SuSE repository - old postfix ?

[Alexander Grüner]

Hello,

I am installing a new server with SuSE Linux Enterprise SP2 and want to 
use the SuSE mail repository.


http://download.opensuse.org/repositories/server:/mail/SLE_10/x86_64/?C=M;O=D

They offer a postfix24-2.4.5-1.1.x86_64.rpm which seems to be quite old 
from August 2007 and even unsecure (?).


http://download.opensuse.org/repositories/server:/mail/SLE_10/repodata/repoview/postfix24-0-2.4.5-1.1.html

Is there a better rpm source available ? (Yes, I might compile it by 
myself...) Or is this the right release for a productive environment ?


Sorry if this is slightly OT, but I have not found an answer, yet.

Regards,
Alexander

RE: SuSE repository - old postfix ?

[MacShane, Tracy]

 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Grüner
> Sent: Monday, 8 December 2008 7:16 PM
> To: postfix-users@postfix.org
> Subject: SuSE repository - old postfix ?
> 
> Hello,
> 
> I am installing a new server with SuSE Linux Enterprise SP2 
> and want to use the SuSE mail repository.
> 
> http://download.opensuse.org/repositories/server:/mail/SLE_10/
> x86_64/?C=M;O=D
> 
> They offer a postfix24-2.4.5-1.1.x86_64.rpm which seems to be 
> quite old from August 2007 and even unsecure (?).
> 
> http://download.opensuse.org/repositories/server:/mail/SLE_10/
> repodata/repoview/postfix24-0-2.4.5-1.1.html
> 
> Is there a better rpm source available ? (Yes, I might compile it by
> myself...) Or is this the right release for a productive environment ?
> 
> Sorry if this is slightly OT, but I have not found an answer, yet.
> 
> Regards,
> Alexander
> 
> 
> 

Open SUSE includes more recent posfix rpms (but in the "factory" not the 
repos): 
http://download.opensuse.org/factory/repo/oss/suse/x86_64/postfix-2.5.5-6.6.x86_64.rpm
http://download.opensuse.org/factory/repo/oss/suse/i586/postfix-2.5.5-6.5.i586.rpm

Obviously, there may be dependencies you need to meet. There are also SRC rpms 
available.

RE: SuSE repository - old postfix ?

[Alexander Grüner]

> Open SUSE includes more recent posfix rpms (but in the "factory" not 
the repos): 
http://download.opensuse.org/factory/repo/oss/suse/x86_64/postfix-2.5.5-6.6.x86_64.rpm
> 
http://download.opensuse.org/factory/repo/oss/suse/i586/postfix-2.5.5-6.5.i586.rpm

>
> Obviously, there may be dependencies you need to meet. There are also 
SRC rpms available.


Tracy,

thanks for this hint. Are these only for openSuSE 11.1 ? I will need 
SuSE Linux Enterprise 10 SP2.


Regards,

Alexander
Munich, Germany

Re: FW: Help Needed with odd configuration...

[Justin McAleer]

Spahn, Daniel wrote:

My setup is using the defaults, but the connection is so flaky that even pings 
don't return consistently. My current setup no longer delivers mail, but I get 
lots of timeout errors, and it looks like most messages end up in the defer 
queue. Any ideas? This is a highly political situation and the people 
responsible for fixing the problem will not work with me, yet I am responsible 
for the proper functioning of this email system. Anything that even has a 
slight chance of working will be greatly appreciated. To give a better picture 
of the setup, I have a professional-grade multifunction device that scans, 
faxes, prints, copies, etc.. It has a fixed IP on the LAN. Its scans go out to 
the postfix server, which is connected to a Cisco switch, Netgear firewall, and 
Cisco router/CSU/DSU. I have authentication turned on and it only accepts mail 
from the multifunction device. It's not a high-traffic system- it just 
occasionally has to send a few scans over email. I have administrative access 
to the whole network, except the router/CSU/DSU (but any changes can be 
requested if needed). Any advice that can mitigate the poor line quality is 
appreciated.

  


If the network is that bad, and the people in charge of it don't 
consider it to be a problem worth fixing, get a dialup account somewhere 
and use good, old fashioned PPP. That assumes you can get a "good" 
dialup line, obviously. When your justification is that it would provide 
a more reliable Internet connection than your LAN, perhaps it would have 
the side effect of getting your network fixed.

Re: Check for identical sender and recipient

[Tobias Reckhard]

Sorry, I should've checked the archives first. I've found
http://archives.neohapsis.com/archives/postfix/2008-11/0337.html, I'll
come back if necessary.

Please excuse my previous post.
Cheers,
Tobias

Check for identical sender and recipient

[Tobias Reckhard]

Hi

Is it possible to perform a check to see if envelope sender and envelope
recipient are identical (and within a specific domain or, even better,
within a list, e.g. relay_recipients) with postfix check_mumble_access
rules? Following Ralf's hints at www.arschkrebs.de, I can chain sender
and recipient restrictions and check both against the same list of
e-mail addresses (albeit with different actions), but that will match
any pair or addresses, while the requirement is for sender and recipient
to be identical.

I have thought of the possibility of specifying as many restrictions as
there are addresses (check_sender_access address1 &&
check_recipient_access address1 && OK; check_sender_access address2 &&
check_recipient_access address2 && OK; ...), but that seems rather
convoluted..

A regexp table seems attractive, but I wouldn't know how to pass a
matched expression from a check_sender_access to a check_recipient_access.

Any ideas?

Cheers,
Tobias

Alias and mailbox under one e-mail address

[Jakub Nadolny]

Hello,

how can I have an e-mail account to which when people send e-mail messages then
they are kept in this account and also forwarded to some other accounts?

In other words:
There is an e-mail account [EMAIL PROTECTED] Someone uses this account for
sending / receiving e-mails. But it is required that when e-mail is send to
[EMAIL PROTECTED] then it will be forwarded also to [EMAIL PROTECTED],
[EMAIL PROTECTED] etc.

I can achieve it by modifying alias table (mysql):
 address = '[EMAIL PROTECTED]'
 goto = '[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]'

But the problem is that in such case users address1 and adress2 get each e-mail
twice. 

If I delete [EMAIL PROTECTED] from goto, then they get it once, but
[EMAIL PROTECTED] will not get it at all.

How can I do it properly?

Thank you in advance,
Jakub

RE: Info on Filtering Mail based on subdomain

[Mark A. Olbert]

f Of mouss
Sent: Sunday, December 07, 2008 11:30 PM
To: postfix-users@postfix.org
Subject: Re: Info on Filtering Mail based on subdomain

Mark A. Olbert a écrit :
> Sorry about the line endings. Let me try again:
>
> Error message:
>
> [EMAIL PROTECTED]:/etc/postfix# mailq
> -Queue ID- --Size-- Arrival Time -Sender/Recipient---
> 140DC2741FE  459 Sun Dec  7 17:57:07  [EMAIL PROTECTED]
> (host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Unable to relay (in reply to end 
> of DATA command))
>  [EMAIL PROTECTED]
>

Always look at logs. They contain more infos than bounces or mailq output.

> postconf -n:
> [snip]
> mydestination = $myhostname, localhost.$mydomain, $mydomain,
> mail.$mydomain, www.$mydomain, ftp.$mydomain, list.$mydomain

so list.arcabama.com is in mydestination.

> [snip]
> transport_maps = hash:/etc/postfix/transport

can you show the contents of transport_maps?

> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
>


__ Information from ESET NOD32 Antivirus, version of virus signature 
database 3671 (20081208) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com



__ Information from ESET NOD32 Antivirus, version of virus signature 
database 3671 (20081208) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Re: Info on Filtering Mail based on subdomain

[Dario "subbia" Cavallaro]

mouss ha scritto:

can you show the contents of transport_maps?
  
And the content of alias map? As far as I can remember I had a similar 
error and IU had made two mistakes:

1) listed in transport the domain and the destination;
2) no alias set in aliases;

And last but not least, there was no one listening on 127.0.0.1 on port 25.

Hth.

Dario "subbia" Cavallaro

A message disappeared

[Kai Wang]

Greetings,

We run Postfox (postfix-2.3.3-2.pcre.sasl2.rhel4) and MailScanner 
(mailscanner-4.66.5-3)
together. A user reported that he lost a message. I checked into our log 
and found 4 entries

about the message, all from postfix.

Dec  7 16:04:47 smtp2 postfix/smtpd[12441]: connect from 
h129-184.wlan.ucalgary.ca[136.159.184.129]
Dec  7 16:04:52 smtp2 postfix/smtpd[12441]: 5568910031: 
client=h129-184.wlan.ucalgary.ca[136.159.184.129], sasl_method=PLAIN,

[EMAIL PROTECTED]
Dec  7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: hold: header 
Received: from [136.159.184.129] (h129-184.wlan.ucalga
ry.ca [136.159.184.129])??by smtp2.ucalgary.ca (Postfix) with ESMTP id 
5568910031??for <[EMAIL PROTECTED]>; Sun,  7 Dec 2008
16:04:52 -0700 (MST) from h129-184.wlan.ucalgary.ca[136.159.184.129]; 
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=E

SMTP helo=<[136.159.184.129]>
Dec  7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: 
message-id=<[EMAIL PROTECTED]>


Can anybody give us a hand?


Thanks

--
Kai Wang
System Services
Information Technologies, University of Calgary,
2500 University Drive, N.W.,
Calgary, Alberta, Canada T2N 1N4
Phone (403) 220-2423, Fax (403) 282-9361

Re: A message disappeared

[Victor Duchovni]

On Mon, Dec 08, 2008 at 09:23:14AM -0700, Kai Wang wrote:

> We run Postfox (postfix-2.3.3-2.pcre.sasl2.rhel4) and MailScanner 
> (mailscanner-4.66.5-3)
> together.

Mailscanner is expressly unsupported here, it misuses undocumented
Postfix interfaces and queue-file formats.

> A user reported that he lost a message. I checked into our log 
> and found 4 entries
> about the message, all from postfix.
> 
> Dec  7 16:04:47 smtp2 postfix/smtpd[12441]: connect from 
> h129-184.wlan.ucalgary.ca[136.159.184.129]
> Dec  7 16:04:52 smtp2 postfix/smtpd[12441]: 5568910031: 
> client=h129-184.wlan.ucalgary.ca[136.159.184.129], sasl_method=PLAIN,
> [EMAIL PROTECTED]
> Dec  7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: hold: header 
> Received: from [136.159.184.129] (h129-184.wlan.ucalga
> ry.ca [136.159.184.129])??by smtp2.ucalgary.ca (Postfix) with ESMTP id 
> 5568910031??for <[EMAIL PROTECTED]>; Sun,  7 Dec 2008
> 16:04:52 -0700 (MST) from h129-184.wlan.ucalgary.ca[136.159.184.129]; 
> from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=E
> SMTP helo=<[136.159.184.129]>
> Dec  7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: 
> message-id=<[EMAIL PROTECTED]>
> 
> Can anybody give us a hand?

Ask on the Mailscanner list. Postfix put the message into the HOLD
queue (where Mailscanner takes over).

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: A message disappeared

[Wietse Venema]

Kai Wang:
> 
> Greetings,
> 
> We run Postfox (postfix-2.3.3-2.pcre.sasl2.rhel4) and MailScanner 
> (mailscanner-4.66.5-3)
> together. A user reported that he lost a message. I checked into our log 
> and found 4 entries
> about the message, all from postfix.
> 
> Dec  7 16:04:47 smtp2 postfix/smtpd[12441]: connect from 
> h129-184.wlan.ucalgary.ca[136.159.184.129]
> Dec  7 16:04:52 smtp2 postfix/smtpd[12441]: 5568910031: 
> client=h129-184.wlan.ucalgary.ca[136.159.184.129], sasl_method=PLAIN,
>  [EMAIL PROTECTED]
> Dec  7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: hold: header 
> Received: from [136.159.184.129] (h129-184.wlan.ucalga
> ry.ca [136.159.184.129])??by smtp2.ucalgary.ca (Postfix) with ESMTP id 
> 5568910031??for <[EMAIL PROTECTED]>; Sun,  7 Dec 2008
> 16:04:52 -0700 (MST) from h129-184.wlan.ucalgary.ca[136.159.184.129]; 
> from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=E
> SMTP helo=<[136.159.184.129]>
> Dec  7 16:04:52 smtp2 postfix/cleanup[13044]: 5568910031: 
> message-id=<[EMAIL PROTECTED]>
> 
> Can anybody give us a hand?

Postfix left the message in the "hold" queue and Mailscanner took over.
If you have no other entries for message-id=<[EMAIL PROTECTED]>
then Mailscanner trashed your mail.

Wietse

554 5.7.1 : Client host rejected. Access denied.

[Miguel Angel Cañedo]

Hi I have set up my postfix server:
Every SMTP connection from evolution works.
Every SMTP connection from Outlook fails (smtp authentication is marked)
they get 554 5.7.1 : Client host rejected. Access denied.

This is driving me nuts, any help will be grat, thanks in advance

Here are my files:

main.cf
***
# See /usr/share/postfix/main.cf.dist for a commented, more complete
version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, localhost.localdomain, localhost
relayhost = 
#mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 172.16.0.0/16
mynetworks = 127.0.0.0/8 
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_local_domain = 
#mcanedo noanonymous
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions = 
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client
 dnsbl.sorbs.net,check_policy_service inet:127.0.0.1:6

#smtpd_recipient_restrictions = 
permit_sasl_authenticated,permit_mynetworks,check_relay_domains

#smtpd_reject_unlisted_recipient = no

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
content_filter = smtp-amavis:[127.0.0.1]:10024

#Indicar que vaya a buscarar el transporte elegido (como smtproutes en qmail)
#transport_maps = hash:/etc/postfix/transport
#todo via no-ip
default_transport=smtp:smtp-auth.no-ip.com:3325


#Archivo con Contraseña para servidores relay (ej. no-ip)
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd


local_recipient_maps =
***

master.cf
***
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp  unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmailunix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n   -   -   pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} 
${user} ${extension}
mailman   unix  -   n   n   -   -   pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#mcanedo: Añadido para amavis FILTRS antivirus y spam
smtp-amavis unix-   -   -   -   2   smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

127.0.0.1:10025 inetn   -   -   -   -   smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connect

One domain used by virtual_alias_maps AND transport_maps?

[Daniel Funke]

Hi,

I have a postfix gateway sending mails to accounts on different backend 
systems and to local maildirs for imap. But the destination of an email 
should depend from the single recipient address not from the complete 
destination domain.


I'll try to explain it with my testdomain "example.com". My config is below.

In the transport you can see addresses which are redirected to an 
exchange-server without changing the recipient address. In the virtual I 
have addresses for local maildirs (funked03) and for backend systems 
needing a rewrite of the recipient address ([EMAIL PROTECTED]). In 
the last line the [EMAIL PROTECTED] at the right hand side is needed to 
look for this address in the transport.


If I haven't missed something all works as I want. Mails to unknown 
recipients are rejected.


But I found the information that it's never allowed to list a virtual 
domain in mydestination. Do you have any idea how to do this better or 
dou you think I could operate a system in this config without any trouble?


Best regards,

Daniel


main.cf:

mynetworks = 127.0.0.0/8
mydestination = $myhostname, localhost.$mydomain, localhost, example.com
transport_maps = hash:/etc/postfix/transport
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual
local_recipient_maps = hash:/etc/postfix/transport


transport:
--
[EMAIL PROTECTED]  smtp:[192.168.1.10]
[EMAIL PROTECTED]smtp:[192.168.1.10]
notes-in.local  smtp:[192.168.1.120]


virtual:

[EMAIL PROTECTED] funked03
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED][EMAIL PROTECTED], funked03, [EMAIL PROTECTED]


--
DIS - Network Services/Executive Solution Center

DOUGLAS Informatik & Service GmbH - Kabeler Str. 4, D-58099 Hagen
http://www.douglas-informatik.de
Handelsregister Hagen HRB 1051
Geschaeftsfuehrer: Olaf Schrage - Prokurist: Stephan Borkenfeld - Prokurist: 
Dr. Martin Kiel

Re: 554 5.7.1 : Client host rejected. Access denied.

[J.P. Trosclair]

Miguel Angel Cañedo wrote:

Hi I have set up my postfix server:
Every SMTP connection from evolution works.
Every SMTP connection from Outlook fails (smtp authentication is marked)
they get 554 5.7.1 : Client host rejected. Access denied.

This is driving me nuts, any help will be grat, thanks in advance

Here are my files:

main.cf
***
# See /usr/share/postfix/main.cf.dist for a commented, more complete
version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, localhost.localdomain, localhost
relayhost = 
#mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 172.16.0.0/16
mynetworks = 127.0.0.0/8 
mailbox_size_limit = 0

recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_local_domain = 
#mcanedo noanonymous

smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions = 
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client
 dnsbl.sorbs.net,check_policy_service inet:127.0.0.1:6

#smtpd_recipient_restrictions = 
permit_sasl_authenticated,permit_mynetworks,check_relay_domains

#smtpd_reject_unlisted_recipient = no

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
content_filter = smtp-amavis:[127.0.0.1]:10024

#Indicar que vaya a buscarar el transporte elegido (como smtproutes en qmail)
#transport_maps = hash:/etc/postfix/transport
#todo via no-ip
default_transport=smtp:smtp-auth.no-ip.com:3325


#Archivo con Contraseña para servidores relay (ej. no-ip)
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd


local_recipient_maps =
***

master.cf
***
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp  unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmailunix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n   -   -   pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} 
${user} ${extension}
mailman   unix  -   n   n   -   -   pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#mcanedo: Añadido para amavis FILTRS antivirus y spam
smtp-amavis unix-   -   -   -   2   smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

127.0.0.1:10025 inetn   -   -   -   -   smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000

Can't Receive emails!

[Kirt Bajwa]

Hello:
 
Over a year ago, I installed a CentOS 5.2 with Postfix
2:2.3..3-2.1 (and Dovecot) on a Server. Postfix ran without a problem & did
not do anything for 18 months. 
 
Couple of weeks ago, I lost the P/S in the Server. I took
the MB and installed it into another Server. I changed the IP address on the
NIC card and the Server was up.
 
At this point I noticed that I was NOT getting emails from
the Internet. I can send emails to the outside
World, but don’t receive any email. Then I tried sending email from one account
to another email account on the same Server. Emails gets through.
 
Can some one help as to why I am not getting emails from the
Internet?
 
Sam
 
Following will help:
/var/log/maillog
 
Dec  8 08:09:11 www dovecot: Dovecot v1.1.2 starting up
Dec  8 08:09:13 www postfix/postfix-script: starting
the Postfix mail system
Dec  8 08:09:13 www postfix/master[5105]: daemon
started -- version 2.3.3, configuration /etc/postfix
 
 
[EMAIL PROTECTED] ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost,
$mydomain
mydomain = imwell-usa.com
myhostname = mail.imwell-usa.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = 
relayhost = 
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
[EMAIL PROTECTED] ~]# 


  

Re: One domain used by virtual_alias_maps AND transport_maps?

[Brian Evans - Postfix List]

Daniel Funke wrote:
> Hi,
>
> I have a postfix gateway sending mails to accounts on different
> backend systems and to local maildirs for imap. But the destination of
> an email should depend from the single recipient address not from the
> complete destination domain.
>
> I'll try to explain it with my testdomain "example.com". My config is
> below.
>
> In the transport you can see addresses which are redirected to an
> exchange-server without changing the recipient address. In the virtual
> I have addresses for local maildirs (funked03) and for backend systems
> needing a rewrite of the recipient address ([EMAIL PROTECTED]). In
> the last line the [EMAIL PROTECTED] at the right hand side is needed to
> look for this address in the transport.
>
> If I haven't missed something all works as I want. Mails to unknown
> recipients are rejected.
>
> But I found the information that it's never allowed to list a virtual
> domain in mydestination. Do you have any idea how to do this better or
> dou you think I could operate a system in this config without any
> trouble?
Only list domains this machine receives directly into mydestination
(think final destination = this machine).
For a domain that is forwarded on, use relay_domains AND
relay_recipient_maps.
Do not blindly accept addresses by omitting relay_recipient_maps.
In the case of Exchange, Postfix can be setup to query LDAP. 
This can be to the AD directly or (recommended) to a local OpenLDAP mirror.

See http://www.postfix.org/ADDRESS_CLASS_README.html for details on
Postfix's address classes.

>
> Best regards,
>
> Daniel
>
> 
> main.cf:
> 
> mynetworks = 127.0.0.0/8
> mydestination = $myhostname, localhost.$mydomain, localhost, example.com
> transport_maps = hash:/etc/postfix/transport
> virtual_alias_domains =
> virtual_alias_maps = hash:/etc/postfix/virtual
> local_recipient_maps = hash:/etc/postfix/transport

Please do not reuse different maps like this.  It may work now, but
could easily break in the future.

