smtpd_recipient_limit = 100
smtpd_tls_session_cache_timeout = 600s
smtpd_use_tls = yes
smtputf8_enable = no
strict_rfc821_envelopes = yes


# postconf -Mf
smtp   inet  n   -   -   -   1   postscreen
smtpd  pass  -   -   -   -   190 smtpd
    -o receive_override_options=no_address_mappings
dnsblog    unix  -   -   -   -   0   dnsblog
tlsproxy   unix  -   -   -   -   0   tlsproxy
pickup unix  n   -   y   60  1   pickup
cleanup    unix  n   -   y   -   0   cleanup
qmgr   unix  n   -   n   300 1   qmgr
tlsmgr unix  -   -   y   1000?   1   tlsmgr
rewrite    unix  -   -   y   -   -   trivial-rewrite
bounce unix  -   -   y   -   0   bounce
defer  unix  -   -   y   -   0   bounce
trace  unix  -   -   y   -   0   bounce
verify unix  -   -   y   -   1   verify
flush  unix  n   -   y   1000?   0   flush
proxymap   unix  -   -   n   -   -   proxymap
proxywrite unix  -   -   n   -   1   proxymap
smtp   unix  -   -   y   -   -   smtp
relay  unix  -   -   y   -   -   smtp
showq  unix  n   -   y   -   -   showq
error  unix  -   -   y   -   -   error
retry  unix  -   -   y   -   -   error
discard    unix  -   -   y   -   -   discard
local  unix  -   n   n   -   -   local
virtual    unix  -   n   n   -   -   virtual
lmtp   unix  -   -   y   -   -   lmtp
anvil  unix  -   -   y   -   1   anvil
scache unix  -   -   y   -   1   scache
maildrop   unix  -   n   n   -   -   pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp   unix  -   n   n   -   -   pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix  -   n   n   -   -   pipe flags=F
user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp  unix  -   n   n   -   -   pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n   n   -   2   pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -   n   n   -   -   pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}
smtp-amavis unix -   -   -   -   160 smtp
    -o smtp_data_done_timeout=900s
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

#without amavis
10.0.100.5:10025 inet n  -   n   -   -   smtpd
    -o content_filter=
    -o rec

Re: master_wakeup_timer_event

2022-01-14 Thread natan
On 14.01.2022 at 18:11, Wietse Venema wrote:
> Wietse Venema:
>> natan:
>>> On 14.01.2022 at 14:54, Wietse Venema wrote:
>>>> natan:
>>>>> Hi
>>>>> I have a very strong machine with load average: 2,22, 2,32, 2,19
>>>>>
>>>>> and today I get
>>>>>
>>>>> Jan 14 12:34:25 thebe postfix/master[4925]: warning:
>>>>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>>>>> temporarily unavailable
>>>>> Jan 14 12:39:25 thebe postfix/master[4925]: warning:
>>>>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>>>>> temporarily unavailable
>>>>>
>>>>> And I don't know where the problem is
>>>> The Operating System Kernel is telling Postfix that it could not
>>>> connect to or write to the qmgr socket (typically, located at
>>>> /var/spool/postfix/public/qmgr).
>>>>
>>>> Either Postfix has exceeded some per-process limit, or some Operating
>>>> System Kernel resource is exhausted.
>>
>> Do you know if the problem is a kernel limit or a per-process limit?
>> Does master have 4096 open files (including network sockets: ip,
>> unix-domain, etc.).
> BTW that last one was a trick question: you need a huge number of
> services in master.cf to exceed the 4096 limit. The master needs
> three sockets for each service with type 'unix' in master.cf;
> services with type 'inet' require two sockets plus one socket per
> address in inet_interfaces.
>
>   Wietse
"Do you know if the problem is a kernel limit or a per-process limit?"

I really don't know where the problem is, or how to diagnose it.

I have long been thinking about a kernel limit but ... I have no idea
--
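
An added example (not from the thread and not Postfix's own code) that turns Wietse's rule of thumb above into a check: it parses a master.cf listing and a /proc/PID/limits dump, estimates how many listener sockets the master process holds, and compares that with the "Max open files" soft limit. The master.cf and limits text inside are constructed samples, and the number of inet_interfaces addresses is an assumed value.

```python
import re

# Constructed sample in "postconf -Mf" layout; it is not the poster's file.
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       -       -       1       postscreen
smtpd      pass  -       -       -       -       190     smtpd
    -o receive_override_options=no_address_mappings
dnsblog    unix  -       -       -       -       0       dnsblog
tlsproxy   unix  -       -       -       -       0       tlsproxy
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
10.0.100.5:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
"""

# Constructed excerpt of /proc/<pid>/limits for a master process.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            4096                 4096                 files
Max processes             515277               515277               processes
Max nice priority         0                    0
"""

SERVICE_RE = re.compile(r"^(\S+)\s+(inet|unix|fifo|pass)\s")


def parse_services(master_cf):
    """Return [(service_name, service_type), ...] from master.cf text.
    Comment lines and indented '-o' continuation lines are skipped."""
    services = []
    for line in master_cf.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        match = SERVICE_RE.match(line)
        if match:
            services.append((match.group(1), match.group(2)))
    return services


def estimate_master_sockets(services, inet_interfaces_count):
    """Count the master's listener sockets with the rule given in the
    thread: three per 'unix' service, two per 'inet' service plus one per
    address in inet_interfaces. Assumptions the thread does not state:
    'fifo' and 'pass' services are counted like 'unix', and an inet service
    whose name carries an explicit host:port binds exactly one address."""
    total = 0
    for name, stype in services:
        if stype == "inet":
            addresses = 1 if ":" in name else inet_interfaces_count
            total += 2 + addresses
        else:
            total += 3
    return total


def parse_limits(limits_text):
    """Parse /proc/<pid>/limits into {name: (soft, hard, units)}.
    'unlimited' becomes None; rows without a units column get ''."""

    def to_int(value):
        return None if value == "unlimited" else int(value)

    limits = {}
    for line in limits_text.splitlines()[1:]:  # skip the header row
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 3:
            continue
        units = fields[3] if len(fields) > 3 else ""
        limits[fields[0]] = (to_int(fields[1]), to_int(fields[2]), units)
    return limits


def check_fd_headroom(master_cf, limits_text, inet_interfaces_count):
    """Compare the estimated socket count with the 'Max open files' soft
    limit. Returns a dict so a caller can log it or assert on it."""
    sockets = estimate_master_sockets(parse_services(master_cf),
                                      inet_interfaces_count)
    soft, hard, _ = parse_limits(limits_text)["Max open files"]
    return {
        "estimated_sockets": sockets,
        "soft_limit": soft,
        "hard_limit": hard,
        # None means unlimited, which can never be exceeded.
        "within_limit": soft is None or sockets < soft,
    }


if __name__ == "__main__":
    # Two addresses in inet_interfaces is an assumed value for the demo.
    for key, value in check_fd_headroom(SAMPLE_MASTER_CF, SAMPLE_LIMITS, 2).items():
        print(f"{key}: {value}")
```

With the sample data the estimate is far below 4096, which is Wietse's point: the per-process file limit is only reached with a huge number of master.cf services, so a kernel-side limit is the more likely cause.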



Re: master_wakeup_timer_event

2022-01-14 Thread natan
On 14.01.2022 at 14:54, Wietse Venema wrote:
> natan:
>> Hi
>> I have a very strong machine with load average: 2,22, 2,32, 2,19
>>
>> and today I get
>>
>> Jan 14 12:34:25 thebe postfix/master[4925]: warning:
>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>> temporarily unavailable
>> Jan 14 12:39:25 thebe postfix/master[4925]: warning:
>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>> temporarily unavailable
>>
>> And I don't know where the problem is
> The Operating System Kernel is telling Postfix that it could not
> connect to or write to the qmgr socket (typically, located at
> /var/spool/postfix/public/qmgr).
>
> Either Postfix has exceeded some per-process limit, or some Operating
> System Kernel resource is exhausted.
>
>   Wietse
What can I really do with systemctl?
change to:

fs.file-max=13223142
net.ipv4.ip_local_port_range= 2048 65000
net.core.somaxconn = 2048




 6510 ?    Ss 0:50 /usr/lib/postfix/sbin/master

cat /proc/6510/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             515277               515277               processes
Max open files            4096                 4096                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       515277               515277               signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

--



master_wakeup_timer_event

2022-01-14 Thread natan
Hi
I have a very strong machine with load average: 2,22, 2,32, 2,19

and today I get

Jan 14 12:34:25 thebe postfix/master[4925]: warning:
master_wakeup_timer_event: service qmgr(public/qmgr): Resource
temporarily unavailable
Jan 14 12:39:25 thebe postfix/master[4925]: warning:
master_wakeup_timer_event: service qmgr(public/qmgr): Resource
temporarily unavailable

And I don't know where the problem is
--



Re: Resource temporarily

2021-12-23 Thread natan
On 23.12.2021 at 12:12, raf wrote:
> On Thu, Dec 23, 2021 at 09:52:05AM +0100, natan  wrote:
>
>> On 23.12.2021 at 01:53, raf wrote:
>>> On Wed, Dec 22, 2021 at 11:25:10AM +0100, natan  wrote:
>>>
>>>> On 21.12.2021 at 18:15, Wietse Venema wrote:
>>>> 10.x.x.10 is a Galera cluster with 3 nodes (and max_con set to 1500
>>>> for each node)
>>>>
>>>> when I get this error I check the number of connections
>>>>
>>>> smtpd : 125
>>>>
>>>> smtp  inet  n   -   -   -   1   postscreen
>>>> smtpd pass  -   -   -   -   -   smtpd -o
>>>> receive_override_options=no_address_mappings
>>>>
>>>> and total: amavis+lmtp-dovecot+smtpd-o
>>>> receive_override_options=no_address_mappings : 335
>>>> from: ps -e|grep smtpd |wc -l
>>>>
>>>>>> but:
>>>>>> for local lmt port 10025 - 5 connections
>>>>>> for incoming from amavis port 10027 - 132 connections
>>>>>> smtpd - 60 connections (
>>>>>> ps -e|grep smtpd - 196 connections
>>>>> 1) You show two smtpd process counts. What we need are the
>>>>> internet-related smtpd processes counts.
>>>>>
>>>>> 2) Network traffic is not constant. What we need are process counts
>>>>> at the time that postscreen logs the warnings.
>>>>>
>>>>>>> 2) Your kernel cannot support the default_process_limit of 1200.
>>>>>>> In that case a higher default_process_limit would not help. Instead,
>>>>>>> kernel configuration or more memory (or both) would help.
>>>>>> 5486 ?Ss 6:05 /usr/lib/postfix/sbin/master
>>>>>> cat /proc/5486/limits
>>>>> Those are PER-PROCESS resource limits. I just verified that postscreen
>>>>> does not run into the "Max open files" limit of 4096 as it tries
>>>>> to hand off a connection, because that would result in an EMFILE
>>>>> (Too many open files) kernel error code.
>>>>>
>>>>> Additionally there are SYSTEM-WIDE limits for how much the KERNEL
>>>>> can handle. These are worth looking at when you're trying to handle
>>>>> big traffic on a small (virtual) machine. 
>>>>>
>>>>>   Wietse
>>>> How do I check?
>>> Googling "linux system wide resource limits" shows a
>>> lot of things including
>>> https://www.tecmint.com/increase-set-open-file-limits-in-linux/
>>> which mentions sysctl, /etc/sysctl.conf, ulimit, and
>>> /etc/security/limits.conf.
>>>
>>> Then I realised that the problem is with process limits,
>>> not open file limits, but the same methods apply.
>>>
>>> On my VM, the hard and soft process limits are 3681:
>>>
>>>   # ulimit -Hu
>>>   3681
>>>   # ulimit -Su
>>>   3681
>>>
>>> Perhaps yours is less than that.
>>>
>>> To change it permanently, add something like the
>>> following to /etc/security/limits.conf (or to a file in
>>> /etc/security/limits.d/):
>>>
>>>   * hard nproc 4096
>>>   * soft nproc 4096
>>>
>>> Note that this is assuming Linux, and assuming that your
>>> server will be OK with increasing the process limit. That
>>> might not be the case if it's a tiny VM being asked to
>>> do too much. Good luck.
>>>
>>> cheers,
>>> raf
>>>
>> Raf I have:
>> #ulimit -Hu
>> 257577
>> # ulimit -Su
>> 257577
>>
>> 7343 ?    Rs    24:22 /usr/lib/postfix/sbin/master
>>
>> # cat /proc/7343/limits
>> Limit                     Soft Limit           Hard Limit           Units
>> Max cpu time              unlimited            unlimited            seconds
>> Max file size             unlimited            unlimited            bytes
>> Max data size             unlimited            unlimited            bytes
>> Max stack size            8388608              unlimited            bytes
>> Max core file size        0                    unlimited            bytes
>> Max resident set          unlimited            unlimited            bytes
>> Max processes             257577               257577               processes
>> Max open files            4

Re: Resource temporarily

2021-12-23 Thread natan
On 23.12.2021 at 01:53, raf wrote:
> On Wed, Dec 22, 2021 at 11:25:10AM +0100, natan  wrote:
>
>> On 21.12.2021 at 18:15, Wietse Venema wrote:
>> 10.x.x.10 is a Galera cluster with 3 nodes (and max_con set to 1500
>> for each node)
>>
>> when I get this error I check the number of connections
>>
>> smtpd : 125
>>
>> smtp  inet  n   -   -   -   1   postscreen
>> smtpd pass  -   -   -   -   -   smtpd -o
>> receive_override_options=no_address_mappings
>>
>> and total: amavis+lmtp-dovecot+smtpd-o
>> receive_override_options=no_address_mappings : 335
>> from: ps -e|grep smtpd |wc -l
>>
>>>> but:
>>>> for local lmt port 10025 - 5 connections
>>>> for incoming from amavis port 10027 - 132 connections
>>>> smtpd - 60 connections (
>>>> ps -e|grep smtpd - 196 connections
>>> 1) You show two smtpd process counts. What we need are the
>>> internet-related smtpd processes counts.
>>>
>>> 2) Network traffic is not constant. What we need are process counts
>>> at the time that postscreen logs the warnings.
>>>
>>>>> 2) Your kernel cannot support the default_process_limit of 1200.
>>>>> In that case a higher default_process_limit would not help. Instead,
>>>>> kernel configuration or more memory (or both) would help.
>>>> 5486 ?Ss 6:05 /usr/lib/postfix/sbin/master
>>>> cat /proc/5486/limits
>>> Those are PER-PROCESS resource limits. I just verified that postscreen
>>> does not run into the "Max open files" limit of 4096 as it tries
>>> to hand off a connection, because that would result in an EMFILE
>>> (Too many open files) kernel error code.
>>>
>>> Additionally there are SYSTEM-WIDE limits for how much the KERNEL
>>> can handle. These are worth looking at when you're trying to handle
>>> big traffic on a small (virtual) machine. 
>>>
>>> Wietse
>> How do I check?
> Googling "linux system wide resource limits" shows a
> lot of things including
> https://www.tecmint.com/increase-set-open-file-limits-in-linux/
> which mentions sysctl, /etc/sysctl.conf, ulimit, and
> /etc/security/limits.conf.
>
> Then I realised that the problem is with process limits,
> not open file limits, but the same methods apply.
>
> On my VM, the hard and soft process limits are 3681:
>
>   # ulimit -Hu
>   3681
>   # ulimit -Su
>   3681
>
> Perhaps yours is less than that.
>
> To change it permanently, add something like the
> following to /etc/security/limits.conf (or to a file in
> /etc/security/limits.d/):
>
>   * hard nproc 4096
>   * soft nproc 4096
>
> Note that this is assuming Linux, and assuming that your
> server will be OK with increasing the process limit. That
> might not be the case if it's a tiny VM being asked to
> do too much. Good luck.
>
> cheers,
> raf
>
Raf I have:
#ulimit -Hu
257577
# ulimit -Su
257577

7343 ?    Rs    24:22 /usr/lib/postfix/sbin/master

# cat /proc/7343/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             257577               257577               processes
Max open files            4096                 4096                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       257577               257577               signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

these are the real limits for /usr/lib/postfix/sbin/master
--



Re: Resource temporarily

2021-12-23 Thread natan
On 22.12.2021 at 21:01, Phil Stracchino wrote:
> On 12/22/21 12:55, Wietse Venema wrote:
>> In this case Postfix is (also) overloading the MySQL server.
>>
>> - Get a more powerful system (or VM) for the MySQL server.
>>
>> - Reduce the workload per MySQL server (spread the load across
>>    multiple servers).
>
>
>
>
> Perhaps first of all, make sure that mysqld is properly tuned.  90% of
> small MySQL/MariaDB deployment performance problems can be resolved
> simply by properly tuning it for the available resources.
>
> But if you're overloading a single MySQL instance, consider using a
> Galera cluster (either MySQL or MariaDB) behind ProxySQL or HAproxy.
> Read performance on a Galera cluster scales approximately linearly
> with the number of nodes, and nodes can be more-or-less transparently
> added and dropped on demand.
>
> (Also, this gives you transparent DB redundancy in the case that a
> node crashes or needs to be taken offline for maintenance.)
>
>
I had a Galera cluster with 3 nodes and haproxy

--



Re: Resource temporarily

2021-12-22 Thread natan
On 22.12.2021 at 15:44, Wietse Venema wrote:
> natan:
>> And today I get other error:
>> Dec 22 10:38:28 mx4 postfix/proxymap[27207]: warning: connect to mysql
>> server 10.x.x.10:3307: Lost connection to MySQL server at 'reading
>> authorization packet', system error: 11 "Resource temporarily unavailable"
>> Dec 22 10:38:28 m4 postfix/cleanup[26889]: warning:
>> proxy:mysql:/etc/postfix/mysql/mysql_recipient_bcc_maps_user.cf lookup
>> error for "@zz.com"
> You have an overloaded system.
>
> - Get need a more powerful system (or VM).
>
> - Reduce the workload (number of Postfix processes) per system.
now in the system I have default_process_limit = 1400
but server 10.x.x.10:3307 is an external MySQL Galera cluster
Is it really a problem with the system being overloaded with postfix?
> Obligatory comic: https://dilbert.com/strip/1995-06-24
I love Dilbert :) Thanks
>
>   Wietse

--



Re: Resource temporarily

2021-12-22 Thread natan
On 22.12.2021 at 11:25, natan wrote:
> On 21.12.2021 at 18:15, Wietse Venema wrote:
>> natan:
>>>> postscreen tries to hand off each 'good' connection to an smtpd
>>>> process. Apparently, there are not enough of smtpd processes to
>>>> take those connections, and some kernel-internal queue is filling up 
>>>> resulting in an EAGAIN kernel error code.
>>>>
>>>> Possible causes:
>>>>
>>>> 1) The default_process_limit of 1200 is too low. In that case a
>>>> higher default_process_limit would help.
>>> Hm, I tried raising it by 20%
>> Please don't waste time with minuscule changes. I suggest doubling
>> the number to see if it makes a difference (don't forget "postfix
>> reload").
> I changed it x2
> And today I get another error:
> Dec 22 10:38:28 mx4 postfix/proxymap[27207]: warning: connect to mysql
> server 10.x.x.10:3307: Lost connection to MySQL server at 'reading
> authorization packet', system error: 11 "Resource temporarily unavailable"
> Dec 22 10:38:28 m4 postfix/cleanup[26889]: warning:
> proxy:mysql:/etc/postfix/mysql/mysql_recipient_bcc_maps_user.cf lookuperror 
> for "@zz.com"
and another:
Dec 22 10:38:11 m4 postfix/proxymap[27124]: warning: connect to mysql
server 10.x.x.10:3307: Lost connection to MySQL server at 'reading
authorization packet', system error: 0 "Internal error/check (Not system
error)"

>
> 10.x.x.10 is a Galera cluster with 3 nodes (and max_con set to 1500
> for each node)
>
> when I get this error I check the number of connections
>
> smtpd : 125
>
> smtp  inet  n   -   -   -   1   postscreen
> smtpd pass  -   -   -   -   -   smtpd -o
> receive_override_options=no_address_mappings
>
> and total: amavis+lmtp-dovecot+smtpd-o
> receive_override_options=no_address_mappings : 335
> from: ps -e|grep smtpd |wc -l
>
>
>>> but:
>>> for local lmt port 10025 - 5 connections
>>> for incoming from amavis port 10027 - 132 connections
>>> smtpd - 60 connections (
>>> ps -e|grep smtpd - 196 connections
>> 1) You show two smtpd process counts. What we need are the
>> internet-related smtpd processes counts.
>>
>> 2) Network traffic is not constant. What we need are process counts
>> at the time that postscreen logs the warnings.
>>
>>>> 2) Your kernel cannot support the default_process_limit of 1200.
>>>> In that case a higher default_process_limit would not help. Instead,
>>>> kernel configuration or more memory (or both) would help.
>>> 5486 ?Ss 6:05 /usr/lib/postfix/sbin/master
>>> cat /proc/5486/limits
>> Those are PER-PROCESS resource limits. I just verified that postscreen
>> does not run into the "Max open files" limit of 4096 as it tries
>> to hand off a connection, because that would result in an EMFILE
>> (Too many open files) kernel error code.
>>
>> Additionally there are SYSTEM-WIDE limits for how much the KERNEL
>> can handle. These are worth looking at when you're trying to handle
>> big traffic on a small (virtual) machine. 
>>
>>  Wietse
> How do I check?
>
> --
>

--



Re: Resource temporarily

2021-12-22 Thread natan
On 21.12.2021 at 18:15, Wietse Venema wrote:
> natan:
>>> postscreen tries to hand off each 'good' connection to an smtpd
>>> process. Apparently, there are not enough of smtpd processes to
>>> take those connections, and some kernel-internal queue is filling up 
>>> resulting in an EAGAIN kernel error code.
>>>
>>> Possible causes:
>>>
>>> 1) The default_process_limit of 1200 is too low. In that case a
>>> higher default_process_limit would help.
>> Hm, I tried raising it by 20%
> Please don't waste time with minuscule changes. I suggest doubling
> the number to see if it makes a difference (don't forget "postfix
> reload").
I changed it x2
And today I get another error:
Dec 22 10:38:28 mx4 postfix/proxymap[27207]: warning: connect to mysql
server 10.x.x.10:3307: Lost connection to MySQL server at 'reading
authorization packet', system error: 11 "Resource temporarily unavailable"
Dec 22 10:38:28 m4 postfix/cleanup[26889]: warning:
proxy:mysql:/etc/postfix/mysql/mysql_recipient_bcc_maps_user.cf lookup
error for "@zz.com"

10.x.x.10 is a Galera cluster with 3 nodes (and max_con set to 1500
for each node)

when I get this error I check the number of connections

smtpd : 125

smtp  inet  n   -   -   -   1   postscreen
smtpd pass  -   -   -   -   -   smtpd -o
receive_override_options=no_address_mappings

and total: amavis+lmtp-dovecot+smtpd-o
receive_override_options=no_address_mappings : 335
from: ps -e|grep smtpd |wc -l


>> but:
>> for local lmt port 10025 - 5 connections
>> for incoming from amavis port 10027 - 132 connections
>> smtpd - 60 connections (
>> ps -e|grep smtpd - 196 connections
> 1) You show two smtpd process counts. What we need are the
> internet-related smtpd processes counts.
>
> 2) Network traffic is not constant. What we need are process counts
> at the time that postscreen logs the warnings.
>
>>> 2) Your kernel cannot support the default_process_limit of 1200.
>>> In that case a higher default_process_limit would not help. Instead,
>>> kernel configuration or more memory (or both) would help.
>> 5486 ?Ss 6:05 /usr/lib/postfix/sbin/master
>> cat /proc/5486/limits
> Those are PER-PROCESS resource limits. I just verified that postscreen
> does not run into the "Max open files" limit of 4096 as it tries
> to hand off a connection, because that would result in an EMFILE
> (Too many open files) kernel error code.
>
> Additionally there are SYSTEM-WIDE limits for how much the KERNEL
> can handle. These are worth looking at when you're trying to handle
> big traffic on a small (virtual) machine. 
>
>   Wietse
How do I check?

--



postscreen too aggressive

2021-12-22 Thread natan
Hi
I turned on a deep test in postscreen like:


postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
or
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

every time I get a problem with ...gmail

Dec 21 17:27:13 m4 postfix/postscreen[7844]: NOQUEUE: reject: RCPT from
[209.85.210.178]:35689: 450 4.3.2 Service currently unavailable;
from=, to=, proto=ESMTP,
helo=
Dec 21 17:27:40 m4 postfix/postscreen[7844]: NOQUEUE: reject: RCPT from
[209.85.216.41]:46905: 450 4.3.2 Service currently unavailable;
from=, to=, proto=ESMTP,
helo=
Dec 21 17:28:17 m4 postfix/postscreen[7844]: NOQUEUE: reject: RCPT from
[209.85.208.193]:34784: 450 4.3.2 Service currently unavailable;
from=, to=, proto=ESMTP,
helo=
Dec 21 17:28:17 m4 postfix/postscreen[7844]: NOQUEUE: reject: RCPT from
[209.85.161.41]:34661: 450 4.3.2 Service currently unavailable;
from=, to=, proto=ESMTP,
helo=

in 1h ~255 rejected e-mails sent from gmail

Would postscreen be too aggressive, or does gmail send "non normal" e-mails?
Of course I can whitelist gmail's _spf, but it is not cool to add
any e-mail operator to a whitelist


--



Re: Resource temporarily

2021-12-21 Thread natan
On 21.12.2021 at 16:22, Wietse Venema wrote:
> natan:
>> Dec 20 14:51:19 m4 postfix/postscreen[5883]: warning: cannot connect to
>> service private/smtpd: Resource temporarily unavailable
>> Dec 20 14:51:19 m4 postfix/postscreen[5883]: warning: cannot connect to
>> service private/smtpd: Resource temporarily unavailable
>> Dec 20 14:51:20 m4 postfix/postscreen[5883]: warning: cannot connect to
>> service private/smtpd: Resource temporarily unavailable
>> Dec 20 14:51:20 m4 postfix/postscreen[5883]: warning: cannot connect to
>> service private/smtpd: Resource temporarily unavailable
> There is a limit in your operating system kernel, or in your Postfix
> configuration.
>
>> in main.cf:
>> default_process_limit = 1200 --> because I have a lot of incoming e-mail
>>
>> in master.cf
>> smtp  inet  n   -   -   -   1   postscreen
>> smtpd pass  -   -   -   -   -   smtpd -o
>> receive_override_options=no_address_mappings
> postscreen tries to hand off each 'good' connection to an smtpd
> process. Apparently, there are not enough of smtpd processes to
> take those connections, and some kernel-internal queue is filling up 
> resulting in an EAGAIN kernel error code.
>
> Possible causes:
>
> 1) The default_process_limit of 1200 is too low. In that case a
> higher default_process_limit would help.
Hm, I tried raising it by 20%

but:
for local lmt port 10025 - 5 connections
for incoming from amavis port 10027 - 132 connections
smtpd - 60 connections (

ps -e|grep smtpd - 196 connections

>
> 2) Your kernel cannot support the default_process_limit of 1200.
> In that case a higher default_process_limit would not help. Instead,
> kernel configuration or more memory (or both) would help.
5486 ?    Ss 6:05 /usr/lib/postfix/sbin/master
cat /proc/5486/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             257577               257577               processes
Max open files            4096                 4096                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       257577               257577               signals
Max msgqueue size         819200               819200               bytes

>
> 3) Some non-Postfix "security" feature is getting in the way.
>
> In the implementation, postscreen makes a non-blocking connect() call
> with a 1-second time limit, and immediately receives an EAGAIN
> kernel error code (immediately, because postscreen logs the same
> warning message multiple times per second).
>
>   Wietse

--



Re: Resource temporarily

2021-12-21 Thread natan
Hi
ps -e|grep smtpd |wc -l
273
root@m4:~# grep "Resource temporarily unavailable" /var/log/mail.log
root@m4:~#

On 21.12.2021 at 11:03, natan wrote:
> Hi
> Where is the limit for postscreen/smtpd?
>
> Dec 20 14:51:19 m4 postfix/postscreen[5883]: warning: cannot connect to
> service private/smtpd: Resource temporarily unavailable
> Dec 20 14:51:19 m4 postfix/postscreen[5883]: warning: cannot connect to
> service private/smtpd: Resource temporarily unavailable
> Dec 20 14:51:20 m4 postfix/postscreen[5883]: warning: cannot connect to
> service private/smtpd: Resource temporarily unavailable
> Dec 20 14:51:20 m4 postfix/postscreen[5883]: warning: cannot connect to
> service private/smtpd: Resource temporarily unavailable
>
>
>
> in main.cf:
>
> default_process_limit = 1200 --> because I have a lot of incoming e-mail
>
> default_destination_recipient_limit = 100
> default_destination_concurrency_limit = 100
> lmtp_destination_concurrency_limit = 100
> lmtp_destination_recipient_limit = 1
> smtp-amavis_destination_recipient_limit = 1
> smtpd_recipient_limit = 100
>
> in master.cf
> smtp  inet  n   -   -   -   1   postscreen
> smtpd pass  -   -   -   -   -   smtpd -o
> receive_override_options=no_address_mappings
> dnsblog   unix  -   -   -   -   0   dnsblog
> tlsproxy  unix  -   -   -   -   0   tlsproxy
>
>
> --
>

--



Resource temporarily

2021-12-21 Thread natan
Hi
Where is the limit for postscreen/smtpd?

Dec 20 14:51:19 m4 postfix/postscreen[5883]: warning: cannot connect to
service private/smtpd: Resource temporarily unavailable
Dec 20 14:51:19 m4 postfix/postscreen[5883]: warning: cannot connect to
service private/smtpd: Resource temporarily unavailable
Dec 20 14:51:20 m4 postfix/postscreen[5883]: warning: cannot connect to
service private/smtpd: Resource temporarily unavailable
Dec 20 14:51:20 m4 postfix/postscreen[5883]: warning: cannot connect to
service private/smtpd: Resource temporarily unavailable



in main.cf:

default_process_limit = 1200 --> because I have a lot of incoming e-mail

default_destination_recipient_limit = 100
default_destination_concurrency_limit = 100
lmtp_destination_concurrency_limit = 100
lmtp_destination_recipient_limit = 1
smtp-amavis_destination_recipient_limit = 1
smtpd_recipient_limit = 100

in master.cf
smtp  inet  n   -   -   -   1   postscreen
smtpd pass  -   -   -   -   -   smtpd -o
receive_override_options=no_address_mappings
dnsblog   unix  -   -   -   -   0   dnsblog
tlsproxy  unix  -   -   -   -   0   tlsproxy


--



Re: another way to block incomming

2021-12-20 Thread natan
On 20.12.2021 at 16:52, post...@ptld.com wrote:
>> What is a fastest method to block that recipient domain (because I would
>> like it not to ask the ldap server for that account/domain )
> One way to block an entire domain:
>
>
> main.cf
>smtpd_recipient_restrictions = check_recipient_access 
> hash:/etc/postfix/block_domains
>
>
> block_domains
>subdomain.domain.ltd 550 Invalid Recipient Domain
>
>
> You can set "Invalid Recipient Domain" to any error message.
> And don't forget to run "postmap block_domains"
or DISCARD if I don't have to send any info
--



another way to block incomming

2021-12-20 Thread natan
Hi
I have a user who has a domain and a subdomain like subdomain.domain.ltd

For both domains the client set MX entries in DNS

for the first domain (domain.ltd) the client created an e-mail account - that's ok

for the second (subdomain.domain.ltd) the client didn't create any accounts or
any aliases - he set only the MX record

for a test the client sent many many e-mails to subdomain.domain.ltd and my
MX sends: 454 Relay access denied - because the user did not create any
account/aliases/catchall - but only set the MX record in DNS
And every time that "query" asks my LDAP.
Not to ask the LDAP server for an account

What is the fastest method to block that recipient domain (because I would
like it not to ask the LDAP server for that account/domain)

smtpd_recipient_restrictions =
    hash:/etc/postfix/bad_recipients
works fine but only for existing ones

or:

virtual_mailbox_domains = /etc/postfix/bad, proxy:mysql:/etc/postfix/map.sql
but I don't know if it's a good idea
--



not very sensible question

2021-12-09 Thread natan
Hi
Sorry for my stupid question. I know you shouldn't do that - but it
interests me.

One of my clients has an old qmail+ldap (virtualboxes in ldap) but it
does not have a virtualdomain list - this server is for incoming mail only (MX)

In qmail I found a "magic path" which allows all domains which have the MX set
mxmagix.domain.ltd

Is it possible to do this in postfix?
--



Re: two mysql

2021-11-26 Thread natan
Wietse:
Thanks for the reply, but in the mysql_table manpage documentation

hosts = 10.10.10.1, 10.10.10.2

is not simple HA but "roundrobin" style


On 26.11.2021 at 13:43, Wietse Venema wrote:
> natan:
> [ text/html is unsupported, treating like TEXT/PLAIN ]
sorry
>
>> Hi
>> Is it possible to use two hosts entries in the map so that in case of failure of the
>> first one, the second server will be asked?
>>
>> I know I can use haproxy but is there anything simpler?
>>
>> Ile:
>> # virtual_domain_maps.cf 
>> user = postfix 
>> password = $password 
>> dbname = postfix 
>> hosts = 10.10.10.1
>> hosts = 10.10.10.2
> hosts = 10.10.10.1, 10.10.10.2
>
> As documented in the mysql_table manpage.
>
>> query = SELECT domain FROM vmail WHERE .
>   Wietse

--



two mysql

2021-11-26 Thread natan

Hi
Is it possible to use two hosts entries in the map so that in case of failure of the first one, the second server will be asked?

I know I can use haproxy but is there anything simpler?

Ile:
# virtual_domain_maps.cf 
user = postfix 
password = $password 
dbname = postfix 
hosts = 10.10.10.1
hosts = 10.10.10.2
query = SELECT domain FROM vmail WHERE .



blocking incomming mail

2021-11-23 Thread natan
Hi
I need to block all incoming mail to one e-mail address like:

to= DISCARD
but allow:
from=

At the earliest level possible - only in smtpd_recipient_restrictions?

--



Re: I need problem to understand

2021-11-16 Thread natan
Matus:

On 16.11.2021 12:09, Matus UHLAR - fantomas wrote:
>>> On 16.11.21 10:06, natan wrote:
>>>> I need some help understanding a log:
>>>>
>>>> I have
>>>> FILTER smtp-amavis:[127.0.0.1]:10628
>
>> On 16.11.2021 10:22, Matus UHLAR - fantomas wrote:
>>> you have this where?
>
> On 16.11.21 10:41, natan wrote:
>> in master.cf:
>>
>> smtp-amavis unix    -   -   -   -   140   smtp
>>     -o smtp_data_done_timeout=6000s
>>     -o smtp_send_xforward_command=yes
>>     -o disable_dns_lookups=yes
>
in main.cf I have

smtpd_client_restrictions =
#map with and without
   check_client_access cidr:/etc/postfix/amavis_bypass,

...
86.xxx.xxx.xxx/24 FILTER smtp:10.0.100.5:10025
85.xxx.xxx.xxx/23 FILTER smtp:10.0.100.5:10025
10.0.100.26/32 FILTER smtp:10.0.100.5:10025
0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628


10.0.100.5:10025 - this is the local transport port without amavis



> I don't see any FILTER there.
> I can only guess you have amavis defined as content_filter or
> smtpd_proxy_filter. the "FILTER ..." should be somewhere in access
> rules and makes postfix use
> amavis as content_filter (thus smtpd_proxy_timeout is useless later).
>


>
>> (in amavis I have 145)
>
> this may also be a problem.  140 concurrent amavis filters can eat too
> much
> of RAM and CPU.
This is not a problem
>
>>>> this is a local haproxy that postfix connects to on port 10628, like:
>>>>
>>>> ...
>>>> bind 127.0.0.1:10628
>>>>
>>>>   server amavis1 86.xxx.xxx.125:10628 check maxconn
>>>>   server amavis2 86.xxx.xxx.155:10628 check maxconn
>>>>   server amavis3 86.xxx.xxx.234:10628 check maxconn
>>>>
>>>> and the way back from amavis to postfix is like
>>>>
>>>> 86.xxx.xxx.199:10027 inet n  -   n   -   140    smtpd
>>>>     -o smtpd_proxy_timeout=900s
>>>>     -o content_filter=
>>>>     -o mynetworks_style=host
>>>>     -o
>>>> mynetworks=10.0.100.0/24,86.xxx.xxx.199/32,46.xxx.xxx.98/32,86.xxx.xxx.159/32,86.xxx.xxx.125/32,86.xxx.xxx.155/32,86.xxx.xxx.234/32
>>>>
>>>>
>>>
>>> I recommend adding something like
>>>     -o syslog_name=postfix/filtered
>>
>> I added it but nothing
>
> I think that "postfix reload" is needed in this case.
yes, I get it (stop and start too)
>
>
>> But in amavis I found:
>>
>> Nov 16 10:32:17 amavis1 amavis[1501]: (01501-06) smtp resp to MAIL
>> (pip): 421 4.4.2 thebe4.domain.pl Error: timeout exceeded
>
> this is what your postfix replied to amavis when it tried to deliver the
> message.
>
> but the postfix should also mention this in postfix logs which you did
> not provide.
>
>
>> The problem is postfix to amavis - but I don't know where
>>> to see clearly when the mail comes from your content filter.
>
>>> looks like your incoming smtpd on port 10027 said this to
>>> content_filter
>>> which further said this to your postfix.
>>>
>>> however, I don't see where your postfix [86.xxx.xxx.199]:10027
>>> rejected the
>>> mail. You should have that in logs, and if you do what I recommended
>>> above,
>>> you'll see those errors in log under name "postfix/filtered/smtpd"
>
probably this is the problem:
1) to amavis I have 140 connections max (I have 3 amavis and the max is 3 x 140)
2) my local delivery - from amavis to xxx.xxx.xxx.xxx:10027 - has the default (100)

maybe when I have a "spam attack" amavis has too many e-mails in (back)
delivery to xxx.xxx.xxx.xxx:10027
and xxx.xxx.xxx.xxx:10027 sends 4xx to amavis

master.cf
smtp-amavis unix    -   -   -   -   140   smtp
    -o smtp_data_done_timeout=6000s
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
#    -o max_use=40

10.0.100.5:10025 inet n  -   n   -   -    smtpd
    -o content_filter=
    -o recipient_delimiter=+
    -o mynetworks_style=host
    -o mynetworks=10.0.100.0/24
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o strict_rfc821_envelopes=yes
    -o smtp_tls_security_level=none
    -o smtpd_tls_security_level=none
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -
