On 2016-02-29 08:43, Ruben Safir wrote:
Can I have input about this recommendation? Is there unreasonable security
risk?  I think not, but I want to double check

That looks sensible. That comes near to the configuration I use for my mailman installation.

You should not do RBL checks on the mailman -> Postfix reinject.
Do that when you accept mail from external sources via port 25 in e.g. postscreen and afterwards.

To have mailman reinject on an extra port on localhost is how it should be done.
On 02/28/2016 10:51 PM, Ruben Safir wrote:
On 02/29/2016 01:34 AM, Mark Sapiro wrote:
I think we can fix your issue fairly simply.

Please, as I asked in my reply at
<https://mail.python.org/pipermail/mailman-users/2016-February/080524.html>,
post the output from 'postconf -n' and the contents of mm_cfg.py.


Sorry, I got mixed up.  It's just probably the frustration.  Everyone
uses mailman, I don't know why I'm so stupid



smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/helo_client_exceptions check_sender_access
hash:/etc/postfix/sender_checks, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, permit_mynetworks,
reject_unauth_destination, permit_mynetworks, reject_unauth_destination,
reject_invalid_hostname, reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
reject_rbl_client cbl.abuseat.org, permit


This is almost certainly your problem. All those checks take time,
especially if DNS is slow. If you send a message from a client and
Postfix takes 5 seconds to accept it, it's no big deal. If Mailman sends
to 10 or 20 recipients, and it takes Postfix a minute to respond, it
still may be no big deal unless another two posts arrive in that minute,
and so on until you have a big backlog.

I suggest that if you really want all those checks, that you set up a
separate port for Mailman to send to without all those rbl lookups and
recipient domain lookups. See below.


vim /usr/lib/mailman/Mailman/mm_cfg.py

###############################################
# Here's where we get the distributed defaults.

from Defaults import *

##################################################
# Put YOUR site-specific settings below this line.
DEFAULT_URL_PATTERN = 'http://%s/mailman/'
DEFAULT_NNTP_HOST = 'www.mrbrklyn.com'
DEFAULT_EMAIL_HOST = 'nylxs.com'
DEFAULT_URL_HOST = 'www.nylxs.com'
MTA = 'Postfix'
POSTFIX_ALIAS_CMD = '/usr/sbin/postalias'
POSTFIX_MAP_CMD = '/usr/sbin/postmap'
DELIVERY_MODULE = 'SMTPDirect'
SMTPHOST = 'mrbrklyn.com'
SMTPPORT = '25'


Here's where I'm suggesting changes. Pick a port, say 8000, although it
could be anything that doesn't conflict.

Then change the above to

SMTPHOST = '127.0.0.1'
SMTPPORT = 8000

(don't quote the port - it's a number, not a string)

Also, while you're at it I suggest adding

VERP_PASSWORD_REMINDERS = Yes
VERP_PERSONALIZED_DELIVERIES = Yes
VERP_DELIVERY_INTERVAL = 1

for more reliable bounce processing.

But, see below for changes to Postfix master.cf that you must make first.

add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
add_virtualhost('lists.mrbrklyn.com', 'mrbrklyn.com')
IMAGE_LOGOS = '/mailmanicons/'



There is another one in apache:
I don't know if it is being used.
vim /usr/local/apache/conf/mailman/Mailman/mm_cfg.py

No, that shouldn't be used.


In Postfix master.cf add the following stanza

127.0.0.1:8000  inet  n       -       -       -        -      smtpd
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o mynetworks=127.0.0.0/8
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_data_restrictions=

Make this addition to Postfix master.cf and reload Postfix. Only after
you've done that and Postfix is listening on the loopback interface port
8000, make the changes to mm_cfg.py and restart Mailman.

--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013

--
 Christian Kivalo
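A defender-side check for the two configurations discussed in this thread, written here as an added example (it is not code from the thread, from Mailman or from Postfix): it parses a constructed postconf -n excerpt modelled on the list quoted above to flag entries listed twice and the DNS-dependent checks that make the public port slow, and confirms that a master.cf loopback service like the suggested 127.0.0.1:8000 stanza carries none of them. Assumes Python 3; both sample inputs are constructed and abridged.

```python
import re
from collections import Counter

# Constructed postconf -n excerpt, abridged from the list quoted above (not the poster's file).
POSTCONF_N = """\
smtpd_recipient_restrictions = check_client_access
    hash:/etc/postfix/helo_client_exceptions, permit_mynetworks, reject_unauth_destination,
    permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
"""
# Constructed master.cf excerpt with the loopback reinject service suggested above.
MASTER_CF = """\
127.0.0.1:8000  inet  n       -       -       -        -      smtpd
        -o mynetworks=127.0.0.0/8
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""
# Restrictions that wait on a DNS answer; a slow resolver stalls each one (the backlog cause).
DNS_BOUND = {"reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender",
             "reject_unknown_sender_domain", "reject_unknown_recipient_domain"}
# Keywords that consume the next token (a lookup table or RBL zone) as their argument.
TAKES_ARG = {"check_client_access", "check_sender_access", "check_recipient_access",
             "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender"}

def postconf_value(text, name):
    # One parameter from postconf -n output; indented lines continue its value.
    m = re.search(r"^" + re.escape(name) + r" =(.*(?:\n[ \t]+.*)*)", text, re.M)
    return m.group(1).replace("\n", " ") if m else ""

def restriction_list(value):
    # Split on commas/whitespace, keeping each argument attached to its keyword.
    toks, out = [t for t in re.split(r"[\s,]+", value) if t], []
    while toks:
        kw = toks.pop(0)
        out.append(kw + " " + toks.pop(0) if kw in TAKES_ARG and toks else kw)
    return out

def audit_restrictions(postconf_text):
    # Entries listed twice and DNS-bound entries in the public port's smtpd_recipient_restrictions.
    rs = restriction_list(postconf_value(postconf_text, "smtpd_recipient_restrictions"))
    return {"duplicates": sorted(r for r, n in Counter(rs).items() if n > 1),
            "dns_bound": [r for r in rs if r.split()[0] in DNS_BOUND]}

def reinject_port_is_lean(master_text, service="127.0.0.1:8000"):
    # True when the loopback service trusts only 127/8 and applies no DNS-bound restriction.
    block = re.search(r"^" + re.escape(service) + r"\s.*((?:\n[ \t]+.*)*)", master_text, re.M)
    ov = dict(re.findall(r"-o\s+(\S+?)=(\S*)", block.group(1))) if block else {}
    rs = restriction_list(ov.get("smtpd_recipient_restrictions", ""))
    return ov.get("mynetworks") == "127.0.0.0/8" and not any(r.split()[0] in DNS_BOUND for r in rs)
```

Run it against real output by substituting `postconf -n` and the live master.cf for the two constructed strings; the audit dict shows what the public port still does per connection, and the boolean confirms the reinject port avoids it.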