>
>
> transport:
> --
> [EMAIL PROTECTED]  smtp:[192.168.1.10]
> [EMAIL PROTECTED]smtp:[192.168.1.10]
This does not take the place of validation.
Simplify this to 'example.com smtp:[192.168.1.10]' and create a real
recipient map.
> notes-in.local  smtp:[192.168.1.120]
>
>
> virtual:
> 
> [EMAIL PROTECTED] funked03

Note, this appends myorigin and then the delivery process continues.
If myorigin is NOT in an address class, it will bounce.
Furthermore, the mapping you suggest above will *break* local machine
validation and cause bounces.

> [EMAIL PROTECTED] [EMAIL PROTECTED]
> [EMAIL PROTECTED][EMAIL PROTECTED], funked03, [EMAIL PROTECTED]
> 
>

Re: SuSE repository - old postfix ?

[J Sloan]

Alexander Grüner wrote:
> > Open SUSE includes more recent posfix rpms (but in the "factory" not
> the repos):
> http://download.opensuse.org/factory/repo/oss/suse/x86_64/postfix-2.5.5-6.6.x86_64.rpm
>
> >
> http://download.opensuse.org/factory/repo/oss/suse/i586/postfix-2.5.5-6.5.i586.rpm
>
> >
> > Obviously, there may be dependencies you need to meet. There are
> also SRC rpms available.
>
> Tracy,
>
> thanks for this hint. Are these only for openSuSE 11.1 ? I will need
> SuSE Linux Enterprise 10 SP2.

I always grab the src rpms from suse factory, compile them on a SLES 9
server and push the compiled packages out to our SLES 9 based smtp
gateways. It works quite well. That may not be "supported", but in all
the years we've had linux support, we've never, ever called for a
postfix problem anyway, so that matters little. The alternative for us
would be to run postfix-2.1.1 as shipped on SLES 9.

Joe

Re: Can't Receive emails!

[Brian Evans - Postfix List]

Kirt Bajwa wrote:
>
> Hello:
>
>  
>
> Over a year ago, I installed a CentOS 5.2 with Postfix 2:2..3.3-2.1
> (and Dovecot) on a Server. Postfix ran without a problem & did not do
> anything for 18 months.
>
>  
>
> Couple of weeks ago, I lost the P/S in the Server. I took the MB and
> installed it into another Server. I changed the IP address on the NIC
> card and the Server was up.
>
>  
>
> At this point I noticed that I was NOT getting emails from the
> Internet. I can send emails to the outside World, but don’t receive
> any email. Then I tried sending email from one account to another
> email account on the same Server. Emails gets through.
>
>  
>
> Can some one help as to why I am not getting emails from the Internet?
>
>  
>
> mydomain = imwell-usa.com
>
> myhostname = mail.imwell-usa.com
>

Your machine is not accepting requests:

[EMAIL PROTECTED] ~ $ telnet mail.imwell-usa.com 25
Trying 65.103.190.105...
telnet: connect to address 65.103.190.105: Connection refused

Can you 'telnet localhost 25' on that box?
Can you telnet to the box on the same network?

Is SELinux or AppArmor installed?
Is there a general smtp service entry in master.cf?

Brian

RE: Can't Receive emails!

[Chris Johnson]

Did you change the MX record to point to the new server?
Do you show anything in the logs, rejections? Did you open your firewall for 
the new IP?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kirt Bajwa
Sent: Monday, December 08, 2008 11:58 AM
To: [EMAIL PROTECTED]
Subject: Can't Receive emails!

Hello:

Over a year ago, I installed a CentOS 5.2 with Postfix 2:2..3.3-2.1 (and 
Dovecot) on a Server. Postfix ran without a problem & did not do anything for 
18 months.

Couple of weeks ago, I lost the P/S in the Server. I took the MB and installed 
it into another Server. I changed the IP address on the NIC card and the Server 
was up.

At this point I noticed that I was NOT getting emails from the Internet. I can 
send emails to the outside World, but don’t receive any email. Then I tried 
sending email from one account to another email account on the same Server. 
Emails gets through.

Can some one help as to why I am not getting emails from the Internet?

Sam

Following will help:
/var/log/maillog

Dec  8 08:09:11 www dovecot: Dovecot v1.1.2 starting up
Dec  8 08:09:13 www postfix/postfix-script: starting the Postfix mail system
Dec  8 08:09:13 www postfix/master[5105]: daemon started -- version 2.3.3, 
configuration /etc/postfix


[EMAIL PROTECTED] ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = imwell-usa.com
myhostname = mail.imwell-usa.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
[EMAIL PROTECTED] ~]#




This message contains confidential information and is intended only for the 
individual addressee(s) named above.  If you are not an intended recipient or 
believe you have received this e-mail in error, you should not disseminate, 
distribute or copy it, you should notify the sender immediately by return 
e-mail, and you should delete the e-mail.  E-mail transmission cannot be 
guaranteed to be secure or error-free as information could be intercepted, 
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.  The 
sender therefore does not accept liability for any errors or omissions in the 
contents of this e-mail or any virus which may accompany or be located in this 
e-mail.

Re: 554 5.7.1 : Client host rejected. Access denied.

[Miguel Angel Cañedo]

El lun, 08-12-2008 a las 11:45 -0600, J.P. Trosclair escribió:
> Miguel Angel Cañedo wrote:
> > Hi I have set up my postfix server:
> > Every SMTP connection from evolution works.
> > Every SMTP connection from Outlook fails (smtp authentication is marked)
> > they get 554 5.7.1 : Client host rejected. Access denied.
> > 
> > This is driving me nuts, any help will be grat, thanks in advance
> > 
> > Here are my files:
> > 
> > main.cf
> > ***
> > # See /usr/share/postfix/main.cf.dist for a commented, more complete
> > version
> > 
> > 
> > # Debian specific:  Specifying a file name will cause the first
> > # line of that file to be used as the name.  The Debian default
> > # is /etc/mailname.
> > #myorigin = /etc/mailname
> > 
> > smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> > biff = no
> > 
> > # appending .domain is the MUA's job.
> > append_dot_mydomain = no
> > 
> > # Uncomment the next line to generate "delayed mail" warnings
> > delay_warning_time = 4h
> > 
> > readme_directory = no
> > 
> > # TLS parameters
> > smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
> > smtpd_tls_key_file = /etc/ssl/private/smtpd.key
> > smtpd_use_tls = yes
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > 
> > # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
> > # information on enabling SSL in the smtp client.
> > 
> > myhostname = mydomain.com
> > alias_maps = hash:/etc/aliases
> > alias_database = hash:/etc/aliases
> > myorigin = /etc/mailname
> > mydestination = mydomain.com, localhost.localdomain, localhost
> > relayhost = 
> > #mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 172.16.0.0/16
> > mynetworks = 127.0.0.0/8 
> > mailbox_size_limit = 0
> > recipient_delimiter = +
> > inet_interfaces = all
> > inet_protocols = ipv4
> > home_mailbox = Maildir/
> > smtpd_sasl_type = dovecot
> > smtpd_sasl_path = private/auth-client
> > smtpd_sasl_local_domain = 
> > #mcanedo noanonymous
> > smtpd_sasl_security_options = noanonymous
> > broken_sasl_auth_clients = yes
> > smtpd_sasl_auth_enable = yes
> > 
> > smtpd_recipient_restrictions = 
> > permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client
> >  dnsbl.sorbs.net,check_policy_service inet:127.0.0.1:6
> > 
> > #smtpd_recipient_restrictions = 
> > permit_sasl_authenticated,permit_mynetworks,check_relay_domains
> > 
> > #smtpd_reject_unlisted_recipient = no
> > 
> > smtpd_tls_auth_only = no
> > smtp_use_tls = yes
> > smtpd_use_tls = yes
> > smtp_tls_note_starttls_offer = yes
> > smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
> > smtpd_tls_loglevel = 1
> > smtpd_tls_received_header = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
> > content_filter = smtp-amavis:[127.0.0.1]:10024
> > 
> > #Indicar que vaya a buscarar el transporte elegido (como smtproutes en 
> > qmail)
> > #transport_maps = hash:/etc/postfix/transport
> > #todo via no-ip
> > default_transport=smtp:smtp-auth.no-ip.com:3325
> > 
> > 
> > #Archivo con Contraseña para servidores relay (ej. no-ip)
> > smtp_sender_dependent_authentication = yes
> > smtp_sasl_auth_enable = yes
> > smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> > 
> > 
> > local_recipient_maps =
> > ***
> > 
> > master.cf
> > ***
> > # maildrop. See the Postfix MAILDROP_README file for details.
> > # Also specify in main.cf: maildrop_destination_recipient_limit=1
> > #
> > maildrop  unix  -   n   n   -   -   pipe
> >   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
> > #
> > # See the Postfix UUCP_README file for configuration details.
> > #
> > uucp  unix  -   n   n   -   -   pipe
> >   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail 
> > ($recipient)
> > #
> > # Other external delivery methods.
> > #
> > ifmailunix  -   n   n   -   -   pipe
> >   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> > bsmtp unix  -   n   n   -   -   pipe
> >   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender 
> > $recipient
> > scalemail-backend unix  -   n   n   -   2   pipe
> >   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store 
> > ${nexthop} ${user} ${extension}
> > mailman   unix  -   n   n   -   -   pipe
> >   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
> >   ${nexthop} ${user}
> > 
> > #mcanedo: Añadido para amavis FILTRS antivirus y spam
> > smtp-amavis unix-   -   -   -   2   smtp
> > -o smtp_data_done_timeout=1200
> > -o smtp_send_xforward_command=yes
> > -o disable_dns_lookups=yes
> > -o max_use=20
> > 
> > 127.0.0.1:10025 inetn   -   -   -   -   smtpd
> > 

Re: Can't Receive emails!

[Kirt Bajwa]

My previous post should have said Hard Disk Drive (HDD) instead of Motherboard 
(MB). I am reposting. Sorry.





From: Kirt Bajwa <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Monday, December 8, 2008 10:57:54 AM
Subject: Can't Receive emails!


 
Hello:
 
Over a year ago, I installed a CentOS 5.2 with Postfix
2:2..3.3-2.1 (and Dovecot) on a Server. Postfix ran without a problem & did
not do anything for 18 months. 
 
