Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Ralf Hildebrandt
* Robert Cohen <[EMAIL PROTECTED]>:

> We recently started getting periods where postfix
> would just spin its wheels for a while spitting out a stream of errors like
> 
> Jul 27 12:43:23 mailin2 postfix/smtp[29137]: 4CBB07E8009:
> to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025, delay=137638,
> delays=137638/0/0/0, dsn=4.4.2, status=deferred (lost connection with
> 127.0.0.1[127.0.0.1] while sending message body)
> 
> 
> continuously for about 15 minutes before the smtpd got killed and restarted.

It's smtp, not smtpd. Has it occurred to you that the content_filter on
127.0.0.1 may be the problem?

> Essentially it was unable to send any emails to the content filter during
> this period.

Yes, because the content_filter "hangs up".

> Killing/restarting the content filter had no effect. But killing/restarting
> postfix fixed it which implies its postfix's problem.

No. Postfix backs off form a dead destination (the content_filter)

> We eventually tracked it down to a particular set of messages in the
> deferred queue.

Yes, I know that form broken content_filters. The message triggers an
error in the content_filter, which fucks up, and then the message is
deferred. I've seen that many times with amavisd-new and TrendMicro
VirusWall.

> Whenever it tried to process them, it would develop this problem,
Of course.

> When we cleared those messages, the problem disappeared.
Of course.

> The only obvious issue with the particular messages is that the headers are
> gigantic. About 400k of headers which leads me to believe its a buffer
> overflow.

In the content_filter, for sure.

Which content_filter do you use?

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
llama would be a more fitting name for OpenLDAP: 
It's big, stubborn and spits in your face when you need it the most.


Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Ralf Hildebrandt
* Ralf Hildebrandt <[EMAIL PROTECTED]>:

> No. Postfix backs off form a dead destination (the content_filter)

from, not form

> > We eventually tracked it down to a particular set of messages in the
> > deferred queue.
> 
> Yes, I know that form broken content_filters. The message triggers an

from, not form

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
I must confess, I was born at a very early age. - Groucho Marx


Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Robert Cohen



On 13/8/08 5:13 PM, "Ralf Hildebrandt" <[EMAIL PROTECTED]> wrote:

> 
> It's smtp, not smtpd. Has it occured to you that the content_filter on
> 127.0.0.1 may be the problem?
> 
>> Essentially it was unable to send any emails to the content filter during
>> this period.
> 
> Yes, because the content_filter "hangs up".
> 
>> Killing/restarting the content filter had no effect. But killing/restarting
>> postfix fixed it which implies its postfix's problem.
> 
> No. Postfix backs off form a dead destination (the content_filter)
> 
>> We eventually tracked it down to a particular set of messages in the
>> deferred queue.
> 
> Yes, I know that form broken content_filters. The message triggers an
> error in the content_filter, which fucks up, and then the message is
> deferred. I've seen that many times with amavisd-new and TrendMicro
> VirusWall.
> 
>> Whenever it tried to process them, it would develop this problem,
> Of course.
> 
>> When we cleared those messages, the problem disappeared.
> Of course.
> 
>> The only obvious issue with the particular messages is that the headers are
>> gigantic. About 400k of headers which leads me to believe its a buffer
>> overflow.
> 
> In the content_filter, for sure.
> 
> Which content_filter do you use?

That is with the policy milter that ships with sophos puremessage.
It's been reported to sophos, so if it is the milter, then they will
doubtless provide a patch.

I assumed it wasn't the milter because restarting postfix even without
restarting the milter fixed the problem, I'm pretty sure.

And the problem didn't occur with sendmail with the same milter. But it's
always possible that sendmail communicates differently.



===
Robert Cohen
Systems & Desktop Services
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
 
T: +61 2 6125 8389
F: +61 2 6125 7699
http://www.anu.edu.au
 
CRICOS Provider #00120C
===




Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Ralf Hildebrandt
* Robert Cohen <[EMAIL PROTECTED]>:

> That is with the policy milter that ships with sophos puremessage.

Milters don't log this way - that's postfix sending the mail via smtp,
milters don't need to do that:

Jul 27 12:43:23 mailin2 postfix/smtp[29137]: 4CBB07E8009: to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025, delay=137638, delays=137638/0/0/0, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while sending message body)

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
[REDACTED BY MINISTRY OF PATRIOTISM FALSE BELIEF FILTER. TRUTH
MAINTENANCE SERVICES PROVIDE BY COKE. ENJOY NEW HAZELNUT CREME COKE]


Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Ralf Hildebrandt
* Ralf Hildebrandt <[EMAIL PROTECTED]>:

> Milters don't log this way - that's postfix sending the mail via smtp,
> milters don't need to do that:

(but that doesn't change the problem)

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
echo Mhbqnrnes Stbjr | tr "[a-y]"  "[b-z]" 


domains with dashes and incomplete addresses rewriting problem

2008-08-13 Thread Luca Cazzaniga
Hello, I have a problem with incomplete address rewriting.
My test configuration file /etc/postfix/main.cf is reported below:

myhostname = pippo
mydomain = topo-linea.it
myorigin = $myhostname.$mydomain
mydestination = $myhostname.$mydomain, $myhostname, localhost.$mydomain,
localhost
mynetworks = 127.0.0.0/8
relayhost =
append_at_myorigin = yes
append_dot_mydomain = yes

Other variables involved in rewriting get the default:

# postconf local_header_rewrite_clients
local_header_rewrite_clients = permit_inet_interfaces
# postconf remote_header_rewrite_domain
remote_header_rewrite_domain =

I realize that a sender address without domain is rewritten by appending
@mydomain instead of @myorigin

erasing the dash in the variable $mydomain the rewrite appends @myorigin  as
hoped.

mydomain = topolinea.it

behaviour with dash (mydomain = topo-linea.it)
luca gets [EMAIL PROTECTED]

behaviour without dash (mydomain = topolinea.it )
luca gets [EMAIL PROTECTED]

has dash to be quoted in the configuration file?
do other variables affect the rewriting behaviour?

My postfix version is 2.4.5 

thanks

Luca


--
-- WARNING !!! --
This message and any attachments is intended solely for the use of the intended 
addressees and is confidential. If you receive this message in error, please 
delete it, destroy all copies and immediately notify us.
Internet can not guarantee the integrity of this message. A.M.S. (Asset 
Management Service) shall (will) not therefore be liable for interception or 
amendment of this message.
A.M.S. (Asset Management Service) accepts no responsibility as to the contents 
of this message: the opinions expressed therein are solely the writer's.
**



Re: domains with dashes and incomplete addresses rewriting problem

2008-08-13 Thread Ralf Hildebrandt
* Luca Cazzaniga <[EMAIL PROTECTED]>:
> hello, i've problem about incomplete address rewriting
> my test configuration file /etc/postfix/main.cf reported below
> 
> myhostname = pippo
> mydomain = topo-linea.it

That's wrong.
You need to use:
myhostname = pippo.topo-linea.it
mydomain = topo-linea.it

> myorigin = $myhostname.$mydomain

That's wrong. Use the default (myorigin = $myhostname) instead.

> mydestination = $myhostname.$mydomain, $myhostname, localhost.$mydomain, 
> localhost
You need to correct this as well.

> mynetworks = 127.0.0.0/8

> relayhost =
default
> append_at_myorigin = yes
default
> append_dot_mydomain = yes
default
 
> Another variables involved in rewriting get the default:
> 
> # postconf local_header_rewrite_clients
> local_header_rewrite_clients = permit_inet_interfaces
> # postconf remote_header_rewrite_domain
> remote_header_rewrite_domain =
> 
> i realize that a sender address without domain is rewrited appending the
> @mydomain instead @myorigin

No. A sender address without domain gets @$myorigin
 
-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination of
their C Programs. 


Addresses of domain parking services?

2008-08-13 Thread Ralf Hildebrandt
Is there a readily available list of domain parking services for use
with

check_recipient_mx_access $default_database_type:/etc/postfix/parked_domains
check_sender_mx_access $default_database_type:/etc/postfix/parked_domains

Right now I have but one entry:

82.98.86.163    REJECT Parked at sedoparking.com

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"The computer programmer is a creator of universes for which he alone
is responsible. Universes of virtually unlimited complexity can be
created in the form of computer programs."-Joseph Weizenbaum


Re: domains with dashes and incomplete addresses rewriting problem

2008-08-13 Thread Luca Cazzaniga
I changed the suggested variables but the behaviour is the same if domain
contains dash character

The configuration changes involve:
myhostname = pippo.topo-linea.it
mydomain = topo-linea.it
myorigin =  $myhostname

After I submitted postfix reload 
 
luca gets [EMAIL PROTECTED]

As explained without dashes the address rewriting is correct: 
myhostname = pippo.topolinea.it
mydomain = topolinea.it

luca gets [EMAIL PROTECTED]  

Thanks a lot for your support.



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Ralf Hildebrandt
Sent: Wednesday, 13 August 2008 10.26
To: postfix-users@postfix.org
Subject: Re: domains with dashes and incomplete addresses rewriting problem

* Luca Cazzaniga <[EMAIL PROTECTED]>:
> hello, i've problem about incomplete address rewriting
> my test configuration file /etc/postfix/main.cf reported below
> 
> myhostname = pippo
> mydomain = topo-linea.it

That's wrong.
You need to use:
myhostname = pippo.topo-linea.it
mydomain = topo-linea.it

> myorigin = $myhostname.$mydomain

That's wrong. Use the default (myorigin = $myhostname) instead.

> mydestination = $myhostname.$mydomain, $myhostname, localhost.$mydomain,
localhost
You need to correct this as well.

> mynetworks = 127.0.0.0/8

> relayhost =
default
> append_at_myorigin = yes
default
> append_dot_mydomain = yes
default
 
> Another variables involved in rewriting get the default:
> 
> # postconf local_header_rewrite_clients
> local_header_rewrite_clients = permit_inet_interfaces
> # postconf remote_header_rewrite_domain
> remote_header_rewrite_domain =
> 
> i realize that a sender address without domain is rewrited appending the
> @mydomain instead @myorigin

No. A sender address without domain gets @$myorigin
 
-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination of
their C Programs. 





Password Authentication in Postfix

2008-08-13 Thread R Pradeepa

Dear Sir

Can I enable password authentication in postfix even if the client 
does not have cyrus sasl? Please advise. Because using script programs 
people are able to send mail without authentication. I want to prevent 
it. How can I enable this in postfix? Please advise.


Regards
Pradeepa





Re: postfix via cyberoam

2008-08-13 Thread Vikas Rawal
>> I use postfix on my laptop to send mail using gmail's smtp servers. The
>> laptop runs ubuntu 8.04.
>>
>> I shall be grateful if I could get help in resolving the following two
>> problems.
>>
>> 1. The setup works well when used from home where I do not have a proxy
>> server. However, in my office, I have to work through a cyberoam proxy.
>> Postfix does not send e-mails through the proxy. I would like to know if
>> anyone has experience of making postfix send e-mail through cyberoam.
>>
>>
> So what's the error message in the logs?


This is what I get.

Aug 13 14:16:30 shireen postfix/smtp[7985]: connect to smtp.gmail.com[209.85.199.109]:587: No route to host
Aug 13 14:16:39 shireen postfix/smtp[7985]: connect to smtp.gmail.com[209.85.199.111]:587: No route to host
Aug 13 14:16:39 shireen postfix/smtp[7985]: B9AB02675: to=<[EMAIL PROTECTED]>, relay=none, delay=9.7, delays=0.08/0.03/9.6/0, dsn=4.4.1, status=deferred (connect to smtp.gmail.com[209.85.199.111]:587: No route to host)

Please note that I am able to use a browser, access the internet using say
wget, and use dig to resolve the address. The other thing that does not work
is fetchmail.

Is it that my firewall has blocked the ports that postfix and fetchmail
need, and this is end of the road for me?


>
>
>> 2. The second problem is that when postfix is unable to connect to the
>> gmail's servers (either because it is behind cyberoam or because I am simply
>> not connected), postfix does not even keep the mails in the queue. The mails
>> are simply removed from the queue when it cannot reach the gmail servers.
>> That is a big nuisance and defeats the whole purpose of having postfix. The
>> mail.log shows the following in such a case.
>>
>
> find the "smtp" transport (not the smtpd listener) in master.cf and add to
> it:
>  -o soft_bounce=yes
>

worked like a charm!! Thanks.

Vikas


Re: Password Authentication in Postfix

2008-08-13 Thread Patrick Ben Koetter
* R Pradeepa <[EMAIL PROTECTED]>:
> Can I enable password authentication in postfix even if the client is  
> not having cyrus sasl. Please advice. Because using script programs  

Cyrus SASL is not necessarily required in the client to use SMTP AUTH. Postfix
requires either Cyrus SASL or Dovecot SASL.

[EMAIL PROTECTED]


> people are able to send mail without authentication. I want to prevent  
> it. How can i enable this in postfix. Please advice
>
> Regards
> Pradeepa
>
>
>

-- 
The Book of Postfix

saslfinger (debugging SMTP AUTH):



Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Noel Jones

Robert Cohen wrote:
> On 13/8/08 5:13 PM, "Ralf Hildebrandt" <[EMAIL PROTECTED]> wrote:
>
>> It's smtp, not smtpd. Has it occured to you that the content_filter on
>> 127.0.0.1 may be the problem?
>>
>>> Essentially it was unable to send any emails to the content filter during
>>> this period.
>>
>> Yes, because the content_filter "hangs up".
>>
>>> Killing/restarting the content filter had no effect. But killing/restarting
>>> postfix fixed it which implies its postfix's problem.
>>
>> No. Postfix backs off form a dead destination (the content_filter)
>>
>>> We eventually tracked it down to a particular set of messages in the
>>> deferred queue.
>>
>> Yes, I know that form broken content_filters. The message triggers an
>> error in the content_filter, which fucks up, and then the message is
>> deferred. I've seen that many times with amavisd-new and TrendMicro
>> VirusWall.
>>
>>> Whenever it tried to process them, it would develop this problem,
>>
>> Of course.
>>
>>> When we cleared those messages, the problem disappeared.
>>
>> Of course.
>>
>>> The only obvious issue with the particular messages is that the headers are
>>> gigantic. About 400k of headers which leads me to believe its a buffer
>>> overflow.
>>
>> In the content_filter, for sure.
>>
>> Which content_filter do you use?
>
> That is with the policy milter that ships with sophos puremessage.
> Its been reported to sophos, so if it is the milter, then they will
> doubtless provide a patch.
>
> I assumed it wasn't the milter because restarting postfix even without
> restarting the milter fixed the problem, I'm pretty sure.
>
> And the problem didn't occur with sendmail with the same milter. But its
> always possible that sendmail communicates differently.


I agree with Ralf's analysis.

IIRC sendmail truncates single headers longer than 32k; 
postfix by default allows 1M per header.


You can tell postfix to truncate headers by setting:
# main.cf
header_size_limit = 3

This may break signatures on DKIM/DomainKeys signed mail, but 
will probably make your content filter happier.


--
Noel Jones
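
Added example (not part of the original thread or of Postfix): a Python check that measures the header block of a raw message and flags logical headers, folded continuation lines included, above a size threshold, which is the condition this thread traced the filter failures to. The 32 KiB threshold mirrors the sendmail figure recalled above and is an assumption; the sample message and all function names are constructed for illustration.

```python
"""Flag oversized headers in a raw mail message (added example, constructed data)."""
from typing import List, NamedTuple, Tuple

# Assumption: 32 KiB per logical header, the sendmail figure recalled in the thread.
PER_HEADER_LIMIT = 32 * 1024


class HeaderReport(NamedTuple):
    total_bytes: int                  # size of the whole primary header block
    largest: Tuple[str, int]          # (name, bytes) of the biggest logical header
    oversized: List[Tuple[str, int]]  # logical headers above the limit


def logical_headers(raw: bytes) -> List[Tuple[str, int]]:
    """Return (name, size_in_bytes) per logical header, folded lines included."""
    headers: List[list] = []
    for line in raw.splitlines(keepends=True):
        if line in (b"\n", b"\r\n"):          # empty line ends the header block
            break
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += len(line)       # continuation of a folded header
        else:
            name = line.split(b":", 1)[0].decode("ascii", "replace").strip()
            headers.append([name, len(line)])
    return [(name, size) for name, size in headers]


def inspect_headers(raw: bytes, limit: int = PER_HEADER_LIMIT) -> HeaderReport:
    """Summarise header sizes so oversized messages can be spotted before filtering."""
    headers = logical_headers(raw)
    total = sum(size for _, size in headers)
    largest = max(headers, key=lambda h: h[1], default=("", 0))
    oversized = [h for h in headers if h[1] > limit]
    return HeaderReport(total, largest, oversized)


def build_sample() -> bytes:
    """Constructed message with one ~400 kB folded header, as in the report."""
    bloat = b"X-Constructed-Bloat: start\r\n" + b"".join(
        b"\t" + b"A" * 997 + b"\r\n" for _ in range(400)
    )
    return (
        b"From: sender@example.com\r\n"
        b"To: rcpt@example.com\r\n"
        b"Subject: constructed test\r\n" + bloat + b"\r\nbody line\r\n"
    )


if __name__ == "__main__":
    report = inspect_headers(build_sample())
    print(f"header block: {report.total_bytes} bytes")
    for name, size in report.oversized:
        print(f"oversized: {name} ({size} bytes > {PER_HEADER_LIMIT})")
```
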


Re: postfix via cyberoam

2008-08-13 Thread Noel Jones

Vikas Rawal wrote:
>>> I use postfix on my laptop to send mail using gmail's smtp
>>> servers. The laptop runs ubuntu 8.04.
>>>
>>> I shall be grateful if I could get help in resolving the
>>> following two problems.
>>>
>>> 1. The setup works well when used from home where I do not have
>>> a proxy server. However, in my office, I have to work through a
>>> cyberoam proxy. Postfix does not send e-mails through the proxy.
>>> I would like to know if anyone has experience of making postfix
>>> send e-mail through cyberoam.
>>
>> So what's the error message in the logs?
>
> This is what I get.
>
> Aug 13 14:16:30 shireen postfix/smtp[7985]: connect to smtp.gmail.com[209.85.199.109]:587: No route to host
> Aug 13 14:16:39 shireen postfix/smtp[7985]: connect to smtp.gmail.com[209.85.199.111]:587: No route to host
> Aug 13 14:16:39 shireen postfix/smtp[7985]: B9AB02675: to=<[EMAIL PROTECTED]>, relay=none, delay=9.7, delays=0.08/0.03/9.6/0, dsn=4.4.1, status=deferred (connect to smtp.gmail.com[209.85.199.111]:587: No route to host)
>
> Please note that I am able to use a browser, access the internet using
> say wget, and use dig to resolve the address. The other thing that does
> not work is fetchmail.
>
> Is it that my firewall has blocked the ports that postfix and fetchmail
> need, and this is end of the road for me?


Looks as if you don't have a default route set.  This is a 
networking issue.


Generally:
# route add default ip.of.gate.way

Or maybe the network there doesn't allow outgoing connections, 
in which case you may be out of luck.  Talk to the network 
guys there.


--
Noel Jones


Re: Outbound rate throttling

2008-08-13 Thread Noel Jones

MacShane, Tracy wrote:
> I realise this has been covered before, but I'm having a problem with
> getting outbound mail to a destination domain. The ISP in question has
> an interesting policy of refusing messages sent to a single email
> address in excess of 30/min. Their servers also go on and offline at
> random intervals, due to telecoms issues. We have an application that
> sends messages to a single recipient on the destination domain, usually
> in excess of 200 a day. If a server has gone offline for a while,
> naturally we have a backlog of mail waiting to deliver when the server
> is up again, and we quickly exceed the 30/min limit.
>
> I've upgraded a server to Postfix 2.5.2 (from 2.2) and tried
> implementing a slow transport for this purpose:
>
> master.cf
> ---
> # transport for touchy domains
> slow      unix  -       -       n       -       1       smtp

You can add
  -o syslog_name=postfix-slow
to the above to differentiate it in the logs so you know it's 
being used.

> main.cf
> ---
> slow_destination_concurrency_limit = 1
> slow_destination_rate_delay = 2
>
> transport
> ---
> solomon.com.sb  slow:

Looks correct.  Check your work with "postconf -n" and 
"postmap -q ..."

> However, at the next retry interval, the entire queue is trying to empty
> itself concurrently:
>
> Aug 13 15:59:14 smtptest postfix/error[4456]: 4569E15E00F9: to=<[EMAIL PROTECTED]>, relay=none, delay=3283, delays=3282/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25: Connection refused)
> Aug 13 15:59:14 smtptest postfix/error[4468]: F40FE15E00BD: to=<[EMAIL PROTECTED]>, relay=none, delay=4906, delays=4906/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25: Connection refused)
> Aug 13 15:59:14 smtptest postfix/error[4476]: 6023715E009D: to=<[EMAIL PROTECTED]>, relay=none, delay=4905, delays=4905/0.08/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25: Connection refused)
> Aug 13 15:59:14 smtptest postfix/error[4460]: 4061815E00C0: to=<[EMAIL PROTECTED]>, relay=none, delay=4906, delays=4905/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.telekom.net.sb[202.1.161.20]:25: Connection refused)
>
> [... 75 messages in the queue]
>
> I expect the messages to try filtering themselves out at a rate of one
> every two seconds to this destination, not all of them in the same
> second. Could someone please clarify what I've omitted or misunderstood
> here?
>
> Thanks.


These are not delivery attempts.  Delivery attempts are logged 
by postfix/smtp.
These are all from the error: service notifying you that the 
destination has been throttled because of multiple previous 
"connection refused" error.


--
Noel Jones
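
Added example (not from the original thread or from Postfix): a Python classifier for delivery log lines that separates connection attempts logged by the smtp client from the error service's "delivery temporarily suspended" notices, the distinction explained above, and that also recognises a transport renamed with syslog_name. The log lines, queue IDs, hosts and addresses are constructed, modelled on those quoted in this digest, and the function names are hypothetical.

```python
"""Separate real SMTP delivery attempts from error(8) throttle notices (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s"                       # timestamp and host
    r"(?P<syslog_name>[\w-]+)/(?P<service>\w+)\[\d+\]:\s"  # e.g. postfix/smtp[123]:
    r"(?P<qid>[0-9A-F]+):\sto=<(?P<rcpt>[^>]*)>,\s"
    r"relay=(?P<relay>[^,]+),.*?"
    r"dsn=(?P<dsn>[\d.]+),\sstatus=(?P<status>\w+)\s\((?P<reason>.*)\)$"
)

# Constructed log lines modelled on the ones quoted in this digest.
SAMPLE_LOG = """\
Aug 13 15:59:14 smtptest postfix/error[4456]: 1A2B3C4D01: to=<user@example.com>, relay=none, delay=3283, delays=3282/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.example.net[192.0.2.20]:25: Connection refused)
Aug 13 15:59:14 smtptest postfix/error[4468]: 1A2B3C4D02: to=<user@example.com>, relay=none, delay=4906, delays=4906/0.08/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.example.net[192.0.2.20]:25: Connection refused)
Aug 13 15:54:02 smtptest postfix-slow/smtp[4401]: 1A2B3C4D03: to=<user@example.com>, relay=none, delay=4600, delays=4600/0.01/0.02/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.20]:25: Connection refused)
Jul 27 12:43:23 mailin2 postfix/smtp[29137]: 1A2B3C4D04: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=137638, delays=137638/0/0/0, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while sending message body)
""".splitlines()


def classify(line: str) -> Optional[Dict[str, str]]:
    """Parse one delivery status line; return None for anything else."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    if rec["service"] == "error":
        # Logged by the error service: the destination is already throttled,
        # so no connection was made for this message.
        rec["kind"] = "throttle-notice"
    elif rec["service"] in ("smtp", "lmtp"):
        # Logged by the delivery client itself: a real attempt took place.
        rec["kind"] = "delivery-attempt"
    else:
        rec["kind"] = "other"
    return rec


def summarize(lines: Iterable[str]) -> Counter:
    """Count parsed lines per (syslog_name, kind)."""
    counts: Counter = Counter()
    for line in lines:
        rec = classify(line)
        if rec is not None:
            counts[(rec["syslog_name"], rec["kind"])] += 1
    return counts


if __name__ == "__main__":
    for (name, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name:13s} {kind:17s} {n}")
```
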


Postfix with SASL Authentication against LDAP

2008-08-13 Thread Alejandro Cabrera Obed
Dear all, I have a Debian Etch + Postfix 2.3.8 mail server with LDAP
2.3.30. TLS encryption works successfully but SASL authentication doesn't.

I have these:

apt-get install sasl2-bin libsasl2-modules

/etc/default/saslauthd:
START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

/etc/saslauthd.conf:
ldap_servers: ldap://ldap.company.com/
ldap_search_base: ou=people,dc=company,dc=com
ldap_bind_dn: cn=admin,dc=company,dc=com
ldap_bind_pw: xyz
ldap_filter: (&(objectClass=CourierMailAccount)(cn=%U))
ldap_scope: sub
ldap_auth_method: bind

I execute:
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

/etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login
log_level: 7

/etc/postfix/master.cf:
smtp  inet  n   -   n   -   -   smtpd -o content_filter=spamassassin  # No chroot

/etc/postfix/main.cf:
# TLS
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/courier/smtpd.cert
smtpd_tls_key_file = /etc/courier/smtpd.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
# SMTP Restrictions
smtpd_recipient_restrictions = permit_sasl_authenticate, permit_mynetworks

Restart postfix and saslauthd

After that:

$telnet mail 25

and I see: 

250-STARTTLS
250-AUTH LOGIN PLAIN 
250-AUTH=LOGIN PLAIN 

So TLS and SASL are OK.

Finally I configure my mail client (Iceweasel) and send a mail, asking me for 
the password, but I FAIL !!! I see this in /var/log/auth.log:

Aug 13 15:25:45 mail postfix/cleanup[4182]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or directory
Aug 13 15:25:53 mail postfix/smtpd[4196]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or directory
Aug 13 15:27:15 mail postfix/cleanup[4222]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or directory
Aug 13 15:29:41 mail postfix/cleanup[4290]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or directory
Aug 13 15:29:57 mail postfix/smtpd[4303]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or directory
Aug 13 15:30:01 mail CRON[4306]: (pam_unix) session opened for user vmail by 
(uid=0)
Aug 13 15:30:01 mail pam_limits[4306]: setrlimit limit #11 to soft=-1, hard=-1 
failed: Operation not permitted; uid=0 euid=0
Aug 13 15:30:01 mail pam_limits[4306]: setrlimit limit #12 to soft=-1, hard=-1 
failed: Operation not permitted; uid=0 euid=0
Aug 13 15:30:01 mail CRON[4306]: (pam_unix) session closed for user vmail


How can I do to put SASL to work against my LDAP ???

REALLY THANKS !!!

Alejandro




Re: Postfix with SASL Authentication against LDAP

2008-08-13 Thread Daniel L. Miller

Alejandro Cabrera Obed wrote:

> Dear all, I have a Debian Etch + Postfix 2.3.8 mail server with LDAP
> 2.3.30. TLS encryption work succesfully but SASL authentication don't.
>
> I have these:
>
> apt-get install sasl2-bin libsasl2-modules
>
> /etc/default/saslauthd:
> START=yes
> MECHANISMS="ldap"
> MECH_OPTIONS=""
> THREADS=5
> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
>
> /etc/saslauthd.conf:
> ldap_servers: ldap://ldap.company.com/
> ldap_search_base: ou=people,dc=company,dc=com
> ldap_bind_dn: cn=admin,dc=company,dc=com
> ldap_bind_pw: xyz
> ldap_filter: (&(objectClass=CourierMailAccount)(cn=%U))
> ldap_scope: sub
> ldap_auth_method: bind
>
> I execute:
> dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
> adduser postfix sasl
>
> /etc/postfix/sasl/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: plain login
> log_level: 7
>
> /etc/postfix/master.cf:
> smtp  inet  n   -   n   -   -   smtpd -o content_filter=spamassassin  # No chroot
>
> /etc/postfix/main.cf:
> # TLS
> smtp_tls_security_level = may
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/courier/smtpd.cert
> smtpd_tls_key_file = /etc/courier/smtpd.key
> smtpd_tls_loglevel = 2
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> # SASL
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
> # SMTP Restrictions
> smtpd_recipient_restrictions = permit_sasl_authenticate, permit_mynetworks
>
> Restart postfix and saslauthd
>
> After that:
>
> $telnet mail 25
>
> and I see:
>
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
>
> So TLS and SASL are OK.
>
> Finally I configure my mail client (Iceweasel) and sens a mail, asking me for
> the password, but I FAIL !!! I see this in /var/log/auth.log:
>
> Aug 13 15:25:45 mail postfix/cleanup[4182]: looking for plugins in
> '/usr/lib/sasl2', failed to open directory, error: No such file or directory
> Aug 13 15:25:53 mail postfix/smtpd[4196]: looking for plugins in
> '/usr/lib/sasl2', failed to open directory, error: No such file or directory
> Aug 13 15:27:15 mail postfix/cleanup[4222]: looking for plugins in
> '/usr/lib/sasl2', failed to open directory, error: No such file or directory
> Aug 13 15:29:41 mail postfix/cleanup[4290]: looking for plugins in
> '/usr/lib/sasl2', failed to open directory, error: No such file or directory
> Aug 13 15:29:57 mail postfix/smtpd[4303]: looking for plugins in
> '/usr/lib/sasl2', failed to open directory, error: No such file or directory
> Aug 13 15:30:01 mail CRON[4306]: (pam_unix) session opened for user vmail by
> (uid=0)
> Aug 13 15:30:01 mail pam_limits[4306]: setrlimit limit #11 to soft=-1, hard=-1
> failed: Operation not permitted; uid=0 euid=0
> Aug 13 15:30:01 mail pam_limits[4306]: setrlimit limit #12 to soft=-1, hard=-1
> failed: Operation not permitted; uid=0 euid=0
> Aug 13 15:30:01 mail CRON[4306]: (pam_unix) session closed for user vmail
>
> How can I do to put SASL to work agains my LDAP ???
>
> REALLY THANKS !!!
>
> Alejandro

  
You need to install either the courier or dovecot packages to provide 
the necessary utilities/libraries.


For the courier option, you'll need libsasl2-modules and sasl2-bin at a 
minimum.  I don't think the dovecot packages have broken out the auth 
portion yet, so you would need to install dovecot-imapd and/or 
dovecot-pop3d.


--
Daniel


Re: Recipient whitelist

2008-08-13 Thread mleal
Hi again!

Before anything, sorry for my English.

I read the docs and, if I understood correctly, when I want to filter a 
recipient in a relay system I need to use relay_recipient_maps, right?
Ok... but my problem continues.
Let me try to explain better.

I want to deliver mail to a Lotus Dominos server that uses the concept of 
"Groups".
These "Groups" mean an internally named group, in the Dominos server, with 
a list of users that receive mail when anybody sends mail to it. It looks like 
a mailman system with the exception that those "Groups" don't have an external 
mail address.
One example of this is a group named "%managers".

So... this is my big problem... how can I relay mails to these groups 
since they don't have any domains like @example.com?

Because of this I was trying that check_recipient before.


Thanks for your help.

__
Marcus






Marcus Jose de Oliveira Leal
12/08/2008 10:44


To:      postfix users list 
cc: 
Subject: Re: Recipient whitelist

Ok Noel.

I'll carefully check the docs again.
Thanks to your reply.

__
Marcus






Noel Jones <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/08/2008 19:32
Please respond to postfix users list

 
To:      postfix-users@postfix.org
cc: 
Subject: Re: Recipient whitelist


[EMAIL PROTECTED] wrote:
>
> Hi all,
>
> I recently configure my postfix and I am having problems with
> "smtpd_recipient_restrictions".
>
> I change it to "smtpd_recipient_restrictions = check_recipient_access
> regexp:/etc/postfix/check_recipients reject", but when I allow a
> recipient in check_recipients file, specifically talking to the second
> rule, it continues rejected by the last reject command.
>
> I would like to configure some kind of whitelist in the check_recipients
> file.
>
> Can you help me?
>
> Thanks in advance
> Marcus
>
>
> My confs:
>
> main.cf
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> allow_percent_hack = no
> append_at_myorigin = no
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> default_process_limit = 10
> disable_vrfy_command = yes
> inet_interfaces = all
> local_recipient_maps =
> local_transport = error:local mail delivery is disabled
> mail_release_date = ""
> mail_version = ""
> mailbox_size_limit = 0
> mydestination =
> myhostname = relay.intranet.net
> mynetworks = 127.0.0.0/8 192.168.0.0/23
> myorigin = /etc/mailname
> recipient_delimiter = +
> relay_domains = regexp:/etc/postfix/relay_domains
> relayhost = relaygw.extranet.net
> show_user_unknown_table_name = no
> smtp_helo_name = relay.intranet.net
> smtpd_banner = relay.intranet.net
> smtpd_client_restrictions = reject_unknown_client_hostname
> permit_mynetworks reject
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_helo_hostname
> reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
> permit_mynetworks reject
> smtpd_recipient_restrictions = check_recipient_access
> regexp:/etc/postfix/check_recipients reject
> smtpd_sender_restrictions = check_sender_access
> regexp:/etc/postfix/check_senders reject_non_fqdn_sender
> reject_unknown_sender_domain reject
> strict_rfc821_envelopes = yes
>
> check_recipients
> /[EMAIL PROTECTED]/ OK
> /^\%group.*/ OK

Your check_recipients file is unsafe and unwise.

Start here:
http://www.postfix.org/BASIC_CONFIGURATION_README.html

and move on to this:
http://www.postfix.org/ADDRESS_CLASS_README.html

Then if you need help, see:
http://www.postfix.org/DEBUG_README.html#mail

--
Noel Jones





Re: Recipient whitelist

2008-08-13 Thread Noel Jones

[EMAIL PROTECTED] wrote:

> Hi again!
>
> Before anything, sorry for my English.
>
> I read the docs and, if I understood correctly, when I want to filter a 
> recipient in a relay system I need to use relay_recipient_maps, right?

The relay_domains parameter lists domains you host but final 
delivery is done somewhere else, such as an internal server.
Valid recipients for those domains are listed in 
relay_recipient_maps; postfix will reject any recipient not 
listed.

> OK... but my problem continues.
> Let me try to explain better.
>
> I want to deliver mail to a Lotus Domino server that uses the concept 
> of "Groups".
> These "Groups" are internally named groups, in the Domino server, 
> with a list of users that receive mail when anybody sends mail to them. 
> It looks like a mailman system, with the exception that those "Groups" don't 
> have an external mail address.

If they don't have an external mail address, postfix won't be 
able to send them mail no matter what you do.

> One example of this is a group named "%managers".
>
> So... this is my big problem... how can I relay mail to these groups 
> since they don't have any domains like @example.com?

Seems as if you need to configure Lotus to accept external 
mail to your group names.  I have no idea how to do that.

Good luck.

--
Noel Jones


another "mail forwarding loop" question

2008-08-13 Thread Christopher Adams
Can someone clue me in as to what might be causing this? A person sent
a message to a mailing list named Xlist. There is nothing nonstandard
about Postfix, no Virtual Hosts. I need to know where the fault lies.
I call my server '[EMAIL PROTECTED]'. I have a general idea of what
a mail forwarding loop is, but I just need to be clear with the
customer about it. This is what the sender received back:

Diagnostic information for administrators:

Generating server: myserver.domain.com

[EMAIL PROTECTED]
#< #5.4.6 X-Postfix; mail forwarding loop for [EMAIL PROTECTED]> #SMTP#

Original message headers:

Received: from mailgwisb01.mail.la.gov (mailgwisb01.mail.la.gov
 [204.196.242.62])   by myserver.domain.com (Postfix) with ESMTP id
 CBCC5364037 for <[EMAIL PROTECTED]>; Wed, 13 Aug 2008 12:53:45
 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.32,203,1217826000";
   d="scan'208,217";a="7100986"
Received: from mailfe03.mail.la.gov ([10.4.10.64])
  by mailgwisb01.mail.la.gov with ESMTP; 13 Aug 2008 14:58:55 -0500
Received: from mailht01.MAIL.LA.GOV ([10.4.10.65]) by
MAILFE03.MAIL.LA.GOV with Microsoft SMTPSVC(6.0.3790.3959);
 Wed, 13 Aug 2008 14:58:55 -0500
Received: from mailht03.MAIL.LA.GOV (10.4.10.67) by mailht01.mail.la.gov
 (10.4.10.65) with Microsoft SMTP Server (TLS) id 8.1.291.1; Wed, 13 Aug 2008
 14:58:55 -0500
Received: from MAILMBX02.MAIL.LA.GOV ([10.4.10.105]) by mailht03.MAIL.LA.GOV
 ([10.4.10.67]) with mapi; Wed, 13 Aug 2008 14:58:54 -0500
From: John Smith 
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Date: Wed, 13 Aug 2008 14:58:38 -0500
Subject: FW: change in Listserv email address
Thread-Topic: change in Listserv email address
Thread-Index: Acj9VlgkrTPJ6IlMQy2oGiYT/1KrwgAACBcA
Message-ID: <[EMAIL PROTECTED]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-originalarrivaltime: 13 Aug 2008 15:09:34.0657 (UTC)
FILETIME=[98704B10:01C8FD56]
x-ironport-av: E=Sophos;i="4.32,201,1217826000"; d="scan'208,217";a="6997685"
delivered-to: [EMAIL PROTECTED]
x-original-to: [EMAIL PROTECTED]
Content-Type: multipart/alternative;
boundary="_000_4EDB8E2A7232FA43B495A019D02B505A364C5CB304MAILMBX02MAIL_"
MIME-Version: 1.0



-- 
Christopher Adams
[EMAIL PROTECTED]


Re: Before queue filter vs access policy delegation?

2008-08-13 Thread Bill Anderson


On Aug 9, 2008, at 8:52 PM, Noel Jones wrote:




It doesn't need to process the body of the email
Just curious, since queue_id is passed, is it possible for the  
script to actually read the email body in postfix queue?


No.  The queue file format is intentionally undocumented to  
discourage direct manipulation of queue files.  The queue file  
format can change between postfix versions without warning.

Direct manipulation of queue files is unsupported and not recommended.

Of course, a more basic problem is that the queue file doesn't yet  
exist when the policy service is called from smtpd_{client, helo,  
sender, recipient, data}_restrictions.


To be fair, if he only wants to read the body, he could "shell out" to  
postcat to *read* it so long as it was done late enough in the process  
- i.e. end-of-data. I make no guarantees about performance of such  
acts, however. ;)  I have done this *on occasion* for very specific  
checks.


Obviously modification is out.

A queuefile *could* exist during the RCPT TO phases, but there would  
be no header/body content to be read anyway.



Cheers,
Bill


Selinux Postfix rpm problems

2008-08-13 Thread Voytek Eymont
I have installed a new Centos 5.2 server, with Centos's Postfix as a
default MTA;

I then built and installed a Postfix rpm using Simon Mudd's srpm as:
postfix-2.5.2-1.pcre.mysql.sasl2.rhel5.i386.rpm

but, I get these Selinux issues as per log entries below:

what's the best way of setting this up?

# service postfix start
Starting postfix:  [  OK  ]
# service postfix status
master is stopped

# egrep '(warning|error|fatal|panic):' /var/log/maillog

Aug 14 10:07:36 centos postfix/master[1108]: fatal: open lock file
/var/lib/postfix/master.lock: cannot create file exclusively: Permission
denied

tail /var/log/messages

Aug 14 10:07:39 centos setroubleshoot: SELinux is preventing find
(postfix_master_t) "getattr" to /etc/postfix/examples (postfix_etc_t). For
complete SELinux messages. run sealert -l
4282-656b-4947-94a8-6359add5545a
Aug 14 10:07:39 centos setroubleshoot: SELinux is preventing find
(postfix_master_t) "getattr" to /etc/postfix/html (postfix_etc_t). For
complete SELinux messages. run sealert -l
546e2c29-d462-4cba-b7d5-533a2793227d
Aug 14 10:07:39 centos setroubleshoot: SELinux is preventing find
(postfix_master_t) "getattr" to /etc/postfix/readme (postfix_etc_t). For
complete SELinux messages. run sealert -l
131f678a-897d-410b-a008-83ce2eb5e454
followed by more of similar ...


# sealert -l 4282-656b-4947-94a8-6359add5545a

Summary:

SELinux is preventing find (postfix_master_t) "getattr" to
/etc/postfix/examples
(postfix_etc_t).

Detailed Description:

SELinux denied access requested by find. It is not expected that this
access is required by find and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /etc/postfix/examples,

restorecon -v '/etc/postfix/examples'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:postfix_master_t
Target Context                system_u:object_r:postfix_etc_t
Target Objects                /etc/postfix/examples [ lnk_file ]
Source                        find
Source Path                   /usr/bin/find
Port
Host                          centos.sbt.net.au
Source RPM Packages           findutils-4.2.27-4.1
Target RPM Packages           postfix-2.5.2-1.pcre.mysql.sasl2.rhel5
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     centos.sbt.net.au
Platform                      Linux centos.sbt.net.au 2.6.18-92.el5 #1 SMP Tue
                              Jun 10 18:49:47 EDT 2008 i686 i686
Alert Count                   9
First Seen                    Wed Aug 13 00:07:23 2008
Last Seen                     Thu Aug 14 10:07:36 2008
Local ID                      4282-656b-4947-94a8-6359add5545a
Line Numbers

Raw Audit Messages

host=centos.sbt.net.au type=AVC msg=audit(1218672456.745:45945): avc: 
denied  { getattr } for  pid=1092 comm="find" path="/etc/postfix/examples"
dev=dm-0 ino=36700221 scontext=root:system_r:postfix_master_t:s0
tcontext=system_u:object_r:postfix_etc_t:s0 tclass=lnk_file

host=centos.sbt.net.au type=SYSCALL msg=audit(1218672456.745:45945):
arch=4003 syscall=196 success=no exit=-13 a0=8f29467 a1=bfbdb218
a2=6e0ff4 a3=bfbdb218 items=0 ppid=1081 pid=1092 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8141 comm="find"
exe="/usr/bin/find" subj=root:system_r:postfix_master_t:s0 key=(null)


# postconf -m
btree
cidr
environ
hash
ldap
mysql
nis
pcre
proxy
regexp
static
unix

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix-2.5.2-documentation/html
inet_interfaces = localhost
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.2-documentation/readme
sample_directory = /usr/
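
The setroubleshoot alerts in the post above all come from the same kind of AVC record, so grouping them by source type, target type, object class and permission shows how many distinct policy questions there really are. This is an added example, not part of the original post; the sample lines are the quoted audit records rejoined onto single lines, and the second AVC record is constructed from the /etc/postfix/html alert with made-up timestamp, serial and inode.

```python
import re
from datetime import datetime, timezone

# Constructed sample: records from the post rejoined onto one line each, plus a
# second AVC record (timestamp, serial and inode invented) for the html symlink.
SAMPLE_AUDIT = [
    'host=centos.sbt.net.au type=AVC msg=audit(1218672456.745:45945): avc:  '
    'denied  { getattr } for  pid=1092 comm="find" path="/etc/postfix/examples" '
    'dev=dm-0 ino=36700221 scontext=root:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:postfix_etc_t:s0 tclass=lnk_file',
    'host=centos.sbt.net.au type=SYSCALL msg=audit(1218672456.745:45945): '
    'arch=4003 syscall=196 success=no exit=-13 comm="find" exe="/usr/bin/find"',
    'host=centos.sbt.net.au type=AVC msg=audit(1218672456.750:45946): avc:  '
    'denied  { getattr } for  pid=1092 comm="find" path="/etc/postfix/html" '
    'dev=dm-0 ino=36700222 scontext=root:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:postfix_etc_t:s0 tclass=lnk_file',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """A context is user:role:type[:level]; policy rules are written on the type."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return one denial as a dict, or None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "time": datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source_type": context_type(fields.get("scontext")),
        "target_type": context_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
    }


def group_denials(lines):
    """Collapse denials that differ only in path into one entry per cause."""
    groups = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["comm"], d["source_type"], d["target_type"], d["tclass"], d["perms"])
        groups.setdefault(key, []).append(d["path"])
    return groups


if __name__ == "__main__":
    for key, paths in group_denials(SAMPLE_AUDIT).items():
        print(key, "->", len(paths), "denials:", ", ".join(paths))
```

On the sample, both alerts reduce to one entry: `find` running in `postfix_master_t` was denied `getattr` on `lnk_file` objects labelled `postfix_etc_t`.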

Re: About maildir

2008-08-13 Thread Ben Beuchler
> I am using maildir with postfix. I have to copy lots of e-mail from a user's
> inbox to another. I am trying to copy all mails in cur and new folder to
> another but after this action inbox does not work. How can i transfrer these
> mails.

It's not clear exactly what you are doing.  Please include the
commands you are executing (ideally a transcript of the session) or a
more thorough explanation.

-Ben


Re: Postfix with SASL Authentication against LDAP

2008-08-13 Thread Alejandro Facultad

Daniel L. Miller wrote:

Alejandro Cabrera Obed wrote:

Dear all, I have a Debian Etch + Postfix 2.3.8 mail server with LDAP
2.3.30. TLS encryption works successfully but SASL authentication doesn't.

I have these:

apt-get install sasl2-bin libsasl2-modules

/etc/default/saslauthd:
START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

/etc/saslauthd.conf:
ldap_servers: ldap://ldap.company.com/
ldap_search_base: ou=people,dc=company,dc=com
ldap_bind_dn: cn=admin,dc=company,dc=com
ldap_bind_pw: xyz
ldap_filter: (&(objectClass=CourierMailAccount)(cn=%U))
ldap_scope: sub
ldap_auth_method: bind

I execute:
dpkg-statoverride --add root sasl 710 
/var/spool/postfix/var/run/saslauthd

adduser postfix sasl

/etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login
log_level: 7

/etc/postfix/master.cf:
smtp  inet  n   -   n   -   -   smtpd -o 
content_filter=spamassassin  # No chroot


/etc/postfix/main.cf:
# TLS
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/courier/smtpd.cert
smtpd_tls_key_file = /etc/courier/smtpd.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
# SMTP Restrictions
smtpd_recipient_restrictions = permit_sasl_authenticate, 
permit_mynetworks


Restart postfix and saslauthd

After that:

$telnet mail 25

and I see:
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
So TLS and SASL are OK.

Finally I configure my mail client (Iceweasel) and send a mail; it asks 
me for the password, but I FAIL !!! I see this in 
/var/log/auth.log:


Aug 13 15:25:45 mail postfix/cleanup[4182]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or 
directory
Aug 13 15:25:53 mail postfix/smtpd[4196]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or 
directory
Aug 13 15:27:15 mail postfix/cleanup[4222]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or 
directory
Aug 13 15:29:41 mail postfix/cleanup[4290]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or 
directory
Aug 13 15:29:57 mail postfix/smtpd[4303]: looking for plugins in 
'/usr/lib/sasl2', failed to open directory, error: No such file or 
directory
Aug 13 15:30:01 mail CRON[4306]: (pam_unix) session opened for user 
vmail by (uid=0)
Aug 13 15:30:01 mail pam_limits[4306]: setrlimit limit #11 to 
soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 13 15:30:01 mail pam_limits[4306]: setrlimit limit #12 to 
soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Aug 13 15:30:01 mail CRON[4306]: (pam_unix) session closed for user 
vmail



What can I do to put SASL to work against my LDAP ???

REALLY THANKS !!!

Alejandro

  
You need to install either the courier or dovecot packages to provide 
the necessary utilities/libraries.


For the courier option, you'll need libsasl2-modules and sasl2-bin at 
a minimum.  I don't think the dovecot packages have broken out the 
auth portion yet, so you would need to install dovecot-imapd and/or 
dovecot-pop3d.



I had libsasl2-modules and sasl2-bin as I just said above.

What can I do 

Thanks again



Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Wietse Venema
Robert Cohen:
> ul 27 12:43:23 mailin2 postfix/smtp[29137]: 4CBB07E8009:
> to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025, delay=137638,
> delays=137638/0/0/0, dsn=4.4.2, status=deferred (lost connection with
> 127.0.0.1[127.0.0.1] while sending message body)

The filter hangs up because it gets messed up.

> The only obvious issue with the particular messages is that the headers are
> gigantic. About 400k of headers which leads me to believe its a buffer
> overflow.

Quite possible, but not in Postfix.

Wietse


Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Robert Cohen



On 14/8/08 12:11 PM, "Wietse Venema" <[EMAIL PROTECTED]> wrote:

> Robert Cohen:
>> ul 27 12:43:23 mailin2 postfix/smtp[29137]: 4CBB07E8009:
>> to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025, delay=137638,
>> delays=137638/0/0/0, dsn=4.4.2, status=deferred (lost connection with
>> 127.0.0.1[127.0.0.1] while sending message body)
> 
> The filter hangs up because it gets messed up.
> 
>> The only obvious issue with the particular messages is that the headers are
>> gigantic. About 400k of headers which leads me to believe its a buffer
>> overflow.
> 
> Quite possible, but not in Postfix.
> 
> Wietse

So if a filter botches handling one message, postfix gives up on sending it
anything for up to 15 minutes?
That doesn't seem like a particularly graceful way of handling filter
failure.



===
Robert Cohen
Systems & Desktop Services
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
 
T: +61 2 6125 8389
F: +61 2 6125 7699
http://www.anu.edu.au
 
CRICOS Provider #00120C
===




RE: Outbound rate throttling

2008-08-13 Thread MacShane, Tracy

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Noel Jones
> Sent: Wednesday, 13 August 2008 10:53 PM
> To: MacShane, Tracy
> Cc: postfix-users@postfix.org
> Subject: Re: Outbound rate throttling
> 
>
> >  
> > I've upgraded a server to Postfix 2.5.2 (from 2.2) and tried 
> > implementing a slow transport for this purpose:
> >  
> > master.cf
> > ---
> > # transport for touchy domains
> > slow      unix  -       -       n       -       1       smtp
> 
> You can add
>-o syslog_name=postfix-slow
> to the above to differentiate it in the logs so you know it's 
> being used.

Great, that's showing up beautifully now. 

> > 15:59:14 smtptest postfix/error[4460]: 4061815E00C0:
> > to=<[EMAIL PROTECTED] >,
> > relay=none, delay=4906, delays=4905/0.08/0/0.01, dsn=4.4.1, 
> > status=deferred (delivery temporarily suspended: connect to
> > mx.telekom.net.sb[202.1.161.20]:25: Connection refused) [
> 
> These are not delivery attempts.  Delivery attempts are 
> logged by postfix/smtp.
> These are all from the error: service notifying you that the 
> destination has been throttled because of multiple previous 
> "connection refused" error.

Ahah! Clear as day, once you see the difference between postfix/smtp and
postfix/error. It looks like it's working perfectly, then - postfix-slow
is trying a connection every few minutes at present, and the rest are
the errors/backoffs.

So it should be fine, once they start accepting my mail again. 


Re: another "mail forwarding loop" question

2008-08-13 Thread Noel Jones

Christopher Adams wrote:

> Can someone clue me in as to what might be causing this? A person sent
> a message to a mailing list named Xlist. There is nothing nonstandard
> about Postfix, no Virtual Hosts. I need to know where the fault lies.
> I call my server '[EMAIL PROTECTED]'. I have a general idea of what
> a mail forwarding loop is, but I just need to be clear with the
> customer about it. This is what the sender received back:
>
> Diagnostic information for administrators:
>
> Generating server: myserver.domain.com
>
> [EMAIL PROTECTED]
> #< #5.4.6 X-Postfix; mail forwarding loop for [EMAIL PROTECTED]> #SMTP#

It's more informative to see what postfix logs.

> Original message headers:
> ...
> delivered-to: [EMAIL PROTECTED]

If that delivered-to: header was in the mail that postfix 
received, postfix will treat it as a loop and bounce it.
That header should only be added by a final delivery agent, 
and should never be in mail arriving from the network.

My wild guess is that some broken software is adding that 
header, postfix uses caps. Delivered-To:

It's possible to use a header_checks rule with the IGNORE 
action to remove the offending header, but that's not recommended.


--
Noel Jones
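
The check described in the reply above can be run over a saved copy of a bounced message: the sketch below lists every Delivered-To header, says whether it matches the recipient, whether it sits below the Received line stamped by the local server (so it arrived from the network), and whether it uses the capitalisation Postfix writes. It is an added example, not part of the original post; the sample headers are constructed, `xlist@domain.com` and the sender names are placeholders, and the case-insensitive address comparison is an assumption.

```python
import email
import re

# Constructed sample modelled on the bounce quoted in the thread; the list
# address and sender hosts are placeholders (the archive redacts the real ones).
SAMPLE = """\
Received: from mailgw.sender.example (mailgw.sender.example [192.0.2.62])
\tby myserver.domain.com (Postfix) with ESMTP id CBCC5364037
\tfor <xlist@domain.com>; Wed, 13 Aug 2008 12:53:45 -0700 (PDT)
Received: from mailfe03.sender.example ([10.4.10.64])
\tby mailgw.sender.example with ESMTP; 13 Aug 2008 14:58:55 -0500
From: John Smith <jsmith@sender.example>
To: "'xlist@domain.com'" <xlist@domain.com>
Subject: FW: change in Listserv email address
delivered-to: xlist@domain.com
x-original-to: xlist@domain.com
MIME-Version: 1.0

body
"""

# Constructed contrast case: header prepended by a local delivery agent.
LOCAL_SAMPLE = """\
Delivered-To: other@domain.com
Received: from mailgw.sender.example (mailgw.sender.example [192.0.2.62])
\tby myserver.domain.com (Postfix) with ESMTP id CBCC5364037
\tfor <other@domain.com>; Wed, 13 Aug 2008 12:53:45 -0700 (PDT)
Subject: test

body
"""


def delivered_to_report(raw, recipient, my_host):
    """Describe each Delivered-To header in a raw message.

    Each hop prepends its headers, so anything below the first Received
    line stamped "by my_host" was already in the message on arrival.
    """
    headers = email.message_from_string(raw).items()  # ordered, case preserved
    stamped = re.compile(r"\bby\s+" + re.escape(my_host) + r"(?![\w.-])", re.I)
    arrival = next((i for i, (name, value) in enumerate(headers)
                    if name.lower() == "received" and stamped.search(value)), None)
    report = []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "delivered-to":
            continue
        address = value.strip()
        report.append({
            "address": address,
            # Assumption: the address is compared without regard to case.
            "matches_recipient": address.lower() == recipient.lower(),
            "arrived_with_message": arrival is not None and i > arrival,
            "postfix_spelling": name == "Delivered-To",
        })
    return report


if __name__ == "__main__":
    for label, raw, rcpt in (("bounced", SAMPLE, "xlist@domain.com"),
                             ("local", LOCAL_SAMPLE, "xlist@domain.com")):
        print(label, delivered_to_report(raw, rcpt, "myserver.domain.com"))
```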


Re: Apparent buffer overflow from huge headers

2008-08-13 Thread Ralf Hildebrandt
* Robert Cohen <[EMAIL PROTECTED]>:
> So if a filter botches handling one message, postfix gives up on sending it
> anything for up to 15 minutes?

Exactly. Since the transport is broken, postfix backs off.
You can configure that.

> That doesn't seem like a particularly graceful way of handling filter
> failure.

Of course it is. What's the point in hammering a broken program/broken
server/broken destination for hours on end?

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Simplicity is the only path to some measure of peace as an email admin!


Re: mail stuck in mailq q

2008-08-13 Thread Voytek Eymont

On Mon, August 11, 2008 11:50 am, Sahil Tandon wrote:

>> name=meriden.nsw.edu.au type=MX: Host not found, try again)
>
> Figure out why there was/is a name service error for that hostname.

Sahil,
thanks again:

the data centre *used* to run the target dns, but no longer does, *and*
hasn't removed it, so I was hitting authoritative dns that wasn't...



-- 
Voytek