Re: RBL Spam question

2010-11-03 Thread Stan Hoeppner
Ned Slider put forth on 11/3/2010 6:33 PM: > My other thought was to simply comment (or document) ranges known to > contain FPs and then the user can make a judgement call whether they > want to comment out that particular regex based on their circumstances. > Not a very elegant solution. I'm sta

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 11:07 PM, Vincent Lefevre wrote: BTW, so, there is no way to match only subdomains (by that, I mean all possible subdomains, but not the domain itself) without changing parent_domain_matches_subdomains? That's correct with indexed tables. With regexp or pcre tables there is no au

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:55:59 -0500, Noel Jones wrote: > I'm so sorry you lost your twitter post. Actually I might have lost other mail (though this is a bit unlikely) since I was generally using an initial dot. > The access map format you're looking for is > twitter.com OK Thanks for the information.

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 10:50 PM, Vincent Lefevre wrote: Actually if a documentation is incorrect/incomplete, it is a bug in the documentation. And FYI, the consequence was a lost mail. So, this is quite serious. I'm so sorry you lost your twitter post. The access map format you're looking for is twit

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:16:48 -0500, Noel Jones wrote: > On 11/3/2010 10:00 PM, Vincent Lefevre wrote: > >On 2010-11-03 21:40:54 -0500, Noel Jones wrote: > >>".domain.tld" only works if parent_domain_matches_subdomains does NOT > >>include smtpd_access maps. > > > >The man page says nothing like that. So,

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 10:00 PM, Vincent Lefevre wrote: On 2010-11-03 21:40:54 -0500, Noel Jones wrote: ".domain.tld" only works if parent_domain_matches_subdomains does NOT include smtpd_access maps. The man page says nothing like that. So, the documentation should be fixed. The vast majority of rea

Re: RBL Spam question

2010-11-03 Thread Walter Pinto
I was able to accomplish that as well using fail2ban and some custom regex rules for it. It can be set up to use iptables or /etc/hosts.deny http://www.fail2ban.org/

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:40:54 -0500, Noel Jones wrote: > ".domain.tld" only works if parent_domain_matches_subdomains does NOT > include smtpd_access maps. The man page says nothing like that. So, the documentation should be fixed. -- Vincent Lefèvre - Web: 100% accessible val

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:44:00 -0500, /dev/rob0 wrote: > On Thu, Nov 04, 2010 at 03:36:30AM +0100, Vincent Lefevre wrote: > > On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: > > > On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > > > > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > >

Re: serious bug with check_client_access

2010-11-03 Thread Sahil Tandon
On Thu, 2010-11-04 at 03:36:30 +0100, Vincent Lefevre wrote: > On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: > > On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > > > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > > > > Vincent Lefevre: > > > > > As .twitter.com matches sub

Re: serious bug with check_client_access

2010-11-03 Thread /dev/rob0
On Thu, Nov 04, 2010 at 03:36:30AM +0100, Vincent Lefevre wrote: > On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: > > On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > > > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > > > > Vincent Lefevre: > > > > > As .twitter.com matches

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 9:36 PM, Vincent Lefevre wrote: On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent Lefevre: As .twitter.com matches subdomains, it should have matched What do

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: > On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > > > Vincent Lefevre: > > > > As .twitter.com matches subdomains, it should have matched > > > > > > What documentation supports

Re: RBL Spam question

2010-11-03 Thread JunkYardMail1
One of my favorite anti spam measures is auto add repeat RBL hits, no PTR hits, etc. to system firewall. Here are a few entire network permanent firewall blocks for example as well. ARIN--Level3-Sendlabs-DynDNS.org___-CIDR[63.209.253.224/27] ARIN--Level3-Sendlabs-DynDNS.org___-CIDR[63.211.192.12

Re: serious bug with check_client_access

2010-11-03 Thread /dev/rob0
On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > > Vincent Lefevre: > > > As .twitter.com matches subdomains, it should have matched > > > > What documentation supports this? > > The access(5) man page says: > > domain.t

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > Vincent Lefevre: > > As .twitter.com matches subdomains, it should have matched > > What documentation supports this? The access(5) man page says: domain.tld Matches domain.tld. The pattern domain.tld also matches s