Couple of weeks ago, I lost the P/S in the Server. I took
the HDD and installed it into another Server. I changed the IP address on the
NIC card and the Server was up.
 
At this point I noticed that I was NOT getting emails from
the Inter net . I can send emails to the outside
World, but don’t receive any email. Then I tried sending email from one account
to another email account on the same Server. Emails gets through.
 
Can some one help as to why I am not getting emails from the
Inter net ?
 
Sam
 
Following will help:
 
/var/log/maillog
Dec  8 08:09:11 www dovecot: Dovecot v1.1.2 starting up
Dec  8 08:09:13 www postfix/postfix-script: starting
the Postfix mail system
Dec  8 08:09:13 www postfix/master[5105]: daemon
started -- version 2.3.3, configuration /etc/postfix
 
 
[EMAIL PROTECTED] ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
i net _interfaces = all
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost,
$mydomain
mydomain = imwell-usa.com
myhostname = mail.imwell-usa.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = 
relayhost = 
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_my net works,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
[EMAIL PROTECTED] ~]# 


  

[OT] Korreio: free software announce, Postfix related

[Reinaldo de Carvalho]

Hi,

Korreio is a GUI to mail management with support to LDAP, CYRUS and
POSTFIX. It is a free software hosted on http://korreio.sf.net. (Now
available in English)

It has some integrated modules:

- LDAP management to add, modify and delete entries with many
facilities including Password Change and Samba Populate.
- Cyrus-IMAP Mailbox management to create, delete, reconstruct, share
(full ACLs support), set quota and expire.
- Cyrus-IMAP Partition Manager to move mailboxes into IMAP-partitions,
and show report about quota availability.
- Sieve management to send, active and delete scripts (some template
available) for one, some or all imap users.
- Postfix Queue manager to build tree based on 'postqueue -p' by a SSH
connection. Can delete, hold on, unhold, requeue by QUEUEID or by
sender also show message content.
- Postfix config interface modify main.cf, postmap files and a remote
text editor through SSH.

See screenhosts: http://sourceforge.net/project/screenshots.php?group_id=206408

Have fun.

-- 
Reinaldo de Carvalho
http://korreio.sf.net (Now available in English)
http://python-cyrus.sf.net

OT: no response from spamhaus

[ghe]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm a profoundly low-volume mailer, so there's no way I'm cut off for
traffic. And I'm not a spammer.

But spamassassin has been checking with zen for 2 or 3 years now, and
this morning I noticed bind saying it was getting too many timeouts from
spamhaus. Now the host command (from here and from another domain) gets
no response -- just a timeout, not even an error.

I've googled, and I've searched the spamhaus website, but I can't find a
way to talk to them. Anybody got an addy for this situation?

- --
Glenn English
[EMAIL PROTECTED]

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkk9aRAACgkQ04yQfZbbTLaowACglwxL8Nyn4EeXTrkLwWOz78ez
hSYAoIf//XZ2ItT1A4iemSK4PuvAmywM
=FTCZ
-END PGP SIGNATURE-

Re: Can't Receive emails!

[Kirt Bajwa]

> Can you 'telnet localhost 25' on that box?
YES

> Can you telnet to the box on the same network?
YES


>Is SELinux or AppArmor installed?
SELinux is installed (as part of CentOS installation) but is DISABLED.

>Is there a general smtp service entry in master.cf?
No idea what to look for! Please give some direction. I am pretty newbie.

Sam




From: Brian Evans - Postfix List <[EMAIL PROTECTED]>
To: Postfix users 
Sent: Monday, December 8, 2008 11:06:28 AM
Subject: Re: Can't Receive emails!


Your machine is not accepting requests:

[EMAIL PROTECTED] ~ $ telnet mail.imwell-usa.com 25
Trying 65.103.190.105...
telnet: connect to address 65.103.190.105: Connection refused

Can you 'telnet localhost 25' on that box?
Can you telnet to the box on the same network?

Is SELinux or AppArmor installed?
Is there a general smtp service entry in master.cf?

Brian



  

RE: Info on Filtering Mail based on subdomain

[Mark A. Olbert]

ember 08, 2008 7:24 AM
To: mouss
Cc: postfix-users@postfix.org
Subject: Re: Info on Filtering Mail based on subdomain

mouss ha scritto:
> can you show the contents of transport_maps?
>
And the content of alias map? As far as I can remember I had a similar
error and IU had made two mistakes:
1) listed in transport the domain and the destination;
2) no alias set in aliases;

And last but not least, there was no one listening on 127.0.0.1 on port 25.

Hth.

Dario "subbia" Cavallaro


__ Information from ESET NOD32 Antivirus, version of virus signature 
database 3671 (20081208) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com


__ Information from ESET NOD32 Antivirus, version of virus signature 
database 3672 (20081208) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Re: Can't Receive emails!

[Kirt Bajwa]

I think the problem is with Qwest DSL blocking the incoming mail. I have reset 
the DSL modem and did receive one email. I am hoping that it is working. THANKS 
to all.


  

Re: Info on Filtering Mail based on subdomain

[mouss]

Mark A. Olbert a écrit :
> Log info:
> 
> Dec  8 07:03:23 wiggle_butt postfix/pickup[13057]: 132802741F3: uid=0 
> from=
> Dec  8 07:03:23 wiggle_butt postfix/cleanup[13064]: 132802741F3: 
> message-id=<[EMAIL PROTECTED]>
> Dec  8 07:03:23 wiggle_butt postfix/qmgr[13058]: 132802741F3: from=<[EMAIL 
> PROTECTED]>, size=462, nrcpt=1 (queue active)
> Dec  8 07:03:23 wiggle_butt amavis[12916]: (12916-05) ESMTP::10024 
> /var/amavisd/tmp/amavis-20081208T065442-12916: <[EMAIL PROTECTED]> -> <[EMAIL 
> PROTECTED]> Received: SIZE=462 from mail.arcabama.com ([127.0.0.1]) by 
> localhost (host.domain.tld [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP 
> id 12916-05 for <[EMAIL PROTECTED]>; Mon,  8 Dec 2008 07:03:23 -0800 (PST)
> Dec  8 07:03:23 wiggle_butt amavis[12916]: (12916-05) Checking: <[EMAIL 
> PROTECTED]> -> <[EMAIL PROTECTED]>
> Dec  8 07:03:23 wiggle_butt amavis[12916]: (12916-05) FWD via SMTP: 
> [192.168.1.200]:25 <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
> Dec  8 07:03:28 wiggle_butt amavis[12916]: (12916-05) mail_via_smtp: DATA 
> skipped, no valid recips, 0

no valid recips and still no postfix logs? are you sure your amavisd-new
is configured to pass mail back to postfix? please check your amavisd.conf.

> Dec  8 07:03:28 wiggle_butt amavis[12916]: (12916-05) mail_via_smtp: 550 
> 5.7.1 Unable to relay
> Dec  8 07:03:28 wiggle_butt amavis[12916]: (12916-05) Blocked CLEAN, <[EMAIL 
> PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: -, 
> 5119 ms

Re: Can't Receive emails!

[Matt Rude]

On Mon, December 8, 2008 12:41 pm, Kirt Bajwa wrote:
>> Can you 'telnet localhost 25' on that box?
>>
> YES
>
>
>> Can you telnet to the box on the same network?
>>
> YES
>
>
>
>> Is SELinux or AppArmor installed?
>>
> SELinux is installed (as part of CentOS installation) but is DISABLED.
>
>
>> Is there a general smtp service entry in master.cf?
>>
> No idea what to look for! Please give some direction. I am pretty newbie.
>
>
> Sam
>
>
>
>
> 
> From: Brian Evans - Postfix List <[EMAIL PROTECTED]>
> To: Postfix users 
> Sent: Monday, December 8, 2008 11:06:28 AM
> Subject: Re: Can't Receive emails!
>
>
>
> Your machine is not accepting requests:
>
>
> [EMAIL PROTECTED] ~ $ telnet mail.imwell-usa.com 25 Trying 65.103.190.105...
> telnet: connect to address 65.103.190.105: Connection refused
>
>
> Can you 'telnet localhost 25' on that box?
> Can you telnet to the box on the same network?
>
>
> Is SELinux or AppArmor installed?
> Is there a general smtp service entry in master.cf?
>
>
> Brian
>
>
>
>
>

You changed the IP address, did you change your MX record on your DNS server?

-- 
Matt Rude
website: http://www.mattrude.com  -  wiki: http://wiki.mattrude.com
PGP Fingerprint: 0E94 70DA 89F8 5102 0862  5EA2 CB10 759E E65F 2C46

Re: Can't Receive emails!

[Sipos Gabor]

Kirt Bajwa wrote:
My previous post should have said Hard Disk Drive (HDD) instead of 
Motherboard (MB). I am reposting. Sorry.



*From:* Kirt Bajwa <[EMAIL PROTECTED]>
*To:* [EMAIL PROTECTED]
*Sent:* Monday, December 8, 2008 10:57:54 AM
*Subject:* Can't Receive emails!

Hello:

 

Over a year ago, I installed a CentOS 5.2 with Postfix 2:2..3.3-2.1 
(and Dovecot) on a Server. Postfix ran without a problem & did not do 
anything for 18 months.


 

Couple of weeks ago, I lost the P/S in the Server. I took the HDD and 
installed it into another Server. I changed the IP address on the NIC 
card and the Server was up.


 

At this point I noticed that I was NOT getting emails from the Inter 
net . I can send emails to the outside World, but don’t receive any 
email. Then I tried sending email from one account to another email 
account on the same Server. Emails gets through.


 


Can some one help as to why I am not getting emails from the Inter net ?

 


Sam

 

Exactly why did you change the IP for a HDD change? Are you behind some 
NAT firewall? If so, you should revise your NAT rules to reflect the new 
IP of the machine.


Gabor Sipos

Stopping backscatter with before-queue

[Chris Turan]

Hey All,

I'm having an issue with backscatter emails and implementing a 
before-queue spam and virus scanner.  My current mail server uses a 
after-queue amavisd-new scanner with spamassassin and clamav.  In the 
last two weeks, my system has started *sending* a significant number of 
backscatter messages.


I need to silence these messages in a safe and reliable way.  Here are 
my criteria:


1) Reject the message before the end of the smtp transaction.
2) Scan for both spam and viruses.
3) Never discard. MTA must deliver-and-tag or reject-and-notify.
4) Scan both incoming and outgoing messages.
5) Scanner is fast, runs as a daemon, and is preferably written in a 
faster language like C.


