Re: Forwarding if no local mailbox

2009-01-27 Thread Lothar Braun
Hi,

Noel Jones wrote:
> Lothar Braun wrote:
>> What I'm trying to do now is: Accept mails for @mydomain.tld on the new
>> server and try to deliver them to the local accounts. If that fails,
>> send it out to the old server and try to deliver it there.
>>
>> I had a look at the documentation but couldn't come up with an easy
>> solution for that. The only solution I can see so far is to create an
>> transport entry on the new server for _every_ email address that needs
>> to be delivered to the old server.
> 
> Yes, that's the proper solution.
> 
> If you're using SQL, just set a flag on each account indicating where
> it's to be delivered, and adjust your transport_maps query accordingly. 
> You may already have the information you need in SQL.
> 
> If you're using {hash, cdb, ...} indexed files, use a script to create
> your transport map.  The size of the map is not a concern.
> 
> An alternative is to use virtual_alias_maps to rewrite the "old" set of
> users to a different subdomain, and use transport_maps to direct the
> mail.  You could then use smtp_generic_maps to rewrite the domain back
> to the original when it's transferred to the old server.
> 
> Just listing everyone in transport_maps is probably easier.

Thank you for the quick answer. I think I'll go with listing all users
in transport_maps.

Best regards,
  Lothar



Re: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-27 Thread Wietse Venema
MountainX:
> Like many other people today, I am aware of important environmental issues,
> the breakdown of the health care system, the huge political changes taken
> place now, the financial crisis, and other events that will have a huge
> impact on our children and subsequent generations. I cannot justify spending
> hours of my time to read documents that are hard for me to understand to
> solve a problem for the server hosting my blog that has no relative
> importance in the world. If I have a few spare hours of time, there are big
> problems I want to work on. (If my server gets in the way of that work, I
> should probably just pull its power cord.) 

If you don't have the time to learn how to maintain Postfix, then
you need to pay someone to do it for you, like an ISP. I don't
tinker with my car, I pay a mechanic. Likewise I prefer to visit
a dentist instead of trying to fix things myself.

Wietse


how to filter

2009-01-27 Thread Munroe Sollog
This is the only mailing-list that I can't seem to create a filter
(sieve) for.  Posts are sent to so many different combinations of users,
two different domains, two different users, and either can exist in
either the TO: field or the CC: field.  Is there a better element to
filter on?  I find it a little ironic that the one mailing-list I have
trouble filtering is one about mail.

-- 
Munroe Sollog
Systems Engineer
Digirati Consulting, Inc
sol...@digiraticonsulting.com




Re: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-27 Thread Aaron Wolfe
On Tue, Jan 27, 2009 at 6:48 AM, Wietse Venema  wrote:
> MountainX:
>> Like many other people today, I am aware of important environmental issues,
>> the breakdown of the health care system, the huge political changes taken
>> place now, the financial crisis, and other events that will have a huge
>> impact on our children and subsequent generations. I cannot justify spending
>> hours of my time to read documents that are hard for me to understand to
>> solve a problem for the server hosting my blog that has no relative
>> importance in the world. If I have a few spare hours of time, there are big
>> problems I want to work on. (If my server gets in the way of that work, I
>> should probably just pull its power cord.)
>

When you fix health care, the environment OR the current financial
crisis in your spare time, I will gladly spend my spare time to fix
your server.
Till then, your time is not worth more than ours.  Either spend the
time to learn, or spend money on someone to do things for you.


Re: how to filter

2009-01-27 Thread Heiko Wundram
On Tuesday 27 January 2009 13:08:18, Munroe Sollog wrote:
> This is the only mailing-list that I can't seem to create a filter
> (sieve) for.  Posts are sent to so many different combinations of users,
> two different domains, two different users, and either can exist in
> either the TO: field or the CC: field.  Is there a better element to
> filter on?  I find it a little ironic that the one mailing-list I have
> trouble filtering is one about mail.

I filter on the header

List-Post: 

which catches everything (AFAICT) that comes in over the list.

HTH!

-- 
Heiko Wundram
hackerkey://v4sw7CHJLSUY$hw5ln5pr7FOP$ck2ma9u7FL$w3DVWXm0l7GL$i65e6t3EMRSXb7ADORen5a26s5MSr2p-6.62/-6.56g5AORZ


Re: Postfix with AMAVISD how to white list

2009-01-27 Thread Jason Hirsh


On Jan 26, 2009, at 5:26 PM, mouss wrote:


Jason Hirsh wrote:


On Jan 26, 2009, at 5:04 PM, mouss wrote:
[snip]

You probably want to ask on the amavisd list. but then give as much
details as you can (whether you restarted amavisd-new, ... etc).



I was told I should be here but all the discussion I had on SPAM pretty much
dealt with postfix and amavisd as an integrated solution



hmm. did you ask on the amavis list:
https://lists.sourceforge.net/lists/listinfo/amavis-user

you'll find more amavisd-new users there, thus maximizing the chances to
get an answer. (but as I said, you may need to provide more details).




PS. It is a bad idea to bounce mail that was queued by postfix. This
causes backscatter (and you may be blacklisted...)


I am confused by this comment.. do you mean I shouldn't let amavisd do
any bouncing??
it handles all of my spam, content and virus checking



if you use amavisd-new after the queue (content_filter or FILTER), then
you should not configure it to bounce mail. Your choices are: (tag and)
pass, quarantine or discard (the latter is bad, but still better than
bouncing).

The reason is that spammers forge sender addresses, so your bounce will
go to an innocent who never sent you anything. This is backscatter.



postfix handles domain validation and the like..


Rejecting spam during the smtp transaction in postfix
(smtpd_*_restrictions) is good. but once postfix queues the mail, you
should not bounce.



so is
header_checks = regexp:/usr/local/etc/postfix/header_checks


bad or good


as it turns out postfix is doing the rejection not amavisd











Problem with non-delivery notifications and smtpd_recipient_restrictions

2009-01-27 Thread Cédric Laruelle
Hi,

 

I want to prevent the local users from sending emails to a certain domain, let’s
say baddomain.com

In order to do that, I set

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/blacklist

In the blacklist file, I put:

baddomain.com REJECT Should not send mail to baddomain.com

Then I did postmap /etc/postfix/blacklist and restarted postfix.

Now it is almost working as I would like, meaning that all mails sent to
x...@baddomain.com get rejected. However, the sender does not receive any
non-delivery notification. Can I change that so that the user knows his
mail was rejected?

 

Best regards,

 

Cédric Laruelle



Query on POSTMAP

2009-01-27 Thread Goutam Baul
Dear List,

I am using RHEL4 with postfix 2.2.10-1 and openldap 2.2.13-6. I have created
the ldap tree where I can search for the mail-id and get result:

ldapsearch  -x  mail=bo...@rpg.in responds as
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: mail=bo...@rpg.in
# requesting: ALL
#

# bonhi, rpg.in, rpg.orgn
dn: uid=bonhi,ou=rpg.in,dc=rpg,dc=orgn
uid: bonhi
cn: Bonhi  Sengupta
sn: bonhi
title: bonhi
homeDirectory: /home/vmail/rpg.in/bonhi
mailMessageStore: /home/vmail/rpg.in/bonhi/Maildir/
accountStatus: enable
loginShell: /sbin/nologin
uidNumber: 5000
gidNumber: 5000
objectClass: qmailUser
objectClass: posixAccount
objectClass: person
objectClass: shadowAccount
objectClass: organizationalPerson
mail: bo...@rpg.in
mail: bo...@rpgnet.com
mailQuotaSize: 52428800S
mailForwardingAddress: bo...@rpg.in

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But if I try to test the ldap lookup as being used in postfix then I don't
get any result. The command

postmap -v -q bo...@rpg.in ldap:/etc/postfix/maps.ldap returns

. . .

postmap: dict_ldap_open: /etc/postfix/maps.ldap server_host URL is
ldap://127.0.0.1:389
postmap: cfg_get_str: /etc/postfix/maps.ldap: scope = sub
postmap: cfg_get_str: /etc/postfix/maps.ldap: search_base =
ou=%d,dc=rpg,dc=orgn
postmap: cfg_get_str: /etc/postfix/maps.ldap: domain =
postmap: cfg_get_int: /etc/postfix/maps.ldap: timeout = 60
postmap: cfg_get_str: /etc/postfix/maps.ldap: query_filter = (&(mail=%s)
(accountStatus=active))
postmap: cfg_get_str: /etc/postfix/maps.ldap: result_format = 
postmap: cfg_get_str: /etc/postfix/maps.ldap: result_filter = %s
postmap: cfg_get_str: /etc/postfix/maps.ldap: result_attribute =
mailMessageStore
postmap: cfg_get_str: /etc/postfix/maps.ldap: special_result_attribute =
postmap: cfg_get_bool: /etc/postfix/maps.ldap: bind = on
postmap: cfg_get_str: /etc/postfix/maps.ldap: bind_dn =
postmap: cfg_get_str: /etc/postfix/maps.ldap: bind_pw =
postmap: cfg_get_bool: /etc/postfix/maps.ldap: cache = off
postmap: cfg_get_int: /etc/postfix/maps.ldap: cache_expiry = -1
postmap: cfg_get_int: /etc/postfix/maps.ldap: cache_size = -1
postmap: cfg_get_int: /etc/postfix/maps.ldap: recursion_limit = 1000
postmap: cfg_get_int: /etc/postfix/maps.ldap: expansion_limit = 0
postmap: cfg_get_int: /etc/postfix/maps.ldap: size_limit = 0
postmap: cfg_get_int: /etc/postfix/maps.ldap: dereference = 0
postmap: cfg_get_bool: /etc/postfix/maps.ldap: chase_referrals = off
postmap: cfg_get_bool: /etc/postfix/maps.ldap: start_tls = off
postmap: cfg_get_bool: /etc/postfix/maps.ldap: tls_require_cert = off
postmap: cfg_get_str: /etc/postfix/maps.ldap: tls_ca_cert_file =
postmap: cfg_get_str: /etc/postfix/maps.ldap: tls_ca_cert_dir =
postmap: cfg_get_str: /etc/postfix/maps.ldap: tls_cert =
postmap: cfg_get_str: /etc/postfix/maps.ldap: tls_key =
postmap: cfg_get_str: /etc/postfix/maps.ldap: tls_random_file =
postmap: cfg_get_str: /etc/postfix/maps.ldap: tls_cipher_suite =
postmap: cfg_get_int: /etc/postfix/maps.ldap: debuglevel = 0
postmap: dict_open: ldap:/etc/postfix/maps.ldap
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source
/etc/postfix/maps.ldap, reopening
postmap: dict_ldap_connect: Connecting to server ldap://127.0.0.1:389
postmap: dict_ldap_connect: Actual Protocol version used is 2.
postmap: dict_ldap_connect: Binding to server ldap://127.0.0.1:389 as dn
postmap: dict_ldap_connect: Successful bind to server ldap://127.0.0.1:389
as
postmap: dict_ldap_connect: Cached connection handle for LDAP source
/etc/postfix/maps.ldap
postmap: dict_ldap_lookup: /etc/postfix/maps.ldap: Searching with filter
(&(mail=bo...@rpg.in) (accountStatus=active))
postmap: dict_ldap_get_values[1]: Search found 0 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source
/etc/postfix/maps.ldap

The content of the /etc/postfix/maps.ldap is

[r...@mail postfix]# cat maps.ldap
timeout = 60
server_host = 127.0.0.1
server_port = 389
search_base = ou=%d,dc=rpg,dc=orgn
query_filter = (&(mail=%s) (accountStatus=active))
result_attribute = mailMessageStore

In the search_base if I don't use the ou=%d then also I get the same result.
My postconf -d look like this:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_recipient_limit = 200
default_privs = vmail
default_process_limit = 105
disable_vrfy_command = yes
fallback_transport = virtual
home_mailbox = Maildir/
inet_interfaces = all
ipc_timeout = 5000s
local_transport = maildrop
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25728640
mydestination

Re: how to filter

2009-01-27 Thread Tolga



Heiko Wundram wrote:

On Tuesday 27 January 2009 13:08:18, Munroe Sollog wrote:
  

This is the only mailing-list that I can't seem to create a filter
(sieve) for.  Posts are sent to so many different combinations of users,
two different domains, two different users, and either can exist in
either the TO: field or the CC: field.  Is there a better element to
filter on?  I find it a little ironic that the one mailing-list I have
trouble filtering is one about mail.



I filter on the header

List-Post: 

which catches everything (AFAICT) that comes in over the list.

HTH!
  

or by the From: line

Regards,

/Tolga

--
Zounds!  I was never so bethumped with words
since I first called my brother's father dad.
-- William Shakespeare, "Kind John"



RE: Problem with non-delivery notifications and smtpd_recipient_restrictions

2009-01-27 Thread Cédric Laruelle
Nevermind, there actually was a non delivery notification but I didn’t see
it !

 

Best regards,


Cédric Laruelle

 

From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Cédric Laruelle
Sent: Tuesday, 27 January 2009 14:06
To: postfix-users@postfix.org
Subject: Problem with non-delivery notifications and
smtpd_recipient_restrictions

 

Hi,

 

I want to prevent the local users to send emails to a certain domain, let’s
say baddomain.com

 

In order to do that, I set
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_recipient_access hash:/etc/postfix/blacklist
In the blacklist file, I put :

baddomain.com REJECT Should not send mail to baddomain.com

 

Then I did postmap /etc/postfix/blacklist and restarted postfix.

 

Now it is almost working as I would like, meaning that all mails sent to
x...@baddomain.com get rejected. However, the sender does not receive any
non-delivery notification. Can I change that in order the user to know his
mail was rejected ?

 

Best regards,

 

Cédric Laruelle



Re: how to filter

2009-01-27 Thread Jorey Bump
Tolga wrote, at 01/27/2009 08:19 AM:
> 
> Heiko Wundram wrote:
>>
>> I filter on the header
>>
>> List-Post: 
>>
>> which catches everything (AFAICT) that comes in over the list.
>>   
> or by the From: line
> 
> Regards,
> 
> /Tolga

Your own message proves this to be incorrect:

  From: Tolga 




Re: how to filter

2009-01-27 Thread David Figuera

Munroe Sollog wrote:

This is the only mailing-list that I can't seem to create a filter
(sieve) for.  Posts are sent to so many different combinations of users,
two different domains, two different users, and either can exist in
either the TO: field or the CC: field.  Is there a better element to
filter on?  I find it a little ironic that the one mailing-list I have
trouble filtering is one about mail.


Sender: owner-postfix-us...@postfix.org


Re: how to filter

2009-01-27 Thread Tolga



Jorey Bump wrote:

Tolga wrote, at 01/27/2009 08:19 AM:
  

Heiko Wundram wrote:


I filter on the header

List-Post: 

which catches everything (AFAICT) that comes in over the list.
  
  

or by the From: line

Regards,

/Tolga



Your own message proves this to be incorrect:

  From: Tolga 
  



:0
* ^From owner-postfix-us...@postfix.org
Postfix

works perfectly

--
Q:  What do you say to a New Yorker with a job?
A:  Big Mac, fries and a Coke, please!



Re: Problem with non-delivery notifications and smtpd_recipient_restrictions

2009-01-27 Thread Larry Stone
On 1/27/09 7:05 AM, Cédric Laruelle at laruel...@aiderdonner.com wrote:

> I want to prevent the local users to send emails to a certain domain, let's
> say baddomain.com
> 
> In order to do that, I set
> smtpd_recipient_restrictions =
> permit_mynetworks
> permit_sasl_authenticated
> reject_unauth_destination
> check_recipient_access hash:/etc/postfix/blacklist
> In the blacklist file, I put :
> 
> baddomain.com REJECT Should not send mail to baddomain.com
> 
> Then I did postmap /etc/postfix/blacklist and restarted postfix.
> 
> Now it is almost working as I would like, meaning that all mails sent to
> x...@baddomain.com get rejected. However, the sender does not receive any
> non-delivery notification. Can I change that in order the user to know his
> mail was rejected ?

Despite your later post saying it is working, I can't see how. Assuming your
local users are on machines that are part of mynetworks or they are using
SASL authentication, permit_mynetworks or permit_sasl_authenticated will OK
the message. And if they're not, then reject_unauth_destination will reject
it. Either way, you never get down to check_recipient_access.

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/
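
The evaluation-order point in the reply above, as an added example that is not part of the original thread: a small Python model of how a restriction list is walked until the first decisive result, run against the list as posted and against a reordered one. The network range, domain names, client addresses and the simplified restriction functions are assumptions for illustration, not Postfix code.

```python
import ipaddress

# Constructed sample environment (assumptions, not values from the thread).
MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
OWN_DOMAINS = {"mydomain.example"}  # domains this server accepts mail for
# The access table from the post: lookup key -> action.
BLACKLIST = {"baddomain.com": "REJECT Should not send mail to baddomain.com"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def permit_mynetworks(session):
    client = ipaddress.ip_address(session["client_ip"])
    return "PERMIT" if any(client in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(session):
    return "PERMIT" if session.get("sasl_user") else "DUNNO"


def reject_unauth_destination(session):
    # Passes (DUNNO) only for domains we are responsible for; anything else
    # would be relaying and is refused.
    if domain_of(session["rcpt"]) in OWN_DOMAINS:
        return "DUNNO"
    return "REJECT Relay access denied"


def check_recipient_access(session):
    # Simplified lookup: full address first, then the bare domain.
    rcpt = session["rcpt"].lower()
    for key in (rcpt, domain_of(rcpt)):
        if key in BLACKLIST:
            return BLACKLIST[key]
    return "DUNNO"


RESTRICTIONS = {
    f.__name__: f
    for f in (permit_mynetworks, permit_sasl_authenticated,
              reject_unauth_destination, check_recipient_access)
}

AS_POSTED = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "check_recipient_access"]
# Table lookup moved to the front. This is safe here because the table holds
# only REJECT actions; an OK entry placed ahead of reject_unauth_destination
# would permit relaying to that recipient.
REORDERED = ["check_recipient_access", "permit_mynetworks",
             "permit_sasl_authenticated", "reject_unauth_destination"]


def evaluate(order, session):
    """Walk the list; the first PERMIT or REJECT ends evaluation."""
    for name in order:
        result = RESTRICTIONS[name](session)
        if result != "DUNNO":
            return result, name
    return "PERMIT", "end of list"


# Constructed sessions: a LAN client, a remote authenticated user, a stranger.
SESSIONS = {
    "lan client": {"client_ip": "192.168.1.20", "rcpt": "someone@baddomain.com"},
    "sasl user": {"client_ip": "203.0.113.9", "sasl_user": "alice",
                  "rcpt": "someone@baddomain.com"},
    "stranger": {"client_ip": "203.0.113.9", "rcpt": "someone@baddomain.com"},
}

if __name__ == "__main__":
    for label, order in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for who, session in SESSIONS.items():
            decision, by = evaluate(order, session)
            print(f"{label:10} {who:11} -> {decision!r} (decided by {by})")
```

With the list as posted, the table lookup is never the deciding step for any of the three clients; with the lookup first, all three are refused by the table entry.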




Re: how to filter

2009-01-27 Thread Erwan David
On Tue, Jan 27, 2009 at 02:37:22PM CET, Tolga  said:
>
>
> Jorey Bump wrote:
>> Tolga wrote, at 01/27/2009 08:19 AM:
>>   
>>> Heiko Wundram wrote:
>>> 
>>>> I filter on the header
>>>>
>>>> List-Post: 
>>>>
>>>> which catches everything (AFAICT) that comes in over the list.
>>>>
>>> or by the From: line
>>>
>>> Regards,
>>>
>>> /Tolga
>>> 
>>
>> Your own message proves this to be incorrect:
>>
>>   From: Tolga 
>>   
>
>
> :0
> * ^From owner-postfix-us...@postfix.org
> Postfix
>
> works perfectly

It will depend on your delivery agent, I think.
I use

*^Sender: owner-postfix
.listes.postfix/


-- 
Erwan


Re: Query on POSTMAP

2009-01-27 Thread Victor Duchovni
On Tue, Jan 27, 2009 at 06:42:45PM +0530, Goutam Baul wrote:

> accountStatus: enable
> mail: bo...@rpg.in
> 
> The content of the /etc/postfix/maps.ldap is
> 
> query_filter = (&(mail=%s) (accountStatus=active))

Your LDAP server is not a native English speaker and fails to recognize
the semantic similarity between the query and the actual data.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
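
The mismatch hinted at in the reply above, as an added example that is not part of the original thread: a Python model of the map lookup that expands %s into query_filter, evaluates the filter against the posted entry and returns result_attribute. The mail value and lookup key are constructed placeholders (the archive elides the real address), search_base is left out of the model, and all function names are hypothetical.

```python
import re

# Attributes of the entry from the ldapsearch output that the map touches.
# The mail value is a constructed placeholder; the archive elides the real one.
ENTRY = {
    "mail": ["user@example.org"],
    "accountStatus": ["enable"],
    "mailMessageStore": ["/home/vmail/rpg.in/bonhi/Maildir/"],
}

# The two map settings that decide the outcome, as posted.
MAP_CONFIG = """\
query_filter = (&(mail=%s) (accountStatus=active))
result_attribute = mailMessageStore
"""


def parse_map_config(text):
    pairs = (line.partition("=") for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#"))
    return {name.strip(): value.strip() for name, _, value in pairs}


def ldap_escape(value):
    # Quote filter metacharacters in the lookup key (RFC 2254 style).
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def parse_filter(text):
    """Parse a filter built from &, |, ! and attr=value equality tests."""
    pos = 0

    def skip_spaces():
        nonlocal pos
        pos = re.compile(r"\s*").match(text, pos).end()

    def node():
        nonlocal pos
        skip_spaces()
        if text[pos:pos + 1] != "(" or pos + 1 >= len(text):
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, children = text[pos], []
            pos += 1
            skip_spaces()
            while text[pos:pos + 1] == "(":
                children.append(node())
                skip_spaces()  # tolerate the space between components
            if not children or (op == "!" and len(children) != 1):
                raise ValueError("bad operand count for %r" % op)
            result = (op, children)
        else:
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not sep:
                raise ValueError("expected attr=value at offset %d" % pos)
            value = re.sub(r"\\([0-9a-fA-F]{2})",
                           lambda m: chr(int(m.group(1), 16)), value)
            result = ("=", attr.strip().lower(), value)
            pos = end
        if text[pos:pos + 1] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result

    tree = node()
    skip_spaces()
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree


def matches(tree, entry):
    if tree[0] == "=":
        _, attr, wanted = tree
        values = next((v for k, v in entry.items() if k.lower() == attr), [])
        # Assumption: case-insensitive equality for these string attributes.
        return any(v.lower() == wanted.lower() for v in values)
    op, children = tree
    results = [matches(child, entry) for child in children]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]


def postmap_query(config, key, entries):
    """Expand %s with the escaped key, search, return result_attribute values."""
    tree = parse_filter(config["query_filter"].replace("%s", ldap_escape(key)))
    attr = config["result_attribute"]
    return [v for e in entries if matches(tree, e) for v in e.get(attr, [])]


AS_POSTED = parse_map_config(MAP_CONFIG)
# One way to make filter and data agree: test for the value the entry carries.
ADJUSTED = dict(AS_POSTED, query_filter="(&(mail=%s)(accountStatus=enable))")

if __name__ == "__main__":
    print(postmap_query(AS_POSTED, "user@example.org", [ENTRY]))
    print(postmap_query(ADJUSTED, "user@example.org", [ENTRY]))
```

The posted filter returns nothing because the entry carries accountStatus "enable" while the filter asks for "active"; changing either side so they agree makes the lookup return the mailMessageStore path.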


Re: Bounces.

2009-01-27 Thread Linux Addict

Magnus Bäck wrote:

On Monday, January 26, 2009 at 23:39 CET,
 Linux Addict  wrote:

  

I am seeing multiple messages on Postfix Maillog. The mx server cant
reach the host in question and its timing out. We monitor the mailq
size and because of 100 of messages like this, we are bombarded with
pages.  What is the best practice to handle these messages? Any help
or link to documentation is greatly appreciated.

A414CD52788 3706 Fri Jan 23 02:36:41  bounce.7d54cafd@example.net
 (connect to a34-mta03.direcpc.com[66.82.4.104]:25: Connection timed out)

movieaho...@direcway.com



Where do these messages come from? Check the logs and inspect the
messages with postcat(1). Are any of these domains hosted by you?
If not, why are they being relayed in the first place?

100 deferred messages in the queue is nothing.

  
Typo. It's 100s of messages, currently it's more than 1600.  We are
sending this from one of our internal applications. What I would like to
do is, if a destination host does not have an MX record, then I would
like to drop the message, don't want to bounce it.


Re: Bounces.

2009-01-27 Thread Wietse Venema
Linux Addict:
> What I would like to do is, if a destination host does not have
> an MX record, then I would like to drop the message, don't want
> to bounce it.

The Internet email RFCs do not require MX records. They specify
that the MTA must deliver by A records when MX records don't exist.

Wietse


450 response being delivered to a sender is a mistake - isn't it?

2009-01-27 Thread KLaM Postmaster
I was thinking about something I wrote here a couple of days ago. A 450
response from my server being delivered to the original sender is a
mistake - isn't it?
Everything I have read to date seems to indicate that 4xx codes are
temporary conditions between SMTP endpoints. But as I am new to this I
started wondering if I was correct in asserting that such response
messages should not as a rule get back to the sender.

I came across this when I got a complaint that I had "bounced"
somebody's email with a 450 indicating the message was being delayed due
to greylisting. The sender received the following message in their inbox
"450 4.2.0 : Recipient address rejected: Greylisted,
see http://postgrey.schweikert.ch/help/mumble.com.html; from=
to= proto=ESMTP helo=."
which seemed odd to me.

As a secondary question, does this response give out too much
information about how we handle email?

TIA
JLA






Re: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-27 Thread Stroller


On 27 Jan 2009, at 02:41, MountainX wrote:

MacShane, Tracy wrote:

...
Personally, I wonder why you're using Postfix at all if you're just
sending and receiving mail via Gmail. Postfix is a full-blown MTA, so it
seems like a lot of overkill for mail you could collect via IMAP/POP using
the mail client of your preference.



Well, now that Postfix is almost working the way I want, it would require
more time to switch to something else. But you have aroused my curiosity.

What is a simple solution that will allow my Linux server to send all
notifications (such as those generated by system events or otherwise and
addressed to root @localhost or any other user account) to me at my gmail
account without using Postfix?


ssmtp is usually the recommended solution, although I don't know if it  
accommodates whatever authentication / ssl is required by Gmail.


* mail-mta/ssmtp
     Available versions:  *2.61-r2 [M]~2.61-r30 [M]~2.61-r31
     Homepage:            ftp://ftp.debian.org/debian/pool/main/s/ssmtp/
     Description:         Extremely simple MTA to get mail off the system to a Mailhub


Stroller.



Re: Bounces.

2009-01-27 Thread Linux Addict

Wietse Venema wrote:

Linux Addict:
  

What I would like to do is, if a destination host does not have
an MX record, then I would like to drop the message, don't want
to bounce it.



The Internet email RFCs do not require MX records. They specify
that the MTA must deliver by A records when MX records don't exist.

Wietse

  
I don't know if it's convincing to send mails to a host where no smtp is
running (hence no MX record) but is there any way at all in Postfix to
check for MX record before the qmgr accepts the mail?


I know Postfix is compliant to all RFCs, but just wondering anything 
customizable exists.


~LA



Multiple relay_recipient_maps Makefile

2009-01-27 Thread Matt Hayes
It was suggested that to bring the number of map queries down on my
server to shove them into a Makefile and create one recipient map.

Basic research turns up some good information, but wanted to check with
the list on anyone else that has done this and how they went about
getting the Makefile built.

I have quite a few mailing lists I host and do relay_recipient_maps per
list.  Would like to combine these into one to reduce some overhead.

Any help is greatly appreciated.

Thank you,

Matt


Re: Bounces.

2009-01-27 Thread Sahil Tandon
On Jan 27, 2009, at 9:52 AM, Linux Addict wrote:



Wietse Venema wrote:


Linux Addict:


What I would like to do is, if a destination host does not have
an MX record, then I would like to drop the message, don't want
to bounce it.


The Internet email RFCs do not require MX records. They specify
that the MTA must deliver by A records when MX records don't exist.

Wietse


I dont know if its convincing to send mails to a host where no smtp  
is running(hence no MX record) but is there anyway at all in Postfix  
to check for MX record before the qmgr accepts the mail?


Just because there is no MX record pointing to host X does not mean  
this host is not listening for SMTP connections.  See postconf(5) for  
MX-related checks supported by Postfix. 


Re: Bounces.

2009-01-27 Thread Victor Duchovni
On Tue, Jan 27, 2009 at 09:52:30AM -0500, Linux Addict wrote:

>> The Internet email RFCs do not require MX records. They specify
>> that the MTA must deliver by A records when MX records don't exist.
>
> I dont know if its convincing to send mails to a host where no smtp is 
> running(hence no MX record) but is there anyway at all in Postfix to check 
> for MX record before the qmgr accepts the mail?

You are mightily confused. By definition (RFC 5321) of the SMTP protocol,
a domain with just an A record has an *implicit* MX record:

example.com.    IN  MX 0 example.com.

There is no valid "no smtp is running" => "hence no MX record" inference.

> I know Postfix is compliant to all RFCs, but just wondering anything 
> customizable exists.

Postfix can reject SMTP mail from sender domains that have neither A
records nor MX records:

http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

such domains cannot receive mail, since they have neither explicit, nor
implicit MX records.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
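
The lookup rule described in the reply above, as an added example that is not part of the original thread: a Python model of mail routing over a constructed in-memory zone, showing explicit MX records, the implicit MX for a domain that has only an A record, and the one case (neither MX nor A) that reject_unknown_sender_domain refuses. All domain names, addresses and function names are made-up sample data and hypothetical helpers.

```python
# Constructed sample DNS data using documentation names and addresses.
ZONE = {
    "mx-only.example": {"MX": [(20, "backup.mail.example"),
                               (10, "primary.mail.example")]},
    "primary.mail.example": {"A": ["192.0.2.10"]},
    "backup.mail.example": {"A": ["192.0.2.20"]},
    "a-only.example": {"A": ["192.0.2.25"]},       # no MX record at all
    "nothing.example": {"TXT": ["constructed"]},   # neither MX nor A
}


def lookup(name, rtype):
    """Return the records of one type for a name, or an empty list."""
    return list(ZONE.get(name.rstrip(".").lower(), {}).get(rtype, []))


def mail_exchangers(domain):
    """Return [(preference, host)], lowest preference first."""
    explicit = lookup(domain, "MX")
    if explicit:
        return sorted(explicit)
    if lookup(domain, "A") or lookup(domain, "AAAA"):
        # No MX but an address record: treated as "domain. IN MX 0 domain."
        return [(0, domain.rstrip(".").lower())]
    return []


def delivery_targets(domain):
    """Addresses a sending MTA would try, in order of preference."""
    targets = []
    for preference, host in mail_exchangers(domain):
        for address in lookup(host, "A") + lookup(host, "AAAA"):
            targets.append((preference, host, address))
    return targets


def sender_domain_check(domain):
    """Model of the condition quoted above for reject_unknown_sender_domain.

    Only the DNS part is modelled: a domain with neither explicit nor
    implicit MX cannot receive mail, so mail claiming to come from it is
    refused during the SMTP transaction.
    """
    if mail_exchangers(domain):
        return "DUNNO"
    return "REJECT sender domain has neither MX nor A record"


if __name__ == "__main__":
    for name in ("mx-only.example", "a-only.example", "nothing.example"):
        print(name, mail_exchangers(name), sender_domain_check(name))
```

A host that times out, as in the queue listing earlier in the thread, still has a valid route under this rule; the absence of an MX record alone says nothing about whether an SMTP server is listening.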


Re: 450 response being delivered to a sender is a mistake - isn't it?

2009-01-27 Thread Victor Duchovni
On Tue, Jan 27, 2009 at 09:28:23AM -0500, KLaM Postmaster wrote:

> I was thinking about something I wrote here a couple of days ago. A 450
> response from my server being delivered to the original sender is a
> mistake - isn't it?
> Everything I have read to date seems to indicate that 4xx codes are
> temporary conditions between SMTP endpoints. But as I am new to this I
> started to wondering if I was correct in asserting that such response
> messages should not as a rule get back to the sender.

They certainly get back to the sender if the condition persists "long
enough" and the sending system gives up. The choice of "long enough"
is up to the sending system.

> I came across this when I got a complaint that I had "bounced"
> somebodies email with a 450 indicating the message was being delayed due
> to greylisting. The sender received the following message in their inbox
> "450 4.2.0 : Recipient address rejected: Greylisted,
> see http://postgrey.schweikert.ch/help/mumble.com.html; from=
> to= proto=ESMTP helo=."
> which seemed odd to me.

This is perfectly fine. Now figure out how long they kept trying and
why their system does not succeed in getting the mail through your
greylisting system.

-- 
Viktor.



Re: Multiple relay_recipient_maps Makefile

2009-01-27 Thread Victor Duchovni
On Tue, Jan 27, 2009 at 09:56:36AM -0500, Matt Hayes wrote:

> It was suggested that to bring the number of map queries down on my
> server to shove them into a Makefile and create one recipient map.

How many do you have? Generally, 1 vs 2 or 3 is not compelling if
it is easier to define and understand 2 or 3 instead of 1.

> Basic research turns up some good information, but wanted to check with
> the list on anyone else that has done this and how they went about
> getting the Makefile built.
> 
> I have quite a few mailing lists I host and do relay_recipient_maps per
> list.  Would like to combine these into one to reduce some overhead.

This does not scale, one for lists and another for users may be
reasonable, one per-list is not.

-- 
Viktor.



Re: Bounces.

2009-01-27 Thread Larry Stone

On Tue, 27 Jan 2009, Linux Addict wrote:

I dont know if its convincing to send mails to a host where no smtp is 
running(hence no MX record) but is there anyway at all in Postfix to check 
for MX record before the qmgr accepts the mail?


Why do you think no MX record implies no SMTP running? They're really two 
separate things requiring two independent configurations. An SMTP daemon 
can and will run just fine with or without an MX record pointing to it.


-- Larry Stone
   lston...@stonejongleux.com


Re: Postfix with AMAVISD how to white list

2009-01-27 Thread Stroller


On 26 Jan 2009, at 21:11, Jason Hirsh wrote:

...
PS. It is a bad idea to bounce mail that was queued by postfix. This
causes backscatter (and you may be blacklisted...)


I am confused by this comment.. do you mean I shouldn't let amavisd
do any bouncing??

it handles all of my spam, content and virus checking



All the regular subscribers to this list know what backscatter is, and  
use the term comfortably. Unfortunately, the word isn't much in use in  
the wider geek or user community.


Ordinary people tend to say "I got loads of spam today" when they may  
mean "I got loads of backscatter". A user who speaks more precisely  
than most might say "I got loads of junk email-bounces today" -  
"backscatter" is the shorter term for this.


Backscatter is when a spammer forges an email address and the  
addressee's system bounces it. The real holder of the email address  
(the email address that the spammer forged) gets their inbox filled up  
with junk "undeliverable" messages. This is obviously undesirable.


The problem with deciding not to deliver a message after you have  
accepted it is that you are sure to send backscatter. This is  
unpopular with mail administrators who know a lot about email (like  
the folks on this list) because it is avoidable. ISTM that it's easy  
for a n00b to set up a mail system that creates backscatter (and much  
harder to configure a robust mail system that is proof against spam),  
but as far as an administrator (who deals with Postfix all day every  
day, to the exclusion of all else) is concerned, why should he suffer  
junk in his mailbox just because you don't know how to set up your  
system "properly"? Consequently, if you cause backscatter you may get  
blacklisted.


In your case, if I haven't been clear, once the message reaches  
amavisd it is too late to reject the message in a "safe" way - it is  
already in your system. If you can get *Postfix* to reject the message  
then it will do so whilst the original incoming SMTP connection is  
still active, and leave the problem with that sending server. The bad  
message does not become your problem, and you do not have to cause  
backscatter. The sending mailserver is left with the problem of this  
bad message - the chances are that it's a spambot, but if it is a  
legitimate mail relay then it's up to that system administrator to  
deal with (he can determine which one of his users sent the spam in  
the first place & cut off their account).


The best analogy I can think of is if you accidentally ordered  
something from Amazon - you phone them up & they tell you it's too  
late to cancel the delivery. The courier arrives at your door and asks  
you to sign for it. If you refuse to do so then the parcel gets  
returned to the vendor and it's no longer your problem - you can  
dispute the charges by saying "I never accepted that parcel - you  
can't prove I signed for it and my credit card company will reject  
your charges". If, instead, you accept the parcel from the delivery  
driver, he drives away and you open up the box to look inside  
(amavisd) it becomes your responsibility to return the goods and  
persuade the vendor that you deserve a refund.


So if you reject a message using amavisd you shouldn't bounce it, but  
just put it in your junk folder or deliver it to /dev/null. The  
spammer is surely not using his real email address, so when you reject  
it you send the problem on to someone innocent.


If you want to reject messages you should do so at the Postfix  
"layer". I've read reports on this list indicating that use of  
greylisting, Domainkeys/DKIM &/or SPF records can reduce your spam /  
backscatter to a degree whereby filtering (such as amavisd) is barely  
necessary.


Stroller.



Re: Multiple relay_recipient_maps Makefile

2009-01-27 Thread Matt Hayes
Victor Duchovni wrote:
> On Tue, Jan 27, 2009 at 09:56:36AM -0500, Matt Hayes wrote:
> 
>> It was suggested that to bring the number of map queries down on my
>> server to shove them into a Makefile and create one recipient map.
> 
> How many do you have? Generally, 1 vs 2 or 3 is not compelling if
> it is easier to define and understand 2 or 3 instead of 1.
> 
>> Basic research turns up some good information, but wanted to check with
>> the list on anyone else that has done this and how they went about
>> getting the Makefile built.
>>
>> I have quite a few mailing lists I host and do relay_recipient_maps per
>> list.  Would like to combine these into one to reduce some overhead.
> 
> This does not scale, one for lists and another for users may be
> reasonable, one per-list is not.
> 


Right now I have (4) mailing lists that I do relay maps for, however, I
do see your point.  Just combine those 4 lists into one and be done with it.

Simple.. well, at least now it is when you put it that way.

Thanks Victor.

-Matt


Re: 450 response being delivered to a sender is a mistake - isn't it?

2009-01-27 Thread KLaM Postmaster
Victor Duchovni wrote:
> On Tue, Jan 27, 2009 at 09:28:23AM -0500, KLaM Postmaster wrote:
>
>   
>> I was thinking about something I wrote here a couple of days ago. A 450
>> mistake - isn't it?
>> Everything I have read to date seems to indicate that 4xx codes are
>> temporary conditions between SMTP endpoints. But as I am new to this I
>> started wondering if I was correct in asserting that such response
>> messages should not as a rule get back to the sender.
>> 
>
> They certainly get back to the sender if the condition persists "long
> enough" and the sending system gives up. The choice of "long enough"
> is up to the sending system.
>   
So far, the only response I have seen to delayed email, has been a
warning about it being delayed and the system will keep trying. I do not
remember the warning containing any indication as to the cause of the
delay. But as I am an antique my memory may well be way off.
>   
>> I came across this when I got a complaint that I had "bounced"
>> somebody's email with a 450 indicating the message was being delayed due
>> to greylisting. The sender received the following message in their inbox
>> "450 4.2.0 : Recipient address rejected: Greylisted,
>> see http://postgrey.schweikert.ch/help/mumble.com.html; from=
>> to= proto=ESMTP helo=."
>> which seemed odd to me.
>> 
>
> This is perfectly fine. Now figure out how long they kept trying and
> why their system does not succeed in getting the mail through your
> greylisting system.
>
>   
First, an apology to Blackberry/RIM, I copied the wrong message into the
above and then forgot to munge the helo address  :-[ .
Second, when I received the complaint I checked the previous months
logs, and could only find one attempt at delivery had ever been made.
The system saw a new sender and greylisted them, at that point they
seemed to have given up trying.




Re: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-27 Thread MountainX



Stroller wrote:
> 
> 
> On 27 Jan 2009, at 02:41, MountainX wrote:
>> MacShane, Tracy wrote:
>>> ...
>>> Personally, I wonder why you're using Postfix at all if you're just
>>> sending and receiving mail via Gmail. Postfix is a full-blown MTA, so it
>>> seems like a lot of overkill for mail you could collect via IMAP/POP using
>>> the mail client of your preference.
>>>
>>
>> Well, now that Postfix is almost working the way I want, it would require
>> more time to switch to something else. But you have aroused my curiosity.
>> What is a simple solution that will allow my Linux server to send all
>> notifications (such as those generated by system events or otherwise and
>> addressed to root @localhost or any other user account) to me at my gmail
>> account without using Postfix?
> 
> ssmtp is usually the recommended solution, although I don't know if it
> accommodates whatever authentication / ssl is required by Gmail.
> 
> * mail-mta/ssmtp
>   Available versions:  *2.61-r2 [M]~2.61-r30 [M]~2.61-r31
>   Homepage:            ftp://ftp.debian.org/debian/pool/main/s/ssmtp/
>   Description:         Extremely simple MTA to get mail off the system to a Mailhub
> Stroller.
> 
> 
> 

Thank you, Stroller. I will look into ssmtp. However, I do have Postfix
working with Gmail, TLS, etc. so I am reluctant to make a wholesale change
just now.

Regarding my message in this thread from yesterday, I need to clarify one
thing I wrote yesterday. I did NOT say my time is worth more than yours. I
do not believe that and I did not write that. 

My thoughts were that an individual's time is best spent in the areas where
that individual can have the greatest impact for good. For many people here,
if you are passionate about Postfix and/or if Postfix plays a central role
in your career, honing and sharing your Postfix knowledge may be one way you
can have a significant positive impact on others. After all, email
communication is critical in today's world. And so are individual open
source projects. In my view, an individual is fulfilling his or her purpose
when she is working on something that comes naturally and that she feels
passionate about, that she enjoys and that she is good at. For some of you,
that is Postfix and related computing areas. For me, that is other areas.

I do often spend time (many hours a day sometimes) answering questions
online (for free) in my area of expertise. When a lawyer or financier or
other professional (or not) wants me to give them an answer (and they don't
want to invest significant time and energy to acquire that answer), I try to
give them an appropriate answer. I can't always do it, but I enjoy trying. I
recognize that I benefit by answering questions for others (in my spare
time).

I do think Shuttleworth and Ubuntu set a gold standard, and I don't think it
is because they cater to newbie (or only desktop) users. It is probably
highly unfair of me to compare this list or any other with the Ubuntu forums
(and even the Ubuntu forums are far from perfect). Maybe I'm just in that
phase where, in my enthusiasm for non-proprietary software, I'm being
unrealistic in expecting everyone involved in an open source project to feel
as excited about, and as welcoming of, the future possibilities and
opportunities for change as I do.

In my opinion, the opportunity for Linux to rise to greater heights starts
with attitude. I believe Mark Shuttleworth recognizes that. The Ubuntu
community didn't evolve the way it has by accident -- it was by design.

I believe the (false) idea that a person (without much background in the
subject) asking questions about Postfix (and wanting simple cook-book-style
answers) has only two choices -- do a lot of time-consuming work or pay an
expert -- is harmful to the potential growth of open source. This attitude
is elitist. There is a third choice -- an expert can choose to spend a few
moments to give an appropriate response. I do this in my area of expertise
all the time. (I don't do it for all people and I do ignore some questions,
of course -- and any one of you are free to ignore me.)

I do still have specific Postfix questions. And I hope I have not offended
the majority of people on this list. I have received help over the last two
days that I value greatly. The reply above from Stroller is a perfect
example. I had never heard of ssmtp three days ago. Now I know it exists and
I can find more on Google.

The reason I think (hope) a discussion such as this one is not off topic is
because it relates to the manner in which I (or any newbie) can expect to
interact with this list in the future. 

I guess the best advice I would give myself is (while on this list) to focus
my attention on those people who generously offer me useful responses; and
ignore those people who (incorrectly) tell me that I don't value their time
or that I should 1) become a Postfix expert or 2) pay them to answer every
question. 

Even after I 

Re: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-27 Thread Jorey Bump
MountainX wrote, at 01/27/2009 11:35 AM:

> In my opinion, the opportunity for Linux to rise to greater heights starts

Please get off your soapbox. If you have a question about Postfix, ask
it. If you don't understand the answer and have more questions, ask
them. If you want to say thanks, do so briefly, but it isn't usually
necessary if it adds nothing to the thread.

> The reason I think (hope) a discussion such as this one is not off topic is
> because it relates to the manner in which I (or any newbie) can expect to
> interact with this list in the future. 

It's off-topic because Linux advocacy has nothing to do with Postfix,
which runs on a variety of platforms. Please restrict your comments to
your original question or let the thread come to a natural close. The
rest is just noise that won't help other users (including newbies) who
search the archive for answers to specific questions.



I am confused about my system's email addresses - need some help getting them to conform to my wishes

2009-01-27 Thread Dave
Hopefully I have improved my question-asking now. :)

I'm using smtp.gmail.com with Postfix. It is working and all emails are
delivered.
All my config info is at the bottom of this message.
The account I use to sign in to gmail is me-at-example.com (as shown in
config below).
I want to check my emails using the gmail web client for me-at-example.com.
(All this basic functionality is working.)

I want to correct my email addressing, as I will try to describe below.

In this message I globally replaced @ with -at- so it will be easier to read
in some clients (like Nabble) that obfuscate email addresses as "n...@..."

Here's the first example of email addressing that I want to fix/modify.

subject: DenyHosts Report
from: nobody-at-localhost
to: root-at-localhost

I want this to be from me-at-example.com (or root-at-example.com) to
me-at-example.com.
The message does not appear in my sent mail folder at example.com (but I
want it to).

From the headers you will see that I am now aliasing root-at-localhost as
myname-at-otherdomain2.net. And I am forwarding all email from
myname-at-otherdomain2.net to me-at-example.com. That's the only way (so
far) I could get email intended for root-at-localhost to appear in the inbox
of me-at-example.com.

I want mail now intended for root-at-localhost to instead go directly to
me-at-example.com (and appear in both sent-mail and inbox, as it would if I
sent it from a normal client with those to/from addresses). I tried, without
success, to do this on my own.

Delivered-To: me-at-example.com
Received: by 10.229.91.201 with SMTP id oom;
Tue, 27 Jan 2009 08:43:20 -0800 (PST)
Received: by 10.114.14.8 with SMTP id mm.76.1233074599667;
Tue, 27 Jan 2009 08:43:19 -0800 (PST)
Return-Path: 
Received: from wf-out-1314.google.com (wf-out-1314.google.com[209.85.200.172])
by mx.google.com with ESMTP id nof.27.2009.01.27.08.43.18;
Tue, 27 Jan 2009 08:43:19 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.200.172 is neither permitted nor
denied by best guess record for domain of myname+caf_=me=
example.com-at-otherdomain2.net) client-ip=209.85.200.172;
Authentication-Results: mx.google.com; spf=neutral (google.com:
209.85.200.172 is neither permitted nor denied by best guess record for
domain of myname+caf_=me=example.com-at-otherdomain2.net)
smtp.mail=myname+caf_=me=example.com-at-otherdomain2.net
Received: by wf-out-1314.google.com with SMTP id 2a.27
for ; Tue, 27 Jan 2009 08:43:18 -0800 (PST)
Received: by 10.142.169.4 with SMTP id rrre.262.1233074598389;
Tue, 27 Jan 2009 08:43:18 -0800 (PST)
X-Forwarded-To: me-at-example.com
X-Forwarded-For: myname-at-otherdomain2.net me-at-example.com
Delivered-To: myname-at-otherdomain2.net
Received: by 10.143.62.8 with SMTP id pppk;
Tue, 27 Jan 2009 08:43:18 -0800 (PST)
Received: by 10.100.207.14 with SMTP id eee.60.1233074597413;
Tue, 27 Jan 2009 08:43:17 -0800 (PST)
Return-Path: 
Received: from MyHostName.example.com (myhost.com [xxx.xxx.xxx.345])
by mx.google.com with ESMTP id nna.37.2009.01.27.08.43.16;
Tue, 27 Jan 2009 08:43:17 -0800 (PST)
Received-SPF: neutral (google.com: xxx.xxx.xxx.345 is neither permitted nor
denied by best guess record for domain of nobody-at-localhost)
client-ip=xxx.xxx.xxx.345;
Authentication-Results: mx.google.com; spf=neutral (google.com:
xxx.xxx.xxx.345 is neither permitted nor denied by best guess record for
domain of nobody-at-localhost) smtp.mail=nobody-at-localhost
Received: by MyHostName.example.com (Postfix)
id 5081C12B70; Tue, 27 Jan 2009 11:43:16 -0500 (EST)
Delivered-To: root-at-localhost
Received: from example.com (localhost [127.0.0.1])
by MyHostName.example.com (Postfix) with ESMTP id 44
for ; Tue, 27 Jan 2009 11:43:16 -0500 (EST)
From: DenyHosts 
To: root-at-localhost
Subject: DenyHosts Report
Date: Tue, 27 Jan 2009 11:43:16 -0500
Message-Id: <20090127164316.E5-at-MyHostName.example.com>

Added the following hosts to /etc/hosts.deny:

210.51.1.21 (unknown)

---

Test Email 1 (while logged in as myuseracct)

to: root-at-localhost
from: myuseracct-at-example.com

I want it to be addressed from me-at-example.com (or
myuseracct-at-example.com) and addressed to me-at-example.com. The message
does not appear in sent-mail and I think it should.

Delivered-To: me-at-example.com
Received: by 10.229.91.201 with SMTP id nnm;
Tue, 27 Jan 2009 08:43:57 -0800 (PST)
Received: by 10.220.98.70 with SMTP id n.13.1233074636356;
Tue, 27 Jan 2009 08:43:56 -0800 (PST)
Return-Path: 
Received: from rn-out-0910.google.com (rn-out-0910.google.com[64.233.170.184])
by mx.google.com with ESMTP id n.25.2009.01.27.08.43.56;
Tue, 27 Jan 2009 08:43:56 -0800 (PST)
Received-SPF: neutral (google.com: 

Re: how to filter

2009-01-27 Thread Chris Babcock
On Tue, 27 Jan 2009 14:48:43 +0100
Erwan David  wrote:

> On Tue, Jan 27, 2009 at 02:37:22PM CET, Tolga  said:
> >>> or by the From: line
> >>>
> >>> Regards,
> >>>
> >>> /Tolga
> >>> 
> >>
> >> Your own message proves this to be incorrect:
> >>
> >>   From: Tolga 
> >>   
> >
> >
> > :0
> > * ^From owner-postfix-us...@postfix.org
> > Postfix
> >
> > works perfectly
> 
> It will depend on your delivery agent, I think.
> I use
> 
> *^Sender: owner-postfix
> .listes.postfix/

"From:" != "From "

Tolga is filtering on the envelope sender, not the header field. The
colon in first post was an error. The list id header is the most likely
to remain consistent, but sender is a good choice too. Filtering on the
envelope sender is not a good idea because you never know when some
protocol like VERP or BATV may be implemented, breaking your filter
rule.

Chris Babcock




Re: how to filter

2009-01-27 Thread Erwan David
On Tue 27/01/2009, Chris Babcock said
> On Tue, 27 Jan 2009 14:48:43 +0100
> Erwan David  wrote:
> 
> > On Tue, Jan 27, 2009 at 02:37:22PM CET, Tolga  said:
> > >>> or by the From: line
> > >>>
> > >>> Regards,
> > >>>
> > >>> /Tolga
> > >>> 
> > >>
> > >> Your own message proves this to be incorrect:
> > >>
> > >>   From: Tolga 
> > >>   
> > >
> > >
> > > :0
> > > * ^From owner-postfix-us...@postfix.org
> > > Postfix
> > >
> > > works perfectly
> > 
> > It will depend on your delivery agent, I think.
> > I use
> > 
> > *^Sender: owner-postfix
> > .listes.postfix/
> 
> "From:" != "From "
> 
> Tolga is filtering on the envelope sender, not the header field. The
> colon in first post was an error. The list id header is the most likely
> to remain consistent, but sender is a good choice too. Filtering on the
> envelope sender is not a good idea because you never know when some
> protocol like VERP or BATV may be implemented, breaking your filter
> rule.

Delivering to a maildir, through procmail, I have no "From " in the mail. 
That's why I say it must depend on the delivery agent.



Re: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-27 Thread Chris Babcock
On Mon, 26 Jan 2009 18:41:32 -0800 (PST)
MountainX  wrote:

> The experts have already learned Postfix. As far as I am concerned, I
> can't add anything to the world by learning Postfix too.

It isn't enough for email to just work. It has to work right. Imparting
knowledge without understanding in such an environment would be ill
advised. You may or may not be able to add anything to the world by
learning Postfix, but you can take quite a bit out by running a mail
server without understanding what you are doing. Applications that send
mail are serious. If a web server configuration breaks, it stops
delivering content. If a mailserver breaks, it just may turn into that
horrid broom from "The Sorcerer's Apprentice".

I like deployment recipes as well as the next person (and Postfix has
them), but I generally use them as an outline to study the process - a
syllabus. I've run Postfix as part of a hobby server setup for only
three years now and the time I spent learning the why along with the
how has been saved several times over since. 

Open source communities are a little like martial arts instructors. The
good ones are willing to give you a few bruises if it is going to keep
you from getting killed in the real world.

Chris Babcock





Re: I thought I had a send-only Postfix server, but I see someone connected to it!

2009-01-27 Thread Dave
On Tue, Jan 27, 2009 at 1:37 PM, Chris Babcock wrote:

> On Mon, 26 Jan 2009 18:41:32 -0800 (PST)
> MountainX  wrote:
>
> > The experts have already learned Postfix. As far as I am concerned, I
> > can't add anything to the world by learning Postfix too.
>
> It isn't enough for email to just work. It has to work right. Imparting
> knowledge without understanding in such an environment would be ill
> advised. You may or may not be able to add anything to the world by
> learning Postfix, but you can take quite a bit out by running a mail
> server without understanding what you are doing. Applications that send
> mail are serious. If a web server configuration breaks, it stops
> delivering content. If a mailserver breaks, it just may turn into that
> horrid broom from "The Sorcerer's Apprentice".


Excellent point. I do have some appreciation for this. People on the list
helped me yesterday and I think my Postfix installation is in better shape
now (and I believe it is adequately secure), although I still have to apply
the one suggestion from today (and I did not understand it to the point
where I could apply it.)

>
>
> I like deployment recipes as well as the next person (and Postfix has
> them), but I generally use them as an outline to study the process - a
> syllabus. I've run Postfix as part of a hobby server setup for only
> three years now and the time I spent learning the why along with the
> how has been saved several times over since.
>
> Open source communities are a little like martial arts instructors. The
> good ones are willing to give you a few bruises if it is going to keep
> you from getting killed in the real world.


Good analogy. :)

>
>
> Chris Babcock
>
>


Re: Backscatter with forged return-path

2009-01-27 Thread mouss
Paweł Leśniak wrote:
> Jim Wright wrote:
>>> Jan 26 13:05:42 mail postfix/policy-spf[2500]: : Policy
>>> action=PREPEND Received-SPF: none (server.hipwah.com: No applicable
>>> sender policy available) receiver=mail.example.com; identity=helo;
>>> helo=SERVER.hipwah.com; client-ip=202.134.118.114
>> reject_unknown_hostname
>>
>> SERVER.hipwah.com has no DNS A or MX record.
>>
> [r...@mail postfix]# host server.hipwah.com
> Host server.hipwah.com not found: 3(NXDOMAIN)
> [r...@mail postfix]# host -t mx server.hipwah.com
> Host server.hipwah.com not found: 3(NXDOMAIN)

there is no point checking the MX of a helo name (and it's even more
useless when the domain does not exist!)

> [r...@mail postfix]# host -t mx hipwah.com
> hipwah.com mail is handled by 5 mail.hipwah.com.
> [r...@mail postfix]# host mail.hipwah.com
> mail.hipwah.com has address 202.134.118.114
> 
> 
> I may be wrong, but I think I should not block sender on helo basis?
> Jan 26 13:05:41 mail postfix/smtpd[2432]: connect from
> static-ip-114-118-134-202.rev.dyxnet.com[202.134.118.114]
> Jan 26 13:05:42 mail postgrey[1086]: action=pass, reason=triplet found,
> delay=727, client_name=static-ip-114-118-134-202.rev.dyxnet.com,
> client_address=202.134.118.114, recipient=u...@example.com
> 
> From my point of view it looks like reject_unknown_helo_hostname is far
> too aggressive, while reject_unknown_client_hostname and
> reject_unknown_reverse_client_hostname would both permit this mail.
> Correct me please if I'm wrong.
> 

reject_unknown_helo_hostname would indeed be too aggressive. but you
could use restriction classes and only call it if the sender is null (<>).

or you could run aggressive checks if the client has a "generic" reverse
dns. or in this particular case, simply reject *.rev.dynxnet.com with a
check_client_access:
rev.dynxnet.com    REJECT blah blah
.rev.dynxnet.com   REJECT blah blah




Re: Postfix with AMAVISD how to white list

2009-01-27 Thread mouss
Jason Hirsh wrote:
> 
> On Jan 26, 2009, at 5:26 PM, mouss wrote:
> 
>> Jason Hirsh wrote:
>>>
>>> On Jan 26, 2009, at 5:04 PM, mouss wrote:
>>> [snip]
>>>> You probably want to ask on the amavisd list. but then give as much
>>>> details as you can (whether you restarted amavisd-new, ... etc).
>>>>
>>>
>>> I was told I should be here but all the discussion I had on SPAM pretty much
>>> dealt with postfix and amavisd as an integrated solution
>>>
>>
>> hmm. did you ask on the amavis list:
>> https://lists.sourceforge.net/lists/listinfo/amavis-user
>>
>> you'll find more amavisd-new users there, thus maximizing the chances to
>> get an answer. (but as I said, you may need to provide more details).
>>
>>

>>>> PS. It is a bad idea to bounce mail that was queued by postfix. This
>>>> causes backscatter (and you may be blacklisted...)
>>>
>>> I am confused by this comment.. do you mean I shouldn't let amavisd do
>>> any bouncing??
>>> it handles all of my spam, content and virus checking
>>>
>>
>> if you use amavisd-new after the queue (content_filter or FILTER), then
>> you should not configure it to bounce mail. Your choices are: (tag and)
>> pass, quarantine or discard (the latter is bad, but still better than
>> bouncing).
>>
>> The reason is that spammers forge sender addresses, so your bounce will
>> go to an innocent who never sent you anything. This is backscatter.
>>
>>
>>> postfix handles domain validation and the like..
>>
>> Rejecting spam during the smtp transaction in postfix
>> (smtpd_*_restrictions) is good. but once postfix queues the mail, you
>> should not bounce.
> 
> 
> so is
> header_checks = regexp:/usr/local/etc/postfix/header_checks
> 
> 
> bad or good

They are good for what they are designed for.

I use them to reject dangerous attachments (.pif, ...), but I don't
reject images or other media files.

header_checks are not a substitute for an anti-virus or a spam filter.

> 
> 
> as it turns out postfix is doing the rejection not amavisd
> 
> 
> 
>>
>>
>>
> 
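The replies in this thread draw one line: a rejection inside the SMTP session leaves the message with the sending server, while a bounce generated after Postfix has queued the mail goes to the (usually forged) envelope sender. The script below is an added example, not code from any poster; it audits a mail log for both cases. The log lines are constructed in the usual Postfix syslog layout, and the hosts, queue IDs, addresses and the loopback-only trusted set are assumptions.

```python
import re

# Constructed sample: hosts, queue IDs and addresses are made up for this example.
SAMPLE_LOG = """\
Jan 27 10:00:01 mail postfix/smtpd[2432]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<forged@victim.example> to=<user@example.com> proto=ESMTP helo=<pc5>
Jan 27 10:00:07 mail postfix/smtpd[2432]: 4A1B2C3D4E: client=unknown[203.0.113.9]
Jan 27 10:00:07 mail postfix/qmgr[801]: 4A1B2C3D4E: from=<forged@victim.example>, size=2210, nrcpt=1 (queue active)
Jan 27 10:00:09 mail postfix/smtp[2440]: 4A1B2C3D4E: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Rejected by content filter (in reply to end of DATA command))
Jan 27 10:00:09 mail postfix/bounce[2441]: 4A1B2C3D4E: sender non-delivery notification: 5F6A7B8C9D
Jan 27 10:00:09 mail postfix/qmgr[801]: 5F6A7B8C9D: from=<>, size=4100, nrcpt=1 (queue active)
Jan 27 10:00:10 mail postfix/smtp[2442]: 5F6A7B8C9D: to=<forged@victim.example>, relay=mx.victim.example[198.51.100.7]:25, delay=1, status=sent (250 2.0.0 Ok)
Jan 27 10:01:00 mail postfix/smtpd[2450]: 1122334455: client=localhost[127.0.0.1]
Jan 27 10:01:00 mail postfix/qmgr[801]: 1122334455: from=<root@example.com>, size=900, nrcpt=1 (queue active)
Jan 27 10:01:01 mail postfix/smtp[2451]: 1122334455: to=<gone@example.net>, relay=mx.example.net[198.51.100.20]:25, delay=1, status=bounced (host mx.example.net[198.51.100.20] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jan 27 10:01:01 mail postfix/bounce[2452]: 1122334455: sender non-delivery notification: 66778899AA
"""

# "postfix/<service>[pid]: <queue id or NOQUEUE>: <rest of the record>"
LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
CLIENT = re.compile(r"client=\S+\[(?P<ip>[^\]]+)\]")
FROM = re.compile(r"from=<(?P<addr>[^>]*)>")

# Assumption: only loopback counts as "our own" submitting client.
TRUSTED = frozenset({"127.0.0.1", "::1"})


def audit(log_text, trusted=TRUSTED):
    """Separate SMTP-time rejects from bounces generated after queueing."""
    client_ip, sender = {}, {}
    report = {"smtp_rejects": 0, "backscatter": [],
              "local_bounces": [], "unknown_origin": []}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        if qid == "NOQUEUE":
            # Refused while the client was still connected: no bounce is sent.
            if svc == "smtpd" and rest.startswith("reject:"):
                report["smtp_rejects"] += 1
        elif svc == "smtpd" and CLIENT.match(rest):
            client_ip[qid] = CLIENT.match(rest).group("ip")
        elif svc == "qmgr" and FROM.match(rest):
            sender[qid] = FROM.match(rest).group("addr")
        elif svc == "bounce" and rest.startswith("sender non-delivery notification"):
            # A DSN was created for an already queued message.
            origin = client_ip.get(qid)
            entry = (qid, sender.get(qid, "?"), origin)
            if origin is None:
                report["unknown_origin"].append(entry)   # no smtpd record seen
            elif origin in trusted:
                report["local_bounces"].append(entry)    # our own user gets it
            else:
                report["backscatter"].append(entry)      # unverified sender gets it
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

Entries under `backscatter` are the ones to chase: each is a message accepted from an outside client and then bounced to a sender address nobody verified.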



Re: how to filter

2009-01-27 Thread mouss
Munroe Sollog wrote:
> This is the only mailing-list that I can't seem to create a filter
> (sieve) for.  Posts are sent to so many different combinations of users,
> two different domains, two different users, and either can exist in
> either the TO: field or the CC: field.  Is there a better element to
> filter on?  I find it a little ironic that the one mailing-list I have
> trouble filtering is one about mail.
> 


if header :contains "Sender" "owner-postfix-us...@postfix.org" {
 fileinto "List.mail.postfix-users";
 stop;
}

you can filter most lists using one of the following headers:

List-Id (preferable)
List-Owner
List-Post
Sender
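The points made in this thread (the mbox "From " envelope line is not the "From:" header, the envelope line is missing on maildir delivery, VERP changes the envelope sender, and List-Id or Sender stay stable) can be checked side by side. This is an added example, not code from any poster; the list name `demo-list@lists.example` and all three sample deliveries are constructed.

```python
import email
import re

# Hypothetical list used only for this example.
LIST_OWNER = "owner-demo-list@lists.example"
LIST_ID = "<demo-list.lists.example>"

# Constructed header block, identical for every delivery below.
HEADERS = (
    "Sender: owner-demo-list@lists.example\n"
    "List-Id: Demo list <demo-list.lists.example>\n"
    "From: Alice <alice@example.org>\n"
    "To: demo-list@lists.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# The same post as three delivery agents might store it.
DELIVERIES = {
    "mbox, plain envelope":
        "From owner-demo-list@lists.example Tue Jan 27 14:48:43 2009\n" + HEADERS,
    "mbox, VERP envelope":
        "From owner-demo-list+bob=example.com@lists.example "
        "Tue Jan 27 14:48:43 2009\n" + HEADERS,
    "maildir, no From_ line": HEADERS,
}


def matches(raw):
    """Report which filter criteria would fire for one stored message."""
    msg = email.message_from_string(raw)
    # The parser keeps a leading "From " line apart from the header fields.
    unixfrom = msg.get_unixfrom() or ""
    return {
        # Envelope rule, like a procmail "* ^From owner-..." condition.
        "envelope": bool(re.match(r"From " + re.escape(LIST_OWNER) + r"\s", unixfrom)),
        # "From:" names the poster, not the list.
        "from_header": LIST_OWNER in msg.get("From", ""),
        "sender": LIST_OWNER in msg.get("Sender", ""),
        "list_id": LIST_ID in msg.get("List-Id", ""),
    }


def compare():
    return {label: matches(raw) for label, raw in DELIVERIES.items()}


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:24} {result}")
```

Only the header-based rules fire for all three deliveries; the envelope rule fires for the first one alone.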



Re: Blocking Phishing emails

2009-01-27 Thread mouss
KLaM Postmaster wrote:
> Noel Jones wrote:
>> Voytek Eymont wrote:
>>> On Sat, January 24, 2009 1:39 am, Noel Jones wrote:
>>>
>>>> reject_unknown_reverse_client_hostname reject_rbl_client
>>>> zen.spamhaus.org
>>>> {a greylisting policy service}
>>>
>>> Noel,
>>>
>>> is that a good place to add reject_unknown_reverse_client_hostname ?
>>>
>>> smtpd_recipient_restrictions =
>>>  permit_sasl_authenticated,
>>>  permit_mynetworks,
>>>  check_client_access hash:/etc/postfix/pop-before-smtp,
>>>  reject_unauth_destination,
>>>  check_recipient_access hash:/etc/postfix/recipient_no_checks,
>>>  reject_non_fqdn_sender,
>>>  reject_non_fqdn_recipient,
>>>  reject_invalid_hostname,
>>>  reject_non_fqdn_hostname,
>>>  reject_unknown_sender_domain,
>>> reject_unknown_reverse_client_hostname 
>>>  reject_unlisted_recipient,
>>>  check_sender_access hash:/etc/postfix/freemail_access,
>>>  check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>>>  check_helo_access hash:/etc/postfix/helo_checks,
>>>  check_sender_access hash:/etc/postfix/sender_checks,
>>>  check_client_access hash:/etc/postfix/client_checks,
>>>  check_client_access pcre:/etc/postfix/client_checks.pcre,
>>>  reject_rbl_client zen.spamhaus.org,
>>> 
>>>
>>>
>> Yup, that's fine.
>>
> is there some way of implementing something like "client_RBL_checks".
> I was thinking that even though the incoming mail has managed to get by
> the various checks by the time the recipient gets around to replying the
> senders address may have wound up in spamcop, and if not spamcop some
> other like list.
> 

the reply is a different message: you can't infer the "original" client
by checking the response.

you can however greylist the client and hope that it will be listed when
it will retry.

but this won't help with fraud mail sent via gmail, yahoo, hotmail,
$bigisp unless you are willing to block such big ones. Almost all
phishing and 419 mail I see comes from large ISPs that I won't block.
One day, I may add more checks if the client is one of these, but for
now, spamassassin gets most of these (use JM_SOUGHT rules for this. ask
on spamassassin list if you don't know how to get them...).



> just wondering
> JLA.
> 



Re: Backscatter with forged return-path

2009-01-27 Thread Paweł Leśniak

Jim Wright wrote:
> On Jan 26, 2009, at 4:05 PM, Paweł Leśniak wrote:
>
>> I may be wrong, but I think I should not block sender on helo basis?
>
> Most of what will be blocked are zombie systems that send no
> legitimate mail, a very small number of legitimate mails 'may' be
> blocked.  It's a personal preference, I bounce these with
> unknown_hostname_reject_code = 450 in case it's a transient error on
> their end.

OK
As you've suggested I've changed smtpd_recipient_restrictions to include 
reject_unknown_*_hostname, so now I have:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/spam_lovers.map,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_unauth_destination,
    reject_unlisted_sender,
    check_sender_access hash:/etc/postfix/restricted_senders.map,
    reject_sender_login_mismatch,
    check_client_access pcre:/etc/postfix/check_client_fqdn.pcre,
    check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
    check_recipient_access hash:/etc/postfix/restricted_recipients.map,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    reject_unknown_helo_hostname,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:private/policy,
    check_greylist,
    reject_unauth_pipelining
    permit

Default action of  reject_unknown_*_hostname is 450, so sender's mailer 
should try to deliver message again after some time. As far as I can see 
now in my logs, nothing like this happens.
Mostly mails rejected (for future delivery) are being sent in bulks of 4 
emails at once to different email addresses. This almost definitely 
solves my problem for now. No more forged returned mails right now 
(after 13 hours of tests). And if something bad happens (when some mail 
get rejected for future delivery) I hope I'll be able to find it.


Thank you for help

Regards

Pawel Lesniak



Re: Backscatter with forged return-path

2009-01-27 Thread Paweł Leśniak

mouss wrote:
> reject_unknown_helo_hostname would indeed be too aggressive. but you
> could use restriction classes and only call it if the sender is null (<>).
>
> or you could run aggressive checks if the client has a "generic" reverse
> dns. or in this particular case, simply reject *.rev.dynxnet.com with a
> check_client_access:
> rev.dynxnet.com    REJECT blah blah
> .rev.dynxnet.com   REJECT blah blah


If I have any trouble with reject_unknown_helo_hostname sitewide I'll 
change it according to information above.
For now I'll have some time to think over BATV (full-blown or "poorman" 
versions) - each simplified solution has some disadvantages which on 
first sight are not good at my site (ex. changing submission port means 
to me reconfiguration of over 100 standalone PCs...).


Thank you for all support

Regards
Pawel Lesniak



Re: Proper location of permit_mynetworks for mailman

2009-01-27 Thread Todd A. Jacobs
On Mon, Jan 26, 2009 at 10:15:44PM +0100, mouss wrote:

> This is useless. at this stage, the domain is yours (other domains have
> been rejected by the anti-relay control: reject_unauth_destination).

Nevertheless, if I don't put permit_mynetworks in both
smtpd_client_restrictions and smtpd_recipient_restrictions, email sent
to a mailman list address on the local server will be rejected because
it's considered an unauthorized relay when:

Jan 27 14:21:39 penguin postfix/smtpd[32089]: NOQUEUE: reject: RCPT from 
localhost.localdomain[127.0.0.1]: 554 5.7.1 : Relay access 
denied; from= to= 
proto=ESMTP helo=

So, if I don't permit_mynetworks explicitly, mail sent to the mailman list
address is received, but can't be sent on to the list participants. I get
"relay access denied" when mailman attempts to resend the mail.

> consider putting all your checks under smtpd_recipient_restrictions.

Or not. From http://www.postfix.org/SMTPD_ACCESS_README.html:

Some people recommend placing ALL the access restrictions in the
smtpd_recipient_restrictions list. Unfortunately, this can result in
too permissive access.

I posted the relevant sections of my configuration, but I'll put the
output of postconf here to avoid argument:

$ sudo postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_destination_concurrency_limit = 3
delay_warning_time = 4
disable_vrfy_command = yes
mailbox_command = /usr/bin/procmail -p
mailbox_size_limit = 0
manpage_directory = /usr/share/man
masquerade_domains = codegnome.org asd-advocacy.org
    independentlivingsupports.com
masquerade_exceptions = root
mydestination = $myhostname $mydomain localhost
    localhost.localdomain localhost.$mydomain AA.com
mydomain = codegnome.org
mynetworks = 127.0.0.0/8 192.168.11.0/24
myorigin = /etc/mailname
owner_request_special = no
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relay_destination_recipient_limit = 5
relayhost = smtp.charter.net
sample_directory = /usr/share/doc/postfix/examples
setgid_group = postdrop
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org
    check_client_access hash:/etc/postfix/domain_access permit_mynetworks
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination reject_unknown_recipient_domain
    check_recipient_mx_access hash:/etc/postfix/recipient_mx_access
    check_recipient_access hash:/etc/postfix/recipient_access
    check_policy_service inet:127.0.0.1:6
smtpd_sender_restrictions = check_sender_mx_access
    hash:/etc/postfix/sender_mx_access check_sender_access
    hash:/etc/postfix/sender_access reject_unknown_sender_domain
smtpd_soft_error_limit = 2

My educated guess is that it has something to do with
reject_unauth_destination in the smtpd_recipient_restrictions, but I'm
not sure how that is being evaluated in this particular context.

-- 
"Oh, look: rocks!"
-- Doctor Who, "Destiny of the Daleks"
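
Added example (not part of the original thread, and a simplified model rather than Postfix's own code): each smtpd_*_restrictions list is evaluated on its own, so a permit_mynetworks in smtpd_client_restrictions does not stop reject_unauth_destination in smtpd_recipient_restrictions from refusing a localhost client, such as Mailman resending to an outside subscriber. The function names, example.net and 203.0.113.5 are constructed for illustration; the networks and local domains are modelled on the postconf output above.

```python
import ipaddress

# Constructed values modelled on the postconf -n output in the message above.
MYNETWORKS = ["127.0.0.0/8", "192.168.11.0/24"]
# Simplification: domains Postfix is the final destination or a relay for.
AUTHORIZED_DOMAINS = {"codegnome.org", "localhost", "localhost.localdomain"}

def permit_mynetworks(client_ip, rcpt):
    """PERMIT clients inside mynetworks, otherwise express no opinion."""
    ip = ipaddress.ip_address(client_ip)
    inside = any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)
    return "PERMIT" if inside else "DUNNO"

def reject_unauth_destination(client_ip, rcpt):
    """REJECT unless the recipient domain is one we deliver or relay for."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    return "DUNNO" if domain in AUTHORIZED_DOMAINS else "REJECT"

def evaluate_list(restrictions, client_ip, rcpt):
    """The first PERMIT or REJECT ends THIS list; DUNNO moves to the next rule."""
    for rule in restrictions:
        verdict = rule(client_ip, rcpt)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"  # end of list reached without a decision

def smtpd_decision(client_list, recipient_list, client_ip, rcpt):
    """Every list is consulted; a PERMIT in one list never skips a later list."""
    for restrictions in (client_list, recipient_list):
        if evaluate_list(restrictions, client_ip, rcpt) == "REJECT":
            return "REJECT"
    return "ACCEPT"

if __name__ == "__main__":
    outside_rcpt = "subscriber@example.net"  # constructed list subscriber
    # permit_mynetworks only in the client list: the recipient list still rejects.
    print(smtpd_decision([permit_mynetworks], [reject_unauth_destination],
                         "127.0.0.1", outside_rcpt))
    # permit_mynetworks ahead of reject_unauth_destination: localhost may relay.
    print(smtpd_decision([permit_mynetworks],
                         [permit_mynetworks, reject_unauth_destination],
                         "127.0.0.1", outside_rcpt))
```
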



Re: smtp relay and smtp verification

2009-01-27 Thread David Koski
On Thursday 20 March 2008, David Koski wrote:
> On Wednesday 19 March 2008 22:53, MacShane, Tracy wrote:
> >  > -Original Message-
> > >
> > > From: owner-postfix-us...@postfix.org
> > > [mailto:owner-postfix-us...@postfix.org] On Behalf Of David Koski
> > > Sent: Thursday, 20 March 2008 2:48 PM
> > > To: postfix-users@postfix.org
> > > Subject: smtp relay and smtp verification
> > >
> > > Hello,
> > >
> > > I have some Postfix blacklisting relay servers that I want to
> > > use smtp to verify recipients before accepting emails.  For
> > > example, before accepting a message to joe...@example.com I
> > > want to verify that such an account exists using smtp to the
> > > MX at example.com.  Can this be done with Postfix and how, if so?
> >
> > http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
> I think this is what I was looking for.  Thanks!
>
> > This should be used as little as possible, IMO, for specific domains you
> > have trouble with. You're doubling up on network traffic with each
> > request you make, and you're naturally increasing the work the sending
> > server has to do. We find we get decent results blocking spurious mail
> > using the usual kinds of checks, a decent RBL and a content scanner.
>
> This is for incoming email only.

I did some testing with this in main.cf:

smtpd_recipient_restrictions =
  ...
  check_recipient_access hash:/etc/postfix/recipient_access

recipient_access:
mytestdomain.com  reject_unverified_recipient
kosmosisland.com  reject_unverified_recipient

This host relays directly to kosmosisland.com but there is another hop to 
mytestdomain.com, a Barracuda spam firewall.  Mail to domain kosmosisland.com 
is relayed as expected but mail to mytestdomain.com is rejected regardless of 
whether the email address is correct:

450 4.1.1 : Recipient address rejected: undeliverable 
address: host cuda2.myrelayhost.com[65.183.202.16] said: 550 Blocked (in 
reply to RCPT TO command)

Is it not permitted to use recipient verification through a relay server?

Regards,
David Koski
da...@kosmosisland.com


Re: I am confused about my system's email addresses - need some help getting them to conform to my wishes

2009-01-27 Thread Sahil Tandon
On Tue, 27 Jan 2009, Dave wrote:

> Hopefully I have improved my question-asking now. :)

You are confusing the role of the SMTP server and the IMAP client/server.
Several of your "problems" have little to do with Postfix.

> Here's the first example of email addressing that I want to fix/modify.
> 
> subject: DenyHosts Report
> from: nobody-at-localhost
> to: root-at-localhost
> 
> I want this to be from me-at-example.com (or root-at-example.com) to
> me-at-example.com.
> The message does not appear in my sent mail folder at example.com (but I
> want it to).

Because you are not 'nobody', the message will not appear in your sent
folder.  In any case, the functionality of saving a copy of sent messages in
some folder is not a Postfix issue.  Also see the SMTP_FROM parameter in
denyhosts to modify the sender address.

-- 
Sahil Tandon 


Re: smtp relay and smtp verification

2009-01-27 Thread Sahil Tandon
On Tue, 27 Jan 2009, David Koski wrote:

> I did some testing with this in main.cf:
> 
> smtpd_recipient_restrictions =
>   ...
>   check_recipient_access hash:/etc/postfix/recipient_access
> 
> recipient_access:
> mytestdomain.com  reject_unverified_recipient
> kosmosisland.com  reject_unverified_recipient
> 
> This host relays directly to kosmosisland.com but there is another hop to 
> mytestdomain.com, a Barracuda spam firewall.  Mail to domain kosmosisland.com 
> is relayed as expected but mail to mytestdomain.com is rejected regardless of 
> whether the email address is correct:
> 
> 450 4.1.1 : Recipient address rejected: undeliverable 
> address: host cuda2.myrelayhost.com[65.183.202.16] said: 550 Blocked (in 
> reply to RCPT TO command)

Careful when munging!  You forgot to obfuscate 65.183.202.16. :-)

> Is it not permitted to use recipient verification through a relay server?

So cuda2.cascadenetworks.com does not believe e...@mytestdomain.com is a
valid recipient.

-- 
Sahil Tandon 


Re: I am confused about my system's email addresses - need some help getting them to conform to my wishes

2009-01-27 Thread Dave
On Tue, Jan 27, 2009 at 11:10 PM, Sahil Tandon  wrote:

> On Tue, 27 Jan 2009, Dave wrote:
>
> > Hopefully I have improved my question-asking now. :)
>
> You are confusing the role of the SMTP server and the IMAP client/server.
> Several of your "problems" have little to do with Postfix.


IMAP is not involved unless the gmail webclient is using IMAP and I don't
know it. As far as I know, I have only Postfix and the gmail webclient.
Can you tell me where my confusion is? Thank you.


>
>
> > Here's the first example of email addressing that I want to fix/modify.
> >
> > subject: DenyHosts Report
> > from: nobody-at-localhost
> > to: root-at-localhost
> >
> > I want this to be from me-at-example.com (or root-at-example.com) to
> > me-at-example.com.
> > The message does not appear in my sent mail folder at example.com (but I
> > want it to).
>
> Because you are not 'nobody', the message will not appear in your sent
> folder.  In any case, the functionality of saving a copy of sent messages
> in
> some folder is not a Postfix issue.


OK, so I have to make sure all messages are from me-at-example.com in order
for them to appear in the sent-mail folder of that account.
Any idea how I can do that?



> Also see the SMTP_FROM parameter in
> denyhosts to modify the sender address.


Thank you. Fixed that one issue now.


>
>
> --
> Sahil Tandon 
>


Re: smtp relay and smtp verification

2009-01-27 Thread David Koski
On Tuesday 27 January 2009, Sahil Tandon wrote:
> On Tue, 27 Jan 2009, David Koski wrote:
> > I did some testing with this in main.cf:
> >
> > smtpd_recipient_restrictions =
> >   ...
> >   check_recipient_access hash:/etc/postfix/recipient_access
> >
> > recipient_access:
> > mytestdomain.com  reject_unverified_recipient
> > kosmosisland.com  reject_unverified_recipient
> >
> > This host relays directly to kosmosisland.com but there is another hop to
> > mytestdomain.com, a Barracuda spam firewall.  Mail to domain
> > kosmosisland.com is relayed as expected but mail to mytestdomain.com is
> > rejected regardless of whether the email address is correct:
> >
> > 450 4.1.1 : Recipient address rejected:
> > undeliverable address: host cuda2.myrelayhost.com[65.183.202.16] said:
> > 550 Blocked (in reply to RCPT TO command)
>
> Careful when munging!  You forgot to obfuscate xx.xxx.xxx.xx. :-)
>
> > Is it not permitted to use recipient verification through a relay server?
>
> So cuda2.cascadenetworks.com does not believe e...@mytestdomain.com is a
> valid recipient.

That seems to be the case when doing recipient verification.  But without it, 
it accepts the email to e...@mytestdomain.com happily.

Regards,
David Koski
dko...@sutinen.com