Re: Question about anvil settings

2009-03-19 Thread Ralf Hildebrandt
* LuKreme :
> I was looking at the default levels for anvil and unless I am  
> misunderstanding (likely) they seem really high.
>
>smtpd_client_connection_count_limit (default: 50)
>The maximum number of connections that an SMTP client
>may make simultaneously.
>
> So, a single client can open up *50* simultaneous smtp connections?

Yes.

>smtpd_client_connection_rate_limit (default: no limit)
>The maximum number of connections that an SMTP client may
>make in the time interval specified with
>anvil_rate_time_unit (default: 60s).
>
> And can do so every single second?

Yes.

> My server is pretty light weight, and I don't tend to get too many floods 
> of spammers, but are these defaults reasonable to mitigate the damage that 
> a flood might do?  Are these defaults anything a normal user is ever going 
> to hit?

I usually set things differently.

default_process_limit = 800
smtpd_client_connection_rate_limit = 40
smtpd_client_connection_count_limit = 16
anvil_rate_time_unit = 60s

-- 
Ralf Hildebrandt
Postfix - setup, operation and maintenance   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
Since we constantly strive to improve our processes and products, we have
found that concrete life jackets with steel reinforcement are even more
durable.


Re: address rewriting with pcre?

2009-03-19 Thread LuKreme

On 17-Mar-2009, at 08:52, Victor Duchovni wrote:

> On Tue, Mar 17, 2009 at 10:01:53AM -0400, Charles Marcus wrote:
>
>> On 3/17/2009 9:43 AM, Erwan David wrote:
>>
>>> You may generate the pcre file with a line
>>> /recipient_([...@_]+)@localdomain/recipient+$...@localdomain
>>>
>>> for each valid recipient. This would preserve the validation of
>>> recipient at RCPT TO stage.
>>
>> Interesting... and maybe a good candidate for my first usable scripting
>> attempt.
>
> Perl is the natural choice for this:
>
>    $ echo u...@example.com |
>    domain=example.com perl -lpe '
>    s{^(.*)\...@\q$env{domain}\e$}
>    {/^\Q$1\E_(.*)\...@\q$env{domain}\e\$/ $1+\${...@$env{domain}}o;'
>    /^user_(.*)@example\.com$/ user+$...@example.com
>
> In practice instead of "echo ... |" Perl would read a list of addresses from
> a file. The "\Q...\E" construct is the critical ingredient for quoting PCRE
> special characters in the address localpart and domain.


I came up with this one liner:

 $ ls -1 /usr/local/virtual/ | grep "@" | sed 's/^\([...@]*\)@\(.*\)$/\/^\1_\(.*\)@\2$\/ \1+$...@\2/'


testu...@example.com => /^testuser_(.*)@example.com$/ testuser+$...@example.com

But the sed works for dumping all the virtual users into a .pcre map for
postfix.


--
My mind is going. There is no question about it. I can feel it. I can
feel it. I can feel it. I'm... afraid.



Re: address rewriting with pcre?

2009-03-19 Thread LuKreme

On 19-Mar-2009, at 04:14, Charles Marcus wrote:

> On 3/19/2009 5:55 AM, LuKreme wrote:
>
>> I came up with this one liner:
>>
>> $ ls -1 /usr/local/virtual/ | grep "@" | sed
>> 's/^\([...@]*\)@\(.*\)$/\/^\1_\(.*\)@\2$\/ \1+$...@\2/'
>>
>> testu...@example.com => /^testuser_(.*)@example.com$/
>> testuser+$...@example.com
>>
>> But the sed works for dumping all the virtual users into a .pcre map for
>> postfix.
>
> I guess I'll just have to wait and see if this ever gets support
> natively... it isn't that big of a problem, but it is very annoying when
> I run into a site that doesn't allow using a plussed address, and having
> an optional character or two that I could designate on a per site basis
> would be very convenient.


Well, the sed I posted can easily create the virtual table you need  
without causing backscatter.


$ ls -1 /usr/local/virtual/ | grep "@" | \
sed 's/^\([...@]*\)@\(.*\)$/\/^\1_\(.*\)@\2$\/ \1+$...@\2/' > \
/etc/postfix/virtual_address.pcre

main.cf:
virtual_alias_maps =
hash:$config_directory/virtual
pcre:$config_directory/virtual_address.pcre,
mysql:$config_directory/mysql_virtual_alias_maps.cf

of course the sed will work for any input in the form of 'u...@example.com'


If your user list changes frequently you can put it in a crontab. Mine  
changes infrequently enough I can afford to run it manually.


--
Over 3,500 gay marriages and, what, no hellfire? I was promise
hellfire. And riots. What gives?  -- Mark Morford



Re: Question about anvil settings

2009-03-19 Thread Wietse Venema
LuKreme:
> My server is pretty light weight, and I don't tend to get too many  
> floods of spammers, but are these defaults reasonable to mitigate the  
> damage that a flood might do?  Are these defaults anything a normal  
> user is ever going to hit?

A normal user is NEVER going to hit these limits.  As documented,
anvil is for out-of-control clients. It is not a traffic quota
tool, and must not be used for that purpose.

Wietse


Re: address rewriting with pcre?

2009-03-19 Thread Wietse Venema
LuKreme:
> On 17-Mar-2009, at 08:52, Victor Duchovni wrote:
> > On Tue, Mar 17, 2009 at 10:01:53AM -0400, Charles Marcus wrote:
> >> On 3/17/2009 9:43 AM, Erwan David wrote:
> >>> You may generate the pcre file with a line
> >>> /recipient_([...@_]+)@localdomain/recipient+$...@localdomain
> >>>
> >>> for each valid recipient. This would preserve the validation of
> >>> recipient at RCPT TO stage.
> >>
> >> Interesting... and maybe a good candidate for my first usable  
> >> scripting
> >> attempt.
> >
> > Perl is the natural choice for this:
> >
> >$ echo u...@example.com |
> > domain=example.com perl -lpe '
> > s{^(.*)\...@\q$env{domain}\e$}
> > {/^\Q$1\E_(.*)\...@\q$env{domain}\e\$/ 
> > $1+\${...@$env{domain}}o;'
> >/^user_(.*)@example\.com$/ user+$...@example.com
> >
> > In practice instead of "echo ... |" Perl would read a list of  
> > addresses from
> > a file. The "\Q...\E" construct is the critical ingredient for  
> > quoting PCRE
> > special characters in the address localpart and domain.
> 
> I came up with this one liner:
> 
>   $ ls -1 /usr/local/virtual/ | grep "@" | sed 's/^\([...@]*\)@\(.*\)$/\/ 
> ^\1_\(.*\)@\2$\/ \1+$...@\2/'
> 
> testu...@example.com => /^testuser_(.*)@example.com$/ 
> testuser+$...@example.com

This is BROKEN. You are not escaping any of the regexp metacharacters
such as '.' and so on.

Wietse


Re: address rewriting with pcre?

2009-03-19 Thread Charles Marcus
On 3/19/2009 5:55 AM, LuKreme wrote:
>>>> You may generate the pcre file with a line
>>>> /recipient_([...@_]+)@localdomain/recipient+$...@localdomain
>>>>
>>>> for each valid recipient. This would preserve the validation of
>>>> recipient at RCPT TO stage.

>>> Interesting... and maybe a good candidate for my first usable scripting
>>> attempt.

Or... not...

>> Perl is the natural choice for this:
>>
>>$ echo u...@example.com |
>> domain=example.com perl -lpe '
>> s{^(.*)\...@\q$env{domain}\e$}
>> {/^\Q$1\E_(.*)\...@\q$env{domain}\e\$/ $1+\${...@$env{domain}}o;'
>>/^user_(.*)@example\.com$/ user+$...@example.com
>>
>> In practice instead of "echo ... |" Perl would read a list of 
>> addresses from a file. The "\Q...\E" construct is the critical
>> ingredient for quoting PCRE special characters in the address
>> localpart and domain.

Whew... as a non-programmer, lets just say I almost swallowed my adams
apple when I saw Victors perl magic... ;)

> I came up with this one liner:
> 
>  $ ls -1 /usr/local/virtual/ | grep "@" | sed
> 's/^\([...@]*\)@\(.*\)$/\/^\1_\(.*\)@\2$\/ \1+$...@\2/'
> 
> testu...@example.com => /^testuser_(.*)@example.com$/
> testuser+$...@example.com
> 
> But the sed works for dumping all the virtual users into a .pcre map for
> postfix.

I guess I'll just have to wait and see if this ever gets support
natively... it isn't that big of a problem, but it is very annoying when
I run into a site that doesn't allow using a plussed address, and having
an optional character or two that I could designate on a per site basis
would be very convenient.


Re: address rewriting with pcre?

2009-03-19 Thread LuKreme

On 19-Mar-2009, at 04:45, Wietse Venema wrote:

>> $ ls -1 /usr/local/virtual/ | grep "@" | sed 's/^\([...@]*\)@\(.*\)$/\/^\1_\(.*\)@\2$\/ \1+$...@\2/'
>>
>> testu...@example.com => /^testuser_(.*)@example.com$/ testuser+$...@example.com
>
> This is BROKEN. You are not escaping any of the regexp metacharacters
> such as '.' and so on.


All righty, I didn't escape the . but since exampleqcom or example$com  
are not valid hostnames and the match is anchored to both the start  
and end of the string AND since it is pulling the data from my own  
list of existing users, I'm not seeing that it's much of a risk.


But sure, you can escape the . if you like, it only adds a few  
characters to the sed portion.


sed 's/^\([...@]*\)@\([^.]*\)\.\(.*\)$/\/^\1_\(.*\)@\2\\.\3$\/ \1+${1}@\2\\.\3/'


--
Well boys, we got three engines out, we got more holes in us than a
horse trader's mule, the radio is gone and we're leaking fuel
and if we was flying any lower why we'd need sleigh bells on
this thing... but we got one little budge on those Roosskies.
At this height why they might harpoon us but they dang sure
ain't gonna spot us on no radar screen!



Re: Question about anvil settings

2009-03-19 Thread Noel Jones

LuKreme wrote:

> On 19-Mar-2009, at 04:44, Wietse Venema wrote:
>
>> LuKreme:
>>
>>> My server is pretty light weight, and I don't tend to get too many
>>> floods of spammers, but are these defaults reasonable to mitigate the
>>> damage that a flood might do?  Are these defaults anything a normal
>>> user is ever going to hit?
>>
>> A normal user is NEVER going to hit these limits.  As documented,
>> anvil is for out-of-control clients. It is not a traffic quota
>> tool, and must not be used for that purpose.
>
> OK, but if the numbers were lowered to ... oh, say
>
> smtpd_client_connection_rate_limit = 8
> smtpd_client_connection_count_limit = 20
>
> A normal user is still never going to hit them I'd think.
>
> Obviously, on a large server with a LAN or a lot of people maybe behind
> a single IP those numbers wouldn't work.
>
> OTOH, I'm not changing anything at this point.




It's reasonable to tune these settings for your site.  But 
remember anvil is an emergency shutoff, not a traffic cop.


Your settings should be several times what you see from your 
highest volume "normal" client.  The settings should reflect a 
ridiculous amount of traffic that you will never ever see from 
a legit client.


--
Noel Jones
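
An added example, not part of the thread and not Postfix code, that turns Noel's sizing rule into a check against real traffic. It reads the peak-usage lines that anvil(8) itself logs every anvil_status_update_time ("statistics: max connection rate R/60s for (smtp:IP)" and "statistics: max connection count N for (smtp:IP)"), reports the busiest legitimate clients, and multiplies the observed peaks by a safety factor. The log lines, host name, pid and addresses in the block are constructed sample data; the factor of 5 is an assumption, not a recommendation from the thread.

```shell
# Constructed sample maillog excerpt in anvil(8)'s own format.
# 198.51.100.25 is meant to be the busiest legitimate client.
sample_log='Mar 19 09:10:01 mx postfix/anvil[2103]: statistics: max connection rate 3/60s for (smtp:192.0.2.10) at Mar 19 09:04:17
Mar 19 09:10:01 mx postfix/anvil[2103]: statistics: max connection count 2 for (smtp:192.0.2.10) at Mar 19 09:04:16
Mar 19 09:20:01 mx postfix/anvil[2103]: statistics: max connection rate 7/60s for (smtp:198.51.100.25) at Mar 19 09:15:40
Mar 19 09:20:01 mx postfix/anvil[2103]: statistics: max connection count 4 for (smtp:198.51.100.25) at Mar 19 09:15:39
Mar 19 09:20:01 mx postfix/anvil[2103]: statistics: max cache size 12 at Mar 19 09:15:39'

anvil_peaks() {
    # stdin: maillog lines.  stdout: one "CLIENT rate R count N" line per
    # client seen in anvil peak reports, then an "overall rate R count N" line.
    awk '
        /postfix\/anvil\[[0-9]+\]: statistics: max connection (rate|count) / {
            kind = ""; v = 0; client = "?"
            for (i = 1; i <= NF; i++) {
                # "rate" is followed by "R/60s", "count" by "N", "for" by "(smtp:IP)"
                if ($i == "rate")  { kind = "rate";  split($(i + 1), r, "/"); v = r[1] + 0 }
                if ($i == "count") { kind = "count"; v = $(i + 1) + 0 }
                if ($i == "for")   { client = $(i + 1); gsub(/[()]/, "", client) }
            }
            seen[client] = 1
            if (kind == "rate"  && v > rate[client])  rate[client]  = v
            if (kind == "count" && v > count[client]) count[client] = v
            if (kind == "rate"  && v > maxrate)  maxrate  = v
            if (kind == "count" && v > maxcount) maxcount = v
        }
        END {
            for (c in seen) printf "%s rate %d count %d\n", c, rate[c], count[c]
            printf "overall rate %d count %d\n", maxrate, maxcount
        }
    '
}

suggest_limits() {
    # $1: output of anvil_peaks, $2: safety factor (assumed default 5).
    # The limits must stay far above any legitimate client's peak:
    # anvil is an emergency shutoff, not a quota.
    factor=${2:-5}
    overall=$(printf '%s\n' "$1" | awk '$1 == "overall" { print $3, $5 }')
    set -- $overall
    printf 'smtpd_client_connection_rate_limit = %d\n' $(( $1 * factor ))
    printf 'smtpd_client_connection_count_limit = %d\n' $(( $2 * factor ))
    printf 'anvil_rate_time_unit = 60s\n'
}

peaks=$(printf '%s\n' "$sample_log" | anvil_peaks)
printf '%s\n' "$peaks"
suggest_limits "$peaks" 5
```

Run it as `anvil_peaks < /var/log/maillog` over a representative period before deciding. If the busiest client in the list is a NAT gateway or a webmail host with many users behind one IP (LuKreme's concern), its peaks are the ones the limits have to clear; if a listed client already exceeds what you would accept, that is the out-of-control client anvil is meant for, not a reason to raise the factor.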


Re: Question about anvil settings

2009-03-19 Thread LuKreme

On 19-Mar-2009, at 04:44, Wietse Venema wrote:

> LuKreme:
>
>> My server is pretty light weight, and I don't tend to get too many
>> floods of spammers, but are these defaults reasonable to mitigate the
>> damage that a flood might do?  Are these defaults anything a normal
>> user is ever going to hit?
>
> A normal user is NEVER going to hit these limits.  As documented,
> anvil is for out-of-control clients. It is not a traffic quota
> tool, and must not be used for that purpose.


OK, but if the numbers were lowered to ... oh, say

smtpd_client_connection_rate_limit = 8
smtpd_client_connection_count_limit = 20

A normal user is still never going to hit them I'd think.

Obviously, on a large server with a LAN or a lot of people maybe  
behind a single IP those numbers wouldn't work.


OTOH, I'm not changing anything at this point.


--
I AM ZOMBOR! (kelly) ZOMBOR!



Re: address rewriting with pcre?

2009-03-19 Thread Wietse Venema
LuKreme:
> On 19-Mar-2009, at 04:45, Wietse Venema wrote:
> >>  $ ls -1 /usr/local/virtual/ | grep "@" | sed 's/^\([...@]*\)@\(.*\)$/ 
> >> \/
> >> ^\1_\(.*\)@\2$\/ \1+$...@\2/'
> >>
> >> testu...@example.com => /^testuser_(.*)@example.com$/ 
> >> testuser+$...@example.com
> >
> > This is BROKEN. You are not escaping any of the regexp metacharacters
> > such as '.' and so on.
> 
> All righty, I didn't escape the . but since exampleqcom or example$com  
> are not valid hostnames and the match is anchored to both the start  
> and end of the string AND since it is pulling the data from my own  
> list of existing users, I'm not seeing that it's much of a risk.
> 
> But sure, you can escape the . if you like, it only adds a few  
> characters to the sed portion.
> 
> sed 's/^\([...@]*\)@\([^.]*\)\.\(.*\)$/\/^\1_\(.*\)@\2\\.\3$\/ \1+${1}@ 
> \2\\.\3/'

This is bad advice.  Domain names can have more than one ".", and
characters on the left of "@" need escaping too.

Victor's example is safe because it quotes all metacharacters,
Lukreme's example is unsafe.

Wietse
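
An added example, not code from the thread: a shell version of Victor's approach that escapes every regexp metacharacter on both sides of the "@", which is what Wietse's objection to the sed one-liner comes down to, while keeping Erwan's one-line-per-valid-recipient property so that RCPT TO validation is preserved. It assumes the address list arrives one per line on stdin (the list in the block is constructed sample input; in practice it would be the output of `ls -1 /usr/local/virtual/ | grep @`) and writes pcre_table(5) lines to stdout.

```shell
pcre_escape() {
    # Backslash-escape the PCRE metacharacters \ . ^ $ * + ? ( ) [ ] { } |
    # and the "/" that delimits the pattern in a pcre: table.
    printf '%s' "$1" | sed 's#[]\\/.^$*+?(){}|[]#\\&#g'
}

gen_pcre_map() {
    # stdin: one user@domain per line.  stdout: lines of the form
    #   /^LOCAL_([^@]+)@DOMAIN$/ LOCAL+${1}@DOMAIN
    # LOCAL and DOMAIN are escaped on the pattern side only; the result
    # side carries the original address.  The sub-address must be non-empty
    # and may not contain another "@".
    while IFS= read -r addr; do
        case "$addr" in
            *@*) ;;
            *)   continue ;;          # skip lines without an "@"
        esac
        local_part=${addr%%@*}
        domain=${addr#*@}
        [ -n "$local_part" ] && [ -n "$domain" ] || continue
        esc_local=$(pcre_escape "$local_part")
        esc_domain=$(pcre_escape "$domain")
        printf '/^%s_([^@]+)@%s$/ %s+${1}@%s\n' \
            "$esc_local" "$esc_domain" "$local_part" "$domain"
    done
}

# Constructed sample list; "." and "+" are exactly the characters that an
# unescaped pattern would treat as regexp operators.
sample_users='alice@example.com
bob.smith@example.com
carol+news@sub.example.net
not-an-address'

printf '%s\n' "$sample_users" | gen_pcre_map
```

Redirect the output to `/etc/postfix/virtual_address.pcre` as in LuKreme's message and run `postfix reload` after regenerating; pcre: tables need no postmap. Check a single entry with `postmap -q alice_shop@example.com pcre:/etc/postfix/virtual_address.pcre`, which should print `alice+shop@example.com`, and confirm that `alicexshop@example.com` or `bobXsmith_y@example.com` produce no match, which is the difference escaping makes.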


Change failure code for opportunistic TLS

2009-03-19 Thread Cory Coager
If I'm reading the documentation correctly, when using 
smtp_tls_policy_maps for specific domains, if no servers are available 
the email will be deferred?  Is there a way to change this to a 
permanent failure?


~Cory Coager








Postfix + DovecotSASL

2009-03-19 Thread Gabriel Hahmann
Hello everybody,

I'm running into a very strange problem.

I've used postfix with saslauthd for a long time but as my server hosts a
local domain and a few virtual domains I could only authenticate local
domain with smtp auth plain, cause I'm using virtual domains flat files.

So my virtual users can download their emails with POP3 (dovecot) but can
only send with webmail.

Yesterday I discovered that I could use DovecotSASL to authenticate all my
virtual domains, and changed postfix and dovecot to accomplish this.

dovecot.conf: Added these lines
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}

main.cf: Added these lines:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

Restarted both services and tried to send a message from a virtual domain to
gmail, telnetting to server port 25 and using perl to create the base64 based
on us...@domain\0user\@domain\0password. And this works perfectly.

Then I tried to use Thunderbird. And it works perfectly both for local and
virtual domains.

The problem is when I try to send a mail using Microsoft Outlook. I send the
message and then I receive the following error:

NOQUEUE: reject: RCPT from XXX.XXX.XXXdynamicIP.dominio.net[XXX.XXX.XXX.XXX]:
554 5.7.1 : Sender address rejected: Access denied;
from= to= proto=ESMTP helo=

I keep thinking and can't find a solution, telnetting directly to the server
and using Thunderbird works perfectly and with Microsoft Outlook does not!!!
I hate M$.

Can anybody help me?

Thanks in advance,
Gabriel.


Re: Change failure code for opportunistic TLS

2009-03-19 Thread Wietse Venema
Cory Coager:
> If I'm reading the documentation correctly, when using 
> smtp_tls_policy_maps for specific domains, if no servers are available 
> the email will be deferred?  Is there a way to change this to a 
> permanent failure?

There exists no code to convert a TLS failure into a permanent error.

I suggest that you don't require TLS unless you have verified that
Postfix can inter-operate with the remote host. 

Once you know that TLS is supposed to work, a TLS failure is no
different than any other connection failure. Just retry until the
problem is gone or until the mail is too old.

Wietse


Looking for Anti-spam setting: local username/external IP

2009-03-19 Thread David A. Gershman
Hello All,

I've been getting spam messages passing through my server because they
are "from" a local user account (spoofed).  However, the connection came
from an external source.  I'm trying to see if there is a setting in
master.cf (or other .cf file) which will reject any email from an
external IP (other than my own) *and* is claiming to be from a local
user account.

Thanks!

---
David A. Gershman
gersh...@dagertech.net
http://dagertech.net/gershman/
"It's all about the path!" --d. gershman


Re: Looking for Anti-spam setting: local username/external IP

2009-03-19 Thread Magnus Bäck
On Thursday, March 19, 2009 at 20:28 CET,
 "David A. Gershman"  wrote:

> I've been getting spam messages passing through my server because they
> are "from" a local user account (spoofed).  However, the connection
> came from an external source.  I'm trying to see if there is a setting
> in master.cf (or other .cf file) which will reject any email from an
> external IP (other than my own) *and* is claiming to be from a local
> user account.

Assuming you mean envelope sender address when you say "from":

main.cf:
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_sender_access hash:/path/to/file

/path/to/file:
example.com REJECT

-- 
Magnus Bäck
mag...@dsek.lth.se


Re: Postfix + DovecotSASL

2009-03-19 Thread Steve Roemen

You have to enable "login" auth mechanism.

In dovecot.conf:

auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  # NOTE: See also disable_plaintext_auth setting.
  mechanisms = plain login


Steve

On 03/19/2009 12:51 PM, Gabriel Hahmann wrote:

> Hello everybody,
>
> I'm running into a very strange problem.
>
> I've used postfix with saslauthd for a long time but as my server
> hosts a local domain and a few virtual domains I could only
> authenticate local domain with smtp auth plain, cause I'm using
> virtual domains flat files.
>
> So my virtual users can download their emails with POP3 (dovecot) but
> can only send with webmail.
>
> Yesterday I discovered that I could use DovecotSASL to authenticate
> all my virtual domains, and changed postfix and dovecot to accomplish this.
>
> dovecot.conf: Added these lines
> socket listen {
>   client {
>     path = /var/spool/postfix/private/auth
>     mode = 0660
>     user = postfix
>     group = postfix
>   }
> }
>
> main.cf: Added these lines:
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain =
> broken_sasl_auth_clients = yes
>
> Restarted both services and tried to send a message from a virtual
> domain to gmail, telnetting to server port 25 and using perl to create
> the base64 based on us...@domain\0user\@domain\0password. And this
> works perfectly.
>
> Then I tried to use Thunderbird. And it works perfectly both for local
> and virtual domains.
>
> The problem is when I try to send a mail using Microsoft Outlook. I
> send the message and then I receive the following error:
>
> NOQUEUE: reject: RCPT from XXX.XXX.XXXdynamicIP.dominio.net
> [XXX.XXX.XXX.XXX]: 554 5.7.1
> : Sender address rejected: Access denied;
> from= to= proto=ESMTP helo=
>
> I keep thinking and can't find a solution, telnetting directly to the
> server and using Thunderbird works perfectly and with Microsoft
> Outlook does not!!! I hate M$.
>
> Can anybody help me?
>
> Thanks in advance,
> Gabriel.
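
An added example, not from the thread and not Postfix or Dovecot code, showing why Steve's fix matters: the telnet test in the question used AUTH PLAIN (one base64 token), while Outlook uses AUTH LOGIN (username and password as two separate base64 replies), so a Dovecot that only offers "plain" never lets Outlook authenticate. The functions below build the tokens each mechanism carries and print the expected exchange, so either client's behaviour can be reproduced by hand with telnet or `openssl s_client -starttls smtp`. The credentials user@example.com / secret are constructed sample values, and the base64(1) utility is assumed to be available.

```shell
b64() {
    # base64-encode stdin as a single line (no wrapping)
    base64 | tr -d '\n'
}

sasl_plain_token() {
    # AUTH PLAIN (RFC 4616): one token = base64(authzid NUL authcid NUL password).
    # Like the telnet test in the question, the same identity is used for both fields.
    printf '%s\0%s\0%s' "$1" "$1" "$2" | b64
}

sasl_login_tokens() {
    # AUTH LOGIN: username and password are sent as two separate base64 lines,
    # each in answer to a "334" challenge from the server.
    printf '%s' "$1" | b64; echo
    printf '%s' "$2" | b64; echo
}

smtp_auth_dialog() {
    # Print the client/server exchange for a mechanism as it would appear
    # after EHLO, with the "235" reply Postfix's smtpd(8) sends on success.
    mech=$1 user=$2 pass=$3
    case "$mech" in
        PLAIN)
            echo "C: AUTH PLAIN $(sasl_plain_token "$user" "$pass")"
            echo "S: 235 2.7.0 Authentication successful"
            ;;
        LOGIN)
            set -- $(sasl_login_tokens "$user" "$pass")
            echo "C: AUTH LOGIN"
            echo "S: 334 VXNlcm5hbWU6"      # base64("Username:")
            echo "C: $1"
            echo "S: 334 UGFzc3dvcmQ6"      # base64("Password:")
            echo "C: $2"
            echo "S: 235 2.7.0 Authentication successful"
            ;;
        *)  echo "unsupported mechanism: $mech" >&2; return 1 ;;
    esac
}

smtp_auth_dialog PLAIN 'user@example.com' 'secret'
smtp_auth_dialog LOGIN 'user@example.com' 'secret'
```

Both mechanisms carry the password in the clear inside the base64, so keep Dovecot's `disable_plaintext_auth = yes` and set `smtpd_tls_auth_only = yes` on the Postfix side so that AUTH is only offered after STARTTLS. The `broken_sasl_auth_clients = yes` already in the question's main.cf does not add a mechanism; it only makes Postfix also announce `AUTH=...` in the EHLO reply for old Outlook Express versions that expect that spelling.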


Performance tuning

2009-03-19 Thread Brandon Hilkert
We send out a pretty large volume of emails right now using a combination of SQL and 
IIS SMTP. We get rates now of about 5,000/min. We're looking to not only 
improve the rates, but incorporate DKIM/Domainkey signing into the process. The 
choice has been made to go with postfix along with a queue directory on an XFS 
file system.

I'm using postfix as a relay, and having it sign the outgoing emails with DKIM. 
That process was about twice as slow as without it. Without DKIM, I'm getting a 
rate of 700/min.

I was expecting much better performance out of the box. I realize in my tests 
I'm going from a single host, to another single postfix box that is receiving 
all the emails to one account, so there may be bottlenecks that exist in my 
test setup, that may not be there in our production environment.

I'm really hoping to move away from MS SMTP and don't have tons of experience 
with Linux, so I'm hoping people could give me some good ideas about improving 
outbound performance. The server will not be directly exposed to the internet, 
so security is less of a concern as it will be behind several Cisco firewalls. 
This server will not be receiving any email, so nothing needs to be considered 
for that side.

Thanks,
Brandon

instance= in check_policy_service

2009-03-19 Thread Danilo Paffi Monteiro
Hello,

my old postfix version (postfix-2.2.8) send the instance that match
with this regexp [a-f0-9]+\.[a-f0-9]+\.[a-f0-9]

the version(postfix-2.5.5) that I'm using now
[a-f0-9]+\.[a-f0-9]+\.[a-f0-9]+\.[a-f0-9]

is it possible to change the instance= format?

Thanks,
Danilo Paffi Monteiro


Re: instance= in check_policy_service

2009-03-19 Thread Wietse Venema
Danilo Paffi Monteiro:
> Hello,
> 
> my old postfix version (postfix-2.2.8) send the instance that match
> with this regexp [a-f0-9]+\.[a-f0-9]+\.[a-f0-9]
> 
> the version(postfix-2.5.5) that I'm using now
> [a-f0-9]+\.[a-f0-9]+\.[a-f0-9]+\.[a-f0-9]
> 
> is it possible to change the instance= format?

No, but if you need to use a regular expression, perhaps [a-f0-9.]+
will do the job?

The string was changed to eliminate the possibility that two
different mail transactions get the same instance= value.

Wietse


Re: Performance tuning

2009-03-19 Thread Wietse Venema
Brandon Hilkert:
> We send out a pretty large volume of emails right now using a combination
> of SQL and IIS SMTP. We get rates now of about 5,000/min. We're
> looking to not only improve the rates, but incorporate DKIM/Domainkey
> signing into the process. The choice has been made to go with
> postfix along with a queue directory on an XFS file system.
> 
> I'm using postfix as a relay, and having it sign the outgoing
> emails with DKIM. That process was about twice as slow as without
> it. Without DKIM, I'm getting a rate of 700/min.
> 
> I was expecting much better performance out of the box. I realize
> in my tests I'm going from a single host, to another single postfix
> box that is receiving all the emails to one account, so there may
> be bottlenecks that exist in my test setup, that may not be there
> in our production environment.
> 
> I'm really hoping to move away from MS SMTP and don't have tons
> of experience with Linux, so I'm hoping people could give me some
> good ideas about improving outbound performance. The server will
> not be directly exposed to the internet, so security is less of
> a concern as it will be behind several Cisco firewalls. This server
> will not be receiving any email, so nothing needs to be considered
> for that side.

To improve performance, you need to identify the bottleneck.
Usually, the file system is the slowest component.

On Linux systems, fixing this can be as simple as editing the
syslog.conf file and making sure that the syslog daemon does not
sync the disk after every logfile record. Something like:

mail.*  -/var/log/maillog

Postfix was recently clocked at several thousand messages a second
while sending mail, but receiving mail is much more expensive since
each message needs to be made persistent on the local disk.

You also need to keep in mind that you can't deliver mail as fast
to ONE single machine as you can deliver to the whole Internet.

In the one machine case, all the mail is fighting for access to
the same file system, while with mail into the Internet, you are
effectively spreading the load over many remote file systems.

Wietse


how to create a filter in amavisd

2009-03-19 Thread deconya
Hi

I'm configuring a server with postfix, amavisd and spamassassin and a
problem appears with the antispam rules. There is one application that uses
the server to send mails to different clients but amavisd detects these
mails as spam. How can I create an exception? I would like to create a
whitelist inside amavisd. Is it possible?

I'm grateful for any help.

Best Regards


Re: Issue with pipe mail to script

2009-03-19 Thread mouss
Simon wrote:
> On Thu, Mar 19, 2009 at 10:39 AM, mouss  wrote:
>> Simon wrote:
>>> On Tue, Mar 17, 2009 at 7:57 AM, Simon  wrote:
>>>> On Mon, Mar 16, 2009 at 11:35 PM, Wietse Venema  wrote:
>>>>> You are expanding the virtual aliases BEFORE the Amavis filter,
>>>>> and another time after mail is filtered.
>>>>>
>>>>> See http://www.postfix.org/FILTER_README, and look for examples
>>>>> with receive_override_options.
>>>> Thanks again.. OK: So the mail is getting delivered before amavis,
>>>> which is fine for the normal address..  but the pipe gets delivered,
>>>> then after amavis gets delivered again? Is that right?
>>>>
>>>> I need postfix to accept mail based on the virtual aliases, filter the
>>>> mail thru amavis, then deliver the mail to dbmail via dbmail-lmtp - am
>>>> i going about this the correct way?
>>>>
>>> Bump.. can anyone check out this and see if i have things right?
>> you need no pipe with amavisd-new.
>>
>> if mail gets delivered twice, you probably forgot to disable rewrite
>> before amavisd-new. check amavisd-new README.postfix and follow it
>> strictly. only when you get things working can you start customization.
> 
> Sorry - i need to understand this correct in my head.
> 
> Currently i have it setup like this:
> 
> Network > Postfix > Content Filter (amavis) > Postfix > Network (DBMail)
> 
> What is happening is listed in the thread, but basically the alias
> that allows postfix to accept mail for t...@testdomain.co.nz, and then
> deliver it thru the system to dbmail is working fine. Its when i add a
> 2nd alias for t...@testdomain.co.nz that points it to the
> autoresponder service (defined in master.cf).. I get 2 emails
> delivered to the autoresponder. So am i correct that in the above
> flow, it is delivering the mail to the autoresponder script before and
> after amavis?
> 

That's possible. please do what I told you. if you did and you still
have a problem, feel free to ask. but it's annoying for us to help fix
problems that are known and for which the solution is as easy as to
follow well documented procedures.


Re: modify incoming mail

2009-03-19 Thread mouss
Cedric Zeline wrote:
> Hi all,
> 
> I need some help. I would like to modify incoming emails.
> I need to add a link at top of the incoming mail body, in order to allow
> employees that received their email to click on this link and connect
> directly to our data base to check the client's data. I need to add a
> link that will pass the client's email as parameters (should be
> something like http://192.168.0.2/client.php?client=em...@domaine.com).
> I was thinking to do this job with postfix body_checks features by using
> body rewriting but I can't find the way to do it because I can't find a
> way to identify the beginning of the mail body.
> 

You can't do that with body_checks. you can do that with a custom
content filter, but it is not recommended to change email without a
"serious" reason. and if you should, do that at submission time, not at
reception time.


Re: whitelist from spamhaus

2009-03-19 Thread mouss
Wietse Venema wrote:
> /dev/rob0:
>> On Wed March 18 2009 03:06:40 Pascal Volk wrote:
>>>> can i whitelist one domain from checking spamhaus ?
>>>> thanks
>>> smtpd_recipient_restrictions =
>>>   ...
>>>   reject_unauth_destination
>>>   ...
>>>   check_client_access hash:/etc/postfix/whitelist_clients
>>>   check_sender_access hash:/etc/postfix/whitelist_senders
>>>   reject_rbl_client zen.spamhaus.org
>>>   ...
>>>
>>> /etc/postfix/whitelist_clients:
>>> mailout.trusteddoma.in  OK
>>> # or ip address of trusted hosts
>>>
>>> /etc/postfix/whitelist_senders:
>>> u...@trusteddoma.in OK
>> Some comments I would add:
>>
>> 1. I consider it best practice to use "permit_auth_destination" rather
>>than "OK" for whitelisting. That's an extra safety check in case you
>>accidentally put smtpd_recipient_restrictions in the wrong order.
> 
> That is a good point. I wonder how much would break with
> 
> /etc/postfix/main.cf
> restriction_classes = ok [... other names ...]
> ok = permit_auth_destination
> 
> This would change the meaning of OK such that it works like
> permit_auth_destination in access(5) maps. It's a gross hack, but
> then, restriction_classes was also a gross hack.
> 

I would suggest separating relay control from other checks. something like

smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated



Re: Sender vs recipient restrictions.

2009-03-19 Thread mouss
Paweł Leśniak wrote:
> On 2009-03-18 14:23, Costin Guşă wrote:
>> On Wed, Mar 18, 2009 at 3:11 PM,   wrote:
>>   
>>> I've been reading today about;
>>>
>>> reject_unknown_sender_domain
>>>
>>> and I'm wondering if it is only allowed under 'smtpd_sender_restrictions'
>>> whereas I've had it under 'smtpd_recipient_restrictions'. Is this correct?
>>>
>>> thanks,
>>> Chas.
>>> 
>>
>> all smtpd_recipient_restrictions can appear in smtpd_sender_restrictions.
>>   
> Wrong. As SMTP session has MAIL FROM before RCPT TO, you can have
> sender_restrictions in smtpd_recipient_restrictions, but not vice versa
> (of course you can, but it'd be useless) - recipient is not known during
> smtp_sender_restrictions part.
> 


by default, smtpd_[client|helo|sender|recipient]_restrictions are
executed at RCPT TO time. so it's ok to have a check_recipient_access in
smtpd_client_restrictions and so on.


Re: how to create a filter in amavisd

2009-03-19 Thread mouss
deconya wrote:
> Hi
> 
> I'm configuring a server with postfix, amavisd and spamassassin and
> a problem appears with the antispam rules. There is one application
> that uses the server to send mails to different clients but amavisd
> detects these mails as spam. How can I create an exception? I would
> like to create a whitelist inside amavisd. Is it possible?
> 
> 
how does your application pass mail to postfix?

if it's with the sendmail command, the easy way is to skip amavisd-new
for sendmail submitted mail by adding
-o content_filter=
under the pickup service (in master.cf)


if it submits mail via smtp, check if you can configure it to use a
specific port. then you can use the -o content_filter as above.

otherwise, give more info. And when you give info, think of how to
differentiate mail from your app and other mail.


Re: Performance tuning

2009-03-19 Thread Brandon Hilkert

Thanks for the response.

Our test system is a pretty standard SATA disk with 2GB memory. If disk is 
the necessary resource, would we see an immediate benefit by going to a SCSI 
disk or even a SCSI array, or does that hardware benefit flatten out at some 
point?


As I mentioned, we're using the XFS system for the queue, does that provide 
any additional benefit, or would ext3 perform the same? Keep in mind, we 
will be dealing with 1,000,000 piece mailouts during a session. My findings 
were that XFS might handle more of the small html email files better, 
especially if they get backed up in a deferred queue for some reason, is 
this true?


In your response, you mention that receiving is much more taxing than just 
simply sending. Would a relay machine (as ours is acting) be considered a 
receiving server, or are you just referring to a server where mail is the 
last stop for a locally delivered account? What do you think is a reasonable 
relay rate for a standard setup?


I understand what you mean about sending to one server. I'm going to try and 
setup a few more receiving servers so that I can more accurately simulate 
sending it out to the internet.


Thanks again for your help!

Brandon

- Original Message - 
From: "Wietse Venema" 

To: "Postfix users" 
Sent: Thursday, March 19, 2009 4:30 PM
Subject: Re: Performance tuning



Brandon Hilkert:

We send out a pretty large volume of emails right now using a combination
of SQL and IIS SMTP. We get rates now of about 5,000/min. We're
looking to not only improve the rates, but incorporate DKIM/Domainkey
signing into the process. The choice has been made to go with
postfix along with a queue directory on an XFS file system.

I'm using postfix as a relay, and having it sign the outgoing
emails with DKIM. That process was about twice as slow as without
it. Without DKIM, I'm getting a rate of 700/min.

I was expecting much better performance out of the box. I realize
in my tests I'm going from a single host, to another single postfix
box that is receiving all the emails to one account, so there may
be bottlenecks that exist in my test setup, that may not be there
in our production environment.

I'm really hoping to move away from MS SMTP and don't have tons
of experience with Linux, so I'm hoping people could give me some
good ideas about improving outbound performance. The server will
not be directly exposed to the internet, so security is less of
a concern as it will be behind several Cisco firewalls. This server
will not be receiving any email, so nothing needs to be considered
for that side.


To improve performance, you need to identify the bottleneck.
Usually, the file system is the slowest component.

On Linux systems, fixing this can be as simple as editing the
syslog.conf file and making sure that the syslog daemon does not
sync the disk after every logfile record. Something like:

   mail.* -/var/log/maillog

Postfix was recently clocked at several thousand messages a second
while sending mail, but receiving mail is much more expensive since
each message needs to be made persistent on the local disk.

You also need to keep in mind that you can't deliver mail as fast
to ONE single machine as you can deliver to the whole Internet.

In the one machine case, all the mail is fighting for access to
the same file system, while with mail into the Internet, you are
effectively spreading the load over many remote file systems.

Wietse 




Re: Performance tuning

2009-03-19 Thread Victor Duchovni
On Thu, Mar 19, 2009 at 09:52:42PM -0400, Brandon Hilkert wrote:

> I understand what you mean about sending to one server. I'm going to try 
> and setup a few more receiving servers so that I can more accurately 
> simulate sending it out to the internet.

Did you at least take time to rule out the "syslog" bottleneck? This is
a common problem with stock Linux configurations, where syslog hammers
the disk so hard that Postfix can't get any I/O done. Throughput as low
as 10 msgs/sec is strongly suggestive of something like that, or perhaps
just failure to send in parallel, or insufficient concurrency in output
processing because all the test messages are routed to the same local(8)
mailbox.

Linux servers that are 5 years old can do 300-400 msgs/sec, when the disk is
managed by a RAID controller with an 8MB battery cache, and IIRC somewhere
between 50 and 100 msgs/sec with the cache off.

Start with syslog, then figure out where the messages are accumulating,
see QSHAPE_README.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
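
Both Wietse's reply above and Viktor's follow-up point at syslog's per-record disk sync as the first bottleneck to rule out. The following shell check is an added example, not code from the thread: it reports syslog.conf rules that write the mail facility to a file without the leading "-" Wietse describes, using a constructed sample configuration.

```shell
#!/bin/sh
# Added example, not from the thread: flag syslog.conf rules that write
# mail-facility records to a file synchronously, i.e. without the leading
# "-" that tells syslogd not to fsync after every record.

# Usage: find_syncing_mail_logs /etc/syslog.conf
# Prints "<selector> <file>" for each offending rule; prints nothing if clean.
find_syncing_mail_logs() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        NF < 2         { next }               # malformed line, ignore
        {
            sel = $1; act = $2; hit = 0
            # Selectors are ";"-separated facility.priority pairs, applied in
            # order; "mail.none" after "*.info" removes mail from the rule.
            n = split(sel, parts, ";")
            for (i = 1; i <= n; i++) {
                split(parts[i], fp, ".")
                if (fp[1] == "mail" || fp[1] == "*")
                    hit = (fp[2] != "none")
            }
            # A plain "/path" action syncs; "-/path", "@host" and "|pipe" do not.
            if (hit && act ~ /^\//) print sel, act
        }
    ' "$1"
}

# Constructed sample configuration with one offending rule.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Log all the mail messages in one place.
mail.*                          /var/log/maillog
mail.info;mail.warn             -/var/log/mail.log
*.info;mail.none;authpriv.none  /var/log/messages
authpriv.*                      /var/log/secure
EOF

find_syncing_mail_logs "$SAMPLE"     # -> mail.* /var/log/maillog
rm -f "$SAMPLE"
```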


Re: Change failure code for opportunistic TLS

2009-03-19 Thread Victor Duchovni
On Thu, Mar 19, 2009 at 01:37:31PM -0400, Cory Coager wrote:

> If I'm reading the documentation correctly, when using smtp_tls_policy_maps 
> for specific domains, if no servers are available

That is no servers offer TLS, or do offer TLS, but with unsatisfactory
certificates.

> the email will be deferred?

Yes.

> Is there a way to change this to a permanent failure?

No, doing this would be a design error.

  - When attackers temporarily disable TLS between you and a remote
domain, they should not be able to cause messages to bounce.

  - When attackers provide false DNS responses for the MX hosts of the
target domain, they should not be able to cause messages to bounce.

  - When an administrator of the remote server screws up and disables TLS,
messages should not bounce.

A secure channel must temp-fail when security cannot be established,
otherwise the channel is subject to tampering by untrusted parties.
Negative responses must be secured just like positive ones.

For example, both DNSCurve and DNSSEC provide cryptographic protection
for NXDOMAIN responses. No DNSCurve or DNSSEC client will turn failure
to authenticate a response into NXDOMAIN, rather both will return a
tempfail status.

Incorrect behaviour will not likely be supported any time soon,
no matter how popular, unless it is the only work-around for a critical
inter-operability issue.

If you have enforced TLS destinations that consistently tempfail, and
you cannot disable TLS, but want to alert senders faster, temporarily
install a transport override for the domain:

example.com error:5.7.4 Mandatory TLS service unavailable

Whether it is wise to continue to enforce TLS for a destination where
you expect the TLS service to never be restored is something you have
to consider.

-- 
Viktor.



Re: whitelist from spamhaus

2009-03-19 Thread Victor Duchovni
On Thu, Mar 19, 2009 at 11:58:52PM +0100, mouss wrote:

> I would suggest separating relay control from other checks. something like
> 
> smtpd_relay_restrictions =
>   permit_mynetworks
>   permit_sasl_authenticated

This has been proposed before.

http://archives.neohapsis.com/archives/postfix/2006-05/0598.html

Perhaps some day, it would be a major change, and the question is whether
it is worth the effort if it is only an interim design. When you change
something this big, the new feature should be stable for a long time.

Changing the interface with every release becomes unpopular with users.
So the current design for all its flaws is stable, and has proved
reasonably flexible. A new design would need a lot of scrutiny to make
sure we have a solid solution good for another decade of releases.

One could take this to the extreme and introduce a new (not replacement,
but alternative) SMTP server called "pysmtpd" that bolts a Python
interpreter into Postfix, and provides all the restriction building blocks
(various lookups, ...) as functions in the Python interpreter. Then, in
"pysmtpd" you'd tweak Python code to make access decisions. There'd be
stock rules and a gentle configuration syntax for non-programmers,
but the underlying rule engine would be a full programming language
extensible by module writers and advanced users.

Lots of other possibilities. Which approach is right?

-- 
Viktor.