Despite my best research, I have not yet found a way to do all five of 
these.  Can anyone recommend a way to run amavis as before-queue 
scanner, or to recommend a different scanner better than amavisd-new.


I'm hoping to get some recommendations from the folks here.

-Chris

Re: Alias and mailbox under one e-mail address

[mouss]

Jakub Nadolny a écrit :
> Hello,
> 
> how can I have an e-mail account to which when people send e-mail messages 
> then
> they are kept in this account and also forwarded to some other accounts?
> 
> In other words:
> There is an e-mail account [EMAIL PROTECTED] Someone uses this account for
> sending / receiving e-mails. But it is required that when e-mail is send to
> [EMAIL PROTECTED] then it will be forwarded also to [EMAIL PROTECTED],
> [EMAIL PROTECTED] etc.
> 
> I can achieve it by modifying alias table (mysql):
>  address = '[EMAIL PROTECTED]'
>  goto = '[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]'
> 
> But the problem is that in such case users address1 and adress2 get each 
> e-mail
> twice. 
> 
> If I delete [EMAIL PROTECTED] from goto, then they get it once, but
> [EMAIL PROTECTED] will not get it at all.
> 
> How can I do it properly?

# grep content_filter main.cf
# grep content_filter master.cf
# grep receive_override_options master.cf
# wget http://www.postfix.org/FILTER_README.html
# grep receive_override_options FILTER_README.html

if this doesn't help, you'll have to tell us more ;-p

Re: OT: no response from spamhaus

[Bill Cole]

ghe wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm a profoundly low-volume mailer, so there's no way I'm cut off for
traffic. And I'm not a spammer.


Being cut off from DNS queries is not based on how much you send, but on how 
much you use the DNS query service. See 
http://www.spamhaus.org/organization/dnsblusage.html for details. It is not 
at all unusual for a very low-volume sender (e.g. a middling corporate or 
academic system) to be targeted by enough spam to go past the 300k/day query 
limit. That is especially likely if you don't take steps to minimize your 
impact on their DNS servers, most importantly putting your own caching 
recursive resolver between your mail servers and the world.



But spamassassin has been checking with zen for 2 or 3 years now, and
this morning I noticed bind saying it was getting too many timeouts from
spamhaus. Now the host command (from here and from another domain) gets
no response -- just a timeout, not even an error.


That's what one sees when one has been cut off from DNS queries by Spamhaus.


I've googled, and I've searched the spamhaus website, but I can't find a
way to talk to them. Anybody got an addy for this situation?


You seem to be having a searching problem...

http://www.spamhaus.org/contacts.html has email addresses (including one for 
administrative issues) that should work (i.e. have worked for me in the 
past) and that page is linked from the Spamhaus homepage and many of their 
other pages behind "Contacts."


http://www.spamhaus.org/faq/answers.lasso?section=Legal%20Questions has 
postal addresses and is linked from many places on their site as "Legal 
Questions."


One of the postal addresses is "The Spamhaus Project Ltd. 18 Avenue Louis 
Casai, CH-1209, Geneva, Switzerland" which you will also find at the bottom 
of http://www.spamhaus.org/organization/index.lasso, which is behind the 
"About Spamhaus" links that exist on many of their pages.

Re: Stopping backscatter with before-queue

[Noel Jones]

Chris Turan wrote:

Hey All,

I'm having an issue with backscatter emails and implementing a 
before-queue spam and virus scanner.  My current mail server uses a 
after-queue amavisd-new scanner with spamassassin and clamav.  In the 
last two weeks, my system has started *sending* a significant number of 
backscatter messages.


I need to silence these messages in a safe and reliable way.  Here are 
my criteria:


1) Reject the message before the end of the smtp transaction.
2) Scan for both spam and viruses.
3) Never discard. MTA must deliver-and-tag or reject-and-notify.
4) Scan both incoming and outgoing messages.
5) Scanner is fast, runs as a daemon, and is preferably written in a 
faster language like C.


Despite my best research, I have not yet found a way to do all five of 
these.  Can anyone recommend a way to run amavis as before-queue 
scanner, or to recommend a different scanner better than amavisd-new.


I'm hoping to get some recommendations from the folks here.

-Chris



You need to configure postfix to reject unknown recipients 
during SMTP.  Switching to something other than amavisd-new 
and/or switching to a before-queue filter won't help that.


amavisd-new meets all your criteria, providing you configure 
it to tag+deliver mail rather than bounce.


You can configure amavisd-new as a before-queue postfix 
smtpd_proxy_filter.  Note this mode is not "officially" 
supported by the amavisd-new author, but it should work well 
for small volume sites.  The "small volume sites" is a 
before-queue limitation, not an amavisd-new limitation.


If you describe your problem in more detail, you will likely 
get more specific recommendations in solving it.


--
Noel Jones

Re: Stopping backscatter with before-queue

[Terry Carmen]

Chris Turan wrote:

Hey All,

I'm having an issue with backscatter emails and implementing a 
before-queue spam and virus scanner.  My current mail server uses a 
after-queue amavisd-new scanner with spamassassin and clamav.  In the 
last two weeks, my system has started *sending* a significant number 
of backscatter messages.


I need to silence these messages in a safe and reliable way.  Here are 
my criteria:


1) Reject the message before the end of the smtp transaction.
2) Scan for both spam and viruses.
3) Never discard. MTA must deliver-and-tag or reject-and-notify.
4) Scan both incoming and outgoing messages.
5) Scanner is fast, runs as a daemon, and is preferably written in a 
faster language like C.


Despite my best research, I have not yet found a way to do all five of 
these.  Can anyone recommend a way to run amavis as before-queue 
scanner, or to recommend a different scanner better than amavisd-new.
To eliminate *sending* backscatter, all you need to do is not accept 
mail you won't be able to deliver:


http://www.postfix.org/BACKSCATTER_README.html

amavisd-new with spamassassin and clamav will handle #2 #3 and #4 and 
maybe #5 depending on what you think "fast" is.


Unfortunately, there's still no such thing as a "free lunch" and both 
the virus and spam scanning are not exactly speedy, regardless of how 
fast amavis is. The trick is to reject everything possible using other 
means (blacklists, regular expressions, other tests) before finally 
sending the message to the scanners.


That said, it depends very much on your mail volume and how much is spam 
and how much is ham. I have a small (2 processor, 512M/RAM) mail server 
that runs anywhere from 30K-60K connections/day, rejects way over 90% of 
the attempts and still only runs at less than 2% utilization until the 
spam/AV scanners are started, at which point it runs around 50% for a 
few seconds, then goes back to 0.


Unless you're running a really big site or a really old server, it's 
unlikely that the performance issues you're worried about will actually 
be a problem.


Postfix is extremely efficient, and the cost of rejecting unwanted 
connections is really low.


Back to your actual problem, if you can post the output from postconf 
-n, someone can probably tell you what's wrong.


Terry

Relay access denied

[Tolga]

Hi,

When I try to send mail, I get 5.7.1 Relay access denied. Although I don't get 
this when I send mail with mutt, I am 
wondering if this is a Postfix issue. If not, can you redirect me?

Regards,
mto

Re: Relay access denied

[Daniel V. Reinhardt]

- Original Message 
> From: Tolga <[EMAIL PROTECTED]>
> To: postfix-users@postfix.org
> Sent: Monday, December 8, 2008 8:26:25 PM
> Subject: Relay access denied
> 
> Hi,
> 
> When I try to send mail, I get 5.7.1 Relay access denied. Although I don't 
> get 
> this when I send mail with mutt, I am 
> wondering if this is a Postfix issue. If not, can you redirect me?
> 
> Regards,
> mto

Can you please post your postconf -n content, and some log messages.  I am 
thinking this is a configuration error with $mynetworks.



  

Re: Relay access denied

[J.P. Trosclair]

Tolga wrote:

Hi,

When I try to send mail, I get 5.7.1 Relay access denied. Although I don't get this when I send mail with mutt, I am 
wondering if this is a Postfix issue. If not, can you redirect me?


Regards,
mto


Sounds like a postfix configuration issue. Are you using mutt on the 
same server postfix is running on or on a machine located in a network 
covered by postfix's mynetworks setting?


Please include the output of postconf -n in your reply.

J.P.

Re: Stopping backscatter with before-queue

[Chris Turan]

Noel Jones wrote:
You need to configure postfix to reject unknown recipients during SMTP.  
Switching to something other than amavisd-new and/or switching to a 
before-queue filter won't help that.


Hey Noel.  I actually am rejecting unknown recipients.  I wrote some 
software to refresh the recipients map every five minutes on my system.


amavisd-new meets all your criteria, providing you configure it to 
tag+deliver mail rather than bounce.


Well, I also have it set to bounce messages with a spamassassin score 
above 12.  Turning that off and just delivering everything with tagging 
*could* work.  It would be highly annoying for my end users, however.


If you describe your problem in more detail, you will likely get more 
specific recommendations in solving it.


Not sure what more I can add, but I'll give it a shot.

The backscatter is mostly messages with a spam score above 12.  They're 
being sent off to all sorts of off-site addresses.  In addition, there 
are some messages that has the sender address being set the same as the 
recipient.


-Chris

Re: Stopping backscatter with before-queue

[Chris Turan]

Terry Carmen wrote:
To eliminate *sending* backscatter, all you need to do is not accept 
mail you won't be able to deliver:


I am rejecting unknown recipients but the bounces are coming from 
messages with a spamassassin score above 12.


Unfortunately, there's still no such thing as a "free lunch" and both 
the virus and spam scanning are not exactly speedy, regardless of how 
fast amavis is. The trick is to reject everything possible using other 
means (blacklists, regular expressions, other tests) before finally 
sending the message to the scanners.


Hmmm.  I did get a suggestion about checking the headers against RBL's 
using builtin postfix content filters.  After that, it can be passed 
onto the real scanners.


That said, it depends very much on your mail volume and how much is spam 
and how much is ham. I have a small (2 processor, 512M/RAM) mail server 
that runs anywhere from 30K-60K connections/day, rejects way over 90% of 
the attempts and still only runs at less than 2% utilization until the 
spam/AV scanners are started, at which point it runs around 50% for a 
few seconds, then goes back to 0.


I get 10K emails per day, so its still fairly small.  Do you have a 
before-queue scanner installed?  There are warnings all over 
amavisd-new's documentation saying not to use it as a before queue 
scanner and rightly so.


