Re: Restrict outgoing/submission to defined local or virtual users
First time I've tried the inline map type. And, I think the spaces may have been what was hosing my earlier attempts. Appreciate the pointer very much. Will give this a go. -- Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Re: Restrict outgoing/submission to defined local or virtual users
Just what I was hoping for, the easy button. Thank you. What about the one (valid) sender I want to prevent? I've got an IMAP account set up for spam reporting; I want to be sure no one who has access to it sends anything from that account. -- Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Restrict outgoing/submission to defined local or virtual users
Postfix 3.2.2, Centos7. All functioning as configured. I have a few local accounts, several virtual addresses delivered to those accounts, and some domains relayed; the latter do not submit mail through this box. All local accounts send via TLS authentication on 587. Currently I don't think I have any restrictions on what an outbound address can be. I do have some aliases, so I do not want to restrict to logon names only. Is it possible to restrict outgoing mail to be from one of my "valid" local or virtual aliases? And I want to restrict outbound from one address in particular. I looked here: http://www.postfix.org/RESTRICTION_CLASS_README.html but if the answer is there I'd be grateful for some more help, I didn't get it. On or off-list. Right now my submission section of master.cf is below. I tried adding something here as -o smtpd_sender_restrictions but didn't get that right.

submission inet n - n - - smtpd
## subsequent indented lines override main.cf settings.
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix-submission
  -o milter_macro_daemon_name=ORIGINATING

Happy to provide all the configs if needed.
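The Postfix mechanism this question is after is smtpd_sender_login_maps together with reject_sender_login_mismatch on the submission service: the map says which SASL login names own which MAIL FROM address, and an address with no owner cannot be used by any authenticated client. The script below is an added example, not code from the thread or from Postfix. It parses a map written in the inline:{...} syntax (the form in which whitespace placement matters) and applies the mismatch rule to a few constructed (login, MAIL FROM) pairs, including a mailbox that is valid for delivery but deliberately absent from the map. Every address and login name in it is made up.

```python
"""Model of Postfix reject_sender_login_mismatch against an inline: map.

Added example, not code from the thread. Addresses and login names are made up.
Semantics modelled, from postconf(5) smtpd_sender_login_maps:
  - the map is keyed by MAIL FROM address; the value is a comma- or
    whitespace-separated list of SASL login names that own it;
  - an authenticated client may only use an address its login owns, so an
    address that is absent from the map cannot be used by anyone;
  - an unauthenticated client may not use an address that has an owner.
"""
import re

# Constructed map in Postfix inline:{...} syntax (Postfix 3.0 and later).
# A value that contains a comma or whitespace must be wrapped in its own
# { } group; that is the detail that usually trips people up.
SENDER_LOGIN_MAP = (
    "inline:{ scott@example.com=scott,"
    " { sales@example.com = scott, mary },"
    " mary@example.com=mary }"
)
# spamreport@example.com is a real mailbox but is deliberately not listed,
# so no authenticated login is allowed to send as it.

_ENTRY = re.compile(r"\{([^}]*)\}|([^,{}]+)")


def parse_inline_map(spec: str) -> dict:
    """Parse 'inline:{ k=v, { k = v1, v2 }, ... }' into {key: set(owners)}."""
    spec = spec.strip()
    if not (spec.startswith("inline:{") and spec.endswith("}")):
        raise ValueError("not an inline: map")
    body = spec[len("inline:{"):-1]
    entries = {}
    for m in _ENTRY.finditer(body):
        text = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if not text:
            continue  # whitespace between entries
        key, sep, value = text.partition("=")
        if not sep:
            raise ValueError("entry without '=': %r" % text)
        owners = {o.lower() for o in re.split(r"[,\s]+", value.strip()) if o}
        entries[key.strip().lower()] = owners
    return entries


def sender_login_check(entries: dict, login, mail_from: str):
    """Decide as reject_sender_login_mismatch would.

    login is the SASL login name, or None for an unauthenticated client.
    Returns ("REJECT", reason) or ("DUNNO", ""): the restriction never
    permits; a later one such as permit_sasl_authenticated does that.
    """
    owners = entries.get(mail_from.lower())
    if login is not None:
        # reject_authenticated_sender_login_mismatch
        if not owners or login.lower() not in owners:
            return ("REJECT", "Sender address rejected: not owned by user %s" % login)
        return ("DUNNO", "")
    # reject_unauthenticated_sender_login_mismatch
    if owners:
        return ("REJECT", "Sender address rejected: not logged in")
    return ("DUNNO", "")


if __name__ == "__main__":
    table = parse_inline_map(SENDER_LOGIN_MAP)
    for login, mail_from in [("scott", "scott@example.com"),
                             ("mary", "sales@example.com"),
                             ("mary", "scott@example.com"),
                             ("scott", "spamreport@example.com"),
                             (None, "scott@example.com")]:
        print(login, mail_from, *sender_login_check(table, login, mail_from))
```

When the map goes into master.cf as a -o override, either keep the value free of whitespace (`-o smtpd_sender_login_maps=inline:{a@example.com=a,b@example.com=b}`) or, with Postfix 3.0 and later, wrap the whole override in braces (`-o { smtpd_sender_login_maps = inline:{ ... } }`); an unbraced value with spaces is cut at the first space. The matching restriction is `-o smtpd_sender_restrictions=reject_sender_login_mismatch`, placed before permit_sasl_authenticated so that the mismatch is evaluated first.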
Re: Deciphering maillog transaction that resulted in reply to spammer
Instead of trying to decipher one with a problem, can someone check my layman's descriptions of this single good message flow for me? I've tried to do my homework and get them right. I think I have it, but would be grateful for confirmation. I have commented the steps of the full message flow with my descriptions of what I understand is happening with that logged step. I did not parse it with the collate script, but it is from my quiet server, nothing else happening on it to muddy the waters. I have after-queue content filtering set up, using amavisd-new. I have a pre-cleanup and a regular cleanup service. The steps I'm a little shaky on I have prefixed with "???" in the comments. Just looking for some help understanding the log entries in this one message flow, so I can better help myself on problems. (Posted via nabble, hopefully that prevents any wrapping issues)

### LOG START ###
# postscreen, whitelisted, and passes due to previous pass
Jul 30 11:18:12 mail1 postfix/postscreen[3483]: CONNECT from [1.1.1.1]:59992 to [2.2.2.2]:25
Jul 30 11:18:12 mail1 postfix/dnsblog[3488]: addr 1.1.1.1 listed by domain list.dnswl.org as 127.0.4.0
Jul 30 11:18:12 mail1 postfix/postscreen[3483]: PASS OLD [1.1.1.1]:59992
# connect to main smtp. message QID? F1F5B14D5
Jul 30 11:18:12 mail1 postfix/smtpd[3491]: connect from mail.myserver.com[1.1.1.1]
Jul 30 11:18:12 mail1 postfix/smtpd[3491]: F1F5B14D5: client=mail.myserver.com[1.1.1.1]
# F1F5B14D5 to pre-cleanup
Jul 30 11:18:13 mail1 postfix/cleanup[3494]: F1F5B14D5: message-id=<017101d3094f$6ef5df70$4ce19e50$@com>
# F1F5B14D5 into queue manager
Jul 30 11:18:13 mail1 postfix/qmgr[3285]: F1F5B14D5: from=, size=1022, nrcpt=1 (queue active)
# main smtp connection done, disconnect
Jul 30 11:18:13 mail1 postfix/smtpd[3491]: disconnect from mail.myserver.com[1.1.1.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
# amavis picks up item from queue via amavis-smtpd lmtp service
Jul 30 11:18:13 mail1 amavis[1006]: (01006-05) LMTP :10024 /var/spool/amavisd/tmp/amavis-20170730T100904-01006-thTdWRtM: -> SIZE=1022 Received: from mail1.myserver.com ([127.0.0.1]) by localhost (mail1.myserver.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for ; Sun, 30 Jul 2017 11:18:13 -0500 (CDT)
# amavis reports it starts checking the message F1F5B14D5
Jul 30 11:18:13 mail1 amavis[1006]: (01006-05) Checking: er8IU5nNU-RL MYNETS [1.1.1.1] ->
# ??? Postfix gets connection from amavis on normal smtpd to send filtered message. That message gets new QID? #230F69E7
Jul 30 11:18:13 mail1 postfix/smtpd[3498]: connect from localhost[127.0.0.1]
Jul 30 11:18:13 mail1 postfix/smtpd[3498]: 230F69E7: client=localhost[127.0.0.1], orig_queue_id=F1F5B14D5, orig_client=mail.myserver.com[1.1.1.1]
# after-filter cleanup on filtered message 230F69E7?
Jul 30 11:18:13 mail1 postfix/cleanup[3499]: 230F69E7: message-id=<017101d3094f$6ef5df70$4ce19e50$@com>
# ??? new queue of filtered message #230F69E7 from amavis
Jul 30 11:18:13 mail1 postfix/qmgr[3285]: 230F69E7: from= , size=1518, nrcpt=1 (queue active)
# amavis done talking to postfix, disconnects
Jul 30 11:18:13 mail1 postfix/smtpd[3498]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
# ??? meanwhile, the same amavis, PID [1006], just logging/reporting what was done
Jul 30 11:18:13 mail1 amavis[1006]: (01006-05) er8IU5nNU-RL FWD from -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 230F69E7
Jul 30 11:18:13 mail1 amavis[1006]: (01006-05) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [1.1.1.1]:59992 [108.222.197.75] -> , Queue-ID: F1F5B14D5, Message-ID: <017101d3094f$6ef5df70$4ce19e50$@com>, mail_id: er8IU5nNU-RL, Hits: -, size: 1022, queued_as: 230F69E7, 136 ms
# ??? postfix reports it got a message via lmtp from amavis (10024), and it has sent it, although I think it actually sent the filtered version 230F69E7 per the local delivery log line that follows
Jul 30 11:18:13 mail1 postfix/lmtp[3495]: F1F5B14D5: to= , relay=127.0.0.1[127.0.0.1]:10024, delay=0.18, delays=0.03/0.01/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 230F69E7)
# qmgr removes the original message received F1F5B14D5 ?
Jul 30 11:18:13 mail1 postfix/qmgr[3285]: F1F5B14D5: removed
# delivers locally
Jul 30 11:18:13 mail1 postfix/local[3500]: 230F69E7: to= , relay=local, delay=0.04, delays=0.01/0.03/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
# qmgr removes the filtered message received 230F69E7 ?
Jul 30 11:18:13 mail1 postfix/qmgr[3285]: 230F69E7: removed
END
Re: Deciphering maillog transaction that resulted in reply to spammer
Bastian: I know this is getting off list-subject. I appreciate the pointer. That option is not in my amavisd.conf. I'm looking to see how to get it set. The examples I see discussing aren't very clear (to me). Once I understand what's going on at the postfix level I'll have a better idea hopefully. -- View this message in context: http://postfix.1071664.n5.nabble.com/RE-Deciphering-maillog-transaction-that-resulted-in-reply-to-spammer-tp91584p91593.html Sent from the Postfix Users mailing list archive at Nabble.com.
Re: Deciphering maillog transaction that resulted in reply to spammer
Sorry about the formatting. Damn Outlook client I guess. Hopefully below is not messed up format wise. Thanks for the pointer to Viktor's script. It appears to just have the postfix entries, not the handoffs back and forth. Seems to pick up 6 of the 20+ related lines. I get that it's just doing postfix, but it did not appear to get all of postfix.

## collate.pl output ##
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[5.133.8.185]
Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02: message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to= , relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed
# collate.pl end ##

Hopefully this is clean enough for some instruction on what these steps are.

# log entries
Jul 26 19:05:48 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:44150 to [pp.pp.pp.pp]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: NOQUEUE: reject: RCPT from [5.133.8.185]:44150: 450 4.3.2 Service currently unavailable; from= , to= , proto=ESMTP, helo=
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS NEW [5.133.8.185]:44150
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: DISCONNECT [5.133.8.185]:44150
# immediate retry on second connection to secondary IP:
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:33753 to [ss.ss.ss.ss]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS OLD [5.133.8.185]:33753
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: warning: hostname accept.rootp.us does not resolve to address 5.133.8.185: Name or service not known
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[5.133.8.185]
Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02: message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from= , size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) ESMTP :10024 /var/spool/amavisd/tmp/amavis-20170726T133617-05520-rH4yYe3A: -> SIZE=6760 BODY=8BITMIME RET=HDRS Received: from mail1.myserver.com ([127.0.0.1]) by localhost (mail1.myserver.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 26 Jul 2017 19:05:57 -0500 (CDT)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: pqyogYJQxVad [5.133.8.185] ->
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) WARN: MIME::Parser error: unexpected end of header; ; error: couldn't parse head; error near:; ; ; error: part did not end with expected boundary; ; error: unexpected end of parts before epilogue
Jul 26 19:05:57 mail1 clamd[788]: SelfCheck: Database status OK.
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: connect from localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/cleanup[11094]: 67FB13910: message-id=
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> , ENVID=am.walip0zshz9c.20170727t0005...@mail1.myserver.com BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [5.133.8.185]:33753 [5.133.8.185] -> , Queue-ID: E58673D02, Message-ID: <5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>, mail_id: pqyogYJQxVad, Hits: -, size: 6763, 160 ms
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to= , relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
##
-- View this message in context: http://postfix.1071664.n5.nabble.com/RE-Deciphering-maillog-transaction-that-resulted-in-reply-to-spammer-tp91584p91592.html
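Both transactions quoted on this page can be followed by joining queue IDs through the breadcrumbs Postfix and amavis leave in each other's log lines. In the clean flow in the post above, smtpd logs 230F69E7 with orig_queue_id=F1F5B14D5 and the lmtp status line for F1F5B14D5 says "queued as 230F69E7". In the bounce flow in this post there is no such Postfix-side link: 67FB13910 is a fresh submission from amavis without orig_queue_id, and the status line for E58673D02 says BOUNCE rather than "queued as", so only the amavis task id (05520-17, which appears as id=05520-17 in the Postfix status text and as the (05520-17) prefix on amavis's own lines, next to Queue-ID: E58673D02 and "queued as 67FB13910") ties the two together. The script below is an added example, not the collate.pl mentioned above and not part of any post; it builds that link graph and prints every line of one transaction. The sample log is constructed for it, modelled on the bounce above with addresses and IPs replaced by documentation values.

```python
"""Collate one Postfix/amavisd-new mail transaction across queue-ID handoffs.

Added example; it is not the thread's collate.pl and not part of the posts.
Postfix gives a message a new queue ID every time it is re-injected, so a
filtered (or bounced) message appears under several IDs. The breadcrumbs
that connect them, all visible in the logs quoted in this thread, are:
  orig_queue_id=X       smtpd line of a re-injected (XFORWARDed) message
  queued as Y           status=sent text when the next hop is another Postfix
  queued_as: Y          amavis summary line (Passed/Blocked ...)
  Queue-ID: X           amavis summary line, the ID amavis received
  id=NNNNN-NN           amavis task id inside Postfix's status=sent text
  (NNNNN-NN)            amavis task id prefix on amavis's own lines
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Default short queue IDs. Long IDs (enable_long_queue_ids = yes) use a
# mixed-case alphabet and would need a wider character class here.
_QID = r"[0-9A-F]{6,}"
RE_POSTFIX = re.compile(r"postfix(?:-\w+)?/\w+\[\d+\]: (?P<id>%s|NOQUEUE): (?P<rest>.*)" % _QID)
RE_AMAVIS = re.compile(r"amavis\[\d+\]: \((?P<id>\d+-\d+)\) (?P<rest>.*)")
RE_LINKS = [
    re.compile(r"orig_queue_id=(%s)" % _QID),
    re.compile(r"queued as (%s)" % _QID),
    re.compile(r"queued_as: (%s)" % _QID),
    re.compile(r"Queue-ID: (%s)" % _QID),
    re.compile(r"(?<![\w-])id=(\d+-\d+)"),   # not message-id= or ENVID=
]

# Constructed sample, modelled on the bounce transaction in the thread;
# addresses and IPs are documentation values. The last line is unrelated.
SAMPLE_LOG = [
    "Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[192.0.2.10]",
    "Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02: message-id=<deadbeef@pearls.example>",
    "Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<bulk@pearls.example>, size=6760, nrcpt=1 (queue active)",
    "Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: pqyogYJQxVad [192.0.2.10] <bulk@pearls.example> -> <scott@example.com>",
    "Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]",
    "Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)",
    "Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> <bulk@pearls.example>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910",
    "Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [192.0.2.10] <bulk@pearls.example> -> <scott@example.com>, Queue-ID: E58673D02, mail_id: pqyogYJQxVad, size: 6763, 160 ms",
    "Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<scott@example.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)",
    "Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed",
    "Jul 26 19:05:58 mail1 postfix/smtp[11096]: 67FB13910: to=<bulk@pearls.example>, relay=mx.pearls.example[192.0.2.20]:25, dsn=2.0.0, status=sent (250 OK)",
    "Jul 26 19:05:58 mail1 postfix/qmgr[910]: 67FB13910: removed",
    "Jul 26 19:06:02 mail1 postfix/smtpd[11088]: A0B1C2D3E: client=mail.other.example[192.0.2.30]",
]


def identify(line: str) -> Tuple[Optional[str], str]:
    """(node id, remainder): a Postfix queue ID or an amavis task id, or (None, '')."""
    for rx in (RE_POSTFIX, RE_AMAVIS):
        m = rx.search(line)
        if m:
            return m.group("id"), m.group("rest")
    return None, ""


def link_graph(lines: List[str]) -> Dict[str, Set[str]]:
    """Undirected graph of queue IDs and amavis task ids joined by the breadcrumbs."""
    graph: Dict[str, Set[str]] = {}
    for line in lines:
        node, rest = identify(line)
        if node is None or node == "NOQUEUE":
            continue
        graph.setdefault(node, set())
        for rx in RE_LINKS:
            for other in rx.findall(rest):
                graph[node].add(other)
                graph.setdefault(other, set()).add(node)
    return graph


def related_ids(lines: List[str], start: str) -> Set[str]:
    """Every queue ID / task id reachable from `start` through the links."""
    graph = link_graph(lines)
    seen: Set[str] = set()
    todo = [start]
    while todo:
        node = todo.pop()
        if node in seen:
            continue
        seen.add(node)
        todo.extend(graph.get(node, ()))
    return seen


def collate(lines: List[str], start: str) -> List[str]:
    """All log lines, in original order, that belong to the same transaction."""
    ids = related_ids(lines, start)
    return [line for line in lines if identify(line)[0] in ids]


if __name__ == "__main__":
    print("\n".join(collate(SAMPLE_LOG, "E58673D02")))
```

Lines that carry no queue ID at all (postscreen CONNECT/PASS, smtpd "connect from" and "disconnect from", the clamd SelfCheck) are only tied to a transaction by process id and time, so this script leaves them out, which is the same gap the poster noticed in collate.pl's output. Run it against a real maillog with `collate(open("/var/log/maillog").read().splitlines(), "E58673D02")`.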
List posting question
I'm trying to post a question, a copy of 20 lines or so of a maillog, and the output of postconf -n. The list does not seem to be accepting it. Maybe because the log has some IPs and an address of a spammer? What should I do to sanitize it so it will post? Not sure what's triggering the block. I tried posting it from my server and from nabble.com as well. Nabble stays at "...not accepted yet". Thanks, Scott -- View this message in context: http://postfix.1071664.n5.nabble.com/List-posting-question-tp91580.html
postscreen dnsbl AND smtpd_recipient_restrictions rbl?
I'm converting to use postscreen. I have a question about DNSBLs in postscreen vs smtpd_recipient_restrictions. Following threads here and a git by Steve Jenkins I was going to start with this for postscreen:

postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.mailspike.net*2
    b.barracudacentral.org*2
    bl.spameatingmonkey.net
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[2..15].0*-2
    list.dnswl.org=127.0.[2..15].1*-3
    list.dnswl.org=127.0.[2..15].[2..3]*-4
    wl.mailspike.net=127.0.0.[17;18]*-1
    wl.mailspike.net=127.0.0.[19;20]*-2

I had my smtpd_recipient_restrictions RBLs as:

    ...
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
    reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
    reject_rbl_client bl.spamcop.net
    reject_rbl_client psbl.surriel.com
    reject_rbl_client cbl.abuseat.org,
    ...

I've seen in other threads configs that left some but not all RBLs in their smtpd_recipient_restrictions. If I'm going to reject no matter what at smtpd_recipient_restrictions, it seems I should give that RBL a high score in postscreen checks and not do the second check in smtpd_recipient_restrictions? I understood that the second lookup is "free" since it's cached, but is there any advantage/disadvantage to having both? Any advice appreciated. -- View this message in context: http://postfix.1071664.n5.nabble.com/postscreen-dnsbl-AND-smtpd-recipient-restrictions-rbl-tp91307.html
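Whether a second reject_rbl_client check in smtpd adds anything depends on what score a client can reach postscreen's smtpd handoff with, and that is arithmetic over the postscreen_dnsbl_sites list: each entry is domain, an optional =filter on the A record the DNSBL returns (a number, a [a..b] range or a [a;b] list per octet), and an optional *weight, and the weights of all matching entries are added and compared with postscreen_dnsbl_threshold (default 1). The script below is an added example, not part of the post or of Postfix. It parses the poster's list exactly as written above and scores three constructed clients against it; the DNSBL replies are made up and nothing is looked up over the network. The per-entry accounting (each entry counts once, however many returned A records match its filter) is my reading of postconf(5) and should be treated as an assumption.

```python
"""Score a client against a postscreen_dnsbl_sites list the way postscreen does.

Added example, not from the thread. DNSBL replies are constructed, not queried.
Assumption: each matching entry adds its weight once, however many returned
A records match its filter (my reading of postconf(5)).
"""
import re
from typing import Dict, List, Tuple

# Dotted-quad filter: tokens are a number, a range [a..b] or a list [a;b;c].
_FILTER_TOKEN = re.compile(r"\[[^\]]*\]|[^.\[\]]+")
_BRACKET = re.compile(r"^\[(.*)\]$")


def _octet_matches(pattern: str, value: int) -> bool:
    m = _BRACKET.match(pattern)
    if not m:
        return int(pattern) == value
    for part in m.group(1).split(";"):
        if ".." in part:
            lo, hi = part.split("..", 1)
            if int(lo) <= value <= int(hi):
                return True
        elif int(part) == value:
            return True
    return False


def parse_site(entry: str) -> Tuple[str, List[str], int]:
    """'list.dnswl.org=127.0.[2..15].1*-3' -> ('list.dnswl.org', ['127','0','[2..15]','1'], -3)."""
    weight = 1
    if "*" in entry:
        entry, w = entry.rsplit("*", 1)
        weight = int(w)
    domain, _, filt = entry.partition("=")
    octets = _FILTER_TOKEN.findall(filt) if filt else []
    if octets and len(octets) != 4:
        raise ValueError("filter must be a dotted quad: %s" % filt)
    return domain, octets, weight


def address_matches(octets: List[str], addr: str) -> bool:
    if not octets:  # no filter: any listing counts
        return True
    parts = addr.split(".")
    return len(parts) == 4 and all(_octet_matches(p, int(v)) for p, v in zip(octets, parts))


def dnsbl_score(sites: str, replies: Dict[str, List[str]]) -> int:
    """replies maps DNSBL domain -> A records returned for the client ([] if unlisted)."""
    score = 0
    for entry in sites.split():
        domain, octets, weight = parse_site(entry)
        if any(address_matches(octets, a) for a in replies.get(domain, [])):
            score += weight
    return score


def postscreen_decision(score: int, threshold: int = 1, whitelist_threshold: int = 0) -> str:
    """postscreen_dnsbl_threshold default 1; whitelist threshold 0 = disabled,
    a negative value whitelists clients whose score is at or below it."""
    if score >= threshold:
        return "dnsbl-reject"   # acted on only if postscreen_dnsbl_action is enforce or drop
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "whitelist"      # skips the remaining before/after-220 tests
    return "continue"


# The poster's list, reproduced verbatim as the configuration under test.
SITES = ("zen.spamhaus.org*3 bl.mailspike.net*2 b.barracudacentral.org*2 "
         "bl.spameatingmonkey.net bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com "
         "swl.spamhaus.org*-4 list.dnswl.org=127.0.[2..15].0*-2 "
         "list.dnswl.org=127.0.[2..15].1*-3 list.dnswl.org=127.0.[2..15].[2..3]*-4 "
         "wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2")

# Constructed replies for three clients (nothing was actually queried).
CLIENTS = {
    "spammer": {"zen.spamhaus.org": ["127.0.0.2"], "bl.spamcop.net": ["127.0.0.2"]},
    "listed_but_trusted": {"bl.spamcop.net": ["127.0.0.2"], "list.dnswl.org": ["127.0.4.1"]},
    "clean": {},
}


def evaluate(client: str, whitelist_threshold: int = -2) -> Tuple[int, str]:
    score = dnsbl_score(SITES, CLIENTS[client])
    return score, postscreen_decision(score, 1, whitelist_threshold)


if __name__ == "__main__":
    for name in CLIENTS:
        print(name, *evaluate(name))
```

Two things the numbers make visible. A client on bl.spamcop.net (weight 1) that is also on dnswl with a 127.0.x.1 reply (weight -3) nets -2 and never reaches an smtpd reject_rbl_client bl.spamcop.net, while a client that is only on spamcop scores exactly the threshold and is rejected by postscreen, so the smtpd entry for the same list only fires for clients that never went through postscreen (those matched by a permit entry in postscreen_access_list, including the default permit_mynetworks, or connecting to a port postscreen does not front). Note also that postscreen_dnsbl_action defaults to ignore, which logs the score without rejecting; it has to be set to enforce or drop for the score to matter.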
Re: upgrade/compile options
Thanks Peter, appreciate the nudge. What the hell, I'm in. I'll try it on my test server. It would be nice for me to stay in the yum update world. -- View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241p91262.html
Re: upgrade/compile options
Hi Peter:

> Why are you trying to upgrade from old to slightly less old? The
> current stable of postfix is 3.2.2.

Valid question. It wasn't because of EOL concerns. I was looking to add the feature available in 2.11+: postscreen_dnsbl_whitelist_threshold. Beyond that, I was just chicken of biting off too much at a time without having a handle on it. Baby steps. v2.10 (and now 2.11) will be my first use of postscreen and will have enough new to it vs. the old version I'm upgrading from. Maybe an unfounded fear and I should go right to 3.2, but that's why I was just moving to 2.11. Once I'm comfy, maybe move up another few rungs to 3.2. -- View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241p91250.html
Re: upgrade/compile options
I removed the one Cyrus SASL path Victor pointed out. For anyone else who may come on this searching... Google "Steve Jenkins Building Postfix on RHEL / CentOS from Source" for detailed steps. Except for me I wanted TLS, Dovecot SASL (no Cyrus), the rest as normal for the distribution. On a stock centos7 install with functioning postfix 2.10, SASL and TLS, I did this to upgrade to 2.11:

- yum install gcc openssl-devel pcre pcre-devel dovecot-devel
- download source to /usr/local/src
- used this to build makefile on x64:

make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS=' -L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

Be sure to exclude postfix from yum updates so it doesn't get hosed if they ever get around to updating. -- View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241p91248.html
Re: upgrade/compile options
Wietse:

> If I correct your command for word-wrap breakage and spurious spaces,
> but otherwise leave all the unnecessary stuff in place, it produces
> a working build with Postfix 3.3 on Fedora Core 24.

The reference I started with was one by Steve Jenkins for a Centos 7 system (and others). I'd be grateful to see the compile arguments without the "unnecessary stuff".

make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

Anyway, after make upgrade and a restart I didn't get the warnings this time on test messages. Apologies for the static. I would be grateful for the "only necessary stuff" line. Thank you (Victor too). -- View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241p91247.html
upgrade/compile options
I have a functioning install of 2.10 from rpm's on Centos7. I'm trying to upgrade the postfix to 2.11. I don't use LDAP and I'm using Dovecot for SASL. I use TLS. Following the postfix docs and others' directions, I've tried to pick the correct compile options. Unfortunately for me RedHat/Centos doesn't appear to include the .out file I need to see how they compiled theirs. This is the script I'm using to create the makefile and compile. The compile goes fine without any errors that I see:

make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" - DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='- L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath, /usr/lib 64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

But in the logs I have warnings about both TLS and SASL not being compiled in:

warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
warning: TLS has been selected, but TLS support is not compiled in

I did add this include: -I/usr/include/dovecot in lieu of a direction to use /usr/include/sasl, which did not exist. Can someone help me with my compile options? Do I have to keep the CYRUS parts in there, too? Figure I'm missing an option or path. Thanks -- View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241.html
Re: postscreen delay improvement - multiple IP addresses
> http://www.postfix.org/POSTSCREEN_README.html#white_veto

Noel. I had read that section of the manual but it didn't sink in. Now I get it perfectly. Thanks again, much appreciated. -- View this message in context: http://postfix.1071664.n5.nabble.com/postscreen-delay-inprovement-multple-IP-addresses-tp91174p91224.html
Re: postscreen delay improvement - multiple IP addresses
re "IP addresses, published in DNS as different IP addresses for the same MX hostname or for different MX hostnames. This avoids mail delivery delays with clients that reconnect immediately from the same IP address."

I understand now this had nothing to do with improving systems that (re)connect from different IPs. Hopefully not too elementary of a question: I would like to understand how it helps for clients reconnecting immediately from the same IP. Will such a client immediately retry on the next available DNS configured MX (if available) vs. some other delay to retry on the same IP? As if the primary was considered unavailable so it immediately tries the secondary? That would be great presuming the undesirables don't. Thanks again, Scott -- View this message in context: http://postfix.1071664.n5.nabble.com/postscreen-delay-inprovement-multple-IP-addresses-tp91174p91197.html
Re: postscreen with postgrey - can they cause a double reject?
Thank you for the expert input. I will heed your advice. Scott -- View this message in context: http://postfix.1071664.n5.nabble.com/postscreen-with-postgrey-can-they-cause-a-double-reject-tp91176p91183.html
Re: postscreen delay improvement - multiple IP addresses
Thanks guys, I understand now. Much appreciated. -- View this message in context: http://postfix.1071664.n5.nabble.com/postscreen-delay-inprovement-multple-IP-addresses-tp91174p91182.html
postscreen with postgrey - can they cause a double reject?
I searched for answers regarding using both postscreen and greylisting. I saw some differing opinions. But I did not see this point covered. Assuming a client's first connection to me to deliver, and assuming that postscreen is configured for deep protocol tests, and the connection passes all tests: I understand postscreen will temporarily whitelist the IP, but the client must reconnect in order to deliver. On that second connection, postscreen hands off to postfix due to the temporary whitelist. If I have greylisting configured, as I have done it in the past in main.cf:

smtpd_recipient_restrictions
    ...
    check_policy_service unix:postgrey/socket
    permit

Won't this second connection get temp rejected by my normal greylisting a second time? The regular greylisting won't know about postscreen's recent pass. So wouldn't the client have to connect for a 3rd time to deliver? That would seem to me to be an argument against using both, or at least using both with postscreen's deep protocol tests enabled. I'd be grateful to be straightened out if I have it wrong.
postscreen delay improvement - multiple IP addresses
I'm working on converting to using postscreen. Studying the details. I have a question from the docs related to the delays due to the effective greylisting caused by "Tests after the 220 SMTP server greeting". I believe my server would qualify as a small site receiving mail for just a few hundred users. Snippet from the Howto:

"The following measures may help to avoid email delays: Small sites: Configure postscreen(8) to listen on multiple IP addresses, published in DNS as different IP addresses for the same MX hostname or for different MX hostnames. This avoids mail delivery delays with clients that reconnect immediately from the same IP address."

Can someone help me understand why this helps? If I add an IP to the server and configure it as a second instance of the MX hostname, how does that help with a server that may reconnect from a different IP? I thought that if it reconnected immediately from the same IP, that would be a good thing. Or maybe I misunderstood "immediately". I took it to mean immediately after getting a 4xx response and drop. I assume this doesn't do anything to help with servers like Google that will connect from a different server? Anyway, I'd appreciate it if someone could elaborate so I understand this detail. Thank you, Scott
RE: Unable to get TLS working with Outlook
> The last "master.cf" should be "main.cf".

Check.

> specify mua_client_restrictions, mua_helo_restrictions, and mua_sender_restrictions in master.cf.

Done. And I finally got a message to pass via submission from Outlook. What are good/reasonable restrictions to add for the submission service? I will only have typical consumer users using Windows Outlook and iPhones to send mail through that port once authenticated. On my old box I only have

smtpd_recipient_restrictions=permit_sasl_authenticated,reject

and that was working fine. Anything else I need to add to the mua restrictions while I'm at it? I'm so relieved to get past this Outlook-send hurdle.

= postconf -n =
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
# New
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions =
mua_sender_restrictions =
###
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, x.x.x.x/32, y.y.y.y/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = xxx.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_helo_access hash:/etc/postfix/helo_checks, check_sender_access hash:/etc/postfix/sender_checks, check_client_access hash:/etc/postfix/client_checks, check_client_access pcre:/etc/postfix/client_checks.pcre, check_recipient_access hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

= Master.cf =
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtp-amavis unix - - n - 3 smtp
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes
smtp inet n - n - - smtpd -v
  -o cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup
  -o cleanup_service_name=pre-cleanup
pre-cleanup unix n - n - 0 cleanup
  -o virtual_alias_maps=
  -o canonical_maps=
  -o
RE: Unable to get TLS working with Outlook
> Otherwise, the absence of "AUTH" in the EHLO reply might be a configuration
> issue with dovecot, or is rather mysterious.

Well, at least no AUTH was something to go on, thanks, I missed that detail. Checked the socket path setting and the file permissions, all looked good there. I found what I hope is the main issue and cure. Since I was able to send a message to the server from an iPhone, I'm getting close. Noob error, but it's something I haven't set in a while, didn't realize it was there. An Outlook drop down for "Use the following type of encrypted connection: None, SSL, TLS, or Auto." It was set to none. Fixed. Now if I try to connect I get the AUTH, but the message is rejected with recipient address restrictions:

Jul 24 15:35:28 tn2 postfix/smtpd[10358]: >>> START Recipient address RESTRICTIONS <<<
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks: name=reject_invalid_hostname
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: reject_invalid_hostname: HDPLEX2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks: name=reject_invalid_hostname status=0
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks: name=reject_non_fqdn_hostname
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: reject_non_fqdn_hostname: HDPLEX2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: NOQUEUE: reject: RCPT from hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks: name=reject_non_fqdn_hostname status=2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: >>> END Recipient address RESTRICTIONS <<<

The client PC's "name" is HDPLEX2. Is there a (safe) workaround to this without changing all my Windows PCs to FQDN names?
RE: Unable to get TLS working with Outlook
The problem is occurring with MS Outlook 2007. Can't get it to work on 465 or 587. For the 587/submission port I changed it to the settings from Patrick Koetter's guide (http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_suppor t.html) ## TLS # Transport Layer Security smtpd_use_tls = yes smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom In master.cf I changed submission section to below for testing, Commented some restrictions for now to test. submission inetn - n - - smtpd -v -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth # -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_local_domain=$myhostname -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_login_maps=hash:/etc/postfix/virtual_users # -o smtpd_sender_restrictions=reject_sender_login_mismatch # -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipi ent_domain,permit_sasl_authenticated,reject I can send a mail via telnet from a different server to 587 (or 465) including SASL authentication using: openssl s_client -connect tn2.myserver.com:587 -starttls smtp -crlf I used echo -ne '\0myusername\0thatpassword' | openssl enc -base64 to generate the credentials for AUTH PLAIN I'm shown the certificate then I ehlo through quit and the server delivers the message to the local account I sent it to. The Outlook box retrieves it via POP. I also tried the same command above from a linux machine on the same (home)IP as my desktop Outlook PC, it too will let me send a message through the submission port 587 using the openssl comand above. But if I try to send from Outlook to port 587, the connection fails. 
Outlook's "Test account settings" reports: "Send test e-mail message: None of the authentication methods supported by this client are supported by your server."

The log from the Outlook connection here: hh.hh.hh.hh is my home/Outlook PC's IP address.
RE: Unable to get TLS working with Outlook
> Don't waste our time posting configuration data from the wrong machine.

I won't. I didn't. The posted configs are from the box I'm working on now. Was just mentioning the other one to explain the commented line. Thank you for the advice on that line in any case.

> If you have mail clients that only support port 465 wrapper-mode SSL rather
> than STARTTLS, you'll need the port 465 service. Strident views to the contrary
> don't change the facts. Good luck.

I do not have any such clients, unless Outlook 2007 is one of them? If it is I can upgrade that. Anyway, I understand the point, thank you.

> re: ...O'Reilly...

I misspoke from being tired. The book I used was yours and Patrick's (Book of Postfix, 2005), had almost forgotten about it. Last time I had to do this was 2010. Had no trouble then. Excuse my digression, back to my issue then...
RE: Unable to get TLS working with Outlook
>> #port 465
>> # my inbound mail comes here
>> smtps     inet  n       -       n       -       -       smtpd -v
>> # next line below so I don't filter the mail I send in via 465
>> # -o content_filter=
>> # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>> # -o smtpd_sasl_auth_enable=yes
>> # -o smtpd_tls_wrappermode=yes
>> # -o syslog_name=postfix/smtps
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_sasl_type=dovecot
>>   -o smtpd_sasl_path=private/auth
>>   -o smtpd_sasl_security_options=noanonymous
>>   -o smtpd_sasl_local_domain=$myhostname
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
>>   -o smtpd_sender_restrictions=reject_sender_login_mismatch
>>   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
>
> Commenting out "-o smtpd_tls_wrappermode=yes" is rather unwise for port
> 465

Thanks Victor. It's probably where I was turning off things on this new box to troubleshoot, or following some howto on the web in desperation. It is uncommented on my production box. I understand I don't need the 465 port anymore from a different poster.

My production box was set up a long time ago. I used the O'Reilly book, a popular guide from HughesJR.com (gone now), Jim Seymour's Postfix anti-UCE configuration, and notes from the occasional question on this mailing list a long time ago. I'd like to get back to that setup as it has worked very well for many years. Just can't seem to get it all working on Centos 7. :(

Thanks, Scott
RE: Unable to get TLS working with Outlook
>> test tunneled TLS connections to port 465
>> openssl s_client -connect tn2.myserver.com:465
>> Appears to work
>> -
>> From remote server
>> test STARTTLS connections on port 25 or 587 with:
>> openssl s_client -connect tn2.myserver.com:587 -starttls smtp
>> appears to work, shows a bunch of info and the certificate text.
>> Nothing that looks like errors except a line that says:
>> verify error:num=18:self signed certificate
>> verify return:1
>> -
>
> You can confirm or refute on your "appears to work" conclusions 2 ways:
>
> 1. Look in your server logs for lines with content like this:
>
>    postfix/smtpd[123]: Anonymous TLS connection established from
> host.example.com[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA
>
> 2. When using openssl s_client, you should be left connected in a SMTP
> session so you can issue a EHLO command and should get a reasonable
> reply. If not, there's something wrong.

Well crap. Something I've done has caused the first test to port 465 to stop working. I'm nearly positive it was working.

[root@tn1] # openssl s_client -connect tn2.myserver.com:465
CONNECTED(0003)
26351:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

When I run this command, "Anonymous" is there:

openssl s_client -connect tn2.companypostoffice.com:587 -starttls smtp

Jul 23 19:23:59 tn2 postfix/smtpd[2007]: Anonymous TLS connection established from tn1.myserver.com[xx.xx.xx.xx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

I can also ehlo and issue smtp commands after the above.

>> --
>>
>> MS Outlook is happy using port 587 (SASL only I think)
>> I can deliver a test
>> message. POP also works and it will retrieve same.
>
> POP and IMAP are irrelevant here, since they are not part of Postfix, but it's
> good to know that you don't seem to have any issues with Dovecot
> complicating things and obscuring your Postfix issues...

Well, I spoke too soon there. I'm using Outlook's utility to "test settings" where it sends the message. If I send a message locally I can then get it via POP. I can only send the message via port 587 (no TLS I don't think, about to fix that). I can send and then POP a message using that port as is. I had Dovecot jacked for a minute trying to get mbox format to work, finally got settings in each of them they were happy with. POPing again now. Can fine-tune that another day (want them in /var/spool/mail/user, have them in HOME/mail/inbox).

> Serious question: why do you care? Port 465 SSL-wrapped SMTP was never
> made a standard and correctly never will be. No software that I'm aware of
> can use that botch and cannot use STARTTLS except for a few clients so
> outdated as to be inherently unsafe (e.g. antique versions of
> Outlook.) Make sure Outlook is using STARTTLS on port 587 and be happy
> with that: it's a service defined by a RFC which is supported by any client
> software that isn't a danger to its users. Since port 465 service owes its
> zombie existence to an early draft for SSLv3 that was never made into any
> sort of standard, it is formally improper to offer ANY TLS version over it, while
> all versions of SSL should be treated as broken and obsolete. Do you see the
> problem?
>
> Assuming you have a concrete need (e.g. The Boss uses Outlook Express on
> Windows ME and won't upgrade,) if s_client is working to port 465 and
> Outlook is not, you have an Outlook problem. Talk to your vendor about that.
> Since you've not included your master.cf configuration for the smtps (port
> 465) service, there's no hope of diagnosis here at present.

Re why do I care: I do not, and will defer to your experience on this point for sure. I was just replicating (trying to) what I had. If it's not needed anymore I'm ALL FOR getting rid of it and making it simpler. I only have a few local accounts on the box. Everything else is relayed. Old OL versions are not an issue. So I need to get rid of the 465 setup and get 587 working right... Check.

But, I'm not sure how to do that right :( So, here's my master.cf below. I'd be extremely grateful for any pruning/editing.

> 1. Back off smtpd_tls_loglevel to 1. All of the above happened within a
> second and provides no useful clues.

How do I change the level? I only know how to add the -v.

> 2. Without knowing the config of the smtps service (i.e. the relevant lines
> from master.cf) it is impossible to do anything more than make wild guesses.
> I'm going to make the wild guess that you didn't uncomment all of the
> essential continuation lines after the first one for smtps:
> the indented ones starting with '-o'.

I've been using my original config that I've used for years, and editing it as I go trying to get it to work. I'm a little lost at this point. I'll post what I have in its current state.

> Side note on this:
>
>> Telnet to the server and STARTTLS seems happy:
>> 220 tn2.myserver.com ESMTP Postfix
>> ehlo sample.com
>> 250-tn2.myserver.com
>>
Unable to get TLS working with Outlook
I'm building a new server to replace an old one in production. I've never had trouble in the past, but it's been a while and it is not going smoothly this time. I've spent a week trying and not getting it going. I gave up getting Cyrus-sasl to work, moved to Dovecot. Got farther but stuck now. Eyes crossed. :)

This is on Centos 7, Postfix 2.10.1 from stock rpm, Dovecot 2.2.10. I have my self-signed certificates made and entered in main.cf and /etc/dovecot/conf.d/10-ssl.conf. I am no certificate guru, I think I have them right.

I've checked everything best I can figure out how:

- test tunneled TLS connections to port 465
  openssl s_client -connect tn2.myserver.com:465
  Appears to work

- From remote server
  test STARTTLS connections on port 25 or 587 with:
  openssl s_client -connect tn2.myserver.com:587 -starttls smtp
  appears to work, shows a bunch of info and the certificate text. Nothing that looks like errors except a line that says:
  verify error:num=18:self signed certificate
  verify return:1

- From remote server
  Tested my cacert.pem certificate with
  openssl x509 -in cacert.pem -inform pem -noout -text
  It did not ask for a PW, displayed contents, so I think that's good (happy to post output if it helps)

- checked if the cert and key match
  (openssl x509 -noout -modulus -in /etc/certs/tn2.myserver.com.crt | openssl md5 ; openssl rsa -noout -modulus -in /etc/certs/tn2.myserver.com.key | openssl md5) | uniq
  I only get one match so I think that's good.

Telnet to the server and STARTTLS seems happy:

220 tn2.myserver.com ESMTP Postfix
ehlo sample.com
250-tn2.myserver.com
250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS

---

My postfix config is:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_helo_access hash:/etc/postfix/helo_checks, check_sender_access hash:/etc/postfix/sender_checks, check_client_access hash:/etc/postfix/client_checks, check_client_access pcre:/etc/postfix/client_checks.pcre, check_recipient_access hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

--

MS Outlook is happy using port 587 (SASL only I think). I can deliver a test message. POP also works and it will retrieve same. But with Outlook set to use port 465 it will not work. Times out. The maillog for the timed-out test shows below. It gets to that last line and just hangs.

Jul 23
RE: Bounce a particular recipient address with specified reject message
> You are NOT 'rejecting', you are ACCEPTING, then BOUNCING, which you should
> never do if you can possibly help it. Reject it at smtp time. Why waste
> system resources scanning messages you will later bounce?

I understand your point. Thank you for correcting my syntax.

FWIW, this will only happen to a relatively minuscule number of inbound messages. I don't *think* it will take much in the way of resources. For my specific purpose, this check is to deal with the occasional, but fairly regular, incorrect replies to the announcement list. The access map check is likely to only have to deal with such an accept-then-bounce a few times a week. So instead of testing thousands per day of unrelated inbound messages against this access check that I know will get hit rarely, I figured it would be better to put the check nearer the end of my UCE checks. Which will cause the occasional accept then bounce.

Mainly I was apprehensive about moving the restriction in my main.cf. I have tried to carefully select respected authorities' books and one particular UCE guide to build my main.cf. And it works very, very well (thanks Ralf). Not being an expert, I don't want to accidentally break anything that is there and screw it up. If you have a suggestion on where to put the access map restriction in my setup, I'm all ears. Thanks!
RE: Bounce a particular recipient address with specified reject message
Sahil, et al.:

> Use an access(5) or transport(5) map:

It appears that using an access map would best meet my need. I do not currently use an access map. Can you/anyone assist me with the proper placement of

check_client_access hash:/etc/postfix/access

in my setup? I don't want to screw up my restrictions, which otherwise work properly. I *think* putting it last, after my greylisting line (see comment in postconf output below) would be appropriate. I think I'd want them to pass all other spam checks before rejecting semi-legitimate mail to this particular address with my specific reject message.

Thanks, Scott

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = companypostoffice.com
myhostname = tn1.companypostoffice.com
mynetworks = localhost,$localdomain, xx.xx.xx.xx/32, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = differentdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, check_recipient_mx_access hash:/etc/postfix/mx_access, check_sender_mx_access hash:/etc/postfix/mx_access, reject_unknown_sender_domain, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_helo_access hash:/etc/postfix/helo_checks, check_sender_access hash:/etc/postfix/sender_checks, check_client_access hash:/etc/postfix/client_checks, check_client_access pcre:/etc/postfix/client_checks.pcre, reject_rbl_client list.dsbl.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, permit   ## access map check here ??
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users
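Two placement questions on this page come down to the same rule: Postfix walks a restriction list in order and stops at the first restriction that returns PERMIT or REJECT. The toy walker below (an added example, not Postfix code) shows why the authenticated Outlook client in the thread above was rejected on its HELO name "HDPLEX2" by the main.cf order but not by the submission override, and why a check placed after "permit" (the "access map check here" spot in the postconf output above) can never run. The Session fields, the example.com/example.org addresses and the reply texts are constructed stand-ins.

```python
"""Toy model of how Postfix walks an smtpd_recipient_restrictions list.
Added example, not Postfix code: it models only the restrictions quoted in
this thread (first PERMIT or REJECT wins, everything else is DUNNO)."""
import re
from dataclasses import dataclass, field

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


@dataclass
class Session:
    helo: str                    # HELO/EHLO hostname the client sent
    sasl_authenticated: bool     # client passed AUTH
    client_in_mynetworks: bool   # client IP matches $mynetworks
    recipient: str               # envelope RCPT TO address
    my_domains: set              # domains this server accepts mail for
    access_map: dict = field(default_factory=dict)  # recipient -> reply text


def helo_is_valid(helo):
    return bool(helo) and all(LABEL.match(lbl) for lbl in helo.split("."))


def evaluate(restrictions, s):
    """Return (verdict, restriction that decided, SMTP reply text)."""
    for entry in restrictions:
        name = entry.split()[0]          # drop the map argument, if any
        if name == "reject_invalid_hostname" and not helo_is_valid(s.helo):
            return ("REJECT", name, "501 5.5.2 Helo command rejected: Invalid name")
        if name == "reject_non_fqdn_hostname" and "." not in s.helo:
            return ("REJECT", name,
                    "504 5.5.2 Helo command rejected: need fully-qualified hostname")
        if name == "permit_sasl_authenticated" and s.sasl_authenticated:
            return ("PERMIT", name, "")
        if name == "permit_mynetworks" and s.client_in_mynetworks:
            return ("PERMIT", name, "")
        if name == "reject_unauth_destination":
            domain = s.recipient.rpartition("@")[2].lower()
            if domain not in s.my_domains:
                return ("REJECT", name, "554 5.7.1 Relay access denied")
        if name == "check_recipient_access":
            hit = s.access_map.get(s.recipient.lower())   # exact-key lookup only
            if hit:
                return ("REJECT", name, hit)
        if name == "permit":
            return ("PERMIT", name, "")
        if name == "reject":
            return ("REJECT", name, "554 5.7.1 Access denied")
        # anything else (RBLs, policy service, ...) is not modelled: DUNNO
    return ("PERMIT", "end of list", "")   # Postfix permits when the list runs out


# Order copied from the main.cf quoted in this thread (unmodelled entries omitted).
MAIN_CF_ORDER = [
    "reject_invalid_hostname", "reject_non_fqdn_hostname",
    "permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination",
    "check_recipient_access hash:/etc/postfix/access", "permit",
]
# Order from the submission "-o smtpd_recipient_restrictions" override on this page.
SUBMISSION_ORDER = ["permit_sasl_authenticated", "reject"]


def outlook_session():
    # Constructed from the log excerpt: authenticated Windows PC, HELO "HDPLEX2".
    return Session(helo="HDPLEX2", sasl_authenticated=True,
                   client_in_mynetworks=False, recipient="friend@example.org",
                   my_domains={"tn2.myserver.com"})


def verdict_main_cf():
    return evaluate(MAIN_CF_ORDER, outlook_session())      # HELO checks fire first


def verdict_submission():
    return evaluate(SUBMISSION_ORDER, outlook_session())   # AUTH wins, HELO never examined


def maillist_session():
    # Constructed stand-in for the no-reply list address; the real one is not shown here.
    return Session(helo="mx.example.net", sasl_authenticated=False,
                   client_in_mynetworks=False, recipient="noreply-list@example.com",
                   my_domains={"example.com"},
                   access_map={"noreply-list@example.com":
                               "550 Do not reply to this address"})


def verdict_check_after_permit():
    # "permit" ends evaluation, so a check placed after it is dead configuration.
    order = ["permit_mynetworks", "reject_unauth_destination", "permit",
             "check_recipient_access hash:/etc/postfix/access"]
    return evaluate(order, maillist_session())


def verdict_check_before_permit():
    order = ["permit_mynetworks", "reject_unauth_destination",
             "check_recipient_access hash:/etc/postfix/access", "permit"]
    return evaluate(order, maillist_session())


if __name__ == "__main__":
    for f in (verdict_main_cf, verdict_submission,
              verdict_check_after_permit, verdict_check_before_permit):
        print(f"{f.__name__:28s} -> {f()}")
```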
RE: Bounce a particular recipient address with specified reject message
I tried to set up an access map and reject a specific user. But the mails to that user are not rejected. I tried adding the access map in a few different places in the configuration, so far none worked. It shows up in the smtpd_recipient_restrictions line below. Can anyone see what I did wrong?

My access map file has:

mailli...@mydomain.com 550 REJECT

The corresponding access.db file is built and fresh. But mails to mailli...@mydomain.com get through without issue.

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = xxx
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = x
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = companypostoffice.com
myhostname = tn1.companypostoffice.com
mynetworks = localhost,$localdomain, xx.xx.xx.xx/32, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = differentdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, check_recipient_mx_access hash:/etc/postfix/mx_access, check_sender_mx_access hash:/etc/postfix/mx_access, reject_unknown_sender_domain, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_helo_access hash:/etc/postfix/helo_checks, check_sender_access hash:/etc/postfix/sender_checks, check_client_access hash:/etc/postfix/client_checks, check_client_access pcre:/etc/postfix/client_checks.pcre, check_client_access hash:/etc/postfix/access reject_rbl_client list.dsbl.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of techlist06
Sent: Tuesday, November 24, 2009 8:14 AM
To: postfix-users@postfix.org
Subject: Bounce a particular recipient address with specified reject message

Greetings:

I have what I expect is a simple question for you guys. Thanks to Ralf's book and the help here I have a many-year stable postfix configuration, love it, don't mess with it.

I have a very small hobby-based mailing list I maintain manually in Outlook. Although all maillist messages I send out include a footer asking the recipients not to reply to those maillist messages, the users will reply to the maillist messages occasionally and I would prefer they only reply to my other addresses. I can change the reply-to address in Outlook to an invalid one, and it will reject it back to the sender with "not in virtual user table", but I don't want that bounce message for this particular case.

Instead, I would like to set up postfix so it has a more friendly reject for mail sent to (via replies to my messages) maill...@mydomain.com with a particular reject message that instructs the user on what address(es) to use to better contact me. Something similar to:

550 reject The email address maill...@mydomain.com does not accept inbound mail. Please use one of these addresses for contacting us: maillist unsubscribe: rem...@mydomain.com, support issues: supp...@mydomain.com, other i...@mydomain.com, etc
RE: Bounce a particular recipient address with specified reject message
> You have:
> check_client_access hash:/etc/postfix/access
> which is wrong for matching email addresses:

Thanks, that fixed my error.

> check_recipient_access hash:/etc/postfix/access
>
> BTW, if you are trying to block all access to this email address, why not
> just remove it from your list(s) of valid recipients? Did I miss something
> earlier in the thread?

I was wanting to give a specific reject message for a particular address. It's a small, manually maintained maillist. I don't want the subscribers to reply to the reply-to address, but I didn't want to reject mails without a friendlier explanation of where they should reply. An auto-reply with reject, I guess. I expect there is a better way to do the same; this seems to work OK.
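Why check_client_access never matched the address entry while check_recipient_access does: the two restrictions derive different lookup keys from the session before consulting the same hash: table. The example below (added here, not Postfix code) reproduces the key order documented in access(5) for indexed tables, with parent_domain_matches_subdomains = smtpd_access_maps as in the postconf output above; the noreply-list@example.com entry and the mta.example.net client are constructed stand-ins.

```python
"""Which keys Postfix tries against an access(5) hash: table, and why one
entry is hit by check_recipient_access but not by check_client_access.
Added example, not Postfix code; it follows the lookup order in access(5)."""


def domain_keys(domain, parent_matches_subdomains):
    """The domain and each parent domain, down to the TLD. With
    parent_domain_matches_subdomains = smtpd_access_maps (as in the postconf
    output on this page) parents are looked up bare; otherwise as ".parent"."""
    labels = domain.lower().split(".")
    keys = []
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        keys.append(suffix if i == 0 or parent_matches_subdomains else "." + suffix)
    return keys


def recipient_lookup_keys(address, parent_matches_subdomains=True):
    """check_recipient_access / check_sender_access: user@domain, then the
    domain and its parents, then user@ (local part with any domain)."""
    local, _, domain = address.lower().rpartition("@")
    return [f"{local}@{domain}",
            *domain_keys(domain, parent_matches_subdomains),
            f"{local}@"]


def client_lookup_keys(hostname, ip, parent_matches_subdomains=True):
    """check_client_access: client hostname and its parents, then the IPv4
    address, then shorter and shorter network prefixes."""
    keys = []
    if hostname and hostname != "unknown":   # unresolvable clients log as "unknown"
        keys += domain_keys(hostname, parent_matches_subdomains)
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def lookup(access_map, keys):
    """First key present in the table wins; None means DUNNO (no decision)."""
    for k in keys:
        if k in access_map:
            return (k, access_map[k])
    return None


# Constructed stand-in for the poster's access table; the real address is
# elided on this page.
ACCESS_MAP = {"noreply-list@example.com": "550 Do not reply to this address"}


def as_recipient_check():
    return lookup(ACCESS_MAP, recipient_lookup_keys("noreply-list@example.com"))


def as_client_check():
    # The sending MTA's hostname and IP never yield an e-mail-address key, so
    # the entry cannot match here: mail "gets through without issue".
    return lookup(ACCESS_MAP, client_lookup_keys("mta.example.net", "192.0.2.10"))


def domain_wide_entry():
    # Caveat: a bare domain key matches every address in that domain and, with
    # parent_domain_matches_subdomains set, every subdomain as well.
    return lookup({"example.com": "550 REJECT"},
                  recipient_lookup_keys("someone@lists.example.com"))


if __name__ == "__main__":
    print("recipient keys:", recipient_lookup_keys("noreply-list@example.com"))
    print("client keys:   ", client_lookup_keys("mta.example.net", "192.0.2.10"))
    print(as_recipient_check(), as_client_check(), domain_wide_entry())
```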
RE: Bounce a particular recipient address with specified reject message
> So, lemme get this straight. You changed the list address, but instead of
> just sending an email to the list addresses telling all users of the list
> address change, you just decided to, in essence, inform them via an NDR when
> they send mail to the list? There have got to be at least 1000 list
> management how-to's on the web, and not a one would recommend you do this in
> this way, and probably all 1000 would say _never_ manage a list this
> way...yikes.

No, I didn't change the list address. It is not a mail list like this one, more of an announcement list. It is not a 2-way mailing list. The subscribers don't send anything to it for other subscribers to see. It's used rarely to send announcements of event cancellations, etc. About 1000 subscribers, manually maintained.

But the users tend to start an (unrelated) communication with us via replying to that announcement list's reply-to address, since that is where they last received a message from us. And so their message does not go to the right person; it goes to the source address of the announcement and we have to sort through them and direct the message to where it should have gone to start with. We just want to let a subscriber who incorrectly sends to the announcement list address know to use one of the correct addresses to communicate with us, not via replying to the announcement list. See? FWIW, we tell them not to do it with a footer and header on every announcement email, but they do it anyway.

I'm sure there is a better way; this seemed easy enough to implement. Perhaps an auto-reply type setup to that particular address. I looked at those and they looked more difficult to set up. I'd be grateful for better suggestions. I'll look for a better way to notify them. Thanks very much for the help.
RE: Bounce a particular recipient address with specified reject message
Noel: Thank you.

> The envelope sender where delivery problems are reported can be different
> from the From: header displayed in most email clients, which can also be
> different from the Reply-To: header where most mail clients will send if you
> hit the Reply button. You mustn't block the mail list's envelope sender
> address; you must be able to receive non-delivery notifications. There's
> nothing wrong with rejecting incoming mail addressed to the mail list From:
> address for an announce-only list.

I believe I understand, and that was exactly what I was setting up, I think. This is what I had set up to do:

The original message is actually sent from maill...@mydomain.com. The envelope sender, as I understand it. I NEED to know when an announcement message bounces, because that is how I maintain the list manually, and remove any invalid entries. When they bounce, I know they are bad, or I can decide if they've had too many mailbox full replies, etc., and then I remove the bounced address from the distribution list. So I have not blocked the envelope sender.

For announcements I send, I have the Reply-To set to a different, but similar address which is: maillist_nore...@mydomain.com (still trying to get their attention to not reply to the address). This is the address I have blocked in my new access table. So, if they click on reply in their client, the reply message should be sent to maillist_nore...@mydomain.com. My end accepts it (through spam filters), but then rejects the address with my custom reject message via my new access table with:

maillist_nore...@mydomain.com 550 Do not reply to this address, instead do this.

I did not add all that detail in my original post to avoid confusing my original question. Thanks for the detailed reply and helping me be sure I wasn't doing something wrong/improper.

Best, Scott
Bounce a particular recipient address with specified reject message
Greetings:

I have what I expect is a simple question for you guys. Thanks to Ralf's book and the help here I have a many-year stable postfix configuration, love it, don't mess with it.

I have a very small hobby-based mailing list I maintain manually in Outlook. Although all maillist messages I send out include a footer asking the recipients not to reply to those maillist messages, the users will reply to the maillist messages occasionally and I would prefer they only reply to my other addresses. I can change the reply-to address in Outlook to an invalid one, and it will reject it back to the sender with "not in virtual user table", but I don't want that bounce message for this particular case.

Instead, I would like to set up postfix so it has a more friendly reject for mail sent to (via replies to my messages) maill...@mydomain.com with a particular reject message that instructs the user on what address(es) to use to better contact me. Something similar to:

550 reject The email address maill...@mydomain.com does not accept inbound mail. Please use one of these addresses for contacting us: maillist unsubscribe: rem...@mydomain.com, support issues: supp...@mydomain.com, other i...@mydomain.com, etc.

I thought maybe adding the address maill...@mydomain.com to the recipient_checks.pcre? But I don't know how to write the re if that's the right place to do this. Can someone help and tell me where is the best place to set this up?

Thanks as always, Scott

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = companypostoffice.com
myhostname = tn1.companypostoffice.com
mynetworks = localhost,$localdomain, xx.xx.xx.xx/32, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = differentdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, check_recipient_mx_access hash:/etc/postfix/mx_access, check_sender_mx_access hash:/etc/postfix/mx_access, reject_unknown_sender_domain, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_helo_access hash:/etc/postfix/helo_checks, check_sender_access hash:/etc/postfix/sender_checks, check_client_access hash:/etc/postfix/client_checks, check_client_access pcre:/etc/postfix/client_checks.pcre, reject_rbl_client list.dsbl.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users