Re: redirecting remote blacklisted (rbl) messages

2008-12-11 Thread Jan P. Kessler
Frederick Reeve schrieb:
> On Mon, 8 Dec 2008 06:49:46 +0100
> Magnus Bäck <[EMAIL PROTECTED]> wrote:
>
>   
>> On Monday, December 08, 2008 at 06:36 CET,
>>  Frederick Reeve <[EMAIL PROTECTED]> wrote:
>>
>> 
>>> I have a working Postfix 2.5.5 setup that uses several rbls.  I would
>>> like to collect the mail being blocked by these rbls but have it all
>>> delivered to a single local address.  I already have local delivery
>>> working fine. Is this possible in a simple fashion?
>>>   

If you want asynchronous lookups and configurable timeouts you could use
postfwd (http://postfwd.org) with the following rule:

 rbl=rbl1.domain.tld, rbl2.domain.tld, ... ; action=REDIRECT [EMAIL PROTECTED]
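As an added illustration of what "asynchronous lookups with configurable timeouts" buy you (example code written for this digest, not postfwd's own implementation): the DNSBL query names are built from the client address, all zones are queried in parallel under one deadline, and the verdict follows the REDIRECT rule above, so a slow or dead list cannot stall the SMTP session. The resolver is injectable; the in-memory listing data, the slow resolver and the redirect address are constructed placeholders.

```python
import concurrent.futures
import ipaddress
import socket
import time


def rbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list zone: 192.0.2.1 -> 1.2.0.192.zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_resolve(name):
    """Real resolver: the listing's A record text, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_rbls(ip, zones, resolve=dns_resolve, timeout=2.0):
    """Query every zone concurrently; a zone that misses the deadline is reported
    as 'timeout' instead of holding up the whole check."""
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=max(1, len(zones)))
    futures = {pool.submit(resolve, rbl_query_name(ip, zone)): zone for zone in zones}
    done, pending = concurrent.futures.wait(futures, timeout=timeout)
    verdicts = {}
    for fut in done:
        try:
            verdicts[futures[fut]] = "listed" if fut.result() else "clean"
        except Exception:                 # resolver error counts like a timeout
            verdicts[futures[fut]] = "timeout"
    for fut in pending:
        verdicts[futures[fut]] = "timeout"
    pool.shutdown(wait=False)             # do not block the session on stragglers
    return verdicts


def policy_action(verdicts, redirect_to):
    """postfwd-style verdict: REDIRECT on any list hit, otherwise let Postfix continue.
    A timeout is 'no answer': a failed list must not redirect all mail."""
    if any(v == "listed" for v in verdicts.values()):
        return "REDIRECT " + redirect_to
    return "DUNNO"


# Constructed listing data (not real DNSBL content) for the stand-alone run.
FAKE_LISTINGS = {"1.2.0.192.rbl1.example": "127.0.0.2"}


def fake_resolve(name):
    """In-memory stand-in for dns_resolve()."""
    return FAKE_LISTINGS.get(name)


def slow_resolve(name):
    """Constructed resolver that never answers in time, to show the deadline."""
    time.sleep(1.0)
    return None


if __name__ == "__main__":
    verdicts = check_rbls("192.0.2.1", ["rbl1.example", "rbl2.example"], resolve=fake_resolve)
    print(verdicts, policy_action(verdicts, "rbl-catch@example.com"))
```

Replacing `fake_resolve` with the default `dns_resolve` turns this into a live check; the deadline then matters most, because one unreachable list would otherwise delay every connection by the resolver's own timeout.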



Re: Alias and mailbox under one e-mail address

2008-12-11 Thread Jakub Nadolny
On Wed, Dec 10, 2008 at 11:44:23PM +0100, mouss wrote:
> - fix the mysql lookup problem. your queries should not return an empty
> string. (when nothing should be returned, then return NULL, not the
> "empty string". In short '' != NULL).
> 
> - what does your filter script do with mail? does it use the sendmail
> command?
> 
> - what are the senderbcc and recipientbcc things? do you use sender or
> recipient bcc? if so, this can explain the dups.
> 
> - it looks like your filter script is for vacation (judging by the
> directory name). don't do it like that. do vacation _after_ filtering.
> there is no point to handle viruses and spam in a vacation program.

That is it! Thank you. I have commented out lines:
/.../
  -o content_filter=filter:dummy
/.../
filter    unix  -   n   n   -   -   pipe
  flags=Rq user=vacation argv=/home/vacation/mail-filter -f ${sender} --

And emails are sent only once.

Now I have to analyse this vacation filter.

But, as I understand it, according to master.cf it is run AFTER filtering, not
before?

> >> if you can't find the culprit, post relevant logs and master.cf (or the
> >> output of 'grep -v "^#" master.cf', but don't remove comments manually
> >> as this may "fix" typos that you still have in the file).
> > 
> > My master.cf:
> > 
> > smtp      inet  n   -   n   -   -   smtpd
> >   -o content_filter=filter:dummy
> >   -o receive_override_options=no_address_mappings
> > pickup    fifo  n   -   n   60  1   pickup
> > cleanup   unix  n   -   n   -   0   cleanup
> > qmgr      fifo  n   -   n   300 1   qmgr
> > rewrite   unix  -   -   n   -   -   trivial-rewrite
> > bounce    unix  -   -   n   -   0   bounce
> > defer     unix  -   -   n   -   0   bounce
> > flush     unix  n   -   n   1000?   0   flush
> > proxymap  unix  -   -   n   -   -   proxymap
> > smtp      unix  -   -   n   -   -   smtp
> > relay     unix  -   -   n   -   -   smtp
> > showq     unix  n   -   n   -   -   showq
> > error     unix  -   -   n   -   -   error
> > local     unix  -   n   n   -   -   local
> > virtual   unix  -   n   n   -   -   virtual
> > lmtp      unix  -   -   n   -   -   lmtp
> > maildrop  unix  -   n   n   -   -   pipe
> >   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> > old-cyrus unix  -   n   n   -   -   pipe
> >   flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> > cyrus     unix  -   n   n   -   -   pipe
> >   user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
> > uucp      unix  -   n   n   -   -   pipe
> >   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> > ifmail    unix  -   n   n   -   -   pipe
> >   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> > bsmtp     unix  -   n   n   -   -   pipe
> >   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
> > filter    unix  -   n   n   -   -   pipe
> >   flags=Rq user=vacation argv=/home/vacation/mail-filter -f ${sender} -- ${recipient}
> > smtp-amavis unix -  -   n   -   4   smtp
> >   -o smtp_data_done_timeout=2400
> >   -o smtp_connect_timeout=60
> >   -o disable_dns_lookups=yes
> > 127.0.0.1:10025 inet n  -   n   -   -   smtpd
> >   -o content_filter=
> >   -o local_recipient_maps=
> >   -o relay_recipient_maps=
> >   -o smtpd_restriction_classes=
> >   -o smtpd_client_restrictions=
> >   -o smtpd_helo_restrictions=
> >   -o smtpd_sender_restrictions=
> >   -o smtpd_recipient_restrictions=permit_mynetworks,reject
> >   -o mynetworks=127.0.0.0/8,xxx.yyy.zzz.0/24
> >   -o strict_rfc821_envelopes=yes
> >   -o smtpd_error_sleep_time=0
> >   -o smtpd_soft_error_limit=1001
> >   -o smtpd_hard_error_limit=1000
> > trace     unix  -   -   -   -   0   bounce
> > verify    unix  -   -   -   -   1   verify
> > tlsmgr    unix  -   -   -   1000?   1   tlsmgr
> > anvil     unix  -   -   -   -   1   anvil
> > scache    unix  -   -   -   -   1   scache
> > discard   unix  -   -   -   -   -   discard


Re: Alias and mailbox under one e-mail address

2008-12-11 Thread mouss
Jakub Nadolny a écrit :
> On Wed, Dec 10, 2008 at 11:44:23PM +0100, mouss wrote:
>> - fix the mysql lookup problem. your queries should not return an empty
>> string. (when nothing should be returned, then return NULL, not the
>> "empty string". In short '' != NULL).
>>
>> - what does your filter script do with mail? does it use the sendmail
>> command?
>>
>> - what are the senderbcc and recipientbcc things? do you use sender or
>> recipient bcc? if so, this can explain the dups.
>>
>> - it looks like your filter script is for vacation (judging by the
>> directory name). don't do it like that. do vacation _after_ filtering.
>> there is no point to handle viruses and spam in a vacation program.
> 
> That is it! Thank you. I have commented out lines:
> /.../
>   -o content_filter=filter:dummy
> /.../
> filter    unix  -   n   n   -   -   pipe
>   flags=Rq user=vacation argv=/home/vacation/mail-filter -f ${sender} --
> 
> And emails are sent only once. 
> 
> Now I have to analyse this vacation filter.
> 
> But, as I understand it, according to master.cf it is run AFTER filtering, not
> before?
> 

according to your previous master.cf, smtpd passes the mail to your
vacation "filter", so this happens before amavisd-new sees the message.

your script probably uses the sendmail command, so mail passes through:

postfix/smtpd (25) -> yourscript -> postfix/sendmail (pickup) ->
amavisd-new -> postfix/smtpd (10025).



Re: Alias and mailbox under one e-mail address

2008-12-11 Thread Jakub Nadolny
On Thu, Dec 11, 2008 at 11:52:02AM +0100, mouss wrote:
> Jakub Nadolny a écrit :
> > On Wed, Dec 10, 2008 at 11:44:23PM +0100, mouss wrote:
> >> - fix the mysql lookup problem. your queries should not return an empty
> >> string. (when nothing should be returned, then return NULL, not the
> >> "empty string". In short '' != NULL).
> >>
> >> - what does your filter script do with mail? does it use the sendmail
> >> command?
> >>
> >> - what are the senderbcc and recipientbcc things? do you use sender or
> >> recipient bcc? if so, this can explain the dups.
> >>
> >> - it looks like your filter script is for vacation (judging by the
> >> directory name). don't do it like that. do vacation _after_ filtering.
> >> there is no point to handle viruses and spam in a vacation program.
> > 
> > That is it! Thank you. I have commented out lines:
> > /.../
> >   -o content_filter=filter:dummy
> > /.../
> > filter    unix  -   n   n   -   -   pipe
> >   flags=Rq user=vacation argv=/home/vacation/mail-filter -f ${sender} --
> > 
> > And emails are sent only once. 
> > 
> > Now I have to analyse this vacation filter.
> > 
> > But, as I understand it, according to master.cf it is run AFTER filtering, not
> > before?
> > 
> 
> according to your previous master.cf, smtpd passes the mail to your
> vacation "filter", so this happens before amavisd-new sees the message.
> 
> your script probably uses the sendmail command, so mail passes through:
> 
> postfix/smtpd (25) -> yourscript -> postfix/sendmail (pickup) ->
> amavisd-new -> postfix/smtpd (10025).

Yes, it uses the sendmail command. It is the common vacation.pl by Mischa Peters, but
quite an old version; I cannot find a newer one. What would be the best solution for
a postfix auto-responder which could be easily integrated with postfix admin and
mysql?


Re: Alias and mailbox under one e-mail address

2008-12-11 Thread Charles Marcus
On 12/11/2008, Jakub Nadolny ([EMAIL PROTECTED]) wrote:
> Yes, it uses the sendmail command. It is the common vacation.pl by Mischa Peters, but
> quite an old version; I cannot find a newer one. What would be the best solution for
> a postfix auto-responder which could be easily integrated with postfix admin and
> mysql?

Upgrade postfixadmin. Current version is 2.2.1.1, and the vacation
autoresponder has changed dramatically for the better (thanks in no
small part to mouss)

-- 

Best regards,

Charles


Minimal MTA/ MDA for local mail only?

2008-12-11 Thread Gaute Amundsen
Slightly OT this, but I can't think of any other obvious place to ask, and an 
hour of googling turned up little.

The question:
What are my options if I don't want to run a full blown mail server, and 
really only want all mail delivered to a single local mbox or maildir?

There seems to be a number of minimal sendmail replacements that do smtp only, 
but none that deliver locally, and I don't think procmail or maildrop can 
impersonate /usr/bin/sendmail directly..

Basically I run smartmontools and a number of cronjobs on my laptop and I want 
to get the reports and alerts, but I want to avoid the overhead of running and 
maintaining a full mailserver.

I have a sneaky feeling that I am somehow not seeing the forest for all the 
trees, or my assumptions are wrong, but I can't put my finger on it..

Regards

Gaute Amundsen



Re: Entourage authentication in postfix+dovecot+mysql not supported

2008-12-11 Thread Larry Stone
On 12/10/08 11:26 PM, jan gestre at [EMAIL PROTECTED] wrote:

> Hi Guys,
> I've recently configured a mail server running
> postfix+dovecot+mysql+postfixadmin, it is now in production and everything
> is working fine except for Mac Entourage mail, which is a PITA IMO; it says
> it doesn't support authentication. Outlook and Thunderbird don't
> experience this issue. All mail clients are configured to use "Server uses
> Authentication" but it doesn't work for Entourage so I have to omit that
> part, which works fine if the user is emailing from within the LAN because of
> $mynetworks but doesn't if they email from outside the LAN.  Any workaround for
> this?

You didn't say what version of Entourage but I have clients with both
Entourage 2008 and 2004 and both work fine with authentication.

I don't use Dovecot so no help there but building on Noel's response, in my
main.cf I have:
smtpd_sasl_auth_enable=yes
smtpd_use_pw_server=yes
enable_server_options=yes
smtpd_pw_server_security_options=plain, login
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
smtpd_sasl_local_domain=$mydomain

But this was all placed there by a 3rd party utility that configures the
Postfix that comes with Mac OS X into a "real" mail server, so I have no idea
why some of those are there. But it most definitely works fine with Entourage.

-- 
Larry Stone
[EMAIL PROTECTED]
http://www.stonejongleux.com/




Re: mail forward based on user to specific filter then to another address

2008-12-11 Thread J.P. Trosclair


On Dec 10, 2008, at 9:31 PM, MacShane, Tracy wrote:

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of J.P. Trosclair
> Sent: Thursday, 11 December 2008 10:32 AM
> To: postfix-users@postfix.org
> Subject: mail forward based on user to specific filter then
> to another address
> 
> Hi,
> 
> I've got a user that wants their mail forwarded to their
> blackberry account. No big deal. The catch is they want
> attachments stripped first.
> I've found this tool called renattach that does just that. I
> set this up in main.cf:
> 
> This is not solving the question you asked, but what is wrong with the
> user not selecting the option on his/her Blackberry to download the
> attachments? Attachments are not delivered to the device until such
> time as you specifically prompt to download them. The attachment pointer is
> just that, a *pointer*.

We allow attachments larger than what the blackberry smtp servers
allow and this generates a bounce message to the sender when the limit
is reached or exceeded. The bounce is to be avoided. It has nothing to
do with the user downloading the attachment on to their blackberry.
This is the setup requested by the user, I'm looking for a way to
deliver on it. It should be noted that the user's blackberry email is
provided by their cellular carrier, not us. As a last resort I'll ask
the user to reconfigure their blackberry accounts to check our server
for mail rather than have it forwarded, but for now forwarding is what
they want and what I'm trying to make happen.

So I set up a filter for stripping the attachments. I want to route
mail based on [EMAIL PROTECTED] through this filter before it is passed
on to the domain's MX address. I think it's possible by using
transport_maps and some tricks in master.cf, at least that's what I was
told in a dream last night. I haven't tried it yet but will in a
little while.


Re: Entourage authentication in postfix+dovecot+mysql not supported

2008-12-11 Thread jan gestre
On Thu, Dec 11, 2008 at 1:47 PM, Noel Jones <[EMAIL PROTECTED]> wrote:

> jan gestre wrote:
>
>> Hi Guys,
>>
>> I've recently configured a mail server running
>> postfix+dovecot+mysql+postfixadmin, it is now in production and everything
>> is working fine except for Mac Entourage mail, which is a PITA IMO; it says
>> it doesn't support authentication. Outlook and Thunderbird don't
>> experience this issue. All mail clients are configured to use "Server uses
>> Authentication" but it doesn't work for Entourage so I have to omit that
>> part, which works fine if the user is emailing from within the LAN because of
>> $mynetworks but doesn't if they email from outside the LAN.  Any workaround for
>> this?
>>
>>
> It's unclear what "doesn't support authentication" means in your statement
> above.  Maybe logs of a failed session would help??
>
> Wild Guess That May Waste Your Time: You need to enable both the "login"
> and "plain" auth mechanisms in your dovecot.conf.
>
>
>
Hi Noel,

 Here's my dovecot.conf, as you can see plain and login auth mechanisms are
enabled:

dovecot -n
# 1.0.7: /etc/dovecot.conf
base_dir: /var/run/dovecot/
log_timestamp: %Y-%m-%d %H:%M:%S
ssl_cert_file: /etc/postfix/ssl/mail-cert.pem
ssl_key_file: /etc/postfix/ssl/mail-key.pem
login_dir: /var/run/dovecot//login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
first_valid_uid: 150
last_valid_uid: 150
mail_access_groups: mail
mail_location: maildir:/home/virtualmail/%d/%u
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login digest-md5
  user: nobody
  passdb:
    driver: sql
    args: /etc/dovecot-sql.conf
  userdb:
    driver: sql
    args: /etc/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
      user: postfix
      group: mail
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: virtualmail
      group: mail

This is the same configuration that I have on my other mail server, which has
no problem; that is why I'm currently baffled. I'm not sure if the postfix
version that I used matters.


Re: Entourage authentication in postfix+dovecot+mysql not supported

2008-12-11 Thread jan gestre
On Thu, Dec 11, 2008 at 8:51 PM, Larry Stone <[EMAIL PROTECTED]>wrote:

> On 12/10/08 11:26 PM, jan gestre at [EMAIL PROTECTED] wrote:
>
> > Hi Guys,
> > I've recently configured a mail server running
> > postfix+dovecot+mysql+postfixadmin, it is now in production and everything
> > is working fine except for Mac Entourage mail, which is a PITA IMO; it says
> > it doesn't support authentication. Outlook and Thunderbird don't
> > experience this issue. All mail clients are configured to use "Server uses
> > Authentication" but it doesn't work for Entourage so I have to omit that
> > part, which works fine if the user is emailing from within the LAN because of
> > $mynetworks but doesn't if they email from outside the LAN.  Any workaround for
> > this?
>
> You didn't say what version of Entourage but I have clients with both
> Entourage 2008 and 2004 and both work fine with authentication.


They have brand new Macs so I suppose it's the 2008 version they're
using.

>
>
> I don't use Dovecot so no help there but building on Noel's response, in my
> main.cf I have:
> smtpd_sasl_auth_enable=yes
> smtpd_use_pw_server=yes
> enable_server_options=yes
> smtpd_pw_server_security_options=plain, login
> smtpd_sasl_security_options=noanonymous
> broken_sasl_auth_clients=yes
> smtpd_sasl_local_domain=$mydomain
>
> But this was all placed there by a 3rd party utility that configures the
> Postfix that comes with Mac OS X into a "real" mail server, so I have no idea
> why some of those are there. But it most definitely works fine with Entourage.
>
> --
> Larry Stone
> [EMAIL PROTECTED]
> http://www.stonejongleux.com/
>
>
>


"legacy" SSL and postfix smtp

2008-12-11 Thread John Baker
We have a few people using programs (mostly MS crap) that insist on 
older versions of SSL rather than TLS.

Internally this works okay but externally SSL gets bounced by my grey 
listing. This seems to indicate that it is not actually authenticating 
right but allowing it to pass internally because it's on the network and 
the port is open.


Does anyone know what I might be missing here?

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/certs/smtp.marlboro.edu.pem
smtpd_tls_key_file = /etc/postfix/certs/smtp.marlboro.edu.key
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes

# Some basic UCE stuff
smtpd_helo_restrictions =
    permit_mynetworks,
#   warn_if_reject,
    reject_non_fqdn_hostname,
#   warn_if_reject,
    reject_invalid_hostname,
    permit

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
#   warn_if_reject,
    reject_non_fqdn_sender,
#   warn_if_reject,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions =
    check_recipient_access regexp:/etc/postfix/recipient_access,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/helo_checks,
#   uncommenting the following _hostname check --iank 92006
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:10031
    permit

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus


Re: Alias and mailbox under one e-mail address

2008-12-11 Thread mouss
Jakub Nadolny a écrit :
> 
> Yes, it uses the sendmail command. It is the common vacation.pl by Mischa Peters, but
> quite an old version; I cannot find a newer one. What would be the best solution for
> a postfix auto-responder which could be easily integrated with postfix admin and
> mysql?


you can use your script as an LDA instead of a filter. you can use
recipient_bcc_maps or virtual_alias_maps to pass a copy of the mail to
the vacation script. for example:

recipient_bcc_maps = pcre:/etc/postfix/bcc_vacation

== bcc_vacation:
/(.*)@example\.com$/    [EMAIL PROTECTED]

then use transport_maps to deliver these copies to your script:
vacation.example.com    yourvacation:example.com

... etc.
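What the delivery agent at the end of that `yourvacation:` transport has to get right is deciding when *not* to answer, which is also why mouss wants vacation to run after amavisd-new rather than before it. The following is an added example written for this digest, not Mischa Peters' vacation.pl nor postfixadmin's responder: a minimal auto-reply routine that reads the BCC copy from stdin, refuses to answer bounces (null envelope sender), auto-generated and list mail, mail already flagged as spam, and senders that were already notified, then injects a reply that is itself marked as automatic so two responders cannot loop. The sample messages, the in-memory "already notified" set and the addresses are constructed; a real responder would persist the set (for example in the postfixadmin vacation tables).

```python
import email
import subprocess
import sys
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample messages (not from the thread) for the checks below.
SAMPLE_PERSONAL = b"""From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: Lunch?
Message-ID: <1@example.org>

Are you around this week?
"""

SAMPLE_BULK = b"""From: list-bounces@example.net
To: bob@example.com
Subject: [list] digest
Precedence: bulk
Auto-Submitted: auto-generated

Digest contents.
"""


def should_autoreply(raw, envelope_sender, recipient, already_notified):
    """Decide whether an auto-reply may go out; returns (decision, reason)."""
    if not envelope_sender:
        return False, "null envelope sender"            # bounces/DSNs: never answer
    msg = email.message_from_bytes(raw, policy=policy.default)
    auto = str(msg.get("Auto-Submitted", "no")).split(";")[0].strip().lower()
    if auto != "no":
        return False, "auto-submitted"                  # RFC 3834: no reply to automatic mail
    prec = str(msg.get("Precedence", "")).strip().lower()
    if prec in ("bulk", "list", "junk"):
        return False, "precedence " + prec
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return False, "mailing list"
    if str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES":
        return False, "flagged as spam"                 # filtered mail gets no reply
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = {addr.lower() for _, addr in getaddresses([str(h) for h in headers])}
    if recipient.lower() not in addrs:
        return False, "recipient not in To/Cc"          # Bcc'd copies, aliases, etc.
    key = envelope_sender.lower()
    if key in already_notified:
        return False, "already notified"
    already_notified.add(key)
    return True, "ok"


def build_reply(raw, responder_addr, body="I am away and will read your mail on my return."):
    """Build the auto-reply, marked so that other responders will not answer it."""
    original = email.message_from_bytes(raw, policy=policy.default)
    reply = EmailMessage()
    reply["From"] = responder_addr
    reply["To"] = str(original["From"])
    reply["Subject"] = "Out of office: " + str(original.get("Subject", ""))
    if original["Message-ID"]:
        reply["In-Reply-To"] = str(original["Message-ID"])
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    reply.set_content(body)
    return reply


def main():
    # Invoked by the pipe transport as: script <envelope-sender> <recipient>,
    # with the message on stdin (assumed calling convention for this example).
    envelope_sender, recipient = sys.argv[1], sys.argv[2]
    raw = sys.stdin.buffer.read()
    ok, reason = should_autoreply(raw, envelope_sender, recipient, set())
    if not ok:
        sys.exit(0)                                     # deliver nothing, exit success
    reply = build_reply(raw, recipient)
    # Null envelope sender ("<>") so that the reply itself can never bounce back to us.
    subprocess.run(["/usr/sbin/sendmail", "-f", "<>", "-i", "-t"],
                   input=bytes(reply), check=True)


if __name__ == "__main__":
    main()
```

The checks are ordered from cheapest to most specific, and every refusal returns a reason so the decision can be logged; that log line is what you want when a user reports "my vacation message never went out".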





Re: Minimal MTA/ MDA for local mail only?

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 01:25:14PM +0100, Gaute Amundsen wrote:

> Slightly OT this, but I can't think of any other obvious place to ask, and an 
> hour of googling turned up little.
> 
> The question:
> What are my options if I don't want to run a full blown mail server, and 
> really only want all mail delivered to a single local mbox or maildir?

What do you mean by "all mail"? Just locally submitted mail, or also
SMTP mail from the Internet for one or more domains?

> Basically I run smartmontools and a number of cronjobs on my laptop and I 
> want 
> to get the reports and alerts, but I want to avoid the overhead of running 
> and 
> maintaining a full mailserver.
> 
> I have a sneaky feeling that I am somehow not seeing the forest for all the 
> trees, or my assumptions are wrong, but I can't put my finger on it..

With Postfix, just make the SMTP server local and make all domains local:

inet_interfaces = 127.0.0.1
mydestination = static:all
alias_maps = static:yourlogin

The only downside is that pickup will wake up every 60 seconds and scan
/var/spool/postfix/maildrop. This may defeat power-management and prevent
the disk from spinning down.

So perhaps you should use Sendmail, with "sendmail -q" run once an hour
from cron, and no sendmail daemon started when the system boots. Configuring
Sendmail to deliver all mail to a single local mailbox is not too difficult,
just short-cut rule-set 0:

S0
$+  $#local $: yourlogin

This has a lower run-time footprint than Postfix.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Minimal MTA/ MDA for local mail only?

2008-12-11 Thread Jorey Bump
Gaute Amundsen wrote, at 12/11/2008 07:25 AM:
> Slightly OT this, but I can't think of any other obvious place to ask, and an 
> hour of googling turned up little.
> 
> The question:
> What are my options if I don't want to run a full blown mail server, and 
> really only want all mail delivered to a single local mbox or maildir?
> 
> There seems to be a number of minimal sendmail replacements that do smtp only, 
> but none that deliver locally, and I don't think procmail or maildrop can 
> impersonate /usr/bin/sendmail directly..
> 
> Basically I run smartmontools and a number of cronjobs on my laptop and I 
> want 
> to get the reports and alerts, but I want to avoid the overhead of running 
> and 
> maintaining a full mailserver.
> 
> I have a sneaky feeling that I am somehow not seeing the forest for all the 
> trees, or my assumptions are wrong, but I can't put my finger on it..

Minimal MTAs are usually developed for use with MUAs that don't include
SMTP (such as Mutt) or to easily provide a way to use a relayhost on a
per-user basis (so your outgoing messages don't get bounced). Therefore,
they tend not to deal with local delivery.

The good news is that the MTA provided with your distribution (either
postfix or sendmail) is usually trivially easy to set up for local
delivery, especially if the mail is locally generated. You might need to
run the daemon, but the overhead is negligible, and modern distributions
improve security by having it listen only on localhost by default. If
you want to support a more complicated environment (such as running a
local IMAP server), you may need additional tweaks, but if you simply
want to read local system notifications, you usually need nothing more
than the default MTA and an MUA (mail, nail, mutt, pine, kmail, etc.).
The benefit you receive is that these widely used MTAs tend to handle
mail more correctly, due to years of use and development.






Re: Entourage authentication in postfix+dovecot+mysql not supported

2008-12-11 Thread Noel Jones

jan gestre wrote:
> Here's my dovecot.conf, as you can see plain and login auth mechanisms 
> are enabled:
> 
> ...
> 
> auth default:
>   mechanisms: plain login digest-md5


My first step would be to remove digest-md5 and see if that 
helps.


You mention you have another working server; the second step 
is to do some session sniffing to see how the two differ in 
their responses.



--
Noel Jones
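Noel's two steps (drop digest-md5, then compare what the two servers say) can be rehearsed offline against the EHLO reply, because "the server doesn't support authentication" is what a client reports when no AUTH line is visible at the moment it looks. The block below is an added example written for this digest, not Dovecot's or Postfix's code: it parses the AUTH line(s) a server advertises, including the obsolete `AUTH=` form Postfix emits when `broken_sasl_auth_clients = yes` (Larry's config above has it), models, as this example's own assumption about Postfix behaviour, how `smtpd_tls_auth_only = yes` hides AUTH until STARTTLS has completed, and diffs two capability lists. The EHLO lines are generated in the block, not captured from either of jan's servers.

```python
def advertised_auth(ehlo_lines):
    """Extract the SASL mechanisms a server offers from its EHLO reply lines.

    Returns (mechanisms, legacy_form_seen); legacy_form_seen is True when the
    server also printed the obsolete "AUTH=..." line for old Microsoft clients.
    """
    mechanisms, legacy = set(), False
    for line in ehlo_lines:
        if not line.startswith("250") or len(line) < 4:
            continue
        body = line[4:].strip()                 # skip "250-" / "250 "
        upper = body.upper()
        if upper.startswith("AUTH="):
            legacy = True
            mechanisms.update(upper[5:].split())
        elif upper == "AUTH" or upper.startswith("AUTH "):
            mechanisms.update(upper[4:].split())
    return mechanisms, legacy


def ehlo_reply(hostname, tls_active, *, tls_auth_only, broken_sasl_auth_clients, mechanisms):
    """Model (assumption, not Postfix's code) of the EHLO reply a Postfix smtpd gives.

    With smtpd_tls_auth_only = yes, AUTH is announced only after STARTTLS, so a
    client that never negotiates TLS sees a server without authentication.
    """
    caps = ["PIPELINING", "SIZE 10240000", "VRFY", "ETRN"]
    if not tls_active:
        caps.append("STARTTLS")                 # offered only on the plaintext leg
    if tls_active or not tls_auth_only:
        caps.append("AUTH " + " ".join(mechanisms))
        if broken_sasl_auth_clients:
            caps.append("AUTH=" + " ".join(mechanisms))
    caps += ["ENHANCEDSTATUSCODES", "8BITMIME"]
    lines = ["250-" + hostname] + ["250-" + c for c in caps[:-1]]
    lines.append("250 " + caps[-1])             # last line uses "250 " (space)
    return lines


def diff_capabilities(lines_a, lines_b):
    """Capabilities one server advertises and the other does not (Noel's second step)."""
    def caps(lines):
        return {l[4:].strip().upper() for l in lines[1:] if l.startswith("250")}
    a, b = caps(lines_a), caps(lines_b)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    before = ehlo_reply("mail.example.com", False, tls_auth_only=True,
                        broken_sasl_auth_clients=True, mechanisms=["PLAIN", "LOGIN"])
    after = ehlo_reply("mail.example.com", True, tls_auth_only=True,
                       broken_sasl_auth_clients=True, mechanisms=["PLAIN", "LOGIN"])
    print("before STARTTLS:", advertised_auth(before))
    print("after STARTTLS: ", advertised_auth(after))
    print("differences:", diff_capabilities(before, after))
```

Run against real servers, the same parser applied to the lines from `openssl s_client -starttls smtp` (or a plain `telnet` session on port 25) shows immediately whether the problem client is looking before or after TLS, and which of the two machines is the odd one out.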


Re: Tempfail if saslauthd unavailable

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 10:14:30AM +0530, ram wrote:

> I use postfix 2.3  with cyrus-sasl for smtp-auth
> 
> cyrus-sasl needs a restart every few hours ( they havent fixed the
> memory leaks ) 
> 
> The problem is if saslauthd is momentarily unavailable , postfix cant
> (obviously) authenticate the smtp session. 
> Postfix rejects the mail with a permanent failure. How do I change this
> to a 4xx error code so that the clients server would retry the mail 

Do you know which error (may need to attach a debugger to smtpd to test)
SASL returns for this failure?

#define SASL_CONTINUE    1   /* another step is needed in authentication */
#define SASL_OK          0   /* successful result */
#define SASL_FAIL       -1   /* generic failure */
#define SASL_NOMEM      -2   /* memory shortage failure */
#define SASL_BUFOVER    -3   /* overflowed buffer */
#define SASL_NOMECH     -4   /* mechanism not supported */
#define SASL_BADPROT    -5   /* bad protocol / cancel */
#define SASL_NOTDONE    -6   /* can't request info until later in exchange */
#define SASL_BADPARAM   -7   /* invalid parameter supplied */
#define SASL_TRYAGAIN   -8   /* transient failure (e.g., weak key) */
#define SASL_BADMAC     -9   /* integrity check failed */
#define SASL_NOTINIT    -12  /* SASL library not initialized */
#define SASL_BADSERV    -10  /* server failed mutual authentication step */
#define SASL_WRONGMECH  -11  /* mechanism doesn't support requested feature */
#define SASL_BADAUTH    -13  /* authentication failure */
#define SASL_NOAUTHZ    -14  /* authorization failure */
#define SASL_TOOWEAK    -15  /* mechanism too weak for this user */
#define SASL_ENCRYPT    -16  /* encryption needed to use mechanism */
#define SASL_TRANS      -17  /* One time use of a plaintext password will
                                enable requested mechanism for user */
#define SASL_EXPIRED    -18  /* passphrase expired, has to be reset */
#define SASL_DISABLED   -19  /* account disabled */
#define SASL_NOUSER     -20  /* user not found */
#define SASL_BADVERS    -23  /* version mismatch with plug-in */
#define SASL_UNAVAIL    -24  /* remote authentication server unavailable */
#define SASL_NOVERIFY   -26  /* user exists, but no verifier for user */
#define SASL_PWLOCK     -21  /* passphrase locked */
#define SASL_NOCHANGE   -22  /* requested change was not needed */
#define SASL_WEAKPASS   -27  /* passphrase is too weak for security policy */
#define SASL_NOUSERPASS -28  /* user supplied passwords not permitted */

You can put a break-point in xsasl_cyrus_server_auth_response() and look
at the sasl_status function argument (may need to single step one step
before it is placed into the right register). A negative value indicates
failure, I'd like to know which negative value is seen when saslauthd is
down.

Perhaps Postfix can detect the tempfail condition and respond accordingly.

-- 
Viktor.

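To make Viktor's last point concrete, here is an added example (written for this digest, not Postfix's xsasl_cyrus_server code) that maps the SASL status values from the header excerpt above to SMTP replies to the AUTH command. Which values count as transient is this example's assumption: resource and availability errors (SASL_NOMEM, SASL_TRYAGAIN, SASL_NOTINIT, SASL_UNAVAIL) get a 454 so that a well-behaved client MTA keeps the mail queued and retries, credential failures get the permanent 535, and an unrecognised status is treated as permanent, so that only known infrastructure conditions cause retries.

```python
# Status values copied from the cyrus sasl.h excerpt quoted above.
SASL_STATUS = {
    "SASL_CONTINUE": 1, "SASL_OK": 0, "SASL_FAIL": -1, "SASL_NOMEM": -2,
    "SASL_BUFOVER": -3, "SASL_NOMECH": -4, "SASL_BADPROT": -5, "SASL_NOTDONE": -6,
    "SASL_BADPARAM": -7, "SASL_TRYAGAIN": -8, "SASL_BADMAC": -9, "SASL_BADSERV": -10,
    "SASL_WRONGMECH": -11, "SASL_NOTINIT": -12, "SASL_BADAUTH": -13, "SASL_NOAUTHZ": -14,
    "SASL_TOOWEAK": -15, "SASL_ENCRYPT": -16, "SASL_TRANS": -17, "SASL_EXPIRED": -18,
    "SASL_DISABLED": -19, "SASL_NOUSER": -20, "SASL_PWLOCK": -21, "SASL_NOCHANGE": -22,
    "SASL_BADVERS": -23, "SASL_UNAVAIL": -24, "SASL_NOVERIFY": -26, "SASL_WEAKPASS": -27,
    "SASL_NOUSERPASS": -28,
}
STATUS_NAME = {value: name for name, value in SASL_STATUS.items()}

# Assumption of this example: infrastructure failures that a saslauthd restart
# (or freed memory) fixes, hence worth a 4xx so the client retries later.
TRANSIENT = {SASL_STATUS[n] for n in ("SASL_NOMEM", "SASL_TRYAGAIN",
                                      "SASL_NOTINIT", "SASL_UNAVAIL")}


def smtp_reply_for(status):
    """Map a SASL status to (code, enhanced_status, text) for the AUTH command."""
    if status == SASL_STATUS["SASL_OK"]:
        return 235, "2.7.0", "Authentication successful"
    if status == SASL_STATUS["SASL_CONTINUE"]:
        return 334, "", ""                          # a base64 challenge follows
    name = STATUS_NAME.get(status, "status %d" % status)
    if status in TRANSIENT:
        return 454, "4.7.0", "Temporary authentication failure (%s)" % name
    if status == SASL_STATUS["SASL_NOMECH"]:
        return 504, "5.5.4", "Unrecognized authentication type"
    if status == SASL_STATUS["SASL_BADPROT"]:
        return 501, "5.7.0", "Authentication aborted"
    # Credential failures and anything unknown: permanent, never retried.
    return 535, "5.7.8", "Error: authentication failed (%s)" % name


def format_reply(code, enhanced, text):
    """Render the reply line exactly as the SMTP client receives it."""
    return " ".join(part for part in (str(code), enhanced, text) if part)


def client_should_retry(reply_line):
    """What the sending MTA concludes: a 4xx reply keeps the message queued."""
    return reply_line[:1] == "4"


if __name__ == "__main__":
    for name in ("SASL_OK", "SASL_UNAVAIL", "SASL_BADAUTH", "SASL_NOMECH"):
        line = format_reply(*smtp_reply_for(SASL_STATUS[name]))
        print("%-14s -> %s (retry=%s)" % (name, line, client_should_retry(line)))
```

The point of the split is the same as Viktor's: with saslauthd down, every client currently gets the 535 and the legitimate mail is lost on the sending side, whereas a 454 turns the outage into a delay.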


Outgoing TLS Problem

2008-12-11 Thread Dennis Putnam
I thought I had this working at some point but it seems that my  
outgoing emails are not being sent via TLS when offered (incoming is  
fine). I can see the offer in the smtp log but no TLS session is  
started. Did something get dropped from my main.cf?


smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpunc.key
smtpd_tls_CAfile = /etc/postfix/ssl/root.crt
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes

This is version 2.2 so I cannot enforce TLS but I want to use TLS  
whenever possible. Thanks.




Re: "legacy" SSL and postfix smtp

2008-12-11 Thread Noel Jones

John Baker wrote:
> We have a few people using programs (mostly MS crap) that insist on 
> older versions of SSL rather than TLS.
> 
> Internally this works okay but externally SSL gets bounced by my grey 
> listing. This seems to indicate that it is not actually authenticating 
> right but allowing it to pass internally because it's on the network and 
> the port is open.


"legacy" SSL makes me think of the long-deprecated "smtps" 
wrapper mode SSL on port 465 that some MS products (still) 
seem to prefer rather than using STARTTLS on a standard port.


Do you have the smtps port enabled in postfix and your firewall?

Do your logs show these clients using SSL/TLS and attempting 
authentication?  Use "smtpd_tls_loglevel = 1" in main.cf.



--
Noel Jones


Re: Outgoing TLS Problem

2008-12-11 Thread Dennis Putnam

Sorry but I put the version on. It is 2.1.5.

On Dec 11, 2008, at 11:53 AM, Dennis Putnam wrote:

> I thought I had this working at some point but it seems that my
> outgoing emails are not being sent via TLS when offered (incoming is
> fine). I can see the offer in the smtp log but no TLS session is
> started. Did something get dropped from my main.cf?
> 
> smtpd_use_tls = yes
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.crt
> smtpd_tls_key_file = /etc/postfix/ssl/smtpunc.key
> smtpd_tls_CAfile = /etc/postfix/ssl/root.crt
> smtpd_tls_loglevel = 1
> smtp_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtp_tls_note_starttls_offer = yes
> 
> This is version 2.2 so I cannot enforce TLS but I want to use TLS
> whenever possible. Thanks.







Re: Outgoing TLS Problem

2008-12-11 Thread Noel Jones

Dennis Putnam wrote:
> I thought I had this working at some point but it seems that my outgoing 
> emails are not being sent via TLS when offered (incoming is fine). I can 
> see the offer in the smtp log but no TLS session is started. Did 
> something get dropped from my main.cf?
> 
> smtpd_use_tls = yes
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.crt
> smtpd_tls_key_file = /etc/postfix/ssl/smtpunc.key
> smtpd_tls_CAfile = /etc/postfix/ssl/root.crt
> smtpd_tls_loglevel = 1
> smtp_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtp_tls_note_starttls_offer = yes
> 
> This is version 2.2 so I cannot enforce TLS but I want to use TLS 
> whenever possible. Thanks.




Postfix TLS support in versions prior to 2.3 was provided by a 
third-party patch.  Support for those versions is limited; I 
would strongly encourage upgrading.


You need to enable TLS for outgoing connections.  I think the 
settings for 2.2 were:

smtp_use_tls = yes
smtp_enforce_tls = no
Consult the TLS_README included with your postfix version for 
details.


--
Noel Jones


Re: Outgoing TLS Problem

2008-12-11 Thread Noel Jones

Dennis Putnam wrote:
> Sorry but I put the version on. It is 2.1.5.



(I misspoke earlier)

Postfix TLS support in versions prior to 2.2 was provided by a 
third-party patch.  Support for those versions is limited; I 
would strongly encourage upgrading.



--
Noel Jones


Professional Services: Postfix Developer

2008-12-11 Thread Brian A. Seklecki


All:

  I'm seeking a contact or a referral for a Postfix hacker.

  We're looking to build additional functionality, probably share
  it with the community.

  Someone intimately familiar with internals.  Project oriented
  feature development gig.  Firms are okay, but highly motivated
  individuals are preferred.

  Searching the list archives for permutations of "consultant, developer,
  contract, professional services" comes up short and I don't see a
  postfix-jobs@ list.

  Contact me at my day job (cc: above)

  Thanks,


-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/


Re: Weird disconnections after RCPT using TLS

2008-12-11 Thread Jesús Manuel Loaiza Vidal
Noel Jones wrote:
> Jesús Manuel Loaiza Vidal wrote:
>> Hi guys.
>>
>> My system specs:
>> Gentoo Linux
>> Postfix 2.5.5
>>
>> I have the problem below:
>>
>> When using TLS postfix sometimes (most of the time) disconnects the
>> client just after it issues the RCPT command.
>>
>> When I try to re-send the test email just after the error or when not
>> using TLS the problem doesn't happen at all and the mail sends
>> successfully.
>>
>> I'm sure it's not MTU related because the whole path between my mail server
>> and the client is ethernet using the same MTU of 1500.
>>
>> I guess it's TLS session related or something related to race conditions.
>>
>> I'm using PostgreSQL and LDAP lookup tables to do user mailbox lookup
>> and various other things and Dovecot SASL for authentication
>>
>> My 'postconf -n' output
>>
>> debugger_command =
>> PATH=/bin:/usr/bin:/usr/local/bin;
>> (strace -s 1000 -p $process_id 2>&1 | logger -p mail.debug) &
>> sleep 5
>> 2bounce_notice_recipient = [EMAIL PROTECTED]
>> bounce_notice_recipient = [EMAIL PROTECTED]
>> broken_sasl_auth_clients = yes
>> config_directory = /etc/postfix
>> delay_warning_time = 4h
>> error_notice_recipient = [EMAIL PROTECTED]
>> local_recipient_maps = $virtual_mailbox_maps proxy:unix:passwd.byname
>> $alias_maps
>> mailbox_size_limit = 104857600
>> message_size_limit = 2048
>> milter_default_action = accept
>> myhostname = test.test.bg
>> mynetworks = 127.0.0.0/8
>> notify_classes = bounce, resource
>> recipient_delimiter = +
>> smtp_helo_name = test.test.bg
>> smtpd_banner = test.bg Test ESMTP Server
>> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
>> check_client_access pgsql:/etc/postfix/pgsql-accesspolicy-client.cf,
>> reject_rbl_client zen.spamhaus.org
>> smtpd_data_restrictions = sleep 1, permit_mynetworks, permit_sasl_authenticated,
>> reject_multi_recipient_bounce, reject_unauth_pipelining
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
>> check_client_access pgsql:/etc/postfix/pgsql-accesspolicy-helo-client.cf,
>> check_helo_access pgsql:/etc/postfix/pgsql-accesspolicy-helo.cf,
>> check_helo_mx_access pgsql:/etc/postfix/pgsql-accesspolicy-helo-mx.cf,
>> reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
>> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
>> reject_unauth_destination, reject_unknown_recipient_domain,
>> check_policy_service inet:127.0.0.1:2501
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_type = dovecot
>> smtpd_sender_login_maps = ldap:/etc/postfix/ldap-sendermaps.cf
>> smtpd_sender_restrictions = permit_mynetworks,   
>> reject_sender_login_mismatch,permit_sasl_authenticated,   
>> check_sender_access pgsql:/etc/postfix/pgsql-senderpolicy.cf,   
>> reject_non_fqdn_sender,reject_unknown_sender_domain
>> smtpd_tls_CAfile = /etc/ssl/pem/ICH_SSL_CA_chain.crt
>> smtpd_tls_auth_only = no
>> smtpd_tls_cert_file = /etc/ssl/pem/mail.test.bg.crt
>> smtpd_tls_fingerprint_digest = sha1
>> smtpd_tls_key_file = /etc/ssl/pem/mail.test.bg.pem
>> smtpd_tls_loglevel = 2
>> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
>> tls_random_source = dev:/dev/urandom
>> virtual_alias_maps = pgsql:/etc/postfix/pgsql-aliases.cf
>> virtual_gid_maps = static:1001
>> virtual_mailbox_base = /
>> virtual_mailbox_domains = test.bg
>> virtual_mailbox_limit = 104857600
>> virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-mbox.cf,
>> ldap:/etc/postfix/ldap-mbox.cf
>> virtual_minimum_uid = 1000
>> virtual_uid_maps = static:1001
>>
>> Below are the links to my mail log files and tcpdump network capture
>> with/out TLS with debug info using strace and 'smtpd -v -D'
>>
>> Postfix Log without TLS 
>> TCP network capture without TLS
>> 
>> Postfix Log with TLS and mail retry
>> 
>> TCP network capture with TLS and mail retry
>> 
>> OpenSSL s_client test 
>
>
> Your server is fine; the only thing you missed in your investigation
> is the s_client man page.
>
> # man s_client
> ...
> CONNECTED COMMANDS
>   When used interactively (which means neither -quiet nor
>   -ign_eof have been given), the session will be renegotiated
>   if the line begins with an R, and if the line begins with a
>   Q or if end of file is reached, the connection will be
>   closed down.
> ...
>
> The "R" in "RCPT TO" triggers a TLS renegotiation, disrupting your
> connection.  s_client is a great tool to see if you have TLS
> connectivity, but it falls a little short trying to emulate a whole
> SMTP session.
>
> You can test postfix using lower-case "rcpt to", but be careful of any
> other line that might 
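The s_client pitfall Noel describes, as an added example that is not part of the thread: a small Python check that flags the lines of a hand-typed SMTP session an interactive s_client would intercept, applies the lower-case-verbs workaround, and builds the non-interactive invocation that avoids the problem. The session lines and hostnames are constructed; `-quiet`, `-ign_eof`, `-crlf` and `-starttls smtp` are real s_client options, and `-quiet` implies `-ign_eof`.

```python
"""Added example, not from the thread: which lines of a typed SMTP session
would an interactive 'openssl s_client' swallow, and how to avoid it."""

# Client-side lines of a constructed STARTTLS test session, as a tester
# would type them into s_client (sample input, not captured from the thread).
SAMPLE_SESSION = [
    "EHLO tester.example.net",
    "MAIL FROM:<tester@example.net>",
    "RCPT TO:<postmaster@test.bg>",
    "DATA",
    "Subject: TLS test",
    "",
    "Quick check of the TLS setup.",
    "Regards, tester",
    ".",
    "QUIT",
]

# Per the s_client man page quoted above: in interactive mode (neither -quiet
# nor -ign_eof given) a line starting with 'R' triggers a TLS renegotiation
# and a line starting with 'Q' (or EOF) closes the connection.
S_CLIENT_INTERCEPTS = {"R": "renegotiate", "Q": "close"}


def s_client_hazards(lines, quiet_or_ign_eof=False):
    """Return [(line_no, line, effect)] for lines s_client would intercept.

    line_no is 1-based.  With -quiet or -ign_eof nothing is intercepted.
    """
    if quiet_or_ign_eof:
        return []
    return [
        (n, line, S_CLIENT_INTERCEPTS[line[0]])
        for n, line in enumerate(lines, 1)
        if line and line[0] in S_CLIENT_INTERCEPTS
    ]


def lowercase_verbs(lines):
    """Workaround from the thread: lower-case the SMTP command verbs.

    Only the verb of a command line is changed; message body lines inside
    DATA are left alone, so body lines starting with 'R' or 'Q' stay hazards.
    """
    out, in_data = [], False
    for line in lines:
        if in_data:
            out.append(line)
            if line == ".":          # end of DATA
                in_data = False
            continue
        verb, sep, rest = line.partition(" ")
        out.append(verb.lower() + sep + rest)
        if verb.upper() == "DATA":
            in_data = True
    return out


def recommended_command(host, port=25):
    """Non-interactive s_client invocation for a STARTTLS test: -quiet
    implies -ign_eof, so no typed line is interpreted by s_client itself;
    -crlf sends the CRLF line endings SMTP expects."""
    return f"openssl s_client -quiet -crlf -starttls smtp -connect {host}:{port}"


if __name__ == "__main__":
    for n, line, effect in s_client_hazards(SAMPLE_SESSION):
        print(f"line {n}: {line!r} -> s_client would {effect}")
    print("still hazardous after lower-casing verbs:",
          [n for n, _, _ in s_client_hazards(lowercase_verbs(SAMPLE_SESSION))])
    print("use instead:", recommended_command("mail.test.bg"))
```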

Re: Outgoing TLS Problem

2008-12-11 Thread Dennis Putnam
Thanks. Unfortunately, at this time upgrading is not an option (long  
story) in the short term. We will be upgrading in late spring 09  
(hopefully) but in the mean time I badly need a solution now. As I  
said enforced TLS is not possible but I do need at least opportunistic  
TLS.


On Dec 11, 2008, at 12:15 PM, Noel Jones wrote:








Re: mail forward based on user to specific filter then to another address

2008-12-11 Thread J.P. Trosclair

J.P. Trosclair wrote:


So I setup a filter for stripping the attachments. I want to route  
mail based on [EMAIL PROTECTED] through this filter before it is passed  
on to domain's MX address. I think it's possible by using  
transport_maps and some tricks in master.cf, at least that's what I was
told in a dream last night. I haven't tried it yet but will in a  
little while.


I've been messing with this idea of using transport_maps without much 
success because it seems a loop is unavoidable since transport_maps 
can't be overridden (I've googled and confirmed it from posts in the 
past). Any suggestions would be appreciated. Here's what I've tested 
which I've deemed unusable based on transport_maps being a global 
setting (besides that, the whole thing is a big hack):


Entries added in master.cf:

renattach   unix-   n   n   -   -   pipe
  flags=q user=nobody argv=/mailtools/bin/renattach -dal -p 
/mailtools/bin/mini_sendmail -v -s127.0.0.1 -p10001 -f${sender} ${recipient}


127.0.0.1:1 inet n   -   n   -   -   smtpd
  -o content_filter=renattach
  -o mynetworks=127.0.0.0/8
  -o smtpd_enforce_tls=no
  -o smtpd_client_restrictions=permit_mynetworks,reject

127.0.0.1:10001 inet n  -   n   -   -   smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_enforce_tls=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o transport_maps=
  -o receive_override_options=no_milters,no_address_mappings


Entry added to main.cf:
transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
[EMAIL PROTECTED]   smtp:[127.0.0.1]:1

J.P.


Re: Outgoing TLS Problem

2008-12-11 Thread Noel Jones

Dennis Putnam wrote:
Thanks. Unfortunately, at this time upgrading is not an option (long 
story) in the short term. We will be upgrading in late spring 09 
(hopefully) but in the mean time I badly need a solution now. As I said 
enforced TLS is not possible but I do need at least opportunistic TLS.


I think the main.cf settings you need are
smtp_use_tls = yes
smtp_enforce_tls = no

No warranty expressed or implied.

If that doesn't work, you'll need to consult the documentation 
included with the third-party patch that provides TLS support 
in your version of postfix.


--
Noel Jones


Re: Outgoing TLS Problem

2008-12-11 Thread Dennis Putnam
Thanks. You should have offered a warranty and charged for it. :) That  
did it. :D


On Dec 11, 2008, at 12:35 PM, Noel Jones wrote:







Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA  30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000






Re: mail forward based on user to specific filter then to another address

2008-12-11 Thread Noel Jones

J.P. Trosclair wrote:

J.P. Trosclair wrote:


So I setup a filter for stripping the attachments. I want to route  
mail based on [EMAIL PROTECTED] through this filter before it is 
passed  on to domain's MX address. I think it's possible by using  
transport_maps and some tricks in master.cf, at least that's what I
was  told in a dream last night. I haven't tried it yet but will in a  
little while.


I've been messing with this idea of using transport_maps without much 
success because it seems a loop is unavoidable since transport_maps 
can't be overridden (I've googled and confirmed it from posts in the 
past). Any suggestions would be appreciated. Here's what I've tested 
which I've deemed unusable based on transport_maps being a global 
setting (besides that, the whole thing is a big hack):




You're right, you need to use transport_maps to redirect your 
recipient to the proper content filter, and transport_maps 
cannot be overridden by entries in master.cf.


The solution is to use multiple instances of postfix, each 
with its own config and queue directories.


--
Noel Jones


spammers using my mailserver through webmail

2008-12-11 Thread Gerardo Herzig
Hi all. I'm facing an ugly situation. Some spammer is using the webmail to
send spam. The thing is, he's using an actual account/password (from my
server) to authenticate against the webmail, and then sending mail from
"UK LOTTO <[EMAIL PROTECTED]>"...crap!!

Since i have
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination

This dude is authenticated, so...what can I do? Can't I restrict or check
the address which is sending and forbid those which are not of my domain?

Thanks!
Gerardo


Re: spammers using my mailserver through webmail

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 02:32:52PM -0300, Gerardo Herzig wrote:

> Hi all. I'm facing an ugly situation. Some spammer is using the webmail to
> send spam. The thing is, he's using an actual account/password (from my
> server) to authenticate against the webmail, and then sending mail from
> "UK LOTTO <[EMAIL PROTECTED]>"...crap!!
> 
> Since i have
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
> 
> This dude is authenticated, so...what can I do? Can't I restrict or check
> the address which is sending and forbid those which are not of my domain?

Change the password for the compromised account. Or do you offer free
sign-up?

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: spammers using my mailserver through webmail

2008-12-11 Thread Jorey Bump
Gerardo Herzig wrote, at 12/11/2008 12:32 PM:
> Hi all. I'm facing an ugly situation. Some spammer is using the webmail to
> send spam. The thing is, he's using an actual account/password (from my
> server) to authenticate against the webmail, and then sending mail from
> "UK LOTTO "...crap!!
> 
> Since i have
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
> 
> This dude is authenticated, so...what can I do? Can't I restrict or check
> the address which is sending and forbid those which are not of my domain?

This seems easy: Simply reset the password.

If it was stolen, notify the original user immediately and explain what
happened. Some users share login credentials among multiple accounts, so
they deserve to know in order to change the password everywhere it is
used. They may also need to fix a compromised machine or be educated on
phishing attacks.

If it's a user that is doing the spamming, delete their account.



Re: mail forward based on user to specific filter then to another address

2008-12-11 Thread mouss
J.P. Trosclair wrote:
> Hi,
> 
> I've got a user that wants their mail forwarded to their blackberry
> account. No big deal. The catch is they want attachments stripped first.
> I've found this tool called renattach that does just that. I set this up
> in main.cf:
> 
> renattach  unix  -       n       n       -       -       pipe
> flags=q user=postfix argv=/mailtools/bin/renattach -dal -p
> /usr/sbin/sendmail -i -f ${sender} -- ${recipient}
> 
> 
> What I would like to do is when mail arrives for u...@mydomain.com,
> deliver the mail to their local mailbox as normal and then send the same
>  mail to u...@blackberryaccount.com with the mail first being run
> through the renattach filter I have setup above. I'm not sure how to
> accomplish this. I'm guessing I will need to setup a special submission
> for this filter as the next step that uses content_filter=renattach but
> I'm not sure how to make sure the forward gets pushed through the
> renattach filter before it goes out to the user's blackberry address.
>


you can try:

- change the definition of your renattach transport: replace
${recipient} with ${us...@${nexthop}:

renattach  unix  -       n       n       -       -       pipe
 flags=q user=postfix argv=/mailtools/bin/renattach -dal -p
  /usr/sbin/sendmail -i -f ${sender} -- ${us...@${nexthop}

- in main.cf, set:
renattach_destination_recipient_limit = 1

- use virtual_alias_maps:

u...@example.com    u...@example.com, u...@renattach.example.com

- use transport_maps:
renattach.example.com   renattach:example.com





Re: mail forward based on user to specific filter then to another address

2008-12-11 Thread mouss
mouss wrote:
> J.P. Trosclair wrote:
>> Hi,
>>
>> I've got a user that wants their mail forwarded to their blackberry
>> account. No big deal. The catch is they want attachments stripped first.
>> I've found this tool called renattach that does just that. I set this up
>> in main.cf:
>>
>> renattach  unix  -       n       n       -       -       pipe
>> flags=q user=postfix argv=/mailtools/bin/renattach -dal -p
>> /usr/sbin/sendmail -i -f ${sender} -- ${recipient}
>>
>>
>> What I would like to do is when mail arrives for u...@mydomain.com,
>> deliver the mail to their local mailbox as normal and then send the same
>>  mail to u...@blackberryaccount.com with the mail first being run
>> through the renattach filter I have setup above. I'm not sure how to
>> accomplish this. I'm guessing I will need to setup a special submission
>> for this filter as the next step that uses content_filter=renattach but
>> I'm not sure how to make sure the forward gets pushed through the
>> renattach filter before it goes out to the user's blackberry address.
>>
> 
> 
> you can try:
> 
> - change the definition of your renattach transport: replace
> ${recipient} with ${us...@${nexthop}:
> 
> renattach  unix  -       n       n       -       -       pipe
>  flags=q user=postfix argv=/mailtools/bin/renattach -dal -p
>   /usr/sbin/sendmail -i -f ${sender} -- ${us...@${nexthop}
> 
> - in main.cf, set:
> renattach_destination_recipient_limit = 1
> 
> - use virtual_alias_maps:
> 
> u...@example.com  u...@example.com, u...@renattach.example.com
> 
> - use transport_maps:
> renattach.example.com renattach:example.com


argh! the transport entry should be:

renattach.example.com   renattach:bb.example.com

so that sendmail sends to ${us...@bb.example.com. adjust as needed.


Re: Professional Services: Postfix Developer

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 12:15:35PM -0500, Brian A. Seklecki wrote:

> 
> All:
> 
>   I'm seeking a contact or a referral for a Postfix hacker.
> 
>   We're looking to build additional functionality, probably share
>   it with the community.

If you want to share the results with the community, and you believe
that the functionality in question may be broadly useful, post the
problem description on postfix-devel and see where that takes you.

If you can write up a clear problem statement, that's the first step.
The hardest part after that is a clear design document, explaining the
administrator-interface and the implementation strategy. The programming
is the easiest part.

-- 
Viktor.



Re: spammers using my mailserver through webmail

2008-12-11 Thread Gerardo Herzig
Victor Duchovni wrote:
> On Thu, Dec 11, 2008 at 02:32:52PM -0300, Gerardo Herzig wrote:
> 
>> Hi all. I'm facing an ugly situation. Some spammer is using the webmail to
>> send spam. The thing is, he's using an actual account/password (from my
>> server) to authenticate against the webmail, and then sending mail from
>> "UK LOTTO "...crap!!
>>
>> Since i have
>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>> permit_mynetworks, reject_unauth_destination
>>
>> This dude is authenticated, so...what can I do? Can't I restrict or check
>> the address which is sending and forbid those which are not of my domain?
> 
> Change the password for the compromised account. Or do you offer free
> sign-up?
> 

Well, yes, that's an option. But it seems like a partial solution. About the
postfix configuration: is there anything I can do to stop an account
@uklotto (or whatever is not my domain) sending mail through my server? Crap,
I feel not :(

Thanks for the suggestion.
Gerardo


Re: spammers using my mailserver through webmail

2008-12-11 Thread Jorey Bump
Gerardo Herzig wrote, at 12/11/2008 12:47 PM:
> Victor Duchovni wrote:
>> Change the password for the compromised account. Or do you offer free
>> sign-up?
> 
> Well, yes, that's an option. But it seems like a partial solution. About the
> postfix configuration: is there anything I can do to stop an account
> @uklotto (or whatever is not my domain) sending mail through my server? Crap,
> I feel not :(

That's merely a symptom of your real problem: you have a compromised
account, giving the spammer full access to your resource. As long as
they can authenticate, they will find workarounds to any restrictions
you put in place that still allow other authenticated users to send
mail. For example, you really don't want them to start using your domain
in a forged sender address. You must reset the password and/or delete
the account. Do it sooner than later to avoid being blacklisted.



Re: spammers using my mailserver through webmail

2008-12-11 Thread Brian Evans - Postfix List
Gerardo Herzig wrote:
> Victor Duchovni wrote:
>   
>> On Thu, Dec 11, 2008 at 02:32:52PM -0300, Gerardo Herzig wrote:
>>
>> 
>>> Hi all. I'm facing an ugly situation. Some spammer is using the webmail to
>>> send spam. The thing is, he's using an actual account/password (from my
>>> server) to authenticate against the webmail, and then sending mail from
>>> "UK LOTTO "...crap!!
>>>
>>> Since i have
>>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>>> permit_mynetworks, reject_unauth_destination
>>>
>>> This dude is authenticated, so...what can I do? Can't I restrict or check
>>> the address which is sending and forbid those which are not of my domain?
>>>   
>> Change the password for the compromised account. Or do you offer free
>> sign-up?
>>
>> 
>
> Well, yes, that's an option. But it seems like a partial solution. About the
> postfix configuration: is there anything I can do to stop an account
> @uklotto (or whatever is not my domain) sending mail through my server? Crap,
> I feel not :(
>
>   

Really the only thing that can be done on the postfix side is to
implement smtpd_sender_login_maps and
reject_authenticated_sender_login_mismatch (or similar).
This is a matter of policy as any matches with invalid results will be
rejected.

See http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps and
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions.

Fight spam through trusted sources since MAIL FROM is easily forged and
will block legitimate mail.

Note: just remember the first restriction wins. If you want this to
work, it must come before permit_sasl_authenticated.

Brian

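A worked illustration of Brian's ordering point, added here and not from the thread or from Postfix itself: a simplified model of how smtpd walks a restriction list, run over the list Gerardo posted and over two rewrites that add reject_authenticated_sender_login_mismatch, once before and once after permit_sasl_authenticated. The logins, addresses, networks and the smtpd_sender_login_maps contents are constructed sample data, and the map lookup is simplified to an exact-address match.

```python
"""Added example (not Postfix code): first matching restriction wins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    client_ip: str
    sasl_login: Optional[str]   # None when the client did not authenticate
    sender: str                 # envelope MAIL FROM address
    recipient: str              # envelope RCPT TO address


# Constructed site data (not from the thread).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDOMAINS = {"example.com"}   # domains this server accepts mail for

# Constructed smtpd_sender_login_maps: envelope sender -> SASL logins owning it.
# Real Postfix also tries the @domain form of the key; exact match only here.
SENDER_LOGIN_MAPS = {
    "gerardo@example.com": {"gerardo"},
    "sales@example.com": {"gerardo", "maria"},
}


def owners_of(sender):
    """Logins allowed to use this envelope sender; an unlisted sender has no
    owner, so an authenticated client using it is a mismatch."""
    return SENDER_LOGIN_MAPS.get(sender.lower(), set())


def evaluate(restrictions, s):
    """Walk the list like smtpd does: the first restriction that returns
    PERMIT or REJECT decides; falling off the end permits."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ipaddress.ip_address(s.client_ip) in n for n in MYNETWORKS):
                return "PERMIT", r
        elif r == "permit_sasl_authenticated":
            if s.sasl_login is not None:
                return "PERMIT", r
        elif r == "reject_authenticated_sender_login_mismatch":
            if s.sasl_login is not None and s.sasl_login not in owners_of(s.sender):
                return "REJECT", r
        elif r == "reject_unauth_destination":
            if s.recipient.rpartition("@")[2].lower() not in MYDOMAINS:
                return "REJECT", r
        else:
            raise ValueError(f"restriction not modelled here: {r}")
    return "PERMIT", "end of list"


# The list Gerardo posted.
ORIGINAL = ["permit_sasl_authenticated", "permit_mynetworks",
            "reject_unauth_destination"]
# Login check placed first: it only ever acts on SASL-authenticated clients,
# so unauthenticated clients inside mynetworks are unaffected.
FIXED = ["reject_authenticated_sender_login_mismatch", "permit_mynetworks",
         "permit_sasl_authenticated", "reject_unauth_destination"]
# Same restrictions, but permit_sasl_authenticated wins before the check runs.
WRONG_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
               "reject_authenticated_sender_login_mismatch",
               "reject_unauth_destination"]

# Constructed sessions: the hijacked account forging a foreign sender, the
# legitimate owner of that account, and an unauthenticated outside client.
SPAMMER = Session("203.0.113.7", "gerardo", "uklotto@lottery.example", "victim@example.net")
LEGIT = Session("203.0.113.7", "gerardo", "gerardo@example.com", "friend@example.net")
ANON = Session("203.0.113.7", None, "anyone@example.net", "victim@example.net")

if __name__ == "__main__":
    for name, lst in (("original", ORIGINAL), ("wrong order", WRONG_ORDER), ("fixed", FIXED)):
        print(f"{name:12} spammer={evaluate(lst, SPAMMER)} legit={evaluate(lst, LEGIT)}")
```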

Re: spammers using my mailserver through webmail

2008-12-11 Thread mouss
Gerardo Herzig wrote:
> Victor Duchovni wrote:
>> On Thu, Dec 11, 2008 at 02:32:52PM -0300, Gerardo Herzig wrote:
>>
>>> Hi all. I'm facing an ugly situation. Some spammer is using the webmail to
>>> send spam. The thing is, he's using an actual account/password (from my
>>> server) to authenticate against the webmail, and then sending mail from
>>> "UK LOTTO "...crap!!
>>>
>>> Since i have
>>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>>> permit_mynetworks, reject_unauth_destination
>>>
>>> This dude is authenticated, so...what can I do? Can't I restrict or check
>>> the address which is sending and forbid those which are not of my domain?
>> Change the password for the compromised account. Or do you offer free
>> sign-up?
>>
> 
> Well, yes, that's an option. But it seems like a partial solution. About the
> postfix configuration: is there anything I can do to stop an account
> @uklotto (or whatever is not my domain) sending mail through my server? Crap,
> I feel not :(
> 

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/mysenders
reject_unauth_destination
...


== mysenders:
example.com OK

Note that this works for the envelope sender, not the From: or reply-To:
headers.


Re: spammers using my mailserver through webmail

2008-12-11 Thread mouss
Brian Evans - Postfix List wrote:
> 
> Really the only thing that can be done on the postfix side is to
> implement smtpd_sender_login_maps and
> reject_authenticated_sender_login_mismatch (or similar).
> This is a matter of policy as any matches with invalid results will be
> rejected.
> 
> See http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps and
> http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions.
> 
> Fight spam through trusted sources since MAIL FROM is easily forged and
> will block legitimate mail.
> 
> Note: just remember the first restriction wins. If you want this to
> work, it must come before permit_sasl_authenticated.
> 

note that this only works if the webmail solution does authenticate with
user login.


Enforced TLS Question

2008-12-11 Thread Dennis Putnam
Now that I have TLS working in both directions I thought it would be  
interesting to see if I can get enforced TLS to work also. It seems  
that the 3rd party postfix extension to version 2.1.5 supposedly  
supports that possibility, contrary to my previous understanding.


I seem to have a semblance of that working except internal mail is  
getting deferred because 'starttls' is not offered. I added my domain  
to the hash with "NONE" but that doesn't seem to help. I wonder if I  
need to add 127.0.0.1 instead, or is there something else wrong that  
won't exclude local mail?


Thanks.


Re: Minimal MTA/ MDA for local mail only?

2008-12-11 Thread Gaute Amundsen
On Thursday 11 December 2008 17:22:35 Jorey Bump wrote:
> Gaute Amundsen wrote, at 12/11/2008 07:25 AM:
> > Slightly OT this, but I can't think on any other obvious place to ask,
> > and an hour of googling turned up little.
> >
> > The question:
> > What are my options if I don't want to run a full blown mail server, and
> > really only want all mail delivered to a single local mbox or maildir?
> >
> > There seems to be a number for minimal sendmal replacements that do smtp
> > only, but none that delivers locally, and I don't think procmail or
> > maildrop can impersonate /usr/bin/sendmail directly..
> >
> > Basically I run smartmontools and a number of cronjobs on my laptop and I
> > want to get the reports and alerts, but I want to avoid the overhead of
> > running and maintaining a full mailserver.
> >
> > I have a sneaky feeling that I am somehow not seeing the forest for all
> > the trees, or my assumptions are wrong, but I can't put my finger on it..
>
> Minimal MTAs are usually developed for use with MUAs that don't include
> SMTP (such as Mutt) or to easily provide a way to use a relayhost on a
> per-user basis (so your outgoing messages don't get bounced). Therefore,
> they tend not to deal with local delivery.

Examples of which would be nbsmtp, sSMTP, nullmailer etc.?
Yeah, I noticed those. Hm.. It seems I could configure ssmtp to use
authentication like I would need to send, and I am online most of the time,
so it would probably work ok.
It only violates any and all sense of elegance ;-/

> The good news is that the MTA provided with your distribution (either
> postfix or sendmail) is usually trivially easy to set up for local
> delivery, especially if the mail is locally generated. 

Just went through a non-trivial case of that, yes, so that is not an issue,
except perhaps the potential to screw it up by trying to be too clever
:)

> You might need to
> run the daemon, but the overhead is negligible, and modern distributions
> improve security by having it listen only on localhost by default. 

Hm.. yes, it all gets swapped out when not actually in use and so on.

If there is general agreement on that I guess all I am left with is my sense 
of technical overkill and ugliness :( 

> If
> you want to support a more complicated environment (such as running a
> local IMAP server), you may need additional tweaks, but if you simply
> want to read local system notifications, you usually need nothing more
> than the default MTA and an MUA (mail, nail, mutt, pine, kmail, etc.).
> The benefit you receive is that these widely used MTAs tend to handle
> mail more correctly, due to years of use and development.

On the other hand one might presume that all the daemons that send the mail 
I'm interested in are rather well used and polished as well, and that perhaps 
I'm spending a lot of time researching something I could hack up in a few 
hours in python. The sendmail commandline is not rocket science after all.

I guess I will have to see if my sense of in-elegance and overkill is 
sufficiently strong to overcome the challenge  :)

Thanks for the input.

Gaute



Re: fight spam problem: sender equal to receiver

2008-12-11 Thread mouss
Roland Plüss wrote:
> I tried to find one of the messages in the logs. It's damn hard to find
> it since it's really weird... and it all makes no sense to me. I think
> this email source belongs to the logs below ( added  to prevent
> potential damage due to fudged HTML ).
> 

Do not edit logs, except to replace private information. You have really
no reason to remove the pid. In any case, the format of the lines must
not be changed (because we know what a unix log line looks like).


anyway,
reject_rbl_client zen.spamhaus.org
should be enough to block 99.206.220.166



Re: Enforced TLS Question

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 01:28:02PM -0500, Dennis Putnam wrote:

> Now that I have TLS working in both directions I thought it would be  
> interesting to see if I can get enforced TLS to work also. It seems  
> that the 3rd party postfix extension to version 2.1.5 supposedly  
> supports that possibility, contrary to my previous understanding.

It does not support it very well, if you want actual enforcement, I would
suggest the official release, at which point you may as well use 2.5.5.

> I seem to have a semblance of that working except internal mail is  
> getting deferred because 'starttls' is not offered. I added my domain  
> to the hash with "NONE" but that doesn't seem to help. I wonder if I  
> need to add 127.0.0.1 instead, or is there something else wrong that  
> won't exclude local mail?

Don't bother with enforced TLS in 2.1.

-- 
Viktor.



Re: Enforced TLS Question

2008-12-11 Thread Dennis Putnam
Thanks. It was only a hope. Having opportunistic TLS working is  
sufficient until we can upgrade.


On Dec 11, 2008, at 1:42 PM, Victor Duchovni wrote:








Re: spammers using my mailserver through webmail

2008-12-11 Thread Terry Carmen



> Hi all. I'm facing an ugly situation. Some spammer is using the webmail to
> send spam. The thing is, he's using an actual account/password (from my
> server) to authenticate against the webmail, and then sending mail from
> "UK LOTTO "...crap!

I'd also recommend switching to a webmail package that doesn't allow the 
user to specify the "from" address. If this guy did it, I'm sure his 
friends will follow soon.


Squirrelmail works nicely.

Terry



Re: spammers using my mailserver through webmail

2008-12-11 Thread Gerardo Herzig
Terry Carmen wrote:
> 
> Hi all. I'm facing an ugly situation. Some spammer is using the
> webmail to
> send spam. The thing is, he's using an actual account/password
> (from my
> server) to authenticate against the webmail, and then sending mail from
> "UK LOTTO "...crap!
> 
> I'd also recommend switching to a webmail package that doesn't allow the
> user to specify the "from" address. If this guy did it, I'm sure his
> friends will follow soon.
> 
> Squirrelmail works nicely.
> 
> Terry
> 
> 
Oh, actually I'm using squirrelmail. I'm going to see what I have to do
with it now.

Thanks!
Gerardo


Re: spammers using my mailserver through webmail

2008-12-11 Thread Magnus Bäck
On Thursday, December 11, 2008 at 19:25 CET,
 mouss  wrote:

> smtpd_sender_restrictions =
>   check_sender_access hash:/etc/postfix/mysenders
>   reject_unauth_destination
>   ...
> 
> 
> == mysenders:
> example.com   OK
> 
> Note that this works for the envelope sender, not the From: or
> reply-To: headers.

This method of course assumes that the webmail application submits
messages via SMTP and not sendmail(1). From what the OP has written
so far this is not necessarily the case.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: spammers using my mailserver through webmail

2008-12-11 Thread Gerardo Herzig
mouss wrote:
> Gerardo Herzig a écrit :
>> Victor Duchovni wrote:
>>> On Thu, Dec 11, 2008 at 02:32:52PM -0300, Gerardo Herzig wrote:
>>>
>>>> Hi all. I'm facing an ugly situation. Some spammer is using the webmail to
>>>> send spam. The thing is, he's using an actual account/password (from my
>>>> server) to authenticate against the webmail, and then sending mail from
>>>> "UK LOTTO "...crap!!
>>>>
>>>> Since I have
>>>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>>>> permit_mynetworks, reject_unauth_destination
>>>>
>>>> This dude is authenticated, so...what can I do? Can't I restrict or check
>>>> the address which is sending and forbid those which are not of my domain?
>>> Change the password for the compromised account. Or do you offer free
>>> sign-up?
>>>
>> Well, yes, that's an option. But it seems like a partial solution. About the
>> postfix configuration: Is there anything I can do to avoid an account
>> @uklotto (or whatever is not my domain) sending mail through my server? Crap,
>> I feel not :(
>>
> 
> smtpd_sender_restrictions =
>   check_sender_access hash:/etc/postfix/mysenders
>   reject_unauth_destination
>   ...
> 
> 
> == mysenders:
> example.com   OK
> 
> Note that this works for the envelope sender, not the From: or reply-To:
> headers.
> 
> 
Oh, that sounds good to me!
Thanks mouss!

Gerardo


Postfix on Solaris 10

2008-12-11 Thread Bailo, John
 

Is Postfix available for or part of Sun's Solaris 10 OS as a compiled
package?

(I am using Postfix on openSuse - so it's easily installed as part of
the Yast installer - I am not as familiar with Sun/Solaris 10's
packaging/installation system).


CONFIDENTIALITY NOTICE: The information in this Internet email is confidential 
and may be legally privileged. It is intended solely for the addressee. Access 
to this email by anyone else is unauthorized. 



Re: Weird disconnections after RCPT using TLS

2008-12-11 Thread Jesús Manuel Loaiza Vidal




Victor Duchovni escribió:
> On Wed, Dec 10, 2008 at 06:04:54PM -0700, Jesús Manuel Loaiza Vidal wrote:
>
>> I guess its TLS session related or something related to race conditions.
>>
>> I'm using PostgreSQL and LDAP lookup tables to do user mailbox lookup and
>> various other things and Dovecot SASL for authentication
>
> Your debugging level is way too high, and the strace output includes your
> RSA private key (change it as soon as you get a chance). Also the "test"
> account SASL password seems to be "123".
>
> Don't post the strace output, this is for you to read. Don't post base64
> encoded SASL PLAIN/LOGIN protocol messages.
>
> Don't mix strace and smtpd output in the same log. tls log level 2 is
> sufficient for an initial diagnosis.

  

The RSA key and the whole host is for testing, so it doesn't matter.

I stripped the strace stuff from postfix.txt and left only the output
from smtpd.

Full log with strace is now in postfix-strace.txt




Re: Postfix on Solaris 10

2008-12-11 Thread J.P. Trosclair

Bailo, John wrote:
> Is Postfix available for or part of Sun's Solaris 10 OS as a compiled
> package?



Check Blastwave and Sun Freeware; afaik there is no official release 
from Sun. There are some guides on building SMF scripts for postfix on 
Solaris 10.


Re: "legacy" SSL and postfix smtp

2008-12-11 Thread John Baker

Ok, that could be it.

The main culprit I am trying to figure out is Entourage (I just noticed 
a bunch of messages on that I should look through).


The log for it looks like this:

Dec 11 14:49:48 arnold postfix/smtpd[6341]: connect from 
c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:49:48 arnold postfix/smtpd[6341]: lost connection after EHLO 
from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:49:48 arnold postfix/smtpd[6341]: disconnect from 
c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:28 arnold postfix/smtpd[4671]: connect from 
c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:28 arnold postfix/smtpd[4671]: setting up TLS connection 
from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:29 arnold postfix/smtpd[4671]: TLS connection established 
from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]: TLSv1 with 
cipher DES-CBC3-SHA (168/168 bits)
Dec 11 14:56:29 arnold postfix/smtpd[4671]: lost connection after EHLO 
from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:29 arnold postfix/smtpd[4671]: disconnect from 
c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]


The error I am getting now is that the server does not support any of 
the authentication methods. Before I was getting a greylist "try later" 
message. I think it is trying on port 25.


Wrapper mode is not on and if I try Thunderbird with SSL it does default 
to that port which is open in the firewall. But I get no attempted TLS 
connection. My syslog just tracks that the ip/mac address is hitting it.


I notice in my log that there is one other instance of 168 DES ciphers 
that appears to be failing while all other types appear to be working. 
Could that be the issue? If so how do I fix it?

Noel Jones wrote:
> John Baker wrote:
>> We have a few people using programs (mostly MS crap) that insist on
>> older versions of SSL rather than tls.
>>
>> Internally this works okay but externally ssl gets bounced by my grey
>> listing. This seems to indicate that it is not actually authenticating
>> right but allowing it to pass internally because it's on the network
>> and the port is open.
>
> "legacy" SSL makes me think of the long-deprecated "smtps" wrapper mode
> SSL on port 465 that some MS products (still) seem to prefer rather than
> using STARTTLS on a standard port.
>
> Do you have the smtps port enabled in postfix and your firewall?
>
> Do your logs show these clients using SSL/TLS and attempting
> authentication?  Use "smtpd_tls_loglevel = 1" in main.cf.






--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus


Re: Postfix on Solaris 10

2008-12-11 Thread Bryan Allen
+--
| On 2008-12-11 14:41:46, Bailo, John wrote:
| 
| Is Postfix available for or part of Sun's Solaris 10 OS as a compiled
| package?
| 
| (I am using Postfix on openSuse - so it's easily installed as part of
| the Yast installer - I am not as familiar with Sun/Solaris 10's
| packaging/installation system).

It isn't, no.

I use pkgsrc[1] on Solaris/OpenSolaris for postfix, among other
things.

You could also use Blastwave[2], which does have a Postfix
package.

[1] http://www.netbsd.org/docs/software/packages.html
[2] http://wiki.blastwave.org/
-- 
bda
Cyberpunk is dead.  Long live cyberpunk.
http://mirrorshades.org


Re: Postfix on Solaris 10

2008-12-11 Thread Camron W. Fox

Bailo, John wrote:
> Is Postfix available for or part of Sun’s Solaris 10 OS as a compiled
> package?
>
> (I am using Postfix on openSuse – so it’s easily installed as part of
> the Yast installer – I am not as familiar with Sun/Solaris 10’s
> packaging/installation system).





John,

There's also http://ihsan.dogan.ch/postfix/.

Best Regards,
Camron

Camron W. Fox
Hilo Office
High Performance Computing Group
Fujitsu Management Services of America, Inc.
E-mail: cw...@us.fujitsu.com



Re: Weird disconnections after RCPT using TLS

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 12:47:20PM -0700, Jesús Manuel Loaiza Vidal wrote:

>Full log with strace is now in [1]postfix-strace.txt
> 
> References
> 
>Visible links
>1. http://www.ich.edu.mx/attachments/postfix-strace.txt

This is still the old log from Dec 9th. Please post just otherwise
normal logging from smtpd with smtpd_tls_loglevel=2 for a *single*
failed session and a raw PCAP capture file of that same failed session.

Please describe the view of this from the SMTP client, and exactly
what client you are using, and how you are using it.

-- 
Viktor.



Re: Weird disconnections after RCPT using TLS

2008-12-11 Thread Jesús Manuel Loaiza Vidal




Jesús Manuel Loaiza Vidal escribió:
> Victor Duchovni escribió:
>> On Wed, Dec 10, 2008 at 06:04:54PM -0700, Jesús Manuel Loaiza Vidal wrote:
>>
>>> I guess its TLS session related or something related to race conditions.
>>>
>>> I'm using PostgreSQL and LDAP lookup tables to do user mailbox lookup and
>>> various other things and Dovecot SASL for authentication
>>
>> Your debugging level is way too high, and the strace output includes your
>> RSA private key (change it as soon as you get a chance). Also the "test"
>> account SASL password seems to be "123".
>>
>> Don't post the strace output, this is for you to read. Don't post base64
>> encoded SASL PLAIN/LOGIN protocol messages.
>>
>> Don't mix strace and smtpd output in the same log. tls log level 2 is
>> sufficient for an initial diagnosis.
>
> The RSA key and the whole host is for testing, so it doesn't matter.
>
> I stripped the strace stuff from postfix.txt and left only the output
> from smtpd.
>
> Full log with strace is now in postfix-strace.txt

I did fix the other logs as well.
So, the logs now are:

- Postfix Log without TLS
- Postfix Log without TLS, with strace logging
- Postfix Log with TLS
- Postfix Log with TLS and strace




Re: Weird disconnections after RCPT using TLS

2008-12-11 Thread Jesús Manuel Loaiza Vidal




Victor Duchovni escribió:
> On Thu, Dec 11, 2008 at 12:47:20PM -0700, Jesús Manuel Loaiza Vidal wrote:
>
>> Full log with strace is now in [1]postfix-strace.txt
>>
>> References
>>
>> Visible links
>> 1. http://www.ich.edu.mx/attachments/postfix-strace.txt
>
> This is still the old log from Dec 9th. Please post just otherwise
> normal logging from smtpd with smtpd_tls_loglevel=2 for a *single*
> failed session and a raw PCAP capture file of that same failed session.
>
> Please describe the view of this from the SMTP client, and exactly
> what client you are using, and how you are using it.

  

The client doesn't matter, same problem from Thunderbird, Outlook,
s_client.





Re: Minimal MTA/ MDA for local mail only?

2008-12-11 Thread Gaute Amundsen
On Thursday 11 December 2008 17:21:54 Victor Duchovni wrote:
> On Thu, Dec 11, 2008 at 01:25:14PM +0100, Gaute Amundsen wrote:
> > Slightly OT this, but I can't think on any other obvious place to ask,
> > and an hour of googling turned up little.
> >
> > The question:
> > What are my options if I don't want to run a full blown mail server, and
> > really only want all mail delivered to a single local mbox or maildir?
>
> What do you mean by "all mail"? Just locally submitted mail, or also
> SMTP mail from the Internet for one or more domains?
>
> > Basically I run smartmontools and a number of cronjobs on my laptop and I
> > want to get the reports and alerts, but I want to avoid the overhead of
> > running and maintaining a full mailserver.
> >
> > I have a sneaky feeling that I am somehow not seeing the forest for all
> > the trees, or my assumptions are wrong, but I can't put my finger on it..
>
> With Postfix, just make the SMTP server local and make all domains local:
>
>   inet_interfaces = 127.0.0.1
>   mydestination = static:all
>   alias_maps = static:yourlogin
>
> The only downside is that pickup will wake up every 60 seconds and scan
> /var/spool/postfix/maildrop. This may defeat power-management and prevent
> the disk from spinning down.
>
> So perhaps you should use Sendmail, with "sendmail -q" run once an hour
> from cron, and no sendmail daemon started when the system boots.
> Configuring Sendmail to deliver all mail to a single local mailbox is not
> too difficult, just short-cut rule-set 0:
>
>   S0
>   $+  $#local $: yourlogin
>
> This has a lower run-time footprint than Postfix.

Hm, very pragmatic approach.
I'm afraid I'm somewhat more pigheaded than that :)
See my reply to Jorey Bump.

I have however made a quick hack on which I would love comments.
See next post.

Gaute




Re: Minimal MTA/ MDA for local mail only - hack

2008-12-11 Thread Gaute Amundsen
How about this?
Even more off topic!

But so far this seems to work for me.
Kmail "could not write lockfile" when reading the mbox, but "FCNTL" worked, 
whatever that means :)
Considerable room for improvement I'm sure, but in principle?

Suggestions welcome :)

Gaute

/usr/bin/sendmail:

#!/usr/bin/python

import mailbox
import sys
import email
import email.utils

mbox = mailbox.mbox('/var/mail/root', factory=None, create=True)

msg = email.message_from_file(sys.stdin)
# Only add headers the caller (cron, smartd) did not supply; assigning to a
# header that is already present appends a second copy instead of replacing it.
if 'From' not in msg:
    msg['From'] = 'r...@localhost'
if 'Date' not in msg:
    # RFC 2822 date with a numeric zone ("+0000"); a bare "+" is not a valid zone.
    msg['Date'] = email.utils.formatdate()

# Lock the mbox so a reader (Kmail's "FCNTL" locking) never sees a
# half-appended message.
mbox.lock()
try:
    mbox.add(msg)
    mbox.flush()
finally:
    mbox.unlock()
    mbox.close()




Re: Postfix on Solaris 10

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 02:41:46PM -0500, Bailo, John wrote:

> Is Postfix available for or part of Sun's Solaris 10 OS as a compiled
> package?

Build Postfix from source, and then create a package out of that.

Attached is a script I used to use to build the "prototype" and "pkginfo" files
for an SVR4 package. The "prototype" is sent to stdout. Then just
"pkgmk" and there you are.

I have not used it in a long time, so it may require a bit of tweaking...
And you may need to add an init.d start script in some cases.

-- 
Viktor.

#! /bin/env perl

use IO::File;

my $prefix=shift(@ARGV);
# Commands in $INSTALL_EXEC_PREFIX/sbin
# Daemons in $INSTALL_EXEC_PREFIX/libexec
# Docs in $INSTALL_PREFIX/{man,html,readme}
my $INSTALL_EXEC_PREFIX="$prefix";
my $INSTALL_PREFIX="$prefix";
my $CFDIR="/etc/postfix";
my $POSTCONF="$INSTALL_EXEC_PREFIX/sbin/postconf -c $CFDIR";

# Create pkginfo file:
#   ARCH and VERSION are computed dynamically.
#   The Postfix configuration parameters become package parameters,
#   with the first letter converted to upper case.
#
my $info = IO::File->new("pkginfo", "w");
print $info "PKG=postfix\n";
print $info "NAME=Postfix MTA\n";
print $info "ARCH=".qx{uname -p};
print $info "VERSION=".qx{$POSTCONF -d -h mail_version};
print $info "CATEGORY=system\n";
print $info "BASEDIR=/\n";
print $info "DESC=Mail Transport Agent http://www.postfix.org/\n";
print $info "CLASSES=none site\n";
# Remaining arguments are name=value pairs (e.g. config_directory=/etc/postfix);
# the match is needed to set $1 (name) and $3 (value) used below.
for (@ARGV) { /^(\w+)(\s*=\s*)(.*)$/ and print $info "\u$1=$3\n"; }

# List pkginfo and the install/remove scripts for "site" files.
#
print "1 i pkginfo\n";
print "1 i postinstall\n";
print "1 i i.site\n";
print "1 i r.site\n";

# These configuration files are preserved if present
#
my %preserve;
for (qw(aliases main.cf master.cf)) { $preserve{$_}=1; }

my $pfiles = "$INSTALL_EXEC_PREFIX/libexec/postfix-files";
my $pfd = IO::File->new($pfiles, "r")
or die "$0: Could not open: $pfiles: $!\n";

# Parse postfix-files
#
while(defined($_ = <$pfd>) || defined($_ = shift(@extra))) {
next if (/^#/);
chomp;
# Expected format is: name:type:owner:group:permission[:flags]
#
my @F=split(/:/, $_);

# skip obsolete files
next if ($#F > 4 && $F[5] =~ /o/);

# Default group for Solaris is "bin"
#
$F[3] = "bin" if ($F[3] eq "" || $F[3] eq "-");

# Compute substituted values for the file locations. 
#
(my $path = $F[0]) =~ s{^\$(\w+)}{getconfig($1, 1) || die "$0: $1 not known\n"}e;
(my $owner = $F[2]) =~ s{^\$(\w+)}{getconfig($1, 0) || die "$0: $1 not known\n"}e;
(my $group = $F[3]) =~ s{^\$(\w+)}{getconfig($1, 0) || die "$0: $1 not known\n"}e;

next if ($path =~ m{^no/});

# Small-caps Postfix installation parameters
#
map {s{^\$(\w+)}{\$\u$1}} @F;
my $dest = $F[0];

# Check installed image.
#
if (!lstat("$path")) {
# Allow missing directories if automatically created.
#
next if ($F[1] eq "d" && $F[5] =~ /c/ || $F[1] eq "l");
die "$0: $dest missing from image\n";
}
if ($F[1] eq "d") {
# postfix-files wants a directory.
#
if ( -d _ ) {
printf "1 d none %s 0%o %s %s\n",
$dest, oct($F[4]), $F[2], $F[3];
next;
}
die "$0: $dest is not a directory\n";
}
if ($F[1] eq "f") {
# postfix-files wants a file.
#
if ( -f _ ) {
my $class = "f none";
if ( $dest =~ m{^\$Config_directory/(.*)}) {
if (exists $preserve{$1}) {
$class = "v site";
}
}
printf "1 %s %s=%s 0%o %s %s\n",
$class, $dest, $path, oct($F[4]), $F[2], $F[3];
next;
}
die "$0: $dest is not a file\n";
}
if ($F[1] eq "l") {
# postfix-files wants a symlink
#
my $link = readlink("$path") or die "$0: readlink($path): $!\n";
printf "1 s none %s=%s\n", $dest, $link;
}
if ($F[1] eq "h") {
# postfix-files wants a hardlink
#
my $link = $F[2];
printf "1 l none %s=%s\n", $dest, $link;
}
}
close($pfd);

close($info) or die "$0: pkginfo write error: $!\n";

my %config;
sub getconfig {
my ($p, $ispath) = @_;

return $config{$p} if (defined($config{$p}));

$v = qx{$POSTCONF -d -h $p};
die "$0: Parameter $p lookup failed\n" if ($? != 0);
chomp($v);
return $config{$p}="no" if ($v eq "no");
die "$0: Parameter $p not an absolute p

Re: Minimal MTA/ MDA for local mail only - hack

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 09:34:31PM +0100, Gaute Amundsen wrote:

> How about this?
> Even more off topic!
> 
> But so far this seems to work for me.
> Kmail "could not write lockfile" when reading the mbox, but "FCNTL" worked, 
> whatever that means :)
> Considerable room for improvement I'm sure, but in principle?
> 
> Suggestions welcome :)
> 
> Gaute
> 
> /usr/bin/sendmail:
> 
> #!/usr/bin/python
> 
> import mailbox
> import sys
> import email
> from time import gmtime, strftime
> 
> mbox = mailbox.mbox('/var/mail/root', factory=None, create=True)
> 
> msg = email.message_from_file(sys.stdin)
> msg['From'] = 'r...@localhost'
> msg['Date']= strftime("%a, %d %b %Y %H:%M:%S +", gmtime())

The problem is that users other than the owner of the mailbox may
need to send mail... So you need either a setuid sendmail(1) or
a system like Postfix with multiple processes at different privilege
levels and IPC between them.

-- 
Viktor.


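The privilege split Victor describes, as an added example that is not code from the thread: a spool directory any local user can drop a message into, and a separate pickup step run only by the mailbox owner, so the mbox itself never has to be world-writable. It assumes a sticky, world-writable spool directory (mode 01733) and uses only the standard library; the directory names and sample messages are constructed.

```python
import email
import email.policy
import email.utils
import mailbox
import os
import pwd
import stat
import time
import uuid


def submit(spool_dir, raw_message):
    """Unprivileged side: any local user drops a message into the spool.

    It never opens the mailbox, so the mbox stays owned by and private to its
    user; only the spool directory (assumed mode 01733: world-writable,
    sticky, not listable by others) is shared.
    """
    # Time-ordered, unguessable name; O_EXCL so a guessed name cannot clobber
    # another user's submission.
    name = '%020d.%d.%s' % (time.time_ns(), os.getpid(), uuid.uuid4().hex)
    tmp = os.path.join(spool_dir, name + '.tmp')
    final = os.path.join(spool_dir, name)
    # 0644 so the spool owner can read it; the unguessable name in a
    # non-listable directory keeps other users out. A setgid helper (what
    # Postfix's postdrop does) would be the tighter design.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, 'wb') as f:
        f.write(raw_message)
    os.rename(tmp, final)      # atomic: pickup never sees a half-written file
    return final


def _sender_for_uid(uid):
    """Envelope sender derived from the submitting uid, as sendmail(1) does."""
    try:
        return pwd.getpwuid(uid).pw_name + '@localhost'
    except KeyError:
        return 'uid%d@localhost' % uid


def pickup(spool_dir, mbox_path):
    """Privileged side: run by the mailbox owner (e.g. hourly from cron).

    Drains the spool into the mbox under a lock and returns the number of
    messages delivered.
    """
    delivered = 0
    box = mailbox.mbox(mbox_path, create=True)
    box.lock()                 # dot-lock plus fcntl lock: readers see whole messages
    try:
        for name in sorted(os.listdir(spool_dir)):
            if name.endswith('.tmp'):
                continue       # still being written by submit()
            path = os.path.join(spool_dir, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue       # ignore symlinks and anything odd dropped here
            with open(path, 'rb') as f:
                msg = email.message_from_binary_file(f, policy=email.policy.default)
            # Who submitted it comes from the file's owner (kernel metadata),
            # not from anything the submitter wrote into the headers.
            msg['X-Submitted-By-Uid'] = str(st.st_uid)
            if 'From' not in msg:
                msg['From'] = _sender_for_uid(st.st_uid)
            if 'Date' not in msg:
                msg['Date'] = email.utils.formatdate(localtime=True)
            box.add(msg)
            box.flush()
            os.unlink(path)    # only after the mbox write reached disk
            delivered += 1
    finally:
        box.unlock()
        box.close()
    return delivered


if __name__ == '__main__':
    # Stand-alone demo in a temporary directory with two constructed messages.
    import tempfile
    work = tempfile.mkdtemp()
    spool = os.path.join(work, 'maildrop')
    os.mkdir(spool, 0o1733)
    submit(spool, b'Subject: smartd alert\n\n/dev/sda: SMART failure predicted\n')
    submit(spool, b'From: cron@localhost\nSubject: backup\n\ndone\n')
    print('delivered', pickup(spool, os.path.join(work, 'mbox')))
```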

Re: fight spam problem: sender equal to receiver

2008-12-11 Thread Roland Plüss
I only enclosed the HTML tags in the email body with comment marks. The
logs are unaltered except for hiding one email address.

As for zen.spamhaus.org... I've got this one in my config... but
it seems to not work ( host not found ).

mouss wrote:
> Roland Plüss a écrit :
>   
>> I tried to find one of the messages in the logs. It's damn hard to find
>> it since it's really weird... and it all makes no sense to me. I think
>> this email source belongs to the logs below ( added  to prevent
>> potential damage due to fudged HTML ).
>>
>> 
>
> Do not edit logs, except replacing private information. you have really
> no reason to remove the pid. In any case, the format of the lines must
> not be changed (because we know what a unix log line looks like).
>
>
> anyway,
>   reject_rbl_client zen.spamhaus.org
> should be enough to block 99.206.220.166
>
>   

-- 
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )





Re: Weird disconnections after RCPT using TLS

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 01:25:11PM -0700, Jesús Manuel Loaiza Vidal wrote:

>Victor Duchovni escribió:
> 
>  On Thu, Dec 11, 2008 at 12:47:20PM -0700, Jesús Manuel Loaiza Vidal wrote:
> 
>   
> 
> Full log with strace is now in [1]postfix-strace.txt
> 
>  References
> 
> Visible links
> 1. [1]http://www.ich.edu.mx/attachments/postfix-strace.txt
> 
> 
>  This is still the old log from Dec 9th. Please post just otherwise
>  normal logging from smtpd with smtpd_tls_loglevel=2 for a *single*
>  failed session and a raw PCAP capture file of that same failed session.
> 
>  Please describe the view of this from the SMTP client, and exactly
>  what client you are using, and how you are using it.
> 
>   
> 
>The client doesn't matter, same problem from Thunderbird, Outlook,
>s_client.

Please send plain-text email, not HTML. Please post the requested logging
and PCAP file, using one of the real clients (not s_client) would be ideal.

-- 
Viktor.



Re: fight spam problem: sender equal to receiver

2008-12-11 Thread Roland Plüss
SASL is a problem. I tried doing it once but as soon as I enable it the
entire system totally breaks. I tried various tuts and howtos but to no
avail. SASL stays broken and I can't get it working. I'm running
hardened 64bit here and postfix crashes left and right if not compiled
with a no-pie compiler. With SASL compiled in it also crashes left and
right with a no-pie compiler so I'm somehow forced to find another way
around this problem.

DJ Lucas wrote:
> Roland Plüss wrote:
>> `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
>>   
> Well, there ya go.  There is no restriction that would prevent that
> message from being delivered, so of course they get through.
>
> At a very minimum, please add: 'reject_rbl_client zen.spamhaus.org' to
> smtpd_recipient_restrictions.  That'll stop quite a few of them as
> well as a lot of other junk.
>
> As far as SASL support, you can verify with postconf -a.  Making
> postfix aware of Cyrus or Dovecot is another thing that probably
> should be done at some point.
> See http://www.postfix.org/SASL_README.html#build_postfix or check
> with your distribution/vendor for support if postfix was supplied to
> you in a package.
>
> -- DJ Lucas
>
>
postconf -a yields nothing. What is it supposed to do?

-- 
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )





Re: "legacy" SSL and postfix smtp

2008-12-11 Thread mouss
John Baker a écrit :
> Ok, that could be it.
> 
> The main culprit I am trying to figure out is Entourage (I just noticed
> a bunch of messages on that I should look through).
> 
> The log for it looks like this:
> 
> Dec 11 14:49:48 arnold postfix/smtpd[6341]: connect from
> c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:49:48 arnold postfix/smtpd[6341]: lost connection after EHLO
> from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:49:48 arnold postfix/smtpd[6341]: disconnect from
> c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:56:28 arnold postfix/smtpd[4671]: connect from
> c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:56:28 arnold postfix/smtpd[4671]: setting up TLS connection
> from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:56:29 arnold postfix/smtpd[4671]: TLS connection established
> from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]: TLSv1 with
> cipher DES-CBC3-SHA (168/168 bits)
> Dec 11 14:56:29 arnold postfix/smtpd[4671]: lost connection after EHLO
> from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:56:29 arnold postfix/smtpd[4671]: disconnect from
> c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> 
> The error I am getting now is that the server does not support any of
> the authentication methods. Before I was getting a greylist "try later"
> message. I think it is trying on port 25.
> 

so you have a SASL issue. you need to check the value of

smtpd_sasl_security_options
smtpd_sasl_tls_security_options

in particular, make sure the latter allows plaintext auth methods. you
can set it to
smtpd_sasl_tls_security_options = noanonymous

you can also do a test with telnet:

# telnet yourserver 25
...
EHLO host.example.com
...
QUIT

check the AUTH lines in the EHLO response.

> Wrapper mode is not on and if I try Thunderbird with SSL it does default
> to that port which is open in the firewall. But I get no attempted TLS
> connection. My syslog just tracks that the ip/mac address is hitting it.
> 

Thunderbird supports both "standard" mode (they call it "TLS") and
wrapper mode (they call it "SSL").

you need to test each mode independently. trying to debug multiple
problems at once is hard.

> I notice in my log that there is one other instance of 168 DES ciphers
> that appears to be failing while all other types appear to be working.
> Could that be the issue? If so how do I fix it?


Re: spammers using my mailserver through webmail

2008-12-11 Thread mouss
Magnus Bäck a écrit :
> On Thursday, December 11, 2008 at 19:25 CET,
>  mouss  wrote:
> 
>> smtpd_sender_restrictions =
>>  check_sender_access hash:/etc/postfix/mysenders
>>  reject_unauth_destination
>>  ...
>>
>>
>> == mysenders:
>> example.com  OK
>>
>> Note that this works for the envelope sender, not the From: or
>> reply-To: headers.
> 
> This method of course assumes that the webmail application submits
> messages via SMTP and not sendmail(1). From what the OP has written
> so far this is not necessarily the case.
> 

Indeed. I'm so used to smtp that I forget sendmail submission...


Re: "legacy" SSL and postfix smtp

2008-12-11 Thread Noel Jones

John Baker wrote:
> Ok, that could be it.
>
> The main culprit I am trying to figure out is Entourage (I just noticed
> a bunch of messages on that I should look through).
>
> The log for it looks like this:
>
> Dec 11 14:49:48 arnold postfix/smtpd[6341]: connect from
> c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:49:48 arnold postfix/smtpd[6341]: lost connection after EHLO
> from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:49:48 arnold postfix/smtpd[6341]: disconnect from
> c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:56:28 arnold postfix/smtpd[4671]: connect from
> c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:56:28 arnold postfix/smtpd[4671]: setting up TLS connection
> from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:56:29 arnold postfix/smtpd[4671]: TLS connection established
> from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]: TLSv1 with
> cipher DES-CBC3-SHA (168/168 bits)
> Dec 11 14:56:29 arnold postfix/smtpd[4671]: lost connection after EHLO
> from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
> Dec 11 14:56:29 arnold postfix/smtpd[4671]: disconnect from
> c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
>
> The error I am getting now is that the server does not support any of
> the authentication methods. Before I was getting a greylist "try later"
> message. I think it is trying on port 25.
>
> Wrapper mode is not on and if I try Thunderbird with SSL it does default
> to that port which is open in the firewall. But I get no attempted TLS
> connection. My syslog just tracks that the ip/mac address is hitting it.
>
> I notice in my log that there is one other instance of 168 DES ciphers
> that appears to be failing while all other types appear to be working.
> Could that be the issue? If so how do I fix it?


[please don't top-post]

You have two possible problems - TLS and authentication.  Try 
to separate them to see which one is working.


Remove the "smtpd_tls_auth_only = yes" setting from main.cf 
temporarily and see if your client can authenticate without 
TLS.  Then try submitting mail using TLS without authentication.


The DES-CBC3-SHA 168 bit cipher seems reasonably common (here, 
nearly 10% of connections) so I don't think that's the problem 
unless your OpenSSL is broken.  You can (temporarily) disable 
this cipher with

smtpd_tls_exclude_ciphers = DES-CBC3-SHA
but you probably shouldn't, disabling ciphers can cause 
interoperability problems.


If you have a recent postfix you can adjust the syslog name of 
the different master.cf services so postfix logs which service 
was used.  Cheap example:

submission ... smtpd
  -o syslog_name=postfix-submission

I still think you should enable the smtps port 465 with 
wrappermode to support legacy MS clients.  There should be a 
commented-out smtps entry in your master.cf.  You may also 
need to adjust your firewall settings.


But the smtps thingy won't help T-bird.  That sounds as if you 
have a problem with your authentication.  Make sure your 
server offers both PLAIN and LOGIN auth mechanisms, and during 
testing nothing else.


You can test your TLS connection with openssl s_client; note 
that s_client is not a direct replacement for telnet, so might 
give "unexpected" (but documented) behavior if you try to do a 
whole SMTP session.

# openssl s_client -connect hostname:25 -starttls smtp
(after a bunch of TLS handshake info you should get the 220 
greeting banner).  Entering "ehlo fred" should give the server 
response including the AUTH mechanisms supported.  That's 
enough to tell that TLS is very likely working correctly, so 
you can enter "quit".


--
Noel Jones
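As an added example (not code from the thread), a small Python script that groups smtpd log lines like the ones quoted above into sessions and reports, per session, whether the TLS half or the authentication half went wrong, which is the separation Noel recommends. The log lines in it are constructed with example.net clients, and the postfix-submission service name assumes the syslog_name override shown above.

```python
import re

# Constructed sample, not the thread's log: the same smtpd line formats as
# quoted above, plus one service renamed via "-o syslog_name=postfix-submission".
SAMPLE_LOG = """\
Dec 11 14:49:48 arnold postfix/smtpd[6341]: connect from client1.example.net[192.0.2.10]
Dec 11 14:49:48 arnold postfix/smtpd[6341]: lost connection after EHLO from client1.example.net[192.0.2.10]
Dec 11 14:49:48 arnold postfix/smtpd[6341]: disconnect from client1.example.net[192.0.2.10]
Dec 11 14:56:28 arnold postfix/smtpd[4671]: connect from client1.example.net[192.0.2.10]
Dec 11 14:56:28 arnold postfix/smtpd[4671]: setting up TLS connection from client1.example.net[192.0.2.10]
Dec 11 14:56:29 arnold postfix/smtpd[4671]: TLS connection established from client1.example.net[192.0.2.10]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Dec 11 14:56:29 arnold postfix/smtpd[4671]: lost connection after EHLO from client1.example.net[192.0.2.10]
Dec 11 14:56:29 arnold postfix/smtpd[4671]: disconnect from client1.example.net[192.0.2.10]
Dec 11 15:02:10 arnold postfix-submission/smtpd[5120]: connect from client2.example.net[192.0.2.20]
Dec 11 15:02:10 arnold postfix-submission/smtpd[5120]: setting up TLS connection from client2.example.net[192.0.2.20]
Dec 11 15:02:11 arnold postfix-submission/smtpd[5120]: TLS connection established from client2.example.net[192.0.2.20]: TLSv1 with cipher AES256-SHA (256/256 bits)
Dec 11 15:02:11 arnold postfix-submission/smtpd[5120]: 1A2B3C4D5E: client=client2.example.net[192.0.2.20], sasl_method=PLAIN, sasl_username=alice
Dec 11 15:02:12 arnold postfix-submission/smtpd[5120]: disconnect from client2.example.net[192.0.2.20]
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<service>[\w-]+)/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
TLS_RE = re.compile(
    r'^TLS connection established from \S+: (?P<proto>\S+) with cipher (?P<cipher>\S+)')
SASL_RE = re.compile(r'sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)')
LOST_RE = re.compile(r'^lost connection after (?P<stage>[A-Z-]+) from ')


def parse_sessions(text):
    """Group smtpd log lines into sessions keyed by (service, pid).

    A session runs from "connect from" to "disconnect from"; PIDs are reused
    over time, so the key only identifies a session while it is open.
    """
    open_sessions = {}
    finished = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not an smtpd line
        key = (m['service'], m['pid'])
        msg = m['msg']
        if msg.startswith('connect from '):
            open_sessions[key] = {
                'service': m['service'], 'pid': int(m['pid']),
                'client': msg[len('connect from '):],
                'tls': None, 'sasl_user': None, 'lost_after': None,
            }
            continue
        s = open_sessions.get(key)
        if s is None:
            continue                        # session start not in this excerpt
        tls, sasl, lost = TLS_RE.match(msg), SASL_RE.search(msg), LOST_RE.match(msg)
        if tls:
            s['tls'] = (tls['proto'], tls['cipher'])
        elif sasl:
            s['sasl_user'] = sasl['user']
        elif lost:
            s['lost_after'] = lost['stage']
        elif msg.startswith('disconnect from '):
            finished.append(open_sessions.pop(key))
    return finished


def diagnose(s):
    """Say which half failed, TLS or authentication, for one finished session."""
    if s['sasl_user']:
        return 'ok: authenticated as %s' % s['sasl_user']
    if s['lost_after'] == 'STARTTLS':
        return 'tls: client gave up during the TLS handshake'
    if s['lost_after'] == 'EHLO':
        if s['tls'] is None:
            # Typical when smtpd_tls_auth_only = yes hides AUTH before STARTTLS
            # and the client will not negotiate TLS.
            return 'auth: client dropped after plaintext EHLO (no AUTH offered yet?)'
        # The handshake succeeded, so the cipher is not the problem; the client
        # did not like the AUTH mechanisms advertised inside TLS.
        return ('auth: TLS %s/%s fine, client dropped after EHLO '
                '(check smtpd_sasl_tls_security_options and offered mechanisms)'
                % s['tls'])
    if s['lost_after']:
        return 'other: lost connection after %s' % s['lost_after']
    return 'ok: clean disconnect without authentication'


def report(text):
    """One (service, pid, client, verdict) tuple per finished session."""
    return [(s['service'], s['pid'], s['client'], diagnose(s))
            for s in parse_sessions(text)]


if __name__ == '__main__':
    for row in report(SAMPLE_LOG):
        print('%s[%d] %s: %s' % row)
```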


Re: "legacy" SSL and postfix smtp

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 03:07:47PM -0600, Noel Jones wrote:

> The DES-CBC3-SHA 168 bit cypher seems reasonably common (here, 
> nearly 10% of connections)

SSL with DES-CBC3-SHA is broken in pre-Vista versions of Windows,
so if a Windows client is using the SSL support in Microsoft's
Crypto API, that could be an issue.

-- 
Viktor.



Re: Minimal MTA/ MDA for local mail only - hack

2008-12-11 Thread Gaute Amundsen
On Thursday 11 December 2008 21:38:58 Victor Duchovni wrote:
> On Thu, Dec 11, 2008 at 09:34:31PM +0100, Gaute Amundsen wrote:
> > How about this?
> > Even more off topic!
> >
> > But so far this seems to work for me.
> > Kmail "could not write lockfile" when reading the mbox, but "FCNTL"
> > worked, whatever that means :)
> > Considerable room for improvement I'm sure, but in principle?
> >
> > Suggestions welcome :)
> >
> > Gaute
> >
> > /usr/bin/sendmail:
> >
> > #!/usr/bin/python
> >
> > import mailbox
> > import sys
> > import email
> > from time import gmtime, strftime
> >
> > mbox = mailbox.mbox('/var/mail/root', factory=None, create=True)
> >
> > msg = email.message_from_file(sys.stdin)
> > msg['From'] = 'r...@localhost'
> > msg['Date']= strftime("%a, %d %b %Y %H:%M:%S +", gmtime())
>
> The problem is that users other than the owner of the mailbox may
> need to send mail... So you need either a setuid sendmail(1) or
> a system like Postfix with multiple processes at different privilege
> levels and IPC between them.

Well, that could hardly be much of a problem in this case?
As long as there is only me and the daemons, and nobody else expects their 
mail to go out. After all I have not missed a mta on this laptop for years..
 
Actually I had just naively set a+wr on the mbox, but setuid might be better 
yes :) 

Btw. I don't think I am alone in this situation. I have noticed smartmontools 
on ubuntu jumps through all sorts of custom hoops with "smart-notifier" to get 
its alerts raised. A utility like this hack would solve that for the general 
case...

Gaute



Re: fight spam problem: sender equal to receiver

2008-12-11 Thread mouss
Roland Plüss wrote:
> I only enclosed the HTML tags in the email body with comment marks. The
> logs are unaltered except hidding one email address.
> 

so what logs are these? I mean, how were these logs generated?


Dec 10 18:03:41 [postfix/smtpd] connect from
99-206-220-166.pools.spcsdns.net[99.206.220.166]

a standard unix log line would look like this:

Dec 10 18:03:41 yourhost postfix/smtpd[390]: connect from
99-206-220-166.pools.spcsdns.net[99.206.220.166]

In particular, it has the pid (the [390] in this example).

if you followed the "mentioned threads", then that mail should have been
blocked. your sender_access should contain

rptd.ch REJECT not authorized blah blah

do not forget to postmap the file.


> What goes for zen.spamhaus.org... I've got this one in my config... but
> it seems to not work ( host not found ).

try

$ host 2.0.0.127.zen.spamhaus.org

This should return

2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2


Note that spamhaus require you to pay for a feed if you query them too
much. so if you get a lot of mail, you'll need a feed. Also, if you
forward DNS queries to your ISP, and your ISP doesn't pay for a feed,
then your queries will be blocked as well.


you could also reject "dynamic like" helo names with a
check_helo_access pcre:/etc/postfix/access_helo.pcre

== access_helo.pcre
/^\d+([-\.]\d+){3}\./   REJECT dynamic like helo hostname. Please fix your HELO or use your ISP relay

WARNING: untested/unvalidated/no warranty/...

Examples have been posted on the list (more or less recently).


In another post, you wrote:
> SASL is a problem. I tried doing it once but as soon as I enable the
> entire system totally breaks. I tried various tuts and howtos but to
> no avail. SASL stays broken and I can't get it working. I'm running
> hardened 64bit here and postfix crashes left and right if not compiled
> with a no-pie compiler. With SASL compiled in it also crashes left and
> right with a no-pie compiler so I'm somehow forced to find another way
> around this problem.

you can try dovecot sasl implementation, if you have a recent postfix.
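The checks mouss describes, written out as an added example in Python (not code from the thread or from Postfix): building the reversed-octet name an rbl lookup queries, reading the answer from the ZEN zone, the posted dynamic-HELO regexp, and a simplified emulation of the check_sender_access lookup order. The ZEN code names and the lookup order are my assumptions from Spamhaus and Postfix documentation, and the helper names are hypothetical.

```python
import ipaddress
import re

# The "dynamic like" HELO pattern from the access_helo.pcre posted above.
DYNAMIC_HELO_RE = re.compile(r"^\d+([-.]\d+){3}\.")

# Spamhaus ZEN return codes (names per Spamhaus documentation, assumed here);
# the three addresses are the ones the thread shows for the 2.0.0.127 test.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.4": "XBL", "127.0.0.10": "PBL"}


def dnsbl_query_name(client_ip, zone="zen.spamhaus.org"):
    """Build the reversed-octet name an rbl check queries for client_ip.

    127.0.0.2 becomes 2.0.0.127.zen.spamhaus.org, the test name mouss asks
    the poster to resolve with host(1).
    """
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on garbage
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone


def interpret_zen_answer(addresses):
    """Translate the A records returned for a ZEN query into list names.

    An empty answer (NXDOMAIN) means "not listed".  Unknown 127.x values are
    passed through rather than treated as a listing, so a changed
    return-code scheme is noticed instead of silently rejecting mail.
    """
    return sorted(ZEN_CODES.get(a, "unknown:" + a) for a in addresses)


def helo_looks_dynamic(helo):
    """Apply the posted regexp: four numbers joined by - or . then a dot.

    Note that an address literal such as [99.206.220.166], which is a legal
    HELO argument, does not match because it starts with '['.
    """
    return DYNAMIC_HELO_RE.search(helo) is not None


def sender_access_verdict(envelope_sender, access_map):
    """Simplified emulation (hypothetical helper) of check_sender_access.

    Postfix tries the full address, then the domain, then each parent domain
    (smtpd_access_maps is in parent_domain_matches_subdomains by default),
    then localpart@.  This version stops before the bare top-level label.
    Returns the first matching map value, or None when nothing matches.
    """
    localpart, _, domain = envelope_sender.rpartition("@")
    labels = domain.split(".")
    candidates = [envelope_sender]
    candidates += [".".join(labels[i:]) for i in range(len(labels) - 1)]
    candidates.append(localpart + "@")
    for key in candidates:
        if key in access_map:
            return access_map[key]
    return None
```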


Re: Minimal MTA/ MDA for local mail only - hack

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 10:17:09PM +0100, Gaute Amundsen wrote:

> > The problem is that users other than the owner of the mailbox may
> > need to send mail... So you need either a setuid sendmail(1) or
> > a system like Postfix with multiple processes at different privilege
> > levels and IPC between them.
> 
> Well, that could hardly be much of a problem in this case?
> As long as there is only me and the daemons, and nobody else expects their 
> mail to go out. After all I have not missed a mta on this laptop for years..
>  
> Actually I had just naively set a+wr on the mbox, but setuid might be better 
> yes :) 

So long as you are willing to configure your mailbox mode 0666, sure,
your python script may work (given a locking scheme compatible with
the mail reader). Otherwise, Sendmail (not too new, so that local
submission is not punted to a loopback SMTP server) is not a bad bet.

-- 
Viktor.


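An added example, not Gaute's script and not Postfix code, of the local delivery step done with the locking Viktor refers to and without the Date header defect in the posted snippet: it takes the mailbox module's dot-lock/flock/fcntl locks around the append and fills in From and Date only when the message lacks them. The mailbox path, default sender and sample messages are constructed for the demo.

```python
import email
import email.utils
import mailbox
import os
import tempfile


def deliver_local(raw_message, mbox_path, default_sender="root@localhost"):
    """Append one message to an mbox file; return the message count afterwards.

    raw_message is the text a cron job or daemon pipes into sendmail.
    """
    msg = email.message_from_string(raw_message)
    # Only add headers that are missing: msg["X"] = value appends a second
    # header when one already exists, it does not replace it.
    if "From" not in msg:
        msg["From"] = default_sender
    if "Date" not in msg:
        # formatdate() yields a full RFC 2822 date with a numeric zone,
        # which the posted strftime("... +") format does not.
        msg["Date"] = email.utils.formatdate(localtime=True)
    box = mailbox.mbox(mbox_path, create=True)
    # lock() takes the dot-lock, flock and fcntl locks, so an mbox reader
    # that uses fcntl locking (the setting that worked for Kmail above)
    # does not see a half-written message.
    box.lock()
    try:
        box.add(msg)
        box.flush()
        count = len(box)
    finally:
        box.unlock()
        box.close()
    return count


def demo():
    """Deliver two constructed messages to a temporary mbox and read them back."""
    path = os.path.join(tempfile.mkdtemp(), "root")  # constructed, not /var/mail
    # Constructed sample input: one message without From/Date, one with both.
    first = "To: root\nSubject: disk test\n\nSMART self-test passed.\n"
    second = ("From: smartd@laptop\nDate: Thu, 11 Dec 2008 21:38:58 +0100\n"
              "To: root\nSubject: alert\n\nTemperature high.\n")
    n1 = deliver_local(first, path)
    n2 = deliver_local(second, path)
    box = mailbox.mbox(path)
    msgs = list(box)
    box.close()
    return {
        "counts": (n1, n2),
        "from_headers": [m["From"] for m in msgs],
        "dates_present": all(m["Date"] for m in msgs),
        "second_date": msgs[1]["Date"],
    }


if __name__ == "__main__":
    print(demo())
```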

Re: fight spam problem: sender equal to receiver

2008-12-11 Thread Roland Plüss

> so what logs are these? I mean, how were these logs generated?
>   
vixie-cron
> if you followed the "mentioned threads", then that mail should have been
> blocked. your sender_access should contain
>
> rptd.ch   REJECT not authorized blah blah
>
> do not forget to postmap the file.
>   
I can try adding this line. But didn't this thread mention "potential
problems" with this setup?
> Note that spamhaus require you to pay for a feed if you query them too
> much. so if you get a lot of mail, you'll need a feed. Also, if you
> forward DNS queries to your ISP, and your ISP doesn't pay for a feed,
> then your queries will be blocked as well.
>   
What kind of numbers for "not too many" do we talk here?
> you can try dovecot sasl implementation, if you have a recent postfix.
>   
I've got mail-mta/postfix-2.5.5 , should this work?

-- 
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )





Re: fight spam problem: sender equal to receiver

2008-12-11 Thread mouss
Roland Plüss wrote:
>> so what logs are these? I mean, how were these logs generated?
>>   
> vixie-cron

so they are not logs. these are reports.

next time, connect to your server and grab lines from /var/log/maillog
(or whatever file contains postfix logs). not necessary now.


>> if you followed the "mentioned threads", then that mail should have been
>> blocked. your sender_access should contain
>>
>> rptd.ch  REJECT not authorized blah blah
>>
>> do not forget to postmap the file.
>>   
> I can try adding this line. But didn't this thread mentioned "potential
> problems" with this setup?

it really depends on your setup and/or policy.

>> Note that spamhaus require you to pay for a feed if you query them too
>> much. so if you get a lot of mail, you'll need a feed. Also, if you
>> forward DNS queries to your ISP, and your ISP doesn't pay for a feed,
>> then your queries will be blocked as well.
>>   
> What kind of numbers for "not too many" do we talk here?

http://www.spamhaus.org/organization/dnsblusage.html

if you generate 300,000 DNS queries per day, you need a feed... but you
forgot to run the test command... (host 2.0.).

>> you can try dovecot sasl implementation, if you have a recent postfix.
>>   
> I've got mail-mta/postfix-2.5.5 , should this work?
> 


dovecot is supported in "2.3 and later". but your package may have been
built without it. run
# postconf -a
and see if "dovecot" is listed in the output.

read
http://www.postfix.org/SASL_README.html
for more.


Re: "legacy" SSL and postfix smtp

2008-12-11 Thread Noel Jones

Victor Duchovni wrote:
> On Thu, Dec 11, 2008 at 03:07:47PM -0600, Noel Jones wrote:
>
>> The DES-CBC3-SHA 168 bit cypher seems reasonably common (here, 
>> nearly 10% of connections)
>
> SSL with DES-CBC3-SHA is broken in pre-Vista version of Windows,
> so if a Windows client is using the SSL support in Microsoft's
> Crypto API, that could be an issue.

I miscounted earlier, my overly-simple grep included things 
such as "EDH-RSA-DES-CBC3-SHA" in the total.


Occurrences of "cipher DES-CBC3-SHA" turn out to be pretty 
rare here - less than 0.1% rather than the 10% I quoted 
earlier.  YMMV.


So maybe disabling DES-CBC3-SHA isn't a bad thing, at least 
for testing.


--
Noel Jones
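An added example (not Noel's grep, not Postfix code) that tallies the cipher names on Postfix's "TLS connection established" log lines by exact match, so EDH-RSA-DES-CBC3-SHA is no longer counted as DES-CBC3-SHA, and that can split the totals by the per-service syslog_name suggested in the earlier post. The log line format is assumed from Postfix 2.x and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed shape of the Postfix TLS log line; the syslog_name part is what
# "-o syslog_name=postfix-submission" in master.cf changes.
TLS_LINE_RE = re.compile(
    r"(?P<syslog_name>[\w-]+)/(?P<service>\w+)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+): (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

# Constructed sample log (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = """\
Dec 11 15:01:02 mx postfix/smtpd[4011]: Anonymous TLS connection established from a.example.net[192.0.2.10]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Dec 11 15:01:07 mx postfix/smtpd[4012]: Anonymous TLS connection established from b.example.net[192.0.2.11]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
Dec 11 15:02:15 mx postfix-submission/smtpd[4020]: Untrusted TLS connection established from c.example.org[198.51.100.5]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Dec 11 15:03:44 mx postfix/smtpd[4031]: Anonymous TLS connection established from d.example.net[192.0.2.12]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Dec 11 15:04:01 mx postfix/smtp[4040]: Untrusted TLS connection established to mail.example.com[203.0.113.7]:25: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
Dec 11 15:04:30 mx postfix/smtpd[4050]: connect from e.example.net[192.0.2.13]
"""


def parse_tls_lines(log_text):
    """Yield one dict per TLS-established line; other lines are skipped."""
    for line in log_text.splitlines():
        m = TLS_LINE_RE.search(line)
        if m:
            yield m.groupdict()


def cipher_counts(log_text, service=None, syslog_name=None):
    """Count negotiated ciphers by exact name, optionally per service/name."""
    counts = Counter()
    for rec in parse_tls_lines(log_text):
        if service and rec["service"] != service:
            continue
        if syslog_name and rec["syslog_name"] != syslog_name:
            continue
        counts[rec["cipher"]] += 1
    return counts


def naive_grep_count(log_text, needle):
    """The substring count that inflated the earlier 10% figure."""
    return sum(1 for line in log_text.splitlines() if needle in line)


def cipher_share(log_text, cipher, service="smtpd"):
    """Fraction of a service's TLS sessions that used exactly this cipher."""
    counts = cipher_counts(log_text, service=service)
    total = sum(counts.values())
    return counts[cipher] / total if total else 0.0


if __name__ == "__main__":
    print("grep:", naive_grep_count(SAMPLE_LOG, "DES-CBC3-SHA"))
    print("exact:", cipher_counts(SAMPLE_LOG))
    print("share:", cipher_share(SAMPLE_LOG, "DES-CBC3-SHA"))
```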


Re: fight spam problem: sender equal to receiver

2008-12-11 Thread Roland Plüss

> so they are not logs. these are reports.
>
> next time, connect to your server and grab lines from /var/log/maillog
> (or whatever file contains postfix logs). not necessary now.
>   
I don't have such a file. All logs go into the one I posted managed by
vixie-cron.
> it really depends on your setup and/or policy.
>   
Tried it. I'm still getting the same spam which clearly matches this
rule but it doesn't seem to work. Are they using a work-around to trick
postfix?
> http://www.spamhaus.org/organization/dnsblusage.html
>
> if you generate 300,000 DNS queries per day, you need a feed... but you
> forgot to run the test command... (host 2.0.).
>   
Do we talk of "DNS" queries or conventional queries ( per mail ). Since
I've got a DNS server on my machine which would already capture all DNS
queries.
> dovecot is supported in "2.3 and later". but your package may have been
> built without it. run
> # postconf -a
> and see if "dovecot" is listed in the output.
>
> read
>   http://www.postfix.org/SASL_README.html
> for more.
>   
No, all empty. I'll have a closer look into this one this weekend.

-- 
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )





BUG: postfix does not comply with RFC 2821

2008-12-11 Thread klondike
According to section 4.2.4 of RFC 2821, the SMTP server should return
502 only when a command is recognised but not implemented, and 500 if it
isn't recognised.

When I connect to my postfix server and enter some random commands (i.e.
knodwfonfwdnoi) I get a 502 error message instead of a 500. So I suppose
that in order to accomplish with RFC 2821 it should return a 500 error
instead.





Re: Weird disconnections after RCPT using TLS

2008-12-11 Thread Jesús Manuel Loaiza Vidal

Victor Duchovni wrote:
> On Thu, Dec 11, 2008 at 01:25:11PM -0700, Jesús Manuel Loaiza Vidal wrote:
>
>> Victor Duchovni wrote:
>>> On Thu, Dec 11, 2008 at 12:47:20PM -0700, Jesús Manuel Loaiza Vidal wrote:
>>>
>>>> Full log with strace is now in postfix-strace.txt
>>>> (http://www.ich.edu.mx/attachments/postfix-strace.txt)
>>>
>>> This is still the old log from Dec 9th. Please post just otherwise
>>> normal logging from smtpd with smtpd_tls_loglevel=2 for a *single*
>>> failed session and a raw PCAP capture file of that same failed session.
>>>
>>> Please describe the view of this from the SMTP client, and exactly
>>> what client you are using, and how you are using it.
>>
>> The client doesn't matter, same problem from Thunderbird, Outlook,
>> s_client.
>
> Please send plain-text email, not HTML. Please post the requested logging
> and PCAP file, using one of the real clients (not s_client) would be ideal.

Normal logging without -v parameter?


Local & remote delivery?

2008-12-11 Thread Ville Walveranta
Hello everybody,

In virtual_mailbox_maps I can define:

someu...@somelocaldomain.com  somelocaldomain.com/someuser/

or, in virtual_alias_maps I can set:

someu...@somelocaldomain.com  anotheracco...@someplaceelse.com

But how do I combine these so that mail received by
someu...@somelocaldomain.com would be both delivered to the local mailbox
and forwarded to the remote address? The same recipient should not be
defined both in virtual_mailbox_maps and in virtual_alias_maps, should it?

Ville


Re: Local & remote delivery?

2008-12-11 Thread Ville Walveranta
Nevermind... this was sufficiently answered in a recent discussion "Alias
and mailbox under one e-mail address".

Either this kind of questions repeat frequently enough, or it's an
interesting co-incidence that the same issues I'm tackling with are often
discussed on the list just around the same time. :-)

Ville


Re: Local & remote delivery?

2008-12-11 Thread Ville Walveranta
To continue on this issue... I was able to get the functionality I was
looking for by first creating an alias with multiple recipients on the local
domain, then using that alias in recipient_bcc_maps to send a copy of a
message delivered to a local mailbox to multiple external recipients (as
recipient_bcc_maps doesn't directly accept multiple recipients).

Is this the easiest way to send a copy of a message delivered to a local
mailbox to multiple recipients (local or remote)?

Ville


Re: Weird disconnections after RCPT using TLS

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 06:02:34PM -0700, Jesús Manuel Loaiza Vidal wrote:

> >Please send plain-text email, not HTML. Please post the requested logging
> >and PCAP file, using one of the real clients (not s_client) would be ideal.
> >

> Normal logging without -v parameter?

Yes, all the verbose logging is just hiding the TLS issues. If you
have a TLS transport issue, the problem is a communications problem,
and we need to focus primarily on the communications. Try:

# The host you want to debug
debug_peer_list = 192.0.2.1
# 1 is enough.
debug_peer_level = 1

This will reduce the noise a bit, but still log clear-text protocol
interactions, so we can tell when in the SMTP protocol the TLS layer
is failing.


-- 
Viktor.



Re: Local & remote delivery?

2008-12-11 Thread Sahil Tandon
Ville Walveranta wrote:

> To continue on this issue... I was able to get the functionality I was
> looking for by first creating an alias with multiple recipients on the local
> domain, then using that alias in recipient_bcc_maps to send a copy of a
> message delivered to a local mailbox to multiple external recipients (as
> recipient_bcc_maps doesn't directly accept multiple recipients).
> 
> Is this the easiest way to send a copy of a message delivered to a local
> mailbox to multiple recipients (local or remote)?

Why use recipient_bcc_maps?

/etc/postfix/main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:
u...@domain.tld u...@domain.tld, u...@domain2.tld

In the example above, domain.tld can be a virtual_mailbox_domain while
domain2.tld is an external domain.  You can modify the virtual file as
necessary for delivery to local users, additional virtual users or
external destinations.

-- 
Sahil Tandon 


Re: Local & remote delivery?

2008-12-11 Thread Ville Walveranta
Thanks, Sahil!  That is certainly simpler and seems to work well.

Ville


Postfix does not dot the i's when client sends gibberish

2008-12-11 Thread Victor Duchovni
On Fri, Dec 12, 2008 at 12:59:41AM +0100, klondike wrote:

> According to section 4.2.4 of RFC 2821, the SMTP server should return
> 502 only when a command is recognised but not implemented, and 500 if it
> isn't recognised.

This is not a bug, but it is admittedly an unnecessary deviation from
SHOULD normative language in the RFC when the client is in flagrant
violation by sending garbage.

> When I connect to my postfix server and enter some random commands (i.e.
> knodwfonfwdnoi) I get a 502 error message instead of a 500. So I suppose
> that in order to accomplish with RFC 2821 it should return a 500 error
> instead.

If you need RFC conformance for invalid client commands, here's a patch
that works for the latest 2.6 snapshot, and likely also for 2.5.5. The
part you want is the second "hunk", but may as well pick another nit
while we're at it:

Index: src/smtpd/smtpd.c
--- src/smtpd/smtpd.c   6 Dec 2008 08:12:25 -   1.1.1.16.2.2
+++ src/smtpd/smtpd.c   12 Dec 2008 03:40:42 -
@@ -3230,7 +3230,7 @@
 }
 if (argc != 2) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
-   smtpd_chat_reply(state, "500 Syntax: ETRN domain");
+   smtpd_chat_reply(state, "501 Syntax: ETRN domain");
return (-1);
 }
 if (argv[1].strval[0] == '@' || argv[1].strval[0] == '#')
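Review bot: the new `501 Syntax: ETRN domain` reply in this hunk carries no enhanced status code, while the reply changed in the second hunk keeps its `5.5.2`; for consistency within the patch, consider giving this one its RFC 3463 code as well (`501 5.5.4 Syntax: ETRN domain`, where 5.5.4 is "invalid command arguments"). The status change itself is the right nit: a recognised command with the wrong number of arguments is the 501 case, not the generic 500 syntax error.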
@@ -4394,7 +4394,7 @@
&& (err = check_milter_reply(state, err)) != 0) {
smtpd_chat_reply(state, err);
} else
-   smtpd_chat_reply(state, "502 5.5.2 Error: command not 
recognized");
+   smtpd_chat_reply(state, "500 5.5.2 Error: command not 
recognized");
state->error_mask |= MAIL_ERROR_PROTOCOL;
state->error_count++;
continue;
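Review bot: the replaced string literal in this hunk is split across two lines (`... "502 5.5.2 Error: command not` / `recognized");`, and likewise for the `+` line), which is mail-client wrapping, not part of the change; both the `-` and `+` lines have to be rejoined onto one line before `patch` will match and the file will compile. The 500 itself agrees with the `5.5.2` (syntax error) enhanced code already present, and the unchanged context shows `error_mask` and `error_count` are still bumped after the reply, so the penalty handling for garbage commands is unaffected.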

-- 
Viktor.



Re: Postfix does not dot the i's when client sends gibberish

2008-12-11 Thread Larry Stone
On 12/11/08 9:41 PM, Victor Duchovni at victor.ducho...@morganstanley.com
wrote:

> On Fri, Dec 12, 2008 at 12:59:41AM +0100, klondike wrote:
> 
>> According to section 4.2.4 of RFC 2821, the SMTP server should return
>> 502 only when a command is recognised but not implemented, and 500 if it
>> isn't recognised.
> 
> This is not a bug, but it is admittedly an unnecessary deviation from
> SHOULD normative language in the RFC when the client is in flagrant
> violation by sending garbage.

At the risk of moving away from Postfix technical issues, RFC 2821 is poorly
written. SHOULD, despite much misuse in commonly used English, is the past
tense of SHALL. Something that SHALL be done is mandatory yet in common but
incorrect use, SHOULD is often used to mean present tense MAY (as in you can
do so but it is not mandatory). As a formal document, the RFC ought to say
either SHALL (mandatory) or MAY (optional) with SHOULD, being in the past
tense, completely incorrect in the context of that paragraph. Unfortunately,
given the incorrect use of SHOULD, it is unclear to me what the RFC really
means.

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/




Re: Postfix does not dot the i's when client sends gibberish

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 10:53:18PM -0600, Larry Stone wrote:

> > This is not a bug, but it is admittedly an unecessary deviation from
> > SHOULD normative language in the RFC when the client is in flagrant
> > violation by sending garbage.
> 
> At the risk of moving away from Postfix technical issues, RFC 2821 is poorly
> written. SHOULD, despite much misuse in commonly used English, is the past
> tense of SHALL. Something that SHALL be done is mandatory yet in common but
> incorrect use, SHOULD is often used to mean present tense MAY (as in you can
> do so but it is not mandatory). As a formal document, the RFC ought to say
> either SHALL (mandatory) or MAY (optional) with SHOULD, being in the past
> tense, completely incorrect in the context of that paragraph. Unfortunately,
> given the incorrect use of SHOULD, it is unclear to me what the RFC really
> means.

You *should* next read:

http://tools.ietf.org/html/rfc2119

-- 
Viktor.



OT: RE: Postfix does not dot the i's when client sends gibberish

2008-12-11 Thread MacShane, Tracy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Larry Stone
> Sent: Friday, 12 December 2008 3:53 PM
> To: postfix-users@postfix.org
> Subject: Re: Postfix does not dot the i's when client sends gibberish
> 
> On 12/11/08 9:41 PM, Victor Duchovni at 
> victor.ducho...@morganstanley.com
> wrote:
> 
> > On Fri, Dec 12, 2008 at 12:59:41AM +0100, klondike wrote:
> > 
> >> According to section 4.2.4 of RFC 2821, the SMTP server should 
> >> return
> >> 502 only when a command is recognised but not implemented, 
> and 500 if 
> >> it isn't recognised.
> > 
> > This is not a bug, but it is admittedly an unnecessary deviation from
> > SHOULD normative language in the RFC when the client is in flagrant 
> > violation by sending garbage.
> 
> At the risk of moving away from Postfix technical issues, RFC 
> 2821 is poorly written. SHOULD, despite much misuse in 
> commonly used English, is the past tense of SHALL. Something 
> that SHALL be done is mandatory yet in common but incorrect 
> use, SHOULD is often used to mean present tense MAY (as in 
> you can do so but it is not mandatory). As a formal document, 
> the RFC ought to say either SHALL (mandatory) or MAY 
> (optional) with SHOULD, being in the past tense, completely 
> incorrect in the context of that paragraph. Unfortunately, 
> given the incorrect use of SHOULD, it is unclear to me what 
> the RFC really means.
> 
> --
> Larry Stone
> lston...@stonejongleux.com
> http://www.stonejongleux.com/
> 

I don't know when it happened (I don't have the OED to hand), but for
quite some time (at least decades), "should" has not *solely* been the
past tense of "shall". As an _auxiliary_ verb, it has the following
accepted senses:

1. ought (to be or do something); Indicates that the subject of the
sentence has some obligation to execute the sentence predicate. 
You should go to the doctor if you have a severe fever. 
2. will likely (become or do something) Indicates that the subject of
the sentence is likely to execute the sentence predicate. 
You should be fine soon if he treats you with an anti-pyretic. 
3. If; in case of; Indicates that its subordinate clause refers to a
hypothetical condition for the event expressed by main clause. 
Should you need to contact the doctor right away, you will need to use
the after-hours number.

To insist you don't understand a common and accepted modern usage of
"should" is disingenuous in the extreme. I do think "ought" is often
better in formal documentation, though. But as long as the use of a term
is clearly defined in a document - as it is in the RFCs - it actually
doesn't matter what might be "correct". Technical, scientific and
academic English can be quite different to Standard English.


Re: "legacy" SSL and postfix smtp

2008-12-11 Thread Victor Duchovni
On Thu, Dec 11, 2008 at 04:44:08PM -0600, Noel Jones wrote:

> Victor Duchovni wrote:
> >On Thu, Dec 11, 2008 at 03:07:47PM -0600, Noel Jones wrote:
> >
> >>The DES-CBC3-SHA 168 bit cypher seems reasonably common (here, 
> >>nearly 10% of connections)
> >
> >SSL with DES-CBC3-SHA is broken in pre-Vista version of Windows,
> >so if a Windows client is using the SSL support in Microsoft's
> >Crypto API, that could be an issue.
> >
> 
> I miscounted earlier, my overly-simple grep included things 
> such as "EDH-RSA-DES-CBC3-SHA" in the total.
> 
> Occurrences of "cipher DES-CBC3-SHA" turn out to be pretty 
> rare here - less than 0.1% rather than the 10% I quoted 
> earlier.  YMMV.
> 
> So maybe disabling DES-CBC3-SHA isn't a bad thing, at least 
> for testing.

Generally, (unless one disables RC4, or Windows is re-configured to prefer
3DES), the same Windows systems choose RC4-MD5 ahead of all other ciphers,
so the breakage is rarely seen. I would not disable DES-CBC3-SHA on the
Postfix SMTP server, but if sending from Windows, I would fix whatever
registry setting is causing Windows to use its broken implementation.

-- 
Viktor.



Re: fight spam problem: sender equal to receiver

2008-12-11 Thread mouss
Roland Plüss wrote:
>> so they are not logs. these are reports.
>>
>> next time, connect to your server and grab lines from /var/log/maillog
>> (or whatever file contains postfix logs). not necessary now.
>>   
> I don't have such a file. All logs go into the one I posted managed by
> vixie-cron.

No. cron doesn't "manage" logs. cron runs log parsers that generate
reports. but the logs are somewhere on your system. if you are using a
standard syslogd, then you can find the path in /etc/syslog.conf. if you
can't find them, you'll need to ask on a forum dedicated to your OS.

>> it really depends on your setup and/or policy.
>>   
> Tried it. I'm still getting the same spam which clearly matches this
> rule but it doesn't seem to work. Are they using a work-around to trick
> postfix?

that check only blocks specific spam: spam that uses an address in your
domain in the envelope sender (MAIL FROM command). this envelope sender
is what you see in the Return-Path header in the sample you posted.

>> http://www.spamhaus.org/organization/dnsblusage.html
>>
>> if you generate 300,000 DNS queries per day, you need a feed... but you
>> forgot to run the test command... (host 2.0.).
>>   
> Do we talk of "DNS" queries of conventional queries ( per mail ). Since
> I've got a DNS server on my machine which would already capture all DNS
> queries.

instead of spending time on theory, why don't you run the command that I
told you?
$ host 2.0.0.127.zen.spamhaus.org

and yes, the 300,000 are DNS queries. if you don't get a lot of mail,
then your DNS server won't be blocked, unless it forwards queries to
your ISP.

>> dovecot is supported in "2.3 and later". but your package may have been
>> built without it. run
>> # postconf -a
>> and see if "dovecot" is listed in the output.
>>
>> read
>>  http://www.postfix.org/SASL_README.html
>> for more.
>>   
> No, all empty. I'll have a closer look into this one this weekend.
> 

so you need to rebuild/reinstall it.