Back to your actual problem, if you can post the output from postconf 
-n, someone can probably tell you what's wrong.


[EMAIL PROTECTED] /]# postconf -n
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 4h
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 20971520
mynetworks = a.a.a.a/32, b.b.b.b/32, c.c.c.c/32, d.d.d.d/32, e.e.e.e/32
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
receive_override_options = no_address_mappings
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps
sample_directory = /usr/share/doc/postfix-2.4.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_tls_CAfile = /etc/postfix/certs/gd_intermediate_bundle.crt
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_cert_file = /etc/postfix/certs/.crt
smtpd_tls_key_file = /etc/postfix/certs/.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport_maps
unknown_local_recipient_reject_code = 550
[EMAIL PROTECTED] /]#

Re: Relay access denied

[Tolga]

On Mon, Dec 08, 2008 at 12:28:22PM -0800, Daniel V. Reinhardt wrote:
> 
> 
> 
> 
> 
> - Original Message 
> > From: Tolga <[EMAIL PROTECTED]>
> > To: postfix-users@postfix.org
> > Sent: Monday, December 8, 2008 8:26:25 PM
> > Subject: Relay access denied
> > 
> > Hi,
> > 
> > When I try to send mail, I get 5.7.1 Relay access denied. Although I don't 
> > get 
> > this when I send mail with mutt, I am 
> > wondering if this is a Postfix issue. If not, can you redirect me?
> > 
> > Regards,
> > mto
> 
> Can you please post your postconf -n content, and some log messages.  I am 
> thinking this is a configuration error with $mynetworks.

My postconf -n, I don't have logs.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = ozses.net, localhost.net, , localhost
myhostname = ozses.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks,   permit_sasl_authenticated, 
  reject_unauth_destination,   
reject_unknown_reverse_client_hostname,   reject_unauth_pipelining,   
reject_non_fqdn_recipient,   
reject_rbl_client zen.spamhaus.org
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
> 
> 
> 
>   

Re: Relay access denied

[Tolga]

On Mon, Dec 08, 2008 at 02:29:51PM -0600, J.P. Trosclair wrote:
> Tolga wrote:
>> Hi,
>>
>> When I try to send mail, I get 5.7.1 Relay access denied. Although I 
>> don't get this when I send mail with mutt, I am wondering if this is a 
>> Postfix issue. If not, can you redirect me?
>>
>> Regards,
>> mto
>
> Sounds like a postfix configuration issue. Are you using mutt on the  
> same server postfix is running on or on a machine located in a network  
> covered by postfix's mynetworks setting?
>
> Please include the output of postconf -n in your reply.

Mutt is on the same server with postfix. Below is my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = ozses.net, localhost.net, , localhost
myhostname = ozses.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks,   permit_sasl_authenticated, 
  reject_unauth_destination,   
reject_unknown_reverse_client_hostname,   reject_unauth_pipelining,   
reject_non_fqdn_recipient,   
reject_rbl_client zen.spamhaus.org
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Regards,
mto
>
> J.P.

Re: Relay access denied

[J.P. Trosclair]

Tolga wrote:

On Mon, Dec 08, 2008 at 02:29:51PM -0600, J.P. Trosclair wrote:

Tolga wrote:

Hi,

When I try to send mail, I get 5.7.1 Relay access denied. Although I 
don't get this when I send mail with mutt, I am wondering if this is a 
Postfix issue. If not, can you redirect me?


Regards,
mto


Sounds like a postfix configuration issue. Are you using mutt on the  
same server postfix is running on or on a machine located in a network  
covered by postfix's mynetworks setting?


Please include the output of postconf -n in your reply.


Mutt is on the same server with postfix. Below is my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = ozses.net, localhost.net, , localhost
myhostname = ozses.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128


Here (mynetworks) you will either want to add your local network or 
setup SMTP authentication (depends on your requirements) so that users 
not originating from localhost can relay mail through your server.


Quick example:
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, etc


myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks,   permit_sasl_authenticated,   reject_unauth_destination,   
reject_unknown_reverse_client_hostname,   reject_unauth_pipelining,   reject_non_fqdn_recipient,   
reject_rbl_client zen.spamhaus.org


I see you have permit_sasl_authenticated but I don't see any smtp auth 
specific settings other than this one.



smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Regards,
mto


J.P.


After you get done modifying these settings to suit your needs I suggest 
you go here and make sure you haven't opened up relaying to spammers and 
what not (just a safety measure):


http://www.abuse.net/relay.html


J.P.

Re: fight spam problem: sender equal to receiver

[Roland Plüss]

I read now the thread in the archive and tried to apply the proposed
solution. I'm still getting the same amount of spam mails where
sender=receiver. My settings look like this:

disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
   permit_mynetworks,
   check_helo_access hash:/etc/postfix/helo_access,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_unknown_helo_hostname,
   permit
smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_unauth_destination,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_rbl_client zen.spamhaus.org,
   permit
smtpd_sender_restrictions =
   permit_mynetworks,
   check_sender_access hash:/etc/postfix/sender_access,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   reject_sender_login_mismatch,
   reject_unauthenticated_sender_login_mismatch,
   permit

I added the "reject_unknown_recipient_domain" and "reject_rbl_client
zen.spamhaus.org" lines to no avail. Any ideas what else I could try?

Sturgis, Grant wrote:
> On Sun, 2008-12-07 at 09:51 -0700, Roland Plüss wrote:
>   
>> I've got since a couple of weeks a rather nasty spam increase ( in
>> fact
>> massive ). Some jerk sends forged emails to some address [EMAIL PROTECTED] 
>> on my
>> server with the same email address as the receiver ( hence [EMAIL PROTECTED]
>> receives an email from [EMAIL PROTECTED] ). It's clearly not relayed by my 
>> server
>> since the emails come from some spurious servers but got the sender
>> email forged.
>>
>> Now I could not figure out a way with postfix-2.5.5 to reject emails
>> where the sender and receiver emails do match. Any ideas how to
>> accomplish this?
>> 
>
> This has been discussed at length in the last couple of weeks.  Check
> the archives:
>
> http://archives.neohapsis.com/archives/postfix/
>
>
>   
>> --
>> Yours sincerely
>> Plüss Roland
>>
>>
>>
>>
>> 
>
> This electronic message transmission is a PRIVATE communication which
> contains information which may be confidential or privileged. The
> information is intended to be for the use of the individual or entity
> named above. If you are not the intended recipient, please be aware that
> any disclosure, copying, distribution or use of the contents of this
> information is prohibited. Please notify the sender  of the delivery
> error by replying to this message, or notify us by telephone
> (877-633-2436, ext. 0), and then delete it from your system.
>   

-- 
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )



signature.asc
Description: OpenPGP digital signature

Re: Relay access denied

[Tolga]

J.P. Trosclair yazmış:



Tolga wrote:

On Mon, Dec 08, 2008 at 02:29:51PM -0600, J.P. Trosclair wrote:

Tolga wrote:

Hi,

When I try to send mail, I get 5.7.1 Relay access denied. Although 
I don't get this when I send mail with mutt, I am wondering if this 
is a Postfix issue. If not, can you redirect me?


Regards,
mto


Sounds like a postfix configuration issue. Are you using mutt on the 
same server postfix is running on or on a machine located in a 
network covered by postfix's mynetworks setting?


Please include the output of postconf -n in your reply.


Mutt is on the same server with postfix. Below is my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = ozses.net, localhost.net, , localhost
myhostname = ozses.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128


Here (mynetworks) you will either want to add your local network or 
setup SMTP authentication (depends on your requirements) so that users 
not originating from localhost can relay mail through your server.


Quick example:
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, etc


myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = smtp_tls_session_cache_database = 
btree:${data_directory}/smtp_scache

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination, 
reject_unknown_reverse_client_hostname, reject_unauth_pipelining, 
reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org


I see you have permit_sasl_authenticated but I don't see any smtp auth 
specific settings other than this one.



smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Regards,
mto


J.P.


After you get done modifying these settings to suit your needs I 
suggest you go here and make sure you haven't opened up relaying to 
spammers and what not (just a safety measure):


http://www.abuse.net/relay.html


J.P.

Thank you all, it worked :)

Re: Stopping backscatter with before-queue

[Noel Jones]

Chris Turan wrote:

Noel Jones wrote:
You need to configure postfix to reject unknown recipients during 
SMTP.  Switching to something other than amavisd-new and/or switching 
to a before-queue filter won't help that.


Hey Noel.  I actually am rejecting unknown recipients.  I wrote some 
software to refresh the recipients map every five minutes on my system.


amavisd-new meets all your criteria, providing you configure it to 
tag+deliver mail rather than bounce.


Well, I also have it set to bounce messages with a spamassassin score 
above 12.  Turning that off and just delivering everything with tagging 
*could* work.  It would be highly annoying for my end users, however.


If you describe your problem in more detail, you will likely get more 
specific recommendations in solving it.


Not sure what more I can add, but I'll give it a shot.

The backscatter is mostly messages with a spam score above 12.  They're 
being sent off to all sorts of off-site addresses.  In addition, there 
are some messages that has the sender address being set the same as the 
recipient.


-Chris





Setting amavisd-new to tag+deliver with D_PASS will solve your 
backscatter problem.


Use zen.spamhaus.org to reduce the number of spams entering 
your system.  Add clamav to amavisd-new if you don't have it 
already, and use the Sanesecurity add-on signatures (in 
addition to the official clamav signatures, of course).


If you want to investigate setting up amavisd-new as a 
pre-queue filter, general instructions are here:

http://www.postfix.org/SMTPD_PROXY_README.html
More specific instructions can likely be found in the archives 
of the amavis-users mail list.


--
Noel Jones

Re: Stopping backscatter with before-queue

[Henrik K]

On Mon, Dec 08, 2008 at 03:13:57PM -0600, Noel Jones wrote:
>
> If you want to investigate setting up amavisd-new as a pre-queue filter, 
> general instructions are here:
> http://www.postfix.org/SMTPD_PROXY_README.html
> More specific instructions can likely be found in the archives of the 
> amavis-users mail list.

This is fine read, but have a look at amavisd-milter, which is much better
solution for before-queue amavisd.

Re: Stopping backscatter with before-queue

[Terry Carmen]

Chris Turan wrote:

Terry Carmen wrote:
To eliminate *sending* backscatter, all you need to do is not accept 
mail you won't be able to deliver:


I am rejecting unknown recipients but the bounces are coming from 
messages with a spamassassin score above 12.