Re: serious bug with check_client_access

2010-11-03 Thread Wietse Venema
Vincent Lefevre: > As .twitter.com matches subdomains, it should have matched What documentation supports this?

serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
Hi, It seems that I've found a serious bug in check_client_access (or something is missing in the documentation). A message was blocked with the following in the log: Nov 3 21:16:55 ioooi postfix/smtpd[15423]: NOQUEUE: reject: RCPT from mx003.twitter.com[128.121.146.152]: 554 5.7.1 Service una

Re: RBL Spam question

2010-11-03 Thread João Gouveia
Hi Jack, - "Jack" wrote: > Hello All, > > > > I'm just checking all my spam settings on my postfix servers and I > wanted to > know if anyone is using any newer RBL's than below? > > (which have a low false positive rate) My opinion is of course biased since we run Mailspike IP reputat

RE: RBL Spam question

2010-11-03 Thread Mark Scholten
> -Original Message- > From: owner-postfix-us...@postfix.org [mailto:owner-postfix- > us...@postfix.org] On Behalf Of Stan Hoeppner > Sent: Wednesday, November 03, 2010 8:05 PM > To: postfix-users@postfix.org > Subject: Re: RBL Spam question > > Charles Marcus put forth on 11/3/2010 8:49

Re: RBL Spam question

2010-11-03 Thread Ned Slider
On 03/11/10 21:54, Stan Hoeppner wrote: Ned Slider put forth on 11/3/2010 3:11 PM: Stan, and others who are using this file - have any of you looked at the overlap with greylisting? I would imagine that the vast majority of clients with dynamic/generic rDNS would be spambots and as such I would

Re: RBL Spam question

2010-11-03 Thread Stan Hoeppner
Ned Slider put forth on 11/3/2010 3:11 PM: > Stan, and others who are using this file - have any of you looked at the > overlap with greylisting? I would imagine that the vast majority of > clients with dynamic/generic rDNS would be spambots and as such I would > expect greylisting to block the va

Re: RBL Spam question

2010-11-03 Thread Ned Slider
On 03/11/10 19:04, Stan Hoeppner wrote: Charles Marcus put forth on 11/3/2010 8:49 AM: On 2010-11-02 10:07 PM, Stan Hoeppner wrote: ... check_client_access pcre:/etc/postfix/fqrdns.pcre ... I keep meaning to say/ask - thanks for this - and do you update this frequently

Re: Postfix locking up, not accepting connections / smtp not sending emails out

2010-11-03 Thread Stan Hoeppner
Christian Rohmann put forth on 11/3/2010 10:02 AM: > Maybe any1 has more ideas based on the fact that the > thing is stable with two cores now, but wasn't with eight. Absolutely. With 8 virtual CPUs (gasp OMG! big no-no) your guest kernel will be generating a vastly larger number of timer interr

Re: RBL Spam question

2010-11-03 Thread Stan Hoeppner
Charles Marcus put forth on 11/3/2010 8:49 AM: > On 2010-11-02 10:07 PM, Stan Hoeppner wrote: >> Last, but not least important by any means (understatement), you may >> wish to try out: >> http://www.hardwarefreak.com/fqrdns.pcre >> >> Implement this as: >> >> smtpd_recipient_restrictions >> p

Re: smtpd_sender_login_maps with aliases?

2010-11-03 Thread Edward Carraro
On Wed, Nov 3, 2010 at 1:04 PM, Reinaldo de Carvalho wrote: > > You must set a basedn. > > Thanks! It's working again after setting the basedn... it's weird it worked before without it. Your changes also work now too. I also changed it from /etc/postfix/virtual to /etc/postfix/login_maps.cf

Re: smtpd_sender_login_maps with aliases?

