content filter after postfix/discard by transport

2009-02-01 Thread Evelio Vila
Hi everyone,

I use

transport_maps = proxy:pgsql:/etc/postfix/pgsql-transport.cf

to discard mails being sent to non-existing destinations inside my MTA.

However I've installed amavisd-new to do some content filtering
(SpamAssassin, ClamAV).

But since then my mails are filtered before transport_maps decides they
should be discarded, which is of course not very efficient.

How can I make transport_maps discard mails before they are sent to
amavis?

main.cf:

transport_maps = proxy:pgsql:/etc/postfix/pgsql-transport.cf

smtpd_client_restrictions = permit_mynetworks, reject_unknown_hostname,
    permit

smtpd_recipient_restrictions = permit_mynetworks, check_client_access
    hash:/etc/postfix/check_client_access, reject_unauth_destination

content_filter = smtp-amavis:[127.0.0.1]:10024

Jan 31 15:01:53 mx2 postfix/smtpd[11774]: BA56839F93:
client=angel.tenet.odessa.ua[85.238.107.194]

Jan 31 15:02:16 mx2 postfix/cleanup[11896]: BA56839F93:
message-id=<20090131200153.ba56839...@mx2.example.com>

Jan 31 15:02:16 mx2 postfix/qmgr[8491]: BA56839F93:
from=, size=3406, nrcpt=1 (queue active)

Jan 31 15:06:14 mx2 postfix/cleanup[11785]: 2AC2139F83:
message-id=<20090131200153.ba56839...@mx2.example.com>

Jan 31 15:06:14 mx2 amavis[12036]: (12036-01-17) Passed SPAM,
[85.238.107.194] [85.238.107.194]  ->
, quarantine: 5/spam-5ZuuvQ6qc934.gz, Message-ID:
<20090131200153.ba56839...@mx2.example.com>, mail_id: 5ZuuvQ6qc934, Hits:
20.373, size: 3399, queued_as: 2AC2139F83, 7080 ms

Jan 31 15:06:14 mx2 postfix/smtp[12156]: BA56839F93:
to=, relay=127.0.0.1[127.0.0.1]:10024,
conn_use=17, delay=263, delays=26/231/0/7.1, dsn=2.0.0, status=sent (250
2.0.0 Ok: queued as 2AC2139F83)

Jan 31 15:06:14 mx2 postfix/qmgr[8491]: BA56839F93: removed

After the filter then it gets discarded…

Jan 31 15:06:14 mx2 postfix/smtpd[11744]: 2AC2139F83:
client=localhost[127.0.0.1]

Jan 31 15:06:14 mx2 postfix/cleanup[11785]: 2AC2139F83:
message-id=<20090131200153.ba56839...@mx2.example.com>

Jan 31 15:06:14 mx2 postfix/qmgr[8491]: 2AC2139F83:
from=, size=4288, nrcpt=1 (queue active)

Jan 31 15:06:14 mx2 postfix/discard[11961]: 2AC2139F83:
to=, relay=none, delay=0.11, delays=0.1/0.01/0/0,
dsn=2.0.0, status=sent (tesla.example.com)

Jan 31 15:06:14 mx2 postfix/qmgr[8491]: 2AC2139F83: removed

Thanks in advance,

ila.



Re: Mail Undeliverable error with Postfix

2009-02-01 Thread mouss
jan gestre wrote:
> Hi guys,
> 
> I have several mail servers running postfix 2.4/2.5 with postfixadmin
> and mysql as backend and dovecot for imap/pop3. I can access the inbox
> from outside the office using Outlook/Thunderbird but whenever I tried
> to send an outside email even to an internal user I always get a "Mail
> Undeliverable Error", but when webmail is used by the user there is no
> problem (to rule out dns misconfiguration). I'm already stumped for two
> days now and I can't figure it out. 
> 
> Need help.
> 
> Here's the output of my postconf -n :

show relevant logs. we need to make sure that the transaction is
rejected by postfix and why. This information is in your logs.

> [snip]


Re: check_client_access

2009-02-01 Thread mouss
Rocco Scappatura wrote:
>  [snip]
> 
> :-D
> 
> [snip]

dogs ate logs?

- show logs that prove what you claimed
- show 'postmap -q' results (for all the keys that postfix uses. see the
man page of access for the lookup order).


you also need to make your mind: the subject contains
"check_client_access". your question was about "check_sender_access",
and your explanation was about a "receiver". That's 3 different things...


PS. it would be safer to put your check_sender_access in
smtpd_sender_restrictions so that an error in your sql query doesn't
make you an open relay.


RE: SMTP sessions

2009-02-01 Thread Rocco Scappatura

Hello,

>> > I have a mail gateway system that consists of several
>> > Postfix+MySQL+Amavisd-new machines behind a load balancer.
>> >
>> > I have defined a balancing policy based on number of SMTP sessions
>> that
>> > every server has to manage.
>>
>> New connections are given to the server with the fewest connections?
>
> Yes.
>
>> > But, even if the session is perfectly balanced, I see that the
>> average
>> > latency of a message in Postfix queues is too high on some machines
>> and
>> > quite zero on other.
>>
>> Are the same servers overloaded over a long period of time? And
> lightly
>> loaded servers remain lightly loaded?
>
> Usually.
>
>> What is the critical resource? Disk I/O? CPU? Output concurrency?
>
> Indeed, the number of sessions is correctly proportional to the weight I
> have assigned to each server on balancer. But the load of the CPUs of
> each machine not. I have watched Disk I/O with vmstat and OS never
> swaps. I have a good quantity of RAM free.
>
> I monitored each machine's parameters using vmstat and what I could have
> noted is the number of blocked procs which is often nonzero (from 0 to
> 3) when the machine is overloaded.
>
> What do you mean for output concurrency?
>
> I have raised "maxproc" for amavis-filter to reduce the number of
> blocked procs.
>
>> > What I infer is that every session can be used to deliver/send
>> > different email messages (other than every message has inherently a
>> > different size).
>> >
>> > It is right my argument or I'm wrong in something? If yes, has
> Postfix
>> > the control of the number of message that could be manage by each
>> SMTP
>> > session?
>>
>> Take a look at "qshape", is there a lot of deferred mail on some
>> systems
>> and not others? Are you doing recipient validation, or accepting and
>> bouncing a lot of mail?
>
> I constantly have monitored the Postfix queues with qshape, particularly
> active queue:
>
>   # watch "perl
> /usr/local/src/postfix-2.5.2/auxiliary/qshape/qshape.pl -s active| head"
>
> I have a reasonably "normal" number of deferred emails (no more than 100
> messages).
>
> Nevertheless, I'm doing recipient validation for each mailbox that I
> manage and verification on each email of every domain for which I
> forward messages.
>
> I fear that the problem is that for each session I can have an unsettled
> number of messages sent over that session (It could be happen? If yes,
> It could be depend on MTA settings?) other than an unsettled size of
> SMTP traffic (which it determines the latency of messages and it could make
> congestion of postfix active queue more or less heavy).

Have someone further wideing to provide about this argument?

rocsca



Re: check_client_access

2009-02-01 Thread mouss
Rocco Scappatura wrote:
> Mouss,
> 
>>>  [snip]
>>>
>>> :-D
>>>
>>> [snip]
>> dogs ate logs?
>>
> 
> Very cool from you.. as usual!
> 
> You have won a prize.. :-)  <-- Is it ok so? ;-)
>

depends on what the prize is :)


>> - show logs that prove what you claimed
> 
> Feb  1 06:02:50 av5 postfix/smtpd[32172]: NOQUEUE: reject: RCPT from
> unknown[83.103.67.197]: 550 5.1.1  rejected: undeliverable address: host
> srvmailvb.domain.intranet[10.36.20.100] said: 550 5.1.1 User unknown (in
> reply to RCPT TO command); from=<> to= proto=ESMTP
> helo=
> 

so the sender is "<>". see below.

>> - show 'postmap -q' results (for all the keys that postfix uses. see the
>> man page of access for the lookup order).
> 
> Could you instruct me about the order postfix applies the restrictions
> (you can see "postconf" output in my previous email.. Thanks.)
> 

From
http://www.postfix.org/access.5.html
in the EMAIL ADDRESS PATTERNS section, the order is:
   u...@domain
   domain.tld
   user@


so you would do
# postmap -q j...@domain.example proxy:mysql:/
# postmap -q domain.example proxy:mysql:/
# postmap -q joe@ proxy:mysql:/

> Anyway,
> 
> # postmap -q st...@receiver.tld
> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
> REJECT
> 
>> you also need to make your mind: the subject contains
>> "check_client_access". your question was about "check_sender_access",
> 
> OK. Sorry I have wrong my subject..
> 
>> and your explanation was about a "receiver". That's 3 different things...
> 
> So.. What I have to do to block a message based on the receiver?
> 

check_recipient_access.

>> PS. it would be safer to put your check_sender_access in
>> smtpd_sender_restrictions so that an error in your sql query doesn't
>> make you an open relay.
> 
> Why is safer? Could have any side effect in my configuration? Thanks.
> 

it's ok if you don't return "OK" in your map (Annie, are you OK?). but
one day, you'll be tired and you'll add an entry to your map...

this is why it is generally safer to put check_*_access after
reject_unauth_destination in smtpd_recipient_restrictions, or to put
them in other restrictions (latter if you want them to apply to both
inbound and outbound mail).



Re: Limit no of messages per relayhost

2009-02-01 Thread Jack Knowlton
On Sat, January 31, 2009 3:01 pm, Wietse Venema wrote:
> Jack Knowlton:
>> Hi all.
>> I have an postfix installation configured to use my ISP's server as
>> relayhost.
>> I don't want to put too much load on it (and get blacklisted) so I'd
>> like
>> to limit the number of messages sent per minute.
>> I found previous posts on how to do that per destination domain - but
>> how
>> about the relayhost?
>
> Postfix is short-sighted. It thinks only one step ahead. The
> relayhost *IS* the destination, for the purposes of connection
> scheduling.
>
>   Wietse
>

Ok. I configured *_destination_concurrency_limit but I was looking for
something time-defined, like messages per minute.
Is it possible to achieve?

-JK



Re: Mail Undeliverable error with Postfix

2009-02-01 Thread jan gestre
Hi Mouss,
I've just replicated the issue right now, from /var/log/maillog:

Feb  1 21:26:38 mail postfix/cleanup[19777]: 55E6C148049: hold: header
Received: from [127.0.0.1] (unknown [122.53.207.8])??by
mail.ddblocal.com(Postfix) with ESMTP id 55E6C148049??for <
rages...@xinapse.net>; Sun,  1 Feb 2009 21:26:37 +0800 (PHT) from
unknown[122.53.207.8]; from= to=
proto=ESMTP helo=<[127.0.0.1]>
Feb  1 21:26:38 mail postfix/cleanup[19777]: 55E6C148049: message-id=<
4985a3e0.7000...@ddblocal.com>
Feb  1 21:26:38 mail postfix/smtpd[19520]: disconnect from
unknown[122.53.207.8]
Feb  1 21:26:38 mail dovecot: imap-login: Login: user=,
method=plain, rip=:::122.53.207.8, lip=:::192.168.1.3

Feb  1 21:26:42 mail MailScanner[17048]: Uninfected: Delivered 1 messages
Feb  1 21:26:42 mail MailScanner[17048]: MailScanner child dying of old age
Feb  1 21:26:42 mail postfix/pipe[19788]: D9A6D148050: to=<
postmas...@ddblocal.com>, relay=dovecot, delay=5.6, delays=5.6/0.01/0/0.03,
dsn=5.1.1, status=bounced (user unknown)


postmas...@ddbphil.com exists and has an alias jan.ges...@ddbphil.com, all
emails for the postmaster gets forwarded to this account. This doesn't
happen when I used a webmail client.

On Sun, Feb 1, 2009 at 9:10 PM, mouss  wrote:

> jan gestre wrote:
> > Hi Mouss,
> >
> > This is from my inbox, user jan.ges...@ddblocal.com
> >  is a real user.
> >
>
> you need to check the postfix logs (/var/log/maillog or
> /var/log/mail.log or the like), not bounce messages.
>
> for obvious reasons, postfix won't tell everything to an smtp client, so
> you won't know what is really happening by looking at a bounce message.
>
> but from the bounce message, I see that  is
> "unknown". This is bad. if this is one of your domains, make sure mail
> for postmaster is accepted and delivered. In general, people create an
> alias for this address (alias_maps if domain is in mydestination,
> virtual_alias_maps if domain is virtual).
>


Re: Dead RBL

2009-02-01 Thread Justin Piszcz



On Sun, 1 Feb 2009, mouss wrote:

> Justin Piszcz wrote:
>> RIP: dnsbl.clue-by-4.org
>> http://dnsbl.clue-by-4.org/parking.php?domain_name=clue-by-4.org
>>
>> Not sure exactly when but FYI, this RBL appears to be no more.
>
> This is the first time I hear about such DNSBL...
>
> can you please send a mail to webmas...@spamlinks.net so that he moves
> this from
> http://spamlinks.net/filter-dnsbl-lists.htm
> to
> http://spamlinks.net/filter-dnsbl-dead.htm
> ?

It used to be a fairly accurate RBL-- in any case-- sent him an e-mail,
thanks.

Justin.

Re: Mail Undeliverable error with Postfix

2009-02-01 Thread mouss
jan gestre wrote:
> Hi Mouss,
> 
> I've just replicated the issue right now, from /var/log/maillog:
> 
> Feb  1 21:26:38 mail postfix/cleanup[19777]: 55E6C148049: hold: header
> Received: from [127.0.0.1] (unknown [122.53.207.8])??by
> mail.ddblocal.com  (Postfix) with ESMTP id
> 55E6C148049??for mailto:rages...@xinapse.net>>;
> Sun,  1 Feb 2009 21:26:37 +0800 (PHT) from unknown[122.53.207.8];
> from=mailto:jan.ges...@ddb.com>>
> to=mailto:rages...@xinapse.net>> proto=ESMTP
> helo=<[127.0.0.1]>
> Feb  1 21:26:38 mail postfix/cleanup[19777]: 55E6C148049:
> message-id=<4985a3e0.7000...@ddblocal.com
> >
> Feb  1 21:26:38 mail postfix/smtpd[19520]: disconnect from
> unknown[122.53.207.8]
> Feb  1 21:26:38 mail dovecot: imap-login: Login:
> user=mailto:jan.ges...@ddb.com>>, method=plain,
> rip=:::122.53.207.8, lip=:::192.168.1.3
> 
> Feb  1 21:26:42 mail MailScanner[17048]: Uninfected: Delivered 1 messages
> Feb  1 21:26:42 mail MailScanner[17048]: MailScanner child dying of old age
> Feb  1 21:26:42 mail postfix/pipe[19788]: D9A6D148050:
> to=mailto:postmas...@ddblocal.com>>,
> relay=dovecot, delay=5.6, delays=5.6/0.01/0/0.03, dsn=5.1.1,
> status=bounced (user unknown)
> 
> 
> postmas...@ddbphil.com  exists and has an
> alias jan.ges...@ddbphil.com , all emails
> for the postmaster gets forwarded to this account. This doesn't happen
> when I used a webmail client.
> 


I guess the alias is defined in alias_maps, but this map is only
consulted by "local", which you don't use (you deliver via dovecot, not
via local).

use virtual_alias_maps instead.





Re: check_client_access

2009-02-01 Thread mouss
Rocco Scappatura wrote:
> 
> 
> Mouss,
> 
>>>> and your explanation was about a "receiver". That's 3 different
>>>> things...
>>> So.. What I have to do to block a message based on the receiver?
>>>
>> check_recipient_access.
>>
>>>> PS. it would be safer to put your check_sender_access in
>>>> smtpd_sender_restrictions so that an error in your sql query doesn't
>>>> make you an open relay.
>>> Why is safer? Could have any side effect in my configuration? Thanks.
>>>
>> it's ok if you don't return "OK" in your map (Annie, are you OK?). but
>> one day, you'll be tired and you'll add an entry to your map...
>>
>> this is why it is generally safer to put check_*_access after
>> reject_unauth_destination in smtpd_recipient_restrictions, or to put
>> them in other restrictions (latter if you want them to apply to both
>> inbound and outbound mail).
> 
> This is the restrictions in my main.cf file:
> 
> smtpd_client_restrictions =
> check_client_access
> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
> 
> smtpd_helo_restrictions =
> smtpd_sender_restrictions =
> 
> smtpd_recipient_restrictions =
> check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
> check_recipient_access
> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
> check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> permit_mynetworks
> permit_sasl_authenticated
> check_policy_service inet:127.0.0.1:54000
> reject_unauth_destination
> .
> .
> .
> 
> How do I have to modify it so that I could block an email address either
> if is the sender or one of the recipients, AND either if the message is
> incoming or outgoing?
> 
> Maybe so (assuming that the action will never be "OK")...
> 
> smtpd_client_restrictions =
> check_client_access
> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
> 
> smtpd_helo_restrictions =
> smtpd_sender_restrictions =
> check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
> check_recipient_access
> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
> 
> smtpd_recipient_restrictions =
> check_recipient_access
> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

this one is already in smtpd_sender_restrictions, so just remove it

> check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf

what's this for? it's already in smtpd_client_restrictions, so you may
or may not need it here.


> permit_mynetworks
> permit_sasl_authenticated
> check_policy_service inet:127.0.0.1:54000

what's this for? you probably want to put this after
reject_unauth_destination.

remember: reject_unauth_destination is what prevents open relay. so
avoid putting a lot of stuff before it, because you increase the risks.

and reject_unauth_destination is a very safe and very cheap check, so it's
good to have it as soon as possible.

> reject_unauth_destination
> .
> .
> .
> 
> Or you have another configuration to propose that is safer?
> 

see above.

as a general "rule of thumb", put anti-spam checks (I'm talking about
inbound spam. outbound spam is a different subject) after
reject_unauth_destination, and put "general restrictions" (that also
apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
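
An added example, not part of the thread and not Postfix code: a small audit that lists the table- or policy-driven checks placed before reject_unauth_destination in smtpd_recipient_restrictions, plus a simplified first-match model showing what one "OK" row does in each ordering. The REORDERED config, the table row and the sample transaction are constructed assumptions; check_policy_service verdicts are not modelled.

```python
import re

RELAY_GUARD = "reject_unauth_destination"
# Restrictions whose verdict comes from a table or policy daemon, so it can be "OK".
LOOKUP_DRIVEN = re.compile(r"^check_(\w+_access|policy_service)$")

# smtpd_recipient_restrictions as posted in the thread.
POSTED = """\
smtpd_recipient_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
"""

# Constructed reordering that follows the rule of thumb (not a config from the thread).
REORDERED = """\
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_policy_service inet:127.0.0.1:54000
"""

# Constructed lookup result: the single "OK" row added to the sender map one day.
SENDER_MAP = "proxy:mysql:/etc/postfix/mysql-check-sender-access.cf"
TABLES = {SENDER_MAP: {"partner@example.net": "OK"}}
# Constructed transaction: outside client, recipient domain we are not responsible for.
OUTSIDER = {"client": "203.0.113.9", "sender": "partner@example.net",
            "recipient": "someone@elsewhere.example", "in_mynetworks": False,
            "authenticated": False, "local_destination": False}


def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (part.strip() for part in raw.split("=", 1))
            params[current] = value
    return params


def recipient_steps(main_cf_text):
    """Split smtpd_recipient_restrictions into (restriction, argument) pairs."""
    value = parse_main_cf(main_cf_text).get("smtpd_recipient_restrictions", "")
    tokens = iter(t for t in re.split(r"[,\s]+", value) if t)
    steps = []
    for token in tokens:
        # Every check_* restriction takes exactly one argument (table or service).
        steps.append((token, next(tokens, "") if token.startswith("check_") else ""))
    return steps


def lookups_before_guard(main_cf_text):
    """Lookup-driven restrictions evaluated before the open-relay guard (all, if absent)."""
    steps = recipient_steps(main_cf_text)
    names = [name for name, _ in steps]
    cut = names.index(RELAY_GUARD) if RELAY_GUARD in names else len(steps)
    return [f"{name} {arg}" for name, arg in steps[:cut] if LOOKUP_DRIVEN.match(name)]


def evaluate(steps, tables, ctx):
    """Simplified first-match model of the list: the first decisive verdict wins."""
    lookup_key = {"check_sender_access": "sender",
                  "check_recipient_access": "recipient",
                  "check_client_access": "client"}
    for name, arg in steps:
        if name == "permit_mynetworks" and ctx["in_mynetworks"]:
            return "permit"
        if name == "permit_sasl_authenticated" and ctx["authenticated"]:
            return "permit"
        if name == RELAY_GUARD and not ctx["local_destination"]:
            return "reject"
        if name in lookup_key:
            action = tables.get(arg, {}).get(ctx[lookup_key[name]])
            if action == "OK":
                return "permit"   # skips everything after it, including the guard
            if action == "REJECT":
                return "reject"
    return "permit"               # end of list reached without a verdict


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("reordered", REORDERED)):
        print(label, "lookups before guard:", lookups_before_guard(conf))
        print(label, "outsider relaying:", evaluate(recipient_steps(conf), TABLES, OUTSIDER))
```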




Re: Mail Undeliverable error with Postfix

2009-02-01 Thread jan gestre
Hi Daniel,
Just like I said, postmaster account exists, I don't know why this is
happening.
On Sun, Feb 1, 2009 at 10:04 PM, Daniel V. Reinhardt wrote:

> Hi Mouss,
>
> I've just replicated the issue right now, from /var/log/maillog:
>
> Feb  1 21:26:38 mail postfix/cleanup[19777]: 55E6C148049: hold: header
> Received: from [127.0.0.1] (unknown [122.53.207.8])??by 
> mail.ddblocal.com(Postfix) with ESMTP id 55E6C148049??for <
> rages...@xinapse.net>; Sun,  1 Feb 2009 21:26:37 +0800 (PHT) from
> unknown[122.53.207.8]; from= to=
> proto=ESMTP helo=<[127.0.0.1]>
> Feb  1 21:26:38 mail postfix/cleanup[19777]: 55E6C148049: message-id=<
> 4985a3e0.7000...@ddblocal.com>
> Feb  1 21:26:38 mail postfix/smtpd[19520]: disconnect from
> unknown[122.53.207.8]
> Feb  1 21:26:38 mail dovecot: imap-login: Login: user=,
> method=plain, rip=:::122.53.207.8, lip=:::192.168.1.3
>
> Feb  1 21:26:42 mail MailScanner[17048]: Uninfected: Delivered 1 messages
> Feb  1 21:26:42 mail MailScanner[17048]: MailScanner child dying of old age
> Feb  1 21:26:42 mail postfix/pipe[19788]: D9A6D148050: to=<
> postmas...@ddblocal.com>, relay=dovecot, delay=5.6,
> delays=5.6/0.01/0/0.03, dsn=5.1.1, status=bounced (user unknown)
>
>
> postmas...@ddbphil.com exists and has an alias jan.ges...@ddbphil.com, all
> emails for the postmaster gets forwarded to this account. This doesn't
> happen when I used a webmail client.
>
> On Sun, Feb 1, 2009 at 9:10 PM, mouss  wrote:
>
>> jan gestre wrote:
>> > Hi Mouss,
>> >
>> > This is from my inbox, user jan.ges...@ddblocal.com
>> >  is a real user.
>> >
>>
>> you need to check the postfix logs (/var/log/maillog or
>> /var/log/mail.log or the like), not bounce messages.
>>
>> for obvious reasons, postfix won't tell everything to an smtp client, so
>> you won't know what is really happening by looking at a bounce message.
>>
>> but from the bounce message, I see that  is
>> "unknown". This is bad. if this is one of your domains, make sure mail
>> for postmaster is accepted and delivered. In general, people create an
>> alias for this address (alias_maps if domain is in mydestination,
>> virtual_alias_maps if domain is virtual).
>>
>
> I have sent you an email to postmas...@ddbphil.com and it was successful:
>
> 2009-02-01 07:51:28 1LTcjQ-0003gJ-Jt => cryptodan 
> F=<> R=localuser T=local_delivery S=3121
>
> 2009-02-01 07:53:08 1LTcl2-0003hp-Cu <= crypto...@cryptodan.com H=
> static-71-178-174-180.washdc.fios.verizon.net (alphacentari)
> [71.178.174.180] P=esmtpa A=login:cryptodan S=2126
> id=8a130529ba7d4bf399b598ee69c58...@alphacentari T="Testing" from <
> crypto...@cryptodan.com> for postmas...@ddbphil.com
>
> 2009-02-01 07:53:10 1LTcl2-0003hp-Cu => postmas...@ddbphil.com F=<
> crypto...@cryptodan.com> R=lookuphost T=remote_smtp S=2187 H=
> mail.ddbphil.com [122.55.93.36] C="250 2.0.0 Ok: queued as 966C2148049"
>
>
>
>
>


Re: Limit no of messages per relayhost

2009-02-01 Thread Wietse Venema
Jack Knowlton:
> On Sat, January 31, 2009 3:01 pm, Wietse Venema wrote:
> > Jack Knowlton:
> >> Hi all.
> >> I have an postfix installation configured to use my ISP's server as
> >> relayhost.
> >> I don't want to put too much load on it (and get blacklisted) so I'd
> >> like
> >> to limit the number of messages sent per minute.
> >> I found previous posts on how to do that per destination domain - but
> >> how
> >> about the relayhost?
> >
> > Postfix is short-sighted. It thinks only one step ahead. The
> > relayhost *IS* the destination, for the purposes of connection
> > scheduling.
> >
> > Wietse
> >
> 
> Ok. I configured *_destination_concurrency_limit but I was looking for
> something time-defined, like messages per minute.
> Is it possible to achieve?

http://www.postfix.org/postconf.5.html#default_destination_rate_delay

The Postfix defaults are:

default_destination_rate_delay = 0s
lmtp_destination_rate_delay = $default_destination_rate_delay
local_destination_rate_delay = $default_destination_rate_delay
relay_destination_rate_delay = $default_destination_rate_delay
smtp_destination_rate_delay = $default_destination_rate_delay
virtual_destination_rate_delay = $default_destination_rate_delay

You can override these in main.cf.

Wietse


Re: Mail Undeliverable error with Postfix

2009-02-01 Thread Daniel V. Reinhardt
Hi Mouss,


I've just replicated the issue right now, from /var/log/maillog:

Feb  1 21:26:38 mail postfix/cleanup[19777]: 55E6C148049: hold: header 
Received: from [127.0.0.1] (unknown [122.53.207.8])??by mail.ddblocal.com 
(Postfix) with ESMTP id 55E6C148049??for ; Sun,  1 Feb 
2009 21:26:37 +0800 (PHT) from unknown[122.53.207.8]; from= 
to= proto=ESMTP helo=<[127.0.0.1]>
Feb  1 21:26:38 mail postfix/cleanup[19777]: 55E6C148049: 
message-id=<4985a3e0.7000...@ddblocal.com>
Feb  1 21:26:38 mail postfix/smtpd[19520]: disconnect from unknown[122.53.207.8]
Feb  1 21:26:38 mail dovecot: imap-login: Login: user=, 
method=plain, rip=:::122.53.207.8, lip=:::192.168.1.3

Feb  1 21:26:42 mail MailScanner[17048]: Uninfected: Delivered 1 messages
Feb  1 21:26:42 mail MailScanner[17048]: MailScanner child dying of old age
Feb  1 21:26:42 mail postfix/pipe[19788]: D9A6D148050: 
to=, relay=dovecot, delay=5.6, delays=5.6/0.01/0/0.03, 
dsn=5.1.1, status=bounced (user unknown)


postmas...@ddbphil.com exists and has an alias jan.ges...@ddbphil.com, all 
emails for the postmaster gets forwarded to this account. This doesn't happen 
when I used a webmail client.

On Sun, Feb 1, 2009 at 9:10 PM, mouss  wrote:

jan gestre wrote:

> Hi Mouss,
>
> This is from my inbox, user jan.ges...@ddblocal.com
>  is a real user.
>

you need to check the postfix logs (/var/log/maillog or
/var/log/mail.log or the like), not bounce messages.

for obvious reasons, postfix won't tell everything to an smtp client, so
you won't know what is really happening by looking at a bounce message.

but from the bounce message, I see that  is
"unknown". This is bad. if this is one of your domains, make sure mail
for postmaster is accepted and delivered. In general, people create an
alias for this address (alias_maps if domain is in mydestination,
virtual_alias_maps if domain is virtual).

I have sent you an email to postmas...@ddbphil.com and it was successful:

2009-02-01 07:51:28 1LTcjQ-0003gJ-Jt => cryptodan  
F=<> R=localuser T=local_delivery S=3121

2009-02-01 07:53:08 1LTcl2-0003hp-Cu <= crypto...@cryptodan.com 
H=static-71-178-174-180.washdc.fios.verizon.net (alphacentari) [71.178.174.180] 
P=esmtpa A=login:cryptodan S=2126 
id=8a130529ba7d4bf399b598ee69c58...@alphacentari T="Testing" from 
 for postmas...@ddbphil.com

2009-02-01 07:53:10 1LTcl2-0003hp-Cu => postmas...@ddbphil.com 
F= R=lookuphost T=remote_smtp S=2187 
H=mail.ddbphil.com [122.55.93.36] C="250 2.0.0 Ok: queued as 966C2148049"


  

Re: content filter after postfix/discard by transport

2009-02-01 Thread mouss
Evelio Vila wrote:
> Hi everyone,
>
> I use
>
> transport_maps = proxy:pgsql:/etc/postfix/pgsql-transport.cf
>
> to discard mails being sent to non-existing destinations inside my MTA.
>

why do you discard mail?

> However I've installed amavisd-new to do some content filtering
> (SpamAssassin, ClamAV).
>
> But since then my mails are filtered before transport_maps decides
> they should be discarded, which is of course not very efficient.
>
> How can I make transport_maps discard mails before they are sent
> to amavis?
>

use check_recipient_access.



Re: Mail Undeliverable error with Postfix

2009-02-01 Thread mouss
jan gestre wrote:
> Hi Mouss,
> 
> This is from my inbox, user jan.ges...@ddblocal.com
>  is a real user.
> 

you need to check the postfix logs (/var/log/maillog or
/var/log/mail.log or the like), not bounce messages.

for obvious reasons, postfix won't tell everything to an smtp client, so
you won't know what is really happening by looking at a bounce message.

but from the bounce message, I see that  is
"unknown". This is bad. if this is one of your domains, make sure mail
for postmaster is accepted and delivered. In general, people create an
alias for this address (alias_maps if domain is in mydestination,
virtual_alias_maps if domain is virtual).


Dead RBL

2009-02-01 Thread Justin Piszcz

RIP: dnsbl.clue-by-4.org
http://dnsbl.clue-by-4.org/parking.php?domain_name=clue-by-4.org

Not sure exactly when but FYI, this RBL appears to be no more.

Justin.


Re: Mail Undeliverable error with Postfix

2009-02-01 Thread jan gestre
Hi Mouss,

This is from my inbox, user jan.ges...@ddblocal.com is a real user.

This is the mail system at host mail.ddblocal.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<postmas...@ddbphil.com>: user unknown

Reporting-MTA: dns; mail.ddblocal.com
X-Postfix-Queue-ID: 39423148059
X-Postfix-Sender: rfc822; jan.ges...@lddblocal.com
Arrival-Date: Sun, 1 Feb 2009 15:13:14 +0800 (PHT)

Final-Recipient: rfc822; postmas...@ddblocal.com
Action: failed
Status: 5.1.1
Diagnostic-Code: x-unix; user unknown

test
--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

On Sun, Feb 1, 2009 at 5:48 PM, mouss  wrote:

> jan gestre wrote:
> > Hi guys,
> >
> > I have several mail servers running postfix 2.4/2.5 with postfixadmin
> > and mysql as backend and dovecot for imap/pop3. I can access the inbox
> > from outside the office using Outlook/Thunderbird but whenever I tried
> > to send an outside email even to an internal user I always get a "Mail
> > Undeliverable Error", but when webmail is used by the user there is no
> > problem (to rule out dns misconfiguration). I'm already stumped for two
> > days now and I can't figure it out.
> >
> > Need help.
> >
> > Here's the output of my postconf -n :
>
> show relevant logs. we need to make sure that the transaction is
> rejected by postfix and why. This information is in your logs.
>
> > [snip]
>


Re: check_client_access

2009-02-01 Thread Rocco Scappatura



Mouss,

>>> and your explanation was about a "receiver". That's 3 different
>>> things...
>>
>> So.. What I have to do to block a message based on the receiver?
>>
>
> check_recipient_access.
>
>>> PS. it would be safer to put your check_sender_access in
>>> smtpd_sender_restrictions so that an error in your sql query doesn't
>>> make you an open relay.
>>
>> Why is safer? Could have any side effect in my configuration? Thanks.
>>
>
> it's ok if you don't return "OK" in your map (Annie, are you OK?). but
> one day, you'll be tired and you'll add an entry to your map...
>
> this is why it is generally safer to put check_*_access after
> reject_unauth_destination in smtpd_recipient_restrictions, or to put
> them in other restrictions (latter if you want them to apply to both
> inbound and outbound mail).

This is the restrictions in my main.cf file:

smtpd_client_restrictions =
check_client_access
proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

smtpd_helo_restrictions =
smtpd_sender_restrictions =

smtpd_recipient_restrictions =
check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
check_recipient_access
proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
permit_mynetworks
permit_sasl_authenticated
check_policy_service inet:127.0.0.1:54000
reject_unauth_destination
.
.
.

How do I have to modify it so that I could block an email address either
if is the sender or one of the recipients, AND either if the message is
incoming or outgoing?

Maybe so (assuming that the action will never be "OK")...

smtpd_client_restrictions =
check_client_access
proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

smtpd_helo_restrictions =
smtpd_sender_restrictions =
check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
check_recipient_access
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

smtpd_recipient_restrictions =
check_recipient_access
proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
permit_mynetworks
permit_sasl_authenticated
check_policy_service inet:127.0.0.1:54000
reject_unauth_destination
.
.
.

Or you have another configuration to propose that is safer?

rocsca



Re: check_client_access

2009-02-01 Thread Rocco Scappatura
>> How do I have to modify it so that I could block an email address either
>> if is the sender or one of the recipients, AND either if the message is
>> incoming or outgoing?
>>
>> Maybe so (assuming that the action will never be "OK")...
>>
>> smtpd_client_restrictions =
>> check_client_access
>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>
>> smtpd_helo_restrictions =
>> smtpd_sender_restrictions =
>> check_sender_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>> check_recipient_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>
>> smtpd_recipient_restrictions =
>> check_recipient_access
>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>
> this one is already in smtpd_sender_restrictions, so just remove it
>

I can't remove it because this lookup returns "reject_unverified_address"
for the domains that I maintain but for which I have no list of valid
recipients:

query = select restriction from domain where domain='%s'

maybe could I put both lookups in smtpd_sender_restrictions?

check_recipient_access
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

is it ok?

>> check_client_access
>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>
> what's this for? it's already in smtpd_client_restrictions, so you may
> or may not need it here.

It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
through my SMTP gateway). I need it.

>
>> permit_mynetworks
>> permit_sasl_authenticated
>> check_policy_service inet:127.0.0.1:54000
>
> what's this for? you probably want to put this after
> reject_unauth_destination.

postgrey

>
> remember: reject_unauth_destination is what prevents open relay. so
> avoid putting a lot of stuff before it, because you increase the risks.
>
> and reject_unauth_destination is a very safe and very cheap check, so it's
> good to have it as soon as possible.
>
>> reject_unauth_destination
>> .
>> .
>> .
>>
>> Or you have another configuration to propose the is safer?
>>
>
> see above.
>
> as a general "rule of thumb", put anti-spam checks (I'm talking about
> inbound spam. outbound spam is a different subject) after
> reject_unauth_destination, and put "general restrictions" (that also
> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.

thanks,

rocsca



Re: check_client_access

2009-02-01 Thread Rocco Scappatura

Mouss,

>>  [snip]
>>
>> :-D
>>
>> [snip]
>
> dogs ate logs?
>

Very cool from you.. as usual!

You have won a prize.. :-)  <-- Is it ok so? ;-)

> - show logs that prove what you claimed

Feb  1 06:02:50 av5 postfix/smtpd[32172]: NOQUEUE: reject: RCPT from
unknown[83.103.67.197]: 550 5.1.1  to= proto=ESMTP
helo=

> - show 'postmap -q' results (for all the keys that postfix uses. see the
> man page of access for the lookup order).

Could you instruct me about the order in which postfix applies the restrictions
(you can see "postconf" output in my previous email.. Thanks.)

Anyway,

# postmap -q st...@receiver.tld
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
REJECT

> you also need to make your mind: the subject contains
> "check_client_access". your question was about "check_sender_access",

OK. Sorry, I got my subject wrong..

> and your explanation was about a "receiver". That's 3 different things...

So.. What do I have to do to block a message based on the receiver?

> PS. it would be safer to put your check_sender_access in
> smtpd_sender_restrictions so that an error in your sql query doesn't
> make you an open relay.

Why is it safer? Could it have any side effect in my configuration? Thanks.

rocsca



Re: Dead RBL

2009-02-01 Thread mouss
Justin Piszcz wrote:
> RIP: dnsbl.clue-by-4.org
> http://dnsbl.clue-by-4.org/parking.php?domain_name=clue-by-4.org
> 
> Not sure exactly when but FYI, this RBL appears to be no more.
> 

This is the first time I hear about such DNSBL...

can you please send a mail to webmas...@spamlinks.net so that he moves
this from
http://spamlinks.net/filter-dnsbl-lists.htm
to
http://spamlinks.net/filter-dnsbl-dead.htm
?


Re: check_client_access

2009-02-01 Thread Rocco Scappatura


Sorry,

>>> How do I have to modify it so that I could block an email address
>>> either
>>> if is the sender or one of the recipients, AND either if the message is
>>> incoming or outgoing?
>>>
>>> Maybe so (assuming that the action will never be "OK")...
>>>
>>> smtpd_client_restrictions =
>>> check_client_access
>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>>
>>> smtpd_helo_restrictions =
>>> smtpd_sender_restrictions =
>>> check_sender_access
>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>> check_recipient_access
>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>
>>> smtpd_recipient_restrictions =
>>> check_recipient_access
>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>
>> this one is already in smtpd_sender_restrictions, so just remove it
>>
>
> I can't remove it because this lookup return "reject_unverified_address"
> for the domains that I maintain but for wich I have no a list of valid
> recipient:
>
> query = select restriction from domain where domain='%s'
>
> maybe could I put both lookups in smtpd_sender_restrictions?
>
> check_recipient_access
> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

I'm saying:

 check_recipient_access
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

>
> is it ok?
>
>>> check_client_access
>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>>
>> what's this for? it's already in smtpd_client_restrictions, so you may
>> or may not need it here.
>
> It integrate mynetworks (i.e.: return "OK" id an IP is enabled to relay
> trhough my SMTP gateway). I need it.
>
>>
>>> permit_mynetworks
>>> permit_sasl_authenticated
>>> check_policy_service inet:127.0.0.1:54000
>>
>> what's this for? you probably want to put this after
>> reject_unauth_destination.
>
> postgrey
>
>>
>> remember: reject_unauth_destination is what prevents open relay. so
>> avoid putting a lot of stuff before it, because you increase the risks.
>>
>> and reject_unauth_destination is a very safe a very cheap check, so it's
>>  good to have it as soon as possible.
>>
>>> reject_unauth_destination
>>> .
>>> .
>>> .
>>>
>>> Or you have another configuration to propose the is safer?
>>>
>>
>> see above.
>>
>> as a general "rule of thumb", put anti-spam checks (I'm talking about
>> inbound spam. outbound spam is a different subject) after
>> reject_unauth_destination, and put "general restrictions" (that also
>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
>
> thanks,
>
> rocsca
>
>




Re: check_client_access

2009-02-01 Thread mouss
Rocco Scappatura wrote:
> 
> Sorry,
> 
>>>> How do I have to modify it so that I could block an email address
>>>> either
>>>> if is the sender or one of the recipients, AND either if the message is
>>>> incoming or outgoing?
>>>>
>>>> Maybe so (assuming that the action will never be "OK")...
>>>>
>>>> smtpd_client_restrictions =
>>>> check_client_access
>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>>>
>>>> smtpd_helo_restrictions =
>>>> smtpd_sender_restrictions =
>>>> check_sender_access
>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>> check_recipient_access
>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>>
>>>> smtpd_recipient_restrictions =
>>>> check_recipient_access
>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>> this one is already in smtpd_sender_restrictions, so just remove it
>>>
>> I can't remove it

sorry, I didn't notice that it was a different map.

> because this lookup return "reject_unverified_address"
>> for the domains that I maintain but for wich I have no a list of valid
>> recipient:
>>
>> query = select restriction from domain where domain='%s'
>>
>> maybe could I put both lookups in smtpd_sender_restrictions?
>>

yes.

>> check_recipient_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
> 
> I'm saying:
> 
>  check_recipient_access
> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
> 

check_foo_access checks only one map. so you need to do it like this:

 check_recipient_access
proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
 check_recipient_access
proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf


>> is it ok?
>>
>>>> check_client_access
>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>>> what's this for? it's already in smtpd_client_restrictions, so you may
>>> or may not need it here.
>> It integrate mynetworks (i.e.: return "OK" id an IP is enabled to relay
>> trhough my SMTP gateway). I need it.
>>

that's ok.

>>>> permit_mynetworks
>>>> permit_sasl_authenticated
>>>> check_policy_service inet:127.0.0.1:54000
>>> what's this for? you probably want to put this after
>>> reject_unauth_destination.
>> postgrey
>>

then put it at the end. no point to greylist a relay attempt.

>>> remember: reject_unauth_destination is what prevents open relay. so
>>> avoid putting a lot of stuff before it, because you increase the risks.
>>>
>>> and reject_unauth_destination is a very safe a very cheap check, so it's
>>>  good to have it as soon as possible.
>>>
>>>> reject_unauth_destination
>>>> .
>>>> .
>>>> .
>>>>
>>>> Or you have another configuration to propose the is safer?

>>> see above.
>>>
>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
>>> inbound spam. outbound spam is a different subject) after
>>> reject_unauth_destination, and put "general restrictions" (that also
>>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
>> thanks,
>>
>> rocsca
>>
>>
> 
> 



Re: Mail Undeliverable error with Postfix

2009-02-01 Thread Benny Pedersen

On Sun, February 1, 2009 14:41, jan gestre wrote:

> Feb  1 21:26:42 mail postfix/pipe[19788]: D9A6D148050: to=<
> postmas...@ddblocal.com>, relay=dovecot, delay=5.6,
> delays=5.6/0.01/0/0.03,
> dsn=5.1.1, status=bounced (user unknown)

this is a bounce from dovecot not from postfix, postmaster exists in
postfix, but dovecot doesn't know that user


-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: Mail Undeliverable error with Postfix

2009-02-01 Thread Benny Pedersen

On Sun, February 1, 2009 16:17, mouss wrote:

> I guess the alias is defined in alias_maps, but this map is only
> consulted by "local", which you don't use (you deliver via dovecot,
> not via local).
>
> use virtual_alias_maps instead.

postfixadmin handle this when configured to do so :)

for the OP to solve it, dovecot lda must only see the mailbox from
mysql not any alias, and postfixadmin must have all destinations to
mailbox not local: aliases


-- 
http://localhost/ 100% uptime and 100% mirrored :)



HELO/EHLO isn't passed to milter when XCLIENT is enabled

2009-02-01 Thread Bokhan Artem

In the next example postfix does not pass HELO from XCLIENT line to the milter if
"EHLO spike.porcupine.org" is omitted.
It looks like a bug.


220 server.example.com ESMTP Postfix
EHLO client.example.com
250-server.example.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-XCLIENT NAME ADDR PROTO HELO
250 8BITMIME
XCLIENT NAME=spike.porcupine.org ADDR=168.100.189.2 HELO=spike.porcupine.org
220 server.example.com ESMTP Postfix

EHLO spike.porcupine.org

250-server.example.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-XCLIENT NAME ADDR PROTO HELO
250 8BITMIME
MAIL FROM:
250 Ok
RCPT TO:
250 Ok
DATA
354 End data with .
. . .message content. . .
.
250 Ok: queued as 763402AAE6
QUIT
221 Bye


Re: HELO/EHLO isn't passed to milter when XCLIENT is enabled

2009-02-01 Thread Wietse Venema
Bokhan Artem:
> In the next example postfix does not pass HELO from XCLIENT line to the 
> milter if "EHLO spike.porcupine.org" is ommited.
> It looks like bug.

This is not a bug.  

After XCLIENT, Postfix must reset the Milter session and start from
scratch with the new client IP address and hostname.

It makes no sense to send the Milter the EHLO that was sent
before XCLIENT.

Wietse
> 
> 220 server.example.com ESMTP Postfix
> EHLO client.example.com
> 250-server.example.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-XCLIENT NAME ADDR PROTO HELO
> 250 8BITMIME
> XCLIENT NAME=spike.porcupine.org ADDR=168.100.189.2 HELO=spike.porcupine.org
> 220 server.example.com ESMTP Postfix
> 
> EHLO spike.porcupine.org
> 
> 250-server.example.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-XCLIENT NAME ADDR PROTO HELO
> 250 8BITMIME
> MAIL FROM:
> 250 Ok
> RCPT TO:
> 250 Ok
> DATA
> 354 End data with .
> . . .message content. . .
> .
> 250 Ok: queued as 763402AAE6
> QUIT
> 221 Bye
> 
> 



Re: HELO/EHLO isn't passed to milter when XCLIENT is enabled

2009-02-01 Thread Victor Duchovni
On Sun, Feb 01, 2009 at 05:16:18PM -0500, Wietse Venema wrote:

> Bokhan Artem:
> > In the next example postfix does not pass HELO from XCLIENT line to the 
> > milter if "EHLO spike.porcupine.org" is ommited.
> > It looks like bug.
> 
> This is not a bug.  
> 
> After XCLIENT, Postfix must reset the Milter session and start from
> scratch with the new client IP address and hostname.
> 
> It makes no sense to send the Milter the EHLO that was sent
> before XCLIENT.

Nor the "HELO=" parameter, because milters process SMTP commands, not
arbitrary attributes. Since you see "220" after "XCLIENT", send
the desired EHLO command at that point.

This means that the "HELO" parameter for "XCLIENT" could arguably be
deprecated, you are free to not send "HELO=" with XCLIENT. If you do
send it, and don't EHLO/HELO after 220, it will only apply to Postfix
restrictions, not milters.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: HELO/EHLO isn't passed to milter when XCLIENT is enabled

2009-02-01 Thread Bokhan Artem

Wietse Venema wrote:

> Bokhan Artem:
>
>> In the next example postfix does not pass HELO from XCLIENT line to the milter if
>> "EHLO spike.porcupine.org" is omitted.
>> It looks like bug.
>
> This is not a bug.

The behavior of mail proxy (nginx) is not to send EHLO after XCLIENT. Thank you.

> After XCLIENT, Postfix must reset the Milter session and start from
> scratch with the new client IP address and hostname.
>
> It makes no sense to send the Milter the EHLO that was sent
> before XCLIENT.
>
> Wietse
>
>> 220 server.example.com ESMTP Postfix
>> EHLO client.example.com
>> 250-server.example.com
>> 250-PIPELINING
>> 250-SIZE 1024
>> 250-VRFY
>> 250-ETRN
>> 250-XCLIENT NAME ADDR PROTO HELO
>> 250 8BITMIME
>> XCLIENT NAME=spike.porcupine.org ADDR=168.100.189.2 HELO=spike.porcupine.org
>> 220 server.example.com ESMTP Postfix
>>
>> EHLO spike.porcupine.org
>>
>> 250-server.example.com
>> 250-PIPELINING
>> 250-SIZE 1024
>> 250-VRFY
>> 250-ETRN
>> 250-XCLIENT NAME ADDR PROTO HELO
>> 250 8BITMIME
>> MAIL FROM:
>> 250 Ok
>> RCPT TO:
>> 250 Ok
>> DATA
>> 354 End data with .
>> . . .message content. . .
>> .
>> 250 Ok: queued as 763402AAE6
>> QUIT
>> 221 Bye








Re: HELO/EHLO isn't passed to milter when XCLIENT is enabled

2009-02-01 Thread Wietse Venema
Victor Duchovni:
> On Sun, Feb 01, 2009 at 05:16:18PM -0500, Wietse Venema wrote:
> 
> > Bokhan Artem:
> > > In the next example postfix does not pass HELO from XCLIENT line to the 
> > > milter if "EHLO spike.porcupine.org" is ommited.
> > > It looks like bug.
> > 
> > This is not a bug.  
> > 
> > After XCLIENT, Postfix must reset the Milter session and start from
> > scratch with the new client IP address and hostname.
> > 
> > It makes no sense to send the Milter the EHLO that was sent
> > before XCLIENT.
> 
> Nor the "HELO=" parameter, because milters process SMTP commands, not
> artbitrary attributes. Since you see "220" after "XCLIENT", send
> the desired EHLO command at that point.
> 
> This means that the "HELO" parameter for "XCLIENT" could arguably be
> deprecated, you are free to not send "HELO=" with XCLIENT. If you do
> sent it, and don't EHLO/HELO after 220, it will only apply to Postfix
> restrictions, not milters.

No need to deprecate HELO=, it just can't work with Milters.

Wietse
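
The behaviour Wietse and Viktor describe can be written down as a small state model and run against a proxy's command sequence. This is an added example, not Postfix code; `helo_views`, `milter_misses_helo` and the sender address in the sample commands are constructed here.

```python
def helo_views(client_commands):
    """Replay client-side SMTP commands and report the HELO name that
    Postfix restrictions and Milters each end up with.

    Model of what the thread states:
      * XCLIENT restarts the session at the 220 greeting, Postfix resets the
        Milter session, and the EHLO sent before XCLIENT is forgotten;
      * XCLIENT HELO= is an attribute, not an SMTP command, so it reaches
        Postfix restrictions but not Milters;
      * an EHLO/HELO command sent after the new 220 reaches both.
    """
    postfix_helo = milter_helo = None
    for line in client_commands:
        verb, _, rest = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            postfix_helo = milter_helo = rest.strip() or None
        elif verb == "XCLIENT":
            postfix_helo = milter_helo = None        # start from scratch
            attrs = dict(a.split("=", 1) for a in rest.split() if "=" in a)
            attrs = {name.upper(): val for name, val in attrs.items()}
            if "HELO" in attrs:
                postfix_helo = attrs["HELO"]         # attribute only
        elif verb == "MAIL":
            break  # report the state the first mail transaction sees
    return {"postfix": postfix_helo, "milter": milter_helo}


def milter_misses_helo(client_commands):
    """True when Postfix restrictions have a HELO name but Milters got none."""
    views = helo_views(client_commands)
    return views["postfix"] is not None and views["milter"] is None


XCLIENT_LINE = ("XCLIENT NAME=spike.porcupine.org ADDR=168.100.189.2 "
                "HELO=spike.porcupine.org")

# Command sequence from the thread; the sender address is constructed.
WITH_EHLO = [
    "EHLO client.example.com",
    XCLIENT_LINE,
    "EHLO spike.porcupine.org",
    "MAIL FROM:<sender@example.com>",
]

# Same sequence without the EHLO after XCLIENT, as reported for the proxy.
WITHOUT_EHLO = [
    "EHLO client.example.com",
    XCLIENT_LINE,
    "MAIL FROM:<sender@example.com>",
]

if __name__ == "__main__":
    for name, cmds in (("with EHLO", WITH_EHLO), ("without EHLO", WITHOUT_EHLO)):
        print(name, helo_views(cmds), "milter misses HELO:", milter_misses_helo(cmds))
```

A HELO-based Milter rule therefore sees no HELO name for mail relayed by a front end that stops after XCLIENT, while smtpd_helo_restrictions still sees the HELO= value.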


Re: check_client_access

2009-02-01 Thread Rocco Scappatura
Mouss,

>>>>> How do I have to modify it so that I could block an email address
>>>>> either
>>>>> if is the sender or one of the recipients, AND either if the message
>>>>> is
>>>>> incoming or outgoing?
>>>>>
>>>>> Maybe so (assuming that the action will never be "OK")...
>>>>>
>>>>> smtpd_client_restrictions =
>>>>> check_client_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>>>>
>>>>> smtpd_helo_restrictions =
>>>>> smtpd_sender_restrictions =
>>>>> check_sender_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>>> check_recipient_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>>>
>>>>> smtpd_recipient_restrictions =
>>>>> check_recipient_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>>> this one is already in smtpd_sender_restrictions, so just remove it

>>> I can't remove it
>
> sorry, I didn't notice that it was a different map.
>
>> because this lookup return "reject_unverified_address"
>>> for the domains that I maintain but for wich I have no a list of valid
>>> recipient:
>>>
>>> query = select restriction from domain where domain='%s'
>>>
>>> maybe could I put both lookups in smtpd_sender_restrictions?
>>>
>
> yes.
>
>>> check_recipient_access
>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>
>> I'm saying:
>>
>>  check_recipient_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>
>
> check_foo_access checks only one map. so you need to do it like this:
>
>  check_recipient_access
>   proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>  check_recipient_access
>   proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>
>
>>> is it ok?
>>>
>>>>> check_client_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>>>> what's this for? it's already in smtpd_client_restrictions, so you may
>>>> or may not need it here.
>>> It integrate mynetworks (i.e.: return "OK" id an IP is enabled to relay
>>> trhough my SMTP gateway). I need it.
>>>
>
> that's ok.
>
>>>>> permit_mynetworks
>>>>> permit_sasl_authenticated
>>>>> check_policy_service inet:127.0.0.1:54000
>>>> what's this for? you probably want to put this after
>>>> reject_unauth_destination.
>>> postgrey
>>>
>
> then put it at the end. no point to greylist a relay attempt.
>
>>>> remember: reject_unauth_destination is what prevents open relay. so
>>>> avoid putting a lot of stuff before it, because you increase the
>>>> risks.
>>>>
>>>> and reject_unauth_destination is a very safe a very cheap check, so
>>>> it's
>>>>  good to have it as soon as possible.
>>>>
>>>>> reject_unauth_destination
>>>>> .
>>>>> .
>>>>> .
>>>>>
>>>>> Or you have another configuration to propose the is safer?
>>>>>
>>>> see above.
>>>>
>>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
>>>> inbound spam. outbound spam is a different subject) after
>>>> reject_unauth_destination, and put "general restrictions" (that also
>>>> apply to your users) in one of
>>>> smtpd_(client|helo|sender)_restrictions.

All works fine.. Annie is OK! ;-)

Thanks,

rocsca
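
The ordering advice in this thread can be checked mechanically before a change goes live. The script below is an added example, not code posted in the thread or shipped with Postfix: it flags table and policy lookups that run ahead of reject_unauth_destination, and a second table left without its own check_*_access. The function names, finding codes and the REORDERED layout are constructed for illustration.

```python
import re

# Restrictions that ask an external table or service for a verdict. A wrong
# "OK" from one of these ahead of reject_unauth_destination relays the mail.
LOOKUPS = re.compile(r"^(check_\w+_access|check_policy_service)$")
# A lookup table or service argument, e.g. proxy:mysql:/path or inet:host:port.
TABLE = re.compile(r"^\w+:\S+$")
RELAY_GUARD = "reject_unauth_destination"


def tokenize(value):
    """Split a main.cf restriction list; commas and whitespace both separate."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def lint_recipient_restrictions(value):
    """Return (code, detail) findings for an smtpd_recipient_restrictions value."""
    tokens = tokenize(value)
    findings = []
    guard_seen = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == RELAY_GUARD:
            guard_seen = True
        elif LOOKUPS.match(tok):
            arg = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 1  # the argument belongs to this restriction
            if not guard_seen:
                findings.append(("BEFORE_RELAY_GUARD", f"{tok} {arg}"))
            # A table name directly after the argument has no restriction
            # name of its own: each check_*_access takes exactly one table.
            while i + 1 < len(tokens) and TABLE.match(tokens[i + 1]):
                findings.append(("EXTRA_TABLE", f"{tokens[i + 1]} after {tok}"))
                i += 1
        i += 1
    if not guard_seen:
        findings.append(("NO_RELAY_GUARD", RELAY_GUARD + " is missing"))
    return findings


# smtpd_recipient_restrictions as proposed in the thread.
PROPOSED = """
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
"""

# Constructed layout following the replies: the client table that extends
# mynetworks stays in front, everything else moves behind the relay guard,
# greylisting last.
REORDERED = """
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_policy_service inet:127.0.0.1:54000
"""

# The comma-joined form asked about in the thread.
TWO_TABLES = ("check_recipient_access "
              "proxy:mysql:/etc/postfix/mysql-check-sender-access.cf, "
              "proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf")

if __name__ == "__main__":
    for name, value in (("proposed", PROPOSED), ("reordered", REORDERED),
                        ("two tables", TWO_TABLES)):
        print(name)
        for code, detail in lint_recipient_restrictions(value):
            print("  ", code, detail)
```

A BEFORE_RELAY_GUARD finding is a review item rather than an error: the client table that returns "OK" for relay-enabled addresses has to run first, and it is exactly the table whose query deserves the closest check.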



Postfix installation problem

2009-02-01 Thread Mayuresh Kasture
Hello everyone,

I am trying to install postfix. When I do make install, I get an error,
/etc/postfix/post-install: Error: no /usr/sbin/postconf command found.
Re-run this command as /etc/postfix/post-install
command_directory=/some/where.
make: *** [install] Error 1

But, I can see postconf in /usr/sbin.
r...@mayuresh-desktop:/home/mayuresh/Desktop/Tools/Postfix/postfix-2.5.6#
ls -l /usr/sbin/postconf
-rwxr-xr-x 1 root root 568127 2009-02-01 16:45 /usr/sbin/postconf

I followed instructions given in
http://archive.netbsd.se/?ml=postfix-users&a=2004-08&t=308185,

All the tests give the same outputs as in the thread. But,

4. /usr/bin/env -i TZ=$TZ /bin/sh -c "
  /usr/sbin/postconf -d mail_version || {
echo postconf -d mail_version failed
exit 1
}" echo $?

gives

/usr/sbin/postconf: error while loading shared libraries:
libmysqlclient.so.16: cannot open shared object file: No such file or
directory
postconf -d mail_version failed

I checked LD_LIBRARY_PATH and LD_RUN_PATH, both point to correct directory,

r...@mayuresh-desktop:/home/mayuresh/Desktop/Tools/Postfix/postfix-2.5.6#
$LD_LIBRARY_PATH
bash: /usr/local/mysql/lib/mysql/: is a directory
r...@mayuresh-desktop:/home/mayuresh/Desktop/Tools/Postfix/postfix-2.5.6#
$LD_RUN_PATH
bash: /usr/local/mysql/lib/mysql/: is a directory

Does anybody have any idea what is going on here?

Thanks,
Mayuresh


Re: Postfix installation problem

2009-02-01 Thread Terry Carmen

Mayuresh Kasture wrote:

> Hello everyone,
>
> I am trying to install postfix. When I do make install, I get an error,
> /etc/postfix/post-install: Error: no /usr/sbin/postconf command found.
> Re-run this command as /etc/postfix/post-install
> command_directory=/some/where.
> make: *** [install] Error 1
>
> But, I can see postconf in /usr/sbin.
> r...@mayuresh-desktop:/home/mayuresh/Desktop/Tools/Postfix/postfix-2.5.6#
> ls -l /usr/sbin/postconf
> -rwxr-xr-x 1 root root 568127 2009-02-01 16:45 /usr/sbin/postconf

If you're running anything like SELinux or AppArmor, turn it off.

If you're running a plain *nix install, something is screwed up in your
installation package. Download a fresh copy from http://www.postfix.org/
and try again.

Troubleshooting your specific problem is possible, but probably not a
productive use of your time.

> I followed instructions given in
> http://archive.netbsd.se/?ml=postfix-users&a=2004-08&t=308185,

Use the instructions that come with postfix or from the above URL. 3rd
party instructions are not necessarily current or accurate.
. . .

> gives
> /usr/sbin/postconf: error while loading shared libraries:
> libmysqlclient.so.16: cannot open shared object file: No such file or
> directory
> postconf -d mail_version failed

The default postfix install does not use mysql. Unless you require it
for something, it's probably a package dependency you're missing on a
precompiled version of postfix. If you actually need mysql, you should
make sure that mysql and the mysql client libraries are installed.

Terry

--
Terry Carmen
CNY Support, LLC


http://cnysupport.com






Re: Postfix installation problem

2009-02-01 Thread Mayuresh Kasture
Thanks, Terry, for your reply.

I am not sure if I am using SELinux, AppArmor. I didn't install any of these
explicitly. I am not sure if they run by default.

While doing make, I used
make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include/mysql
-DUSE_SASL_AUTH -I/usr/local/include/sasl -I/usr/local/bdb/include'
'AUXLIBS=-L/usr/local/mysql/lib/mysql -lmysqlclient -lz -lm -L/usr/local/lib
-lsasl2 -L/usr/local/bdb/lib'

And I got error during make install.

But, when I removed mysql related arguments from the make command,
everything worked fine. The make command I used now is,
make makefiles 'CCARGS=-DUSE_SASL_AUTH -I/usr/local/include/sasl
-I/usr/local/bdb/include' 'AUXLIBS=-lz -lm -L/usr/local/lib -lsasl2
-L/usr/local/bdb/lib'

I am still not getting what the problem is. I am using the correct library
path /usr/local/mysql/lib/mysql in the command which contains the file
libmysqlclient.so.16

r...@mayuresh-desktop:/home/mayuresh/Desktop/Tools/Postfix/postfix-2.5.6# ls
/usr/local/mysql/lib/mysql
libdbug.a  libmyisammrg.a  libmysqlclient_r.a
libmysqlclient_r.so.16  libmysqlclient.so.16  libmysys.a  libz.la
libheap.a  libmysqlclient.a  libmysqlclient_r.la
libmysqlclient_r.so.16.0.0  libmysqlclient.so.16.0.0  libvio.a  plugin
libmyisam.a  libmysqlclient.la  libmysqlclient_r.so
libmysqlclient.so  libmystrings.a  libz.a

And as mentioned in the previous mail postconf is also present in the
proper directory.

Then why is installation not allowing me to include mysql related arguments?

Thanks,
Mayuresh


On Sun, Feb 1, 2009 at 9:33 PM, Terry Carmen  wrote:

> Mayuresh Kasture wrote:
>
>> Hello everyone,
>>
>> I am trying to install postfix. When I do make install, I get an error,
>> //etc/postfix/post-install: Error: no /usr/sbin/postconf command found.
>> Re-run this command as /etc/postfix/post-install
>> command_directory=/some/where.
>> make: *** [install] Error 1
>> / But, I can see postconf in /usr/sbin.
>> /r...@mayuresh-desktop://home/mayuresh/Desktop/Tools/Postfix/postfix-2.5.6/#
>> ls -l /usr/sbin/postconf
>> -rwxr-xr-x 1 root root 568127 2009-02-01 16:45 /usr/sbin/postconf
>> /
>>
> If you're running anything like SELinux or AppArmor, turn it off.
>
> If you're running a plain *nix install, something is screwed up in your
> installation package. Download a fresh copy from http://www.postfix.org/
> and try again.
>
> Troubleshooting your specific problem is possible, but probably not a
> productive use of your time.//
>
>> I followed instructions given in
>> http://archive.netbsd.se/?ml=postfix-users&a=2004-08&t=308185 <
>> http://archive.netbsd.se/?ml=postfix-users&a=2004-08&t=308185>,
>>
>>  Use the instructions that come with postfix or from the above URL. 3rd
> party instructions are not necessarily current or accurate.
> . . .
>
>> gives/
>> ///usr/sbin/postconf: error while loading shared libraries:
>> libmysqlclient.so.16: cannot open shared object file: No such file or
>> directory
>> postconf -d mail_version failed
>> /
>>
> The default postfix install does not use mysql. Unless you require it
> for something, it's probably a package dependency you're missing on a
> precompiled version of postfix. If you actually need mysql, you should
> make sure that mysql and the mysql client libraries are installed.
>
> Terry
>
> --
> Terry Carmen
> CNY Support, LLC
>
>
> http://cnysupport.com
>
>
>
>
>


Re: Postfix installation problem

2009-02-01 Thread Victor Duchovni
On Sun, Feb 01, 2009 at 10:07:32PM -0500, Mayuresh Kasture wrote:

> Thanks, Terry, for your reply.
> 
> I am not sure if I am using SELinux, AppArmor. I didn't install any of these
> explicitly. I am not sure if they run by default.
> 
> While doing make, I used
> *make makefiles 'CCARGS=-DHAS_MYSQL ** -I/usr/local/mysql/include/mysql
> -DUSE_SASL_AUTH -I/usr/local/include/sasl -I/usr/local/bdb/include'
> 'AUXLIBS=-L/usr/local/mysql/lib/mysql -lmysqlclient -lz -lm -L/usr/local/lib
> -lsasl2 -L/usr/local/bdb/lib'
> *
> And I got error during make install.
> 
> But, when I removed mysql related arguments from the make command,
> everything worked fine. The make command I used now is,
>  *make makefiles 'CCARGS=-DUSE_SASL_AUTH -I/usr/local/include/sasl
> -I/usr/local/bdb/include' 'AUXLIBS=-lz -lm -L/usr/local/lib -lsasl2
> -L/usr/local/bdb/lib'
> 
> *I am still not getting what the problem is. I am using the correct library
> path */usr/local/mysql/lib/mysql *in the command which contains the file *
> libmysqlclient.so.16

Don't confuse the "-L" flag which enables the linker to find the library
at compile-time, with the compiler-dependent flags that enable the
run-time shared-library linker to find the library at run-time.

Add appropriate AUXLIBS flags to add the mysql library to the run-time
library path.

-- 
Viktor.
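
A quick way to see the gap Viktor points at is to compare the link-time and run-time directories named in AUXLIBS. This is an added example, not part of the thread or of the Postfix build system; it assumes GCC/GNU ld (`-Wl,-rpath,DIR`) or Solaris-style (`-R DIR`) flag syntax, and the function names and the WITH_RPATH value are constructed here.

```python
import shlex


def norm(path):
    """Compare directories without regard to a trailing slash."""
    return path.rstrip("/") or "/"


def split_search_paths(auxlibs):
    """Return (link_time_dirs, run_time_dirs) named in an AUXLIBS string."""
    link_dirs, run_dirs = [], []
    tokens = shlex.split(auxlibs)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-L" and i + 1 < len(tokens):        # "-L dir"
            i += 1
            link_dirs.append(tokens[i])
        elif tok == "-R" and i + 1 < len(tokens):      # "-R dir"
            i += 1
            run_dirs.extend(tokens[i].split(":"))
        elif tok.startswith("-L"):                     # "-Ldir"
            link_dirs.append(tok[2:])
        elif tok.startswith("-R"):                     # "-Rdir"
            run_dirs.extend(tok[2:].split(":"))
        elif tok.startswith("-Wl,"):
            # Options the compiler driver passes to the linker, comma separated.
            parts = tok[4:].split(",")
            for j, part in enumerate(parts):
                if part.startswith("-rpath="):
                    run_dirs.extend(part[len("-rpath="):].split(":"))
                elif part in ("-rpath", "-R") and j + 1 < len(parts):
                    run_dirs.extend(parts[j + 1].split(":"))
        i += 1
    return link_dirs, run_dirs


def missing_runtime_paths(auxlibs):
    """-L directories that the binary will not search at run time."""
    link_dirs, run_dirs = split_search_paths(auxlibs)
    embedded = {norm(d) for d in run_dirs}
    return [d for d in link_dirs if norm(d) not in embedded]


# AUXLIBS value from the thread.
THREAD_AUXLIBS = ("-L/usr/local/mysql/lib/mysql -lmysqlclient -lz -lm "
                  "-L/usr/local/lib -lsasl2 -L/usr/local/bdb/lib")

# Constructed variant with a run-time path for the MySQL client library
# (GCC/GNU ld syntax assumed).
WITH_RPATH = ("-L/usr/local/mysql/lib/mysql "
              "-Wl,-rpath,/usr/local/mysql/lib/mysql -lmysqlclient -lz -lm "
              "-L/usr/local/lib -lsasl2 -L/usr/local/bdb/lib")

if __name__ == "__main__":
    print("thread    :", missing_runtime_paths(THREAD_AUXLIBS))
    print("with rpath:", missing_runtime_paths(WITH_RPATH))
```

A flagged directory only matters when the library in it is shared and the directory is not already on the dynamic linker's default search path. An embedded run-time path also survives the `env -i` check quoted in this thread, which clears LD_LIBRARY_PATH along with the rest of the environment.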



virtual_maibox_maps, ldap lookups, and multiple attributes

2009-02-01 Thread ben thielsen

hi-

i'm using an ldap lookup map for virtual_maibox_maps and haven't been  
able to get the lookup to work quite the way i'd like.  users exist in  
the ldap tree as  
uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com, and  
currently i'm using the mailLocalAddress attribute to store addresses  
which should be delivered to the filesystem, by virtual.  users  
potentially have multiple addresses in their entry using this  
attribute, each of which should be delivered to a discrete mailbox -  
e.g.:


dn: uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com
mailLocalAddress: u...@foo.com  -  delivered to foo.com/user/Maildir/
mailLocalAddress: u...@bar.net  - delivered to bar.net/user/Maildir/
mailLocalAddress: u...@foobar.org   - delivered to foobar.org/u/Maildir/

this works well for entries that contain only a single  
mailLocalAddress attribute, but not so well when multiple attributes  
exist.  using %U and %D in the result_format value appeared to be a  
step in the right direction, but still returns more than one result,  
which suggested that there might be a more sensible approach.  i also  
experimented with expansion_limit and size_limit, neither of which  
appeared to change the outcome (aside from introducing failures).


at first glance, it seems to me that being able to use % expansions in  
the result_attribute might get me what i'm after (e.g.  
result_attribute = mailLocalAddress=%s or such), the idea being that  
only attributes that matched a particular value would be returned.   
since this isn't possible though, according to the ldap_table man  
page, i'm wondering how else i might achieve my goal, without  
requiring independent entries in ldap for each mailbox.


thanks
-ben


Re: virtual_maibox_maps, ldap lookups, and multiple attributes

2009-02-01 Thread ben thielsen

On Feb 01, 2009, at 23.15, ben thielsen wrote:


> hi-
>
> i'm using an ldap lookup map for virtual_maibox_maps and haven't
> been able to get the lookup to work quite the way i'd like.  users
> exist in the ldap tree as
> uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com, and
> currently i'm using the mailLocalAddress attribute to store
> addresses which should be delivered to the filesystem, by virtual.
> users potentially have multiple addresses in their entry using this
> attribute, each of which should be delivered to a discrete mailbox -
> e.g.:
>
> dn: uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com
> mailLocalAddress: u...@foo.com  -  delivered to foo.com/user/Maildir/
> mailLocalAddress: u...@bar.net  - delivered to bar.net/user/Maildir/
> mailLocalAddress: u...@foobar.org   - delivered to foobar.org/u/Maildir/
>
> this works well for entries that contain only a single
> mailLocalAddress attribute, but not so well when multiple attributes
> exist.  using %U and %D in the result_format value appeared to be a
> step in the right direction, but still returns more than one result,
> which suggested that there might be a more sensible approach.  i
> also experimented with expansion_limit and size_limit, neither of
> which appeared to change the outcome (aside from introducing
> failures).
>
> at first glance, it seems to me that being able to use % expansions
> in the result_attribute might get me what i'm after (e.g.
> result_attribute = mailLocalAddress=%s or such), the idea being that
> only attributes that matched a particular value would be returned.
> since this isn't possible though, according to the ldap_table man
> page, i'm wondering how else i might achieve my goal, without
> requiring independent entries in ldap for each mailbox.
>
> thanks
> -ben


apologies-

i meant to include my lookup map, as it currently stands (horribly  
munged, out of unreasonable paranoia):


version = 3
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
server_host = ldaps://ldap.example.com
bind_dn = cn=postfix,ou=under,ou=services,ou=accounts,dc=example,dc=com
bind_pw = xx
search_base = ou=people,ou=users,ou=accounts,dc= example,dc= com
query_filter = (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%s)(memberOf=cn=mail_recipients,dc=%d,ou=domains,ou=mail,dc=example,dc=com))

result_attribute = mailLocalAddress
result_format = %D/%U/Maildir/

-ben


Re: virtual_maibox_maps, ldap lookups, and multiple attributes

2009-02-01 Thread Victor Duchovni
On Sun, Feb 01, 2009 at 11:15:00PM -0500, ben thielsen wrote:

> dn: uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com
> mailLocalAddress: u...@foo.com-  delivered to foo.com/user/Maildir/
> mailLocalAddress: u...@bar.net- delivered to bar.net/user/Maildir/
> mailLocalAddress: u...@foobar.org - delivered to foobar.org/u/Maildir/
>
> this works well for entries that contain only a single mailLocalAddress 
> attribute, but not so well when multiple attributes exist.  using %U and %D 
> in the result_format value appeared to be a step in the right direction, 
> but still returns more than one result, which suggested that there might be 
> a more sensible approach.  i also experimented with expansion_limit and 
> size_limit, neither of which appeared to change the outcome (aside from 
> introducing failures).
>
> at first glance, it seems to me that being able to use % expansions in the 
> result_attribute might get me what i'm after (e.g. result_attribute = 
> mailLocalAddress=%s or such), the idea being that only attributes that 
> matched a particular value would be returned.  since this isn't possible 
> though, according to the ldap_table man page, i'm wondering how else i 
> might achieve my goal, without requiring independent entries in ldap for 
> each mailbox.

Pick a single-valued attribute as the result_attribute.

-- 
Viktor.
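
Why %U and %D did not help, and what a single-valued result attribute changes, shown with a small model of the lookup. This is an added example, not Postfix code: it models only the %s, %S, %U and %D expansions of result_format and the comma-joining of multiple results; the directory entry reconstructs the munged addresses quoted above, and `uid` as the single-valued attribute is an assumption.

```python
import re


def expand(result_format, key, value):
    """Apply the modelled subset of result_format expansions.

    %s is the result attribute value; %S, %U and %D are the lookup key,
    its local part and its domain part.
    """
    user, _, domain = key.rpartition("@")
    table = {"s": value, "S": key, "U": user, "D": domain, "%": "%"}
    return re.sub(r"%([sSUD%])", lambda m: table[m.group(1)], result_format)


def lookup(key, directory, result_attribute, result_format):
    """Model one map lookup: filter on mailLocalAddress, expand every value."""
    results = []
    for entry in directory:
        if key not in entry.get("mailLocalAddress", []):
            continue  # stands in for query_filter (mailLocalAddress=%s)
        # One expansion per value of the result attribute: a multi-valued
        # attribute yields several results even if the format ignores %s.
        for value in entry.get(result_attribute, []):
            results.append(expand(result_format, key, value))
    return ",".join(results) if results else None


# Constructed entry modelled on the one in the question.
DIRECTORY = [{
    "uid": ["user"],  # assumed single-valued attribute
    "mailLocalAddress": ["user@foo.com", "user@bar.net", "u@foobar.org"],
}]

FORMAT = "%D/%U/Maildir/"

if __name__ == "__main__":
    for attr in ("mailLocalAddress", "uid"):
        print(attr, "->", lookup("user@foo.com", DIRECTORY, attr, FORMAT))
```

With `mailLocalAddress` as the result attribute the same path comes back three times, once per stored address; with a single-valued attribute the key-based format produces exactly one mailbox path per lookup.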

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

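The behaviour discussed in this exchange, as an added example that is not part of either post and is not Postfix code: a simplified Python model of how an ldap_table lookup emits one result per value of result_attribute, and why a single-valued attribute yields exactly one mailbox path. The entry is constructed sample data, and treating uid as single-valued is an assumption.

```python
# Simplified model of a Postfix ldap_table lookup (illustration only).
# Constructed sample entry, shaped like the one quoted in the thread.
ENTRY = {
    "uid": ["user"],  # assumed single-valued
    "mailLocalAddress": ["user@foo.com", "user@bar.net", "u@foobar.org"],
}


def split_addr(text):
    """Return (local, domain); a string without '@' is treated as all local part."""
    if "@" not in text:
        return text, ""
    local, _, domain = text.rpartition("@")
    return local, domain


def expand(fmt, key, value):
    """%s/%u/%d come from the result value, %S/%U/%D from the lookup key."""
    key_user, key_domain = split_addr(key)
    val_user, val_domain = split_addr(value)
    table = {"s": value, "u": val_user, "d": val_domain,
             "S": key, "U": key_user, "D": key_domain, "%": "%"}
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt) and fmt[i + 1] in table:
            out.append(table[fmt[i + 1]])
            i += 2
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


def lookup(key, result_attribute, result_format):
    """One expanded result per attribute value; [] when the filter does not match."""
    if key not in ENTRY["mailLocalAddress"]:  # stands in for query_filter
        return []
    return [expand(result_format, key, v) for v in ENTRY[result_attribute]]


if __name__ == "__main__":
    fmt = "%D/%U/Maildir/"
    # Multi-valued attribute: three results for one recipient.
    print(lookup("u@foobar.org", "mailLocalAddress", fmt))
    # Single-valued attribute: exactly one mailbox path.
    print(lookup("u@foobar.org", "uid", fmt))
```

With the multi-valued attribute the same path comes back three times, because the format is expanded once per value even though it only uses the lookup key.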

Re: Postfix installation problem

2009-02-01 Thread Mayuresh Kasture
Okay. As of now I have installed postfix w/o mysql support. I will add that
support later.

Thanks for your help.

- Mayuresh

On Sun, Feb 1, 2009 at 10:41 PM, Victor Duchovni <
victor.ducho...@morganstanley.com> wrote:

> On Sun, Feb 01, 2009 at 10:07:32PM -0500, Mayuresh Kasture wrote:
>
> > Thanks, Terry, for your reply.
> >
> > I am not sure if I am using SELinux, AppArmor. I didn't install any of these
> > explicitly. I am not sure if they run by default.
> >
> > While doing make, I used
> > make makefiles 'CCARGS=-DHAS_MYSQL -I/usr/local/mysql/include/mysql
> > -DUSE_SASL_AUTH -I/usr/local/include/sasl -I/usr/local/bdb/include'
> > 'AUXLIBS=-L/usr/local/mysql/lib/mysql -lmysqlclient -lz -lm -L/usr/local/lib
> > -lsasl2 -L/usr/local/bdb/lib'
> >
> > And I got error during make install.
> >
> > But, when I removed mysql related arguments from the make command,
> > everything worked fine. The make command I used now is,
> > make makefiles 'CCARGS=-DUSE_SASL_AUTH -I/usr/local/include/sasl
> > -I/usr/local/bdb/include' 'AUXLIBS=-lz -lm -L/usr/local/lib -lsasl2
> > -L/usr/local/bdb/lib'
> >
> > I am still not getting what the problem is. I am using the correct library
> > path /usr/local/mysql/lib/mysql in the command which contains the file
> > libmysqlclient.so.16
>
> Don't confuse the "-L" flag which enables the linker to find the library
> at compile-time, with the compiler-dependent flags that enable the
> run-time shared-library linker to find the library at run-time.
>
> Add appropriate AUXLIBS flags to add the mysql library to the run-time
> library path.
>
> --
>Viktor.


dovecot sasl build problem

2009-02-01 Thread rpyne
I am having trouble compiling postfix (2.5.6) with dovecot sasl 
support. I get:

gcc -DHAS_MYSQL -I/usr/include/mysql -DHAS_PGSQL -I/usr/include/pgsql
-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE="dovecot" -DUSE_TLS
-I/usr/include/openssl -DHAS_PCRE  -g -march=pentium3 -O2
-march=pentium3 -I. -I../../include -DLINUX2 -c smtpd.c
smtpd.c: In function 'main':
smtpd.c:4789: error: 'dovecot' undeclared (first use in this function)
smtpd.c:4789: error: (Each undeclared identifier is reported only once
smtpd.c:4789: error: for each function it appears in.)


Thanks in advance for any help.

--Richard