Don't do that.

Once you've accepted a message, it's yours. Aside from anything else, it 
makes you look bad when someone sends a legitimate email that happens to 
"look" spammy and you bounce it back as spam.


One of my clients HOLDs spammy messages for manual inspection by the 
postmaster, then releases or deletes it. Another one lets the users 
email application deal with the messages based on the spamassassin header.




Unfortunately, there's still no such thing as a "free lunch" and both 
the virus and spam scanning are not exactly speedy, regardless of how 
fast amavis is. The trick is to reject everything possible using 
other means (blacklists, regular expressions, other tests) before 
finally sending the message to the scanners.


Hmmm.  I did get a suggestion about checking the headers against RBL's 
using builtin postfix content filters.  After that, it can be passed 
onto the real scanners.
You just about have to use an RBL or you'll get creamed. However before 
sending it to the RBL, reject everything possible using less 
(processor/network) expensive methods like rdns verification and regular 
expressions. See "Re:RBL" on this list for more information.




That said, it depends very much on your mail volume and how much is 
spam and how much is ham. I have a small (2 processor, 512M/RAM) mail 
server that runs anywhere from 30K-60K connections/day, rejects way 
over 90% of the attempts and still only runs at less than 2% 
utilization until the spam/AV scanners are started, at which point it 
runs around 50% for a few seconds, then goes back to 0.


I get 10K emails per day, so its still fairly small.  Do you have a 
before-queue scanner installed?  There are warnings all over 
amavisd-new's documentation saying not to use it as a before queue 
scanner and rightly so.
I have no before-queue scanner. I reject everything possible based on 
the senders IP, existence of an rdns entry and some regular expressions 
(see  Re:RBL"). Anything that makes it past there is never rejected or 
bounced, no matter what. It either goes to the final recipient or is 
deleted based on corporate policy (chain letters, porn, etc.)


Back to your actual problem, if you can post the output from postconf 
-n, someone can probably tell you what's wrong.

Terry

Re: Stopping backscatter with before-queue

[Corey Chandler]

Chris Turan wrote:

Noel Jones wrote:

amavisd-new meets all your criteria, providing you configure it to 
tag+deliver mail rather than bounce.


Well, I also have it set to bounce messages with a spamassassin score 
above 12.  Turning that off and just delivering everything with 
tagging *could* work.  It would be highly annoying for my end users, 
however.


Tough-- you're really creating your own misery here.  You MUST either 
reject at the gateway, or accept the traffic without sending a bounce.  
You can delete silently if you trust your filters, but given that the 
vast majority of spam has a forged From: header, you're inflicting YOUR 
spam problem on innocent third parties.


Failure to do this will get your server blacklisted at some sites.

DNS resolution and delayed 220 response

[Michael Brennen]

mail_version = 2.5.5
mail_release_date = 20080902

Last week I worked for some hours to resolve a problem receiving mail from 
puremail.com.  I have a short term workaround now, but for the long term I 
want to understand the problem and obviate the need for the workaround.

The mail from puremail was sent from ip address 66.81.101.50, which reverses 
to 'mx.puremail.com'.  A forward lookup on 'mx.puremail.com' results in a 
truncated DNS result and TCP retry, returning 23 ip addresses.

From the remote end's view the 220 return message is delayed by minutes; that 
is how I isolated it to a DNS resolution problem.  Running postfix debug on 
that ip address results in the log entries at the end of this mail.  The only 
redaction in the log is to remove the specific matches for my local networks.

It appears from the log that the 220 tried to be sent, but the "smtp_get: EOF" 
line would seem to indicate that a connection was not open, or had been 
closed, or something like that; in any case concurrent packet sniffs confirm 
that the 220 never made it to the network.

I implemented a short term workaround by defining 66.81.101.50 as 
mx.puremail.com in my local /etc/hosts; that at least got mail coming 
through.

I found this post referencing the postfix changelog entry 20050622 that 
mentions that only the 'best' five MX records are retained from long name 
server replies.  I don't know if this factors into this problem or not.

http://archives.neohapsis.com/archives/postfix/2007-11/0032.html

I am not having any other problems with slow connects (at least none that have 
been reported.)  DNS is run from two other servers on the local network, and 
those have been working well for a long time.

If someone can give me an idea if this is a configuration problem on my side 
or something on the puremail side I would very much appreciate it, and TIA.

   -- Michael

===
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: connect from 
mx.puremail.com[66.81.101.50]
... removed various match_hostaddr for local network ...
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: match_list_match: mx.puremail.com: 
no match
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: match_list_match: 66.81.101.50: no 
match
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: send attr request = connect
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: send attr ident = smtp:66.81.101.50
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: vstream_fflush_some: fd 23 flush 41
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: vstream_buf_get_ready: fd 23 got 25
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: private/anvil: wanted attribute: 
status
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute name: status
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute value: 0
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: private/anvil: wanted attribute: 
count
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute name: count
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute value: 1
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: private/anvil: wanted attribute: 
rate
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute name: rate
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute value: 1
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: private/anvil: wanted attribute: 
(list terminator)
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute name: (end)
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: > mx.puremail.com[66.81.101.50]: 
220 srmail2.fni.com ESMTP UCE subject to blockage without notice
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: vstream_fflush_some: fd 11 flush 66
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: watchdog_pat: 0x57a980
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: smtp_get: EOF
... removed various match_hostaddr for local network ...
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: match_list_match: mx.puremail.com: 
no match
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: match_list_match: 66.81.101.50: no 
match
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: send attr request = disconnect
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: send attr ident = smtp:66.81.101.50
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: vstream_fflush_some: fd 23 flush 44
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: vstream_buf_get_ready: fd 23 got 10
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: private/anvil: wanted attribute: 
status
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute name: status
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute value: 0
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: private/anvil: wanted attribute: 
(list terminator)
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: input attribute name: (end)
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: lost connection after CONNECT from 
mx.puremail.com[66.81.101.50]
Dec  4 18:18:27 bilbo postfix/smtpd[3919]: disconnect from 
mx.puremail.com[66.81.101.50]
===


signature.asc
Description: This is a digitally signed message part.

Re: DNS resolution and delayed 220 response

[Wietse Venema]

Michael Brennen:
> The mail from puremail was sent from ip address 66.81.101.50, which reverses 
> to 'mx.puremail.com'.  A forward lookup on 'mx.puremail.com' results in a 
> truncated DNS result and TCP retry, returning 23 ip addresses.
> 
> From the remote end's view the 220 return message is delayed by minutes; that 
> is how I isolated it to a DNS resolution problem.  Running postfix debug on 
> that ip address results in the log entries at the end of this mail.  The only 
> redaction in the log is to remove the specific matches for my local networks.
...
> Dec  4 18:18:27 bilbo postfix/smtpd[3919]: connect from 
> mx.puremail.com[66.81.101.50]

This line is logged AFTER the DNS delays. There is no useful
information in what gets logged from here onwards.

You should be able to reproduce DNS delays with Postfix's own
getaddrinfo and getnameinfo utilities, part of the Postfix source
code distribution.

./getnameinfo 66.81.101.50
./getaddrinfo mx.puremail.com

Contact me off-list if you don't have these sources.

These lookups resolve instantly, even on my prehistoric network.

Wietse

RE: Stopping backscatter with before-queue

[MacShane, Tracy]

 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris Turan
> Sent: Tuesday, 9 December 2008 7:39 AM
> To: Terry Carmen
> Cc: postfix-users@postfix.org
> Subject: Re: Stopping backscatter with before-queue
> 
> Terry Carmen wrote:
> > To eliminate *sending* backscatter, all you need to do is not accept

> > mail you won't be able to deliver:
> 
> I am rejecting unknown recipients but the bounces are coming from 
> messages with a spamassassin score above 12.
> 
> 
> Hmmm.  I did get a suggestion about checking the headers against RBL's

> using builtin postfix content filters.  After that, it can be passed 
> onto the real scanners.
> 
> I get 10K emails per day, so its still fairly small.  Do you have a 
> before-queue scanner installed?  There are warnings all over 
> amavisd-new's documentation saying not to use it as a before queue 
> scanner and rightly so.
> 
> > Back to your actual problem, if you can post the output 
> from postconf 
> > -n, someone can probably tell you what's wrong.
> 
> [EMAIL PROTECTED] /]# postconf -n
> alias_maps = hash:/etc/aliases
> bounce_queue_lifetime = 4h
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> local_recipient_maps =
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> maximal_queue_lifetime = 1d
> message_size_limit = 20971520
> mynetworks = a.a.a.a/32, b.b.b.b/32, c.c.c.c/32, d.d.d.d/32, 
> e.e.e.e/32
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
> receive_override_options = no_address_mappings
> relay_domains = hash:/etc/postfix/relay_domains
> relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps
> sample_directory = /usr/share/doc/postfix-2.4.5/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_tls_CAfile = /etc/postfix/certs/gd_intermediate_bundle.crt
> smtpd_tls_CApath = /etc/postfix/certs
> smtpd_tls_cert_file = /etc/postfix/certs/.crt
> smtpd_tls_key_file = /etc/postfix/certs/.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_use_tls = yes
> transport_maps = hash:/etc/postfix/transport_maps
> unknown_local_recipient_reject_code = 550

I don't see the smtpd_*_restrictions. Sensible ones there cut down on
acres of spam and take load off the content scanner, without much in the
way of false positives (in fact, I have none). I suggest (after
permit_mynetworks, for each set):

smtpd_helo_restrictions =
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname, (this one traps the most from bots)
smtpd_client_restrictions =
  reject_non_fqdn_hostname,
  reject_unknown_reverse_client_hostname OR
  reject_unknown_client_hostname (this one tends to cause more false
positives, due to idiots configuring their DNS)
smtpd_sender_restrictions = 
  reject_non_fqdn_sender,
  reject_unknown_sender_domain 
smtpd_recipient_restrictions =
  reject_unauth_destination
  reject_non_fqdn_recipient,
  reject_rbl_client zen.spamhaus.org,
smtpd_data_restrictions =
  reject_unauth_pipelining

Also set strict_rfc821_envelopes = yes (unless you have ancient mail
clients you need to support)

All my senders are in mynetworks (or I'd be using auth, in any case), so
I can have a sender access map (after permit_mynetworks) that basically
consists of "@mydomain.com  REJECT". You can have helo access maps
that reject servers purporting to be your own.