2010-11-03 Thread Reinaldo de Carvalho
On Wed, Nov 3, 2010 at 1:45 PM, Edward Carraro wrote: > On Wed, Nov 3, 2010 at 12:36 PM, Reinaldo de Carvalho > wrote: >> $ cat /etc/postfix/virtual > > $ cat virtual | grep -v "#" > server_host = ldap://ldapserver:389 > server_port = 389 > search_base = > query_filter = (mail=%s) > result_attrib

Re: Upgrade 2.5.4

2010-11-03 Thread Victor Duchovni
On Wed, Nov 03, 2010 at 12:21:20PM -0400, Linux Addict wrote: > Victor, I see these messages after upgrade and in fact it's RHEL4 > w/ openssl-0.9.7a-43.17.el4_6.1 I don't know what fixes RedHat backports to OpenSSL 0.9.7, but this is rather an ancient and otherwise unsupported version of OpenSSL

Re: smtpd_sender_login_maps with aliases?

2010-11-03 Thread Edward Carraro
On Wed, Nov 3, 2010 at 12:36 PM, Reinaldo de Carvalho wrote: > > $ cat /etc/postfix/virtual > > $ cat virtual | grep -v "#" server_host = ldap://ldapserver:389 server_port = 389 search_base = query_filter = (mail=%s) result_attribute = uid version = 3 start_tls = no bind = yes bind_dn = xx bin

Re: smtpd_sender_login_maps with aliases?

2010-11-03 Thread Reinaldo de Carvalho
On Wed, Nov 3, 2010 at 1:30 PM, Edward Carraro wrote: >> >> query_filter = (|(mail=%s)(mailAlternateAddress=%s)) >> result_attribute = uid, mail, mailAlternateAddress >> >> > Same result: > NOQUEUE: reject: RCPT from smtpserver[xx.xxx.xxx.xx]: 451 4.3.0 > : Temporary lookup failure; > > I undid th

Re: smtpd_sender_login_maps with aliases?

2010-11-03 Thread Edward Carraro
On Wed, Nov 3, 2010 at 11:26 AM, donovan jeffrey j wrote: > > postconf -m > > cidr dbm environ internal ldap nis nisplus proxy regexp static tcp unix > was your postfix compiled with ldap support ? > yes > > you're getting your Auth users from your local recipients map. > -j > I have no l

Re: Upgrade 2.5.4

2010-11-03 Thread Linux Addict
On Wed, Nov 3, 2010 at 4:48 AM, Terry Kemp wrote: > On 11/3/10, Linux Addict wrote: > > On Tue, Nov 2, 2010 at 1:31 PM, Wietse Venema > wrote: > > > >> Linux Addict: > >> > >> > If the package is not well constructed: > >> > >> > > >> > >> > Read the RELEASE_NOTES file for 2.6 and 2.7, th

Re: default_destination_recipient_limit not working after changing the mailbox_transport to local_transport

2010-11-03 Thread Victor Duchovni
On Wed, Nov 03, 2010 at 08:39:52AM -0300, Reinaldo de Carvalho wrote: > As Victor correct me (again) to use transport_maps isn't the better > approach, although works for me. It is a more flexible approach, just not mandatory, which was the substance of the error in your previous post. Setting "l

Re: smtpd_sender_login_maps with aliases?

2010-11-03 Thread Reinaldo de Carvalho
On Wed, Nov 3, 2010 at 12:14 PM, Edward Carraro wrote: > I would like to set up SMTP, allowing the user to authenticate as their main > address, but still continue to send mail using their alias (without > disabling reject_sender_login_mismatch, as discussed here > http://serverfault.com/questions

Re: smtpd_sender_login_maps with aliases?

2010-11-03 Thread donovan jeffrey j
On Nov 3, 2010, at 11:14 AM, Edward Carraro wrote: > I would like to set up SMTP, allowing the user to authenticate as their main > address, but still continue to send mail using their alias (without disabling > reject_sender_login_mismatch, as discussed here > http://serverfault.com/questions

smtpd_sender_login_maps with aliases?

