Re: postfix xforward queueid patch

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 02:41:54PM +0800, saguto yin wrote:

> hi, folks
> 
> this is a simple patch to make postfix 2.5.6 send queueid by xforward
> command to next-hop, hope this can be ...
> 
> BTW: server side queueid parse is not done in this patch.

Why is this necessary? What's wrong with parsing the "id" element of
the top-most "Received:" header? Ignoring text in RFC822 comments,
and Microsoft's grammar violations (since this will be generated
by Postfix), you have:

  Received: [FROM client-helo-name]
  [BY server-name>] [WITH protocol] [ID queue-id]
  [FOR ] ";" RFC-822-Date

Postfix always includes the "ID queue-id" attribute-value pair.

There is a price to pay for each additional XFORWARD keyword, it is far
from clear that the benefit justifies the cost in this case.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


PCRE Conditional Canonical Address Mapping

2009-03-11 Thread Yves Kreis

Dear,

Can I use a canonical map like:
if /^To: u...@domain\.com$/
/^From: (".*" )*(.+)@(.+)$/ From: ${1}${2}+$...@anotherdomain.com
endif

Thanks,
Yves


Re: virtual_alias_maps

2009-03-11 Thread LuKreme

On 10-Mar-2009, at 21:42, Victor Duchovni wrote:
> You are supposed to now have just the domains here, and the user mappings
> in virtual_alias_maps.

OK, i thought I tried that when I put the bare domains in
virtual_alias_domains but something else must have been mucked up then.

> I did say multiple times that this setting depends
> on *ONLY* the domains being listed in this file. Otherwise use two files:
>
>    /etc/postfix/virtual_alias_domains:
>        example.com virtual alias domain
>        example.net virtual alias domain
>
>    /etc/postfix/virtual:
>        j...@example.com    j...@somewhere
>        f...@example.net    f...@somewhere
>
> And thus:
>
>    virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
>    virtual_alias_maps = hash:/etc/postfix/virtual,
>        ... more tables for virtual(5) rewrites ...

Since the domain list is short, I just listed them in
virtual_alias_domains, removed them from /etc/postfix/virtual, and
left virtual_alias_maps the way it was. (Oh, and postmapped the
virtual file as well).

Everything (well, everything related to this) looks like it's working
now, thanks for your patience.


--
We will fight for Bovine Freedom and hold our large heads high
We will run free with the Buffalo or die



Re: v2.5.5 showq and postcat date/time stamp discrepancy

2009-03-11 Thread LuKreme

On 10-Mar-2009, at 20:43, Glen B wrote:

> Why no TZ was set in the chroot, I'm clueless



Because the chroot jail doesn't have access to read the TMZ information?

--
I draw the line at 7 unreturned phone calls.



Re: virtual_alias_maps

2009-03-11 Thread LuKreme

On 10-Mar-2009, at 21:48, Sahil Tandon wrote:
> The lookup key for virtual_alias_DOMAINS should be a domain name,
> not full address.  Are you going to reply with some more sarcastic
> pedantry? :-)


Hey now, there's always room for more sarcastic pedantry!

I *think* I have it all straight in my head now. really for sure this  
time.


--
The trouble with being a god is that you've got no one to pray to.



Re: changing sender null address...

2009-03-11 Thread LuKreme

On 10-Mar-2009, at 18:15, mme...@gmail.com wrote:
> when postfix wants to send a  bounce message (notifying the rejected
> message), my mail system will always try to deliver it directly to
> the recipient server (i'm not using a relayhost)... i think i need
> to change <> to _real_send...@realdomain. I played with this
> parameters, without success:

NEVER EVER send a bounce message for a message you have accepted.
Either reject it during the transaction phase, or accept it and do
what you will with it, but sending a bounce to an almost certainly
forged 'From:' address is a sure way to make a lot of sysadmins angry
and get you blacklisted.  And not in those friendly RBLs you have some
hope of getting off of, but in the Black Pits of Calcutta sorts of
private blacklists you have no hope of ever removing yourself from.


--
I've got Mathematica 2.2 on my Quadra



Second instance of postfix

2009-03-11 Thread Wouter van Marle
Hi list,

I am trying to run a second instance of postfix for a separate queue
(see my thread "Prioritising outgoing mail" for why). I have followed
information on the Internet but still can't get it running.

I have set up a second instance with a second IP and separate config and
spool directories, but am stuck with the /var/lib/postfix/master.lock
file. I can not find where I can change this, so the second instance can
create its own lockfile e.g. /var/lib/postfix/master2.lock
or /var/lib/postfix2/master.lock. All the tutorials/howtos I have found
on the net completely ignore this issue.

The /var/spool/postfix2/pid/master.pid file is created. Spool dirs and
so are all in place.

Wouter.



Re: v2.5.5 showq and postcat date/time stamp discrepancy

2009-03-11 Thread Wietse Venema
Glen B:
> directly. So, can I request a raw message dump tool that simply outputs 
> the headers and data section? I'd be fine with a raw envelope used in 
> SMTP DATA transactions. If this is possible with an existing tool then 
> I'd be fine with that also. As it stands I can't rely on postcat output 
> having an accurate local date/time.

Use postcat, with a TZ environment setting that is
consistent with Postfix daemon processes.

Wietse


Re: postfix xforward queueid patch

2009-03-11 Thread Wietse Venema
Victor Duchovni:
> On Wed, Mar 11, 2009 at 02:41:54PM +0800, saguto yin wrote:
> 
> > hi, folks
> > 
> > this is a simple patch to make postfix 2.5.6 send queueid by xforward
> > command to next-hop, hope this can be ...
> > 
> > BTW: server side queueid parse is not done in this patch.
> 
> Why is this necessary? What's wrong with parsing the "id" element of
> the top-most "Received:" header? Ignoring text in RFC822 comments,
> and Microsoft's grammar violations (since this will be generated
> by Postfix), you have:
> 
>   Received: [FROM client-helo-name]
>   [BY server-name>] [WITH protocol] [ID queue-id]
>   [FOR ] ";" RFC-822-Date
> 
> Postfix always includes the "ID queue-id" attribute-value pair.
> 
> There is a price to pay for each additional XFORWARD keyword, it is far
> from clear that the benefit justifies the cost in this case.

If anything, XFORWARD should be shrunk not expanded. It is a real
maintenance problem, making maintenance N times as expensive
since it requires updating the SMTP client protocol, SMTP server
protocol, SMTPD proxy filter protocol, Postfix logging, and so on.

Wietse
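Parsing the queue ID out of the top-most "Received:" header, as suggested in this thread, can look like the following. This is an added example, not code from the posters or from Postfix; the sample message is constructed (its layout follows the headers quoted elsewhere on this page), and the function names are hypothetical.

```python
from email import message_from_string

# Clause keywords of a Received: header, as listed in the thread.
KEYWORDS = ("from", "by", "via", "with", "id", "for")


def strip_comments(value):
    """Drop RFC 822 comments, i.e. (possibly nested) parenthesised text."""
    out, depth, quoted, i = [], 0, False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):   # quoted-pair: keep as a unit
            if depth == 0:
                out.append(value[i:i + 2])
            i += 2
            continue
        if quoted:                              # inside "...", parens are literal
            out.append(ch)
            quoted = ch != '"'
        elif depth == 0 and ch == '"':
            quoted = True
            out.append(ch)
        elif ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
            if depth == 0:
                out.append(" ")                 # a comment separates tokens
        elif depth == 0:
            out.append(ch)
        i += 1
    return "".join(out)


def parse_received(value):
    """Return the keyword/value clauses of one Received: header as a dict."""
    text = strip_comments(value)
    clauses, sep, date = text.rpartition(";")
    if not sep:                                 # header without a date part
        clauses, date = text, ""
    tokens = clauses.split()
    fields, i = {}, 0
    while i < len(tokens) - 1:
        key = tokens[i].lower()
        if key in KEYWORDS and key not in fields:
            fields[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    fields["date"] = " ".join(date.split())
    return fields


def received_hops(raw_message):
    """Parse every Received: header, newest (top-most) first."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def topmost_queue_id(raw_message):
    """Queue ID written by the last MTA that handled the message, or None.

    Only headers added by your own hosts can be relied on; anything below
    them was supplied by the sending side.
    """
    hops = received_hops(raw_message)
    return hops[0].get("id") if hops else None


# Constructed sample: re-injection hop, content-filter hop, original hop.
# The comment "(note: id NOTANID)" must not be mistaken for an ID clause.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.com (Postfix) with ESMTP id 052A51FA41E4
\tfor <user@example.com>; Mon,  9 Mar 2009 06:54:05 -0400 (EDT)
Received: from mail.example.com ([127.0.0.1])
\tby localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id E5kf3dILFNtT for <user@example.com>;
\tMon,  9 Mar 2009 06:54:04 -0400 (EDT)
Received: from relay.example.net (unknown [192.0.2.25]) (note: id NOTANID)
\tby mail.example.com (Postfix) with ESMTP id ECD741FA413E
\tfor <user@example.com>; Mon,  9 Mar 2009 06:54:03 -0400 (EDT)
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print("top-most queue id:", topmost_queue_id(SAMPLE))
    for hop in received_hops(SAMPLE):
        print(hop.get("by"), hop.get("id"), hop["date"])
```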


Re: Second instance of postfix

2009-03-11 Thread kemas




> Hi list,
>
> I have set up a second instance with a second IP and separate config and
> spool directories, but am stuck with the /var/lib/postfix/master.lock
> file. I can not find where I can change this, so the second instance can
> create its own lockfile e.g. /var/lib/postfix/master2.lock
> or /var/lib/postfix2/master.lock. All the tutorials/howtos I have found
> on the net completely ignore this issue.



mine like this, from http://advosys.ca/papers/email/58-postfix-instance.html

queue_directory = /var/spool/postfix2nd
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix2nd

the master.lock created in /var/lib/postfix2nd/





Re: PCRE Conditional Canonical Address Mapping

2009-03-11 Thread Wietse Venema
Yves Kreis:
> Dear,
> 
> Can I use a canonical map like:
> if /^To: u...@domain\.com$/
> /^From: (".*" )*(.+)@(.+)$/ From: ${1}${2}+$...@anotherdomain.com
> endif

Dear Yves, please RTFM the pcre_table manpage.

   if /pattern/flags

   endif  Match the input string against the patterns between if and
          endif, IF AND ONLY IF THAT SAME INPUT STRING ALSO MATCHES
          PATTERN. The if..endif can nest.



Re: Second instance of postfix

2009-03-11 Thread Wietse Venema
Wouter van Marle:
> Hi list,
> 
> I am trying to run a second instance of postfix for a separate queue
> (see my thread "Prioritising outgoing mail" for why). I have followed
> information on the Internet but still can't get it running.
> 
> I have set up a second instance with a second IP and separate config and
> spool directories, but am stuck with the /var/lib/postfix/master.lock
> file. I can not find where I can change this, so the second instance can
> create its own lockfile e.g. /var/lib/postfix/master2.lock
> or /var/lib/postfix2/master.lock. All the tutorials/howtos I have found
> on the net completely ignore this issue.
> 
> The /var/spool/postfix2/pid/master.pid file is created. Spool dirs and
> so are all in place.

Every Postfix instance must have its own config_directory,
queue_directory AND DATA_DIRECTORY.

Postfix 2.6 has multi-instance support built-in. It will be
released once I have time to clean up the documentation.

Wietse


Re: hold all relayed mail by default

2009-03-11 Thread Charles Marcus
On 3/10/2009, mouss (mo...@ml.netoyen.net) wrote:
> it's not that hard. the hard part is to make sure that how recalls only
> recalls his own mail. This is easy via a web interface which requires
> user authentication (aka webmail). if everything is done by mail, then
> it's a bit harder unless you force authentication (sasl).

I do (enforce authentication), even for 'trusted' clients... the cost is
negligible, and personally, I just don't like unlocked doors in a
virtual world...

So, that would just be a requirement, no big deal...


Dynamic sender and recipient restrictions

2009-03-11 Thread Michał Łomnicki
Hi folks

I've got a web application where users can send messages to each
other. Messages are e-mails and the system is based on postfix and roundcube
(web client). User A can send a message to user B if B has A on his
contact list.
I need to configure postfix to check restrictions for both
sender and receiver. I.e. if there are users A, B and C, postfix should
allow sending mail from A to B and from B to C, but not from A to C. Rules
change as often as contact lists, so restrictions cannot be static.
Is it possible to make sender and recipient
restrictions dynamic, where sender and recipient are selected by sql
query?

Best regards,
Michael


Winbind group based recipient access

2009-03-11 Thread Veiko Kukk

Hello,

I need to receive mail to all winbind users except for those who are 
"disabled" on NT4 domain controller and/or are in certain windows group.

How could this be accomplished?

--
Veiko


Re: Second instance of postfix

2009-03-11 Thread Wouter van Marle


On 11 Mar 09, at 18:46, kemas wrote:

>> Hi list,
>>
>> I have set up a second instance with a second IP and separate config and
>> spool directories, but am stuck with the /var/lib/postfix/master.lock
>> file. I can not find where I can change this, so the second instance can
>> create its own lockfile e.g. /var/lib/postfix/master2.lock
>> or /var/lib/postfix2/master.lock. All the tutorials/howtos I have found
>> on the net completely ignore this issue.
>
> mine like this, from
> http://advosys.ca/papers/email/58-postfix-instance.html
>
> queue_directory = /var/spool/postfix2nd
> command_directory = /usr/sbin
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix2nd

Thanks, the last one I missed.
One more hurdle taken. Not up yet but shouldn't take long now.

Wouter.

> the master.lock created in /var/lib/postfix2nd/








Re: Dynamic sender and recipient restrictions

2009-03-11 Thread Barney Desmond
2009/3/11 Michał Łomnicki :
>        Is it possible to create sender and recipient
> restrictions dynamic, where sender and recipient are selected by sql
> query?

Yes and no.

"Yes" because you can use MySQL for a lookup table.
http://www.postfix.org/mysql_table.5.html

"No" because I don't believe you can lookup the sender AND recipient
at once for this kind of check. For that you need a policy server.


Rewriting addresses

2009-03-11 Thread LuKreme

I have a file /etc/postfix/virtual.pcre that contains lines like this:

/^(.*)_(.*)@example.com$/  ${1}+$...@example.com
/^(.*)_(.*)@example.org$/  ${1}+$...@example.org
/^(.*)_(.*)@example.net$/  ${1}+$...@example.net

etc etc. This is to allow the _ to act as an additional address  
extension character to get around the legion of retarded website  
admins that reject '+' addresses as invalid.


I would like to have a single line

/^(.*)_(.*)@(.*)$/  ${1}+$...@${3}

since that would mean I would not have to update this file each time I  
add a virtual domain; but that won't work as it will rewrite the  
addresses on OUTBOUND email as well as inbound email, so if someone  
sends an email to first_l...@outboundexample.com it gets rewritten to first+l...@outboundexample.com 
 and bounces.


So, other than manually listing every virtual domain, is there
something else I could do?  Is there a way to use
mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf in some way so
that the pcre expression will only match for those domains that are listed
in the map?



--
Criticizing evolutionary theory because Darwin was limited is like
claiming computers don't work because Chuck Babbage didn't
foresee Duke Nukem 3.



Re: Dynamic sender and recipient restrictions

2009-03-11 Thread Noel Jones

Michał Łomnicki wrote:

> Is it possible to create sender and recipient
> restrictions dynamic, where sender and recipient are selected by sql
> query?

Yes, you can do this with a policy server.  Some pre-built 
policy servers can be found here:

http://www.postfix.org/addon.html#policy

Policy server interface documentation:
http://www.postfix.org/SMTPD_POLICY_README.html

  -- Noel Jones



Single domain and two destinations via Postfix

2009-03-11 Thread Philip
Hello,
We are testing a new mail system and I want to duplicate mail flow to the
new system at the same time allow flow to the existing system.

               / -  CurrentMailhost.example.com (running Postfix)
@example.com  -
               \ -  NewMailhost.example.com (running Postfix)

In fact it's deliver locally and relay.

@example.com  --   CurrentMailhost.example.com (running Postfix)
               \ -  NewMailhost.example.com (running Postfix)

Yes I want "duplicate" mail to flow to each system.  I tried using the
transport mapping for the domain, but it seems that duplicate entries are
not allowed (though only a warning is logged) and only the first entry is
used and mail will not be delivered to both.

/etc/postfix/transport
# delivery locally
example.com  :
# and forward a copy to a remote smtp gateway
example.com  smtp:newmailhost.example.com


Does anyone have any other suggestions?

Thanks
Phil


Re: Dynamic sender and recipient restrictions

2009-03-11 Thread Michał Łomnicki

> Yes, you can do this with a policy server.  Some pre-built 

Thank you Noel. That's exactly what I was looking for.

Michael


Re: Rewriting addresses

2009-03-11 Thread Charles Marcus
On 3/11/2009 9:38 AM, LuKreme wrote:
> I have a file /etc/postfix/virtual.pcre that contains lines like this:
> 
> /^(.*)_(.*)@example.com$/${1}+$...@example.com
> /^(.*)_(.*)@example.org$/${1}+$...@example.org
> /^(.*)_(.*)@example.net$/${1}+$...@example.net
> 
> etc etc. This is to allow the _ to act as an additional address
> extension character to get around the legion of retarded website admins
> that reject '+' addresses as invalid.

It would be better if postfix could natively support multiple recipient
delimiters...

-- 

Best regards,

Charles


Mail filtering problem

2009-03-11 Thread Webmaster Bliss Corporation

Greetings,

I am installing a Postfix Server, and I am having trouble setting up a 
spam filter with Spamassassin.


I installed Postfix and it is working fine using virtual domains (I 
followed these instructions: 
http://www.howtoforge.com/linux_postfix_virtual_hosting). I also 
installed Spamassassin, which is working fine also (I tested it). The 
problem is that I cannot make the two work together. I followed the 
instructions found at 
http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix, but the 
e-mails start looping inside the Postfix server. As soon as I disable 
the filter, I receive the e-mails duplicated several times. What am I 
doing wrong? Please tell me which information do you need to help me 
solve this problem.


I am running postfix-2.5.5-1.fc9.i386 on a Linux 2.6.25.14-108.fc9.i686 
with spamassassin-3.2.5-1.fc9.i386


Any help will be appreciated.

Thank you

Stefano


Re: changing sender null address...

2009-03-11 Thread mmelyp

LuKreme wrote:

> On 10-Mar-2009, at 18:15, mme...@gmail.com wrote:
>> when postfix wants to send a  bounce message (notifying the
>> rejected message), my mail system will always try to deliver it
>> directly to the recipient server (i'm not using a relayhost)... i
>> think i need to change <> to _real_send...@realdomain. I played
>> with this parameters, without success:
>
> NEVER EVER send a bounce message for a message you have accepted.
> Either reject it during the transaction phase, or accept it and do
> what you will with it, but sending a bounce to an almost certainly
> forged 'From:' address is a sure way to make a lot of sysadmins
> angry and get you blacklisted.  And not in those friendly RBLs you
> have some hope of getting off of, but in the Black Pits of Calcutta
> sorts of private blacklists you have no hope of ever removing
> yourself from.

Yeah i know. It's better to discard the message.
BTW, this was for studying purposes only, not for applying in
production servers.





Re: changing sender null address...

2009-03-11 Thread Charles Marcus
On 3/11/2009 10:44 AM, mme...@gmail.com wrote:
> Yeah i know. It's better to discard the message.

Actually, it's best to REJECT the message...

-- 

Best regards,

Charles


Re: Single domain and two destinations via Postfix

2009-03-11 Thread Noel Jones

Philip wrote:

> Hello,
> We are testing a new mail system and I want to duplicate mail flow to
> the new system at the same time allow flow to the exist system.




To send mail to an additional destination, you need to add an 
additional recipient.  Use virtual_alias_maps to add a second 
recipient, transport_maps to direct the mail where it should 
go, and optionally smtp_generic_maps to rewrite the address 
back to the original form.


A basic example:

main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual

virtual:
us...@example.com  us...@example.com us...@new.example.com

Then use a transport table entry to route the new mail to the 
proper server.

main.cf:
transport_maps = hash:/etc/postfix/transport

transport:
new.example.com  relay:[192.168.192.168]

You can optionally use a pcre smtp_generic_maps to rewrite the 
recipient back to the original domain.

main.cf
smtp_generic_maps = pcre:/etc/postfix/smtp_generic.pcre

smtp_generic.pcre:
/^(.*)@new\.example\.com$/  $...@example.com


Important Notes:
Do not change your current setting for virtual_alias_domains.
Do not use wildcard or regexp rewrites in virtual_alias_maps; 
each recipient must be listed individually.


  -- Noel Jones


Unable To Track Spam in Mail Logs = :(

2009-03-11 Thread Carlos Williams
I just had a ticket come in regards to a user who just last week
started receiving a crazy amount of spam emails that he has never had
an issue with. I checked the mail logs (/var/log/mail.log) and was
unable to find anything. I checked the spam emails the user still had
on his client and copied the message headers:

Return-Path: 
X-Original-To: ba...@mydomain.com
Delivered-To: ba...@mydomain.com
Received: from localhost (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 052A51FA41E4
    for ; Mon,  9 Mar 2009 06:54:05 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mydomain.com
Received: from mail.mydomain.com ([127.0.0.1])
    by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id E5kf3dILFNtT for ;
    Mon,  9 Mar 2009 06:54:04 -0400 (EDT)
Received: from mail.lkpp.gov.my (unknown [219.93.25.92])
    by mail.mydomain.com (Postfix) with ESMTP id ECD741FA413E
    for ; Mon,  9 Mar 2009 06:54:03 -0400 (EDT)
Received: from lkpp.gov.my (localhost [127.0.0.1])
    by mail.lkpp.gov.my (Postfix) with ESMTP id 29335BE1F7;
    Mon,  9 Mar 2009 18:03:55 +0800 (MYT)
From: "Zaohang Lin" 
Reply-To: hnagza...@yahoo.com.cn
Subject: I need your assistance please
Date: Mon, 9 Mar 2009 18:03:55 +0800
Message-Id: <20090309100355.m63...@yahoo.com.cn>
X-Mailer: OpenWebMail 2.53
X-OriginatingIP: 216.139.189.104 (sharifah)
MIME-Version: 1.0
Content-Type: text/plain;
    charset=utf-8
To: undisclosed-recipients:;

===

Return-Path: 
X-Original-To: ba...@mydomain.com
Delivered-To: ba...@mydomain.com
Received: from localhost (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 3B3311FA41E0
    for ; Sun,  8 Mar 2009 19:42:37 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mydomain.com
Received: from mail.mydomain.com ([127.0.0.1])
    by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id vYnvKEJBBnbB for ;
    Sun,  8 Mar 2009 19:42:37 -0400 (EDT)
Received: from topadmin.por.tw (52.121.217.203.static.tcol.com.tw [203.217.121.52])
    by mail.mydomain.com (Postfix) with ESMTPS id 7C91D1FA4180
    for ; Sun,  8 Mar 2009 19:42:36 -0400 (EDT)
Received: by topadmin.por.tw (Postfix, from userid 99)
    id 3B035C0C8B; Mon,  9 Mar 2009 07:41:12 +0800 (CST)
To: ba...@mydomain.com
Subject: Anticipating Your Prompt Response
From: GUY-PATRICE  LUMUMBA 
Reply-To: guypatrice.lumu...@yahoo.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: <20090308234115.3b035c0...@topadmin.por.tw>
Date: Mon,  9 Mar 2009 07:41:12 +0800 (CST)
X-ServerMaster-MailScanner-Information: Please contact the ISP for
    more information
X-ServerMaster-MailScanner: Not scanned: please contact your Internet
    E-Mail Service Provider for details
X-ServerMaster-MailScanner-SpamCheck:
X-MailScanner-From: nob...@topadmin.por.tw

==

Now I am wondering why I am unable to find any of these messages in my logs:

mail:~# cat /var/log/mail.log | grep -i 203.217.121.52
mail:~# cat /var/log/mail.log | grep -i 3B3311FA41E0
mail:~# cat /var/log/mail.log | grep -i guypatricelumu...@congo.gov

Am I searching for this incorrectly or in the wrong directory?  Thanks
for any help!

- Carlos


Re: Unable To Track Spam in Mail Logs = :(

2009-03-11 Thread Bjørn Ruberg
On Wed, 11 Mar 2009 11:19:45 -0400, Carlos Williams wrote:
> I just had a ticket come in regards to a user who just last week
> started receiving a crazy amount of spam emails that he has never had
> an issue with. I checked the mail logs (/var/log/mail.log) and was
> unable to find anything.

The logs may have been rotated? Check for older log files like
/var/log/mail/log.0 or similar.

You can check the first lines of the different log files to see the date
and time at which it has started logging.

-- 
Bjørn


Re: Unable To Track Spam in Mail Logs = :(

2009-03-11 Thread Jorey Bump
Carlos Williams wrote, at 03/11/2009 11:19 AM:
> I just had a ticket come in regards to a user who just last week
> started receiving a crazy amount of spam emails that he has never had
> an issue with. I checked the mail logs (/var/log/mail.log) and was
> unable to find anything. I checked the spam emails the user still had
> on his client and copied the message headers:
> 
> Return-Path: 

This will be logged.

> Received: from mail.lkpp.gov.my (unknown [219.93.25.92])

As will this IP.

> Now I am wondering why I am unable to find any of these messages in my logs:
> 
> mail:~# cat /var/log/mail.log | grep -i 203.217.121.52
> mail:~# cat /var/log/mail.log | grep -i 3B3311FA41E0
> mail:~# cat /var/log/mail.log | grep -i guypatricelumu...@congo.gov
> 
> Am I searching for this incorrectly or in the wrong directory?  Thanks
> for any help!

Debian logs email funny. Try this, and work from there:

  egrep '(hangza...@yahoo.com.cn|219.93.25.92)' /var/log/mail*

If that turns up nothing, you may need to look at /etc/syslog.conf (or
whatever Debian uses) to see how syslog is configured to log mail.







Re: Unable To Track Spam in Mail Logs = :(

2009-03-11 Thread Terry Carmen

Carlos Williams wrote:

> I just had a ticket come in regards to a user who just last week
>
> Now I am wondering why I am unable to find any of these messages in my logs:
>
> mail:~# cat /var/log/mail.log | grep -i 203.217.121.52
> mail:~# cat /var/log/mail.log | grep -i 3B3311FA41E0
> mail:~# cat /var/log/mail.log | grep -i guypatricelumu...@congo.gov
>
> Am I searching for this incorrectly or in the wrong directory?  Thanks
> for any help!
>
> - Carlos
  


I'm guessing that the log has been rotated or you're looking in the 
wrong log file.


What do you get with:

postconf |grep log

If the results contain:

syslog_facility = mail

What do you get with:

grep mail /etc/syslog.conf



Terry


--
Terry Carmen
CNY Support, LLC
http://cnysupport.com 



Re: Dynamic sender and recipient restrictions

2009-03-11 Thread Michał Łomnicki

> "Yes" because you can use MySQL for a lookup table.
> http://www.postfix.org/mysql_table.5.html
> 
> "No" because I don't believe you can lookup the sender AND recipient
> at once for this kind of check. For that you need a policy server.

"No" because postfix can pass only one argument to where condition?
Isn't it possible to pass multiple arguments? I'm just curious,
solution with policy server satisfies me.


Re: Rewriting addresses

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 07:38:25AM -0600, LuKreme wrote:

> I have a file /etc/postfix/virtual.pcre that contains lines like this:
>
> /^(.*)_(.*)@example.com$/${1}+$...@example.com
> /^(.*)_(.*)@example.org$/${1}+$...@example.org
> /^(.*)_(.*)@example.net$/${1}+$...@example.net
>
> etc etc. This is to allow the _ to act as an additional address extension 
> character to get around the legion of retarded website admins that reject 
> '+' addresses as invalid.
>
> I would like to have a single line
>
> /^(.*)_(.*)@(.*)$/  ${1}+$...@${3}
>

Sorry, not possible. Also the above defeats recipient validation for
email addresses with "_" in them, it is not recommended.

-- 
Viktor.



Blocking certain users from sending to certain internal mail addresses

2009-03-11 Thread jpb
Hi List,

I have Postfix 2.3.3 with amavis-new, spamassassin and clamav and am
trying to block a group of users from sending to two internal maillists
called staff and pupils.

I have two files, restricted_maillists which is in the format:

pup...@bordengrammar.kent.sch.uk   restricted_mail_lists

and user_permissions in the form:

st...@bordengrammar.kent.sch.uk REJECT
pup...@bordengrammar.kent.sch.ukREJECT


I've hashed these, put them in a folder called rules in /etc/postfix and
added them to main.cf as:

smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/rules/restricted_maillists,permit_mynetworks,reject_unauth_destination

smtpd_restriction_classes = restricted_mail_lists

restricted_mail_lists = check_sender_access
    hash:/etc/postfix/rules/user_permissions,reject_unauth_destination

Without the last reject line entries, it complains about not having a
legitimate entry in the restrictions list and with it, users in the banned
list can send mail to the lists. Can anyone give me a poke in the right
direction please as I've been going at this all day.

Thanks,

Julian PB






Re: Dynamic sender and recipient restrictions

2009-03-11 Thread Noel Jones

Michał Łomnicki wrote:

>> "Yes" because you can use MySQL for a lookup table.
>> http://www.postfix.org/mysql_table.5.html
>>
>> "No" because I don't believe you can lookup the sender AND recipient
>> at once for this kind of check. For that you need a policy server.
>
> "No" because postfix can pass only one argument to where condition?
> Isn't it possible to pass multiple arguments? I'm just curious,
> solution with policy server satisfies me.


Native postfix lookup mechanisms are based on single key 
lookups, ie. check_sender_access uses only the sender address 
as the key.  Limited combinations can be pre-defined using 
smtpd_restriction_classes, but that quickly gets unmanageable.


The policy server interface is provided for more complex 
restriction requirements.


  -- Noel Jones
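A policy server for the contact-list rule discussed in this thread (A may write to B only if B lists A) can be sketched as follows. This is an added example, not one of the pre-built servers linked above and not code from the posters; the table layout, the in-memory SQLite stand-in for the application's database, the port and all function names are assumptions.

```python
import socketserver
import sqlite3

# main.cf wiring (the port is an assumption of this example); list it after
# reject_unauth_destination so the relay check still runs first:
#   smtpd_recipient_restrictions = ..., reject_unauth_destination,
#       check_policy_service inet:127.0.0.1:10031

REJECT = "REJECT sender is not on the recipient's contact list"


def demo_contacts():
    """Constructed stand-in for the web application's SQL contact table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (owner TEXT, contact TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?)", [
        ("b@example.com", "a@example.com"),   # B lists A: A may write to B
        ("c@example.com", "b@example.com"),   # C lists B: B may write to C
    ])
    return db


def read_request(rfile):
    """Read one request: name=value lines terminated by an empty line."""
    attrs = {}
    for raw in rfile:
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if line == "":
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None                               # EOF: client closed the connection


def decide(attrs, db):
    """Look up sender AND recipient together, which a single-key map cannot."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    recipient = attrs.get("recipient", "").lower()
    if not recipient:                         # not called at the RCPT stage
        return "DUNNO"
    # The envelope sender is supplied by the client. The null sender
    # (bounces) is on nobody's list and is rejected as well.
    sender = attrs.get("sender", "").lower()
    try:
        row = db.execute(
            "SELECT 1 FROM contacts WHERE owner = ? AND contact = ?",
            (recipient, sender)).fetchone()
    except sqlite3.Error:
        # Fail closed but temporary: the client retries once the DB is back.
        return "DEFER_IF_PERMIT Service temporarily unavailable"
    # DUNNO leaves the final decision to the remaining restrictions.
    return "DUNNO" if row else REJECT


def serve(rfile, wfile, db):
    """Answer requests on one connection; return how many were handled."""
    handled = 0
    while True:
        attrs = read_request(rfile)
        if attrs is None:
            return handled
        wfile.write(("action=%s\n\n" % decide(attrs, db)).encode("utf-8"))
        wfile.flush()
        handled += 1


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # A real deployment would open the application's database here.
        serve(self.rfile, self.wfile, demo_contacts())


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```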



relayhost

2009-03-11 Thread Rocco Scappatura
Hello,

I need to use 'mail()' PHP function on a UNIX system, which uses Postfix
as MTA.

On Linux systems, the mail() function uses the 'sendmail' program to transmit
messages. And so, my PHP program uses postfix setup to transmit the
messages. In particular, it looks up DNS for MX of destination domain and
forwards it to the correct destination.

Now I have the problem, that indeed I need that some messages have to be
forwarded directly to the destination, while the ones generated by my
mail application should be sent through a smart host (setting up
relayhost=smart.host.tld).

How could I do? Is it possible to change the "relayhost" postfix
parameter on the fly? Or what?

Thanks,

rocsca


Re: relayhost

2009-03-11 Thread Noel Jones

Rocco Scappatura wrote:

> Hello,
>
> I need to use 'mail()' PHP function on a UNIX system, which uses Postfix
> as MTA.
>
> On Linux systems, the mail() function uses the 'sendmail' program to transmit
> messages. And so, my PHP program uses postfix setup to transmit the
> messages. In particular, it looks up DNS for MX of destination domain and
> forwards it to the correct destination.
>
> Now I have the problem, that indeed I need that some messages have to be
> forwarded directly to the destination, while the ones generated by my
> mail application should be sent through a smart host (setting up
> relayhost=smart.host.tld).
>
> How could I do? Is it possible to change the "relayhost" postfix
> parameter on the fly? Or what?
>
> Thanks,
>
> rocsca


You can change it based on the envelope sender
http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps

  -- Noel Jones


Mail forwarding

2009-03-11 Thread Jeff Bernier
Can I use Postfix as a host for email forwarding?
 
The scenario I envision is an Alum or Faculty member authenticates to a web 
portal, then tells the system where to forward their email. All email destined 
for Staff would go to our current email system.
 
Any thoughts are welcome.
 
Regards,
Jeff
 
"It does not require many words to speak the truth." - Chief Joseph, Great Nez 
Perce Indian Chief 


Re: Mail forwarding

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 01:35:26PM -0400, Jeff Bernier wrote:

> Can I use Postfix as a host for email forwarding?
>  
> The scenario I envision is an Alum or Faculty member authenticates to
> a web portal, then tells the system where to forward their email. All
> email destined for Staff would go to our current email system.
>  

You *can* do this, but probably should not. The problem is that your
forwarder will be saturated with spam that you will be poorly positioned
to process. Receiving systems will soon blacklist your forwarder, and
it becomes useless. Quarantine is not an option, and tagging will not
be acceptable to receiving sites. Your only choice is to have a very
effective filter to reject spam during SMTP, not easy to do.

-- 
Viktor.



Re: Mail forwarding

2009-03-11 Thread Jeff Bernier
Thank you Viktor for your reply.
 
We already have an anti-spam/anti-virus system sitting in front of our mail 
system. Would this then work if Postfix were positioned similarly?
 

>>> Victor Duchovni  3/11/2009 1:48 PM >>>
On Wed, Mar 11, 2009 at 01:35:26PM -0400, Jeff Bernier wrote:

> Can I use Postfix as a host for email forwarding?
>  
> The scenario I envision is an Alum or Faculty member authenticates to
> a web portal, then tells the system where to forward their email. All
> email destined for Staff would go to our current email system.
>  

You *can* do this, but probably should not. The problem is that your
forwarder will be saturated with spam that you will be poorly positioned
to process. Receiving systems will soon blacklist your forwarder, and
it becomes useless. Quarantine is not an option, and tagging will not
be acceptable to receiving sites. Your only choice is to have a very
effective filter to reject spam during SMTP, not easy to do.

-- 
Viktor.



Re: Mail forwarding

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 01:55:03PM -0400, Jeff Bernier wrote:

> We already have an anti-spam/anti-virus system sitting in front of our
> mail system. Would this then work if Postfix were positioned similarly?

Yes, but is it sufficiently effective? Does it reject during SMTP or
quarantine after? The devil is in the details. If your spam system can
reject all bad content during SMTP and output less than 0.3% spam, you
can forward the resulting stream via Postfix, just configure a virtual
alias domain:

http://www.postfix.org/VIRTUAL_README.html

-- 
Viktor.



I need help with smtp configuration

2009-03-11 Thread deconya
Hi people

I'm with a biggest problem in my postfix server because today the people
can't use the server to send any mail only receive. This error is produced
how to random and every time in the logs appears the same

Mar 11 19:24:53 correo postfix/smtpd[27553]: NOQUEUE: reject: RCPT from
ip-89-102-95-183.karneval.cz[89.102.95.183]: 554 :
Relay access denied; from= to=<
ba...@otherdomain.com> proto=SMTP helo=

The problem starts to appear today and I don't know if there are the sender
restrictions rules the problem. Actually are:

smtpd_sender_restrictions = reject_unknown_sender_domain,check_sender_access
hash:/etc/postfix/spammer,reject_non_fqdn_sender,permit

I can't understand where's the problem, If any people understand why produces
this error I'm very agreed for any help.

Best regards


Re: I need help with smtp configuration

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 08:02:55PM +0100, deconya wrote:

> Hi people
> 
> I'm with a biggest problem in my postfix server because today the people
> can't use the server to send any mail only receive. This error is produced
> how to random and every time in the logs appears the same
> 
> Mar 11 19:24:53 correo postfix/smtpd[27553]: NOQUEUE: reject: RCPT from
> ip-89-102-95-183.karneval.cz[89.102.95.183]: 554 :
> Relay access denied; from= to=<
> ba...@otherdomain.com> proto=SMTP helo=
> 
> The problem starts to appear today and I don't know if there are the sender
> restrictions rules the problem. Actually are:
> 
> smtpd_sender_restrictions = reject_unknown_sender_domain,check_sender_access
> hash:/etc/postfix/spammer,reject_non_fqdn_sender,permit

"Relay access denied" is produced by either "reject_unauth_destination"
or the obsolete "check_relay_domains". These are typically found in
smtpd_recipient_restrictions. Note, you should not take these out, they
are needed on servers whose SMTP port can be reached by untrusted clients.

Rather, add rules to permit trusted clients before blocking relaying by
untrusted clients:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ... UCE controls ...

Do make sure "mynetworks" is defined correctly.

-- 
Viktor.



Re: I need help with smtp configuration

2009-03-11 Thread deconya
Hi

until yesterday all were good. In the main.cf my configuration actually is

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/overquota
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access hash:/etc/postfix/clientes
    reject_unauth_destination

Where clientes is an archive with the IPs blocked for spam. I'm commented
this line but I'm not sure if this is the problem

The message 554 where is configured?

in main.cf not appears and I'm lost with this problem, is very strange
continues making. Any other idea?

Best Regards

On Wed, Mar 11, 2009 at 8:11 PM, Victor Duchovni <
victor.ducho...@morganstanley.com> wrote:

> On Wed, Mar 11, 2009 at 08:02:55PM +0100, deconya wrote:
>
> > Hi people
> >
> > I'm with a biggest problem in my postfix server because today the people
> > can't use the server to send any mail only receive. This error is
> produced
> > how to random and every time in the logs appears the same
> >
> > Mar 11 19:24:53 correo postfix/smtpd[27553]: NOQUEUE: reject: RCPT from
> > ip-89-102-95-183.karneval.cz[89.102.95.183]: 554  >:
> > Relay access denied; from= to=<
> > ba...@otherdomain.com> proto=SMTP helo=
> >
> > The problem starts to appear today and I don't know if there are the
> sender
> > restrictions rules the problem. Actually are:
> >
> > smtpd_sender_restrictions =
> reject_unknown_sender_domain,check_sender_access
> > hash:/etc/postfix/spammer,reject_non_fqdn_sender,permit
>
> "Relay access denied" is produced by either "reject_unauth_destination"
> or the obsolete "check_relay_domains". These are typically found in
> smtpd_recipient_restrictions. Note, you should not take these out, they
> are needed on servers whose SMTP port can be reached by untrusted clients.
>
> Rather, add rules to permit trusted clients before blocking relaying by
> untrusted clients:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     ... UCE controls ...
>
> Do make sure "mynetworks" is defined correctly.
>
> --
>Viktor.
>


Throttling based on incoming domain/mta

2009-03-11 Thread stevem
Hello.

Is it possible to create different throttling thresholds based on the
domain or MTA that is connecting to postfix? Ie, allow google.com
to send freely, but limit suspectdomain.com to a certain number of
messages/connections per minute/hour/day etc.

Thank you.

stevem


Re: PCRE Conditional Canonical Address Mapping

2009-03-11 Thread Yves Kreis

On 11.03.2009, at 11:49, Wietse Venema wrote:


Yves Kreis:

Dear,

Can I use a canonical map like:
if /^To: u...@domain\.com$/
/^From: (".*" )*(.+)@(.+)$/ From: ${1}${2}+$...@anotherdomain.com
endif


Dear Yves, please RTFM the pcre_table manpage.

  if /pattern/flags
  endif  Match the input string against the patterns between if and
         endif, IF AND ONLY IF THAT SAME INPUT STRING ALSO MATCHES
         PATTERN. The if..endif can nest.



Dear Wietse,

Sorry, I read it multiple times but I overlooked this information.

Thanks,
Yves
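The manpage rule quoted in this exchange, as an added example that is not part of the original thread and is not Postfix code: a small Python model of `if`/`endif` lookup in a pcre-style table. Address tables such as canonical maps are queried with one address per lookup, so a block guarded by one address can never rewrite a different one. The table contents, the `parse_table` and `lookup` names and the use of Python's `re` in place of PCRE are assumptions of this sketch.

```python
import re

# Constructed sample table (not from the thread). Block 1 shows the mistake:
# the guard requires the key to be user@domain.example, while the inner rule
# only matches keys ending in @internal.example, so it can never fire.
SAMPLE_TABLE = r"""
if /^user@domain\.example$/
/^(.+)@internal\.example$/ ${1}@public.example
endif
if /@internal\.example$/
/^(.+)-list@/ ${1}@lists.example
endif
"""

LINE = re.compile(r"^(if\s+)?/(.+?)/([a-zA-Z]*)(?:\s+(.*))?$")
SUBST = re.compile(r"\$\{?(\d+)\}?")   # $1 and ${1} forms only


def parse_table(text):
    """Parse 'if /pat/', 'endif' and '/pat/ result' lines into nested rules."""
    root = []
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            if len(stack) == 1:
                raise ValueError("endif without matching if")
            stack.pop()
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % line)
        # Matching is case-insensitive by default; the i flag toggles it.
        flags = 0 if "i" in m.group(3) else re.IGNORECASE
        pattern = re.compile(m.group(2), flags)
        if m.group(1):
            children = []
            stack[-1].append(("if", pattern, children))
            stack.append(children)
        else:
            stack[-1].append(("rule", pattern, m.group(4) or ""))
    if len(stack) != 1:
        raise ValueError("if without matching endif")
    return root


def lookup(rules, key):
    """Return the first matching result for key, or None.

    The guard pattern and every pattern inside the block are tried
    against the SAME key; there is no second input string.
    """
    for kind, pattern, body in rules:
        match = pattern.search(key)
        if kind == "if":
            if match:
                hit = lookup(body, key)
                if hit is not None:
                    return hit
        elif match:
            return SUBST.sub(lambda g: match.group(int(g.group(1))) or "", body)
    return None


RULES = parse_table(SAMPLE_TABLE)

if __name__ == "__main__":
    for key in ("user@domain.example", "alice@internal.example",
                "dev-list@internal.example"):
        print(key, "->", lookup(RULES, key))
```
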


Re: I need help with smtp configuration

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 08:37:17PM +0100, deconya wrote:

> smtpd_recipient_restrictions =
> check_recipient_access hash:/etc/postfix/overquota
> permit_mynetworks
> permit_sasl_authenticated
> check_client_access hash:/etc/postfix/clientes
> reject_unauth_destination
> 
> in main.cf not appears and I'm lost with this problem, is very strange
> continues making. Any other idea?

No, the same idea. Your authorized senders are no longer allowed to
relay via:

> permit_mynetworks
> permit_sasl_authenticated
> check_client_access hash:/etc/postfix/clientes

One of these has changed. Check that mynetworks is correct, SASL
is still working and the "clientes" table and its postmapped version
are correct. One of these is not correct. Figure out which one.

Alternatively, your "smtpd_recipient_restrictions" is not what you
believe it to be. Check "postconf -n" output and master.cf "-o ..."
settings.

-- 
Viktor.
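The diagnosis in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of first-match-wins evaluation over the posted `smtpd_recipient_restrictions` list, showing how a wrong `mynetworks` or a missing SASL login lets a sender fall through to `reject_unauth_destination`. The network ranges, table contents, recipient addresses and the single `relay_ok_domains` set (standing in for mydestination, relay_domains and the virtual domain lists) are constructed assumptions; only the client IP is taken from the posted log line.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    client_ip: str
    recipient: str
    sasl_user: Optional[str] = None   # set once AUTH has succeeded


@dataclass
class Config:
    mynetworks: tuple        # CIDR strings
    relay_ok_domains: set    # simplified: domains this server accepts mail for
    overquota: dict          # recipient -> access table action
    clientes: dict           # client IP -> access table action


def table_result(action):
    """Simplified access-table outcome: OK permits, no entry is DUNNO,
    anything else is treated as a reject."""
    if action is None or action == "DUNNO":
        return "DUNNO"
    return "PERMIT" if action == "OK" else "REJECT"


def check_recipient_access(s, c):
    return table_result(c.overquota.get(s.recipient))


def permit_mynetworks(s, c):
    ip = ipaddress.ip_address(s.client_ip)
    inside = any(ip in ipaddress.ip_network(net) for net in c.mynetworks)
    return "PERMIT" if inside else "DUNNO"


def permit_sasl_authenticated(s, c):
    return "PERMIT" if s.sasl_user else "DUNNO"


def check_client_access(s, c):
    return table_result(c.clientes.get(s.client_ip))


def reject_unauth_destination(s, c):
    domain = s.recipient.rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in c.relay_ok_domains else "REJECT"


# Same order as the list posted in the thread.
RECIPIENT_RESTRICTIONS = [
    check_recipient_access,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access,
    reject_unauth_destination,
]


def evaluate(session, config):
    """Return (verdict, deciding_rule, trace); the first non-DUNNO result wins."""
    trace = []
    for rule in RECIPIENT_RESTRICTIONS:
        result = rule(session, config)
        trace.append((rule.__name__, result))
        if result != "DUNNO":
            return result, rule.__name__, trace
    return "PERMIT", "end of list", trace


# Constructed settings. BROKEN differs only in a mynetworks that lost the LAN.
WORKING = Config(("127.0.0.0/8", "192.168.10.0/24"), {"example.com"},
                 {}, {"203.0.113.7": "REJECT"})
BROKEN = Config(("127.0.0.0/8",), {"example.com"},
                {}, {"203.0.113.7": "REJECT"})

if __name__ == "__main__":
    lan_user = Session("192.168.10.25", "friend@otherdomain.com")
    for label, cfg in (("working", WORKING), ("broken", BROKEN)):
        verdict, rule, trace = evaluate(lan_user, cfg)
        print(label, verdict, "decided by", rule)
        for name, result in trace:
            print("   ", name, "->", result)
```

In the trace for a rejected sender, the permit rules that returned DUNNO are the ones to check against `postconf -n` output.
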



Creating database maps with postmap

2009-03-11 Thread Chris Cameron
I'm using spf-milter-python, which uses an access map for refining the
SPF policy.

The file is formatted as:

SPF-Fail:       REJECT
SPF-Softfail:   CBV
SPF-Neutral:    OK
SPF-PermError:  REJECT
SPF-Pass:       OK


Running postmap on this gives:

postmap: warning: access, line 1: record is in "key: value" format; is
this an alias file?


But it still creates the expected access.db file. However,
spf-milter-python is unable to use it. Using makemap from another
machine, the resulting file works fine.

What is makemap doing that postmap isn't? How can I use postmap to
create the correct kind of file?


Thanks,
Chris


Re: Creating database maps with postmap

2009-03-11 Thread Brian Evans - Postfix List
Chris Cameron wrote:
> I'm using spf-milter-python, which uses an access map for refining the
> SPF policy.
>
> The file is formatted as:
>
> SPF-Fail: REJECT
>   

If the lookup key you want is 'SPF-Fail' then do not put a colon.
Colons are normally only used in alias lookups with Postfix.
In general, access maps will not use them.

Brian


Re: Rewriting addresses

2009-03-11 Thread LuKreme

On 11-Mar-2009, at 08:27, Charles Marcus wrote:
> On 3/11/2009 9:38 AM, LuKreme wrote:
>> I have a file /etc/postfix/virtual.pcre that contains lines like this:
>>
>> /^(.*)_(.*)@example.com$/  ${1}+$...@example.com
>> /^(.*)_(.*)@example.org$/  ${1}+$...@example.org
>> /^(.*)_(.*)@example.net$/  ${1}+$...@example.net
>>
>> etc etc. This is to allow the _ to act as an additional address
>> extension character to get around the legion of retarded website admins
>> that reject '+' addresses as invalid.
>
> It would be better if postfix could natively support multiple recipient
> delimiters...

Yes, well, if wishes were horses beggars would ride. As far as I know
there's no plan to allow multiple delimiters. I'd love to be wrong on
this.

On 11-Mar-2009, at 10:26, Victor Duchovni wrote:
> Sorry, not possible. Also the above defeats recipient validation for
> email addresses with "_" in them, it is not recommended.

Yep, I am aware of that.  In this case, however, the ability to use a
second delimiter far outweighs the lack of recipient validation.



--
Mom: There was more than one lobster present at the birth of Jesus?
Daughter: Duh.



Re: Single domain and two destinations via Postfix

2009-03-11 Thread LuKreme

On 11-Mar-2009, at 09:14, Noel Jones wrote:
> You can optionally use a pcre smtp_generic_maps to rewrite the
> recipient back to the original domain.
>
> main.cf
> smtp_generic_maps = pcre:/etc/postfix/smtp_generic.pcre
>
> smtp_generic.pcre:
> /^(.*)@new\.example\.com$/  $...@example.com

This would need to be on new.example.com, right?

--
and I lift my glass to the Awful Truth / which you can't reveal to
the Ears of Youth / except to say it isn't worth a dime



Re: Rewriting addresses

2009-03-11 Thread Charles Marcus
On 3/11/2009 3:55 PM, LuKreme wrote:
>> Sorry, not possible. Also the above defeats recipient validation for
>> email addresses with "_" in them, it is not recommended.

> Yep, I am aware of that.  In this case, however, the ability to use a
> second delimiter far outweighs the lack of recipient validation.

Also, just like every other program out there, there are many ways to
shoot oneself in the foot with postfix. If this ability (multiple
recipient delimiters) was added, simply documenting this fact (about
breaking recipient validation if any of the delimiters are allowed to be
used in the actual email address) should be enough, no?

-- 

Best regards,

Charles


Re: Rewriting addresses

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 04:04:38PM -0400, Charles Marcus wrote:

> If this ability (multiple
> recipient delimiters) was added, simply documenting this fact (about
> breaking recipient validation if any of the delimiters are allowed to be
> used in the actual email address) should be enough, no?

This makes no sense. If multiple delimiters were supported, they would
work correctly, without breaking validation.

-- 
Viktor.



Re: Single domain and two destinations via Postfix

2009-03-11 Thread Magnus Bäck
On Wednesday, March 11, 2009 at 21:02 CET,
 LuKreme  wrote:

> On 11-Mar-2009, at 09:14, Noel Jones wrote:
> >You can optionally use a pcre smtp_generic_maps to rewrite the  
> >recipient back to the original domain.
> >main.cf
> >smtp_generic_maps = pcre:/etc/postfix/smtp_generic.pcre
> >
> >smtp_generic.pcre:
> >/^(.*)@new\.example\.com$/  $...@example.com
> 
> 
> This would need to be on new.example.com, right?

No. Generic rewriting takes place on output, i.e. when delivering via
SMTP. We then get the following sequence on the gateway server:

1. Input: Virtual rewrite to new.example.com
2. Routing decision based on new.example.com.
3. Output: Generic rewrite back to example.com.

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Single domain and two destinations via Postfix

2009-03-11 Thread Noel Jones

LuKreme wrote:
> On 11-Mar-2009, at 09:14, Noel Jones wrote:
>> You can optionally use a pcre smtp_generic_maps to rewrite the
>> recipient back to the original domain.
>>
>> main.cf
>> smtp_generic_maps = pcre:/etc/postfix/smtp_generic.pcre
>>
>> smtp_generic.pcre:
>> /^(.*)@new\.example\.com$/  $...@example.com
>
> This would need to be on new.example.com, right?

No, this is on the existing gateway.  Generic rewriting is for
outgoing mail.

http://www.postfix.org/ADDRESS_REWRITING_README.html#generic

  -- Noel Jones


Blocking certain users from sending to certain internal mail addresses

2009-03-11 Thread jpb
Hi List,

I have Postfix 2.3.3 with amavis-new, spamassassin and clamav and am
trying to block a group of users from sending to two internal maillists
called staff and pupils.

I have two files, restricted_maillists which is in the format:

pup...@bordengrammar.kent.sch.uk   restricted_mail_lists

and user_permissions in the form:

st...@bordengrammar.kent.sch.uk     REJECT
pup...@bordengrammar.kent.sch.uk    REJECT


I've hashed these, put them in a folder called rules in /etc/postfix and
added them to main.cf as:

smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/rules/restricted_maillists,permit_mynetworks,reject_unauth_destination

smtpd_restriction_classes = restricted_mail_lists

restricted_mail_lists = check_sender_access
    hash:/etc/postfix/rules/user_permissions,reject_unauth_destination

Without the last reject line entries, it complains about not having a
legitimate entry in the restrictions list and with it, users in the banned
list can send mail to the lists. Can anyone give me a poke in the right
direction please as I've been going at this all day.

Thanks,

Julian PB




Re: Throttling based on incoming domain/mta

2009-03-11 Thread Noel Jones

stevem wrote:
> Hello.
>
> Is it possible to create different throttling thresholds based on the
> domain or MTA that is connecting to postfix? Ie, allow google.com
> to send freely, but limit suspectdomain.com to a certain number of
> messages/connections per minute/hour/day etc.
>
> Thank you.
>
> stevem


If you implement throttling with the postfix anvil(8) service, 
there are two classes: unlimited and everyone else.
IMPORTANT: These limits must not be used to regulate 
legitimate traffic: mail will suffer grotesque delays if you 
do so. The limits are designed to protect the smtpd(8) server 
against abuse by out-of-control clients.

http://www.postfix.org/postconf.5.html#smtpd_client_event_limit_exceptions
http://www.postfix.org/TUNING_README.html#conn_limit

If you implement throttling with an external policy service, 
you can do whatever you want.

http://www.postfix.org/SMTPD_POLICY_README.html

  -- Noel Jones


Ubuntu, dynamicmaps?

2009-03-11 Thread KLaM Postmaster
I am thinking of switching to Ubuntu 8.10 LTS server, however when I
look at the Postfix configuration it seems somewhat odd.
I don't want to start a flame war, but I would like to hear what people
think about things like "dynamicmaps" and other oddities of the Ubuntu
Postfix configuration.

TIA
JLA




Re: Single domain and two destinations via Postfix

2009-03-11 Thread LuKreme

On 11-Mar-2009, at 14:24, Noel Jones wrote:
> No, this is on the existing gateway.  Generic rewriting is for
> outgoing mail.
>
> http://www.postfix.org/ADDRESS_REWRITING_README.html#generic

Ah.  Too bad there is not a similar option for local only mail, then I
could use it to solve my multiple delimiters issue in the 'Rewriting
addresses' thread.



--
Incredible! One of the worst performances of my career and they
never doubted it for a second.



Re: Ubuntu, dynamicmaps?

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 04:40:26PM -0500, KLaM Postmaster wrote:

> I am thinking of switching to Ubuntu 8.10 LTS server, however when I
> look at the Postfix configuration it seems somewhat odd.
> I don't want to start a flame war, but I would like to hear what people
> think about things like "dynamicmaps" and other oddities of the Ubuntu
> Postfix configuration.

This has been a Debian feature for a long time, a perfectly fine idea
to separate table drivers from Postfix, so that a single base Postfix
package can be shipped, and table support is provided by shared libraries
available for people who need said tables.

Ubuntu is a Debian derivative, and it is not surprising to see this
reflected in how they package Postfix.

On the whole, I've not heard of LaMont Jones adding anything particularly
to Postfix. The reason some of these changes are not in the official
distribution is that it is difficult to support these for all platforms...

-- 
Viktor.



Re: Creating database maps with postmap

2009-03-11 Thread Chris Cameron
Fair enough. However the documents for spf-milter-python state that I
could also do:

SPF-Neutral:aol.com     REJECT
SPF-Softfail:aol.com    REJECT


Would that still be valid considering "SPF-Softfail:aol.com" could be
seen as just one string?


Thank you for your help,

Chris


On Wed, Mar 11, 2009 at 1:54 PM, Brian Evans - Postfix List
 wrote:
> Chris Cameron wrote:
>> I'm using spf-milter-python, which uses an access map for refining the
>> SPF policy.
>>
>> The file is formatted as:
>>
>> SPF-Fail:     REJECT
>>
>
> If the lookup key you want is 'SPF-Fail' then do not put a colon.
> Colons are normally only used in alias lookups with Postfix.
> In general, access maps will not use them.
>
> Brian
>


Re: Ubuntu, dynamicmaps?

2009-03-11 Thread LuKreme

On 11-Mar-2009, at 15:40, KLaM Postmaster wrote:
> I am thinking of switching to Ubuntu 8.10 LTS server, however when I
> look at the Postfix configuration it seems somewhat odd.

Yes, everything in Debian is 'somewhat odd'. It's what makes Deb Deb.

> I don't want to start a flame war, but I would like to hear what people
> think about things like "dynamicmaps" and other oddities of the Ubuntu
> Postfix configuration.

I looked at Debian a long time ago and decided that postfix and SSL
and all the services I wanted to run were complex enough that I didn't
want to add another layer of complication to that.

I don't think anything Debian does is bad per se, but it is different.
In my case I decided that different was bad.  With a base of FreeBSD
I've had a lot less trouble getting help than I think I would have
otherwise.


I also really like portinstall and portupgrade more than rpm or apt-get.

--
Living is easy with eyes closed, misunderstanding all you see



Re: override the catch-all ?

2009-03-11 Thread Curtis
On Tue, Mar 10, 2009 at 8:43 PM, Victor Duchovni
 wrote:
>
> On Tue, Mar 10, 2009 at 10:23:30PM -0400, Sahil Tandon wrote:
>
> > On Mar 10, 2009, at 9:27 PM, Curtis wrote:
> >
> >> I've got the catch-all feature explained here working just fine...
> >>
> >> http://www.postfix.org/VIRTUAL_README.html
> >>
> >> Is there an easy way to designate an explicit *invalid* email address so
> >> that even though the catch-all is enabled for a domain, a specific email
> >> address is considered invalid and is bounced at smtp?
> >
> > Use transport maps to direct messages for the specific email address to the
> > error mailer.
> >
> >       http://www.postfix.org/transport.5.html
> >       http://www.postfix.org/error.8.html
>
> This works because smtpd(8) policy is applied to input address before
> rewriting. One can also enhance the rewriting tables:
>
>    virtual:
>       �...@example.com            catch...@example.com
>        bo...@example.com       nosuchu...@address.invalid
>
>    transport:
>        bo...@example.com       error:5.1.1 Invalid recipient address
>        address.invalid         error:5.1.1 Invalid recipient address
>
> this bounces the address when submitted locally.

Perhaps it's a problem with my postfix configuration, but the above
solution bounced the email after smtp, which won't work for us.  I did
find one solution that seems to work...

main.cf:
smtpd_recipient_restrictions ... , check_recipient_access
hash:/etc/postfix/recipient_access

recipient_access:
bo...@example.com 515 Invalid Recipient

...which bounced the email at smtp.  However, when sending a test
message via gmail the bounce error wasn't what I expected:

"[blah, blah, blah ] The error that the other server returned was:
515 515 5.7.1 : Recipient address rejected: Invalid
Recipient (state 14)."

The error code appears to be listed 3 times... "515 515 5.7.1"

According to http://www.postfix.org/access.5.html  ...' When no code
is specified at the beginning of the text below, Postfix inserts a
default enhanced status code of "5.7.1" '

But, instead, I'm getting my 515 code twice and the 5.7.1 as well.  Any ideas?

Thanks,

Curtis


Re: Creating database maps with postmap

2009-03-11 Thread Scott Kitterman
On Wed, 11 Mar 2009 14:51:02 -0600 Chris Cameron  wrote:
>On Wed, Mar 11, 2009 at 1:54 PM, Brian Evans - Postfix List
> wrote:
>> Chris Cameron wrote:
>>> I'm using spf-milter-python, which uses an access map for refining the
>>> SPF policy.
>>>
>>> The file is formatted as:
>>>
>>> SPF-Fail:     REJECT
>>>
>>
>> If the lookup key you want is 'SPF-Fail' then do not put a colon.
>> Colons are normally only used in alias lookups with Postfix.
>> In general, access maps will not use them.
>>
>> Brian
>>
>Fair enough. However the documents for spf-milter-python state that I
>could also do:
>
>SPF-Neutral:aol.com    REJECT
>SPF-Softfail:aol.com   REJECT
>
>
>Would that still be valid considering "SPF-Softfail:aol.com" could be
>seen as just one string?
>
>
>Thank you for your help,
>
>Chris

All the documentation for spf-milter-python is written by a Sendmail admin.  If 
you (sorry, I've been busy and just skimming the list - so this is to all of 
you discussing this) have suggestions for the documentation for Postfix users, 
please let me know and I'll get them forwarded upstream (I've packaged this for 
Debian/Ubuntu, but am not the author).

On a related note, with Postfix this is very easy to do (and much better 
documented) with the postfix-policyd-spf-python policy server.  Apologies if 
you've already been down this road.

Scott K



Re: override the catch-all ?

2009-03-11 Thread Noel Jones

Curtis wrote:
> On Tue, Mar 10, 2009 at 8:43 PM, Victor Duchovni
>>    transport:
>>        bo...@example.com   error:5.1.1 Invalid recipient address
>>        address.invalid     error:5.1.1 Invalid recipient address
>>
>> this bounces the address when submitted locally.
>
> Perhaps it's a problem with my postfix configuration, but the above
> solution bounced the email after smtp, which won't work for us.  I did
> find one solution that seems to work...

Suggests an implementation error on your part, or possibly
you have an ancient postfix.  The feature works as Viktor
described.

> main.cf:
> smtpd_recipient_restrictions ... , check_recipient_access
> hash:/etc/postfix/recipient_access
>
> recipient_access:
> bo...@example.com 515 Invalid Recipient

This rejects mail with a 515 reject code, which I don't think
is defined.

I think you mean:
bo...@example.com  REJECT 5.1.5 Invalid recipient

> ...which bounced the email at smtp.  However, when sending a test
> message via gmail the bounce error wasn't what I expected:
>
> "[blah, blah, blah ] The error that the other server returned was:
> 515 515 5.7.1 : Recipient address rejected: Invalid
> Recipient (state 14)."
>
> The error code appears to be listed 3 times... "515 515 5.7.1"

... suggests a non-ancient postfix.

> According to http://www.postfix.org/access.5.html  ...' When no code
> is specified at the beginning of the text below, Postfix inserts a
> default enhanced status code of "5.7.1" '

Don't confuse reject codes with status codes.

  -- Noel Jones
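The distinction drawn in this reply, as an added example that is not part of the original thread and is not Postfix code: a Python sketch that splits a reject-type access table action into its three-digit SMTP reply code and its enhanced status code, and flags reply codes that RFC 5321 section 4.2.3 does not list. The function names, the reply wording and the recipient `user@example.com` are assumptions of this sketch; 554 is used as the reply code for a bare `REJECT`, and the enhanced code defaults to x.7.1 as the access(5) text quoted above describes.

```python
import re

ACCESS_MAP_REJECT_CODE = 554   # reply code assumed for a bare REJECT action

# 4xx/5xx reply codes listed in RFC 5321 section 4.2.3.
RFC5321_REJECT_CODES = {421, 450, 451, 452, 455,
                        500, 501, 502, 503, 504,
                        550, 551, 552, 553, 554, 555}

# Enhanced status code (class.subject.detail) at the start of the text.
ENHANCED = re.compile(r"^([245])\.(\d{1,3})\.(\d{1,3})(?:\s+|$)")


def parse_reject_action(action):
    """Return (reply_code, enhanced_status, text, warnings) for a
    '4NN text', '5NN text' or 'REJECT text' action, else None."""
    parts = action.split(None, 1)
    if not parts:
        return None
    word = parts[0]
    rest = parts[1].strip() if len(parts) > 1 else ""
    if re.fullmatch(r"[45]\d\d", word):
        reply = int(word)
    elif word.upper() == "REJECT":
        reply = ACCESS_MAP_REJECT_CODE
    else:
        return None   # OK, DUNNO and other actions are not modelled here

    warnings = []
    if reply not in RFC5321_REJECT_CODES:
        warnings.append("reply code %d is not listed in RFC 5321" % reply)

    m = ENHANCED.match(rest)
    if m:
        status = ".".join(m.groups())
        text = rest[m.end():]
        if status[0] != str(reply)[0]:
            warnings.append("enhanced status %s does not match reply class %sxx"
                            % (status, str(reply)[0]))
    else:
        # No enhanced code at the start of the text: default to x.7.1.
        status = "%s.7.1" % str(reply)[0]
        text = rest
    return reply, status, text or "Access denied", warnings


def smtp_reply(action, rcpt):
    """Build the rejection line a recipient check would produce (model)."""
    reply, status, text, _ = parse_reject_action(action)
    return "%d %s <%s>: Recipient address rejected: %s" % (reply, status, rcpt, text)


if __name__ == "__main__":
    # The two right-hand sides discussed in the thread.
    for action in ("515 Invalid Recipient", "REJECT 5.1.5 Invalid recipient"):
        print(action)
        print("   ", smtp_reply(action, "user@example.com"))
        for warning in parse_reject_action(action)[3]:
            print("    warning:", warning)
```
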


Re: Ubuntu, dynamicmaps?

2009-03-11 Thread Scott Kitterman
On Wed, 11 Mar 2009 16:40:26 -0500 KLaM Postmaster  
wrote:
>I am thinking of switching to Ubuntu 8.10 LTS server, however when I
>look at the Postfix configuration it seems somewhat odd.
>I don't want to start a flame war, but I would like to hear what people
>think about things like "dynamicmaps" and other oddities of the Ubuntu
>Postfix configuration.
>
The design decision in the Debian/Ubuntu Postfix packages that most often 
causes commentary here is to enable chroot by default.  Personally, I like 
it, but it does add some complexity and add to the number of people needing 
help.

How to accomplish most things you need to do with the chroot is reasonably 
well covered in the Ubuntu documentation.  There are also distro specific 
support resources that can help.

We are shipping (and I don't recall which release it arrived in, it may 
just be in the development release) a script to automate removing the 
chroot for people that don't want it.

Scott K


Re: override the catch-all ?

2009-03-11 Thread Victor Duchovni
On Wed, Mar 11, 2009 at 05:21:25PM -0500, Noel Jones wrote:

> Curtis wrote:
>> On Tue, Mar 10, 2009 at 8:43 PM, Victor Duchovni
>>>transport:
>>>bo...@example.com   error:5.1.1 Invalid recipient address
>>>address.invalid error:5.1.1 Invalid recipient address
>>>
>>> this bounces the address when submitted locally.
>> Perhaps it's a problem with my postfix configuration, but the above
>> solution bounced the email after smtp, which won't work for us.  I did
>> find one solution that seems to work...
>
> Suggests an implementation error on your part.  or possibly you have an 
> ancient postfix.  The feature works as Viktor described.

Sorry, Noel, my error led you up the garden path too.

virtual(5) hits trump error:message hits in the transport table,
so with a catchall, the transport setting does not trigger rejection
via smtpd(8). Indeed an explicit access check is required to complete
the solution. The reason is that all users in a virtual_alias_domain
resolve to the error transport unless rewritten, so rewrites have to
trump transport selection...

-- 
Viktor.



Re: Ubuntu, dynamicmaps?

2009-03-11 Thread Wietse Venema
Victor Duchovni:
> On Wed, Mar 11, 2009 at 04:40:26PM -0500, KLaM Postmaster wrote:
> 
> > I am thinking of switching to Ubuntu 8.10 LTS server, however when I
> > look at the Postfix configuration it seems somewhat odd.
> > I don't want to start a flame war, but I would like to hear what people
> > think about things like "dynamicmaps" and other oddities of the Ubuntu
> > Postfix configuration.
> 
> This has been a Debian feature for a long time, a perfectly fine idea
> to separate table drivers from Postfix, so that a single base Postfix
> package can be shipped, and table support is provided by shared libraries
> available for people who need said tables.
> 
> Ubuntu is a Debian derivative, and it is not surprising to see this
> reflected in how they package Postfix.
> 
> On the whole, I've not heard of LaMont Jones adding anything particularly
> to Postfix. The reason some of these changes are not in the official
> distribution is that it is difficult to support these for all platforms...

I have several generations of LaMont's patches.

I have no problem with dynamically-linked maps (though it further
complicates chrooted operation). The problem is that it requires
that Postfix's own libraries are also dynamically linked (libutil,
libglobal, and likely more). 

I have no time to convert and test all supported platforms for
dynamically linked Postfix libraries, I have no time to maintain
build procedures for static and for dynamic linking as it doubles
the number of tests that need to be done, I do not want to drop
supported platforms, and I do not want to make Postfix dependent
on libtool and autobloat.

Wietse


Re: Ubuntu, dynamicmaps?

2009-03-11 Thread KLaM Postmaster
KLaM Postmaster wrote:
> I am thinking of switching to Ubuntu 8.10 LTS server, however when I
> look at the Postfix configuration it seems somewhat odd.
> I don't want to start a flame war, but I would like to hear what people
> think about things like "dynamicmaps" and other oddities of the Ubuntu
> Postfix configuration.
>
> TIA
> JLA
From the replies that I have received so far, I get the impression that
while no one has anything bad to say about the Ubuntu implementation of
Postfix, nobody is very enthusiastic.
I think I will stick with my current Fedora 10 setup for the moment,
while I look around for a less quirky distribution.
Thanks for the input

JLA


Re: Ubuntu, dynamicmaps?

2009-03-11 Thread Victor Duchovni
On Thu, Mar 12, 2009 at 12:18:02AM -0500, KLaM Postmaster wrote:

> From the replies that I have received so far, I get the impression that
> while no one has anything bad to say about the Ubuntu implementation of
> Postfix, nobody is very enthusiastic.

No, it is a fine Postfix port. There is no reason to avoid it. The dynamic
tables make it easy to add additional table types without re-installing
Postfix or building a Postfix that supports all possible table types. This
Postfix is at least as good as that on other Linux systems.

> I think I will stick with my current Fedora 10 setup for the moment,
> while I look around for a less quirky distribution.

Ubuntu may or may not be quirky, but it is not Postfix that makes it so.
The (really Debian) changes you see in Ubuntu cleanly integrate Postfix
into the rest of the system, making SASL, loadable tables, ... fit more
organically into the larger system. And unlike the MacOSX laptop mode,
the changes are robust and reasonably well thought out.

Good system release engineering is often under-appreciated, let's not
give it a bad name here.

If Unix systems had a much more API for building and using shared
libraries, some of the Ubuntu code would be a nice addition to Postfix.

-- 
Viktor.


Re: Ubuntu, dynamicmaps?

2009-03-11 Thread Patrick Ben Koetter
* KLaM Postmaster:
> I am thinking of switching to Ubuntu 8.10 LTS server, however when I
> look at the Postfix configuration it seems somewhat odd.
> I don't want to start a flame war, but I would like to hear what people
> think about things like "dynamicmaps" and other oddities of the Ubuntu
> Postfix configuration.

Postfix integration is okay as it is. Several people have pointed out why and
I agree with all statements. What hasn't been mentioned yet is the tools you
have access to, if you run Postfix on a Debian/Ubuntu system.

I moved away from RH-like systems two years ago because it's a PITA to get all
the programs you want when you build a mail server. You can get dkim-milter,
amavisd, SpamAssassin etc. pp. through Dag Wieers repository, but then you
break this other dependency and this doesn't work anymore or you spend weeks
waiting for a bug fix.

I haven't seen this on Ubuntu - minor deviations not taken into account.

Looking at the mail system as a whole makes Debian/Ubuntu interesting to me.

dynamicmaps work and don't get into my way. That's perfect for me. On SASL I
don't agree where LaMont puts the configuration file, but then I don't want to
be dogmatic about this either.

The real bad thing is you set it up and it just works. You don't get any
reason to play with it once you've set it up. Which is bad, because it's fun. ;)

p...@rick

-- 
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):



Re: hold all relayed mail by default

2009-03-11 Thread Costin Guşă
On Mon, Mar 9, 2009 at 6:49 PM, Noel Jones wrote:
> Costin Guşă wrote:
>>
>> however i'm wondering if my proposed implementation would *really*
>> catch not only all relayed mail but also internal clients sending mail
>> to internal clients ?
>
> To only catch outbound mail, use something like this (note
> smtpd_SENDER_restrictions):
>
> # main.cf
> smtpd_sender_restrictions =
>  permit_auth_destination
>  static:hold
>
> This requires the default setting "smtpd_delay_reject = yes", so don't
> change it.

Oh, many thanks for enlightening me with the 'static:HOLD' hint!
Despite reading the docs, it wasn't until your answer came that I
understood what "foobar" really meant in the postconf man page:

"For example, static:foobar always returns the string foo-bar as lookup result."

Maybe I could have understood it more easily if the example phrase
contained a real example keyword such as "REJECT" instead of "foobar"
:)