Re: failover for check_policy_service

2008-10-06 Thread Jan P. Kessler

J. Thomsen wrote:

> This is the rationale behind an optional 'dunno if failing' on
> check_policy_service components.


I wrote a little HA and load-balancing script for policy delegation
requests in Perl some time ago. Maybe it is useful for you.


Doc:
http://postfwd.org/DEVEL/hapolicy-0.99.1.html

Code:
http://postfwd.org/DEVEL/hapolicy-0.99.1
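
The wire format the 'dunno if failing' idea applies to, as an added example in Python. This is not the hapolicy script linked above and not Postfix code: it implements the policy-delegation protocol (name=value lines ended by an empty line in both directions, as documented in SMTPD_POLICY_README), tries a list of backends in order, and answers DUNNO when none of them gives a usable reply. The backend ports, the in-memory fake backends and the sample request are constructed so the demo runs without a network.

```python
"""Postfix policy-delegation protocol, with failover that answers DUNNO when
no backend can be reached.

Added example; not the hapolicy script and not Postfix code. Backend
addresses, the fake transport and the sample request are constructed.
"""
import socket
from typing import Callable, Dict, Optional, Sequence, Tuple

Backend = Tuple[str, int]                    # (host, port), as in inet:host:port
Sender = Callable[[Backend, bytes], bytes]   # transport: raw request -> raw reply


def parse_policy_request(raw: bytes) -> Dict[str, str]:
    """Decode one smtpd_access_policy request into its attributes."""
    attrs: Dict[str, str] = {}
    for line in raw.decode("utf-8", "replace").split("\n"):
        if line == "":                       # empty line terminates the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def format_policy_request(attrs: Dict[str, str]) -> bytes:
    """Encode attributes the way smtpd sends them to a policy server."""
    return ("".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n").encode()


def format_policy_response(action: str) -> bytes:
    """A policy server replies with an action line followed by an empty line."""
    return f"action={action}\n\n".encode()


def parse_policy_response(raw: bytes) -> Optional[str]:
    """Extract the action from a reply; None if the reply is malformed."""
    for line in raw.decode("utf-8", "replace").split("\n"):
        if line == "":
            break
        if line.startswith("action="):
            return line[len("action="):].strip() or None
    return None


def tcp_sender(backend: Backend, raw: bytes, timeout: float = 2.0) -> bytes:
    """Real transport: one request/reply over TCP; raises OSError on any failure."""
    with socket.create_connection(backend, timeout=timeout) as sock:
        sock.sendall(raw)
        buf = b""
        while b"\n\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise OSError("backend closed the connection before replying")
            buf += chunk
    return buf


def query_with_failover(backends: Sequence[Backend], attrs: Dict[str, str],
                        sender: Sender = tcp_sender, default: str = "DUNNO") -> str:
    """Ask each backend in turn; return `default` if none gives a usable answer.

    DUNNO is the safe default: the remaining smtpd restrictions still run,
    so a dead helper neither rejects legitimate mail nor waves spam through.
    """
    raw = format_policy_request(attrs)
    for backend in backends:
        try:
            action = parse_policy_response(sender(backend, raw))
        except OSError:                      # refused, reset, timed out, half-closed
            continue
        if action:
            return action
    return default


# Constructed sample: a subset of what smtpd sends at RCPT time.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "client_address": "192.0.2.10",
    "sender": "alice@example.net",
    "recipient": "bob@example.org",
}
DEAD, ALIVE = ("127.0.0.1", 10031), ("127.0.0.1", 10032)   # assumed ports


def fake_transport(backend: Backend, raw: bytes) -> bytes:
    """Stand-in for tcp_sender: one backend is down, the other blocks 192.0.2.10."""
    if backend == DEAD:
        raise OSError("connection refused")
    req = parse_policy_request(raw)
    verdict = "REJECT policy: client listed" if req.get("client_address") == "192.0.2.10" else "DUNNO"
    return format_policy_response(verdict)


if __name__ == "__main__":
    print(query_with_failover([DEAD, ALIVE], SAMPLE_REQUEST, sender=fake_transport))
    print(query_with_failover([DEAD], SAMPLE_REQUEST, sender=fake_transport))
```

Returning DUNNO rather than REJECT or OK on failure is the whole point: a defer-on-failure proxy stalls all mail when the helper is down, and a permit-on-failure one hands a bypass to anyone who can overload the helper.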



Per user whitelist in postfix

2008-10-06 Thread Guy
Hi,

I'm currently using dnswl (dnswl.org) in my recipient restrictions on a mail
gateway.
Below is an example line from the list:
193.222.110.200/32  permit_auth_destination med nonea.se DNSWLId 10128

As I understand it, this whitelists those IPs from all the RBL etc. checks
that follow in the recipient restrictions?

I've been told that we now need per recipient whitelisting. I'm guessing I
need to do something similar to the dnswl, but have it check against mysql
using the recipients address to find out whether it should skip the checks.
Basically I have to give users the option to receive spam if they so choose.

So is this idea feasible and does anyone have any recommendations on its
implementation? Any howtos or documentation from someone that's done
something similar would also be appreciated as it doesn't seem to be
something done very much.

Thanks
Guy

[Current recipient restrictions]
smtpd_recipient_restrictions =
permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_destination,
check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client psbl.surriel.com,
reject_rhsbl_client zen.spamhaus.org,
reject_rhsbl_client bl.spamcop.net,
check_policy_service inet:127.0.0.1:10031,
permit


-- 
Don't just do something...sit there!


Re: question about relay_recipient_maps

2008-10-06 Thread Nicolás Velásquez O.
Hello,

We receive a high volume of mail for nonexistent mailboxes, so we
want to prevent Postfix's SMTP probes to the nearest MTA, we just want
to use localfile or LDAP queries. I've attached the postconf -n and
some tests I've done, any help is appreciated.

About the behavior, I see 2 cases:
1. When mailbox exists:
- checks File. If found, stops
- checks LDAP. If found, stops
- Never asks via SMTP
Telnet test output:
mailx5:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailx5.domain.org ESMTP Postfix
EHLO mailx5.domain.org
250-mailx5.domain.org
250-PIPELINING
250-SIZE 525
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: [EMAIL PROTECTED]
250 2.1.0 Ok
RCPT TO: [EMAIL PROTECTED]
250 2.1.5 Ok


2. When mailbox doesn't exist:
- checks File.
- checks LDAP.
- Asks via SMTP if the mailbox exists
- After a lag (1-2 seconds), returns "450 4.1.1
<[EMAIL PROTECTED]>: Recipient address rejected:
unverified address: Address verification in progress"
Telnet test output:
mailx5:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailx5.domain.org ESMTP Postfix
EHLO mailx5.domain.org
250-mailx5.domain.org
250-PIPELINING
250-SIZE 525
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: [EMAIL PROTECTED]
250 2.1.0 Ok
RCPT TO: [EMAIL PROTECTED]
450 4.1.1 <[EMAIL PROTECTED]>: Recipient
address rejected: unverified address: Address verification in progress


Here is the output from postconf -n
address_verify_map = btree:/var/spool/postfix/mta/verify
address_verify_negative_cache = no
alias_database = hash:/etc/postfix/aliases  hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
body_checks = pcre:/etc/postfix/body_checks.backscatters.pcre01
pcre:/etc/postfix/body_checks.backscatters.pcre02
bounce_queue_lifetime = 0
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = lmtp-amavis:[localhost]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 3
debug_peer_list = hotmail.com, localhost, gmail.com, google.com
disable_vrfy_command = yes
fast_flush_domains =
header_checks = pcre:/etc/postfix/header_checks.pcre00
pcre:/etc/postfix/header_checks.subjects.pcre01
pcre:/etc/postfix/header_checks.backscatters.pcre02
html_directory = no
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
masquerade_exceptions = root
maximal_queue_lifetime = 0
message_size_limit = 525
mydestination =
mydomain = domain.org
myhostname = mailx5.$mydomain
mynetworks = 127.0.0.0/8,   10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = debug_peer_list  smtpd_access_maps
proxy_interfaces = xxx.xxx.xxx.xxx
queue_directory = /var/spool/postfix
readme_directory = no
recipient_canonical_maps = pcre:/etc/postfix/canonical.pcre
relay_domains = $mydomain, mail.$mydomain, mail5.$mydomain,
step.$mydomain, lists.$mydomain, elist.$mydomain,
relay_recipient_maps = hash:/etc/postfix/LDAPaddressbook.txt
ldap:/etc/postfix/ldap-users.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
show_user_unknown_table_name = no
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname   permit_mynetworks
check_helo_access hash:/etc/postfix/helo_checks
smtpd_recipient_restrictions = reject_unverified_recipient
reject_non_fqdn_recipient reject_unauth_destination
reject_unknown_recipient_domain reject_unlisted_recipient
check_recipient_access pcre:/etc/postfix/recipients_checks.pcre
check_policy_service unix:private/policy-spf reject_rbl_client
zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net
reject_rbl_client dnsbl.njabl.org
smtpd_sender_restrictions = reject_non_fqdn_sender
permit_mynetworks check_sender_access
hash:/etc/postfix/whitelist check_sender_access
hash:/etc/postfix/sender_checks check_sender_access
pcre:/etc/postfix/sender_checks.pcre check_sender_access
hash:/etc/postfix/sender_access reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = $alias_maps$aliasdatabase
regexp:/etc/postfix/virtual.regexp
hash:/etc/postfix/LDAPaddressbook.txt
ldap:/etc/postfix/ldap-users.cf



2008/10/3 Noel Jones <[EMAIL PROTECTED]>:
> Nicolás Velásquez O. wrote:
>>
>> Hello,
>>
>> I've googled around and been playing with relay_recipient_maps. I have
>> it as follows:
>> relay_recipient_maps =
>>   hash:/etc/postfix/LDAPaddressbook.txt
>>   ldap:/etc/postfix/ldap-users.cf
>>
>> Where /etc/postfix/LDAPaddressbook.txt is a local list of th

Re: question about relay_recipient_maps

2008-10-06 Thread Brian Evans - Postfix List
Nicolás Velásquez O. wrote:
> Hello,
>
> We receive a high volume of mail for nonexistent mailboxes, so we
> want to prevent Postfix's SMTP probes to the nearest MTA, we just want
> to use localfile or LDAP queries. I've attached the postconf -n and
> some tests I've done, any help is appreciated.
>   

You are asking Postfix to do this. See below

Also, please use example.(com|net|org) instead of "domain".
> 2. When mailbox doesn't exist:
> - checks File.
> - checks LDAP.
> - Asks via SMTP if the mailbox exists
> - After a lag (1-2 seconds), returns "450 4.1.1
> <[EMAIL PROTECTED]>: Recipient address rejected:
> unverified address: Address verification in progress"
> Telnet test output:
> mailx5:~ # telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mailx5.domain.org ESMTP Postfix
> EHLO mailx5.domain.org
> 250-mailx5.domain.org
> 250-PIPELINING
> 250-SIZE 525
> 250-ETRN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> MAIL FROM: [EMAIL PROTECTED]
> 250 2.1.0 Ok
> RCPT TO: [EMAIL PROTECTED]
> 450 4.1.1 <[EMAIL PROTECTED]>: Recipient
> address rejected: unverified address: Address verification in progress
>
>   

What do the logs say on the mail5 machine? It should not delay on such a
request since that is your setup.

> Here is the output from postconf -n

[...]
> smtpd_recipient_restrictions = reject_unverified_recipient
> reject_non_fqdn_recipient reject_unauth_destination
> reject_unknown_recipient_domain reject_unlisted_recipient
> check_recipient_access pcre:/etc/postfix/recipients_checks.pcre
> check_policy_service unix:private/policy-spf reject_rbl_client
> zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net
> reject_rbl_client dnsbl.njabl.org
>   

reject_unverified_recipient up front means "For everything not in a map,
verify by SMTP".
Since you have map files, why include a SMTP check anyway?


You really should have reject_unauth_destination first (if you don't
trust mynetworks).
This is due to anyone who queries your server for open relay.  You will
ask the entire internet for any address given up front, even if it's not.


Brian



Out Of Office Utility

2008-10-06 Thread Carlos Williams
I had a user ask me if the Postfix email server can auto respond w/
"Out of Office" reply rather than do this on his client in case his
machine is rebooted and or shut off. I Google'd this first and found a
program called "Vacation" which appears to be somewhat compatible
however I am not sure since I have neither installed nor used it as of
yet. I read the man page and it appears like a process getting up and
running so I thought I would ask here 1st if there is a more efficient
way in Postfix to get this up and running w/o having to install a
separate application / daemon to do what I am looking for.

Thanks for any info!


Re: Out Of Office Utility

2008-10-06 Thread Adam Tauno Williams
On Mon, 2008-10-06 at 09:51 -0400, Carlos Williams wrote:
> I had a user ask me if the Postfix email server can auto respond w/
> "Out of Office" reply rather than do this on his client in case his
> machine is rebooted and or shut off. I Google'd this first and found a
> program called "Vacation" which appears to be somewhat compatible
> however I am not sure since I have neither installed nor used it as of
> yet. I read the man page and it appears like a process getting up and
> running so I thought I would ask here 1st if there is a more efficient
> way in Postfix to get this up and running w/o having to install a
> separate application / daemon to do what I am looking for.

If you're delivering to a Cyrus IMAPd server then SIEVE has very nice
facilities to handle vacation messages for you.  Several rather nice
UI/clients are available as well so users can setup their own messages.



Re: Out Of Office Utility

2008-10-06 Thread Carlos Williams
On Mon, Oct 6, 2008 at 9:59 AM, Adam Tauno Williams
<[EMAIL PROTECTED]> wrote:
> If you're delivering to a Cyrus IMAPd server then SIEVE has very nice
> facilities to handle vacation messages for you.  Several rather nice
> UI/clients are available as well so users can setup their own messages.

Sadly no. I am delivering to a Dovecot IMAPd.


Re: Out Of Office Utility

2008-10-06 Thread Brian Evans - Postfix List
Carlos Williams wrote:
> I had a user ask me if the Postfix email server can auto respond w/
> "Out of Office" reply rather than do this on his client in case his
> machine is rebooted and or shut off. I Google'd this first and found a
> program called "Vacation" which appears to be somewhat compatible
> however I am not sure since I have neither installed nor used it as of
> yet. I read the man page and it appears like a process getting up and
> running so I thought I would ask here 1st if there is a more efficient
> way in Postfix to get this up and running w/o having to install a
> separate application / daemon to do what I am looking for.
>
> Thanks for any info!
>   

This depends highly on *your* configuration.

Postfix itself is a mail transfer agent.  Its job is to move mail from
point to point.

vacation is a nice utility if you deliver via local (or other MDA that
checks .forward files)

It's a bit more interesting if you use virtual(8) to deliver since that
does not use .forward files.

If we knew a bit more, we might give a more complete suggestion.

Brian

P.S. Writing your own needs knowledge as you can easily become an
Outscatter source if you don't understand what this can do.


Re: Out Of Office Utility

2008-10-06 Thread Mark Goodge



Carlos Williams wrote:

On Mon, Oct 6, 2008 at 9:59 AM, Adam Tauno Williams
<[EMAIL PROTECTED]> wrote:

If you're delivering to a Cyrus IMAPd server then SIEVE has very nice
facilities to handle vacation messages for you.  Several rather nice
UI/clients are available as well so users can setup their own messages.


Sadly no. I am delivering to a Dovecot IMAPd.


If you're delivering to an IMAP server, then the simplest option is to 
add a webmail interface to it which supports auto-reply. Even if your 
end users normally get their mail via a local IMAP client, they can use 
the webmail facility to set up an "out of office" response and it will 
run even with their local machine switched off. And, you get the benefit 
of a webmail interface in case your users ever want it! No changes are 
needed to either Postfix or Dovecot, the webmail system is an additional 
layer that runs on top of your existing configuration.


There are several webmail systems that include auto-reply either as a 
basic feature or an optional extra. Squirrelmail is one that I'm aware 
of, but a bit of Googling should find plenty of others.


Mark
--
http://mark.goodge.co.uk - my pointless blog
http://www.good-stuff.co.uk - my less pointless stuff


Re: Out Of Office Utility

2008-10-06 Thread Barney Desmond
Carlos Williams wrote:
> I had a user ask me if the Postfix email server can auto respond w/
> "Out of Office" reply rather than do this on his client in case his
> machine is rebooted and or shut off.

My first response would be to ask whether they really need it. :)
This bitterness comes from dealing with too many annoyingly-enterprise-y
customers who are hell bent on notifying people that they'll be away
from their desk for more than 45 seconds, lest they be "left out of the
loop"...

> I Google'd this first and found a
> program called "Vacation" which appears to be somewhat compatible
> however I am not sure since I have neither installed nor used it as of
> yet. I read the man page and it appears like a process getting up and
> running so I thought I would ask here 1st if there is a more efficient
> way in Postfix to get this up and running w/o having to install a
> separate application / daemon to do what I am looking for.

This isn't something you really "daemonise", postfix just delivers mail.

You can use vacation and formail to do this if you use local delivery.
We use procmail for local delivery, so something like this in the user's
.procmailrc works for us. It's quite manual though, not usually
something users do for themselves. Good for a one-off, but not ongoing.

Delete any ~/.vacation.cache files before starting, and create a
~/.autoreply file for the user.


SHELL=/bin/bash
NAME="Yukari Yakumo"
EMAIL="[EMAIL PROTECTED]"

# Only consider mail that is not from a daemon or list and has not already
# looped through this recipe. formail -rD records the sender address in the
# cache and exits 0 if it was already there, so the reply below is skipped.
:0 Whc: .vacation.lock
* !^FROM_DAEMON
* !^X-Loop: infobot_reply
| formail -rD 8192 .vacation.cache

# Runs only if the previous recipe failed, i.e. the sender was new: build a
# reply header from the original, mark it as an auto-reply with an X-Loop
# header, append the canned text and hand the result to sendmail.
:0 ehc
| (formail -rt -I"From: $NAME <$EMAIL>" \
    -A"Precedence: junk (autoreply)" \
    -A"X-Loop: infobot_reply" ; \
   cat $HOME/.autoreply \
  ) | $SENDMAIL -t -f "$EMAIL"




My first config - unable to telnet to port 25, virtual.db missing

2008-10-06 Thread Paul Cocker
I have a CentOS 5.2 machine running postfix 2.3.3 installed via yum and am
setting up for the first time, having been a sendmail user previously.
 
I have been configuring it based around 'Postfix email firewall/gateway'
setup in the postfix documentation as this machine will be acting as the
primary mail server for outgoing mail and the second MX entry for
incoming.
 
The server has hosts.deny set to ALL:ALL but smtp in hosts.allow is also
set to ALL.
 
Running a postconf -n results in the following output:
 
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mynetworks = 100.243.0.0/22, 100.132.127.128/25
myorigin = domain1.co.uk
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

I do /usr/sbin/postfix check, which results in no errors, followed by
/usr/sbin/postfix start. I can see master running in my process list.
 
However, attempts to connect to port 25 on this machine from within the
100.243.0.0/22 network time out with 'Connect failed' messages.
 
My maillog is filled with the following:
 
Oct  6 14:57:20 merlin postfix/postfix-script: starting the Postfix mail
system
Oct  6 14:57:20 merlin postfix/master[13470]: daemon started -- version
2.3.3, configuration /etc/postfix
Oct  6 14:57:20 merlin postfix/qmgr[13472]: CDF481F80062:
from=<[EMAIL PROTECTED]>, size=971, nrcpt=1 (queue active)
...
Oct  6 14:57:21 merlin postfix/trivial-rewrite[13474]: fatal: open
database /etc/postfix/virtual.db: No such file or directory
Oct  6 14:57:21 merlin postfix/cleanup[13473]: fatal: open database
/etc/postfix/virtual.db: No such file or directory
Oct  6 14:57:22 merlin postfix/master[13470]: warning: process
/usr/libexec/postfix/cleanup pid 13473 exit status 1
Oct  6 14:57:22 merlin postfix/master[13470]: warning:
/usr/libexec/postfix/cleanup: bad command startup -- throttling
Oct  6 14:57:22 merlin postfix/master[13470]: warning: process
/usr/libexec/postfix/trivial-rewrite pid 13474 exit status 1
Oct  6 14:57:22 merlin postfix/master[13470]: warning:
/usr/libexec/postfix/trivial-rewrite: bad command startup -- throttling
...
 
Do I need to manually create virtual.db (and should I run a
set-permissions from postconf if I do?), or is that incidental to the
other errors? Are these errors the reason it won't accept connections on
port 25, or is there an error in the config above?
 
Paul Cocker




TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), 
TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT 
Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post 
Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary 
and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd 
(02556692). All companies are registered in England and Wales; registered 
address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, 
SL7 1HY.



Re: My first config - unable to telnet to port 25, virtual.db missing

2008-10-06 Thread Barney Desmond
Create the file with:

postmap /etc/postfix/virtual

then attempt to start postfix again. The use of a Makefile in
/etc/postfix is also advised, it'll help keep you sane.
http://www.anchor.com.au/hosting/dedicated/postfix_makefile


Re: My first config - unable to telnet to port 25, virtual.db missing

2008-10-06 Thread Brian Evans - Postfix List
Paul Cocker wrote:
> I have a CentOS 5.2 machine running postfix 2.3.3 installed via yum and am
> setting up for the first time, having been a sendmail user previously.
>  
> I have been configuring it based around 'Postfix email firewall/gateway'
> setup in the postfix documentation as this machine will be acting as the
> primary mail server for outgoing mail and the second MX entry for
> incoming.
>  
> The server has hosts.deny set to ALL:ALL but smtp in hosts.allow is also
> set to ALL.
>  
> Running a postconf -n results in the following output:
>   
[...]
> relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
>   

No relay_recipient_maps?  You seem to be heading to be a
(Back|Out)scatter source.
Highly suggest you have a static map or db map (LDAP,SQL) of real users.


>
> Oct  6 14:57:21 merlin postfix/trivial-rewrite[13474]: fatal: open
> database /etc/postfix/virtual.db: No such file or directory
>   

You forgot to run 'postmap hash:/etc/postfix/virtual'.  This must be
done for all hash, cdb, btree, (s)dbm files that you define as maps.
>  
> Do I need to manually create virtual.db (and should I run a
> set-permissions from postconf if I do?), or is that incidental to the
> other errors? Are these errors the reason it won't accept connections on
> port 25, or is there an error in the config above?
>   

Does master.cf have an uncommented line for the smtpd service?
What happens if you remove (comment) the line from hosts.deny?

Brian


Re: Out Of Office Utility

2008-10-06 Thread Justin Pasher

Carlos Williams wrote:

On Mon, Oct 6, 2008 at 9:59 AM, Adam Tauno Williams
<[EMAIL PROTECTED]> wrote:
  

If you're delivering to a Cyrus IMAPd server then SIEVE has very nice
facilities to handle vacation messages for you.  Several rather nice
UI/clients are available as well so users can setup their own messages.



Sadly no. I am delivering to a Dovecot IMAPd.


Check out pysieved. It's a stand-alone sieve daemon that can also hook 
into Dovecot authentication. You can then use the avelsieve plugin for 
SquirrelMail to allow the end user to configure his filters.


http://www.woozle.org/~neale/src/pysieved/

--
Justin Pasher


Re: Per user whitelist in postfix

2008-10-06 Thread mouss
Guy wrote:
> Hi,
>
> I'm currently using dnswl (dnswl.org) in my
> recipient restrictions on a mail gateway.
> Below is an example line from the list:
> 193.222.110.200/32  permit_auth_destination med nonea.se  DNSWLId 10128
>
> As I understand it, this whitelists those IP's from all the RBL etc
> checks that follow in the recipient restrictions?

yes.
>
> I've been told that we now need per recipient whitelisting. I'm
> guessing I need to do something similar to the dnswl, but have it
> check against mysql using the recipients address to find out whether
> it should skip the checks. Basically I have to give users the option
> to receive spam if they so choose.

Use check_recipient_access. The lookup should return OK if the user
"wants spam". In "hash" terms, it would be something like


[EMAIL PROTECTED]  OK
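
Why that OK entry works, and where in the list it has to sit, as an added example in Python. This is not Postfix code: it is a small model of the rule Postfix documents for its restriction lists (the first restriction that returns a permit or reject result decides, DUNNO falls through to the next, and running off the end permits), applied to constructed sessions. It covers mouss's check_recipient_access answer above and Brian Evans's ordering point in the relay_recipient_maps thread: an OK entry skips the RBL checks after it, the same entry hoisted above reject_unauth_destination becomes a relay permit, and reject_unverified_recipient ahead of reject_unauth_destination probes remote mailboxes for recipients the server would never accept. The addresses, table contents and DNSBL listings are assumptions.

```python
"""How smtpd_recipient_restrictions is walked, modelled in Python.

Added example, not Postfix code. Table contents, addresses and the DNSBL
listing are constructed stand-ins for cidr:, hash:, mysql: tables and DNS.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

MYNETWORKS = {"127.0.0.1", "10.0.0.5"}
RELAY_DOMAINS = {"example.org"}                               # domains we accept mail for
DNSWL_PERMIT = {"193.222.110.200"}                            # cidr: dnswl permit list
RBL_LISTED = {"198.51.100.7"}                                 # listed in zen (assumed)
WANTS_SPAM = {"spamlover@example.org", "friend@example.net"}  # second entry: admin mistake
KNOWN_RECIPIENTS = {"bob@example.org", "spamlover@example.org"}   # relay_recipient_maps


@dataclass
class Session:
    client_address: str
    recipient: str
    probes: List[str]        # addresses reject_unverified_recipient would probe by SMTP

    def domain(self) -> str:
        return self.recipient.rpartition("@")[2]


Restriction = Callable[[Session], str]   # returns "OK", "REJECT ...", "DEFER ..." or "DUNNO"


def permit_mynetworks(s: Session) -> str:
    return "OK" if s.client_address in MYNETWORKS else "DUNNO"


def reject_unauth_destination(s: Session) -> str:
    return "DUNNO" if s.domain() in RELAY_DOMAINS else "REJECT Relay access denied"


def check_client_access_dnswl(s: Session) -> str:
    return "OK" if s.client_address in DNSWL_PERMIT else "DUNNO"


def check_recipient_access_wants_spam(s: Session) -> str:
    return "OK" if s.recipient in WANTS_SPAM else "DUNNO"


def reject_rbl_client_zen(s: Session) -> str:
    return "REJECT blocked using zen.spamhaus.org" if s.client_address in RBL_LISTED else "DUNNO"


def reject_unverified_recipient(s: Session) -> str:
    if s.recipient in KNOWN_RECIPIENTS:    # answered from the map, no probe needed
        return "DUNNO"
    s.probes.append(s.recipient)           # otherwise a verify(8) probe goes to the next hop
    return "DEFER 450 4.1.1 Address verification in progress"


def evaluate(order: List[Restriction], s: Session) -> Tuple[str, str]:
    """Walk the list; return (result, name of the restriction that produced it)."""
    for fn in order:
        result = fn(s)
        if result != "DUNNO":
            return result, fn.__name__
    return "OK", "implicit permit at end of list"


def run(order: List[Restriction], client: str, rcpt: str) -> Tuple[str, str, List[str]]:
    s = Session(client, rcpt, [])
    result, decided_by = evaluate(order, s)
    return result, decided_by, s.probes


# Guy's order: whitelist after reject_unauth_destination, before the RBL checks.
RECOMMENDED = [permit_mynetworks, reject_unauth_destination, check_client_access_dnswl,
               check_recipient_access_wants_spam, reject_rbl_client_zen]
# Same entries with the access table hoisted above reject_unauth_destination.
HOISTED = [permit_mynetworks, check_recipient_access_wants_spam,
           reject_unauth_destination, reject_rbl_client_zen]
# The relay_recipient_maps thread: verification first versus after reject_unauth_destination.
VERIFY_FIRST = [reject_unverified_recipient, reject_unauth_destination, reject_rbl_client_zen]
VERIFY_AFTER = [reject_unauth_destination, reject_unverified_recipient, reject_rbl_client_zen]

if __name__ == "__main__":
    listed = "198.51.100.7"
    for rcpt in ("spamlover@example.org", "bob@example.org", "friend@example.net"):
        print("recommended", rcpt, run(RECOMMENDED, listed, rcpt)[:2])
        print("hoisted    ", rcpt, run(HOISTED, listed, rcpt)[:2])
    print("verify first", run(VERIFY_FIRST, listed, "victim@example.net"))
    print("verify after", run(VERIFY_AFTER, listed, "victim@example.net"))
```

The practical rule the model illustrates: anything that can return OK (check_*_access tables, permit_* restrictions, a policy service) belongs after reject_unauth_destination, and anything that does remote work on an unknown recipient (reject_unverified_recipient) belongs after it as well, so that a relay attempt is refused before it costs a probe.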



Re: Out Of Office Utility

2008-10-06 Thread mouss
Carlos Williams wrote:
> On Mon, Oct 6, 2008 at 9:59 AM, Adam Tauno Williams
> <[EMAIL PROTECTED]> wrote:
>   
>> If you're delivering to a Cyrus IMAPd server then SIEVE has very nice
>> facilities to handle vacation messages for you.  Several rather nice
>> UI/clients are available as well so users can setup their own messages.
>> 
>
> Sadly no. I am delivering to a Dovecot IMAPd.
>   

Dovecot deliver (+sieve) can do vacation.


Re: Out Of Office Utility

2008-10-06 Thread mouss
Barney Desmond wrote:
> Carlos Williams wrote:
> > I had a user ask me if the Postfix email server can auto respond w/
> > "Out of Office" reply rather than do this on his client in case his
> > machine is rebooted and or shut off.
>
> My first response would be to ask whether they really need it. :)
> This bitterness comes from dealing with too many annoyingly-enterprise-y
> customers who are hell bent on notifying people that they'll be away
> from their desk for more than 45 seconds, lest they be "left out of the
> loop"...
>
> > I Google'd this first and found a
> > program called "Vacation" which appears to be somewhat compatible
> > however I am not sure since I have neither installed nor used it as of
> > yet. I read the man page and it appears like a process getting up and
> > running so I thought I would ask here 1st if there is a more efficient
> > way in Postfix to get this up and running w/o having to install a
> > separate application / daemon to do what I am looking for.
>
> This isn't something you really "daemonise", postfix just delivers mail.
>
> You can use vacation and formail to do this if you use local delivery.
> We use procmail for local delivery, so something like this in the user's
> .procmailrc works for us. It's quite manual though, not usually
> something users do for themselves. Good for a one-off, but not ongoing.
>
> Delete any ~/.vacation.cache files before starting, and create a
> ~/.autoreply file for the user.
>
>
> SHELL=/bin/bash

Did you ever hear of "portability"? Do you know that not every system
is Linux?

> NAME="Yukari Yakumo"
> EMAIL="[EMAIL PROTECTED]"
>
> :0 Whc: .vacation.lock
> * !^FROM_DAEMON
> * !^X-Loop: infobot_reply
> | formail -rD 8192 .vacation.cache
>
> :0 ehc
> | (formail -rt -I"From: $NAME <$EMAIL>"\
> -A"Precedence: junk (autoreply)"\
> -A"X-Loop: infobot_reply" ; \
> cat $HOME/.autoreply\
>) | $SENDMAIL -t -f "$EMAIL"
>
>

This is borked: you reply to mailing lists, bulk, junk, etc. Stop
this now. Use the "old" vacation program instead of borked procmail
sorcerer recipes.


Re: breaking multiple recipients into multiple messages

2008-10-06 Thread David Koski
On Saturday 04 October 2008 05:52, Wietse Venema wrote:
> Victor Duchovni:
> > On Fri, Oct 03, 2008 at 09:09:56PM -0700, David Koski wrote:
> > > Our CommuniGate server batches mail going out to Yahoo and at times
> > > accumulates enough to exceed the limit of 5 messages per SMTP
> > > connection that Yahoo has and the connection is dropped.  I would like
> > > to know if relaying through Postfix can resolve this problem.
> >
> > You can disable connection caching, globally or for specific sites. Or
> > you can let the connection be dropped and make a new one. Nothing wrong
> > with a dropped connection from time to time... Postfix will try the next
> > MX host. Postfix does not have a numerical connection re-use limit.
> > Rather, the limit is a time-limit, because this exhibits (much) better
> > behaviour when delivering to a mixture of fast and slow servers.
>
> With Postfix 2.2 and later you could do:
>
> /etc/postfix/main.cf:
> smtp_connection_cache_destinations = !yahoo.com, static:all
>
> However, this is not needed. When Yahoo drops a connection, Postfix
> will just try the next MX host immediately.
>
>   Wietse

Now to figure out how to make CGP relay one domain.  But that is another list.

Thanks!
David


Re: My first config - unable to telnet to port 25, virtual.db missing

2008-10-06 Thread mouss
Paul Cocker wrote:
> I have a CentOS 5.2 machine running postfix 2.3.3 installed via yum and am
> setting up for the first time, having been a sendmail user previously.
>  
> I have been configuring it based around 'Postfix email firewall/gateway'
> setup in the postfix documentation as this machine will be acting as the
> primary mail server for outgoing mail and the second MX entry for
> incoming.
>  
> The server has hosts.deny set to ALL:ALL but smtp in hosts.allow is also
> set to ALL.
>   

hosts.* are irrelevant. postfix doesn't use tcpwrappers.


> [snip]
> relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
>   

As Brian said, list the relay users in relay_recipient_maps. Otherwise
use reject_unverified_recipient (with a check_recipient_access).

> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> I do /usr/sbin/postfix check, which results in no errors, followed by
> /usr/sbin/postfix start. I can see master running in my process list.
>  
> However, attempts to connect to port 25 on this machine from within the
> 100.243.0.0/22 network timeout with 'Connect failed' messages.
>  
> My maillog is filled with the following:
>  
> Oct  6 14:57:20 merlin postfix/postfix-script: starting the Postfix mail
> system
> Oct  6 14:57:20 merlin postfix/master[13470]: daemon started -- version
> 2.3.3, configuration /etc/postfix
> Oct  6 14:57:20 merlin postfix/qmgr[13472]: CDF481F80062:
> from=<[EMAIL PROTECTED]>, size=971, nrcpt=1 (queue active)
> ...
> Oct  6 14:57:21 merlin postfix/trivial-rewrite[13474]: fatal: open
> database /etc/postfix/virtual.db: No such file or directory
>   

you forgot to "compile" the virtual map:
# postmap hash:/etc/postfix/virtual

Please read:
http://www.postfix.org/DATABASE_README.html


> Oct  6 14:57:21 merlin postfix/cleanup[13473]: fatal: open database
> /etc/postfix/virtual.db: No such file or directory
> Oct  6 14:57:22 merlin postfix/master[13470]: warning: process
> /usr/libexec/postfix/cleanup pid 13473 exit status 1
> Oct  6 14:57:22 merlin postfix/master[13470]: warning:
> /usr/libexec/postfix/cleanup: bad command startup -- throttling
> Oct  6 14:57:22 merlin postfix/master[13470]: warning: process
> /usr/libexec/postfix/trivial-rewrite pid 13474 exit status 1
> Oct  6 14:57:22 merlin postfix/master[13470]: warning:
> /usr/libexec/postfix/trivial-rewrite: bad command startup -- throttling
> ...
>  
> Do I need to manually create virtual.db (and should I run a
> set-permissions from postconf if I do?), or is that incidental to the
> other errors? Are these errors the reason it won't accept connections on
> port 25, or is there an error in the config above?
>  
> Paul Cocker

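A check that would have caught the missing virtual.db before master threw "open database ...: No such file or directory", as an added example in Python (not Postfix code and not from any post in this thread). It does what Barney's Makefile suggestion and Brian's "postmap every hash/btree/cdb map you define" advice amount to: parse `postconf -n` output (continuation lines start with whitespace), find the hash:, btree: and cdb: tables, and report the ones whose compiled file is missing or older than its source. alias_* parameters are reported with postalias rather than postmap, since alias databases are built by the other tool. The sample postconf text and the temporary files are constructed so it runs offline; it prints the commands and does not run postmap itself.

```python
"""Report lookup tables in `postconf -n` output that still need postmap/postalias.

Added example; not Postfix code. The postconf text and files are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

COMPILED_SUFFIX = {"hash": ".db", "btree": ".db", "cdb": ".cdb"}   # per DATABASE_README
MAP_RE = re.compile(r"\b(hash|btree|cdb):(/\S+)")


def parse_postconf(text: str) -> Dict[str, str]:
    """Turn `postconf -n` output into name -> value, joining continuation lines."""
    params: Dict[str, str] = {}
    current = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current:        # continuation of the previous value
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def referenced_tables(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(tool, type, source path) for every compiled table, deduplicated, in order."""
    seen, out = set(), []
    for name, value in params.items():
        tool = "postalias" if name.startswith("alias_") else "postmap"
        for mtype, path in MAP_RE.findall(value):
            key = (tool, mtype, path)
            if key not in seen:
                seen.add(key)
                out.append(key)
    return out


def stale_tables(params: Dict[str, str]) -> List[str]:
    """Commands to run: compiled file missing, or older than its source file."""
    todo = []
    for tool, mtype, path in referenced_tables(params):
        compiled = path + COMPILED_SUFFIX[mtype]
        missing = not os.path.exists(compiled)
        outdated = (not missing and os.path.exists(path)
                    and os.path.getmtime(compiled) < os.path.getmtime(path))
        if missing or outdated:
            todo.append(f"{tool} {mtype}:{path}")
    return todo


def build_fixture(root: str) -> str:
    """Constructed config tree: aliases compiled, virtual never compiled, transport edited later."""
    def touch(name: str, mtime: float) -> None:
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("# constructed\n")
        os.utime(p, (mtime, mtime))
    touch("aliases", 1_000_000); touch("aliases.db", 1_000_100)
    touch("virtual", 1_000_000)                                     # no virtual.db
    touch("transport", 1_000_200); touch("transport.db", 1_000_100)  # source newer than .db
    return (
        f"alias_maps = hash:{root}/aliases\n"
        f"transport_maps = hash:{root}/transport\n"
        f"virtual_alias_maps = hash:{root}/virtual\n"
        f"    hash:{root}/virtual\n"                               # continuation, duplicate spec
    )


def demo() -> List[str]:
    with tempfile.TemporaryDirectory() as root:
        return stale_tables(parse_postconf(build_fixture(root)))


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```

Run against real output with `postconf -n | python3 thisscript.py`-style plumbing once `demo()` is swapped for `sys.stdin.read()`; the mtime comparison is what keeps a table that was edited after its last postmap from silently serving the old contents.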


Re: question about relay_recipient_maps

2008-10-06 Thread Nicolás Velásquez O.
Thanks, it was the reject_unverified_recipient. Now it is working...

2008/10/6 Brian Evans - Postfix List <[EMAIL PROTECTED]>:
> Nicolás Velásquez O. wrote:
>> Hello,
>>
>> We receive a high volume of mail for nonexistent mailboxes, so we
>> want to prevent Postfix's SMTP probes to the nearest MTA, we just want
>> to use localfile or LDAP queries. I've attached the postconf -n and
>> some tests I've done, any help is appreciated.
>>
>
> You are asking Postfix to do this. See below
>
> Also, please use example.(com|net|org) instead of "domain".
>> 2. When mailbox doesn't exist:
>> - checks File.
>> - checks LDAP.
>> - Asks via SMTP if the mailbox exists
>> - After a lag (1-2 seconds), returns "450 4.1.1
>> <[EMAIL PROTECTED]>: Recipient address rejected:
>> unverified address: Address verification in progress"
>> Telnet test output:
>> mailx5:~ # telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 mailx5.domain.org ESMTP Postfix
>> EHLO mailx5.domain.org
>> 250-mailx5.domain.org
>> 250-PIPELINING
>> 250-SIZE 525
>> 250-ETRN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> MAIL FROM: [EMAIL PROTECTED]
>> 250 2.1.0 Ok
>> RCPT TO: [EMAIL PROTECTED]
>> 450 4.1.1 <[EMAIL PROTECTED]>: Recipient
>> address rejected: unverified address: Address verification in progress
>>
>>
>
> What do the logs say on the mail5 machine? It should not delay on such a
> request since that is your setup.
>
>> Here is the output from postconf -n
>
> [...]
>> smtpd_recipient_restrictions = reject_unverified_recipient
>>     reject_non_fqdn_recipient
>>     reject_unauth_destination
>>     reject_unknown_recipient_domain
>>     reject_unlisted_recipient
>>     check_recipient_access pcre:/etc/postfix/recipients_checks.pcre
>>     check_policy_service unix:private/policy-spf
>>     reject_rbl_client zen.spamhaus.org
>>     reject_rbl_client dul.dnsbl.sorbs.net
>>     reject_rbl_client dnsbl.njabl.org
>>
>
> reject_unverified_recipient up front means "For everything not in a map,
> verify by SMTP".
> Since you have map files, why include a SMTP check anyway?
>
>
> You really should have reject_unauth_destination first (if you don't
> trust mynetworks).
> This is due to anyone who queries your server for open relay.  You will
> ask the entire internet for any address given up front, even if it's not.
>
>
> Brian
>
>



-- 
Nicolás Velásquez O.
Genève, Suisse
Mobile +41.797976460


Retry - temp fail ndr?

2008-10-06 Thread Charles Marcus
Hello,

I probably am using bad terminology, but...

I have set the delay_warning_time to 15m on my system (boss demanded
it), and now the boss wants more than just the one notification...

Is there any way to configure postfix to send more than just the
one/first 'problem' notification to the sender as configured by
delay_warning_time?

Thanks,

-- 

Best regards,

Charles


Re: Retry - temp fail ndr?

2008-10-06 Thread Wietse Venema
Charles Marcus:
> Hello,
> 
> I probably am using bad terminology, but...
> 
> I have set the delay_warning_time to 15m on my system (boss demanded
> it), and now the boss wants more than just the one notification...

This is not implemented.

However, Postfix 2.3+ can send a positive delivery status notification
on request. This is requested via the user agent.

Wietse

> Is there any way to configure postfix to send more than just the
> one/first 'problem' notification to the sender as configured by
> delay_warning_time?
> 
> Thanks,
> 
> -- 
> 
> Best regards,
> 
> Charles
> 
> 



Re: Retry - temp fail ndr?

2008-10-06 Thread Victor Duchovni
On Mon, Oct 06, 2008 at 11:57:01AM -0400, Charles Marcus wrote:

> Hello,
> 
> I probably am using bad terminology, but...
> 
> I have set the delay_warning_time to 15m on my system (boss demanded
> it), and now the boss wants more than just the one notification...

Postfix will not do that (serious issue with amplification attacks).
Best practice is a single notice after ~2 hours.

> Is there any way to configure postfix to send more than just the
> one/first 'problem' notification to the sender as configured by
> delay_warning_time?

No.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Retry - temp fail ndr?

2008-10-06 Thread Charles Marcus
On 10/6/2008 12:40 PM, Wietse Venema wrote:
>> I probably am using bad terminology, but...
>>
>> I have set the delay_warning_time to 15m on my system (boss demanded
>> it), and now the boss wants more than just the one notification...

> This is not implemented.

Bummer...

> However, Postfix 2.3+ can send a positive delivery status notification
> on request. This is requested via the user agent.

It looks like TBird doesn't support this, so I guess the answer is to
tell him no, and if whatever it is is important, and he gets the
warning, to follow the message up with a phone call (he should be doing
that anyway for anything mission critical, but getting some people to
understand that email is not a 100% reliable communication medium is
sometimes difficult).

Thanks for the response...

-- 

Best regards,

Charles


Re: Retry - temp fail ndr?

2008-10-06 Thread mouss
Charles Marcus a écrit :
> Hello,
>
> I probably am using bad terminology, but...
>
> I have set the delay_warning_time to 15m on my system (boss demanded
> it), and now the boss wants more than just the one notification...
>   

so you need bossfix :)

> Is there any way to configure postfix to send more than just the
> one/first 'problem' notification to the sender as configured by
> delay_warning_time?
>   

Boss could ask the recipient to confirm that he got the message.


Re: Retry - temp fail ndr?

2008-10-06 Thread Jason Pruim


On Oct 6, 2008, at 1:00 PM, mouss wrote:

> Charles Marcus a écrit :
>> Hello,
>>
>> I probably am using bad terminology, but...
>>
>> I have set the delay_warning_time to 15m on my system (boss demanded
>> it), and now the boss wants more than just the one notification...
>
> so you need bossfix :)


Nothing to add to the discussion but I'll gladly host the bossfix  
development on my server! I could sure benefit from that! :P



--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]






smtp only output

2008-10-06 Thread Martín Marqués
I'm looking to put a smtp server to deliver mails from a non-smtp
server (database, web server, etc.). I started looking at ssmtp and
masqmail, but neither convinced me.

So, as I'm using postfix in my mail servers, and I really like it, and
know how to use it, I thought I would give it a try.

The thing is, which would be the smallest possible configuration
to get postfix, with aliases enabled, just to output mail that comes
from cron, execution of sendmail from command line and the use of the
mail command (my thoughts start with which lines to comment out of
master.cf)?

-- 
Martín Marqués
select 'martin.marques' || '@' || 'gmail.com'
DBA, Programador, Administrador


Re: smtp only output

2008-10-06 Thread Brian Evans - Postfix List
Martín Marqués wrote:
> I'm looking to put a smtp server to deliver mails from a non-smtp
> server (database, web server, etc.). I started looking at ssmtp and
> masqmail, but neither convinced me.
>
> So, as I'm using postfix in my mail servers, and I really like it, and
> know how to use it, I thought I would give it a try.
>
> The thing is, which would be the smallest possible configuration
> to get postfix, with aliases enabled, just to output mail that comes
> from cron, execution of sendmail from command line and the use of the
> mail command (my thoughts start with which lines to comment out of
> master.cf)?
>
>   
You can comment out the smtp (using the smtpd daemon) line in master.cf
to have it not listen on port 25, but still allow outward sending.

Doing so limits you to use the submission port (587 for those that
support TCP submissions) or to use the pickup daemon to get all email
submitted via the sendmail command (mailx also sends via sendmail command).

Brian


Virtual domain uncertainty...

2008-10-06 Thread Charles Marcus
Hello,

I've been tasked with adding a few more domains for handling mail. This
server has been running flawlessly for about 5 years (and survived many
updates), but this will be my first implementation of virtual hosting,
so before I actually start changing config settings, I thought I'd ask
for clarification. I've read the virtual config docs, and I think I
understand most everything (hopefully I won't find out otherwise) except...

Currently, I simply have our one domain referenced in mydomain, and have
the hostname set accordingly (see postconf -n below), and am not using
virtual_mailbox_domains.

Does simply adding the additional domain example2.com in
virtual_mailbox_domains allow me to use the additional hostname
smtp.example2.com (in client configurations) for sending mail, assuming
example2.com is listed in virtual_mailbox_domains and have appropriate
DNS & MX records for the additional domain(s) pointed to the appropriate IP?

Tia...

**

myhost ~ # postconf -n
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_size_limit = 1
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 15m
home_mailbox = .maildir/
message_size_limit = 5120
mydomain = example.com
myhostname = smtp.example.com
mynetworks = 127.0.0.0/8
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_domains =
relayhost = [mail.example3.com]
smtp_fallback_relay = [smtp.example4.net]
smtpd_hard_error_limit = 3
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,  reject_unauth_destination,
check_client_access cidr:/etc/postfix/allowed_clients.cidr,
check_recipient_access hash:/etc/postfix/x-employees,
check_sender_access hash:/etc/postfix/blocked_senders
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/wildcard.crt
smtpd_tls_key_file = /etc/ssl/wildcard.key
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_vam.cf,
hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/virtual/mail
virtual_mailbox_limit = 5120
virtual_mailbox_maps = mysql:/etc/postfix/mysql_vmm.cf
virtual_minimum_uid = 207
virtual_uid_maps = static:207
myhost ~ #


Re: Virtual domain uncertainty...

2008-10-06 Thread mouss
Charles Marcus a écrit :
> Hello,
>
> I've been tasked with adding a few more domains for handling mail. This
> server has been running flawlessly for about 5 years (and survived many
> updates), but this will be my first implementation of virtual hosting,
> so before I actually start changing config settings, I thought I'd ask
> for clarification. I've read the virtual config docs, and I think I
> understand most everything (hopefully I won't find out otherwise) except...
>
> Currently, I simply have our one domain referenced in mydomain, and have
> the hostname set accordingly (see postconf -n below), and am not using
> virtual_mailbox_domains.
>   

currently, you have domains in mydestination even if you didn't specify
that. you can test with
$ postconf mydestination
mydestination = $myhostname, localhost.$mydomain, localhost

This means that the listed domains are "local" domains (they are
delivered to unix accounts).

> Does simply adding the additional domain example2.com in
> virtual_mailbox_domains allow me to use the additional hostname
> smtp.example2.com (in client configurations) for sending mail, assuming
> example2.com is listed in virtual_mailbox_domains and have appropriate
> DNS & MX records for the additional domain(s) pointed to the appropriate IP?
>
>   

receiving mail has nothing to do with sending mail. Repeat this seven
times, get a drink, then repeat again. until you feel convinced. if you
feel your brain is playing games with this, start again. if it's too
hard, repeat once and drink seven times.

when you send mail, the hostname is used as the HELO (EHLO) argument.
This identifies the _server_ that sends mail. It has nothing to do with
the domains you host.


if you want to serve "virtual" domains, add them to
virtual_mailbox_domains, and specify the users mailboxes in
virtual_mailbox_maps. you can set the virtual transport to dovecot
(which is what you use if my two neurons are still working), in which
case the result in virtual_mailbox_maps doesn't matter, but you'll have
to configure dovecot to know that.

Note that virtual mailbox domains have nothing to do with virtual alias
domains (the latter are "aliases", so their users must be mapped to
users in other domains). and while I am in, virtual alias maps is yet
another concept. it applies to all mail. In short: "virtual" has
different meanings.




outgoing SPAM

2008-10-06 Thread Robert Lopez
In the past months there have been instances where phishing was used to get
account credentials and use the victim's account to send massive quantities
of SPAM.

Is there a way to configure postfix to detect such an event and/or to stop
such an event from reoccurring?
Is there a way to limit the number of email a person can send in a short
period of time?
Is there a way to block sending an email if a maximum number of recipients
is exceeded?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: outgoing SPAM

2008-10-06 Thread Aaron Wolfe
On Mon, Oct 6, 2008 at 2:33 PM, Robert Lopez <[EMAIL PROTECTED]> wrote:
> In the past months there have been instances where phishing was used to get
> account credentials and use the victim's account to send massive quantities
> of SPAM.
>
> Is there a way to configure postfix to detect such an event and/or to stop
> such an event from reoccurring?
> Is there a way to limit the number of email a person can send in a short
> period of time?
> Is there a way to block sending an email if a maximum number of recipients
> is exceeded?

You can do some limits with policy filters.  One to limit the number
of mails sent over time is:

http://www.opennix.com/postfixresources/policy/ratelimit

You could easily modify this to limit based on other criteria, some
hints are in the docs.  I have also read that policyd can do this but
haven't used it myself.

-Aaron


>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>


Re: outgoing SPAM

2008-10-06 Thread mouss
Robert Lopez a écrit :
> In the past months there have been instances where phishing was used
> to get account credentials and use the victim's account to send
> massive quantities of SPAM.
>
> Is there a way to configure postfix to detect such an event and/or to
> stop such an event from reoccurring?
> Is there a way to limit the number of email a person can send in a
> short period of time?
> Is there a way to block sending an email if a maximum number of
> recipients is exceeded?


use policyd to rate limit senders.

you can also use a log parser to detect "anomalies" and add rules based
on that.

you can also filter outbound mail and "hold" if mail looks too spammy.


Re: smtp only output

2008-10-06 Thread mouss
Martín Marqués a écrit :
> I'm looking to put a smtp server to deliver mails from a non-smtp
> server (database, web server, etc.). I started looking at ssmtp and
> masqmail, but neither convinced me.
>
> So, as I'm using postfix in my mail servers, and I really like it, and
> know how to use it, I thought I would give it a try.
>
> The thing is, which would be the smallest possible configuration
> to get postfix, with aliases enabled, just to output mail that comes
> from cron, execution of sendmail from command line and the use of the
> mail command (my thoughts start with which lines to comment out of
> master.cf)?
>
>   

Why comment out anything? just configure it to not accept mail from
other machines:

mynetworks = 127.0.0.1
smtpd_client_restrictions = permit_mynetworks, reject

This way, web apps can use either sendmail or smtp.


Fwd: outgoing SPAM

2008-10-06 Thread Robert Lopez
Thank you Aaron.

My supervisor asked me to find a configuration change to postfix. He wants
to avoid adding any new agents/programs. It seems the person I replaced had
some bad times when trying to add other programs to the mail gateway
functionality.

-- Forwarded message --
From: Aaron Wolfe <[EMAIL PROTECTED]>
Date: Mon, Oct 6, 2008 at 12:55 PM
Subject: Re: outgoing SPAM
To: postfix-users@postfix.org


On Mon, Oct 6, 2008 at 2:33 PM, Robert Lopez <[EMAIL PROTECTED]> wrote:
> In the past months there have been instances where phishing was used to
> get account credentials and use the victim's account to send massive
> quantities of SPAM.
>
> Is there a way to configure postfix to detect such an event and/or to stop
> such an event from reoccurring?
> Is there a way to limit the number of email a person can send in a short
> period of time?
> Is there a way to block sending an email if a maximum number of
> recipients is exceeded?

You can do some limits with policy filters.  One to limit the number
of mails sent over time is:

http://www.opennix.com/postfixresources/policy/ratelimit

You could easily modify this to limit based on other criteria, some
hints are in the docs.  I have also read that policyd can do this but
haven't used it myself.

-Aaron


>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>



-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: outgoing SPAM

2008-10-06 Thread Aaron Wolfe
On Mon, Oct 6, 2008 at 3:45 PM, Robert Lopez <[EMAIL PROTECTED]> wrote:
> Thank you Aaron.
>
> My supervisor asked me to find a configuration change to postfix. He wants
> to avoid adding any new agents/programs. It seems the person I replaced had
> some bad times when trying to add other programs to the mail gateway
> functionality.
>

I think you might be out of luck then, postfix does not do everything
you ask natively AFAIK.
You can limit the number of recipients per message with
smtpd_recipient_limit, at least.
One out of three ain't (that) bad.. ?



> -- Forwarded message --
> From: Aaron Wolfe <[EMAIL PROTECTED]>
> Date: Mon, Oct 6, 2008 at 12:55 PM
> Subject: Re: outgoing SPAM
> To: postfix-users@postfix.org
>
>
> On Mon, Oct 6, 2008 at 2:33 PM, Robert Lopez <[EMAIL PROTECTED]> wrote:
>> In the past months there have been instances where phishing was used to
>> get account credentials and use the victim's account to send massive
>> quantities of SPAM.
>>
>> Is there a way to configure postfix to detect such an event and/or to stop
>> such an event from reoccurring?
>> Is there a way to limit the number of email a person can send in a short
>> period of time?
>> Is there a way to block sending an email if a maximum number of
>> recipients is exceeded?
>
> You can do some limits with policy filters.  One to limit the number
> of mails sent over time is:
>
> http://www.opennix.com/postfixresources/policy/ratelimit
>
> You could easily modify this to limit based on other criteria, some
> hints are in the docs.  I have also read that policyd can do this but
> haven't used it myself.
>
> -Aaron
>
>
>>
>> --
>> Robert Lopez
>> Unix Systems Administrator
>> Central New Mexico Community College (CNM)
>> 525 Buena Vista SE
>> Albuquerque, New Mexico 87106
>>
>
>
>
> --
> Robert Lopez
> Unix Systems Administrator
> Central New Mexico Community College (CNM)
> 525 Buena Vista SE
> Albuquerque, New Mexico 87106
>


Re: Virtual domain uncertainty...

2008-10-06 Thread Charles Marcus
On 10/6/2008 2:29 PM, mouss wrote:
>> Currently, I simply have our one domain referenced in mydomain, and
>> have the hostname set accordingly (see postconf -n below), and am
>> not using virtual_mailbox_domains.

> currently, you have domains in mydestination even if you didn't specify
> that. you can test with
> $ postconf mydestination
> mydestination = $myhostname, localhost.$mydomain, localhost

Ok, but only one (virtual) domain I'm concerned with

> This means that the listed domains are "local" domains (they are
> delivered to unix accounts).

And the only real accounts I care about are aliased to my virtual admin
account...

>> Does simply adding the additional domain example2.com in 
>> virtual_mailbox_domains allow me to use the additional hostname 
>> smtp.example2.com (in client configurations) for sending mail,
>> assuming example2.com is listed in virtual_mailbox_domains and have
>> appropriate DNS & MX records for the additional domain(s) pointed
>> to the appropriate IP?

> receiving mail has nothing to do with sending mail.

I know... that's why I was asking about how virtual hosting works with
respect to SENDING mail via CLIENTS (MUAs).

I'm going to be writing up instructions for users who will be using
these new domains how to set up their mail clients (Thunderbird mainly,
but I also include instructions for the Microsoft clients)... so I
wanted to confirm that I can use the hosts 'smtp.example1.com' and
'smtp.example2.com' for their SMTP (outbound) server setting in their
clients.

> when you send mail, the hostname is used as the HELO (EHLO) argument.

I'm not talking about HELO commands issued between MTAs... I'm talking
about hostnames used by MUAs for SENDING mail...

> This identifies the _server_ that sends mail. It has nothing to do with
> the domains you host.

Well... it does, if I want users getting mail at example1.com to be able
to reference smtp.example1.com in their client settings.

It will be awkward to tell a user to put smtp.fred.com for their
outbound server setting, if their email address is [EMAIL PROTECTED], don't
you think?

> you can set the virtual transport to dovecot (which is what you use
> if my my two neurons are still working),

Not for this client... still trying to get them to let me switch them to
dovecot.

-- 

Best regards,

Charles


Re: Fwd: outgoing SPAM

2008-10-06 Thread Noel Jones

Robert Lopez wrote:
> Thank you Aaron.
>
> My supervisor asked me to find a configuration change to postfix. He
> wants to avoid adding any new agents/programs. It seems the person I
> replaced had some bad times when trying to add other programs to the
> mail gateway functionality.


Postfix does have rate limiting built in, but it's a rather 
blunt tool, specifically intended to keep your server from 
melting when a runaway client tries to make thousands of 
connections.  When the limit is exceeded, mail will be 
temp-failed, not rejected.  Please see:

http://www.postfix.org/TUNING_README.html#conn_limit
http://www.postfix.org/anvil.8.html

The anvil settings are not intended to enforce user quotas or
traffic shaping.


Delegating access decisions to an add-on program such as 
policyd gives you much, much greater flexibility, but does add 
a level of complexity.


Just because the last guy screwed up is not a good reason to 
ignore solutions tailor-made for your stated problem.




--
Noel Jones
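A minimal policy daemon of the kind Aaron's ratelimit link and Noel's policyd remark point at, added here as an example for this thread; it is not code from either project or from Postfix, and the listening port, the per-user limit and the sample request are constructed assumptions:

```python
"""Per-user sending rate limit as a Postfix SMTPD policy server.

Constructed example for this thread; not the opennix ratelimit script,
policyd, or Postfix code.  Postfix consults the daemon once per RCPT TO, so
what is counted is recipients accepted per SASL login in a sliding window.
Suggested main.cf placement (port 10040 is an assumption), with the check
ahead of permit_sasl_authenticated so authenticated submissions reach it:

    smtpd_recipient_restrictions = permit_mynetworks,
        check_policy_service inet:127.0.0.1:10040,
        permit_sasl_authenticated, reject_unauth_destination
"""
import socketserver
import threading
import time
from collections import defaultdict, deque

MAX_RECIPIENTS = 200    # per user per window; tune to real traffic
WINDOW_SECONDS = 3600


class RateLimiter:
    """Sliding-window counter keyed by SASL username (in memory only)."""

    def __init__(self, max_events=MAX_RECIPIENTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_events = max_events
        self.window = window
        self.clock = clock              # injectable for deterministic tests
        self.events = defaultdict(deque)
        self.lock = threading.Lock()    # one limiter shared by all threads

    def allow(self, user):
        """Record one event for user; False once the window is full."""
        now = self.clock()
        with self.lock:
            q = self.events[user]
            while q and now - q[0] >= self.window:   # expire old events
                q.popleft()
            if len(q) >= self.max_events:
                return False
            q.append(now)
            return True


def parse_request(raw):
    """Parse one policy request: 'name=value' lines up to an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break                       # empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, limiter):
    """Map one request to a Postfix action (DUNNO = let other rules decide)."""
    user = attrs.get("sasl_username", "")
    if not user or attrs.get("protocol_state") != "RCPT":
        return "DUNNO"                  # unauthenticated or wrong stage
    if limiter.allow(user):
        return "DUNNO"
    # DEFER_IF_PERMIT tempfails the recipient so the client retries later,
    # instead of bouncing mail outright.
    return ("DEFER_IF_PERMIT 4.7.1 Sending rate limit exceeded for %s, "
            "try again later" % user)


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix keeps a connection open and sends many requests over it."""

    def handle(self):
        buf = []
        while True:
            line = self.rfile.readline()
            if not line:                                 # Postfix closed
                return
            line = line.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                buf.append(line)
                continue
            action = decide(parse_request("\n".join(buf) + "\n"), self.server.limiter)
            buf = []
            self.wfile.write(("action=%s\n\n" % action).encode("utf-8"))
            self.wfile.flush()


# Constructed request, shaped like what Postfix sends at the RCPT stage.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "protocol_name=ESMTP\nclient_address=192.0.2.10\n"
                  "sasl_method=PLAIN\nsasl_username=alice\n"
                  "sender=alice@example.com\nrecipient=bob@example.net\n\n")

if __name__ == "__main__":
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler)
    server.limiter = RateLimiter()  # shared by every handler thread
    server.serve_forever()
```

Because the counter lives in memory, the limit resets when the daemon restarts; a shared store would be needed if several Postfix hosts must see one quota.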


Re: Virtual domain uncertainty...

2008-10-06 Thread Brian Evans - Postfix List
Charles Marcus wrote:
> On 10/6/2008 2:29 PM, mouss wrote:
>   
>>> Does simply adding the additional domain example2.com in 
>>> virtual_mailbox_domains allow me to use the additional hostname 
>>> smtp.example2.com (in client configurations) for sending mail,
>>> assuming example2.com is listed in virtual_mailbox_domains and have
>>> appropriate DNS & MX records for the additional domain(s) pointed
>>> to the appropriate IP?
>>>   
>
>   
>> receiving mail has nothing to do with sending mail.
>> 
>
> I know... thats why I was asking about how virtual hosting works with
> respect to SENDING mail via CLIENTS (MUAs).
>
> I'm going to be writing up instructions for users who will be using
> these new domains how to set up their mail clients (Thunderbird mainly,
> but I also include instructions for the Microsoft clients)... so I
> wanted to confirm that I can use the hosts 'smtp.example1.com' and
> 'smtp.example2.com' for their SMTP (outbound) server setting in their
> clients.
>
>   

This depends if you permit_mynetworks and permit_sasl_authenticated
before any reject actions.
I could put [EMAIL PROTECTED] even if I only control example.com as
the envelope sender in my MUA.  Provided I'm within the permits, Postfix
will not care.

>> when you send mail, the hostname is used as the HELO (EHLO) argument.
>> 
>
> I'm not talking about HELO commands issued between MTAs... I'm talking
> about hostnames used by MUAs for SENDING mail...
>   

MUAs typically use the hostname they are given.  A good majority of Win
clients, for example, use a single name as their HELO and not an FQDN.
Do you care? Only if you configure Postfix to reject_non_fqdn_hostname
somewhere.

>   
>> This identifies the _server_ that sends mail. It has nothing to do with
>> the domains you host.
>> 
>
> Well... it does, if I want users getting mail at example1.com to be able
> to reference smtp.example1.com in their client settings.
>
> It will be awkward to tell a user to put smtp.fred.com for their
> outbound server setting, if their email address is [EMAIL PROTECTED], don't
> you think?
>
>   

Think hosted domain.  Server can only have one name, but serves several. 
MXs that check only care if the sending domain matches in DNS as being
responsible, preferably an A or MX record.

Will bogus mails get rejected at the source? Maybe, though some
postmasters care not, some actually do check.

Brian



Re: Virtual domain uncertainty...

2008-10-06 Thread Jorey Bump
Charles Marcus wrote, at 10/06/2008 04:27 PM:

> I'm going to be writing up instructions for users who will be using
> these new domains how to set up their mail clients (Thunderbird mainly,
> but I also include instructions for the Microsoft clients)... so I
> wanted to confirm that I can use the hosts 'smtp.example1.com' and
> 'smtp.example2.com' for their SMTP (outbound) server setting in their
> clients.
[snip]
> Well... it does, if I want users getting mail at example1.com to be able
> to reference smtp.example1.com in their client settings.
> 
> It will be awkward to tell a user to put smtp.fred.com for their
> outbound server setting, if their email address is [EMAIL PROTECTED], don't
> you think?

If the name resolves, they'll connect to your server. However, if you're
going to offer STARTTLS, you have a problem. How are you going to
support all of these different domains in a single certificate?
Currently, you can't, so you'll need to pick a name (mail.example.com)
for your SMTP/IMAP/POP3 server and stick with it. Otherwise, you'll need
to use a more complicated approach, such as multiple instances each with
their own certificate.

Users can't infer the server settings from an email address, so you'll
have to explicitly provide it, anyway. The problems caused by the wrong
certificate are likely to create more support calls.




Re: Virtual domain uncertainty...

2008-10-06 Thread Charles Marcus
On 10/6/2008, Brian Evans - Postfix List ([EMAIL PROTECTED]) wrote:
>> I'm going to be writing up instructions for users who will be using
>> these new domains how to set up their mail clients (Thunderbird mainly,
>> but I also include instructions for the Microsoft clients)... so I
>> wanted to confirm that I can use the hosts 'smtp.example1.com' and
>> 'smtp.example2.com' for their SMTP (outbound) server setting in their
>> clients.

> This depends if you permit_mynetworks and permit_sasl_authenticated
> before any reject actions.

According to the postconf -n output I included, yes I do...

>> It will be awkward to tell a user to put smtp.fred.com for their
>> outbound server setting, if their email address is [EMAIL PROTECTED], don't
>> you think?

> Think hosted domain.  Server can only have one name, but serves several. 
> MXs that check only care if the sending domain matches in DNS as being
> responsible, preferably an A or MX record.
> 
> Will bogus mails get rejected at the source? Maybe, though some
> postmasters care not, some actually do check.

I was just wanting some clarification - I know the answer has to be yes
(look at how many shared hosting solutions are out there) - so why is it
not possible to just get a yes or no answer?

Can I set up DNS (and MX records) for several different domains to point
to the same postfix instance/host/IP address and reference that same
postfix instance/host/IP by different DNS host names (smtp.example1.com,
smtp.example2.com, etc), and have everything just work?

I'm guessing, 'Of COURSE, dummy!' is the right answer?

I guess the question is just too simplistic and basic, so my apologies...

-- 

Best regards,

Charles


query re setup

2008-10-06 Thread Lists

Hi,

I have got dovecot setup as the postfix smtp authentication now YAY - 
man, it's cool!

Just wanted to check if my setup was good practice.

I have it authenticating against a mysql database(MailEnable mysql db) 
with passwords stored as plain text.

Is this ok?

The passwd-file is to allow for backward compatibility with single 
username and password that some of our clients will still be using.


In my dovecot.conf I have:
auth default {
  mechanisms = plain login
  passdb sql {
    args = /etc/dovecot-sql.conf
  }
  userdb passwd {
  }
  passdb passwd-file {
    args = /etc/passwd.dovecot
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

cheers
Kate



Re: Virtual domain uncertainty...

2008-10-06 Thread Noel Jones

Charles Marcus wrote:
> Can I set up DNS (and MX records) for several different domains to point
> to the same postfix instance/host/IP address and reference that same
> postfix instance/host/IP by different DNS host names (smtp.example1.com,
> smtp.example2.com, etc), and have everything just work?


Usually one will just set up extra MX records to host virtual 
domains, and tell your clients to use the "primary" domain 
name (rather than their own virtual name) in their mail client 
to submit mail.


While you can create multiple DNS A records pointing to the 
same host IP, that will screw up TLS verification and raise 
the false expectation that only the hosted virtual domain name 
will be visible.


It's likely to be more confusing if the client sees 
"unexpected" domain names in the headers of mail he sends and 
receives.  Postfix (or any mail server) will continue to use 
its primary domain as the HELO greeting and recorded in 
Received: headers.


If you want to "customize" the email such that each domain 
only sees their own virtual name in mail, you will need a 
separate IP for each domain, along with either multiple 
postfix instances or complicated master.cf gyrations.



> I guess the question is just too simplistic and basic, so my apologies...

SMTP hosting is quite different from HTTP hosting.  In SMTP 
the server announces its hostname before the recipient is 
known, so the hostname cannot be hidden and cannot be based on 
recipient information.


Stupid illustration:

(http client knocks on the door):
   Who are you looking for?
(is this Mike's web server?):
   Yes, it is.  Here is his page...

So the http client only sees Mike's name above, because the 
client told us the answer he expected.


(smtp client knocks on the door):
   Welcome to Bob's mail server.  Got some mail?
(do you accept mail for Mike?):
   Yes, please send it...

And here the smtp client will always see Bob's name, no matter 
who he's trying to contact.


--
Noel Jones


Re: Virtual domain uncertainty...

2008-10-06 Thread Charles Marcus
On 10/6/2008, Jorey Bump ([EMAIL PROTECTED]) wrote:
> If the name resolves, they'll connect to your server. However, if you're
> going to offer STARTTLS, you have a problem. How are you going to
> support all of these different domains in a single certificate?
> Currently, you can't, so you'll need to pick a name (mail.example.com)
> for your SMTP/IMAP/POP3 server and stick with it. Otherwise, you'll need
> to use a more complicated approach, such as multiple instances each with
> their own certificate.
> 
> Users can't infer the server settings from an email address, so you'll
> have to explicitly provide it, anyway. The problems caused by the wrong
> certificate are likely to create more support calls.

Ok, thanks, that was my next speed bump.

I use self-signed certs, and since my instructions already explain in
detail about the 'warning' (man, I really hate how Firefox 3 reacts to
self-signed certs now), I was hoping that it wouldn't matter that the
domain name didn't match, that TBird would react the same way (warning
me, but letting me accept the cert anyway).

If it won't, you're right, I'll have to just make do with a single
server name (no problem really, but I'd prefer to use domain specific
ones if possible)... so let's go see...

Cool, it works... :) guess there's no better answer available that just
trying it out won't give...

Now all that's left is to try it from outside the network, and I have to
wait for the MX records to get set up (using outsourced anti-spam
provider for incoming mail)...

-- 

Best regards,

Charles


Re: Virtual domain uncertainty...

2008-10-06 Thread Wietse Venema
Charles Marcus:
> Can I set up DNS (and MX records) for several different domains to point
> to the same postfix instance/host/IP address and reference that same
> postfix instance/host/IP by different DNS host names (smtp.example1.com,
> smtp.example2.com, etc), and have everything just work?

Not unless you also list smtp.example1.com in $mydestination,
otherwise mail will loop.

You could also keep it simple and list the real hostname in the MX
records.

Wietse


forwarding for unknown accounts.

2008-10-06 Thread Marcelo Iturbe
Hello,
I am currently hosting the mail for the domain santiago.cl at google Apps.
Google Apps has a very limited mailing list system so I want to install a
local linux+postfix+mailman server for mailing list administration.

I can create the sub-domain lists.santiago.cl and point the MX records to
this linux server and have all the lists with @lists.santiago.cl and
everything would be OK.

BUT, I would like to avoid using @lists.santiago.cl and just use
@santiago.cl as the domain.

All members of these lists belong to this domain santiago.cl; there are no
external emails.

In order to do this, I have come up with the following plan:
1 - configure postfix to accept email for domains: santiago.cl and
lists.santiago.cl
2 - configure lists on mailman to work with both domains
3 - create accounts on google apps for each list I want to create and route
all emails to these accounts to [EMAIL PROTECTED] without changing
the SMTP envelope.
this would allow me to send an email to [EMAIL PROTECTED] and it would
arrive at the postfix server, the postfix server would accept this email and
deliver it to mailman.

The problem is that if mailman tries to deliver the email to the list
members, the delivery will fail because the account does not exist locally
on the linux server.

In the mailing list I have read-up on modifying the transport file
"add this line to /etc/postfix/transport
user2 at example.com smtp:[your.isp.smarthost]"

But the problem is that I have 8000+ accounts, and more get added dynamically
every day, so maintaining this file is not really an option.

Any other options?

Thanks


Fighting SPAM

2008-10-06 Thread Marky Yehezkiel (SNC)

Hi,

I was just wondering whether there is any way in postfix to check whether
port 25 of the sender is open or not.

Commonly I get spam where the sender IP address is not open on port 25,
such as:


Oct  6 20:47:06 smtp2 postfix/smtpd[58410]: 8F625267977:
client=unknown[190.26.129.204]

Oct  6 20:47:09 smtp2 postfix/cleanup[58769]: 8F625267977:
message-id=<[EMAIL PROTECTED]>

Oct  6 20:47:09 smtp2 postfix/qmgr[941]: 8F625267977:
from=<[EMAIL PROTECTED]>, size=2732, nrcpt=1 (queue active)


Oct  7 02:23:07 smtp2 postfix/smtpd[62042]: 448C1267935:
client=mail1005.centrum.cz[90.183.38.135]

Oct  7 02:23:08 smtp2 postfix/cleanup[62044]: 448C1267935:
message-id=<[EMAIL PROTECTED]>

Oct  7 02:23:08 smtp2 postfix/qmgr[60036]: 448C1267935:
from=<[EMAIL PROTECTED]>, size=1352, nrcpt=1 (queue active)


I want to make a policy: if source IP 190.26.129.204 and 90.183.38.135
port 25 is not open, then postfix will reject the email.

Can anyone help me set this up on postfix, please?

Because the domain is valid, and the sender address is also valid, I just want
to make a policy to fight this spam. Thank you all


Re: Fighting SPAM

2008-10-06 Thread Sahil Tandon
Marky Yehezkiel (SNC) <[EMAIL PROTECTED]> wrote:

> I was just wondering whether there is any way in postfix to check whether
> port 25 of the sender is open or not.
> 
> Commonly I get spam where the sender IP address is not open on port 25,
> such as:

[...]

> I want to make a policy: if source IP 190.26.129.204 and 90.183.38.135
> port 25 is not open, then postfix will reject the email.
> 
> Can anyone help me set this up on postfix, please?

This is not a good idea.  A user on this site received email from
[EMAIL PROTECTED] today; the connecting server was
ug-out-1314.google.com, to which you cannot connect on port 25.

-- 
Sahil Tandon <[EMAIL PROTECTED]>


Re: Fighting SPAM

2008-10-06 Thread Victor Duchovni
On Tue, Oct 07, 2008 at 10:17:41AM +0800, Marky Yehezkiel (SNC) wrote:

> Oct  6 20:47:06 smtp2 postfix/smtpd[58410]: 8F625267977:
> client=unknown[190.26.129.204]
> 
> I want to make a policy: if source IP 190.26.129.204 and 90.183.38.135
> port 25 is not open, then postfix will reject the email.

You won't get any mail from most large sender domains with such a policy. High
volume senders (including the one I am sending from) use separate
hosts for inbound and outbound mail, and the outbound hosts don't have
public port 25 listeners. This approach is not viable. Consider using
zen.spamhaus.org instead (to block most illegitimate email emitting
systems), and sign up for a paid rsync feed if your inbound volume is
high enough. Consider adding greylisting, and content scoring systems
such as SpamAssassin (perhaps via amavisd-new). A combination of systematic
measures will work better than ad-hoc heuristics.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
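A main.cf fragment for the layered set-up Victor recommends (DNSBL first, then greylisting via a policy service, then content scoring after acceptance), added here as an example and not taken from the thread. The policy-service and content-filter addresses are assumptions for a postgrey (127.0.0.1:10023) and amavisd-new (127.0.0.1:10024) install on the same host; the smtp-amavis transport name is the conventional one from the amavisd-new documentation.

```text
# /etc/postfix/main.cf  (added example; ports and transport name are assumptions)
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023,
    permit

# Hand accepted mail to amavisd-new (SpamAssassin scoring) for content filtering.
content_filter = smtp-amavis:[127.0.0.1]:10024
```

reject_unauth_destination sits before the DNSBL and the policy service so that relay attempts are refused without a DNS lookup or a greylist database entry. The smtp-amavis transport and the 127.0.0.1:10025 re-injection listener belong in master.cf as described in the amavisd-new README; run `postfix reload` after editing, and watch the mail log for the DNSBL and policy-service rejections to confirm each layer is actually firing.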


Re: Fighting SPAM

2008-10-06 Thread Jorey Bump
Marky Yehezkiel (SNC) wrote, at 10/06/2008 10:17 PM:

> I was just wondering whether there is any way in postfix to check whether
> port 25 of the sender is open or not.

Why do you assume that a legitimate relay must also accept connections
on port 25? There's no requirement that an MX must also be the source of
outgoing mail for a domain. The method you propose would reject mail
from many large ESPs (such as Gmail) or a number of mailing list services.



Re: forwarding for unknown accounts.

2008-10-06 Thread Magnus Bäck
On Tuesday, October 07, 2008 at 03:57 CEST,
 Marcelo Iturbe <[EMAIL PROTECTED]> wrote:

> I am currently hosting the mail for the domain santiago.cl at google
> Apps. Google Apps has a very limited mailing list system so I want to
> install a local linux+postfix+mailman server for mailing list
> administration.
> 
> I can create the sub-domain lists.santiago.cl and point the MX records
> to this linux server and have all the lists with @lists.santiago.cl
> and everything would be OK.
> 
> BUT, I would like to avoid using @lists.santiago.cl and just use @
> santiago.cl as the domain.

[...]

> In the mailing list I have read-up on modifying the transport file
> "add this line to /etc/postfix/transport
> user2 at example.com smtp:[your.isp.smarthost]"
>
> But the problem is that I have 8000+ accounts, and more get added
> dynamically every day, so maintaining this file is not really an
> option.

Seriously, why not? Surely you must have a data source from which you can
pull out the usernames? Nobody is suggesting that you maintain that
file by hand.

-- 
Magnus Bäck
[EMAIL PROTECTED]
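An added illustration of Magnus's point, not code from the thread or from any of the posters: a small Python generator that turns an account export from whatever system holds the 8000+ users into the transport(5) entries quoted above, skipping the mailing-list addresses that mailman delivers locally, then rebuilds the table with postmap. The domain and the smtp:[your.isp.smarthost] placeholder are the ones from the thread; the export format (one address per line, '#' comments allowed), the file paths and the cron-driven workflow are assumptions.

```python
"""Build /etc/postfix/transport from an account export (added example)."""
import re
import subprocess
from pathlib import Path
from typing import Iterable, List, Set

DOMAIN = "santiago.cl"                       # domain from the thread
SMARTHOST = "smtp:[your.isp.smarthost]"      # placeholder quoted in the thread; use the real relay
# Conservative local-part syntax. Anything else (spaces, tabs, quotes, '#') is
# refused rather than written, because stray whitespace inside a key would turn
# the rest of the row into a different key/value pair in the lookup table.
LOCALPART = re.compile(r"^[a-z0-9][a-z0-9._+-]*$")


def transport_lines(accounts: Iterable[str], lists: Set[str],
                    domain: str = DOMAIN, smarthost: str = SMARTHOST) -> List[str]:
    """One 'user@domain <smarthost>' entry per mailbox that lives elsewhere.
    Mailing-list addresses get no entry, so they fall through to the domain's
    normal local delivery (the mailman aliases)."""
    out: List[str] = []
    seen: Set[str] = set()
    for raw in accounts:
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):
            continue                                 # blank line or comment in the export
        local, at, dom = addr.rpartition("@")
        if at != "@" or dom != domain or not LOCALPART.match(local):
            raise ValueError(f"refusing suspicious export row: {raw!r}")
        if local in lists or addr in seen:
            continue                                 # list address, or duplicate row
        seen.add(addr)
        out.append(f"{addr}\t{smarthost}")
    return sorted(out)


def write_transport(lines: List[str], path: str = "/etc/postfix/transport",
                    run_postmap: bool = True) -> Path:
    """Write the map atomically and rebuild transport.db with postmap(1).
    Long-running Postfix daemons notice the changed table and restart
    themselves, so no 'postfix reload' is needed for the new entries."""
    target = Path(path)
    tmp = target.with_name(target.name + ".tmp")
    tmp.write_text("\n".join(lines) + "\n")
    tmp.replace(target)                              # rename is atomic on POSIX
    if run_postmap:
        subprocess.run(["postmap", str(target)], check=True)
    return target


if __name__ == "__main__":
    # Constructed export as it might come out of the account system.
    export = ["alice@santiago.cl", "Bob@santiago.cl", "staff@santiago.cl",
              "alice@santiago.cl", "# exported 2008-10-07"]
    for line in transport_lines(export, lists={"staff"}):
        print(line)
```

Run it from cron after each export (or from the same job that provisions accounts). Two caveats: if santiago.cl is listed in mydestination, the same user list must also feed local_recipient_maps (or the domain should be a relay domain with relay_recipient_maps instead), otherwise smtpd rejects those users as unknown before the transport map is ever consulted; and the ValueError is deliberate, since a malformed row should stop the job rather than silently produce a table with a wrong or missing entry.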