Re: OT: no response from spamhaus

[mouss]

Bill Cole a écrit :
> ghe wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> I'm a profoundly low-volume mailer, so there's no way I'm cut off for
>> traffic. And I'm not a spammer.
> 
> Being cut off from DNS queries is not based on how much you send, but on
> how much you use the DNS query service. See
> http://www.spamhaus.org/organization/dnsblusage.html for details. It is
> not at all unusual for a very low-volume sender (e.g. a middling
> corporate or academic system) to be targeted by enough spam to go past
> the 300k/day query limit. That is especially likely if you don't take
> steps to minimize your impact on their DNS servers, most importantly
> putting your own caching recursive resolver between your mail servers
> and the world.
> 

add to this that if he forwards dns queries to his ISP, it is the number
of queries from the ISP that counts.

>> But spamassassin has been checking with zen for 2 or 3 years now, and
>> this morning I noticed bind saying it was getting too many timeouts from
>> spamhaus. Now the host command (from here and from another domain) gets
>> no response -- just a timeout, not even an error.
> 
> That's what one sees when one has been cut off from DNS queries by
> Spamhaus.
> 
>> I've googled, and I've searched the spamhaus website, but I can't find a
>> way to talk to them. Anybody got an addy for this situation?
> 
> You seem to be having a searching problem...
> 
> http://www.spamhaus.org/contacts.html has email addresses (including one
> for administrative issues) that should work (i.e. have worked for me in
> the past) and that page is linked from the Spamhaus homepage and many of
> their other pages behind "Contacts."
> 
> http://www.spamhaus.org/faq/answers.lasso?section=Legal%20Questions has
> postal addresses and is linked from many places on their site as "Legal
> Questions."
> 
> One of the postal addresses is "The Spamhaus Project Ltd. 18 Avenue
> Louis Casai, CH-1209, Geneva, Switzerland" which you will also find at
> the bottom of http://www.spamhaus.org/organization/index.lasso, which is
> behind the "About Spamhaus" links that exist on many of their pages.
> 
> 

Re: DNS resolution and delayed 220 response

[Michael Brennen]

On Monday 08 December 2008, Wietse Venema wrote:
> Michael Brennen:
> > The mail from puremail was sent from ip address 66.81.101.50, which
> > reverses to 'mx.puremail.com'.  A forward lookup on 'mx.puremail.com'
> > results in a truncated DNS result and TCP retry, returning 23 ip
> > addresses.
> >
> > From the remote end's view the 220 return message is delayed by minutes;
> > that is how I isolated it to a DNS resolution problem.  Running postfix
> > debug on that ip address results in the log entries at the end of this
> > mail.  The only redaction in the log is to remove the specific matches
> > for my local networks.
> ...
>
> > Dec  4 18:18:27 bilbo postfix/smtpd[3919]: connect from
> > mx.puremail.com[66.81.101.50]
>
> This line is logged AFTER the DNS delays. There is no useful
> information in what gets logged from here onwards.
> 
> You should be able to reproduce DNS delays with Postfix's own
> getaddrinfo and getnameinfo utilities, part of the Postfix source
> code distribution.
>
> ./getnameinfo 66.81.101.50
> ./getaddrinfo mx.puremail.com

Excellent, thank you.  The problem is fixed.

I found the source in the 2.5.5 tree and built the utilities.  They turned up 
that one of the name servers, in this case the first one listed for the 
outward facing mail servers, had a long timeout on one of the checks; the 
other name server resolved both immediately.

On both dns servers nslookup worked immediately on both forward and reverse 
lookup, so I was not seeing the problem from the postfix point of view.

I compared the configurations of the two name servers, made a few adjustments 
to the slow one, and now both are responding immediately.  I still don't know 
why the name server config changes made any difference, as the changes were 
only in logging, but that is another investigation.  Again, thank you.

-- 

   -- Michael


signature.asc
Description: This is a digitally signed message part.

Re: Stopping backscatter with before-queue

[Chris Turan]

Terry Carmen wrote:

Don't do that. Once you've accepted a message, it's yours. Aside from
anything else, it makes you look bad when someone sends a legitimate
email that happens to "look" spammy and you bounce it back as spam.


Right, I'm trying to correct that problem.  This wasn't much of an issue 
when I first set up this server.  None of my addresses or domains were 
known to the spammers and as a result, I sent very very little 
backscatter.  That's changed now and I need to rethink things.



One of my clients HOLDs spammy messages for manual inspection by the
postmaster, then releases or deletes it.


This is a great idea!  I didn't think of this at all but this idea will 
definitely solve the problem for the interim until I can design and QA a 
new server.  I've just set it to forward spammy messages to a mailbox 
where I'll review and release messages.



You just about have to use an RBL or you'll get creamed. However
before sending it to the RBL, reject everything possible using less 
(processor/network) expensive methods like rdns verification and

regular expressions. See "Re:RBL" on this list for more information.


I'm reading the postfix pages on this now.  I didn't know postfix had 
this many knobs for RBL stuff.  I will try it!



I have no before-queue scanner. I reject everything possible based on
the senders IP, existence of an rdns entry and some regular
expressions (see  Re:RBL"). Anything that makes it past there is
never rejected or bounced, no matter what. It either goes to the
final recipient or is deleted based on corporate policy (chain
letters, porn, etc.)


Nice! I've been relying on bayesian scanning for the most part. 
Althought, passing everything concerns me a bit but if the RBL's work, 
then I think I should be in the clear.  This one really underlines the 
fact that I'm the one that's creating my own problem.


-Chris

Re: Stopping backscatter with before-queue

[Chris Turan]

Corey Chandler wrote:

Tough-- you're really creating your own misery here.  You MUST either
reject at the gateway, or accept the traffic without sending a
bounce. You can delete silently if you trust your filters, but given
that the vast majority of spam has a forged From: header, you're
inflicting YOUR spam problem on innocent third parties. Failure to do
this will get your server blacklisted at some sites.


Ouch, but you're right.  I am creating my own misery.  It wasn't a 
problem before when I was unknown to the spammers.  Its only been a 
problem for a few weeks and I haven't yet been put on any blacklists.


-Chris

Re: Stopping backscatter with before-queue

[J Sloan]

Chris Turan wrote:
>
> Ouch, but you're right.  I am creating my own misery.  It wasn't a
> problem before when I was unknown to the spammers.  Its only been a
> problem for a few weeks and I haven't yet been put on any blacklists.

Keep sending out backscatter spam, and you will most certainly end up on
blacklists.

Joe

Re: Stopping backscatter with before-queue

[Chris Turan]

J Sloan wrote:

Keep sending out backscatter spam, and you will most certainly end up on
blacklists.


I think you might have misread my intention.  I definitely don't want to 
continue sending backscatter.  Per another suggestion on the list, I 
made a change that stopped all of my backscatter spam.  So I'm 
officially not sending backscatter as of an hour ago.


-Chris

Re: SuSE repository - old postfix ?

[j debert]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Alexander Grüner さんは書きました:
| Hello,
|
| I am installing a new server with SuSE Linux Enterprise SP2 and want to
| use the SuSE mail repository.
|
|
http://download.opensuse.org/repositories/server:/mail/SLE_10/x86_64/?C=M;O=D

|
|
| They offer a postfix24-2.4.5-1.1.x86_64.rpm which seems to be quite old
| from August 2007 and even unsecure (?).
|
|
http://download.opensuse.org/repositories/server:/mail/SLE_10/repodata/repoview/postfix24-0-2.4.5-1.1.html

|
|
| Is there a better rpm source available ? (Yes, I might compile it by
| myself...) Or is this the right release for a productive environment ?
|

There is a SuSE build service for Postfix. I can't check it at the
moment but it sould be in the list of community repositories. It is
usually a little closer to the current stable release than the other
repositories.

I started building Postfix from the latest release source on the main
Postfix site and there have been no dependency problems. Just be sure
to have SuSE's postfix installed so the deps are met and build with
the correct options. The only problem doing it this way is that any
update packages will overwrite your own build, so you must set postfix
as protected in yast/yum/whatever so it will not update. This is
unreliable so be sure to check the list of updates to be done. This
means you can't use auto-update, which is probably not a good idea to
use anyway.

==
~ jd
- --
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFJPTSihpL3F+HeDrIRAnIvAJwOt/bLrLKIrHG1hYZeSYGoVIhK+gCdF+y7
SJpSEXEb81/7nSZR0YQgBfI=
=1mvU
-END PGP SIGNATURE-

Re: Stopping backscatter with before-queue

[Terry Carmen]

Chris Turan wrote:

Terry Carmen wrote:

Don't do that. Once you've accepted a message, it's yours. Aside from
anything else, it makes you look bad when someone sends a legitimate
email that happens to "look" spammy and you bounce it back as spam.


Right, I'm trying to correct that problem.  This wasn't much of an 
issue when I first set up this server.  None of my addresses or 
domains were known to the spammers and as a result, I sent very very 
little backscatter.  That's changed now and I need to rethink things.



One of my clients HOLDs spammy messages for manual inspection by the
postmaster, then releases or deletes it.


This is a great idea!  I didn't think of this at all but this idea 
will definitely solve the problem for the interim until I can design 
and QA a new server.  I've just set it to forward spammy messages to a 
mailbox where I'll review and release messages.
If you don't' want to corrupt the destination addresses, you can just 
tag them as "HOLD" with


/^X-Spam-Level.*\*\*\*\*/ HOLD

in /etc/postfix/header_checks

which will leave the suspect messages in the Postfix HOLD queue, where 
you can inspect them with postcat and release or delete them with postsuper.


just make sure you have:

header_checks=regexp:/etc/postfix/header_checks

in your main.cf file.


I have no before-queue scanner. I reject everything possible based on
the senders IP, existence of an rdns entry and some regular
expressions (see  Re:RBL"). Anything that makes it past there is
never rejected or bounced, no matter what. It either goes to the
final recipient or is deleted based on corporate policy (chain
letters, porn, etc.)


Nice! I've been relying on bayesian scanning for the most part. 
Althought, passing everything concerns me a bit but if the RBL's work, 
then I think I should be in the clear.  This one really underlines the 
fact that I'm the one that's creating my own problem.


The RBLs help a lot, as do the regular expressions in the other 
referenced thread.


Good luck!

Terry

--
Terry Carmen
CNY Support, LLC

315.382.3939
http://cnysupport.com