Re: Postoffice with virtual mailbox and a Maildrop issue

2009-03-07 Thread Rocco Scappatura
Thanks Magnus,

>> append_at_myorigin = no

deleted.

>> I have the problem that mail destined to local virtual mailbox is not
>> delivered locally, even if all lookups successfully confirm that the
>> message has to be delivered locally:
>
> So what does happen to the messages?

At the moment, I'm configuring the platform, so the messages try to go
to the mail server pointed out by the MX for the domain "receiver.tld":

Mar  7 10:06:01 mail1 postfix/smtpd[14046]: connect from
gw.tld[xxx.yyy.zzz.uuu]
Mar  7 10:06:01 mail1 postfix/smtpd[14046]: EF43674001:
client=gw.tld[xxx.yyy.zzz.uuu]
Mar  7 10:06:01 mail1 postfix/cleanup[14049]: EF43674001:
message-id=<362aba71262c41a898506470939c1...@stt.loc>
Mar  7 10:06:02 mail1 postfix/smtpd[14046]: disconnect from
gw.tld[xxx.yyy.zzz.uuu]
Mar  7 10:06:02 mail1 postfix/qmgr[13967]: EF43674001:
from=, size=2893, nrcpt=1 (queue active)
Mar  7 10:06:02 mail1 postfix/pickup[13966]: 2A6A174002: uid=7011
from=
Mar  7 10:06:02 mail1 postfix/cleanup[14049]: 2A6A174002:
message-id=<362aba71262c41a898506470939c1...@stt.loc>
Mar  7 10:06:02 mail1 postfix/pipe[14050]: EF43674001:
to=, relay=filter, delay=0.2, delays=0.04/0/0/0.16,
dsn=2.0.0, status=sent (delivered via filter service)
Mar  7 10:06:02 mail1 postfix/qmgr[13967]: EF43674001: removed
Mar  7 10:06:02 mail1 postfix/qmgr[13967]: 2A6A174002:
from=, size=3006, nrcpt=1 (queue active)
Mar  7 10:06:05 mail1 postfix/smtp[14061]: connect to
mx1.for.domain.tld[xxx1.yyy.zzz.uuu]:25: No route to host
Mar  7 10:06:08 mail1 postfix/smtp[14061]: connect to
mx2.for.domain.tld[xxx2.yyy.zzz.uuu]:25: No route to host
Mar  7 10:06:08 mail1 postfix/smtp[14061]: 2A6A174002:
to=, relay=none, delay=6.1, delays=0.08/0/6/0, dsn=4.4.1,
status=deferred (connect to mx1.for.domain.tld[xxx1.yyy.zzz.uuu]:25: No
route to host)

Indeed, I'm using a vacation filter too. But, as there is no vacation
configured for recipient r...@domain.tld, the message should be delivered
in (local) virtual mailbox after vacation filter. Instead, I suspect that
the DNS is looked up and the message is tried to be delivered to the
responsible MX for domain "domain.tld" (mx1.for.domain.tld and
mx2.for.domain.tld, which are not reachable from the network on which I am
setting up the postoffice).

Why is the message not delivered immediately to the virtual mailbox after
vacation filter?

>> # postmap -q  t...@receiver.tld
>> proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
>> receiver.tld
>
> virtual_mailbox_domains is looked up with the domain name as the key,
> not the email address. Show the output from the right command.

# postmap -q domain.tld proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
#

:-(

But:

# cat /etc/postfix/mysql-virtual-domain.cf
.
.
query = select domain from domain where domain = '%d' and active = 1

returns correctly:

+------------+
| domain     |
+------------+
| domain.tld |
+------------+

mmmhhh!?!?!?

rocsca



Re: Postoffice with virtual mailbox and a Maildrop issue

2009-03-07 Thread mouss
Rocco Scappatura wrote:
> [snip]
> Why is the message not delivered immediately to the virtual mailbox after
> vacation filter?
> 

because the domain is not listed as a virtual mailbox domain

>>> # postmap -q  t...@receiver.tld
>>> proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
>>> receiver.tld
>> virtual_mailbox_domains is looked up with the domain name as the key,
>> not the email address. Show the output from the right command.
> 
> # postmap -q domain.tld proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
> #
> 
> :-(
> 
> But:
> 
> # cat /etc/postfix/mysql-virtual-domain.cf
> .
> .
> query = select domain from domain where domain = '%d' and active = 1
> 
> returns correctly:
>
> +------------+
> | domain     |
> +------------+
> | domain.tld |
> +------------+
> 
> mmmhhh!?!?!?

you'll need to make sure you run the right sql queries when testing and
that your .cf has the right hosts, user, ... etc.
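
Added example (not part of the thread): a simplified Python model of the %s/%u/%d key expansion documented in mysql_table(5), run against a constructed in-memory SQLite table that stands in for the poster's "domain" table. It shows why a query written with '%d' answers for an address key but is suppressed for a bare domain key, the form virtual_mailbox_domains uses, which is consistent with the empty postmap -q result quoted above. The quoting helper, the KEY_QUERY variant and the sample row are assumptions made for the illustration.

```python
import sqlite3

# Query as shown on the page, and the same query keyed on the whole lookup key.
PAGE_QUERY = "select domain from domain where domain = '%d' and active = 1"
KEY_QUERY = "select domain from domain where domain = '%s' and active = 1"


def sql_quote(value):
    # Simplified stand-in for the database driver's escaping (assumption).
    return value.replace("'", "''")


def expand_query(template, key):
    """Expand %s, %u, %d and %% following the rules in mysql_table(5).

    Returns the SQL text, or None when the lookup is suppressed:
      %d with a key that is not user@domain, or %u with an empty local part.
    """
    local, sep, domain = key.rpartition("@")
    is_address = bool(sep)
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%" or i + 1 == len(template):
            out.append(ch)
            i += 1
            continue
        code = template[i + 1]
        i += 2
        if code == "%":
            out.append("%")
        elif code == "s":
            out.append(sql_quote(key))
        elif code == "u":
            if is_address:
                if not local:
                    return None  # empty local part: query suppressed
                out.append(sql_quote(local))
            else:
                out.append(sql_quote(key))  # not an address: whole key
        elif code == "d":
            if not is_address:
                return None  # bare domain key: query suppressed
            out.append(sql_quote(domain))
        else:
            out.append("%" + code)  # other expansions are not modelled here
    return "".join(out)


def lookup(conn, template, key):
    """Mimic 'postmap -q key': first column of the first row, or None."""
    query = expand_query(template, key)
    if query is None:
        return None
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def make_db():
    # Constructed sample data: one active domain, as in the page's SQL output.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domain (domain TEXT, active INTEGER)")
    conn.execute("INSERT INTO domain VALUES ('domain.tld', 1)")
    return conn


if __name__ == "__main__":
    db = make_db()
    for template in (PAGE_QUERY, KEY_QUERY):
        for key in ("t@domain.tld", "domain.tld"):
            print(template.split("=")[1].split()[0], key, "->",
                  lookup(db, template, key))
```

Running the raw SQL by hand with the domain typed in bypasses the expansion step, so it can succeed while the map lookup still returns nothing.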



Re: restricting who can be sent to.

2009-03-07 Thread mouss
Carver Banks wrote:
> Or so I thought..., that did restrict all mail to the internal recipients as
> well.
>
> I need anyone in mydomain.com to be able to email anyone in mydomain.local,
> but I need users on mydomain.local to only be allowed to email a few people
> in mydomain.com, and none of the other members of mydomain.local.
> 

then you need to read the first part of Noel's post: the part about
restriction classes (follow the link and read).

if what you want is:
- sender from allowed.example can send anywhere
- nobody else should be able to send to restricted.example

then you can do it with:


If you use this, please do not interchange "sender" and "recipient". In
particular, this is to be used under smtpd_SENDER_restrictions.


smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/allowed_sender
  check_recipient_access hash:/etc/postfix/restricted_recipient

== restricted_recipient
local.example   recipient_restricted

== allowed_sender
allowed.example OK


If the config you're trying to setup is different, then you'll have to
spend some time so that you can describe it precisely and clearly. (This
isn't really the place for requirement elicitation ;-p)


> I think postfix may not be able to accomplish what I desire, if I am wrong 
> please correct me.
> 



Re: restricting who can be sent to.

2009-03-07 Thread mouss
mouss wrote:
> Carver Banks wrote:
>> Or so I thought..., that did restrict all mail to the internal recipients as
>> well.
>>
>> I need anyone in mydomain.com to be able to email anyone in mydomain.local,
>> but I need users on mydomain.local to only be allowed to email a few people
>> in mydomain.com, and none of the other members of mydomain.local.
>>
>
> then you need to read the first part of Noel's post: the part about
> restriction classes (follow the link and read).
> 
> if what you want is:
> - sender from allowed.example can send anywhere
> - nobody else should be able to send to restricted.example
> 
> then you can do it with:
> 
> 
> If you use this, please do not interchange "sender" and "recipient". In
> particular, this is to be used under smtpd_SENDER_restrictions.
> 
> 
> smtpd_sender_restrictions =
>   check_sender_access hash:/etc/postfix/allowed_sender
>   check_recipient_access hash:/etc/postfix/restricted_recipient
> 
> == restricted_recipient
> local.example recipient_restricted

this should be

local.example   REJECT you are not allowed blah blah

> 
> == allowed_sender
> allowed.example   OK
> 
> 
> If the config you're trying to setup is different, then you'll have to
> spend some time so that you can describe it precisely and clearly. (This
> isn't really the place for requirement elicitation ;-p)
> 
> 
>> I think postfix may not be able to accomplish what I desire, if I am wrong 
>> please correct me.
>>
> 



Re: postconf -n suggestion

2009-03-07 Thread Andrew J. Caines
Wietse Venema wrote:
> Making trouble reports easier requires a saslfinger-like tool that
> captures info about Postfix, the OS, build options, etc.

While not updated in a few years, postfinger[1] does a fair job of this.


[1] ftp://ftp.wl0.org/ftp.wl0.org/postfinger/

-- 
-Andrew J. Caines-   Unix Systems Engineer   a.j.cai...@halplant.com
FreeBSD/Linux/Solaris, Web/Mail/Proxy/...   http://halplant.com:2001/
  "Machines take me by surprise with great frequency" - Alan Turing


Force authentication for own domains

2009-03-07 Thread Francisco M. Marzoa Alonso
Hello,

I've a postfix server which uses SASL + Mysql for authentication, my own
domains are mostly listed in a mysql table on that database. It's working
fine enough, but I want to make it a bit more restrictive. At current
time its behaviour about sending mail is as follows:

FROM external domains TO my own domains -> accept
FROM my own domains TO my own domains -> accept
FROM my own domains TO external domains -> requires authentication
FROM external domains TO external domains -> reject

What I want to do is that it also requires authentication when sending
from my own domains TO my own domains. What is the best way to do that?

Thanks a lot in advance,






Re: Force authentication for own domains

2009-03-07 Thread Magnus Bäck
On Saturday, March 07, 2009 at 13:40 CET,
 "Francisco M. Marzoa Alonso"  wrote:

> I've a postfix server which uses SASL + Mysql for authentication, my
> own domains are mostly listed in a mysql table on that database. It's
> working fine enough, but I want to make it a bit more restrictive. At
> current time its behaviour about sending mail is as follows:
> 
> FROM external domains TO my own domains -> accept
> FROM my own domains TO my own domains -> accept
> FROM my own domains TO external domains -> requires authentication
> FROM external domains TO external domains -> reject
> 
> What I want to do is that it also requires authentication when sending
> from my own domains TO my own domains. What is the best way to do that?

main.cf:
smtpd_sender_restrictions = check_sender_access hash:/path/to/file

/path/to/file:
example.com permit_sasl_authenticated, reject

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Plus addressing not delivering to folder

2009-03-07 Thread mouss
Charles Marcus wrote:
> On 3/6/2009 3:43 PM, LuKreme wrote:
>> On 6-Mar-2009, at 12:27, Charles Marcus wrote:
>>> Hmmm... I'm now wondering if ${extension} can somehow be used with the
>>> virtual_mailbox_maps query to accomplish what I want?
> 
>> Yes, but you need procmail (or, I assume, Maildrop)
> 
> Many thanks for the detail... but with Victor and Wietse's responses, I
> think the 2x4 is no longer needed... :)
> 
> Procmail is not a beast I want to unleash on my server, so, since the
> conversion to dovecot is probably not far away (I'm waiting for 1.2),
> I'll just wait for that...
> 

given a list of users (which you have) and a list of acceptable
extensions, you can build a list of user+extens...@domain and use it.

if all extensions are acceptable (not very recommended), you can build a
pcre list. something like

/^joe+([a-z]{1,2...@example\.com$/
/blah/blah/example.com/joe/maildir/.$1/

adjust the path to match your imap server conventions.

PS. if using mysql or the like, these "lists" can be generated on the fly.



bcc for email archiving

2009-03-07 Thread KLaM Postmaster
I am currently using "always_bcc" to archive email for the group I work
with, I am not sure that we need an archive, but that's not my call.
The bcc option is attached to the "cleanup" service in master.cf

cleanup unix    n    -    n    -    0    cleanup
..
  -o always_bcc=archi...@example.com


two questions.
is there a better way of creating an archive?
is there a way of using plus addressing in order to break the archive
into manageable chunks, something like archives+...@example.com?

TIA
JLA




Re: Plus addressing not delivering to folder

2009-03-07 Thread Charles Marcus
On 3/7/2009, mouss (mo...@ml.netoyen.net) wrote:
> if all extensions are acceptable (not very recommended),

Ok, this caught my attention...

Yes, I was planning on allowing any extension to be used/made up on the
fly... the purpose for using the extension will be for signing up for
different sites/lists/things, so I can use the same address, but be able
to distinguish mail that comes to me via that service...

I just don't want to have to create the alias before I use it...

So, is there maybe some kind of regex that could be used to make this
safer? Ie, only allow safe characters, or something?

Thanks mouss,

-- 

Best regards,

Charles


Re: Force authentication for own domains

2009-03-07 Thread Francisco M. Marzoa Alonso
Hello Magnus,

Thanks a lot. I saw that solution before searching on Internet, but I
would like something that gets my domains directly from my domain table
on my Mysql database instead of putting all domains in a new file.

Is there maybe any manner of using a database table within "hash:..." instead of
a file?

Thank you very much,


Magnus Bäck wrote:
> On Saturday, March 07, 2009 at 13:40 CET,
>  "Francisco M. Marzoa Alonso"  wrote:
>
>
>> I've a postfix server which uses SASL + Mysql for authentication, my
>> own domains are mostly listed in a mysql table on that database. It's
>> working fine enough, but I want to make it a bit more restrictive. At
>> current time its behaviour about sending mail is as follows:
>>
>> FROM external domains TO my own domains -> accept
>> FROM my own domains TO my own domains -> accept
>> FROM my own domains TO external domains -> requires authentication
>> FROM external domains TO external domains -> reject
>>
>> What I want to do is that it also requires authentication when sending
>> from my own domains TO my own domains. What is the best way to do that?
>> 
>
> main.cf:
> smtpd_sender_restrictions = check_sender_access hash:/path/to/file
>
> /path/to/file:
> example.com permit_sasl_authenticated, reject
>
>   



Re: Force authentication for own domains

2009-03-07 Thread Francisco M. Marzoa Alonso
I did try with this:

smtpd_sender_restrictions = check_sender_access
proxy:mysql:/etc/postfix/mysql-virtual_domains.cf


That's the domain table configuration file that's working fine on
"virtual_mailbox_domains", but it didn't work for this:

451 4.3.5 Server configuration error



Francisco M. Marzoa Alonso wrote:
> Hello Magnus,
>
> Thanks a lot. I saw that solution before searching on Internet, but I
> would like something that gets my domains directly from my domain table
> on my Mysql database instead of putting all domains in a new file.
>
> Is there maybe any manner of using a database table within "hash:..." instead of
> a file?
>
> Thank you very much,
>
>
> Magnus Bäck wrote:
>
>> On Saturday, March 07, 2009 at 13:40 CET,
>>  "Francisco M. Marzoa Alonso"  wrote:
>>
>>
>>
>>> I've a postfix server which uses SASL + Mysql for authentication, my
>>> own domains are mostly listed in a mysql table on that database. It's
>>> working fine enough, but I want to make it a bit more restrictive. At
>>> current time its behaviour about sending mail is as follows:
>>>
>>> FROM external domains TO my own domains -> accept
>>> FROM my own domains TO my own domains -> accept
>>> FROM my own domains TO external domains -> requires authentication
>>> FROM external domains TO external domains -> reject
>>>
>>> What I want to do is that it also requires authentication when sending
>>> from my own domains TO my own domains. What is the best way to do that?
>>> 
>>>   
>> main.cf:
>> smtpd_sender_restrictions = check_sender_access hash:/path/to/file
>>
>> /path/to/file:
>> example.com permit_sasl_authenticated, reject
>>
>>   
>> 
>
>
>   



Re: bcc for email archiving

2009-03-07 Thread Jose Ildefonso Camargo Tolosa
Hi!

I use to use assp along with postfix, and I do the archiving
configuration on ASSP, so that I can have separate SPAM and NOTSPAM
archives.

Anyway, I use Maildir format, and run a script that deletes messages
older than 15 days, but I believe that a similar script can be used
for moving/compressing old messages.  I just use the find command to
do the searching, I use the -atime command, because messages that are
"read" on the archive are given a longer "live time", but if you just
care about when the file was modified, you could use -mtime.

I hope this helps,

Ildefonso Camargo

On Sun, Mar 8, 2009 at 10:09 AM, KLaM Postmaster  wrote:
> I am currently using "always_bcc" to archive email for the group I work
> with, I am not sure that we need an archive, but that's not my call.
> The bcc option is attached to the "cleanup" service in master.cf
>
> cleanup unix    n    -    n    -    0    cleanup
> ..
>  -o always_bcc=archi...@example.com
>
>
> two questions.
> is there a better way of creating an archive?
> is there a way of using plus addressing in order to break the archive
> into manageable chunks, something like archives+...@example.com?
>
> TIA
> JLA
>
>
>


Re: Plus addressing not delivering to folder

2009-03-07 Thread Noel Jones

Charles Marcus wrote:
> On 3/7/2009, mouss (mo...@ml.netoyen.net) wrote:
>> if all extensions are acceptable (not very recommended),
>
> Ok, this caught my attention...
>
> Yes, I was planning on allowing any extension to be used/made up on the
> fly... the purpose for using the extension will be for signing up for
> different sites/lists/things, so I can use the same address, but be able
> to distinguish mail that comes to me via that service...
>
> I just don't want to have to create the alias before I use it...
>
> So, is there maybe some kind of regex that could be used to make this
> safer? Ie, only allow safe characters, or something?
>
> Thanks mouss,



Postfix does not allow $1 etc. substitution in 
virtual_mailbox_maps.

http://www.postfix.org/postconf.5.html#virtual_mailbox_maps

Postfix virtual(8) will accept any extension, but will always 
deliver unmatched extensions to the user's default inbox.


Some third-party IMAP servers may support "deliver to any 
extension subfolder", I haven't looked.



  -- Noel Jones


Re: Plus addressing not delivering to folder

2009-03-07 Thread Charles Marcus
On 3/7/2009, Noel Jones (njo...@megan.vbhcs.org) wrote:
> Some third-party IMAP servers may support "deliver to any extension
> subfolder", I haven't looked.

They do... both cyrus and dovecot, and I think courier maildrop does as
well...

Since I'm going to be converting to dovecot soon, I'll be using its LDA...

Thanks again for the responses and leading me to the watering hole... :)

-- 

Best regards,

Charles


Re: Force authentication for own domains

2009-03-07 Thread Noel Jones

Francisco M. Marzoa Alonso wrote:
> I did try with this:
>
> smtpd_sender_restrictions = check_sender_access
> proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
>
> That's the domain table configuration file that's working fine on
> "virtual_mailbox_domains", but it didn't work for this:
>
> 451 4.3.5 Server configuration error


Please don't top post.

Make a copy of your mysql-virtual_domains.cf with a 
result_format appropriate for your check_sender_access map.

i.e. result_format = permit_sasl_authenticated, reject

  -- Noel Jones


Remove header for non-local delivery (was: Do not include...)

2009-03-07 Thread Til Schubbe
* On 05.03. Noel Jones muttered:

> The solution is to define an alternate cleanup service for "submission",
> and then define alternate header_checks for that cleanup

I have a similar problem like the OP: I want to delete a header only
if a mail is delivered non-locally.

So I tried to tell smtp to use another cleanup service, but the
header is still not stripped off:


/etc/postfix/master.cf:
smtp      unix  -       -       -       -       -       smtp
  -o cleanup_service_name=cleanup_out
cleanup_out  unix   n   -   -   -   0 cleanup
  -o header_checks=pcre:/etc/postfix/header_checks

/etc/postfix/header_checks:
/^X-Test:/ IGNORE


I called postmap header_checks and postfix reload. I left main.cf
unchanged.

What should I do to get rid of the header in non-local mails?

Thanks!

Til


Re: Remove header for non-local delivery (was: Do not include...)

2009-03-07 Thread Noel Jones

Til Schubbe wrote:
> * On 05.03. Noel Jones muttered:
>
>> The solution is to define an alternate cleanup service for "submission",
>> and then define alternate header_checks for that cleanup
>
> I have a similar problem like the OP: I want to delete a header only
> if a mail is delivered non-locally.
>
> So I tried to tell smtp to use another cleanup service, but the
> header is still not stripped off:
>
> /etc/postfix/master.cf:
> smtp      unix  -       -       -       -       -       smtp
>   -o cleanup_service_name=cleanup_out
> cleanup_out  unix   n   -   -   -   0 cleanup
>   -o header_checks=pcre:/etc/postfix/header_checks


Wrong tool.  Cleanup processes on input, not output.

http://www.postfix.org/postconf.5.html#smtp_header_checks
This feature is available in postfix 2.5 and later.

  -- Noel Jones


Re: Plus addressing not delivering to folder

2009-03-07 Thread Victor Duchovni
On Sat, Mar 07, 2009 at 10:44:54AM -0500, Charles Marcus wrote:

> On 3/7/2009, Noel Jones (njo...@megan.vbhcs.org) wrote:
> > Some third-party IMAP servers may support "deliver to any extension
> > subfolder", I haven't looked.
> 
> They do... both cyrus and dovecot, and I think courier maildrop does as
> well...

With Cyrus IMAP, delivery to "+folder" depends on the folder's access
control list and the identity of the agent doing the delivery. Allowing
mail to arrive in every folder (Sent, Trash, ...) is not always a good
idea.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: bcc for email archiving

2009-03-07 Thread Victor Duchovni
On Sat, Mar 07, 2009 at 09:39:16AM -0500, KLaM Postmaster wrote:

> I am currently using "always_bcc" to archive email for the group I work
> with, I am not sure that we need an archive, but that's not my call.
> The bcc option is attached to the "cleanup" service in master.cf
>
> cleanup unix    n    -    n    -    0    cleanup
> ..
>   -o always_bcc=archi...@example.com
> 
> 
> two questions.
> is there a better way of creating an archive?

Yes, your archive does not record envelope recipients, only headers.
Suggestions using recipient_bcc_maps are in the archives of this list.

> is there a way of using plus addressing in order to break the archive
> into manageable chunks, something like archives+...@example.com?

You should be using a maildir. If you want multiple maildirs, you can
use $process_id to split deliveries over multiple maildir directories.

archive unix ... virtual
    -o virtual_mailbox_base=/var/spool/archive
    -o virtual_mailbox_maps=static:$process_id/

then route mail for the archive user to the archive transport.

-- 
Viktor.



Re: Plus addressing not delivering to folder

2009-03-07 Thread LuKreme

On 7-Mar-2009, at 08:11, Charles Marcus wrote:
> On 3/7/2009, mouss (mo...@ml.netoyen.net) wrote:
>> if all extensions are acceptable (not very recommended),
>
> Ok, this caught my attention...
>
> Yes, I was planning on allowing any extension to be used/made up on the
> fly... the purpose for using the extension will be for signing up for
> different sites/lists/things, so I can use the same address, but be able
> to distinguish mail that comes to me via that service...


Yep, that's what I do, and I've yet to hear a valid security concern
other than "user could create a lot of folders in their Maildir".


It's very easy to do in /etc/procmailrc though

:0
* ! ? test -f $HOME/.procmailrc
{
  ARG=$1
  LOG="User has no procmailrc logname=$logn...@$host HOME=$HOME$NL"
  :0 fw
  | /usr/local/bin/spamc -u $LOGNAME

  DROPPRIVS=YES
  DEFAULT=$HOME/Maildir

  :0
  * ! ARG
  .$ARG/

  :0
  * ^X-Spam-Status:(.*\<)?Yes
  .SPAM/

  :0
  $DEFAULT/
}
LOG="User $logn...@$host has a .procmailrc, processing...$NL"

If the user does not have a .procmailrc, get the extension and save it
in ARG, check the message against SA, and then, if there was an
extension, save the file in that folder.  If the message is spam,
save it in .SPAM, else save it in DEFAULT. (Some people will want to
put the spamcheck BEFORE the ARG check.)



> So, is there maybe some kind of regex that could be used to make this
> safer? Ie, only allow safe characters, or something?

What unsafe characters are allowed in a username portion of the email
address?



--
if you ever get that chimp of your back, if you ever find the thing
you lack, ah but you know you're only having a laugh.  Oh, oh
here we go again -- until the end.



Re: Plus addressing not delivering to folder

2009-03-07 Thread LuKreme

On 7-Mar-2009, at 08:39, Noel Jones wrote:
> Postfix does not allow $1 etc. substitution in virtual_mailbox_maps.
> http://www.postfix.org/postconf.5.html#virtual_mailbox_maps


It is pretty easy to set up a procmail transport to be used by postfix:

procmail  unix  -   n   n   -   -   pipe
  -o flags=uhFORD user=vpopmail argv=/usr/local/bin/procmail -t -m
  USER=${recipient} EXTENSION=${extension} /usr/local/etc/procmailrc.common


--
if you ever get that chimp of your back, if you ever find the thing
you lack, ah but you know you're only having a laugh.  Oh, oh
here we go again -- until the end.



Re: Force authentication for own domains

2009-03-07 Thread mouss
Magnus Bäck wrote:
> On Saturday, March 07, 2009 at 13:40 CET,
>  "Francisco M. Marzoa Alonso"  wrote:
>
>> I've a postfix server which uses SASL + Mysql for authentication, my
>> own domains are mostly listed in a mysql table on that database. It's
>> working fine enough, but I want to make it a bit more restrictive. At
>> current time its behaviour about sending mail is as follows:
>>
>> FROM external domains TO my own domains -> accept
>> FROM my own domains TO my own domains -> accept
>> FROM my own domains TO external domains -> requires authentication
>> FROM external domains TO external domains -> reject
>>
>> What I want to do is that it also requires authentication when sending
>> from my own domains TO my own domains. What is the best way to do that?
> 
> main.cf:
> smtpd_sender_restrictions = check_sender_access hash:/path/to/file
> 
> /path/to/file:
> example.com permit_sasl_authenticated, reject
> 

most examples you'll see here use hash. you can use whatever db type.
you can use 'postmap -q' to test your map.

in this particular case, you can create a Access_Sender table, and use
something like

query = select action from Access_Sender where '%s' = email;

this will allow you to define actions per sender (full address or domain).


Re: Plus addressing not delivering to folder

2009-03-07 Thread mouss
Noel Jones wrote:
> Charles Marcus wrote:
>> On 3/7/2009, mouss (mo...@ml.netoyen.net) wrote:
>>> if all extensions are acceptable (not very recommended),
>>
>> Ok, this caught my attention...
>>
>> Yes, I was planning on allowing any extension to be used/made up on the
>> fly... the purpose for using the extension will be for signing up for
>> different sites/lists/things, so I can use the same address, but be able
>> to distinguish mail that comes to me via that service...
>>
>> I just don't want to have to create the alias before I use it...
>>
>> So, is there maybe some kind of regex that could be used to make this
>> safer? Ie, only allow safe characters, or something?
>>
>> Thanks mouss,
>>
> 
> Postfix does not allow $1 etc. substitution in virtual_mailbox_maps.
> http://www.postfix.org/postconf.5.html#virtual_mailbox_maps
> 

sigh. I always forget that. but mysql comes to the rescue...

> Postfix virtual(8) will accept any extension, but will always deliver
> unmatched extensions to the user's default inbox.
> 
> Some third-party IMAP servers may support "deliver to any extension
> subfolder", I haven't looked.
> 
> 
>   -- Noel Jones



Re: Variables for addresses in master.cf

2009-03-07 Thread mouss
Wietse Venema wrote:
> Daniel L. Miller:
>> Does Postfix support variables (I suppose defined in main.cf) to be used 
>> for internet addresses in master.cf?  Example:
>>
>> main.cf:
>> inbound_interface = 192.168.0.10
>> outbound_interface = 192.168.0.11
>>
>> master.cf:
>> inbound_interface:25   inet n - - - - smtpd
>> outbound_interface:submission   inet n - - - - smtpd
> 
> Currently, you can have main.cf variables only where Postfix daemon
> processes expect to find them, that is, on the daemon process
> command line.
> 
> man 5 master
> 
>   Wietse


BTW, is there any reason why one can't do

joepipe ... pipe
flags=${joe_flags}
user=${joe_user}
args=${joe_command} ${joe_options}

?



Re: root delivery for monitoring services

2009-03-07 Thread mouss
Cameron Camp wrote:
> I have monitoring applications on boxes on the same subnet as a box I
> want to use for mailing list notification using Postfix/mailman to
> notify several users. An example is some box throwing an snmp trap,
> where a notification would try to send to notification_l...@example.com
> so several people would know. Right now that e-mail would be seen to be
> coming from r...@the_monitor_node_box_name, which won't deliver.

that's the problem to fix.

if some remote server rejects the sender address, you should try to
configure the remote server not to do so. if you can't, use
smtp_generic_maps to rewrite the sender.

> What
> are best practices for this? I would only ever have about 15 boxes
> reporting. Sorry if this has been already covered.

Use a specific IP or port, and on this IP or port, accept all mail. the
sender address is irrelevant in this case.

note that a lot of cron jobs are run as $service user, and will send as
such. if this user doesn't exist on the mail hub, you risk rejecting
mail from cron related jobs. so don't use reject_unlisted_sender for
mail coming out of your own systems.


PS. why do we see that many @cloud9.net instead of @postfix.org mail?


Re: Plus addressing not delivering to folder

2009-03-07 Thread Charles Marcus
On 3/7/2009 1:45 PM, LuKreme wrote:
>> Yes, I was planning on allowing any extension to be used/made up on
>> the fly... the purpose for using the extension will be for signing
>> up for different sites/lists/things, so I can use the same address,
>> but be able to distinguish mail that comes to me via that
>> service...

> Yep, that's what I do, and I've yet to hear a valid security concern
> other than "user could create a lot of folders in their Maildir".



> It is pretty easy to set up a procmail transport to be used by postfix:
> 
> procmail  unix  -   n   n   -   -   pipe
>   -o flags=uhFORD user=vpopmail argv=/usr/local/bin/procmail -t -m
> USER=${recipient} EXTENSION=${extension} /usr/local/etc/procmailrc.common

Ok, I'm intrigued... if it is this simple, maybe I'll go ahead and do
it, but...

As I said in an earlier mail, I do NOT want the folder auto-created - if
it doesn't exist, I want the message delivery to fall back to the Inbox...

Is there a way to tweak the above to accomplish this?

Thanks!

-- 

Best regards,

Charles


Re: Plus addressing not delivering to folder

2009-03-07 Thread LuKreme

On 7-Mar-2009, at 12:13, Charles Marcus wrote:
> As I said in an earlier mail, I do NOT want the folder auto-created - if
> it doesn't exist, I want the message delivery to fall back to the Inbox...
>
> Is there a way to tweak the above to accomplish this?


Sure, you can do most anything in procmail.  Let me see, something
like this:


ARG=$1

# If the folder .$ARG does not exist, deliver to $DEFAULT
:0
* ! ? test -d .$ARG
$DEFAULT

# Otherwise deliver to the existing folder
:0E
.$ARG/

(if the directory .$ARG does not exist, save in $DEFAULT, else save in
.$ARG/)



--
if you ever get that chimp of your back, if you ever find the thing
you lack, ah but you know you're only having a laugh.  Oh, oh
here we go again -- until the end.
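
The "deliver to the folder only if it already exists, otherwise fall back to the Inbox" rule from the message above, as an added shell example that is not part of the original post. It assumes a Maildir++ layout (folder "lists" is the directory "<maildir>/.lists"); the function name `resolve_folder`, the character allow-list and the 64-character limit are choices made for this example.

```shell
#!/bin/sh
# Added example: pick the delivery target for a plus-address extension.
# Assumption: Maildir++ layout, i.e. folder "lists" lives in "$maildir/.lists".

# resolve_folder MAILDIR EXTENSION
# Prints the Maildir path to deliver into. Never creates anything.
resolve_folder() {
    maildir=$1
    ext=$2
    inbox="$maildir/"

    # No extension: plain address, deliver to the Inbox.
    [ -n "$ext" ] || { printf '%s\n' "$inbox"; return 0; }

    # Arbitrary length limit chosen for this example.
    [ "${#ext}" -le 64 ] || { printf '%s\n' "$inbox"; return 0; }

    # The extension is chosen by whoever sends the mail, so treat it as
    # untrusted input: allow only letters, digits, '_' and '-'. This keeps
    # '/', '..' and whitespace out of the path that is built below.
    case $ext in
        *[!A-Za-z0-9_-]*) printf '%s\n' "$inbox"; return 0 ;;
    esac

    # Use the folder only if it already exists and looks like a Maildir;
    # a missing folder means Inbox, not auto-creation.
    folder="$maildir/.$ext"
    if [ -d "$folder/new" ] && [ -d "$folder/cur" ] && [ -d "$folder/tmp" ]; then
        printf '%s\n' "$folder/"
    else
        printf '%s\n' "$inbox"
    fi
}
```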



Re: Variables for addresses in master.cf

2009-03-07 Thread Victor Duchovni
On Sat, Mar 07, 2009 at 07:51:13PM +0100, mouss wrote:

> BTW, is there any reason why one can't do
> 
> joepipe ... pipe
>   flags=${joe_flags}
>   user=${joe_user}
>   args=${joe_command} ${joe_options}

The reason is that these arguments are not and should not be subject to
main.cf macro substitution.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: postconf -n suggestion

2009-03-07 Thread Simon J Mudd
a.j.cai...@halplant.com ("Andrew J. Caines") writes:

> Wietse Venema wrote:
> > Making trouble reports easier requires a saslfinger-like tool that
> > captures info about Postfix, the OS, build options, etc.
> 
> While not updated in a few years, postfinger[1] does a fair job of this.
> 
> 
> [1] ftp://ftp.wl0.org/ftp.wl0.org/postfinger/

I don't follow postfix-users now as much as I used to. If there are 
improvements that can be made to postfinger I'll certainly add them.

Simon


Re: Force authentication for own domains

2009-03-07 Thread Francisco M. Marzoa Alonso
mouss wrote:
> most examples you'll see here use hash. you can use whatever db type.
> you can use 'postmap -q' to test your map.
>
> in this particular case, you can create a Access_Sender table, and use
> something like
>
> query = select action from Access_Sender where '%s' = email;
>
> this will allow you to define actions per sender (full address or domain).
>
>   
Sounds very interesting, thanks. I'll take a deeper look at the Postfix
documentation about mapping to MySQL tables.





Accepting sender with MX _only_

2009-03-07 Thread Halassy Zoltán

Hello!

I don't need to say that if your server is popular, you'll get dozens of
spam messages too. Lately I have been getting random mails from
www-d...@www.some.hackedsite.com . I am using address verification, so
they usually do not come in, because port 25 is not open on
www.some.hackedsite.com (no MX record on www, so falling back to A, says
the RFC). But since they come from a foreign mail queue, they show up
many times in my log (an annoyingly huge amount), hence "a temporary
error in address verification", which gives a 450 code.


So, is there a way (other than modifying the Postfix source code) to drop
mails when there are no MX records associated with the right-hand side
of the '@' (the sender's e-mail domain)? (I don't care about the A record;
spam has nothing to do with RFCs, and a sane e-mail domain has an MX
record anyway.)






Re: Variables for addresses in master.cf

2009-03-07 Thread mouss
Victor Duchovni wrote:
> On Sat, Mar 07, 2009 at 07:51:13PM +0100, mouss wrote:
> 
>> BTW, is there any reason why one can't do
>>
>> joepipe ... pipe
>>  flags=${joe_flags}
>>  user=${joe_user}
>>  args=${joe_command} ${joe_options}
> 
> The reason is that these arguments are not and should not be subject to
> main.cf macro substitution.
> 

well, the question was why it is so. I mean what is the risk exactly?
after all, one can generate master.cf with a script that takes
definitions from main.cf (or from elsewhere). but I'm sure I'm missing
something. thus the question.


Re: Plus addressing not delivering to folder

2009-03-07 Thread mouss
Charles Marcus wrote:
> On 3/7/2009 1:45 PM, LuKreme wrote:
>>> Yes, I was planning on allowing any extension to be used/made up on
>>> the fly... the purpose for using the extension will be for signing
>>> up for different sites/lists/things, so I can use the same address,
>>> but be able to distinguish mail that comes to me via that
>>> service...
> 
>> Yep, that's what I do, and I've yet to hear a valid security concern
>> other than "user could create a lot of folders in their Maildir."
> 
> 
> 
>> It is pretty easy to set up a procmail transport to be used by postfix:
>>
>> procmail  unix  -   n   n   -   -   pipe
>>   -o flags=uhFORD user=vpopmail argv=/usr/local/bin/procmail -t -m
>> USER=${recipient} EXTENSION=${extension} /usr/local/etc/procmailrc.common
> 
> Ok, I'm intrigued... if it is this simple, maybe I'll go ahead and do
> it, but...
> 
> As I said in an earlier mail, I do NOT want the folder auto-created - if
> it doesn't exist, I want the message delivery to fall back to the Inbox...
> 
> Is there a way to tweak the above to accomplish this?
> 

maildrop won't create folders (except if you explicitly run the command
to do so), so you can use it. and its syntax is less horrible than
procmail.


Re: Accepting sender with MX _only_

2009-03-07 Thread mouss
Halassy Zoltán wrote:
> Hello!
> 
> I don't need to say that if your server is popular, you'll get dozens of
> spam messages too. Lately I have been getting random mails from
> www-d...@www.some.hackedsite.com . I am using address verification, so
> they usually do not come in, because port 25 is not open on
> www.some.hackedsite.com (no MX record on www, so falling back to A, says
> the RFC). But since they come from a foreign mail queue, they show up
> many times in my log (an annoyingly huge amount), hence "a temporary
> error in address verification", which gives a 450 code.
> 

can you show an example?

> So, is there a way (other than modifying the Postfix source code) to drop
> mails when there are no MX records associated with the right-hand side
> of the '@' (the sender's e-mail domain)? (I don't care about the A record;
> spam has nothing to do with RFCs, and a sane e-mail domain has an MX
> record anyway.)
> 

If you insist, you can write a policy server to do that. but I don't
think this would be a good idea. there are more effective ways to combat
spam.


Re: Variables for addresses in master.cf

2009-03-07 Thread Victor Duchovni
On Sun, Mar 08, 2009 at 03:07:16AM +0100, mouss wrote:

> Victor Duchovni wrote:
> > On Sat, Mar 07, 2009 at 07:51:13PM +0100, mouss wrote:
> > 
> >> BTW, is there any reason why one can't do
> >>
> >> joepipe ... pipe
> >>  flags=${joe_flags}
> >>  user=${joe_user}
> >>  args=${joe_command} ${joe_options}
> > 
> > The reason is that these arguments are not and should not be subject to
> > main.cf macro substitution.
> 
> well, the question was why it is so. I mean what is the risk exactly?
> after all, one can generate master.cf with a script that takes
> definitions from main.cf (or from elsewhere). but I'm sure I'm missing
> something. thus the question.

Well, consider the syntax of "args", and think about how main.cf macro
expansion would interact with it.

-- 
Viktor.