2010-11-03 Thread Edward Carraro
I would like to set up SMTP, allowing the user to authenticate as their main address, but still continue to send mail using their alias (without disabling reject_sender_login_mismatch, as discussed here http://serverfault.com/questions/61351/) I'm just not sure what my ldap mapping config should l

Re: Postfix locking up, not accepting connections / smtp not sending emails out

2010-11-03 Thread Christian Rohmann
Hallo, sorry for the late update ... but here it is ... On 10/29/2010 10:35 PM, Wietse Venema wrote: > If I don't see a credible report about warnings etc. in Postfix > logfiles, then that means that you are flying blind, and that needs > to be addressed first. Agreed. I did read the document a

Re: Custom action based on rDNS and helo

2010-11-03 Thread Noel Jones
On 11/3/2010 9:15 AM, Mark Scholten wrote: Hello, Is it possible to do a custom action (greylisting with an external program or RBL checks or RHSBL checks) only if the checks below failed? If yes, how could that be done with postfix (I prefer to do it with settings in main.cf and without an extr

RE: Custom action based on rDNS and helo

2010-11-03 Thread Mark Scholten
> -Original Message- > From: owner-postfix-us...@postfix.org [mailto:owner-postfix- > us...@postfix.org] On Behalf Of Reinaldo de Carvalho > Sent: Wednesday, November 03, 2010 3:28 PM > To: Mark Scholten > Cc: postfix-users@postfix.org > Subject: Re: Custom action based on rDNS and helo >

Re: Custom action based on rDNS and helo

2010-11-03 Thread Reinaldo de Carvalho
On Wed, Nov 3, 2010 at 11:15 AM, Mark Scholten wrote: > Hello, > > Is it possible to do a custom action (greylisting with an external program > or RBL checks or RHSBL checks) only if the checks below failed? If yes, how > could that be done with postfix (I prefer to do it with settings in main.cf

Re: F/P with "reject_unknown_client_hostname"

2010-11-03 Thread Michael Orlitzky
On 11/03/10 08:17, Noel Jones wrote: > On 11/3/2010 5:04 AM, Jerry wrote: >> I noticed this posted on another forum: >> >> >> It should be noted that reject_unknown_client_hostname will check only >> the first PTR record returned for a host. So, you might reject >> well-configured (i.e. RFC-compli

Custom action based on rDNS and helo

2010-11-03 Thread Mark Scholten
Hello, Is it possible to do a custom action (greylisting with an external program or RBL checks or RHSBL checks) only if the checks below failed? If yes, how could that be done with postfix (I prefer to do it with settings in main.cf and without an extra program)? - Match PTR/A-record (no "unknown

Re: RBL Spam question

2010-11-03 Thread Charles Marcus
On 2010-11-02 10:07 PM, Stan Hoeppner wrote: > Last, but not least important by any means (understatement), you may > wish to try out: > http://www.hardwarefreak.com/fqrdns.pcre > > Implement this as: > > smtpd_recipient_restrictions > permit_mynetworks > permit_sasl_authenticated >

Re: default_destination_recipient_limit not working after changing the mailbox_transport to local_transport

2010-11-03 Thread guido
> gu...@lorenzutti.com.ar put forth on 11/2/2010 10:03 PM: > >>> # main.cf >>> transport_maps = hash:/etc/postfix/transport >>> >>> # /etc/postfix/transport >>> exmaple.org lmtp:unix:/path/to/cyrus-lmtp-server-socket > >> >> MMmmm... when I remove the local_transport and add everything to the

Re: F/P with "reject_unknown_client_hostname"

2010-11-03 Thread Noel Jones
On 11/3/2010 5:04 AM, Jerry wrote: I noticed this posted on another forum: It should be noted that reject_unknown_client_hostname will check only the first PTR record returned for a host. So, you might reject well-configured (i.e. RFC-compliant) clients whose matching PTR record unfortunately i

Re: default_destination_recipient_limit not working after changing the mailbox_transport to local_transport

2010-11-03 Thread Reinaldo de Carvalho
On Wed, Nov 3, 2010 at 12:03 AM, wrote: >> >> # main.cf >> transport_maps = hash:/etc/postfix/transport >> >> # /etc/postfix/transport >> exmaple.org      lmtp:unix:/path/to/cyrus-lmtp-server-socket >> > > MMmmm... when I remove the local_transport and add everything to the > transport_map I get

F/P with "reject_unknown_client_hostname"

2010-11-03 Thread Jerry
I noticed this posted on another forum: It should be noted that reject_unknown_client_hostname will check only the first PTR record returned for a host. So, you might reject well-configured (i.e. RFC-compliant) clients whose matching PTR record unfortunately isn't the first one in the list. Is