sender IP check

2009-03-09 Thread K bharathan
hi all
on my smtp out i want to put ''reject_rbl_client  zen.spamhaus.org'' since
many local ADSL dynamic ips are in PBL ; is it desirable?
where i can put this? this relay machine does only sending out;
help appreciated


Re: sender IP check

2009-03-09 Thread ram

On Mon, 2009-03-09 at 09:05 +0200, K bharathan wrote:
> hi all
> on my smtp out i want to put ''reject_rbl_client  zen.spamhaus.org''
> since many local ADSL dynamic ips are in PBL ; is it desirable?
> where i can put this? this relay machine does only sending out;
> help appreciated
> 
> 

For outgoing servers, do you do spam checks? You would not be needing
rbl checks IMO?

I assume your server is relaying mail for your clients, else there is
no reason why someone should be checking IP addresses.
The best outgoing policy will be to enable smtp authentication and
implement ratelimits. (And have a bullet-proof TOS with your clients.)

Spamchecks usually may not be necessary unless you are relaying for
untrusted sources.




hold all relayed mail by default

2009-03-09 Thread Costin Guşă
Hello,
I'm using postfix postfix-2.3.3-2 x86 configured for a single domain.
Clients are allowed to relay only after they have performed SMTP AUTH
or if they connect from $mynetworks. (postconf -n posted at
http://pastebin.ca/1356405)

I'd like to mimic M$ Exchange "recall" behaviour for emails sent by
relay-allowed clients.

To accomplish this, I thought of putting all relayed mail into the
'hold' queue by default, then with a cron script to release it
periodically (ex. "ls -lt" and "postsuper -r "), and manually use 'postsuper -d' after instructing users to
call the helpdesk if they want to 'recall' a message they sent.

First thing that comes into mind after reading "man 5 access" is to
modify the "smtpd_sender_restrictions" section in main.cf:

[...]
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/check_sender_access_hash
reject_non_fqdn_sender
reject_unknown_sender_domain

...and in check_sender_access_hash to put:
mynetworks.subnet  HOLD
mydomain.tld   HOLD

What do you think about the above approach? Would there be better alternatives?
Has anyone implemented similar setups? Would the above approach catch
all relayed mail ? Would a "pcre:" table perform better than "hash:"
for this particular purpose ?

Many thanks,
Costin


Re: Accepting sender with MX _only_

2009-03-09 Thread Halassy Zoltán

> can you show an example?


postfix log (my contract forbids to put client data here, so masqueraded 
the real hostnames and IPs):


Mar  6 19:01:41 mail postfix/smtpd[6930]: NOQUEUE: reject: RCPT from 
www.XXX.hu[X.X.X.X]: 450 4.1.7 : Sender address 
rejected: unverified address: connect to www.XXX.hu[X.X.X.X]:25: 
Connection refused; from= 
to= proto=ESMTP helo=


www.XXX.hu is a large webhosting service, lot of webpages running on it, 
some uses contact with our clients, but with valid source e-mail 
addresses. So firewalling out this IP doesn't help.


Some other webpages got hacked or something, but they sending spam.

www.XXX.hu doesn't have an MX record (other clients sending with 
different e-mail domain, and those are on different comp, which 
verifiable). Also, port 25 is not open on www.XXX.hu . I would handle 
this situation with permanent error, not temporary.



> If you insist, you can write a policy server to do that. but I don't
> think this would be a good idea. there are more effective ways to combat
> spam.


Well i am using a lot of spam filtering mechanisms, around 1% of spam 
getting through, and around 0.5% of the valid mails gets false positive. 
I am spending lot of time to monitor log files (several hours a day), 
and i am just searching ways to get rid of some lines, eg. sending 550 
in some situations so the other side gives up trying (and prevents extra 
rows).




Re: Variables for addresses in master.cf

2009-03-09 Thread Charles Marcus
On 3/8/2009, Wietse Venema (wie...@porcupine.org) wrote:
> It is not created with Star Trek transporter beams that materialize a
> complete object all at once.

I am very disappointed. I began using postfix based solely on the
assurance of one person that Star Trek transporter beams could most
assuredly materialize a complete object all at once.

Oh, well, guess I'm off to find some *legitimate* software that can
provide a reasonable level of Star Trek transporter beam functionality.

-- 

Best regards,

Charles


RE: Postoffice with virtual mailbox and a Maildrop issue

2009-03-09 Thread Rocco Scappatura
Thanks mouss,
 
> Rocco Scappatura wrote:
> > [snip]
> > Why the message is not delivered immediately to the virtual mailbox
> after
> > vacation filter?
> >
> 
> because the domain is not listed as a virtual mailbox domain

At first glance, I should say as above too, but I swear that the query is 
exactly the one I have reported.
  
> >>> # postmap -q  t...@receiver.tld
> >>> proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
> >>> receiver.tld
> >> virtual_mailbox_domains is looked up with the domain name as the
> key,
> >> not the email address. Show the output from the right command.
> >
> > # postmap -q domain.tld proxy:mysql:/etc/postfix/mysql-virtual-
> domain.cf
> > #
> >
> > :-(
> >
> > But:
> >
> > # cat /etc/postfix/mysql-virtual-domain.cf
> > .
> > .
> > query = select domain from domain where domain = '%d' and active = 1
> >
> > return me correctly:
> >
> > +------------+
> > | domain     |
> > +------------+
> > | domain.tld |
> > +------------+
> >
> > mmmhhh!?!?!?
> 
> you'll need to make sure you run the right sql queries when testing and
> that your .cf has the right hosts, user, ... etc.

Also the db configuration parameters in postfix configuration files are correct..

What do you suggest I check?

PS: I have tried also to check maildrop:

mail1:~ # maildrop -V9 -d t...@receiver.tld
maildrop: authlib: groupid=1021
maildrop: authlib: userid=1021
maildrop: authlib: logname= t...@receiver.tld, home=/home/virtual/, mail= 
receiver.tld /t...@receiver.tld/
maildrop: Changing to /home/virtual/
Message start at 0 bytes, envelope send...@receiver.tld
Tokenized logfile
Tokenized string: "/var/log/maildrop.log"
Tokenized ;
Tokenized string: "$HOME/$DEFAULT"
Tokenized ;
Tokenized exception
Tokenized {
Tokenized ;
Tokenized string: "TO"
Tokenized string: "$HOME$DEFAULT"
Tokenized ;
Tokenized }
Tokenized ;
Tokenized log
Tokenized string: "/usr/local/bin/maildirmake $HOME$DEFAULT"
Tokenized ;
Tokenized string: `/usr/local/bin/maildirmake $HOME$DEFAULT`
Tokenized ;
Tokenized log
Tokenized string: "/usr/local/bin/maildirmake -q $MAILDIRQUOTA $HOME$DEFAULT"
Tokenized ;
Tokenized string: `/usr/local/bin/maildirmake -q $MAILDIRQUOTA $HOME$DEFAULT`
Tokenized ;
Tokenized string: "TO"
Tokenized string: "$HOME$DEFAULT"
Tokenized ;
Tokenized eof
/etc/maildroprc(1): Opening logfile /var/log/maildrop.log
/etc/maildroprc(3): Trapping exceptions.
/etc/maildroprc(3): Exception trapping removed.
maildrop: Filtering through `/usr/local/bin/maildirmake $HOME$DEFAULT`
maildirmake: /home/virtual/receiver.tld/t...@receiver.tld/: File exists
maildrop: Filtering through `/usr/local/bin/maildirmake -q $MAILDIRQUOTA 
$HOME$DEFAULT`
maildrop: Attempting .mailfilter

It seems that all works fine..

Thanks,

rocsca


Re: virtual_alias_maps

2009-03-09 Thread Noel Jones

LuKreme wrote:
> On 8-Mar-2009, at 19:39, Sahil Tandon wrote:
>> What happens if you set:
>>
>> virtual_alias_domains =
>>
>> in main.cf?
>
> Then all mail to local (non virtual) users bounces with a Relay access
> denied error.




Sounds as if you have (unintentionally)? defined all your 
local domains as virtual_alias_domains.


Time to start at square one.
http://www.postfix.org/ADDRESS_CLASS_README.html

  -- Noel Jones


Re: hold all relayed mail by default

2009-03-09 Thread Noel Jones

Costin Guşă wrote:
> Hello,
> I'm using postfix postfix-2.3.3-2 x86 configured for a single domain.
> Clients are allowed to relay only after they have performed SMTP AUTH
> or if they connect from $mynetworks. (postconf -n posted at
> http://pastebin.ca/1356405)
>
> I'd like to mimic M$ Exchange "recall" behaviour for emails sent by
> relay-allowed clients.
>
> To accomplish this, I thought of putting all relayed mail into the
> 'hold' queue by default, then with a cron script to release it
> periodically (ex. "ls -lt" and "postsuper -r "), and manually use 'postsuper -d' after instructing users to
> call the helpdesk if they want to 'recall' a message they sent.
>
> First thing that comes into mind after reading "man 5 access" is to
> modify the "smtpd_sender_restrictions" section in main.cf:
>
> [...]
> smtpd_sender_restrictions =
> check_sender_access hash:/etc/postfix/check_sender_access_hash
> reject_non_fqdn_sender
> reject_unknown_sender_domain
>
> ...and in check_sender_access_hash to put:
> mynetworks.subnet  HOLD
> mydomain.tld   HOLD
>
> What do you think about the above approach? Would there be better alternatives?
> Has anyone implemented similar setups? Would the above approach catch
> all relayed mail ? Would a "pcre:" table perform better than "hash:"
> for this particular purpose ?



I don't think this is a good idea at all.

Folks by now somewhat expect mail being near real time, and 
will think your system is broken if it takes an hour or more 
to deliver anything.


I think the recall feature is rather bogus anyway; you can't 
recall anything sent to a non-exchange site and you can't tell 
the recipient to unread something they already looked at.  One 
could argue that features that work part of the time are 
broken by design.


But yes, your proposed design would do what you describe.

  -- Noel Jones



Re: Does main.cf need world readable?

2009-03-09 Thread Victor Duchovni
On Sun, Mar 08, 2009 at 08:47:53PM -0700, Jacky Chan wrote:

> 
> Hi all,
> 
> I found when I set main.cf to 740, owner is root and group is postfix.
> 
> [11:41:55][use...@nx1:~]# echo "testing" | mail -s "testing" root
> [11:41:58][use...@nx1:~]# send-mail: fatal: open /etc/postfix/main.cf:
> Permission denied
> 
> Does main.cf need world readable?

Yes.

> If so, the setting in main.cf will be world readable also.

Yes.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: hold all relayed mail by default

2009-03-09 Thread Costin Guşă
On Mon, Mar 9, 2009 at 2:43 PM, Noel Jones  wrote:
> Costin Guşă wrote:
>>

[...]

>>
>> I'd like to mimic M$ Exchange "recall" behaviour for emails sent by
>> relay-allowed clients.
>>

[...]

>
> I don't think this is a good idea at all.
>
> Folks by now somewhat expect mail being near real time, and will think your
> system is broken if it takes an hour or more to deliver anything.

yes, it's true that people expect instant delivery; however I was
thinking at short delays such as 5 minutes, since most regrettable
errors are discovered within the next few seconds following the event,
so keeping the mail in queue for extra five minutes wouldn't bother
the majority.

note that I didn't mention that I actually _want_ to do this, but this
has come up as a proposed solution to these kind of people with whom I
am interacting - I am supporting the IT in a field where being
computer literate is not a mandatory skill for a manager.

>
> I think the recall feature is rather bogus anyway; you can't recall anything
> sent to a non-exchange site and you can't tell the recipient to unread
> something they already looked at.  One could argue that features that work
> part of the time are broken by design.
>

I know this might turn into patching the effect instead of eliminating
the cause - but that's the most I am able to do now; after all, we are
all humans and prone to errors and my belief is that instead of humans
adapting to technology (as it happens now) it would be much better for
technology to adapt to humans. Maybe I am already offtopic, so I
should stop here :)

[...]


Re: Accepting sender with MX _only_

2009-03-09 Thread Wietse Venema
Halassy Zoltán:
> > can you show an example?
> 
> postfix log (my contract forbids to put client data here, so masqueraded 
> the real hostnames and IPs):
> 
> Mar  6 19:01:41 mail postfix/smtpd[6930]: NOQUEUE: reject: RCPT from 
> www.XXX.hu[X.X.X.X]: 450 4.1.7 : Sender address 
> rejected: unverified address: connect to www.XXX.hu[X.X.X.X]:25: 
> Connection refused; from= 
> to= proto=ESMTP helo=
> 
> www.XXX.hu is a large webhosting service, lot of webpages running on it, 
> some uses contact with our clients, but with valid source e-mail 
> addresses. So firewalling out this IP doesn't help.
> 
> Some other webpages got hacked or something, but they sending spam.

I recommend that you stop the spam at its source, the hacked websites,
instead of trying to block that spam down-stream with Postfix.

Wietse


Re: Does main.cf need world readable?

2009-03-09 Thread Wietse Venema
Victor Duchovni:
> On Sun, Mar 08, 2009 at 08:47:53PM -0700, Jacky Chan wrote:
> 
> > 
> > Hi all,
> > 
> > I found when I set main.cf to 740, owner is root and group is postfix.
> > 
> > [11:41:55][use...@nx1:~]# echo "testing" | mail -s "testing" root
> > [11:41:58][use...@nx1:~]# send-mail: fatal: open /etc/postfix/main.cf:
> > Permission denied
> > 
> > Does main.cf need world readable?
> 
> Yes.
> 
> > If so, the setting in main.cf will be world readable also.
> 
> Yes.

If you tinker with Postfix access permissions, you void the warranty,
and you lose support.

Wietse


Re: hold all relayed mail by default

2009-03-09 Thread Charles Marcus
On 3/9/2009, Costin Guşă (costi...@gmail.com) wrote:
> yes, it's true that people expect instant delivery; however I was
> thinking at short delays such as 5 minutes, since most regrettable
> errors are discovered within the next few seconds following the event,
> so keeping the mail in queue for extra five minutes wouldn't bother
> the majority.
> 
> note that I didn't mention that I actually _want_ to do this, but this
> has come up as a proposed solution to these kind of people with whom I
> am interacting - I am supporting the IT in a field where being
> computer literate is not a mandatory skill for a manager.

This is actually an interesting idea... but I think it should only be
available on an opt-in basis, where the end user understands that all of
their mail will be subject to this delay...

I wonder how hard some kind of automatic script processing would be,
where the user could just add a 'RECALL' to the subject beginning, and
have postfix delete the message from the queue if it found a match with
the sender and subject and then deliver a confirmation, or simply send a
'Too late' response if there is no match...

-- 

Best regards,

Charles


Re: hold all relayed mail by default

2009-03-09 Thread Jorey Bump
Charles Marcus wrote, at 03/09/2009 09:42 AM:
> On 3/9/2009, Costin Guşă (costi...@gmail.com) wrote:
>> yes, it's true that people expect instant delivery; however I was
>> thinking at short delays such as 5 minutes, since most regrettable
>> errors are discovered within the next few seconds following the event,
>> so keeping the mail in queue for extra five minutes wouldn't bother
>> the majority.
>>
>> note that I didn't mention that I actually _want_ to do this, but this
>> has come up as a proposed solution to these kind of people with whom I
>> am interacting - I am supporting the IT in a field where being
>> computer literate is not a mandatory skill for a manager.
> 
> This is actually an interesting idea... but I think it should only be
> available on an opt-in basis, where the end user understands that all of
> their mail will be subject to this delay...
> 
> I wonder how hard some kind of automatic script processing would be,
> where the user could just add a 'RECALL' to the subject beginning, and
> have postfix delete the message from the queue if it found a match with
> the sender and subject and then deliver a confirmation, or simply send a
> 'Too late' response if there is no match...

Isn't this best implemented at the MUA level? At the very least, a user
can simply save drafts of all composed email, then review & send
messages periodically. Not only does this address the problem, it is
more convenient for everyone, including the user, who can edit the
message in place before finally sending.




Re: hold all relayed mail by default

2009-03-09 Thread Charles Marcus
On 3/9/2009, Jorey Bump (l...@joreybump.com) wrote:
> Isn't this best implemented at the MUA level? At the very least, a user
> can simply save drafts of all composed email, then review & send
> messages periodically. Not only does this address the problem, it is
> more convenient for everyone, including the user, who can edit the
> message in place before finally sending.

It will never fail that the user will decide right after clicking the
send button that they want to recall it, no matter how long they wait
prior to sending...

I can't tell you how many times I've had to explain to one of our users
why we cannot recall their message - which usually ends up with me
describing how this exchange capability works, and why it only works
under certain limited circumstances, which does NOT include any
destinations that are NOT exchange servers configured to cooperate with
these requests.

I only said it was an interesting idea, and wondered if it could be
automated... I'm still not sure it *should* be done... :)

-- 

Best regards,

Charles


Rewrite body messages

2009-03-09 Thread Guillaume Rehm

Hi list,

I would like to know if Postfix is able to rewrite message bodies.

I would like to translate mails coming from an application by pattern.

Example:

From: t...@domain.com To: u...@domain.com Subject:MyApp Body:[Item1] 
toto [Item2] titi


To

From: t...@domain.com To: u...@domain.com Subject:MyApp Body:[Text for 
Item1] toto [Text for Item2] titi


Thanks in advance for your help.

--
Guillaume REHM
Centre de Ressources Informatiques
Responsable Sécurité du Système d'Information (RSSI)

Bibliothèque Nationale et Universitaire de Strasbourg
5 rue du Maréchal Joffre
BP 51029
67070 Strasbourg

tél: 03 88 25 28 23
fax: 03 88 25 28 03
mail: guillaume.r...@bnu.fr
web: http://www.bnu.fr



Re: Rewrite body messages

2009-03-09 Thread Wietse Venema
Guillaume Rehm:
> Hi list,
> 
> I would like to know if Postfix is able to rewrite message bodies.
> 
> I would like to translate mails coming from an application by pattern.
> 
> Example:
> 
> From: t...@domain.com To: u...@domain.com Subject:MyApp Body:[Item1] 
> toto [Item2] titi
> 
> To
> 
> From: t...@domain.com To: u...@domain.com Subject:MyApp Body:[Text for 
> Item1] toto [Text for Item2] titi

Postfix has limited rewriting built-in (the body_checks REPLACE,
IGNORE and PREPEND actions).

For heavy-duty content rewriting, you need to use an external
(preferably SMTP-based) content filter, or a Milter application.

SMTP-based proxy filters are widely available. See FILTER_README
for how to put this into Postfix. The Milter interface is documented
in the MILTER_README file. Writing Milter applications is for the
very courageous.

Wietse


Re: hold all relayed mail by default

2009-03-09 Thread Costin Guşă
On Mon, Mar 9, 2009 at 3:55 PM, Jorey Bump  wrote:
> Charles Marcus wrote, at 03/09/2009 09:42 AM:
>> On 3/9/2009, Costin Guşă (costi...@gmail.com) wrote:
>>> yes, it's true that people expect instant delivery; however I was
>>> thinking at short delays such as 5 minutes, since most regrettable
>>> errors are discovered within the next few seconds following the event,
>>> so keeping the mail in queue for extra five minutes wouldn't bother
>>> the majority.
>>>
>>> note that I didn't mention that I actually _want_ to do this, but this
>>> has come up as a proposed solution to these kind of people with whom I
>>> am interacting - I am supporting the IT in a field where being
>>> computer literate is not a mandatory skill for a manager.
>>
>> This is actually an interesting idea... but I think it should only be
>> available on an opt-in basis, where the end user understands that all of
>> their mail will be subject to this delay...
>>
>> I wonder how hard some kind of automatic script processing would be,
>> where the user could just add a 'RECALL' to the subject beginning, and
>> have postfix delete the message from the queue if it found a match with
>> the sender and subject and then deliver a confirmation, or simply send a
>> 'Too late' response if there is no match...
>
> Isn't this best implemented at the MUA level? At the very least, a user
> can simply save drafts of all composed email, then review & send
> messages periodically. Not only does this address the problem, it is
> more convenient for everyone, including the user, who can edit the
> message in place before finally sending.

composing drafts still does not prevent you from making mistakes when
you click "send" button on an unrevised draft. for example, you are
sure of the content but you could wrongly select the recipient in a
hurry. or mistype it. or be convinced that typing the very few letters
would select the contact it used to be selected, but by the chance a
new contact has been entered into the mua address book cache... and so
on.


Re: hold all relayed mail by default

2009-03-09 Thread Noel Jones

Charles Marcus wrote:
> On 3/9/2009, Jorey Bump (l...@joreybump.com) wrote:
>> Isn't this best implemented at the MUA level? At the very least, a user
>> can simply save drafts of all composed email, then review & send
>> messages periodically. Not only does this address the problem, it is
>> more convenient for everyone, including the user, who can edit the
>> message in place before finally sending.
>
> It will never fail that the user will decide right after clicking the
> send button that they want to recall it, no matter how long they wait
> prior to sending...
>
> I can't tell you how many times I've had to explain to one of our users
> why we cannot recall their message - which usually ends up with me
> describing how this exchange capability works, and why it only works
> under certain limited circumstances, which does NOT include any
> destinations that are NOT exchange servers configured to cooperate with
> these requests.
>
> I only said it was an interesting idea, and wondered if it could be
> automated... I'm still not sure it *should* be done... :)



Yes, this could be automated as you described.
I think the implementation will be a real pain, and you'll 
answer as many or more questions once it's implemented.

So no, it shouldn't be done.

Lots of interesting ideas don't really work, that doesn't mean 
you should stop trying.


  -- Noel Jones


understanding reject_unknown_client

2009-03-09 Thread Krishna Murthy
Hi,

I have reject_unknown_client  in my smtpd_recipient_restrictions and have 2
questions regarding the working of this option. I looked up the
documentation, but would love to cross check my understanding with other
users.

1.

I have noticed that the following scenario results in rejection with error -


450 4.7.1 Client host rejected: cannot find your hostname

1. A host connects to my postfix server from IPAddressA
2. IPAddressA has a proper PTR record pointing to HostnameA
3. HostnameA has an A record and points to IPAddressB
4. IPAddressB does not have a PTR record.

The above behavior suggests that postfix expects a PTR -> A -> PTR -> A
mapping. Is my understanding right?

Or is PTR -> A -> PTR adequate?


2. If IPAddressA points to HostnameA and HostNameA points to IPAddressB (
not to IPAddressA), should that be considered as an unknown_client and
eligible for rejection?

Thanks
Krishnan


Re: understanding reject_unknown_client

2009-03-09 Thread Victor Duchovni
On Mon, Mar 09, 2009 at 08:46:12PM +0530, Krishna Murthy wrote:

> I have reject_unknown_client  in my smtpd_recipient_restrictions

Don't. This restriction is too aggressive. It is only useful in combination
with other tests (applied to specific netblocks, sender domains, ...)

> The above behavior suggests that postfix expects a PTR -> A -> PTR -> A
> mapping. Is my understanding right?

Same idea but there is no second PTR required:

2.2.0.192.in-addr.arpa  IN PTR mail.example.com.
mail.example.com.   IN A 192.0.2.1
mail.example.com.   IN A 192.0.2.2
mail.example.com.   IN A 192.0.2.3

- The address resolves to a name via one PTR record (the first,
  additional PTRs are ignored)

- The name resolves to a set of addresses, at least one of which must
  be the original address.

-- 
Viktor.



Re: understanding reject_unknown_client

2009-03-09 Thread Noel Jones

Krishna Murthy wrote:
> Hi,
>
> I have reject_unknown_client  in my smtpd_recipient_restrictions and
> have 2 questions regarding the working of this option. I looked up the
> documentation, but would love to cross check my understanding with other
> users.




http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

  -- Noel Jones
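
The two rules from Victor Duchovni's reply in this thread (only the first PTR is used; the name's addresses must include the client address), applied to constructed DNS data as an added Python example that is not code from the thread or from Postfix. The function names and every record outside the 192.0.2.x zone are assumptions made for illustration.

```python
"""Forward-confirmed reverse DNS check over constructed records (no network)."""
import ipaddress

# Constructed DNS data so the check runs offline. The 192.0.2.x records are
# the zone quoted in the reply; everything else is made up for illustration.
PTR = {
    "2.2.0.192.in-addr.arpa.": ["mail.example.com."],
    # IPAddressA -> HostnameA, as in the question
    "7.100.51.198.in-addr.arpa.": ["hosta.example.net."],
    # two PTR records: only the first one is looked at
    "9.100.51.198.in-addr.arpa.": ["first.example.org.", "second.example.org."],
}
A = {
    "mail.example.com.": ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
    "hosta.example.net.": ["203.0.113.5"],  # HostnameA -> IPAddressB
    "first.example.org.": ["198.51.100.10"],
    "second.example.org.": ["198.51.100.9"],
}

# Reply text as quoted in the question.
REJECT_TEXT = "450 4.7.1 Client host rejected: cannot find your hostname"


def reverse_name(ip):
    """Name under in-addr.arpa / ip6.arpa that holds the PTR for this address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_client(ip, ptr=PTR, a=A):
    """Return (verdict, hostname, reason) for a connecting client address."""
    names = ptr.get(reverse_name(ip), [])
    if not names:
        return ("unknown", None, "address has no PTR record")
    name = names[0]  # additional PTR records are ignored
    addrs = a.get(name, [])
    if not addrs:
        return ("unknown", name, "name has no address record")
    client = ipaddress.ip_address(ip)
    # No second PTR lookup happens here: the addresses of the name only
    # have to contain the address the client connected from.
    if not any(ipaddress.ip_address(x) == client for x in addrs):
        return ("unknown", name, "name does not resolve back to the client address")
    return ("ok", name, "forward-confirmed")


def smtp_reply(ip):
    """None when the client passes, otherwise the rejection text."""
    verdict, _, _ = check_client(ip)
    return None if verdict == "ok" else REJECT_TEXT


if __name__ == "__main__":
    for addr in ("192.0.2.2", "198.51.100.7", "198.51.100.9", "203.0.113.5"):
        print(addr, check_client(addr))
```

In the question's scenario the client at 198.51.100.7 is classed as unknown because hosta.example.net. does not resolve back to it; whether 203.0.113.5 has a PTR record is never consulted.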


Re: postfix filter and CR LF.CR LF - New Issue

2009-03-09 Thread Jordi Moles Blanco

Jordi Moles Blanco wrote:
> Magnus Bäck wrote:
>> On Thu, March 5, 2009 10:13 am, Jordi Moles Blanco said:
>>> martijn.list wrote:
>>>> You are probably forgetting to convert the single dot (.) to dot-dot
>>>> (..)
>>>>
>>>> See RFC 2821 section 4.5.2 Transparency
>>>
>>> thanks for your suggestion, I'll give it a try. However, I think that
>>> I've already tried this. As far as I can remember, the problem by
>>> modifying the content of the message was that when a user used some kind
>>> of signature, the checksum wouldn't match and users complain about the
>>> body being altered. Does that make sense to you? Or may be it's only
>>> that my implementation was buggy.
>>
>> The extra dot is removed by the SMTP server so that the message remains
>> the same after transmission.
>
> Hi,
>
> thanks for the info. Now the filter seems to work properly.
>
> I guess it was my fault the first time I tried this. I didn't keep
> that piece of code cause it wasn't working anyway... but it was
> definitely buggy.
>
> Thanks for your help.


Hi,

after your comments I thought I had "fixed" my filter and everything 
seemed to work fine. I only replaced \n.\n with \n..\n in the body of 
the message.


But now I've found out that when the message contains html code, it 
doesn't work properly.


If you look at the content of the message, by doing "cat" for example, 
you can see a line like this ., which is obvious for being HTML 
. However, i can't add the second dot properly. After trying several 
approaches I can only replace some of the dots there are in the message.

For example, if the body of the message is something like this:

**

asdf*adsfa*sd
.
MAIL FROM: unremit...@vivalasvegas.com
RCPT TO: jo...@cdmon.com
DATA

prova, pro*va, prov*a sense quota
.

***

it will only replace the first dot, but not the second one.

How can I replace the dot properly when the text has HTML code?

Thanks.


RE: Postoffice with virtual mailbox and a Maildrop issue [SOLVED]

2009-03-09 Thread Rocco Scappatura
Hello,

> > Rocco Scappatura wrote:
> > > [snip]
> > > Why the message is not delivered immediately to the virtual mailbox
> > after
> > > vacation filter?
> > >
> >
> > because the domain is not listed as a virtual mailbox domain
> 
> At first glance, I should say as above too, but I swear that the query
> is exactly the one I have reported.
> 
> > >>> # postmap -q  t...@receiver.tld
> > >>> proxy:mysql:/etc/postfix/mysql-virtual-domain.cf
> > >>> receiver.tld
> > >> virtual_mailbox_domains is looked up with the domain name as the
> > key,
> > >> not the email address. Show the output from the right command.
> > >
> > > # postmap -q domain.tld proxy:mysql:/etc/postfix/mysql-virtual-
> > domain.cf
> > > #
> > >
> > > :-(
> > >
> > > But:
> > >
> > > # cat /etc/postfix/mysql-virtual-domain.cf
> > > .
> > > .
> > > query = select domain from domain where domain = '%d' and active =
> 1
> > >
> > > return me correctly:
> > >
> > > +------------+
> > > | domain     |
> > > +------------+
> > > | domain.tld |
> > > +------------+
> > >
> > > mmmhhh!?!?!?
> >
> > you'll need to make sure you run the right sql queries when testing
> and
> > that your .cf has the right hosts, user, ... etc.
> 
> Also the db configuration parameter in postfix configuration files are
> correct..

Not completely.. In fact, I have read carefully mysql_table man and I see that 
the right query is:

query = select domain from domain where domain = '%s' and active = 1

because postfix evidently passes the domain part of the recipient for lookup.. 
while I erroneously thought that the entire recipient was looked up..

I'm sorry,

rocsca


Re: postfix filter and CR LF.CR LF - New Issue

2009-03-09 Thread Victor Duchovni
On Mon, Mar 09, 2009 at 04:50:29PM +0100, Jordi Moles Blanco wrote:

> after your comments I thought I had "fixed" my filter and everything seemed 
> to work fine. I only replaced \n.\n with \n..\n in the body of the message.

You don't change message bodies before transmission, you follow RFCs
821, 2821, 5321 and remove leading "." from the SMTP payload on input
(in the SMTP server) and add leading "." to the SMTP payload on output
(in the SMTP client). SMTP uses "\r\n" at the ends of lines.

> But now I've found out that when the message contains html code, it doesn't 
> work properly.

This is nonsense, SMTP+MIME deliver conforming message bodies unmodified
from the sender to the recipient. It does so via suitable encodings during
message preparation and transport.

Use MIME to encode content that is not printable ASCII text (with
sufficiently short lines). Use SMTP transparency to deal with lines
starting with ".".

> If you look at the content of the message, by doing "cat" for example, you 
> can see a line like this ., which is obvious for being HTML . 

You are still mightily confused. Don't modify the message or its HTML
encoding. Implement correct SMTP server and client code.

-- 
Viktor.
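
The SMTP transparency rule from the reply above (add a leading "." on output, remove it on input, "\r\n" line endings), as an added Python example that is not code from the thread. It also runs the `\n.\n` substring replacement described in the question for comparison; the function names and the sample message are constructed.

```python
"""SMTP DATA transparency: stuff on output, un-stuff on input."""
import re

CRLF = b"\r\n"
END_OF_DATA = b".\r\n"  # the line consisting of a single dot

# Constructed message: a lone dot, a line that merely starts with a dot,
# and a line that is already two dots.
SAMPLE = b"first part\r\n.\r\nsecond part\r\n.hidden line\r\n..\r\nlast\r\n"


def split_lines(message):
    """Split on CRLF or bare LF, dropping the empty tail after a final newline."""
    lines = re.split(rb"\r?\n", message)
    if lines and lines[-1] == b"":
        lines.pop()
    return lines


def to_wire(message):
    """Client side: CRLF line endings, one extra dot in front of every line
    that starts with a dot, then the end-of-data line."""
    out = []
    for line in split_lines(message):
        if line.startswith(b"."):
            line = b"." + line
        out.append(line + CRLF)
    return b"".join(out) + END_OF_DATA


def from_wire(payload):
    """Server side: read lines up to the first one that is exactly ".",
    removing one leading dot from every other line that has one.
    Returns (message, leftover); leftover is whatever followed end-of-data."""
    out = []
    pos = 0
    while True:
        end = payload.find(CRLF, pos)
        if end < 0:
            raise ValueError("no end-of-data line found")
        line = payload[pos:end]
        pos = end + len(CRLF)
        if line == b".":
            return b"".join(out), payload[pos:]
        if line.startswith(b"."):
            line = line[1:]
        out.append(line + CRLF)


def naive_filter(message):
    """The substring replacement described in the question, kept for comparison."""
    return message.replace(b"\n.\n", b"\n..\n")


if __name__ == "__main__":
    # Correct handling: the receiver gets back exactly what was sent.
    print(from_wire(to_wire(SAMPLE)) == (SAMPLE, b""))
    # Substring replacement: consecutive dot lines overlap, so the second
    # one is left alone...
    print(naive_filter(b"a\n.\n.\nb\n"))
    # ...and with CRLF line endings nothing matches at all, so the receiver
    # stops at the first lone dot and the rest is no longer message content.
    print(from_wire(naive_filter(SAMPLE) + END_OF_DATA))
```

A message whose last line has no line ending comes back with one added, since the wire format terminates every line with "\r\n".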



per-user relay destinations

2009-03-09 Thread Aaron Zuercher
Hello,
I have set up a box running postfix+amavis+spamassassin to act as a mail
gateway.  I currently have an older postfix box doing mail gateway duties
now.  I'd like to run some live tests on the new spam box by forwarding some
of the users' mail from the current gateway to the new box for processing.
Is this a possibility?  Can someone point me in the right direction on how to
set this up?  I was looking at transport maps?

Thanks,
Aaron


Re: hold all relayed mail by default

2009-03-09 Thread Costin Guşă
On Mon, Mar 9, 2009 at 4:02 PM, Charles Marcus
 wrote:
> On 3/9/2009, Jorey Bump (l...@joreybump.com) wrote:
>> Isn't this best implemented at the MUA level? At the very least, a user
>> can simply save drafts of all composed email, then review & send
>> messages periodically. Not only does this address the problem, it is
>> more convenient for everyone, including the user, who can edit the
>> message in place before finally sending.
>
> It will never fail that the user will decide right after clicking the
> send button that they want to recall it, no matter how long they wait
> prior to sending...
>
> I can't tell you how many times I've had to explain to one of our users
> why we cannot recall their message - which usually ends up with me
> describing how this exchange capability works, and why it only works
> under certain limited circumstances, which does NOT include any
> destinations that are NOT exchange servers configured to cooperate with
> these requests.
>
> I only said it was an interesting idea, and wondered if it could be
> automated... I'm still not sure it *should* be done... :)
>

yes that looks interesting; however at the moment the recall request
rate is really low for my particular case so should be enough to
manually release mails from the hold queue with 'postsuper';
however i'm wondering if my proposed implementation would *really*
catch not only all relayed mail but also internal clients sending mail
to internal clients ?


Re: hold all relayed mail by default

2009-03-09 Thread Noel Jones

Costin Guşă wrote:

> however i'm wondering if my proposed implementation would *really*
> catch not only all relayed mail but also internal clients sending mail
> to internal clients ?


To only catch outbound mail, use something like this (note 
smtpd_SENDER_restrictions):


# main.cf
smtpd_sender_restrictions =
  permit_auth_destination
  static:hold

This requires the default setting "smtpd_delay_reject = yes", 
so don't change it.



  -- Noel Jones



Re: per-user relay destinations

2009-03-09 Thread Veiko Kukk

Aaron Zuercher wrote:

> Hello,
> I have setup a box running postfix+amavis+spamassassin to act as a mail
> gateway.  I currently have an older postfix box doing mail gateway
> duties now.  I'd like to run some live tests on the new spam box by
> forwarding some of the users' mail from the current gateway to the new
> box for processing.  Is this a possibility?  Can someone point me in the
> right direction on how to set this up?  I was looking at transport maps?

You are looking at the right solution.

transport_maps = hash:/your/dir/transport.map

transport.map includes rows like this:

u...@foo.bar smtp:some.smtp.server

--
veiko


Outbound mail routing

2009-03-09 Thread Zachary Fortna
Is it possible to route outbound messages based upon the domain of the from 
address?  For example:

If u...@example.com sends an outbound message it is 
routed to host1.mailrelay.com and if u...@test.com sends 
an outbound message it is routed to host2.mailrelay.com

Thanks in advance for any assistance.


Re: Outbound mail routing

2009-03-09 Thread Victor Duchovni
On Mon, Mar 09, 2009 at 02:10:03PM -0400, Zachary Fortna wrote:

> Is it possible to route outbound messages based upon the domain of the from 
> address?  For example:
> 
> If u...@example.com sends an outbound message it is 
> routed to host1.mailrelay.com and if u...@test.com 
> sends an outbound message it is routed to host2.mailrelay.com
> 
> Thanks in advance for any assistance.

http://www.postfix.org/SOHO_README.html#client_sasl_sender

-- 
Viktor.



Re: Outbound mail routing

2009-03-09 Thread Pascal Volk
On 09.03.2009 19:10 Zachary Fortna wrote:
> Is it possible to route outbound messages based upon the domain of the
> from address?  For example:
> 
> If u...@example.com sends an outbound message
> it is routed to host1.mailrelay.com and if u...@test.com
> sends an outbound message it is routed to
> host2.mailrelay.com

sender_dependent_relayhost_maps (default: empty)
A sender-dependent override for the global relayhost parameter setting.

See postconf(5) for more details


Regards,
Pascal
-- 
The trapper recommends today: decade.0906...@localdomain.org


Re: virtual_alias_maps

2009-03-09 Thread LuKreme

On 9-Mar-2009, at 06:31, Noel Jones wrote:
> LuKreme wrote:
>> On 8-Mar-2009, at 19:39, Sahil Tandon wrote:
>>> What happens if you set:
>>>
>>>    virtual_alias_domains =
>>>
>>> in main.cf?
>> Then all mail to local (non virtual) users bounces with a Relay
>> access denied error.
>
> Sounds as if you have (unintentionally)? defined all your local
> domains as virtual_alias_domains.

virtual_alias_maps =
    hash:/usr/local/etc/postfix/virtual,
    pcre:/usr/local/etc/postfix/virtual.pcre,
    mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf

this has been working for a year until 2.5.6

Just to be clear, the only thing that is not working is .. oh wait

Never mind. Everything is working 100%, I simply forgot how I  
configured everything.


The domain 'southgaylord.com' *IS* a virtual domain.  I have two  
legacy email addresses in that domain that were setup to deliver, via  
an alias in the virtual domain, to local user accounts.  All fixed now.



--
Nihil est--in vita priore ego imperator Romanus fui.



Content Filters - Body Matching

2009-03-09 Thread Post Freak
Hello,
I have a restriction that mandates only certain types of email to be allowed 
outbound. If an email does not match a pattern, they want that email BCCed to 
another account. Reading the documentation, I see that body_checks isn't a good 
way to filter multiple lines and that I should use something like Spamassassin 
(version 3.2.4). I have that installed and working with Postfix (version 
2.2.10).

The issue is how can I guarantee that only email fitting a certain pattern will 
go through and others won't? Has anyone had a setup similar to this, and is 
Spamassassin the best filter for this kind of setup?

Thank you!!



  

Re: Content Filters - Body Matching

2009-03-09 Thread Evan Platt

At 01:38 PM 3/9/2009, you wrote:

> Hello,
> I have a restriction that mandates only certain types of email to be
> allowed outbound. If an email does not match a pattern, they want
> that email BCCed to another account. Reading the documentation, I
> see that body_checks isn't a good way to filter multiple lines and
> that I should use something like Spamassassin (version 3.2.4). I
> have that installed and working with Postfix (version 2.2.10).
>
> The issue is how can I guarantee that only email fitting a certain
> pattern will go through and others won't? Has anyone had a setup
> similar to this, and is Spamassassin the best filter for this kind of setup?


Spamassassin won't work as Spamassassin cannot 'stop' mails. SA only 
assigns scores. What you do with a message SA flagged (or rather 
scored) as Spam or not spam is up to you.




Re: Content Filters - Body Matching

2009-03-09 Thread Noel Jones

Post Freak wrote:

> Hello,
> I have a restriction that mandates only certain types of email to be
> allowed outbound. If an email does not match a pattern, they want that
> email BCCed to another account. Reading the documentation, I see that
> body_checks isn't a good way to filter multiple lines and that I should
> use something like Spamassassin (version 3.2.4). I have that installed
> and working with Postfix (version 2.2.10).
>
> The issue is how can I guarantee that only email fitting a certain
> pattern will go through and others won't? Has anyone had a setup similar
> to this, and is Spamassassin the best filter for this kind of setup?
>
> Thank you!!



I don't think there's a simple way to do this, but I suppose 
it could be done by having SpamAssassin add a header (could 
just be part of the list of matching rules report) and then 
use a postfix header_checks with the FILTER action to send the 
matching mail to another postfix instance with always_bcc set.


of course, your SA rule must only match mail you want to BCC.

  -- Noel Jones


Re: virtual_alias_maps

2009-03-09 Thread mouss
LuKreme wrote:
> On 9-Mar-2009, at 06:31, Noel Jones wrote:
>> LuKreme wrote:
>>> On 8-Mar-2009, at 19:39, Sahil Tandon wrote:
>>>> What happens if you set:
>>>>
>>>> virtual_alias_domains =
>>>>
>>>> in main.cf?
>>> Then all mail to local (non virtual) users bounces with a Relay
>>> access denied error.
>>
>> Sounds as if you have (unintentionally)? defined all your local
>> domains as virtual_alias_domains.
> 
> virtual_alias_maps =
> hash:/usr/local/etc/postfix/virtual,
> pcre:/usr/local/etc/postfix/virtual.pcre,
> mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
> 
> this has been working for a year until 2.5.6
> 
> Just to be clear, the only thing that is not working is .. oh wait
> 
> Never mind. Everything is working 100%, I simply forgot how I configured
> everything.
> 
> The domain 'southgaylord.com' *IS* a virtual domain.  I have two legacy
> email addresses in that domain that were setup to deliver, via an alias
> in the virtual domain, to local user accounts.  All fixed now.
> 
> 


you must understand the difference between
virtual_mailbox_domains
and
virtual_alias_domains




Re: sender IP check

2009-03-09 Thread mouss
K bharathan wrote:
> hi all
> on my smtp out i want to put ''reject_rbl_client  zen.spamhaus.org''
> since many local ADSL dynamic ips are in PBL ; is it desirable?
> where i can put this? this relay machine does only sending out;

if this is "only out", then it should not accept mail except from
- trusted networks (mynetworks)
- trusted users (sasl authentication)
all the rest should get a reject. so it's

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject

if this is an MX (a mail server that accepts mail from anywhere to few
domains), then

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    #reject_invalid_helo_hostname
    #reject_non_fqdn_helo_hostname
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_rbl_client zen.spamhaus.org



Re: hold all relayed mail by default

2009-03-09 Thread mouss
Charles Marcus wrote:
> On 3/9/2009, Jorey Bump (l...@joreybump.com) wrote:
>> Isn't this best implemented at the MUA level? At the very least, a user
>> can simply save drafts of all composed email, then review & send
>> messages periodically. Not only does this address the problem, it is
>> more convenient for everyone, including the user, who can edit the
>> message in place before finally sending.
> 
> It will never fail that the user will decide right after clicking the
> send button that they want to recall it, no matter how long they wait
> prior to sending...
> 

and they will also decide to recall it after it was "released" ;-p


> I can't tell you how many times I've had to explain to one of our users
> why we cannot recall their message - which usually ends up with me
> describing how this exchange capability works, and why it only works
> under certain limited circumstances, which does NOT include any
> destinations that are NOT exchange servers configured to cooperate with
> these requests.
> 

next time: insult him, then "recall the insult", and see if he accepts ;-p

or if he is stronger than you, ask him how to recall a phone call ;--p


> I only said it was an interesting idea, and wondered if it could be
> automated... I'm still not sure it *should* be done... :)
> 

it can be automated. the hard part is to define the criteria (when to
keep, when to "release") and how to recall (how does user tell the
system that he wants to recall a message, and in particular, how to
authenticate the user). all these can be solved, but I'm not sure it's
worth the trouble...



Re: hold all relayed mail by default

2009-03-09 Thread mouss
Costin Guşă wrote:
> On Mon, Mar 9, 2009 at 3:55 PM, Jorey Bump wrote:
>> Charles Marcus wrote, at 03/09/2009 09:42 AM:
>>> On 3/9/2009, Costin Guşă (costi...@gmail.com) wrote:
>>>> yes, it's true that people expect instant delivery; however I was
>>>> thinking at short delays such as 5 minutes, since most regrettable
>>>> errors are discovered within the next few seconds following the event,
>>>> so keeping the mail in queue for extra five minutes wouldn't bother
>>>> the majority.
>>>>
>>>> note that I didn't mention that I actually _want_ to do this, but this
>>>> has come up as a proposed solution to these kind of people with whom I
>>>> am interacting - I am supporting the IT in a field where being
>>>> computer literate is not a mandatory skill for a manager.
>>> This is actually an interesting idea... but I think it should only be
>>> available on an opt-in basis, where the end user understands that all of
>>> their mail will be subject to this delay...
>>>
>>> I wonder how hard some kind of automatic script processing would be,
>>> where the user could just add a 'RECALL' to the subject beginning, and
>>> have postfix delete the message from the queue if it found a match with
>>> the sender and subject and then deliver a confirmation, or simply send a
>>> 'Too late' response if there is no match...
>> Isn't this best implemented at the MUA level? At the very least, a user
>> can simply save drafts of all composed email, then review & send
>> messages periodically. Not only does this address the problem, it is
>> more convenient for everyone, including the user, who can edit the
>> message in place before finally sending.
> 
> composing drafts still does not prevent you from making mistakes when
> you click "send" button on an unrevised draft. for example, you are
> sure of the content but you could wrongly select the recipient in a
> hurry. or mistype it. or be convinced that typing the very few letters
> would select the contact it used to be selected, but by the chance a
> new contact has been entered into the mua address book cache... and so
> on.

every time this happened to me, I only realised after I saw the recipient
reply, or after many days...

I actually thought of implementing this just for me (in which case, there
is no interface problem, since I have full control on the server and I
don't need a fancy UI), but I realized that I would click on
"recall" instantly anyway...



Re: understanding reject_unknown_client

2009-03-09 Thread mouss
Krishna Murthy wrote:
> Hi,
> 
> I have reject_unknown_client  in my smtpd_recipient_restrictions and
> have 2 questions regarding the working of this option. I looked up the
> documentation, but would love to cross check my understanding with other
> users.
> 
> 1.
> 
> I have noticed that the following scenario results in rejection with
> error -
> 
> 450 4.7.1 Client host rejected: cannot find your hostname
> 
> 1. A host connects to my postfix server from IPAddressA
> 2. IPAddressA has a proper PTR record pointing to HostnameA
> 3. HostnameA has an A record and points to IPAddressB
> 4. IPAddressB does not have a PTR record.
> 
> The above behavior suggests that postfix expects a PTR -> A -> PTR -> A
> mapping. Is my understanding right?
> 
> Or is PTR -> A -> PTR adequate?
> 

IP -> PTR -> A=IP

in case of multiple PTRs, only the first is used. if there is a round
robin, then you should guarantee the match above for all PTRs, or you'll
have a mismatch from time to time.

Multiple A records (last step) are ok.

> 
> 2. If IPAddressA points to HostnameA and HostNameA points to IPAddressB
> ( not to IPAddressA), should that be considered as an unknown_client and
> eligible for rejection?
> 

it's "unknown_client", but this is too aggressive today. you'll have to
wait until the big gorillas (aol, google, ... etc) enforce this.
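
The IP -> PTR -> A=IP rule from the reply above, as an added Python example that is not part of the original thread and is not Postfix's own code. It follows the reply's description (only the first PTR is used, any matching A record is enough); the zone data, host names and function names are constructed, with 192.0.2.20 and 198.51.100.7 standing in for IPAddressA and IPAddressB.

```python
"""Forward-confirmed reverse DNS: IP -> PTR -> A, and A must include IP."""
import ipaddress

# Constructed zone data (documentation address ranges, made-up names).
PTR = {
    "192.0.2.10": ["mail.example.net"],
    "192.0.2.20": ["hosta.example.net"],            # IPAddressA
    "192.0.2.30": ["good.example.net", "stale.example.net"],
    # 198.51.100.7 (IPAddressB) deliberately has no PTR record
}
A = {
    "mail.example.net": ["192.0.2.10", "192.0.2.11"],
    "hosta.example.net": ["198.51.100.7"],          # points at IPAddressB
    "good.example.net": ["192.0.2.30"],
    "stale.example.net": ["203.0.113.9"],
}


def check_client(ip, ptr=PTR, a=A):
    """Return (verdict, detail) for a connecting client address."""
    ip = str(ipaddress.ip_address(ip))              # normalise the literal
    names = ptr.get(ip, [])
    if not names:
        return "unknown", "no PTR record for client address"
    name = names[0].rstrip(".").lower()             # only the first PTR counts
    addrs = a.get(name, [])
    if not addrs:
        return "unknown", f"{name} has no A record"
    # Any one of several A records may match; no second PTR lookup is done.
    if ip not in {str(ipaddress.ip_address(x)) for x in addrs}:
        return "unknown", f"{name} does not resolve back to {ip}"
    return "ok", name


def round_robin_verdicts(ip, ptr=PTR, a=A):
    """Verdict for each rotation of the PTR answer, as a round-robin
    resolver would hand them out over time."""
    names = ptr.get(ip, [])
    verdicts = []
    for i in range(len(names)):
        rotated = dict(ptr)
        rotated[ip] = names[i:] + names[:i]
        verdicts.append(check_client(ip, rotated, a)[0])
    return verdicts


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "198.51.100.7"):
        print(addr, check_client(addr))
    print("192.0.2.30", round_robin_verdicts("192.0.2.30"))
```

The missing PTR for IPAddressB plays no part in the verdict for IPAddressA: the check fails one step earlier, because the A record of HostnameA does not lead back to IPAddressA.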



Re: per-user relay destinations

2009-03-09 Thread Barney Desmond
2009/3/10 Veiko Kukk:
> transport.map includes rows like this:
>
> u...@foo.bar smtp:some.smtp.server

Almost correct - you'll probably want to put square-brackets around
the server's hostname to prevent undesirable lookups. Like so:

u...@example.com smtp:[new.mail.server]

Without square brackets, Postfix will attempt to do an MX lookup on
that name, which is usually not what you want.


v2.5.5 showq and postcat date/time stamp discrepancy

2009-03-09 Thread Glen B


Hi,

Postfix 2.5.5 on Debian

I've just noticed a discrepancy between showq (postqueue -p) and 
postcat. I've looked through the code, played with the conversion code 
in postcat and I honestly can not figure out what's going wrong:


-Queue ID- --Size-- Arrival Time -Sender/Recipient---
DBBAD4A340AD  827 Mon Mar  9 10:29:27  root

*** ENVELOPE RECORDS /var/spool/postfix/maildrop/DBBAD4A340AD ***
message_arrival_time: Mon Mar  9 06:29:27 2009

postcat is stating time in GMT (+4 tz for me) and it is performing 
localtime() on the, supposedly, same seconds value that showq is. The 
only difference I noticed code-wise was the fact that showq is doing a 
direct string-to-long conversion whereas postcat is using the 
REC_TYPE_TIME_SCAN macro to convert the seconds chars directly to 
tv.tv_sec. Any thoughts? I either need GMT with the tz offset info, or a 
correct local time, in the postcat output.


Thanks,

GlenB


Re: v2.5.5 showq and postcat date/time stamp discrepancy

2009-03-09 Thread Victor Duchovni
On Tue, Mar 10, 2009 at 01:01:37AM -0400, Glen B wrote:

>
> Hi,
>
> Postfix 2.5.5 on Debian
>
> I've just noticed a discrepancy between showq (postqueue -p) and postcat. 
> I've looked through the code, played with the conversion code in postcat 
> and I honestly can not figure out what's going wrong:
>
> -Queue ID- --Size-- Arrival Time -Sender/Recipient---
> DBBAD4A340AD  827 Mon Mar  9 10:29:27  root
>
> *** ENVELOPE RECORDS /var/spool/postfix/maildrop/DBBAD4A340AD ***
> message_arrival_time: Mon Mar  9 06:29:27 2009

Don't use a setuid wrapper to run postcat. When Postfix commands run
with uid != euid, they don't trust the environment, and always report
GMT. If you run "postcat" and "mailq" with uid == euid == 0 (root),
the results are consistent.

-- 
Viktor.



about relay server

2009-03-09 Thread tom lee
hello,

I checked the doc about the mail relay in postfix and am still not
clear about two issues.

I have mail sending from machine A to machine B,  machine B is a relay
server forwarding the email to machine C (target machine).

I want to make sure there are no emails bouncing back from either
machine B or machine C to machine A.
can it be done?

If machine C is down,  relay machine B will spool all emails till
machine C is up.
what configuration adjustment should I make for relay machine B?
is there a way to adjust the mail holding days in the relay machine B?

any help is appreciated.

Tom